From: Greg Kroah-Hartman Date: Tue, 5 Jan 2010 19:58:39 +0000 (-0800) Subject: start 2.6.27.43 review cycle X-Git-Tag: v2.6.31.10~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8557a405d6bb1ee02e1bf917c1056b54c4b57410;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.27.43 review cycle --- diff --git a/queue-2.6.27/generic_permission-may_open-is-not-write-access.patch b/review-2.6.27/generic_permission-may_open-is-not-write-access.patch similarity index 100% rename from queue-2.6.27/generic_permission-may_open-is-not-write-access.patch rename to review-2.6.27/generic_permission-may_open-is-not-write-access.patch diff --git a/queue-2.6.27/i2c-tsl2550-fix-lux-value-in-extended-mode.patch b/review-2.6.27/i2c-tsl2550-fix-lux-value-in-extended-mode.patch similarity index 100% rename from queue-2.6.27/i2c-tsl2550-fix-lux-value-in-extended-mode.patch rename to review-2.6.27/i2c-tsl2550-fix-lux-value-in-extended-mode.patch diff --git a/queue-2.6.27/ipv6-reassembly-use-seperate-reassembly-queues-for-conntrack-and-local-delivery.patch b/review-2.6.27/ipv6-reassembly-use-seperate-reassembly-queues-for-conntrack-and-local-delivery.patch similarity index 100% rename from queue-2.6.27/ipv6-reassembly-use-seperate-reassembly-queues-for-conntrack-and-local-delivery.patch rename to review-2.6.27/ipv6-reassembly-use-seperate-reassembly-queues-for-conntrack-and-local-delivery.patch diff --git a/queue-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch b/review-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch similarity index 100% rename from queue-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch rename to review-2.6.27/libertas-fix-buffer-overflow-in-lbs_get_essid.patch diff --git a/review-2.6.27/mbox b/review-2.6.27/mbox new file mode 100644 index 00000000000..c1e3dd9595b --- /dev/null +++ b/review-2.6.27/mbox @@ -0,0 +1,781 @@ +From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010 +Message-Id: <20100105194914.321801567@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:52 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Daniel Mack , + Stephen Hemminger , + Maithili Hinge , + Kiran Divekar , + Michael Hirsch , + netdev@vger.kernel.org, + libertas-dev@lists.infradead.org, + linux-wireless@lists.infradead.org, + Holger Schurig , + Dan Williams , + "John W. Linville" +Subject: [01/10] Libertas: fix buffer overflow in lbs_get_essid() + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ + +From: Daniel Mack + +commit 45b241689179a6065384260242637cf21dabfb2d upstream. + +The libertas driver copies the SSID buffer back to the wireless core and +appends a trailing NULL character for termination. This is + +a) unnecessary because the buffer is allocated with kzalloc and is hence + already NULLed when this function is called, and + +b) for priv->curbssparams.ssid_len == 32, it writes back one byte too + much which causes memory corruptions. + +Fix this by removing the extra write. + +Signed-off-by: Daniel Mack +Cc: Stephen Hemminger +Cc: Maithili Hinge +Cc: Kiran Divekar +Cc: Michael Hirsch +Cc: netdev@vger.kernel.org +Cc: libertas-dev@lists.infradead.org +Cc: linux-wireless@lists.infradead.org +Acked-by: Holger Schurig +Acked-by: Dan Williams +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/libertas/wext.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/libertas/wext.c ++++ b/drivers/net/wireless/libertas/wext.c +@@ -1899,10 +1899,8 @@ static int lbs_get_essid(struct net_devi + if (priv->connect_status == LBS_CONNECTED) { + memcpy(extra, priv->curbssparams.ssid, + priv->curbssparams.ssid_len); +- extra[priv->curbssparams.ssid_len] = '\0'; + } else { + memset(extra, 0, 32); +- extra[priv->curbssparams.ssid_len] = '\0'; + } + /* + * If none, we may want to get the one that was set + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010 +Message-Id: <20100105194914.456262307@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:53 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Bartlomiej Zolnierkiewicz , + Jeff Garzik +Subject: [02/10] pata_cmd64x: fix overclocking of UDMA0-2 modes + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Bartlomiej Zolnierkiewicz + +commit 509426bd46ad0903dca409803e0ee3d30f99f1e8 upstream. + +adev->dma_mode stores the transfer mode value not UDMA mode number +so the condition in cmd64x_set_dmamode() is always true and the higher +UDMA clock is always selected. This can potentially result in data +corruption when UDMA33 device is used, when 40-wire cable is used or +when the error recovery code decides to lower the device speed down. + +The issue was introduced in the commit 6a40da0 ("libata cmd64x: whack +into a shape that looks like the documentation") which goes back to +kernel 2.6.20. + +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_cmd64x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/pata_cmd64x.c ++++ b/drivers/ata/pata_cmd64x.c +@@ -219,7 +219,7 @@ static void cmd64x_set_dmamode(struct at + regU |= udma_data[adev->dma_mode - XFER_UDMA_0] << shift; + /* Merge the control bits */ + regU |= 1 << adev->devno; /* UDMA on */ +- if (adev->dma_mode > 2) /* 15nS timing */ ++ if (adev->dma_mode > XFER_UDMA_2) /* 15nS timing */ + regU |= 4 << adev->devno; + } else { + regU &= ~ (1 << adev->devno); /* UDMA off */ + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010 +Message-Id: <20100105194914.586693908@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:54 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Clemens Ladisch , + Takashi Iwai +Subject: [03/10] sound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Clemens Ladisch + +commit 3e85fd614c7b6bb7f33bb04a0dcb5a3bfca4c0fe upstream. + +When allocating the PCM buffer, use vmalloc_user() instead of vmalloc(). +Otherwise, it would be possible for applications to play the previous +contents of the kernel memory to the speakers, or to read it directly if +the buffer is exported to userspace. + +Signed-off-by: Clemens Ladisch +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/mips/sgio2audio.c | 2 +- + sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c | 2 +- + sound/usb/usbaudio.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/mips/sgio2audio.c ++++ b/sound/mips/sgio2audio.c +@@ -609,7 +609,7 @@ static int snd_sgio2audio_pcm_hw_params( + /* alloc virtual 'dma' area */ + if (runtime->dma_area) + vfree(runtime->dma_area); +- runtime->dma_area = vmalloc(size); ++ runtime->dma_area = vmalloc_user(size); + if (runtime->dma_area == NULL) + return -ENOMEM; + runtime->dma_bytes = size; +--- a/sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c ++++ b/sound/pcmcia/pdaudiocf/pdaudiocf_pcm.c +@@ -51,7 +51,7 @@ static int snd_pcm_alloc_vmalloc_buffer( + return 0; /* already enough large */ + vfree(runtime->dma_area); + } +- runtime->dma_area = vmalloc_32(size); ++ runtime->dma_area = vmalloc_32_user(size); + if (! runtime->dma_area) + return -ENOMEM; + runtime->dma_bytes = size; +--- a/sound/usb/usbaudio.c ++++ b/sound/usb/usbaudio.c +@@ -740,7 +740,7 @@ static int snd_pcm_alloc_vmalloc_buffer( + return 0; /* already large enough */ + vfree(runtime->dma_area); + } +- runtime->dma_area = vmalloc(size); ++ runtime->dma_area = vmalloc_user(size); + if (!runtime->dma_area) + return -ENOMEM; + runtime->dma_bytes = size; + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010 +Message-Id: <20100105194914.719225486@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:55 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Michele Jr De Candia , + Jean Delvare +Subject: [04/10] i2c/tsl2550: Fix lux value in extended mode + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Michele Jr De Candia + +commit 5f5bfb09d81c9a1d26238ae6668e584c14ae3daf upstream. + +According to the TAOS Application Note 'Controlling a Backlight with +the TSL2550 Ambient Light Sensor' (page 14), the actual lux value in +extended mode should be obtained multiplying the calculated lux value +by 5. + +Signed-off-by: Michele Jr De Candia +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/chips/tsl2550.