From: Greg Kroah-Hartman Date: Tue, 15 Jan 2008 20:13:46 +0000 (-0800) Subject: 2.6.23 patches added X-Git-Tag: v2.6.22.19~60 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f36257f2f174f7d427e6b2e05c4d2b3a0f79fbf5;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.23 patches added --- diff --git a/queue-2.6.23/clockevents-fix-reprogramming-decision-in-oneshot-broadcast.patch b/queue-2.6.23/clockevents-fix-reprogramming-decision-in-oneshot-broadcast.patch new file mode 100644 index 00000000000..38040ad6320 --- /dev/null +++ b/queue-2.6.23/clockevents-fix-reprogramming-decision-in-oneshot-broadcast.patch @@ -0,0 +1,127 @@ +From stable-bounces@linux.kernel.org Thu Dec 13 00:58:37 2007 +From: Thomas Gleixner +Date: Thu, 13 Dec 2007 09:57:17 +0100 +Subject: clockevents: fix reprogramming decision in oneshot broadcast +To: Greg Kroah-Hartman +Cc: Thomas Gleixner , stable@kernel.org +Message-ID: <20071213085717.GA1926@elte.hu> +Content-Disposition: inline + +From: Thomas Gleixner + +patch cdc6f27d9e3c2f7ca1a3e19c6eabb1ad6a2add5d in mainline. + +A previous version of the code did the reprogramming of the broadcast +device in the return from idle code. This was removed, but the logic in +tick_handle_oneshot_broadcast() was kept the same. + +When a broadcast interrupt happens we signal the expiry to all CPUs +which have an expired event. If none of the CPUs has an expired event, +which can happen in dyntick mode, then we reprogram the broadcast +device. We do not reprogram otherwise, but this is only correct if all +CPUs, which are in the idle broadcast state have been woken up. + +The code ignores, that there might be pending not yet expired events on +other CPUs, which are in the idle broadcast state. So the delivery of +those events can be delayed for quite a time. + +Change the tick_handle_oneshot_broadcast() function to check for CPUs, +which are in broadcast state and are not woken up by the current event, +and enforce the rearming of the broadcast device for those CPUs. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Ingo Molnar + +--- + kernel/time/tick-broadcast.c | 56 ++++++++++++++++--------------------------- + 1 file changed, 21 insertions(+), 35 deletions(-) + +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -387,45 +387,19 @@ int tick_resume_broadcast_oneshot(struct + } + + /* +- * Reprogram the broadcast device: +- * +- * Called with tick_broadcast_lock held and interrupts disabled. +- */ +-static int tick_broadcast_reprogram(void) +-{ +- ktime_t expires = { .tv64 = KTIME_MAX }; +- struct tick_device *td; +- int cpu; +- +- /* +- * Find the event which expires next: +- */ +- for (cpu = first_cpu(tick_broadcast_oneshot_mask); cpu != NR_CPUS; +- cpu = next_cpu(cpu, tick_broadcast_oneshot_mask)) { +- td = &per_cpu(tick_cpu_device, cpu); +- if (td->evtdev->next_event.tv64 < expires.tv64) +- expires = td->evtdev->next_event; +- } +- +- if (expires.tv64 == KTIME_MAX) +- return 0; +- +- return tick_broadcast_set_event(expires, 0); +-} +- +-/* + * Handle oneshot mode broadcasting + */ + static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + { + struct tick_device *td; + cpumask_t mask; +- ktime_t now; ++ ktime_t now, next_event; + int cpu; + + spin_lock(&tick_broadcast_lock); + again: + dev->next_event.tv64 = KTIME_MAX; ++ next_event.tv64 = KTIME_MAX; + mask = CPU_MASK_NONE; + now = ktime_get(); + /* Find all expired events */ +@@ -434,19 +408,31 @@ again: + td = &per_cpu(tick_cpu_device, cpu); + if (td->evtdev->next_event.tv64 <= now.tv64) + cpu_set(cpu, mask); ++ else if (td->evtdev->next_event.tv64 < next_event.tv64) ++ next_event.tv64 = td->evtdev->next_event.tv64; + } + + /* +- * Wakeup the cpus which have an expired event. The broadcast +- * device is reprogrammed in the return from idle code. ++ * Wakeup the cpus which have an expired event. ++ */ ++ tick_do_broadcast(mask); ++ ++ /* ++ * Two reasons for reprogram: ++ * ++ * - The global