From: Greg Kroah-Hartman Date: Wed, 3 Sep 2008 16:53:40 +0000 (-0700) Subject: more .26 patches X-Git-Tag: v2.6.25.17~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46bef22484a63e21ee5a02ddb3bc2359b7843398;p=thirdparty%2Fkernel%2Fstable-queue.git more .26 patches --- diff --git a/queue-2.6.26/kvm-mmu-fix-torn-shadow-pte.patch b/queue-2.6.26/kvm-mmu-fix-torn-shadow-pte.patch new file mode 100644 index 00000000000..d1b0f789a44 --- /dev/null +++ b/queue-2.6.26/kvm-mmu-fix-torn-shadow-pte.patch @@ -0,0 +1,32 @@ +From avi@qumranet.com Wed Sep 3 09:45:00 2008 +From: Avi Kivity +Date: Tue, 26 Aug 2008 11:05:28 +0300 +Subject: KVM: MMU: Fix torn shadow pte +To: stable@kernel.org +Message-ID: <1219737928-18186-1-git-send-email-avi@qumranet.com> + +From: Avi Kivity + +(cherry picked from commit cd5998ebfbc9e6cb44408efa217c15d7eea13675) + +The shadow code assigns a pte directly in one place, which is nonatomic on +i386 can can cause random memory references. Fix by using an atomic setter. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/paging_tmpl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -343,7 +343,7 @@ static u64 *FNAME(fetch)(struct kvm_vcpu + shadow_addr = __pa(shadow_page->spt); + shadow_pte = shadow_addr | PT_PRESENT_MASK | PT_ACCESSED_MASK + | PT_WRITABLE_MASK | PT_USER_MASK; +- *shadow_ent = shadow_pte; ++ set_shadow_pte(shadow_ent, shadow_pte); + } + + mmu_set_spte(vcpu, shadow_ent, access, walker->pte_access & access, diff --git a/queue-2.6.26/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch b/queue-2.6.26/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch new file mode 100644 index 00000000000..d5d566ae43a --- /dev/null +++ b/queue-2.6.26/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch @@ -0,0 +1,36 @@ +From bfields@citi.umich.edu Wed Sep 3 09:39:51 2008 +From: "J. Bruce Fields" +Date: Mon, 1 Sep 2008 14:51:02 -0400 +Subject: nfsd: fix buffer overrun decoding NFSv4 acl +To: stable@kernel.org +Cc: linux-nfs@vger.kernel.org, "J. Bruce Fields" , linux-kernel@vger.kernel.org, David Richter +Message-ID: <1220295062-10957-2-git-send-email-bfields@citi.umich.edu> + +From: J. Bruce Fields + +commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream + +The array we kmalloc() here is not large enough. + +Thanks to Johann Dahm and David Richter for bug report and testing. + +Signed-off-by: J. Bruce Fields +Cc: David Richter +Tested-by: Johann Dahm +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4acl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state + * enough space for either: + */ + alloc = sizeof(struct posix_ace_state_array) +- + cnt*sizeof(struct posix_ace_state); ++ + cnt*sizeof(struct posix_user_ace_state); + state->users = kzalloc(alloc, GFP_KERNEL); + if (!state->users) + return -ENOMEM; diff --git a/queue-2.6.26/r8169-balance-pci_map-pci_unmap-pair.patch b/queue-2.6.26/r8169-balance-pci_map-pci_unmap-pair.patch new file mode 100644 index 00000000000..6e30b4a8f9d --- /dev/null +++ b/queue-2.6.26/r8169-balance-pci_map-pci_unmap-pair.patch @@ -0,0 +1,40 @@ +From romieu@fr.zoreil.com Wed Sep 3 09:37:25 2008 +From: Francois Romieu +Date: Thu, 28 Aug 2008 22:55:33 +0200 +Subject: r8169: balance pci_map / pci_unmap pair +To: stable@kernel.org +Cc: Andrew Morton , Marcus Sundberg , Jeff Garzik +Message-ID: <20080828205533.GA599@electric-eye.fr.zoreil.com> + +From: Francois Romieu + +commit a866bbf6aacf95f849810079442a20be118ce905 upstream + +The leak hurts with swiotlb and jumbo frames. + +Fix http://bugzilla.kernel.org/show_bug.cgi?id=9468. + +Heavily hinted by Ilpo Järvinen . + +Signed-off-by: Francois Romieu +Tested-by: Alistair John Strachan +Tested-by: Timothy J Fontaine +Cc: Edward Hsu +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r8169.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -2822,7 +2822,7 @@ static int rtl8169_rx_interrupt(struct n + pkt_size, PCI_DMA_FROMDEVICE); + rtl8169_mark_to_asic(desc, tp->rx_buf_sz); + } else { +- pci_unmap_single(pdev, addr, pkt_size, ++ pci_unmap_single(pdev, addr, tp->rx_buf_sz, + PCI_DMA_FROMDEVICE); + tp->Rx_skbuff[entry] = NULL; + } diff --git a/queue-2.6.26/sata_mv-don-t-issue-two-dma-commands-concurrently.patch b/queue-2.6.26/sata_mv-don-t-issue-two-dma-commands-concurrently.patch new file mode 100644 index 00000000000..9a9305cc270 --- /dev/null +++ b/queue-2.6.26/sata_mv-don-t-issue-two-dma-commands-concurrently.patch @@ -0,0 +1,68 @@ +From 4bdee6c5103696a2729d3db2f235d202191788e4 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 13 Aug 2008 20:24:16 +0900 +Subject: sata_mv: don't issue two DMA commands concurrently + +From: Tejun Heo + +commit 4bdee6c5103696a2729d3db2f235d202191788e4 upstream + +sata_mv allowed issuing two DMA commands concurrently which the +hardware allows. Unfortunately, libata core layer isn't ready for +this yet and spews ugly warning message and malfunctions on this. +Don't allow concurrent DMA commands for now. + +Signed-off-by: Tejun Heo +Signed-off-by: Jeff Garzik +Cc: Martin Michlmayr +Cc: Mark Lord +Cc: Artem Bokhan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/sata_mv.c | 34 ++++++++++------------------------ + 1 file changed, 10 insertions(+), 24 deletions(-) + +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -1134,30 +1134,16 @@ static int mv_qc_defer(struct ata_queued + if (ap->nr_active_links == 0) + return 0; + +- if (pp->pp_flags & MV_PP_FLAG_EDMA_EN) { +- /* +- * The port is operating in host queuing mode (EDMA). +- * It can accomodate a new qc if the qc protocol +- * is compatible with the current host queue mode. +- */ +- if (pp->pp_flags & MV_PP_FLAG_NCQ_EN) { +- /* +- * The host queue (EDMA) is in NCQ mode. +- * If the new qc is also an NCQ command, +- * then allow the new qc. +- */ +- if (qc->tf.protocol == ATA_PROT_NCQ) +- return 0; +- } else { +- /* +- * The host queue (EDMA) is in non-NCQ, DMA mode. +- * If the new qc is also a non-NCQ, DMA command, +- * then allow the new qc. +- */ +- if (qc->tf.protocol == ATA_PROT_DMA) +- return 0; +- } +- } ++ /* ++ * The port is operating in host queuing mode (EDMA) with NCQ ++ * enabled, allow multiple NCQ commands. EDMA also allows ++ * queueing multiple DMA commands but libata core currently ++ * doesn't allow it. ++ */ ++ if ((pp->pp_flags & MV_PP_FLAG_EDMA_EN) && ++ (pp->pp_flags & MV_PP_FLAG_NCQ_EN) && ata_is_ncq(qc->tf.protocol)) ++ return 0; ++ + return ATA_DEFER_PORT; + } + diff --git a/queue-2.6.26/series b/queue-2.6.26/series index fc23b41560b..901f9cb7d5d 