--- /dev/null
+From gregkh@mini.kroah.org Fri Nov 7 15:23:45 2008
+Message-Id: <20081107232345.215602160@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:50 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Brownell <dbrownell@users.sourceforge.net>
+Subject: [patch 01/16] gpiolib: fix oops in gpio_get_value_cansleep()
+Content-Disposition: inline; filename=gpiolib-fix-oops-in-gpio_get_value_cansleep.patch
+Content-Length: 1981
+Lines: 53
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: David Brownell <dbrownell@users.sourceforge.net>
+
+commit 978ccaa8ea5d8c7bf6b676209f2fc126eae6355b upstream
+
+We can get the following oops from gpio_get_value_cansleep() when a GPIO
+controller doesn't provide a get() callback:
+
+ Unable to handle kernel paging request for instruction fetch
+ Faulting instruction address: 0x00000000
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ [...]
+ NIP [00000000] 0x0
+ LR [c0182fb0] gpio_get_value_cansleep+0x40/0x50
+ Call Trace:
+ [c7b79e80] [c0183f28] gpio_value_show+0x5c/0x94
+ [c7b79ea0] [c01a584c] dev_attr_show+0x30/0x7c
+ [c7b79eb0] [c00d6b48] fill_read_buffer+0x68/0xe0
+ [c7b79ed0] [c00d6c54] sysfs_read_file+0x94/0xbc
+ [c7b79ef0] [c008f24c] vfs_read+0xb4/0x16c
+ [c7b79f10] [c008f580] sys_read+0x4c/0x90
+ [c7b79f40] [c0013a14] ret_from_syscall+0x0/0x38
+
+It's OK to request the value of *any* GPIO; most GPIOs are bidirectional,
+so configuring them as outputs just enables an output driver and doesn't
+disable the input logic.
+
+So the problem is that gpio_get_value_cansleep() isn't making the same
+sanity check that gpio_get_value() does: making sure this GPIO isn't one
+of the atypical "no input logic" cases.
+
+Reported-by: Anton Vorontsov <avorontsov@ru.mvista.com>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpio/gpiolib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -426,7 +426,7 @@ int gpio_get_value_cansleep(unsigned gpi
+
+ might_sleep_if(extra_checks);
+ chip = gpio_to_chip(gpio);
+- return chip->get(chip, gpio - chip->base);
++ return chip->get ? chip->get(chip, gpio - chip->base) : 0;
+ }
+ EXPORT_SYMBOL_GPL(gpio_get_value_cansleep);
+
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:45 2008
+Message-Id: <20081107232345.370024082@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:51 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ ext4 development <linux-ext4@vger.kernel.org>,
+ Eric Sandeen <sandeen@redhat.com>,
+ Eugene Teo <eugeneteo@kernel.sg>
+Subject: [patch 02/16] ext: Avoid printk floods in the face of directory corruption (CVE-2008-3528)
+Content-Disposition: inline; filename=ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch
+Content-Length: 7505
+Lines: 241
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+This is a trivial backport of the following upstream commits:
+
+- bd39597cbd42a784105a04010100e27267481c67 (ext2)
+- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
+- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)
+
+This addresses CVE-2008-3528
+
+ext[234]: Avoid printk floods in the face of directory corruption
+
+Note: some people thinks this represents a security bug, since it
+might make the system go away while it is printing a large number of
+console messages, especially if a serial console is involved. Hence,
+it has been assigned CVE-2008-3528, but it requires that the attacker
+either has physical access to your machine to insert a USB disk with a
+corrupted filesystem image (at which point why not just hit the power
+button), or is otherwise able to convince the system administrator to
+mount an arbitrary filesystem image (at which point why not just
+include a setuid shell or world-writable hard disk device file or some
+such). Me, I think they're just being silly. --tytso
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Cc: linux-ext4@vger.kernel.org
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext2/dir.c | 60 +++++++++++++++++++++++++++++++++-------------------------
+ fs/ext3/dir.c | 10 ++++++---
+ fs/ext4/dir.c | 11 +++++++---
+ 3 files changed, 50 insertions(+), 31 deletions(-)
+
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -103,7 +103,7 @@ static int ext2_commit_chunk(struct page
+ return err;
+ }
+
+-static void ext2_check_page(struct page *page)
++static void ext2_check_page(struct page *page, int quiet)
+ {
+ struct inode *dir = page->mapping->host;
+ struct super_block *sb = dir->i_sb;
+@@ -146,10 +146,10 @@ out:
+ /* Too bad, we had an error */
+
+ Ebadsize:
+- ext2_error(sb, "ext2_check_page",
+- "size of directory #%lu is not a multiple of chunk size",
+- dir->i_ino
+- );
++ if (!quiet)
++ ext2_error(sb, __func__,
++ "size of directory #%lu is not a multiple "
++ "of chunk size", dir->i_ino);
+ goto fail;
+ Eshort:
+ error = "rec_len is smaller than minimal";
+@@ -166,32 +166,36 @@ Espan:
+ Einumber:
+ error = "inode out of bounds";
+ bad_entry:
+- ext2_error (sb, "ext2_check_page", "bad entry in directory #%lu: %s - "
+- "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
+- dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
+- (unsigned long) le32_to_cpu(p->inode),
+- rec_len, p->name_len);
++ if (!quiet)
++ ext2_error(sb, __func__, "bad entry in directory #%lu: : %s - "
++ "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
++ dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
++ (unsigned long) le32_to_cpu(p->inode),
++ rec_len, p->name_len);
+ goto fail;
+ Eend:
+- p = (ext2_dirent *)(kaddr + offs);
+- ext2_error (sb, "ext2_check_page",
+- "entry in directory #%lu spans the page boundary"
+- "offset=%lu, inode=%lu",
+- dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
+- (unsigned long) le32_to_cpu(p->inode));
++ if (!quiet) {
++ p = (ext2_dirent *)(kaddr + offs);
++ ext2_error(sb, "ext2_check_page",
++ "entry in directory #%lu spans the page boundary"