event did not expire any CPU local ++ * events. This happens in dyntick mode, as the maximum PIT ++ * delta is quite small. ++ * ++ * - There are pending events on sleeping CPUs which were not ++ * in the event mask + */ +- if (!tick_do_broadcast(mask)) { ++ if (next_event.tv64 != KTIME_MAX) { + /* +- * The global event did not expire any CPU local +- * events. This happens in dyntick mode, as the +- * maximum PIT delta is quite small. ++ * Rearm the broadcast device. If event expired, ++ * repeat the above + */ +- if (tick_broadcast_reprogram()) ++ if (tick_broadcast_set_event(next_event, 0)) + goto again; + } + spin_unlock(&tick_broadcast_lock); diff --git a/queue-2.6.23/freezer-fix-apm-emulation-breakage.patch b/queue-2.6.23/freezer-fix-apm-emulation-breakage.patch new file mode 100644 index 00000000000..78b1b32b87a --- /dev/null +++ b/queue-2.6.23/freezer-fix-apm-emulation-breakage.patch @@ -0,0 +1,120 @@ +From rjw@sisk.pl Sun Dec 16 15:44:47 2007 +From: "Rafael J. Wysocki" +Date: Mon, 17 Dec 2007 01:03:46 +0100 +Subject: Freezer: Fix APM emulation breakage +To: Greg KH +Cc: Chuck Ebbert , Andrew Morton , Greg Kroah-Hartman , torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, stable@kernel.org +Message-ID: <200712170103.47097.rjw@sisk.pl> +Content-Disposition: inline + +From: Rafael J. Wysocki + +The APM emulation is currently broken as a result of commit +831441862956fffa17b9801db37e6ea1650b0f69 +"Freezer: make kernel threads nonfreezable by default" +that removed the PF_NOFREEZE annotations from apm_ioctl() without +adding the appropriate freezer hooks. Fix it and remove the +unnecessary variable flags from apm_ioctl(). + +This problem has been fixed in the mainline by +commit cb43c54ca05c01533c45e4d3abfe8f99b7acf624 +"Freezer: Fix APM emulation breakage". + +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/apm-emulation.c | 15 ++++++++------- + include/linux/freezer.h | 23 +++++++++++++++++++++++ + 2 files changed, 31 insertions(+), 7 deletions(-) + +--- a/drivers/char/apm-emulation.c ++++ b/drivers/char/apm-emulation.c +@@ -295,7 +295,6 @@ static int + apm_ioctl(struct inode * inode, struct file *filp, u_int cmd, u_long arg) + { + struct apm_user *as = filp->private_data; +- unsigned long flags; + int err = -EINVAL; + + if (!as->suser || !as->writer) +@@ -331,10 +330,16 @@ apm_ioctl(struct inode * inode, struct f + * Wait for the suspend/resume to complete. If there + * are pending acknowledges, we wait here for them. + */ +- flags = current->flags; ++ freezer_do_not_count(); + + wait_event(apm_suspend_waitqueue, + as->suspend_state == SUSPEND_DONE); ++ ++ /* ++ * Since we are waiting until the suspend is done, the ++ * try_to_freeze() in freezer_count() will not trigger ++ */ ++ freezer_count(); + } else { + as->suspend_state = SUSPEND_WAIT; + mutex_unlock(&state_lock); +@@ -362,14 +367,10 @@ apm_ioctl(struct inode * inode, struct f + * Wait for the suspend/resume to complete. If there + * are pending acknowledges, we wait here for them. + */ +- flags = current->flags; +- +- wait_event_interruptible(apm_suspend_waitqueue, ++ wait_event_freezable(apm_suspend_waitqueue, + as->suspend_state == SUSPEND_DONE); + } + +- current->flags = flags; +- + mutex_lock(&state_lock); + err = as->suspend_result; + as->suspend_state = SUSPEND_NONE; +--- a/include/linux/freezer.h ++++ b/include/linux/freezer.h +@@ -4,6 +4,7 @@ + #define FREEZER_H_INCLUDED + + #include ++#include + + #ifdef CONFIG_PM_SLEEP + /* +@@ -126,6 +127,24 @@ static inline void set_freezable(void) + current->flags &= ~PF_NOFREEZE; + } + ++/* ++ * Freezer-friendly wrapper around wait_event_interruptible(), originally ++ * defined in ++ */ ++ ++#define wait_event_freezable(wq, condition) \ ++({ \ ++ int __retval; \ ++ do { \ ++ __retval = wait_event_interruptible(wq, \ ++ (condition) || freezing(current)); \ ++ if (__retval && !freezing(current)) \ ++ break; \ ++ else if (!