--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 16:59:51 2006
+Date: Wed, 19 Apr 2006 23:59:40 GMT
+Message-Id: <200604192359.k3JNxeXu016029@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] Add more prevent_tail_call()
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+[PATCH] Add more prevent_tail_call()
+
+Those also break userland regs like following.
+
+ 00000000 <sys_chown16>:
+ 0: 0f b7 44 24 0c movzwl 0xc(%esp),%eax
+ 5: 83 ca ff or $0xffffffff,%edx
+ 8: 0f b7 4c 24 08 movzwl 0x8(%esp),%ecx
+ d: 66 83 f8 ff cmp $0xffffffff,%ax
+ 11: 0f 44 c2 cmove %edx,%eax
+ 14: 66 83 f9 ff cmp $0xffffffff,%cx
+ 18: 0f 45 d1 cmovne %ecx,%edx
+ 1b: 89 44 24 0c mov %eax,0xc(%esp)
+ 1f: 89 54 24 08 mov %edx,0x8(%esp)
+ 23: e9 fc ff ff ff jmp 24 <sys_chown16+0x24>
+
+where the tailcall at the end overwrites the incoming stack-frame.
+
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/uid16.c | 59 ++++++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 46 insertions(+), 13 deletions(-)
+
+--- linux-2.6.16.9.orig/kernel/uid16.c
++++ linux-2.6.16.9/kernel/uid16.c
+@@ -20,43 +20,67 @@
+
+ asmlinkage long sys_chown16(const char __user * filename, old_uid_t user, old_gid_t group)
+ {
+- return sys_chown(filename, low2highuid(user), low2highgid(group));
++ long ret = sys_chown(filename, low2highuid(user), low2highgid(group));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_lchown16(const char __user * filename, old_uid_t user, old_gid_t group)
+ {
+- return sys_lchown(filename, low2highuid(user), low2highgid(group));
++ long ret = sys_lchown(filename, low2highuid(user), low2highgid(group));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
+ {
+- return sys_fchown(fd, low2highuid(user), low2highgid(group));
++ long ret = sys_fchown(fd, low2highuid(user), low2highgid(group));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid)
+ {
+- return sys_setregid(low2highgid(rgid), low2highgid(egid));
++ long ret = sys_setregid(low2highgid(rgid), low2highgid(egid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_setgid16(old_gid_t gid)
+ {
+- return sys_setgid(low2highgid(gid));
++ long ret = sys_setgid(low2highgid(gid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
+ {
+- return sys_setreuid(low2highuid(ruid), low2highuid(euid));
++ long ret = sys_setreuid(low2highuid(ruid), low2highuid(euid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_setuid16(old_uid_t uid)
+ {
+- return sys_setuid(low2highuid(uid));
++ long ret = sys_setuid(low2highuid(uid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
+ {
+- return sys_setresuid(low2highuid(ruid), low2highuid(euid),
+- low2highuid(suid));
++ long ret = sys_setresuid(low2highuid(ruid), low2highuid(euid),
++ low2highuid(suid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, old_uid_t __user *suid)
+@@ -72,8 +96,11 @@ asmlinkage long sys_getresuid16(old_uid_
+
+ asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid)
+ {
+- return sys_setresgid(low2highgid(rgid), low2highgid(egid),
+- low2highgid(sgid));
++ long ret = sys_setresgid(low2highgid(rgid), low2highgid(egid),
++ low2highgid(sgid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, old_gid_t __user *sgid)
+@@ -89,12 +116,18 @@ asmlinkage long sys_getresgid16(old_gid_
+
+ asmlinkage long sys_setfsuid16(old_uid_t uid)
+ {
+- return sys_setfsuid(low2highuid(uid));
++ long ret = sys_setfsuid(low2highuid(uid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ asmlinkage long sys_setfsgid16(old_gid_t gid)
+ {
+- return sys_setfsgid(low2highgid(gid));
++ long ret = sys_setfsgid(low2highgid(gid));
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ static int groups16_to_user(old_gid_t __user *grouplist,
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:59 2006
+Date: Wed, 19 Apr 2006 17:01:17 GMT
+Message-Id: <200604191701.k3JH1Ham026619@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] alim15x3: ULI M-1573 south Bridge support
+
+From: KAI.HSU <windsboy@gmail.com>
+
+[PATCH] alim15x3: ULI M-1573 south Bridge support
+
+>From http://bugzilla.kernel.org/show_bug.cgi?id=6358
+
+The alim15x3.c havn't been update for 3 years. Recently when we use this
+"ULI M1573" south bridge chip found that can't mount CDROM(VCD) smoothly,
+must waiting for a long time. After I check the "ULI M1573" south bridge
+datasheet, I found the reason. The reason is the "ULI M1573" version in
+the Linux is "0xC7" not "0xC4" anymore So I was modified the source than it
+was successed.
