From: Greg Kroah-Hartman Date: Fri, 19 Nov 2010 21:11:58 +0000 (-0800) Subject: .35 patches X-Git-Tag: v2.6.27.56~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed963235ab3b85687069d704a47bfe56d069c4ea;p=thirdparty%2Fkernel%2Fstable-queue.git .35 patches --- diff --git a/queue-2.6.35/arm-cns3xxx-fixup-the-missing-second-parameter-to-addruart-macro-to-allow-them-to-build.patch b/queue-2.6.35/arm-cns3xxx-fixup-the-missing-second-parameter-to-addruart-macro-to-allow-them-to-build.patch new file mode 100644 index 00000000000..7729849c393 --- /dev/null +++ b/queue-2.6.35/arm-cns3xxx-fixup-the-missing-second-parameter-to-addruart-macro-to-allow-them-to-build.patch @@ -0,0 +1,39 @@ +From linux@arm.linux.org.uk Fri Nov 19 13:04:48 2010 +From: Mac Lin +Date: Sun, 14 Nov 2010 22:17:23 +0000 +Subject: ARM: cns3xxx: Fixup the missing second parameter to addruart macro to allow them to build. +To: stable@kernel.org +Message-ID: <20101114221723.GA12389@n2100.arm.linux.org.uk> +Content-Disposition: inline + +From: Mac Lin + +It can't be merged into Linus' tree because this file has already been +changed in incompatible ways. + +Fixup the missing second parameter to addruart macro to allow them to build, +according to to commit 0e17226f7cd289504724466f4298abc9bdfca3fe. + +Enabling DEBUG in head.S would cause: +rch/arm/boot/compressed/head.S: Assembler messages: +arch/arm/boot/compressed/head.S:1037: Error: too many positional arguments +arch/arm/boot/compressed/head.S:1055: Error: too many positional arguments + +Signed-off-by: Mac Lin +Acked-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-cns3xxx/include/mach/debug-macro.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-cns3xxx/include/mach/debug-macro.S ++++ b/arch/arm/mach-cns3xxx/include/mach/debug-macro.S +@@ -10,7 +10,7 @@ + * published by the Free Software Foundation. + */ + +- .macro addruart,rx ++ .macro addruart,rx,rtmp + mrc p15, 0, \rx, c1, c0 + tst \rx, #1 @ MMU enabled? + moveq \rx, #0x10000000 diff --git a/queue-2.6.35/isdn-avoid-calling-tty_ldisc_flush-in-atomic-context.patch b/queue-2.6.35/isdn-avoid-calling-tty_ldisc_flush-in-atomic-context.patch new file mode 100644 index 00000000000..9be0c12f508 --- /dev/null +++ b/queue-2.6.35/isdn-avoid-calling-tty_ldisc_flush-in-atomic-context.patch @@ -0,0 +1,42 @@ +From bc10f96757bd6ab3721510df8defa8f21c32f974 Mon Sep 17 00:00:00 2001 +From: Tilman Schmidt +Date: Mon, 5 Jul 2010 14:18:27 +0000 +Subject: isdn: avoid calling tty_ldisc_flush() in atomic context + +From: Tilman Schmidt + +commit bc10f96757bd6ab3721510df8defa8f21c32f974 upstream. + +Remove the call to tty_ldisc_flush() from the RESULT_NO_CARRIER +branch of isdn_tty_modem_result(), as already proposed in commit +00409bb045887ec5e7b9e351bc080c38ab6bfd33. +This avoids a "sleeping function called from invalid context" BUG +when the hardware driver calls the statcallb() callback with +command==ISDN_STAT_DHUP in atomic context, which in turn calls +isdn_tty_modem_result(RESULT_NO_CARRIER, ~), and from there, +tty_ldisc_flush() which may sleep. + +Signed-off-by: Tilman Schmidt +Signed-off-by: David S. Miller +Cc: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/i4l/isdn_tty.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/isdn/i4l/isdn_tty.c ++++ b/drivers/isdn/i4l/isdn_tty.c +@@ -2636,12 +2636,6 @@ isdn_tty_modem_result(int code, modem_in + if ((info->flags & ISDN_ASYNC_CLOSING) || (!info->tty)) { + return; + } +-#ifdef CONFIG_ISDN_AUDIO +- if ( !info->vonline ) +- tty_ldisc_flush(info->tty); +-#else +- tty_ldisc_flush(info->tty); +-#endif + if ((info->flags & ISDN_ASYNC_CHECK_CD) && + (!