--- /dev/null
+From jlayton@redhat.com Mon Feb 2 15:10:37 2009
+From: Jeff Layton <jlayton@redhat.com>
+Date: Thu, 22 Jan 2009 10:35:13 -0500
+Subject: cifs: make sure we allocate enough storage for socket address
+To: stable@kernel.org
+Message-ID: <1232638513-9022-1-git-send-email-jlayton@redhat.com>
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit a9ac49d303f967be0dabd97cb722c4a13109c6c2 upstream.
+
+cifs_mount declares a struct sockaddr on the stack and then casts it
+to the proper address type. The storage allocated is fine for ipv4,
+but is too small for ipv6 addresses. Declare it as
+"struct sockaddr_storage" instead of struct sockaddr".
+
+This bug was manifesting itself as oopses and address corruption when
+mounting IPv6 addresses.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Tested-by: Stefan Bader <stefan.bader@canonical.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1356,7 +1356,7 @@ cifs_parse_mount_options(char *options,
+ }
+
+ static struct TCP_Server_Info *
+-cifs_find_tcp_session(struct sockaddr *addr)
++cifs_find_tcp_session(struct sockaddr_storage *addr)
+ {
+ struct list_head *tmp;
+ struct TCP_Server_Info *server;
+@@ -1376,11 +1376,11 @@ cifs_find_tcp_session(struct sockaddr *a
+ if (server->tcpStatus == CifsNew)
+ continue;
+
+- if (addr->sa_family == AF_INET &&
++ if (addr->ss_family == AF_INET &&
+ (addr4->sin_addr.s_addr !=
+ server->addr.sockAddr.sin_addr.s_addr))
+ continue;
+- else if (addr->sa_family == AF_INET6 &&
++ else if (addr->ss_family == AF_INET6 &&
+ memcmp(&server->addr.sockAddr6.sin6_addr,
+ &addr6->sin6_addr, sizeof(addr6->sin6_addr)))
+ continue;
+@@ -2036,7 +2036,7 @@ cifs_mount(struct super_block *sb, struc
+ int rc = 0;
+ int xid;
+ struct socket *csocket = NULL;
+- struct sockaddr addr;
++ struct sockaddr_storage addr;
+ struct sockaddr_in *sin_server = (struct sockaddr_in *) &addr;
+ struct sockaddr_in6 *sin_server6 = (struct sockaddr_in6 *) &addr;
+ struct smb_vol volume_info;
+@@ -2048,7 +2048,7 @@ cifs_mount(struct super_block *sb, struc
+
+ /* cFYI(1, ("Entering cifs_mount. Xid: %d with: %s", xid, mount_data)); */
+
+- memset(&addr, 0, sizeof(struct sockaddr));
++ memset(&addr, 0, sizeof(struct sockaddr_storage));
+ memset(&volume_info, 0, sizeof(struct smb_vol));
+ if (cifs_parse_mount_options(mount_data, devname, &volume_info)) {
+ rc = -EINVAL;
+@@ -2078,9 +2078,9 @@ cifs_mount(struct super_block *sb, struc
+ rc = cifs_inet_pton(AF_INET6, volume_info.UNCip,
+ &sin_server6->sin6_addr.in6_u);
+ if (rc > 0)
+- addr.sa_family = AF_INET6;
++ addr.ss_family = AF_INET6;
+ } else {
+- addr.sa_family = AF_INET;
++ addr.ss_family = AF_INET;
+ }
+
+ if (rc <= 0) {
+@@ -2122,7 +2122,7 @@ cifs_mount(struct super_block *sb, struc
+
+ srvTcp = cifs_find_tcp_session(&addr);
+ if (!srvTcp) { /* create socket */
+- if (addr.sa_family == AF_INET6) {
++ if (addr.ss_family == AF_INET6) {
+ cFYI(1, ("attempting ipv6 connect"));
+ /* BB should we allow ipv6 on port 139? */
+ /* other OS never observed in Wild doing 139 with v6 */
+@@ -2153,7 +2153,7 @@ cifs_mount(struct super_block *sb, struc
+ } else {
+ srvTcp->noblocksnd = volume_info.noblocksnd;
+ srvTcp->noautotune = volume_info.noautotune;
+- if (addr.sa_family == AF_INET6)
++ if (addr.ss_family == AF_INET6)
+ memcpy(&srvTcp->addr.sockAddr6, sin_server6,
+ sizeof(struct sockaddr_in6));
+ else
--- /dev/null
+From e0212e72186e855027dd35b37e9d7a99a078448c Mon Sep 17 00:00:00 2001
+From: Adrian Bunk <bunk@kernel.org>
+Date: Wed, 29 Oct 2008 12:15:47 +0200
+Subject: m68knommu: set NO_DMA
+
+From: Adrian Bunk <bunk@kernel.org>
+
+commit e0212e72186e855027dd35b37e9d7a99a078448c upstream.
