From 31d43fe8aa4fdb9ff944d38f47cd34f07b6dea03 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 11 Dec 2008 09:43:58 -0800 Subject: [PATCH] more .27 patches --- .../acpi-delete-osi-dmi-dmesg-spam.patch | 72 ++++++++ ...ion-in-binfmt_script-and-binfmt_misc.patch | 109 ++++++++++++ ...tv-hid-quirk-for-appletv-ir-receiver.patch | 39 ++++ ...a-regression-in-cifs-umount-codepath.patch | 151 ++++++++++++++++ .../fix-mapping_writably_mapped.patch | 70 ++++++++ ...agemap-fix-32-bit-pagemap-regression.patch | 40 +++++ ...leaking-slot_name-in-pci_create_slot.patch | 31 ++++ ...aiting-for-pci-config-bits-to-switch.patch | 100 +++++++++++ ...e-the-resource-type-an-unsigned-long.patch | 85 +++++++++ ...5-fix-virtex5-machine-check-handling.patch | 55 ++++++ .../sched-cpu-remove-deadlock-fix.patch | 54 ++++++ queue-2.6.27/series | 13 ++ .../tracehook-exec-double-reporting-fix.patch | 166 ++++++++++++++++++ ...ml-boot-broken-due-to-buffer-overrun.patch | 48 +++++ 14 files changed, 1033 insertions(+) create mode 100644 queue-2.6.27/acpi-delete-osi-dmi-dmesg-spam.patch create mode 100644 queue-2.6.27/allow-recursion-in-binfmt_script-and-binfmt_misc.patch create mode 100644 queue-2.6.27/atv-hid-quirk-for-appletv-ir-receiver.patch create mode 100644 queue-2.6.27/cifs-fix-a-regression-in-cifs-umount-codepath.patch create mode 100644 queue-2.6.27/fix-mapping_writably_mapped.patch create mode 100644 queue-2.6.27/pagemap-fix-32-bit-pagemap-regression.patch create mode 100644 queue-2.6.27/pci-stop-leaking-slot_name-in-pci_create_slot.patch create mode 100644 queue-2.6.27/pcie-aspm-break-out-of-endless-loop-waiting-for-pci-config-bits-to-switch.patch create mode 100644 queue-2.6.27/pnp-make-the-resource-type-an-unsigned-long.patch create mode 100644 queue-2.6.27/powerpc-virtex5-fix-virtex5-machine-check-handling.patch create mode 100644 queue-2.6.27/sched-cpu-remove-deadlock-fix.patch create mode 100644 queue-2.6.27/tracehook-exec-double-reporting-fix.patch create mode 100644 queue-2.6.27/uml-boot-broken-due-to-buffer-overrun.patch diff --git a/queue-2.6.27/acpi-delete-osi-dmi-dmesg-spam.patch b/queue-2.6.27/acpi-delete-osi-dmi-dmesg-spam.patch new file mode 100644 index 00000000000..74310b57207 --- /dev/null +++ b/queue-2.6.27/acpi-delete-osi-dmi-dmesg-spam.patch @@ -0,0 +1,72 @@ +From lenb@kernel.org Thu Dec 11 08:47:13 2008 +From: Len Brown +Date: Mon, 08 Dec 2008 16:03:07 -0500 (EST) +Subject: ACPI: delete OSI(Linux) DMI dmesg spam +To: stable@kernel.org +Message-ID: + +From: Len Brown + +With the 2.6.28 commit a6e0887f21bbab337ee32d9c0a84d7c0b6e9141b, we now +have fixed up the ACPI DMI code, so stop asking for people to report the +issues to the acpi developers, it is no longer needed at all. + +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/osl.c | 36 ------------------------------------ + 1 file changed, 36 deletions(-) + +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1261,34 +1261,6 @@ acpi_status acpi_os_release_object(acpi_ + return (AE_OK); + } + +-/** +- * acpi_dmi_dump - dump DMI slots needed for blacklist entry +- * +- * Returns 0 on success +- */ +-static int acpi_dmi_dump(void) +-{ +- +- if (!dmi_available) +- return -1; +- +- printk(KERN_NOTICE PREFIX "DMI System Vendor: %s\n", +- dmi_get_system_info(DMI_SYS_VENDOR)); +- printk(KERN_NOTICE PREFIX "DMI Product Name: %s\n", +- dmi_get_system_info(DMI_PRODUCT_NAME)); +- printk(KERN_NOTICE PREFIX "DMI Product Version: %s\n", +- dmi_get_system_info(DMI_PRODUCT_VERSION)); +- printk(KERN_NOTICE PREFIX "DMI Board Name: %s\n", +- dmi_get_system_info(DMI_BOARD_NAME)); +- printk(KERN_NOTICE PREFIX "DMI BIOS Vendor: %s\n", +- dmi_get_system_info(DMI_BIOS_VENDOR)); +- printk(KERN_NOTICE PREFIX "DMI BIOS Date: %s\n", +- dmi_get_system_info(DMI_BIOS_DATE)); +- +- return 0; +-} +- +- + /****************************************************************************** + * + * FUNCTION: acpi_os_validate_interface +@@ -1315,14 +1287,6 @@ acpi_os_validate_interface (char *interf + osi_linux.cmdline ? " via cmdline" : + osi_linux.dmi ? " via DMI" : ""); + +- if (!osi_linux.dmi) { +- if (acpi_dmi_dump()) +- printk(KERN_NOTICE PREFIX +- "[please extract dmidecode output]\n"); +- printk(KERN_NOTICE PREFIX +- "Please send DMI info above to " +- "linux-acpi@vger.kernel.org\n"); +- } + if (!osi_linux.known && !osi_linux.cmdline) { + printk(KERN_NOTICE PREFIX + "If \"acpi_osi=%sLinux\" works better, " diff --git a/queue-2.6.27/allow-recursion-in-binfmt_script-and-binfmt_misc.patch b/queue-2.6.27/allow-recursion-in-binfmt_script-and-binfmt_misc.patch new file mode 100644 index 00000000000..2d2bb129b2b --- /dev/null +++ b/queue-2.6.27/allow-recursion-in-binfmt_script-and-binfmt_misc.patch @@ -0,0 +1,109 @@ +From bf2a9a39639b8b51377905397a5005f444e9a892 Mon Sep 17 00:00:00 2001 +From: Kirill A. Shutemov +Date: Wed, 15 Oct 2008 22:02:39 -0700 +Subject: Allow recursion in binfmt_script and binfmt_misc + +From: Kirill A. Shutemov + +commit bf2a9a39639b8b51377905397a5005f444e9a892 upstream. + +binfmt_script and binfmt_misc disallow recursion to avoid stack overflow +using sh_bang and misc_bang. It causes problem in some cases: + +$ echo '#!