((info->flags & ISDN_ASYNC_CALLOUT_ACTIVE) && + (info->flags & ISDN_ASYNC_CALLOUT_NOHUP)))) { diff --git a/queue-2.6.35/kvm-x86-emulator-fix-regression-with-cmpxchg8b-on-i386-hosts.patch b/queue-2.6.35/kvm-x86-emulator-fix-regression-with-cmpxchg8b-on-i386-hosts.patch new file mode 100644 index 00000000000..ee73d4ac089 --- /dev/null +++ b/queue-2.6.35/kvm-x86-emulator-fix-regression-with-cmpxchg8b-on-i386-hosts.patch @@ -0,0 +1,75 @@ +From a64c8ec1d075617579fdc09b28559c748bf0d660 Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Thu, 26 Aug 2010 14:31:30 +0300 +Subject: KVM: x86 emulator: fix regression with cmpxchg8b on i386 hosts + +From: Avi Kivity + +commit 16518d5ada690643453eb0aef3cc7841d3623c2d upstream. + +operand::val and operand::orig_val are 32-bit on i386, whereas cmpxchg8b +operands are 64-bit. + +Fix by adding val64 and orig_val64 union members to struct operand, and +using them where needed. + +Signed-off-by: Avi Kivity +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_emulate.h | 10 +++++++++- + arch/x86/kvm/emulate.c | 9 ++++----- + 2 files changed, 13 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -143,7 +143,15 @@ struct x86_emulate_ops { + struct operand { + enum { OP_REG, OP_MEM, OP_IMM, OP_NONE } type; + unsigned int bytes; +- unsigned long val, orig_val, *ptr; ++ union { ++ unsigned long orig_val; ++ u64 orig_val64; ++ }; ++ unsigned long *ptr; ++ union { ++ unsigned long val; ++ u64 val64; ++ }; + }; + + struct fetch_cache { +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -1712,17 +1712,16 @@ static inline int emulate_grp9(struct x8 + struct x86_emulate_ops *ops) + { + struct decode_cache *c = &ctxt->decode; +- u64 old = c->dst.orig_val; ++ u64 old = c->dst.orig_val64; + + if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) || + ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) { +- + c->regs[VCPU_REGS_RAX] = (u32) (old >> 0); + c->regs[VCPU_REGS_RDX] = (u32) (old >> 32); + ctxt->eflags &= ~EFLG_ZF; + } else { +- c->dst.val = ((u64)c->regs[VCPU_REGS_RCX] << 32) | +- (u32) c->regs[VCPU_REGS_RBX]; ++ c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) | ++ (u32) c->regs[VCPU_REGS_RBX]; + + ctxt->eflags |= EFLG_ZF; + } +@@ -2535,7 +2534,7 @@ x86_emulate_insn(struct x86_emulate_ctxt + ctxt->vcpu); + if (rc != X86EMUL_CONTINUE) + goto done; +- c->src.orig_val = c->src.val; ++ c->src.orig_val64 = c->src.val64; + } + + if (c->src2.type == OP_MEM) { diff --git a/queue-2.6.35/secmark-do-not-return-early-if-there-was-no-error.patch b/queue-2.6.35/secmark-do-not-return-early-if-there-was-no-error.patch new file mode 100644 index 00000000000..43973368fa7 --- /dev/null +++ b/queue-2.6.35/secmark-do-not-return-early-if-there-was-no-error.patch @@ -0,0 +1,34 @@ +From 15714f7b58011cf3948cab2988abea560240c74f Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Tue, 12 Oct 2010 11:40:08 -0400 +Subject: secmark: do not return early if there was no error + +From: Eric Paris + +commit 15714f7b58011cf3948cab2988abea560240c74f upstream. + +Commit 4a5a5c73 attempted to pass decent error messages back to userspace for +netfilter errors. In xt_SECMARK.c however the patch screwed up and returned +on 0 (aka no error) early and didn't finish setting up secmark. This results +in a kernel BUG if you use SECMARK. + +Signed-off-by: Eric Paris +Acked-by: Paul Moore +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_SECMARK.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/xt_SECMARK.c ++++ b/net/netfilter/xt_SECMARK.c +@@ -101,7 +101,7 @@ static int secmark_tg_check(const struct + switch (info->mode) { + case SECMARK_MODE_SEL: + err = checkentry_selinux(info); +- if (err <= 0) ++ if (err) + return err; + break; + diff --git a/queue-2.6.35/series b/queue-2.6.35/series index 873dcfb2ec5..7b8acd10901 100644 --- a/queue-2.6.35/series +++ b/queue-2.6.35/series @@ -75,3 +75,8 @@ revert-d88dca79d3852a3623f606f781e013d61486828a.patch net-add-a-recursion-limit-in-xmit-path.patch net-core-allow-tagged-vlan-packets-to-flow-through-veth-devices.patch xfrm4-strip-ecn-bits-from-tos-field.patch +secmark-do-not-return-early-if-there-was-no-error.patch +arm-cns3xxx-fixup-the-missing-second-parameter-to-addruart-macro-to-allow-them-to-build.patch +sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch +isdn-avoid-calling-tty_ldisc_flush-in-atomic-context.patch +kvm-x86-emulator-fix-regression-with-cmpxchg8b-on-i386-hosts.patch diff --git a/queue-2.6.35/sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch b/queue-2.6.35/sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch new file mode 100644 index 00000000000..18c4868e5b2 --- /dev/null +++ b/queue-2.6.35/sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch @@ -0,0 +1,95 @@ +From 09358972bff5ce99de496bbba97c85d417b3c054 Mon Sep 17 00:00:00 2001 +From: Robin Holt +Date: Tue, 26 Oct 2010 14:21:15 -0700 +Subject: sgi-xp: incoming XPC channel messages can come in after the channel's partition structures have been torn down + +From: Robin Holt + +commit 09358972bff5ce99de496bbba97c85d417b3c054 upstream. + +Under some workloads, some channel messages have been observed being +delayed on the sending side past the point where the receiving side has +been able to tear down its partition structures. + +This condition is already detected in xpc_handle_activate_IRQ_uv(), but +that information is not given to xpc_handle_activate_mq_msg_uv(). As a +result, xpc_handle_activate_mq_msg_uv() assumes the structures still exist +and references them, causing a NULL-pointer deref. + +Signed-off-by: Robin Holt +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/sgi-xp/xpc_uv.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/misc/sgi-xp/xpc_uv.c ++++ b/drivers/misc/sgi-xp/xpc_uv.c +@@ -417,6 +417,7 @@ xpc_process_activate_IRQ_rcvd_uv(void) + static void + xpc_handle_activate_mq_msg_uv(struct xpc_partition *part, + struct xpc_activate_mq_msghdr_uv *msg_hdr, ++ int part_setup, + int *wakeup_hb_checker) + { + unsigned long irq_flags; +@@ -481,6 +482,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc + case XPC_ACTIVATE_MQ_MSG_CHCTL_CLOSEREQUEST_UV: { + struct xpc_activate_mq_msg_chctl_closerequest_uv *msg; + ++ if (!part_setup) ++ break; ++ + msg = container_of(msg_hdr, struct + xpc_activate_mq_msg_chctl_closerequest_uv, + hdr); +@@ -497,6 +501,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc + case XPC_ACTIVATE_MQ_MSG_CHCTL_CLOSEREPLY_UV: { + struct xpc_activate_mq_msg_chctl_closereply_uv *msg; + ++ if (!part_setup) ++ break; ++ + msg = container_of(msg_hdr, struct + xpc_activate_mq_msg_chctl_closereply_uv, + hdr); +@@ -511,6 +518,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc + case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENREQUEST_UV: { + struct xpc_activate_mq_msg_chctl_openrequest_uv *msg; + ++ if (!part_setup) ++ break; ++ + msg = container_of(msg_hdr, struct + xpc_activate_mq_msg_chctl_openrequest_uv, + hdr); +@@ -528,6 +538,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc + case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENREPLY_UV: { + struct xpc_activate_mq_msg_chctl_openreply_uv *msg; + ++ if (!part_setup) ++ break; ++ + msg = container_of(msg_hdr, struct + xpc_activate_mq_msg_chctl_openreply_uv, hdr); + args = &part->remote_openclose_args[msg->ch_number]; +@@ -545,6 +558,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc + case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENCOMPLETE_UV: { + struct xpc_activate_mq_msg_chctl_opencomplete_uv *msg; + ++ if (!part_setup) ++ break; ++ + msg = container_of(msg_hdr, struct + xpc_activate_mq_msg_chctl_opencomplete_uv, hdr); + spin_lock_irqsave(&part->chctl_lock, irq_flags); +@@ -621,6 +637,7 @@ xpc_handle_activate_IRQ_uv(int irq, void + + part_referenced = xpc_part_ref(part); + xpc_handle_activate_mq_msg_uv(part, msg_hdr, ++ part_referenced, + &wakeup_hb_checker); + if (part_referenced) + xpc_part_deref(part);