Contents of /trunk/kernel26-magellan/patches-2.6.16-r12/0132-2.6.16.17-all-fixes.patch
Parent Directory | Revision Log
Revision 72 -
(show annotations)
(download)
Mon Jun 5 09:25:38 2006 UTC (18 years, 3 months ago) by niro
File size: 23659 byte(s)
Mon Jun 5 09:25:38 2006 UTC (18 years, 3 months ago) by niro
File size: 23659 byte(s)
ver bump to 2.6.16-r12: - updated to linux-2.6.16.19 - updated to ck11
1 | diff --git a/block/elevator.c b/block/elevator.c |
2 | index 24b702d..ef1e606 100644 |
3 | --- a/block/elevator.c |
4 | +++ b/block/elevator.c |
5 | @@ -314,6 +314,7 @@ void elv_insert(request_queue_t *q, stru |
6 | { |
7 | struct list_head *pos; |
8 | unsigned ordseq; |
9 | + int unplug_it = 1; |
10 | |
11 | rq->q = q; |
12 | |
13 | @@ -378,6 +379,11 @@ void elv_insert(request_queue_t *q, stru |
14 | } |
15 | |
16 | list_add_tail(&rq->queuelist, pos); |
17 | + /* |
18 | + * most requeues happen because of a busy condition, don't |
19 | + * force unplug of the queue for that case. |
20 | + */ |
21 | + unplug_it = 0; |
22 | break; |
23 | |
24 | default: |
25 | @@ -386,7 +392,7 @@ void elv_insert(request_queue_t *q, stru |
26 | BUG(); |
27 | } |
28 | |
29 | - if (blk_queue_plugged(q)) { |
30 | + if (unplug_it && blk_queue_plugged(q)) { |
31 | int nrq = q->rq.count[READ] + q->rq.count[WRITE] |
32 | - q->in_flight; |
33 | |
34 | diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c |
35 | index 0ef2971..cd995c3 100644 |
36 | --- a/block/ll_rw_blk.c |
37 | +++ b/block/ll_rw_blk.c |
38 | @@ -1719,8 +1719,21 @@ void blk_run_queue(struct request_queue |
39 | |
40 | spin_lock_irqsave(q->queue_lock, flags); |
41 | blk_remove_plug(q); |
42 | - if (!elv_queue_empty(q)) |
43 | - q->request_fn(q); |
44 | + |
45 | + /* |
46 | + * Only recurse once to avoid overrunning the stack, let the unplug |
47 | + * handling reinvoke the handler shortly if we already got there. |
48 | + */ |
49 | + if (!elv_queue_empty(q)) { |
50 | + if (!test_and_set_bit(QUEUE_FLAG_REENTER, &q->queue_flags)) { |
51 | + q->request_fn(q); |
52 | + clear_bit(QUEUE_FLAG_REENTER, &q->queue_flags); |
53 | + } else { |
54 | + blk_plug_device(q); |
55 | + kblockd_schedule_work(&q->unplug_work); |
56 | + } |
57 | + } |
58 | + |
59 | spin_unlock_irqrestore(q->queue_lock, flags); |
60 | } |
61 | EXPORT_SYMBOL(blk_run_queue); |
62 | diff --git a/drivers/block/ub.c b/drivers/block/ub.c |
63 | index f04d864..a9485e5 100644 |
64 | --- a/drivers/block/ub.c |
65 | +++ b/drivers/block/ub.c |
66 | @@ -704,6 +704,9 @@ static void ub_cleanup(struct ub_dev *sc |
67 | kfree(lun); |
68 | } |
69 | |
70 | + usb_set_intfdata(sc->intf, NULL); |
71 | + usb_put_intf(sc->intf); |
72 | + usb_put_dev(sc->dev); |
73 | kfree(sc); |
74 | } |
75 | |
76 | @@ -2428,7 +2431,12 @@ static int ub_probe(struct usb_interface |
77 | // sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; |
78 | usb_set_intfdata(intf, sc); |
79 | usb_get_dev(sc->dev); |
80 | - // usb_get_intf(sc->intf); /* Do we need this? */ |
81 | + /* |
82 | + * Since we give the interface struct to the block level through |
83 | + * disk->driverfs_dev, we have to pin it. Otherwise, block_uevent |
84 | + * oopses on close after a disconnect (kernels 2.6.16 and up). |
85 | + */ |
86 | + usb_get_intf(sc->intf); |
87 | |
88 | snprintf(sc->name, 12, DRV_NAME "(%d.%d)", |
89 | sc->dev->bus->busnum, sc->dev->devnum); |
90 | @@ -2509,7 +2517,7 @@ #endif |
91 | err_diag: |
92 | err_dev_desc: |
93 | usb_set_intfdata(intf, NULL); |
94 | - // usb_put_intf(sc->intf); |
95 | + usb_put_intf(sc->intf); |
96 | usb_put_dev(sc->dev); |
97 | kfree(sc); |
98 | err_core: |
