rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux 3.2.10

This commit is contained in:
Justin M. Forbes 2012-03-13 00:24:38 -05:00
parent e95ee579d9
commit 2eb45048c7
8 changed files with 6 additions and 411 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
bsg-fix-sysfs-link-remove-warning.patch
View File

@ -1,16 +0,0 @@
diff --git a/block/bsg.c b/block/bsg.c
index 4cf703f..ff64ae3 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -983,7 +983,8 @@ void bsg_unregister_queue(struct request_queue *q)
mutex_lock(&bsg_mutex);
idr_remove(&bsg_minor_idr, bcd->minor);
- sysfs_remove_link(&q->kobj, "bsg");
+ if (q->kobj.sd)
+ sysfs_remove_link(&q->kobj, "bsg");
device_unregister(bcd->class_dev);
bcd->class_dev = NULL;
kref_put(&bcd->ref, bsg_kref_release_function);
--
1.7.4.4

61
cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
View File

@ -1,61 +0,0 @@
From 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@redhat.com>
Date: Thu, 23 Feb 2012 09:37:45 -0500
Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
The cifs code will attempt to open files on lookup under certain
circumstances. What happens though if we find that the file we opened
was actually a FIFO or other special file?
Currently, the open filehandle just ends up being leaked leading to
a dentry refcount mismatch and oops on umount. Fix this by having the
code close the filehandle on the server if it turns out not to be a
regular file. While we're at it, change this spaghetti if statement
into a switch too.
Cc: stable@vger.kernel.org
Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: CAI Qian <caiqian@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
---
fs/cifs/dir.c | 20 ++++++++++++++++++--
1 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 63a196b..bc7e244 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
* If either that or op not supported returned, follow
* the normal lookup.
*/
- if ((rc == 0) || (rc == -ENOENT))
+ switch (rc) {
+ case 0:
+ /*
+ * The server may allow us to open things like
+ * FIFOs, but the client isn't set up to deal
+ * with that. If it's not a regular file, just
+ * close it and proceed as if it were a normal
+ * lookup.
+ */
+ if (newInode && !S_ISREG(newInode->i_mode)) {
+ CIFSSMBClose(xid, pTcon, fileHandle);
+ break;
+ }
+ case -ENOENT:
posix_open = true;
- else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
+ case -EOPNOTSUPP:
+ break;
+ default:
pTcon->broken_posix_open = true;
+ }
}
if (!posix_open)
rc = cifs_get_inode_info_unix(&newInode, full_path,
--
1.7.0.4

