Hello community,
here is the log from the commit of package kernel-source for openSUSE:11.3
checked in at Wed Jan 4 00:45:41 CET 2012.
--------
--- old-versions/11.3/UPDATES/all/kernel-source/kernel-debug.changes 2011-10-24 17:22:09.000000000 +0200
+++ 11.3/kernel-source/kernel-debug.changes 2011-12-21 17:26:42.000000000 +0100
@@ -1,0 +2,124 @@
+Tue Dec 13 18:27:21 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch:
+ batman-adv: Only write requested number of byte to user buffer
+ (bnc#736149 CVE-2011-4604).
+- patches.fixes/batman-adv-bat_socket_read-missing-checks.patch:
+ batman-adv: bat_socket_read missing checks (bnc#736149
+ CVE-2011-4604).
+
+-------------------------------------------------------------------
+Mon Dec 12 19:58:02 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/net_sched-Fix-qdisc_notify.patch: net_sched:
+ Fix qdisc_notify() (bnc#735612 CVE-2011-2525).
+
+-------------------------------------------------------------------
+Thu Dec 8 16:40:13 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch:
+ ipv6: fix NULL dereference in udp6_ufo_fragment() (bnc#707288
+ CVE-2011-2699).
+
+-------------------------------------------------------------------
+Wed Nov 30 23:58:35 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/inet_diag-fix-inet_diag_bc_audit.patch: inet_diag:
+ fix inet_diag_bc_audit() (bnc#700879 CVE-2011-2213).
+
+-------------------------------------------------------------------
+Tue Nov 29 10:06:42 CET 2011 - mhocko@suse.cz
+
+- patches.fixes/x86-mm-Fix-pgd_lock-deadlock.patch: x86/mm:
+ Fix pgd_lock deadlock (bnc#728661).
+- patches.xen/xen-x86_64-pgd-alloc-order: Refresh.
+- patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch: x86/mm:
+ Fix pgd_lock deadlock (bnc#728661).
+
+-------------------------------------------------------------------
+Fri Nov 25 16:17:48 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/vlan-reset-skb-vlan_tci-field-before-reusing-skb.patch:
+ vlan: reset skb->vlan_tci field before reusing skb (bnc#698450
+ CVE-2011-1576).
+
+-------------------------------------------------------------------
+Tue Nov 22 16:39:46 CET 2011 - jdelvare@suse.de
+
+- patches.fixes/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx.patch:
+ drm/radeon/kms: fix up gpio i2c mask bits for r4xx (bnc#691052).
+
+-------------------------------------------------------------------
+Mon Nov 21 21:48:10 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/netfilter-ipt_CLUSTERIP-fix-buffer-overflow:
+ netfilter: ipt_CLUSTERIP: fix buffer overflow (bnc#702037
+ CVE-2011-2534).
+
+-------------------------------------------------------------------
+Fri Nov 18 23:33:57 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/dccp-handle-invalid-feature-options-length:
+ dccp: handle invalid feature options length (bnc#692498
+ CVE-2011-1770).
+
+-------------------------------------------------------------------
+Wed Nov 16 13:49:34 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/igbvf-remove-extra-struct-page-member:
+ Remove extra struct page member from
+ the buffer info structure declaration
+ (http://article.gmane.org/gmane.linux.network/180760).
+
+-------------------------------------------------------------------
+Tue Nov 15 17:40:37 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/ipv6-make-fragment-identifications-less-predictable.patch:
+ ipv6: make fragment identifications less predictable (bnc#707288
+ CVE-2011-2699).
+
+-------------------------------------------------------------------
+Mon Nov 14 16:41:45 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/gro-only-reset-frag0-when-skb-can-be-pulled:
+ gro: Only reset frag0 when skb can be pulled (bnc#709764
+ CVE-2011-2723).
+
+-------------------------------------------------------------------
+Fri Nov 11 22:01:29 CET 2011 - bpoirier@suse.de
+
+- patches.fixes/af_packet-prevent-information-leak:
+ af_packet: prevent information leak
+ (bnc#710235 CVE-2011-2898).
+
+-------------------------------------------------------------------
+Thu Nov 3 17:56:07 CET 2011 - mszeredi@suse.cz
+
+- patches.fixes/hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch:
+ hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops
+ (CVE-2011-2203 bnc#699709).
+
+-------------------------------------------------------------------
+Thu Nov 3 17:05:06 CET 2011 - jeffm@suse.com
+
+- patches.fixes/crypto-ghash-avoid-null-pointer-dereference-if-no-key-is-set:
+ crypto: ghash - Avoid null pointer dereference if no key is set
+ (CVE-2011-4081 bnc#726788).
+
+-------------------------------------------------------------------
+Thu Nov 3 16:31:05 CET 2011 - jdelvare@suse.de
+
+- patches.fixes/drm-radeon-kms-fix-i2c-masks.patch: Add git commit
+ ID.
+
+-------------------------------------------------------------------
+Thu Nov 3 15:42:12 CET 2011 - jdelvare@suse.de
+
+- patches.fixes/ata-pata_it821x-fix-types-array.patch:
+ pata_it821x: Fix RAID type display.
+- patches.fixes/i2c-taos-evm-fix-log-messages.patch: i2c-taos-evm:
+ Fix log messages.
+- patches.fixes/i8k-avoid-lahf-in-64bit-code.patch: i8k: Avoid
+ lahf in 64-bit code.
+
+-------------------------------------------------------------------
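Review bot: the igbvf entry (patches.fixes/igbvf-remove-extra-struct-page-member) is the only one in this changelog without a bnc# or CVE reference; it cites only a gmane URL. Add the bug number it was backported for so the fix stays traceable through the bug tracker like every other entry here, and consider recording its mainline Git-commit as the other patch headers in this submission do.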
kernel-default.changes: same change
kernel-desktop.changes: same change
kernel-docs.changes: same change
kernel-ec2.changes: same change
kernel-net.changes: same change
kernel-pae.changes: same change
kernel-ppc64.changes: same change
kernel-ps3.changes: same change
kernel-s390.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-trace.changes: same change
kernel-vanilla.changes: same change
kernel-vmi.changes: same change
kernel-xen.changes: same change
calling whatdependson for 11.3-i586
Old:
----
minmem
needed_space_in_mb
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-debug
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,7 @@
Name: kernel-debug
Summary: A Debug Version of the Kernel
Version: 2.6.34.10
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
%if %using_buildservice
%else
%endif
kernel-default.spec: same change
kernel-desktop.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-docs
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -30,7 +30,7 @@
Group: Documentation/Man
AutoReqProv: on
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE3>
%if %using_buildservice
%else
%endif
++++++ kernel-ec2.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-ec2
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,7 @@
Name: kernel-ec2
Summary: The Amazon EC2 Xen Kernel
Version: 2.6.34.10
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
%if %using_buildservice
%else
%endif
++++++ kernel-net.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-net
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,7 @@
Name: kernel-net
Summary: Minimal kernel with disk and net support
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE3>
%if %using_buildservice
%else
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-pae
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,7 @@
Name: kernel-pae
Summary: Kernel with PAE Support
Version: 2.6.34.10
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
%if %using_buildservice
%else
%endif
++++++ kernel-ppc64.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-ppc64
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,7 @@
Name: kernel-ppc64
Summary: Kernel for ppc64 Systems
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE3>
%if %using_buildservice
%else
%endif
kernel-ps3.spec: same change
kernel-s390.spec: same change
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-source
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -31,7 +31,7 @@
Name: kernel-source
Summary: The Linux Kernel Sources
Version: 2.6.34.10
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
%if %using_buildservice
%else
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-syms
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
Name: kernel-syms
Summary: Kernel Symbol Versions (modversions)
Version: 2.6.34.10
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
%if %using_buildservice
%else
%define kernel_source_release %(LC_ALL=C rpm -q kernel-devel%variant-%version --qf "%{RELEASE}" | grep -v 'not installed' || echo 0)
++++++ kernel-trace.spec ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:39.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:39.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kernel-trace
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,7 @@
Name: kernel-trace
Summary: The Realtime Linux Kernel
Version: 2.6.34.10
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
%if %using_buildservice
%else
%endif
kernel-vanilla.spec: same change
kernel-vmi.spec: same change
kernel-xen.spec: same change
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/af_packet-prevent-information-leak new/patches.fixes/af_packet-prevent-information-leak
--- old/patches.fixes/af_packet-prevent-information-leak 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/af_packet-prevent-information-leak 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,59 @@
+From: Eric Dumazet
+Date: Mon, 6 Jun 2011 22:42:06 -0700
+Subject: af_packet: prevent information leak
+Patch-mainline: v3.0-rc3
+Git-commit: 13fcb7bd322164c67926ffe272846d4860196dc6
+References: bnc#710235 CVE-2011-2898
+
+af_packet: prevent information leak
+
+In 2.6.27, commit 393e52e33c6c2 (packet: deliver VLAN TCI to userspace)
+added a small information leak.
+
+Add padding field and make sure its zeroed before copy to user.
+
+Signed-off-by: Eric Dumazet
+CC: Patrick McHardy
+Signed-off-by: David S. Miller
+Acked-by: Benjamin Poirier
+---
+ include/linux/if_packet.h | 2 ++
+ net/packet/af_packet.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/include/linux/if_packet.h
++++ b/include/linux/if_packet.h
+@@ -60,6 +60,7 @@ struct tpacket_auxdata {
+ __u16 tp_mac;
+ __u16 tp_net;
+ __u16 tp_vlan_tci;
++ __u16 tp_padding;
+ };
+
+ /* Rx ring - header status */
+@@ -98,6 +99,7 @@ struct tpacket2_hdr {
+ __u32 tp_sec;
+ __u32 tp_nsec;
+ __u16 tp_vlan_tci;
++ __u16 tp_padding;
+ };
+
+ #define TPACKET2_HDRLEN (TPACKET_ALIGN(sizeof(struct tpacket2_hdr)) + sizeof(struct sockaddr_ll))
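Review bot: adding `__u16 tp_padding` to tpacket_auxdata and tpacket2_hdr turns the compiler's implicit tail padding into a named field the kernel can zero, which is the right way to close this kernel-to-user leak. Assuming the fields above each hunk leave a 2-byte tail hole at 4-byte alignment, sizeof() and therefore the TPACKET2_HDRLEN context line below are unchanged, but that assumption deserves a build-time size check with this change, since a changed header length would break every userspace mmap ring consumer.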
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -751,6 +751,7 @@ static int tpacket_rcv(struct sk_buff *s
+ h.h2->tp_sec = ts.tv_sec;
+ h.h2->tp_nsec = ts.tv_nsec;
+ h.h2->tp_vlan_tci = vlan_tx_tag_get(skb);
++ h.h2->tp_padding = 0;
+ hdrlen = sizeof(*h.h2);
+ break;
+ default:
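Review bot: only the h.h2 (TPACKET_V2) header is zeroed in this hunk, which matches the struct change above; the other header versions handled by the surrounding switch are not in the hunk, so confirm they have no equivalent tail hole reaching the ring. A memset of the header before the field assignments would cover all versions without depending on every padding field being remembered.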
+@@ -1616,6 +1617,7 @@ static int packet_recvmsg(struct kiocb *
+ aux.tp_mac = 0;
+ aux.tp_net = skb_network_offset(skb);
+ aux.tp_vlan_tci = vlan_tx_tag_get(skb);
++ aux.tp_padding = 0;
+
+ put_cmsg(msg, SOL_PACKET, PACKET_AUXDATA, sizeof(aux), &aux);
+ }
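Review bot: `aux` is a stack struct filled field by field (`aux.tp_mac = 0;`, `aux.tp_net = skb_network_offset(skb);`, `aux.tp_vlan_tci = vlan_tx_tag_get(skb);`) and then copied wholesale by `put_cmsg(msg, SOL_PACKET, PACKET_AUXDATA, sizeof(aux), &aux)`, so any future field or compiler padding would leak the same way. A `memset(&aux, 0, sizeof(aux))` before the assignments is the more durable fix, with the explicit `aux.tp_padding = 0;` kept as documentation of the ABI.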
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ata-pata_it821x-fix-types-array.patch new/patches.fixes/ata-pata_it821x-fix-types-array.patch
--- old/patches.fixes/ata-pata_it821x-fix-types-array.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ata-pata_it821x-fix-types-array.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,28 @@
+From: Jean Delvare
+Subject: pata_it821x: Fix RAID type display
+Patch-mainline: 3.1
+Git-commit: 1c30c02757027ed2da1b0e26609ac8b9b1c2bb1f
+
+The missing comma causes the wrong RAID type to be displayed.
+Introduced by commit 963e4975c6f93c148ca809d986d412201df9af89 three
+years ago, odd that nobody noticed before.
+
+Signed-off-by: Jean Delvare
+Cc: Jeff Garzik
+Cc: Alan Cox
+Acked-by: Jean Delvare
+---
+ drivers/ata/pata_it821x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-3.0-rc5.orig/drivers/ata/pata_it821x.c 2011-05-20 10:42:40.000000000 +0200
++++ linux-3.0-rc5/drivers/ata/pata_it821x.c 2011-07-04 15:05:14.000000000 +0200
+@@ -610,7 +610,7 @@ static void it821x_display_disk(int n, u
+ char *cbl = "(40 wire cable)";
+
+ static const char *types[5] = {
+- "RAID0", "RAID1" "RAID 0+1", "JBOD", "DISK"
++ "RAID0", "RAID1", "RAID 0+1", "JBOD", "DISK"
+ };
+
+ if (buf[52] > 4) /* No Disk */
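Review bot: the root cause is silent adjacent-string-literal concatenation (`"RAID1" "RAID 0+1"` compiled as one string), so `types[5]` had only four initialisers and `types[4]` was NULL, and the guard `if (buf[52] > 4)` let type 4 (DISK) select that NULL entry. The comma fix is correct; consider `if (buf[52] >= ARRAY_SIZE(types))` so the bound follows the declaration rather than a hard-coded constant that must be kept in sync.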
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch new/patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch
--- old/patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,50 @@
+From: Sven Eckelmann
+Date: Sat, 10 Dec 2011 15:28:36 +0100
+Subject: [PATCH 2/2] batman-adv: Only write requested number of byte to user
+ buffer
+Git-commit: b5a1eeef04cc7859f34dec9b72ea1b28e4aba07c
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
+Patch-mainline: Queued in subsystem maintainer repo
+References: bnc#736149 CVE-2011-4604
+
+Don't write more than the requested number of bytes of an batman-adv icmp
+packet to the userspace buffer. Otherwise unrelated userspace memory might get
+overridden by the kernel.
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+Acked-by: Benjamin Poirier
+---
+ drivers/staging/batman-adv/device.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/batman-adv/device.c
++++ b/drivers/staging/batman-adv/device.c
+@@ -162,6 +162,7 @@ ssize_t bat_device_read(struct file *fil
+ struct device_client *device_client =
+ (struct device_client *)file->private_data;
+ struct device_packet *device_packet;
++ size_t packet_len;
+ int error;
+ unsigned long flags;
+
+@@ -189,15 +190,15 @@ ssize_t bat_device_read(struct file *fil
+
+ spin_unlock_irqrestore(&device_client->lock, flags);
+
+- error = copy_to_user(buf, &device_packet->icmp_packet,
+- sizeof(struct icmp_packet));
++ packet_len = min(count, sizeof(struct icmp_packet));
++ error = copy_to_user(buf, &device_packet->icmp_packet, packet_len);
+
+ kfree(device_packet);
+
+ if (error)
+- return error;
++ return -EFAULT;
+
+- return sizeof(struct icmp_packet);
++ return packet_len;
+ }
+
+ ssize_t bat_device_write(struct file *file, const char __user *buff,
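Review bot: the change from `return error;` to `return -EFAULT;` is the more important half of this hunk: copy_to_user() returns the number of bytes not copied, so the old code returned a positive count on a faulting user pointer and the caller saw a successful short read. Clamping with `min(count, sizeof(struct icmp_packet))` stops the kernel writing past the caller's buffer, but a `count` smaller than the packet now silently truncates the ICMP packet and the remainder is lost (`kfree(device_packet)` follows); document this read semantics or reject undersized reads with -EINVAL up front so callers cannot misparse a partial packet.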
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/batman-adv-bat_socket_read-missing-checks.patch new/patches.fixes/batman-adv-bat_socket_read-missing-checks.patch
--- old/patches.fixes/batman-adv-bat_socket_read-missing-checks.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/batman-adv-bat_socket_read-missing-checks.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,33 @@
+From: Paul Kot
+Date: Sat, 10 Dec 2011 15:28:34 +0100
+Subject: [PATCH 1/2] batman-adv: bat_socket_read missing checks
+Git-commit: c00b6856fc642b234895cfabd15b289e76726430
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
+Patch-mainline: Queued in subsystem maintainer repo
+References: bnc#736149 CVE-2011-4604
+
+Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel
+memory corruption, if __user *buf is just below TASK_SIZE.
+
+Signed-off-by: Paul Kot
+[sven@narfation.org: made it checkpatch clean]
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Marek Lindner
+Acked-by: Benjamin Poirier
+---
+ drivers/staging/batman-adv/device.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/batman-adv/device.c
++++ b/drivers/staging/batman-adv/device.c
+@@ -189,8 +189,8 @@ ssize_t bat_device_read(struct file *fil
+
+ spin_unlock_irqrestore(&device_client->lock, flags);
+
+- error = __copy_to_user(buf, &device_packet->icmp_packet,
+- sizeof(struct icmp_packet));
++ error = copy_to_user(buf, &device_packet->icmp_packet,
++ sizeof(struct icmp_packet));
+
+ kfree(device_packet);
+
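Review bot: switching `__copy_to_user` to `copy_to_user` adds the access_ok() range check that the double-underscore variant skips, which is exactly the missing check behind the TASK_SIZE case in the commit message. As PATCH 1/2 this is correct on its own, but it still returns `error` (the non-copied byte count) on failure; read it together with PATCH 2/2 above, whose `-` lines show this intermediate state and which changes the return to -EFAULT and clamps the copy to `count`.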
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/crypto-ghash-avoid-null-pointer-dereference-if-no-key-is-set new/patches.fixes/crypto-ghash-avoid-null-pointer-dereference-if-no-key-is-set
--- old/patches.fixes/crypto-ghash-avoid-null-pointer-dereference-if-no-key-is-set 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/crypto-ghash-avoid-null-pointer-dereference-if-no-key-is-set 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,105 @@
+From 7ed47b7d142ec99ad6880bbbec51e9f12b3af74c Mon Sep 17 00:00:00 2001
+From: Nick Bowler
+Date: Thu, 20 Oct 2011 14:16:55 +0200
+Subject: crypto: ghash - Avoid null pointer dereference if no key is set
+Git-commit: 7ed47b7d142ec99ad6880bbbec51e9f12b3af74c
+Patch-mainline: v3.1
+References: CVE-2011-4081 bnc#726788
+Introduced-by: 2.6.32-rc1
+
+The ghash_update function passes a pointer to gf128mul_4k_lle which will
+be NULL if ghash_setkey is not called or if the most recent call to
+ghash_setkey failed to allocate memory. This causes an oops. Fix this
+up by returning an error code in the null case.
+
+This is trivially triggered from unprivileged userspace through the
+AF_ALG interface by simply writing to the socket without setting a key.
+
+The ghash_final function has a similar issue, but triggering it requires
+a memory allocation failure in ghash_setkey _after_ at least one
+successful call to ghash_update.
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000670
+ IP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc
+
+ Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs
+ EIP: 0060:[<d88c92d4>] EFLAGS: 00000202 CPU: 0
+ EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul]
+ EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000
+ ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4
+ DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+ Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000)
+ Stack:
+ 00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000
+ 00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc
+ 00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000
+ Call Trace:
+ [<c101a520>] ? kmap_atomic_prot+0x37/0xa6
+ [<d88d310f>] ghash_update+0x85/0xbe [ghash_generic]
+ [<c11676ed>] crypto_shash_update+0x18/0x1b
+ [<c11679ad>] shash_ahash_update+0x22/0x36
+ [<c11679cc>] shash_async_update+0xb/0xd
+ [<d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash]
+ [<c121b24c>] kernel_sendpage+0x39/0x4e
+ [<d88ce000>] ? 0xd88cdfff
+ [<c121b298>] sock_sendpage+0x37/0x3e
+ [<c121b261>] ? kernel_sendpage+0x4e/0x4e
+ [<c10b4dbc>] pipe_to_sendpage+0x56/0x61
+ [<c10b4e1f>] splice_from_pipe_feed+0x58/0xcd
+ [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
+ [<c10b51f5>] __splice_from_pipe+0x36/0x55
+ [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
+ [<c10b6383>] splice_from_pipe+0x51/0x64
+ [<c10b63c2>] ? default_file_splice_write+0x2c/0x2c
+ [<c10b63d5>] generic_splice_sendpage+0x13/0x15
+ [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
+ [<c10b527f>] do_splice_from+0x5d/0x67
+ [<c10b6865>] sys_splice+0x2bf/0x363
+ [<c129373b>] ? sysenter_exit+0xf/0x16
+ [<c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f
+ [<c129370c>] sysenter_do_call+0x12/0x32
+ Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f
+ EIP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4
+ CR2: 0000000000000670
+ ---[ end trace 4eaa2a86a8e2da24 ]---
+ note: hashatron[1502] exited with preempt_count 1
+ BUG: scheduling while atomic: hashatron/1502/0x10000002
+ INFO: lockdep is turned off.
+ [...]
+
+Signed-off-by: Nick Bowler
+Cc: stable@kernel.org [2.6.37+]
+Signed-off-by: Herbert Xu
+Acked-by: Jeff Mahoney
+---
+ crypto/ghash-generic.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
+index be44256..7835b8f 100644
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -67,6 +67,9 @@ static int ghash_update(struct shash_desc *desc,
+ struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
+ u8 *dst = dctx->buffer;
+
++ if (!ctx->gf128)
++ return -ENOKEY;
++
+ if (dctx->bytes) {
+ int n = min(srclen, dctx->bytes);
+ u8 *pos = dst + (GHASH_BLOCK_SIZE - dctx->bytes);
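Review bot: the `if (!ctx->gf128) return -ENOKEY;` guard sits before the `dctx->bytes` buffering path, so it also covers a descriptor that buffered partial input earlier and whose later setkey failed and left `ctx->gf128` NULL; that is the right placement. Since the commit text says an unkeyed shash is reachable from unprivileged userspace via AF_ALG, a generic key-required check at the shash/AF_ALG layer would protect every keyed hash rather than each algorithm separately; worth a follow-up, but this per-algorithm fix is the correct backport.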
+@@ -119,6 +122,9 @@ static int ghash_final(struct shash_desc *desc, u8 *dst)
+ struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
+ u8 *buf = dctx->buffer;
+
++ if (!ctx->gf128)
++ return -ENOKEY;
++
+ ghash_flush(ctx, dctx);
+ memcpy(dst, buf, GHASH_BLOCK_SIZE);
+
+
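Review bot: the ghash_final guard is placed before `ghash_flush(ctx, dctx)`, which is where the remaining buffered bytes would be multiplied with the NULL table, so the ordering is correct. On -ENOKEY the partial state in `dctx->buffer` is left as-is rather than cleared; that is acceptable because every update/final call keeps failing until a successful setkey, but a one-line comment saying so would save the next reader the question.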
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/dccp-handle-invalid-feature-options-length new/patches.fixes/dccp-handle-invalid-feature-options-length
--- old/patches.fixes/dccp-handle-invalid-feature-options-length 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/dccp-handle-invalid-feature-options-length 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,33 @@
+From: Dan Rosenberg
+Date: Fri, 6 May 2011 03:27:18 +0000
+Subject: [PATCH] dccp: handle invalid feature options length
+Patch-mainline: v2.6.39
+Git-commit: a294865978b701e4d0d90135672749531b9a900d
+References: bnc#692498 CVE-2011-1770
+
+A length of zero (after subtracting two for the type and len fields) for
+the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+the subtraction. The subsequent code may read past the end of the
+options value buffer when parsing. I'm unsure of what the consequences
+of this might be, but it's probably not good.
+
+Signed-off-by: Dan Rosenberg
+Cc: stable@kernel.org
+Acked-by: Gerrit Renker
+Signed-off-by: David S. Miller
+Acked-by: Benjamin Poirier
+---
+ net/dccp/options.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -131,6 +131,8 @@ int dccp_parse_options(struct sock *sk,
+ case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
+ break;
++ if (len == 0)
++ goto out_invalid_option;
+ rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ *value, value + 1, len - 1);
+ if (rc)
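Review bot: the new `if (len == 0) goto out_invalid_option;` is placed after the `DCCP_PKT_DATA` `break`, so a zero-length feature option on a data packet is still silently skipped while on every other packet type it is now rejected; that is consistent, because the `dccp_feat_parse_options(sk, dreq, mandatory, opt, *value, value + 1, len - 1)` call whose `len - 1` underflows is only reached for non-data packets. The check relies on `len` already having the two type/length bytes subtracted, as the commit message states; a comment at the check pointing that out would make the `== 0` boundary self-explanatory.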
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch new/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch
--- old/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch 2011-10-19 22:16:41.000000000 +0200
+++ new/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch 2011-12-13 18:27:38.000000000 +0100
@@ -1,6 +1,7 @@
From: Jean Delvare
Subject: drm/radeon/kms: Fix I2C mask definitions
-Patch-mainline: Not yet, should happen soon
+Patch-mainline: 3.2
+Git-commit: 286e0c94f9c3f292cb38a977fbbde3433347a868
References: bnc#712023
Commit 9b9fe724 accidentally used RADEON_GPIO_EN_* where
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx.patch new/patches.fixes/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx.patch
--- old/patches.fixes/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,39 @@
+From: Alex Deucher
+Subject: drm/radeon/kms: fix up gpio i2c mask bits for r4xx
+References: bnc#691052
+Patch-mainline: 3.2
+Git-commit: 6c47e5c23aa2a7c54ad7ac13af4bd56cd9e703bf
+
+Fixes i2c test failures when i2c_algo_bit.bit_test=1.
+
+The hw doesn't actually require a mask, so just set it
+to the default mask bits for r1xx-r4xx radeon ddc.
+
+Signed-off-by: Alex Deucher
+Cc: stable@kernel.org
+Acked-by: Jean Delvare
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -84,6 +84,18 @@ static inline struct radeon_i2c_bus_rec
+ for (i = 0; i < num_indices; i++) {
+ gpio = &i2c_info->asGPIO_Info[i];
+
++ /* r4xx mask is technically not used by the hw, so patch in the legacy mask bits */
++ if ((rdev->family == CHIP_R420) ||
++ (rdev->family == CHIP_R423) ||
++ (rdev->family == CHIP_RV410)) {
++ if ((le16_to_cpu(gpio->usClkMaskRegisterIndex) == 0x0018) ||
++ (le16_to_cpu(gpio->usClkMaskRegisterIndex) == 0x0019) ||
++ (le16_to_cpu(gpio->usClkMaskRegisterIndex) == 0x001a)) {
++ gpio->ucClkMaskShift = 0x19;
++ gpio->ucDataMaskShift = 0x18;
++ }
++ }
++
+ if (gpio->sucI2cId.ucAccess == id) {
+ i2c.mask_clk_reg = le16_to_cpu(gpio->usClkMaskRegisterIndex) * 4;
+ i2c.mask_data_reg = le16_to_cpu(gpio->usDataMaskRegisterIndex) * 4;
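Review bot: the r4xx fix-up runs for every GPIO table entry before the `if (gpio->sucI2cId.ucAccess == id)` match and writes the legacy shifts (`gpio->ucClkMaskShift = 0x19;`, `gpio->ucDataMaskShift = 0x18;`) back into the parsed BIOS table rather than into the `i2c` record being built, so the in-memory table is modified as a side effect on each call. Moving the adjustment inside the id match, or recording it in the `i2c` record, keeps the table read-only; the register indices 0x0018/0x0019/0x001a and the shift values are also magic numbers and deserve a comment naming the legacy DDC mask bits they stand for.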
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/gro-only-reset-frag0-when-skb-can-be-pulled new/patches.fixes/gro-only-reset-frag0-when-skb-can-be-pulled
--- old/patches.fixes/gro-only-reset-frag0-when-skb-can-be-pulled 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/gro-only-reset-frag0-when-skb-can-be-pulled 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,37 @@
+From: Herbert Xu
+Date: Wed, 27 Jul 2011 06:16:28 -0700
+Subject: [PATCH] gro: Only reset frag0 when skb can be pulled
+Patch-mainline: v3.1-rc1
+Git-commit: 17dd759c67f21e34f2156abcf415e1f60605a188
+References: bnc#709764 CVE-2011-2723
+
+Currently skb_gro_header_slow unconditionally resets frag0 and
+frag0_len. However, when we can't pull on the skb this leaves
+the GRO fields in an inconsistent state.
+
+This patch fixes this by only resetting those fields after the
+pskb_may_pull test.
+
+Signed-off-by: Herbert Xu
+Signed-off-by: David S. Miller
+Acked-by: Benjamin Poirier
+---
+ include/linux/netdevice.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1261,9 +1261,12 @@ static inline int skb_gro_header_hard(st
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ unsigned int offset)
+ {
++ if (!pskb_may_pull(skb, hlen))
++ return NULL;
++
+ NAPI_GRO_CB(skb)->frag0 = NULL;
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+- return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++ return skb->data + offset;
+ }
+
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
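Review bot: resetting `NAPI_GRO_CB(skb)->frag0` and `frag0_len` only after `pskb_may_pull(skb, hlen)` succeeds fixes the inconsistent state the message describes, where a failed pull left the fields cleared although no pull had happened. Callers that receive NULL now see frag0/frag0_len untouched, so each skb_gro_header_slow() caller should be checked for code that assumed the fields were reset on failure; the success path is behaviourally identical to the old `pskb_may_pull(skb, hlen) ? skb->data + offset : NULL`.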
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch new/patches.fixes/hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch
--- old/patches.fixes/hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,91 @@
+From 434a964daa14b9db083ce20404a4a2add54d037a Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Wed, 2 Nov 2011 13:38:01 -0700
+Subject: hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops
+Patch-mainline: yes
+References: CVE-2011-2203 bnc#699709
+
+Clement Lecigne reports a filesystem which causes a kernel oops in
+hfs_find_init() trying to dereference sb->ext_tree which is NULL.
+
+This proves to be because the filesystem has a corrupted MDB extent
+record, where the extents file does not fit into the first three extents
+in the file record (the first blocks).
+
+In hfs_get_block() when looking up the blocks for the extent file
+(HFS_EXT_CNID), it fails the first blocks special case, and falls
+through to the extent code (which ultimately calls hfs_find_init())
+which is in the process of being initialised.
+
+Hfs avoids this scenario by always having the extents b-tree fitting
+into the first blocks (the extents B-tree can't have overflow extents).
+
+The fix is to check at mount time that the B-tree fits into first
+blocks, i.e. fail if HFS_I(inode)->alloc_blocks >=
+HFS_I(inode)->first_blocks
+
+Note, the existing commit 47f365eb57573 ("hfs: fix oops on mount with
+corrupted btree extent records") becomes subsumed into this as a special
+case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
+acceptable for the catalog B-Tree file to grow beyond three extents,
+with the remaining extent descriptors in the extents overflow.
+
+This fixes CVE-2011-2203
+
+Reported-by: Clement LECIGNE
+Signed-off-by: Phillip Lougher
+Cc: Jeff Mahoney
+Cc: Christoph Hellwig
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Acked-by: Miklos Szeredi
+---
+ fs/hfs/btree.c | 20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 3ebc437..1cbdeea 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -46,11 +46,26 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+ case HFS_EXT_CNID:
+ hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
+ mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
++ if (HFS_I(tree->inode)->alloc_blocks >
++ HFS_I(tree->inode)->first_blocks) {
++ printk(KERN_ERR "hfs: invalid btree extent records\n");
++ unlock_new_inode(tree->inode);
++ goto free_inode;
++ }
++
+ tree->inode->i_mapping->a_ops = &hfs_btree_aops;
+ break;
+ case HFS_CAT_CNID:
+ hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
+ mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
++
++ if (!HFS_I(tree->inode)->first_blocks) {
++ printk(KERN_ERR "hfs: invalid btree extent records "
++ "(0 size).\n");
++ unlock_new_inode(tree->inode);
++ goto free_inode;
++ }
++
+ tree->inode->i_mapping->a_ops = &hfs_btree_aops;
+ break;
+ default:
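Review bot: the condition added here, `if (HFS_I(tree->inode)->alloc_blocks > HFS_I(tree->inode)->first_blocks)`, does not match the description, which says "fail if HFS_I(inode)->alloc_blocks >= HFS_I(inode)->first_blocks". `>` is the correct test (alloc_blocks == first_blocks means the extents tree fits exactly into the first three extents and is valid), so the description should be corrected rather than the code. Also, both new error paths call `unlock_new_inode(tree->inode);` before `goto free_inode;`, ahead of the common `unlock_new_inode()` that follows the switch, so the `free_inode:` label (outside this hunk) must not unlock the inode a second time; worth a glance when applying.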
+@@ -59,11 +74,6 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+ }
+ unlock_new_inode(tree->inode);
+
+- if (!HFS_I(tree->inode)->first_blocks) {
+- printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
+- goto free_inode;
+- }
+-
+ mapping = tree->inode->i_mapping;
+ page = read_mapping_page(mapping, 0, NULL);
+ if (IS_ERR(page))
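Review bot: removing the generic `if (!HFS_I(tree->inode)->first_blocks)` check here leaves the HFS_EXT_CNID case guarded only by `alloc_blocks > first_blocks` from the previous hunk, and that test does not reject a record with both `first_blocks` and `alloc_blocks` equal to 0 (0 > 0 is false). Since the code immediately goes on to `read_mapping_page(mapping, 0, NULL)`, an empty extents tree would now reach the page read instead of failing at mount; unless an empty extents tree is valid, keep the zero-size check for HFS_EXT_CNID as well, as the previous hunk does for HFS_CAT_CNID.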
+--
+1.7.3.4
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/i2c-taos-evm-fix-log-messages.patch new/patches.fixes/i2c-taos-evm-fix-log-messages.patch
--- old/patches.fixes/i2c-taos-evm-fix-log-messages.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/i2c-taos-evm-fix-log-messages.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,54 @@
+From: Jean Delvare
+Subject: i2c-taos-evm: Fix log messages
+Patch-mainline: 3.0
+Git-commit: 9b640f2e154268cb516efcaf9c434f2e73c6783e
+
+* Print all error and information messages even when debugging is
+ disabled.
+* Don't use adapter device to log messages before it is ready.
+
+Signed-off-by: Jean Delvare
+Cc: stable@kernel.org
+Acked-by: Jean Delvare
+---
+ drivers/i2c/busses/i2c-taos-evm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- linux-3.0-rc2.orig/drivers/i2c/busses/i2c-taos-evm.c 2010-08-02 00:11:14.000000000 +0200
++++ linux-3.0-rc2/drivers/i2c/busses/i2c-taos-evm.c 2011-06-08 18:06:32.000000000 +0200
+@@ -234,7 +234,7 @@ static int taos_connect(struct serio *se
+
+ if (taos->state != TAOS_STATE_IDLE) {
+ err = -ENODEV;
+- dev_dbg(&serio->dev, "TAOS EVM reset failed (state=%d, "
++ dev_err(&serio->dev, "TAOS EVM reset failed (state=%d, "
+ "pos=%d)\n", taos->state, taos->pos);
+ goto exit_close;
+ }
+@@ -255,7 +255,7 @@ static int taos_connect(struct serio *se
+ msecs_to_jiffies(250));
+ if (taos->state != TAOS_STATE_IDLE) {
+ err = -ENODEV;
+- dev_err(&adapter->dev, "Echo off failed "
++ dev_err(&serio->dev, "TAOS EVM echo off failed "
+ "(state=%d)\n", taos->state);
+ goto exit_close;
+ }
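Review bot: the removed `dev_err(&adapter->dev, "Echo off failed "` logged through the I2C adapter's device before `i2c_add_adapter(adapter)` (next hunk) has registered it, so the message carried an unregistered, nameless device; switching to `&serio->dev` is the right fix and matches the other three messages in this patch. With all four messages now going through `serio->dev`, keeping the "TAOS EVM" prefix consistent (this hunk adds it, the "Connected to"/"Disconnected from" messages already have it) makes them greppable as one driver.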
+@@ -263,7 +263,7 @@ static int taos_connect(struct serio *se
+ err = i2c_add_adapter(adapter);
+ if (err)
+ goto exit_close;
+- dev_dbg(&serio->dev, "Connected to TAOS EVM\n");
++ dev_info(&serio->dev, "Connected to TAOS EVM\n");
+
+ taos->client = taos_instantiate_device(adapter);
+ return 0;
+@@ -288,7 +288,7 @@ static void taos_disconnect(struct serio
+ serio_set_drvdata(serio, NULL);
+ kfree(taos);
+
+- dev_dbg(&serio->dev, "Disconnected from TAOS EVM\n");
++ dev_info(&serio->dev, "Disconnected from TAOS EVM\n");
+ }
+
+ static struct serio_device_id taos_serio_ids[] = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/i8k-avoid-lahf-in-64bit-code.patch new/patches.fixes/i8k-avoid-lahf-in-64bit-code.patch
--- old/patches.fixes/i8k-avoid-lahf-in-64bit-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/i8k-avoid-lahf-in-64bit-code.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,35 @@
+From: Luca Tettamanti
+Subject: i8k: Avoid lahf in 64-bit code
+Patch-mainline: 3.0
+Git-commit: bc1f419c76a2d6450413ce4349f4e4a07be011d5
+
+i8k uses lahf to read the flag register in 64-bit code; early x86-64
+CPUs, however, lack this instruction and we get an invalid opcode
+exception at runtime.
+Use pushf to load the flag register into the stack instead.
+
+Signed-off-by: Luca Tettamanti
+Reported-by: Jeff Rickman
+Tested-by: Jeff Rickman
+Tested-by: Harry G McGavran Jr
+Cc: stable@kernel.org
+Cc: Massimo Dal Zotto
+Signed-off-by: Jean Delvare
+Acked-by: Jean Delvare
+---
+ drivers/char/i8k.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -138,8 +138,8 @@ static int i8k_smm(struct smm_regs *regs
+ "movl %%edi,20(%%rax)\n\t"
+ "popq %%rdx\n\t"
+ "movl %%edx,0(%%rax)\n\t"
+- "lahf\n\t"
+- "shrl $8,%%eax\n\t"
++ "pushfq\n\t"
++ "popq %%rax\n\t"
+ "andl $1,%%eax\n"
+ :"=a"(rc)
+ : "a"(regs)
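Review bot: the replacement `pushfq` / `popq %%rax` captures the flags left by the SMM call, so nothing between that call and `pushfq` may modify them; the visible `movl` stores and `popq %%rdx` do not touch flags, which is why the sequence stays correct, but a short comment saying that `rax` is clobbered only after its last use as the `regs` pointer (`movl %%edx,0(%%rax)` is the final store) would prevent a future reorder from breaking it. Because `pushfq`/`popq` assemble only in 64-bit mode, this change belongs in the x86-64 branch of i8k_smm(), which the `%%rax`/`%%rdx` context lines confirm; the push/pop pair is balanced within the asm block.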
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/igbvf-remove-extra-struct-page-member new/patches.fixes/igbvf-remove-extra-struct-page-member
--- old/patches.fixes/igbvf-remove-extra-struct-page-member 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/igbvf-remove-extra-struct-page-member 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,26 @@
+From: Greg Rose
+Date: Tue, 16 Nov 2010 19:41:36 -0800
+Subject: Remove extra struct page member from the buffer info structure declaration.
+Patch-mainline: v2.6.38-rc2
+Git-commit: b1d670f10e8078485884f0cf7e384d890
+References: http://article.gmane.org/gmane.linux.network/180760
+
+Reported-by: Andi Kleen
+Signed-off-by: Greg Rose
+Tested-by: Emil Tantilov
+Signed-off-by: Jeff Kirsher
+Acked-by: Benjamin Poirier
+---
+ drivers/net/igbvf/igbvf.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/igbvf/igbvf.h
++++ b/drivers/net/igbvf/igbvf.h
+@@ -126,7 +126,6 @@ struct igbvf_buffer {
+ unsigned int page_offset;
+ };
+ };
+- struct page *page;
+ };
+
+ union igbvf_desc {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/inet_diag-fix-inet_diag_bc_audit.patch new/patches.fixes/inet_diag-fix-inet_diag_bc_audit.patch
--- old/patches.fixes/inet_diag-fix-inet_diag_bc_audit.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/inet_diag-fix-inet_diag_bc_audit.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,75 @@
+From: Eric Dumazet
+Date: Fri, 17 Jun 2011 16:25:39 -0400
+Subject: [PATCH] inet_diag: fix inet_diag_bc_audit()
+Patch-mainline: v3.0-rc4
+Git-commit: eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d
+References: bnc#700879 CVE-2011-2213
+
+[ Upstream commit eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d ]
+
+A malicious user or buggy application can inject code and trigger an
+infinite loop in inet_diag_bc_audit().
+
+Also make sure each instruction is aligned on 4 bytes boundary, to avoid
+unaligned accesses.
+
+Reported-by: Dan Rosenberg
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Benjamin Poirier
+---
+ net/ipv4/inet_diag.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int
+ return 0;
+ if (cc == len)
+ return 1;
+- if (op->yes < 4)
++ if (op->yes < 4 || op->yes & 3)
+ return 0;
+ len -= op->yes;
+ bc += op->yes;
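Review bot: `op->yes & 3` in `if (op->yes < 4 || op->yes & 3)` depends on `&` binding tighter than `||`; it is correct, but parenthesising it as `(op->yes & 3)` makes the alignment test obvious, here and in the two later hunks that add the same test on `op->no` and `op->yes`. The check itself is the right one: a jump offset that is not a multiple of 4 would land the next `struct inet_diag_bc_op` on an unaligned address, and it is applied before `len -= op->yes; bc += op->yes;` consume it.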
+@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int
+
+ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ {
+- const unsigned char *bc = bytecode;
++ const void *bc = bytecode;
+ int len = bytecode_len;
+
+ while (len > 0) {
+- struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
++ const struct inet_diag_bc_op *op = bc;
+
+ //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
+ switch (op->code) {
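Review bot: the commented-out `//printk("BC: %d %d %d {%d} / %d\n", ...)` in the context right below the changed lines is dead code in a function this patch is rewriting; drop it or turn it into `pr_debug()` while here. The change from `const unsigned char *bc` to `const void *bc` with `const struct inet_diag_bc_op *op = bc;` is fine (the kernel relies on GCC's void-pointer arithmetic for the later `bc += op->yes`) and removes the old cast that silently discarded `const`.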
+@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void
+ case INET_DIAG_BC_S_LE:
+ case INET_DIAG_BC_D_GE:
+ case INET_DIAG_BC_D_LE:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ case INET_DIAG_BC_JMP:
+- if (op->no < 4 || op->no > len + 4)
++ if (op->no < 4 || op->no > len + 4 || op->no & 3)
+ return -EINVAL;
+ if (op->no < len &&
+ !valid_cc(bytecode, bytecode_len, len - op->no))
+ return -EINVAL;
+ break;
+ case INET_DIAG_BC_NOP:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
++ if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
++ return -EINVAL;
+ bc += op->yes;
+ len -= op->yes;
+ }
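Review bot: the `if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)` moved after the switch is the actual fix for the infinite loop: in the old code `case INET_DIAG_BC_JMP:` validated only `op->no`, so a JMP instruction with `yes == 0` made `bc += op->yes; len -= op->yes;` advance nothing and the `while (len > 0)` loop never terminated. With the per-case `op->yes` checks removed, the fall-through from `case INET_DIAG_BC_D_LE:` into `case INET_DIAG_BC_JMP:` is now load-bearing (it is what validates `op->no` for the compare opcodes) and should carry a `/* fall through */` comment.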
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch new/patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch
--- old/patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,101 @@
+From: Jason Wang
+Date: Sun, 9 Oct 2011 10:56:44 +0800
+Subject: [PATCH] ipv6: fix NULL dereference in udp6_ufo_fragment()
+Patch-mainline: v3.0.7
+Git-commit: a1b7ab0836a56fa4c9578f88ba1042398d7d9316
+References: bnc#707288 CVE-2011-2699
+
+This patch fixes the issue caused by ef81bb40bf15f350fe865f31fa42f1082772a576
+which is a backport of upstream 87c48fa3b4630905f98268dde838ee43626a060c. The
+problem does not exist in upstream.
+
+We do not check whether a route is attached before trying to assign the IP
+identification through the route's dest, which leads to a NULL pointer
+dereference. This happens when the host bridge transmits a packet from a guest.
+
+This patch changes ipv6_select_ident() to accept an in6_addr as its parameter and
+fixes the issue by using the destination address in the ipv6 header when no route is
+attached.
+
+Signed-off-by: Jason Wang
+Acked-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Benjamin Poirier
+---
+ include/net/ipv6.h | 2 +-
+ net/ipv6/ip6_output.c | 10 +++++-----
+ net/ipv6/udp.c | 4 +++-
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -449,7 +449,7 @@ static inline int ipv6_addr_diff(const s
+ return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
+ }
+
+-extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
++extern void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr);
+
+ /*
+ * Prototypes exported by ipv6
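Review bot: the new prototype `extern void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr);` takes a non-const address although the address is only read (the ip6_output.c hunk shows `__ipv6_select_ident(const str...` taking it as `const`); declare the parameter `const struct in6_addr *addr` in both the header and the definition so the signature documents that the callee does not modify the address and stays consistent with the internal helper.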
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -632,9 +632,9 @@ static u32 __ipv6_select_ident(const str
+ return hash + newid;
+ }
+
+-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
++void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr)
+ {
+- fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr));
++ fhdr->identification = htonl(__ipv6_select_ident(addr));
+ }
+
+ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+@@ -721,7 +721,7 @@ static int ip6_fragment(struct sk_buff *
+ skb_reset_network_header(skb);
+ memcpy(skb_network_header(skb), tmp_hdr, hlen);
+
+- ipv6_select_ident(fh, rt);
++ ipv6_select_ident(fh, &rt->rt6i_dst.addr);
+ fh->nexthdr = nexthdr;
+ fh->reserved = 0;
+ fh->frag_off = htons(IP6_MF);
+@@ -867,7 +867,7 @@ slow_path:
+ fh->nexthdr = nexthdr;
+ fh->reserved = 0;
+ if (!frag_id) {
+- ipv6_select_ident(fh, rt);
++ ipv6_select_ident(fh, &rt->rt6i_dst.addr);
+ frag_id = fh->identification;
+ } else
+ fh->identification = frag_id;
+@@ -1117,7 +1117,7 @@ static inline int ip6_ufo_append_data(st
+ skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
+ sizeof(struct frag_hdr)) & ~7;
+ skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+- ipv6_select_ident(&fhdr, rt);
++ ipv6_select_ident(&fhdr, &rt->rt6i_dst.addr);
+ skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ __skb_queue_tail(&sk->sk_write_queue, skb);
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1284,6 +1284,7 @@ static struct sk_buff *udp6_ufo_fragment
+ u8 frag_hdr_sz = sizeof(struct frag_hdr);
+ int offset;
+ __wsum csum;
++ struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
+
+ mss = skb_shinfo(skb)->gso_size;
+ if (unlikely(skb->len <= mss))
+@@ -1334,7 +1335,8 @@ static struct sk_buff *udp6_ufo_fragment
+ fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
+ fptr->nexthdr = nexthdr;
+ fptr->reserved = 0;
+- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
++ ipv6_select_ident(fptr,
++ rt ? &rt->rt6i_dst.addr : &ipv6_hdr(skb)->daddr);
+
+ /* Fragment the skb. ipv6 header and the remaining fields of the
+ * fragment header are updated in ipv6_gso_segment()
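Review bot: `rt ? &rt->rt6i_dst.addr : &ipv6_hdr(skb)->daddr` is the NULL-dst fix, and it is the only call site in this patch that needs the fallback: the other callers changed here (ip6_fragment() and ip6_ufo_append_data()) keep passing `&rt->rt6i_dst.addr` unconditionally because a route has been looked up on those paths. A short comment at this call explaining that the GSO segmentation path can see a bridged skb with no dst attached would stop someone "simplifying" it back to the unconditional form. Note the fallback hashes the header's destination rather than the route's `rt6i_dst.addr`, so the same destination may select a different ID bucket depending on the path; that is acceptable for identification selection but worth stating.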
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-make-fragment-identifications-less-predictable.patch new/patches.fixes/ipv6-make-fragment-identifications-less-predictable.patch
--- old/patches.fixes/ipv6-make-fragment-identifications-less-predictable.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-make-fragment-identifications-less-predictable.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,175 @@
+From: Eric Dumazet
+Date: Mon, 8 Aug 2011 23:44:00 -0700
+Subject: ipv6: make fragment identifications less predictable
+Patch-mainline: v3.1-rc1
+Git-commit: 87c48fa3b4630905f98268dde838ee43626a060c (for >= v3.1-rc1 kernels)
+Git-commit: ef81bb40bf15f350fe865f31fa42f1082772a576 (for -stable kernels)
+References: bnc#707288 CVE-2011-2699
+
+[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c ]
+
+Fernando Gont reported that the current IPv6 fragment identification generation
+was not secure, because it uses a very predictable system-wide generator,
+allowing various attacks.
+
+IPv4 uses inetpeer cache to address this problem and to get good
+performance. We'll use this mechanism when IPv6 inetpeer is stable
+enough in linux-3.1.
+
+For the time being, we use jhash on destination address to provide less
+predictable identifications. Also remove a spinlock and use cmpxchg() to
+get better SMP performance.
+
+Reported-by: Fernando Gont
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Benjamin Poirier
+---
+ include/net/ipv6.h | 12 +-----------
+ include/net/transp_v6.h | 4 +++-
+ net/ipv6/af_inet6.c | 2 ++
+ net/ipv6/ip6_output.c | 40 +++++++++++++++++++++++++++++++++++-----
+ net/ipv6/udp.c | 2 +-
+ 5 files changed, 42 insertions(+), 18 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -449,17 +449,7 @@ static inline int ipv6_addr_diff(const s
+ return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
+ }
+
+-static __inline__ void ipv6_select_ident(struct frag_hdr *fhdr)
+-{
+- static u32 ipv6_fragmentation_id = 1;
+- static DEFINE_SPINLOCK(ip6_id_lock);
+-
+- spin_lock_bh(&ip6_id_lock);
+- fhdr->identification = htonl(ipv6_fragmentation_id);
+- if (++ipv6_fragmentation_id == 0)
+- ipv6_fragmentation_id = 1;
+- spin_unlock_bh(&ip6_id_lock);
+-}
++extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
+
+ /*
+ * Prototypes exported by ipv6
+--- a/include/net/transp_v6.h
++++ b/include/net/transp_v6.h
+@@ -16,7 +16,9 @@ extern struct proto tcpv6_prot;
+
+ struct flowi;
+
+-/* extention headers */
++extern void initialize_hashidentrnd(void);
++
++/* extension headers */
+ extern int ipv6_exthdrs_init(void);
+ extern void ipv6_exthdrs_exit(void);
+ extern int ipv6_frag_init(void);
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1077,6 +1077,8 @@ static int __init inet6_init(void)
+ goto out;
+ }
+
++ initialize_hashidentrnd();
++
+ err = proto_register(&tcpv6_prot, 1);
+ if (err)
+ goto out;
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -608,6 +608,35 @@ int ip6_find_1stfragopt(struct sk_buff *
+ return offset;
+ }
+
++static u32 hashidentrnd __read_mostly;
++#define FID_HASH_SZ 16
++static u32 ipv6_fragmentation_id[FID_HASH_SZ];
++
++void __init initialize_hashidentrnd(void)
++{
++ get_random_bytes(&hashidentrnd, sizeof(hashidentrnd));
++}
++
++static u32 __ipv6_select_ident(const struct in6_addr *addr)
++{
++ u32 newid, oldid, hash = jhash2((u32 *)addr, 4, hashidentrnd);
++ u32 *pid = &ipv6_fragmentation_id[hash % FID_HASH_SZ];
++
++ do {
++ oldid = *pid;
++ newid = oldid + 1;
++ if (!(hash + newid))
++ newid++;
++ } while (cmpxchg(pid, oldid, newid) != oldid);
++
++ return hash + newid;
++}
++
++void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
++{
++ fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr));
++}
++
+ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+ {
+ struct sk_buff *frag;
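Review bot: the `if (!(hash + newid)) newid++;` step in `__ipv6_select_ident()` keeps the returned identification from ever being 0, which matters because the slow path later in this file uses 0 as its "not yet assigned" sentinel (`if (!frag_id) { ipv6_select_ident(fh, rt); frag_id = fh->identification; }`); add a comment saying so, since in isolation the line looks arbitrary. Two smaller points: `jhash2((u32 *)addr, 4, hashidentrnd)` casts away `const` where `(const u32 *)` would do, and each of the FID_HASH_SZ buckets still increments by one per packet, so identifications for a single destination remain sequential with only their offset secret, which the description already acknowledges as an interim measure. The cmpxchg loop itself is sound: `oldid` is re-read from `*pid` on every iteration, so a lost race just retries.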
+@@ -692,7 +721,7 @@ static int ip6_fragment(struct sk_buff *
+ skb_reset_network_header(skb);
+ memcpy(skb_network_header(skb), tmp_hdr, hlen);
+
+- ipv6_select_ident(fh);
++ ipv6_select_ident(fh, rt);
+ fh->nexthdr = nexthdr;
+ fh->reserved = 0;
+ fh->frag_off = htons(IP6_MF);
+@@ -838,7 +867,7 @@ slow_path:
+ fh->nexthdr = nexthdr;
+ fh->reserved = 0;
+ if (!frag_id) {
+- ipv6_select_ident(fh);
++ ipv6_select_ident(fh, rt);
+ frag_id = fh->identification;
+ } else
+ fh->identification = frag_id;
+@@ -1042,7 +1071,8 @@ static inline int ip6_ufo_append_data(st
+ int getfrag(void *from, char *to, int offset, int len,
+ int odd, struct sk_buff *skb),
+ void *from, int length, int hh_len, int fragheaderlen,
+- int transhdrlen, int mtu,unsigned int flags)
++ int transhdrlen, int mtu,unsigned int flags,
++ struct rt6_info *rt)
+
+ {
+ struct sk_buff *skb;
+@@ -1087,7 +1117,7 @@ static inline int ip6_ufo_append_data(st
+ skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
+ sizeof(struct frag_hdr)) & ~7;
+ skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+- ipv6_select_ident(&fhdr);
++ ipv6_select_ident(&fhdr, rt);
+ skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ __skb_queue_tail(&sk->sk_write_queue, skb);
+
+@@ -1236,7 +1266,7 @@ int ip6_append_data(struct sock *sk, int
+
+ err = ip6_ufo_append_data(sk, getfrag, from, length, hh_len,
+ fragheaderlen, transhdrlen, mtu,
+- flags);
++ flags, rt);
+ if (err)
+ goto error;
+ return 0;
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1334,7 +1334,7 @@ static struct sk_buff *udp6_ufo_fragment
+ fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
+ fptr->nexthdr = nexthdr;
+ fptr->reserved = 0;
+- ipv6_select_ident(fptr);
++ ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
+
+ /* Fragment the skb. ipv6 header and the remaining fields of the
+ * fragment header are updated in ipv6_gso_segment()
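Review bot: `ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));` hands a possibly NULL dst to a function that dereferences `rt->rt6i_dst.addr` unconditionally (see the ip6_output.c hunk adding `ipv6_select_ident()` above); udp6_ufo_fragment() runs on the GSO path, where a bridged skb from a guest can carry no dst, which is exactly the NULL dereference that patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch in this same submission repairs. The series order must keep that follow-up after this patch, and ideally the two would be folded into one entry so that no intermediate tree carries the regression.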
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/net_sched-Fix-qdisc_notify.patch new/patches.fixes/net_sched-Fix-qdisc_notify.patch
--- old/patches.fixes/net_sched-Fix-qdisc_notify.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/net_sched-Fix-qdisc_notify.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,66 @@
+From: Eric Dumazet
+Date: Sat, 22 May 2010 20:37:44 +0000
+Subject: [PATCH] net_sched: Fix qdisc_notify()
+Patch-mainline: v2.6.35-rc1
+Git-commit: 53b0f08042f04813cd1a7473dacd3edfacb28eb3
+References: bnc#735612 CVE-2011-2525
+
+Ben Pfaff reported a kernel oops and provided a test program to
+reproduce it.
+
+https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805
+
+tc_fill_qdisc() should not be called for a builtin qdisc, or it
+dereferences a NULL pointer to get the device ifindex.
+
+Fix is to always use tc_qdisc_dump_ignore() before calling
+tc_fill_qdisc().
+
+Reported-by: Ben Pfaff
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Benjamin Poirier
+---
+ net/sched/sch_api.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1196,6 +1196,11 @@ nla_put_failure:
+ return -1;
+ }
+
++static bool tc_qdisc_dump_ignore(struct Qdisc *q)
++{
++ return (q->flags & TCQ_F_BUILTIN) ? true : false;
++}
++
+ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ u32 clid, struct Qdisc *old, struct Qdisc *new)
+ {
+@@ -1206,11 +1211,11 @@ static int qdisc_notify(struct sk_buff *
+ if (!skb)
+ return -ENOBUFS;
+
+- if (old && old->handle) {
++ if (old && !tc_qdisc_dump_ignore(old)) {
+ if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+ goto err_out;
+ }
+- if (new) {
++ if (new && !tc_qdisc_dump_ignore(new)) {
+ if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+ goto err_out;
+ }
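Review bot: replacing `if (old && old->handle)` with `if (old && !tc_qdisc_dump_ignore(old))` changes the test from "has a non-zero handle" to "is not TCQ_F_BUILTIN", and the same guard is added to the `new` branch, which previously called tc_fill_qdisc() unconditionally; that unguarded `new` call is the path that makes tc_fill_qdisc() look up the ifindex of a builtin qdisc with no device attached. Hoisting the helper definition above qdisc_notify() (previous hunk) instead of adding a forward declaration is fine; while it is being moved, `return (q->flags & TCQ_F_BUILTIN) ? true : false;` could be simplified to `return q->flags & TCQ_F_BUILTIN;`, which converts to bool on its own.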
+@@ -1223,11 +1228,6 @@ err_out:
+ return -EINVAL;
+ }
+
+-static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+-{
+- return (q->flags & TCQ_F_BUILTIN) ? true : false;
+-}
+-
+ static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
+ struct netlink_callback *cb,
+ int *q_idx_p, int s_q_idx)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/netfilter-ipt_CLUSTERIP-fix-buffer-overflow new/patches.fixes/netfilter-ipt_CLUSTERIP-fix-buffer-overflow
--- old/patches.fixes/netfilter-ipt_CLUSTERIP-fix-buffer-overflow 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/netfilter-ipt_CLUSTERIP-fix-buffer-overflow 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,41 @@
+From: Vasiliy Kulikov
+Date: Sun, 20 Mar 2011 15:42:52 +0100
+Subject: [PATCH] netfilter: ipt_CLUSTERIP: fix buffer overflow
+Patch-mainline: v2.6.39-rc5
+Git-commit: 961ed183a9fd080cf306c659b8736007e44065a5
+References: bnc#702037 CVE-2011-2534
+
+commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
+
+'buffer' string is copied from userspace. It is not checked whether it is
+zero terminated. This may lead to overflow inside of simple_strtoul().
+Changli Gao suggested copying no more than the user-supplied 'size' bytes.
+
+It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
+root writable only by default, however, on some setups permissions might be
+relaxed to e.g. network admin user.
+
+Signed-off-by: Vasiliy Kulikov
+Acked-by: Changli Gao
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Benjamin Poirier
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -663,8 +663,11 @@ static ssize_t clusterip_proc_write(stru
+ char buffer[PROC_WRITELEN+1];
+ unsigned long nodenum;
+
+- if (copy_from_user(buffer, input, PROC_WRITELEN))
++ if (size > PROC_WRITELEN)
++ return -EIO;
++ if (copy_from_user(buffer, input, size))
+ return -EFAULT;
++ buffer[size] = 0;
+
+ if (*buffer == '+') {
+ nodenum = simple_strtoul(buffer+1, NULL, 10);
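Review bot: `buffer[size] = 0;` is the actual fix: the old `copy_from_user(buffer, input, PROC_WRITELEN)` copied a fixed length regardless of `size` (reading past the user's data) and never terminated the string, so `simple_strtoul(buffer+1, NULL, 10)` could scan beyond `buffer`. The new bound `if (size > PROC_WRITELEN) return -EIO;` is consistent with `char buffer[PROC_WRITELEN+1]` in the context, so `size == PROC_WRITELEN` still leaves room for the terminator. One nit: `-EIO` is an odd errno for "input too long"; `-EINVAL` or `-E2BIG` is the conventional choice for proc writes and tells the caller the write was malformed rather than that the device failed.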
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/vlan-reset-skb-vlan_tci-field-before-reusing-skb.patch new/patches.fixes/vlan-reset-skb-vlan_tci-field-before-reusing-skb.patch
--- old/patches.fixes/vlan-reset-skb-vlan_tci-field-before-reusing-skb.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/vlan-reset-skb-vlan_tci-field-before-reusing-skb.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,34 @@
+From: Benjamin Poirier
+Date: Fri, 25 Nov 2011 08:50:21 -0500
+Subject: [PATCH] vlan: reset skb->vlan_tci field before reusing skb
+Patch-mainline: v2.6.37-rc1
+Git-commit: 3701e51382a026cba10c60b03efabe534fba4ca4
+References: bnc#698450 CVE-2011-1576
+
+This same line is present in upstream commit 3701e51382a026cba10c60b03efab
+
+For drivers using the vlan_gro_frags() interface, a packet with an invalid tci
+leads to GRO_DROP and napi_reuse_skb(). The skb has to be sanitized before
+being reused lest we face problems of a similar nature to those described
+here:
+http://thread.gmane.org/gmane.linux.kernel/1069597
+
+Note that this is a different fix than what was applied by RH (and picked up
+by others) for this CVE issue, which is "core: Fix memory leak/corruption on
+VLAN GRO_DROP" http://patchwork.ozlabs.org/patch/115348/
+
+Signed-off-by: Benjamin Poirier
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2950,6 +2950,7 @@ void napi_reuse_skb(struct napi_struct *
+ {
+ __skb_pull(skb, skb_headlen(skb));
+ skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
++ skb->vlan_tci = 0;
+ skb->dev = napi->dev;
+ skb->skb_iif = 0;
+
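Review bot: `skb->vlan_tci = 0;` sits correctly among the other per-packet resets in napi_reuse_skb() (`skb->dev = napi->dev;`, `skb->skb_iif = 0;`), so a frame whose invalid tci produced GRO_DROP no longer leaves its VLAN tag on the skb that the driver reuses for the next receive. Since the description says this deliberately differs from the fix other distributions applied for the same CVE, a one-line comment at this reset naming vlan_gro_frags() as the caller that depends on it would keep the two approaches from being confused when the tree is rebased.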
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/x86-mm-Fix-pgd_lock-deadlock.patch new/patches.fixes/x86-mm-Fix-pgd_lock-deadlock.patch
--- old/patches.fixes/x86-mm-Fix-pgd_lock-deadlock.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/x86-mm-Fix-pgd_lock-deadlock.patch 2011-12-13 18:27:38.000000000 +0100
@@ -0,0 +1,246 @@
+From 864034c49639fd6caafbbef23f3ef2536cf9af13 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli
+Date: Wed, 16 Feb 2011 15:45:22 -0800
+Subject: [PATCH] x86/mm: Fix pgd_lock deadlock
+Patch-mainline: v2.6.38
+Git-commit: a79e53d85683c6dd9f99c90511028adc2043031f
+References: bnc#728661
+
+It's forbidden to take the page_table_lock with irqs disabled,
+or if there's contention the IPIs (for tlb flushes) sent with
+the page_table_lock held will never run, leading to a deadlock.
+
+Nobody takes the pgd_lock from irq context so the _irqsave can be
+removed.
+
+Signed-off-by: Andrea Arcangeli
+Acked-by: Rik van Riel
+Tested-by: Konrad Rzeszutek Wilk
+Signed-off-by: Andrew Morton
+Cc: Peter Zijlstra
+Cc: Linus Torvalds
+Cc:
+Lkml-reference: <201102162345.p1GNjMjm021738@imap1.linux-foundation.org>
+Signed-off-by: Ingo Molnar
+Acked-by: Michal Hocko
+
+Conflicts:
+
+ arch/x86/mm/fault.c
+ arch/x86/mm/init_64.c
+
+---
+ mm/fault.c | 11 ++++-------
+ mm/pageattr.c | 18 ++++++++----------
+ mm/pgtable.c | 11 ++++-------
+ xen/mmu.c | 10 ++++------
+ 4 files changed, 20 insertions(+), 30 deletions(-)
+Index: linux-2.6.32-SLE11-SP1/arch/x86/mm/fault.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/arch/x86/mm/fault.c
++++ linux-2.6.32-SLE11-SP1/arch/x86/mm/fault.c
+@@ -222,16 +222,14 @@ void vmalloc_sync_all(void)
+ for (address = VMALLOC_START & PMD_MASK;
+ address >= TASK_SIZE && address < FIXADDR_TOP;
+ address += PMD_SIZE) {
+-
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (!vmalloc_sync_one(page_address(page), address))
+ break;
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+ }
+
+@@ -331,13 +329,12 @@ void vmalloc_sync_all(void)
+ address += PGDIR_SIZE) {
+
+ const pgd_t *pgd_ref = pgd_offset_k(address);
+- unsigned long flags;
+ struct page *page;
+
+ if (pgd_none(*pgd_ref))
+ continue;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ pgd_t *pgd;
+ pgd = (pgd_t *)page_address(page) + pgd_index(address);
+@@ -346,7 +343,7 @@ void vmalloc_sync_all(void)
+ else
+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+ }
+
+Index: linux-2.6.32-SLE11-SP1/arch/x86/mm/pageattr.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/arch/x86/mm/pageattr.c
++++ linux-2.6.32-SLE11-SP1/arch/x86/mm/pageattr.c
+@@ -56,12 +56,10 @@ static unsigned long direct_pages_count[
+
+ void update_page_count(int level, unsigned long pages)
+ {
+- unsigned long flags;
+-
+ /* Protect against CPA */
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ direct_pages_count[level] += pages;
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ static void split_page_count(int level)
+@@ -376,7 +374,7 @@ static int
+ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ struct cpa_data *cpa)
+ {
+- unsigned long nextpage_addr, numpages, pmask, psize, flags, addr, pfn;
++ unsigned long nextpage_addr, numpages, pmask, psize, addr, pfn;
+ pte_t new_pte, old_pte, *tmp;
+ pgprot_t old_prot, new_prot;
+ int i, do_split = 1;
+@@ -385,7 +383,7 @@ try_preserve_large_page(pte_t *kpte, uns
+ if (cpa->force_split)
+ return 1;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ /*
+ * Check for races, another CPU might have split this page
+ * up already:
+@@ -480,14 +478,14 @@ try_preserve_large_page(pte_t *kpte, uns
+ }
+
+ out_unlock:
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return do_split;
+ }
+
+ static int split_large_page(pte_t *kpte, unsigned long address)
+ {
+- unsigned long flags, pfn, pfninc = 1;
++ unsigned long pfn, pfninc = 1;
+ unsigned int i, level;
+ pte_t *pbase, *tmp;
+ pgprot_t ref_prot;
+@@ -501,7 +499,7 @@ static int split_large_page(pte_t *kpte,
+ if (!base)
+ return -ENOMEM;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ /*
+ * Check for races, another CPU might have split this page
+ * up for us already:
+@@ -573,7 +571,7 @@ out_unlock:
+ */
+ if (base)
+ __free_page(base);
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return 0;
+ }
+Index: linux-2.6.32-SLE11-SP1/arch/x86/mm/pgtable.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/arch/x86/mm/pgtable.c
++++ linux-2.6.32-SLE11-SP1/arch/x86/mm/pgtable.c
+@@ -110,14 +110,12 @@ static void pgd_ctor(pgd_t *pgd)
+
+ static void pgd_dtor(pgd_t *pgd)
+ {
+- unsigned long flags; /* can be called from interrupt context */
+-
+ if (SHARED_KERNEL_PMD)
+ return;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ pgd_list_del(pgd);
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ /*
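Review bot: the removed `unsigned long flags; /* can be called from interrupt context */` in pgd_dtor() states the opposite of the description's claim that "Nobody takes the pgd_lock from irq context". Before dropping `_irqsave` here, confirm on this 2.6.32-based tree that pgd_dtor() cannot run from interrupt context (the comment may be stale, but if it is not, lockdep will report an inconsistent lock state the first time it happens), and record that conclusion in the description so the backport is self-explaining.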
+@@ -248,7 +246,6 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ {
+ pgd_t *pgd;
+ pmd_t *pmds[PREALLOCATED_PMDS];
+- unsigned long flags;
+
+ pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
+
+@@ -268,12 +265,12 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ * respect to anything walking the pgd_list, so that they
+ * never see a partially populated pgd.
+ */
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ pgd_ctor(pgd);
+ pgd_prepopulate_pmd(mm, pgd, pmds);
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return pgd;
+
+Index: linux-2.6.32-SLE11-SP1/arch/x86/xen/mmu.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/arch/x86/xen/mmu.c
++++ linux-2.6.32-SLE11-SP1/arch/x86/xen/mmu.c
+@@ -987,10 +987,9 @@ static void xen_pgd_pin(struct mm_struct
+ */
+ void xen_mm_pin_all(void)
+ {
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (!PagePinned(page)) {
+@@ -999,7 +998,7 @@ void xen_mm_pin_all(void)
+ }
+ }
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ /*
+@@ -1100,10 +1099,9 @@ static void xen_pgd_unpin(struct mm_stru
+ */
+ void xen_mm_unpin_all(void)
+ {
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (PageSavePinned(page)) {
+@@ -1113,7 +1111,7 @@ void xen_mm_unpin_all(void)
+ }
+ }
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next)
++++++ patches.xen.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.xen/xen-x86_64-pgd-alloc-order new/patches.xen/xen-x86_64-pgd-alloc-order
--- old/patches.xen/xen-x86_64-pgd-alloc-order 2011-10-11 14:57:23.000000000 +0200
+++ new/patches.xen/xen-x86_64-pgd-alloc-order 2011-11-29 10:06:49.000000000 +0100
@@ -4,8 +4,10 @@
At the same time remove the useless user mode pair of init_level4_pgt.
---- 11.3-2011-07-25.orig/arch/x86/include/mach-xen/asm/hypervisor.h 2010-03-25 14:45:56.000000000 +0100
-+++ 11.3-2011-07-25/arch/x86/include/mach-xen/asm/hypervisor.h 2010-03-25 14:46:03.000000000 +0100
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/hypervisor.h
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/include/mach-xen/asm/hypervisor.h
++++ linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/hypervisor.h
@@ -102,8 +102,8 @@ void do_hypervisor_callback(struct pt_re
* be MACHINE addresses.
*/
@@ -26,8 +28,10 @@
void xen_pgd_pin(pgd_t *);
void xen_pgd_unpin(pgd_t *);
---- 11.3-2011-07-25.orig/arch/x86/include/mach-xen/asm/mmu_context.h 2011-07-25 13:06:21.000000000 +0200
-+++ 11.3-2011-07-25/arch/x86/include/mach-xen/asm/mmu_context.h 2011-07-25 13:12:30.000000000 +0200
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/mmu_context.h
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/include/mach-xen/asm/mmu_context.h
++++ linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/mmu_context.h
@@ -82,6 +82,9 @@ static inline void switch_mm(struct mm_s
{
unsigned cpu = smp_processor_id();
@@ -61,8 +65,10 @@
load_LDT_nolock(&next->context);
}
}
---- 11.3-2011-07-25.orig/arch/x86/include/mach-xen/asm/pgalloc.h 2010-03-25 14:41:00.000000000 +0100
-+++ 11.3-2011-07-25/arch/x86/include/mach-xen/asm/pgalloc.h 2010-03-25 14:46:03.000000000 +0100
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/pgalloc.h
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/include/mach-xen/asm/pgalloc.h
++++ linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/pgalloc.h
@@ -123,15 +123,13 @@ static inline void pud_populate(struct m
#endif /* CONFIG_X86_PAE */
@@ -80,8 +86,10 @@
else
*__user_pgd(pgd) = *pgd = ent;
}
---- 11.3-2011-07-25.orig/arch/x86/include/mach-xen/asm/pgtable_64.h 2010-03-25 14:41:15.000000000 +0100
-+++ 11.3-2011-07-25/arch/x86/include/mach-xen/asm/pgtable_64.h 2010-03-25 14:46:03.000000000 +0100
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/pgtable_64.h
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/include/mach-xen/asm/pgtable_64.h
++++ linux-2.6.34-openSUSE-11.3/arch/x86/include/mach-xen/asm/pgtable_64.h
@@ -100,18 +100,25 @@ static inline void xen_set_pud(pud_t *pu
: (void)(*__pudp = xen_make_pud(0)); \
})
@@ -111,8 +119,10 @@
: (void)(*__user_pgd(__pgdp) = *__pgdp = xen_make_pgd(0)); \
})
---- 11.3-2011-07-25.orig/arch/x86/kernel/cpu/common-xen.c 2010-03-25 14:41:15.000000000 +0100
-+++ 11.3-2011-07-25/arch/x86/kernel/cpu/common-xen.c 2010-03-25 14:46:03.000000000 +0100
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/kernel/cpu/common-xen.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/kernel/cpu/common-xen.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/kernel/cpu/common-xen.c
@@ -1037,8 +1037,7 @@ DEFINE_PER_CPU_FIRST(union irq_stack_uni
void xen_switch_pt(void)
{
@@ -123,8 +133,10 @@
#endif
}
---- 11.3-2011-07-25.orig/arch/x86/kernel/head_64-xen.S 2010-03-24 16:00:05.000000000 +0100
-+++ 11.3-2011-07-25/arch/x86/kernel/head_64-xen.S 2010-03-25 14:46:03.000000000 +0100
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/kernel/head_64-xen.S
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/kernel/head_64-xen.S
++++ linux-2.6.34-openSUSE-11.3/arch/x86/kernel/head_64-xen.S
@@ -56,14 +56,6 @@ ENTRY(name)
__PAGE_ALIGNED_BSS
NEXT_PAGE(init_level4_pgt)
@@ -140,8 +152,10 @@
NEXT_PAGE(level3_kernel_pgt)
.fill 512,8,0
---- 11.3-2011-07-25.orig/arch/x86/mm/hypervisor.c 2010-03-25 17:55:14.000000000 +0100
-+++ 11.3-2011-07-25/arch/x86/mm/hypervisor.c 2010-03-25 17:55:21.000000000 +0100
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/mm/hypervisor.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/mm/hypervisor.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/mm/hypervisor.c
@@ -524,7 +524,7 @@ void xen_l3_entry_update(pud_t *ptr, pud
#endif
@@ -223,8 +237,10 @@
#endif
if (HYPERVISOR_mmuext_op(op, NR_PGD_PIN_OPS, NULL, DOMID_SELF) < 0)
BUG();
---- 11.3-2011-07-25.orig/arch/x86/mm/init_64-xen.c 2010-04-15 11:49:06.000000000 +0200
-+++ 11.3-2011-07-25/arch/x86/mm/init_64-xen.c 2010-04-15 11:49:18.000000000 +0200
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/mm/init_64-xen.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/mm/init_64-xen.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/mm/init_64-xen.c
@@ -724,9 +724,6 @@ void __init xen_init_pt(void)
(PTRS_PER_PUD - pud_index(__START_KERNEL_map))
* sizeof(*level3_kernel_pgt));
@@ -244,8 +260,10 @@
early_make_page_readonly(level3_kernel_pgt,
XENFEAT_writable_page_tables);
early_make_page_readonly(level3_user_pgt,
---- 11.3-2011-07-25.orig/arch/x86/mm/pgtable-xen.c 2010-04-15 11:49:08.000000000 +0200
-+++ 11.3-2011-07-25/arch/x86/mm/pgtable-xen.c 2011-07-25 13:12:23.000000000 +0200
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/mm/pgtable-xen.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/mm/pgtable-xen.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/mm/pgtable-xen.c
@@ -291,9 +291,11 @@ static void pgd_walk(pgd_t *pgd_base, pg
BUG();
seq = 0;
@@ -260,7 +278,7 @@
0);
MULTI_update_va_mapping(mcl + seq + 1,
(unsigned long)pgd_base,
-@@ -680,12 +682,29 @@ static void pgd_prepopulate_pmd(struct m
+@@ -678,19 +680,36 @@ static void pgd_prepopulate_pmd(struct m
}
}
@@ -294,16 +312,15 @@
pgd_t *pgd_alloc(struct mm_struct *mm)
{
-@@ -693,7 +712,7 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ pgd_t *pgd;
pmd_t *pmds[PREALLOCATED_PMDS];
- unsigned long flags;
- pgd = (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ORDER);
+ pgd = user_pgd_alloc((void *)__get_free_page(PGALLOC_GFP));
if (pgd == NULL)
goto out;
-@@ -732,7 +751,8 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -729,7 +748,8 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
out_free_pmds:
free_pmds(pmds, mm, !xen_feature(XENFEAT_pae_pgdir_above_4gb));
out_free_pgd:
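Review bot: this refresh removes the ` unsigned long flags;` context line and folds the old `-@@ -693,7 +712,7 @@` hunk into the preceding one, so from the visible lines the update is context-only (headers rewritten to `Index:` form, offsets shifted) with no change to the lines the patch itself adds or removes. That is exactly what a "Refresh" entry should be, but it also means xen-x86_64-pgd-alloc-order now only applies after xen3-x86-mm-Fix-pgd_lock-deadlock.patch has removed that declaration; the series.conf ordering must keep the deadlock patch ahead of it, and a one-line note in the changelog saying the refresh is context-only would make that dependency obvious to whoever next rebases the Xen patch stack.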
@@ -313,7 +330,7 @@
out:
return NULL;
}
-@@ -751,7 +771,8 @@ void pgd_free(struct mm_struct *mm, pgd_
+@@ -748,7 +768,8 @@ void pgd_free(struct mm_struct *mm, pgd_
pgd_mop_up_pmds(mm, pgd);
paravirt_pgd_free(mm, pgd);
@@ -323,8 +340,10 @@
}
/* blktap and gntdev need this, as otherwise they would implicitly (and
---- 11.3-2011-07-25.orig/drivers/xen/core/machine_reboot.c 2010-05-26 17:12:21.000000000 +0200
-+++ 11.3-2011-07-25/drivers/xen/core/machine_reboot.c 2011-07-25 13:12:40.000000000 +0200
+Index: linux-2.6.34-openSUSE-11.3/drivers/xen/core/machine_reboot.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/drivers/xen/core/machine_reboot.c
++++ linux-2.6.34-openSUSE-11.3/drivers/xen/core/machine_reboot.c
@@ -193,8 +193,7 @@ static int take_machine_down(void *_susp
* in fast-suspend mode as that implies a new enough Xen.
*/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch new/patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch
--- old/patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch 2011-11-29 10:06:49.000000000 +0100
@@ -0,0 +1,225 @@
+From: Andrea Arcangeli
+Date: Wed, 16 Feb 2011 15:45:22 -0800
+Subject: [PATCH] x86/mm: Fix pgd_lock deadlock
+Patch-mainline: v2.6.38
+Git-commit: a79e53d85683c6dd9f99c90511028adc2043031f
+References: bnc#728661
+
+It's forbidden to take the page_table_lock with the irq disabled
+or if there's contention the IPIs (for tlb flushes) sent with
+the page_table_lock held will never run leading to a deadlock.
+
+Nobody takes the pgd_lock from irq context so the _irqsave can be
+removed.
+
+Signed-off-by: Andrea Arcangeli
+Acked-by: Rik van Riel
+Tested-by: Konrad Rzeszutek Wilk
+Signed-off-by: Andrew Morton
+Cc: Peter Zijlstra
+Cc: Linus Torvalds
+Cc:
+Lkml-reference: <201102162345.p1GNjMjm021738@imap1.linux-foundation.org>
+Signed-off-by: Ingo Molnar
+Acked-by: Michal Hocko
+
+Conflicts:
+
+ arch/x86/mm/fault.c
+ arch/x86/mm/init_64.c
+
+
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/mm/fault-xen.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/mm/fault-xen.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/mm/fault-xen.c
+@@ -232,15 +232,14 @@ void vmalloc_sync_all(void)
+ address >= TASK_SIZE && address < FIXADDR_TOP;
+ address += PMD_SIZE) {
+
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (!vmalloc_sync_one(page_address(page), address))
+ break;
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+ }
+
+@@ -340,13 +339,12 @@ void vmalloc_sync_all(void)
+ address += PGDIR_SIZE) {
+
+ const pgd_t *pgd_ref = pgd_offset_k(address);
+- unsigned long flags;
+ struct page *page;
+
+ if (pgd_none(*pgd_ref))
+ continue;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ pgd_t *pgd;
+ pgd = (pgd_t *)page_address(page) + pgd_index(address);
+@@ -355,7 +353,7 @@ void vmalloc_sync_all(void)
+ else
+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+ }
+
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/mm/pageattr-xen.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/mm/pageattr-xen.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/mm/pageattr-xen.c
+@@ -56,12 +56,10 @@ static unsigned long direct_pages_count[
+
+ void update_page_count(int level, unsigned long pages)
+ {
+- unsigned long flags;
+-
+ /* Protect against CPA */
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ direct_pages_count[level] += pages;
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ static void split_page_count(int level)
+@@ -409,7 +407,7 @@ static int
+ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ struct cpa_data *cpa)
+ {
+- unsigned long nextpage_addr, numpages, pmask, psize, flags, addr, pfn;
++ unsigned long nextpage_addr, numpages, pmask, psize, addr, pfn;
+ pte_t new_pte, old_pte, *tmp;
+ pgprot_t old_prot, new_prot;
+ int i, do_split = 1;
+@@ -418,7 +416,7 @@ try_preserve_large_page(pte_t *kpte, uns
+ if (cpa->force_split)
+ return 1;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ /*
+ * Check for races, another CPU might have split this page
+ * up already:
+@@ -515,14 +513,14 @@ try_preserve_large_page(pte_t *kpte, uns
+ }
+
+ out_unlock:
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return do_split;
+ }
+
+ static int split_large_page(pte_t *kpte, unsigned long address)
+ {
+- unsigned long flags, mfn, mfninc = 1;
++ unsigned long mfn, mfninc = 1;
+ unsigned int i, level;
+ pte_t *pbase, *tmp;
+ pgprot_t ref_prot;
+@@ -536,7 +534,7 @@ static int split_large_page(pte_t *kpte,
+ if (!base)
+ return -ENOMEM;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ /*
+ * Check for races, another CPU might have split this page
+ * up for us already:
+@@ -612,7 +610,7 @@ out_unlock:
+ */
+ if (base)
+ __free_page(base);
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return 0;
+ }
+Index: linux-2.6.34-openSUSE-11.3/arch/x86/mm/pgtable-xen.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/arch/x86/mm/pgtable-xen.c
++++ linux-2.6.34-openSUSE-11.3/arch/x86/mm/pgtable-xen.c
+@@ -358,7 +358,6 @@ void mm_unpin(struct mm_struct *mm)
+ void mm_pin_all(void)
+ {
+ struct page *page;
+- unsigned long flags;
+
+ if (xen_feature(XENFEAT_writable_page_tables))
+ return;
+@@ -369,12 +368,13 @@ void mm_pin_all(void)
+ * All other CPUs must be at a safe point (e.g., in stop_machine
+ * or offlined entirely).
+ */
+- spin_lock_irqsave(&pgd_lock, flags);
++ BUG_ON(!irqs_disabled());
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (!PagePinned(page))
+ __pgd_pin((pgd_t *)page_address(page));
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ void arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm)
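Review bot: the added `BUG_ON(!irqs_disabled());` before `spin_lock(&pgd_lock);` in mm_pin_all is not part of the mainline change this patch claims to port; the corresponding mainline hunk for xen_mm_pin_all in arch/x86/xen/mmu.c earlier in this commit converts the lock with no such assertion, and pgtable-xen.c is not listed under "Conflicts:" in the header. The assertion itself is reasonable, since the existing comment says all other CPUs must be at a safe point (so no IPIs are pending that the rule in the description worries about) and the irqsave variant previously hid that precondition, but a SUSE-specific addition to a mainline backport should be called out in the patch description rather than left for a reader to discover by diffing against upstream.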
+@@ -460,12 +460,10 @@ static void pgd_ctor(pgd_t *pgd)
+
+ static void pgd_dtor(pgd_t *pgd)
+ {
+- unsigned long flags; /* can be called from interrupt context */
+-
+ if (!SHARED_KERNEL_PMD) {
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ pgd_list_del(pgd);
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ pgd_test_and_unpin(pgd);
+@@ -630,7 +628,6 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ {
+ pgd_t *pgd;
+ pmd_t *pmds[PREALLOCATED_PMDS];
+- unsigned long flags;
+
+ pgd = (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ORDER);
+
+@@ -650,13 +647,13 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ * respect to anything walking the pgd_list, so that they
+ * never see a partially populated pgd.
+ */
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ #ifdef CONFIG_X86_PAE
+ /* Protect against save/restore: move below 4GB under pgd_lock. */
+ if (!xen_feature(XENFEAT_pae_pgdir_above_4gb)
+ && xen_create_contiguous_region((unsigned long)pgd, 0, 32)) {
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ goto out_free_pmds;
+ }
+ #endif
+@@ -664,7 +661,7 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ pgd_ctor(pgd);
+ pgd_prepopulate_pmd(mm, pgd, pmds);
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return pgd;
+
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:43.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:43.000000000 +0100
@@ -292,6 +292,7 @@
patches.fixes/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
patches.fixes/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
patches.fixes/validate-size-of-efi-guid-partition-entries.patch
+ patches.fixes/x86-mm-Fix-pgd_lock-deadlock.patch
# bug 697901
patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch
@@ -406,6 +407,8 @@
patches.drivers/gro-Reset-dev-pointer-on-reuse.patch
patches.drivers/gro-reset-skb_iif-on-reuse.patch
patches.fixes/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers.patch
+ patches.fixes/ipv6-make-fragment-identifications-less-predictable.patch
+ patches.fixes/ipv6-fix-NULL-dereference-in-udp6_ufo_fragment.patch
########################################################
# NFS
@@ -579,6 +582,7 @@
patches.suse/0016-ext4-Implement-richacl-support-in-ext4.patch
patches.fixes/writeback_fix_sb_locking.diff
+ patches.fixes/hfs-fix-hfs_find_init-sb-ext_tree-null-ptr-oops.patch
patches.fixes/debugfs_remove_corruption.diff
patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch
@@ -680,6 +684,8 @@
patches.fixes/scsi-ibmvscsi-module_alias.patch
+ patches.fixes/ata-pata_it821x-fix-types-array.patch
+
########################################################
# DRM/Video
########################################################
@@ -692,6 +698,7 @@
patches.fixes/drm-radeon-kms-check-AA-resolve-registers-on-r300.patch
patches.fixes/drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch
patches.fixes/drm-radeon-kms-fix-i2c-masks.patch
+ patches.fixes/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx.patch
########################################################
# video4linux
@@ -726,6 +733,14 @@
patches.fixes/phonet-some-signedness-bugs
patches.fixes/rose-prevent-heap-corruption-with-bad-facilities.patch
patches.fixes/rose-add-length-checks-to-CALL_REQUEST-parsing.patch
+ patches.fixes/af_packet-prevent-information-leak
+ patches.fixes/igbvf-remove-extra-struct-page-member
+ patches.fixes/gro-only-reset-frag0-when-skb-can-be-pulled
+ patches.fixes/dccp-handle-invalid-feature-options-length
+ patches.fixes/netfilter-ipt_CLUSTERIP-fix-buffer-overflow
+ patches.fixes/vlan-reset-skb-vlan_tci-field-before-reusing-skb.patch
+ patches.fixes/inet_diag-fix-inet_diag_bc_audit.patch
+ patches.fixes/net_sched-Fix-qdisc_notify.patch
########################################################
# Wireless Networking
@@ -757,6 +772,8 @@
patches.kabi/rt2x00-channel_info.patch
patches.fixes/orinoco-allow-IW_AUTH_MFP-to-pass-through.patch
patches.fixes/orinoco-abort-scan-on-interface-down.patch
+ patches.fixes/batman-adv-bat_socket_read-missing-checks.patch
+ patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch
########################################################
# ISDN
@@ -787,6 +804,7 @@
# I2C
########################################################
patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch
+ patches.fixes/i2c-taos-evm-fix-log-messages.patch
########################################################
# Input & Console
@@ -837,6 +855,7 @@
########################################################
patches.fixes/ieee1394-sbp2_long_sysfs_ieee1394_id.patch
patches.fixes/parport-mutex
+ patches.fixes/i8k-avoid-lahf-in-64bit-code.patch
# suse-2.4 compatible crypto loop driver
patches.suse/twofish-2.6
@@ -1003,6 +1022,12 @@
patches.fixes/kvm-macos.patch
patches.fixes/kvm-move-dr-register-access-handling-into-generic-code
+ ########################################################
+ # Crypto
+ ########################################################
+ patches.fixes/crypto-ghash-avoid-null-pointer-dereference-if-no-key-is-set
+
+
########################################################
# Staging tree patches
# new drivers that are going upstream
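Review bot: the new Crypto section ends with two added empty lines (the two bare `+` lines after the ghash entry), and the earlier hunk adding `patches.fixes/ata-pata_it821x-fix-types-array.patch` likewise appends a stray blank line; one separator is enough and the extra lines only add noise to the next series.conf diff. The section placement of `patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch` among the other xen3 backports in the following hunk is fine, provided it stays ahead of the refreshed xen-x86_64-pgd-alloc-order entry that now depends on it.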
@@ -1129,6 +1154,7 @@
patches.xen/xen3-stack-unwind
patches.xen/xen3-x86_64-unwind-annotations
patches.xen/xen3-x86_cpufreq_make_trace_power_frequency_cpufreq_driver_independent.patch
+ patches.xen/xen3-x86-mm-Fix-pgd_lock-deadlock.patch
# bugfixes and enhancements
patches.xen/xen-balloon-max-target
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.ZA1beI/_old 2012-01-04 00:42:43.000000000 +0100
+++ /var/tmp/diff_new_pack.ZA1beI/_new 2012-01-04 00:42:43.000000000 +0100
@@ -1,3 +1,3 @@
-2011-10-19 22:16:41 +0200
-GIT Revision: e5de38737cdc6b3c05a1c5214630aac9dd7ca1c4
+2011-12-13 18:27:38 +0100
+GIT Revision: 427d633d184922f18028a7370798315199e94475
GIT Branch: openSUSE-11.3