+
+m68knommu does not set the Kconfig NO_DMA variable, but also does
+not provide the required functions, resulting in the following
+build error triggered by commit a40c24a13366e324bc0ff8c3bb107db89312c984
+(net: Add SKB DMA mapping helper functions.):
+
+<-- snip -->
+
+..
+ LD vmlinux
+net/built-in.o: In function `skb_dma_unmap':
+(.text+0xac5e): undefined reference to `dma_unmap_single'
+net/built-in.o: In function `skb_dma_unmap':
+(.text+0xac7a): undefined reference to `dma_unmap_page'
+net/built-in.o: In function `skb_dma_map':
+(.text+0xacdc): undefined reference to `dma_map_single'
+net/built-in.o: In function `skb_dma_map':
+(.text+0xace8): undefined reference to `dma_mapping_error'
+net/built-in.o: In function `skb_dma_map':
+(.text+0xad10): undefined reference to `dma_map_page'
+net/built-in.o: In function `skb_dma_map':
+(.text+0xad82): undefined reference to `dma_unmap_page'
+net/built-in.o: In function `skb_dma_map':
+(.text+0xadc6): undefined reference to `dma_unmap_single'
+make[1]: *** [vmlinux] Error 1
+
+<-- snip -->
+
+Signed-off-by: Adrian Bunk <bunk@kernel.org>
+Signed-off-by: Greg Ungerer <gerg@uclinux.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/m68knommu/Kconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/m68knommu/Kconfig
++++ b/arch/m68knommu/Kconfig
+@@ -14,6 +14,10 @@ config MMU
+ bool
+ default n
+
++config NO_DMA
++ bool
++ default y
++
+ config FPU
+ bool
+ default n
--- /dev/null
+From 27421e211a39784694b597dbf35848b88363c248 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 1 Feb 2009 11:00:16 -0800
+Subject: Manually revert "mlock: downgrade mmap sem while populating mlocked regions"
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 27421e211a39784694b597dbf35848b88363c248 upstream.
+
+This essentially reverts commit 8edb08caf68184fb170f4f69c7445929e199eaea.
+
+It downgraded our mmap semaphore to a read-lock while mlocking pages, in
+order to allow other threads (and external accesses like "ps" et al) to
+walk the vma lists and take page faults etc. Which is a nice idea, but
+the implementation does not work.
+
+Because we cannot upgrade the lock back to a write lock without
+releasing the mmap semaphore, the code had to release the lock entirely
+and then re-take it as a writelock. However, that meant that the caller
+possibly lost the vma chain that it was following, since now another
+thread could come in and mmap/munmap the range.
+
+The code tried to work around that by just looking up the vma again and
+erroring out if that happened, but quite frankly, that was just a buggy
+hack that doesn't actually protect against anything (the other thread
+could just have replaced the vma with another one instead of totally
+unmapping it).
+
+The only way to downgrade to a read map _reliably_ is to do it at the
+end, which is likely the right thing to do: do all the 'vma' operations
+with the write-lock held, then downgrade to a read after completing them
+all, and then do the "populate the newly mlocked regions" while holding
+just the read lock. And then just drop the read-lock and return to user
+space.
+
+The (perhaps somewhat simpler) alternative is to just make all the
+callers of mlock_vma_pages_range() know that the mmap lock got dropped,
+and just re-grab the mmap semaphore if it needs to mlock more than one
+vma region.
+
+So we can do this "downgrade mmap sem while populating mlocked regions"
+thing right, but the way it was done here was absolutely not correct.
+Thus the revert, in the expectation that we will do it all correctly
+some day.
+
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mlock.c | 47 ++---------------------------------------------
+ 1 file changed, 2 insertions(+), 45 deletions(-)
+
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -293,14 +293,10 @@ static inline int __mlock_posix_error_re
+ *
+ * return number of pages [> 0] to be removed from locked_vm on success
+ * of "special" vmas.