39
kernel.spec
View File

@ -42,7 +42,7 @@ Summary: The Linux kernel
# When changing real_sublevel below, reset this by hand to 1
# (or to 0 and then use rpmdev-bumpspec).
#
%global baserelease 4
%global baserelease 1
%global fedora_build %{baserelease}
# real_sublevel is the 3.x kernel version we're starting with
@ -51,7 +51,7 @@ Summary: The Linux kernel
%define fake_sublevel %(echo $((40 + %{real_sublevel})))
# Do we have a -stable update to apply?
%define stable_update 9
%define stable_update 10
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -617,7 +617,6 @@ Patch1500: fix_xen_guest_on_old_EC2.patch
Patch1810: drm-nouveau-updates.patch
# intel drm is all merged upstream
Patch1824: drm-intel-next.patch
Patch1825: drm-intel-crtc-dpms-fix.patch
# hush the i915 fbc noise
Patch1826: drm-i915-fbc-stfu.patch
@ -643,8 +642,6 @@ Patch3500: jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
Patch12016: disable-i8042-check-on-apple-mac.patch
Patch12026: bsg-fix-sysfs-link-remove-warning.patch
Patch12303: dmar-disable-when-ricoh-multifunction.patch
Patch13002: revert-efi-rtclock.patch
@ -715,25 +712,12 @@ Patch21101: hpsa-add-irqf-shared.patch
#rhbz 727865 730007
Patch21102: ACPICA-Fix-regression-in-FADT-revision-checks.patch
# rhbz 798296
Patch21103: cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
#rhbz 728478
Patch21104: sony-laptop-Enable-keyboard-backlight-by-default.patch
# Disable threading in hibernate compression
Patch21105: disable-threading-in-compression-for-hibernate.patch
#rhbz 799782 CVE-2012-1097
Patch21106: regset-Prevent-null-pointer-reference-on-readonly-re.patch
Patch21107: regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
#rhbz 786632
Patch21108: mm-thp-fix-BUG-on-mm-nr_ptes.patch
#rhbz 800817
Patch21109: mm-memcg-Correct-unregistring-of-events-attached-to-.patch
Patch21110: x86-ioapic-add-register-checks-for-bogus-io-apic-entries.patch
Patch21200: unhandled-irqs-switch-to-polling.patch
@ -1262,7 +1246,6 @@ ApplyOptionalPatch drm-nouveau-updates.patch
# Intel DRM
ApplyOptionalPatch drm-intel-next.patch
ApplyPatch drm-intel-crtc-dpms-fix.patch
ApplyPatch drm-i915-fbc-stfu.patch
ApplyPatch linux-2.6-intel-iommu-igfx.patch
@ -1281,8 +1264,6 @@ ApplyOptionalPatch linux-2.6-v4l-dvb-experimental.patch
ApplyPatch disable-i8042-check-on-apple-mac.patch
ApplyPatch bsg-fix-sysfs-link-remove-warning.patch
# rhbz#605888
ApplyPatch dmar-disable-when-ricoh-multifunction.patch
@ -1346,29 +1327,16 @@ ApplyPatch bcma-brcmsmac-compat.patch
#rhbz 727865 730007
ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch
# rhbz 798296
ApplyPatch cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
#rhbz 728478
ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch
#Disable threading in hibernate compression
ApplyPatch disable-threading-in-compression-for-hibernate.patch
#rhbz 799782 CVE-2012-1097
ApplyPatch regset-Prevent-null-pointer-reference-on-readonly-re.patch
ApplyPatch regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
ApplyPatch unhandled-irqs-switch-to-polling.patch
ApplyPatch weird-root-dentry-name-debug.patch
#rhbz 786632
ApplyPatch mm-thp-fix-BUG-on-mm-nr_ptes.patch
#rhbz 800817
ApplyPatch mm-memcg-Correct-unregistring-of-events-attached-to-.patch
ApplyPatch x86-ioapic-add-register-checks-for-bogus-io-apic-entries.patch
# END OF PATCH APPLICATIONS
@ -2018,6 +1986,9 @@ fi
# and build.
%changelog
* Mon Mar 12 2012 Justin M. Forbes <jforbes@redhat.com> - 2.6.42.10-1
- Linux 3.2.10
* Mon Mar 12 2012 Josh Boyer <jwboyer@redhat.com>
- Add patch to ignore bogus io-apic entries (rhbz 801501)

69
mm-memcg-Correct-unregistring-of-events-attached-to-.patch
View File

@ -1,69 +0,0 @@
From 371528caec553785c37f73fa3926ea0de84f986f Mon Sep 17 00:00:00 2001
From: Anton Vorontsov <anton.vorontsov@linaro.org>
Date: Fri, 24 Feb 2012 05:14:46 +0400
Subject: [PATCH] mm: memcg: Correct unregistring of events attached to the
same eventfd
There is an issue when memcg unregisters events that were attached to
the same eventfd:
- On the first call mem_cgroup_usage_unregister_event() removes all
events attached to a given eventfd, and if there were no events left,
thresholds->primary would become NULL;
- Since there were several events registered, cgroups core will call
mem_cgroup_usage_unregister_event() again, but now kernel will oops,
as the function doesn't expect that threshold->primary may be NULL.
That's a good question whether mem_cgroup_usage_unregister_event()
should actually remove all events in one go, but nowadays it can't
do any better as cftype->unregister_event callback doesn't pass
any private event-associated cookie. So, let's fix the issue by
simply checking for threshold->primary.
FWIW, w/o the patch the following oops may be observed:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
RIP: 0010:[<ffffffff810be32c>] [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
RSP: 0018:ffff88001d0b9d60 EFLAGS: 00010246
Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
Call Trace:
[<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
[<ffffffff8103db94>] process_one_work+0x174/0x450
[<ffffffff8103e413>] worker_thread+0x123/0x2d0
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 6728a7a..228d646 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4414,6 +4414,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
*/
BUG_ON(!thresholds);
+ if (!thresholds->primary)
+ goto unlock;
+
usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
/* Check if a threshold crossed before removing */
@@ -4462,7 +4465,7 @@ swap_buffers:
/* To be sure that nobody uses thresholds */
synchronize_rcu();
-
+unlock:
mutex_unlock(&memcg->thresholds_lock);
}
--
1.7.7.6

