--- /dev/null
+From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010
+Message-Id: <20100105194914.321801567@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:52 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Daniel Mack <daniel@caiaq.de>,
+ Stephen Hemminger <shemminger@vyatta.com>,
+ Maithili Hinge <maithili@marvell.com>,
+ Kiran Divekar <dkiran@marvell.com>,
+ Michael Hirsch <m.hirsch@raumfeld.com>,
+ netdev@vger.kernel.org,
+ libertas-dev@lists.infradead.org,
+ linux-wireless@lists.infradead.org,
+ Holger Schurig <holgerschurig@gmail.com>,
+ Dan Williams <dcbw@redhat.com>,
+ "John W. Linville" <linville@tuxdriver.com>
+Subject: [01/10] Libertas: fix buffer overflow in lbs_get_essid()
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Daniel Mack <daniel@caiaq.de>
+
+commit 45b241689179a6065384260242637cf21dabfb2d upstream.
+
+The libertas driver copies the SSID buffer back to the wireless core and
+appends a trailing NULL character for termination. This is
+
+a) unnecessary because the buffer is allocated with kzalloc and is hence
+ already NULLed when this function is called, and
+
+b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
+ much which causes memory corruptions.
+
+Fix this by removing the extra write.
+
+Signed-off-by: Daniel Mack <daniel@caiaq.de>
+Cc: Stephen Hemminger <shemminger@vyatta.com>
+Cc: Maithili Hinge <maithili@marvell.com>
+Cc: Kiran Divekar <dkiran@marvell.com>
+Cc: Michael Hirsch <m.hirsch@raumfeld.com>
+Cc: netdev@vger.kernel.org
+Cc: libertas-dev@lists.infradead.org
+Cc: linux-wireless@lists.infradead.org
+Acked-by: Holger Schurig <holgerschurig@gmail.com>
+Acked-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/wext.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/libertas/wext.c
++++ b/drivers/net/wireless/libertas/wext.c
+@@ -1899,10 +1899,8 @@ static int lbs_get_essid(struct net_devi
+ if (priv->connect_status == LBS_CONNECTED) {
+ memcpy(extra, priv->curbssparams.ssid,
+ priv->curbssparams.ssid_len);
+- extra[priv->curbssparams.ssid_len] = '\0';
+ } else {
+ memset(extra, 0, 32);
+- extra[priv->curbssparams.ssid_len] = '\0';
+ }
+ /*
+ * If none, we may want to get the one that was set
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010
+Message-Id: <20100105194914.456262307@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:53 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>,
+ Jeff Garzik <jgarzik@redhat.com>
+Subject: [02/10] pata_cmd64x: fix overclocking of UDMA0-2 modes
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+
+commit 509426bd46ad0903dca409803e0ee3d30f99f1e8 upstream.
+
+adev->dma_mode stores the transfer mode value not UDMA mode number
+so the condition in cmd64x_set_dmamode() is always true and the higher
+UDMA clock is always selected. This can potentially result in data
+corruption when UDMA33 device is used, when 40-wire cable is used or
+when the error recovery code decides to lower the device speed down.
+
+The issue was introduced in the commit 6a40da0 ("libata cmd64x: whack
+into a shape that looks like the documentation") which goes back to
+kernel 2.6.20.
+
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/pata_cmd64x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/pata_cmd64x.c
++++ b/drivers/ata/pata_cmd64x.c
+@@ -219,7 +219,7 @@ static void cmd64x_set_dmamode(struct at
+ regU |= udma_data[adev->dma_mode - XFER_UDMA_0] << shift;
+ /* Merge the control bits */
+ regU |= 1 << adev->devno; /* UDMA on */
+- if (adev->dma_mode > 2) /* 15nS timing */
++ if (adev->dma_mode > XFER_UDMA_2) /* 15nS timing */
+ regU |= 4 << adev->devno;
+ } else {
+ regU &= ~ (1 << adev->devno); /* UDMA off */
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010
+Message-Id: <20100105194914.586693908@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:54 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Clemens Ladisch <clemens@ladisch.de>,
+ Takashi Iwai <tiwai@suse.de>
+Subject: [03/10] sound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit 3e85fd614c7b6bb7f33bb04a0dcb5a3bfca4c0fe upstream.
+
+When allocating the PCM buffer, use vmalloc_user() instead of vmalloc().
+Otherwise, it would be possible for applications to play the previous
+contents of the kernel memory to the speakers, or to read it directly if
+the buffer is exported to userspace.