+- *
+- * return negative error if vma spanning @start-@range disappears while
+- * mmap semaphore is dropped. Unlikely?
+ */
+ long mlock_vma_pages_range(struct vm_area_struct *vma,
+ unsigned long start, unsigned long end)
+ {
+- struct mm_struct *mm = vma->vm_mm;
+ int nr_pages = (end - start) / PAGE_SIZE;
+ BUG_ON(!(vma->vm_flags & VM_LOCKED));
+
+@@ -313,20 +309,8 @@ long mlock_vma_pages_range(struct vm_are
+ if (!((vma->vm_flags & (VM_DONTEXPAND | VM_RESERVED)) ||
+ is_vm_hugetlb_page(vma) ||
+ vma == get_gate_vma(current))) {
+- long error;
+- downgrade_write(&mm->mmap_sem);
+-
+- error = __mlock_vma_pages_range(vma, start, end, 1);
+
+- up_read(&mm->mmap_sem);
+- /* vma can change or disappear */
+- down_write(&mm->mmap_sem);
+- vma = find_vma(mm, start);
+- /* non-NULL vma must contain @start, but need to check @end */
+- if (!vma || end > vma->vm_end)
+- return -ENOMEM;
+-
+- return 0; /* hide other errors from mmap(), et al */
++ return __mlock_vma_pages_range(vma, start, end, 1);
+ }
+
+ /*
+@@ -437,41 +421,14 @@ success:
+ vma->vm_flags = newflags;
+
+ if (lock) {
+- /*
+- * mmap_sem is currently held for write. Downgrade the write
+- * lock to a read lock so that other faults, mmap scans, ...
+- * while we fault in all pages.
+- */
+- downgrade_write(&mm->mmap_sem);
+-
+ ret = __mlock_vma_pages_range(vma, start, end, 1);
+
+- /*
+- * Need to reacquire mmap sem in write mode, as our callers
+- * expect this. We have no support for atomically upgrading
+- * a sem to write, so we need to check for ranges while sem
+- * is unlocked.
+- */
+- up_read(&mm->mmap_sem);
+- /* vma can change or disappear */
+- down_write(&mm->mmap_sem);
+- *prev = find_vma(mm, start);
+- /* non-NULL *prev must contain @start, but need to check @end */
+- if (!(*prev) || end > (*prev)->vm_end)
+- ret = -ENOMEM;
+- else if (ret > 0) {
++ if (ret > 0) {
+ mm->locked_vm -= ret;
+ ret = 0;
+ } else
+ ret = __mlock_posix_error_return(ret); /* translate if needed */
+ } else {
+- /*
+- * TODO: for unlocking, pages will already be resident, so
+- * we don't need to wait for allocations/reclaim/pagein, ...
+- * However, unlocking a very large region can still take a
+- * while. Should we downgrade the semaphore for both lock
+- * AND unlock ?
+- */
+ __mlock_vma_pages_range(vma, start, end, 0);
+ }
+
--- /dev/null
+From 748085fcbedbf7b0f38d95e178265d7b13360b44 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 21 Jan 2009 12:19:49 -0800
+Subject: netfilter: ctnetlink: fix scheduling while atomic
+
+From: Patrick McHardy <kaber@trash.net>
+
+commit 748085fcbedbf7b0f38d95e178265d7b13360b44 upstream.
+
+Caused by call to request_module() while holding nf_conntrack_lock.
