commit 04739ab606d5cd9dfa8e96eeea274bf62f40c328 Author: Greg Kroah-Hartman Date: Mon Feb 2 09:10:35 2009 -0800 Linux 2.6.27.14 commit 4fd5fccf67fb4944df10ddec1975dbfed38fd0d6 Author: Jiri Slaby Date: Sat Jan 17 12:04:36 2009 +0100 relay: fix lock imbalance in relay_late_setup_files commit b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 upstream. One fail path in relay_late_setup_files() omits mutex_unlock(&relay_channels_mutex); Add it. Signed-off-by: Jiri Slaby Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ae934bc9b4f3b49fc83617792cce6ca938e3fbd0 Author: Jiri Slaby Date: Sat Jan 17 16:23:55 2009 +0100 PCI hotplug: fix lock imbalance in pciehp commit c2fdd36b550659f5ac2240d1f5a83ffa1a092289 upstream. set_lock_status omits mutex_unlock in fail path. Add the omitted unlock. As a result a lockup caused by this can be triggered from userspace by writing 1 to /sys/bus/pci/slots/.../lock often enough. Signed-off-by: Jiri Slaby Reviewed-by: Kenji Kaneshige Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 74ecc88002472e3a880e3fe346d24eb9276eb2dc Author: Larry Finger Date: Tue Jan 27 12:31:23 2009 -0600 rtl8187: Fix error in setting OFDM power settings for RTL8187L commit eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a upstream. After reports of poor performance, a review of the latest vendor driver (rtl8187_linux_26.1025.0328.2007) for RTL8187L devices was undertaken. A difference was found in the code used to index the OFDM power tables. When the Linux driver was changed, my unit works at a much greater range than before. I think this fixes Bugzilla #12380 and has been tested by at least two other users. Signed-off-by: Larry Finger Tested-by: Martín Ernesto Barreyro Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b421b4088f340ef9a3c1f083d432f942f1620614 Author: Clemens Ladisch Date: Thu Jan 15 10:21:23 2009 +0100 sound: virtuoso: do not overwrite EEPROM on Xonar D2/D2X commit 7e86c0e6850504ec9516b953f316a47277825e33 upstream. On the Asus Xonar D2 and D2X models, the SPI chip select signal for the fourth DAC shares its pin with the serial clock for the EEPROM that contains the PCI subdevice ID values. It appears that when DAC registers are written and some other unknown conditions occur (probably noise on the EEPROM's chip select line), the EEPROM gets overwritten with garbage, which makes it impossible to properly detect the card later. Therefore, we better avoid DAC register writes and make sure that the driver works with the DAC's registers' default values. Consequently, the sample format is now I2S instead of left-justified (no user-visible change), and the DAC's volume/mute registers cannot be used anymore (volume changes are now done by the software volume plugin). Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a0d7c5fa0846e922f379189812ceae2f75fce356 Author: Robin Holt Date: Thu Jan 29 14:25:07 2009 -0800 sgi-xpc: Remove NULL pointer dereference. commit 17e2161654da4e6bdfd8d53d4f52e820ee93f423 upstream. If the bte copy fails, the attempt to retrieve payloads merely returns a null pointer deref and not NULL as was expected. Signed-off-by: Robin Holt Signed-off-by: Dean Nelson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b706840821ea31290cdb235534578aed02e83330 Author: Robin Holt Date: Thu Jan 29 14:25:06 2009 -0800 sgi-xpc: ensure flags are updated before bte_copy commit 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 upstream. The clearing of the msg->flags needs a barrier between it and the notify of the channel threads that the messages are cleaned and ready for use. Signed-off-by: Robin Holt Signed-off-by: Dean Nelson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5f1681ab9d073dd4810e89e547abedc8ccb2f143 Author: Boaz Harrosh Date: Mon Jan 19 10:37:38 2009 +0100 include/linux: Add bsg.h to the Kernel exported headers commit a229fc61ef0ee3c30fd193beee0eeb87410227f1 upstream. bsg.h in current form is perfectly suitable for user-mode consumption. It is needed together with scsi/sg.h for applications that want to interface with the bsg driver. Currently the few projects that use it would copy it over into the projects. But that is not acceptable for projects that need to provide source and devel packages for distros. This should also be submitted to stable 2.6.28 and 2.6.27 since bsg had a stable API since these Kernels and distro users