--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 28 16:28:03 2007
+From: Jean Delvare <khali@linux-fr.org>
+Date: Wed, 28 Nov 2007 16:21:35 -0800
+Subject: fb_ddc: fix DDC lines quirk
+To: torvalds@linux-foundation.org
+Cc: rleigh@whinlatter.ukfsn.org, benh@kernel.crashing.org, mb@bu3sch.de, khali@linux-fr.org, adaplas@pol.net, akpm@linux-foundation.org, stable@kernel.org
+Message-ID: <200711290021.lAT0LZgT026655@imap1.linux-foundation.org>
+
+
+From: Jean Delvare <khali@linux-fr.org>
+
+patch b64d70825abbf706bbe80be1b11b09514b71f45e in mainline.
+
+The code in fb_ddc_read() is said to be based on the implementation of the
+radeon driver:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc5891c8a3ba284f13994d7bc1f1bfa8283982de
+
+However, comparing the old radeon driver code with the new fb_ddc code
+reveals some differences. Most notably, the I2C bus lines are held at the
+end of the function, while the original code was releasing them (as the
+comment above correctly says.)
+
+There are a few other differences, which appear to be responsible for read
+failures on my system. While tracing low-level I2C code in i2c-algo-bit, I
+noticed that the initial attempt to read the EDID always failed. It takes
+one retry for the read to succeed. As we are about to remove this
+automatic retry property from i2c-algo-bit, reading the EDID would really
+fail.
+
+As a summary, the I2C lines quirk which is supposedly needed to read EDID
+on some older monitors is currently breaking the (first) read on all other
+monitors (and might not even work with older ones - did anyone try since
+October 2006?)
+
+After applying the patch below, which makes the code in fb_ddc_read()
+really similar to what the radeon driver used to have, the first EDID read
+succeeds again.
+
+On top of that, as it appears that this code has been broken for one year
+now and nobody seems to have complained, I'm curious if it makes sense to
+keep this quirk in place. It makes the code more complex and slower just
+for the sake of monitors which I guess nobody uses anymore. Can't we just
+get rid of it?
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Tested-by: Roger Leigh <rleigh@whinlatter.ukfsn.org>
+Tested-by: Michael Buesch <mb@bu3sch.de>
+Cc: "Antonino A. Daplas" <adaplas@pol.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/fb_ddc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fb_ddc.c
++++ b/drivers/video/fb_ddc.c
+@@ -56,13 +56,12 @@ unsigned char *fb_ddc_read(struct i2c_ad
+ int i, j;
+
+ algo_data->setscl(algo_data->data, 1);
+- algo_data->setscl(algo_data->data, 0);
+
+ for (i = 0; i < 3; i++) {
+ /* For some old monitors we need the
+ * following process to initialize/stop DDC
+ */
+- algo_data->setsda(algo_data->data, 0);
++ algo_data->setsda(algo_data->data, 1);
+ msleep(13);
+
+ algo_data->setscl(algo_data->data, 1);
+@@ -97,14 +96,15 @@ unsigned char *fb_ddc_read(struct i2c_ad
+ algo_data->setsda(algo_data->data, 1);
+ msleep(15);
+ algo_data->setscl(algo_data->data, 0);
++ algo_data->setsda(algo_data->data, 0);
+ if (edid)
+ break;
+ }
+ /* Release the DDC lines when done or the Apple Cinema HD display
+ * will switch off
+ */
+- algo_data->setsda(algo_data->data, 0);
+- algo_data->setscl(algo_data->data, 0);
++ algo_data->setsda(algo_data->data, 1);
++ algo_data->setscl(algo_data->data, 1);
+
+ return edid;
+ }
--- /dev/null
+From 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 Mon Sep 17 00:00:00 2001
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+Date: Wed, 21 Nov 2007 15:02:58 -0800
+Subject: forcedeth boot delay fix
+
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+
+patch 9e555930bd873d238f5f7b9d76d3bf31e6e3ce93 in mainline.
