Commits on Jul 20, 2009
  1. @gregkh

    Linux 2.6.30.2

    gregkh committed Jul 19, 2009
  2. @torvalds @gregkh

    Don't use '-fwrapv' compiler option: it's buggy in gcc-4.1.x

    commit a137802 upstream.
    
    This causes kernel images that don't run init to completion with certain
    broken gcc versions.
    
    This fixes kernel bugzilla entry:
    	http://bugzilla.kernel.org/show_bug.cgi?id=13012
    
    I suspect the gcc problem is this:
    	http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28230
    
    Fix the problem by using the -fno-strict-overflow flag instead, which
    not only does not exist in the known-to-be-broken versions of gcc (it
    was introduced later than fwrapv), but seems to be much less disturbing
    to gcc too: the difference in the generated code by -fno-strict-overflow
    are smaller (compared to using neither flag) than when using -fwrapv.
    
    Reported-by: Barry K. Nathan <barryn@pobox.com>
    Pushed-by: Frans Pop <elendil@planet.nl>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    torvalds committed with gregkh Jul 12, 2009
  3. @csabahenk @gregkh

    fuse: fix return value of fuse_dev_write()

    commit b4c458b upstream.
    
    On 64-bit systems -- where sizeof(ssize_t) > sizeof(int) -- the following test
    exposes a bug due to a non-careful return of an int or unsigned value:
    
    implement a FUSE filesystem which sends an unsolicited notification to
    the kernel with invalid opcode. The respective write to /dev/fuse
    will return (1 << 32) - EINVAL with errno == 0 instead of -1 with
    errno == EINVAL.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    csabahenk committed with gregkh Jun 29, 2009
  4. @gregkh

    fuse: fix bad return value in fuse_file_poll()

    commit 201fa69 upstream.
    
    Fix fuse_file_poll() which returned a -errno value instead of a poll
    mask.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Miklos Szeredi committed with gregkh Jun 30, 2009
  5. @dwmw2 @gregkh

    Fix iommu address space allocation

    commit a15a519 upstream.
    
    This fixes kernel.org bug #13584. The IOVA code attempted to optimise
    the insertion of new ranges into the rbtree, with the unfortunate result
    that some ranges just didn't get inserted into the tree at all. Then
    those ranges would be handed out more than once, and things kind of go
    downhill from there.
    
    Introduced after 2.6.25 by ddf0288
    ("PCI: iova RB tree setup tweak").
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Cc: mark gross <mgross@linux.intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dwmw2 committed with gregkh Jul 1, 2009
  6. @dwmw2 @gregkh

    Fix pci_unmap_addr() et al on i386.

    commit 788d84b upstream.
    
    We can run a 32-bit kernel on boxes with an IOMMU, so we need
    pci_unmap_addr() etc. to work -- without it, drivers will leak mappings.
    
    To be honest, this whole thing looks like it's more pain than it's
    worth; I'm half inclined to remove the no-op #else case altogether.
    
    But this is the minimal fix, which just does the right thing if
    CONFIG_DMAR is set.
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dwmw2 committed with gregkh Jul 1, 2009
  7. @jirislaby @gregkh

    floppy: fix lock imbalance

    commit 8516a50 upstream.
    
    A crappy macro prevents us from unlocking on a fail path.
    
    Expand the macro and unlock appropriately.
    
    Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
    Cc: Jens Axboe <jens.axboe@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jirislaby committed with gregkh Jun 30, 2009
  8. @ebiederm @gregkh

    Revert "ipv4: arp announce, arp_proxy and windows ip conflict verification"

    commit f8a68e7 upstream.
    
    This reverts commit 73ce7b0.
    
    After discovering that we don't listen to gratuitous arps in 2.6.30
    I tracked the failure down to this commit.
    
    The patch makes absolutely no sense.  RFC2131, RFC3927 and RFC5227
    are all in agreement that an arp request with sip == 0 should be used
    for the probe (to prevent learning) and an arp request with sip == tip
    should be used for the gratuitous announcement that people can learn
    from.
    
    It appears the author of the broken patch got those two cases confused
    and modified the code to drop all gratuitous arp traffic.  Ouch!
    
    Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ebiederm committed with gregkh Jun 30, 2009
  9. @neilbrown @gregkh

    md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes.

    commit b8d966e upstream.
    
    If we try to modify one of the md/ sysfs files
      suspend_lo or suspend_hi
    when the array is not active, we dereference a NULL.
    Protect against that.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    neilbrown committed with gregkh Jul 1, 2009
  10. @neilbrown @gregkh

    md: fix error path when duplicate name is found on md device creation.

    commit 1ec22eb upstream.
    
    When an md device is created by name (rather than number) we need to
    check that the name is not already in use.  If this check finds a
    duplicate, we return an error without dropping the lock or freeing
    the newly created mddev.
    This patch fixes that.
    
    Found-by: Jiri Slaby <jirislaby@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    neilbrown committed with gregkh Jul 1, 2009
  11. @neilbrown @gregkh

    md/raid5: suspend shouldn't affect read requests.

    commit a5c308d upstream.
    
    md allows writes to regions on an array to be suspended temporarily.
    This allows user-space to participate in aspects of reshape.
    In particular, data can be copied with no risk of a race.
    We should not be blocking read requests though, so don't.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    neilbrown committed with gregkh Jul 1, 2009
  12. @neilbrown @gregkh

    block: Restore barrier support for md and probably other virtual devices.

    commit db64f68 upstream.
    
    The next_ordered flag is only meaningful for devices that use __make_request.
    So move the test against next_ordered out of generic code and into
    __make_request.
    
    Since this test was added, barriers have not worked on md or any
    devices that don't use __make_request and so don't bother to set
    next_ordered.  (dm explicitly sets something other than
    QUEUE_ORDERED_NONE since
      commit 99360b4
    but notes in the comments that it is otherwise meaningless).
    
    Cc: Ken Milmore <ken.milmore@googlemail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    neilbrown committed with gregkh Jun 30, 2009
  13. @gregkh

    dma-debug: fix off-by-one error in overlap function

    commit c79ee4e upstream.
    
    This patch fixes a bug in the overlap function which returned true if
    one region ends exactly before the second region begins. This is no
    overlap but the function returned true in that case.
    
    Reported-by: Andrew Randrianasulu <randrik@mail.ru>
    Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Joerg Roedel committed with gregkh Jun 16, 2009
  14. @htejun @gregkh

    alpha: fix percpu build breakage

    commit b01e8dc upstream.
    
    alpha percpu access requires custom SHIFT_PERCPU_PTR() definition for
    modules to work around addressing range limitation.  This is done via
    generating inline assembly using C preprocessing which forces the
    assembler to generate external reference.  This happens behind the
    compiler's back and makes the compiler think that static percpu variables
    in modules are unused.
    
    This used to be worked around by using __unused attribute for percpu
    variables which prevents the compiler from omitting the variable; however,
    recent declare/definition attribute unification change broke this as
    __used can't be used for declaration.  Also, in the process,
    PER_CPU_ATTRIBUTES definition in alpha percpu.h got broken.
    
    This patch adds PER_CPU_DEF_ATTRIBUTES which is only used for definitions
    and makes alpha use it to add __used for percpu variables in modules.  This
    also fixes the PER_CPU_ATTRIBUTES double definition bug.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Tested-by: maximilian attems <max@stro.at>
    Acked-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Cc: Richard Henderson <rth@twiddle.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Jun 30, 2009
  15. @zhang-rui @gregkh

    kernel/resource.c: fix sign extension in reserve_setup()

    commit 8bc1ad7 upstream.
    
    When the 32-bit signed quantities get assigned to the u64 resource_size_t,
    they are incorrectly sign-extended.
    
    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13253
    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9905
    
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Reported-by: Leann Ogasawara <leann@ubuntu.com>
    Cc: Pierre Ossman <drzeus@drzeus.cx>
    Reported-by: <pablomme@googlemail.com>
    Tested-by: <pablomme@googlemail.com>
    Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    zhang-rui committed with gregkh Jun 30, 2009
  16. @gregkh

    futexes: Fix infinite loop in get_futex_key() on huge page

    commit ce2ae53 upstream.
    
    get_futex_key() can infinitely loop if it is called on a
    virtual address that is within a huge page but not aligned to
    the beginning of that page.  The call to get_user_pages_fast
    will return the struct page for a sub-page within the huge page
    and the check for page->mapping will always fail.
    
    The fix is to call compound_head on the page before checking
    that it's mapped.
    
    Signed-off-by: Sonny Rao <sonnyrao@us.ibm.com>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: anton@samba.org
    Cc: rajamony@us.ibm.com
    Cc: speight@us.ibm.com
    Cc: mstephen@us.ibm.com
    Cc: grimm@us.ibm.com
    Cc: mikey@ozlabs.au.ibm.com
    LKML-Reference: <20090710231313.GA23572@us.ibm.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Sonny Rao committed with gregkh Jul 10, 2009
  17. @gregkh

    futex: Fix the write access fault problem for real

    commit d072599 and aa71528 upstream
    
    commit 64d1304 (futex: setup writeable mapping for futex ops which
    modify user space data) did address only half of the problem of write
    access faults.
    
    The patch was made on two wrong assumptions:
    
    1) access_ok(VERIFY_WRITE,...) would actually check write access.
    
       On x86 it does _NOT_. It's a pure address range check.
    
    2) a RW mapped region can not go away under us.
    
       That's wrong as well. Nobody can prevent another thread from calling
       mprotect(PROT_READ) on that region where the futex resides. If that
       call hits between the get_user_pages_fast() verification and the
       actual write access in the atomic region we are toast again.
    
    The solution is to not rely on access_ok and get_user() for any write
    access related fault on private and shared futexes. Instead we need to
    fault it in with verification of write access.
    
    There is no generic non-destructive write mechanism which would fault
    the user page in through a #PF, but as we already know that we will
    fault we can as well call get_user_pages() directly and avoid the #PF
    overhead.
    
    If get_user_pages() returns -EFAULT we know that we can not fix it
    anymore and need to bail out to user space.
    
    Remove a bunch of confusing comments on this issue as well.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas Gleixner committed with gregkh Jul 2, 2009
  18. @vapier @gregkh

    Blackfin: fix command line corruption with DEBUG_DOUBLEFAULT

    commit 3708251 upstream.
    
    Commit 6b3087c (which introduced Blackfin SMP) broke command line passing
    when the DEBUG_DOUBLEFAULT config option was enabled.  Switch the code to
    using a scratch register and not R7 which holds the command line.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    vapier committed with gregkh May 26, 2009
  19. @sonicz @gregkh

    Blackfin: fix deadlock in SMP IPI handler

    commit 86f2008 upstream.
    
    When a low priority interrupt (like ethernet) is triggered between 2 high
    priority IPI messages, a deadlock in disable_irq() is hit by the second
    IPI handler.  This is because the second IPI message is queued within the
    first IPI handler, but the handler doesn't process all messages, and new
    ones are inserted rather than appended.  So now we process all the pending
    messages, and append new ones to the pending list.
    
    URL: http://blackfin.uclinux.org/gf/tracker/5226
    
    Signed-off-by: Sonic Zhang <sonic.zhang@analog.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    sonicz committed with gregkh Jun 10, 2009
  20. @vapier @gregkh

    Blackfin: redo handling of bad irqs

    commit 2657921 upstream.
    
    With the common IRQ code initializing much more of the irq_desc state, we
    can't blindly initialize it ourselves to the local bad_irq state.  If we
    do, we end up wrongly clobbering many fields.  So punt most of the bad irq
    code as the common layers will handle the default state, and simply call
    handle_bad_irq() directly when the IRQ we are processing is invalid.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    vapier committed with gregkh Jun 15, 2009
  21. @sonicz @gregkh

    Blackfin: fix accidental reset in some boot modes

    commit 0de4adf upstream.
    
    We read the SWRST (Software Reset) register to get at the last reset
    state, and then we may configure the DOUBLE_FAULT bit to control behavior
    when a double fault occurs.  But if the lower bits of the register are
    already set (like UART boot mode on a BF54x), we inadvertently make the
    system reset by writing to the SYSTEM_RESET field at the same time.  So
    make sure the lower 4 bits are always cleared.
    
    Signed-off-by: Sonic Zhang <sonic.zhang@analog.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    sonicz committed with gregkh Jun 15, 2009
  22. @gregkh

    personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

    commit f9fabcb upstream.
    
    We have found that the current PER_CLEAR_ON_SETID mask on Linux includes
    neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO.
    
    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
    
    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:
    
     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.
    
    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on 32-bit x86 it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).
    
    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Julien Tinnes committed with gregkh Jun 26, 2009
  23. @gregkh

    tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)

    commit 3c8a9c6 upstream.
    
    Fix NULL pointer dereference in tun_chr_poll() introduced by commit
    33dccbb ("tun: Limit amount of queued
    packets per device") and triggered by this code:
    
    	int fd;
    	struct pollfd pfd;
    	fd = open("/dev/net/tun", O_RDWR);
    	pfd.fd = fd;
    	pfd.events = POLLIN | POLLOUT;
    	poll(&pfd, 1, 0);
    
    Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
    Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Mariusz Kozlowski committed with gregkh Jul 5, 2009
  24. @gregkh

    security: use mmap_min_addr independently of security models

    commit e0a94c2 upstream.
    
    This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
    It also sets a default mmap_min_addr of 4096.
    
    mmapping of addresses below 4096 will only be possible for processes
    with CAP_SYS_RAWIO.
    
    Signed-off-by: Christoph Lameter <cl@linux-foundation.org>
    Acked-by: Eric Paris <eparis@redhat.com>
    Looks-ok-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Christoph Lameter committed with gregkh Jun 3, 2009
  25. @gregkh

    Add '-fno-delete-null-pointer-checks' to gcc CFLAGS

    commit a3ca86a upstream.
    
    Turning on this flag could prevent the compiler from optimising away
    some "useless" checks for null pointers.  Such bugs can sometimes become
    exploitable at compile time because of the -O2 optimisation.
    
    See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html
    
    An example that clearly shows this 'problem' is commit 6bf6767.
    
     static void __devexit agnx_pci_remove(struct pci_dev *pdev)
     {
         struct ieee80211_hw *dev = pci_get_drvdata(pdev);
    -    struct agnx_priv *priv = dev->priv;
    +    struct agnx_priv *priv;
         AGNX_TRACE;
    
         if (!dev)
             return;
    +    priv = dev->priv;
    
    By reverting this patch, and compiling it with and without the
    -fno-delete-null-pointer-checks flag, we can see that the check for dev
    is compiled away.
    
        call    printk  #
    -   testq   %r12, %r12  # dev
    -   je  .L94    #,
        movq    %r12, %rdi  # dev,
    
    Clearly the 'fix' is to stop using dev before it is tested, but building
    with -fno-delete-null-pointer-checks flag at least makes it harder to
    abuse.
    
    Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
    Acked-by: Eric Paris <eparis@redhat.com>
    Acked-by: Wang Cong <amwang@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Eugene Teo committed with gregkh Jul 15, 2009
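The mask change in commit 22 above (personality: fix PER_CLEAR_ON_SETID, CVE-2009-1895), modelled in an added C example that is not kernel code: the flag values are the ones from <linux/personality.h>, the two masks are the before and after states the commit message describes, and personality_after_setid() is a constructed stand-in for what exec() of a set-id binary does to the inherited persona.

```c
#include <stdio.h>

/* Personality flag bits as defined in <linux/personality.h>.  The commit
 * message names these flags; the numeric values are the kernel's. */
#define ADDR_NO_RANDOMIZE   0x0040000UL
#define MMAP_PAGE_ZERO      0x0100000UL
#define ADDR_COMPAT_LAYOUT  0x0200000UL
#define READ_IMPLIES_EXEC   0x0400000UL

/* Mask before commit f9fabcb, exactly as the message quotes it. */
#define PER_CLEAR_ON_SETID_OLD (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
/* Mask after the fix: the two flags the message argues must be cleared. */
#define PER_CLEAR_ON_SETID_NEW (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | \
                                ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/* Constructed model of the set-id exec path: bits in the clear mask are
 * dropped from the inherited persona, every other bit (including the base
 * persona in the low byte) survives into the privileged process. */
static unsigned long personality_after_setid(unsigned long inherited,
                                             unsigned long clear_mask)
{
    return inherited & ~clear_mask;
}

/* The condition the message calls dangerous: a set-id process that still
 * carries MMAP_PAGE_ZERO may end up with the first page mapped. */
static int page_zero_mappable(unsigned long persona)
{
    return (persona & MMAP_PAGE_ZERO) != 0;
}

/* ASLR is weakened if either no-randomize or the compat layout survives. */
static int aslr_weakened(unsigned long persona)
{
    return (persona & (ADDR_NO_RANDOMIZE | ADDR_COMPAT_LAYOUT)) != 0;
}

int main(void)
{
    /* Constructed input: an unprivileged parent sets every flag it can
     * before exec'ing a set-id binary. */
    unsigned long requested = MMAP_PAGE_ZERO | ADDR_COMPAT_LAYOUT |
                              ADDR_NO_RANDOMIZE | READ_IMPLIES_EXEC;
    unsigned long old_persona = personality_after_setid(requested, PER_CLEAR_ON_SETID_OLD);
    unsigned long new_persona = personality_after_setid(requested, PER_CLEAR_ON_SETID_NEW);

    printf("old mask: page zero mappable=%d, aslr weakened=%d\n",
           page_zero_mappable(old_persona), aslr_weakened(old_persona));
    printf("new mask: page zero mappable=%d, aslr weakened=%d\n",
           page_zero_mappable(new_persona), aslr_weakened(new_persona));
    return 0;
}
```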
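The compiler behaviour behind commit 25 above (-fno-delete-null-pointer-checks), shown in an added C example that is not the driver's or the kernel's code: the two structs and the irq field are hypothetical stand-ins for the agnx types, and the two functions reproduce the before and after shapes of the quoted agnx_pci_remove() diff.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver structures in the agnx diff. */
struct agnx_priv { int irq; };
struct ieee80211_hw { struct agnx_priv *priv; };

/* The "before" shape: dev is dereferenced to obtain priv before the NULL
 * test.  Under -O2, GCC treats that load as proof that dev is non-NULL and
 * may delete "if (!dev)" entirely, so the check no longer protects anyone.
 * To see it, compile with "gcc -O2 -S" and compare against
 * "gcc -O2 -fno-delete-null-pointer-checks -S": only the second keeps a
 * test of the pointer ahead of the load (the "testq/je" pair in the diff). */
__attribute__((noinline))
int remove_before_fix(struct ieee80211_hw *dev)
{
    struct agnx_priv *priv = dev->priv;   /* dereference first ...        */
    if (!dev)                              /* ... check second: removable  */
        return -1;
    return priv->irq;
}

/* The "after" shape: test first, dereference only once dev is known to be
 * non-NULL.  No optimisation level can remove this check, which is the
 * real fix the message points to; the compiler flag is defence in depth. */
__attribute__((noinline))
int remove_after_fix(struct ieee80211_hw *dev)
{
    struct agnx_priv *priv;
    if (!dev)
        return -1;
    priv = dev->priv;
    return priv->irq;
}

int main(void)
{
    /* Constructed device: both shapes behave identically on valid input,
     * which is why the defect is invisible in normal testing. */
    struct agnx_priv priv = { .irq = 17 };
    struct ieee80211_hw dev = { .priv = &priv };

    printf("valid dev: before=%d after=%d\n",
           remove_before_fix(&dev), remove_after_fix(&dev));
    /* Only the fixed shape is safe to call with NULL. */
    printf("NULL dev:  after=%d\n", remove_after_fix(NULL));
    return 0;
}
```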
Commits on Jul 2, 2009
  1. @gregkh

    Linux 2.6.30.1

    gregkh committed Jul 2, 2009
  2. @gregkh

    bsdacct: fix access to invalid filp in acct_on()

    commit df279ca upstream.
    
    The file opened in acct_on and freshly stored in the ns->bacct struct can
    be closed in acct_file_reopen by a concurrent call after we release
    acct_lock and before we call mntput(file->f_path.mnt).
    
    Record file->f_path.mnt in a local variable and use this variable only.
    
    Signed-off-by: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
    Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Renaud Lottiaux committed with gregkh Jun 30, 2009
  3. @gregkh

    xfs: fix freeing memory in xfs_getbmap()

    commit 7747a0b upstream.
    
    Regression from commit 28e2117.
    Need to free temporary buffer allocated in xfs_getbmap().
    
    Signed-off-by: Felix Blyakher <felixb@sgi.com>
    Signed-off-by: Hedi Berriche <hedi@sgi.com>
    Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com>
    Reviewed-by: Eric Sandeen <sandeen@sandeen.net>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Felix Blyakher committed with gregkh Jun 11, 2009
  4. @gregkh

    KVM: x86: silence preempt warning on kvm_write_guest_time

    commit 2dea4c8 upstream.
    
    This issue just appeared in kvm-84 when running on 2.6.28.7 (x86-64)
    with PREEMPT enabled.
    
    We're getting syslog warnings like this many (but not all) times qemu
    tells KVM to run the VCPU:
    
    BUG: using smp_processor_id() in preemptible [00000000] code:
    qemu-system-x86/28938
    caller is kvm_arch_vcpu_ioctl_run+0x5d1/0xc70 [kvm]
    Pid: 28938, comm: qemu-system-x86 2.6.28.7-mtyrel-64bit
    Call Trace:
    debug_smp_processor_id+0xf7/0x100
    kvm_arch_vcpu_ioctl_run+0x5d1/0xc70 [kvm]
    ? __wake_up+0x4e/0x70
    ? wake_futex+0x27/0x40
    kvm_vcpu_ioctl+0x2e9/0x5a0 [kvm]
    enqueue_hrtimer+0x8a/0x110
    _spin_unlock_irqrestore+0x27/0x50
    vfs_ioctl+0x31/0xa0
    do_vfs_ioctl+0x74/0x480
    sys_futex+0xb4/0x140
    sys_ioctl+0x99/0xa0
    system_call_fastpath+0x16/0x1b
    
    As it turns out, the call trace is messed up due to gcc's inlining, but
    I isolated the problem anyway: kvm_write_guest_time() is being used in a
    non-thread-safe manner on preemptable kernels.
    
    Basically kvm_write_guest_time()'s body needs to be surrounded by
    preempt_disable() and preempt_enable(), since the kernel won't let us
    query any per-CPU data (indirectly using smp_processor_id()) without
    preemption disabled. The attached patch fixes this issue by disabling
    preemption inside kvm_write_guest_time().
    
    [marcelo: surround only __get_cpu_var calls since the warning
    is harmless]
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Matt T. Yourst committed with gregkh Feb 24, 2009
  5. @jbarnes993 @gregkh

    drm/i915: correct suspend/resume ordering

    commit 9e06dd3 upstream.
    
    We need to save register state *after* idling GEM, clearing the ring,
    and uninstalling the IRQ handler, or we might end up saving bogus
    fence regs, for one.  Our restore ordering should already be correct,
    since we do GEM, ring and IRQ init after restoring the last register
    state, which prevents us from clobbering things.
    
    I put this together to potentially address a bug, but I haven't heard
    back if it fixes it yet.  However I think it stands on its own, so I'm
    sending it in.
    
    Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Eric Anholt <eric@anholt.net>
    Cc: Jie Luo <clotho67@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jbarnes993 committed with gregkh Jun 22, 2009
  6. @gregkh

    ide-cd: prevent null pointer deref via cdrom_newpc_intr

    commit 39c58f3 upstream.
    
    With 2.6.30, the error handling code in cdrom_newpc_intr was changed
    to deal with partial request failures by normally completing the 'good'
    parts of a request and only 'error' the last (and presumably,
    incompletely transferred) bio associated with a particular
    request. In order to do this, ide_complete_rq is called over
    ide_cd_error_cmd() to partially complete the rq. The block layer
    does partial completion only for requests with bio's and if the
    rq doesn't have one (eg 'GPCMD_READ_DISC_INFO') the request is
    completed as a whole and the drive->hwif->rq pointer set to NULL
    afterwards. When calling ide_complete_rq again to report
    the error, this null pointer is dereferenced, resulting in a kernel
    crash.
    
    This fixes http://bugzilla.kernel.org/show_bug.cgi?id=13399.
    
    Signed-off-by: Rainer Weikusat <rweikusat@mssgmbh.com>
    Signed-off-by: Borislav Petkov <petkovbb@gmail.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Rainer Weikusat committed with gregkh Jun 18, 2009
  7. @gregkh

    ocfs2: Fix ocfs2_osb_dump()

    commit c3d3884 upstream.
    
    Skip printing information that is not valid for local mounts.
    
    Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com>
    Signed-off-by: Joel Becker <joel.becker@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Sunil Mushran committed with gregkh Jun 19, 2009
  8. @vapier @gregkh

    serial: bfin_5xx: fix building as module when early printk is enabled

    commit 607c268 upstream.
    
    Since early printk only makes sense/works when the serial driver is built
    into the kernel, disable the option for this driver when it is going to be
    built as a module.  Otherwise we get build failures due to the ifdef
    handling.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    vapier committed with gregkh Jun 22, 2009
  9. @gregkh

    CONFIG_FILE_LOCKING should not depend on CONFIG_BLOCK

    commit 69050ee upstream.
    
    CONFIG_FILE_LOCKING should not depend on CONFIG_BLOCK.
    
    This makes it possible to run complete systems out of a CONFIG_BLOCK=n
    initramfs on current kernels again (this last worked on 2.6.27.*).
    
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Tomas Szepe committed with gregkh Jun 16, 2009
  10. @gregkh

    lib/genalloc.c: remove unmatched write_lock() in gen_pool_destroy

    commit 8e8a2de upstream.
    
    There is a call to write_lock() in gen_pool_destroy which is not balanced
    by any corresponding write_unlock().  This causes problems with preemption
    because the preemption-disable counter is incremented in the write_lock()
    call, but never decremented by any call to write_unlock().  This bug is
    gen_pool_destroy, and one of them is non-x86 arch-specific code.
    
    Signed-off-by: Zygo Blaxell <zygo.blaxell@xandros.com>
    Cc: Jiri Kosina <trivial@kernel.org>
    Cc: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Zygo Blaxell committed with gregkh Jun 16, 2009