++ "offset=%lu, inode=%lu",
++ dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
++ (unsigned long) le32_to_cpu(p->inode));
++ }
+ fail:
+ SetPageChecked(page);
+ SetPageError(page);
+ }
+
+-static struct page * ext2_get_page(struct inode *dir, unsigned long n)
++static struct page * ext2_get_page(struct inode *dir, unsigned long n,
++ int quiet)
+ {
+ struct address_space *mapping = dir->i_mapping;
+ struct page *page = read_mapping_page(mapping, n, NULL);
+ if (!IS_ERR(page)) {
+ kmap(page);
+ if (!PageChecked(page))
+- ext2_check_page(page);
++ ext2_check_page(page, quiet);
+ if (PageError(page))
+ goto fail;
+ }
+@@ -292,7 +296,7 @@ ext2_readdir (struct file * filp, void *
+ for ( ; n < npages; n++, offset = 0) {
+ char *kaddr, *limit;
+ ext2_dirent *de;
+- struct page *page = ext2_get_page(inode, n);
++ struct page *page = ext2_get_page(inode, n, 0);
+
+ if (IS_ERR(page)) {
+ ext2_error(sb, __FUNCTION__,
+@@ -361,6 +365,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
+ struct page *page = NULL;
+ struct ext2_inode_info *ei = EXT2_I(dir);
+ ext2_dirent * de;
++ int dir_has_error = 0;
+
+ if (npages == 0)
+ goto out;
+@@ -374,7 +379,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
+ n = start;
+ do {
+ char *kaddr;
+- page = ext2_get_page(dir, n);
++ page = ext2_get_page(dir, n, dir_has_error);
+ if (!IS_ERR(page)) {
+ kaddr = page_address(page);
+ de = (ext2_dirent *) kaddr;
+@@ -391,7 +396,9 @@ struct ext2_dir_entry_2 * ext2_find_entr
+ de = ext2_next_entry(de);
+ }
+ ext2_put_page(page);
+- }
++ } else
++ dir_has_error = 1;
++
+ if (++n >= npages)
+ n = 0;
+ /* next page is past the blocks we've got */
+@@ -414,7 +421,7 @@ found:
+
+ struct ext2_dir_entry_2 * ext2_dotdot (struct inode *dir, struct page **p)
+ {
+- struct page *page = ext2_get_page(dir, 0);
++ struct page *page = ext2_get_page(dir, 0, 0);
+ ext2_dirent *de = NULL;
+
+ if (!IS_ERR(page)) {
+@@ -487,7 +494,7 @@ int ext2_add_link (struct dentry *dentry
+ for (n = 0; n <= npages; n++) {
+ char *dir_end;
+
+- page = ext2_get_page(dir, n);
++ page = ext2_get_page(dir, n, 0);
+ err = PTR_ERR(page);
+ if (IS_ERR(page))
+ goto out;
+@@ -655,14 +662,17 @@ int ext2_empty_dir (struct inode * inode
+ {
+ struct page *page = NULL;
+ unsigned long i, npages = dir_pages(inode);
++ int dir_has_error = 0;
+
+ for (i = 0; i < npages; i++) {
+ char *kaddr;
+ ext2_dirent * de;
+- page = ext2_get_page(inode, i);
++ page = ext2_get_page(inode, i, dir_has_error);
+
+- if (IS_ERR(page))
++ if (IS_ERR(page)) {
++ dir_has_error = 1;
+ continue;
++ }
+
+ kaddr = page_address(page);
+ de = (ext2_dirent *)kaddr;
+--- a/fs/ext3/dir.c
++++ b/fs/ext3/dir.c
+@@ -102,6 +102,7 @@ static int ext3_readdir(struct file * fi
+ int err;
+ struct inode *inode = filp->f_path.dentry->d_inode;
+ int ret = 0;
++ int dir_has_error = 0;
+
+ sb = inode->i_sb;
+
+@@ -148,9 +149,12 @@ static int ext3_readdir(struct file * fi
+ * of recovering data when there's a bad sector
+ */
+ if (!bh) {
+- ext3_error (sb, "ext3_readdir",
+- "directory #%lu contains a hole at offset %lu",
+- inode->i_ino, (unsigned long)filp->f_pos);
++ if (!dir_has_error) {
++ ext3_error(sb, __func__, "directory #%lu "
++ "contains a hole at offset %lld",
++ inode->i_ino, filp->f_pos);
++ dir_has_error = 1;
++ }
+ /* corrupt size? Maybe no more blocks to read */
+ if (filp->f_pos > inode->i_blocks << 9)
+ break;
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -102,6 +102,7 @@ static int ext4_readdir(struct file * fi
+ int err;
+ struct inode *inode = filp->f_path.dentry->d_inode;
+ int ret = 0;
++ int dir_has_error = 0;
+
+ sb = inode->i_sb;
+
+@@ -147,9 +148,13 @@ static int ext4_readdir(struct file * fi
+ * of recovering data when there's a bad sector
+ */
+ if (!bh) {
+- ext4_error (sb, "ext4_readdir",
+- "directory #%lu contains a hole at offset %lu",
+- inode->i_ino, (unsigned long)filp->f_pos);
++ if (!dir_has_error) {
++ ext4_error(sb, __func__, "directory #%lu "
++ "contains a hole at offset %Lu",
++ inode->i_ino,
++ (unsigned long long) filp->f_pos);
++ dir_has_error = 1;
++ }
+ /* corrupt size? Maybe no more blocks to read */
+ if (filp->f_pos > inode->i_blocks << 9)
+ break;
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:45 2008
+Message-Id: <20081107232345.542037223@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:52 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Benjamin Herrenschmidt <benh@kernel.crashing.org>,
+ Doug Thompson <dougthompson@xmission.com>
+Subject: [patch 03/16] edac cell: fix incorrect edac_mode
+Content-Disposition: inline; filename=edac-cell-fix-incorrect-edac_mode.patch
+Content-Length: 1269
+Lines: 31
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 3b274f44d2ca05f719fe39947b6a5293a2dbd8fd upstream
+
+The cell_edac driver is setting the edac_mode field of the csrow's to an
+incorrect value, causing the sysfs show routine for that field to go out
+of an array bound and Oopsing the kernel when used.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Doug Thompson <dougthompson@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/edac/cell_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/cell_edac.c
++++ b/drivers/edac/cell_edac.c
+@@ -141,7 +141,7 @@ static void __devinit cell_edac_init_csr
+ csrow->nr_pages = (r.end - r.start + 1) >> PAGE_SHIFT;
+ csrow->last_page = csrow->first_page + csrow->nr_pages - 1;
+ csrow->mtype = MEM_XDR;
+- csrow->edac_mode = EDAC_FLAG_EC | EDAC_FLAG_SECDED;
++ csrow->edac_mode = EDAC_SECDED;
+ dev_dbg(mci->dev,
+ "Initialized on node %d, chanmask=0x%x,"
+ " first_page=0x%lx, nr_pages=0x%x\n",
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:45 2008
+Message-Id: <20081107232345.701114781@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:53 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 04/16] net: Fix recursive descent in __scm_destroy().
