From c3a8f652d2a7419fb31945b3532f4ff53370264d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 7 Aug 2007 01:23:21 -0700 Subject: [PATCH] more 2.6.22 patches added --- queue-2.6.22/cpu-online-file-permission.patch | 39 ++++++++++++ .../dm-io-fix-panic-on-large-request.patch | 50 +++++++++++++++ ...u32-to-receive-physical-block-number.patch | 50 +++++++++++++++ ...-memory-leak-of-fw_request-instances.patch | 52 ++++++++++++++++ .../fix-leak-on-proc-lockdep_stats.patch | 30 +++++++++ ...d-sched_debug-timer_list-timer_stats.patch | 46 ++++++++++++++ ...leakage-with-locked-ipc-shem-segment.patch | 62 +++++++++++++++++++ ...futex-pass-nr_wake2-to-futex_wake_op.patch | 41 ++++++++++++ .../fw-ohci-fix-scheduling-while-atomic.patch | 35 +++++++++++ ...i386-hpet-check-if-the-counter-works.patch | 62 +++++++++++++++++++ ...-serial_reg.h-with-userspace-headers.patch | 42 +++++++++++++ ...s-to-broken-raid10-arrays-gracefully.patch | 40 ++++++++++++ .../md-raid10-fix-use-after-free-of-bio.patch | 45 ++++++++++++++ ...cmcia-give-socket-time-to-power-down.patch | 35 +++++++++++ queue-2.6.22/series | 14 +++++ 15 files changed, 643 insertions(+) create mode 100644 queue-2.6.22/cpu-online-file-permission.patch create mode 100644 queue-2.6.22/dm-io-fix-panic-on-large-request.patch create mode 100644 queue-2.6.22/ext4_ext_put_in_cache-uses-__u32-to-receive-physical-block-number.patch create mode 100644 queue-2.6.22/firewire-fix-memory-leak-of-fw_request-instances.patch create mode 100644 queue-2.6.22/fix-leak-on-proc-lockdep_stats.patch create mode 100644 queue-2.6.22/fix-leaks-on-proc-sched-sched_debug-timer_list-timer_stats.patch create mode 100644 queue-2.6.22/fix-user-struct-leakage-with-locked-ipc-shem-segment.patch create mode 100644 queue-2.6.22/futex-pass-nr_wake2-to-futex_wake_op.patch create mode 100644 queue-2.6.22/fw-ohci-fix-scheduling-while-atomic.patch create mode 100644 queue-2.6.22/i386-hpet-check-if-the-counter-works.patch create mode 100644 queue-2.6.22/include-serial_reg.h-with-userspace-headers.patch create mode 100644 queue-2.6.22/md-handle-writes-to-broken-raid10-arrays-gracefully.patch create mode 100644 queue-2.6.22/md-raid10-fix-use-after-free-of-bio.patch create mode 100644 queue-2.6.22/pcmcia-give-socket-time-to-power-down.patch diff --git a/queue-2.6.22/cpu-online-file-permission.patch b/queue-2.6.22/cpu-online-file-permission.patch new file mode 100644 index 00000000000..3244a4679f6 --- /dev/null +++ b/queue-2.6.22/cpu-online-file-permission.patch @@ -0,0 +1,39 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:47:21 2007 +From: Ulrich Drepper +Date: Tue, 31 Jul 2007 00:38:16 -0700 +Subject: CPU online file permission +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, drepper@redhat.com, stable@kernel.org +Message-ID: <200707310738.l6V7cGTs021998@imap1.linux-foundation.org> + + +From: Ulrich Drepper + +Is there a reason why the "online" file in the subdirectories for the CPUs +in /sys/devices/system isn't world-readable? I cannot imagine it to be +security relevant especially now that a getcpu() syscall can be used to +determine what CPUa thread runs on. + +The file is useful to correctly implement the sysconf() function to return +the number of online CPUs. In the presence of hotplug we currently cannot +provide this information. The patch below should to it. + +Signed-off-by: Ulrich Drepper +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -53,7 +53,7 @@ static ssize_t store_online(struct sys_d + ret = count; + return ret; + } +-static SYSDEV_ATTR(online, 0600, show_online, store_online); ++static SYSDEV_ATTR(online, 