Commits on Apr 27, 2009
  1. @chriswright

    Linux 2.6.29.2

    chriswright committed Apr 27, 2009
  2. @chriswright

    Bonding: fix zero address hole bug in arp_ip_target list

    Brian Haley committed with chriswright Apr 13, 2009
    upstream commit: 5a31bec
    
    Fix a zero address hole bug in the bonding arp_ip_target list
    that was causing the bond to ignore ARP replies (bugz 13006).
    Instead of just setting the array entry to zero, we now
    copy any additional entries down one slot, putting the
    zero entry at the end.  With this change we can now have
    all the loops that walk the array stop when they hit a zero
    since there will be no addresses after it.
    
    Changes are based in part on code fragment provided in kernel:
    bugzilla 13006:
    
    	http://bugzilla.kernel.org/show_bug.cgi?id=13006
    
    by Steve Howard <steve@astutenetworks.com>
    
    Signed-off-by: Brian Haley <brian.haley@hp.com>
    Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  3. @michich @chriswright

    skge: fix occasional BUG during MTU change

    michich committed with chriswright Apr 14, 2009
    upstream commit: d119b39
    
    The BUG_ON(skge->tx_ring.to_use != skge->tx_ring.to_clean) in skge_up()
    was sometimes observed when setting MTU.
    
    skge_down() disables the TX queue, but then reenables it by mistake via
    skge_tx_clean().
    Fix it by moving the waking of the queue from skge_tx_clean() to the
    other caller. And to make sure start_xmit is not in progress on another
    CPU, skge_down() should call netif_tx_disable().
    
    The bug was reported to me by Jiri Jilek whose Debian system sometimes
    failed to boot. He tested the patch and the bug did not happen anymore.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Acked-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  4. @eparis @chriswright

    scsi: mpt: suppress debugobjects warning

    eparis committed with chriswright Apr 21, 2009
    upstream commit: b298cec
    
    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13133
    
    ODEBUG: object is on stack, but not annotated
    ------------[ cut here ]------------
    WARNING: at lib/debugobjects.c:253 __debug_object_init+0x1f3/0x276()
    Hardware name: VMware Virtual Platform
    Modules linked in: mptspi(+) mptscsih mptbase scsi_transport_spi ext3 jbd mbcache
    Pid: 540, comm: insmod Not tainted 2.6.28-mm1 #2
    Call Trace:
     [<c042c51c>] warn_slowpath+0x74/0x8a
     [<c0469600>] ? start_critical_timing+0x96/0xb7
     [<c060c8ea>] ? _spin_unlock_irqrestore+0x2f/0x3c
     [<c0446fad>] ? trace_hardirqs_off_caller+0x18/0xaf
     [<c044704f>] ? trace_hardirqs_off+0xb/0xd
     [<c060c8ea>] ? _spin_unlock_irqrestore+0x2f/0x3c
     [<c042cb84>] ? release_console_sem+0x1a5/0x1ad
     [<c05013e6>] __debug_object_init+0x1f3/0x276
     [<c0501494>] debug_object_init+0x13/0x17
     [<c0433c56>] init_timer+0x10/0x1a
     [<e08e5b54>] mpt_config+0x1c1/0x2b7 [mptbase]
     [<e08e3b82>] ? kmalloc+0x8/0xa [mptbase]
     [<e08e3b82>] ? kmalloc+0x8/0xa [mptbase]
     [<e08e6fa2>] mpt_do_ioc_recovery+0x950/0x1212 [mptbase]
     [<c04496c2>] ? __lock_acquire+0xa69/0xacc
     [<c060c8f1>] ? _spin_unlock_irqrestore+0x36/0x3c
     [<c060c3af>] ? _spin_unlock_irq+0x22/0x26
     [<c04f2d8b>] ? string+0x2b/0x76
     [<c04f310e>] ? vsnprintf+0x338/0x7b3
     [<c04496c2>] ? __lock_acquire+0xa69/0xacc
     [<c060c8ea>] ? _spin_unlock_irqrestore+0x2f/0x3c
     [<c04496c2>] ? __lock_acquire+0xa69/0xacc
     [<c044897d>] ? debug_check_no_locks_freed+0xeb/0x105
     [<c060c8f1>] ? _spin_unlock_irqrestore+0x36/0x3c
     [<c04488bc>] ? debug_check_no_locks_freed+0x2a/0x105
     [<c0446b8c>] ? lock_release_holdtime+0x43/0x48
     [<c043f742>] ? up_read+0x16/0x29
     [<c05076f8>] ? pci_get_slot+0x66/0x72
     [<e08e89ca>] mpt_attach+0x881/0x9b1 [mptbase]
     [<e091c8e5>] mptspi_probe+0x11/0x354 [mptspi]
    
    Noticing that every caller of mpt_config has its CONFIGPARMS struct
    declared on the stack and thus the &pCfg->timer is always on the stack I
    changed init_timer() to init_timer_on_stack() and it seems to have shut
    up.....
    
    Cc: "Moore, Eric Dean" <Eric.Moore@lsil.com>
    Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: "Desai, Kashyap" <Kashyap.Desai@lsi.com>
    Cc: <stable@kernel.org>		[2.6.29.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  5. @mita @chriswright

    hugetlbfs: return negative error code for bad mount option

    mita committed with chriswright Apr 21, 2009
    upstream commit: c12ddba
    
    This fixes the following BUG:
    
      # mount -o size=MM -t hugetlbfs none /huge
      hugetlbfs: Bad value 'MM' for mount option 'size=MM'
      ------------[ cut here ]------------
      kernel BUG at fs/super.c:996!
    
    Due to
    
    	BUG_ON(!mnt->mnt_sb);
    
    in vfs_kern_mount().
    
    Also, remove unused #include <linux/quotaops.h>
    
    Cc: William Irwin <wli@holomorphy.com>
    Cc: <stable@kernel.org>
    Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  6. @chriswright

    NFS: Fix the XDR iovec calculation in nfs3_xdr_setaclargs

    Trond Myklebust committed with chriswright Apr 21, 2009
    upstream commit: 8340437
    
    Commit ae46141 (NFSv3: Fix posix ACL code)
    introduces a bug in the calculation of the XDR header iovec. In the case
    where we are inlining the acls, we need to adjust the length of the iovec
    req->rq_svec, in addition to adjusting the total buffer length.
    
    Tested-by: Leonardo Chiquitto <leonardo.lists@gmail.com>
    Tested-by: Suresh Jayaraman <sjayaraman@suse.de>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  7. @herbertx @chriswright

    gso: Fix support for linear packets

    herbertx committed with chriswright Apr 21, 2009
    upstream commit: 2f18185
    
    When GRO/frag_list support was added to GSO, I made an error
    which broke the support for segmenting linear GSO packets (GSO
    packets are normally non-linear in the payload).
    
    These days most of these packets are constructed by the tun
    driver, which prefers to allocate linear memory if possible.
    This is fixed in the latest kernel, but for 2.6.29 and earlier
    it is still the norm.
    
    Therefore this bug causes failures with GSO when used with tun
    in 2.6.29.
    
    Reported-by: James Huang <jamesclhuang@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  8. @chriswright

    agp: zero pages before sending to userspace

    Shaohua Li committed with chriswright Apr 20, 2009
    upstream commit: 59de2be
    
    CVE-2009-1192
    
    AGP pages might be mapped into userspace finally, so the pages should be
    set to zero before userspace can use it. Otherwise there is potential
    information leakage.
    
    Signed-off-by: Shaohua Li <shaohua.li@intel.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  9. @chriswright

    virtio: fix suspend when using virtio_balloon

    Marcelo Tosatti committed with chriswright Apr 19, 2009
    upstream commit: 84a139a
    
    Break out of wait_event_interruptible() if freezing has been requested,
    in the vballoon thread. Without this change vballoon refuses to stop and
    the system can't suspend.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  10. @sthibaul @chriswright

    Revert "console ASCII glyph 1:1 mapping"

    sthibaul committed with chriswright Apr 19, 2009
    upstream commit: c0b7988
    
    This reverts commit 1c55f18.
    