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/chips/tsl2550.c ++++ b/drivers/i2c/chips/tsl2550.c +@@ -277,6 +277,7 @@ static DEVICE_ATTR(operating_mode, S_IWU + + static ssize_t __tsl2550_show_lux(struct i2c_client *client, char *buf) + { ++ struct tsl2550_data *data = i2c_get_clientdata(client); + u8 ch0, ch1; + int ret; + +@@ -296,6 +297,8 @@ static ssize_t __tsl2550_show_lux(struct + ret = tsl2550_calculate_lux(ch0, ch1); + if (ret < 0) + return ret; ++ if (data->operating_mode == 1) ++ ret *= 5; + + return sprintf(buf, "%d\n", ret); + } + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:14 2010 +Message-Id: <20100105194914.844399696@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:56 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Patrick McHardy +Subject: [05/10] ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Patrick McHardy + +commit 0b5ccb2ee250136dd7385b1c7da28417d0d4d32d upstream. + +Currently the same reassembly queue might be used for packets reassembled +by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT), +as well as local delivery. This can cause "packet jumps" when the fragment +completing a reassembled packet is queued from a different position in the +stack than the previous ones. + +Add a "user" identifier to the reassembly queue key to seperate the queues +of each caller, similar to what we do for IPv4. + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/ipv6.h | 7 +++++++ + include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 2 +- + net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 13 +++++++++++-- + net/ipv6/netfilter/nf_conntrack_reasm.c | 7 ++++--- + net/ipv6/reassembly.c | 5 ++++- + 5 files changed, 27 insertions(+), 7 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -342,8 +342,15 @@ static inline int ipv6_prefix_equal(cons + + struct inet_frag_queue; + ++enum ip6_defrag_users { ++ IP6_DEFRAG_LOCAL_DELIVER, ++ IP6_DEFRAG_CONNTRACK_IN, ++ IP6_DEFRAG_CONNTRACK_OUT, ++}; ++ + struct ip6_create_arg { + __be32 id; ++ u32 user; + struct in6_addr *src; + struct in6_addr *dst; + }; +--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h ++++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h +@@ -9,7 +9,7 @@ extern struct nf_conntrack_l4proto nf_co + + extern int nf_ct_frag6_init(void); + extern void nf_ct_frag6_cleanup(void); +-extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb); ++extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); + extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, + struct net_device *in, + struct net_device *out, +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -183,6 +183,16 @@ out: + return nf_conntrack_confirm(skb); + } + ++static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum, ++ struct sk_buff *skb) ++{ ++ if (hooknum == NF_INET_PRE_ROUTING) ++ return IP6_DEFRAG_CONNTRACK_IN; ++ else ++ return IP6_DEFRAG_CONNTRACK_OUT; ++ ++} ++ + static unsigned int ipv6_defrag(unsigned int hooknum, + struct sk_buff *skb, + const struct net_device *in, +@@ -195,8 +205,7 @@ static unsigned int ipv6_defrag(unsigned + if (skb->nfct) + return NF_ACCEPT; + +- reasm = nf_ct_frag6_gather(skb); +- ++ reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb)); + /* queued */ + if (reasm == NULL) + return NF_STOLEN; +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -198,13 +198,14 @@ out: + /* Creation primitives. */ + + static __inline__ struct nf_ct_frag6_queue * +-fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst) ++fq_find(__be32 id, u32 user, struct in6_addr *src, struct in6_addr *dst) + { + struct inet_frag_queue *q; + struct ip6_create_arg arg; + unsigned int hash; + + arg.id = id; ++ arg.user = user; + arg.src = src; + arg.dst = dst; + +@@ -589,7 +590,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 * + return 0; + } + +-struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb) ++struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user) + { + struct sk_buff *clone; + struct net_device *dev = skb->dev; +@@ -635,7 +636,7 @@ struct sk_buff *nf_ct_frag6_gather(struc + if (atomic_read(&nf_init_frags.mem) > nf_init_frags.high_thresh) + nf_ct_frag6_evictor(); + +- fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr); ++ fq = fq_find(fhdr->identification, user, &hdr->saddr, &hdr->daddr); + if (fq == NULL) { + pr_debug("Can't find and can't create new queue\n"); + goto ret_orig; +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -72,6 +72,7 @@ struct frag_queue + struct inet_frag_queue q; + + __be32 id; /* fragment id */ ++ u32 user; + struct in6_addr saddr; + struct in6_addr daddr; + +@@ -140,7 +141,7 @@ int ip6_frag_match(struct inet_frag_queu + struct ip6_create_arg *arg = a; + + fq = container_of(q, struct frag_queue, q); +- return (fq->id == arg->id && ++ return (fq->id == arg->id && fq->user == arg->user && + ipv6_addr_equal(&fq->saddr, arg->src) && + ipv6_addr_equal(&fq->daddr, arg->dst)); + } +@@ -162,6 +163,7 @@ void ip6_frag_init(struct inet_frag_queu + struct ip6_create_arg *arg = a; + + fq->id = arg->id; ++ fq->user = arg->user; + ipv6_addr_copy(&fq->saddr, arg->src); + ipv6_addr_copy(&fq->daddr, arg->dst); + } +@@ -243,6 +245,7 @@ fq_find(struct net *net, __be32 id, stru + unsigned int hash; + + arg.id = id; ++ arg.user = IP6_DEFRAG_LOCAL_DELIVER; + arg.src = src; + arg.dst = dst; + + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010 +Message-Id: <20100105194914.976056797@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:57 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Stefan Weinhuber , + Martin Schwidefsky , + Stephen Powell +Subject: [06/10] S390: dasd: support DIAG access for read-only devices + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Stefan Weinhuber + +commit 22825ab7693fd29769518a0d25ba43c01a50092a upstream. + +When a DASD device is used with the DIAG discipline, the DIAG +initialization will indicate success or error with a respective +return code. So far we have interpreted a return code of 4 as error, +but it actually means that the initialization was successful, but +the device is read-only. To allow read-only devices to be used with +DIAG we need to accept a return code of 4 as success. + +Re-initialization of the DIAG access is also part of the DIAG error +recovery. If we find that the access mode of a device has been +changed from writable to read-only while the device was in use, +we print an error message. + +Signed-off-by: Stefan Weinhuber +Signed-off-by: Martin Schwidefsky +Cc: Stephen Powell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd_diag.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/s390/block/dasd_diag.c ++++ b/drivers/s390/block/dasd_diag.c +@@ -143,6 +143,15 @@ dasd_diag_erp(struct dasd_device *device + + mdsk_term_io(device); + rc = mdsk_init_io(device, device->block->bp_block, 0, NULL); ++ if (rc == 4) { ++ if (!(device->features & DASD_FEATURE_READONLY)) { ++ dev_warn(&device->cdev->dev, ++ "The access mode of a DIAG device changed" ++ " to read-only"); ++ device->features |= DASD_FEATURE_READONLY; ++ } ++ rc = 0; ++ } + if (rc) + DEV_MESSAGE(KERN_WARNING, device, "DIAG ERP unsuccessful, " + "rc=%d", rc); +@@ -432,16 +441,20 @@ dasd_diag_check_device(struct dasd_devic + for (sb = 512; sb < bsize; sb = sb << 1) + block->s2b_shift++; + rc = mdsk_init_io(device, block->bp_block, 0, NULL); +- if (rc) { ++ if (rc && (rc != 4)) { + DEV_MESSAGE(KERN_WARNING, device, "DIAG initialization " + "failed (rc=%d)", rc); + rc = -EIO; + } else { ++ if (rc == 4) ++ device->features |= DASD_FEATURE_READONLY; + DEV_MESSAGE(KERN_INFO, device, +- "(%ld B/blk): %ldkB", ++ "(%ld B/blk): %ldkB%s", + (unsigned long) block->bp_block, + (unsigned long) (block->blocks << +- block->s2b_shift) >> 1); ++ block->s2b_shift) >> 1, ++ (rc == 4) ? ", read-only device" : ""); ++ rc = 0; + } + out_label: + free_page((long) label); + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010 +Message-Id: <20100105194915.108147616@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:58 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Roland McGrath +Subject: [07/10] x86/ptrace: make genregs[32]_get/set more robust + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Linus Torvalds + +commit 04a1e62c2cec820501f93526ad1e46073b802dc4 upstream. + +The loop condition is fragile: we compare an unsigned value to zero, and +then decrement it by something larger than one in the loop. All the +callers should be passing in appropriately aligned buffer lengths, but +it's better to just not rely on it, and have some appropriate defensive +loop limits. + +Acked-by: Roland McGrath +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/ptrace.