+
+Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
+Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ide/pci/alim15x3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.16.9.orig/drivers/ide/pci/alim15x3.c
++++ linux-2.6.16.9/drivers/ide/pci/alim15x3.c
+@@ -731,6 +731,8 @@ static unsigned int __devinit ata66_ali1
+
+ if(m5229_revision <= 0x20)
+ tmpbyte = (tmpbyte & (~0x02)) | 0x01;
++ else if (m5229_revision == 0xc7)
++ tmpbyte |= 0x03;
+ else
+ tmpbyte |= 0x01;
+
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:11:06 2006
+Date: Wed, 19 Apr 2006 17:00:54 GMT
+Message-Id: <200604191700.k3JH0seF026271@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] apm: fix Armada laptops again
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+[PATCH] apm: fix Armada laptops again
+
+Fix the "apm: set display: Interface not engaged" error on Armada laptops
+again.
+
+Jordan said:
+
+ I think this is fine. It seems to me that this may be the fault of one or
+ both of the APM solutions handling this situation in a non-standard way, but
+ since APM is used very little on the Geode, and I have direct access to our
+ BIOS folks, if this problem comes up with a customer again, we'll solve it
+ from the firmware.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Cc: "Jordan Crouse" <jordan.crouse@amd.com>
+Cc: Zachary Amsden <zach@vmware.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/apm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.9.orig/arch/i386/kernel/apm.c
++++ linux-2.6.16.9/arch/i386/kernel/apm.c
+@@ -1081,7 +1081,7 @@ static int apm_console_blank(int blank)
+ break;
+ }
+
+- if (error == APM_NOT_ENGAGED && state != APM_STATE_READY) {
++ if (error == APM_NOT_ENGAGED) {
+ static int tried;
+ int eng_error;
+ if (tried++ == 0) {
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:59 2006
+Date: Wed, 19 Apr 2006 17:01:21 GMT
+Message-Id: <200604191701.k3JH1LWO026687@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] fbdev: Fix return error of fb_write
+
+From: Antonino A. Daplas <adaplas@gmail.com>
+
+[PATCH] fbdev: Fix return error of fb_write
+
+Fix return code of fb_write():
+
+If at least 1 byte was transferred to the device, return number of bytes,
+otherwise:
+
+ - return -EFBIG - if file offset is past the maximum allowable offset or
+ size is greater than framebuffer length
+ - return -ENOSPC - if size is greater than framebuffer length - offset
+
+Signed-off-by: Antonino Daplas <adaplas@pol.net>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/fbmem.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- linux-2.6.16.9.orig/drivers/video/fbmem.c
++++ linux-2.6.16.9/drivers/video/fbmem.c
+@@ -669,13 +669,19 @@ fb_write(struct file *file, const char _
+ total_size = info->fix.smem_len;
+
+ if (p > total_size)
+- return 0;
++ return -EFBIG;
+
+- if (count >= total_size)
++ if (count > total_size) {
++ err = -EFBIG;
+ count = total_size;
++ }
++
++ if (count + p > total_size) {
++ if (!err)
++ err = -ENOSPC;
+
+- if (count + p > total_size)
+ count = total_size - p;
++ }
+
+ buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count,
+ GFP_KERNEL);
+@@ -717,7 +723,7 @@ fb_write(struct file *file, const char _
+
+ kfree(buffer);
+
+- return (err) ? err : cnt;
++ return (cnt) ? cnt : err;
+ }
+
+ #ifdef CONFIG_KMOD
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:59 2006
+Date: Wed, 19 Apr 2006 17:00:12 GMT
+Message-Id: <200604191700.k3JH0C9P025871@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] Fix file lookup without ref
+
+From: Dipankar Sarma <dipankar@in.ibm.com>
+
+[PATCH] Fix file lookup without ref
+
+There are places in the kernel where we look up files in fd tables and
+access the file structure without holding refereces to the file. So, we
+need special care to avoid the race between looking up files in the fd
+table and tearing down of the file in another CPU. Otherwise, one might
+see a NULL f_dentry or such torn down version of the file. This patch
+fixes those special places where such a race may happen.
