--- /dev/null
+From stable-bounces@linux.kernel.org Fri Apr 18 09:25:15 2008
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Fri, 18 Apr 2008 16:25:10 GMT
+Subject: cgroup: fix a race condition in manipulating tsk->cg_list
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200804181625.m3IGPAB9016440@hera.kernel.org>
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+commit: 0e04388f0189fa1f6812a8e1cb6172136eada87e
+
+When I ran a test program to fork mass processes and at the same time
+'cat /cgroup/tasks', I got the following oops:
+
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:72!
+ invalid opcode: 0000 [#1] SMP
+ Pid: 4178, comm: a.out Not tainted (2.6.25-rc9 #72)
+ ...
+ Call Trace:
+ [<c044a5f9>] ? cgroup_exit+0x55/0x94
+ [<c0427acf>] ? do_exit+0x217/0x5ba
+ [<c0427ed7>] ? do_group_exit+0.65/0x7c
+ [<c0427efd>] ? sys_exit_group+0xf/0x11
+ [<c0404842>] ? syscall_call+0x7/0xb
+ [<c05e0000>] ? init_cyrix+0x2fa/0x479
+ ...
+ EIP: [<c04df671>] list_del+0x35/0x53 SS:ESP 0068:ebc7df4
+ ---[ end trace caffb7332252612b ]---
+ Fixing recursive fault but reboot is needed!
+
+After digging into the code and debugging, I finlly found out a race
+situation:
+
+ do_exit()
+ ->cgroup_exit()
+ ->if (!list_empty(&tsk->cg_list))
+ list_del(&tsk->cg_list);
+
+ cgroup_iter_start()
+ ->cgroup_enable_task_cg_list()
+ ->list_add(&tsk->cg_list, ..);
+
+In this case the list won't be deleted though the process has exited.
+
+We got two bug reports in the past, which seem to be the same bug as
+this one:
+ http://lkml.org/lkml/2008/3/5/332
+ http://lkml.org/lkml/2007/10/17/224
+
+Actually sometimes I got oops on list_del, sometimes oops on list_add.
+And I can change my test program a bit to trigger other oops.
+
+The patch has been tested both on x86_32 and x86_64.
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Acked-by: Paul Menage <menage@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/cgroup.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -1722,7 +1722,12 @@ void cgroup_enable_task_cg_lists(void)
+ use_task_css_set_links = 1;
+ do_each_thread(g, p) {
+ task_lock(p);
+- if (list_empty(&p->cg_list))
++ /*
++ * We should check if the process is exiting, otherwise
++ * it will race with cgroup_exit() in that the list
++ * entry won't be deleted though the process has exited.
++ */
++ if (!(p->flags & PF_EXITING) && list_empty(&p->cg_list))
+ list_add(&p->cg_list, &p->cgroups->tasks);
+ task_unlock(p);
+ } while_each_thread(g, p);
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Apr 25 13:47:58 2008
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 25 Apr 2008 20:05:39 GMT
+Subject: dm snapshot: fix chunksize sector conversion
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200804252005.m3PK5dXs013576@hera.kernel.org>
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit: 924362629bf5645aee5f49f8a0d0d5b193e65997
+
+If a snapshot has a smaller chunksize than the page size the
+conversion to pages currently returns 0 instead of 1, causing:
+kernel BUG in mempool_resize.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Milan Broz <mbroz@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/dm-exception-store.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-exception-store.c
++++ b/drivers/md/dm-exception-store.c
+@@ -131,7 +131,7 @@ struct pstore {
+
+ static unsigned sectors_to_pages(unsigned sectors)
+ {
+- return sectors / (PAGE_SIZE >> 9);
++ return DIV_ROUND_UP(sectors, PAGE_SIZE >> 9);
+ }
+
+ static int alloc_area(struct pstore *ps)
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Apr 18 09:25:26 2008
+From: Roland Dreier <rolandd@cisco.com>
+Date: Fri, 18 Apr 2008 16:25:17 GMT
+Subject: RDMA/nes: Free IRQ before killing tasklet
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200804181625.m3IGPHn7017519@hera.kernel.org>
+
+From: Roland Dreier <rolandd@cisco.com>
+
+commit: 4cd1e5eb3cbe6e0cc934959770b4c60eac6ecf66
+
+Move the free_irq() call in nes_remove() to before the tasklet_kill();
+otherwise there is a window after tasklet_kill() where a new interrupt
+can be handled and reschedule the tasklet, leading to a use-after-free
+crash.