0644, show_online, store_online); + + static void __devinit register_cpu_control(struct cpu *cpu) + { diff --git a/queue-2.6.22/dm-io-fix-panic-on-large-request.patch b/queue-2.6.22/dm-io-fix-panic-on-large-request.patch new file mode 100644 index 00000000000..9fedfd3c221 --- /dev/null +++ b/queue-2.6.22/dm-io-fix-panic-on-large-request.patch @@ -0,0 +1,50 @@ +From stable-bounces@linux.kernel.org Sat Jul 21 04:37:49 2007 +From: Milan Broz +Date: Sat, 21 Jul 2007 04:37:27 -0700 +Subject: dm io: fix panic on large request +To: torvalds@linux-foundation.org +Cc: christophe@saout.de, stable@kernel.org, cebbert@redhat.com, akpm@linux-foundation.org, kaber@trash.net, agk@redhat.com, mbroz@redhat.com +Message-ID: <200707211137.l6LBbR52014349@imap1.linux-foundation.org> + + +From: Milan Broz + +Flush workqueue before releasing bioset and mopools in dm-crypt. There can +be finished but not yet released request. + +Call chain causing oops: + run workqueue + dec_pending + bio_endio(...); + + mempool_free(io, cc->io_pool); + +This usually happens when cryptsetup create temporary +luks mapping in the beggining of crypt device activation. + +When dm-core calls destructor crypt_dtr, no new request +are possible. + +Signed-off-by: Milan Broz +Cc: Chuck Ebbert +Cc: Patrick McHardy +Acked-by: Alasdair G Kergon +Cc: Christophe Saout +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-crypt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -920,6 +920,8 @@ static void crypt_dtr(struct dm_target * + { + struct crypt_config *cc = (struct crypt_config *) ti->private; + ++ flush_workqueue(_kcryptd_workqueue); ++ + bioset_free(cc->bs); + mempool_destroy(cc->page_pool); + mempool_destroy(cc->io_pool); diff --git a/queue-2.6.22/ext4_ext_put_in_cache-uses-__u32-to-receive-physical-block-number.patch b/queue-2.6.22/ext4_ext_put_in_cache-uses-__u32-to-receive-physical-block-number.patch new file mode 100644 index 00000000000..860f1256f07 --- /dev/null +++ b/queue-2.6.22/ext4_ext_put_in_cache-uses-__u32-to-receive-physical-block-number.patch @@ -0,0 +1,50 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:48:13 2007 +From: Mingming Cao +Date: Tue, 31 Jul 2007 00:37:46 -0700 +Subject: "ext4_ext_put_in_cache" uses __u32 to receive physical block number +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, linux-ext4@vger.kernel.org, cmm@us.ibm.com, stable@kernel.org, yanzheng@21cn.com +Message-ID: <200707310737.l6V7bk50021902@imap1.linux-foundation.org> + + +From: Mingming Cao + +Yan Zheng wrote: + +> I think I found a bug in ext4/extents.c, "ext4_ext_put_in_cache" uses +> "__u32" to receive physical block number. "ext4_ext_put_in_cache" is +> used in "ext4_ext_get_blocks", it sets ext4 inode's extent cache +> according most recently tree lookup (higher 16 bits of saved physical +> block number are always zero). when serving a mapping request, +> "ext4_ext_get_blocks" first check whether the logical block is in +> inode's extent cache. if the logical block is in the cache and the +> cached region isn't a gap, "ext4_ext_get_blocks" gets physical block +> number by using cached region's physical block number and offset in +> the cached region. as described above, "ext4_ext_get_blocks" may +> return wrong result when there are physical block numbers bigger than +> 0xffffffff. +> + +You are right. Thanks for reporting this! + +Signed-off-by: Mingming Cao +Cc: Yan Zheng +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -1445,7 +1445,7 @@ int ext4_ext_walk_space(struct inode *in + + static void + ext4_ext_put_in_cache(struct inode *inode, __u32 block, +- __u32 len, __u32 