From: Greg Kroah-Hartman Date: Tue, 11 Aug 2009 21:19:00 +0000 (-0700) Subject: .30 bugfixes X-Git-Tag: v2.6.30.5~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ddc61391e2c05d6eda7c793f087aeff8cbeea7de;p=thirdparty%2Fkernel%2Fstable-queue.git .30 bugfixes --- diff --git a/queue-2.6.30/compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch b/queue-2.6.30/compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch new file mode 100644 index 00000000000..0ff7afd312f --- /dev/null +++ b/queue-2.6.30/compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch @@ -0,0 +1,42 @@ +From 69130c7cf96ea853dc5be599dd6a4b98907d39cc Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Thu, 6 Aug 2009 15:07:37 -0700 +Subject: compat_ioctl: hook up compat handler for FIEMAP ioctl + +From: Eric Sandeen + +commit 69130c7cf96ea853dc5be599dd6a4b98907d39cc upstream. + +The FIEMAP_IOC_FIEMAP mapping ioctl was missing a 32-bit compat handler, +which means that 32-bit suerspace on 64-bit kernels cannot use this ioctl +command. + +The structure is nicely aligned, padded, and sized, so it is just this +simple. + +Tested w/ 32-bit ioctl tester (from Josef) on a 64-bit kernel on ext4. + +Signed-off-by: Eric Sandeen +Cc: +Cc: Mark Lord +Cc: Arnd Bergmann +Cc: Josef Bacik +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/compat_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/compat_ioctl.c ++++ b/fs/compat_ioctl.c +@@ -1915,6 +1915,7 @@ COMPATIBLE_IOCTL(FIONCLEX) + COMPATIBLE_IOCTL(FIOASYNC) + COMPATIBLE_IOCTL(FIONBIO) + COMPATIBLE_IOCTL(FIONREAD) /* This is also TIOCINQ */ ++COMPATIBLE_IOCTL(FS_IOC_FIEMAP) + /* 0x00 */ + COMPATIBLE_IOCTL(FIBMAP) + COMPATIBLE_IOCTL(FIGETBSZ) diff --git a/queue-2.6.30/execve-must-clear-current-clear_child_tid.patch b/queue-2.6.30/execve-must-clear-current-clear_child_tid.patch new file mode 100644 index 00000000000..ff363fc76bf --- /dev/null 
+++ b/queue-2.6.30/execve-must-clear-current-clear_child_tid.patch 
@@ -0,0 +1,126 @@ +From 9c8a8228d0827e0d91d28527209988f672f97d28 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 6 Aug 2009 15:09:28 -0700 +Subject: execve: must clear current->clear_child_tid + +From: Eric Dumazet + +commit 9c8a8228d0827e0d91d28527209988f672f97d28 upstream. + +While looking at Jens Rosenboom bug report +(http://lkml.org/lkml/2009/7/27/35) about strange sys_futex call done from +a dying "ps" program, we found following problem. + +clone() syscall has special support for TID of created threads. This +support includes two features. + +One (CLONE_CHILD_SETTID) is to set an integer into user memory with the +TID value. + +One (CLONE_CHILD_CLEARTID) is to clear this same integer once the created +thread dies. + +The integer location is a user provided pointer, provided at clone() +time. + +kernel keeps this pointer value into current->clear_child_tid. + +At execve() time, we should make sure kernel doesnt keep this user +provided pointer, as full user memory is replaced by a new one. + +As glibc fork() actually uses clone() syscall with CLONE_CHILD_SETTID and +CLONE_CHILD_CLEARTID set, chances are high that we might corrupt user +memory in forked processes. + +Following sequence could happen: + +1) bash (or any program) starts a new process, by a fork() call that + glibc maps to a clone( ... CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID + ...) syscall + +2) When new process starts, its current->clear_child_tid is set to a + location that has a meaning only in bash (or initial program) context + (&THREAD_SELF->tid) + +3) This new process does the execve() syscall to start a new program. 
+ current->clear_child_tid is left unchanged (a non NULL value) + +4) If this new program creates some threads, and initial thread exits, + kernel will attempt to clear the integer pointed by + current->clear_child_tid from mm_release() : + + if (tsk->clear_child_tid + && !(tsk->flags & PF_SIGNALED) + && atomic_read(&mm->mm_users) > 1) { + u32 __user * tidptr = tsk->clear_child_tid; + tsk->clear_child_tid = NULL; + + /* + * We don't check the error code - if userspace has + * not set up a proper pointer then tough luck. + */ +<< here >> put_user(0, tidptr); + sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0); + } + +5) OR : if new program is not multi-threaded, but spied by /proc/pid + users (ps command for example), mm_users > 1, and the exiting program + could corrupt 4 bytes in a persistent memory area (shm or memory mapped + file) + +If current->clear_child_tid points to a writeable portion of memory of the +new program, kernel happily and silently corrupts 4 bytes of memory, with +unexpected effects. + +Fix is straightforward and should not break any sane program. + +Reported-by: Jens Rosenboom +Acked-by: Linus Torvalds +Signed-off-by: Eric Dumazet +Signed-off-by: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Sonny Rao +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: Ulrich Drepper +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -568,18 +568,18 @@ void mm_release(struct task_struct *tsk, + * the value intact in a core dump, and to save the unnecessary + * trouble otherwise. Userland only wants this done for a sys_exit. 
+ */ +- if (tsk->clear_child_tid +- && !(tsk->flags & PF_SIGNALED) +- && atomic_read(&mm->mm_users) > 1) { +- u32 __user * tidptr = tsk->clear_child_tid; ++ if (tsk->clear_child_tid) { ++ if (!(tsk->flags & PF_SIGNALED) && ++ atomic_read(&mm->mm_users) > 1) { ++ /* ++ * We don't check the error code - if userspace has ++ * not set up a proper pointer then tough luck. ++ */ ++ put_user(0, tsk->clear_child_tid); ++ sys_futex(tsk->clear_child_tid, FUTEX_WAKE, ++ 1, NULL, NULL, 0); ++ } + tsk->clear_child_tid = NULL; +- +- /* +- * We don't check the error code - if userspace has +- * not set up a proper pointer then tough luck. +- */ +- put_user(0, tidptr); +- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0); + } + } + diff --git a/queue-2.6.30/flat-fix-uninitialized-ptr-with-shared-libs.patch b/queue-2.6.30/flat-fix-uninitialized-ptr-with-shared-libs.patch new file mode 100644 index 00000000000..f20e2f0e447 --- /dev/null +++ b/queue-2.6.30/flat-fix-uninitialized-ptr-with-shared-libs.patch 
@@ -0,0 +1,54 @@ +From 3440625d78711bee41a84cf29c3d8c579b522666 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 6 Aug 2009 15:09:34 -0700 +Subject: flat: fix uninitialized ptr with shared libs + +From: Linus Torvalds + +commit 3440625d78711bee41a84cf29c3d8c579b522666 upstream. + +The new credentials code broke load_flat_shared_library() as it now uses +an uninitialized cred pointer. + +Reported-by: Bernd Schmidt +Tested-by: Bernd Schmidt +Cc: Mike Frysinger +Cc: David Howells +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/binfmt_flat.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/fs/binfmt_flat.c ++++ b/fs/binfmt_flat.c +@@ -828,15 +828,22 @@ static int load_flat_shared_library(int + if (IS_ERR(bprm.file)) + return res; + ++ bprm.cred = prepare_exec_creds(); ++ res = -ENOMEM; ++ if (!bprm.cred) ++ goto out; ++ + res = prepare_binprm(&bprm); + + if (res <= (unsigned long)-4096) + res = load_flat_file(&bprm, libs, id, NULL); +- if (bprm.file) { +- allow_write_access(bprm.file); +- fput(bprm.file); +- bprm.file = NULL; +- } ++ ++ abort_creds(bprm.cred); ++ ++out: ++ allow_write_access(bprm.file); ++ fput(bprm.file); ++ + return(res); + } + diff --git a/queue-2.6.30/generic-ipi-fix-hotplug_cfd.patch b/queue-2.6.30/generic-ipi-fix-hotplug_cfd.patch new file mode 100644 index 00000000000..da9177b4f3b --- /dev/null +++ b/queue-2.6.30/generic-ipi-fix-hotplug_cfd.patch 
@@ -0,0 +1,42 @@ +From 69dd647f969c28d18de77e2153f30d05a1874571 Mon Sep 17 00:00:00 2001 +From: Xiao Guangrong +Date: Thu, 6 Aug 2009 15:07:29 -0700 +Subject: generic-ipi: fix hotplug_cfd() + +From: Xiao Guangrong + +commit 69dd647f969c28d18de77e2153f30d05a1874571 upstream. + +Use CONFIG_HOTPLUG_CPU, not CONFIG_CPU_HOTPLUG + +When hot-unpluging a cpu, it will leak memory allocated at cpu hotplug, +but only if CPUMASK_OFFSTACK=y, which is default to n. + +The bug was introduced by 8969a5ede0f9e17da4b943712429aef2c9bcd82b +("generic-ipi: remove kmalloc()"). + +Signed-off-by: Xiao Guangrong +Cc: Ingo Molnar +Cc: Jens Axboe +Cc: Nick Piggin +Cc: Peter Zijlstra +Cc: Rusty Russell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/smp.c ++++ b/kernel/smp.c +@@ -57,7 +57,7 @@ hotplug_cfd(struct notifier_block *nfb, + return NOTIFY_BAD; + break; + +-#ifdef CONFIG_CPU_HOTPLUG ++#ifdef CONFIG_HOTPLUG_CPU + case CPU_UP_CANCELED: + case CPU_UP_CANCELED_FROZEN: + diff --git a/queue-2.6.30/ring-buffer-fix-memleak-in-ring_buffer_free.patch b/queue-2.6.30/ring-buffer-fix-memleak-in-ring_buffer_free.patch new file mode 100644 index 00000000000..1f4d77ea438 --- /dev/null +++ b/queue-2.6.30/ring-buffer-fix-memleak-in-ring_buffer_free.patch 
@@ -0,0 +1,31 @@ +From bd3f02212d6a457267e0c9c02c426151c436d9d4 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 7 Aug 2009 12:49:29 +0200 +Subject: ring-buffer: Fix memleak in ring_buffer_free() + +From: Eric Dumazet + +commit bd3f02212d6a457267e0c9c02c426151c436d9d4 upstream. + +I noticed oprofile memleaked in linux-2.6 current tree, +and tracked this ring-buffer leak. + +Signed-off-by: Eric Dumazet +LKML-Reference: <4A7C06B9.2090302@gmail.com> +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -695,6 +695,7 @@ ring_buffer_free(struct ring_buffer *buf + + put_online_cpus(); + ++ kfree(buffer->buffers); + free_cpumask_var(buffer->cpumask); + + kfree(buffer); diff --git a/queue-2.6.30/series b/queue-2.6.30/series index 333ed067d00..2f304d132cc 100644 --- a/queue-2.6.30/series +++ b/queue-2.6.30/series @@ -52,3 +52,15 @@ atl1c-wake_mcast-tested-twice-not-wake_ucast.patch atl1c-add-missing-parentheses.patch atl1c-misplaced-parenthesis.patch md-handle-growth-of-v1.x-metadata-correctly.patch +execve-must-clear-current-clear_child_tid.patch +flat-fix-uninitialized-ptr-with-shared-libs.patch +compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch +generic-ipi-fix-hotplug_cfd.patch +staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch +usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch +usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch +usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch +usb-usbfs-fix-enoent-error-code-to-be-enodev.patch +usb-devio-properly-do-access_ok-checks.patch +ring-buffer-fix-memleak-in-ring_buffer_free.patch +x86-fix-vmi-stack-protector.patch 
diff --git a/queue-2.6.30/staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch b/queue-2.6.30/staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch new file mode 100644 index 00000000000..e148a8b1fda --- /dev/null +++ b/queue-2.6.30/staging-rt2870-revert-d44ca7-removal-of-kernel_thread-api.patch 
@@ -0,0 +1,329 @@ +From 2c63abf9e8a51dec886da482dfd8ae752581a61c Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 31 Jul 2009 07:14:04 +0200 +Subject: Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API + +From: Greg Kroah-Hartman + +commit 2c63abf9e8a51dec886da482dfd8ae752581a61c upstream. + +[Mike Galbraith did the upstream revert, which was more complex] + +Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API + +The sanity check this patch introduced triggers on shutdown, apparently due to +threads having already exited by the time BUG_ON() is reached. + +Cc: Mike Galbraith +Cc: Peter Teoh +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/staging/rt2870/2870_main_dev.c | 67 ++++++++++++++++--------- + drivers/staging/rt2870/common/2870_rtmp_init.c | 35 +++++-------- + drivers/staging/rt2870/common/cmm_data.c | 3 + + drivers/staging/rt2870/common/rtmp_init.c | 2 + drivers/staging/rt2870/common/rtusb_io.c | 3 - + drivers/staging/rt2870/rt2870.h | 6 -- + drivers/staging/rt2870/rt_linux.h | 11 ++-- + 7 files changed, 74 insertions(+), 53 deletions(-) + +--- a/drivers/staging/rt2870/2870_main_dev.c ++++ b/drivers/staging/rt2870/2870_main_dev.c +@@ -265,7 +265,7 @@ INT MlmeThread( + */ + DBGPRINT(RT_DEBUG_TRACE,( "<---%s\n",__func__)); + +- pObj->MLMEThr_task = NULL; ++ pObj->MLMEThr_pid = THREAD_PID_INIT_VALUE; + + complete_and_exit (&pAd->mlmeComplete, 0); + return 0; +@@ -373,7 +373,7 @@ INT RTUSBCmdThread( + */ + DBGPRINT(RT_DEBUG_TRACE,( "<---RTUSBCmdThread\n")); + +- pObj->RTUSBCmdThr_task = NULL; ++ pObj->RTUSBCmdThr_pid = THREAD_PID_INIT_VALUE; + + complete_and_exit (&pAd->CmdQComplete, 0); + return 0; +@@ -467,7 +467,7 @@ INT TimerQThread( + */ + DBGPRINT(RT_DEBUG_TRACE,( "<---%s\n",__func__)); + +- pObj->TimerQThr_task = NULL; ++ pObj->TimerQThr_pid = THREAD_PID_INIT_VALUE; + + complete_and_exit(&pAd->TimerQComplete, 0); + return 0; +@@ -944,46 +944,69 @@ VOID RT28xxThreadTerminate( + RTUSBCancelPendingIRPs(pAd); + + // 
Terminate Threads +- BUG_ON(pObj->TimerQThr_task == NULL); +- CHECK_PID_LEGALITY(task_pid(pObj->TimerQThr_task)) ++ CHECK_PID_LEGALITY(pObj->TimerQThr_pid) + { + POS_COOKIE pObj = (POS_COOKIE)pAd->OS_Cookie; + +- printk(KERN_DEBUG "Terminate the TimerQThr pid=%d!\n", +- pid_nr(task_pid(pObj->TimerQThr_task))); ++ printk("Terminate the TimerQThr_pid=%d!\n", GET_PID_NUMBER(pObj->TimerQThr_pid)); + mb(); + pAd->TimerFunc_kill = 1; + mb(); +- kthread_stop(pObj->TimerQThr_task); +- pObj->TimerQThr_task = NULL; ++ ret = KILL_THREAD_PID(pObj->TimerQThr_pid, SIGTERM, 1); ++ if (ret) ++ { ++ printk(KERN_WARNING "%s: unable to stop TimerQThread, pid=%d, ret=%d!\n", ++ pAd->net_dev->name, GET_PID_NUMBER(pObj->TimerQThr_pid), ret); ++ } ++ else ++ { ++ wait_for_completion(&pAd->TimerQComplete); ++ pObj->TimerQThr_pid = THREAD_PID_INIT_VALUE; ++ } + } + +- BUG_ON(pObj->MLMEThr_task == NULL); +- CHECK_PID_LEGALITY(task_pid(pObj->MLMEThr_task)) ++ CHECK_PID_LEGALITY(pObj->MLMEThr_pid) + { +- printk(KERN_DEBUG "Terminate the MLMEThr pid=%d!\n", +- pid_nr(task_pid(pObj->MLMEThr_task))); ++ printk("Terminate the MLMEThr_pid=%d!\n", GET_PID_NUMBER(pObj->MLMEThr_pid)); + mb(); + pAd->mlme_kill = 1; + //RT28XX_MLME_HANDLER(pAd); + mb(); +- kthread_stop(pObj->MLMEThr_task); +- pObj->MLMEThr_task = NULL; ++ ret = KILL_THREAD_PID(pObj->MLMEThr_pid, SIGTERM, 1); ++ if (ret) ++ { ++ printk (KERN_WARNING "%s: unable to Mlme thread, pid=%d, ret=%d!\n", ++ pAd->net_dev->name, GET_PID_NUMBER(pObj->MLMEThr_pid), ret); ++ } ++ else ++ { ++ //wait_for_completion (&pAd->notify); ++ wait_for_completion (&pAd->mlmeComplete); ++ pObj->MLMEThr_pid = THREAD_PID_INIT_VALUE; ++ } + } + +- BUG_ON(pObj->RTUSBCmdThr_task == NULL); +- CHECK_PID_LEGALITY(task_pid(pObj->RTUSBCmdThr_task)) ++ CHECK_PID_LEGALITY(pObj->RTUSBCmdThr_pid) + { +- printk(KERN_DEBUG "Terminate the RTUSBCmdThr pid=%d!\n", +- pid_nr(task_pid(pObj->RTUSBCmdThr_task))); ++ printk("Terminate the RTUSBCmdThr_pid=%d!\n", 
GET_PID_NUMBER(pObj->RTUSBCmdThr_pid)); + mb(); + NdisAcquireSpinLock(&pAd->CmdQLock); + pAd->CmdQ.CmdQState = RT2870_THREAD_STOPED; + NdisReleaseSpinLock(&pAd->CmdQLock); + mb(); + //RTUSBCMDUp(pAd); +- kthread_stop(pObj->RTUSBCmdThr_task); +- pObj->RTUSBCmdThr_task = NULL; ++ ret = KILL_THREAD_PID(pObj->RTUSBCmdThr_pid, SIGTERM, 1); ++ if (ret) ++ { ++ printk(KERN_WARNING "%s: unable to RTUSBCmd thread, pid=%d, ret=%d!\n", ++ pAd->net_dev->name, GET_PID_NUMBER(pObj->RTUSBCmdThr_pid), ret); ++ } ++ else ++ { ++ //wait_for_completion (&pAd->notify); ++ wait_for_completion (&pAd->CmdQComplete); ++ pObj->RTUSBCmdThr_pid = THREAD_PID_INIT_VALUE; ++ } + } + + +@@ -1044,7 +1067,7 @@ BOOLEAN RT28XXChipsetCheck( + if (dev_p->descriptor.idVendor == rtusb_usb_id[i].idVendor && + dev_p->descriptor.idProduct == rtusb_usb_id[i].idProduct) + { +- printk(KERN_DEBUG "rt2870: idVendor = 0x%x, idProduct = 0x%x\n", ++ printk("rt2870: idVendor = 0x%x, idProduct = 0x%x\n", + dev_p->descriptor.idVendor, dev_p->descriptor.idProduct); + break; + } +--- a/drivers/staging/rt2870/common/2870_rtmp_init.c ++++ b/drivers/staging/rt2870/common/2870_rtmp_init.c +@@ -727,8 +727,8 @@ NDIS_STATUS AdapterBlockAllocateMemory( + + usb_dev = pObj->pUsb_Dev; + +- pObj->MLMEThr_task = NULL; +- pObj->RTUSBCmdThr_task = NULL; ++ pObj->MLMEThr_pid = THREAD_PID_INIT_VALUE; ++ pObj->RTUSBCmdThr_pid = THREAD_PID_INIT_VALUE; + + *ppAd = (PVOID)vmalloc(sizeof(RTMP_ADAPTER)); + +@@ -765,7 +765,7 @@ NDIS_STATUS CreateThreads( + { + PRTMP_ADAPTER pAd = net_dev->ml_priv; + POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie; +- struct task_struct *tsk; ++ pid_t pid_number = -1; + + //init_MUTEX(&(pAd->usbdev_semaphore)); + +@@ -779,39 +779,36 @@ NDIS_STATUS CreateThreads( + init_completion (&pAd->TimerQComplete); + + // Creat MLME Thread +- pObj->MLMEThr_task = NULL; +- tsk = kthread_run(MlmeThread, pAd, pAd->net_dev->name); +- +- if (IS_ERR(tsk)) { ++ pObj->MLMEThr_pid= THREAD_PID_INIT_VALUE; ++ pid_number = 
kernel_thread(MlmeThread, pAd, CLONE_VM); ++ if (pid_number < 0) ++ { + printk (KERN_WARNING "%s: unable to start Mlme thread\n",pAd->net_dev->name); + return NDIS_STATUS_FAILURE; + } +- +- pObj->MLMEThr_task = tsk; ++ pObj->MLMEThr_pid = GET_PID(pid_number); + // Wait for the thread to start + wait_for_completion(&(pAd->mlmeComplete)); + + // Creat Command Thread +- pObj->RTUSBCmdThr_task = NULL; +- tsk = kthread_run(RTUSBCmdThread, pAd, pAd->net_dev->name); +- +- if (IS_ERR(tsk) < 0) ++ pObj->RTUSBCmdThr_pid= THREAD_PID_INIT_VALUE; ++ pid_number = kernel_thread(RTUSBCmdThread, pAd, CLONE_VM); ++ if (pid_number < 0) + { + printk (KERN_WARNING "%s: unable to start RTUSBCmd thread\n",pAd->net_dev->name); + return NDIS_STATUS_FAILURE; + } +- +- pObj->RTUSBCmdThr_task = tsk; ++ pObj->RTUSBCmdThr_pid = GET_PID(pid_number); + wait_for_completion(&(pAd->CmdQComplete)); + +- pObj->TimerQThr_task = NULL; +- tsk = kthread_run(TimerQThread, pAd, pAd->net_dev->name); +- if (IS_ERR(tsk) < 0) ++ pObj->TimerQThr_pid= THREAD_PID_INIT_VALUE; ++ pid_number = kernel_thread(TimerQThread, pAd, CLONE_VM); ++ if (pid_number < 0) + { + printk (KERN_WARNING "%s: unable to start TimerQThread\n",pAd->net_dev->name); + return NDIS_STATUS_FAILURE; + } +- pObj->TimerQThr_task = tsk; ++ pObj->TimerQThr_pid = GET_PID(pid_number); + // Wait for the thread to start + wait_for_completion(&(pAd->TimerQComplete)); + +--- a/drivers/staging/rt2870/common/cmm_data.c ++++ b/drivers/staging/rt2870/common/cmm_data.c +@@ -709,6 +709,9 @@ BOOLEAN RTMP_FillTxBlkInfo( + } + + return TRUE; ++ ++FillTxBlkErr: ++ return FALSE; + } + + +--- a/drivers/staging/rt2870/common/rtmp_init.c ++++ b/drivers/staging/rt2870/common/rtmp_init.c +@@ -3655,7 +3655,7 @@ VOID UserCfgInit( + #ifdef RALINK_28xx_QA + //pAd->ate.Repeat = 0; + pAd->ate.TxStatus = 0; +- pAd->ate.AtePid = NULL; ++ pAd->ate.AtePid = THREAD_PID_INIT_VALUE; + #endif // RALINK_28xx_QA // + #endif // RALINK_ATE // + +--- 
a/drivers/staging/rt2870/common/rtusb_io.c ++++ b/drivers/staging/rt2870/common/rtusb_io.c +@@ -958,8 +958,7 @@ NDIS_STATUS RTUSBEnqueueCmdFromNdis( + POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie; + + +- BUG_ON(pObj->RTUSBCmdThr_task == NULL); +- CHECK_PID_LEGALITY(task_pid(pObj->RTUSBCmdThr_task)) ++ CHECK_PID_LEGALITY(pObj->RTUSBCmdThr_pid) + return (NDIS_STATUS_RESOURCES); + + status = RTMPAllocateMemory((PVOID *)&cmdqelmt, sizeof(CmdQElmt)); +--- a/drivers/staging/rt2870/rt2870.h ++++ b/drivers/staging/rt2870/rt2870.h +@@ -580,16 +580,14 @@ VOID RTUSBBulkRxComplete(purbb_t pUrb, s + #define RTUSBMlmeUp(pAd) \ + { \ + POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie; \ +- BUG_ON(pObj->MLMEThr_task == NULL); \ +- CHECK_PID_LEGALITY(task_pid(pObj->MLMEThr_task)) \ ++ CHECK_PID_LEGALITY(pObj->MLMEThr_pid) \ + up(&(pAd->mlme_semaphore)); \ + } + + #define RTUSBCMDUp(pAd) \ + { \ + POS_COOKIE pObj = (POS_COOKIE) pAd->OS_Cookie; \ +- BUG_ON(pObj->RTUSBCmdThr_task == NULL); \ +- CHECK_PID_LEGALITY(task_pid(pObj->RTUSBCmdThr_task)) \ ++ CHECK_PID_LEGALITY(pObj->RTUSBCmdThr_pid) \ + up(&(pAd->RTUSBCmd_semaphore)); \ + } + +--- a/drivers/staging/rt2870/rt_linux.h ++++ b/drivers/staging/rt2870/rt_linux.h +@@ -44,7 +44,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -166,12 +165,14 @@ typedef int (*HARD_START_XMIT_FUNC)(stru + + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27) + typedef struct pid * THREAD_PID; ++#define THREAD_PID_INIT_VALUE NULL + #define GET_PID(_v) find_get_pid(_v) + #define GET_PID_NUMBER(_v) pid_nr(_v) + #define CHECK_PID_LEGALITY(_pid) if (pid_nr(_pid) >= 0) + #define KILL_THREAD_PID(_A, _B, _C) kill_pid(_A, _B, _C) + #else + typedef pid_t THREAD_PID; ++#define THREAD_PID_INIT_VALUE -1 + #define GET_PID(_v) _v + #define GET_PID_NUMBER(_v) _v + #define CHECK_PID_LEGALITY(_pid) if (_pid >= 0) +@@ -187,11 +188,11 @@ struct os_lock { + struct os_cookie { + + #ifdef RT2870 +- struct usb_device *pUsb_Dev; ++ struct usb_device 
*pUsb_Dev; + +- struct task_struct *MLMEThr_task; +- struct task_struct *RTUSBCmdThr_task; +- struct task_struct *TimerQThr_task; ++ THREAD_PID MLMEThr_pid; ++ THREAD_PID RTUSBCmdThr_pid; ++ THREAD_PID TimerQThr_pid; + #endif // RT2870 // + + struct tasklet_struct rx_done_task; diff --git a/queue-2.6.30/usb-devio-properly-do-access_ok-checks.patch b/queue-2.6.30/usb-devio-properly-do-access_ok-checks.patch new file mode 100644 index 00000000000..f2cc684a6d1 --- /dev/null +++ b/queue-2.6.30/usb-devio-properly-do-access_ok-checks.patch 
@@ -0,0 +1,49 @@ +From 18753ebc8a98efe0e8ff6167afb31cef220c8e50 Mon Sep 17 00:00:00 2001 +From: Michael Buesch +Date: Wed, 29 Jul 2009 11:39:03 +0200 +Subject: USB: devio: Properly do access_ok() checks + +From: Michael Buesch + +commit 18753ebc8a98efe0e8ff6167afb31cef220c8e50 upstream. + +access_ok() checks must be done on every part of the userspace structure +that is accessed. If access_ok() on one part of the struct succeeded, it +does not imply it will succeed on other parts of the struct. (Does +depend on the architecture implementation of access_ok()). + +This changes the __get_user() users to first check access_ok() on the +data structure. + +Signed-off-by: Michael Buesch +Cc: Pete Zaitcev +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1308,7 +1308,8 @@ static int get_urb32(struct usbdevfs_urb + struct usbdevfs_urb32 __user *uurb) + { + __u32 uptr; +- if (get_user(kurb->type, &uurb->type) || ++ if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) || ++ __get_user(kurb->type, &uurb->type) || + __get_user(kurb->endpoint, &uurb->endpoint) || + __get_user(kurb->status, &uurb->status) || + __get_user(kurb->flags, &uurb->flags) || +@@ -1523,8 +1524,9 @@ static int proc_ioctl_compat(struct dev_ + u32 udata; + + uioc = compat_ptr((long)arg); +- if (get_user(ctrl.ifno, &uioc->ifno) || +- get_user(ctrl.ioctl_code, &uioc->ioctl_code) || ++ if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) || ++ __get_user(ctrl.ifno, &uioc->ifno) || ++ __get_user(ctrl.ioctl_code, &uioc->ioctl_code) || + __get_user(udata, &uioc->data)) + return -EFAULT; + ctrl.data = compat_ptr(udata); diff --git a/queue-2.6.30/usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch b/queue-2.6.30/usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch new file mode 100644 index 00000000000..e7ef716914b --- /dev/null 
+++ b/queue-2.6.30/usb-ftdi_sio-add-product_id-for-marvell-openrd-base-client.patch @@ -0,0 +1,47 @@ +From 50d0678e2026c18e4147f0b16b5853113659b82d Mon Sep 17 00:00:00 2001 +From: Dhaval Vasa +Date: Fri, 7 Aug 2009 17:26:49 +0530 +Subject: USB: ftdi_sio: add product_id for Marvell OpenRD Base, Client + +From: Dhaval Vasa + +commit 50d0678e2026c18e4147f0b16b5853113659b82d upstream. + +reference: +http://www.open-rd.org + +Signed-off-by: Dhaval Vasa +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio.h | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -673,6 +673,8 @@ static struct usb_device_id id_table_com + { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) }, ++ { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +--- a/drivers/usb/serial/ftdi_sio.h ++++ b/drivers/usb/serial/ftdi_sio.h +@@ -933,6 +933,13 @@ + #define BAYER_CONTOUR_CABLE_PID 0x6001 + + /* ++ * Marvell OpenRD Base, Client ++ * http://www.open-rd.org ++ * OpenRD Base, Client use VID 0x0403 ++ */ ++#define MARVELL_OPENRD_PID 0x9e90 ++ ++/* + * BmRequestType: 1100 0000b + * bRequest: FTDI_E2_READ + * wValue: 0 diff --git a/queue-2.6.30/usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch b/queue-2.6.30/usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch new file mode 100644 index 00000000000..091562cdcf6 --- /dev/null +++ b/queue-2.6.30/usb-ftdi_sio-add-vendor-and-product-id-for-bayer-glucose-meter-serial-converter-cable.patch 
@@ -0,0 +1,49 @@ +From c47aacc67a3d26dfab9c9b8965975ed2b2010b30 Mon Sep 17 00:00:00 2001 +From: Marko Hänninen +Date: Fri, 31 Jul 2009 22:32:39 +0300 +Subject: USB: ftdi_sio: add vendor and product id for Bayer glucose meter serial converter cable + +From: Marko Hänninen + +commit c47aacc67a3d26dfab9c9b8965975ed2b2010b30 upstream. + +Attached patch adds USB vendor and product IDs for Bayer's USB to serial +converter cable used by Bayer blood glucose meters. It seems to be a +FT232RL based device and works without any problem with ftdi_sio driver +when this patch is applied. See: http://winglucofacts.com/cables/ + + +Signed-off-by: Marko Hänninen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio.h | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -672,6 +672,7 @@ static struct usb_device_id id_table_com + { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) }, + { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +--- a/drivers/usb/serial/ftdi_sio.h ++++ b/drivers/usb/serial/ftdi_sio.h +@@ -926,6 +926,13 @@ + #define MARVELL_SHEEVAPLUG_PID 0x9e8f + + /* ++ * Bayer Ascensia Contour blood glucose meter USB-converter cable. ++ * http://winglucofacts.com/cables/ ++ */ ++#define BAYER_VID 0x1A79 ++#define BAYER_CONTOUR_CABLE_PID 0x6001 ++ ++/* + * BmRequestType: 1100 0000b + * bRequest: FTDI_E2_READ + * wValue: 0 diff --git a/queue-2.6.30/usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch b/queue-2.6.30/usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch new file mode 100644 index 00000000000..0f0fd5549d0 --- /dev/null +++ b/queue-2.6.30/usb-storage-include-prolific-technology-usb-drive-in-unusual_devs-list.patch 
@@ -0,0 +1,43 @@ +From c15e3ca1d822abba78c00b1ffc3e7b382a50396e Mon Sep 17 00:00:00 2001 +From: Rogerio Brito +Date: Thu, 6 Aug 2009 15:20:19 -0700 +Subject: USB: storage: include Prolific Technology USB drive in unusual_devs list + +From: Rogerio Brito + +commit c15e3ca1d822abba78c00b1ffc3e7b382a50396e upstream. + +Add a quirk entry for the Leading Driver UD-11 usb flash drive. + +As Alan Stern told me, the device doesn't deal correctly with the +locking media feature of the device, and this patch incorporates it. + +Compiled, tested, working. + +Signed-off-by: Rogerio Brito +Cc: Phil Dibowitz +Cc: Alan Stern +Cc: Robert Hancock +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -838,6 +838,13 @@ UNUSUAL_DEV( 0x066f, 0x8000, 0x0001, 0x0 + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_FIX_CAPACITY ), + ++/* Reported by Rogerio Brito */ ++UNUSUAL_DEV( 0x067b, 0x2317, 0x0001, 0x001, ++ "Prolific Technology, Inc.", ++ "Mass Storage Device", ++ US_SC_DEVICE, US_PR_DEVICE, NULL, ++ US_FL_NOT_LOCKABLE ), ++ + /* Reported by Richard -=[]=- */ + /* Change to bcdDeviceMin (0x0100 to 0x0001) reported by + * Thomas Bartosik */ diff --git a/queue-2.6.30/usb-usbfs-fix-enoent-error-code-to-be-enodev.patch b/queue-2.6.30/usb-usbfs-fix-enoent-error-code-to-be-enodev.patch new file mode 100644 index 00000000000..c5de6ef92b1 --- /dev/null +++ b/queue-2.6.30/usb-usbfs-fix-enoent-error-code-to-be-enodev.patch 
@@ -0,0 +1,32 @@ +From 01105a246345f011fde64d24a601090b646e9e4c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 30 Jul 2009 15:28:14 -0400 +Subject: USB: usbfs: fix -ENOENT error code to be -ENODEV + +From: Alan Stern + +commit 01105a246345f011fde64d24a601090b646e9e4c upstream. + +This patch (as1272) changes the error code returned when an open call +for a USB device node fails to locate the corresponding device. The +appropriate error code is -ENODEV, not -ENOENT. + +Signed-off-by: Alan Stern +CC: Kay Sievers +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -582,7 +582,7 @@ static int usbdev_open(struct inode *ino + if (!ps) + goto out; + +- ret = -ENOENT; ++ ret = -ENODEV; + + /* usbdev device-node */ + if (imajor(inode) == USB_DEVICE_MAJOR) diff --git a/queue-2.6.30/x86-fix-vmi-stack-protector.patch b/queue-2.6.30/x86-fix-vmi-stack-protector.patch new file mode 100644 index 00000000000..66c73055663 --- /dev/null +++ b/queue-2.6.30/x86-fix-vmi-stack-protector.patch 
@@ -0,0 +1,38 @@ +From 7d5b005652bc5ae3e1e0efc53fd0e25a643ec506 Mon Sep 17 00:00:00 2001 +From: Alok Kataria +Date: Tue, 4 Aug 2009 15:34:22 -0700 +Subject: x86: Fix VMI && stack protector + +From: Alok Kataria + +commit 7d5b005652bc5ae3e1e0efc53fd0e25a643ec506 upstream. + +With CONFIG_STACK_PROTECTOR turned on, VMI doesn't boot with +more than one processor. The problem is with the gs value not +being initialized correctly when registering the secondary +processor for VMI's case. + +The patch below initializes the gs value for the AP to +__KERNEL_STACK_CANARY. Without this the secondary processor +keeps on taking a GP on every gs access. + +Signed-off-by: Alok N Kataria +LKML-Reference: <1249425262.18955.40.camel@ank32.eng.vmware.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/vmi_32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/vmi_32.c ++++ b/arch/x86/kernel/vmi_32.c +@@ -441,7 +441,7 @@ vmi_startup_ipi_hook(int phys_apicid, un + ap.ds = __USER_DS; + ap.es = __USER_DS; + ap.fs = __KERNEL_PERCPU; +- ap.gs = 0; ++ ap.gs = __KERNEL_STACK_CANARY; + + ap.eflags = 0; +
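
Review bot: In the fs/compat_ioctl.c hunk of compat_ioctl-hook-up-compat-handler-for-fiemap-ioctl.patch, the commit message names the ioctl FIEMAP_IOC_FIEMAP while the added line is "COMPATIBLE_IOCTL(FS_IOC_FIEMAP)", so a search for the name used in the message will not find the code. Use FS_IOC_FIEMAP in the message. The entry is safe only as long as the structure keeps the same layout for 32-bit and 64-bit callers, which the message asserts but the code does not record; a short comment beside the entry would keep a later field addition from silently breaking that assumption.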
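
Review bot: In the kernel/fork.c hunk of execve-must-clear-current-clear_child_tid.patch, "tsk->clear_child_tid = NULL;" now sits outside the PF_SIGNALED / mm_users > 1 test, but the comment kept above the block still explains only the exit case ("Userland only wants this done for a sys_exit"). Add a sentence there saying the pointer is dropped unconditionally so that a user address from the old address space cannot survive execve(). The fix also depends on mm_release() being reached on the exec path, which no line of this hunk shows; naming that caller in the comment would make the dependency explicit.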
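
Review bot: In the fs/binfmt_flat.c hunk of flat-fix-uninitialized-ptr-with-shared-libs.patch, "abort_creds(bprm.cred);" runs after load_flat_file() on the success path as well as on failure. If that is intended because nothing in this function commits the prepared credentials, a one-line comment above the call should say so; as written it reads like an error path that is missing its success branch. The "out:" label also calls allow_write_access() and fput() without the old "if (bprm.file)" guard, which is correct only because of the early IS_ERR(bprm.file) return in the context lines, so the two need to stay in step if the open path changes.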
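
Review bot: In the RT28xxThreadTerminate hunk of the rt2870 revert (2870_main_dev.c), each thread handle is reset with "pObj->TimerQThr_pid = THREAD_PID_INIT_VALUE;" (likewise MLMEThr_pid and RTUSBCmdThr_pid) without releasing it first, and on kernels >= 2.6.27 the handle comes from "#define GET_PID(_v) find_get_pid(_v)" in rt_linux.h, which takes a reference on the struct pid. No put_pid() appears in any hunk of this patch, so the reference looks leaked on every terminate, and in the "if (ret)" branches the stale handle is kept as well. Suggest adding a release macro next to GET_PID and calling it before the reset in both branches. The three "Terminate the ..." printk() calls also lose their KERN_DEBUG level here, and "ret" is used without a declaration visible in the hunk.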
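
Review bot: In the CreateThreads hunk of the rt2870 revert (common/2870_rtmp_init.c), the second and third "if (pid_number < 0)" branches return NDIS_STATUS_FAILURE without stopping the threads already started, so a failure to start RTUSBCmdThread leaves MlmeThread running with its handle stored in pObj->MLMEThr_pid. Either unwind the earlier threads before returning, or document at the top of the function that the caller must run the terminate routine on failure.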
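
Review bot: In the common/cmm_data.c hunk of the rt2870 revert, the added "FillTxBlkErr:" label follows "return TRUE;" and no "goto FillTxBlkErr" is visible in the hunk. If the only jumps to it sit under a configuration option, say so in a comment; if nothing jumps to it, the label and its "return FALSE;" are dead code and will draw an unused-label warning.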
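
Review bot: In the proc_ioctl_compat hunk of usb-devio-properly-do-access_ok-checks.patch, the new "access_ok(VERIFY_READ, uioc, sizeof(*uioc))" covers only the compat ioctl structure itself; the line right after the check, "ctrl.data = compat_ptr(udata);", produces a second user pointer that this check says nothing about. A comment noting that ctrl.data must be validated by whatever dereferences it would stop a reader from assuming the up-front check extends to it. The same discipline applies in the get_urb32 hunk: every __get_user() in the chain has to read a field of *uurb, and any read added later through a different pointer needs its own access_ok().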
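
Review bot: In the drivers/usb/storage/unusual_devs.h hunk, the new entry gives the revision range as "0x0001, 0x001"; the upper bound is written with three hex digits next to a four-digit lower bound, so it reads like a typo even though the value is the same. Write it as 0x0001 if the quirk is meant for that single revision, or widen the range if other revisions of the device also mishandle media locking. The subject names a Prolific Technology drive while the message body calls it the Leading Driver UD-11; putting the product name in the "Reported by" comment would tie the two together.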
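
Review bot: In the arch/x86/kernel/vmi_32.c hunk, "ap.gs = __KERNEL_STACK_CANARY;" is assigned unconditionally, while the commit message describes a failure that occurs with CONFIG_STACK_PROTECTOR turned on. The hunk does not show what __KERNEL_STACK_CANARY evaluates to when the option is off; please confirm the old "ap.gs = 0" behaviour is preserved in that configuration and add a short comment on the line saying that the AP needs a valid gs before its first canary access.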