99 | @@ -2688,12 +2696,6 @@ static void ub_disconnect(struct usb_int |
100 | */ |
101 | |
102 | device_remove_file(&sc->intf->dev, &dev_attr_diag); |
103 | - usb_set_intfdata(intf, NULL); |
104 | - // usb_put_intf(sc->intf); |
105 | - sc->intf = NULL; |
106 | - usb_put_dev(sc->dev); |
107 | - sc->dev = NULL; |
108 | - |
109 | ub_put(sc); |
110 | } |
111 | |
112 | diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c |
113 | index 5fdf185..b61354a 100644 |
114 | --- a/drivers/char/pcmcia/cm4000_cs.c |
115 | +++ b/drivers/char/pcmcia/cm4000_cs.c |
116 | @@ -2010,10 +2010,6 @@ static int __init cmm_init(void) |
117 | if (!cmm_class) |
118 | return -1; |
119 | |
120 | - rc = pcmcia_register_driver(&cm4000_driver); |
121 | - if (rc < 0) |
122 | - return rc; |
123 | - |
124 | major = register_chrdev(0, DEVICE_NAME, &cm4000_fops); |
125 | if (major < 0) { |
126 | printk(KERN_WARNING MODULE_NAME |
127 | @@ -2021,6 +2017,12 @@ static int __init cmm_init(void) |
128 | return -1; |
129 | } |
130 | |
131 | + rc = pcmcia_register_driver(&cm4000_driver); |
132 | + if (rc < 0) { |
133 | + unregister_chrdev(major, DEVICE_NAME); |
134 | + return rc; |
135 | + } |
136 | + |
137 | return 0; |
138 | } |
139 | |
140 | diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c |
141 | index 466e33b..744b57d 100644 |
142 | --- a/drivers/char/pcmcia/cm4040_cs.c |
143 | +++ b/drivers/char/pcmcia/cm4040_cs.c |
144 | @@ -769,16 +769,19 @@ static int __init cm4040_init(void) |
145 | if (!cmx_class) |
146 | return -1; |
147 | |
148 | - rc = pcmcia_register_driver(&reader_driver); |
149 | - if (rc < 0) |
150 | - return rc; |
151 | - |
152 | major = register_chrdev(0, DEVICE_NAME, &reader_fops); |
153 | if (major < 0) { |
154 | printk(KERN_WARNING MODULE_NAME |
155 | ": could not get major number\n"); |
156 | return -1; |
157 | } |
158 | + |
159 | + rc = pcmcia_register_driver(&reader_driver); |
160 | + if (rc < 0) { |
161 | + unregister_chrdev(major, DEVICE_NAME); |
162 | + return rc; |
163 | + } |
164 | + |
165 | return 0; |
166 | } |
167 | |
168 | diff --git a/drivers/i2c/busses/scx200_acb.c b/drivers/i2c/busses/scx200_acb.c |
169 | index d3478e0..ad44dd5 100644 |
170 | --- a/drivers/i2c/busses/scx200_acb.c |
171 | +++ b/drivers/i2c/busses/scx200_acb.c |
172 | @@ -440,7 +440,6 @@ static int __init scx200_acb_create(int |
173 | struct scx200_acb_iface *iface; |
174 | struct i2c_adapter *adapter; |
175 | int rc = 0; |
176 | - char description[64]; |
177 | |
178 | iface = kzalloc(sizeof(*iface), GFP_KERNEL); |
179 | if (!iface) { |
180 | @@ -459,8 +458,7 @@ static int __init scx200_acb_create(int |
181 | |
182 | init_MUTEX(&iface->sem); |
183 | |
184 | - snprintf(description, sizeof(description), "NatSemi SCx200 ACCESS.bus [%s]", adapter->name); |
185 | - if (request_region(base, 8, description) == 0) { |
186 | + if (!request_region(base, 8, adapter->name)) { |
187 | dev_err(&adapter->dev, "can't allocate io 0x%x-0x%x\n", |
188 | base, base + 8-1); |
189 | rc = -EBUSY; |
190 | diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c |
191 | index ab90a6d..039ed49 100644 |
192 | --- a/drivers/md/raid10.c |
193 | +++ b/drivers/md/raid10.c |
194 | @@ -1436,9 +1436,9 @@ static void raid10d(mddev_t *mddev) |
195 | sl--; |
196 | d = r10_bio->devs[sl].devnum; |
197 | rdev = conf->mirrors[d].rdev; |
198 | - atomic_add(s, &rdev->corrected_errors); |
199 | if (rdev && |
200 | test_bit(In_sync, &rdev->flags)) { |
201 | + atomic_add(s, &rdev->corrected_errors); |
202 | if (sync_page_io(rdev->bdev, |
203 | r10_bio->devs[sl].addr + |
204 | sect + rdev->data_offset, |
205 | diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c |
206 | index caf4102..7d00722 100644 |
207 | --- a/drivers/net/tg3.c |
208 | +++ b/drivers/net/tg3.c |
209 | @@ -7368,21 +7368,23 @@ static int tg3_get_settings(struct net_d |
210 | cmd->supported |= (SUPPORTED_1000baseT_Half | |
211 | SUPPORTED_1000baseT_Full); |
212 | |
213 | - if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) |
214 | + if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) { |
215 | cmd->supported |= (SUPPORTED_100baseT_Half | |
216 | SUPPORTED_100baseT_Full | |
217 | SUPPORTED_10baseT_Half | |
218 | SUPPORTED_10baseT_Full | |
219 | SUPPORTED_MII); |
220 | - else |
221 | + cmd->port = PORT_TP; |
222 | + } else { |
223 | cmd->supported |= SUPPORTED_FIBRE; |
224 | + cmd->port = PORT_FIBRE; |
225 | + } |
226 | |
227 | cmd->advertising = tp->link_config.advertising; |
228 | if (netif_running(dev)) { |
229 | cmd->speed = tp->link_config.active_speed; |
230 | cmd->duplex = tp->link_config.active_duplex; |
231 | } |
232 | - cmd->port = 0; |
233 | cmd->phy_address = PHY_ADDR; |
234 | cmd->transceiver = 0; |
235 | cmd->autoneg = tp->link_config.autoneg; |
236 | diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c |
237 | index 2418715..56864ff 100644 |
238 | --- a/drivers/net/via-rhine.c |
239 | +++ b/drivers/net/via-rhine.c |
240 | @@ -129,6 +129,7 @@ |
241 | - Massive clean-up |
242 | - Rewrite PHY, media handling (remove options, full_duplex, backoff) |
243 | - Fix Tx engine race for good |
244 | + - Craig Brind: Zero padded aligned buffers for short packets. |
245 | |
246 | */ |
247 | |
248 | @@ -1306,7 +1307,12 @@ static int rhine_start_tx(struct sk_buff |
249 | rp->stats.tx_dropped++; |
250 | return 0; |
251 | } |
252 | + |
253 | + /* Padding is not copied and so must be redone. */ |
254 | skb_copy_and_csum_dev(skb, rp->tx_buf[entry]); |
255 | + if (skb->len < ETH_ZLEN) |
256 | + memset(rp->tx_buf[entry] + skb->len, 0, |
257 | + ETH_ZLEN - skb->len); |
258 | rp->tx_skbuff_dma[entry] = 0; |
259 | rp->tx_ring[entry].addr = cpu_to_le32(rp->tx_bufs_dma + |
260 | (rp->tx_buf[entry] - |
261 | diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c |
262 | index 6917c6c..c2ecae5 100644 |
263 | --- a/drivers/pci/pci-acpi.c |
264 | +++ b/drivers/pci/pci-acpi.c |
265 | @@ -33,13 +33,10 @@ acpi_query_osc ( |
266 | acpi_status status; |
267 | struct acpi_object_list input; |
268 | union acpi_object in_params[4]; |
269 | - struct acpi_buffer output; |
270 | - union acpi_object out_obj; |
271 | + struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL}; |
272 | + union acpi_object *out_obj; |
273 | u32 osc_dw0; |
274 | |
275 | - /* Setting up output buffer */ |
276 | - output.length = sizeof(out_obj) + 3*sizeof(u32); |
277 | - output.pointer = &out_obj; |
278 | |
279 | /* Setting up input parameters */ |
280 | input.count = 4; |
281 | @@ -61,12 +58,15 @@ acpi_query_osc ( |
282 | "Evaluate _OSC Set fails. Status = 0x%04x\n", status); |
283 | return status; |
284 | } |
285 | - if (out_obj.type != ACPI_TYPE_BUFFER) { |
286 | + out_obj = output.pointer; |
287 | + |
288 | + if (out_obj->type != ACPI_TYPE_BUFFER) { |
289 | printk(KERN_DEBUG |
290 | "Evaluate _OSC returns wrong type\n"); |
291 | - return AE_TYPE; |
292 | + status = AE_TYPE; |
293 | + goto query_osc_out; |
294 | } |
295 | - osc_dw0 = *((u32 *) out_obj.buffer.pointer); |
296 | + osc_dw0 = *((u32 *) out_obj->buffer.pointer); |
297 | if (osc_dw0) { |
298 | if (osc_dw0 & OSC_REQUEST_ERROR) |
299 | printk(KERN_DEBUG "_OSC request fails\n"); |
300 | @@ -76,15 +76,21 @@ acpi_query_osc ( |
301 | printk(KERN_DEBUG "_OSC invalid revision\n"); |
