From: Greg Kroah-Hartman Date: Thu, 20 Apr 2006 22:43:21 +0000 (-0700) Subject: more patches added for 2.6.16 review X-Git-Tag: v2.6.16.10~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6522b2e4ba0bb7665d925e500c04daefbeb0d693;p=thirdparty%2Fkernel%2Fstable-queue.git more patches added for 2.6.16 review --- diff --git a/queue-2.6.16/add-more-prevent_tail_call.patch b/queue-2.6.16/add-more-prevent_tail_call.patch new file mode 100644 index 00000000000..4ce19e71a17 --- /dev/null +++ b/queue-2.6.16/add-more-prevent_tail_call.patch @@ -0,0 +1,149 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 16:59:51 2006 +Date: Wed, 19 Apr 2006 23:59:40 GMT +Message-Id: <200604192359.k3JNxeXu016029@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] Add more prevent_tail_call() + +From: OGAWA Hirofumi + +[PATCH] Add more prevent_tail_call() + +Those also break userland regs like following. + + 00000000 : + 0: 0f b7 44 24 0c movzwl 0xc(%esp),%eax + 5: 83 ca ff or $0xffffffff,%edx + 8: 0f b7 4c 24 08 movzwl 0x8(%esp),%ecx + d: 66 83 f8 ff cmp $0xffffffff,%ax + 11: 0f 44 c2 cmove %edx,%eax + 14: 66 83 f9 ff cmp $0xffffffff,%cx + 18: 0f 45 d1 cmovne %ecx,%edx + 1b: 89 44 24 0c mov %eax,0xc(%esp) + 1f: 89 54 24 08 mov %edx,0x8(%esp) + 23: e9 fc ff ff ff jmp 24 + +where the tailcall at the end overwrites the incoming stack-frame. + +Signed-off-by: OGAWA Hirofumi +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/uid16.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 46 insertions(+), 13 deletions(-) + +--- linux-2.6.16.9.orig/kernel/uid16.c ++++ linux-2.6.16.9/kernel/uid16.c +@@ -20,43 +20,67 @@ + + asmlinkage long sys_chown16(const char __user * filename, old_uid_t user, old_gid_t group) + { +- return sys_chown(filename, low2highuid(user), low2highgid(group)); ++ long ret = sys_chown(filename, low2highuid(user), low2highgid(group)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_lchown16(const char __user * filename, old_uid_t user, old_gid_t group) + { +- return sys_lchown(filename, low2highuid(user), low2highgid(group)); ++ long ret = sys_lchown(filename, low2highuid(user), low2highgid(group)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group) + { +- return sys_fchown(fd, low2highuid(user), low2highgid(group)); ++ long ret = sys_fchown(fd, low2highuid(user), low2highgid(group)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid) + { +- return sys_setregid(low2highgid(rgid), low2highgid(egid)); ++ long ret = sys_setregid(low2highgid(rgid), low2highgid(egid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setgid16(old_gid_t gid) + { +- return sys_setgid(low2highgid(gid)); ++ long ret = sys_setgid(low2highgid(gid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid) + { +- return sys_setreuid(low2highuid(ruid), low2highuid(euid)); ++ long ret = sys_setreuid(low2highuid(ruid), low2highuid(euid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setuid16(old_uid_t uid) + { +- return sys_setuid(low2highuid(uid)); ++ long ret = sys_setuid(low2highuid(uid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid) + { +- return sys_setresuid(low2highuid(ruid), low2highuid(euid), +- low2highuid(suid)); ++ long ret = sys_setresuid(low2highuid(ruid), low2highuid(euid), ++ low2highuid(suid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, old_uid_t __user *suid) +@@ -72,8 +96,11 @@ asmlinkage long sys_getresuid16(old_uid_ + + asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid) + { +- return sys_setresgid(low2highgid(rgid), low2highgid(egid), +- low2highgid(sgid)); ++ long ret = sys_setresgid(low2highgid(rgid), low2highgid(egid), ++ low2highgid(sgid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, old_gid_t __user *sgid) +@@ -89,12 +116,18 @@ asmlinkage long sys_getresgid16(old_gid_ + + asmlinkage long