    Ingo Brueckl was assuming that reverting to 1:1 mapping for chars >= 128
    was not useful, but it happens to be: due to the limitations of the
    Linux console, when a blind user wants to read BIG5 on it, he has no
    other way than loading a font without SFM and let the 1:1 mapping permit
    the screen reader to get the BIG5 encoding.
    
    Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  11. @dtor @chriswright

    Input: gameport - fix attach driver code

    dtor committed with chriswright Apr 13, 2009
    upstream commit: 4ced8e7
    
    The commit 6902c0b that moved
    driver registration out of kgameportd thread was incomplete and
    did not add the code necessary to actually attach driver to
    already registered devices, rectify that.
    
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  12. @chriswright

    x86, PAT: Remove page granularity tracking for vm_insert_pfn maps

    Pallipadi, Venkatesh committed with chriswright Apr 18, 2009
    upstream commit: 4b06504
    
    This change resolves the problem of too many single page entries
    in pat_memtype_list and "freeing invalid memtype" errors with i915,
    reported here:
    
      http://marc.info/?l=linux-kernel&m=123845244713183&w=2
    
    Remove page level granularity track and untrack of vm_insert_pfn.
    memtype tracking at page granularity does not scale and cleaner
    approach would be for the driver to request a type for a bigger
    IO address range or PCI io memory range for that device, either at
    mmap time or driver init time and just use that type during
    vm_insert_pfn.
    
    This patch just removes the track/untrack of vm_insert_pfn. That
    means we will be in same state as 2.6.28, with respect to these APIs.
    
    Newer APIs for the drivers to request a memtype for a bigger region
    is coming soon.
    
    [ Impact: fix Xorg startup warnings and hangs ]
    
    Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
    Tested-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
    Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
    Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
    Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
    LKML-Reference: <20090408223716.GC3493@linux-os.sc.intel.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  13. @chriswright

    KVM: is_long_mode() should check for EFER.LMA

    Amit Shah committed with chriswright Apr 17, 2009
    upstream commit: 41d6af1
    
    is_long_mode currently checks the LongModeEnable bit in
    EFER instead of the LongModeActive bit. This is wrong, but
    we survived this till now since it wasn't triggered. This
    breaks guests that go from long mode to compatibility mode.
    
    This is noticed on a solaris guest and fixes bug #1842160
    
    Signed-off-by: Amit Shah <amit.shah@qumranet.com>
    Signed-off-by: Avi Kivity <avi@qumranet.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  14. @chriswright

    KVM: VMX: Update necessary state when guest enters long mode

    Amit Shah committed with chriswright Apr 17, 2009
    upstream commit: 401d10d
    
    setup_msrs() should be called when entering long mode to save the
    shadow state for the 64-bit guest state.
    
    Using vmx_set_efer() in enter_lmode() removes some duplicated code
    and also ensures we call setup_msrs(). We can safely pass the value
    of shadow_efer to vmx_set_efer() as no other bits in the efer change
    while enabling long mode (guest first sets EFER.LME, then sets CR0.PG
    which causes a vmexit where we activate long mode).
    
    With this fix, is_long_mode() can check for EFER.LMA set instead of
    EFER.LME and 5e23049 can be reverted.
    
    Signed-off-by: Amit Shah <amit.shah@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  15. @chriswright

    KVM: fix kvm_vm_ioctl_deassign_device

    Weidong Han committed with chriswright Apr 17, 2009
    upstream commit: 4a906e4
    
    only need to set assigned_dev_id for deassignment, use
    match->flags to judge and deassign it.
    
    Acked-by: Mark McLoughlin <markmc@redhat.com>
    Signed-off-by: Weidong Han <weidong.han@intel.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  16. @chriswright

    KVM: MMU: handle compound pages in kvm_is_mmio_pfn

    Joerg Roedel committed with chriswright Apr 17, 2009
    upstream commit: fc5659c
    
    The function kvm_is_mmio_pfn is called before put_page is called on a
    page by KVM. This is a problem when this function is called on some
    struct page which is part of a compound page. It does not test the
    reserved flag of the compound page but of the struct page within the
    compound page. This is a problem when KVM works with hugepages allocated
    at boot time. These pages have the reserved bit set in all tail pages.
    Only the flag in the compound head is cleared. KVM would not put such a
    page which results in a memory leak.
    
    Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
    Acked-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  17. @chriswright

    KVM: Reset PIT irq injection logic when the PIT IRQ is unmasked

    Avi Kivity committed with chriswright Apr 17, 2009
    upstream commit: 4780c65
    
    While the PIT is masked the guest cannot ack the irq, so the reinject logic
    will never allow the interrupt to be injected.
    
    Fix by resetting the reinjection counters on unmask.
    
    Unbreaks Xen.
    
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  18. @chriswright

    KVM: Interrupt mask notifiers for ioapic

    Avi Kivity committed with chriswright Apr 17, 2009
    upstream commit: 75858a8
    
    Allow clients to request notifications when the guest masks or unmasks a
    particular irq line.  This complements irq ack notifications, as the guest
    will not ack an irq line that is masked.
    
    Currently implemented for the ioapic only.
    
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  19. @chriswright

    KVM: Add CONFIG_HAVE_KVM_IRQCHIP

    Avi Kivity committed with chriswright Apr 17, 2009
    upstream commit: 5d9b8e3
    
    Two KVM archs support irqchips and two don't.  Add a Kconfig item to
    make selecting between the two models easier.
    
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  20. @chriswright

    KVM: Fix missing smp tlb flush in invlpg

    Andrea Arcangeli committed with chriswright Apr 17, 2009
    upstream commit: 4539b35
    
    When kvm emulates an invlpg instruction, it can drop a shadow pte, but
    leaves the guest tlbs intact.  This can cause memory corruption when
    swapping out.
    
    Without this the other cpu can still write to a freed host physical page.
    tlb smp flush must happen if rmap_remove is called always before mmu_lock
    is released because the VM will take the mmu_lock before it can finally add
    the page to the freelist after swapout. mmu notifier makes it safe to flush
    the tlb after freeing the page (otherwise it would never be safe) so we can do
    a single flush for multiple sptes invalidated.
    
    Cc: stable@kernel.org
    Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
    Acked-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    [mtosatti: backport to 2.6.29]
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  21. @chriswright

    USB: usb-storage: augment unusual_devs entry for Simple Tech/Datafab

    Alan Stern committed with chriswright Apr 17, 2009
    upstream commit: e4813ee
    
    This patch (as1227) adds the MAX_SECTORS_64 flag to the unusual_devs
    entry for the Simple Tech/Datafab controller.  This fixes Bugzilla
    #12882.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-and-tested-by: binbin <binbinsh@gmail.com>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  22. @chriswright

    USB: fix oops in cdc-wdm in case of malformed descriptors

    Oliver Neukum committed with chriswright Apr 17, 2009
    upstream commit: e13c594
    
    cdc-wdm needs to ignore extremely malformed descriptors.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  23. @jacmet @chriswright

    USB: ftdi_sio: add vendor/project id for JETI specbos 1201 spectrometer

    jacmet committed with chriswright Apr 17, 2009
    upstream commit: ae27d84
    
    Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  24. @u1f35c @chriswright

    usb gadget: fix ethernet link reports to ethtool

    u1f35c committed with chriswright Apr 17, 2009
    upstream commit: 237e75b
    
    The g_ether USB gadget driver currently decides whether or not there's a
    link to report back for eth_get_link based on if the USB link speed is
    set. The USB gadget speed is however often set even before the device is
    enumerated. It seems more sensible to only report a "link" if we're
    actually connected to a host that wants to talk to us. The patch below
    does this for me - tested with the PXA27x UDC driver.
    
    Signed-off-by: Jonathan McDowell <noodles@earth.li>
    Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
    Cc: stable <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  25. @chriswright

    x86: disable X86_PTRACE_BTS for now

    Ingo Molnar committed with chriswright Apr 15, 2009
    upstream commit: d45b41a
    
    Oleg Nesterov found a couple of races in the ptrace-bts code
    and fixes are queued up for it but they did not get ready in time
    for the merge window. We'll merge them in v2.6.31 - until then
    mark the feature as CONFIG_BROKEN. There's no user-space yet
    making use of this so it's not a big issue.
    