302 | if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) { |
303 | /* Update Global Control Set */ |
304 | - global_ctrlsets = *((u32 *)(out_obj.buffer.pointer+8)); |
305 | - return AE_OK; |
306 | + global_ctrlsets = *((u32 *)(out_obj->buffer.pointer+8)); |
307 | + status = AE_OK; |
308 | + goto query_osc_out; |
309 | } |
310 | - return AE_ERROR; |
311 | + status = AE_ERROR; |
312 | + goto query_osc_out; |
313 | } |
314 | |
315 | /* Update Global Control Set */ |
316 | - global_ctrlsets = *((u32 *)(out_obj.buffer.pointer + 8)); |
317 | - return AE_OK; |
318 | + global_ctrlsets = *((u32 *)(out_obj->buffer.pointer + 8)); |
319 | + status = AE_OK; |
320 | + |
321 | +query_osc_out: |
322 | + kfree(output.pointer); |
323 | + return status; |
324 | } |
325 | |
326 | |
327 | @@ -96,14 +102,10 @@ acpi_run_osc ( |
328 | acpi_status status; |
329 | struct acpi_object_list input; |
330 | union acpi_object in_params[4]; |
331 | - struct acpi_buffer output; |
332 | - union acpi_object out_obj; |
333 | + struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL}; |
334 | + union acpi_object *out_obj; |
335 | u32 osc_dw0; |
336 | |
337 | - /* Setting up output buffer */ |
338 | - output.length = sizeof(out_obj) + 3*sizeof(u32); |
339 | - output.pointer = &out_obj; |
340 | - |
341 | /* Setting up input parameters */ |
342 | input.count = 4; |
343 | input.pointer = in_params; |
344 | @@ -124,12 +126,14 @@ acpi_run_osc ( |
345 | "Evaluate _OSC Set fails. Status = 0x%04x\n", status); |
346 | return status; |
347 | } |
348 | - if (out_obj.type != ACPI_TYPE_BUFFER) { |
349 | + out_obj = output.pointer; |
350 | + if (out_obj->type != ACPI_TYPE_BUFFER) { |
351 | printk(KERN_DEBUG |
352 | "Evaluate _OSC returns wrong type\n"); |
353 | - return AE_TYPE; |
354 | + status = AE_TYPE; |
355 | + goto run_osc_out; |
356 | } |
357 | - osc_dw0 = *((u32 *) out_obj.buffer.pointer); |
358 | + osc_dw0 = *((u32 *) out_obj->buffer.pointer); |
359 | if (osc_dw0) { |
360 | if (osc_dw0 & OSC_REQUEST_ERROR) |
361 | printk(KERN_DEBUG "_OSC request fails\n"); |
362 | @@ -139,11 +143,17 @@ acpi_run_osc ( |
363 | printk(KERN_DEBUG "_OSC invalid revision\n"); |
364 | if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) { |
365 | printk(KERN_DEBUG "_OSC FW not grant req. control\n"); |
366 | - return AE_SUPPORT; |
367 | + status = AE_SUPPORT; |
368 | + goto run_osc_out; |
369 | } |
370 | - return AE_ERROR; |
371 | + status = AE_ERROR; |
372 | + goto run_osc_out; |
373 | } |
374 | - return AE_OK; |
375 | + status = AE_OK; |
376 | + |
377 | +run_osc_out: |
378 | + kfree(output.pointer); |
379 | + return status; |
380 | } |
381 | |
382 | /** |
383 | diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c |
384 | index dda6099..381f36b 100644 |
385 | --- a/drivers/pci/quirks.c |
386 | +++ b/drivers/pci/quirks.c |
387 | @@ -631,6 +631,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_V |
388 | * non-x86 architectures (yes Via exists on PPC among other places), |
389 | * we must mask the PCI_INTERRUPT_LINE value versus 0xf to get |
390 | * interrupts delivered properly. |
391 | + * |
392 | + * Some of the on-chip devices are actually '586 devices' so they are |
393 | + * listed here. |
394 | */ |
395 | static void quirk_via_irq(struct pci_dev *dev) |
396 | { |
397 | @@ -639,13 +642,19 @@ static void quirk_via_irq(struct pci_dev |
398 | new_irq = dev->irq & 0xf; |
399 | pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &irq); |
400 | if (new_irq != irq) { |
401 | - printk(KERN_INFO "PCI: Via IRQ fixup for %s, from %d to %d\n", |
402 | + printk(KERN_INFO "PCI: VIA IRQ fixup for %s, from %d to %d\n", |
