[kernel] r18478 - in dists/lenny-security/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/s390 debian/patches/bugfix/x86 debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Jan 8 10:53:27 UTC 2012
Author: dannf
Date: Sun Jan 8 10:53:26 2012
New Revision: 18478
Log:
merge 2.6.26-27
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cciss-fix-lost-command-issue.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cciss-fix-lost-command-issue.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/libsas-fix-runaway-error-handler-problem
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/libsas-fix-runaway-error-handler-problem
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-aio-fix-use-after-free.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfs-aio-fix-use-after-free.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/asus_acpi-world-writeable-procfs-files.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/asus_acpi-world-writeable-procfs-files.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch
dists/lenny-security/linux-2.6/debian/patches/series/27
- copied unchanged from r18477, releases/linux-2.6/2.6.26-27/debian/patches/series/27
Modified:
dists/lenny-security/linux-2.6/ (props changed)
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Jan 8 10:51:43 2012 (r18477)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Jan 8 10:53:26 2012 (r18478)
@@ -6,6 +6,43 @@
-- dann frazier <dannf at debian.org> Fri, 06 Jan 2012 21:15:07 -0700
+linux-2.6 (2.6.26-27) oldstable; urgency=high
+
+ [ Ben Hutchings ]
+ * dm,md: Deal with merge_bvec_fn in component devices better
+ (Closes: #604457)
+ * rt2x00: Fix memory leak after failing to insert RTS/CTS frame
+ (Closes: #561890)
+
+ [ dann frazier ]
+ * Include selected backport from 2.6.27.58:
+ - md: fix bug with re-adding of partially recovered device.
+ * Include selected backports from 2.6.27.59:
+ - NFS: fix the return value of nfs_file_fsync()
+ - ptrace: use safer wake up on ptrace_detach()
+ - [x86] mm: avoid possible bogus tlb entries by clearing prev mm_cpumask
+ after switching mm
+ - dm raid1: fail writes if errors are not handled and log fails
+ - [x86] asus_acpi: world-writable procfs files
+ - [x86] acer-wmi: world-writable sysfs threeg file
+ - [x86] tc1100-wmi: world-writable sysfs wireless and jogdial files
+ - NFSD: memory corruption due to writing beyond the stat array
+ - ext2: Fix link count corruption under heavy link+rename load
+ - virtio: set pci bus master enable bit
+ - [s390] keyboard: integer underflow bug
+ - ocfs2_connection_find() returns pointer to bad structure
+ - libsas: fix runaway error handler problem
+ - NFS: Fix "kernel BUG at fs/aio.c:554!"
+ - md: fix regression with re-adding devices to arrays with no metadata
+ - [x86] Flush TLB if PGD entry is changed in i386 PAE mode
+ - ext3: skip orphan cleanup on rocompat fs
+ - cciss: fix lost command issue
+ * cifs: fix an oops that can occur when accessing filenames containing
+ accented characters from a Windows ME server (Closes: #524438)
+ * [hppa] Fix FTBFS caused by CVE-2011-2496 fix
+
+ -- dann frazier <dannf at debian.org> Mon, 19 Sep 2011 22:30:56 -0600
+
linux-2.6 (2.6.26-26lenny4) oldstable-security; urgency=high
[ dann frazier ]
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cciss-fix-lost-command-issue.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cciss-fix-lost-command-issue.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cciss-fix-lost-command-issue.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cciss-fix-lost-command-issue.patch)
@@ -0,0 +1,32 @@
+commit 798d07510c753dd6a63a991f256a4dbfb366ebe2
+Author: Bud Brown <bud.brown at redhat.com>
+Date: Wed Mar 23 20:47:11 2011 +0100
+
+ cciss: fix lost command issue
+
+ commit 1ddd5049545e0aa1a0ed19bca4d9c9c3ce1ac8a2 upstream.
+
+ Under certain workloads a command may seem to get lost. IOW, the Smart Array
+ thinks all commands have been completed but we still have commands in our
+ completion queue. This may lead to system instability, filesystems going
+ read-only, or even panics depending on the affected filesystem. We add an
+ extra read to force the write to complete.
+
+ Testing shows this extra read avoids the problem.
+
+ Signed-off-by: Mike Miller <mike.miller at hp.com>
+ Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
+index 24a7efa..2e5816c 100644
+--- a/drivers/block/cciss.h
++++ b/drivers/block/cciss.h
+@@ -157,6 +157,7 @@ static void SA5_submit_command( ctlr_info_t *h, CommandList_struct *c)
+ printk("Sending %x - down to controller\n", c->busaddr );
+ #endif /* CCISS_DEBUG */
+ writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
++ readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
+ h->commands_outstanding++;
+ if ( h->commands_outstanding > h->max_outstanding)
+ h->max_outstanding = h->commands_outstanding;
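Review bot: The added `readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);` in SA5_submit_command discards its result and has no comment, so it reads like dead code that a later cleanup could delete. The commit message says the read is there to force the preceding `writel` to complete, and that belongs next to the line, for example `/* read back to force the preceding write to complete; do not remove */`. The function body continues outside the inner hunk.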
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch)
@@ -0,0 +1,72 @@
+commit b77d753c413e02559669df66e543869dad40c847
+Author: Steve French <sfrench at us.ibm.com>
+Date: Wed Oct 8 19:13:46 2008 +0000
+
+ [CIFS] Check that last search entry resume key is valid
+
+ Jeff's recent patch to add a last_entry field in the search structure
+ to better construct resume keys did not validate that the server
+ sent us a plausible pointer to the last entry. This adds that.
+
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 7b00a16..6f4ffe1 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -3614,6 +3614,8 @@ findFirstRetry:
+ /* BB remember to free buffer if error BB */
+ rc = validate_t2((struct smb_t2_rsp *)pSMBr);
+ if (rc == 0) {
++ unsigned int lnoff;
++
+ if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
+ psrch_inf->unicode = true;
+ else
+@@ -3636,8 +3638,17 @@ findFirstRetry:
+ le16_to_cpu(parms->SearchCount);
+ psrch_inf->index_of_last_entry = 2 /* skip . and .. */ +
+ psrch_inf->entries_in_buffer;
++ lnoff = le16_to_cpu(parms->LastNameOffset);
++ if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <
++ lnoff) {
++ cERROR(1, ("ignoring corrupt resume name"));
++ psrch_inf->last_entry = NULL;
++ return rc;
++ }
++
+ psrch_inf->last_entry = psrch_inf->srch_entries_start +
+- le16_to_cpu(parms->LastNameOffset);
++ lnoff;
++
+ *pnetfid = parms->SearchHandle;
+ } else {
+ cifs_buf_release(pSMB);
+@@ -3727,6 +3738,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
+ rc = validate_t2((struct smb_t2_rsp *)pSMBr);
+
+ if (rc == 0) {
++ unsigned int lnoff;
++
+ /* BB fixme add lock for file (srch_info) struct here */
+ if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
+ psrch_inf->unicode = true;
+@@ -3753,8 +3766,16 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
+ le16_to_cpu(parms->SearchCount);
+ psrch_inf->index_of_last_entry +=
+ psrch_inf->entries_in_buffer;
+- psrch_inf->last_entry = psrch_inf->srch_entries_start +
+- le16_to_cpu(parms->LastNameOffset);
++ lnoff = le16_to_cpu(parms->LastNameOffset);
++ if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <
++ lnoff) {
++ cERROR(1, ("ignoring corrupt resume name"));
++ psrch_inf->last_entry = NULL;
++ return rc;
++ } else
++ psrch_inf->last_entry =
++ psrch_inf->srch_entries_start + lnoff;
++
+ /* cFYI(1,("fnxt2 entries in buf %d index_of_last %d",
+ psrch_inf->entries_in_buffer, psrch_inf->index_of_last_entry)); */
+
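Review bot: In the CIFSFindFirst path the new early `return rc;` runs with `rc == 0` and sits before `*pnetfid = parms->SearchHandle;`, so a reply with an out-of-range `LastNameOffset` is reported as success while the caller's search handle is never written. Either assign `*pnetfid` before the `lnoff` check, or fall through with `last_entry = NULL` instead of returning. Separately, both checks bound `lnoff` by `maxBuf - MAX_CIFS_HDR_SIZE`, which reads as a configured maximum rather than the number of bytes the server actually sent, so an offset past the end of a short reply would presumably still pass. The subtraction could also wrap if `maxBuf` were ever smaller than the header constant, depending on types declared outside the hunk. Both functions start and end outside the hunks shown.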
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch)
@@ -0,0 +1,39 @@
+commit a364bc0b37f14ffd66c1f982af42990a9d77fa43
+Author: Jeff Layton <sfrench at us.ibm.com>
+Date: Tue Oct 21 14:42:13 2008 +0000
+
+ [CIFS] fix saving of resume key before CIFSFindNext
+
+ We recently fixed the cifs readdir code so that it saves the resume key
+ before calling CIFSFindNext. Unfortunately, this assumes that we have
+ just done a CIFSFindFirst (or FindNext) and have resume info to save.
+ This isn't necessarily the case. Fix the code to save resume info if we
+ had to reinitiate the search, and after a FindNext.
+
+ This fixes connectathon basic test6 against NetApp filers.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ CC: Stable <stable at kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 765adf1..58d5729 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -762,14 +762,15 @@ static int find_cifs_entry(const int xid, struct cifsTconInfo *pTcon,
+ rc));
+ return rc;
+ }
++ cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile);
+ }
+
+ while ((index_to_find >= cifsFile->srch_inf.index_of_last_entry) &&
+ (rc == 0) && !cifsFile->srch_inf.endOfSearch) {
+ cFYI(1, ("calling findnext2"));
+- cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile);
+ rc = CIFSFindNext(xid, pTcon, cifsFile->netfid,
+ &cifsFile->srch_inf);
++ cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile);
+ if (rc)
+ return -ENOENT;
+ }
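Review bot: `cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile)` is now called right after `CIFSFindNext` and before `if (rc)`, so it also runs on failed calls and on replies where `last_entry` is NULL. The other cifs patch added in this revision sets `psrch_inf->last_entry = NULL` and returns 0 when it rejects the server's offset. Whether `cifs_save_resume_key` tolerates a NULL entry is not visible here. A guard such as `if (cifsFile->srch_inf.last_entry)` in front of both new calls, with a comment that FindFirst/FindNext null the pointer on a malformed reply, would make the handling explicit. find_cifs_entry starts and ends outside the hunk.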
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch)
@@ -0,0 +1,59 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 28 Nov 2010 23:46:46 +0000
+Subject: [PATCH 2/2] dm: Deal with merge_bvec_fn in component devices better
+
+This is analogous to commit 627a2d3c29427637f4c5d31ccc7fcbd8d312cd71,
+which does the same for md-devices at the top of the stack. The
+following explanation is taken from that commit. Thanks to Neil Brown
+<neilb at suse.de> for the advice.
+
+If a component device has a merge_bvec_fn then as we never call it
+we must ensure we never need to. Currently this is done by setting
+max_sector to 1 PAGE, however this does not stop a bio being created
+with several sub-page iovecs that would violate the merge_bvec_fn.
+
+So instead set max_segments to 1 and set the segment boundary to the
+same as a page boundary to ensure there is only ever one single-page
+segment of IO requested at a time.
+
+This can particularly be an issue when 'xen' is used as it is
+known to submit multiple small buffers in a single bio.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/md/dm-table.c | 18 ++++++++----------
+ 1 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
+index 94116ea..186445d0 100644
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -506,17 +506,15 @@ void dm_set_device_limits(struct dm_target *ti, struct block_device *bdev)
+ rs->max_sectors =
+ min_not_zero(rs->max_sectors, q->max_sectors);
+
+- /* FIXME: Device-Mapper on top of RAID-0 breaks because DM
+- * currently doesn't honor MD's merge_bvec_fn routine.
+- * In this case, we'll force DM to use PAGE_SIZE or
+- * smaller I/O, just to be safe. A better fix is in the
+- * works, but add this for the time being so it will at
+- * least operate correctly.
++ /*
++ * Since we don't call merge_bvec_fn, we must never risk
++ * violating it, so limit max_phys_segments to 1 lying within
++ * a single page.
+ */
+- if (q->merge_bvec_fn)
+- rs->max_sectors =
+- min_not_zero(rs->max_sectors,
+- (unsigned int) (PAGE_SIZE >> 9));
++ if (q->merge_bvec_fn) {
++ rs->max_phys_segments = 1;
++ rs->seg_boundary_mask = PAGE_CACHE_SIZE - 1;
++ }
+
+ rs->max_phys_segments =
+ min_not_zero(rs->max_phys_segments,
+--
+1.7.2.3
+
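Review bot: `rs->seg_boundary_mask = PAGE_CACHE_SIZE - 1;` is a plain assignment, whereas the limits visible around it in dm_set_device_limits are accumulated with `min_not_zero`, so a tighter mask already recorded in `rs` would be overwritten. If that can happen, `rs->seg_boundary_mask = min_not_zero(rs->seg_boundary_mask, PAGE_CACHE_SIZE - 1);` keeps the stricter value; the operand types need checking against the declaration, which is outside the hunk. The new comment also names only `max_phys_segments` and should mention the segment-boundary limit as well. The function continues past the hunk.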
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch)
@@ -0,0 +1,45 @@
+commit 7404ccad11827e62290b0b4dc2dfe0b6ba70f8ad
+Author: Mikulas Patocka <mpatocka at redhat.com>
+Date: Tue Feb 16 18:42:55 2010 +0000
+
+ dm raid1: fail writes if errors are not handled and log fails
+
+ commit 5528d17de1cf1462f285c40ccaf8e0d0e4c64dc0 upstream.
+
+ If the mirror log fails when the handle_errors option was not selected
+ and there is no remaining valid mirror leg, writes return success even
+ though they weren't actually written to any device. This patch
+ completes them with EIO instead.
+
+ This code path is taken:
+ do_writes:
+ bio_list_merge(&ms->failures, &sync);
+ do_failures:
+ if (!get_valid_mirror(ms)) (false)
+ else if (errors_handled(ms)) (false)
+ else bio_endio(bio, 0);
+
+ The logic in do_failures is based on presuming that the write was already
+ tried: if it succeeded at least on one leg (without handle_errors) it
+ is reported as success.
+
+ Reference: https://bugzilla.redhat.com/show_bug.cgi?id=555197
+
+ Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
+ Signed-off-by: Alasdair G Kergon <agk at redhat.com>
+ Cc: maximilian attems <max at stro.at>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
+index 8fe418b..3520607 100644
+--- a/drivers/md/dm-raid1.c
++++ b/drivers/md/dm-raid1.c
+@@ -1198,7 +1198,7 @@ static void do_writes(struct mirror_set *ms, struct bio_list *writes)
+ /*
+ * Dispatch io.
+ */
+- if (unlikely(ms->log_failure)) {
++ if (unlikely(ms->log_failure) && errors_handled(ms)) {
+ spin_lock_irq(&ms->lock);
+ bio_list_merge(&ms->failures, &sync);
+ spin_unlock_irq(&ms->lock);
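Review bot: The new condition `if (unlikely(ms->log_failure) && errors_handled(ms))` in do_writes changes which writes are queued on `ms->failures`, but the `/* Dispatch io. */` comment above it does not say why. The reasoning from the commit message should sit beside the test, e.g. `/* queue on failures only when errors are handled; do_failures would otherwise complete untried writes as success */`. The else branch and the rest of do_writes are outside the hunk, so where the remaining writes go cannot be confirmed from here.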
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch)
@@ -0,0 +1,64 @@
+commit cd84420e6113dfd340ef8ae7f28a12347295748d
+Author: Josh Hunt <johunt at akamai.com>
+Date: Thu Feb 24 11:48:22 2011 +0100
+
+ ext2: Fix link count corruption under heavy link+rename load
+
+ commit e8a80c6f769dd4622d8b211b398452158ee60c0b upstream.
+
+ vfs_rename_other() does not lock renamed inode with i_mutex. Thus changing
+ i_nlink in a non-atomic manner (which happens in ext2_rename()) can corrupt
+ it as reported and analyzed by Josh.
+
+ In fact, there is no good reason to mess with i_nlink of the moved file.
+ We did it presumably to simulate linking into the new directory and unlinking
+ from an old one. But the practical effect of this is disputable because fsck
+ can possibly treat file as being properly linked into both directories without
+ writing any error which is confusing. So we just stop increment-decrement
+ games with i_nlink which also fixes the corruption.
+
+ CC: Al Viro <viro at ZenIV.linux.org.uk>
+ Signed-off-by: Josh Hunt <johunt at akamai.com>
+ Signed-off-by: Jan Kara <jack at suse.cz>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c
+index 80c97fd..fba953d 100644
+--- a/fs/ext2/namei.c
++++ b/fs/ext2/namei.c
+@@ -322,7 +322,6 @@ static int ext2_rename (struct inode * old_dir, struct dentry * old_dentry,
+ new_de = ext2_find_entry (new_dir, new_dentry, &new_page);
+ if (!new_de)
+ goto out_dir;
+- inode_inc_link_count(old_inode);
+ ext2_set_link(new_dir, new_de, new_page, old_inode);
+ new_inode->i_ctime = CURRENT_TIME_SEC;
+ if (dir_de)
+@@ -334,12 +333,9 @@ static int ext2_rename (struct inode * old_dir, struct dentry * old_dentry,
+ if (new_dir->i_nlink >= EXT2_LINK_MAX)
+ goto out_dir;
+ }
+- inode_inc_link_count(old_inode);
+ err = ext2_add_link(new_dentry, old_inode);
+- if (err) {
+- inode_dec_link_count(old_inode);
++ if (err)
+ goto out_dir;
+- }
+ if (dir_de)
+ inode_inc_link_count(new_dir);
+ }
+@@ -347,12 +343,11 @@ static int ext2_rename (struct inode * old_dir, struct dentry * old_dentry,
+ /*
+ * Like most other Unix systems, set the ctime for inodes on a
+ * rename.
+- * inode_dec_link_count() will mark the inode dirty.
+ */
+ old_inode->i_ctime = CURRENT_TIME_SEC;
++ mark_inode_dirty(old_inode);
+
+ ext2_delete_entry (old_de, old_page);
+- inode_dec_link_count(old_inode);
+
+ if (dir_de) {
+ ext2_set_link(old_inode, dir_de, dir_page, new_dir);
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch)
@@ -0,0 +1,38 @@
+commit 51da779c8cea43a029cf87f65dedd9a75fdc2fcb
+Author: Amir Goldstein <amir73il at gmail.com>
+Date: Sat Feb 26 22:40:19 2011 +0200
+
+ ext3: skip orphan cleanup on rocompat fs
+
+ commit ce654b37f87980d95f339080e4c3bdb2370bdf22 upstream.
+
+ Orphan cleanup is currently executed even if the file system has some
+ number of unknown ROCOMPAT features, which deletes inodes and frees
+ blocks, which could be very bad for some RO_COMPAT features.
+
+ This patch skips the orphan cleanup if it contains readonly compatible
+ features not known by this ext3 implementation, which would prevent
+ the fs from being mounted (or remounted) readwrite.
+
+ Signed-off-by: Amir Goldstein <amir73il at users.sf.net>
+ Signed-off-by: Jan Kara <jack at suse.cz>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/ext3/super.c b/fs/ext3/super.c
+index 810bf7c..d7c5c6b 100644
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -1362,6 +1362,13 @@ static void ext3_orphan_cleanup (struct super_block * sb,
+ return;
+ }
+
++ /* Check if feature set allows readwrite operations */
++ if (EXT3_HAS_RO_COMPAT_FEATURE(sb, ~EXT3_FEATURE_RO_COMPAT_SUPP)) {
++ printk(KERN_INFO "EXT3-fs: %s: Skipping orphan cleanup due to "
++ "unknown ROCOMPAT features\n", sb->s_id);
++ return;
++ }
++
+ if (EXT3_SB(sb)->s_mount_state & EXT3_ERROR_FS) {
+ if (es->s_last_orphan)
+ jbd_debug(1, "Errors on filesystem, "
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/libsas-fix-runaway-error-handler-problem (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/libsas-fix-runaway-error-handler-problem)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/libsas-fix-runaway-error-handler-problem Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/libsas-fix-runaway-error-handler-problem)
@@ -0,0 +1,30 @@
+commit 3f51182e8c7a3dc5415f4b31811f1fa1ab4d27e9
+Author: James Bottomley <James.Bottomley at suse.de>
+Date: Thu Jan 20 17:26:44 2011 -0600
+
+ libsas: fix runaway error handler problem
+
+ commit 9ee91f7fb550a4c82f82d9818e42493484c754af upstream.
+
+ libsas makes use of scsi_schedule_eh() but forgets to clear the
+ host_eh_scheduled flag in its error handling routine. Because of this,
+ the error handler thread never gets to sleep; it's constantly awake and
+ trying to run the error routine leading to console spew and inability to
+ run anything else (at least on a UP system). The fix is to clear the
+ flag as we splice the work queue.
+
+ Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
+index a8e3ef3..c8508ca 100644
+--- a/drivers/scsi/libsas/sas_scsi_host.c
++++ b/drivers/scsi/libsas/sas_scsi_host.c
+@@ -648,6 +648,7 @@ void sas_scsi_recover_host(struct Scsi_Host *shost)
+
+ spin_lock_irqsave(shost->host_lock, flags);
+ list_splice_init(&shost->eh_cmd_q, &eh_work_q);
++ shost->host_eh_scheduled = 0;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+
+ SAS_DPRINTK("Enter %s\n", __func__);
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch)
@@ -0,0 +1,219 @@
+From: NeilBrown <neilb at suse.de>
+Date: Mon, 8 Mar 2010 16:44:38 +1100
+Subject: [PATCH 1/2] md: deal with merge_bvec_fn in component devices better.
+
+commit 627a2d3c29427637f4c5d31ccc7fcbd8d312cd71 upstream.
+
+If a component device has a merge_bvec_fn then as we never call it
+we must ensure we never need to. Currently this is done by setting
+max_sector to 1 PAGE, however this does not stop a bio being created
+with several sub-page iovecs that would violate the merge_bvec_fn.
+
+So instead set max_segments to 1 and set the segment boundary to the
+same as a page boundary to ensure there is only ever one single-page
+segment of IO requested at a time.
+
+This can particularly be an issue when 'xen' is used as it is
+known to submit multiple small buffers in a single bio.
+
+Signed-off-by: NeilBrown <neilb at suse.de>
+Cc: stable at kernel.org
+[bwh: Backport to Linux 2.6.26]
+---
+ drivers/md/linear.c | 12 +++++++-----
+ drivers/md/multipath.c | 20 ++++++++++++--------
+ drivers/md/raid0.c | 13 +++++++------
+ drivers/md/raid1.c | 28 +++++++++++++++++-----------
+ drivers/md/raid10.c | 28 +++++++++++++++++-----------
+ 5 files changed, 60 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/md/linear.c b/drivers/md/linear.c
+index ec921f5..fe8508a 100644
+--- a/drivers/md/linear.c
++++ b/drivers/md/linear.c
+@@ -136,12 +136,14 @@ static linear_conf_t *linear_conf(mddev_t *mddev, int raid_disks)
+ blk_queue_stack_limits(mddev->queue,
+ rdev->bdev->bd_disk->queue);
+ /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ * violating it, so limit max_segments to 1 lying within
++ * a single page.
+ */
+- if (rdev->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- blk_queue_max_sectors(mddev->queue, PAGE_SIZE>>9);
++ if (rdev->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ disk->size = rdev->size;
+ conf->array_size += rdev->size;
+diff --git a/drivers/md/multipath.c b/drivers/md/multipath.c
+index e968116..67dd8a3 100644
+--- a/drivers/md/multipath.c
++++ b/drivers/md/multipath.c
+@@ -293,14 +293,16 @@ static int multipath_add_disk(mddev_t *mddev, mdk_rdev_t *rdev)
+ blk_queue_stack_limits(mddev->queue, q);
+
+ /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ * violating it, so limit ->max_segments to one, lying
++ * within a single page.
+ * (Note: it is very unlikely that a device with
+ * merge_bvec_fn will be involved in multipath.)
+ */
+- if (q->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- blk_queue_max_sectors(mddev->queue, PAGE_SIZE>>9);
++ if (q->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ conf->working_disks++;
+ mddev->degraded--;
+@@ -453,9 +455,11 @@ static int multipath_run (mddev_t *mddev)
+ /* as we don't honour merge_bvec_fn, we must never risk
+ * violating it, not that we ever expect a device with
+ * a merge_bvec_fn to be involved in multipath */
+- if (rdev->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- blk_queue_max_sectors(mddev->queue, PAGE_SIZE>>9);
++ if (rdev->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ if (!test_bit(Faulty, &rdev->flags))
+ conf->working_disks++;
+diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
+index 914c04d..b344e0e 100644
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -141,14 +141,15 @@ static int create_strip_zones (mddev_t *mddev)
+ blk_queue_stack_limits(mddev->queue,
+ rdev1->bdev->bd_disk->queue);
+ /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ * violating it, so limit ->max_segments to 1, lying within
++ * a single page.
+ */
+
+- if (rdev1->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- blk_queue_max_sectors(mddev->queue, PAGE_SIZE>>9);
+-
++ if (rdev1->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+ if (!smallest || (rdev1->size <smallest->size))
+ smallest = rdev1;
+ cnt++;
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index c610b94..360c079 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1109,13 +1109,17 @@ static int raid1_add_disk(mddev_t *mddev, mdk_rdev_t *rdev)
+
+ blk_queue_stack_limits(mddev->queue,
+ rdev->bdev->bd_disk->queue);
+- /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ /* as we don't honour merge_bvec_fn, we must
++ * never risk violating it, so limit
++ * ->max_segments to one lying with a single
++ * page, as a one page request is never in
++ * violation.
+ */
+- if (rdev->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- blk_queue_max_sectors(mddev->queue, PAGE_SIZE>>9);
++ if (rdev->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ p->head_position = 0;
+ rdev->raid_disk = mirror;
+@@ -1971,12 +1975,14 @@ static int run(mddev_t *mddev)
+ blk_queue_stack_limits(mddev->queue,
+ rdev->bdev->bd_disk->queue);
+ /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ * violating it, so limit ->max_segments to 1 lying within
++ * a single page, as a one page request is never in violation.
+ */
+- if (rdev->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- blk_queue_max_sectors(mddev->queue, PAGE_SIZE>>9);
++ if (rdev->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ disk->head_position = 0;
+ }
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index a71277b..bf7654d 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1135,13 +1135,17 @@ static int raid10_add_disk(mddev_t *mddev, mdk_rdev_t *rdev)
+
+ blk_queue_stack_limits(mddev->queue,
+ rdev->bdev->bd_disk->queue);
+- /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ /* as we don't honour merge_bvec_fn, we must
++ * never risk violating it, so limit
++ * ->max_segments to one lying with a single
++ * page, as a one page request is never in
++ * violation.
+ */
+- if (rdev->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- mddev->queue->max_sectors = (PAGE_SIZE>>9);
++ if (rdev->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ p->head_position = 0;
+ rdev->raid_disk = mirror;
+@@ -2107,12 +2111,14 @@ static int run(mddev_t *mddev)
+ blk_queue_stack_limits(mddev->queue,
+ rdev->bdev->bd_disk->queue);
+ /* as we don't honour merge_bvec_fn, we must never risk
+- * violating it, so limit ->max_sector to one PAGE, as
+- * a one page request is never in violation.
++ * violating it, so limit max_segments to 1 lying
++ * within a single page.
+ */
+- if (rdev->bdev->bd_disk->queue->merge_bvec_fn &&
+- mddev->queue->max_sectors > (PAGE_SIZE>>9))
+- mddev->queue->max_sectors = (PAGE_SIZE>>9);
++ if (rdev->bdev->bd_disk->queue->merge_bvec_fn) {
++ blk_queue_max_phys_segments(mddev->queue, 1);
++ blk_queue_segment_boundary(mddev->queue,
++ PAGE_CACHE_SIZE - 1);
++ }
+
+ disk->head_position = 0;
+ }
+--
+1.7.2.3
+
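Review bot: The rewritten comments are inconsistent across the eight call sites, and in raid1_add_disk and raid10_add_disk they read "lying with a single page" where "within" is meant. Those two, and the one in raid1's run(), also keep the old rationale "as a one page request is never in violation", which the patch description contradicts: a one-page bio built from several sub-page iovecs can still violate merge_bvec_fn. The comments name `->max_segments` while the backported code calls `blk_queue_max_phys_segments()`. I would use one wording everywhere, e.g. `/* as we don't honour merge_bvec_fn, allow only one physical segment, lying within a single page */`. All of the enclosing functions start and end outside these hunks.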
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch)
@@ -0,0 +1,43 @@
+commit 2d43dcfb1bf7486f3208e8bb37e37fd41588353b
+Author: NeilBrown <neilb at suse.de>
+Date: Wed Jan 12 09:03:35 2011 +1100
+
+ md: fix regression with re-adding devices to arrays with no metadata
+
+ commit bf572541ab44240163eaa2d486b06f306a31d45a upstream.
+
+ Commit 1a855a0606 (2.6.37-rc4) fixed a problem where devices were
+ re-added when they shouldn't be but caused a regression in a less
+ common case that means sometimes devices cannot be re-added when they
+ should be.
+
+ In particular, when re-adding a device to an array without metadata
+ we should always access the device, but after the above commit we
+ didn't.
+
+ This patch sets the In_sync flag in that case so that the re-add
+ succeeds.
+
+ This patch is suitable for any -stable kernel to which 1a855a0606 was
+ applied.
+
+ Signed-off-by: NeilBrown <neilb at suse.de>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [dannf: adjusted to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/drivers/md/md.c linux-source-2.6.26/drivers/md/md.c
+--- linux-source-2.6.26.orig/drivers/md/md.c 2011-05-15 17:41:11.319677736 -0600
++++ linux-source-2.6.26/drivers/md/md.c 2011-05-15 17:42:40.684415518 -0600
+@@ -4146,9 +4146,10 @@ static int add_new_disk(mddev_t * mddev,
+ /* set saved_raid_disk if appropriate */
+ if (!mddev->persistent) {
+ if (info->state & (1<<MD_DISK_SYNC) &&
+- info->raid_disk < mddev->raid_disks)
++ info->raid_disk < mddev->raid_disks) {
+ rdev->raid_disk = info->raid_disk;
+- else
++ set_bit(In_sync, &rdev->flags);
++ } else
+ rdev->raid_disk = -1;
+ } else
+ super_types[mddev->major_version].
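Review bot: The new `set_bit(In_sync, &rdev->flags)` has no comment, and its purpose cannot be read from the visible lines of add_new_disk; only the patch description says it is there so that a re-add to an array without metadata succeeds. A one-line comment such as `/* no metadata to consult: trust MD_DISK_SYNC so the re-add is accepted */` would record that next to the code. On style, the if branch now has braces and the else does not; kernel style would brace both, i.e. `} else {` with a closing brace after `rdev->raid_disk = -1;`. The function body continues outside the hunk.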
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch)
@@ -0,0 +1,60 @@
+commit 69b74dfe7cc2022a2f2e0cf920f0c24e72c0d387
+Author: NeilBrown <neilb at suse.de>
+Date: Thu Dec 9 16:36:28 2010 +1100
+
+ md: fix bug with re-adding of partially recovered device.
+
+ commit 1a855a0606653d2d82506281e2c686bacb4b2f45 upstream.
+
+ With v0.90 metadata, a hot-spare does not become a full member of the
+ array until recovery is complete. So if we re-add such a device to
+ the array, we know that all of it is as up-to-date as the event count
+ would suggest, and so it a bitmap-based recovery is possible.
+
+ However with v1.x metadata, the hot-spare immediately becomes a full
+ member of the array, but it record how much of the device has been
+ recovered. If the array is stopped and re-assembled recovery starts
+ from this point.
+
+ When such a device is hot-added to an array we currently lose the 'how
+ much is recovered' information and incorrectly included it as a full
+ in-sync member (after bitmap-based fixup).
+ This is wrong and unsafe and could corrupt data.
+
+ So be more careful about setting saved_raid_disk - which is what
+ guides the re-adding of devices back into an array.
+ The new code matches the code in slot_store which does a similar
+ thing, which is encouraging.
+
+ This is suitable for any -stable kernel.
+
+ Reported-by: "Dailey, Nate" <Nate.Dailey at stratus.com>
+ Signed-off-by: NeilBrown <neilb at suse.de>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ Signed-off-by: Willy Tarreau <w at 1wt.eu>
+ [dannf: adjusted to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/drivers/md/md.c linux-source-2.6.26/drivers/md/md.c
+--- linux-source-2.6.26.orig/drivers/md/md.c 2011-01-24 22:55:29.000000000 -0700
++++ linux-source-2.6.26/drivers/md/md.c 2011-05-15 17:41:11.319677736 -0600
+@@ -4143,7 +4143,7 @@ static int add_new_disk(mddev_t * mddev,
+ PTR_ERR(rdev));
+ return PTR_ERR(rdev);
+ }
+- /* set save_raid_disk if appropriate */
++ /* set saved_raid_disk if appropriate */
+ if (!mddev->persistent) {
+ if (info->state & (1<<MD_DISK_SYNC) &&
+ info->raid_disk < mddev->raid_disks)
+@@ -4153,7 +4153,10 @@ static int add_new_disk(mddev_t * mddev,
+ } else
+ super_types[mddev->major_version].
+ validate_super(mddev, rdev);
+- rdev->saved_raid_disk = rdev->raid_disk;
++ if (test_bit(In_sync, &rdev->flags))
++ rdev->saved_raid_disk = rdev->raid_disk;
++ else
++ rdev->saved_raid_disk = -1;
+
+ clear_bit(In_sync, &rdev->flags); /* just to be sure */
+ if (info->state & (1<<MD_DISK_WRITEMOSTLY))
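Review bot: On its own this patch appears to stop arrays without persistent metadata from keeping their slot, because nothing in the visible `!mddev->persistent` branch sets In_sync before the new `test_bit(In_sync, &rdev->flags)`. That is the regression described by md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch in this same revision, so the two patches should be listed together and in that order in the series file, which is not visible here. The new test would also benefit from a comment, e.g. `/* only a fully in-sync device may keep its slot for a bitmap-based re-add */`. add_new_disk starts and ends outside both hunks.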
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-aio-fix-use-after-free.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfs-aio-fix-use-after-free.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-aio-fix-use-after-free.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfs-aio-fix-use-after-free.patch)
@@ -0,0 +1,100 @@
+commit bd85a2d1f15bce9b1ae6789eba52f7340d604936
+Author: Chuck Lever <chuck.lever at oracle.com>
+Date: Fri Jan 21 15:54:57 2011 +0000
+
+ NFS: Fix "kernel BUG at fs/aio.c:554!"
+
+ commit 839f7ad6932d95f4d5ae7267b95c574714ff3d5b upstream.
+
+ Nick Piggin reports:
+
+ > I'm getting use after frees in aio code in NFS
+ >
+ > [ 2703.396766] Call Trace:
+ > [ 2703.396858] [<ffffffff8100b057>] ? native_sched_clock+0x27/0x80
+ > [ 2703.396959] [<ffffffff8108509e>] ? put_lock_stats+0xe/0x40
+ > [ 2703.397058] [<ffffffff81088348>] ? lock_release_holdtime+0xa8/0x140
+ > [ 2703.397159] [<ffffffff8108a2a5>] lock_acquire+0x95/0x1b0
+ > [ 2703.397260] [<ffffffff811627db>] ? aio_put_req+0x2b/0x60
+ > [ 2703.397361] [<ffffffff81039701>] ? get_parent_ip+0x11/0x50
+ > [ 2703.397464] [<ffffffff81612a31>] _raw_spin_lock_irq+0x41/0x80
+ > [ 2703.397564] [<ffffffff811627db>] ? aio_put_req+0x2b/0x60
+ > [ 2703.397662] [<ffffffff811627db>] aio_put_req+0x2b/0x60
+ > [ 2703.397761] [<ffffffff811647fe>] do_io_submit+0x2be/0x7c0
+ > [ 2703.397895] [<ffffffff81164d0b>] sys_io_submit+0xb/0x10
+ > [ 2703.397995] [<ffffffff8100307b>] system_call_fastpath+0x16/0x1b
+ >
+ > Adding some tracing, it is due to nfs completing the request then
+ > returning something other than -EIOCBQUEUED, so aio.c
+ > also completes the request.
+
+ To address this, prevent the NFS direct I/O engine from completing
+ async iocbs when the forward path returns an error without starting
+ any I/O.
+
+ This fix appears to survive ^C during both "xfstest no. 208" and "fsx
+ -Z."
+
+ It's likely this bug has existed for a very long while, as we are seeing
+ very similar symptoms in OEL 5. Copying stable.
+
+ Signed-off-by: Chuck Lever <chuck.lever at oracle.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
+index 8a5c1d5..72204b8 100644
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -397,15 +397,18 @@ static ssize_t nfs_direct_read_schedule_iovec(struct nfs_direct_req *dreq,
+ pos += vec->iov_len;
+ }
+
++ /*
++ * If no bytes were started, return the error, and let the
++ * generic layer handle the completion.
++ */
++ if (requested_bytes == 0) {
++ nfs_direct_req_release(dreq);
++ return result < 0 ? result : -EIO;
++ }
++
+ if (put_dreq(dreq))
+ nfs_direct_complete(dreq);
+-
+- if (requested_bytes != 0)
+- return 0;
+-
+- if (result < 0)
+- return result;
+- return -EIO;
++ return 0;
+ }
+
+ static ssize_t nfs_direct_read(struct kiocb *iocb, const struct iovec *iov,
+@@ -817,15 +820,18 @@ static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq,
+ pos += vec->iov_len;
+ }
+
++ /*
++ * If no bytes were started, return the error, and let the
++ * generic layer handle the completion.
++ */
++ if (requested_bytes == 0) {
++ nfs_direct_req_release(dreq);
++ return result < 0 ? result : -EIO;
++ }
++
+ if (put_dreq(dreq))
+ nfs_direct_write_complete(dreq, dreq->inode);
+-
+- if (requested_bytes != 0)
+- return 0;
+-
+- if (result < 0)
+- return result;
+- return -EIO;
++ return 0;
+ }
+
+ static ssize_t nfs_direct_write(struct kiocb *iocb, const struct iovec *iov,
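Review bot: The added comment in nfs_direct_read_schedule_iovec, and its twin in nfs_direct_write_schedule_iovec, says the generic layer handles completion but not why `nfs_direct_req_release(dreq)` replaces the `put_dreq()` / `nfs_direct_complete()` pair on this path, which is the actual fix for the double completion. I would extend it with a sentence such as `Drop this reference without completing the iocb, so it is completed exactly once by the generic aio code.` Because this is a backport, the reference balance should also be checked against the 2.6.26 callers nfs_direct_read and nfs_direct_write, whose bodies are outside the hunks. An extra or missing release there would turn the fix into a leak or a second use-after-free.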
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch)
@@ -0,0 +1,30 @@
+commit fb35bcad2fe725cace7d25e03952ecd1a46da557
+Author: J. R. Okajima <hooanon05 at yahoo.co.jp>
+Date: Wed Aug 11 13:10:16 2010 -0400
+
+ NFS: fix the return value of nfs_file_fsync()
+
+ commit 0702099bd86c33c2dcdbd3963433a61f3f503901 upstream.
+
+ By the commit af7fa16 2010-08-03 NFS: Fix up the fsync code
+ close(2) became returning the non-zero value even if it went well.
+ nfs_file_fsync() should return 0 when "status" is positive.
+
+ Signed-off-by: J. R. Okajima <hooanon05 at yahoo.co.jp>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/nfs/file.c b/fs/nfs/file.c
+index e5a0874..7e11f13 100644
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -218,7 +218,7 @@ static int nfs_do_fsync(struct nfs_open_context *ctx, struct inode *inode)
+ have_error |= test_bit(NFS_CONTEXT_ERROR_WRITE, &ctx->flags);
+ if (have_error)
+ ret = xchg(&ctx->error, 0);
+- if (!ret)
++ if (!ret && status < 0)
+ ret = status;
+ return ret;
+ }
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch)
@@ -0,0 +1,36 @@
+commit 3bfbc5f759cae3e0c227d627ee76e9e6d5f6fb49
+Author: Konstantin Khorenko <khorenko at parallels.com>
+Date: Tue Feb 1 17:16:29 2011 +0300
+
+ NFSD: memory corruption due to writing beyond the stat array
+
+ commit 3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124 upstream.
+
+ If nfsd fails to find an exported via NFS file in the readahead cache, it
+ should increment corresponding nfsdstats counter (ra_depth[10]), but due to a
+ bug it may instead write to ra_depth[11], corrupting the following field.
+
+ In a kernel with NFSDv4 compiled in the corruption takes the form of an
+ increment of a counter of the number of NFSv4 operation 0's received; since
+ there is no operation 0, this is harmless.
+
+ In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the
+ memory beyond nfsdstats.
+
+ Signed-off-by: Konstantin Khorenko <khorenko at openvz.org>
+ Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index ac31e0c..81284c6 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -805,7 +805,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino)
+ if (ra->p_count == 0)
+ frap = rap;
+ }
+- depth = nfsdstats.ra_size*11/10;
++ depth = nfsdstats.ra_size;
+ if (!frap) {
+ spin_unlock(&rab->pb_lock);
+ return NULL;
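Review bot: `depth = nfsdstats.ra_size;` carries no comment, and the reason for the value is found only in the patch description: on a cache miss the counter to hit is ra_depth[10], the last slot, and the old initial value could reach ra_depth[11]. The index computed from depth lies outside the hunk, so I would document the invariant where depth is set, e.g. `/* miss: depth == ra_size must index the last ra_depth[] slot, never past it */`. It is also worth confirming, in the part of nfsd_get_raparms not shown here, that no other path can leave depth above ra_size.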
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch)
@@ -0,0 +1,39 @@
+commit 95dbe336d30e9356c20fc37f6351a0d0c17ad790
+Author: dann frazier <dann.frazier at canonical.com>
+Date: Thu Nov 18 15:03:09 2010 -0700
+
+ ocfs2_connection_find() returns pointer to bad structure
+
+ commit 226291aa4641fa13cb5dec3bcb3379faa83009e2 upstream.
+
+ If ocfs2_live_connection_list is empty, ocfs2_connection_find() will return
+ a pointer to the LIST_HEAD, cast as a ocfs2_live_connection. This can cause
+ an oops when ocfs2_control_send_down() dereferences c->oc_conn:
+
+ Call Trace:
+ [<ffffffffa00c2a3c>] ocfs2_control_message+0x28c/0x2b0 [ocfs2_stack_user]
+ [<ffffffffa00c2a95>] ocfs2_control_write+0x35/0xb0 [ocfs2_stack_user]
+ [<ffffffff81143a88>] vfs_write+0xb8/0x1a0
+ [<ffffffff8155cc13>] ? do_page_fault+0x153/0x3b0
+ [<ffffffff811442f1>] sys_write+0x51/0x80
+ [<ffffffff810121b2>] system_call_fastpath+0x16/0x1b
+
+ Fix by explicitly returning NULL if no match is found.
+
+ Signed-off-by: dann frazier <dann.frazier at canonical.com>
+ Signed-off-by: Joel Becker <joel.becker at oracle.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/ocfs2/stack_user.c b/fs/ocfs2/stack_user.c
+index 353fc35..2179c7d 100644
+--- a/fs/ocfs2/stack_user.c
++++ b/fs/ocfs2/stack_user.c
+@@ -190,7 +190,7 @@ static struct ocfs2_live_connection *ocfs2_connection_find(const char *name)
+ return c;
+ }
+
+- return c;
++ return NULL;
+ }
+
+ /*
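Review bot: Returning NULL from ocfs2_connection_find is only safe if every caller tests the result, and no caller is visible in this hunk. The description names ocfs2_control_send_down(), reached through a write to the control device, as the path that dereferenced the bogus pointer. That caller, and any other in stack_user.c of this 2.6.26 tree, should be checked for a NULL guard before the result is used. A short function comment such as `/* Returns the matching connection, or NULL if none is live. */` would make the contract explicit. The function starts outside the hunk.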
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch)
@@ -0,0 +1,45 @@
+commit 8c4cabbf2516c203b76eeef04d03b260aeb6a941
+Author: Tejun Heo <tj at kernel.org>
+Date: Thu Feb 10 15:01:22 2011 -0800
+
+ ptrace: use safer wake up on ptrace_detach()
+
+ commit 01e05e9a90b8f4c3997ae0537e87720eb475e532 upstream.
+
+ The wake_up_process() call in ptrace_detach() is spurious and not
+ interlocked with the tracee state. IOW, the tracee could be running or
+ sleeping in any place in the kernel by the time wake_up_process() is
+ called. This can lead to the tracee waking up unexpectedly which can be
+ dangerous.
+
+ The wake_up is spurious and should be removed but for now reduce its
+ toxicity by only waking up if the tracee is in TRACED or STOPPED state.
+
+ This bug can possibly be used as an attack vector. I don't think it
+ will take too much effort to come up with an attack which triggers oops
+ somewhere. Most sleeps are wrapped in condition test loops and should
+ be safe but we have quite a number of places where sleep and wakeup
+ conditions are expected to be interlocked. Although the window of
+ opportunity is tiny, ptrace can be used by non-privileged users and with
+ some loading the window can definitely be extended and exploited.
+
+ Signed-off-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 85c1983..e194cd1 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -213,7 +213,7 @@ static inline void __ptrace_detach(struct task_struct *child, unsigned int data)
+ __ptrace_unlink(child);
+ /* .. and wake it up. */
+ if (child->exit_state != EXIT_ZOMBIE)
+- wake_up_process(child);
++ wake_up_state(child, TASK_TRACED | TASK_STOPPED);
+ }
+
+ int ptrace_detach(struct task_struct *child, unsigned int data)
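Review bot: The comment `/* .. and wake it up. */` above the changed line no longer matches the code, because `wake_up_state(child, TASK_TRACED | TASK_STOPPED)` wakes the child only when it is in one of those two states. I would change it to `/* .. and wake it up, but only if it is still TRACED or STOPPED. */`. The description says the wake-up is spurious and should eventually be removed, so mentioning that in the comment would keep the intent visible in this backported tree.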
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch)
@@ -0,0 +1,31 @@
+From: Ivo van Doorn <ivdoorn at gmail.com>
+Date: Sun, 20 Jul 2008 18:03:58 +0200
+Subject: [PATCH] rt2x00: Fix memleak when RTS/CTS fails
+
+commit e7087a828f8714e464fff18d93618727530dfd89 upstream.
+
+When sending the RTS/CTS frame fails, we should
+free the skb buffer which was created.
+
+Signed-off-by: Ivo van Doorn <IvDoorn at gmail.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+[bwh: Adjust context for 2.6.26]
+---
+ drivers/net/wireless/rt2x00/rt2x00mac.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
+index 802ddba..591e0ed 100644
+--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
+@@ -69,6 +69,7 @@ static int rt2x00mac_tx_rts_cts(struct rt2x00_dev *rt2x00dev,
+ skbdesc->flags |= FRAME_DESC_DRIVER_GENERATED;
+
+ if (rt2x00dev->ops->lib->write_tx_data(rt2x00dev, queue, skb, control)) {
++ dev_kfree_skb_any(skb);
+ WARNING(rt2x00dev, "Failed to send RTS/CTS frame.\n");
+ return NETDEV_TX_BUSY;
+ }
+--
+1.7.2.3
+
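Review bot: Freeing the skb in the failure branch of rt2x00mac_tx_rts_cts is correct only if `write_tx_data()` neither frees the buffer nor keeps a pointer to it when it returns non-zero, and that callback is not visible here. For the 2.6.26 backport I would confirm this in each driver's implementation, since the opposite would turn the leak fix into a double free. A comment such as `/* write_tx_data() failed and did not take ownership of skb */` would record the assumption. The function starts and ends outside the hunk.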
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch)
@@ -0,0 +1,22 @@
+commit 66f6339311a6f6c314219f74867799320e83a4fd
+Author: dann frazier <dannf at debian.org>
+Date: Mon Sep 19 21:26:32 2011 -0600
+
+ Remove unintentional call to perf_event_mmap()
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index acb42df..0b18249 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1628,10 +1628,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ error = -ENOMEM;
+ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
+ error = acct_stack_growth(vma, size, grow);
+- if (!error) {
++ if (!error)
+ vma->vm_end = address;
+- perf_event_mmap(vma);
+- }
+ }
+ }
+ anon_vma_unlock(vma);
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch)
@@ -0,0 +1,32 @@
+commit a88dfcc1c22750be6ea3283ae08e20019c876234
+Author: Dan Carpenter <error27 at gmail.com>
+Date: Thu Mar 3 17:56:06 2011 +0100
+
+ keyboard: integer underflow bug
+
+ commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream.
+
+ The "ct" variable should be an unsigned int. Both struct kbdiacrs
+ ->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.
+
+ Making it signed causes a problem in KBDIACRUC because the user could
+ set the signed bit and cause a buffer overflow.
+
+ Signed-off-by: Dan Carpenter <error27 at gmail.com>
+ Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c
+index cee4d4e..1160fca 100644
+--- a/drivers/s390/char/keyboard.c
++++ b/drivers/s390/char/keyboard.c
+@@ -462,7 +462,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+ void __user *argp;
+- int ct, perm;
++ unsigned int ct;
++ int perm;
+
+ argp = (void __user *)arg;
+
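Review bot: Making `ct` unsigned fixes the sign problem only together with the upper-bound test applied to it later in kbd_ioctl, which is outside this hunk. It is worth confirming in the 2.6.26 source that every ioctl case reading `ct` from user space compares it with the table limit before using it as a copy length, and that no remaining comparison mixes it with a signed value. A comment at the declaration, e.g. `/* unsigned: user-supplied count, bounds-checked before any copy */`, would explain why the type matters.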
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch)
@@ -0,0 +1,37 @@
+commit 166e7fface1b580cffb17363eab47d59e4d07147
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Fri Feb 4 15:23:56 2011 +0300
+
+ platform: x86: acer-wmi: world-writable sysfs threeg file
+
+ commit b80b168f918bba4b847e884492415546b340e19d upstream.
+
+ Don't allow everybody to write to hardware registers.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Matthew Garrett <mjg at redhat.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [wt: also fixed permission on interface]
+
+diff --git a/drivers/misc/acer-wmi.c b/drivers/misc/acer-wmi.c
+index d8b0d32..aca21f7 100644
+--- a/drivers/misc/acer-wmi.c
++++ b/drivers/misc/acer-wmi.c
+@@ -957,7 +957,7 @@ set_bool_##value(struct device *dev, struct device_attribute *attr, \
+ return -EINVAL; \
+ return count; \
+ } \
+-static DEVICE_ATTR(value, S_IWUGO | S_IRUGO | S_IWUSR, \
++static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, \
+ show_bool_##value, set_bool_##value);
+
+ show_set_bool(wireless, ACER_CAP_WIRELESS);
+@@ -982,7 +982,7 @@ static ssize_t show_interface(struct device *dev, struct device_attribute *attr,
+ }
+ }
+
+-static DEVICE_ATTR(interface, S_IWUGO | S_IRUGO | S_IWUSR,
++static DEVICE_ATTR(interface, S_IRUGO | S_IWUSR,
+ show_interface, NULL);
+
+ /*
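Review bot: In the second inner hunk the `interface` attribute is registered with a NULL store handler, so the `S_IWUSR` bit left in its mode advertises a write path that does not exist. The mode should be read-only: `static DEVICE_ATTR(interface, S_IRUGO, show_interface, NULL);`. The `S_IRUGO | S_IWUSR` mode in the first inner hunk is appropriate, since the macro pairs it with a `set_bool_##value` handler. Both the macro and show_interface begin outside the hunks.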
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/asus_acpi-world-writeable-procfs-files.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/asus_acpi-world-writeable-procfs-files.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/asus_acpi-world-writeable-procfs-files.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/asus_acpi-world-writeable-procfs-files.patch)
@@ -0,0 +1,36 @@
+commit ad2696852ffe240fbe4d88cbfd9e1ee890cff7aa
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Fri Feb 4 15:23:59 2011 +0300
+
+ platform: x86: asus_acpi: world-writable procfs files
+
+ commit 8040835760adf0ef66876c063d47f79f015fb55d upstream.
+
+ Don't allow everybody to change ACPI settings. The comment says that it
+ is done deliberatelly, however, the comment before disp_proc_write()
+ says that at least one of these setting is experimental.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Matthew Garrett <mjg at redhat.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/acpi/asus_acpi.c b/drivers/acpi/asus_acpi.c
+index e2ab023..0037320 100644
+--- a/drivers/acpi/asus_acpi.c
++++ b/drivers/acpi/asus_acpi.c
+@@ -985,14 +985,8 @@ static int asus_hotk_add_fs(struct acpi_device *device)
+ struct proc_dir_entry *proc;
+ mode_t mode;
+
+- /*
+- * If parameter uid or gid is not changed, keep the default setting for
+- * our proc entries (-rw-rw-rw-) else, it means we care about security,
+- * and then set to -rw-rw----
+- */
+-
+ if ((asus_uid == 0) && (asus_gid == 0)) {
+- mode = S_IFREG | S_IRUGO | S_IWUGO;
++ mode = S_IFREG | S_IRUGO | S_IWUSR | S_IWGRP;
+ } else {
+ mode = S_IFREG | S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP;
+ printk(KERN_WARNING " asus_uid and asus_gid parameters are "
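Review bot: After this change the two branches of the `asus_uid`/`asus_gid` test differ only in the world-read bits, and the removed comment leaves no explanation of why the default case still grants group write and world read. I would add a replacement comment above the `if`, e.g. `/* defaults (uid 0, gid 0): world-readable, writable by owner and group only; with asus_uid/asus_gid set, drop world read too */`. Whether world-readable state is acceptable for every proc entry created with this mode cannot be judged here, because asus_hotk_add_fs starts and ends outside the hunk.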
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch)
@@ -0,0 +1,77 @@
+commit 89296f1f0b4ad37daa78859155708f1cbb568d15
+Author: Shaohua Li <shaohua.li at intel.com>
+Date: Wed Mar 16 11:37:29 2011 +0800
+
+ x86: Flush TLB if PGD entry is changed in i386 PAE mode
+
+ commit 4981d01eada5354d81c8929d5b2836829ba3df7b upstream.
+
+ According to intel CPU manual, every time PGD entry is changed in i386 PAE
+ mode, we need do a full TLB flush. Current code follows this and there is
+ comment for this too in the code.
+
+ But current code misses the multi-threaded case. A changed page table
+ might be used by several CPUs, every such CPU should flush TLB. Usually
+ this isn't a problem, because we prepopulate all PGD entries at process
+ fork. But when the process does munmap and follows new mmap, this issue
+ will be triggered.
+
+ When it happens, some CPUs keep doing page faults:
+
+ http://marc.info/?l=linux-kernel&m=129915020508238&w=2
+
+ Reported-by: Yasunori Goto<y-goto at jp.fujitsu.com>
+ Tested-by: Yasunori Goto<y-goto at jp.fujitsu.com>
+ Reviewed-by: Rik van Riel <riel at redhat.com>
+ Signed-off-by: Shaohua Li<shaohua.li at intel.com>
+ Cc: Mallick Asit K <asit.k.mallick at intel.com>
+ Cc: Linus Torvalds <torvalds at linux-foundation.org>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Cc: linux-mm <linux-mm at kvack.org>
+ LKML-Reference: <1300246649.2337.95.camel at sli10-conroe>
+ Signed-off-by: Ingo Molnar <mingo at elte.hu>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [dannf: adjusted to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/mm/pgtable.c linux-source-2.6.26/arch/x86/mm/pgtable.c
+--- linux-source-2.6.26.orig/arch/x86/mm/pgtable.c 2011-01-24 22:55:27.000000000 -0700
++++ linux-source-2.6.26/arch/x86/mm/pgtable.c 2011-05-15 17:52:48.497318444 -0600
+@@ -193,8 +193,7 @@ void pud_populate(struct mm_struct *mm,
+ * section 8.1: in PAE mode we explicitly have to flush the
+ * TLB via cr3 if the top-level pgd is changed...
+ */
+- if (mm == current->active_mm)
+- write_cr3(read_cr3());
++ flush_tlb_mm(mm);
+ }
+ #else /* !CONFIG_X86_PAE */
+ /* No need to prepopulate any pagetable entries in non-PAE modes. */
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/pgtable-3level.h linux-source-2.6.26/include/asm-x86/pgtable-3level.h
+--- linux-source-2.6.26.orig/include/asm-x86/pgtable-3level.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-x86/pgtable-3level.h 2011-05-15 17:52:48.497318444 -0600
+@@ -101,8 +101,6 @@ static inline void native_pmd_clear(pmd_
+
+ static inline void pud_clear(pud_t *pudp)
+ {
+- unsigned long pgd;
+-
+ set_pud(pudp, __pud(0));
+
+ /*
+@@ -111,13 +109,10 @@ static inline void pud_clear(pud_t *pudp
+ * section 8.1: in PAE mode we explicitly have to flush the
+ * TLB via cr3 if the top-level pgd is changed...
+ *
+- * Make sure the pud entry we're updating is within the
+- * current pgd to avoid unnecessary TLB flushes.
++ * Currently all places where pud_clear() is called either have
++ * flush_tlb_mm() followed or don't need TLB flush (x86_64 code or
++ * pud_clear_bad()), so we don't need TLB flush here.
+ */
+- pgd = read_cr3();
+- if (__pa(pudp) >= pgd && __pa(pudp) <
+- (pgd + sizeof(pgd_t)*PTRS_PER_PGD))
+- write_cr3(pgd);
+ }
+
+ #define pud_page(pud) ((struct page *) __va(pud_val(pud) & PTE_MASK))
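Review bot: pud_clear() in pgtable-3level.h no longer flushes and relies on the new comment's claim that every caller follows with flush_tlb_mm(). That claim was written for the upstream tree, and this patch is marked as adjusted for Debian's 2.6.26, so the caller audit should be confirmed against this tree. Nothing in the code enforces the requirement, so a caller that omits the flush could leave stale translations in place on PAE. The comment above `flush_tlb_mm(mm);` in pud_populate() still speaks of flushing "via cr3" and could gain a line such as `/* flush on every CPU using this mm, not only the current one */`. pud_populate's body begins outside its hunk.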
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch)
@@ -0,0 +1,95 @@
+commit 999fd584fe18a07364399f8c71e13eb8aa74e054
+Author: Suresh Siddha <suresh.b.siddha at intel.com>
+Date: Thu Feb 3 12:20:04 2011 -0800
+
+ x86, mm: avoid possible bogus tlb entries by clearing prev mm_cpumask after switching mm
+
+ commit 831d52bc153971b70e64eccfbed2b232394f22f8 upstream.
+
+ Clearing the cpu in prev's mm_cpumask early will avoid the flush tlb
+ IPI's while the cr3 is still pointing to the prev mm. And this window
+ can lead to the possibility of bogus TLB fills resulting in strange
+ failures. One such problematic scenario is mentioned below.
+
+ T1. CPU-1 is context switching from mm1 to mm2 context and got a NMI
+ etc between the point of clearing the cpu from the mm_cpumask(mm1)
+ and before reloading the cr3 with the new mm2.
+
+ T2. CPU-2 is tearing down a specific vma for mm1 and will proceed with
+ flushing the TLB for mm1. It doesn't send the flush TLB to CPU-1
+ as it doesn't see that cpu listed in the mm_cpumask(mm1).
+
+ T3. After the TLB flush is complete, CPU-2 goes ahead and frees the
+ page-table pages associated with the removed vma mapping.
+
+ T4. CPU-2 now allocates those freed page-table pages for something
+ else.
+
+ T5. As the CR3 and TLB caches for mm1 is still active on CPU-1, CPU-1
+ can potentially speculate and walk through the page-table caches
+ and can insert new TLB entries. As the page-table pages are
+ already freed and being used on CPU-2, this page walk can
+ potentially insert a bogus global TLB entry depending on the
+ (random) contents of the page that is being used on CPU-2.
+
+ T6. This bogus TLB entry being global will be active across future CR3
+ changes and can result in weird memory corruption etc.
+
+ To avoid this issue, for the prev mm that is handing over the cpu to
+ another mm, clear the cpu from the mm_cpumask(prev) after the cr3 is
+ changed.
+
+ Marking it for -stable, though we haven't seen any reported failure that
+ can be attributed to this.
+
+ Signed-off-by: Suresh Siddha <suresh.b.siddha at intel.com>
+ Acked-by: Ingo Molnar <mingo at elte.hu>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/include/asm-x86/mmu_context_32.h b/include/asm-x86/mmu_context_32.h
+index 824fc57..d275232 100644
+--- a/include/asm-x86/mmu_context_32.h
++++ b/include/asm-x86/mmu_context_32.h
+@@ -17,8 +17,6 @@ static inline void switch_mm(struct mm_struct *prev,
+ int cpu = smp_processor_id();
+
+ if (likely(prev != next)) {
+- /* stop flush ipis for the previous mm */
+- cpu_clear(cpu, prev->cpu_vm_mask);
+ #ifdef CONFIG_SMP
+ per_cpu(cpu_tlbstate, cpu).state = TLBSTATE_OK;
+ per_cpu(cpu_tlbstate, cpu).active_mm = next;
+@@ -28,6 +26,9 @@ static inline void switch_mm(struct mm_struct *prev,
+ /* Re-load page tables */
+ load_cr3(next->pgd);
+
++ /* stop flush ipis for the previous mm */
++ cpu_clear(cpu, prev->cpu_vm_mask);
++
+ /*
+ * load the LDT, if the LDT is different:
+ */
+diff --git a/include/asm-x86/mmu_context_64.h b/include/asm-x86/mmu_context_64.h
+index c700063..ffa3a24 100644
+--- a/include/asm-x86/mmu_context_64.h
++++ b/include/asm-x86/mmu_context_64.h
+@@ -16,8 +16,6 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ {
+ unsigned cpu = smp_processor_id();
+ if (likely(prev != next)) {
+- /* stop flush ipis for the previous mm */
+- cpu_clear(cpu, prev->cpu_vm_mask);
+ #ifdef CONFIG_SMP
+ write_pda(mmu_state, TLBSTATE_OK);
+ write_pda(active_mm, next);
+@@ -25,6 +23,9 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ cpu_set(cpu, next->cpu_vm_mask);
+ load_cr3(next->pgd);
+
++ /* stop flush ipis for the previous mm */
++ cpu_clear(cpu, prev->cpu_vm_mask);
++
+ if (unlikely(next->context.ldt != prev->context.ldt))
+ load_LDT_nolock(&next->context);
+ }
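Review bot: The relocated `cpu_clear(cpu, prev->cpu_vm_mask);` in both switch_mm() variants is correct only because it now follows `load_cr3(next->pgd)`, yet its comment still reads `/* stop flush ipis for the previous mm */` and says nothing about the ordering. The failure described in the commit message is silent memory corruption, so I would state the constraint at the call site, e.g. `/* must come after load_cr3(): clearing earlier lets a flush for prev skip this CPU while cr3 still points at prev */`. The same wording applies in mmu_context_32.h and mmu_context_64.h. Both functions extend beyond the hunks shown.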
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch)
@@ -0,0 +1,27 @@
+commit d6bac7d360ac2c8bb3e6a72ca3741c07785279f9
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Fri Feb 4 15:24:03 2011 +0300
+
+ platform: x86: tc1100-wmi: world-writable sysfs wireless and jogdial files
+
+ commit 8a6a142c1286797978e4db266d22875a5f424897 upstream.
+
+ Don't allow everybody to change WMI settings.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Matthew Garrett <mjg at redhat.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/misc/tc1100-wmi.c b/drivers/misc/tc1100-wmi.c
+index f25e4c9..84733f3 100644
+--- a/drivers/misc/tc1100-wmi.c
++++ b/drivers/misc/tc1100-wmi.c
+@@ -179,7 +179,7 @@ set_bool_##value(struct device *dev, struct device_attribute *attr, \
+ return -EINVAL; \
+ return count; \
+ } \
+-static DEVICE_ATTR(value, S_IWUGO | S_IRUGO | S_IWUSR, \
++static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, \
+ show_bool_##value, set_bool_##value);
+
+ show_set_bool(wireless, TC1100_INSTANCE_WIRELESS);
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch)
@@ -0,0 +1,32 @@
+commit c18fa2893211d4706911d90c8c64c291f08f33e5
+Author: Michael S. Tsirkin <mst at redhat.com>
+Date: Sun Nov 29 17:52:00 2009 +0200
+
+ virtio: set pci bus master enable bit
+
+ commit bc505f373979692d51a86d40925f77a8b09d17b9 upstream.
+
+ As all virtio devices perform DMA, we
+ must enable bus mastering for them to be
+ spec compliant.
+
+ This patch fixes hotplug of virtio devices
+ with Linux guests and qemu 0.11-0.12.
+
+ Tested-by: Alexander Graf <agraf at suse.de>
+ Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+ Cc: maximilian attems <max at stro.at>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c
+index c7dc37c..19150e7 100644
+--- a/drivers/virtio/virtio_pci.c
++++ b/drivers/virtio/virtio_pci.c
+@@ -347,6 +347,7 @@ static int __devinit virtio_pci_probe(struct pci_dev *pci_dev,
+ goto out_req_regions;
+
+ pci_set_drvdata(pci_dev, vp_dev);
++ pci_set_master(pci_dev);
+
+ /* we use the subsystem vendor/device id as the virtio vendor/device
+ * id. this allows us to use the same PCI vendor/device id for all
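Review bot: The added `pci_set_master(pci_dev);` in virtio_pci_probe has no comment, so the reason for it lives only in the commit message. A one-line comment such as `/* virtio devices perform DMA, so bus mastering must be enabled */` would keep it from being dropped as redundant. The probe function's error labels and the remove path are outside the hunk, so whether bus mastering is cleared again on failure or unbind cannot be checked from here.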
Copied: dists/lenny-security/linux-2.6/debian/patches/series/27 (from r18477, releases/linux-2.6/2.6.26-27/debian/patches/series/27)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27 Sun Jan 8 10:53:26 2012 (r18478, copy of r18477, releases/linux-2.6/2.6.26-27/debian/patches/series/27)
@@ -0,0 +1,25 @@
++ bugfix/all/md-deal-with-merge_bvec_fn-in-component-devices-bett.patch
++ bugfix/all/dm-Deal-with-merge_bvec_fn-in-component-devices-bett.patch
++ bugfix/all/rt2x00-Fix-memleak-when-RTS-CTS-fails.patch
++ bugfix/all/nfs-fix-the-return-value-of-nfs_file_fsync.patch
++ bugfix/all/ptrace-use-safer-wake-up-on-ptrace_detach.patch
++ bugfix/x86/mm-avoid-possible-bogus-tlb-entries-by-clearing-prev-mm_cpumask-after.patch
++ bugfix/all/dm-raid1-fail-writes-if-errors-are-not-handled-and-log-fails.patch
++ bugfix/x86/asus_acpi-world-writeable-procfs-files.patch
++ bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch
++ bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch
++ bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
++ bugfix/all/ext2-fix-link-count-corruption-under-heavy-link+rename-load.patch
++ bugfix/x86/virtio-set-pci-bus-master-enable-bit.patch
++ bugfix/s390/keyboard-integer-underflow-bug.patch
++ bugfix/all/ocfs2_connection_find-returns-pointer-to-bad-structure.patch
++ bugfix/all/libsas-fix-runaway-error-handler-problem
++ bugfix/all/nfs-aio-fix-use-after-free.patch
++ bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device.patch
++ bugfix/all/md-fix-bug-with-re-adding-of-partially-recovered-device-regression.patch
++ bugfix/x86/flush-tlb-if-pgd-entry-is-changed-in-pae-mode.patch
++ bugfix/all/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
++ bugfix/all/cciss-fix-lost-command-issue.patch
++ bugfix/all/cifs-check-that-last-search-entry-resume-key-is-valid.patch
++ bugfix/all/cifs-fix-saving-of-resume-key-before-CIFSFindNext.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion-regression.patch