From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu, 3 Sep 2009 23:16:53 +0000 (-0700)
Subject: .27 patches
X-Git-Tag: v2.6.27.32~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8fbe3c4b127fe6f2c6e8dc82d6190e5408b83195;p=thirdparty%2Fkernel%2Fstable-queue.git

.27 patches
---

diff --git a/queue-2.6.27/appletalk-fix-atalk_getname-leak.patch b/queue-2.6.27/appletalk-fix-atalk_getname-leak.patch
new file mode 100644
index 00000000000..a8bb9eea643
--- /dev/null
+++ b/queue-2.6.27/appletalk-fix-atalk_getname-leak.patch
@@ -0,0 +1,29 @@
+From 3d392475c873c10c10d6d96b94d092a34ebd4791 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 02:27:43 +0000
+Subject: appletalk: fix atalk_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream.
+
+atalk_getname() can leak 8 bytes of kernel memory to user
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/appletalk/ddp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1245,6 +1245,7 @@ static int atalk_getname(struct socket *
+ 			return -ENOBUFS;
+ 
+ 	*uaddr_len = sizeof(struct sockaddr_at);
++	memset(&sat.sat_zero, 0, sizeof(sat.sat_zero));
+ 
+ 	if (peer) {
+ 		if (sk->sk_state != TCP_ESTABLISHED)
diff --git a/queue-2.6.27/can-fix-raw_getname-leak.patch b/queue-2.6.27/can-fix-raw_getname-leak.patch
new file mode 100644
index 00000000000..c303edb13c9
--- /dev/null
+++ b/queue-2.6.27/can-fix-raw_getname-leak.patch
@@ -0,0 +1,33 @@
+From e84b90ae5eb3c112d1f208964df1d8156a538289 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 20:27:04 +0000
+Subject: can: Fix raw_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.
+
+raw_getname() can leak 10 bytes of kernel memory to user
+
+(two bytes hole between can_family and can_ifindex,
+8 bytes at the end of sockaddr_can structure)
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Oliver Hartkopp <oliver@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/raw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -396,6 +396,7 @@ static int raw_getname(struct socket *so
+ 	if (peer)
+ 		return -EOPNOTSUPP;
+ 
++	memset(addr, 0, sizeof(*addr));
+ 	addr->can_family  = AF_CAN;
+ 	addr->can_ifindex = ro->ifindex;
+ 
diff --git a/queue-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch b/queue-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch
new file mode 100644
index 00000000000..995dedb1bdb
--- /dev/null
+++ b/queue-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch
@@ -0,0 +1,66 @@
+From 0083fc2c50e6c5127c2802ad323adf8143ab7856 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 1 Aug 2009 10:34:56 -0700
+Subject: do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856 upstream.
+
+Ulrich Drepper correctly points out that there is generally padding in
+the structure on 64-bit hosts, and that copying the structure from
+kernel to user space can leak information from the kernel stack in those
+padding bytes.
+
+Avoid the whole issue by just copying the three members one by one
+instead, which also means that the function also can avoid the need for
+a stack frame.  This also happens to match how we copy the new structure
+from user space, so it all even makes sense.
