update to stable-review 2.6.38.6-rc1

can-add-missing-socket-check-in-can_raw_release.patch

@@ -0,0 +1,39 @@
+From b3be9dcd312f13563b68d0432830ef94dd3b33de Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 20 Apr 2011 01:57:15 +0000
+Subject: [PATCH] can: add missing socket check in can/raw release
+
+v2: added space after 'if' according code style.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Thanks to Dave Jones pointing at this issue in net/can/bcm.c
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/can/raw.c |    7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 883e9d7..241b2b6 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
+ static int raw_release(struct socket *sock)
+ {
+ 	struct sock *sk = sock->sk;
+-	struct raw_sock *ro = raw_sk(sk);
++	struct raw_sock *ro;
++
++	if (!sk)
++		return 0;
++
++	ro = raw_sk(sk);
+ 
+ 	unregister_netdevice_notifier(&ro->notifier);
+ 
+-- 
+1.7.5.1
+

cx88-Fix-HVR4000-IR-keymap.patch

@@ -0,0 +1,55 @@
+From linux-kernel-owner@vger.kernel.org Thu May  5 20:14:44 2011
+Date:	Thu, 05 May 2011 17:11:08 -0700
+From:	Greg KH <gregkh@suse.de>
+To:	linux-kernel@vger.kernel.org, stable@kernel.org,
+	Greg KH <greg@kroah.com>
+Cc:	stable-review@kernel.org, torvalds@linux-foundation.org,
+	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
+	Jarod Wilson <jarod@wilsonet.com>,
+	Lawrence Rust <lawrence@softsystem.co.uk>,
+	Linux Media Mailing List <linux-media@vger.kernel.org>,
+	Lawrence Rust <lvr@softsystem.dot.uk>,
+	Mauro Carvalho Chehab <mchehab@redhat.com>
+Subject: [patch 36/38] [media] cx88: Fix HVR4000 IR keymap
+In-Reply-To: <20110506001225.GA10547@kroah.com>
+X-Mailing-List:	linux-kernel@vger.kernel.org
+
+2.6.38-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+
+From: Lawrence Rust <lvr@softsystem.dot.uk>
+
+[fixed in .39 in a much different way that is too big to backport to
+.38 - gregkh]
+
+Fixes the RC key input for Nova-S plus, HVR1100, HVR3000 and HVR4000 in
+the 2.6.38 kernel.
+
+Signed-off-by: Lawrence Rust <lvr@softsystem.dot.uk>
+Acked-by: Jarod Wilson <jarod@wilsonet.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+---
+ drivers/media/video/cx88/cx88-input.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/video/cx88/cx88-input.c
++++ b/drivers/media/video/cx88/cx88-input.c
+@@ -283,7 +283,7 @@ int cx88_ir_init(struct cx88_core *core,
+ 	case CX88_BOARD_PCHDTV_HD3000:
+ 	case CX88_BOARD_PCHDTV_HD5500:
+ 	case CX88_BOARD_HAUPPAUGE_IRONLY:
+-		ir_codes = RC_MAP_HAUPPAUGE_NEW;
++		ir_codes = RC_MAP_RC5_HAUPPAUGE_NEW;
+ 		ir->sampling = 1;
+ 		break;
+ 	case CX88_BOARD_WINFAST_DTV2000H:
+
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at  http://www.tux.org/lkml/
+

