From: Greg Kroah-Hartman Date: Fri, 6 Nov 2009 22:06:44 +0000 (-0800) Subject: start 2.6.27.39 review cycle X-Git-Tag: v2.6.31.6~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7e9c118053a1d9220bcf5f5db999e077a407255;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.27.39 review cycle --- diff --git a/queue-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch b/review-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch similarity index 100% rename from queue-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch rename to review-2.6.27/8250_pci-add-ibm-saturn-serial-card.patch diff --git a/queue-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch b/review-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch similarity index 100% rename from queue-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch rename to review-2.6.27/af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch diff --git a/queue-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch b/review-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch similarity index 100% rename from queue-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch rename to review-2.6.27/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch diff --git a/queue-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch b/review-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch similarity index 100% rename from queue-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch rename to review-2.6.27/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch diff --git a/queue-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch b/review-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch similarity index 100% rename from queue-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch rename to review-2.6.27/bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch diff --git a/queue-2.6.27/dpt_i2o-fix-typo-of-einval.patch b/review-2.6.27/dpt_i2o-fix-typo-of-einval.patch similarity index 100% rename from queue-2.6.27/dpt_i2o-fix-typo-of-einval.patch rename to review-2.6.27/dpt_i2o-fix-typo-of-einval.patch diff --git a/queue-2.6.27/dpt_i2o-fix-up-copy-user.patch b/review-2.6.27/dpt_i2o-fix-up-copy-user.patch similarity index 100% rename from queue-2.6.27/dpt_i2o-fix-up-copy-user.patch rename to review-2.6.27/dpt_i2o-fix-up-copy-user.patch diff --git a/queue-2.6.27/driver-core-fix-driver_register-return-value.patch b/review-2.6.27/driver-core-fix-driver_register-return-value.patch similarity index 100% rename from queue-2.6.27/driver-core-fix-driver_register-return-value.patch rename to review-2.6.27/driver-core-fix-driver_register-return-value.patch diff --git a/queue-2.6.27/fs-pipe.c-null-pointer-dereference.patch b/review-2.6.27/fs-pipe.c-null-pointer-dereference.patch similarity index 100% rename from queue-2.6.27/fs-pipe.c-null-pointer-dereference.patch rename to review-2.6.27/fs-pipe.c-null-pointer-dereference.patch diff --git a/queue-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch b/review-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch similarity index 100% rename from queue-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch rename to review-2.6.27/hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch diff --git a/queue-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch b/review-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch similarity index 100% rename from queue-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch rename to review-2.6.27/input-synaptics-add-another-protege-m300-to-rate-blacklist.patch diff --git a/queue-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch b/review-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch similarity index 100% rename from queue-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch rename to review-2.6.27/irda-add-irda_skb_cb-qdisc-related-padding.patch diff --git a/queue-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch b/review-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch similarity index 100% rename from queue-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch rename to review-2.6.27/kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch diff --git a/queue-2.6.27/libata-fix-internal-command-failure-handling.patch b/review-2.6.27/libata-fix-internal-command-failure-handling.patch similarity index 100% rename from queue-2.6.27/libata-fix-internal-command-failure-handling.patch rename to review-2.6.27/libata-fix-internal-command-failure-handling.patch diff --git a/queue-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch b/review-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch similarity index 100% rename from queue-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch rename to review-2.6.27/libertas-if_usb-fix-crash-on-64-bit-machines.patch diff --git a/queue-2.6.27/mbind-fix-leak-of-never-putback-pages.patch b/review-2.6.27/mbind-fix-leak-of-never-putback-pages.patch similarity index 100% rename from queue-2.6.27/mbind-fix-leak-of-never-putback-pages.patch rename to review-2.6.27/mbind-fix-leak-of-never-putback-pages.patch diff --git a/review-2.6.27/mbox b/review-2.6.27/mbox new file mode 100644 index 00000000000..620f4e12097 --- /dev/null +++ b/review-2.6.27/mbox @@ -0,0 +1,2390 @@ +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215950.184976817@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:04 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Benjamin Herrenschmidt , + Alan Cox , + Michael Reed +Subject: [01/30] 8250_pci: add IBM Saturn serial card +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=8250_pci-add-ibm-saturn-serial-card.patch +Content-Length: 2147 +Lines: 69 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Benjamin Herrenschmidt + +commit c68d2b1594548cda7f6dbac6a4d9d30a9b01558c upstream. + +The IBM Saturn serial card has only one port. Without that fixup, +the kernel thinks it has two, which confuses userland setup and +admin tools as well. + +[akpm@linux-foundation.org: fix pci-ids.h layout] +Signed-off-by: Benjamin Herrenschmidt +Acked-by: Alan Cox +Cc: Michael Reed +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Alan Cox +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/8250_pci.c | 11 +++++++++++ + include/linux/pci_ids.h | 3 +++ + 2 files changed, 14 insertions(+) + +--- a/drivers/serial/8250_pci.c ++++ b/drivers/serial/8250_pci.c +@@ -1218,6 +1218,7 @@ enum pci_board_num_t { + pbn_exar_XR17C152, + pbn_exar_XR17C154, + pbn_exar_XR17C158, ++ pbn_exar_ibm_saturn, + pbn_pasemi_1682M, + }; + +@@ -1746,6 +1747,13 @@ static struct pciserial_board pci_boards + .base_baud = 921600, + .uart_offset = 0x200, + }, ++ [pbn_exar_ibm_saturn] = { ++ .flags = FL_BASE0, ++ .num_ports = 1, ++ .base_baud = 921600, ++ .uart_offset = 0x200, ++ }, ++ + /* + * PA Semi PWRficient PA6T-1682M on-chip UART + */ +@@ -2217,6 +2225,9 @@ static struct pci_device_id serial_pci_t + PCI_SUBVENDOR_ID_CONNECT_TECH, + PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_485, 0, 0, + pbn_b0_8_1843200_200 }, ++ { PCI_VENDOR_ID_EXAR, PCI_DEVICE_ID_EXAR_XR17C152, ++ PCI_VENDOR_ID_IBM, PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT, ++ 0, 0, pbn_exar_ibm_saturn }, + + { PCI_VENDOR_ID_SEALEVEL, PCI_DEVICE_ID_SEALEVEL_U530, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -478,6 +478,9 @@ + #define PCI_DEVICE_ID_IBM_ICOM_V2_ONE_PORT_RVX_ONE_PORT_MDM_PCIE 0x0361 + #define PCI_DEVICE_ID_IBM_ICOM_FOUR_PORT_MODEL 0x252 + ++#define PCI_SUBVENDOR_ID_IBM 0x1014 ++#define PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT 0x03d4 ++ + #define PCI_VENDOR_ID_UNISYS 0x1018 + #define PCI_DEVICE_ID_UNISYS_DMA_DIRECTOR 0x001C + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215950.309655651@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:05 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Larry Finger , + "John W. Linville" +Subject: [02/30] b43: Fix Bugzilla #14181 and the bug from the previous fix +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch +Content-Length: 1322 +Lines: 35 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Larry Finger + +commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream. + +"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported +in Bugzilla No. 14181; however, it introduced a new bug. Whenever the +radio switch was turned off, it was necessary to unload and reload +the driver for it to recognize the switch again. + +This patch fixes both the original bug in #14181 and the bug introduced by +the previous patch. It must be stated, however, that if there is a BCM4306/3 +with an rfkill switch (not yet proven), then the driver will need an +unload/reload cycle to turn the device back on. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/b43/rfkill.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/b43/rfkill.c ++++ b/drivers/net/wireless/b43/rfkill.c +@@ -36,7 +36,8 @@ static bool b43_is_hw_radio_enabled(stru + & B43_MMIO_RADIO_HWENABLED_HI_MASK)) + return 1; + } else { +- if (b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO) ++ if (b43_status(dev) >= B43_STAT_STARTED && ++ b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO) + & B43_MMIO_RADIO_HWENABLED_LO_MASK) + return 1; + } + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215950.444170520@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:06 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Cox +Subject: [03/30] dpt_i2o: Fix up copy*user +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=dpt_i2o-fix-up-copy-user.patch +Content-Length: 680 +Lines: 26 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Alan Cox + +commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 upstream. + +Signed-off-by: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/dpt_i2o.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/dpt_i2o.c ++++ b/drivers/scsi/dpt_i2o.c +@@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* p + } + size = size>>16; + size *= 4; ++ if (size > MAX_MESSAGE_SIZE) { ++ rcode = EINVAL; ++ goto cleanup; ++ } + /* Copy in the user's I2O command */ + if (copy_from_user (msg, user_msg, size)) { + rcode = -EFAULT; + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215950.565514514@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:07 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + OGAWA Hirofumi , + Alan Cox +Subject: [04/30] dpt_i2o: Fix typo of EINVAL +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=dpt_i2o-fix-typo-of-einval.patch +Content-Length: 824 +Lines: 28 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: OGAWA Hirofumi + +commit aefba418bfecd1985a08f50a95bd854a119f0153 upstream. + +Commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 ("dpt_i2o: Fix up +copy*user") had a silly typo: EINVAL should be -EINVAL. + +Signed-off-by: OGAWA Hirofumi +Cc: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/dpt_i2o.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/dpt_i2o.c ++++ b/drivers/scsi/dpt_i2o.c +@@ -1919,7 +1919,7 @@ static int adpt_i2o_passthru(adpt_hba* p + size = size>>16; + size *= 4; + if (size > MAX_MESSAGE_SIZE) { +- rcode = EINVAL; ++ rcode = -EINVAL; + goto cleanup; + } + /* Copy in the user's I2O command */ + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215950.692406972@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:08 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Stas Sergeev +Subject: [05/30] Driver core: fix driver_register() return value +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=driver-core-fix-driver_register-return-value.patch +Content-Length: 1078 +Lines: 31 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Stas Sergeev + +commit 39acbc12affcaa23ef1d887ba3d197baca8e6e47 upstream. + +In this patch: +http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16dc42e018c2868211b4928f20a957c0c216126c +the check was added for another driver to already claim the same device +on the same bus. But the returned error code was wrong: to modprobe, the +-EEXIST means that _this_ driver is already installed. It therefore +doesn't produce the needed error message when _another_ driver is trying +to register for the same device. Returning -EBUSY fixes the problem. + +Signed-off-by: Stas Sergeev +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/driver.c ++++ b/drivers/base/driver.c +@@ -227,7 +227,7 @@ int driver_register(struct device_driver + put_driver(other); + printk(KERN_ERR "Error: Driver '%s' is already registered, " + "aborting...\n", drv->name); +- return -EEXIST; ++ return -EBUSY; + } + + ret = bus_add_driver(drv); + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215950.827974192@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:09 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Earl Chew +Subject: [06/30] fs: pipe.c null pointer dereference +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=fs-pipe.c-null-pointer-dereference.patch +Content-Length: 3550 +Lines: 131 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Earl Chew + +commit ad3960243e55320d74195fb85c975e0a8cc4466c upstream. + +This patch fixes a null pointer exception in pipe_rdwr_open() which +generates the stack trace: + +> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP: +> [] pipe_rdwr_open+0x35/0x70 +> [] __dentry_open+0x13c/0x230 +> [] do_filp_open+0x2d/0x40 +> [] do_sys_open+0x5a/0x100 +> [] sysenter_do_call+0x1b/0x67 + +The failure mode is triggered by an attempt to open an anonymous +pipe via /proc/pid/fd/* as exemplified by this script: + +============================================================= +while : ; do + { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } & + PID=$! + OUT=$(ps -efl | grep 'sleep 1' | grep -v grep | + { read PID REST ; echo $PID; } ) + OUT="${OUT%% *}" + DELAY=$((RANDOM * 1000 / 32768)) + usleep $((DELAY * 1000 + RANDOM % 1000 )) + echo n > /proc/$OUT/fd/1 # Trigger defect +done +============================================================= + +Note that the failure window is quite small and I could only +reliably reproduce the defect by inserting a small delay +in pipe_rdwr_open(). For example: + + static int + pipe_rdwr_open(struct inode *inode, struct file *filp) + { + msleep(100); + mutex_lock(&inode->i_mutex); + +Although the defect was observed in pipe_rdwr_open(), I think it +makes sense to replicate the change through all the pipe_*_open() +functions. + +The core of the change is to verify that inode->i_pipe has not +been released before attempting to manipulate it. If inode->i_pipe +is no longer present, return ENOENT to indicate so. + +The comment about potentially using atomic_t for i_pipe->readers +and i_pipe->writers has also been removed because it is no longer +relevant in this context. The inode->i_mutex lock must be used so +that inode->i_pipe can be dealt with correctly. + +Signed-off-by: Earl Chew +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/pipe.c | 41 ++++++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -742,36 +742,55 @@ pipe_rdwr_release(struct inode *inode, s + static int + pipe_read_open(struct inode *inode, struct file *filp) + { +- /* We could have perhaps used atomic_t, but this and friends +- below are the only places. So it doesn't seem worthwhile. */ ++ int ret = -ENOENT; ++ + mutex_lock(&inode->i_mutex); +- inode->i_pipe->readers++; ++ ++ if (inode->i_pipe) { ++ ret = 0; ++ inode->i_pipe->readers++; ++ } ++ + mutex_unlock(&inode->i_mutex); + +- return 0; ++ return ret; + } + + static int + pipe_write_open(struct inode *inode, struct file *filp) + { ++ int ret = -ENOENT; ++ + mutex_lock(&inode->i_mutex); +- inode->i_pipe->writers++; ++ ++ if (inode->i_pipe) { ++ ret = 0; ++ inode->i_pipe->writers++; ++ } ++ + mutex_unlock(&inode->i_mutex); + +- return 0; ++ return ret; + } + + static int + pipe_rdwr_open(struct inode *inode, struct file *filp) + { ++ int ret = -ENOENT; ++ + mutex_lock(&inode->i_mutex); +- if (filp->f_mode & FMODE_READ) +- inode->i_pipe->readers++; +- if (filp->f_mode & FMODE_WRITE) +- inode->i_pipe->writers++; ++ ++ if (inode->i_pipe) { ++ ret = 0; ++ if (filp->f_mode & FMODE_READ) ++ inode->i_pipe->readers++; ++ if (filp->f_mode & FMODE_WRITE) ++ inode->i_pipe->writers++; ++ } ++ + mutex_unlock(&inode->i_mutex); + +- return 0; ++ return ret; + } + + /* + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215950.946752422@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:10 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ben Hutchings , + Eric Sesterhenn , + Roman Zippel +Subject: [07/30] hfsplus: refuse to mount volumes larger than 2TB +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch +Content-Length: 1480 +Lines: 43 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Ben Hutchings + +commit 5c36fe3d87b3f0c85894a49193c66096a3d6b26f upstream. + +As found in , hfsplus is using type u32 +rather than sector_t for some sector number calculations. + +In particular, hfsplus_get_block() does: + + u32 ablock, dblock, mask; +... + map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask)); + +I am not confident that I can find and fix all cases where a sector number +may be truncated. For now, avoid data loss by refusing to mount HFS+ +volumes with more than 2^32 sectors (2TB). + +[akpm@linux-foundation.org: fix 32 and 64-bit issues] +Signed-off-by: Ben Hutchings +Cc: Eric Sesterhenn +Cc: Roman Zippel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hfsplus/wrapper.