--- /dev/null
+From lenb@kernel.org Fri Nov 7 14:08:55 2008
+From: Shaohua Li <shaohua.li@intel.com>
+Date: Thu, 06 Nov 2008 14:18:55 -0500 (EST)
+Subject: ACPI: dock: avoid check _STA method
+To: stable@kernel.org
+Cc: linux-acpi@vger.kernel.org, Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, Shaohua Li <shaohua.li@intel.com>
+Message-ID: <alpine.LFD.2.00.0811061417380.3106@localhost.localdomain>
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream.
+
+ACPI: dock: avoid check _STA method
+
+In some BIOSes, every _STA method call will send a notification again,
+this cause freeze. And in some BIOSes, it appears _STA should be called
+after _DCK. This tries to avoid calls _STA, and still keep the device
+present check.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=10431
+
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/dock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/dock.c
++++ b/drivers/acpi/dock.c
+@@ -599,14 +599,17 @@ static int handle_eject_request(struct d
+ static void dock_notify(acpi_handle handle, u32 event, void *data)
+ {
+ struct dock_station *ds = data;
++ struct acpi_device *tmp;
+
+ switch (event) {
+ case ACPI_NOTIFY_BUS_CHECK:
+- if (!dock_in_progress(ds) && dock_present(ds)) {
++ if (!dock_in_progress(ds) && acpi_bus_get_device(ds->handle,
++ &tmp)) {
+ begin_dock(ds);
+ dock(ds);
+ if (!dock_present(ds)) {
+ printk(KERN_ERR PREFIX "Unable to dock!\n");
++ complete_dock(ds);
+ break;
+ }
+ atomic_notifier_call_chain(&dock_notifier_list,
--- /dev/null
+From d8009882e9f5e1a76986c741f071edd2ad760c97 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 7 Sep 2008 12:51:13 +0200
+Subject: ALSA: use correct lock in snd_ctl_dev_disconnect()
+Message-ID: <20081031164425.GA10625@puku.stupidest.org>
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d8009882e9f5e1a76986c741f071edd2ad760c97 upstream
+
+The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock
+for protection of card->ctl_files entries, instead of card->controls_rwsem.
+
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Cc: Chris Wedgwood <cw@f00f.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/core/control.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1426,12 +1426,12 @@ static int snd_ctl_dev_disconnect(struct
+ cardnum = card->number;
+ snd_assert(cardnum >= 0 && cardnum < SNDRV_CARDS, return -ENXIO);
+
+- down_read(&card->controls_rwsem);
++ read_lock(&card->ctl_files_rwlock);
+ list_for_each_entry(ctl, &card->ctl_files, list) {
+ wake_up(&ctl->change_sleep);
+ kill_fasync(&ctl->fasync, SIGIO, POLL_ERR);
+ }
+- up_read(&card->controls_rwsem);
++ read_unlock(&card->ctl_files_rwlock);
+
+ if ((err = snd_unregister_device(SNDRV_DEVICE_TYPE_CONTROL,
+ card, -1)) < 0)
--- /dev/null
+From 3318a386e4ca68c76e0294363d29bdc46fcad670 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serue@us.ibm.com>
+Date: Thu, 30 Oct 2008 11:52:23 -0500
+Subject: file caps: always start with clear bprm->caps_*
+
+From: Serge Hallyn <serue@us.ibm.com>
+
+commit 3318a386e4ca68c76e0294363d29bdc46fcad670 upstream
+
+While Linux doesn't honor setuid on scripts. However, it mistakenly
+behaves differently for file capabilities.
+
+This patch fixes that behavior by making sure that get_file_caps()
+begins with empty bprm->caps_*. That way when a script is loaded,
+its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(),
+but they will be cleared again when binfmt_elf calls prepare_binprm()
+next to read the interpreter's file capabilities.