+
+Reported-and-tested-by: Kövesdi György <kgy@teledigit.hu>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -825,13 +825,16 @@ ctnetlink_parse_nat_setup(struct nf_conn
+ if (!parse_nat_setup) {
+ #ifdef CONFIG_MODULES
+ rcu_read_unlock();
++ spin_unlock_bh(&nf_conntrack_lock);
+ nfnl_unlock();
+ if (request_module("nf-nat-ipv4") < 0) {
+ nfnl_lock();
++ spin_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
+ return -EOPNOTSUPP;
+ }
+ nfnl_lock();
++ spin_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
+ if (nfnetlink_parse_nat_setup_hook)
+ return -EAGAIN;
--- /dev/null
+From arvidjaar@mail.ru Mon Feb 2 15:34:51 2009
+From: Andrey Borzenkov <arvidjaar@mail.ru>
+Date: Thu, 29 Jan 2009 20:39:32 +0300
+Subject: orinoco: move kmalloc(..., GFP_KERNEL) outside spinlock in orinoco_ioctl_set_genie
+To: Greg KH <greg@kroah.com>
+Cc: "John W. Linville" <linville@tuxdriver.com>, stable@kernel.org
+Message-ID: <200901292039.51554.arvidjaar@mail.ru>
+
+
+From: Andrey Borzenkov <arvidjaar@mail.ru>
+
+commit 7fe99c4e28ab54eada8aa456b417114e6ef21587 upstream
+
+orinoco: move kmalloc(..., GFP_KERNEL) outside spinlock in orinoco_ioctl_set_genie
+
+[ 56.923623] BUG: sleeping function called from invalid context at /home/bor/src/linux-git/mm/slub.c:1599
+[ 56.923644] in_atomic(): 0, irqs_disabled(): 1, pid: 3031, name: wpa_supplicant
+[ 56.923656] 2 locks held by wpa_supplicant/3031:
+[ 56.923662] #0: (rtnl_mutex){--..}, at: [<c02abd1f>] rtnl_lock+0xf/0x20
+[ 56.923703] #1: (&priv->lock){++..}, at: [<dfc840c2>] orinoco_ioctl_set_genie+0x52/0x130 [orinoco]
+[ 56.923782] irq event stamp: 910
+[ 56.923788] hardirqs last enabled at (909): [<c01957db>] __kmalloc+0x7b/0x140
+[ 56.923820] hardirqs last disabled at (910): [<c0309419>] _spin_lock_irqsave+0x19/0x80
+[ 56.923847] softirqs last enabled at (880): [<c0124f54>] __do_softirq+0xc4/0x110
+[ 56.923865] softirqs last disabled at (871): [<c01049ae>] do_softirq+0x8e/0xe0
+[ 56.923895] Pid: 3031, comm: wpa_supplicant Not tainted 2.6.29-rc2-1avb #1
+[ 56.923905] Call Trace:
+[ 56.923919] [<c01049ae>] ? do_softirq+0x8e/0xe0
+[ 56.923941] [<c011ad12>] __might_sleep+0xd2/0x100
+[ 56.923952] [<c0195837>] __kmalloc+0xd7/0x140
+[ 56.923963] [<c030946a>] ? _spin_lock_irqsave+0x6a/0x80
+[ 56.923981] [<dfc840e9>] ? orinoco_ioctl_set_genie+0x79/0x130 [orinoco]
+[ 56.923999] [<dfc840c2>] ? orinoco_ioctl_set_genie+0x52/0x130 [orinoco]
+[ 56.924017] [<dfc840e9>] orinoco_ioctl_set_genie+0x79/0x130 [orinoco]
+[ 56.924036] [<c0209325>] ? copy_from_user+0x35/0x130
+[ 56.924061] [<c02ffd96>] ioctl_standard_call+0x196/0x380
+[ 56.924085] [<c029f945>] ? __dev_get_by_name+0x85/0xb0
+[ 56.924096] [<c02ff88f>] wext_handle_ioctl+0x14f/0x230
+[ 56.924113] [<dfc84070>] ? orinoco_ioctl_set_genie+0x0/0x130 [orinoco]
+[ 56.924132] [<c02a3da5>] dev_ioctl+0x495/0x570
+[ 56.924155] [<c0293e05>] ? sys_sendto+0xa5/0xd0
+[ 56.924171] [<c0142fe8>] ? mark_held_locks+0x48/0x90
+[ 56.924183] [<c0292880>] ? sock_ioctl+0x0/0x280
+[ 56.924193] [<c029297d>] sock_ioctl+0xfd/0x280
+[ 56.924203] [<c0292880>] ? sock_ioctl+0x0/0x280
+[ 56.924235] [<c01a51d0>] vfs_ioctl+0x20/0x80
+[ 56.924246] [<c01a53e2>] do_vfs_ioctl+0x72/0x570
+[ 56.924257] [<c0293e62>] ? sys_send+0x32/0x40
+[ 56.924268] [<c02947c0>] ? sys_socketcall+0x1d0/0x2a0
+[ 56.924280] [<c010339f>] ? sysenter_exit+0xf/0x16
+[ 56.924292] [<c01a5919>] sys_ioctl+0x39/0x70
+[ 56.924302] [<c0103371>] sysenter_do_call+0x12/0x31
+
+Signed-off-by: Andrey Borzenkov <arvidjaar@mail.ru>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/orinoco.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/wireless/orinoco.c