403 | pci_name(dev), irq, new_irq); |
404 | udelay(15); /* unknown if delay really needed */ |
405 | pci_write_config_byte(dev, PCI_INTERRUPT_LINE, new_irq); |
406 | } |
407 | } |
408 | -DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_ANY_ID, quirk_via_irq); |
409 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_0, quirk_via_irq); |
410 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, quirk_via_irq); |
411 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_2, quirk_via_irq); |
412 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_3, quirk_via_irq); |
413 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686, quirk_via_irq); |
414 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4, quirk_via_irq); |
415 | +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_5, quirk_via_irq); |
416 | |
417 | /* |
418 | * VIA VT82C598 has its device ID settable and many BIOSes |
419 | @@ -861,6 +870,7 @@ static void __init quirk_eisa_bridge(str |
420 | } |
421 | DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82375, quirk_eisa_bridge ); |
422 | |
423 | +#ifndef CONFIG_ACPI_SLEEP |
424 | /* |
425 | * On ASUS P4B boards, the SMBus PCI Device within the ICH2/4 southbridge |
426 | * is not activated. The myth is that Asus said that they do not want the |
427 | @@ -872,8 +882,12 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I |
428 | * bridge. Unfortunately, this device has no subvendor/subdevice ID. So it |
429 | * becomes necessary to do this tweak in two steps -- I've chosen the Host |
430 | * bridge as trigger. |
431 | + * |
432 | + * Actually, leaving it unhidden and not redoing the quirk over suspend2ram |
433 | + * will cause thermal management to break down, and causing machine to |
434 | + * overheat. |
435 | */ |
436 | -static int __initdata asus_hides_smbus = 0; |
437 | +static int __initdata asus_hides_smbus; |
438 | |
439 | static void __init asus_hides_smbus_hostbridge(struct pci_dev *dev) |
440 | { |
441 | @@ -1008,6 +1022,8 @@ static void __init asus_hides_smbus_lpc_ |
442 | } |
443 | DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, asus_hides_smbus_lpc_ich6 ); |
444 | |
445 | +#endif |
446 | + |
447 | /* |
448 | * SiS 96x south bridge: BIOS typically hides SMBus device... |
449 | */ |
450 | diff --git a/fs/compat.c b/fs/compat.c |
451 | index 04f6fb5..8491bb8 100644 |
452 | --- a/fs/compat.c |
453 | +++ b/fs/compat.c |
454 | @@ -1901,7 +1901,7 @@ asmlinkage long compat_sys_ppoll(struct |
455 | } |
456 | |
457 | if (sigmask) { |
458 | - if (sigsetsize |= sizeof(compat_sigset_t)) |
459 | + if (sigsetsize != sizeof(compat_sigset_t)) |
460 | return -EINVAL; |
461 | if (copy_from_user(&ss32, sigmask, sizeof(ss32))) |
462 | return -EFAULT; |
463 | diff --git a/fs/locks.c b/fs/locks.c |
464 | index aa7f660..39b038b 100644 |
465 | --- a/fs/locks.c |
466 | +++ b/fs/locks.c |
467 | @@ -714,8 +714,9 @@ EXPORT_SYMBOL(posix_locks_deadlock); |
468 | * at the head of the list, but that's secret knowledge known only to |
469 | * flock_lock_file and posix_lock_file. |
470 | */ |
471 | -static int flock_lock_file(struct file *filp, struct file_lock *new_fl) |
472 | +static int flock_lock_file(struct file *filp, struct file_lock *request) |
473 | { |
474 | + struct file_lock *new_fl = NULL; |
475 | struct file_lock **before; |
476 | struct inode * inode = filp->f_dentry->d_inode; |
477 | int error = 0; |
478 | @@ -730,17 +731,19 @@ static int flock_lock_file(struct file * |
479 | continue; |
480 | if (filp != fl->fl_file) |
481 | continue; |
482 | - if (new_fl->fl_type == fl->fl_type) |