+
+Fix a long boot delay in the forcedeth driver. During initialization, the
+timeout for the handshake between mgmt unit and driver can be very long.
+The patch reduces the timeout by eliminating a extra loop around the
+timeout logic.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9308
+
+Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
+Cc: Alex Howells <astinus@gentoo.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/forcedeth.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/forcedeth.c
++++ b/drivers/net/forcedeth.c
+@@ -5283,19 +5283,15 @@ static int __devinit nv_probe(struct pci
+ if (readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_PHY_INIT) {
+ np->mac_in_use = readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_MGMT_ST;
+ dprintk(KERN_INFO "%s: mgmt unit is running. mac in use %x.\n", pci_name(pci_dev), np->mac_in_use);
+- for (i = 0; i < 5000; i++) {
+- msleep(1);
+- if (nv_mgmt_acquire_sema(dev)) {
+- /* management unit setup the phy already? */
+- if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) ==
+- NVREG_XMITCTL_SYNC_PHY_INIT) {
+- /* phy is inited by mgmt unit */
+- phyinitialized = 1;
+- dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev));
+- } else {
+- /* we need to init the phy */
+- }
+- break;
++ if (nv_mgmt_acquire_sema(dev)) {
++ /* management unit setup the phy already? */
++ if ((readl(base + NvRegTransmitterControl) & NVREG_XMITCTL_SYNC_MASK) ==
++ NVREG_XMITCTL_SYNC_PHY_INIT) {
++ /* phy is inited by mgmt unit */
++ phyinitialized = 1;
++ dprintk(KERN_INFO "%s: Phy already initialized by mgmt unit.\n", pci_name(pci_dev));
++ } else {
++ /* we need to init the phy */
+ }
+ }
+ }
--- /dev/null
+From 490dde8990c55662596a4be71b5070bd7d382d4a Mon Sep 17 00:00:00 2001
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+Date: Fri, 23 Nov 2007 20:54:01 -0500
+Subject: forcedeth: new mcp79 pci ids
+
+From: Ayaz Abdulla <aabdulla@nvidia.com>
+
+patch 490dde8990c55662596a4be71b5070bd7d382d4a in mainline.
+
+This patch adds new device ids and features for mcp79 devices into the
+forcedeth driver.
+
+Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+index 92ce2e3..f9ba0ac 100644
+---
+ drivers/net/forcedeth.c | 16 ++++++++++++++++
+ include/linux/pci_ids.h | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+--- a/drivers/net/forcedeth.c
++++ b/drivers/net/forcedeth.c
+@@ -5553,6 +5553,22 @@ static struct pci_device_id pci_tbl[] =
+ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_27),
+ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_HIGH_DMA|DEV_HAS_POWER_CNTRL|DEV_HAS_MSI|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
+ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_36),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_37),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_38),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
++ { /* MCP79 Ethernet Controller */
++ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_39),
++ .driver_data = DEV_NEED_TIMERIRQ|DEV_NEED_LINKTIMER|DEV_HAS_CHECKSUM|DEV_HAS_HIGH_DMA|DEV_HAS_MSI|DEV_HAS_POWER_CNTRL|DEV_HAS_PAUSEFRAME_TX|DEV_HAS_STATISTICS_V2|DEV_HAS_TEST_EXTENDED|DEV_HAS_MGMT_UNIT,
++ },
+ {0,},
+ };
+
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -1239,6 +1239,10 @@
+ #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP67_IDE 0x0560
+ #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP73_IDE 0x056C
+ #define PCI_DEVICE_ID_NVIDIA_NFORCE_MCP77_IDE 0x0759
++#define PCI_DEVICE_ID_NVIDIA_NVENET_36 0x0AB0
++#define PCI_DEVICE_ID_NVIDIA_NVENET_37 0x0AB1
++#define PCI_DEVICE_ID_NVIDIA_NVENET_38 0x0AB2
++#define PCI_DEVICE_ID_NVIDIA_NVENET_39 0x0AB3
+
+ #define PCI_VENDOR_ID_IMS 0x10e0
+ #define PCI_DEVICE_ID_IMS_TT128 0x9128
--- /dev/null
+From ce6bd420f43b28038a2c6e8fbb86ad24014727b6 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <srostedt@redhat.com>
+Date: Wed, 5 Dec 2007 15:46:09 +0100
+Subject: [PATCH] futex: fix for futex_wait signal stack corruption
+
+From Steven Rostedt <srostedt@redhat.com>
+
+patch ce6bd420f43b28038a2c6e8fbb86ad24014727b6 in mainline.
