--- /dev/null
+From 80007efeff0568375b08faf93c7aad65602cb97e Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@frijolero.org>
+Date: Fri, 23 Mar 2012 07:23:31 -0700
+Subject: cfg80211: warn if db.txt is empty with CONFIG_CFG80211_INTERNAL_REGDB
+
+From: "Luis R. Rodriguez" <mcgrof@frijolero.org>
+
+commit 80007efeff0568375b08faf93c7aad65602cb97e upstream.
+
+It has happened twice now where elaborate troubleshooting has
+undergone on systems where CONFIG_CFG80211_INTERNAL_REGDB [0]
+has been set but yet net/wireless/db.txt was not updated.
+
+Despite the documentation on this it seems system integrators could
+use some more help with this, so throw out a kernel warning at boot time
+when their database is empty.
+
+This does mean that the error-prone system integrator won't likely
+realize the issue until they boot the machine but -- it does not seem
+to make sense to enable a build bug breaking random build testing.
+
+[0] http://wireless.kernel.org/en/developers/Regulatory/CRDA#CONFIG_CFG80211_INTERNAL_REGDB
+
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Youngsin Lee <youngsin@qualcomm.com>
+Cc: Raja Mani <rmani@qca.qualcomm.com>
+Cc: Senthil Kumar Balasubramanian <senthilb@qca.qualcomm.com>
+Cc: Vipin Mehta <vipimeht@qca.qualcomm.com>
+Cc: yahuan@qca.qualcomm.com
+Cc: jjan@qca.qualcomm.com
+Cc: vthiagar@qca.qualcomm.com
+Cc: henrykim@qualcomm.com
+Cc: jouni@qca.qualcomm.com
+Cc: athiruve@qca.qualcomm.com
+Cc: cjkim@qualcomm.com
+Cc: philipk@qca.qualcomm.com
+Cc: sunnykim@qualcomm.com
+Cc: sskwak@qualcomm.com
+Cc: kkim@qualcomm.com
+Cc: mattbyun@qualcomm.com
+Cc: ryanlee@qualcomm.com
+Cc: simbap@qualcomm.com
+Cc: krislee@qualcomm.com
+Cc: conner@qualcomm.com
+Cc: hojinkim@qualcomm.com
+Cc: honglee@qualcomm.com
+Cc: johnwkim@qualcomm.com
+Cc: jinyong@qca.qualcomm.com
+Signed-off-by: Luis R. Rodriguez <mcgrof@frijolero.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/reg.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -379,7 +379,15 @@ static void reg_regdb_query(const char *
+
+ schedule_work(®_regdb_work);
+ }
++
++/* Feel free to add any other sanity checks here */
++static void reg_regdb_size_check(void)
++{
++ /* We should ideally BUILD_BUG_ON() but then random builds would fail */
++ WARN_ONCE(!reg_regdb_size, "db.txt is empty, you should update it...");
++}
+ #else
++static inline void reg_regdb_size_check(void) {}
+ static inline void reg_regdb_query(const char *alpha2) {}
+ #endif /* CONFIG_CFG80211_INTERNAL_REGDB */
+
+@@ -2225,6 +2233,8 @@ int __init regulatory_init(void)
+ spin_lock_init(®_requests_lock);
+ spin_lock_init(®_pending_beacons_lock);
+
++ reg_regdb_size_check();
++
+ cfg80211_regdomain = cfg80211_world_regdom;
+
+ user_alpha2[0] = '9';
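Review bot: In the net/wireless/reg.c hunk that adds reg_regdb_size_check(), the helper's only caller in these hunks is regulatory_init(), which is `__init`, so the non-stub definition could be declared `static void __init reg_regdb_size_check(void)` and discarded after boot. The warning text would be easier to act on if it named the option and the file, for example `"CONFIG_CFG80211_INTERNAL_REGDB is set but net/wireless/db.txt is empty, update it"`. WARN_ONCE() produces a backtrace, not a one-line message, so a short comment above the helper saying that the stack dump at boot is deliberate would help integrators who meet it in a log.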
--- /dev/null
+From abae41e6438b798e046d721b6ccdd55b4a398170 Mon Sep 17 00:00:00 2001
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sun, 22 Apr 2012 13:37:09 +0200
+Subject: drivers/staging/comedi/comedi_fops.c: add missing vfree
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+commit abae41e6438b798e046d721b6ccdd55b4a398170 upstream.
+
+aux_free is freed on all other exits from the function. By removing the
+return, we can benefit from the vfree already at the end of the function.
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -280,7 +280,7 @@ static int do_devconfig_ioctl(struct com
+ if (ret == 0) {
+ if (!try_module_get(dev->driver->module)) {
+ comedi_device_detach(dev);
+- return -ENOSYS;
++ ret = -ENOSYS;
+ }
+ }
+
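Review bot: The replacement `ret = -ENOSYS;` in do_devconfig_ioctl() frees the buffer only if nothing between this block and the function's final vfree overwrites `ret` or returns early. That tail is outside the hunk, so it should be checked against the tree the backport is applied to. Since this is an ioctl handler, the leak is presumably repeatable by any caller allowed to configure the device. A comment above the assignment would record why the early return must not come back: `/* fall through to the common exit so the aux buffer is freed */`.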
--- /dev/null
+From 31a67102f4762df5544bc2dfb34a931233d2a5b2 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 21 May 2012 12:52:42 -0700
+Subject: Fix blocking allocations called very early during bootup
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31a67102f4762df5544bc2dfb34a931233d2a5b2 upstream.
+
+During early boot, when the scheduler hasn't really been fully set up,
+we really can't do blocking allocations because with certain (dubious)
+configurations the "might_resched()" calls can actually result in
+scheduling events.
+
+We could just make such users always use GFP_ATOMIC, but quite often the
+code that does the allocation isn't really aware of the fact that the
+scheduler isn't up yet, and forcing that kind of random knowledge on the
+initialization code is just annoying and not good for anybody.
+
+And we actually have a the 'gfp_allowed_mask' exactly for this reason:
+it's just that the kernel init sequence happens to set it to allow
+blocking allocations much too early.
+
+So move the 'gfp_allowed_mask' initialization from 'start_kernel()'
+(which is some of the earliest init code, and runs with preemption
+disabled for good reasons) into 'kernel_init()'. kernel_init() is run
+in the newly created thread that will become the 'init' process, as
+opposed to the early startup code that runs within the context of what
+will be the first idle thread.
+
+So by the time we reach 'kernel_init()', we know that the scheduler must
+be at least limping along, because we've already scheduled from the idle
+thread into the init thread.
+
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ init/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -549,9 +549,6 @@ asmlinkage void __init start_kernel(void
+ early_boot_irqs_disabled = false;
+ local_irq_enable();
+
+- /* Interrupts are enabled now so all GFP allocations are safe. */
+- gfp_allowed_mask = __GFP_BITS_MASK;
+-
+ kmem_cache_init_late();
+
+ /*
+@@ -783,6 +780,10 @@ static int __init kernel_init(void * unu
+ * Wait until kthreadd is all set-up.
+ */
+ wait_for_completion(&kthreadd_done);
++
++ /* Now the scheduler is fully set up and can do blocking allocations */
++ gfp_allowed_mask = __GFP_BITS_MASK;
++
+ /*
+ * init can allocate pages on any node
+ */
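Review bot: The new comment in kernel_init(), `/* Now the scheduler is fully set up and can do blocking allocations */`, claims more than the commit message, which argues only that the scheduler is "at least limping along" once the init thread runs. I would word it around the actual guarantee, for example `/* We have scheduled into the init thread, so blocking allocations are safe from here on */`. With the assignment removed from start_kernel(), everything start_kernel() still runs after local_irq_enable() keeps the restricted gfp_allowed_mask. Allocation calls on that path, which are outside the hunks shown, therefore cannot block and need to cope with failure.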
--- /dev/null
+From c4870eb874ac16dccef40e1bc7a002c7e9156adc Mon Sep 17 00:00:00 2001
+From: Yishai Hadas <yishaih@mellanox.com>
+Date: Thu, 10 May 2012 23:28:05 +0300
+Subject: IB/core: Fix mismatch between locked and pinned pages
+
+From: Yishai Hadas <yishaih@mellanox.com>
+
+commit c4870eb874ac16dccef40e1bc7a002c7e9156adc upstream.
+
+Commit bc3e53f682d9 ("mm: distinguish between mlocked and pinned
+pages") introduced a separate counter for pinned pages and used it in
+the IB stack. However, in ib_umem_get() the pinned counter is
+incremented, but ib_umem_release() wrongly decrements the locked
+counter. Fix this.
+
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Reviewed-by: Christoph Lameter <cl@linux.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/umem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -268,7 +268,7 @@ void ib_umem_release(struct ib_umem *ume
+ } else
+ down_write(&mm->mmap_sem);
+
+- current->mm->locked_vm -= diff;
++ current->mm->pinned_vm -= diff;
+ up_write(&mm->mmap_sem);
+ mmput(mm);
+ kfree(umem);
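Review bot: The corrected line in ib_umem_release() still updates `current->mm->pinned_vm`, while the semaphore taken just above and released just below is `mm->mmap_sem` and `mm` is what is passed to mmput(). Writing it as `mm->pinned_vm -= diff;` would make the counter, the lock and the reference visibly belong to the same mm. Presumably `mm` was obtained from `current` earlier in the function, but that part is outside the hunk. Nothing visible keeps `diff` from exceeding the counter, so a comment stating that it must equal the amount ib_umem_get() added would help anyone auditing the pinned-page accounting.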
--- /dev/null
+From 45de6767dc51358a188f75dc4ad9dfddb7fb9480 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 11 May 2012 10:56:56 +0100
+Subject: KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat
+
+From: David Howells <dhowells@redhat.com>
+
+commit 45de6767dc51358a188f75dc4ad9dfddb7fb9480 upstream.
+
+Use the 32-bit compat keyctl() syscall wrapper on Sparc64 for Sparc32 binary
+compatibility.
+
+Without this, keyctl(KEYCTL_INSTANTIATE_IOV) is liable to malfunction as it
+uses an iovec array read from userspace - though the kernel should survive this
+as it checks pointers and sizes anyway.
+
+I think all the other keyctl() function should just work, provided (a) the top
+32-bits of each 64-bit argument register are cleared prior to invoking the
+syscall routine, and the 32-bit address space is right at the 0-end of the
+64-bit address space. Most of the arguments are 32-bit anyway, and so for
+those clearing is not required.
+
+Signed-off-by: David Howells <dhowells@redhat.com
+cc: "David S. Miller" <davem@davemloft.net>
+cc: sparclinux@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sparc/Kconfig | 3 +++
+ arch/sparc/kernel/systbls_64.S | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/Kconfig
++++ b/arch/sparc/Kconfig
+@@ -590,6 +590,9 @@ config SYSVIPC_COMPAT
+ depends on COMPAT && SYSVIPC
+ default y
+
++config KEYS_COMPAT
++ def_bool y if COMPAT && KEYS
++
+ endmenu
+
+ source "net/Kconfig"
+--- a/arch/sparc/kernel/systbls_64.S
++++ b/arch/sparc/kernel/systbls_64.S
+@@ -74,7 +74,7 @@ sys_call_table32:
+ .word sys_timer_delete, compat_sys_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
+ /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
+ .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
+-/*280*/ .word sys32_tee, sys_add_key, sys_request_key, sys_keyctl, compat_sys_openat
++/*280*/ .word sys32_tee, sys_add_key, sys_request_key, compat_sys_keyctl, compat_sys_openat
+ .word sys_mkdirat, sys_mknodat, sys_fchownat, compat_sys_futimesat, compat_sys_fstatat64
+ /*290*/ .word sys_unlinkat, sys_renameat, sys_linkat, sys_symlinkat, sys_readlinkat
+ .word sys_fchmodat, sys_faccessat, compat_sys_pselect6, compat_sys_ppoll, sys_unshare
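Review bot: In the systbls_64.S hunk, the keyctl slot of sys_call_table32 now references `compat_sys_keyctl` unconditionally, while the Kconfig hunk makes KEYS_COMPAT true only when both COMPAT and KEYS are set. For a build with COMPAT enabled and KEYS disabled, the symbol has to resolve to a not-implemented stub, the way `sys_keyctl` did before. That depends on code outside this patch and should be confirmed with a KEYS=n build. The new `config KEYS_COMPAT` entry would also benefit from a one-line comment saying that it selects the 32-bit keyctl() wrapper, since it has no prompt or help text.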
--- /dev/null
+From 5bcdf5e4fee3c45e1281c25e4941f2163cb28c65 Mon Sep 17 00:00:00 2001
+From: Robert Richter <robert.richter@amd.com>
+Date: Fri, 18 May 2012 12:40:42 +0200
+Subject: perf/x86: Update event scheduling constraints for AMD family 15h models
+
+From: Robert Richter <robert.richter@amd.com>
+
+commit 5bcdf5e4fee3c45e1281c25e4941f2163cb28c65 upstream.
+
+This update is for newer family 15h cpu models from 0x02 to 0x1f.
+
+Signed-off-by: Robert Richter <robert.richter@amd.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lkml.kernel.org/r/1337337642-1621-1-git-send-email-robert.richter@amd.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_amd.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_amd.c
++++ b/arch/x86/kernel/cpu/perf_event_amd.c
+@@ -437,6 +437,7 @@ static __initconst const struct x86_pmu
+ * 0x023 DE PERF_CTL[2:0]
+ * 0x02D LS PERF_CTL[3]
+ * 0x02E LS PERF_CTL[3,0]
++ * 0x031 LS PERF_CTL[2:0] (**)
+ * 0x043 CU PERF_CTL[2:0]
+ * 0x045 CU PERF_CTL[2:0]
+ * 0x046 CU PERF_CTL[2:0]
+@@ -450,10 +451,12 @@ static __initconst const struct x86_pmu
+ * 0x0DD LS PERF_CTL[5:0]
+ * 0x0DE LS PERF_CTL[5:0]
+ * 0x0DF LS PERF_CTL[5:0]
++ * 0x1C0 EX PERF_CTL[5:3]
+ * 0x1D6 EX PERF_CTL[5:0]
+ * 0x1D8 EX PERF_CTL[5:0]
+ *
+- * (*) depending on the umask all FPU counters may be used
++ * (*) depending on the umask all FPU counters may be used
++ * (**) only one unitmask enabled at a time
+ */
+
+ static struct event_constraint amd_f15_PMC0 = EVENT_CONSTRAINT(0, 0x01, 0);
+@@ -503,6 +506,12 @@ amd_get_event_constraints_f15h(struct cp
+ return &amd_f15_PMC3;
+ case 0x02E:
+ return &amd_f15_PMC30;
++ case 0x031:
++ if (hweight_long(hwc->config & ARCH_PERFMON_EVENTSEL_UMASK) <= 1)
++ return &amd_f15_PMC20;
++ return &emptyconstraint;
++ case 0x1C0:
++ return &amd_f15_PMC53;
+ default:
+ return &amd_f15_PMC50;
+ }
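Review bot: In amd_get_event_constraints_f15h(), the new `case 0x031` returns `&emptyconstraint` when more than one unit-mask bit is set, which presumably makes the event unschedulable, and the only explanation is the `(**)` footnote in the table comment further up. A comment at the case itself, such as `/* only one unitmask bit may be set; otherwise the event cannot be scheduled */`, would save the cross-reference. `hweight_long()` is applied to a masked `hwc->config`; if that field is 64-bit, `hweight64()` states the intent without relying on the mask fitting in an unsigned long. The description limits the update to models 0x02 to 0x1f, but no model check is visible in this hunk, so it would help to say whether the new constraints also hold for earlier models.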
--- /dev/null
+From 14b9222808bb8bfefc71f72bc0dbdcf3b2f0140f Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Mon, 30 Apr 2012 15:31:29 -0500
+Subject: RDMA/cxgb4: Drop peer_abort when no endpoint found
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit 14b9222808bb8bfefc71f72bc0dbdcf3b2f0140f upstream.
+
+Log a warning and drop the abort message. Otherwise we will do a
+bogus wake_up() and crash.
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2316,6 +2316,12 @@ static int peer_abort_intr(struct c4iw_d
+ unsigned int tid = GET_TID(req);
+
+ ep = lookup_tid(t, tid);
++ if (!ep) {
++ printk(KERN_WARNING MOD
++ "Abort on non-existent endpoint, tid %d\n", tid);
++ kfree_skb(skb);
++ return 0;
++ }
+ if (is_neg_adv_abort(req->status)) {
+ PDBG("%s neg_adv_abort ep %p tid %u\n", __func__, ep,
+ ep->hwtid);
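Review bot: The new warning in peer_abort_intr() prints `tid` with `%d` although it is declared `unsigned int` a few lines above, and the PDBG call just below already uses `%u`. The message is emitted for every abort that matches no endpoint, and such aborts are presumably triggered by a remote peer, so an unthrottled printk could be driven to flood the kernel log. `printk_ratelimited(KERN_WARNING MOD "Abort on non-existent endpoint, tid %u\n", tid);` addresses both points. The function continues past the end of the hunk.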
--- /dev/null
+From d5e50a51ccbda36b379aba9d1131a852eb908dda Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Wed, 9 May 2012 09:37:30 +0200
+Subject: s390/pfault: fix task state race
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit d5e50a51ccbda36b379aba9d1131a852eb908dda upstream.
+
+When setting the current task state to TASK_UNINTERRUPTIBLE this can
+race with a different cpu. The other cpu could set the task state after
+it inspected it (while it was still TASK_RUNNING) to TASK_RUNNING which
+would change the state from TASK_UNINTERRUPTIBLE to TASK_RUNNING again.
+
+This race was always present in the pfault interrupt code but didn't
+cause anything harmful before commit f2db2e6c "[S390] pfault: cpu hotplug
+vs missing completion interrupts" which relied on the fact that after
+setting the task state to TASK_UNINTERRUPTIBLE the task would really
+sleep.
+Since this is not necessarily the case the result may be a list corruption
+of the pfault_list or, as observed, a use-after-free bug while trying to
+access the task_struct of a task which terminated itself already.
+
+To fix this, we need to get a reference of the affected task when receiving
+the initial pfault interrupt and add special handling if we receive yet
+another initial pfault interrupt when the task is already enqueued in the
+pfault list.
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Reviewed-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/fault.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -567,6 +567,7 @@ static void pfault_interrupt(unsigned in
+ tsk->thread.pfault_wait = 0;
+ list_del(&tsk->thread.list);
+ wake_up_process(tsk);
++ put_task_struct(tsk);
+ } else {
+ /* Completion interrupt was faster than initial
+ * interrupt. Set pfault_wait to -1 so the initial
+@@ -576,14 +577,22 @@ static void pfault_interrupt(unsigned in
+ put_task_struct(tsk);
+ } else {
+ /* signal bit not set -> a real page is missing. */
+- if (tsk->thread.pfault_wait == -1) {
++ if (tsk->thread.pfault_wait == 1) {
++ /* Already on the list with a reference: put to sleep */
++ set_task_state(tsk, TASK_UNINTERRUPTIBLE);
++ set_tsk_need_resched(tsk);
++ } else if (tsk->thread.pfault_wait == -1) {
+ /* Completion interrupt was faster than the initial
+ * interrupt (pfault_wait == -1). Set pfault_wait
+ * back to zero and exit. */
+ tsk->thread.pfault_wait = 0;
+ } else {
+ /* Initial interrupt arrived before completion
+- * interrupt. Let the task sleep. */
++ * interrupt. Let the task sleep.
++ * An extra task reference is needed since a different
++ * cpu may set the task state to TASK_RUNNING again
++ * before the scheduler is reached. */
++ get_task_struct(tsk);
+ tsk->thread.pfault_wait = 1;
+ list_add(&tsk->thread.list, &pfault_list);
+ set_task_state(tsk, TASK_UNINTERRUPTIBLE);
+@@ -608,6 +617,7 @@ static int __cpuinit pfault_cpu_notify(s
+ list_del(&thread->list);
+ tsk = container_of(thread, struct task_struct, thread);
+ wake_up_process(tsk);
++ put_task_struct(tsk);
+ }
+ spin_unlock_irq(&pfault_lock);
+ break;
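Review bot: The reference taken by the new get_task_struct() in pfault_interrupt() is dropped at two other places, after wake_up_process() in the completion branch and in pfault_cpu_notify(), and none of the three sites says which get it pairs with. I would extend the new comment to state the rule, e.g. `/* reference is held while the task is on pfault_list; dropped by whoever removes it */`, and add `/* drop the pfault_list reference */` at each added put_task_struct(). The new `pfault_wait == 1` branch should also say that no second reference is taken because the task is already enqueued. The pre-existing put_task_struct() visible as context in the second hunk makes the pairing easy to misread when auditing for the use-after-free the description reports. All three functions extend beyond the hunks.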
--- /dev/null
+From e42fafc25fa86c61824e8d4c5e7582316415d24f Mon Sep 17 00:00:00 2001
+From: "nagalakshmi.nandigama@lsi.com" <nagalakshmi.nandigama@lsi.com>
+Date: Tue, 20 Mar 2012 12:10:01 +0530
+Subject: SCSI: mpt2sas: Fix for panic happening because of improper memory allocation
+
+From: "nagalakshmi.nandigama@lsi.com" <nagalakshmi.nandigama@lsi.com>
+
+commit e42fafc25fa86c61824e8d4c5e7582316415d24f upstream.
+
+The ioc->pfacts member in the IOC structure is getting set to zero
+following a call to _base_get_ioc_facts due to the memset in that routine.
+So if the ioc->pfacts was read after a host reset, there would be a NULL
+pointer dereference. The routine _base_get_ioc_facts is called from context
+of host reset. The problem in _base_get_ioc_facts is the size of
+Mpi2IOCFactsReply is 64, whereas the sizeof "struct mpt2sas_facts" is 60,
+so there is a four byte overflow resulting from the memset.
+
+Also, there is memset in _base_get_port_facts using the incorrect structure,
+it should be "struct mpt2sas_port_facts" instead of Mpi2PortFactsReply.
+
+Signed-off-by: Nagalakshmi Nandigama <nagalakshmi.nandigama@lsi.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_base.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_base.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_base.c
+@@ -3056,7 +3056,7 @@ _base_get_port_facts(struct MPT2SAS_ADAP
+ }
+
+ pfacts = &ioc->pfacts[port];
+- memset(pfacts, 0, sizeof(Mpi2PortFactsReply_t));
++ memset(pfacts, 0, sizeof(struct mpt2sas_port_facts));
+ pfacts->PortNumber = mpi_reply.PortNumber;
+ pfacts->VP_ID = mpi_reply.VP_ID;
+ pfacts->VF_ID = mpi_reply.VF_ID;
+@@ -3098,7 +3098,7 @@ _base_get_ioc_facts(struct MPT2SAS_ADAPT
+ }
+
+ facts = &ioc->facts;
+- memset(facts, 0, sizeof(Mpi2IOCFactsReply_t));
++ memset(facts, 0, sizeof(struct mpt2sas_facts));
+ facts->MsgVersion = le16_to_cpu(mpi_reply.MsgVersion);
+ facts->HeaderVersion = le16_to_cpu(mpi_reply.HeaderVersion);
+ facts->VP_ID = mpi_reply.VP_ID;
+@@ -3779,7 +3779,7 @@ mpt2sas_base_attach(struct MPT2SAS_ADAPT
+ goto out_free_resources;
+
+ ioc->pfacts = kcalloc(ioc->facts.NumberOfPorts,
+- sizeof(Mpi2PortFactsReply_t), GFP_KERNEL);
++ sizeof(struct mpt2sas_port_facts), GFP_KERNEL);
+ if (!ioc->pfacts) {
+ r = -ENOMEM;
+ goto out_free_resources;
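Review bot: All three hunks replace one spelled-out type with another inside `sizeof`, which is the pattern that produced the overflow the description reports; nothing ties the size to the object being cleared or allocated. Taking the size from the pointer keeps them in step if the structures change again: `memset(pfacts, 0, sizeof(*pfacts));` in _base_get_port_facts(), `memset(facts, 0, sizeof(*facts));` in _base_get_ioc_facts(), and `sizeof(*ioc->pfacts)` as the element size in the kcalloc() call in mpt2sas_base_attach(). The surrounding functions start and end outside the hunks.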
--- /dev/null
+From 154c50ca4eb9ae472f50b6a481213e21ead4457d Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Wed, 4 Apr 2012 13:47:11 -0400
+Subject: SELinux: if sel_make_bools errors don't leave inconsistent state
+
+From: Eric Paris <eparis@redhat.com>
+
+commit 154c50ca4eb9ae472f50b6a481213e21ead4457d upstream.
+
+We reset the bool names and values array to NULL, but do not reset the
+number of entries in these arrays to 0. If we error out and then get back
+into this function we will walk these NULL pointers based on the belief
+that they are non-zero length.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/selinuxfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -1241,6 +1241,7 @@ static int sel_make_bools(void)
+ kfree(bool_pending_names[i]);
+ kfree(bool_pending_names);
+ kfree(bool_pending_values);
++ bool_num = 0;
+ bool_pending_names = NULL;
+ bool_pending_values = NULL;
+
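Review bot: The added `bool_num = 0;` in sel_make_bools() restores the invariant that the count matches the two arrays, but nothing in the hunk records that invariant, and the free loop just above depends on it. A comment on the reset, such as `/* count and arrays are reset together: a failed rebuild must not leave a non-zero count for freed arrays */`, would make the reason clear to anyone touching the error paths later. Whether other users of bool_num in selinuxfs.c are serialised against this function is not visible here and is worth confirming, since this state backs the policy booleans interface. The function body continues past the hunk.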
parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch
isdn-gigaset-ratelimit-capi-message-dumps.patch
vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch
+cfg80211-warn-if-db.txt-is-empty-with-config_cfg80211_internal_regdb.patch
+fix-blocking-allocations-called-very-early-during-bootup.patch
+s390-pfault-fix-task-state-race.patch
+scsi-mpt2sas-fix-for-panic-happening-because-of-improper-memory-allocation.patch
+rdma-cxgb4-drop-peer_abort-when-no-endpoint-found.patch
+keys-use-the-compat-keyctl-syscall-wrapper-on-sparc64-for-sparc32-compat.patch
+selinux-if-sel_make_bools-errors-don-t-leave-inconsistent-state.patch
+ib-core-fix-mismatch-between-locked-and-pinned-pages.patch
+drivers-staging-comedi-comedi_fops.c-add-missing-vfree.patch
+perf-x86-update-event-scheduling-constraints-for-amd-family-15h-models.patch