From: Chris Wright Date: Wed, 12 Mar 2008 06:17:46 +0000 (-0700) Subject: add bunch of backlogged 2.6.24 stable patches X-Git-Tag: v2.6.24.4~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d34a1f6f9747ae4b73a70f2a59c18198530a1459;p=thirdparty%2Fkernel%2Fstable-queue.git add bunch of backlogged 2.6.24 stable patches --- diff --git a/queue-2.6.24/arm-pxa-fix-clock-lookup-to-find-specific-device-clocks.patch b/queue-2.6.24/arm-pxa-fix-clock-lookup-to-find-specific-device-clocks.patch new file mode 100644 index 00000000000..c1f72422e70 --- /dev/null +++ b/queue-2.6.24/arm-pxa-fix-clock-lookup-to-find-specific-device-clocks.patch 
@@ -0,0 +1,71 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:15:48 2008 +From: Uli Luckas +To: stable@kernel.org +Date: Sun, 24 Feb 2008 15:55:37 +0100 +Message-Id: <200802241555.39230.u.luckas@road.de> +Cc: Russell King - ARM Linux +Subject: ARM pxa: fix clock lookup to find specific device clocks + +From: Russell King +commit: a0dd005d1d9f4c3beab52086f3844ef9342d1e67 + +Ensure that the clock lookup always finds an entry for a specific +device and ID before it falls back to finding just by ID. This +fixes a problem reported by Holger Schurig where the BTUART was +assigned the wrong clock. + +Tested-by: Holger Schurig +Signed-off-by: Russell King + +Uli Luckas notes: + + The patch fixes the otherwise unusable bluetooth uart on pxa25x. The + patch is written by Russell King [1] who also gave his OK for + stable inclusion [2]. The patch is also available as commit + a0dd005d1d9f4c3beab52086f3844ef9342d1e67 to Linus' tree. + + [1] http://marc.info/?l=linux-arm-kernel&m=120298366510315 + [2] http://marc.info/?l=linux-arm-kernel&m=120384388411097 + +Signed-off-by: Chris Wright +--- + arch/arm/mach-pxa/clock.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/arch/arm/mach-pxa/clock.c ++++ b/arch/arm/mach-pxa/clock.c +@@ -23,18 +23,27 @@ static LIST_HEAD(clocks); + static DEFINE_MUTEX(clocks_mutex); + static DEFINE_SPINLOCK(clocks_lock); + ++static struct clk *clk_lookup(struct device *dev, const char *id) ++{ ++ struct clk *p; ++ ++ list_for_each_entry(p, &clocks, node) ++ if (strcmp(id, p->name) == 0 && p->dev == dev) ++ return p; ++ ++ return NULL; ++} ++ + struct clk *clk_get(struct device *dev, const char *id) + { + struct clk *p, *clk = ERR_PTR(-ENOENT); + + mutex_lock(&clocks_mutex); +- list_for_each_entry(p, &clocks, node) { +- if (strcmp(id, p->name) == 0 && +- (p->dev == NULL || p->dev == dev)) { +- clk = p; +- break; +- } +- } ++ p = clk_lookup(dev, id); ++ if (!p) ++ p = clk_lookup(NULL, id); ++ if (p) ++ clk = 
p; + mutex_unlock(&clocks_mutex); + + return clk; diff --git a/queue-2.6.24/file-capabilities-simplify-signal-check.patch b/queue-2.6.24/file-capabilities-simplify-signal-check.patch new file mode 100644 index 00000000000..bc5c82b0255 --- /dev/null +++ b/queue-2.6.24/file-capabilities-simplify-signal-check.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:32:28 2008 +Date: Sun, 24 Feb 2008 02:10:07 GMT +Message-Id: <200802240210.m1O2A7rF015414@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: file capabilities: simplify signal check + +From: Serge E. Hallyn +commit: 094972840f2e7c1c6fc9e1a97d817cc17085378e + +Simplify the uid equivalence check in cap_task_kill(). Anyone can kill a +process owned by the same uid. + +Without this patch wireshark is reported to fail. + +Signed-off-by: Serge E. Hallyn +Signed-off-by: Andrew G. Morgan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + security/commoncap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -539,7 +539,7 @@ int cap_task_kill(struct task_struct *p, + * allowed. + * We must preserve legacy signal behavior in this case. + */ +- if (p->euid == 0 && p->uid == current->uid) ++ if (p->uid == current->uid) + return 0; + + /* sigcont is permitted within same session */ diff --git a/queue-2.6.24/fuse-fix-permission-checking.patch b/queue-2.6.24/fuse-fix-permission-checking.patch new file mode 100644 index 00000000000..369ef20c36a --- /dev/null +++ b/queue-2.6.24/fuse-fix-permission-checking.patch 
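Review bot: The new helper `clk_lookup()` walks the `clocks` list without taking a lock itself and is only safe because `clk_get()` calls it with `clocks_mutex` held, but nothing at the definition says so. A one-line comment above it, such as `/* Caller must hold clocks_mutex. */`, would keep a future caller from walking the list unlocked. The helper also passes `id` straight to `strcmp()`, as the old loop did, so a NULL `id` would presumably still fault; whether callers can pass NULL is not visible in this hunk.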
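Review bot: The comment kept above the changed test in `cap_task_kill()` still ends with "We must preserve legacy signal behavior in this case", but the new condition `if (p->uid == current->uid)` no longer has the `p->euid == 0` qualifier that "this case" appears to refer to. Since this is a permission check that now returns 0 for every target with the same real uid, the comment should say that explicitly, for example `/* Signalling any task with the same real uid is allowed at the capability level. */`. The comment begins and the function continues outside the hunk, so the exact wording should be checked against the full text.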
@@ -0,0 +1,43 @@ +From 1a823ac9ff09cbdf39201df37b7ede1f9395de83 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Sat, 23 Feb 2008 15:23:27 -0800 +Message-Id: +Subject: fuse: fix permission checking + +[upstream commit 1a823ac9ff09cbdf39201df37b7ede1f9395de83] + +I added a nasty local variable shadowing bug to fuse in 2.6.24, with the +result, that the 'default_permissions' mount option is basically ignored. + +How did this happen? + + - old err declaration in inner scope + - new err getting declared in outer scope + - 'return err' from inner scope getting removed + - old declaration not being noticed + +-Wshadow would have saved us, but it doesn't seem practical for +the kernel :( + +More testing would have also saved us :(( + +Signed-off-by: Miklos Szeredi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + fs/fuse/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -905,7 +905,7 @@ static int fuse_permission(struct inode + } + + if (fc->flags & FUSE_DEFAULT_PERMISSIONS) { +- int err = generic_permission(inode, mask, NULL); ++ err = generic_permission(inode, mask, NULL); + + /* If permission is denied, try to refresh file + attributes. This is also needed, because the root diff --git a/queue-2.6.24/futex-fix-init-order.patch b/queue-2.6.24/futex-fix-init-order.patch new file mode 100644 index 00000000000..7376a91117b --- /dev/null +++ b/queue-2.6.24/futex-fix-init-order.patch 
@@ -0,0 +1,58 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:31:39 2008 +Date: Sun, 24 Feb 2008 02:10:06 GMT +Message-Id: <200802240210.m1O2A6Et015329@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: futex: fix init order + +From: Thomas Gleixner +commit: 3e4ab747efa8e78562ec6782b08bbf21a00aba1b + +When the futex init code fails to initialize the futex pseudo file system it +returns early without initializing the hash queues. Should the boot succeed +then a futex syscall which tries to enqueue a waiter on the hashqueue will +crash due to the unitilialized plist heads. + +Initialize the hash queues before the filesystem. + +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Cc: Lennert Buytenhek +Cc: Riku Voipio +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + kernel/futex.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2123,8 +2123,14 @@ static struct file_system_type futex_fs_ + + static int __init init(void) + { +- int i = register_filesystem(&futex_fs_type); ++ int i; + ++ for (i = 0; i < ARRAY_SIZE(futex_queues); i++) { ++ plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock); ++ spin_lock_init(&futex_queues[i].lock); ++ } ++ ++ i = register_filesystem(&futex_fs_type); + if (i) + return i; + +@@ -2134,10 +2140,6 @@ static int __init init(void) + return PTR_ERR(futex_mnt); + } + +- for (i = 0; i < ARRAY_SIZE(futex_queues); i++) { +- plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock); +- spin_lock_init(&futex_queues[i].lock); +- } + return 0; + } + __initcall(init); diff --git a/queue-2.6.24/futex-runtime-enable-pi-and-robust-functionality.patch b/queue-2.6.24/futex-runtime-enable-pi-and-robust-functionality.patch new file mode 100644 index 00000000000..7f473397322 --- /dev/null +++ b/queue-2.6.24/futex-runtime-enable-pi-and-robust-functionality.patch 
@@ -0,0 +1,200 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:30:10 2008 +Date: Sun, 24 Feb 2008 02:10:05 GMT +Message-Id: <200802240210.m1O2A5n3015260@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: futex: runtime enable pi and robust functionality + +From: Thomas Gleixner +commit: a0c1e9073ef7428a14309cba010633a6cd6719ea + +Not all architectures implement futex_atomic_cmpxchg_inatomic(). The default +implementation returns -ENOSYS, which is currently not handled inside of the +futex guts. + +Futex PI calls and robust list exits with a held futex result in an endless +loop in the futex code on architectures which have no support. + +Fixing up every place where futex_atomic_cmpxchg_inatomic() is called would +add a fair amount of extra if/else constructs to the already complex code. It +is also not possible to disable the robust feature before user space tries to +register robust lists. + +Compile time disabling is not a good idea either, as there are already +architectures with runtime detection of futex_atomic_cmpxchg_inatomic support. + +Detect the functionality at runtime instead by calling +cmpxchg_futex_value_locked() with a NULL pointer from the futex initialization +code. This is guaranteed to fail, but the call of +futex_atomic_cmpxchg_inatomic() happens with pagefaults disabled. + +On architectures, which use the asm-generic implementation or have a runtime +CPU feature detection, a -ENOSYS return value disables the PI/robust features. + +On architectures with a working implementation the call returns -EFAULT and +the PI/robust features are enabled. + +The relevant syscalls return -ENOSYS and the robust list exit code is blocked, +when the detection fails. 
+ +Fixes http://lkml.org/lkml/2008/2/11/149 +Originally reported by: Lennart Buytenhek + +Signed-off-by: Thomas Gleixner +Acked-by: Ingo Molnar +Cc: Lennert Buytenhek +Cc: Riku Voipio +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + include/linux/futex.h | 1 + + kernel/futex.c | 38 ++++++++++++++++++++++++++++++++++---- + kernel/futex_compat.c | 9 +++++++++ + 3 files changed, 44 insertions(+), 4 deletions(-) + +--- a/include/linux/futex.h ++++ b/include/linux/futex.h +@@ -153,6 +153,7 @@ union futex_key { + #ifdef CONFIG_FUTEX + extern void exit_robust_list(struct task_struct *curr); + extern void exit_pi_state_list(struct task_struct *curr); ++extern int futex_cmpxchg_enabled; + #else + static inline void exit_robust_list(struct task_struct *curr) + { +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -60,6 +60,8 @@ + + #include "rtmutex_common.h" + ++int __read_mostly futex_cmpxchg_enabled; ++ + #define FUTEX_HASHBITS (CONFIG_BASE_SMALL ? 
4 : 8) + + /* +@@ -466,6 +468,8 @@ void exit_pi_state_list(struct task_stru + struct futex_hash_bucket *hb; + union futex_key key; + ++ if (!futex_cmpxchg_enabled) ++ return; + /* + * We are a ZOMBIE and nobody can enqueue itself on + * pi_state_list anymore, but we have to be careful +@@ -1854,6 +1858,8 @@ asmlinkage long + sys_set_robust_list(struct robust_list_head __user *head, + size_t len) + { ++ if (!futex_cmpxchg_enabled) ++ return -ENOSYS; + /* + * The kernel knows only one size for now: + */ +@@ -1878,6 +1884,9 @@ sys_get_robust_list(int pid, struct robu + struct robust_list_head __user *head; + unsigned long ret; + ++ if (!futex_cmpxchg_enabled) ++ return -ENOSYS; ++ + if (!pid) + head = current->robust_list; + else { +@@ -1980,6 +1989,9 @@ void exit_robust_list(struct task_struct + unsigned long futex_offset; + int rc; + ++ if (!futex_cmpxchg_enabled) ++ return; ++ + /* + * Fetch the list head (which was registered earlier, via + * sys_set_robust_list()): +@@ -2034,7 +2046,7 @@ void exit_robust_list(struct task_struct + long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, + u32 __user *uaddr2, u32 val2, u32 val3) + { +- int ret; ++ int ret = -ENOSYS; + int cmd = op & FUTEX_CMD_MASK; + struct rw_semaphore *fshared = NULL; + +@@ -2062,13 +2074,16 @@ long do_futex(u32 __user *uaddr, int op, + ret = futex_wake_op(uaddr, fshared, uaddr2, val, val2, val3); + break; + case FUTEX_LOCK_PI: +- ret = futex_lock_pi(uaddr, fshared, val, timeout, 0); ++ if (futex_cmpxchg_enabled) ++ ret = futex_lock_pi(uaddr, fshared, val, timeout, 0); + break; + case FUTEX_UNLOCK_PI: +- ret = futex_unlock_pi(uaddr, fshared); ++ if (futex_cmpxchg_enabled) ++ ret = futex_unlock_pi(uaddr, fshared); + break; + case FUTEX_TRYLOCK_PI: +- ret = futex_lock_pi(uaddr, fshared, 0, timeout, 1); ++ if (futex_cmpxchg_enabled) ++ ret = futex_lock_pi(uaddr, fshared, 0, timeout, 1); + break; + default: + ret = -ENOSYS; +@@ -2123,8 +2138,23 @@ static struct file_system_type futex_fs_ + 
+ static int __init init(void) + { ++ u32 curval; + int i; + ++ /* ++ * This will fail and we want it. Some arch implementations do ++ * runtime detection of the futex_atomic_cmpxchg_inatomic() ++ * functionality. We want to know that before we call in any ++ * of the complex code paths. Also we want to prevent ++ * registration of robust lists in that case. NULL is ++ * guaranteed to fault and we get -EFAULT on functional ++ * implementation, the non functional ones will return ++ * -ENOSYS. ++ */ ++ curval = cmpxchg_futex_value_locked(NULL, 0, 0); ++ if (curval == -EFAULT) ++ futex_cmpxchg_enabled = 1; ++ + for (i = 0; i < ARRAY_SIZE(futex_queues); i++) { + plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock); + spin_lock_init(&futex_queues[i].lock); +--- a/kernel/futex_compat.c ++++ b/kernel/futex_compat.c +@@ -54,6 +54,9 @@ void compat_exit_robust_list(struct task + compat_long_t futex_offset; + int rc; + ++ if (!futex_cmpxchg_enabled) ++ return; ++ + /* + * Fetch the list head (which was registered earlier, via + * sys_set_robust_list()): +@@ -115,6 +118,9 @@ asmlinkage long + compat_sys_set_robust_list(struct compat_robust_list_head __user *head, + compat_size_t len) + { ++ if (!futex_cmpxchg_enabled) ++ return -ENOSYS; ++ + if (unlikely(len != sizeof(*head))) + return -EINVAL; + +@@ -130,6 +136,9 @@ compat_sys_get_robust_list(int pid, comp + struct compat_robust_list_head __user *head; + unsigned long ret; + ++ if (!futex_cmpxchg_enabled) ++ return -ENOSYS; ++ + if (!pid) + head = current->compat_robust_list; + else { diff --git a/queue-2.6.24/hugetlb-ensure-we-do-not-reference-a-surplus-page-after-handing-it-to-buddy.patch b/queue-2.6.24/hugetlb-ensure-we-do-not-reference-a-surplus-page-after-handing-it-to-buddy.patch new file mode 100644 index 00000000000..147e023902c --- /dev/null +++ b/queue-2.6.24/hugetlb-ensure-we-do-not-reference-a-surplus-page-after-handing-it-to-buddy.patch 
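Review bot: In `init()`, the probe result is stored in `u32 curval` and then tested with `if (curval == -EFAULT)`, which only works through the implicit conversion of the negative errno to unsigned. Writing the conversion out, `if (curval == (u32)-EFAULT)`, makes the in-band error convention of `cmpxchg_futex_value_locked()` visible and avoids sign-compare warnings. The body of `init()` continues outside the hunk.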
@@ -0,0 +1,48 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:33:10 2008 +Date: Sun, 24 Feb 2008 02:10:08 GMT +Message-Id: <200802240210.m1O2A8nV015424@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: hugetlb: ensure we do not reference a surplus page after handing it to buddy + +From: Andy Whitcroft +commit: e5df70ab194543522397fa3da8c8f80564a0f7d3 + +When we free a page via free_huge_page and we detect that we are in surplus +the page will be returned to the buddy. After this we no longer own the page. + +However at the end free_huge_page we clear out our mapping pointer from +page private. Even where the page is not a surplus we free the page to +the hugepage pool, drop the pool locks and then clear page private. In +either case the page may have been reallocated. BAD. + +Make sure we clear out page private before we free the page. + +Signed-off-by: Andy Whitcroft +Acked-by: Adam Litke +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + mm/hugetlb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -119,6 +119,7 @@ static void free_huge_page(struct page * + struct address_space *mapping; + + mapping = (struct address_space *) page_private(page); ++ set_page_private(page, 0); + BUG_ON(page_count(page)); + INIT_LIST_HEAD(&page->lru); + +@@ -133,7 +134,6 @@ static void free_huge_page(struct page * + spin_unlock(&hugetlb_lock); + if (mapping) + hugetlb_put_quota(mapping, 1); +- set_page_private(page, 0); + } + + /* diff --git a/queue-2.6.24/netfilter-fix-ebtable-targets-return.patch b/queue-2.6.24/netfilter-fix-ebtable-targets-return.patch new file mode 100644 index 00000000000..0d09dcf01b8 --- /dev/null +++ b/queue-2.6.24/netfilter-fix-ebtable-targets-return.patch 
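Review bot: The moved `set_page_private(page, 0);` in `free_huge_page()` is now order-critical, but nothing at the line records why, so a later cleanup could move it back below the free and reintroduce the write to a page that is no longer owned. Add a short comment above it, for example `/* Clear page private while we still own the page; it may be reallocated once freed. */`. The middle of the function, where the page is actually released, is outside the two hunks shown.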
@@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:46:38 2008 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20080225140102.20602.42947.sendpatchset@localhost.localdomain> +Date: Mon, 25 Feb 2008 15:01:04 +0100 (MET) +Cc: netfilter-devel@vger.kernel.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: fix ebtable targets return + +Upstream commit 1b04ab459: + +The function ebt_do_table doesn't take NF_DROP as a verdict from the targets. + +Signed-off-by: Joonwoo Park +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/bridge/netfilter/ebt_dnat.c | 2 +- + net/bridge/netfilter/ebt_redirect.c | 2 +- + net/bridge/netfilter/ebt_snat.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/net/bridge/netfilter/ebt_dnat.c ++++ b/net/bridge/netfilter/ebt_dnat.c +@@ -21,7 +21,7 @@ static int ebt_target_dnat(struct sk_buf + struct ebt_nat_info *info = (struct ebt_nat_info *)data; + + if (!skb_make_writable(skb, 0)) +- return NF_DROP; ++ return EBT_DROP; + + memcpy(eth_hdr(skb)->h_dest, info->mac, ETH_ALEN); + return info->target; +--- a/net/bridge/netfilter/ebt_redirect.c ++++ b/net/bridge/netfilter/ebt_redirect.c +@@ -22,7 +22,7 @@ static int ebt_target_redirect(struct sk + struct ebt_redirect_info *info = (struct ebt_redirect_info *)data; + + if (!skb_make_writable(skb, 0)) +- return NF_DROP; ++ return EBT_DROP; + + if (hooknr != NF_BR_BROUTING) + memcpy(eth_hdr(skb)->h_dest, +--- a/net/bridge/netfilter/ebt_snat.c ++++ b/net/bridge/netfilter/ebt_snat.c +@@ -23,7 +23,7 @@ static int ebt_target_snat(struct sk_buf + struct ebt_nat_info *info = (struct ebt_nat_info *) data; + + if (!skb_make_writable(skb, 0)) +- return NF_DROP; ++ return EBT_DROP; + + memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN); + if (!(info->target & NAT_ARP_BIT) && 
diff --git a/queue-2.6.24/netfilter-fix-incorrect-use-of-skb_make_writable.patch b/queue-2.6.24/netfilter-fix-incorrect-use-of-skb_make_writable.patch
new file mode 100644
index 00000000000..b838d0374f1
--- /dev/null
+++ b/queue-2.6.24/netfilter-fix-incorrect-use-of-skb_make_writable.patch
@@ -0,0 +1,69 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:44:30 2008 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20080225140100.20602.23690.sendpatchset@localhost.localdomain> +Date: Mon, 25 Feb 2008 15:01:02 +0100 (MET) +Cc: netfilter-devel@vger.kernel.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: Fix incorrect use of skb_make_writable + +Upstream commit eb1197bc0: + +http://bugzilla.kernel.org/show_bug.cgi?id=9920 +The function skb_make_writable returns true or false. + +Signed-off-by: Joonwoo Park +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + + net/bridge/netfilter/ebt_dnat.c | 2 +- + net/bridge/netfilter/ebt_redirect.c | 2 +- + net/bridge/netfilter/ebt_snat.c | 2 +- + net/ipv4/netfilter/arpt_mangle.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/bridge/netfilter/ebt_dnat.c ++++ b/net/bridge/netfilter/ebt_dnat.c +@@ -20,7 +20,7 @@ static int ebt_target_dnat(struct sk_buf + { + struct ebt_nat_info *info = (struct ebt_nat_info *)data; + +- if (skb_make_writable(skb, 0)) ++ if (!skb_make_writable(skb, 0)) + return NF_DROP; + + memcpy(eth_hdr(skb)->h_dest, info->mac, ETH_ALEN); +--- a/net/bridge/netfilter/ebt_redirect.c ++++ b/net/bridge/netfilter/ebt_redirect.c +@@ -21,7 +21,7 @@ static int ebt_target_redirect(struct sk + { + struct ebt_redirect_info *info = (struct ebt_redirect_info *)data; + +- if (skb_make_writable(skb, 0)) ++ if (!skb_make_writable(skb, 0)) + return NF_DROP; + + if (hooknr != NF_BR_BROUTING) +--- a/net/bridge/netfilter/ebt_snat.c ++++ b/net/bridge/netfilter/ebt_snat.c +@@ -22,7 +22,7 @@ static int ebt_target_snat(struct sk_buf + { + struct ebt_nat_info *info = (struct ebt_nat_info *) data; + +- if (skb_make_writable(skb, 0)) ++ if (!skb_make_writable(skb, 0)) + return NF_DROP; + + memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN); +--- a/net/ipv4/netfilter/arpt_mangle.c ++++ b/net/ipv4/netfilter/arpt_mangle.c +@@ -19,7 
+19,7 @@ target(struct sk_buff *skb, + unsigned char *arpptr; + int pln, hln; + +- if (skb_make_writable(skb, skb->len)) ++ if (!skb_make_writable(skb, skb->len)) + return NF_DROP; + + arp = arp_hdr(skb); diff --git a/queue-2.6.24/netfilter-nfnetlink_queue-fix-skb_linear_assert-when-mangling-packet-data.patch b/queue-2.6.24/netfilter-nfnetlink_queue-fix-skb_linear_assert-when-mangling-packet-data.patch new file mode 100644 index 00000000000..16bd8ce61b7 --- /dev/null +++ b/queue-2.6.24/netfilter-nfnetlink_queue-fix-skb_linear_assert-when-mangling-packet-data.patch 
@@ -0,0 +1,129 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:41:37 2008 +From: Patrick McHardy +To: stable@kernel.org +Message-Id: <20080225140059.20602.57007.sendpatchset@localhost.localdomain> +Date: Mon, 25 Feb 2008 15:01:01 +0100 (MET) +Cc: netfilter-devel@vger.kernel.org, Patrick McHardy , davem@davemloft.net +Subject: NETFILTER: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data + +Upstream commit e2b58a67: + +As reported by Tomas Simonaitis , inserting new +data in skbs queued over {ip,ip6,nfnetlink}_queue triggers a SKB_LINEAR_ASSERT +in skb_put(). + +Going back through the git history, it seems this bug is present since at +least 2.6.12-rc2, probably even since the removal of skb_linearize() for +netfilter. + +Linearize non-linear skbs through skb_copy_expand() when enlarging them. +Tested by Thomas, fixes bugzilla #9933. + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- +Patrick, which part of commit log did you want to drop? 
+ + net/ipv4/netfilter/ip_queue.c | 12 +++++++----- + net/ipv6/netfilter/ip6_queue.c | 10 ++++++---- + net/netfilter/nfnetlink_queue.c | 10 ++++++---- + 3 files changed, 19 insertions(+), 13 deletions(-) + +--- a/net/ipv4/netfilter/ip_queue.c ++++ b/net/ipv4/netfilter/ip_queue.c +@@ -336,8 +336,8 @@ static int + ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e) + { + int diff; +- int err; + struct iphdr *user_iph = (struct iphdr *)v->payload; ++ struct sk_buff *nskb; + + if (v->data_len < sizeof(*user_iph)) + return 0; +@@ -349,14 +349,16 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st + if (v->data_len > 0xFFFF) + return -EINVAL; + if (diff > skb_tailroom(e->skb)) { +- err = pskb_expand_head(e->skb, 0, ++ nskb = skb_copy_expand(e->skb, 0, + diff - skb_tailroom(e->skb), + GFP_ATOMIC); +- if (err) { ++ if (!nskb) { + printk(KERN_WARNING "ip_queue: error " +- "in mangle, dropping packet: %d\n", -err); +- return err; ++ "in mangle, dropping packet\n"); ++ return -ENOMEM; + } ++ kfree_skb(e->skb); ++ e->skb = nskb; + } + skb_put(e->skb, diff); + } +--- a/net/ipv6/netfilter/ip6_queue.c ++++ b/net/ipv6/netfilter/ip6_queue.c +@@ -333,8 +333,8 @@ static int + ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e) + { + int diff; +- int err; + struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload; ++ struct sk_buff *nskb; + + if (v->data_len < sizeof(*user_iph)) + return 0; +@@ -346,14 +346,16 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st + if (v->data_len > 0xFFFF) + return -EINVAL; + if (diff > skb_tailroom(e->skb)) { +- err = pskb_expand_head(e->skb, 0, ++ nskb = skb_copy_expand(e->skb, 0, + diff - skb_tailroom(e->skb), + GFP_ATOMIC); +- if (err) { ++ if (!nskb) { + printk(KERN_WARNING "ip6_queue: OOM " + "in mangle, dropping packet\n"); +- return err; ++ return -ENOMEM; + } ++ kfree_skb(e->skb); ++ e->skb = nskb; + } + skb_put(e->skb, diff); + } +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -616,8 +616,8 @@ 
err_out_put: + static int + nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e) + { ++ struct sk_buff *nskb; + int diff; +- int err; + + diff = data_len - e->skb->len; + if (diff < 0) { +@@ -627,14 +627,16 @@ nfqnl_mangle(void *data, int data_len, s + if (data_len > 0xFFFF) + return -EINVAL; + if (diff > skb_tailroom(e->skb)) { +- err = pskb_expand_head(e->skb, 0, ++ nskb = skb_copy_expand(e->skb, 0, + diff - skb_tailroom(e->skb), + GFP_ATOMIC); +- if (err) { ++ if (!nskb) { + printk(KERN_WARNING "nf_queue: OOM " + "in mangle, dropping packet\n"); +- return err; ++ return -ENOMEM; + } ++ kfree_skb(e->skb); ++ e->skb = nskb; + } + skb_put(e->skb, diff); + } diff --git a/queue-2.6.24/scsi-advansys-fix-overrun_buf-aligned-bug.patch b/queue-2.6.24/scsi-advansys-fix-overrun_buf-aligned-bug.patch new file mode 100644 index 00000000000..312e0aa0bff --- /dev/null +++ b/queue-2.6.24/scsi-advansys-fix-overrun_buf-aligned-bug.patch 
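Review bot: The arguments to `skb_copy_expand()` were carried over unchanged from `pskb_expand_head()` in `ipq_mangle_ipv4()`, `ipq_mangle_ipv6()` and `nfqnl_mangle()`, but the two functions interpret them differently: `pskb_expand_head()` takes the number of bytes to add, while `skb_copy_expand()` takes the absolute headroom and tailroom of the new buffer. With `0, diff - skb_tailroom(e->skb)` the copy has no headroom and, whenever the old skb had any tailroom, less than `diff` bytes of tailroom. The following `skb_put(e->skb, diff)` can then run past the end of the buffer and trigger skb_over_panic. The call should be `nskb = skb_copy_expand(e->skb, skb_headroom(e->skb), diff, GFP_ATOMIC);` in all three places. The function bodies continue outside the hunks.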
@@ -0,0 +1,82 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:58:53 2008 +Date: Wed, 27 Feb 2008 02:06:18 +0900 +To: stable@kernel.org +From: FUJITA Tomonori +Message-Id: <20080226090603A.tomof@acm.org> +Cc: James.Bottomley@HansenPartnership.com, fujita.tomonori@lab.ntt.co.jp, matthew@wil.cx +Subject: SCSI advansys: fix overrun_buf aligned bug + +From: FUJITA Tomonori +commit 7d5d408c77cee95d1380511de46b7a4c8dc2211d + +struct asc_dvc_var needs overrun buffer to be placed on an 8 byte +boundary. advansys defines struct asc_dvc_var: + +struct asc_dvc_var { + ... + uchar overrun_buf[ASC_OVERRUN_BSIZE] __aligned(8); + +The problem is that struct asc_dvc_var is placed on +shost->hostdata. So if the hostdata is not on an 8 byte boundary, the +advansys crashes. The hostdata is placed on a sizeof(unsigned long) +boundary so the 8 byte boundary is not garanteed with x86_32. + +With 2.6.23 and 2.6.24, the hostdata is on an 8 byte boundary by +chance, but with the current git, it's not. + +This patch removes overrun_buf static array and use kzalloc. + +Signed-off-by: FUJITA Tomonori +Signed-off-by: James Bottomley + +FUJITA Tomonori notes: + We thought that 2.6.24 doesn't have this bug, however it does. 
+Signed-off-by: Chris Wright +--- + drivers/scsi/advansys.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/advansys.c ++++ b/drivers/scsi/advansys.c +@@ -566,7 +566,7 @@ typedef struct asc_dvc_var { + ASC_SCSI_BIT_ID_TYPE unit_not_ready; + ASC_SCSI_BIT_ID_TYPE queue_full_or_busy; + ASC_SCSI_BIT_ID_TYPE start_motor; +- uchar overrun_buf[ASC_OVERRUN_BSIZE] __aligned(8); ++ uchar *overrun_buf; + dma_addr_t overrun_dma; + uchar scsi_reset_wait; + uchar chip_no; +@@ -13833,6 +13833,12 @@ static int __devinit advansys_board_foun + */ + if (ASC_NARROW_BOARD(boardp)) { + ASC_DBG(2, "AscInitAsc1000Driver()\n"); ++ ++ asc_dvc_varp->overrun_buf = kzalloc(ASC_OVERRUN_BSIZE, GFP_KERNEL); ++ if (!asc_dvc_varp->overrun_buf) { ++ ret = -ENOMEM; ++ goto err_free_wide_mem; ++ } + warn_code = AscInitAsc1000Driver(asc_dvc_varp); + + if (warn_code || asc_dvc_varp->err_code) { +@@ -13840,8 +13846,10 @@ static int __devinit advansys_board_foun + "warn 0x%x, error 0x%x\n", + asc_dvc_varp->init_state, warn_code, + asc_dvc_varp->err_code); +- if (asc_dvc_varp->err_code) ++ if (asc_dvc_varp->err_code) { + ret = -ENODEV; ++ kfree(asc_dvc_varp->overrun_buf); ++ } + } + } else { + if (advansys_wide_init_chip(shost)) +@@ -13894,6 +13902,7 @@ static int advansys_release(struct Scsi_ + dma_unmap_single(board->dev, + board->dvc_var.asc_dvc_var.overrun_dma, + ASC_OVERRUN_BSIZE, DMA_FROM_DEVICE); ++ kfree(board->dvc_var.asc_dvc_var.overrun_buf); + } else { + iounmap(board->ioremap_addr); + advansys_wide_free_mem(board); diff --git a/queue-2.6.24/scsi-aic94xx-fix-req_task_abort-and-req_device_reset.patch b/queue-2.6.24/scsi-aic94xx-fix-req_task_abort-and-req_device_reset.patch new file mode 100644 index 00000000000..707e3b08f59 --- /dev/null +++ b/queue-2.6.24/scsi-aic94xx-fix-req_task_abort-and-req_device_reset.patch 
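Review bot: In `advansys_board_found()`, the `err_code` branch frees `asc_dvc_varp->overrun_buf` but leaves the pointer set, and no other failure exit in the hunk frees it. The remaining error paths and the `err_free_wide_mem` label are outside the hunk, so please confirm that a narrow board failing later in the function (after `AscInitAsc1000Driver()` succeeds) does not leak the buffer, and that nothing touches the stale pointer after `ret = -ENODEV`. Adding `asc_dvc_varp->overrun_buf = NULL;` after the `kfree()` here, and doing the free at the shared error label, would make both cases safe because `kfree(NULL)` is a no-op.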
@@ -0,0 +1,68 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:09:33 2008 +Date: Sat, 23 Feb 2008 20:55:15 GMT +Message-Id: <200802232055.m1NKtFCh024335@hera.kernel.org> +From: James Bottomley +To: jejb@kernel.org, stable@kernel.org +Subject: SCSI aic94xx: fix REQ_TASK_ABORT and REQ_DEVICE_RESET + +From: James Bottomley +commit: cb84e2d2ff3b50c0da5a7604a6d8634294a00a01 + +This driver has been failing under heavy load with + +aic94xx: escb_tasklet_complete: REQ_TASK_ABORT, reason=0x6 +aic94xx: escb_tasklet_complete: Can't find task (tc=4) to abort! + +The second message is because the driver fails to identify the task +it's being asked to abort. On closer inpection, there's a thinko in +the for each task loop over pending tasks in both the REQ_TASK_ABORT +and REQ_DEVICE_RESET cases where it doesn't look at the task on the +pending list but at the one on the ESCB (which is always NULL). + +Fix by looking at the right task. Also add a print for the case where +the pending SCB doesn't have a task attached. + +Not sure if this will fix all the problems, but it's a definite first +step. 
+ +Cc: Stable Tree +Signed-off-by: James Bottomley +Signed-off-by: Chris Wright +--- + drivers/scsi/aic94xx/aic94xx_scb.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/aic94xx/aic94xx_scb.c ++++ b/drivers/scsi/aic94xx/aic94xx_scb.c +@@ -458,13 +458,19 @@ static void escb_tasklet_complete(struct + tc_abort = le16_to_cpu(tc_abort); + + list_for_each_entry_safe(a, b, &asd_ha->seq.pend_q, list) { +- struct sas_task *task = ascb->uldd_task; ++ struct sas_task *task = a->uldd_task; ++ ++ if (a->tc_index != tc_abort) ++ continue; + +- if (task && a->tc_index == tc_abort) { ++ if (task) { + failed_dev = task->dev; + sas_task_abort(task); +- break; ++ } else { ++ ASD_DPRINTK("R_T_A for non TASK scb 0x%x\n", ++ a->scb->header.opcode); + } ++ break; + } + + if (!failed_dev) { +@@ -478,7 +484,7 @@ static void escb_tasklet_complete(struct + * that the EH will wake up and do something. + */ + list_for_each_entry_safe(a, b, &asd_ha->seq.pend_q, list) { +- struct sas_task *task = ascb->uldd_task; ++ struct sas_task *task = a->uldd_task; + + if (task && + task->dev == failed_dev && diff --git a/queue-2.6.24/scsi-gdth-don-t-call-pci_free_consistent-under-spinlock.patch b/queue-2.6.24/scsi-gdth-don-t-call-pci_free_consistent-under-spinlock.patch new file mode 100644 index 00000000000..7702a3ff1ed --- /dev/null +++ b/queue-2.6.24/scsi-gdth-don-t-call-pci_free_consistent-under-spinlock.patch 
@@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:08:26 2008 +Date: Sat, 23 Feb 2008 20:55:14 GMT +Message-Id: <200802232055.m1NKtEuD024293@hera.kernel.org> +From: James Bottomley +To: jejb@kernel.org, stable@kernel.org +Subject: SCSI gdth: don't call pci_free_consistent under spinlock + +From: James Bottomley +commit: ff83efacf2b77a1fe8942db6613825a4b80ee5e2 + +The spinlock is held over too large a region: pscratch is a permanent +address (it's allocated at boot time and never changes). All you need +the smp lock for is mediating the scratch in use flag, so fix this by +moving the spinlock into the case where we set the pscratch_busy flag +to false. + +Cc: Stable Tree +Signed-off-by: James Bottomley +Signed-off-by: Chris Wright +--- + drivers/scsi/gdth_proc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/gdth_proc.c ++++ b/drivers/scsi/gdth_proc.c +@@ -694,15 +694,13 @@ static void gdth_ioctl_free(gdth_ha_str + { + ulong flags; + +- spin_lock_irqsave(&ha->smp_lock, flags); +- + if (buf == ha->pscratch) { ++ spin_lock_irqsave(&ha->smp_lock, flags); + ha->scratch_busy = FALSE; ++ spin_unlock_irqrestore(&ha->smp_lock, flags); + } else { + pci_free_consistent(ha->pdev, size, buf, paddr); + } +- +- spin_unlock_irqrestore(&ha->smp_lock, flags); + } + + #ifdef GDTH_IOCTL_PROC diff --git a/queue-2.6.24/scsi-ips-fix-data-buffer-accessors-conversion-bug.patch b/queue-2.6.24/scsi-ips-fix-data-buffer-accessors-conversion-bug.patch new file mode 100644 index 00000000000..66995c3b132 --- /dev/null +++ b/queue-2.6.24/scsi-ips-fix-data-buffer-accessors-conversion-bug.patch 
@@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:05:31 2008 +Date: Sat, 23 Feb 2008 20:55:12 GMT +Message-Id: <200802232055.m1NKtCp8024252@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: SCSI ips: fix data buffer accessors conversion bug + +From: FUJITA Tomonori +commit: 2b28a4721e068ac89bd5435472723a1bc44442fe + +This fixes a bug that can't handle a passthru command with more than +two sg entries. + +Big thanks to Tim Pepper for debugging the problem. + +Signed-off-by: FUJITA Tomonori +Acked-by: Mark Salyzyn +Cc: Stable Tree +Signed-off-by: James Bottomley +Signed-off-by: Chris Wright +--- + drivers/scsi/ips.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ips.c ++++ b/drivers/scsi/ips.c +@@ -1580,7 +1580,7 @@ ips_make_passthru(ips_ha_t *ha, struct s + METHOD_TRACE("ips_make_passthru", 1); + + scsi_for_each_sg(SC, sg, scsi_sg_count(SC), i) +- length += sg[i].length; ++ length += sg->length; + + if (length < sizeof (ips_passthru_t)) { + /* wrong size */ diff --git a/queue-2.6.24/scsi-ips-handle-scsi_add_host-failure-and-other-err-cleanups.patch b/queue-2.6.24/scsi-ips-handle-scsi_add_host-failure-and-other-err-cleanups.patch index 322a366e996..abdb5003873 100644 --- a/queue-2.6.24/scsi-ips-handle-scsi_add_host-failure-and-other-err-cleanups.patch +++ b/queue-2.6.24/scsi-ips-handle-scsi_add_host-failure-and-other-err-cleanups.patch @@ -9,6 +9,11 @@ Date: Wed, 12 Mar 2008 10:25:42 +0900 From: Jeff Garzik commit 2551a13e61d3c3df6c2da6de5a3ece78e6d67111 +Signed-off-by: Jeff Garzik +Acked-by: "Salyzyn, Mark" +Signed-off-by: Andrew Morton +Signed-off-by: James Bottomley + FUJITA Tomonori notes: It didn't intend to fix a critical bug, however, it turned out that it does. Without this patch, the ips driver in 2.6.23 and 2.6.24 doesn't 
@@ -16,10 +21,6 @@ FUJITA Tomonori notes: http://marc.info/?t=120293911900023&r=1&w=2 -Signed-off-by: Jeff Garzik -Acked-by: "Salyzyn, Mark" -Signed-off-by: Andrew Morton -Signed-off-by: James Bottomley Signed-off-by: Chris Wright --- drivers/scsi/ips.c | 18 +++++++++++++----- diff --git a/queue-2.6.24/series b/queue-2.6.24/series index c675c7103ce..c31d09bce02 100644 --- a/queue-2.6.24/series +++ b/queue-2.6.24/series @@ -22,3 +22,20 @@ x86-adjust-enable_nmi_through_lvt0.patch scsi-ips-handle-scsi_add_host-failure-and-other-err-cleanups.patch crypto-xcbc-fix-crash-with-ipsec.patch crypto-xts-use-proper-alignment.patch +fuse-fix-permission-checking.patch +usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch +scsi-ips-fix-data-buffer-accessors-conversion-bug.patch +scsi-gdth-don-t-call-pci_free_consistent-under-spinlock.patch +scsi-aic94xx-fix-req_task_abort-and-req_device_reset.patch +x86-replace-lock_prefix-in-futex.h.patch +arm-pxa-fix-clock-lookup-to-find-specific-device-clocks.patch +futex-fix-init-order.patch +futex-runtime-enable-pi-and-robust-functionality.patch +file-capabilities-simplify-signal-check.patch +hugetlb-ensure-we-do-not-reference-a-surplus-page-after-handing-it-to-buddy.patch +ufs-fix-parenthesisation-in-ufs_set_fs_state.patch +spi-pxa2xx_spi-clock-polarity-fix.patch +netfilter-nfnetlink_queue-fix-skb_linear_assert-when-mangling-packet-data.patch +netfilter-fix-incorrect-use-of-skb_make_writable.patch +netfilter-fix-ebtable-targets-return.patch +scsi-advansys-fix-overrun_buf-aligned-bug.patch diff --git a/queue-2.6.24/spi-pxa2xx_spi-clock-polarity-fix.patch b/queue-2.6.24/spi-pxa2xx_spi-clock-polarity-fix.patch new file mode 100644 index 00000000000..e965d1eba51 --- /dev/null +++ b/queue-2.6.24/spi-pxa2xx_spi-clock-polarity-fix.patch 
@@ -0,0 +1,130 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:30:56 2008 +Date: Sun, 24 Feb 2008 02:10:06 GMT +Message-Id: <200802240210.m1O2A6be015394@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: spi: pxa2xx_spi clock polarity fix + +From: Ned Forrester +commit: b97c74bddce4e2c6fef6b3b58910b4fd9eb7f3b8 + +Fixes a sequencing bug in spi driver pxa2xx_spi.c in which the chip select +for a transfer may be asserted before the clock polarity is set on the +interface. As a result of this bug, the clock signal may have the wrong +polarity at transfer start, so it may need to make an extra half transition +before the intended clock/data signals begin. (This probably means all +transfers are one bit out of sequence.) + +This only occurs on the first transfer following a change in clock polarity +in systems using more than one more than one such polarity. The fix +assures that the clock mode is properly set before asserting chip select. + +This bug was introduced in a patch merged on 2006/12/10, kernel 2.6.20. 
+The patch defines an additional bit in: include/asm-arm/arch-pxa/regs-ssp.h +for 2.6.25 and newer kernels but this addition must be made in: +include/asm-arm/arch-pxa/pxa-regs.h for kernels between 2.6.20 and 2.6.24, +inclusive + +Signed-off-by: Ned Forrester +Signed-off-by: David Brownell +Cc: Russell King +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[chrisw@sous-sol.org: backport to 2.6.24.3] +Signed-off-by: Chris Wright +--- + drivers/spi/pxa2xx_spi.c | 41 +++++++++++++++++++++++------------- + include/asm-arm/arch-pxa/pxa-regs.h | 1 + 2 files changed, 28 insertions(+), 14 deletions(-) + +--- a/drivers/spi/pxa2xx_spi.c ++++ b/drivers/spi/pxa2xx_spi.c +@@ -48,13 +48,19 @@ MODULE_LICENSE("GPL"); + #define RESET_DMA_CHANNEL (DCSR_NODESC | DMA_INT_MASK) + #define IS_DMA_ALIGNED(x) (((u32)(x)&0x07)==0) + +-/* for testing SSCR1 changes that require SSP restart, basically +- * everything except the service and interrupt enables */ +-#define SSCR1_CHANGE_MASK (SSCR1_TTELP | SSCR1_TTE | SSCR1_EBCEI | SSCR1_SCFR \ ++/* ++ * for testing SSCR1 changes that require SSP restart, basically ++ * everything except the service and interrupt enables, the pxa270 developer ++ * manual says only SSCR1_SCFR, SSCR1_SPH, SSCR1_SPO need to be in this ++ * list, but the PXA255 dev man says all bits without really meaning the ++ * service and interrupt enables ++ */ ++#define SSCR1_CHANGE_MASK (SSCR1_TTELP | SSCR1_TTE | SSCR1_SCFR \ + | SSCR1_ECRA | SSCR1_ECRB | SSCR1_SCLKDIR \ +- | SSCR1_RWOT | SSCR1_TRAIL | SSCR1_PINTE \ +- | SSCR1_STRF | SSCR1_EFWR |SSCR1_RFT \ +- | SSCR1_TFT | SSCR1_SPH | SSCR1_SPO | SSCR1_LBM) ++ | SSCR1_SFRMDIR | SSCR1_RWOT | SSCR1_TRAIL \ ++ | SSCR1_IFS | SSCR1_STRF | SSCR1_EFWR \ ++ | SSCR1_RFT | SSCR1_TFT | SSCR1_MWDS \ ++ | SSCR1_SPH | SSCR1_SPO | SSCR1_LBM) + + #define DEFINE_SSP_REG(reg, off) \ + static inline u32 read_##reg(void *p) { return __raw_readl(p + (off)); } \ +@@ -961,9 +967,6 @@ static void pump_transfers(unsigned long + if 
(drv_data->ssp_type == PXA25x_SSP) + DCMD(drv_data->tx_channel) |= DCMD_ENDIRQEN; + +- /* Fix me, need to handle cs polarity */ +- drv_data->cs_control(PXA2XX_CS_ASSERT); +- + /* Clear status and start DMA engine */ + cr1 = chip->cr1 | dma_thresh | drv_data->dma_cr1; + write_SSSR(drv_data->clear_sr, reg); +@@ -973,9 +976,6 @@ static void pump_transfers(unsigned long + /* Ensure we have the correct interrupt handler */ + drv_data->transfer_handler = interrupt_transfer; + +- /* Fix me, need to handle cs polarity */ +- drv_data->cs_control(PXA2XX_CS_ASSERT); +- + /* Clear status */ + cr1 = chip->cr1 | chip->threshold | drv_data->int_cr1; + write_SSSR(drv_data->clear_sr, reg); +@@ -986,16 +986,29 @@ static void pump_transfers(unsigned long + || (read_SSCR1(reg) & SSCR1_CHANGE_MASK) != + (cr1 & SSCR1_CHANGE_MASK)) { + ++ /* stop the SSP, and update the other bits */ + write_SSCR0(cr0 & ~SSCR0_SSE, reg); + if (drv_data->ssp_type != PXA25x_SSP) + write_SSTO(chip->timeout, reg); +- write_SSCR1(cr1, reg); ++ /* first set CR1 without interrupt and service enables */ ++ write_SSCR1(cr1 & SSCR1_CHANGE_MASK, reg); ++ /* restart the SSP */ + write_SSCR0(cr0, reg); ++ + } else { + if (drv_data->ssp_type != PXA25x_SSP) + write_SSTO(chip->timeout, reg); +- write_SSCR1(cr1, reg); + } ++ ++ /* FIXME, need to handle cs polarity, ++ * this driver uses struct pxa2xx_spi_chip.cs_control to ++ * specify a CS handling function, and it ignores most ++ * struct spi_device.mode[s], including SPI_CS_HIGH */ ++ drv_data->cs_control(PXA2XX_CS_ASSERT); ++ ++ /* after chip select, release the data by enabling service ++ * requests and interrupts, without changing any mode bits */ ++ write_SSCR1(cr1, reg); + } + + static void pump_messages(struct work_struct *work) +--- a/include/asm-arm/arch-pxa/pxa-regs.h ++++ b/include/asm-arm/arch-pxa/pxa-regs.h +@@ -1669,6 +1669,7 @@ + #define SSCR1_RSRE (1 << 20) /* Receive Service Request Enable */ + #define SSCR1_TINTE (1 << 19) /* Receiver Time-out 
Interrupt enable */ + #define SSCR1_PINTE (1 << 18) /* Peripheral Trailing Byte Interupt Enable */ ++#define SSCR1_IFS (1 << 16) /* Invert Frame Signal */ + #define SSCR1_STRF (1 << 15) /* Select FIFO or EFWR */ + #define SSCR1_EFWR (1 << 14) /* Enable FIFO Write/Read */ + diff --git a/queue-2.6.24/ufs-fix-parenthesisation-in-ufs_set_fs_state.patch b/queue-2.6.24/ufs-fix-parenthesisation-in-ufs_set_fs_state.patch new file mode 100644 index 00000000000..27013022052 --- /dev/null +++ b/queue-2.6.24/ufs-fix-parenthesisation-in-ufs_set_fs_state.patch @@ -0,0 +1,40 @@ +From stable-bounces@linux.kernel.org Tue Mar 11 22:34:00 2008 +Date: Sun, 24 Feb 2008 02:10:08 GMT +Message-Id: <200802240210.m1O2A8OD015445@hera.kernel.org> +From: jejb@kernel.org +To: jejb@kernel.org, stable@kernel.org +Subject: ufs: fix parenthesisation in ufs_set_fs_state() + +From: Roel Kluin <12o3l@tiscali.nl> +commit: f81e8a43871f44f98dd14e83a83bf9ca0b3b46c5 + +This bug snuck in with + +commit 252e211e90ce56bf005cb533ad5a297c18c19407 +Author: Mark Fortescue +Date: Tue Oct 16 23:26:31 2007 -0700 + + Add in SunOS 4.1.x compatible mode for UFS + +Signed-off-by: Roel Kluin <12o3l@tiscali.nl> +Acked-by: Evgeniy Dushistov +Cc: Mark Fortescue +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Chris Wright +--- + fs/ufs/util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ufs/util.h ++++ b/fs/ufs/util.h +@@ -58,7 +58,7 @@ ufs_set_fs_state(struct super_block *sb, + { + switch (UFS_SB(sb)->s_flags & UFS_ST_MASK) { + case UFS_ST_SUNOS: +- if (fs32_to_cpu(sb, usb3->fs_postblformat == UFS_42POSTBLFMT)) { ++ if (fs32_to_cpu(sb, usb3->fs_postblformat) == UFS_42POSTBLFMT) { + usb1->fs_u0.fs_sun.fs_state = cpu_to_fs32(sb, value); + break; + } diff --git a/queue-2.6.24/usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch b/queue-2.6.24/usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch new file mode 100644 index 00000000000..bb36fbc5da2 
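Review bot: The restart path in `pump_transfers()` now depends on `SSCR1_CHANGE_MASK` containing no interrupt or service-request enable bit, because `write_SSCR1(cr1 & SSCR1_CHANGE_MASK, reg)` is what keeps those enables off until chip select has been asserted; the comment on the define describes the mask only as the set of bits that need an SSP restart. State the second role next to the define, e.g. `/* also used to strip the enables before CS assert: never add an interrupt or service-request enable bit here */`. The mask also starts using `SSCR1_SFRMDIR` and `SSCR1_MWDS` while the header hunk adds only `SSCR1_IFS`, so presumably the other two already exist in 2.6.24's pxa-regs.h; worth confirming for the backport. `pump_transfers()` begins outside the hunks shown.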
--- /dev/null
+++ b/queue-2.6.24/usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch
@@ -0,0 +1,50 @@
+From stable-bounces@linux.kernel.org Tue Mar 11 21:58:41 2008
+Date: Fri, 22 Feb 2008 17:03:25 -0500 (EST)
+From: Alan Stern
+To: stable@kernel.org
+Message-ID:
+Cc: Mark Glines , linux-usb@vger.kernel.org, Boaz Harrosh
+Subject: usb-storage: don't access beyond the end of the sg buffer
+
+This patch (as1038) fixes a bug in usb_stor_access_xfer_buf() and
+usb_stor_set_xfer_buf() (the bug was originally found by Boaz
+Harrosh): The routine must not attempt to write beyond the end of a
+scatter-gather list or beyond the number of bytes requested.
+
+This is the minimal 2.6.24 equivalent to as1035 +
+as1037 (7084191d53b224b953c8e1db525ea6c31aca5fc7 "USB:
+usb-storage: don't access beyond the end of the sg buffer" +
+6d512a80c26d87f8599057c86dc920fbfe0aa3aa "usb-storage: update earlier
+scatter-gather bug fix"). Mark Glines has confirmed that it fixes
+his problem.
+
+Signed-off-by: Alan Stern
+Cc: Mark Glines
+Cc: Boaz Harrosh
+Signed-off-by: Chris Wright
+
+---
+ drivers/usb/storage/protocol.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/storage/protocol.c
++++ b/drivers/usb/storage/protocol.c
+@@ -194,7 +194,7 @@ unsigned int usb_stor_access_xfer_buf(un
+ * and the starting offset within the page, and update
+ * the *offset and *index values for the next loop. */
+ cnt = 0;
+- while (cnt < buflen) {
++ while (cnt < buflen && sg) {
+ struct page *page = sg_page(sg) +
+ ((sg->offset + *offset) >> PAGE_SHIFT);
+ unsigned int poff =
+@@ -249,7 +249,8 @@ void usb_stor_set_xfer_buf(unsigned char
+ unsigned int offset = 0;
+ struct scatterlist *sg = NULL;
+
+- usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
++ buflen = min(buflen, srb->request_bufflen);
++ buflen = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+ TO_XFER_BUF);
+ if (buflen < srb->request_bufflen)
+ srb->resid = srb->request_bufflen - buflen;
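Review bot: The new `while (cnt < buflen && sg)` guard in `usb_stor_access_xfer_buf()` bounds the copy only if `sg` becomes NULL once the scatter-gather list is exhausted, and the step that advances `sg` is outside the hunk, so that assumption is not visible at the loop. A one-line comment there would record it, e.g. `/* sg is NULL past the last entry: stop instead of walking off the list */`. In `usb_stor_set_xfer_buf()` the return value now feeds `srb->resid`, so the function comment (outside the hunk) should state that it returns the number of bytes actually transferred, which can be less than `buflen`. Both functions start and end outside their hunks.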
diff --git a/queue-2.6.24/x86-replace-lock_prefix-in-futex.h.patch b/queue-2.6.24/x86-replace-lock_prefix-in-futex.h.patch
new file mode 100644
index 00000000000..dea535a58b1
--- /dev/null
+++ b/queue-2.6.24/x86-replace-lock_prefix-in-futex.h.patch
@@ -0,0 +1,92 @@
+From stable-bounces@linux.kernel.org Tue Mar 11 22:13:48 2008
+Message-ID: <47C05058.1030509@redhat.com>
+Date: Sat, 23 Feb 2008 11:56:56 -0500
+From: Chuck Ebbert
+To: Greg KH
+Cc: stable@kernel.org
+Subject: x86: replace LOCK_PREFIX in futex.h
+
+From: Thomas Gleixner
+Commit: 9d55b9923a1b7ea8193b8875c57ec940dc2ff027
+
+The exception fixup for the futex macros __futex_atomic_op1/2 and
+futex_atomic_cmpxchg_inatomic() is missing an entry when the lock
+prefix is replaced by a NOP via SMP alternatives.
+
+Chuck Ebert tracked this down from the information provided in:
+https://bugzilla.redhat.com/show_bug.cgi?id=429412
+
+A possible solution would be to add another fixup after the
+LOCK_PREFIX, so both the LOCK and NOP case have their own entry in the
+exception table, but it's not really worth the trouble.
+
+Simply replace LOCK_PREFIX with lock and keep those untouched by SMP
+alternatives.
+
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+[cebbert@redhat.com: backport to 2.6.24]
+Signed-off-by: Chris Wright
+---
+ include/asm-x86/futex_32.h | 6 +++---
+ include/asm-x86/futex_64.h | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/include/asm-x86/futex_32.h
++++ b/include/asm-x86/futex_32.h
+@@ -28,7 +28,7 @@
+ "1: movl %2, %0\n\
+ movl %0, %3\n" \
+ insn "\n" \
+-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
++"2: lock ; cmpxchgl %3, %2\n\
+ jnz 1b\n\
+ 3: .section .fixup,\"ax\"\n\
+ 4: mov %5, %1\n\
+@@ -68,7 +68,7 @@ futex_atomic_op_inuser (int encoded_op,
+ #endif
+ switch (op) {
+ case FUTEX_OP_ADD:
+- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
++ __futex_atomic_op1("lock ; xaddl %0, %2", ret,
+ oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_OR:
+@@ -111,7 +111,7 @@ futex_atomic_cmpxchg_inatomic(int __user
+ return -EFAULT;
+
+ __asm__ __volatile__(
+- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
++ "1: lock ; cmpxchgl %3, %1 \n"
+
+ "2: .section .fixup, \"ax\" \n"
+ "3: mov %2, %0 \n"
+--- a/include/asm-x86/futex_64.h
++++ b/include/asm-x86/futex_64.h
+@@ -27,7 +27,7 @@
+ "1: movl %2, %0\n\
+ movl %0, %3\n" \
+ insn "\n" \
+-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
++"2: lock ; cmpxchgl %3, %2\n\
+ jnz 1b\n\
+ 3: .section .fixup,\"ax\"\n\
+ 4: mov %5, %1\n\
+@@ -62,7 +62,7 @@ futex_atomic_op_inuser (int encoded_op,
+ __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_ADD:
+- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
++ __futex_atomic_op1("lock ; xaddl %0, %2", ret, oldval,
+ uaddr, oparg);
+ break;
+ case FUTEX_OP_OR:
+@@ -101,7 +101,7 @@ futex_atomic_cmpxchg_inatomic(int __user
+ return -EFAULT;
+
+ __asm__ __volatile__(
+- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
++ "1: lock ; cmpxchgl %3, %1 \n"
+
+ "2: .section .fixup, \"ax\" \n"
+ "3: mov %2, %0 \n"
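Review bot: The literal `lock ;` at each changed site carries no comment, so a later cleanup could put `LOCK_PREFIX` back and reintroduce the missing exception-table entry that the commit message describes. Add a comment above the cmpxchg-loop macro and above `futex_atomic_cmpxchg_inatomic()` in both headers, e.g. `/* plain "lock", not LOCK_PREFIX: the exception table has no entry for the NOP that SMP alternatives would patch in */`. This applies to all six inner hunks, three in futex_32.h and three in futex_64.h. The macros and functions involved start outside the hunks, so the exact placement has to be chosen against the full files.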