+
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/infiniband/hw/nes/nes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/nes/nes.c
++++ b/drivers/infiniband/hw/nes/nes.c
+@@ -751,13 +751,13 @@ static void __devexit nes_remove(struct
+
+ list_del(&nesdev->list);
+ nes_destroy_cqp(nesdev);
++
++ free_irq(pcidev->irq, nesdev);
+ tasklet_kill(&nesdev->dpc_tasklet);
+
+ /* Deallocate the Adapter Structure */
+ nes_destroy_adapter(nesdev->nesadapter);
+
+- free_irq(pcidev->irq, nesdev);
+-
+ if (nesdev->msi_enabled) {
+ pci_disable_msi(pcidev);
+ }
+usb-log-an-error-message-when-usb-enumeration-fails.patch
+usb-add-hp-hs2300-broadband-wireless-module-to-sierra.c.patch
jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
tg3-5701-dma-corruption-fix.patch
tcp-tcp_probe-buffer-overflow-and-incorrect-return-value.patch
rose-socket-lock-was-not-released-before-returning-to-user-space.patch
net-fix-wrong-interpretation-of-some-copy_to_user-results.patch
ipsec-fix-catch-22-with-algorithm-ids-above-31.patch
+usb-ohci-fix-bug-in-controller-resume.patch
+dm-snapshot-fix-chunksize-sector-conversion.patch
+cgroup-fix-a-race-condition-in-manipulating-tsk-cg_list.patch
+rdma-nes-free-irq-before-killing-tasklet.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Apr 25 13:48:07 2008
+From: Stefan Seyfried <seife@suse.de>
+Date: Fri, 25 Apr 2008 20:05:51 GMT
+Subject: USB: Add HP hs2300 Broadband Wireless Module to sierra.c
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200804252005.m3PK5p8g014153@hera.kernel.org>
+
+From: Stefan Seyfried <seife@suse.de>
+
+
+Add the HP hs2300 Broadband Wireless Module (relabeled MC8775) USB IDs
+
+Signed-off-by: Stefan Seyfried <seife@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/sierra.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -164,6 +164,7 @@ static struct usb_device_id id_table []
+ { USB_DEVICE(0x1199, 0x6812) }, /* Sierra Wireless MC8775 & AC 875U */
+ { USB_DEVICE(0x1199, 0x6813) }, /* Sierra Wireless MC8775 (Thinkpad internal) */
+ { USB_DEVICE(0x1199, 0x6815) }, /* Sierra Wireless MC8775 */
++ { USB_DEVICE(0x03f0, 0x1e1d) }, /* HP hs2300 a.k.a MC8775 */
+ { USB_DEVICE(0x1199, 0x6820) }, /* Sierra Wireless AirCard 875 */
+ { USB_DEVICE(0x1199, 0x6832) }, /* Sierra Wireless MC8780*/
+ { USB_DEVICE(0x1199, 0x6833) }, /* Sierra Wireless MC8781*/
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Apr 25 13:47:58 2008
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 25 Apr 2008 20:05:44 GMT
+Subject: USB: log an error message when USB enumeration fails
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200804252005.m3PK5iVB013844@hera.kernel.org>
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit: 6427f7995338387ddded92f98adec19ddbf0ae5e
+
+This patch (as1077) logs an error message whenever the kernel is
+unable to enumerate a new USB device.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/hub.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2664,6 +2664,7 @@ loop:
+ if ((status == -ENOTCONN) || (status == -ENOTSUPP))
+ break;
+ }
++ dev_err(hub_dev, "unable to enumerate USB device on port %d\n", port1);
+
+ done:
+ hub_port_disable(hub, port1, 1);
--- /dev/null
+From stable-bounces@linux.kernel.org Fri Apr 25 13:48:07 2008
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 25 Apr 2008 20:05:46 GMT
+Subject: USB: OHCI: fix bug in controller resume
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200804252005.m3PK5kbv013942@hera.kernel.org>
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit: 0d22f65515307c878ddd20b1305cce925ca9516c
+
+This patch (as1063) fixes a bug in the way ohci-hcd resumes its
+controllers. It leaves the Master Interrupt Enable bit turned off.
+
+If the root hub is resumed immediately this won't matter. But if the
+root hub is suspended (say because no devices are plugged in), it won't
+ever wake up by itself.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: David Brownell <david-b@pacbell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ohci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-pci.c
++++ b/drivers/usb/host/ohci-pci.c
+@@ -312,11 +312,13 @@ static int ohci_pci_suspend (struct usb_
+
+ static int ohci_pci_resume (struct usb_hcd *hcd)
+ {
++ struct ohci_hcd *ohci = hcd_to_ohci(hcd);
++
+ set_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
+
+ /* FIXME: we should try to detect loss of VBUS power here */
+ prepare_for_handover(hcd);
+-
++ ohci_writel(ohci, OHCI_INTR_MIE, &ohci->regs->intrenable);
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
