From: Greg Kroah-Hartman
Date: Fri, 7 May 2010 21:11:13 +0000 (-0700)
Subject: .33 patches
X-Git-Tag: v2.6.32.13~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8be7a76cf8e5f6416f39cd5862826428a0bde603;p=thirdparty%2Fkernel%2Fstable-queue.git
.33 patches
---
diff --git a/queue-2.6.33/cred-fix-a-race-in-creds_are_invalid-in-credentials-debugging.patch b/queue-2.6.33/cred-fix-a-race-in-creds_are_invalid-in-credentials-debugging.patch
new file mode 100644
index 00000000000..62882b3b1a2
--- /dev/null
+++ b/queue-2.6.33/cred-fix-a-race-in-creds_are_invalid-in-credentials-debugging.patch
@@ -0,0 +1,75 @@
+From e134d200d57d43b171dcb0b55c178a1a0c7db14a Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Wed, 21 Apr 2010 10:28:25 +0100
+Subject: CRED: Fix a race in creds_are_invalid() in credentials debugging
+
+From: David Howells
+
+commit e134d200d57d43b171dcb0b55c178a1a0c7db14a upstream.
+
+creds_are_invalid() reads both cred->usage and cred->subscribers and then
+compares them to make sure the number of processes subscribed to a cred struct
+never exceeds the refcount of that cred struct.
+
+The problem is that this can cause a race with both copy_creds() and
+exit_creds() as the two counters, whilst they are of atomic_t type, are only
+atomic with respect to themselves, and not atomic with respect to each other.
+
+This means that if creds_are_invalid() can read the values on one CPU whilst
+they're being modified on another CPU, and so can observe an evolving state in
+which the subscribers count now is greater than the usage count a moment
+before.
+
+Switching the order in which the counts are read cannot help, so the thing to
+do is to remove that particular check.
+
+I had considered rechecking the values to see if they're in flux if the test
+fails, but I can't guarantee they won't appear the same, even if they've
+changed several times in the meantime.
+
+Note that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled.
+
+The problem is only likely to occur with multithreaded programs, and can be
+tested by the tst-eintr1 program from glibc's "make check". The symptoms look
+like:
+
+ CRED: Invalid credentials
+ CRED: At include/linux/cred.h:240
+ CRED: Specified credentials: ffff88003dda5878 [real][eff]
+ CRED: ->magic=43736564, put_addr=(null)
+ CRED: ->usage=766, subscr=766
+ CRED: ->*uid = { 0,0,0,0 }
+ CRED: ->*gid = { 0,0,0,0 }
+ CRED: ->security is ffff88003d72f538
+ CRED: ->security {359, 359}
+ ------------[ cut here ]------------
+ kernel BUG at kernel/cred.c:850!
+ ...
+ RIP: 0010:[] [] __invalid_creds+0x4e/0x52
+ ...
+ Call Trace:
+ [] copy_creds+0x6b/0x23f
+
+Note the ->usage=766 and subscr=766. The values appear the same because
+they've been re-read since the check was made.
+
+Reported-by: Roland McGrath
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/cred.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -786,8 +786,6 @@ bool creds_are_invalid(const struct cred
+ {
+ if (cred->magic != CRED_MAGIC)
+ return true;
+- if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
+- return true;
+ #ifdef CONFIG_SECURITY_SELINUX
+ if (selinux_is_enabled()) {
+ if ((unsigned long) cred->security < PAGE_SIZE)
diff --git a/queue-2.6.33/drivers-net-wireless-p54-txrx.c-fix-off-by-one-error.patch b/queue-2.6.33/drivers-net-wireless-p54-txrx.c-fix-off-by-one-error.patch
new file mode 100644
index 00000000000..ade951bc5b3
--- /dev/null
+++ b/queue-2.6.33/drivers-net-wireless-p54-txrx.c-fix-off-by-one-error.patch
@@ -0,0 +1,32 @@
+From 088ea189c4c75cdf211146faa4b341a0f7476be6 Mon Sep 17 00:00:00 2001
+From: Darren Jenkins
+Date: Wed, 17 Feb 2010 23:40:15 +1100
+Subject: drivers/net/wireless/p54/txrx.c Fix off by one error
+
+From: Darren Jenkins
+
+commit 088ea189c4c75cdf211146faa4b341a0f7476be6 upstream.
+
+fix off by one error in the queue size check of p54_tx_qos_accounting_alloc()
+
+Coverity CID: 13314
+
+Signed-off-by: Darren Jenkins
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/p54/txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/p54/txrx.c
++++ b/drivers/net/wireless/p54/txrx.c
+@@ -186,7 +186,7 @@ static int p54_tx_qos_accounting_alloc(s
+ struct ieee80211_tx_queue_stats *queue;
+ unsigned long flags;
+
+- if (WARN_ON(p54_queue > P54_QUEUE_NUM))
++ if (WARN_ON(p54_queue >= P54_QUEUE_NUM))
+ return -EINVAL;
+
+ queue = &priv->tx_stats[p54_queue];
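Review bot: The corrected bound in p54_tx_qos_accounting_alloc() still relies on `P54_QUEUE_NUM` being exactly the number of elements in `priv->tx_stats`, which is indexed on the last line of the hunk; the array's declaration is not visible here, so that equality is an assumption. If `tx_stats` is a fixed-size array member, tying the guard to it with `if (WARN_ON(p54_queue >= ARRAY_SIZE(priv->tx_stats)))` keeps the index check correct should either definition change later. The function body starts and ends outside the hunk.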
diff --git a/queue-2.6.33/ext4-correctly-calculate-number-of-blocks-for-fiemap.patch b/queue-2.6.33/ext4-correctly-calculate-number-of-blocks-for-fiemap.patch
new file mode 100644
index 00000000000..bc743d5483f
--- /dev/null
+++ b/queue-2.6.33/ext4-correctly-calculate-number-of-blocks-for-fiemap.patch
@@ -0,0 +1,52 @@
+From aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 Mon Sep 17 00:00:00 2001
+From: Leonard Michlmayr
+Date: Thu, 4 Mar 2010 17:07:28 -0500
+Subject: ext4: correctly calculate number of blocks for fiemap
+
+From: Leonard Michlmayr
+
+commit aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 upstream.
+
+ext4_fiemap() rounds the length of the requested range down to
+blocksize, which is is not the true number of blocks that cover the
+requested region. This problem is especially impressive if the user
+requests only the first byte of a file: not a single extent will be
+reported.
+
+We fix this by calculating the last block of the region and then
+subtract to find the number of blocks in the extents.
+
+Signed-off-by: Leonard Michlmayr
+Signed-off-by: "Theodore Ts'o"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/extents.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3767,7 +3767,6 @@ int ext4_fiemap(struct inode *inode, str
+ __u64 start, __u64 len)
+ {
+ ext4_lblk_t start_blk;
+- ext4_lblk_t len_blks;
+ int error = 0;
+
+ /* fallback to generic here if not in extents fmt */
+@@ -3781,8 +3780,14 @@ int ext4_fiemap(struct inode *inode, str
+ if (fieinfo->fi_flags & FIEMAP_FLAG_XATTR) {
+ error = ext4_xattr_fiemap(inode, fieinfo);
+ } else {
++ ext4_lblk_t len_blks;
++ __u64 last_blk;
++
+ start_blk = start >> inode->i_sb->s_blocksize_bits;
+- len_blks = len >> inode->i_sb->s_blocksize_bits;
++ last_blk = (start + len - 1) >> inode->i_sb->s_blocksize_bits;
++ if (last_blk >= EXT_MAX_BLOCK)
++ last_blk = EXT_MAX_BLOCK-1;
++ len_blks = ((ext4_lblk_t) last_blk) - start_blk + 1;
+
+ /*
+ * Walk the extent tree gathering extent information.
diff --git a/queue-2.6.33/initramfs-handle-unrecognised-decompressor-when-unpacking.patch b/queue-2.6.33/initramfs-handle-unrecognised-decompressor-when-unpacking.patch
new file mode 100644
index 00000000000..be6a64ede37
--- /dev/null
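Review bot: In ext4_fiemap(), `last_blk = (start + len - 1) >> inode->i_sb->s_blocksize_bits;` is only correct when `len` is non-zero and `start + len` does not wrap: with `start == 0` and `len == 0` the subtraction wraps, `last_blk` is clamped to `EXT_MAX_BLOCK-1`, and `len_blks` ends up spanning the whole file instead of nothing. Both values are `__u64` parameters and no range check is visible in either inner hunk, so presumably the caller validates them before this point. If that is the case, say so next to the arithmetic, e.g. `/* caller guarantees len > 0 and start + len does not overflow */`; if not, reject the request early with `if (!len || start + len < start) return -EINVAL;`. The function body continues outside the hunk.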
+++ b/queue-2.6.33/initramfs-handle-unrecognised-decompressor-when-unpacking.patch
@@ -0,0 +1,43 @@
+From df37bd156dcb4f5441beaf5bde444adac974e9a0 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Fri, 23 Apr 2010 13:18:11 -0400
+Subject: initramfs: handle unrecognised decompressor when unpacking
+
+From: Phillip Lougher
+
+commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.
+
+The unpack routine fails to handle the decompress_method() returning
+unrecognised decompressor (compress_name == NULL). This results in the
+routine looping eventually oopsing on an out of bounds memory access.
+
+Note this bug is usually hidden, only triggering on trailing junk after
+one or more correct compressed blocks. The case of the compressed archive
+being complete junk is (by accident?) caught by the if (state != Reset)
+check because state is initialised to Start, but not updated due to the
+decompressor not having been called. Obviously if the junk is trailing a
+correctly decompressed buffer, state == Reset from the previous call to
+the decompressor.
+
+Signed-off-by: Phillip Lougher
+Reported-by: Aaro Koskinen
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ init/initramfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -457,7 +457,8 @@ static char * __init unpack_to_rootfs(ch
+ compress_name);
+ message = msg_buf;
+ }
+- }
++ } else
++ error("junk in compressed archive");
+ if (state != Reset)
+ error("junk in compressed archive");
+ this_header = saved_offset + my_inptr;
diff --git a/queue-2.6.33/jfs-fix-diallocext-error-in-resizing-filesystem.patch b/queue-2.6.33/jfs-fix-diallocext-error-in-resizing-filesystem.patch
new file mode 100644
index 00000000000..f940ac6aa00
--- /dev/null
+++ b/queue-2.6.33/jfs-fix-diallocext-error-in-resizing-filesystem.patch
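Review bot: The added `else` in unpack_to_rootfs() reports an unrecognised decompressor with the same text as the `state != Reset` check directly below it, so the log cannot tell the two conditions apart, and both calls can run in the same pass when `state` is not `Reset`. A distinct message, for example `error("unrecognised compression method");`, would make the failure diagnosable; what error() does on a second call is not visible in the hunk. The branch also leaves `else` unbraced after a braced `if` body, which kernel coding style asks to write as `} else {` with a closing brace. The function starts and ends outside the hunk.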
@@ -0,0 +1,52 @@
+From 2b0b39517d1af5294128dbc2fd7ed39c8effa540 Mon Sep 17 00:00:00 2001
+From: Bill Pemberton
+Date: Fri, 16 Apr 2010 08:01:20 -0500
+Subject: jfs: fix diAllocExt error in resizing filesystem
+
+From: Bill Pemberton
+
+commit 2b0b39517d1af5294128dbc2fd7ed39c8effa540 upstream.
+
+Resizing the filesystem would result in an diAllocExt error in some
+instances because changes in bmp->db_agsize would not get noticed if
+goto extendBmap was called.
+
+Signed-off-by: Bill Pemberton
+Signed-off-by: Dave Kleikamp
+Cc: jfs-discussion@lists.sourceforge.net
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jfs/resize.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/jfs/resize.c
++++ b/fs/jfs/resize.c
+@@ -81,6 +81,7 @@ int jfs_extendfs(struct super_block *sb,
+ struct inode *iplist[1];
+ struct jfs_superblock *j_sb, *j_sb2;
+ uint old_agsize;
++ int agsizechanged = 0;
+ struct buffer_head *bh, *bh2;
+
+ /* If the volume hasn't grown, get out now */
+@@ -333,6 +334,9 @@ int jfs_extendfs(struct super_block *sb,
+ */
+ if ((rc = dbExtendFS(ipbmap, XAddress, nblocks)))
+ goto error_out;
++
++ agsizechanged |= (bmp->db_agsize != old_agsize);
++
+ /*
+ * the map now has extended to cover additional nblocks:
+ * dn_mapsize = oldMapsize + nblocks;
+@@ -432,7 +436,7 @@ int jfs_extendfs(struct super_block *sb,
+ * will correctly identify the new ag);
+ */
+ /* if new AG size the same as old AG size, done! */
+- if (bmp->db_agsize != old_agsize) {
++ if (agsizechanged) {
+ if ((rc = diExtendFS(ipimap, ipbmap)))
+ goto error_out;
+
diff --git a/queue-2.6.33/libata-fix-accesses-at-lba28-boundary-old-bug-but-nasty-v2.patch b/queue-2.6.33/libata-fix-accesses-at-lba28-boundary-old-bug-but-nasty-v2.patch
new file mode 100644
index 00000000000..8917e309746
--- /dev/null
+++ b/queue-2.6.33/libata-fix-accesses-at-lba28-boundary-old-bug-but-nasty-v2.patch
@@ -0,0 +1,39 @@
+From 45c4d015a92f72ec47acd0c7557abdc0c8a6499d Mon Sep 17 00:00:00 2001
+From: Mark Lord
+Date: Wed, 7 Apr 2010 13:52:08 -0400
+Subject: libata: Fix accesses at LBA28 boundary (old bug, but nasty) (v2)
+
+From: Mark Lord
+
+commit 45c4d015a92f72ec47acd0c7557abdc0c8a6499d upstream.
+
+Most drives from Seagate, Hitachi, and possibly other brands,
+do not allow LBA28 access to sector number 0x0fffffff (2^28 - 1).
+So instead use LBA48 for such accesses.
+
+This bug could bite a lot of systems, especially when the user has
+taken care to align partitions to 4KB boundaries. On misaligned systems,
+it is less likely to be encountered, since a 4KB read would end at
+0x10000000 rather than at 0x0fffffff.
+
+Signed-off-by: Mark Lord
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/ata.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -1024,8 +1024,8 @@ static inline int ata_ok(u8 status)
+
+ static inline int lba_28_ok(u64 block, u32 n_block)
+ {
+- /* check the ending block number */
+- return ((block + n_block) < ((u64)1 << 28)) && (n_block <= 256);
++ /* check the ending block number: must be LESS THAN 0x0fffffff */
++ return ((block + n_block) < ((1 << 28) - 1)) && (n_block <= 256);
+ }
+
+ static inline int lba_48_ok(u64 block, u32 n_block)
diff --git a/queue-2.6.33/pci-ensure-we-re-enable-devices-on-resume.patch b/queue-2.6.33/pci-ensure-we-re-enable-devices-on-resume.patch
new file mode 100644
index 00000000000..121d72851d5
--- /dev/null
+++ b/queue-2.6.33/pci-ensure-we-re-enable-devices-on-resume.patch
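Review bot: The new comment in lba_28_ok() calls the bounded value the ending block number, but `block + n_block` is one past the last sector transferred, so as written any request whose last sector is 0x0ffffffe or above fails the LBA28 test. That errs on the safe side of the drive limitation described in the commit message, but the comment should name the quantity actually compared so a later reader does not adjust the bound in the wrong direction: `/* block + n_block is one past the last sector; it must stay below 0x0fffffff */`.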
@@ -0,0 +1,49 @@
+From cc2893b6af5265baa1d68b17b136cffca9e40cfa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Thu, 22 Apr 2010 09:30:51 -0400
+Subject: PCI: Ensure we re-enable devices on resume
+
+From: Matthew Garrett
+
+commit cc2893b6af5265baa1d68b17b136cffca9e40cfa upstream.
+
+If the firmware puts a device back into D0 state at resume time, we'll
+update its state in resume_noirq and thus skip the platform resume code.
+Calling that code twice should be safe and we ought to avoid getting to
+that point anyway, so remove the check and also allow the platform pci
+code to be called for D0.
+
+Fixes USB not being powered after resume on recent Lenovo machines.
+
+Acked-by: Alex Chiang
+Acked-by: Rafael J. Wysocki
+Signed-off-by: Matthew Garrett
+Signed-off-by: Jesse Barnes
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -624,7 +624,7 @@ static void __pci_start_power_transition
+ */
+ int __pci_complete_power_transition(struct pci_dev *dev, pci_power_t state)
+ {
+- return state > PCI_D0 ?
++ return state >= PCI_D0 ?
+ pci_platform_power_transition(dev, state) : -EINVAL;
+ }
+ EXPORT_SYMBOL_GPL(__pci_complete_power_transition);
+@@ -661,10 +661,6 @@ int pci_set_power_state(struct pci_dev *
+ */
+ return 0;
+
+- /* Check if we're already there */
+- if (dev->current_state == state)
+- return 0;
+-
+ __pci_start_power_transition(dev, state);
+
+ /* This device is quirked not to be put into D3, so
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 2276d8b49f8..ff8153129e4 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -61,3 +61,10 @@ alsa-snd-meastro3-ignore-spurious-hv-interrupts-during-suspend-resume.patch
 alsa-hda-fix-0-db-for-packard-bell-models-using-conexant-cx20549-venice.patch
 alsa-hda-use-olpc-xo-1_5-quirk-for-toshiba-satellite-pro-t130-15f.patch
 alsa-hda-use-olpc-xo-1_5-quirk-for-toshiba-satellite-p500-pspgsc-01800t.patch
+pci-ensure-we-re-enable-devices-on-resume.patch
+libata-fix-accesses-at-lba28-boundary-old-bug-but-nasty-v2.patch
+ext4-correctly-calculate-number-of-blocks-for-fiemap.patch
+initramfs-handle-unrecognised-decompressor-when-unpacking.patch
+cred-fix-a-race-in-creds_are_invalid-in-credentials-debugging.patch
+jfs-fix-diallocext-error-in-resizing-filesystem.patch
+drivers-net-wireless-p54-txrx.c-fix-off-by-one-error.patch