--- /dev/null
+From ac852edb47b15900886ba2564eeeb13b3b526e3e Mon Sep 17 00:00:00 2001
+From: Henrik Rydberg <rydberg@euromail.se>
+Date: Thu, 7 Jun 2012 04:54:29 -0400
+Subject: hwmon: (applesmc) Limit key length in warning messages
+
+From: Henrik Rydberg <rydberg@euromail.se>
+
+commit ac852edb47b15900886ba2564eeeb13b3b526e3e upstream.
+
+Key lookups may call read_smc() with a fixed-length key string,
+and if the lookup fails, trailing stack content may appear in the
+kernel log. Fixed with this patch.
+
+Signed-off-by: Henrik Rydberg <rydberg@euromail.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/applesmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/applesmc.c
++++ b/drivers/hwmon/applesmc.c
+@@ -215,7 +215,7 @@ static int read_smc(u8 cmd, const char *
+ int i;
+
+ if (send_command(cmd) || send_argument(key)) {
+- pr_warn("%s: read arg fail\n", key);
++ pr_warn("%.4s: read arg fail\n", key);
+ return -EIO;
+ }
+
+@@ -223,7 +223,7 @@ static int read_smc(u8 cmd, const char *
+
+ for (i = 0; i < len; i++) {
+ if (__wait_status(0x05)) {
+- pr_warn("%s: read data fail\n", key);
++ pr_warn("%.4s: read data fail\n", key);
+ return -EIO;
+ }
+ buffer[i] = inb(APPLESMC_DATA_PORT);
--- /dev/null
+From 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Date: Mon, 25 Jun 2012 16:05:27 +0200
+Subject: NFC: Prevent multiple buffer overflows in NCI
+
+From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+
+commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
+
+Fix multiple remotely-exploitable stack-based buffer overflows due to
+the NCI code pulling length fields directly from incoming frames and
+copying too much data into statically-sized arrays.
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Cc: security@kernel.org
+Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
+Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Acked-by: Ilan Elias <ilane@ti.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/ntf.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_
+ nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
+ data += 2;
+
+- nfca_poll->nfcid1_len = *data++;
++ nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
+
+ pr_debug("sens_res 0x%x, nfcid1_len %d\n",
+ nfca_poll->sens_res, nfca_poll->nfcid1_len);
+@@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_
+ struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
+ __u8 *data)
+ {
+- nfcb_poll->sensb_res_len = *data++;
++ nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
+
+ pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
+
+@@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_
+ __u8 *data)
+ {
+ nfcf_poll->bit_rate = *data++;
+- nfcf_poll->sensf_res_len = *data++;
++ nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
+
+ pr_debug("bit_rate %d, sensf_res_len %d\n",
+ nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
+@@ -331,7 +331,7 @@ static int nci_extract_activation_params
+ switch (ntf->activation_rf_tech_and_mode) {
+ case NCI_NFC_A_PASSIVE_POLL_MODE:
+ nfca_poll = &ntf->activation_params.nfca_poll_iso_dep;
+- nfca_poll->rats_res_len = *data++;
++ nfca_poll->rats_res_len = min_t(__u8, *data++, 20);
+ pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len);
+ if (nfca_poll->rats_res_len > 0) {
+ memcpy(nfca_poll->rats_res,
+@@ -341,7 +341,7 @@ static int nci_extract_activation_params
+
+ case NCI_NFC_B_PASSIVE_POLL_MODE:
+ nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep;
+- nfcb_poll->attrib_res_len = *data++;
++ nfcb_poll->attrib_res_len = min_t(__u8, *data++, 50);
+ pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len);
+ if (nfcb_poll->attrib_res_len > 0) {
+ memcpy(nfcb_poll->attrib_res,
--- /dev/null
+From 03e934f620101ca2cfc9383bd76172dd3e1f8567 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 12 Jun 2012 00:47:58 +0200
+Subject: NFC: Return from rawsock_release when sk is NULL
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 03e934f620101ca2cfc9383bd76172dd3e1f8567 upstream.
+
+Sasha Levin reported following panic :
+
+[ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at
+00000000000003b0
+[ 2136.384022] IP: [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
+[ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0
+[ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+[ 2136.388106] CPU 1
+[ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G W
+3.5.0-rc2-sasha-00015-g7b268f7 #374
+[ 2136.388106] RIP: 0010:[<ffffffff8114e400>] [<ffffffff8114e400>]
+__lock_acquire+0xc0/0x4b0
+[ 2136.388106] RSP: 0018:ffff8800130b3ca8 EFLAGS: 00010046
+[ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX:
+0000000000000000
+[ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
+0000000000000000
+[ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09:
+0000000000000000
+[ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12:
+0000000000000002
+[ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15:
+0000000000000000
+[ 2136.388106] FS: 00007fa5b1bd4700(0000) GS:ffff88001b800000(0000)
+knlGS:0000000000000000
+[ 2136.388106] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4:
+00000000000406e0
+[ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
+0000000000000400
+[ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo
+ffff8800130b2000, task ffff88001186b000)
+[ 2136.388106] Stack:
+[ 2136.388106] ffff8800130b3cd8 ffffffff81121785 ffffffff81236774
+000080d000000001
+[ 2136.388106] ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08
+ffff88001186b000
+[ 2136.388106] 0000000000000000 0000000000000002 0000000000000000
+0000000000000000
+[ 2136.388106] Call Trace:
+[ 2136.388106] [<ffffffff81121785>] ? sched_clock_local+0x25/0x90
+[ 2136.388106] [<ffffffff81236774>] ? get_empty_filp+0x74/0x220
+[ 2136.388106] [<ffffffff8114e97a>] lock_acquire+0x18a/0x1e0
+[ 2136.388106] [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
+[ 2136.388106] [<ffffffff837c0ef0>] _raw_write_lock_bh+0x40/0x80
+[ 2136.388106] [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0
+[ 2136.388106] [<ffffffff836b37df>] rawsock_release+0x4f/0xa0
+[ 2136.388106] [<ffffffff8321cfe8>] sock_release+0x18/0x70
+[ 2136.388106] [<ffffffff8321d069>] sock_close+0x29/0x30
+[ 2136.388106] [<ffffffff81236bca>] __fput+0x11a/0x2c0
+[ 2136.388106] [<ffffffff81236d85>] fput+0x15/0x20
+[ 2136.388106] [<ffffffff8321de34>] sys_accept4+0x1b4/0x200
+[ 2136.388106] [<ffffffff837c165c>] ? _raw_spin_unlock_irq+0x4c/0x80
+[ 2136.388106] [<ffffffff837c1669>] ? _raw_spin_unlock_irq+0x59/0x80
+[ 2136.388106] [<ffffffff837c2565>] ? sysret_check+0x22/0x5d
+[ 2136.388106] [<ffffffff8321de8b>] sys_accept+0xb/0x10
+[ 2136.388106] [<ffffffff837c2539>] system_call_fastpath+0x16/0x1b
+[ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7
+8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00
+00 00 <49> 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77
+[ 2136.388106] RIP [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0
+[ 2136.388106] RSP <ffff8800130b3ca8>
+[ 2136.388106] CR2: 00000000000003b0
+[ 2136.388106] ---[ end trace 6d450e935ee18982 ]---
+[ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt
+
+rawsock_release() should test if sock->sk is NULL before calling
+sock_orphan()/sock_put()
+
+Reported-by: Sasha Levin <levinsasha928@gmail.com>
+Tested-by: Sasha Levin <levinsasha928@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/rawsock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -54,7 +54,10 @@ static int rawsock_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+
+- pr_debug("sock=%p\n", sock);
++ pr_debug("sock=%p sk=%p\n", sock, sk);
++
++ if (!sk)
++ return 0;
+
+ sock_orphan(sk);
+ sock_put(sk);
--- /dev/null
+From fbb24a3a915f105016f1c828476be11aceac8504 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Wed, 20 Jun 2012 12:52:57 -0700
+Subject: nilfs2: ensure proper cache clearing for gc-inodes
+
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+
+commit fbb24a3a915f105016f1c828476be11aceac8504 upstream.
+
+A gc-inode is a pseudo inode used to buffer the blocks to be moved by
+garbage collection.
+
+Block caches of gc-inodes must be cleared every time a garbage collection
+function (nilfs_clean_segments) completes. Otherwise, stale blocks
+buffered in the caches may be wrongly reused in successive calls of the GC
+function.
+
+For user files, this is not a problem because their gc-inodes are
+distinguished by a checkpoint number as well as an inode number. They
+never buffer different blocks if either an inode number, a checkpoint
+number, or a block offset differs.
+
+However, gc-inodes of sufile, cpfile and DAT file can store different data
+for the same block offset. Thus, the nilfs_clean_segments function can
+move incorrect block for these meta-data files if an old block is cached.
+I found this is really causing meta-data corruption in nilfs.
+
+This fixes the issue by ensuring cache clear of gc-inodes and resolves
+reported GC problems including checkpoint file corruption, b-tree
+corruption, and the following warning during GC.
+
+ nilfs_palloc_freev: entry number 307234 already freed.
+ ...
+
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nilfs2/gcinode.c | 2 ++
+ fs/nilfs2/segment.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/fs/nilfs2/gcinode.c
++++ b/fs/nilfs2/gcinode.c
+@@ -191,6 +191,8 @@ void nilfs_remove_all_gcinodes(struct th
+ while (!list_empty(head)) {
+ ii = list_first_entry(head, struct nilfs_inode_info, i_dirty);
+ list_del_init(&ii->i_dirty);
++ truncate_inode_pages(&ii->vfs_inode.i_data, 0);
++ nilfs_btnode_cache_clear(&ii->i_btnode_cache);
+ iput(&ii->vfs_inode);
+ }
+ }
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2309,6 +2309,8 @@ nilfs_remove_written_gcinodes(struct the
+ if (!test_bit(NILFS_I_UPDATED, &ii->i_state))
+ continue;
+ list_del_init(&ii->i_dirty);
++ truncate_inode_pages(&ii->vfs_inode.i_data, 0);
++ nilfs_btnode_cache_clear(&ii->i_btnode_cache);
+ iput(&ii->vfs_inode);
+ }
+ }
--- /dev/null
+From 21b2de341270bd7bb7a811027ffe63276d9b3b75 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Tue, 10 Jul 2012 18:37:56 +1000
+Subject: powerpc: Fix build of some debug irq code
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 21b2de341270bd7bb7a811027ffe63276d9b3b75 upstream.
+
+There was a typo, checking for CONFIG_TRACE_IRQFLAG instead of
+CONFIG_TRACE_IRQFLAGS causing some useful debug code to not be
+built
+
+This in turns causes a build error on BookE 64-bit due to incorrect
+semicolons at the end of a couple of macros, so let's fix that too
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/hw_irq.h | 4 ++--
+ arch/powerpc/kernel/irq.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/include/asm/hw_irq.h
++++ b/arch/powerpc/include/asm/hw_irq.h
+@@ -85,8 +85,8 @@ static inline bool arch_irqs_disabled(vo
+ }
+
+ #ifdef CONFIG_PPC_BOOK3E
+-#define __hard_irq_enable() asm volatile("wrteei 1" : : : "memory");
+-#define __hard_irq_disable() asm volatile("wrteei 0" : : : "memory");
++#define __hard_irq_enable() asm volatile("wrteei 1" : : : "memory")
++#define __hard_irq_disable() asm volatile("wrteei 0" : : : "memory")
+ #else
+ #define __hard_irq_enable() __mtmsrd(local_paca->kernel_msr | MSR_EE, 1)
+ #define __hard_irq_disable() __mtmsrd(local_paca->kernel_msr, 1)
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -229,7 +229,7 @@ notrace void arch_local_irq_restore(unsi
+ */
+ if (unlikely(irq_happened != PACA_IRQ_HARD_DIS))
+ __hard_irq_disable();
+-#ifdef CONFIG_TRACE_IRQFLAG
++#ifdef CONFIG_TRACE_IRQFLAGS
+ else {
+ /*
+ * We should already be hard disabled here. We had bugs
--- /dev/null
+From be2cf20a5ad31ebb13562c1c866ecc626fbd721e Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Tue, 10 Jul 2012 18:36:40 +1000
+Subject: powerpc: More fixes for lazy IRQ vs. idle
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit be2cf20a5ad31ebb13562c1c866ecc626fbd721e upstream.
+
+Looks like we still have issues with pSeries and Cell idle code
+vs. the lazy irq state. In fact, the reset fixes that went upstream
+are exposing the problem more by causing BUG_ON() to trigger (which
+this patch turns into a WARN_ON instead).
+
+We need to be careful when using a variant of low power state that
+has the side effect of turning interrupts back on, to properly set
+all the SW & lazy state to look as if everything is enabled before
+we enter the low power state with MSR:EE off as we will return with
+MSR:EE on. If not, we have a discrepancy of state which can cause
+things to go very wrong later on.
+
+This patch moves the logic into a helper and uses it from the
+pseries and cell idle code. The power4/970 idle code already got
+things right (in assembly even !) so I'm not touching it. The power7
+"bare metal" idle code is subtly different and correct. Remains PA6T
+and some hypervisor based Cell platforms which have questionable
+code in there, but they are mostly dead platforms so I'll fix them
+when I manage to get final answers from the respective maintainers
+about how the low power state actually works on them.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/hw_irq.h | 2 +
+ arch/powerpc/kernel/irq.c | 46 ++++++++++++++++++++++++
+ arch/powerpc/platforms/cell/pervasive.c | 11 +++--
+ arch/powerpc/platforms/pseries/processor_idle.c | 17 +++++---
+ 4 files changed, 64 insertions(+), 12 deletions(-)
+
+--- a/arch/powerpc/include/asm/hw_irq.h
++++ b/arch/powerpc/include/asm/hw_irq.h
+@@ -124,6 +124,8 @@ static inline bool arch_irq_disabled_reg
+ return !regs->softe;
+ }
+
++extern bool prep_irq_for_idle(void);
++
+ #else /* CONFIG_PPC64 */
+
+ #define SET_MSR_EE(x) mtmsr(x)
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -286,6 +286,52 @@ void notrace restore_interrupts(void)
+ __hard_irq_enable();
+ }
+
++/*
++ * This is a helper to use when about to go into idle low-power
++ * when the latter has the side effect of re-enabling interrupts
++ * (such as calling H_CEDE under pHyp).
++ *
++ * You call this function with interrupts soft-disabled (this is
++ * already the case when ppc_md.power_save is called). The function
++ * will return whether to enter power save or just return.
++ *
++ * In the former case, it will have notified lockdep of interrupts
++ * being re-enabled and generally sanitized the lazy irq state,
++ * and in the latter case it will leave with interrupts hard
++ * disabled and marked as such, so the local_irq_enable() call
++ * in cpu_idle() will properly re-enable everything.
++ */
++bool prep_irq_for_idle(void)
++{
++ /*
++ * First we need to hard disable to ensure no interrupt
++ * occurs before we effectively enter the low power state
++ */
++ hard_irq_disable();
++
++ /*
++ * If anything happened while we were soft-disabled,
++ * we return now and do not enter the low power state.
++ */
++ if (lazy_irq_pending())
++ return false;
++
++ /* Tell lockdep we are about to re-enable */
++ trace_hardirqs_on();
++
++ /*
++ * Mark interrupts as soft-enabled and clear the
++ * PACA_IRQ_HARD_DIS from the pending mask since we
++ * are about to hard enable as well as a side effect
++ * of entering the low power state.
++ */
++ local_paca->irq_happened &= ~PACA_IRQ_HARD_DIS;
++ local_paca->soft_enabled = 1;
++
++ /* Tell the caller to enter the low power state */
++ return true;
++}
++
+ #endif /* CONFIG_PPC64 */
+
+ int arch_show_interrupts(struct seq_file *p, int prec)
+--- a/arch/powerpc/platforms/cell/pervasive.c
++++ b/arch/powerpc/platforms/cell/pervasive.c
+@@ -42,11 +42,9 @@ static void cbe_power_save(void)
+ {
+ unsigned long ctrl, thread_switch_control;
+
+- /*
+- * We need to hard disable interrupts, the local_irq_enable() done by
+- * our caller upon return will hard re-enable.
+- */
+- hard_irq_disable();
++ /* Ensure our interrupt state is properly tracked */
++ if (!prep_irq_for_idle())
++ return;
+
+ ctrl = mfspr(SPRN_CTRLF);
+
+@@ -81,6 +79,9 @@ static void cbe_power_save(void)
+ */
+ ctrl &= ~(CTRL_RUNLATCH | CTRL_TE);
+ mtspr(SPRN_CTRLT, ctrl);
++
++ /* Re-enable interrupts in MSR */
++ __hard_irq_enable();
+ }
+
+ static int cbe_system_reset_exception(struct pt_regs *regs)
+--- a/arch/powerpc/platforms/pseries/processor_idle.c
++++ b/arch/powerpc/platforms/pseries/processor_idle.c
+@@ -99,15 +99,18 @@ out:
+ static void check_and_cede_processor(void)
+ {
+ /*
+- * Interrupts are soft-disabled at this point,
+- * but not hard disabled. So an interrupt might have
+- * occurred before entering NAP, and would be potentially
+- * lost (edge events, decrementer events, etc...) unless
+- * we first hard disable then check.
