diff --git a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch deleted file mode 100644 index f0ecb03c0..000000000 --- a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch +++ /dev/null @@ -1,189 +0,0 @@ -From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001 -From: H. Peter Anvin -Date: Tue, 7 Sep 2010 16:16:18 -0700 -Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok() - -compat_alloc_user_space() expects the caller to independently call -access_ok() to verify the returned area. A missing call could -introduce problems on some architectures. - -This patch incorporates the access_ok() check into -compat_alloc_user_space() and also adds a sanity check on the length. -The existing compat_alloc_user_space() implementations are renamed -arch_compat_alloc_user_space() and are used as part of the -implementation of the new global function. - -This patch assumes NULL will cause __get_user()/__put_user() to either -fail or access userspace on all architectures. This should be -followed by checking the return value of compat_access_user_space() -for NULL in the callers, at which time the access_ok() in the callers -can also be removed. - -Reported-by: Ben Hawkes -Signed-off-by: H. Peter Anvin -Acked-by: Benjamin Herrenschmidt -Acked-by: Chris Metcalf -Acked-by: David S. Miller -Acked-by: Ingo Molnar -Acked-by: Thomas Gleixner -Acked-by: Tony Luck -Cc: Andrew Morton -Cc: Arnd Bergmann -Cc: Fenghua Yu -Cc: H. Peter Anvin -Cc: Heiko Carstens -Cc: Helge Deller -Cc: James Bottomley -Cc: Kyle McMartin -Cc: Martin Schwidefsky -Cc: Paul Mackerras -Cc: Ralf Baechle -Cc: ---- - arch/ia64/include/asm/compat.h | 2 +- - arch/mips/include/asm/compat.h | 2 +- - arch/parisc/include/asm/compat.h | 2 +- - arch/powerpc/include/asm/compat.h | 2 +- - arch/s390/include/asm/compat.h | 2 +- - arch/sparc/include/asm/compat.h | 2 +- - arch/x86/include/asm/compat.h | 2 +- - include/linux/compat.h | 3 +++ - kernel/compat.c | 21 +++++++++++++++++++++ - 10 files changed, 32 insertions(+), 8 deletions(-) - -diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h -index f90edc8..9301a28 100644 ---- a/arch/ia64/include/asm/compat.h -+++ b/arch/ia64/include/asm/compat.h -@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr) - } - - static __inline__ void __user * --compat_alloc_user_space (long len) -+arch_compat_alloc_user_space (long len) - { - struct pt_regs *regs = task_pt_regs(current); - return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len); -diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h -index 613f691..dbc5106 100644 ---- a/arch/mips/include/asm/compat.h -+++ b/arch/mips/include/asm/compat.h -@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = (struct pt_regs *) - ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1; -diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h -index 02b77ba..efa0b60 100644 ---- a/arch/parisc/include/asm/compat.h -+++ b/arch/parisc/include/asm/compat.h -@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static __inline__ void __user *compat_alloc_user_space(long len) -+static __inline__ void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = ¤t->thread.regs; - return (void __user *)regs->gr[30]; -diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h -index 396d21a..a11d4ea 100644 ---- a/arch/powerpc/include/asm/compat.h -+++ b/arch/powerpc/include/asm/compat.h -@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = current->thread.regs; - unsigned long usp = regs->gpr[1]; -diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h -index 104f200..a875c2f 100644 ---- a/arch/s390/include/asm/compat.h -+++ b/arch/s390/include/asm/compat.h -@@ -181,7 +181,7 @@ static inline int is_compat_task(void) - - #endif - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - unsigned long stack; - -diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h -index 5016f76..6f57325 100644 ---- a/arch/sparc/include/asm/compat.h -+++ b/arch/sparc/include/asm/compat.h -@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = current_thread_info()->kregs; - unsigned long usp = regs->u_regs[UREG_I6]; -diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h -index 306160e..1d9cd27 100644 ---- a/arch/x86/include/asm/compat.h -+++ b/arch/x86/include/asm/compat.h -@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) - return (u32)(unsigned long)uptr; - } - --static inline void __user *compat_alloc_user_space(long len) -+static inline void __user *arch_compat_alloc_user_space(long len) - { - struct pt_regs *regs = task_pt_regs(current); - return (void __user *)regs->sp - len; -diff --git a/include/linux/compat.h b/include/linux/compat.h -index 9ddc878..5778b55 100644 ---- a/include/linux/compat.h -+++ b/include/linux/compat.h -@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvector(int type, - const struct compat_iovec __user *uvector, unsigned long nr_segs, - unsigned long fast_segs, struct iovec *fast_pointer, - struct iovec **ret_pointer); -+ -+extern void __user *compat_alloc_user_space(unsigned long len); -+ - #endif /* CONFIG_COMPAT */ - #endif /* _LINUX_COMPAT_H */ -diff --git a/kernel/compat.c b/kernel/compat.c -index e167efc..c9e2ec0 100644 ---- a/kernel/compat.c -+++ b/kernel/compat.c -@@ -1126,3 +1126,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info) - - return 0; - } -+ -+/* -+ * Allocate user-space memory for the duration of a single system call, -+ * in order to marshall parameters inside a compat thunk. -+ */ -+void __user *compat_alloc_user_space(unsigned long len) -+{ -+ void __user *ptr; -+ -+ /* If len would occupy more than half of the entire compat space... */ -+ if (unlikely(len > (((compat_uptr_t)~0) >> 1))) -+ return NULL; -+ -+ ptr = arch_compat_alloc_user_space(len); -+ -+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len))) -+ return NULL; -+ -+ return ptr; -+} -+EXPORT_SYMBOL_GPL(compat_alloc_user_space); --- -1.7.2.3 - diff --git a/02-compat-test-rax-for-the-system-call-number-not-eax.patch b/02-compat-test-rax-for-the-system-call-number-not-eax.patch deleted file mode 100644 index 15ff0ca85..000000000 --- a/02-compat-test-rax-for-the-system-call-number-not-eax.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 36d001c70d8a0144ac1d038f6876c484849a74de Mon Sep 17 00:00:00 2001 -From: H. Peter Anvin -Date: Tue, 14 Sep 2010 12:42:41 -0700 -Subject: [PATCH] x86-64, compat: Test %rax for the syscall number, not %eax - -On 64 bits, we always, by necessity, jump through the system call -table via %rax. For 32-bit system calls, in theory the system call -number is stored in %eax, and the code was testing %eax for a valid -system call number. At one point we loaded the stored value back from -the stack to enforce zero-extension, but that was removed in checkin -d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process -will not be able to introduce a non-zero-extended number, but it can -happen via ptrace. - -Instead of re-introducing the zero-extension, test what we are -actually going to use, i.e. %rax. This only adds a handful of REX -prefixes to the code. - -Reported-by: Ben Hawkes -Signed-off-by: H. Peter Anvin -Cc: -Cc: Roland McGrath -Cc: Andrew Morton ---- - arch/x86/ia32/ia32entry.S | 14 +++++++------- - 1 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index b86feab..84e3a4e 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - CFI_REMEMBER_STATE - jnz sysenter_tracesys -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - sysenter_do_call: - IA32_ARG_FIXUP -@@ -195,7 +195,7 @@ sysexit_from_sys_call: - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ - call audit_syscall_entry - movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - movl %ebx,%edi /* reload 1st syscall arg */ - movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */ -@@ -248,7 +248,7 @@ sysenter_tracesys: - call syscall_trace_enter - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ - jmp sysenter_do_call - CFI_ENDPROC -@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - CFI_REMEMBER_STATE - jnz cstar_tracesys -- cmpl $IA32_NR_syscalls-1,%eax -+ cmpq $IA32_NR_syscalls-1,%rax - ja ia32_badsys - cstar_do_call: - IA32_ARG_FIXUP 1 -@@ -367,7 +367,7 @@ cstar_tracesys: - LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ - RESTORE_REST - xchgl %ebp,%r9d -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ - jmp cstar_do_call - END(ia32_cstar_target) -@@ -425,7 +425,7 @@ ENTRY(ia32_syscall) - orl $TS_COMPAT,TI_status(%r10) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) - jnz ia32_tracesys -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja ia32_badsys - ia32_do_call: - IA32_ARG_FIXUP -@@ -444,7 +444,7 @@ ia32_tracesys: - call syscall_trace_enter - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST -- cmpl $(IA32_NR_syscalls-1),%eax -+ cmpq $(IA32_NR_syscalls-1),%rax - ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ - jmp ia32_do_call - END(ia32_syscall) --- -1.7.2.3 - diff --git a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch deleted file mode 100644 index b7fa7391a..000000000 --- a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch +++ /dev/null @@ -1,49 +0,0 @@ -From eefdca043e8391dcd719711716492063030b55ac Mon Sep 17 00:00:00 2001 -From: Roland McGrath -Date: Tue, 14 Sep 2010 12:22:58 -0700 -Subject: [PATCH] x86-64, compat: Retruncate rax after ia32 syscall entry tracing - -In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a -32-bit tracee in system call entry. A %rax value set via ptrace at the -entry tracing stop gets used whole as a 32-bit syscall number, while we -only check the low 32 bits for validity. - -Fix it by truncating %rax back to 32 bits after syscall_trace_enter, -in addition to testing the full 64 bits as has already been added. - -Reported-by: Ben Hawkes -Signed-off-by: Roland McGrath -Signed-off-by: H. Peter Anvin ---- - arch/x86/ia32/ia32entry.S | 8 +++++++- - 1 files changed, 7 insertions(+), 1 deletions(-) - -diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 84e3a4e..518bb99 100644 ---- a/arch/x86/ia32/ia32entry.S -+++ b/arch/x86/ia32/ia32entry.S -@@ -50,7 +50,12 @@ - /* - * Reload arg registers from stack in case ptrace changed them. - * We don't reload %eax because syscall_trace_enter() returned -- * the value it wants us to use in the table lookup. -+ * the %rax value we should see. Instead, we just truncate that -+ * value to 32 bits again as we did on entry from user mode. -+ * If it's a new value set by user_regset during entry tracing, -+ * this matches the normal truncation of the user-mode value. -+ * If it's -1 to make us punt the syscall, then (u32)-1 is still -+ * an appropriately invalid value. - */ - .macro LOAD_ARGS32 offset, _r9=0 - .if \_r9 -@@ -60,6 +65,7 @@ - movl \offset+48(%rsp),%edx - movl \offset+56(%rsp),%esi - movl \offset+64(%rsp),%edi -+ movl %eax,%eax /* zero extension */ - .endm - - .macro CFI_STARTPROC32 simple --- -1.7.2.3 - diff --git a/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/aio-check-for-multiplication-overflow-in-do_io_submit.patch deleted file mode 100644 index 36b949c27..000000000 --- a/aio-check-for-multiplication-overflow-in-do_io_submit.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 75e1c70fc31490ef8a373ea2a4bea2524099b478 Mon Sep 17 00:00:00 2001 -From: Jeff Moyer -Date: Fri, 10 Sep 2010 14:16:00 -0700 -Subject: [PATCH] aio: check for multiplication overflow in do_io_submit -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Tavis Ormandy pointed out that do_io_submit does not do proper bounds -checking on the passed-in iocb array: - -       if (unlikely(nr < 0)) -               return -EINVAL; - -       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp))))) -               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^ - -The attached patch checks for overflow, and if it is detected, the -number of iocbs submitted is scaled down to a number that will fit in -the long.  