3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 31 May 2013 23:45:41 +0000 (16:45 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 31 May 2013 23:45:41 +0000 (16:45 -0700)
added patches:
cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
drm-radeon-fix-card_posted-check-for-newer-asics.patch
usb-io_ti-fix-null-dereference-in-chase_port.patch
xfs-kill-suid-sgid-through-the-truncate-path.patch

queue-3.4/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch [new file with mode: 0644]
queue-3.4/drm-radeon-fix-card_posted-check-for-newer-asics.patch [new file with mode: 0644]
queue-3.4/series
queue-3.4/usb-io_ti-fix-null-dereference-in-chase_port.patch [new file with mode: 0644]
queue-3.4/xfs-kill-suid-sgid-through-the-truncate-path.patch [new file with mode: 0644]

diff --git a/queue-3.4/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch b/queue-3.4/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
new file mode 100644 (file)
index 0000000..e774793
--- /dev/null
@@ -0,0 +1,42 @@
+From 166faf21bd14bc5c5295a44874bf7f3930c30b20 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Fri, 24 May 2013 07:40:04 -0400
+Subject: cifs: fix potential buffer overrun when composing a new options string
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream.
+
+Consider the case where we have a very short ip= string in the original
+mount options, and when we chase a referral we end up with a very long
+IPv6 address. Be sure to allow for that possibility when estimating the
+size of the string to allocate.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_dfs_ref.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/cifs_dfs_ref.c
++++ b/fs/cifs/cifs_dfs_ref.c
+@@ -18,6 +18,7 @@
+ #include <linux/slab.h>
+ #include <linux/vfs.h>
+ #include <linux/fs.h>
++#include <linux/inet.h>
+ #include "cifsglob.h"
+ #include "cifsproto.h"
+ #include "cifsfs.h"
+@@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const c
+        * assuming that we have 'unc=' and 'ip=' in
+        * the original sb_mountdata
+        */
+-      md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
++      md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
++                      INET6_ADDRSTRLEN;
+       mountdata = kzalloc(md_len+1, GFP_KERNEL);
+       if (mountdata == NULL) {
+               rc = -ENOMEM;
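Review bot: The new `md_len` expression is still a hand-computed upper bound, and the comment above it ("assuming that we have 'unc=' and 'ip=' in the original sb_mountdata") explains neither the literal `12` nor the added `INET6_ADDRSTRLEN`. I would extend that comment to itemise what the `12` accounts for and add `/* INET6_ADDRSTRLEN: the referral's address may be longer than the ip= value already counted in sb_mountdata */`. The code that fills `mountdata` lies outside this hunk. If it appends with unbounded copies, checking each write against `md_len` would turn any future mis-estimate into an error return instead of a heap overrun.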
diff --git a/queue-3.4/drm-radeon-fix-card_posted-check-for-newer-asics.patch b/queue-3.4/drm-radeon-fix-card_posted-check-for-newer-asics.patch
new file mode 100644 (file)
index 0000000..239f52a
--- /dev/null
@@ -0,0 +1,52 @@
+From 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 22 May 2013 11:22:51 -0400
+Subject: drm/radeon: fix card_posted check for newer asics
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a upstream.
+
+Newer asics have variable numbers of crtcs.  Use that
+rather than the asic family to determine which crtcs
+to check.  This avoids checking non-existent crtcs or
+missing crtcs on certain asics.
+
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_device.c |   19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -363,18 +363,17 @@ bool radeon_card_posted(struct radeon_de
+               return false;
+       /* first check CRTCs */
+-      if (ASIC_IS_DCE41(rdev)) {
++      if (ASIC_IS_DCE4(rdev)) {
+               reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+                       RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET);
+-              if (reg & EVERGREEN_CRTC_MASTER_EN)
+-                      return true;
+-      } else if (ASIC_IS_DCE4(rdev)) {
+-              reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+-                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET) |
+-                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
+-                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET) |
+-                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
+-                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++                      if (rdev->num_crtc >= 4) {
++                              reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
++                                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET);
++                      }
++                      if (rdev->num_crtc >= 6) {
++                              reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
++                                      RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++                      }
+               if (reg & EVERGREEN_CRTC_MASTER_EN)
+                       return true;
+       } else if (ASIC_IS_AVIVO(rdev)) {
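Review bot: The added `if (rdev->num_crtc >= 4)` and `if (rdev->num_crtc >= 6)` blocks are indented one level deeper than the `reg = RREG32(...)` statement they follow. As rendered here they read like a continuation of that expression rather than sibling statements inside the `ASIC_IS_DCE4` branch. Aligning them with `reg =` and with the following `if (reg & EVERGREEN_CRTC_MASTER_EN)` would match the surrounding lines. A short comment such as `/* read only the CRTCs this asic has; num_crtc varies on newer parts */` would record why the extra reads are gated, since avoiding reads of non-existent CRTCs is the point of the change. radeon_card_posted starts and ends outside the hunk.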
index f82b9d8121e4978601329ba2e905c556c7ce8c59..41d5ea5b55ddb8c63e0b15287765892fad39cdab 100644 (file)
@@ -25,3 +25,7 @@ mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch
 drivers-block-brd.c-fix-brd_lookup_page-race.patch
 mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch
 mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch
+xfs-kill-suid-sgid-through-the-truncate-path.patch
+drm-radeon-fix-card_posted-check-for-newer-asics.patch
+cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
+usb-io_ti-fix-null-dereference-in-chase_port.patch
diff --git a/queue-3.4/usb-io_ti-fix-null-dereference-in-chase_port.patch b/queue-3.4/usb-io_ti-fix-null-dereference-in-chase_port.patch
new file mode 100644 (file)
index 0000000..f81b034
--- /dev/null
@@ -0,0 +1,102 @@
+From 1ee0a224bc9aad1de496c795f96bc6ba2c394811 Mon Sep 17 00:00:00 2001
+From: Wolfgang Frisch <wfpub@roembden.net>
+Date: Thu, 17 Jan 2013 01:07:02 +0100
+Subject: USB: io_ti: Fix NULL dereference in chase_port()
+
+From: Wolfgang Frisch <wfpub@roembden.net>
+
+commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.
+
+The tty is NULL when the port is hanging up.
+chase_port() needs to check for this.
+
+This patch is intended for stable series.
+The behavior was observed and tested in Linux 3.2 and 3.7.1.
+
+Johan Hovold submitted a more elaborate patch for the mainline kernel.
+
+[   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
+[   56.278811] usb 1-1: USB disconnect, device number 3
+[   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
+[   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
+[   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
+[   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
+[   56.282085] Oops: 0002 [#1] SMP
+[   56.282744] Modules linked in:
+[   56.283512] CPU 1
+[   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
+[   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
+[   56.283512] RSP: 0018:ffff88001fa99ab0  EFLAGS: 00010046
+[   56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
+[   56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
+[   56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
+[   56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
+[   56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
+[   56.283512] FS:  0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
+[   56.283512] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[   56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
+[   56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[   56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
+[   56.283512] Stack:
+[   56.283512]  0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
+[   56.283512]  ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
+[   56.283512]  ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
+[   56.283512] Call Trace:
+[   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
+[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
+[   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
+[   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
+[   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
+[   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
+[   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
+[   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
+[   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
+[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
+[   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
+[   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
+[   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
+[   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
+[   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
+[   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
+[   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
+[   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
+[   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
+[   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
+[   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
+[   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
+[   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
+[   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
+[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
+[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
+[   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
+[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
+[   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
+[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
+[   56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
+<f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
+[   56.283512] RIP  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
+[   56.283512]  RSP <ffff88001fa99ab0>
+[   56.283512] CR2: 00000000000001c8
+[   56.283512] ---[ end trace 49714df27e1679ce ]---
+
+Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
+Cc: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_ti.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -550,6 +550,9 @@ static void chase_port(struct edgeport_p
+       wait_queue_t wait;
+       unsigned long flags;
++      if (!tty)
++              return;
++
+       if (!timeout)
+               timeout = (HZ * EDGE_CLOSING_WAIT)/100;
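Review bot: The added `if (!tty) return;` leaves chase_port() before any of the work below it, and nothing in the hunk says why `tty` can be NULL at this point. The commit message gives the reason, so I would put it on the guard: `/* tty is NULL when the port is hanging up; nothing to wait on */`. The rest of the function, including where `tty` is obtained, is outside the hunk. If it contains steps that do not need the tty, such as discarding the driver's own buffered data or waiting for the device to drain, they are now skipped on hangup too. That is worth confirming against the more elaborate mainline fix the message mentions.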
diff --git a/queue-3.4/xfs-kill-suid-sgid-through-the-truncate-path.patch b/queue-3.4/xfs-kill-suid-sgid-through-the-truncate-path.patch
new file mode 100644 (file)
index 0000000..8095045
--- /dev/null
@@ -0,0 +1,101 @@
+From 2962f5a5dcc56f69cbf62121a7be67cc15d6940b Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Mon, 27 May 2013 16:38:25 +1000
+Subject: xfs: kill suid/sgid through the truncate path.
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 2962f5a5dcc56f69cbf62121a7be67cc15d6940b upstream.
+
+XFS has failed to kill suid/sgid bits correctly when truncating
+files of non-zero size since commit c4ed4243 ("xfs: split
+xfs_setattr") introduced in the 3.1 kernel. Fix it.
+
+Fix it.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Ben Myers <bpm@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_iops.c |   47 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 15 deletions(-)
+
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -457,6 +457,28 @@ xfs_vn_getattr(
+       return 0;
+ }
++static void
++xfs_setattr_mode(
++      struct xfs_trans        *tp,
++      struct xfs_inode        *ip,
++      struct iattr            *iattr)
++{
++      struct inode    *inode = VFS_I(ip);
++      umode_t         mode = iattr->ia_mode;
++
++      ASSERT(tp);
++      ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
++
++      if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
++              mode &= ~S_ISGID;
++
++      ip->i_d.di_mode &= S_IFMT;
++      ip->i_d.di_mode |= mode & ~S_IFMT;
++
++      inode->i_mode &= S_IFMT;
++      inode->i_mode |= mode & ~S_IFMT;
++}
++
+ int
+ xfs_setattr_nonsize(
+       struct xfs_inode        *ip,
+@@ -608,18 +630,8 @@ xfs_setattr_nonsize(
+       /*
+        * Change file access modes.
+        */
+-      if (mask & ATTR_MODE) {
+-              umode_t mode = iattr->ia_mode;
+-
+-              if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+-                      mode &= ~S_ISGID;
+-
+-              ip->i_d.di_mode &= S_IFMT;
+-              ip->i_d.di_mode |= mode & ~S_IFMT;
+-
+-              inode->i_mode &= S_IFMT;
+-              inode->i_mode |= mode & ~S_IFMT;
+-      }
++      if (mask & ATTR_MODE)
++              xfs_setattr_mode(tp, ip, iattr);
+       /*
+        * Change file access or modified times.
+@@ -716,9 +728,8 @@ xfs_setattr_size(
+               return XFS_ERROR(error);
+       ASSERT(S_ISREG(ip->i_d.di_mode));
+-      ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
+-                      ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
+-                      ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
++      ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
++                      ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
+       lock_flags = XFS_ILOCK_EXCL;
+       if (!(flags & XFS_ATTR_NOLOCK))
+@@ -861,6 +872,12 @@ xfs_setattr_size(
+               xfs_iflags_set(ip, XFS_ITRUNCATED);
+       }
++      /*
++       * Change file access modes.
++       */
++      if (mask & ATTR_MODE)
++              xfs_setattr_mode(tp, ip, iattr);
++
+       if (mask & ATTR_CTIME) {
+               inode->i_ctime = iattr->ia_ctime;
+               ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
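Review bot: In xfs_setattr_size the relaxed ASSERT now lets `ATTR_MODE`, `ATTR_KILL_SUID` and `ATTR_KILL_SGID` through, but the block added near the end of the function acts on `ATTR_MODE` only. That is correct only if the caller has already folded the kill flags into `ATTR_MODE` and `iattr->ia_mode`, which presumably the VFS does before ->setattr is called. A comment on the new block such as `/* suid/sgid kills arrive as ATTR_MODE with ia_mode already stripped */` would make that dependency explicit. The new helper xfs_setattr_mode() also has no header comment. It should state that the caller must hold XFS_ILOCK_EXCL inside a transaction, that `tp` is used only in `ASSERT(tp)`, and that logging the inode is presumably left to the caller. Both xfs_setattr_nonsize and xfs_setattr_size extend beyond the hunks shown.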