121
mm-thp-fix-BUG-on-mm-nr_ptes.patch
View File

@ -1,121 +0,0 @@
On Thu, 16 Feb 2012, Andrea Arcangeli wrote:
> On Thu, Feb 16, 2012 at 01:53:04AM -0800, Hugh Dickins wrote:
> > Yes (and I think less troublesome than most BUGs, coming at exit
> > while not holding locks; though we could well make it a WARN_ON,
> > I don't think that existed back in the day).
>
> A WARN_ON would be fine with me, go ahead if you prefer it... only
> risk would be to go unnoticed or be underestimated. I am ok with the
> BUG_ON too (even if this time it triggered false positives... sigh).
>
> > Acked-by: Hugh Dickins <hughd@google.com>
>
> Thanks for the quick review!
>
> > In looking into the bug, it had actually bothered me a little that you
> > were setting aside those pages, yet not counting them into nr_ptes;
> > though the only thing that cares is oom_kill.c, and the count of pages
> > in each hugepage can only dwarf the count in nr_ptes (whereas, without
> > hugepages, it's possible to populate very sparsely and nr_ptes become
> > significant).
>
> Agreed, it's not significant either ways.
>
> Running my two primary systems with this applied for half a day and no
> problem so far so it should be good foro -mm at least.
And I've had no trouble running your patch since then (but I never hit
the bug it fixes either). But we've all forgottent about it, so let me
bring your patch back inline (I've added one introductory sentence) and
address to akpm...
From: Andrea Arcangeli <aarcange@redhat.com>
Subject: [PATCH] mm: thp: fix BUG on mm->nr_ptes
Dave Jones reports a few Fedora users hitting the BUG_ON(mm->nr_ptes...)
in exit_mmap() recently.
Quoting Hugh's discovery and explanation of the SMP race condition:
===
mm->nr_ptes had unusual locking: down_read mmap_sem plus
page_table_lock when incrementing, down_write mmap_sem (or mm_users 0)
when decrementing; whereas THP is careful to increment and decrement
it under page_table_lock.
Now most of those paths in THP also hold mmap_sem for read or write
(with appropriate checks on mm_users), but two do not: when
split_huge_page() is called by hwpoison_user_mappings(), and when
called by add_to_swap().
It's conceivable that the latter case is responsible for the
exit_mmap() BUG_ON mm->nr_ptes that has been reported on Fedora.
===
The simplest way to fix it without having to alter the locking is to
make split_huge_page() a noop in nr_ptes terms, so by counting the
preallocated pagetables that exists for every mapped hugepage. It was
an arbitrary choice not to count them and either way is not wrong or
right, because they are not used but they're still allocated.
Reported-by: Dave Jones <davej@redhat.com>
Reported-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
---
mm/huge_memory.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 91d3efb..8f7fc39 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -671,6 +671,7 @@ static int __do_huge_pmd_anonymous_page(struct mm_struct *mm,
set_pmd_at(mm, haddr, pmd, entry);
prepare_pmd_huge_pte(pgtable, mm);
add_mm_counter(mm, MM_ANONPAGES, HPAGE_PMD_NR);
+ mm->nr_ptes++;
spin_unlock(&mm->page_table_lock);
}
@@ -789,6 +790,7 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
pmd = pmd_mkold(pmd_wrprotect(pmd));
set_pmd_at(dst_mm, addr, dst_pmd, pmd);
prepare_pmd_huge_pte(pgtable, dst_mm);
+ dst_mm->nr_ptes++;
ret = 0;
out_unlock:
@@ -887,7 +889,6 @@ static int do_huge_pmd_wp_page_fallback(struct mm_struct *mm,
}
kfree(pages);
- mm->nr_ptes++;
smp_wmb(); /* make pte visible before pmd */
pmd_populate(mm, pmd, pgtable);
page_remove_rmap(page);
@@ -1047,6 +1048,7 @@ int zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
VM_BUG_ON(page_mapcount(page) < 0);
add_mm_counter(tlb->mm, MM_ANONPAGES, -HPAGE_PMD_NR);
VM_BUG_ON(!PageHead(page));
+ tlb->mm->nr_ptes--;
spin_unlock(&tlb->mm->page_table_lock);
tlb_remove_page(tlb, page);
pte_free(tlb->mm, pgtable);
@@ -1375,7 +1377,6 @@ static int __split_huge_page_map(struct page *page,
pte_unmap(pte);
}
- mm->nr_ptes++;
smp_wmb(); /* make pte visible before pmd */
/*
* Up to this point the pmd is present and huge and
@@ -1988,7 +1989,6 @@ static void collapse_huge_page(struct mm_struct *mm,
set_pmd_at(mm, address, pmd, _pmd);
update_mmu_cache(vma, address, _pmd);
prepare_pmd_huge_pte(pgtable, mm);
- mm->nr_ptes--;
spin_unlock(&mm->page_table_lock);
#ifndef CONFIG_NUMA

