1 diff --git a/Makefile b/Makefile
2 index 1f60819..259a378 100644
10 +EXTRAVERSION = .55-rc1
11 NAME = Trembling Tortoise
14 diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S
15 index cc8fb47..835994e 100644
16 --- a/arch/powerpc/kernel/head_64.S
17 +++ b/arch/powerpc/kernel/head_64.S
18 @@ -1479,15 +1479,21 @@ __secondary_start:
22 - /* Do early setup for that CPU (stab, slb, hash table pointer) */
23 - bl .early_setup_secondary
25 /* Initialize the kernel stack. Just a repeat for iSeries. */
26 LOAD_REG_ADDR(r3, current_set)
27 sldi r28,r24,3 /* get current_set[cpu#] */
29 - addi r1,r1,THREAD_SIZE-STACK_FRAME_OVERHEAD
30 - std r1,PACAKSAVE(r13)
32 + addi r14,r14,THREAD_SIZE-STACK_FRAME_OVERHEAD
33 + std r14,PACAKSAVE(r13)
35 + /* Do early setup for that CPU (stab, slb, hash table pointer) */
36 + bl .early_setup_secondary
39 + * setup the new stack pointer, but *don't* use this until
40 + * translation is on.
44 /* Clear backchain so we get nice backtraces */
46 diff --git a/block/bsg.c b/block/bsg.c
47 index 9cfbea8..dcdbcd3 100644
50 @@ -421,7 +421,7 @@ static int blk_complete_sgv4_hdr_rq(struct request *rq, struct sg_io_v4 *hdr,
52 * fill in all the output members
54 - hdr->device_status = status_byte(rq->errors);
55 + hdr->device_status = rq->errors & 0xff;
56 hdr->transport_status = host_byte(rq->errors);
57 hdr->driver_status = driver_byte(rq->errors);
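Review bot: The new `hdr->device_status = rq->errors & 0xff;` uses a bare mask while the two lines after it still go through `host_byte()` and `driver_byte()`, and nothing says why the status field is treated differently. Presumably the sg v4 interface wants the unshifted SCSI status rather than the shifted value that `status_byte()` yields. A one-line comment such as `/* sg_io_v4 reports the raw SCSI status byte, not the shifted status_byte() form */` would keep someone from restoring the macro later. The rest of blk_complete_sgv4_hdr_rq is outside the hunk.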
59 diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
60 index bcda174..369612e 100644
61 --- a/drivers/dma/mv_xor.c
62 +++ b/drivers/dma/mv_xor.c
63 @@ -162,7 +162,7 @@ static int mv_is_err_intr(u32 intr_cause)
65 static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan)
67 - u32 val = (1 << (1 + (chan->idx * 16)));
68 + u32 val = ~(1 << (chan->idx * 16));
69 dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val);
70 __raw_writel(val, XOR_INTR_CAUSE(chan));
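Review bot: `u32 val = ~(1 << (chan->idx * 16));` builds the mask from a signed `int` literal and relies on the conversion to `u32`; `~(1U << (chan->idx * 16))` keeps the arithmetic unsigned throughout. The line also changes the write from setting a single bit to writing every bit but one, which reads like a write-zero-to-clear register. If that is the case, a short comment such as `/* cause bits are cleared by writing 0; the other bits are written as 1 and stay as they are */` would let the intent be checked against the hardware documentation.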
72 diff --git a/drivers/media/video/compat_ioctl32.c b/drivers/media/video/compat_ioctl32.c
73 index e6ca401..ec850b5 100644
74 --- a/drivers/media/video/compat_ioctl32.c
75 +++ b/drivers/media/video/compat_ioctl32.c
76 @@ -499,17 +499,24 @@ struct video_code32
78 char loadwhat[16]; /* name or tag of file being passed */
79 compat_int_t datasize;
80 - unsigned char *data;
84 -static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
85 +static struct video_code __user *get_microcode32(struct video_code32 *kp)
87 - if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
88 - copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
89 - get_user(kp->datasize, &up->datasize) ||
90 - copy_from_user(kp->data, up->data, up->datasize))
93 + struct video_code __user *up;
95 + up = compat_alloc_user_space(sizeof(*up));
98 + * NOTE! We don't actually care if these fail. If the
99 + * user address is invalid, the native ioctl will do
100 + * the error handling for us
102 + (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
103 + (void) put_user(kp->datasize, &up->datasize);
104 + (void) put_user(compat_ptr(kp->data), &up->data);
108 #define VIDIOCGTUNER32 _IOWR('v',4, struct video_tuner32)
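Review bot: get_microcode32() discards the results of `copy_to_user()` and both `put_user()` calls, and the comment justifies this only by saying the native ioctl will handle a bad address. That holds as long as the native handler re-reads the struct from `up` with its own checked accessors. It also means `datasize` and the `compat_ptr(kp->data)` pointer arrive there exactly as the 32-bit caller supplied them. I would extend the comment to say so, e.g. `datasize and data are forwarded unvalidated; the native VIDIOCSMICROCODE handler must bound them`. The function's braces and return statement fall on lines that are not shown here.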
109 @@ -618,7 +625,7 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
110 struct video_tuner vt;
111 struct video_buffer vb;
112 struct video_window vw;
113 - struct video_code vc;
114 + struct video_code32 vc;
115 struct video_audio va;
117 struct v4l2_format v2f;
118 @@ -745,8 +752,11 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
120 #ifdef CONFIG_VIDEO_V4L1_COMPAT
121 case VIDIOCSMICROCODE:
122 - err = microcode32(&karg.vc, up);
123 - compatible_arg = 0;
124 + /* Copy the 32-bit "video_code32" to kernel space */
125 + if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
127 + /* Convert the 32-bit version to a 64-bit version in user space */
128 + up = get_microcode32(&karg.vc);
132 diff --git a/drivers/net/atlx/atl1.c b/drivers/net/atlx/atl1.c
133 index b46e599..13a3885 100644
134 --- a/drivers/net/atlx/atl1.c
135 +++ b/drivers/net/atlx/atl1.c
136 @@ -2881,10 +2881,11 @@ static int atl1_resume(struct pci_dev *pdev)
137 pci_enable_wake(pdev, PCI_D3cold, 0);
139 atl1_reset_hw(&adapter->hw);
140 - adapter->cmb.cmb->int_stats = 0;
142 - if (netif_running(netdev))
143 + if (netif_running(netdev)) {
144 + adapter->cmb.cmb->int_stats = 0;
147 netif_device_attach(netdev);
150 diff --git a/drivers/net/b44.c b/drivers/net/b44.c
151 index 012614e..74b68de 100644
152 --- a/drivers/net/b44.c
153 +++ b/drivers/net/b44.c
154 @@ -2164,8 +2164,6 @@ static int __devinit b44_init_one(struct ssb_device *sdev,
155 dev->irq = sdev->irq;
156 SET_ETHTOOL_OPS(dev, &b44_ethtool_ops);
158 - netif_carrier_off(dev);
160 err = ssb_bus_powerup(sdev->bus, 0);
163 @@ -2205,6 +2203,8 @@ static int __devinit b44_init_one(struct ssb_device *sdev,
164 goto err_out_powerdown;
167 + netif_carrier_off(dev);
169 ssb_set_drvdata(sdev, dev);
171 /* Chip reset provides power to the b44 MAC & PCI cores, which
172 diff --git a/drivers/net/r6040.c b/drivers/net/r6040.c
173 index c71982d..2a473cc 100644
174 --- a/drivers/net/r6040.c
175 +++ b/drivers/net/r6040.c
177 #define RX_DESC_SIZE (RX_DCNT * sizeof(struct r6040_descriptor))
178 #define TX_DESC_SIZE (TX_DCNT * sizeof(struct r6040_descriptor))
179 #define MBCR_DEFAULT 0x012A /* MAC Bus Control Register */
180 -#define MCAST_MAX 4 /* Max number multicast addresses to filter */
181 +#define MCAST_MAX 3 /* Max number multicast addresses to filter */
183 /* Descriptor status */
184 #define DSC_OWNER_MAC 0x8000 /* MAC is the owner of this descriptor */
185 @@ -969,9 +969,6 @@ static void r6040_multicast_list(struct net_device *dev)
187 hash_table[crc >> 4] |= 1 << (15 - (crc & 0xf));
189 - /* Write the index of the hash table */
190 - for (i = 0; i < 4; i++)
191 - iowrite16(hash_table[i] << 14, ioaddr + MCR1);
192 /* Fill the MAC hash tables with their values */
193 iowrite16(hash_table[0], ioaddr + MAR0);
194 iowrite16(hash_table[1], ioaddr + MAR1);
195 @@ -979,6 +976,7 @@ static void r6040_multicast_list(struct net_device *dev)
196 iowrite16(hash_table[3], ioaddr + MAR3);
198 /* Multicast Address 1~4 case */
199 + dmi = dev->mc_list;
200 for (i = 0, dmi; (i < dev->mc_count) && (i < MCAST_MAX); i++) {
201 adrp = (u16 *)dmi->dmi_addr;
202 iowrite16(adrp[0], ioaddr + MID_1L + 8*i);
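Review bot: The loop header `for (i = 0, dmi; ...` right after the new `dmi = dev->mc_list;` still carries `dmi` as a no-effect expression, and the loop trusts `dev->mc_count` to match the list length before it dereferences `dmi->dmi_addr`. Now that `dmi` is initialised on its own line, the header can drop the stray operand and test the pointer: `for (i = 0; dmi && (i < dev->mc_count) && (i < MCAST_MAX); i++) {`. How `dmi` is advanced is outside the hunk, so the NULL test is a cheap guard against a count/list mismatch rather than a known crash.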
203 @@ -987,9 +985,9 @@ static void r6040_multicast_list(struct net_device *dev)
206 for (i = dev->mc_count; i < MCAST_MAX; i++) {
207 - iowrite16(0xffff, ioaddr + MID_0L + 8*i);
208 - iowrite16(0xffff, ioaddr + MID_0M + 8*i);
209 - iowrite16(0xffff, ioaddr + MID_0H + 8*i);
210 + iowrite16(0xffff, ioaddr + MID_1L + 8*i);
211 + iowrite16(0xffff, ioaddr + MID_1M + 8*i);
212 + iowrite16(0xffff, ioaddr + MID_1H + 8*i);
216 diff --git a/fs/aio.c b/fs/aio.c
217 index c1174b5..0f65453 100644
220 @@ -1677,6 +1677,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
221 if (unlikely(nr < 0))
224 + if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
225 + nr = LONG_MAX/sizeof(*iocbpp);
227 if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
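Review bot: The clamp `nr = LONG_MAX/sizeof(*iocbpp);` silently shortens an oversized request instead of rejecting it, and no comment ties it to the `nr*sizeof(*iocbpp)` multiplication in the `access_ok()` call right below. A comment such as `/* keep nr*sizeof(*iocbpp) from overflowing in access_ok() below */` would record why the bound has this value. If callers are meant to notice the shortened submission only from the returned count, that is worth stating as well. The submission loop itself is outside the hunk.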
230 diff --git a/fs/exec.c b/fs/exec.c
231 index 50da182..fc30de0 100644
234 @@ -393,6 +393,9 @@ static int count(char __user * __user * argv, int max)
239 + if (fatal_signal_pending(current))
240 + return -ERESTARTNOHAND;
244 @@ -436,6 +439,12 @@ static int copy_strings(int argc, char __user * __user * argv,
246 int offset, bytes_to_copy;
248 + if (fatal_signal_pending(current)) {
249 + ret = -ERESTARTNOHAND;
254 offset = pos % PAGE_SIZE;
257 @@ -608,6 +617,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
259 stack_top = arch_align_stack(stack_top);
260 stack_top = PAGE_ALIGN(stack_top);
262 + if (unlikely(stack_top < mmap_min_addr) ||
263 + unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
266 stack_shift = vma->vm_end - stack_top;
268 bprm->p -= stack_shift;
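Review bot: The test added to setup_arg_pages() has no comment, and its second half, `vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr`, is only safe from unsigned wrap-around because the first half has already rejected `stack_top < mmap_min_addr`. I would state that above the `if`, e.g. `/* refuse a stack placement that would reach below mmap_min_addr; the first test keeps the subtraction from wrapping */`. The two hints can also be folded into a single `unlikely(a || b)`. The statement the `if` guards is not among the visible lines.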
269 diff --git a/include/linux/mm.h b/include/linux/mm.h
270 index eeb7e56..c20007c 100644
271 --- a/include/linux/mm.h
272 +++ b/include/linux/mm.h
273 @@ -87,7 +87,11 @@ extern unsigned int kobjsize(const void *objp);
274 #define VM_MAYSHARE 0x00000080
276 #define VM_GROWSDOWN 0x00000100 /* general info on the segment */
277 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
278 #define VM_GROWSUP 0x00000200
280 +#define VM_GROWSUP 0x00000000
282 #define VM_PFNMAP 0x00000400 /* Page-ranges managed without "struct page", just pure PFN */
283 #define VM_DENYWRITE 0x00000800 /* ETXTBSY on write attempts.. */
285 @@ -1181,8 +1185,10 @@ unsigned long max_sane_readahead(unsigned long nr);
287 /* Do stack extension */
288 extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
291 extern int expand_upwards(struct vm_area_struct *vma, unsigned long address);
293 + #define expand_upwards(vma, address) do { } while (0)
295 extern int expand_stack_downwards(struct vm_area_struct *vma,
296 unsigned long address);
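Review bot: The fallback `#define expand_upwards(vma, address) do { } while (0)` is a statement, whereas the real `expand_upwards()` declared just above it returns `int`. Any caller that uses the result (`return expand_upwards(...)` or `err = expand_upwards(...)`) will build on grows-up configurations and fail to build everywhere else, and the macro never evaluates its arguments. A `static inline` stub with the same signature and a fixed return value would keep both configurations type-checked; which value it should return depends on callers outside this hunk. The `#if`/`#else` lines around the two definitions are not visible here.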
297 diff --git a/mm/memory.c b/mm/memory.c
298 index f0282eb..57309b1 100644
301 @@ -2396,11 +2396,9 @@ out_nomap:
305 - * This is like a special single-page "expand_downwards()",
306 - * except we must first make sure that 'address-PAGE_SIZE'
307 + * This is like a special single-page "expand_{down|up}wards()",
308 + * except we must first make sure that 'address{-|+}PAGE_SIZE'
309 * doesn't hit another vma.
311 - * The "find_vma()" will do the right thing even if we wrap
313 static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
315 @@ -2412,6 +2410,15 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo
317 expand_stack(vma, address);
319 + if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
320 + struct vm_area_struct *next = vma->vm_next;
322 + /* As VM_GROWSDOWN but s/below/above/ */
323 + if (next && next->vm_start == address + PAGE_SIZE)
324 + return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
326 + expand_upwards(vma, address + PAGE_SIZE);
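Review bot: The new grows-up branch calls `expand_upwards(vma, address + PAGE_SIZE);` and drops the result, so a refused expansion is not reported from check_stack_guard_page() at this point. The grows-down call in the context above does the same with `expand_stack()`, so this may be deliberate. If it is, it deserves a comment such as `/* expansion failure is ignored on purpose here */` with the reason; otherwise the result should be propagated. With the no-op `expand_upwards` macro this patch adds to include/linux/mm.h, returning the value would not compile on grows-down builds. The closing brace and the function's return are outside the visible lines.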
331 diff --git a/mm/mmap.c b/mm/mmap.c
332 index 08a32cf..17d640d 100644
335 @@ -1589,9 +1589,6 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
336 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
337 * vma is the last one with address > vma->vm_end. Have to extend vma.
342 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
345 diff --git a/net/wireless/wext.c b/net/wireless/wext.c
346 index d98ffb7..6890b7e 100644
347 --- a/net/wireless/wext.c
348 +++ b/net/wireless/wext.c
349 @@ -947,7 +947,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd,
350 } else if (!iwp->pointer)
353 - extra = kmalloc(extra_size, GFP_KERNEL);
354 + extra = kzalloc(extra_size, GFP_KERNEL);
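Review bot: The switch to `kzalloc()` carries no comment saying what it protects against, which makes it easy to revert later as needless zeroing. If, as it appears, `extra` can be copied back to user space after the handler has filled fewer than `extra_size` bytes, say so next to the allocation: `/* zeroed so bytes the handler leaves untouched never reach user space */`. The handler call and the copy-out are outside the hunk, so that reasoning should be confirmed against the rest of ioctl_private_iw_point().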
358 diff --git a/sound/core/control.c b/sound/core/control.c
359 index 236bbb1..a708b0b 100644
360 --- a/sound/core/control.c
361 +++ b/sound/core/control.c
364 /* max number of user-defined controls */
365 #define MAX_USER_CONTROLS 32
366 +#define MAX_CONTROL_COUNT 1028
368 struct snd_kctl_ioctl {
369 struct list_head list; /* list of all ioctls */
370 @@ -190,6 +191,8 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
372 snd_assert(control != NULL, return NULL);
373 snd_assert(control->count > 0, return NULL);
374 + if (control->count > MAX_CONTROL_COUNT)
376 kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
378 snd_printk(KERN_ERR "Cannot allocate control instance\n");
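Review bot: `MAX_CONTROL_COUNT` is introduced as 1028 without a comment, unlike `MAX_USER_CONTROLS` right above it. The new `control->count > MAX_CONTROL_COUNT` test also gives no hint that it bounds the `sizeof(struct snd_kcontrol_volatile) * control->count` term in the `kzalloc()` below. I would document both, e.g. `/* upper bound on elements per control; keeps the allocation size in snd_ctl_new() from overflowing */`, and confirm that 1028 rather than 1024 is the intended value. The statement executed when the test fails is not among the visible lines.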
379 diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
380 index 4d6fbb3..cee643e 100644
381 --- a/sound/pci/rme9652/hdsp.c
382 +++ b/sound/pci/rme9652/hdsp.c
383 @@ -4569,6 +4569,7 @@ static int snd_hdsp_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigne
384 snd_printk(KERN_ERR "Hammerfall-DSP: Firmware needs to be uploaded to the card.\n");
387 + memset(&info, 0, sizeof(info));
388 spin_lock_irqsave(&hdsp->lock, flags);
389 info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
390 info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
391 diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
392 index ab423bc..bd36bdd 100644
393 --- a/sound/pci/rme9652/hdspm.c
394 +++ b/sound/pci/rme9652/hdspm.c
395 @@ -4133,6 +4133,7 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep * hw, struct file *file,
397 case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
399 + memset(&info, 0, sizeof(info));
400 spin_lock_irq(&hdspm->lock);
401 info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
402 info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);