+Content-Disposition: inline; filename=net-fix-recursive-descent-in-__scm_destroy.patch
+Content-Length: 2802
+Lines: 104
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: David Miller <davem@davemloft.net>
+
+commit f8d570a4745835f2238a33b537218a1bb03fc671 and
+3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
+good enough...)
+
+__scm_destroy() walks the list of file descriptors in the scm_fp_list
+pointed to by the scm_cookie argument.
+
+Those, in turn, can close sockets and invoke __scm_destroy() again.
+
+There is nothing which limits how deeply this can occur.
+
+The idea for how to fix this is from Linus. Basically, we do all of
+the fput()s at the top level by collecting all of the scm_fp_list
+objects hit by an fput(). Inside of the initial __scm_destroy() we
+keep running the list until it is empty.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/sched.h | 4 +++-
+ include/net/scm.h | 5 +++--
+ net/core/scm.c | 24 +++++++++++++++++++++---
+ 3 files changed, 27 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1256,7 +1256,9 @@ struct task_struct {
+ atomic_t fs_excl; /* holding fs exclusive resources */
+ struct rcu_head rcu;
+
+- /*
++ struct list_head *scm_work_list;
++
++/*
+ * cache last used pipe for splice
+ */
+ struct pipe_inode_info *splice_pipe;
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -14,8 +14,9 @@
+
+ struct scm_fp_list
+ {
+- int count;
+- struct file *fp[SCM_MAX_FD];
++ struct list_head list;
++ int count;
++ struct file *fp[SCM_MAX_FD];
+ };
+
+ struct scm_cookie
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -75,6 +75,7 @@ static int scm_fp_copy(struct cmsghdr *c
+ if (!fpl)
+ return -ENOMEM;
+ *fplp = fpl;
++ INIT_LIST_HEAD(&fpl->list);
+ fpl->count = 0;
+ }
+ fpp = &fpl->fp[fpl->count];
+@@ -106,9 +107,25 @@ void __scm_destroy(struct scm_cookie *sc
+
+ if (fpl) {
+ scm->fp = NULL;
+- for (i=fpl->count-1; i>=0; i--)
+- fput(fpl->fp[i]);
+- kfree(fpl);
++ if (current->scm_work_list) {
++ list_add_tail(&fpl->list, current->scm_work_list);
++ } else {
++ LIST_HEAD(work_list);
++
++ current->scm_work_list = &work_list;
++
++ list_add(&fpl->list, &work_list);
++ while (!list_empty(&work_list)) {
++ fpl = list_first_entry(&work_list, struct scm_fp_list, list);
++
++ list_del(&fpl->list);
++ for (i=fpl->count-1; i>=0; i--)
++ fput(fpl->fp[i]);
++ kfree(fpl);
++ }
++
++ current->scm_work_list = NULL;
++ }
+ }
+ }
+
+@@ -284,6 +301,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
+
+ new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
+ if (new_fpl) {
++ INIT_LIST_HEAD(&new_fpl->list);
+ for (i=fpl->count-1; i>=0; i--)
+ get_file(fpl->fp[i]);
+ memcpy(new_fpl, fpl, sizeof(*fpl));
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:45 2008
+Message-Id: <20081107232345.851030752@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:54 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Johannes Berg <johannes@sipsolutions.net>,
+ "John W. Linville" <linville@tuxdriver.com>
+Subject: [patch 05/16] libertas: fix buffer overrun
+Content-Disposition: inline; filename=libertas-fix-buffer-overrun.patch
+Content-Length: 1204
+Lines: 31
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 upstream
+
+If somebody sends an invalid beacon/probe response, that can trash the
+whole BSS descriptor. The descriptor is, luckily, large enough so that
+it cannot scribble past the end of it; it's well above 400 bytes long.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/scan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/libertas/scan.c
++++ b/drivers/net/wireless/libertas/scan.c
+@@ -787,8 +787,8 @@ static int lbs_process_bss(struct bss_de
+
+ switch (elem->id) {
+ case MFIE_TYPE_SSID:
+- bss->ssid_len = elem->len;
+- memcpy(bss->ssid, elem->data, elem->len);
++ bss->ssid_len = min_t(int, 32, elem->len);
++ memcpy(bss->ssid, elem->data, bss->ssid_len);
+ lbs_deb_scan("got SSID IE: '%s', len %u\n",
+ escape_essid(bss->ssid, bss->ssid_len),
+ bss->ssid_len);
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:46 2008
+Message-Id: <20081107232346.014579546@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:55 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Serge Hallyn <serue@us.ibm.com>,
+ David Howells <dhowells@redhat.com>,
+ "Andrew G. Morgan" <morgan@kernel.org>
+Subject: [patch 06/16] file caps: always start with clear bprm->caps_*
+Content-Disposition: inline; filename=file-caps-always-start-with-clear-bprm-caps_.patch
+Content-Length: 1401
+Lines: 41
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Serge Hallyn <serue@us.ibm.com>
+
+commit 3318a386e4ca68c76e0294363d29bdc46fcad670 upstream
+
+While Linux doesn't honor setuid on scripts. However, it mistakenly
+behaves differently for file capabilities.