+
+Signed-off-by: Serge Hallyn <serue@us.ibm.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Acked-by: Andrew G. Morgan <morgan@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/commoncap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -244,10 +244,10 @@ static int get_file_caps(struct linux_bi
+ struct vfs_cap_data vcaps;
+ struct inode *inode;
+
+- if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
+- bprm_clear_caps(bprm);
++ bprm_clear_caps(bprm);
++
++ if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
+ return 0;
+- }
+
+ dentry = dget(bprm->file->f_dentry);
+ inode = dentry->d_inode;
--- /dev/null
+From jejb@kernel.org Tue Nov 4 11:44:30 2008
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Sun, 2 Nov 2008 19:30:21 GMT
+Subject: libertas: fix buffer overrun
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200811021930.mA2JULX5009457@hera.kernel.org>
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 upstream
+
+If somebody sends an invalid beacon/probe response, that can trash the
+whole BSS descriptor. The descriptor is, luckily, large enough so that
+it cannot scribble past the end of it; it's well above 400 bytes long.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/scan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/libertas/scan.c
++++ b/drivers/net/wireless/libertas/scan.c
+@@ -787,8 +787,8 @@ static int lbs_process_bss(struct bss_de
+
+ switch (elem->id) {
+ case MFIE_TYPE_SSID:
+- bss->ssid_len = elem->len;
+- memcpy(bss->ssid, elem->data, elem->len);
++ bss->ssid_len = min_t(int, 32, elem->len);
++ memcpy(bss->ssid, elem->data, bss->ssid_len);
+ lbs_deb_scan("got SSID IE: '%s', len %u\n",
+ escape_essid(bss->ssid, bss->ssid_len),
+ bss->ssid_len);
--- /dev/null
+From f8d570a4745835f2238a33b537218a1bb03fc671 Mon Sep 17 00:00:00 2001
+From: David Miller <davem@davemloft.net>
+Date: Thu, 6 Nov 2008 00:37:40 -0800
+Subject: net: Fix recursive descent in __scm_destroy().
+
+From: David Miller <davem@davemloft.net>
+
+commit f8d570a4745835f2238a33b537218a1bb03fc671 and
+3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
+good enough...)
+
+__scm_destroy() walks the list of file descriptors in the scm_fp_list
+pointed to by the scm_cookie argument.
+
+Those, in turn, can close sockets and invoke __scm_destroy() again.
+
+There is nothing which limits how deeply this can occur.
+
+The idea for how to fix this is from Linus. Basically, we do all of
+the fput()s at the top level by collecting all of the scm_fp_list
+objects hit by an fput(). Inside of the initial __scm_destroy() we
+keep running the list until it is empty.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/sched.h | 4 +++-
+ include/net/scm.h | 5 +++--
+ net/core/scm.c | 24 +++++++++++++++++++++---
+ 3 files changed, 27 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1256,7 +1256,9 @@ struct task_struct {
+ atomic_t fs_excl; /* holding fs exclusive resources */
+ struct rcu_head rcu;
+
+- /*
++ struct list_head *scm_work_list;
++
++/*
+ * cache last used pipe for splice
+ */
+ struct pipe_inode_info *splice_pipe;
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -14,8 +14,9 @@
+
+ struct scm_fp_list
+ {
+- int count;
+- struct file *fp[SCM_MAX_FD];
++ struct list_head list;
++ int count;
++ struct file *fp[SCM_MAX_FD];
+ };
+
+ struct scm_cookie
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -75,6 +75,7 @@ static int scm_fp_copy(struct cmsghdr *c
+ if (!fpl)
+ return -ENOMEM;
+ *fplp = fpl;
++ INIT_LIST_HEAD(&fpl->list);
+ fpl->count = 0;
+ }
+ fpp = &fpl->fp[fpl->count];
+@@ -106,9 +107,25 @@ void __scm_destroy(struct scm_cookie *sc
+
+ if (fpl) {
+ scm->fp = NULL;
+- for (i=fpl->count-1; i>=0; i--)
+- fput(fpl->fp[i]);
+- kfree(fpl);
++ if (current->scm_work_list) {
++ list_add_tail(&fpl->list, current->scm_work_list);
++ } else {
++ LIST_HEAD(work_list);
++
++ current->scm_work_list = &work_list;
++
++ list_add(&fpl->list, &work_list);
++ while (!list_empty(&work_list)) {
++ fpl = list_first_entry(&work_list, struct scm_fp_list, list);
++
++ list_del(&fpl->list);
++ for (i=fpl->count-1; i>=0; i--)
++ fput(fpl->fp[i]);
++ kfree(fpl);
++ }
++
++ current->scm_work_list = NULL;
++ }
+ }
+ }
+
+@@ -284,6 +301,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
+
+ new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
+ if (new_fpl) {
++ INIT_LIST_HEAD(&new_fpl->list);
+ for (i=fpl->count-1; i>=0; i--)
+ get_file(fpl->fp[i]);
+ memcpy(new_fpl, fpl, sizeof(*fpl));
gpiolib-fix-oops-in-gpio_get_value_cansleep.patch
ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch
edac-cell-fix-incorrect-edac_mode.patch
+net-fix-recursive-descent-in-__scm_destroy.patch
+libertas-fix-buffer-overrun.patch
+file-caps-always-start-with-clear-bprm-caps_.patch
+alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch
+acpi-dock-avoid-check-_sta-method.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