drm-radeon-fix-regression-on-atom-cards-with-hardcoded-EDID-record.patch

@@ -0,0 +1,56 @@
+From linux-kernel-owner@vger.kernel.org Thu May  5 20:17:19 2011
+Date:	Thu, 05 May 2011 17:10:51 -0700
+From:	Greg KH <gregkh@suse.de>
+To:	linux-kernel@vger.kernel.org, stable@kernel.org
+Cc:	stable-review@kernel.org, torvalds@linux-foundation.org,
+	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
+	Dave Airlie <airlied@redhat.com>
+Subject: [patch 19/38] drm/radeon: fix regression on atom cards with hardcoded EDID record.
+In-Reply-To: <20110506001225.GA10547@kroah.com>
+X-Mailing-List:	linux-kernel@vger.kernel.org
+
+2.6.38-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit eaa4f5e1d0b816291a59a47917e569c0384f2b6f upstream.
+
+Since fafcf94e2b5732d1e13b440291c53115d2b172e9 introduced an edid size, it seems to have broken this path.
+
+This manifest as oops on T500 Lenovo laptops with dual graphics primarily.
+
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=33812
+
+Reviewed-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1599,9 +1599,10 @@ struct radeon_encoder_atom_dig *radeon_a
+ 							memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+ 							       fake_edid_record->ucFakeEDIDLength);
+ 
+-							if (drm_edid_is_valid(edid))
++							if (drm_edid_is_valid(edid)) {
+ 								rdev->mode_info.bios_hardcoded_edid = edid;
+-							else
++								rdev->mode_info.bios_hardcoded_edid_size = edid_size;
++							} else
+ 								kfree(edid);
+ 						}
+ 					}
+
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at  http://www.tux.org/lkml/
+

kernel.spec

@@ -51,7 +51,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be prepended with "0.", so
 # for example a 3 here will become 0.3
 #
-%global baserelease 24
+%global baserelease 25
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -63,9 +63,9 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
 # Is it a -stable RC?
-%define stable_rc 0
+%define stable_rc 1
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev .%{stable_update}
@@ -685,6 +685,7 @@ Patch1826: drm-intel-edp-fixes.patch
 Patch1828: drm-intel-eeebox-eb1007-quirk.patch
 Patch1829: drm-intel-restore-mode.patch
 # radeon - new hw + fixes for fusion and t500 regression
+Patch1839: drm-radeon-fix-regression-on-atom-cards-with-hardcoded-EDID-record.patch
 Patch1840: drm-radeon-update.patch
 
 Patch1900: linux-2.6-intel-iommu-igfx.patch
@@ -698,6 +699,7 @@ Patch2201: linux-2.6-firewire-git-pending.patch
 Patch2802: linux-2.6-silence-acpi-blacklist.patch
 
 # media patches
+Patch2898: cx88-Fix-HVR4000-IR-keymap.patch
 Patch2899: linux-2.6-v4l-dvb-fixes.patch
 Patch2900: linux-2.6-v4l-dvb-update.patch
 Patch2901: linux-2.6-v4l-dvb-experimental.patch
@@ -730,9 +732,6 @@ Patch12306: scsi-sd-downgrade-caching-printk-from-error-to-notice.patch
 #netconsole fixes
 Patch12400: linux-2.6-netconsole-deadlock.patch
 
-# CVE-2011-1494, CVE-2011-1495
-Patch12401: scsi-mptsas-prevent-heap-overflows-and-unchecked-reads.patch
-
 # CVE-2011-1581
 Patch12402: bonding-incorrect-tx-queue-offset.patch
 
@@ -742,6 +741,10 @@ Patch12403: x86-dumpstack-correct-stack-dump-info-when-frame-pointer-is-availabl
 # Fix breakage of PCI network adapter names on older Dell systems
 Patch12404: x86-pci-preserve-existing-pci-bfsort-whitelist-for-dell-systems.patch
 
+Patch12410: scsi-fix-oops-in-scsi_run_queue.patch
+
+Patch12420: can-add-missing-socket-check-in-can_raw_release.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1327,6 +1330,7 @@ ApplyPatch drm-intel-eeebox-eb1007-quirk.patch
 ApplyPatch drm-intel-restore-mode.patch
 
 # radeon DRM (add cayman support)
+ApplyPatch drm-radeon-fix-regression-on-atom-cards-with-hardcoded-EDID-record.patch -R
 ApplyPatch drm-radeon-update.patch
 