+
+This patch fixes that behavior by making sure that get_file_caps()
+begins with empty bprm->caps_*. That way when a script is loaded,
+its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(),
+but they will be cleared again when binfmt_elf calls prepare_binprm()
+next to read the interpreter's file capabilities.
+
+Signed-off-by: Serge Hallyn <serue@us.ibm.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Acked-by: Andrew G. Morgan <morgan@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/commoncap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -244,10 +244,10 @@ static int get_file_caps(struct linux_bi
+ struct vfs_cap_data vcaps;
+ struct inode *inode;
+
+- if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
+- bprm_clear_caps(bprm);
++ bprm_clear_caps(bprm);
++
++ if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
+ return 0;
+- }
+
+ dentry = dget(bprm->file->f_dentry);
+ inode = dentry->d_inode;
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:46 2008
+Message-Id: <20081107232346.173582235@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:56 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Takashi Iwai <tiwai@suse.de>,
+ Jaroslav Kysela <perex@perex.cz>,
+ Chris Wedgwood <cw@f00f.org>
+Subject: [patch 07/16] ALSA: use correct lock in snd_ctl_dev_disconnect()
+Content-Disposition: inline; filename=alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch
+Content-Length: 1255
+Lines: 36
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d8009882e9f5e1a76986c741f071edd2ad760c97 upstream
+
+The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock
+for protection of card->ctl_files entries, instead of card->controls_rwsem.
+
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Cc: Chris Wedgwood <cw@f00f.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/core/control.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1426,12 +1426,12 @@ static int snd_ctl_dev_disconnect(struct
+ cardnum = card->number;
+ snd_assert(cardnum >= 0 && cardnum < SNDRV_CARDS, return -ENXIO);
+
+- down_read(&card->controls_rwsem);
++ read_lock(&card->ctl_files_rwlock);
+ list_for_each_entry(ctl, &card->ctl_files, list) {
+ wake_up(&ctl->change_sleep);
+ kill_fasync(&ctl->fasync, SIGIO, POLL_ERR);
+ }
+- up_read(&card->controls_rwsem);
++ read_unlock(&card->ctl_files_rwlock);
+
+ if ((err = snd_unregister_device(SNDRV_DEVICE_TYPE_CONTROL,
+ card, -1)) < 0)
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:46 2008
+Message-Id: <20081107232346.332660333@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:57 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ linux-acpi@vger.kernel.org,
+ Shaohua Li <shaohua.li@intel.com>,
+ Len Brown <len.brown@intel.com>
+Subject: [patch 08/16] ACPI: dock: avoid check _STA method
+Content-Disposition: inline; filename=acpi-dock-avoid-check-_sta-method.patch
+Content-Length: 1392
+Lines: 44
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream.
+
+ACPI: dock: avoid check _STA method
+
+In some BIOSes, every _STA method call will send a notification again,
+this cause freeze. And in some BIOSes, it appears _STA should be called
+after _DCK. This tries to avoid calls _STA, and still keep the device
+present check.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=10431
+
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/dock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/dock.c
++++ b/drivers/acpi/dock.c
+@@ -599,14 +599,17 @@ static int handle_eject_request(struct d
+ static void dock_notify(acpi_handle handle, u32 event, void *data)
+ {
+ struct dock_station *ds = data;
++ struct acpi_device *tmp;
+
+ switch (event) {
+ case ACPI_NOTIFY_BUS_CHECK:
+- if (!dock_in_progress(ds) && dock_present(ds)) {
++ if (!dock_in_progress(ds) && acpi_bus_get_device(ds->handle,
++ &tmp)) {
+ begin_dock(ds);
+ dock(ds);
+ if (!dock_present(ds)) {
+ printk(KERN_ERR PREFIX "Unable to dock!\n");
++ complete_dock(ds);
+ break;
+ }
+ atomic_notifier_call_chain(&dock_notifier_list,
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:46 2008
+Message-Id: <20081107232346.492696318@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:58 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ =?ISO-8859-15?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@helsinki.fi>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 09/16] tcpv6: fix option space offsets with md5
+Content-Disposition: inline; filename=0001-tcpv6-fix-option-space-offsets-with-md5.patch
+Content-Length: 877
+Lines: 28
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+[ Upstream commit 53b125779fb0b29e5b316bf3dc7d199e6dcea567 ]
+
+More breakage :-), part of timestamps just were previously
+overwritten.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1130,7 +1130,7 @@ static void tcp_v6_send_ack(struct tcp_t
+ *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
+ (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
+ *topt++ = htonl(tcp_time_stamp);
+- *topt = htonl(ts);
++ *topt++ = htonl(ts);
+ }
+
+ #ifdef CONFIG_TCP_MD5SIG
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:46 2008
+Message-Id: <20081107232346.656755936@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:59 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 10/16] net: Fix netdev_run_todo dead-lock
+Content-Disposition: inline; filename=0002-net-Fix-netdev_run_todo-dead-lock.patch
+Content-Length: 3530
+Lines: 112
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 58ec3b4db9eb5a28e3aec5f407a54e28f7039c19 ]
+
+Benjamin Thery tracked down a bug that explains many instances
+of the error
+
+unregister_netdevice: waiting for %s to become free. Usage count = %d
+
+It turns out that netdev_run_todo can dead-lock with itself if
+a second instance of it is run in a thread that will then free
+a reference to the device waited on by the first instance.
