more .26 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 6 Oct 2008 22:36:49 +0000 (15:36 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 6 Oct 2008 22:36:49 +0000 (15:36 -0700)
queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch [new file with mode: 0644]
queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch [new file with mode: 0644]
queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch [new file with mode: 0644]
queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch [new file with mode: 0644]
queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch [new file with mode: 0644]
queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch [new file with mode: 0644]
queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch [new file with mode: 0644]
queue-2.6.26/series

diff --git a/queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch b/queue-2.6.26/alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch
new file mode 100644 (file)
index 0000000..4b31fe3
--- /dev/null
@@ -0,0 +1,104 @@
+From jejb@kernel.org  Mon Oct  6 15:30:17 2008
+From: Risto Suominen <Risto.Suominen@gmail.com>
+Date: Thu, 2 Oct 2008 22:55:15 GMT
+Subject: ALSA: snd-powermac: HP detection for 1st iMac G3 SL
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810022255.m92MtFC3022982@hera.kernel.org>
+
+From: Risto Suominen <Risto.Suominen@gmail.com>
+
+commit 030b655b062fe5190fc490e0091ea50307d7a86f upstream
+
+Correct headphone detection for 1st generation iMac G3 Slot-loading (Screamer).
+
+This patch fixes the regression in the recent snd-powermac which
+doesn't support some G3/G4 PowerMacs:
+    http://lkml.org/lkml/2008/10/1/220
+
+Signed-off-by: Risto Suominen <Risto.Suominen@gmail.com>
+Tested-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/ppc/awacs.c |   31 ++++++++++++++++++++++---------
+ 1 file changed, 22 insertions(+), 9 deletions(-)
+
+--- a/sound/ppc/awacs.c
++++ b/sound/ppc/awacs.c
+@@ -695,7 +695,10 @@ static struct snd_kcontrol_new snd_pmac_
+ static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw __initdata =
+ AWACS_SWITCH("PC Speaker Playback Switch", 1, SHIFT_SPKMUTE, 1);
+-static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw_imac __initdata =
++static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw_imac1 __initdata =
++AWACS_SWITCH("PC Speaker Playback Switch", 1, SHIFT_PAROUT1, 1);
++
++static struct snd_kcontrol_new snd_pmac_awacs_speaker_sw_imac2 __initdata =
+ AWACS_SWITCH("PC Speaker Playback Switch", 1, SHIFT_PAROUT1, 0);
+@@ -772,12 +775,12 @@ static void snd_pmac_awacs_resume(struct
+ #define IS_PM7500 (machine_is_compatible("AAPL,7500"))
+ #define IS_BEIGE (machine_is_compatible("AAPL,Gossamer"))
+-#define IS_IMAC (machine_is_compatible("PowerMac2,1") \
+-              || machine_is_compatible("PowerMac2,2") \
++#define IS_IMAC1 (machine_is_compatible("PowerMac2,1"))
++#define IS_IMAC2 (machine_is_compatible("PowerMac2,2") \
+               || machine_is_compatible("PowerMac4,1"))
+ #define IS_G4AGP (machine_is_compatible("PowerMac3,1"))
+-static int imac;
++static int imac1, imac2;
+ #ifdef PMAC_SUPPORT_AUTOMUTE
+ /*
+@@ -823,13 +826,18 @@ static void snd_pmac_awacs_update_automu
+               {
+                       int reg = chip->awacs_reg[1]
+                               | (MASK_HDMUTE | MASK_SPKMUTE);
+-                      if (imac) {
++                      if (imac1) {
++                              reg &= ~MASK_SPKMUTE;
++                              reg |= MASK_PAROUT1;
++                      } else if (imac2) {
+                               reg &= ~MASK_SPKMUTE;
+                               reg &= ~MASK_PAROUT1;
+                       }
+                       if (snd_pmac_awacs_detect_headphone(chip))
+                               reg &= ~MASK_HDMUTE;
+-                      else if (imac)
++                      else if (imac1)
++                              reg &= ~MASK_PAROUT1;
++                      else if (imac2)
+                               reg |= MASK_PAROUT1;
+                       else
+                               reg &= ~MASK_SPKMUTE;
+@@ -859,9 +867,12 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+       int pm7500 = IS_PM7500;
+       int beige = IS_BEIGE;
+       int g4agp = IS_G4AGP;
++      int imac;
+       int err, vol;
+-      imac = IS_IMAC;
++      imac1 = IS_IMAC1;
++      imac2 = IS_IMAC2;
++      imac = imac1 || imac2;
+       /* looks like MASK_GAINLINE triggers something, so we set here
+        * as start-up
+        */
+@@ -1017,8 +1028,10 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+                                       snd_pmac_awacs_speaker_vol);
+               if (err < 0)
+                       return err;
+-              chip->speaker_sw_ctl = snd_ctl_new1(imac
+-                              ? &snd_pmac_awacs_speaker_sw_imac
++              chip->speaker_sw_ctl = snd_ctl_new1(imac1
++                              ? &snd_pmac_awacs_speaker_sw_imac1
++                              : imac2
++                              ? &snd_pmac_awacs_speaker_sw_imac2
+                               : &snd_pmac_awacs_speaker_sw, chip);
+               err = snd_ctl_add(chip->card, chip->speaker_sw_ctl);
+               if (err < 0)
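Review bot: The imac1 and imac2 paths in snd_pmac_awacs_update_automute() drive MASK_PAROUT1 with opposite polarity, and the two speaker switches differ only in the last AWACS_SWITCH argument, yet nothing in the new code says why. A short comment at the `if (imac1)` branch would keep the next reader from "fixing" the asymmetry, e.g. `/* PowerMac2,1: PAROUT1 sense is inverted relative to the later iMacs */`, with the wording confirmed by someone who knows the hardware. The bodies of snd_pmac_awacs_update_automute() and snd_pmac_awacs_init() start and end outside the hunks.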
diff --git a/queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch b/queue-2.6.26/alsa-snd-powermac-mixers-for-powermac-g4-agp.patch
new file mode 100644 (file)
index 0000000..23a84e8
--- /dev/null
@@ -0,0 +1,95 @@
+From jejb@kernel.org  Mon Oct  6 15:30:43 2008
+From: Risto Suominen <Risto.Suominen@gmail.com>
+Date: Thu, 2 Oct 2008 22:55:18 GMT
+Subject: ALSA: snd-powermac: mixers for PowerMac G4 AGP
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810022255.m92MtIJm022994@hera.kernel.org>
+
+From: Risto Suominen <Risto.Suominen@gmail.com>
+
+commit 4dbf95ba6c344186ec6d38ff514dc675da464bec upstream
+
+Add mixer controls for PowerMac G4 AGP (Screamer).
+
+This patch fixes the regression in the recent snd-powermac which
+doesn't support some G3/G4 PowerMacs:
+    http://lkml.org/lkml/2008/10/1/220
+
+Signed-off-by: Risto Suominen <Risto.Suominen@gmail.com>
+Tested-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/ppc/awacs.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/sound/ppc/awacs.c
++++ b/sound/ppc/awacs.c
+@@ -621,6 +621,13 @@ static struct snd_kcontrol_new snd_pmac_
+       AWACS_SWITCH("CD Capture Switch", 0, SHIFT_MUX_CD, 0),
+ };
++static struct snd_kcontrol_new snd_pmac_screamer_mixers_g4agp[] __initdata = {
++      AWACS_VOLUME("Line out Playback Volume", 2, 6, 1),
++      AWACS_VOLUME("Master Playback Volume", 5, 6, 1),
++      AWACS_SWITCH("CD Capture Switch", 0, SHIFT_MUX_CD, 0),
++      AWACS_SWITCH("Line Capture Switch", 0, SHIFT_MUX_MIC, 0),
++};
++
+ static struct snd_kcontrol_new snd_pmac_awacs_mixers_pmac7500[] __initdata = {
+       AWACS_VOLUME("Line out Playback Volume", 2, 6, 1),
+       AWACS_SWITCH("CD Capture Switch", 0, SHIFT_MUX_CD, 0),
+@@ -768,6 +775,7 @@ static void snd_pmac_awacs_resume(struct
+ #define IS_IMAC (machine_is_compatible("PowerMac2,1") \
+               || machine_is_compatible("PowerMac2,2") \
+               || machine_is_compatible("PowerMac4,1"))
++#define IS_G4AGP (machine_is_compatible("PowerMac3,1"))
+ static int imac;
+@@ -850,6 +858,7 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+ {
+       int pm7500 = IS_PM7500;
+       int beige = IS_BEIGE;
++      int g4agp = IS_G4AGP;
+       int err, vol;
+       imac = IS_IMAC;
+@@ -939,7 +948,7 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+                               snd_pmac_awacs_mixers);
+       if (err < 0)
+               return err;
+-      if (beige)
++      if (beige || g4agp)
+               ;
+       else if (chip->model == PMAC_SCREAMER)
+               err = build_mixers(chip, ARRAY_SIZE(snd_pmac_screamer_mixers2),
+@@ -961,13 +970,17 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+               err = build_mixers(chip,
+                                  ARRAY_SIZE(snd_pmac_screamer_mixers_imac),
+                                  snd_pmac_screamer_mixers_imac);
++      else if (g4agp)
++              err = build_mixers(chip,
++                                 ARRAY_SIZE(snd_pmac_screamer_mixers_g4agp),
++                                 snd_pmac_screamer_mixers_g4agp);
+       else
+               err = build_mixers(chip,
+                                  ARRAY_SIZE(snd_pmac_awacs_mixers_pmac),
+                                  snd_pmac_awacs_mixers_pmac);
+       if (err < 0)
+               return err;
+-      chip->master_sw_ctl = snd_ctl_new1((pm7500 || imac)
++      chip->master_sw_ctl = snd_ctl_new1((pm7500 || imac || g4agp)
+                       ? &snd_pmac_awacs_master_sw_imac
+                       : &snd_pmac_awacs_master_sw, chip);
+       err = snd_ctl_add(chip->card, chip->master_sw_ctl);
+@@ -1012,7 +1025,7 @@ snd_pmac_awacs_init(struct snd_pmac *chi
+                       return err;
+       }
+-      if (beige)
++      if (beige || g4agp)
+               err = build_mixers(chip,
+                               ARRAY_SIZE(snd_pmac_screamer_mic_boost_beige),
+                               snd_pmac_screamer_mic_boost_beige);
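Review bot: The branch `if (beige || g4agp)` followed by a lone `;` in snd_pmac_awacs_init() is easy to misread as a missing statement now that it covers two machines. I would write it as an explicit empty block with a reason, `if (beige || g4agp) { /* no extra Screamer mixer set for these models */ }`, with the reason confirmed against the hardware. The function body starts and ends outside the hunks.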
diff --git a/queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch b/queue-2.6.26/braille_console-only-register-notifiers-when-the-braille-console-is-used.patch
new file mode 100644 (file)
index 0000000..344b93b
--- /dev/null
@@ -0,0 +1,57 @@
+From jejb@kernel.org  Mon Oct  6 15:29:19 2008
+From: Pascal Terjan <pterjan@mandriva.com>
+Date: Fri, 3 Oct 2008 01:45:55 GMT
+Subject: braille_console: only register notifiers when the braille console is used
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810030145.m931jt1T007158@hera.kernel.org>
+
+From: Pascal Terjan <pterjan@mandriva.com>
+
+commit c0c9209ddd96bc4f1d70a8b9958710671e076080 upstream
+
+Only register the braille driver VT and keyboard notifiers when the
+braille console is used.  Avoids eating insert or backspace keys.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=11242
+
+Signed-off-by: Pascal Terjan <pterjan@mandriva.com>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Moritz Muehlenhoff <jmm@inutil.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/accessibility/braille/braille_console.c |   13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/accessibility/braille/braille_console.c
++++ b/drivers/accessibility/braille/braille_console.c
+@@ -376,6 +376,8 @@ int braille_register_console(struct cons
+       console->flags |= CON_ENABLED;
+       console->index = index;
+       braille_co = console;
++      register_keyboard_notifier(&keyboard_notifier_block);
++      register_vt_notifier(&vt_notifier_block);
+       return 0;
+ }
+@@ -383,15 +385,8 @@ int braille_unregister_console(struct co
+ {
+       if (braille_co != console)
+               return -EINVAL;
++      unregister_keyboard_notifier(&keyboard_notifier_block);
++      unregister_vt_notifier(&vt_notifier_block);
+       braille_co = NULL;
+       return 0;
+ }
+-
+-static int __init braille_init(void)
+-{
+-      register_keyboard_notifier(&keyboard_notifier_block);
+-      register_vt_notifier(&vt_notifier_block);
+-      return 0;
+-}
+-
+-console_initcall(braille_init);
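Review bot: braille_register_console() now calls register_keyboard_notifier() and register_vt_notifier() and discards both results before `return 0;`. If either call can fail in this tree, the console is reported as registered with `braille_co` set while no notifier delivers events, so the results should be checked or the assumption stated, e.g. `/* notifier registration cannot fail here */`. The unregister path removes the notifiers before clearing `braille_co`, which is the right order. The beginning of both functions is outside the hunks, so whether a second registration is rejected before this point cannot be seen here.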
diff --git a/queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch b/queue-2.6.26/fbcon-fix-monochrome-color-value-calculation.patch
new file mode 100644 (file)
index 0000000..c4a8012
--- /dev/null
@@ -0,0 +1,39 @@
+From jejb@kernel.org  Mon Oct  6 15:31:35 2008
+From: David Winn <q-newsgroup@qypea.com>
+Date: Fri, 3 Oct 2008 01:46:02 GMT
+Subject: fbcon: fix monochrome color value calculation
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810030146.m931k2hV007197@hera.kernel.org>
+
+From: David Winn <q-newsgroup@qypea.com>
+
+commit 08650869e0ec581f8d88cfdb563d37f5383abfe2 upstream
+
+Commit 22af89aa0c0b4012a7431114a340efd3665a7617 ("fbcon: replace mono_col
+macro with static inline") changed the order of operations for computing
+monochrome color values.  This generates 0xffff000f instead of 0x0000000f
+for a 4 bit monochrome color, leading to image corruption if it is passed
+to cfb_imageblit or other similar functions.  Fix it up.
+
+Cc: Harvey Harrison <harvey.harrison@gmail.com>
+Cc: "Antonino A. Daplas" <adaplas@pol.net>
+Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/console/fbcon.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/fbcon.h
++++ b/drivers/video/console/fbcon.h
+@@ -110,7 +110,7 @@ static inline int mono_col(const struct 
+       __u32 max_len;
+       max_len = max(info->var.green.length, info->var.red.length);
+       max_len = max(info->var.blue.length, max_len);
+-      return ~(0xfff << (max_len & 0xff));
++      return (~(0xfff << max_len)) & 0xff;
+ }
+ static inline int attr_col_ec(int shift, struct vc_data *vc,
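Review bot: The new return line in mono_col() shifts the signed constant `0xfff` by `max_len` with no bound on the count, so a colour length of 20 or more overflows a signed int and 32 or more is an undefined shift. The removed line masked the count with `& 0xff`; the new one masks only the result. The lengths are read from `info->var`, which presumably reflects whatever video mode was last set, so an unsigned constant and a clamp would be safer and give the same result for every defined case: `return ~(0xfffU << min(max_len, 8U)) & 0xff;`. The start of mono_col() is outside the hunk.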
diff --git a/queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch b/queue-2.6.26/mm-owner-fix-race-between-swapoff-and-exit.patch
new file mode 100644 (file)
index 0000000..7d19c77
--- /dev/null
@@ -0,0 +1,163 @@
+From hugh@veritas.com  Mon Oct  6 15:32:49 2008
+From: Balbir Singh <balbir@linux.vnet.ibm.com>
+Date: Sun, 5 Oct 2008 17:43:37 +0100 (BST)
+Subject: mm owner: fix race between swapoff and exit
+To: stable@kernel.org
+Cc: Jiri Slaby <jirislaby@gmail.com>, Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>, Andrew Morton <akpm@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org>, Paul Menage <menage@google.com>, KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>, Balbir Singh <balbir@linux.vnet.ibm.com>
+Message-ID: <Pine.LNX.4.64.0810051733160.5673@blonde.site>
+
+From: Balbir Singh <balbir@linux.vnet.ibm.com>
+
+[Here's a backport of 2.6.27-rc8's 31a78f23bac0069004e69f98808b6988baccb6b6
+ to 2.6.26 or 2.6.26.5: I wouldn't trouble -stable for the (root only)
+ swapoff case which uncovered the bug, but the /proc/<pid>/<mmstats> case
+ is open to all, so I think worth plugging in the next 2.6.26-stable.
+ - Hugh]
+
+
+There's a race between mm->owner assignment and swapoff, more easily
+seen when task slab poisoning is turned on.  The condition occurs when
+try_to_unuse() runs in parallel with an exiting task.  A similar race
+can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
+or ptrace or page migration.
+
+CPU0                                    CPU1
+                                        try_to_unuse
+                                        looks at mm = task0->mm
+                                        increments mm->mm_users
+task 0 exits
+mm->owner needs to be updated, but no
+new owner is found (mm_users > 1, but
+no other task has task->mm = task0->mm)
+mm_update_next_owner() leaves
+                                        mmput(mm) decrements mm->mm_users
+task0 freed
+                                        dereferencing mm->owner fails
+
+The fix is to notify the subsystem via mm_owner_changed callback(),
+if no new owner is found, by specifying the new task as NULL.
+
+Jiri Slaby:
+mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
+must be set after that, so as not to pass NULL as old owner causing oops.
+
+Daisuke Nishimura:
+mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
+and its callers need to take account of this situation to avoid oops.
+
+Hugh Dickins:
+Lockdep warning and hang below exec_mmap() when testing these patches.
+exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
+so exec_mmap() now needs to do the same.  And with that repositioning,
+there's now no point in mm_need_new_owner() allowing for NULL mm.
+
+Reported-by: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
+Signed-off-by: Hugh Dickins <hugh@veritas.com>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Cc: Paul Menage <menage@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c       |    2 +-
+ kernel/cgroup.c |    5 +++--
+ kernel/exit.c   |   12 ++++++++++--
+ mm/memcontrol.c |   13 +++++++++++++
+ 4 files changed, 27 insertions(+), 5 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -740,11 +740,11 @@ static int exec_mmap(struct mm_struct *m
+       tsk->active_mm = mm;
+       activate_mm(active_mm, mm);
+       task_unlock(tsk);
+-      mm_update_next_owner(old_mm);
+       arch_pick_mmap_layout(mm);
+       if (old_mm) {
+               up_read(&old_mm->mmap_sem);
+               BUG_ON(active_mm != old_mm);
++              mm_update_next_owner(old_mm);
+               mmput(old_mm);
+               return 0;
+       }
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2761,14 +2761,15 @@ void cgroup_fork_callbacks(struct task_s
+  */
+ void cgroup_mm_owner_callbacks(struct task_struct *old, struct task_struct *new)
+ {
+-      struct cgroup *oldcgrp, *newcgrp;
++      struct cgroup *oldcgrp, *newcgrp = NULL;
+       if (need_mm_owner_callback) {
+               int i;
+               for (i = 0; i < CGROUP_SUBSYS_COUNT; i++) {
+                       struct cgroup_subsys *ss = subsys[i];
+                       oldcgrp = task_cgroup(old, ss->subsys_id);
+-                      newcgrp = task_cgroup(new, ss->subsys_id);
++                      if (new)
++                              newcgrp = task_cgroup(new, ss->subsys_id);
+                       if (oldcgrp == newcgrp)
+                               continue;
+                       if (ss->mm_owner_changed)
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -577,8 +577,6 @@ mm_need_new_owner(struct mm_struct *mm, 
+        * If there are other users of the mm and the owner (us) is exiting
+        * we need to find a new owner to take on the responsibility.
+        */
+-      if (!mm)
+-              return 0;
+       if (atomic_read(&mm->mm_users) <= 1)
+               return 0;
+       if (mm->owner != p)
+@@ -621,6 +619,16 @@ retry:
+       } while_each_thread(g, c);
+       read_unlock(&tasklist_lock);
++      /*
++       * We found no owner yet mm_users > 1: this implies that we are
++       * most likely racing with swapoff (try_to_unuse()) or /proc or
++       * ptrace or page migration (get_task_mm()).  Mark owner as NULL,
++       * so that subsystems can understand the callback and take action.
++       */
++      down_write(&mm->mmap_sem);
++      cgroup_mm_owner_callbacks(mm->owner, NULL);
++      mm->owner = NULL;
++      up_write(&mm->mmap_sem);
+       return;
+ assign_new_owner:
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -250,6 +250,14 @@ static struct mem_cgroup *mem_cgroup_fro
+ struct mem_cgroup *mem_cgroup_from_task(struct task_struct *p)
+ {
++      /*
++       * mm_update_next_owner() may clear mm->owner to NULL
++       * if it races with swapoff, page migration, etc.
++       * So this can be called with p == NULL.
++       */
++      if (unlikely(!p))
++              return NULL;
++
+       return container_of(task_subsys_state(p, mem_cgroup_subsys_id),
+                               struct mem_cgroup, css);
+ }
+@@ -574,6 +582,11 @@ retry:
+       rcu_read_lock();
+       mem = mem_cgroup_from_task(rcu_dereference(mm->owner));
++      if (unlikely(!mem)) {
++              rcu_read_unlock();
++              kmem_cache_free(page_cgroup_cache, pc);
++              return 0;
++      }
+       /*
+        * For every charge from the cgroup, increment reference count
+        */
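Review bot: mem_cgroup_from_task() can now return NULL, but of its callers only the one after the `retry:` label in mm/memcontrol.c gains a check in this patch. Any other caller, and any code that dereferences `mm->owner` directly, lies outside the hunks shown and needs the same audit. The added comment says the function can be called with `p == NULL` without stating the consequence; I would extend it with `Returns NULL in that case; callers must check before use.` In kernel/cgroup.c the `ss->mm_owner_changed` call, which may now receive a NULL `newcgrp`, is also past the end of its hunk, so each subsystem callback should be confirmed to tolerate it.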
diff --git a/queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch b/queue-2.6.26/rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch
new file mode 100644 (file)
index 0000000..266df92
--- /dev/null
@@ -0,0 +1,118 @@
+From jejb@kernel.org  Mon Oct  6 15:31:59 2008
+From: Marcin Slusarz <marcin.slusarz@gmail.com>
+Date: Sat, 4 Oct 2008 01:25:03 GMT
+Subject: rtc: fix kernel panic on second use of SIGIO nofitication
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200810040125.m941P38o017682@hera.kernel.org>
+
+From: Marcin Slusarz <marcin.slusarz@gmail.com>
+
+commit 2e4a75cdcb89ff53bb182dda3a6dcdc14befe007 upstream
+
+When userspace uses SIGIO notification and forgets to disable it before
+closing file descriptor, rtc->async_queue contains stale pointer to struct
+file.  When user space enables again SIGIO notification in different
+process, kernel dereferences this (poisoned) pointer and crashes.
+
+So disable SIGIO notification on close.
+
+Kernel panic:
+(second run of qemu (requires echo 1024 > /sys/class/rtc/rtc0/max_user_freq))
+
+general protection fault: 0000 [1] PREEMPT
+CPU 0
+Modules linked in: af_packet snd_pcm_oss snd_mixer_oss snd_seq_oss snd_seq_midi_event snd_seq usbhid tuner tea5767 tda8290 tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 tda9875 uhci_hcd ehci_hcd usbcore bttv snd_via82xx snd_ac97_codec ac97_bus snd_pcm snd_timer ir_common compat_ioctl32 snd_page_alloc videodev v4l1_compat snd_mpu401_uart snd_rawmidi v4l2_common videobuf_dma_sg videobuf_core snd_seq_device snd btcx_risc soundcore tveeprom i2c_viapro
+Pid: 5781, comm: qemu-system-x86 Not tainted 2.6.27-rc6 #363
+RIP: 0010:[<ffffffff8024f891>]  [<ffffffff8024f891>] __lock_acquire+0x3db/0x73f
+RSP: 0000:ffffffff80674cb8  EFLAGS: 00010002
+RAX: ffff8800224c62f0 RBX: 0000000000000046 RCX: 0000000000000002
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800224c62f0
+RBP: ffffffff80674d08 R08: 0000000000000002 R09: 0000000000000001
+R10: ffffffff80238941 R11: 0000000000000001 R12: 0000000000000000
+R13: 6b6b6b6b6b6b6b6b R14: ffff88003a450080 R15: 0000000000000000
+FS:  00007f98b69516f0(0000) GS:ffffffff80623200(0000) knlGS:00000000f7cc86d0
+CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 0000000000a87000 CR3: 0000000022598000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process qemu-system-x86 (pid: 5781, threadinfo ffff880028812000, task ffff88003a450080)
+Stack:  ffffffff80674cf8 0000000180238440 0000000200000002 0000000000000000
+ ffff8800224c62f0 0000000000000046 0000000000000000 0000000000000002
+ 0000000000000002 0000000000000000 ffffffff80674d68 ffffffff8024fc7a
+Call Trace:
+ <IRQ>  [<ffffffff8024fc7a>] lock_acquire+0x85/0xa9
+ [<ffffffff8029cb62>] ? send_sigio+0x2a/0x184
+ [<ffffffff80491d1f>] _read_lock+0x3e/0x4a
+ [<ffffffff8029cb62>] ? send_sigio+0x2a/0x184
+ [<ffffffff8029cb62>] send_sigio+0x2a/0x184
+ [<ffffffff8024fb97>] ? __lock_acquire+0x6e1/0x73f
+ [<ffffffff8029cd4d>] ? kill_fasync+0x2c/0x4e
+ [<ffffffff8029cd10>] __kill_fasync+0x54/0x65
+ [<ffffffff8029cd5b>] kill_fasync+0x3a/0x4e
+ [<ffffffff80402896>] rtc_update_irq+0x9c/0xa5
+ [<ffffffff80404640>] cmos_interrupt+0xae/0xc0
+ [<ffffffff8025d1c1>] handle_IRQ_event+0x25/0x5a
+ [<ffffffff8025e5e4>] handle_edge_irq+0xdd/0x123
+ [<ffffffff8020da34>] do_IRQ+0xe4/0x144
+ [<ffffffff8020bad6>] ret_from_intr+0x0/0xf
+ <EOI>  [<ffffffff8026fdc2>] ? __alloc_pages_internal+0xe7/0x3ad
+ [<ffffffff8033fe67>] ? clear_page_c+0x7/0x10
+ [<ffffffff8026fc10>] ? get_page_from_freelist+0x385/0x450
+ [<ffffffff8026fdc2>] ? __alloc_pages_internal+0xe7/0x3ad
+ [<ffffffff80280aac>] ? anon_vma_prepare+0x2e/0xf6
+ [<ffffffff80279400>] ? handle_mm_fault+0x227/0x6a5
+ [<ffffffff80494716>] ? do_page_fault+0x494/0x83f
+ [<ffffffff8049251d>] ? error_exit+0x0/0xa9
+
+Code: cc 41 39 45 28 74 24 e8 5e 1d 0f 00 85 c0 0f 84 6a 03 00 00 83 3d 8f a9 aa 00 00 be 47 03 00 00 0f 84 6a 02 00 00 e9 53 03 00 00 <41> ff 85 38 01 00 00 45 8b be 90 06 00 00 41 83 ff 2f 76 24 e8
+RIP  [<ffffffff8024f891>] __lock_acquire+0x3db/0x73f
+ RSP <ffffffff80674cb8>
+---[ end trace 431877d860448760 ]---
+Kernel panic - not syncing: Aiee, killing interrupt handler!
+
+Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
+Acked-by: Alessandro Zummo <alessandro.zummo@towertech.it>
+Acked-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/rtc/rtc-dev.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/rtc/rtc-dev.c
++++ b/drivers/rtc/rtc-dev.c
+@@ -401,6 +401,12 @@ static int rtc_dev_ioctl(struct inode *i
+       return err;
+ }
++static int rtc_dev_fasync(int fd, struct file *file, int on)
++{
++      struct rtc_device *rtc = file->private_data;
++      return fasync_helper(fd, file, on, &rtc->async_queue);
++}
++
+ static int rtc_dev_release(struct inode *inode, struct file *file)
+ {
+       struct rtc_device *rtc = file->private_data;
+@@ -411,16 +417,13 @@ static int rtc_dev_release(struct inode 
+       if (rtc->ops->release)
+               rtc->ops->release(rtc->dev.parent);
++      if (file->f_flags & FASYNC)
++              rtc_dev_fasync(-1, file, 0);
++
+       clear_bit_unlock(RTC_DEV_BUSY, &rtc->flags);
+       return 0;
+ }
+-static int rtc_dev_fasync(int fd, struct file *file, int on)
+-{
+-      struct rtc_device *rtc = file->private_data;
+-      return fasync_helper(fd, file, on, &rtc->async_queue);
+-}
+-
+ static const struct file_operations rtc_dev_fops = {
+       .owner          = THIS_MODULE,
+       .llseek         = no_llseek,
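Review bot: The added `if (file->f_flags & FASYNC) rtc_dev_fasync(-1, file, 0);` in rtc_dev_release() carries no comment, although it is what keeps `rtc->async_queue` from holding a pointer to a `struct file` that is about to be freed. A later cleanup could move or drop it without noticing the lifetime rule. I would add above it `/* Remove this file from rtc->async_queue before it is freed; a stale entry is dereferenced by kill_fasync() from the RTC interrupt. */`. The top of rtc_dev_release() is outside the hunk.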
diff --git a/queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch b/queue-2.6.26/s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch
new file mode 100644 (file)
index 0000000..eda78d4
--- /dev/null
@@ -0,0 +1,113 @@
+From 3d6e48f43340343d97839eadb1ab7b6a3ea98797 Mon Sep 17 00:00:00 2001
+From: Jarod Wilson <jwilson@redhat.com>
+Date: Tue, 9 Sep 2008 12:38:56 +0200
+Subject: S390: CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
+
+From: Jarod Wilson <jwilson@redhat.com>
+
+commit 3d6e48f43340343d97839eadb1ab7b6a3ea98797 upstream
+
+When running a 31-bit ptrace, on either an s390 or s390x kernel,
+reads and writes into a padding area in struct user_regs_struct32
+will result in a kernel panic.
+
+This is also known as CVE-2008-1514.
+
+Test case available here:
+http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
+
+Steps to reproduce:
+1) wget the above
+2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
+3) ./user-area-padding-31bit
+<panic>
+
+Test status
+-----------
+Without patch, both s390 and s390x kernels panic. With patch, the test case,
+as well as the gdb testsuite, pass without incident, padding area reads
+returning zero, writes ignored.
+
+Nb: original version returned -EINVAL on write attempts, which broke the
+gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
+the change to return 0 on write attempts.
+
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Tested-by: Jan Kratochvil <jan.kratochvil@redhat.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Moritz Muehlenhoff <jmm@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/kernel/compat_ptrace.h |    1 +
+ arch/s390/kernel/ptrace.c        |   28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/arch/s390/kernel/compat_ptrace.h
++++ b/arch/s390/kernel/compat_ptrace.h
+@@ -42,6 +42,7 @@ struct user_regs_struct32
+       u32 gprs[NUM_GPRS];
+       u32 acrs[NUM_ACRS];
+       u32 orig_gpr2;
++      /* nb: there's a 4-byte hole here */
+       s390_fp_regs fp_regs;
+       /*
+        * These per registers are in here so that gdb can modify them
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -177,6 +177,13 @@ peek_user(struct task_struct *child, add
+                */
+               tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
++      } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++              /*
++               * prevent reads of padding hole between
++               * orig_gpr2 and fp_regs on s390.
++               */
++              tmp = 0;
++
+       } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+               /* 
+                * floating point regs. are stored in the thread structure
+@@ -268,6 +275,13 @@ poke_user(struct task_struct *child, add
+                */
+               task_pt_regs(child)->orig_gpr2 = data;
++      } else if (addr < (addr_t) &dummy->regs.fp_regs) {
++              /*
++               * prevent writes of padding hole between
++               * orig_gpr2 and fp_regs on s390.
++               */
++              return 0;
++
+       } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
+               /*
+                * floating point regs. are stored in the thread structure
+@@ -409,6 +423,13 @@ peek_user_emu31(struct task_struct *chil
+                */
+               tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
++      } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++              /*
++               * prevent reads of padding hole between
++               * orig_gpr2 and fp_regs on s390.
++               */
++              tmp = 0;
++
+       } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+               /*
+                * floating point regs. are stored in the thread structure 
+@@ -488,6 +509,13 @@ poke_user_emu31(struct task_struct *chil
+                */
+               *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
++      } else if (addr < (addr_t) &dummy32->regs.fp_regs) {
++              /*
++               * prevent writess of padding hole between
++               * orig_gpr2 and fp_regs on s390.
++               */
++              return 0;
++
+       } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
+               /*
+                * floating point regs. are stored in the thread structure 
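Review bot: Each of the four new branches in peek_user(), poke_user(), peek_user_emu31() and poke_user_emu31() bounds the padding hole only from above, with `addr < (addr_t) &dummy->regs.fp_regs`; the lower bound comes from the preceding `else if`, whose condition is outside every hunk. Because the commit message reports a kernel panic for accesses to this area, the comment should record that dependency, for example `/* hole between orig_gpr2 and fp_regs; lower offsets are consumed by the orig_gpr2 branch above */`. The hole itself is recorded only as a comment in compat_ptrace.h, so a build-time check on the two member offsets would keep the struct and these branches in step. The comment in poke_user_emu31() also misspells "writes" as "writess".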
index 05181b19a7c53a03360c1765a98f0c39edfa6a22..f718a29d435c8af2152e94c1bbfe620af2834079 100644 (file)
@@ -62,3 +62,10 @@ pcmcia-fix-broken-abuse-of-dev-driver_data.patch
 0003-sparc64-Fix-OOPS-in-psycho_pcierr_intr_other.patch
 0004-sparc64-Fix-disappearing-PCI-devices-on-e3500.patch
 0005-sparc64-Fix-missing-devices-due-to-PCI-bridge-test.patch
+braille_console-only-register-notifiers-when-the-braille-console-is-used.patch
+alsa-snd-powermac-mixers-for-powermac-g4-agp.patch
+alsa-snd-powermac-hp-detection-for-1st-imac-g3-sl.patch
+fbcon-fix-monochrome-color-value-calculation.patch
+rtc-fix-kernel-panic-on-second-use-of-sigio-nofitication.patch
+mm-owner-fix-race-between-swapoff-and-exit.patch
+s390-cve-2008-1514-prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch