commit 5e20b95750867086fff98e5c3eaa00c3bc01d8ee
Author: Greg Kroah-Hartman
Date:   Mon Jan 18 10:30:45 2010 -0800

    Linux 2.6.31.12

commit e7da4bd9b74e0afd0d30a9fb40c336b8261462be
Author: Len Brown
Date:   Mon Nov 23 11:44:12 2009 -0500

    ACPI: DMI init_set_sci_en_on_resume for HP-Compaq C700

    commit 87c687be055e67bc04189ce476690be73d16063e upstream.

    ...else ACPI thermal controls fail after resume.

    http://bugzilla.kernel.org/show_bug.cgi?id=13745

    Signed-off-by: Len Brown
    Cc: Stefan Bader
    Signed-off-by: Greg Kroah-Hartman

commit fc6382496f19887d152af61171130c390433a913
Author: Vaibhav Verma
Date:   Thu Nov 5 23:13:36 2009 -0500

    ACPI: sleep: another HP/Compaq DMI entries for init_set_sci_en_on_resume

    commit 2839d396e3ae0891c1fdd87aa1cea218e6f5c4df upstream.

    http://bugzilla.kernel.org/show_bug.cgi?id=13745

    Signed-off-by: Len Brown
    Cc: Stefan Bader
    Signed-off-by: Greg Kroah-Hartman

commit 8f942982e2dba45d6a2e869d02931d5bea45e0cb
Author: Gustavo Maciel Dias Vieira
Date:   Mon Oct 19 09:41:53 2009 -0200

    ACPI: add DMI entry for SCI_EN resume quirk on HP dv4

    commit 8a1cbf64977f89e9e9bc1d80dd01503337424f96 upstream.

    Fixes the missing battery on sleep problem for yet another HP laptop
    ("HP Pavilion dv4").

    Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=13449

    Signed-off-by: Gustavo Maciel Dias Vieira
    Signed-off-by: Len Brown
    Cc: Stefan Bader
    Signed-off-by: Greg Kroah-Hartman

commit fa8c5971274d9c389369b16712486a7e0506d4f2
Author: Len Brown
Date:   Sat Aug 29 22:39:06 2009 -0400

    ACPI: sleep: another HP DMI entry for init_set_sci_en_on_resume

    commit eb0ca849863ecdc593ba7faa95fda5695af891c8 upstream.

    DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv3 Notebook PC")

    http://bugzilla.kernel.org/show_bug.cgi?id=13745

    Signed-off-by: Len Brown
    Cc: Stefan Bader
    Signed-off-by: Greg Kroah-Hartman

commit 6f9d3875b1db654ff06f3003a38cc8d64c03564d
Author: David S. Miller
Date:   Wed Jan 13 17:27:37 2010 -0800

    ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().

    commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream.

    This fixes CERT-FI FICORA #341748

    Discovered by Olli Jarva and Tuomo Untinen from the CROSS
    project at Codenomicon Ltd.

    Just like in CVE-2007-4567, we can't rely upon skb_dst() being
    non-NULL at this point.  We fixed that in commit
    e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
    skb->dst before it is assigned.")

    However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
    net argument to IP6_INC_STATS_BH") put a new version of the same bug
    into this function.

    Complicating analysis further, this bug can only trigger when network
    namespaces are enabled in the build.  When namespaces are turned off,
    the dev_net() does not evaluate its argument, so the dereference
    would not occur.

    So, for a long time, namespaces couldn't be turned on unless SYSFS
    was disabled.  Therefore, this code has largely been disabled except
    by people turning it on explicitly for namespace development.

    With help from Eugene Teo

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 33e07b58ec6f3f3a6056e9a0205e1bd9b3e9612c
Author: Al Viro
Date:   Sat Dec 19 16:03:30 2009 +0000

    fix more leaks in audit_tree.c tag_chunk()

    commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream.

    Several leaks in audit_tree didn't get caught by commit
    318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal
    exit in case of multiple rules referring to the same chunk.

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 591e4112cc4b18a1ad64241a589d3368d1c5ac3a
Author: Al Viro
Date:   Sat Dec 19 15:59:45 2009 +0000

    fix braindamage in audit_tree.c untag_chunk()

    commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.

    ... aka "Al had badly fscked up when writing that thing and nobody
    noticed until Eric had fixed leaks that used to mask the breakage".

    The function essentially creates a copy of old array sans one element
    and replaces the references to elements of original (they are on cyclic
    lists) with those to corresponding elements of new one.  After that the
    old one is fair game for freeing.

    First of all, there's a dumb braino: when we get to list_replace_init we
    use indices for wrong arrays - position in new one with the old array
    and vice versa.

    Another bug is more subtle - termination condition is wrong if the
    element to be excluded happens to be the last one.  We shouldn't go
    until we fill the new array, we should go until we'd finished the old
    one.  Otherwise the element we are trying to kill will remain on the
    cyclic lists...

    That crap used to be masked by several leaks, so it was not quite
    trivial to hit.  Eric had fixed some of those leaks a while ago and the
    shit had hit the fan...

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e49ba5624b6524846876a4de8729a89f9dbcbac3
Author: Jan Kara
Date:   Wed Jan 6 18:03:36 2010 +0100

    quota: Fix dquot_transfer for filesystems different from ext4

    commit 05b5d898235401c489c68e1f3bc5706a29ad5713 upstream.

    Commit fd8fbfc1 modified the way we find amount of reserved space
    belonging to an inode.  The amount of reserved space is checked from
    dquot_transfer and thus inode_reserved_space gets called even for
    filesystems that don't provide get_reserved_space callback which
    results in a BUG.

    Fix the problem by checking get_reserved_space callback and return 0 if
    the filesystem does not provide it.

    CC: Dmitry Monakhov
    Signed-off-by: Jan Kara
    Signed-off-by: Greg Kroah-Hartman

commit 5f5f8158a86047e140a159cee361705190b665fb
Author: Patrick McHardy
Date:   Thu Jan 7 18:33:18 2010 +0100

    netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()

    commit aaff23a95aea5f000895f50d90e91f1e2f727002 upstream.

    As noticed by Dan Carpenter, update_nl_seq() currently contains an out
    of bounds read of the seq_aft_nl array when looking for the oldest
    sequence number position.

    Fix it to only compare valid positions.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 6f2a4ac36508d8984c1a6a9ef5d9c1c2c61485b9
Author: Florian Westphal
Date:   Fri Jan 8 17:31:24 2010 +0100

    netfilter: ebtables: enforce CAP_NET_ADMIN

    commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

    Normal users are currently allowed to set/modify ebtables rules.
    Restrict it to processes with CAP_NET_ADMIN.

    Note that this cannot be reproduced with unmodified ebtables binary
    because it uses SOCK_RAW.

    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 87506bf2614e12d1cc4882613af0cb972aaa319a
Author: Andi Kleen
Date:   Fri Jan 8 14:42:52 2010 -0800

    kernel/signal.c: fix kernel information leak with print-fatal-signals=1

    commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.

    When print-fatal-signals is enabled it's possible to dump any memory
    reachable by the kernel to the log by simply jumping to that address
    from user space.

    Or crash the system if there's some hardware with read side effects.

    The fatal signals handler will dump 16 bytes at the execution address,
    which is fully controlled by ring 3.

    In addition when something jumps to an unmapped address there will be
    up to 16 additional useless page faults, which might be potentially
    slow (and at least is not very efficient)

    Fortunately this option is off by default and only there on i386.

    But fix it by checking for kernel addresses and also stopping when
    there's a page fault.

    Signed-off-by: Andi Kleen
    Cc: Ingo Molnar
    Cc: Oleg Nesterov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fb99d026f4d9392ff9979beb26b5800188a56891
Author: Roger Blofeld
Date:   Sun Jan 10 20:52:32 2010 +0100

    hwmon: (adt7462) Fix pin 28 monitoring

    commit bb595c923bc51dff9cdd112de18deb57ac7945d2 upstream.

    The ADT7462_PIN28_VOLT value is a 4-bit field, so the corresponding
    shift must be 4.

    Signed-off-by: Roger Blofeld
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 41b324e3dd32ce8418e661f9e16149a6ec5b76ce
Author: Linus Torvalds
Date:   Wed Dec 16 08:23:37 2009 -0800

    fasync: split 'fasync_helper()' into separate add/remove functions

    commit 53281b6d34d44308372d16acb7fb5327609f68b6 upstream.

    Yes, the add and remove cases do share the same basic loop and the
    locking, but the compiler can inline and then CSE some of the end
    result anyway.  And splitting it up makes the code way easier to
    follow, and makes it clearer exactly what the semantics are.

    In particular, we must make sure that the FASYNC flag in file->f_flags
    exactly matches the state of "is this file on any fasync list", since
    not only is that flag visible to user space (F_GETFL), but we also use
    that flag to check whether we need to remove any fasync entries on file
    close.

    We got that wrong for the case of a mixed use of file locking (which
    tries to remove any fasync entries for file leases) and fasync.

    Splitting the function up also makes it possible to do some future
    optimizations without making the function even messier.  In particular,
    since the FASYNC flag has to match the state of "is this on a list", we
    can do the following future optimizations:

     - on remove, we don't even need to get the locks and traverse the list
       if FASYNC isn't set, since we can know a priori that there is no
       point (this is effectively the same optimization that we already do
       in __fput() wrt removing fasync on file close)

     - on add, we can use the FASYNC flag to decide whether we are changing
       an existing entry or need to allocate a new one.

    but this is just the cleanup + fix for the FASYNC flag.

    Acked-by: Al Viro
    Tested-by: Tavis Ormandy
    Cc: Jeff Dike
    Cc: Matt Mackall
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
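The untag_chunk() message earlier in this log describes an array-shrink loop that, when the slot being removed is the last one, stops after the new array is full and so never unlinks that slot from its cyclic list, leaving a dangling list entry once the old array is freed. The following is an added example written for this page, not kernel code: it models that loop on a small circular doubly-linked list standing in for the kernel's list_head, with a `fixed` switch that selects the old termination test (`i < size`, driven by the new array) or the corrected one (`j <= size`, driven by the old array). Only the termination bug is modelled; the swapped-index "braino" is left out because, in this model, it would index past the end of the new array. The names `node`, `slot`, `chunk`, `chunk_make`, `shrink` and `stale_slots` are this example's own, and the input chunk is constructed inline.

```c
/* Added example, not kernel code: a model of the shrink loop that the
 * untag_chunk() fix above corrects.  Each slot of a chunk sits on a circular
 * doubly-linked list (a stand-in for the kernel's list_head). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct node { struct node *prev, *next; };
static void list_init(struct node *n) { n->prev = n->next = n; }
static bool list_empty(const struct node *n) { return n->next == n; }

static void list_add_tail(struct node *n, struct node *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* Unlink n and leave it self-linked, so list_empty(n) means "not on a list". */
static void list_del_init(struct node *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	list_init(n);
}

/* Splice nn into the list where on sat; on becomes self-linked. */
static void list_replace_init(struct node *on, struct node *nn)
{
	nn->next = on->next; nn->prev = on->prev;
	nn->prev->next = nn; nn->next->prev = nn;
	list_init(on);
}

struct slot { int value; struct node list; };
struct chunk { int count; struct slot slots[]; };	/* hypothetical, not audit_chunk */

static struct chunk *chunk_alloc(int count)
{
	struct chunk *c = malloc(sizeof(*c) + (size_t)count * sizeof(c->slots[0]));
	c->count = count;
	for (int i = 0; i < count; i++) list_init(&c->slots[i].list);
	return c;
}

/* Constructed input: slots hold 10, 20, ... and all hang off *head. */
static struct chunk *chunk_make(struct node *head, int count)
{
	struct chunk *c = chunk_alloc(count);
	for (int i = 0; i < count; i++) {
		c->slots[i].value = 10 * (i + 1);
		list_add_tail(&c->slots[i].list, head);
	}
	return c;
}

static int list_count(const struct node *head)
{
	int n = 0;
	for (const struct node *p = head->next; p != head; p = p->next) n++;
	return n;
}

/* Copy old minus slot `kill` into a new chunk, splicing each new slot into the
 * list in place of the old one.  i indexes the new chunk, j the old one.
 * fixed == false keeps the old termination test (stop once the new chunk is
 * full); fixed == true runs until the old chunk is exhausted. */
static struct chunk *shrink(struct chunk *old, int kill, bool fixed)
{
	int size = old->count - 1;
	struct chunk *nc = chunk_alloc(size);

	for (int i = 0, j = 0; fixed ? j <= size : i < size; i++, j++) {
		if (j == kill) {
			list_del_init(&old->slots[j].list);
			i--;	/* the next old slot lands in the same new index */
			continue;
		}
		nc->slots[i].value = old->slots[j].value;
		list_replace_init(&old->slots[j].list, &nc->slots[i].list);
	}
	return nc;
}

/* Old slots still linked after a shrink; must be 0 before old is freed. */
static int stale_slots(const struct chunk *old)
{
	int n = 0;
	for (int i = 0; i < old->count; i++) n += !list_empty(&old->slots[i].list);
	return n;
}

int main(void)
{
	for (int fixed = 0; fixed <= 1; fixed++) {
		struct node head;
		list_init(&head);
		struct chunk *old = chunk_make(&head, 4);
		struct chunk *nc = shrink(old, 3, fixed);	/* kill the last slot */
		printf("%s: %d on list, %d stale\n", fixed ? "fixed" : "buggy",
		       list_count(&head), stale_slots(old));
		free(nc); free(old);
	}
	return 0;
}
```

With four slots and the last one killed, the old loop leaves four nodes on the list and one stale slot pointing into the chunk that is about to be freed; the corrected loop leaves three nodes and no stale slot. Killing a middle slot behaves the same under both versions, which is why the bug stayed hidden behind the leaks the message mentions.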