start, int type) ++ __u32 len, ext4_fsblk_t start, int type) + { + struct ext4_ext_cache *cex; + BUG_ON(len == 0); diff --git a/queue-2.6.22/firewire-fix-memory-leak-of-fw_request-instances.patch b/queue-2.6.22/firewire-fix-memory-leak-of-fw_request-instances.patch new file mode 100644 index 00000000000..daf257efce4 --- /dev/null +++ b/queue-2.6.22/firewire-fix-memory-leak-of-fw_request-instances.patch @@ -0,0 +1,52 @@ +From stable-bounces@linux.kernel.org Thu Jul 19 00:28:56 2007 +From: Stefan Richter +Date: Thu, 19 Jul 2007 09:28:42 +0200 (CEST) +Subject: firewire: fix memory leak of fw_request instances +To: stable@kernel.org +Cc: Kristian Høgsberg , linux-kernel@vger.kernel.org +Message-ID: +Content-Disposition: INLINE + +From: Stefan Richter + +Found and debugged by Jay Fenlason . +The bug was especially noticeable with direct I/O over fw-sbp2. + +Same as commit 9c9bdf4d50730fd04b06077e22d7a83b585f26b5. + +Signed-off-by: Stefan Richter +Signed-off-by: Kristian Høgsberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/fw-transaction.c | 4 +++- + drivers/firewire/fw-transaction.h | 4 ++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/firewire/fw-transaction.c ++++ b/drivers/firewire/fw-transaction.c +@@ -605,8 +605,10 @@ fw_send_response(struct fw_card *card, s + * check is sufficient to ensure we don't send response to + * broadcast packets or posted writes. + */ +- if (request->ack != ACK_PENDING) ++ if (request->ack != ACK_PENDING) { ++ kfree(request); + return; ++ } + + if (rcode == RCODE_COMPLETE) + fw_fill_response(&request->response, request->request_header, +--- a/drivers/firewire/fw-transaction.h ++++ b/drivers/firewire/fw-transaction.h +@@ -124,6 +124,10 @@ typedef void (*fw_transaction_callback_t + size_t length, + void *callback_data); + ++/* ++ * Important note: The callback must guarantee that either fw_send_response() ++ * or kfree() is called on the @request. ++ */ + typedef void (*fw_address_callback_t)(struct fw_card *card, + struct fw_request *request, + int tcode, int destination, int source, diff --git a/queue-2.6.22/fix-leak-on-proc-lockdep_stats.patch b/queue-2.6.22/fix-leak-on-proc-lockdep_stats.patch new file mode 100644 index 00000000000..07223dbbfb2 --- /dev/null +++ b/queue-2.6.22/fix-leak-on-proc-lockdep_stats.patch @@ -0,0 +1,30 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:47:11 2007 +From: Alexey Dobriyan +Date: Tue, 31 Jul 2007 00:38:50 -0700 +Subject: Fix leak on /proc/lockdep_stats +To: torvalds@linux-foundation.org +Cc: adobriyan@sw.ru, akpm@linux-foundation.org, stable@kernel.org +Message-ID: <200707310738.l6V7co6e022182@imap1.linux-foundation.org> + + +From: Alexey Dobriyan + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/lockdep_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/lockdep_proc.c ++++ b/kernel/lockdep_proc.c +@@ -339,7 +339,7 @@ static const struct file_operations proc + .open = lockdep_stats_open, + .read = seq_read, + .llseek = seq_lseek, +- .release = seq_release, ++ .release = single_release, + }; + + static int __init lockdep_proc_init(void) diff --git a/queue-2.6.22/fix-leaks-on-proc-sched-sched_debug-timer_list-timer_stats.patch b/queue-2.6.22/fix-leaks-on-proc-sched-sched_debug-timer_list-timer_stats.patch new file mode 100644 index 00000000000..fdac7cc9aad --- /dev/null +++ b/queue-2.6.22/fix-leaks-on-proc-sched-sched_debug-timer_list-timer_stats.