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/hfsplus/wrapper.c ++++ b/fs/hfsplus/wrapper.c +@@ -99,6 +99,10 @@ int hfsplus_read_wrapper(struct super_bl + + if (hfsplus_get_last_session(sb, &part_start, &part_size)) + return -EINVAL; ++ if ((u64)part_start + part_size > 0x100000000ULL) { ++ pr_err("hfs: volumes larger than 2TB are not supported yet\n"); ++ return -EINVAL; ++ } + while (1) { + bh = sb_bread512(sb, part_start + HFSPLUS_VOLHEAD_SECTOR, vhdr); + if (!bh) + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.081519349@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:11 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Dmitry Torokhov +Subject: [08/30] Input: synaptics - add another Protege M300 to rate blacklist +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=input-synaptics-add-another-protege-m300-to-rate-blacklist.patch +Content-Length: 1080 +Lines: 38 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Dmitry Torokhov + +commit 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 upstream. + +Apparently some of Toshiba Protege M300 identify themselves as +"Portable PC" in DMI so we need to add that to the DMI table as +well. We need DMI data so we can automatically lower Synaptics +reporting rate from 80 to 40 pps to avoid over-taxing their +keyboard controllers. + +Tested-by: Rod Davison +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/synaptics.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -623,6 +623,16 @@ static const struct dmi_system_id toshib + DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), + DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"), + }, ++ ++ }, ++ { ++ .ident = "Toshiba Portege M300", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"), ++ }, ++ + }, + { } + }; + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.213173511@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:12 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tejun Heo , + Jeff Garzik +Subject: [09/30] libata: fix internal command failure handling +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=libata-fix-internal-command-failure-handling.patch +Content-Length: 1544 +Lines: 47 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Tejun Heo + +commit f4b31db92d163df8a639f5a8c8633bdeb6e8432d upstream. + +When an internal command fails, it should be failed directly without +invoking EH. In the original implemetation, this was accomplished by +letting internal command bypass failure handling in ata_qc_complete(). +However, later changes added post-successful-completion handling to +that code path and the success path is no longer adequate as internal +command failure path. One of the visible problems is that internal +command failure due to timeout or other freeze conditions would +spuriously trigger WARN_ON_ONCE() in the success path. + +This patch updates failure path such that internal command failure +handling is contained there. + +Signed-off-by: Tejun Heo +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4747,12 +4747,14 @@ void ata_qc_complete(struct ata_queued_c + qc->flags |= ATA_QCFLAG_FAILED; + + if (unlikely(qc->flags & ATA_QCFLAG_FAILED)) { +- if (!ata_tag_internal(qc->tag)) { +- /* always fill result TF for failed qc */ +- fill_result_tf(qc); ++ /* always fill result TF for failed qc */ ++ fill_result_tf(qc); ++ ++ if (!ata_tag_internal(qc->tag)) + ata_qc_schedule_eh(qc); +- return; +- } ++ else ++ __ata_qc_complete(qc); ++ return; + } + + /* read result TF if requested */ + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.349463309@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:13 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Woodhouse , + "David S. Miller" , + "John W. Linville" +Subject: [10/30] libertas if_usb: Fix crash on 64-bit machines +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=libertas-if_usb-fix-crash-on-64-bit-machines.patch +Content-Length: 1455 +Lines: 37 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: David Woodhouse + +commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream. + +On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas +usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting +crashes. Fix that by using skb->data instead. + +This highlights a problem with usb_fill_bulk_urb(). It doesn't notice +when dma_map_single() fails and return the error to its caller as it +should. In fact it _can't_ currently return the error, since it returns +void. + +So this problem was showing up only at unmap time, after we'd already +suffered memory corruption by doing DMA to a bogus address. + +Signed-off-by: David Woodhouse +Acked-by: David S. Miller +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/libertas/if_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/libertas/if_usb.c ++++ b/drivers/net/wireless/libertas/if_usb.c +@@ -443,7 +443,7 @@ static int __if_usb_submit_rx_urb(struct + /* Fill the receive configuration URB and initialise the Rx call back */ + usb_fill_bulk_urb(cardp->rx_urb, cardp->udev, + usb_rcvbulkpipe(cardp->udev, cardp->ep_in), +- (void *) (skb->tail + (size_t) IPFIELD_ALIGN_OFFSET), ++ skb->data + IPFIELD_ALIGN_OFFSET, + MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, + cardp); + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.465536726@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:14 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + KOSAKI Motohiro , + Christoph Lameter +Subject: [11/30] mbind(): fix leak of never putback pages +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=mbind-fix-leak-of-never-putback-pages.patch +Content-Length: 2098 +Lines: 101 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: KOSAKI Motohiro + +commit ab8a3e14e6f8e567560f664bbd29aefb306a274e upstream. + +If mbind() receives an invalid address, do_mbind leaks a page. The +following test program detects this leak. + +This patch fixes it. + +migrate_efault.c +======================================= + #include + #include + #include + #include + #include + #include + #include + +static unsigned long pagesize; + +static void* make_hole_mapping(void) +{ + + void* addr; + + addr = mmap(NULL, pagesize*3, PROT_READ|PROT_WRITE, + MAP_ANON|MAP_PRIVATE, 0, 0); + if (addr == MAP_FAILED) + return NULL; + + /* make page populate */ + memset(addr, 0, pagesize*3); + + /* make memory hole */ + munmap(addr+pagesize, pagesize); + + return addr; +} + +int main(int argc, char** argv) +{ + void* addr; + int ch; + int node; + struct bitmask *nmask = numa_allocate_nodemask(); + int err; + int node_set = 0; + + while ((ch = getopt(argc, argv, "n:")) != -1){ + switch (ch){ + case 'n': + node = strtol(optarg, NULL, 0); + numa_bitmask_setbit(nmask, node); + node_set = 1; + break; + default: + ; + } + } + argc -= optind; + argv += optind; + + if (!node_set) + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + addr = make_hole_mapping(); + + err = mbind(addr, pagesize*3, MPOL_BIND, nmask->maskp, nmask->size, MPOL_MF_MOVE_ALL); + if (err) + perror("mbind "); + + return 0; +} +======================================= + +Signed-off-by: KOSAKI Motohiro +Acked-by: Christoph Lameter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mempolicy.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -985,7 +985,8 @@ static long do_mbind(unsigned long start + + if (!err && nr_failed && (flags & MPOL_MF_STRICT)) + err = -EIO; +- } ++ } else ++ putback_lru_pages(&pagelist); + + up_write(&mm->mmap_sem); + mpol_put(new); + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.589569188@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:15 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Cox +Subject: [12/30] ray_cs: Fix copy_from_user handling +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=ray_cs-fix-copy_from_user-handling.patch +Content-Length: 779 +Lines: 26 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Alan Cox + +commit 575c9ed7798218dc923f319c0d78f0c25ca506b9 upstream. + +I've not touched the other stuff here but the word "locking" comes to mind. + +Signed-off-by: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ray_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -2758,7 +2758,7 @@ static void raycs_write(const char *name + static int write_essid(struct file *file, const char __user *buffer, unsigned long count, void *data) + { + static char proc_essid[33]; +- int len = count; ++ unsigned int len = count; + + if (len > 32) + len = 32; + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.713217304@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:16 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Len Brown , + Chuck Ebbert +Subject: [13/30] Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible" +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch +Content-Length: 1211 +Lines: 45 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Len Brown + +commit f61f925859c57f6175082aeeee17743c68558a6e upstream. + +This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af. + +http://bugzilla.kernel.org/show_bug.cgi?id=13002 + +Signed-off-by: Len Brown +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/scan.