+
+The problem is really quite silly. We were trying to create
+parallelism where none was required. As netdev_run_todo always
+follows a RTNL section, and that todo tasks can only be added
+with the RTNL held, by definition you should only need to wait
+for the very ones that you've added and be done with it.
+
+There is no need for a second mutex or spinlock.
+
+This is exactly what the following patch does.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/dev.c | 27 ++++++---------------------
+ net/core/rtnetlink.c | 2 +-
+ 2 files changed, 7 insertions(+), 22 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3593,14 +3593,11 @@ static int dev_new_index(struct net *net
+ }
+
+ /* Delayed registration/unregisteration */
+-static DEFINE_SPINLOCK(net_todo_list_lock);
+ static LIST_HEAD(net_todo_list);
+
+ static void net_set_todo(struct net_device *dev)
+ {
+- spin_lock(&net_todo_list_lock);
+ list_add_tail(&dev->todo_list, &net_todo_list);
+- spin_unlock(&net_todo_list_lock);
+ }
+
+ static void rollback_registered(struct net_device *dev)
+@@ -3909,33 +3906,24 @@ static void netdev_wait_allrefs(struct n
+ * free_netdev(y1);
+ * free_netdev(y2);
+ *
+- * We are invoked by rtnl_unlock() after it drops the semaphore.
++ * We are invoked by rtnl_unlock().
+ * This allows us to deal with problems:
+ * 1) We can delete sysfs objects which invoke hotplug
+ * without deadlocking with linkwatch via keventd.
+ * 2) Since we run with the RTNL semaphore not held, we can sleep
+ * safely in order to wait for the netdev refcnt to drop to zero.
++ *
++ * We must not return until all unregister events added during
++ * the interval the lock was held have been completed.
+ */
+-static DEFINE_MUTEX(net_todo_run_mutex);
+ void netdev_run_todo(void)
+ {
+ struct list_head list;
+
+- /* Need to guard against multiple cpu's getting out of order. */
+- mutex_lock(&net_todo_run_mutex);
+-
+- /* Not safe to do outside the semaphore. We must not return
+- * until all unregister events invoked by the local processor
+- * have been completed (either by this todo run, or one on
+- * another cpu).
+- */
+- if (list_empty(&net_todo_list))
+- goto out;
+-
+ /* Snapshot list, allow later requests */
+- spin_lock(&net_todo_list_lock);
+ list_replace_init(&net_todo_list, &list);
+- spin_unlock(&net_todo_list_lock);
++
++ __rtnl_unlock();
+
+ while (!list_empty(&list)) {
+ struct net_device *dev
+@@ -3965,9 +3953,6 @@ void netdev_run_todo(void)
+ /* Free network device */
+ kobject_put(&dev->dev.kobj);
+ }
+-
+-out:
+- mutex_unlock(&net_todo_run_mutex);
+ }
+
+ static struct net_device_stats *internal_stats(struct net_device *dev)
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -73,7 +73,7 @@ void __rtnl_unlock(void)
+
+ void rtnl_unlock(void)
+ {
+- mutex_unlock(&rtnl_mutex);
++ /* This fellow will unlock it for us. */
+ netdev_run_todo();
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:46 2008
+Message-Id: <20081107232346.816789042@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:19:00 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Andrea Shepard <andrea@persephoneslair.org>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 11/16] sparc64: Fix race in arch/sparc64/kernel/trampoline.S
+Content-Disposition: inline; filename=0001-sparc64-Fix-race-in-arch-sparc64-kernel-trampoline.patch
+Content-Length: 1908
+Lines: 70
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Andrea Shepard <andrea@persephoneslair.org>
+
+[ Upstream commit e0037df3852b4b60edbe01f70f4968e4a9fdb272 ]
+
+Make arch/sparc64/kernel/trampoline.S in 2.6.27.1 lock prom_entry_lock
+when calling the PROM. This prevents a race condition that I observed
+causing a hang on startup on a 12-CPU E4500.
+
+I am not subscribed to this list, so please CC me on replies.
+
+Signed-off-by: Andrea Shepard <andrea@persephoneslair.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/trampoline.S | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/arch/sparc64/kernel/trampoline.S
++++ b/arch/sparc64/kernel/trampoline.S
+@@ -328,6 +328,12 @@ after_lock_tlb:
+
+ wrpr %g0, 0, %wstate
+
++ sethi %hi(prom_entry_lock), %g2
++1: ldstub [%g2 + %lo(prom_entry_lock)], %g1
++ membar #StoreLoad | #StoreStore
++ brnz,pn %g1, 1b
++ nop
++
+ /* As a hack, put &init_thread_union into %g6.
+ * prom_world() loads from here to restore the %asi
+ * register.