++ * Ensure our interrupt state is properly tracked,
++ * also checks if no interrupt has occurred while we
++ * were soft-disabled
+ */
+- hard_irq_disable();
+- if (!lazy_irq_pending())
++ if (prep_irq_for_idle()) {
+ cede_processor();
++#ifdef CONFIG_TRACE_IRQFLAGS
++ /* Ensure that H_CEDE returns with IRQs on */
++ if (WARN_ON(!(mfmsr() & MSR_EE)))
++ __hard_irq_enable();
++#endif
++ }
+ }
+
+ static int dedicated_cede_loop(struct cpuidle_device *dev,
bridge-assign-rtnl_link_ops-to-bridge-devices-created-via-ioctl-v2.patch
xen-netfront-teardown-the-device-before-unregistering-it.patch
mm-fix-slab-page-_count-corruption-when-using-slub.patch
+powerpc-more-fixes-for-lazy-irq-vs.-idle.patch
+powerpc-fix-build-of-some-debug-irq-code.patch
+nfc-return-from-rawsock_release-when-sk-is-null.patch
+nfc-prevent-multiple-buffer-overflows-in-nci.patch
+hwmon-applesmc-limit-key-length-in-warning-messages.patch
+staging-r8712u-add-new-usb-ids.patch
+nilfs2-ensure-proper-cache-clearing-for-gc-inodes.patch
+udf-use-ret-instead-of-abusing-i-in-udf_load_logicalvol.patch
+udf-avoid-run-away-loop-when-partition-table-length-is-corrupted.patch
+udf-fortify-loading-of-sparing-table.patch
--- /dev/null
+From 3026b0e942c65c65c8fc80d391d004228b52b916 Mon Sep 17 00:00:00 2001
+From: Lubomir Schmidt <gentoo.lubomir@googlemail.com>
+Date: Fri, 15 Jun 2012 15:12:17 -0500
+Subject: staging: r8712u: Add new USB IDs
+
+From: Lubomir Schmidt <gentoo.lubomir@googlemail.com>
+
+commit 3026b0e942c65c65c8fc80d391d004228b52b916 upstream.
+
+There are two new devices for this driver.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/usb_intf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -102,6 +102,8 @@ static struct usb_device_id rtl871x_usb_
+ /* - */
+ {USB_DEVICE(0x20F4, 0x646B)},
+ {USB_DEVICE(0x083A, 0xC512)},
++ {USB_DEVICE(0x25D4, 0x4CA1)},
++ {USB_DEVICE(0x25D4, 0x4CAB)},
+
+ /* RTL8191SU */
+ /* Realtek */
--- /dev/null
+From adee11b2085bee90bd8f4f52123ffb07882d6256 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 27 Jun 2012 20:20:22 +0200
+Subject: udf: Avoid run away loop when partition table length is corrupted
+
+From: Jan Kara <jack@suse.cz>
+
+commit adee11b2085bee90bd8f4f52123ffb07882d6256 upstream.
+
+Check provided length of partition table so that (possibly maliciously)
+corrupted partition table cannot cause accessing data beyond current buffer.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/super.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1225,6 +1225,7 @@ static int udf_load_logicalvol(struct su
+ struct genericPartitionMap *gpm;
+ uint16_t ident;
+ struct buffer_head *bh;
++ unsigned int table_len;
+ int ret = 0;
+
+ bh = udf_read_tagged(sb, block, block, &ident);
+@@ -1232,13 +1233,20 @@ static int udf_load_logicalvol(struct su
+ return 1;
+ BUG_ON(ident != TAG_IDENT_LVD);
+ lvd = (struct logicalVolDesc *)bh->b_data;
++ table_len = le32_to_cpu(lvd->mapTableLength);
++ if (sizeof(*lvd) + table_len > sb->s_blocksize) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Partition table too long (%u > %lu)\n", table_len,
++ sb->s_blocksize - sizeof(*lvd));
++ goto out_bh;
++ }
+
+ ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+ if (ret)
+ goto out_bh;
+
+ for (i = 0, offset = 0;
+- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
++ i < sbi->s_partitions && offset < table_len;
+ i++, offset += gpm->partitionMapLength) {
+ struct udf_part_map *map = &sbi->s_partmaps[i];
+ gpm = (struct genericPartitionMap *)
--- /dev/null
+From 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 27 Jun 2012 21:23:07 +0200
+Subject: udf: Fortify loading of sparing table
+
+From: Jan Kara <jack@suse.cz>
+
+commit 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 upstream.