+
+David Holmes found a bug in the -rt tree with respect to
+pthread_cond_timedwait. After trying his test program on the latest git
+from mainline, I found the bug was there too. The bug he was seeing
+that his test program showed, was that if one were to do a "Ctrl-Z" on a
+process that was in the pthread_cond_timedwait, and then did a "bg" on
+that process, it would return with a "-ETIMEDOUT" but early. That is,
+the timer would go off early.
+
+Looking into this, I found the source of the problem. And it is a rather
+nasty bug at that.
+
+Here's the relevant code from kernel/futex.c: (not in order in the file)
+
+[...]
+smlinkage long sys_futex(u32 __user *uaddr, int op, u32 val,
+ struct timespec __user *utime, u32 __user *uaddr2,
+ u32 val3)
+{
+ struct timespec ts;
+ ktime_t t, *tp = NULL;
+ u32 val2 = 0;
+ int cmd = op & FUTEX_CMD_MASK;
+
+ if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI)) {
+ if (copy_from_user(&ts, utime, sizeof(ts)) != 0)
+ return -EFAULT;
+ if (!timespec_valid(&ts))
+ return -EINVAL;
+
+ t = timespec_to_ktime(ts);
+ if (cmd == FUTEX_WAIT)
+ t = ktime_add(ktime_get(), t);
+ tp = &t;
+ }
+[...]
+ return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
+}
+
+[...]
+
+long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+ u32 __user *uaddr2, u32 val2, u32 val3)
+{
+ int ret;
+ int cmd = op & FUTEX_CMD_MASK;
+ struct rw_semaphore *fshared = NULL;
+
+ if (!(op & FUTEX_PRIVATE_FLAG))
+ fshared = ¤t->mm->mmap_sem;
+
+ switch (cmd) {
+ case FUTEX_WAIT:
+ ret = futex_wait(uaddr, fshared, val, timeout);
+
+[...]
+
+static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
+ u32 val, ktime_t *abs_time)
+{
+[...]
+ struct restart_block *restart;
+ restart = ¤t_thread_info()->restart_block;
+ restart->fn = futex_wait_restart;
+ restart->arg0 = (unsigned long)uaddr;
+ restart->arg1 = (unsigned long)val;
+ restart->arg2 = (unsigned long)abs_time;
+ restart->arg3 = 0;
+ if (fshared)
+ restart->arg3 |= ARG3_SHARED;
+ return -ERESTART_RESTARTBLOCK;
+[...]
+
+static long futex_wait_restart(struct restart_block *restart)
+{
+ u32 __user *uaddr = (u32 __user *)restart->arg0;
+ u32 val = (u32)restart->arg1;
+ ktime_t *abs_time = (ktime_t *)restart->arg2;
+ struct rw_semaphore *fshared = NULL;
+
+ restart->fn = do_no_restart_syscall;
+ if (restart->arg3 & ARG3_SHARED)
+ fshared = ¤t->mm->mmap_sem;
+ return (long)futex_wait(uaddr, fshared, val, abs_time);
+}
+
+So when the futex_wait is interrupt by a signal we break out of the
+hrtimer code and set up or return from signal. This code does not return
+back to userspace, so we set up a RESTARTBLOCK. The bug here is that we
+save the "abs_time" which is a pointer to the stack variable "ktime_t t"
+from sys_futex.
+
+This returns and unwinds the stack before we get to call our signal. On
+return from the signal we go to futex_wait_restart, where we update all
+the parameters for futex_wait and call it. But here we have a problem
+where abs_time is no longer valid.
