--- /dev/null
+From stable-bounces@linux.kernel.org Sun Oct 28 10:15:04 2007
+From: Roland Dreier <rdreier@cisco.com>
+Date: Sun, 28 Oct 2007 10:14:32 -0700
+Subject: IB/uverbs: Fix checking of userspace object ownership
+To: stable@kernel.org
+Message-ID: <ada7il7xitj.fsf@cisco.com>
+
+From: Roland Dreier <rolandd@cisco.com>
+
+Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704
+
+Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
+rewrote how userspace objects are looked up in the uverbs module's
+idrs, and introduced a severe bug in the process: there is no checking
+that an operation is being performed by the right process any more.
+Fix this by adding the missing check of uobj->context in __idr_get_uobj().
+
+Apparently everyone is being very careful to only touch their own
+objects, because this bug was introduced in June 2006 in 2.6.18, and
+has gone undetected until now.
+
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -147,8 +147,12 @@ static struct ib_uobject *__idr_get_uobj
+
+ spin_lock(&ib_uverbs_idr_lock);
+ uobj = idr_find(idr, id);
+- if (uobj)
+- kref_get(&uobj->ref);
++ if (uobj) {
++ if (uobj->context == context)
++ kref_get(&uobj->ref);
++ else
++ uobj = NULL;
++ }
+ spin_unlock(&ib_uverbs_idr_lock);
+
+ return uobj;
--- /dev/null
+From f44ec6f3f89889a469773b1fd894f8fcc07c29cf Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Tue, 16 Oct 2007 23:27:15 -0700
+Subject: minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
+Message-ID: <47276102.30608@redhat.com>
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+patch f44ec6f3f89889a469773b1fd894f8fcc07c29cf upstream.
+
+This attempts to address CVE-2006-6058
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+
+first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+
+Essentially a corrupted minix dir inode reporting a very large
+i_size will loop for a very long time in minix_readdir, minix_find_entry,
+etc, because on EIO they just move on to try the next page. This is
+under the BKL, printk-storming as well. This can lock up the machine
+for a very long time. Simply ratelimiting the printks gets things back
+under control. Make the message a bit more informative while we're here.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: Bodo Eggert <7eggert@gmx.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/minix/itree_v1.c | 9 +++++++--
+ fs/minix/itree_v2.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/fs/minix/itree_v1.c
++++ b/fs/minix/itree_v1.c
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ int n = 0;
++ char b[BDEVNAME_SIZE];
+
+ if (block < 0) {
+- printk("minix_bmap: block<0\n");
++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++ block, bdevname(inode->i_sb->s_bdev, b));
+ } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+- printk("minix_bmap: block>big\n");
++ if (printk_ratelimit())
++ printk("MINIX-fs: block_to_path: "
++ "block %ld too big on dev %s\n",
++ block, bdevname(inode->i_sb->s_bdev, b));
+ } else if (block < 7) {
+ offsets[n++] = block;
+ } else if ((block -= 7) < 512) {
+--- a/fs/minix/itree_v2.c
++++ b/fs/minix/itree_v2.c
+@@ -23,12 +23,17 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ int n = 0;
++ char b[BDEVNAME_SIZE];
+ struct super_block *sb = inode->i_sb;
+
+ if (block < 0) {
+- printk("minix_bmap: block<0\n");
++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++ block, bdevname(sb->s_bdev, b));
+ } else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {
+- printk("minix_bmap: block>big\n");
++ if (printk_ratelimit())
++ printk("MINIX-fs: block_to_path: "
++ "block %ld too big on dev %s\n",
++ block, bdevname(sb->s_bdev, b));
+ } else if (block < 7) {
+ offsets[n++] = block;
+ } else if ((block -= 7) < 256) {
--- /dev/null
+From faf8c714f4508207a9c81cc94dafc76ed6680b44 Mon Sep 17 00:00:00 2001
+From: Dave Young <hidave.darkstar@gmail.com>
+Date: Thu, 18 Oct 2007 03:05:07 -0700
+Subject: param_sysfs_builtin memchr argument fix
+Message-ID: <4720EBA6.60803@redhat.com>
+
+From: Dave Young <hidave.darkstar@gmail.com>
+
+patch faf8c714f4508207a9c81cc94dafc76ed6680b44 in mainline.
+
+If memchr argument is longer than strlen(kp->name), there will be some
+weird result.
+
+It will casuse duplicate filenames in sysfs for the "nousb". kernel
+warning messages are as bellow:
+
+sysfs: duplicate filename 'usbcore' can not be created
+WARNING: at fs/sysfs/dir.c:416 sysfs_add_one()
+ [<c01c4750>] sysfs_add_one+0xa0/0xe0
+ [<c01c4ab8>] create_dir+0x48/0xb0
+ [<c01c4b69>] sysfs_create_dir+0x29/0x50
+ [<c024e0fb>] create_dir+0x1b/0x50
+ [<c024e3b6>] kobject_add+0x46/0x150
+ [<c024e2da>] kobject_init+0x3a/0x80
+ [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
+ [<c053b9ce>] param_sysfs_builtin+0xee/0x130
+ [<c053ba33>] param_sysfs_init+0x23/0x60
+ [<c024d062>] __next_cpu+0x12/0x20
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052a856>] do_initcalls+0x46/0x1e0
+ [<c01bdb12>] create_proc_entry+0x52/0x90
+ [<c0158d4c>] register_irq_proc+0x9c/0xc0
+ [<c01bda94>] proc_mkdir_mode+0x34/0x50
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa92>] kernel_init+0x62/0xb0
+ [<c0104f83>] kernel_thread_helper+0x7/0x14
+ =======================
+kobject_add failed for usbcore with -EEXIST, don't try to register things with the same name in the same directory.