+
+[ The obvious solution of adding a memset() generates horrid code, gcc
+  does really stupid things. ]
+
+Reported-by: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/signal.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2353,11 +2353,9 @@ do_sigaltstack (const stack_t __user *us
+ 	stack_t oss;
+ 	int error;
+ 
+-	if (uoss) {
+-		oss.ss_sp = (void __user *) current->sas_ss_sp;
+-		oss.ss_size = current->sas_ss_size;
+-		oss.ss_flags = sas_ss_flags(sp);
+-	}
++	oss.ss_sp = (void __user *) current->sas_ss_sp;
++	oss.ss_size = current->sas_ss_size;
++	oss.ss_flags = sas_ss_flags(sp);
+ 
+ 	if (uss) {
+ 		void __user *ss_sp;
+@@ -2400,13 +2398,16 @@ do_sigaltstack (const stack_t __user *us
+ 		current->sas_ss_size = ss_size;
+ 	}
+ 
++	error = 0;
+ 	if (uoss) {
+ 		error = -EFAULT;
+-		if (copy_to_user(uoss, &oss, sizeof(oss)))
++		if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+ 			goto out;
++		error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++			__put_user(oss.ss_size, &uoss->ss_size) |
++			__put_user(oss.ss_flags, &uoss->ss_flags);
+ 	}
+ 
+-	error = 0;
+ out:
+ 	return error;
+ }
diff --git a/queue-2.6.27/econet-fix-econet_getname-leak.patch b/queue-2.6.27/econet-fix-econet_getname-leak.patch
new file mode 100644
index 00000000000..86419f36efa
--- /dev/null
+++ b/queue-2.6.27/econet-fix-econet_getname-leak.patch
@@ -0,0 +1,29 @@
+From 80922bbb12a105f858a8f0abb879cb4302d0ecaa Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:48:36 +0000
+Subject: econet: Fix econet_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream.
+
+econet_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket 
+ 	if (peer)
+ 		return -EOPNOTSUPP;
+ 
++	memset(sec, 0, sizeof(*sec));
+ 	mutex_lock(&econet_mutex);
+ 
+ 	sk = sock->sk;
diff --git a/queue-2.6.27/irda-fix-irda_getname-leak.patch b/queue-2.6.27/irda-fix-irda_getname-leak.patch
new file mode 100644
index 00000000000..1935fbc74d8
--- /dev/null
+++ b/queue-2.6.27/irda-fix-irda_getname-leak.patch
@@ -0,0 +1,29 @@
+From 09384dfc76e526c3993c09c42e016372dc9dd22c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:55:04 +0000
+Subject: irda: Fix irda_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream.
+
+irda_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *s
+ 	struct sock *sk = sock->sk;
+ 	struct irda_sock *self = irda_sk(sk);
+ 
++	memset(&saddr, 0, sizeof(saddr));
+ 	if (peer) {
+ 		if (sk->sk_state != TCP_ESTABLISHED)
+ 			return -ENOTCONN;
diff --git a/queue-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch b/queue-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch
new file mode 100644
index 00000000000..c5154fb94e2
--- /dev/null
+++ b/queue-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch
@@ -0,0 +1,51 @@
+From oleg@redhat.com  Thu Sep  3 15:22:09 2009
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 24 Aug 2009 12:45:29 +0200
+Subject: kthreads: fix kthread_create() vs kthread_stop() race
+To: Greg Kroah-Hartman <gregkh@suse.de>, Rusty Russell <rusty@rustcorp.com.au>
+Cc: Robert Peterson <rpeterso@redhat.com>, stable@kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20090824104529.GA6899@redhat.com>
+Content-Disposition: inline
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+The bug should be "accidently" fixed by recent changes in 2.6.31,
+all kernels <= 2.6.30 need the fix. The problem was never noticed before,
+it was found because it causes mysterious failures with GFS mount/umount.
+
+Credits to Robert Peterson. He blaimed kthread.c from the very beginning.
+But, despite my promise, I forgot to inspect the old implementation until
+he did a lot of testing and reminded me. This led to huge delay in fixing
+this bug.
+
+kthread_stop() does put_task_struct(k) before it clears kthread_stop_info.k.
+This means another kthread_create() can re-use this task_struct, but the
+new kthread can still see kthread_should_stop() == T and exit even without
+calling threadfn().