sys_setfsuid16(old_uid_t uid) + { +- return sys_setfsuid(low2highuid(uid)); ++ long ret = sys_setfsuid(low2highuid(uid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setfsgid16(old_gid_t gid) + { +- return sys_setfsgid(low2highgid(gid)); ++ long ret = sys_setfsgid(low2highgid(gid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + static int groups16_to_user(old_gid_t __user *grouplist, diff --git a/queue-2.6.16/alim15x3-uli-m-1573-south-bridge-support.patch b/queue-2.6.16/alim15x3-uli-m-1573-south-bridge-support.patch new file mode 100644 index 00000000000..a4f6c8cbc07 --- /dev/null +++ b/queue-2.6.16/alim15x3-uli-m-1573-south-bridge-support.patch @@ -0,0 +1,41 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:59 2006 +Date: Wed, 19 Apr 2006 17:01:17 GMT +Message-Id: <200604191701.k3JH1Ham026619@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] alim15x3: ULI M-1573 south Bridge support + +From: KAI.HSU + +[PATCH] alim15x3: ULI M-1573 south Bridge support + +>From http://bugzilla.kernel.org/show_bug.cgi?id=6358 + +The alim15x3.c havn't been update for 3 years. Recently when we use this +"ULI M1573" south bridge chip found that can't mount CDROM(VCD) smoothly, +must waiting for a long time. After I check the "ULI M1573" south bridge +datasheet, I found the reason. The reason is the "ULI M1573" version in +the Linux is "0xC7" not "0xC4" anymore So I was modified the source than it +was successed. + +Cc: Bartlomiej Zolnierkiewicz +Acked-by: Alan Cox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/pci/alim15x3.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.16.9.orig/drivers/ide/pci/alim15x3.c ++++ linux-2.6.16.9/drivers/ide/pci/alim15x3.c +@@ -731,6 +731,8 @@ static unsigned int __devinit ata66_ali1 + + if(m5229_revision <= 0x20) + tmpbyte = (tmpbyte & (~0x02)) | 0x01; ++ else if (m5229_revision == 0xc7) ++ tmpbyte |= 0x03; + else + tmpbyte |= 0x01; + diff --git a/queue-2.6.16/apm-fix-armada-laptops-again.patch b/queue-2.6.16/apm-fix-armada-laptops-again.patch new file mode 100644 index 00000000000..bfecc3cc475 --- /dev/null +++ b/queue-2.6.16/apm-fix-armada-laptops-again.patch @@ -0,0 +1,44 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:11:06 2006 +Date: Wed, 19 Apr 2006 17:00:54 GMT +Message-Id: <200604191700.k3JH0seF026271@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] apm: fix Armada laptops again + +From: Samuel Thibault + +[PATCH] apm: fix Armada laptops again + +Fix the "apm: set display: Interface not engaged" error on Armada laptops +again. + +Jordan said: + + I think this is fine. It seems to me that this may be the fault of one or + both of the APM solutions handling this situation in a non-standard way, but + since APM is used very little on the Geode, and I have direct access to our + BIOS folks, if this problem comes up with a customer again, we'll solve it + from the firmware. + +Signed-off-by: Samuel Thibault +Cc: "Jordan Crouse" +Cc: Zachary Amsden +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/i386/kernel/apm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.16.9.orig/arch/i386/kernel/apm.c ++++ linux-2.6.16.9/arch/i386/kernel/apm.c +@@ -1081,7 +1081,7 @@ static int apm_console_blank(int blank) + break; + } + +- if (error == APM_NOT_ENGAGED && state != APM_STATE_READY) { ++ if (error == APM_NOT_ENGAGED) { + static int tried; + int eng_error; + if (tried++ == 0) { diff --git a/queue-2.6.16/fbdev-fix-return-error-of-fb_write.patch b/queue-2.6.16/fbdev-fix-return-error-of-fb_write.patch new file mode 100644 index 00000000000..b85a5df0fba --- /dev/null +++ b/queue-2.6.16/fbdev-fix-return-error-of-fb_write.patch @@ -0,0 +1,63 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:59 2006 +Date: Wed, 19 Apr 2006 17:01:21 GMT +Message-Id: <200604191701.k3JH1LWO026687@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] fbdev: Fix return error of fb_write + +From: Antonino A. Daplas + +[PATCH] fbdev: Fix return error of fb_write + +Fix return code of fb_write(): + +If at least 1 byte was transferred to the device, return number of bytes, +otherwise: + + - return -EFBIG - if file offset is past the maximum allowable offset or + size is greater than framebuffer length + - return -ENOSPC - if size is greater than framebuffer length - offset + +Signed-off-by: Antonino Daplas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbmem.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- linux-2.6.16.9.orig/drivers/video/fbmem.c ++++ linux-2.6.16.9/drivers/video/fbmem.c +@@ -669,13 +669,19 @@ fb_write(struct file *file, const char _ + total_size = info->fix.smem_len; + + if (p > total_size) +- return 0; ++ return -EFBIG; + +- if (count >= total_size) ++ if (count > total_size) { ++ err = -EFBIG; + count = total_size; ++ } ++ ++ if (count + p > total_size) { ++ if (!err) ++ err = -ENOSPC; + +- if (count + p > total_size) + count = total_size - p; ++ } + + buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, + GFP_KERNEL); +@@ -717,7 +723,7 @@ fb_write(struct file *file, const char _ + + kfree(buffer); + +- return (err) ? err : cnt; ++ return (cnt) ? cnt : err; + } + + #ifdef CONFIG_KMOD diff --git a/queue-2.6.16/fix-file-lookup-without-ref.patch b/queue-2.6.16/fix-file-lookup-without-ref.patch new file mode 100644 index 00000000000..cfa0bdda4ec --- /dev/null +++ b/queue-2.6.16/fix-file-lookup-without-ref.patch @@ -0,0 +1,137 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:59 2006 +Date: Wed, 19 Apr 2006 17:00:12 GMT +Message-Id: <200604191700.k3JH0C9P025871@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] Fix file lookup without ref + +From: Dipankar Sarma + +[PATCH] Fix file lookup without ref + +There are places in the kernel where we look up files in fd tables and +access the file structure without holding refereces to the file. So, we +need special care to avoid the race between looking up files in the fd +table and tearing down of the file in another CPU. Otherwise, one might +see a NULL f_dentry or such torn down version of the file. This patch +fixes those special places where such a race may happen. + +Signed-off-by: Dipankar Sarma +Acked-by: "Paul E. McKenney" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tty_io.c | 8 ++++++-- + fs/locks.c | 9 +++++++-- + fs/proc/base.c | 21 +++++++++++++++------ + 3 files changed, 28 insertions(+), 10 deletions(-) + +--- linux-2.6.16.9.orig/drivers/char/tty_io.c ++++ linux-2.6.16.9/drivers/char/tty_io.c +@@ -2706,7 +2706,11 @@ static void __do_SAK(void *arg) + } + task_lock(p); + if (p->files) { +- rcu_read_lock(); ++ /* ++ * We don't take a ref to the file, so we must ++ * hold ->file_lock instead. ++ */ ++ spin_lock(&p->files->file_lock); + fdt = files_fdtable(p->files); + for (i=0; i < fdt->max_fds; i++) { + filp = fcheck_files(p->files, i); +@@ -2721,7 +2725,7 @@ static void __do_SAK(void *arg) + break; + } + } +- rcu_read_unlock(); ++ spin_unlock(&p->files->file_lock); + } + task_unlock(p); + } while_each_task_pid(session, PIDTYPE_SID, p); +--- linux-2.6.16.9.orig/fs/locks.c ++++ linux-2.6.16.9/fs/locks.c +@@ -2212,7 +2212,12 @@ void steal_locks(fl_owner_t from) + + lock_kernel(); + j = 0; +- rcu_read_lock(); ++ ++ /* ++ * We are not taking a ref to the file structures, so ++ * we need to acquire ->file_lock. ++ */ ++ spin_lock(&files->file_lock); + fdt = files_fdtable(files); + for (;;) { + unsigned long set; +@@ -2230,7 +2235,7 @@ void steal_locks(fl_owner_t from) + set >>= 1; + } + } +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + unlock_kernel(); + } + EXPORT_SYMBOL(steal_locks); +--- linux-2.6.16.9.orig/fs/proc/base.c ++++ linux-2.6.16.9/fs/proc/base.c +@@ -294,16 +294,20 @@ static int proc_fd_link(struct inode *in + + files = get_files_struct(task); + if (files) { +- rcu_read_lock(); ++ /* ++ * We are not taking a ref to the file structure, so we must ++ * hold ->file_lock. ++ */ ++ spin_lock(&files->file_lock); + file = fcheck_files(files, fd); + if (file) { + *mnt = mntget(file->f_vfsmnt); + *dentry = dget(file->f_dentry); +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + return 0; + } +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + } + return -ENOENT; +@@ -1485,7 +1489,12 @@ static struct dentry *proc_lookupfd(stru + if (!files) + goto out_unlock; + inode->i_mode = S_IFLNK; +- rcu_read_lock(); ++ ++ /* ++ * We are not taking a ref to the file structure, so we must ++ * hold ->file_lock. ++ */ ++ spin_lock(&files->file_lock); + file = fcheck_files(files, fd); + if (!file) + goto out_unlock2; +@@ -1493,7 +1502,7 @@ static struct dentry *proc_lookupfd(stru + inode->i_mode |= S_IRUSR | S_IXUSR; + if (file->f_mode & 2) + inode->i_mode |= S_IWUSR | S_IXUSR; +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + inode->i_op = &proc_pid_link_inode_operations; + inode->i_size = 64; +@@ -1503,7 +1512,7 @@ static struct dentry *proc_lookupfd(stru + return NULL; + + out_unlock2: +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + out_unlock: + iput(inode); diff --git a/queue-2.6.16/ipc-access-to-unmapped-vmalloc-area-in-grow_ary.patch b/queue-2.6.16/ipc-access-to-unmapped-vmalloc-area-in-grow_ary.patch new file mode 100644 index 00000000000..6e738f05c02 --- /dev/null +++ b/queue-2.6.16/ipc-access-to-unmapped-vmalloc-area-in-grow_ary.patch @@ -0,0 +1,38 @@ +From git-commits-head-owner@vger.kernel.org Mon Apr 17 20:15:38 2006 +Date: Tue, 18 Apr 2006 03:04:00 GMT +Message-Id: <200604180304.k3I340pP023209@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: IPC: access to unmapped vmalloc area in grow_ary() + +>From Alexey Kuznetsov + +[PATCH] IPC: access to unmapped vmalloc area in grow_ary() + +grow_ary() should not copy struct ipc_id_ary (it copies new->p, not +new). Due to this, memcpy() src pointer could hit unmapped vmalloc page +when near page boundary. + +Found during OpenVZ stress testing + +Signed-off-by: Alexey Kuznetsov +Signed-off-by: Kirill Korotaev +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/util.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- linux-2.6.16.9.orig/ipc/util.c ++++ linux-2.6.16.9/ipc/util.c +@@ -182,8 +182,7 @@ static int grow_ary(struct ipc_ids* ids, + if(new == NULL) + return size; + new->size = newsize; +- memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size + +- sizeof(struct ipc_id_ary)); ++ memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size); + for(i=size;ip[i] = NULL; + } diff --git a/queue-2.6.16/m41t00-fix-bitmasks-when-writing-to-chip.patch b/queue-2.6.16/m41t00-fix-bitmasks-when-writing-to-chip.patch new file mode 100644 index 00000000000..a9c638dc2e1 --- /dev/null +++ b/queue-2.6.16/m41t00-fix-bitmasks-when-writing-to-chip.patch @@ -0,0 +1,47 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:10:57 2006 +Date: Wed, 19 Apr 2006 16:59:54 GMT +Message-Id: <200604191659.k3JGxs2M025081@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] m41t00: fix bitmasks when writing to chip + +From: David Barksdale + +[PATCH] m41t00: fix bitmasks when writing to chip + +Fix the bitmasks used when writing to the M41T00 registers. + +The original code used a mask of 0x7f when writing to each register, +this is incorrect and probably the result of a copy-paste error. As a +result years from 1980 to 1999 will be read back as 2000 to 2019. + +Signed-off-by: David Barksdale +Acked-by: Jean Delvare +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/chips/m41t00.