From: Greg Kroah-Hartman Date: Tue, 22 Nov 2011 23:44:45 +0000 (-0800) Subject: 3.1 patches X-Git-Tag: v3.0.11~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27c67fa25a3cf4ad6861162c431b3023996be7fd;p=thirdparty%2Fkernel%2Fstable-queue.git 3.1 patches added patches: batman-adv-add-sanity-check-when-removing-global-tts.patch batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch batman-adv-fix-tt_local_reset_flags-function.patch batman-adv-remove-references-for-global-tt-entries.patch batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch --- diff --git a/queue-3.1/batman-adv-add-sanity-check-when-removing-global-tts.patch b/queue-3.1/batman-adv-add-sanity-check-when-removing-global-tts.patch new file mode 100644 index 00000000000..145cee57328 --- /dev/null +++ b/queue-3.1/batman-adv-add-sanity-check-when-removing-global-tts.patch @@ -0,0 +1,34 @@ +From 6e8014947d6469df1566e9e253805557c5c0e4e0 Mon Sep 17 00:00:00 2001 +From: Simon Wunderlich +Date: Wed, 19 Oct 2011 10:28:26 +0200 +Subject: batman-adv: add sanity check when removing global tts + +From: Simon Wunderlich + +commit 6e8014947d6469df1566e9e253805557c5c0e4e0 upstream. + +After removing the batman-adv module, the hash may be already gone +when tt_global_del_orig() tries to clean the hash. This patch adds +a sanity check to avoid this. + +Signed-off-by: Simon Wunderlich +Tested-by: Alexey Fisher +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/translation-table.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -698,6 +698,9 @@ void tt_global_del_orig(struct bat_priv + struct hlist_head *head; + spinlock_t *list_lock; /* protects write access to the hash lists */ + ++ if (!hash) ++ return; ++ + for (i = 0; i < hash->size; i++) { + head = &hash->table[i]; + list_lock = &hash->list_locks[i]; diff --git a/queue-3.1/batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch b/queue-3.1/batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch new file mode 100644 index 00000000000..f4983484060 --- /dev/null +++ b/queue-3.1/batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch @@ -0,0 +1,43 @@ +From 9d8523931f7f5eb8900077f0da0fbe6b8ad0010b Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Mon, 17 Oct 2011 14:25:13 +0200 +Subject: batman-adv: correctly set the data field in the TT_REPONSE packet + +From: Antonio Quartulli + +commit 9d8523931f7f5eb8900077f0da0fbe6b8ad0010b upstream. + +In the TT_RESPONSE packet, the number of carried entries is not correctly set. +This leads to a wrong interpretation of the packet payload on the receiver side +causing random entries to be added to the global translation table. Therefore +the latter gets always corrupted, triggering a table recovery all the time. + +Signed-off-by: Antonio Quartulli +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/translation-table.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -999,7 +999,6 @@ static struct sk_buff *tt_response_fill_ + tt_response = (struct tt_query_packet *)skb_put(skb, + tt_query_size + tt_len); + tt_response->ttvn = ttvn; +- tt_response->tt_data = htons(tt_tot); + + tt_change = (struct tt_change *)(skb->data + tt_query_size); + tt_count = 0; +@@ -1025,6 +1024,10 @@ static struct sk_buff *tt_response_fill_ + } + rcu_read_unlock(); + ++ /* store in the message the number of entries we have successfully ++ * copied */ ++ tt_response->tt_data = htons(tt_count); ++ + out: + return skb; + } diff --git a/queue-3.1/batman-adv-fix-tt_local_reset_flags-function.patch b/queue-3.1/batman-adv-fix-tt_local_reset_flags-function.patch new file mode 100644 index 00000000000..ed51a239209 --- /dev/null +++ b/queue-3.1/batman-adv-fix-tt_local_reset_flags-function.patch @@ -0,0 +1,36 @@ +From 31901264511cf20c5ed33b8649a3ca9ce28df60b Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sun, 16 Oct 2011 18:53:37 +0200 +Subject: batman-adv: fix tt_local_reset_flags() function + +From: Antonio Quartulli + +commit 31901264511cf20c5ed33b8649a3ca9ce28df60b upstream. + +Currently the counter of tt_local_entry structures (tt_local_num) is incremented +each time the tt_local_reset_flags() is invoked causing the node to send wrong +TT_REPONSE packets containing a copy of non-initialised memory thus corrupting +other nodes global translation table and making higher level communication +impossible. + +Reported-by: Junkeun Song +Signed-off-by: Antonio Quartulli +Acked-by: Junkeun Song +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/translation-table.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -1668,6 +1668,8 @@ static void tt_local_reset_flags(struct + rcu_read_lock(); + hlist_for_each_entry_rcu(tt_local_entry, node, + head, hash_entry) { ++ if (!(tt_local_entry->flags & flags)) ++ continue; + tt_local_entry->flags &= ~flags; + atomic_inc(&bat_priv->num_local_tt); + } diff --git a/queue-3.1/batman-adv-remove-references-for-global-tt-entries.patch b/queue-3.1/batman-adv-remove-references-for-global-tt-entries.patch new file mode 100644 index 00000000000..604de0be014 --- /dev/null +++ b/queue-3.1/batman-adv-remove-references-for-global-tt-entries.patch @@ -0,0 +1,47 @@ +From 531027fcddbcf81c9937dd04f08a7e8f11fd47d2 Mon Sep 17 00:00:00 2001 +From: Simon Wunderlich +Date: Wed, 19 Oct 2011 11:02:25 +0200 +Subject: batman-adv: remove references for global tt entries + +From: Simon Wunderlich + +commit 531027fcddbcf81c9937dd04f08a7e8f11fd47d2 upstream. + +struct tt_global_entry holds a reference to an orig_node which must be +decremented before deallocating the structure. + +Signed-off-by: Simon Wunderlich +Tested-by: Alexey Fisher +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/translation-table.