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/mips/sgio2audio.c | 2 +-
+ sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c | 2 +-
+ sound/usb/usbaudio.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/mips/sgio2audio.c
++++ b/sound/mips/sgio2audio.c
+@@ -609,7 +609,7 @@ static int snd_sgio2audio_pcm_hw_params(
+ /* alloc virtual 'dma' area */
+ if (runtime->dma_area)
+ vfree(runtime->dma_area);
+- runtime->dma_area = vmalloc(size);
++ runtime->dma_area = vmalloc_user(size);
+ if (runtime->dma_area == NULL)
+ return -ENOMEM;
+ runtime->dma_bytes = size;
+--- a/sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c
++++ b/sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c
+@@ -51,7 +51,7 @@ static int snd_pcm_alloc_vmalloc_buffer(
+ return 0; /* already enough large */
+ vfree(runtime->dma_area);
+ }
+- runtime->dma_area = vmalloc_32(size);
++ runtime->dma_area = vmalloc_32_user(size);
+ if (! runtime->dma_area)
+ return -ENOMEM;
+ runtime->dma_bytes = size;
+--- a/sound/usb/usbaudio.c
++++ b/sound/usb/usbaudio.c
+@@ -740,7 +740,7 @@ static int snd_pcm_alloc_vmalloc_buffer(
+ return 0; /* already large enough */
+ vfree(runtime->dma_area);
+ }
+- runtime->dma_area = vmalloc(size);
++ runtime->dma_area = vmalloc_user(size);
+ if (!runtime->dma_area)
+ return -ENOMEM;
+ runtime->dma_bytes = size;
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010
+Message-Id: <20100105194914.719225486@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:55 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Michele Jr De Candia <michele.decandia@valueteam.com>,
+ Jean Delvare <khali@linux-fr.org>
+Subject: [04/10] i2c/tsl2550: Fix lux value in extended mode
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Michele Jr De Candia <michele.decandia@valueteam.com>
+
+commit 5f5bfb09d81c9a1d26238ae6668e584c14ae3daf upstream.
+
+According to the TAOS Application Note 'Controlling a Backlight with
+the TSL2550 Ambient Light Sensor' (page 14), the actual lux value in
+extended mode should be obtained multiplying the calculated lux value
+by 5.
+
+Signed-off-by: Michele Jr De Candia <michele.decandia@valueteam.com>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/chips/tsl2550.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/chips/tsl2550.c
++++ b/drivers/i2c/chips/tsl2550.c
+@@ -277,6 +277,7 @@ static DEVICE_ATTR(operating_mode, S_IWU
+
+ static ssize_t __tsl2550_show_lux(struct i2c_client *client, char *buf)
+ {
++ struct tsl2550_data *data = i2c_get_clientdata(client);
+ u8 ch0, ch1;
+ int ret;
+
+@@ -296,6 +297,8 @@ static ssize_t __tsl2550_show_lux(struct
+ ret = tsl2550_calculate_lux(ch0, ch1);
+ if (ret < 0)
+ return ret;
++ if (data->operating_mode == 1)
++ ret *= 5;
+
+ return sprintf(buf, "%d\n", ret);
+ }
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010
+Message-Id: <20100105194914.844399696@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:56 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Patrick McHardy <kaber@trash.net>
+Subject: [05/10] ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Patrick McHardy <kaber@trash.net>
+
+commit 0b5ccb2ee250136dd7385b1c7da28417d0d4d32d upstream.
+
+Currently the same reassembly queue might be used for packets reassembled
+by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT),
+as well as local delivery. This can cause "packet jumps" when the fragment
+completing a reassembled packet is queued from a different position in the
+stack than the previous ones.
