Commits on Jul 24, 2009
  1. @gregkh

    Linux 2.6.30.3

    gregkh authored
  2. @torvalds @gregkh

    fbmon: work around compiler bug in gcc-4.2.4

    torvalds authored gregkh committed
    commit 3730793 upstream.
    
    There's some odd bug in gcc-4.2 where it miscompiles a simple loop when
    the loop counter is of type 'unsigned char' and it should count to 128.
    
    The compiler will incorrectly decide that a trivial loop like this:
    
    	unsigned char i, ...
    
    	for (i = 0; i < 128; i++) {
    		..
    
    is endless, and will compile it to a single instruction that just
    branches to itself.
    
    This was triggered by the addition of '-fno-strict-overflow', and we
    could play games with compiler versions and go back to '-fwrapv'
    instead, but the trivial way to avoid it is to just make the loop
    induction variable be an 'int' instead.
    
    Thanks to Krzysztof Oledzki for reporting and testing and to Troy Moure
    for digging through assembler differences and finding it.
    
    Reported-and-tested-by: Krzysztof Oledzki <olel@ans.pl>
    Found-by: Troy Moure <twmoure@szypr.net>
    Gcc-bug-acked-by: Ian Lance Taylor <iant@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Jul 20, 2009
  1. @gregkh

    Linux 2.6.30.2

    gregkh authored
  2. @torvalds @gregkh

    Don't use '-fwrapv' compiler option: it's buggy in gcc-4.1.x

    torvalds authored gregkh committed
    commit a137802 upstream.
    
    This causes kernel images that don't run init to completion with certain
    broken gcc versions.
    
    This fixes kernel bugzilla entry:
    	http://bugzilla.kernel.org/show_bug.cgi?id=13012
    
    I suspect the gcc problem is this:
    	http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28230
    
    Fix the problem by using the -fno-strict-overflow flag instead, which
    not only does not exist in the known-to-be-broken versions of gcc (it
    was introduced later than fwrapv), but seems to be much less disturbing
    to gcc too: the difference in the generated code by -fno-strict-overflow
    are smaller (compared to using neither flag) than when using -fwrapv.
    
    Reported-by: Barry K. Nathan <barryn@pobox.com>
    Pushed-by: Frans Pop <elendil@planet.nl>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @csabahenk @gregkh

    fuse: fix return value of fuse_dev_write()

    csabahenk authored gregkh committed
    commit b4c458b upstream.
    
    On 64 bit systems -- where sizeof(ssize_t) > sizeof(int) -- the following test
    exposes a bug due to a non-careful return of an int or unsigned value:
    
    implement a FUSE filesystem which sends an unsolicited notification to
    the kernel with invalid opcode. The respective write to /dev/fuse
    will return (1 << 32) - EINVAL with errno == 0 instead of -1 with
    errno == EINVAL.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
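
Added example (not from the fuse source or from the commit above): one way an `int` error code and an `unsigned` byte count can yield the value the message describes, assuming the two meet in a single conditional expression, which the page does not show. `handle_notify`, `write_careless`, `write_careful`, `wrapper_sees_error` and `ssize64_t` are hypothetical names; `ssize64_t` stands in for a 64-bit `ssize_t`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a 64-bit ssize_t, so the result does not depend on the host. */
typedef int64_t ssize64_t;

/* Hypothetical handler: 0 on success, -EINVAL for an invalid opcode. */
static int handle_notify(int opcode_valid)
{
    return opcode_valid ? 0 : -EINVAL;
}

/*
 * Careless form: 'int' and 'unsigned int' share one conditional expression.
 * The usual arithmetic conversions give the whole expression the type
 * 'unsigned int', so -EINVAL turns into 2^32 - EINVAL *before* it is widened
 * to the 64-bit return type, and the widening then zero-extends it.
 */
static ssize64_t write_careless(int opcode_valid, unsigned int nbytes)
{
    int err = handle_notify(opcode_valid);
    return err ? err : nbytes;
}

/*
 * Careful form: each value is converted to the signed return type on its own
 * path, so the error is sign-extended and the byte count keeps its value.
 */
static ssize64_t write_careful(int opcode_valid, unsigned int nbytes)
{
    int err = handle_notify(opcode_valid);
    if (err)
        return err;
    return nbytes;
}

/*
 * The C library treats a raw syscall return as an error only when it lies in
 * [-4095, -1]; anything else is handed to the caller as a result, errno
 * untouched.
 */
static int wrapper_sees_error(ssize64_t ret)
{
    return ret < 0 && ret >= -4095;
}

int main(void)
{
    ssize64_t bad = write_careless(0, 16);
    ssize64_t good = write_careful(0, 16);

    printf("careless: %lld (error seen: %d)\n",
           (long long)bad, wrapper_sees_error(bad));
    printf("careful:  %lld (error seen: %d)\n",
           (long long)good, wrapper_sees_error(good));
    return 0;
}
```

A caller that only checks `ret < 0` accepts the careless value as a byte count of roughly 4 GiB, which is why the difference matters beyond the wrong errno.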
  4. @gregkh

    fuse: fix bad return value in fuse_file_poll()

    Miklos Szeredi authored gregkh committed
    commit 201fa69 upstream.
    
    Fix fuse_file_poll() which returned a -errno value instead of a poll
    mask.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @dwmw2 @gregkh

    Fix iommu address space allocation

    dwmw2 authored gregkh committed
    commit a15a519 upstream.
    
    This fixes kernel.org bug #13584. The IOVA code attempted to optimise
    the insertion of new ranges into the rbtree, with the unfortunate result
    that some ranges just didn't get inserted into the tree at all. Then
    those ranges would be handed out more than once, and things kind of go
    downhill from there.
    
    Introduced after 2.6.25 by ddf0288
    ("PCI: iova RB tree setup tweak").
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Cc: mark gross <mgross@linux.intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @dwmw2 @gregkh

    Fix pci_unmap_addr() et al on i386.

    dwmw2 authored gregkh committed
    commit 788d84b upstream.
    
    We can run a 32-bit kernel on boxes with an IOMMU, so we need
    pci_unmap_addr() etc. to work -- without it, drivers will leak mappings.
    
    To be honest, this whole thing looks like it's more pain than it's
    worth; I'm half inclined to remove the no-op #else case altogether.
    
    But this is the minimal fix, which just does the right thing if
    CONFIG_DMAR is set.
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @jirislaby @gregkh

    floppy: fix lock imbalance

    jirislaby authored gregkh committed
    commit 8516a50 upstream.
    
    A crappy macro prevents us unlocking on a fail path.
    
    Expand the macro and unlock appropriately.
    
    Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
    Cc: Jens Axboe <jens.axboe@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @ebiederm @gregkh

    Revert "ipv4: arp announce, arp_proxy and windows ip conflict verification"

    ebiederm authored gregkh committed
    
    commit f8a68e7 upstream.
    
    This reverts commit 73ce7b0.
    
    After discovering that we don't listen to gratuitous arps in 2.6.30
    I tracked the failure down to this commit.
    
    The patch makes absolutely no sense.  RFC2131, RFC3927 and RFC5227
    are all in agreement that an arp request with sip == 0 should be used
    for the probe (to prevent learning) and an arp request with sip == tip
    should be used for the gratuitous announcement that people can learn
    from.
    
    It appears the author of the broken patch got those two cases confused
    and modified the code to drop all gratuitous arp traffic.  Ouch!
    
    Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @neilbrown @gregkh

    md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes.

    neilbrown authored gregkh committed
    
    commit b8d966e upstream.
    
    If we try to modify one of the md/ sysfs files
      suspend_lo or suspend_hi
    when the array is not active, we dereference a NULL.
    Protect against that.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  10. @neilbrown @gregkh

    md: fix error path when duplicate name is found on md device creation.

    neilbrown authored gregkh committed
    commit 1ec22eb upstream.
    
    When an md device is created by name (rather than number) we need to
    check that the name is not already in use.  If this check finds a
    duplicate, we return an error without dropping the lock or freeing
    the newly created mddev.
    This patch fixes that.
    
    Found-by: Jiri Slaby <jirislaby@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @neilbrown @gregkh

    md/raid5: suspend shouldn't affect read requests.

    neilbrown authored gregkh committed
    commit a5c308d upstream.
    
    md allows write to regions on an array to be suspended temporarily.
    This allows user-space to participate in aspects of reshape.
    In particular, data can be copied with no risk of a race.
    We should not be blocking read requests though, so don't.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @neilbrown @gregkh

    block: Restore barrier support for md and probably other virtual devices.

    neilbrown authored gregkh committed
    
    commit db64f68 upstream.
    
    The next_ordered flag is only meaningful for devices that use __make_request.
    So move the test against next_ordered out of generic code and in to
    __make_request
    
    Since this test was added, barriers have not worked on md or any
    devices that don't use __make_request and so don't bother to set
    next_ordered.  (dm explicitly sets something other than
    QUEUE_ORDERED_NONE since
      commit 99360b4
    but notes in the comments that it is otherwise meaningless).
    
    Cc: Ken Milmore <ken.milmore@googlemail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @gregkh

    dma-debug: fix off-by-one error in overlap function

    Joerg Roedel authored gregkh committed
    commit c79ee4e upstream.
    
    This patch fixes a bug in the overlap function which returned true if
    one region ends exactly before the second region begins. This is no
    overlap but the function returned true in that case.
    
    Reported-by: Andrew Randrianasulu <randrik@mail.ru>
    Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  14. @gregkh

    alpha: fix percpu build breakage

    Tejun Heo authored gregkh committed
    commit b01e8dc upstream.
    
    alpha percpu access requires custom SHIFT_PERCPU_PTR() definition for
    modules to work around addressing range limitation.  This is done via
    generating inline assembly using C preprocessing which forces the
    assembler to generate external reference.  This happens behind the
    compiler's back and makes the compiler think that static percpu variables
    in modules are unused.
    
    This used to be worked around by using __unused attribute for percpu
    variables which prevent the compiler from omitting the variable; however,
    recent declare/definition attribute unification change broke this as
    __used can't be used for declaration.  Also, in the process,
    PER_CPU_ATTRIBUTES definition in alpha percpu.h got broken.
    
    This patch adds PER_CPU_DEF_ATTRIBUTES which is only used for definitions
    and makes alpha use it to add __used for percpu variables in modules.  This
    also fixes the PER_CPU_ATTRIBUTES double definition bug.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Tested-by: maximilian attems <max@stro.at>
    Acked-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Cc: Richard Henderson <rth@twiddle.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @zhang-rui @gregkh

    kernel/resource.c: fix sign extension in reserve_setup()

    zhang-rui authored gregkh committed
    commit 8bc1ad7 upstream.
    
    When the 32-bit signed quantities get assigned to the u64 resource_size_t,
    they are incorrectly sign-extended.
    
    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13253
    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9905
    
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Reported-by: Leann Ogasawara <leann@ubuntu.com>
    Cc: Pierre Ossman <drzeus@drzeus.cx>
    Reported-by: <pablomme@googlemail.com>
    Tested-by: <pablomme@googlemail.com>
    Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @gregkh

    futexes: Fix infinite loop in get_futex_key() on huge page

    Sonny Rao authored gregkh committed
    commit ce2ae53 upstream.
    
    get_futex_key() can infinitely loop if it is called on a
    virtual address that is within a huge page but not aligned to
    the beginning of that page.  The call to get_user_pages_fast
    will return the struct page for a sub-page within the huge page
    and the check for page->mapping will always fail.
    
    The fix is to call compound_head on the page before checking
    that it's mapped.
    
    Signed-off-by: Sonny Rao <sonnyrao@us.ibm.com>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: anton@samba.org
    Cc: rajamony@us.ibm.com
    Cc: speight@us.ibm.com
    Cc: mstephen@us.ibm.com
    Cc: grimm@us.ibm.com
    Cc: mikey@ozlabs.au.ibm.com
    LKML-Reference: <20090710231313.GA23572@us.ibm.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  17. @gregkh

    futex: Fix the write access fault problem for real

    Thomas Gleixner authored gregkh committed
    commit d072599 and aa71528 upstream
    
    commit 64d1304 (futex: setup writeable mapping for futex ops which
    modify user space data) did address only half of the problem of write
    access faults.
    
    The patch was made on two wrong assumptions:
    
    1) access_ok(VERIFY_WRITE,...) would actually check write access.
    
       On x86 it does _NOT_. It's a pure address range check.
    
    2) a RW mapped region can not go away under us.
    
       That's wrong as well. Nobody can prevent another thread to call
       mprotect(PROT_READ) on that region where the futex resides. If that
       call hits between the get_user_pages_fast() verification and the
       actual write access in the atomic region we are toast again.
    
    The solution is to not rely on access_ok and get_user() for any write
    access related fault on private and shared futexes. Instead we need to
    fault it in with verification of write access.
    
    There is no generic non destructive write mechanism which would fault
    the user page in through a #PF, but as we already know that we will
    fault we can as well call get_user_pages() directly and avoid the #PF
    overhead.
    
    If get_user_pages() returns -EFAULT we know that we can not fix it
    anymore and need to bail out to user space.
    
    Remove a bunch of confusing comments on this issue as well.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @vapier @gregkh

    Blackfin: fix command line corruption with DEBUG_DOUBLEFAULT

    vapier authored gregkh committed
    commit 3708251 upstream.
    
    Commit 6b3087c (which introduced Blackfin SMP) broke command line passing
    when the DEBUG_DOUBLEFAULT config option was enabled.  Switch the code to
    using a scratch register and not R7 which holds the command line.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  19. @sonicz @gregkh

    Blackfin: fix deadlock in SMP IPI handler

    sonicz authored gregkh committed
    commit 86f2008 upstream.
    
    When a low priority interrupt (like ethernet) is triggered between 2 high
    priority IPI messages, a deadlock in disable_irq() is hit by the second
    IPI handler.  This is because the second IPI message is queued within the
    first IPI handler, but the handler doesn't process all messages, and new
    ones are inserted rather than appended.  So now we process all the pending
    messages, and append new ones to the pending list.
    
    URL: http://blackfin.uclinux.org/gf/tracker/5226
    
    Signed-off-by: Sonic Zhang <sonic.zhang@analog.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @vapier @gregkh

    Blackfin: redo handling of bad irqs

    vapier authored gregkh committed
    commit 2657921 upstream.
    
    With the common IRQ code initializing much more of the irq_desc state, we
    can't blindly initialize it ourselves to the local bad_irq state.  If we
    do, we end up wrongly clobbering many fields.  So punt most of the bad irq
    code as the common layers will handle the default state, and simply call
    handle_bad_irq() directly when the IRQ we are processing is invalid.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @sonicz @gregkh

    Blackfin: fix accidental reset in some boot modes

    sonicz authored gregkh committed
    commit 0de4adf upstream.
    
    We read the SWRST (Software Reset) register to get at the last reset
    state, and then we may configure the DOUBLE_FAULT bit to control behavior
    when a double fault occurs.  But if the lower bits of the register are
    already set (like UART boot mode on a BF54x), we inadvertently make the
    system reset by writing to the SYSTEM_RESET field at the same time.  So
    make sure the lower 4 bits are always cleared.
    
    Signed-off-by: Sonic Zhang <sonic.zhang@analog.com>
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @gregkh

    personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

    Julien Tinnes authored gregkh committed
    commit f9fabcb upstream.
    
    We have found that the current PER_CLEAR_ON_SETID mask on Linux includes
    neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO.
    
    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
    
    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:
    
     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.
    
    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on x86 32bits it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).
    
    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @gregkh

    tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)

    Mariusz Kozlowski authored gregkh committed
    
    commit 3c8a9c6 upstream.
    
    Fix NULL pointer dereference in tun_chr_poll() introduced by commit
    33dccbb ("tun: Limit amount of queued
    packets per device") and triggered by this code:
    
    	int fd;
    	struct pollfd pfd;
    	fd = open("/dev/net/tun", O_RDWR);
    	pfd.fd = fd;
    	pfd.events = POLLIN | POLLOUT;
    	poll(&pfd, 1, 0);
    
    Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
    Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @gregkh

    security: use mmap_min_addr independently of security models

    Christoph Lameter authored gregkh committed
    commit e0a94c2 upstream.
    
    This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
    It also sets a default mmap_min_addr of 4096.
    
    mmapping of addresses below 4096 will only be possible for processes
    with CAP_SYS_RAWIO.
    
    Signed-off-by: Christoph Lameter <cl@linux-foundation.org>
    Acked-by: Eric Paris <eparis@redhat.com>
    Looks-ok-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  25. @gregkh

    Add '-fno-delete-null-pointer-checks' to gcc CFLAGS

    Eugene Teo authored gregkh committed
    commit a3ca86a upstream.
    
    Turning on this flag could prevent the compiler from optimising away
    some "useless" checks for null pointers.  Such bugs can sometimes become
    exploitable at compile time because of the -O2 optimisation.
    
    See http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Optimize-Options.html
    
    An example that clearly shows this 'problem' is commit 6bf6767.
    
     static void __devexit agnx_pci_remove(struct pci_dev *pdev)
     {
         struct ieee80211_hw *dev = pci_get_drvdata(pdev);
    -    struct agnx_priv *priv = dev->priv;
    +    struct agnx_priv *priv;
         AGNX_TRACE;
    
         if (!dev)
             return;
    +    priv = dev->priv;
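
    Review bot: nothing at the `if (!dev)` check records why the `priv = dev->priv;` assignment has to stay below it, so a later cleanup could fold the assignment back into the declaration and reintroduce the dereference-before-check. A one-line comment at the check saying that `dev` may be NULL here and must not be dereferenced earlier would document the ordering. Between the declaration and the assignment `priv` is uninitialised, and the visible lines only show `AGNX_TRACE` and the early return in that window, so confirm the macro does not read it.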
    
    By reverting this patch, and compile it with and without
    -fno-delete-null-pointer-checks flag, we can see that the check for dev
    is compiled away.
    
        call    printk  #
    -   testq   %r12, %r12  # dev
    -   je  .L94    #,
        movq    %r12, %rdi  # dev,
    
    Clearly the 'fix' is to stop using dev before it is tested, but building
    with -fno-delete-null-pointer-checks flag at least makes it harder to
    abuse.
    
    Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
    Acked-by: Eric Paris <eparis@redhat.com>
    Acked-by: Wang Cong <amwang@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Jul 2, 2009
  1. @gregkh

    Linux 2.6.30.1

    gregkh authored
  2. @gregkh

    bsdacct: fix access to invalid filp in acct_on()

    Renaud Lottiaux authored gregkh committed
    commit df279ca upstream.
    
    The file opened in acct_on and freshly stored in the ns->bacct struct can
    be closed in acct_file_reopen by a concurrent call after we release
    acct_lock and before we call mntput(file->f_path.mnt).
    
    Record file->f_path.mnt in a local variable and use this variable only.
    
    Signed-off-by: Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
    Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @gregkh

    xfs: fix freeing memory in xfs_getbmap()

    Felix Blyakher authored gregkh committed
    commit 7747a0b upstream.
    
    Regression from commit 28e2117.
    Need to free temporary buffer allocated in xfs_getbmap().
    
    Signed-off-by: Felix Blyakher <felixb@sgi.com>
    Signed-off-by: Hedi Berriche <hedi@sgi.com>
    Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com>
    Reviewed-by: Eric Sandeen <sandeen@sandeen.net>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  4. @gregkh

    KVM: x86: silence preempt warning on kvm_write_guest_time

    Matt T. Yourst authored gregkh committed
    commit 2dea4c8 upstream.
    
    This issue just appeared in kvm-84 when running on 2.6.28.7 (x86-64)
    with PREEMPT enabled.
    
    We're getting syslog warnings like this many (but not all) times qemu
    tells KVM to run the VCPU:
    
    BUG: using smp_processor_id() in preemptible [00000000] code:
    qemu-system-x86/28938
    caller is kvm_arch_vcpu_ioctl_run+0x5d1/0xc70 [kvm]
    Pid: 28938, comm: qemu-system-x86 2.6.28.7-mtyrel-64bit
    Call Trace:
    debug_smp_processor_id+0xf7/0x100
    kvm_arch_vcpu_ioctl_run+0x5d1/0xc70 [kvm]
    ? __wake_up+0x4e/0x70
    ? wake_futex+0x27/0x40
    kvm_vcpu_ioctl+0x2e9/0x5a0 [kvm]
    enqueue_hrtimer+0x8a/0x110
    _spin_unlock_irqrestore+0x27/0x50
    vfs_ioctl+0x31/0xa0
    do_vfs_ioctl+0x74/0x480
    sys_futex+0xb4/0x140
    sys_ioctl+0x99/0xa0
    system_call_fastpath+0x16/0x1b
    
    As it turns out, the call trace is messed up due to gcc's inlining, but
    I isolated the problem anyway: kvm_write_guest_time() is being used in a
    non-thread-safe manner on preemptable kernels.
    
    Basically kvm_write_guest_time()'s body needs to be surrounded by
    preempt_disable() and preempt_enable(), since the kernel won't let us
    query any per-CPU data (indirectly using smp_processor_id()) without
    preemption disabled. The attached patch fixes this issue by disabling
    preemption inside kvm_write_guest_time().
    
    [marcelo: surround only __get_cpu_var calls since the warning
    is harmless]
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @gregkh

    drm/i915: correct suspend/resume ordering

    Jesse Barnes authored gregkh committed
    commit 9e06dd3 upstream.
    
    We need to save register state *after* idling GEM, clearing the ring,
    and uninstalling the IRQ handler, or we might end up saving bogus
    fence regs, for one.  Our restore ordering should already be correct,
    since we do GEM, ring and IRQ init after restoring the last register
    state, which prevents us from clobbering things.
    
    I put this together to potentially address a bug, but I haven't heard
    back if it fixes it yet.  However I think it stands on its own, so I'm
    sending it in.
    
    Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Eric Anholt <eric@anholt.net>
    Cc: Jie Luo <clotho67@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    ide-cd: prevent null pointer deref via cdrom_newpc_intr

    Rainer Weikusat authored gregkh committed
    commit 39c58f3 upstream.
    
    With 2.6.30, the error handling code in cdrom_newpc_intr was changed
    to deal with partial request failures by normally completing the 'good'
    parts of a request and only 'error' the last (and presumably,
    incompletely transferred) bio associated with a particular
    request. In order to do this, ide_complete_rq is called over
    ide_cd_error_cmd() to partially complete the rq. The block layer
    does partial completion only for requests with bio's and if the
    rq doesn't have one (eg 'GPCMD_READ_DISC_INFO') the request is
    completed as a whole and the drive->hwif->rq pointer set to NULL
    afterwards. When calling ide_complete_rq again to report
    the error, this null pointer is dereferenced, resulting in a kernel
    crash.
    
    This fixes http://bugzilla.kernel.org/show_bug.cgi?id=13399.
    
    Signed-off-by: Rainer Weikusat <rweikusat@mssgmbh.com>
    Signed-off-by: Borislav Petkov <petkovbb@gmail.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @gregkh

    ocfs2: Fix ocfs2_osb_dump()

    Sunil Mushran authored gregkh committed
    commit c3d3884 upstream.
    
    Skip printing information that is not valid for local mounts.
    
    Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com>
    Signed-off-by: Joel Becker <joel.becker@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @vapier @gregkh

    serial: bfin_5xx: fix building as module when early printk is enabled

    vapier authored gregkh committed
    commit 607c268 upstream.
    
    Since early printk only makes sense/works when the serial driver is built
    into the kernel, disable the option for this driver when it is going to be
    built as a module.  Otherwise we get build failures due to the ifdef
    handling.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>