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1262,16 +1262,6 @@ acpi_add_single_object(struct acpi_devic + acpi_device_set_id(device, parent, handle, type); + + /* +- * The ACPI device is attached to acpi handle before getting +- * the power/wakeup/peformance flags. Otherwise OS can't get +- * the corresponding ACPI device by the acpi handle in the course +- * of getting the power/wakeup/performance flags. +- */ +- result = acpi_device_set_context(device, type); +- if (result) +- goto end; +- +- /* + * Power Management + * ---------------- + */ +@@ -1301,6 +1291,8 @@ acpi_add_single_object(struct acpi_devic + goto end; + } + ++ if ((result = acpi_device_set_context(device, type))) ++ goto end; + + result = acpi_device_register(device, parent); + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009 +Message-Id: <20091106215951.841486806@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:17 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Alan Cox +Subject: [14/30] tty: Mark generic_serial users as BROKEN +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=tty-mark-generic_serial-users-as-broken.patch +Content-Length: 2444 +Lines: 73 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Alan Cox + +commit 412145947adfca60a4b5b4893fbae82dffa25edd upstream. + +There isn't much else I can do with these. I can find no hardware for any +of them and no users. The code is broken. + +Signed-off-by: Alan Cox +Signed-off-by: Greg Kroah-Hartman + +--- + arch/m68k/Kconfig | 6 +++--- + drivers/char/Kconfig | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/m68k/Kconfig ++++ b/arch/m68k/Kconfig +@@ -572,7 +572,7 @@ config HPAPCI + + config MVME147_SCC + bool "SCC support for MVME147 serial ports" +- depends on MVME147 ++ depends on MVME147 && BROKEN + help + This is the driver for the serial ports on the Motorola MVME147 + boards. Everyone using one of these boards should say Y here. +@@ -587,14 +587,14 @@ config SERIAL167 + + config MVME162_SCC + bool "SCC support for MVME162 serial ports" +- depends on MVME16x ++ depends on MVME16x && BROKEN + help + This is the driver for the serial ports on the Motorola MVME162 and + 172 boards. Everyone using one of these boards should say Y here. + + config BVME6000_SCC + bool "SCC support for BVME6000 serial ports" +- depends on BVME6000 ++ depends on BVME6000 && BROKEN + help + This is the driver for the serial ports on the BVME4000 and BVME6000 + boards from BVM Ltd. Everyone using one of these boards should say +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -310,7 +310,7 @@ config SPECIALIX + + config SX + tristate "Specialix SX (and SI) card support" +- depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA) ++ depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA) && BROKEN + help + This is a driver for the SX and SI multiport serial cards. + Please read the file for details. +@@ -321,7 +321,7 @@ config SX + + config RIO + tristate "Specialix RIO system support" +- depends on SERIAL_NONSTANDARD ++ depends on SERIAL_NONSTANDARD && BROKEN + help + This is a driver for the Specialix RIO, a smart serial card which + drives an outboard box that can support up to 128 ports. Product +@@ -382,7 +382,7 @@ config NOZOMI + + config A2232 + tristate "Commodore A2232 serial support (EXPERIMENTAL)" +- depends on EXPERIMENTAL && ZORRO && BROKEN_ON_SMP ++ depends on EXPERIMENTAL && ZORRO && BROKEN + ---help--- + This option supports the 2232 7-port serial card shipped with the + Amiga 2000 and other Zorro-bus machines, dating from 1989. At + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215951.964924845@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:18 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jan Beulich , + Roland McGrath , + Ingo Molnar +Subject: [15/30] x86-64: Fix register leak in 32-bit syscall audting +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=x86-64-fix-register-leak-in-32-bit-syscall-audting.patch +Content-Length: 1651 +Lines: 50 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Jan Beulich + +commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream. + +Restoring %ebp after the call to audit_syscall_exit() is not +only unnecessary (because the register didn't get clobbered), +but in the sysenter case wasn't even doing the right thing: It +loaded %ebp from a location below the top of stack (RBP < +ARGOFFSET), i.e. arbitrary kernel data got passed back to user +mode in the register. + +Signed-off-by: Jan Beulich +Acked-by: Roland McGrath +LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -204,7 +204,7 @@ sysexit_from_sys_call: + movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */ + .endm + +- .macro auditsys_exit exit,ebpsave=RBP ++ .macro auditsys_exit exit + testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) + jnz ia32_ret_from_sys_call + TRACE_IRQS_ON +@@ -217,7 +217,6 @@ sysexit_from_sys_call: + call audit_syscall_exit + GET_THREAD_INFO(%r10) + movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */ +- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */ + movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi + cli + TRACE_IRQS_OFF +@@ -351,7 +350,7 @@ cstar_auditsys: + jmp cstar_dispatch + + sysretl_audit: +- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */ ++ auditsys_exit sysretl_from_sys_call + #endif + + cstar_tracesys: + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.100901703@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:19 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Tomoki Sekiyama , + Masanori Yoshida , + Chuck Ebbert , + "David S. Miller" +Subject: [16/30] AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621) +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch +Content-Length: 2533 +Lines: 85 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Tomoki Sekiyama + +commit 77238f2b942b38ab4e7f3aced44084493e4a8675 upstream. + +I found a deadlock bug in UNIX domain socket, which makes able to DoS +attack against the local machine by non-root users. + +How to reproduce: +1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct + namespace(*), and shutdown(2) it. + 2. Repeat connect(2)ing to the listening socket from the other sockets + until the connection backlog is full-filled. + 3. connect(2) takes the CPU forever. If every core is taken, the + system hangs. + +PoC code: (Run as many times as cores on SMP machines.) + +int main(void) +{ + int ret; + int csd; + int lsd; + struct sockaddr_un sun; + + /* make an abstruct name address (*) */ + memset(&sun, 0, sizeof(sun)); + sun.sun_family = PF_UNIX; + sprintf(&sun.sun_path[1], "%d", getpid()); + + /* create the listening socket and shutdown */ + lsd = socket(AF_UNIX, SOCK_STREAM, 0); + bind(lsd, (struct sockaddr *)&sun, sizeof(sun)); + listen(lsd, 1); + shutdown(lsd, SHUT_RDWR); + + /* connect loop */ + alarm(15); /* forcely exit the loop after 15 sec */ + for (;;) { + csd = socket(AF_UNIX, SOCK_STREAM, 0); + ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun)); + if (-1 == ret) { + perror("connect()"); + break; + } + puts("Connection OK"); + } + return 0; +} + +(*) Make sun_path[0] = 0 to use the abstruct namespace. + If a file-based socket is used, the system doesn't deadlock because + of context switches in the file system layer. + +Why this happens: + Error checks between unix_socket_connect() and unix_wait_for_peer() are + inconsistent. The former calls the latter to wait until the backlog is + processed. Despite the latter returns without doing anything when the + socket is shutdown, the former doesn't check the shutdown state and + just retries calling the latter forever. + +Patch: + The patch below adds shutdown check into unix_socket_connect(), so + connect(2) to the shutdown socket will return -ECONREFUSED. + +Signed-off-by: Tomoki Sekiyama +Signed-off-by: Masanori Yoshida +Cc: Chuck Ebbert +Signed-off-by: David S. Miller + +--- + net/unix/af_unix.