/bin/ls' > /tmp/t0 +$ echo '#!/tmp/t0' > /tmp/t1 +$ echo '#!/tmp/t1' > /tmp/t2 +$ chmod +x /tmp/t* +$ /tmp/t2 +zsh: exec format error: /tmp/t2 + +Similar problem with binfmt_misc. + +This patch introduces field 'recursion_depth' into struct linux_binprm to +track recursion level in binfmt_misc and binfmt_script. If recursion +level more then BINPRM_MAX_RECURSION it generates -ENOEXEC. + +[akpm@linux-foundation.org: make linux_binprm.recursion_depth a uint] +Signed-off-by: Kirill A. Shutemov +Cc: Pavel Emelyanov +Cc: Alexander Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/binfmt_em86.c | 2 +- + fs/binfmt_misc.c | 4 ++-- + fs/binfmt_script.c | 5 +++-- + include/linux/binfmts.h | 2 ++ + 4 files changed, 8 insertions(+), 5 deletions(-) + +--- a/fs/binfmt_em86.c ++++ b/fs/binfmt_em86.c +@@ -43,7 +43,7 @@ static int load_em86(struct linux_binprm + return -ENOEXEC; + } + +- bprm->sh_bang = 1; /* Well, the bang-shell is implicit... */ ++ bprm->recursion_depth++; /* Well, the bang-shell is implicit... */ + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -117,7 +117,7 @@ static int load_misc_binary(struct linux + goto _ret; + + retval = -ENOEXEC; +- if (bprm->misc_bang) ++ if (bprm->recursion_depth > BINPRM_MAX_RECURSION) + goto _ret; + + /* to keep locking time low, we copy the interpreter string */ +@@ -197,7 +197,7 @@ static int load_misc_binary(struct linux + if (retval < 0) + goto _error; + +- bprm->misc_bang = 1; ++ bprm->recursion_depth++; + + retval = search_binary_handler (bprm, regs); + if (retval < 0) +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -22,14 +22,15 @@ static int load_script(struct linux_binp + char interp[BINPRM_BUF_SIZE]; + int retval; + +- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || (bprm->sh_bang)) ++ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || ++ (bprm->recursion_depth > BINPRM_MAX_RECURSION)) + return -ENOEXEC; + /* + * This section does the #! interpretation. + * Sorta complicated, but hopefully it will work. -TYT + */ + +- bprm->sh_bang = 1; ++ bprm->recursion_depth++; + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; +--- a/include/linux/binfmts.h ++++ b/include/linux/binfmts.h +@@ -36,6 +36,7 @@ struct linux_binprm{ + unsigned long p; /* current top of mem */ + unsigned int sh_bang:1, + misc_bang:1; ++ unsigned int recursion_depth; + struct file * file; + int e_uid, e_gid; + kernel_cap_t cap_post_exec_permitted; +@@ -58,6 +59,7 @@ struct linux_binprm{ + #define BINPRM_FLAGS_EXECFD_BIT 1 + #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT) + ++#define BINPRM_MAX_RECURSION 4 + + /* + * This structure defines the functions that are used to load the binary formats that diff --git a/queue-2.6.27/atv-hid-quirk-for-appletv-ir-receiver.patch b/queue-2.6.27/atv-hid-quirk-for-appletv-ir-receiver.patch new file mode 100644 index 00000000000..1d565d06b1b --- /dev/null +++ b/queue-2.6.27/atv-hid-quirk-for-appletv-ir-receiver.patch @@ -0,0 +1,39 @@ +From jacmet@sunsite.dk Thu Dec 11 08:34:44 2008 +From: Peter Korsgaard +Date: Mon, 6 Oct 2008 10:02:58 +0200 +Subject: atv: hid quirk for appletv IR receiver +To: Greg KH +Message-ID: <87hc5boh5d.fsf@macbook.be.48ers.dk> + +From: Peter Korsgaard + +(2.6.27 backport of 0f492f2a) + +Similar to the existing IRCONTROL4 handling + +Signed-off-by: Peter Korsgaard +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hid-quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -83,6 +83,7 @@ + #define USB_DEVICE_ID_APPLE_WELLSPRING2_JIS 0x0232 + #define USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY 0x030a + #define USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY 0x030b ++#define USB_DEVICE_ID_APPLE_ATV_IRCONTROL 0x8241 + #define USB_DEVICE_ID_APPLE_IRCONTROL4 0x8242 + + #define USB_VENDOR_ID_ASUS 0x0b05 +@@ -458,6 +459,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_AFATECH, USB_DEVICE_ID_AFATECH_AF9016, HID_QUIRK_FULLSPEED_INTERVAL }, + + { USB_VENDOR_ID_BELKIN, USB_DEVICE_ID_FLIP_KVM, HID_QUIRK_HIDDEV }, ++ { USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ATV_IRCONTROL, HID_QUIRK_HIDDEV | HID_QUIRK_IGNORE_HIDINPUT }, + { USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_IRCONTROL4, HID_QUIRK_HIDDEV | HID_QUIRK_IGNORE_HIDINPUT }, + { USB_VENDOR_ID_SAMSUNG, USB_DEVICE_ID_SAMSUNG_IR_REMOTE, HID_QUIRK_HIDDEV | HID_QUIRK_IGNORE_HIDINPUT }, + { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_SIDEWINDER_GV, HID_QUIRK_HIDINPUT }, diff --git a/queue-2.6.27/cifs-fix-a-regression-in-cifs-umount-codepath.patch b/queue-2.6.27/cifs-fix-a-regression-in-cifs-umount-codepath.patch new file mode 100644 index 00000000000..ac4abdb60ac --- /dev/null +++ b/queue-2.6.27/cifs-fix-a-regression-in-cifs-umount-codepath.patch @@ -0,0 +1,151 @@ +From jlayton@redhat.com Thu Dec 11 08:49:55 2008 +From: Jeff Layton +Date: Wed, 10 Dec 2008 06:44:29 -0500 +Subject: cifs: fix a regression in cifs umount codepath +To: greg@kroah.com, stable@kernel.org +Cc: smfrench@gmail.com, shirishp@us.ibm.com, sjayaraman@suse.de +Message-ID: <1228909469-438-1-git-send-email-jlayton@redhat.com> + +From: Jeff Layton + +backport of 469ee614aaa367d9cde01cbdd2027212f56c6cc6 upstream. + +Several cifs patches were added to 2.6.27.8 to fix some races in the +mount/umount codepath. When this was done, a couple of prerequisite +patches were missed causing a minor regression. + +When the last cifs mount to a server goes away, the kthread that manages +the socket is supposed to come down. The patches that went into 2.6.27.8 +removed the kthread_stop calls that used to take down these threads, but +left the thread function expecting them. This made the thread stay up +even after the last mount was gone. + +This patch should fix up this regression and also prevent a possible +race where a dead task could be signalled. + +Signed-off-by: Jeff Layton +Cc: Suresh Jayaraman +Acked-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -128,7 +128,7 @@ cifs_reconnect(struct TCP_Server_Info *s + struct mid_q_entry *mid_entry; + + spin_lock(&GlobalMid_Lock); +- if (kthread_should_stop()) { ++ if (server->tcpStatus == CifsExiting) { + /* the demux thread will exit normally + next time through the loop */ + spin_unlock(&GlobalMid_Lock); +@@ -182,7 +182,8 @@ cifs_reconnect(struct TCP_Server_Info *s + spin_unlock(&GlobalMid_Lock); + up(&server->tcpSem); + +- while ((!kthread_should_stop()) && (server->tcpStatus != CifsGood)) { ++ while ((server->tcpStatus != CifsExiting) && ++ (server->tcpStatus != CifsGood)) { + try_to_freeze(); + if (server->addr.sockAddr6.sin6_family == AF_INET6) { + rc = ipv6_connect(&server->addr.sockAddr6, +@@ -200,7 +201,7 @@ cifs_reconnect(struct TCP_Server_Info *s + } else { + atomic_inc(&tcpSesReconnectCount); + spin_lock(&GlobalMid_Lock); +- if (!kthread_should_stop()) ++ if (server->tcpStatus != CifsExiting) + server->tcpStatus = CifsGood; + server->sequence_number = 0; + spin_unlock(&GlobalMid_Lock); +@@ -355,7 +356,7 @@ cifs_demultiplex_thread(struct TCP_Serve + GFP_KERNEL); + + set_freezable(); +- while (!kthread_should_stop()) { ++ while (server->tcpStatus != CifsExiting) { + if (try_to_freeze()) + continue; + if (bigbuf == NULL) { +@@ -396,7 +397,7 @@ incomplete_rcv: + kernel_recvmsg(csocket, &smb_msg, + &iov, 1, pdu_length, 0 /* BB other flags? */); + +- if (kthread_should_stop()) { ++ if (server->tcpStatus == CifsExiting) { + break; + } else if (server->tcpStatus == CifsNeedReconnect) { + cFYI(1, ("Reconnect after server stopped responding")); +@@ -527,7 +528,7 @@ incomplete_rcv: + total_read += length) { + length = kernel_recvmsg(csocket, &smb_msg, &iov, 1, + pdu_length - total_read, 0); +- if (kthread_should_stop() || ++ if ((server->tcpStatus == CifsExiting) || + (length == -EINTR)) { + /* then will exit */ + reconnect = 2; +@@ -661,14 +662,6 @@ multi_t2_fnd: + spin_unlock(&GlobalMid_Lock); + wake_up_all(&server->response_q); + +- /* don't exit until kthread_stop is called */ +- set_current_state(TASK_UNINTERRUPTIBLE); +- while (!kthread_should_stop()) { +- schedule(); +- set_current_state(TASK_UNINTERRUPTIBLE); +- } +- set_current_state(TASK_RUNNING); +- + /* check if we have blocked requests that need to free */ + /* Note that cifs_max_pending is normally 50, but + can be set at module install time to as little as two */ +@@ -764,6 +757,7 @@ multi_t2_fnd: + read_unlock(&cifs_tcp_ses_lock); + + kfree(server->hostname); ++ task_to_wake = xchg(&server->tsk, NULL); + kfree(server); + + length = atomic_dec_return(&tcpSesAllocCount); +@@ -771,6 +765,16 @@ multi_t2_fnd: + mempool_resize(cifs_req_poolp, length + cifs_min_rcv, + GFP_KERNEL); + ++ /* if server->tsk was NULL then wait for a signal before exiting */ ++ if (!task_to_wake) { ++ set_current_state(TASK_INTERRUPTIBLE); ++ while (!signal_pending(current)) { ++ schedule(); ++ set_current_state(TASK_INTERRUPTIBLE); ++ } ++ set_current_state(TASK_RUNNING); ++ } ++ + return 0; + } + +@@ -2310,7 +2314,7 @@ cifs_mount(struct super_block *sb, struc + /* on error free sesinfo and tcon struct if needed */ + mount_fail_check: + if (rc) { +- /* If find_unc succeeded then rc == 0 so we can not end */ ++ /* If find_unc succeeded then rc == 0 so we can not end */ + /* up accidently freeing someone elses tcon struct */ + if (tcon) + cifs_put_tcon(tcon); +@@ -3715,8 +3719,10 @@ int cifs_setup_session(unsigned int xid, + cERROR(1, ("Send error in SessSetup = %d", rc)); + } else { + cFYI(1, ("CIFS Session Established successfully")); ++ spin_lock(&GlobalMid_Lock); + pSesInfo->status = CifsGood; + pSesInfo->need_reconnect = false; ++ spin_unlock(&GlobalMid_Lock); + } + + ss_err_exit: diff --git a/queue-2.6.27/fix-mapping_writably_mapped.patch b/queue-2.6.27/fix-mapping_writably_mapped.patch new file mode 100644 index 00000000000..7a27fc52e48 --- /dev/null +++ b/queue-2.6.27/fix-mapping_writably_mapped.patch @@ -0,0 +1,70 @@ +From b88ed20594db2c685555b68c52b693b75738b2f5 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Wed, 10 Dec 2008 20:48:52 +0000 +Subject: fix mapping_writably_mapped() + +From: Hugh Dickins + +commit b88ed20594db2c685555b68c52b693b75738b2f5 upstream. + +Lee Schermerhorn noticed yesterday that I broke the mapping_writably_mapped +test in 2.6.7! Bad bad bug, good good find. + +The i_mmap_writable count must be incremented for VM_SHARED (just as +i_writecount is for VM_DENYWRITE, but while holding the i_mmap_lock) +when dup_mmap() copies the vma for fork: it has its own more optimal +version of __vma_link_file(), and I missed this out. So the count +was later going down to 0 (dangerous) when one end unmapped, then +wrapping negative (inefficient) when the other end unmapped. + +The only impact on x86 would have been that setting a mandatory lock on +a file which has at some time been opened O_RDWR and mapped MAP_SHARED +(but not necessarily PROT_WRITE) across a fork, might fail with -EAGAIN +when it should succeed, or succeed when it should fail. + +But those architectures which rely on flush_dcache_page() to flush +userspace modifications back into the page before the kernel reads it, +may in some cases have skipped the flush after such a fork - though any +repetitive test will soon wrap the count negative, in which case it will +flush_dcache_page() unnecessarily. + +Fix would be a two-liner, but mapping variable added, and comment moved. + +Reported-by: Lee Schermerhorn +Signed-off-by: Hugh Dickins +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -313,17 +313,20 @@ static int dup_mmap(struct mm_struct *mm + file = tmp->vm_file; + if (file) { + struct inode *inode = file->f_path.dentry->d_inode; ++ struct address_space *mapping = file->f_mapping; ++ + get_file(file); + if (tmp->vm_flags & VM_DENYWRITE) + atomic_dec(&inode->i_writecount); +- +- /* insert tmp into the share list, just after mpnt */ +- spin_lock(&file->f_mapping->i_mmap_lock); ++ spin_lock(&mapping->i_mmap_lock); ++ if (tmp->vm_flags & VM_SHARED) ++ mapping->i_mmap_writable++; + tmp->vm_truncate_count = mpnt->vm_truncate_count; +- flush_dcache_mmap_lock(file->f_mapping); ++ flush_dcache_mmap_lock(mapping); ++ /* insert tmp into the share list, just after mpnt */ + vma_prio_tree_add(tmp, mpnt); +- flush_dcache_mmap_unlock(file->f_mapping); +- spin_unlock(&file->f_mapping->i_mmap_lock); ++ flush_dcache_mmap_unlock(mapping); ++ spin_unlock(&mapping->i_mmap_lock); + } + + /* diff --git a/queue-2.6.27/pagemap-fix-32-bit-pagemap-regression.patch b/queue-2.6.27/pagemap-fix-32-bit-pagemap-regression.patch new file mode 100644 index 00000000000..2a968a26d9e --- /dev/null +++ b/queue-2.6.27/pagemap-fix-32-bit-pagemap-regression.patch @@ -0,0 +1,40 @@ +From 49c50342c728344b79c8f9e8293637fe80ef5ad5 Mon Sep 17 00:00:00 2001 +From: Matt Mackall +Date: Tue, 9 Dec 2008 13:14:21 -0800 +Subject: pagemap: fix 32-bit pagemap regression + +From: Matt Mackall + +commit 49c50342c728344b79c8f9e8293637fe80ef5ad5 upstream. + +The large pages fix from bcf8039ed45 broke 32-bit pagemap by pulling the +pagemap entry code out into a function with the wrong return type. +Pagemap entries are 64 bits on all systems and unsigned long is only 32 +bits on 32-bit systems. + +Signed-off-by: Matt Mackall +Reported-by: Doug Graham +Cc: Alexey Dobriyan +Cc: Dave Hansen +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/task_mmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -563,9 +563,9 @@ static u64 swap_pte_to_pagemap_entry(pte + return swp_type(e) | (swp_offset(e) << MAX_SWAPFILES_SHIFT); + } + +-static unsigned long pte_to_pagemap_entry(pte_t pte) ++static u64 pte_to_pagemap_entry(pte_t pte) + { +- unsigned long