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    [chrisw: trivial 2.6.29 backport]
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  26. @fujita @chriswright

    SCSI: sg: fix q->queue_lock on scsi_error_handler path

    fujita committed with chriswright Apr 6, 2009
    upstream commit: 015640e
    
    sg_rq_end_io() is called via rq->end_io. In some rare cases,
    sg_rq_end_io calls blk_put_request/blk_rq_unmap_user (when a program
    issuing a command has gone before the command completion; e.g. by
    interrupting a program issuing a command before the command
    completes).
    
    We can't call blk_put_request/blk_rq_unmap_user in interrupt so the
    commit c96952e uses
    execute_in_process_context().
    
    The problem is that scsi_error_handler() calls rq->end_io too. We
    can't call blk_put_request/blk_rq_unmap_user too in this path (we hold
    q->queue_lock).
    
    To avoid the above problem, in these rare cases, this patch always
    uses schedule_work() instead of execute_in_process_context().
    
    Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Acked-by: Douglas Gilbert <dgilbert@interlog.com>
    Cc: Stable Tree <stable@kernel.org>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  27. @fujita @chriswright

    SCSI: sg: avoid blk_put_request/blk_rq_unmap_user in interrupt

    fujita committed with chriswright Feb 4, 2009
    upstream commit: c96952e
    
    This fixes the following oops:
    
    http://marc.info/?l=linux-kernel&m=123316111415677&w=2
    
    You can reproduce this bug by interrupting a program before a sg
    response completes. This leads to the special sg state (the orphan
    state), then sg calls blk_put_request in interrupt (rq->end_io).
    
    The above bug report shows the recursive lock problem because sg calls
    blk_put_request in interrupt. We could call __blk_put_request here
    instead however we also need to handle blk_rq_unmap_user here, which
    can't be called in interrupt too.
    
    In the orphan state, we don't need to care about the data transfer
    (the program revoked the command) so adding 'just free the resource'
    mode to blk_rq_unmap_user is a possible option.
    
    I prefer to avoid complicating the blk mapping API when possible. I
    change the orphan state to call sg_finish_rem_req via
    execute_in_process_context. We hold sg_fd->kref so sg_fd doesn't go
    away until keventd_wq finishes our work. copy_from_user/to_user fails
    so blk_rq_unmap_user just frees the resource without the data
    transfer.
    
    Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Acked-by: Douglas Gilbert <dgilbert@interlog.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  28. @abattersby @chriswright

    SCSI: sg: fix races with ioctl(SG_IO)

    abattersby committed with chriswright Jan 20, 2009
    upstream commit: a2dd3b4
    
    sg_io_owned needs to be set before the command is sent to the midlevel;
    otherwise, a quickly-completing command may cause a different CPU
    to see "srp->done == 1 && !srp->sg_io_owned", which would lead to
    incorrect behavior.
    
    Check srp->done and set srp->orphan while holding rq_list_lock to
    prevent races with sg_rq_end_io().
    
    There is no need to check sfp->closed from read/write/ioctl/poll/etc.
    since the kernel guarantees that this won't happen.
    
    The usefulness of sg_srp_done() was questionable before; now it is
    definitely not needed.
    
    Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
    Acked-by: Douglas Gilbert <dgilbert@interlog.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  29. @abattersby @chriswright

    SCSI: sg: fix races during device removal

    abattersby committed with chriswright Jan 21, 2009
    upstream commit: c6517b7
    
    sg has the following problems related to device removal:
    
    * opening a sg fd races with removing a device
    * closing a sg fd races with removing a device
    * /proc/scsi/sg/* access races with removing a device
    * command completion races with removing a device
    * command completion races with closing a sg fd
    * can rmmod sg with active commands
    
    These problems can cause kernel oopses, memory-use-after-free, or
    double-free errors.  This patch fixes these problems by using krefs
    to manage the lifetime of sg_device and sg_fd.
    
    Each command submitted to the midlevel holds a reference to sg_fd
    until the completion callback.  This ensures that sg_fd doesn't go
    away if the fd is closed with commands still outstanding.
    
    sg_fd gets the reference of sg_device (with scsi_device) and also
    makes sure that the sg module doesn't go away.
    
