2006-03-25 04:26:18

by Greg KH

Subject: [patch 00/20] 2.6.16.1 Stable review

This is the start of the stable review cycle for the 2.6.16.1 release.
There are 20 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email [email protected] to
add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Tuesday March 28 02:00:00 UTC. Anything
received after that time, might be too late.

thanks,

the -stable release team


2006-03-25 04:26:36

by Greg KH

Subject: [patch 01/20] sata_mv: fix irq port status usage

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Jeff Garzik <[email protected]>

Interrupt handler did not properly initialize a variable on a per-port
basis, leading to incorrect behavior on ports other than port 0.

Bug caught and fixed by Mark Lord.

Signed-off-by: Jeff Garzik <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/scsi/sata_mv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/drivers/scsi/sata_mv.c
+++ linux-2.6.16/drivers/scsi/sata_mv.c
@@ -1192,7 +1192,6 @@ static void mv_host_intr(struct ata_host
u32 hc_irq_cause;
int shift, port, port0, hard_port, handled;
unsigned int err_mask;
- u8 ata_status = 0;

if (hc == 0) {
port0 = 0;
@@ -1210,6 +1209,7 @@ static void mv_host_intr(struct ata_host
hc,relevant,hc_irq_cause);

for (port = port0; port < port0 + MV_PORTS_PER_HC; port++) {
+ u8 ata_status = 0;
ap = host_set->ports[port];
hard_port = port & MV_PORT_MASK; /* range 0-3 */
handled = 0; /* ensure ata_status is set if handled++ */
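Review bot: `err_mask` is still declared at function scope without an initializer (`unsigned int err_mask;` in the first hunk's context), so it is worth checking whether it carries state from one port to the next the same way `ata_status` did. If it does, declare it next to `u8 ata_status = 0;` inside the `for` loop as well.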

--

2006-03-25 04:26:41

by Greg KH

Subject: [patch 02/20] V4L/DVB (3324): Fix Samsung tuner frequency ranges

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Hans Verkuil <[email protected]>

Forgot to take the NTSC frequency offset into account.

Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Michael Krufky <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/media/video/tuner-types.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.16.orig/drivers/media/video/tuner-types.c
+++ linux-2.6.16/drivers/media/video/tuner-types.c
@@ -1087,8 +1087,8 @@ static struct tuner_params tuner_tnf_533
/* ------------ TUNER_SAMSUNG_TCPN_2121P30A - Samsung NTSC ------------ */

static struct tuner_range tuner_samsung_tcpn_2121p30a_ntsc_ranges[] = {
- { 16 * 175.75 /*MHz*/, 0x01, },
- { 16 * 410.25 /*MHz*/, 0x02, },
+ { 16 * 130.00 /*MHz*/, 0x01, },
+ { 16 * 364.50 /*MHz*/, 0x02, },
{ 16 * 999.99 , 0x08, },
};
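Review bot: Both new limits (`16 * 130.00` and `16 * 364.50`) are the old ones minus 45.75 MHz, but nothing in the table says where that difference comes from. A one-line comment above the array stating how the NTSC frequency offset enters these limits would keep a later edit from reintroducing 175.75 and 410.25.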


--

2006-03-25 04:27:08

by Greg KH

Subject: [patch 05/20] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Alexey Kuznetsov <[email protected]>


The problem is in ip_push_pending_frames(), which uses:

if (!df) {
__ip_select_ident(iph, &rt->u.dst, 0);
} else {
iph->id = htons(inet->id++);
}

instead of ip_select_ident().

Right now I think the code is a nonsense. Most likely, I copied it from
old ip_build_xmit(), where it was really special, we had to decide
whether to generate unique ID when generating the first (well, the last)
fragment.

In ip_push_pending_frames() it does not make sense, it should use plain
ip_select_ident() instead.

Signed-off-by: Alexey Kuznetsov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

net/ipv4/ip_output.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

--- linux-2.6.16.orig/net/ipv4/ip_output.c
+++ linux-2.6.16/net/ipv4/ip_output.c
@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock *
iph->tos = inet->tos;
iph->tot_len = htons(skb->len);
iph->frag_off = df;
- if (!df) {
- __ip_select_ident(iph, &rt->u.dst, 0);
- } else {
- iph->id = htons(inet->id++);
- }
+ ip_select_ident(iph, &rt->u.dst, sk);
iph->ttl = ttl;
iph->protocol = sk->sk_protocol;
iph->saddr = rt->rt_src;
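Review bot: The changelog explains where the old branch came from but not what goes wrong in the case named in the subject (an RST sent from the global tcp_socket), and with `ip_select_ident(iph, &rt->u.dst, sk);` the DF test is no longer visible at this site. Please add a sentence on the observable effect of `iph->id = htons(inet->id++)` on a shared socket, and keep the call after `iph->frag_off = df;` since the DF decision is now left to the helper.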

--

2006-03-25 04:27:10

by Greg KH

Subject: [patch 04/20] 2.6.xx: sata_mv: another critical fix

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Mark Lord <[email protected]>

This patch addresses a number of weird behaviours observed
for the sata_mv driver, by fixing an "off by one" bug in processing
of the EDMA response queue.

Basically, sata_mv was looking in the wrong place for
command results, and this produced a lot of unpredictable behaviour.

Signed-off-by: Mark Lord <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/scsi/sata_mv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- linux-2.6.16.orig/drivers/scsi/sata_mv.c
+++ linux-2.6.16/drivers/scsi/sata_mv.c
@@ -1102,6 +1102,7 @@ static u8 mv_get_crpb_status(struct ata_
void __iomem *port_mmio = mv_ap_base(ap);
struct mv_port_priv *pp = ap->private_data;
u32 out_ptr;
+ u8 ata_status;

out_ptr = readl(port_mmio + EDMA_RSP_Q_OUT_PTR_OFS);

@@ -1109,6 +1110,8 @@ static u8 mv_get_crpb_status(struct ata_
assert(((out_ptr >> EDMA_RSP_Q_PTR_SHIFT) & MV_MAX_Q_DEPTH_MASK) ==
pp->rsp_consumer);

+ ata_status = pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT;
+
/* increment our consumer index... */
pp->rsp_consumer = mv_inc_q_index(&pp->rsp_consumer);
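Review bot: The fix depends on `ata_status` being read before `mv_inc_q_index()` advances `pp->rsp_consumer`, yet the new assignment carries no comment saying so. Add a line such as `/* read status of the entry being consumed, before the index moves */` above it so the ordering is not undone by a later cleanup.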

@@ -1123,7 +1126,7 @@ static u8 mv_get_crpb_status(struct ata_
writelfl(out_ptr, port_mmio + EDMA_RSP_Q_OUT_PTR_OFS);

/* Return ATA status register for completed CRPB */
- return (pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT);
+ return ata_status;
}

/**

--

2006-03-25 04:27:51

by Greg KH

Subject: [patch 06/20] sysfs: sysfs_remove_dir() needs to invalidate the dentry

-stable review patch. If anyone has any objections, please let us know.

------------------
When calling sysfs_remove_dir() don't allow any further sysfs functions
to work for this kobject anymore. This fixes a nasty USB cdc-acm oops
on disconnect.

Many thanks to Bob Copeland and Paul Fulghum for taking the time to
track this down.

Cc: Bob Copeland <[email protected]>
Cc: Paul Fulghum <[email protected]>
Cc: Maneesh Soni <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---

fs/sysfs/dir.c | 1 +
fs/sysfs/inode.c | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)

641e6f30a095f3752ed84fd9d279382f5d3ef4c1
--- linux-2.6.16.orig/fs/sysfs/dir.c
+++ linux-2.6.16/fs/sysfs/dir.c
@@ -302,6 +302,7 @@ void sysfs_remove_dir(struct kobject * k
* Drop reference from dget() on entrance.
*/
dput(dentry);
+ kobj->dentry = NULL;
}

int sysfs_rename_dir(struct kobject * kobj, const char *new_name)
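Review bot: `kobj->dentry = NULL;` is the half of the fix that the `if (!dir)` test in fs/sysfs/inode.c relies on, but nothing at this line says that. A short comment that the pointer is cleared so later sysfs calls on this kobject see NULL and return would tie the two together; the existing comment above `dput(dentry)` only covers the reference drop.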
--- linux-2.6.16.orig/fs/sysfs/inode.c
+++ linux-2.6.16/fs/sysfs/inode.c
@@ -227,12 +227,16 @@ void sysfs_drop_dentry(struct sysfs_dire
void sysfs_hash_and_remove(struct dentry * dir, const char * name)
{
struct sysfs_dirent * sd;
- struct sysfs_dirent * parent_sd = dir->d_fsdata;
+ struct sysfs_dirent * parent_sd;
+
+ if (!dir)
+ return;

if (dir->d_inode == NULL)
/* no inode means this hasn't been made visible yet */
return;

+ parent_sd = dir->d_fsdata;
mutex_lock(&dir->d_inode->i_mutex);
list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
if (!sd->s_element)
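Review bot: The new `if (!dir) return;` makes a remove call on an already-removed directory succeed silently, which also hides the caller that is tearing things down in the wrong order. Consider a comment matching the one on the `d_inode == NULL` test, and say in the changelog whether the other sysfs entry points that take `kobj->dentry` need the same guard.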

--

2006-03-25 04:27:51

by Greg KH

Subject: [patch 03/20] Kconfig: VIDEO_DECODER must select FW_LOADER

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Michael Krufky <[email protected]>

The cx25840 module requires external firmware in order to function,
so it must select FW_LOADER, but saa7115 and saa7129 do not require it.

Signed-off-by: Michael Krufky <[email protected]>
Cc: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/media/video/Kconfig | 1 +
1 file changed, 1 insertion(+)

--- linux-2.6.16.orig/drivers/media/video/Kconfig
+++ linux-2.6.16/drivers/media/video/Kconfig
@@ -349,6 +349,7 @@ config VIDEO_AUDIO_DECODER
config VIDEO_DECODER
tristate "Add support for additional video chipsets"
depends on VIDEO_DEV && I2C && EXPERIMENTAL
+ select FW_LOADER
---help---
Say Y here to compile drivers for SAA7115, SAA7127 and CX25840
video decoders.
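Review bot: `select FW_LOADER` is attached to the whole `VIDEO_DECODER` option, so the firmware loader is pulled in for the SAA chips too, although the changelog says only cx25840 needs it. That is fine if the three drivers cannot be selected separately, but the changelog should say so; it also names saa7129 where the help text lists SAA7127.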

--

2006-03-25 04:28:39

by Greg KH

Subject: [patch 20/20] DMI: fix DMI onboard device discovery

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Andrey Panin <[email protected]>

Attached patch fixes invalid pointer arithmetic in DMI code to make onboard
device discovery working again.

akpm: bug has been present since dmi_find_device() was added in 2.6.14.
Affects ipmi only (I think) - the symptoms weren't described.

akpm: changed to use pointer arithmetic rather than open-coded sizeof.

Signed-off-by: Andrey Panin <[email protected]>
Cc: Corey Minyard <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

arch/i386/kernel/dmi_scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/arch/i386/kernel/dmi_scan.c
+++ linux-2.6.16/arch/i386/kernel/dmi_scan.c
@@ -106,7 +106,7 @@ static void __init dmi_save_devices(stru
struct dmi_device *dev;

for (i = 0; i < count; i++) {
- char *d = ((char *) dm) + (i * 2);
+ char *d = (char *)(dm + 1) + (i * 2);

/* Skip disabled device */
if ((*d & 0x80) == 0)
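Review bot: `(char *)(dm + 1)` skips the header only because pointer arithmetic scales by the size of what `dm` points to, which is the subtlety the old line got wrong. A comment such as `/* device entries follow the header */` on that line would make the intent visible, and the changelog could state the symptom, since it notes that the symptoms were never described.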

--

2006-03-25 04:28:36

by Greg KH

Subject: [patch 08/20] get_cpu_sysdev() signedness fix

-stable review patch. If anyone has any objections, please let us know.

------------------
Doing (int < NR_CPUS) doesn't dtrt if it's negative..

Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---

drivers/base/cpu.c | 2 +-
include/linux/cpu.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

a29d642a4aa99c5234314ab2523281139226c231
--- linux-2.6.16.orig/drivers/base/cpu.c
+++ linux-2.6.16/drivers/base/cpu.c
@@ -141,7 +141,7 @@ int __devinit register_cpu(struct cpu *c
return error;
}

-struct sys_device *get_cpu_sysdev(int cpu)
+struct sys_device *get_cpu_sysdev(unsigned cpu)
{
if (cpu < NR_CPUS)
return cpu_sys_devices[cpu];
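Review bot: Kernel style prefers `unsigned int cpu` over bare `unsigned`, both in the definition here and in the prototype in include/linux/cpu.h. The range check `cpu < NR_CPUS` now rejects negative arguments only through the implicit conversion at the call site, so a one-line comment above the function saying that would help callers that still hold the CPU number in an `int`.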
--- linux-2.6.16.orig/include/linux/cpu.h
+++ linux-2.6.16/include/linux/cpu.h
@@ -32,7 +32,7 @@ struct cpu {
};

extern int register_cpu(struct cpu *, int, struct node *);
-extern struct sys_device *get_cpu_sysdev(int cpu);
+extern struct sys_device *get_cpu_sysdev(unsigned cpu);
#ifdef CONFIG_HOTPLUG_CPU
extern void unregister_cpu(struct cpu *, struct node *);
#endif

--

2006-03-25 04:29:13

by Greg KH

Subject: [patch 15/20] rtc.h broke strace(1) builds

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Joe Korty <[email protected]>

Git patch 52dfa9a64cfb3dd01fa1ee1150d589481e54e28e

[PATCH] move rtc_interrupt() prototype to rtc.h

broke strace(1) builds. The below moves the kernel-only additions lower,
under the already provided #ifdef __KERNEL__ statement.

Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

include/linux/rtc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.16.orig/include/linux/rtc.h
+++ linux-2.6.16/include/linux/rtc.h
@@ -11,8 +11,6 @@
#ifndef _LINUX_RTC_H_
#define _LINUX_RTC_H_

-#include <linux/interrupt.h>
-
/*
* The struct used to pass data via the following ioctl. Similar to the
* struct tm in <time.h>, but it needs to be here so that the kernel
@@ -95,6 +93,8 @@ struct rtc_pll_info {

#ifdef __KERNEL__

+#include <linux/interrupt.h>
+
typedef struct rtc_task {
void (*func)(void *private_data);
void *private_data;

--

2006-03-25 04:29:14

by Greg KH

Subject: [patch 17/20] fix scheduler deadlock

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Anton Blanchard <[email protected]>

We have noticed lockups during boot when stress testing kexec on ppc64.
Two cpus would deadlock in scheduler code trying to grab already taken
spinlocks.

The double_rq_lock code uses the address of the runqueue to order the
taking of multiple locks. This address is a per cpu variable:

if (rq1 < rq2) {
spin_lock(&rq1->lock);
spin_lock(&rq2->lock);
} else {
spin_lock(&rq2->lock);
spin_lock(&rq1->lock);
}

On the other hand, the code in wake_sleeping_dependent uses the cpu id
order to grab locks:

for_each_cpu_mask(i, sibling_map)
spin_lock(&cpu_rq(i)->lock);

This means we rely on the address of per cpu data increasing as cpu ids
increase. While this will be true for the generic percpu implementation it
may not be true for arch specific implementations.

One way to solve this is to always take runqueues in cpu id order. To do
this we add a cpu variable to the runqueue and check it in the
double runqueue locking functions.

Signed-off-by: Anton Blanchard <[email protected]>
Acked-by: Ingo Molnar <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

kernel/sched.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- linux-2.6.16.orig/kernel/sched.c
+++ linux-2.6.16/kernel/sched.c
@@ -237,6 +237,7 @@ struct runqueue {

task_t *migration_thread;
struct list_head migration_queue;
+ int cpu;
#endif

#ifdef CONFIG_SCHEDSTATS
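Review bot: `int cpu;` is added just above an `#endif`, so the field exists only in that configuration, while `double_rq_lock()` and `double_lock_balance()` dereference `->cpu` later in the patch. Please confirm both users are compiled under the same condition, and give the field a comment, for example that it holds the CPU id this runqueue belongs to and is used for lock ordering.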
@@ -1660,6 +1661,9 @@ unsigned long nr_iowait(void)
/*
* double_rq_lock - safely lock two runqueues
*
+ * We must take them in cpu order to match code in
+ * dependent_sleeper and wake_dependent_sleeper.
+ *
* Note this does not disable interrupts like task_rq_lock,
* you need to do so manually before calling.
*/
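Review bot: The added comment names `dependent_sleeper and wake_dependent_sleeper`, but the changelog describes the CPU-order locking in `wake_sleeping_dependent`. One of the two names is wrong; fix the comment so a reader can grep for the function it refers to.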
@@ -1671,7 +1675,7 @@ static void double_rq_lock(runqueue_t *r
spin_lock(&rq1->lock);
__acquire(rq2->lock); /* Fake it out ;) */
} else {
- if (rq1 < rq2) {
+ if (rq1->cpu < rq2->cpu) {
spin_lock(&rq1->lock);
spin_lock(&rq2->lock);
} else {
@@ -1707,7 +1711,7 @@ static void double_lock_balance(runqueue
__acquires(this_rq->lock)
{
if (unlikely(!spin_trylock(&busiest->lock))) {
- if (busiest < this_rq) {
+ if (busiest->cpu < this_rq->cpu) {
spin_unlock(&this_rq->lock);
spin_lock(&busiest->lock);
spin_lock(&this_rq->lock);
@@ -6035,6 +6039,7 @@ void __init sched_init(void)
rq->push_cpu = 0;
rq->migration_thread = NULL;
INIT_LIST_HEAD(&rq->migration_queue);
+ rq->cpu = i;
#endif
atomic_set(&rq->nr_iowait, 0);


--

2006-03-25 04:29:14

by Greg KH

Subject: [patch 16/20] proc: fix duplicate line in /proc/devices

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Neil Horman <[email protected]>

Fix a duplicate block device line printed after the "Block device" header
in /proc/devices.

Signed-off-by: Neil Horman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

fs/proc/proc_misc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/fs/proc/proc_misc.c
+++ linux-2.6.16/fs/proc/proc_misc.c
@@ -312,7 +312,7 @@ static void *devinfo_next(struct seq_fil
case BLK_HDR:
info->state = BLK_LIST;
(*pos)++;
- break;
+ /*fallthrough*/
case BLK_LIST:
if (get_blkdev_info(info->blkdev,&idummy,&ndummy)) {
/*
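Review bot: `/*fallthrough*/` should be written `/* fall through */` to match the usual comment style. Since `BLK_HDR` now deliberately shares the `BLK_LIST` body, the comment could also say why, so that the `break` is not restored by someone tidying the switch.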

--

2006-03-25 04:28:39

by Greg KH

Subject: [patch 19/20] cciss: fix use-after-free in cciss_init_one

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Patrick McHardy <[email protected]>

free_hba() sets hba[i] to NULL, the dereference afterwards results in this
crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm
not entirely sure, which is why I left it in.

cciss: controller appears to be disabled
Unable to handle kernel NULL pointer dereference at virtual address 00000370
printing eip:
c1114d53
*pde = 00000000
Oops: 0002 [#1]
Modules linked in:
CPU: 0
EIP: 0060:[<c1114d53>] Not tainted VLI
EFLAGS: 00010286 (2.6.16 #1)
EIP is at cciss_init_one+0x4e9/0x4fe
eax: 00000000 ebx: c132cd60 ecx: c13154e4 edx: c27d3c00
esi: 00000000 edi: c2748800 ebp: c2536ee4 esp: c2536eb8
ds: 007b es: 007b ss: 0068
Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38
f7c74740
c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04
c10c1d85
c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000
c2536f28
Call Trace:
[<c10031d5>] show_stack_log_lvl+0xa8/0xb0
[<c1003305>] show_registers+0x102/0x16a
[<c10034a2>] die+0xc1/0x13c
[<c1288160>] do_page_fault+0x38a/0x525
[<c1002e9b>] error_code+0x4f/0x54
[<c10c1d51>] pci_call_probe+0xd/0x10
[<c10c1d85>] __pci_device_probe+0x31/0x43
[<c10c1db8>] pci_device_probe+0x21/0x34
[<c110a654>] driver_probe_device+0x44/0x99
[<c110a73f>] __driver_attach+0x39/0x5d
[<c1109e1c>] bus_for_each_dev+0x35/0x5a
[<c110a777>] driver_attach+0x14/0x16
[<c110a220>] bus_add_driver+0x5c/0x8f
[<c110ab22>] driver_register+0x73/0x78
[<c10c1f6d>] __pci_register_driver+0x5f/0x71
[<c13bf935>] cciss_init+0x1a/0x1c
[<c13aa718>] do_initcalls+0x4c/0x96
[<c13aa77e>] do_basic_setup+0x1c/0x1e
[<c10002b1>] init+0x35/0x118
[<c1000cf5>] kernel_thread_helper+0x5/0xb
Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de
40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 <c7> 80
70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
<0>Kernel panic - not syncing: Attempted to kill init!

Signed-off-by: Patrick McHardy <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/block/cciss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/drivers/block/cciss.c
+++ linux-2.6.16/drivers/block/cciss.c
@@ -3269,8 +3269,8 @@ clean2:
unregister_blkdev(hba[i]->major, hba[i]->devname);
clean1:
release_io_mem(hba[i]);
- free_hba(i);
hba[i]->busy_initializing = 0;
+ free_hba(i);
return(-1);
}
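Review bot: After the reorder, `hba[i]->busy_initializing = 0;` stores into an object that `free_hba(i)` releases on the next line, and the changelog itself says the store looks unnecessary. Either drop the line or add a comment naming who reads `busy_initializing` between the two statements; note also that the subject says use-after-free while the changelog and the oops describe a NULL pointer dereference.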


--

2006-03-25 04:28:35

by Greg KH

Subject: [patch 07/20] firmware: fix BUG: in fw_realloc_buffer

-stable review patch. If anyone has any objections, please let us know.

------------------
The fw_realloc_buffer routine does not handle an increase in buffer size of
more than 4k. It's not clear to me why it expects that it will only get an
extra 4k of data. The attached patch modifies fw_realloc_buffer to vmalloc
as much memory as is requested, instead of what we previously had + 4k.

I've tested this on my laptop, which would crash occasionally on boot
without the patch. With the patch, it hasn't crashed, but I can't be
certain that this code path is exercised.

Signed-off-by: Jeff Moyer <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---

drivers/base/firmware_class.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

30560ba6eda308c13a361d08eb5d4eaab94ab37e
--- linux-2.6.16.orig/drivers/base/firmware_class.c
+++ linux-2.6.16/drivers/base/firmware_class.c
@@ -211,18 +211,20 @@ static int
fw_realloc_buffer(struct firmware_priv *fw_priv, int min_size)
{
u8 *new_data;
+ int new_size = fw_priv->alloc_size;

if (min_size <= fw_priv->alloc_size)
return 0;

- new_data = vmalloc(fw_priv->alloc_size + PAGE_SIZE);
+ new_size = ALIGN(min_size, PAGE_SIZE);
+ new_data = vmalloc(new_size);
if (!new_data) {
printk(KERN_ERR "%s: unable to alloc buffer\n", __FUNCTION__);
/* Make sure that we don't keep incomplete data */
fw_load_abort(fw_priv);
return -ENOMEM;
}
- fw_priv->alloc_size += PAGE_SIZE;
+ fw_priv->alloc_size = new_size;
if (fw_priv->fw->data) {
memcpy(new_data, fw_priv->fw->data, fw_priv->fw->size);
vfree(fw_priv->fw->data);
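Review bot: `int new_size = fw_priv->alloc_size;` is a dead initializer, since `new_size` is overwritten by `ALIGN(min_size, PAGE_SIZE)` before its first use. More important, `min_size` is a signed `int` with no upper bound visible here, so the allocation is now sized directly from the caller's request; consider an explicit limit and an unsigned type for the sizes.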

--

2006-03-25 04:30:07

by Greg KH

Subject: [patch 18/20] DM: Fix bug: BIO_RW_BARRIER requests to md/raid1 hang.

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Neil Brown <[email protected]>

Both R1BIO_Barrier and R1BIO_Returned are 4 !!!!

This means that barrier requests don't get returned (i.e. b_endio called)
because it looks like they already have been.

Signed-off-by: Neil Brown <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

include/linux/raid/raid1.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/include/linux/raid/raid1.h
+++ linux-2.6.16/include/linux/raid/raid1.h
@@ -130,6 +130,6 @@ struct r1bio_s {
* with failure when last write completes (and all failed).
* Record that bi_end_io was called with this flag...
*/
-#define R1BIO_Returned 4
+#define R1BIO_Returned 6

#endif
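Review bot: `R1BIO_Returned` moves from 4 to 6 with no indication of what value 5 is used for, and the bug itself came from two hand-numbered defines colliding. Declaring these flag numbers as an `enum`, or at least adding a comment next to the define that lists the values in use, would prevent a repeat.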

--

2006-03-25 04:31:31

by Greg KH

Subject: [patch 13/20] v9fs: assign dentry ops to negative dentries

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Latchesar Ionkov <[email protected]>

If a file is not found in v9fs_vfs_lookup, the function creates negative
dentry, but doesn't assign any dentry ops. This leaves the negative entry
in the cache (there is no d_delete to mark it for removal). If the file is
created outside of the mounted v9fs filesystem, the file shows up in the
directory with weird permissions.

This patch assigns the default v9fs dentry ops to the negative dentry.

Signed-off-by: Latchesar Ionkov <[email protected]>
Signed-off-by: Eric Van Hensbergen <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

fs/9p/vfs_inode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- linux-2.6.16.orig/fs/9p/vfs_inode.c
+++ linux-2.6.16/fs/9p/vfs_inode.c
@@ -614,6 +614,7 @@ static struct dentry *v9fs_vfs_lookup(st

sb = dir->i_sb;
v9ses = v9fs_inode2v9ses(dir);
+ dentry->d_op = &v9fs_dentry_operations;
dirfid = v9fs_fid_lookup(dentry->d_parent);

if (!dirfid) {
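Review bot: `dentry->d_op = &v9fs_dentry_operations;` now runs before `v9fs_fid_lookup()`, so it also applies on every error exit below, not only to the negative-dentry case from the changelog. That looks intended, but add a comment saying the ops are set early so that negative dentries get them too; otherwise the assignment is likely to be moved back next to `d_add()`.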
@@ -681,8 +682,6 @@ static struct dentry *v9fs_vfs_lookup(st
goto FreeFcall;

fid->qid = fcall->params.rstat.stat.qid;
-
- dentry->d_op = &v9fs_dentry_operations;
v9fs_stat2inode(&fcall->params.rstat.stat, inode, inode->i_sb);

d_add(dentry, inode);

--

2006-03-25 04:31:44

by Greg KH

Subject: [patch 09/20] sysfs: fix a kobject leak in sysfs_add_link on the error path

-stable review patch. If anyone has any objections, please let us know.

------------------
As pointed out by Oliver Neukum.

Cc: Maneesh Soni <[email protected]>
Cc: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---

fs/sysfs/symlink.c | 1 +
1 file changed, 1 insertion(+)

b3229087c5e08589cea4f5040dab56f7dc11332a
--- linux-2.6.16.orig/fs/sysfs/symlink.c
+++ linux-2.6.16/fs/sysfs/symlink.c
@@ -66,6 +66,7 @@ static int sysfs_add_link(struct dentry
if (!error)
return 0;

+ kobject_put(target);
kfree(sl->link_name);
exit2:
kfree(sl);
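Review bot: `kobject_put(target);` sits above the `exit2:` label, so only the fall-through path after a failed add drops the reference, and anything that jumps straight to `exit2` does not. Please confirm the reference on `target` is taken after those jumps, and expand the changelog beyond "As pointed out by Oliver Neukum" to say which reference leaks.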

--

2006-03-25 04:32:32

by Greg KH

Subject: [patch 10/20] XFS writeout fix

-stable review patch. If anyone has any objections, please let us know.

------------------
[XFS] Check that a page has dirty buffers before finding it acceptable for
rewrite clustering. This prevents writing excessive amounts of clean data
when doing random rewrites of a cached file.

Signed-off-by: David Chinner <[email protected]>
Signed-off-by: Nathan Scott <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

fs/xfs/linux-2.6/xfs_aops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/fs/xfs/linux-2.6/xfs_aops.c
+++ linux-2.6.16/fs/xfs/linux-2.6/xfs_aops.c
@@ -616,7 +616,7 @@ xfs_is_delayed_page(
acceptable = (type == IOMAP_UNWRITTEN);
else if (buffer_delay(bh))
acceptable = (type == IOMAP_DELAY);
- else if (buffer_mapped(bh))
+ else if (buffer_dirty(bh) && buffer_mapped(bh))
acceptable = (type == 0);
else
break;
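Review bot: With `buffer_dirty(bh) && buffer_mapped(bh)`, a clean mapped buffer now reaches the final `else break;` and ends the scan of the page. If a page can hold a clean buffer followed by a dirty one, that dirty buffer is no longer considered; say in a comment whether stopping at the first clean buffer is intended.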

--

2006-03-25 04:31:43

by Greg KH

Subject: [patch 14/20] dm: bio split bvec fix

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Alasdair G Kergon <[email protected]>

The code that handles bios that span table target boundaries by breaking
them up into smaller bios will not split an individual struct bio_vec into
more than two pieces. Sometimes more than that are required.

This patch adds a loop to break the second piece up into as many pieces as
are necessary.

Cc: "Abhishek Gupta" <[email protected]>
Cc: Dan Smith <[email protected]>
Signed-off-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/md/dm.c | 45 +++++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)

--- linux-2.6.16.orig/drivers/md/dm.c
+++ linux-2.6.16/drivers/md/dm.c
@@ -533,30 +533,35 @@ static void __clone_and_map(struct clone

} else {
/*
- * Create two copy bios to deal with io that has
- * been split across a target.
+ * Handle a bvec that must be split between two or more targets.
*/
struct bio_vec *bv = bio->bi_io_vec + ci->idx;
+ sector_t remaining = to_sector(bv->bv_len);
+ unsigned int offset = 0;

- clone = split_bvec(bio, ci->sector, ci->idx,
- bv->bv_offset, max);
- __map_bio(ti, clone, tio);
-
- ci->sector += max;
- ci->sector_count -= max;
- ti = dm_table_find_target(ci->map, ci->sector);
-
- len = to_sector(bv->bv_len) - max;
- clone = split_bvec(bio, ci->sector, ci->idx,
- bv->bv_offset + to_bytes(max), len);
- tio = alloc_tio(ci->md);
- tio->io = ci->io;
- tio->ti = ti;
- memset(&tio->info, 0, sizeof(tio->info));
- __map_bio(ti, clone, tio);
+ do {
+ if (offset) {
+ ti = dm_table_find_target(ci->map, ci->sector);
+ max = max_io_len(ci->md, ci->sector, ti);
+
+ tio = alloc_tio(ci->md);
+ tio->io = ci->io;
+ tio->ti = ti;
+ memset(&tio->info, 0, sizeof(tio->info));
+ }
+
+ len = min(remaining, max);
+
+ clone = split_bvec(bio, ci->sector, ci->idx,
+ bv->bv_offset + offset, len);
+
+ __map_bio(ti, clone, tio);
+
+ ci->sector += len;
+ ci->sector_count -= len;
+ offset += to_bytes(len);
+ } while (remaining -= len);

- ci->sector += len;
- ci->sector_count -= len;
ci->idx++;
}
}
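Review bot: The loop ends only through `while (remaining -= len)`, so it relies on `len` being non-zero on every pass; if `max_io_len()` ever returned 0 the loop would not terminate. An explicit check before `split_bvec()` would make that assumption visible, and `min(remaining, max)` mixes a `sector_t` with `max`, whose type is not shown here, so check that the two match.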

--
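
The splitting described in the dm changelog above, modelled in user space as an added example (not code from the patch or from the kernel): `split_two()` mirrors the pre-patch two-piece shape and `split_loop()` the patched loop. The table of three 4-sector targets, the struct names and `count_overruns()` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t sector_t;

/* Constructed mapping table: three back-to-back targets of 4 sectors each. */
struct target { sector_t begin, len; };
static const struct target table[] = { { 0, 4 }, { 4, 4 }, { 8, 4 } };
#define NTARGETS ((int)(sizeof(table) / sizeof(table[0])))

struct piece { sector_t sector, len; int target; };

/* Index of the target containing sector s, or -1 past the end of the table. */
static int find_target(sector_t s)
{
    for (int i = 0; i < NTARGETS; i++)
        if (s >= table[i].begin && s < table[i].begin + table[i].len)
            return i;
    return -1;
}

/* Sectors left in target ti starting at s (stand-in for max_io_len()). */
static sector_t max_io_len(sector_t s, int ti)
{
    return table[ti].begin + table[ti].len - s;
}

/* Pre-patch shape: exactly two pieces, the second takes whatever is left. */
static int split_two(sector_t sector, sector_t total, struct piece *out)
{
    int ti = find_target(sector);
    if (ti < 0)
        return -1;
    sector_t max = max_io_len(sector, ti);
    if (total <= max)
        return -1;              /* this path is only taken when a split is needed */
    out[0] = (struct piece){ sector, max, ti };
    sector += max;
    ti = find_target(sector);
    if (ti < 0)
        return -1;
    out[1] = (struct piece){ sector, total - max, ti };
    return 2;
}

/* Patched shape: keep cutting until nothing remains. Returns piece count or -1. */
static int split_loop(sector_t sector, sector_t total, struct piece *out, int cap)
{
    sector_t remaining = total;
    int n = 0;

    if (total == 0)
        return -1;
    do {
        int ti = find_target(sector);
        if (ti < 0 || n == cap)
            return -1;          /* ran off the table or out of output slots */
        sector_t max = max_io_len(sector, ti);
        sector_t len = remaining < max ? remaining : max;
        out[n++] = (struct piece){ sector, len, ti };
        sector += len;
        remaining -= len;
    } while (remaining);
    return n;
}

/* Number of pieces that extend past the end of the target they were mapped to. */
static int count_overruns(const struct piece *p, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        const struct target *t = &table[p[i].target];
        if (p[i].sector + p[i].len > t->begin + t->len)
            bad++;
    }
    return bad;
}

int main(void)
{
    struct piece p[8];
    /* Constructed input: one 8-sector segment starting at sector 3. */
    int n = split_two(3, 8, p);
    printf("two-piece: %d pieces, %d overrun\n", n, count_overruns(p, n));
    n = split_loop(3, 8, p, 8);
    printf("loop:      %d pieces, %d overrun\n", n, count_overruns(p, n));
    return 0;
}
```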

2006-03-25 04:27:51

by Greg KH

Subject: [patch 12/20] i810fb_cursor(): use GFP_ATOMIC

-stable review patch. If anyone has any objections, please let us know.

------------------
From: "Antonino A. Daplas" <[email protected]>

The console cursor can be called in atomic context. Change memory
allocation to use the GFP_ATOMIC flag in i810fb_cursor().

Signed-off-by: Antonino Daplas <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

drivers/video/i810/i810_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/drivers/video/i810/i810_main.c
+++ linux-2.6.16/drivers/video/i810/i810_main.c
@@ -1508,7 +1508,7 @@ static int i810fb_cursor(struct fb_info
int size = ((cursor->image.width + 7) >> 3) *
cursor->image.height;
int i;
- u8 *data = kmalloc(64 * 8, GFP_KERNEL);
+ u8 *data = kmalloc(64 * 8, GFP_ATOMIC);

if (data == NULL)
return -ENOMEM;
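Review bot: The buffer is a fixed `64 * 8` bytes while `size`, a few lines above, is computed from `cursor->image.width` and `cursor->image.height`; nothing in the hunk shows `size` being checked against that 512-byte limit. Since a `GFP_ATOMIC` allocation is also more likely to fail than a `GFP_KERNEL` one, consider a buffer allocated once at setup time, and verify the bound in the code that follows.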

--

2006-03-25 04:33:00

by Greg KH

Subject: [patch 11/20] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.

-stable review patch. If anyone has any objections, please let us know.

------------------
The user can pass us arbitrary garbage so we should ensure the
string they give us is null terminated before we pass it on
to dev_get_by_index() et al.

Found by Solar Designer.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

net/core/sock.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- linux-2.6.16.orig/net/core/sock.c
+++ linux-2.6.16/net/core/sock.c
@@ -404,8 +404,9 @@ set_rcvbuf:
if (!valbool) {
sk->sk_bound_dev_if = 0;
} else {
- if (optlen > IFNAMSIZ)
- optlen = IFNAMSIZ;
+ if (optlen > IFNAMSIZ - 1)
+ optlen = IFNAMSIZ - 1;
+ memset(devname, 0, sizeof(devname));
if (copy_from_user(devname, optval, optlen)) {
ret = -EFAULT;
break;
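Review bot: Clamping `optlen` to `IFNAMSIZ - 1` silently truncates an over-long name instead of rejecting it, so a caller that passes `IFNAMSIZ` or more bytes is bound to whatever interface matches the first `IFNAMSIZ - 1`. Returning an error for `optlen > IFNAMSIZ - 1` would be stricter; if truncation is kept for compatibility, say so in a comment next to the `memset()`.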

--
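
A user-space model of the SO_BINDTODEVICE copy discussed above, added here as an illustration and not kernel code: `copy_name_old()` follows the removed lines and `copy_name_new()` the added ones, with `memcpy()` standing in for `copy_from_user()`. The `0xAA` fill that models stale stack contents, the helper names and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ   16      /* value of the kernel constant */
#define STACK_JUNK 0xAA    /* assumption: models whatever was on the stack before */

/*
 * Offset of the first NUL inside devname, or IFNAMSIZ when the array holds
 * none, in which case a string function walking it would run past the end.
 */
static size_t terminated_len(const char devname[IFNAMSIZ])
{
    const char *nul = memchr(devname, '\0', IFNAMSIZ);
    return nul ? (size_t)(nul - devname) : IFNAMSIZ;
}

/* Pre-patch logic: clamp to IFNAMSIZ, then copy into an uninitialised array. */
static size_t copy_name_old(const char *optval, size_t optlen)
{
    char devname[IFNAMSIZ];

    memset(devname, STACK_JUNK, sizeof(devname));
    if (optlen > IFNAMSIZ)
        optlen = IFNAMSIZ;
    memcpy(devname, optval, optlen);
    return terminated_len(devname);
}

/* Patched logic: clamp to IFNAMSIZ - 1 and zero the array before the copy. */
static size_t copy_name_new(const char *optval, size_t optlen)
{
    char devname[IFNAMSIZ];

    memset(devname, STACK_JUNK, sizeof(devname));
    if (optlen > IFNAMSIZ - 1)
        optlen = IFNAMSIZ - 1;
    memset(devname, 0, sizeof(devname));
    memcpy(devname, optval, optlen);
    return terminated_len(devname);
}

int main(void)
{
    /* Constructed inputs: a long unterminated name, and "eth0" passed
     * without and with its trailing NUL counted in optlen. */
    static const char longname[] = "AAAAAAAAAAAAAAAAAAAA";

    printf("20 bytes, no NUL : old=%zu new=%zu\n",
           copy_name_old(longname, 20), copy_name_new(longname, 20));
    printf("\"eth0\", optlen 4 : old=%zu new=%zu\n",
           copy_name_old("eth0", 4), copy_name_new("eth0", 4));
    printf("\"eth0\", optlen 5 : old=%zu new=%zu\n",
           copy_name_old("eth0", 5), copy_name_new("eth0", 5));
    return 0;
}
```

A result equal to `IFNAMSIZ` means no terminator was found inside the array; the short `"eth0"` case shows that the pre-patch code was unterminated even for names well under the limit when the caller did not count the NUL in `optlen`.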

2006-03-25 06:49:38

by Greg KH

Subject: [patch 21/20] Fix speedstep-smi assembly bug in speedstep_smi_ownership

One more last minute patch...

-stable review patch. If anyone has any objections, please let us know.

------------------

From: Andrew Morton <[email protected]>

Fix bug identified by Linus Torvalds <[email protected]>: the `out'
instruction depends upon the state of memory_data[], so we need to tell gcc
that before executing it. (The opcode, not gcc).

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=5553

Thanks to Antonio Ospite <[email protected]> for testing.

Cc: Dave Jones <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---

arch/i386/kernel/cpu/cpufreq/speedstep-smi.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)

diff -puN arch/i386/kernel/cpu/cpufreq/speedstep-smi.c~cpufreq-speedstep-smi-asm-fix arch/i386/kernel/cpu/cpufreq/speedstep-smi.c
--- devel/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c~cpufreq-speedstep-smi-asm-fix 2006-03-24 10:35:45.000000000 -0800
+++ devel-akpm/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c 2006-03-24 10:36:07.000000000 -0800
@@ -75,7 +75,9 @@ static int speedstep_smi_ownership (void
__asm__ __volatile__(
"out %%al, (%%dx)\n"
: "=D" (result)
- : "a" (command), "b" (function), "c" (0), "d" (smi_port), "D" (0), "S" (magic)
+ : "a" (command), "b" (function), "c" (0), "d" (smi_port),
+ "D" (0), "S" (magic)
+ : "memory"
);

dprintk("result is %x\n", result);
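Review bot: Nothing inside the asm statement refers to `memory_data[]`, so the reason for the new `: "memory"` clobber is visible only in the changelog. Add a comment above the `__asm__` saying that the `out` depends on the contents of `memory_data[]`, and reword the changelog's "(The opcode, not gcc)" aside, which is hard to parse.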
_

2006-03-25 13:23:18

by Mauro Carvalho Chehab

Subject: Re: [patch 03/20] Kconfig: VIDEO_DECODER must select FW_LOADER

On Fri, 2006-03-24 at 20:26 -0800, Greg KH wrote:
> attachment: plain text document
> (kconfig-video_decoder-must-select-fw_loader.patch)
> -stable review patch. If anyone has any objections, please let us know.
>
> ------------------
> From: Michael Krufky <[email protected]>
>
> The cx25840 module requires external firmware in order to function,
> so it must select FW_LOADER, but saa7115 and saa7129 do not require it.
>
> Signed-off-by: Michael Krufky <[email protected]>
> Cc: Mauro Carvalho Chehab <[email protected]>
> Signed-off-by: Chris Wright <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Acked-by: Mauro Carvalho Chehab <[email protected]>

Cheers,
Mauro.

2006-03-27 15:47:31

by Mike Miller

Subject: RE: [patch 19/20] cciss: fix use-after-free in cciss_init_one

> -----Original Message-----
> From: Greg KH [mailto:[email protected]]
> Sent: Friday, March 24, 2006 10:28 PM
> To: [email protected]; [email protected]; [email protected]
> Cc: Justin Forbes; Zwane Mwaikambo; Theodore Ts'o; Randy
> Dunlap; Dave Jones; Chuck Wolber; [email protected];
> [email protected]; [email protected]; Miller, Mike (OS
> Dev); Chris Wright; Greg Kroah-Hartman
> Subject: [patch 19/20] cciss: fix use-after-free in cciss_init_one
>
> -stable review patch. If anyone has any objections, please
> let us know.


ACKed by Mike Miller <[email protected]>

>
> ------------------
> From: Patrick McHardy <[email protected]>
>
> free_hba() sets hba[i] to NULL, the dereference afterwards
> results in this crash. Setting busy_initializing to 0
> actually looks unnecessary, but I'm not entirely sure, which
> is why I left it in.
>
> cciss: controller appears to be disabled Unable to handle
> kernel NULL pointer dereference at virtual address 00000370
> printing eip:
> c1114d53
> *pde = 00000000
> Oops: 0002 [#1]
> Modules linked in:
> CPU: 0
> EIP: 0060:[<c1114d53>] Not tainted VLI
> EFLAGS: 00010286 (2.6.16 #1)
> EIP is at cciss_init_one+0x4e9/0x4fe
> eax: 00000000 ebx: c132cd60 ecx: c13154e4 edx: c27d3c00
> esi: 00000000 edi: c2748800 ebp: c2536ee4 esp: c2536eb8
> ds: 007b es: 007b ss: 0068
> Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
> Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8
> c13159c0 c2536f38 f7c74740
> c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04
> c10c1d85
> c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000
> c2536f28
> Call Trace:
> [<c10031d5>] show_stack_log_lvl+0xa8/0xb0 [<c1003305>]
> show_registers+0x102/0x16a [<c10034a2>] die+0xc1/0x13c
> [<c1288160>] do_page_fault+0x38a/0x525 [<c1002e9b>]
> error_code+0x4f/0x54 [<c10c1d51>] pci_call_probe+0xd/0x10
> [<c10c1d85>] __pci_device_probe+0x31/0x43 [<c10c1db8>]
> pci_device_probe+0x21/0x34 [<c110a654>]
> driver_probe_device+0x44/0x99 [<c110a73f>]
> __driver_attach+0x39/0x5d [<c1109e1c>]
> bus_for_each_dev+0x35/0x5a [<c110a777>]
> driver_attach+0x14/0x16 [<c110a220>]
> bus_add_driver+0x5c/0x8f [<c110ab22>]
> driver_register+0x73/0x78 [<c10c1f6d>]
> __pci_register_driver+0x5f/0x71 [<c13bf935>]
> cciss_init+0x1a/0x1c [<c13aa718>] do_initcalls+0x4c/0x96
> [<c13aa77e>] do_basic_setup+0x1c/0x1e [<c10002b1>]
> init+0x35/0x118 [<c1000cf5>] kernel_thread_helper+0x5/0xb
> Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b
> 04 b5 e0 de 40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04
> b5 e0 de 40 c1 <c7> 80 70 03 00 00 00 00 00 00 83 c8 ff 8d 65
> f4 5b 5e 5f 5d c3 <0>Kernel panic - not syncing: Attempted
> to kill init!
>
> Signed-off-by: Patrick McHardy <[email protected]>
> Cc: <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> Signed-off-by: Chris Wright <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> ---
>
> drivers/block/cciss.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- linux-2.6.16.orig/drivers/block/cciss.c
> +++ linux-2.6.16/drivers/block/cciss.c
> @@ -3269,8 +3269,8 @@ clean2:
> unregister_blkdev(hba[i]->major, hba[i]->devname);
> clean1:
> release_io_mem(hba[i]);
> - free_hba(i);
> hba[i]->busy_initializing = 0;
> + free_hba(i);
> return(-1);
> }
>
>
> --
>