+
+Add a "user" identifier to the reassembly queue key to seperate the queues
+of each caller, similar to what we do for IPv4.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/ipv6.h | 7 +++++++
+ include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 2 +-
+ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 13 +++++++++++--
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 7 ++++---
+ net/ipv6/reassembly.c | 5 ++++-
+ 5 files changed, 27 insertions(+), 7 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -342,8 +342,15 @@ static inline int ipv6_prefix_equal(cons
+
+ struct inet_frag_queue;
+
++enum ip6_defrag_users {
++ IP6_DEFRAG_LOCAL_DELIVER,
++ IP6_DEFRAG_CONNTRACK_IN,
++ IP6_DEFRAG_CONNTRACK_OUT,
++};
++
+ struct ip6_create_arg {
+ __be32 id;
++ u32 user;
+ struct in6_addr *src;
+ struct in6_addr *dst;
+ };
+--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
++++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+@@ -9,7 +9,7 @@ extern struct nf_conntrack_l4proto nf_co
+
+ extern int nf_ct_frag6_init(void);
+ extern void nf_ct_frag6_cleanup(void);
+-extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb);
++extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);
+ extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
+ struct net_device *in,
+ struct net_device *out,
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -183,6 +183,16 @@ out:
+ return nf_conntrack_confirm(skb);
+ }
+
++static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
++ struct sk_buff *skb)
++{
++ if (hooknum == NF_INET_PRE_ROUTING)
++ return IP6_DEFRAG_CONNTRACK_IN;
++ else
++ return IP6_DEFRAG_CONNTRACK_OUT;
++
++}
++
+ static unsigned int ipv6_defrag(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+@@ -195,8 +205,7 @@ static unsigned int ipv6_defrag(unsigned
+ if (skb->nfct)
+ return NF_ACCEPT;
+
+- reasm = nf_ct_frag6_gather(skb);
+-
++ reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));
+ /* queued */
+ if (reasm == NULL)
+ return NF_STOLEN;
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -198,13 +198,14 @@ out:
+ /* Creation primitives. */
+
+ static __inline__ struct nf_ct_frag6_queue *
+-fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst)
++fq_find(__be32 id, u32 user, struct in6_addr *src, struct in6_addr *dst)
+ {
+ struct inet_frag_queue *q;
+ struct ip6_create_arg arg;
+ unsigned int hash;
+
+ arg.id = id;
++ arg.user = user;
+ arg.src = src;
+ arg.dst = dst;
+
+@@ -589,7 +590,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *
+ return 0;
+ }
+
+-struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb)
++struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
+ {
+ struct sk_buff *clone;
+ struct net_device *dev = skb->dev;
+@@ -635,7 +636,7 @@ struct sk_buff *nf_ct_frag6_gather(struc
+ if (atomic_read(&nf_init_frags.mem) > nf_init_frags.high_thresh)
+ nf_ct_frag6_evictor();
+
+- fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr);
++ fq = fq_find(fhdr->identification, user, &hdr->saddr, &hdr->daddr);
+ if (fq == NULL) {
+ pr_debug("Can't find and can't create new queue\n");
+ goto ret_orig;
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -72,6 +72,7 @@ struct frag_queue
+ struct inet_frag_queue q;
+
+ __be32 id; /* fragment id */
++ u32 user;
+ struct in6_addr saddr;
+ struct in6_addr daddr;
+
+@@ -140,7 +141,7 @@ int ip6_frag_match(struct inet_frag_queu
+ struct ip6_create_arg *arg = a;
+
+ fq = container_of(q, struct frag_queue, q);
+- return (fq->id == arg->id &&
++ return (fq->id == arg->id && fq->user == arg->user &&
+ ipv6_addr_equal(&fq->saddr, arg->src) &&
+ ipv6_addr_equal(&fq->daddr, arg->dst));
+ }
+@@ -162,6 +163,7 @@ void ip6_frag_init(struct inet_frag_queu
+ struct ip6_create_arg *arg = a;
+
+ fq->id = arg->id;
++ fq->user = arg->user;
+ ipv6_addr_copy(&fq->saddr, arg->src);
+ ipv6_addr_copy(&fq->daddr, arg->dst);
+ }
+@@ -243,6 +245,7 @@ fq_find(struct net *net, __be32 id, stru
+ unsigned int hash;
+
+ arg.id = id;
++ arg.user = IP6_DEFRAG_LOCAL_DELIVER;
+ arg.src = src;
+ arg.dst = dst;
+
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010
+Message-Id: <20100105194914.976056797@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:57 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Stefan Weinhuber <wein@de.ibm.com>,
+ Martin Schwidefsky <schwidefsky@de.ibm.com>,
+ Stephen Powell <zlinuxman@wowway.com>
+Subject: [06/10] S390: dasd: support DIAG access for read-only devices
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Stefan Weinhuber <wein@de.ibm.com>
+
+commit 22825ab7693fd29769518a0d25ba43c01a50092a upstream.
+
+When a DASD device is used with the DIAG discipline, the DIAG
+initialization will indicate success or error with a respective
+return code. So far we have interpreted a return code of 4 as error,
+but it actually means that the initialization was successful, but
+the device is read-only. To allow read-only devices to be used with
+DIAG we need to accept a return code of 4 as success.
+
+Re-initialization of the DIAG access is also part of the DIAG error
+recovery. If we find that the access mode of a device has been
+changed from writable to read-only while the device was in use,
+we print an error message.
