From 3277c9064c381c9cebe2a2e9111a688088f759ae Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 16 Oct 2008 15:40:23 -0700
Subject: [PATCH] more .27 patches
---
...ntation-in-ath9k-report-to-userspace.patch | 66 ++++++++++++++
.../driver-core-clarify-device-cleanup.patch | 72 +++++++++++++++
...e-fix-cleanup-in-device_create_vargs.patch | 33 +++++++
...-when-switching-the-rotated-consoles.patch | 90 +++++++++++++++++++
.../md-fix-rdev_size_store-with-size-0.patch | 49 ++++++++++
...odules-fix-module-notes-kobject-leak.patch | 59 ++++++++++++
queue-2.6.27/series | 7 ++
...remount-rw-with-unrecognized-options.patch | 41 +++++++++
8 files changed, 417 insertions(+)
create mode 100644 queue-2.6.27/ath9k-mac80211-disallow-fragmentation-in-ath9k-report-to-userspace.patch
create mode 100644 queue-2.6.27/driver-core-clarify-device-cleanup.patch
create mode 100644 queue-2.6.27/driver-core-fix-cleanup-in-device_create_vargs.patch
create mode 100644 queue-2.6.27/fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch
create mode 100644 queue-2.6.27/md-fix-rdev_size_store-with-size-0.patch
create mode 100644 queue-2.6.27/modules-fix-module-notes-kobject-leak.patch
create mode 100644 queue-2.6.27/series
create mode 100644 queue-2.6.27/xfs-fix-remount-rw-with-unrecognized-options.patch
diff --git a/queue-2.6.27/ath9k-mac80211-disallow-fragmentation-in-ath9k-report-to-userspace.patch b/queue-2.6.27/ath9k-mac80211-disallow-fragmentation-in-ath9k-report-to-userspace.patch
new file mode 100644
index 00000000000..af88ab3b610
--- /dev/null
+++ b/queue-2.6.27/ath9k-mac80211-disallow-fragmentation-in-ath9k-report-to-userspace.patch
@@ -0,0 +1,66 @@
+From jejb@kernel.org Thu Oct 16 15:37:22 2008
+From: Johannes Berg
+Date: Thu, 16 Oct 2008 19:05:12 GMT
+Subject: ath9k/mac80211: disallow fragmentation in ath9k, report to userspace
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810161905.m9GJ5Cvk013905@hera.kernel.org>
+
+From: Johannes Berg
+
+commit 4233df6b748193d45f79fb7448991a473061a65d upstream
+
+As I've reported, ath9k currently fails utterly when fragmentation
+is enabled. This makes ath9k "support" hardware fragmentation by
+not supporting fragmentation at all to avoid the double-free issue.
+The patch also changes mac80211 to report errors from the driver
+operation to userspace.
+
+That hack in ath9k should be removed once the rate control algorithm
+it has is fixed, and we can at that time consider removing the hw
+fragmentation support entirely since it's not used by any driver.
+
+Signed-off-by: Johannes Berg
+Acked-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath9k/main.c | 8 +++++++-
+ net/mac80211/wext.c | 2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath9k/main.c
++++ b/drivers/net/wireless/ath9k/main.c
+@@ -1007,6 +1007,11 @@ static int ath9k_ampdu_action(struct iee
+ return ret;
+ }
+
++static int ath9k_no_fragmentation(struct ieee80211_hw *hw, u32 value)
++{
++ return -EOPNOTSUPP;
++}
++
+ static struct ieee80211_ops ath9k_ops = {
+ .tx = ath9k_tx,
+ .start = ath9k_start,
+@@ -1031,7 +1036,8 @@ static struct ieee80211_ops ath9k_ops =
+ .get_tsf = ath9k_get_tsf,
+ .reset_tsf = ath9k_reset_tsf,
+ .tx_last_beacon = NULL,
+- .ampdu_action = ath9k_ampdu_action
++ .ampdu_action = ath9k_ampdu_action,
++ .set_frag_threshold = ath9k_no_fragmentation,
+ };
+
+ void ath_get_beaconconfig(struct ath_softc *sc,
+--- a/net/mac80211/wext.c
++++ b/net/mac80211/wext.c
+@@ -804,7 +804,7 @@ static int ieee80211_ioctl_siwfrag(struc
+ * configure it here */
+
+ if
(local->ops->set_frag_threshold)
+- local->ops->set_frag_threshold(
++ return local->ops->set_frag_threshold(
+ local_to_hw(local),
+ local->fragmentation_threshold);
+
diff --git a/queue-2.6.27/driver-core-clarify-device-cleanup.patch b/queue-2.6.27/driver-core-clarify-device-cleanup.patch
new file mode 100644
index 00000000000..0ebced7e824
--- /dev/null
+++ b/queue-2.6.27/driver-core-clarify-device-cleanup.patch
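Review bot: In the wext.c hunk the driver's return value is now handed straight back from ieee80211_ioctl_siwfrag, but the call passes `local->fragmentation_threshold`, which suggests the field has already been overwritten with the requested value before the driver is asked (the assignment is outside the hunk). If so, a driver that refuses, as ath9k now does with -EOPNOTSUPP, leaves the new threshold stored while userspace is told the request failed. Consider keeping the previous value and restoring it on a non-zero return. Separately, `ath9k_no_fragmentation` would benefit from a comment marking it as a temporary stub, e.g. `/* refuse fragmentation until the rate control double-free is fixed */`.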
@@ -0,0 +1,72 @@
+From jejb@kernel.org Thu Oct 16 15:33:36 2008
+From: Cornelia Huck
+Date: Thu, 16 Oct 2008 22:05:07 GMT
+Subject: Driver core: Clarify device cleanup.
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810162205.m9GM579P005836@hera.kernel.org>
+
+From: Cornelia Huck
+
+commit 5739411acbaa63a6c22c91e340fdcdbcc7d82a51 upstream
+
+Make the comments on how to use device_initialize(), device_add()
+and device_register() a bit clearer - in particular, explicitly
+note that put_device() must be used once we tried to add the device
+to the hierarchy.
+
+Signed-off-by: Cornelia Huck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/core.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -523,11 +523,16 @@ static void klist_children_put(struct kl
+ * device_initialize - init device structure.
+ * @dev: device.
+ *
+- * This prepares the device for use by other layers,
+- * including adding it to the device hierarchy.
++ * This prepares the device for use by other layers by initializing
++ * its fields.
+ * It is the first half of device_register(), if called by
+- * that, though it can also be called separately, so one
+- * may use @dev's fields (e.g. the refcount).
++ * that function, though it can also be called separately, so one
++ * may use @dev's fields. In particular, get_device()/put_device()
++ * may be used for reference counting of @dev after calling this
++ * function.
++ *
++ * NOTE: Use put_device() to give up your reference instead of freeing
++ * @dev directly once you have called this function.
+ */
+ void device_initialize(struct device *dev)
+ {
+@@ -836,9 +841,13 @@ static void device_remove_sys_dev_entry(
+ * This is part 2 of device_register(), though may be called
+ * separately _iff_ device_initialize() has been called separately.
+ *
+- * This adds it to the kobject hierarchy via kobject_add(), adds it
++ * This adds @dev to the kobject hierarchy via kobject_add(), adds it
+ * to the global and sibling lists for the device, then
+ * adds it to the other relevant subsystems of the driver model.
++ *
++ * NOTE: _Never_ directly free @dev after calling this function, even
++ * if it returned an error! Always use put_device() to give up your
++ * reference instead.
+ */
+ int device_add(struct device *dev)
+ {
+@@ -965,6 +974,10 @@ done:
+ * I.e. you should only call the two helpers separately if
+ * have a clearly defined need to use and refcount the device
+ * before it is added to the hierarchy.
++ *
++ * NOTE: _Never_ directly free @dev after calling this function, even
++ * if it returned an error! Always use put_device() to give up the
++ * reference initialized in this function instead.
+ */
+ int device_register(struct device *dev)
+ {
diff --git a/queue-2.6.27/driver-core-fix-cleanup-in-device_create_vargs.patch b/queue-2.6.27/driver-core-fix-cleanup-in-device_create_vargs.patch
new file mode 100644
index 00000000000..f8ad94fc24f
--- /dev/null
+++ b/queue-2.6.27/driver-core-fix-cleanup-in-device_create_vargs.patch
@@ -0,0 +1,33 @@
+From jejb@kernel.org Thu Oct 16 15:33:09 2008
+From: Cornelia Huck
+Date: Thu, 16 Oct 2008 22:05:05 GMT
+Subject: Driver core: Fix cleanup in device_create_vargs().
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810162205.m9GM55pF005776@hera.kernel.org>
+
+From: Cornelia Huck
+
+commit 286661b3777897220ecfcd774bccc68a34667f39 upstream
+
+If device_register() in device_create_vargs() fails, the device
+must be cleaned up with put_device() (which is also fine on NULL)
+instead of kfree().
+
+Signed-off-by: Cornelia Huck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1243,7 +1243,7 @@ struct device *device_create_vargs(struc
+ return dev;
+
+ error:
+- kfree(dev);
++ put_device(dev);
+ return ERR_PTR(retval);
+ }
+ EXPORT_SYMBOL_GPL(device_create_vargs);
diff --git a/queue-2.6.27/fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch b/queue-2.6.27/fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch
new file mode 100644
index 00000000000..f6a518381e9
--- /dev/null
+++ b/queue-2.6.27/fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch
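Review bot: The `put_device(dev)` at the `error:` label is only correct if every jump to the label arrives either with `dev == NULL` or with a dev that has already been handed to device_register(), so that its reference count was initialised. The jumps themselves are outside the hunk; confirm that none sits between the allocation and the device_register() call. A comment at the label would record the rule for later edits: `/* dev is NULL or went through device_register(); never kfree() it here */`.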
@@ -0,0 +1,90 @@
+From jejb@kernel.org Thu Oct 16 14:54:47 2008
+From: Oleg Nesterov
+Date: Thu, 16 Oct 2008 19:05:07 GMT
+Subject: fbcon_set_all_vcs: fix kernel crash when switching the rotated consoles
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810161905.m9GJ57Ki013495@hera.kernel.org>
+
+From: Oleg Nesterov
+
+commit 232fb69a53a5ec3f22a8104d447abe4806848a8f upstream
+
+echo 3 >> /sys/class/graphics/fbcon/rotate_all, then switch to another
+console. Result:
+
+ BUG: unable to handle kernel paging request at ffffc20005d00000
+ IP: [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
+ PGD 7e228067 PUD 7e229067 PMD 7bc1f067 PTE 0
+ Oops: 0002 [1] SMP
+ CPU 1
+ Modules linked in: [...a lot...]
+ Pid: 10, comm: events/1 Not tainted 2.6.26.5-45.fc9.x86_64 #1
+ RIP: 0010:[bitfill_aligned+149/265] [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
+ RSP: 0018:ffff81007d811bc8 EFLAGS: 00010216
+ RAX: ffffc20005d00000 RBX: 0000000000000000 RCX: 0000000000000400
+ RDX: 0000000000000000 RSI: ffffc20005d00000 RDI: ffffffffffffffff
+ RBP: ffff81007d811be0 R08: 0000000000000400 R09: 0000000000000040
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000010000
+ R13: ffffffff811632f0 R14: 0000000000000006 R15: ffff81007cb85400
+ FS: 0000000000000000(0000) GS:ffff81007e004780(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
+ CR2: ffffc20005d00000 CR3: 0000000000201000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process events/1 (pid: 10, threadinfo ffff81007d810000, task ffff81007d808000)
+ Stack: ffff81007c9d75a0 0000000000000000 0000000000000000 ffff81007d811c80
+ ffffffff81163a61 ffff810000000000 ffffffff8115f9c8 0000001000000000
+ 0000000100aaaaaa 000000007cd0d4a0 fffffd8a00000800 0001000000000000
+ Call Trace:
+ [cfb_fillrect+523/798] cfb_fillrect+0x20b/0x31e
+ [soft_cursor+416/436] ?
soft_cursor+0x1a0/0x1b4
+ [ccw_clear_margins+205/263] ccw_clear_margins+0xcd/0x107
+ [fbcon_clear_margins+59/61] fbcon_clear_margins+0x3b/0x3d
+ [fbcon_switch+1291/1466] fbcon_switch+0x50b/0x5ba
+ [redraw_screen+261/481] redraw_screen+0x105/0x1e1
+ [ccw_cursor+0/1869] ? ccw_cursor+0x0/0x74d
+ [complete_change_console+48/190] complete_change_console+0x30/0xbe
+ [change_console+115/120] change_console+0x73/0x78
+ [console_callback+0/292] ? console_callback+0x0/0x124
+ [console_callback+97/292] console_callback+0x61/0x124
+ [schedule_delayed_work+25/30] ? schedule_delayed_work+0x19/0x1e
+ [run_workqueue+139/282] run_workqueue+0x8b/0x11a
+ [worker_thread+221/238] worker_thread+0xdd/0xee
+ [autoremove_wake_function+0/56] ? autoremove_wake_function+0x0/0x38
+ [worker_thread+0/238] ? worker_thread+0x0/0xee
+ [kthread+73/118] kthread+0x49/0x76
+ [child_rip+10/18] child_rip+0xa/0x12
+ [kthread+0/118] ? kthread+0x0/0x76
+ [child_rip+0/18] ? child_rip+0x0/0x12
+
+Because fbcon_set_all_vcs()->FBCON_SWAP() uses display->rotate == 0 instead
+of fbcon_ops->rotate, and vc_resize() has no effect because it is called with
+new_cols/rows == ->vc_cols/rows.
+
+Tested on 2.6.26.5-45.fc9.x86_64, but
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git seems to
+have the same problem.
+
+Signed-off-by: Oleg Nesterov
+Cc: Krzysztof Helt
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/console/fbcon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/console/fbcon.c
++++ b/drivers/video/console/fbcon.c
+@@ -2996,8 +2996,8 @@ static void fbcon_set_all_vcs(struct fb_
+ p = &fb_display[vc->vc_num];
+ set_blitting_type(vc, info);
+ var_to_display(p, &info->var, info);
+- cols = FBCON_SWAP(p->rotate, info->var.xres, info->var.yres);
+- rows = FBCON_SWAP(p->rotate, info->var.yres, info->var.xres);
++ cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
++ rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+ cols /= vc->vc_font.width;
+ rows /= vc->vc_font.height;
+ vc_resize(vc, cols, rows);
diff --git a/queue-2.6.27/md-fix-rdev_size_store-with-size-0.patch b/queue-2.6.27/md-fix-rdev_size_store-with-size-0.patch
new file mode 100644
index 00000000000..9a5ef2b11b6
--- /dev/null
+++ b/queue-2.6.27/md-fix-rdev_size_store-with-size-0.patch
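Review bot: Nothing in the code explains why the two new FBCON_SWAP() lines read `ops->rotate` while the surrounding lines keep working on `p`, so the next reader may well change it back and reintroduce the out-of-bounds write shown in the oops. The commit message says the per-display value is still 0 at this point; a one-line comment above `cols =` would keep that in the source: `/* ops->rotate holds the requested rotation; p->rotate may still be stale here */`. `ops` is declared outside the hunk, so its initialisation could not be checked from here.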
@@ -0,0 +1,49 @@
+From jejb@kernel.org Thu Oct 16 15:37:50 2008
+From: James Bottomley
+Date: Thu, 16 Oct 2008 19:05:16 GMT
+Subject: md: Fix rdev_size_store with size == 0
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810161905.m9GJ5GiT014058@hera.kernel.org>
+
+From: Chris Webb
+
+commit 7d3c6f8717ee6c2bf6cba5fa0bda3b28fbda6015 upstream
+
+Fix rdev_size_store with size == 0.
+size == 0 means to use the largest size allowed by the
+underlying device and is used when modifying an active array.
+
+This fixes a regression introduced by
+ commit d7027458d68b2f1752a28016dcf2ffd0a7e8f567
+
+Signed-off-by: Chris Webb
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/md.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2109,8 +2109,6 @@ rdev_size_store(mdk_rdev_t *rdev, const
+
+ if (strict_strtoull(buf, 10, &size) < 0)
+ return -EINVAL;
+- if (size < my_mddev->size)
+- return -EINVAL;
+ if (my_mddev->pers && rdev->raid_disk >= 0) {
+ if (my_mddev->persistent) {
+ size = super_types[my_mddev->major_version].
+@@ -2121,9 +2119,9 @@ rdev_size_store(mdk_rdev_t *rdev, const
+ size = (rdev->bdev->bd_inode->i_size >> 10);
+ size -= rdev->data_offset/2;
+ }
+- if (size < my_mddev->size)
+- return -EINVAL; /* component must fit device */
+ }
++ if (size < my_mddev->size)
++ return -EINVAL; /* component must fit device */
+
+ rdev->size = size;
+ if (size > oldsize && my_mddev->external) {
diff --git a/queue-2.6.27/modules-fix-module-notes-kobject-leak.patch b/queue-2.6.27/modules-fix-module-notes-kobject-leak.patch
new file mode 100644
index 00000000000..f44d48f8974
--- /dev/null
+++ b/queue-2.6.27/modules-fix-module-notes-kobject-leak.patch
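Review bot: The single remaining `size < my_mddev->size` check does not catch a wrap in the context line `size -= rdev->data_offset/2;` just above it. `size` is filled by strict_strtoull(), so it is presumably an unsigned 64-bit value; if data_offset/2 were ever larger than the device size in KiB, the subtraction would wrap to a huge number that passes the check and is then stored in `rdev->size`. Whether data_offset is bounded elsewhere is not visible in the hunk; a guard such as `if (rdev->data_offset/2 > size) return -EINVAL;` before the subtraction would make the bound explicit. rdev_size_store's body starts and ends outside the hunk.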
@@ -0,0 +1,59 @@
+From jejb@kernel.org Thu Oct 16 15:31:27 2008
+From: Alexey Dobriyan
+Date: Thu, 16 Oct 2008 22:05:10 GMT
+Subject: modules: fix module "notes" kobject leak
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810162205.m9GM5A4T005941@hera.kernel.org>
+
+From: Alexey Dobriyan
+
+commit e94320939f44e0cbaccc3f259a5778abced4949c upstream
+
+Fix "notes" kobject leak
+
+It happens every rmmod if KALLSYMS=y and SYSFS=y.
+
+ # modprobe foo
+
+kobject: 'foo' (ffffffffa00743d0): kobject_add_internal: parent: 'module', set: 'module'
+kobject: 'holders' (ffff88017e7c5770): kobject_add_internal: parent: 'foo', set: ''
+kobject: 'foo' (ffffffffa00743d0): kobject_uevent_env
+kobject: 'foo' (ffffffffa00743d0): fill_kobj_path: path = '/module/foo'
+kobject: 'notes' (ffff88017fa9b668): kobject_add_internal: parent: 'foo', set: ''
+ ^^^^^
+
+ # rmmod foo
+
+kobject: 'holders' (ffff88017e7c5770): kobject_cleanup
+kobject: 'holders' (ffff88017e7c5770): auto cleanup kobject_del
+kobject: 'holders' (ffff88017e7c5770): calling ktype release
+kobject: (ffff88017e7c5770): dynamic_kobj_release
+kobject: 'holders': free name
+kobject: 'foo' (ffffffffa00743d0): kobject_cleanup
+kobject: 'foo' (ffffffffa00743d0): does not have a release() function, it is broken and must be fixed.
+kobject: 'foo' (ffffffffa00743d0): auto cleanup 'remove' event
+kobject: 'foo' (ffffffffa00743d0): kobject_uevent_env
+kobject: 'foo' (ffffffffa00743d0): fill_kobj_path: path = '/module/foo'
+kobject: 'foo' (ffffffffa00743d0): auto cleanup kobject_del
+kobject: 'foo': free name
+
+ [whooops]
+
+Signed-off-by: Alexey Dobriyan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1173,7 +1173,7 @@ static void free_notes_attrs(struct modu
+ while (i-- > 0)
+ sysfs_remove_bin_file(notes_attrs->dir,
+ ¬es_attrs->attrs[i]);
+- kobject_del(notes_attrs->dir);
++ kobject_put(notes_attrs->dir);
+ }
+ kfree(notes_attrs);
+ }
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
new file mode 100644
index 00000000000..97f1b5a5062
--- /dev/null
+++ b/queue-2.6.27/series
@@ -0,0 +1,7 @@
+fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch
+modules-fix-module-notes-kobject-leak.patch
+driver-core-fix-cleanup-in-device_create_vargs.patch
+driver-core-clarify-device-cleanup.patch
+ath9k-mac80211-disallow-fragmentation-in-ath9k-report-to-userspace.patch
+md-fix-rdev_size_store-with-size-0.patch
+xfs-fix-remount-rw-with-unrecognized-options.patch
diff --git a/queue-2.6.27/xfs-fix-remount-rw-with-unrecognized-options.patch b/queue-2.6.27/xfs-fix-remount-rw-with-unrecognized-options.patch
new file mode 100644
index 00000000000..4f93cbab85e
--- /dev/null
+++ b/queue-2.6.27/xfs-fix-remount-rw-with-unrecognized-options.patch
@@ -0,0 +1,41 @@
+From 6c5e51dae2c37127e00be392f40842e08077e96a Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Sun, 12 Oct 2008 14:30:44 +0200
+Subject: xfs: fix remount rw with unrecognized options
+
+From: Christoph Hellwig
+
+commit 6c5e51dae2c37127e00be392f40842e08077e96a upstream
+
+When we skip unrecognized options in xfs_fs_remount we should just break
+out of the switch and not return because otherwise we may skip clearing
+the xfs-internal read-only flag. This will only show up on some
+operations like touch because most read-only checks are done by the VFS
+which thinks this filesystem is r/w. Eventually we should replace the
+XFS read-only flag with a helper that always checks the VFS flag to make
+sure they can never get out of sync.
+
+Bug reported and fix verified by Marcel Beister on #xfs.
+Bug fix verified by updated xfstests/189.
+
+Signed-off-by: Christoph Hellwig
+Acked-by: Eric Sandeen
+Signed-off-by: Timothy Shimmin
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/linux-2.6/xfs_super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/linux-2.6/xfs_super.c
++++ b/fs/xfs/linux-2.6/xfs_super.c
+@@ -1323,7 +1323,7 @@ xfs_fs_remount(
+ "XFS: mount option \"%s\" not supported for remount\n", p);
+ return -EINVAL;
+ #else
+- return 0;
++ break;
+ #endif
+ }
+ }
--
2.47.3
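Review bot: The new `break;` in the `#else` branch carries no comment, and its difference from `return 0;` is easy to undo by accident: per the commit message, returning here can skip the later step that clears the XFS-internal read-only flag, leaving it out of sync with the VFS. Suggest `/* do not return: the ro/rw handling later in this function must still run */` above the `break;`. In this branch an unrecognised option is also accepted without any message, while the other preprocessor branch logs and fails with -EINVAL; if that asymmetry is intended it deserves a word in the same comment. xfs_fs_remount's body continues outside the hunk.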