2011-04-26 21:13:28

by Andi Kleen

Subject: [PATCH] [0/106] 2.6.35.13 longterm review


This is the start of the longterm review cycle for the 2.6.35.12 release.
There are a large number of patches in this series, all will be posted as a
response to this one. If anyone has any issues with these being applied,
please let me know. If anyone is a maintainer of the proper subsystem, and
wants to add a Signed-off-by: line to the patch, please respond with it.

The full quilt queue can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/longterm/longterm-queue-2.6.35

Responses should be made within 48 hours.

-Andi


2011-04-26 21:13:33

by Andi Kleen

Subject: [PATCH] [3/106] staging: usbip: bugfixes related to kthread conversion

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Arjan Mels <[email protected]>

commit d2dd0b07c3e725d386d20294ec906f7ddef207fa upstream.

When doing a usb port reset do a queued reset instead to prevent a
deadlock: the reset will cause the driver to unbind, causing the
usb_driver_lock_for_reset to stall.

Signed-off-by: Arjan Mels <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Takahiro Hirofuchi <[email protected]>
Cc: Max Vozeler <[email protected]>
Cc: Arnd Bergmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/usbip/stub_rx.c | 40 +++++++++++++++-------------------------
1 file changed, 15 insertions(+), 25 deletions(-)

Index: linux-2.6.35.y/drivers/staging/usbip/stub_rx.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/usbip/stub_rx.c
+++ linux-2.6.35.y/drivers/staging/usbip/stub_rx.c
@@ -170,33 +170,23 @@ static int tweak_set_configuration_cmd(s

static int tweak_reset_device_cmd(struct urb *urb)
{
- struct usb_ctrlrequest *req;
- __u16 value;
- __u16 index;
- int ret;
-
- req = (struct usb_ctrlrequest *) urb->setup_packet;
- value = le16_to_cpu(req->wValue);
- index = le16_to_cpu(req->wIndex);
-
- usbip_uinfo("reset_device (port %d) to %s\n", index,
- dev_name(&urb->dev->dev));
-
- /* all interfaces should be owned by usbip driver, so just reset it. */
- ret = usb_lock_device_for_reset(urb->dev, NULL);
- if (ret < 0) {
- dev_err(&urb->dev->dev, "lock for reset\n");
- return ret;
- }
+ struct stub_priv *priv = (struct stub_priv *) urb->context;
+ struct stub_device *sdev = priv->sdev;

- /* try to reset the device */
- ret = usb_reset_device(urb->dev);
- if (ret < 0)
- dev_err(&urb->dev->dev, "device reset\n");
+ usbip_uinfo("reset_device %s\n", dev_name(&urb->dev->dev));

- usb_unlock_device(urb->dev);
-
- return ret;
+ /*
+ * usb_lock_device_for_reset caused a deadlock: it causes the driver
+ * to unbind. In the shutdown the rx thread is signalled to shut down
+ * but this thread is pending in the usb_lock_device_for_reset.
+ *
+ * Instead queue the reset.
+ *
+ * Unfortunatly an existing usbip connection will be dropped due to
+ * driver unbinding.
+ */
+ usb_queue_reset_device(sdev->interface);
+ return 0;
}

/*
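
Review bot: tweak_reset_device_cmd() now returns 0 unconditionally right after usb_queue_reset_device(sdev->interface), so the caller is told the reset succeeded before it has run and can no longer see a failure the way it could through the removed `return ret;`. If the caller still acts on the return value, the new comment should say that 0 only means "reset queued". The changelog names usb_driver_lock_for_reset while the code and the new comment name usb_lock_device_for_reset; the two should agree. The `(struct stub_priv *)` cast is unnecessary if urb->context is a void pointer, and "Unfortunatly" in the comment should read "Unfortunately".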

2011-04-26 21:13:44

by Andi Kleen

Subject: [PATCH] [15/106] Btrfs: Fix uninitialized root flags for subvolumes

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Li Zefan <[email protected]>

commit 08fe4db170b4193603d9d31f40ebaf652d07ac9c upstream.

root_item->flags and root_item->byte_limit are not initialized when
a subvolume is created. This bug is not revealed until we added
readonly snapshot support - now you mount a btrfs filesystem and you
may find the subvolumes in it are readonly.

To work around this problem, we steal a bit from root_item->inode_item->flags,
and use it to indicate if those fields have been properly initialized.
When we read a tree root from disk, we check if the bit is set, and if
not we'll set the flag and initialize the two fields of the root item.

Reported-by: Andreas Philipp <[email protected]>
Signed-off-by: Li Zefan <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Tested-by: Andreas Philipp <[email protected]>
Signed-off-by: Chris Mason <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/btrfs/ctree.h | 4 ++++
fs/btrfs/disk-io.c | 4 +++-
fs/btrfs/ioctl.c | 4 ++++
fs/btrfs/root-tree.c | 18 ++++++++++++++++++
fs/btrfs/transaction.c | 1 +
5 files changed, 30 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/fs/btrfs/ctree.h
===================================================================
--- linux-2.6.35.y.orig/fs/btrfs/ctree.h
+++ linux-2.6.35.y/fs/btrfs/ctree.h
@@ -1212,6 +1212,8 @@ struct btrfs_root {
#define BTRFS_INODE_NOATIME (1 << 9)
#define BTRFS_INODE_DIRSYNC (1 << 10)

+#define BTRFS_INODE_ROOT_ITEM_INIT (1 << 31)
+
/* some macros to generate set/get funcs for the struct fields. This
* assumes there is a lefoo_to_cpu for every type, so lets make a simple
* one for u8:
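
Review bot: `(1 << 31)` in the new BTRFS_INODE_ROOT_ITEM_INIT define shifts into the sign bit of a signed int, and later in this patch the flag is OR-ed into a `u64 inode_flags` and passed to cpu_to_le64(). A negative int converted to u64 sign-extends, which would set bits 32-63 along with bit 31. Writing the constant as `(1ULL << 31)` keeps it a single bit; the neighbouring BTRFS_INODE_* defines use small shift counts where this does not arise.
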
@@ -2239,6 +2241,8 @@ int btrfs_find_dead_roots(struct btrfs_r
int btrfs_find_orphan_roots(struct btrfs_root *tree_root);
int btrfs_set_root_node(struct btrfs_root_item *item,
struct extent_buffer *node);
+void btrfs_check_and_init_root_item(struct btrfs_root_item *item);
+
/* dir-item.c */
int btrfs_insert_dir_item(struct btrfs_trans_handle *trans,
struct btrfs_root *root, const char *name,
Index: linux-2.6.35.y/fs/btrfs/disk-io.c
===================================================================
--- linux-2.6.35.y.orig/fs/btrfs/disk-io.c
+++ linux-2.6.35.y/fs/btrfs/disk-io.c
@@ -1127,8 +1127,10 @@ struct btrfs_root *btrfs_read_fs_root_no
root->commit_root = btrfs_root_node(root);
BUG_ON(!root->node);
out:
- if (location->objectid != BTRFS_TREE_LOG_OBJECTID)
+ if (location->objectid != BTRFS_TREE_LOG_OBJECTID) {
root->ref_cows = 1;
+ btrfs_check_and_init_root_item(&root->root_item);
+ }

return root;
}
Index: linux-2.6.35.y/fs/btrfs/ioctl.c
===================================================================
--- linux-2.6.35.y.orig/fs/btrfs/ioctl.c
+++ linux-2.6.35.y/fs/btrfs/ioctl.c
@@ -282,6 +282,10 @@ static noinline int create_subvol(struct
inode_item->nbytes = cpu_to_le64(root->leafsize);
inode_item->mode = cpu_to_le32(S_IFDIR | 0755);

+ root_item.flags = 0;
+ root_item.byte_limit = 0;
+ inode_item->flags = cpu_to_le64(BTRFS_INODE_ROOT_ITEM_INIT);
+
btrfs_set_root_bytenr(&root_item, leaf->start);
btrfs_set_root_generation(&root_item, trans->transid);
btrfs_set_root_level(&root_item, 0);
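
Review bot: only `root_item.flags` and `root_item.byte_limit` are zeroed by hand in create_subvol(), which fixes the two fields named in the changelog but leaves the same class of bug open for any other member of root_item that is not assigned before the item is written. Clearing the whole structure once before the fields are filled in, for example `memset(&root_item, 0, sizeof(root_item));`, would be more robust, provided nothing assigned earlier in the function is lost by doing so.
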
Index: linux-2.6.35.y/fs/btrfs/root-tree.c
===================================================================
--- linux-2.6.35.y.orig/fs/btrfs/root-tree.c
+++ linux-2.6.35.y/fs/btrfs/root-tree.c
@@ -473,3 +473,21 @@ again:
btrfs_free_path(path);
return 0;
}
+
+/*
+ * Old btrfs forgets to init root_item->flags and root_item->byte_limit
+ * for subvolumes. To work around this problem, we steal a bit from
+ * root_item->inode_item->flags, and use it to indicate if those fields
+ * have been properly initialized.
+ */
+void btrfs_check_and_init_root_item(struct btrfs_root_item *root_item)
+{
+ u64 inode_flags = le64_to_cpu(root_item->inode.flags);
+
+ if (!(inode_flags & BTRFS_INODE_ROOT_ITEM_INIT)) {
+ inode_flags |= BTRFS_INODE_ROOT_ITEM_INIT;
+ root_item->inode.flags = cpu_to_le64(inode_flags);
+ root_item->flags = 0;
+ root_item->byte_limit = 0;
+ }
+}
Index: linux-2.6.35.y/fs/btrfs/transaction.c
===================================================================
--- linux-2.6.35.y.orig/fs/btrfs/transaction.c
+++ linux-2.6.35.y/fs/btrfs/transaction.c
@@ -895,6 +895,7 @@ static noinline int create_pending_snaps
record_root_in_trans(trans, root);
btrfs_set_root_last_snapshot(&root->root_item, trans->transid);
memcpy(new_root_item, &root->root_item, sizeof(*new_root_item));
+ btrfs_check_and_init_root_item(new_root_item);

old = btrfs_lock_root_node(root);
btrfs_cow_block(trans, root, old, NULL, 0, &old);

2011-04-26 21:13:49

by Andi Kleen

Subject: [PATCH] [17/106] UBIFS: do not read flash unnecessarily

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Artem Bityutskiy <[email protected]>

commit 8b229c76765816796eec7ccd428f03bd8de8b525 upstream.

This fix makes the 'dbg_check_old_index()' function return
immediately if debugging is disabled, instead of executing
incorrect 'goto out' which causes UBIFS to:

1. Allocate memory
2. Read the flash

On every commit. OK, we do not commit that often, but it is
still silly to do unneeded I/O anyway.

Credits to coverity for spotting this silly issue.

Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ubifs/commit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/fs/ubifs/commit.c
===================================================================
--- linux-2.6.35.y.orig/fs/ubifs/commit.c
+++ linux-2.6.35.y/fs/ubifs/commit.c
@@ -519,7 +519,7 @@ int dbg_check_old_index(struct ubifs_inf
size_t sz;

if (!(ubifs_chk_flags & UBIFS_CHK_OLD_IDX))
- goto out;
+ return 0;

INIT_LIST_HEAD(&list);

2011-04-26 21:14:00

by Andi Kleen

Subject: [PATCH] [23/106] b43: allocate receive buffers big enough for max frame len + offset

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: John W. Linville <[email protected]>

commit c85ce65ecac078ab1a1835c87c4a6319cf74660a upstream.

Otherwise, skb_put inside of dma_rx can fail...

https://bugzilla.kernel.org/show_bug.cgi?id=32042

Signed-off-by: John W. Linville <[email protected]>
Acked-by: Larry Finger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/net/wireless/b43/dma.c | 2 +-
drivers/net/wireless/b43/dma.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/drivers/net/wireless/b43/dma.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/b43/dma.c
+++ linux-2.6.35.y/drivers/net/wireless/b43/dma.c
@@ -1538,7 +1538,7 @@ static void dma_rx(struct b43_dmaring *r
dmaaddr = meta->dmaaddr;
goto drop_recycle_buffer;
}
- if (unlikely(len > ring->rx_buffersize)) {
+ if (unlikely(len + ring->frameoffset > ring->rx_buffersize)) {
/* The data did not fit into one descriptor buffer
* and is split over multiple buffers.
* This should never happen, as we try to allocate buffers
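
Review bot: the new test `len + ring->frameoffset > ring->rx_buffersize` does its arithmetic on the left-hand side; if `len` is taken from the received frame header, please confirm from the types that the sum cannot wrap, or write the bound as a subtraction from `rx_buffersize` after checking that `frameoffset` does not exceed it. The comment under the test still says the data "did not fit into one descriptor buffer" without mentioning the offset, so it could be updated to match the new condition.
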
Index: linux-2.6.35.y/drivers/net/wireless/b43/dma.h
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/b43/dma.h
+++ linux-2.6.35.y/drivers/net/wireless/b43/dma.h
@@ -163,7 +163,7 @@ struct b43_dmadesc_generic {
/* DMA engine tuning knobs */
#define B43_TXRING_SLOTS 256
#define B43_RXRING_SLOTS 64
-#define B43_DMA0_RX_BUFFERSIZE IEEE80211_MAX_FRAME_LEN
+#define B43_DMA0_RX_BUFFERSIZE (B43_DMA0_RX_FRAMEOFFSET + IEEE80211_MAX_FRAME_LEN)

/* Pointer poison */
#define B43_DMA_PTR_POISON ((void *)ERR_PTR(-ENOMEM))

2011-04-26 21:14:19

by Andi Kleen

Subject: [PATCH] [30/106] netfilter: ip_tables: fix infoleak to userspace

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.

Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace. Fields of these structs that are
zero-terminated strings are not checked. When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first and the third bugs were introduced before the git epoch; the
second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
one should have CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/ipv4/netfilter/ip_tables.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/net/ipv4/netfilter/ip_tables.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.35.y/net/ipv4/netfilter/ip_tables.c
@@ -1273,6 +1273,7 @@ do_replace(struct net *net, const void _
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
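
Review bot: `tmp.name[sizeof(tmp.name)-1] = 0;` in do_replace() silently truncates a name that userspace sent without a terminator instead of rejecting it, so a malformed request carries on under a name the caller did not supply. Consider returning an error when no NUL is found within sizeof(tmp.name) (a strnlen() check), or say in the changelog why truncation is preferred. A one-line comment above the assignment noting that the string is user-controlled would also help, since the line sits directly under the unrelated "overflow check" code.
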
@@ -1817,6 +1818,7 @@ compat_do_replace(struct net *net, void
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
@@ -2046,6 +2048,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd,
ret = -EFAULT;
break;
}
+ rev.name[sizeof(rev.name)-1] = 0;

if (cmd == IPT_SO_GET_REVISION_TARGET)
target = 1;

2011-04-26 21:13:47

by Andi Kleen

Subject: [PATCH] [18/106] UBIFS: fix oops on error path in read_pnode

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Artem Bityutskiy <[email protected]>

commit 54acbaaa523ca0bd284a18f67ad213c379679e86 upstream.

Thanks to coverity which spotted that UBIFS will oops if 'kmalloc()'
in 'read_pnode()' fails and we dereference a NULL 'pnode' pointer
when we 'goto out'.

Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ubifs/lpt.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

Index: linux-2.6.35.y/fs/ubifs/lpt.c
===================================================================
--- linux-2.6.35.y.orig/fs/ubifs/lpt.c
+++ linux-2.6.35.y/fs/ubifs/lpt.c
@@ -1270,10 +1270,9 @@ static int read_pnode(struct ubifs_info
lnum = branch->lnum;
offs = branch->offs;
pnode = kzalloc(sizeof(struct ubifs_pnode), GFP_NOFS);
- if (!pnode) {
- err = -ENOMEM;
- goto out;
- }
+ if (!pnode)
+ return -ENOMEM;
+
if (lnum == 0) {
/*
* This pnode was not written which just means that the LEB

2011-04-26 21:14:06

by Andi Kleen

Subject: [PATCH] [33/106] ipv6: netfilter: ip6_tables: fix infoleak to userspace

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.

Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
copied from userspace. Fields of these structs that are
zero-terminated strings are not checked. When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch; the second was
introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/ipv6/netfilter/ip6_tables.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/net/ipv6/netfilter/ip6_tables.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv6/netfilter/ip6_tables.c
+++ linux-2.6.35.y/net/ipv6/netfilter/ip6_tables.c
@@ -1289,6 +1289,7 @@ do_replace(struct net *net, const void _
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
@@ -1835,6 +1836,7 @@ compat_do_replace(struct net *net, void
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
@@ -2064,6 +2066,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd
ret = -EFAULT;
break;
}
+ rev.name[sizeof(rev.name)-1] = 0;

if (cmd == IP6T_SO_GET_REVISION_TARGET)
target = 1;
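
Review bot: the `rev.name[sizeof(rev.name)-1] = 0;` line here, and the two `tmp.name[...]` lines in the hunks above it, are line-for-line the same as the additions in the ip_tables.c patch in this series, so the termination rule now lives in six places. A small shared helper, or terminating the field at the point where the structure is copied in, would keep the two files from drifting apart. As in the IPv4 patch, the do_replace() and compat_do_replace() lines sit under the "overflow check" code with no comment of their own.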

2011-04-26 21:14:28

by Andi Kleen

Subject: [PATCH] [52/106] xfs: zero proper structure size for geometry calls

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Alex Elder <[email protected]>

commit af24ee9ea8d532e16883251a6684dfa1be8eec29 upstream.

Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
xfs_fs_geometry() in order to avoid passing kernel stack data back
to user space:

+ memset(geo, 0, sizeof(*geo));

Unfortunately, one of the callers of that function passes the
address of a smaller data type, cast to fit the type that
xfs_fs_geometry() requires. As a result, this can happen:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
in: f87aca93

Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
Call Trace:

[<c12991ac>] ? panic+0x50/0x150
[<c102ed71>] ? __stack_chk_fail+0x10/0x18
[<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]

Fix this by fixing that one caller to pass the right type and then
copy out the subset it is interested in.

Note: This patch is an alternative to one originally proposed by
Eric Sandeen.

Reported-by: Jeffrey Hundstad <[email protected]>
Signed-off-by: Alex Elder <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Reviewed-by: Eric Sandeen <[email protected]>
Tested-by: Jeffrey Hundstad <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/xfs/linux-2.6/xfs_ioctl.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/fs/xfs/linux-2.6/xfs_ioctl.c
===================================================================
--- linux-2.6.35.y.orig/fs/xfs/linux-2.6/xfs_ioctl.c
+++ linux-2.6.35.y/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -703,14 +703,19 @@ xfs_ioc_fsgeometry_v1(
xfs_mount_t *mp,
void __user *arg)
{
- xfs_fsop_geom_v1_t fsgeo;
+ xfs_fsop_geom_t fsgeo;
int error;

- error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
+ error = xfs_fs_geometry(mp, &fsgeo, 3);
if (error)
return -error;

- if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
+ /*
+ * Caller should have passed an argument of type
+ * xfs_fsop_geom_v1_t. This is a proper subset of the
+ * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
+ */
+ if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
return -XFS_ERROR(EFAULT);
return 0;
}
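
Review bot: `copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t))` is only correct while xfs_fsop_geom_v1_t remains a leading prefix of xfs_fsop_geom_t, and the new comment states that without anything enforcing it. A BUILD_BUG_ON() comparing the two sizes (and, if the layouts are meant to match field by field, the offsetof() of the last v1 member) would turn a future layout change into a build failure rather than a wrong or over-long copy to user space.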

2011-04-26 21:14:45

by Andi Kleen

Subject: [PATCH] [58/106] tioca: Fix assignment from incompatible pointer warnings

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jeff Mahoney <[email protected]>

commit b4a6b3436531f6c5256e6d60d388c3c28ff1a0e9 upstream.

The prototype for sn_pci_provider->{dma_map,dma_map_consistent} expects
an unsigned long instead of a u64.

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Tony Luck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
arch/ia64/sn/pci/tioca_provider.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/arch/ia64/sn/pci/tioca_provider.c
===================================================================
--- linux-2.6.35.y.orig/arch/ia64/sn/pci/tioca_provider.c
+++ linux-2.6.35.y/arch/ia64/sn/pci/tioca_provider.c
@@ -509,7 +509,7 @@ tioca_dma_unmap(struct pci_dev *pdev, dm
* use the GART mapped mode.
*/
static u64
-tioca_dma_map(struct pci_dev *pdev, u64 paddr, size_t byte_count, int dma_flags)
+tioca_dma_map(struct pci_dev *pdev, unsigned long paddr, size_t byte_count, int dma_flags)
{
u64 mapaddr;
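
Review bot: the changelog says both `dma_map` and `dma_map_consistent` expect an unsigned long, but only tioca_dma_map() changes in this hunk; please say whether the second callback points at this same function or needs its own fix. The new prototype line is also well over 80 columns and could be wrapped after `paddr,`.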

2011-04-26 21:15:03

by Andi Kleen

Subject: [PATCH] [71/106] USB: option: Added support for Samsung GT-B3730/GT-B3710 LTE USB modem.

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Marius B. Kotsbak <[email protected]>

commit 80f9df3e0093ad9f1eeefd2ff7fd27daaa518d25 upstream.

Bind only modem AT command endpoint to option.

Signed-off-by: Marius B. Kotsbak <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/serial/option.c | 5 +++++
1 file changed, 5 insertions(+)

Index: linux-2.6.35.y/drivers/usb/serial/option.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/option.c
+++ linux-2.6.35.y/drivers/usb/serial/option.c
@@ -387,6 +387,10 @@ static void option_instat_callback(struc
/* ONDA MT825UP HSDPA 14.2 modem */
#define ONDA_MT825UP 0x000b

+/* Samsung products */
+#define SAMSUNG_VENDOR_ID 0x04e8
+#define SAMSUNG_PRODUCT_GT_B3730 0x6889
+
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
OPTION_BLACKLIST_NONE = 0,
@@ -941,6 +945,7 @@ static const struct usb_device_id option
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100) },
{ USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
{ USB_DEVICE(ONDA_VENDOR_ID, ONDA_MT825UP) }, /* ONDA MT825UP modem */
+ { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730/GT-B3710 LTE USB modem.*/
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);

2011-04-26 21:15:20

by Andi Kleen

Subject: [PATCH] [98/106] Revert "intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang"

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
This reverts commit 05f7676dc3559c2b9061fda4e44c085a8d32fb05.

To quote Len Brown:
intel_idle was deemed a "feature", and thus not included in
2.6.33.stable, and thus 2.6.33.stable does not need this patch.
so I'm removing it.

Cc: Len Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/pci/quirks.c | 20 --------------------
1 file changed, 20 deletions(-)

Index: linux-2.6.35.y/drivers/pci/quirks.c
===================================================================
--- linux-2.6.35.y.orig/drivers/pci/quirks.c
+++ linux-2.6.35.y/drivers/pci/quirks.c
@@ -150,26 +150,6 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NE
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC, PCI_DEVICE_ID_NEC_CBUS_3, quirk_isa_dma_hangs);

/*
- * Intel NM10 "TigerPoint" LPC PM1a_STS.BM_STS must be clear
- * for some HT machines to use C4 w/o hanging.
- */
-static void __devinit quirk_tigerpoint_bm_sts(struct pci_dev *dev)
-{
- u32 pmbase;
- u16 pm1a;
-
- pci_read_config_dword(dev, 0x40, &pmbase);
- pmbase = pmbase & 0xff80;
- pm1a = inw(pmbase);
-
- if (pm1a & 0x10) {
- dev_info(&dev->dev, FW_BUG "TigerPoint LPC.BM_STS cleared\n");
- outw(0x10, pmbase);
- }
-}
-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGP_LPC, quirk_tigerpoint_bm_sts);
-
-/*
* Chipsets where PCI->PCI transfers vanish or hang
*/
static void __devinit quirk_nopcipci(struct pci_dev *dev)
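
Review bot: the justification quoted in the changelog is about 2.6.33.stable, while this removal of quirk_tigerpoint_bm_sts() and its DECLARE_PCI_FIXUP_HEADER line is queued for 2.6.35.y. The changelog should state whether intel_idle is present in this tree; if it is, dropping the quirk brings back the boot hang named in the subject of the reverted commit.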

2011-04-26 21:15:16

by Andi Kleen

Subject: [PATCH] [99/106] ALSA: hda - VIA: Add missing support for VT1718S in A-A path

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Lydia Wang <[email protected]>

commit ab657e0cacc39d88145871c6a3c844597c02d406 upstream.

Modify mute_aa_path() function to support VT1718S codec.

Signed-off-by: Lydia Wang <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
sound/pci/hda/patch_via.c | 5 +++++
1 file changed, 5 insertions(+)

Index: linux-2.6.35.y/sound/pci/hda/patch_via.c
===================================================================
--- linux-2.6.35.y.orig/sound/pci/hda/patch_via.c
+++ linux-2.6.35.y/sound/pci/hda/patch_via.c
@@ -1300,6 +1300,11 @@ static void mute_aa_path(struct hda_code
start_idx = 2;
end_idx = 4;
break;
+ case VT1718S:
+ nid_mixer = 0x21;
+ start_idx = 1;
+ end_idx = 3;
+ break;
default:
return;
}

2011-04-26 21:14:39

by Andi Kleen

Subject: [PATCH] [53/106] cifs: always do is_path_accessible check in cifs_mount

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jeff Layton <[email protected]>

commit 70945643722ffeac779d2529a348f99567fa5c33 upstream.

Currently, we skip doing the is_path_accessible check in cifs_mount if
there is no prefixpath. I have a report of at least one server however
that allows a TREE_CONNECT to a share that has a DFS referral at its
root. The reporter in this case was using a UNC that had no prefixpath,
so the is_path_accessible check was not triggered and the box later hit
a BUG() because we were chasing a DFS referral on the root dentry for
the mount.

This patch fixes this by removing the check for a zero-length
prefixpath. That should make the is_path_accessible check be done in
this situation and should allow the client to chase the DFS referral at
mount time instead.

Reported-and-Tested-by: Yogesh Sharma <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/cifs/connect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/fs/cifs/connect.c
===================================================================
--- linux-2.6.35.y.orig/fs/cifs/connect.c
+++ linux-2.6.35.y/fs/cifs/connect.c
@@ -2606,7 +2606,7 @@ try_mount_again:

remote_path_check:
/* check if a whole path (including prepath) is not remote */
- if (!rc && cifs_sb->prepathlen && tcon) {
+ if (!rc && tcon) {
/* build_path_to_root works only when we have a valid tcon */
full_path = cifs_build_path_to_root(cifs_sb);
if (full_path == NULL) {
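
Review bot: dropping `cifs_sb->prepathlen` from the condition means cifs_build_path_to_root() now runs for mounts with an empty prefix path, a case the old test never let through. Please confirm that it returns a usable path for a zero-length prepath, and update the comment above the test, which still reads "including prepath" as if one were always present.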

2011-04-26 21:15:26

by Andi Kleen

Subject: [PATCH] [105/106] From: 2.6.35.y: Revert "SH: Add missing consts to sys_execve() declaration"

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
Date: Thu, 14 Apr 2011 16:11:35 +0100
Subject: 2.6.35.y: Revert "SH: Add missing consts to sys_execve() declaration"

This reverts commit 1219932ca26da2026e598590a3b7a2f36b3c3621
(commit d8b5fc01683c66060edc202d6bb5635365822181 upstream).

The reverted commit depends on an upstream commit that has not
been applied to 2.6.35.y (d7627467b7a8dd6944885290a03a07ceb28c10eb).

This fixes a build failure on all SH devices:

/arch/sh/kernel/process_32.c:299: error: conflicting types for 'sys_execve'
/arch/sh/include/asm/syscalls_32.h:22: note: previous declaration of 'sys_execve' was here

Signed-off-by: Phil Edworthy <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
arch/sh/include/asm/syscalls_32.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/arch/sh/include/asm/syscalls_32.h
===================================================================
--- linux-2.6.35.y.orig/arch/sh/include/asm/syscalls_32.h
+++ linux-2.6.35.y/arch/sh/include/asm/syscalls_32.h
@@ -19,8 +19,8 @@ asmlinkage int sys_clone(unsigned long c
asmlinkage int sys_vfork(unsigned long r4, unsigned long r5,
unsigned long r6, unsigned long r7,
struct pt_regs __regs);
-asmlinkage int sys_execve(char __user *ufilename, const char __user * __user *uargv,
- const char __user * __user *uenvp, unsigned long r7,
+asmlinkage int sys_execve(char __user *ufilename, char __user * __user *uargv,
+ char __user * __user *uenvp, unsigned long r7,
struct pt_regs __regs);
asmlinkage int sys_sigsuspend(old_sigset_t mask, unsigned long r5,
unsigned long r6, unsigned long r7,

2011-04-26 21:15:35

by Andi Kleen

Subject: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Fry, Donald H <[email protected]>

commit 41504cce240f791f1e16561db95728c5537fbad9 upstream.

New iwlwifi-5000 microcode requires driver support for API version 5.

Signed-off-by: Don Fry <[email protected]>
Signed-off-by: Wey-Yi Guy <[email protected]>
Signed-off-by: Stanislaw Gruszka <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/net/wireless/iwlwifi/iwl-5000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/net/wireless/iwlwifi/iwl-5000.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/iwlwifi/iwl-5000.c
+++ linux-2.6.35.y/drivers/net/wireless/iwlwifi/iwl-5000.c
@@ -51,7 +51,7 @@
#include "iwl-agn-debugfs.h"

/* Highest firmware API version supported */
-#define IWL5000_UCODE_API_MAX 2
+#define IWL5000_UCODE_API_MAX 5
#define IWL5150_UCODE_API_MAX 2

/* Lowest firmware API version supported */
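
Review bot: raising IWL5000_UCODE_API_MAX from 2 to 5 is the only change, so the driver will now accept API versions 3, 4 and 5 with no visible handling for whatever differs between them. The changelog should say why no other code is needed, and why IWL5150_UCODE_API_MAX on the next line stays at 2.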

2011-04-26 21:14:32

by Andi Kleen

Subject: [PATCH] [46/106] nfsd: fix auth_domain reference leak on nlm operations

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: J. Bruce Fields <[email protected]>

commit 954032d2527f2fce7355ba70709b5e143d6b686f upstream.

This was noticed by users who performed more than 2^32 lock operations
and hence made this counter overflow (eventually leading to
use-after-free's). Setting rq_client to NULL here means that it won't
later get auth_domain_put() when it should be.

Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
domain lookup into svcauth" which moved most of the rq_client handling
to common svcauth code, but left behind this one line.

Cc: Neil Brown <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/nfsd/lockd.c | 1 -
1 file changed, 1 deletion(-)

Index: linux-2.6.35.y/fs/nfsd/lockd.c
===================================================================
--- linux-2.6.35.y.orig/fs/nfsd/lockd.c
+++ linux-2.6.35.y/fs/nfsd/lockd.c
@@ -38,7 +38,6 @@ nlm_fopen(struct svc_rqst *rqstp, struct
exp_readlock();
nfserr = nfsd_open(rqstp, &fh, S_IFREG, NFSD_MAY_LOCK, filp);
fh_put(&fh);
- rqstp->rq_client = NULL;
exp_readunlock();
/* We return nlm error codes as nlm doesn't know
* about nfsd, but nfsd does know about nlm..

2011-04-26 21:17:17

by Andi Kleen

Subject: [PATCH] [106/106] Release 2.6.35.13

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------

From: Andi Kleen <[email protected]>

Release 2.6.35.13
Signed-off-by: Andi Kleen <[email protected]>

Index: linux-2.6.35.y/Makefile
===================================================================
--- linux-2.6.35.y.orig/Makefile
+++ linux-2.6.35.y/Makefile
@@ -1,7 +1,7 @@
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 35
-EXTRAVERSION = .12
+EXTRAVERSION = .13
NAME = Yokohama

# *DOCUMENTATION*

2011-04-26 21:15:23

by Andi Kleen

Subject: [PATCH] [100/106] ALSA: hda - VIA: Fix stereo mixer recording no sound issue

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Lydia Wang <[email protected]>

commit bff5fbf50bd498c217994bd2d41a53ac3141185a upstream.

Modify function via_mux_enum_put() to fix stereo mixer recording
no sound issue.

Signed-off-by: Lydia Wang <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
sound/pci/hda/patch_via.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/sound/pci/hda/patch_via.c
===================================================================
--- linux-2.6.35.y.orig/sound/pci/hda/patch_via.c
+++ linux-2.6.35.y/sound/pci/hda/patch_via.c
@@ -1091,6 +1091,7 @@ static int via_mux_enum_put(struct snd_k
struct hda_codec *codec = snd_kcontrol_chip(kcontrol);
struct via_spec *spec = codec->spec;
unsigned int adc_idx = snd_ctl_get_ioffidx(kcontrol, &ucontrol->id);
+ int ret;

if (!spec->mux_nids[adc_idx])
return -EINVAL;
@@ -1099,12 +1100,14 @@ static int via_mux_enum_put(struct snd_k
AC_VERB_GET_POWER_STATE, 0x00) != AC_PWRST_D0)
snd_hda_codec_write(codec, spec->mux_nids[adc_idx], 0,
AC_VERB_SET_POWER_STATE, AC_PWRST_D0);
- /* update jack power state */
- set_jack_power_state(codec);

- return snd_hda_input_mux_put(codec, spec->input_mux, ucontrol,
+ ret = snd_hda_input_mux_put(codec, spec->input_mux, ucontrol,
spec->mux_nids[adc_idx],
&spec->cur_mux[adc_idx]);
+ /* update jack power state */
+ set_jack_power_state(codec);
+
+ return ret;
}

static int via_independent_hp_info(struct snd_kcontrol *kcontrol,
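
Review bot: in the second hunk set_jack_power_state(codec) now runs whatever snd_hda_input_mux_put() returned, so it also runs when ret is a negative error. If the power update is only meaningful after a successful mux change, guard it with "if (ret >= 0)"; otherwise say so in the comment. The moved comment still reads only "update jack power state" and the changelog says only that the function was modified, so neither records that the ordering is the fix. A line stating that the jack power state must be recomputed after the mux selection changes would keep the call from being moved back.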

2011-04-26 21:17:36

by Andi Kleen

Subject: [PATCH] [103/106] From: USB: Fix unplug of device with active streams

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
Date: Tue, 28 Sep 2010 00:57:32 -0400
Subject: USB: Fix unplug of device with active streams

upstream commit: b214f191d95ba4b5a35aebd69cd129cf7e3b1884

If I unplug a device while the UAS driver is loaded, I get an oops
in usb_free_streams(). This is because usb_unbind_interface() calls
usb_disable_interface() which calls usb_disable_endpoint() which sets
ep_out and ep_in to NULL. Then the UAS driver calls usb_pipe_endpoint()
which returns a NULL pointer and passes an array of NULL pointers to
usb_free_streams().

I think the correct fix for this is to check for the NULL pointer
in usb_free_streams() rather than making the driver check for this
situation. My original patch for this checked for dev->state ==
USB_STATE_NOTATTACHED, but the call to usb_disable_interface() is
conditional, so not all drivers would want this check.

Note from Sarah Sharp: This patch does avoid a potential dereference,
but the real fix (which will be implemented later) is to set the
.soft_unbind flag in the usb_driver structure for the UAS driver, and
all drivers that allocate streams. The driver should free any streams
when it is unbound from the interface. This avoids leaking stream rings
in the xHCI driver when usb_disable_interface() is called.

This should be queued for stable trees back to 2.6.35.

Signed-off-by: Matthew Wilcox <[email protected]>
Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: [email protected]
---
drivers/usb/core/hcd.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

Index: linux-2.6.35.y/drivers/usb/core/hcd.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/core/hcd.c
+++ linux-2.6.35.y/drivers/usb/core/hcd.c
@@ -1874,7 +1874,7 @@ void usb_free_streams(struct usb_interfa

/* Streams only apply to bulk endpoints. */
for (i = 0; i < num_eps; i++)
- if (!usb_endpoint_xfer_bulk(&eps[i]->desc))
+ if (!eps[i] || !usb_endpoint_xfer_bulk(&eps[i]->desc))
return;

hcd->driver->free_streams(hcd, dev, eps, num_eps, mem_flags);
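
Review bot: the new "!eps[i]" test makes usb_free_streams() return silently as soon as any entry is NULL, so hcd->driver->free_streams() is skipped for the whole array, which is the situation the note from Sarah Sharp in the changelog ties to stream rings leaking in the xHCI driver. The comment above the loop still says only "Streams only apply to bulk endpoints"; extend it to cover the NULL case that follows usb_disable_interface(), and consider a dev_dbg() on that path so a skipped free is visible when debugging.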

2011-04-26 21:17:34

by Andi Kleen

Subject: [PATCH] [104/106] From: USB: xhci - also free streams when resetting devices

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
Date: Tue, 12 Apr 2011 23:06:28 -0700
Subject: [PATCH] USB: xhci - also free streams when resetting devices

upstream commit: 2dea75d96ade3c7cd2bfe73f99c7b3291dc3d03a

Currently, when resetting a device, xHCI driver disables all but one
endpoint and frees their rings, but leaves alone any streams that
might have been allocated. Later, when users try to free allocated
streams, we oops in xhci_setup_no_streams_ep_input_ctx() because
ep->ring is NULL.

Let's free not only rings but also stream data as well, so that
calling free_streams() on a device that was reset will be safe.

This should be queued for stable trees back to 2.6.35.

Reviewed-by: Micah Elizabeth Scott <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: [email protected]
---
drivers/usb/host/xhci.c | 16 ++++++++++++----
1 files changed, 12 insertions(+), 4 deletions(-)

Index: linux-2.6.35.y/drivers/usb/host/xhci.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/host/xhci.c
+++ linux-2.6.35.y/drivers/usb/host/xhci.c
@@ -2010,10 +2010,18 @@ int xhci_reset_device(struct usb_hcd *hc
/* Everything but endpoint 0 is disabled, so free or cache the rings. */
last_freed_endpoint = 1;
for (i = 1; i < 31; ++i) {
- if (!virt_dev->eps[i].ring)
- continue;
- xhci_free_or_cache_endpoint_ring(xhci, virt_dev, i);
- last_freed_endpoint = i;
+ struct xhci_virt_ep *ep = &virt_dev->eps[i];
+
+ if (ep->ep_state & EP_HAS_STREAMS) {
+ xhci_free_stream_info(xhci, ep->stream_info);
+ ep->stream_info = NULL;
+ ep->ep_state &= ~EP_HAS_STREAMS;
+ }
+
+ if (ep->ring) {
+ xhci_free_or_cache_endpoint_ring(xhci, virt_dev, i);
+ last_freed_endpoint = i;
+ }
}
xhci_dbg(xhci, "Output context after successful reset device cmd:\n");
xhci_dbg_ctx(xhci, virt_dev->out_ctx, last_freed_endpoint);
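
Review bot: the new block passes ep->stream_info to xhci_free_stream_info() on the strength of EP_HAS_STREAMS alone, so it depends on the flag never being set while stream_info is NULL; if that invariant is not guaranteed on every path, test the pointer as well. last_freed_endpoint is still updated only in the ep->ring branch, so an endpoint that had streams but no ring does not move it; a one-line comment saying that is intended would help, as would a named constant for the bare 31 in the loop bound.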

2011-04-26 21:18:01

by Andi Kleen

Subject: [PATCH] [102/106] From: intel-iommu: Fix use after release during device attach

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
Date: Tue, 2 Nov 2010 08:05:51 +0100
Subject: [PATCH] intel-iommu: Fix use after release during device attach

Obtain the new pgd pointer before releasing the page containing this
value.

Cc: [email protected]
Signed-off-by: Jan Kiszka <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Reviewed-by: Sheng Yang <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
---
drivers/pci/intel-iommu.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

Index: linux-2.6.35.y/drivers/pci/intel-iommu.c
===================================================================
--- linux-2.6.35.y.orig/drivers/pci/intel-iommu.c
+++ linux-2.6.35.y/drivers/pci/intel-iommu.c
@@ -3638,9 +3638,9 @@ static int intel_iommu_attach_device(str

pte = dmar_domain->pgd;
if (dma_pte_present(pte)) {
- free_pgtable_page(dmar_domain->pgd);
dmar_domain->pgd = (struct dma_pte *)
phys_to_virt(dma_pte_addr(pte));
+ free_pgtable_page(pte);
}
dmar_domain->agaw--;
}
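
Review bot: free_pgtable_page(pte) is correct only because pte still holds the old dmar_domain->pgd value read before the if, and nothing in the code says so; the pre-patch order (free first, then dma_pte_addr(pte) on the freed page) looks just as natural to someone tidying this up later. Add a short comment that the next-level address must be read before the page is freed. The changelog also carries no upstream commit id, unlike the other backports posted in this series.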

2011-04-26 21:18:05

by Andi Kleen

Subject: [PATCH] [101/106] From: iwlwifi: fix skb usage after free

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
Date: Wed, 20 Apr 2011 15:57:14 +0200
Subject: iwlwifi: fix skb usage after free

[AK: Did some changes for the backport to .35. Stanislaw, please verify
them]

Since

commit a120e912eb51e347f36c71b60a1d13af74d30e83
Author: Stanislaw Gruszka <[email protected]>
Date: Fri Feb 19 15:47:33 2010 -0800

iwlwifi: sanity check before counting number of tfds can be free

we use skb->data after calling ieee80211_tx_status_irqsafe(), which
could free skb instantly.

On current kernels I do not observe practical problems related to the
bug, but on 2.6.35.y it causes random system hangs when stressing the
wireless link.

Cc: [email protected] # 2.6.32+
Signed-off-by: Stanislaw Gruszka <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/net/wireless/iwlwifi/iwl-agn-tx.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
+++ linux-2.6.35.y/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
@@ -1141,11 +1141,14 @@ int iwlagn_tx_queue_reclaim(struct iwl_p
q->read_ptr = iwl_queue_inc_wrap(q->read_ptr, q->n_bd)) {

tx_info = &txq->txb[txq->q.read_ptr];
- iwlagn_tx_status(priv, tx_info->skb[0]);
+
+ if (WARN_ON_ONCE(tx_info->skb[0] == NULL))
+ continue;

hdr = (struct ieee80211_hdr *)tx_info->skb[0]->data;
- if (hdr && ieee80211_is_data_qos(hdr->frame_control))
+ if (ieee80211_is_data_qos(hdr->frame_control))
nfreed++;
+ iwlagn_tx_status(priv, tx_info->skb[0]);
tx_info->skb[0] = NULL;

if (priv->cfg->ops->lib->txq_inval_byte_cnt_tbl)
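
Review bot: the "continue" under WARN_ON_ONCE(tx_info->skb[0] == NULL) skips everything below it in the loop body, including the txq_inval_byte_cnt_tbl call that starts on the last context line, so for an entry with no skb the per-entry cleanup is not done while q->read_ptr still advances. If that cleanup does not need the skb, skip only the header inspection and the iwlagn_tx_status() call instead. The [AK] note says the backport was changed for .35; the changelog should list those changes so they can be checked against the upstream commit.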

2011-04-26 21:15:09

by Andi Kleen

Subject: [PATCH] [88/106] drm/radeon/kms: fix bad shift in atom iio table parser

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Alex Deucher <[email protected]>

commit 8e461123f28e6b17456225e70eb834b3b30d28bb upstream.

Noticed by Patrick Lowry.

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/gpu/drm/radeon/atom.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/drivers/gpu/drm/radeon/atom.c
===================================================================
--- linux-2.6.35.y.orig/drivers/gpu/drm/radeon/atom.c
+++ linux-2.6.35.y/drivers/gpu/drm/radeon/atom.c
@@ -131,7 +131,7 @@ static uint32_t atom_iio_execute(struct
case ATOM_IIO_MOVE_INDEX:
temp &=
~((0xFFFFFFFF >> (32 - CU8(base + 1))) <<
- CU8(base + 2));
+ CU8(base + 3));
temp |=
((index >> CU8(base + 2)) &
(0xFFFFFFFF >> (32 - CU8(base + 1)))) << CU8(base +
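
Review bot: the clear mask is now shifted by CU8(base + 3) while the value being inserted is still taken from "index >> CU8(base + 2)", but the context is cut at "<< CU8(base +", so the shift applied to the inserted value is not visible in this hunk. It has to be the same byte as the mask shift, or the cleared field and the written field will not line up; please confirm that against the full source. The changelog says only "Noticed by Patrick Lowry"; one sentence on what each of the three operand bytes means would make the fix reviewable.
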
@@ -141,7 +141,7 @@ static uint32_t atom_iio_execute(struct
case ATOM_IIO_MOVE_DATA:
temp &=
~((0xFFFFFFFF >> (32 - CU8(base + 1))) <<
- CU8(base + 2));
+ CU8(base + 3));
temp |=
((data >> CU8(base + 2)) &
(0xFFFFFFFF >> (32 - CU8(base + 1)))) << CU8(base +
@@ -151,7 +151,7 @@ static uint32_t atom_iio_execute(struct
case ATOM_IIO_MOVE_ATTR:
temp &=
~((0xFFFFFFFF >> (32 - CU8(base + 1))) <<
- CU8(base + 2));
+ CU8(base + 3));
temp |=
((ctx->
io_attr >> CU8(base + 2)) & (0xFFFFFFFF >> (32 -
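
Review bot: in all three cases the mask is built as "0xFFFFFFFF >> (32 - CU8(base + 1))", which shifts a 32-bit value by 32 when the byte at base + 1 is 0, and a shift by the full width is undefined in C. The patch does not change this, but since these expressions are being corrected anyway it is worth either rejecting a zero in that byte or building the mask so that zero yields an empty mask.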

2011-04-26 21:18:39

by Andi Kleen

Subject: [PATCH] [97/106] uvcvideo: Fix descriptor parsing for video output devices

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Laurent Pinchart <[email protected]>

commit 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d upstream.

Commit 4057ac6ca9a77c4275b34b5925ab5c99557913b1

V4L/DVB (13505): uvcvideo: Refactor chain scan

broke output terminals parsing. Fix it.

Signed-off-by: Laurent Pinchart <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/media/video/uvc/uvc_driver.c | 8 ++++++++
1 file changed, 8 insertions(+)

Index: linux-2.6.35.y/drivers/media/video/uvc/uvc_driver.c
===================================================================
--- linux-2.6.35.y.orig/drivers/media/video/uvc/uvc_driver.c
+++ linux-2.6.35.y/drivers/media/video/uvc/uvc_driver.c
@@ -1261,6 +1261,14 @@ static int uvc_scan_chain_entity(struct

break;

+ case UVC_OTT_VENDOR_SPECIFIC:
+ case UVC_OTT_DISPLAY:
+ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT:
+ if (uvc_trace_param & UVC_TRACE_PROBE)
+ printk(" OT %d", entity->id);
+
+ break;
+
case UVC_TT_STREAMING:
if (UVC_ENTITY_IS_ITERM(entity)) {
if (uvc_trace_param & UVC_TRACE_PROBE)
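
Review bot: the three new output-terminal cases accept the entity with no further check and only emit a trace, whereas the UVC_TT_STREAMING case just below branches on UVC_ENTITY_IS_ITERM(entity). If an output terminal is only valid at a particular position in the chain, enforce that here rather than leaving it to the caller. The changelog's "broke output terminals parsing. Fix it." does not say what the failure looked like, and the added printk(" OT %d") carries no log level.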

2011-04-26 21:18:51

by Andi Kleen

Subject: [PATCH] [95/106] dasd: correct device table

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Stefan Haberland <[email protected]>

commit 5da24b7627ff821e154a3aaecd5d60e1d8e228a5 upstream.

The 3880 storage control unit supports a 3380 device
type, but not a 3390 device type.

Reported-by: Stephen Powell <[email protected]>
Signed-off-by: Stefan Haberland <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Stephen Powell <[email protected]>
Cc: Jonathan Nieder <[email protected]>
Cc: Bastian Blank <[email protected]>

---
drivers/s390/block/dasd_eckd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/s390/block/dasd_eckd.c
===================================================================
--- linux-2.6.35.y.orig/drivers/s390/block/dasd_eckd.c
+++ linux-2.6.35.y/drivers/s390/block/dasd_eckd.c
@@ -63,7 +63,7 @@ static struct dasd_discipline dasd_eckd_
static struct ccw_device_id dasd_eckd_ids[] = {
{ CCW_DEVICE_DEVTYPE (0x3990, 0, 0x3390, 0), .driver_info = 0x1},
{ CCW_DEVICE_DEVTYPE (0x2105, 0, 0x3390, 0), .driver_info = 0x2},
- { CCW_DEVICE_DEVTYPE (0x3880, 0, 0x3390, 0), .driver_info = 0x3},
+ { CCW_DEVICE_DEVTYPE (0x3880, 0, 0x3380, 0), .driver_info = 0x3},
{ CCW_DEVICE_DEVTYPE (0x3990, 0, 0x3380, 0), .driver_info = 0x4},
{ CCW_DEVICE_DEVTYPE (0x2105, 0, 0x3380, 0), .driver_info = 0x5},
{ CCW_DEVICE_DEVTYPE (0x9343, 0, 0x9345, 0), .driver_info = 0x6},

2011-04-26 21:19:14

by Andi Kleen

Subject: [PATCH] [92/106] kconfig: Avoid buffer underrun in choice input

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Ben Hutchings <[email protected]>

commit 3ba41621156681afcdbcd624e3191cbc65eb94f4 upstream.

Commit 40aee729b350 ('kconfig: fix default value for choice input')
fixed some cases where kconfig would select the wrong option from a
choice with a single valid option and thus enter an infinite loop.

However, this broke the test for user input of the form 'N?', because
when kconfig selects the single valid option the input is zero-length
and the test will read the byte before the input buffer. If this
happens to contain '?' (as it will in a mips build on Debian unstable
today) then kconfig again enters an infinite loop.

Signed-off-by: Ben Hutchings <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
scripts/kconfig/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/scripts/kconfig/conf.c
===================================================================
--- linux-2.6.35.y.orig/scripts/kconfig/conf.c
+++ linux-2.6.35.y/scripts/kconfig/conf.c
@@ -330,7 +330,7 @@ static int conf_choice(struct menu *menu
}
if (!child)
continue;
- if (line[strlen(line) - 1] == '?') {
+ if (line[0] && line[strlen(line) - 1] == '?') {
print_help(child);
continue;
}
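
Review bot: in the changed condition the lower bound on the index is implied by "line[0] &&" rather than stated, and strlen(line) is still evaluated inline. Taking "size_t len = strlen(line);" once and testing "len && line[len - 1] == '?'" says directly that the index cannot go below zero and is harder to break the next time this test is edited. The guard as posted does close the read of the byte before the buffer for the empty-input case the changelog describes.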

2011-04-26 21:19:11

by Andi Kleen

Subject: [PATCH] [93/106] UBIFS: fix master node recovery

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Artem Bityutskiy <[email protected]>

commit 6e0d9fd38b750d678bf9fd07db23582f52fafa55 upstream.

This patch fixes the following symptoms:
1. Unmount UBIFS cleanly.
2. Start mounting UBIFS R/W and have a power cut immediately
3. Start mounting UBIFS R/O, this succeeds
4. Try to re-mount UBIFS R/W - this fails immediately or later on,
because UBIFS will write the master node to the flash area
which has been written before.

The analysis of the problem:

1. UBIFS is unmounted cleanly, both copies of the master node are clean.
2. UBIFS is being mounted R/W, starts changing master node copy 1, and
a power cut happens. The copy N1 becomes corrupted.
3. UBIFS is being mounted R/O. It notices the copy N1 is corrupted and
reads copy N2. Copy N2 is clean.
4. Because of R/O mode, UBIFS cannot recover copy 1.
5. The mount code (ubifs_mount()) sees that the master node is clean,
so it decides that no recovery is needed.
6. We are re-mounting R/W. UBIFS believes no recovery is needed and
starts updating the master node, but copy N1 is still corrupted
and was not recovered!

Fix this problem by marking the master node as dirty every time we
recover it and we are in R/O mode. This forces further recovery, and
UBIFS cleans up the corruptions and recovers the copy N1 when
re-mounting R/W later.

Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ubifs/recovery.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)

Index: linux-2.6.35.y/fs/ubifs/recovery.c
===================================================================
--- linux-2.6.35.y.orig/fs/ubifs/recovery.c
+++ linux-2.6.35.y/fs/ubifs/recovery.c
@@ -300,6 +300,32 @@ int ubifs_recover_master_node(struct ubi
goto out_free;
}
memcpy(c->rcvrd_mst_node, c->mst_node, UBIFS_MST_NODE_SZ);
+
+ /*
+ * We had to recover the master node, which means there was an
+ * unclean reboot. However, it is possible that the master node
+ * is clean at this point, i.e., %UBIFS_MST_DIRTY is not set.
+ * E.g., consider the following chain of events:
+ *
+ * 1. UBIFS was cleanly unmounted, so the master node is clean
+ * 2. UBIFS is being mounted R/W and starts changing the master
+ * node in the first (%UBIFS_MST_LNUM). A power cut happens,
+ * so this LEB ends up with some amount of garbage at the
+ * end.
+ * 3. UBIFS is being mounted R/O. We reach this place and
+ * recover the master node from the second LEB
+ * (%UBIFS_MST_LNUM + 1). But we cannot update the media
+ * because we are being mounted R/O. We have to defer the
+ * operation.
+ * 4. However, this master node (@c->mst_node) is marked as
+ * clean (since the step 1). And if we just return, the
+ * mount code will be confused and won't recover the master
+ * node when it is re-mounter R/W later.
+ *
+ * Thus, to force the recovery by marking the master node as
+ * dirty.
+ */
+ c->mst_node->flags |= cpu_to_le32(UBIFS_MST_DIRTY);
} else {
/* Write the recovered master node */
c->max_sqnum = le64_to_cpu(mst->ch.sqnum) - 1;
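
Review bot: UBIFS_MST_DIRTY is set on c->mst_node after the memcpy() into c->rcvrd_mst_node just above the new comment, so the saved recovered copy stays marked clean. If the deferred write on R/W remount uses rcvrd_mst_node, say in the comment that the difference is intended, or set the flag before the copy. The comment itself has two slips worth fixing before it is carried into longterm: "re-mounter" and the fragment "Thus, to force the recovery by marking the master node as dirty."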

2011-04-26 21:19:09

by Andi Kleen

Subject: [PATCH] [94/106] Remove extra struct page member from the buffer info structure

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Greg Rose <[email protected]>

commit b1d670f10e8078485884f0cf7e384d890909aeaa upstream.

declaration.

Reported-by: Andi Kleen <[email protected]>
Signed-off-by: Greg Rose <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Tested-by: Emil Tantilov <[email protected]>
Signed-off-by: Jeff Kirsher <[email protected]>
Cc: Andreas Radke <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/igbvf/igbvf.h | 1 -
1 file changed, 1 deletion(-)

Index: linux-2.6.35.y/drivers/net/igbvf/igbvf.h
===================================================================
--- linux-2.6.35.y.orig/drivers/net/igbvf/igbvf.h
+++ linux-2.6.35.y/drivers/net/igbvf/igbvf.h
@@ -126,7 +126,6 @@ struct igbvf_buffer {
unsigned int page_offset;
};
};
- struct page *page;
};

union igbvf_desc {

2011-04-26 21:20:17

by Andi Kleen

Subject: [PATCH] [91/106] ASoC: Fix output PGA enabling in wm_hubs CODECs

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Mark Brown <[email protected]>

commit 39cca168bdfaef9d0c496ec27f292445d6184946 upstream.

The output PGA was not being powered up in headphone and speaker paths,
removing the ability to offer volume control and mute with the output
PGA.

Signed-off-by: Mark Brown <[email protected]>
Acked-by: Liam Girdwood <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
sound/soc/codecs/wm_hubs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

Index: linux-2.6.35.y/sound/soc/codecs/wm_hubs.c
===================================================================
--- linux-2.6.35.y.orig/sound/soc/codecs/wm_hubs.c
+++ linux-2.6.35.y/sound/soc/codecs/wm_hubs.c
@@ -705,12 +705,12 @@ static const struct snd_soc_dapm_route a

{ "SPKL", "Input Switch", "MIXINL" },
{ "SPKL", "IN1LP Switch", "IN1LP" },
- { "SPKL", "Output Switch", "Left Output Mixer" },
+ { "SPKL", "Output Switch", "Left Output PGA" },
{ "SPKL", NULL, "TOCLK" },

{ "SPKR", "Input Switch", "MIXINR" },
{ "SPKR", "IN1RP Switch", "IN1RP" },
- { "SPKR", "Output Switch", "Right Output Mixer" },
+ { "SPKR", "Output Switch", "Right Output PGA" },
{ "SPKR", NULL, "TOCLK" },

{ "SPKL Boost", "Direct Voice Switch", "Direct Voice" },
@@ -732,8 +732,8 @@ static const struct snd_soc_dapm_route a
{ "SPKOUTRP", NULL, "SPKR Driver" },
{ "SPKOUTRN", NULL, "SPKR Driver" },

- { "Left Headphone Mux", "Mixer", "Left Output Mixer" },
- { "Right Headphone Mux", "Mixer", "Right Output Mixer" },
+ { "Left Headphone Mux", "Mixer", "Left Output PGA" },
+ { "Right Headphone Mux", "Mixer", "Right Output PGA" },

{ "Headphone PGA", NULL, "Left Headphone Mux" },
{ "Headphone PGA", NULL, "Right Headphone Mux" },

2011-04-26 21:20:39

by Andi Kleen

Subject: [PATCH] [90/106] serial/imx: read cts state only after acking cts change irq

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Uwe Kleine-König <[email protected]>

commit 5680e94148a86e8c31fdc5cb0ea0d5c6810c05b0 upstream.

If cts changes between reading the level at the cts input (USR1_RTSS)
and acking the irq (USR1_RTSD) the last edge doesn't generate an irq and
uart_handle_cts_change is called with an outdated value for cts.

The race was introduced by commit

ceca629 ([ARM] 2971/1: i.MX uart handle rts irq)

Reported-by: Arwed Springer <[email protected]>
Tested-by: Arwed Springer <[email protected]>
Signed-off-by: Uwe Kleine-König <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/serial/imx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/serial/imx.c
===================================================================
--- linux-2.6.35.y.orig/drivers/serial/imx.c
+++ linux-2.6.35.y/drivers/serial/imx.c
@@ -383,12 +383,13 @@ static void imx_start_tx(struct uart_por
static irqreturn_t imx_rtsint(int irq, void *dev_id)
{
struct imx_port *sport = dev_id;
- unsigned int val = readl(sport->port.membase + USR1) & USR1_RTSS;
+ unsigned int val;
unsigned long flags;

spin_lock_irqsave(&sport->port.lock, flags);

writel(USR1_RTSD, sport->port.membase + USR1);
+ val = readl(sport->port.membase + USR1) & USR1_RTSS;
uart_handle_cts_change(&sport->port, !!val);
wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

2011-04-26 21:20:52

by Andi Kleen

Subject: [PATCH] [89/106] NFS: nfs_wcc_update_inode() should set nfsi->attr_gencount

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Trond Myklebust <[email protected]>

commit 27dc1cd3ad9300f81e1219e5fc305d91d85353f8 upstream.

If the call to nfs_wcc_update_inode() results in an attribute update, we
need to ensure that the inode's attr_gencount gets bumped too, otherwise
we are not protected against races with other GETATTR calls.

Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/nfs/inode.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)

Index: linux-2.6.35.y/fs/nfs/inode.c
===================================================================
--- linux-2.6.35.y.orig/fs/nfs/inode.c
+++ linux-2.6.35.y/fs/nfs/inode.c
@@ -811,9 +811,10 @@ out:
return ret;
}

-static void nfs_wcc_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+static unsigned long nfs_wcc_update_inode(struct inode *inode, struct nfs_fattr *fattr)
{
struct nfs_inode *nfsi = NFS_I(inode);
+ unsigned long ret = 0;

if ((fattr->valid & NFS_ATTR_FATTR_PRECHANGE)
&& (fattr->valid & NFS_ATTR_FATTR_CHANGE)
@@ -821,25 +822,32 @@ static void nfs_wcc_update_inode(struct
nfsi->change_attr = fattr->change_attr;
if (S_ISDIR(inode->i_mode))
nfsi->cache_validity |= NFS_INO_INVALID_DATA;
+ ret |= NFS_INO_INVALID_ATTR;
}
/* If we have atomic WCC data, we may update some attributes */
if ((fattr->valid & NFS_ATTR_FATTR_PRECTIME)
&& (fattr->valid & NFS_ATTR_FATTR_CTIME)
- && timespec_equal(&inode->i_ctime, &fattr->pre_ctime))
- memcpy(&inode->i_ctime, &fattr->ctime, sizeof(inode->i_ctime));
+ && timespec_equal(&inode->i_ctime, &fattr->pre_ctime)) {
+ memcpy(&inode->i_ctime, &fattr->ctime, sizeof(inode->i_ctime));
+ ret |= NFS_INO_INVALID_ATTR;
+ }

if ((fattr->valid & NFS_ATTR_FATTR_PREMTIME)
&& (fattr->valid & NFS_ATTR_FATTR_MTIME)
&& timespec_equal(&inode->i_mtime, &fattr->pre_mtime)) {
- memcpy(&inode->i_mtime, &fattr->mtime, sizeof(inode->i_mtime));
- if (S_ISDIR(inode->i_mode))
- nfsi->cache_validity |= NFS_INO_INVALID_DATA;
+ memcpy(&inode->i_mtime, &fattr->mtime, sizeof(inode->i_mtime));
+ if (S_ISDIR(inode->i_mode))
+ nfsi->cache_validity |= NFS_INO_INVALID_DATA;
+ ret |= NFS_INO_INVALID_ATTR;
}
if ((fattr->valid & NFS_ATTR_FATTR_PRESIZE)
&& (fattr->valid & NFS_ATTR_FATTR_SIZE)
&& i_size_read(inode) == nfs_size_to_loff_t(fattr->pre_size)
- && nfsi->npages == 0)
- i_size_write(inode, nfs_size_to_loff_t(fattr->size));
+ && nfsi->npages == 0) {
+ i_size_write(inode, nfs_size_to_loff_t(fattr->size));
+ ret |= NFS_INO_INVALID_ATTR;
+ }
+ return ret;
}

/**
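
Review bot: nfs_wcc_update_inode() now returns a mask, but the function has no comment describing the return value, and NFS_INO_INVALID_ATTR is used here to mean "an attribute was just updated from WCC data" rather than "attributes are invalid". Document that on the function so the caller's "invalid |=" is not misread. The memcpy(), S_ISDIR and i_size_write() lines appear as removed and re-added with identical text, which makes the real change (the added braces and "ret |=" lines) harder to pick out in a stable backport.
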
@@ -1153,7 +1161,7 @@ static int nfs_update_inode(struct inode
| NFS_INO_REVAL_PAGECACHE);

/* Do atomic weak cache consistency updates */
- nfs_wcc_update_inode(inode, fattr);
+ invalid |= nfs_wcc_update_inode(inode, fattr);

/* More cache consistency checks */
if (fattr->valid & NFS_ATTR_FATTR_CHANGE) {
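
Review bot: the subject says nfs_wcc_update_inode() should set nfsi->attr_gencount, yet no visible hunk touches attr_gencount; the bump can only happen if nfs_update_inode() acts on NFS_INO_INVALID_ATTR in "invalid" further down, outside this context. Say that in the changelog, and check that the 2.6.35 nfs_update_inode() has that code, since the change has no effect without it.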

2011-04-26 21:14:59

by Andi Kleen

Subject: [PATCH] [69/106] USB: ftdi_sio: add ids for Hameg HO720 and HO730

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Paul Friedrich <[email protected]>

commit c53c2fab40cf16e13af66f40bfd27200cda98d2f upstream.

usb serial: ftdi_sio: add two missing USB ID's for Hameg interfaces HO720
and HO730

Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 2 ++
2 files changed, 4 insertions(+)

Index: linux-2.6.35.y/drivers/usb/serial/ftdi_sio.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/ftdi_sio.c
+++ linux-2.6.35.y/drivers/usb/serial/ftdi_sio.c
@@ -787,6 +787,8 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) },
+ { USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) },
+ { USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO870_PID) },
{ USB_DEVICE(FTDI_VID, MJSG_GENERIC_PID) },
{ USB_DEVICE(FTDI_VID, MJSG_SR_RADIO_PID) },
Index: linux-2.6.35.y/drivers/usb/serial/ftdi_sio_ids.h
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/ftdi_sio_ids.h
+++ linux-2.6.35.y/drivers/usb/serial/ftdi_sio_ids.h
@@ -300,6 +300,8 @@
* Hameg HO820 and HO870 interface (using VID 0x0403)
*/
#define HAMEG_HO820_PID 0xed74
+#define HAMEG_HO730_PID 0xed73
+#define HAMEG_HO720_PID 0xed72
#define HAMEG_HO870_PID 0xed71

/*
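
Review bot: the comment above these defines still reads "Hameg HO820 and HO870 interface" after HO720 and HO730 are added; update it to list all four. The two new defines do keep the existing descending PID order (0xed74, 0xed73, 0xed72, 0xed71).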

2011-04-26 21:14:57

by Andi Kleen

Subject: [PATCH] [64/106] x86, cpu: Clean up AMD erratum 400 workaround

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Hans Rosenfeld <[email protected]>

commit 9d8888c2a214aece2494a49e699a097c2ba9498b upstream.

Remove check_c1e_idle() and use the new AMD errata checking framework
instead.

Signed-off-by: Hans Rosenfeld <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
LKML-Reference: <[email protected]>
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/include/asm/processor.h | 1 +
arch/x86/kernel/cpu/amd.c | 5 +++++
arch/x86/kernel/process.c | 39 ++-------------------------------------
3 files changed, 8 insertions(+), 37 deletions(-)

Index: linux-2.6.35.y/arch/x86/include/asm/processor.h
===================================================================
--- linux-2.6.35.y.orig/arch/x86/include/asm/processor.h
+++ linux-2.6.35.y/arch/x86/include/asm/processor.h
@@ -1006,6 +1006,7 @@ unsigned long calc_aperfmperf_ratio(stru
* AMD errata checking
*/
#ifdef CONFIG_CPU_SUP_AMD
+extern const int amd_erratum_400[];
extern bool cpu_has_amd_erratum(const int *);

#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 }
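
Review bot: the extern for amd_erratum_400 is added inside "#ifdef CONFIG_CPU_SUP_AMD", while the process.c hunk of this patch references amd_erratum_400 with no ifdef around the call. Unless a branch outside this context provides a fallback, a kernel configured without CONFIG_CPU_SUP_AMD will not build; please confirm which it is and mention it in the changelog.
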
Index: linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/cpu/amd.c
+++ linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
@@ -627,6 +627,11 @@ cpu_dev_register(amd_cpu_dev);
* AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0));
*/

+const int amd_erratum_400[] =
+ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf),
+ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf));
+
+
bool cpu_has_amd_erratum(const int *erratum)
{
struct cpuinfo_x86 *cpu = &current_cpu_data;
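
Review bot: the family 0xf range in amd_erratum_400 starts at model 0x41 stepping 0x2, while the check_c1e_idle() removed by this patch matched "c->x86 == 0x0F && c->x86_model >= 0x40"; for family 0x10 the old code returned 1 for every model unless OSVW said otherwise, where the new range starts at model 0x2 stepping 0x1. For a patch titled as a cleanup, the changelog should state whether parts at the low end of those ranges are meant to stop using c1e_idle. The hunk also adds two blank lines after the table where one would do.
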
Index: linux-2.6.35.y/arch/x86/kernel/process.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/process.c
+++ linux-2.6.35.y/arch/x86/kernel/process.c
@@ -525,42 +525,6 @@ static int __cpuinit mwait_usable(const
return (edx & MWAIT_EDX_C1);
}

-/*
- * Check for AMD CPUs, where APIC timer interrupt does not wake up CPU from C1e.
- * For more information see
- * - Erratum #400 for NPT family 0xf and family 0x10 CPUs
- * - Erratum #365 for family 0x11 (not affected because C1e not in use)
- */
-static int __cpuinit check_c1e_idle(const struct cpuinfo_x86 *c)
-{
- u64 val;
- if (c->x86_vendor != X86_VENDOR_AMD)
- goto no_c1e_idle;
-
- /* Family 0x0f models < rev F do not have C1E */
- if (c->x86 == 0x0F && c->x86_model >= 0x40)
- return 1;
-
- if (c->x86 == 0x10) {
- /*
- * check OSVW bit for CPUs that are not affected
- * by erratum #400
- */
- if (cpu_has(c, X86_FEATURE_OSVW)) {
- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, val);
- if (val >= 2) {
- rdmsrl(MSR_AMD64_OSVW_STATUS, val);
- if (!(val & BIT(1)))
- goto no_c1e_idle;
- }
- }
- return 1;
- }
-
-no_c1e_idle:
- return 0;
-}
-
static cpumask_var_t c1e_mask;
static int c1e_detected;

@@ -638,7 +602,8 @@ void __cpuinit select_idle_routine(const
*/
printk(KERN_INFO "using mwait in idle threads.\n");
pm_idle = mwait_idle;
- } else if (check_c1e_idle(c)) {
+ } else if (cpu_has_amd_erratum(amd_erratum_400)) {
+ /* E400: APIC timer interrupt does not wake up CPU from C1e */
printk(KERN_INFO "using C1E aware idle routine\n");
pm_idle = c1e_idle;
} else
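
Review bot: select_idle_routine() is passed c, and the removed check_c1e_idle(c) examined that CPU, but cpu_has_amd_erratum(amd_erratum_400) takes no CPU argument and, per the context in the amd.c hunk, reads current_cpu_data. That is equivalent only if select_idle_routine() always runs on the CPU that c describes; note that assumption in the new comment or the changelog. The explicit X86_VENDOR_AMD test also disappears here, so cpu_has_amd_erratum() has to do the vendor check itself, which the visible lines do not show.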

2011-04-26 21:21:27

by Andi Kleen

Subject: [PATCH] [86/106] intel-iommu: Unlink domain from iommu

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Alex Williamson <[email protected]>

commit a97590e56d0d58e1dd262353f7cbd84e81d8e600 upstream.

When we remove a device, we unlink the iommu from the domain, but
we never do the reverse unlinking of the domain from the iommu.
This means that we never clear iommu->domain_ids, eventually leading
to resource exhaustion if we repeatedly bind and unbind a device
to a driver. Also free empty domains to avoid a resource leak.

Signed-off-by: Alex Williamson <[email protected]>
Acked-by: Donald Dutile <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/pci/intel-iommu.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/pci/intel-iommu.c
===================================================================
--- linux-2.6.35.y.orig/drivers/pci/intel-iommu.c
+++ linux-2.6.35.y/drivers/pci/intel-iommu.c
@@ -3260,9 +3260,15 @@ static int device_notifier(struct notifi
if (!domain)
return 0;

- if (action == BUS_NOTIFY_UNBOUND_DRIVER && !iommu_pass_through)
+ if (action == BUS_NOTIFY_UNBOUND_DRIVER && !iommu_pass_through) {
domain_remove_one_dev_info(domain, pdev);

+ if (!(domain->flags & DOMAIN_FLAG_VIRTUAL_MACHINE) &&
+ !(domain->flags & DOMAIN_FLAG_STATIC_IDENTITY) &&
+ list_empty(&domain->devices))
+ domain_exit(domain);
+ }
+
return 0;
}

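Review bot: in device_notifier(), the list_empty(&domain->devices) test and the domain_exit(domain) that follows run with no lock held in the visible lines, while domain_remove_one_dev_info() changes the same list under device_domain_lock. If another device can be attached to this domain between the check and domain_exit(), the domain is torn down while in use. Either do the emptiness check under the lock or add a comment explaining why no attach can race with BUS_NOTIFY_UNBOUND_DRIVER here.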
@@ -3411,6 +3417,11 @@ static void domain_remove_one_dev_info(s
domain->iommu_count--;
domain_update_iommu_cap(domain);
spin_unlock_irqrestore(&domain->iommu_lock, tmp_flags);
+
+ spin_lock_irqsave(&iommu->lock, tmp_flags);
+ clear_bit(domain->id, iommu->domain_ids);
+ iommu->domains[domain->id] = NULL;
+ spin_unlock_irqrestore(&iommu->lock, tmp_flags);
}

spin_unlock_irqrestore(&device_domain_lock, flags);
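Review bot: the added block in domain_remove_one_dev_info() clears domain->id from iommu->domain_ids and sets iommu->domains[domain->id] to NULL right after domain->iommu_count--, and the condition guarding the enclosing braces is outside the hunk. If that condition does not guarantee this was the domain's last device behind this iommu, the id becomes reusable while another device of the same domain still depends on it. A one-line comment above the spin_lock_irqsave(&iommu->lock, ...) naming the guarantee would make this checkable from the diff alone.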

2011-04-26 21:21:23

by Andi Kleen

Subject: [PATCH] [87/106] intel-iommu: Fix get_domain_for_dev() error path

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Alex Williamson <[email protected]>

commit 2fe9723df8e45fd247782adea244a5e653c30bf4 upstream.

If we run out of domain_ids and fail iommu_attach_domain(), we
fall into domain_exit() without having set up enough of the
domain structure for this to do anything useful. In fact, it
typically runs off into the weeds walking the bogus domain->devices
list. Just free the domain.

Signed-off-by: Alex Williamson <[email protected]>
Acked-by: Donald Dutile <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/pci/intel-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/pci/intel-iommu.c
===================================================================
--- linux-2.6.35.y.orig/drivers/pci/intel-iommu.c
+++ linux-2.6.35.y/drivers/pci/intel-iommu.c
@@ -1835,7 +1835,7 @@ static struct dmar_domain *get_domain_fo

ret = iommu_attach_domain(domain, iommu);
if (ret) {
- domain_exit(domain);
+ free_domain_mem(domain);
goto error;
}
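Review bot: on the iommu_attach_domain() failure branch, free_domain_mem(domain) is correct only as long as nothing that needs tearing down has been attached to the domain before this call, and the hunk does not show what precedes it. A short comment on the new line (for example that the domain is not initialised at this point) would keep a later change from adding setup above iommu_attach_domain() and silently leaking it on this path.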

2011-04-26 21:14:54

by Andi Kleen

Subject: [PATCH] [62/106] UBIFS: fix oops when R/O file-system is fsync'ed

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Artem Bityutskiy <[email protected]>

commit 78530bf7f2559b317c04991b52217c1608d5a58d upstream.

This patch fixes a severe UBIFS bug: UBIFS oopses when we 'fsync()' a
file on R/O-mounted file-system. We (the UBIFS authors) incorrectly
thought that VFS would not propagate 'fsync()' down to the file-system
if it is read-only, but this is not the case.

It is easy to exploit this bug using the following simple perl script:

use strict;
use File::Sync qw(fsync sync);

die "File path is not specified" if not defined $ARGV[0];
my $path = $ARGV[0];

open FILE, "<", "$path" or die "Cannot open $path: $!";
fsync(\*FILE) or die "cannot fsync $path: $!";
close FILE or die "Cannot close $path: $!";

Thanks to Reuben Dowle <[email protected]> for reporting about this
issue.

Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Reported-by: Reuben Dowle <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ubifs/file.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/fs/ubifs/file.c
===================================================================
--- linux-2.6.35.y.orig/fs/ubifs/file.c
+++ linux-2.6.35.y/fs/ubifs/file.c
@@ -1315,6 +1315,9 @@ int ubifs_fsync(struct file *file, int d

dbg_gen("syncing inode %lu", inode->i_ino);

+ if (inode->i_sb->s_flags & MS_RDONLY)
+ return 0;
+
/*
* VFS has already synchronized dirty pages for this inode. Synchronize
* the inode unless this is a 'datasync()' call.
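Review bot: the new MS_RDONLY early return in ubifs_fsync() has no comment, and the existing comment directly below it still reads as if VFS had filtered everything that needs filtering. Add one line above the check saying that VFS does pass fsync() down on read-only mounts, which is the assumption the changelog says was wrong. It is also worth stating whether returning 0 is intended for a file system that is read-only for any reason, since the caller will treat 0 as success.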

2011-04-26 21:21:52

by Andi Kleen

Subject: [PATCH] [85/106] x86, gart: Make sure GART does not map physmem above 1TB

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Joerg Roedel <[email protected]>

commit 665d3e2af83c8fbd149534db8f57d82fa6fa6753 upstream.

The GART can only map physical memory below 1TB. Make sure
the gart driver in the kernel does not try to map memory
above 1TB.

Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/pci-gart_64.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/arch/x86/kernel/pci-gart_64.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/pci-gart_64.c
+++ linux-2.6.35.y/arch/x86/kernel/pci-gart_64.c
@@ -80,6 +80,9 @@ static u32 gart_unmapped_entry;
#define AGPEXTERN
#endif

+/* GART can only remap to physical addresses < 1TB */
+#define GART_MAX_PHYS_ADDR (1ULL << 40)
+
/* backdoor interface to AGP driver */
AGPEXTERN int agp_memory_reserved;
AGPEXTERN __u32 *agp_gatt_table;
@@ -211,9 +214,13 @@ static dma_addr_t dma_map_area(struct de
size_t size, int dir, unsigned long align_mask)
{
unsigned long npages = iommu_num_pages(phys_mem, size, PAGE_SIZE);
- unsigned long iommu_page = alloc_iommu(dev, npages, align_mask);
+ unsigned long iommu_page;
int i;

+ if (unlikely(phys_mem + size > GART_MAX_PHYS_ADDR))
+ return bad_dma_addr;
+
+ iommu_page = alloc_iommu(dev, npages, align_mask);
if (iommu_page == -1) {
if (!nonforced_iommu(dev, phys_mem, size))
return phys_mem;
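Review bot: in dma_map_area(), the new test phys_mem + size > GART_MAX_PHYS_ADDR can wrap for a large size and then pass; comparing phys_mem against GART_MAX_PHYS_ADDR - size (after bounding size) avoids that. The early return of bad_dma_addr also happens before the nonforced_iommu() fallback shown a few lines below, so a device that could address the buffer directly now gets an error instead of phys_mem; if that is intended, say so in a comment next to the check.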

2011-04-26 21:22:08

by Andi Kleen

Subject: [PATCH] [84/106] p54: Initialize extra_len in p54_tx_80211

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jason Conti <[email protected]>

commit a6756da9eace8b4af73e9dea43f1fc2889224c94 upstream.

This patch fixes a very serious off-by-one bug in
the driver, which could leave the device in an
unresponsive state.

The problem was that the extra_len variable [used to
reserve extra scratch buffer space for the firmware]
was left uninitialized. Because p54_assign_address
later needs the value to reserve additional space,
the resulting frame could be too big for the small
device's memory window and everything would
immediately come to a grinding halt.

Reference: https://bugs.launchpad.net/bugs/722185

Acked-by: Christian Lamparter <[email protected]>
Signed-off-by: Jason Conti <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/net/wireless/p54/txrx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/net/wireless/p54/txrx.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/p54/txrx.c
+++ linux-2.6.35.y/drivers/net/wireless/p54/txrx.c
@@ -702,7 +702,7 @@ int p54_tx_80211(struct ieee80211_hw *de
struct p54_tx_info *p54info;
struct p54_hdr *hdr;
struct p54_tx_data *txhdr;
- unsigned int padding, len, extra_len;
+ unsigned int padding, len, extra_len = 0;
int i, j, ridx;
u16 hdr_flags = 0, aid = 0;
u8 rate, queue = 0, crypt_offset = 0;
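Review bot: initialising extra_len to 0 in the declaration in p54_tx_80211() fixes the uninitialised read, but it also hides from the compiler any later path that forgets to assign it. Setting it explicitly at the point where the other branches assign it would keep that warning useful. The changelog calls this an off-by-one bug while the change is an uninitialised variable, so the wording should match the fix.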

2011-04-26 21:22:29

by Andi Kleen

Subject: [PATCH] [83/106] block, blk-sysfs: Fix an err return path in blk_register_queue()

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Liu Yuan <[email protected]>

commit ed5302d3c25006a9edc7a7fbea97a30483f89ef7 upstream.

We do not call blk_trace_remove_sysfs() in err return path
if kobject_add() fails. This patch fixes it.

Signed-off-by: Liu Yuan <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
block/blk-sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/block/blk-sysfs.c
===================================================================
--- linux-2.6.35.y.orig/block/blk-sysfs.c
+++ linux-2.6.35.y/block/blk-sysfs.c
@@ -502,8 +502,10 @@ int blk_register_queue(struct gendisk *d
return ret;

ret = kobject_add(&q->kobj, kobject_get(&dev->kobj), "%s", "queue");
- if (ret < 0)
+ if (ret < 0) {
+ blk_trace_remove_sysfs(dev);
return ret;
+ }

kobject_uevent(&q->kobj, KOBJ_ADD);
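Review bot: the new error branch after kobject_add() in blk_register_queue() calls blk_trace_remove_sysfs(dev), but the reference taken by kobject_get(&dev->kobj) in the argument list of that same kobject_add() call is not dropped in the visible lines. Confirm whether a failed kobject_add() releases the parent reference itself; if it does not, this branch also needs a kobject_put().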

2011-04-26 21:22:41

by Andi Kleen

Subject: [PATCH] [82/106] ath: add missing regdomain pair 0x5c mapping

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Christian Lamparter <[email protected]>

commit bd39a274fb7b43374c797bafdb7f506598f36f77 upstream.

Joe Culler reported a problem with his AR9170 device:

> ath: EEPROM regdomain: 0x5c
> ath: EEPROM indicates we should expect a direct regpair map
> ath: invalid regulatory domain/country code 0x5c
> ath: Invalid EEPROM contents

It turned out that the regdomain 'APL7_FCCA' was not mapped yet.
According to Luis R. Rodriguez [Atheros' engineer] APL7 maps to
FCC_CTL and FCCA maps to FCC_CTL as well, so the attached patch
should be correct.

Reported-by: Joe Culler <[email protected]>
Acked-by: Luis R. Rodriguez <[email protected]>
Signed-off-by: Christian Lamparter <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/net/wireless/ath/regd_common.h | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/drivers/net/wireless/ath/regd_common.h
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/ath/regd_common.h
+++ linux-2.6.35.y/drivers/net/wireless/ath/regd_common.h
@@ -195,6 +195,7 @@ static struct reg_dmn_pair_mapping regDo
{APL9_WORLD, CTL_ETSI, CTL_ETSI},

{APL3_FCCA, CTL_FCC, CTL_FCC},
+ {APL7_FCCA, CTL_FCC, CTL_FCC},
{APL1_ETSIC, CTL_FCC, CTL_ETSI},
{APL2_ETSIC, CTL_FCC, CTL_ETSI},
{APL2_APLD, CTL_FCC, NO_CTL},
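Review bot: the added {APL7_FCCA, CTL_FCC, CTL_FCC} row uses an identifier that this one-line hunk does not define. Check that APL7_FCCA exists in the 2.6.35.y regd_common.h with the value 0x5c from the report quoted in the changelog, otherwise the backport either fails to build or maps a different code than the one the EEPROM reports.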

2011-04-26 21:22:54

by Andi Kleen

Subject: [PATCH] [81/106] ath9k: fix a chip wakeup related crash in ath9k_start

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Felix Fietkau <[email protected]>

[ upstream commit f62d816fc4324afbb7cf90110c70b6a14139b225 ]

When the chip is still asleep when ath9k_start is called,
ath9k_hw_configpcipowersave can trigger a data bus error.

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: [email protected]
Signed-off-by: John W. Linville <[email protected]>

Index: linux-2.6.35.y/drivers/net/wireless/ath/ath9k/main.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/ath/ath9k/main.c
+++ linux-2.6.35.y/drivers/net/wireless/ath/ath9k/main.c
@@ -1124,6 +1124,8 @@ static int ath9k_start(struct ieee80211_
"Starting driver with initial channel: %d MHz\n",
curchan->center_freq);

+ ath9k_ps_wakeup(sc);
+
mutex_lock(&sc->mutex);

if (ath9k_wiphy_started(sc)) {
@@ -1238,6 +1240,8 @@ static int ath9k_start(struct ieee80211_
mutex_unlock:
mutex_unlock(&sc->mutex);

+ ath9k_ps_restore(sc);
+
return r;
}
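Review bot: ath9k_ps_restore(sc) is added after the mutex_unlock label, which balances the ath9k_ps_wakeup(sc) from the first hunk only for paths that reach that label. The lines between the two hunks are not shown, so confirm that ath9k_start() has no direct return between the wakeup and the label; any such return would leave the power-save reference held. Note also that the wakeup is taken before mutex_lock(&sc->mutex) and the restore after the unlock, so both run outside the mutex; a comment saying that is deliberate would help.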

2011-04-26 21:14:50

by Andi Kleen

Subject: [PATCH] [63/106] x86, cpu: AMD errata checking framework

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Hans Rosenfeld <[email protected]>

commit d78d671db478eb8b14c78501c0cee1cc7baf6967 upstream.

Errata are defined using the AMD_LEGACY_ERRATUM() or AMD_OSVW_ERRATUM()
macros. The latter is intended for newer errata that have an OSVW id
assigned, which it takes as first argument. Both take a variable number
of family-specific model-stepping ranges created by AMD_MODEL_RANGE().

Iff an erratum has an OSVW id, OSVW is available on the CPU, and the
OSVW id is known to the hardware, it is used to determine whether an
erratum is present. Otherwise, the model-stepping ranges are matched
against the current CPU to find out whether the erratum applies.

For certain special errata, the code using this framework might have to
conduct further checks to make sure an erratum is really (not) present.

Signed-off-by: Hans Rosenfeld <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
LKML-Reference: <[email protected]>
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/include/asm/processor.h | 18 +++++++++++
arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)

Index: linux-2.6.35.y/arch/x86/include/asm/processor.h
===================================================================
--- linux-2.6.35.y.orig/arch/x86/include/asm/processor.h
+++ linux-2.6.35.y/arch/x86/include/asm/processor.h
@@ -1002,4 +1002,22 @@ unsigned long calc_aperfmperf_ratio(stru
return ratio;
}

+/*
+ * AMD errata checking
+ */
+#ifdef CONFIG_CPU_SUP_AMD
+extern bool cpu_has_amd_erratum(const int *);
+
+#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 }
+#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 }
+#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \
+ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end))
+#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff)
+#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+
+#else
+#define cpu_has_amd_erratum(x) (false)
+#endif /* CONFIG_CPU_SUP_AMD */
+
#endif /* _ASM_X86_PROCESSOR_H */
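Review bot: AMD_MODEL_RANGE() uses its parameters unparenthesised (f << 24, m_start << 16, s_start << 12, m_end << 4), so an argument that is itself an expression binds incorrectly; each should be written as ((f) << 24) and so on. The fields are also unmasked, so a stepping above 0xf or a model above 0xff spills into the neighbouring field and silently changes the range. The comment in amd.c says each erratum must be declared extern const int[] in this header, but the hunk adds no such declaration, which is worth noting for whoever adds the first table.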
Index: linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/cpu/amd.c
+++ linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
@@ -608,3 +608,63 @@ static const struct cpu_dev __cpuinitcon
};

cpu_dev_register(amd_cpu_dev);
+
+/*
+ * AMD errata checking
+ *
+ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or
+ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that
+ * have an OSVW id assigned, which it takes as first argument. Both take a
+ * variable number of family-specific model-stepping ranges created by
+ * AMD_MODEL_RANGE(). Each erratum also has to be declared as extern const
+ * int[] in arch/x86/include/asm/processor.h.
+ *
+ * Example:
+ *
+ * const int amd_erratum_319[] =
+ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2),
+ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0),
+ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0));
+ */
+
+bool cpu_has_amd_erratum(const int *erratum)
+{
+ struct cpuinfo_x86 *cpu = &current_cpu_data;
+ int osvw_id = *erratum++;
+ u32 range;
+ u32 ms;
+
+ /*
+ * If called early enough that current_cpu_data hasn't been initialized
+ * yet, fall back to boot_cpu_data.
+ */
+ if (cpu->x86 == 0)
+ cpu = &boot_cpu_data;
+
+ if (cpu->x86_vendor != X86_VENDOR_AMD)
+ return false;
+
+ if (osvw_id >= 0 && osvw_id < 65536 &&
+ cpu_has(cpu, X86_FEATURE_OSVW)) {
+ u64 osvw_len;
+
+ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len);
+ if (osvw_id < osvw_len) {
+ u64 osvw_bits;
+
+ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6),
+ osvw_bits);
+ return osvw_bits & (1ULL << (osvw_id & 0x3f));
+ }
+ }
+
+ /* OSVW unavailable or ID unknown, match family-model-stepping range */
+ ms = (cpu->x86_model << 8) | cpu->x86_mask;
+ while ((range = *erratum++))
+ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) &&
+ (ms >= AMD_MODEL_RANGE_START(range)) &&
+ (ms <= AMD_MODEL_RANGE_END(range)))
+ return true;
+
+ return false;
+}
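Review bot: in the fallback path of cpu_has_amd_erratum(), ms is built as (cpu->x86_model << 8) | cpu->x86_mask, but AMD_MODEL_RANGE_START() and AMD_MODEL_RANGE_END() both yield a 12-bit value laid out as (model << 4) | stepping. For any model other than 0, ms is then larger than every possible range end and the loop never matches, so legacy errata go undetected when OSVW is not used. The shift should be 4, ideally expressed through a helper defined next to the range macros so the two cannot diverge.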

2011-04-26 21:23:25

by Andi Kleen

Subject: [PATCH] [80/106] Input: synaptics - fix crash in synaptics_module_init()

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jan Beulich <[email protected]>

[ upstream commit 708748670c7c6dd5bd3b141473086e6937e72737 ]

'struct dmi_system_id' arrays must always have a terminator to keep
dmi_check_system() from looking at data (and possibly crashing) it
isn't supposed to look at.

The issue went unnoticed until ef8313bb1a22e7d2125d9d758aa8a81f1de91d81,
but was introduced about a year earlier with
7705d548cbe33f18ea7713b9a07aa11047aaeca4 (which also similarly changed
lifebook.c, but the problem there got eliminated shortly afterwards).

The first hunk therefore is a stable candidate back to 2.6.33, while
the full change is needed only on 2.6.38.

Signed-off-by: Jan Beulich <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: [email protected]
Signed-off-by: Dmitry Torokhov <[email protected]>

Index: linux-2.6.35.y/drivers/input/mouse/synaptics.c
===================================================================
--- linux-2.6.35.y.orig/drivers/input/mouse/synaptics.c
+++ linux-2.6.35.y/drivers/input/mouse/synaptics.c
@@ -712,8 +712,8 @@ static const struct dmi_system_id __init
},

},
- { }
#endif
+ { }
};

void __init synaptics_module_init(void)
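Review bot: the { } terminator now sits after #endif, which is what dmi_check_system() needs, but nothing on that line says why it must stay outside the conditional block. A trailing comment such as "terminator, must not be inside the #if" would prevent the next edit of this table from moving it back.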

2011-04-26 21:23:27

by Andi Kleen

Subject: [PATCH] [79/106] net: ax25: fix information leak to userland harder

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Kees Cook <[email protected]>

commit 5b919f833d9d60588d026ad82d17f17e8872c7a9 upstream.

Commit fe10ae53384e48c51996941b7720ee16995cbcb7 adds a memset() to clear
the structure being sent back to userspace, but accidentally used the
wrong size.

Reported-by: Brad Spengler <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/ax25/af_ax25.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/net/ax25/af_ax25.c
===================================================================
--- linux-2.6.35.y.orig/net/ax25/af_ax25.c
+++ linux-2.6.35.y/net/ax25/af_ax25.c
@@ -1392,7 +1392,7 @@ static int ax25_getname(struct socket *s
ax25_cb *ax25;
int err = 0;

- memset(fsa, 0, sizeof(fsa));
+ memset(fsa, 0, sizeof(*fsa));
lock_sock(sk);
ax25 = ax25_sk(sk);
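Review bot: in ax25_getname(), memset(fsa, 0, sizeof(*fsa)) clears exactly one object of fsa's pointed-to type, and the hunk shows neither the declaration of fsa nor the length later reported to the caller. Confirm that the length returned to userspace never exceeds sizeof(*fsa); if the function can report a larger structure, the bytes past sizeof(*fsa) are still uninitialised and the leak remains for that case.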

2011-04-26 21:23:49

by Andi Kleen

Subject: [PATCH] [78/106] x86, cpu: Fix regression in AMD errata checking code

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Hans Rosenfeld <[email protected]>

commit 07a7795ca2e6e66d00b184efb46bd0e23d90d3fe upstream.

A bug in the family-model-stepping matching code caused the presence of
errata to go undetected when OSVW was not used. This causes hangs on
some K8 systems because the E400 workaround is not enabled.

Signed-off-by: Hans Rosenfeld <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
LKML-Reference: <[email protected]>
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/cpu/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/cpu/amd.c
+++ linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
@@ -687,7 +687,7 @@ bool cpu_has_amd_erratum(const int *erra
}

/* OSVW unavailable or ID unknown, match family-model-stepping range */
- ms = (cpu->x86_model << 8) | cpu->x86_mask;
+ ms = (cpu->x86_model << 4) | cpu->x86_mask;
while ((range = *erratum++))
if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) &&
(ms >= AMD_MODEL_RANGE_START(range)) &&
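Review bot: the corrected shift in ms = (cpu->x86_model << 4) | cpu->x86_mask is a bare constant that has to stay in step with the bit layout of AMD_MODEL_RANGE() in processor.h, which is how the original << 8 slipped through. Add a comment on this line naming that dependency, or move the packing into a macro beside AMD_MODEL_RANGE_START() so the matcher and the encoder share one definition.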

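The range packing that [63/106] defines and the shift that [78/106] corrects, as an added stand-alone example (user-space C, not kernel code and not part of either patch). The macros and the amd_erratum_319 table are copied from the [63/106] hunks; struct cpu_id, range_match(), erratum_319_applies() and the sample CPU identities are constructed for illustration, and the OSVW MSR path is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Macros as they appear in the processor.h hunk of [63/106]. */
#define AMD_LEGACY_ERRATUM(...)		{ -1, __VA_ARGS__, 0 }
#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \
	((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end))
#define AMD_MODEL_RANGE_FAMILY(range)	(((range) >> 24) & 0xff)
#define AMD_MODEL_RANGE_START(range)	(((range) >> 12) & 0xfff)
#define AMD_MODEL_RANGE_END(range)	((range) & 0xfff)

/* The example table from the comment block added to amd.c in [63/106]. */
static const int amd_erratum_319[] =
	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2),
			   AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0),
			   AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0));

/* Hypothetical stand-in for the three cpuinfo_x86 fields the matcher reads. */
struct cpu_id {
	unsigned int family;
	unsigned int model;
	unsigned int stepping;
};

/*
 * Family-model-stepping fallback only.
 * model_shift is 8 for the code as added in [63/106] and 4 after [78/106].
 */
static bool range_match(const int *erratum, const struct cpu_id *cpu,
			unsigned int model_shift)
{
	uint32_t range;
	uint32_t ms = (cpu->model << model_shift) | cpu->stepping;

	erratum++;	/* skip the OSVW id slot (-1 for legacy errata) */
	while ((range = (uint32_t)*erratum++))
		if (cpu->family == AMD_MODEL_RANGE_FAMILY(range) &&
		    ms >= AMD_MODEL_RANGE_START(range) &&
		    ms <= AMD_MODEL_RANGE_END(range))
			return true;
	return false;
}

/* Convenience wrapper so callers can pass plain numbers. */
static bool erratum_319_applies(unsigned int family, unsigned int model,
				unsigned int stepping, unsigned int model_shift)
{
	struct cpu_id cpu = { family, model, stepping };

	return range_match(amd_erratum_319, &cpu, model_shift);
}

int main(void)
{
	/* Constructed CPU identities, not taken from any errata document. */
	static const struct cpu_id cpus[] = {
		{ 0x10, 0x2, 0x3 },	/* inside the first range */
		{ 0x10, 0x8, 0x0 },	/* exactly the second range */
		{ 0x10, 0x4, 0x3 },	/* one stepping past the first range */
		{ 0x0f, 0x2, 0x3 },	/* model and stepping fit, family does not */
	};
	size_t i;

	printf("family model stepping  shift8  shift4\n");
	for (i = 0; i < sizeof(cpus) / sizeof(cpus[0]); i++)
		printf("0x%02x   0x%x   0x%x       %-6s  %s\n",
		       cpus[i].family, cpus[i].model, cpus[i].stepping,
		       range_match(amd_erratum_319, &cpus[i], 8) ? "hit" : "miss",
		       range_match(amd_erratum_319, &cpus[i], 4) ? "hit" : "miss");
	return 0;
}
```

With the shift of 8 every row is a miss, including the two CPUs the table is meant to cover, which is the undetected-erratum behaviour the [78/106] changelog describes.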
2011-04-26 21:24:02

by Andi Kleen

Subject: [PATCH] [77/106] USB: xhci - fix math in xhci_get_endpoint_interval()

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dmitry Torokhov <[email protected]>

commit dfa49c4ad120a784ef1ff0717168aa79f55a483a upstream.

When parsing exponent-expressed intervals we subtract 1 from the
value and then expect it to match with original + 1, which is
highly unlikely, and we end with frequent spew:

usb 3-4: ep 0x83 - rounding interval to 512 microframes

Also, parsing interval for fullspeed isochronous endpoints was
incorrect - according to USB spec they use exponent-based
intervals (but xHCI spec claims frame-based intervals). I trust
USB spec more, especially since USB core agrees with it.

This should be queued for stable kernels back to 2.6.31.

Reviewed-by: Micah Elizabeth Scott <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/host/xhci-mem.c | 85 ++++++++++++++++++++++++++++++++------------
1 file changed, 62 insertions(+), 23 deletions(-)

Index: linux-2.6.35.y/drivers/usb/host/xhci-mem.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/host/xhci-mem.c
+++ linux-2.6.35.y/drivers/usb/host/xhci-mem.c
@@ -961,6 +961,47 @@ int xhci_setup_addressable_virt_dev(stru
return 0;
}

+/*
+ * Convert interval expressed as 2^(bInterval - 1) == interval into
+ * straight exponent value 2^n == interval.
+ *
+ */
+static unsigned int xhci_parse_exponent_interval(struct usb_device *udev,
+ struct usb_host_endpoint *ep)
+{
+ unsigned int interval;
+
+ interval = clamp_val(ep->desc.bInterval, 1, 16) - 1;
+ if (interval != ep->desc.bInterval - 1)
+ dev_warn(&udev->dev,
+ "ep %#x - rounding interval to %d microframes\n",
+ ep->desc.bEndpointAddress,
+ 1 << interval);
+
+ return interval;
+}
+
+/*
+ * Convert bInterval expressed in frames (in 1-255 range) to exponent of
+ * microframes, rounded down to nearest power of 2.
+ */
+static unsigned int xhci_parse_frame_interval(struct usb_device *udev,
+ struct usb_host_endpoint *ep)
+{
+ unsigned int interval;
+
+ interval = fls(8 * ep->desc.bInterval) - 1;
+ interval = clamp_val(interval, 3, 10);
+ if ((1 << interval) != 8 * ep->desc.bInterval)
+ dev_warn(&udev->dev,
+ "ep %#x - rounding interval to %d microframes, ep desc says %d microframes\n",
+ ep->desc.bEndpointAddress,
+ 1 << interval,
+ 8 * ep->desc.bInterval);
+
+ return interval;
+}
+
/* Return the polling or NAK interval.
*
* The polling interval is expressed in "microframes". If xHCI's Interval field
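Review bot: in xhci_parse_frame_interval(), interval is unsigned, so for bInterval == 0 the expression fls(8 * ep->desc.bInterval) - 1 evaluates to fls(0) - 1 and wraps to a very large value, which clamp_val(interval, 3, 10) then pins to 10 rather than 3. A zero bInterval from a device therefore selects the longest interval. Handle zero explicitly before the fls() call, or document that the maximum is the intended result for an invalid descriptor.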
@@ -978,43 +1019,35 @@ static inline unsigned int xhci_get_endp
case USB_SPEED_HIGH:
/* Max NAK rate */
if (usb_endpoint_xfer_control(&ep->desc) ||
- usb_endpoint_xfer_bulk(&ep->desc))
+ usb_endpoint_xfer_bulk(&ep->desc)) {
interval = ep->desc.bInterval;
+ break;
+ }
/* Fall through - SS and HS isoc/int have same decoding */
case USB_SPEED_SUPER:
if (usb_endpoint_xfer_int(&ep->desc) ||
- usb_endpoint_xfer_isoc(&ep->desc)) {
- if (ep->desc.bInterval == 0)
- interval = 0;
- else
- interval = ep->desc.bInterval - 1;
- if (interval > 15)
- interval = 15;
- if (interval != ep->desc.bInterval + 1)
- dev_warn(&udev->dev, "ep %#x - rounding interval to %d microframes\n",
- ep->desc.bEndpointAddress, 1 << interval);
+ usb_endpoint_xfer_isoc(&ep->desc)) {
+ interval = xhci_parse_exponent_interval(udev, ep);
}
break;
/* Convert bInterval (in 1-255 frames) to microframes and round down to
* nearest power of 2.
*/
case USB_SPEED_FULL:
+ if (usb_endpoint_xfer_int(&ep->desc)) {
+ interval = xhci_parse_exponent_interval(udev, ep);
+ break;
+ }
+ /*
+ * Fall through for isochronous endpoint interval decoding
+ * since it uses the same rules as low speed interrupt
+ * endpoints.
+ */
case USB_SPEED_LOW:
if (usb_endpoint_xfer_int(&ep->desc) ||
- usb_endpoint_xfer_isoc(&ep->desc)) {
- interval = fls(8*ep->desc.bInterval) - 1;
- if (interval > 10)
- interval = 10;
- if (interval < 3)
- interval = 3;
- if ((1 << interval) != 8*ep->desc.bInterval)
- dev_warn(&udev->dev,
- "ep %#x - rounding interval"
- " to %d microframes, "
- "ep desc says %d microframes\n",
- ep->desc.bEndpointAddress,
- 1 << interval,
- 8*ep->desc.bInterval);
+ usb_endpoint_xfer_isoc(&ep->desc)) {
+
+ interval = xhci_parse_frame_interval(udev, ep);
}
break;
default:
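Review bot: in the USB_SPEED_FULL case the new test is usb_endpoint_xfer_int(), and the added comment says isochronous endpoints fall through to the frame-based decoding, while the changelog states that full-speed isochronous endpoints are the ones using exponent-based intervals. One of the two is wrong; please reconcile the condition and the comment with the changelog. Also, xhci_parse_exponent_interval() returns the exponent in the descriptor's own units and its warning prints microframes, so if a full-speed endpoint is routed through it, check whether the result needs converting from frames to microframes before it is stored.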

2011-04-26 21:24:25

by Andi Kleen

Subject: [PATCH] [76/106] USB: xhci - fix unsafe macro definitions

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dmitry Torokhov <[email protected]>

commit 5a6c2f3ff039154872ce597952f8b8900ea0d732 upstream.

Macro arguments used in expressions need to be enclosed in parentheses
to avoid unpleasant surprises.

This should be queued for kernels back to 2.6.31

Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/host/xhci.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/drivers/usb/host/xhci.h
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/host/xhci.h
+++ linux-2.6.35.y/drivers/usb/host/xhci.h
@@ -232,7 +232,7 @@ struct xhci_op_regs {
* notification type that matches a bit set in this bit field.
*/
#define DEV_NOTE_MASK (0xffff)
-#define ENABLE_DEV_NOTE(x) (1 << x)
+#define ENABLE_DEV_NOTE(x) (1 << (x))
/* Most of the device notification types should only be used for debug.
* SW does need to pay attention to function wake notifications.
*/
@@ -598,11 +598,11 @@ struct xhci_ep_ctx {
#define EP_STATE_STOPPED 3
#define EP_STATE_ERROR 4
/* Mult - Max number of burtst within an interval, in EP companion desc. */
-#define EP_MULT(p) ((p & 0x3) << 8)
+#define EP_MULT(p) (((p) & 0x3) << 8)
/* bits 10:14 are Max Primary Streams */
/* bit 15 is Linear Stream Array */
/* Interval - period between requests to an endpoint - 125u increments. */
-#define EP_INTERVAL(p) ((p & 0xff) << 16)
+#define EP_INTERVAL(p) (((p) & 0xff) << 16)
#define EP_INTERVAL_TO_UFRAMES(p) (1 << (((p) >> 16) & 0xff))
#define EP_MAXPSTREAMS_MASK (0x1f << 10)
#define EP_MAXPSTREAMS(p) (((p) << 10) & EP_MAXPSTREAMS_MASK)
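Review bot: while EP_MULT() and EP_INTERVAL() are being fixed, the neighbouring EP_INTERVAL_TO_UFRAMES(p) in the context lines computes 1 << (((p) >> 16) & 0xff), which allows a shift count of up to 255 on an int and is undefined for anything above 30. Since the field comes from an endpoint context, bound it or mask to the valid exponent range in the same patch. The context comment above EP_MULT() also has the typo "burtst".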

2011-04-26 21:24:39

by Andi Kleen

Subject: [PATCH] [75/106] USB: fix formatting of SuperSpeed endpoints in /proc/bus/usb/devices

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dmitry Torokhov <[email protected]>

commit 2868a2b1ba8f9c7f6c4170519ebb6c62934df70e upstream.

Isochronous and interrupt SuperSpeed endpoints use the same mechanisms
for decoding bInterval values as HighSpeed ones so adjust the code
accordingly.

Also bandwidth reservation for SuperSpeed matches highspeed, not
low/full speed.

Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/core/devices.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

Index: linux-2.6.35.y/drivers/usb/core/devices.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/core/devices.c
+++ linux-2.6.35.y/drivers/usb/core/devices.c
@@ -222,7 +222,7 @@ static char *usb_dump_endpoint_descripto
break;
case USB_ENDPOINT_XFER_INT:
type = "Int.";
- if (speed == USB_SPEED_HIGH)
+ if (speed == USB_SPEED_HIGH || speed == USB_SPEED_SUPER)
interval = 1 << (desc->bInterval - 1);
else
interval = desc->bInterval;
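Review bot: in the USB_ENDPOINT_XFER_INT case, 1 << (desc->bInterval - 1) is now reached for SuperSpeed devices as well as high speed ones, and bInterval is taken from the device's descriptor. A value of 0 gives a negative shift count and a value above 31 shifts past the width of int, both undefined. Clamp bInterval to the valid 1 to 16 range before shifting, as the xHCI change in this series does with clamp_val().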
@@ -230,7 +230,8 @@ static char *usb_dump_endpoint_descripto
default: /* "can't happen" */
return start;
}
- interval *= (speed == USB_SPEED_HIGH) ? 125 : 1000;
+ interval *= (speed == USB_SPEED_HIGH ||
+ speed == USB_SPEED_SUPER) ? 125 : 1000;
if (interval % 1000)
unit = 'u';
else {
@@ -540,8 +541,9 @@ static ssize_t usb_device_dump(char __us
if (level == 0) {
int max;

- /* high speed reserves 80%, full/low reserves 90% */
- if (usbdev->speed == USB_SPEED_HIGH)
+ /* super/high speed reserves 80%, full/low reserves 90% */
+ if (usbdev->speed == USB_SPEED_HIGH ||
+ usbdev->speed == USB_SPEED_SUPER)
max = 800;
else
max = FRAME_TIME_MAX_USECS_ALLOC;

2011-04-26 21:24:40

by Andi Kleen

Subject: [PATCH] [74/106] USB: EHCI: unlink unused QHs when the controller is stopped

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Alan Stern <[email protected]>

commit 94ae4976e253757e9b03a44d27d41b20f1829d80 upstream.

This patch (as1458) fixes a problem affecting ultra-reliable systems:
When hardware failover of an EHCI controller occurs, the data
structures do not get released correctly. This is because the routine
responsible for removing unused QHs from the async schedule assumes
the controller is running properly (the frame counter is used in
determining how long the QH has been idle) -- but when a failover
causes the controller to be electronically disconnected from the PCI
bus, obviously it stops running.

The solution is simple: Allow scan_async() to remove a QH from the
async schedule if it has been idle for long enough _or_ if the
controller is stopped.

Signed-off-by: Alan Stern <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Reported-and-Tested-by: Dan Duval <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/host/ehci-q.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

Index: linux-2.6.35.y/drivers/usb/host/ehci-q.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/host/ehci-q.c
+++ linux-2.6.35.y/drivers/usb/host/ehci-q.c
@@ -1246,24 +1246,27 @@ static void start_unlink_async (struct e

static void scan_async (struct ehci_hcd *ehci)
{
+ bool stopped;
struct ehci_qh *qh;
enum ehci_timer_action action = TIMER_IO_WATCHDOG;

ehci->stamp = ehci_readl(ehci, &ehci->regs->frame_index);
timer_action_done (ehci, TIMER_ASYNC_SHRINK);
rescan:
+ stopped = !HC_IS_RUNNING(ehci_to_hcd(ehci)->state);
qh = ehci->async->qh_next.qh;
if (likely (qh != NULL)) {
do {
/* clean any finished work for this qh */
- if (!list_empty (&qh->qtd_list)
- && qh->stamp != ehci->stamp) {
+ if (!list_empty(&qh->qtd_list) && (stopped ||
+ qh->stamp != ehci->stamp)) {
int temp;

/* unlinks could happen here; completion
* reporting drops the lock. rescan using
* the latest schedule, but don't rescan
- * qhs we already finished (no looping).
+ * qhs we already finished (no looping)
+ * unless the controller is stopped.
*/
qh = qh_get (qh);
qh->stamp = ehci->stamp;
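Review bot: in scan_async(), once stopped is true the qh->stamp != ehci->stamp guard no longer limits how often a QH with a non-empty qtd_list is revisited, and the updated comment only says "unless the controller is stopped". State in that comment what bounds the rescan loop in the stopped case, for example that completion processing always empties qtd_list when the controller is not running; otherwise a QH whose list never drains makes the goto rescan path spin.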
@@ -1284,9 +1287,9 @@ rescan:
*/
if (list_empty(&qh->qtd_list)
&& qh->qh_state == QH_STATE_LINKED) {
- if (!ehci->reclaim
- && ((ehci->stamp - qh->stamp) & 0x1fff)
- >= (EHCI_SHRINK_FRAMES * 8))
+ if (!ehci->reclaim && (stopped ||
+ ((ehci->stamp - qh->stamp) & 0x1fff)
+ >= EHCI_SHRINK_FRAMES * 8))
start_unlink_async(ehci, qh);
else
action = TIMER_ASYNC_SHRINK;

2011-04-26 21:14:42

by Andi Kleen

Subject: [PATCH] [61/106] MAINTAINERS: update STABLE BRANCH info

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Randy Dunlap <[email protected]>

commit d00ebeac5f24f290636f7a895dafc124b2930a08 upstream.

Drop Chris Wright from STABLE maintainers. He hasn't done STABLE release
work for quite some time.

Signed-off-by: Randy Dunlap <[email protected]>
Acked-by: Chris Wright <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
MAINTAINERS | 1 -
1 file changed, 1 deletion(-)

Index: linux-2.6.35.y/MAINTAINERS
===================================================================
--- linux-2.6.35.y.orig/MAINTAINERS
+++ linux-2.6.35.y/MAINTAINERS
@@ -5442,7 +5442,6 @@ F: arch/alpha/kernel/srm_env.c

STABLE BRANCH
M: Greg Kroah-Hartman <[email protected]>
-M: Chris Wright <[email protected]>
L: [email protected]
S: Maintained

2011-04-26 21:25:19

by Andi Kleen

Subject: [PATCH] [72/106] next_pidmap: fix overflow condition

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Linus Torvalds <[email protected]>

commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream.

next_pidmap() just quietly accepted whatever 'last' pid that was passed
in, which is not all that safe when one of the users is /proc.

Admittedly the proc code should do some sanity checking on the range
(and that will be the next commit), but that doesn't mean that the
helper functions should just do that pidmap pointer arithmetic without
checking the range of its arguments.

So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
doesn't really matter, the for-loop does check against the end of the
pidmap array properly (it's only the actual pointer arithmetic overflow
case we need to worry about, and going one bit beyond isn't going to
overflow).

[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]

Reported-by: Tavis Ormandy <[email protected]>
Analyzed-by: Robert Święcki <[email protected]>
Cc: Eric W. Biederman <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
include/linux/pid.h | 2 +-
kernel/pid.c | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/include/linux/pid.h
===================================================================
--- linux-2.6.35.y.orig/include/linux/pid.h
+++ linux-2.6.35.y/include/linux/pid.h
@@ -117,7 +117,7 @@ extern struct pid *find_vpid(int nr);
*/
extern struct pid *find_get_pid(int nr);
extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
-int next_pidmap(struct pid_namespace *pid_ns, int last);
+int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);

extern struct pid *alloc_pid(struct pid_namespace *ns);
extern void free_pid(struct pid *pid);
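
Review bot: the prototype now takes `unsigned int last` but still returns int with -1 as its only failure value, so a caller cannot tell an out-of-range `last` from an exhausted map, and a negative int passed by an existing caller silently becomes a large unsigned value. A one-line comment above the declaration stating that `last` must be below PID_MAX_LIMIT and what -1 means would document the new contract.
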
Index: linux-2.6.35.y/kernel/pid.c
===================================================================
--- linux-2.6.35.y.orig/kernel/pid.c
+++ linux-2.6.35.y/kernel/pid.c
@@ -183,11 +183,14 @@ static int alloc_pidmap(struct pid_names
return -1;
}

-int next_pidmap(struct pid_namespace *pid_ns, int last)
+int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
{
int offset;
struct pidmap *map, *end;

+ if (last >= PID_MAX_LIMIT)
+ return -1;
+
offset = (last + 1) & BITS_PER_PAGE_MASK;
map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
end = &pid_ns->pidmap[PIDMAP_ENTRIES];
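
Review bot: the changelog says "clamp" but the code rejects: `if (last >= PID_MAX_LIMIT) return -1;`. For the largest accepted value, last == PID_MAX_LIMIT - 1, `(last + 1)/BITS_PER_PAGE` can still produce a `map` equal to `end`, so correctness rests on the loop comparing map against end before dereferencing, which is outside this hunk. A short comment above the new check saying that only the pointer arithmetic is being bounded here would keep the two checks from being merged or dropped later.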

2011-04-26 21:25:17

by Andi Kleen

Subject: [PATCH] [73/106] proc: do proper range check on readdir offset

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Linus Torvalds <[email protected]>

commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream.

Rather than pass in some random truncated offset to the pid-related
functions, check that the offset is in range up-front.

This is just cleanup, the previous commit fixed the real problem.

Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/proc/base.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/fs/proc/base.c
===================================================================
--- linux-2.6.35.y.orig/fs/proc/base.c
+++ linux-2.6.35.y/fs/proc/base.c
@@ -2867,11 +2867,16 @@ static int proc_pid_fill_cache(struct fi
/* for the /proc/ directory itself, after non-process stuff has been done */
int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
{
- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ unsigned int nr;
+ struct task_struct *reaper;
struct tgid_iter iter;
struct pid_namespace *ns;

+ if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
+ goto out_no_task;
+ nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+
+ reaper = get_proc_task(filp->f_path.dentry->d_inode);
if (!reaper)
goto out_no_task;
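
Review bot: the new upper bound is written in terms of TGID_OFFSET while the subtraction that follows uses FIRST_PROCESS_ENTRY, and the hunk does not show how the two relate, so it is not evident from here that `nr` ends up below PID_MAX_LIMIT. There is also no lower bound: unless the caller guarantees otherwise, an f_pos below FIRST_PROCESS_ENTRY still wraps `nr` to a large unsigned value. Using one constant for both, or a comment tying them together, would make the range check self-evident.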

2011-04-26 21:26:22

by Andi Kleen

Subject: [PATCH] [70/106] USB: option: Add new ONDA vendor id and product id for ONDA MT825UP

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Enrico Mioso <[email protected]>

commit c6991b6fd2b4201174dc4620d0c8c4f5ff27b36f upstream.

This patch adds to the option driver the Onda Communication
(http://www.ondacommunication.com) vendor id, and the MT825UP modem
device id.

Note that many variants of this same device are being released here in
Italy (at least one or two per telephony operator).

These devices are perfectly equivalent except for some predefined
settings (which can be changed of course).

It should be noted that most ONDA devices are already supported (they
used other vendor's ids in the past). The patch seems to be working fine here,
and the rest of the driver seems uninfluenced.

Signed-off-by: Enrico Mioso <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/serial/option.c | 7 +++++++
1 file changed, 7 insertions(+)

Index: linux-2.6.35.y/drivers/usb/serial/option.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/option.c
+++ linux-2.6.35.y/drivers/usb/serial/option.c
@@ -381,6 +381,12 @@ static void option_instat_callback(struc
#define CELOT_VENDOR_ID 0x211f
#define CELOT_PRODUCT_CT680M 0x6801

+/* ONDA Communication vendor id */
+#define ONDA_VENDOR_ID 0x1ee8
+
+/* ONDA MT825UP HSDPA 14.2 modem */
+#define ONDA_MT825UP 0x000b
+
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
OPTION_BLACKLIST_NONE = 0,
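
Review bot: `ONDA_MT825UP` does not follow the VENDOR_PRODUCT_MODEL naming of the define directly above it (`CELOT_PRODUCT_CT680M`); `ONDA_PRODUCT_MT825UP` would match and make it clear at the USB_DEVICE() call site that the second argument is a product id.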
@@ -934,6 +940,7 @@ static const struct usb_device_id option

{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100) },
{ USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
+ { USB_DEVICE(ONDA_VENDOR_ID, ONDA_MT825UP) }, /* ONDA MT825UP modem */
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);

2011-04-26 21:26:37

by Andi Kleen

Subject: [PATCH] [68/106] USB: ftdi_sio: add PID for OCT DK201 docking station

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Johan Hovold <[email protected]>

commit 11a31d84129dc3133417d626643d714c9df5317e upstream.

Add PID 0x0103 for serial port of the OCT DK201 docking station.

Reported-by: Jan Hoogenraad <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 1 +
2 files changed, 2 insertions(+)

Index: linux-2.6.35.y/drivers/usb/serial/ftdi_sio.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/ftdi_sio.c
+++ linux-2.6.35.y/drivers/usb/serial/ftdi_sio.c
@@ -526,6 +526,7 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(SEALEVEL_VID, SEALEVEL_2803_8_PID) },
{ USB_DEVICE(IDTECH_VID, IDTECH_IDT1221U_PID) },
{ USB_DEVICE(OCT_VID, OCT_US101_PID) },
+ { USB_DEVICE(OCT_VID, OCT_DK201_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_HE_TIRA1_PID),
.driver_info = (kernel_ulong_t)&ftdi_HE_TIRA1_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_USB_UIRT_PID),
Index: linux-2.6.35.y/drivers/usb/serial/ftdi_sio_ids.h
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/ftdi_sio_ids.h
+++ linux-2.6.35.y/drivers/usb/serial/ftdi_sio_ids.h
@@ -572,6 +572,7 @@
/* Note: OCT US101 is also rebadged as Dick Smith Electronics (NZ) XH6381 */
/* Also rebadged as Dick Smith Electronics (Aus) XH6451 */
/* Also rebadged as SIIG Inc. model US2308 hardware version 1 */
+#define OCT_DK201_PID 0x0103 /* OCT DK201 USB docking station */
#define OCT_US101_PID 0x0421 /* OCT US101 USB to RS-232 */

/*
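
Review bot: the new `OCT_DK201_PID` define is inserted between the "OCT US101 is also rebadged as ..." comments and the `OCT_US101_PID` define they describe, so the rebadging notes now read as if they apply to the DK201. Placing the new line after `OCT_US101_PID`, or above the comment block, keeps the comments attached to the right id.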

2011-04-26 21:26:49

by Andi Kleen

Subject: [PATCH] [67/106] USB: ftdi_sio: Added IDs for CTI USB Serial Devices

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Christian Simon <[email protected]>

commit 5a9443f08c83c294c5c806a689c1184b27cb26b3 upstream.

I added new ProductIds for two devices from CTI GmbH Leipzig.

Signed-off-by: Christian Simon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 9 +++++++++
2 files changed, 11 insertions(+)

Index: linux-2.6.35.y/drivers/usb/serial/ftdi_sio.c
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/ftdi_sio.c
+++ linux-2.6.35.y/drivers/usb/serial/ftdi_sio.c
@@ -150,6 +150,8 @@ static struct ftdi_sio_quirk ftdi_stmcli
* /sys/bus/usb/ftdi_sio/new_id, then send patch/report!
*/
static struct usb_device_id id_table_combined [] = {
+ { USB_DEVICE(FTDI_VID, FTDI_CTI_MINI_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_CTI_NANO_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_AMC232_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CANUSB_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CANDAPTER_PID) },
Index: linux-2.6.35.y/drivers/usb/serial/ftdi_sio_ids.h
===================================================================
--- linux-2.6.35.y.orig/drivers/usb/serial/ftdi_sio_ids.h
+++ linux-2.6.35.y/drivers/usb/serial/ftdi_sio_ids.h
@@ -1140,3 +1140,12 @@
#define QIHARDWARE_VID 0x20B7
#define MILKYMISTONE_JTAGSERIAL_PID 0x0713

+/*
+ * CTI GmbH RS485 Converter http://www.cti-lean.com/
+ */
+/* USB-485-Mini*/
+#define FTDI_CTI_MINI_PID 0xF608
+/* USB-Nano-485*/
+#define FTDI_CTI_NANO_PID 0xF60B
+
+
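
Review bot: the block appended at the end of ftdi_sio_ids.h leaves two blank lines at end of file and the per-device comments lack a space before the closing marker (`/* USB-485-Mini*/`, `/* USB-Nano-485*/`). Trimming the trailing blank lines and folding each name into a trailing comment on its define, as the other entries in this header do, would match the surrounding style.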

2011-04-26 21:27:09

by Andi Kleen

Subject: [PATCH] [50/106] CAN: Use inode instead of kernel address for /proc file

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit 9f260e0efa4766e56d0ac14f1aeea6ee5eb8fe83 upstream.

Since the socket address is just being used as a unique identifier, its
inode number is an alternative that does not leak potentially sensitive
information.

CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.

Signed-off-by: Dan Rosenberg <[email protected]>
Acked-by: Oliver Hartkopp <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/can/bcm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/net/can/bcm.c
===================================================================
--- linux-2.6.35.y.orig/net/can/bcm.c
+++ linux-2.6.35.y/net/can/bcm.c
@@ -125,7 +125,7 @@ struct bcm_sock {
struct list_head tx_ops;
unsigned long dropped_usr_msgs;
struct proc_dir_entry *bcm_proc_read;
- char procname [20]; /* pointer printed in ASCII with \0 */
+ char procname [32]; /* inode number in decimal with \0 */
};

static inline struct bcm_sock *bcm_sk(const struct sock *sk)
@@ -1521,7 +1521,7 @@ static int bcm_connect(struct socket *so

if (proc_dir) {
/* unique socket address as filename */
- sprintf(bo->procname, "%p", sock);
+ sprintf(bo->procname, "%lu", sock_i_ino(sk));
bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
proc_dir,
&bcm_proc_fops, sk);
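
Review bot: the comment above the changed line still says "unique socket address as filename" although the name is now the inode number from sock_i_ino(sk); it should be updated so nobody restores the pointer format. Since procname is a fixed `char [32]`, `snprintf(bo->procname, sizeof(bo->procname), "%lu", ...)` would also tie the write to the buffer size instead of relying on the width of unsigned long.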

2011-04-26 21:27:11

by Andi Kleen

Subject: [PATCH] [59/106] mca.c: Fix cast from integer to pointer warning

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jeff Mahoney <[email protected]>

commit c1d036c4d1cb00b7e8473a2ad0a78f13e13a8183 upstream.

ia64_mca_cpu_init has a void *data local variable that is assigned
the value from either __get_free_pages() or mca_bootmem(). The problem
is that __get_free_pages returns an unsigned long and mca_bootmem, via
alloc_bootmem(), returns a void *. format_mca_init_stack takes the void *,
and it's also used with __pa(), but that casts it to long anyway.

This results in the following build warning:

arch/ia64/kernel/mca.c:1898: warning: assignment makes pointer from
integer without a cast

Cast the return of __get_free_pages to a void * to avoid
the warning.

Signed-off-by: Jeff Mahoney <[email protected]>
Signed-off-by: Tony Luck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
arch/ia64/kernel/mca.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/arch/ia64/kernel/mca.c
===================================================================
--- linux-2.6.35.y.orig/arch/ia64/kernel/mca.c
+++ linux-2.6.35.y/arch/ia64/kernel/mca.c
@@ -1859,7 +1859,8 @@ ia64_mca_cpu_init(void *cpu_data)
data = mca_bootmem();
first_time = 0;
} else
- data = __get_free_pages(GFP_KERNEL, get_order(sz));
+ data = (void *)__get_free_pages(GFP_KERNEL,
+ get_order(sz));
if (!data)
panic("Could not allocate MCA memory for cpu %d\n",
cpu);

2011-04-26 21:27:05

by Andi Kleen

Subject: [PATCH] [66/106] x86, amd: Disable GartTlbWlkErr when BIOS forgets it

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Joerg Roedel <[email protected]>

commit 5bbc097d890409d8eff4e3f1d26f11a9d6b7c07e upstream.

This patch disables GartTlbWlk errors on AMD Fam10h CPUs if
the BIOS forgets to do it (or is just too old). Letting
these errors enabled can cause a sync-flood on the CPU
causing a reboot.

The AMD BKDG recommends disabling GART TLB Wlk Error completely.

This patch is the fix for

https://bugzilla.kernel.org/show_bug.cgi?id=33012

on my machine.

Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Tested-by: Alexandre Demers <[email protected]>
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/include/asm/msr-index.h | 4 ++++
arch/x86/kernel/cpu/amd.c | 19 +++++++++++++++++++
2 files changed, 23 insertions(+)

Index: linux-2.6.35.y/arch/x86/include/asm/msr-index.h
===================================================================
--- linux-2.6.35.y.orig/arch/x86/include/asm/msr-index.h
+++ linux-2.6.35.y/arch/x86/include/asm/msr-index.h
@@ -85,11 +85,15 @@
#define MSR_IA32_MC0_ADDR 0x00000402
#define MSR_IA32_MC0_MISC 0x00000403

+#define MSR_AMD64_MC0_MASK 0xc0010044
+
#define MSR_IA32_MCx_CTL(x) (MSR_IA32_MC0_CTL + 4*(x))
#define MSR_IA32_MCx_STATUS(x) (MSR_IA32_MC0_STATUS + 4*(x))
#define MSR_IA32_MCx_ADDR(x) (MSR_IA32_MC0_ADDR + 4*(x))
#define MSR_IA32_MCx_MISC(x) (MSR_IA32_MC0_MISC + 4*(x))

+#define MSR_AMD64_MCx_MASK(x) (MSR_AMD64_MC0_MASK + (x))
+
/* These are consecutive and not in the normal 4er MCE bank block */
#define MSR_IA32_MC0_CTL2 0x00000280
#define MSR_IA32_MCx_CTL2(x) (MSR_IA32_MC0_CTL2 + (x))
Index: linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/cpu/amd.c
+++ linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
@@ -568,6 +568,25 @@ static void __cpuinit init_amd(struct cp
/* As a rule processors have APIC timer running in deep C states */
if (c->x86 >= 0xf && !cpu_has_amd_erratum(amd_erratum_400))
set_cpu_cap(c, X86_FEATURE_ARAT);
+
+ /*
+ * Disable GART TLB Walk Errors on Fam10h. We do this here
+ * because this is always needed when GART is enabled, even in a
+ * kernel which has no MCE support built in.
+ */
+ if (c->x86 == 0x10) {
+ /*
+ * BIOS should disable GartTlbWlk Errors themself. If
+ * it doesn't do it here as suggested by the BKDG.
+ *
+ * Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=33012
+ */
+ u64 mask;
+
+ rdmsrl(MSR_AMD64_MCx_MASK(4), mask);
+ mask |= (1 << 10);
+ wrmsrl(MSR_AMD64_MCx_MASK(4), mask);
+ }
}

#ifdef CONFIG_X86_32
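
Review bot: in the Fam10h block, bank 4 and bit 10 appear as bare numbers in `MSR_AMD64_MCx_MASK(4)` and `mask |= (1 << 10)`; named constants, or a trailing comment identifying bit 10 as the GartTlbWlkErr mask bit, would let a reader check them against the BKDG. The constant is an int ORed into a u64, which is harmless for bit 10, but `1ULL << 10` would match the variable's type. The comment sentence "If it doesn't do it here" also needs a comma after "doesn't".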

2011-04-26 21:27:07

by Andi Kleen

Subject: [PATCH] [65/106] x86, AMD: Set ARAT feature on AMD processors

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Boris Ostrovsky <[email protected]>

commit b87cf80af3ba4b4c008b4face3c68d604e1715c6 upstream.

Support for Always Running APIC timer (ARAT) was introduced in
commit db954b5898dd3ef3ef93f4144158ea8f97deb058. This feature
allows us to avoid switching timers from LAPIC to something else
(e.g. HPET) and go into timer broadcasts when entering deep
C-states.

AMD processors don't provide a CPUID bit for that feature but
they also keep APIC timers running in deep C-states (except for
cases when the processor is affected by erratum 400). Therefore
we should set ARAT feature bit on AMD CPUs.

Tested-by: Borislav Petkov <[email protected]>
Acked-by: Andreas Herrmann <[email protected]>
Acked-by: Mark Langsdorf <[email protected]>
Acked-by: Thomas Gleixner <[email protected]>
Signed-off-by: Boris Ostrovsky <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
LKML-Reference: <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/cpu/amd.c | 4 ++++
1 file changed, 4 insertions(+)

Index: linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/cpu/amd.c
+++ linux-2.6.35.y/arch/x86/kernel/cpu/amd.c
@@ -564,6 +564,10 @@ static void __cpuinit init_amd(struct cp
}
}
#endif
+
+ /* As a rule processors have APIC timer running in deep C states */
+ if (c->x86 >= 0xf && !cpu_has_amd_erratum(amd_erratum_400))
+ set_cpu_cap(c, X86_FEATURE_ARAT);
}

#ifdef CONFIG_X86_32

2011-04-26 21:28:22

by Andi Kleen

Subject: [PATCH] [49/106] irda: prevent integer underflow in IRLMP_ENUMDEVICES

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
net/irda/af_irda.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)

Index: linux-2.6.35.y/net/irda/af_irda.c
===================================================================
--- linux-2.6.35.y.orig/net/irda/af_irda.c
+++ linux-2.6.35.y/net/irda/af_irda.c
@@ -2278,6 +2278,14 @@ static int __irda_getsockopt(struct sock

switch (optname) {
case IRLMP_ENUMDEVICES:
+
+ /* Offset to first device entry */
+ offset = sizeof(struct irda_device_list) -
+ sizeof(struct irda_device_info);
+
+ if (len < offset)
+ return -EINVAL;
+
/* Ask lmp for the current discovery log */
discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
self->nslots);
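
Review bot: the new `if (len < offset) return -EINVAL;` returns directly, while the rest of this case reports failure through `err` (see `err = -EFAULT` in the next hunk); please confirm nothing acquired earlier in __irda_getsockopt() needs releasing on this path. The declarations of len and offset are not visible here, so it is also worth confirming the comparison is not a signed/unsigned mix that lets a negative len through.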
@@ -2287,15 +2295,9 @@ static int __irda_getsockopt(struct sock
err = 0;

/* Write total list length back to client */
- if (copy_to_user(optval, &list,
- sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info)))
+ if (copy_to_user(optval, &list, offset))
err = -EFAULT;

- /* Offset to first device entry */
- offset = sizeof(struct irda_device_list) -
- sizeof(struct irda_device_info);
-
/* Copy the list itself - watch for overflow */
if(list.len > 2048)
{

2011-04-26 21:28:38

by Andi Kleen

Subject: [PATCH] [51/106] net: fix rds_iovec page count overflow

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Linus Torvalds <[email protected]>

commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.

As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate
error code.

Reported-by: Thomas Pollet <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Andy Grover <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
[v2: nr is unsigned in the old code]
Signed-off-by: Stefan Bader <[email protected]>
Acked-by: Tim Gardner <[email protected]>
Acked-by: Brad Figg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/rds/rdma.c | 11 +++++++++++
1 file changed, 11 insertions(+)

Index: linux-2.6.35.y/net/rds/rdma.c
===================================================================
--- linux-2.6.35.y.orig/net/rds/rdma.c
+++ linux-2.6.35.y/net/rds/rdma.c
@@ -500,6 +500,17 @@ static struct rds_rdma_op *rds_rdma_prep

max_pages = max(nr, max_pages);
nr_pages += nr;
+
+ /*
+ * nr for one entry in limited to (UINT_MAX>>PAGE_SHIFT)+1
+ * so nr_pages cannot overflow without becoming bigger than
+ * INT_MAX first. If nr cannot overflow then max_pages should
+ * be ok.
+ */
+ if (nr_pages > INT_MAX) {
+ ret = -EINVAL;
+ goto out;
+ }
}

pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);
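
Review bot: the `nr_pages > INT_MAX` test can only be true if nr_pages has an unsigned type, and its declaration is outside this hunk; if it is a signed int the check is dead code and the overflow it is meant to catch has already happened at `nr_pages += nr`. Please confirm the type (the v2 remark in the changelog says nr is unsigned but says nothing about nr_pages), and fix the comment typo "in limited" to "is limited".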

2011-04-26 21:29:08

by Andi Kleen

Subject: [PATCH] [60/106] ramfs: fix memleak on no-mmu arch

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Bob Liu <[email protected]>

commit b836aec53e2bce71de1d5415313380688c851477 upstream.

On no-mmu arch, there is a memleak during shmem test. The cause of this
memleak is that ramfs_nommu_expand_for_mapping() raised the page refcount
to 2, which means iput() can't free those pages.

The simple test file is like this:

#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>

int main(void)
{
    int i;
    key_t k = ftok("/etc", 42);

    /* create and immediately remove the same segment 100 times */
    for (i = 0; i < 100; ++i) {
        int id = shmget(k, 10000, 0644 | IPC_CREAT);
        if (id == -1) {
            printf("shmget error\n");
        }
        if (shmctl(id, IPC_RMID, NULL) == -1) {
            printf("shm rm error\n");
            return -1;
        }
    }
    printf("run ok...\n");
    return 0;
}

And the result:

root:/> free
total used free shared buffers
Mem: 60320 17912 42408 0 0
-/+ buffers: 17912 42408
root:/> shmem
run ok...
root:/> free
total used free shared buffers
Mem: 60320 19096 41224 0 0
-/+ buffers: 19096 41224
root:/> shmem
run ok...
root:/> free
total used free shared buffers
Mem: 60320 20296 40024 0 0
-/+ buffers: 20296 40024
...

After this patch the test result is (no memleak anymore):

root:/> free
total used free shared buffers
Mem: 60320 16668 43652 0 0
-/+ buffers: 16668 43652
root:/> shmem
run ok...
root:/> free
total used free shared buffers
Mem: 60320 16668 43652 0 0
-/+ buffers: 16668 43652

Signed-off-by: Bob Liu <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ramfs/file-nommu.c | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/fs/ramfs/file-nommu.c
===================================================================
--- linux-2.6.35.y.orig/fs/ramfs/file-nommu.c
+++ linux-2.6.35.y/fs/ramfs/file-nommu.c
@@ -112,6 +112,7 @@ int ramfs_nommu_expand_for_mapping(struc
SetPageDirty(page);

unlock_page(page);
+ put_page(page);
}

return 0;
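
Review bot: the added put_page() after unlock_page() has no comment saying which reference it drops. Since the changelog attributes the leak to the refcount sitting at 2, a one-line comment naming the reference released here and the one that remains would make the get/put pairing checkable from the code alone.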

2011-04-26 21:14:25

by Andi Kleen

Subject: [PATCH] [47/106] net: tipc: fix information leak to userland

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Kulikov Vasiliy <[email protected]>

commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream.

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" uninitialized. It leads to leaking of
contents of kernel stack memory. We have to initialize them to zero.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/tipc/socket.c | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/net/tipc/socket.c
===================================================================
--- linux-2.6.35.y.orig/net/tipc/socket.c
+++ linux-2.6.35.y/net/tipc/socket.c
@@ -395,6 +395,7 @@ static int get_name(struct socket *sock,
struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
struct tipc_sock *tsock = tipc_sk(sock->sk);

+ memset(addr, 0, sizeof(*addr));
if (peer) {
if ((sock->state != SS_CONNECTED) &&
((peer != 2) || (sock->state != SS_DISCONNECTING)))
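
Review bot: the memset() zeroes the whole sockaddr_tipc before the state check that follows, which is what closes the padding leak, but nothing in the code says why it is there. A short comment (padding after the id member of the name union is copied to userland) would stop it from being removed later as redundant initialisation.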

2011-04-26 21:29:34

by Andi Kleen

Subject: [PATCH] [56/106] NET: cdc-phonet, handle empty phonet header

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jiri Slaby <[email protected]>

commit 468c3f924f043cad7a04f4f4d5224a2c9bc886c1 upstream.

Currently, for N 5800 XM I get:
cdc_phonet: probe of 1-6:1.10 failed with error -22

It's because phonet_header is empty. Extra altsetting looks like
there:
E 05 24 00 01 10 03 24 ab 05 24 06 0a 0b 04 24 fd .$....$..$....$.
E 00 .

I don't see the header used anywhere so just check if the phonet
descriptor is there, not the structure itself.

Signed-off-by: Jiri Slaby <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Rémi Denis-Courmont <[email protected]>
Cc: David S. Miller <[email protected]>
Acked-by: Rémi Denis-Courmont <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/usb/cdc-phonet.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

Index: linux-2.6.35.y/drivers/net/usb/cdc-phonet.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/usb/cdc-phonet.c
+++ linux-2.6.35.y/drivers/net/usb/cdc-phonet.c
@@ -326,13 +326,13 @@ int usbpn_probe(struct usb_interface *in
{
static const char ifname[] = "usbpn%d";
const struct usb_cdc_union_desc *union_header = NULL;
- const struct usb_cdc_header_desc *phonet_header = NULL;
const struct usb_host_interface *data_desc;
struct usb_interface *data_intf;
struct usb_device *usbdev = interface_to_usbdev(intf);
struct net_device *dev;
struct usbpn_dev *pnd;
u8 *data;
+ int phonet = 0;
int len, err;

data = intf->altsetting->extra;
@@ -353,10 +353,7 @@ int usbpn_probe(struct usb_interface *in
(struct usb_cdc_union_desc *)data;
break;
case 0xAB:
- if (phonet_header || dlen < 5)
- break;
- phonet_header =
- (struct usb_cdc_header_desc *)data;
+ phonet = 1;
break;
}
}
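
Review bot: in the `case 0xAB:` arm the `dlen < 5` test is dropped along with the pointer, so a descriptor of this subtype now counts however short it is. That matches the changelog (the header contents are unused), but a comment saying presence alone is sufficient would record the intent. `phonet` is only a flag and could be a bool, and 0xAB would read better as a named constant.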
@@ -364,7 +361,7 @@ int usbpn_probe(struct usb_interface *in
len -= dlen;
}

- if (!union_header || !phonet_header)
+ if (!union_header || !phonet)
return -EINVAL;

data_intf = usb_ifnum_to_if(usbdev, union_header->bSlaveInterface0);

2011-04-26 21:29:32

by Andi Kleen

Subject: [PATCH] [57/106] x86: Fix a bogus unwind annotation in lib/semaphore_32.S

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jan Beulich <[email protected]>

commit e938c287ea8d977e079f07464ac69923412663ce upstream.

'simple' would have required specifying current frame address
and return address location manually, but that's obviously not
the case (and not necessary) here.

Signed-off-by: Jan Beulich <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
LKML-Reference: <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/lib/semaphore_32.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/arch/x86/lib/semaphore_32.S
===================================================================
--- linux-2.6.35.y.orig/arch/x86/lib/semaphore_32.S
+++ linux-2.6.35.y/arch/x86/lib/semaphore_32.S
@@ -36,7 +36,7 @@
*/
#ifdef CONFIG_SMP
ENTRY(__write_lock_failed)
- CFI_STARTPROC simple
+ CFI_STARTPROC
FRAME
2: LOCK_PREFIX
addl $ RW_LOCK_BIAS,(%eax)

2011-04-26 21:30:30

by Andi Kleen

Subject: [PATCH] [55/106] UBIFS: restrict world-writable debugfs files

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 8c559d30b4e59cf6994215ada1fe744928f494bf upstream.

Don't allow everybody to dump sensitive information about filesystems.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ubifs/debug.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/fs/ubifs/debug.c
===================================================================
--- linux-2.6.35.y.orig/fs/ubifs/debug.c
+++ linux-2.6.35.y/fs/ubifs/debug.c
@@ -2687,19 +2687,19 @@ int dbg_debugfs_init_fs(struct ubifs_inf
}

fname = "dump_lprops";
- dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
+ dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
if (IS_ERR(dent))
goto out_remove;
d->dfs_dump_lprops = dent;

fname = "dump_budg";
- dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
+ dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
if (IS_ERR(dent))
goto out_remove;
d->dfs_dump_budg = dent;

fname = "dump_tnc";
- dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
+ dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
if (IS_ERR(dent))
goto out_remove;
d->dfs_dump_tnc = dent;
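
Review bot: the same mode literal is now repeated in all three debugfs_create_file() calls (dump_lprops, dump_budg, dump_tnc). A single named constant, or a small helper taking fname, would keep the permission in one place so a later addition cannot reintroduce a wider mode such as the S_IWUGO removed here.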

2011-04-26 21:14:22

by Andi Kleen

Subject: [PATCH] [44/106] atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Philip A. Prindeville <[email protected]>

commit 18b429e74eeafe42e947b1b0f9a760c7153a0b5c upstream.

Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
we can pull this up because the frame has already been sent, and
dumping it is the last thing we do with it before freeing it.

Also include the size, vpi, and vci in the debug as is done on
receive.

Use "port" consistently instead of "device" intermittently.

Signed-off-by: Philip Prindeville <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/atm/solos-pci.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/atm/solos-pci.c
===================================================================
--- linux-2.6.35.y.orig/drivers/atm/solos-pci.c
+++ linux-2.6.35.y/drivers/atm/solos-pci.c
@@ -695,7 +695,7 @@ void solos_bh(unsigned long card_arg)
size);
}
if (atmdebug) {
- dev_info(&card->dev->dev, "Received: device %d\n", port);
+ dev_info(&card->dev->dev, "Received: port %d\n", port);
dev_info(&card->dev->dev, "size: %d VPI: %d VCI: %d\n",
size, le16_to_cpu(header->vpi),
le16_to_cpu(header->vci));
@@ -1015,8 +1015,15 @@ static uint32_t fpga_tx(struct solos_car

/* Clean up and free oldskb now it's gone */
if (atmdebug) {
+ struct pkt_hdr *header = (void *)oldskb->data;
+ int size = le16_to_cpu(header->size);
+
+ skb_pull(oldskb, sizeof(*header));
dev_info(&card->dev->dev, "Transmitted: port %d\n",
port);
+ dev_info(&card->dev->dev, "size: %d VPI: %d VCI: %d\n",
+ size, le16_to_cpu(header->vpi),
+ le16_to_cpu(header->vci));
print_buffer(oldskb);
}
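
Review bot: in the atmdebug branch of fpga_tx(), header->size, header->vpi and header->vci are read and skb_pull(oldskb, sizeof(*header)) is called with no check that oldskb->len is at least sizeof(*header), and the skb_pull() return value is ignored. The frames come from the driver's own transmit path, so this is probably always true, but a guard such as if (oldskb->len >= sizeof(*header)) around the new lines keeps the debug path from reading past a short buffer. header stays usable after the pull only because skb_pull() advances data without moving the buffer; a one-line comment saying so would help.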

2011-04-26 21:30:48

by Andi Kleen

Subject: [PATCH] [54/106] video: sn9c102: world-writable sysfs files

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 14ddc3188d50855ae2a419a6aced995e2834e5d4 upstream.

Don't allow everybody to change video settings.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Mauro Carvalho Chehab <[email protected]>
Acked-by: Luca Risolia <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/media/video/sn9c102/sn9c102_core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/drivers/media/video/sn9c102/sn9c102_core.c
===================================================================
--- linux-2.6.35.y.orig/drivers/media/video/sn9c102/sn9c102_core.c
+++ linux-2.6.35.y/drivers/media/video/sn9c102/sn9c102_core.c
@@ -1430,9 +1430,9 @@ static DEVICE_ATTR(i2c_reg, S_IRUGO | S_
sn9c102_show_i2c_reg, sn9c102_store_i2c_reg);
static DEVICE_ATTR(i2c_val, S_IRUGO | S_IWUSR,
sn9c102_show_i2c_val, sn9c102_store_i2c_val);
-static DEVICE_ATTR(green, S_IWUGO, NULL, sn9c102_store_green);
-static DEVICE_ATTR(blue, S_IWUGO, NULL, sn9c102_store_blue);
-static DEVICE_ATTR(red, S_IWUGO, NULL, sn9c102_store_red);
+static DEVICE_ATTR(green, S_IWUSR, NULL, sn9c102_store_green);
+static DEVICE_ATTR(blue, S_IWUSR, NULL, sn9c102_store_blue);
+static DEVICE_ATTR(red, S_IWUSR, NULL, sn9c102_store_red);
static DEVICE_ATTR(frame_header, S_IRUGO, sn9c102_show_frame_header, NULL);
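
Review bot: the changelog for the green, blue and red attributes does not mention the user-visible effect: any non-root tool that wrote these files will now be refused. For a longterm backport that behaviour change is worth one sentence in the commit message. The new S_IWUSR mode matches the write bit already used by i2c_reg and i2c_val just above, which is a useful consistency check.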

2011-04-26 21:31:12

by Andi Kleen

Subject: [PATCH] [34/106] mfd: ab3100: world-writable debugfs *_priv files

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit f8a0697722d12a201588225999cfc8bfcbc82781 upstream.

Don't allow everybody to change device hardware registers.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Linus Walleij <[email protected]>
Signed-off-by: Samuel Ortiz <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/mfd/ab3100-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/drivers/mfd/ab3100-core.c
===================================================================
--- linux-2.6.35.y.orig/drivers/mfd/ab3100-core.c
+++ linux-2.6.35.y/drivers/mfd/ab3100-core.c
@@ -611,7 +611,7 @@ static void ab3100_setup_debugfs(struct
ab3100_get_priv.ab3100 = ab3100;
ab3100_get_priv.mode = false;
ab3100_get_reg_file = debugfs_create_file("get_reg",
- S_IWUGO, ab3100_dir, &ab3100_get_priv,
+ S_IWUSR, ab3100_dir, &ab3100_get_priv,
&ab3100_get_set_reg_fops);
if (!ab3100_get_reg_file) {
err = -ENOMEM;
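
Review bot: get_reg is created with S_IWUSR only, so a file whose name suggests a read is write-only, and nothing near the debugfs_create_file() call says why. If the register address is written here and the value is reported some other way, a short comment next to ab3100_get_priv.mode = false would make that clear and stop someone from adding read bits later.
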
@@ -621,7 +621,7 @@ static void ab3100_setup_debugfs(struct
ab3100_set_priv.ab3100 = ab3100;
ab3100_set_priv.mode = true;
ab3100_set_reg_file = debugfs_create_file("set_reg",
- S_IWUGO, ab3100_dir, &ab3100_set_priv,
+ S_IWUSR, ab3100_dir, &ab3100_set_priv,
&ab3100_get_set_reg_fops);
if (!ab3100_set_reg_file) {
err = -ENOMEM;

2011-04-26 21:31:34

by Andi Kleen

Subject: [PATCH] [48/106] inet_diag: Make sure we actually run the same bytecode we audited.

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Nelson Elhage <[email protected]>

commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 upstream.

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.

Fix this by consistently using nlmsg_find_attr everywhere.

[AK: Add const to nlmsg_find_attr to fix new warning]

Signed-off-by: Nelson Elhage <[email protected]>
Signed-off-by: Thomas Graf <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
[jmm: Slightly adapted to apply against 2.6.32]
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
net/ipv4/inet_diag.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)

Index: linux-2.6.35.y/net/ipv4/inet_diag.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv4/inet_diag.c
+++ linux-2.6.35.y/net/ipv4/inet_diag.c
@@ -490,9 +490,11 @@ static int inet_csk_diag_dump(struct soc
{
struct inet_diag_req *r = NLMSG_DATA(cb->nlh);

- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
struct inet_diag_entry entry;
- struct rtattr *bc = (struct rtattr *)(r + 1);
+ const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
+ sizeof(*r),
+ INET_DIAG_REQ_BYTECODE);
struct inet_sock *inet = inet_sk(sk);

entry.family = sk->sk_family;
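
Review bot: nlmsg_find_attr() returns NULL when the message carries attributes but none of type INET_DIAG_REQ_BYTECODE, and the guard here, nlmsg_attrlen(cb->nlh, sizeof(*r)), only says that some attribute is present. The later inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry) call in this function would then dereference NULL. This is safe only if the audit path, which is not part of this diff, rejects such messages first; either add an explicit if (bc == NULL) check here or a comment naming the audit as the invariant.
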
@@ -512,7 +514,7 @@ static int inet_csk_diag_dump(struct soc
entry.dport = ntohs(inet->inet_dport);
entry.userlocks = sk->sk_userlocks;

- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
+ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
return 0;
}

@@ -527,9 +529,11 @@ static int inet_twsk_diag_dump(struct in
{
struct inet_diag_req *r = NLMSG_DATA(cb->nlh);

- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
struct inet_diag_entry entry;
- struct rtattr *bc = (struct rtattr *)(r + 1);
+ const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
+ sizeof(*r),
+ INET_DIAG_REQ_BYTECODE);

entry.family = tw->tw_family;
#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
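
Review bot: this is the same nlmsg_attrlen() plus nlmsg_find_attr(cb->nlh, sizeof(*r), INET_DIAG_REQ_BYTECODE) sequence as in inet_csk_diag_dump(), and it appears a third time in inet_diag_dump_reqs(). The bug being fixed came from the audit and run paths locating the bytecode differently, so a single small helper that returns the bytecode attribute would keep every caller on one lookup.
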
@@ -548,7 +552,7 @@ static int inet_twsk_diag_dump(struct in
entry.dport = ntohs(tw->tw_dport);
entry.userlocks = 0;

- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
+ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
return 0;
}

@@ -618,7 +622,7 @@ static int inet_diag_dump_reqs(struct sk
struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
struct inet_connection_sock *icsk = inet_csk(sk);
struct listen_sock *lopt;
- struct rtattr *bc = NULL;
+ const struct nlattr *bc = NULL;
struct inet_sock *inet = inet_sk(sk);
int j, s_j;
int reqnum, s_reqnum;
@@ -638,8 +642,9 @@ static int inet_diag_dump_reqs(struct sk
if (!lopt || !lopt->qlen)
goto out;

- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
- bc = (struct rtattr *)(r + 1);
+ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
+ INET_DIAG_REQ_BYTECODE);
entry.sport = inet->inet_num;
entry.userlocks = sk->sk_userlocks;
}
@@ -672,8 +677,8 @@ static int inet_diag_dump_reqs(struct sk
&ireq->rmt_addr;
entry.dport = ntohs(ireq->rmt_port);

- if (!inet_diag_bc_run(RTA_DATA(bc),
- RTA_PAYLOAD(bc), &entry))
+ if (!inet_diag_bc_run(nla_data(bc),
+ nla_len(bc), &entry))
continue;
}

Index: linux-2.6.35.y/include/net/netlink.h
===================================================================
--- linux-2.6.35.y.orig/include/net/netlink.h
+++ linux-2.6.35.y/include/net/netlink.h
@@ -384,7 +384,7 @@ static inline int nlmsg_parse(const stru
*
* Returns the first attribute which matches the specified type.
*/
-static inline struct nlattr *nlmsg_find_attr(struct nlmsghdr *nlh,
+static inline struct nlattr *nlmsg_find_attr(const struct nlmsghdr *nlh,
int hdrlen, int attrtype)
{
return nla_find(nlmsg_attrdata(nlh, hdrlen),

2011-04-26 21:31:36

by Andi Kleen

Subject: [PATCH] [42/106] x86, microcode, AMD: Extend ucode size verification

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <[email protected]>

Upstream commit: 44d60c0f5c58c2168f31df9a481761451840eb54

The different families have a different max size for the ucode patch,
adjust size checking to the family we're running on. Also, do not
vzalloc the max size of the ucode but only the actual size that is
passed on from the firmware loader.

Cc: <[email protected]>
Signed-off-by: Borislav Petkov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
arch/x86/kernel/microcode_amd.c | 63 +++++++++++++++++++++++++++-------------
1 file changed, 44 insertions(+), 19 deletions(-)

Index: linux-2.6.35.y/arch/x86/kernel/microcode_amd.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/microcode_amd.c
+++ linux-2.6.35.y/arch/x86/kernel/microcode_amd.c
@@ -66,7 +66,6 @@ struct microcode_amd {
unsigned int mpb[0];
};

-#define UCODE_MAX_SIZE 2048
#define UCODE_CONTAINER_SECTION_HDR 8
#define UCODE_CONTAINER_HEADER_SIZE 12

@@ -125,6 +124,37 @@ static int get_matching_microcode(int cp
return 1;
}

+static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
+{
+ struct cpuinfo_x86 *c = &cpu_data(cpu);
+ unsigned int max_size, actual_size;
+
+#define F1XH_MPB_MAX_SIZE 2048
+#define F14H_MPB_MAX_SIZE 1824
+#define F15H_MPB_MAX_SIZE 4096
+
+ switch (c->x86) {
+ case 0x14:
+ max_size = F14H_MPB_MAX_SIZE;
+ break;
+ case 0x15:
+ max_size = F15H_MPB_MAX_SIZE;
+ break;
+ default:
+ max_size = F1XH_MPB_MAX_SIZE;
+ break;
+ }
+
+ actual_size = buf[4] + (buf[5] << 8);
+
+ if (actual_size > size || actual_size > max_size) {
+ pr_err("section size mismatch\n");
+ return 0;
+ }
+
+ return actual_size;
+}
+
static int apply_microcode_amd(int cpu)
{
u32 rev, dummy;
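
Review bot: verify_ucode_size() compares actual_size against size, but the caller copies actual_size bytes starting at buf + UCODE_CONTAINER_SECTION_HDR, so the bound that matters is actual_size + UCODE_CONTAINER_SECTION_HDR <= size; as written (and as in the check it replaces) the copy can run up to 8 bytes past the end of the firmware buffer. The function also reads buf[4] and buf[5] without first checking that size covers the section header. Smaller point: the three *_MPB_MAX_SIZE defines sit inside the function body and would read better at file scope next to UCODE_CONTAINER_SECTION_HDR.
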
@@ -162,11 +192,11 @@ static int get_ucode_data(void *to, cons
}

static void *
-get_next_ucode(const u8 *buf, unsigned int size, unsigned int *mc_size)
+get_next_ucode(int cpu, const u8 *buf, unsigned int size, unsigned int *mc_size)
{
- unsigned int total_size;
+ unsigned int actual_size = 0;
u8 section_hdr[UCODE_CONTAINER_SECTION_HDR];
- void *mc;
+ void *mc = NULL;

if (get_ucode_data(section_hdr, buf, UCODE_CONTAINER_SECTION_HDR))
return NULL;
@@ -176,23 +206,18 @@ get_next_ucode(const u8 *buf, unsigned i
return NULL;
}

- total_size = (unsigned long) (section_hdr[4] + (section_hdr[5] << 8));
-
- if (total_size > size || total_size > UCODE_MAX_SIZE) {
- pr_err("error: size mismatch\n");
+ actual_size = verify_ucode_size(cpu, buf, size);
+ if (!actual_size)
return NULL;
- }

- mc = vmalloc(UCODE_MAX_SIZE);
- if (mc) {
- memset(mc, 0, UCODE_MAX_SIZE);
- if (get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR,
- total_size)) {
- vfree(mc);
- mc = NULL;
- } else
- *mc_size = total_size + UCODE_CONTAINER_SECTION_HDR;
- }
+ mc = vmalloc(actual_size);
+ if (!mc)
+ return NULL;
+
+ memset(mc, 0, actual_size);
+ get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR, actual_size);
+ *mc_size = actual_size + UCODE_CONTAINER_SECTION_HDR;
+
return mc;
}
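
Review bot: the return value of get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR, actual_size) is now dropped, where the removed code freed mc and returned NULL when it failed. Unless get_ucode_data() can no longer fail, keep the check and the vfree(mc) on the error path. The memset(mc, 0, actual_size) is also redundant now that the allocation is exactly actual_size and is fully overwritten by the copy.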

@@ -258,7 +283,7 @@ generic_load_microcode(int cpu, const u8
unsigned int uninitialized_var(mc_size);
struct microcode_header_amd *mc_header;

- mc = get_next_ucode(ucode_ptr, leftover, &mc_size);
+ mc = get_next_ucode(cpu, ucode_ptr, leftover, &mc_size);
if (!mc)
break;

2011-04-26 21:14:15

by Andi Kleen

Subject: [PATCH] [31/106] netfilter: arp_tables: fix infoleak to userspace

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.

Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace. Fields of these structs that are
zero-terminated strings are not checked. When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch; the second is
introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/ipv4/netfilter/arp_tables.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/net/ipv4/netfilter/arp_tables.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv4/netfilter/arp_tables.c
+++ linux-2.6.35.y/net/ipv4/netfilter/arp_tables.c
@@ -1081,6 +1081,7 @@ static int do_replace(struct net *net, c
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
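
Review bot: tmp.name[sizeof(tmp.name)-1] = 0 silently truncates a name that arrived without a terminator and then carries on with the request. That closes the leak, but rejecting the input, for example returning -EINVAL when strnlen(tmp.name, sizeof(tmp.name)) == sizeof(tmp.name), would surface malformed requests instead of acting on a shortened table name. The changelog also names ipt_replace and compat_ipt_replace while this file is arp_tables.c; worth confirming the description matches the structures touched here.
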
@@ -1502,6 +1503,7 @@ static int compat_do_replace(struct net
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;

newinfo = xt_alloc_table_info(tmp.size);
if (!newinfo)
@@ -1754,6 +1756,7 @@ static int do_arpt_get_ctl(struct sock *
ret = -EFAULT;
break;
}
+ rev.name[sizeof(rev.name)-1] = 0;

try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,
rev.revision, 1, &ret),

2011-04-26 21:32:09

by Andi Kleen

Subject: [PATCH] [32/106] netfilter: ipt_CLUSTERIP: fix buffer overflow

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.

'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Changli Gao <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.35.y/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -663,8 +663,11 @@ static ssize_t clusterip_proc_write(stru
char buffer[PROC_WRITELEN+1];
unsigned long nodenum;

- if (copy_from_user(buffer, input, PROC_WRITELEN))
+ if (size > PROC_WRITELEN)
+ return -EIO;
+ if (copy_from_user(buffer, input, size))
return -EFAULT;
+ buffer[size] = 0;

if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);
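
Review bot: the new length check returns -EIO for size > PROC_WRITELEN; -EINVAL is the more usual answer to an oversized write and would be easier for callers to interpret. The bounds themselves are right: buffer is PROC_WRITELEN+1 bytes, so buffer[size] = 0 stays in range for every accepted size, including a zero-length write, where *buffer is then the terminator.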

2011-04-26 21:32:06

by Andi Kleen

Subject: [PATCH] [38/106] sound/oss: remove offset from load_patch callbacks

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit b769f49463711205d57286e64cf535ed4daf59e9 upstream.

Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
uninitialized value, and signedness issue

The offset passed to midi_synth_load_patch() can be essentially
arbitrary. If it's greater than the header length, this will result in
a copy_from_user(dst, src, negative_val). While this will just return
-EFAULT on x86, on other architectures this may cause memory corruption.
Additionally, the length field of the sysex_info structure may not be
initialized prior to its use. Finally, a signed comparison may result
in an unintentionally large loop.

On suggestion by Takashi Iwai, version two removes the offset argument
from the load_patch callbacks entirely, which also resolves similar
issues in opl3. Compile tested only.

v3 adjusts comments and hopefully gets copy offsets right.

Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
sound/oss/dev_table.h | 2 +-
sound/oss/midi_synth.c | 30 +++++++++++++-----------------
sound/oss/midi_synth.h | 2 +-
sound/oss/opl3.c | 8 ++------
sound/oss/sequencer.c | 2 +-
5 files changed, 18 insertions(+), 26 deletions(-)

Index: linux-2.6.35.y/sound/oss/dev_table.h
===================================================================
--- linux-2.6.35.y.orig/sound/oss/dev_table.h
+++ linux-2.6.35.y/sound/oss/dev_table.h
@@ -271,7 +271,7 @@ struct synth_operations
void (*reset) (int dev);
void (*hw_control) (int dev, unsigned char *event);
int (*load_patch) (int dev, int format, const char __user *addr,
- int offs, int count, int pmgr_flag);
+ int count, int pmgr_flag);
void (*aftertouch) (int dev, int voice, int pressure);
void (*controller) (int dev, int voice, int ctrl_num, int value);
void (*panning) (int dev, int voice, int value);
Index: linux-2.6.35.y/sound/oss/midi_synth.c
===================================================================
--- linux-2.6.35.y.orig/sound/oss/midi_synth.c
+++ linux-2.6.35.y/sound/oss/midi_synth.c
@@ -476,7 +476,7 @@ EXPORT_SYMBOL(midi_synth_hw_control);

int
midi_synth_load_patch(int dev, int format, const char __user *addr,
- int offs, int count, int pmgr_flag)
+ int count, int pmgr_flag)
{
int orig_dev = synth_devs[dev]->midi_dev;

@@ -491,33 +491,29 @@ midi_synth_load_patch(int dev, int forma
if (!prefix_cmd(orig_dev, 0xf0))
return 0;

+ /* Invalid patch format */
if (format != SYSEX_PATCH)
- {
-/* printk("MIDI Error: Invalid patch format (key) 0x%x\n", format);*/
return -EINVAL;
- }
+
+ /* Patch header too short */
if (count < hdr_size)
- {
-/* printk("MIDI Error: Patch header too short\n");*/
return -EINVAL;
- }
+
count -= hdr_size;

/*
- * Copy the header from user space but ignore the first bytes which have
- * been transferred already.
+ * Copy the header from user space
*/

- if(copy_from_user(&((char *) &sysex)[offs], &(addr)[offs], hdr_size - offs))
+ if (copy_from_user(&sysex, addr, hdr_size))
return -EFAULT;
-
- if (count < sysex.len)
- {
-/* printk(KERN_WARNING "MIDI Warning: Sysex record too short (%d<%d)\n", count, (int) sysex.len);*/
+
+ /* Sysex record too short */
+ if ((unsigned)count < (unsigned)sysex.len)
sysex.len = count;
- }
- left = sysex.len;
- src_offs = 0;
+
+ left = sysex.len;
+ src_offs = 0;

for (i = 0; i < left && !signal_pending(current); i++)
{
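
Review bot: the casts in (unsigned)count < (unsigned)sysex.len are what make a negative sysex.len from user space get clamped to count, but the comment above them only says "Sysex record too short". Please say in the comment that the comparison is deliberately unsigned, otherwise a later cleanup that drops the casts brings back the oversized loop described in the changelog.
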
Index: linux-2.6.35.y/sound/oss/midi_synth.h
===================================================================
--- linux-2.6.35.y.orig/sound/oss/midi_synth.h
+++ linux-2.6.35.y/sound/oss/midi_synth.h
@@ -8,7 +8,7 @@ int midi_synth_open (int dev, int mode);
void midi_synth_close (int dev);
void midi_synth_hw_control (int dev, unsigned char *event);
int midi_synth_load_patch (int dev, int format, const char __user * addr,
- int offs, int count, int pmgr_flag);
+ int count, int pmgr_flag);
void midi_synth_panning (int dev, int channel, int pressure);
void midi_synth_aftertouch (int dev, int channel, int pressure);
void midi_synth_controller (int dev, int channel, int ctrl_num, int value);
Index: linux-2.6.35.y/sound/oss/opl3.c
===================================================================
--- linux-2.6.35.y.orig/sound/oss/opl3.c
+++ linux-2.6.35.y/sound/oss/opl3.c
@@ -820,7 +820,7 @@ static void opl3_hw_control(int dev, uns
}

static int opl3_load_patch(int dev, int format, const char __user *addr,
- int offs, int count, int pmgr_flag)
+ int count, int pmgr_flag)
{
struct sbi_instrument ins;

@@ -830,11 +830,7 @@ static int opl3_load_patch(int dev, int
return -EINVAL;
}

- /*
- * What the fuck is going on here? We leave junk in the beginning
- * of ins and then check the field pretty close to that beginning?
- */
- if(copy_from_user(&((char *) &ins)[offs], addr + offs, sizeof(ins) - offs))
+ if (copy_from_user(&ins, addr, sizeof(ins)))
return -EFAULT;

if (ins.channel < 0 || ins.channel >= SBFM_MAXINSTR)
Index: linux-2.6.35.y/sound/oss/sequencer.c
===================================================================
--- linux-2.6.35.y.orig/sound/oss/sequencer.c
+++ linux-2.6.35.y/sound/oss/sequencer.c
@@ -241,7 +241,7 @@ int sequencer_write(int dev, struct file
return -ENXIO;

fmt = (*(short *) &event_rec[0]) & 0xffff;
- err = synth_devs[dev]->load_patch(dev, fmt, buf, p + 4, c, 0);
+ err = synth_devs[dev]->load_patch(dev, fmt, buf + p, c, 0);
if (err < 0)
return err;
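
Review bot: fmt is taken from event_rec, which was already copied in, but load_patch() is now handed buf + p and copies the whole header from user space again. The format the callback checks and the header contents it then uses come from two separate reads of the same user memory, which can change in between. Worth confirming that no callback trusts a field of its own copy (sysex, ins) on the strength of the fmt check alone.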

2011-04-26 21:32:36

by Andi Kleen

Subject: [PATCH] [45/106] ext4: fix credits computing for indirect mapped files

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Yongqiang Yang <[email protected]>

commit 5b41395fcc0265fc9f193aef9df39ce49d64677c upstream.

When writing a contiguous set of blocks, two indirect blocks could be
needed depending on how the blocks are aligned, so we need to increase
the number of credits needed by one.

[ Also fixed another bug which could further underestimate the
number of journal credits needed by 1; the code was using integer
division instead of DIV_ROUND_UP() -- tytso]

Signed-off-by: Yongqiang Yang <[email protected]>
Signed-off-by: "Theodore Ts'o" <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ext4/inode.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

Index: linux-2.6.35.y/fs/ext4/inode.c
===================================================================
--- linux-2.6.35.y.orig/fs/ext4/inode.c
+++ linux-2.6.35.y/fs/ext4/inode.c
@@ -5593,13 +5593,12 @@ static int ext4_indirect_trans_blocks(st
/* if nrblocks are contiguous */
if (chunk) {
/*
- * With N contiguous data blocks, it need at most
- * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) indirect blocks
- * 2 dindirect blocks
- * 1 tindirect block
+ * With N contiguous data blocks, we need at most
+ * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1 indirect blocks,
+ * 2 dindirect blocks, and 1 tindirect block
*/
- indirects = nrblocks / EXT4_ADDR_PER_BLOCK(inode->i_sb);
- return indirects + 3;
+ return DIV_ROUND_UP(nrblocks,
+ EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 4;
}
/*
* if nrblocks are not contiguous, worse case, each block touch
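
Review bot: the rewritten comment says N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1 indirect blocks, but the code returns DIV_ROUND_UP(nrblocks, EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 4. Read as C integer division, the comment undercounts by one whenever nrblocks is not a multiple of the addresses per block, which is the very mistake the changelog calls out. Spell the comment as DIV_ROUND_UP(N, EXT4_ADDR_PER_BLOCK) + 1 indirect blocks so the + 4 (1 + 2 + 1) can be checked against it.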

2011-04-26 21:14:10

by Andi Kleen

Subject: [PATCH] [35/106] drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 upstream.

Don't allow everybody to write to NVRAM.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Andy Sharp <[email protected]>
Cc: Alessandro Zummo <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/rtc/rtc-ds1511.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/rtc/rtc-ds1511.c
===================================================================
--- linux-2.6.35.y.orig/drivers/rtc/rtc-ds1511.c
+++ linux-2.6.35.y/drivers/rtc/rtc-ds1511.c
@@ -485,7 +485,7 @@ ds1511_nvram_write(struct file *filp, st
static struct bin_attribute ds1511_nvram_attr = {
.attr = {
.name = "nvram",
- .mode = S_IRUGO | S_IWUGO,
+ .mode = S_IRUGO | S_IWUSR,
},
.size = DS1511_RAM_MAX,
.read = ds1511_nvram_read,
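
Review bot: .mode = S_IRUGO | S_IWUSR removes the world-write bit but leaves the nvram attribute readable by every user. If anything sensitive can be stored in the DS1511 NVRAM, S_IRUSR | S_IWUSR would be the safer mode; if world-readable is intended, a comment on the .mode line saying so would settle the question for the next audit.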

2011-04-26 21:33:04

by Andi Kleen

Subject: [PATCH] [41/106] gro: reset skb_iif on reuse

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Andy Gospodarek <[email protected]>

commit 6d152e23ad1a7a5b40fef1f42e017d66e6115159 upstream.

Like Herbert's change from a few days ago:

66c46d741e2e60f0e8b625b80edb0ab820c46d7a gro: Reset dev pointer on reuse

this may not be necessary at this point, but we should still clean up
the skb->skb_iif. If not we may end up with an invalid value for
skb->skb_iif when the skb is reused and the check is done in
__netif_receive_skb.

Signed-off-by: Andy Gospodarek <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Brandon Philips <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/core/dev.c | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/net/core/dev.c
===================================================================
--- linux-2.6.35.y.orig/net/core/dev.c
+++ linux-2.6.35.y/net/core/dev.c
@@ -3232,6 +3232,7 @@ void napi_reuse_skb(struct napi_struct *
__skb_pull(skb, skb_headlen(skb));
skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
skb->dev = napi->dev;
+ skb->skb_iif = 0;

napi->skb = skb;
}
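
Review bot: the context line skb->dev = napi->dev is itself added by [40/106], so this patch only applies on top of that one; the dependency should be stated for anyone cherry-picking. napi_reuse_skb() is now resetting fields one at a time as stale values are discovered (dev, then skb_iif); a comment listing which per-packet fields must be cleared on reuse would make the next omission easier to spot.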

2011-04-26 21:32:49

by Andi Kleen

Subject: [PATCH] [43/106] Squashfs: handle corruption of directory structure

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Phillip Lougher <[email protected]>

commit 44cff8a9ee8a974f9e931df910688e7fc1f0b0f9 upstream.

Handle the rare case where a directory metadata block is uncompressed and
corrupted, leading to a kernel oops in directory scanning (memcpy).
Normally corruption is detected at the decompression stage and dealt with
then, however, this will not happen if:

- metadata isn't compressed (users can optionally request no metadata
compression), or
- the compressed metadata block was larger than the original, in which
case the uncompressed version was used, or
- the data was corrupt after decompression

This patch fixes this by adding some sanity checks against known maximum
values.

Signed-off-by: Phillip Lougher <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/squashfs/dir.c | 9 +++++++++
fs/squashfs/namei.c | 12 ++++++++++++
2 files changed, 21 insertions(+)

Index: linux-2.6.35.y/fs/squashfs/dir.c
===================================================================
--- linux-2.6.35.y.orig/fs/squashfs/dir.c
+++ linux-2.6.35.y/fs/squashfs/dir.c
@@ -172,6 +172,11 @@ static int squashfs_readdir(struct file
length += sizeof(dirh);

dir_count = le32_to_cpu(dirh.count) + 1;
+
+ /* dir_count should never be larger than 256 */
+ if (dir_count > 256)
+ goto failed_read;
+
while (dir_count--) {
/*
* Read directory entry.
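
Review bot: both new checks in squashfs_readdir() jump to failed_read, while the namei.c half of this patch adds a data_error label that sets err = -EIO before reporting. Please confirm failed_read leaves an error for the caller in the corruption case. The bare 256 is also repeated in both files; a named constant beside SQUASHFS_NAME_LEN would keep the limit in one place.
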
@@ -183,6 +188,10 @@ static int squashfs_readdir(struct file

size = le16_to_cpu(dire->size) + 1;

+ /* size should never be larger than SQUASHFS_NAME_LEN */
+ if (size > SQUASHFS_NAME_LEN)
+ goto failed_read;
+
err = squashfs_read_metadata(inode->i_sb, dire->name,
&block, &offset, size);
if (err < 0)
Index: linux-2.6.35.y/fs/squashfs/namei.c
===================================================================
--- linux-2.6.35.y.orig/fs/squashfs/namei.c
+++ linux-2.6.35.y/fs/squashfs/namei.c
@@ -176,6 +176,11 @@ static struct dentry *squashfs_lookup(st
length += sizeof(dirh);

dir_count = le32_to_cpu(dirh.count) + 1;
+
+ /* dir_count should never be larger than 256 */
+ if (dir_count > 256)
+ goto data_error;
+
while (dir_count--) {
/*
* Read directory entry.
@@ -187,6 +192,10 @@ static struct dentry *squashfs_lookup(st

size = le16_to_cpu(dire->size) + 1;

+ /* size should never be larger than SQUASHFS_NAME_LEN */
+ if (size > SQUASHFS_NAME_LEN)
+ goto data_error;
+
err = squashfs_read_metadata(dir->i_sb, dire->name,
&block, &offset, size);
if (err < 0)
@@ -228,6 +237,9 @@ exit_lookup:
d_add(dentry, inode);
return ERR_PTR(0);

+data_error:
+ err = -EIO;
+
read_failure:
ERROR("Unable to read directory block [%llx:%x]\n",
squashfs_i(dir)->start + msblk->directory_table,
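
Review bot: data_error sets err = -EIO and then falls through into read_failure, so detected corruption is logged as "Unable to read directory block". A distinct message for the data_error case, or a comment marking the fall-through as intended, would keep corrupted metadata distinguishable from an I/O failure in the logs.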

2011-04-26 21:33:26

by Andi Kleen

Subject: [PATCH] [39/106] sound: oss: midi_synth: check get_user() return value

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Kulikov Vasiliy <[email protected]>

commit b3390ceab95601afc12213c3ec5551d3bc7b638f upstream.

get_user() may fail, if so return -EFAULT.

Signed-off-by: Kulikov Vasiliy <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
sound/oss/midi_synth.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/sound/oss/midi_synth.c
===================================================================
--- linux-2.6.35.y.orig/sound/oss/midi_synth.c
+++ linux-2.6.35.y/sound/oss/midi_synth.c
@@ -519,7 +519,9 @@ midi_synth_load_patch(int dev, int forma
{
unsigned char data;

- get_user(*(unsigned char *) &data, (unsigned char __user *) &((addr)[hdr_size + i]));
+ if (get_user(data,
+ (unsigned char __user *)(addr + hdr_size + i)))
+ return -EFAULT;

eox_seen = (i > 0 && data & 0x80); /* End of sysex */
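
Review bot: the new return -EFAULT leaves the loop part-way through a patch, possibly after earlier iterations have already handled some of the data bytes. Please check whether the sysex transfer started before the loop needs to be terminated on this path, and add a comment if bailing out directly is acceptable.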

2011-04-26 21:33:24

by Andi Kleen

Subject: [PATCH] [40/106] gro: Reset dev pointer on reuse

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Herbert Xu <[email protected]>

commit 66c46d741e2e60f0e8b625b80edb0ab820c46d7a upstream.

On older kernels the VLAN code may zero skb->dev before dropping
it and causing it to be reused by GRO.

Unfortunately we didn't reset skb->dev in that case which causes
the next GRO user to get a bogus skb->dev pointer.

This particular problem no longer happens with the current upstream
kernel due to changes in VLAN processing.

However, for correctness we should still reset the skb->dev pointer
in the GRO reuse function in case a future user does the same thing.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Brandon Philips <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/core/dev.c | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/net/core/dev.c
===================================================================
--- linux-2.6.35.y.orig/net/core/dev.c
+++ linux-2.6.35.y/net/core/dev.c
@@ -3231,6 +3231,7 @@ void napi_reuse_skb(struct napi_struct *
{
__skb_pull(skb, skb_headlen(skb));
skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
+ skb->dev = napi->dev;

napi->skb = skb;
}
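
Review bot: `skb->dev = napi->dev;` has no comment, and the changelog says current upstream no longer hits the case that needs it, so the line will look redundant to anyone reading napi_reuse_skb() later. A one-line comment saying that a caller may have cleared skb->dev before the skb is recycled would keep it from being removed.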

2011-04-26 21:34:12

by Andi Kleen

Subject: [PATCH] [37/106] econet: 4 byte infoleak to the network

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.

struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
x86_64. These bytes are not initialized in the variable 'ah' before
sending 'ah' to the network. This leads to 4 bytes kernel stack
infoleak.

This bug was introduced before the git epoch.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Phil Blundell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/econet/af_econet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/net/econet/af_econet.c
===================================================================
--- linux-2.6.35.y.orig/net/econet/af_econet.c
+++ linux-2.6.35.y/net/econet/af_econet.c
@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *
udpdest.sin_addr.s_addr = htonl(network | addr.station);
}

+ memset(&ah, 0, sizeof(ah));
ah.port = port;
ah.cb = cb & 0x7f;
ah.code = 2; /* magic */
- ah.pad = 0;

/* tack our header on the front of the iovec */
size = sizeof(struct aunhdr);
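
Review bot: the `memset(&ah, 0, sizeof(ah));` is what clears the padding between 'pad' and 'handle', but nothing at the call site says so, and dropping `ah.pad = 0;` makes the memset load-bearing for that field as well. Please add a short comment that the header goes to the network as raw bytes and must be fully zeroed first, so the memset is not later replaced by per-field assignments.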

2011-04-26 21:13:56

by Andi Kleen

Subject: [PATCH] [21/106] mm: avoid wrapping vm_pgoff in mremap()

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Linus Torvalds <[email protected]>

commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream.

The normal mmap paths all avoid creating a mapping where the pgoff
inside the mapping could wrap around due to overflow. However, an
expanding mremap() can take such a non-wrapping mapping and make it
bigger and cause a wrapping condition.

Noticed by Robert Swiecki when running a system call fuzzer, where it
caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A
vma dumping patch by Hugh then pinpointed the crazy wrapped case.

Reported-and-tested-by: Robert Swiecki <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
mm/mremap.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/mm/mremap.c
===================================================================
--- linux-2.6.35.y.orig/mm/mremap.c
+++ linux-2.6.35.y/mm/mremap.c
@@ -274,9 +274,16 @@ static struct vm_area_struct *vma_to_res
if (old_len > vma->vm_end - addr)
goto Efault;

- if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
- if (new_len > old_len)
+ /* Need to be careful about a growing mapping */
+ if (new_len > old_len) {
+ unsigned long pgoff;
+
+ if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
goto Efault;
+ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
+ pgoff += vma->vm_pgoff;
+ if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
+ goto Einval;
}

if (vma->vm_flags & VM_LOCKED) {
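
Review bot: `goto Einval;` targets a label this patch does not add (all 9 insertions are in this hunk), so the backport depends on vma_to_resize() in 2.6.35.y already having an Einval exit; worth a build check on this tree. The comment `/* Need to be careful about a growing mapping */` could also say what the care is about, namely that pgoff plus the new length in pages must not wrap.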

2011-04-26 21:34:42

by Andi Kleen

Subject: [PATCH] [36/106] drivers/misc/ep93xx_pwm.c: world-writable sysfs files

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit deb187e72470b0382d4f0cb859e76e1ebc3a1082 upstream.

Don't allow everybody to change device settings.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Hartley Sweeten <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Matthieu Crapet <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/misc/ep93xx_pwm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-2.6.35.y/drivers/misc/ep93xx_pwm.c
===================================================================
--- linux-2.6.35.y.orig/drivers/misc/ep93xx_pwm.c
+++ linux-2.6.35.y/drivers/misc/ep93xx_pwm.c
@@ -249,11 +249,11 @@ static ssize_t ep93xx_pwm_set_invert(str

static DEVICE_ATTR(min_freq, S_IRUGO, ep93xx_pwm_get_min_freq, NULL);
static DEVICE_ATTR(max_freq, S_IRUGO, ep93xx_pwm_get_max_freq, NULL);
-static DEVICE_ATTR(freq, S_IWUGO | S_IRUGO,
+static DEVICE_ATTR(freq, S_IWUSR | S_IRUGO,
ep93xx_pwm_get_freq, ep93xx_pwm_set_freq);
-static DEVICE_ATTR(duty_percent, S_IWUGO | S_IRUGO,
+static DEVICE_ATTR(duty_percent, S_IWUSR | S_IRUGO,
ep93xx_pwm_get_duty_percent, ep93xx_pwm_set_duty_percent);
-static DEVICE_ATTR(invert, S_IWUGO | S_IRUGO,
+static DEVICE_ATTR(invert, S_IWUSR | S_IRUGO,
ep93xx_pwm_get_invert, ep93xx_pwm_set_invert);

static struct attribute *ep93xx_pwm_attrs[] = {
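
Review bot: the changelog is one line and does not say what the modes were or what they become. `S_IWUGO | S_IRUGO` is 0666 and `S_IWUSR | S_IRUGO` is 0644; stating that, and that freq, duty_percent and invert are the three attributes with a store callback, would let a reader confirm from the message alone that no writable attribute was missed.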

2011-04-26 21:34:59

by Andi Kleen

Subject: [PATCH] [29/106] char/tpm: Fix unitialized usage of data buffer

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Peter Huewe <[email protected]>

commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream.

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.

Reported-by: Peter Huewe <[email protected]>
Signed-off-by: Peter Huewe <[email protected]>
Signed-off-by: Marcel Selhorst <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
[ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way
deeper problems than a simple multiplication can fix. - Linus ]
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/char/tpm/tpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/char/tpm/tpm.c
===================================================================
--- linux-2.6.35.y.orig/drivers/char/tpm/tpm.c
+++ linux-2.6.35.y/drivers/char/tpm/tpm.c
@@ -970,7 +970,7 @@ int tpm_open(struct inode *inode, struct
return -EBUSY;
}

- chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
+ chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
if (chip->data_buffer == NULL) {
clear_bit(0, &chip->is_open);
put_device(chip->dev);
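
Review bot: `kzalloc()` zeroes the buffer once, in tpm_open(), so the fix covers data left in the allocation by a previous owner of the memory. Whether a read can still return bytes left in chip->data_buffer by an earlier command during the same open is not addressed here; if it can, the read path needs to bound the copy or clear the buffer as well.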

2011-04-26 21:35:00

by Andi Kleen

Subject: [PATCH] [28/106] Treat writes as new when holes span across page boundaries

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Goldwyn Rodrigues <[email protected]>

commit 272b62c1f0f6f742046e45b50b6fec98860208a0 upstream.

When a hole spans across page boundaries, the next write forces
a read of the block. This could end up reading existing garbage
data from the disk in ocfs2_map_page_blocks. This leads to
non-zero holes. In order to avoid this, mark the writes as new
when the holes span across page boundaries.

Signed-off-by: Goldwyn Rodrigues <[email protected]>
Signed-off-by: jlbec <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ocfs2/aops.c | 6 ++++++
1 file changed, 6 insertions(+)

Index: linux-2.6.35.y/fs/ocfs2/aops.c
===================================================================
--- linux-2.6.35.y.orig/fs/ocfs2/aops.c
+++ linux-2.6.35.y/fs/ocfs2/aops.c
@@ -1039,6 +1039,12 @@ static int ocfs2_prepare_page_for_write(
ocfs2_figure_cluster_boundaries(OCFS2_SB(inode->i_sb), cpos,
&cluster_start, &cluster_end);

+ /* treat the write as new if the a hole/lseek spanned across
+ * the page boundary.
+ */
+ new = new | ((i_size_read(inode) <= page_offset(page)) &&
+ (page_offset(page) <= user_pos));
+
if (page == wc->w_target_page) {
map_from = user_pos & (PAGE_CACHE_SIZE - 1);
map_to = map_from + user_len;
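
Review bot: `new = new | (...)` mixes an int flag with a boolean expression through a bitwise OR; `new |= ...` or a plain `if (...) new = 1;` reads better and makes it obvious that new is only ever raised here, never cleared. The added comment also has a typo ("if the a hole").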

2011-04-26 21:35:56

by Andi Kleen

Subject: [PATCH] [27/106] Bluetooth: add support for Apple MacBook Pro 8,2

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Marc-Antoine Perennou <[email protected]>

commit 63a8588debd4dc72becb9e27add9343c76301c7d upstream.

Just adding the vendor details makes it work fine.

Signed-off-by: Marc-Antoine Perennou <[email protected]>
Signed-off-by: Gustavo F. Padovan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/bluetooth/btusb.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/drivers/bluetooth/btusb.c
===================================================================
--- linux-2.6.35.y.orig/drivers/bluetooth/btusb.c
+++ linux-2.6.35.y/drivers/bluetooth/btusb.c
@@ -62,6 +62,9 @@ static struct usb_device_id btusb_table[
/* Apple iMac11,1 */
{ USB_DEVICE(0x05ac, 0x8215) },

+ /* Apple MacBookPro8,2 */
+ { USB_DEVICE(0x05ac, 0x821a) },
+
/* AVM BlueFRITZ! USB v2.0 */
{ USB_DEVICE(0x057c, 0x3800) },

2011-04-26 21:36:16

by Andi Kleen

Subject: [PATCH] [26/106] Bluetooth: bnep: fix buffer overflow

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Gustavo F. Padovan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/bluetooth/bnep/sock.c | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/net/bluetooth/bnep/sock.c
===================================================================
--- linux-2.6.35.y.orig/net/bluetooth/bnep/sock.c
+++ linux-2.6.35.y/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;

err = bnep_add_connection(&ca, nsock);
if (!err) {
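
Review bot: `ca.device[sizeof(ca.device)-1] = 0;` silently truncates an unterminated name instead of rejecting the request, so userspace that passes a full-length name gets a device with a different name than it asked for and no error. If that is intended, a comment saying so would help; kernel style would also put spaces around the `-`.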

2011-04-26 21:36:14

by Andi Kleen

Subject: [PATCH] [25/106] bridge: netfilter: fix information leak

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.

Struct tmp is copied from userspace. It is not checked whether the "name"
field is NULL terminated. This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline. It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/bridge/netfilter/ebtables.c | 2 ++
1 file changed, 2 insertions(+)

Index: linux-2.6.35.y/net/bridge/netfilter/ebtables.c
===================================================================
--- linux-2.6.35.y.orig/net/bridge/netfilter/ebtables.c
+++ linux-2.6.35.y/net/bridge/netfilter/ebtables.c
@@ -1098,6 +1098,8 @@ static int do_replace(struct net *net, c
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;

+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo)
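
Review bot: this terminates tmp.name in do_replace() only. Any other handler in this file that copies a structure with a name field from userspace and then looks a table up by that name needs the same termination; please confirm they were checked, since the changelog describes the problem in terms of the struct rather than this one function.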

2011-04-26 21:13:54

by Andi Kleen

Subject: [PATCH] [22/106] p54usb: IDs for two new devices

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Christian Lamparter <[email protected]>

commit 220107610c7c2c9703e09eb363e8ab31025b9315 upstream.

Reported-by: Mark Davis [via p54/devices wiki]
Signed-off-by: Christian Lamparter <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/net/wireless/p54/p54usb.c | 2 ++
1 file changed, 2 insertions(+)

Index: linux-2.6.35.y/drivers/net/wireless/p54/p54usb.c
===================================================================
--- linux-2.6.35.y.orig/drivers/net/wireless/p54/p54usb.c
+++ linux-2.6.35.y/drivers/net/wireless/p54/p54usb.c
@@ -56,6 +56,7 @@ static struct usb_device_id p54u_table[]
{USB_DEVICE(0x0846, 0x4210)}, /* Netgear WG121 the second ? */
{USB_DEVICE(0x0846, 0x4220)}, /* Netgear WG111 */
{USB_DEVICE(0x09aa, 0x1000)}, /* Spinnaker Proto board */
+ {USB_DEVICE(0x0bf8, 0x1007)}, /* Fujitsu E-5400 USB */
{USB_DEVICE(0x0cde, 0x0006)}, /* Medion 40900, Roper Europe */
{USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */
{USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */
@@ -68,6 +69,7 @@ static struct usb_device_id p54u_table[]
{USB_DEVICE(0x1915, 0x2235)}, /* Linksys WUSB54G Portable OEM */
{USB_DEVICE(0x2001, 0x3701)}, /* DLink DWL-G120 Spinnaker */
{USB_DEVICE(0x2001, 0x3703)}, /* DLink DWL-G122 */
+ {USB_DEVICE(0x2001, 0x3762)}, /* Conceptronic C54U */
{USB_DEVICE(0x5041, 0x2234)}, /* Linksys WUSB54G */
{USB_DEVICE(0x5041, 0x2235)}, /* Linksys WUSB54G Portable */

2011-04-26 21:37:00

by Andi Kleen

Subject: [PATCH] [24/106] Bluetooth: sco: fix information leak to userspace

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <[email protected]>

commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

struct sco_conninfo has one padding byte in the end. Local variable
cinfo of type sco_conninfo is copied to userspace with this uninitialized
one byte, leading to old stack contents leak.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Gustavo F. Padovan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/bluetooth/sco.c | 1 +
1 file changed, 1 insertion(+)

Index: linux-2.6.35.y/net/bluetooth/sco.c
===================================================================
--- linux-2.6.35.y.orig/net/bluetooth/sco.c
+++ linux-2.6.35.y/net/bluetooth/sco.c
@@ -700,6 +700,7 @@ static int sco_sock_getsockopt_old(struc
break;
}

+ memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
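
The padding leak fixed in this patch and in the econet patch ([37/106]) earlier in the thread, as an added userspace example that is not part of the series or the kernel source. The two struct layouts are assumptions built from the field names in the hunks (field types are guessed), and 0xAA is a constructed stand-in for stale stack bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed stand-in for old kernel stack contents */

/* Assumed layouts: field names from the patches, field types guessed. */
struct aunhdr_like {
	unsigned char code, port, cb, pad;
	unsigned long handle;   /* aligned: leaves a hole after 'pad' on LP64 */
};

struct conninfo_like {
	uint16_t hci_handle;
	uint8_t dev_class[3];   /* struct is padded at the end for alignment */
};

/* Padding sizes computed from the layout the compiler actually produced. */
size_t aunhdr_hole(void)
{
	return offsetof(struct aunhdr_like, handle) -
	       (offsetof(struct aunhdr_like, pad) + sizeof(unsigned char));
}

size_t conninfo_tail(void)
{
	return sizeof(struct conninfo_like) -
	       (offsetof(struct conninfo_like, dev_class) + 3);
}

/* Count stale bytes in the raw image that would be sent or copied out. */
static size_t stale_bytes(const void *image, size_t len)
{
	const unsigned char *p = image;
	size_t i, n = 0;

	for (i = 0; i < len; i++)
		n += (p[i] == STALE);
	return n;
}

/* Set every named field; zero_first selects the patched behaviour. */
static void fill_aunhdr(struct aunhdr_like *ah, int zero_first)
{
	if (zero_first)
		memset(ah, 0, sizeof(*ah)); /* clears the padding as well */
	ah->code = 2;
	ah->port = 0x99;
	ah->cb = 0x01;
	ah->pad = 0;
	ah->handle = 0x1234;
}

static void fill_conninfo(struct conninfo_like *ci, int zero_first)
{
	static const uint8_t cls[3] = { 0x0c, 0x02, 0x5a };

	if (zero_first)
		memset(ci, 0, sizeof(*ci));
	ci->hci_handle = 0x002a;
	memcpy(ci->dev_class, cls, sizeof(cls));
}

/* Returns how many stale bytes leave with the header. */
size_t aunhdr_leak(int zero_first)
{
	unsigned char wire[sizeof(struct aunhdr_like)];
	struct aunhdr_like ah;

	memset(&ah, STALE, sizeof(ah));  /* simulate a reused stack slot */
	fill_aunhdr(&ah, zero_first);
	memcpy(wire, &ah, sizeof(ah));   /* whole object goes out, padding included */
	return stale_bytes(wire, sizeof(wire));
}

size_t conninfo_leak(int zero_first)
{
	unsigned char out[sizeof(struct conninfo_like)];
	struct conninfo_like ci;

	memset(&ci, STALE, sizeof(ci));
	fill_conninfo(&ci, zero_first);
	memcpy(out, &ci, sizeof(ci));    /* models copying sizeof(cinfo) to userspace */
	return stale_bytes(out, sizeof(out));
}

int main(void)
{
	printf("aunhdr:   hole=%zu leaked=%zu after memset=%zu\n",
	       aunhdr_hole(), aunhdr_leak(0), aunhdr_leak(1));
	printf("conninfo: tail=%zu leaked=%zu after memset=%zu\n",
	       conninfo_tail(), conninfo_leak(0), conninfo_leak(1));
	return 0;
}
```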

2011-04-26 21:37:32

by Andi Kleen

Subject: [PATCH] [20/106] quota: Don't write quota info in dquot_commit()

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Jan Kara <[email protected]>

commit b03f24567ce7caf2420b8be4c6eb74c191d59a91 upstream.

There's no reason to write quota info in dquot_commit(). The writing is a
relict from the old days when we didn't have dquot_acquire() and
dquot_release() and thus dquot_commit() could have created / removed quota
structures from the file. These days dquot_commit() only updates usage counters
/ limits in quota structure and thus there's no need to write quota info.

This also fixes an issue with journaling filesystem which didn't reserve
enough space in the transaction for write of quota info (it could have been
dirty at the time of dquot_commit() because of a race with other operation
changing it).

Reported-and-tested-by: Lukas Czerner <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/quota/dquot.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)

Index: linux-2.6.35.y/fs/quota/dquot.c
===================================================================
--- linux-2.6.35.y.orig/fs/quota/dquot.c
+++ linux-2.6.35.y/fs/quota/dquot.c
@@ -422,7 +422,7 @@ EXPORT_SYMBOL(dquot_acquire);
*/
int dquot_commit(struct dquot *dquot)
{
- int ret = 0, ret2 = 0;
+ int ret = 0;
struct quota_info *dqopt = sb_dqopt(dquot->dq_sb);

mutex_lock(&dqopt->dqio_mutex);
@@ -434,15 +434,10 @@ int dquot_commit(struct dquot *dquot)
spin_unlock(&dq_list_lock);
/* Inactive dquot can be only if there was error during read/init
* => we have better not writing it */
- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
+ if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
ret = dqopt->ops[dquot->dq_type]->commit_dqblk(dquot);
- if (info_dirty(&dqopt->info[dquot->dq_type])) {
- ret2 = dqopt->ops[dquot->dq_type]->write_file_info(
- dquot->dq_sb, dquot->dq_type);
- }
- if (ret >= 0)
- ret = ret2;
- }
+ else
+ ret = -EIO;
out_sem:
mutex_unlock(&dqopt->dqio_mutex);
return ret;
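
Review bot: the new `else ret = -EIO;` changes the return value for an inactive dquot from 0 to -EIO, which the changelog does not mention; it only talks about dropping the write_file_info() call. Callers of dquot_commit() that treated the inactive case as success will now see an error, so the message should say this is deliberate.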

2011-04-26 21:38:04

by Andi Kleen

Subject: [PATCH] [19/106] UBIFS: fix debugging failure in dbg_check_space_info

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Artem Bityutskiy <[email protected]>

commit 7da6443aca9be29c6948dcbd636ad50154d0bc0c upstream.

This patch fixes a debugging failure which looks like this:
UBIFS error (pid 32313): dbg_check_space_info: free space changed from 6019344 to 6022654

The reason for this failure is described in the comment this patch adds
to the code. But in short - 'c->freeable_cnt' may be different before
and after re-mounting, and this is normal. So the debugging code should
make sure that free space calculations do not depend on 'c->freeable_cnt'.

A similar issue has been reported here:
http://lists.infradead.org/pipermail/linux-mtd/2011-April/034647.html

This patch should fix it.

For the -stable guys: this patch is only relevant for kernels 2.6.30
onwards.

Signed-off-by: Artem Bityutskiy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
fs/ubifs/debug.c | 41 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 36 insertions(+), 5 deletions(-)

Index: linux-2.6.35.y/fs/ubifs/debug.c
===================================================================
--- linux-2.6.35.y.orig/fs/ubifs/debug.c
+++ linux-2.6.35.y/fs/ubifs/debug.c
@@ -961,11 +961,39 @@ void dbg_dump_index(struct ubifs_info *c
void dbg_save_space_info(struct ubifs_info *c)
{
struct ubifs_debug_info *d = c->dbg;
-
- ubifs_get_lp_stats(c, &d->saved_lst);
+ int freeable_cnt;

spin_lock(&c->space_lock);
+ memcpy(&d->saved_lst, &c->lst, sizeof(struct ubifs_lp_stats));
+
+ /*
+ * We use a dirty hack here and zero out @c->freeable_cnt, because it
+ * affects the free space calculations, and UBIFS might not know about
+ * all freeable eraseblocks. Indeed, we know about freeable eraseblocks
+ * only when we read their lprops, and we do this only lazily, upon the
+ * need. So at any given point of time @c->freeable_cnt might be not
+ * exactly accurate.
+ *
+ * Just one example about the issue we hit when we did not zero
+ * @c->freeable_cnt.
+ * 1. The file-system is mounted R/O, c->freeable_cnt is %0. We save the
+ * amount of free space in @d->saved_free
+ * 2. We re-mount R/W, which makes UBIFS to read the "lsave"
+ * information from flash, where we cache LEBs from various
+ * categories ('ubifs_remount_fs()' -> 'ubifs_lpt_init()'
+ * -> 'lpt_init_wr()' -> 'read_lsave()' -> 'ubifs_lpt_lookup()'
+ * -> 'ubifs_get_pnode()' -> 'update_cats()'
+ * -> 'ubifs_add_to_cat()').
+ * 3. Lsave contains a freeable eraseblock, and @c->freeable_cnt
+ * becomes %1.
+ * 4. We calculate the amount of free space when the re-mount is
+ * finished in 'dbg_check_space_info()' and it does not match
+ * @d->saved_free.
+ */
+ freeable_cnt = c->freeable_cnt;
+ c->freeable_cnt = 0;
d->saved_free = ubifs_get_free_space_nolock(c);
+ c->freeable_cnt = freeable_cnt;
spin_unlock(&c->space_lock);
}
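
Review bot: `memcpy(&d->saved_lst, &c->lst, sizeof(struct ubifs_lp_stats));` open-codes what a struct assignment `d->saved_lst = c->lst;` would do with type checking, and it replaces the ubifs_get_lp_stats() accessor without the changelog saying why. If the point is to take the copy under the same space_lock hold as the free space calculation, say so in the comment.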

@@ -982,12 +1010,15 @@ int dbg_check_space_info(struct ubifs_in
{
struct ubifs_debug_info *d = c->dbg;
struct ubifs_lp_stats lst;
- long long avail, free;
+ long long free;
+ int freeable_cnt;

spin_lock(&c->space_lock);
- avail = ubifs_calc_available(c, c->min_idx_lebs);
+ freeable_cnt = c->freeable_cnt;
+ c->freeable_cnt = 0;
+ free = ubifs_get_free_space_nolock(c);
+ c->freeable_cnt = freeable_cnt;
spin_unlock(&c->space_lock);
- free = ubifs_get_free_space(c);

if (free != d->saved_free) {
ubifs_err("free space changed from %lld to %lld",
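
Review bot: the save, zero, compute, restore sequence on c->freeable_cnt is now duplicated here and in dbg_save_space_info(), and the two copies must stay identical for the comparison against d->saved_free to mean anything. A small static helper called with space_lock held would keep them in step.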

2011-04-26 21:13:42

by Andi Kleen

Subject: [PATCH] [7/106] staging: hv: use sync_bitops when interacting with the hypervisor

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Olaf Hering <[email protected]>

commit 22356585712d1ff08fbfed152edd8b386873b238 upstream.

Locking is required when tweaking bits located in a shared page, use the
sync_ version of bitops. Without this change vmbus_on_event() will miss
events and as a result, vmbus_isr() will not schedule the receive tasklet.

[Backported to 2.6.32 stable kernel by Haiyang Zhang <[email protected]>]

Signed-off-by: Olaf Hering <[email protected]>
Acked-by: Haiyang Zhang <[email protected]>
Acked-by: Hank Janssen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/staging/hv/Channel.c | 8 ++++----
drivers/staging/hv/Connection.c | 6 ++++--
drivers/staging/hv/Vmbus.c | 2 +-
drivers/staging/hv/VmbusPrivate.h | 1 +
4 files changed, 10 insertions(+), 7 deletions(-)

Index: linux-2.6.35.y/drivers/staging/hv/channel.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/hv/channel.c
+++ linux-2.6.35.y/drivers/staging/hv/channel.c
@@ -78,14 +78,14 @@ static void VmbusChannelSetEvent(struct

if (Channel->OfferMsg.MonitorAllocated) {
/* Each u32 represents 32 channels */
- set_bit(Channel->OfferMsg.ChildRelId & 31,
+ sync_set_bit(Channel->OfferMsg.ChildRelId & 31,
(unsigned long *) gVmbusConnection.SendInterruptPage +
(Channel->OfferMsg.ChildRelId >> 5));

monitorPage = gVmbusConnection.MonitorPages;
monitorPage++; /* Get the child to parent monitor page */

- set_bit(Channel->MonitorBit,
+ sync_set_bit(Channel->MonitorBit,
(unsigned long *)&monitorPage->TriggerGroup
[Channel->MonitorGroup].Pending);
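
Review bot: nothing at the `sync_set_bit()` calls says why the sync_ variant is required, so a later cleanup could turn them back into set_bit(). A short comment that SendInterruptPage and the monitor page are shared with the hypervisor would record the reason given in the changelog.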

@@ -105,7 +105,7 @@ static void VmbusChannelClearEvent(struc

if (Channel->OfferMsg.MonitorAllocated) {
/* Each u32 represents 32 channels */
- clear_bit(Channel->OfferMsg.ChildRelId & 31,
+ sync_clear_bit(Channel->OfferMsg.ChildRelId & 31,
(unsigned long *)gVmbusConnection.SendInterruptPage +
(Channel->OfferMsg.ChildRelId >> 5));

@@ -113,7 +113,7 @@ static void VmbusChannelClearEvent(struc
(struct hv_monitor_page *)gVmbusConnection.MonitorPages;
monitorPage++; /* Get the child to parent monitor page */

- clear_bit(Channel->MonitorBit,
+ sync_clear_bit(Channel->MonitorBit,
(unsigned long *)&monitorPage->TriggerGroup
[Channel->MonitorGroup].Pending);
}
Index: linux-2.6.35.y/drivers/staging/hv/connection.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/hv/connection.c
+++ linux-2.6.35.y/drivers/staging/hv/connection.c
@@ -292,7 +292,9 @@ void VmbusOnEvents(void)
for (dword = 0; dword < maxdword; dword++) {
if (recvInterruptPage[dword]) {
for (bit = 0; bit < 32; bit++) {
- if (test_and_clear_bit(bit, (unsigned long *)&recvInterruptPage[dword])) {
+ if (sync_test_and_clear_bit(bit,
+ (unsigned long *)
+ &recvInterruptPage[dword])) {
relid = (dword << 5) + bit;
DPRINT_DBG(VMBUS, "event detected for relid - %d", relid);

@@ -337,7 +339,7 @@ int VmbusSetEvent(u32 childRelId)
DPRINT_ENTER(VMBUS);

/* Each u32 represents 32 channels */
- set_bit(childRelId & 31,
+ sync_set_bit(childRelId & 31,
(unsigned long *)gVmbusConnection.SendInterruptPage +
(childRelId >> 5));

Index: linux-2.6.35.y/drivers/staging/hv/vmbus.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/hv/vmbus.c
+++ linux-2.6.35.y/drivers/staging/hv/vmbus.c
@@ -254,7 +254,7 @@ static int VmbusOnISR(struct hv_driver *
event = (union hv_synic_event_flags *)page_addr + VMBUS_MESSAGE_SINT;

/* Since we are a child, we only need to check bit 0 */
- if (test_and_clear_bit(0, (unsigned long *) &event->Flags32[0])) {
+ if (sync_test_and_clear_bit(0, (unsigned long *) &event->Flags32[0])) {
DPRINT_DBG(VMBUS, "received event %d", event->Flags32[0]);
ret |= 0x2;
}
Index: linux-2.6.35.y/drivers/staging/hv/vmbus_private.h
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/hv/vmbus_private.h
+++ linux-2.6.35.y/drivers/staging/hv/vmbus_private.h
@@ -32,6 +32,7 @@
#include "channel_interface.h"
#include "ring_buffer.h"
#include <linux/list.h>
+#include <asm/sync_bitops.h>


/*
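
Review bot: the `#include <asm/sync_bitops.h>` added here lands in vmbus_private.h, but the diffstat above lists VmbusPrivate.h (and Channel.c, Connection.c, Vmbus.c) while every Index line uses the lower-case names, so the stat looks carried over from another tree rather than regenerated for 2.6.35.y. Please regenerate it so the stat matches what the patch touches.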

2011-04-26 21:38:35

by Andi Kleen

Subject: [PATCH] [16/106] x86, mtrr, pat: Fix one cpu getting out of sync during resume

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Suresh Siddha <[email protected]>

commit 84ac7cdbdd0f04df6b96153f7a79127fd6e45467 upstream.

On laptops with core i5/i7, there were reports that after resume
graphics workloads were performing poorly on a specific AP, while
the other cpu's were ok. This was observed on a 32bit kernel
specifically.

Debug showed that the PAT init was not happening on that AP
during resume and hence it was contributing to the poor workload
performance on that cpu.

On this system, resume flow looked like this:

1. BP starts the resume sequence and we reinit BP's MTRR's/PAT
early on using mtrr_bp_restore()

2. Resume sequence brings all AP's online

3. Resume sequence now kicks off the MTRR reinit on all the AP's.

4. For some reason, between point 2 and 3, we moved from BP
to one of the AP's. My guess is that printk() during resume
sequence is contributing to this. We don't see similar
behavior with the 64bit kernel but there is no guarantee that
at this point the remaining resume sequence (after AP's bringup)
has to happen on BP.

5. set_mtrr() was assuming that we are still on BP and skipped the
MTRR/PAT init on that cpu (because of 1 above)

6. But we were on an AP and this led to not reprogramming PAT
on this cpu leading to bad performance.

Fix this by doing unconditional mtrr_if->set_all() in set_mtrr()
during MTRR/PAT init. This might be unnecessary if we are still
running on BP. But it is of no harm and will guarantee that after
resume, all the cpu's will be in sync with respect to the
MTRR/PAT registers.

Signed-off-by: Suresh Siddha <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
LKML-Reference: <[email protected]>
Signed-off-by: Eric Anholt <[email protected]>
Tested-by: Keith Packard <[email protected]>
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/cpu/mtrr/main.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

Index: linux-2.6.35.y/arch/x86/kernel/cpu/mtrr/main.c
===================================================================
--- linux-2.6.35.y.orig/arch/x86/kernel/cpu/mtrr/main.c
+++ linux-2.6.35.y/arch/x86/kernel/cpu/mtrr/main.c
@@ -292,14 +292,24 @@ set_mtrr(unsigned int reg, unsigned long

/*
* HACK!
- * We use this same function to initialize the mtrrs on boot.
- * The state of the boot cpu's mtrrs has been saved, and we want
- * to replicate across all the APs.
- * If we're doing that @reg is set to something special...
+ *
+ * We use this same function to initialize the mtrrs during boot,
+ * resume, runtime cpu online and on an explicit request to set a
+ * specific MTRR.
+ *
+ * During boot or suspend, the state of the boot cpu's mtrrs has been
+ * saved, and we want to replicate that across all the cpus that come
+ * online (either at the end of boot or resume or during a runtime cpu
+ * online). If we're doing that, @reg is set to something special and on
+ * this cpu we still do mtrr_if->set_all(). During boot/resume, this
+ * is unnecessary if at this point we are still on the cpu that started
+ * the boot/resume sequence. But there is no guarantee that we are still
+ * on the same cpu. So we do mtrr_if->set_all() on this cpu aswell to be
+ * sure that we are in sync with everyone else.
*/
if (reg != ~0U)
mtrr_if->set(reg, base, size, type);
- else if (!mtrr_aps_delayed_init)
+ else
mtrr_if->set_all();

/* Wait for the others */
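
Review bot: dropping the `!mtrr_aps_delayed_init` test makes the `reg == ~0U` branch call mtrr_if->set_all() unconditionally, which the new comment explains, but the hunk does not show whether mtrr_aps_delayed_init still has other users; if this was the last one, the variable should go too. The new comment also has "aswell" for "as well".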

2011-04-26 21:38:51

by Andi Kleen

Subject: [PATCH] [11/106] nilfs2: fix data loss in mmap page write for hole blocks

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Ryusuke Konishi <[email protected]>

commit 34094537943113467faee98fe67c8a3d3f9a0a8b upstream.

From the result of a function test of mmap, mmap write to shared pages
turned out to be broken for hole blocks. It doesn't write out filled
blocks and the data will be lost after umount. This is due to a bug
that the target file is not queued for log writer when filling hole
blocks.

Also, nilfs_page_mkwrite function exits normal code path even after
successfully filled hole blocks due to a change of block_page_mkwrite
function; just after nilfs was merged into the mainline,
block_page_mkwrite() started to return VM_FAULT_LOCKED instead of zero
by the patch "mm: close page_mkwrite races" (commit:
b827e496c893de0c). The current nilfs_page_mkwrite() is not handling
this value properly.

This corrects nilfs_page_mkwrite() and will resolve the data loss
problem in mmap write.

[This should be applied to every kernel since 2.6.30 but a fix is
needed for 2.6.37 and prior kernels]

Signed-off-by: Ryusuke Konishi <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Tested-by: Ryusuke Konishi <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/nilfs2/file.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

Index: linux-2.6.35.y/fs/nilfs2/file.c
===================================================================
--- linux-2.6.35.y.orig/fs/nilfs2/file.c
+++ linux-2.6.35.y/fs/nilfs2/file.c
@@ -72,10 +72,9 @@ static int nilfs_page_mkwrite(struct vm_
/*
* check to see if the page is mapped already (no holes)
*/
- if (PageMappedToDisk(page)) {
- unlock_page(page);
+ if (PageMappedToDisk(page))
goto mapped;
- }
+
if (page_has_buffers(page)) {
struct buffer_head *bh, *head;
int fully_mapped = 1;
@@ -90,7 +89,6 @@ static int nilfs_page_mkwrite(struct vm_

if (fully_mapped) {
SetPageMappedToDisk(page);
- unlock_page(page);
goto mapped;
}
}
@@ -105,16 +103,18 @@ static int nilfs_page_mkwrite(struct vm_
return VM_FAULT_SIGBUS;

ret = block_page_mkwrite(vma, vmf, nilfs_get_block);
- if (unlikely(ret)) {
+ if (ret != VM_FAULT_LOCKED) {
nilfs_transaction_abort(inode->i_sb);
return ret;
}
+ nilfs_set_file_dirty(NILFS_SB(inode->i_sb), inode,
+ 1 << (PAGE_SHIFT - inode->i_blkbits));
nilfs_transaction_commit(inode->i_sb);

mapped:
SetPageChecked(page);
wait_on_page_writeback(page);
- return 0;
+ return VM_FAULT_LOCKED;
}

static const struct vm_operations_struct nilfs_file_vm_ops = {
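
Review bot: the result of `nilfs_set_file_dirty()` is ignored before `nilfs_transaction_commit()`; if it can fail, the fault is reported as VM_FAULT_LOCKED while the file was never queued for the log writer, which is the data loss the changelog describes. The changelog also says a fix is needed for 2.6.37 and prior kernels, so please state whether this version already carries that adjustment for 2.6.35.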

2011-04-26 21:39:08

by Andi Kleen

Subject: [PATCH] [13/106] ALSA: ens1371: fix Creative Ectiva support

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Clemens Ladisch <[email protected]>

commit 6ebb8a4a43e34f999ab36f27f972f3cd751cda4f upstream.

To make the EV1938 chip work, add a magic bit and an extra delay.

Signed-off-by: Clemens Ladisch <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Tested-by: Tino Schmidt <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/ens1370.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

Index: linux-2.6.35.y/sound/pci/ens1370.c
===================================================================
--- linux-2.6.35.y.orig/sound/pci/ens1370.c
+++ linux-2.6.35.y/sound/pci/ens1370.c
@@ -229,6 +229,7 @@ MODULE_PARM_DESC(lineio, "Line In to Rea
#define ES_REG_1371_CODEC 0x14 /* W/R: Codec Read/Write register address */
#define ES_1371_CODEC_RDY (1<<31) /* codec ready */
#define ES_1371_CODEC_WIP (1<<30) /* codec register access in progress */
+#define EV_1938_CODEC_MAGIC (1<<26)
#define ES_1371_CODEC_PIRD (1<<23) /* codec read/write select register */
#define ES_1371_CODEC_WRITE(a,d) ((((a)&0x7f)<<16)|(((d)&0xffff)<<0))
#define ES_1371_CODEC_READS(a) ((((a)&0x7f)<<16)|ES_1371_CODEC_PIRD)
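
Review bot: `EV_1938_CODEC_MAGIC` is the only define in this register block without a trailing comment, and neither the name nor the commit message says what bit 26 does. A short comment recording what is known about the bit (or that it is undocumented and required for EV1938 codec access) would match the neighbouring defines.
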
@@ -603,12 +604,18 @@ static void snd_es1370_codec_write(struc

#ifdef CHIP1371

+static inline bool is_ev1938(struct ensoniq *ensoniq)
+{
+ return ensoniq->pci->device == 0x8938;
+}
+
static void snd_es1371_codec_write(struct snd_ac97 *ac97,
unsigned short reg, unsigned short val)
{
struct ensoniq *ensoniq = ac97->private_data;
- unsigned int t, x;
+ unsigned int t, x, flag;

+ flag = is_ev1938(ensoniq) ? EV_1938_CODEC_MAGIC : 0;
mutex_lock(&ensoniq->src_mutex);
for (t = 0; t < POLL_COUNT; t++) {
if (!(inl(ES_REG(ensoniq, 1371_CODEC)) & ES_1371_CODEC_WIP)) {
@@ -630,7 +637,8 @@ static void snd_es1371_codec_write(struc
0x00010000)
break;
}
- outl(ES_1371_CODEC_WRITE(reg, val), ES_REG(ensoniq, 1371_CODEC));
+ outl(ES_1371_CODEC_WRITE(reg, val) | flag,
+ ES_REG(ensoniq, 1371_CODEC));
/* restore SRC reg */
snd_es1371_wait_src_ready(ensoniq);
outl(x, ES_REG(ensoniq, 1371_SMPRATE));
@@ -647,8 +655,9 @@ static unsigned short snd_es1371_codec_r
unsigned short reg)
{
struct ensoniq *ensoniq = ac97->private_data;
- unsigned int t, x, fail = 0;
+ unsigned int t, x, flag, fail = 0;

+ flag = is_ev1938(ensoniq) ? EV_1938_CODEC_MAGIC : 0;
__again:
mutex_lock(&ensoniq->src_mutex);
for (t = 0; t < POLL_COUNT; t++) {
@@ -671,7 +680,8 @@ static unsigned short snd_es1371_codec_r
0x00010000)
break;
}
- outl(ES_1371_CODEC_READS(reg), ES_REG(ensoniq, 1371_CODEC));
+ outl(ES_1371_CODEC_READS(reg) | flag,
+ ES_REG(ensoniq, 1371_CODEC));
/* restore SRC reg */
snd_es1371_wait_src_ready(ensoniq);
outl(x, ES_REG(ensoniq, 1371_SMPRATE));
@@ -683,6 +693,11 @@ static unsigned short snd_es1371_codec_r
/* now wait for the stinkin' data (RDY) */
for (t = 0; t < POLL_COUNT; t++) {
if ((x = inl(ES_REG(ensoniq, 1371_CODEC))) & ES_1371_CODEC_RDY) {
+ if (is_ev1938(ensoniq)) {
+ for (t = 0; t < 100; t++)
+ inl(ES_REG(ensoniq, CONTROL));
+ x = inl(ES_REG(ensoniq, 1371_CODEC));
+ }
mutex_unlock(&ensoniq->src_mutex);
return ES_1371_CODEC_READ(x);
}
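
Review bot: The delay loop added inside the RDY branch reuses `t`, the counter of the enclosing `for (t = 0; t < POLL_COUNT; t++)` poll loop. That is harmless only because the branch returns straight afterwards; a separate counter, plus a comment on why 100 dummy reads of `ES_REG(ensoniq, CONTROL)` are needed before re-reading the codec register, would keep this safe against later edits.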

2011-04-26 21:13:40

by Andi Kleen

Subject: [PATCH] [8/106] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit c4d0c3b097f7584772316ee4d64a09fe0e4ddfca upstream.

The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
xfs_fs_geometry() with a version number of 3. This code path does not
fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
the leaking of four bytes of uninitialized stack data to potentially
unprivileged callers.

v2 switches to memset() to avoid future issues if structure members
change, on suggestion of Dave Chinner.

Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Reviewed-by: Eugene Teo <[email protected]>
Signed-off-by: Alex Elder <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/xfs/xfs_fsops.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/fs/xfs/xfs_fsops.c
===================================================================
--- linux-2.6.35.y.orig/fs/xfs/xfs_fsops.c
+++ linux-2.6.35.y/fs/xfs/xfs_fsops.c
@@ -57,6 +57,9 @@ xfs_fs_geometry(
xfs_fsop_geom_t *geo,
int new_version)
{
+
+ memset(geo, 0, sizeof(*geo));
+
geo->blocksize = mp->m_sb.sb_blocksize;
geo->rtextsize = mp->m_sb.sb_rextsize;
geo->agblocks = mp->m_sb.sb_agblocks;
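
Review bot: Stray blank line directly after the opening brace, before the `memset()`; drop it. Since `memset(geo, 0, sizeof(*geo))` clears a full `xfs_fsop_geom_t` regardless of `new_version`, it is also worth confirming that every caller passes a buffer of at least that size.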

2011-04-26 21:39:06

by Andi Kleen

Subject: [PATCH] [14/106] ROSE: prevent heap corruption with bad facilities

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit be20250c13f88375345ad99950190685eda51eb8 upstream.

When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption. A length of greater than
20 results in a stack overflow of the callsign array. Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/rose/rose_subr.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)

Index: linux-2.6.35.y/net/rose/rose_subr.c
===================================================================
--- linux-2.6.35.y.orig/net/rose/rose_subr.c
+++ linux-2.6.35.y/net/rose/rose_subr.c
@@ -290,10 +290,15 @@ static int rose_parse_national(unsigned
facilities->source_ndigis = 0;
facilities->dest_ndigis = 0;
for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
- if (pt[6] & AX25_HBIT)
+ if (pt[6] & AX25_HBIT) {
+ if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
+ return -1;
memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
- else
+ } else {
+ if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
+ return -1;
memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
+ }
}
}
p += l + 2;
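
Review bot: The new `ROSE_MAX_DIGIS` checks bound the destination arrays, but the loop condition `lg < l` still trusts the peer-supplied `l`. When `l` is not a multiple of `AX25_ADDR_LEN`, the last iteration reads `pt[6]` and copies `AX25_ADDR_LEN` bytes beyond the declared field; rejecting such an `l`, and checking it against the remaining length, would cover the read side as well.
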
@@ -333,6 +338,11 @@ static int rose_parse_ccitt(unsigned cha

case 0xC0:
l = p[1];
+
+ /* Prevent overflows*/
+ if (l < 10 || l > 20)
+ return -1;
+
if (*p == FAC_CCITT_DEST_NSAP) {
memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
memcpy(callsign, p + 12, l - 10);
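
Review bot: `if (l < 10 || l > 20)` bounds the copy into `callsign`, but nothing in these lines compares `l` with the bytes remaining in the facilities field, so `memcpy(callsign, p + 12, l - 10)` can still read past the received data. The new comment also needs a space before the closing `*/`.
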
@@ -373,12 +383,16 @@ int rose_parse_facilities(unsigned char
switch (*p) {
case FAC_NATIONAL: /* National */
len = rose_parse_national(p + 1, facilities, facilities_len - 1);
+ if (len < 0)
+ return 0;
facilities_len -= len + 1;
p += len + 1;
break;

case FAC_CCITT: /* CCITT */
len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+ if (len < 0)
+ return 0;
facilities_len -= len + 1;
p += len + 1;
break;
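
Review bot: Both new `if (len < 0) return 0;` exits leave `facilities` partly filled by the sub-parser that failed. Please confirm that every caller of `rose_parse_facilities()` treats a 0 return as a hard failure and does not use the structure afterwards.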

2011-04-26 21:39:43

by Andi Kleen

Subject: [PATCH] [6/106] staging: hv: Fix GARP not sent after Quick Migration

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Haiyang Zhang <[email protected]>

commit c996edcf1c451b81740abbcca5257ed7e353fcc6 upstream.

After Quick Migration, the network is not immediately operational in the
current context when receiving RNDIS_STATUS_MEDIA_CONNECT event. So, I added
another netif_notify_peers() into a scheduled work, otherwise GARP packet will
not be sent after quick migration, and cause network disconnection.

Thanks to Mike Surcouf <[email protected]> for reporting the bug and
testing the patch.

Reported-by: Mike Surcouf <[email protected]>
Tested-by: Mike Surcouf <[email protected]>
Signed-off-by: Haiyang Zhang <[email protected]>
Signed-off-by: Hank Janssen <[email protected]>
Signed-off-by: Abhishek Kane <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
drivers/staging/hv/netvsc_drv.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)

Index: linux-2.6.35.y/drivers/staging/hv/netvsc_drv.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/hv/netvsc_drv.c
+++ linux-2.6.35.y/drivers/staging/hv/netvsc_drv.c
@@ -46,6 +46,7 @@ struct net_device_context {
/* point back to our device context */
struct vm_device *device_ctx;
unsigned long avail;
+ struct work_struct work;
};

struct netvsc_driver_context {
@@ -237,6 +238,7 @@ static void netvsc_linkstatus_callback(s
{
struct vm_device *device_ctx = to_vm_device(device_obj);
struct net_device *net = dev_get_drvdata(&device_ctx->device);
+ struct net_device_context *ndev_ctx;

DPRINT_ENTER(NETVSC_DRV);

@@ -250,6 +252,8 @@ static void netvsc_linkstatus_callback(s
netif_carrier_on(net);
netif_wake_queue(net);
netif_notify_peers(net);
+ ndev_ctx = netdev_priv(net);
+ schedule_work(&ndev_ctx->work);
} else {
netif_carrier_off(net);
netif_stop_queue(net);
@@ -354,6 +358,25 @@ static const struct net_device_ops devic
.ndo_set_mac_address = eth_mac_addr,
};

+/*
+ * Send GARP packet to network peers after migrations.
+ * After Quick Migration, the network is not immediately operational in the
+ * current context when receiving RNDIS_STATUS_MEDIA_CONNECT event. So, add
+ * another netif_notify_peers() into a scheduled work, otherwise GARP packet
+ * will not be sent after quick migration, and cause network disconnection.
+ */
+static void netvsc_send_garp(struct work_struct *w)
+{
+ struct net_device_context *ndev_ctx;
+ struct net_device *net;
+
+ msleep(20);
+ ndev_ctx = container_of(w, struct net_device_context, work);
+ net = dev_get_drvdata(&ndev_ctx->device_ctx->device);
+ netif_notify_peers(net);
+}
+
+
static int netvsc_probe(struct device *device)
{
struct driver_context *driver_ctx =
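
Review bot: `msleep(20)` in `netvsc_send_garp()` is an unexplained constant: the comment says the network is not immediately operational after the event, but not why 20 ms is long enough. Please document where the value comes from. There are also two blank lines after the function where one is enough.
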
@@ -385,6 +408,7 @@ static int netvsc_probe(struct device *d
net_device_ctx->device_ctx = device_ctx;
net_device_ctx->avail = ring_size;
dev_set_drvdata(device, net);
+ INIT_WORK(&net_device_ctx->work, netvsc_send_garp);

/* Notify the netvsc driver of the new device */
ret = net_drv_obj->Base.OnDeviceAdd(device_obj, &device_info);
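
Review bot: `INIT_WORK()` is added in `netvsc_probe()` and `schedule_work()` in the link status callback, but no hunk in this patch cancels the work when the device is removed. If the device goes away while the work is pending or sleeping, `netvsc_send_garp()` dereferences `ndev_ctx->device_ctx` after it may be gone; a `cancel_work_sync()` in the remove path would cover this.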

2011-04-26 21:39:45

by Andi Kleen

Subject: [PATCH] [12/106] ASoC: Explicitly say registerless widgets have no register

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Mark Brown <[email protected]>

commit 0ca03cd7d0fa3bfbd56958136a10f19733c4ce12 upstream.

This stops code that handles widgets generically from attempting to access
registers for these widgets.

Signed-off-by: Mark Brown <[email protected]>
Acked-by: Liam Girdwood <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
include/sound/soc-dapm.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

Index: linux-2.6.35.y/include/sound/soc-dapm.h
===================================================================
--- linux-2.6.35.y.orig/include/sound/soc-dapm.h
+++ linux-2.6.35.y/include/sound/soc-dapm.h
@@ -46,25 +46,25 @@
/* platform domain */
#define SND_SOC_DAPM_INPUT(wname) \
{ .id = snd_soc_dapm_input, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0}
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM }
#define SND_SOC_DAPM_OUTPUT(wname) \
{ .id = snd_soc_dapm_output, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0}
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM }
#define SND_SOC_DAPM_MIC(wname, wevent) \
{ .id = snd_soc_dapm_mic, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0, .event = wevent, \
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
.event_flags = SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD}
#define SND_SOC_DAPM_HP(wname, wevent) \
{ .id = snd_soc_dapm_hp, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0, .event = wevent, \
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
.event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD}
#define SND_SOC_DAPM_SPK(wname, wevent) \
{ .id = snd_soc_dapm_spk, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0, .event = wevent, \
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
.event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD}
#define SND_SOC_DAPM_LINE(wname, wevent) \
{ .id = snd_soc_dapm_line, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0, .event = wevent, \
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
.event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD}

/* path domain */
@@ -161,11 +161,11 @@
/* events that are pre and post DAPM */
#define SND_SOC_DAPM_PRE(wname, wevent) \
{ .id = snd_soc_dapm_pre, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0, .event = wevent, \
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
.event_flags = SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD}
#define SND_SOC_DAPM_POST(wname, wevent) \
{ .id = snd_soc_dapm_post, .name = wname, .kcontrols = NULL, \
- .num_kcontrols = 0, .event = wevent, \
+ .num_kcontrols = 0, .reg = SND_SOC_NOPM, .event = wevent, \
.event_flags = SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD}

/* stream domain */

2011-04-26 21:39:42

by Andi Kleen

Subject: [PATCH] [9/106] irda: validate peer name and attribute lengths

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit d370af0ef7951188daeb15bae75db7ba57c67846 upstream.

Length fields provided by a peer for names and attributes may be longer
than the destination array sizes. Validate lengths to prevent stack
buffer overflows.

Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/irda/iriap.c | 6 ++++++
1 file changed, 6 insertions(+)

Index: linux-2.6.35.y/net/irda/iriap.c
===================================================================
--- linux-2.6.35.y.orig/net/irda/iriap.c
+++ linux-2.6.35.y/net/irda/iriap.c
@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indica
n = 1;

name_len = fp[n++];
+
+ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
+
memcpy(name, fp+n, name_len); n+=name_len;
name[name_len] = '\0';

attr_len = fp[n++];
+
+ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
+
memcpy(attr, fp+n, attr_len); n+=attr_len;
attr[attr_len] = '\0';
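
Review bot: Both length checks are written as `IRDA_ASSERT(..., return;)`, so they only protect the `memcpy()` calls if that macro is still evaluated in builds without IrDA debugging enabled. Since `name_len` and `attr_len` come from the peer, an explicit `if (name_len > IAS_MAX_CLASSNAME) return;` style test would not depend on the debug configuration.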

2011-04-26 21:40:46

by Andi Kleen

Subject: [PATCH] [10/106] irda: prevent heap corruption on invalid nickname

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Dan Rosenberg <[email protected]>

commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream.

Invalid nicknames containing only spaces will result in an underflow in
a memcpy size calculation, subsequently destroying the heap and
panicking.

v2 also catches the case where the provided nickname is longer than the
buffer size, which can result in controllable heap corruption.

Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
net/irda/irnet/irnet_ppp.c | 3 +++
1 file changed, 3 insertions(+)

Index: linux-2.6.35.y/net/irda/irnet/irnet_ppp.c
===================================================================
--- linux-2.6.35.y.orig/net/irda/irnet/irnet_ppp.c
+++ linux-2.6.35.y/net/irda/irnet/irnet_ppp.c
@@ -106,6 +106,9 @@ irnet_ctrl_write(irnet_socket * ap,
while(isspace(start[length - 1]))
length--;

+ DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5,
+ -EINVAL, CTRL_ERROR, "Invalid nickname.\n");
+
/* Copy the name for later reuse */
memcpy(ap->rname, start + 5, length - 5);
ap->rname[length - 5] = '\0';
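
Review bot: The new `DABORT()` runs only after the `while(isspace(start[length - 1])) length--;` loop shown just above it, and that loop has no lower bound of its own: it relies on a non-space byte earlier in the buffer to stop. Adding `length > 0 &&` to the loop condition would make the trim independent of what precedes the nickname.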

2011-04-26 21:41:00

by Andi Kleen

Subject: [PATCH] [5/106] staging: usbip: bugfix for isochronous packets and optimization

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Arjan Mels <[email protected]>

commit 28276a28d8b3cd19f4449991faad4945fe557656 upstream.

For isochronous packets the actual_length is the sum of the actual
length of each of the packets, however between the packets might be
padding, so it is not sufficient to just send the first actual_length
bytes of the buffer. To fix this and simultaneously optimize the
bandwidth the content of the isochronous packets are sent without the
padding, the padding is restored on the receiving end.

Signed-off-by: Arjan Mels <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Takahiro Hirofuchi <[email protected]>
Cc: Max Vozeler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/usbip/stub_tx.c | 74 ++++++++++++++++++++++++++++-------
drivers/staging/usbip/usbip_common.c | 57 ++++++++++++++++++++++++++
drivers/staging/usbip/usbip_common.h | 2
drivers/staging/usbip/vhci_rx.c | 3 +
4 files changed, 122 insertions(+), 14 deletions(-)

Index: linux-2.6.35.y/drivers/staging/usbip/stub_tx.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/usbip/stub_tx.c
+++ linux-2.6.35.y/drivers/staging/usbip/stub_tx.c
@@ -169,7 +169,6 @@ static int stub_send_ret_submit(struct s
struct stub_priv *priv, *tmp;

struct msghdr msg;
- struct kvec iov[3];
size_t txsize;

size_t total_size = 0;
@@ -179,28 +178,73 @@ static int stub_send_ret_submit(struct s
struct urb *urb = priv->urb;
struct usbip_header pdu_header;
void *iso_buffer = NULL;
+ struct kvec *iov = NULL;
+ int iovnum = 0;

txsize = 0;
memset(&pdu_header, 0, sizeof(pdu_header));
memset(&msg, 0, sizeof(msg));
- memset(&iov, 0, sizeof(iov));

- usbip_dbg_stub_tx("setup txdata urb %p\n", urb);
+ if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
+ iovnum = 2 + urb->number_of_packets;
+ else
+ iovnum = 2;
+
+ iov = kzalloc(iovnum * sizeof(struct kvec), GFP_KERNEL);

+ if (!iov) {
+ usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_MALLOC);
+ return -1;
+ }
+
+ iovnum = 0;

/* 1. setup usbip_header */
setup_ret_submit_pdu(&pdu_header, urb);
+ usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
+ pdu_header.base.seqnum, urb);
+ /*usbip_dump_header(pdu_header);*/
usbip_header_correct_endian(&pdu_header, 1);

- iov[0].iov_base = &pdu_header;
- iov[0].iov_len = sizeof(pdu_header);
+ iov[iovnum].iov_base = &pdu_header;
+ iov[iovnum].iov_len = sizeof(pdu_header);
+ iovnum++;
txsize += sizeof(pdu_header);

/* 2. setup transfer buffer */
- if (usb_pipein(urb->pipe) && urb->actual_length > 0) {
- iov[1].iov_base = urb->transfer_buffer;
- iov[1].iov_len = urb->actual_length;
+ if (usb_pipein(urb->pipe) &&
+ usb_pipetype(urb->pipe) != PIPE_ISOCHRONOUS &&
+ urb->actual_length > 0) {
+ iov[iovnum].iov_base = urb->transfer_buffer;
+ iov[iovnum].iov_len = urb->actual_length;
+ iovnum++;
txsize += urb->actual_length;
+ } else if (usb_pipein(urb->pipe) &&
+ usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
+ /*
+ * For isochronous packets: actual length is the sum of
+ * the actual length of the individual, packets, but as
+ * the packet offsets are not changed there will be
+ * padding between the packets. To optimally use the
+ * bandwidth the padding is not transmitted.
+ */
+
+ int i;
+ for (i = 0; i < urb->number_of_packets; i++) {
+ iov[iovnum].iov_base = urb->transfer_buffer + urb->iso_frame_desc[i].offset;
+ iov[iovnum].iov_len = urb->iso_frame_desc[i].actual_length;
+ iovnum++;
+ txsize += urb->iso_frame_desc[i].actual_length;
+ }
+
+ if (txsize != sizeof(pdu_header) + urb->actual_length) {
+ dev_err(&sdev->interface->dev,
+ "actual length of urb (%d) does not match iso packet sizes (%d)\n",
+ urb->actual_length, txsize-sizeof(pdu_header));
+ kfree(iov);
+ usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
+ return -1;
+ }
}

/* 3. setup iso_packet_descriptor */
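
Review bot: `kzalloc(iovnum * sizeof(struct kvec), GFP_KERNEL)` sizes the array from `urb->number_of_packets` with an unchecked multiplication; `kcalloc(iovnum, sizeof(*iov), GFP_KERNEL)` does the overflow check for you. In the isochronous branch the `dev_err()` also prints `txsize-sizeof(pdu_header)`, which is a `size_t`, with `%d`; use `%zu`.
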
@@ -211,32 +255,34 @@ static int stub_send_ret_submit(struct s
if (!iso_buffer) {
usbip_event_add(&sdev->ud,
SDEV_EVENT_ERROR_MALLOC);
+ kfree(iov);
return -1;
}

- iov[2].iov_base = iso_buffer;
- iov[2].iov_len = len;
+ iov[iovnum].iov_base = iso_buffer;
+ iov[iovnum].iov_len = len;
txsize += len;
+ iovnum++;
}

- ret = kernel_sendmsg(sdev->ud.tcp_socket, &msg, iov,
- 3, txsize);
+ ret = kernel_sendmsg(sdev->ud.tcp_socket, &msg,
+ iov, iovnum, txsize);
if (ret != txsize) {
dev_err(&sdev->interface->dev,
"sendmsg failed!, retval %d for %zd\n",
ret, txsize);
+ kfree(iov);
kfree(iso_buffer);
usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
return -1;
}

+ kfree(iov);
kfree(iso_buffer);
- usbip_dbg_stub_tx("send txdata\n");

total_size += txsize;
}

-
spin_lock_irqsave(&sdev->priv_lock, flags);

list_for_each_entry_safe(priv, tmp, &sdev->priv_free, list) {
Index: linux-2.6.35.y/drivers/staging/usbip/usbip_common.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/usbip/usbip_common.c
+++ linux-2.6.35.y/drivers/staging/usbip/usbip_common.c
@@ -835,6 +835,7 @@ int usbip_recv_iso(struct usbip_device *
int size = np * sizeof(*iso);
int i;
int ret;
+ int total_length = 0;

if (!usb_pipeisoc(urb->pipe))
return 0;
@@ -864,19 +865,75 @@ int usbip_recv_iso(struct usbip_device *
return -EPIPE;
}

+
for (i = 0; i < np; i++) {
iso = buff + (i * sizeof(*iso));

usbip_iso_pakcet_correct_endian(iso, 0);
usbip_pack_iso(iso, &urb->iso_frame_desc[i], 0);
+ total_length += urb->iso_frame_desc[i].actual_length;
}

kfree(buff);

+ if (total_length != urb->actual_length) {
+ dev_err(&urb->dev->dev,
+ "total length of iso packets (%d) not equal to actual length of buffer (%d)\n",
+ total_length, urb->actual_length);
+
+ if (ud->side == USBIP_STUB)
+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
+ else
+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
+
+ return -EPIPE;
+ }
+
return ret;
}
EXPORT_SYMBOL_GPL(usbip_recv_iso);

+/*
+ * This functions restores the padding which was removed for optimizing
+ * the bandwidth during transfer over tcp/ip
+ *
+ * buffer and iso packets need to be stored and be in propeper endian in urb
+ * before calling this function
+ */
+int usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
+{
+ int np = urb->number_of_packets;
+ int i;
+ int ret;
+ int actualoffset = urb->actual_length;
+
+ if (!usb_pipeisoc(urb->pipe))
+ return 0;
+
+ /* if no packets or length of data is 0, then nothing to unpack */
+ if (np == 0 || urb->actual_length == 0)
+ return 0;
+
+ /*
+ * if actual_length is transfer_buffer_length then no padding is
+ * present.
+ */
+ if (urb->actual_length == urb->transfer_buffer_length)
+ return 0;
+
+ /*
+ * loop over all packets from last to first (to prevent overwritting
+ * memory when padding) and move them into the proper place
+ */
+ for (i = np-1; i > 0; i--) {
+ actualoffset -= urb->iso_frame_desc[i].actual_length;
+ memmove(urb->transfer_buffer + urb->iso_frame_desc[i].offset,
+ urb->transfer_buffer + actualoffset,
+ urb->iso_frame_desc[i].actual_length);
+ }
+ return ret;
+}
+EXPORT_SYMBOL_GPL(usbip_pad_iso);

/* some members of urb must be substituted before. */
int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
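
Review bot: `usbip_pad_iso()` declares `int ret;`, never assigns it, and ends with `return ret;`, so the caller's `usbip_pad_iso(ud, urb) < 0` test acts on an uninitialized value. Return 0 explicitly. The `memmove()` loop also uses each `iso_frame_desc[i].offset` and `actual_length` as unpacked from the peer in `usbip_recv_iso()`, without checking them against `transfer_buffer_length`.
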
Index: linux-2.6.35.y/drivers/staging/usbip/usbip_common.h
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/usbip/usbip_common.h
+++ linux-2.6.35.y/drivers/staging/usbip/usbip_common.h
@@ -393,6 +393,8 @@ void usbip_header_correct_endian(struct
int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb);
/* some members of urb must be substituted before. */
int usbip_recv_iso(struct usbip_device *ud, struct urb *urb);
+/* some members of urb must be substituted before. */
+int usbip_pad_iso(struct usbip_device *ud, struct urb *urb);
void *usbip_alloc_iso_desc_pdu(struct urb *urb, ssize_t *bufflen);


Index: linux-2.6.35.y/drivers/staging/usbip/vhci_rx.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/usbip/vhci_rx.c
+++ linux-2.6.35.y/drivers/staging/usbip/vhci_rx.c
@@ -99,6 +99,9 @@ static void vhci_recv_ret_submit(struct
if (usbip_recv_iso(ud, urb) < 0)
return;

+ /* restore the padding in iso packets */
+ if (usbip_pad_iso(ud, urb) < 0)
+ return;

if (usbip_dbg_flag_vhci_rx)
usbip_dump_urb(urb);
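
The strip-and-restore scheme this commit message describes, modelled in user space as an added example (not code from the patch or from the usbip driver). `struct iso_desc`, the function names and the sample data are assumptions made for illustration; unlike the patch, the receiver here validates offsets and lengths before moving anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the offset/actual_length fields of one iso
 * frame descriptor; this is not the kernel structure. */
struct iso_desc {
    uint32_t offset;        /* position of the packet in the padded buffer */
    uint32_t actual_length; /* bytes actually transferred for the packet */
};

/* Accept descriptors only if every packet lies inside the buffer, packets
 * are ordered and do not overlap, and their lengths sum to actual_length. */
int iso_validate(const struct iso_desc *d, size_t np,
                 size_t buflen, size_t actual_length)
{
    size_t sum = 0, prev_end = 0;

    for (size_t i = 0; i < np; i++) {
        size_t off = d[i].offset, len = d[i].actual_length;

        if (off < prev_end || off > buflen || len > buflen - off)
            return -1;
        prev_end = off + len;
        sum += len;
    }
    return sum == actual_length ? 0 : -1;
}

/* Sender: copy only the payload bytes to the wire buffer, dropping the
 * padding. Returns the number of bytes written, or -1 on bad input. */
long iso_strip(const unsigned char *padded, size_t buflen,
               const struct iso_desc *d, size_t np, size_t actual_length,
               unsigned char *wire, size_t wirelen)
{
    size_t out = 0;

    if (iso_validate(d, np, buflen, actual_length) < 0 ||
        actual_length > wirelen)
        return -1;
    for (size_t i = 0; i < np; i++) {
        memcpy(wire + out, padded + d[i].offset, d[i].actual_length);
        out += d[i].actual_length;
    }
    return (long)out;
}

/* Receiver: buf holds actual_length packed bytes at its start. Move each
 * packet to its offset, last packet first, so that a move never lands on
 * packed data that has not been moved yet. Returns 0, or -1 on bad input. */
int iso_pad(unsigned char *buf, size_t buflen,
            const struct iso_desc *d, size_t np, size_t actual_length)
{
    size_t src = actual_length;

    if (iso_validate(d, np, buflen, actual_length) < 0)
        return -1;
    for (size_t i = np; i-- > 0; ) {
        src -= d[i].actual_length;
        memmove(buf + d[i].offset, buf + src, d[i].actual_length);
    }
    return 0;
}

/* Round trip over constructed data: three 8-byte slots holding 3, 0 and 5
 * payload bytes. Returns 0 when the receiver ends up with the same layout. */
int demo_roundtrip(void)
{
    const struct iso_desc d[3] = { {0, 3}, {8, 0}, {16, 5} };
    unsigned char tx[24], rx[24], wire[8];

    memset(tx, '.', sizeof(tx));
    memcpy(tx, "abc", 3);
    memcpy(tx + 16, "hello", 5);
    if (iso_strip(tx, sizeof(tx), d, 3, 8, wire, sizeof(wire)) != 8)
        return -1;
    if (memcmp(wire, "abchello", 8) != 0)
        return -1;
    memset(rx, '.', sizeof(rx));
    memcpy(rx, wire, 8);
    if (iso_pad(rx, sizeof(rx), d, 3, 8) < 0)
        return -1;
    return (memcmp(rx, "abc", 3) == 0 &&
            memcmp(rx + 16, "hello", 5) == 0) ? 0 : -1;
}

int main(void)
{
    printf("round trip: %s\n", demo_roundtrip() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The bytes left between the restored packets are stale packed data, so a consumer must read only `actual_length` bytes at each `offset`.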

2011-04-26 21:41:01

by Andi Kleen

Subject: [PATCH] [4/106] staging: usbip: bugfix add number of packets for isochronous frames

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Arjan Mels <[email protected]>

commit 1325f85fa49f57df034869de430f7c302ae23109 upstream.

The number_of_packets was not transmitted for RET_SUBMIT packets. The
linux client used the stored number_of_packet from the submitted
request. The windows userland client does not do this however and needs
to know the number_of_packets to determine the size of the transmission.

Signed-off-by: Arjan Mels <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Cc: Takahiro Hirofuchi <[email protected]>
Cc: Max Vozeler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/usbip/usbip_common.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/drivers/staging/usbip/usbip_common.c
===================================================================
--- linux-2.6.35.y.orig/drivers/staging/usbip/usbip_common.c
+++ linux-2.6.35.y/drivers/staging/usbip/usbip_common.c
@@ -334,10 +334,11 @@ void usbip_dump_header(struct usbip_head
usbip_udbg("CMD_UNLINK: seq %u\n", pdu->u.cmd_unlink.seqnum);
break;
case USBIP_RET_SUBMIT:
- usbip_udbg("RET_SUBMIT: st %d al %u sf %d ec %d\n",
+ usbip_udbg("RET_SUBMIT: st %d al %u sf %d #p %d ec %d\n",
pdu->u.ret_submit.status,
pdu->u.ret_submit.actual_length,
pdu->u.ret_submit.start_frame,
+ pdu->u.ret_submit.number_of_packets,
pdu->u.ret_submit.error_count);
case USBIP_RET_UNLINK:
usbip_udbg("RET_UNLINK: status %d\n", pdu->u.ret_unlink.status);
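
Review bot: The `USBIP_RET_SUBMIT` case touched here has no `break` before `case USBIP_RET_UNLINK:`, so every RET_SUBMIT dump falls through and also prints a RET_UNLINK line. Since the format string is being changed anyway, add the `break` in the same patch.
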
@@ -625,6 +626,7 @@ static void usbip_pack_ret_submit(struct
rpdu->status = urb->status;
rpdu->actual_length = urb->actual_length;
rpdu->start_frame = urb->start_frame;
+ rpdu->number_of_packets = urb->number_of_packets;
rpdu->error_count = urb->error_count;
} else {
/* vhci_rx.c */
@@ -632,6 +634,7 @@ static void usbip_pack_ret_submit(struct
urb->status = rpdu->status;
urb->actual_length = rpdu->actual_length;
urb->start_frame = rpdu->start_frame;
+ urb->number_of_packets = rpdu->number_of_packets;
urb->error_count = rpdu->error_count;
}
}
@@ -700,11 +703,13 @@ static void correct_endian_ret_submit(st
cpu_to_be32s(&pdu->status);
cpu_to_be32s(&pdu->actual_length);
cpu_to_be32s(&pdu->start_frame);
+ cpu_to_be32s(&pdu->number_of_packets);
cpu_to_be32s(&pdu->error_count);
} else {
be32_to_cpus(&pdu->status);
be32_to_cpus(&pdu->actual_length);
be32_to_cpus(&pdu->start_frame);
+ cpu_to_be32s(&pdu->number_of_packets);
be32_to_cpus(&pdu->error_count);
}
}
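
Review bot: In the receive (`else`) branch the new line uses `cpu_to_be32s(&pdu->number_of_packets)` while every neighbouring field uses `be32_to_cpus()`. The byte swap is the same in both directions, so the value comes out right, but the call should be `be32_to_cpus()` so the branch is consistent and endianness annotations stay correct.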

2011-04-26 21:13:32

by Andi Kleen

Subject: [PATCH] [2/106] qla2xxx: Make the FC port capability mutual exclusive.

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Andrew Vasquez <[email protected]>

[ upstream commit b0cd579cde8ee0c7ed52239531ba09bcbc5b54c2 ]

In case of both target and initiator capabilities reported by fc port,
the fc port capability is made mutually exclusive with priority given
for target capabilities.

Signed-off-by: Giridhar Malavali <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Acked-by: Madhuranath Iyengar <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

Index: linux-2.6.35.y/drivers/scsi/qla2xxx/qla_isr.c
===================================================================
--- linux-2.6.35.y.orig/drivers/scsi/qla2xxx/qla_isr.c
+++ linux-2.6.35.y/drivers/scsi/qla2xxx/qla_isr.c
@@ -1119,9 +1119,9 @@ qla24xx_logio_entry(scsi_qla_host_t *vha
fcport->port_type = FCT_TARGET;
if (iop[0] & BIT_8)
fcport->flags |= FCF_FCP2_DEVICE;
- }
- if (iop[0] & BIT_5)
+ } else if (iop[0] & BIT_5)
fcport->port_type = FCT_INITIATOR;
+
if (logio->io_parameter[7] || logio->io_parameter[8])
fcport->supported_classes |= FC_COS_CLASS2;
if (logio->io_parameter[9] || logio->io_parameter[10])
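
Review bot: `} else if (iop[0] & BIT_5)` attaches an unbraced branch to a braced `if`; kernel coding style wants braces on both branches in that case. Adding them also makes it obvious that `fcport->port_type = FCT_INITIATOR;` is the only statement under the `else if`.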

2011-04-26 21:41:38

by Andi Kleen

Subject: [PATCH] [1/106] mm: page allocator: adjust the per-cpu counter threshold when memory is low

2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
Upstream commit 88f5acf88ae6a9778f6d25d0d5d7ec2d57764a97

Commit aa45484 ("calculate a better estimate of NR_FREE_PAGES when memory
is low") noted that watermarks were based on the vmstat NR_FREE_PAGES. To
avoid synchronization overhead, these counters are maintained on a per-cpu
basis and drained both periodically and when a threshold is above a
threshold. On large CPU systems, the difference between the estimate and
real value of NR_FREE_PAGES can be very high. The system can get into a
case where pages are allocated far below the min watermark potentially
causing livelock issues. The commit solved the problem by taking a better
reading of NR_FREE_PAGES when memory was low.

Unfortunately, as reported by Shaohua Li this accurate reading can consume a
large amount of CPU time on systems with many sockets due to cache line
bouncing. This patch takes a different approach. For large machines
where counter drift might be unsafe and while kswapd is awake, the per-cpu
thresholds for the target pgdat are reduced to limit the level of drift to
what should be a safe level. This incurs a performance penalty in heavy
memory pressure by a factor that depends on the workload and the machine
but the machine should function correctly without accidentally exhausting
all memory on a node. There is an additional cost when kswapd wakes and
sleeps but the event is not expected to be frequent - in Shaohua's test
case, there was one recorded sleep and wake event at least.

To ensure that kswapd wakes up, a safe version of zone_watermark_ok() is
introduced that takes a more accurate reading of NR_FREE_PAGES when called
from wakeup_kswapd, when deciding whether it is really safe to go back to
sleep in sleeping_prematurely() and when deciding if a zone is really
balanced or not in balance_pgdat(). We are still using an expensive
function but limiting how often it is called.

When the test case is reproduced, the time spent in the watermark
functions is reduced. The following report is on the percentage of time
cumulatively spent in the functions zone_nr_free_pages(),
zone_watermark_ok(), __zone_watermark_ok(), zone_watermark_ok_safe(),
zone_page_state_snapshot(), zone_page_state().

vanilla 11.6615%
disable-threshold 0.2584%

David said:

: We had to pull aa454840 "mm: page allocator: calculate a better estimate
: of NR_FREE_PAGES when memory is low and kswapd is awake" from 2.6.36
: internally because tests showed that it would cause the machine to stall
: as the result of heavy kswapd activity. I merged it back with this fix as
: it is pending in the -mm tree and it solves the issue we were seeing, so I
: definitely think this should be pushed to -stable (and I would seriously
: consider it for 2.6.37 inclusion even at this late date).

Signed-off-by: Mel Gorman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Reported-by: Shaohua Li <[email protected]>
Reviewed-by: Christoph Lameter <[email protected]>
Tested-by: Nicolas Bareil <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Kyle McMartin <[email protected]>
Cc: <[email protected]> [2.6.37.1, 2.6.36.x]
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

backported from 88f5acf88ae6a9778f6d25d0d5d7ec2d57764a97
BugLink: http://bugs.launchpad.net/bugs/719446
Signed-off-by: Tim Gardner <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
---
include/linux/mmzone.h | 10 ++-----
include/linux/vmstat.h | 5 +++
mm/mmzone.c | 21 ---------------
mm/page_alloc.c | 35 +++++++++++++++++++------
mm/vmscan.c | 25 ++++++++++--------
mm/vmstat.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++-
6 files changed, 116 insertions(+), 48 deletions(-)

Index: linux-2.6.35.y/include/linux/mmzone.h
===================================================================
--- linux-2.6.35.y.orig/include/linux/mmzone.h
+++ linux-2.6.35.y/include/linux/mmzone.h
@@ -463,12 +463,6 @@ static inline int zone_is_oom_locked(con
return test_bit(ZONE_OOM_LOCKED, &zone->flags);
}

-#ifdef CONFIG_SMP
-unsigned long zone_nr_free_pages(struct zone *zone);
-#else
-#define zone_nr_free_pages(zone) zone_page_state(zone, NR_FREE_PAGES)
-#endif /* CONFIG_SMP */
-
/*
* The "priority" of VM scanning is how much of the queues we will scan in one
* go. A value of 12 for DEF_PRIORITY implies that we will scan 1/4096th of the
@@ -668,7 +662,9 @@ void get_zone_counts(unsigned long *acti
unsigned long *free);
void build_all_zonelists(void *data);
void wakeup_kswapd(struct zone *zone, int order);
-int zone_watermark_ok(struct zone *z, int order, unsigned long mark,
+bool zone_watermark_ok(struct zone *z, int order, unsigned long mark,
+ int classzone_idx, int alloc_flags);
+bool zone_watermark_ok_safe(struct zone *z, int order, unsigned long mark,
int classzone_idx, int alloc_flags);
enum memmap_context {
MEMMAP_EARLY,
Index: linux-2.6.35.y/include/linux/vmstat.h
===================================================================
--- linux-2.6.35.y.orig/include/linux/vmstat.h
+++ linux-2.6.35.y/include/linux/vmstat.h
@@ -254,6 +254,8 @@ extern void dec_zone_state(struct zone *
extern void __dec_zone_state(struct zone *, enum zone_stat_item);

void refresh_cpu_vm_stats(int);
+void reduce_pgdat_percpu_threshold(pg_data_t *pgdat);
+void restore_pgdat_percpu_threshold(pg_data_t *pgdat);
#else /* CONFIG_SMP */

/*
@@ -298,6 +300,9 @@ static inline void __dec_zone_page_state
#define dec_zone_page_state __dec_zone_page_state
#define mod_zone_page_state __mod_zone_page_state

+static inline void reduce_pgdat_percpu_threshold(pg_data_t *pgdat) { }
+static inline void restore_pgdat_percpu_threshold(pg_data_t *pgdat) { }
+
static inline void refresh_cpu_vm_stats(int cpu) { }
#endif

Index: linux-2.6.35.y/mm/mmzone.c
===================================================================
--- linux-2.6.35.y.orig/mm/mmzone.c
+++ linux-2.6.35.y/mm/mmzone.c
@@ -87,24 +87,3 @@ int memmap_valid_within(unsigned long pf
return 1;
}
#endif /* CONFIG_ARCH_HAS_HOLES_MEMORYMODEL */
-
-#ifdef CONFIG_SMP
-/* Called when a more accurate view of NR_FREE_PAGES is needed */
-unsigned long zone_nr_free_pages(struct zone *zone)
-{
- unsigned long nr_free_pages = zone_page_state(zone, NR_FREE_PAGES);
-
- /*
- * While kswapd is awake, it is considered the zone is under some
- * memory pressure. Under pressure, there is a risk that
- * per-cpu-counter-drift will allow the min watermark to be breached
- * potentially causing a live-lock. While kswapd is awake and
- * free pages are low, get a better estimate for free pages
- */
- if (nr_free_pages < zone->percpu_drift_mark &&
- !waitqueue_active(&zone->zone_pgdat->kswapd_wait))
- return zone_page_state_snapshot(zone, NR_FREE_PAGES);
-
- return nr_free_pages;
-}
-#endif /* CONFIG_SMP */
Index: linux-2.6.35.y/mm/page_alloc.c
===================================================================
--- linux-2.6.35.y.orig/mm/page_alloc.c
+++ linux-2.6.35.y/mm/page_alloc.c
@@ -1459,24 +1459,24 @@ static inline int should_fail_alloc_page
#endif /* CONFIG_FAIL_PAGE_ALLOC */

/*
- * Return 1 if free pages are above 'mark'. This takes into account the order
+ * Return true if free pages are above 'mark'. This takes into account the order
* of the allocation.
*/
-int zone_watermark_ok(struct zone *z, int order, unsigned long mark,
- int classzone_idx, int alloc_flags)
+static bool __zone_watermark_ok(struct zone *z, int order, unsigned long mark,
+ int classzone_idx, int alloc_flags, long free_pages)
{
/* free_pages my go negative - that's OK */
long min = mark;
- long free_pages = zone_nr_free_pages(z) - (1 << order) + 1;
int o;

+ free_pages -= (1 << order) + 1;
if (alloc_flags & ALLOC_HIGH)
min -= min / 2;
if (alloc_flags & ALLOC_HARDER)
min -= min / 4;

if (free_pages <= min + z->lowmem_reserve[classzone_idx])
- return 0;
+ return false;
for (o = 0; o < order; o++) {
/* At the next order, this order's pages become unavailable */
free_pages -= z->free_area[o].nr_free << o;
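Review bot: the order adjustment in __zone_watermark_ok() no longer computes the same value. The removed line was `zone_nr_free_pages(z) - (1 << order) + 1`, but `free_pages -= (1 << order) + 1;` subtracts the whole of `(1 << order) + 1`, so free_pages comes out two pages lower than before for every order. If the old arithmetic is intended, this should be `free_pages -= (1 << order) - 1;`. The context comment "free_pages my go negative" also carries a typo that could be fixed while the function is being touched.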
@@ -1485,9 +1485,28 @@ int zone_watermark_ok(struct zone *z, in
min >>= 1;

if (free_pages <= min)
- return 0;
+ return false;
}
- return 1;
+ return true;
+}
+
+bool zone_watermark_ok(struct zone *z, int order, unsigned long mark,
+ int classzone_idx, int alloc_flags)
+{
+ return __zone_watermark_ok(z, order, mark, classzone_idx, alloc_flags,
+ zone_page_state(z, NR_FREE_PAGES));
+}
+
+bool zone_watermark_ok_safe(struct zone *z, int order, unsigned long mark,
+ int classzone_idx, int alloc_flags)
+{
+ long free_pages = zone_page_state(z, NR_FREE_PAGES);
+
+ if (z->percpu_drift_mark && free_pages < z->percpu_drift_mark)
+ free_pages = zone_page_state_snapshot(z, NR_FREE_PAGES);
+
+ return __zone_watermark_ok(z, order, mark, classzone_idx, alloc_flags,
+ free_pages);
}

#ifdef CONFIG_NUMA
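Review bot: zone_watermark_ok() and zone_watermark_ok_safe() are added with no comment telling a caller which one to use; the only explanation is in the changelog. A short comment above zone_watermark_ok_safe() saying that it falls back to zone_page_state_snapshot() once the estimate is below percpu_drift_mark, and that it is the expensive variant meant for the kswapd paths, would keep new callers from picking the wrong one.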
@@ -2430,7 +2449,7 @@ void show_free_areas(void)
" all_unreclaimable? %s"
"\n",
zone->name,
- K(zone_nr_free_pages(zone)),
+ K(zone_page_state(zone, NR_FREE_PAGES)),
K(min_wmark_pages(zone)),
K(low_wmark_pages(zone)),
K(high_wmark_pages(zone)),
Index: linux-2.6.35.y/mm/vmscan.c
===================================================================
--- linux-2.6.35.y.orig/mm/vmscan.c
+++ linux-2.6.35.y/mm/vmscan.c
@@ -2007,7 +2007,7 @@ static int sleeping_prematurely(pg_data_
if (zone->all_unreclaimable)
continue;

- if (!zone_watermark_ok(zone, order, high_wmark_pages(zone),
+ if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone),
0, 0))
return 1;
}
@@ -2104,7 +2104,7 @@ loop_again:
shrink_active_list(SWAP_CLUSTER_MAX, zone,
&sc, priority, 0);

- if (!zone_watermark_ok(zone, order,
+ if (!zone_watermark_ok_safe(zone, order,
high_wmark_pages(zone), 0, 0)) {
end_zone = i;
break;
@@ -2155,7 +2155,7 @@ loop_again:
* We put equal pressure on every zone, unless one
* zone has way too many pages free already.
*/
- if (!zone_watermark_ok(zone, order,
+ if (!zone_watermark_ok_safe(zone, order,
8*high_wmark_pages(zone), end_zone, 0))
shrink_zone(priority, zone, &sc);
reclaim_state->reclaimed_slab = 0;
@@ -2176,7 +2176,7 @@ loop_again:
total_scanned > sc.nr_reclaimed + sc.nr_reclaimed / 2)
sc.may_writepage = 1;

- if (!zone_watermark_ok(zone, order,
+ if (!zone_watermark_ok_safe(zone, order,
high_wmark_pages(zone), end_zone, 0)) {
all_zones_ok = 0;
/*
@@ -2184,7 +2184,7 @@ loop_again:
* means that we have a GFP_ATOMIC allocation
* failure risk. Hurry up!
*/
- if (!zone_watermark_ok(zone, order,
+ if (!zone_watermark_ok_safe(zone, order,
min_wmark_pages(zone), end_zone, 0))
has_under_min_watermark_zone = 1;
}
@@ -2326,9 +2326,11 @@ static int kswapd(void *p)
* premature sleep. If not, then go fully
* to sleep until explicitly woken up
*/
- if (!sleeping_prematurely(pgdat, order, remaining))
+ if (!sleeping_prematurely(pgdat, order, remaining)) {
+ restore_pgdat_percpu_threshold(pgdat);
schedule();
- else {
+ reduce_pgdat_percpu_threshold(pgdat);
+ } else {
if (remaining)
count_vm_event(KSWAPD_LOW_WMARK_HIT_QUICKLY);
else
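Review bot: reduce_pgdat_percpu_threshold() is called only after schedule() returns, and this is the only call site in the patch, so nothing shown here lowers the thresholds before kswapd's first full sleep. If kswapd can take the `else` branch (premature sleep) before it has ever slept fully, it runs with the normal thresholds; either add a call before the loop or say in the changelog why that window does not matter.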
@@ -2364,15 +2366,16 @@ void wakeup_kswapd(struct zone *zone, in
if (!populated_zone(zone))
return;

- pgdat = zone->zone_pgdat;
- if (zone_watermark_ok(zone, order, low_wmark_pages(zone), 0, 0))
+ if (!cpuset_zone_allowed_hardwall(zone, GFP_KERNEL))
return;
+ pgdat = zone->zone_pgdat;
if (pgdat->kswapd_max_order < order)
pgdat->kswapd_max_order = order;
- if (!cpuset_zone_allowed_hardwall(zone, GFP_KERNEL))
- return;
if (!waitqueue_active(&pgdat->kswapd_wait))
return;
+ if (zone_watermark_ok_safe(zone, order, low_wmark_pages(zone), 0, 0))
+ return;
+
wake_up_interruptible(&pgdat->kswapd_wait);
}
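Review bot: moving the watermark test to the end of wakeup_kswapd() changes more than its cost. pgdat->kswapd_max_order is now raised before `zone_watermark_ok_safe(...)` is evaluated, so it is updated even when the zone is above the low watermark and no wakeup follows; in the removed ordering the function returned before touching it. Please confirm that this is intended and mention it in the changelog.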

Index: linux-2.6.35.y/mm/vmstat.c
===================================================================
--- linux-2.6.35.y.orig/mm/vmstat.c
+++ linux-2.6.35.y/mm/vmstat.c
@@ -81,6 +81,30 @@ EXPORT_SYMBOL(vm_stat);

#ifdef CONFIG_SMP

+static int calculate_pressure_threshold(struct zone *zone)
+{
+ int threshold;
+ int watermark_distance;
+
+ /*
+ * As vmstats are not up to date, there is drift between the estimated
+ * and real values. For high thresholds and a high number of CPUs, it
+ * is possible for the min watermark to be breached while the estimated
+ * value looks fine. The pressure threshold is a reduced value such
+ * that even the maximum amount of drift will not accidentally breach
+ * the min watermark
+ */
+ watermark_distance = low_wmark_pages(zone) - min_wmark_pages(zone);
+ threshold = max(1, (int)(watermark_distance / num_online_cpus()));
+
+ /*
+ * Maximum threshold is 125
+ */
+ threshold = min(125, threshold);
+
+ return threshold;
+}
+
static int calculate_threshold(struct zone *zone)
{
int threshold;
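Review bot: the comment in calculate_pressure_threshold() promises that the maximum drift cannot breach the min watermark, but `max(1, ...)` breaks that promise when watermark_distance is smaller than num_online_cpus(): the threshold is then 1 per CPU and the summed drift can exceed the distance. Either document that case or word the comment as best effort. The literal 125 would also read better as a named constant with a note on where the limit comes from.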
@@ -159,6 +183,48 @@ static void refresh_zone_stat_thresholds
}
}

+void reduce_pgdat_percpu_threshold(pg_data_t *pgdat)
+{
+ struct zone *zone;
+ int cpu;
+ int threshold;
+ int i;
+
+ get_online_cpus();
+ for (i = 0; i < pgdat->nr_zones; i++) {
+ zone = &pgdat->node_zones[i];
+ if (!zone->percpu_drift_mark)
+ continue;
+
+ threshold = calculate_pressure_threshold(zone);
+ for_each_online_cpu(cpu)
+ per_cpu_ptr(zone->pageset, cpu)->stat_threshold
+ = threshold;
+ }
+ put_online_cpus();
+}
+
+void restore_pgdat_percpu_threshold(pg_data_t *pgdat)
+{
+ struct zone *zone;
+ int cpu;
+ int threshold;
+ int i;
+
+ get_online_cpus();
+ for (i = 0; i < pgdat->nr_zones; i++) {
+ zone = &pgdat->node_zones[i];
+ if (!zone->percpu_drift_mark)
+ continue;
+
+ threshold = calculate_threshold(zone);
+ for_each_online_cpu(cpu)
+ per_cpu_ptr(zone->pageset, cpu)->stat_threshold
+ = threshold;
+ }
+ put_online_cpus();
+}
+
/*
* For use when we know that interrupts are disabled.
*/
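Review bot: reduce_pgdat_percpu_threshold() and restore_pgdat_percpu_threshold() are identical apart from the function that computes the threshold. A single static helper that takes the calculation function as a parameter would remove the duplicated loop, and a one-line comment on why zones with percpu_drift_mark == 0 are skipped would help the next reader.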
@@ -826,7 +892,7 @@ static void zoneinfo_show_print(struct s
"\n scanned %lu"
"\n spanned %lu"
"\n present %lu",
- zone_nr_free_pages(zone),
+ zone_page_state(zone, NR_FREE_PAGES),
min_wmark_pages(zone),
low_wmark_pages(zone),
high_wmark_pages(zone),
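
The counter drift described in the commit message above can be reproduced in a small user-space model, which shows how far the true free-page count can fall while the estimate still reads above the min watermark. This is an added example, not code from the patch or the kernel: the struct, the function names and the sample watermarks are constructed, and it assumes a per-cpu delta is folded into the global counter only once its magnitude exceeds the threshold.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of one zone; names are illustrative, not kernel structs. */
struct zone_model {
    long min_wmark;     /* pages */
    long low_wmark;     /* pages */
    int  online_cpus;
};

#define STAT_THRESHOLD_CAP 125  /* the cap used by the patch */

/* Same arithmetic as calculate_pressure_threshold() in the patch. */
int pressure_threshold(const struct zone_model *z)
{
    long t = (z->low_wmark - z->min_wmark) / z->online_cpus;

    if (t < 1)
        t = 1;
    if (t > STAT_THRESHOLD_CAP)
        t = STAT_THRESHOLD_CAP;
    return (int)t;
}

/* Upper bound on |estimate - true value|: every CPU holds a full delta. */
long worst_case_drift(const struct zone_model *z, int threshold)
{
    return (long)z->online_cpus * threshold;
}

/*
 * Start at the low watermark and allocate one page at a time, round-robin
 * over the CPUs. Allocation continues while the global estimate is above
 * the min watermark. Returns the true number of free pages at the moment
 * the estimate stops permitting allocations (or memory runs out).
 */
long true_free_when_estimate_stops(const struct zone_model *z, int threshold)
{
    long estimate = z->low_wmark;
    long true_free = z->low_wmark;
    long *delta = calloc((size_t)z->online_cpus, sizeof(*delta));
    int cpu = 0;

    if (!delta)
        return -1;
    while (estimate > z->min_wmark && true_free > 0) {
        true_free--;
        delta[cpu]--;
        if (delta[cpu] < -threshold) {  /* fold into the global counter */
            estimate += delta[cpu];
            delta[cpu] = 0;
        }
        cpu = (cpu + 1) % z->online_cpus;
    }
    free(delta);
    return true_free;
}

int main(void)
{
    /* Constructed sample: 64 CPUs, 250 pages between min and low. */
    struct zone_model z = { 1000, 1250, 64 };
    int reduced = pressure_threshold(&z);

    printf("threshold %3d: drift bound %5ld, true free at stop %ld\n",
           STAT_THRESHOLD_CAP, worst_case_drift(&z, STAT_THRESHOLD_CAP),
           true_free_when_estimate_stops(&z, STAT_THRESHOLD_CAP));
    printf("threshold %3d: drift bound %5ld, true free at stop %ld\n",
           reduced, worst_case_drift(&z, reduced),
           true_free_when_estimate_stops(&z, reduced));
    return 0;
}
```

With the cap of 125 the model exhausts every free page before a single delta is folded; with the reduced threshold the estimate tracks the true value to within a few pages.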

2011-04-26 22:44:09

by Paul Gortmaker

Subject: Re: [PATCH] [42/106] x86, microcode, AMD: Extend ucode size verification

On Tue, Apr 26, 2011 at 5:13 PM, Andi Kleen <[email protected]> wrote:
> 2.6.35-longterm review patch. If anyone has any objections, please let me know.

Minor nit, but git am complains about whitespace in this backport. I checked
the original, and at a glance it looks OK in this respect.

(42/106) Applying: x86, microcode, AMD: Extend ucode size verification
/home/paul/git/stable/linux-2.6.35.y/.git/rebase-apply/patch:95: space
before tab in indent.
return NULL;
/home/paul/git/stable/linux-2.6.35.y/.git/rebase-apply/patch:100:
trailing whitespace.

warning: 2 lines add whitespace errors.

Paul.

>
> ------------------
>
> From: Borislav Petkov <[email protected]>
>
> Upstream commit: 44d60c0f5c58c2168f31df9a481761451840eb54
>
> The different families have a different max size for the ucode patch,
> adjust size checking to the family we're running on. Also, do not
> vzalloc the max size of the ucode but only the actual size that is
> passed on from the firmware loader.
>
> Cc: <[email protected]>
> Signed-off-by: Borislav Petkov <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> Signed-off-by: Andi Kleen <[email protected]>
>
> ---
> ?arch/x86/kernel/microcode_amd.c | ? 63 +++++++++++++++++++++++++++-------------
> ?1 file changed, 44 insertions(+), 19 deletions(-)
>
> Index: linux-2.6.35.y/arch/x86/kernel/microcode_amd.c
> ===================================================================
> --- linux-2.6.35.y.orig/arch/x86/kernel/microcode_amd.c
> +++ linux-2.6.35.y/arch/x86/kernel/microcode_amd.c
> @@ -66,7 +66,6 @@ struct microcode_amd {
> ? ? ? ?unsigned int ? ? ? ? ? ? ? ? ? ?mpb[0];
> ?};
>
> -#define UCODE_MAX_SIZE ? ? ? ? ? ? ? ? 2048
> ?#define UCODE_CONTAINER_SECTION_HDR ? ?8
> ?#define UCODE_CONTAINER_HEADER_SIZE ? ?12
>
> @@ -125,6 +124,37 @@ static int get_matching_microcode(int cp
> ? ? ? ?return 1;
> ?}
>
> +static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
> +{
> + ? ? ? struct cpuinfo_x86 *c = &cpu_data(cpu);
> + ? ? ? unsigned int max_size, actual_size;
> +
> +#define F1XH_MPB_MAX_SIZE 2048
> +#define F14H_MPB_MAX_SIZE 1824
> +#define F15H_MPB_MAX_SIZE 4096
> +
> + ? ? ? switch (c->x86) {
> + ? ? ? case 0x14:
> + ? ? ? ? ? ? ? max_size = F14H_MPB_MAX_SIZE;
> + ? ? ? ? ? ? ? break;
> + ? ? ? case 0x15:
> + ? ? ? ? ? ? ? max_size = F15H_MPB_MAX_SIZE;
> + ? ? ? ? ? ? ? break;
> + ? ? ? default:
> + ? ? ? ? ? ? ? max_size = F1XH_MPB_MAX_SIZE;
> + ? ? ? ? ? ? ? break;
> + ? ? ? }
> +
> + ? ? ? actual_size = buf[4] + (buf[5] << 8);
> +
> + ? ? ? if (actual_size > size || actual_size > max_size) {
> + ? ? ? ? ? ? ? pr_err("section size mismatch\n");
> + ? ? ? ? ? ? ? return 0;
> + ? ? ? }
> +
> + ? ? ? return actual_size;
> +}
> +
> ?static int apply_microcode_amd(int cpu)
> ?{
> ? ? ? ?u32 rev, dummy;
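Review bot: verify_ucode_size() tests `actual_size > size`, but the caller copies actual_size bytes starting at buf + UCODE_CONTAINER_SECTION_HDR, so the comparison should leave room for the 8 header bytes; as written, a section whose declared size equals the remaining buffer passes the check. size should also be checked against the header length before buf[4] and buf[5] are read. The three #defines would sit better at file scope next to UCODE_CONTAINER_SECTION_HDR than inside the function body.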
> @@ -162,11 +192,11 @@ static int get_ucode_data(void *to, cons
> ?}
>
> ?static void *
> -get_next_ucode(const u8 *buf, unsigned int size, unsigned int *mc_size)
> +get_next_ucode(int cpu, const u8 *buf, unsigned int size, unsigned int *mc_size)
> ?{
> - ? ? ? unsigned int total_size;
> + ? ? ? unsigned int actual_size = 0;
> ? ? ? ?u8 section_hdr[UCODE_CONTAINER_SECTION_HDR];
> - ? ? ? void *mc;
> + ? ? ? void *mc = NULL;
>
> ? ? ? ?if (get_ucode_data(section_hdr, buf, UCODE_CONTAINER_SECTION_HDR))
> ? ? ? ? ? ? ? ?return NULL;
> @@ -176,23 +206,18 @@ get_next_ucode(const u8 *buf, unsigned i
> ? ? ? ? ? ? ? ?return NULL;
> ? ? ? ?}
>
> - ? ? ? total_size = (unsigned long) (section_hdr[4] + (section_hdr[5] << 8));
> -
> - ? ? ? if (total_size > size || total_size > UCODE_MAX_SIZE) {
> - ? ? ? ? ? ? ? pr_err("error: size mismatch\n");
> + ? ? ? actual_size = verify_ucode_size(cpu, buf, size);
> + ? ? ? if (!actual_size)
> ? ? ? ? ? ? ? ?return NULL;
> - ? ? ? }
>
> - ? ? ? mc = vmalloc(UCODE_MAX_SIZE);
> - ? ? ? if (mc) {
> - ? ? ? ? ? ? ? memset(mc, 0, UCODE_MAX_SIZE);
> - ? ? ? ? ? ? ? if (get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR,
> - ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?total_size)) {
> - ? ? ? ? ? ? ? ? ? ? ? vfree(mc);
> - ? ? ? ? ? ? ? ? ? ? ? mc = NULL;
> - ? ? ? ? ? ? ? } else
> - ? ? ? ? ? ? ? ? ? ? ? *mc_size = total_size + UCODE_CONTAINER_SECTION_HDR;
> - ? ? ? }
> + ? ? ? mc = vmalloc(actual_size);
> + ? ? ? if (!mc)
> + ? ? ? ? ? ? ? return NULL;
> +
> + ? ? ? memset(mc, 0, actual_size);
> + ? ? ? get_ucode_data(mc, buf + UCODE_CONTAINER_SECTION_HDR, actual_size);
> + ? ? ? *mc_size = actual_size + UCODE_CONTAINER_SECTION_HDR;
> +
> ? ? ? ?return mc;
> ?}
>
> @@ -258,7 +283,7 @@ generic_load_microcode(int cpu, const u8
> ? ? ? ? ? ? ? ?unsigned int uninitialized_var(mc_size);
> ? ? ? ? ? ? ? ?struct microcode_header_amd *mc_header;
>
> - ? ? ? ? ? ? ? mc = get_next_ucode(ucode_ptr, leftover, &mc_size);
> + ? ? ? ? ? ? ? mc = get_next_ucode(cpu, ucode_ptr, leftover, &mc_size);
> ? ? ? ? ? ? ? ?if (!mc)
> ? ? ? ? ? ? ? ? ? ? ? ?break;
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
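
The size comparison from the quoted patch, shown next to a variant that also accounts for the 8-byte section header. This is an added example, not code from the patch or the kernel: the function names and the test buffers are constructed, and only the constants and the byte offsets are taken from the quoted hunks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SECTION_HDR_SIZE  8     /* UCODE_CONTAINER_SECTION_HDR in the patch */
#define F1XH_MPB_MAX_SIZE 2048
#define F14H_MPB_MAX_SIZE 1824
#define F15H_MPB_MAX_SIZE 4096

/* Per-family upper bound on the patch body, as in the quoted switch. */
static unsigned int family_max_size(unsigned int family)
{
    switch (family) {
    case 0x14: return F14H_MPB_MAX_SIZE;
    case 0x15: return F15H_MPB_MAX_SIZE;
    default:   return F1XH_MPB_MAX_SIZE;
    }
}

/* Constructed helper: write a little-endian declared size at bytes 4..5. */
void set_declared_size(uint8_t *buf, unsigned int declared)
{
    buf[4] = (uint8_t)(declared & 0xff);
    buf[5] = (uint8_t)((declared >> 8) & 0xff);
}

/*
 * The comparison as posted: the declared size is checked against the whole
 * remaining buffer, header included. Returns the size, or 0 on rejection.
 */
unsigned int check_as_posted(unsigned int family, const uint8_t *buf,
                             unsigned int size)
{
    unsigned int actual = buf[4] + ((unsigned int)buf[5] << 8);

    if (actual > size || actual > family_max_size(family))
        return 0;
    return actual;
}

/*
 * Added variant: refuse buffers shorter than the header before reading it,
 * and require header plus body to fit in what is left of the buffer.
 */
unsigned int check_with_header(unsigned int family, const uint8_t *buf,
                               unsigned int size)
{
    unsigned int actual;

    if (size < SECTION_HDR_SIZE)
        return 0;
    actual = buf[4] + ((unsigned int)buf[5] << 8);
    if (actual == 0 || actual > size - SECTION_HDR_SIZE ||
        actual > family_max_size(family))
        return 0;
    return actual;
}

int main(void)
{
    uint8_t buf[64] = { 0 };    /* constructed section header */

    set_declared_size(buf, 16);
    /* Only 16 bytes remain, but header + body need 24. */
    printf("as posted:   %u\n", check_as_posted(0x10, buf, 16));
    printf("with header: %u\n", check_with_header(0x10, buf, 16));
    return 0;
}
```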

2011-04-26 23:04:20

by Andi Kleen

Subject: Re: [PATCH] [42/106] x86, microcode, AMD: Extend ucode size verification

On Tue, Apr 26, 2011 at 06:44:05PM -0400, Paul Gortmaker wrote:
> On Tue, Apr 26, 2011 at 5:13 PM, Andi Kleen <[email protected]> wrote:
> > 2.6.35-longterm review patch. If anyone has any objections, please let me know.
>
> Minor nit, but git am complains about whitespace in this backport. I checked
> the original, and at a glance it looks OK in this respect.
>
> (42/106) Applying: x86, microcode, AMD: Extend ucode size verification
> /home/paul/git/stable/linux-2.6.35.y/.git/rebase-apply/patch:95: space
> before tab in indent.
> return NULL;
> /home/paul/git/stable/linux-2.6.35.y/.git/rebase-apply/patch:100:
> trailing whitespace.
>
> warning: 2 lines add whitespace errors.

I ran cleanpatch over it.

-Andi

2011-04-27 00:12:58

by Chuck Ebbert

Subject: Re: [stable] [PATCH] [0/106] 2.6.35.13 longterm review

On Tue, 26 Apr 2011 14:12:37 -0700 (PDT)
Andi Kleen <[email protected]> wrote:

>
> This is the start of the longterm review cycle for the 2.6.35.12 release.

2.6.35.13...

Please revert the two TPM patches that went in 2.6.35.12. They cause timeouts
that break suspend on a bunch of HP machines, and they were reverted before
2.6.38-final was released and therefore should have never been put in -stable.

Here are the commits that revert them:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=e58713724059da7d2982d6ad945192c8fca5b729

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=8d1dc20e8d689c7e6a0a4d2c94e36a99d5793ecb

2011-04-27 00:17:38

by Tim Bird

Subject: Re: [PATCH] [0/106] 2.6.35.13 longterm review

On 04/26/2011 02:12 PM, Andi Kleen wrote:
>
> This is the start of the longterm review cycle for the 2.6.35.12 release.
> There are a large number of patches in this series, all will be posted as a
> response to this one. If anyone has any issues with these being applied,
> please let me know. If anyone is a maintainer of the proper subsystem, and
> wants to add a Signed-off-by: line to the patch, please respond with it.
>
> The full quilt queue can be found at
> git://git.kernel.org/pub/scm/linux/kernel/git/longterm/longterm-queue-2.6.35
>
> Responses should be made within 48 hours.

I tested the 2.6.35.13 patches on 4 development boards (on 4 architectures: x86,
ppc, mips and ARM), and found no problems.
-- Tim

=============================
Tim Bird
Architecture Group Chair, CE Workgroup of the Linux Foundation
Senior Staff Engineer, Sony Network Entertainment
=============================

2011-04-27 00:26:11

by Chuck Ebbert

Subject: Re: [stable] [PATCH] [0/106] 2.6.35.13 longterm review

On Tue, 26 Apr 2011 14:12:37 -0700 (PDT)
Andi Kleen <[email protected]> wrote:

>

Also please revert the patch "fix-cred-leak-in-af_netlink" from 2.6.35.12.
The proper fix was "af_netlink-add-needed-scm_destroy-after-scm_send" which
was also added in that release. Here's a revert patch:

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1330,16 +1330,12 @@
return err;

if (msg->msg_namelen) {
+ if (addr->nl_family != AF_NETLINK)
+ return -EINVAL;
- if (addr->nl_family != AF_NETLINK) {
- err = -EINVAL;
- goto out;
- }
dst_pid = addr->nl_pid;
dst_group = ffs(addr->nl_groups);
+ if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+ return -EPERM;
- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND)) {
- err = -EPERM;
- goto out;
- }
} else {
dst_pid = nlk->dst_pid;
dst_group = nlk->dst_group;
@@ -1391,8 +1387,6 @@
err = netlink_unicast(sk, skb, dst_pid, msg->msg_flags&MSG_DONTWAIT);

out:
- scm_destroy(siocb->scm);
- siocb->scm = NULL;
return err;
}
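Review bot: with scm_destroy(siocb->scm) removed from under `out:`, every path that still reaches that label depends on the scm_destroy call added by the other patch named in the message. The revert should carry a changelog that names that call site, and it needs a Signed-off-by line before it can be queued.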

_

2011-04-27 02:58:33

by Andi Kleen

Subject: Re: [stable] [PATCH] [0/106] 2.6.35.13 longterm review

> Please revert the two TPM patches that went in 2.6.35.12. They cause timeouts
> that break suspend on a bunch of HP machines, and they were reverted before
> 2.6.38-final was released and therefore should have never been put in -stable.

Done. Thanks.
-Andi

2011-04-27 03:08:42

by Andi Kleen

Subject: Re: [stable] [PATCH] [0/106] 2.6.35.13 longterm review

On Tue, Apr 26, 2011 at 08:21:50PM -0400, Chuck Ebbert wrote:
> On Tue, 26 Apr 2011 14:12:37 -0700 (PDT)
> Andi Kleen <[email protected]> wrote:
>
> >
>
> Also please revert the patch "fix-cred-leak-in-af_netlink" from 2.6.35.12.
> The proper fix was "af_netlink-add-needed-scm_destroy-after-scm_send" which
> was also added in that release. Here's a revert patch:

Done.
-Andi

2011-04-27 05:26:16

by Dave Chinner

Subject: Re: [PATCH] [8/106] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

On Tue, Apr 26, 2011 at 02:12:46PM -0700, Andi Kleen wrote:
> 2.6.35-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
> From: Dan Rosenberg <[email protected]>
>
> commit c4d0c3b097f7584772316ee4d64a09fe0e4ddfca upstream.
>
> The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
> xfs_fs_geometry() with a version number of 3. This code path does not
> fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
> the leaking of four bytes of uninitialized stack data to potentially
> unprivileged callers.
>
> v2 switches to memset() to avoid future issues if structure members
> change, on suggestion of Dave Chinner.

Did you grab the followup patch that fixed the stack corruption
this change caused?

Cheers,

Dave.
--
Dave Chinner
[email protected]

2011-04-27 15:00:46

by Andi Kleen

Subject: Re: [PATCH] [8/106] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

> > v2 switches to memset() to avoid future issues if structure members
> > change, on suggestion of Dave Chinner.
>
> Did you grab the followup patch that fixed the stack corruption
> this change caused?

No. Which commit ID is that?

I don't see any obvious further changes to that file in mainline.

-Andi

2011-04-27 17:43:09

by Tim Gardner

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

On 04/26/2011 03:14 PM, Andi Kleen wrote:
> 2.6.35-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
> From: Fry, Donald H<[email protected]>
>
> commit 41504cce240f791f1e16561db95728c5537fbad9 upstream.
>
> New iwlwifi-5000 microcode requires driver support for API version 5.
>
> Signed-off-by: Don Fry<[email protected]>
> Signed-off-by: Wey-Yi Guy<[email protected]>
> Signed-off-by: Stanislaw Gruszka<[email protected]>
> Signed-off-by: Greg Kroah-Hartman<[email protected]>
> Signed-off-by: Andi Kleen<[email protected]>
>
> ---
> drivers/net/wireless/iwlwifi/iwl-5000.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Index: linux-2.6.35.y/drivers/net/wireless/iwlwifi/iwl-5000.c
> ===================================================================
> --- linux-2.6.35.y.orig/drivers/net/wireless/iwlwifi/iwl-5000.c
> +++ linux-2.6.35.y/drivers/net/wireless/iwlwifi/iwl-5000.c
> @@ -51,7 +51,7 @@
> #include "iwl-agn-debugfs.h"
>
> /* Highest firmware API version supported */
> -#define IWL5000_UCODE_API_MAX 2
> +#define IWL5000_UCODE_API_MAX 5
> #define IWL5150_UCODE_API_MAX 2
>
> /* Lowest firmware API version supported */

Wey-yi,

Will this cause any issues with the existing 2.6.35.12 iwl-5000 driver?
Is the version 5 API backwards compatible? Ubuntu installs
iwlwifi-5000-5.ucode by default in order to support compat-wireless
backports from 2.6.3[678], so I'd hate to break those folks that are
using the stock 2.6.35.y driver.

rtg
--
Tim Gardner [email protected]

2011-04-27 20:49:19

by Valdis Klētnieks

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

On Wed, 27 Apr 2011 11:42:46 MDT, Tim Gardner said:
> On 04/26/2011 03:14 PM, Andi Kleen wrote:
> > 2.6.35-longterm review patch. If anyone has any objections, please let me know.

> > From: Fry, Donald H<[email protected]>
> >
> > commit 41504cce240f791f1e16561db95728c5537fbad9 upstream.
> >
> > New iwlwifi-5000 microcode requires driver support for API version 5.

> Will this cause any issues with the existing 2.6.35.12 iwl-5000 driver?
> Is the version 5 API backwards compatible? Ubuntu installs
> iwlwifi-5000-5.ucode by default in order to support compat-wireless
> backports from 2.6.3[678], so I'd hate to break those folks that are
> using the stock 2.6.35.y driver.

I can't speak to Ubuntu, but I hit this on Fedora Rawhide a while ago, they
ended up including several versions so different kernels would work OK:

% rpm -ql iwl5000-firmware
/lib/firmware/iwlwifi-5000-1.ucode
/lib/firmware/iwlwifi-5000-2.ucode
/lib/firmware/iwlwifi-5000-5.ucode



2011-04-27 22:20:40

by Andi Kleen

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.


> I can't speak to Ubuntu, but I hit this on Fedora Rawhide a while ago, they
> ended including several versions so different kernels would work OK:
>
> % rpm -ql iwl5000-firmware
> /lib/firmware/iwlwifi-5000-1.ucode
> /lib/firmware/iwlwifi-5000-2.ucode
> /lib/firmware/iwlwifi-5000-5.ucode

I don't want people required to install new firmware for .35. This sounds
like I should drop this patch. Wey-yi?

-Andi

2011-04-27 22:36:09

by Wey-Yi Guy

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

Hi Andi,
On Wed, 2011-04-27 at 15:20 -0700, Andi Kleen wrote:
> > I can't speak to Ubuntu, but I hit this on Fedora Rawhide a while ago, they
> > ended including several versions so different kernels would work OK:
> >
> > % rpm -ql iwl5000-firmware
> > /lib/firmware/iwlwifi-5000-1.ucode
> > /lib/firmware/iwlwifi-5000-2.ucode
> > /lib/firmware/iwlwifi-5000-5.ucode
>
> I don't want people require to install new firmware for .35. This sounds
> like I should
> drop this patch. Wey-yi?
>

iwlwifi-5000-5.ucode is targeted to fix an 11n-related issue we have seen in the
field (especially for Ubuntu), so it is important for people to use the -5
version of uCode. In order to allow the driver to pick up the correct uCode
(-5), we need to move the maximum API version to "5", which is what this
patch does.

Thanks
Wey


2011-04-27 22:41:30

by Andi Kleen

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

> iwlwifi-5000-5.ucode is target to fix a 11n related issue we seen in the
> field (especially for Ubuntu), so it is important for people to use -5
> version of uCode. in order to allow driver to pick up the correct uCode
> (-5), we need to move the maximum API version to "5" which is what this
> patch does

But this means that anyone who just updates the kernel without
having the new firmware will lose their wireless. Not good.
longterm is not supposed to break existing userland like this.

Possible would be a patch to try 5 first and then fall back to
the older version. But that's not what this patch does, correct?

-Andi

2011-04-27 22:45:20

by Wey-Yi Guy

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

On Wed, 2011-04-27 at 15:41 -0700, Andi Kleen wrote:
> > iwlwifi-5000-5.ucode is target to fix a 11n related issue we seen in the
> > field (especially for Ubuntu), so it is important for people to use -5
> > version of uCode. in order to allow driver to pick up the correct uCode
> > (-5), we need to move the maximum API version to "5" which is what this
> > patch does
>
> But this means that anyone who just updates the kernel without
> having the new firmware will lose their wireless. Not good.
> longterm is not supposed to break existing userland like this
>
> Possible would be a patch to try 5 first and then fall back to
> the older version. But that's not what this patch does, correct?
>
The current driver behavior is to try to load the maximum version first and,
if it does not exist, fall back to the older version. This patch just
increases the maximum API version to "5", so the driver will try to load
version "5" first.

Thanks
Wey

2011-04-27 22:47:02

by Andi Kleen

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

> The current driver behavior, try to load the maximum version first, if
> does not exist, then fall back to the older version. This patch just
> increase the maximum API version to "5", so driver will try to load the
> version "5" first.

Okay thanks for the explanation. I will keep this patch then.

-Andi
--
[email protected] -- Speaking for myself only.

2011-04-28 00:05:04

by Dave Chinner

Subject: Re: [PATCH] [8/106] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

On Wed, Apr 27, 2011 at 05:00:39PM +0200, Andi Kleen wrote:
> > > v2 switches to memset() to avoid future issues if structure members
> > > change, on suggestion of Dave Chinner.
> >
> > Did you grab the followup patch that fixed the stack corruption
> > this change caused?
>
> No. Which commit ID is that?

commit af24ee9ea8d532e16883251a6684dfa1be8eec29. I see it is patch
52 of the series, so everything should be OK. It took a while for
all the patches in the series to trickle into my mail box....

Cheers,

Dave.
--
Dave Chinner
[email protected]

2011-04-28 02:43:04

by Tim Gardner

Subject: Re: [PATCH] [96/106] iwlagn: Support new 5000 microcode.

On 04/27/2011 04:46 PM, Andi Kleen wrote:
>> The current driver behavior, try to load the maximum version first, if
>> does not exist, then fall back to the older version. This patch just
>> increase the maximum API version to "5", so driver will try to load the
>> version "5" first.
>
> Okay thanks for the explanation. I will keep this patch then.
>
> -Andi

I'm good with that. Thanks Wey.

--
Tim Gardner [email protected]