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:48:04 2007 +From: Alexey Dobriyan +Date: Tue, 31 Jul 2007 00:38:50 -0700 +Subject: Fix leaks on /proc/{*/sched, sched_debug, timer_list, timer_stats} +To: torvalds@linux-foundation.org +Cc: adobriyan@sw.ru, akpm@linux-foundation.org, mingo@elte.hu, stable@kernel.org +Message-ID: <200707310738.l6V7cokR022178@imap1.linux-foundation.org> + + +From: Alexey Dobriyan + +On every open/close one struct seq_operations leaks. +Kudos to /proc/slab_allocators. + +Signed-off-by: Alexey Dobriyan +Acked-by: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer_list.c | 2 +- + kernel/time/timer_stats.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -267,7 +267,7 @@ static struct file_operations timer_list + .open = timer_list_open, + .read = seq_read, + .llseek = seq_lseek, +- .release = seq_release, ++ .release = single_release, + }; + + static int __init init_timer_list_procfs(void) +--- a/kernel/time/timer_stats.c ++++ b/kernel/time/timer_stats.c +@@ -391,7 +391,7 @@ static struct file_operations tstats_fop + .read = seq_read, + .write = tstats_write, + .llseek = seq_lseek, +- .release = seq_release, ++ .release = single_release, + }; + + void __init init_timer_stats(void) diff --git a/queue-2.6.22/fix-user-struct-leakage-with-locked-ipc-shem-segment.patch b/queue-2.6.22/fix-user-struct-leakage-with-locked-ipc-shem-segment.patch new file mode 100644 index 00000000000..9fc1a3b623e --- /dev/null +++ b/queue-2.6.22/fix-user-struct-leakage-with-locked-ipc-shem-segment.patch @@ -0,0 +1,62 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:47:25 2007 +From: Pavel Emelianov +Date: Tue, 31 Jul 2007 00:38:48 -0700 +Subject: Fix user struct leakage with locked IPC shem segment +To: torvalds@linux-foundation.org +Cc: akpm@linux-foundation.org, stable@kernel.org, xemul@openvz.org +Message-ID: <200707310738.l6V7cmIf022165@imap1.linux-foundation.org> + + +From: Pavel Emelianov + +When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is +already locked the shmem_lock() function returns 0. After this the +subsequent code leaks the existing user struct: + +== ipc/shm.c: sys_shmctl() == + ... + err = shmem_lock(shp->shm_file, 1, user); + if (!err) { + shp->shm_perm.mode |= SHM_LOCKED; + shp->mlock_user = user; + } + ... +== + +Other results of this are: +1. the new shp->mlock_user is not get-ed and will point to freed + memory when the task dies. +2. the RLIMIT_MEMLOCK is screwed on both user structs. + +The exploit looks like this: + +== + id = shmget(...); + setresuid(uid, 0, 0); + shmctl(id, SHM_LOCK, NULL); + setresuid(uid + 1, 0, 0); + shmctl(id, SHM_LOCK, NULL); +== + +My solution is to return 0 to the userspace and do not change the +segment's user. + +Signed-off-by: Pavel Emelianov +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -716,7 +716,7 @@ asmlinkage long sys_shmctl (int shmid, i + struct user_struct * user = current->user; + if (!is_file_hugepages(shp->shm_file)) { + err = shmem_lock(shp->shm_file, 1, user); +- if (!err) { ++ if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){ + shp->shm_perm.mode |= SHM_LOCKED; + shp->mlock_user = user; + } diff --git a/queue-2.6.22/futex-pass-nr_wake2-to-futex_wake_op.patch b/queue-2.6.22/futex-pass-nr_wake2-to-futex_wake_op.patch new file mode 100644 index 00000000000..63d1aaa2228 --- /dev/null +++ b/queue-2.6.22/futex-pass-nr_wake2-to-futex_wake_op.patch @@ -0,0 +1,41 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:48:04 2007 +From: Andreas Schwab +Date: Tue, 31 Jul 2007 00:38:51 -0700 +Subject: futex: pass nr_wake2 to futex_wake_op +To: torvalds@linux-foundation.org +Cc: schwab@suse.de, akpm@linux-foundation.org, mingo@elte.hu, drepper@redhat.com, stable@kernel.org +Message-ID: <200707310738.l6V7cpPP022186@imap1.linux-foundation.org> + + +From: Andreas