commit 5861c853a3f529b9c6a338dd7c4a7afec397ea7a
Author: Greg Kroah-Hartman
Date:   Sat May 2 11:54:43 2009 -0700

    Linux 2.6.28.10

commit e0021955d0511e0f3ed867d5dcc7e6c3aefe7371
Author: Eugene Teo
Date:   Mon Apr 13 10:04:41 2009 +0800

    unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)

    Not upstream in 2.6.30, as the function was removed there, making this a non-issue.

    Node and port send checks can skip in the compat_net=1 case. This bug was introduced in commit effad8d.

    Signed-off-by: Eugene Teo
    Reported-by: Dan Carpenter
    Acked-by: James Morris
    Acked-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 9817e237916af43481820974759da79df7487c6f
Author: Henrique de Moraes Holschuh
Date:   Tue Apr 14 02:44:11 2009 +0000

    thinkpad-acpi: fix LED blinking through timer trigger

    commit 75bd3bf2ade9d548be0d2bde60b5ee0fdce0b127 upstream.

    The set_blink hook code in the LED subdriver would never manage to get a LED to blink, and instead it would just turn it on. The consequence of this is that the "timer" trigger would not cause the LED to blink if given default parameters.

    This problem exists since 2.6.26-rc1.

    To fix it, switch the deferred LED work handling to use the thinkpad-acpi-specific LED status (off/on/blink) directly. This also makes the code easier to read, and to extend later.

    Signed-off-by: Henrique de Moraes Holschuh
    Cc: stable@kernel.org
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 8967d37deb2ce9a2e5d0685680e6ea8eea85deb3
Author: Michael Buesch
Date:   Mon Apr 6 09:52:27 2009 +0000

    b44: Use kernel DMA addresses for the kernel DMA API

    commit 37efa239901493694a48f1d6f59f8de17c2c4509 upstream.

    We must not use the device DMA addresses for the kernel DMA API, because device DMA addresses have an additional offset added for the SSB translation. Use the original dma_addr_t for the sync operation.

    Cc: stable@kernel.org
    Signed-off-by: Michael Buesch
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit eab3d542839412d2e7fa712d0dfcc1b90f2755ed
Author: Oleg Nesterov
Date:   Mon Apr 6 16:16:02 2009 +0200

    exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)

    CVE-2009-1337

    commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream.

    The CAP_KILL check in exit_notify() looks just wrong, kill it.

    Whatever logic we have to reset ->exit_signal, the malicious user can bypass it if it execs the setuid application before exiting.

    Signed-off-by: Oleg Nesterov
    Acked-by: Serge Hallyn
    Acked-by: Roland McGrath
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 1151ad37983dbd4aa58ebec866042ae762fdc83b
Author: Yu Zhao
Date:   Wed Feb 25 13:15:52 2009 +0800

    PCI: fix incorrect mask of PM No_Soft_Reset bit

    commit 998dd7c719f62dcfa91d7bf7f4eb9c160e03d817 upstream.

    Reviewed-by: Matthew Wilcox
    Signed-off-by: Yu Zhao
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 82a8becb9c2c52fc5e67057a43aeded1f0731e7b
Author: Christian Hohnstaedt
Date:   Fri Mar 27 15:09:05 2009 +0800

    crypto: ixp4xx - Fix handling of chained sg buffers

    commit 0d44dc59b2b434b29aafeae581d06f81efac7c83 upstream.

    - keep dma functions away from chained scatterlists. Use the existing scatterlist iteration inside the driver to call dma_map_single() for each chunk and avoid dma_map_sg().

    Signed-off-by: Christian Hohnstaedt
    Tested-By: Karl Hiramoto
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 358c4bcd8b00452f7e38550cee5ee4fddbca2dfb
Author: Miklos Szeredi
Date:   Mon Mar 23 16:07:24 2009 +0100

    fix ptrace slowness

    commit 53da1d9456fe7f87a920a78fdbdcf1225d197cb7 upstream.

    This patch fixes bug #12208:

      Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=12208
      Subject   : uml is very slow on 2.6.28 host

    This turned out to be not a scheduler regression, but an already existing problem in ptrace being triggered by subtle scheduler changes.

    The problem is this:

     - task A is ptracing task B
     - task B stops on a trace event
     - task A is woken up and preempts task B
     - task A calls ptrace on task B, which does ptrace_check_attach()
     - this calls wait_task_inactive(), which sees that task B is still on the runq
     - task A goes to sleep for a jiffy
     - ...

    Since UML does lots of the above sequences, those jiffies quickly add up to make it slow as hell.

    This patch solves this by not rescheduling in read_unlock() after ptrace_stop() has woken up the tracer.

    Thanks to Oleg Nesterov and Ingo Molnar for the feedback.

    Signed-off-by: Miklos Szeredi
    CC: stable@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e179e9a870e62094d238e826fa37ca9c8d27f9eb
Author: Hugh Dickins
Date:   Sat Apr 25 17:52:56 2009 +0100

    fs core fixes

    Please add the following 4 commits to 2.6.27-stable and 2.6.28-stable. However, there has been a lot of change here between 2.6.28 and 2.6.29: in particular, fs/exec.c's unsafe_exec() grew into the more complicated check_unsafe_exec(). So applying the original patches gives too many rejects: at the bottom is the diffstat and the combined patch required.

    1 Commit: 53e9309e01277ec99c38e84e0ca16921287cf470
      Author: Hugh Dickins
      Date: Sat, 28 Mar 2009 23:16:03 +0000 (+0000)
      Subject: compat_do_execve should unshare_files

    2 Commit: e426b64c412aaa3e9eb3e4b261dc5be0d5a83e78
      Author: Hugh Dickins
      Date: Sat, 28 Mar 2009 23:20:19 +0000 (+0000)
      Subject: fix setuid sometimes doesn't

    3 Commit: 7c2c7d993044cddc5010f6f429b100c63bc7dffb
      Author: Hugh Dickins
      Date: Sat, 28 Mar 2009 23:21:27 +0000 (+0000)
      Subject: fix setuid sometimes wouldn't

    4 Commit: f1191b50ec11c8e2ca766d6d99eb5bb9d2c084a3
      Author: Al Viro
      Date: Mon, 30 Mar 2009 11:35:18 +0000 (-0400)
      Subject: check_unsafe_exec() doesn't care about signal handlers sharing

    Signed-off-by: Hugh Dickins
    Signed-off-by: Greg Kroah-Hartman

commit 898c2fdf1de930606bbcafc30649d6d8ff4e2e9a
Author: Josh Boyer
Date:   Tue Apr 28 11:14:01 2009 -0400

    powerpc: Sanitize stack pointer in signal handling code

    This has been backported to 2.6.28.x from commit efbda86098 in Linus' tree

    On powerpc64 machines running 32-bit userspace, we can get garbage bits in the stack pointer passed into the kernel. Most places handle this correctly, but the signal handling code uses the passed value directly for allocating signal stack frames.

    This fixes the issue by introducing a get_clean_sp function that returns a sanitized stack pointer. For 32-bit tasks on a 64-bit kernel, the stack pointer is masked correctly. In all other cases, the stack pointer is simply returned.

    Additionally, we pass an 'is_32' parameter to get_sigframe now in order to get the properly sanitized stack. The callers are known to be 32 or 64-bit statically.

    Signed-off-by: Josh Boyer
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit ef2ef1cee9f63c060204c258b62f9a321b1887f5
Author: Tejun Heo
Date:   Fri Apr 17 08:34:48 2009 +0200

    block: include empty disks in /proc/diskstats

    commit 71982a409f12c50d011325a4471aa20666bb908d upstream.

    /proc/diskstats used to show stats for all disks whether they're zero-sized or not and their non-zero partitions. Commit 074a7aca7afa6f230104e8e65eba3420263714a5 accidentally changed the behavior such that it doesn't print out zero sized disks. This patch implements DISK_PITER_INCL_EMPTY_PART0 flag to partition iterator and uses it in diskstats_show() such that empty part0 is shown in /proc/diskstats.

    Reported and bisected by Daniel Collins.

    Signed-off-by: Tejun Heo
    Reported-by: Daniel Collins
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 05c75f1ce36d4d72aa9ed5fe895a178c01e875d3
Author: Dan Williams
Date:   Fri Mar 27 14:38:11 2009 -0700

    md: fix deadlock when stopping arrays

    [backport of 5fd3a17ed456637a224cf4ca82b9ad9d005bc8d4]

    Resolve a deadlock when stopping redundant arrays, i.e. ones that require a call to sysfs_remove_group when shutdown. The deadlock is summarized below:

    Thread1                Thread2
    -------                -------
    read sysfs attribute   stop array
                           take mddev lock
                           sysfs_remove_group
    sysfs_get_active
    wait for mddev lock
                           wait for active

    Sysrq-w:
    --------
    mdmon         S 00000017  2212  4163      1
           f1982ea8 00000046 2dcf6b85 00000017 c0b23100 f2f83ed0 c0b23100 f2f8413c
           c0b23100 c0b23100 c0b1fb98 f2f8413c 00000000 f2f8413c c0b23100 f2291ecc
           00000002 c0b23100 00000000 00000017 f2f83ed0 f1982eac 00000046 c044d9dd
    Call Trace:
     [] ? debug_mutex_add_waiter+0x1d/0x58
     [] __mutex_lock_common+0x1d9/0x338
     [] ? __mutex_lock_common+0x1d9/0x338
     [] mutex_lock_interruptible_nested+0x33/0x3a
     [] ? mddev_lock+0x14/0x16
     [] mddev_lock+0x14/0x16
     [] md_attr_show+0x2a/0x49
     [] sysfs_read_file+0x93/0xf9
    mdadm         D 00000017  2812  4177      1
           f0401d78 00000046 430456f8 00000017 f0401d58 f0401d20 c0b23100 f2da2c4c
           c0b23100 c0b23100 c0b1fb98 f2da2c4c 0a10fc36 00000000 c0b23100 f0401d70
           00000003 c0b23100 00000000 00000017 f2da29e0 00000001 00000002 00000000
    Call Trace:
     [] schedule_timeout+0x1b/0x95
     [] ? schedule_timeout+0x1b/0x95
     [] ? wait_for_common+0x34/0xdc
     [] ? trace_hardirqs_on_caller+0x18/0x145
     [] ? trace_hardirqs_on+0xb/0xd
     [] wait_for_common+0xa0/0xdc
     [] ? default_wake_function+0x0/0x12
     [] wait_for_completion+0x17/0x19
     [] sysfs_addrm_finish+0x19f/0x1d1
     [] sysfs_hash_and_remove+0x42/0x55
     [] sysfs_remove_group+0x57/0x86
     [] do_md_stop+0x13a/0x499

    This has been there for a while, but is easier to trigger now that mdmon is closely watching sysfs.

    Cc: Neil Brown
    Reported-by: Jacek Danecki
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman

commit b11cd4acc4274a84c6b11500c317d47e7210af6f
Author: Luis R. Rodriguez
Date:   Mon Mar 23 19:03:27 2009 -0400

    ath9k: AR9280 PCI devices must serialize IO as well

    This is a port of:

    commit SHA1 5ec905a8df3fa877566ba98298433fbfb3d688cc

    for 2.6.28

    Signed-off-by: Luis R. Rodriguez

commit 10c5743dc4ee84416a5af7741dfce6ce7c2db0af
Author: Luis R. Rodriguez
Date:   Mon Mar 23 19:03:26 2009 -0400

    ath9k: implement IO serialization

    This is a port of:

    commit SHA1 6158425be398936af1fd04451f78ffad01529cb0

    for 2.6.28.

    All 802.11n PCI devices (Cardbus, PCI, mini-PCI) require serialization of IO when on non-uniprocessor systems. PCI express devices do not require this. This should fix our only last standing open ath9k kernel.org bugzilla bug report:

    http://bugzilla.kernel.org/show_bug.cgi?id=12110

    Signed-off-by: Luis R. Rodriguez
    Signed-off-by: Greg Kroah-Hartman

commit 7b6d4c8c3d17f59572d254784a770e058dc9d31e
Author: Avi Kivity
Date:   Mon Mar 23 17:51:38 2009 -0300

    KVM: VMX: Flush volatile msrs before emulating rdmsr

    (cherry picked from 516a1a7e9dc80358030fe01aabb3bedf882db9e2)

    Some msrs (notably MSR_KERNEL_GS_BASE) are held in the processor registers and need to be flushed to the vcpu structure before they can be read.

    This fixes cygwin longjmp() failure on Windows x64.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 4de8a03e9dd90058db4ccde1ba3b8bf589bff9b3
Author: Marcelo Tosatti
Date:   Mon Mar 23 17:51:37 2009 -0300

    KVM: x86: fix LAPIC pending count calculation

    (cherry picked from b682b814e3cc340f905c14dff87ce8bdba7c5eba)

    Simplify LAPIC TMCCT calculation by using hrtimer provided function to query remaining time until expiration.

    Fixes host hang with nested ESX.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Alexander Graf
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit dfccb2ea806875b9379f72af1a6f86f3811b2e88
Author: Marcelo Tosatti
Date:   Mon Mar 23 17:51:36 2009 -0300

    KVM: x86: disable kvmclock on non constant TSC hosts

    (cherry picked from abe6655dd699069b53bcccbc65b2717f60203b12)

    This is better.

    Currently, this code path is posing us big troubles, and we won't have a decent patch in time. So, temporarily disable it.

    Signed-off-by: Glauber Costa
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit fcae516675463fce5123d5dc0c861ad9dd283ffe
Author: Marcelo Tosatti
Date:   Mon Mar 23 17:51:35 2009 -0300

    KVM: PIT: fix i8254 pending count read

    (cherry picked from d2a8284e8fca9e2a938bee6cd074064d23864886)

    count_load_time assignment is bogus: it's supposed to contain what it means, not the expiration time.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 2aa2267cc3836db2680d99e1c5da08af6a7243bd
Author: Marcelo Tosatti
Date:   Mon Mar 23 17:51:34 2009 -0300

    KVM: mmu_notifiers release method

    (cherry picked from 85db06e514422ae429b5f85742d8111b70bd56f3)

    The destructor for huge pages uses the backing inode for adjusting hugetlbfs accounting.

    Hugepage mappings are destroyed by exit_mmap, after mmu_notifier_release, so there are no notifications through unmap_hugepage_range at this point.

    The hugetlbfs inode can be freed with pages backed by it referenced by the shadow. When the shadow releases its reference, the huge page destructor will access a now freed inode.

    Implement the release operation for kvm mmu notifiers to release page refs before the hugetlbfs inode is gone.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 2ef5df79ae93e27162a3ff9f9326cc53ef42a970
Author: Marcelo Tosatti
Date:   Mon Mar 23 17:51:33 2009 -0300

    KVM: MMU: handle large host sptes on invlpg/resync

    (cherry picked from 87917239204d67a316cb89751750f86c9ed3640b)

    The invlpg and sync walkers lack knowledge of large host sptes, descending to non-existent pagetable level.

    Stop at directory level in such case.

    Fixes SMP Windows XP with hugepages.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 3899af53551a9d5f0b316b9b5d1afba2ac47d0a9
Author: Marcelo Tosatti
Date:   Mon Mar 23 17:51:32 2009 -0300

    KVM: MMU: check for present pdptr shadow page in walk_shadow

    (cherry picked from eb64f1e8cd5c3cae912db30a77d062367f7a11a6)

    walk_shadow assumes the caller verified validity of the pdptr pointer in question, which is not the case for the invlpg handler.

    Fixes oops during Solaris 10 install.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 14e360ee2c711a4ce10d90389773cadea30c54f6
Author: Avi Kivity
Date:   Mon Mar 23 17:51:31 2009 -0300

    KVM: Advertise the bug in memory region destruction as fixed

    (cherry picked from 1a811b6167089bcdb84284f2dc9fd0b4d0f1899d)

    Userspace might need to act differently.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 622d662934afe335af62dd8a0e9e64a39e8372dc
Author: Christian Borntraeger
Date:   Mon Mar 23 17:51:30 2009 -0300

    KVM: set owner of cpu and vm file operations

    (cherry picked from 3d3aab1b973b01bd2a1aa46307e94a1380b1d802)

    There is a race between a "close of the file descriptors" and module unload in the kvm module.

    You can easily trigger this problem by applying this debug patch:

    >--- kvm.orig/virt/kvm/kvm_main.c >+++ kvm/virt/kvm/kvm_main.c
    >@@ -648,10 +648,14 @@ void kvm_free_physmem(struct kvm *kvm) > kvm_free_physmem_slot(&kvm->memslots[i], NULL); > } > >+#include > static void kvm_destroy_vm(struct kvm *kvm) > { > struct mm_struct *mm = kvm->mm; > >+ printk("off1\n"); >+ msleep(5000); >+ printk("off2\n"); > spin_lock(&kvm_lock); > list_del(&kvm->vm_list); > spin_unlock(&kvm_lock);

    and killing the userspace, followed by an rmmod.

    The problem is that kvm_destroy_vm can run while the module count is 0. That means, you can remove the module while kvm_destroy_vm is running. But kvm_destroy_vm is part of the module text. This causes a kernel oops. The race exists without the msleep but is much harder to trigger.

    This patch requires the fix for anon_inodes (anon_inodes: use fops->owner for module refcount). With this patch, we can set the owner of all anonymous KVM inodes file operations. The VFS will then control the KVM module refcount as long as there is an open file. kvm_destroy_vm will be called by the release function of the last closed file - before the VFS drops the module refcount.

    Signed-off-by: Christian Borntraeger
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 11cccb1f39e3607ea776b512c2258229cbaf855b
Author: Amit Shah
Date:   Mon Mar 23 17:51:29 2009 -0300

    KVM: x86 emulator: Fix handling of VMMCALL instruction

    (cherry picked from fbce554e940a983d005e29849636d0ef54b3eb18)

    The VMMCALL instruction doesn't get recognised and isn't processed by the emulator.

    This is seen on an Intel host that tries to execute the VMMCALL instruction after a guest live migrates from an AMD host.

    Signed-off-by: Amit Shah
    Signed-off-by: Avi Kivity
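Review bot: the `>+#include` line in the quoted kvm_main.c debug hunk above has lost its header name in this copy, so the hunk as shown does not compile; whatever header that line pulled in is what declares msleep(). The printk/msleep pair added to kvm_destroy_vm is a reproduction aid that only widens the window the message describes (kvm_destroy_vm running while the module count is already 0) and is not meant for merging; the actual fix in the series is setting fops->owner on the KVM anonymous inodes so the VFS holds the module reference until the last release returns.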
    Signed-off-by: Greg Kroah-Hartman

commit 6ccf86c186a8c02b7d30015145259b65d92972cd
Author: Glauber Costa
Date:   Mon Mar 23 17:51:28 2009 -0300

    KVM: Really remove a slot when a user asks us so

    (cherry picked from 6f89724829cfd4ad6771a92fd4b8d59c90c7220c)

    Right now, KVM does not remove a slot when we do a register ioctl for size 0 (would be the expected behaviour). Instead, we only mark it as empty, but keep all bitmaps and allocated data structures present. It completely nullifies our chances of reusing that same slot again for mapping a different piece of memory.

    In this patch, we destroy rmaps, and vfree() the pointers that used to hold the dirty bitmap, rmap and lpage_info structures.

    Signed-off-by: Glauber Costa
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 3b3d3c98c95ea353d95299016973b99f569f6c64
Author: Wu Fengguang
Date:   Mon Mar 23 17:51:27 2009 -0300

    KVM: Prevent trace call into unloaded module text

    (cherry picked from b82091824ee4970adf92d5cd6d57b12273171625)

    Add marker_synchronize_unregister() before module unloading. This prevents possible trace calls into unloaded module text.

    Signed-off-by: Wu Fengguang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 4cb5b1f5b577184ef9d7b23b8146a25700f6d555
Author: Nitin A Kamble
Date:   Mon Mar 23 17:51:26 2009 -0300

    KVM: Fix cpuid iteration on multiple leaves per eac

    (cherry picked from 0fdf8e59faa5c60e9d77c8e14abe3a0f8bfcf586)

    The code to traverse the cpuid data array list for counting type of leaves is currently broken.

    This patch fixes the 2 things in it.

    1. Set the 1st counting entry's flag KVM_CPUID_FLAG_STATE_READ_NEXT. Without it the code will never find a valid entry.

    2. Also the stop condition in the for loop while looking for the next unflagged entry is broken. It needs to stop when it finds one matching entry; and in the case of count of 1, it will be the same entry found in this iteration.

    Signed-Off-By: Nitin A Kamble
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 8e70c4b199e53b33004edbe710ca5425a4b40c94
Author: Nitin A Kamble
Date:   Mon Mar 23 17:51:25 2009 -0300

    KVM: Fix cpuid leaf 0xb loop termination

    (cherry picked from 0853d2c1d849ef69884d2447d90d04007590b72b)

    For cpuid leaf 0xb the bits 8-15 in ECX register define the end of counting leaf. The previous code was using bits 0-7 for this purpose, which is a bug.

    Signed-off-by: Nitin A Kamble
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit e93d4df4cf013df5ab84c4967b9bfeecbb0f8c0d
Author: Izik Eidus
Date:   Mon Mar 23 17:51:24 2009 -0300

    KVM: MMU: Fix aliased gfns treated as unaliased

    (cherry picked from 2843099fee32a6020e1caa95c6026f28b5d43bff)

    Some areas of kvm x86 mmu are using gfn offset inside a slot without unaliasing the gfn first. This patch makes sure that the gfn will be unaliased and add gfn_to_memslot_unaliased() to save the calculating of the gfn unaliasing in case we have it unaliased already.

    Signed-off-by: Izik Eidus
    Acked-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit ae88df0aa69791cdaff74e89e65f2703f22e398e
Author: Amit Shah
Date:   Mon Mar 23 17:51:23 2009 -0300

    KVM: SVM: Set the 'busy' flag of the TR selector

    (cherry picked from c0d09828c870f90c6bc72070ada281568f89c63b)

    The busy flag of the TR selector is not set by the hardware. This breaks migration from amd hosts to intel hosts.

    Signed-off-by: Amit Shah
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit ca4bd92990aadcbea84fa25ec0cc5b0cd387cb9a
Author: Amit Shah
Date:   Mon Mar 23 17:51:22 2009 -0300

    KVM: SVM: Set the 'g' bit of the cs selector for cross-vendor migration

    (cherry picked from 25022acc3dd5f0b54071c7ba7c371860f2971b52)

    The hardware does not set the 'g' bit of the cs selector and this breaks migration from amd hosts to intel hosts.

    Set this bit if the segment limit is beyond 1 MB.

    Signed-off-by: Amit Shah
    Signed-off-by: Avi Kivity
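An added example (not KVM's code) for the "cpuid leaf 0xb loop termination" commit above: a small model of the walk that fills in the sub-leaves of leaf 0xb, run against a constructed three-entry table standing in for the hardware, with the level-type mask as a parameter so the bits 0-7 reading and the bits 8-15 reading can be compared side by side. It assumes the documented CPUID.(EAX=0xb) ECX layout: bits 7:0 echo the sub-leaf number that was requested, bits 15:8 hold the level type, and a level type of 0 means there are no further levels.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not KVM code: models the walk over CPUID leaf 0xb sub-leaves.
 * CPUID.(EAX=0xb, ECX=n) returns ECX[7:0] = n (the sub-leaf number echoed
 * back) and ECX[15:8] = level type (1 = SMT, 2 = core, 0 = no more levels). */
struct cpuid_entry {
    uint32_t function, index;
    uint32_t eax, ebx, ecx, edx;
};

/* Constructed stand-in for the hardware: SMT level, core level, terminator. */
static const struct cpuid_entry hw_leaf_0xb[] = {
    { 0xb, 0, 1, 2, (1u << 8) | 0u, 0 },
    { 0xb, 1, 4, 8, (2u << 8) | 1u, 0 },
    { 0xb, 2, 0, 0, (0u << 8) | 2u, 0 },
};
#define HW_SUBLEAVES (sizeof hw_leaf_0xb / sizeof hw_leaf_0xb[0])

#define LEVEL_TYPE_MASK_FIXED 0xff00u  /* bits 8-15: what the fix reads    */
#define LEVEL_TYPE_MASK_BUGGY 0x00ffu  /* bits 0-7: what the old code read */

/* Emit sub-leaf 0, then keep emitting sub-leaf i while the last emitted
 * entry's level type (read through 'mask') is non-zero. Returns the number
 * of entries written to 'out'. */
int walk_leaf_0xb(const struct cpuid_entry *hw, size_t n, uint32_t mask,
                  struct cpuid_entry *out, size_t maxnent)
{
    size_t nent = 0, i;

    if (n == 0 || maxnent == 0)
        return 0;
    out[nent++] = hw[0];
    for (i = 1; i < n && nent < maxnent; i++) {
        if (!(out[nent - 1].ecx & mask))
            break;                      /* previous level was the last one */
        out[nent++] = hw[i];
    }
    return (int)nent;
}

/* Convenience wrapper over the constructed table. */
int subleaf_count(uint32_t mask)
{
    struct cpuid_entry out[HW_SUBLEAVES];
    return walk_leaf_0xb(hw_leaf_0xb, HW_SUBLEAVES, mask, out, HW_SUBLEAVES);
}

int main(void)
{
    /* Old mask: entry 0's ECX[7:0] is the echoed sub-leaf number 0, so the
     * walk stops after one entry and the core level is never reported. */
    printf("bits 0-7:  %d sub-leaves\n", subleaf_count(LEVEL_TYPE_MASK_BUGGY));
    printf("bits 8-15: %d sub-leaves\n", subleaf_count(LEVEL_TYPE_MASK_FIXED));
    return 0;
}
```

With the low-byte mask the walk terminates on the very first entry, because the echoed sub-leaf number of sub-leaf 0 is itself 0; with the bits 8-15 mask it reports all three entries, including the terminating one whose level type is 0.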
    Signed-off-by: Greg Kroah-Hartman

commit ff896b463d96419ceef8465e2c3624501e4da4b0
Author: Sheng Yang
Date:   Mon Mar 23 17:51:21 2009 -0300

    KVM: VMX: Move private memory slot position

    (cherry picked from 6fe639792c7b8e462baeaac39ecc33541fd5da6e)

    PCI device assignment would map guest MMIO spaces as separate slot, so it is possible that the device has more than 2 MMIO spaces and overwrite current private memslot.

    The patch moves private memory slot to the top of userspace visible memory slots.

    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 503e5b567be966f1ad7193c1e58878f8c0a9b5f2
Author: Sheng Yang
Date:   Mon Mar 23 17:51:20 2009 -0300

    KVM: MMU: Extend kvm_mmu_page->slot_bitmap size

    (cherry picked from 291f26bc0f89518ad7ee3207c09eb8a743ac8fcc)

    Otherwise set_bit() for private memory slot(above KVM_MEMORY_SLOTS) would corrupt memory in 32bit host.

    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 3ddbf793d09ede441eb2e7b9663e8c777840377d
Author: Gleb Natapov
Date:   Mon Mar 23 17:51:19 2009 -0300

    KVM: call kvm_arch_vcpu_reset() instead of the kvm_x86_ops callback

    (cherry picked from 5f179287fa02723215eecf681d812b303c243973)

    Call kvm_arch_vcpu_reset() instead of directly using arch callback. The function does additional things.

    Signed-off-by: Gleb Natapov
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit ff61781ec0194ae5a644b4e1114a4ca62d138749
Author: Jan Kiszka
Date:   Mon Mar 23 17:51:18 2009 -0300

    KVM: x86: Reset pending/inject NMI state on CPU reset

    (cherry picked from 448fa4a9c5dbc6941dd19ed09692c588d815bb06)

    CPU reset invalidates pending or already injected NMIs, therefore reset the related state variables.

    Based on original patch by Gleb Natapov.

    Signed-off-by: Gleb Natapov
    Signed-off-by: Jan Kiszka
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 38a9de467cba9d691a22fe689b759fad0dec4d69
Author: Christian Borntraeger
Date:   Mon Mar 23 17:51:17 2009 -0300

    anon_inodes: use fops->owner for module refcount

    There is an imbalance for anonymous inodes. If the fops->owner field is set, the module reference count of owner is decreased on release. ("filp_close" --> "__fput" ---> "fops_put")

    On the other hand, anon_inode_getfd does not increase the module reference count of owner. This causes two problems:

    - if owner is set, the module refcount goes negative
    - if owner is not set, the module can be unloaded while code is running

    This patch changes anon_inode_getfd to be symmetric regarding fops->owner handling.

    I have checked all existing users of anon_inode_getfd. No one sets fops->owner, that's why nobody has seen the module refcount negative. The refcounting was tested with a patched and unpatched KVM module. (see patch 2/2) I also did an epoll_open/close test.

    Signed-off-by: Christian Borntraeger
    Reviewed-by: Davide Libenzi
    Signed-off-by: Avi Kivity
    (cherry picked from commit e3a2a0d4e5ace731e60e2eff4fb7056ecb34adc1)
    Signed-off-by: Greg Kroah-Hartman

commit 7f871d00b7b32cafb8800a45b1d4eca94479deff
Author: Jens Axboe
Date:   Tue Feb 17 13:59:08 2009 +0100

    block: revert part of 18ce3751ccd488c78d3827e9f6bf54e6322676fb

    commit 78f707bfc723552e8309b7c38a8d0cc51012e813 upstream.

    The above commit added WRITE_SYNC and switched various places to using that for committing writes that will be waited upon immediately after submission. However, this causes a performance regression with AS and CFQ for ext3 at least, since sync_dirty_buffer() will submit some writes with WRITE_SYNC while ext3 has submitted other dependent writes without the sync flag set. This causes excessive anticipation/idling in the IO scheduler because sync and async writes get interleaved, causing a big performance regression for the below test case (which is meant to simulate sqlite like behaviour).

    ---- test case ----

    int main(int argc, char **argv)
    {
            int fdes, i;
            FILE *fp;
            struct timeval start;
            struct timeval end;
            struct timeval res;

            gettimeofday(&start, NULL);
            for (i=0; i

    Signed-off-by: Greg Kroah-Hartman

commit c556a02dbc527b7a181bb33f181f4dfc9df21cc2
Author: Akinobu Mita
Date:   Tue Apr 21 21:20:04 2009 +0000

    hugetlbfs: return negative error code for bad mount option

    upstream commit: c12ddba09394c60e1120e6997794fa6ed52da884

    This fixes the following BUG:

      # mount -o size=MM -t hugetlbfs none /huge
      hugetlbfs: Bad value 'MM' for mount option 'size=MM'
      ------------[ cut here ]------------
      kernel BUG at fs/super.c:996!

    Due to BUG_ON(!mnt->mnt_sb); in vfs_kern_mount().

    Also, remove unused #include

    Cc: William Irwin
    Signed-off-by: Akinobu Mita
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit bdfbcb0b2409a9bb5702944be5d809a730724163
Author: Shaohua Li
Date:   Mon Apr 20 10:08:35 2009 +1000

    agp: zero pages before sending to userspace

    upstream commit: 59de2bebabc5027f93df999d59cc65df591c3e6e

    CVE-2009-1192

    AGP pages might be mapped into userspace finally, so the pages should be set to zero before userspace can use it. Otherwise there is potential information leakage.

    Signed-off-by: Shaohua Li
    Signed-off-by: Dave Airlie
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 52c540c12d84ff014b5e9151daed80d67740a13a
Author: Francois Romieu
Date:   Mon Apr 6 23:35:13 2009 +0200

    r8169: Reset IntrStatus after chip reset

    upstream commit: d78ad8cbfe73ad568de38814a75e9c92ad0a907c

    Original comment (Karsten):
    On a MSI MS-6702E mainboard, when in rtl8169_init_one() for the first time after BIOS has run, IntrStatus reads 5 after chip has been reset. IntrStatus should equal 0 there, so patch changes IntrStatus reset to happen after chip reset instead of before.

    Remark (Francois):
    Assuming that the loglevel of the driver is increased above NETIF_MSG_INTR, the bug reveals itself with a typical "interrupt 0025 in poll" message at startup. In retrospect, the message should have been read as a hint of an unexpected hardware state several months ago :o(

    Fixes (at least part of) https://bugzilla.redhat.com/show_bug.cgi?id=460747

    Signed-off-by: Karsten Wiese
    Signed-off-by: Francois Romieu
    Tested-by: Josep
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 9458dc01a3249439a54f4b6d5f9814bbeaa6c7aa
Author: Dmitry Torokhov
Date:   Mon Apr 13 15:27:49 2009 -0700

    Input: gameport - fix attach driver code

    upstream commit: 4ced8e7cb990a2c3bbf0ac7f27b35c890e7ce895

    The commit 6902c0bead4ce266226fc0c5b3828b850bdc884a that moved driver registration out of kgameportd thread was incomplete and did not add the code necessary to actually attach driver to already registered devices, rectify that.
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 2d6cff75432a26c3b4064dc9d65fa1e395eebba7
Author: Alan Stern
Date:   Fri Apr 17 21:20:03 2009 +0000

    USB: usb-storage: augment unusual_devs entry for Simple Tech/Datafab

    upstream commit: e4813eec8d47c8299d968bd5349dc881fa481c26

    This patch (as1227) adds the MAX_SECTORS_64 flag to the unusual_devs entry for the Simple Tech/Datafab controller. This fixes Bugzilla #12882.

    Signed-off-by: Alan Stern
    Reported-and-tested-by: binbin
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 114ff4beb99fbe3ef04beea9131f11933d5c9bf6
Author: Oliver Neukum
Date:   Fri Apr 17 21:20:06 2009 +0000

    USB: fix oops in cdc-wdm in case of malformed descriptors

    upstream commit: e13c594f3a1fc2c78e7a20d1a07974f71e4b448f

    cdc-wdm needs to ignore extremely malformed descriptors.

    Signed-off-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit b24bfa2e8104e5fd5301314607f21f6f0e52222d
Author: Peter Korsgaard
Date:   Fri Apr 17 21:20:07 2009 +0000

    USB: ftdi_sio: add vendor/project id for JETI specbos 1201 spectrometer

    upstream commit: ae27d84351f1f3568118318a8c40ff3a154bd629

    Signed-off-by: Peter Korsgaard
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 4e0cccfdf1b0dd88207806b38fa60d9d286a37f8
Author: Jonathan McDowell
Date:   Fri Apr 17 21:20:10 2009 +0000

    usb gadget: fix ethernet link reports to ethtool

    upstream commit: 237e75bf1e558f7330f8deb167fa3116405bef2c

    The g_ether USB gadget driver currently decides whether or not there's a link to report back for eth_get_link based on if the USB link speed is set. The USB gadget speed is however often set even before the device is enumerated. It seems more sensible to only report a "link" if we're actually connected to a host that wants to talk to us. The patch below does this for me - tested with the PXA27x UDC driver.

    Signed-off-by: Jonathan McDowell
    Signed-off-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 3e0562c3d63103c0a8402c09663fb5a7014a8568
Author: FUJITA Tomonori
Date:   Wed Feb 4 11:36:27 2009 +0900

    SCSI: sg: avoid blk_put_request/blk_rq_unmap_user in interrupt

    upstream commit: c96952ed7031e7c576ecf90cf95b8ec099d5295a

    This fixes the following oops:

    http://marc.info/?l=linux-kernel&m=123316111415677&w=2

    You can reproduce this bug by interrupting a program before a sg response completes. This leads to the special sg state (the orphan state), then sg calls blk_put_request in interrupt (rq->end_io).

    The above bug report shows the recursive lock problem because sg calls blk_put_request in interrupt. We could call __blk_put_request here instead however we also need to handle blk_rq_unmap_user here, which can't be called in interrupt too.

    In the orphan state, we don't need to care about the data transfer (the program revoked the command) so adding 'just free the resource' mode to blk_rq_unmap_user is a possible option.

    I prefer to avoid complicating the blk mapping API when possible. I change the orphan state to call sg_finish_rem_req via execute_in_process_context. We hold sg_fd->kref so sg_fd doesn't go away until keventd_wq finishes our work. copy_from_user/to_user fails so blk_rq_unmap_user just frees the resource without the data transfer.

    Signed-off-by: FUJITA Tomonori
    Acked-by: Douglas Gilbert
    Signed-off-by: James Bottomley
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit dc3a52a6af7f0c6dbcbc8abf121d93f9356b87ac
Author: Tony Battersby
Date:   Tue Jan 20 17:00:09 2009 -0500

    SCSI: sg: fix races with ioctl(SG_IO)

    upstream commit: a2dd3b4cea335713b58996bb07b3abcde1175f47

    sg_io_owned needs to be set before the command is sent to the midlevel; otherwise, a quickly-completing command may cause a different CPU to see "srp->done == 1 && !srp->sg_io_owned", which would lead to incorrect behavior.

    Check srp->done and set srp->orphan while holding rq_list_lock to prevent races with sg_rq_end_io().

    There is no need to check sfp->closed from read/write/ioctl/poll/etc. since the kernel guarantees that this won't happen.

    The usefulness of sg_srp_done() was questionable before; now it is definitely not needed.

    Signed-off-by: Tony Battersby
    Acked-by: Douglas Gilbert
    Signed-off-by: James Bottomley
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit a0fe972f78eaaf352d593f9ed9079de590ceb286
Author: Tony Battersby
Date:   Wed Jan 21 14:45:50 2009 -0500

    SCSI: sg: fix races during device removal

    upstream commit: c6517b7942fad663cc1cf3235cbe4207cf769332

    sg has the following problems related to device removal:

    * opening a sg fd races with removing a device
    * closing a sg fd races with removing a device
    * /proc/scsi/sg/* access races with removing a device
    * command completion races with removing a device
    * command completion races with closing a sg fd
    * can rmmod sg with active commands

    These problems can cause kernel oopses, memory-use-after-free, or double-free errors.

    This patch fixes these problems by using krefs to manage the lifetime of sg_device and sg_fd. Each command submitted to the midlevel holds a reference to sg_fd until the completion callback. This ensures that sg_fd doesn't go away if the fd is closed with commands still outstanding.

    sg_fd gets the reference of sg_device (with scsi_device) and also makes sure that the sg module doesn't go away.

    /proc/scsi/sg/* functions don't play nicely with krefs because they give information about sg_fds which have been closed but not yet freed due to still having outstanding commands and sg_devices which have been removed but not yet freed due to still being referenced by one or more sg_fds. To deal with this safely without removing functionality, /proc functions now access sg_device and sg_fd while holding a lock instead of using kref_get()/kref_put().

    Signed-off-by: Tony Battersby
    Acked-by: Douglas Gilbert
    Signed-off-by: James Bottomley
    [chrisw: big for -stable, helps fix real bug, and made it through rc2 upstream]
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 0892fc01748f57ede72d51afa7bd45ab655ced30
Author: Hugh Dickins
Date:   Thu Apr 16 21:45:05 2009 +0000

    mm: pass correct mm when growing stack

    upstream commit: 05fa199d45c54a9bda7aa3ae6537253d6f097aa9

    Tetsuo Handa reports seeing the WARN_ON(current->mm == NULL) in
    security_vm_enough_memory(), when do_execve() is touching the target
    mm's stack, to set up its args and environment.

    Yes, a UMH_NO_WAIT or UMH_WAIT_PROC call_usermodehelper() spawns an
    mm-less kernel thread to do the exec.

    And in any case, that vm_enough_memory check when growing stack ought to
    be done on the target mm, not on the execer's mm (though apart from the
    warning, it only makes a slight tweak to OVERCOMMIT_NEVER behaviour).

    Reported-by: Tetsuo Handa
    Signed-off-by: Hugh Dickins
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 0564f1ff1ce57a1fe207fadeeaa52fc1dd6e7e05
Author: Sergei Shtylyov
Date:   Tue Apr 14 18:39:14 2009 +0400

    pata_hpt37x: fix HPT370 DMA timeouts

    upstream commit: 265b7215aed36941620b65ecfff516200fb190c1

    The libata driver has copied the code from the IDE driver which caused a
    post 2.4.18 regression on many HPT370[A] chips -- DMA stopped to work
    completely, only causing timeouts. Now remove hpt370_bmdma_start() for
    good...

    Signed-off-by: Sergei Shtylyov
    Signed-off-by: Jeff Garzik
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 8b3e421a7dc4683b64c661453ed06def08105bf2
Author: Sergei Shtylyov
Date:   Sat Apr 18 17:42:19 2009 +0200

    hpt366: fix HPT370 DMA timeouts

    upstream commit: c018f1ee5cf81e58b93d9e93a2ee39cad13dc1ac

    The big driver change in 2.4.19-rc1 introduced a regression for many
    HPT370[A] chips -- DMA stopped to work completely, only causing endless
    timeouts... The culprit has been identified (at last!): it turned to be
    the code resetting the DMA state machine before each transfer. Stop
    doing it now as this counter-measure has clearly caused more harm than
    good. This should fix the kernel.org bug #7703.

    Signed-off-by: Sergei Shtylyov
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 58990be4f35616f120d734fd0d63fabaa17049cd
Author: Paul Mackerras
Date:   Wed Apr 15 17:25:05 2009 +0000

    powerpc: Fix data-corrupting bug in __futex_atomic_op

    upstream commit: 306a82881b14d950d59e0b59a55093a07d82aa9a

    Richard Henderson pointed out that the powerpc __futex_atomic_op has a
    bug: it will write the wrong value if the stwcx. fails and it has to
    retry the lwarx/stwcx. loop, since 'oparg' will have been overwritten by
    the result from the first time around the loop. This happens because it
    uses the same register for 'oparg' (an input) as it uses for the result.

    This fixes it by using separate registers for 'oparg' and 'ret'.

    Cc: stable@kernel.org
    Signed-off-by: Paul Mackerras
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 2e59b05f014868ffaa019923cc6b4953110d006b
Author: David Brownell
Date:   Mon Apr 13 22:35:03 2009 +0000

    spi: spi_write_then_read() bugfixes

    upstream commit: bdff549ebeff92b1a6952e5501caf16a6f8898c8

    The "simplify spi_write_then_read()" patch included two regressions from
    the 2.6.27 behaviors:

     - The data it wrote out during the (full duplex) read side of the
       transfer was not zeroed.

     - It fails completely on half duplex hardware, such as Microwire and
       most "3-wire" SPI variants.

    So, revert that patch. A revised version should be submitted at some
    point, which can get the speedup on standard hardware (full duplex)
    without breaking on less-capable half-duplex stuff.

    Signed-off-by: David Brownell
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 9d6daefcb03e760fa79c89b41d1078a89d09c999
Author: Serge E. Hallyn
Date:   Mon Apr 13 17:25:03 2009 +0000

    add some long-missing capabilities to fs_mask

    upstream commit: 0ad30b8fd5fe798aae80df6344b415d8309342cc

    When POSIX capabilities were introduced during the 2.1 Linux cycle, the
    fs mask, which represents the capabilities which having fsuid==0 is
    supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE.
    However, before capabilities the privilege to call these did in fact
    depend upon fsuid==0.

    This patch introduces those capabilities into the fsmask, restoring the
    old behavior.

    See the thread starting at http://lkml.org/lkml/2009/3/11/157 for
    reference.

    Note that if this fix is deemed valid, then earlier kernel versions (2.4
    and 2.2) ought to be fixed too.

    Changelog:
      [Mar 23] Actually delete old CAP_FS_SET definition...
      [Mar 20] Updated against J. Bruce Fields's patch

    Reported-by: Igor Zhbanov
    Signed-off-by: Serge E. Hallyn
    Cc: stable@kernel.org
    Cc: J. Bruce Fields
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 2c8a5ffdefb7e231f3d8ecdc029112a646c1562e
Author: Nathan Lynch
Date:   Thu Apr 9 18:20:02 2009 +0000

    sched: do not count frozen tasks toward load

    upstream commit: e3c8ca8336707062f3f7cb1cd7e6b3c753baccdd

    Freezing tasks via the cgroup freezer causes the load average to climb
    because the freezer's current implementation puts frozen tasks in
    uninterruptible sleep (D state).

    Some applications which perform job-scheduling functions consult the
    load average when making decisions. If a cgroup is frozen, the load
    average does not provide a useful measure of the system's utilization to
    such applications. This is especially inconvenient if the job scheduler
    employs the cgroup freezer as a mechanism for preempting low priority
    jobs. Contrast this with using SIGSTOP for the same purpose: the stopped
    tasks do not count toward system load.

    Change task_contributes_to_load() to return false if the task is frozen.
    This results in /proc/loadavg behavior that better meets users'
    expectations.

    Signed-off-by: Nathan Lynch
    Acked-by: Andrew Morton
    Acked-by: Nigel Cunningham
    Tested-by: Nigel Cunningham
    Cc: containers@lists.linux-foundation.org
    Cc: linux-pm@lists.linux-foundation.org
    Cc: Matt Helsley
    LKML-Reference: <20090408194512.47a99b95@manatee.lan>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 03c8ba6109c7cd28edb072b2a84f46e4d9bb0fdd
Author: Hidetoshi Seto
Date:   Thu Apr 9 18:20:12 2009 +0000

    posixtimers, sched: Fix posix clock monotonicity

    upstream commit: c5f8d99585d7b5b7e857fabf8aefd0174903a98c

    Impact: Regression fix (against clock_gettime() backwarding bug)

    This patch re-introduces a couple of functions, task_sched_runtime and
    thread_group_sched_runtime, which were once removed at the time of
    2.6.28-rc1.

    These functions protect the sampling of thread/process clock with rq
    lock. This rq lock is required not to update rq->clock during the
    sampling.

    i.e. The clock_gettime() may return
    ((accounted runtime before update) + (delta after update))
    that is less than what it should be.

    v2 -> v3:
      - Rename static helper function __task_delta_exec() to
        do_task_delta_exec() since -tip tree already has a
        __task_delta_exec() of different version.

    v1 -> v2:
      - Revises comments of function and patch description.
      - Add note about accuracy of thread group's runtime.

    Signed-off-by: Hidetoshi Seto
    Acked-by: Peter Zijlstra
    LKML-Reference: <49D1CC93.4080401@jp.fujitsu.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit de78e2e0a1d3c9a27af37e9ea6b00bbbabf04350
Author: Jean Delvare
Date:   Wed Apr 1 13:11:29 2009 -0500

    SCSI: libiscsi: fix iscsi pool error path again

    upstream commit: fd6e1c14b73dbab89cb76af895d5612e4a8b5522

    On Monday 30 March 2009, Chris Wright wrote:
    > q->queue could be ERR_PTR(-ENOMEM) which will break unwinding
    > on error. Make iscsi_pool_free more defensive.
    >

    Making the freeing of q->queue dependent on q->pool being set looks
    really weird (although it is correct at the moment). But this seems to
    be fixable in a much simpler way. With the benefit that only the error
    case is slowed down.

    In both cases we have a problem if q->queue contains an error value but
    it's not -ENOMEM. Apparently this can't happen today, but it doesn't
    feel right to assume this will always be true. Maybe it's the right
    time to fix this as well.

    Signed-off-by: Mike Christie
    Signed-off-by: James Bottomley
    [chrisw: this is a fixlet to f474a37b, also in -stable]
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 28007cf3d87ce574610a3f8a6b0ca4275eaac6dc
Author: Jean Delvare
Date:   Thu Mar 5 14:45:55 2009 -0600

    SCSI: libiscsi: fix iscsi pool error path

    upstream commit: f474a37bc48667595b5653a983b635c95ed82a3b

    Memory freeing in iscsi_pool_free() looks wrong to me. Either q->pool
    can be NULL and this should be tested before dereferencing it, or it
    can't be NULL and it shouldn't be tested at all. As far as I can see,
    the only case where q->pool is NULL is on early error in
    iscsi_pool_init(). One possible way to fix the bug is thus to not call
    iscsi_pool_free() in this case (nothing needs to be freed anyway) and
    then we can get rid of the q->pool check.

    Signed-off-by: Jean Delvare
    Signed-off-by: Mike Christie
    Signed-off-by: James Bottomley
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d2f500f5d2bb54093f59fd32e223a333c32f5604
Author: Akinobu Mita
Date:   Tue Apr 7 16:25:04 2009 +0000

    ALSA: hda - add missing comma in ad1884_slave_vols

    upstream commit: bca68467b59a24396554d8dd5979ee363c174854

    Signed-off-by: Akinobu Mita
    Signed-off-by: Takashi Iwai
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit af85932753d252ac37a01b00ab857197ee0bac16
Author: Miklos Szeredi
Date:   Tue Apr 7 16:25:02 2009 +0000

    splice: fix deadlock in splicing to file

    upstream commit: 7bfac9ecf0585962fe13584f5cf526d8c8e76f17

    There's a possible deadlock in generic_file_splice_write(),
    splice_from_pipe() and ocfs2_file_splice_write():

     - task A calls generic_file_splice_write()
     - this calls inode_double_lock(), which locks i_mutex on both
       pipe->inode and target inode
     - ordering depends on inode pointers, can happen that pipe->inode is
       locked first
     - __splice_from_pipe() needs more data, calls pipe_wait()
     - this releases lock on pipe->inode, goes to interruptible sleep
     - task B calls generic_file_splice_write(), similarly to the first
     - this locks pipe->inode, then tries to lock inode, but that is
       already held by task A
     - task A is interrupted, it tries to lock pipe->inode, but fails, as
       it is already held by task B
     - ABBA deadlock

    Fix this by explicitly ordering locks: the outer lock must be on target
    inode and the inner lock (which is later unlocked and relocked) must be
    on pipe->inode. This is OK, pipe inodes and target inodes form two
    nonoverlapping sets, generic_file_splice_write() and friends are not
    called with a target which is a pipe.

    Signed-off-by: Miklos Szeredi
    Acked-by: Mark Fasheh
    Acked-by: Jens Axboe
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 045918d8181b1a06632173d225120e832fbac3bc
Author: Patrick McHardy
Date:   Mon Apr 6 17:31:29 2009 +0200

    netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection

    upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558

    Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential
    worst-case search for loops) introduced a regression in the loop
    detection algorithm, causing sporadic incorrectly detected loops.

    When a chain has already been visited during the check, it is treated
    as having a standard target containing a RETURN verdict directly at the
    beginning in order to not check it again. The real target of the first
    rule is then incorrectly treated as STANDARD target and checked not to
    contain invalid verdicts.

    Fix by making sure the rule does actually contain a standard target.

    Based on patch by Francis Dupont

    Signed-off-by: Patrick McHardy
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit cf9796ba9125e991f27b20dd984a23d52857bcbd
Author: Ananth N Mavinakayanahalli
Date:   Wed Mar 18 17:06:21 2009 +0530

    kprobes: Fix locking imbalance in kretprobes

    commit f02b8624fedca39886b0eef770dca70c2f0749b3 upstream.

    Fix locking imbalance in kretprobes:

    =====================================
    [ BUG: bad unlock balance detected! ]
    -------------------------------------
    kthreadd/2 is trying to release lock (&rp->lock) at:
    [] pre_handler_kretprobe+0xea/0xf4
    but there are no more locks to release!

    other info that might help us debug this:
    1 lock held by kthreadd/2:
     #0:  (rcu_read_lock){..--}, at: [] __atomic_notifier_call_chain+0x0/0x5a

    stack backtrace:
    Pid: 2, comm: kthreadd Not tainted 2.6.29-rc8 #1
    Call Trace:
     [] ? printk+0xf/0x17
     [] ? pre_handler_kretprobe+0xea/0xf4
     [] print_unlock_inbalance_bug+0xc3/0xce
     [] ? clocksource_read+0x7/0xa
     [] ? getnstimeofday+0x5f/0xf6
     [] ? register_lock_class+0x17/0x293
     [] ? mark_lock+0x1e/0x30b
     [] ? tick_dev_program_event+0x4a/0xbc
     [] ? __slab_alloc+0xa5/0x415
     [] ? pre_handler_kretprobe+0x28/0xf4
     [] ? pre_handler_kretprobe+0xea/0xf4
     [] lock_release_non_nested+0xa4/0x1a5
     [] ? pre_handler_kretprobe+0xea/0xf4
     [] lock_release+0x141/0x166
     [] _spin_unlock_irqrestore+0x19/0x50
     [] pre_handler_kretprobe+0xea/0xf4
     [] kprobe_exceptions_notify+0x1c9/0x43e
     [] notifier_call_chain+0x26/0x48
     [] __atomic_notifier_call_chain+0x37/0x5a
     [] ? __atomic_notifier_call_chain+0x0/0x5a
     [] atomic_notifier_call_chain+0xc/0xe
     [] notify_die+0x2d/0x2f
     [] do_int3+0x1f/0x71
     [] int3+0x2c/0x34
     [] ? do_fork+0x1/0x288
     [] ? kernel_thread+0x71/0x79
     [] ? kthread+0x0/0x60
     [] ? kthread+0x0/0x60
     [] ? kernel_thread_helper+0x0/0x10
     [] kthreadd+0xac/0x148
     [] ? kthreadd+0x0/0x148
     [] kernel_thread_helper+0x7/0x10

    Signed-off-by: Ananth N Mavinakayanahalli
    Tested-by: Bharata B Rao
    Cc: Masami Hiramatsu
    Cc: Jim Keniston
    Cc: Linus Torvalds
    Cc: Andrew Morton
    LKML-Reference: <20090318113621.GB4129@in.ibm.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit fb70b5af2a48db2d1b2f3de7f06672d1d0ba7a89
Author: Jean Delvare
Date:   Wed Apr 22 00:49:51 2009 -0700

    net/netrom: Fix socket locking

    upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab

    Patch "af_rose/x25: Sanity check the maximum user frame size" (commit
    83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got locking
    wrong. If we bail out due to user frame size being too large, we must
    unlock the socket beforehand.

    Signed-off-by: Jean Delvare
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 9478d6fd5f764369da3457c9a5c74855d34262e4
Author: Alan Cox
Date:   Fri Mar 27 00:28:21 2009 -0700

    af_rose/x25: Sanity check the maximum user frame size

    upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9

    CVE-2009-0795.

    Otherwise we can wrap the sizes and end up sending garbage.

    Closes #10423

    Signed-off-by: Alan Cox
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 6f34347a7993c9b9c1b4f131801937ec0284e016
Author: Wu Fengguang
Date:   Fri Apr 3 04:35:14 2009 +0000

    vfs: skip I_CLEAR state inodes

    upstream commit: b6fac63cc1f52ec27f29fe6c6c8494a2ffac33fd

    clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do
    so _outside_ of inode_lock. So any I_FREEING testing is incomplete
    without a coupled testing of I_CLEAR.

    So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes()
    and add_dquot_ref().

    Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara
    reminds us to fix the other two cases.

    Masayoshi MIZUMA has a nice panic flow:

    =====================================================================
    [process A]                   |           [process B]
     |                            |            |
     prune_icache()               |           drop_pagecache()
      spin_lock(&inode_lock)      |            drop_pagecache_sb()
      inode->i_state |= I_FREEING;|             |
      spin_unlock(&inode_lock)    |             V
       |                          |            spin_lock(&inode_lock)
       V                          |             |
      dispose_list()              |             |
       list_del()                 |             |
       clear_inode()              |             |
        inode->i_state = I_CLEAR  |             |
        |                         |             V
        |                         |            if (inode->i_state & (I_FREEING|I_WILL_FREE))
        |                         |                    continue;           <==== NOT MATCH
        |                         |             |
        |                         |            (DANGER from here on! Accessing disposing inode!)
        |                         |             |
        |                         |            __iget()
        |                         |            list_move()                 <===== PANIC on poisoned list !!
       V                          V
     (time)
    =====================================================================

    Reported-by: Masayoshi MIZUMA
    Reviewed-by: Jan Kara
    Signed-off-by: Wu Fengguang
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    [chrisw: backport to 2.6.29]
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 9f029c069678d751aee1159f5a6813acd7ae9e7e
Author: Martin Schwidefsky
Date:   Fri Apr 3 04:35:12 2009 +0000

    mm: do_xip_mapping_read: fix length calculation

    upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8

    The calculation of the value nr in do_xip_mapping_read is incorrect. If
    the copy required more than one iteration in the do while loop the
    copies variable will be non-zero. The maximum length that may be passed
    to the call to copy_to_user(buf+copied, xip_mem+offset, nr) is
    len-copied but the check only compares against (nr > len).

    This bug is the cause for the heap corruption Carsten has been chasing
    for so long:

    *** glibc detected *** /bin/bash: free(): invalid next size (normal): 0x00000000800e39f0 ***
    ======= Backtrace: =========
    /lib64/libc.so.6[0x200000b9b44]
    /lib64/libc.so.6(cfree+0x8e)[0x200000bdade]
    /bin/bash(free_buffered_stream+0x32)[0x80050e4e]
    /bin/bash(close_buffered_stream+0x1c)[0x80050ea4]
    /bin/bash(unset_bash_input+0x2a)[0x8001c366]
    /bin/bash(make_child+0x1d4)[0x8004115c]
    /bin/bash[0x8002fc3c]
    /bin/bash(execute_command_internal+0x656)[0x8003048e]
    /bin/bash(execute_command+0x5e)[0x80031e1e]
    /bin/bash(execute_command_internal+0x79a)[0x800305d2]
    /bin/bash(execute_command+0x5e)[0x80031e1e]
    /bin/bash(reader_loop+0x270)[0x8001efe0]
    /bin/bash(main+0x1328)[0x8001e960]
    /lib64/libc.so.6(__libc_start_main+0x100)[0x200000592a8]
    /bin/bash(clearerr+0x5e)[0x8001c092]

    With this bug fix the commit 0e4a9b59282914fe057ab17027f55123964bc2e2
    "ext2/xip: refuse to change xip flag during remount with busy inodes"
    can be removed again.

    Cc: Carsten Otte
    Cc: Nick Piggin
    Cc: Jared Hulbert
    Signed-off-by: Martin Schwidefsky
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 36cb7b50ee14945f41d0493daa186e2372b9a3e6
Author: Lee Schermerhorn
Date:   Fri Apr 3 04:35:10 2009 +0000

    mm: define a UNIQUE value for AS_UNEVICTABLE flag

    upstream commit: 9a896c9a48ac6704c0ce8ee081b836644d0afe40

    A new "address_space flag"--AS_MM_ALL_LOCKS--was defined to use the next
    available AS flag while the Unevictable LRU was under development. The
    Unevictable LRU was using the same flag and "no one" noticed. Current
    mainline, since 2.6.28, has the same value for two symbolic flag names.

    So, define a unique flag value for AS_UNEVICTABLE--up close to the other
    flags, [at the cost of an additional #ifdef] so we'll notice next time.
    Note that #ifdef is not actually required, if we don't mind having the
    unused flag value defined.

    Replace #defines with an enum.

    Signed-off-by: Lee Schermerhorn
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit e3e11cd276c1b93c1dea3b94e0225c5cff7c94d7
Author: Dan Carpenter
Date:   Mon Apr 6 23:56:46 2009 -0400

    dock: fix dereference after kfree()

    upstream commit: f240729832dff3785104d950dad2d3ced4387f6d

    dock_remove() calls kfree() on dock_station so we should use
    list_for_each_entry_safe() to avoid dereferencing freed memory.

    Found by smatch (http://repo.or.cz/w/smatch.git/). Compile tested.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Len Brown
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit bce68d7679d3441f41ff97fba07bb1c47f9bc0c6
Author: Michael K. Johnson
Date:   Wed Apr 1 20:40:02 2009 +0000

    x86, setup: mark %esi as clobbered in E820 BIOS call

    upstream commit: 01522df346f846906eaf6ca57148641476209909

    Jordan Hargrave diagnosed a BIOS clobbering %esi in the E820 call. That
    particular BIOS has been fixed, but there is a possibility that this is
    responsible for other occasional reports of early boot failure, and it
    does not hurt to add %esi to the clobbers. -stable candidate patch.

    Cc: Justin Forbes
    Signed-off-by: Michael K Johnson
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 42354485a028e31fad51ba86eb6958ce42045343
Author: Etienne Basset
Date:   Tue Mar 31 23:54:11 2009 +0200

    security/smack: fix oops when setting a size 0 SMACK64 xattr

    upstream commit: 4303154e86597885bc3cbc178a48ccbc8213875f

    This patch fixes an oops in smack when setting a size 0 SMACK64 xattr,
    eg

      attr -S -s SMACK64 -V '' somefile

    This oopses because smk_import_entry treats a 0 length as SMK_MAXLEN

    Signed-off-by: Etienne Basset
    Reviewed-by: James Morris
    Acked-by: Casey Schaufler
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 32c4e663de535b524a9c6c9e7b0ab85371097f5e
Author: Andreas Herrmann
Date:   Mon Mar 30 18:50:32 2009 +0000

    x86: mtrr: don't modify RdDram/WrDram bits of fixed MTRRs

    upstream commit: 3ff42da5048649503e343a32be37b14a6a4e8aaf

    Impact: bug fix + BIOS workaround

    BIOS is expected to clear the SYSCFG[MtrrFixDramModEn] on AMD CPUs after
    fixed MTRRs are configured.

    Some BIOSes do not clear SYSCFG[MtrrFixDramModEn] on BP (and on APs).

    This can lead to obfuscation in Linux when this bit is not cleared on
    BP but cleared on APs. A consequence of this is that the saved
    fixed-MTRR state (from BP) differs from the fixed-MTRRs of APs --
    because RdDram/WrDram bits are read as zero when
    SYSCFG[MtrrFixDramModEn] is cleared -- and Linux tries to sync
    fixed-MTRR state from BP to AP. This implies that Linux sets
    SYSCFG[MtrrFixDramEn] and activates those bits.

    More important is that (some) systems change these bits in SMM when ACPI
    is enabled. Hence it is racy if Linux modifies RdMem/WrMem bits, too.

    (1) The patch modifies an old fix from Bernhard Kaindl to get
        suspend/resume working on some Acer Laptops. Bernhard's patch tried
        to sync RdMem/WrMem bits of fixed MTRR registers and that helped on
        those old Laptops. (Don't ask me why -- can't test it myself). But
        this old problem was not the motivation for the patch. (See
        http://lkml.org/lkml/2007/4/3/110)

    (2) The more important effect is to fix issues on some more current
        systems.

        On those systems Linux panics or just freezes, see

        http://bugzilla.kernel.org/show_bug.cgi?id=11541
        (and also duplicates of this bug:
        http://bugzilla.kernel.org/show_bug.cgi?id=11737
        http://bugzilla.kernel.org/show_bug.cgi?id=11714)

        The affected systems boot only using acpi=ht, acpi=off or when the
        kernel is built with CONFIG_MTRR=n.

        The acpi options prevent full enablement of ACPI. Obviously when
        ACPI is enabled the BIOS/SMM modifies RdMem/WrMem bits. When
        CONFIG_MTRR=y Linux also accesses and modifies those bits when it
        needs to sync fixed-MTRRs across cores (Bernhard's fix, see (1)).
        How do you synchronize that? You can't. As a consequence Linux
        shouldn't touch those bits at all (Rationale are AMD's BKDGs which
        recommend to clear the bit that makes RdMem/WrMem accessible). This
        is the purpose of this patch. And (so far) this suffices to fix (1)
        and (2).

    I suggest not to touch RdDram/WrDram bits of fixed-MTRRs and
    SYSCFG[MtrrFixDramEn] and to clear SYSCFG[MtrrFixDramModEn] as
    suggested by AMD K8, and AMD family 10h/11h BKDGs. BIOS is expected to
    do this anyway. This should avoid that Linux and SMM tread on each
    other's toes ...

    Signed-off-by: Andreas Herrmann
    Cc: trenn@suse.de
    Cc: Yinghai Lu
    LKML-Reference: <20090312163937.GH20716@alberich.amd.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 6eee1bbad1c39396bcfc2add3fd5bde5b1e7c561
Author: Venkatesh Pallipadi
Date:   Mon Mar 30 18:50:19 2009 +0000

    x86, PAT, PCI: Change vma prot in pci_mmap to reflect inherited prot

    upstream commit: 9cdec049389ce2c324fd1ec508a71528a27d4a07

    While looking at the issue in the thread:

      http://marc.info/?l=dri-devel&m=123606627824556&w=2

    noticed a bug in pci PAT code and memory type setting.

    PCI mmap code did not set the proper protection in vma, when it
    inherited protection in reserve_memtype. This bug only affects the case
    where there exists a WC mapping before X does an mmap with /proc or /sys
    pci interface. This will cause X userlevel mmap from /proc or /sysfs to
    fail on fork.

    Reported-by: Kevin Winchester
    Signed-off-by: Venkatesh Pallipadi
    Signed-off-by: Suresh Siddha
    Cc: Jesse Barnes
    Cc: Dave Airlie
    LKML-Reference: <20090323190720.GA16831@linux-os.sc.intel.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 1fc27e2ba0b0af45b10bb63abaf24b94b469c5a2
Author: Dan Carpenter
Date:   Mon Mar 30 18:50:16 2009 +0000

    Add a missing unlock_kernel() in raw_open()

    upstream commit: 996ff68d8b358885c1de82a45517c607999947c7

    Signed-off-by: Dan Carpenter
    Signed-off-by: Jonathan Corbet
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit fd460577ce2d8a027154afacebb6c00d556bde17
Author: Steve French
Date:   Thu Mar 26 23:05:15 2009 +0000

    CIFS: Fix memory overwrite when saving nativeFileSystem field during mount

    upstream commit: b363b3304bcf68c4541683b2eff70b29f0446a5b

    CIFS can allocate a few bytes too little for the nativeFileSystem field
    during tree connect response processing during mount. This can result
    in a "Redzone overwritten" message to be logged.

    Signed-off-by: Sridhar Vinay
    Acked-by: Shirish Pargaonkar
    Signed-off-by: Steve French
    [chrisw: minor backport to CHANGES file]
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 9e0ed472981a24acaea2f10b1c17238ccd898bc7
Author: Lorenzo Nava
Date:   Sat Mar 28 01:45:06 2009 +0000

    b43: fix b43_plcp_get_bitrate_idx_ofdm return type

    upstream commit: a3c0b87c4f21911fb7185902dd13f0e3cd7f33f7

    This patch fixes the return type of b43_plcp_get_bitrate_idx_ofdm. If
    the plcp contains an error, the function return value is 255 instead of
    -1, and the packet was not dropped. This causes a warning in
    __ieee80211_rx function because rate idx is out of range.

    Signed-off-by: Lorenzo Nava
    Signed-off-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d5496f8996e53b6a6841c9bf1889d04dbcfc55b3
Author: Jeff Layton
Date:   Thu Mar 26 23:05:21 2009 +0000

    cifs: fix buffer format byte on NT Rename/hardlink

    upstream commit: fcc7c09d94be7b75c9ea2beb22d0fae191c6b4b9

    Discovered at Connectathon 2009...

    The buffer format byte and the pad are transposed in NT_RENAME calls
    (which are used to set hardlinks). Most servers seem to ignore this
    fact, but NetApp filers throw back an error due to this problem.

    This patch fixes it.

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d5e252c5a10b951763b6fcfe3dac447e23222792
Author: Alan Stern
Date:   Thu Mar 26 18:25:19 2009 +0000

    USB: add quirk to avoid config and interface strings

    upstream commit: 1662e3a7f076e51e3073faf9ce77157b529c475b

    Apparently the Configuration and Interface strings aren't used as often
    as the Vendor, Product, and Serial strings. In at least one device (a
    Saitek Cyborg Gold 3D joystick), attempts to read the Configuration
    string cause the device to stop responding to Control requests.

    This patch (as1226) adds a quirks flag, telling the kernel not to read a
    device's Configuration or Interface strings, together with a new quirk
    for the offending joystick.

    Reported-by: Melchior FRANZ
    Tested-by: Melchior FRANZ
    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 7ad5f44e85cfc8d5ecc5fb98b9d53e0c1906b9ee
Author: David Brownell
Date:   Thu Mar 26 18:25:12 2009 +0000

    USB: gadget: fix rndis regression

    upstream commit: 090b90118207e786d2990310d063fda5d52cce6e

    Restore some code that was wrongly dropped from the RNDIS driver, and
    caused interop problems observed with OpenMoko. The issue is with
    hardware which needs help conforming to part of the USB 2.0 spec
    (section 8.5.3.2); some can automagically send a ZLP in response to an
    unexpected IN, but not all chips will do that.

    We don't need to check the packet length ourselves the way earlier code
    did, since the UDC must already check it. But we do need to tell the
    UDC when it must force a short packet termination of the data stage.

    (Based on a patch from Aric D. Blumer )

    Signed-off-by: David Brownell
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 0365bc913201d9012bcf0c0c9b5448dfb3673204
Author: Alan Stern
Date:   Thu Mar 26 18:25:09 2009 +0000

    USB: usb-storage: increase max_sectors for tape drives

    upstream commit: 5c16034d73da2c1b663aa25dedadbc533b3d811c

    This patch (as1203) increases the max_sector limit for USB tape drives.
    By default usb-storage sets max_sectors to 240 (i.e., 120 KB) for all
    devices. But tape drives need a higher limit, since tapes can and do
    have very large block sizes. Without the ability to transfer an entire
    large block in a single command, such tapes can't be used.

    This fixes Bugzilla #12207.

    Signed-off-by: Alan Stern
    Reported-and-tested-by: Phil Mitchell
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit 3f4106cae25c59d405963c2e1326ecccc312839b
Author: Boaz Harrosh
Date:   Thu Mar 26 18:25:07 2009 +0000

    USB: fix USB_STORAGE_CYPRESS_ATACB

    upstream commit: 1f4159c1620f74377e26d8a569d10ca5907ef475

    commit 64a87b24: [SCSI] Let scsi_cmnd->cmnd use request->cmd buffer
    changed the scsi_eh_prep_cmnd logic by making it clear the ->cmnd
    buffer. But the sat to cypress atacb translation supposed the ->cmnd
    buffer wasn't modified.

    This patch makes it set the ->cmnd buffer after scsi_eh_prep_cmnd call.

    The problem and a fix was reported by Matthieu CASTET

    It also removes all the hackery fiddling of scsi_cmnd and scsi_eh_save
    by requesting from scsi_eh_prep_cmnd to prepare a read into
    ->sense_buffer, which is much more suitable a buffer for HW transfers,
    then after the command execution the regs read is copied into regs
    buffer before actual preparation of sense_buffer.

    Also fix an alien comment character to my utf-8 editor.

    Signed-off-by: Boaz Harrosh
    Signed-off-by: Matthieu CASTET
    Cc: stable
    Cc: James Bottomley
    Cc: Matthew Dharm
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit eb11b91ac6f877f7f3eb5794ac0c82418a18bfd3
Author: Alan Stern
Date:   Thu Mar 26 18:25:05 2009 +0000

    USB: EHCI: add software retry for transaction errors

    upstream commit: a2c2706e1043c17139c2dafd171c4a5cf008ef7e

    This patch (as1204) adds a software retry mechanism to ehci-hcd. It gets
    invoked when the driver encounters transaction errors on an asynchronous
    endpoint. On many systems, hardware deficiencies cause such errors to
    occur if one device is unplugged while the host is communicating with
    another device. With the patch, the failed transactions are retried and
    generally succeed the second or third time through.

    This is based on code originally written by Koichiro Saito.

    Signed-off-by: Alan Stern
    Tested by: Koichiro Saito
    CC: David Brownell
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit e555465a98d259a923999245010c45f46a823b68
Author: Tilman Schmidt
Date:   Wed Apr 15 03:25:43 2009 -0700

    bas_gigaset: correctly allocate USB interrupt transfer buffer

    [ Upstream commit 170ebf85160dd128e1c4206cc197cce7d1424705 ]

    Every USB transfer buffer has to be allocated individually by kmalloc.

    Impact: bugfix, no functional change

    Signed-off-by: Tilman Schmidt
    Tested-by: Kolja Waschk
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit aa9c1ad9dedf3608e1449c65579001b27e573e18
Author: Stephen Hemminger
Date:   Wed Mar 25 21:01:47 2009 -0700

    bridge: bad error handling when adding invalid ether address

    [ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ]

    This fixes a crash when an empty bond device is added to a bridge. If an
    interface with an invalid ethernet address (all zero) is added to a
    bridge, then bridge code detects it when setting up the forward
    database entry. But the error unwind is broken, the bridge port object
    can get freed twice: once when ref count went to zero, and once by
    kfree. Since the object is never really accessible, just free it.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 167b397eb1dd142f14855357d692f98c3e0c0538
Author: Chuck Ebbert
Date:   Fri Mar 27 00:22:01 2009 -0700

    xfrm: spin_lock() should be spin_unlock() in xfrm_state.c

    [ Upstream commit 7d0b591c655ca0d72ebcbd242cf659a20a8995c5 ]

    spin_lock() should be spin_unlock() in xfrm_state_walk_done().

    caused by:
    commit 12a169e7d8f4b1c95252d8b04ed0f1033ed7cfe2
    "ipsec: Put dumpers on the dump list"

    Reported-by: Marc Milgram
    Signed-off-by: Chuck Ebbert
    Signed-off-by: David S. Miller

commit e4030ba95e9f00b02e71a1018862164bc48768ab
Author: Mark H. Weaver
Date:   Mon Mar 23 13:46:12 2009 +0100

    netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack

    [ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ]

    This patch fixes an unaligned memory access in tcp_sack while reading
    sequence numbers from TCP selective acknowledgement options.

    Prior to applying this patch, upstream linux-2.6.27.20 was
    occasionally generating messages like this on my sparc64 system:

    [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00

    Acked-by: David S. Miller
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 147ef5ab74fb71f9bc088962e1a09213096edeb6
Author: Jesper Nilsson
Date:   Fri Mar 27 00:17:45 2009 -0700

    ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c)

    [ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ]

    Commit 778d80be52699596bf70e0eb0761cf5e1e46088d (ipv6: Add
    disable_ipv6 sysctl to disable IPv6 operation on specific interface)
    seems to have introduced a leak of sk_buff's for ipv6 traffic, at
    least in some configurations where idev is NULL, or when ipv6 is
    disabled via sysctl.

    The problem is that if the first condition of the if-statement returns
    non-NULL, it returns an skb with only one reference, and when the
    other conditions apply, execution jumps to the "out" label, which does
    not call kfree_skb for it.

    To plug this leak, change to use the "drop" label instead. (This
    relies on it being ok to call kfree_skb on NULL.) This also allows us
    to avoid calling rcu_read_unlock here, and removes the only user of
    the "out" label.

    Signed-off-by: Jesper Nilsson
    Signed-off-by: David S. Miller
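The tcp_sack commit above fixes a misaligned load of SACK sequence numbers. TCP options are byte-packed, so a 32-bit field can land at any offset; dereferencing it through a `uint32_t *` is only safe when the pointer is 4-byte aligned, and sparc64 traps when it is not. The example below is an added illustration of the alignment-safe way to read such a field (assembling the value byte by byte), written for this page; it is not the kernel's own `tcp_sack()` code. The option bytes, the `parse_sack` and `load_be32` names, and the deliberate odd-offset placement in `main` are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5

#define MAX_SACK_BLOCKS 4   /* the most that fit in 40 bytes of TCP options */

struct sack_block {
    uint32_t left;   /* first sequence number covered by the block */
    uint32_t right;  /* one past the last sequence number covered */
};

/*
 * Alignment-safe big-endian 32-bit load. Building the value from the
 * individual bytes is correct on every architecture regardless of where
 * p points, whereas *(const uint32_t *)p is only valid for 4-byte-aligned
 * p (sparc64 traps, other CPUs may silently fix it up or return garbage).
 */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Walk len bytes of TCP options and copy up to max SACK blocks into out.
 * Returns the number of blocks found, or -1 if the options are malformed
 * (an option running past the end of the buffer, or a SACK option whose
 * length is not 2 + 8*n with n >= 1).
 */
int parse_sack(const uint8_t *opts, size_t len, struct sack_block *out, int max)
{
    size_t i = 0;
    int n = 0;

    while (i < len) {
        uint8_t kind = opts[i];
        size_t optlen;

        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)                 /* kind byte without a length byte */
            return -1;
        optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len)
            return -1;

        if (kind == TCPOPT_SACK) {
            size_t body = optlen - 2;
            const uint8_t *p = opts + i + 2;

            if (body == 0 || body % 8 != 0)
                return -1;
            for (; body >= 8 && n < max; body -= 8, p += 8, n++) {
                out[n].left  = load_be32(p);
                out[n].right = load_be32(p + 4);
            }
        }
        i += optlen;
    }
    return n;
}

/* Constructed sample options: NOP, NOP, SACK (length 18) with two blocks. */
#define SAMPLE_OPTIONS_LEN 20
static const uint8_t sample_options[SAMPLE_OPTIONS_LEN] = {
    TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 18,
    0x00, 0x00, 0x10, 0x00,   0x00, 0x00, 0x14, 0x00,   /* 4096 .. 5120 */
    0x00, 0x00, 0x20, 0x00,   0x00, 0x00, 0x24, 0x00,   /* 8192 .. 9216 */
};

int main(void)
{
    /* Copy the options to an odd offset so every sequence number is
     * misaligned: the case a cast-and-dereference parser would trap on. */
    uint8_t buf[SAMPLE_OPTIONS_LEN + 1];
    struct sack_block blocks[MAX_SACK_BLOCKS];
    int n, k;

    memcpy(buf + 1, sample_options, SAMPLE_OPTIONS_LEN);
    n = parse_sack(buf + 1, SAMPLE_OPTIONS_LEN, blocks, MAX_SACK_BLOCKS);
    for (k = 0; k < n; k++)
        printf("SACK block %d: %u-%u\n", k, blocks[k].left, blocks[k].right);
    return n < 0;
}
```

The length checks matter as much as the byte-wise load: a parser that trusts the option length byte can read past the end of the packet, so both the "option runs past the buffer" and the "SACK body is not a multiple of 8" cases are rejected before any sequence number is read.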
    Signed-off-by: Greg Kroah-Hartman

commit b0bc360ef22df5239c4de5d1bb45d795bbcb5db3
Author: Pavel Emelyanov
Date:   Thu Feb 26 03:35:13 2009 -0800

    ipv6: don't use tw net when accounting for recycled tw

    [ Upstream commit 3f53a38131a4e7a053c0aa060aba0411242fb6b9 ]

    We already have a valid net in that place, but this is not just a
    cleanup: the tw pointer can be NULL there sometimes, thus causing an
    oops in the NET_NS=y case.

    The same place in the ipv4 code already works correctly using the
    existing net, rather than tw's one.

    The bug exists since 2.6.27.

    Signed-off-by: Pavel Emelyanov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 47a520e8e3f15e8d8ad4103b7a4ae615d8ca5512
Author: Al Viro
Date:   Wed Mar 18 19:12:42 2009 -0700

    net: fix sctp breakage

    [ Upstream commit cb0dc77de0d23615a845e45844a2e22fc224d7fe ]

    broken by commit 5e739d1752aca4e8f3e794d431503bfca3162df4; AFAICS
    should be -stable fodder as well...

    Signed-off-by: Al Viro
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8d8d56cf87ff0cb75746535e8025265dc85bc201
Author: Jay Vosburgh
Date:   Sat Apr 4 17:23:15 2009 -0700

    bonding: Fix updating of speed/duplex changes

    [ Upstream commit 17d04500e2528217de5fe967599f98ee84348a9c ]

    This patch corrects an omission from the following commit:

        commit f0c76d61779b153dbfb955db3f144c62d02173c2
        Author: Jay Vosburgh
        Date:   Wed Jul 2 18:21:58 2008 -0700

            bonding: refactor mii monitor

    The un-refactored code checked the link speed and duplex of every
    slave on every pass; the refactored code did not do so. The 802.3ad
    and balance-alb/tlb modes utilize the speed and duplex information,
    and require it to be kept up to date.

    This patch adds a notifier check to perform the appropriate updating
    when the slave device speed changes.

    Signed-off-by: Jay Vosburgh
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