will need the header for these kernels a swell Signed-off-by: Boaz Harrosh Acked-by: FUJITA Tomonori Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 6d3910dec56c78543e35550fad433366047e6878 Author: Theodore Ts'o Date: Fri Jan 16 11:13:47 2009 -0500 ext3: Add sanity check to make_indexed_dir commit a21102b55c4f8dfd3adb4a15a34cd62237b46039 upstream. Make sure the rec_len field in the '..' entry is sane, lest we overrun the directory block and cause a kernel oops on a purposefully corrupted filesystem. This fixes a bug related to a bug originally reported by Sami Liedes for ext4 at: http://bugzilla.kernel.org/show_bug.cgi?id=12430 Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit a0aec447b8076f10f0f46433f20ad3fa32e2c500 Author: Davide Libenzi Date: Thu Jan 29 14:25:26 2009 -0800 epoll: drop max_user_instances and rely only on max_user_watches commit 9df04e1f25effde823a600e755b51475d438f56b upstream. Linus suggested to put limits where the money is, and max_user_watches already does that w/out the need of max_user_instances. That has the advantage to mitigate the potential DoS while allowing pretty generous default behavior. Allowing top 4% of low memory (per user) to be allocated in epoll watches, we have: LOMEM MAX_WATCHES (per user) 512MB ~178000 1GB ~356000 2GB ~712000 A box with 512MB of lomem, will meet some challenge in hitting 180K watches, socket buffers math teaches us. No more max_user_instances limits then. Signed-off-by: Davide Libenzi Cc: Willy Tarreau Cc: Michael Kerrisk Cc: Bron Gondwana Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f2c89cc2a9827679bfa950a14875661e26d9e492 Author: Jarod Wilson Date: Thu Jan 22 19:58:15 2009 +1100 crypto: ccm - Fix handling of null assoc data commit 516280e735b034216de97eb7ba080ec6acbfc58f upstream. Its a valid use case to have null associated data in a ccm vector, but this case isn't being handled properly right now. The following ccm decryption/verification test vector, using the rfc4309 implementation regularly triggers a panic, as will any other vector with null assoc data: * key: ab2f8a74b71cd2b1ff802e487d82f8b9 * iv: c6fb7d800d13abd8a6b2d8 * Associated Data: [NULL] * Tag Length: 8 * input: d5e8939fc7892e2b The resulting panic looks like so: Unable to handle kernel paging request at ffff810064ddaec0 RIP: [] :ccm:get_data_to_compute+0x1a6/0x1d6 PGD 8063 PUD 0 Oops: 0002 [1] SMP last sysfs file: /module/libata/version CPU 0 Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_ tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h cd ohci_hcd ehci_hcd Pid: 12844, comm: crypto-tester Tainted: G 2.6.18-128.el5.fips1 #1 RIP: 0010:[] [] :ccm:get_data_to_compute+0x1a6/0x1d6 RSP: 0018:ffff8100134434e8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10 RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0 RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000 R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858 R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000 FS: 00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0 Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860) Stack: ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000 0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858 0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634 Call Trace: [] :ccm:crypto_ccm_auth+0x12d/0x140 [] :ccm:crypto_ccm_decrypt+0x161/0x23a [] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559 [...] The above is from a RHEL5-based kernel, but upstream is susceptible too. The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains whatever was in memory when pctx was allocated if assoclen is 0. The tested fix is to simply add an else clause setting pctx->ilen to 0 for the assoclen == 0 case, so that get_data_to_compute() doesn't try doing things its not supposed to. Signed-off-by: Jarod Wilson Acked-by: Neil Horman Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d493ba54d96d117fb3dff027141444584f852054 Author: Herbert Xu Date: Tue Jan 13 11:26:18 2009 +1100 crypto: authenc - Fix zero-length IV crash commit 29b37f42127f7da511560a40ea74f5047da40c13 upstream. As it is if an algorithm with a zero-length IV is used (e.g., NULL encryption) with authenc, authenc may generate an SG entry of length zero, which will trigger a BUG check in the hash layer. This patch fixes it by skipping the IV SG generation if the IV size is zero. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit e230bf234f40f493a284c4dbcec0b331529b609f Author: Eilon Greenstein Date: Wed Jan 14 06:44:07 2009 +0000 bnx2x: Block nvram access when the device is inactive commit 2add3acb11a26cc14b54669433ae6ace6406cbf2 upstream. Don't dump eeprom when bnx2x adapter is down. Running ethtool -e causes an eeh without it when the device is down Signed-off-by: Paul Larson Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2081e491dd998c75a206f8a8a75df586197aace9 Author: Takashi Iwai Date: Fri Jan 23 11:55:42 2009 +0100 ALSA: hda - Fix PCM reference NID for STAC/IDT analog outputs commit 00a602db1ce9d61319d6f769dee206ec85f19bda upstream. The reference NID for the analog outputs of STAC/IDT codecs is set to a fixed number 0x02. But this isn't always correct and in many codecs it points to a non-existing NID. This patch fixes the initialization of the PCM reference NID taken from the actually probed DAC list. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 01ae8169836a9041d2d7f15d758ed6c3f96fc185 Author: Joerg Schirottke Date: Tue Jan 27 11:01:34 2009 +0100 ALSA: hda - Add quirk for HP DV6700 laptop commit aa9d823bb347fb66cb07f98c686be8bb85cb6a74 upstream. Added the matching model=laptop for HP DV6700 laptop. Signed-off-by: Joerg Schirottke Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d12819f75ef7a8c651961b51c0b29e1b8c0d5488 Author: Luke Yelavich Date: Wed Jan 28 15:58:38 2009 +1100 ALSA: hda - add another MacBook Pro 4, 1 subsystem ID commit 2a88464ceb1bda2571f88902fd8068a6168e3f7b upstream. Add another MacBook Pro 4,1 SSID (106b:3800). It seems that latter revisions, (at least mine), have different IDs to earlier revisions. Signed-off-by: Luke Yelavich Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f2bb7df9a905d90d0b725c7aca3813f190a0b734 Author: Pete Zaitcev Date: Sat Dec 20 12:56:08 2008 -0700 USB: usbmon: Implement compat_ioctl commit 7abce6bedc118eb39fe177c2c26be5d008505c14 upstream. Running a 32-bit usbmon(8) on 2.6.28-rc9 produces the following: ioctl32(usbmon:28563): Unknown cmd fd(3) cmd(400c9206){t:ffffff92;sz:12} arg(ffd3f458) on /dev/usbmon0 It happens because the compatibility mode was implemented for 2.6.18 and not updated for the fsops.compat_ioctl API. This patch relocates the pieces from under #ifdef CONFIG_COMPAT into compat_ioctl with no other changes except one new whitespace. Signed-off-by: Pete Zaitcev Signed-off-by: Greg Kroah-Hartman commit cebba0f34cf88a239df6d9e601bf26a39796b041 Author: Oliver Neukum Date: Wed Jan 14 16:17:19 2009 +0100 USB: storage: add unusual devs entry commit b90de8aea36ae6fe8050a6e91b031369c4f251b2 upstream. This adds an unusual devs entry for 2116:0320 Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit bb74fdbb0c7138a397b58141791eae4b2e7e4cfe Author: Alan Stern Date: Tue Jan 13 11:33:42 2009 -0500 USB: fix char-device disconnect handling commit 501950d846218ed80a776d2aae5aed9c8b92e778 upstream. This patch (as1198) fixes a conceptual bug: Somewhere along the line we managed to confuse USB class devices with USB char devices. As a result, the code to send a disconnect signal to userspace would not be built if both CONFIG_USB_DEVICE_CLASS and CONFIG_USB_DEVICEFS were disabled. The usb_fs_classdev_common_remove() routine has been renamed to usbdev_remove() and it is now called whenever any USB device is removed, not just when a class device is unregistered. The notifier registration and unregistration calls are no longer conditionally compiled. And since the common removal code will always be called as part of the char device interface, there's no need to call it again as part of the usbfs interface; thus the invocation of usb_fs_classdev_common_remove() has been taken out of usbfs_remove_device(). Signed-off-by: Alan Stern Reported-by: Alon Bar-Lev Tested-by: Alon Bar-Lev Signed-off-by: Greg Kroah-Hartman commit 010703af998cf0c3927cb587d88641ed5a3ef358 Author: Trond Myklebust Date: Fri Oct 3 16:48:34 2008 -0400 SUNRPC: Fix autobind on cloned rpc clients commit 9a4bd29fe8f6d3f015fe1c8e5450eb62cfebfcc9 upstream. Despite the fact that cloned rpc clients won't have the cl_autobind flag set, they may still find themselves calling rpcb_getport_async(). For this to happen, it suffices for a _parent_ rpc_clnt to use autobinding, in which case any clone may find itself triggering the !xprt_bound() case in call_bind(). The correct fix for this is to walk back up the tree of cloned rpc clients, in order to find the parent that 'owns' the transport, either because it has clnt->cl_autobind set, or because it originally created the transport... Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit bdd35ffe1d8b1a4197dd459eef653028bf521327 Author: Trond Myklebust Date: Fri Oct 3 16:48:40 2008 -0400 SUNRPC: Fix a memory leak in rpcb_getport_async commit 96165e2b7c4e2c82a0b60c766d4a2036444c21a0 upstream. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 7c9356ec88d04245a62028f7c8ddfa8608fb8e4a Author: Flavio Leitner Date: Fri Jan 2 13:50:43 2009 +0000 serial_8250: support for Sealevel Systems Model 7803 COMM+8 commit e65f0f8271b1b0452334e5da37fd35413a000de4 upstream. Add support for Sealevel Systems Model 7803 COMM+8 Signed-off-by: Flavio Leitner Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b98b56e302366e2a84c09812a67ca30eacb9792d Author: Larry Finger Date: Fri Jan 23 11:46:32 2009 -0600 rtl8187: Add termination packet to prevent stall commit 2fcbab044a3faf4d4a6e269148dd1f188303b206 upstream. The RTL8187 and RTL8187B devices can stall unless an explicit termination packet is sent. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 1f57f8e071a434dc65eb5692e92abd21b69a8356 Author: JosephChan@via.com.tw Date: Fri Jan 23 15:37:39 2009 +0800 libata: pata_via: support VX855, future chips whose IDE controller use 0x0571 commit e4d866cdea24543ee16ce6d07d80c513e86ba983 upstream. It supports VX855 and future chips whose IDE controller uses PCI ID 0x0571. Signed-off-by: Joseph Chan Acked-by: Tejun Heo Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 5ea2e1cc0b50f5d386ceeb30ffffea50e144e88c Author: Brandon Philips Date: Wed Jan 14 19:19:02 2009 +0100 it821x: Add ultra_mask quirk for Vortex86SX commit b94b898f3107046b5c97c556e23529283ea5eadd upstream. On Vortex86SX with IDE controller revision 0x11 ultra DMA must be disabled. This patch was tested by DMP and seems to work. It is a cleaned up version of their older Kernel patch: http://www.dmp.com.tw/tech/vortex86sx/patch-2.6.24-DMP.gz Tested-by: Shawn Lin Signed-off-by: Brandon Philips Cc: Alan Cox Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit 1de15f4a49afd35f51a32c691413d26569cb7e1f Author: Ivan Kokshaysky Date: Thu Jan 15 13:51:17 2009 -0800 alpha: nautilus - fix compile failure with gcc-4.3 commit 70b66cbfd3316b792a855cb9a2574e85f1a63d0f upstream. init_srm_irq() deals with irq's #16 and above, but size of irq_desc array on nautilus and some other system types is 16. So gcc-4.3 complains that "array subscript is above array bounds", even though this function is never called on those systems. This adds a check for NR_IRQS <= 16, which effectively optimizes init_srm_irq() code away on problematic platforms. Thanks to Daniel Drake for detailed analysis of the problem. Signed-off-by: Ivan Kokshaysky Cc: Richard Henderson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Tobias Klausmann Signed-off-by: Greg Kroah-Hartman commit 8ca2918f99b5861359de1805f27b08023c82abd2 Author: Peter Zijlstra Date: Fri Jan 23 17:37:49 2009 +0100 x86, mm: fix pte_free() commit 42ef73fe134732b2e91c0326df5fd568da17c4b2 upstream. On -rt we were seeing spurious bad page states like: Bad page state in process 'firefox' page:c1bc2380 flags:0x40000000 mapping:c1bc2390 mapcount:0 count:0 Trying to fix it up, but a reboot is needed Backtrace: Pid: 503, comm: firefox Not tainted 2.6.26.8-rt13 #3 [] ? printk+0x14/0x19 [] bad_page+0x4e/0x79 [] free_hot_cold_page+0x5b/0x1d3 [] free_hot_page+0xf/0x11 [] __free_pages+0x20/0x2b [] __pte_alloc+0x87/0x91 [] handle_mm_fault+0xe4/0x733 [] ? rt_mutex_down_read_trylock+0x57/0x63 [] ? rt_mutex_down_read_trylock+0x57/0x63 [] do_page_fault+0x36f/0x88a This is the case where a concurrent fault already installed the PTE and we get to free the newly allocated one. This is due to pgtable_page_ctor() doing the spin_lock_init(&page->ptl) which is overlaid with the {private, mapping} struct. union { struct { unsigned long private; struct address_space *mapping; }; spinlock_t ptl; struct kmem_cache *slab; struct page *first_page; }; Normally the spinlock is small enough to not stomp on page->mapping, but PREEMPT_RT=y has huge 'spin'locks. But lockdep kernels should also be able to trigger this splat, as the lock tracking code grows the spinlock to cover page->mapping. The obvious fix is calling pgtable_page_dtor() like the regular pte free path __pte_free_tlb() does. It seems all architectures except x86 and nm10300 already do this, and nm10300 doesn't seem to use pgtable_page_ctor(), which suggests it doesn't do SMP or simply doesnt do MMU at all or something. Signed-off-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2085509e2715178a54cf23dc63f87cb2c58f3bf4 Author: Greg Kroah-Hartman Date: Tue Jan 20 15:51:16 2009 -0800 sysfs: fix problems with binary files commit 4503efd0891c40e30928afb4b23dc3f99c62a6b2 upstream. Some sysfs binary files don't like having 0 passed to them as a size. Fix this up at the root by just returning to the vfs if userspace asks us for a zero sized buffer. Thanks to Pavel Roskin for pointing this out. Reported-by: Pavel Roskin Signed-off-by: Greg Kroah-Hartman commit 803f9eb9987e92e1b4c382c33892ec623d821d1d Author: Brian Cavagnolo Date: Fri Jan 16 19:04:49 2009 -0800 mac80211: decrement ref count to netdev after launching mesh discovery commit 5dc306f3bd1d4cfdf79df39221b3036eab1ddcf3 upstream. After launching mesh discovery in tx path, reference count was not being decremented. This was preventing module unload. Signed-off-by: Brian Cavagnolo Signed-off-by: Andrey Yurovsky Acked-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 8682f8563f4e2160845779237ee5762fa37a4c4e Author: Vegard Nossum Date: Thu Jan 22 15:29:45 2009 +0100 inotify: clean up inotify_read and fix locking problems commit 3632dee2f8b8a9720329f29eeaa4ec4669a3aff8 upstream. If userspace supplies an invalid pointer to a read() of an inotify instance, the inotify device's event list mutex is unlocked twice. This causes an unbalance which effectively leaves the data structure unprotected, and we can trigger oopses by accessing the inotify instance from different tasks concurrently. The best fix (contributed largely by Linus) is a total rewrite of the function in question: On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote: > The thing to notice is that: > > - locking is done in just one place, and there is no question about it > not having an unlock. > > - that whole double-while(1)-loop thing is gone. > > - use multiple functions to make nesting and error handling sane > > - do error testing after doing the things you always need to do, ie do > this: > > mutex_lock(..) > ret = function_call(); > mutex_unlock(..) > > .. test ret here .. > > instead of doing conditional exits with unlocking or freeing. > > So if the code is written in this way, it may still be buggy, but at least > it's not buggy because of subtle "forgot to unlock" or "forgot to free" > issues. > > This _always_ unlocks if it locked, and it always frees if it got a > non-error kevent. Cc: John McCutchan Cc: Robert Love Signed-off-by: Vegard Nossum Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 225b478c54c8774a9a987753702260e323a79c97 Author: Dan Carpenter Date: Mon Jan 26 15:00:58 2009 +0100 fuse: fix NULL deref in fuse_file_alloc() commit bb875b38dc5e343bdb696b2eab8233e4d195e208 upstream. ff is set to NULL and then dereferenced on line 65. Compile tested only. Signed-off-by: Dan Carpenter Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit fa4da45cb75a9abc5356ca822368f405698b3d24 Author: Miklos Szeredi Date: Mon Jan 26 15:00:58 2009 +0100 fuse: fix missing fput on error commit 3ddf1e7f57237ac7c5d5bfb7058f1ea4f970b661 upstream. Fix the leaking file reference if allocation or initialization of fuse_conn failed. Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 438095bc881d76bdfd2e6a2c7d1303622461f4b8 Author: Miklos Szeredi Date: Mon Jan 26 15:00:59 2009 +0100 fuse: destroy bdi on umount commit 26c3679101dbccc054dcf370143941844ba70531 upstream. If a fuse filesystem is unmounted but the device file descriptor remains open and a new mount reuses the old device number, then the mount fails with EEXIST and the following warning is printed in the kernel log: WARNING: at fs/sysfs/dir.c:462 sysfs_add_one+0x35/0x3d() sysfs: duplicate filename '0:15' can not be created The cause is that the bdi belonging to the fuse filesystem was destoryed only after the device file was released. Fix this by calling bdi_destroy() from fuse_put_super() instead. Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman