From: Greg Kroah-Hartman
Date: Tue, 15 Feb 2011 19:07:49 +0000 (-0800)
Subject: .36 patches
X-Git-Tag: v2.6.36.4~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21bbe2c0a869c4d1f8817c883f77dee9bfbc680e;p=thirdparty%2Fkernel%2Fstable-queue.git

.36 patches
---

diff --git a/queue-2.6.36/0001-KVM-i8259-initialize-isr_ack.patch b/queue-2.6.36/0001-KVM-i8259-initialize-isr_ack.patch
new file mode 100644
index 00000000000..5876fdd551f
--- /dev/null
+++ b/queue-2.6.36/0001-KVM-i8259-initialize-isr_ack.patch
@@ -0,0 +1,36 @@
+From mtosatti@redhat.com Tue Feb 15 10:53:38 2011
+From: Avi Kivity
+Date: Fri, 14 Jan 2011 10:10:17 -0200
+Subject: KVM: i8259: initialize isr_ack
+To: greg@kroah.com, avi@redhat.com, mtosatti@redhat.com, stable@kernel.org
+Message-ID: <20110114121048.231846872@amt.cnet>
+Content-Disposition: inline; filename=0001-KVM-i8259-initialize-isr_ack.patch
+
+
+From: Avi Kivity
+
+commit a0272630bb594b4eac03a79e77957df7dad8eade upstream.
+
+isr_ack is never initialized. So, until the first PIC reset, interrupts
+may fail to be injected. This can cause Windows XP to fail to boot, as
+reported in the fallout from the fix to
+https://bugzilla.kernel.org/show_bug.cgi?id=21962.
+
+Reported-and-tested-by: Nicolas Prochazka
+Signed-off-by: Avi Kivity
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/i8259.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/i8259.c
++++ b/arch/x86/kvm/i8259.c
+@@ -570,6 +570,8 @@ struct kvm_pic *kvm_create_pic(struct kv
+ s->pics[1].elcr_mask = 0xde;
+ s->pics[0].pics_state = s;
+ s->pics[1].pics_state = s;
++ s->pics[0].isr_ack = 0xff;
++ s->pics[1].isr_ack = 0xff;
+
+ /*
+ * Initialize PIO device
diff --git a/queue-2.6.36/keys-don-t-call-up_write-if-__key_link_begin-returns-an-error.patch b/queue-2.6.36/keys-don-t-call-up_write-if-__key_link_begin-returns-an-error.patch
new file mode 100644
index 00000000000..09d591875df
--- /dev/null
+++ b/queue-2.6.36/keys-don-t-call-up_write-if-__key_link_begin-returns-an-error.patch 
@@ -0,0 +1,76 @@ +From 3fc5e98d8cf85e0d77fc597b49e9268dff67400e Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 22 Dec 2010 16:24:13 +0000 +Subject: KEYS: Don't call up_write() if __key_link_begin() returns an error + +From: David Howells + +commit 3fc5e98d8cf85e0d77fc597b49e9268dff67400e upstream. + +In construct_alloc_key(), up_write() is called in the error path if +__key_link_begin() fails, but this is incorrect as __key_link_begin() only +returns with the nominated keyring locked if it returns successfully. + +Without this patch, you might see the following in dmesg: + + ===================================== + [ BUG: bad unlock balance detected! ] + ------------------------------------- + mount.cifs/5769 is trying to release lock (&key->sem) at: + [] request_key_and_link+0x263/0x3fc + but there are no more locks to release! + + other info that might help us debug this: + 3 locks held by mount.cifs/5769: + #0: (&type->s_umount_key#41/1){+.+.+.}, at: [] sget+0x278/0x3e7 + #1: (&ret_buf->session_mutex){+.+.+.}, at: [] cifs_get_smb_ses+0x35a/0x443 [cifs] + #2: (root_key_user.cons_lock){+.+.+.}, at: [] request_key_and_link+0x10a/0x3fc + + stack backtrace: + Pid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1 + Call Trace: + [] ? request_key_and_link+0x263/0x3fc + [] print_unlock_inbalance_bug+0xca/0xd5 + [] lock_release_non_nested+0xc1/0x263 + [] ? request_key_and_link+0x263/0x3fc + [] ? request_key_and_link+0x263/0x3fc + [] lock_release+0x17d/0x1a4 + [] up_write+0x23/0x3b + [] request_key_and_link+0x263/0x3fc + [] ? cifs_get_spnego_key+0x61/0x21f [cifs] + [] request_key+0x41/0x74 + [] cifs_get_spnego_key+0x200/0x21f [cifs] + [] CIFS_SessSetup+0x55d/0x1273 [cifs] + [] cifs_setup_session+0x90/0x1ae [cifs] + [] cifs_get_smb_ses+0x37f/0x443 [cifs] + [] cifs_mount+0x1aa1/0x23f3 [cifs] + [] ? alloc_debug_processing+0xdb/0x120 + [] ? 
cifs_get_spnego_key+0x1ef/0x21f [cifs] + [] cifs_do_mount+0x165/0x2b3 [cifs] + [] vfs_kern_mount+0xaf/0x1dc + [] do_kern_mount+0x4d/0xef + [] do_mount+0x6f4/0x733 + [] sys_mount+0x88/0xc2 + [] system_call_fastpath+0x16/0x1b + +Reported-by: Jeff Layton +Signed-off-by: David Howells +Reviewed-and-Tested-by: Jeff Layton +Signed-off-by: Linus Torvalds +Cc: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/request_key.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -403,7 +403,6 @@ link_check_failed: + return ret; + + link_prealloc_failed: +- up_write(&dest_keyring->sem); + mutex_unlock(&user->cons_lock); + kleave(" = %d [prelink]", ret); + return ret; diff --git a/queue-2.6.36/kvm-mmu-fix-32-bit-legacy-paging-with-npt.patch b/queue-2.6.36/kvm-mmu-fix-32-bit-legacy-paging-with-npt.patch new file mode 100644 index 00000000000..5add2dcd3e0 --- /dev/null +++ b/queue-2.6.36/kvm-mmu-fix-32-bit-legacy-paging-with-npt.patch 
@@ -0,0 +1,56 @@ +From mtosatti@redhat.com Tue Feb 15 10:54:21 2011 +From: Joerg Roedel +Date: Fri, 14 Jan 2011 10:10:19 -0200 +Subject: KVM: MMU: Fix 32 bit legacy paging with NPT +To: greg@kroah.com, avi@redhat.com, mtosatti@redhat.com, stable@kernel.org +Cc: Joerg Roedel +Message-ID: <20110114121048.359036117@amt.cnet> + +From: Joerg Roedel + +commit f87f928882d080eaec8b0d76aecff003d664697d upstream. + +This patch fixes 32 bit legacy paging with NPT enabled. The +mmu_check_root call on the top-level of the loop causes +root_gfn to take values (in the tdp_enabled path) which are +outside of guest memory. So the mmu_check_root call fails at +some point in the loop interation causing the guest to +tiple-fault. +This patch changes the mmu_check_root calls to the places +where they are really necessary. As a side-effect it +introduces a check for the root of a pae page table too. + +Signed-off-by: Joerg Roedel +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2254,6 +2254,10 @@ static int mmu_alloc_roots(struct kvm_vc + return 0; + } + direct = !is_paging(vcpu); ++ ++ if (mmu_check_root(vcpu, root_gfn)) ++ return 1; ++ + for (i = 0; i < 4; ++i) { + hpa_t root = vcpu->arch.mmu.pae_root[i]; + +@@ -2265,10 +2269,10 @@ static int mmu_alloc_roots(struct kvm_vc + continue; + } + root_gfn = pdptr >> PAGE_SHIFT; ++ if (mmu_check_root(vcpu, root_gfn)) ++ return 1; + } else if (vcpu->arch.mmu.root_level == 0) + root_gfn = 0; +- if (mmu_check_root(vcpu, root_gfn)) +- return 1; + if (tdp_enabled) { + direct = 1; + root_gfn = i << (30 - PAGE_SHIFT); diff --git a/queue-2.6.36/kvm-mmu-fix-incorrect-direct-gfn-for-unpaged-mode-shadow.patch b/queue-2.6.36/kvm-mmu-fix-incorrect-direct-gfn-for-unpaged-mode-shadow.patch new file mode 100644 index 00000000000..4ba30ce6d16 --- /dev/null 
+++ b/queue-2.6.36/kvm-mmu-fix-incorrect-direct-gfn-for-unpaged-mode-shadow.patch @@ -0,0 +1,37 @@ +From mtosatti@redhat.com Tue Feb 15 10:53:55 2011 +From: Avi Kivity +Date: Fri, 14 Jan 2011 10:10:18 -0200 +Subject: KVM: MMU: Fix incorrect direct gfn for unpaged mode shadow +To: greg@kroah.com, avi@redhat.com, mtosatti@redhat.com, stable@kernel.org +Message-ID: <20110114121048.294837491@amt.cnet> + + +From: Avi Kivity + +commit c093b8b46c5f0dd12d799f0d6a3b579863df72f6 upstream. + +We use the physical address instead of the base gfn for the four +PAE page directories we use in unpaged mode. When the guest accesses +an address above 1GB that is backed by a large host page, a BUG_ON() +in kvm_mmu_set_gfn() triggers. + +Resolves: https://bugzilla.kernel.org/show_bug.cgi?id=21962 +Reported-and-tested-by: Nicolas Prochazka +Signed-off-by: Avi Kivity +Cc: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2271,7 +2271,7 @@ static int mmu_alloc_roots(struct kvm_vc + return 1; + if (tdp_enabled) { + direct = 1; +- root_gfn = i << 30; ++ root_gfn = i << (30 - PAGE_SHIFT); + } + spin_lock(&vcpu->kvm->mmu_lock); + kvm_mmu_free_some_pages(vcpu); diff --git a/queue-2.6.36/md-ensure-no-io-request-to-get-md-device-before-it-is-properly-initialised.patch b/queue-2.6.36/md-ensure-no-io-request-to-get-md-device-before-it-is-properly-initialised.patch new file mode 100644 index 00000000000..d6eff0b7ee7 --- /dev/null +++ b/queue-2.6.36/md-ensure-no-io-request-to-get-md-device-before-it-is-properly-initialised.patch 
@@ -0,0 +1,82 @@ +From 0ca69886a8273ac1350143d562280bfcbe4760dc Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 14 Jan 2011 09:14:33 +1100 +Subject: md: Ensure no IO request to get md device before it is properly initialised. + +From: NeilBrown + +commit 0ca69886a8273ac1350143d562280bfcbe4760dc upstream. + +When an md device is in the process of coming on line it is possible +for an IO request (typically a partition table probe) to get through +before the array is fully initialised, which can cause unexpected +behaviour (e.g. a crash). + +So explicitly record when the array is ready for IO and don't allow IO +through until then. + +There is no possibility for a similar problem when the array is going +off-line as there must only be one 'open' at that time, and it is busy +off-lining the array and so cannot send IO requests. So no memory +barrier is needed in md_stop() + +This has been a bug since commit 409c57f3801 in 2.6.30 which +introduced md_make_request. Before then, each personality would +register its own make_request_fn when it was ready. +This is suitable for any stable kernel from 2.6.30.y onwards. 
+ +Signed-off-by: NeilBrown +Reported-by: "Hawrylewicz Czarnowski, Przemyslaw" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 8 ++++++-- + drivers/md/md.h | 3 ++- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -221,10 +221,12 @@ static int md_make_request(struct reques + int rv; + int cpu; + +- if (mddev == NULL || mddev->pers == NULL) { ++ if (mddev == NULL || mddev->pers == NULL ++ || !mddev->ready) { + bio_io_error(bio); + return 0; + } ++ smp_rmb(); /* Ensure implications of 'active' are visible */ + rcu_read_lock(); + if (mddev->suspended || mddev->barrier) { + DEFINE_WAIT(__wait); +@@ -4554,7 +4556,8 @@ int md_run(mddev_t *mddev) + mddev->safemode_timer.data = (unsigned long) mddev; + mddev->safemode_delay = (200 * HZ)/1000 +1; /* 200 msec delay */ + mddev->in_sync = 1; +- ++ smp_wmb(); ++ mddev->ready = 1; + list_for_each_entry(rdev, &mddev->disks, same_set) + if (rdev->raid_disk >= 0) { + char nm[20]; +@@ -4716,6 +4719,7 @@ EXPORT_SYMBOL_GPL(md_stop_writes); + + void md_stop(mddev_t *mddev) + { ++ mddev->ready = 0; + mddev->pers->stop(mddev); + if (mddev->pers->sync_request && mddev->to_remove == NULL) + mddev->to_remove = &md_redundancy_group; +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -149,7 +149,8 @@ struct mddev_s + * are happening, so run/ + * takeover/stop are not safe + */ +- ++ int ready; /* See when safe to pass ++ * IO requests down */ + struct gendisk *gendisk; + + struct kobject kobj; diff --git a/queue-2.6.36/md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch b/queue-2.6.36/md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch new file mode 100644 index 00000000000..905f290e967 --- /dev/null +++ b/queue-2.6.36/md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch 
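Review bot: In md-ensure-no-io-request-to-get-md-device-before-it-is-properly-initialised.patch, the comment on the new `smp_rmb()` in md_make_request() refers to a flag called 'active', but the field tested just above it is `mddev->ready`, and the matching `smp_wmb()` added in md_run() carries no comment at all. A barrier only means something together with its partner, so each side should name the other, for example `smp_rmb(); /* pairs with smp_wmb() in md_run(): read ->ready before the array state */` and `smp_wmb(); /* pairs with smp_rmb() in md_make_request(): array state is set up before ->ready */`. The new field comment in md.h, "See when safe to pass IO requests down", looks like a typo for "Set when". Both functions continue outside their hunks.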
@@ -0,0 +1,48 @@ +From 6c9879101442b08581e8a0e3ae6b7f643a78fd63 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 14 Jan 2011 09:13:53 +1100 +Subject: md: fix regression resulting in delays in clearing bits in a bitmap + +From: NeilBrown + +commit 6c9879101442b08581e8a0e3ae6b7f643a78fd63 upstream. + +commit 589a594be1fb (2.6.37-rc4) fixed a problem were md_thread would +sometimes call the ->run function at a bad time. + +If an error is detected during array start up after the md_thread has +been started, the md_thread is killed. This resulted in the ->run +function being called once. However the array may not be in a state +that it is safe to call ->run. + +However the fix imposed meant that ->run was not called on a timeout. +This means that when an array goes idle, bitmap bits do not get +cleared promptly. While the array is busy the bits will still be +cleared when appropriate so this is not very serious. There is no +risk to data. + +Change the test so that we only avoid calling ->run when the thread +is being stopped. This more explicitly addresses the problem situation. + +This is suitable for 2.6.37-stable and any -stable kernel to which +589a594be1fb was applied. + +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6038,7 +6038,8 @@ static int md_thread(void * arg) + || kthread_should_stop(), + thread->timeout); + +- if (test_and_clear_bit(THREAD_WAKEUP, &thread->flags)) ++ clear_bit(THREAD_WAKEUP, &thread->flags); ++ if (!kthread_should_stop()) + thread->run(thread->mddev); + } + diff --git a/queue-2.6.36/md-fix-regression-with-re-adding-devices-to-arrays-with-no-metadata.patch b/queue-2.6.36/md-fix-regression-with-re-adding-devices-to-arrays-with-no-metadata.patch new file mode 100644 index 00000000000..a4cf964ed9a --- /dev/null 
+++ b/queue-2.6.36/md-fix-regression-with-re-adding-devices-to-arrays-with-no-metadata.patch @@ -0,0 +1,46 @@ +From bf572541ab44240163eaa2d486b06f306a31d45a Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 12 Jan 2011 09:03:35 +1100 +Subject: md: fix regression with re-adding devices to arrays with no metadata + +From: NeilBrown + +commit bf572541ab44240163eaa2d486b06f306a31d45a upstream. + +Commit 1a855a0606 (2.6.37-rc4) fixed a problem where devices were +re-added when they shouldn't be but caused a regression in a less +common case that means sometimes devices cannot be re-added when they +should be. + +In particular, when re-adding a device to an array without metadata +we should always access the device, but after the above commit we +didn't. + +This patch sets the In_sync flag in that case so that the re-add +succeeds. + +This patch is suitable for any -stable kernel to which 1a855a0606 was +applied. + +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5150,9 +5150,10 @@ static int add_new_disk(mddev_t * mddev, + /* set saved_raid_disk if appropriate */ + if (!mddev->persistent) { + if (info->state & (1<raid_disk < mddev->raid_disks) ++ info->raid_disk < mddev->raid_disks) { + rdev->raid_disk = info->raid_disk; +- else ++ set_bit(In_sync, &rdev->flags); ++ } else + rdev->raid_disk = -1; + } else + super_types[mddev->major_version]. diff --git a/queue-2.6.36/md-fix-removal-of-extra-drives-when-converting-raid6-to-raid5.patch b/queue-2.6.36/md-fix-removal-of-extra-drives-when-converting-raid6-to-raid5.patch new file mode 100644 index 00000000000..c04a1aa39ef --- /dev/null +++ b/queue-2.6.36/md-fix-removal-of-extra-drives-when-converting-raid6-to-raid5.patch 
@@ -0,0 +1,36 @@ +From bf2cb0dab8c97f00a71875d9b13dbac17a2f47ca Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 14 Jan 2011 09:14:34 +1100 +Subject: md: Fix removal of extra drives when converting RAID6 to RAID5 + +From: NeilBrown + +commit bf2cb0dab8c97f00a71875d9b13dbac17a2f47ca upstream. + +When a RAID6 is converted to a RAID5, the extra drive should +be discarded. However it isn't due to a typo in a comparison. + +This bug was introduced in commit e93f68a1fc6 in 2.6.35-rc4 +and is suitable for any -stable since than. + +As the extra drive is not removed, the 'degraded' counter is wrong and +so the RAID5 will not respond correctly to a subsequent failure. + +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3111,7 +3111,7 @@ level_store(mddev_t *mddev, const char * + char nm[20]; + if (rdev->raid_disk < 0) + continue; +- if (rdev->new_raid_disk > mddev->raid_disks) ++ if (rdev->new_raid_disk >= mddev->raid_disks) + rdev->new_raid_disk = -1; + if (rdev->new_raid_disk == rdev->raid_disk) + continue; diff --git a/queue-2.6.36/md_make_request-don-t-touch-the-bio-after-calling-make_request.patch b/queue-2.6.36/md_make_request-don-t-touch-the-bio-after-calling-make_request.patch new file mode 100644 index 00000000000..60499084d8b --- /dev/null +++ b/queue-2.6.36/md_make_request-don-t-touch-the-bio-after-calling-make_request.patch 
@@ -0,0 +1,56 @@ +From e91ece5590b3c728624ab57043fc7a05069c604a Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Mon, 7 Feb 2011 19:21:48 -0500 +Subject: md_make_request: don't touch the bio after calling make_request + +From: Chris Mason + +commit e91ece5590b3c728624ab57043fc7a05069c604a upstream. + +md_make_request was calling bio_sectors() for part_stat_add +after it was calling the make_request function. This is +bad because the make_request function can free the bio and +because the bi_size field can change around. + +The fix here was suggested by Jens Axboe. It saves the +sector count before the make_request call. I hit this +with CONFIG_DEBUG_PAGEALLOC turned on while trying to break +his pretty fusionio card. + +Signed-off-by: Chris Mason +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -220,6 +220,7 @@ static int md_make_request(struct reques + mddev_t *mddev = q->queuedata; + int rv; + int cpu; ++ unsigned int sectors; + + if (mddev == NULL || mddev->pers == NULL + || !mddev->ready) { +@@ -244,12 +245,16 @@ static int md_make_request(struct reques + atomic_inc(&mddev->active_io); + rcu_read_unlock(); + ++ /* ++ * save the sectors now since our bio can ++ * go away inside make_request ++ */ ++ sectors = bio_sectors(bio); + rv = mddev->pers->make_request(mddev, bio); + + cpu = part_stat_lock(); + part_stat_inc(cpu, &mddev->gendisk->part0, ios[rw]); +- part_stat_add(cpu, &mddev->gendisk->part0, sectors[rw], +- bio_sectors(bio)); ++ part_stat_add(cpu, &mddev->gendisk->part0, sectors[rw], sectors); + part_stat_unlock(); + + if (atomic_dec_and_test(&mddev->active_io) && mddev->suspended) diff --git a/queue-2.6.36/nilfs2-fix-crash-after-one-superblock-became-unavailable.patch b/queue-2.6.36/nilfs2-fix-crash-after-one-superblock-became-unavailable.patch new file mode 100644 index 00000000000..5f188960a81 
--- /dev/null +++ b/queue-2.6.36/nilfs2-fix-crash-after-one-superblock-became-unavailable.patch @@ -0,0 +1,52 @@ +From 0ca7a5b9ac5d301845dd6382ff25a699b6263a81 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 21 Jan 2011 16:40:31 +0900 +Subject: nilfs2: fix crash after one superblock became unavailable + +From: Ryusuke Konishi + +commit 0ca7a5b9ac5d301845dd6382ff25a699b6263a81 upstream. + +Fixes the following kernel oops in nilfs_setup_super() which could +arise if one of two super-blocks is unavailable. + +> BUG: unable to handle kernel NULL pointer dereference at (null) +> Pid: 3529, comm: mount.nilfs2 Not tainted 2.6.37 #1 / +> EIP: 0060:[] EFLAGS: 00010202 CPU: 3 +> EIP is at memcpy+0xc/0x1b +> Call Trace: +> [] ? nilfs_setup_super+0x6c/0xa5 [nilfs2] +> [] ? nilfs_get_root_dentry+0x81/0xcb [nilfs2] +> [] ? nilfs_mount+0x4f9/0x62c [nilfs2] +> [] ? kstrdup+0x36/0x3f +> [] ? nilfs_mount+0x0/0x62c [nilfs2] +> [] ? vfs_kern_mount+0x4d/0x12c +> [] ? get_fs_type+0x76/0x8f +> [] ? do_kern_mount+0x33/0xbf +> [] ? do_mount+0x2ed/0x714 +> [] ? copy_mount_options+0x28/0xfc +> [] ? sys_mount+0x72/0xaf +> [] ? syscall_call+0x7/0xb + +Reported-by: Wakko Warner +Signed-off-by: Ryusuke Konishi +Tested-by: Wakko Warner +LKML-Reference: <20110121024918.GA29598@animx.eu.org> +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/super.c ++++ b/fs/nilfs2/super.c +@@ -733,7 +733,8 @@ static int nilfs_setup_super(struct nilf + cpu_to_le16(le16_to_cpu(sbp[0]->s_state) & ~NILFS_VALID_FS); + sbp[0]->s_mtime = cpu_to_le64(get_seconds()); + /* synchronize sbp[1] with sbp[0] */ +- memcpy(sbp[1], sbp[0], nilfs->ns_sbsize); ++ if (sbp[1]) ++ memcpy(sbp[1], sbp[0], nilfs->ns_sbsize); + return nilfs_commit_super(sbi, NILFS_SB_COMMIT_ALL); + } + 
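Review bot: The new `if (sbp[1])` guard in nilfs_setup_super() protects only the copy destination, while `sbp[0]` is still dereferenced without a check on the lines just above (`sbp[0]->s_state`, `sbp[0]->s_mtime`) and as the memcpy source. The commit message says one of the two superblocks can be unavailable, so if the primary slot is guaranteed valid by an earlier step that is not visible in this hunk, that invariant deserves a comment such as `/* sbp[0] is always valid here; only the backup sbp[1] may be NULL */`. If it is not guaranteed, the same NULL dereference remains possible on the other slot. The function body begins outside the hunk.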
diff --git a/queue-2.6.36/pata_mpc52xx-inherit-from-ata_bmdma_port_ops.patch b/queue-2.6.36/pata_mpc52xx-inherit-from-ata_bmdma_port_ops.patch new file mode 100644 index 00000000000..e7824fbd999 --- /dev/null +++ b/queue-2.6.36/pata_mpc52xx-inherit-from-ata_bmdma_port_ops.patch @@ -0,0 +1,33 @@ +From 77c5fd19075d299fe820bb59bb21b0b113676e20 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sun, 9 Jan 2011 17:48:20 -0500 +Subject: pata_mpc52xx: inherit from ata_bmdma_port_ops + +From: Tejun Heo + +commit 77c5fd19075d299fe820bb59bb21b0b113676e20 upstream. + +pata_mpc52xx supports BMDMA but inherits ata_sff_port_ops which +triggers BUG_ON() when a DMA command is issued. Fix it. + +Signed-off-by: Tejun Heo +Reported-by: Roman Fietze +Cc: Sergei Shtylyov +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_mpc52xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/pata_mpc52xx.c ++++ b/drivers/ata/pata_mpc52xx.c +@@ -610,7 +610,7 @@ static struct scsi_host_template mpc52xx + }; + + static struct ata_port_operations mpc52xx_ata_port_ops = { +- .inherits = &ata_sff_port_ops, ++ .inherits = &ata_bmdma_port_ops, + .sff_dev_select = mpc52xx_ata_dev_select, + .set_piomode = mpc52xx_ata_set_piomode, + .set_dmamode = mpc52xx_ata_set_dmamode, diff --git a/queue-2.6.36/selinux-define-permissions-for-dcb-netlink-messages.patch b/queue-2.6.36/selinux-define-permissions-for-dcb-netlink-messages.patch new file mode 100644 index 00000000000..7382dbd60cd --- /dev/null +++ b/queue-2.6.36/selinux-define-permissions-for-dcb-netlink-messages.patch 
@@ -0,0 +1,35 @@ +From 350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8 Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Thu, 16 Dec 2010 11:46:51 -0500 +Subject: SELinux: define permissions for DCB netlink messages + +From: Eric Paris + +commit 350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8 upstream. + +Commit 2f90b865 added two new netlink message types to the netlink route +socket. SELinux has hooks to define if netlink messages are allowed to +be sent or received, but it did not know about these two new message +types. By default we allow such actions so noone likely noticed. This +patch adds the proper definitions and thus proper permissions +enforcement. + +Signed-off-by: Eric Paris +Cc: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/nlmsgtab.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/security/selinux/nlmsgtab.c ++++ b/security/selinux/nlmsgtab.c +@@ -65,6 +65,8 @@ static struct nlmsg_perm nlmsg_route_per + { RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, + { RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, + { RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ }, ++ { RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ }, ++ { RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, + }; + + static struct nlmsg_perm nlmsg_firewall_perms[] = diff --git a/queue-2.6.36/selinux-do-not-compute-transition-labels-on-mountpoint-labeled-filesystems.patch b/queue-2.6.36/selinux-do-not-compute-transition-labels-on-mountpoint-labeled-filesystems.patch new file mode 100644 index 00000000000..c983b2ab882 --- /dev/null +++ b/queue-2.6.36/selinux-do-not-compute-transition-labels-on-mountpoint-labeled-filesystems.patch 
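Review bot: Nothing in the `nlmsg_route_perms` hunk keeps the table in step with route message types added later, and the commit message states that an unlisted type is allowed by default, so the same silent enforcement gap can recur. A comment beside the table would at least make the obligation visible, e.g. `/* every RTM_* message type must have an entry here; unlisted types are allowed by default */`. A compile-time check against the highest RTM_ value would be stronger, but that depends on definitions outside this hunk. The table itself begins outside the hunk.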
@@ -0,0 +1,57 @@ +From 415103f9932d45f7927f4b17e3a9a13834cdb9a1 Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Thu, 2 Dec 2010 16:13:40 -0500 +Subject: SELinux: do not compute transition labels on mountpoint labeled filesystems + +From: Eric Paris + +commit 415103f9932d45f7927f4b17e3a9a13834cdb9a1 upstream. + +selinux_inode_init_security computes transitions sids even for filesystems +that use mount point labeling. It shouldn't do that. It should just use +the mount point label always and no matter what. + +This causes 2 problems. 1) it makes file creation slower than it needs to be +since we calculate the transition sid and 2) it allows files to be created +with a different label than the mount point! + +# id -Z +staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 +# sesearch --type --class file --source sysadm_t --target tmp_t +Found 1 semantic te rules: + type_transition sysadm_t tmp_t : file user_tmp_t; + +# mount -o loop,context="system_u:object_r:tmp_t:s0" /tmp/fs /mnt/tmp + +# ls -lZ /mnt/tmp +drwx------. root root system_u:object_r:tmp_t:s0 lost+found +# touch /mnt/tmp/file1 +# ls -lZ /mnt/tmp +-rw-r--r--. root root staff_u:object_r:user_tmp_t:s0 file1 +drwx------. root root system_u:object_r:tmp_t:s0 lost+found + +Whoops, we have a mount point labeled filesystem tmp_t with a user_tmp_t +labeled file! 
+ +Signed-off-by: Eric Paris +Reviewed-by: Reviewed-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2529,7 +2529,10 @@ static int selinux_inode_init_security(s + sid = tsec->sid; + newsid = tsec->create_sid; + +- if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { ++ if ((sbsec->flags & SE_SBINITIALIZED) && ++ (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) ++ newsid = sbsec->mntpoint_sid; ++ else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { + rc = security_transition_sid(sid, dsec->sid, + inode_mode_to_security_class(inode->i_mode), + &newsid); diff --git a/queue-2.6.36/series b/queue-2.6.36/series index d3d2de311e6..1431fbc69e1 100644 --- a/queue-2.6.36/series +++ b/queue-2.6.36/series 
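Review bot: In selinux_inode_init_security() the new mountpoint test comes first, so it also overrides a non-zero `tsec->create_sid` that was loaded into `newsid` on the line before, yet the code has no comment saying this is deliberate. The commit message gives the intent ("always and no matter what"), and since the order of these two branches is what enforces the labeling policy, I would record it above the `if`: `/* mountpoint-labeled fs: always use mntpoint_sid, ignoring create_sid and type transitions */`. The function begins and ends outside the hunk.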
@@ -136,3 +136,19 @@ ssb-pcmcia-fix-parsing-of-invariants-tuples.patch backlight-fix-88pm860x_bl-macro-collision.patch fs-direct-io.c-don-t-try-to-allocate-more-than-bio_max_pages-in-a-bio.patch kernel-smp.c-fix-smp_call_function_many-smp-race.patch +md-fix-regression-with-re-adding-devices-to-arrays-with-no-metadata.patch +md-fix-regression-resulting-in-delays-in-clearing-bits-in-a-bitmap.patch +md-ensure-no-io-request-to-get-md-device-before-it-is-properly-initialised.patch +md-fix-removal-of-extra-drives-when-converting-raid6-to-raid5.patch +pata_mpc52xx-inherit-from-ata_bmdma_port_ops.patch +md_make_request-don-t-touch-the-bio-after-calling-make_request.patch +0001-KVM-i8259-initialize-isr_ack.patch +kvm-mmu-fix-incorrect-direct-gfn-for-unpaged-mode-shadow.patch +kvm-mmu-fix-32-bit-legacy-paging-with-npt.patch +nilfs2-fix-crash-after-one-superblock-became-unavailable.patch +tpm-long-default-timeout-fix.patch +tpm_tis-use-timeouts-returned-from-tpm.patch +keys-don-t-call-up_write-if-__key_link_begin-returns-an-error.patch +selinux-define-permissions-for-dcb-netlink-messages.patch +selinux-do-not-compute-transition-labels-on-mountpoint-labeled-filesystems.patch +tpm-autodetect-itpm-devices.patch diff --git a/queue-2.6.36/tpm-autodetect-itpm-devices.patch b/queue-2.6.36/tpm-autodetect-itpm-devices.patch new file mode 100644 index 00000000000..794e9e17d69 --- /dev/null +++ b/queue-2.6.36/tpm-autodetect-itpm-devices.patch 
@@ -0,0 +1,75 @@ +From 3f0d3d016d89a5efb8b926d4707eb21fa13f3d27 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 21 Oct 2010 17:42:40 -0400 +Subject: tpm: Autodetect itpm devices + +From: Matthew Garrett + +commit 3f0d3d016d89a5efb8b926d4707eb21fa13f3d27 upstream. + +Some Lenovos have TPMs that require a quirk to function correctly. This can +be autodetected by checking whether the device has a _HID of INTC0102. This +is an invalid PNPid, and as such is discarded by the pnp layer - however +it's still present in the ACPI code, so we can pull it out that way. This +means that the quirk won't be automatically applied on non-ACPI systems, +but without ACPI we don't have any way to identify the chip anyway so I +don't think that's a great concern. + +Signed-off-by: Matthew Garrett +Acked-by: Rajiv Andrade +Tested-by: Jiri Kosina +Tested-by: Andy Isaacson +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_tis.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include "tpm.h" + + #define TPM_HEADER_SIZE 10 +@@ -78,6 +79,26 @@ enum tis_defaults { + static LIST_HEAD(tis_chips); + static DEFINE_SPINLOCK(tis_lock); + ++#ifdef CONFIG_ACPI ++static int is_itpm(struct pnp_dev *dev) ++{ ++ struct acpi_device *acpi = pnp_acpi_device(dev); ++ struct acpi_hardware_id *id; ++ ++ list_for_each_entry(id, &acpi->pnp.ids, list) { ++ if (!strcmp("INTC0102", id->id)) ++ return 1; ++ } ++ ++ return 0; ++} ++#else ++static int is_itpm(struct pnp_dev *dev) ++{ ++ return 0; ++} ++#endif ++ + static int check_locality(struct tpm_chip *chip, int l) + { + if ((ioread8(chip->vendor.iobase + TPM_ACCESS(l)) & +@@ -474,6 +495,9 @@ static int tpm_tis_init(struct device *d + "1.2 TPM (device-id 0x%X, rev-id %d)\n", + vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0))); + ++ if 
(is_itpm(to_pnp_dev(dev))) ++ itpm = 1; ++ + if (itpm) + dev_info(dev, "Intel iTPM workaround enabled\n"); + diff --git a/queue-2.6.36/tpm-long-default-timeout-fix.patch b/queue-2.6.36/tpm-long-default-timeout-fix.patch new file mode 100644 index 00000000000..fe9514f44d1 --- /dev/null +++ b/queue-2.6.36/tpm-long-default-timeout-fix.patch @@ -0,0 +1,46 @@ +From c4ff4b829ef9e6353c0b133b7adb564a68054979 Mon Sep 17 00:00:00 2001 +From: Rajiv Andrade +Date: Fri, 12 Nov 2010 22:30:02 +0100 +Subject: TPM: Long default timeout fix + +From: Rajiv Andrade + +commit c4ff4b829ef9e6353c0b133b7adb564a68054979 upstream. + +If duration variable value is 0 at this point, it's because +chip->vendor.duration wasn't filled by tpm_get_timeouts() yet. +This patch sets then the lowest timeout just to give enough +time for tpm_get_timeouts() to further succeed. + +This fix avoids long boot times in case another entity attempts +to send commands to the TPM when the TPM isn't accessible. + +Signed-off-by: Rajiv Andrade +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -354,12 +354,14 @@ unsigned long tpm_calc_ordinal_duration( + tpm_protected_ordinal_duration[ordinal & + TPM_PROTECTED_ORDINAL_MASK]; + +- if (duration_idx != TPM_UNDEFINED) ++ if (duration_idx != TPM_UNDEFINED) { + duration = chip->vendor.duration[duration_idx]; +- if (duration <= 0) ++ /* if duration is 0, it's because chip->vendor.duration wasn't */ ++ /* filled yet, so we set the lowest timeout just to give enough */ ++ /* time for tpm_get_timeouts() to succeed */ ++ return (duration <= 0 ? HZ : duration); ++ } else + return 2 * 60 * HZ; +- else +- return duration; + } + EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration); + 
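Review bot: In tpm-autodetect-itpm-devices.patch, is_itpm() feeds the result of `pnp_acpi_device(dev)` straight into `list_for_each_entry(id, &acpi->pnp.ids, list)` without checking it, so a PNP device with no ACPI companion would be dereferenced as NULL. A guard before the loop, `if (!acpi) return 0;`, keeps the quirk detection fail-safe. Separately, tpm_tis_init() receives a plain `struct device *` and the last inner hunk applies `to_pnp_dev(dev)` to it unconditionally; if any caller outside this hunk passes a device that is not a PNP device (worth confirming), the conversion yields a bogus pointer. tpm_tis_init() begins and ends outside the hunk.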
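Review bot: In tpm-long-default-timeout-fix.patch, the rewritten tail of tpm_calc_ordinal_duration() treats a zero `chip->vendor.duration[duration_idx]` as "not filled in yet" and returns `HZ`, but a zero that the device itself reported takes the same path, where the old code fell back to `2 * 60 * HZ`. If shortening that case is intended, the added comment should say so; otherwise the two cases need to be told apart by something other than the value being zero. The test `duration <= 0` also reads oddly if `duration` is unsigned, which its declaration outside the hunk would confirm; in that case `duration == 0` states what is actually checked.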
diff --git a/queue-2.6.36/tpm_tis-use-timeouts-returned-from-tpm.patch b/queue-2.6.36/tpm_tis-use-timeouts-returned-from-tpm.patch new file mode 100644 index 00000000000..97dc4fc1e2b --- /dev/null +++ b/queue-2.6.36/tpm_tis-use-timeouts-returned-from-tpm.patch 
@@ -0,0 +1,95 @@ +From 9b29050f8f75916f974a2d231ae5d3cd59792296 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 11 Jan 2011 14:37:29 -0500 +Subject: tpm_tis: Use timeouts returned from TPM + +From: Stefan Berger + +commit 9b29050f8f75916f974a2d231ae5d3cd59792296 upstream. + +The current TPM TIS driver in git discards the timeout values returned +from the TPM. The check of the response packet needs to consider that +the return_code field is 0 on success and the size of the expected +packet is equivalent to the header size + u32 length indicator for the +TPM_GetCapability() result + 3 timeout indicators of type u32. + +I am also adding a sysfs entry 'timeouts' showing the timeouts that are +being used. + +Signed-off-by: Stefan Berger +Tested-by: Guillaume Chazarain +Signed-off-by: Rajiv Andrade +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm.c | 18 ++++++++++++++++-- + drivers/char/tpm/tpm.h | 2 ++ + drivers/char/tpm/tpm_tis.c | 4 +++- + 3 files changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -567,9 +567,11 @@ duration: + if (rc) + return; + +- if (be32_to_cpu(tpm_cmd.header.out.return_code) +- != 3 * sizeof(u32)) ++ if (be32_to_cpu(tpm_cmd.header.out.return_code) != 0 || ++ be32_to_cpu(tpm_cmd.header.out.length) ++ != sizeof(tpm_cmd.header.out) + sizeof(u32) + 3 * sizeof(u32)) + return; ++ + duration_cap = &tpm_cmd.params.getcap_out.cap.duration; + chip->vendor.duration[TPM_SHORT] = + usecs_to_jiffies(be32_to_cpu(duration_cap->tpm_short)); +@@ -913,6 +915,18 @@ ssize_t tpm_show_caps_1_2(struct device + } + EXPORT_SYMBOL_GPL(tpm_show_caps_1_2); + ++ssize_t tpm_show_timeouts(struct device *dev, struct device_attribute *attr, ++ char *buf) ++{ ++ struct tpm_chip *chip = dev_get_drvdata(dev); ++ ++ return sprintf(buf, "%d %d %d\n", ++ jiffies_to_usecs(chip->vendor.duration[TPM_SHORT]), ++ jiffies_to_usecs(chip->vendor.duration[TPM_MEDIUM]), ++ 
jiffies_to_usecs(chip->vendor.duration[TPM_LONG])); ++} ++EXPORT_SYMBOL_GPL(tpm_show_timeouts); ++ + ssize_t tpm_store_cancel(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -56,6 +56,8 @@ extern ssize_t tpm_show_owned(struct dev + char *); + extern ssize_t tpm_show_temp_deactivated(struct device *, + struct device_attribute *attr, char *); ++extern ssize_t tpm_show_timeouts(struct device *, ++ struct device_attribute *attr, char *); + + struct tpm_chip; + +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -355,6 +355,7 @@ static DEVICE_ATTR(temp_deactivated, S_I + NULL); + static DEVICE_ATTR(caps, S_IRUGO, tpm_show_caps_1_2, NULL); + static DEVICE_ATTR(cancel, S_IWUSR | S_IWGRP, NULL, tpm_store_cancel); ++static DEVICE_ATTR(timeouts, S_IRUGO, tpm_show_timeouts, NULL); + + static struct attribute *tis_attrs[] = { + &dev_attr_pubek.attr, +@@ -364,7 +365,8 @@ static struct attribute *tis_attrs[] = { + &dev_attr_owned.attr, + &dev_attr_temp_deactivated.attr, + &dev_attr_caps.attr, +- &dev_attr_cancel.attr, NULL, ++ &dev_attr_cancel.attr, ++ &dev_attr_timeouts.attr, NULL, + }; + + static struct attribute_group tis_attr_grp = {
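Review bot: tpm_show_timeouts() formats three `jiffies_to_usecs()` results with `%d`, but that helper returns an unsigned value, so the call should read `return sprintf(buf, "%u %u %u\n",`. The attribute is also named `timeouts` while it prints `chip->vendor.duration[TPM_SHORT]`, `[TPM_MEDIUM]` and `[TPM_LONG]`, which are the command durations. A one-line comment above the function, `/* reports the short/medium/long command durations in microseconds */`, would keep readers of the sysfs file from taking these for the TIS interface timeouts.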