483 | + if (request->fl_type == fl->fl_type) |
484 | goto out; |
485 | found = 1; |
486 | locks_delete_lock(before); |
487 | break; |
488 | } |
489 | - unlock_kernel(); |
490 | |
491 | - if (new_fl->fl_type == F_UNLCK) |
492 | - return 0; |
493 | + if (request->fl_type == F_UNLCK) |
494 | + goto out; |
495 | |
496 | + new_fl = locks_alloc_lock(); |
497 | + if (new_fl == NULL) |
498 | + goto out; |
499 | /* |
500 | * If a higher-priority process was blocked on the old file lock, |
501 | * give it the opportunity to lock the file. |
502 | @@ -748,26 +751,27 @@ static int flock_lock_file(struct file * |
503 | if (found) |
504 | cond_resched(); |
505 | |
506 | - lock_kernel(); |
507 | for_each_lock(inode, before) { |
508 | struct file_lock *fl = *before; |
509 | if (IS_POSIX(fl)) |
510 | break; |
511 | if (IS_LEASE(fl)) |
512 | continue; |
513 | - if (!flock_locks_conflict(new_fl, fl)) |
514 | + if (!flock_locks_conflict(request, fl)) |
515 | continue; |
516 | error = -EAGAIN; |
517 | - if (new_fl->fl_flags & FL_SLEEP) { |
518 | - locks_insert_block(fl, new_fl); |
519 | - } |
520 | + if (request->fl_flags & FL_SLEEP) |
521 | + locks_insert_block(fl, request); |
522 | goto out; |
523 | } |
524 | + locks_copy_lock(new_fl, request); |
525 | locks_insert_lock(&inode->i_flock, new_fl); |
526 | - error = 0; |
527 | + new_fl = NULL; |
528 | |
529 | out: |
530 | unlock_kernel(); |
531 | + if (new_fl) |
532 | + locks_free_lock(new_fl); |
533 | return error; |
534 | } |
535 | |
536 | @@ -1532,9 +1536,7 @@ asmlinkage long sys_flock(unsigned int f |
537 | error = flock_lock_file_wait(filp, lock); |
538 | |
539 | out_free: |
540 | - if (list_empty(&lock->fl_link)) { |
541 | - locks_free_lock(lock); |
542 | - } |
543 | + locks_free_lock(lock); |
544 | |
545 | out_putf: |
546 | fput(filp); |
547 | diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c |
548 | index c71c375..c71dd27 100644 |
549 | --- a/fs/smbfs/request.c |
550 | +++ b/fs/smbfs/request.c |
551 | @@ -339,9 +339,11 @@ #endif |
552 | /* |
553 | * On timeout or on interrupt we want to try and remove the |
554 | * request from the recvq/xmitq. |
555 | + * First check if the request is still part of a queue. (May |
556 | + * have been removed by some error condition) |
557 | */ |
558 | smb_lock_server(server); |
559 | - if (!(req->rq_flags & SMB_REQ_RECEIVED)) { |
560 | + if (!list_empty(&req->rq_queue)) { |
561 | list_del_init(&req->rq_queue); |
562 | smb_rput(req); |
563 | } |
564 | diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h |
565 | index e673b2c..aa6033c 100644 |
566 | --- a/include/net/sctp/sctp.h |
567 | +++ b/include/net/sctp/sctp.h |
568 | @@ -461,12 +461,12 @@ static inline int sctp_frag_point(const |
569 | * there is room for a param header too. |
570 | */ |
571 | #define sctp_walk_params(pos, chunk, member)\ |
572 | -_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member) |
573 | +_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) |
574 | |
575 | #define _sctp_walk_params(pos, chunk, end, member)\ |
576 | for (pos.v = chunk->member;\ |
577 | pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\ |
578 | - pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\ |
579 | + pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ |
580 | ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\ |
581 | pos.v += WORD_ROUND(ntohs(pos.p->length))) |
582 | |
583 | @@ -477,7 +477,7 @@ #define _sctp_walk_errors(err, chunk_hdr |
584 | for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ |
585 | sizeof(sctp_chunkhdr_t));\ |
586 | (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\ |
