2008-02-23 00:33:19

by Greg KH

Subject: [patch 00/38] 2.6.24-stable review

This is the start of the stable review cycle for the 2.6.24.3 release.
There are 38 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let us know. If anyone is a maintainer of the proper subsystem, and
wants to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line. If you wish to be a reviewer, please email [email protected]
to add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Tuesday, Feb 25, 2008, 00:10:00 UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.24.3-rc1.gz
and the diffstat can be found below.


thanks,

greg k-h

Makefile | 9 +-
arch/powerpc/platforms/chrp/pci.c | 4 -
arch/powerpc/platforms/powermac/feature.c | 11 +++
arch/s390/lib/uaccess_std.c | 8 +-
arch/sparc/lib/rwsem.S | 2
arch/sparc64/lib/rwsem.S | 2
arch/x86/mm/pageattr_64.c | 2
drivers/macintosh/smu.c | 25 +++++++
drivers/net/bonding/bond_main.c | 16 ++--
drivers/net/dl2k.h | 4 -
drivers/net/pcmcia/smc91c92_cs.c | 12 +++
drivers/scsi/gdth.c | 9 ++
drivers/scsi/sd.c | 34 ++++------
drivers/usb/class/usblp.c | 1
fs/inotify_user.c | 2
fs/nfs/write.c | 20 +++++-
fs/super.c | 1
fs/xfs/linux-2.6/xfs_file.c | 3
include/asm-powerpc/pmac_feature.h | 8 ++
include/linux/Kbuild | 1
include/linux/hrtimer.h | 2
include/linux/hugetlb.h | 1
include/linux/ktime.h | 2
kernel/audit.c | 10 ++-
kernel/compat.c | 44 ++++++++++++-
kernel/futex.c | 2
kernel/futex_compat.c | 2
kernel/hrtimer.c | 100 +++++++++++++++++-------------
kernel/irq/chip.c | 20 +++++-
kernel/posix-timers.c | 25 ++-----
kernel/sysctl.c | 2
mm/hugetlb.c | 10 +++
mm/memory.c | 2
mm/slub.c | 3
net/bluetooth/hci_sysfs.c | 48 +++++++++++---
net/ipv4/fib_hash.c | 47 +++++++++-----
net/ipv4/fib_trie.c | 57 ++++++++++-------
net/ipv4/inet_diag.c | 11 +--
net/ipv4/ip_output.c | 4 -
net/ipv4/ipcomp.c | 5 +
net/ipv4/sysctl_net_ipv4.c | 2
net/ipv4/xfrm4_tunnel.c | 2
net/ipv6/ip6_output.c | 4 -
net/ipv6/ipcomp6.c | 5 +
net/netfilter/nf_conntrack_proto_tcp.c | 35 ++++++++--
net/sched/em_meta.c | 10 +--
net/sched/ematch.c | 5 -
security/selinux/ss/services.c | 1
48 files changed, 439 insertions(+), 196 deletions(-)


2008-02-23 00:33:42

by Greg KH

Subject: [patch 01/38] SPARC/SPARC64: Fix usage of .section .sched.text in assembler code.

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

[SPARC/SPARC64]: Fix usage of .section .sched.text in assembler code.

Upstream commit: c6d64c16bb193c8ca2ccc0b3c556a4574a02408b

ld will generate a uniquely named section when the assembler does not use
"ax" but gcc does. Add the missing annotation.

Signed-off-by: Sam Ravnborg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/sparc/lib/rwsem.S | 2 +-
arch/sparc64/lib/rwsem.S | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/sparc/lib/rwsem.S
+++ b/arch/sparc/lib/rwsem.S
@@ -7,7 +7,7 @@
#include <asm/ptrace.h>
#include <asm/psr.h>

- .section .sched.text
+ .section .sched.text, "ax"
.align 4

.globl ___down_read
--- a/arch/sparc64/lib/rwsem.S
+++ b/arch/sparc64/lib/rwsem.S
@@ -6,7 +6,7 @@

#include <asm/rwsem-const.h>

- .section .sched.text
+ .section .sched.text, "ax"

.globl __down_read
__down_read:

--

2008-02-23 00:34:01

by Greg KH

Subject: [patch 02/38] NETFILTER: nf_conntrack_tcp: conntrack reopening fix

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

From: Jozsef Kadlecsik <[email protected]>

[NETFILTER]: nf_conntrack_tcp: conntrack reopening fix

[Upstream commits b2155e7f + d0c1fd7a]

TCP connection tracking in netfilter did not handle TCP reopening
properly: active close was taken into account for one side only and
not for any side, which is fixed now. The patch includes more comments
to explain the logic of how the different cases are handled.
The bug was discovered by Jeff Chua.

Signed-off-by: Jozsef Kadlecsik <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -135,7 +135,7 @@ enum tcp_bit_set {
* CLOSE_WAIT: ACK seen (after FIN)
* LAST_ACK: FIN seen (after FIN)
* TIME_WAIT: last ACK seen
- * CLOSE: closed connection
+ * CLOSE: closed connection (RST)
*
* LISTEN state is not used.
*
@@ -834,8 +834,21 @@ static int tcp_packet(struct nf_conn *conntrack,
case TCP_CONNTRACK_SYN_SENT:
if (old_state < TCP_CONNTRACK_TIME_WAIT)
break;
- if ((conntrack->proto.tcp.seen[!dir].flags &
- IP_CT_TCP_FLAG_CLOSE_INIT)
+ /* RFC 1122: "When a connection is closed actively,
+ * it MUST linger in TIME-WAIT state for a time 2xMSL
+ * (Maximum Segment Lifetime). However, it MAY accept
+ * a new SYN from the remote TCP to reopen the connection
+ * directly from TIME-WAIT state, if..."
+ * We ignore the conditions because we are in the
+ * TIME-WAIT state anyway.
+ *
+ * Handle aborted connections: we and the server
+ * think there is an existing connection but the client
+ * aborts it and starts a new one.
+ */
+ if (((conntrack->proto.tcp.seen[dir].flags
+ | conntrack->proto.tcp.seen[!dir].flags)
+ & IP_CT_TCP_FLAG_CLOSE_INIT)
|| (conntrack->proto.tcp.last_dir == dir
&& conntrack->proto.tcp.last_index == TCP_RST_SET)) {
/* Attempt to reopen a closed/aborted connection.
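Review bot: the RFC 1122 quotation in the new comment stops at "if...", so the condition being ignored is never stated; spell it out (the new SYN's initial sequence number must be larger than the largest sequence number used on the previous incarnation) and say why ignoring it is acceptable for a tracker that is in TIME_WAIT anyway. Now that `seen[dir].flags | seen[!dir].flags` is tested, a SYN from either side reopens the entry, and the comment should say that explicitly, since the old code only looked at the other direction.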
@@ -848,18 +861,25 @@ static int tcp_packet(struct nf_conn *conntrack,
}
/* Fall through */
case TCP_CONNTRACK_IGNORE:
- /* Ignored packets:
+ /* Ignored packets:
+ *
+ * Our connection entry may be out of sync, so ignore
+ * packets which may signal the real connection between
+ * the client and the server.
*
* a) SYN in ORIGINAL
* b) SYN/ACK in REPLY
* c) ACK in reply direction after initial SYN in original.
+ *
+ * If the ignored packet is invalid, the receiver will send
+ * a RST we'll catch below.
*/
if (index == TCP_SYNACK_SET
&& conntrack->proto.tcp.last_index == TCP_SYN_SET
&& conntrack->proto.tcp.last_dir != dir
&& ntohl(th->ack_seq) ==
conntrack->proto.tcp.last_end) {
- /* This SYN/ACK acknowledges a SYN that we earlier
+ /* b) This SYN/ACK acknowledges a SYN that we earlier
* ignored as invalid. This means that the client and
* the server are both in sync, while the firewall is
* not. We kill this session and block the SYN/ACK so
@@ -884,7 +904,7 @@ static int tcp_packet(struct nf_conn *conntrack,
write_unlock_bh(&tcp_lock);
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
- "nf_ct_tcp: invalid packed ignored ");
+ "nf_ct_tcp: invalid packet ignored ");
return NF_ACCEPT;
case TCP_CONNTRACK_MAX:
/* Invalid packet */
@@ -938,8 +958,7 @@ static int tcp_packet(struct nf_conn *conntrack,

conntrack->proto.tcp.state = new_state;
if (old_state != new_state
- && (new_state == TCP_CONNTRACK_FIN_WAIT
- || new_state == TCP_CONNTRACK_CLOSE))
+ && new_state == TCP_CONNTRACK_FIN_WAIT)
conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans
&& *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
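Review bot: removing TCP_CONNTRACK_CLOSE from this condition changes the meaning of IP_CT_TCP_FLAG_CLOSE_INIT from "this side closed" to "this side sent a FIN", so a connection ended by RST no longer sets the flag and reopening after an abort depends entirely on the `last_dir == dir && last_index == TCP_RST_SET` test in the SYN_SENT case earlier in this patch. That dependency should be noted in a comment here or in the changelog, which currently only mentions the one-side/any-side issue.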
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

--

2008-02-23 00:34:46

by Greg KH

Subject: [patch 03/38] NFS: Fix a potential file corruption issue when writing

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

From: Trond Myklebust <[email protected]>

patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.

If the inode is flagged as having an invalid mapping, then we can't rely on
the PageUptodate() flag. Ensure that we don't use the "anti-fragmentation"
write optimisation in nfs_updatepage(), since that will cause NFS to write
out areas of the page that are no longer guaranteed to be up to date.

A potential corruption could occur in the following scenario:

client 1                                client 2
===============                         ===============
fd=open("f",O_CREAT|O_WRONLY,0644);
write(fd,"fubar\n",6);                  // cache last page
close(fd);
                                        fd=open("f",O_WRONLY|O_APPEND);
                                        write(fd,"foo\n",4);
                                        close(fd);

fd=open("f",O_WRONLY|O_APPEND);
write(fd,"bar\n",4);
close(fd);
-----
The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
client 2 does not update the cached page after re-opening the file for
write. Instead it keeps it marked as PageUptodate() until someone calls
invalidate_inode_pages2() (typically by calling read()).

The bug was introduced by commit 44b11874ff583b6e766a05856b04f3c492c32b84
"NFS: Separate metadata and page cache revalidation mechanisms"

Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/nfs/write.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)

--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -701,6 +701,17 @@ int nfs_flush_incompatible(struct file *
}

/*
+ * If the page cache is marked as unsafe or invalid, then we can't rely on
+ * the PageUptodate() flag. In this case, we will need to turn off
+ * write optimisations that depend on the page contents being correct.
+ */
+static int nfs_write_pageuptodate(struct page *page, struct inode *inode)
+{
+ return PageUptodate(page) &&
+ !(NFS_I(inode)->cache_validity & (NFS_INO_REVAL_PAGECACHE|NFS_INO_INVALID_DATA));
+}
+
+/*
* Update and possibly write a cached page of an NFS file.
*
* XXX: Keep an eye on generic_file_read to make sure it doesn't do bad
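Review bot: nfs_write_pageuptodate() reads NFS_I(inode)->cache_validity with no lock visible in this hunk; the comment should say whether the caller is expected to hold the inode lock or whether an unlocked read is intentional (a revalidation racing with the check would at worst skip the optimisation). Minor: the helper computes a boolean but is declared `int`; `bool` would document the intent.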
@@ -721,10 +732,13 @@ int nfs_updatepage(struct file *file, st
(long long)(page_offset(page) +offset));

/* If we're not using byte range locks, and we know the page
- * is entirely in cache, it may be more efficient to avoid
- * fragmenting write requests.
+ * is up to date, it may be more efficient to extend the write
+ * to cover the entire page in order to avoid fragmentation
+ * inefficiencies.
*/
- if (PageUptodate(page) && inode->i_flock == NULL && !(file->f_mode & O_SYNC)) {
+ if (nfs_write_pageuptodate(page, inode) &&
+ inode->i_flock == NULL &&
+ !(file->f_mode & O_SYNC)) {
count = max(count + offset, nfs_page_length(page));
offset = 0;
}
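Review bot: the unchanged `!(file->f_mode & O_SYNC)` test looks wrong: O_SYNC is an open(2) flag carried in file->f_flags, while f_mode holds FMODE_* bits, so this condition cannot detect an O_SYNC open and the page-extending optimisation can still apply to synchronous writes. It predates this patch, but it deserves a separate fix (`!(file->f_flags & O_SYNC)`) rather than being carried along untouched.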

--

2008-02-23 00:35:25

by Greg KH

Subject: [patch 05/38] hugetlb: add locking for overcommit sysctl

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------


From: Nishanth Aravamudan <[email protected]>

patch a3d0c6aa1bb342b9b2c7b123b52ac2f48a4d4d0a in mainline.

When I replaced hugetlb_dynamic_pool with nr_overcommit_hugepages I used
proc_doulongvec_minmax() directly. However, hugetlb.c's locking rules
require that all counter modifications occur under the hugetlb_lock. Add a
callback into the hugetlb code similar to the one for nr_hugepages. Grab
the lock around the manipulation of nr_overcommit_hugepages in
proc_doulongvec_minmax().

Signed-off-by: Nishanth Aravamudan <[email protected]>
Acked-by: Adam Litke <[email protected]>
Cc: David Gibson <[email protected]>
Cc: William Lee Irwin III <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
include/linux/hugetlb.h | 1 +
kernel/sysctl.c | 2 +-
mm/hugetlb.c | 10 ++++++++++
3 files changed, 12 insertions(+), 1 deletion(-)

--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -17,6 +17,7 @@ static inline int is_vm_hugetlb_page(str
}

int hugetlb_sysctl_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
+int hugetlb_overcommit_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
int hugetlb_treat_movable_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
int copy_hugetlb_page_range(struct mm_struct *, struct mm_struct *, struct vm_area_struct *);
int follow_hugetlb_page(struct mm_struct *, struct vm_area_struct *, struct page **, struct vm_area_struct **, unsigned long *, int *, int, int);
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -910,7 +910,7 @@ static struct ctl_table vm_table[] = {
.data = &nr_overcommit_huge_pages,
.maxlen = sizeof(nr_overcommit_huge_pages),
.mode = 0644,
- .proc_handler = &proc_doulongvec_minmax,
+ .proc_handler = &hugetlb_overcommit_handler,
},
#endif
{
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -605,6 +605,16 @@ int hugetlb_treat_movable_handler(struct
return 0;
}

+int hugetlb_overcommit_handler(struct ctl_table *table, int write,
+ struct file *file, void __user *buffer,
+ size_t *length, loff_t *ppos)
+{
+ spin_lock(&hugetlb_lock);
+ proc_doulongvec_minmax(table, write, file, buffer, length, ppos);
+ spin_unlock(&hugetlb_lock);
+ return 0;
+}
+
#endif /* CONFIG_SYSCTL */

int hugetlb_report_meminfo(char *buf)
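Review bot: two problems in hugetlb_overcommit_handler(). First, the return value of proc_doulongvec_minmax() is discarded and 0 is returned unconditionally, so a malformed write (-EINVAL) or a faulting user buffer (-EFAULT) is reported to userspace as success. Second, proc_doulongvec_minmax() copies to and from the user buffer, which can fault and sleep, while hugetlb_lock (a spinlock) is held. Suggest parsing into a local without the lock, then taking hugetlb_lock only to store the value into nr_overcommit_huge_pages, and returning the handler's result.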

--

2008-02-23 00:36:07

by Greg KH

Subject: [patch 06/38] quota: turn quotas off when remounting read-only

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------


From: Jan Kara <[email protected]>

patch 66191dc622f5ff0a541524c4e96fdacfacfda206 in mainline.

Turn off quotas before filesystem is remounted read only. Otherwise quota
will try to write to read-only filesystem which does no good... We could
also just refuse to remount ro when quota is enabled but turning quota off
is consistent with what we do on umount.

Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/super.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/super.c
+++ b/fs/super.c
@@ -603,6 +603,7 @@ int do_remount_sb(struct super_block *sb
mark_files_ro(sb);
else if (!fs_may_remount_ro(sb))
return -EBUSY;
+ DQUOT_OFF(sb);
}

if (sb->s_op->remount_fs) {
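Review bot: the new DQUOT_OFF(sb) call carries no comment, and the rationale (turn quotas off rather than refuse the remount, for consistency with umount) lives only in the changelog; a one-line comment above the call would keep it with the code. Also worth stating whether DQUOT_OFF's result needs handling here, since it is ignored.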

--

2008-02-23 00:36:37

by Greg KH

Subject: [patch 07/38] XFS: Fix oops in xfs_file_readdir()

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

From: David Chinner <[email protected]>

patch 450790a2c51e6d9d47ed30dbdcf486656b8e186f in mainline.

Several occurrences of oops in xfs_file_readdir() on ia32 have been
reported since 2.6.24 was released. This is a regression introduced
in 2.6.24 and is relatively easy to hit. The patch below fixes the
problem.


Signed-off-by: Dave Chinner <[email protected]>
Signed-off-by: Lachlan McIlroy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/xfs/linux-2.6/xfs_file.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/xfs/linux-2.6/xfs_file.c
+++ b/fs/xfs/linux-2.6/xfs_file.c
@@ -350,8 +350,8 @@ xfs_file_readdir(

size = buf.used;
de = (struct hack_dirent *)buf.dirent;
- curr_offset = de->offset /* & 0x7fffffff */;
while (size > 0) {
+ curr_offset = de->offset /* & 0x7fffffff */;
if (filldir(dirent, de->name, de->namlen,
curr_offset & 0x7fffffff,
de->ino, de->d_type)) {
@@ -362,7 +362,6 @@ xfs_file_readdir(
sizeof(u64));
size -= reclen;
de = (struct hack_dirent *)((char *)de + reclen);
- curr_offset = de->offset /* & 0x7fffffff */;
}
}

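Review bot: the removed line is the actual bug and neither the changelog nor a comment says so: `de` has just been advanced by `reclen`, so after the last record `de->offset` reads past the end of `buf.dirent`. Moving the read to the top of the loop (previous hunk) makes it happen only while `size > 0`. Please state that in the changelog so the stable backport records the root cause rather than just "fixes the problem".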

--

2008-02-23 00:36:59

by Greg KH

Subject: [patch 08/38] Fix dl2k constants

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------


patch 9c52fab2f187636b39afb0dcf562872ed42ab608 in mainline.

The MSSR constants didn't match the reality - bitfield declarations
used to be correct (1000BT_FD - bit 11, 1000BT_HD - bit 10), but enum
had them the other way round. Went unnoticed until the switch from
the bitfields use to the explicit arithmetics and I hadn't caught that one
when verifying correctness of change...

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/dl2k.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/dl2k.h
+++ b/drivers/net/dl2k.h
@@ -388,8 +388,8 @@ enum _mii_mssr {
MII_MSSR_CFG_RES = 0x4000,
MII_MSSR_LOCAL_RCV_STATUS = 0x2000,
MII_MSSR_REMOTE_RCVR = 0x1000,
- MII_MSSR_LP_1000BT_HD = 0x0800,
- MII_MSSR_LP_1000BT_FD = 0x0400,
+ MII_MSSR_LP_1000BT_FD = 0x0800,
+ MII_MSSR_LP_1000BT_HD = 0x0400,
MII_MSSR_IDLE_ERR_COUNT = 0x00ff,
};


--

2008-02-23 00:37:43

by Greg KH

Subject: [patch 09/38] SCSI: sd: handle bad lba in sense information

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

From: James Bottomley <[email protected]>

patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.

Some devices report medium error locations incorrectly. Add guards to
make sure the reported bad lba is actually in the request that caused
it. Additionally remove the large case statement for sector sizes and
replace it with the proper u64 divisions.

Tested-by: Mike Snitzer <[email protected]>
Cc: Stable Tree <[email protected]>
Cc: Tony Battersby <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/scsi/sd.c | 34 ++++++++++++++++------------------
1 file changed, 16 insertions(+), 18 deletions(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -907,6 +907,7 @@ static int sd_done(struct scsi_cmnd *SCp
unsigned int xfer_size = SCpnt->request_bufflen;
unsigned int good_bytes = result ? 0 : xfer_size;
u64 start_lba = SCpnt->request->sector;
+ u64 end_lba = SCpnt->request->sector + (xfer_size / 512);
u64 bad_lba;
struct scsi_sense_hdr sshdr;
int sense_valid = 0;
@@ -945,26 +946,23 @@ static int sd_done(struct scsi_cmnd *SCp
goto out;
if (xfer_size <= SCpnt->device->sector_size)
goto out;
- switch (SCpnt->device->sector_size) {
- case 256:
+ if (SCpnt->device->sector_size < 512) {
+ /* only legitimate sector_size here is 256 */
start_lba <<= 1;
- break;
- case 512:
- break;
- case 1024:
- start_lba >>= 1;
- break;
- case 2048:
- start_lba >>= 2;
- break;
- case 4096:
- start_lba >>= 3;
- break;
- default:
- /* Print something here with limiting frequency. */
- goto out;
- break;
+ end_lba <<= 1;
+ } else {
+ /* be careful ... don't want any overflows */
+ u64 factor = SCpnt->device->sector_size / 512;
+ do_div(start_lba, factor);
+ do_div(end_lba, factor);
}
+
+ if (bad_lba < start_lba || bad_lba >= end_lba)
+ /* the bad lba was reported incorrectly, we have
+ * no idea where the error is
+ */
+ goto out;
+
/* This computation should always be done in terms of
* the resolution of the device's medium.
*/
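Review bot: the old `switch` rejected unknown sector sizes through `default: goto out`; the new code drops that safety net. The `< 512` branch assumes 256 without checking (the comment admits it), and the `else` branch accepts any size, with `factor` silently truncated when sector_size is not a multiple of 512. Suggest `if (SCpnt->device->sector_size != 256) goto out;` in the first branch and a multiple-of-512 check in the second, so an oddly reporting device cannot turn a plausible `bad_lba` into a wrong `good_bytes`.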

--
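The range guard added in the sd.c hunk above, as an added userspace example (not kernel code): it scales the request's start and end to device sectors the way the patch does, checks whether the reported bad LBA falls inside the request, and goes one step further than the hunk by rejecting sector sizes the kernel merely assumes (256 in the `< 512` branch, whole multiples of 512 in the other). The `good_bytes` computation is this example's assumption about the line that follows the truncated hunk, based on its comment about the device's medium resolution.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. request_sector and xfer_bytes describe
 * the request in the block layer's 512-byte units (request->sector and
 * request_bufflen in sd_done()); sector_size is the device's logical block
 * size; bad_lba is the LBA from the device's sense data, in device sectors.
 */
struct sd_lba_range {
    uint64_t start;   /* first LBA of the request, in device sectors */
    uint64_t end;     /* one past the last LBA, in device sectors */
    bool valid;       /* false when sector_size cannot be scaled safely */
};

struct sd_lba_range sd_request_lba_range(uint64_t request_sector,
                                         unsigned int xfer_bytes,
                                         unsigned int sector_size)
{
    struct sd_lba_range r = { request_sector,
                              request_sector + xfer_bytes / 512, false };

    if (sector_size < 512) {
        /* the kernel assumes 256 here; this example checks the assumption */
        if (sector_size != 256)
            return r;
        r.start <<= 1;
        r.end <<= 1;
    } else {
        uint64_t factor = sector_size / 512;
        /* reject sizes that are not whole multiples of 512 (added check) */
        if (factor * 512 != sector_size)
            return r;
        /* do_div() in the kernel; plain 64-bit division in userspace */
        r.start /= factor;
        r.end /= factor;
    }
    r.valid = true;
    return r;
}

/* The guard itself: was the reported bad LBA inside the request? */
bool sd_bad_lba_in_request(uint64_t request_sector, unsigned int xfer_bytes,
                           unsigned int sector_size, uint64_t bad_lba)
{
    struct sd_lba_range r = sd_request_lba_range(request_sector, xfer_bytes,
                                                 sector_size);
    return r.valid && bad_lba >= r.start && bad_lba < r.end;
}

/*
 * Bytes transferred before the bad sector, in device bytes. Assumed to be
 * what sd_done() computes next ("in terms of the resolution of the device's
 * medium"); 0 when the report cannot be trusted, the conservative answer
 * because no part of the request is then reported as completed.
 */
uint64_t sd_good_bytes(uint64_t request_sector, unsigned int xfer_bytes,
                       unsigned int sector_size, uint64_t bad_lba)
{
    struct sd_lba_range r = sd_request_lba_range(request_sector, xfer_bytes,
                                                 sector_size);
    if (!r.valid || bad_lba < r.start || bad_lba >= r.end)
        return 0;
    return (bad_lba - r.start) * sector_size;
}

int main(void)
{
    /* constructed: 4 KiB request at sector 1000 on a 512-byte device */
    printf("LBA 1003 -> %s, good bytes %llu\n",
           sd_bad_lba_in_request(1000, 4096, 512, 1003) ? "trusted" : "ignored",
           (unsigned long long)sd_good_bytes(1000, 4096, 512, 1003));
    /* constructed: the device mis-reports LBA 0 for the same request */
    printf("LBA 0 -> %s\n",
           sd_bad_lba_in_request(1000, 4096, 512, 0) ? "trusted" : "ignored");
    return 0;
}
```

The end of the range is exclusive, matching the hunk's `bad_lba >= end_lba` test; a device that reports the sector just past the request is treated as unreliable rather than as "everything succeeded".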

2008-02-23 00:38:18

by Greg KH

Subject: [patch 10/38] TCP: Fix a bug in strategy_allowed_congestion_control

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

Upstream commit: 16ca3f913001efdb6171a2781ef41c77474e3895

In strategy_allowed_congestion_control of the 2.6.24 kernel, when
sysctl_string returns 1 on success, it should call
tcp_set_allowed_congestion_control to set the allowed congestion
control. But it doesn't: sysctl_string returns 1 on success,
otherwise returns a negative value, and never returns 0. The patch fixes the problem.

Signed-off-by: Shan Wei <[email protected]>
Acked-by: Stephen Hemminger <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/sysctl_net_ipv4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -248,7 +248,7 @@ static int strategy_allowed_congestion_c

tcp_get_available_congestion_control(tbl.data, tbl.maxlen);
ret = sysctl_string(&tbl, name, nlen, oldval, oldlenp, newval, newlen);
- if (ret == 0 && newval && newlen)
+ if (ret == 1 && newval && newlen)
ret = tcp_set_allowed_congestion_control(tbl.data);
kfree(tbl.data);

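Review bot: after this change `ret` is overwritten with the result of tcp_set_allowed_congestion_control(), which is 0 on success, whereas sysctl_string() signals success with 1. Confirm that the sysctl strategy caller treats a 0 return as "handled" rather than falling back to generic string handling of the same table entry; if it does not, preserve the 1 on success and only propagate the negative error.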

--

2008-02-23 00:38:40

by Greg KH

Subject: [patch 11/38] TC: oops in em_meta

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

Upstream commit: 04f217aca4d803fe72c2c54fe460d68f5233ce52

If userspace passes an unknown match index into em_meta, then
em_meta_change will return an error and the data for the match will
not be set. This then causes a null pointer dereference when the
cleanup is done in the error path via tcf_em_tree_destroy. Since the
tree structure comes from kzalloc, it is initialized to NULL.

Discovered when testing a new version of tc command against an
accidental older kernel.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/sched/em_meta.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/sched/em_meta.c
+++ b/net/sched/em_meta.c
@@ -719,11 +719,13 @@ static int em_meta_match(struct sk_buff

static inline void meta_delete(struct meta_match *meta)
{
- struct meta_type_ops *ops = meta_type_ops(&meta->lvalue);
+ if (meta) {
+ struct meta_type_ops *ops = meta_type_ops(&meta->lvalue);

- if (ops && ops->destroy) {
- ops->destroy(&meta->lvalue);
- ops->destroy(&meta->rvalue);
+ if (ops && ops->destroy) {
+ ops->destroy(&meta->lvalue);
+ ops->destroy(&meta->rvalue);
+ }
}

kfree(meta);
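Review bot: kfree(NULL) is a no-op, so the NULL guard can be an early `if (!meta) return;` at the top of meta_delete() instead of wrapping and re-indenting the whole body; that keeps the change to two lines and avoids the nested block.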

--

2008-02-23 00:38:58

by Greg KH

Subject: [patch 12/38] SELinux: Fix double free in selinux_netlbl_sock_setsid()

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: e1770d97a730ff4c3aa1775d98f4d0558390607f

As pointed out by Adrian Bunk, commit
45c950e0f839fded922ebc0bfd59b1081cc71b70 ("fix memory leak in netlabel
code") caused a double-free when security_netlbl_sid_to_secattr()
fails. This patch fixes this by removing the netlbl_secattr_destroy()
call from that function since we are already releasing the secattr
memory in selinux_netlbl_sock_setsid().

Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
security/selinux/ss/services.c | 1 -
1 file changed, 1 deletion(-)

--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2629,7 +2629,6 @@ int security_netlbl_sid_to_secattr(u32 s

netlbl_sid_to_secattr_failure:
POLICY_RDUNLOCK;
- netlbl_secattr_destroy(secattr);
return rc;
}
#endif /* CONFIG_NETLABEL */
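Review bot: add a comment at the netlbl_sid_to_secattr_failure: label (or in the function's header comment) stating that the caller owns `secattr` and is responsible for netlbl_secattr_destroy(). The removed call was itself added as a leak fix, so without an ownership note the next leak hunt is likely to put it back and reintroduce the double free.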

--

2008-02-23 00:39:35

by Greg KH

Subject: [patch 13/38] PKT_SCHED: ematch: oops from uninitialized variable (resend)

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: 268bcca1e7b0d244afd07ea89cda672e61b0fc4a

Setting up a meta match causes a kernel OOPS because of uninitialized
elements in tree.

[ 37.322381] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 37.322381] IP: [<ffffffff883fc717>] :em_meta:em_meta_destroy+0x17/0x80

[ 37.322381] Call Trace:
[ 37.322381] [<ffffffff803ec83d>] tcf_em_tree_destroy+0x2d/0xa0
[ 37.322381] [<ffffffff803ecc8c>] tcf_em_tree_validate+0x2dc/0x4a0
[ 37.322381] [<ffffffff803f06d2>] nla_parse+0x92/0xe0
[ 37.322381] [<ffffffff883f9672>] :cls_basic:basic_change+0x202/0x3c0
[ 37.322381] [<ffffffff802a3917>] kmem_cache_alloc+0x67/0xa0
[ 37.322381] [<ffffffff803ea221>] tc_ctl_tfilter+0x3b1/0x580
[ 37.322381] [<ffffffff803dffd0>] rtnetlink_rcv_msg+0x0/0x260
[ 37.322381] [<ffffffff803ee944>] netlink_rcv_skb+0x74/0xa0
[ 37.322381] [<ffffffff803dffc8>] rtnetlink_rcv+0x18/0x20
[ 37.322381] [<ffffffff803ee6c3>] netlink_unicast+0x263/0x290
[ 37.322381] [<ffffffff803cf276>] __alloc_skb+0x96/0x160
[ 37.322381] [<ffffffff803ef014>] netlink_sendmsg+0x274/0x340
[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
[ 37.322381] [<ffffffff8024de90>] autoremove_wake_function+0x0/0x30
[ 37.322381] [<ffffffff803c7c3b>] sock_sendmsg+0x12b/0x140
[ 37.322381] [<ffffffff80288611>] zone_statistics+0xb1/0xc0
[ 37.322381] [<ffffffff803c7e5e>] sys_sendmsg+0x20e/0x360
[ 37.322381] [<ffffffff803c7411>] sockfd_lookup_light+0x41/0x80
[ 37.322381] [<ffffffff8028d04b>] handle_mm_fault+0x3eb/0x7f0
[ 37.322381] [<ffffffff8020c2fb>] system_call_after_swapgs+0x7b/0x80

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/sched/ematch.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -305,10 +305,9 @@ int tcf_em_tree_validate(struct tcf_prot
struct tcf_ematch_tree_hdr *tree_hdr;
struct tcf_ematch *em;

- if (!rta) {
- memset(tree, 0, sizeof(*tree));
+ memset(tree, 0, sizeof(*tree));
+ if (!rta)
return 0;
- }

if (rtattr_parse_nested(tb, TCA_EMATCH_TREE_MAX, rta) < 0)
goto errout;
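Review bot: zeroing `tree` before the `!rta` early return is the right fix, since the errout path (tcf_em_tree_destroy) would otherwise walk uninitialised match entries; patch 11 in this series (the NULL check in meta_delete) guards the same crash from the other side, so one of the two changelogs should mention the relationship and which of the two is the actual fix.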

--

2008-02-23 00:39:57

by Greg KH

Subject: [patch 14/38] NET: Add if_addrlabel.h to sanitized headers.

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: dded91611a728d65721cdab3dd41d801a356fa15

if_addrlabel.h is needed for iproute2 usage.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/Kbuild | 1 +
1 file changed, 1 insertion(+)

--- a/include/linux/Kbuild
+++ b/include/linux/Kbuild
@@ -217,6 +217,7 @@ unifdef-y += i2o-dev.h
unifdef-y += icmp.h
unifdef-y += icmpv6.h
unifdef-y += if_addr.h
+unifdef-y += if_addrlabel.h
unifdef-y += if_arp.h
unifdef-y += if_bridge.h
unifdef-y += if_ec.h

--

2008-02-23 00:40:37

by Greg KH

Subject: [patch 15/38] IPV4: fib_trie: apply fixes from fib_hash

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: 936f6f8e1bc46834bbb3e3fa3ac13ab44f1e7ba6

Update fib_trie with some fib_hash fixes:
- check for duplicate alternative routes for prefix+tos+priority when
replacing route
- properly insert by matching tos together with priority
- fix alias walking to use list_for_each_entry_continue for insertion
and deletion when fa_head is not NULL
- copy state from fa to new_fa on replace (not a problem for now)
- additionally, avoid replacement without error if new route is same,
as Joonwoo Park suggests.

Signed-off-by: Julian Anastasov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/fib_trie.c | 57 ++++++++++++++++++++++++++++++++--------------------
1 file changed, 36 insertions(+), 21 deletions(-)

--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1203,20 +1203,45 @@ static int fn_trie_insert(struct fib_tab
* and we need to allocate a new one of those as well.
*/

- if (fa && fa->fa_info->fib_priority == fi->fib_priority) {
- struct fib_alias *fa_orig;
+ if (fa && fa->fa_tos == tos &&
+ fa->fa_info->fib_priority == fi->fib_priority) {
+ struct fib_alias *fa_first, *fa_match;

err = -EEXIST;
if (cfg->fc_nlflags & NLM_F_EXCL)
goto out;

+ /* We have 2 goals:
+ * 1. Find exact match for type, scope, fib_info to avoid
+ * duplicate routes
+ * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
+ */
+ fa_match = NULL;
+ fa_first = fa;
+ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
+ list_for_each_entry_continue(fa, fa_head, fa_list) {
+ if (fa->fa_tos != tos)
+ break;
+ if (fa->fa_info->fib_priority != fi->fib_priority)
+ break;
+ if (fa->fa_type == cfg->fc_type &&
+ fa->fa_scope == cfg->fc_scope &&
+ fa->fa_info == fi) {
+ fa_match = fa;
+ break;
+ }
+ }
+
if (cfg->fc_nlflags & NLM_F_REPLACE) {
struct fib_info *fi_drop;
u8 state;

- if (fi->fib_treeref > 1)
+ fa = fa_first;
+ if (fa_match) {
+ if (fa == fa_match)
+ err = 0;
goto out;
-
+ }
err = -ENOBUFS;
new_fa = kmem_cache_alloc(fn_alias_kmem, GFP_KERNEL);
if (new_fa == NULL)
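Review bot: `fa = list_entry(fa->fa_list.prev, ...)` followed by list_for_each_entry_continue() is a step-back-then-advance idiom so that the loop visits `fa_first` itself; when fa_first is the first alias, `prev` is the list head, which is not a `struct fib_alias`. It is safe only because the macro advances before dereferencing, and that deserves a comment, since the same construction is repeated in the delete path below and in fib_hash.c.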
@@ -1228,7 +1253,7 @@ static int fn_trie_insert(struct fib_tab
new_fa->fa_type = cfg->fc_type;
new_fa->fa_scope = cfg->fc_scope;
state = fa->fa_state;
- new_fa->fa_state &= ~FA_S_ACCESSED;
+ new_fa->fa_state = state & ~FA_S_ACCESSED;

list_replace_rcu(&fa->fa_list, &new_fa->fa_list);
alias_free_mem_rcu(fa);
@@ -1245,20 +1270,11 @@ static int fn_trie_insert(struct fib_tab
* uses the same scope, type, and nexthop
* information.
*/
- fa_orig = fa;
- list_for_each_entry(fa, fa_orig->fa_list.prev, fa_list) {
- if (fa->fa_tos != tos)
- break;
- if (fa->fa_info->fib_priority != fi->fib_priority)
- break;
- if (fa->fa_type == cfg->fc_type &&
- fa->fa_scope == cfg->fc_scope &&
- fa->fa_info == fi) {
- goto out;
- }
- }
+ if (fa_match)
+ goto out;
+
if (!(cfg->fc_nlflags & NLM_F_APPEND))
- fa = fa_orig;
+ fa = fa_first;
}
err = -ENOENT;
if (!(cfg->fc_nlflags & NLM_F_CREATE))
@@ -1614,9 +1630,8 @@ static int fn_trie_delete(struct fib_tab
pr_debug("Deleting %08x/%d tos=%d t=%p\n", key, plen, tos, t);

fa_to_delete = NULL;
- fa_head = fa->fa_list.prev;
-
- list_for_each_entry(fa, fa_head, fa_list) {
+ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
+ list_for_each_entry_continue(fa, fa_head, fa_list) {
struct fib_info *fi = fa->fa_info;

if (fa->fa_tos != tos)

--

2008-02-23 00:40:57

by Greg KH

Subject: [patch 16/38] IPV4: fib: fix route replacement, fib_info is shared

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: c18865f39276435abb9286f9a816cb5b66c99a00

fib_info can be shared by many route prefixes but we don't want
duplicate alternative routes for a prefix+tos+priority. Last change
was not correct to check fib_treeref because it accounts usage from
other prefixes. Additionally, avoid replacement without error if new
route is same, as Joonwoo Park suggests.

Signed-off-by: Julian Anastasov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/fib_hash.c | 47 +++++++++++++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 16 deletions(-)

--- a/net/ipv4/fib_hash.c
+++ b/net/ipv4/fib_hash.c
@@ -434,19 +434,43 @@ static int fn_hash_insert(struct fib_tab

if (fa && fa->fa_tos == tos &&
fa->fa_info->fib_priority == fi->fib_priority) {
- struct fib_alias *fa_orig;
+ struct fib_alias *fa_first, *fa_match;

err = -EEXIST;
if (cfg->fc_nlflags & NLM_F_EXCL)
goto out;

+ /* We have 2 goals:
+ * 1. Find exact match for type, scope, fib_info to avoid
+ * duplicate routes
+ * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
+ */
+ fa_match = NULL;
+ fa_first = fa;
+ fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
+ list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
+ if (fa->fa_tos != tos)
+ break;
+ if (fa->fa_info->fib_priority != fi->fib_priority)
+ break;
+ if (fa->fa_type == cfg->fc_type &&
+ fa->fa_scope == cfg->fc_scope &&
+ fa->fa_info == fi) {
+ fa_match = fa;
+ break;
+ }
+ }
+
if (cfg->fc_nlflags & NLM_F_REPLACE) {
struct fib_info *fi_drop;
u8 state;

- if (fi->fib_treeref > 1)
+ fa = fa_first;
+ if (fa_match) {
+ if (fa == fa_match)
+ err = 0;
goto out;
-
+ }
write_lock_bh(&fib_hash_lock);
fi_drop = fa->fa_info;
fa->fa_info = fi;
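Review bot: this match loop is now identical to the one added to fn_trie_insert() in patch 15; factor it into a shared helper (for example next to fib_find_alias() in fib_lookup.h) so the hash and trie tables cannot drift apart again, which is how the fib_trie copy fell behind in the first place. The `if (fa == fa_match) err = 0;` special case also merits a comment: it turns a replace with an identical route into a silent no-op while a duplicate further down the list is still refused with -EEXIST.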
@@ -469,20 +493,11 @@ static int fn_hash_insert(struct fib_tab
* uses the same scope, type, and nexthop
* information.
*/
- fa_orig = fa;
- fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
- list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
- if (fa->fa_tos != tos)
- break;
- if (fa->fa_info->fib_priority != fi->fib_priority)
- break;
- if (fa->fa_type == cfg->fc_type &&
- fa->fa_scope == cfg->fc_scope &&
- fa->fa_info == fi)
- goto out;
- }
+ if (fa_match)
+ goto out;
+
if (!(cfg->fc_nlflags & NLM_F_APPEND))
- fa = fa_orig;
+ fa = fa_first;
}

err = -ENOENT;
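Review bot: the comment fragment kept as leading context in this hunk ("uses the same scope, type, and nexthop information") describes the search loop that the hunk deletes; now that the loop lives above the NLM_F_REPLACE block, move or trim the comment so it sits next to the code it explains. The remaining logic is sound: with fa_match set the insert is refused with the -EEXIST assigned earlier, and without NLM_F_APPEND the new alias is inserted before fa_first, i.e. at the head of its tos/priority group, while NLM_F_APPEND leaves fa at the first alias that differs, so the insert goes at the end of the group.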

--

2008-02-23 00:41:35

by Greg KH

Subject: [patch 17/38] IPCOMP: Fix reception of incompressible packets

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: b1641064a3f4a58644bc2e8edf40c025c58473b4

I made a silly typo by entering IPPROTO_IP (== 0) instead of
IPPROTO_IPIP (== 4). This broke the reception of incompressible
packets.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/xfrm4_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/xfrm4_tunnel.c
+++ b/net/ipv4/xfrm4_tunnel.c
@@ -50,7 +50,7 @@ static struct xfrm_type ipip_type = {

static int xfrm_tunnel_rcv(struct sk_buff *skb)
{
- return xfrm4_rcv_spi(skb, IPPROTO_IP, ip_hdr(skb)->saddr);
+ return xfrm4_rcv_spi(skb, IPPROTO_IPIP, ip_hdr(skb)->saddr);
}

static int xfrm_tunnel_err(struct sk_buff *skb, u32 info)
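Review bot: the fix is right, but the bare protocol literal is exactly what went wrong. Since `ipip_type` (the context line above) is the type registered for this protocol, taking the value from that definition, or at least a comment next to the call, would keep the two from drifting apart again. A wrong nexthdr here fails only at SA lookup time, with the packet dropped, which is why the regression surfaced as lost incompressible packets rather than anything noisy.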

--

2008-02-23 00:42:07

by Greg KH

Subject: [patch 18/38] IPCOMP: Fetch nexthdr before ipch is destroyed

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: 2614fa59fa805cd488083c5602eb48533cdbc018

When I moved the nexthdr setting out of IPComp I accidently moved
the reading of ipch->nexthdr after the decompression. Unfortunately
this means that we'd be reading from a stale ipch pointer which
doesn't work very well.

This patch moves the reading up so that we get the correct nexthdr
value.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/ipcomp.c | 5 ++++-
net/ipv6/ipcomp6.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)

--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -74,6 +74,7 @@ out:

static int ipcomp_input(struct xfrm_state *x, struct sk_buff *skb)
{
+ int nexthdr;
int err = -ENOMEM;
struct ip_comp_hdr *ipch;

@@ -84,13 +85,15 @@ static int ipcomp_input(struct xfrm_stat

/* Remove ipcomp header and decompress original payload */
ipch = (void *)skb->data;
+ nexthdr = ipch->nexthdr;
+
skb->transport_header = skb->network_header + sizeof(*ipch);
__skb_pull(skb, sizeof(*ipch));
err = ipcomp_decompress(x, skb);
if (err)
goto out;

- err = ipch->nexthdr;
+ err = nexthdr;

out:
return err;
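Review bot: ipch points into skb->data, and the changelog says it is stale once ipcomp_decompress() has run (the IPv6 hunk below shows why: the decompressed payload is written back over the linear area), so reading nexthdr before the pull is the correct fix. To make it hard to undo, consider not keeping ipch alive past __skb_pull() at all and adding a comment that the IPComp header is gone after decompression. Minor: `nexthdr` is an int holding a u8 field, which is fine because it is returned through `err`.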
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -64,6 +64,7 @@ static LIST_HEAD(ipcomp6_tfms_list);

static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
{
+ int nexthdr;
int err = -ENOMEM;
struct ip_comp_hdr *ipch;
int plen, dlen;
@@ -79,6 +80,8 @@ static int ipcomp6_input(struct xfrm_sta

/* Remove ipcomp header and decompress original payload */
ipch = (void *)skb->data;
+ nexthdr = ipch->nexthdr;
+
skb->transport_header = skb->network_header + sizeof(*ipch);
__skb_pull(skb, sizeof(*ipch));

@@ -108,7 +111,7 @@ static int ipcomp6_input(struct xfrm_sta
skb->truesize += dlen - plen;
__skb_put(skb, dlen - plen);
skb_copy_to_linear_data(skb, scratch, dlen);
- err = ipch->nexthdr;
+ err = nexthdr;

out_put_cpu:
put_cpu();
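Review bot: the staleness is visible in the two context lines just above the changed line: __skb_put() grows the skb and skb_copy_to_linear_data() overwrites the linear area with the decompressed payload, so the old `ipch->nexthdr` read returned whatever decompressed byte landed at that offset, not the header field. That deserves a comment at the point where nexthdr is saved in the earlier hunk, and the same comment belongs in ipcomp.c.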

--

2008-02-23 00:42:36

by Greg KH

Subject: [patch 19/38] INET_DIAG: Fix inet_diag_lock_handler error path.

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: 8cf8e5a67fb07f583aac94482ba51a7930dab493

Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825

The inet_diag_lock_handler function uses ERR_PTR to encode errors but
its callers were testing against NULL.

This only happens when the only inet_diag modular user, DCCP, is not
built into the kernel or available as a module.

Also there was a problem with not dropping the mutex lock when a handler
was not found, also fixed in this patch.

This caused an OOPS and ss would then hang on subsequent calls, as
&inet_diag_table_mutex was being left locked.

Thanks to spike at ml.yaroslavl.ru for reporting it after trying 'ss -d'
on a kernel that doesn't have DCCP available.

This bug was introduced in cset
d523a328fb0271e1a763e985a21f2488fd816e7e ("Fix inet_diag dead-lock
regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected.

Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Acked-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/inet_diag.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -259,8 +259,10 @@ static int inet_diag_get_exact(struct sk
const struct inet_diag_handler *handler;

handler = inet_diag_lock_handler(nlh->nlmsg_type);
- if (!handler)
- return -ENOENT;
+ if (IS_ERR(handler)) {
+ err = PTR_ERR(handler);
+ goto unlock;
+ }

hashinfo = handler->idiag_hashinfo;
err = -EINVAL;
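Review bot: the error path now jumps to `unlock`, which calls inet_diag_unlock_handler(handler) with an ERR_PTR value; that is only safe if inet_diag_unlock_handler() never dereferences its argument. Please confirm, and add a comment on that function stating that it accepts ERR_PTR values, or guard the call with `if (!IS_ERR(handler))` so the contract is visible at the call site.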
@@ -708,8 +710,8 @@ static int inet_diag_dump(struct sk_buff
struct inet_hashinfo *hashinfo;

handler = inet_diag_lock_handler(cb->nlh->nlmsg_type);
- if (!handler)
- goto no_handler;
+ if (IS_ERR(handler))
+ goto unlock;

hashinfo = handler->idiag_hashinfo;

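Review bot: in the dump path the error code from the handler lookup is discarded: `goto unlock` ends in `return skb->len`, so `ss -d` on a kernel without DCCP now gets an empty dump, whereas inet_diag_get_exact() above propagates PTR_ERR(handler). That is the usual netlink dump convention, but say so in a comment so nobody later "fixes" it by returning a negative value from a dump callback.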
@@ -838,7 +840,6 @@ done:
cb->args[2] = num;
unlock:
inet_diag_unlock_handler(handler);
-no_handler:
return skb->len;
}


--
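The NULL-versus-ERR_PTR mismatch and the leaked mutex that this patch fixes, as an added user-space C model; it is not part of the patch and not the kernel's inet_diag code. It re-creates the include/linux/err.h pointer encoding, a constructed two-entry handler table in which the DCCP slot is empty (the "kernel without DCCP" case from the report), and a flag standing in for inet_diag_table_mutex. lock_handler(), unlock_handler(), get_exact_leaky() and get_exact_fixed() are hypothetical names modelled on the functions in the diff.

```c
#include <errno.h>
#include <stdlib.h>

/* Error pointers, encoded as in include/linux/err.h: the top MAX_ERRNO
 * addresses are never valid kernel pointers, so -errno fits in one. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)

static inline void *ERR_PTR(long error)      { return (void *)error; }
static inline long  PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int   IS_ERR(const void *ptr)  { return IS_ERR_VALUE((unsigned long)ptr); }

struct diag_handler { const char *name; };

/* Constructed handler table: type 0 (TCP) is registered, type 1 (DCCP) is
 * not, which is the situation that triggered the oops in the report. */
enum { DIAG_TCP = 0, DIAG_DCCP = 1, DIAG_TYPES = 2 };
static const struct diag_handler tcp_handler = { "tcp" };
static const struct diag_handler *diag_table[DIAG_TYPES] = { &tcp_handler, NULL };

/* Stand-in for inet_diag_table_mutex: a flag is enough to see whether a
 * caller returned with the lock still held. Taking it twice would deadlock
 * in the kernel, so the model aborts instead. */
static int diag_table_locked;
static void diag_table_lock(void)   { if (diag_table_locked) abort(); diag_table_locked = 1; }
static void diag_table_unlock(void) { diag_table_locked = 0; }

/* Like inet_diag_lock_handler(): takes the mutex and returns either the
 * handler or ERR_PTR(-ENOENT). The mutex is held on *both* paths. */
static const struct diag_handler *lock_handler(int type)
{
    diag_table_lock();
    if (type < 0 || type >= DIAG_TYPES || !diag_table[type])
        return ERR_PTR(-ENOENT);
    return diag_table[type];
}

/* Like inet_diag_unlock_handler(): never touches 'handler', so it is safe
 * to call with the ERR_PTR value as well. */
static void unlock_handler(const struct diag_handler *handler)
{
    (void)handler;
    diag_table_unlock();
}

/* Why the old NULL test did not help: the error value is not NULL, so the
 * caller went on to dereference it. Returns 1 only if a NULL check would
 * have caught the failure. */
static int null_check_catches(int type)
{
    const struct diag_handler *h = lock_handler(type);
    int caught = (h == NULL);

    unlock_handler(h);
    return caught;
}

/* Error path as it was: bails out on the error but leaves the mutex held,
 * so the next 'ss' invocation blocks forever. */
static int get_exact_leaky(int type)
{
    const struct diag_handler *h = lock_handler(type);

    if (IS_ERR(h))
        return PTR_ERR(h);          /* BUG: returns with the lock held */
    unlock_handler(h);
    return 0;
}

/* Error path as fixed: IS_ERR() plus one unlock label on every exit. */
static int get_exact_fixed(int type)
{
    const struct diag_handler *h = lock_handler(type);
    int err = 0;

    if (IS_ERR(h)) {
        err = PTR_ERR(h);
        goto unlock;
    }
    /* ... look up the socket through h ... */
unlock:
    unlock_handler(h);
    return err;
}
```

The flag model is deliberately strict: a second diag_table_lock() aborts, which is how a leaked lock shows up in practice (the next caller never returns). Calling get_exact_leaky() last in a test leaves the flag set, exactly the state the report describes.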

2008-02-23 00:42:56

by Greg KH

Subject: [patch 20/38] INET: Prevent out-of-sync truesize on ip_fragment slow path

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: 29ffe1a5c52dae13b6efead97aab9b058f38fce4

When ip_fragment has to hit the slow path the value of skb->truesize
may go out of sync because we would have updated it without changing
the packet length. This violates the constraints on truesize.

This patch postpones the update of skb->truesize to prevent this.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/ip_output.c | 4 +++-
net/ipv6/ip6_output.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)

--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -462,6 +462,7 @@ int ip_fragment(struct sk_buff *skb, int
if (skb_shinfo(skb)->frag_list) {
struct sk_buff *frag;
int first_len = skb_pagelen(skb);
+ int truesizes = 0;

if (first_len - hlen > mtu ||
((first_len - hlen) & 7) ||
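Review bot: skb->truesize is an unsigned int, so declare the accumulator as `unsigned int truesizes = 0;` rather than `int`; the sum over a long fragment list would otherwise be a signed value subtracted from an unsigned field. The same applies to the IPv6 hunk.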
@@ -485,7 +486,7 @@ int ip_fragment(struct sk_buff *skb, int
sock_hold(skb->sk);
frag->sk = skb->sk;
frag->destructor = sock_wfree;
- skb->truesize -= frag->truesize;
+ truesizes += frag->truesize;
}
}

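Review bot: deferring the subtraction is the whole fix (the changelog explains that the slow path otherwise saw a truesize that no longer matched the packet length), but this loop still has other side effects that survive a bail-out to the slow path: sock_hold() and the frag->sk/destructor assignments on each fragment visited so far. Presumably those are balanced when the fragment list is eventually freed; a short comment saying the loop may be abandoned after these assignments, and why that is safe, would help whoever next adds accounting here.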
@@ -496,6 +497,7 @@ int ip_fragment(struct sk_buff *skb, int
frag = skb_shinfo(skb)->frag_list;
skb_shinfo(skb)->frag_list = NULL;
skb->data_len = first_len - skb_headlen(skb);
+ skb->truesize -= truesizes;
skb->len = first_len;
iph->tot_len = htons(first_len);
iph->frag_off = htons(IP_MF);
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -609,6 +609,7 @@ static int ip6_fragment(struct sk_buff *

if (skb_shinfo(skb)->frag_list) {
int first_len = skb_pagelen(skb);
+ int truesizes = 0;

if (first_len - hlen > mtu ||
((first_len - hlen) & 7) ||
@@ -631,7 +632,7 @@ static int ip6_fragment(struct sk_buff *
sock_hold(skb->sk);
frag->sk = skb->sk;
frag->destructor = sock_wfree;
- skb->truesize -= frag->truesize;
+ truesizes += frag->truesize;
}
}

@@ -662,6 +663,7 @@ static int ip6_fragment(struct sk_buff *

first_len = skb_pagelen(skb);
skb->data_len = first_len - skb_headlen(skb);
+ skb->truesize -= truesizes;
skb->len = first_len;
ipv6_hdr(skb)->payload_len = htons(first_len -
sizeof(struct ipv6hdr));
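Review bot: this mirrors the IPv4 change line for line, down to the accumulator name; both fragmentation paths carried the same bug, so a shared helper that walks frag_list, performs the validity checks and returns the summed truesize would remove the duplication. Not for a stable backport, but worth a follow-up upstream.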

--

2008-02-23 00:43:41

by Greg KH

Subject: [patch 21/38] BLUETOOTH: Add conn add/del workqueues to avoid connection fail.

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: b6c0632105f7d7548f1d642ba830088478d4f2b0

The bluetooth hci_conn sysfs add/del are executed in the default
workqueue. If del_conn is executed after the new add_conn with the
same target, add_conn will fail with a warning of "same kobject name".

Here add btaddconn & btdelconn workqueues, and flush the btdelconn
workqueue in the add_conn function to avoid the issue.

Signed-off-by: Dave Young <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/bluetooth/hci_sysfs.c | 48 +++++++++++++++++++++++++++++++++++-----------
1 file changed, 37 insertions(+), 11 deletions(-)

--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -12,6 +12,8 @@
#undef BT_DBG
#define BT_DBG(D...)
#endif
+static struct workqueue_struct *btaddconn;
+static struct workqueue_struct *btdelconn;

static inline char *typetostr(int type)
{
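Review bot: two single-threaded workqueues plus a flush do give the required ordering, but a single single-threaded queue used for both add_conn and del_conn would preserve queue order by construction and need no flush_workqueue() at all; if the del of the old connection is always queued before the add of the new one (the changelog's scenario), that is the simpler fix. Style: the new declarations sit directly under the `#endif` with no separating blank line.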
@@ -279,6 +281,7 @@ static void add_conn(struct work_struct
struct hci_conn *conn = container_of(work, struct hci_conn, work);
int i;

+ flush_workqueue(btdelconn);
if (device_add(&conn->dev) < 0) {
BT_ERR("Failed to register connection device");
return;
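Review bot: flush_workqueue(btdelconn) here runs on the btaddconn thread and waits for every pending del_conn, not just the one for this address; acceptable on a rare path, but document that this is the reason two separate queues are needed, since flushing the queue the work itself runs on would deadlock.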
@@ -313,6 +316,7 @@ void hci_conn_add_sysfs(struct hci_conn

INIT_WORK(&conn->work, add_conn);

+ queue_work(btaddconn, &conn->work);
schedule_work(&conn->work);
}

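Review bot: the `schedule_work(&conn->work);` context line directly after the new queue_work() call was not removed, so the same work_struct is submitted twice, once to btaddconn and once to the system workqueue. queue_work() on an already pending item returns 0, so the second call is usually a no-op, but if the btaddconn thread has already run add_conn by then, the system workqueue runs it a second time on a queue that is never flushed against btdelconn. Delete the schedule_work() line (and the one in hci_conn_del_sysfs below).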
@@ -349,6 +353,7 @@ void hci_conn_del_sysfs(struct hci_conn

INIT_WORK(&conn->work, del_conn);

+ queue_work(btdelconn, &conn->work);
schedule_work(&conn->work);
}

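Review bot: same problem as in hci_conn_add_sysfs: `schedule_work(&conn->work);` is left in below the new queue_work(btdelconn, ...), so del_conn can be queued on two workqueues, and the flush in add_conn only waits for btdelconn and cannot see a del_conn that ran via schedule_work(). Remove the schedule_work() call.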
@@ -398,31 +403,52 @@ int __init bt_sysfs_init(void)
{
int err;

+ btaddconn = create_singlethread_workqueue("btaddconn");
+ if (!btaddconn) {
+ err = -ENOMEM;
+ goto out;
+ }
+ btdelconn = create_singlethread_workqueue("btdelconn");
+ if (!btdelconn) {
+ err = -ENOMEM;
+ goto out_del;
+ }
+
bt_platform = platform_device_register_simple("bluetooth", -1, NULL, 0);
- if (IS_ERR(bt_platform))
- return PTR_ERR(bt_platform);
+ if (IS_ERR(bt_platform)) {
+ err = PTR_ERR(bt_platform);
+ goto out_platform;
+ }

err = bus_register(&bt_bus);
- if (err < 0) {
- platform_device_unregister(bt_platform);
- return err;
- }
+ if (err < 0)
+ goto out_bus;

bt_class = class_create(THIS_MODULE, "bluetooth");
if (IS_ERR(bt_class)) {
- bus_unregister(&bt_bus);
- platform_device_unregister(bt_platform);
- return PTR_ERR(bt_class);
+ err = PTR_ERR(bt_class);
+ goto out_class;
}

return 0;
+
+out_class:
+ bus_unregister(&bt_bus);
+out_bus:
+ platform_device_unregister(bt_platform);
+out_platform:
+ destroy_workqueue(btdelconn);
+out_del:
+ destroy_workqueue(btaddconn);
+out:
+ return err;
}

void bt_sysfs_cleanup(void)
{
+ destroy_workqueue(btaddconn);
+ destroy_workqueue(btdelconn);
class_destroy(bt_class);
-
bus_unregister(&bt_bus);
-
platform_device_unregister(bt_platform);
}
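Review bot: the unwind labels are named after the step that failed rather than the step they undo: `out_del` (reached when btdelconn creation fails) destroys btaddconn, and `out_platform` destroys btdelconn. The cleanup itself is correct, but naming the labels for what they undo (out_destroy_addconn, out_destroy_delconn, out_unregister_platform, out_unregister_bus) makes that checkable at a glance. Also, bt_sysfs_cleanup() destroys the workqueues before class_destroy(), which is right because pending add_conn work still needs bt_class, but it is not the reverse of the init order and so deserves a comment.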

--

2008-02-23 00:44:01

by Greg KH

Subject: [patch 22/38] AUDIT: Increase skb->truesize in audit_expand

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
Upstream commit: 406a1d868001423c85a3165288e566e65f424fe6

The recent UDP patch exposed this bug in the audit code. It
was calling pskb_expand_head without increasing skb->truesize.
The caller of pskb_expand_head needs to do so because that function
is designed to be called in places where truesize is already fixed
and therefore it doesn't update its value.

Because the audit system is using it in a place where the truesize
has not yet been fixed, it needs to update its value manually.

Signed-off-by: Herbert Xu <[email protected]>
Acked-by: James Morris <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/audit.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1200,13 +1200,17 @@ struct audit_buffer *audit_log_start(str
static inline int audit_expand(struct audit_buffer *ab, int extra)
{
struct sk_buff *skb = ab->skb;
- int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
- ab->gfp_mask);
+ int oldtail = skb_tailroom(skb);
+ int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
+ int newtail = skb_tailroom(skb);
+
if (ret < 0) {
audit_log_lost("out of memory in audit_expand");
return 0;
}
- return skb_tailroom(skb);
+
+ skb->truesize += newtail - oldtail;
+ return newtail;
}

/*
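Review bot: besides the truesize fix, this hunk changes the headroom argument from skb_headroom(skb) to 0; pskb_expand_head() takes *additional* headroom, so the old call grew the headroom by its current size on every expansion and the new value is the one that was meant. That is a second behaviour change and should be mentioned in the changelog. Minor: `newtail` is computed before `ret` is checked; when pskb_expand_head() fails the skb is untouched so the value goes unused, but reading it after the error check would make that obvious.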

--

2008-02-23 00:44:33

by Greg KH

Subject: [patch 23/38] Be more robust about bad arguments in get_user_pages()

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Jonathan Corbet <[email protected]>

patch 900cf086fd2fbad07f72f4575449e0d0958f860f in mainline.

So I spent a while pounding my head against my monitor trying to figure
out the vmsplice() vulnerability - how could a failure to check for
*read* access turn into a root exploit? It turns out that it's a buffer
overflow problem which is made easy by the way get_user_pages() is
coded.

In particular, "len" is a signed int, and it is only checked at the
*end* of a do {} while() loop. So, if it is passed in as zero, the loop
will execute once and decrement len to -1. At that point, the loop will
proceed until the next invalid address is found; in the process, it will
likely overflow the pages array passed in to get_user_pages().

I think that, if get_user_pages() has been asked to grab zero pages,
that's what it should do. Thus this patch; it is, among other things,
enough to block the (already fixed) root exploit and any others which
might be lurking in similar code. I also think that the number of pages
should be unsigned, but changing the prototype of this function probably
requires some more careful review.

Signed-off-by: Jonathan Corbet <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
mm/memory.c | 2 ++
1 file changed, 2 insertions(+)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -980,6 +980,8 @@ int get_user_pages(struct task_struct *t
int i;
unsigned int vm_flags;

+ if (len <= 0)
+ return 0;
/*
* Require read or write permissions.
* If 'force' is set, we only require the "MAY" flags.
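Review bot: the guard treats a negative len the same as zero and returns 0 silently; a negative count is a caller bug (the changelog itself argues the parameter should be unsigned), so a `WARN_ON_ONCE(len < 0)` or returning -EINVAL for that case would surface the misuse instead of hiding it. Returning 0 for len == 0 is the right contract, since callers take the return value as the number of pages pinned.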

--
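The bottom-tested loop that the changelog describes, as an added C model; this is not the kernel's get_user_pages() and not code from the patch. It assumes a constructed address space of NR_MAPPED_PAGES mapped pages and, instead of overrunning the caller's array, counts the stores that would have landed past its end, so the len == 0 case can be observed safely. gup_unguarded() and gup_guarded() are hypothetical names for the loop before and after the `len <= 0` check.

```c
#include <errno.h>
#include <stddef.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Constructed address space for the model: one mapping covering pages
 * 0..NR_MAPPED_PAGES-1; anything above it is an unmapped address. */
#define NR_MAPPED_PAGES 5

static int page_mapped(unsigned long addr)
{
    return (addr >> PAGE_SHIFT) < NR_MAPPED_PAGES;
}

/* What a caller gets back: the return value, how many entries the loop
 * tried to store, and how many of those fell past the end of pages[].
 * The model counts instead of performing the out-of-bounds stores. */
struct gup_result {
    int ret;
    int stored;
    int past_end;
};

/* Scratch array with room for two page entries, used by the checks below. */
static unsigned long scratch[2];

/* Core loop shared by both variants, shaped like get_user_pages(): 'len'
 * is a signed int that is only tested at the bottom of the do/while. */
static struct gup_result gup_loop(unsigned long start, int len,
                                  unsigned long *pages, int capacity)
{
    struct gup_result r = { 0, 0, 0 };
    int i = 0;

    do {
        if (!page_mapped(start)) {
            r.ret = i ? i : -EFAULT;   /* stop at the first bad address */
            return r;
        }
        if (i < capacity)
            pages[i] = start >> PAGE_SHIFT;
        else
            r.past_end++;              /* would have overrun pages[] */
        i++;
        r.stored = i;
        start += PAGE_SIZE;
        len--;                         /* len == 0 on entry becomes -1 here */
    } while (len);

    r.ret = i;
    return r;
}

/* Before the fix: len == 0 runs until the first unmapped address. */
static struct gup_result gup_unguarded(unsigned long start, int len,
                                       unsigned long *pages, int capacity)
{
    return gup_loop(start, len, pages, capacity);
}

/* After the fix: zero (or negative) len means zero pages, before any store. */
static struct gup_result gup_guarded(unsigned long start, int len,
                                     unsigned long *pages, int capacity)
{
    struct gup_result none = { 0, 0, 0 };

    if (len <= 0)
        return none;
    return gup_loop(start, len, pages, capacity);
}
```

With a caller that sized its array for zero pages, the unguarded loop keeps storing until the mapping ends, which is the overflow the vmsplice exploit relied on; the guarded version returns before the first store, and a count that stops at an unmapped page still returns the partial total, as get_user_pages() callers expect.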

2008-02-23 00:45:00

by Greg KH

Subject: [patch 24/38] Disable G5 NAP mode during SMU commands on U3

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Benjamin Herrenschmidt <[email protected]>

patch 592a607bbc053bc6f614a0e619326009f4b3829e in mainline.

It appears that with the U3 northbridge, if the processor is in NAP
mode the whole time while waiting for an SMU command to complete,
then the SMU will fail. It could be related to the weird backward
mechanism the SMU uses to get to system memory via i2c to the
northbridge that doesn't operate properly when the said bridge is
napping along with the CPU. That is on U3 at least, U4 doesn't
seem to be affected.

This didn't show before NO_HZ as the timer wakeup was enough to make
it work it seems, but that is no longer the case.

This fixes it by disabling NAP mode on those machines while
an SMU command is in flight.

Signed-off-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Paul Mackerras <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/platforms/powermac/feature.c | 11 ++++++++++-
drivers/macintosh/smu.c | 25 ++++++++++++++++++++++++-
include/asm-powerpc/pmac_feature.h | 8 ++++++++
3 files changed, 42 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powermac/feature.c
+++ b/arch/powerpc/platforms/powermac/feature.c
@@ -2565,6 +2565,8 @@ static void __init probe_uninorth(void)

/* Locate core99 Uni-N */
uninorth_node = of_find_node_by_name(NULL, "uni-n");
+ uninorth_maj = 1;
+
/* Locate G5 u3 */
if (uninorth_node == NULL) {
uninorth_node = of_find_node_by_name(NULL, "u3");
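Review bot: uninorth_maj is now set to 1 before the U3/U4 probes; the header comment added in this patch says 3 means U3, but this hunk and the next only show the U4 branch assigning 4. Please confirm the `u3` branch (not in the diff) sets uninorth_maj = 3, otherwise a U3 would report itself as U1/U2 (harmless for smu.c's `< 4` test, but wrong for any other user of the new API).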
@@ -2575,8 +2577,10 @@ static void __init probe_uninorth(void)
uninorth_node = of_find_node_by_name(NULL, "u4");
uninorth_maj = 4;
}
- if (uninorth_node == NULL)
+ if (uninorth_node == NULL) {
+ uninorth_maj = 0;
return;
+ }

addrp = of_get_property(uninorth_node, "reg", NULL);
if (addrp == NULL)
@@ -3029,3 +3033,8 @@ void pmac_resume_agp_for_card(struct pci
pmac_agp_resume(pmac_agp_bridge);
}
EXPORT_SYMBOL(pmac_resume_agp_for_card);
+
+int pmac_get_uninorth_variant(void)
+{
+ return uninorth_maj;
+}
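Review bot: pmac_get_uninorth_variant() is not exported, unlike pmac_resume_agp_for_card() directly above it. That is fine while its only caller, smu_init(), is built in, but add EXPORT_SYMBOL (or a comment saying it is intentionally built-in only) so a modular SMU driver does not fail at link time later.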
--- a/drivers/macintosh/smu.c
+++ b/drivers/macintosh/smu.c
@@ -85,6 +85,7 @@ struct smu_device {
u32 cmd_buf_abs; /* command buffer absolute */
struct list_head cmd_list;
struct smu_cmd *cmd_cur; /* pending command */
+ int broken_nap;
struct list_head cmd_i2c_list;
struct smu_i2c_cmd *cmd_i2c_cur; /* pending i2c command */
struct timer_list i2c_timer;
@@ -135,6 +136,19 @@ static void smu_start_cmd(void)
fend = faddr + smu->cmd_buf->length + 2;
flush_inval_dcache_range(faddr, fend);

+
+ /* We also disable NAP mode for the duration of the command
+ * on U3 based machines.
+ * This is slightly racy as it can be written back to 1 by a sysctl
+ * but that never happens in practice. There seem to be an issue with
+ * U3 based machines such as the iMac G5 where napping for the
+ * whole duration of the command prevents the SMU from fetching it
+ * from memory. This might be related to the strange i2c based
+ * mechanism the SMU uses to access memory.
+ */
+ if (smu->broken_nap)
+ powersave_nap = 0;
+
/* This isn't exactly a DMA mapping here, I suspect
* the SMU is actually communicating with us via i2c to the
* northbridge or the CPU to access RAM.
@@ -211,6 +225,10 @@ static irqreturn_t smu_db_intr(int irq,
misc = cmd->misc;
mb();
cmd->status = rc;
+
+ /* Re-enable NAP mode */
+ if (smu->broken_nap)
+ powersave_nap = 1;
bail:
/* Start next command if any */
smu_start_cmd();
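Review bot: `powersave_nap = 1` restores NAP unconditionally, so if an administrator had disabled it through the sysctl that the comment in smu_start_cmd() mentions, the first SMU command turns it back on. Save the previous value in smu_start_cmd() and restore that here. Both writes are plain stores to a global shared with the sysctl, which the other comment calls "slightly racy"; fine for a workaround, but keep that remark next to both sides.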
@@ -461,7 +479,7 @@ int __init smu_init (void)
if (np == NULL)
return -ENODEV;

- printk(KERN_INFO "SMU driver %s %s\n", VERSION, AUTHOR);
+ printk(KERN_INFO "SMU: Driver %s %s\n", VERSION, AUTHOR);

if (smu_cmdbuf_abs == 0) {
printk(KERN_ERR "SMU: Command buffer not allocated !\n");
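Review bot: the "SMU driver" to "SMU: Driver" printk change is cosmetic and unrelated to the NAP workaround; in a stable backport it is better left out, or at least mentioned in the changelog, so the diff stays minimal.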
@@ -533,6 +551,11 @@ int __init smu_init (void)
goto fail;
}

+ /* U3 has an issue with NAP mode when issuing SMU commands */
+ smu->broken_nap = pmac_get_uninorth_variant() < 4;
+ if (smu->broken_nap)
+ printk(KERN_INFO "SMU: using NAP mode workaround\n");
+
sys_ctrler = SYS_CTRLER_SMU;
return 0;

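Review bot: `pmac_get_uninorth_variant() < 4` is true for 0 (no uninorth) and 1 (U1.x/U2.x) as well as for 3 (U3), while the comment says the workaround is for U3; `== 3` matches the stated intent and avoids enabling the workaround on anything else numbered below 4. If the intent really is "anything but U4", say so in the comment.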
--- a/include/asm-powerpc/pmac_feature.h
+++ b/include/asm-powerpc/pmac_feature.h
@@ -392,6 +392,14 @@ extern u32 __iomem *uninorth_base;
#define UN_BIS(r,v) (UN_OUT((r), UN_IN(r) | (v)))
#define UN_BIC(r,v) (UN_OUT((r), UN_IN(r) & ~(v)))

+/* Uninorth variant:
+ *
+ * 0 = not uninorth
+ * 1 = U1.x or U2.x
+ * 3 = U3
+ * 4 = U4
+ */
+extern int pmac_get_uninorth_variant(void);

#endif /* __ASM_POWERPC_PMAC_FEATURE_H */
#endif /* __KERNEL__ */
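Review bot: the variant numbers are documented only in this comment and compared as bare integers in smu.c; an enum (UNINORTH_NONE, UNINORTH_U1_U2, UNINORTH_U3, UNINORTH_U4) would let callers write the comparison by name and make the gap at 2 explicit.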

--

2008-02-23 00:45:46

by Greg KH

Subject: [patch 25/38] hrtimer: fix *rmtp handling in hrtimer_nanosleep()

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Oleg Nesterov <[email protected]>

commit 080344b98805553f9b01de0f59a41b1533036d8d

Spotted by Pavel Emelyanov and Alexey Dobriyan.

hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
the local variable which lives in the caller's stack frame. This means that
if sys_restart_syscall() actually happens and it is interrupted as well, we
don't update the user-space variable, but write into the already dead stack
frame.

Introduced by commit 04c227140fed77587432667a574b14736a06dd7f
hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier

Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.

Small problem remains. man 2 nanosleep states that *rmtp should be written if
nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
if nanosleep returns 0), but (with or without this patch) we can dirty *rem
even if nanosleep() returns 0.

NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
bugs. Fixed by the next patch.

Signed-off-by: Oleg Nesterov <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Michael Kerrisk <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Toyo Abe <[email protected]>
Cc: Andrew Morton <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/hrtimer.h | 2 -
kernel/hrtimer.c | 51 +++++++++++++++++++++++++-----------------------
kernel/posix-timers.c | 17 ++--------------
3 files changed, 31 insertions(+), 39 deletions(-)

--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -300,7 +300,7 @@ hrtimer_forward(struct hrtimer *timer, k

/* Precise sleep: */
extern long hrtimer_nanosleep(struct timespec *rqtp,
- struct timespec *rmtp,
+ struct timespec __user *rmtp,
const enum hrtimer_mode mode,
const clockid_t clockid);
extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1291,11 +1291,26 @@ static int __sched do_nanosleep(struct h
return t->task == NULL;
}

+static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
+{
+ struct timespec rmt;
+ ktime_t rem;
+
+ rem = ktime_sub(timer->expires, timer->base->get_time());
+ if (rem.tv64 <= 0)
+ return 0;
+ rmt = ktime_to_timespec(rem);
+
+ if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+ return -EFAULT;
+
+ return 1;
+}
+
long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
{
struct hrtimer_sleeper t;
- struct timespec *rmtp;
- ktime_t time;
+ struct timespec __user *rmtp;

restart->fn = do_no_restart_syscall;

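Review bot: update_rmtp() returns a three-way result (0 = already expired, 1 = remaining time written, negative = -EFAULT) and its callers rely on `if (ret <= 0) return ret;` to turn the first two into nanosleep's return value; that contract is subtle enough to deserve a comment on the function. It also passes the user pointer straight to copy_to_user(), so any in-kernel caller must wrap the call in set_fs(KERNEL_DS), as the next patch does for the compat path.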
@@ -1305,12 +1320,11 @@ long __sched hrtimer_nanosleep_restart(s
if (do_nanosleep(&t, HRTIMER_MODE_ABS))
return 0;

- rmtp = (struct timespec *)restart->arg1;
+ rmtp = (struct timespec __user *)restart->arg1;
if (rmtp) {
- time = ktime_sub(t.timer.expires, t.timer.base->get_time());
- if (time.tv64 <= 0)
- return 0;
- *rmtp = ktime_to_timespec(time);
+ int ret = update_rmtp(&t.timer, rmtp);
+ if (ret <= 0)
+ return ret;
}

restart->fn = hrtimer_nanosleep_restart;
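Review bot: because restart->fn is reset to do_no_restart_syscall at the top of the function, an -EFAULT from update_rmtp() returns with the restart block disarmed, which is correct; a comment would help since the -ERESTART_RESTARTBLOCK path re-arms it only a few lines later. The `(struct timespec __user *)restart->arg1` cast is the right one now that arg1 carries a user pointer rather than a kernel stack address.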
@@ -1319,12 +1333,11 @@ long __sched hrtimer_nanosleep_restart(s
return -ERESTART_RESTARTBLOCK;
}

-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
+long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
const enum hrtimer_mode mode, const clockid_t clockid)
{
struct restart_block *restart;
struct hrtimer_sleeper t;
- ktime_t rem;

hrtimer_init(&t.timer, clockid, mode);
t.timer.expires = timespec_to_ktime(*rqtp);
@@ -1336,10 +1349,9 @@ long hrtimer_nanosleep(struct timespec *
return -ERESTARTNOHAND;

if (rmtp) {
- rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
- if (rem.tv64 <= 0)
- return 0;
- *rmtp = ktime_to_timespec(rem);
+ int ret = update_rmtp(&t.timer, rmtp);
+ if (ret <= 0)
+ return ret;
}

restart = &current_thread_info()->restart_block;
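Review bot: *rmtp is written here before the kernel knows whether the interrupted sleep will be transparently restarted and finally return 0, which is the "small problem" the changelog admits: a caller can observe a dirtied rem after a nanosleep() that returned 0. One way around it would be to keep the remaining time in the restart block and copy it out only when the syscall actually returns to user space; not for stable, but a comment here would stop the next reader from treating the early write as a bug.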
@@ -1355,8 +1367,7 @@ long hrtimer_nanosleep(struct timespec *
asmlinkage long
sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
{
- struct timespec tu, rmt;
- int ret;
+ struct timespec tu;

if (copy_from_user(&tu, rqtp, sizeof(tu)))
return -EFAULT;
@@ -1364,15 +1375,7 @@ sys_nanosleep(struct timespec __user *rq
if (!timespec_valid(&tu))
return -EINVAL;

- ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
- CLOCK_MONOTONIC);
-
- if (ret && rmtp) {
- if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
- return -EFAULT;
- }
-
- return ret;
+ return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
}

/*
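Review bot: sys_nanosleep() now hands rmtp straight to hrtimer_nanosleep(), so the copy_to_user() happens inside the timer code; unchanged for user callers, but any in-kernel caller that still uses the `rmtp ? &rmt : NULL` pattern this hunk deletes now needs set_fs(KERNEL_DS) or it will fault. The changelog covers compat; it is worth grepping for other callers of hrtimer_nanosleep().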
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -981,20 +981,9 @@ sys_clock_getres(const clockid_t which_c
static int common_nsleep(const clockid_t which_clock, int flags,
struct timespec *tsave, struct timespec __user *rmtp)
{
- struct timespec rmt;
- int ret;
-
- ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
- flags & TIMER_ABSTIME ?
- HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
- which_clock);
-
- if (ret && rmtp) {
- if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
- return -EFAULT;
- }
-
- return ret;
+ return hrtimer_nanosleep(tsave, rmtp, flags & TIMER_ABSTIME ?
+ HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
+ which_clock);
}

asmlinkage long

--

2008-02-23 00:46:22

by Greg KH

Subject: [patch 26/38] hrtimer: fix *rmtp/restarts handling in compat_sys_nanosleep()

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Oleg Nesterov <[email protected]>

commit 416529374b4793ba2d2e97e736d108a2e0f3ef07

Spotted by Pavel Emelyanov and Alexey Dobriyan.

compat_sys_nanosleep() implicitly uses hrtimer_nanosleep_restart(), this can't
work. Make a suitable compat_nanosleep_restart() helper.

Introduced by commit c70878b4e0b6cf8d2f1e46319e48e821ef4a8aba
hrtimer: hook compat_sys_nanosleep up to high res timer code

Also, set ->addr_limit = KERNEL_DS before doing hrtimer_nanosleep(), this func
was changed by the previous patch and now takes the "__user *" parameter.

Thanks to Ingo Molnar for fixing the bug in this patch.

Signed-off-by: Oleg Nesterov <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Toyo Abe <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
kernel/compat.c | 44 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 4 deletions(-)

--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -40,10 +40,36 @@ int put_compat_timespec(const struct tim
__put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
}

+static long compat_nanosleep_restart(struct restart_block *restart)
+{
+ struct compat_timespec __user *rmtp;
+ struct timespec rmt;
+ mm_segment_t oldfs;
+ long ret;
+
+ rmtp = (struct compat_timespec __user *)(restart->arg1);
+ restart->arg1 = (unsigned long)&rmt;
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = hrtimer_nanosleep_restart(restart);
+ set_fs(oldfs);
+
+ if (ret) {
+ restart->fn = compat_nanosleep_restart;
+ restart->arg1 = (unsigned long)rmtp;
+
+ if (rmtp && put_compat_timespec(&rmt, rmtp))
+ return -EFAULT;
+ }
+
+ return ret;
+}
+
asmlinkage long compat_sys_nanosleep(struct compat_timespec __user *rqtp,
struct compat_timespec __user *rmtp)
{
struct timespec tu, rmt;
+ mm_segment_t oldfs;
long ret;

if (get_compat_timespec(&tu, rqtp))
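Review bot: `restart->arg1 = (unsigned long)&rmt` stores the address of a stack variable in the restart block, the very pattern the previous patch removed; it is safe here only because hrtimer_nanosleep_restart() is called synchronously and arg1 is put back to the user pointer before returning. That invariant should be spelled out in a comment. Also, `if (ret)` re-arms the restart block for any non-zero return; only -ERESTART_RESTARTBLOCK can reach it today, but testing for that value explicitly documents the assumption.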
@@ -52,11 +78,21 @@ asmlinkage long compat_sys_nanosleep(str
if (!timespec_valid(&tu))
return -EINVAL;

- ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
- CLOCK_MONOTONIC);
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ ret = hrtimer_nanosleep(&tu,
+ rmtp ? (struct timespec __user *)&rmt : NULL,
+ HRTIMER_MODE_REL, CLOCK_MONOTONIC);
+ set_fs(oldfs);
+
+ if (ret) {
+ struct restart_block *restart
+ = &current_thread_info()->restart_block;
+
+ restart->fn = compat_nanosleep_restart;
+ restart->arg1 = (unsigned long)rmtp;

- if (ret && rmtp) {
- if (put_compat_timespec(&rmt, rmtp))
+ if (rmtp && put_compat_timespec(&rmt, rmtp))
return -EFAULT;
}

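Review bot: `(struct timespec __user *)&rmt` casts a kernel pointer into the __user address space; sparse will warn unless it is written with __force, and the set_fs(KERNEL_DS) window around the call is the only thing making the copy_to_user() inside hrtimer_nanosleep() legal, so both deserve a comment. As in compat_nanosleep_restart(), `if (ret)` arms the restart block for every non-zero return; in HRTIMER_MODE_REL only -ERESTART_RESTARTBLOCK can arrive here, but `ret == -ERESTART_RESTARTBLOCK` says what is meant.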

--

2008-02-23 00:46:52

by Greg KH

Subject: [patch 27/38] SLUB: Deal with annoying gcc warning on kfree()

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Christoph Lameter <[email protected]>

patch 5bb983b0cce9b7b281af15730f7019116dd42568 in mainline.

gcc 4.2 spits out an annoying warning if one casts a const void *
pointer to a void * pointer. No warning is generated if the
conversion is done through an assignment.

Signed-off-by: Christoph Lameter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
mm/slub.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2592,6 +2592,7 @@ EXPORT_SYMBOL(ksize);
void kfree(const void *x)
{
struct page *page;
+ void *object = (void *)x;

if (unlikely(ZERO_OR_NULL_PTR(x)))
return;
@@ -2601,7 +2602,7 @@ void kfree(const void *x)
put_page(page);
return;
}
- slab_free(page->slab, page, (void *)x, __builtin_return_address(0));
+ slab_free(page->slab, page, object, __builtin_return_address(0));
}
EXPORT_SYMBOL(kfree);

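Review bot: assigning through `void *object` silences gcc's cast-discards-qualifiers warning without changing behaviour: kfree() takes const void * so callers can free const data, and slab_free() needs a writable pointer to link the object back into the freelist. A one-line comment on the `object` declaration saying the const is dropped deliberately would stop the next cleanup from turning it back into a cast. For the stable series, note that this is a warning-only change with no functional effect.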

--

2008-02-23 00:47:28

by Greg KH

Subject: [patch 28/38] hrtimer: check relative timeouts for overflow

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Thomas Gleixner <[email protected]>

commit: 5a7780e725d1bb4c3094fcc12f1c5c5faea1e988

Various user space callers ask for relative timeouts. While we fixed
that overflow issue in hrtimer_start(), the sites which convert
relative user space values to absolute timeouts themselves were uncovered.

Instead of putting overflow checks into each place add a function
which does the sanity checking and convert all affected callers to use
it.

Thanks to Frans Pop, who reported the problem and tested the fixes.

Signed-off-by: Thomas Gleixner <[email protected]>
Acked-by: Ingo Molnar <[email protected]>
Tested-by: Frans Pop <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
include/linux/ktime.h | 2 ++
kernel/futex.c | 2 +-
kernel/futex_compat.c | 2 +-
kernel/hrtimer.c | 38 +++++++++++++++++++++-----------------
kernel/posix-timers.c | 8 +++++---
5 files changed, 30 insertions(+), 22 deletions(-)

--- a/include/linux/ktime.h
+++ b/include/linux/ktime.h
@@ -310,6 +310,8 @@ static inline ktime_t ktime_sub_us(const
return ktime_sub_ns(kt, usec * 1000);
}

+extern ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs);
+
/*
* The resolution of the clocks. The resolution value is returned in
* the clock_getres() system call to give application programmers an
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2094,7 +2094,7 @@ asmlinkage long sys_futex(u32 __user *ua

t = timespec_to_ktime(ts);
if (cmd == FUTEX_WAIT)
- t = ktime_add(ktime_get(), t);
+ t = ktime_add_safe(ktime_get(), t);
tp = &t;
}
/*
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -175,7 +175,7 @@ asmlinkage long compat_sys_futex(u32 __u

t = timespec_to_ktime(ts);
if (cmd == FUTEX_WAIT)
- t = ktime_add(ktime_get(), t);
+ t = ktime_add_safe(ktime_get(), t);
tp = &t;
}
if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE)
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -325,6 +325,24 @@ unsigned long ktime_divns(const ktime_t
}
#endif /* BITS_PER_LONG >= 64 */

+/*
+ * Add two ktime values and do a safety check for overflow:
+ */
+
+ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
+{
+ ktime_t res = ktime_add(lhs, rhs);
+
+ /*
+ * We use KTIME_SEC_MAX here, the maximum timeout which we can
+ * return to user space in a timespec:
+ */
+ if (res.tv64 < 0 || res.tv64 < lhs.tv64 || res.tv64 < rhs.tv64)
+ res = ktime_set(KTIME_SEC_MAX, 0);
+
+ return res;
+}
+
/* High resolution timer related functions */
#ifdef CONFIG_HIGH_RES_TIMERS

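Review bot: the overflow test inspects the wrapped sum (`res.tv64 < lhs.tv64`), which is signed overflow and therefore undefined behaviour in C; a compiler that assumes no overflow may fold `lhs + rhs < lhs` into `rhs < 0` and drop the check entirely unless the build uses -fno-strict-overflow or -fwrapv. Testing before the add (e.g. `rhs.tv64 > 0 && lhs.tv64 > KTIME_MAX - rhs.tv64`) is reliable everywhere. Separately, the predicate also fires for a negative rhs that does not overflow (lhs = 10, rhs = -3 gives res < lhs), so callers must pass non-negative operands; say so in the comment above the function.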
@@ -682,13 +700,7 @@ hrtimer_forward(struct hrtimer *timer, k
*/
orun++;
}
- timer->expires = ktime_add(timer->expires, interval);
- /*
- * Make sure, that the result did not wrap with a very large
- * interval.
- */
- if (timer->expires.tv64 < 0)
- timer->expires = ktime_set(KTIME_SEC_MAX, 0);
+ timer->expires = ktime_add_safe(timer->expires, interval);

return orun;
}
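Review bot: replacing the `timer->expires.tv64 < 0` check with ktime_add_safe() is equivalent here only because interval is always positive for a periodic timer, and the clamp target is unchanged (KTIME_SEC_MAX, as the removed lines show); a note in the function comment would avoid a later "why not KTIME_MAX" question.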
@@ -839,7 +851,7 @@ hrtimer_start(struct hrtimer *timer, kti
new_base = switch_hrtimer_base(timer, base);

if (mode == HRTIMER_MODE_REL) {
- tim = ktime_add(tim, new_base->get_time());
+ tim = ktime_add_safe(tim, new_base->get_time());
/*
* CONFIG_TIME_LOW_RES is a temporary way for architectures
* to signal that they simply return xtime in
@@ -848,16 +860,8 @@ hrtimer_start(struct hrtimer *timer, kti
* timeouts. This will go away with the GTOD framework.
*/
#ifdef CONFIG_TIME_LOW_RES
- tim = ktime_add(tim, base->resolution);
+ tim = ktime_add_safe(tim, base->resolution);
#endif
- /*
- * Careful here: User space might have asked for a
- * very long sleep, so the add above might result in a
- * negative number, which enqueues the timer in front
- * of the queue.
- */
- if (tim.tv64 < 0)
- tim.tv64 = KTIME_MAX;
}
timer->expires = tim;

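Review bot: the removed block clamped the final sum to KTIME_MAX once, after both additions; the replacement clamps to ktime_set(KTIME_SEC_MAX, 0) after each one. The lower saturation value is justified by the comment in ktime_add_safe() (it must be representable in a timespec handed back to user space), but it changes the largest expiry an absolute timer can end up with, so the changelog should say so.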
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -766,9 +766,11 @@ common_timer_set(struct k_itimer *timr,
/* SIGEV_NONE timers are not queued ! See common_timer_get */
if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
/* Setup correct expiry time for relative timers */
- if (mode == HRTIMER_MODE_REL)
- timer->expires = ktime_add(timer->expires,
- timer->base->get_time());
+ if (mode == HRTIMER_MODE_REL) {
+ timer->expires =
+ ktime_add_safe(timer->expires,
+ timer->base->get_time());
+ }
return 0;
}


--

2008-02-23 00:47:56

by Greg KH


Subject: [patch 29/38] hrtimer: catch expired CLOCK_REALTIME timers early



2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Thomas Gleixner <[email protected]>

commit 63070a79ba482c274bad10ac8c4b587a3e011f2c

A CLOCK_REALTIME timer, which has an absolute expiry time less than
the clock realtime offset calls with a negative delta into the clock
events code and triggers the WARN_ON() there.

This is a false positive and needs to be prevented. Check the result
of timer->expires - timer->base->offset right away and return -ETIME
right away.

Thanks to Frans Pop, who reported the problem and tested the fixes.

Signed-off-by: Thomas Gleixner <[email protected]>
Tested-by: Frans Pop <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/hrtimer.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -427,6 +427,8 @@ static int hrtimer_reprogram(struct hrti
ktime_t expires = ktime_sub(timer->expires, base->offset);
int res;

+ WARN_ON_ONCE(timer->expires.tv64 < 0);
+
/*
* When the callback is running, we do not reprogram the clock event
* device. The timer callback is either running on a different CPU or
@@ -437,6 +439,15 @@ static int hrtimer_reprogram(struct hrti
if (hrtimer_callback_running(timer))
return 0;

+ /*
+ * CLOCK_REALTIME timer might be requested with an absolute
+ * expiry time which is less than base->offset. Nothing wrong
+ * about that, just avoid to call into the tick code, which
+ * has now objections against negative expiry values.
+ */
+ if (expires.tv64 < 0)
+ return -ETIME;
+
if (expires.tv64 >= expires_next->tv64)
return 0;


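Review bot: -ETIME is a new return value for hrtimer_reprogram(); the function comment should document it, and every caller needs checking: one that tests the result for != 0 will correctly take the expired path, one that tests for == 1 will silently skip it. The new comment also has a typo, "has now objections" should read "has no objections".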
--

2008-02-23 00:48:29

by Greg KH

Subject: [patch 30/38] genirq: do not leave interrupts enabled on free_irq

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Thomas Gleixner <[email protected]>

commit 89d694b9dbe769ca1004e01db0ca43964806a611

The default_disable() function was changed in commit:

76d2160147f43f982dfe881404cfde9fd0a9da21
genirq: do not mask interrupts by default

It removed the mask function in favour of the default delayed
interrupt disabling. Unfortunately this also broke the shutdown in
free_irq() when the last handler is removed from the interrupt for
those architectures which rely on the default implementations. Now we
can end up with an enabled interrupt line after the last handler was
removed, which can result in spurious interrupts.

Fix this by adding a default_shutdown function, which is only
installed when the irqchip implementation provides neither a
shutdown nor a disable function.


Pointed-out-by: Michael Hennerich <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Acked-by: Ingo Molnar <[email protected]>
Tested-by: Michael Hennerich <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
kernel/irq/chip.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

--- a/kernel/irq/chip.c
+++ b/kernel/irq/chip.c
@@ -246,6 +246,17 @@ static unsigned int default_startup(unsi
}

/*
+ * default shutdown function
+ */
+static void default_shutdown(unsigned int irq)
+{
+ struct irq_desc *desc = irq_desc + irq;
+
+ desc->chip->mask(irq);
+ desc->status |= IRQ_MASKED;
+}
+
+/*
* Fixup enable/disable function pointers
*/
void irq_chip_set_defaults(struct irq_chip *chip)
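Review bot: default_shutdown() calls desc->chip->mask(irq) unconditionally, and the defaults fixup in the next hunk installs nothing for chip->mask, so a chip that provides neither shutdown, disable nor mask would now oops in free_irq() instead of merely leaving the line enabled. If every irq_chip is required to supply mask, a one-line comment stating that assumption above default_shutdown() is enough; otherwise guard the call.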
@@ -256,8 +267,15 @@ void irq_chip_set_defaults(struct irq_ch
chip->disable = default_disable;
if (!chip->startup)
chip->startup = default_startup;
+ /*
+ * We use chip->disable, when the user provided its own. When
+ * we have default_disable set for chip->disable, then we need
+ * to use default_shutdown, otherwise the irq line is not
+ * disabled on free_irq():
+ */
if (!chip->shutdown)
- chip->shutdown = chip->disable;
+ chip->shutdown = chip->disable != default_disable ?
+ chip->disable : default_shutdown;
if (!chip->name)
chip->name = chip->typename;
if (!chip->end)

--

2008-02-23 00:48:54

by Greg KH

Subject: [patch 31/38] S390: Fix futex_atomic_cmpxchg_std inline assembly.

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Heiko Carstens <[email protected]>

commit: d5b02b3ff1d9a2e1074f559c84ed378cfa6fc3c0 upstream

Add missing exception table entry so that the kernel can handle
protection exceptions as well on the cs instruction. Currently only
specification exceptions are handled correctly.
The missing entry allows user space to crash the kernel.

Signed-off-by: Heiko Carstens <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/s390/lib/uaccess_std.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/s390/lib/uaccess_std.c
+++ b/arch/s390/lib/uaccess_std.c
@@ -293,10 +293,10 @@ int futex_atomic_cmpxchg_std(int __user

asm volatile(
" sacf 256\n"
- " cs %1,%4,0(%5)\n"
- "0: lr %0,%1\n"
- "1: sacf 0\n"
- EX_TABLE(0b,1b)
+ "0: cs %1,%4,0(%5)\n"
+ "1: lr %0,%1\n"
+ "2: sacf 0\n"
+ EX_TABLE(0b,2b) EX_TABLE(1b,2b)
: "=d" (ret), "+d" (oldval), "=m" (*uaddr)
: "0" (-EFAULT), "d" (newval), "a" (uaddr), "m" (*uaddr)
: "cc", "memory" );

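Review bot: a comment on why two exception-table entries are needed would spare the next reader: the `lr` at 1: cannot fault by itself; its entry exists because some exceptions raised by `cs` are reported with the PSW already pointing at the following instruction (the case the old EX_TABLE(0b,1b) handled), while others report the address of `cs` itself, the case the changelog says was unhandled. Both fixups land at 2: with ret still holding the -EFAULT preloaded through the "0" input constraint, so the error return is correct.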
--

2008-02-23 00:49:30

by Greg KH

Subject: [patch 32/38] USB: fix pm counter leak in usblp

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Oliver Neukum <[email protected]>

commit 1902869019918411c148c18cc3a22aade569ac9a upstream

If you fail in open() you must decrement the pm counter again.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Pete Zaitcev <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/class/usblp.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -428,6 +428,7 @@ static int usblp_open(struct inode *inod
usblp->rcomplete = 0;

if (handle_bidir(usblp) < 0) {
+ usb_autopm_put_interface(intf);
usblp->used = 0;
file->private_data = NULL;
retval = -EIO;

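Review bot: `intf` is not in the visible context; confirm it is the interface that usb_autopm_get_interface() was called on earlier in usblp_open(), and check whether any other failure exit between that get and this handle_bidir() check needs the same put, since this hunk fixes only the one path.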
--

2008-02-23 00:49:56

by Greg KH

Subject: [patch 33/38] SCSI: gdth: scan for scsi devices


2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Boaz Harrosh <[email protected]>

commit: 61c92814dc324b541391757062ff02fbf3b08086

The patch: "gdth: switch to modern scsi host registration"

missed one simple fact when moving away from scsi_module.c.
That is to call scsi_scan_host() on the probed host.
With this the gdth driver from 2.6.24 is again able to
see drives and boot.

Signed-off-by: Boaz Harrosh <[email protected]>
Tested-by: Joerg Dorchain <[email protected]>
Tested-by: Stefan Priebe <[email protected]>
Tested-by: Jon Chelton <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/scsi/gdth.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -4838,6 +4838,9 @@ static int __init gdth_isa_probe_one(ulo
if (error)
goto out_free_coal_stat;
list_add_tail(&ha->list, &gdth_instances);
+
+ scsi_scan_host(shp);
+
return 0;

out_free_coal_stat:
@@ -4965,6 +4968,9 @@ static int __init gdth_eisa_probe_one(us
if (error)
goto out_free_coal_stat;
list_add_tail(&ha->list, &gdth_instances);
+
+ scsi_scan_host(shp);
+
return 0;

out_free_ccb_phys:
@@ -5102,6 +5108,9 @@ static int __init gdth_pci_probe_one(gdt
if (error)
goto out_free_coal_stat;
list_add_tail(&ha->list, &gdth_instances);
+
+ scsi_scan_host(shp);
+
return 0;

out_free_coal_stat:

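Review bot: the same three lines are inserted into the ISA, EISA and PCI probe functions; scsi_scan_host() starts issuing commands to the host right away, so it must remain the last step after every per-host field is set up, which it is here (after list_add_tail() and immediately before return 0). It returns void and no cleanup follows it, so the unwind labels below are unaffected.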
--

2008-02-23 00:50:39

by Greg KH

Subject: [patch 34/38] kbuild: allow -fstack-protector to take effect

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Sam Ravnborg <[email protected]>

commit: e06b8b98da071f7dd78fb7822991694288047df0

Arjan van de Ven <[email protected]> wrote:
===
I just read the excellent LWN writeup of the vmsplice
security thing, and that got me wondering why this attack
wasn't stopped by the CONFIG_CC_STACKPROTECTOR option...
because it plain should have been...

Some analysis later.. it turns out that the following line
in the top level Makefile, added by you in October 2007,
entirely disables CONFIG_CC_STACKPROTECTOR ;(
With this line removed the exploit will be nicely stopped.

CFLAGS += $(call cc-option, -fno-stack-protector)

Now I realize that certain distros have patched gcc to
compensate for their lack of distro wide CFLAGS, and it's
great to work around that... but would there be a way to NOT
disable this for CONFIG_CC_STACKPROTECTOR please?
It would have made this exploit not possible for those kernels
that enable this feature (and that includes distros like Fedora)
===

Move the assignment to KBUILD_CFLAGS up before including
the arch specific Makefile so arch makefiles may override
the setting.

Signed-off-by: Sam Ravnborg <[email protected]>
Cc: Arjan van de Ven <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
Makefile | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -507,6 +507,10 @@ else
KBUILD_CFLAGS += -O2
endif

+# Force gcc to behave correct even for buggy distributions
+# Arch Makefiles may override this setting
+KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
+
include $(srctree)/arch/$(SRCARCH)/Makefile

ifdef CONFIG_FRAME_POINTER
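Review bot: with `+=` an arch Makefile cannot drop -fno-stack-protector; it can only append -fstack-protector afterwards and rely on gcc honouring the last option given. No arch Makefile change is part of this patch, so on its own it enables nothing for CONFIG_CC_STACKPROTECTOR builds; the new comment ("Arch Makefiles may override this setting") should say how the override works, and "behave correct" could become "behave correctly" while the line is being moved anyway.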
@@ -520,9 +524,6 @@ KBUILD_CFLAGS += -g
KBUILD_AFLAGS += -gdwarf-2
endif

-# Force gcc to behave correct even for buggy distributions
-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
-
# arch Makefile may override CC so keep this after arch Makefile is included
NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
CHECKFLAGS += $(NOSTDINC_FLAGS)

--

2008-02-23 00:51:15

by Greg KH

Subject: [patch 35/38] PCMCIA: Fix station address detection in smc

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Chuck Ebbert <[email protected]>

Commit: a1a98b72dbd17e53cd92b8e78f404525ebcfd981

Fix station address detection in smc

Megahertz EM1144 PCMCIA ethernet adapter needs special handling
because it has two VERS_1 tuples and the station address is in
the second one. Conversion to generic handling of these fields
broke it. Reverting that fixes the device.

https://bugzilla.redhat.com/show_bug.cgi?id=233255

Thanks go to Jon Stanley for not giving up on this one until the
problem was found.

Signed-off-by: Chuck Ebbert <[email protected]>
Signed-off-by: Jeff Garzik <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/pcmcia/smc91c92_cs.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/net/pcmcia/smc91c92_cs.c
+++ b/drivers/net/pcmcia/smc91c92_cs.c
@@ -559,8 +559,16 @@ static int mhz_setup(struct pcmcia_devic

/* Read the station address from the CIS. It is stored as the last
(fourth) string in the Version 1 Version/ID tuple. */
- if (link->prod_id[3]) {
- station_addr = link->prod_id[3];
+ tuple->DesiredTuple = CISTPL_VERS_1;
+ if (first_tuple(link, tuple, parse) != CS_SUCCESS) {
+ rc = -1;
+ goto free_cfg_mem;
+ }
+ /* Ugh -- the EM1144 card has two VERS_1 tuples!?! */
+ if (next_tuple(link, tuple, parse) != CS_SUCCESS)
+ first_tuple(link, tuple, parse);
+ if (parse->version_1.ns > 3) {
+ station_addr = parse->version_1.str + parse->version_1.ofs[3];
if (cvt_ascii_address(dev, station_addr) == 0) {
rc = 0;
goto free_cfg_mem;

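Review bot: the return value of the second first_tuple() call is discarded; it succeeded a few lines earlier so this is acceptable, but a comment saying it re-parses the first VERS_1 tuple when next_tuple() finds no second one would make the intent explicit. The `parse->version_1.ns > 3` check correctly guards the ofs[3] index before the station address is read.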
--

2008-02-23 00:51:41

by Greg KH

Subject: [patch 36/38] POWERPC: Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Olaf Hering <[email protected]>

Commit: 092ca5bd61da6344f3b249754b337f2d48dfe08d

[POWERPC] Revert chrp_pci_fixup_vt8231_ata devinit to fix libata on pegasos

Commit 6d98bda79bea0e1be26c0767d0e9923ad3b72f2e changed the init order
for chrp_pci_fixup_vt8231_ata().

It can not work anymore because either the irq is not yet set to 14 or
pci_get_device() returns nothing. At least the printk() in
chrp_pci_fixup_vt8231_ata() does not trigger anymore.
pata_via works again on Pegasos with the change below.

Signed-off-by: Olaf Hering <[email protected]>
Signed-off-by: Paul Mackerras <[email protected]>
Cc: Chuck Ebbert <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/platforms/chrp/pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/chrp/pci.c
+++ b/arch/powerpc/platforms/chrp/pci.c
@@ -354,7 +354,7 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_WI
* mode as well. The same fixup must be done to the class-code property in
* the IDE node /pci@80000000/ide@C,1
*/
-static void __devinit chrp_pci_fixup_vt8231_ata(struct pci_dev *viaide)
+static void chrp_pci_fixup_vt8231_ata(struct pci_dev *viaide)
{
u8 progif;
struct pci_dev *viaisa;
@@ -375,4 +375,4 @@ static void __devinit chrp_pci_fixup_vt8

pci_dev_put(viaisa);
}
-DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, chrp_pci_fixup_vt8231_ata);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, chrp_pci_fixup_vt8231_ata);

--

2008-02-23 00:52:20

by Greg KH

Subject: [patch 37/38] bonding: fix NULL pointer deref in startup processing


2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Jay Vosburgh <[email protected]>

patch 4fe4763cd8cacd81d892193efb48b99c99c15323 in mainline.

Fix the "are we creating a duplicate" check to not compare
the name if the name is NULL (meaning that the system should select
a name). Bug reported by Benny Amorsen <[email protected]>.

Signed-off-by: Jay Vosburgh <[email protected]>
Signed-off-by: Jeff Garzik <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/bonding/bond_main.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4883,14 +4883,16 @@ int bond_create(char *name, struct bond_
down_write(&bonding_rwsem);

/* Check to see if the bond already exists. */
- list_for_each_entry_safe(bond, nxt, &bond_dev_list, bond_list)
- if (strnicmp(bond->dev->name, name, IFNAMSIZ) == 0) {
- printk(KERN_ERR DRV_NAME
+ if (name) {
+ list_for_each_entry_safe(bond, nxt, &bond_dev_list, bond_list)
+ if (strnicmp(bond->dev->name, name, IFNAMSIZ) == 0) {
+ printk(KERN_ERR DRV_NAME
": cannot add bond %s; it already exists\n",
- name);
- res = -EPERM;
- goto out_rtnl;
- }
+ name);
+ res = -EPERM;
+ goto out_rtnl;
+ }
+ }

bond_dev = alloc_netdev(sizeof(struct bonding), name ? name : "",
ether_setup);

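Review bot: the unchanged format-string line `": cannot add bond %s; it already exists\n",` was not re-indented along with the printk it belongs to, so it now sits one level left of its own arguments; cosmetic, but worth fixing in the same patch. The NULL guard itself is right: strnicmp() would dereference a NULL name, and the alloc_netdev() call below already handles NULL with `name ? name : ""`.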
--

2008-02-23 00:53:02

by Greg KH

Subject: [patch 38/38] x86_64: CPA, fix cache attribute inconsistency bug

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Ingo Molnar <[email protected]>

(no matching git id as the upstream code is rewritten)

Fix CPA cache attribute bug in v2.6.24. When phys_base is nonzero (when
CONFIG_RELOCATABLE=y) then change_page_attr_addr() miscalculates the
secondary alias address by -14 MB (depending on the configured offset).

The default 64-bit kernels of Fedora and Ubuntu are affected:

$ grep RELOCA /boot/config-2.6.23.9-85.fc8
CONFIG_RELOCATABLE=y

$ grep RELOC /boot/config-2.6.22-14-generic
CONFIG_RELOCATABLE=y

and probably on many other distros as well.

The bug affects all pages in the first 40 MB of physical RAM that
are allocated by some subsystem that does ioremap_nocache() on them:

if (__pa(address) < KERNEL_TEXT_SIZE) {

Hence we might leave page table entries with inconsistent cache
attributes around (pages mapped at both UnCacheable and Write-Back),
and we can also set the wrong kernel text pages to UnCacheable.

The effects of this bug can be random slowdowns and other misbehavior.
If for example AGP allocates its aperture pages into the first 40 MB
of physical RAM, then the -14 MB bug might mark random kernel text
pages as uncacheable, slowing down a random portion of the 64-bit
kernel until the AGP driver is unloaded.

Signed-off-by: Ingo Molnar <[email protected]>
Acked-by: Thomas Gleixner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/mm/pageattr_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/mm/pageattr_64.c
+++ b/arch/x86/mm/pageattr_64.c
@@ -207,7 +207,7 @@ int change_page_attr_addr(unsigned long
if (__pa(address) < KERNEL_TEXT_SIZE) {
unsigned long addr2;
pgprot_t prot2;
- addr2 = __START_KERNEL_map + __pa(address);
+ addr2 = __START_KERNEL_map + __pa(address) - phys_base;
/* Make sure the kernel mappings stay executable */
prot2 = pte_pgprot(pte_mkexec(pfn_pte(0, prot)));
err = __change_page_attr(addr2, pfn, prot2,

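Review bot: the alias correction looks right (__pa() of a kernel-text address includes phys_base, so the virtual alias must subtract it again), but the unchanged condition `if (__pa(address) < KERNEL_TEXT_SIZE)` still compares the physical address against a size rather than against the relocated window phys_base .. phys_base + KERNEL_TEXT_SIZE. For a page with __pa(address) < phys_base the computed addr2 falls below __START_KERNEL_map, where no kernel-text alias exists; the condition probably needs the same phys_base adjustment.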
--

2008-02-23 00:54:45

by Arjan van de Ven

Subject: Re: [patch 34/38] kbuild: allow -fstack-protector to take effect

On Fri, 22 Feb 2008 16:31:33 -0800
Greg KH <[email protected]> wrote:

> 2.6.24-stable review patch. If anyone has any objections, please let
> us know.


not ready for -stable yet. if ever for backporting (doubtful)

>
> ------------------
> From: Sam Ravnborg <[email protected]>
>
> commit: e06b8b98da071f7dd78fb7822991694288047df0
>
> Arjan van de Ven <[email protected]> wrote:
> ===
> I just read the excellent LWN writeup of the vmsplice
> security thing, and that got me wondering why this attack
> wasn't stopped by the CONFIG_CC_STACKPROTECTOR option...
> because it plain should have been...
>
> Some analysis later.. it turns out that the following line
> in the top level Makefile, added by you in October 2007,
> entirely disables CONFIG_CC_STACKPROTECTOR ;(
> With this line removed the exploit will be nicely stopped.
>
> CFLAGS += $(call cc-option, -fno-stack-protector)
>
> Now I realize that certain distros have patched gcc to
> compensate for their lack of distro wide CFLAGS, and it's
> great to work around that... but would there be a way to NOT
> disable this for CONFIG_CC_STACKPROTECTOR please?
> It would have made this exploit not possible for those kernels
> that enable this feature (and that includes distros like Fedora)
> ===
>
> Move the assignment to KBUILD_CFLAGS up before including
> the arch specific Makefile so arch makefiles may override
> the setting.
>
> Signed-off-by: Sam Ravnborg <[email protected]>
> Cc: Arjan van de Ven <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
> Makefile | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> --- a/Makefile
> +++ b/Makefile
> @@ -507,6 +507,10 @@ else
> KBUILD_CFLAGS += -O2
> endif
>
> +# Force gcc to behave correct even for buggy distributions
> +# Arch Makefiles may override this setting
> +KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
> +
> include $(srctree)/arch/$(SRCARCH)/Makefile
>
> ifdef CONFIG_FRAME_POINTER
> @@ -520,9 +524,6 @@ KBUILD_CFLAGS += -g
> KBUILD_AFLAGS += -gdwarf-2
> endif
>
> -# Force gcc to behave correct even for buggy distributions
> -KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
> -
> # arch Makefile may override CC so keep this after arch Makefile is
> included NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC)
> -print-file-name=include) CHECKFLAGS += $(NOSTDINC_FLAGS)
>


--
If you want to reach me at my work email, use [email protected]
For development, discussion and tips for power savings,
visit http://www.lesswatts.org

2008-02-23 00:56:23

by Greg KH

Subject: Re: [patch 34/38] kbuild: allow -fstack-protector to take effect

On Fri, Feb 22, 2008 at 04:46:17PM -0800, Arjan van de Ven wrote:
> On Fri, 22 Feb 2008 16:31:33 -0800
> Greg KH <[email protected]> wrote:
>
> > 2.6.24-stable review patch. If anyone has any objections, please let
> > us know.
>
>
> not ready for -stable yet. if ever for backporting (doubtful)

Ok, dropped from -stable, thanks.

greg k-h

2008-02-23 00:56:44

by Greg KH

Subject: [patch 04/38] inotify: fix check for one-shot watches before destroying them

2.6.24-stable review patch. If anyone has any objections, please let us
know.

------------------

From: Ulisses Furquim <[email protected]>

patch ac74c00e499ed276a965e5b5600667d5dc04a84a in mainline.

As the IN_ONESHOT bit is never set when an event is sent we must check it
in the watch's mask and not in the event's mask.

Signed-off-by: Ulisses Furquim <[email protected]>
Reported-by: "Clem Taylor" <[email protected]>
Tested-by: "Clem Taylor" <[email protected]>
Cc: Amy Griffis <[email protected]>
Cc: Robert Love <[email protected]>
Cc: John McCutchan <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>


---
fs/inotify_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/inotify_user.c
+++ b/fs/inotify_user.c
@@ -269,7 +269,7 @@ static void inotify_dev_queue_event(stru
/* we can safely put the watch as we don't reference it while
* generating the event
*/
- if (mask & IN_IGNORED || mask & IN_ONESHOT)
+ if (mask & IN_IGNORED || w->mask & IN_ONESHOT)
put_inotify_watch(w); /* final put */

/* coalescing: drop this event if it is a dupe of the previous */

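Review bot: the fix matches the changelog, but the mixed `&` and `||` without parentheses, `mask & IN_IGNORED || w->mask & IN_ONESHOT`, reads ambiguously even though operator precedence makes it correct; `(mask & IN_IGNORED) || (w->mask & IN_ONESHOT)` would be clearer.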
--

2008-02-23 03:02:52

by Boaz Harrosh

Subject: Re: [patch 33/38] SCSI: gdth: scan for scsi devices

On Sat, Feb 23, 2008 at 2:31 AM, Greg KH <[email protected]> wrote:
>
> 2.6.24-stable review patch. If anyone has any objections, please let us
> know.
>
> ------------------
> From: Boaz Harrosh <[email protected]>
>
> commit: 61c92814dc324b541391757062ff02fbf3b08086
>
> The patch: "gdth: switch to modern scsi host registration"
>
> missed one simple fact when moving away from scsi_module.c.
> That is to call scsi_scan_host() on the probed host.
> With this the gdth driver from 2.6.24 is again able to
> see drives and boot.
>
> Signed-off-by: Boaz Harrosh <[email protected]>
> Tested-by: Joerg Dorchain <[email protected]>
> Tested-by: Stefan Priebe <[email protected]>
> Tested-by: Jon Chelton <[email protected]>
> Signed-off-by: James Bottomley <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
> drivers/scsi/gdth.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> --- a/drivers/scsi/gdth.c
> +++ b/drivers/scsi/gdth.c
> @@ -4838,6 +4838,9 @@ static int __init gdth_isa_probe_one(ulo
> if (error)
> goto out_free_coal_stat;
> list_add_tail(&ha->list, &gdth_instances);
> +
> + scsi_scan_host(shp);
> +
> return 0;
>
> out_free_coal_stat:
> @@ -4965,6 +4968,9 @@ static int __init gdth_eisa_probe_one(us
> if (error)
> goto out_free_coal_stat;
> list_add_tail(&ha->list, &gdth_instances);
> +
> + scsi_scan_host(shp);
> +
> return 0;
>
> out_free_ccb_phys:
> @@ -5102,6 +5108,9 @@ static int __init gdth_pci_probe_one(gdt
> if (error)
> goto out_free_coal_stat;
> list_add_tail(&ha->list, &gdth_instances);
> +
> + scsi_scan_host(shp);
> +
> return 0;
>
> out_free_coal_stat:
>
> --

Greg, James Hi

This patch is not enough, and will not return a gdth system to working
order. With this patch disks will show up again, only to crash later. All
the 5 patches I sent are needed to return to a working state. James, please
apply to mainline so they can be accepted into stable. Of the 5, only 2 I
have seen in mainline; 3 are missing. (If they were submitted, I might have
missed them, as I'm traveling, then sorry.)

Boaz

2008-02-23 03:41:20

by Sam Ravnborg

Subject: Re: [patch 34/38] kbuild: allow -fstack-protector to take effect

On Fri, Feb 22, 2008 at 04:53:49PM -0800, Greg KH wrote:
> On Fri, Feb 22, 2008 at 04:46:17PM -0800, Arjan van de Ven wrote:
> > On Fri, 22 Feb 2008 16:31:33 -0800
> > Greg KH <[email protected]> wrote:
> >
> > > 2.6.24-stable review patch. If anyone has any objections, please let
> > > us know.
> >
> >
> > not ready for -stable yet. if ever for backporting (doubtful)
>
> Ok, dropped from -stable, thanks.

For the record I agree with Arjan that it is not yet -stable ready.

Sam

2008-02-23 04:05:00

by Greg KH

Subject: Re: [stable] [patch 33/38] SCSI: gdth: scan for scsi devices

On Sat, Feb 23, 2008 at 05:02:40AM +0200, Boaz Harrosh wrote:
> On Sat, Feb 23, 2008 at 2:31 AM, Greg KH <[email protected]> wrote:
> >
> > 2.6.24-stable review patch. If anyone has any objections, please let us
> > know.
> >
> > ------------------
> > From: Boaz Harrosh <[email protected]>
> >
> > commit: 61c92814dc324b541391757062ff02fbf3b08086
> >
> > The patch: "gdth: switch to modern scsi host registration"
> >
> > missed one simple fact when moving away from scsi_module.c.
> > That is to call scsi_scan_host() on the probed host.
> > With this the gdth driver from 2.6.24 is again able to
> > see drives and boot.
> >
> > Signed-off-by: Boaz Harrosh <[email protected]>
> > Tested-by: Joerg Dorchain <[email protected]>
> > Tested-by: Stefan Priebe <[email protected]>
> > Tested-by: Jon Chelton <[email protected]>
> > Signed-off-by: James Bottomley <[email protected]>
> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> >
> > ---
> > drivers/scsi/gdth.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > --- a/drivers/scsi/gdth.c
> > +++ b/drivers/scsi/gdth.c
> > @@ -4838,6 +4838,9 @@ static int __init gdth_isa_probe_one(ulo
> > if (error)
> > goto out_free_coal_stat;
> > list_add_tail(&ha->list, &gdth_instances);
> > +
> > + scsi_scan_host(shp);
> > +
> > return 0;
> >
> > out_free_coal_stat:
> > @@ -4965,6 +4968,9 @@ static int __init gdth_eisa_probe_one(us
> > if (error)
> > goto out_free_coal_stat;
> > list_add_tail(&ha->list, &gdth_instances);
> > +
> > + scsi_scan_host(shp);
> > +
> > return 0;
> >
> > out_free_ccb_phys:
> > @@ -5102,6 +5108,9 @@ static int __init gdth_pci_probe_one(gdt
> > if (error)
> > goto out_free_coal_stat;
> > list_add_tail(&ha->list, &gdth_instances);
> > +
> > + scsi_scan_host(shp);
> > +
> > return 0;
> >
> > out_free_coal_stat:
> >
> > --
>
> Greg, James Hi
>
> This patch is not enough, and will not return a gdth system to working
> order. With this patch disks
> will show up again, only to crash later. All the 5 patches I sent are
> needed, to return to a working
> state. James please apply to mainline, so they can be accepted into stable.
> of the 5 only 2 I have seen in mainline. 3 are missing.
> (if they were submitted, I might have missed them, as I'm traveling, then sorry)

Ok, I'll take this for now, and let James send me any further ones he
deems necessary.

thanks,

greg k-h

2008-02-23 04:04:20

by Greg KH

Subject: Re: [stable] [patch 34/38] kbuild: allow -fstack-protector to take effect

On Sat, Feb 23, 2008 at 04:41:15AM +0100, Sam Ravnborg wrote:
> On Fri, Feb 22, 2008 at 04:53:49PM -0800, Greg KH wrote:
> > On Fri, Feb 22, 2008 at 04:46:17PM -0800, Arjan van de Ven wrote:
> > > On Fri, 22 Feb 2008 16:31:33 -0800
> > > Greg KH <[email protected]> wrote:
> > >
> > > > 2.6.24-stable review patch. If anyone has any objections, please let
> > > > us know.
> > >
> > >
> > > not ready for -stable yet. if ever for backporting (doubtful)
> >
> > Ok, dropped from -stable, thanks.
>
> For the record I agree with Arjan that it is not yet -stable ready.

Ok. Then who sent this to the stable alias in the first place?

Sam, you added the "cc: [email protected]" to the patch, and that caused
it to be sent to us when it went into Linus's tree. If you don't want
things like this to go into the -stable tree, don't mark it as such :)

thanks,

greg k-h

2008-02-23 04:15:37

by James Bottomley

Subject: Re: [patch 33/38] SCSI: gdth: scan for scsi devices

On Sat, 2008-02-23 at 05:02 +0200, Boaz Harrosh wrote:
> On Sat, Feb 23, 2008 at 2:31 AM, Greg KH <[email protected]> wrote:
> >
> > 2.6.24-stable review patch. If anyone has any objections, please let us
> > know.
> >
> > ------------------
> > From: Boaz Harrosh <[email protected]>
> >
> > commit: 61c92814dc324b541391757062ff02fbf3b08086
> >
> > The patch: "gdth: switch to modern scsi host registration"
> >
> > missed one simple fact when moving away from scsi_module.c.
> > That is to call scsi_scan_host() on the probed host.
> > With this the gdth driver from 2.6.24 is again able to
> > see drives and boot.
> >
> > Signed-off-by: Boaz Harrosh <[email protected]>
> > Tested-by: Joerg Dorchain <[email protected]>
> > Tested-by: Stefan Priebe <[email protected]>
> > Tested-by: Jon Chelton <[email protected]>
> > Signed-off-by: James Bottomley <[email protected]>
> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> >
> > ---
> > drivers/scsi/gdth.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > --- a/drivers/scsi/gdth.c
> > +++ b/drivers/scsi/gdth.c
> > @@ -4838,6 +4838,9 @@ static int __init gdth_isa_probe_one(ulo
> > if (error)
> > goto out_free_coal_stat;
> > list_add_tail(&ha->list, &gdth_instances);
> > +
> > + scsi_scan_host(shp);
> > +
> > return 0;
> >
> > out_free_coal_stat:
> > @@ -4965,6 +4968,9 @@ static int __init gdth_eisa_probe_one(us
> > if (error)
> > goto out_free_coal_stat;
> > list_add_tail(&ha->list, &gdth_instances);
> > +
> > + scsi_scan_host(shp);
> > +
> > return 0;
> >
> > out_free_ccb_phys:
> > @@ -5102,6 +5108,9 @@ static int __init gdth_pci_probe_one(gdt
> > if (error)
> > goto out_free_coal_stat;
> > list_add_tail(&ha->list, &gdth_instances);
> > +
> > + scsi_scan_host(shp);
> > +
> > return 0;
> >
> > out_free_coal_stat:
> >
> > --
>
> Greg, James Hi
>
> This patch is not enough, and will not return a gdth system to working
> order. With this patch disks
> will show up again, only to crash later. All the 5 patches I sent are
> needed, to return to a working
> state. James please apply to mainline, so they can be accepted into stable.
> of the 5 only 2 I have seen in mainline. 3 are missing.
> (if they were submitted, I might have missed them, as I'm traveling, then sorry)

OK, if I look at mainline plus rc fixes, there are three patches, two
of which were confirmed by testers, and one of which is obvious. Could
you send the missing two to linux-scsi with a Tested-by tag?

Thanks,

James

2008-02-23 06:29:40

by Sam Ravnborg

Subject: Re: [stable] [patch 34/38] kbuild: allow -fstack-protector to take effect

On Fri, Feb 22, 2008 at 07:53:56PM -0800, Greg KH wrote:
> On Sat, Feb 23, 2008 at 04:41:15AM +0100, Sam Ravnborg wrote:
> > On Fri, Feb 22, 2008 at 04:53:49PM -0800, Greg KH wrote:
> > > On Fri, Feb 22, 2008 at 04:46:17PM -0800, Arjan van de Ven wrote:
> > > > On Fri, 22 Feb 2008 16:31:33 -0800
> > > > Greg KH <[email protected]> wrote:
> > > >
> > > > > 2.6.24-stable review patch. If anyone has any objections, please let
> > > > > us know.
> > > >
> > > >
> > > > Not ready for -stable yet. If ever for backporting (doubtful).
> > >
> > > Ok, dropped from -stable, thanks.
> >
> > For the record I agree with Arjan that it is not yet -stable ready.
>
> Ok. Then who sent this to the stable alias in the first place?
>
> Sam, you added the "cc: [email protected]" to the patch, and that caused
> it to be sent to us when it went into Linus's tree. If you don't want
> things like this to go into the -stable tree, don't mark it as such :)

When I added the tag I was convinced this was -stable material.
Only later the testing done by James revealed that this was bogus
and I had long forgotten I added -stable to the patch.

Sam

2008-02-23 16:58:21

by Chuck Ebbert

Subject: Re: [patch 00/38] 2.6.24-stable review

On 02/22/2008 07:29 PM, Greg KH wrote:
> This is the start of the stable review cycle for the 2.6.24.3 release.
> There are 38 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let us know. If anyone is a maintainer of the proper subsystem, and
> wants to add a Signed-off-by: line to the patch, please respond with it.
>
> These patches are sent out with a number of different people on the
> Cc: line. If you wish to be a reviewer, please email [email protected]
> to add your name to the list. If you want to be off the reviewer list,
> also email us.
>
> Responses should be made by Tuesday, Feb 25, 2008, 00:10:00 UTC.
> Anything received after that time might be too late.
>

Also still missing this one (backported):

Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9d55b9923a1b7ea8193b8875c57ec940dc2ff027
Commit: 9d55b9923a1b7ea8193b8875c57ec940dc2ff027
Parent: 5df7fa1c62146a0933767d040d400013310dbcc7
Author: Thomas Gleixner <[email protected]>
AuthorDate: Fri Feb 1 17:45:14 2008 +0100
Committer: Ingo Molnar <[email protected]>
CommitDate: Fri Feb 1 17:45:14 2008 +0100

x86: replace LOCK_PREFIX in futex.h

The exception fixup for the futex macros __futex_atomic_op1/2 and
futex_atomic_cmpxchg_inatomic() is missing an entry when the lock
prefix is replaced by a NOP via SMP alternatives.

Chuck Ebbert tracked this down from the information provided in:
https://bugzilla.redhat.com/show_bug.cgi?id=429412

A possible solution would be to add another fixup after the
LOCK_PREFIX, so both the LOCK and NOP case have their own entry in the
exception table, but it's not really worth the trouble.

Simply replace LOCK_PREFIX with lock and keep those untouched by SMP
alternatives.

Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
[[email protected]: backport to 2.6.24]

---
include/asm-x86/futex_32.h | 6 +++---
include/asm-x86/futex_64.h | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)

--- vanilla.orig/include/asm-x86/futex_32.h
+++ vanilla/include/asm-x86/futex_32.h
@@ -28,7 +28,7 @@
"1: movl %2, %0\n\
movl %0, %3\n" \
insn "\n" \
-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
+"2: lock ; cmpxchgl %3, %2\n\
jnz 1b\n\
3: .section .fixup,\"ax\"\n\
4: mov %5, %1\n\
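Review bot: the exception-table entry for label `2:` covers the instruction that begins at that address. With LOCK_PREFIX, SMP alternatives may overwrite the lock byte with a one-byte NOP on a UP kernel, which turns `cmpxchgl` into a separate instruction starting at 2:+1; a fault on it then finds no fixup entry, which is the "missing an entry" case the commit message describes. Spelling the prefix out as a literal `lock ;` keeps prefix and cmpxchgl as one instruction at `2:`, so the fixup at `4:` matches again. The cost is that UP kernels now execute a real lock prefix on this path; the commit message judges that acceptable rather than adding a second exception-table entry.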
@@ -68,7 +68,7 @@ futex_atomic_op_inuser (int encoded_op,
#endif
switch (op) {
case FUTEX_OP_ADD:
- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
+ __futex_atomic_op1("lock ; xaddl %0, %2", ret,
oldval, uaddr, oparg);
break;
case FUTEX_OP_OR:
@@ -111,7 +111,7 @@ futex_atomic_cmpxchg_inatomic(int __user
return -EFAULT;

__asm__ __volatile__(
- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
+ "1: lock ; cmpxchgl %3, %1 \n"

"2: .section .fixup, \"ax\" \n"
"3: mov %2, %0 \n"
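Review bot: same mechanism as the first hunk, applied to the single-instruction case. The .fixup code at `3:` (load `%2`, the -EFAULT value, into the result) exists to recover from a fault on the cmpxchgl at `1:`; with LOCK_PREFIX the byte at `1:` could become the NOP instead of the start of cmpxchgl, and the fault would escape the fixup even though uaddr has already been range-checked by the `return -EFAULT` above. The literal prefix makes `1:` the faulting instruction's start again.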
--- vanilla.orig/include/asm-x86/futex_64.h
+++ vanilla/include/asm-x86/futex_64.h
@@ -27,7 +27,7 @@
"1: movl %2, %0\n\
movl %0, %3\n" \
insn "\n" \
-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
+"2: lock ; cmpxchgl %3, %2\n\
jnz 1b\n\
3: .section .fixup,\"ax\"\n\
4: mov %5, %1\n\
@@ -62,7 +62,7 @@ futex_atomic_op_inuser (int encoded_op,
__futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
break;
case FUTEX_OP_ADD:
- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
+ __futex_atomic_op1("lock ; xaddl %0, %2", ret, oldval,
uaddr, oparg);
break;
case FUTEX_OP_OR:
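Review bot: leaving `__futex_atomic_op1("xchgl %0, %2", ...)` without a prefix in this hunk is correct: xchg with a memory operand is implicitly locked on x86, so it never had LOCK_PREFIX and never had the NOP problem. Only the xaddl case needs an explicit prefix, which is why FUTEX_OP_ADD is the one line that changes here.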
@@ -101,7 +101,7 @@ futex_atomic_cmpxchg_inatomic(int __user
return -EFAULT;

__asm__ __volatile__(
- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
+ "1: lock ; cmpxchgl %3, %1 \n"

"2: .section .fixup, \"ax\" \n"
"3: mov %2, %0 \n"
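Review bot: the three sites in futex_64.h are now byte-for-byte the same asm as their futex_32.h counterparts. Since the fix had to be applied twice, a follow-up that touches only one of the two headers would silently reintroduce the divergence; until the files are unified, any change to one of these macros should be mirrored in the other in the same patch.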

2008-02-24 15:05:01

by Uli Luckas

Subject: Re: [patch 00/38] 2.6.24-stable review

Hi stable-team,
Could you please include the attached patch [1] in the next stable release.
The patch fixes the otherwise unusable Bluetooth UART on pxa25x. The patch is
written by Russell King [1], who also gave his OK for stable inclusion [2].
The patch is also available as commit a0dd005d1d9f4c3beab52086f3844ef9342d1e67
in Linus' tree.

Thanks,
Uli

[1] http://marc.info/?l=linux-arm-kernel&m=120298366510315
[2] http://marc.info/?l=linux-arm-kernel&m=120384388411097


diff --git a/arch/arm/mach-pxa/clock.c b/arch/arm/mach-pxa/clock.c
index 83ef5ec..df5ae27 100644
--- a/arch/arm/mach-pxa/clock.c
+++ b/arch/arm/mach-pxa/clock.c
@@ -23,18 +23,27 @@ static LIST_HEAD(clocks);
static DEFINE_MUTEX(clocks_mutex);
static DEFINE_SPINLOCK(clocks_lock);

+static struct clk *clk_lookup(struct device *dev, const char *id)
+{
+ struct clk *p;
+
+ list_for_each_entry(p, &clocks, node)
+ if (strcmp(id, p->name) == 0 && p->dev == dev)
+ return p;
+
+ return NULL;
+}
+
struct clk *clk_get(struct device *dev, const char *id)
{
struct clk *p, *clk = ERR_PTR(-ENOENT);

mutex_lock(&clocks_mutex);
- list_for_each_entry(p, &clocks, node) {
- if (strcmp(id, p->name) == 0 &&
- (p->dev == NULL || p->dev == dev)) {
- clk = p;
- break;
- }
- }
+ p = clk_lookup(dev, id);
+ if (!p)
+ p = clk_lookup(NULL, id);
+ if (p)
+ clk = p;
mutex_unlock(&clocks_mutex);

return clk;
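Review bot: clk_lookup() walks `clocks` without taking `clocks_mutex` itself and relies on clk_get() holding it around both calls; a one-line comment on clk_lookup() saying the caller must hold clocks_mutex would prevent a later caller from using it unlocked. Minor: when `dev` is NULL the fallback `clk_lookup(NULL, id)` repeats the walk that just failed; `if (!p && dev)` would avoid the redundant pass. The behavioural change itself is the point of the patch: the old loop accepted the first entry with `p->dev == NULL || p->dev == dev`, so a generic (dev == NULL) clock registered ahead of a device-specific one shadowed it, whereas the new code tries the exact (dev, id) match first and only then falls back to the generic entry.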

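The difference between the old and new lookup in the clock.c hunk above can be checked outside the kernel. The following is an added, user-space model written for this review, not code from the patch or from the kernel: the `struct device`/`struct clk` stand-ins, the `clocks` singly linked list, and the sample devices and clock names are all constructed here, and the kernel's `ERR_PTR(-ENOENT)` is modelled as a plain NULL.

```c
/*
 * Added example (not kernel code): a user-space model of the two clk_get()
 * lookup strategies from the arch/arm/mach-pxa/clock.c patch. Everything
 * below is constructed for illustration: the device and clock names are
 * placeholders, and a plain NULL stands in for ERR_PTR(-ENOENT).
 */
#include <stddef.h>
#include <string.h>

struct device { const char *name; };   /* stand-in for the kernel's struct device */

struct clk {
    const char *name;
    struct device *dev;   /* NULL means "generic clock, usable by any device" */
    struct clk *next;     /* stand-in for the kernel's list_head walk */
};

/* Constructed sample devices. */
static struct device ffuart = { "uart.0 (constructed)" };
static struct device btuart = { "uart.1 (constructed)" };

/*
 * Constructed clock registry. The generic entry is registered *before* the
 * device-specific one; this ordering is what made the old lookup return the
 * wrong clock for btuart.
 */
static struct clk btuart_clk      = { "UARTCLK", &btuart, NULL };
static struct clk generic_uartclk = { "UARTCLK", NULL, &btuart_clk };
static struct clk *clocks = &generic_uartclk;

/* Old behaviour: first entry whose name matches and whose dev is NULL or dev. */
struct clk *clk_get_old(struct device *dev, const char *id)
{
    struct clk *p;

    for (p = clocks; p; p = p->next)
        if (strcmp(id, p->name) == 0 && (p->dev == NULL || p->dev == dev))
            return p;
    return NULL;
}

/* New behaviour: exact (dev, id) match first, generic (NULL, id) as fallback. */
static struct clk *clk_lookup(struct device *dev, const char *id)
{
    struct clk *p;

    for (p = clocks; p; p = p->next)
        if (strcmp(id, p->name) == 0 && p->dev == dev)
            return p;
    return NULL;
}

struct clk *clk_get_new(struct device *dev, const char *id)
{
    struct clk *p = clk_lookup(dev, id);

    if (!p && dev)               /* skip the redundant walk when dev is already NULL */
        p = clk_lookup(NULL, id);
    return p;
}

/* 1 when the lookup hands btuart its own clock, 0 when it gets the generic one. */
int old_finds_specific(void) { return clk_get_old(&btuart, "UARTCLK") == &btuart_clk; }
int new_finds_specific(void) { return clk_get_new(&btuart, "UARTCLK") == &btuart_clk; }

/* A device with no entry of its own still gets the generic clock under the new rule. */
int new_falls_back(void) { return clk_get_new(&ffuart, "UARTCLK") == &generic_uartclk; }

/* An unknown id yields NULL here (the kernel returns ERR_PTR(-ENOENT)). */
int new_unknown_is_null(void) { return clk_get_new(&ffuart, "NOSUCHCLK") == NULL; }
```

With the generic entry ahead of the device-specific one, `clk_get_old()` hands btuart the generic clock, while `clk_get_new()` returns the device-specific one and still falls back to the generic entry for a device that has none.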
2008-02-25 21:58:00

by Jan Kara

Subject: Re: [patch 06/38] quota: turn quotas off when remounting read-only

On Fri 22-02-08 16:29:51, Greg KH wrote:
> 2.6.24-stable review patch. If anyone has any objections, please let us
> know.
Hmm, this patch is certainly safe from a kernel POV but changes a
behavior WRT userspace. Previously, a user could do:
quotaon /
mount -o remount,ro /
<be lucky>
mount -o remount,rw /
<have quotas still turned on>

But with the patch, the quotas will be turned off. So I'm not sure
whether it's acceptable as a -stable thing...

Honza
>
> ------------------
>
>
> From: Jan Kara <[email protected]>
>
> patch 66191dc622f5ff0a541524c4e96fdacfacfda206 in mainline.
>
> Turn off quotas before filesystem is remounted read only. Otherwise quota
> will try to write to read-only filesystem which does no good... We could
> also just refuse to remount ro when quota is enabled but turning quota off
> is consistent with what we do on umount.
>
> Signed-off-by: Jan Kara <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> Signed-off-by: Linus Torvalds <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
> fs/super.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -603,6 +603,7 @@ int do_remount_sb(struct super_block *sb
> mark_files_ro(sb);
> else if (!fs_may_remount_ro(sb))
> return -EBUSY;
> + DQUOT_OFF(sb);
> }
>
> if (sb->s_op->remount_fs) {
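Review bot: DQUOT_OFF(sb) runs inside the read-only branch after the fs_may_remount_ro() check, i.e. once the remount is committed to proceed, but before `sb->s_op->remount_fs` is invoked. If that callback fails and the filesystem stays read-write, quotas have already been switched off on a writable filesystem; the failure handling is outside the hunk, so it is worth checking whether that case needs DQUOT_OFF to be deferred or undone. This is the same userspace-visible change Jan raises above, in its least convenient form.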
>
> --
--
Jan Kara <[email protected]>
SUSE Labs, CR

2008-02-26 00:18:25

by Greg KH

Subject: Re: [patch 06/38] quota: turn quotas off when remounting read-only

On Mon, Feb 25, 2008 at 10:57:49PM +0100, Jan Kara wrote:
> On Fri 22-02-08 16:29:51, Greg KH wrote:
> > 2.6.24-stable review patch. If anyone has any objections, please let us
> > know.
> Hmm, this patch is certainly safe from a kernel POV but changes a
> behavior WRT userspace. Previously, a user could do:
> quotaon /
> mount -o remount,ro /
> <be lucky>
> mount -o remount,rw /
> <have quotas still turned on>
>
> But with the patch, the quotas will be turned off. So I'm not sure
> whether it's acceptable as a -stable thing...

Ok, I'll drop it.

thanks,

greg k-h