100644 --- a/queue-2.6.26/series +++ b/queue-2.6.26/series @@ -33,3 +33,10 @@ mm-make-setup_zone_migrate_reserve-aware-of-overlapping-nodes.patch 0001-sparc64-Fix-overshoot-in-nid_range.patch 0002-sparc64-Fix-cmdline_memory_size-handling-bugs.patch crypto-authenc-avoid-using-clobbered-request-pointer.patch +tg3-fix-firmware-event-timeouts.patch +r8169-balance-pci_map-pci_unmap-pair.patch +sunrpc-fix-possible-overrun-on-read-of-proc-sys-sunrpc-transports.patch +nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch +x86-work-around-mtrr-mask-setting-v2.patch +kvm-mmu-fix-torn-shadow-pte.patch +sata_mv-don-t-issue-two-dma-commands-concurrently.patch diff --git a/queue-2.6.26/sunrpc-fix-possible-overrun-on-read-of-proc-sys-sunrpc-transports.patch b/queue-2.6.26/sunrpc-fix-possible-overrun-on-read-of-proc-sys-sunrpc-transports.patch new file mode 100644 index 00000000000..a433c2a586f --- /dev/null +++ b/queue-2.6.26/sunrpc-fix-possible-overrun-on-read-of-proc-sys-sunrpc-transports.patch @@ -0,0 +1,80 @@ +From bfields@citi.umich.edu Wed Sep 3 09:39:03 2008 +From: Cyrill Gorcunov +Date: Mon, 1 Sep 2008 14:51:01 -0400 +Subject: sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports +To: stable@kernel.org +Cc: linux-nfs@vger.kernel.org, Greg Banks , Neil Brown , "J. Bruce Fields" , linux-kernel@vger.kernel.org, Tom Tucker , Ingo Oeser , Cyrill Gorcunov , Chuck Lever +Message-ID: <1220295062-10957-1-git-send-email-bfields@citi.umich.edu> + + +From: Cyrill Gorcunov + +commit 27df6f25ff218072e0e879a96beeb398a79cdbc8 upstream + +Vegard Nossum reported +---------------------- +> I noticed that something weird is going on with /proc/sys/sunrpc/transports. +> This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When +> I "cat" this file, I get the expected output: +> $ cat /proc/sys/sunrpc/transports +> tcp 1048576 +> udp 32768 + +> But I think that it does not check the length of the buffer supplied by +> userspace to read(). With my original program, I found that the stack was +> being overwritten by the characters above, even when the length given to +> read() was just 1. + +David Wagner added (among other things) that copy_to_user could be +probably used here. + +Ingo Oeser suggested to use simple_read_from_buffer() here. + +The conclusion is that proc_do_xprt doesn't check for userside buffer +size indeed so fix this by using Ingo's suggestion. + +Reported-by: Vegard Nossum +Signed-off-by: Cyrill Gorcunov +CC: Ingo Oeser +Cc: Neil Brown +Cc: Chuck Lever +Cc: Greg Banks +Cc: Tom Tucker +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/sysctl.c | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +--- a/net/sunrpc/sysctl.c ++++ b/net/sunrpc/sysctl.c +@@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table + void __user *buffer, size_t *lenp, loff_t *ppos) + { + char tmpbuf[256]; +- int len; ++ size_t len; ++ + if ((*ppos && !write) || !