Schwab + +The fourth argument of sys_futex is ignored when op == FUTEX_WAKE_OP, +but futex_wake_op expects it as its nr_wake2 parameter. + +The only user of this operation in glibc is always passing 1, so this +bug had no consequences so far. + +Signed-off-by: Andreas Schwab +Cc: Ingo Molnar +Signed-off-by: Ulrich Drepper +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2061,8 +2061,10 @@ asmlinkage long sys_futex(u32 __user *ua + } + /* + * requeue parameter in 'utime' if cmd == FUTEX_REQUEUE. ++ * number of waiters to wake in 'utime' if cmd == FUTEX_WAKE_OP. + */ +- if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE) ++ if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE || ++ cmd == FUTEX_WAKE_OP) + val2 = (u32) (unsigned long) utime; + + return do_futex(uaddr, op, val, tp, uaddr2, val2, val3); diff --git a/queue-2.6.22/fw-ohci-fix-scheduling-while-atomic.patch b/queue-2.6.22/fw-ohci-fix-scheduling-while-atomic.patch new file mode 100644 index 00000000000..d688c9b2472 --- /dev/null +++ b/queue-2.6.22/fw-ohci-fix-scheduling-while-atomic.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Thu Jul 19 00:27:57 2007 +From: Stefan Richter +Date: Thu, 19 Jul 2007 09:27:37 +0200 (CEST) +Subject: fw-ohci: fix "scheduling while atomic" +To: stable@kernel.org +Cc: Kristian Høgsberg , linux-kernel@vger.kernel.org +Message-ID: +Content-Disposition: INLINE + + +From: Stefan Richter + +context_stop is called by bus_reset_tasklet, among else. + +Fixes http://bugzilla.kernel.org/show_bug.cgi?id=8735. +Same as commit b980f5a224f3df6c884dbf5ae48797ce352ba139. + +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/fw-ohci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firewire/fw-ohci.c ++++ b/drivers/firewire/fw-ohci.c +@@ -586,7 +586,7 @@ static void context_stop(struct context + break; + + fw_notify("context_stop: still active (0x%08x)\n", reg); +- msleep(1); ++ mdelay(1); + } + } + diff --git a/queue-2.6.22/i386-hpet-check-if-the-counter-works.patch b/queue-2.6.22/i386-hpet-check-if-the-counter-works.patch new file mode 100644 index 00000000000..8100e700160 --- /dev/null +++ b/queue-2.6.22/i386-hpet-check-if-the-counter-works.patch @@ -0,0 +1,62 @@ +From stable-bounces@linux.kernel.org Sat Jul 21 08:11:18 2007 +From: Thomas Gleixner +Date: Sat, 21 Jul 2007 17:11:12 +0200 (CEST) +Subject: i386: HPET, check if the counter works +To: tglx@linutronix.de, ak@suse.de, johnstul@us.ibm.com, stable@kernel.org, torvalds@osdl.org +Message-ID: <20070721151112.29090147AA@wotan.suse.de> + +From: Thomas Gleixner + +Some systems have a HPET which is not incrementing, which leads to a +complete hang. Detect it during HPET setup. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Andi Kleen +Cc: john stultz +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/hpet.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/arch/i386/kernel/hpet.c ++++ b/arch/i386/kernel/hpet.c +@@ -226,7 +226,8 @@ int __init hpet_enable(void) + { + unsigned long id; + uint64_t hpet_freq; +- u64 tmp; ++ u64 tmp, start, now; ++ cycle_t t1; + + if (!is_hpet_capable()) + return 0; +@@ -273,6 +274,27 @@ int __init hpet_enable(void) + /* Start the counter */ + hpet_start_counter(); + ++ /* Verify whether hpet counter works */ ++ t1 = read_hpet(); ++ rdtscll(start); ++ ++ /* ++ * We don't know the TSC frequency yet, but waiting for ++ * 200000 TSC cycles is safe: ++ * 4 GHz == 50us ++ * 1 GHz == 200us ++ */ ++ do { ++ rep_nop(); ++ rdtscll(now); ++ } while ((now - start) < 200000UL); ++ ++ if (t1 == read_hpet()) { ++ printk(KERN_WARNING ++ "HPET counter not counting. HPET