This is an ok thing to do, as sys_io_submit is documented as -returning the number of iocbs submitted, so callers should handle a -return value of less than the 'nr' argument passed in. - -Reported-by: Tavis Ormandy -Signed-off-by: Jeff Moyer -Signed-off-by: Linus Torvalds ---- - fs/aio.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 3006b5b..1320b2a 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, long nr, - if (unlikely(nr < 0)) - return -EINVAL; - -+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp))) -+ nr = LONG_MAX/sizeof(*iocbpp); -+ - if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp))))) - return -EFAULT; - --- -1.7.2.3 - diff --git a/alsa-prevent-heap-corruption-in-snd_ctl_new.patch b/alsa-prevent-heap-corruption-in-snd_ctl_new.patch deleted file mode 100644 index 0dbab01b6..000000000 --- a/alsa-prevent-heap-corruption-in-snd_ctl_new.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Dan Rosenberg -Date: Tue, 28 Sep 2010 18:18:20 +0000 (-0400) -Subject: ALSA: prevent heap corruption in snd_ctl_new() -X-Git-Tag: v2.6.36-rc7~12^2~1 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git;a=commitdiff_plain;h=5591bf07225523600450edd9e6ad258bb877b779 - -ALSA: prevent heap corruption in snd_ctl_new() - -The snd_ctl_new() function in sound/core/control.c allocates space for a -snd_kcontrol struct by performing arithmetic operations on a -user-provided size without checking for integer overflow. If a user -provides a large enough size, an overflow will occur, the allocated -chunk will be too small, and a second user-influenced value will be -written repeatedly past the bounds of this chunk. This code is -reachable by unprivileged users who have permission to open -a /dev/snd/controlC* device (on many distros, this is group "audio") via -the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. - -Signed-off-by: Dan Rosenberg -Cc: -Signed-off-by: Takashi Iwai ---- - -diff --git a/sound/core/control.c b/sound/core/control.c -index 070aab4..45a8180 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -31,6 +31,7 @@ - - /* max number of user-defined controls */ - #define MAX_USER_CONTROLS 32 -+#define MAX_CONTROL_COUNT 1028 - - struct snd_kctl_ioctl { - struct list_head list; /* list of all ioctls */ -@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control, - - if (snd_BUG_ON(!control || !control->count)) - return NULL; -+ -+ if (control->count > MAX_CONTROL_COUNT) -+ return NULL; -+ - kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL); - if (kctl == NULL) { - snd_printk(KERN_ERR "Cannot allocate control instance\n"); diff --git a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch deleted file mode 100644 index 73e65ecda..000000000 --- a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Takashi Iwai -Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200) -Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd - -ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() - -The error handling in snd_seq_oss_open() has several bad codes that -do dereferecing released pointers and double-free of kmalloc'ed data. -The object dp is release in free_devinfo() that is called via -private_free callback. The rest shouldn't touch this object any more. - -The patch changes delete_port() to call kfree() in any case, and gets -rid of unnecessary calls of destructors in snd_seq_oss_open(). - -Fixes CVE-2010-3080. - -Reported-and-tested-by: Tavis Ormandy -Cc: -Signed-off-by: Takashi Iwai ---- - -diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c -index 6857122..69cd7b3 100644 ---- a/sound/core/seq/oss/seq_oss_init.c -+++ b/sound/core/seq/oss/seq_oss_init.c -@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level) - return 0; - - _error: -- snd_seq_oss_writeq_delete(dp->writeq); -- snd_seq_oss_readq_delete(dp->readq); - snd_seq_oss_synth_cleanup(dp); - snd_seq_oss_midi_cleanup(dp); -- delete_port(dp); - delete_seq_queue(dp->queue); -- kfree(dp); -+ delete_port(dp); - - return rc; - } -@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp) - static int - delete_port(struct seq_oss_devinfo *dp) - { -- if (dp->port < 0) -+ if (dp->port < 0) { -+ kfree(dp); - return 0; -+ } - - debug_printk(("delete_port %i\n", dp->port)); - return snd_seq_event_port_detach(dp->cseq, dp->port); diff --git a/cifs-fix-dns-resolver.patch b/cifs-fix-dns-resolver.patch deleted file mode 100644 index 6a74fba1f..000000000 --- a/cifs-fix-dns-resolver.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Chuck Ebbert - -CIFS: Fix DNS resolver build - -In file included from fs/cifs/dns_resolve.c:29: -fs/cifs/dns_resolve.h:27: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cifs_init_dns_resolver' - -Just remove the __init and __exit attributes from the init and exit -functions. __exit was removed upstream in 51c20fcced5badee0e2021c6c89f44aa3cbd72aa -anyway, and there's no point trying to save every byte by fixing -this properly. - -Signed-Off-By: Chuck Ebbert - ---- a/fs/cifs/dns_resolve.c -+++ b/fs/cifs/dns_resolve.c -@@ -176,7 +176,7 @@ out: - return rc; - } - --int __init cifs_init_dns_resolver(void) -+int cifs_init_dns_resolver(void) - { - struct cred *cred; - struct key *keyring; -@@ -226,7 +226,7 @@ failed_put_cred: - return ret; - } - --void __exit cifs_exit_dns_resolver(void) -+void cifs_exit_dns_resolver(void) - { - key_revoke(dns_resolver_cache->thread_keyring); - unregister_key_type(&key_type_dns_resolver); ---- a/fs/cifs/dns_resolve.h -+++ b/fs/cifs/dns_resolve.h -@@ -24,8 +24,8 @@ - #define _DNS_RESOLVE_H - - #ifdef __KERNEL__ --extern int __init cifs_init_dns_resolver(void); --extern void __exit cifs_exit_dns_resolver(void); -+extern int cifs_init_dns_resolver(void); -+extern void cifs_exit_dns_resolver(void); - extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr); - #endif /* KERNEL */ - diff --git a/depessimize-rds_copy_page_user.patch b/depessimize-rds_copy_page_user.patch deleted file mode 100644 index aec8bff4d..000000000 --- a/depessimize-rds_copy_page_user.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Fri, 15 Oct 2010 11:09:28 -0700 -Subject: [PATCH] De-pessimize rds_page_copy_user - -Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and -the unsafe atomic user mode accessor functions. It's actually slower -than the straightforward code on any reasonable modern CPU. - -Back when the code was written (although probably not by the time it was -actually merged, though), 32-bit x86 may have been the dominant -architecture. And there kmap_atomic() can be a lot faster than kmap() -(unless you have very good locality, in which case the virtual address -caching by kmap() can overcome all the downsides). - -But these days, x86-64 may not be more populous, but it's getting there -(and if you care about performance, it's definitely already there - -you'd have upgraded your CPU's already in the last few years). And on -x86-64, the non-kmap_atomic() version is faster, simply because the code -is simpler and doesn't have the "re-try page fault" case. - -People with old hardware are not likely to care about RDS anyway, and -the optimization for the 32-bit case is simply buggy, since it doesn't -verify the user addresses properly. - -Reported-by: Dan Rosenberg -Acked-by: Andrew Morton -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds ---- - net/rds/page.c | 27 +++++++-------------------- - 1 files changed, 7 insertions(+), 20 deletions(-) - -diff --git a/net/rds/page.c b/net/rds/page.c -index 595a952..1dfbfea 100644 ---- a/net/rds/page.c -+++ b/net/rds/page.c -@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset, - unsigned long ret; - void *addr; - -- if (to_user) -+ addr = kmap(page); -+ if (to_user) { - rds_stats_add(s_copy_to_user, bytes); -- else -+ ret = copy_to_user(ptr, addr + offset, bytes); -+ } else { - rds_stats_add(s_copy_from_user, bytes); -- -- addr = kmap_atomic(page, KM_USER0); -- if (to_user) -- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes); -- else -- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes); -- kunmap_atomic(addr, KM_USER0); -- -- if (ret) { -- addr = kmap(page); -- if (to_user) -- ret = copy_to_user(ptr, addr + offset, bytes); -- else -- ret = copy_from_user(addr + offset, ptr, bytes); -- kunmap(page); -- if (ret) -- return -EFAULT; -+ ret = copy_from_user(addr + offset, ptr, bytes); - } -+ kunmap(page); - -- return 0; -+ return ret ? -EFAULT : 0; - } - EXPORT_SYMBOL_GPL(rds_page_copy_user); - --- -1.7.3.2 - diff --git a/drm-next.patch b/drm-next.patch index b0954d8bf..aa2574004 100644 --- a/drm-next.patch +++ b/drm-next.patch @@ -202,7 +202,6 @@ Date: Fri May 21 11:14:52 2010 -0700 8e36ed0 drm/radeon/kms: hpd cleanup 2bfcc0f drm/radeon/kms: reset ddc_bus in object header parsing 6fd0248 amd64-agp: Probe unknown AGP devices the right way - d831692 sis-agp: Remove SIS 760, handled by amd64-agp 26481fb drm/radeon/pm: fix device_create_file return value checks. 4bff517 drm/radeon/kms/pm: fix r6xx+ profile setup ce8a3eb drm/radeon/kms/pm: make pm spam debug only @@ -5815,21 +5814,6 @@ index 6c3837a..29aacd8 100644 .configure = sis_configure, .fetch_size = sis_fetch_size, .cleanup = sis_cleanup, -@@ -415,14 +416,6 @@ static struct pci_device_id agp_sis_pci_table[] = { - .subvendor = PCI_ANY_ID, - .subdevice = PCI_ANY_ID, - }, -- { -- .class = (PCI_CLASS_BRIDGE_HOST << 8), -- .class_mask = ~0, -- .vendor = PCI_VENDOR_ID_SI, -- .device = PCI_DEVICE_ID_SI_760, -- .subvendor = PCI_ANY_ID, -- .subdevice = PCI_ANY_ID, -- }, - { } - }; - diff --git a/drivers/char/agp/uninorth-agp.c b/drivers/char/agp/uninorth-agp.c index 6f48931..95db713 100644 --- a/drivers/char/agp/uninorth-agp.c diff --git a/execve-improve-interactivity-with-large-arguments.patch b/execve-improve-interactivity-with-large-arguments.patch deleted file mode 100644 index 7908e6ca4..000000000 --- a/execve-improve-interactivity-with-large-arguments.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Roland McGrath -Date: Wed, 8 Sep 2010 02:36:28 +0000 (-0700) -Subject: execve: improve interactivity with large arguments -X-Git-Tag: v2.6.36-rc4~13 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7993bc1f4663c0db67bb8f0d98e6678145b387cd - -execve: improve interactivity with large arguments - -This adds a preemption point during the copying of the argument and -environment strings for execve, in copy_strings(). There is already -a preemption point in the count() loop, so this doesn't add any new -points in the abstract sense. - -When the total argument+environment strings are very large, the time -spent copying them can be much more than a normal user time slice. -So this change improves the interactivity of the rest of the system -when one process is doing an execve with very large arguments. - -Signed-off-by: Roland McGrath -Reviewed-by: KOSAKI Motohiro -Signed-off-by: Linus Torvalds ---- - -diff --git a/fs/exec.c b/fs/exec.c -index 1b63237..6f2d777 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -419,6 +419,8 @@ static int copy_strings(int argc, const char __user *const __user *argv, - while (len > 0) { - int offset, bytes_to_copy; - -+ cond_resched(); -+ - offset = pos % PAGE_SIZE; - if (offset == 0) - offset = PAGE_SIZE; diff --git a/execve-make-responsive-to-sigkill-with-large-arguments.patch b/execve-make-responsive-to-sigkill-with-large-arguments.patch deleted file mode 100644 index a9e531a76..000000000 --- a/execve-make-responsive-to-sigkill-with-large-arguments.