+
+Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com>
+Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/tty_io.c | 8 ++++++--
+ fs/locks.c | 9 +++++++--
+ fs/proc/base.c | 21 +++++++++++++++------
+ 3 files changed, 28 insertions(+), 10 deletions(-)
+
+--- linux-2.6.16.9.orig/drivers/char/tty_io.c
++++ linux-2.6.16.9/drivers/char/tty_io.c
+@@ -2706,7 +2706,11 @@ static void __do_SAK(void *arg)
+ }
+ task_lock(p);
+ if (p->files) {
+- rcu_read_lock();
++ /*
++ * We don't take a ref to the file, so we must
++ * hold ->file_lock instead.
++ */
++ spin_lock(&p->files->file_lock);
+ fdt = files_fdtable(p->files);
+ for (i=0; i < fdt->max_fds; i++) {
+ filp = fcheck_files(p->files, i);
+@@ -2721,7 +2725,7 @@ static void __do_SAK(void *arg)
+ break;
+ }
+ }
+- rcu_read_unlock();
++ spin_unlock(&p->files->file_lock);
+ }
+ task_unlock(p);
+ } while_each_task_pid(session, PIDTYPE_SID, p);
+--- linux-2.6.16.9.orig/fs/locks.c
++++ linux-2.6.16.9/fs/locks.c
+@@ -2212,7 +2212,12 @@ void steal_locks(fl_owner_t from)
+
+ lock_kernel();
+ j = 0;
+- rcu_read_lock();
++
++ /*
++ * We are not taking a ref to the file structures, so
++ * we need to acquire ->file_lock.
++ */
++ spin_lock(&files->file_lock);
+ fdt = files_fdtable(files);
+ for (;;) {
+ unsigned long set;
+@@ -2230,7 +2235,7 @@ void steal_locks(fl_owner_t from)
+ set >>= 1;
+ }
+ }
+- rcu_read_unlock();
++ spin_unlock(&files->file_lock);
+ unlock_kernel();
+ }
+ EXPORT_SYMBOL(steal_locks);
+--- linux-2.6.16.9.orig/fs/proc/base.c
++++ linux-2.6.16.9/fs/proc/base.c
+@@ -294,16 +294,20 @@ static int proc_fd_link(struct inode *in
+
+ files = get_files_struct(task);
+ if (files) {
+- rcu_read_lock();
++ /*
++ * We are not taking a ref to the file structure, so we must
++ * hold ->file_lock.
++ */
++ spin_lock(&files->file_lock);
+ file = fcheck_files(files, fd);
+ if (file) {
+ *mnt = mntget(file->f_vfsmnt);
+ *dentry = dget(file->f_dentry);
+- rcu_read_unlock();
++ spin_unlock(&files->file_lock);
+ put_files_struct(files);
+ return 0;
+ }
+- rcu_read_unlock();
++ spin_unlock(&files->file_lock);
+ put_files_struct(files);
+ }
+ return -ENOENT;
+@@ -1485,7 +1489,12 @@ static struct dentry *proc_lookupfd(stru
+ if (!files)
+ goto out_unlock;
+ inode->i_mode = S_IFLNK;
+- rcu_read_lock();
++
++ /*
++ * We are not taking a ref to the file structure, so we must
++ * hold ->file_lock.
++ */
++ spin_lock(&files->file_lock);
+ file = fcheck_files(files, fd);
+ if (!file)
+ goto out_unlock2;
+@@ -1493,7 +1502,7 @@ static struct dentry *proc_lookupfd(stru
+ inode->i_mode |= S_IRUSR | S_IXUSR;
+ if (file->f_mode & 2)
+ inode->i_mode |= S_IWUSR | S_IXUSR;
+- rcu_read_unlock();
++ spin_unlock(&files->file_lock);
+ put_files_struct(files);
+ inode->i_op = &proc_pid_link_inode_operations;
+ inode->i_size = 64;
+@@ -1503,7 +1512,7 @@ static struct dentry *proc_lookupfd(stru
+ return NULL;
+
+ out_unlock2:
+- rcu_read_unlock();
++ spin_unlock(&files->file_lock);
+ put_files_struct(files);
+ out_unlock:
+ iput(inode);
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Mon Apr 17 20:15:38 2006
+Date: Tue, 18 Apr 2006 03:04:00 GMT
+Message-Id: <200604180304.k3I340pP023209@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: IPC: access to unmapped vmalloc area in grow_ary()
+
+>From Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+
+[PATCH] IPC: access to unmapped vmalloc area in grow_ary()
+
+grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
+new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
+when near page boundary.