    /proc/scsi/sg/* functions don't play nicely with krefs because they
    give information about sg_fds which have been closed but not yet
    freed due to still having outstanding commands and sg_devices which
    have been removed but not yet freed due to still being referenced
    by one or more sg_fds.  To deal with this safely without removing
    functionality, /proc functions now access sg_device and sg_fd while
    holding a lock instead of using kref_get()/kref_put().
    
    Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
    Acked-by: Douglas Gilbert <dgilbert@interlog.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    [chrisw: big for -stable, helps fix real bug, and made it through rc2 upstream]
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  30. @chriswright

    mm: pass correct mm when growing stack

    Hugh Dickins committed with chriswright Apr 16, 2009
    upstream commit: 05fa199
    
    Tetsuo Handa reports seeing the WARN_ON(current->mm == NULL) in
    security_vm_enough_memory(), when do_execve() is touching the
    target mm's stack, to set up its args and environment.
    
    Yes, a UMH_NO_WAIT or UMH_WAIT_PROC call_usermodehelper() spawns
    an mm-less kernel thread to do the exec.  And in any case, that
    vm_enough_memory check when growing stack ought to be done on the
    target mm, not on the execer's mm (though apart from the warning,
    it only makes a slight tweak to OVERCOMMIT_NEVER behaviour).
    
    Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  31. @chriswright

    pata_hpt37x: fix HPT370 DMA timeouts

    Sergei Shtylyov committed with chriswright Apr 14, 2009
    upstream commit: 265b721
    
    The libata driver has copied the code from the IDE driver which caused a post
    2.4.18 regression on many HPT370[A] chips -- DMA stopped to work completely,
    only causing timeouts.  Now remove hpt370_bmdma_start() for good...
    
    Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  32. @chriswright

    hpt366: fix HPT370 DMA timeouts

    Sergei Shtylyov committed with chriswright Apr 18, 2009
    upstream commit: c018f1e
    
    The big driver change in 2.4.19-rc1 introduced a regression for many HPT370[A]
    chips -- DMA stopped to work completely, only causing endless timeouts...
    
    The culprit has been identified (at last!): it turned out to be the code
    resetting the DMA state machine before each transfer. Stop doing it now as
    this countermeasure has clearly caused more harm than good.
    
    This should fix the kernel.org bug #7703.
    
    Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  33. @paulusmack @chriswright

    powerpc: Fix data-corrupting bug in __futex_atomic_op

    paulusmack committed with chriswright Apr 15, 2009
    upstream commit: 306a828
    
    Richard Henderson pointed out that the powerpc __futex_atomic_op has a
    bug: it will write the wrong value if the stwcx. fails and it has to
    retry the lwarx/stwcx. loop, since 'oparg' will have been overwritten
    by the result from the first time around the loop.  This happens
    because it uses the same register for 'oparg' (an input) as it uses
    for the result.
    
    This fixes it by using separate registers for 'oparg' and 'ret'.
    
    Cc: stable@kernel.org
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  34. @tiwai @chriswright

    ALSA: hda - Fix the cmd cache keys for amp verbs

    tiwai committed with chriswright Apr 15, 2009
    upstream commit: fcad94a
    
    Fix the key value generation for get/set amp verbs.  The upper bits of
    the parameter have to be combined with the verb value to be unique for
    each direction/index of amp access.
    
    This fixes the resume problem on some hardwares like Macbook after
    the channel mode is changed.
    
    Tested-by: Johannes Berg <johannes@sipsolutions.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  35. @chriswright

    sfc: Match calls to netif_napi_add() and netif_napi_del()

    Ben Hutchings committed with chriswright Apr 15, 2009
    upstream commit: 718cff1
    
    sfc could call netif_napi_add() multiple times for the same
    napi_struct, corrupting the list of napi_structs for the associated
    device and leading to a busy-loop on device removal.  Move the call to
    netif_napi_add() and add a call to netif_napi_del() in the obvious
    places.
    
    [bhutchings: backport to 2.6.29]
    Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>