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Roland McGrath -Date: Wed, 8 Sep 2010 02:37:06 +0000 (-0700) -Subject: execve: make responsive to SIGKILL with large arguments -X-Git-Tag: v2.6.36-rc4~12 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 - -execve: make responsive to SIGKILL with large arguments - -An execve with a very large total of argument/environment strings -can take a really long time in the execve system call. It runs -uninterruptibly to count and copy all the strings. This change -makes it abort the exec quickly if sent a SIGKILL. - -Note that this is the conservative change, to interrupt only for -SIGKILL, by using fatal_signal_pending(). It would be perfectly -correct semantics to let any signal interrupt the string-copying in -execve, i.e. use signal_pending() instead of fatal_signal_pending(). -We'll save that change for later, since it could have user-visible -consequences, such as having a timer set too quickly make it so that -an execve can never complete, though it always happened to work before. - -Signed-off-by: Roland McGrath -Reviewed-by: KOSAKI Motohiro -Signed-off-by: Linus Torvalds ---- - -diff --git a/fs/exec.c b/fs/exec.c -index 6f2d777..828dd24 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -376,6 +376,9 @@ static int count(const char __user * const __user * argv, int max) - argv++; - if (i++ >= max) - return -E2BIG; -+ -+ if (fatal_signal_pending(current)) -+ return -ERESTARTNOHAND; - cond_resched(); - } - } -@@ -419,6 +422,10 @@ static int copy_strings(int argc, const char __user *const __user *argv, - while (len > 0) { - int offset, bytes_to_copy; - -+ if (fatal_signal_pending(current)) { -+ ret = -ERESTARTNOHAND; -+ goto out; -+ } - cond_resched(); - - offset = pos % PAGE_SIZE; diff --git a/gdth-integer-overflow-in-ioctl.patch b/gdth-integer-overflow-in-ioctl.patch deleted file mode 100644 index f8d560b3f..000000000 --- a/gdth-integer-overflow-in-ioctl.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Dan Carpenter -Date: Fri, 8 Oct 2010 07:03:07 +0000 (+0200) -Subject: [SCSI] gdth: integer overflow in ioctl -X-Git-Tag: v2.6.37-rc1~6^2~48 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f63ae56e4e97fb12053590e41a4fa59e7daa74a4 - -[SCSI] gdth: integer overflow in ioctl - -gdth_ioctl_alloc() takes the size variable as an int. -copy_from_user() takes the size variable as an unsigned long. -gen.data_len and gen.sense_len are unsigned longs. -On x86_64 longs are 64 bit and ints are 32 bit. - -We could pass in a very large number and the allocation would truncate -the size to 32 bits and allocate a small buffer. Then when we do the -copy_from_user(), it would result in a memory corruption. - -CC: stable@kernel.org -Signed-off-by: Dan Carpenter -Signed-off-by: James Bottomley ---- - -diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c -index 5a3f931..8411018 100644 ---- a/drivers/scsi/gdth.c -+++ b/drivers/scsi/gdth.c -@@ -4177,6 +4177,14 @@ static int ioc_general(void __user *arg, char *cmnd) - ha = gdth_find_ha(gen.ionode); - if (!ha) - return -EFAULT; -+ -+ if (gen.data_len > INT_MAX) -+ return -EINVAL; -+ if (gen.sense_len > INT_MAX) -+ return -EINVAL; -+ if (gen.data_len + gen.sense_len > INT_MAX) -+ return -EINVAL; -+ - if (gen.data_len + gen.sense_len != 0) { - if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len, - FALSE, &paddr))) diff --git a/inotify-fix-inotify-oneshot-support.patch b/inotify-fix-inotify-oneshot-support.patch deleted file mode 100644 index ba63e1090..000000000 --- a/inotify-fix-inotify-oneshot-support.patch +++ /dev/null @@ -1,25 +0,0 @@ -#607327 - -During the large inotify rewrite to fsnotify I completely dropped support -for IN_ONESHOT. Reimplement that support. - -Signed-off-by: Eric Paris ---- - - fs/notify/inotify/inotify_fsnotify.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c -index daa666a..388a150 100644 ---- a/fs/notify/inotify/inotify_fsnotify.c -+++ b/fs/notify/inotify/inotify_fsnotify.c -@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev - ret = 0; - } - -+ if (entry->mask & IN_ONESHOT) -+ fsnotify_destroy_mark_by_entry(entry); -+ - /* - * If we hold the entry until after the event is on the queue - * IN_IGNORED won't be able to pass this event in the queue diff --git a/inotify-send-IN_UNMOUNT-events.patch b/inotify-send-IN_UNMOUNT-events.patch deleted file mode 100644 index cf1d4c4bf..000000000 --- a/inotify-send-IN_UNMOUNT-events.patch +++ /dev/null @@ -1,29 +0,0 @@ -#607327 ? - -Since the .31 or so notify rewrite inotify has not sent events about -inodes which are unmounted. This patch restores those events. - -Signed-off-by: Eric Paris ---- - - fs/notify/inotify/inotify_user.c | 7 +++++-- - 1 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c -index 44aeb0f..f381daf 100644 ---- a/fs/notify/inotify/inotify_user.c -+++ b/fs/notify/inotify/inotify_user.c -@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg) - { - __u32 mask; - -- /* everything should accept their own ignored and cares about children */ -- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD); -+ /* -+ * everything should accept their own ignored, cares about children, -+ * and should receive events when the inode is unmounted -+ */ -+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT); - - /* mask off the flags used to open the fd */ - mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT)); diff --git a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch deleted file mode 100644 index 7afc4df7a..000000000 --- a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: David S. Miller -Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700) -Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure. -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257 - -irda: Correctly clean up self->ias_obj on irda_bind() failure. - -If irda_open_tsap() fails, the irda_bind() code tries to destroy -the ->ias_obj object by hand, but does so wrongly. - -In particular, it fails to a) release the hashbin attached to the -object and b) reset the self->ias_obj pointer to NULL. - -Fix both problems by using irias_delete_object() and explicitly -setting self->ias_obj to NULL, just as irda_release() does. - -Reported-by: Tavis Ormandy -Signed-off-by: David S. Miller ---- - -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index 79986a6..fd55b51 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - - err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name); - if (err < 0) { -- kfree(self->ias_obj->name); -- kfree(self->ias_obj); -+ irias_delete_object(self->ias_obj); -+ self->ias_obj = NULL; - goto out; - } - diff --git a/kernel.spec b/kernel.spec index 29b4ed10b..6fb1c8b4e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -48,7 +48,7 @@ Summary: The Linux kernel # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec). # scripts/rebase.sh should be made to do that for you, actually. # -%global baserelease 66 +%global baserelease 67 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -60,7 +60,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -611,13 +611,6 @@ Patch23: linux-2.6-utrace-ptrace.patch Patch50: linux-2.6-x86-cfi_sections.patch -# CVE-2010-3301, CVE-2010-3081 -Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch -Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch -Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch -# CVE-2010-3067 -Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch - Patch144: linux-2.6-vio-modalias.patch Patch150: linux-2.6.29-sparc-IOC_TYPECHECK.patch @@ -772,14 +765,10 @@ Patch12035: quiet-prove_RCU-in-cgroups.patch Patch12040: iwlwifi-manage-QoS-by-mac-stack.patch Patch12042: mac80211-explicitly-disable-enable-QoS.patch -Patch12250: inotify-fix-inotify-oneshot-support.patch -Patch12260: inotify-send-IN_UNMOUNT-events.patch - Patch12270: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch Patch12400: input-synaptics-relax-capability-id-checks-on-new-hardware.patch -Patch12410: cifs-fix-dns-resolver.patch Patch12430: cred-dont-resurrect-dead-credentials.patch Patch12440: direct-io-move-aio_complete-into-end_io.patch @@ -790,42 +779,11 @@ Patch12470: drivers-hwmon-coretemp-c-detect-the-thermal-sensors-by-cpuid.patch Patch12480: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch Patch12490: dell-wmi-add-support-for-eject-key.patch -Patch12500: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch -Patch12510: wireless-extensions-fix-kernel-heap-content-leak.patch Patch12517: flexcop-fix-xlate_proc_name-warning.patch Patch12520: acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch Patch12521: nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch -Patch12522: keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch -Patch12523: keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch - -Patch12530: pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch -Patch12531: pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch - -Patch12532: x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch -# fix bug caused by above patch -Patch12533: x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch - -# Mitigate DOS with large argument lists. -Patch12540: execve-improve-interactivity-with-large-arguments.patch -Patch12541: execve-make-responsive-to-sigkill-with-large-arguments.patch -Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch - -# CVE-2010-3080 -Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch - -# CVE-2010-3079 -Patch12560: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch - -Patch12570: sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch - -# bz 636534 -Patch12580: xen-handle-events-as-edge-triggered.patch -Patch12581: xen-use-percpu-interrupts-for-ipis-and-virqs.patch - -# CVE-2010-3432 -Patch12590: sctp-do-not-reset-the-packet-during-sctp_packet_config.patch #Bonding sysfs WARN_ON (bz 604630) Patch12591: linux-2.6-bonding-sysfs-warning.patch @@ -833,9 +791,6 @@ Patch12591: linux-2.6-bonding-sysfs-warning.patch #twsock rcu warning fix (bz 642905) Patch12592: linux-2.6-twsock-rcu-lockdep-warn.patch -Patch13635: r8169-fix-dma-allocations.patch -Patch13636: skge-quirk-to-4gb-dma.patch - Patch13637: dmar-disable-when-ricoh-multifunction.patch Patch13640: mmc-SDHCI_INT_DATA_MASK-typo-error.patch @@ -843,9 +798,6 @@ Patch13641: mmc-add-ricoh-e822-pci-id.patch Patch13642: mmc-make-sdhci-work-with-ricoh-mmc-controller.patch Patch13643: sdhci-8-bit-data-transfer-width-support.patch -# CVE-2010-3904 -Patch13645: depessimize-rds_copy_page_user.patch - Patch13646: rt2x00-disable-auto-wakeup-before-waking-up-device.patch Patch13647: rt2x00-fix-failed-SLEEP-AWAKE-and-AWAKE-SLEEP-transitions.patch @@ -861,8 +813,6 @@ Patch13705: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch # CVE-2010-4248 Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch -Patch13704: via-ioctl-prevent-reading-uninit-memory.patch - Patch13710: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch Patch13711: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch @@ -883,14 +833,8 @@ Patch13900: ima-allow-it-to-be-completely-disabled-and-default-off.patch Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch -# CVE-2010-2963 -Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch -# CVE-2010-3698 -Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch # CVE-2010-3705 Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch -# CVE-2010-3442 -Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch # CVE-2010-4258 Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch # CVE-2010-4169 @@ -900,8 +844,6 @@ Patch13916: bio-take-care-not-overflow-page-count-when-mapping-copying-user-data # CVE-2010-4249 Patch13917: af_unix-limit-unix_tot_inflight.patch Patch13918: scm-lower-SCM-MAX-FD.patch -# CVE-2010-4157 -Patch13919: gdth-integer-overflow-in-ioctl.patch # CVE-2010-4158 Patch13920: filter-make-sure-filters-dont-read-uninitialized-memory.patch # CVE-2010-3874 @@ -1373,9 +1315,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch ApplyPatch linux-2.6-x86-cfi_sections.patch # CVE-2010-3301, CVE-2010-3081 -ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch -ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch -ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch # # Intel IOMMU @@ -1400,7 +1339,6 @@ ApplyPatch linux-2.6-execshield.patch # # bugfixes to drivers and filesystems # -ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch # ext4 @@ -1601,19 +1539,12 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch ApplyPatch quiet-prove_RCU-in-cgroups.patch -# fix broken oneshot support and missing umount events (#607327) -ApplyPatch inotify-fix-inotify-oneshot-support.patch -ApplyPatch inotify-send-IN_UNMOUNT-events.patch - # 610911 ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch # fix newer synaptics touchpads not being recognized ApplyPatch input-synaptics-relax-capability-id-checks-on-new-hardware.patch -# Remove __init and __exit attributes from resolver code -ApplyPatch cifs-fix-dns-resolver.patch - # RHBZ #591015 ApplyPatch cred-dont-resurrect-dead-credentials.patch @@ -1631,12 +1562,6 @@ ApplyPatch kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch # bz #513530 ApplyPatch dell-wmi-add-support-for-eject-key.patch -# cve-2010-2954 -ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch - -# cve-2010-2955 -ApplyPatch wireless-extensions-fix-kernel-heap-content-leak.patch - # bz #575873 ApplyPatch flexcop-fix-xlate_proc_name-warning.patch @@ -1646,51 +1571,12 @@ ApplyPatch acpi-ec-pm-fix-race-between-ec-transactions-and-system-suspend.patch # this went in 2.6.35-stable ApplyPatch nfs-fix-an-oops-in-the-nfsv4-atomic-open-code.patch -# CVE-2010-2960 -ApplyPatch keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch -ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch - -# more suspend/resume fixes form 2.6.32 / 2.6.35 queue -# Fix unsafe access to MSI registers during suspend -ApplyPatch pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch -ApplyPatch pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch -# Fix scheduler load balancing after suspend/resume cycle -ApplyPatch x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch -# fix bug caused by above patch -ApplyPatch x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch - -# Mitigate DOS with large argument lists. -ApplyPatch execve-improve-interactivity-with-large-arguments.patch -ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch -ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch - -# CVE-2010-3080 -ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch - -# CVE-2010-3079 -ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch - -# BZ 633037 -ApplyPatch sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch - -# BZ 636534 -ApplyPatch xen-handle-events-as-edge-triggered.patch -ApplyPatch xen-use-percpu-interrupts-for-ipis-and-virqs.patch - -# CVE-2010-3432 -ApplyPatch sctp-do-not-reset-the-packet-during-sctp_packet_config.patch - # BZ 604630 ApplyPatch linux-2.6-bonding-sysfs-warning.patch # BZ 642905 ApplyPatch linux-2.6-twsock-rcu-lockdep-warn.patch -# rhbz#629158 -ApplyPatch r8169-fix-dma-allocations.patch -# rhbz#447489 -ApplyPatch skge-quirk-to-4gb-dma.patch - # rhbz#605888 ApplyPatch dmar-disable-when-ricoh-multifunction.patch @@ -1699,8 +1585,6 @@ ApplyPatch sdhci-8-bit-data-transfer-width-support.patch ApplyPatch mmc-make-sdhci-work-with-ricoh-mmc-controller.patch ApplyPatch mmc-add-ricoh-e822-pci-id.patch -ApplyPatch depessimize-rds_copy_page_user.patch - ApplyPatch tpm-autodetect-itpm-devices.patch # rhbz#530393 ApplyPatch tpm-fix-stall-on-boot.patch @@ -1721,9 +1605,6 @@ ApplyPatch netlink-make-nlmsg_find_attr-take-a-const-ptr.patch # rhbz#656264 (CVE-2010-4248) ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch -# rhbz#648671 (CVE-2010-4082) -ApplyPatch via-ioctl-prevent-reading-uninit-memory.patch - ApplyPatch rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch ApplyPatch rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch @@ -1749,14 +1630,8 @@ ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch # rhbz605845 [556ab45f] ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch -# CVE-2010-2963 -ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch -# CVE-2010-3698 -ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch # CVE-2010-3705 ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch -# CVE-2010-3442 -ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch # CVE-2010-4258 ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch # CVE-2010-4169 @@ -1766,8 +1641,6 @@ ApplyPatch bio-take-care-not-overflow-page-count-when-mapping-copying-user-data. # CVE-2010-4249 ApplyPatch af_unix-limit-unix_tot_inflight.patch ApplyPatch scm-lower-SCM-MAX-FD.patch -# CVE-2010-4157 -ApplyPatch gdth-integer-overflow-in-ioctl.patch # CVE-2010-4158 ApplyPatch filter-make-sure-filters-dont-read-uninitialized-memory.patch # CVE-2010-3874 @@ -2430,6 +2303,45 @@ fi %changelog +* Sat Feb 05 2011 Chuck Ebbert +- Linux 2.6.34.8 +- Drop merged patches: + 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch + 02-compat-test-rax-for-the-system-call-number-not-eax.patch + 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch + aio-check-for-multiplication-overflow-in-do_io_submit.patch + cifs-fix-dns-resolver.patch + inotify-fix-inotify-oneshot-support.patch + inotify-send-IN_UNMOUNT-events.patch + irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch + keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch + keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch + wireless-extensions-fix-kernel-heap-content-leak.patch + pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch + pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch + x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch + x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch + execve-improve-interactivity-with-large-arguments.patch + execve-make-responsive-to-sigkill-with-large-arguments.patch + setup_arg_pages-diagnose-excessive-argument-size.patch + alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch + tracing-do-not-allow-llseek-to-set_ftrace_filter.patch + sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch + xen-handle-events-as-edge-triggered.patch + xen-use-percpu-interrupts-for-ipis-and-virqs.patch + sctp-do-not-reset-the-packet-during-sctp_packet_config.patch + r8169-fix-dma-allocations.patch + skge-quirk-to-4gb-dma.patch + depessimize-rds_copy_page_user.patch + via-ioctl-prevent-reading-uninit-memory.patch + v4l1-fix-32-bit-compat-microcode-loading-translation.patch + kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch + alsa-prevent-heap-corruption-in-snd_ctl_new.patch + gdth-integer-overflow-in-ioctl.patch +- Drop from drm-next patch: + d831692 sis-agp: Remove SIS 760, handled by amd64-agp +- Drop hunk of quiet-prove_RCU-in-cgroups.patch, now upstream. + * Sun Jan 30 2011 Chuck Ebbert - Copy sunrpc oops fix from F14 diff --git a/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch b/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch deleted file mode 100644 index 4e4a3ffda..000000000 --- a/keys-fix-bug-in-keyctl-session-to-parent-if-parent-has-no-session-keyring.patch +++ /dev/null @@ -1,57 +0,0 @@ -From: David Howells -Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring - -Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership -of the parent process's session keyring whether or not the parent has a session -keyring [CVE-2010-2960]. - -A program like the following: - - #include - #include - int main(int argc, char **argv) - { - keyctl(KEYCTL_SESSION_TO_PARENT); - } - -can be used to trigger the following bug report: - - BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 - IP: [] keyctl_session_to_parent+0x251/0x443 - ... - Call Trace: - [] ? keyctl_session_to_parent+0x67/0x443 - [] ? __do_fault+0x24b/0x3d0 - [] sys_keyctl+0xb4/0xb8 - [] system_call_fastpath+0x16/0x1b - -if there is no parent process. - -If the system is using pam_keyinit then it mostly protected against this as all -processes derived from a login will have inherited the session keyring created -by pam_keyinit during the log in procedure. - -To test this, pam_keyinit calls need to be commented out in /etc/pam.d/. - -Signed-off-by: David Howells ---- - - security/keys/keyctl.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index 3868c67..60924f6 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -1305,7 +1305,8 @@ long keyctl_session_to_parent(void) - goto not_permitted; - - /* the keyrings must have the same UID */ -- if (pcred ->tgcred->session_keyring->uid != mycred->euid || -+ if ((pcred->tgcred->session_keyring && -+ pcred->tgcred->session_keyring->uid != mycred->euid) || - mycred->tgcred->session_keyring->uid != mycred->euid) - goto not_permitted; - - diff --git a/keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch b/keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch deleted file mode 100644 index 4a2b472b8..000000000 --- a/keys-fix-rcu-no-lock-warning-in-keyctl-session-to-parent.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: David Howells -Subject: [PATCH] KEYS: Fix RCU no-lock warning in keyctl_session_to_parent() - -There's an protected access to the parent process's credentials in the middle -of keyctl_session_to_parent(). This results in the following RCU warning: - -=================================================== -[ INFO: suspicious rcu_dereference_check() usage. ] ---------------------------------------------------- -security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection! - -other info that might help us debug this: - -rcu_scheduler_active = 1, debug_locks = 0 -1 lock held by keyctl-session-/2137: - #0: (tasklist_lock){.+.+..}, at: [] keyctl_session_to_parent+0x60/0x236 - -stack backtrace: -Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1 -Call Trace: - [] lockdep_rcu_dereference+0xaa/0xb3 - [] keyctl_session_to_parent+0xed/0x236 - [] sys_keyctl+0xb4/0xb6 - [] system_call_fastpath+0x16/0x1b - -The code should take the RCU read lock to make sure the parents credentials -don't go away, even though it's holding a spinlock and has IRQ disabled. - -Signed-off-by: David Howells ---- - - security/keys/keyctl.