 # linux1394 git patches
@@ -1338,6 +1342,7 @@ ApplyPatch linux-2.6-silence-acpi-blacklist.patch
 
 # V4L/DVB updates/fixes/experimental drivers
 #  apply if non-empty
+ApplyPatch cx88-Fix-HVR4000-IR-keymap.patch -R
 ApplyOptionalPatch linux-2.6-v4l-dvb-fixes.patch
 ApplyOptionalPatch linux-2.6-v4l-dvb-update.patch
 ApplyOptionalPatch linux-2.6-v4l-dvb-experimental.patch
@@ -1371,12 +1376,12 @@ ApplyPatch scsi-sd-downgrade-caching-printk-from-error-to-notice.patch
 #rhbz 668231
 ApplyPatch linux-2.6-netconsole-deadlock.patch
 
-# CVE-2011-1494, CVE-2011-1495
-ApplyPatch scsi-mptsas-prevent-heap-overflows-and-unchecked-reads.patch
-
 # CVE-2011-1581
 ApplyPatch bonding-incorrect-tx-queue-offset.patch
 
+ApplyPatch can-add-missing-socket-check-in-can_raw_release.patch
+ApplyPatch scsi-fix-oops-in-scsi_run_queue.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1985,6 +1990,15 @@ fi
 # and build.
 
 %changelog
+* Mon May 09 2011 Kyle McMartin <kmcmartin@redhat.com>
+- Update to stable review 2.6.38.6-rc1
+- Revert DRM patch duplicated in drm-radeon-update rollup.
+- Revert cx88 fix in stable which has been fixed differently in the
+  v4l-dvb-update backport.
+- Add two patches which should make it into the final 2.6.38.6 release.
+ - can-add-missing-socket-check-in-can_raw_release.patch
+ - scsi-fix-oops-in-scsi_run_queue.patch
+
 * Mon May 09 2011 Chuck Ebbert <cebbert@redhat.com>
 - Enable CONFIG_FB_UDL (#634636)
 

scsi-fix-oops-in-scsi_run_queue.patch

@@ -0,0 +1,49 @@
+From 02bac892354cafaf84ca8fe657c34145bd1d1f1a Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@suse.de>
+Date: Sun, 1 May 2011 09:42:07 -0500
+Subject: [PATCH] [SCSI] fix oops in scsi_run_queue()
+
+The recent commit closing the race window in device teardown:
+
+commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b
+Author: James Bottomley <James.Bottomley@suse.de>
+Date:   Fri Apr 22 10:39:59 2011 -0500
+
+    [SCSI] put stricter guards on queue dead checks
+
+is causing a potential NULL deref in scsi_run_queue() because the
+q->queuedata may already be NULL by the time this function is called.
+Since we shouldn't be running a queue that is being torn down, simply
+add a NULL check in scsi_run_queue() to forestall this.
+
+Tested-by: Jim Schutt <jaschut@sandia.gov>
+Cc: stable@kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+---
+ drivers/scsi/scsi_lib.c |    7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index fb2bb35..415fdf2 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -400,10 +400,15 @@ static inline int scsi_host_is_busy(struct Scsi_Host *shost)
+ static void scsi_run_queue(struct request_queue *q)
+ {
+ 	struct scsi_device *sdev = q->queuedata;
+-	struct Scsi_Host *shost = sdev->host;
++	struct Scsi_Host *shost;
+ 	LIST_HEAD(starved_list);
+ 	unsigned long flags;
+ 
++	/* if the device is dead, sdev will be NULL, so no queue to run */
++	if (!sdev)
++		return;
++
++	shost = sdev->host;
+ 	if (scsi_target(sdev)->single_lun)
+ 		scsi_single_lun_run(sdev);
+ 
+-- 
+1.7.5.1
+

