From 87eb474ad3d48abc9bc14e8af7d36deaa8093320 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 21 Sep 2007 15:17:47 -0700 Subject: [PATCH] more 2.6.22 patches added --- .../afs-mntput-called-before-dput.patch | 36 +++ ...ves-enough-free-space-in-both-blocks.patch | 262 ++++++++++++++++++ ...gnore-failure-of-pci_set_power_state.patch | 64 +++++ ...hines-which-don-t-support-64-bit-dma.patch | 89 ++++++ ...hines-which-don-t-support-64-bit-dma.patch | 41 +++ ...futex_compat-fix-list-traversal-bugs.patch | 67 +++++ .../leases-can-be-hidden-by-flocks.patch | 108 ++++++++ ...s-fix-oops-re-sysctls-and-v4-support.patch | 82 ++++++ queue-2.6.22/series | 8 + 9 files changed, 757 insertions(+) create mode 100644 queue-2.6.22/afs-mntput-called-before-dput.patch create mode 100644 queue-2.6.22/ext34-ensure-do_split-leaves-enough-free-space-in-both-blocks.patch create mode 100644 queue-2.6.22/firewire-fw-ohci-ignore-failure-of-pci_set_power_state.patch create mode 100644 queue-2.6.22/fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch create mode 100644 queue-2.6.22/fix-fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch create mode 100644 queue-2.6.22/futex_compat-fix-list-traversal-bugs.patch create mode 100644 queue-2.6.22/leases-can-be-hidden-by-flocks.patch create mode 100644 queue-2.6.22/nfs-fix-oops-re-sysctls-and-v4-support.patch diff --git a/queue-2.6.22/afs-mntput-called-before-dput.patch b/queue-2.6.22/afs-mntput-called-before-dput.patch new file mode 100644 index 00000000000..b3b120a95a9 --- /dev/null +++ b/queue-2.6.22/afs-mntput-called-before-dput.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Tue Sep 11 15:24:09 2007 +From: Andreas Gruenbacher +Date: Tue, 11 Sep 2007 15:23:37 -0700 +Subject: afs: mntput called before dput +To: torvalds@linux-foundation.org +Cc: dhowells@redhat.com, akpm@linux-foundation.org, stable@kernel.org, agruen@suse.de +Message-ID: <200709112223.l8BMNboi032647@imap1.linux-foundation.org> + +From: Andreas Gruenbacher + +commit 1a1a1a758bf0107d1f78ff1d622f45987803d894 in mainline. + +dput must be called before mntput here. + +Signed-off-by: Andreas Gruenbacher +Acked-By: David Howells +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/afs/mntpt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/afs/mntpt.c ++++ b/fs/afs/mntpt.c +@@ -235,8 +235,8 @@ static void *afs_mntpt_follow_link(struc + err = do_add_mount(newmnt, nd, MNT_SHRINKABLE, &afs_vfsmounts); + switch (err) { + case 0: +- mntput(nd->mnt); + dput(nd->dentry); ++ mntput(nd->mnt); + nd->mnt = newmnt; + nd->dentry = dget(newmnt->mnt_root); + schedule_delayed_work(&afs_mntpt_expiry_timer, diff --git a/queue-2.6.22/ext34-ensure-do_split-leaves-enough-free-space-in-both-blocks.patch b/queue-2.6.22/ext34-ensure-do_split-leaves-enough-free-space-in-both-blocks.patch new file mode 100644 index 00000000000..3e290003fef --- /dev/null +++ b/queue-2.6.22/ext34-ensure-do_split-leaves-enough-free-space-in-both-blocks.patch @@ -0,0 +1,262 @@ +From stable-bounces@linux.kernel.org Tue Sep 18 22:47:15 2007 +From: Eric Sandeen +Date: Tue, 18 Sep 2007 22:46:42 -0700 +Subject: ext34: ensure do_split leaves enough free space in both blocks +To: torvalds@linux-foundation.org +Cc: sandeen@redhat.com, hooanon05@yahoo.co.jp, stable@kernel.org, tytso@mit.edu, akpm@linux-foundation.org, linux-ext4@vger.kernel.org, adilger@clusterfs.com +Message-ID: <200709190546.l8J5kgvJ009348@imap1.linux-foundation.org> + +From: Eric Sandeen + +commit ef2b02d3e617cb0400eedf2668f86215e1b0e6af in mainline. + +The do_split() function for htree dir blocks is intended to split a leaf +block to make room for a new entry. It sorts the entries in the original +block by hash value, then moves the last half of the entries to the new +block - without accounting for how much space this actually moves. (IOW, +it moves half of the entry *count* not half of the entry *space*). If by +chance we have both large & small entries, and we move only the smallest +entries, and we have a large new entry to insert, we may not have created +enough space for it. + +The patch below stores each record size when calculating the dx_map, and +then walks the hash-sorted dx_map, calculating how many entries must be +moved to more evenly split the existing entries between the old block and +the new block, guaranteeing enough space for the new entry. + +The dx_map "offs" member is reduced to u16 so that the overall map size +does not change - it is temporarily stored at the end of the new block, and +if it grows too large it may be overwritten. By making offs and size both +u16, we won't grow the map size. + +Also add a few comments to the functions involved. + +This fixes the testcase reported by hooanon05@yahoo.co.jp on the +linux-ext4 list, "ext3 dir_index causes an error" + +Thanks to Andreas Dilger for discussing the problem & solution with me. + +Signed-off-by: Eric Sandeen +Signed-off-by: Andreas Dilger +Tested-by: Junjiro Okajima +Cc: Theodore Ts'o +Cc: ext4 +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/namei.c | 39 +++++++++++++++++++++++++++++++++++---- + fs/ext4/namei.c | 39 +++++++++++++++++++++++++++++++++++---- + 2 files changed, 70 insertions(+), 8 deletions(-) + +--- a/fs/ext3/namei.c ++++ b/fs/ext3/namei.c +@@ -140,7 +140,8 @@ struct dx_frame + struct dx_map_entry + { + u32 hash; +- u32 offs; ++ u16 offs; ++ u16 size; + }; + + #ifdef CONFIG_EXT3_INDEX +@@ -671,6 +672,10 @@ errout: + * Directory block splitting, compacting + */ + ++/* ++ * Create map of hash values, offsets, and sizes, stored at end of block. ++ * Returns number of entries mapped. ++ */ + static int dx_make_map (struct ext3_dir_entry_2 *de, int size, + struct dx_hash_info *hinfo, struct dx_map_entry *map_tail) + { +@@ -684,7 +689,8 @@ static int dx_make_map (struct ext3_dir_ + ext3fs_dirhash(de->name, de->name_len, &h); + map_tail--; + map_tail->hash = h.hash; +- map_tail->offs = (u32) ((char *) de - base); ++ map_tail->offs = (u16) ((char *) de - base); ++ map_tail->size = le16_to_cpu(de->rec_len); + count++; + cond_resched(); + } +@@ -694,6 +700,7 @@ static int dx_make_map (struct ext3_dir_ + return count; + } + ++/* Sort map by hash value */ + static void dx_sort_map (struct dx_map_entry *map, unsigned count) + { + struct dx_map_entry *p, *q, *top = map + count - 1; +@@ -1081,6 +1088,10 @@ static inline void ext3_set_de_type(stru + } + + #ifdef CONFIG_EXT3_INDEX ++/* ++ * Move count entries from end of map between two memory locations. ++ * Returns pointer to last entry moved. ++ */ + static struct ext3_dir_entry_2 * + dx_move_dirents(char *from, char *to, struct dx_map_entry *map, int count) + { +@@ -1099,6 +1110,10 @@ dx_move_dirents(char *from, char *to, st + return (struct ext3_dir_entry_2 *) (to - rec_len); + } + ++/* ++ * Compact each dir entry in the range to the