*lenp) { + *lenp = 0; + return 0; + } +- if (write) +- return -EINVAL; +- else { +- len = svc_print_xprts(tmpbuf, sizeof(tmpbuf)); +- if (!access_ok(VERIFY_WRITE, buffer, len)) +- return -EFAULT; +- +- if (__copy_to_user(buffer, tmpbuf, len)) +- return -EFAULT; +- } +- *lenp -= len; +- *ppos += len; +- return 0; ++ len = svc_print_xprts(tmpbuf, sizeof(tmpbuf)); ++ return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len); + } + + static int diff --git a/queue-2.6.26/tg3-fix-firmware-event-timeouts.patch b/queue-2.6.26/tg3-fix-firmware-event-timeouts.patch new file mode 100644 index 00000000000..3540dcf5ebe --- /dev/null +++ b/queue-2.6.26/tg3-fix-firmware-event-timeouts.patch @@ -0,0 +1,156 @@ +From 4ba526ced990f4d61ee8d65fe8a6f0745e8e455c Mon Sep 17 00:00:00 2001 +From: Matt Carlson +Date: Fri, 15 Aug 2008 14:10:04 -0700 +Subject: tg3: Fix firmware event timeouts +Message-Id: <20080902.204333.50898620.davem@davemloft.net> + + +From: Matt Carlson + +patch 4ba526ced990f4d61ee8d65fe8a6f0745e8e455c upstream + +The git commit 7c5026aa9b81dd45df8d3f4e0be73e485976a8b6 ("tg3: Add +link state reporting to UMP firmware") introduced code that waits for +previous firmware events to be serviced before attempting to submit a +new event. Unfortunately that patch contained a bug that cause the +driver to wait 2.5 seconds, rather than 2.5 milliseconds as intended. +This patch fixes that bug. + +This bug revealed that not all firmware versions service driver events +though. Since we do not know which versions of the firmware do and don't +service these events, the driver needs some way to minimize the effects +of the delay. This patch solves the problem by recording a jiffies +timestamp when it submits an event to the hardware. If the jiffies +counter shows that 2.5 milliseconds have already passed, a wait is not +needed and the driver can proceed to submit a new event. + +Signed-off-by: Matt Carlson +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tg3.c | 53 +++++++++++++++++++++++++++++++++++++---------------- + drivers/net/tg3.h | 3 +++ + 2 files changed, 40 insertions(+), 16 deletions(-) + +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -1672,15 +1672,43 @@ static int tg3_set_power_state(struct tg + } + + /* tp->lock is held. */ ++static inline void tg3_generate_fw_event(struct tg3 *tp) ++{ ++ u32 val; ++ ++ val = tr32(GRC_RX_CPU_EVENT); ++ val |= GRC_RX_CPU_DRIVER_EVENT; ++ tw32_f(GRC_RX_CPU_EVENT, val); ++ ++ tp->last_event_jiffies = jiffies; ++} ++ ++#define TG3_FW_EVENT_TIMEOUT_USEC 2500 ++ ++/* tp->lock is held. */ + static void tg3_wait_for_event_ack(struct tg3 *tp) + { + int i; ++ unsigned int delay_cnt; ++ long time_remain; ++ ++ /* If enough time has passed, no wait is necessary. */ ++ time_remain = (long)(tp->last_event_jiffies + 1 + ++ usecs_to_jiffies(TG3_FW_EVENT_TIMEOUT_USEC)) - ++ (long)jiffies; ++ if (time_remain < 0) ++ return; ++ ++ /* Check if we can shorten the wait time. */ ++ delay_cnt = jiffies_to_usecs(time_remain); ++ if (delay_cnt > TG3_FW_EVENT_TIMEOUT_USEC) ++ delay_cnt = TG3_FW_EVENT_TIMEOUT_USEC; ++ delay_cnt = (delay_cnt >> 3) + 1; + +- /* Wait for up to 2.5 milliseconds */ +- for (i = 0; i < 250000; i++) { ++ for (i = 0; i < delay_cnt; i++) { + if (!