++++ b/drivers/net/wireless/orinoco.c
+@@ -4938,32 +4938,29 @@ static int orinoco_ioctl_set_genie(struc
+ struct orinoco_private *priv = netdev_priv(dev);
+ u8 *buf;
+ unsigned long flags;
+- int err = 0;
+
+ if ((wrqu->data.length > MAX_WPA_IE_LEN) ||
+ (wrqu->data.length && (extra == NULL)))
+ return -EINVAL;
+
+- if (orinoco_lock(priv, &flags) != 0)
+- return -EBUSY;
+-
+ if (wrqu->data.length) {
+ buf = kmalloc(wrqu->data.length, GFP_KERNEL);
+- if (buf == NULL) {
+- err = -ENOMEM;
+- goto out;
+- }
++ if (buf == NULL)
++ return -ENOMEM;
+
+ memcpy(buf, extra, wrqu->data.length);
+- kfree(priv->wpa_ie);
+- priv->wpa_ie = buf;
+- priv->wpa_ie_len = wrqu->data.length;
+- } else {
+- kfree(priv->wpa_ie);
+- priv->wpa_ie = NULL;
+- priv->wpa_ie_len = 0;
++ } else
++ buf = NULL;
++
++ if (orinoco_lock(priv, &flags) != 0) {
++ kfree(buf);
++ return -EBUSY;
+ }
+
++ kfree(priv->wpa_ie);
++ priv->wpa_ie = buf;
++ priv->wpa_ie_len = wrqu->data.length;
++
+ if (priv->wpa_ie) {
+ /* Looks like wl_lkm wants to check the auth alg, and
+ * somehow pass it to the firmware.
+@@ -4972,9 +4969,8 @@ static int orinoco_ioctl_set_genie(struc
+ */
+ }
+
+-out:
+ orinoco_unlock(priv, &flags);
+- return err;
++ return 0;
+ }
+
+ static int orinoco_ioctl_get_genie(struct net_device *dev,
--- /dev/null
+From 0db29af1e767464d71b89410d61a1e5b668d0370 Mon Sep 17 00:00:00 2001
+From: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+Date: Wed, 24 Dec 2008 17:27:04 +0900
+Subject: PCI/MSI: bugfix/utilize for msi_capability_init()
+
+From: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+
+commit 0db29af1e767464d71b89410d61a1e5b668d0370 upstream.
+
+This patch fix a following bug and does a cleanup.
+
+bug:
+ commit 5993760f7fc75b77e4701f1e56dc84c0d6cf18d5
+ had a wrong change (since is_64 is boolean[0|1]):
+
+- pci_write_config_dword(dev,
+- msi_mask_bits_reg(pos, is_64bit_address(control)),
+- maskbits);
++ pci_write_config_dword(dev, entry->msi_attrib.is_64, maskbits);
+
+utilize:
+ Unify separated if (entry->msi_attrib.maskbit) statements.
+
+Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+Acked-by: "Jike Song" <albcamus@gmail.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/msi.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -378,21 +378,19 @@ static int msi_capability_init(struct pc
+ entry->msi_attrib.masked = 1;
+ entry->msi_attrib.default_irq = dev->irq; /* Save IOAPIC IRQ */
+ entry->msi_attrib.pos = pos;
+- if (entry->msi_attrib.maskbit) {
+- entry->mask_base = (void __iomem *)(long)msi_mask_bits_reg(pos,
+- entry->msi_attrib.is_64);
+- }
+ entry->dev = dev;
+ if (entry->msi_attrib.maskbit) {
+- unsigned int maskbits, temp;
++ unsigned int base, maskbits, temp;
++
++ base = msi_mask_bits_reg(pos, entry->msi_attrib.is_64);
++ entry->mask_base = (void __iomem *)(long)base;
++
+ /* All MSIs are unmasked by default, Mask them all */
+- pci_read_config_dword(dev,
+- msi_mask_bits_reg(pos, entry->msi_attrib.is_64),
+- &maskbits);
++ pci_read_config_dword(dev, base, &maskbits);
+ temp = (1 << multi_msi_capable(control));
+ temp = ((temp - 1) & ~temp);
+ maskbits |= temp;
+- pci_write_config_dword(dev, entry->msi_attrib.is_64, maskbits);
++ pci_write_config_dword(dev, base, maskbits);
+ entry->msi_attrib.maskbits_mask = temp;
+ }
+ list_add_tail(&entry->list, &dev->msi_list);
--- /dev/null
+From b0bccb18bc523d1d5060d25958f12438062829a9 Mon Sep 17 00:00:00 2001
+From: Mark Lord <liml@rtr.ca>
+Date: Mon, 19 Jan 2009 18:04:37 -0500
+Subject: sata_mv: fix 8-port timeouts on 508x/6081 chips
+
+From: Mark Lord <liml@rtr.ca>
+
+commit b0bccb18bc523d1d5060d25958f12438062829a9 upstream.
+
+Fix a longstanding bug for the 8-port Marvell Sata controllers (508x/6081),
+where accesses to the upper 4 ports would cause lost-interrupts / timeouts
+for the lower 4-ports. With this patch, the 6081 boards should finally be
+reliable enough for mainstream use with Linux.
+
+Signed-off-by: Mark Lord <mlord@pobox.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/sata_mv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -883,7 +883,7 @@ static void mv_start_dma(struct ata_port
+ struct mv_host_priv *hpriv = ap->host->private_data;
+ int hardport = mv_hardport_from_port(ap->port_no);
+ void __iomem *hc_mmio = mv_hc_base_from_port(
+- mv_host_base(ap->host), hardport);
++ mv_host_base(ap->host), ap->port_no);
+ u32 hc_irq_cause, ipending;
+
+ /* clear EDMA event indicators, if any */
--- /dev/null
+manually-revert-mlock-downgrade-mmap-sem-while-populating-mlocked-regions.patch
+xen-make-sysfs-files-behave-as-their-names-suggest.patch
+sata_mv-fix-8-port-timeouts-on-508x-6081-chips.patch
+m68knommu-set-no_dma.patch
+pci-msi-bugfix-utilize-for-msi_capability_init.patch
+x86-use-early-clobbers-in-usercopy-.c.patch
+cifs-make-sure-we-allocate-enough-storage-for-socket-address.patch
+netfilter-ctnetlink-fix-scheduling-while-atomic.patch
+orinoco-move-kmalloc-outside-spinlock-in-orinoco_ioctl_set_genie.patch
--- /dev/null
+From e0a96129db574d6365e3439d16d88517c437ab33 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <andi@firstfloor.org>
+Date: Fri, 16 Jan 2009 15:22:11 +0100
+Subject: x86: use early clobbers in usercopy*.c
+
+From: Andi Kleen <andi@firstfloor.org>
+
+commit e0a96129db574d6365e3439d16d88517c437ab33 upstream.
+
+Impact: fix rare (but currently harmless) miscompile with certain configs and gcc versions
+
+Hugh Dickins noticed that strncpy_from_user() was miscompiled
+in some circumstances with gcc 4.3.
+
+Thanks to Hugh's excellent analysis it was easy to track down.
+
+Hugh writes:
+
+> Try building an x86_64 defconfig 2.6.29-rc1 kernel tree,
+> except not quite defconfig, switch CONFIG_PREEMPT_NONE=y
+> and CONFIG_PREEMPT_VOLUNTARY off (because it expands a
+> might_fault() there, which hides the issue): using a
+> gcc 4.3.2 (I've checked both openSUSE 11.1 and Fedora 10).
+>
+> It generates the following:
+>
+> 0000000000000000 <__strncpy_from_user>:
+> 0: 48 89 d1 mov %rdx,%rcx
+> 3: 48 85 c9 test %rcx,%rcx
+> 6: 74 0e je 16 <__strncpy_from_user+0x16>
+> 8: ac lods %ds:(%rsi),%al
+> 9: aa stos %al,%es:(%rdi)
+> a: 84 c0 test %al,%al
+> c: 74 05 je 13 <__strncpy_from_user+0x13>
+> e: 48 ff c9 dec %rcx
+> 11: 75 f5 jne 8 <__strncpy_from_user+0x8>
+> 13: 48 29 c9 sub %rcx,%rcx
+> 16: 48 89 c8 mov %rcx,%rax
+> 19: c3 retq
+>
+> Observe that "sub %rcx,%rcx; mov %rcx,%rax", whereas gcc 4.2.1
+> (and many other configs) say "sub %rcx,%rdx; mov %rdx,%rax".
+> Isn't it returning 0 when it ought to be returning strlen?
+
+The asm constraints for the strncpy_from_user() result were missing an
+early clobber, which tells gcc that the last output arguments
+are written before all input arguments are read.