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- linux-2.6.16.9.orig/drivers/i2c/chips/m41t00.c ++++ linux-2.6.16.9/drivers/i2c/chips/m41t00.c +@@ -129,13 +129,13 @@ m41t00_set_tlet(ulong arg) + if ((i2c_smbus_write_byte_data(save_client, 0, tm.tm_sec & 0x7f) < 0) + || (i2c_smbus_write_byte_data(save_client, 1, tm.tm_min & 0x7f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x3f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x3f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x1f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0xff) + < 0)) + + dev_warn(&save_client->dev,"m41t00: can't write to rtc chip\n"); diff --git a/queue-2.6.16/open-ipmi-bt-overflow.patch b/queue-2.6.16/open-ipmi-bt-overflow.patch new file mode 100644 index 00000000000..60fbb83ac9c --- /dev/null +++ b/queue-2.6.16/open-ipmi-bt-overflow.patch @@ -0,0 +1,43 @@ +From git-commits-head-owner@vger.kernel.org Wed Apr 19 10:11:09 2006 +Date: Wed, 19 Apr 2006 17:01:01 GMT +Message-Id: <200604191701.k3JH11nR026338@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: [PATCH] Open IPMI BT overflow + +From: Heikki Orsila + +[PATCH] Open IPMI BT overflow + +I was looking into random driver code and found a suspicious looking +memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: + + if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) + return -1; + ... + memcpy(bt->write_data + 3, data + 1, size - 1); + +where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the +memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch +attached to limit size to (IPMI_MAX_LENGTH - 2). + +Cc: Corey Minyard +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_bt_sm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- linux-2.6.16.9.orig/drivers/char/ipmi/ipmi_bt_sm.c ++++ linux-2.6.16.9/drivers/char/ipmi/ipmi_bt_sm.c +@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s + { + unsigned int i; + +- if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) ++ if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) + return -1; + + if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) diff --git a/queue-2.6.16/series b/queue-2.6.16/series index c13c8b92095..343765cdbdc 100644 --- a/queue-2.6.16/series +++ b/queue-2.6.16/series @@ -10,3 +10,13 @@ selinux-fix-mls-compatibility-off-by-one-bug.patch ipv6-ensure-to-have-hop-by-hop-options-in-our-header-of-sk_buff.patch ipv6-xfrm-don-t-use-old-copy-of-pointer-after-pskb_may_pull.patch ipv6-xfrm-fix-decoding-session-with-preceding-extension-header.patch +x86-don-t-allow-tail-calls-in-sys_ftruncate.patch +x86-be-careful-about-tailcall-breakage-for-sys_open-too.patch +open-ipmi-bt-overflow.patch +m41t00-fix-bitmasks-when-writing-to-chip.patch +ipc-access-to-unmapped-vmalloc-area-in-grow_ary.patch +fix-file-lookup-without-ref.patch +fbdev-fix-return-error-of-fb_write.patch +apm-fix-armada-laptops-again.patch +alim15x3-uli-m-1573-south-bridge-support.patch +add-more-prevent_tail_call.patch diff --git a/queue-2.6.16/x86-be-careful-about-tailcall-breakage-for-sys_open-too.patch b/queue-2.6.16/x86-be-careful-about-tailcall-breakage-for-sys_open-too.patch new file mode 100644 index 00000000000..7c59f3465f4 --- /dev/null +++ b/queue-2.6.16/x86-be-careful-about-tailcall-breakage-for-sys_open-too.patch @@ -0,0 +1,79 @@ +From git-commits-head-owner@vger.kernel.org Tue Apr 18 14:00:16 2006 +Date: Tue, 18 Apr 2006 20:59:27 GMT +Message-Id: <200604182059.k3IKxR0V011701@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: x86: be careful about tailcall breakage for sys_open[at] too + +From: Linus Torvalds + +x86: be careful about tailcall breakage for sys_open[at] too + +Came up through a quick grep for other cases similar to the ftruncate() +one in commit 0a489cb3b6a7b277030cdbc97c2c65905db94536. + +Also, add a comment, so that people who read the code understand why we +do what looks like a no-op. + +(Again, this won't actually matter to any sane user, since libc will +save and restore the register gcc stomps on, but it's still wrong to +stomp on it) + +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/open.