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1061,6 +1061,8 @@ restart: + err = -ECONNREFUSED; + if (other->sk_state != TCP_LISTEN) + goto out_unlock; ++ if (other->sk_shutdown & RCV_SHUTDOWN) ++ goto out_unlock; + + if (unix_recvq_full(other)) { + err = -EAGAIN; + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.229428650@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:20 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + David Miller , + Arnaldo Carvalho de Melo , + Chuck Ebbert +Subject: [17/30] appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903) +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch +Content-Length: 5719 +Lines: 199 + + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Arnaldo Carvalho de Melo + +commit ffcfb8db540ff879c2a85bf7e404954281443414 upstream + +appletalk: Fix skb leak when ipddp interface is not loaded + +[ backport to 2.6.27 : Chuck Ebbert +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/appletalk/ipddp.c | 3 -- + net/appletalk/aarp.c | 16 +++++++++----- + net/appletalk/ddp.c | 47 +++++++++++++++++++++--------------------- + 3 files changed, 36 insertions(+), 30 deletions(-) + +--- a/drivers/net/appletalk/ipddp.c ++++ b/drivers/net/appletalk/ipddp.c +@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk + ((struct net_device_stats *) dev->priv)->tx_packets++; + ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len; + +- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0) +- dev_kfree_skb(skb); ++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL); + + return 0; + } +--- a/net/appletalk/aarp.c ++++ b/net/appletalk/aarp.c +@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev + + /* Non ELAP we cannot do. */ + if (dev->type != ARPHRD_ETHER) +- return -1; ++ goto free_it; + + skb->dev = dev; + skb->protocol = htons(ETH_P_ATALK); +@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev + if (!a) { + /* Whoops slipped... good job it's an unreliable protocol 8) */ + write_unlock_bh(&aarp_lock); +- return -1; ++ goto free_it; + } + + /* Set up the queue */ +@@ -662,15 +662,21 @@ out_unlock: + write_unlock_bh(&aarp_lock); + + /* Tell the ddp layer we have taken over for this frame. */ +- return 0; ++ goto sent; + + sendit: + if (skb->sk) + skb->priority = skb->sk->sk_priority; +- dev_queue_xmit(skb); ++ if (dev_queue_xmit(skb)) ++ goto drop; + sent: +- return 1; ++ return NET_XMIT_SUCCESS; ++free_it: ++ kfree_skb(skb); ++drop: ++ return NET_XMIT_DROP; + } ++EXPORT_SYMBOL(aarp_send_ddp); + + /* + * An entry in the aarp unresolved queue has become resolved. Send +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1277,8 +1277,10 @@ static int handle_ip_over_ddp(struct sk_ + struct net_device_stats *stats; + + /* This needs to be able to handle ipddp"N" devices */ +- if (!dev) +- return -ENODEV; ++ if (!dev) { ++ kfree_skb(skb); ++ return NET_RX_DROP; ++ } + + skb->protocol = htons(ETH_P_IP); + skb_pull(skb, 13); +@@ -1288,8 +1290,7 @@ static int handle_ip_over_ddp(struct sk_ + stats = dev->priv; + stats->rx_packets++; + stats->rx_bytes += skb->len + 13; +- netif_rx(skb); /* Send the SKB up to a higher place. */ +- return 0; ++ return netif_rx(skb); /* Send the SKB up to a higher place. */ + } + #else + /* make it easy for gcc to optimize this test out, i.e. kill the code */ +@@ -1297,9 +1298,8 @@ static int handle_ip_over_ddp(struct sk_ + #define handle_ip_over_ddp(skb) 0 + #endif + +-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev, +- struct ddpehdr *ddp, __u16 len_hops, +- int origlen) ++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev, ++ struct ddpehdr *ddp, __u16 len_hops, int origlen) + { + struct atalk_route *rt; + struct atalk_addr ta; +@@ -1366,8 +1366,6 @@ static void atalk_route_packet(struct sk + /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */ + struct sk_buff *nskb = skb_realloc_headroom(skb, 32); + kfree_skb(skb); +- if (!nskb) +- goto out; + skb = nskb; + } else + skb = skb_unshare(skb, GFP_ATOMIC); +@@ -1376,12 +1374,16 @@ static void atalk_route_packet(struct sk + * If the buffer didn't vanish into the lack of space bitbucket we can + * send it. + */ +- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1) +- goto free_it; +-out: +- return; ++ if (skb == NULL) ++ goto drop; ++ ++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP) ++ return NET_RX_DROP; ++ return NET_XMIT_SUCCESS; + free_it: + kfree_skb(skb); ++drop: ++ return NET_RX_DROP; + } + + /** +@@ -1455,8 +1457,7 @@ static int atalk_rcv(struct sk_buff *skb + /* Not ours, so we route the packet via the correct + * AppleTalk iface + */ +- atalk_route_packet(skb, dev, ddp, len_hops, origlen); +- goto out; ++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen); + } + + /* if IP over DDP is not selected this code will be optimized out */ +@@ -1663,10 +1664,10 @@ static int atalk_sendmsg(struct kiocb *i + if (skb2) { + loopback = 1; + SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk); +- if (aarp_send_ddp(dev, skb2, +- &usat->sat_addr, NULL) == -1) +- kfree_skb(skb2); +- /* else queued/sent above in the aarp queue */ ++ /* ++ * If it fails it is queued/sent above in the aarp queue ++ */ ++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL); + } + } + +@@ -1696,9 +1697,10 @@ static int atalk_sendmsg(struct kiocb *i + usat = &gsat; + } + +- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1) +- kfree_skb(skb); +- /* else queued/sent above in the aarp queue */ ++ /* ++ * If it fails it is queued/sent above in the aarp queue ++ */ ++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL); + } + SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len); + +@@ -1877,7 +1879,6 @@ static struct packet_type ppptalk_packet + static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B }; + + /* Export symbols for use by drivers when AppleTalk is a module */ +-EXPORT_SYMBOL(aarp_send_ddp); + EXPORT_SYMBOL(atrtr_get_dev); + EXPORT_SYMBOL(atalk_find_dev_addr); + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.357515032@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:21 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jiri Pirko , + "David S. Miller" , + Chuck Ebbert +Subject: [18/30] netlink: fix typo in initialization (CVE-2009-3612) +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=netlink-fix-typo-in-initialization-cve-2009-3612.patch +Content-Length: 902 +Lines: 29 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Jiri Pirko + +commit ad61df918c44316940404891d5082c63e79c256a upstream. + +Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing +initializations in dumped data") introduced a typo in +initialization. This patch fixes this. + +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -337,7 +337,7 @@ static int tcf_fill_node(struct sk_buff + tcm = NLMSG_DATA(nlh); + tcm->tcm_family = AF_UNSPEC; + tcm->tcm__pad1 = 0; +- tcm->tcm__pad1 = 0; ++ tcm->tcm__pad2 = 0; + tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex; + tcm->tcm_parent = tp->classid; + tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol); + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.485583618@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:22 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Avi Kivity , + Chuck Ebbert +Subject: [19/30] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638) +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch +Content-Length: 775 +Lines: 24 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Avi Kivity + +commit 6a54435560efdab1a08f429a954df4d6c740bddf upstream. + +The number of entries is multiplied by the entry size, which can +overflow on 32-bit hosts. Bound the entry count instead. + +Reported-by: David Wagner +Signed-off-by: Avi Kivity +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1591,6 +1591,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid, + + if (cpuid->nent < 1) + goto out; ++ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES) ++ cpuid->nent = KVM_MAX_CPUID_ENTRIES; + r = -ENOMEM; + cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent); + if (!cpuid_entries) + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.613942748@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:23 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Samuel Ortiz , + "David S. Miller" , + Chuck Ebbert +Subject: [20/30] irda: Add irda_skb_cb qdisc related padding +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=irda-add-irda_skb_cb-qdisc-related-padding.patch +Content-Length: 1270 +Lines: 35 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Samuel Ortiz + +commit 69c30e1e7492192f882a3fc11888b320fde5206a upstream. + +We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit() +calls. This is some ugly and temporary hack triggered by recent qisc code +changes. +Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a +proper fix before 2.6.29 is released. + +Signed-off-by: Samuel Ortiz +Signed-off-by: David S. Miller +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/irda/irda_device.