587 | - (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\ |
588 | + (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ |
589 | ntohs(err->length) >= sizeof(sctp_errhdr_t); \ |
590 | err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length)))) |
591 | |
592 | diff --git a/kernel/ptrace.c b/kernel/ptrace.c |
593 | index b5eaeb9..48453c3 100644 |
594 | --- a/kernel/ptrace.c |
595 | +++ b/kernel/ptrace.c |
596 | @@ -149,12 +149,34 @@ int ptrace_may_attach(struct task_struct |
597 | int ptrace_attach(struct task_struct *task) |
598 | { |
599 | int retval; |
600 | - task_lock(task); |
601 | + |
602 | retval = -EPERM; |
603 | if (task->pid <= 1) |
604 | - goto bad; |
605 | + goto out; |
606 | if (task->tgid == current->tgid) |
607 | - goto bad; |
608 | + goto out; |
609 | + |
610 | +repeat: |
611 | + /* |
612 | + * Nasty, nasty. |
613 | + * |
614 | + * We want to hold both the task-lock and the |
615 | + * tasklist_lock for writing at the same time. |
616 | + * But that's against the rules (tasklist_lock |
617 | + * is taken for reading by interrupts on other |
618 | + * cpu's that may have task_lock). |
619 | + */ |
620 | + task_lock(task); |
621 | + local_irq_disable(); |
622 | + if (!write_trylock(&tasklist_lock)) { |
623 | + local_irq_enable(); |
624 | + task_unlock(task); |
625 | + do { |
626 | + cpu_relax(); |
627 | + } while (!write_can_lock(&tasklist_lock)); |
628 | + goto repeat; |
629 | + } |
630 | + |
631 | /* the same process cannot be attached many times */ |
632 | if (task->ptrace & PT_PTRACED) |
633 | goto bad; |
634 | @@ -167,17 +189,15 @@ int ptrace_attach(struct task_struct *ta |
635 | ? PT_ATTACHED : 0); |
636 | if (capable(CAP_SYS_PTRACE)) |
637 | task->ptrace |= PT_PTRACE_CAP; |
638 | - task_unlock(task); |
639 | |
640 | - write_lock_irq(&tasklist_lock); |
641 | __ptrace_link(task, current); |
642 | - write_unlock_irq(&tasklist_lock); |
643 | |
644 | force_sig_specific(SIGSTOP, task); |
645 | - return 0; |
646 | |
647 | bad: |
648 | + write_unlock_irq(&tasklist_lock); |
649 | task_unlock(task); |
650 | +out: |
651 | return retval; |
652 | } |
653 | |
654 | @@ -418,21 +438,22 @@ #endif |
655 | */ |
656 | int ptrace_traceme(void) |
657 | { |
658 | - int ret; |
659 | + int ret = -EPERM; |
660 | |
661 | /* |
662 | * Are we already being traced? |
663 | */ |
664 | - if (current->ptrace & PT_PTRACED) |
665 | - return -EPERM; |
666 | - ret = security_ptrace(current->parent, current); |
667 | - if (ret) |
668 | - return -EPERM; |
669 | - /* |
670 | - * Set the ptrace bit in the process ptrace flags. |
671 | - */ |
672 | - current->ptrace |= PT_PTRACED; |
673 | - return 0; |
674 | + task_lock(current); |
675 | + if (!(current->ptrace & PT_PTRACED)) { |
676 | + ret = security_ptrace(current->parent, current); |
677 | + /* |
678 | + * Set the ptrace bit in the process ptrace flags. |
679 | + */ |
680 | + if (!ret) |
681 | + current->ptrace |= PT_PTRACED; |
682 | + } |
683 | + task_unlock(current); |
684 | + return ret; |
685 | } |
686 | |
687 | /** |
688 | diff --git a/mm/mempolicy.c b/mm/mempolicy.c |
689 | index b21869a..8d7ddf0 100644 |
690 | --- a/mm/mempolicy.c |
691 | +++ b/mm/mempolicy.c |
692 | @@ -1796,7 +1796,6 @@ static void gather_stats(struct page *pa |
693 | md->mapcount_max = count; |
694 | |
695 | md->node[page_to_nid(page)]++; |
696 | - cond_resched(); |
697 | } |
698 | |
699 | #ifdef CONFIG_HUGETLB_PAGE |
700 | diff --git a/mm/shmem.c b/mm/shmem.c |
701 | index 7c455fb..f0eb2f2 100644 |
702 | --- a/mm/shmem.c |
703 | +++ b/mm/shmem.c |
704 | @@ -2172,6 +2172,7 @@ #ifdef CONFIG_TMPFS |