+
+I verified this with print statements, and sure enough, what abs_time
+was set to ends up being garbage when we get to futex_wait_restart.
+
+The solution I did to solve this (with input from Linus Torvalds)
+was to add unions to the restart_block to allow system calls to
+use the restart with specific parameters. This way the futex code now
+saves the time in a 64bit value in the restart block instead of storing
+it on the stack.
+
+Note: I'm a bit nervious to add "linux/types.h" and use u32 and u64
+in thread_info.h, when there's a #ifdef __KERNEL__ just below that.
+Not sure what that is there for. If this turns out to be a problem, I've
+tested this with using "unsigned int" for u32 and "unsigned long long" for
+u64 and it worked just the same. I'm using u32 and u64 just to be
+consistent with what the futex code uses.
+
+Signed-off-by: Steven Rostedt <srostedt@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/thread_info.h | 17 +++++++++++++++--
+ kernel/futex.c | 25 +++++++++++++------------
+ 2 files changed, 28 insertions(+), 14 deletions(-)
+
+--- a/include/linux/thread_info.h
++++ b/include/linux/thread_info.h
+@@ -7,12 +7,25 @@
+ #ifndef _LINUX_THREAD_INFO_H
+ #define _LINUX_THREAD_INFO_H
+
++#include <linux/types.h>
++
+ /*
+- * System call restart block.
++ * System call restart block.
+ */
+ struct restart_block {
+ long (*fn)(struct restart_block *);
+- unsigned long arg0, arg1, arg2, arg3;
++ union {
++ struct {
++ unsigned long arg0, arg1, arg2, arg3;
++ };
++ /* For futex_wait */
++ struct {
++ u32 *uaddr;
++ u32 val;
++ u32 flags;
++ u64 time;
++ } futex;
++ };
+ };
+
+ extern long do_no_restart_syscall(struct restart_block *parm);
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1129,9 +1129,9 @@ static int fixup_pi_state_owner(u32 __us
+
+ /*
+ * In case we must use restart_block to restart a futex_wait,
+- * we encode in the 'arg3' shared capability
++ * we encode in the 'flags' shared capability
+ */
+-#define ARG3_SHARED 1
++#define FLAGS_SHARED 1
+
+ static long futex_wait_restart(struct restart_block *restart);
+ static int futex_wait(u32 __user *uaddr, struct rw_semaphore *fshared,
+@@ -1272,12 +1272,13 @@ static int futex_wait(u32 __user *uaddr,
+ struct restart_block *restart;
+ restart = ¤t_thread_info()->restart_block;
+ restart->fn = futex_wait_restart;
+- restart->arg0 = (unsigned long)uaddr;
+- restart->arg1 = (unsigned long)val;
+- restart->arg2 = (unsigned long)abs_time;
+- restart->arg3 = 0;
++ restart->futex.uaddr = (u32 *)uaddr;
++ restart->futex.val = val;
++ restart->futex.time = abs_time->tv64;
++ restart->futex.flags = 0;
++
+ if (fshared)
+- restart->arg3 |= ARG3_SHARED;
++ restart->futex.flags |= FLAGS_SHARED;
+ return -ERESTART_RESTARTBLOCK;
+ }
+
+@@ -1293,15 +1294,15 @@ static int futex_wait(u32 __user *uaddr,
+
+ static long futex_wait_restart(struct restart_block *restart)
+ {
+- u32 __user *uaddr = (u32 __user *)restart->arg0;
+- u32 val = (u32)restart->arg1;
+- ktime_t *abs_time = (ktime_t *)restart->arg2;
++ u32 __user *uaddr = (u32 __user *)restart->futex.uaddr;
+ struct rw_semaphore *fshared = NULL;
++ ktime_t t;
+
++ t.tv64 = restart->futex.time;
+ restart->fn = do_no_restart_syscall;
+- if (restart->arg3 & ARG3_SHARED)
++ if (restart->futex.flags & FLAGS_SHARED)
+ fshared = ¤t->mm->mmap_sem;
+- return (long)futex_wait(uaddr, fshared, val, abs_time);
++ return (long)futex_wait(uaddr, fshared, restart->futex.val, &t);
+ }
+
+
--- /dev/null
+From 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 7 Dec 2007 19:16:17 +0100
+Subject: hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline
+
+Relative hrtimers with a large timeout value might end up as negative
+timer values, when the current time is added in hrtimer_start().