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/irda/irda_device.h ++++ b/include/net/irda/irda_device.h +@@ -135,9 +135,11 @@ struct dongle_reg { + + /* + * Per-packet information we need to hide inside sk_buff +- * (must not exceed 48 bytes, check with struct sk_buff) ++ * (must not exceed 48 bytes, check with struct sk_buff) ++ * The default_qdisc_pad field is a temporary hack. + */ + struct irda_skb_cb { ++ unsigned int default_qdisc_pad; + magic_t magic; /* Be sure that we can trust the information */ + __u32 next_speed; /* The Speed to be set *after* this frame */ + __u16 mtt; /* Minimum turn around time */ + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.733588955@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:24 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Terry Loftin , + Trond Myklebust +Subject: [21/30] nfs: Panic when commit fails +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=nfs-panic-when-commit-fails.patch +Content-Length: 1250 +Lines: 34 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Terry Loftin + +commit a8b40bc7e635831b61c43acc71a86d3a68b2dff0 upstream. + +Actually pass the NFS_FILE_SYNC option to the server to avoid a +Panic in nfs_direct_write_complete() when a commit fails. + +At the end of an nfs write, if the nfs commit fails, all the writes +will be rescheduled. They are supposed to be rescheduled as NFS_FILE_SYNC +writes, but the rpc_task structure is not completely intialized and so +the option is not passed. When the rescheduled writes complete, the +return indicates that they are NFS_UNSTABLE and we try to do another +commit. This leads to a Panic because the commit data structure pointer +was set to null in the initial (failed) commit attempt. + +Signed-off-by: Terry Loftin +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/direct.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -454,6 +454,7 @@ static void nfs_direct_write_reschedule( + }; + struct rpc_task_setup task_setup_data = { + .rpc_client = NFS_CLIENT(inode), ++ .rpc_message = &msg, + .callback_ops = &nfs_write_direct_ops, + .workqueue = nfsiod_workqueue, + .flags = RPC_TASK_ASYNC, + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009 +Message-Id: <20091106215952.861425234@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:25 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Trond Myklebust +Subject: [22/30] NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch +Content-Length: 1575 +Lines: 55 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Trond Myklebust + +commit 52567b03ca38b6e556ced450d64dba8d66e23b0e upstream. + +RFC 3530 states that when we recieve the error NFS4ERR_RESOURCE, we are not +supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc +operations. The problem is that we map that error into EREMOTEIO in the XDR +layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(), +and nfs_increment_seqid() don't recognise it. + +The fix is to defer the mapping until after the middle layers have +processed the error. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 11 ++++++++--- + fs/nfs/nfs4xdr.c | 1 - + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -71,12 +71,17 @@ static int _nfs4_proc_getattr(struct nfs + /* Prevent leaks of NFSv4 errors into userland */ + int nfs4_map_errors(int err) + { +- if (err < -1000) { ++ if (err >= -1000) ++ return err; ++ switch (err) { ++ case -NFS4ERR_RESOURCE: ++ return -EREMOTEIO; ++ default: + dprintk("%s could not handle NFSv4 error %d\n", + __func__, -err); +- return -EIO; ++ break; + } +- return err; ++ return -EIO; + } + + /* +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4671,7 +4671,6 @@ static struct { + { NFS4ERR_SERVERFAULT, -ESERVERFAULT }, + { NFS4ERR_BADTYPE, -EBADTYPE }, + { NFS4ERR_LOCKED, -EAGAIN }, +- { NFS4ERR_RESOURCE, -EREMOTEIO }, + { NFS4ERR_SYMLINK, -ELOOP }, + { NFS4ERR_OP_ILLEGAL, -EOPNOTSUPP }, + { NFS4ERR_DEADLOCK, -EDEADLK }, + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215952.988107330@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:26 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Ben Hutchings , + Trond Myklebust +Subject: [23/30] nfs: Avoid overrun when copying client IP address string +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=nfs-avoid-overrun-when-copying-client-ip-address-string.patch +Content-Length: 1004 +Lines: 30 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Ben Hutchings + +commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream. + +As seen in , nfs4_init_client() can +overrun the source string when copying the client IP address from +nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since +these are both treated as null-terminated strings elsewhere, the copy +should be done with strlcpy() not memcpy(). + +Signed-off-by: Ben Hutchings +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -983,7 +983,7 @@ static int nfs4_init_client(struct nfs_c + RPC_CLNT_CREATE_DISCRTRY); + if (error < 0) + goto error; +- memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr)); ++ strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr)); + + error = nfs_idmap_new(clp); + if (error < 0) { + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215953.120260379@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:27 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Trond Myklebust +Subject: [24/30] NFSv4: Kill nfs4_renewd_prepare_shutdown() +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=nfsv4-kill-nfs4_renewd_prepare_shutdown.patch +Content-Length: 1305 +Lines: 46 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Trond Myklebust + +commit 3050141bae57984dd660e6861632ccf9b8bca77e upstream. + +The NFSv4 renew daemon is shared between all active super blocks that refer +to a particular NFS server, so it is wrong to be shutting it down in +nfs4_kill_super every time a super block is destroyed. + +This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and +leaves it up to nfs4_shutdown_client() to also shut down the renew daemon +by means of the existing call to nfs4_kill_renewd(). + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4renewd.c | 6 ------ + fs/nfs/super.c | 1 - + 2 files changed, 7 deletions(-) + +--- a/fs/nfs/nfs4renewd.c ++++ b/fs/nfs/nfs4renewd.c +@@ -125,12 +125,6 @@ nfs4_schedule_state_renewal(struct nfs_c + } + + void +-nfs4_renewd_prepare_shutdown(struct nfs_server *server) +-{ +- cancel_delayed_work(&server->nfs_client->cl_renewd); +-} +- +-void + nfs4_kill_renewd(struct nfs_client *clp) + { + cancel_delayed_work_sync(&clp->cl_renewd); +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2398,7 +2398,6 @@ static void nfs4_kill_super(struct super + nfs_return_all_delegations(sb); + kill_anon_super(sb); + +- nfs4_renewd_prepare_shutdown(server); + nfs_free_server(server); + } + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215953.252395742@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:28 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Trond Myklebust +Subject: [25/30] NFSv4: Fix a problem whereby a buggy server can oops the kernel +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch +Content-Length: 2298 +Lines: 70 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Trond Myklebust + +commit d953126a28f97ec965d23c69fd5795854c048f30 upstream. + +We just had a case in which a buggy server occasionally returns the wrong +attributes during an OPEN call. While the client does catch this sort of +condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return +-EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a +fallback to an ordinary lookup instead of just returning the error. + +When the buggy server then returns a regular file for the fallback lookup, +the VFS allows the open, and bad things start to happen, since the open +file doesn't have any associated NFSv4 state. + +The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and +secondly to ensure that we are always careful when dereferencing the +nfs_open_context state pointer. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1025,12 +1025,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry + res = NULL; + goto out; + /* This turned out not to be a regular file */ +- case -EISDIR: + case -ENOTDIR: + goto no_open; + case -ELOOP: + if (!(nd->intent.open.flags & O_NOFOLLOW)) + goto no_open; ++ /* case -EISDIR: */ + /* case -EINVAL: */ + default: + goto out; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index df24f67..6917311 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4093,15 +4093,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request) + if (request->fl_start < 0 || request->fl_end < 0) + return -EINVAL; + +- if (IS_GETLK(cmd)) +- return nfs4_proc_getlk(state, F_GETLK, request); ++ if (IS_GETLK(cmd)) { ++ if (state != NULL) ++ return nfs4_proc_getlk(state, F_GETLK, request); ++ return 0; ++ } + + if (!(IS_SETLK(cmd) || IS_SETLKW(cmd))) + return -EINVAL; + +- if (request->fl_type == F_UNLCK) +- return nfs4_proc_unlck(state, cmd, request); ++ if (request->fl_type == F_UNLCK) { ++ if (state != NULL) ++ return nfs4_proc_unlck(state, cmd, request); ++ return 0; ++ } + ++ if (state == NULL) ++ return -ENOLCK; + do { + status = nfs4_proc_setlk(state, cmd, request); + if ((status != -EAGAIN) || IS_SETLK(cmd)) + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215953.387043228@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:29 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Trond Myklebust +Subject: [26/30] NFSv4: The link() operation should return any delegation on the file +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch +Content-Length: 704 +Lines: 25 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Trond Myklebust + +commit 9a3936aac133037f65124fcb2d676a6c201a90a4 upstream. + +Otherwise, we have to wait for the server to recall it. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1526,6 +1526,8 @@ nfs_link(struct dentry *old_dentry, stru + old_dentry->d_parent->d_name.name, old_dentry->d_name.name, + dentry->d_parent->d_name.name, dentry->d_name.name); + ++ nfs_inode_return_delegation(inode); ++ + d_drop(dentry); + error = NFS_PROTO(dir)->link(inode, dir, &dentry->d_name); + if (error == 0) { + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215953.555767894@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:30 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Peter Zijlstra , + Ingo Molnar +Subject: [27/30] printk: robustify printk +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=printk-robustify-printk.patch +Content-Length: 2615 +Lines: 90 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Peter Zijlstra + +commit b845b517b5e3706a3729f6ea83b88ab85f0725b0 upstream. + +Avoid deadlocks against rq->lock and xtime_lock by deferring the klogd +wakeup by polling from the timer tick. + +Signed-off-by: Peter Zijlstra +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kernel.h | 4 ++++ + kernel/printk.c | 19 +++++++++++++++++-- + kernel/time/tick-sched.c | 2 +- + kernel/timer.c | 1 + + 4 files changed, 23 insertions(+), 3 deletions(-) + +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -200,6 +200,8 @@ extern struct ratelimit_state printk_rat + extern int printk_ratelimit(void); + extern bool printk_timed_ratelimit(unsigned long *caller_jiffies, + unsigned int interval_msec); ++extern void printk_tick(void); ++extern int printk_needs_cpu(int); + #else + static inline int vprintk(const char *s, va_list args) + __attribute__ ((format (printf, 1, 0))); +@@ -211,6 +213,8 @@ static inline int printk_ratelimit(void) + static inline bool printk_timed_ratelimit(unsigned long *caller_jiffies, \ + unsigned int interval_msec) \ + { return false; } ++static inline void printk_tick(void) { } ++static inline int printk_needs_cpu(int) { return 0; } + #endif + + extern void asmlinkage __attribute__((format(printf, 1, 2))) +--- a/kernel/printk.c ++++ b/kernel/printk.c +@@ -977,10 +977,25 @@ int is_console_locked(void) + return console_locked; + } + +-void wake_up_klogd(void) ++static DEFINE_PER_CPU(int, printk_pending); ++ ++void printk_tick(void) + { +- if (!oops_in_progress && waitqueue_active(&log_wait)) ++ if (__get_cpu_var(printk_pending)) { ++ __get_cpu_var(printk_pending) = 0; + wake_up_interruptible(&log_wait); ++ } ++} ++ ++int printk_needs_cpu(int cpu) ++{ ++ return per_cpu(printk_pending, cpu); ++} ++ ++void wake_up_klogd(void) ++{ ++ if (waitqueue_active(&log_wait)) ++ __get_cpu_var(printk_pending) = 1; + } + + /** +--- a/kernel/timer.c ++++ b/kernel/timer.c +@@ -978,6 +978,7 @@ void update_process_times(int user_tick) + run_local_timers(); + if (rcu_pending(cpu)) + rcu_check_callbacks(cpu, user_tick); ++ printk_tick(); + scheduler_tick(); + run_posix_cpu_timers(p); + } +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -261,7 +261,7 @@ void tick_nohz_stop_sched_tick(int inidl + next_jiffies = get_next_timer_interrupt(last_jiffies); + delta_jiffies = next_jiffies - last_jiffies; + +- if (rcu_needs_cpu(cpu)) ++ if (rcu_needs_cpu(cpu) || printk_needs_cpu(cpu)) + delta_jiffies = 1; + /* + * Do not stop the tick, if we are only one off + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215953.701406586@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:31 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Jiri Bohac , + "David S. Miller" +Subject: [28/30] bonding: fix a race condition in calls to slave MII ioctls +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch +Content-Length: 1434 +Lines: 39 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Jiri Bohac + +commit d9d5283228d0c752f199c901fff6e1405dc91bcb upstream. + +In mii monitor mode, bond_check_dev_link() calls the the ioctl +handler of slave devices. It stores the ndo_do_ioctl function +pointer to a static (!) ioctl variable and later uses it to call the +handler with the IOCTL macro. + +If another thread executes bond_check_dev_link() at the same time +(even with a different bond, which none of the locks prevent), a +race condition occurs. If the two racing slaves have different +drivers, this may result in one driver's ioctl handler being +called with a pointer to a net_device controlled with a different +driver, resulting in unpredictable breakage. + +Unless I am overlooking something, the "static" must be a +copy'n'paste error (?). + +Signed-off-by: Jiri Bohac +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -686,7 +686,7 @@ static int bond_update_speed_duplex(stru + */ + static int bond_check_dev_link(struct bonding *bond, struct net_device *slave_dev, int reporting) + { +- static int (* ioctl)(struct net_device *, struct ifreq *, int); ++ int (* ioctl)(struct net_device *, struct ifreq *, int); + struct ifreq ifr; + struct mii_ioctl_data *mii; + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009 +Message-Id: <20091106215953.842686540@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:32 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Joerg Roedel +Subject: [29/30] x86/amd-iommu: Un__init function required on shutdown +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=x86-amd-iommu-un__init-function-required-on-shutdown.patch +Content-Length: 857 +Lines: 28 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Joerg Roedel + +commit ca0207114f1708b563f510b7781a360ec5b98359 upstream. + +The function iommu_feature_disable is required on system +shutdown to disable the IOMMU but it is marked as __init. +This may result in a panic if the memory is reused. This +patch fixes this bug. + +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/amd_iommu_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/amd_iommu_init.c ++++ b/arch/x86/kernel/amd_iommu_init.c +@@ -230,7 +230,7 @@ static void __init iommu_feature_enable( + writel(ctrl, iommu->mmio_base + MMIO_CONTROL_OFFSET); + } + +-static void __init iommu_feature_disable(struct amd_iommu *iommu, u8 bit) ++static void iommu_feature_disable(struct amd_iommu *iommu, u8 bit) + { + u32 ctrl; + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:54 2009 +Message-Id: <20091106215954.017532651@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:33 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + Greg KH +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk, + Joerg Roedel +Subject: [30/30] x86/amd-iommu: Workaround for erratum 63 +References: <20091106215603.413650799@mini.kroah.org> +Content-Disposition: inline; filename=x86-amd-iommu-workaround-for-erratum-63.patch +Content-Length: 1686 +Lines: 60 + +2.6.29-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Joerg Roedel + +commit c5cca146aa03e1f60fb179df65f0dbaf17bc64ed upstream. + +There is an erratum for IOMMU hardware which documents +undefined behavior when forwarding SMI requests from +peripherals and the DTE of that peripheral has a sysmgt +value of 01b. This problem caused weird IO_PAGE_FAULTS in my +case. +This patch implements the suggested workaround for that +erratum into the AMD IOMMU driver. The erratum is +documented with number 63. + +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/amd_iommu_init.