From: Greg Kroah-Hartman
Date: Fri, 7 Nov 2008 22:19:38 +0000 (-0800)
Subject: some .25 patches
X-Git-Tag: v2.6.25.20~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c65dd651b225b9812b74b3620a9674266a440bf2;p=thirdparty%2Fkernel%2Fstable-queue.git
some .25 patches
---
diff --git a/queue-2.6.25/acpi-dock-avoid-check-_sta-method.patch b/queue-2.6.25/acpi-dock-avoid-check-_sta-method.patch
new file mode 100644
index 00000000000..0b49ff3715f
--- /dev/null
+++ b/queue-2.6.25/acpi-dock-avoid-check-_sta-method.patch
@@ -0,0 +1,50 @@
+From lenb@kernel.org Fri Nov 7 14:08:55 2008
+From: Shaohua Li
+Date: Thu, 06 Nov 2008 14:18:55 -0500 (EST)
+Subject: ACPI: dock: avoid check _STA method
+To: stable@kernel.org
+Cc: linux-acpi@vger.kernel.org, Linux Kernel Mailing List , Shaohua Li
+Message-ID:
+
+From: Shaohua Li
+
+commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream.
+
+ACPI: dock: avoid check _STA method
+
+In some BIOSes, every _STA method call will send a notification again,
+this cause freeze. And in some BIOSes, it appears _STA should be called
+after _DCK. This tries to avoid calls _STA, and still keep the device
+present check.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=10431
+
+Signed-off-by: Shaohua Li
+Signed-off-by: Len Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/dock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/dock.c
++++ b/drivers/acpi/dock.c
+@@ -599,14 +599,17 @@ static int handle_eject_request(struct d
+ static void dock_notify(acpi_handle handle, u32 event, void *data)
+ {
+ struct dock_station *ds = data;
++ struct acpi_device *tmp;
+
+ switch (event) {
+ case ACPI_NOTIFY_BUS_CHECK:
+- if (!dock_in_progress(ds) && dock_present(ds)) {
++ if (!dock_in_progress(ds) && acpi_bus_get_device(ds->handle,
++ &tmp)) {
+ begin_dock(ds);
+ dock(ds);
+ if (!dock_present(ds)) {
+ printk(KERN_ERR PREFIX "Unable to dock!\n");
++ complete_dock(ds);
+ break;
+ }
+ atomic_notifier_call_chain(&dock_notifier_list,
diff --git a/queue-2.6.25/alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch b/queue-2.6.25/alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch
new file mode 100644
index 00000000000..0f811c70729
--- /dev/null
+++ b/queue-2.6.25/alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch
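Review bot: In the dock_notify() change carried by acpi-dock-avoid-check-_sta-method.patch, the new condition `acpi_bus_get_device(ds->handle, &tmp)` is used as a bare truth value with no comment, so the dock path runs when the call returns nonzero, which reads like an inverted check unless the reader knows that a nonzero return means no acpi_device is attached to the handle. I would add a comment above the `if`, for example `/* nonzero: no acpi_device bound to the dock handle yet; treat as a dock event without evaluating _STA */`, and say that `tmp` is only an out-parameter that is never read. The added `complete_dock(ds);` before `break` deserves a short comment as well, since it presumably clears the in-progress state that `begin_dock()` set when docking fails. The body of dock_notify() continues past the end of the hunk.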
@@ -0,0 +1,40 @@
+From d8009882e9f5e1a76986c741f071edd2ad760c97 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 7 Sep 2008 12:51:13 +0200
+Subject: ALSA: use correct lock in snd_ctl_dev_disconnect()
+Message-ID: <20081031164425.GA10625@puku.stupidest.org>
+
+From: Takashi Iwai
+
+commit d8009882e9f5e1a76986c741f071edd2ad760c97 upstream
+
+The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock
+for protection of card->ctl_files entries, instead of card->controls_rwsem.
+
+Reported-by: Vegard Nossum
+Signed-off-by: Takashi Iwai
+Signed-off-by: Jaroslav Kysela
+Cc: Chris Wedgwood
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/control.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1426,12 +1426,12 @@ static int snd_ctl_dev_disconnect(struct
+ cardnum = card->number;
+ snd_assert(cardnum >= 0 && cardnum < SNDRV_CARDS, return -ENXIO);
+
+- down_read(&card->controls_rwsem);
++ read_lock(&card->ctl_files_rwlock);
+ list_for_each_entry(ctl, &card->ctl_files, list) {
+ wake_up(&ctl->change_sleep);
+ kill_fasync(&ctl->fasync, SIGIO, POLL_ERR);
+ }
+- up_read(&card->controls_rwsem);
++ read_unlock(&card->ctl_files_rwlock);
+
+ if ((err = snd_unregister_device(SNDRV_DEVICE_TYPE_CONTROL,
+ card, -1)) < 0)
diff --git a/queue-2.6.25/file-caps-always-start-with-clear-bprm-caps_.patch b/queue-2.6.25/file-caps-always-start-with-clear-bprm-caps_.patch
new file mode 100644
index 00000000000..56cd4220d7b
--- /dev/null
+++ b/queue-2.6.25/file-caps-always-start-with-clear-bprm-caps_.patch
@@ -0,0 +1,44 @@
+From 3318a386e4ca68c76e0294363d29bdc46fcad670 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn
+Date: Thu, 30 Oct 2008 11:52:23 -0500
+Subject: file caps: always start with clear bprm->caps_*
+
+From: Serge Hallyn
+
+commit 3318a386e4ca68c76e0294363d29bdc46fcad670 upstream
+
+While Linux doesn't honor setuid on scripts. However, it mistakenly
+behaves differently for file capabilities.
+
+This patch fixes that behavior by making sure that get_file_caps()
+begins with empty bprm->caps_*. That way when a script is loaded,
+its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(),
+but they will be cleared again when binfmt_elf calls prepare_binprm()
+next to read the interpreter's file capabilities.
+
+Signed-off-by: Serge Hallyn
+Acked-by: David Howells
+Acked-by: Andrew G. Morgan
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/commoncap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -244,10 +244,10 @@ static int get_file_caps(struct linux_bi
+ struct vfs_cap_data vcaps;
+ struct inode *inode;
+
+- if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
+- bprm_clear_caps(bprm);
++ bprm_clear_caps(bprm);
++
++ if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
+ return 0;
+- }
+
+ dentry = dget(bprm->file->f_dentry);
+ inode = dentry->d_inode;
diff --git a/queue-2.6.25/libertas-fix-buffer-overrun.patch b/queue-2.6.25/libertas-fix-buffer-overrun.patch
new file mode 100644
index 00000000000..d362a7e5d50
--- /dev/null
+++ b/queue-2.6.25/libertas-fix-buffer-overrun.patch
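Review bot: The now-unconditional `bprm_clear_caps(bprm);` at the top of get_file_caps() (file-caps-always-start-with-clear-bprm-caps_.patch) carries a security invariant that the code itself does not state. Per the commit message, prepare_binprm() can run more than once for a single exec (for the script, then for its interpreter), and capabilities read from the script file must not survive into the second pass. A comment on that line would keep a later cleanup from moving the clear back under the MNT_NOSUID branch, for example `/* always start from empty caps: an earlier prepare_binprm() pass (script) may have filled bprm->caps_* */`. The rest of get_file_caps() lies outside the hunk, so whether every later error return also leaves the capability sets cleared cannot be checked from here.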
@@ -0,0 +1,36 @@
+From jejb@kernel.org Tue Nov 4 11:44:30 2008
+From: Johannes Berg
+Date: Sun, 2 Nov 2008 19:30:21 GMT
+Subject: libertas: fix buffer overrun
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200811021930.mA2JULX5009457@hera.kernel.org>
+
+From: Johannes Berg
+
+commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 upstream
+
+If somebody sends an invalid beacon/probe response, that can trash the
+whole BSS descriptor. The descriptor is, luckily, large enough so that
+it cannot scribble past the end of it; it's well above 400 bytes long.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/libertas/scan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/libertas/scan.c
++++ b/drivers/net/wireless/libertas/scan.c
+@@ -787,8 +787,8 @@ static int lbs_process_bss(struct bss_de
+
+ switch (elem->id) {
+ case MFIE_TYPE_SSID:
+- bss->ssid_len = elem->len;
+- memcpy(bss->ssid, elem->data, elem->len);
++ bss->ssid_len = min_t(int, 32, elem->len);
++ memcpy(bss->ssid, elem->data, bss->ssid_len);
+ lbs_deb_scan("got SSID IE: '%s', len %u\n",
+ escape_essid(bss->ssid, bss->ssid_len),
+ bss->ssid_len);
diff --git a/queue-2.6.25/net-fix-recursive-descent-in-__scm_destroy.patch b/queue-2.6.25/net-fix-recursive-descent-in-__scm_destroy.patch
new file mode 100644
index 00000000000..9bd7d01132d
--- /dev/null
+++ b/queue-2.6.25/net-fix-recursive-descent-in-__scm_destroy.patch
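Review bot: The clamp `min_t(int, 32, elem->len)` in the MFIE_TYPE_SSID case of lbs_process_bss() (libertas-fix-buffer-overrun.patch) hard-codes the SSID limit, so the bound is not tied to the declared size of `bss->ssid` and will silently go stale if that array ever changes. I would write the limit with the named constant the array is declared with (presumably `IW_ESSID_MAX_SIZE`; the declaration is not in the hunk), i.e. `bss->ssid_len = min_t(int, IW_ESSID_MAX_SIZE, elem->len);`. An over-long SSID element is also truncated without any trace, and because the length comes from a received beacon or probe response, a debug message when `elem->len` exceeds the limit would help when diagnosing malformed frames. The other element cases of this switch are outside the hunk and should be checked for the same unbounded `elem->len` copy.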
@@ -0,0 +1,107 @@
+From f8d570a4745835f2238a33b537218a1bb03fc671 Mon Sep 17 00:00:00 2001
+From: David Miller
+Date: Thu, 6 Nov 2008 00:37:40 -0800
+Subject: net: Fix recursive descent in __scm_destroy().
+
+From: David Miller
+
+commit f8d570a4745835f2238a33b537218a1bb03fc671 and
+3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
+good enough...)
+
+__scm_destroy() walks the list of file descriptors in the scm_fp_list
+pointed to by the scm_cookie argument.
+
+Those, in turn, can close sockets and invoke __scm_destroy() again.
+
+There is nothing which limits how deeply this can occur.
+
+The idea for how to fix this is from Linus. Basically, we do all of
+the fput()s at the top level by collecting all of the scm_fp_list
+objects hit by an fput(). Inside of the initial __scm_destroy() we
+keep running the list until it is empty.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/sched.h | 4 +++-
+ include/net/scm.h | 5 +++--
+ net/core/scm.c | 24 +++++++++++++++++++++---
+ 3 files changed, 27 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1256,7 +1256,9 @@ struct task_struct {
+ atomic_t fs_excl; /* holding fs exclusive resources */
+ struct rcu_head rcu;
+
+- /*
++ struct list_head *scm_work_list;
++
++/*
+ * cache last used pipe for splice
+ */
+ struct pipe_inode_info *splice_pipe;
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -14,8 +14,9 @@
+
+ struct scm_fp_list
+ {
+- int count;
+- struct file *fp[SCM_MAX_FD];
++ struct list_head list;
++ int count;
++ struct file *fp[SCM_MAX_FD];
+ };
+
+ struct scm_cookie
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -75,6 +75,7 @@ static int scm_fp_copy(struct cmsghdr *c
+ if (!fpl)
+ return -ENOMEM;
+ *fplp = fpl;
++ INIT_LIST_HEAD(&fpl->list);
+ fpl->count = 0;
+ }
+ fpp = &fpl->fp[fpl->count];
+@@ -106,9 +107,25 @@ void __scm_destroy(struct scm_cookie *sc
+
+ if (fpl) {
+ scm->fp = NULL;
+- for (i=fpl->count-1; i>=0; i--)
+- fput(fpl->fp[i]);
+- kfree(fpl);
++ if (current->scm_work_list) {
++ list_add_tail(&fpl->list, current->scm_work_list);
++ } else {
++ LIST_HEAD(work_list);
++
++ current->scm_work_list = &work_list;
++
++ list_add(&fpl->list, &work_list);
++ while (!list_empty(&work_list)) {
++ fpl = list_first_entry(&work_list, struct scm_fp_list, list);
++
++ list_del(&fpl->list);
++ for (i=fpl->count-1; i>=0; i--)
++ fput(fpl->fp[i]);
++ kfree(fpl);
++ }
++
++ current->scm_work_list = NULL;
++ }
+ }
+ }
+
+@@ -284,6 +301,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
+
+ new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
+ if (new_fpl) {
++ INIT_LIST_HEAD(&new_fpl->list);
+ for (i=fpl->count-1; i>=0; i--)
+ get_file(fpl->fp[i]);
+ memcpy(new_fpl, fpl, sizeof(*fpl));
diff --git a/queue-2.6.25/series b/queue-2.6.25/series
index debab75419a..112b26d087e 100644
--- a/queue-2.6.25/series
+++ b/queue-2.6.25/series
@@ -1,3 +1,8 @@
 gpiolib-fix-oops-in-gpio_get_value_cansleep.patch
 ext-avoid-printk-floods-in-the-face-of-directory-corruption.patch
 edac-cell-fix-incorrect-edac_mode.patch
+net-fix-recursive-descent-in-__scm_destroy.patch
+libertas-fix-buffer-overrun.patch
+file-caps-always-start-with-clear-bprm-caps_.patch
+alsa-use-correct-lock-in-snd_ctl_dev_disconnect.patch
+acpi-dock-avoid-check-_sta-method.patch
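Review bot: In the scm_fp_dup() hunk of net-fix-recursive-descent-in-__scm_destroy.patch, `INIT_LIST_HEAD(&new_fpl->list);` runs before `memcpy(new_fpl, fpl, sizeof(*fpl));`, and because `list` is now the first member of struct scm_fp_list the whole-struct copy overwrites the freshly initialised head with the source's next/prev pointers. The initialisation should follow the copy: `memcpy(new_fpl, fpl, sizeof(*fpl));` then `INIT_LIST_HEAD(&new_fpl->list);`. As written it is probably harmless as long as the duplicate is only ever handed to list_add()/list_add_tail(), but its list head then points into the source object, which is a trap for any later list_empty() or list_del() on it. scm_fp_dup() continues past the end of the hunk, and the place where `current->scm_work_list` starts out NULL for a new task is not visible in the sched.h hunk, so that assumption of __scm_destroy() should be confirmed separately.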