+
+Found during OpenVZ stress testing
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: Kirill Korotaev <dev@openvz.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/util.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- linux-2.6.16.9.orig/ipc/util.c
++++ linux-2.6.16.9/ipc/util.c
+@@ -182,8 +182,7 @@ static int grow_ary(struct ipc_ids* ids,
+ if(new == NULL)
+ return size;
+ new->size = newsize;
+- memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size +
+- sizeof(struct ipc_id_ary));
++ memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size);
+ for(i=size;i<newsize;i++) {
+ new->p[i] = NULL;
+ }
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:57 2006
+Date: Wed, 19 Apr 2006 16:59:54 GMT
+Message-Id: <200604191659.k3JGxs2M025081@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] m41t00: fix bitmasks when writing to chip
+
+From: David Barksdale <amatus@ocgnet.org>
+
+[PATCH] m41t00: fix bitmasks when writing to chip
+
+Fix the bitmasks used when writing to the M41T00 registers.
+
+The original code used a mask of 0x7f when writing to each register,
+this is incorrect and probably the result of a copy-paste error. As a
+result years from 1980 to 1999 will be read back as 2000 to 2019.
+
+Signed-off-by: David Barksdale <amatus@ocgnet.org>
+Acked-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/chips/m41t00.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- linux-2.6.16.9.orig/drivers/i2c/chips/m41t00.c
++++ linux-2.6.16.9/drivers/i2c/chips/m41t00.c
+@@ -129,13 +129,13 @@ m41t00_set_tlet(ulong arg)
+ if ((i2c_smbus_write_byte_data(save_client, 0, tm.tm_sec & 0x7f) < 0)
+ || (i2c_smbus_write_byte_data(save_client, 1, tm.tm_min & 0x7f)
+ < 0)
+- || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x7f)
++ || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x3f)
+ < 0)
+- || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x7f)
++ || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x3f)
+ < 0)
+- || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x7f)
++ || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x1f)
+ < 0)
+- || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0x7f)
++ || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0xff)
+ < 0))
+
+ dev_warn(&save_client->dev,"m41t00: can't write to rtc chip\n");
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:11:09 2006
+Date: Wed, 19 Apr 2006 17:01:01 GMT
+Message-Id: <200604191701.k3JH11nR026338@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: [PATCH] Open IPMI BT overflow
+
+From: Heikki Orsila <shd@jolt.modeemi.cs.tut.fi>
+
+[PATCH] Open IPMI BT overflow
+
+I was looking into random driver code and found a suspicious looking
+memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
+
+ if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
+ return -1;
+ ...
+ memcpy(bt->write_data + 3, data + 1, size - 1);
+
+where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the
+memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch
+attached to limit size to (IPMI_MAX_LENGTH - 2).
+
+Cc: Corey Minyard <minyard@acm.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.16.9.orig/drivers/char/ipmi/ipmi_bt_sm.c
++++ linux-2.6.16.9/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s
+ {
+ unsigned int i;
+
+- if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
++ if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
+ return -1;
+
+ if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))
ipv6-ensure-to-have-hop-by-hop-options-in-our-header-of-sk_buff.patch
ipv6-xfrm-don-t-use-old-copy-of-pointer-after-pskb_may_pull.patch
ipv6-xfrm-fix-decoding-session-with-preceding-extension-header.patch
+x86-don-t-allow-tail-calls-in-sys_ftruncate.patch
+x86-be-careful-about-tailcall-breakage-for-sys_open-too.patch
+open-ipmi-bt-overflow.patch
+m41t00-fix-bitmasks-when-writing-to-chip.patch
+ipc-access-to-unmapped-vmalloc-area-in-grow_ary.patch
+fix-file-lookup-without-ref.patch
+fbdev-fix-return-error-of-fb_write.patch
+apm-fix-armada-laptops-again.patch
+alim15x3-uli-m-1573-south-bridge-support.patch
+add-more-prevent_tail_call.patch
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Tue Apr 18 14:00:16 2006
+Date: Tue, 18 Apr 2006 20:59:27 GMT
+Message-Id: <200604182059.k3IKxR0V011701@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: x86: be careful about tailcall breakage for sys_open[at] too
+
+From: Linus Torvalds <torvalds@osdl.org>
+
+x86: be careful about tailcall breakage for sys_open[at] too
+
+Came up through a quick grep for other cases similar to the ftruncate()
+one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536.
