.32 patches

13 files changed, 943 insertions, 0 deletions

diff --git a/queue-2.6.32/alpha-fix-several-security-issues.patch b/queue-2.6.32/alpha-fix-several-security-issues.patch
new file mode 100644
index 0000000..ad1c281
--- /dev/null
+++ b/queue-2.6.32/alpha-fix-several-security-issues.patch
@@ -0,0 +1,91 @@
+From 21c5977a836e399fc710ff2c5367845ed5c2527f Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 15 Jun 2011 15:09:01 -0700
+Subject: alpha: fix several security issues
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream.
+
+Fix several security issues in Alpha-specific syscalls.  Untested, but
+mostly trivial.
+
+1. Signedness issue in osf_getdomainname allows copying out-of-bounds
+kernel memory to userland.
+
+2. Signedness issue in osf_sysinfo allows copying large amounts of
+kernel memory to userland.
+
+3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
+size, allowing copying large amounts of kernel memory to userland.
+
+4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
+privilege escalation via writing return value of sys_wait4 to kernel
+memory.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/alpha/kernel/osf_sys.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -431,7 +431,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
+ 		return -EFAULT;
+ 
+ 	len = namelen;
+-	if (namelen > 32)
++	if (len > 32)
+ 		len = 32;
+ 
+ 	down_read(&uts_sem);
+@@ -618,7 +618,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ 	down_read(&uts_sem);
+ 	res = sysinfo_table[offset];
+ 	len = strlen(res)+1;
+-	if (len > count)
++	if ((unsigned long)len > (unsigned long)count)
+ 		len = count;
+ 	if (copy_to_user(buf, res, len))
+ 		err = -EFAULT;
+@@ -673,7 +673,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
+ 		return 1;
+ 
+ 	case GSI_GET_HWRPB:
+-		if (nbytes < sizeof(*hwrpb))
++		if (nbytes > sizeof(*hwrpb))
+ 			return -EINVAL;
+ 		if (copy_to_user(buffer, hwrpb, nbytes) != 0)
+ 			return -EFAULT;
+@@ -1035,6 +1035,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ {
+ 	struct rusage r;
+ 	long ret, err;
++	unsigned int status = 0;
+ 	mm_segment_t old_fs;
+ 
+ 	if (!ur)
+@@ -1043,13 +1044,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ 	old_fs = get_fs();
+ 		
+ 	set_fs (KERNEL_DS);
+-	ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
++	ret = sys_wait4(pid, (unsigned int __user *) &status, options,
++			(struct rusage __user *) &r);
+ 	set_fs (old_fs);
+ 
+ 	if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ 		return -EFAULT;
+ 
+ 	err = 0;
++	err |= put_user(status, ustatus);
+ 	err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ 	err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ 	err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
diff --git a/queue-2.6.32/cifs-check-for-null-session-password.patch b/queue-2.6.32/cifs-check-for-null-session-password.patch
new file mode 100644
index 0000000..b11f0a2
--- /dev/null
+++ b/queue-2.6.32/cifs-check-for-null-session-password.patch
@@ -0,0 +1,30 @@
+From 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Mon, 23 Aug 2010 11:38:04 -0400
+Subject: cifs: check for NULL session password
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 upstream.
+
+It's possible for a cifsSesInfo struct to have a NULL password, so we
+need to check for that prior to running strncmp on it.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1605,6 +1605,7 @@ cifs_find_smb_ses(struct TCP_Server_Info
+ 				    MAX_USERNAME_SIZE))
+ 				continue;
+ 			if (strlen(vol->username) != 0 &&
++			    ses->password != NULL &&
+ 			    strncmp(ses->password,
+ 				    vol->password ? vol->password : "",
+ 				    MAX_PASSWORD_SIZE))
diff --git a/queue-2.6.32/cifs-clean-up-cifs_find_smb_ses-try-2.patch b/queue-2.6.32/cifs-clean-up-cifs_find_smb_ses-try-2.patch
new file mode 100644
index 0000000..b49d423
--- /dev/null
+++ b/queue-2.6.32/cifs-clean-up-cifs_find_smb_ses-try-2.patch
@@ -0,0 +1,93 @@
+From 4ff67b720c02c36e54d55b88c2931879b7db1cd2 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 6 Jul 2010 20:43:02 -0400
+Subject: cifs: clean up cifs_find_smb_ses (try #2)
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 4ff67b720c02c36e54d55b88c2931879b7db1cd2 upstream.
+
+This patch replaces the earlier patch by the same name. The only
+difference is that MAX_PASSWORD_SIZE has been increased to attempt to
+match the limits that windows enforces.