63
regset-Prevent-null-pointer-reference-on-readonly-re.patch
View File

@ -1,63 +0,0 @@
From c8e252586f8d5de906385d8cf6385fee289a825e Mon Sep 17 00:00:00 2001
From: "H. Peter Anvin" <hpa@zytor.com>
Date: Fri, 2 Mar 2012 10:43:48 -0800
Subject: [PATCH 1/2] regset: Prevent null pointer reference on readonly
regsets
The regset common infrastructure assumed that regsets would always
have .get and .set methods, but not necessarily .active methods.
Unfortunately people have since written regsets without .set methods.
Rather than putting in stub functions everywhere, handle regsets with
null .get or .set methods explicitly.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/binfmt_elf.c | 2 +-
include/linux/regset.h | 6 ++++++
2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index bcb884e..07d096c 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1421,7 +1421,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
for (i = 1; i < view->n; ++i) {
const struct user_regset *regset = &view->regsets[i];
do_thread_regset_writeback(t->task, regset);
- if (regset->core_note_type &&
+ if (regset->core_note_type && regset->get &&
(!regset->active || regset->active(t->task, regset))) {
int ret;
size_t size = regset->n * regset->size;
diff --git a/include/linux/regset.h b/include/linux/regset.h
index 8abee65..5150fd1 100644
--- a/include/linux/regset.h
+++ b/include/linux/regset.h
@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
{
const struct user_regset *regset = &view->regsets[setno];
+ if (!regset->get)
+ return -EOPNOTSUPP;
+
if (!access_ok(VERIFY_WRITE, data, size))
return -EIO;
@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
{
const struct user_regset *regset = &view->regsets[setno];
+ if (!regset->set)
+ return -EOPNOTSUPP;
+
if (!access_ok(VERIFY_READ, data, size))
return -EIO;
--
1.7.7.6

46
regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
View File

@ -1,46 +0,0 @@
From 5189fa19a4b2b4c3bec37c3a019d446148827717 Mon Sep 17 00:00:00 2001
From: "H. Peter Anvin" <hpa@zytor.com>
Date: Fri, 2 Mar 2012 10:43:49 -0800
Subject: [PATCH 2/2] regset: Return -EFAULT, not -EIO, on host-side memory
fault
There is only one error code to return for a bad user-space buffer
pointer passed to a system call in the same address space as the
system call is executed, and that is EFAULT. Furthermore, the
low-level access routines, which catch most of the faults, return
EFAULT already.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
include/linux/regset.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/regset.h b/include/linux/regset.h
index 5150fd1..686f373 100644
--- a/include/linux/regset.h
+++ b/include/linux/regset.h
@@ -339,7 +339,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
return -EOPNOTSUPP;
if (!access_ok(VERIFY_WRITE, data, size))
- return -EIO;
+ return -EFAULT;
return regset->get(target, regset, offset, size, NULL, data);
}
@@ -365,7 +365,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
return -EOPNOTSUPP;
if (!access_ok(VERIFY_READ, data, size))
- return -EIO;
+ return -EFAULT;
return regset->set(target, regset, offset, size, NULL, data);
}
--
1.7.7.6

2
sources
View File

@ -1,2 +1,2 @@
364066fa18767ec0ae5f4e4abcf9dc51 linux-3.2.tar.xz
3916159a999ee49cd6bd002556c629ad patch-3.2.9.xz
7481fa09f2efda915ed19a9da33a2e59 patch-3.2.10.xz