pme = 0; ++ u64 pme = 0; + if (is_swap_pte(pte)) + pme = PM_PFRAME(swap_pte_to_pagemap_entry(pte)) + | PM_PSHIFT(PAGE_SHIFT) | PM_SWAP; diff --git a/queue-2.6.27/pci-stop-leaking-slot_name-in-pci_create_slot.patch b/queue-2.6.27/pci-stop-leaking-slot_name-in-pci_create_slot.patch new file mode 100644 index 00000000000..cb41a23fe18 --- /dev/null +++ b/queue-2.6.27/pci-stop-leaking-slot_name-in-pci_create_slot.patch @@ -0,0 +1,31 @@ +From 3b5dd45e947ecd21491e1658fba7bb4bc4a54995 Mon Sep 17 00:00:00 2001 +From: Alex Chiang +Date: Mon, 1 Dec 2008 18:17:21 -0700 +Subject: PCI: stop leaking 'slot_name' in pci_create_slot + +From: Alex Chiang + +commit 3b5dd45e947ecd21491e1658fba7bb4bc4a54995 upstream. + +In pci_create_slot(), the local variable 'slot_name' is allocated by +make_slot_name(), but never freed. We never use it after passing it to +the kobject core, so we should free it upon function exit. + +Signed-off-by: Alex Chiang +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/slot.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -243,6 +243,7 @@ placeholder: + __func__, pci_domain_nr(parent), parent->number, slot_nr); + + out: ++ kfree(slot_name); + up_write(&pci_bus_sem); + return slot; + err: diff --git a/queue-2.6.27/pcie-aspm-break-out-of-endless-loop-waiting-for-pci-config-bits-to-switch.patch b/queue-2.6.27/pcie-aspm-break-out-of-endless-loop-waiting-for-pci-config-bits-to-switch.patch new file mode 100644 index 00000000000..d7d208f9085 --- /dev/null +++ b/queue-2.6.27/pcie-aspm-break-out-of-endless-loop-waiting-for-pci-config-bits-to-switch.patch @@ -0,0 +1,100 @@ +From 2a42d9dba7842422ffb2c02e75288a8bc2fd5065 Mon Sep 17 00:00:00 2001 +From: Thomas Renninger +Date: Tue, 9 Dec 2008 13:05:09 +0100 +Subject: PCIe: ASPM: Break out of endless loop waiting for PCI config bits to switch + +From: Thomas Renninger + +commit 2a42d9dba7842422ffb2c02e75288a8bc2fd5065 upstream. + +Makes a Compaq 6735s boot reliably again. It used to hang in the loop +on some boots. Give the link one second to train, otherwise break out +of the loop and reset the previously set clock bits. + +Signed-off-by: Thomas Renninger +Signed-off-by: Shaohua Li +Signed-off-by: Matthew Garrett +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pcie/aspm.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include "../pci.h" + +@@ -161,11 +162,12 @@ static void pcie_check_clock_pm(struct p + */ + static void pcie_aspm_configure_common_clock(struct pci_dev *pdev) + { +- int pos, child_pos; ++ int pos, child_pos, i = 0; + u16 reg16 = 0; + struct pci_dev *child_dev; + int same_clock = 1; +- ++ unsigned long start_jiffies; ++ u16 child_regs[8], parent_reg; + /* + * all functions of a slot should have the same Slot Clock + * Configuration, so just check one function +@@ -191,16 +193,19 @@ static void pcie_aspm_configure_common_c + child_pos = pci_find_capability(child_dev, PCI_CAP_ID_EXP); + pci_read_config_word(child_dev, child_pos + PCI_EXP_LNKCTL, + ®16); ++ child_regs[i] = reg16; + if (same_clock) + reg16 |= PCI_EXP_LNKCTL_CCC; + else + reg16 &= ~PCI_EXP_LNKCTL_CCC; + pci_write_config_word(child_dev, child_pos + PCI_EXP_LNKCTL, + reg16); ++ i++; + } + + /* Configure upstream component */ + pci_read_config_word(pdev, pos + PCI_EXP_LNKCTL, ®16); ++ parent_reg = reg16; + if (same_clock) + reg16 |= PCI_EXP_LNKCTL_CCC; + else +@@ -212,12 +217,30 @@ static void pcie_aspm_configure_common_c + pci_write_config_word(pdev, pos + PCI_EXP_LNKCTL, reg16); + + /* Wait for link training end */ +- while (1) { ++ /* break out after waiting for 1 second */ ++ start_jiffies = jiffies; ++ while ((jiffies - start_jiffies) < HZ) { + pci_read_config_word(pdev, pos + PCI_EXP_LNKSTA, ®16); + if (!(reg16 & PCI_EXP_LNKSTA_LT)) + break; + cpu_relax(); + } ++ /* training failed -> recover */ ++ if ((jiffies - start_jiffies) >= HZ) { ++ dev_printk (KERN_ERR, &pdev->dev, "ASPM: Could not configure" ++ " common clock\n"); ++ i = 0; ++ list_for_each_entry(child_dev, &pdev->subordinate->devices, ++ bus_list) { ++ child_pos = pci_find_capability(child_dev, ++ PCI_CAP_ID_EXP); ++ pci_write_config_word(child_dev, ++ child_pos + PCI_EXP_LNKCTL, ++ child_regs[i]); ++ i++; ++ } ++ pci_write_config_word(pdev, pos + PCI_EXP_LNKCTL, parent_reg); ++ } + } + + /* diff --git a/queue-2.6.27/pnp-make-the-resource-type-an-unsigned-long.patch b/queue-2.6.27/pnp-make-the-resource-type-an-unsigned-long.patch new file mode 100644 index 00000000000..171f614ca0e --- /dev/null +++ b/queue-2.6.27/pnp-make-the-resource-type-an-unsigned-long.patch @@ -0,0 +1,85 @@ +From b563cf59c4d67da7d671788a9848416bfa4180ab Mon Sep 17 00:00:00 2001 +From: Rene Herman +Date: Wed, 15 Oct 2008 