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- linux-2.6.16.9.orig/fs/open.c ++++ linux-2.6.16.9/fs/open.c +@@ -331,6 +331,7 @@ out: + asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length) + { + long ret = do_sys_ftruncate(fd, length, 1); ++ /* avoid REGPARM breakage on x86: */ + prevent_tail_call(ret); + return ret; + } +@@ -345,6 +346,7 @@ asmlinkage long sys_truncate64(const cha + asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length) + { + long ret = do_sys_ftruncate(fd, length, 0); ++ /* avoid REGPARM breakage on x86: */ + prevent_tail_call(ret); + return ret; + } +@@ -1087,20 +1089,30 @@ long do_sys_open(int dfd, const char __u + + asmlinkage long sys_open(const char __user *filename, int flags, int mode) + { ++ long ret; ++ + if (force_o_largefile()) + flags |= O_LARGEFILE; + +- return do_sys_open(AT_FDCWD, filename, flags, mode); ++ ret = do_sys_open(AT_FDCWD, filename, flags, mode); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + EXPORT_SYMBOL_GPL(sys_open); + + asmlinkage long sys_openat(int dfd, const char __user *filename, int flags, + int mode) + { ++ long ret; ++ + if (force_o_largefile()) + flags |= O_LARGEFILE; + +- return do_sys_open(dfd, filename, flags, mode); ++ ret = do_sys_open(dfd, filename, flags, mode); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + EXPORT_SYMBOL_GPL(sys_openat); + diff --git a/queue-2.6.16/x86-don-t-allow-tail-calls-in-sys_ftruncate.patch b/queue-2.6.16/x86-don-t-allow-tail-calls-in-sys_ftruncate.patch new file mode 100644 index 00000000000..9de7bec4c1a --- /dev/null +++ b/queue-2.6.16/x86-don-t-allow-tail-calls-in-sys_ftruncate.patch @@ -0,0 +1,58 @@ +From git-commits-head-owner@vger.kernel.org Tue Apr 18 14:00:16 2006 +Date: Tue, 18 Apr 2006 20:59:26 GMT +Message-Id: <200604182059.k3IKxQG1011693@hera.kernel.org> +From: Linux Kernel Mailing List +To: git-commits-head@vger.kernel.org +Subject: x86: don't allow tail-calls in sys_ftruncate[64]() + +From: Linus Torvalds + +x86: don't allow tail-calls in sys_ftruncate[64]() + +Gcc thinks it owns the incoming argument stack, but that's not true for +"asmlinkage" functions, and it corrupts the caller-set-up argument stack +when it pushes the third argument onto the stack. Which can result in +%ebx getting corrupted in user space. + +Now, normally nobody sane would ever notice, since libc will save and +restore %ebx anyway over the system call, but it's still wrong. + +I'd much rather have "asmlinkage" tell gcc directly that it doesn't own +the stack, but no such attribute exists, so we're stuck with our hacky +manual "prevent_tail_call()" macro once more (we've had the same issue +before with sys_waitpid() and sys_wait4()). + +Thanks to Hans-Werner Hilse for reporting +the issue and testing the fix. + +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/open.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- linux-2.6.16.9.orig/fs/open.c ++++ linux-2.6.16.9/fs/open.c +@@ -330,7 +330,9 @@ out: + + asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length) + { +- return do_sys_ftruncate(fd, length, 1); ++ long ret = do_sys_ftruncate(fd, length, 1); ++ prevent_tail_call(ret); ++ return ret; + } + + /* LFS versions of truncate are only needed on 32 bit machines */ +@@ -342,7 +344,9 @@ asmlinkage long sys_truncate64(const cha + + asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length) + { +- return do_sys_ftruncate(fd, length, 0); ++ long ret = do_sys_ftruncate(fd, length, 0); ++ prevent_tail_call(ret); ++ return ret; + } + #endif +