+
+Add sanity checks when loading sparing table from disk to avoid accessing
+unallocated memory or writing to it.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/super.c | 86 +++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 53 insertions(+), 33 deletions(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -56,6 +56,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/bitmap.h>
+ #include <linux/crc-itu-t.h>
++#include <linux/log2.h>
+ #include <asm/byteorder.h>
+
+ #include "udf_sb.h"
+@@ -1215,11 +1216,59 @@ out_bh:
+ return ret;
+ }
+
++static int udf_load_sparable_map(struct super_block *sb,
++ struct udf_part_map *map,
++ struct sparablePartitionMap *spm)
++{
++ uint32_t loc;
++ uint16_t ident;
++ struct sparingTable *st;
++ struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
++ int i;
++ struct buffer_head *bh;
++
++ map->s_partition_type = UDF_SPARABLE_MAP15;
++ sdata->s_packet_len = le16_to_cpu(spm->packetLength);
++ if (!is_power_of_2(sdata->s_packet_len)) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Invalid packet length %u\n",
++ (unsigned)sdata->s_packet_len);
++ return -EIO;
++ }
++ if (spm->numSparingTables > 4) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Too many sparing tables (%d)\n",
++ (int)spm->numSparingTables);
++ return -EIO;
++ }
++
++ for (i = 0; i < spm->numSparingTables; i++) {
++ loc = le32_to_cpu(spm->locSparingTable[i]);
++ bh = udf_read_tagged(sb, loc, loc, &ident);
++ if (!bh)
++ continue;
++
++ st = (struct sparingTable *)bh->b_data;
++ if (ident != 0 ||
++ strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
++ strlen(UDF_ID_SPARING)) ||
++ sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
++ sb->s_blocksize) {
++ brelse(bh);
++ continue;
++ }
++
++ sdata->s_spar_map[i] = bh;
++ }
++ map->s_partition_func = udf_get_pblock_spar15;
++ return 0;
++}
++
+ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ struct kernel_lb_addr *fileset)
+ {
+ struct logicalVolDesc *lvd;
+- int i, j, offset;
++ int i, offset;
+ uint8_t type;
+ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct genericPartitionMap *gpm;
+@@ -1281,38 +1330,9 @@ static int udf_load_logicalvol(struct su
+ } else if (!strncmp(upm2->partIdent.ident,
+ UDF_ID_SPARABLE,
+ strlen(UDF_ID_SPARABLE))) {
+- uint32_t loc;
+- struct sparingTable *st;
+- struct sparablePartitionMap *spm =
+- (struct sparablePartitionMap *)gpm;
+-
+- map->s_partition_type = UDF_SPARABLE_MAP15;
+- map->s_type_specific.s_sparing.s_packet_len =
+- le16_to_cpu(spm->packetLength);
+- for (j = 0; j < spm->numSparingTables; j++) {
+- struct buffer_head *bh2;
+-
+- loc = le32_to_cpu(
+- spm->locSparingTable[j]);
+- bh2 = udf_read_tagged(sb, loc, loc,
+- &ident);
+- map->s_type_specific.s_sparing.
+- s_spar_map[j] = bh2;
+-
+- if (bh2 == NULL)
+- continue;
+-
+- st = (struct sparingTable *)bh2->b_data;
+- if (ident != 0 || strncmp(
+- st->sparingIdent.ident,
+- UDF_ID_SPARING,
+- strlen(UDF_ID_SPARING))) {
+- brelse(bh2);
+- map->s_type_specific.s_sparing.
+- s_spar_map[j] = NULL;
+- }
+- }
+- map->s_partition_func = udf_get_pblock_spar15;
++ if (udf_load_sparable_map(sb, map,
++ (struct sparablePartitionMap *)gpm) < 0)
++ goto out_bh;
+ } else if (!strncmp(upm2->partIdent.ident,
+ UDF_ID_METADATA,
+ strlen(UDF_ID_METADATA))) {
--- /dev/null
+From cb14d340ef1737c24125dd663eff77734a482d47 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 27 Jun 2012 20:08:44 +0200
+Subject: udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()
+
+From: Jan Kara <jack@suse.cz>
+
+commit cb14d340ef1737c24125dd663eff77734a482d47 upstream.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/super.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1233,11 +1233,9 @@ static int udf_load_logicalvol(struct su
+ BUG_ON(ident != TAG_IDENT_LVD);
+ lvd = (struct logicalVolDesc *)bh->b_data;
+
+- i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+- if (i != 0) {
+- ret = i;
++ ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
++ if (ret)
+ goto out_bh;
+- }
+
+ for (i = 0, offset = 0;
+ i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
projects / thirdparty / kernel / stable-queue.git / commitdiff