+ [<c024e466>] kobject_add+0xf6/0x150
+ [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
+ [<c053b9ce>] param_sysfs_builtin+0xee/0x130
+ [<c053ba33>] param_sysfs_init+0x23/0x60
+ [<c024d062>] __next_cpu+0x12/0x20
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052a856>] do_initcalls+0x46/0x1e0
+ [<c01bdb12>] create_proc_entry+0x52/0x90
+ [<c0158d4c>] register_irq_proc+0x9c/0xc0
+ [<c01bda94>] proc_mkdir_mode+0x34/0x50
+ [<c052aa30>] kernel_init+0x0/0xb0
+ [<c052aa92>] kernel_init+0x62/0xb0
+ [<c0104f83>] kernel_thread_helper+0x7/0x14
+ =======================
+Module 'usbcore' failed to be added to sysfs, error number -17
+The system will be unstable now.
+
+Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/params.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -595,11 +595,17 @@ static void __init param_sysfs_builtin(v
+
+ for (i=0; i < __stop___param - __start___param; i++) {
+ char *dot;
++ size_t kplen;
+
+ kp = &__start___param[i];
++ kplen = strlen(kp->name);
+
+ /* We do not handle args without periods. */
+- dot = memchr(kp->name, '.', MAX_KBUILD_MODNAME);
++ if (kplen > MAX_KBUILD_MODNAME) {
++ DEBUGP("kernel parameter name is too long: %s\n", kp->name);
++ continue;
++ }
++ dot = memchr(kp->name, '.', kplen);
+ if (!dot) {
+ DEBUGP("couldn't find period in %s\n", kp->name);
+ continue;
add-get_unaligned-to-ieee80211_get_radiotap_len.patch
mac80211-improve-sanity-checks-on-injected-packets.patch
remove-broken-ptrace-special-case-code-from-file-mapping.patch
+x86-fix-global_flush_tlb-bug.patch
+param_sysfs_builtin-memchr-argument-fix.patch
+minixfs-limit-minixfs-printks-on-corrupted-dir-i_size.patch
+ib-uverbs-fix-checking-of-userspace-object-ownership.patch
--- /dev/null
+From 9a24d04a3c26c223f22493492c5c9085b8773d4a Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@elte.hu>
+Date: Fri, 19 Oct 2007 12:19:26 +0200
+Subject: [PATCH] x86: fix global_flush_tlb() bug
+
+From: Ingo Molnar <mingo@elte.hu>
+
+patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream
+
+While we were reviewing pageattr_32/64.c for unification,
+Thomas Gleixner noticed the following serious SMP bug in
+global_flush_tlb():
+
+ down_read(&init_mm.mmap_sem);
+ list_replace_init(&deferred_pages, &l);
+ up_read(&init_mm.mmap_sem);
+
+this is SMP-unsafe because list_replace_init() done on two CPUs in
+parallel can corrupt the list.
+
+This bug has been introduced about a year ago in the 64-bit tree:
+
+ commit ea7322decb974a4a3e804f96a0201e893ff88ce3
+ Author: Andi Kleen <ak@suse.de>
+ Date: Thu Dec 7 02:14:05 2006 +0100
+
+ [PATCH] x86-64: Speed and clean up cache flushing in change_page_attr
+
+ down_read(&init_mm.mmap_sem);
+ - dpage = xchg(&deferred_pages, NULL);
+ + list_replace_init(&deferred_pages, &l);
+ up_read(&init_mm.mmap_sem);
+
+the xchg() based version was SMP-safe, but list_replace_init() is not.
+So this "cleanup" introduced a nasty bug.
+
+why this bug never become prominent is a mystery - it can probably be
+explained with the (still) relative obscurity of the x86_64 architecture.
+
+the safe fix for now is to write-lock init_mm.mmap_sem.
+
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andi Kleen <ak@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86_64/mm/pageattr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86_64/mm/pageattr.c
++++ b/arch/x86_64/mm/pageattr.c
+@@ -229,9 +229,14 @@ void global_flush_tlb(void)
+ struct page *pg, *next;
+ struct list_head l;
+
+- down_read(&init_mm.mmap_sem);
++ /*
++ * Write-protect the semaphore, to exclude two contexts
++ * doing a list_replace_init() call in parallel and to
++ * exclude new additions to the deferred_pages list:
++ */
++ down_write(&init_mm.mmap_sem);
+ list_replace_init(&deferred_pages, &l);
+- up_read(&init_mm.mmap_sem);
++ up_write(&init_mm.mmap_sem);
+
+ flush_map(&l);
+