minimal rec_len. ++ * Returns pointer to last entry in range. ++ */ + static struct ext3_dir_entry_2* dx_pack_dirents(char *base, int size) + { + struct ext3_dir_entry_2 *next, *to, *prev, *de = (struct ext3_dir_entry_2 *) base; +@@ -1121,6 +1136,11 @@ static struct ext3_dir_entry_2* dx_pack_ + return prev; + } + ++/* ++ * Split a full leaf block to make room for a new dir entry. ++ * Allocate a new block, and move entries so that they are approx. equally full. ++ * Returns pointer to de in block into which the new entry will be inserted. ++ */ + static struct ext3_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + struct buffer_head **bh,struct dx_frame *frame, + struct dx_hash_info *hinfo, int *error) +@@ -1132,7 +1152,7 @@ static struct ext3_dir_entry_2 *do_split + u32 hash2; + struct dx_map_entry *map; + char *data1 = (*bh)->b_data, *data2; +- unsigned split; ++ unsigned split, move, size, i; + struct ext3_dir_entry_2 *de = NULL, *de2; + int err = 0; + +@@ -1160,8 +1180,19 @@ static struct ext3_dir_entry_2 *do_split + count = dx_make_map ((struct ext3_dir_entry_2 *) data1, + blocksize, hinfo, map); + map -= count; +- split = count/2; // need to adjust to actual middle + dx_sort_map (map, count); ++ /* Split the existing block in the middle, size-wise */ ++ size = 0; ++ move = 0; ++ for (i = count-1; i >= 0; i--) { ++ /* is more than half of this entry in 2nd half of the block? */ ++ if (size + map[i].size/2 > blocksize/2) ++ break; ++ size += map[i].size; ++ move++; ++ } ++ /* map index at which we will split */ ++ split = count - move; + hash2 = map[split].hash; + continued = hash2 == map[split - 1].hash; + dxtrace(printk("Split block %i at %x, %i/%i\n", +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -140,7 +140,8 @@ struct dx_frame + struct dx_map_entry + { + u32 hash; +- u32 offs; ++ u16 offs; ++ u16 size; + }; + + #ifdef CONFIG_EXT4_INDEX +@@ -671,6 +672,10 @@ errout: + * Directory block splitting, compacting + */ + ++/* ++ * Create map of hash values, offsets, and sizes, stored at end of block. ++ * Returns number of entries mapped. ++ */ + static int dx_make_map (struct ext4_dir_entry_2 *de, int size, + struct dx_hash_info *hinfo, struct dx_map_entry *map_tail) + { +@@ -684,7 +689,8 @@ static int dx_make_map (struct ext4_dir_ + ext4fs_dirhash(de->name, de->name_len, &h); + map_tail--; + map_tail->hash = h.hash; +- map_tail->offs = (u32) ((char *) de - base); ++ map_tail->offs = (u16) ((char *) de - base); ++ map_tail->size = le16_to_cpu(de->rec_len); + count++; + cond_resched(); + } +@@ -694,6 +700,7 @@ static int dx_make_map (struct ext4_dir_ + return count; + } + ++/* Sort map by hash value */ + static void dx_sort_map (struct dx_map_entry *map, unsigned count) + { + struct dx_map_entry *p, *q, *top = map + count - 1; +@@ -1079,6 +1086,10 @@ static inline void ext4_set_de_type(stru + } + + #ifdef CONFIG_EXT4_INDEX ++/* ++ * Move count entries from end of map between two memory locations. ++ * Returns pointer to last entry moved. ++ */ + static struct ext4_dir_entry_2 * + dx_move_dirents(char *from, char *to, struct dx_map_entry *map, int count) + { +@@ -1097,6 +1108,10 @@ dx_move_dirents(char *from, char *to, st + return (struct ext4_dir_entry_2 *) (to - rec_len); + } + ++/* ++ * Compact each dir entry in the range to the minimal rec_len. ++ * Returns pointer to last entry in range. ++ */ + static struct ext4_dir_entry_2* dx_pack_dirents(char *base, int size) + { + struct ext4_dir_entry_2 *next, *to, *prev, *de = (struct ext4_dir_entry_2 *) base; +@@ -1119,6 +1134,11 @@ static struct ext4_dir_entry_2* dx_pack_ + return prev; + } + ++/* ++ * Split a full leaf block to make room for a new dir entry. ++ * Allocate a new block, and move entries so that they are approx. equally full. ++ * Returns pointer to de in block into which the new entry will be inserted. ++ */ + static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + struct buffer_head **bh,struct dx_frame *frame, + struct dx_hash_info *hinfo, int *error) +@@ -1130,7 +1150,7 @@ static struct ext4_dir_entry_2 *do_split + u32 hash2; + struct dx_map_entry *map; + char *data1 = (*bh)->b_data, *data2; +- unsigned split; ++ unsigned split, move, size, i; + struct ext4_dir_entry_2 *de = NULL, *de2; + int err = 0; + +@@ -1158,8 +1178,19 @@ static struct ext4_dir_entry_2 *do_split + count = dx_make_map ((struct ext4_dir_entry_2 *) data1, + blocksize, hinfo, map); + map -= count; +- split = count/2; // need to adjust to actual middle + dx_sort_map (map, count); ++ /* Split the existing block in the middle, size-wise */ ++ size = 0; ++ move = 0; ++ for (i = count-1; i >= 0; i--) { ++ /* is more than half of this entry in 2nd half of the block? */ ++ if (size + map[i].size/2 > blocksize/2) ++ break; ++ size += map[i].size; ++ move++; ++ } ++ /* map index at which we will split */ ++ split = count - move; + hash2 = map[split].hash; + continued = hash2 == map[split - 1].hash; + dxtrace(printk("Split block %i at %x, %i/%i\n", diff --git a/queue-2.6.22/firewire-fw-ohci-ignore-failure-of-pci_set_power_state.patch b/queue-2.6.22/firewire-fw-ohci-ignore-failure-of-pci_set_power_state.patch new file mode 100644 index 00000000000..936928046a3 --- /dev/null +++ b/queue-2.6.22/firewire-fw-ohci-ignore-failure-of-pci_set_power_state.patch @@ -0,0 +1,64 @@ +From stable-bounces@linux.kernel.org Tue Sep 11 06:09:07 2007 +From: Stefan Richter +Date: Tue, 11 Sep 2007 14:59:17 +0200 (CEST) +Subject: firewire: fw-ohci: ignore failure of pci_set_power_state (fix suspend regression) +To: stable@kernel.org +Cc: linux1394-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org +Message-ID: +Content-Disposition: INLINE + +From: Stefan Richter + +Minor regression since 2.6.22-rc1: If the experimental firewire-ohci +driver instead of ohci1394 was loaded, iBook G3 and older PowerBooks +refused to suspend. + +Same as commit 5511142870046a7bed947d51ec9b320856ee120a plus format +string touch-ups from 8a8cea2734808522f02941ea16125810ee42c9c7, +"firewire: missing newline in printk". Original patch description: + +Fixes (papers over) "Sleep problems with kernels >= 2.6.21 on powerpc", +http://lkml.org/lkml/2007/8/25/155. The issue is that the FireWire +controller's pci_dev.current_state of iBook G3 and presumably older +PowerBooks is still in PCI_UNKNOWN instead of PCI_D0 when the firewire +driver's .suspend method is called. + +Like it was suggested earlier in http://lkml.org/lkml/2006/10/24/13, we +do not fail .suspend anymore if pci_set_power_state failed. + +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/fw-ohci.