+
+This in turn is causing the clockevents_set_next() function to set an
+huge timeout and sleep for quite a long time when we have a clock
+source which is capable of long sleeps like HPET. With PIT this almost
+goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code
+sorts this out in the next timer interrupt, so we never noticed that
+problem which has been there since the first day of hrtimers.
+
+This bug became more apparent in 2.6.24 which activates HPET on more
+hardware.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/hrtimer.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -825,6 +825,14 @@ hrtimer_start(struct hrtimer *timer, kti
+ #ifdef CONFIG_TIME_LOW_RES
+ tim = ktime_add(tim, base->resolution);
+ #endif
++ /*
++ * Careful here: User space might have asked for a
++ * very long sleep, so the add above might result in a
++ * negative number, which enqueues the timer in front
++ * of the queue.
++ */
++ if (tim.tv64 < 0)
++ tim.tv64 = KTIME_MAX;
+ }
+ timer->expires = tim;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Dec 1 12:17:01 2007
+From: akpm@linux-foundation.org
+Date: Sat, 01 Dec 2007 12:16:15 -0800
+Subject: I4L: fix isdn_ioctl memory overrun vulnerability
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, adlab@venustech.com.cn, kkeil@suse.de, stable@kernel.org
+Message-ID: <200712012016.lB1KGFmF005739@imap1.linux-foundation.org>
+
+
+From: Karsten Keil <kkeil@suse.de>
+
+patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline.
+
+Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB
+<adlab@venustech.com.cn>
+
+Signed-off-by: Karsten Keil <kkeil@suse.de>
+Cc: ADLAB <adlab@venustech.com.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/isdn/i4l/isdn_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1514,6 +1514,7 @@ isdn_ioctl(struct inode *inode, struct f
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
+@@ -1598,6 +1599,7 @@ isdn_ioctl(struct inode *inode, struct f
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ drvidx = -1;
+ for (i = 0; i < ISDN_MAX_DRIVERS; i++)
+@@ -1642,7 +1644,7 @@ isdn_ioctl(struct inode *inode, struct f
+ } else {
+ p = (char __user *) iocts.arg;
+ for (i = 0; i < 10; i++) {
+- sprintf(bname, "%s%s",
++ snprintf(bname, sizeof(bname), "%s%s",
+ strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+ dev->drv[drvidx]->msn2eaz[i] : "_",
+ (i < 9) ? "," : "\0");
+@@ -1672,6 +1674,7 @@ isdn_ioctl(struct inode *inode, struct f
+ char *p;
+ if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
--- /dev/null
+From 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 Mon Sep 17 00:00:00 2001
+From: Karsten Keil <kkeil@suse.de>
+Date: Thu, 22 Nov 2007 12:43:13 +0100
+Subject: isdn: avoid copying overly-long strings
+Message-ID: <20071122120142.GA2407@pingi.kke.suse.de>
+
+From: Karsten Keil <kkeil@suse.de>
+
+patch 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 in mainline.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416
+
+Signed-off-by: Karsten Keil <kkeil@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/isdn/i4l/isdn_net.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2126,7 +2126,7 @@ isdn_net_find_icall(int di, int ch, int
+ u_long flags;
+ isdn_net_dev *p;
+ isdn_net_phone *n;
+- char nr[32];
++ char nr[ISDN_MSNLEN];
+ char *my_eaz;
+
+ /* Search name in netdev-chain */