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/arch/x86/kernel/amd_iommu_init.c ++++ b/arch/x86/kernel/amd_iommu_init.c +@@ -430,6 +430,27 @@ static void set_dev_entry_bit(u16 devid, + amd_iommu_dev_table[devid].data[i] |= (1 << _bit); + } + ++static int get_dev_entry_bit(u16 devid, u8 bit) ++{ ++ int i = (bit >> 5) & 0x07; ++ int _bit = bit & 0x1f; ++ ++ return (amd_iommu_dev_table[devid].data[i] & (1 << _bit)) >> _bit; ++} ++ ++ ++void amd_iommu_apply_erratum_63(u16 devid) ++{ ++ int sysmgt; ++ ++ sysmgt = get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT1) | ++ (get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT2) << 1); ++ ++ if (sysmgt == 0x01) ++ set_dev_entry_bit(devid, DEV_ENTRY_IW); ++} ++ ++ + /* Writes the specific IOMMU for a device into the rlookup table */ + static void __init set_iommu_for_device(struct amd_iommu *iommu, u16 devid) + { +@@ -458,6 +479,8 @@ static void __init set_dev_entry_from_ac + if (flags & ACPI_DEVFLAG_LINT1) + set_dev_entry_bit(devid, DEV_ENTRY_LINT1_PASS); + ++ amd_iommu_apply_erratum_63(devid); ++ + set_iommu_for_device(iommu, devid); + } + + + +From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009 +Message-Id: <20091106215603.413650799@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Fri, 06 Nov 2009 13:56:03 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org +Cc: stable-review@kernel.org, + torvalds@linux-foundation.org, + akpm@linux-foundation.org, + alan@lxorguk.ukuu.org.uk +Subject: [00/30] 2.6.27.39-stable review +Content-Length: 2702 +Lines: 57 + +This is the start of the stable review cycle for the 2.6.27.39 release. +There are 30 patches in this series, all will be posted as a response to +this one. If anyone has any issues with these being applied, please let +us know. If anyone is a maintainer of the proper subsystem, and wants +to add a Signed-off-by: line to the patch, please respond with it. + +Responses should be made by November 8, 2009, 20:00:00 UTC. Anything +received after that time might be too late. + +The whole patch series can be found in one patch at: + kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.27.39-rc1.gz +and the diffstat can be found below. + + +thanks, + +greg k-h + +------------ + Makefile | 2 +- + arch/m68k/Kconfig | 6 ++-- + arch/x86/ia32/ia32entry.S | 5 +-- + arch/x86/kernel/amd_iommu_init.c | 25 ++++++++++++++++- + arch/x86/kvm/x86.c | 2 + + drivers/acpi/scan.c | 12 +------- + drivers/ata/libata-core.c | 12 +++++--- + drivers/base/driver.c | 2 +- + drivers/char/Kconfig | 6 ++-- + drivers/input/mouse/synaptics.c | 10 +++++++ + drivers/net/appletalk/ipddp.c | 3 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/wireless/b43/rfkill.c | 3 +- + drivers/net/wireless/libertas/if_usb.c | 2 +- + drivers/net/wireless/ray_cs.c | 2 +- + drivers/scsi/dpt_i2o.c | 4 +++ + drivers/serial/8250_pci.c | 11 +++++++ + fs/hfsplus/wrapper.c | 4 +++ + fs/nfs/client.c | 2 +- + fs/nfs/dir.c | 4 ++- + fs/nfs/direct.c | 1 + + fs/nfs/nfs4proc.c | 27 +++++++++++++----- + fs/nfs/nfs4renewd.c | 6 ---- + fs/nfs/nfs4xdr.c | 1 - + fs/nfs/super.c | 1 - + fs/pipe.c | 41 ++++++++++++++++++++------- + include/linux/kernel.h | 4 +++ + include/linux/pci_ids.h | 3 ++ + include/net/irda/irda_device.h | 4 ++- + kernel/printk.c | 19 +++++++++++- + kernel/time/tick-sched.c | 2 +- + kernel/timer.c | 1 + + mm/mempolicy.c | 3 +- + net/appletalk/aarp.c | 16 +++++++--- + net/appletalk/ddp.c | 47 ++++++++++++++++--------------- + net/sched/cls_api.c | 2 +- + net/unix/af_unix.c | 2 + + 37 files changed, 204 insertions(+), 95 deletions(-) + diff --git a/queue-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch b/review-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch similarity index 100% rename from queue-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch rename to review-2.6.27/netlink-fix-typo-in-initialization-cve-2009-3612.patch diff --git a/queue-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch b/review-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch similarity index 100% rename from queue-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch rename to review-2.6.27/nfs-avoid-overrun-when-copying-client-ip-address-string.patch diff --git a/queue-2.6.27/nfs-panic-when-commit-fails.patch b/review-2.6.27/nfs-panic-when-commit-fails.patch similarity index 100% rename from queue-2.6.27/nfs-panic-when-commit-fails.patch rename to review-2.6.27/nfs-panic-when-commit-fails.patch diff --git a/queue-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch b/review-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch similarity index 100% rename from queue-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch rename to review-2.6.27/nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch diff --git a/queue-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch b/review-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch similarity index 100% rename from queue-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch rename to review-2.6.27/nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch diff --git a/queue-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch b/review-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch similarity index 100% rename from queue-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch rename to review-2.6.27/nfsv4-kill-nfs4_renewd_prepare_shutdown.patch diff --git a/queue-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch b/review-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch similarity index 100% rename from queue-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch rename to review-2.6.27/nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch diff --git a/queue-2.6.27/printk-robustify-printk.patch b/review-2.6.27/printk-robustify-printk.patch similarity index 100% rename from queue-2.6.27/printk-robustify-printk.patch rename to review-2.6.27/printk-robustify-printk.patch diff --git a/queue-2.6.27/ray_cs-fix-copy_from_user-handling.patch b/review-2.6.27/ray_cs-fix-copy_from_user-handling.patch similarity index 100% rename from queue-2.6.27/ray_cs-fix-copy_from_user-handling.patch rename to review-2.6.27/ray_cs-fix-copy_from_user-handling.patch diff --git a/queue-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch b/review-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch similarity index 100% rename from queue-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch rename to review-2.6.27/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch diff --git a/queue-2.6.27/series b/review-2.6.27/series similarity index 100% rename from queue-2.6.27/series rename to review-2.6.27/series diff --git a/queue-2.6.27/tty-mark-generic_serial-users-as-broken.patch b/review-2.6.27/tty-mark-generic_serial-users-as-broken.patch similarity index 100% rename from queue-2.6.27/tty-mark-generic_serial-users-as-broken.patch rename to review-2.6.27/tty-mark-generic_serial-users-as-broken.patch diff --git a/queue-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch b/review-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch similarity index 100% rename from queue-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch rename to review-2.6.27/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch diff --git a/queue-2.6.27/x86-amd-iommu-un__init-function-required-on-shutdown.patch b/review-2.6.27/x86-amd-iommu-un__init-function-required-on-shutdown.patch similarity index 100% rename from queue-2.6.27/x86-amd-iommu-un__init-function-required-on-shutdown.patch rename to review-2.6.27/x86-amd-iommu-un__init-function-required-on-shutdown.patch diff --git a/queue-2.6.27/x86-amd-iommu-workaround-for-erratum-63.patch b/review-2.6.27/x86-amd-iommu-workaround-for-erratum-63.patch similarity index 100% rename from queue-2.6.27/x86-amd-iommu-workaround-for-erratum-63.patch rename to review-2.6.27/x86-amd-iommu-workaround-for-erratum-63.patch