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/firewire/fw-ohci.c ++++ b/drivers/firewire/fw-ohci.c +@@ -1934,14 +1934,12 @@ static int pci_suspend(struct pci_dev *p + free_irq(pdev->irq, ohci); + err = pci_save_state(pdev); + if (err) { +- fw_error("pci_save_state failed with %d", err); ++ fw_error("pci_save_state failed with %d\n", err); + return err; + } + err = pci_set_power_state(pdev, pci_choose_state(pdev, state)); +- if (err) { +- fw_error("pci_set_power_state failed with %d", err); +- return err; +- } ++ if (err) ++ fw_error("pci_set_power_state failed with %d\n", err); + + return 0; + } +@@ -1955,7 +1953,7 @@ static int pci_resume(struct pci_dev *pd + pci_restore_state(pdev); + err = pci_enable_device(pdev); + if (err) { +- fw_error("pci_enable_device failed with %d", err); ++ fw_error("pci_enable_device failed with %d\n", err); + return err; + } + diff --git a/queue-2.6.22/fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch b/queue-2.6.22/fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch new file mode 100644 index 00000000000..6b5628d3559 --- /dev/null +++ b/queue-2.6.22/fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch @@ -0,0 +1,89 @@ +From stable-bounces@linux.kernel.org Tue Sep 11 15:24:19 2007 +From: Matthew Wilcox +Date: Tue, 11 Sep 2007 15:23:38 -0700 +Subject: Fix DAC960 driver on machines which don't support 64-bit DMA +To: torvalds@linux-foundation.org +Cc: jeff@garzik.org, matthew@wil.cx, alex@nibbles.it, dac@conglom-o.org, akpm@linux-foundation.org, stable@kernel.org, polynomial-c@gmx.de +Message-ID: <200709112223.l8BMNcAG032651@imap1.linux-foundation.org> + + +From: Matthew Wilcox + +commit 868047fcbb85dbb44ddd98c336fef83236a2c06a in mainline. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=8942 + +Use PCI_DMA_* constants instead of own private definitions Fall back to +32-bit DMA mask if a 64-bit one fails + +Signed-off-by: Matthew Wilcox +Acked-by: Jeff Garzik +Tested-by: Lars +Cc: Alessandro Polverini +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/DAC960.c | 17 ++++++++++------- + drivers/block/DAC960.h | 7 ------- + 2 files changed, 10 insertions(+), 14 deletions(-) + +--- a/drivers/block/DAC960.c ++++ b/drivers/block/DAC960.c +@@ -17,8 +17,8 @@ + */ + + +-#define DAC960_DriverVersion "2.5.48" +-#define DAC960_DriverDate "14 May 2006" ++#define DAC960_DriverVersion "2.5.49" ++#define DAC960_DriverDate "21 Aug 2007" + + + #include +@@ -1165,9 +1165,9 @@ static bool DAC960_V1_EnableMemoryMailbo + int i; + + +- if (pci_set_dma_mask(Controller->PCIDevice, DAC690_V1_PciDmaMask)) ++ if (pci_set_dma_mask(Controller->PCIDevice, DMA_32BIT_MASK)) + return DAC960_Failure(Controller, "DMA mask out of range"); +- Controller->BounceBufferLimit = DAC690_V1_PciDmaMask; ++ Controller->BounceBufferLimit = DMA_32BIT_MASK; + + if ((hw_type == DAC960_PD_Controller) || (hw_type == DAC960_P_Controller)) { + CommandMailboxesSize = 0; +@@ -1368,9 +1368,12 @@ static bool DAC960_V2_EnableMemoryMailbo + dma_addr_t CommandMailboxDMA; + DAC960_V2_CommandStatus_T CommandStatus; + +- if (pci_set_dma_mask(Controller->PCIDevice, DAC690_V2_PciDmaMask)) +- return DAC960_Failure(Controller, "DMA mask out of range"); +- Controller->BounceBufferLimit = DAC690_V2_PciDmaMask; ++ if (!pci_set_dma_mask(Controller->PCIDevice, DMA_64BIT_MASK)) ++ Controller->BounceBufferLimit = DMA_64BIT_MASK; ++ else if (!pci_set_dma_mask(Controller->PCIDevice, DMA_32BIT_MASK)) ++ Controller->BounceBufferLimit = DMA_32BIT_MASK; ++ else ++ return DAC960_Failure(Controller, "DMA mask out of range"); + + /* This is a temporary dma mapping, used only in the scope of this function */ + CommandMailbox = pci_alloc_consistent(PCI_Device, +--- a/drivers/block/DAC960.h ++++ b/drivers/block/DAC960.h +@@ -61,13 +61,6 @@ + #define DAC960_V2_MaxPhysicalDevices 272 + + /* +- Define the pci dma mask supported by DAC960 V1 and V2 Firmware Controlers +- */ +- +-#define DAC690_V1_PciDmaMask 0xffffffff +-#define DAC690_V2_PciDmaMask 0xffffffffffffffffULL +- +-/* + Define a 32/64 bit I/O Address data type. + */ + diff --git a/queue-2.6.22/fix-fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch b/queue-2.6.22/fix-fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch new file mode 100644 index 00000000000..9e2b25c54c9 --- /dev/null +++ b/queue-2.6.22/fix-fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Tue Sep 18 22:47:02 2007 +From: Andrew Morton +Date: Tue, 18 Sep 2007 22:46:19 -0700 +Subject: Fix "Fix DAC960 driver on machines which don't support 64-bit DMA" +To: torvalds@linux-foundation.org +Cc: jeff@garzik.org, matthew@wil.cx, alex@nibbles.it, dac@conglom-o.org, akpm@linux-foundation.org, stable@kernel.org +Message-ID: <200709190546.l8J5kJEw009285@imap1.linux-foundation.org> + + +From: Andrew Morton + +commit 3558c9b3232b5f0fd9f32043a191eca20fca64c6 in mainline. + +sparc32: + +drivers/block/DAC960.c: In function 'DAC960_V1_EnableMemoryMailboxInterface': +drivers/block/DAC960.c:1168: error: 'DMA_32BIT_MASK' undeclared (first use in this function) +drivers/block/DAC960.c:1168: error: (Each undeclared identifier is reported only + +Cc: +Cc: Alessandro Polverini +Cc: Jeff Garzik +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/DAC960.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/block/DAC960.c ++++ b/drivers/block/DAC960.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/queue-2.6.22/futex_compat-fix-list-traversal-bugs.patch b/queue-2.6.22/futex_compat-fix-list-traversal-bugs.patch new file mode 100644 index 00000000000..af65024354d --- /dev/null +++ b/queue-2.6.22/futex_compat-fix-list-traversal-bugs.patch @@ -0,0 +1,67 @@ +From stable-bounces@linux.kernel.org Tue Sep 11 15:24:28 2007 +From: Arnd Bergmann +Date: Tue, 11 Sep 2007 15:23:49 -0700 +Subject: futex_compat: fix list traversal bugs +To: torvalds@linux-foundation.org +Cc: arnd@arndb.de, stable@kernel.org, davem@davemloft.net, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu +Message-ID: <200709112223.l8BMNn8s032675@imap1.linux-foundation.org> + + +From: Arnd Bergmann + +commit 179c85ea53bef807621f335767e41e23f86f01df in mainline. + +The futex list traversal on the compat side appears to have +a bug. + +It's loop termination condition compares: + + while (compat_ptr(uentry) != &head->list) + +But that can't be right because "uentry" has the special +"pi" indicator bit still potentially set at bit 0. This +is cleared by fetch_robust_entry() into the "entry" +return value. + +What this seems to mean is that the list won't terminate +when list iteration gets back to the the head. And we'll +also process the list head like a normal entry, which could +cause all kinds of problems. + +So we should check for equality with "entry". That pointer +is of the non-compat type so we have to do a little casting +to keep the compiler and sparse happy. + +The same problem can in theory occur with the 'pending' +variable, although that has not been reported from users +so far. + +Based on the original patch from David Miller. + +Acked-by: Ingo Molnar +Cc: Thomas Gleixner +Cc: David Miller +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex_compat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/futex_compat.c ++++ b/kernel/futex_compat.c +@@ -61,10 +61,10 @@ void compat_exit_robust_list(struct task + if (fetch_robust_entry(&upending, &pending, + &head->list_op_pending, &pip)) + return; +- if (upending) ++ if (pending) + handle_futex_death((void __user *)pending + futex_offset, curr, pip); + +- while (compat_ptr(uentry) != &head->list) { ++ while (entry != (struct robust_list __user *) &head->list) { + /* + * A pending lock might already be on the list, so + * dont process it twice: diff --git a/queue-2.6.22/leases-can-be-hidden-by-flocks.patch b/queue-2.6.22/leases-can-be-hidden-by-flocks.patch new file mode 100644 index 00000000000..8019e8247d6 --- /dev/null +++ b/queue-2.6.22/leases-can-be-hidden-by-flocks.patch @@ -0,0 +1,108 @@ +From stable-bounces@linux.kernel.org Tue Sep 11 15:29:11 2007 +From: Pavel Emelyanov +Date: Tue, 11 Sep 2007 15:24:01 -0700 +Subject: Leases can be hidden by flocks +To: torvalds@linux-foundation.org +Cc: bfields@fieldses.org, akpm@linux-foundation.org, trond.myklebust@fys.uio.no, stable@kernel.org, xemul@openvz.org +Message-ID: <200709112224.l8BMO2NQ000334@imap1.linux-foundation.org> + + +From: Pavel Emelyanov + +commit 0e2f6db88a6900bc9db576d6b478b12ee60d61f7 in mainline. + +The inode->i_flock list contains the leases, flocks and posix +locks in the specified order. However, the flocks are added in +the head of this list thus hiding the leases from F_GETLEASE +command, from time_out_leases() and other code that expects +the leases to come first. + +The following example will demonstrate this: + +#define _GNU_SOURCE + +#include +#include +#include +#include + +static void show_lease(int fd) +{ + int res; + + res = fcntl(fd, F_GETLEASE); + switch (res) { + case F_RDLCK: + printf("Read lease\n"); + break; + case F_WRLCK: + printf("Write lease\n"); + break; + case F_UNLCK: + printf("No leases\n"); + break; + default: + printf("Some shit\n"); + break; + } +} + +int main(int argc, char **argv) +{ + int fd, res; + + fd = open(argv[1], O_RDONLY); + if (fd == -1) { + perror("Can't open file"); + return 1; + } + + res = fcntl(fd, F_SETLEASE, F_WRLCK); + if (res == -1) { + perror("Can't set lease"); + return 1; + } + + show_lease(fd); + + if (flock(fd, LOCK_SH) == -1) { + perror("Can't flock shared"); + return 1; + } + + show_lease(fd); + + return 0; +} + +The first call to show_lease() will show the write lease set, but +the second will show no leases. + +Fix the flock adding so that the leases always stay in the head +of this list. + +Found during making the flocks pid-namespaces aware. + +Signed-off-by: Pavel Emelyanov +Acked-by: "J. Bruce Fields" +Cc: Trond Myklebust +Cc: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/locks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -786,7 +786,7 @@ find_conflict: + if (request->fl_flags & FL_ACCESS) + goto out; + locks_copy_lock(new_fl, request); +- locks_insert_lock(&inode->i_flock, new_fl); ++ locks_insert_lock(before, new_fl); + new_fl = NULL; + error = 0; + diff --git a/queue-2.6.22/nfs-fix-oops-re-sysctls-and-v4-support.patch b/queue-2.6.22/nfs-fix-oops-re-sysctls-and-v4-support.patch new file mode 100644 index 00000000000..d11ac49c8c1 --- /dev/null +++ b/queue-2.6.22/nfs-fix-oops-re-sysctls-and-v4-support.patch @@ -0,0 +1,82 @@ +From stable-bounces@linux.kernel.org Tue Sep 18 22:48:03 2007 +From: Alexey Dobriyan +Date: Tue, 18 Sep 2007 22:46:40 -0700 +Subject: nfs: fix oops re sysctls and V4 support +To: torvalds@linux-foundation.org +Cc: bfields@fieldses.org, akpm@linux-foundation.org, trond.myklebust@fys.uio.no, adobriyan@gmail.com, stable@kernel.org +Message-ID: <200709190546.l8J5kevR009340@imap1.linux-foundation.org> + + +From: Alexey Dobriyan + +commit 49af7ee181f4f516ac99eba85d3f70ed42cabe76 in mainline. + +NFS unregisters sysctls only if V4 support is compiled in. However, sysctl +table is not V4 specific, so unregister it always. + +Steps to reproduce: + + [build nfs.ko with CONFIG_NFS_V4=n] + modrobe nfs + rmmod nfs + ls /proc/sys + +Unable to handle kernel paging request at ffffffff880661c0 RIP: + [] proc_sys_readdir+0xd3/0x350 +PGD 203067 PUD 207063 PMD 7e216067 PTE 0 +Oops: 0000 [1] SMP +CPU 1 +Modules linked in: lockd nfs_acl sunrpc +Pid: 3335, comm: ls Not tainted 2.6.23-rc3-bloat #2 +RIP: 0010:[] [] proc_sys_readdir+0xd3/0x350 +RSP: 0018:ffff81007fd93e78 EFLAGS: 00010286 +RAX: ffffffff880661c0 RBX: ffffffff80466370 RCX: ffffffff880661c0 +RDX: 00000000000014c0 RSI: ffff81007f3ad020 RDI: ffff81007efd8b40 +RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000001 R11: ffffffff802a8570 R12: ffffffff880661c0 +R13: ffff81007e219640 R14: ffff81007efd8b40 R15: ffff81007ded7280 +FS: 00002ba25ef03060(0000) GS:ffff81007ff81258(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: ffffffff880661c0 CR3: 000000007dfaf000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process ls (pid: 3335, threadinfo ffff81007fd92000, task ffff81007d8a0000) +Stack: ffff81007f3ad150 ffffffff80283f30 ffff81007fd93f48 ffff81007efd8b40 + ffff81007ee00440 0000000422222222 0000000200035593 ffffffff88037e9a + 2222222222222222 ffffffff80466500 ffff81007e416400 ffff81007e219640 +Call Trace: + [] filldir+0x0/0xf0 + [] filldir+0x0/0xf0 + [] vfs_readdir+0xa7/0xc0 + [] sys_getdents+0x96/0xe0 + [] system_call+0x7e/0x83 + +Code: 41 8b 14 24 85 d2 74 dc 49 8b 44 24 08 48 85 c0 74 e7 49 3b +RIP [] proc_sys_readdir+0xd3/0x350 + RSP +CR2: ffffffff880661c0 +Kernel panic - not syncing: Fatal exception + +Signed-off-by: Alexey Dobriyan +Acked-by: Trond Myklebust +Cc: "J. Bruce Fields" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + + fs/nfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -181,8 +181,8 @@ void __exit unregister_nfs_fs(void) + remove_shrinker(acl_shrinker); + #ifdef CONFIG_NFS_V4 + unregister_filesystem(&nfs4_fs_type); +- nfs_unregister_sysctl(); + #endif ++ nfs_unregister_sysctl(); + unregister_filesystem(&nfs_fs_type); + } + diff --git a/queue-2.6.22/series b/queue-2.6.22/series index c7fcafbb5f3..c5d80a6b4b4 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series @@ -18,3 +18,11 @@ fix-debug-regression-in-video-pwc.patch splice-fix-direct-splice-error-handling.patch rpc-fix-garbage-in-printk-in-svc_tcp_accept.patch disable-sys_timerfd.patch +afs-mntput-called-before-dput.patch +fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch +fix-fix-dac960-driver-on-machines-which-don-t-support-64-bit-dma.patch +firewire-fw-ohci-ignore-failure-of-pci_set_power_state.patch +futex_compat-fix-list-traversal-bugs.patch +leases-can-be-hidden-by-flocks.patch +ext34-ensure-do_split-leaves-enough-free-space-in-both-blocks.patch +nfs-fix-oops-re-sysctls-and-v4-support.patch -- 2.47.3