+
+Do a better job of matching sessions by authtype. Matching by username
+for a Kerberos session is incorrect, and anonymous sessions need special
+handling.
+
+Also, in the case where we do match by username, we also need to match
+by password. That ensures that someone else doesn't "borrow" an existing
+session without needing to know the password.
+
+Finally, passwords can be longer than 16 bytes. Bump MAX_PASSWORD_SIZE
+to 512 to match the size that the userspace mount helper allows.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+[dannf: backported to Debian's 2.6.32]
+Cc: Moritz Muehlenhoff <jmm@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ fs/cifs/cifsglob.h |    2 +-
+ fs/cifs/connect.c  |   26 ++++++++++++++++++--------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -33,7 +33,7 @@
+ #define MAX_SHARE_SIZE  64	/* used to be 20, this should still be enough */
+ #define MAX_USERNAME_SIZE 32	/* 32 is to allow for 15 char names + null
+ 				   termination then *2 for unicode versions */
+-#define MAX_PASSWORD_SIZE 16
++#define MAX_PASSWORD_SIZE 512  /* max for windows seems to be 256 wide chars */
+ 
+ #define CIFS_MIN_RCV_POOL 4
+ 
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1588,17 +1588,27 @@ out_err:
+ }
+ 
+ static struct cifsSesInfo *
+-cifs_find_smb_ses(struct TCP_Server_Info *server, char *username)
++cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
+ {
+-	struct list_head *tmp;
+ 	struct cifsSesInfo *ses;
+ 
+ 	write_lock(&cifs_tcp_ses_lock);
+-	list_for_each(tmp, &server->smb_ses_list) {
+-		ses = list_entry(tmp, struct cifsSesInfo, smb_ses_list);
+-		if (strncmp(ses->userName, username, MAX_USERNAME_SIZE))
+-			continue;
+-
++	list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
++		switch (server->secType) {
++		case Kerberos:
++			if (vol->linux_uid != ses->linux_uid)
++				continue;
++			break;
++		default:
++			/* anything else takes username/password */
++			if (strncmp(ses->userName, vol->username,
++				    MAX_USERNAME_SIZE))
++				continue;
++			if (strlen(vol->username) != 0 &&
++			    strncmp(ses->password, vol->password,
++				    MAX_PASSWORD_SIZE))
++				continue;
++		}
+ 		++ses->ses_count;
+ 		write_unlock(&cifs_tcp_ses_lock);
+ 		return ses;
+@@ -2362,7 +2372,7 @@ try_mount_again:
+ 		goto out;
+ 	}
+ 
+-	pSesInfo = cifs_find_smb_ses(srvTcp, volume_info->username);
++	pSesInfo = cifs_find_smb_ses(srvTcp, volume_info);
+ 	if (pSesInfo) {
+ 		cFYI(1, ("Existing smb sess found (status=%d)",
+ 			pSesInfo->status));
diff --git a/queue-2.6.32/cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch b/queue-2.6.32/cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch
new file mode 100644
index 0000000..0877b31
--- /dev/null
+++ b/queue-2.6.32/cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch
@@ -0,0 +1,35 @@
+From fc87a40677bbe0937e2ff0642c7e83c9a4813f3d Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 18 Aug 2010 13:13:39 -0400
+Subject: cifs: fix NULL pointer dereference in cifs_find_smb_ses
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d upstream.
+
+cifs_find_smb_ses assumes that the vol->password field is a valid
+pointer, but that's only the case if a password was passed in via
+the options string. It's possible that one won't be if there is
+no mount helper on the box.
+
+Reported-by: diabel <gacek-2004@wp.pl>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1605,7 +1605,8 @@ cifs_find_smb_ses(struct TCP_Server_Info
+ 				    MAX_USERNAME_SIZE))
+ 				continue;
+ 			if (strlen(vol->username) != 0 &&
+-			    strncmp(ses->password, vol->password,
++			    strncmp(ses->password,
++				    vol->password ? vol->password : "",
+ 				    MAX_PASSWORD_SIZE))
+ 				continue;
+ 		}
diff --git a/queue-2.6.32/gre-fix-netns-vs-proto-registration-ordering.patch b/queue-2.6.32/gre-fix-netns-vs-proto-registration-ordering.patch
new file mode 100644
index 0000000..98e1bfc
--- /dev/null
+++ b/queue-2.6.32/gre-fix-netns-vs-proto-registration-ordering.patch
@@ -0,0 +1,72 @@
+From c2892f02712e9516d72841d5c019ed6916329794 Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Tue, 16 Feb 2010 07:57:44 +0000
+Subject: gre: fix netns vs proto registration ordering
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+commit c2892f02712e9516d72841d5c019ed6916329794 upstream.
+
+GRE protocol receive hook can be called right after protocol addition is done.
+If netns stuff is not yet initialized, we're going to oops in
+net_generic().
+
+This is remotely oopsable if ip_gre is compiled as module and packet
+comes at unfortunate moment of module loading.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[dannf: backported to Debian's 2.6.32]
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_gre.c |   19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1665,14 +1665,15 @@ static int __init ipgre_init(void)
+ 
+ 	printk(KERN_INFO "GRE over IPv4 tunneling driver\n");
+ 
+-	if (inet_add_protocol(&ipgre_protocol, IPPROTO_GRE) < 0) {
+-		printk(KERN_INFO "ipgre init: can't add protocol\n");
+-		return -EAGAIN;
+-	}
+-
+ 	err = register_pernet_gen_device(&ipgre_net_id, &ipgre_net_ops);
+ 	if (err < 0)
+-		goto gen_device_failed;
++		return err;
++
++	err = inet_add_protocol(&ipgre_protocol, IPPROTO_GRE);
++	if (err < 0) {
++		printk(KERN_INFO "ipgre init: can't add protocol\n");
++		goto add_proto_failed;
++	}
+ 
+ 	err = rtnl_link_register(&ipgre_link_ops);
+ 	if (err < 0)
+@@ -1688,9 +1689,9 @@ out:
+ tap_ops_failed:
+ 	rtnl_link_unregister(&ipgre_link_ops);
+ rtnl_link_failed:
+-	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+-gen_device_failed:
+ 	inet_del_protocol(&ipgre_protocol, IPPROTO_GRE);
++add_proto_failed:
++	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+ 	goto out;
+ }
+ 
+@@ -1698,9 +1699,9 @@ static void __exit ipgre_fini(void)
+ {
+ 	rtnl_link_unregister(&ipgre_tap_ops);
+ 	rtnl_link_unregister(&ipgre_link_ops);
+-	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+ 	if (inet_del_protocol(&ipgre_protocol, IPPROTO_GRE) < 0)
+ 		printk(KERN_INFO "ipgre close: can't remove protocol\n");
++	unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
+ }
+ 
+ module_init(ipgre_init);
diff --git a/queue-2.6.32/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch b/queue-2.6.32/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch
new file mode 100644
index 0000000..2134f32
--- /dev/null
+++ b/queue-2.6.32/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch
@@ -0,0 +1,52 @@
+From e924960dacdf85d118a98c7262edf2f99c3015cf Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Mon, 25 Jan 2010 10:28:21 +0000
+Subject: netns xfrm: fixup xfrm6_tunnel error propagation
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+commit e924960dacdf85d118a98c7262edf2f99c3015cf upstream.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/xfrm6_tunnel.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -344,13 +344,19 @@ static struct xfrm6_tunnel xfrm46_tunnel
+ 
+ static int __init xfrm6_tunnel_init(void)
+ {
+-	if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
++	int rv;
++
++	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++	if (rv < 0)
+ 		goto err;
+-	if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6))
++	rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
++	if (rv < 0)
+ 		goto unreg;
+-	if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET))
++	rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
++	if (rv < 0)
+ 		goto dereg6;
+-	if (xfrm6_tunnel_spi_init() < 0)
++	rv = xfrm6_tunnel_spi_init();
++	if (rv < 0)
+ 		goto dereg46;
+ 	return 0;
+ 
+@@ -361,7 +367,7 @@ dereg6:
+ unreg:
+ 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+ err:
+-	return -EAGAIN;
++	return rv;
+ }
+ 
+ static void __exit xfrm6_tunnel_fini(void)
diff --git a/queue-2.6.32/powerpc-pseries-hvconsole-fix-dropped-console-output.patch b/queue-2.6.32/powerpc-pseries-hvconsole-fix-dropped-console-output.patch
new file mode 100644
index 0000000..07776a9
--- /dev/null
+++ b/queue-2.6.32/powerpc-pseries-hvconsole-fix-dropped-console-output.patch
@@ -0,0 +1,31 @@
+From 51d33021425e1f905beb4208823146f2fb6517da Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Tue, 5 Jul 2011 21:51:36 +0000
+Subject: powerpc/pseries/hvconsole: Fix dropped console output
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 51d33021425e1f905beb4208823146f2fb6517da upstream.
+
+Return -EAGAIN when we get H_BUSY back from the hypervisor. This
+makes the hvc console driver retry, avoiding dropped printks.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/platforms/pseries/hvconsole.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/hvconsole.c
++++ b/arch/powerpc/platforms/pseries/hvconsole.c
+@@ -73,7 +73,7 @@ int hvc_put_chars(uint32_t vtermno, cons
+ 	if (ret == H_SUCCESS)
+ 		return count;
+ 	if (ret == H_BUSY)
+-		return 0;
++		return -EAGAIN;
+ 	return -EIO;
+ }
+ 
diff --git a/queue-2.6.32/proc-restrict-access-to-proc-pid-io.patch b/queue-2.6.32/proc-restrict-access-to-proc-pid-io.patch
new file mode 100644
index 0000000..727be0a
--- /dev/null
+++ b/queue-2.6.32/proc-restrict-access-to-proc-pid-io.patch
@@ -0,0 +1,56 @@
+From 1d1221f375c94ef961ba8574ac4f85c8870ddd51 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 24 Jun 2011 16:08:38 +0400
+Subject: proc: restrict access to /proc/PID/io
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream.
+
+/proc/PID/io may be used for gathering private information.  E.g.  for
+openssh and vsftpd daemons wchars/rchars may be used to learn the
+precise password length.  Restrict it to processes being able to ptrace
+the target process.
+
+ptrace_may_access() is needed to prevent keeping open file descriptor of
+"io" file, executing setuid binary and gathering io information of the
+setuid'ed process.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/base.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2454,6 +2454,9 @@ static int do_io_accounting(struct task_
+ 	struct task_io_accounting acct = task->ioac;
+ 	unsigned long flags;
+ 
++	if (!ptrace_may_access(task, PTRACE_MODE_READ))
++		return -EACCES;
++
+ 	if (whole && lock_task_sighand(task, &flags)) {
+ 		struct task_struct *t = task;
+ 
+@@ -2575,7 +2578,7 @@ static const struct pid_entry tgid_base_
+ 	REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+-	INF("io",	S_IRUGO, proc_tgid_io_accounting),
++	INF("io",	S_IRUSR, proc_tgid_io_accounting),
+ #endif
+ };
+ 
+@@ -2910,7 +2913,7 @@ static const struct pid_entry tid_base_s
+ 	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+-	INF("io",	S_IRUGO, proc_tid_io_accounting),
++	INF("io",	S_IRUSR, proc_tid_io_accounting),
+ #endif
+ };
+ 
diff --git a/queue-2.6.32/revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch b/queue-2.6.32/revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch
new file mode 100644
index 0000000..b6e0cbd
--- /dev/null
+++ b/queue-2.6.32/revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch
@@ -0,0 +1,84 @@
+From a68753aa46dad44915db20f715d9bfbc5815fb8d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Tue, 2 Aug 2011 14:45:26 -0700
+Subject: Revert "block: rescan partitions on invalidated devices on -ENOMEDIA
+ too"
+
+This reverts commit 5b2745db12a3f97a9ec9efd4ffa077da707d3e4c (commit
+02e352287a40bd456eb78df705bf888bc3161d3f upstream)
+
+This should have only been commited on .38 and newer, not older kernels
+like this one, sorry.
+
+Cc: Tejun Heo <tj@kernel.org>
+Cc: David Zeuthen <zeuthen@gmail.com>
+Cc: Martin Pitt <martin.pitt@ubuntu.com>
+Cc: Kay Sievers <kay.sievers@vrfy.org>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: Jens Axboe <jaxboe@fusionio.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/block_dev.c |   27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -1203,7 +1203,6 @@ static int __blkdev_get(struct block_dev
+ 			if (!bdev->bd_part)
+ 				goto out_clear;
+ 
+-			ret = 0;
+ 			if (disk->fops->open) {
+ 				ret = disk->fops->open(bdev, mode);
+ 				if (ret == -ERESTARTSYS) {
+@@ -1219,18 +1218,9 @@ static int __blkdev_get(struct block_dev
+ 					mutex_unlock(&bdev->bd_mutex);
+ 					goto restart;
+ 				}
++				if (ret)
++					goto out_clear;
+ 			}
+-			/*
+-			 * If the device is invalidated, rescan partition
+-			 * if open succeeded or failed with -ENOMEDIUM.
+-			 * The latter is necessary to prevent ghost
+-			 * partitions on a removed medium.
+-			 */
+-			if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
+-				rescan_partitions(disk, bdev);
+-			if (ret)
+-				goto out_clear;
+-
+ 			if (!bdev->bd_openers) {
+ 				bd_set_size(bdev,(loff_t)get_capacity(disk)<<9);
+ 				bdi = blk_get_backing_dev_info(bdev);
+@@ -1238,6 +1228,8 @@ static int __blkdev_get(struct block_dev
+ 					bdi = &default_backing_dev_info;
+ 				bdev->bd_inode->i_data.backing_dev_info = bdi;
+ 			}
++			if (bdev->bd_invalidated)
++				rescan_partitions(disk, bdev);
+ 		} else {
+ 			struct block_device *whole;
+ 			whole = bdget_disk(disk, 0);
+@@ -1264,14 +1256,13 @@ static int __blkdev_get(struct block_dev
+ 		put_disk(disk);
+ 		disk = NULL;
+ 		if (bdev->bd_contains == bdev) {
+-			ret = 0;
+-			if (bdev->bd_disk->fops->open)
++			if (bdev->bd_disk->fops->open) {
+ 				ret = bdev->bd_disk->fops->open(bdev, mode);
+-			/* the same as first opener case, read comment there */
+-			if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
++				if (ret)
++					goto out_unlock_bdev;
++			}
++			if (bdev->bd_invalidated)
+ 				rescan_partitions(bdev->bd_disk, bdev);
+-			if (ret)
+-				goto out_unlock_bdev;
+ 		}
+ 	}
+ 	bdev->bd_openers++;
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 11f6902..5500752 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -36,3 +36,15 @@ ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch
 svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch
 ehci-only-power-off-port-if-over-current-is-active.patch
 ehci-fix-direction-handling-for-interrupt-data-toggles.patch
+powerpc-pseries-hvconsole-fix-dropped-console-output.patch
+x86-hpet-avoid-the-comparator-readback-penalty.patch
+x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch
+revert-block-rescan-partitions-on-invalidated-devices-on-enomedia.patch
+cifs-clean-up-cifs_find_smb_ses-try-2.patch
+cifs-fix-null-pointer-dereference-in-cifs_find_smb_ses.patch
+cifs-check-for-null-session-password.patch
+gre-fix-netns-vs-proto-registration-ordering.patch
+netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch
+tunnels-fix-netns-vs-proto-registration-ordering.patch
+alpha-fix-several-security-issues.patch
+proc-restrict-access-to-proc-pid-io.patch
diff --git a/queue-2.6.32/tunnels-fix-netns-vs-proto-registration-ordering.patch b/queue-2.6.32/tunnels-fix-netns-vs-proto-registration-ordering.patch
new file mode 100644
index 0000000..3327ac3
--- /dev/null
+++ b/queue-2.6.32/tunnels-fix-netns-vs-proto-registration-ordering.patch
@@ -0,0 +1,166 @@
+From d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Tue, 16 Feb 2010 09:05:04 +0000
+Subject: tunnels: fix netns vs proto registration ordering
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 upstream.
+
+Same stuff as in ip_gre patch: receive hook can be called before netns
+setup is done, oopsing in net_generic().
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ipip.c         |   13 ++++++-------
+ net/ipv6/ip6_tunnel.c   |   28 +++++++++++++++-------------
+ net/ipv6/sit.c          |   13 ++++++-------
+ net/ipv6/xfrm6_tunnel.c |   22 +++++++++++-----------
+ 4 files changed, 38 insertions(+), 38 deletions(-)
+
+--- a/net/ipv4/ipip.c
++++ b/net/ipv4/ipip.c
+@@ -830,15 +830,14 @@ static int __init ipip_init(void)
+ 
+ 	printk(banner);
+ 
+-	if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) {
++	err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
++	if (err < 0)
++		return err;
++	err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++	if (err < 0) {
++		unregister_pernet_device(&ipip_net_ops);
+ 		printk(KERN_INFO "ipip init: can't register tunnel\n");
+-		return -EAGAIN;
+ 	}
+-
+-	err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
+-	if (err)
+-		xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+-
+ 	return err;
+ }
+ 
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1466,27 +1466,29 @@ static int __init ip6_tunnel_init(void)
+ {
+ 	int  err;
+ 
+-	if (xfrm6_tunnel_register(&ip4ip6_handler, AF_INET)) {
++	err = register_pernet_device(&ip6_tnl_net_ops);
++	if (err < 0)
++		goto out_pernet;
++
++	err = xfrm6_tunnel_register(&ip4ip6_handler, AF_INET);
++	if (err < 0) {
+ 		printk(KERN_ERR "ip6_tunnel init: can't register ip4ip6\n");
+-		err = -EAGAIN;
+-		goto out;
++		goto out_ip4ip6;
+ 	}
+ 
+-	if (xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6)) {
++	err = xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6);
++	if (err < 0) {
+ 		printk(KERN_ERR "ip6_tunnel init: can't register ip6ip6\n");
+-		err = -EAGAIN;
+-		goto unreg_ip4ip6;
++		goto out_ip6ip6;
+ 	}
+ 
+-	err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
+-	if (err < 0)
+-		goto err_pernet;
+ 	return 0;
+-err_pernet:
+-	xfrm6_tunnel_deregister(&ip6ip6_handler, AF_INET6);
+-unreg_ip4ip6:
++
++out_ip6ip6:
+ 	xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
+-out:
++out_ip4ip6:
++	unregister_pernet_device(&ip6_tnl_net_ops);
++out_pernet:
+ 	return err;
+ }
+ 
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1086,15 +1086,14 @@ static int __init sit_init(void)
+ 
+ 	printk(KERN_INFO "IPv6 over IPv4 tunneling driver\n");
+ 
+-	if (xfrm4_tunnel_register(&sit_handler, AF_INET6) < 0) {
+-		printk(KERN_INFO "sit init: Can't add protocol\n");
+-		return -EAGAIN;
+-	}
+-
+ 	err = register_pernet_gen_device(&sit_net_id, &sit_net_ops);
+ 	if (err < 0)
+-		xfrm4_tunnel_deregister(&sit_handler, AF_INET6);
+-
++		return err;
++	err = xfrm4_tunnel_register(&sit_handler, AF_INET6);
++	if (err < 0) {
++		unregister_pernet_device(&sit_net_ops);
++		printk(KERN_INFO "sit init: Can't add protocol\n");
++	}
+ 	return err;
+ }
+ 
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -346,36 +346,36 @@ static int __init xfrm6_tunnel_init(void
+ {
+ 	int rv;
+ 
+-	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++	rv = xfrm6_tunnel_spi_init();
+ 	if (rv < 0)
+ 		goto err;
++	rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++	if (rv < 0)
++		goto out_type;
+ 	rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
+ 	if (rv < 0)
+-		goto unreg;
++		goto out_xfrm6;
+ 	rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
+ 	if (rv < 0)
+-		goto dereg6;
+-	rv = xfrm6_tunnel_spi_init();
+-	if (rv < 0)
+-		goto dereg46;
++		goto out_xfrm46;
+ 	return 0;
+ 
+-dereg46:
+-	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+-dereg6:
++out_xfrm46:
+ 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+-unreg:
++out_xfrm6:
+ 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++out_type:
++	xfrm6_tunnel_spi_fini();
+ err:
+ 	return rv;
+ }
+ 
+ static void __exit xfrm6_tunnel_fini(void)
+ {
+-	xfrm6_tunnel_spi_fini();
+ 	xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+ 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+ 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++	xfrm6_tunnel_spi_fini();
+ }
+ 
+ module_init(xfrm6_tunnel_init);
diff --git a/queue-2.6.32/x86-hpet-avoid-the-comparator-readback-penalty.patch b/queue-2.6.32/x86-hpet-avoid-the-comparator-readback-penalty.patch
new file mode 100644
index 0000000..1f9627f
--- /dev/null
+++ b/queue-2.6.32/x86-hpet-avoid-the-comparator-readback-penalty.patch
@@ -0,0 +1,119 @@
+From khlebnikov@openvz.org  Tue Aug  2 14:42:04 2011
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Date: Fri, 29 Jul 2011 14:07:43 +0400
+Subject: x86: Hpet: Avoid the comparator readback penalty
+To: <stable@kernel.org>
+Message-ID: <20110729100743.15668.89332.stgit@localhost6>
+
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+(imported from commit v2.6.36-rc4-167-g995bd3b)
+
+Due to the overly intelligent design of HPETs, we need to workaround
+the problem that the compare value which we write is already behind
+the actual counter value at the point where the value hits the real
+compare register. This happens for two reasons:
+
+1) We read out the counter, add the delta and write the result to the
+   compare register. When a NMI or SMI hits between the read out and
+   the write then the counter can be ahead of the event already
+
+2) The write to the compare register is delayed by up to two HPET
+   cycles in certain chipsets.
+
+We worked around this by reading back the compare register to make
+sure that the written value has hit the hardware. For certain ICH9+
+chipsets this can require two readouts, as the first one can return
+the previous compare register value. That's bad performance wise for
+the normal case where the event is far enough in the future.
+
+As we already know that the write can be delayed by up to two cycles
+we can avoid the read back of the compare register completely if we
+make the decision whether the delta has elapsed already or not based
+on the following calculation:
+
+  cmp = event - actual_count;
+
+If cmp is less than 8 HPET clock cycles, then we decide that the event
+has happened already and return -ETIME. That covers the above #1 and
+#2 problems which would cause a wait for HPET wraparound (~306
+seconds).
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Nix <nix@esperi.org.uk>
+Tested-by: Artur Skawina <art.08.09@gmail.com>
+Cc: Damien Wyart <damien.wyart@free.fr>
+Tested-by: John Drescher <drescherjm@gmail.com>
+Cc: Venkatesh Pallipadi <venki@google.com>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Andreas Herrmann <andreas.herrmann3@amd.com>
+Tested-by: Borislav Petkov <borislav.petkov@amd.com>
+Cc: Suresh Siddha <suresh.b.siddha@intel.com>
+LKML-Reference: <alpine.LFD.2.00.1009151500060.2416@localhost6.localdomain6>
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kernel/hpet.c |   43 +++++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 22 deletions(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -379,36 +379,35 @@ static int hpet_next_event(unsigned long
+ 			   struct clock_event_device *evt, int timer)
+ {
+ 	u32 cnt;
++	s32 res;
+ 
+ 	cnt = hpet_readl(HPET_COUNTER);
+ 	cnt += (u32) delta;
+ 	hpet_writel(cnt, HPET_Tn_CMP(timer));
+ 
+ 	/*
+-	 * We need to read back the CMP register on certain HPET
+-	 * implementations (ATI chipsets) which seem to delay the
+-	 * transfer of the compare register into the internal compare
+-	 * logic. With small deltas this might actually be too late as
+-	 * the counter could already be higher than the compare value
+-	 * at that point and we would wait for the next hpet interrupt
+-	 * forever. We found out that reading the CMP register back
+-	 * forces the transfer so we can rely on the comparison with
+-	 * the counter register below. If the read back from the
+-	 * compare register does not match the value we programmed
+-	 * then we might have a real hardware problem. We can not do
+-	 * much about it here, but at least alert the user/admin with
+-	 * a prominent warning.
+-	 * An erratum on some chipsets (ICH9,..), results in comparator read
+-	 * immediately following a write returning old value. Workaround
+-	 * for this is to read this value second time, when first
+-	 * read returns old value.
++	 * HPETs are a complete disaster. The compare register is
++	 * based on a equal comparison and neither provides a less
++	 * than or equal functionality (which would require to take
++	 * the wraparound into account) nor a simple count down event
++	 * mode. Further the write to the comparator register is
++	 * delayed internally up to two HPET clock cycles in certain
++	 * chipsets (ATI, ICH9,10). We worked around that by reading
++	 * back the compare register, but that required another
++	 * workaround for ICH9,10 chips where the first readout after
++	 * write can return the old stale value. We already have a
++	 * minimum delta of 5us enforced, but a NMI or SMI hitting
++	 * between the counter readout and the comparator write can
++	 * move us behind that point easily. Now instead of reading
++	 * the compare register back several times, we make the ETIME
++	 * decision based on the following: Return ETIME if the
++	 * counter value after the write is less than 8 HPET cycles
++	 * away from the event or if the counter is already ahead of
++	 * the event.
+ 	 */
+-	if (unlikely((u32)hpet_readl(HPET_Tn_CMP(timer)) != cnt)) {
+-		WARN_ONCE((u32)hpet_readl(HPET_Tn_CMP(timer)) != cnt,
+-		  KERN_WARNING "hpet: compare register read back failed.\n");
+-	}
++	res = (s32)(cnt - (u32)hpet_readl(HPET_COUNTER));
+ 
+-	return (s32)((u32)hpet_readl(HPET_COUNTER) - cnt) >= 0 ? -ETIME : 0;
++	return res < 8 ? -ETIME : 0;
+ }
+ 
+ static void hpet_legacy_set_mode(enum clock_event_mode mode,
diff --git a/queue-2.6.32/x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch b/queue-2.6.32/x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch
new file mode 100644
index 0000000..46d8296
--- /dev/null
+++ b/queue-2.6.32/x86-hpet-chose-a-paranoid-safe-value-for-the-etime-check.patch
@@ -0,0 +1,102 @@
+From khlebnikov@openvz.org  Tue Aug  2 14:42:16 2011
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Date: Fri, 29 Jul 2011 14:07:44 +0400
+Subject: x86: HPET: Chose a paranoid safe value for the ETIME check
+To: <stable@kernel.org>
+Message-ID: <20110729100744.15668.23742.stgit@localhost6>
+
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+(imported from commit v2.6.37-rc5-64-gf1c1807)
+
+commit 995bd3bb5 (x86: Hpet: Avoid the comparator readback penalty)
+chose 8 HPET cycles as a safe value for the ETIME check, as we had the
+confirmation that the posted write to the comparator register is
+delayed by two HPET clock cycles on Intel chipsets which showed
+readback problems.
+
+After that patch hit mainline we got reports from machines with newer
+AMD chipsets which seem to have an even longer delay. See
+http://thread.gmane.org/gmane.linux.kernel/1054283 and
+http://thread.gmane.org/gmane.linux.kernel/1069458 for further
+information.
+
+Boris tried to come up with an ACPI based selection of the minimum
+HPET cycles, but this failed on a couple of test machines. And of
+course we did not get any useful information from the hardware folks.
+
+For now our only option is to chose a paranoid high and safe value for
+the minimum HPET cycles used by the ETIME check. Adjust the minimum ns
+value for the HPET clockevent accordingly.
+
+Reported-Bistected-and-Tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+LKML-Reference: <alpine.LFD.2.00.1012131222420.2653@localhost6.localdomain6>
+Cc: Simon Kirby <sim@hostway.ca>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Andreas Herrmann <Andreas.Herrmann3@amd.com>
+Cc: John Stultz <johnstul@us.ibm.com>
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kernel/hpet.c |   26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -27,6 +27,9 @@
+ #define HPET_DEV_FSB_CAP		0x1000
+ #define HPET_DEV_PERI_CAP		0x2000
+ 
++#define HPET_MIN_CYCLES			128
++#define HPET_MIN_PROG_DELTA		(HPET_MIN_CYCLES + (HPET_MIN_CYCLES >> 1))
++
+ #define EVT_TO_HPET_DEV(evt) container_of(evt, struct hpet_dev, evt)
+ 
+ /*
+@@ -298,8 +301,9 @@ static void hpet_legacy_clockevent_regis
+ 	/* Calculate the min / max delta */
+ 	hpet_clockevent.max_delta_ns = clockevent_delta2ns(0x7FFFFFFF,
+ 							   &hpet_clockevent);
+-	/* 5 usec minimum reprogramming delta. */
+-	hpet_clockevent.min_delta_ns = 5000;
++	/* Setup minimum reprogramming delta. */
++	hpet_clockevent.min_delta_ns = clockevent_delta2ns(HPET_MIN_PROG_DELTA,
++							   &hpet_clockevent);
+ 
+ 	/*
+ 	 * Start hpet with the boot cpu mask and make it
+@@ -392,22 +396,24 @@ static int hpet_next_event(unsigned long
+ 	 * the wraparound into account) nor a simple count down event
+ 	 * mode. Further the write to the comparator register is
+ 	 * delayed internally up to two HPET clock cycles in certain
+-	 * chipsets (ATI, ICH9,10). We worked around that by reading
+-	 * back the compare register, but that required another
+-	 * workaround for ICH9,10 chips where the first readout after
+-	 * write can return the old stale value. We already have a
+-	 * minimum delta of 5us enforced, but a NMI or SMI hitting
++	 * chipsets (ATI, ICH9,10). Some newer AMD chipsets have even
++	 * longer delays. We worked around that by reading back the
++	 * compare register, but that required another workaround for
++	 * ICH9,10 chips where the first readout after write can
++	 * return the old stale value. We already had a minimum
++	 * programming delta of 5us enforced, but a NMI or SMI hitting
+ 	 * between the counter readout and the comparator write can
+ 	 * move us behind that point easily. Now instead of reading
+ 	 * the compare register back several times, we make the ETIME
+ 	 * decision based on the following: Return ETIME if the
+-	 * counter value after the write is less than 8 HPET cycles
++	 * counter value after the write is less than HPET_MIN_CYCLES
+ 	 * away from the event or if the counter is already ahead of
+-	 * the event.
++	 * the event. The minimum programming delta for the generic
++	 * clockevents code is set to 1.5 * HPET_MIN_CYCLES.
+ 	 */
+ 	res = (s32)(cnt - (u32)hpet_readl(HPET_COUNTER));
+ 
+-	return res < 8 ? -ETIME : 0;
++	return res < HPET_MIN_CYCLES ? -ETIME : 0;
+ }
+ 
+ static void hpet_legacy_set_mode(enum clock_event_mode mode,