+@@ -337,7 +343,7 @@ after_lock_tlb:
+
+ sethi %hi(is_sun4v), %o0
+ lduw [%o0 + %lo(is_sun4v)], %o0
+- brz,pt %o0, 1f
++ brz,pt %o0, 2f
+ nop
+
+ TRAP_LOAD_TRAP_BLOCK(%g2, %g3)
+@@ -369,10 +375,10 @@ after_lock_tlb:
+ call %o1
+ add %sp, (2047 + 128), %o0
+
+- ba,pt %xcc, 2f
++ ba,pt %xcc, 3f
+ nop
+
+-1: sethi %hi(sparc64_ttable_tl0), %o0
++2: sethi %hi(sparc64_ttable_tl0), %o0
+ set prom_set_trap_table_name, %g2
+ stx %g2, [%sp + 2047 + 128 + 0x00]
+ mov 1, %g2
+@@ -386,7 +392,11 @@ after_lock_tlb:
+ call %o1
+ add %sp, (2047 + 128), %o0
+
+-2: ldx [%l0], %g6
++3: sethi %hi(prom_entry_lock), %g2
++ stb %g0, [%g2 + %lo(prom_entry_lock)]
++ membar #StoreStore | #StoreLoad
++
++ ldx [%l0], %g6
+ ldx [%g6 + TI_TASK], %g4
+
+ mov 1, %g5
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:47 2008
+Message-Id: <20081107232347.023714786@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:19:01 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 12/16] math-emu: Fix signalling of underflow and inexact while packing result.
+Content-Disposition: inline; filename=0002-math-emu-Fix-signalling-of-underflow-and-inexact-wh.patch
+Content-Length: 3677
+Lines: 116
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Kumar Gala <galak@kernel.crashing.org>
+
+[ Upstream commit 930cc144a043ff95e56b6888fa51c618b33f89e7 ]
+
+I'm trying to move the powerpc math-emu code to use the include/math-emu bits.
+
+In doing so I've been using TestFloat to see how good or bad we are
+doing. For the most part the current math-emu code that PPC uses has
+a number of issues that the code in include/math-emu seems to solve
+(plus bugs we've had for ever that no one every realized).
+
+Anyways, I've come across a case that we are flagging underflow and
+inexact because we think we have a denormalized result from a double
+precision divide:
+
+000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE
+ soft: 001.0000000000000 ..... syst: 001.0000000000000 ...ux
+
+What it looks like is the results out of FP_DIV_D are:
+
+D:
+sign: 0
+mantissa: 01000000 00000000
+exp: -1023 (0)
+
+The problem seems like we aren't normalizing the result and bumping the exp.
+
+Now that I'm digging into this a bit I'm thinking my issue has to do with
+the fix DaveM put in place from back in Aug 2007 (commit
+405849610fd96b4f34cd1875c4c033228fea6c0f):
+
+[MATH-EMU]: Fix underflow exception reporting.
+
+ 2) we ended up rounding back up to normal (this is the case where
+ we set the exponent to 1 and set the fraction to zero), this
+ should set inexact too
+...
+
+ Another example, "0x0.0000000000001p-1022 / 16.0", should signal both
+ inexact and underflow. The cpu implementations and ieee1754
+ literature is very clear about this. This is case #2 above.
+
+Here is the distilled glibc test case from Jakub Jelinek which prompted that
+commit:
+
+--------------------
+#include <float.h>
+#include <fenv.h>
+#include <stdio.h>
+
+volatile double d = DBL_MIN;
+volatile double e = 0x0.0000000000001p-1022;
+volatile double f = 16.0;
+int
+main (void)
+{
+ printf ("%x\n", fetestexcept (FE_UNDERFLOW));
+ d /= f;
+ printf ("%x\n", fetestexcept (FE_UNDERFLOW));
+ e /= f;
+ printf ("%x\n", fetestexcept (FE_UNDERFLOW));
+ return 0;
+}
+--------------------
+
+It looks like the case I have we are exact before rounding, but think it
+looks like the rounding case since it appears as if "overflow is set".
+
+000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE = 001.0000000000000
+
+I think the following adds the check for my case and still works for the
+issue your commit was trying to resolve.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/math-emu/op-common.h | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/include/math-emu/op-common.h
++++ b/include/math-emu/op-common.h
+@@ -139,18 +139,27 @@ do { \
+ if (X##_e <= _FP_WFRACBITS_##fs) \
+ { \
+ _FP_FRAC_SRS_##wc(X, X##_e, _FP_WFRACBITS_##fs); \
+- _FP_ROUND(wc, X); \
+ if (_FP_FRAC_HIGH_##fs(X) \
+ & (_FP_OVERFLOW_##fs >> 1)) \
+ { \
+ X##_e = 1; \
+ _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
+- FP_SET_EXCEPTION(FP_EX_INEXACT); \
+ } \
+ else \
+ { \
+- X##_e = 0; \
+- _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
++ _FP_ROUND(wc, X); \
++ if (_FP_FRAC_HIGH_##fs(X) \
++ & (_FP_OVERFLOW_##fs >> 1)) \
++ { \
++ X##_e = 1; \
++ _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
++ FP_SET_EXCEPTION(FP_EX_INEXACT); \
++ } \
++ else \
++ { \
++ X##_e = 0; \
++ _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
++ } \
+ } \
+ if ((FP_CUR_EXCEPTIONS & FP_EX_INEXACT) || \
+ (FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)) \
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:47 2008
+Message-Id: <20081107232347.126808973@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:19:02 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Julia Jomantaite <julia.jomantaite@gmail.com>,
+ linux-acpi@vger.kernel.org,
+ Arjan van de Ven <arjan@infradead.org>,
+ Andi Kleen <ak@linux.intel.com>,
+ Zhang Rui <rui.zhang@intel.com>,
+ Len Brown <len.brown@intel.com>
+Subject: [patch 13/16] ACPI: video: fix brightness allocation
+Content-Disposition: inline; filename=acpi-video-fix-brightness-allocation.patch
+Content-Length: 4768
+Lines: 178
+
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Julia Jomantaite <julia.jomantaite@gmail.com>
+
+Thanks to Arjan for spotting this for .stable:
+http://www.kerneloops.org/search.php?search=acpi_video_switch_brightness
+
+upstream commit 469778c1740fcf3113498b6fdf4559bdec25c58f
+
+ACPI: video: fix brightness allocation
+
+Fix use of uninitialized device->brightness.