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index b2b0998..3868c67 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void) - keyring_r = NULL; - - me = current; -+ rcu_read_lock(); - write_lock_irq(&tasklist_lock); - - parent = me->real_parent; -@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void) - set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME); - - write_unlock_irq(&tasklist_lock); -+ rcu_read_unlock(); - if (oldcred) - put_cred(oldcred); - return 0; -@@ -1327,6 +1329,7 @@ already_same: - ret = 0; - not_permitted: - write_unlock_irq(&tasklist_lock); -+ rcu_read_unlock(); - put_cred(cred); - return ret; - - diff --git a/kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch b/kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch deleted file mode 100644 index d65904e04..000000000 --- a/kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch +++ /dev/null @@ -1,164 +0,0 @@ -From: Avi Kivity -Date: Tue, 19 Oct 2010 14:46:55 +0000 (+0200) -Subject: KVM: Fix fs/gs reload oops with invalid ldt -X-Git-Tag: v2.6.36~4^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9581d442b9058d3699b4be568b6e5eae38a41493 - -KVM: Fix fs/gs reload oops with invalid ldt - -kvm reloads the host's fs and gs blindly, however the underlying segment -descriptors may be invalid due to the user modifying the ldt after loading -them. - -Fix by using the safe accessors (loadsegment() and load_gs_index()) instead -of home grown unsafe versions. - -This is CVE-2010-3698. - -KVM-Stable-Tag. -Signed-off-by: Avi Kivity -Signed-off-by: Marcelo Tosatti ---- - -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 502e53f..c52e2eb 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -652,20 +652,6 @@ static inline struct kvm_mmu_page *page_header(hpa_t shadow_page) - return (struct kvm_mmu_page *)page_private(page); - } - --static inline u16 kvm_read_fs(void) --{ -- u16 seg; -- asm("mov %%fs, %0" : "=g"(seg)); -- return seg; --} -- --static inline u16 kvm_read_gs(void) --{ -- u16 seg; -- asm("mov %%gs, %0" : "=g"(seg)); -- return seg; --} -- - static inline u16 kvm_read_ldt(void) - { - u16 ldt; -@@ -673,16 +659,6 @@ static inline u16 kvm_read_ldt(void) - return ldt; - } - --static inline void kvm_load_fs(u16 sel) --{ -- asm("mov %0, %%fs" : : "rm"(sel)); --} -- --static inline void kvm_load_gs(u16 sel) --{ -- asm("mov %0, %%gs" : : "rm"(sel)); --} -- - static inline void kvm_load_ldt(u16 sel) - { - asm("lldt %0" : : "rm"(sel)); -diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index 81ed28c..8a3f9f6 100644 ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -3163,8 +3163,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) - sync_lapic_to_cr8(vcpu); - - save_host_msrs(vcpu); -- fs_selector = kvm_read_fs(); -- gs_selector = kvm_read_gs(); -+ savesegment(fs, fs_selector); -+ savesegment(gs, gs_selector); - ldt_selector = kvm_read_ldt(); - svm->vmcb->save.cr2 = vcpu->arch.cr2; - /* required for live migration with NPT */ -@@ -3251,10 +3251,15 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) - vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp; - vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip; - -- kvm_load_fs(fs_selector); -- kvm_load_gs(gs_selector); -- kvm_load_ldt(ldt_selector); - load_host_msrs(vcpu); -+ loadsegment(fs, fs_selector); -+#ifdef CONFIG_X86_64 -+ load_gs_index(gs_selector); -+ wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs); -+#else -+ loadsegment(gs, gs_selector); -+#endif -+ kvm_load_ldt(ldt_selector); - - reload_tss(vcpu); - -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 49b25ee..7bddfab 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -803,7 +803,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu) - */ - vmx->host_state.ldt_sel = kvm_read_ldt(); - vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel; -- vmx->host_state.fs_sel = kvm_read_fs(); -+ savesegment(fs, vmx->host_state.fs_sel); - if (!(vmx->host_state.fs_sel & 7)) { - vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel); - vmx->host_state.fs_reload_needed = 0; -@@ -811,7 +811,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu) - vmcs_write16(HOST_FS_SELECTOR, 0); - vmx->host_state.fs_reload_needed = 1; - } -- vmx->host_state.gs_sel = kvm_read_gs(); -+ savesegment(gs, vmx->host_state.gs_sel); - if (!(vmx->host_state.gs_sel & 7)) - vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel); - else { -@@ -841,27 +841,21 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu) - - static void __vmx_load_host_state(struct vcpu_vmx *vmx) - { -- unsigned long flags; -- - if (!vmx->host_state.loaded) - return; - - ++vmx->vcpu.stat.host_state_reload; - vmx->host_state.loaded = 0; - if (vmx->host_state.fs_reload_needed) -- kvm_load_fs(vmx->host_state.fs_sel); -+ loadsegment(fs, vmx->host_state.fs_sel); - if (vmx->host_state.gs_ldt_reload_needed) { - kvm_load_ldt(vmx->host_state.ldt_sel); -- /* -- * If we have to reload gs, we must take care to -- * preserve our gs base. -- */ -- local_irq_save(flags); -- kvm_load_gs(vmx->host_state.gs_sel); - #ifdef CONFIG_X86_64 -- wrmsrl(MSR_GS_BASE, vmcs_readl(HOST_GS_BASE)); -+ load_gs_index(vmx->host_state.gs_sel); -+ wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs); -+#else -+ loadsegment(gs, vmx->host_state.gs_sel); - #endif -- local_irq_restore(flags); - } - reload_tss(); - #ifdef CONFIG_X86_64 -@@ -2589,8 +2583,8 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx) - vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ - vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ - vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */ -- vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs()); /* 22.2.4 */ -- vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs()); /* 22.2.4 */ -+ vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */ -+ vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */ - vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ - #ifdef CONFIG_X86_64 - rdmsrl(MSR_FS_BASE, a); diff --git a/pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch b/pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch deleted file mode 100644 index 6ed821556..000000000 --- a/pci-msi-remove-unsafe-and-unnecessary-hardware-access.patch +++ /dev/null @@ -1,86 +0,0 @@ -From fcd097f31a6ee207cc0c3da9cccd2a86d4334785 Mon Sep 17 00:00:00 2001 -From: Ben Hutchings -Date: Thu, 17 Jun 2010 20:16:36 +0100 -Subject: PCI: MSI: Remove unsafe and unnecessary hardware access - -From: Ben Hutchings - -commit fcd097f31a6ee207cc0c3da9cccd2a86d4334785 upstream. - -During suspend on an SMP system, {read,write}_msi_msg_desc() may be -called to mask and unmask interrupts on a device that is already in a -reduced power state. At this point memory-mapped registers including -MSI-X tables are not accessible, and config space may not be fully -functional either. - -While a device is in a reduced power state its interrupts are -effectively masked and its MSI(-X) state will be restored when it is -brought back to D0. Therefore these functions can simply read and -write msi_desc::msg for devices not in D0. - -Further, read_msi_msg_desc() should only ever be used to update a -previously written message, so it can always read msi_desc::msg -and never needs to touch the hardware. - -Tested-by: "Michael Chan" -Signed-off-by: Ben Hutchings -Signed-off-by: Jesse Barnes -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/pci/msi.c | 36 ++++++++++++------------------------ - 1 file changed, 12 insertions(+), 24 deletions(-) - ---- a/drivers/pci/msi.c -+++ b/drivers/pci/msi.c -@@ -195,30 +195,15 @@ void unmask_msi_irq(unsigned int irq) - void read_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg) - { - struct msi_desc *entry = get_irq_desc_msi(desc); -- if (entry->msi_attrib.is_msix) { -- void __iomem *base = entry->mask_base + -- entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE; - -- msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR); -- msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR); -- msg->data = readl(base + PCI_MSIX_ENTRY_DATA); -- } else { -- struct pci_dev *dev = entry->dev; -- int pos = entry->msi_attrib.pos; -- u16 data; -- -- pci_read_config_dword(dev, msi_lower_address_reg(pos), -- &msg->address_lo); -- if (entry->msi_attrib.is_64) { -- pci_read_config_dword(dev, msi_upper_address_reg(pos), -- &msg->address_hi); -- pci_read_config_word(dev, msi_data_reg(pos, 1), &data); -- } else { -- msg->address_hi = 0; -- pci_read_config_word(dev, msi_data_reg(pos, 0), &data); -- } -- msg->data = data; -- } -+ /* We do not touch the hardware (which may not even be -+ * accessible at the moment) but return the last message -+ * written. Assert that this is valid, assuming that -+ * valid messages are not all-zeroes. */ -+ BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo | -+ entry->msg.data)); -+ -+ *msg = entry->msg; - } - - void read_msi_msg(unsigned int irq, struct msi_msg *msg) -@@ -231,7 +216,10 @@ void read_msi_msg(unsigned int irq, stru - void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg) - { - struct msi_desc *entry = get_irq_desc_msi(desc); -- if (entry->msi_attrib.is_msix) { -+ -+ if (entry->dev->current_state != PCI_D0) { -+ /* Don't touch the hardware now */ -+ } else if (entry->msi_attrib.is_msix) { - void __iomem *base; - base = entry->mask_base + - entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE; diff --git a/pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch b/pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch deleted file mode 100644 index b421a8bba..000000000 --- a/pci-msi-restore-read_msi_msg_desc-add-get_cached_msi_msg_desc.patch +++ /dev/null @@ -1,148 +0,0 @@ -From 30da55242818a8ca08583188ebcbaccd283ad4d9 Mon Sep 17 00:00:00 2001 -From: Ben Hutchings -Date: Fri, 23 Jul 2010 14:56:28 +0100 -Subject: PCI: MSI: Restore read_msi_msg_desc(); add get_cached_msi_msg_desc() - -From: Ben Hutchings - -commit 30da55242818a8ca08583188ebcbaccd283ad4d9 upstream. - -commit 2ca1af9aa3285c6a5f103ed31ad09f7399fc65d7 "PCI: MSI: Remove -unsafe and unnecessary hardware access" changed read_msi_msg_desc() to -return the last MSI message written instead of reading it from the -device, since it may be called while the device is in a reduced -power state. - -However, the pSeries platform code really does need to read messages -from the device, since they are initially written by firmware. -Therefore: -- Restore the previous behaviour of read_msi_msg_desc() -- Add new functions get_cached_msi_msg{,_desc}() which return the - last MSI message written -- Use the new functions where appropriate - -Acked-by: Michael Ellerman -Signed-off-by: Ben Hutchings -Signed-off-by: Jesse Barnes -Signed-off-by: Greg Kroah-Hartman - ---- - arch/ia64/kernel/msi_ia64.c | 2 - - arch/ia64/sn/kernel/msi_sn.c | 2 - - arch/x86/kernel/apic/io_apic.c | 2 - - drivers/pci/msi.c | 47 ++++++++++++++++++++++++++++++++++++----- - include/linux/msi.h | 2 + - 5 files changed, 47 insertions(+), 8 deletions(-) - ---- a/arch/ia64/kernel/msi_ia64.c -+++ b/arch/ia64/kernel/msi_ia64.c -@@ -25,7 +25,7 @@ static int ia64_set_msi_irq_affinity(uns - if (irq_prepare_move(irq, cpu)) - return -1; - -- read_msi_msg(irq, &msg); -+ get_cached_msi_msg(irq, &msg); - - addr = msg.address_lo; - addr &= MSI_ADDR_DEST_ID_MASK; ---- a/arch/ia64/sn/kernel/msi_sn.c -+++ b/arch/ia64/sn/kernel/msi_sn.c -@@ -174,7 +174,7 @@ static int sn_set_msi_irq_affinity(unsig - * Release XIO resources for the old MSI PCI address - */ - -- read_msi_msg(irq, &msg); -+ get_cached_msi_msg(irq, &msg); - sn_pdev = (struct pcidev_info *)sn_irq_info->irq_pciioinfo; - pdev = sn_pdev->pdi_linux_pcidev; - provider = SN_PCIDEV_BUSPROVIDER(pdev); ---- a/arch/x86/kernel/apic/io_apic.c -+++ b/arch/x86/kernel/apic/io_apic.c -@@ -3338,7 +3338,7 @@ static int set_msi_irq_affinity(unsigned - - cfg = desc->chip_data; - -- read_msi_msg_desc(desc, &msg); -+ get_cached_msi_msg_desc(desc, &msg); - - msg.data &= ~MSI_DATA_VECTOR_MASK; - msg.data |= MSI_DATA_VECTOR(cfg->vector); ---- a/drivers/pci/msi.c -+++ b/drivers/pci/msi.c -@@ -196,9 +196,46 @@ void read_msi_msg_desc(struct irq_desc * - { - struct msi_desc *entry = get_irq_desc_msi(desc); - -- /* We do not touch the hardware (which may not even be -- * accessible at the moment) but return the last message -- * written. Assert that this is valid, assuming that -+ BUG_ON(entry->dev->current_state != PCI_D0); -+ -+ if (entry->msi_attrib.is_msix) { -+ void __iomem *base = entry->mask_base + -+ entry->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE; -+ -+ msg->address_lo = readl(base + PCI_MSIX_ENTRY_LOWER_ADDR); -+ msg->address_hi = readl(base + PCI_MSIX_ENTRY_UPPER_ADDR); -+ msg->data = readl(base + PCI_MSIX_ENTRY_DATA); -+ } else { -+ struct pci_dev *dev = entry->dev; -+ int pos = entry->msi_attrib.pos; -+ u16 data; -+ -+ pci_read_config_dword(dev, msi_lower_address_reg(pos), -+ &msg->address_lo); -+ if (entry->msi_attrib.is_64) { -+ pci_read_config_dword(dev, msi_upper_address_reg(pos), -+ &msg->address_hi); -+ pci_read_config_word(dev, msi_data_reg(pos, 1), &data); -+ } else { -+ msg->address_hi = 0; -+ pci_read_config_word(dev, msi_data_reg(pos, 0), &data); -+ } -+ msg->data = data; -+ } -+} -+ -+void read_msi_msg(unsigned int irq, struct msi_msg *msg) -+{ -+ struct irq_desc *desc = irq_to_desc(irq); -+ -+ read_msi_msg_desc(desc, msg); -+} -+ -+void get_cached_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg) -+{ -+ struct msi_desc *entry = get_irq_desc_msi(desc); -+ -+ /* Assert that the cache is valid, assuming that - * valid messages are not all-zeroes. */ - BUG_ON(!