+
+Signed-off-by: Stefan Weinhuber <wein@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Stephen Powell <zlinuxman@wowway.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/s390/block/dasd_diag.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/block/dasd_diag.c
++++ b/drivers/s390/block/dasd_diag.c
+@@ -143,6 +143,15 @@ dasd_diag_erp(struct dasd_device *device
+
+ mdsk_term_io(device);
+ rc = mdsk_init_io(device, device->block->bp_block, 0, NULL);
++ if (rc == 4) {
++ if (!(device->features & DASD_FEATURE_READONLY)) {
++ dev_warn(&device->cdev->dev,
++ "The access mode of a DIAG device changed"
++ " to read-only");
++ device->features |= DASD_FEATURE_READONLY;
++ }
++ rc = 0;
++ }
+ if (rc)
+ DEV_MESSAGE(KERN_WARNING, device, "DIAG ERP unsuccessful, "
+ "rc=%d", rc);
+@@ -432,16 +441,20 @@ dasd_diag_check_device(struct dasd_devic
+ for (sb = 512; sb < bsize; sb = sb << 1)
+ block->s2b_shift++;
+ rc = mdsk_init_io(device, block->bp_block, 0, NULL);
+- if (rc) {
++ if (rc && (rc != 4)) {
+ DEV_MESSAGE(KERN_WARNING, device, "DIAG initialization "
+ "failed (rc=%d)", rc);
+ rc = -EIO;
+ } else {
++ if (rc == 4)
++ device->features |= DASD_FEATURE_READONLY;
+ DEV_MESSAGE(KERN_INFO, device,
+- "(%ld B/blk): %ldkB",
++ "(%ld B/blk): %ldkB%s",
+ (unsigned long) block->bp_block,
+ (unsigned long) (block->blocks <<
+- block->s2b_shift) >> 1);
++ block->s2b_shift) >> 1,
++ (rc == 4) ? ", read-only device" : "");
++ rc = 0;
+ }
+ out_label:
+ free_page((long) label);
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010
+Message-Id: <20100105194915.108147616@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:58 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Roland McGrath <roland@redhat.com>
+Subject: [07/10] x86/ptrace: make genregs[32]_get/set more robust
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 04a1e62c2cec820501f93526ad1e46073b802dc4 upstream.
+
+The loop condition is fragile: we compare an unsigned value to zero, and
+then decrement it by something larger than one in the loop. All the
+callers should be passing in appropriately aligned buffer lengths, but
+it's better to just not rely on it, and have some appropriate defensive
+loop limits.
+
+Acked-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/ptrace.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -416,14 +416,14 @@ static int genregs_get(struct task_struc
+ {
+ if (kbuf) {
+ unsigned long *k = kbuf;
+- while (count > 0) {
++ while (count >= sizeof(*k)) {
+ *k++ = getreg(target, pos);
+ count -= sizeof(*k);
+ pos += sizeof(*k);
+ }
+ } else {
+ unsigned long __user *u = ubuf;
+- while (count > 0) {
++ while (count >= sizeof(*u)) {
+ if (__put_user(getreg(target, pos), u++))
+ return -EFAULT;
+ count -= sizeof(*u);
+@@ -442,14 +442,14 @@ static int genregs_set(struct task_struc
+ int ret = 0;
+ if (kbuf) {
+ const unsigned long *k = kbuf;
+- while (count > 0 && !ret) {
++ while (count >= sizeof(*k) && !ret) {
+ ret = putreg(target, pos, *k++);
+ count -= sizeof(*k);
+ pos += sizeof(*k);
+ }
+ } else {
+ const unsigned long __user *u = ubuf;
+- while (count > 0 && !ret) {
++ while (count >= sizeof(*u) && !ret) {
+ unsigned long word;
+ ret = __get_user(word, u++);
+ if (ret)
+@@ -1159,14 +1159,14 @@ static int genregs32_get(struct task_str
+ {
+ if (kbuf) {
+ compat_ulong_t *k = kbuf;
+- while (count > 0) {
++ while (count >= sizeof(*k)) {
+ getreg32(target, pos, k++);
+ count -= sizeof(*k);
+ pos += sizeof(*k);
+ }
+ } else {
+ compat_ulong_t __user *u = ubuf;
+- while (count > 0) {
++ while (count >= sizeof(*u)) {
+ compat_ulong_t word;
+ getreg32(target, pos, &word);
+ if (__put_user(word, u++))
+@@ -1187,14 +1187,14 @@ static int genregs32_set(struct task_str
+ int ret = 0;
+ if (kbuf) {
+ const compat_ulong_t *k = kbuf;
+- while (count > 0 && !ret) {
++ while (count >= sizeof(*k) && !ret) {
+ ret = putreg32(target, pos, *k++);
+ count -= sizeof(*k);
+ pos += sizeof(*k);
+ }
+ } else {
+ const compat_ulong_t __user *u = ubuf;
+- while (count > 0 && !ret) {
++ while (count >= sizeof(*u) && !ret) {
+ compat_ulong_t word;
+ ret = __get_user(word, u++);
+ if (ret)
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010
+Message-Id: <20100105194915.239350321@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:47:59 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Gertjan van Wingerde <gwingerde@gmail.com>,
+ Ivo van Doorn <IvDoorn@gmail.com>,
+ "John W. Linville" <linville@tuxdriver.com>
+Subject: [08/10] rt2x00: Disable powersaving for rt61pci and rt2800pci.