+
+Signed-off-by: Julia Jomantaite <julia.jomantaite@gmail.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/video.c | 123 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 73 insertions(+), 50 deletions(-)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -624,6 +624,76 @@ acpi_video_bus_DOS(struct acpi_video_bus
+ * device : video output device (LCD, CRT, ..)
+ *
+ * Return Value:
++ * Maximum brightness level
++ *
++ * Allocate and initialize device->brightness.
++ */
++
++static int
++acpi_video_init_brightness(struct acpi_video_device *device)
++{
++ union acpi_object *obj = NULL;
++ int i, max_level = 0, count = 0;
++ union acpi_object *o;
++ struct acpi_video_device_brightness *br = NULL;
++
++ if (!ACPI_SUCCESS(acpi_video_device_lcd_query_levels(device, &obj))) {
++ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Could not query available "
++ "LCD brightness level\n"));
++ goto out;
++ }
++
++ if (obj->package.count < 2)
++ goto out;
++
++ br = kzalloc(sizeof(*br), GFP_KERNEL);
++ if (!br) {
++ printk(KERN_ERR "can't allocate memory\n");
++ goto out;
++ }
++
++ br->levels = kmalloc(obj->package.count * sizeof *(br->levels),
++ GFP_KERNEL);
++ if (!br->levels)
++ goto out_free;
++
++ for (i = 0; i < obj->package.count; i++) {
++ o = (union acpi_object *)&obj->package.elements[i];
++ if (o->type != ACPI_TYPE_INTEGER) {
++ printk(KERN_ERR PREFIX "Invalid data\n");
++ continue;
++ }
++ br->levels[count] = (u32) o->integer.value;
++
++ if (br->levels[count] > max_level)
++ max_level = br->levels[count];
++ count++;
++ }
++
++ if (count < 2)
++ goto out_free_levels;
++
++ br->count = count;
++ device->brightness = br;
++ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "found %d brightness levels\n", count));
++ kfree(obj);
++ return max_level;
++
++out_free_levels:
++ kfree(br->levels);
++out_free:
++ kfree(br);
++out:
++ device->brightness = NULL;
++ kfree(obj);
++ return 0;
++}
++
++/*
++ * Arg:
++ * device : video output device (LCD, CRT, ..)
++ *
++ * Return Value:
+ * None
+ *
+ * Find out all required AML methods defined under the output
+@@ -633,10 +703,7 @@ acpi_video_bus_DOS(struct acpi_video_bus
+ static void acpi_video_device_find_cap(struct acpi_video_device *device)
+ {
+ acpi_handle h_dummy1;
+- int i;
+ u32 max_level = 0;
+- union acpi_object *obj = NULL;
+- struct acpi_video_device_brightness *br = NULL;
+
+
+ memset(&device->cap, 0, sizeof(device->cap));
+@@ -665,53 +732,7 @@ static void acpi_video_device_find_cap(s
+ device->cap._DSS = 1;
+ }
+
+- if (ACPI_SUCCESS(acpi_video_device_lcd_query_levels(device, &obj))) {
+-
+- if (obj->package.count >= 2) {
+- int count = 0;
+- union acpi_object *o;
+-
+- br = kzalloc(sizeof(*br), GFP_KERNEL);
+- if (!br) {
+- printk(KERN_ERR "can't allocate memory\n");
+- } else {
+- br->levels = kmalloc(obj->package.count *
+- sizeof *(br->levels), GFP_KERNEL);
+- if (!br->levels)
+- goto out;
+-
+- for (i = 0; i < obj->package.count; i++) {
+- o = (union acpi_object *)&obj->package.
+- elements[i];
+- if (o->type != ACPI_TYPE_INTEGER) {
+- printk(KERN_ERR PREFIX "Invalid data\n");
+- continue;
+- }
+- br->levels[count] = (u32) o->integer.value;
+-
+- if (br->levels[count] > max_level)
+- max_level = br->levels[count];
+- count++;
+- }
+- out:
+- if (count < 2) {
+- kfree(br->levels);
+- kfree(br);
+- } else {
+- br->count = count;
+- device->brightness = br;
+- ACPI_DEBUG_PRINT((ACPI_DB_INFO,
+- "found %d brightness levels\n",
+- count));
+- }
+- }
+- }
+-
+- } else {
+- ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Could not query available LCD brightness level\n"));
+- }
+-
+- kfree(obj);
++ max_level = acpi_video_init_brightness(device);
+
+ if (device->cap._BCL && device->cap._BCM && device->cap._BQC && max_level > 0){
+ int result;
+@@ -1710,6 +1731,8 @@ static void
+ acpi_video_switch_brightness(struct acpi_video_device *device, int event)
+ {
+ unsigned long level_current, level_next;
++ if (!device->brightness)
++ return;
+ acpi_video_device_lcd_get_level_current(device, &level_current);
+ level_next = acpi_video_get_next_level(device, level_current, event);
+ acpi_video_device_lcd_set_level(device, level_next);
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:47 2008
+Message-Id: <20081107232347.327229126@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:19:03 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ netfilter-devel@vger.kernel.org,
+ Patrick McHardy <kaber@trash.net>,
+ davem@davemloft.net,
+ Alexey Dobriyan <adobriyan@gmail.com>,
+ Jan Engelhardt <jengelh@medozas.de>
+Subject: [patch 14/16] netfilter: xt_iprange: fix range inversion match
+Content-Disposition: inline; filename=netfilter-xt_iprange-fix-range-inversion-match.patch
+Content-Length: 2073
+Lines: 57
+
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+netfilter: xt_iprange: fix range inversion match
+
+Upstream commit 6def1eb48:
+
+Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Acked-by: Jan Engelhardt <jengelh@medozas.de>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/xt_iprange.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/xt_iprange.c
++++ b/net/netfilter/xt_iprange.c
+@@ -67,7 +67,7 @@ iprange_mt4(const struct sk_buff *skb, c
+ if (info->flags & IPRANGE_SRC) {
+ m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
+ m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
+- m ^= info->flags & IPRANGE_SRC_INV;
++ m ^= !!(info->flags & IPRANGE_SRC_INV);
+ if (m) {
+ pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+@@ -81,7 +81,7 @@ iprange_mt4(const struct sk_buff *skb, c
+ if (info->flags & IPRANGE_DST) {
+ m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
+ m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
+- m ^= info->flags & IPRANGE_DST_INV;
++ m ^= !!(info->flags & IPRANGE_DST_INV);
+ if (m) {
+ pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+@@ -123,14 +123,14 @@ iprange_mt6(const struct sk_buff *skb, c
+ if (info->flags & IPRANGE_SRC) {
+ m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
+- m ^= info->flags & IPRANGE_SRC_INV;
++ m ^= !!(info->flags & IPRANGE_SRC_INV);
+ if (m)
+ return false;
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
+- m ^= info->flags & IPRANGE_DST_INV;
++ m ^= !!(info->flags & IPRANGE_DST_INV);
+ if (m)
+ return false;
+ }
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:47 2008
+Message-Id: <20081107232347.498275659@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:19:04 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ netfilter-devel@vger.kernel.org,
+ Patrick McHardy <kaber@trash.net>,
+ davem@davemloft.net,
+ Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi>
+Subject: [patch 15/16] netfilter: snmp nat leaks memory in case of failure
+Content-Disposition: inline; filename=netfilter-snmp-nat-leaks-memory-in-case-of-failure.patch
+Content-Length: 785
+Lines: 25
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+netfilter: snmp nat leaks memory in case of failure
+
+Upstream commit 311670f3e:
+
+Signed-off-by: Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -742,6 +742,7 @@ static unsigned char snmp_object_decode(
+ *obj = kmalloc(sizeof(struct snmp_object) + len,
+ GFP_ATOMIC);
+ if (*obj == NULL) {
++ kfree(p);
+ kfree(id);
+ if (net_ratelimit())
+ printk("OOM in bsalg (%d)\n", __LINE__);
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:47 2008
+Message-Id: <20081107232347.649132131@mini.kroah.org>
+References: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:19:05 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ netfilter-devel@vger.kernel.org,
+ Patrick McHardy <kaber@trash.net>,
+ davem@davemloft.net
+Subject: [patch 16/16] netfilter: restore lost ifdef guarding defrag exception
+Content-Disposition: inline; filename=netfilter-restore-lost-ifdef-guarding-defrag-exception.patch
+Content-Length: 1518
+Lines: 42
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: restore lost #ifdef guarding defrag exception
+
+Upstream commit 38f7ac3eb:
+
+Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
+fragments over loopback with NAT:
+
+[ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()
+
+The reason is that defragmentation is skipped for already tracked connections.
+This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
+to avoid this behaviour when NAT is compiled in.
+
+The entire "optimization" may seem a bit silly, for now simply restoring the
+lost #ifdef is the easiest solution until we can come up with something better.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -138,10 +138,12 @@ static unsigned int ipv4_conntrack_defra
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
+ /* Previously seen (loopback)? Ignore. Do this before
+ fragment check. */
+ if (skb->nfct)
+ return NF_ACCEPT;
++#endif
+
+ /* Gather fragments. */
+ if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
+
+--
+
+From gregkh@mini.kroah.org Fri Nov 7 15:23:45 2008
+Message-Id: <20081107231848.995297975@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Fri, 07 Nov 2008 15:18:49 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/16] 2.6.25.20-stable review
+Content-Length: 2251
+Lines: 48
+
+This is the start of the stable review cycle for the 2.6.25.20 release.
+There are 16 patches in this series, all will be posted as a response to
+this one. If anyone has any issues with these being applied, please let
+us know. If anyone is a maintainer of the proper subsystem, and wants
+to add a Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the
+Cc: line. If you wish to be a reviewer, please email stable@kernel.org
+to add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Monday, November 10, 20:00:00 UTC. Anything
+received after that time might be too late.
+
+The whole patch series can be found in one patch at:
+ kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.20-rc1.gz
+and the diffstat can be found below.
+
+
+thanks,
+
+greg k-h
+
+-----------------
+
+ Makefile | 2
+ arch/sparc64/kernel/trampoline.S | 18 ++-
+ drivers/acpi/dock.c | 5 -
+ drivers/acpi/video.c | 123 ++++++++++++++-----------
+ drivers/edac/cell_edac.c | 2
+ drivers/gpio/gpiolib.c | 2
+ drivers/net/wireless/libertas/scan.c | 4
+ fs/ext2/dir.c | 60 +++++++-----
+ fs/ext3/dir.c | 10 +-
+ fs/ext4/dir.c | 11 +-
+ include/linux/sched.h | 4
+ include/math-emu/op-common.h | 17 ++-
+ include/net/scm.h | 5 -
+ net/core/dev.c | 27 +----
+ net/core/rtnetlink.c | 2
+ net/core/scm.c | 24 ++++
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 1
+ net/ipv6/tcp_ipv6.c | 2
+ net/netfilter/xt_iprange.c | 8 -
+ security/commoncap.c | 6 -
+ sound/core/control.c | 4
+ 22 files changed, 206 insertions(+), 133 deletions(-)
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