disabled\n"); ++ goto out_nohpet; ++ } ++ + /* Initialize and register HPET clocksource + * + * hpet period is in femto seconds per cycle diff --git a/queue-2.6.22/include-serial_reg.h-with-userspace-headers.patch b/queue-2.6.22/include-serial_reg.h-with-userspace-headers.patch new file mode 100644 index 00000000000..0d82f9c4aff --- /dev/null +++ b/queue-2.6.22/include-serial_reg.h-with-userspace-headers.patch @@ -0,0 +1,42 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:48:18 2007 +From: Herton Ronaldo Krzesinski +Date: Tue, 31 Jul 2007 00:38:52 -0700 +Subject: Include serial_reg.h with userspace headers +To: torvalds@linux-foundation.org +Cc: herton@mandriva.com.br, gustavodn@mandriva.com.br, akpm@linux-foundation.org, dwmw2@infradead.org, stable@kernel.org, rmk@arm.linux.org.uk +Message-ID: <200707310738.l6V7cqpK022190@imap1.linux-foundation.org> + + +From: Herton Ronaldo Krzesinski + +As reported by Gustavo de Nardin , while trying to +compile xosview (http://xosview.sourceforge.net/) with upstream kernel +headers being used you get the following errors: +serialmeter.cc:48:30: error: linux/serial_reg.h: No such file or directory +serialmeter.cc: In member function 'virtual void +SerialMeter::checkResources()': +serialmeter.cc:71: error: 'UART_LSR' was not declared in this scope +serialmeter.cc:71: error: 'UART_MSR' was not declared in this scope +... + +Signed-off-by: Herton Ronaldo Krzesinski +Cc: Gustavo de Nardin +Cc: David Woodhouse +Cc: Russell King +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/Kbuild ++++ b/include/linux/Kbuild +@@ -137,6 +137,7 @@ header-y += radeonfb.h + header-y += raw.h + header-y += resource.h + header-y += rose.h ++header-y += serial_reg.h + header-y += smbno.h + header-y += snmp.h + header-y += sockios.h diff --git a/queue-2.6.22/md-handle-writes-to-broken-raid10-arrays-gracefully.patch b/queue-2.6.22/md-handle-writes-to-broken-raid10-arrays-gracefully.patch new file mode 100644 index 00000000000..a4fe31f243c --- /dev/null +++ b/queue-2.6.22/md-handle-writes-to-broken-raid10-arrays-gracefully.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:47:41 2007 +From: Arne Redlich +Date: Tue, 31 Jul 2007 00:37:57 -0700 +Subject: md: handle writes to broken raid10 arrays gracefully +To: torvalds@linux-foundation.org +Cc: neilb@suse.de, akpm@linux-foundation.org, stable@kernel.org, agr@powerkom-dd.de +Message-ID: <200707310737.l6V7bvG2021938@imap1.linux-foundation.org> + + +From: Arne Redlich + +When writing to a broken array, raid10 currently happily emits empty bio +lists. IOW, the master bio will never be completed, sending writers to +UNINTERRUPTIBLE_SLEEP forever. + +Signed-off-by: Arne Redlich +Acked-by: Neil Brown +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid10.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -917,6 +917,13 @@ static int make_request(request_queue_t + bio_list_add(&bl, mbio); + } + ++ if (unlikely(!atomic_read(&r10_bio->remaining))) { ++ /* the array is dead */ ++ md_write_end(mddev); ++ raid_end_bio_io(r10_bio); ++ return 0; ++ } ++ + bitmap_startwrite(mddev->bitmap, bio->bi_sector, r10_bio->sectors, 0); + spin_lock_irqsave(&conf->device_lock, flags); + bio_list_merge(&conf->pending_bio_list, &bl); diff --git a/queue-2.6.22/md-raid10-fix-use-after-free-of-bio.patch b/queue-2.6.22/md-raid10-fix-use-after-free-of-bio.patch new file mode 100644 index 00000000000..66da050f555 --- /dev/null +++ b/queue-2.6.22/md-raid10-fix-use-after-free-of-bio.