From: Greg Kroah-Hartman Date: Fri, 22 Feb 2008 20:15:52 +0000 (-0800) Subject: more 2.6.22 patches X-Git-Tag: v2.6.22.19~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=beb49cac0eb5fbde4bdd7b5fe0d1ecd27302023f;p=thirdparty%2Fkernel%2Fstable-queue.git more 2.6.22 patches --- diff --git a/queue-2.6.22/cciss-fix-memory-leak.patch b/queue-2.6.22/cciss-fix-memory-leak.patch new file mode 100644 index 00000000000..bd47d5c28cd --- /dev/null +++ b/queue-2.6.22/cciss-fix-memory-leak.patch @@ -0,0 +1,49 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:00 2008 +From: Jesper Juhl +Date: Thu, 7 Feb 2008 21:03:11 +0100 +Subject: cciss: fix memory leak +Message-ID: <6101e8c40802071203r5d56f6d6m330a4d7a15e4642b@mail.gmail.com> +Content-Disposition: inline + +From: Jesper Juhl + +mainline: f2912a1223c0917a7b4e054f18086209137891ea + +There's a memory leak in the cciss driver. + +in alloc_cciss_hba() we may leak sizeof(ctlr_info_t) bytes if a +call to alloc_disk(1 << NWD_SHIFT) fails. +This patch should fix the issue. + +Spotted by the Coverity checker. + +Signed-off-by: Jesper Juhl +Acked-by: Mike Miller +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/cciss.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/block/cciss.c ++++ b/drivers/block/cciss.c +@@ -3225,12 +3225,15 @@ static int alloc_cciss_hba(void) + for (i = 0; i < MAX_CTLR; i++) { + if (!hba[i]) { + ctlr_info_t *p; ++ + p = kzalloc(sizeof(ctlr_info_t), GFP_KERNEL); + if (!p) + goto Enomem; + p->gendisk[0] = alloc_disk(1 << NWD_SHIFT); +- if (!p->gendisk[0]) ++ if (!p->gendisk[0]) { ++ kfree(p); + goto Enomem; ++ } + hba[i] = p; + return i; + } diff --git a/queue-2.6.22/cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch b/queue-2.6.22/cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch new file mode 100644 index 00000000000..e1be32e8cc0 --- /dev/null 
+++ b/queue-2.6.22/cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch 
@@ -0,0 +1,88 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:11 2008 +From: Lee Schermerhorn +Date: Thu, 7 Feb 2008 21:03:14 +0100 +Subject: cciss: Panic in blk_rq_map_sg() from CCISS driver +Message-ID: <6101e8c40802071203t29fcb4fk11ff1e7169bafdbd@mail.gmail.com> +Content-Disposition: inline + + +From: Lee Schermerhorn + +mainline: a683d652d334a546be9175b894f42dbd8e399536 + +New scatter/gather list chaining [sg_next()] treats 'page' member of +struct scatterlist with low bit set [0x01] as a chain pointer to +another struct scatterlist [array]. The CCISS driver request function +passes an uninitialized, temporary, on-stack scatterlist array to +blk_rq_map_sq(). sg_next() interprets random data on the stack as a +chain pointer and eventually tries to de-reference an invalid pointer, +resulting in: + +[] blk_rq_map_sg+0x70/0x170 +PGD 6090c3067 PUD 0 +Oops: 0000 [1] SMP +last sysfs file: /block/cciss!c0d0/cciss!c0d0p1/dev +CPU 6 +Modules linked in: ehci_hcd ohci_hcd uhci_hcd +Pid: 1, comm: init Not tainted 2.6.23-rc6-mm1 #3 +RIP: 0010:[] [] blk_rq_map_sg+0x70/0x170 +RSP: 0018:ffff81060901f768 EFLAGS: 00010206 +RAX: 000000040b161000 RBX: ffff81060901f7d8 RCX: 000000040b162c00 +RDX: 0000000000000000 RSI: ffff81060b13a260 RDI: ffff81060b139600 +RBP: 0000000000001400 R08: 00000000fffffffe R09: 0000000000000400 +R10: 0000000000000000 R11: 000000040b163000 R12: ffff810102fe0000 +R13: 0000000000000001 R14: 0000000000000001 R15: 00001e0000000000 +FS: 00000000026108f0(0063) GS:ffff810409000b80(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 000000010000001e CR3: 00000006090c6000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process init (pid: 1, threadinfo ffff81060901e000, task ffff810409020800) +last branch before last exception/interrupt +from [] blk_rq_map_sg+0x10a/0x170 +to [] blk_rq_map_sg+0x70/0x170 +Stack: 
000000018068ea00 ffff810102fe0000 0000000000000000 ffff810011400000 +0000000000000002 0000000000000000 ffff81040b172000 ffffffff803acd3d +0000000000003ec1 ffff8106090d5000 ffff8106090d5000 ffff810102fe0000 +Call Trace: +[] do_cciss_request+0x15d/0x4c0 +[] new_slab+0x1c8/0x270 +[] __slab_alloc+0x22d/0x470 +[] mempool_alloc+0x4b/0x130 +[] cfq_set_request+0xee/0x380 +[] mempool_alloc+0x4b/0x130 +[] get_request+0x168/0x360 +[] rb_insert_color+0x8d/0x110 +[] elv_rb_add+0x58/0x60 +[] cfq_add_rq_rb+0x69/0xa0 +[] elv_merged_request+0x5b/0x60 +[] __make_request+0x23d/0x650 +[] __slab_alloc+0x22d/0x470 +[] generic_write_checks+0x140/0x190 +[] generic_make_request+0x1c2/0x3a0 + +Kernel panic - not syncing: Attempted to kill init! + +This patch initializes the tmp_sg array to zeroes. Perhaps not the ultimate +fix, but an effective work-around. I can now boot 23-rc6-mm1 on an HP +Proliant x86_64 with CCISS boot disk. + +Signed-off-by: Lee Schermerhorn +CC: Oliver Pinter +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/cciss.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/block/cciss.c ++++ b/drivers/block/cciss.c +@@ -2568,6 +2568,7 @@ static void do_cciss_request(request_que + (int)creq->nr_sectors); + #endif /* CCISS_DEBUG */ + ++ memset(tmp_sg, 0, sizeof(tmp_sg)); + seg = blk_rq_map_sg(q, creq, tmp_sg); + + /* get the DMA records for the setup */ diff --git a/queue-2.6.22/handle-bogus-cs-selector-in-single-step-instruction-decoding.patch b/queue-2.6.22/handle-bogus-cs-selector-in-single-step-instruction-decoding.patch new file mode 100644 index 00000000000..1e62eff6d74 --- /dev/null +++ b/queue-2.6.22/handle-bogus-cs-selector-in-single-step-instruction-decoding.patch 
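Review bot: The added `memset(tmp_sg, 0, sizeof(tmp_sg));` in do_cciss_request() has no comment, and `sizeof(tmp_sg)` only covers the whole buffer if `tmp_sg` is a true array at this point rather than a pointer. The declaration is outside the hunk, so that should be confirmed. The description calls the change a work-around and quotes an oops from 2.6.23-rc6-mm1, so a reader of the 2.6.22 tree cannot tell why the zeroing is wanted here. I would add a comment above the call such as `/* zero the on-stack sg array: stale stack bytes must not be read as scatterlist chain pointers */`. do_cciss_request() starts and ends outside the hunk.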
@@ -0,0 +1,95 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:33 2008 +From: Roland McGrath +Date: Thu, 7 Feb 2008 21:03:16 +0100 +Subject: Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731) +Message-ID: <6101e8c40802071203i132e678s8e7f30484f5854c5@mail.gmail.com> +Content-Disposition: inline + + +From: Roland McGrath + +Handle bogus %cs selector in single-step instruction decoding + +mainline: 29eb51101c02df517ca64ec472d7501127ad1da8 + +The code for LDT segment selectors was not robust in the face of a bogus +selector set in %cs via ptrace before the single-step was done. + +Signed-off-by: Roland McGrath +Signed-off-by: Linus Torvalds +Acked-by: Jeff Mahoney +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/ptrace.c | 22 +++++++++++++++------- + arch/x86_64/kernel/ptrace.c | 23 ++++++++++++++++------- + 2 files changed, 31 insertions(+), 14 deletions(-) + +--- a/arch/i386/kernel/ptrace.c ++++ b/arch/i386/kernel/ptrace.c +@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_line + u32 *desc; + unsigned long base; + +- down(&child->mm->context.sem); +- desc = child->mm->context.ldt + (seg & ~7); +- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000); ++ seg &= ~7UL; + +- /* 16-bit code segment? */ +- if (!((desc[1] >> 22) & 1)) +- addr &= 0xffff; +- addr += base; ++ down(&child->mm->context.sem); ++ if (unlikely((seg >> 3) >= child->mm->context.size)) ++ addr = -1L; /* bogus selector, access would fault */ ++ else { ++ desc = child->mm->context.ldt + seg; ++ base = ((desc[0] >> 16) | ++ ((desc[1] & 0xff) << 16) | ++ (desc[1] & 0xff000000)); ++ ++ /* 16-bit code segment? 
*/ ++ if (!((desc[1] >> 22) & 1)) ++ addr &= 0xffff; ++ addr += base; ++ } + up(&child->mm->context.sem); + } + return addr; +--- a/arch/x86_64/kernel/ptrace.c ++++ b/arch/x86_64/kernel/ptrace.c +@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(stru + u32 *desc; + unsigned long base; + +- down(&child->mm->context.sem); +- desc = child->mm->context.ldt + (seg & ~7); +- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000); ++ seg &= ~7UL; + +- /* 16-bit code segment? */ +- if (!((desc[1] >> 22) & 1)) +- addr &= 0xffff; +- addr += base; ++ down(&child->mm->context.sem); ++ if (unlikely((seg >> 3) >= child->mm->context.size)) ++ addr = -1L; /* bogus selector, access would fault */ ++ else { ++ desc = child->mm->context.ldt + seg; ++ base = ((desc[0] >> 16) | ++ ((desc[1] & 0xff) << 16) | ++ (desc[1] & 0xff000000)); ++ ++ /* 16-bit code segment? */ ++ if (!((desc[1] >> 22) & 1)) ++ addr &= 0xffff; ++ addr += base; ++ } + up(&child->mm->context.sem); + } ++ + return addr; + } + diff --git a/queue-2.6.22/i386-fixup-trace_irq-breakage.patch b/queue-2.6.22/i386-fixup-trace_irq-breakage.patch new file mode 100644 index 00000000000..576478db11e --- /dev/null +++ b/queue-2.6.22/i386-fixup-trace_irq-breakage.patch 
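Review bot: The new bogus-selector branch in convert_eip_to_linear() hands back `addr = -1L` as an in-band sentinel, and the hunk does not say what callers are expected to do with it. The same applies to the identical branch added to convert_rip_to_linear() in arch/x86_64/kernel/ptrace.c. The fix depends on the caller's later access at that address failing cleanly, which presumably holds, but the callers are outside the hunk and cannot be checked here. I would widen the inline comment to `/* bogus selector: return an address whose access is expected to fault; callers must not use it for anything else */`, or document the sentinel in each function's header. Both functions start outside their hunks.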
@@ -0,0 +1,71 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:03:51 2008 +From: Peter Zijlstra +Date: Thu, 7 Feb 2008 21:03:18 +0100 +Subject: i386: fixup TRACE_IRQ breakage (CVE-2007-3731) +Message-ID: <6101e8c40802071203x444c7a2by599b6e07b27193f1@mail.gmail.com> +Content-Disposition: inline + + +From: Peter Zijlstra + +mainline: a10d9a71bafd3a283da240d2868e71346d2aef6f + +The TRACE_IRQS_ON function in iret_exc: calls a C function without +ensuring that the segments are set properly. Move the trace function and +the enabling of interrupt into the C stub. + +Signed-off-by: Peter Zijlstra +Signed-off-by: Linus Torvalds +Acked-by: Jeff Mahoney +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/entry.S | 2 -- + arch/i386/kernel/traps.c | 10 ++++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/i386/kernel/entry.S ++++ b/arch/i386/kernel/entry.S +@@ -409,8 +409,6 @@ restore_nocheck_notrace: + 1: INTERRUPT_RETURN + .section .fixup,"ax" + iret_exc: +- TRACE_IRQS_ON +- ENABLE_INTERRUPTS(CLBR_NONE) + pushl $0 # no error code + pushl $do_iret_error + jmp error_code +--- a/arch/i386/kernel/traps.c ++++ b/arch/i386/kernel/traps.c +@@ -517,10 +517,12 @@ fastcall void do_##name(struct pt_regs * + do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \ + } + +-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \ ++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \ + fastcall void do_##name(struct pt_regs * regs, long error_code) \ + { \ + siginfo_t info; \ ++ if (irq) \ ++ local_irq_enable(); \ + info.si_signo = signr; \ + info.si_errno = 0; \ + info.si_code = sicode; \ +@@ -560,13 +562,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3) + #endif + DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow) + DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds) +-DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip) ++DO_ERROR_INFO( 6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, 
regs->eip, 0) + DO_ERROR( 9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun) + DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS) + DO_ERROR(11, SIGBUS, "segment not present", segment_not_present) + DO_ERROR(12, SIGBUS, "stack segment", stack_segment) +-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0) +-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0) ++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0) ++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1) + + fastcall void __kprobes do_general_protection(struct pt_regs * regs, + long error_code) diff --git a/queue-2.6.22/intel_agp-really-fix-945-965gme.patch b/queue-2.6.22/intel_agp-really-fix-945-965gme.patch new file mode 100644 index 00000000000..1fececcccd7 --- /dev/null +++ b/queue-2.6.22/intel_agp-really-fix-945-965gme.patch 
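Review bot: The new `irq` argument of DO_ERROR_INFO is passed as a bare `0` or `1` at the three call sites, and nothing records why only `iret_error` passes `1`. The reason is visible only by reading entry.S, where `TRACE_IRQS_ON` and `ENABLE_INTERRUPTS(CLBR_NONE)` were removed from `iret_exc:`. A one-line comment above the macro, e.g. `/* irq: non-zero if the handler must re-enable interrupts itself (iret fixup path) */`, would stop a later user from copying the wrong value. Any DO_ERROR_INFO use outside the lines shown needs the extra argument too, though a missed one would fail to compile rather than misbehave.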
@@ -0,0 +1,100 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:03:38 2008 +From: Wang Zhenyu +Date: Thu, 7 Feb 2008 21:03:21 +0100 +Subject: Intel_agp: really fix 945/965GME +Message-ID: <6101e8c40802071203q762a977k5cdbe28ef356efa8@mail.gmail.com> +Content-Disposition: inline + +From: Wang Zhenyu + +mainline: dde4787642ee3cb85aef80bdade04b6f8ddc3df8 + +Fix some missing places to check with device id info, which +should probe the device gart correctly. + +Signed-off-by: Wang Zhenyu +Signed-off-by: Dave Airlie +Acked-by: Takashi Iwai +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/agp/intel-agp.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/char/agp/intel-agp.c ++++ b/drivers/char/agp/intel-agp.c +@@ -20,7 +20,9 @@ + #define PCI_DEVICE_ID_INTEL_82965G_IG 0x29A2 + #define PCI_DEVICE_ID_INTEL_82965GM_HB 0x2A00 + #define PCI_DEVICE_ID_INTEL_82965GM_IG 0x2A02 ++#define PCI_DEVICE_ID_INTEL_82965GME_HB 0x2A10 + #define PCI_DEVICE_ID_INTEL_82965GME_IG 0x2A12 ++#define PCI_DEVICE_ID_INTEL_82945GME_HB 0x27AC + #define PCI_DEVICE_ID_INTEL_82945GME_IG 0x27AE + #define PCI_DEVICE_ID_INTEL_G33_HB 0x29C0 + #define PCI_DEVICE_ID_INTEL_G33_IG 0x29C2 +@@ -33,7 +35,8 @@ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965G_1_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965Q_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965G_HB || \ +- agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GM_HB) ++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GM_HB || \ ++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82965GME_HB) + + #define IS_G33 (agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G33_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_Q35_HB || \ +@@ -527,6 +530,7 @@ static void intel_i830_init_gtt_entries( + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB || + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB || + agp_bridge->dev->device == 
PCI_DEVICE_ID_INTEL_82945GM_HB || ++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB || + IS_I965 || IS_G33) + gtt_entries = MB(48) - KB(size); + else +@@ -538,6 +542,7 @@ static void intel_i830_init_gtt_entries( + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB || + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB || + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GM_HB || ++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB || + IS_I965 || IS_G33) + gtt_entries = MB(64) - KB(size); + else +@@ -1848,9 +1853,9 @@ static const struct intel_driver_descrip + NULL, &intel_915_driver }, + { PCI_DEVICE_ID_INTEL_82945G_HB, PCI_DEVICE_ID_INTEL_82945G_IG, 0, "945G", + NULL, &intel_915_driver }, +- { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GM_IG, 1, "945GM", ++ { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GM_IG, 0, "945GM", + NULL, &intel_915_driver }, +- { PCI_DEVICE_ID_INTEL_82945GM_HB, PCI_DEVICE_ID_INTEL_82945GME_IG, 0, "945GME", ++ { PCI_DEVICE_ID_INTEL_82945GME_HB, PCI_DEVICE_ID_INTEL_82945GME_IG, 0, "945GME", + NULL, &intel_915_driver }, + { PCI_DEVICE_ID_INTEL_82946GZ_HB, PCI_DEVICE_ID_INTEL_82946GZ_IG, 0, "946GZ", + NULL, &intel_i965_driver }, +@@ -1860,9 +1865,9 @@ static const struct intel_driver_descrip + NULL, &intel_i965_driver }, + { PCI_DEVICE_ID_INTEL_82965G_HB, PCI_DEVICE_ID_INTEL_82965G_IG, 0, "965G", + NULL, &intel_i965_driver }, +- { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GM_IG, 1, "965GM", ++ { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GM_IG, 0, "965GM", + NULL, &intel_i965_driver }, +- { PCI_DEVICE_ID_INTEL_82965GM_HB, PCI_DEVICE_ID_INTEL_82965GME_IG, 0, "965GME/GLE", ++ { PCI_DEVICE_ID_INTEL_82965GME_HB, PCI_DEVICE_ID_INTEL_82965GME_IG, 0, "965GME/GLE", + NULL, &intel_i965_driver }, + { PCI_DEVICE_ID_INTEL_7505_0, 0, 0, "E7505", &intel_7505_driver, NULL }, + { PCI_DEVICE_ID_INTEL_7205_0, 0, 0, "E7205", &intel_7505_driver, NULL }, +@@ -2051,11 
+2056,13 @@ static struct pci_device_id agp_intel_pc + ID(PCI_DEVICE_ID_INTEL_82915GM_HB), + ID(PCI_DEVICE_ID_INTEL_82945G_HB), + ID(PCI_DEVICE_ID_INTEL_82945GM_HB), ++ ID(PCI_DEVICE_ID_INTEL_82945GME_HB), + ID(PCI_DEVICE_ID_INTEL_82946GZ_HB), + ID(PCI_DEVICE_ID_INTEL_82965G_1_HB), + ID(PCI_DEVICE_ID_INTEL_82965Q_HB), + ID(PCI_DEVICE_ID_INTEL_82965G_HB), + ID(PCI_DEVICE_ID_INTEL_82965GM_HB), ++ ID(PCI_DEVICE_ID_INTEL_82965GME_HB), + ID(PCI_DEVICE_ID_INTEL_G33_HB), + ID(PCI_DEVICE_ID_INTEL_Q35_HB), + ID(PCI_DEVICE_ID_INTEL_Q33_HB), diff --git a/queue-2.6.22/knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch b/queue-2.6.22/knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch new file mode 100644 index 00000000000..f6df0a529ee --- /dev/null +++ b/queue-2.6.22/knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch 
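Review bot: The descriptor-table hunks change the third field of the "945GM" and "965GM" entries from `1` to `0`, which the description ("Fix some missing places to check with device id info") does not mention. It looks as if that field marked a row sharing its host-bridge ID with the following GME row. It would then be cleared because the GME rows now carry their own `PCI_DEVICE_ID_INTEL_82945GME_HB` and `PCI_DEVICE_ID_INTEL_82965GME_HB`, but the struct definition is outside the hunk, so this is inferred. I would say so in the changelog or put a comment on the field, for example `/* non-zero when the next entry shares this bridge ID */`. The table starts and ends outside the hunk.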
@@ -0,0 +1,55 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:43 2008 +From: J. Bruce Fields +Date: Thu, 7 Feb 2008 21:03:41 +0100 +Subject: knfsd: fix spurious EINVAL errors on first access of new filesystem +Message-ID: <6101e8c40802071203t53a5a88cseb39c4f8aa61e832@mail.gmail.com> +Content-Disposition: inline + + +From: J. Bruce Fields + +mainline: ac8587dcb58e40dd336d99d60f852041e06cc3dd + +The v2/v3 acl code in nfsd is translating any return from fh_verify() to +nfserr_inval. This is particularly unfortunate in the case of an +nfserr_dropit return, which is an internal error meant to indicate to +callers that this request has been deferred and should just be dropped +pending the results of an upcall to mountd. + +Thanks to Roland for bug report and data collection. + +Cc: Roland +Acked-by: Andreas Gruenbacher +Signed-off-by: J. Bruce Fields +Reviewed-By: NeilBrown +Signed-off-by: Linus Torvalds +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs2acl.c | 2 +- + fs/nfsd/nfs3acl.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs2acl.c ++++ b/fs/nfsd/nfs2acl.c +@@ -41,7 +41,7 @@ static __be32 nfsacld_proc_getacl(struct + + fh = fh_copy(&resp->fh, &argp->fh); + if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP))) +- RETURN_STATUS(nfserr_inval); ++ RETURN_STATUS(nfserr); + + if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT)) + RETURN_STATUS(nfserr_inval); +--- a/fs/nfsd/nfs3acl.c ++++ b/fs/nfsd/nfs3acl.c +@@ -37,7 +37,7 @@ static __be32 nfsd3_proc_getacl(struct s + + fh = fh_copy(&resp->fh, &argp->fh); + if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP))) +- RETURN_STATUS(nfserr_inval); ++ RETURN_STATUS(nfserr); + + if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT)) + RETURN_STATUS(nfserr_inval); diff --git a/queue-2.6.22/nfs-fix-nfs_reval_fsid.patch b/queue-2.6.22/nfs-fix-nfs_reval_fsid.patch new file mode 100644 index 00000000000..f29c47c92f0 --- /dev/null 
+++ b/queue-2.6.22/nfs-fix-nfs_reval_fsid.patch 
@@ -0,0 +1,67 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:43 2008 +From: Trond Myklebust +Date: Thu, 7 Feb 2008 21:03:45 +0100 +Subject: NFS: Fix nfs_reval_fsid() +Message-ID: <6101e8c40802071203n78a10d40ycb414e0b03ce2545@mail.gmail.com> +Content-Disposition: inline + + +From: Trond Myklebust + +mainline: a0356862bcbeb20acf64bc1a82d28a4c5bb957a7 + +We don't need to revalidate the fsid on the root directory. It suffices to +revalidate it on the current directory. + +Signed-off-by: Trond Myklebust +Acked-by: Neil Brown +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 9 ++++----- + fs/nfs/inode.c | 4 ++-- + 2 files changed, 6 insertions(+), 7 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -897,14 +897,13 @@ int nfs_is_exclusive_create(struct inode + return (nd->intent.open.flags & O_EXCL) != 0; + } + +-static inline int nfs_reval_fsid(struct vfsmount *mnt, struct inode *dir, +- struct nfs_fh *fh, struct nfs_fattr *fattr) ++static inline int nfs_reval_fsid(struct inode *dir, const struct nfs_fattr *fattr) + { + struct nfs_server *server = NFS_SERVER(dir); + + if (!nfs_fsid_equal(&server->fsid, &fattr->fsid)) +- /* Revalidate fsid on root dir */ +- return __nfs_revalidate_inode(server, mnt->mnt_root->d_inode); ++ /* Revalidate fsid using the parent directory */ ++ return __nfs_revalidate_inode(server, dir); + return 0; + } + +@@ -946,7 +945,7 @@ static struct dentry *nfs_lookup(struct + res = ERR_PTR(error); + goto out_unlock; + } +- error = nfs_reval_fsid(nd->mnt, dir, &fhandle, &fattr); ++ error = nfs_reval_fsid(dir, &fattr); + if (error < 0) { + res = ERR_PTR(error); + goto out_unlock; +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -961,8 +961,8 @@ static int nfs_update_inode(struct inode + goto out_changed; + + server = NFS_SERVER(inode); +- /* Update the fsid if and only if this is the root directory */ +- if (inode == inode->i_sb->s_root->d_inode ++ /* Update the fsid? 
*/ ++ if (S_ISDIR(inode->i_mode) + && !nfs_fsid_equal(&server->fsid, &fattr->fsid)) + server->fsid = fattr->fsid; + diff --git a/queue-2.6.22/nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch b/queue-2.6.22/nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch new file mode 100644 index 00000000000..af79987d945 --- /dev/null +++ b/queue-2.6.22/nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch @@ -0,0 +1,64 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:53 2008 +From: Trond Myklebust +Date: Thu, 7 Feb 2008 21:03:52 +0100 +Subject: NFSv2/v3: Fix a memory leak when using -onolock +Message-ID: <6101e8c40802071203o1b32c2c2md53859623228463@mail.gmail.com> +Content-Disposition: inline + + +aka: nfs-unmount-leak.patch + +From: Trond Myklebust + + +mainline: 5cef338b30c110daf547fb13d99f0c77f2a79fbc + + Neil Brown said: + > Hi Trond, + > + > We found that a machine which made moderately heavy use of + > 'automount' was leaking some nfs data structures - particularly the + > 4K allocated by rpc_alloc_iostats. + > It turns out that this only happens with filesystems with -onolock + > set. + + > The problem is that if NFS_MOUNT_NONLM is set, nfs_start_lockd doesn't + > set server->destroy, so when the filesystem is unmounted, the + > ->client_acl is not shutdown, and so several resources are still + > held. Multiple mount/umount cycles will slowly eat away memory + > several pages at a time. + + 
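Review bot: In nfs_update_inode() the replacement comment `/* Update the fsid? */` no longer says when the update happens, even though the condition was widened from the root inode to every directory through `S_ISDIR(inode->i_mode)`. Attributes returned for any directory that reports a different fsid now overwrite `server->fsid`. If that is intended, the comment should state it, e.g. `/* Update the server fsid from any directory whose attributes report a different one */`. The description only explains the nfs_reval_fsid() side of the change. nfs_update_inode() starts and ends outside the hunk.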
Signed-off-by: Trond Myklebust + +Acked-by: Neil Brown +Signed-off-by: Neil Brown +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + + +--- + fs/nfs/client.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -433,9 +433,6 @@ static int nfs_create_rpc_client(struct + */ + static void nfs_destroy_server(struct nfs_server *server) + { +- if (!IS_ERR(server->client_acl)) +- rpc_shutdown_client(server->client_acl); +- + if (!(server->flags & NFS_MOUNT_NONLM)) + lockd_down(); /* release rpc.lockd */ + } +@@ -781,6 +778,9 @@ void nfs_free_server(struct nfs_server * + + if (server->destroy != NULL) + server->destroy(server); ++ ++ if (!IS_ERR(server->client_acl)) ++ rpc_shutdown_client(server->client_acl); + if (!IS_ERR(server->client)) + rpc_shutdown_client(server->client); + diff --git a/queue-2.6.22/pci-fix-fakephp-deadlock.patch b/queue-2.6.22/pci-fix-fakephp-deadlock.patch index 6fe26fc1f7e..010010b1690 100644 --- a/queue-2.6.22/pci-fix-fakephp-deadlock.patch +++ b/queue-2.6.22/pci-fix-fakephp-deadlock.patch @@ -3,7 +3,6 @@ From: Ian Abbott Date: Mon, 04 Feb 2008 13:56:36 +0000 Subject: PCI: Fix fakephp deadlock To: stable@kernel.org -Cc: linux-pci@atrey.karlin.mff.cuni.cz, linux-kernel@vger.kernel.org Message-ID: <47A71994.3050409@mev.co.uk> From: Ian Abbott diff --git a/queue-2.6.22/pci-fix-unterminated-pci_device_id-lists.patch b/queue-2.6.22/pci-fix-unterminated-pci_device_id-lists.patch new file mode 100644 index 00000000000..80bd595f6d6 --- /dev/null +++ b/queue-2.6.22/pci-fix-unterminated-pci_device_id-lists.patch 
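Review bot: The `!IS_ERR(server->client_acl)` test moved into nfs_free_server() now runs for every server being freed, not just those whose `->destroy` was set, and `IS_ERR()` does not reject a NULL pointer. If a server can reach nfs_free_server() before `client_acl` has been given either a client or an error pointer, `rpc_shutdown_client()` would be passed NULL. The initialisation is outside the hunk, so this needs confirming. Once confirmed, a short comment on the new lines such as `/* client_acl holds an ERR_PTR until the ACL client is created */` would record the invariant the check depends on. The `server->client` check just below relies on the same assumption.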
@@ -0,0 +1,69 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:22 2008 +From: Kees Cook +Date: Thu, 7 Feb 2008 21:03:26 +0100 +Subject: pci: fix unterminated pci_device_id lists +Message-ID: <6101e8c40802071203q71cf9401v6b84a589d69cf8dd@mail.gmail.com> +Content-Disposition: inline + +From: Kees Cook + +mainline: 248bdd5efca5a113cbf443a993c69e53d370236b + +Fix a couple drivers that do not correctly terminate their pci_device_id +lists. This results in garbage being spewed into modules.pcimap when the +module happens to not have 28 NULL bytes following the table, and/or the +last PCI ID is actually truncated from the table when calculating the +modules.alias PCI aliases, cause those unfortunate device IDs to not +auto-load. + +Signed-off-by: Kees Cook +Acked-by: Corey Minyard +Cc: David Woodhouse +Acked-by: Jeff Garzik +Cc: Greg KH +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Jeff Mahoney +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_si_intf.c | 3 ++- + drivers/media/video/usbvision/usbvision-cards.c | 1 + + drivers/mtd/nand/cafe_nand.c | 3 ++- + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -2214,7 +2214,8 @@ static int ipmi_pci_resume(struct pci_de + + static struct pci_device_id ipmi_pci_devices[] = { + { PCI_DEVICE(PCI_HP_VENDOR_ID, PCI_MMC_DEVICE_ID) }, +- { PCI_DEVICE_CLASS(PCI_ERMC_CLASSCODE, PCI_ERMC_CLASSCODE_MASK) } ++ { PCI_DEVICE_CLASS(PCI_ERMC_CLASSCODE, PCI_ERMC_CLASSCODE_MASK) }, ++ { 0, } + }; + MODULE_DEVICE_TABLE(pci, ipmi_pci_devices); + +--- a/drivers/media/video/usbvision/usbvision-cards.c ++++ b/drivers/media/video/usbvision/usbvision-cards.c +@@ -1081,6 +1081,7 @@ struct usb_device_id usbvision_table [] + { USB_DEVICE(0x2304, 0x0301), .driver_info=PINNA_LINX_VD_IN_CAB_PAL }, + { USB_DEVICE(0x2304, 0x0419), .driver_info=PINNA_PCTV_BUNGEE_PAL_FM }, + { USB_DEVICE(0x2400, 0x4200), 
.driver_info=HPG_WINTV }, ++ { }, /* terminate list */ + }; + + MODULE_DEVICE_TABLE (usb, usbvision_table); +--- a/drivers/mtd/nand/cafe_nand.c ++++ b/drivers/mtd/nand/cafe_nand.c +@@ -816,7 +816,8 @@ static void __devexit cafe_nand_remove(s + } + + static struct pci_device_id cafe_nand_tbl[] = { +- { 0x11ab, 0x4100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_MEMORY_FLASH << 8, 0xFFFF0 } ++ { 0x11ab, 0x4100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_MEMORY_FLASH << 8, 0xFFFF0 }, ++ { 0, } + }; + + MODULE_DEVICE_TABLE(pci, cafe_nand_tbl); diff --git a/queue-2.6.22/series b/queue-2.6.22/series index eb8fde41582..b1617b76c05 100644 --- a/queue-2.6.22/series +++ b/queue-2.6.22/series @@ -1,5 +1,17 @@ +cciss-fix-memory-leak.patch sata_promise-fasttrack-tx4200-is-a-second-generation-chip.patch sata_promise-asic-prd-table-bug-workaround.patch pci-fix-fakephp-deadlock.patch quicklists-do-not-release-off-node-pages-early.patch nfs-fix-a-potential-file-corruption-issue-when-writing.patch +cciss-panic-in-blk_rq_map_sg-from-cciss-driver.patch +handle-bogus-cs-selector-in-single-step-instruction-decoding.patch +i386-fixup-trace_irq-breakage.patch +intel_agp-really-fix-945-965gme.patch +pci-fix-unterminated-pci_device_id-lists.patch +sony-laptop-call-sonypi_compat_init-earlier.patch +via_velocity-don-t-oops-on-mtu-change.patch +via-velocity-don-t-oops-on-mtu-change.patch +knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch +nfs-fix-nfs_reval_fsid.patch +nfsv2-v3-fix-a-memory-leak-when-using-onolock.patch diff --git a/queue-2.6.22/sony-laptop-call-sonypi_compat_init-earlier.patch b/queue-2.6.22/sony-laptop-call-sonypi_compat_init-earlier.patch new file mode 100644 index 00000000000..47bb1e9586f --- /dev/null +++ b/queue-2.6.22/sony-laptop-call-sonypi_compat_init-earlier.patch 
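Review bot: The three tables are terminated with two different spellings: `{ 0, }` in ipmi_pci_devices and cafe_nand_tbl, and `{ }, /* terminate list */` in usbvision_table. Only the usbvision entry says why the empty row is there. Since the bug being fixed is a forgotten terminator, I would use one form with the comment on all three, e.g. `{ } /* terminating entry */`, with no trailing comma so that a row appended after it stands out. usbvision_table is also a `usb_device_id` table, which the subject line ("pci_device_id lists") does not cover.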
@@ -0,0 +1,84 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:11 2008 +From: Mattia Dongili +Date: Thu, 7 Feb 2008 21:03:29 +0100 +Subject: sony-laptop: call sonypi_compat_init earlier +Message-ID: <6101e8c40802071203w14fadb44m6732cc551d5613df@mail.gmail.com> +Content-Disposition: inline + +From: Mattia Dongili + +mainline: 015a916fbbf105bb15f4bbfd80c3b9b2f2e0d7db + +sonypi_compat uses a kfifo that needs to be present before _SRS is +called to be able to cope with the IRQs triggered when setting +resources. + +Signed-off-by: Mattia Dongili +Signed-off-by: Len Brown +Acked-by: Jeff Mahoney +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/sony-laptop.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/misc/sony-laptop.c ++++ b/drivers/misc/sony-laptop.c +@@ -2056,8 +2056,6 @@ static int sony_pic_remove(struct acpi_d + struct sony_pic_ioport *io, *tmp_io; + struct sony_pic_irq *irq, *tmp_irq; + +- sonypi_compat_exit(); +- + if (sony_pic_disable(device)) { + printk(KERN_ERR DRV_PFX "Couldn't disable device.\n"); + return -ENXIO; +@@ -2067,6 +2065,8 @@ static int sony_pic_remove(struct acpi_d + release_region(spic_dev.cur_ioport->io.minimum, + spic_dev.cur_ioport->io.address_length); + ++ sonypi_compat_exit(); ++ + sony_laptop_remove_input(); + + /* pf attrs */ +@@ -2132,6 +2132,9 @@ static int sony_pic_add(struct acpi_devi + goto err_free_resources; + } + ++ if (sonypi_compat_init()) ++ goto err_remove_input; ++ + /* request io port */ + list_for_each_entry(io, &spic_dev.ioports, list) { + if (request_region(io->io.minimum, io->io.address_length, +@@ -2146,7 +2149,7 @@ static int sony_pic_add(struct acpi_devi + if (!spic_dev.cur_ioport) { + printk(KERN_ERR DRV_PFX "Failed to request_region.\n"); + result = -ENODEV; +- goto err_remove_input; ++ goto err_remove_compat; + } + + /* request IRQ */ +@@ -2186,9 +2189,6 @@ static int sony_pic_add(struct acpi_devi + if (result) + goto err_remove_pf; + +- 
if (sonypi_compat_init()) +- goto err_remove_pf; +- + return 0; + + err_remove_pf: +@@ -2204,6 +2204,9 @@ err_release_region: + release_region(spic_dev.cur_ioport->io.minimum, + spic_dev.cur_ioport->io.address_length); + ++err_remove_compat: ++ sonypi_compat_exit(); ++ + err_remove_input: + sony_laptop_remove_input(); + diff --git a/queue-2.6.22/via-velocity-don-t-oops-on-mtu-change.patch b/queue-2.6.22/via-velocity-don-t-oops-on-mtu-change.patch new file mode 100644 index 00000000000..a3567494705 --- /dev/null +++ b/queue-2.6.22/via-velocity-don-t-oops-on-mtu-change.patch 
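Review bot: The relocated `if (sonypi_compat_init()) goto err_remove_input;` in sony_pic_add() jumps to the error path without assigning `result`, whereas the request_region failure a few lines later sets `result = -ENODEV;` before its `goto`. At that point `result` presumably still holds the successful return of the preceding setup call. If the function ends in `return result;` (outside the hunk), a failed compat init would tear everything down and still report success. Assuming sonypi_compat_init() returns an error code, capturing it avoids that: `result = sonypi_compat_init();` followed by `if (result) goto err_remove_input;`. The lines removed from the old location had the same pattern.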
@@ -0,0 +1,61 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:33 2008 +From: Stephen Hemminger +Date: Thu, 7 Feb 2008 21:03:38 +0100 +Subject: via-velocity: don't oops on MTU change (resend) +Message-ID: <6101e8c40802071203kee22a19rc24c0f8657160d46@mail.gmail.com> +Content-Disposition: inline + + +From: Stephen Hemminger + +mainline: 48f6b053613b62fed7a2fe3255e5568260a8d615 + +The VIA veloicty driver needs the following to allow changing MTU when down. +The buffer size needs to be computed when device is brought up, not when +device is initialized. This also fixes a bug where the buffer size was +computed differently on change_mtu versus initial setting. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Jeff Garzik +Acked-by: Jeff Mahoney +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/via-velocity.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/net/via-velocity.c ++++ b/drivers/net/via-velocity.c +@@ -1075,6 +1075,9 @@ static int velocity_init_rd_ring(struct + int ret = -ENOMEM; + unsigned int rsize = sizeof(struct velocity_rd_info) * + vptr->options.numrx; ++ int mtu = vptr->dev->mtu; ++ ++ vptr->rx_buf_sz = (mtu <= ETH_DATA_LEN) ? PKT_BUF_SZ : mtu + 32; + + vptr->rd_info = kmalloc(rsize, GFP_KERNEL); + if(vptr->rd_info == NULL) +@@ -1733,8 +1736,6 @@ static int velocity_open(struct net_devi + struct velocity_info *vptr = netdev_priv(dev); + int ret; + +- vptr->rx_buf_sz = (dev->mtu <= 1504 ? PKT_BUF_SZ : dev->mtu + 32); +- + ret = velocity_init_rings(vptr); + if (ret < 0) + goto out; +@@ -1813,12 +1814,6 @@ static int velocity_change_mtu(struct ne + velocity_free_rd_ring(vptr); + + dev->mtu = new_mtu; +- if (new_mtu > 8192) +- vptr->rx_buf_sz = 9 * 1024; +- else if (new_mtu > 4096) +- vptr->rx_buf_sz = 8192; +- else +- vptr->rx_buf_sz = 4 * 1024; + + ret = velocity_init_rd_ring(vptr); + if (ret < 0) 
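Review bot: `vptr->rx_buf_sz = (mtu <= ETH_DATA_LEN) ? PKT_BUF_SZ : mtu + 32;` in velocity_init_rd_ring() sizes the receive buffers directly from `dev->mtu` with an unexplained `+ 32`, replacing the rounded 4K/8K/9K sizes that velocity_change_mtu() used to set. The upper bound on `new_mtu` is checked outside this hunk, so the buffer size is only as safe as that check. A comment should say what the 32 bytes are for, e.g. `/* headroom for link-layer header, VLAN tag and FCS (confirm against the hardware) */`. The threshold also moves from the literal `1504` in velocity_open() to `ETH_DATA_LEN`, which changes the size chosen for MTUs just above 1500, and the description does not mention that. All three functions start and end outside their hunks.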
diff --git a/queue-2.6.22/via_velocity-don-t-oops-on-mtu-change.patch b/queue-2.6.22/via_velocity-don-t-oops-on-mtu-change.patch new file mode 100644 index 00000000000..b720a0a552c --- /dev/null +++ b/queue-2.6.22/via_velocity-don-t-oops-on-mtu-change.patch @@ -0,0 +1,38 @@ +From stable-bounces@linux.kernel.org Thu Feb 7 12:04:22 2008 +From: Stephen Hemminger +Date: Thu, 7 Feb 2008 21:03:34 +0100 +Subject: VIA_VELOCITY: Don't oops on MTU change. +Message-ID: <6101e8c40802071203o2877ffc0q9e8c4681fe130648@mail.gmail.com> +Content-Disposition: inline + +From: Stephen Hemminger + +mainline: bd7b3f34198071d8bec05180530c362f1800ba46 + +Simple mtu change when device is down. +Fix http://bugzilla.kernel.org/show_bug.cgi?id=9382. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Acked-by: Jeff Mahoney +CC: Oliver Pinter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/via-velocity.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/via-velocity.c ++++ b/drivers/net/via-velocity.c +@@ -1798,6 +1798,11 @@ static int velocity_change_mtu(struct ne + return -EINVAL; + } + ++ if (!netif_running(dev)) { ++ dev->mtu = new_mtu; ++ return 0; ++ } ++ + if (new_mtu != oldmtu) { + spin_lock_irqsave(&vptr->lock, flags); +