+
+Reported-by: Robert Peterson <rpeterso@redhat.com>
+Tested-by: Robert Peterson <rpeterso@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kthread.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -213,12 +213,12 @@ int kthread_stop(struct task_struct *k)
+ 	/* Now set kthread_should_stop() to true, and wake it up. */
+ 	kthread_stop_info.k = k;
+ 	wake_up_process(k);
+-	put_task_struct(k);
+ 
+ 	/* Once it dies, reset stop ptr, gather result and we're done. */
+ 	wait_for_completion(&kthread_stop_info.done);
+ 	kthread_stop_info.k = NULL;
+ 	ret = kthread_stop_info.err;
++	put_task_struct(k);
+ 	mutex_unlock(&kthread_stop_lock);
+ 
+ 	return ret;
diff --git a/queue-2.6.27/net-llc-zero-sockaddr_llc-struct.patch b/queue-2.6.27/net-llc-zero-sockaddr_llc-struct.patch
new file mode 100644
index 00000000000..8c815c01828
--- /dev/null
+++ b/queue-2.6.27/net-llc-zero-sockaddr_llc-struct.patch
@@ -0,0 +1,30 @@
+From 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sun, 23 Aug 2009 22:55:51 -0700
+Subject: NET: llc, zero sockaddr_llc struct
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream.
+
+sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+before copying to the above layer's structure.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/llc/af_llc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -915,6 +915,7 @@ static int llc_ui_getname(struct socket 
+ 	struct llc_sock *llc = llc_sk(sk);
+ 	int rc = 0;
+ 
++	memset(&sllc, 0, sizeof(sllc));
+ 	lock_sock(sk);
+ 	if (sock_flag(sk, SOCK_ZAPPED))
+ 		goto out;
diff --git a/queue-2.6.27/netrom-fix-nr_getname-leak.patch b/queue-2.6.27/netrom-fix-nr_getname-leak.patch
new file mode 100644
index 00000000000..d5dab667b6e
--- /dev/null
+++ b/queue-2.6.27/netrom-fix-nr_getname-leak.patch
@@ -0,0 +1,29 @@
+From f6b97b29513950bfbf621a83d85b6f86b39ec8db Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:31:07 +0000
+Subject: netrom: Fix nr_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream.
+
+nr_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netrom/af_netrom.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -848,6 +848,7 @@ static int nr_getname(struct socket *soc
+ 		sax->fsa_ax25.sax25_family = AF_NETROM;
+ 		sax->fsa_ax25.sax25_ndigis = 1;
+ 		sax->fsa_ax25.sax25_call   = nr->user_addr;
++		memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+ 		sax->fsa_digipeater[0]     = nr->dest_addr;
+ 		*uaddr_len = sizeof(struct full_sockaddr_ax25);
+ 	} else {
diff --git a/queue-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch b/queue-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch
new file mode 100644
index 00000000000..50b72ff7210
--- /dev/null
+++ b/queue-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch
@@ -0,0 +1,187 @@
+From e7432675f8ca868a4af365759a8d4c3779a3d922 Mon Sep 17 00:00:00 2001
+From: Sunil Mushran <sunil.mushran@oracle.com>
+Date: Thu, 6 Aug 2009 16:12:58 -0700
+Subject: ocfs2: Initialize the cluster we're writing to in a non-sparse extend
+
+From: Sunil Mushran <sunil.mushran@oracle.com>
+
+commit e7432675f8ca868a4af365759a8d4c3779a3d922 upstream.
+
+In a non-sparse extend, we correctly allocate (and zero) the clusters between
+the old_i_size and pos, but we don't zero the portions of the cluster we're
+writing to outside of pos<->len.
+
+It handles clustersize > pagesize and blocksize < pagesize.
+
+[Cleaned up by Joel Becker.]