+
+Also, add a comment, so that people who read the code understand why we
+do what looks like a no-op.
+
+(Again, this won't actually matter to any sane user, since libc will
+save and restore the register gcc stomps on, but it's still wrong to
+stomp on it)
+
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/open.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.9.orig/fs/open.c
++++ linux-2.6.16.9/fs/open.c
+@@ -331,6 +331,7 @@ out:
+ asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
+ {
+ long ret = do_sys_ftruncate(fd, length, 1);
++ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
+ }
+@@ -345,6 +346,7 @@ asmlinkage long sys_truncate64(const cha
+ asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
+ {
+ long ret = do_sys_ftruncate(fd, length, 0);
++ /* avoid REGPARM breakage on x86: */
+ prevent_tail_call(ret);
+ return ret;
+ }
+@@ -1087,20 +1089,30 @@ long do_sys_open(int dfd, const char __u
+
+ asmlinkage long sys_open(const char __user *filename, int flags, int mode)
+ {
++ long ret;
++
+ if (force_o_largefile())
+ flags |= O_LARGEFILE;
+
+- return do_sys_open(AT_FDCWD, filename, flags, mode);
++ ret = do_sys_open(AT_FDCWD, filename, flags, mode);
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(sys_open);
+
+ asmlinkage long sys_openat(int dfd, const char __user *filename, int flags,
+ int mode)
+ {
++ long ret;
++
+ if (force_o_largefile())
+ flags |= O_LARGEFILE;
+
+- return do_sys_open(dfd, filename, flags, mode);
++ ret = do_sys_open(dfd, filename, flags, mode);
++ /* avoid REGPARM breakage on x86: */
++ prevent_tail_call(ret);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(sys_openat);
+
--- /dev/null
+From git-commits-head-owner@vger.kernel.org Tue Apr 18 14:00:16 2006
+Date: Tue, 18 Apr 2006 20:59:26 GMT
+Message-Id: <200604182059.k3IKxQG1011693@hera.kernel.org>
+From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+To: git-commits-head@vger.kernel.org
+Subject: x86: don't allow tail-calls in sys_ftruncate[64]()
+
+From: Linus Torvalds <torvalds@osdl.org>
+
+x86: don't allow tail-calls in sys_ftruncate[64]()
+
+Gcc thinks it owns the incoming argument stack, but that's not true for
+"asmlinkage" functions, and it corrupts the caller-set-up argument stack
+when it pushes the third argument onto the stack. Which can result in
+%ebx getting corrupted in user space.
+
+Now, normally nobody sane would ever notice, since libc will save and
+restore %ebx anyway over the system call, but it's still wrong.
+
+I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
+the stack, but no such attribute exists, so we're stuck with our hacky
+manual "prevent_tail_call()" macro once more (we've had the same issue
+before with sys_waitpid() and sys_wait4()).
+
+Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting
+the issue and testing the fix.
+
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/open.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.9.orig/fs/open.c
++++ linux-2.6.16.9/fs/open.c
+@@ -330,7 +330,9 @@ out:
+
+ asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
+ {
+- return do_sys_ftruncate(fd, length, 1);
++ long ret = do_sys_ftruncate(fd, length, 1);
++ prevent_tail_call(ret);
++ return ret;
+ }
+
+ /* LFS versions of truncate are only needed on 32 bit machines */
+@@ -342,7 +344,9 @@ asmlinkage long sys_truncate64(const cha
+
+ asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
+ {
+- return do_sys_ftruncate(fd, length, 0);
++ long ret = do_sys_ftruncate(fd, length, 0);
++ prevent_tail_call(ret);
++ return ret;
+ }
+ #endif
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