22:03:58 -0700 +Subject: pnp: make the resource type an unsigned long + +From: Rene Herman + +commit b563cf59c4d67da7d671788a9848416bfa4180ab upstream. + +PnP encodes the resource type directly as its struct resource->flags value +which is an unsigned long. Make it so... + +Signed-off-by: Rene Herman +Cc: "H. Peter Anvin" +Acked-by: Bjorn Helgaas +Cc: Andi Kleen +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pnp/base.h | 2 +- + drivers/pnp/quirks.c | 2 +- + drivers/pnp/resource.c | 4 ++-- + include/linux/pnp.h | 6 ++++-- + 4 files changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/pnp/base.h ++++ b/drivers/pnp/base.h +@@ -147,7 +147,7 @@ char *pnp_resource_type_name(struct reso + void dbg_pnp_show_resources(struct pnp_dev *dev, char *desc); + + void pnp_free_resources(struct pnp_dev *dev); +-int pnp_resource_type(struct resource *res); ++unsigned long pnp_resource_type(struct resource *res); + + struct pnp_resource { + struct list_head list; +--- a/drivers/pnp/quirks.c ++++ b/drivers/pnp/quirks.c +@@ -245,7 +245,7 @@ static void quirk_system_pci_resources(s + */ + for_each_pci_dev(pdev) { + for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) { +- unsigned int type; ++ unsigned long type; + + type = pci_resource_flags(pdev, i) & + (IORESOURCE_IO | IORESOURCE_MEM); +--- a/drivers/pnp/resource.c ++++ b/drivers/pnp/resource.c +@@ -467,14 +467,14 @@ int pnp_check_dma(struct pnp_dev *dev, s + #endif + } + +-int pnp_resource_type(struct resource *res) ++unsigned long pnp_resource_type(struct resource *res) + { + return res->flags & (IORESOURCE_IO | IORESOURCE_MEM | + IORESOURCE_IRQ | IORESOURCE_DMA); + } + + struct resource *pnp_get_resource(struct pnp_dev *dev, +- unsigned int type, unsigned int num) ++ unsigned long type, unsigned int num) + { + struct pnp_resource *pnp_res; + struct resource *res; +--- a/include/linux/pnp.h ++++ b/include/linux/pnp.h +@@ -22,9 +22,11 @@ struct pnp_dev; + * Resource Management + */ + #ifdef CONFIG_PNP +-struct resource *pnp_get_resource(struct pnp_dev *, unsigned int, unsigned int); ++struct resource *pnp_get_resource(struct pnp_dev *dev, unsigned long type, ++ unsigned int num); + #else +-static inline struct resource *pnp_get_resource(struct pnp_dev *dev, unsigned int type, unsigned int num) ++static inline struct resource *pnp_get_resource(struct pnp_dev *dev, ++ unsigned long type, unsigned int num) + { + return NULL; + } diff --git a/queue-2.6.27/powerpc-virtex5-fix-virtex5-machine-check-handling.patch b/queue-2.6.27/powerpc-virtex5-fix-virtex5-machine-check-handling.patch new file mode 100644 index 00000000000..c1fc6e6c9a6 --- /dev/null +++ b/queue-2.6.27/powerpc-virtex5-fix-virtex5-machine-check-handling.patch @@ -0,0 +1,55 @@ +From 640d17d60e83401e10e66a0ab6e9e2d6350df656 Mon Sep 17 00:00:00 2001 +From: Grant Likely +Date: Thu, 4 Dec 2008 05:39:55 +0000 +Subject: powerpc/virtex5: Fix Virtex5 machine check handling + +From: Grant Likely + +commit 640d17d60e83401e10e66a0ab6e9e2d6350df656 upstream. + +The 440x5 core in the Virtex5 uses the 440A type machine check +(ie, they have MCSRR0/MCSRR1). They thus need to call the +appropriate fixup function to hook the right variant of the +exception. + +Without this, all machine checks become fatal due to loss +of context when entering the exception handler. + +Signed-off-by: Grant Likely +Signed-off-by: Josh Boyer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/cpu_setup_44x.S | 1 + + arch/powerpc/kernel/cputable.c | 3 +++ + 2 files changed, 4 insertions(+) + +--- a/arch/powerpc/kernel/cpu_setup_44x.S ++++ b/arch/powerpc/kernel/cpu_setup_44x.S +@@ -35,6 +35,7 @@ _GLOBAL(__setup_cpu_440grx) + _GLOBAL(__setup_cpu_460ex) + _GLOBAL(__setup_cpu_460gt) + b __init_fpu_44x ++_GLOBAL(__setup_cpu_440x5) + _GLOBAL(__setup_cpu_440gx) + _GLOBAL(__setup_cpu_440spe) + b __fixup_440A_mcheck +--- a/arch/powerpc/kernel/cputable.c ++++ b/arch/powerpc/kernel/cputable.c +@@ -39,6 +39,7 @@ extern void __setup_cpu_440epx(unsigned + extern void __setup_cpu_440gx(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_440grx(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_440spe(unsigned long offset, struct cpu_spec* spec); ++extern void __setup_cpu_440x5(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_460ex(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_460gt(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_603(unsigned long offset, struct cpu_spec* spec); +@@ -1463,6 +1464,8 @@ static struct cpu_spec __initdata cpu_sp + .cpu_user_features = COMMON_USER_BOOKE, + .icache_bsize = 32, + .dcache_bsize = 32, ++ .cpu_setup = __setup_cpu_440x5, ++ .machine_check = machine_check_440A, + .platform = "ppc440", + }, + { /* 460EX */ diff --git a/queue-2.6.27/sched-cpu-remove-deadlock-fix.patch b/queue-2.6.27/sched-cpu-remove-deadlock-fix.patch new file mode 100644 index 00000000000..fefb05196b6 --- /dev/null +++ b/queue-2.6.27/sched-cpu-remove-deadlock-fix.patch @@ -0,0 +1,54 @@ +From 9a2bd244e18ffbb96c8b783210fda4eded7c7e6f Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Tue, 9 Dec 2008 08:47:00 -0600 +Subject: sched: CPU remove deadlock fix + +From: Brian King + +commit 9a2bd244e18ffbb96c8b783210fda4eded7c7e6f upstream. + +Impact: fix possible deadlock in CPU hot-remove path + +This patch fixes a possible deadlock scenario in the CPU remove path. +migration_call grabs rq->lock, then wakes up everything on rq->migration_queue +with the lock held. Then one of the tasks on the migration queue ends up +calling tg_shares_up which then also tries to acquire the same rq->lock. + +[c000000058eab2e0] c000000000502078 ._spin_lock_irqsave+0x98/0xf0 +[c000000058eab370] c00000000008011c .tg_shares_up+0x10c/0x20c +[c000000058eab430] c00000000007867c .walk_tg_tree+0xc4/0xfc +[c000000058eab4d0] c0000000000840c8 .try_to_wake_up+0xb0/0x3c4 +[c000000058eab590] c0000000000799a0 .__wake_up_common+0x6c/0xe0 +[c000000058eab640] c00000000007ada4 .complete+0x54/0x80 +[c000000058eab6e0] c000000000509fa8 .migration_call+0x5fc/0x6f8 +[c000000058eab7c0] c000000000504074 .notifier_call_chain+0x68/0xe0 +[c000000058eab860] c000000000506568 ._cpu_down+0x2b0/0x3f4 +[c000000058eaba60] c000000000506750 .cpu_down+0xa4/0x108 +[c000000058eabb10] c000000000507e54 .store_online+0x44/0xa8 +[c000000058eabba0] c000000000396260 .sysdev_store+0x3c/0x50 +[c000000058eabc10] c0000000001a39b8 .sysfs_write_file+0x124/0x18c +[c000000058eabcd0] c00000000013061c .vfs_write+0xd0/0x1bc +[c000000058eabd70] c0000000001308a4 .sys_write+0x68/0x114 +[c000000058eabe30] c0000000000086b4 syscall_exit+0x0/0x40 + +Signed-off-by: Brian King +Acked-by: Peter Zijlstra +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -6500,7 +6500,9 @@ migration_call(struct notifier_block *nf + req = list_entry(rq->migration_queue.next, + struct migration_req, list); + list_del_init(&req->list); ++ spin_unlock_irq(&rq->lock); + complete(&req->done); ++ spin_lock_irq(&rq->lock); + } + spin_unlock_irq(&rq->lock); + break; diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 4644e5337cb..3f0f6d3976a 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -68,3 +68,16 @@ sched-fix-a-bug-in-sched-domain-degenerate.patch x86-hpet-convert-warn_on-to-warn_on_once.patch x86-memory-hotplug-remove-wrong-1-in-calling-init_memory_mapping.patch x86-remove-debug-code-from-arch_add_memory.patch +sched-cpu-remove-deadlock-fix.patch +pci-stop-leaking-slot_name-in-pci_create_slot.patch +pcie-aspm-break-out-of-endless-loop-waiting-for-pci-config-bits-to-switch.patch +uml-boot-broken-due-to-buffer-overrun.patch +pagemap-fix-32-bit-pagemap-regression.patch +fix-mapping_writably_mapped.patch +atv-hid-quirk-for-appletv-ir-receiver.patch +allow-recursion-in-binfmt_script-and-binfmt_misc.patch +tracehook-exec-double-reporting-fix.patch +powerpc-virtex5-fix-virtex5-machine-check-handling.patch +acpi-delete-osi-dmi-dmesg-spam.patch +cifs-fix-a-regression-in-cifs-umount-codepath.patch +pnp-make-the-resource-type-an-unsigned-long.patch diff --git a/queue-2.6.27/tracehook-exec-double-reporting-fix.patch b/queue-2.6.27/tracehook-exec-double-reporting-fix.patch new file mode 100644 index 00000000000..1b0f63f27cb --- /dev/null +++ b/queue-2.6.27/tracehook-exec-double-reporting-fix.patch @@ -0,0 +1,166 @@ +From 85f334666a771680472722eee43ae0fc8730a619 Mon Sep 17 00:00:00 2001 +From: Roland McGrath +Date: Tue, 9 Dec 2008 19:36:38 -0800 +Subject: tracehook: exec double-reporting fix + +From: Roland McGrath + +commit 85f334666a771680472722eee43ae0fc8730a619 upstream. + +The patch 6341c39 "tracehook: exec" introduced a small regression in +2.6.27 regarding binfmt_misc exec event reporting. Since the reporting +is now done in the common search_binary_handler() function, an exec +of a misc binary will result in two (or possibly multiple) exec events +being reported, instead of just a single one, because the misc handler +contains a recursive call to search_binary_handler. + +To add to the confusion, if PTRACE_O_TRACEEXEC is not active, the multiple +SIGTRAP signals will in fact cause only a single ptrace intercept, as the +signals are not queued. However, if PTRACE_O_TRACEEXEC is on, the debugger +will actually see multiple ptrace intercepts (PTRACE_EVENT_EXEC). + +The test program included below demonstrates the problem. + +This change fixes the bug by calling tracehook_report_exec() only in the +outermost