(condition)) \ ++ __retval = -ERESTARTSYS; \ ++ } while (try_to_freeze()); \ ++ __retval; \ ++}) + #else /* !CONFIG_PM_SLEEP */ + static inline int frozen(struct task_struct *p) { return 0; } + static inline int freezing(struct task_struct *p) { return 0; } +@@ -143,6 +162,10 @@ static inline void freezer_do_not_count( + static inline void freezer_count(void) {} + static inline int freezer_should_skip(struct task_struct *p) { return 0; } + static inline void set_freezable(void) {} ++ ++#define wait_event_freezable(wq, condition) \ ++ wait_event_interruptible(wq, condition) ++ + #endif /* !CONFIG_PM_SLEEP */ + + #endif /* FREEZER_H_INCLUDED */ diff --git a/queue-2.6.23/quicklist-set-tlb-need_flush-if-pages-are-remaining-in-quicklist-0.patch b/queue-2.6.23/quicklist-set-tlb-need_flush-if-pages-are-remaining-in-quicklist-0.patch new file mode 100644 index 00000000000..192b50e52ea --- /dev/null +++ b/queue-2.6.23/quicklist-set-tlb-need_flush-if-pages-are-remaining-in-quicklist-0.patch @@ -0,0 +1,49 @@ +From stable-bounces@linux.kernel.org Mon Dec 17 16:32:25 2007 +From: Christoph Lameter +Date: Mon, 17 Dec 2007 16:20:27 -0800 +Subject: quicklist: Set tlb->need_flush if pages are remaining in quicklist 0 +To: torvalds@linux-foundation.org +Cc: stable@kernel.org, akpm@linux-foundation.org, dhaval@linux.vnet.ibm.com, clameter@sgi.com +Message-ID: <200712180020.lBI0KSKF010011@imap1.linux-foundation.org> + + +From: Christoph Lameter + +patch 421d99193537a6522aac2148286f08792167d5fd in mainline. + +This ensures that the quicklists are drained. Otherwise draining may only +occur when the processor reaches an idle state. + +Fixes fatal leakage of pgd_t's on 2.6.22 and later. + +Signed-off-by: Christoph Lameter +Reported-by: Dhaval Giani +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + + +--- + include/asm-generic/tlb.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/asm-generic/tlb.h ++++ b/include/asm-generic/tlb.h +@@ -14,6 +14,7 @@ + #define _ASM_GENERIC__TLB_H + + #include ++#include + #include + #include + +@@ -85,6 +86,9 @@ tlb_flush_mmu(struct mmu_gather *tlb, un + static inline void + tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, unsigned long end) + { ++#ifdef CONFIG_QUICKLIST ++ tlb->need_flush += &__get_cpu_var(quicklist)[0].nr_pages != 0; ++#endif + tlb_flush_mmu(tlb, start, end); + + /* keep the page table cache within bounds */ diff --git a/queue-2.6.23/quicklists-do-not-release-off-node-pages-early.patch b/queue-2.6.23/quicklists-do-not-release-off-node-pages-early.patch new file mode 100644 index 00000000000..a55ed65dd81 --- /dev/null +++ b/queue-2.6.23/quicklists-do-not-release-off-node-pages-early.patch @@ -0,0 +1,43 @@ +From stable-bounces@linux.kernel.org Sat Dec 22 14:04:08 2007 +From: Christoph Lameter +Date: Sat, 22 Dec 2007 14:03:23 -0800 +Subject: quicklists: do not release off node pages early +To: torvalds@linux-foundation.org +Cc: stable@kernel.org, akpm@linux-foundation.org, dhaval@linux.vnet.ibm.com, clameter@sgi.com +Message-ID: <200712222203.lBMM3Nsk021922@imap1.linux-foundation.org> + + +From: Christoph Lameter + +patch ed367fc3a7349b17354c7acef551533337764859 in mainline. + +quicklists must keep even off node pages on the quicklists until the TLB +flush has been completed. + +Signed-off-by: Christoph Lameter +Cc: Dhaval Giani +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/quicklist.h | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/include/linux/quicklist.h ++++ b/include/linux/quicklist.h +@@ -56,14 +56,6 @@ static inline void __quicklist_free(int + struct page *page) + { + struct quicklist *q; +- int nid = page_to_nid(page); +- +- if (unlikely(nid != numa_node_id())) { +- if (dtor) +- dtor(p); +- __free_page(page); +- return; +- } + + q = &get_cpu_var(quicklist)[nr]; + *(void **)p = q->page; diff --git a/queue-2.6.23/quicklists-only-consider-memory-that-can-be-used-with-gfp_kernel.patch b/queue-2.6.23/quicklists-only-consider-memory-that-can-be-used-with-gfp_kernel.patch new file mode 100644 index 00000000000..e320440dc79 --- /dev/null +++ b/queue-2.6.23/quicklists-only-consider-memory-that-can-be-used-with-gfp_kernel.patch @@ -0,0 +1,50 @@ +From stable-bounces@linux.kernel.org Tue Jan 15 10:52:21 2008 +From: Christoph Lameter +Date: Wed, 16 Jan 2008 00:21:19 +0530 +Subject: quicklists: Only consider memory that can be used with GFP_KERNEL +To: gregkh@suse.de +Cc: Andrew Morton , stable@kernel.org, clameter@sgi.com +Message-ID: <20080115185119.GA6806@linux.vnet.ibm.com> +Content-Disposition: inline + +From: Christoph Lameter + +patch 96990a4ae979df9e235d01097d6175759331e88c in mainline. + +Quicklists calculates the size of the quicklists based on the number of +free pages. This must be the number of free pages that can be allocated +with GFP_KERNEL. node_page_state() includes the pages in ZONE_HIGHMEM and +ZONE_MOVABLE which may lead the quicklists to become too large causing OOM. + +Signed-off-by: Christoph Lameter +Tested-by: Dhaval Giani +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/quicklist.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/mm/quicklist.c ++++ b/mm/quicklist.c +@@ -26,9 +26,17 @@ DEFINE_PER_CPU(struct quicklist, quickli + static unsigned long max_pages(unsigned long min_pages) + { + unsigned long node_free_pages, max; ++ struct zone *zones = NODE_DATA(numa_node_id())->node_zones; ++ ++ node_free_pages = ++#ifdef CONFIG_ZONE_DMA ++ zone_page_state(&zones[ZONE_DMA], NR_FREE_PAGES) + ++#endif ++#ifdef CONFIG_ZONE_DMA32 ++ zone_page_state(&zones[ZONE_DMA32], NR_FREE_PAGES) + ++#endif ++ zone_page_state(&zones[ZONE_NORMAL], NR_FREE_PAGES); + +- node_free_pages = node_page_state(numa_node_id(), +- NR_FREE_PAGES); + max = node_free_pages / FRACTION_OF_NODE_MEM; + return max(max, min_pages); + } diff --git a/queue-2.6.23/series b/queue-2.6.23/series index 2b6a0661464..982c1d7cee4 100644 --- a/queue-2.6.23/series +++ b/queue-2.6.23/series @@ -37,3 +37,9 @@ acpi-apply-quirk_ich6_lpc_acpi-to-more-ich8-and-ich9.patch pm-acpi-and-apm-must-not-be-enabled-at-the-same-time.patch crypto-padlock-fix-spurious-ecb-page-fault.patch usb-update-sierra.c-with-latest-device-ids-that-are-in-2.6.24-rc7.patch +clockevents-fix-reprogramming-decision-in-oneshot-broadcast.patch +freezer-fix-apm-emulation-breakage.patch +vfs-coredumping-fix.patch +quicklist-set-tlb-need_flush-if-pages-are-remaining-in-quicklist-0.patch +quicklists-do-not-release-off-node-pages-early.patch +quicklists-only-consider-memory-that-can-be-used-with-gfp_kernel.patch diff --git a/queue-2.6.23/vfs-coredumping-fix.patch b/queue-2.6.23/vfs-coredumping-fix.patch new file mode 100644 index 00000000000..1073022b11a --- /dev/null +++ b/queue-2.6.23/vfs-coredumping-fix.patch @@ -0,0 +1,48 @@ +From stable-bounces@linux.kernel.org Mon Dec 17 12:18:29 2007 +From: Ingo Molnar +Date: Mon, 17 Dec 2007 21:17:56 +0100 +Subject: vfs: coredumping fix (CVE-2007-6206) +To: stable@kernel.org +Cc: Ingo Molnar +Message-ID: <20071217201756.GA15344@stro.at> +Content-Disposition: inline + + +From: Ingo Molnar + +vfs: coredumping fix + +patch c46f739dd39db3b07ab5deb4e3ec81e1c04a91af in mainline + +fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043 + +only allow coredumping to the same uid that the coredumping +task runs under. + +Signed-off-by: Ingo Molnar +Acked-by: Alan Cox +Acked-by: Christoph Hellwig +Acked-by: Al Viro +Signed-off-by: Linus Torvalds +Cc: maximilian attems +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1786,6 +1786,12 @@ int do_coredump(long signr, int exit_cod + but keep the previous behaviour for now. */ + if (!ispipe && !S_ISREG(inode->i_mode)) + goto close_fail; ++ /* ++ * Dont allow local users get cute and trick others to coredump ++ * into their pre-created files: ++ */ ++ if (inode->i_uid != current->fsuid) ++ goto close_fail; + if (!file->f_op) + goto close_fail; + if (!file->f_op->write)