+@@ -2135,7 +2135,7 @@ isdn_net_find_icall(int di, int ch, int
+ nr[1] = '\0';
+ printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n");
+ } else
+- strcpy(nr, setup->phone);
++ strlcpy(nr, setup->phone, ISDN_MSNLEN);
+ si1 = (int) setup->si1;
+ si2 = (int) setup->si2;
+ if (!setup->eazmsn[0]) {
+@@ -2802,7 +2802,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg
+ chidx = -1;
+ }
+ }
+- strcpy(lp->msn, cfg->eaz);
++ strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn));
+ lp->pre_device = drvidx;
+ lp->pre_channel = chidx;
+ lp->onhtime = cfg->onhtime;
+@@ -2951,7 +2951,7 @@ isdn_net_addphone(isdn_net_ioctl_phone *
+ if (p) {
+ if (!(n = kmalloc(sizeof(isdn_net_phone), GFP_KERNEL)))
+ return -ENOMEM;
+- strcpy(n->num, phone->phone);
++ strlcpy(n->num, phone->phone, sizeof(n->num));
+ n->next = p->local->phone[phone->outgoing & 1];
+ p->local->phone[phone->outgoing & 1] = n;
+ return 0;
--- /dev/null
+From herbert@gondor.apana.org.au Wed Nov 14 17:07:36 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 15 Nov 2007 09:07:23 +0800
+Subject: libcrc32c: keep intermediate crc state in cpu order
+To: Greg KH <greg@kroah.com>
+Cc: stable@kernel.org
+Message-ID: <20071115010723.GA20904@gondor.apana.org.au>
+Content-Disposition: inline
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+It's upstream changeset ef19454bd437b2ba14c9cda1de85debd9f383484.
+
+[LIB] crc32c: Keep intermediate crc state in cpu order
+
+crypto/crc32.c:chksum_final() is computing the digest as
+*(__le32 *)out = ~cpu_to_le32(mctx->crc);
+so the low-level crc32c_le routines should just keep
+the crc in cpu order, otherwise it is getting swabbed
+one too many times on big-endian machines.
+
+Signed-off-by: Benny Halevy <bhalevy@fs1.bhalevy.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/libcrc32c.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/lib/libcrc32c.c
++++ b/lib/libcrc32c.c
+@@ -33,7 +33,6 @@
+ #include <linux/crc32c.h>
+ #include <linux/compiler.h>
+ #include <linux/module.h>
+-#include <asm/byteorder.h>
+
+ MODULE_AUTHOR("Clay Haapala <chaapala@cisco.com>");
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations");
+@@ -161,15 +160,13 @@ static const u32 crc32c_table[256] = {
+ */
+
+ u32 __attribute_pure__
+-crc32c_le(u32 seed, unsigned char const *data, size_t length)
++crc32c_le(u32 crc, unsigned char const *data, size_t length)
+ {
+- u32 crc = __cpu_to_le32(seed);
+-
+ while (length--)
+ crc =
+ crc32c_table[(crc ^ *data++) & 0xFFL] ^ (crc >> 8);
+
+- return __le32_to_cpu(crc);
++ return crc;
+ }
+
+ #endif /* CRC_LE_BITS == 8 */
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 28 00:56:55 2007
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Wed, 28 Nov 2007 09:56:27 +0100
+Subject: nf_nat: fix memset error
+To: stable@kernel.org
+Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>, "David S. Miller" <davem@davemloft.net>
+Message-ID: <474D2D3B.5030909@trash.net>
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+This patch fixes an incorrect memset in the NAT code, causing
+misbehaviour when unloading and reloading the NAT module.
+Applies to stable-2.6.22 and stable-2.6.23.
+
+Please apply, thanks.
+[NETFILTER]: nf_nat: fix memset error
+
+Upstream commit e0bf9cf15fc30d300b7fbd821c6bc975531fab44
+
+The size passing to memset is the size of a pointer. Fixes
+misbehaviour when unloading and reloading the NAT module.