(entry->msg.address_hi | entry->msg.address_lo | - entry->msg.data)); -@@ -206,11 +243,11 @@ void read_msi_msg_desc(struct irq_desc * - *msg = entry->msg; - } - --void read_msi_msg(unsigned int irq, struct msi_msg *msg) -+void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg) - { - struct irq_desc *desc = irq_to_desc(irq); - -- read_msi_msg_desc(desc, msg); -+ get_cached_msi_msg_desc(desc, msg); - } - - void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg) ---- a/include/linux/msi.h -+++ b/include/linux/msi.h -@@ -14,8 +14,10 @@ struct irq_desc; - extern void mask_msi_irq(unsigned int irq); - extern void unmask_msi_irq(unsigned int irq); - extern void read_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg); -+extern void get_cached_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg); - extern void write_msi_msg_desc(struct irq_desc *desc, struct msi_msg *msg); - extern void read_msi_msg(unsigned int irq, struct msi_msg *msg); -+extern void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg); - extern void write_msi_msg(unsigned int irq, struct msi_msg *msg); - - struct msi_desc { diff --git a/quiet-prove_RCU-in-cgroups.patch b/quiet-prove_RCU-in-cgroups.patch index f043ef51c..2922962ba 100644 --- a/quiet-prove_RCU-in-cgroups.patch +++ b/quiet-prove_RCU-in-cgroups.patch @@ -12,25 +12,3 @@ index 4b493f6..ada1fcd 100644 /* initialize timestamp */ __touch_softlockup_watchdog(); -diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c -index 5a5ea2c..47ecc56 100644 ---- a/kernel/sched_fair.c -+++ b/kernel/sched_fair.c -@@ -1272,6 +1272,9 @@ static int wake_affine(struct sched_domain *sd, struct task_struct *p, int sync) - * effect of the currently running task from the load - * of the current CPU: - */ -+ -+ rcu_read_lock(); -+ - if (sync) { - tg = task_group(current); - weight = current->se.load.weight; -@@ -1298,6 +1301,7 @@ static int wake_affine(struct sched_domain *sd, struct task_struct *p, int sync) - 100*(this_load + effective_load(tg, this_cpu, weight, weight)) <= - imbalance*(load + effective_load(tg, prev_cpu, 0, weight)); - -+ rcu_read_unlock(); - /* - * If the currently running task will sleep within - * a reasonable amount of time then attract this newly diff --git a/r8169-fix-dma-allocations.patch b/r8169-fix-dma-allocations.patch deleted file mode 100644 index e4aa160d1..000000000 --- a/r8169-fix-dma-allocations.patch +++ /dev/null @@ -1,120 +0,0 @@ -From sgruszka@redhat.com Mon Oct 18 05:10:00 2010 -Return-Path: sgruszka@redhat.com -Received: from zmta01.collab.prod.int.phx2.redhat.com (LHLO - zmta01.collab.prod.int.phx2.redhat.com) (10.5.5.31) by - mail03.corp.redhat.com with LMTP; Mon, 18 Oct 2010 05:10:00 -0400 (EDT) -Received: from localhost (localhost.localdomain [127.0.0.1]) - by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 5E48E928A4; - Mon, 18 Oct 2010 05:10:00 -0400 (EDT) -Received: from zmta01.collab.prod.int.phx2.redhat.com ([127.0.0.1]) - by localhost (zmta01.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024) - with ESMTP id q3QJQ+TOP+bt; Mon, 18 Oct 2010 05:10:00 -0400 (EDT) -Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) - by zmta01.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 423CC91A7C; - Mon, 18 Oct 2010 05:10:00 -0400 (EDT) -Received: from localhost (dhcp-1-246.brq.redhat.com [10.34.1.246]) - by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id o9I99x6b006228; - Mon, 18 Oct 2010 05:09:59 -0400 -From: Stanislaw Gruszka -To: stable@kernel.org -Cc: Kyle McMartin , - Stanislaw Gruszka , - "David S. Miller" -Subject: [PATCH -stable 2.6.34+] r8169: allocate with GFP_KERNEL flag when able to sleep -Date: Mon, 18 Oct 2010 11:12:22 +0200 -Message-Id: <1287393142-2566-1-git-send-email-sgruszka@redhat.com> -X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 - -Upstream aeb19f6052b5e5c8a24aa444fbff73b84341beac commit. - -We have fedora bug report where driver fail to initialize after -suspend/resume because of memory allocation errors: -https://bugzilla.redhat.com/show_bug.cgi?id=629158 - -To fix use GFP_KERNEL allocation where possible. - -Patch should fix any allocation errors with calltrace like that: - -NetworkManager: page allocation failure. order:3, mode:0x4020 -Pid: 1427, comm: NetworkManager Not tainted 2.6.31.12-rhapsody.fc12-121 #1 -Call Trace: - [] __alloc_pages_nodemask+0x57a/0x5bb - [] alloc_pages_node+0x48/0x4a - [] kmalloc_large_node+0x2a/0x67 - [] __kmalloc_node_track_caller+0x31/0x11b - [] ? __netdev_alloc_skb+0x34/0x50 - [] __alloc_skb+0x80/0x170 - [] __netdev_alloc_skb+0x34/0x50 - [] rtl8169_rx_fill+0xa8/0x154 [r8169] - [] rtl8169_init_ring+0x71/0x9f [r8169] - [] rtl8169_open+0x7f/0x199 [r8169] - -Tested-by: Neal Becker -Signed-off-by: Stanislaw Gruszka -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - drivers/net/r8169.c | 12 ++++++------ - 1 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c -index a0da4a1..a68ec8f 100644 ---- a/drivers/net/r8169.c -+++ b/drivers/net/r8169.c -@@ -4000,7 +4000,7 @@ static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping, - static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev, - struct net_device *dev, - struct RxDesc *desc, int rx_buf_sz, -- unsigned int align) -+ unsigned int align, gfp_t gfp) - { - struct sk_buff *skb; - dma_addr_t mapping; -@@ -4008,7 +4008,7 @@ static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev, - - pad = align ? align : NET_IP_ALIGN; - -- skb = netdev_alloc_skb(dev, rx_buf_sz + pad); -+ skb = __netdev_alloc_skb(dev, rx_buf_sz + pad, gfp); - if (!skb) - goto err_out; - -@@ -4039,7 +4039,7 @@ static void rtl8169_rx_clear(struct rtl8169_private *tp) - } - - static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev, -- u32 start, u32 end) -+ u32 start, u32 end, gfp_t gfp) - { - u32 cur; - -@@ -4054,7 +4054,7 @@ static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev, - - skb = rtl8169_alloc_rx_skb(tp->pci_dev, dev, - tp->RxDescArray + i, -- tp->rx_buf_sz, tp->align); -+ tp->rx_buf_sz, tp->align, gfp); - if (!skb) - break; - -@@ -4082,7 +4082,7 @@ static int rtl8169_init_ring(struct net_device *dev) - memset(tp->tx_skb, 0x0, NUM_TX_DESC * sizeof(struct ring_info)); - memset(tp->Rx_skbuff, 0x0, NUM_RX_DESC * sizeof(struct sk_buff *)); - -- if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC) != NUM_RX_DESC) -+ if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC, GFP_KERNEL) != NUM_RX_DESC) - goto err_out; - - rtl8169_mark_as_last_descriptor(tp->RxDescArray + NUM_RX_DESC - 1); -@@ -4583,7 +4583,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev, - count = cur_rx - tp->cur_rx; - tp->cur_rx = cur_rx; - -- delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx); -+ delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx, GFP_ATOMIC); - if (!delta && count) - netif_info(tp, intr, dev, "no Rx buffer allocated\n"); - tp->dirty_rx += delta; --- -1.7.1 - diff --git a/sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch b/sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch deleted file mode 100644 index 7c1512201..000000000 --- a/sched-00-fix-user-time-incorrectly-accounted-as-system-time-on-32-bit.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Stanislaw Gruszka -Date: Tue, 14 Sep 2010 14:35:14 +0000 (+0200) -Subject: sched: Fix user time incorrectly accounted as system time on 32-bit -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fx86%2Flinux-2.6-tip.git;a=commitdiff_plain;h=e75e863dd5c7d96b91ebbd241da5328fc38a78cc - -sched: Fix user time incorrectly accounted as system time on 32-bit - -We have 32-bit variable overflow possibility when multiply in -task_times() and thread_group_times() functions. When the -overflow happens then the scaled utime value becomes erroneously -small and the scaled stime becomes i erroneously big. - -Reported here: - - https://bugzilla.redhat.com/show_bug.cgi?id=633037 - https://bugzilla.kernel.org/show_bug.cgi?id=16559 - -Reported-by: Michael Chapman -Reported-by: Ciriaco Garcia de Celis -Signed-off-by: Stanislaw Gruszka -Signed-off-by: Peter Zijlstra -Cc: Hidetoshi Seto -Cc: # 2.6.32.19+ (partially) and 2.6.33+ -LKML-Reference: <20100914143513.GB8415@redhat.com> -Signed-off-by: Ingo Molnar ---- - -diff --git a/kernel/sched.c b/kernel/sched.c -index ed09d4f..dc85ceb 100644 ---- a/kernel/sched.c -+++ b/kernel/sched.c -@@ -3513,9 +3513,9 @@ void task_times(struct task_struct *p, cputime_t *ut, cputime_t *st) - rtime = nsecs_to_cputime(p->se.sum_exec_runtime); - - if (total) { -- u64 temp; -+ u64 temp = rtime; - -- temp = (u64)(rtime * utime); -+ temp *= utime; - do_div(temp, total); - utime = (cputime_t)temp; - } else -@@ -3546,9 +3546,9 @@ void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *st) - rtime = nsecs_to_cputime(cputime.sum_exec_runtime); - - if (total) { -- u64 temp; -+ u64 temp = rtime; - -- temp = (u64)(rtime * cputime.utime); -+ temp *= cputime.utime; - do_div(temp, total); - utime = (cputime_t)temp; - } else diff --git a/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch b/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch deleted file mode 100644 index c88c12aad..000000000 --- a/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich -Date: Wed, 15 Sep 2010 10:00:26 -0400 -Subject: sctp: Do not reset the packet during sctp_packet_config(). - -From: Vlad Yasevich - -commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream. - -sctp_packet_config() is called when getting the packet ready -for appending of chunks. The function should not touch the -current state, since it's possible to ping-pong between two -transports when sending, and that can result packet corruption -followed by skb overlfow crash. - -Reported-by: Thomas Dreibholz -Signed-off-by: Vlad Yasevich -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman - ---- - net/sctp/output.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/net/sctp/output.c -+++ b/net/sctp/output.c -@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s - SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__, - packet, vtag); - -- sctp_packet_reset(packet); - packet->vtag = vtag; - - if (ecn_capable && sctp_packet_empty(packet)) { diff --git a/setup_arg_pages-diagnose-excessive-argument-size.patch b/setup_arg_pages-diagnose-excessive-argument-size.patch deleted file mode 100644 index ead972a68..000000000 --- a/setup_arg_pages-diagnose-excessive-argument-size.