From 6bce008de00ecb789ba69203ea60ac90eec87fc7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Fri, 30 Jan 2009 17:46:59 -0800
Subject: [PATCH] .28 patches
---
...another-macbook-pro-4-1-subsystem-id.patch | 30 +++++
...a-hda-add-quirk-for-hp-dv6700-laptop.patch | 29 +++++
...ence-nid-for-stac-idt-analog-outputs.patch | 34 ++++++
...m-access-when-the-device-is-inactive.patch | 33 +++++
...pto-authenc-fix-zero-length-iv-crash.patch | 69 +++++++++++
...-ccm-fix-handling-of-null-assoc-data.patch | 85 +++++++++++++
.../dmaengine-fix-dependency-chaining.patch | 43 +++++++
...es-and-rely-only-on-max_user_watches.patch | 115 ++++++++++++++++++
...add-sanity-check-to-make_indexed_dir.patch | 68 +++++++++++
...ing-adjacent-vm_locked-file-segments.patch | 67 ++++++++++
queue-2.6.28/fix_reserve_memtype_1MB.patch | 93 ++++++++++++++
.../gpiolib-fix-request-related-issue.patch | 31 +++++
...bsg.h-to-the-kernel-exported-headers.patch | 40 ++++++
...net-net_namespace-fix-lock-imbalance.patch | 32 +++++
...hotplug-fix-lock-imbalance-in-pciehp.patch | 38 ++++++
...-imbalance-in-relay_late_setup_files.patch | 31 +++++
...ing-ofdm-power-settings-for-rtl8187l.patch | 55 +++++++++
queue-2.6.28/series | 20 +++
...re-flags-are-updated-before-bte_copy.patch | 80 ++++++++++++
...-xpc-remove-null-pointer-dereference.patch | 42 +++++++
...ssue-while-mapping-ram-using-dev-mem.patch | 70 +++++++++++
21 files changed, 1105 insertions(+)
create mode 100644 queue-2.6.28/alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch
create mode 100644 queue-2.6.28/alsa-hda-add-quirk-for-hp-dv6700-laptop.patch
create mode 100644 queue-2.6.28/alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch
create mode 100644 queue-2.6.28/bnx2x-block-nvram-access-when-the-device-is-inactive.patch
create mode 100644 queue-2.6.28/crypto-authenc-fix-zero-length-iv-crash.patch
create mode 100644 queue-2.6.28/crypto-ccm-fix-handling-of-null-assoc-data.patch
create mode 100644 queue-2.6.28/dmaengine-fix-dependency-chaining.patch
create mode 100644 queue-2.6.28/epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch
create mode 100644 queue-2.6.28/ext3-add-sanity-check-to-make_indexed_dir.patch
create mode 100644 queue-2.6.28/fix-oops-in-mmap_region-when-merging-adjacent-vm_locked-file-segments.patch
create mode 100644 queue-2.6.28/fix_reserve_memtype_1MB.patch
create mode 100644 queue-2.6.28/gpiolib-fix-request-related-issue.patch
create mode 100644 queue-2.6.28/include-linux-add-bsg.h-to-the-kernel-exported-headers.patch
create mode 100644 queue-2.6.28/net-net_namespace-fix-lock-imbalance.patch
create mode 100644 queue-2.6.28/pci-hotplug-fix-lock-imbalance-in-pciehp.patch
create mode 100644 queue-2.6.28/relay-fix-lock-imbalance-in-relay_late_setup_files.patch
create mode 100644 queue-2.6.28/rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch
create mode 100644 queue-2.6.28/sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch
create mode 100644 queue-2.6.28/sgi-xpc-remove-null-pointer-dereference.patch
create mode 100644 queue-2.6.28/x86-pat-fix-pte-corruption-issue-while-mapping-ram-using-dev-mem.patch
diff --git a/queue-2.6.28/alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch b/queue-2.6.28/alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch
new file mode 100644
index 00000000000..1bbe593b8c8
--- /dev/null
+++ b/queue-2.6.28/alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch
@@ -0,0 +1,30 @@
+From 2a88464ceb1bda2571f88902fd8068a6168e3f7b Mon Sep 17 00:00:00 2001
+From: Luke Yelavich
+Date: Wed, 28 Jan 2009 15:58:38 +1100
+Subject: ALSA: hda - add another MacBook Pro 4, 1 subsystem ID
+
+From: Luke Yelavich
+
+commit 2a88464ceb1bda2571f88902fd8068a6168e3f7b upstream.
+
+Add another MacBook Pro 4,1 SSID (106b:3800). It seems that latter revisions,
+(at least mine), have different IDs to earlier revisions.
+
+Signed-off-by: Luke Yelavich
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6780,6 +6780,7 @@ static int patch_alc882(struct hda_codec
+ case 0x106b00a4: /* MacbookPro4,1 */
+ case 0x106b2c00: /* Macbook Pro rev3 */
+ case 0x106b3600: /* Macbook 3.1 */
++ case 0x106b3800: /* MacbookPro4,1 - latter revision */
+ board_config = ALC885_MBP3;
+ break;
+ default:
diff --git a/queue-2.6.28/alsa-hda-add-quirk-for-hp-dv6700-laptop.patch b/queue-2.6.28/alsa-hda-add-quirk-for-hp-dv6700-laptop.patch
new file mode 100644
index 00000000000..e50811cda22
--- /dev/null
+++ b/queue-2.6.28/alsa-hda-add-quirk-for-hp-dv6700-laptop.patch
@@ -0,0 +1,29 @@
+From aa9d823bb347fb66cb07f98c686be8bb85cb6a74 Mon Sep 17 00:00:00 2001
+From: Joerg Schirottke
+Date: Tue, 27 Jan 2009 11:01:34 +0100
+Subject: ALSA: hda - Add quirk for HP DV6700 laptop
+
+From: Joerg Schirottke
+
+commit aa9d823bb347fb66cb07f98c686be8bb85cb6a74 upstream.
+
+Added the matching model=laptop for HP DV6700 laptop.
+
+Signed-off-by: Joerg Schirottke
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1470,6 +1470,7 @@ static struct snd_pci_quirk cxt5047_cfg_
+ SND_PCI_QUIRK(0x103c, 0x30a5, "HP DV5200T/DV8000T", CXT5047_LAPTOP_HP),
+ SND_PCI_QUIRK(0x103c, 0x30b2, "HP DV2000T/DV3000T", CXT5047_LAPTOP),
+ SND_PCI_QUIRK(0x103c, 0x30b5, "HP DV2000Z", CXT5047_LAPTOP),
++ SND_PCI_QUIRK(0x103c, 0x30cf, "HP DV6700", CXT5047_LAPTOP),
+ SND_PCI_QUIRK(0x1179, 0xff31, "Toshiba P100", CXT5047_LAPTOP_EAPD),
+ {}
+ };
diff --git a/queue-2.6.28/alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch b/queue-2.6.28/alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch
new file mode 100644
index 00000000000..6792c1f4bb2
--- /dev/null
+++ b/queue-2.6.28/alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch
@@ -0,0 +1,34 @@
+From 00a602db1ce9d61319d6f769dee206ec85f19bda Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 23 Jan 2009 11:55:42 +0100
+Subject: ALSA: hda - Fix PCM reference NID for STAC/IDT analog outputs
+
+From: Takashi Iwai
+
+commit 00a602db1ce9d61319d6f769dee206ec85f19bda upstream.
+
+The reference NID for the analog outputs of STAC/IDT codecs is set
+to a fixed number 0x02. But this isn't always correct and in many
+codecs it points to a non-existing NID.
+
+This patch fixes the initialization of the PCM reference NID taken
+from the actually probed DAC list.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_sigmatel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -2428,6 +2428,8 @@ static int stac92xx_build_pcms(struct hd
+
+ info->name = "STAC92xx Analog";
+ info->stream[SNDRV_PCM_STREAM_PLAYBACK] = stac92xx_pcm_analog_playback;
++ info->stream[SNDRV_PCM_STREAM_PLAYBACK].nid =
++ spec->multiout.dac_nids[0];
+ info->stream[SNDRV_PCM_STREAM_CAPTURE] = stac92xx_pcm_analog_capture;
+ info->stream[SNDRV_PCM_STREAM_CAPTURE].nid = spec->adc_nids[0];
+ info->stream[SNDRV_PCM_STREAM_CAPTURE].substreams = spec->num_adcs;
diff --git a/queue-2.6.28/bnx2x-block-nvram-access-when-the-device-is-inactive.patch b/queue-2.6.28/bnx2x-block-nvram-access-when-the-device-is-inactive.patch
new file mode 100644
index 00000000000..aa925837620
--- /dev/null
+++ b/queue-2.6.28/bnx2x-block-nvram-access-when-the-device-is-inactive.patch
@@ -0,0 +1,33 @@
+From 2add3acb11a26cc14b54669433ae6ace6406cbf2 Mon Sep 17 00:00:00 2001
+From: Eilon Greenstein
+Date: Wed, 14 Jan 2009 06:44:07 +0000
+Subject: bnx2x: Block nvram access when the device is inactive
+
+From: Eilon Greenstein
+
+commit 2add3acb11a26cc14b54669433ae6ace6406cbf2 upstream.
+
+Don't dump eeprom when bnx2x adapter is down. Running ethtool -e causes an eeh
+without it when the device is down
+
+Signed-off-by: Paul Larson
+Signed-off-by: Eilon Greenstein
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/bnx2x_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/bnx2x_main.c
++++ b/drivers/net/bnx2x_main.c
+@@ -8079,6 +8079,9 @@ static int bnx2x_get_eeprom(struct net_d
+ struct bnx2x *bp = netdev_priv(dev);
+ int rc;
+
++ if (!netif_running(dev))
++ return -EAGAIN;
++
+ DP(BNX2X_MSG_NVM, "ethtool_eeprom: cmd %d\n"
+ DP_LEVEL " magic 0x%x offset 0x%x (%d) len 0x%x (%d)\n",
+ eeprom->cmd, eeprom->magic, eeprom->offset, eeprom->offset,
diff --git a/queue-2.6.28/crypto-authenc-fix-zero-length-iv-crash.patch b/queue-2.6.28/crypto-authenc-fix-zero-length-iv-crash.patch
new file mode 100644
index 00000000000..4cae653c302
--- /dev/null
+++ b/queue-2.6.28/crypto-authenc-fix-zero-length-iv-crash.patch
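Review bot: In the bnx2x patch (drivers/net/bnx2x_main.c), the new `netif_running(dev)` guard is added to `bnx2x_get_eeprom()` only, while the subject promises to block NVRAM access as a whole when the device is inactive. The write path (the driver's set_eeprom handler) is not in this hunk, so it should be confirmed that it carries the same `if (!netif_running(dev)) return -EAGAIN;` check, since a write to an adapter that is down is presumably at least as likely to raise the EEH error the message describes. A short comment above the check, such as `/* NVRAM is not accessible while the interface is down */`, would also record why the request is refused. The body of bnx2x_get_eeprom() continues outside the hunk.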
@@ -0,0 +1,69 @@ +From 29b37f42127f7da511560a40ea74f5047da40c13 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Tue, 13 Jan 2009 11:26:18 +1100 +Subject: crypto: authenc - Fix zero-length IV crash + +From: Herbert Xu + +commit 29b37f42127f7da511560a40ea74f5047da40c13 upstream. + +As it is if an algorithm with a zero-length IV is used (e.g., +NULL encryption) with authenc, authenc may generate an SG entry +of length zero, which will trigger a BUG check in the hash layer. + +This patch fixes it by skipping the IV SG generation if the IV +size is zero. + +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/authenc.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -157,16 +157,19 @@ static int crypto_authenc_genicv(struct + dstp = sg_page(dst); + vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset; + +- sg_init_table(cipher, 2); +- sg_set_buf(cipher, iv, ivsize); +- authenc_chain(cipher, dst, vdst == iv + ivsize); ++ if (ivsize) { ++ sg_init_table(cipher, 2); ++ sg_set_buf(cipher, iv, ivsize); ++ authenc_chain(cipher, dst, vdst == iv + ivsize); ++ dst = cipher; ++ } + + cryptlen = req->cryptlen + ivsize; +- hash = crypto_authenc_hash(req, flags, cipher, cryptlen); ++ hash = crypto_authenc_hash(req, flags, dst, cryptlen); + if (IS_ERR(hash)) + return PTR_ERR(hash); + +- scatterwalk_map_and_copy(hash, cipher, cryptlen, ++ scatterwalk_map_and_copy(hash, dst, cryptlen, + crypto_aead_authsize(authenc), 1); + return 0; + } +@@ -284,11 +287,14 @@ static int crypto_authenc_iverify(struct + srcp = sg_page(src); + vsrc = PageHighMem(srcp) ? 
NULL : page_address(srcp) + src->offset; + +- sg_init_table(cipher, 2); +- sg_set_buf(cipher, iv, ivsize); +- authenc_chain(cipher, src, vsrc == iv + ivsize); ++ if (ivsize) { ++ sg_init_table(cipher, 2); ++ sg_set_buf(cipher, iv, ivsize); ++ authenc_chain(cipher, src, vsrc == iv + ivsize); ++ src = cipher; ++ } + +- return crypto_authenc_verify(req, cipher, cryptlen + ivsize); ++ return crypto_authenc_verify(req, src, cryptlen + ivsize); + } + + static int crypto_authenc_decrypt(struct aead_request *req) diff --git a/queue-2.6.28/crypto-ccm-fix-handling-of-null-assoc-data.patch b/queue-2.6.28/crypto-ccm-fix-handling-of-null-assoc-data.patch new file mode 100644 index 00000000000..2331c9b6aed --- /dev/null +++ b/queue-2.6.28/crypto-ccm-fix-handling-of-null-assoc-data.patch 
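Review bot: In the authenc patch (crypto/authenc.c), both `crypto_authenc_genicv()` and `crypto_authenc_iverify()` now leave the local `cipher` table untouched when `ivsize` is zero and hash `dst`/`src` directly, but nothing in the code says why the IV entry is conditional. A comment on each new `if (ivsize) {`, for example `/* never emit a zero-length SG entry: the hash layer BUGs on it */`, would keep a later cleanup from folding the branch away. Any other place in the file that chains the IV in front of the payload with `sg_set_buf(..., iv, ivsize)` is outside these hunks and should be checked for the same zero-length case.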
@@ -0,0 +1,85 @@ +From 516280e735b034216de97eb7ba080ec6acbfc58f Mon Sep 17 00:00:00 2001 +From: Jarod Wilson +Date: Thu, 22 Jan 2009 19:58:15 +1100 +Subject: crypto: ccm - Fix handling of null assoc data + +From: Jarod Wilson + +commit 516280e735b034216de97eb7ba080ec6acbfc58f upstream. + +Its a valid use case to have null associated data in a ccm vector, but +this case isn't being handled properly right now. + +The following ccm decryption/verification test vector, using the +rfc4309 implementation regularly triggers a panic, as will any +other vector with null assoc data: + +* key: ab2f8a74b71cd2b1ff802e487d82f8b9 +* iv: c6fb7d800d13abd8a6b2d8 +* Associated Data: [NULL] +* Tag Length: 8 +* input: d5e8939fc7892e2b + +The resulting panic looks like so: + +Unable to handle kernel paging request at ffff810064ddaec0 RIP: + [] :ccm:get_data_to_compute+0x1a6/0x1d6 +PGD 8063 PUD 0 +Oops: 0002 [1] SMP +last sysfs file: /module/libata/version +CPU 0 +Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a +lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_ +tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg +snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p +c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h +cd ohci_hcd ehci_hcd +Pid: 12844, comm: crypto-tester Tainted: G 2.6.18-128.el5.fips1 #1 +RIP: 0010:[] [] :ccm:get_data_to_compute+0x1a6/0x1d6 +RSP: 0018:ffff8100134434e8 EFLAGS: 00010246 
+RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10 +RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0 +RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000 +R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858 +R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000 +FS: 00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0 +Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860) +Stack: ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000 + 0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858 + 0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634 +Call Trace: + [] :ccm:crypto_ccm_auth+0x12d/0x140 + [] :ccm:crypto_ccm_decrypt+0x161/0x23a + [] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559 +[...] + +The above is from a RHEL5-based kernel, but upstream is susceptible too. + +The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains +whatever was in memory when pctx was allocated if assoclen is 0. The tested +fix is to simply add an else clause setting pctx->ilen to 0 for the +assoclen == 0 case, so that get_data_to_compute() doesn't try doing +things its not supposed to. + +Signed-off-by: Jarod Wilson +Acked-by: Neil Horman +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ccm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/crypto/ccm.c ++++ b/crypto/ccm.c +@@ -266,6 +266,8 @@ static int crypto_ccm_auth(struct aead_r + if (assoclen) { + pctx->ilen = format_adata(idata, assoclen); + get_data_to_compute(cipher, pctx, req->assoc, req->assoclen); ++ } else { ++ pctx->ilen = 0; + } + + /* compute plaintext into mac */ 
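Review bot: In the ccm patch (crypto/ccm.c), resetting `pctx->ilen` only in the new `else` branch of `crypto_ccm_auth()` keeps the field dependent on every branch remembering to assign it; since the description says the stale value comes from pctx being allocated without initialisation, a single `pctx->ilen = 0;` before `if (assoclen) {` would be the more robust form. The failing case quoted in the description (empty associated data with an 8-byte tag) should also become a permanent self-test vector if one does not exist yet, so that the out-of-bounds write shown in the oops cannot return unnoticed. The rest of crypto_ccm_auth() is outside the hunk, so whether other pctx fields are read before being written cannot be verified here.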
diff --git a/queue-2.6.28/dmaengine-fix-dependency-chaining.patch b/queue-2.6.28/dmaengine-fix-dependency-chaining.patch
new file mode 100644
index 00000000000..16eecf037f6
--- /dev/null
+++ b/queue-2.6.28/dmaengine-fix-dependency-chaining.patch
@@ -0,0 +1,43 @@
+From yur@emcraft.com Fri Jan 30 17:40:59 2009
+From: Yuri Tikhonov
+Date: Thu, 29 Jan 2009 15:37:13 +0300
+Subject: dmaengine: fix dependency chaining
+To: Greg KH
+Cc: stable@kernel.org, Dan Williams , wd@denx.de
+Message-ID: <200901291537.13536.yur@emcraft.com>
+Content-Disposition: inline
+
+From: Yuri Tikhonov
+
+commit dd59b8537f6cb53ab863fafad86a5828f1e889a2 upstream
+
+
+ ASYNC_TX: fix dependency chaining
+
+ In ASYNC_TX we track the dependencies between the descriptors
+using the 'next' pointers of the structures. These pointers are
+set to NULL as soon as the corresponding descriptor has been
+submitted to the channel (in async_tx_run_dependencies()).
+ But, the first 'next' in chain still remains set, regardless
+the fact, that tx->next is already submitted. This may lead to
+multiple submisions of the same descriptor. This patch fixes this.
+
+Signed-off-by: Yuri Tikhonov
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/async_tx/async_tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/async_tx/async_tx.c
++++ b/crypto/async_tx/async_tx.c
+@@ -124,6 +124,8 @@ void async_tx_run_dependencies(struct dm
+ if (!dep)
+ return;
+
++ /* we'll submit tx->next now, so clear the link */
++ tx->next = NULL;
+ chan = dep->chan;
+
+ /* keep submitting up until a channel switch is detected
diff --git a/queue-2.6.28/epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch b/queue-2.6.28/epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch
new file mode 100644
index 00000000000..ea8780fcc1c
--- /dev/null
+++ b/queue-2.6.28/epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch
@@ -0,0 +1,115 @@ +From 9df04e1f25effde823a600e755b51475d438f56b Mon Sep 17 00:00:00 2001 +From: Davide Libenzi +Date: Thu, 29 Jan 2009 14:25:26 -0800 +Subject: epoll: drop max_user_instances and rely only on max_user_watches + +From: Davide Libenzi + +commit 9df04e1f25effde823a600e755b51475d438f56b upstream. + +Linus suggested to put limits where the money is, and max_user_watches +already does that w/out the need of max_user_instances. That has the +advantage to mitigate the potential DoS while allowing pretty generous +default behavior. + +Allowing top 4% of low memory (per user) to be allocated in epoll watches, +we have: + +LOMEM MAX_WATCHES (per user) +512MB ~178000 +1GB ~356000 +2GB ~712000 + +A box with 512MB of lomem, will meet some challenge in hitting 180K +watches, socket buffers math teaches us. No more max_user_instances +limits then. + +Signed-off-by: Davide Libenzi +Cc: Willy Tarreau +Cc: Michael Kerrisk +Cc: Bron Gondwana +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/eventpoll.c | 22 ++++------------------ + include/linux/sched.h | 1 - + 2 files changed, 4 insertions(+), 19 deletions(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -234,8 +234,6 @@ struct ep_pqueue { + /* + * Configuration options available inside /proc/sys/fs/epoll/ + */ +-/* Maximum number of epoll devices, per user */ +-static int max_user_instances __read_mostly; + /* Maximum number of epoll watched descriptors, per user */ + static int max_user_watches __read_mostly; + +@@ -261,14 +259,6 @@ static int zero; + + ctl_table epoll_table[] = { + { +- .procname = "max_user_instances", +- .data = &max_user_instances, +- .maxlen = sizeof(int), +- .mode = 0644, +- .proc_handler = &proc_dointvec_minmax, +- .extra1 = &zero, +- }, +- { + .procname = "max_user_watches", + .data = &max_user_watches, + .maxlen = sizeof(int), +@@ -491,7 +481,6 @@ static void ep_free(struct eventpoll *ep + + mutex_unlock(&epmutex); + 
mutex_destroy(&ep->mtx); +- atomic_dec(&ep->user->epoll_devs); + free_uid(ep->user); + kfree(ep); + } +@@ -581,10 +570,6 @@ static int ep_alloc(struct eventpoll **p + struct eventpoll *ep; + + user = get_current_user(); +- error = -EMFILE; +- if (unlikely(atomic_read(&user->epoll_devs) >= +- max_user_instances)) +- goto free_uid; + error = -ENOMEM; + ep = kzalloc(sizeof(*ep), GFP_KERNEL); + if (unlikely(!ep)) +@@ -1141,7 +1126,6 @@ SYSCALL_DEFINE1(epoll_create1, int, flag + flags & O_CLOEXEC); + if (fd < 0) + ep_free(ep); +- atomic_inc(&ep->user->epoll_devs); + + error_return: + DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n", +@@ -1366,8 +1350,10 @@ static int __init eventpoll_init(void) + struct sysinfo si; + + si_meminfo(&si); +- max_user_instances = 128; +- max_user_watches = (((si.totalram - si.totalhigh) / 32) << PAGE_SHIFT) / ++ /* ++ * Allows top 4% of lomem to be allocated for epoll watches (per user). ++ */ ++ max_user_watches = (((si.totalram - si.totalhigh) / 25) << PAGE_SHIFT) / + EP_ITEM_COST; + + /* Initialize the structure used to perform safe poll wait head wake ups */ +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -631,7 +631,6 @@ struct user_struct { + atomic_t inotify_devs; /* How many inotify devs does this user have opened? */ + #endif + #ifdef CONFIG_EPOLL +- atomic_t epoll_devs; /* The number of epoll descriptors currently open */ + atomic_t epoll_watches; /* The number of file descriptors currently watched */ + #endif + #ifdef CONFIG_POSIX_MQUEUE diff --git a/queue-2.6.28/ext3-add-sanity-check-to-make_indexed_dir.patch b/queue-2.6.28/ext3-add-sanity-check-to-make_indexed_dir.patch new file mode 100644 index 00000000000..3c109c93fb8 --- /dev/null +++ b/queue-2.6.28/ext3-add-sanity-check-to-make_indexed_dir.patch 
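Review bot: In the epoll patch (fs/eventpoll.c), deleting the `max_user_instances` entry from `epoll_table` removes /proc/sys/fs/epoll/max_user_instances within a stable series, so any sysctl.conf line or boot script that writes it will start failing after the update; the description should say so. With the `epoll_devs` check gone from `ep_alloc()`, memory held by epoll instances that carry no watches is no longer charged to the user and is bounded only by the descriptor limit, which the 4% argument in the message does not cover. Separately, `max_user_watches` remains an `int` while the new expression (now `/ 25`) scales with low memory, so the result may not fit on very large 64-bit machines; `EP_ITEM_COST` is not visible here, so this is a point to check rather than a certain overflow.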
@@ -0,0 +1,68 @@ +From a21102b55c4f8dfd3adb4a15a34cd62237b46039 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 16 Jan 2009 11:13:47 -0500 +Subject: ext3: Add sanity check to make_indexed_dir + +From: Theodore Ts'o + +commit a21102b55c4f8dfd3adb4a15a34cd62237b46039 upstream. + +Make sure the rec_len field in the '..' entry is sane, lest we overrun +the directory block and cause a kernel oops on a purposefully +corrupted filesystem. + +This fixes a bug related to a bug originally reported by Sami Liedes +for ext4 at: + +http://bugzilla.kernel.org/show_bug.cgi?id=12430 + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/namei.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/fs/ext3/namei.c ++++ b/fs/ext3/namei.c +@@ -1357,7 +1357,7 @@ static int make_indexed_dir(handle_t *ha + struct fake_dirent *fde; + + blocksize = dir->i_sb->s_blocksize; +- dxtrace(printk("Creating index\n")); ++ dxtrace(printk(KERN_DEBUG "Creating index: inode %lu\n", dir->i_ino)); + retval = ext3_journal_get_write_access(handle, bh); + if (retval) { + ext3_std_error(dir->i_sb, retval); +@@ -1366,6 +1366,19 @@ static int make_indexed_dir(handle_t *ha + } + root = (struct dx_root *) bh->b_data; + ++ /* The 0th block becomes the root, move the dirents out */ ++ fde = &root->dotdot; ++ de = (struct ext3_dir_entry_2 *)((char *)fde + ++ ext3_rec_len_from_disk(fde->rec_len)); ++ if ((char *) de >= (((char *) root) + blocksize)) { ++ ext3_error(dir->i_sb, __func__, ++ "invalid rec_len for '..' 
in inode %lu", ++ dir->i_ino); ++ brelse(bh); ++ return -EIO; ++ } ++ len = ((char *) root) + blocksize - (char *) de; ++ + bh2 = ext3_append (handle, dir, &block, &retval); + if (!(bh2)) { + brelse(bh); +@@ -1374,11 +1387,6 @@ static int make_indexed_dir(handle_t *ha + EXT3_I(dir)->i_flags |= EXT3_INDEX_FL; + data1 = bh2->b_data; + +- /* The 0th block becomes the root, move the dirents out */ +- fde = &root->dotdot; +- de = (struct ext3_dir_entry_2 *)((char *)fde + +- ext3_rec_len_from_disk(fde->rec_len)); +- len = ((char *) root) + blocksize - (char *) de; + memcpy (data1, de, len); + de = (struct ext3_dir_entry_2 *) data1; + top = data1 + len; diff --git a/queue-2.6.28/fix-oops-in-mmap_region-when-merging-adjacent-vm_locked-file-segments.patch b/queue-2.6.28/fix-oops-in-mmap_region-when-merging-adjacent-vm_locked-file-segments.patch new file mode 100644 index 00000000000..b0529722974 --- /dev/null +++ b/queue-2.6.28/fix-oops-in-mmap_region-when-merging-adjacent-vm_locked-file-segments.patch 
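Review bot: In the ext3 patch (fs/ext3/namei.c), the new check in `make_indexed_dir()` rejects only a '..' `rec_len` that lands at or beyond the end of the block; a value that is too small, or not aligned, still passes, so `de` can point into the middle of the dotdot entry and the code that follows copies and then walks whatever it finds there. A lower bound alongside the existing test, along the lines of `ext3_rec_len_from_disk(fde->rec_len) < EXT3_DIR_REC_LEN(2) ||`, would close that side of a deliberately corrupted directory block as well. The loop that walks the copied entries is outside the hunk, so whether it validates each entry's rec_len cannot be confirmed from here.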
@@ -0,0 +1,67 @@ +From akpm@linux-foundation.org Wed Jan 28 13:44:38 2009 +From: Andrew Morton +Date: Wed, 28 Jan 2009 13:43:50 -0800 +Subject: Fix OOPS in mmap_region() when merging adjacent VM_LOCKED file segments +To: Maksim Yevmenkin +Cc: npiggin@suse.de, torvalds@linux-foundation.org, gregkh@suse.de, will@crowder-design.com, Hugh Dickins , Rik van Riel +Message-ID: <20090128134350.034ac6a7.akpm@linux-foundation.org> + +From: Andrew Morton + +This patch differs from the upstream commit +de33c8db5910cda599899dd431cc30d7c1018cbf written by Linus, as it aims to +only prevent the oops from happening, not attempt to change anything +else. + + +The problem was introduced by commit +ba470de43188cdbff795b5da43a1474523c6c2fb + +which added new references to *vma after we've potentially freed it. + +From: Andrew Morton +Reported-by: Maksim Yevmenkin +Tested-by: Maksim Yevmenkin +Cc: Lee Schermerhorn +Cc: Nick Piggin +Cc: Andrew Morton +Cc: Rik van Riel +Cc: Hugh Dickins +Cc: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + + +--- + mm/mmap.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1095,6 +1095,7 @@ unsigned long mmap_region(struct file *f + { + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma, *prev; ++ struct vm_area_struct *merged_vma; + int correct_wcount = 0; + int error; + struct rb_node **rb_link, *rb_parent; +@@ -1207,13 +1208,17 @@ munmap_back: + if (vma_wants_writenotify(vma)) + vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED); + +- if (file && vma_merge(mm, prev, addr, vma->vm_end, +- vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) { ++ merged_vma = NULL; ++ if (file) ++ merged_vma = vma_merge(mm, prev, addr, vma->vm_end, ++ vma->vm_flags, NULL, file, pgoff, vma_policy(vma)); ++ if (merged_vma) { + mpol_put(vma_policy(vma)); + kmem_cache_free(vm_area_cachep, vma); + fput(file); + if (vm_flags & VM_EXECUTABLE) + removed_exe_file_vma(mm); ++ vma = merged_vma; + } 
else { + vma_link(mm, vma, prev, rb_link, rb_parent); + file = vma->vm_file; diff --git a/queue-2.6.28/fix_reserve_memtype_1MB.patch b/queue-2.6.28/fix_reserve_memtype_1MB.patch new file mode 100644 index 00000000000..e2ff733d8e5 --- /dev/null +++ b/queue-2.6.28/fix_reserve_memtype_1MB.patch 
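Review bot: In the mmap patch (mm/mmap.c), after the merge branch of `mmap_region()` releases the freshly allocated area with `kmem_cache_free()`, the added `vma = merged_vma;` is the only thing that keeps the code below from reading freed memory, and nothing in the source says so. A comment on that line, such as `/* the vma allocated above was freed; later code must use the merged one */`, would stop a future cleanup from removing it as a dead store. Because the description states that this deliberately differs from upstream commit de33c8db5910cda599899dd431cc30d7c1018cbf, every later use of `vma` in the function (outside this hunk) should also be confirmed to be valid for a merged area, which may be larger than the range just mapped.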
@@ -0,0 +1,93 @@ +From suresh.b.siddha@intel.com Fri Jan 30 17:39:13 2009 +From: Suresh Siddha +Date: Wed, 28 Jan 2009 16:51:52 -0800 +Subject: x86, pat: fix reserve_memtype() for legacy 1MB range +To: greg@kroah.com +Cc: stable@kernel.org, Suresh Siddha , Venkatesh Pallipadi , Ingo Molnar , tvignaud@mandriva.com +Message-ID: <20090129005328.952031000@intel.com> +Content-Disposition: inline; filename=fix_reserve_memtype_1MB.patch + +From: Suresh Siddha + +commit 5cca0cf15a94417f49625ce52e23589eed0a1675 upstream + +Thierry Vignaud reported: +> http://bugzilla.kernel.org/show_bug.cgi?id=12372 +> +> On P4 with an SiS motherboard (video card is a SiS 651) +> X server fails to start with error: +> xf86MapVidMem: Could not mmap framebuffer (0x00000000,0x2000) (Invalid +> argument) + +Here X is trying to map first 8KB of memory using /dev/mem. Existing +code treats first 0-4KB of memory as non-RAM and 4KB-8KB as RAM. Recent +code changes don't allow to map memory with different attributes +at the same time. 
+ +Fix this by treating the first 1MB legacy region as special and always +track the attribute requests with in this region using linear linked +list (and don't bother if the range is RAM or non-RAM or mixed) + +Reported-and-tested-by: Thierry Vignaud +Signed-off-by: Suresh Siddha +Signed-off-by: Venkatesh Pallipadi +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/pat.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +--- a/arch/x86/mm/pat.c ++++ b/arch/x86/mm/pat.c +@@ -333,11 +333,20 @@ int reserve_memtype(u64 start, u64 end, + req_type & _PAGE_CACHE_MASK); + } + +- is_range_ram = pagerange_is_ram(start, end); +- if (is_range_ram == 1) +- return reserve_ram_pages_type(start, end, req_type, new_type); +- else if (is_range_ram < 0) +- return -EINVAL; ++ /* ++ * For legacy reasons, some parts of the physical address range in the ++ * legacy 1MB region is treated as non-RAM (even when listed as RAM in ++ * the e820 tables). So we will track the memory attributes of this ++ * legacy 1MB region using the linear memtype_list always. ++ */ ++ if (end >= ISA_END_ADDRESS) { ++ is_range_ram = pagerange_is_ram(start, end); ++ if (is_range_ram == 1) ++ return reserve_ram_pages_type(start, end, req_type, ++ new_type); ++ else if (is_range_ram < 0) ++ return -EINVAL; ++ } + + new = kmalloc(sizeof(struct memtype), GFP_KERNEL); + if (!new) +@@ -437,11 +446,19 @@ int free_memtype(u64 start, u64 end) + if (is_ISA_range(start, end - 1)) + return 0; + +- is_range_ram = pagerange_is_ram(start, end); +- if (is_range_ram == 1) +- return free_ram_pages_type(start, end); +- else if (is_range_ram < 0) +- return -EINVAL; ++ /* ++ * For legacy reasons, some parts of the physical address range in the ++ * legacy 1MB region is treated as non-RAM (even when listed as RAM in ++ * the e820 tables). So we will track the memory attributes of this ++ * legacy 1MB region using the linear memtype_list always. 
++ */ ++ if (end >= ISA_END_ADDRESS) { ++ is_range_ram = pagerange_is_ram(start, end); ++ if (is_range_ram == 1) ++ return free_ram_pages_type(start, end); ++ else if (is_range_ram < 0) ++ return -EINVAL; ++ } + + spin_lock(&memtype_lock); + list_for_each_entry(entry, &memtype_list, nd) { diff --git a/queue-2.6.28/gpiolib-fix-request-related-issue.patch b/queue-2.6.28/gpiolib-fix-request-related-issue.patch new file mode 100644 index 00000000000..c53409cfb22 --- /dev/null +++ b/queue-2.6.28/gpiolib-fix-request-related-issue.patch @@ -0,0 +1,31 @@ +From 7460db567bbca76bf087d1694d792a1a96bdaa26 Mon Sep 17 00:00:00 2001 +From: Magnus Damm +Date: Thu, 29 Jan 2009 14:25:12 -0800 +Subject: gpiolib: fix request related issue + +From: Magnus Damm + +commit 7460db567bbca76bf087d1694d792a1a96bdaa26 upstream. + +Fix request-already-requested handling in gpio_request(). + +Signed-off-by: Magnus Damm +Acked-by: David Brownell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -789,6 +789,7 @@ int gpio_request(unsigned gpio, const ch + } else { + status = -EBUSY; + module_put(chip->owner); ++ goto done; + } + + if (chip->request) { diff --git a/queue-2.6.28/include-linux-add-bsg.h-to-the-kernel-exported-headers.patch b/queue-2.6.28/include-linux-add-bsg.h-to-the-kernel-exported-headers.patch new file mode 100644 index 00000000000..2db8331dc74 --- /dev/null +++ b/queue-2.6.28/include-linux-add-bsg.h-to-the-kernel-exported-headers.patch 
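Review bot: In the pat patch (arch/x86/mm/pat.c), the new test `if (end >= ISA_END_ADDRESS)` in `reserve_memtype()` and `free_memtype()` sends a range that ends exactly at the 1MB boundary down the `pagerange_is_ram()` path, although `free_memtype()` passes `end - 1` to `is_ISA_range()` just above, which suggests `end` is exclusive. If that is the convention, a request covering the last page below 1MB lies wholly inside the legacy region yet can still hit the mixed-attribute failure this patch is meant to avoid; `if (end > ISA_END_ADDRESS)` would match an exclusive end, to be confirmed against the definition of ISA_END_ADDRESS, which is not in the hunk. The same explanatory comment block is also pasted into both functions, and a small shared helper would keep the two paths from drifting apart.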
@@ -0,0 +1,40 @@
+From a229fc61ef0ee3c30fd193beee0eeb87410227f1 Mon Sep 17 00:00:00 2001
+From: Boaz Harrosh
+Date: Mon, 19 Jan 2009 10:37:38 +0100
+Subject: include/linux: Add bsg.h to the Kernel exported headers
+
+From: Boaz Harrosh
+
+commit a229fc61ef0ee3c30fd193beee0eeb87410227f1 upstream.
+
+bsg.h in current form is perfectly suitable for user-mode
+consumption. It is needed together with scsi/sg.h for applications
+that want to interface with the bsg driver.
+
+Currently the few projects that use it would copy it over into
+the projects. But that is not acceptable for projects that need
+to provide source and devel packages for distros.
+
+This should also be submitted to stable 2.6.28 and 2.6.27 since bsg had
+a stable API since these Kernels and distro users will need the header
+for these kernels a swell
+
+Signed-off-by: Boaz Harrosh
+Acked-by: FUJITA Tomonori
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -41,6 +41,7 @@ header-y += baycom.h
+ header-y += bfs_fs.h
+ header-y += blkpg.h
+ header-y += bpqether.h
++header-y += bsg.h
+ header-y += can.h
+ header-y += cdk.h
+ header-y += chio.h
diff --git a/queue-2.6.28/net-net_namespace-fix-lock-imbalance.patch b/queue-2.6.28/net-net_namespace-fix-lock-imbalance.patch
new file mode 100644
index 00000000000..a6af331c22d
--- /dev/null
+++ b/queue-2.6.28/net-net_namespace-fix-lock-imbalance.patch
@@ -0,0 +1,32 @@
+From 357f5b0b91054ae23385ea4b0634bb8b43736e83 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Sat, 17 Jan 2009 06:47:12 +0000
+Subject: NET: net_namespace, fix lock imbalance
+
+From: Jiri Slaby
+
+commit 357f5b0b91054ae23385ea4b0634bb8b43736e83 upstream.
+
+register_pernet_gen_subsys omits mutex_unlock in one fail path.
+Fix it.
+
+Signed-off-by: Jiri Slaby
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/net_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -342,8 +342,8 @@ again:
+ rv = register_pernet_operations(first_device, ops);
+ if (rv < 0)
+ ida_remove(&net_generic_ids, *id);
+- mutex_unlock(&net_mutex);
+ out:
++ mutex_unlock(&net_mutex);
+ return rv;
+ }
+ EXPORT_SYMBOL_GPL(register_pernet_gen_subsys);
diff --git a/queue-2.6.28/pci-hotplug-fix-lock-imbalance-in-pciehp.patch b/queue-2.6.28/pci-hotplug-fix-lock-imbalance-in-pciehp.patch
new file mode 100644
index 00000000000..95dbf3c73ed
--- /dev/null
+++ b/queue-2.6.28/pci-hotplug-fix-lock-imbalance-in-pciehp.patch
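Review bot: Moving `mutex_unlock(&net_mutex);` below the `out:` label means every `goto out` now unlocks, which is only correct if no jump to `out` can happen before `net_mutex` is taken. The `mutex_lock()` call and the jump sites are above the hunk in register_pernet_gen_subsys(), so that invariant cannot be confirmed from here and should be checked against the full function. I would record it next to the unlock: `/* every goto out is taken with net_mutex held */`.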
@@ -0,0 +1,38 @@
+From c2fdd36b550659f5ac2240d1f5a83ffa1a092289 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Sat, 17 Jan 2009 16:23:55 +0100
+Subject: PCI hotplug: fix lock imbalance in pciehp
+
+From: Jiri Slaby
+
+commit c2fdd36b550659f5ac2240d1f5a83ffa1a092289 upstream.
+
+set_lock_status omits mutex_unlock in fail path. Add the omitted
+unlock.
+
+As a result a lockup caused by this can be triggered from userspace
+by writing 1 to /sys/bus/pci/slots/.../lock often enough.
+
+Signed-off-by: Jiri Slaby
+Reviewed-by: Kenji Kaneshige
+Signed-off-by: Jesse Barnes
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/hotplug/pciehp_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -126,8 +126,10 @@ static int set_lock_status(struct hotplu
+ mutex_lock(&slot->ctrl->crit_sect);
+
+ /* has it been >1 sec since our last toggle? */
+- if ((get_seconds() - slot->last_emi_toggle) < 1)
++ if ((get_seconds() - slot->last_emi_toggle) < 1) {
++ mutex_unlock(&slot->ctrl->crit_sect);
+ return -EINVAL;
++ }
+
+ /* see what our current state is */
+ retval = get_lock_status(hotplug_slot, &value);
diff --git a/queue-2.6.28/relay-fix-lock-imbalance-in-relay_late_setup_files.patch b/queue-2.6.28/relay-fix-lock-imbalance-in-relay_late_setup_files.patch
new file mode 100644
index 00000000000..23c3a2b4b44
--- /dev/null
+++ b/queue-2.6.28/relay-fix-lock-imbalance-in-relay_late_setup_files.patch
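Review bot: The early return in set_lock_status() is fixed by repeating `mutex_unlock(&slot->ctrl->crit_sect);` inline, which keeps the shape that let this path leak the lock in the first place. The relay patch that follows does the same in relay_late_setup_files() with `relay_channels_mutex`. A single exit that owns the unlock is harder to miss when another error path is added: `retval = -EINVAL; goto out;`, with `out:` placed in front of the function's normal-path unlock. Both function bodies continue past their hunks, so whether such a label already exists is not visible here.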
@@ -0,0 +1,31 @@
+From b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Sat, 17 Jan 2009 12:04:36 +0100
+Subject: relay: fix lock imbalance in relay_late_setup_files
+
+From: Jiri Slaby
+
+commit b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 upstream.
+
+One fail path in relay_late_setup_files() omits
+mutex_unlock(&relay_channels_mutex);
+Add it.
+
+Signed-off-by: Jiri Slaby
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -663,8 +663,10 @@ int relay_late_setup_files(struct rchan *chan,
+
+ mutex_lock(&relay_channels_mutex);
+ /* Is chan already set up? */
+- if (unlikely(chan->has_base_filename))
++ if (unlikely(chan->has_base_filename)) {
++ mutex_unlock(&relay_channels_mutex);
+ return -EEXIST;
++ }
+ chan->has_base_filename = 1;
+ chan->parent = parent;
+ curr_cpu = get_cpu();
diff --git a/queue-2.6.28/rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch b/queue-2.6.28/rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch
new file mode 100644
index 00000000000..c24982fe16d
--- /dev/null
+++ b/queue-2.6.28/rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch
@@ -0,0 +1,55 @@
+From eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Tue, 27 Jan 2009 12:31:23 -0600
+Subject: rtl8187: Fix error in setting OFDM power settings for RTL8187L
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger
+
+commit eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a upstream.
+
+After reports of poor performance, a review of the latest vendor driver
+(rtl8187_linux_26.1025.0328.2007) for RTL8187L devices was undertaken.
+
+A difference was found in the code used to index the OFDM power tables. When
+the Linux driver was changed, my unit works at a much greater range than
+before. I think this fixes Bugzilla #12380 and has been tested by at least
+two other users.
+
+Signed-off-by: Larry Finger
+Tested-by: Martín Ernesto Barreyro
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtl8187_rtl8225.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rtl8187_rtl8225.c
++++ b/drivers/net/wireless/rtl8187_rtl8225.c
+@@ -287,7 +287,10 @@ static void rtl8225_rf_set_tx_power(stru
+ ofdm_power = priv->channels[channel - 1].hw_value >> 4;
+
+ cck_power = min(cck_power, (u8)11);
+- ofdm_power = min(ofdm_power, (u8)35);
++ if (ofdm_power > (u8)15)
++ ofdm_power = 25;
++ else
++ ofdm_power += 10;
+
+ rtl818x_iowrite8(priv, &priv->map->TX_GAIN_CCK,
+ rtl8225_tx_gain_cck_ofdm[cck_power / 6] >> 1);
+@@ -540,7 +543,10 @@ static void rtl8225z2_rf_set_tx_power(st
+ cck_power += priv->txpwr_base & 0xF;
+ cck_power = min(cck_power, (u8)35);
+
+- ofdm_power = min(ofdm_power, (u8)15);
++ if (ofdm_power > (u8)15)
++ ofdm_power = 25;
++ else
++ ofdm_power += 10;
+ ofdm_power += priv->txpwr_base >> 4;
+ ofdm_power = min(ofdm_power, (u8)35);
+
diff --git a/queue-2.6.28/series b/queue-2.6.28/series
index cc5eb53fe28..cddadd4efa1 100644
--- a/queue-2.6.28/series
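Review bot: The same four-line OFDM mapping is pasted into both rtl8225_rf_set_tx_power() and rtl8225z2_rf_set_tx_power() with bare constants 15, 25 and 10, and nothing in the code ties them to the vendor driver the description cites. In the first function the value range changes from a cap of 35 to 10..25, and the table lookups that consume `ofdm_power` are below the hunk, so the new range should be checked against the table sizes there. A one-line form with the reason attached would be `ofdm_power = (ofdm_power > 15) ? 25 : ofdm_power + 10; /* vendor driver mapping: 0..15 -> 10..25, larger values -> 25 */`. The `(u8)` cast on the comparison constant is not needed.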
+++ b/queue-2.6.28/series
@@ -21,3 +21,23 @@ it821x-add-ultra_mask-quirk-for-vortex86sx.patch
 libata-pata_via-support-vx855-future-chips-whose-ide-controller-use-0x0571.patch
 serial_8250-support-for-sealevel-systems-model-7803-comm-8.patch
 drm-stash-agp-include-under-the-do-we-have-agp-ifdef.patch
+fix-oops-in-mmap_region-when-merging-adjacent-vm_locked-file-segments.patch
+bnx2x-block-nvram-access-when-the-device-is-inactive.patch
+ext3-add-sanity-check-to-make_indexed_dir.patch
+rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch
+epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch
+gpiolib-fix-request-related-issue.patch
+sgi-xpc-remove-null-pointer-dereference.patch
+sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch
+include-linux-add-bsg.h-to-the-kernel-exported-headers.patch
+alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch
+alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch
+alsa-hda-add-quirk-for-hp-dv6700-laptop.patch
+crypto-authenc-fix-zero-length-iv-crash.patch
+crypto-ccm-fix-handling-of-null-assoc-data.patch
+fix_reserve_memtype_1MB.patch
+x86-pat-fix-pte-corruption-issue-while-mapping-ram-using-dev-mem.patch
+pci-hotplug-fix-lock-imbalance-in-pciehp.patch
+dmaengine-fix-dependency-chaining.patch
+net-net_namespace-fix-lock-imbalance.patch
+relay-fix-lock-imbalance-in-relay_late_setup_files.patch
diff --git a/queue-2.6.28/sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch b/queue-2.6.28/sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch
new file mode 100644
index 00000000000..d0047f06f0f
--- /dev/null
+++ b/queue-2.6.28/sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch
@@ -0,0 +1,80 @@
+From 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 Mon Sep 17 00:00:00 2001
+From: Robin Holt
+Date: Thu, 29 Jan 2009 14:25:06 -0800
+Subject: sgi-xpc: ensure flags are updated before bte_copy
+
+From: Robin Holt
+
+commit 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 upstream.
+
+The clearing of the msg->flags needs a barrier between it and the notify
+of the channel threads that the messages are cleaned and ready for use.
+
+Signed-off-by: Robin Holt
+Signed-off-by: Dean Nelson
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/sgi-xp/xpc_sn2.c | 9 +++++----
+ drivers/misc/sgi-xp/xpc_uv.c | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_sn2.c
++++ b/drivers/misc/sgi-xp/xpc_sn2.c
+@@ -1841,6 +1841,7 @@ xpc_process_msg_chctl_flags_sn2(struct x
+ */
+ xpc_clear_remote_msgqueue_flags_sn2(ch);
+
++ smp_wmb(); /* ensure flags have been cleared before bte_copy */
+ ch_sn2->w_remote_GP.put = ch_sn2->remote_GP.put;
+
+ dev_dbg(xpc_chan, "w_remote_GP.put changed to %ld, partid=%d, "
+@@ -1939,7 +1940,7 @@ xpc_get_deliverable_payload_sn2(struct x
+ break;
+
+ get = ch_sn2->w_local_GP.get;
+- rmb(); /* guarantee that .get loads before .put */
++ smp_rmb(); /* guarantee that .get loads before .put */
+ if (get == ch_sn2->w_remote_GP.put)
+ break;
+
+@@ -2060,7 +2061,7 @@ xpc_allocate_msg_sn2(struct xpc_channel
+ while (1) {
+
+ put = ch_sn2->w_local_GP.put;
+- rmb(); /* guarantee that .put loads before .get */
++ smp_rmb(); /* guarantee that .put loads before .get */
+ if (put - ch_sn2->w_remote_GP.get < ch->local_nentries) {
+
+ /* There are available message entries. We need to try
+@@ -2193,7 +2194,7 @@ xpc_send_payload_sn2(struct xpc_channel
+ * The preceding store of msg->flags must occur before the following
+ * load of local_GP->put.
+ */
+- mb();
++ smp_mb();
+
+ /* see if the message is next in line to be sent, if so send it */
+
+@@ -2294,7 +2295,7 @@ xpc_received_payload_sn2(struct xpc_chan
+ * The preceding store of msg->flags must occur before the following
+ * load of local_GP->get.
+ */
+- mb();
++ smp_mb();
+
+ /*
+ * See if this message is next in line to be acknowledged as having
+--- a/drivers/misc/sgi-xp/xpc_uv.c
++++ b/drivers/misc/sgi-xp/xpc_uv.c
+@@ -1238,7 +1238,7 @@ xpc_send_payload_uv(struct xpc_channel *
+ atomic_inc(&ch->n_to_notify);
+
+ msg_slot->key = key;
+- wmb(); /* a non-NULL func must hit memory after the key */
++ smp_wmb(); /* a non-NULL func must hit memory after the key */
+ msg_slot->func = func;
+
+ if (ch->flags & XPC_C_DISCONNECTING) {
diff --git a/queue-2.6.28/sgi-xpc-remove-null-pointer-dereference.patch b/queue-2.6.28/sgi-xpc-remove-null-pointer-dereference.patch
new file mode 100644
index 00000000000..6de7d72b1a5
--- /dev/null
+++ b/queue-2.6.28/sgi-xpc-remove-null-pointer-dereference.patch
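Review bot: The comment on the new `smp_wmb()` in xpc_process_msg_chctl_flags_sn2() says "before bte_copy", but the barrier sits in front of the store to `ch_sn2->w_remote_GP.put`, and the comment does not name the read side it pairs with. The patch also converts five existing `rmb()`/`mb()`/`wmb()` calls in xpc_sn2.c and xpc_uv.c to their `smp_` forms, which the description does not mention. Those forms order only against other CPUs, so it should be confirmed that none of the guarded stores is consumed by a BTE transfer rather than by a CPU. A more precise comment would be `smp_wmb(); /* flags cleared before w_remote_GP.put is published; presumably pairs with the smp_rmb() ahead of the w_remote_GP.put load in the readers */`. All of the touched functions extend beyond their hunks.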
@@ -0,0 +1,42 @@
+From 17e2161654da4e6bdfd8d53d4f52e820ee93f423 Mon Sep 17 00:00:00 2001
+From: Robin Holt
+Date: Thu, 29 Jan 2009 14:25:07 -0800
+Subject: sgi-xpc: Remove NULL pointer dereference.
+
+From: Robin Holt
+
+commit 17e2161654da4e6bdfd8d53d4f52e820ee93f423 upstream.
+
+If the bte copy fails, the attempt to retrieve payloads merely returns a
+null pointer deref and not NULL as was expected.
+
+Signed-off-by: Robin Holt
+Signed-off-by: Dean Nelson
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/sgi-xp/xpc_sn2.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_sn2.c
++++ b/drivers/misc/sgi-xp/xpc_sn2.c
+@@ -1961,11 +1961,13 @@ xpc_get_deliverable_payload_sn2(struct x
+
+ msg = xpc_pull_remote_msg_sn2(ch, get);
+
+- DBUG_ON(msg != NULL && msg->number != get);
+- DBUG_ON(msg != NULL && (msg->flags & XPC_M_SN2_DONE));
+- DBUG_ON(msg != NULL && !(msg->flags & XPC_M_SN2_READY));
++ if (msg != NULL) {
++ DBUG_ON(msg->number != get);
++ DBUG_ON(msg->flags & XPC_M_SN2_DONE);
++ DBUG_ON(!(msg->flags & XPC_M_SN2_READY));
+
+- payload = &msg->payload;
++ payload = &msg->payload;
++ }
+ break;
+ }
+
diff --git a/queue-2.6.28/x86-pat-fix-pte-corruption-issue-while-mapping-ram-using-dev-mem.patch b/queue-2.6.28/x86-pat-fix-pte-corruption-issue-while-mapping-ram-using-dev-mem.patch
new file mode 100644
index 00000000000..b34aac5319d
--- /dev/null
+++ b/queue-2.6.28/x86-pat-fix-pte-corruption-issue-while-mapping-ram-using-dev-mem.patch
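Review bot: With `payload = &msg->payload;` now skipped when `msg` is NULL, xpc_get_deliverable_payload_sn2() hands back whatever `payload` held before this point. The fix therefore depends on `payload` being initialised to NULL at its declaration, which is outside this hunk and should be confirmed. A short comment after the block would make the dependency visible: `/* payload keeps its initial NULL when the pull failed */`. The old code took `&msg->payload` from a NULL `msg`, which callers would have received as a non-NULL pointer whenever the member offset is non-zero.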
@@ -0,0 +1,70 @@
+From suresh.b.siddha@intel.com Fri Jan 30 17:39:50 2009
+From: Suresh Siddha
+Date: Wed, 28 Jan 2009 16:51:53 -0800
+Subject: x86, pat: fix PTE corruption issue while mapping RAM using /dev/mem
+To: greg@kroah.com
+Cc: stable@kernel.org, Suresh Siddha , Venkatesh Pallipadi , Ingo Molnar , Daniel.Beschorner@facton.com, pageexec@freemail.hu
+Message-ID: <20090129005329.064526000@intel.com>
+
+From: Suresh Siddha
+
+commit 9597134218300c045cf219be3664615e97cb239c upstream.
+
+Beschorner Daniel reported:
+> hwinfo problem since 2.6.28, showing this in the oops:
+> Corrupted page table at address 7fd04de3ec00
+
+Also, PaX Team reported a regression with this commit:
+
+> commit 9542ada803198e6eba29d3289abb39ea82047b92
+> Author: Suresh Siddha
+> Date: Wed Sep 24 08:53:33 2008 -0700
+>
+> x86: track memtype for RAM in page struct
+
+This commit breaks mapping any RAM page through /dev/mem, as the
+reserve_memtype() was not initializing the return attribute type and as such
+corrupting the PTE entry that was setup with the return attribute type.
+
+Because of this bug, application mapping this RAM page through /dev/mem
+will die with "Corrupted page table at address xxxx" message in the kernel
+log and also the kernel identity mapping which maps the underlying RAM
+page gets converted to UC.
+
+Fix this by initializing the return attribute type before calling
+reserve_ram_pages_type()
+
+Reported-by: PaX Team
+Reported-and-tested-by: Beschorner Daniel
+Tested-and-Acked-by: PaX Team
+Signed-off-by: Suresh Siddha
+Signed-off-by: Venkatesh Pallipadi
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/mm/pat.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -333,6 +333,9 @@ int reserve_memtype(u64 start, u64 end,
+ req_type & _PAGE_CACHE_MASK);
+ }
+
++ if (new_type)
++ *new_type = actual_type
++
+ /*
+ * For legacy reasons, some parts of the physical address range in the
+ * legacy 1MB region is treated as non-RAM (even when listed as RAM in
+@@ -356,9 +359,6 @@ int reserve_memtype(u64 start, u64 end,
+ new->end = end;
+ new->type = actual_type;
+
+- if (new_type)
+- *new_type = actual_type;
+-
+ spin_lock(&memtype_lock);
+
+ if (cached_entry && start >= cached_start)
-- 
2.47.3
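Review bot: The relocated assignment in reserve_memtype() lost its statement terminator. The added line in the first arch/x86/mm/pat.c hunk reads `*new_type = actual_type`, while the line removed in the second hunk was `*new_type = actual_type;`. As queued, the statement runs into whatever code follows the legacy-1MB comment, so pat.c should fail to build once this patch is applied. The added line needs to be `*new_type = actual_type;`. The function continues beyond both hunks, and a build of the queue with this patch applied would confirm it.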