(tr32(GRC_RX_CPU_EVENT) & GRC_RX_CPU_DRIVER_EVENT)) + break; +- udelay(10); ++ udelay(8); + } + } + +@@ -1729,9 +1757,7 @@ static void tg3_ump_link_report(struct t + val = 0; + tg3_write_mem(tp, NIC_SRAM_FW_CMD_DATA_MBOX + 12, val); + +- val = tr32(GRC_RX_CPU_EVENT); +- val |= GRC_RX_CPU_DRIVER_EVENT; +- tw32_f(GRC_RX_CPU_EVENT, val); ++ tg3_generate_fw_event(tp); + } + + static void tg3_link_report(struct tg3 *tp) +@@ -5565,6 +5591,7 @@ static int tg3_chip_reset(struct tg3 *tp + tg3_read_mem(tp, NIC_SRAM_DATA_CFG, &nic_cfg); + if (nic_cfg & NIC_SRAM_DATA_CFG_ASF_ENABLE) { + tp->tg3_flags |= TG3_FLAG_ENABLE_ASF; ++ tp->last_event_jiffies = jiffies; + if (tp->tg3_flags2 & TG3_FLG2_5750_PLUS) + tp->tg3_flags2 |= TG3_FLG2_ASF_NEW_HANDSHAKE; + } +@@ -5578,15 +5605,12 @@ static void tg3_stop_fw(struct tg3 *tp) + { + if ((tp->tg3_flags & TG3_FLAG_ENABLE_ASF) && + !(tp->tg3_flags3 & TG3_FLG3_ENABLE_APE)) { +- u32 val; +- + /* Wait for RX cpu to ACK the previous event. */ + tg3_wait_for_event_ack(tp); + + tg3_write_mem(tp, NIC_SRAM_FW_CMD_MBOX, FWCMD_NICDRV_PAUSE_FW); +- val = tr32(GRC_RX_CPU_EVENT); +- val |= GRC_RX_CPU_DRIVER_EVENT; +- tw32(GRC_RX_CPU_EVENT, val); ++ ++ tg3_generate_fw_event(tp); + + /* Wait for RX cpu to ACK this event. */ + tg3_wait_for_event_ack(tp); +@@ -7477,8 +7501,6 @@ static void tg3_timer(unsigned long __op + */ + if (!--tp->asf_counter) { + if (tp->tg3_flags & TG3_FLAG_ENABLE_ASF) { +- u32 val; +- + tg3_wait_for_event_ack(tp); + + tg3_write_mem(tp, NIC_SRAM_FW_CMD_MBOX, +@@ -7486,9 +7508,8 @@ static void tg3_timer(unsigned long __op + tg3_write_mem(tp, NIC_SRAM_FW_CMD_LEN_MBOX, 4); + /* 5 seconds timeout */ + tg3_write_mem(tp, NIC_SRAM_FW_CMD_DATA_MBOX, 5); +- val = tr32(GRC_RX_CPU_EVENT); +- val |= GRC_RX_CPU_DRIVER_EVENT; +- tw32_f(GRC_RX_CPU_EVENT, val); ++ ++ tg3_generate_fw_event(tp); + } + tp->asf_counter = tp->asf_multiplier; + } +--- a/drivers/net/tg3.h ++++ b/drivers/net/tg3.h +@@ -2404,7 +2404,10 @@ struct tg3 { + struct tg3_ethtool_stats estats; + struct tg3_ethtool_stats estats_prev; + ++ union { + unsigned long phy_crc_errors; ++ unsigned long last_event_jiffies; ++ }; + + u32 rx_offset; + u32 tg3_flags; diff --git a/queue-2.6.26/x86-work-around-mtrr-mask-setting-v2.patch b/queue-2.6.26/x86-work-around-mtrr-mask-setting-v2.patch new file mode 100644 index 00000000000..0710232d1e3 --- /dev/null +++ b/queue-2.6.26/x86-work-around-mtrr-mask-setting-v2.patch @@ -0,0 +1,47 @@ +From yhlu.kernel@gmail.com Wed Sep 3 09:41:06 2008 +From: Ingo Molnar +Date: Tue, 2 Sep 2008 17:54:10 -0700 +Subject: x86: work around MTRR mask setting, v2 +To: gregkh@suse.de +Cc: mingo@elte.hu +Message-ID: <86802c440809021754s7cd5ad5dy30a46ff65f9f2e5c@mail.gmail.com> +Content-Disposition: inline + +From: Ingo Molnar + +commit 9754a5b840a209bc1f192d59f63e81b698a55ac8 upstream + +x86: work around MTRR mask setting, v2 + +improve the debug printout: + +- make it actually display something +- print it only once + +would be nice to have a WARN_ONCE() facility, to feed such things to +kerneloops.org. + +Signed-off-by: Ingo Molnar +Cc: Yinghai Lu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mtrr/generic.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -387,7 +387,12 @@ static void generic_get_mtrr(unsigned in + tmp |= ~((1<<(hi - 1)) - 1); + + if (tmp != mask_lo) { +- WARN_ON("mtrr: your BIOS has set up an incorrect mask, fixing it up.\n"); ++ static int once = 1; ++ ++ if (once) { ++ printk(KERN_INFO "mtrr: your BIOS has set up an incorrect mask, fixing it up.\n"); ++ once = 0; ++ } + mask_lo = tmp; + } + }