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/ipv4/netfilter/nf_nat_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/nf_nat_core.c
++++ b/net/ipv4/netfilter/nf_nat_core.c
+@@ -633,7 +633,7 @@ static int clean_nat(struct nf_conn *i,
+
+ if (!nat)
+ return 0;
+- memset(nat, 0, sizeof(nat));
++ memset(nat, 0, sizeof(*nat));
+ i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | IPS_SEQ_ADJUST);
+ return 0;
+ }
atl1-disable-broken-64-bit-dma.patch
rd-fix-data-corruption-on-memory-pressure.patch
+wait_task_stopped-pass-correct-exit_code-to-wait_noreap_copyout.patch
+usb-make-the-microtek-driver-and-hal-cooperate.patch
+usb-fix-up-ehci-startup-synchronization.patch
+tmpfs-restore-missing-clear_highpage.patch
+nf_nat-fix-memset-error.patch
+libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch
+isdn-avoid-copying-overly-long-strings.patch
+i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch
+hrtimers-avoid-overflow-for-large-relative-timeouts.patch
+futex-fix-for-futex_wait-signal-stack-corruption.patch
+forcedeth-new-mcp79-pci-ids.patch
+forcedeth-boot-delay-fix.patch
+fb_ddc-fix-ddc-lines-quirk.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 28 10:56:26 2007
+From: Hugh Dickins <hugh@veritas.com>
+Date: Wed, 28 Nov 2007 18:55:10 +0000 (GMT)
+Subject: tmpfs: restore missing clear_highpage
+To: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-kernel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>, Adrian Bunk <bunk@kernel.org>, Willy Tarreau <wtarreau@hera.kernel.org>, stable@kernel.org
+Message-ID: <Pine.LNX.4.64.0711281844370.25292@blonde.wat.veritas.com>
+
+From: Hugh Dickins <hugh@veritas.com>
+
+patch e84e2e132c9c66d8498e7710d4ea532d1feaaac5 in mainline
+
+tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in
+which shmem_getpage receives the page from its caller instead of allocating.
+We must cover this case by clear_highpage before SetPageUptodate, as before.
+
+Signed-off-by: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/shmem.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1066,7 +1066,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem
+ pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx);
+ pvma.vm_pgoff = idx;
+ pvma.vm_end = PAGE_SIZE;
+- page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0);
++ page = alloc_page_vma(gfp, &pvma, 0);
+ mpol_free(pvma.vm_policy);
+ return page;
+ }
+@@ -1086,7 +1086,7 @@ shmem_swapin(struct shmem_inode_info *in
+ static inline struct page *
+ shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx)
+ {
+- return alloc_page(gfp | __GFP_ZERO);
++ return alloc_page(gfp);
+ }
+ #endif
+
+@@ -1295,6 +1295,7 @@ repeat:
+
+ info->alloced++;
+ spin_unlock(&info->lock);
++ clear_highpage(filepage);
+ flush_dcache_page(filepage);
+ SetPageUptodate(filepage);
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 28 14:52:46 2007
+From: David Brownell <david-b@pacbell.net>
+Date: Wed, 28 Nov 2007 14:50:03 -0800
+Subject: USB: fix up EHCI startup synchronization
+To: linux-usb@vger.kernel.org
+Cc: David Brownell <dbrownell@users.sourceforge.net>, Greg Kroah-Hartman <gregkh@suse.de>, stable <stable@kernel.org>, David Brownell <david-b@pacbell.net>, Alan Stern <stern@rowland.harvard.edu>, Dely Sy <dely.l.sy@intel.com>, Dave Miller <davem@davemloft.net>
+Message-ID: <1196290207-28564-21-git-send-email-gregkh@suse.de>
+
+
+From: David Brownell <david-b@pacbell.net>
+
+patch 1cb52658b4f5b10a9e91f8e1c21ca2bcc1b9a3ca in mainline.
+
+A recent patch added software synchronization during EHCI startup,
+so ports aren't switched away from the companion controllers after
+resets have started. This patch adds a short delay letting hardware
+finish that port switching before any new resets begin ... so both
+ends of that hardware race window are closed.
