--- /dev/null
+From 5078b2e32ad4b1f753b1c837c15892202f753c97 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+Date: Wed, 13 May 2009 17:04:42 -0400
+Subject: cfg80211: fix race between core hint and driver's custom apply
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+commit 5078b2e32ad4b1f753b1c837c15892202f753c97 upstream.
+
+Its possible for cfg80211 to have scheduled the work and for
+the global workqueue to not have kicked in prior to a cfg80211
+driver's regulatory hint or wiphy_apply_custom_regulatory().
+
+Although this is very unlikely its possible and should fix
+this race. When this race would happen you are expected to have
+hit a null pointer dereference panic.
+
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Tested-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/reg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1497,6 +1497,13 @@ int regulatory_init(void)
+ "using static definition\n");
+ #endif
+
++ /*
++ * This ensures last_request is populated once modules
++ * come swinging in and calling regulatory hints and
++ * wiphy_apply_custom_regulatory().
++ */
++ flush_scheduled_work();
++
+ return 0;
+ }
+
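Review bot: The `flush_scheduled_work()` call added at the end of regulatory_init() waits for every item on the shared workqueue, not only the regulatory work the comment describes. Init therefore blocks on unrelated work, and would deadlock if a queued item needed a lock held on this path (none is visible in the hunk). If the regulatory work item is reachable from here, flushing only that item would be narrower. The comment's guarantee that last_request is populated also assumes the scheduled work cannot fail, so it is worth confirming that the hint paths outside this hunk tolerate a NULL last_request. regulatory_init() starts before the hunk.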
--- /dev/null
+From 42beefc0093725ec0f8cea340cc54c36ccaceea0 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Wed, 6 May 2009 09:04:52 +1000
+Subject: drm/r128: fix r128 ioremaps to use ioremap_wc.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit 42beefc0093725ec0f8cea340cc54c36ccaceea0 upstream.
+
+This should allow r128 to start working again since PAT changes.
+
+taken from F-11 kernel.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Cc: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/r128/r128_cce.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/r128/r128_cce.c
++++ b/drivers/gpu/drm/r128/r128_cce.c
+@@ -511,9 +511,9 @@ static int r128_do_init_cce(struct drm_d
+
+ #if __OS_HAS_AGP
+ if (!dev_priv->is_pci) {
+- drm_core_ioremap(dev_priv->cce_ring, dev);
+- drm_core_ioremap(dev_priv->ring_rptr, dev);
+- drm_core_ioremap(dev->agp_buffer_map, dev);
++ drm_core_ioremap_wc(dev_priv->cce_ring, dev);
++ drm_core_ioremap_wc(dev_priv->ring_rptr, dev);
++ drm_core_ioremap_wc(dev->agp_buffer_map, dev);
+ if (!dev_priv->cce_ring->handle ||
+ !dev_priv->ring_rptr->handle ||
+ !dev->agp_buffer_map->handle) {
--- /dev/null
+From 80193195f87ebca6d7417516d6edeb3969631c15 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Mon, 18 May 2009 13:07:35 +0100
+Subject: Fix oops on close of hot-unplugged FTDI serial converter
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit 80193195f87ebca6d7417516d6edeb3969631c15 upstream.
+
+Commit c45d6320 ("fix reference counting of ftdi_private") stopped
+ftdi_sio_port_remove() from directly freeing the port-private data, with
+the intention if the port was still open, it would be freed when
+ftdi_close() is eventually called and releases the last refcount on the
+structure.
+
+That's all very well, but ftdi_sio_port_remove() still contains a call
+to usb_set_serial_port_data(port, NULL) -- so by the time we get to
+ftdi_close() for the port which was unplugged, it _still_ oopses on
+dereferencing that NULL pointer, as it did before (and does in 2.6.29).
+
+The fix is just not to clear the private data in ftdi_sio_port_remove().
+Then the refcount is properly reduced to zero when the final kref_put()
+happens in ftdi_close().
+
+Remove a bogus comment too, while we're at it. And stop doing things
+inside "if (priv)" -- it must _always_ be there.
+
+Based loosely on an earlier patch by Daniel Mack, and suggestions by
+Alan Stern.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Tested-by: Daniel Mack <daniel@caiaq.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1485,14 +1485,7 @@ static int ftdi_sio_port_remove(struct u
+
+ remove_sysfs_attrs(port);
+
+- /* all open ports are closed at this point
+- * (by usbserial.c:__serial_close, which calls ftdi_close)
+- */
+-
+- if (priv) {
+- usb_set_serial_port_data(port, NULL);
+- kref_put(&priv->kref, ftdi_sio_priv_release);
+- }
++ kref_put(&priv->kref, ftdi_sio_priv_release);
+
+ return 0;
+ }
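Review bot: The now-unconditional `kref_put(&priv->kref, ftdi_sio_priv_release);` in ftdi_sio_port_remove() relies on priv never being NULL, and that invariant is stated only in the commit message. A comment at the call, e.g. `/* priv is never NULL here; the final reference is dropped here or in ftdi_close() */`, would keep a later change from reintroducing the guard or the NULL store. Because the port data pointer now stays set after removal, the object's lifetime rests on the refcount alone. Any path that fetches the pointer after this function must hold its own reference, and those callers are outside the hunk. The function starts before the hunk.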
--- /dev/null
+From 64d1304a64477629cb16b75491a77bafe6f86963 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 18 May 2009 21:20:10 +0200
+Subject: futex: setup writeable mapping for futex ops which modify user space data
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 64d1304a64477629cb16b75491a77bafe6f86963 upstream.
+
+The futex code installs a read only mapping via get_user_pages_fast()
+even if the futex op function has to modify user space data. The
+eventual fault was fixed up by futex_handle_fault() which walked the
+VMA with mmap_sem held.
+
+After the cleanup patches which removed the mmap_sem dependency of the
+futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex:
+clean up fault logic) removed the private VMA walk logic from the
+futex code. This change results in a stale RO mapping which is not
+fixed up.
+
+Instead of reintroducing the previous fault logic we set up the
+mapping in get_user_pages_fast() read/write for all operations which
+modify user space data. Also handle private futexes in the same way
+and make the current unconditional access_ok(VERIFY_WRITE) depend on
+the futex op.
+
+Reported-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/futex.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -192,6 +192,7 @@ static void drop_futex_key_refs(union fu
+ * @shared: NULL for a PROCESS_PRIVATE futex,
+ * ¤t->mm->mmap_sem for a PROCESS_SHARED futex
+ * @key: address where result is stored.
++ * @rw: mapping needs to be read/write (values: VERIFY_READ, VERIFY_WRITE)
+ *
+ * Returns a negative error code or 0
+ * The key words are stored in *key on success.
+@@ -204,7 +205,8 @@ static void drop_futex_key_refs(union fu
+ * For other futexes, it points to ¤t->mm->mmap_sem and
+ * caller must have taken the reader lock. but NOT any spinlocks.
+ */
+-static int get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key)
++static int
++get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
+ {
+ unsigned long address = (unsigned long)uaddr;
+ struct mm_struct *mm = current->mm;
+@@ -227,7 +229,7 @@ static int get_futex_key(u32 __user *uad
+ * but access_ok() should be faster than find_vma()
+ */
+ if (!fshared) {
+- if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
++ if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+ return -EFAULT;
+ key->private.mm = mm;
+ key->private.address = address;
+@@ -236,7 +238,7 @@ static int get_futex_key(u32 __user *uad
+ }
+
+ again:
+- err = get_user_pages_fast(address, 1, 0, &page);
++ err = get_user_pages_fast(address, 1, rw == VERIFY_WRITE, &page);
+ if (err < 0)
+ return err;
+
+@@ -707,7 +709,7 @@ static int futex_wake(u32 __user *uaddr,
+ if (!bitset)
+ return -EINVAL;
+
+- ret = get_futex_key(uaddr, fshared, &key);
++ ret = get_futex_key(uaddr, fshared, &key, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+
+@@ -753,10 +755,10 @@ futex_wake_op(u32 __user *uaddr1, int fs
+ int ret, op_ret, attempt = 0;
+
+ retryfull:
+- ret = get_futex_key(uaddr1, fshared, &key1);
++ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+- ret = get_futex_key(uaddr2, fshared, &key2);
++ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out_put_key1;
+
+@@ -859,10 +861,10 @@ static int futex_requeue(u32 __user *uad
+ int ret, drop_count = 0;
+
+ retry:
+- ret = get_futex_key(uaddr1, fshared, &key1);
++ ret = get_futex_key(uaddr1, fshared, &key1, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+- ret = get_futex_key(uaddr2, fshared, &key2);
++ ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out_put_key1;
+
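Review bot: futex_requeue() requests `VERIFY_WRITE` for uaddr2, yet nothing in this hunk shows the requeue path storing to that word. The commit message limits read/write mappings to operations that modify user space data. If requeue only moves waiters onto key2, `ret = get_futex_key(uaddr2, fshared, &key2, VERIFY_READ);` would avoid returning -EFAULT for a target futex in a read-only mapping. If write access is intended, a one-line comment at the call naming the store that needs it would settle the question. The function body continues outside the hunk.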
+@@ -1181,7 +1183,7 @@ static int futex_wait(u32 __user *uaddr,
+ q.bitset = bitset;
+ retry:
+ q.key = FUTEX_KEY_INIT;
+- ret = get_futex_key(uaddr, fshared, &q.key);
++ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+
+@@ -1370,7 +1372,7 @@ static int futex_lock_pi(u32 __user *uad
+ q.pi_state = NULL;
+ retry:
+ q.key = FUTEX_KEY_INIT;
+- ret = get_futex_key(uaddr, fshared, &q.key);
++ ret = get_futex_key(uaddr, fshared, &q.key, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out;
+
+@@ -1630,7 +1632,7 @@ retry:
+ if ((uval & FUTEX_TID_MASK) != task_pid_vnr(current))
+ return -EPERM;
+
+- ret = get_futex_key(uaddr, fshared, &key);
++ ret = get_futex_key(uaddr, fshared, &key, VERIFY_WRITE);
+ if (unlikely(ret != 0))
+ goto out;
+
--- /dev/null
+From 95caa0a9bdaf93607bd0cc8932f53112496f2f22 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@linux.vnet.ibm.com>
+Date: Fri, 22 May 2009 21:30:39 -0300
+Subject: icom: fix rmmod crash
+
+From: Breno Leitao <leitao@linux.vnet.ibm.com>
+
+commit 95caa0a9bdaf93607bd0cc8932f53112496f2f22 upstream.
+
+Actually the icom driver is crashing when is being removed because
+the driver is kfreeing the adapter structure before calling
+pci_release_regions(), which result in the following error:
+
+ Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6d33
+ Faulting instruction address: 0xc000000000246b80
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ....
+ [c000000012d436a0] [c0000000001002d0] .kfree+0x120/0x34c (unreliable)
+ [c000000012d43730] [c000000000246d60] .pci_release_selected_regions+0x3c/0x68
+ [c000000012d437c0] [d000000002d54700] .icom_kref_release+0xf4/0x118 [icom]
+ [c000000012d43850] [c000000000232e50] .kref_put+0x74/0x94
+ [c000000012d438d0] [d000000002d56c58] .icom_remove+0x40/0xa4 [icom]
+ [c000000012d43960] [c000000000249e48] .pci_device_remove+0x50/0x90
+ [c000000012d439e0] [c0000000002d68d8] .__device_release_driver+0x94/0xd4
+ [c000000012d43a70] [c0000000002d7104] .driver_detach+0xf8/0x12c
+ [c000000012d43b00] [c0000000002d549c] .bus_remove_driver+0xbc/0x11c
+ [c000000012d43b90] [c0000000002d71dc] .driver_unregister+0x60/0x80
+ [c000000012d43c20] [c00000000024a07c] .pci_unregister_driver+0x44/0xe8
+ [c000000012d43cb0] [d000000002d56bf4] .icom_exit+0x1c/0x40 [icom]
+ [c000000012d43d30] [c000000000095fa8] .SyS_delete_module+0x214/0x2a8
+ [c000000012d43e30] [c00000000000852c] syscall_exit+0x0/0x40
+
+Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/serial/icom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/serial/icom.c
++++ b/drivers/serial/icom.c
+@@ -1482,8 +1482,8 @@ static void icom_remove_adapter(struct i
+
+ free_irq(icom_adapter->pci_dev->irq, (void *) icom_adapter);
+ iounmap(icom_adapter->base_addr);
+- icom_free_adapter(icom_adapter);
+ pci_release_regions(icom_adapter->pci_dev);
++ icom_free_adapter(icom_adapter);
+ }
+
+ static void icom_kref_release(struct kref *kref)
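Review bot: The statement order at the end of icom_remove_adapter() is now load-bearing, but nothing in the code says so. `pci_release_regions(icom_adapter->pci_dev)` reads a field of the structure that `icom_free_adapter(icom_adapter)` releases. A comment above the final call, e.g. `/* must be last: the calls above still dereference icom_adapter */`, would stop a future reorder from bringing the use-after-free back. The function starts before the hunk.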
--- /dev/null
+From a2edf57f510cce6a389cc14e58c6ad0a4296d6f9 Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Sun, 24 May 2009 22:19:00 +0300
+Subject: KVM: Fix PDPTR reloading on CR4 writes
+
+From: Avi Kivity <avi@redhat.com>
+
+commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9 upstream.
+
+The processor is documented to reload the PDPTRs while in PAE mode if any
+of the CR4 bits PSE, PGE, or PAE change. Linux relies on this
+behaviour when zapping the low mappings of PAE kernels during boot.
+
+The code already handled changes to CR4.PAE; augment it to also notice changes
+to PSE and PGE.
+
+This triggered while booting an F11 PAE kernel; the futex initialization code
+runs before any CR3 reloads and writes to a NULL pointer; the futex subsystem
+ended up uninitialized, killing PI futexes and pulseaudio which uses them.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -334,6 +334,9 @@ EXPORT_SYMBOL_GPL(kvm_lmsw);
+
+ void kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
++ unsigned long old_cr4 = vcpu->arch.cr4;
++ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE;
++
+ if (cr4 & CR4_RESERVED_BITS) {
+ printk(KERN_DEBUG "set_cr4: #GP, reserved bits\n");
+ kvm_inject_gp(vcpu, 0);
+@@ -347,7 +350,8 @@ void kvm_set_cr4(struct kvm_vcpu *vcpu,
+ kvm_inject_gp(vcpu, 0);
+ return;
+ }
+- } else if (is_paging(vcpu) && !is_pae(vcpu) && (cr4 & X86_CR4_PAE)
++ } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE)
++ && ((cr4 ^ old_cr4) & pdptr_bits)
+ && !load_pdptrs(vcpu, vcpu->arch.cr3)) {
+ printk(KERN_DEBUG "set_cr4: #GP, pdptrs reserved bits\n");
+ kvm_inject_gp(vcpu, 0);
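Review bot: The `pdptr_bits` mask and the `(cr4 ^ old_cr4) & pdptr_bits` test in kvm_set_cr4() encode an architectural rule that is explained only in the commit message. I would add a comment above the declarations in the first hunk, e.g. `/* with PAE paging active, a change to CR4.PGE, PSE or PAE makes the CPU reload the PDPTRs */`, and declare the mask `const` since it is never modified. The `old_cr4` snapshot is only correct if nothing between the top of the function and this test updates vcpu->arch.cr4; the lines in between are partly outside the two hunks, so that is worth confirming.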
--- /dev/null
+From a8cd0244e9cebcf9b358d24c7e7410062f3665cb Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Sun, 24 May 2009 22:15:25 +0300
+Subject: KVM: Make paravirt tlb flush also reload the PAE PDPTRs
+
+From: Avi Kivity <avi@redhat.com>
+
+commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb upstream.
+
+The paravirt tlb flush may be used not only to flush TLBs, but also
+to reload the four page-directory-pointer-table entries, as it is used
+as a replacement for reloading CR3. Change the code to do the entire
+CR3 reloading dance instead of simply flushing the TLB.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/mmu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2906,8 +2906,7 @@ static int kvm_pv_mmu_write(struct kvm_v
+
+ static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu)
+ {
+- kvm_x86_ops->tlb_flush(vcpu);
+- set_bit(KVM_REQ_MMU_SYNC, &vcpu->requests);
++ kvm_set_cr3(vcpu, vcpu->arch.cr3);
+ return 1;
+ }
+
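Review bot: kvm_pv_mmu_flush_tlb() still returns 1 unconditionally after `kvm_set_cr3(vcpu, vcpu->arch.cr3);`, so whatever the reload does on failure is invisible to the caller. kvm_set_cr3() is not shown here. If it can reject the value or inject a fault when the PDPTRs do not validate, the paravirt operation would report success while a fault is pending for the guest. If that outcome is intended, a comment such as `/* full CR3 reload so the PAE PDPTRs are re-read; errors surface as a guest fault */` would record it.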
--- /dev/null
+From 1eb5ac6466d4be7b15b38ce3ab709600f1bc891f Mon Sep 17 00:00:00 2001
+From: Nick Piggin <npiggin@suse.de>
+Date: Tue, 5 May 2009 19:13:44 +1000
+Subject: mm: SLUB fix reclaim_state
+
+From: Nick Piggin <npiggin@suse.de>
+
+commit 1eb5ac6466d4be7b15b38ce3ab709600f1bc891f upstream.
+
+SLUB does not correctly account reclaim_state.reclaimed_slab, so it will
+break memory reclaim. Account it like SLAB does.
+
+Cc: linux-mm@kvack.org
+Cc: Matt Mackall <mpm@selenic.com>
+Acked-by: Christoph Lameter <cl@linux-foundation.org>
+Signed-off-by: Nick Piggin <npiggin@suse.de>
+Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/slub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/mm.h>
++#include <linux/swap.h> /* struct reclaim_state */
+ #include <linux/module.h>
+ #include <linux/bit_spinlock.h>
+ #include <linux/interrupt.h>
+@@ -1175,6 +1176,8 @@ static void __free_slab(struct kmem_cach
+
+ __ClearPageSlab(page);
+ reset_page_mapcount(page);
++ if (current->reclaim_state)
++ current->reclaim_state->reclaimed_slab += pages;
+ __free_pages(page, order);
+ }
+
--- /dev/null
+From 7ee2cb7f32b299c2b06a31fde155457203e4b7dd Mon Sep 17 00:00:00 2001
+From: Frank Filz <ffilzlnx@us.ibm.com>
+Date: Mon, 18 May 2009 17:41:40 -0400
+Subject: nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+
+From: Frank Filz <ffilzlnx@us.ibm.com>
+
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd upstream.
+
+The problem is that permission checking is skipped if atomic open is
+possible, but when exec opens a file, it just opens it O_READONLY which
+means EXEC permission will not be checked at that time.
+
+This problem is observed by the following sequence (executed as root):
+
+ mount -t nfs4 server:/ /mnt4
+ echo "ls" >/mnt4/foo
+ chmod 744 /mnt4/foo
+ su guest -c "mnt4/foo"
+
+Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Tested-by: Eugene Teo <eugeneteo@kernel.sg>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1943,7 +1943,8 @@ int nfs_permission(struct inode *inode,
+ case S_IFREG:
+ /* NFSv4 has atomic_open... */
+ if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+- && (mask & MAY_OPEN))
++ && (mask & MAY_OPEN)
++ && !(mask & MAY_EXEC))
+ goto out;
+ break;
+ case S_IFDIR:
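Review bot: The existing comment `/* NFSv4 has atomic_open... */` in nfs_permission() no longer explains the condition beneath it. The shortcut is now skipped when `MAY_EXEC` is set, which is the security-relevant part of the change. I would extend the comment to something like `/* NFSv4 has atomic_open, but exec opens the file read-only, so execute permission is not checked by the open: do the access check here */`. Without it, the extra clause looks removable to anyone tidying the condition. The function starts and ends outside the hunk.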
r8169-avoid-losing-msi-interrupts.patch
sparc-fix-bus-type-probing-for-esp-and-le-devices.patch
sparc64-fix-smp_callin-locking.patch
+mm-slub-fix-reclaim_state.patch
+fix-oops-on-close-of-hot-unplugged-ftdi-serial-converter.patch
+wimax-fix-oops-if-netlink-fails-to-add-attribute.patch
+nfs-fix-nfs-v4-client-handling-of-may_exec-in-nfs_permission.patch
+futex-setup-writeable-mapping-for-futex-ops-which-modify-user-space-data.patch
+xen-blkfront-allow-xenbus-state-transition-to-closing-closed-when-not-connected.patch
+tpm-get_event_name-stack-corruption.patch
+icom-fix-rmmod-crash.patch
+kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch
+kvm-fix-pdptr-reloading-on-cr4-writes.patch
+cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch
+drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch
--- /dev/null
+From fbaa58696cef848de818768783ef185bd3f05158 Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Wed, 13 May 2009 12:50:40 -0400
+Subject: TPM: get_event_name stack corruption
+
+From: Eric Paris <eparis@redhat.com>
+
+commit fbaa58696cef848de818768783ef185bd3f05158 upstream.
+
+get_event_name uses sprintf to fill a buffer declared on the stack. It fills
+the buffer 2 bytes at a time. What the code doesn't take into account is that
+sprintf(buf, "%02x", data) actually writes 3 bytes. 2 bytes for the data and
+then it nul terminates the string. Since we declare buf to be 40 characters
+long and then we write 40 bytes of data into buf sprintf is going to write 41
+characters. The fix is to leave room in buf for the nul terminator.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/tpm/tpm_bios.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_bios.c
++++ b/drivers/char/tpm/tpm_bios.c
+@@ -212,7 +212,8 @@ static int get_event_name(char *dest, st
+ unsigned char * event_entry)
+ {
+ const char *name = "";
+- char data[40] = "";
++ /* 41 so there is room for 40 data and 1 nul */
++ char data[41] = "";
+ int i, n_len = 0, d_len = 0;
+ struct tcpa_pc_event *pc_event;
+
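Review bot: `char data[41]` in get_event_name() fixes the one-byte stack overrun by hand-sizing the buffer, which leaves the array size and the formatting loop (outside this hunk) tied together only by the comment. Deriving the size from the same constant that bounds the loop, in the form `2 * N + 1`, would keep the two from drifting apart. Formatting with `snprintf` against the space remaining would do the same and make an overrun impossible rather than merely avoided. The loop bound is not visible here, so it should be confirmed that it really produces at most 40 characters before relying on 41.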
--- /dev/null
+From d1a2627a29667fe7c4a9d06e1579a2d65bd39bba Mon Sep 17 00:00:00 2001
+From: Inaky Perez-Gonzalez <inaky@linux.intel.com>
+Date: Mon, 30 Mar 2009 17:50:17 -0700
+Subject: wimax: fix oops if netlink fails to add attribute
+
+From: Inaky Perez-Gonzalez <inaky@linux.intel.com>
+
+commit d1a2627a29667fe7c4a9d06e1579a2d65bd39bba upstream.
+
+When sending a message to user space using wimax_msg(), if nla_put()
+fails, correctly interpret the return code from wimax_msg_alloc() as
+an err ptr and return the error code instead of crashing (as it is
+assuming than non-NULL means the pointer is ok).
+
+Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wimax/op-msg.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/wimax/op-msg.c
++++ b/net/wimax/op-msg.c
+@@ -149,7 +149,8 @@ struct sk_buff *wimax_msg_alloc(struct w
+ }
+ result = nla_put(skb, WIMAX_GNL_MSG_DATA, size, msg);
+ if (result < 0) {
+- dev_err(dev, "no memory to add payload in attribute\n");
++ dev_err(dev, "no memory to add payload (msg %p size %zu) in "
++ "attribute: %d\n", msg, size, result);
+ goto error_nla_put;
+ }
+ genlmsg_end(skb, genl_msg);
+@@ -302,10 +303,10 @@ int wimax_msg(struct wimax_dev *wimax_de
+ struct sk_buff *skb;
+
+ skb = wimax_msg_alloc(wimax_dev, pipe_name, buf, size, gfp_flags);
+- if (skb == NULL)
+- goto error_msg_new;
+- result = wimax_msg_send(wimax_dev, skb);
+-error_msg_new:
++ if (IS_ERR(skb))
++ result = PTR_ERR(skb);
++ else
++ result = wimax_msg_send(wimax_dev, skb);
+ return result;
+ }
+ EXPORT_SYMBOL_GPL(wimax_msg);
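Review bot: The `IS_ERR(skb)` test in wimax_msg() is correct only if wimax_msg_alloc() never returns NULL. IS_ERR() is false for NULL, so a NULL return would now be passed straight to wimax_msg_send(). Only the nla_put() failure path of wimax_msg_alloc() is visible in the first hunk, so its other failure paths should be checked to return an error pointer too, and that contract stated in its header comment. Minor: the new dev_err() prints `msg` with `%p`, which writes a kernel address to the log; the size and the error code are enough for diagnosis.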
--- /dev/null
+From 28afea5b2ffaa48f4f43d22ae8edcc384c05df80 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell@citrix.com>
+Date: Tue, 19 May 2009 08:25:48 +0200
+Subject: xen/blkfront: allow xenbus state transition to Closing->Closed when not Connected
+
+From: Ian Campbell <ian.campbell@citrix.com>
+
+commit 28afea5b2ffaa48f4f43d22ae8edcc384c05df80 upstream.
+
+This situation can occur when attempting to attach a block device whose
+backend is an empty physical CD-ROM driver. The backend in this case
+will go directly from the Initialising state to Closing->Closed.
+Previously this would result in a NULL pointer deref on info->gd
+(xenbus_dev_fatal does not return as a1a15ac5 seems to expect)
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/xen-blkfront.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -977,8 +977,10 @@ static void backend_changed(struct xenbu
+ break;
+
+ case XenbusStateClosing:
+- if (info->gd == NULL)
+- xenbus_dev_fatal(dev, -ENODEV, "gd is NULL");
++ if (info->gd == NULL) {
++ xenbus_frontend_closed(dev);
++ break;
++ }
+ bd = bdget_disk(info->gd, 0);
+ if (bd == NULL)
+ xenbus_dev_fatal(dev, -ENODEV, "bdget failed");
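Review bot: The `bd == NULL` check in the trailing context lines has the same flaw this commit fixes for `info->gd`. According to the commit message xenbus_dev_fatal() returns, so execution continues past `xenbus_dev_fatal(dev, -ENODEV, "bdget failed");` with bd still NULL. The statements that follow are outside the hunk, so the dereference itself is not visible here, but the branch should leave the case as the new one does: `if (bd == NULL) { xenbus_dev_fatal(dev, -ENODEV, "bdget failed"); break; }`. backend_changed() starts before and continues after the hunk.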