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Gertjan van Wingerde <gwingerde@gmail.com>
+
+commit 93b6bd26b74efe46b4579592560f9f1cb7b61994 upstream.
+
+We've had many reports of rt61pci failures with powersaving enabled.
+Therefore, as a stop-gap measure, disable powersaving of the rt61pci
+until we have found a proper solution.
+Also disable powersaving on rt2800pci as it most probably will show
+the same problem.
+
+Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt61pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/rt2x00/rt61pci.c
++++ b/drivers/net/wireless/rt2x00/rt61pci.c
+@@ -2281,6 +2281,11 @@ static void rt61pci_probe_hw_mode(struct
+ unsigned int i;
+
+ /*
++ * Disable powersaving as default.
++ */
++ rt2x00dev->hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
++
++ /*
+ * Initialize all hw fields.
+ */
+ rt2x00dev->hw->flags =
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010
+Message-Id: <20100105194915.376656312@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:48:00 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: "Serge E. Hallyn" <serue@us.ibm.com>
+Subject: [09/10] generic_permission: MAY_OPEN is not write access
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Serge E. Hallyn <serue@us.ibm.com>
+
+commit 7ea6600148c265b1fd53e521022b1d7aec81d974 upstream.
+
+generic_permission was refusing CAP_DAC_READ_SEARCH-enabled
+processes from opening DAC-protected files read-only, because
+do_filp_open adds MAY_OPEN to the open mask.
+
+Ignore MAY_OPEN. After this patch, CAP_DAC_READ_SEARCH is
+again sufficient to open(fname, O_RDONLY) on a file to which
+DAC otherwise refuses us read permission.
+
+Reported-by: Mike Kazantsev <mk.fraggod@gmail.com>
+Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
+Tested-by: Mike Kazantsev <mk.fraggod@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -220,6 +220,7 @@ int generic_permission(struct inode *ino
+ /*
+ * Searching includes executable on directories, else just read.
+ */
++ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
+ if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
+ if (capable(CAP_DAC_READ_SEARCH))
+ return 0;
+
+
+From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010
+Message-Id: <20100105194915.508413494@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Tue, 05 Jan 2010 11:48:01 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ akpm@linux-foundation.org,
+ torvalds@linux-foundation.org,
+ stable-review@kernel.org
+Cc: Gleb Natapov <gleb@redhat.com>,
+ Avi Kivity <avi@redhat.com>
+Subject: [10/10] Revert: KVM: MMU: do not free active mmu pages in free_mmu_pages()
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+This reverts the commit d2127c8300fb1ec54af56faee17170e7a525326d, which was
+the commit f00be0cae4e6ad0a8c7be381c6d9be3586800b3e upstream.
+
+This was done based on comments saying it was causing problems.
+
+Cc: Gleb Natapov <gleb@redhat.com>
+Cc: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ arch/x86/kvm/mmu.c | 8 ++++++++
+ virt/kvm/kvm_main.c | 2 --
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1995,6 +1995,14 @@ EXPORT_SYMBOL_GPL(kvm_disable_tdp);
+
+ static void free_mmu_pages(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_mmu_page *sp;
++
++ while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
++ sp = container_of(vcpu->kvm->arch.active_mmu_pages.next,
++ struct kvm_mmu_page, link);
++ kvm_mmu_zap_page(vcpu->kvm, sp);
++ cond_resched();
++ }
+ free_page((unsigned long)vcpu->arch.mmu.pae_root);
+ }
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -406,8 +406,6 @@ static void kvm_destroy_vm(struct kvm *k
+ #endif
+ #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
+ mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
+-#else
+- kvm_arch_flush_shadow(kvm);
+ #endif
+ kvm_arch_destroy_vm(kvm);
+ mmdrop(mm);
+
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