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Roland McGrath -Date: Wed, 8 Sep 2010 02:35:49 +0000 (-0700) -Subject: setup_arg_pages: diagnose excessive argument size -X-Git-Tag: v2.6.36-rc4~14 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1b528181b2ffa14721fb28ad1bd539fe1732c583 - -setup_arg_pages: diagnose excessive argument size - -The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not -check the size of the argument/environment area on the stack. -When it is unworkably large, shift_arg_pages() hits its BUG_ON. -This is exploitable with a very large RLIMIT_STACK limit, to -create a crash pretty easily. - -Check that the initial stack is not too large to make it possible -to map in any executable. We're not checking that the actual -executable (or intepreter, for binfmt_elf) will fit. So those -mappings might clobber part of the initial stack mapping. But -that is just userland lossage that userland made happen, not a -kernel problem. - -Signed-off-by: Roland McGrath -Reviewed-by: KOSAKI Motohiro -Signed-off-by: Linus Torvalds ---- - -diff --git a/fs/exec.c b/fs/exec.c -index 2d94552..1b63237 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -594,6 +594,11 @@ int setup_arg_pages(struct linux_binprm *bprm, - #else - stack_top = arch_align_stack(stack_top); - stack_top = PAGE_ALIGN(stack_top); -+ -+ if (unlikely(stack_top < mmap_min_addr) || -+ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr)) -+ return -ENOMEM; -+ - stack_shift = vma->vm_end - stack_top; - - bprm->p -= stack_shift; diff --git a/skge-quirk-to-4gb-dma.patch b/skge-quirk-to-4gb-dma.patch deleted file mode 100644 index ffa0fff55..000000000 --- a/skge-quirk-to-4gb-dma.patch +++ /dev/null @@ -1,98 +0,0 @@ -From sgruszka@redhat.com Mon Oct 18 05:19:21 2010 -Return-Path: sgruszka@redhat.com -Received: from zmta02.collab.prod.int.phx2.redhat.com (LHLO - zmta02.collab.prod.int.phx2.redhat.com) (10.5.5.32) by - mail03.corp.redhat.com with LMTP; Mon, 18 Oct 2010 05:19:21 -0400 (EDT) -Received: from localhost (localhost.localdomain [127.0.0.1]) - by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id A11F69E559; - Mon, 18 Oct 2010 05:19:21 -0400 (EDT) -Received: from zmta02.collab.prod.int.phx2.redhat.com ([127.0.0.1]) - by localhost (zmta02.collab.prod.int.phx2.redhat.com [127.0.0.1]) (amavisd-new, port 10024) - with ESMTP id IhyIgD7E4aj3; Mon, 18 Oct 2010 05:19:21 -0400 (EDT) -Received: from int-mx08.intmail.prod.int.phx2.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.21]) - by zmta02.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 9007B9E55E; - Mon, 18 Oct 2010 05:19:21 -0400 (EDT) -Received: from localhost (dhcp-1-246.brq.redhat.com [10.34.1.246]) - by int-mx08.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o9I9JKsF025385; - Mon, 18 Oct 2010 05:19:21 -0400 -From: Stanislaw Gruszka -To: stable@kernel.org -Cc: Kyle McMartin , - Stanislaw Gruszka , - "David S. Miller" -Subject: [PATCH -stable 2.6.34+] skge: add quirk to limit DMA -Date: Mon, 18 Oct 2010 11:21:54 +0200 -Message-Id: <1287393714-3720-1-git-send-email-sgruszka@redhat.com> -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.21 - -Upstream 392bd0cb000d4aac9e88e4f50823db85e7220688 commit. - -Skge devices installed on some Gigabyte motherboards are not able to -perform 64 dma correctly due to board PCI implementation, so limit -DMA to 32bit if such boards are detected. - -Bug was reported here: -https://bugzilla.redhat.com/show_bug.cgi?id=447489 - -Signed-off-by: Stanislaw Gruszka -Tested-by: Luya Tshimbalanga -Signed-off-by: David S. Miller ---- - drivers/net/skge.c | 18 +++++++++++++++++- - 1 files changed, 17 insertions(+), 1 deletions(-) - -diff --git a/drivers/net/skge.c b/drivers/net/skge.c -index 40e5c46..465ae7e 100644 ---- a/drivers/net/skge.c -+++ b/drivers/net/skge.c -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - #include - - #include "skge.h" -@@ -3868,6 +3869,8 @@ static void __devinit skge_show_addr(struct net_device *dev) - netif_info(skge, probe, skge->netdev, "addr %pM\n", dev->dev_addr); - } - -+static int only_32bit_dma; -+ - static int __devinit skge_probe(struct pci_dev *pdev, - const struct pci_device_id *ent) - { -@@ -3889,7 +3892,7 @@ static int __devinit skge_probe(struct pci_dev *pdev, - - pci_set_master(pdev); - -- if (!pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) { -+ if (!only_32bit_dma && !pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) { - using_dac = 1; - err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)); - } else if (!(err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) { -@@ -4147,8 +4150,21 @@ static struct pci_driver skge_driver = { - .shutdown = skge_shutdown, - }; - -+static struct dmi_system_id skge_32bit_dma_boards[] = { -+ { -+ .ident = "Gigabyte nForce boards", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co"), -+ DMI_MATCH(DMI_BOARD_NAME, "nForce"), -+ }, -+ }, -+ {} -+}; -+ - static int __init skge_init_module(void) - { -+ if (dmi_check_system(skge_32bit_dma_boards)) -+ only_32bit_dma = 1; - skge_debug_init(); - return pci_register_driver(&skge_driver); - } --- -1.7.1 - diff --git a/sources b/sources index 19835d843..63b96794c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 10eebcb0178fb4540e2165bfd7efc7ad linux-2.6.34.tar.bz2 -a88e4b5a9fcb23c2229301ac4dae1f1a patch-2.6.34.7.bz2 +de755877dbd32ed783067987c095c278 patch-2.6.34.8.bz2 diff --git a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch deleted file mode 100644 index 4bbae7110..000000000 --- a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Steven Rostedt -Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400) -Subject: tracing: Do not allow llseek to set_ftrace_filter -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 - -tracing: Do not allow llseek to set_ftrace_filter - -Reading the file set_ftrace_filter does three things. - -1) shows whether or not filters are set for the function tracer -2) shows what functions are set for the function tracer -3) shows what triggers are set on any functions - -3 is independent from 1 and 2. - -The way this file currently works is that it is a state machine, -and as you read it, it may change state. But this assumption breaks -when you use lseek() on the file. The state machine gets out of sync -and the t_show() may use the wrong pointer and cause a kernel oops. - -Luckily, this will only kill the app that does the lseek, but the app -dies while holding a mutex. This prevents anyone else from using the -set_ftrace_filter file (or any other function tracing file for that matter). - -A real fix for this is to rewrite the code, but that is too much for -a -rc release or stable. This patch simply disables llseek on the -set_ftrace_filter() file for now, and we can do the proper fix for the -next major release. - -Reported-by: Robert Swiecki -Cc: Chris Wright -Cc: Tavis Ormandy -Cc: Eugene Teo -Cc: vendor-sec@lst.de -Cc: -Signed-off-by: Steven Rostedt ---- - -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 7cb1f45..83a16e9 100644 ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = { - .open = ftrace_filter_open, - .read = seq_read, - .write = ftrace_filter_write, -- .llseek = ftrace_regex_lseek, -+ .llseek = no_llseek, - .release = ftrace_filter_release, - }; - diff --git a/v4l1-fix-32-bit-compat-microcode-loading-translation.patch b/v4l1-fix-32-bit-compat-microcode-loading-translation.patch deleted file mode 100644 index 14f6fcb84..000000000 --- a/v4l1-fix-32-bit-compat-microcode-loading-translation.patch +++ /dev/null @@ -1,86 +0,0 @@ -From: Linus Torvalds -Date: Fri, 15 Oct 2010 18:12:38 +0000 (-0700) -Subject: v4l1: fix 32-bit compat microcode loading translation -X-Git-Tag: v2.6.36~11^2 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3e645d6b485446c54c6745c5e2cf5c528fe4deec - -v4l1: fix 32-bit compat microcode loading translation - -The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. -It's only used by the VIDEO_STRADIS driver, and that one is scheduled to -staging and eventually removed unless somebody steps up to maintain it -(at which point it should use request_firmware() rather than some magic -ioctl). So we'll get rid of it eventually. - -But in the meantime, the compatibility ioctl code is broken, and this -tries to get it to at least limp along (even if Mauro suggested just -deleting it entirely, which may be the right thing to do - I don't think -the compatibility translation code has ever worked unless you were very -lucky). - -Reported-by: Kees Cook -Cc: Mauro Carvalho Chehab -Cc: stable@kernel.org -Signed-off-by: Linus Torvalds ---- - -diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c -index 073f013..86294ed3 100644 ---- a/drivers/media/video/v4l2-compat-ioctl32.c -+++ b/drivers/media/video/v4l2-compat-ioctl32.c -@@ -193,17 +193,24 @@ static int put_video_window32(struct video_window *kp, struct video_window32 __u - struct video_code32 { - char loadwhat[16]; /* name or tag of file being passed */ - compat_int_t datasize; -- unsigned char *data; -+ compat_uptr_t data; - }; - --static int get_microcode32(struct video_code *kp, struct video_code32 __user *up) -+static struct video_code __user *get_microcode32(struct video_code32 *kp) - { -- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) || -- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) || -- get_user(kp->datasize, &up->datasize) || -- copy_from_user(kp->data, up->data, up->datasize)) -- return -EFAULT; -- return 0; -+ struct video_code __user *up; -+ -+ up = compat_alloc_user_space(sizeof(*up)); -+ -+ /* -+ * NOTE! We don't actually care if these fail. If the -+ * user address is invalid, the native ioctl will do -+ * the error handling for us -+ */ -+ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat)); -+ (void) put_user(kp->datasize, &up->datasize); -+ (void) put_user(compat_ptr(kp->data), &up->data); -+ return up; - } - - #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32) -@@ -739,7 +746,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar - struct video_tuner vt; - struct video_buffer vb; - struct video_window vw; -- struct video_code vc; -+ struct video_code32 vc; - struct video_audio va; - #endif - struct v4l2_format v2f; -@@ -818,8 +825,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar - break; - - case VIDIOCSMICROCODE: -- err = get_microcode32(&karg.vc, up); -- compatible_arg = 0; -+ /* Copy the 32-bit "video_code32" to kernel space */ -+ if (copy_from_user(&karg.vc, up, sizeof(karg.vc))) -+ return -EFAULT; -+ /* Convert the 32-bit version to a 64-bit version in user space */ -+ up = get_microcode32(&karg.vc); - break; - - case VIDIOCSFREQ: diff --git a/via-ioctl-prevent-reading-uninit-memory.patch b/via-ioctl-prevent-reading-uninit-memory.patch deleted file mode 100644 index a5d984c0a..000000000 --- a/via-ioctl-prevent-reading-uninit-memory.patch +++ /dev/null @@ -1,33 +0,0 @@ -From aaa3e9152f27f6cd83c074d7dc99e79897ac8c20 Mon Sep 17 00:00:00 2001 -From: Dan Rosenberg -Date: Wed, 15 Sep 2010 19:08:24 -0400 -Subject: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory - -The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246 -bytes of uninitialized stack memory, because the "reserved" member of -the viafb_ioctl_info struct declared on the stack is not altered or -zeroed before being copied back to the user. This patch takes care of -it. - -Signed-off-by: Dan Rosenberg -Signed-off-by: Florian Tobias Schandinat ---- - drivers/video/via/ioctl.c | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c -index da03c07..4d553d0 100644 ---- a/drivers/video/via/ioctl.c -+++ b/drivers/video/via/ioctl.c -@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg) - { - struct viafb_ioctl_info viainfo; - -+ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info)); -+ - viainfo.viafb_id = VIAID; - viainfo.vendor_id = PCI_VIA_VENDOR_ID; - --- -1.7.3.2 - diff --git a/wireless-extensions-fix-kernel-heap-content-leak.patch b/wireless-extensions-fix-kernel-heap-content-leak.patch deleted file mode 100644 index 27cc4fcec..000000000 --- a/wireless-extensions-fix-kernel-heap-content-leak.patch +++ /dev/null @@ -1,77 +0,0 @@ -From: Johannes Berg -Date: Mon, 30 Aug 2010 10:24:54 +0000 (+0200) -Subject: wireless extensions: fix kernel heap content leak -X-Git-Tag: master-2010-08-30 