705 | .prepare_write = shmem_prepare_write, |
706 | .commit_write = simple_commit_write, |
707 | #endif |
708 | + .migratepage = migrate_page, |
709 | }; |
710 | |
711 | static struct file_operations shmem_file_operations = { |
712 | diff --git a/mm/vmscan.c b/mm/vmscan.c |
713 | index 4fe7e3a..1d64dc1 100644 |
714 | --- a/mm/vmscan.c |
715 | +++ b/mm/vmscan.c |
716 | @@ -949,6 +949,17 @@ redo: |
717 | goto unlock_both; |
718 | } |
719 | |
720 | + /* Make sure the dirty bit is up to date */ |
721 | + if (try_to_unmap(page, 1) == SWAP_FAIL) { |
722 | + rc = -EPERM; |
723 | + goto unlock_both; |
724 | + } |
725 | + |
726 | + if (page_mapcount(page)) { |
727 | + rc = -EAGAIN; |
728 | + goto unlock_both; |
729 | + } |
730 | + |
731 | /* |
732 | * Default handling if a filesystem does not provide |
733 | * a migration function. We can only migrate clean |
734 | diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c |
735 | index 7d7ab94..12bfc25 100644 |
736 | --- a/net/ipv4/netfilter/arp_tables.c |
737 | +++ b/net/ipv4/netfilter/arp_tables.c |
738 | @@ -941,7 +941,7 @@ static int do_add_counters(void __user * |
739 | |
740 | write_lock_bh(&t->lock); |
741 | private = t->private; |
742 | - if (private->number != paddc->num_counters) { |
743 | + if (private->number != tmp.num_counters) { |
744 | ret = -EINVAL; |
745 | goto unlock_up_free; |
746 | } |
747 | diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c |
748 | index 16f47c6..735d5ff 100644 |
749 | --- a/net/ipv4/netfilter/ip_tables.c |
750 | +++ b/net/ipv4/netfilter/ip_tables.c |
751 | @@ -1063,7 +1063,7 @@ do_add_counters(void __user *user, unsig |
752 | |
753 | write_lock_bh(&t->lock); |
754 | private = t->private; |
755 | - if (private->number != paddc->num_counters) { |
756 | + if (private->number != tmp.num_counters) { |
757 | ret = -EINVAL; |
758 | goto unlock_up_free; |
759 | } |
760 | diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c |
761 | index 74ff56c..dd6ad42 100644 |
762 | --- a/net/ipv6/netfilter/ip6_tables.c |
763 | +++ b/net/ipv6/netfilter/ip6_tables.c |
764 | @@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig |
765 | |
766 | write_lock_bh(&t->lock); |
767 | private = t->private; |
768 | - if (private->number != paddc->num_counters) { |
769 | + if (private->number != tmp.num_counters) { |
770 | ret = -EINVAL; |
771 | goto unlock_up_free; |
772 | } |
773 | diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c |
774 | index 8cdba51..9395e09 100644 |
775 | --- a/net/sctp/sm_statefuns.c |
776 | +++ b/net/sctp/sm_statefuns.c |
777 | @@ -1030,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3( |
778 | commands); |
779 | |
780 | hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; |
781 | + /* Make sure that the length of the parameter is what we expect */ |
782 | + if (ntohs(hbinfo->param_hdr.length) != |
783 | + sizeof(sctp_sender_hb_info_t)) { |
784 | + return SCTP_DISPOSITION_DISCARD; |
785 | + } |
786 | + |
787 | from_addr = hbinfo->daddr; |
788 | link = sctp_assoc_lookup_paddr(asoc, &from_addr); |
789 | |
790 | diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c |
791 | index 8a76492..6375dd5 100644 |
792 | --- a/security/selinux/ss/services.c |
793 | +++ b/security/selinux/ss/services.c |
794 | @@ -592,6 +592,10 @@ int security_sid_to_context(u32 sid, cha |
795 | |
796 | *scontext_len = strlen(initial_sid_to_string[sid]) + 1; |
797 | scontextp = kmalloc(*scontext_len,GFP_ATOMIC); |
798 | + if (!scontextp) { |
799 | + rc = -ENOMEM; |
800 | + goto out; |
801 | + } |
802 | strcpy(scontextp, initial_sid_to_string[sid]); |
803 | *scontext = scontextp; |
804 | goto out; |