search_binary_handler() call (bprm->recursion_depth == 0). + +The additional change to restore bprm->recursion_depth after each binfmt +load_binary call is actually superfluous for this bug, since we test the +value saved on entry to search_binary_handler(). But it keeps the use of +of the depth count to its most obvious expected meaning. Depending on what +binfmt handlers do in certain cases, there could have been false-positive +tests for recursion limits before this change. + + /* Test program using PTRACE_O_TRACEEXEC. + This forks and exec's the first argument with the rest of the arguments, + while ptrace'ing. It expects to see one PTRACE_EVENT_EXEC stop and + then a successful exit, with no other signals or events in between. + + Test for kernel doing two PTRACE_EVENT_EXEC stops for a binfmt_misc exec: + + $ gcc -g traceexec.c -o traceexec + $ sudo sh -c 'echo :test:M::foobar::/bin/cat: > /proc/sys/fs/binfmt_misc/register' + $ echo 'foobar test' > ./foobar + $ chmod +x ./foobar + $ ./traceexec ./foobar; echo $? + ==> good <== + foobar test + 0 + $ + ==> bad <== + foobar test + unexpected status 0x4057f != 0 + 3 + $ + + */ + + #include + #include + #include + #include + #include + #include + #include + + static void + wait_for (pid_t child, int expect) + { + int status; + pid_t p = wait (&status); + if (p != child) + { + perror ("wait"); + exit (2); + } + if (status != expect) + { + fprintf (stderr, "unexpected status %#x != %#x\n", status, expect); + exit (3); + } + } + + int + main (int argc, char **argv) + { + pid_t child = fork (); + + if (child < 0) + { + perror ("fork"); + return 127; + } + else if (child == 0) + { + ptrace (PTRACE_TRACEME); + raise (SIGUSR1); + execv (argv[1], &argv[1]); + perror ("execve"); + _exit (127); + } + + wait_for (child, W_STOPCODE (SIGUSR1)); + + if (ptrace (PTRACE_SETOPTIONS, child, + 0L, (void *) (long) PTRACE_O_TRACEEXEC) != 0) + { + perror ("PTRACE_SETOPTIONS"); + return 4; + } + + if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0) + { + perror ("PTRACE_CONT"); + return 5; + } + + wait_for (child, W_STOPCODE (SIGTRAP | (PTRACE_EVENT_EXEC << 8))); + + if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0) + { + perror ("PTRACE_CONT"); + return 6; + } + + wait_for (child, W_EXITCODE (0, 0)); + + return 0; + } + +Reported-by: Arnd Bergmann +CC: Ulrich Weigand +Signed-off-by: Roland McGrath +Acked-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1164,6 +1164,7 @@ EXPORT_SYMBOL(remove_arg_zero); + */ + int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + { ++ unsigned int depth = bprm->recursion_depth; + int try,retval; + struct linux_binfmt *fmt; + #ifdef __alpha__ +@@ -1224,8 +1225,15 @@ int search_binary_handler(struct linux_b + continue; + read_unlock(&binfmt_lock); + retval = fn(bprm, regs); ++ /* ++ * Restore the depth counter to its starting value ++ * in this call, so we don't have to rely on every ++ * load_binary function to restore it on return. ++ */ ++ bprm->recursion_depth = depth; + if (retval >= 0) { +- tracehook_report_exec(fmt, bprm, regs); ++ if (depth == 0) ++ tracehook_report_exec(fmt, bprm, regs); + put_binfmt(fmt); + allow_write_access(bprm->file); + if (bprm->file) diff --git a/queue-2.6.27/uml-boot-broken-due-to-buffer-overrun.patch b/queue-2.6.27/uml-boot-broken-due-to-buffer-overrun.patch new file mode 100644 index 00000000000..a8a8d68b325 --- /dev/null +++ b/queue-2.6.27/uml-boot-broken-due-to-buffer-overrun.patch @@ -0,0 +1,48 @@ +From 361371201b60ffd686a694c848c1d5ad6061725f Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Tue, 9 Dec 2008 13:14:07 -0800 +Subject: uml: boot broken due to buffer overrun + +From: Balbir Singh + +commit 361371201b60ffd686a694c848c1d5ad6061725f upstream. + +mconsole_init() passed 256 bytes as length in os_create_unix_socket, while +the sizeof UNIX_PATH_MAX is 108. This patch fixes that problem and avoids +a big overrun bug reported on UML bootup. + +sockaddr_un.sun_path is UNIX_PATH_MAX long which causes the problem. +Reported-by: Vikas K Managutte +Reported-by: Sarvesh Kumar Lal Das +Signed-off-by: Balbir Singh +Reviewed-by: Pekka Enberg +Reviewed-by: WANG Cong +Cc: Jeff Dike +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/mconsole_kern.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/um/drivers/mconsole_kern.c ++++ b/arch/um/drivers/mconsole_kern.c +@@ -16,6 +16,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -785,7 +787,7 @@ static int __init mconsole_init(void) + /* long to avoid size mismatch warnings from gcc */ + long sock; + int err; +- char file[256]; ++ char file[UNIX_PATH_MAX]; + + if (umid_file_name("mconsole", file, sizeof(file))) + return -1; -- 2.47.3