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Flinville%2Fwireless-2.6.git;a=commitdiff_plain;h=42da2f948d949efd0111309f5827bf0298bcc9a4 - -wireless extensions: fix kernel heap content leak - -Wireless extensions have an unfortunate, undocumented -requirement which requires drivers to always fill -iwp->length when returning a successful status. When -a driver doesn't do this, it leads to a kernel heap -content leak when userspace offers a larger buffer -than would have been necessary. - -Arguably, this is a driver bug, as it should, if it -returns 0, fill iwp->length, even if it separately -indicated that the buffer contents was not valid. - -However, we can also at least avoid the memory content -leak if the driver doesn't do this by setting the iwp -length to max_tokens, which then reflects how big the -buffer is that the driver may fill, regardless of how -big the userspace buffer is. - -To illustrate the point, this patch also fixes a -corresponding cfg80211 bug (since this requirement -isn't documented nor was ever pointed out by anyone -during code review, I don't trust all drivers nor -all cfg80211 handlers to implement it correctly). - -Cc: stable@kernel.org [all the way back] -Signed-off-by: Johannes Berg -Signed-off-by: John W. Linville ---- - -diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c -index bb5e0a5..7e5c3a4 100644 ---- a/net/wireless/wext-compat.c -+++ b/net/wireless/wext-compat.c -@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev, - { - struct wireless_dev *wdev = dev->ieee80211_ptr; - -+ data->flags = 0; -+ data->length = 0; -+ - switch (wdev->iftype) { - case NL80211_IFTYPE_ADHOC: - return cfg80211_ibss_wext_giwessid(dev, info, data, ssid); -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index 0ef17bc..8f5116f 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, - } - } - -+ if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) { -+ /* -+ * If this is a GET, but not NOMAX, it means that the extra -+ * data is not bounded by userspace, but by max_tokens. Thus -+ * set the length to max_tokens. This matches the extra data -+ * allocation. -+ * The driver should fill it with the number of tokens it -+ * provided, and it may check iwp->length rather than having -+ * knowledge of max_tokens. If the driver doesn't change the -+ * iwp->length, this ioctl just copies back max_token tokens -+ * filled with zeroes. Hopefully the driver isn't claiming -+ * them to be valid data. -+ */ -+ iwp->length = descr->max_tokens; -+ } -+ - err = handler(dev, info, (union iwreq_data *) iwp, extra); - - iwp->length += essid_compat; diff --git a/x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch b/x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch deleted file mode 100644 index e08509d92..000000000 --- a/x86-tsc-fix-a-preemption-leak-in-restore_sched_clock_state.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Peter Zijlstra -Date: Fri, 10 Sep 2010 20:32:53 +0000 (+0200) -Subject: x86, tsc: Fix a preemption leak in restore_sched_clock_state() -X-Git-Tag: v2.6.36-rc4~11 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5ee5e97ee9bca919af11c562beeaf61741ad33f1 - -x86, tsc: Fix a preemption leak in restore_sched_clock_state() - -A real life genuine preemption leak.. - -Reported-and-tested-by: Jeff Chua -Signed-off-by: Peter Zijlstra -Acked-by: Suresh Siddha -Signed-off-by: Linus Torvalds ---- - -diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c -index d632934..26a863a 100644 ---- a/arch/x86/kernel/tsc.c -+++ b/arch/x86/kernel/tsc.c -@@ -655,7 +655,7 @@ void restore_sched_clock_state(void) - - local_irq_save(flags); - -- get_cpu_var(cyc2ns_offset) = 0; -+ __get_cpu_var(cyc2ns_offset) = 0; - offset = cyc2ns_suspend - sched_clock(); - - for_each_possible_cpu(cpu) diff --git a/x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch b/x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch deleted file mode 100644 index c0d1e8604..000000000 --- a/x86-tsc-sched-recompute-cyc2ns_offset-s-during-resume-from-sleep-states.patch +++ /dev/null @@ -1,115 +0,0 @@ -From cd7240c0b900eb6d690ccee088a6c9b46dae815a Mon Sep 17 00:00:00 2001 -From: Suresh Siddha -Date: Thu, 19 Aug 2010 17:03:38 -0700 -Subject: x86, tsc, sched: Recompute cyc2ns_offset's during resume from sleep states - -From: Suresh Siddha - -commit cd7240c0b900eb6d690ccee088a6c9b46dae815a upstream. - -TSC's get reset after suspend/resume (even on cpu's with invariant TSC -which runs at a constant rate across ACPI P-, C- and T-states). And in -some systems BIOS seem to reinit TSC to arbitrary large value (still -sync'd across cpu's) during resume. - -This leads to a scenario of scheduler rq->clock (sched_clock_cpu()) less -than rq->age_stamp (introduced in 2.6.32). This leads to a big value -returned by scale_rt_power() and the resulting big group power set by the -update_group_power() is causing improper load balancing between busy and -idle cpu's after suspend/resume. - -This resulted in multi-threaded workloads (like kernel-compilation) go -slower after suspend/resume cycle on core i5 laptops. - -Fix this by recomputing cyc2ns_offset's during resume, so that -sched_clock() continues from the point where it was left off during -suspend. - -Reported-by: Florian Pritz -Signed-off-by: Suresh Siddha -Signed-off-by: Peter Zijlstra -LKML-Reference: <1282262618.2675.24.camel@sbsiddha-MOBL3.sc.intel.com> -Signed-off-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/include/asm/tsc.h | 2 ++ - arch/x86/kernel/tsc.c | 38 ++++++++++++++++++++++++++++++++++++++ - arch/x86/power/cpu.c | 2 ++ - 3 files changed, 42 insertions(+) - ---- a/arch/x86/include/asm/tsc.h -+++ b/arch/x86/include/asm/tsc.h -@@ -59,5 +59,7 @@ extern void check_tsc_sync_source(int cp - extern void check_tsc_sync_target(void); - - extern int notsc_setup(char *); -+extern void save_sched_clock_state(void); -+extern void restore_sched_clock_state(void); - - #endif /* _ASM_X86_TSC_H */ ---- a/arch/x86/kernel/tsc.c -+++ b/arch/x86/kernel/tsc.c -@@ -626,6 +626,44 @@ static void set_cyc2ns_scale(unsigned lo - local_irq_restore(flags); - } - -+static unsigned long long cyc2ns_suspend; -+ -+void save_sched_clock_state(void) -+{ -+ if (!sched_clock_stable) -+ return; -+ -+ cyc2ns_suspend = sched_clock(); -+} -+ -+/* -+ * Even on processors with invariant TSC, TSC gets reset in some the -+ * ACPI system sleep states. And in some systems BIOS seem to reinit TSC to -+ * arbitrary value (still sync'd across cpu's) during resume from such sleep -+ * states. To cope up with this, recompute the cyc2ns_offset for each cpu so -+ * that sched_clock() continues from the point where it was left off during -+ * suspend. -+ */ -+void restore_sched_clock_state(void) -+{ -+ unsigned long long offset; -+ unsigned long flags; -+ int cpu; -+ -+ if (!sched_clock_stable) -+ return; -+ -+ local_irq_save(flags); -+ -+ get_cpu_var(cyc2ns_offset) = 0; -+ offset = cyc2ns_suspend - sched_clock(); -+ -+ for_each_possible_cpu(cpu) -+ per_cpu(cyc2ns_offset, cpu) = offset; -+ -+ local_irq_restore(flags); -+} -+ - #ifdef CONFIG_CPU_FREQ - - /* Frequency scaling support. Adjust the TSC based timer when the cpu frequency ---- a/arch/x86/power/cpu.c -+++ b/arch/x86/power/cpu.c -@@ -112,6 +112,7 @@ static void __save_processor_state(struc - void save_processor_state(void) - { - __save_processor_state(&saved_context); -+ save_sched_clock_state(); - } - #ifdef CONFIG_X86_32 - EXPORT_SYMBOL(save_processor_state); -@@ -253,6 +254,7 @@ static void __restore_processor_state(st - void restore_processor_state(void) - { - __restore_processor_state(&saved_context); -+ restore_sched_clock_state(); - } - #ifdef CONFIG_X86_32 - EXPORT_SYMBOL(restore_processor_state); diff --git a/xen-handle-events-as-edge-triggered.patch b/xen-handle-events-as-edge-triggered.patch deleted file mode 100644 index dd06bbfb8..000000000 --- a/xen-handle-events-as-edge-triggered.patch +++ /dev/null @@ -1,44 +0,0 @@ -From dffe2e1e1a1ddb566a76266136c312801c66dcf7 Mon Sep 17 00:00:00 2001 -From: Jeremy Fitzhardinge -Date: Fri, 20 Aug 2010 19:10:01 -0700 -Subject: xen: handle events as edge-triggered - -From: Jeremy Fitzhardinge - -commit dffe2e1e1a1ddb566a76266136c312801c66dcf7 upstream. - -Xen events are logically edge triggered, as Xen only calls the event -upcall when an event is newly set, but not continuously as it remains set. -As a result, use handle_edge_irq rather than handle_level_irq. - -This has the important side-effect of fixing a long-standing bug of -events getting lost if: - - an event's interrupt handler is running - - the event is migrated to a different vcpu - - the event is re-triggered - -The most noticable symptom of these lost events is occasional lockups -of blkfront. - -Many thanks to Tom Kopec and Daniel Stodden in tracking this down. - -Signed-off-by: Jeremy Fitzhardinge -Cc: Tom Kopec -Cc: Daniel Stodden -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/xen/events.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/xen/events.c -+++ b/drivers/xen/events.c -@@ -363,7 +363,7 @@ int bind_evtchn_to_irq(unsigned int evtc - irq = find_unbound_irq(); - - set_irq_chip_and_handler_name(irq, &xen_dynamic_chip, -- handle_level_irq, "event"); -+ handle_edge_irq, "event"); - - evtchn_to_irq[evtchn] = irq; - irq_info[irq] = mk_evtchn_info(evtchn); diff --git a/xen-use-percpu-interrupts-for-ipis-and-virqs.patch b/xen-use-percpu-interrupts-for-ipis-and-virqs.patch deleted file mode 100644 index 742a46545..000000000 --- a/xen-use-percpu-interrupts-for-ipis-and-virqs.patch +++ /dev/null @@ -1,73 +0,0 @@ -From aaca49642b92c8a57d3ca5029a5a94019c7af69f Mon Sep 17 00:00:00 2001 -From: Jeremy Fitzhardinge -Date: Fri, 20 Aug 2010 18:57:53 -0700 -Subject: xen: use percpu interrupts for IPIs and VIRQs - -From: Jeremy Fitzhardinge - -commit aaca49642b92c8a57d3ca5029a5a94019c7af69f upstream. - -IPIs and VIRQs are inherently per-cpu event types, so treat them as such: - - use a specific percpu irq_chip implementation, and - - handle them with handle_percpu_irq - -This makes the path for delivering these interrupts more efficient -(no masking/unmasking, no locks), and it avoid problems with attempts -to migrate them. - -Signed-off-by: Jeremy Fitzhardinge -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/xen/events.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - ---- a/drivers/xen/events.c -+++ b/drivers/xen/events.c -@@ -107,6 +107,7 @@ static inline unsigned long *cpu_evtchn_ - #define VALID_EVTCHN(chn) ((chn) != 0) - - static struct irq_chip xen_dynamic_chip; -+static struct irq_chip xen_percpu_chip; - - /* Constructor for packed IRQ information. */ - static struct irq_info mk_unbound_info(void) -@@ -389,8 +390,8 @@ static int bind_ipi_to_irq(unsigned int - if (irq < 0) - goto out; - -- set_irq_chip_and_handler_name(irq, &xen_dynamic_chip, -- handle_level_irq, "ipi"); -+ set_irq_chip_and_handler_name(irq, &xen_percpu_chip, -+ handle_percpu_irq, "ipi"); - - bind_ipi.vcpu = cpu; - if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_ipi, -@@ -430,8 +431,8 @@ static int bind_virq_to_irq(unsigned int - - irq = find_unbound_irq(); - -- set_irq_chip_and_handler_name(irq, &xen_dynamic_chip, -- handle_level_irq, "virq"); -+ set_irq_chip_and_handler_name(irq, &xen_percpu_chip, -+ handle_percpu_irq, "virq"); - - evtchn_to_irq[evtchn] = irq; - irq_info[irq] = mk_virq_info(evtchn, virq); -@@ -934,6 +935,16 @@ static struct irq_chip xen_dynamic_chip - .retrigger = retrigger_dynirq, - }; - -+static struct irq_chip xen_percpu_chip __read_mostly = { -+ .name = "xen-percpu", -+ -+ .disable = disable_dynirq, -+ .mask = disable_dynirq, -+ .unmask = enable_dynirq, -+ -+ .ack = ack_dynirq, -+}; -+ - void __init xen_init_IRQ(void) - { - int i;