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:47:46 2007 +From: Maik Hampel +Date: Tue, 31 Jul 2007 00:37:57 -0700 +Subject: md: raid10: fix use-after-free of bio +To: torvalds@linux-foundation.org +Cc: neilb@suse.de, akpm@linux-foundation.org, m.hampel@gmx.de, stable@kernel.org +Message-ID: <200707310737.l6V7bvqd021934@imap1.linux-foundation.org> + + +From: Maik Hampel + +In case of read errors raid10d tries to print a nice error message, +unfortunately using data from an already put bio. + +Signed-off-by: Maik Hampel +Acked-By: NeilBrown +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/md/raid10.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1565,7 +1565,6 @@ static void raid10d(mddev_t *mddev) + bio = r10_bio->devs[r10_bio->read_slot].bio; + r10_bio->devs[r10_bio->read_slot].bio = + mddev->ro ? IO_BLOCKED : NULL; +- bio_put(bio); + mirror = read_balance(conf, r10_bio); + if (mirror == -1) { + printk(KERN_ALERT "raid10: %s: unrecoverable I/O" +@@ -1573,8 +1572,10 @@ static void raid10d(mddev_t *mddev) + bdevname(bio->bi_bdev,b), + (unsigned long long)r10_bio->sector); + raid_end_bio_io(r10_bio); ++ bio_put(bio); + } else { + const int do_sync = bio_sync(r10_bio->master_bio); ++ bio_put(bio); + rdev = conf->mirrors[mirror].rdev; + if (printk_ratelimit()) + printk(KERN_ERR "raid10: %s: redirecting sector %llu to" diff --git a/queue-2.6.22/pcmcia-give-socket-time-to-power-down.patch b/queue-2.6.22/pcmcia-give-socket-time-to-power-down.patch new file mode 100644 index 00000000000..e7f223b34b4 --- /dev/null +++ b/queue-2.6.22/pcmcia-give-socket-time-to-power-down.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Tue Jul 31 00:48:00 2007 +From: Daniel Ritz +Date: Tue, 31 Jul 2007 00:38:08 -0700 +Subject: pcmcia: give socket time to power down +To: torvalds@linux-foundation.org +Cc: nils.neumann@rwth-aachen.de, akpm@linux-foundation.org, daniel.ritz-ml@swissonline.ch, daniel.ritz@gmx.ch, stable@kernel.org +Message-ID: <200707310738.l6V7c8Om021966@imap1.linux-foundation.org> + + +From: Daniel Ritz + +Give sockets up to 100ms of additional time to power down. otherwise we +might generate false warnings with KERN_ERR priority (like in bug #8262). + +Signed-off-by: Daniel Ritz +Cc: Nils Neumann +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pcmcia/cs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -409,6 +409,9 @@ static void socket_shutdown(struct pcmci + #endif + s->functions = 0; + ++ /* give socket some time to power down */ ++ msleep(100); ++ + s->ops->get_status(s, &status); + if (status & SS_POWERON) { + printk(KERN_ERR "PCMCIA: socket %p: *** DANGER *** unable to remove socket power\n", s); diff --git a/queue-2.6.22/series b/queue-2.6.22/series index 61d7a29bf08..49f05df44da 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series @@ -32,3 +32,17 @@ v4l-wm8775-wm8739-fix-memory-leak-when-unloading-module.patch input-lifebook-fix-an-oops-on-panasonic-cf-18.patch splice-fix-double-page-unlock.patch drm-i915-fix-i965-secured-batchbuffer-usage.patch +fix-leak-on-proc-lockdep_stats.patch +cpu-online-file-permission.patch +fix-user-struct-leakage-with-locked-ipc-shem-segment.patch +md-handle-writes-to-broken-raid10-arrays-gracefully.patch +md-raid10-fix-use-after-free-of-bio.patch +pcmcia-give-socket-time-to-power-down.patch +fix-leaks-on-proc-sched-sched_debug-timer_list-timer_stats.patch +futex-pass-nr_wake2-to-futex_wake_op.patch +ext4_ext_put_in_cache-uses-__u32-to-receive-physical-block-number.patch +include-serial_reg.h-with-userspace-headers.patch +dm-io-fix-panic-on-large-request.patch +i386-hpet-check-if-the-counter-works.patch +fw-ohci-fix-scheduling-while-atomic.patch +firewire-fix-memory-leak-of-fw_request-instances.patch -- 2.47.3