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -137,10 +137,22 @@ static void tt_local_entry_free_ref(stru + kfree_rcu(tt_local_entry, rcu); + } + ++static void tt_global_entry_free_rcu(struct rcu_head *rcu) ++{ ++ struct tt_global_entry *tt_global_entry; ++ ++ tt_global_entry = container_of(rcu, struct tt_global_entry, rcu); ++ ++ if (tt_global_entry->orig_node) ++ orig_node_free_ref(tt_global_entry->orig_node); ++ ++ kfree(tt_global_entry); ++} ++ + static void tt_global_entry_free_ref(struct tt_global_entry *tt_global_entry) + { + if (atomic_dec_and_test(&tt_global_entry->refcount)) +- kfree_rcu(tt_global_entry, rcu); ++ call_rcu(&tt_global_entry->rcu, tt_global_entry_free_rcu); + } + + static void tt_local_event(struct bat_priv *bat_priv, const uint8_t *addr, diff --git a/queue-3.1/batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch b/queue-3.1/batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch new file mode 100644 index 00000000000..15d0368f99e --- /dev/null +++ b/queue-3.1/batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch @@ -0,0 +1,51 @@ +From 93840ac40bb0d0f177ef8af74e64671be67e8c37 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sat, 22 Oct 2011 00:55:39 +0200 +Subject: batman-adv: unify hash_entry field position in tt_local/global_entry + +From: Antonio Quartulli + +commit 93840ac40bb0d0f177ef8af74e64671be67e8c37 upstream. + +Function tt_response_fill_table() actually uses a tt_local_entry pointer to +iterate either over the local or the global table entries (it depends on the +what hash table is passed as argument). To iterate over such entries the +hlist_for_each_entry_rcu() macro has to access their "hash_entry" field which +MUST be at the same position in both the tt_global/local_entry structures. + +Reported-by: Simon Wunderlich +Signed-off-by: Antonio Quartulli +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/types.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/types.h ++++ b/net/batman-adv/types.h +@@ -223,22 +223,22 @@ struct socket_packet { + + struct tt_local_entry { + uint8_t addr[ETH_ALEN]; ++ struct hlist_node hash_entry; + unsigned long last_seen; + uint16_t flags; + atomic_t refcount; + struct rcu_head rcu; +- struct hlist_node hash_entry; + }; + + struct tt_global_entry { + uint8_t addr[ETH_ALEN]; ++ struct hlist_node hash_entry; /* entry in the global table */ + struct orig_node *orig_node; + uint8_t ttvn; + uint16_t flags; /* only TT_GLOBAL_ROAM is used */ + unsigned long roam_at; /* time at which TT_GLOBAL_ROAM was set */ + atomic_t refcount; + struct rcu_head rcu; +- struct hlist_node hash_entry; /* entry in the global table */ + }; + + struct tt_change_node { diff --git a/queue-3.1/series b/queue-3.1/series index 0a72504cb4e..b0ea958998e 100644 --- a/queue-3.1/series +++ b/queue-3.1/series @@ -45,3 +45,9 @@ usb-add-quirk-for-logitech-c600-web-cam.patch usb-quirks-adding-more-quirky-webcams-to-avoid-squeaky-audio.patch drm-i915-fix-ivb-cursor-support.patch drm-i915-always-set-fdi-composite-sync-bit.patch +batman-adv-fix-tt_local_reset_flags-function.patch +batman-adv-correctly-set-the-data-field-in-the-tt_reponse-packet.patch +batman-adv-remove-references-for-global-tt-entries.patch +batman-adv-add-sanity-check-when-removing-global-tts.patch +batman-adv-unify-hash_entry-field-position-in-tt_local-global_entry.patch +vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch diff --git a/queue-3.1/vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch b/queue-3.1/vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch new file mode 100644 index 00000000000..3ce157f5f5c --- /dev/null +++ b/queue-3.1/vmscan-fix-shrinker-callback-bug-in-fs-super.c.patch @@ -0,0 +1,44 @@ +From 09f363c7363eb10cfb4b82094bd7064e5608258b Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 31 Oct 2011 17:08:57 -0700 +Subject: vmscan: fix shrinker callback bug in fs/super.c + +From: Mikulas Patocka + +commit 09f363c7363eb10cfb4b82094bd7064e5608258b upstream. + +The callback must not return -1 when nr_to_scan is zero. Fix the bug in +fs/super.c and add this requirement to the callback specification. + +Signed-off-by: Mikulas Patocka +Cc: Dave Chinner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/super.c | 2 +- + include/linux/shrinker.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/super.c ++++ b/fs/super.c +@@ -61,7 +61,7 @@ static int prune_super(struct shrinker * + return -1; + + if (!grab_super_passive(sb)) +- return -1; ++ return !sc->nr_to_scan ? 0 : -1; + + if (sb->s_op && sb->s_op->nr_cached_objects) + fs_objects = sb->s_op->nr_cached_objects(sb); +--- a/include/linux/shrinker.h ++++ b/include/linux/shrinker.h +@@ -20,6 +20,7 @@ struct shrink_control { + * 'nr_to_scan' entries and attempt to free them up. It should return + * the number of objects which remain in the cache. If it returns -1, it means + * it cannot do any scanning at this time (eg. there is a risk of deadlock). ++ * The callback must not return -1 if nr_to_scan is zero. + * + * The 'gfpmask' refers to the allocation we are currently trying to + * fulfil.