+
+Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com>
+Signed-off-by: Joel Becker <joel.becker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/aops.c |   64 ++++++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 46 insertions(+), 18 deletions(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -908,18 +908,17 @@ struct ocfs2_write_cluster_desc {
+ 	 */
+ 	unsigned	c_new;
+ 	unsigned	c_unwritten;
++	unsigned	c_needs_zero;
+ };
+ 
+-static inline int ocfs2_should_zero_cluster(struct ocfs2_write_cluster_desc *d)
+-{
+-	return d->c_new || d->c_unwritten;
+-}
+-
+ struct ocfs2_write_ctxt {
+ 	/* Logical cluster position / len of write */
+ 	u32				w_cpos;
+ 	u32				w_clen;
+ 
++	/* First cluster allocated in a nonsparse extend */
++	u32				w_first_new_cpos;
++
+ 	struct ocfs2_write_cluster_desc	w_desc[OCFS2_MAX_CLUSTERS_PER_PAGE];
+ 
+ 	/*
+@@ -997,6 +996,7 @@ static int ocfs2_alloc_write_ctxt(struct
+ 		return -ENOMEM;
+ 
+ 	wc->w_cpos = pos >> osb->s_clustersize_bits;
++	wc->w_first_new_cpos = UINT_MAX;
+ 	cend = (pos + len - 1) >> osb->s_clustersize_bits;
+ 	wc->w_clen = cend - wc->w_cpos + 1;
+ 	get_bh(di_bh);
+@@ -1239,13 +1239,11 @@ static int ocfs2_write_cluster(struct ad
+ 			       struct ocfs2_write_ctxt *wc, u32 cpos,
+ 			       loff_t user_pos, unsigned user_len)
+ {
+-	int ret, i, new, should_zero = 0;
++	int ret, i, new;
+ 	u64 v_blkno, p_blkno;
+ 	struct inode *inode = mapping->host;
+ 
+ 	new = phys == 0 ? 1 : 0;
+-	if (new || unwritten)
+-		should_zero = 1;
+ 
+ 	if (new) {
+ 		u32 tmp_pos;
+@@ -1356,7 +1354,9 @@ static int ocfs2_write_cluster_by_desc(s
+ 			local_len = osb->s_clustersize - cluster_off;
+ 
+ 		ret = ocfs2_write_cluster(mapping, desc->c_phys,
+-					  desc->c_unwritten, data_ac, meta_ac,
++					  desc->c_unwritten,
++					  desc->c_needs_zero,
++					  data_ac, meta_ac,
+ 					  wc, desc->c_cpos, pos, local_len);
+ 		if (ret) {
+ 			mlog_errno(ret);
+@@ -1406,14 +1406,14 @@ static void ocfs2_set_target_boundaries(
+ 		 * newly allocated cluster.
+ 		 */
+ 		desc = &wc->w_desc[0];
+-		if (ocfs2_should_zero_cluster(desc))
++		if (desc->c_needs_zero)
+ 			ocfs2_figure_cluster_boundaries(osb,
+ 							desc->c_cpos,
+ 							&wc->w_target_from,
+ 							NULL);
+ 
+ 		desc = &wc->w_desc[wc->w_clen - 1];
+-		if (ocfs2_should_zero_cluster(desc))
++		if (desc->c_needs_zero)
+ 			ocfs2_figure_cluster_boundaries(osb,
+ 							desc->c_cpos,
+ 							NULL,
+@@ -1481,13 +1481,28 @@ static int ocfs2_populate_write_desc(str
+ 			phys++;
+ 		}
+ 
++		/*
++		 * If w_first_new_cpos is < UINT_MAX, we have a non-sparse
++		 * file that got extended.  w_first_new_cpos tells us
++		 * where the newly allocated clusters are so we can
++		 * zero them.