+
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Cc: Dave Miller <davem@davemloft.net>
+Cc: Dely Sy <dely.l.sy@intel.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-hcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -571,12 +571,15 @@ static int ehci_run (struct usb_hcd *hcd
+ * from the companions to the EHCI controller. If any of the
+ * companions are in the middle of a port reset at the time, it
+ * could cause trouble. Write-locking ehci_cf_port_reset_rwsem
+- * guarantees that no resets are in progress.
++ * guarantees that no resets are in progress. After we set CF,
++ * a short delay lets the hardware catch up; new resets shouldn't
++ * be started before the port switching actions could complete.
+ */
+ down_write(&ehci_cf_port_reset_rwsem);
+ hcd->state = HC_STATE_RUNNING;
+ ehci_writel(ehci, FLAG_CF, &ehci->regs->configured_flag);
+ ehci_readl(ehci, &ehci->regs->command); /* unblock posted writes */
++ msleep(5);
+ up_write(&ehci_cf_port_reset_rwsem);
+
+ temp = HC_VERSION(ehci_readl(ehci, &ehci->caps->hc_capbase));
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 28 14:52:43 2007
+From: Oliver Neukum <oliver@neukum.org>
+Date: Wed, 28 Nov 2007 14:50:02 -0800
+Subject: USB: make the microtek driver and HAL cooperate
+To: linux-usb@vger.kernel.org
+Cc: Oliver Neukum <oneukum@suse.de>, Oliver Neukum <oliver@neukum.org>, stable <stable@kernel.org>, Greg Kroah-Hartman <gregkh@suse.de>
+Message-ID: <1196290207-28564-20-git-send-email-gregkh@suse.de>
+
+
+From: Oliver Neukum <oliver@neukum.org>
+
+patch 5cf1973a44bd298e3cfce6f6af8faa8c9d0a6d55 in mainline
+
+to make HAL like the microtek driver's devices the parent must be
+correctly set.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/image/microtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/image/microtek.c
++++ b/drivers/usb/image/microtek.c
+@@ -823,7 +823,7 @@ static int mts_usb_probe(struct usb_inte
+ goto out_kfree2;
+
+ new_desc->host->hostdata[0] = (unsigned long)new_desc;
+- if (scsi_add_host(new_desc->host, NULL)) {
++ if (scsi_add_host(new_desc->host, &dev->dev)) {
+ err_retval = -EIO;
+ goto out_host_put;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 28 16:27:42 2007
+From: Scott James Remnant <scott@ubuntu.com>
+Date: Wed, 28 Nov 2007 16:22:07 -0800
+Subject: wait_task_stopped(): pass correct exit_code to wait_noreap_copyout()
+To: torvalds@linux-foundation.org
+Cc: stable@kernel.org, akpm@linux-foundation.org, oleg@tv-sign.ru, roland@redhat.com, scott@ubuntu.com
+Message-ID: <200711290022.lAT0M7kw026781@imap1.linux-foundation.org>
+
+
+From: Scott James Remnant <scott@ubuntu.com>
+
+patch e6ceb32aa25fc33f21af84cc7a32fe289b3e860c in mainline.
+
+In wait_task_stopped() exit_code already contains the right value for the
+si_status member of siginfo, and this is simply set in the non WNOWAIT
+case.
+
+If you call waitid() with a stopped or traced process, you'll get the signal
+in siginfo.si_status as expected -- however if you call waitid(WNOWAIT) at the
+same time, you'll get the signal << 8 | 0x7f
+
+Pass it unchanged to wait_noreap_copyout(); we would only need to shift it
+and add 0x7f if we were returning it in the user status field and that
+isn't used for any function that permits WNOWAIT.
+
+Signed-off-by: Scott James Remnant <scott@ubuntu.com>
+Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
+Cc: Roland McGrath <roland@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/exit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1339,7 +1339,7 @@ static int wait_task_stopped(struct task
+ if (unlikely(!exit_code) || unlikely(p->exit_state))
+ goto bail_ref;
+ return wait_noreap_copyout(p, pid, uid,
+- why, (exit_code << 8) | 0x7f,
++ why, exit_code,
+ infop, ru);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