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/ptrace.c ++++ b/arch/x86/kernel/ptrace.c +@@ -416,14 +416,14 @@ static int genregs_get(struct task_struc + { + if (kbuf) { + unsigned long *k = kbuf; +- while (count > 0) { ++ while (count >= sizeof(*k)) { + *k++ = getreg(target, pos); + count -= sizeof(*k); + pos += sizeof(*k); + } + } else { + unsigned long __user *u = ubuf; +- while (count > 0) { ++ while (count >= sizeof(*u)) { + if (__put_user(getreg(target, pos), u++)) + return -EFAULT; + count -= sizeof(*u); +@@ -442,14 +442,14 @@ static int genregs_set(struct task_struc + int ret = 0; + if (kbuf) { + const unsigned long *k = kbuf; +- while (count > 0 && !ret) { ++ while (count >= sizeof(*k) && !ret) { + ret = putreg(target, pos, *k++); + count -= sizeof(*k); + pos += sizeof(*k); + } + } else { + const unsigned long __user *u = ubuf; +- while (count > 0 && !ret) { ++ while (count >= sizeof(*u) && !ret) { + unsigned long word; + ret = __get_user(word, u++); + if (ret) +@@ -1159,14 +1159,14 @@ static int genregs32_get(struct task_str + { + if (kbuf) { + compat_ulong_t *k = kbuf; +- while (count > 0) { ++ while (count >= sizeof(*k)) { + getreg32(target, pos, k++); + count -= sizeof(*k); + pos += sizeof(*k); + } + } else { + compat_ulong_t __user *u = ubuf; +- while (count > 0) { ++ while (count >= sizeof(*u)) { + compat_ulong_t word; + getreg32(target, pos, &word); + if (__put_user(word, u++)) +@@ -1187,14 +1187,14 @@ static int genregs32_set(struct task_str + int ret = 0; + if (kbuf) { + const compat_ulong_t *k = kbuf; +- while (count > 0 && !ret) { ++ while (count >= sizeof(*k) && !ret) { + ret = putreg32(target, pos, *k++); + count -= sizeof(*k); + pos += sizeof(*k); + } + } else { + const compat_ulong_t __user *u = ubuf; +- while (count > 0 && !ret) { ++ while (count >= sizeof(*u) && !ret) { + compat_ulong_t word; + ret = __get_user(word, u++); + if (ret) + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010 +Message-Id: <20100105194915.239350321@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:47:59 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Gertjan van Wingerde , + Ivo van Doorn , + "John W. Linville" +Subject: [08/10] rt2x00: Disable powersaving for rt61pci and rt2800pci. + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Gertjan van Wingerde + +commit 93b6bd26b74efe46b4579592560f9f1cb7b61994 upstream. + +We've had many reports of rt61pci failures with powersaving enabled. +Therefore, as a stop-gap measure, disable powersaving of the rt61pci +until we have found a proper solution. +Also disable powersaving on rt2800pci as it most probably will show +the same problem. + +Signed-off-by: Gertjan van Wingerde +Acked-by: Ivo van Doorn +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rt2x00/rt61pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/rt2x00/rt61pci.c ++++ b/drivers/net/wireless/rt2x00/rt61pci.c +@@ -2281,6 +2281,11 @@ static void rt61pci_probe_hw_mode(struct + unsigned int i; + + /* ++ * Disable powersaving as default. ++ */ ++ rt2x00dev->hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT; ++ ++ /* + * Initialize all hw fields. + */ + rt2x00dev->hw->flags = + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010 +Message-Id: <20100105194915.376656312@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:48:00 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: "Serge E. Hallyn" +Subject: [09/10] generic_permission: MAY_OPEN is not write access + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +From: Serge E. Hallyn + +commit 7ea6600148c265b1fd53e521022b1d7aec81d974 upstream. + +generic_permission was refusing CAP_DAC_READ_SEARCH-enabled +processes from opening DAC-protected files read-only, because +do_filp_open adds MAY_OPEN to the open mask. + +Ignore MAY_OPEN. After this patch, CAP_DAC_READ_SEARCH is +again sufficient to open(fname, O_RDONLY) on a file to which +DAC otherwise refuses us read permission. + +Reported-by: Mike Kazantsev +Signed-off-by: Serge E. Hallyn +Tested-by: Mike Kazantsev +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -220,6 +220,7 @@ int generic_permission(struct inode *ino + /* + * Searching includes executable on directories, else just read. + */ ++ mask &= MAY_READ | MAY_WRITE | MAY_EXEC; + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) + if (capable(CAP_DAC_READ_SEARCH)) + return 0; + + +From gregkh@mini.kroah.org Tue Jan 5 11:49:15 2010 +Message-Id: <20100105194915.508413494@mini.kroah.org> +User-Agent: quilt/0.48-1 +Date: Tue, 05 Jan 2010 11:48:01 -0800 +From: Greg KH +To: linux-kernel@vger.kernel.org, + stable@kernel.org, + akpm@linux-foundation.org, + torvalds@linux-foundation.org, + stable-review@kernel.org +Cc: Gleb Natapov , + Avi Kivity +Subject: [10/10] Revert: KVM: MMU: do not free active mmu pages in free_mmu_pages() + +2.6.27-stable review patch. If anyone has any objections, please let us know. + +------------------ +This reverts the commit d2127c8300fb1ec54af56faee17170e7a525326d, which was +the commit f00be0cae4e6ad0a8c7be381c6d9be3586800b3e upstream. + +This was done based on comments saying it was causing problems. + +Cc: Gleb Natapov +Cc: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + + +--- + arch/x86/kvm/mmu.c | 8 ++++++++ + virt/kvm/kvm_main.c | 2 -- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -1995,6 +1995,14 @@ EXPORT_SYMBOL_GPL(kvm_disable_tdp); + + static void free_mmu_pages(struct kvm_vcpu *vcpu) + { ++ struct kvm_mmu_page *sp; ++ ++ while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) { ++ sp = container_of(vcpu->kvm->arch.active_mmu_pages.next, ++ struct kvm_mmu_page, link); ++ kvm_mmu_zap_page(vcpu->kvm, sp); ++ cond_resched(); ++ } + free_page((unsigned long)vcpu->arch.mmu.pae_root); + } + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -406,8 +406,6 @@ static void kvm_destroy_vm(struct kvm *k + #endif + #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER) + mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm); +-#else +- kvm_arch_flush_shadow(kvm); + #endif + kvm_arch_destroy_vm(kvm); + mmdrop(mm); + + diff --git a/queue-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch b/review-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch similarity index 100% rename from queue-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch rename to review-2.6.27/pata_cmd64x-fix-overclocking-of-udma0-2-modes.patch diff --git a/queue-2.6.27/revert-kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch b/review-2.6.27/revert-kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch similarity index 100% rename from queue-2.6.27/revert-kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch rename to review-2.6.27/revert-kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch diff --git a/queue-2.6.27/rt2x00-disable-powersaving-for-rt61pci-and-rt2800pci.patch b/review-2.6.27/rt2x00-disable-powersaving-for-rt61pci-and-rt2800pci.patch similarity index 100% rename from queue-2.6.27/rt2x00-disable-powersaving-for-rt61pci-and-rt2800pci.patch rename to review-2.6.27/rt2x00-disable-powersaving-for-rt61pci-and-rt2800pci.patch diff --git a/queue-2.6.27/s390-dasd-support-diag-access-for-read-only-devices.patch b/review-2.6.27/s390-dasd-support-diag-access-for-read-only-devices.patch similarity index 100% rename from queue-2.6.27/s390-dasd-support-diag-access-for-read-only-devices.patch rename to review-2.6.27/s390-dasd-support-diag-access-for-read-only-devices.patch diff --git a/queue-2.6.27/series b/review-2.6.27/series similarity index 100% rename from queue-2.6.27/series rename to review-2.6.27/series diff --git a/queue-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch b/review-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch similarity index 100% rename from queue-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch rename to review-2.6.27/sound-sgio2audio-pdaudiocf-usb-audio-initialize-pcm-buffer.patch diff --git a/queue-2.6.27/x86-ptrace-make-genregs_get-set-more-robust.patch b/review-2.6.27/x86-ptrace-make-genregs_get-set-more-robust.patch similarity index 100% rename from queue-2.6.27/x86-ptrace-make-genregs_get-set-more-robust.patch rename to review-2.6.27/x86-ptrace-make-genregs_get-set-more-robust.patch