[arch-commits] CVS update of core/base/kernel26 (pre-2.6.23.2.patch)

Tobias Powalowski tpowa at archlinux.org
Fri Nov 9 17:35:29 UTC 2007


    Date: Friday, November 9, 2007 @ 12:35:29
  Author: tpowa
    Path: /home/cvs-core/core/base/kernel26

   Added: pre-2.6.23.2.patch (1.1)

'upgpkg: added missing patch'


--------------------+
 pre-2.6.23.2.patch | 1051 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1051 insertions(+)


Index: core/base/kernel26/pre-2.6.23.2.patch
diff -u /dev/null core/base/kernel26/pre-2.6.23.2.patch:1.1
--- /dev/null	Fri Nov  9 12:35:29 2007
+++ core/base/kernel26/pre-2.6.23.2.patch	Fri Nov  9 12:35:28 2007
@@ -0,0 +1,1051 @@
+From 3aa416b07f0adf01c090baab26fb70c35ec17623 Mon Sep 17 00:00:00 2001
+From: Gregory Haskins <ghaskins at novell.com>
+Date: Thu, 11 Oct 2007 22:11:11 +0200
+Subject: [PATCH] lockdep: fix mismatched lockdep_depth/curr_chain_hash
+ It is possible for the current->curr_chain_key to become inconsistent with the
+ current index if the chain fails to validate.  The end result is that future
+ lock_acquire() operations may inadvertently fail to find a hit in the cache
+ resulting in a new node being added to the graph for every acquire.
+
+Signed-off-by: Gregory Haskins <ghaskins at novell.com>
+Signed-off-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Cc: Chuck Ebbert <cebbert at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ kernel/lockdep.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/lockdep.c
++++ b/kernel/lockdep.c
+@@ -1521,7 +1521,7 @@ cache_hit:
+ }
+ 
+ static int validate_chain(struct task_struct *curr, struct lockdep_map *lock,
+-	       	struct held_lock *hlock, int chain_head)
++	       	struct held_lock *hlock, int chain_head, u64 chain_key)
+ {
+ 	/*
+ 	 * Trylock needs to maintain the stack of held locks, but it
+@@ -1534,7 +1534,7 @@ static int validate_chain(struct task_st
+ 	 * graph_lock for us)
+ 	 */
+ 	if (!hlock->trylock && (hlock->check == 2) &&
+-			lookup_chain_cache(curr->curr_chain_key, hlock->class)) {
++			lookup_chain_cache(chain_key, hlock->class)) {
+ 		/*
+ 		 * Check whether last held lock:
+ 		 *
+@@ -1576,7 +1576,7 @@ static int validate_chain(struct task_st
+ #else
+ static inline int validate_chain(struct task_struct *curr,
+ 	       	struct lockdep_map *lock, struct held_lock *hlock,
+-		int chain_head)
++		int chain_head, u64 chain_key)
+ {
+ 	return 1;
+ }
+@@ -2450,11 +2450,11 @@ static int __lock_acquire(struct lockdep
+ 		chain_head = 1;
+ 	}
+ 	chain_key = iterate_chain_key(chain_key, id);
+-	curr->curr_chain_key = chain_key;
+ 
+-	if (!validate_chain(curr, lock, hlock, chain_head))
++	if (!validate_chain(curr, lock, hlock, chain_head, chain_key))
+ 		return 0;
+ 
++	curr->curr_chain_key = chain_key;
+ 	curr->lockdep_depth++;
+ 	check_chain_key(curr);
+ #ifdef CONFIG_DEBUG_LOCKDEP
+From ba02946a903015840ef672ccc9dc8620a7e83de6 Mon Sep 17 00:00:00 2001
+From: Kumar Gala <galak at kernel.crashing.org>
+Date: Thu, 11 Oct 2007 17:07:34 -0500
+Subject: POWERPC: Fix handling of stfiwx math emulation
+
+From: Kumar Gala <galak at kernel.crashing.org>
+
+patch ba02946a903015840ef672ccc9dc8620a7e83de6 in mainline
+
+Its legal for the stfiwx instruction to have RA = 0 as part of its
+effective address calculation.  This is illegal for all other XE
+form instructions.
+
+Add code to compute the proper effective address for stfiwx if
+RA = 0 rather than treating it as illegal.
+
+Signed-off-by: Kumar Gala <galak at kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/powerpc/math-emu/math.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/math-emu/math.c
++++ b/arch/powerpc/math-emu/math.c
+@@ -407,11 +407,16 @@ do_mathemu(struct pt_regs *regs)
+ 
+ 	case XE:
+ 		idx = (insn >> 16) & 0x1f;
+-		if (!idx)
+-			goto illegal;
+-
+ 		op0 = (void *)&current->thread.fpr[(insn >> 21) & 0x1f];
+-		op1 = (void *)(regs->gpr[idx] + regs->gpr[(insn >> 11) & 0x1f]);
++		if (!idx) {
++			if (((insn >> 1) & 0x3ff) == STFIWX)
++				op1 = (void *)(regs->gpr[(insn >> 11) & 0x1f]);
++			else
++				goto illegal;
++		} else {
++			op1 = (void *)(regs->gpr[idx] + regs->gpr[(insn >> 11) & 0x1f]);
++		}
++
+ 		break;
+ 
+ 	case XEU:
+From linville at tuxdriver.com  Wed Oct 31 07:42:39 2007
+From: "John W. Linville" <linville at tuxdriver.com>
+Date: Tue,  9 Oct 2007 22:46:35 -0400
+Subject: mac80211: filter locally-originated multicast frames
+To: stable at kernel.org
+Cc: "John W. Linville" <linville at tuxdriver.com>
+Message-ID: <1191984397477-git-send-email-linville at tuxdriver.com>
+
+
+From: John W. Linville <linville at tuxdriver.com>
+
+patch b331615722779b078822988843ddffd4eaec9f83 in mainline.
+
+In STA mode, the AP will echo our traffic.  This includes multicast
+traffic.
+
+Receiving these frames confuses some protocols and applications,
+notably IPv6 Duplicate Address Detection.
+
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+Acked-by: Michael Wu <flamingice at sourmilk.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/mac80211/ieee80211.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/ieee80211.c
++++ b/net/mac80211/ieee80211.c
+@@ -2836,9 +2836,10 @@ ieee80211_rx_h_data(struct ieee80211_txr
+ 		memcpy(dst, hdr->addr1, ETH_ALEN);
+ 		memcpy(src, hdr->addr3, ETH_ALEN);
+ 
+-		if (sdata->type != IEEE80211_IF_TYPE_STA) {
++		if (sdata->type != IEEE80211_IF_TYPE_STA ||
++		    (is_multicast_ether_addr(dst) &&
++		     !compare_ether_addr(src, dev->dev_addr)))
+ 			return TXRX_DROP;
+-		}
+ 		break;
+ 	case 0:
+ 		/* DA SA BSSID */
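Review bot: The combined condition in ieee80211_rx_h_data() now carries two unrelated drop reasons, and `!compare_ether_addr(src, dev->dev_addr)` is easy to misread as "addresses differ" because the helper returns 0 on a match. A short comment above the `if` would make the intent clear, for example `/* drop if not a STA interface, or if this is our own multicast frame echoed back by the AP */`. The function body starts and ends outside this hunk.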
+From linville at tuxdriver.com  Wed Oct 31 07:47:33 2007
+From: "John W. Linville" <linville at tuxdriver.com>
+Date: Tue,  9 Oct 2007 22:46:37 -0400
+Subject: libertas: more endianness breakage
+To: stable at kernel.org
+Cc: Al Viro <viro at zeniv.linux.org.uk>, "John W. Linville" <linville at tuxdriver.com>, Al Viro <viro at ftp.linux.org.uk>
+Message-ID: <11919843974173-git-send-email-linville at tuxdriver.com>
+
+
+From: Al Viro <viro at ftp.linux.org.uk>
+
+based on patch 8362cd413e8116306fafbaf414f0419db0595142 in mainline.
+
+	domain->header.len is le16 and has just been assigned
+cpu_to_le16(arithmetical expression).  And all fields of adapter->logmsg
+are __le32; not a single 16-bit among them...
+	That's incremental to the previous one
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Dan Williams <dcbw at redhat.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/net/wireless/libertas/11d.c  |    2 +-
+ drivers/net/wireless/libertas/wext.c |    8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/libertas/11d.c
++++ b/drivers/net/wireless/libertas/11d.c
+@@ -562,7 +562,7 @@ int libertas_cmd_802_11d_domain_info(wla
+ 		       nr_subband * sizeof(struct ieeetypes_subbandset));
+ 
+ 		cmd->size = cpu_to_le16(sizeof(pdomaininfo->action) +
+-					     domain->header.len +
++					     le16_to_cpu(domain->header.len) +
+ 					     sizeof(struct mrvlietypesheader) +
+ 					     S_DS_GEN);
+ 	} else {
+--- a/drivers/net/wireless/libertas/wext.c
++++ b/drivers/net/wireless/libertas/wext.c
+@@ -973,7 +973,7 @@ static struct iw_statistics *wlan_get_wi
+ 	/* Quality by TX errors */
+ 	priv->wstats.discard.retries = priv->stats.tx_errors;
+ 
+-	tx_retries = le16_to_cpu(adapter->logmsg.retry);
++	tx_retries = le32_to_cpu(adapter->logmsg.retry);
+ 
+ 	if (tx_retries > 75)
+ 		tx_qual = (90 - tx_retries) * POOR / 15;
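Review bot: The `tx_retries > 75` branch computes `(90 - tx_retries)`, which goes negative, or wraps if the variable is unsigned, once the counter exceeds 90, and `tx_retries` is now read from the full 32-bit `logmsg.retry` value. The declarations of `tx_retries` and `tx_qual` are outside this hunk, so the exact effect cannot be confirmed from here. An explicit upper branch ahead of this one, for example `if (tx_retries >= 90) tx_qual = 0; else if (tx_retries > 75) ...`, would keep the estimate in range, assuming 0 is the lowest quality value.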
+@@ -989,10 +989,10 @@ static struct iw_statistics *wlan_get_wi
+ 		    (PERFECT - VERY_GOOD) / 50 + VERY_GOOD;
+ 	quality = min(quality, tx_qual);
+ 
+-	priv->wstats.discard.code = le16_to_cpu(adapter->logmsg.wepundecryptable);
+-	priv->wstats.discard.fragment = le16_to_cpu(adapter->logmsg.rxfrag);
++	priv->wstats.discard.code = le32_to_cpu(adapter->logmsg.wepundecryptable);
++	priv->wstats.discard.fragment = le32_to_cpu(adapter->logmsg.rxfrag);
+ 	priv->wstats.discard.retries = tx_retries;
+-	priv->wstats.discard.misc = le16_to_cpu(adapter->logmsg.ackfailure);
++	priv->wstats.discard.misc = le32_to_cpu(adapter->logmsg.ackfailure);
+ 
+ 	/* Calculate quality */
+ 	priv->wstats.qual.qual = max(quality, (u32)100);
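Review bot: The unchanged last line of this hunk, `priv->wstats.qual.qual = max(quality, (u32)100);`, looks inverted: `max()` makes 100 the floor, so any computed quality below 100 is discarded and the reported value is never less than 100. If the intent is to cap the value at 100, which the preceding `quality = min(quality, tx_qual);` suggests, the line should read `priv->wstats.qual.qual = min(quality, (u32)100);`. The rest of wlan_get_wireless_stats() is outside the hunk, so confirm how `qual.qual` is consumed before changing it.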
+From linville at tuxdriver.com  Wed Oct 31 07:43:56 2007
+From: "John W. Linville" <linville at tuxdriver.com>
+Date: Tue,  9 Oct 2007 22:46:36 -0400
+Subject: libertas: fix endianness breakage
+To: stable at kernel.org
+Cc: Al Viro <viro at zeniv.linux.org.uk>, "John W. Linville" <linville at tuxdriver.com>, Al Viro <viro at ftp.linux.org.uk>
+Message-ID: <11919843971952-git-send-email-linville at tuxdriver.com>
+
+
+From: Al Viro <viro at ftp.linux.org.uk>
+
+patch 5707708111ca6c4e9a1160acffdc98a98d95e462 in mainline.
+
+	wep->keytype[] is u8
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Dan Williams <dcbw at redhat.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/net/wireless/libertas/cmd.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/libertas/cmd.c
++++ b/drivers/net/wireless/libertas/cmd.c
+@@ -185,14 +185,12 @@ static int wlan_cmd_802_11_set_wep(wlan_
+ 
+ 			switch (pkey->len) {
+ 			case KEY_LEN_WEP_40:
+-				wep->keytype[i] =
+-					cpu_to_le16(cmd_type_wep_40_bit);
++				wep->keytype[i] = cmd_type_wep_40_bit;
+ 				memmove(&wep->keymaterial[i], pkey->key,
+ 				        pkey->len);
+ 				break;
+ 			case KEY_LEN_WEP_104:
+-				wep->keytype[i] =
+-					cpu_to_le16(cmd_type_wep_104_bit);
++				wep->keytype[i] = cmd_type_wep_104_bit;
+ 				memmove(&wep->keymaterial[i], pkey->key,
+ 				        pkey->len);
+ 				break;
+From airlied at linux.ie  Wed Oct 31 08:00:29 2007
+From: Dave Airlie <airlied at linux.ie>
+Date: Tue, 16 Oct 2007 01:05:49 +0100 (IST)
+Subject: i915: fix vbl swap allocation size.
+To: stable at kernel.org
+Message-ID: <alpine.DEB.0.82.0710160104270.13104 at skynet.skynet.ie>
+
+From: Dave Airlie <airlied at linux.ie>
+
+This is upstream as 54583bf4efda79388fc13163e35c016c8bc5de81
+
+Oops...
+
+Signed-off-by: Dave Airlie <airlied at linux.ie>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/char/drm/i915_irq.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/drm/i915_irq.c
++++ b/drivers/char/drm/i915_irq.c
+@@ -553,7 +553,7 @@ int i915_vblank_swap(DRM_IOCTL_ARGS)
+ 		return DRM_ERR(EBUSY);
+ 	}
+ 
+-	vbl_swap = drm_calloc(1, sizeof(vbl_swap), DRM_MEM_DRIVER);
++	vbl_swap = drm_calloc(1, sizeof(*vbl_swap), DRM_MEM_DRIVER);
+ 
+ 	if (!vbl_swap) {
+ 		DRM_ERROR("Failed to allocate memory to queue swap\n");
+From khali at linux-fr.org  Wed Oct 31 07:58:46 2007
+From: Jean Delvare <khali at linux-fr.org>
+Date: Mon, 15 Oct 2007 14:32:27 +0200
+Subject: hwmon/w83627hf: Fix setting fan min right after driver load
+To: stable at kernel.org
+Cc: "Mark M. Hoffman" <mhoffman at lightlink.com>
+Message-ID: <20071015143227.6548d45b at hyperion.delvare>
+
+From: Jean Delvare <khali at linux-fr.org>
+
+Already in Linus' tree:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c09c5184a26158da32801e89d5849d774605f0dd
+
+We need to read the fan clock dividers at initialization time,
+otherwise the code in store_fan_min() may use uninitialized values.
+That's pretty much the same bug and same fix as for the w83627ehf
+driver last month.
+
+Signed-off-by: Jean Delvare <khali at linux-fr.org>
+Signed-off-by: Mark M. Hoffman <mhoffman at lightlink.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/hwmon/w83627hf.c |   34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+--- a/drivers/hwmon/w83627hf.c
++++ b/drivers/hwmon/w83627hf.c
+@@ -391,6 +391,7 @@ static int __devexit w83627hf_remove(str
+ 
+ static int w83627hf_read_value(struct w83627hf_data *data, u16 reg);
+ static int w83627hf_write_value(struct w83627hf_data *data, u16 reg, u16 value);
++static void w83627hf_update_fan_div(struct w83627hf_data *data);
+ static struct w83627hf_data *w83627hf_update_device(struct device *dev);
+ static void w83627hf_init_device(struct platform_device *pdev);
+ 
+@@ -1244,6 +1245,7 @@ static int __devinit w83627hf_probe(stru
+ 	data->fan_min[0] = w83627hf_read_value(data, W83781D_REG_FAN_MIN(1));
+ 	data->fan_min[1] = w83627hf_read_value(data, W83781D_REG_FAN_MIN(2));
+ 	data->fan_min[2] = w83627hf_read_value(data, W83781D_REG_FAN_MIN(3));
++	w83627hf_update_fan_div(data);
+ 
+ 	/* Register common device attributes */
+ 	if ((err = sysfs_create_group(&dev->kobj, &w83627hf_group)))
+@@ -1556,6 +1558,24 @@ static void __devinit w83627hf_init_devi
+ 			    | 0x01);
+ }
+ 
++static void w83627hf_update_fan_div(struct w83627hf_data *data)
++{
++	int reg;
++
++	reg = w83627hf_read_value(data, W83781D_REG_VID_FANDIV);
++	data->fan_div[0] = (reg >> 4) & 0x03;
++	data->fan_div[1] = (reg >> 6) & 0x03;
++	if (data->type != w83697hf) {
++		data->fan_div[2] = (w83627hf_read_value(data,
++				       W83781D_REG_PIN) >> 6) & 0x03;
++	}
++	reg = w83627hf_read_value(data, W83781D_REG_VBAT);
++	data->fan_div[0] |= (reg >> 3) & 0x04;
++	data->fan_div[1] |= (reg >> 4) & 0x04;
++	if (data->type != w83697hf)
++		data->fan_div[2] |= (reg >> 5) & 0x04;
++}
++
+ static struct w83627hf_data *w83627hf_update_device(struct device *dev)
+ {
+ 	struct w83627hf_data *data = dev_get_drvdata(dev);
+@@ -1633,18 +1653,8 @@ static struct w83627hf_data *w83627hf_up
+ 			  w83627hf_read_value(data, W83781D_REG_TEMP_HYST(3));
+ 		}
+ 
+-		i = w83627hf_read_value(data, W83781D_REG_VID_FANDIV);
+-		data->fan_div[0] = (i >> 4) & 0x03;
+-		data->fan_div[1] = (i >> 6) & 0x03;
+-		if (data->type != w83697hf) {
+-			data->fan_div[2] = (w83627hf_read_value(data,
+-					       W83781D_REG_PIN) >> 6) & 0x03;
+-		}
+-		i = w83627hf_read_value(data, W83781D_REG_VBAT);
+-		data->fan_div[0] |= (i >> 3) & 0x04;
+-		data->fan_div[1] |= (i >> 4) & 0x04;
+-		if (data->type != w83697hf)
+-			data->fan_div[2] |= (i >> 5) & 0x04;
++		w83627hf_update_fan_div(data);
++
+ 		data->alarms =
+ 		    w83627hf_read_value(data, W83781D_REG_ALARM1) |
+ 		    (w83627hf_read_value(data, W83781D_REG_ALARM2) << 8) |
+From khali at linux-fr.org  Wed Oct 31 07:59:11 2007
+From: Jean Delvare <khali at linux-fr.org>
+Date: Mon, 15 Oct 2007 15:02:42 +0200
+Subject: hwmon/w83627hf: Don't assume bank 0
+To: stable at kernel.org
+Cc: "Mark M. Hoffman" <mhoffman at lightlink.com>
+Message-ID: <20071015150242.643837b8 at hyperion.delvare>
+
+From: Jean Delvare <khali at linux-fr.org>
+
+Already in Linus' tree:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d58df9cd788e6fb4962e1c8d5ba7b8b95d639a44
+
+The bank switching code assumes that the bank selector is set to 0
+when the driver is loaded. This might not be the case. This is exactly
+the same bug as was fixed in the w83627ehf driver two months ago:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0956895aa6f8dc6a33210967252fd7787652537d
+
+In practice, this bug was causing the sensor thermal types to be
+improperly reported for my W83627THF the first time I was loading the
+w83627hf driver. From the driver history, I'd say that it has been
+broken since September 2005 (when we stopped resetting the chip by
+default at driver load.)
+
+Signed-off-by: Jean Delvare <khali at linux-fr.org>
+Signed-off-by: Mark M. Hoffman <mhoffman at lightlink.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/hwmon/w83627hf.c |   44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+--- a/drivers/hwmon/w83627hf.c
++++ b/drivers/hwmon/w83627hf.c
+@@ -1335,6 +1335,24 @@ static int __devexit w83627hf_remove(str
+ }
+ 
+ 
++/* Registers 0x50-0x5f are banked */
++static inline void w83627hf_set_bank(struct w83627hf_data *data, u16 reg)
++{
++	if ((reg & 0x00f0) == 0x50) {
++		outb_p(W83781D_REG_BANK, data->addr + W83781D_ADDR_REG_OFFSET);
++		outb_p(reg >> 8, data->addr + W83781D_DATA_REG_OFFSET);
++	}
++}
++
++/* Not strictly necessary, but play it safe for now */
++static inline void w83627hf_reset_bank(struct w83627hf_data *data, u16 reg)
++{
++	if (reg & 0xff00) {
++		outb_p(W83781D_REG_BANK, data->addr + W83781D_ADDR_REG_OFFSET);
++		outb_p(0, data->addr + W83781D_DATA_REG_OFFSET);
++	}
++}
++
+ static int w83627hf_read_value(struct w83627hf_data *data, u16 reg)
+ {
+ 	int res, word_sized;
+@@ -1345,12 +1363,7 @@ static int w83627hf_read_value(struct w8
+ 		  && (((reg & 0x00ff) == 0x50)
+ 		   || ((reg & 0x00ff) == 0x53)
+ 		   || ((reg & 0x00ff) == 0x55));
+-	if (reg & 0xff00) {
+-		outb_p(W83781D_REG_BANK,
+-		       data->addr + W83781D_ADDR_REG_OFFSET);
+-		outb_p(reg >> 8,
+-		       data->addr + W83781D_DATA_REG_OFFSET);
+-	}
++	w83627hf_set_bank(data, reg);
+ 	outb_p(reg & 0xff, data->addr + W83781D_ADDR_REG_OFFSET);
+ 	res = inb_p(data->addr + W83781D_DATA_REG_OFFSET);
+ 	if (word_sized) {
+@@ -1360,11 +1373,7 @@ static int w83627hf_read_value(struct w8
+ 		    (res << 8) + inb_p(data->addr +
+ 				       W83781D_DATA_REG_OFFSET);
+ 	}
+-	if (reg & 0xff00) {
+-		outb_p(W83781D_REG_BANK,
+-		       data->addr + W83781D_ADDR_REG_OFFSET);
+-		outb_p(0, data->addr + W83781D_DATA_REG_OFFSET);
+-	}
++	w83627hf_reset_bank(data, reg);
+ 	mutex_unlock(&data->lock);
+ 	return res;
+ }
+@@ -1435,12 +1444,7 @@ static int w83627hf_write_value(struct w
+ 		   || ((reg & 0xff00) == 0x200))
+ 		  && (((reg & 0x00ff) == 0x53)
+ 		   || ((reg & 0x00ff) == 0x55));
+-	if (reg & 0xff00) {
+-		outb_p(W83781D_REG_BANK,
+-		       data->addr + W83781D_ADDR_REG_OFFSET);
+-		outb_p(reg >> 8,
+-		       data->addr + W83781D_DATA_REG_OFFSET);
+-	}
++	w83627hf_set_bank(data, reg);
+ 	outb_p(reg & 0xff, data->addr + W83781D_ADDR_REG_OFFSET);
+ 	if (word_sized) {
+ 		outb_p(value >> 8,
+@@ -1450,11 +1454,7 @@ static int w83627hf_write_value(struct w
+ 	}
+ 	outb_p(value & 0xff,
+ 	       data->addr + W83781D_DATA_REG_OFFSET);
+-	if (reg & 0xff00) {
+-		outb_p(W83781D_REG_BANK,
+-		       data->addr + W83781D_ADDR_REG_OFFSET);
+-		outb_p(0, data->addr + W83781D_DATA_REG_OFFSET);
+-	}
++	w83627hf_reset_bank(data, reg);
+ 	mutex_unlock(&data->lock);
+ 	return 0;
+ }
+From khali at linux-fr.org  Wed Oct 31 07:57:45 2007
+From: Jean Delvare <khali at linux-fr.org>
+Date: Mon, 15 Oct 2007 13:49:50 +0200
+Subject: hwmon/lm87: Fix a division by zero
+To: stable at kernel.org
+Cc: "Mark M. Hoffman" <mhoffman at lightlink.com>
+Message-ID: <20071015134950.15b1e97d at hyperion.delvare>
+
+From: Jean Delvare <khali at linux-fr.org>
+
+Already in Linus' tree:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b965d4b7f614522170af6a7e450be0333792ccd2
+
+Missing parentheses in the definition of FAN_FROM_REG cause a
+division by zero for a specific register value.
+
+Signed-off-by: Jean Delvare <khali at linux-fr.org>
+Acked-by: Hans de Goede <j.w.r.degoede at hhs.nl>
+Signed-off-by: Mark M. Hoffman <mhoffman at lightlink.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/hwmon/lm87.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm87.c
++++ b/drivers/hwmon/lm87.c
+@@ -129,7 +129,7 @@ static u8 LM87_REG_TEMP_LOW[3] = { 0x3A,
+ 				 (((val) < 0 ? (val)-500 : (val)+500) / 1000))
+ 
+ #define FAN_FROM_REG(reg,div)	((reg) == 255 || (reg) == 0 ? 0 : \
+-				 1350000 + (reg)*(div) / 2) / ((reg)*(div))
++				 (1350000 + (reg)*(div) / 2) / ((reg)*(div)))
+ #define FAN_TO_REG(val,div)	((val)*(div) * 255 <= 1350000 ? 255 : \
+ 				 (1350000 + (val)*(div) / 2) / ((val)*(div)))
+ 
+From khali at linux-fr.org  Wed Oct 31 07:58:20 2007
+From: Jean Delvare <khali at linux-fr.org>
+Date: Mon, 15 Oct 2007 14:02:36 +0200
+Subject: hwmon/lm87: Disable VID when it should be
+To: stable at kernel.org
+Cc: "Mark M. Hoffman" <mhoffman at lightlink.com>
+Message-ID: <20071015140236.06b4d97a at hyperion.delvare>
+
+From: Jean Delvare <khali at linux-fr.org>
+
+Already in Linus' tree:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=889af3d5d9586db795a06c619e416b4baee11da8
+
+A stupid bit shifting bug caused the VID value to be always exported
+even when the hardware is configured for something different.
+
+Signed-off-by: Jean Delvare <khali at linux-fr.org>
+Signed-off-by: Mark M. Hoffman <mhoffman at lightlink.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/hwmon/lm87.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm87.c
++++ b/drivers/hwmon/lm87.c
+@@ -145,7 +145,7 @@ static u8 LM87_REG_TEMP_LOW[3] = { 0x3A,
+ #define CHAN_NO_FAN(nr)		(1 << (nr))
+ #define CHAN_TEMP3		(1 << 2)
+ #define CHAN_VCC_5V		(1 << 3)
+-#define CHAN_NO_VID		(1 << 8)
++#define CHAN_NO_VID		(1 << 7)
+ 
+ /*
+  * Functions declaration
+From linville at tuxdriver.com  Wed Oct 31 07:40:46 2007
+From: "John W. Linville" <linville at tuxdriver.com>
+Date: Tue,  9 Oct 2007 22:46:33 -0400
+Subject: Add get_unaligned to ieee80211_get_radiotap_len
+To: stable at kernel.org
+Cc: warmcat <andy at warmcat.com>, "John W. Linville" <linville at tuxdriver.com>
+Message-ID: <11919843974140-git-send-email-linville at tuxdriver.com>
+
+
+From: Andy Green <andy at warmcat.com>
+
+patch dfe6e81deaa79c85086c0cc8d85b229e444ab97f in mainline.
+
+ieee80211_get_radiotap_len() tries to dereference radiotap length without
+taking care that it is completely unaligned and get_unaligned()
+is required.
+
+Signed-off-by: Andy Green <andy at warmcat.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/mac80211/ieee80211.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/ieee80211.c
++++ b/net/mac80211/ieee80211.c
+@@ -350,7 +350,7 @@ static int ieee80211_get_radiotap_len(st
+ 	struct ieee80211_radiotap_header *hdr =
+ 		(struct ieee80211_radiotap_header *) skb->data;
+ 
+-	return le16_to_cpu(hdr->it_len);
++	return le16_to_cpu(get_unaligned(&hdr->it_len));
+ }
+ 
+ #ifdef CONFIG_MAC80211_LOWTX_FRAME_DUMP
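Review bot: ieee80211_get_radiotap_len() returns `it_len` straight from `skb->data` with no comparison against `skb->len`, so the result is only as trustworthy as the frame that supplied it, and nothing in the function documents that. A comment above it would record the contract, for example `/* caller must ensure skb->len >= sizeof(struct ieee80211_radiotap_header) and must bound the returned length by skb->len */`. The function's signature is outside this hunk.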
+From linville at tuxdriver.com  Wed Oct 31 09:02:49 2007
+From: Andy Green <andy at warmcat.com>
+Date: Tue,  9 Oct 2007 22:46:34 -0400
+Subject: mac80211: Improve sanity checks on injected packets
+To: stable at kernel.org
+Cc: warmcat <andy at warmcat.com>, "John W. Linville" <linville at tuxdriver.com>
+Message-ID: <11919843971189-git-send-email-linville at tuxdriver.com>
+
+From: Andy Green <andy at warmcat.com>
+
+patch 9b8a74e3482f9fc077a88c13fa0ceca8feb0b772 in mainline.
+
+Michael Wu noticed that the skb length checking is not taken care of enough when
+a packet is presented on the Monitor interface for injection.
+
+This patch improves the sanity checking and removes fake offsets placed
+into the skb network and transport header.
+
+Signed-off-by: Andy Green <andy at warmcat.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/mac80211/ieee80211.c |   48 +++++++++++++++++++++++++++--------------------
+ 1 file changed, 28 insertions(+), 20 deletions(-)
+
+--- a/net/mac80211/ieee80211.c
++++ b/net/mac80211/ieee80211.c
+@@ -1680,46 +1680,54 @@ int ieee80211_monitor_start_xmit(struct 
+ 	struct ieee80211_tx_packet_data *pkt_data;
+ 	struct ieee80211_radiotap_header *prthdr =
+ 		(struct ieee80211_radiotap_header *)skb->data;
+-	u16 len;
++	u16 len_rthdr;
+ 
+-	/*
+-	 * there must be a radiotap header at the
+-	 * start in this case
+-	 */
+-	if (unlikely(prthdr->it_version)) {
+-		/* only version 0 is supported */
+-		dev_kfree_skb(skb);
+-		return NETDEV_TX_OK;
+-	}
++	/* check for not even having the fixed radiotap header part */
++	if (unlikely(skb->len < sizeof(struct ieee80211_radiotap_header)))
++		goto fail; /* too short to be possibly valid */
++
++	/* is it a header version we can trust to find length from? */
++	if (unlikely(prthdr->it_version))
++		goto fail; /* only version 0 is supported */
++
++	/* then there must be a radiotap header with a length we can use */
++	len_rthdr = ieee80211_get_radiotap_len(skb);
++
++	/* does the skb contain enough to deliver on the alleged length? */
++	if (unlikely(skb->len < len_rthdr))
++		goto fail; /* skb too short for claimed rt header extent */
+ 
+ 	skb->dev = local->mdev;
+ 
+ 	pkt_data = (struct ieee80211_tx_packet_data *)skb->cb;
+ 	memset(pkt_data, 0, sizeof(*pkt_data));
++	/* needed because we set skb device to master */
+ 	pkt_data->ifindex = dev->ifindex;
++
+ 	pkt_data->mgmt_iface = 0;
+ 	pkt_data->do_not_encrypt = 1;
+ 
+-	/* above needed because we set skb device to master */
+-
+ 	/*
+ 	 * fix up the pointers accounting for the radiotap
+ 	 * header still being in there.  We are being given
+ 	 * a precooked IEEE80211 header so no need for
+ 	 * normal processing
+ 	 */
+-	len = le16_to_cpu(get_unaligned(&prthdr->it_len));
+-	skb_set_mac_header(skb, len);
+-	skb_set_network_header(skb, len + sizeof(struct ieee80211_hdr));
+-	skb_set_transport_header(skb, len + sizeof(struct ieee80211_hdr));
+-
++	skb_set_mac_header(skb, len_rthdr);
+ 	/*
+-	 * pass the radiotap header up to
+-	 * the next stage intact
++	 * these are just fixed to the end of the rt area since we
++	 * don't have any better information and at this point, nobody cares
+ 	 */
+-	dev_queue_xmit(skb);
++	skb_set_network_header(skb, len_rthdr);
++	skb_set_transport_header(skb, len_rthdr);
+ 
++	/* pass the radiotap header up to the next stage intact */
++	dev_queue_xmit(skb);
+ 	return NETDEV_TX_OK;
++
++fail:
++	dev_kfree_skb(skb);
++	return NETDEV_TX_OK; /* meaning, we dealt with the skb */
+ }
+ 
+ 
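Review bot: The new checks in ieee80211_monitor_start_xmit() give `len_rthdr` an upper bound but no lower bound: an `it_len` smaller than the fixed radiotap header still passes `skb->len < len_rthdr`, and `skb_set_mac_header(skb, len_rthdr)` would then point inside the radiotap header itself. The last check could be tightened to `if (unlikely(len_rthdr < sizeof(*prthdr) || skb->len < len_rthdr)) goto fail;`. Nothing in the hunk confirms that any 802.11 header bytes follow the radiotap area either. Whether the master device's transmit path re-validates that length is not visible here and should be checked. The function starts outside this hunk.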
+From 5307cc1aa53850f017c8053db034cf950b670ac9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at woody.linux-foundation.org>
+Date: Wed, 31 Oct 2007 09:19:46 -0700
+Subject: Remove broken ptrace() special-case code from file mapping
+
+The kernel has for random historical reasons allowed ptrace() accesses
+to access (and insert) pages into the page cache above the size of the
+file.
+
+However, Nick broke that by mistake when doing the new fault handling in
+commit 54cb8821de07f2ffcd28c380ce9b93d5784b40d7 ("mm: merge populate and
+nopage into fault (fixes nonlinear)".  The breakage caused a hang with
+gdb when trying to access the invalid page.
+
+The ptrace "feature" really isn't worth resurrecting, since it really is
+wrong both from a portability _and_ from an internal page cache validity
+standpoint.  So this removes those old broken remnants, and fixes the
+ptrace() hang in the process.
+
+Noticed and bisected by Duane Griffin, who also supplied a test-case
+(quoth Nick: "Well that's probably the best bug report I've ever had,
+thanks Duane!").
+
+Cc: Duane Griffin <duaneg at dghda.com>
+Acked-by: Nick Piggin <npiggin at suse.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ mm/filemap.c |   13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1312,7 +1312,7 @@ int filemap_fault(struct vm_area_struct 
+ 
+ 	size = (i_size_read(inode) + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
+ 	if (vmf->pgoff >= size)
+-		goto outside_data_content;
++		return VM_FAULT_SIGBUS;
+ 
+ 	/* If we don't want any read-ahead, don't bother */
+ 	if (VM_RandomReadHint(vma))
+@@ -1389,7 +1389,7 @@ retry_find:
+ 	if (unlikely(vmf->pgoff >= size)) {
+ 		unlock_page(page);
+ 		page_cache_release(page);
+-		goto outside_data_content;
++		return VM_FAULT_SIGBUS;
+ 	}
+ 
+ 	/*
+@@ -1400,15 +1400,6 @@ retry_find:
+ 	vmf->page = page;
+ 	return ret | VM_FAULT_LOCKED;
+ 
+-outside_data_content:
+-	/*
+-	 * An external ptracer can access pages that normally aren't
+-	 * accessible..
+-	 */
+-	if (vma->vm_mm == current->mm)
+-		return VM_FAULT_SIGBUS;
+-
+-	/* Fall through to the non-read-ahead case */
+ no_cached_page:
+ 	/*
+ 	 * We're only likely to ever get here if MADV_RANDOM is in
+From 9a24d04a3c26c223f22493492c5c9085b8773d4a Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo at elte.hu>
+Date: Fri, 19 Oct 2007 12:19:26 +0200
+Subject: [PATCH] x86: fix global_flush_tlb() bug
+
+From: Ingo Molnar <mingo at elte.hu>
+
+patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream
+
+While we were reviewing pageattr_32/64.c for unification,
+Thomas Gleixner noticed the following serious SMP bug in
+global_flush_tlb():
+
+	down_read(&init_mm.mmap_sem);
+	list_replace_init(&deferred_pages, &l);
+	up_read(&init_mm.mmap_sem);
+
+this is SMP-unsafe because list_replace_init() done on two CPUs in
+parallel can corrupt the list.
+
+This bug has been introduced about a year ago in the 64-bit tree:
+
+       commit ea7322decb974a4a3e804f96a0201e893ff88ce3
+       Author: Andi Kleen <ak at suse.de>
+       Date:   Thu Dec 7 02:14:05 2006 +0100
+
+       [PATCH] x86-64: Speed and clean up cache flushing in change_page_attr
+
+                down_read(&init_mm.mmap_sem);
+        -       dpage = xchg(&deferred_pages, NULL);
+        +       list_replace_init(&deferred_pages, &l);
+                up_read(&init_mm.mmap_sem);
+
+the xchg() based version was SMP-safe, but list_replace_init() is not.
+So this "cleanup" introduced a nasty bug.
+
+why this bug never become prominent is a mystery - it can probably be
+explained with the (still) relative obscurity of the x86_64 architecture.
+
+the safe fix for now is to write-lock init_mm.mmap_sem.
+
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Cc: Andi Kleen <ak at suse.de>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/x86_64/mm/pageattr.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86_64/mm/pageattr.c
++++ b/arch/x86_64/mm/pageattr.c
+@@ -229,9 +229,14 @@ void global_flush_tlb(void)
+ 	struct page *pg, *next;
+ 	struct list_head l;
+ 
+-	down_read(&init_mm.mmap_sem);
++	/*
++	 * Write-protect the semaphore, to exclude two contexts
++	 * doing a list_replace_init() call in parallel and to
++	 * exclude new additions to the deferred_pages list:
++	 */
++	down_write(&init_mm.mmap_sem);
+ 	list_replace_init(&deferred_pages, &l);
+-	up_read(&init_mm.mmap_sem);
++	up_write(&init_mm.mmap_sem);
+ 
+ 	flush_map(&l);
+ 
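Review bot: The new comment in global_flush_tlb() says the write lock excludes "new additions to the deferred_pages list", but that holds only if every path that adds to `deferred_pages` also takes `init_mm.mmap_sem`; those paths are outside this hunk and should be verified. "Write-protect the semaphore" is also imprecise, since the semaphore is taken for writing in order to protect the list. Something like `/* take mmap_sem for writing: two read-lock holders could otherwise run list_replace_init() on deferred_pages at once */` states it more exactly. A dedicated lock for the list would make the protection explicit, which the commit message's "safe fix for now" seems to anticipate.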
+From faf8c714f4508207a9c81cc94dafc76ed6680b44 Mon Sep 17 00:00:00 2001
+From: Dave Young <hidave.darkstar at gmail.com>
+Date: Thu, 18 Oct 2007 03:05:07 -0700
+Subject: param_sysfs_builtin memchr argument fix
+Message-ID: <4720EBA6.60803 at redhat.com>
+
+From: Dave Young <hidave.darkstar at gmail.com>
+
+patch faf8c714f4508207a9c81cc94dafc76ed6680b44 in mainline.
+
+If memchr argument is longer than strlen(kp->name), there will be some
+weird result.
+
+It will casuse duplicate filenames in sysfs for the "nousb".  kernel
+warning messages are as bellow:
+
+sysfs: duplicate filename 'usbcore' can not be created
+WARNING: at fs/sysfs/dir.c:416 sysfs_add_one()
+ [<c01c4750>] sysfs_add_one+0xa0/0xe0
+ [<c01c4ab8>] create_dir+0x48/0xb0
+ [<c01c4b69>] sysfs_create_dir+0x29/0x50
+ [<c024e0fb>] create_dir+0x1b/0x50
+ [<c024e3b6>] kobject_add+0x46/0x150
+ [<c024e2da>] kobject_init+0x3a/0x80
+ [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
+ [<c053b9ce>] param_sysfs_builtin+0xee/0x130
+ [<c053ba33>] param_sysfs_init+0x23/0x60
+ [<c024d062>] __next_cpu+0x12/0x20
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052a856>] do_initcalls+0x46/0x1e0
+ [<c01bdb12>] create_proc_entry+0x52/0x90
+ [<c0158d4c>] register_irq_proc+0x9c/0xc0
+ [<c01bda94>] proc_mkdir_mode+0x34/0x50
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa92>] kernel_init+0x62/0xb0
+ [<c0104f83>] kernel_thread_helper+0x7/0x14
+ =======================
+kobject_add failed for usbcore with -EEXIST, don't try to register things with the same name in the same directory.
+ [<c024e466>] kobject_add+0xf6/0x150
+ [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
+ [<c053b9ce>] param_sysfs_builtin+0xee/0x130
+ [<c053ba33>] param_sysfs_init+0x23/0x60
+ [<c024d062>] __next_cpu+0x12/0x20
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052a856>] do_initcalls+0x46/0x1e0
+ [<c01bdb12>] create_proc_entry+0x52/0x90
+ [<c0158d4c>] register_irq_proc+0x9c/0xc0
+ [<c01bda94>] proc_mkdir_mode+0x34/0x50
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa92>] kernel_init+0x62/0xb0
+ [<c0104f83>] kernel_thread_helper+0x7/0x14
+ =======================
+Module 'usbcore' failed to be added to sysfs, error number -17
+The system will be unstable now.
+
+Signed-off-by: Dave Young <hidave.darkstar at gmail.com>
+Cc: Greg KH <greg at kroah.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Chuck Ebbert <cebbert at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ kernel/params.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -595,11 +595,17 @@ static void __init param_sysfs_builtin(v
+ 
+ 	for (i=0; i < __stop___param - __start___param; i++) {
+ 		char *dot;
++		size_t kplen;
+ 
+ 		kp = &__start___param[i];
++		kplen = strlen(kp->name);
+ 
+ 		/* We do not handle args without periods. */
+-		dot = memchr(kp->name, '.', MAX_KBUILD_MODNAME);
++		if (kplen > MAX_KBUILD_MODNAME) {
++			DEBUGP("kernel parameter name is too long: %s\n", kp->name);
++			continue;
++		}
++		dot = memchr(kp->name, '.', kplen);
+ 		if (!dot) {
+ 			DEBUGP("couldn't find period in %s\n", kp->name);
+ 			continue;
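Review bot: The added `if (kplen > MAX_KBUILD_MODNAME)` check compares the length of the whole `kp->name` against a limit that, going by its name and by the old `memchr()` bound, applies to the module-name part before the period. A parameter with a short module prefix and a long parameter name would therefore be skipped and get no sysfs entry. Bounding the search instead keeps the old acceptance rule while never scanning past the terminator: `dot = memchr(kp->name, '.', min_t(size_t, kplen, MAX_KBUILD_MODNAME));`, with the length check dropped. The comment `/* We do not handle args without periods. */` also now sits above the length check rather than the `memchr()` it describes. The loop body continues past the end of the hunk, so how `dot` is used afterwards is not visible.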
+From f44ec6f3f89889a469773b1fd894f8fcc07c29cf Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen at redhat.com>
+Date: Tue, 16 Oct 2007 23:27:15 -0700
+Subject: minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
+Message-ID: <47276102.30608 at redhat.com>
+
+From: Eric Sandeen <sandeen at redhat.com>
+
+patch f44ec6f3f89889a469773b1fd894f8fcc07c29cf upstream.
+
+This attempts to address CVE-2006-6058
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+
+first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+
+Essentially a corrupted minix dir inode reporting a very large
+i_size will loop for a very long time in minix_readdir, minix_find_entry,
+etc, because on EIO they just move on to try the next page.  This is
+under the BKL, printk-storming as well.  This can lock up the machine
+for a very long time.  Simply ratelimiting the printks gets things back
+under control.  Make the message a bit more informative while we're here.
+
+Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+Cc: Bodo Eggert <7eggert at gmx.de>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/minix/itree_v1.c |    9 +++++++--
+ fs/minix/itree_v2.c |    9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/fs/minix/itree_v1.c
++++ b/fs/minix/itree_v1.c
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ 	int n = 0;
++	char b[BDEVNAME_SIZE];
+ 
+ 	if (block < 0) {
+-		printk("minix_bmap: block<0\n");
++		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++			block, bdevname(inode->i_sb->s_bdev, b));
+ 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+-		printk("minix_bmap: block>big\n");
++		if (printk_ratelimit())
++			printk("MINIX-fs: block_to_path: "
++			       "block %ld too big on dev %s\n",
++				block, bdevname(inode->i_sb->s_bdev, b));
+ 	} else if (block < 7) {
+ 		offsets[n++] = block;
+ 	} else if ((block -= 7) < 512) {
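Review bot: The `block < 0` branch in block_to_path() still calls printk() on every hit, while only the "too big" branch got `if (printk_ratelimit())`; the itree_v2.c hunk has the same asymmetry. Whether a corrupted inode can drive the negative branch repeatedly is not visible from these hunks, but the same guard would be cheap insurance: put `if (printk_ratelimit())` in front of that printk() as well. Both new messages also lack a log level; `KERN_WARNING`, or whichever level the file uses elsewhere, would keep them filterable. block_to_path() continues past the end of both hunks.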
+--- a/fs/minix/itree_v2.c
++++ b/fs/minix/itree_v2.c
+@@ -23,12 +23,17 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ 	int n = 0;
++	char b[BDEVNAME_SIZE];
+ 	struct super_block *sb = inode->i_sb;
+ 
+ 	if (block < 0) {
+-		printk("minix_bmap: block<0\n");
++		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++			block, bdevname(sb->s_bdev, b));
+ 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {
+-		printk("minix_bmap: block>big\n");
++		if (printk_ratelimit())
++			printk("MINIX-fs: block_to_path: "
++			       "block %ld too big on dev %s\n",
++				block, bdevname(sb->s_bdev, b));
+ 	} else if (block < 7) {
+ 		offsets[n++] = block;
+ 	} else if ((block -= 7) < 256) {
+From stable-bounces at linux.kernel.org Sun Oct 28 10:15:04 2007
+From: Roland Dreier <rdreier at cisco.com>
+Date: Sun, 28 Oct 2007 10:14:32 -0700
+Subject: IB/uverbs: Fix checking of userspace object ownership
+To: stable at kernel.org
+Message-ID: <ada7il7xitj.fsf at cisco.com>
+
+From: Roland Dreier <rolandd at cisco.com>
+
+Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704
+
+Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
+rewrote how userspace objects are looked up in the uverbs module's
+idrs, and introduced a severe bug in the process: there is no checking
+that an operation is being performed by the right process any more.
+Fix this by adding the missing check of uobj->context in __idr_get_uobj().
+
+Apparently everyone is being very careful to only touch their own
+objects, because this bug was introduced in June 2006 in 2.6.18, and
+has gone undetected until now.
+
+Signed-off-by: Roland Dreier <rolandd at cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -147,8 +147,12 @@ static struct ib_uobject *__idr_get_uobj
+ 
+ 	spin_lock(&ib_uverbs_idr_lock);
+ 	uobj = idr_find(idr, id);
+-	if (uobj)
+-		kref_get(&uobj->ref);
++	if (uobj) {
++		if (uobj->context == context)
++			kref_get(&uobj->ref);
++		else
++			uobj = NULL;
++	}
+ 	spin_unlock(&ib_uverbs_idr_lock);
+ 
+ 	return uobj;
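Review bot: The `uobj->context == context` comparison is, as far as this hunk shows, what stops one context from obtaining another context's object by id, and nothing in the code says so. A short comment above it, for example `/* only return objects that belong to the caller's context */`, would make the check harder to drop in a later rewrite of the lookup. The comment could also note that a mismatch deliberately returns NULL, the same as an unknown id. The function's signature and closing brace are outside the hunk.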