scsi-mptsas-prevent-heap-overflows-and-unchecked-reads.patch

@@ -1,83 +0,0 @@
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Tue, 5 Apr 2011 16:45:59 +0000 (-0400)
-Subject: [SCSI] mpt2sas: prevent heap overflows and unchecked reads
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a1f74ae82d133ebb2aabb19d181944b4e83e9960
-
-[SCSI] mpt2sas: prevent heap overflows and unchecked reads
-
-At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
-length values are used to copy data from userspace into heap buffers
-without bounds checking, allowing controllable heap corruption and
-subsequently privilege escalation.
-
-Additionally, user-supplied values are used to determine the size of a
-copy_to_user() as well as the offset into the buffer to be read, with no
-bounds checking, allowing users to read arbitrary kernel memory.
-
-Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Cc: stable@kernel.org
-Acked-by: Eric Moore <eric.moore@lsi.com>
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
----
-
-diff --git a/drivers/scsi/mpt2sas/mpt2sas_ctl.c b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
-index 1c6d2b4..d72f1f2 100644
---- a/drivers/scsi/mpt2sas/mpt2sas_ctl.c
-+++ b/drivers/scsi/mpt2sas/mpt2sas_ctl.c
-@@ -688,6 +688,13 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc,
- 		goto out;
- 	}
- 
-+	/* Check for overflow and wraparound */
-+	if (karg.data_sge_offset * 4 > ioc->request_sz ||
-+	    karg.data_sge_offset > (UINT_MAX / 4)) {
-+		ret = -EINVAL;
-+		goto out;
-+	}
-+
- 	/* copy in request message frame from user */
- 	if (copy_from_user(mpi_request, mf, karg.data_sge_offset*4)) {
- 		printk(KERN_ERR "failure at %s:%d/%s()!\n", __FILE__, __LINE__,
-@@ -1963,7 +1970,7 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
- 	Mpi2DiagBufferPostReply_t *mpi_reply;
- 	int rc, i;
- 	u8 buffer_type;
--	unsigned long timeleft;
-+	unsigned long timeleft, request_size, copy_size;
- 	u16 smid;
- 	u16 ioc_status;
- 	u8 issue_reset = 0;
-@@ -1999,6 +2006,8 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
- 		return -ENOMEM;
- 	}
- 
-+	request_size = ioc->diag_buffer_sz[buffer_type];
-+
- 	if ((karg.starting_offset % 4) || (karg.bytes_to_read % 4)) {
- 		printk(MPT2SAS_ERR_FMT "%s: either the starting_offset "
- 		    "or bytes_to_read are not 4 byte aligned\n", ioc->name,
-@@ -2006,13 +2015,23 @@ _ctl_diag_read_buffer(void __user *arg, enum block_state state)
- 		return -EINVAL;
- 	}
- 
-+	if (karg.starting_offset > request_size)
-+		return -EINVAL;
-+
- 	diag_data = (void *)(request_data + karg.starting_offset);
- 	dctlprintk(ioc, printk(MPT2SAS_INFO_FMT "%s: diag_buffer(%p), "
- 	    "offset(%d), sz(%d)\n", ioc->name, __func__,
- 	    diag_data, karg.starting_offset, karg.bytes_to_read));
- 
-+	/* Truncate data on requests that are too large */
-+	if ((diag_data + karg.bytes_to_read < diag_data) ||
-+	    (diag_data + karg.bytes_to_read > request_data + request_size))
-+		copy_size = request_size - karg.starting_offset;
-+	else
-+		copy_size = karg.bytes_to_read;
-+
- 	if (copy_to_user((void __user *)uarg->diagnostic_data,
--	    diag_data, karg.bytes_to_read)) {
-+	    diag_data, copy_size)) {
- 		printk(MPT2SAS_ERR_FMT "%s: Unable to write "
- 		    "mpt_diag_read_buffer_t data @ %p\n", ioc->name,
- 		    __func__, diag_data);

sources

@@ -1,2 +1,3 @@
 7d471477bfa67546f902da62227fa976  linux-2.6.38.tar.bz2
 c8f233d1d31030eb019ab391071e65c2  patch-2.6.38.5.bz2
+786f63ba166fbcf811dae759d04d00a3  patch-2.6.38.6-rc1.bz2