+
+Also add more early clobbers in the rest of the file and fix 32-bit
+usercopy.c in the same way.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+[ since this API is rarely used and no in-kernel user relies on a 'len'
+ return value (they only rely on negative return values) this miscompile
+ was never noticed in the field. But it's worth fixing it nevertheless. ]
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/lib/usercopy_32.c | 4 ++--
+ arch/x86/lib/usercopy_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/lib/usercopy_32.c
++++ b/arch/x86/lib/usercopy_32.c
+@@ -56,7 +56,7 @@ do { \
+ " jmp 2b\n" \
+ ".previous\n" \
+ _ASM_EXTABLE(0b,3b) \
+- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
++ : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
+ "=&D" (__d2) \
+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
+ : "memory"); \
+@@ -218,7 +218,7 @@ long strnlen_user(const char __user *s,
+ " .align 4\n"
+ " .long 0b,2b\n"
+ ".previous"
+- :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
++ :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
+ :"0" (n), "1" (s), "2" (0), "3" (mask)
+ :"cc");
+ return res & mask;
+--- a/arch/x86/lib/usercopy_64.c
++++ b/arch/x86/lib/usercopy_64.c
+@@ -32,7 +32,7 @@ do { \
+ " jmp 2b\n" \
+ ".previous\n" \
+ _ASM_EXTABLE(0b,3b) \
+- : "=r"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
++ : "=&r"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
+ "=&D" (__d2) \
+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
+ : "memory"); \
+@@ -86,7 +86,7 @@ unsigned long __clear_user(void __user *
+ ".previous\n"
+ _ASM_EXTABLE(0b,3b)
+ _ASM_EXTABLE(1b,2b)
+- : [size8] "=c"(size), [dst] "=&D" (__d0)
++ : [size8] "=&c"(size), [dst] "=&D" (__d0)
+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
+ [zero] "r" (0UL), [eight] "r" (8UL));
+ return size;
--- /dev/null
+From 618b2c8db24522ae273d8299c6a936ea13793c4d Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy@goop.org>
+Date: Wed, 28 Jan 2009 16:50:20 -0800
+Subject: xen: make sysfs files behave as their names suggest
+
+From: Jeremy Fitzhardinge <jeremy@goop.org>
+
+commit 618b2c8db24522ae273d8299c6a936ea13793c4d upstream.
+
+1: make "target_kb" only accept and produce a memory size in kilobytes.
+2: add a second "target" file which produces output in bytes, and will accept
+ memparse input (scaled bytes)
+
+This fixes the rather irritating problem that writing the same value
+read back into target_kb would end up shrinking the domain by a factor
+of 1024, with generally bad results.
+
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Cc: "dan.magenheimer@oracle.com" <dan.magenheimer@oracle.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/xen/balloon.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -488,7 +488,7 @@ static ssize_t store_target_kb(struct sy
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- target_bytes = memparse(buf, &endchar);
++ target_bytes = simple_strtoull(buf, &endchar, 0) * 1024;
+
+ balloon_set_new_target(target_bytes >> PAGE_SHIFT);
+
+@@ -498,8 +498,39 @@ static ssize_t store_target_kb(struct sy
+ static SYSDEV_ATTR(target_kb, S_IRUGO | S_IWUSR,
+ show_target_kb, store_target_kb);
+
++
++static ssize_t show_target(struct sys_device *dev, struct sysdev_attribute *attr,
++ char *buf)
++{
++ return sprintf(buf, "%llu\n",
++ (u64)balloon_stats.target_pages << PAGE_SHIFT);
++}
++
++static ssize_t store_target(struct sys_device *dev,
++ struct sysdev_attribute *attr,
++ const char *buf,
++ size_t count)
++{
++ char *endchar;
++ unsigned long long target_bytes;
++
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
++ target_bytes = memparse(buf, &endchar);
++
++ balloon_set_new_target(target_bytes >> PAGE_SHIFT);
++
++ return count;
++}
++
++static SYSDEV_ATTR(target, S_IRUGO | S_IWUSR,
++ show_target, store_target);
++
++
+ static struct sysdev_attribute *balloon_attrs[] = {
+ &attr_target_kb,
++ &attr_target,
+ };
+
+ static struct attribute *balloon_info_attrs[] = {
projects / thirdparty / kernel / stable-queue.git / commitdiff