++		 */
++		if (desc->c_cpos >= wc->w_first_new_cpos) {
++			BUG_ON(phys == 0);
++			desc->c_needs_zero = 1;
++		}
++
+ 		desc->c_phys = phys;
+ 		if (phys == 0) {
+ 			desc->c_new = 1;
++			desc->c_needs_zero = 1;
+ 			*clusters_to_alloc = *clusters_to_alloc + 1;
+ 		}
+-		if (ext_flags & OCFS2_EXT_UNWRITTEN)
++
++		if (ext_flags & OCFS2_EXT_UNWRITTEN) {
+ 			desc->c_unwritten = 1;
++			desc->c_needs_zero = 1;
++		}
+ 
+ 		num_clusters--;
+ 	}
+@@ -1644,10 +1659,13 @@ static int ocfs2_expand_nonsparse_inode(
+ 	if (newsize <= i_size_read(inode))
+ 		return 0;
+ 
+-	ret = ocfs2_extend_no_holes(inode, newsize, newsize - len);
++	ret = ocfs2_extend_no_holes(inode, newsize, pos);
+ 	if (ret)
+ 		mlog_errno(ret);
+ 
++	wc->w_first_new_cpos =
++		ocfs2_clusters_for_bytes(inode->i_sb, i_size_read(inode));
++
+ 	return ret;
+ }
+ 
+@@ -1656,7 +1674,7 @@ int ocfs2_write_begin_nolock(struct addr
+ 			     struct page **pagep, void **fsdata,
+ 			     struct buffer_head *di_bh, struct page *mmap_page)
+ {
+-	int ret, credits = OCFS2_INODE_UPDATE_CREDITS;
++	int ret, cluster_of_pages, credits = OCFS2_INODE_UPDATE_CREDITS;
+ 	unsigned int clusters_to_alloc, extents_to_split;
+ 	struct ocfs2_write_ctxt *wc;
+ 	struct inode *inode = mapping->host;
+@@ -1724,8 +1742,19 @@ int ocfs2_write_begin_nolock(struct addr
+ 
+ 	}
+ 
+-	ocfs2_set_target_boundaries(osb, wc, pos, len,
+-				    clusters_to_alloc + extents_to_split);
++	/*
++	 * We have to zero sparse allocated clusters, unwritten extent clusters,
++	 * and non-sparse clusters we just extended.  For non-sparse writes,
++	 * we know zeros will only be needed in the first and/or last cluster.
++	 */
++	if (clusters_to_alloc || extents_to_split ||
++	    wc->w_desc[0].c_needs_zero ||
++	    wc->w_desc[wc->w_clen - 1].c_needs_zero)
++		cluster_of_pages = 1;
++	else
++		cluster_of_pages = 0;
++
++	ocfs2_set_target_boundaries(osb, wc, pos, len, cluster_of_pages);
+ 
+ 	handle = ocfs2_start_trans(osb, credits);
+ 	if (IS_ERR(handle)) {
+@@ -1753,8 +1782,7 @@ int ocfs2_write_begin_nolock(struct addr
+ 	 * extent.
+ 	 */
+ 	ret = ocfs2_grab_pages_for_write(mapping, wc, wc->w_cpos, pos,
+-					 clusters_to_alloc + extents_to_split,
+-					 mmap_page);
++					 cluster_of_pages, mmap_page);
+ 	if (ret) {
+ 		mlog_errno(ret);
+ 		goto out_commit;
diff --git a/queue-2.6.27/rose-fix-rose_getname-leak.patch b/queue-2.6.27/rose-fix-rose_getname-leak.patch
new file mode 100644
index 00000000000..2b018e767d0
--- /dev/null
+++ b/queue-2.6.27/rose-fix-rose_getname-leak.patch
@@ -0,0 +1,29 @@
+From 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:34:06 +0000
+Subject: rose: Fix rose_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream.
+
+rose_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rose/af_rose.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -957,6 +957,7 @@ static int rose_getname(struct socket *s
+ 	struct rose_sock *rose = rose_sk(sk);
+ 	int n;
+ 
++	memset(srose, 0, sizeof(*srose));
+ 	if (peer != 0) {
+ 		if (sk->sk_state != TCP_ESTABLISHED)
+ 			return -ENOTCONN;
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 1e3a958910c..aeea70a3d5e 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -30,3 +30,13 @@ kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch
 kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch
 kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch
 kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch
+appletalk-fix-atalk_getname-leak.patch
+can-fix-raw_getname-leak.patch
+do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch
+econet-fix-econet_getname-leak.patch
+irda-fix-irda_getname-leak.patch
+kthreads-fix-kthread_create-vs-kthread_stop-race.patch
+net-llc-zero-sockaddr_llc-struct.patch
+netrom-fix-nr_getname-leak.patch
+ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch
+rose-fix-rose_getname-leak.patch