.32 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 7 Dec 2010 20:08:43 +0000 (12:08 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 7 Dec 2010 20:08:43 +0000 (12:08 -0800)
20 files changed:
queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch [new file with mode: 0644]
queue-2.6.32/drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch [new file with mode: 0644]
queue-2.6.32/efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch [new file with mode: 0644]
queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch [new file with mode: 0644]
queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch [new file with mode: 0644]
queue-2.6.32/input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch [new file with mode: 0644]
queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch [new file with mode: 0644]
queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch [new file with mode: 0644]
queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch [new file with mode: 0644]
queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch [new file with mode: 0644]
queue-2.6.32/series
queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch [new file with mode: 0644]
queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch [new file with mode: 0644]
queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch [new file with mode: 0644]
queue-2.6.32/v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch [new file with mode: 0644]
queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch [new file with mode: 0644]
queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch [new file with mode: 0644]
queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch [new file with mode: 0644]
queue-2.6.32/x86-uv-delete-unneeded-boot-messages.patch [new file with mode: 0644]
queue-2.6.32/x86-uv-fix-initialization-of-max_pnode.patch [new file with mode: 0644]

diff --git a/queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch b/queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch
new file mode 100644 (file)
index 0000000..87ec6cb
--- /dev/null
@@ -0,0 +1,35 @@
+From 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 10 Nov 2010 12:10:30 +0000
+Subject: can-bcm: fix minor heap overflow
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.
+
+On 64-bit platforms the ASCII representation of a pointer may be up to 17
+bytes long. This patch increases the length of the buffer accordingly.
+
+http://marc.info/?l=linux-netdev&m=128872251418192&w=2
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+CC: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/bcm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -124,7 +124,7 @@ struct bcm_sock {
+       struct list_head tx_ops;
+       unsigned long dropped_usr_msgs;
+       struct proc_dir_entry *bcm_proc_read;
+-      char procname [9]; /* pointer printed in ASCII with \0 */
++      char procname [20]; /* pointer printed in ASCII with \0 */
+ };
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
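Review bot: The new size on the changed `procname` declaration is a bare constant whose derivation lives only in the commit message; a reader of `struct bcm_sock` cannot tell whether 20 is enough for the formatting that fills it. I would record it at the declaration, e.g. `char procname [20]; /* pointer printed in ASCII with \0: up to 17 chars on 64-bit, plus NUL, with headroom */`. The formatting call that writes procname is outside this hunk; if it is not already bounded with `sizeof(procname)` (snprintf rather than sprintf), that is the place to make any future width change safe.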
diff --git a/queue-2.6.32/drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch b/queue-2.6.32/drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch
new file mode 100644 (file)
index 0000000..6adc2de
--- /dev/null
@@ -0,0 +1,91 @@
+From 8a3bdfe6cd841880a5d849c40f90093b3817f6e0 Mon Sep 17 00:00:00 2001
+From: Thomas Gerlach <t.m.gerlach@freenet.de>
+Date: Fri, 23 Apr 2010 13:17:50 -0400
+Subject: drivers/video/efifb.c: support framebuffer for NVIDIA 9400M in MacBook Pro 5,1
+
+From: Thomas Gerlach <t.m.gerlach@freenet.de>
+
+commit 8a3bdfe6cd841880a5d849c40f90093b3817f6e0 upstream.
+
+Description of patch:
+---------------------
+
+This is a patch for the EFI framebuffer driver to enable the framebuffer
+of the NVIDIA 9400M as found in MacBook Pro (MBP) 5,1 and up.  The
+framebuffer of the NVIDIA graphic cards are located at the following
+addresses in memory:
+
+9400M:    0xC0010000
+9600M GT: 0xB0030000
+
+The patch delivered right here only provides the memory location of the
+framebuffer of the 9400M device.  The 9600M GT is not covered.  It is
+assumed that the 9400M is used when powered up the MBP.
+
+The information which device is currently powered and in use is stored in
+the 64 bytes large EFI variable "gpu-power-prefs".  More specifically,
+byte 0x3B indicates whether 9600M GT (0x00) or 9400M (0x01) is online.
+
+The PCI bus IDs are the following:
+9400M:    PCI 03:00:00
+9600M GT: PCI 02:00:00
+
+The EFI variables can be easily read-out and manipulated with "rEFIt", an
+MBP specific bootloader tool.  For more information on how handle rEFIt
+and EFI variables please consult "http://refit.sourceforge.net" and
+"http://ubuntuforums.org/archive/index.php/t-1076879.html".
+
+IMPORTANT NOTE: The information on how to activate the 9400M device given
+at "ubuntuforums.org" is not correct, since it states
+
+gpu-power-prefs[0x3B] = 0x00 -> 9400M (PCI 02:00:00)
+gpu-power-prefs[0x3B] = 0x01 -> 9600M GT (PCI 03:00:00)
+
+Actually, the assignment of the values and the PCI bus IDs are swapped.
+
+Suggestions:
+------------
+
+To cover framebuffers of both 9400M and 9600M GT, I would suggest to
+implement a conditional on "gpu-power-prefs".  Depending on the value of
+byte 0x3B, the according framebuffer is selected.  However, this requires
+kernel access to the EFI variables.
+
+[akpm@linux-foundation.org: rename optname, per Peter Jones]
+Signed-off-by: Thomas Gerlach <t.m.gerlach@freenet.de>
+Acked-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/efifb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/efifb.c
++++ b/drivers/video/efifb.c
+@@ -49,6 +49,7 @@ enum {
+       M_MBP_2,        /* MacBook Pro 2nd gen */
+       M_MBP_SR,       /* MacBook Pro (Santa Rosa) */
+       M_MBP_4,        /* MacBook Pro, 4th gen */
++      M_MBP_5_1,    /* MacBook Pro, 5,1th gen */
+       M_UNKNOWN       /* placeholder */
+ };
+@@ -70,6 +71,7 @@ static struct efifb_dmi_info {
+       [M_MBP_2] = { "mbp2", 0, 0, 0, 0 }, /* placeholder */
+       [M_MBP_SR] = { "mbp3", 0x80030000, 2048 * 4, 1440, 900 },
+       [M_MBP_4] = { "mbp4", 0xc0060000, 2048 * 4, 1920, 1200 },
++      [M_MBP_5_1] = { "mbp51", 0xc0010000, 2048 * 4, 1440, 900 },
+       [M_UNKNOWN] = { NULL, 0, 0, 0, 0 }
+ };
+@@ -106,6 +108,7 @@ static struct dmi_system_id __initdata d
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro3,1", M_MBP_SR),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro3,1", M_MBP_SR),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro4,1", M_MBP_4),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,1", M_MBP_5_1),
+       {},
+ };
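Review bot: The new `[M_MBP_5_1]` table entry hardcodes 0xc0010000, which the description says is only the 9400M base; on a 5,1 booted with the 9600M GT active (gpu-power-prefs byte 0x3B == 0x00 per the description) the driver would use a framebuffer base that does not belong to the active GPU. That caveat is lost in the code, so I would add `/* 9400M only; 9600M GT sits at a different base, see gpu-power-prefs */` on the table entry so the next person extending the table knows the selection is incomplete. Minor: the new enum line aligns its comment with spaces where the neighbouring lines use tabs.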
diff --git a/queue-2.6.32/efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch b/queue-2.6.32/efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch
new file mode 100644 (file)
index 0000000..5d44a01
--- /dev/null
@@ -0,0 +1,131 @@
+From a5757c2a474a15f87e5baa9a4caacc31cde2bae6 Mon Sep 17 00:00:00 2001
+From: Luke Macken <lmacken@redhat.com>
+Date: Wed, 22 Sep 2010 13:05:04 -0700
+Subject: efifb: support the EFI framebuffer on more Apple hardware
+
+From: Luke Macken <lmacken@redhat.com>
+
+commit a5757c2a474a15f87e5baa9a4caacc31cde2bae6 upstream.
+
+Enable the EFI framebuffer on 14 more Macs, including the iMac11,1
+iMac10,1 iMac8,1 Macmini3,1 Macmini4,1 MacBook5,1 MacBook6,1 MacBook7,1
+MacBookPro2,2 MacBookPro5,2 MacBookPro5,3 MacBookPro6,1 MacBookPro6,2 and
+MacBookPro7,1
+
+Information gathered from various user submissions.
+
+    https://bugzilla.redhat.com/show_bug.cgi?id=528232
+    http://ubuntuforums.org/showthread.php?t=1557326
+
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Luke Macken <lmacken@redhat.com>
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/efifb.c |   42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/drivers/video/efifb.c
++++ b/drivers/video/efifb.c
+@@ -39,17 +39,31 @@ enum {
+       M_I20,          /* 20-Inch iMac */
+       M_I20_SR,       /* 20-Inch iMac (Santa Rosa) */
+       M_I24,          /* 24-Inch iMac */
++      M_I24_8_1,      /* 24-Inch iMac, 8,1th gen */
++      M_I24_10_1,     /* 24-Inch iMac, 10,1th gen */
++      M_I27_11_1,     /* 27-Inch iMac, 11,1th gen */
+       M_MINI,         /* Mac Mini */
++      M_MINI_3_1,     /* Mac Mini, 3,1th gen */
++      M_MINI_4_1,     /* Mac Mini, 4,1th gen */
+       M_MB,           /* MacBook */
+       M_MB_2,         /* MacBook, 2nd rev. */
+       M_MB_3,         /* MacBook, 3rd rev. */
++      M_MB_5_1,       /* MacBook, 5th rev. */
++      M_MB_6_1,       /* MacBook, 6th rev. */
++      M_MB_7_1,       /* MacBook, 7th rev. */
+       M_MB_SR,        /* MacBook, 2nd gen, (Santa Rosa) */
+       M_MBA,          /* MacBook Air */
+       M_MBP,          /* MacBook Pro */
+       M_MBP_2,        /* MacBook Pro 2nd gen */
++      M_MBP_2_2,      /* MacBook Pro 2,2nd gen */
+       M_MBP_SR,       /* MacBook Pro (Santa Rosa) */
+       M_MBP_4,        /* MacBook Pro, 4th gen */
+       M_MBP_5_1,    /* MacBook Pro, 5,1th gen */
++      M_MBP_5_2,      /* MacBook Pro, 5,2th gen */
++      M_MBP_5_3,      /* MacBook Pro, 5,3rd gen */
++      M_MBP_6_1,      /* MacBook Pro, 6,1th gen */
++      M_MBP_6_2,      /* MacBook Pro, 6,2th gen */
++      M_MBP_7_1,      /* MacBook Pro, 7,1th gen */
+       M_UNKNOWN       /* placeholder */
+ };
+@@ -64,14 +78,28 @@ static struct efifb_dmi_info {
+       [M_I20] = { "i20", 0x80010000, 1728 * 4, 1680, 1050 }, /* guess */
+       [M_I20_SR] = { "imac7", 0x40010000, 1728 * 4, 1680, 1050 },
+       [M_I24] = { "i24", 0x80010000, 2048 * 4, 1920, 1200 }, /* guess */
++      [M_I24_8_1] = { "imac8", 0xc0060000, 2048 * 4, 1920, 1200 },
++      [M_I24_10_1] = { "imac10", 0xc0010000, 2048 * 4, 1920, 1080 },
++      [M_I27_11_1] = { "imac11", 0xc0010000, 2560 * 4, 2560, 1440 },
+       [M_MINI]= { "mini", 0x80000000, 2048 * 4, 1024, 768 },
++      [M_MINI_3_1] = { "mini31", 0x40010000, 1024 * 4, 1024, 768 },
++      [M_MINI_4_1] = { "mini41", 0xc0010000, 2048 * 4, 1920, 1200 },
+       [M_MB] = { "macbook", 0x80000000, 2048 * 4, 1280, 800 },
++      [M_MB_5_1] = { "macbook51", 0x80010000, 2048 * 4, 1280, 800 },
++      [M_MB_6_1] = { "macbook61", 0x80010000, 2048 * 4, 1280, 800 },
++      [M_MB_7_1] = { "macbook71", 0x80010000, 2048 * 4, 1280, 800 },
+       [M_MBA] = { "mba", 0x80000000, 2048 * 4, 1280, 800 },
+       [M_MBP] = { "mbp", 0x80010000, 1472 * 4, 1440, 900 },
+       [M_MBP_2] = { "mbp2", 0, 0, 0, 0 }, /* placeholder */
++      [M_MBP_2_2] = { "mbp22", 0x80010000, 1472 * 4, 1440, 900 },
+       [M_MBP_SR] = { "mbp3", 0x80030000, 2048 * 4, 1440, 900 },
+       [M_MBP_4] = { "mbp4", 0xc0060000, 2048 * 4, 1920, 1200 },
+       [M_MBP_5_1] = { "mbp51", 0xc0010000, 2048 * 4, 1440, 900 },
++      [M_MBP_5_2] = { "mbp52", 0xc0010000, 2048 * 4, 1920, 1200 },
++      [M_MBP_5_3] = { "mbp53", 0xd0010000, 2048 * 4, 1440, 900 },
++      [M_MBP_6_1] = { "mbp61", 0x90030000, 2048 * 4, 1920, 1200 },
++      [M_MBP_6_2] = { "mbp62", 0x90030000, 2048 * 4, 1680, 1050 },
++      [M_MBP_7_1] = { "mbp71", 0xc0010000, 2048 * 4, 1280, 800 },
+       [M_UNKNOWN] = { NULL, 0, 0, 0, 0 }
+ };
+@@ -92,7 +120,12 @@ static struct dmi_system_id __initdata d
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "iMac6,1", M_I24),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac6,1", M_I24),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac7,1", M_I20_SR),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac8,1", M_I24_8_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac10,1", M_I24_10_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "iMac11,1", M_I27_11_1),
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "Macmini1,1", M_MINI),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "Macmini3,1", M_MINI_3_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "Macmini4,1", M_MINI_4_1),
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBook1,1", M_MB),
+       /* At least one of these two will be right; maybe both? */
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBook2,1", M_MB),
+@@ -101,14 +134,23 @@ static struct dmi_system_id __initdata d
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBook3,1", M_MB),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook3,1", M_MB),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook4,1", M_MB),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook5,1", M_MB_5_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook6,1", M_MB_6_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBook7,1", M_MB_7_1),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookAir1,1", M_MBA),
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro1,1", M_MBP),
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro2,1", M_MBP_2),
++      EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro2,2", M_MBP_2_2),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro2,1", M_MBP_2),
+       EFIFB_DMI_SYSTEM_ID("Apple Computer, Inc.", "MacBookPro3,1", M_MBP_SR),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro3,1", M_MBP_SR),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro4,1", M_MBP_4),
+       EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,1", M_MBP_5_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,2", M_MBP_5_2),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro5,3", M_MBP_5_3),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro6,1", M_MBP_6_1),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro6,2", M_MBP_6_2),
++      EFIFB_DMI_SYSTEM_ID("Apple Inc.", "MacBookPro7,1", M_MBP_7_1),
+       {},
+ };
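Review bot: The existing table marks rows of uncertain provenance with `/* guess */` (the M_I20 and M_I24 rows), but the fourteen new rows, which the description says were gathered from user submissions, carry no such annotation, so a reader cannot tell a verified base address from a reported one. I would tag the rows that were not verified on hardware, e.g. `/* user-reported */`, since these values are presumably used as the physical framebuffer base and a wrong one maps the wrong range. Minor: the enum comments mix `5,2th gen` and `5,3rd gen`; pick one form.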
diff --git a/queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch b/queue-2.6.32/gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch
new file mode 100644 (file)
index 0000000..0ec4b8f
--- /dev/null
@@ -0,0 +1,61 @@
+From 45d640b3ac6aedc166ec16f2581763fbf36ed6e7 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Tue, 19 Oct 2010 00:06:36 +0000
+Subject: gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New: linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic)
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit 0d1fe1111c667e9c713d7efc7ae468a605f236a4 ]
+
+The rx_recycle queue is global per device but can be accesed by many
+napi handlers at the same time, so it needs full skb_queue primitives
+(with locking). Otherwise, various crashes caused by broken skbs are
+possible.
+
+This patch resolves, at least partly, bugzilla bug 19692. (Because of
+some doubts that there could be still something around which is hard
+to reproduce my proposal is to leave this bug opened for a month.)
+
+Fixes commit: 0fd56bb5be6455d0d42241e65aed057244665e5e ("gianfar: Add
+support for skb recycling")
+
+Reported-by: emin ak <eminak71@gmail.com>
+Tested-by: emin ak <eminak71@gmail.com>
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+CC: Andy Fleming <afleming@freescale.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/gianfar.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/gianfar.c
++++ b/drivers/net/gianfar.c
+@@ -1621,7 +1621,7 @@ static int gfar_clean_tx_ring(struct net
+               if (skb_queue_len(&priv->rx_recycle) < priv->rx_ring_size &&
+                               skb_recycle_check(skb, priv->rx_buffer_size +
+                                       RXBUF_ALIGNMENT))
+-                      __skb_queue_head(&priv->rx_recycle, skb);
++                      skb_queue_head(&priv->rx_recycle, skb);
+               else
+                       dev_kfree_skb_any(skb);
+@@ -1703,7 +1703,7 @@ struct sk_buff * gfar_new_skb(struct net
+       struct gfar_private *priv = netdev_priv(dev);
+       struct sk_buff *skb = NULL;
+-      skb = __skb_dequeue(&priv->rx_recycle);
++      skb = skb_dequeue(&priv->rx_recycle);
+       if (!skb)
+               skb = netdev_alloc_skb(dev,
+                               priv->rx_buffer_size + RXBUF_ALIGNMENT);
+@@ -1862,7 +1862,7 @@ int gfar_clean_rx_ring(struct net_device
+                                * recycle list.
+                                */
+                               skb->data = skb->head + NET_SKB_PAD;
+-                              __skb_queue_head(&priv->rx_recycle, skb);
++                              skb_queue_head(&priv->rx_recycle, skb);
+                       }
+               } else {
+                       /* Increment the number of packets */
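Review bot: In the first hunk (gfar_clean_tx_ring) the `skb_queue_len(&priv->rx_recycle) < priv->rx_ring_size` test still runs outside the lock that the new `skb_queue_head` takes, so two NAPI handlers can both pass the test and push the queue past rx_ring_size. That looks harmless if rx_ring_size is only a soft cap on recycled buffers, but it deserves a comment so nobody "fixes" it later: `/* length check is unlocked; rx_ring_size is only a soft cap on recycling */`. All three enclosing functions begin and end outside their hunks.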
diff --git a/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch b/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch
new file mode 100644 (file)
index 0000000..f15986e
--- /dev/null
@@ -0,0 +1,45 @@
+From e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 Mon Sep 17 00:00:00 2001
+From: Antonio Ospite <ospite@studenti.unina.it>
+Date: Tue, 5 Oct 2010 17:20:17 +0200
+Subject: HID: hidraw, fix a NULL pointer dereference in hidraw_write
+
+From: Antonio Ospite <ospite@studenti.unina.it>
+
+commit e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 upstream.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+IP: [<ffffffffa0f0a625>] hidraw_write+0x3b/0x116 [hid]
+[...]
+
+This is reproducible by disconnecting the device while userspace writes
+to dev node in a loop and doesn't check return values in order to exit
+the loop.
+
+Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/hidraw.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -105,11 +105,15 @@ out:
+ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos)
+ {
+       unsigned int minor = iminor(file->f_path.dentry->d_inode);
+-      /* FIXME: What stops hidraw_table going NULL */
+-      struct hid_device *dev = hidraw_table[minor]->hid;
++      struct hid_device *dev;
+       __u8 *buf;
+       int ret = 0;
++      if (!hidraw_table[minor])
++              return -ENODEV;
++
++      dev = hidraw_table[minor]->hid;
++
+       if (!dev->hid_output_raw_report)
+               return -ENODEV;
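Review bot: The added `if (!hidraw_table[minor]) return -ENODEV;` narrows the window but does not answer the FIXME it deletes: nothing in the hunk serializes the test against the entry being cleared on disconnect, so `hidraw_table[minor]->hid` on the following line can still dereference an entry that was removed between the two statements. If a lock covers the table here, say so in a comment where the FIXME was, e.g. `/* hidraw_table[minor] is stable while <table lock> is held */` with the real lock named; if not, keep the FIXME rather than drop it. hidraw_write continues outside the hunk.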
diff --git a/queue-2.6.32/input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch b/queue-2.6.32/input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch
new file mode 100644 (file)
index 0000000..7f5c3e8
--- /dev/null
@@ -0,0 +1,42 @@
+From dmitry.torokhov@gmail.com  Tue Dec  7 11:41:18 2010
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 4 Nov 2010 09:12:44 -0700
+Subject: Input: i8042 - add Sony VAIO VPCZ122GX to nomux list
+To: stable@kernel.org
+Message-ID: <20101104161243.GA11168@core.coreip.homeip.net>
+Content-Disposition: inline
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[Note that the mainline will not have this particular fix but rather
+will blacklist entire VAIO line based off DMI board name. For stable
+I am being a bit more cautious and blacklist one particular product.]
+
+Trying to query/activate active multiplexing mode on this VAIO makes
+both keyboard and touchpad inoperable. Futher kernels will blacklist
+entire VAIO line, however here we blacklist just one particular model.
+
+Reported-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -329,6 +329,13 @@ static const struct dmi_system_id __init
+               },
+       },
+       {
++              /* Sony Vaio VPCZ122GX */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "VPCZ122GX"),
++              },
++      },
++      {
+               /* Sony Vaio FS-115b */
+               .matches = {
+                       DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
diff --git a/queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch b/queue-2.6.32/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch
new file mode 100644 (file)
index 0000000..f6a5acd
--- /dev/null
@@ -0,0 +1,90 @@
+From a599d3751b0eb60592e8ee8e020c8239dcd25264 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Wed, 20 Oct 2010 02:03:37 +0000
+Subject: Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.
+
+
+From: Robin Holt <holt@sgi.com>
+
+[ Upstream fixed this in a different way. -DaveM ]
+
+On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
+sysctl_sctp_mem[2] can integer overflow.  Set limit such that they are
+maximized without overflowing.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: linux-kernel@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: linux-sctp@vger.kernel.org
+Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
+Cc: James Morris <jmorris@namei.org>
+Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+Cc: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp.c      |    4 +++-
+ net/ipv4/udp.c      |    4 +++-
+ net/sctp/protocol.c |    4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2940,12 +2940,14 @@ void __init tcp_init(void)
+       /* Set the pressure threshold to be a fraction of global memory that
+        * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
+-       * memory, with a floor of 128 pages.
++       * memory, with a floor of 128 pages, and a ceiling that prevents an
++       * integer overflow.
+        */
+       nr_pages = totalram_pages - totalhigh_pages;
+       limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
+       limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
+       limit = max(limit, 128UL);
++      limit = min(limit, INT_MAX * 4UL / 3 / 2);
+       sysctl_tcp_mem[0] = limit / 4 * 3;
+       sysctl_tcp_mem[1] = limit;
+       sysctl_tcp_mem[2] = sysctl_tcp_mem[0] * 2;
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1832,12 +1832,14 @@ void __init udp_init(void)
+       udp_table_init(&udp_table);
+       /* Set the pressure threshold up by the same strategy of TCP. It is a
+        * fraction of global memory that is up to 1/2 at 256 MB, decreasing
+-       * toward zero with the amount of memory, with a floor of 128 pages.
++       * toward zero with the amount of memory, with a floor of 128 pages,
++       * and a ceiling that prevents an integer overflow.
+        */
+       nr_pages = totalram_pages - totalhigh_pages;
+       limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
+       limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
+       limit = max(limit, 128UL);
++      limit = min(limit, INT_MAX * 4UL / 3 / 2);
+       sysctl_udp_mem[0] = limit / 4 * 3;
+       sysctl_udp_mem[1] = limit;
+       sysctl_udp_mem[2] = sysctl_udp_mem[0] * 2;
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -1157,7 +1157,8 @@ SCTP_STATIC __init int sctp_init(void)
+       /* Set the pressure threshold to be a fraction of global memory that
+        * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
+-       * memory, with a floor of 128 pages.
++       * memory, with a floor of 128 pages, and a ceiling that prevents an
++       * integer overflow.
+        * Note this initalizes the data in sctpv6_prot too
+        * Unabashedly stolen from tcp_init
+        */
+@@ -1165,6 +1166,7 @@ SCTP_STATIC __init int sctp_init(void)
+       limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
+       limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
+       limit = max(limit, 128UL);
++      limit = min(limit, INT_MAX * 4UL / 3 / 2);
+       sysctl_sctp_mem[0] = limit / 4 * 3;
+       sysctl_sctp_mem[1] = limit;
+       sysctl_sctp_mem[2] = sysctl_sctp_mem[0] * 2;
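Review bot: `INT_MAX * 4UL / 3 / 2` wraps on targets where `unsigned long` is 32 bits: INT_MAX*4 exceeds 2^32, so the cap silently becomes INT_MAX/3 there instead of the intended 2*INT_MAX/3 (defined behaviour since it is unsigned, and harmless because nr_pages cannot be that large on 32-bit, but a bound that differs per arch is a trap). `INT_MAX * 2UL / 3` is the same value without the wrap, and it matches the derivation the comment should spell out: `sysctl_*_mem[2] = limit/4*3*2` must stay <= INT_MAX. The same expression is repeated in the udp.c and sctp/protocol.c hunks of this patch; one shared named constant would be better than three copies.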
diff --git a/queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch b/queue-2.6.32/memory-corruption-in-x.25-facilities-parsing.patch
new file mode 100644 (file)
index 0000000..0233197
--- /dev/null
@@ -0,0 +1,51 @@
+From a6331d6f9a4298173b413cf99a40cc86a9d92c37 Mon Sep 17 00:00:00 2001
+From: andrew hendry <andrew.hendry@gmail.com>
+Date: Wed, 3 Nov 2010 12:54:53 +0000
+Subject: memory corruption in X.25 facilities parsing
+
+From: andrew hendry <andrew.hendry@gmail.com>
+
+commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
+
+Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_facilities.c |    8 ++++----
+ net/x25/x25_in.c         |    2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff
+               case X25_FAC_CLASS_D:
+                       switch (*p) {
+                       case X25_FAC_CALLING_AE:
+-                              if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-                                      break;
++                              if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++                                      return 0;
+                               dte_facs->calling_len = p[2];
+                               memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+                               *vc_fac_mask |= X25_MASK_CALLING_AE;
+                               break;
+                       case X25_FAC_CALLED_AE:
+-                              if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-                                      break;
++                              if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++                                      return 0;
+                               dte_facs->called_len = p[2];
+                               memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+                               *vc_fac_mask |= X25_MASK_CALLED_AE;
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -118,6 +118,8 @@ static int x25_state1_machine(struct soc
+                                               &x25->vc_facil_mask);
+                       if (len > 0)
+                               skb_pull(skb, len);
++                      else
++                              return -1;
+                       /*
+                        *      Copy any Call User Data.
+                        */
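Review bot: The new `p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1` test bounds the memcpy against the destination array, but nothing visible in this hunk bounds p[1] against the facilities length still remaining in the packet, so a truncated facilities block can still make the copy read past the end of the received data. The sibling patch in this batch, x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet, appears to be the one that adds that check; this patch should be applied together with it and the dependency noted. x25_parse_facilities begins and ends outside the hunk.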
diff --git a/queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch b/queue-2.6.32/net-limit-socket-i-o-iovec-total-length-to-int_max.patch
new file mode 100644 (file)
index 0000000..75c230d
--- /dev/null
@@ -0,0 +1,104 @@
+From 8acfe468b0384e834a303f08ebc4953d72fb690a Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Thu, 28 Oct 2010 11:41:55 -0700
+Subject: net: Limit socket I/O iovec total length to INT_MAX.
+
+From: David S. Miller <davem@davemloft.net>
+
+commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.
+
+This helps protect us from overflow issues down in the
+individual protocol sendmsg/recvmsg handlers.  Once
+we hit INT_MAX we truncate out the rest of the iovec
+by setting the iov_len members to zero.
+
+This works because:
+
+1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
+   writes are allowed and the application will just continue
+   with another write to send the rest of the data.
+
+2) For datagram oriented sockets, where there must be a
+   one-to-one correspondance between write() calls and
+   packets on the wire, INT_MAX is going to be far larger
+   than the packet size limit the protocol is going to
+   check for and signal with -EMSGSIZE.
+
+Based upon a patch by Linus Torvalds.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/socket.h |    2 +-
+ net/compat.c           |   10 ++++++----
+ net/core/iovec.c       |   20 +++++++++-----------
+ 3 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -304,7 +304,7 @@ extern int csum_partial_copy_fromiovecen
+                                         int offset, 
+                                         unsigned int len, __wsum *csump);
+-extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
++extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
+ extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
+ extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
+                            int offset, int len);
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_t
+               compat_size_t len;
+               if (get_user(len, &uiov32->iov_len) ||
+-                 get_user(buf, &uiov32->iov_base)) {
+-                      tot_len = -EFAULT;
+-                      break;
+-              }
++                  get_user(buf, &uiov32->iov_base))
++                      return -EFAULT;
++
++              if (len > INT_MAX - tot_len)
++                      len = INT_MAX - tot_len;
++
+               tot_len += len;
+               kiov->iov_base = compat_ptr(buf);
+               kiov->iov_len = (__kernel_size_t) len;
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -36,10 +36,9 @@
+  *    in any case.
+  */
+-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
++int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
+ {
+-      int size, ct;
+-      long err;
++      int size, ct, err;
+       if (m->msg_namelen) {
+               if (mode == VERIFY_READ) {
+@@ -61,14 +60,13 @@ long verify_iovec(struct msghdr *m, stru
+       err = 0;
+       for (ct = 0; ct < m->msg_iovlen; ct++) {
+-              err += iov[ct].iov_len;
+-              /*
+-               * Goal is not to verify user data, but to prevent returning
+-               * negative value, which is interpreted as errno.
+-               * Overflow is still possible, but it is harmless.
+-               */
+-              if (err < 0)
+-                      return -EMSGSIZE;
++              size_t len = iov[ct].iov_len;
++
++              if (len > INT_MAX - err) {
++                      len = INT_MAX - err;
++                      iov[ct].iov_len = len;
++              }
++              err += len;
+       }
+       return err;
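Review bot: verify_iovec now rewrites the caller's iovec in place (`iov[ct].iov_len = len`) once the running total would pass INT_MAX, but the function's header comment just above the hunk (only its tail, `in any case.`, is visible) does not say so, and a caller that hands the same iovec to a later copy will see the shortened lengths. I would extend that comment with: `Clamps the total to INT_MAX by shortening (ultimately zeroing) the iov_len of trailing entries in place, so the returned int cannot overflow; callers must use the modified iov.` In the compat.c hunk the same clamp is applied against tot_len, whose declaration is outside the hunk; `INT_MAX - tot_len` only does what is intended if tot_len is a signed int that starts at zero, which is worth confirming.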
diff --git a/queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch b/queue-2.6.32/net-truncate-recvfrom-and-sendto-length-to-int_max.patch
new file mode 100644 (file)
index 0000000..27fbbb8
--- /dev/null
@@ -0,0 +1,37 @@
+From 253eacc070b114c2ec1f81b067d2fed7305467b0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 30 Oct 2010 16:43:10 -0700
+Subject: net: Truncate recvfrom and sendto length to INT_MAX.
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/socket.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1673,6 +1673,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __
+       struct iovec iov;
+       int fput_needed;
++      if (len > INT_MAX)
++              len = INT_MAX;
+       sock = sockfd_lookup_light(fd, &err, &fput_needed);
+       if (!sock)
+               goto out;
+@@ -1730,6 +1732,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+       int err, err2;
+       int fput_needed;
++      if (size > INT_MAX)
++              size = INT_MAX;
+       sock = sockfd_lookup_light(fd, &err, &fput_needed);
+       if (!sock)
+               goto out;
index 7ce83a5f935debf7825832c92b7b09069caa4a50..1fa30963a829431c9b12a390d50af43ed75cff8e 100644 (file)
@@ -93,3 +93,22 @@ staging-frontier-fix-up-some-sysfs-attribute-permissions.patch
 staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch
 net-sched-fix-kernel-leak-in-act_police.patch
 hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch
+hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_write.patch
+gianfar-fix-crashes-on-rx-path-was-re-new-linux-2.6.36-rc5-crash-with-gianfar-ethernet-at-full-line-rate-traffic.patch
+limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch
+sparc64-fix-race-in-signal-instruction-flushing.patch
+sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch
+sparc-prevent-no-handler-signal-syscall-restart-recursion.patch
+x86-uv-delete-unneeded-boot-messages.patch
+x86-uv-fix-initialization-of-max_pnode.patch
+drivers-video-efifb.c-support-framebuffer-for-nvidia-9400m-in-macbook-pro-5-1.patch
+efifb-support-the-efi-framebuffer-on-more-apple-hardware.patch
+v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch
+input-i8042-add-sony-vaio-vpcz122gx-to-nomux-list.patch
+x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
+memory-corruption-in-x.25-facilities-parsing.patch
+can-bcm-fix-minor-heap-overflow.patch
+v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
+x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
+net-truncate-recvfrom-and-sendto-length-to-int_max.patch
+net-limit-socket-i-o-iovec-total-length-to-int_max.patch
diff --git a/queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch b/queue-2.6.32/sparc-don-t-mask-signal-when-we-can-t-setup-signal-frame.patch
new file mode 100644 (file)
index 0000000..1e8aed7
--- /dev/null
@@ -0,0 +1,317 @@
+From c036c08cb4749a66ea4fbbfd665daa0f485207c4 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Tue, 21 Sep 2010 21:41:12 -0700
+Subject: sparc: Don't mask signal when we can't setup signal frame.
+
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 392c21802ee3aa85cee0e703105f797a8a7b9416 ]
+
+Don't invoke the signal handler tracehook in that situation
+either.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/sparc/kernel/signal32.c  |   55 +++++++++++++++++++++++++-----------------
+ arch/sparc/kernel/signal_32.c |   53 +++++++++++++++++++++++++---------------
+ arch/sparc/kernel/signal_64.c |   43 +++++++++++++++++++-------------
+ 3 files changed, 93 insertions(+), 58 deletions(-)
+
+--- a/arch/sparc/kernel/signal32.c
++++ b/arch/sparc/kernel/signal32.c
+@@ -511,8 +511,8 @@ out_irqs_on:
+ }
+-static void setup_frame32(struct k_sigaction *ka, struct pt_regs *regs,
+-                        int signo, sigset_t *oldset)
++static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs,
++                       int signo, sigset_t *oldset)
+ {
+       struct signal_frame32 __user *sf;
+       int sigframe_size;
+@@ -620,13 +620,16 @@ static void setup_frame32(struct k_sigac
+ sigill:
+       do_exit(SIGILL);
++      return -EINVAL;
++
+ sigsegv:
+       force_sigsegv(signo, current);
++      return -EFAULT;
+ }
+-static void setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs,
+-                           unsigned long signr, sigset_t *oldset,
+-                           siginfo_t *info)
++static int setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs,
++                          unsigned long signr, sigset_t *oldset,
++                          siginfo_t *info)
+ {
+       struct rt_signal_frame32 __user *sf;
+       int sigframe_size;
+@@ -738,22 +741,30 @@ static void setup_rt_frame32(struct k_si
+               flush_signal_insns(address);
+       }
+-      return;
++      return 0;
+ sigill:
+       do_exit(SIGILL);
++      return -EINVAL;
++
+ sigsegv:
+       force_sigsegv(signr, current);
++      return -EFAULT;
+ }
+-static inline void handle_signal32(unsigned long signr, struct k_sigaction *ka,
+-                                 siginfo_t *info,
+-                                 sigset_t *oldset, struct pt_regs *regs)
++static inline int handle_signal32(unsigned long signr, struct k_sigaction *ka,
++                                siginfo_t *info,
++                                sigset_t *oldset, struct pt_regs *regs)
+ {
++      int err;
++
+       if (ka->sa.sa_flags & SA_SIGINFO)
+-              setup_rt_frame32(ka, regs, signr, oldset, info);
++              err = setup_rt_frame32(ka, regs, signr, oldset, info);
+       else
+-              setup_frame32(ka, regs, signr, oldset);
++              err = setup_frame32(ka, regs, signr, oldset);
++
++      if (err)
++              return err;
+       spin_lock_irq(&current->sighand->siglock);
+       sigorsets(&current->blocked,&current->blocked,&ka->sa.sa_mask);
+@@ -761,6 +772,10 @@ static inline void handle_signal32(unsig
+               sigaddset(&current->blocked,signr);
+       recalc_sigpending();
+       spin_unlock_irq(&current->sighand->siglock);
++
++      tracehook_signal_handler(signr, info, ka, regs, 0);
++
++      return 0;
+ }
+ static inline void syscall_restart32(unsigned long orig_i0, struct pt_regs *regs,
+@@ -807,16 +822,14 @@ void do_signal32(sigset_t *oldset, struc
+       if (signr > 0) {
+               if (restart_syscall)
+                       syscall_restart32(orig_i0, regs, &ka.sa);
+-              handle_signal32(signr, &ka, &info, oldset, regs);
+-
+-              /* A signal was successfully delivered; the saved
+-               * sigmask will have been stored in the signal frame,
+-               * and will be restored by sigreturn, so we can simply
+-               * clear the TS_RESTORE_SIGMASK flag.
+-               */
+-              current_thread_info()->status &= ~TS_RESTORE_SIGMASK;
+-
+-              tracehook_signal_handler(signr, &info, &ka, regs, 0);
++              if (handle_signal32(signr, &ka, &info, oldset, regs) == 0) {
++                      /* A signal was successfully delivered; the saved
++                       * sigmask will have been stored in the signal frame,
++                       * and will be restored by sigreturn, so we can simply
++                       * clear the TS_RESTORE_SIGMASK flag.
++                       */
++                      current_thread_info()->status &= ~TS_RESTORE_SIGMASK;
++              }
+               return;
+       }
+       if (restart_syscall &&
+--- a/arch/sparc/kernel/signal_32.c
++++ b/arch/sparc/kernel/signal_32.c
+@@ -315,8 +315,8 @@ save_fpu_state(struct pt_regs *regs, __s
+       return err;
+ }
+-static void setup_frame(struct k_sigaction *ka, struct pt_regs *regs,
+-                      int signo, sigset_t *oldset)
++static int setup_frame(struct k_sigaction *ka, struct pt_regs *regs,
++                     int signo, sigset_t *oldset)
+ {
+       struct signal_frame __user *sf;
+       int sigframe_size, err;
+@@ -384,16 +384,19 @@ static void setup_frame(struct k_sigacti
+               /* Flush instruction space. */
+               flush_sig_insns(current->mm, (unsigned long) &(sf->insns[0]));
+       }
+-      return;
++      return 0;
+ sigill_and_return:
+       do_exit(SIGILL);
++      return -EINVAL;
++
+ sigsegv:
+       force_sigsegv(signo, current);
++      return -EFAULT;
+ }
+-static void setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs,
+-                         int signo, sigset_t *oldset, siginfo_t *info)
++static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs,
++                        int signo, sigset_t *oldset, siginfo_t *info)
+ {
+       struct rt_signal_frame __user *sf;
+       int sigframe_size;
+@@ -466,22 +469,30 @@ static void setup_rt_frame(struct k_siga
+               /* Flush instruction space. */
+               flush_sig_insns(current->mm, (unsigned long) &(sf->insns[0]));
+       }
+-      return;
++      return 0;
+ sigill:
+       do_exit(SIGILL);
++      return -EINVAL;
++
+ sigsegv:
+       force_sigsegv(signo, current);
++      return -EFAULT;
+ }
+-static inline void
++static inline int
+ handle_signal(unsigned long signr, struct k_sigaction *ka,
+             siginfo_t *info, sigset_t *oldset, struct pt_regs *regs)
+ {
++      int err;
++
+       if (ka->sa.sa_flags & SA_SIGINFO)
+-              setup_rt_frame(ka, regs, signr, oldset, info);
++              err = setup_rt_frame(ka, regs, signr, oldset, info);
+       else
+-              setup_frame(ka, regs, signr, oldset);
++              err = setup_frame(ka, regs, signr, oldset);
++
++      if (err)
++              return err;
+       spin_lock_irq(&current->sighand->siglock);
+       sigorsets(&current->blocked,&current->blocked,&ka->sa.sa_mask);
+@@ -489,6 +500,10 @@ handle_signal(unsigned long signr, struc
+               sigaddset(&current->blocked, signr);
+       recalc_sigpending();
+       spin_unlock_irq(&current->sighand->siglock);
++
++      tracehook_signal_handler(signr, info, ka, regs, 0);
++
++      return 0;
+ }
+ static inline void syscall_restart(unsigned long orig_i0, struct pt_regs *regs,
+@@ -546,17 +561,15 @@ static void do_signal(struct pt_regs *re
+       if (signr > 0) {
+               if (restart_syscall)
+                       syscall_restart(orig_i0, regs, &ka.sa);
+-              handle_signal(signr, &ka, &info, oldset, regs);
+-
+-              /* a signal was successfully delivered; the saved
+-               * sigmask will have been stored in the signal frame,
+-               * and will be restored by sigreturn, so we can simply
+-               * clear the TIF_RESTORE_SIGMASK flag.
+-               */
+-              if (test_thread_flag(TIF_RESTORE_SIGMASK))
+-                      clear_thread_flag(TIF_RESTORE_SIGMASK);
+-
+-              tracehook_signal_handler(signr, &info, &ka, regs, 0);
++              if (handle_signal(signr, &ka, &info, oldset, regs) == 0) {
++                      /* a signal was successfully delivered; the saved
++                       * sigmask will have been stored in the signal frame,
++                       * and will be restored by sigreturn, so we can simply
++                       * clear the TIF_RESTORE_SIGMASK flag.
++                       */
++                      if (test_thread_flag(TIF_RESTORE_SIGMASK))
++                              clear_thread_flag(TIF_RESTORE_SIGMASK);
++              }
+               return;
+       }
+       if (restart_syscall &&
+--- a/arch/sparc/kernel/signal_64.c
++++ b/arch/sparc/kernel/signal_64.c
+@@ -409,7 +409,7 @@ static inline void __user *get_sigframe(
+       return (void __user *) sp;
+ }
+-static inline void
++static inline int
+ setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs,
+              int signo, sigset_t *oldset, siginfo_t *info)
+ {
+@@ -483,26 +483,37 @@ setup_rt_frame(struct k_sigaction *ka, s
+       }
+       /* 4. return to kernel instructions */
+       regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer;
+-      return;
++      return 0;
+ sigill:
+       do_exit(SIGILL);
++      return -EINVAL;
++
+ sigsegv:
+       force_sigsegv(signo, current);
++      return -EFAULT;
+ }
+-static inline void handle_signal(unsigned long signr, struct k_sigaction *ka,
+-                               siginfo_t *info,
+-                               sigset_t *oldset, struct pt_regs *regs)
++static inline int handle_signal(unsigned long signr, struct k_sigaction *ka,
++                              siginfo_t *info,
++                              sigset_t *oldset, struct pt_regs *regs)
+ {
+-      setup_rt_frame(ka, regs, signr, oldset,
+-                     (ka->sa.sa_flags & SA_SIGINFO) ? info : NULL);
++      int err;
++
++      err = setup_rt_frame(ka, regs, signr, oldset,
++                           (ka->sa.sa_flags & SA_SIGINFO) ? info : NULL);
++      if (err)
++              return err;
+       spin_lock_irq(&current->sighand->siglock);
+       sigorsets(&current->blocked,&current->blocked,&ka->sa.sa_mask);
+       if (!(ka->sa.sa_flags & SA_NOMASK))
+               sigaddset(&current->blocked,signr);
+       recalc_sigpending();
+       spin_unlock_irq(&current->sighand->siglock);
++
++      tracehook_signal_handler(signr, info, ka, regs, 0);
++
++      return 0;
+ }
+ static inline void syscall_restart(unsigned long orig_i0, struct pt_regs *regs,
+@@ -571,16 +582,14 @@ static void do_signal(struct pt_regs *re
+       if (signr > 0) {
+               if (restart_syscall)
+                       syscall_restart(orig_i0, regs, &ka.sa);
+-              handle_signal(signr, &ka, &info, oldset, regs);
+-
+-              /* A signal was successfully delivered; the saved
+-               * sigmask will have been stored in the signal frame,
+-               * and will be restored by sigreturn, so we can simply
+-               * clear the TS_RESTORE_SIGMASK flag.
+-               */
+-              current_thread_info()->status &= ~TS_RESTORE_SIGMASK;
+-
+-              tracehook_signal_handler(signr, &info, &ka, regs, 0);
++              if (handle_signal(signr, &ka, &info, oldset, regs) == 0) {
++                      /* A signal was successfully delivered; the saved
++                       * sigmask will have been stored in the signal frame,
++                       * and will be restored by sigreturn, so we can simply
++                       * clear the TS_RESTORE_SIGMASK flag.
++                       */
++                      current_thread_info()->status &= ~TS_RESTORE_SIGMASK;
++              }
+               return;
+       }
+       if (restart_syscall &&
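Review bot: After this patch alone, setup_frame32 in arch/sparc/kernel/signal32.c returns int but its success path still ends in a bare `return;` — the first hunk here only rewrites the sigill/sigsegv tails, and the `return;` to `return 0;` correction is deferred to the following patch (sparc-prevent-no-handler-signal-syscall-restart-recursion.patch, whose first hunk shows exactly that change under `static int setup_frame32`). In the tree between the two patches the success-path return value is not defined, so handle_signal32 may take a delivered non-RT signal for a failure and skip the sigmask update, the tracehook call and the TS_RESTORE_SIGMASK clear, besides the compiler warning. Fold `return 0;` into this patch's setup_frame32 hunk so each backport stands alone; the counterpart setup_frame in signal_32.c already carries `return 0;` after the flush_sig_insns block in this very patch.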
diff --git a/queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch b/queue-2.6.32/sparc-prevent-no-handler-signal-syscall-restart-recursion.patch
new file mode 100644 (file)
index 0000000..f8caa4e
--- /dev/null
@@ -0,0 +1,83 @@
+From e1c8548d96185aba30c84187758d0b68f73d70a4 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Tue, 21 Sep 2010 22:30:13 -0700
+Subject: sparc: Prevent no-handler signal syscall restart recursion.
+
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit c27852597829128a9c9d96d79ec454a83c6b0da5 ]
+
+Explicitly clear the "in-syscall" bit when we have no signal
+handler and back up the program counters to back up the system
+call.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/sparc/kernel/signal32.c  |    4 +++-
+ arch/sparc/kernel/signal_32.c |    2 ++
+ arch/sparc/kernel/signal_64.c |    2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/signal32.c
++++ b/arch/sparc/kernel/signal32.c
+@@ -616,7 +616,7 @@ static int setup_frame32(struct k_sigact
+               flush_signal_insns(address);
+       }
+-      return;
++      return 0;
+ sigill:
+       do_exit(SIGILL);
+@@ -840,12 +840,14 @@ void do_signal32(sigset_t *oldset, struc
+               regs->u_regs[UREG_I0] = orig_i0;
+               regs->tpc -= 4;
+               regs->tnpc -= 4;
++              pt_regs_clear_syscall(regs);
+       }
+       if (restart_syscall &&
+           regs->u_regs[UREG_I0] == ERESTART_RESTARTBLOCK) {
+               regs->u_regs[UREG_G1] = __NR_restart_syscall;
+               regs->tpc -= 4;
+               regs->tnpc -= 4;
++              pt_regs_clear_syscall(regs);
+       }
+       /* If there's no signal to deliver, we just put the saved sigmask
+--- a/arch/sparc/kernel/signal_32.c
++++ b/arch/sparc/kernel/signal_32.c
+@@ -580,12 +580,14 @@ static void do_signal(struct pt_regs *re
+               regs->u_regs[UREG_I0] = orig_i0;
+               regs->pc -= 4;
+               regs->npc -= 4;
++              pt_regs_clear_syscall(regs);
+       }
+       if (restart_syscall &&
+           regs->u_regs[UREG_I0] == ERESTART_RESTARTBLOCK) {
+               regs->u_regs[UREG_G1] = __NR_restart_syscall;
+               regs->pc -= 4;
+               regs->npc -= 4;
++              pt_regs_clear_syscall(regs);
+       }
+       /* if there's no signal to deliver, we just put the saved sigmask
+--- a/arch/sparc/kernel/signal_64.c
++++ b/arch/sparc/kernel/signal_64.c
+@@ -600,12 +600,14 @@ static void do_signal(struct pt_regs *re
+               regs->u_regs[UREG_I0] = orig_i0;
+               regs->tpc -= 4;
+               regs->tnpc -= 4;
++              pt_regs_clear_syscall(regs);
+       }
+       if (restart_syscall &&
+           regs->u_regs[UREG_I0] == ERESTART_RESTARTBLOCK) {
+               regs->u_regs[UREG_G1] = __NR_restart_syscall;
+               regs->tpc -= 4;
+               regs->tnpc -= 4;
++              pt_regs_clear_syscall(regs);
+       }
+       /* If there's no signal to deliver, we just put the saved sigmask
diff --git a/queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch b/queue-2.6.32/sparc64-fix-race-in-signal-instruction-flushing.patch
new file mode 100644 (file)
index 0000000..823e138
--- /dev/null
@@ -0,0 +1,165 @@
+From e0832e5ad62316d6b64b73c69dd13abdf76e0ffa Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Mon, 20 Sep 2010 23:24:52 -0700
+Subject: sparc64: Fix race in signal instruction flushing.
+
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 05c5e7698bdc54b3079a3517d86077f49ebcc788 ]
+
+If another cpu does a very wide munmap() on the signal frame area,
+it can tear down the page table hierarchy from underneath us.
+
+Borrow an idea from the 64-bit fault path's get_user_insn(), and
+disable cross call interrupts during the page table traversal
+to lock them in place while we operate.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/sparc/kernel/signal32.c |  102 +++++++++++++++++++++++++------------------
+ 1 file changed, 60 insertions(+), 42 deletions(-)
+
+--- a/arch/sparc/kernel/signal32.c
++++ b/arch/sparc/kernel/signal32.c
+@@ -453,6 +453,64 @@ static int save_fpu_state32(struct pt_re
+       return err;
+ }
++/* The I-cache flush instruction only works in the primary ASI, which
++ * right now is the nucleus, aka. kernel space.
++ *
++ * Therefore we have to kick the instructions out using the kernel
++ * side linear mapping of the physical address backing the user
++ * instructions.
++ */
++static void flush_signal_insns(unsigned long address)
++{
++      unsigned long pstate, paddr;
++      pte_t *ptep, pte;
++      pgd_t *pgdp;
++      pud_t *pudp;
++      pmd_t *pmdp;
++
++      /* Commit all stores of the instructions we are about to flush.  */
++      wmb();
++
++      /* Disable cross-call reception.  In this way even a very wide
++       * munmap() on another cpu can't tear down the page table
++       * hierarchy from underneath us, since that can't complete
++       * until the IPI tlb flush returns.
++       */
++
++      __asm__ __volatile__("rdpr %%pstate, %0" : "=r" (pstate));
++      __asm__ __volatile__("wrpr %0, %1, %%pstate"
++                              : : "r" (pstate), "i" (PSTATE_IE));
++
++      pgdp = pgd_offset(current->mm, address);
++      if (pgd_none(*pgdp))
++              goto out_irqs_on;
++      pudp = pud_offset(pgdp, address);
++      if (pud_none(*pudp))
++              goto out_irqs_on;
++      pmdp = pmd_offset(pudp, address);
++      if (pmd_none(*pmdp))
++              goto out_irqs_on;
++
++      ptep = pte_offset_map(pmdp, address);
++      pte = *ptep;
++      if (!pte_present(pte))
++              goto out_unmap;
++
++      paddr = (unsigned long) page_address(pte_page(pte));
++
++      __asm__ __volatile__("flush     %0 + %1"
++                           : /* no outputs */
++                           : "r" (paddr),
++                             "r" (address & (PAGE_SIZE - 1))
++                           : "memory");
++
++out_unmap:
++      pte_unmap(ptep);
++out_irqs_on:
++      __asm__ __volatile__("wrpr %0, 0x0, %%pstate" : : "r" (pstate));
++
++}
++
+ static void setup_frame32(struct k_sigaction *ka, struct pt_regs *regs,
+                         int signo, sigset_t *oldset)
+ {
+@@ -547,13 +605,7 @@ static void setup_frame32(struct k_sigac
+       if (ka->ka_restorer) {
+               regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer;
+       } else {
+-              /* Flush instruction space. */
+               unsigned long address = ((unsigned long)&(sf->insns[0]));
+-              pgd_t *pgdp = pgd_offset(current->mm, address);
+-              pud_t *pudp = pud_offset(pgdp, address);
+-              pmd_t *pmdp = pmd_offset(pudp, address);
+-              pte_t *ptep;
+-              pte_t pte;
+               regs->u_regs[UREG_I7] = (unsigned long) (&(sf->insns[0]) - 2);
+       
+@@ -562,22 +614,7 @@ static void setup_frame32(struct k_sigac
+               if (err)
+                       goto sigsegv;
+-              preempt_disable();
+-              ptep = pte_offset_map(pmdp, address);
+-              pte = *ptep;
+-              if (pte_present(pte)) {
+-                      unsigned long page = (unsigned long)
+-                              page_address(pte_page(pte));
+-
+-                      wmb();
+-                      __asm__ __volatile__("flush     %0 + %1"
+-                                           : /* no outputs */
+-                                           : "r" (page),
+-                                             "r" (address & (PAGE_SIZE - 1))
+-                                           : "memory");
+-              }
+-              pte_unmap(ptep);
+-              preempt_enable();
++              flush_signal_insns(address);
+       }
+       return;
+@@ -687,12 +724,7 @@ static void setup_rt_frame32(struct k_si
+       if (ka->ka_restorer)
+               regs->u_regs[UREG_I7] = (unsigned long)ka->ka_restorer;
+       else {
+-              /* Flush instruction space. */
+               unsigned long address = ((unsigned long)&(sf->insns[0]));
+-              pgd_t *pgdp = pgd_offset(current->mm, address);
+-              pud_t *pudp = pud_offset(pgdp, address);
+-              pmd_t *pmdp = pmd_offset(pudp, address);
+-              pte_t *ptep;
+               regs->u_regs[UREG_I7] = (unsigned long) (&(sf->insns[0]) - 2);
+       
+@@ -704,21 +736,7 @@ static void setup_rt_frame32(struct k_si
+               if (err)
+                       goto sigsegv;
+-              preempt_disable();
+-              ptep = pte_offset_map(pmdp, address);
+-              if (pte_present(*ptep)) {
+-                      unsigned long page = (unsigned long)
+-                              page_address(pte_page(*ptep));
+-
+-                      wmb();
+-                      __asm__ __volatile__("flush     %0 + %1"
+-                                           : /* no outputs */
+-                                           : "r" (page),
+-                                             "r" (address & (PAGE_SIZE - 1))
+-                                           : "memory");
+-              }
+-              pte_unmap(ptep);
+-              preempt_enable();
++              flush_signal_insns(address);
+       }
+       return;
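Review bot: The header comment on the new flush_signal_insns explains the ASI constraint but not the function's contract: `address` is resolved through `current->mm`, so it must be a user-space address of the current task, and a missing pgd/pud/pmd entry or a not-present PTE makes the flush a silent no-op. Suggest extending the comment with `@address: user-space address (in current->mm) of the instructions to flush; the flush is skipped if the page is not mapped or not present.` Two stray blank lines — between the cross-call comment and the `rdpr %%pstate` asm, and before the closing brace after `out_irqs_on:` — should go. The setup_frame32 and setup_rt_frame32 callers are only partly visible in this hunk.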
diff --git a/queue-2.6.32/v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch b/queue-2.6.32/v4l-dvb-13154-uvcvideo-handle-garbage-at-the-end-of-streaming-interface-descriptors.patch
new file mode 100644 (file)
index 0000000..7780247
--- /dev/null
@@ -0,0 +1,64 @@
+From c4ed8c66d79d707d89fe732ff5b97739edf1ba62 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Thu, 8 Oct 2009 19:38:10 -0300
+Subject: V4L/DVB (13154): uvcvideo: Handle garbage at the end of streaming interface descriptors
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit c4ed8c66d79d707d89fe732ff5b97739edf1ba62 upstream.
+
+At least one 5986:0241 webcam model includes vendor-specific descriptors
+at the end of its streaming interface descriptors. Print an information
+UVC_TRACE_DESCR message and try to continue parsing the descriptors
+rather than bailing out with an error.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_driver.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/video/uvc/uvc_driver.c
++++ b/drivers/media/video/uvc/uvc_driver.c
+@@ -436,7 +436,8 @@ static int uvc_parse_format(struct uvc_d
+       /* Parse the frame descriptors. Only uncompressed, MJPEG and frame
+        * based formats have frame descriptors.
+        */
+-      while (buflen > 2 && buffer[2] == ftype) {
++      while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++             buffer[2] == ftype) {
+               frame = &format->frame[format->nframes];
+               if (ftype != UVC_VS_FRAME_FRAME_BASED)
+                       n = buflen > 25 ? buffer[25] : 0;
+@@ -513,12 +514,14 @@ static int uvc_parse_format(struct uvc_d
+               buffer += buffer[0];
+       }
+-      if (buflen > 2 && buffer[2] == UVC_VS_STILL_IMAGE_FRAME) {
++      if (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++          buffer[2] == UVC_VS_STILL_IMAGE_FRAME) {
+               buflen -= buffer[0];
+               buffer += buffer[0];
+       }
+-      if (buflen > 2 && buffer[2] == UVC_VS_COLORFORMAT) {
++      if (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++          buffer[2] == UVC_VS_COLORFORMAT) {
+               if (buflen < 6) {
+                       uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming "
+                              "interface %d COLORFORMAT error\n",
+@@ -759,6 +762,11 @@ static int uvc_parse_streaming(struct uv
+               buffer += buffer[0];
+       }
++      if (buflen)
++              uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming interface "
++                      "%d has %u bytes of trailing descriptor garbage.\n",
++                      dev->udev->devnum, alts->desc.bInterfaceNumber, buflen);
++
+       /* Parse the alternate settings to find the maximum bandwidth. */
+       for (i = 0; i < intf->num_altsetting; ++i) {
+               struct usb_host_endpoint *ep;
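Review bot: The new trailing-garbage trace in uvc_parse_streaming prints `buflen` with `%u`; if buflen is the signed int the surrounding `buflen > 2` comparisons suggest, the specifier mismatches, and should the loop that ends just above (its `buflen -=` step is outside the hunk) drive it negative on a descriptor whose bLength exceeds the remaining bytes, the message reports a huge unsigned count. Use `%d`, or guard with `if (buflen > 0)` so only genuine leftover bytes are reported. The declaration of buflen is not visible here, so confirm its type at the top of uvc_parse_streaming.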
diff --git a/queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
new file mode 100644 (file)
index 0000000..9d76120
--- /dev/null
@@ -0,0 +1,34 @@
+From 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 15 Sep 2010 18:44:22 -0300
+Subject: V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream.
+
+The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
+bytes of uninitialized stack memory, because the "reserved" member of
+the fb_vblank struct declared on the stack is not altered or zeroed
+before being copied back to the user.  This patch takes care of it.
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Signed-off-by: Andy Walls <awalls@md.metrocast.net>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/ivtv/ivtvfb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/ivtv/ivtvfb.c
++++ b/drivers/media/video/ivtv/ivtvfb.c
+@@ -457,6 +457,8 @@ static int ivtvfb_ioctl(struct fb_info *
+                       struct fb_vblank vblank;
+                       u32 trace;
++                      memset(&vblank, 0, sizeof(struct fb_vblank));
++
+                       vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
+                                       FB_VBLANK_HAVE_VSYNC;
+                       trace = read_reg(0x028c0) >> 16;
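Review bot: The zeroing uses `sizeof(struct fb_vblank)` rather than `sizeof(vblank)`; tying the length to the object keeps the memset correct if the local's type ever changes, which matters here because the whole point of the line is that every byte later copied back to user space has been initialized. Suggest `memset(&vblank, 0, sizeof(vblank));`. A short comment such as `/* zero the reserved member so no stack contents reach userspace */` would record why the line exists, since the copy back to user space that motivates it is outside the hunk.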
diff --git a/queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch b/queue-2.6.32/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
new file mode 100644 (file)
index 0000000..c3e9014
--- /dev/null
@@ -0,0 +1,181 @@
+From f5eb917b861828da18dc28854308068c66d1449a Mon Sep 17 00:00:00 2001
+From: John Hughes <john@calva.com>
+Date: Wed, 7 Apr 2010 21:29:25 -0700
+Subject: x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
+
+From: John Hughes <john@calva.com>
+
+commit f5eb917b861828da18dc28854308068c66d1449a upstream.
+
+Here is a patch to stop X.25 examining fields beyond the end of the packet.
+
+For example, when a simple CALL ACCEPTED was received:
+
+       10 10 0f
+
+x25_parse_facilities was attempting to decode the FACILITIES field, but this
+packet contains no facilities field.
+
+Signed-off-by: John Hughes <john@calva.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/x25.h        |    4 ++++
+ net/x25/af_x25.c         |   47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ net/x25/x25_facilities.c |   12 +++++++++++-
+ net/x25/x25_in.c         |   15 +++++++++++----
+ 4 files changed, 72 insertions(+), 6 deletions(-)
+
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -182,6 +182,10 @@ extern int  sysctl_x25_clear_request_tim
+ extern int  sysctl_x25_ack_holdback_timeout;
+ extern int  sysctl_x25_forward;
++extern int x25_parse_address_block(struct sk_buff *skb,
++              struct x25_address *called_addr,
++              struct x25_address *calling_addr);
++
+ extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,
+                         struct x25_address *);
+ extern int  x25_addr_aton(unsigned char *, struct x25_address *,
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -81,6 +81,41 @@ struct compat_x25_subscrip_struct {
+ };
+ #endif
++
++int x25_parse_address_block(struct sk_buff *skb,
++              struct x25_address *called_addr,
++              struct x25_address *calling_addr)
++{
++      unsigned char len;
++      int needed;
++      int rc;
++
++      if (skb->len < 1) {
++              /* packet has no address block */
++              rc = 0;
++              goto empty;
++      }
++
++      len = *skb->data;
++      needed = 1 + (len >> 4) + (len & 0x0f);
++
++      if (skb->len < needed) {
++              /* packet is too short to hold the addresses it claims
++                 to hold */
++              rc = -1;
++              goto empty;
++      }
++
++      return x25_addr_ntoa(skb->data, called_addr, calling_addr);
++
++empty:
++      *called_addr->x25_addr = 0;
++      *calling_addr->x25_addr = 0;
++
++      return rc;
++}
++
++
+ int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
+                 struct x25_address *calling_addr)
+ {
+@@ -871,16 +906,26 @@ int x25_rx_call_request(struct sk_buff *
+       /*
+        *      Extract the X.25 addresses and convert them to ASCII strings,
+        *      and remove them.
++       *
++       *      Address block is mandatory in call request packets
+        */
+-      addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
++      addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
++      if (addr_len <= 0)
++              goto out_clear_request;
+       skb_pull(skb, addr_len);
+       /*
+        *      Get the length of the facilities, skip past them for the moment
+        *      get the call user data because this is needed to determine
+        *      the correct listener
++       *
++       *      Facilities length is mandatory in call request packets
+        */
++      if (skb->len < 1)
++              goto out_clear_request;
+       len = skb->data[0] + 1;
++      if (skb->len < len)
++              goto out_clear_request;
+       skb_pull(skb,len);
+       /*
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff
+               struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
+ {
+       unsigned char *p = skb->data;
+-      unsigned int len = *p++;
++      unsigned int len;
+       *vc_fac_mask = 0;
+@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff
+       memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
+       memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
++      if (skb->len < 1)
++              return 0;
++
++      len = *p++;
++
++      if (len >= skb->len)
++              return -1;
++
+       while (len > 0) {
+               switch (*p & X25_FAC_CLASS_MASK) {
+               case X25_FAC_CLASS_A:
+@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_b
+       memcpy(new, ours, sizeof(*new));
+       len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
++      if (len < 0)
++              return len;
+       /*
+        *      They want reverse charging, we won't accept it.
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct soc
+ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
+ {
+       struct x25_address source_addr, dest_addr;
++      int len;
+       switch (frametype) {
+               case X25_CALL_ACCEPTED: {
+@@ -106,11 +107,17 @@ static int x25_state1_machine(struct soc
+                        *      Parse the data in the frame.
+                        */
+                       skb_pull(skb, X25_STD_MIN_LEN);
+-                      skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
+-                      skb_pull(skb,
+-                               x25_parse_facilities(skb, &x25->facilities,
++
++                      len = x25_parse_address_block(skb, &source_addr,
++                                              &dest_addr);
++                      if (len > 0)
++                              skb_pull(skb, len);
++
++                      len = x25_parse_facilities(skb, &x25->facilities,
+                                               &x25->dte_facilities,
+-                                              &x25->vc_facil_mask));
++                                              &x25->vc_facil_mask);
++                      if (len > 0)
++                              skb_pull(skb, len);
+                       /*
+                        *      Copy any Call User Data.
+                        */
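Review bot: The length check in x25_parse_address_block, `needed = 1 + (len >> 4) + (len & 0x0f);`, treats the two nibbles of the length byte as byte counts, but X.25 address digits are BCD-packed two per byte; if x25_addr_ntoa consumes `1 + (called + calling + 1) / 2` bytes, as its return value is used here, this check demands roughly twice the bytes actually present and will reject well-formed packets whose address block fills the remaining length (x25_addr_ntoa's body is outside this hunk, please confirm). The error is in the safe direction, but a false reject is still a correctness bug; I would write `needed = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;`, and since the function reads `*skb->data` but bounds against `skb->len`, `pskb_may_pull(skb, needed)` would be the safer test if non-linear skbs can reach this path. Separately, x25_state1_machine keeps going when x25_parse_address_block returns -1 (`if (len > 0) skb_pull(skb, len);` has no failure branch), so a truncated address block is then handed to x25_parse_facilities as if it were the facilities field; dropping the frame there would be cleaner. Both x25_rx_call_request and x25_state1_machine start and end outside this hunk.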
diff --git a/queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch b/queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
new file mode 100644 (file)
index 0000000..c6a1aa5
--- /dev/null
@@ -0,0 +1,75 @@
+From 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 12 Nov 2010 12:44:42 -0800
+Subject: x25: Prevent crashing when parsing bad X.25 facilities
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
+
+Now with improved comma support.
+
+On parsing malformed X.25 facilities, decrementing the remaining length
+may cause it to underflow.  Since the length is an unsigned integer,
+this will result in the loop continuing until the kernel crashes.
+
+This patch adds checks to ensure decrementing the remaining length does
+not cause it to wrap around.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_facilities.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff
+       while (len > 0) {
+               switch (*p & X25_FAC_CLASS_MASK) {
+               case X25_FAC_CLASS_A:
++                      if (len < 2)
++                              return 0;
+                       switch (*p) {
+                       case X25_FAC_REVERSE:
+                               if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff
+                       len -= 2;
+                       break;
+               case X25_FAC_CLASS_B:
++                      if (len < 3)
++                              return 0;
+                       switch (*p) {
+                       case X25_FAC_PACKET_SIZE:
+                               facilities->pacsize_in  = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff
+                       len -= 3;
+                       break;
+               case X25_FAC_CLASS_C:
++                      if (len < 4)
++                              return 0;
+                       printk(KERN_DEBUG "X.25: unknown facility %02X, "
+                              "values %02X, %02X, %02X\n",
+                              p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff
+                       len -= 4;
+                       break;
+               case X25_FAC_CLASS_D:
++                      if (len < p[1] + 2)
++                              return 0;
+                       switch (*p) {
+                       case X25_FAC_CALLING_AE:
+                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff
+                               break;
+                       default:
+                               printk(KERN_DEBUG "X.25: unknown facility %02X,"
+-                                      "length %d, values %02X, %02X, "
+-                                      "%02X, %02X\n",
+-                                      p[0], p[1], p[2], p[3], p[4], p[5]);
++                                      "length %d\n", p[0], p[1]);
+                               break;
+                       }
+                       len -= p[1] + 2;
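Review bot: The new guards return 0 on a truncated facility (`if (len < 2) return 0;` and the class B/C/D equivalents), but 0 is also the legitimate "no facilities" result and the caller in x25_negotiate_facilities only tests `if (len < 0)`, so a malformed facilities block is silently accepted with whatever was decoded before the cut and the call is never cleared. The sibling patch in this same commit already returns -1 for an over-long length byte, so these checks should return -1 as well for consistency and so callers can reject the packet. The class-D check `if (len < p[1] + 2)` also dereferences p[1] before establishing that two bytes remain; with len == 1 that reads one byte past the declared facilities field, so I would write `if (len < 2 || len < p[1] + 2) return -1;`. x25_parse_facilities starts and ends outside this hunk.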
diff --git a/queue-2.6.32/x86-uv-delete-unneeded-boot-messages.patch b/queue-2.6.32/x86-uv-delete-unneeded-boot-messages.patch
new file mode 100644 (file)
index 0000000..ed074c3
--- /dev/null
@@ -0,0 +1,34 @@
+From 2acebe9ecb2b77876e87a1480729cfb2db4570dd Mon Sep 17 00:00:00 2001
+From: Jack Steiner <steiner@sgi.com>
+Date: Wed, 17 Mar 2010 10:40:38 -0500
+Subject: x86, UV: Delete unneeded boot messages
+
+From: Jack Steiner <steiner@sgi.com>
+
+commit 2acebe9ecb2b77876e87a1480729cfb2db4570dd upstream.
+
+SGI:UV: Delete extra boot messages that describe the system
+topology. These messages are no longer useful.
+
+Signed-off-by: Jack Steiner <steiner@sgi.com>
+LKML-Reference: <20100317154038.GA29346@sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/x2apic_uv_x.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/x2apic_uv_x.c
++++ b/arch/x86/kernel/apic/x2apic_uv_x.c
+@@ -636,9 +636,6 @@ void __init uv_system_init(void)
+               uv_node_to_blade[nid] = blade;
+               uv_cpu_to_blade[cpu] = blade;
+               max_pnode = max(pnode, max_pnode);
+-
+-              printk(KERN_DEBUG "UV: cpu %d, apicid 0x%x, pnode %d, nid %d, lcpu %d, blade %d\n",
+-                      cpu, apicid, pnode, nid, lcpu, blade);
+       }
+       /* Add blade/pnode info for nodes without cpus */
diff --git a/queue-2.6.32/x86-uv-fix-initialization-of-max_pnode.patch b/queue-2.6.32/x86-uv-fix-initialization-of-max_pnode.patch
new file mode 100644 (file)
index 0000000..87269b5
--- /dev/null
@@ -0,0 +1,54 @@
+From 36ac4b987bea9a95217e1af552252f275ca7fc44 Mon Sep 17 00:00:00 2001
+From: Jack Steiner <steiner@sgi.com>
+Date: Fri, 10 Sep 2010 10:08:08 -0500
+Subject: x86, UV: Fix initialization of max_pnode
+
+From: Jack Steiner <steiner@sgi.com>
+
+commit 36ac4b987bea9a95217e1af552252f275ca7fc44 upstream.
+
+Fix calculation of "max_pnode" for systems where the the highest
+blade has neither cpus or memory. (And, yes, although rare this
+does occur).
+
+Signed-off-by: Jack Steiner <steiner@sgi.com>
+LKML-Reference: <20100910150808.GA19802@sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/x2apic_uv_x.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/x2apic_uv_x.c
++++ b/arch/x86/kernel/apic/x2apic_uv_x.c
+@@ -595,9 +595,11 @@ void __init uv_system_init(void)
+               for (j = 0; j < 64; j++) {
+                       if (!test_bit(j, &present))
+                               continue;
+-                      uv_blade_info[blade].pnode = (i * 64 + j);
++                      pnode = (i * 64 + j);
++                      uv_blade_info[blade].pnode = pnode;
+                       uv_blade_info[blade].nr_possible_cpus = 0;
+                       uv_blade_info[blade].nr_online_cpus = 0;
++                      max_pnode = max(pnode, max_pnode);
+                       blade++;
+               }
+       }
+@@ -635,7 +637,6 @@ void __init uv_system_init(void)
+               uv_cpu_hub_info(cpu)->scir.offset = uv_scir_offset(apicid);
+               uv_node_to_blade[nid] = blade;
+               uv_cpu_to_blade[cpu] = blade;
+-              max_pnode = max(pnode, max_pnode);
+       }
+       /* Add blade/pnode info for nodes without cpus */
+@@ -647,7 +648,6 @@ void __init uv_system_init(void)
+               pnode = (paddr >> m_val) & pnode_mask;
+               blade = boot_pnode_to_blade(pnode);
+               uv_node_to_blade[nid] = blade;
+-              max_pnode = max(pnode, max_pnode);
+       }
+       map_gru_high(max_pnode);