--- /dev/null
+From t.powa@gmx.de Wed Nov 14 23:04:38 2007
+From: Alexey Starikovskiy <astarikovskiy@suse.de>
+Date: Thu, 15 Nov 2007 08:04:29 +0100
+Subject: ACPI: VIDEO: Adjust current level to closest available one.
+To: gregkh@suse.de
+Message-ID: <200711150804.29958.t.powa@gmx.de>
+
+From: Alexey Starikovskiy <astarikovskiy@suse.de>
+
+patch 63f0edfc0b7f8058f9d3f9b572615ec97ae011ba in mainline.
+
+ACPI: VIDEO: Adjust current level to closest available one.
+
+
+Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Tobias Powalowski <t.powa@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/video.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -1633,9 +1633,20 @@ static int
+ acpi_video_get_next_level(struct acpi_video_device *device,
+ u32 level_current, u32 event)
+ {
+- int min, max, min_above, max_below, i, l;
++ int min, max, min_above, max_below, i, l, delta = 255;
+ max = max_below = 0;
+ min = min_above = 255;
++ /* Find closest level to level_current */
++ for (i = 0; i < device->brightness->count; i++) {
++ l = device->brightness->levels[i];
++ if (abs(l - level_current) < abs(delta)) {
++ delta = l - level_current;
++ if (!delta)
++ break;
++ }
++ }
++ /* Ajust level_current to closest available level */
++ level_current += delta;
+ for (i = 0; i < device->brightness->count; i++) {
+ l = device->brightness->levels[i];
+ if (l < min)
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 17:08:20 2007
+From: Haavard Skinnemoen <hskinnemoen@atmel.com>
+Date: Wed, 14 Nov 2007 16:59:27 -0800
+Subject: dmaengine: fix broken device refcounting
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, shannon.nelson@intel.com, dan.j.williams@intel.com, hskinnemoen@atmel.com, stable@kernel.org
+Message-ID: <200711150059.lAF0xRbZ002677@imap1.linux-foundation.org>
+
+
+From: Haavard Skinnemoen <hskinnemoen@atmel.com>
+
+patch 348badf1e825323c419dd118f65783db0f7d2ec8 in mainline.
+
+When a DMA device is unregistered, its reference count is decremented twice
+for each channel: Once dma_class_dev_release() and once in
+dma_chan_cleanup(). This may result in the DMA device driver's remove()
+function completing before all channels have been cleaned up, causing lots
+of use-after-free fun.
+
+Fix it by incrementing the device's reference count twice for each
+channel during registration.
+
+[dan.j.williams@intel.com: kill unnecessary client refcounting]
+Signed-off-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Shannon Nelson <shannon.nelson@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/dma/dmaengine.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -182,10 +182,9 @@ static void dma_client_chan_alloc(struct
+ /* we are done once this client rejects
+ * an available resource
+ */
+- if (ack == DMA_ACK) {
++ if (ack == DMA_ACK)
+ dma_chan_get(chan);
+- kref_get(&device->refcount);
+- } else if (ack == DMA_NAK)
++ else if (ack == DMA_NAK)
+ return;
+ }
+ }
+@@ -272,11 +271,8 @@ static void dma_clients_notify_removed(s
+ /* client was holding resources for this channel so
+ * free it
+ */
+- if (ack == DMA_ACK) {
++ if (ack == DMA_ACK)
+ dma_chan_put(chan);
+- kref_put(&chan->device->refcount,
+- dma_async_device_cleanup);
+- }
+ }
+
+ mutex_unlock(&dma_list_mutex);
+@@ -316,11 +312,8 @@ void dma_async_client_unregister(struct
+ ack = client->event_callback(client, chan,
+ DMA_RESOURCE_REMOVED);
+
+- if (ack == DMA_ACK) {
++ if (ack == DMA_ACK)
+ dma_chan_put(chan);
+- kref_put(&chan->device->refcount,
+- dma_async_device_cleanup);
+- }
+ }
+
+ list_del(&client->global_node);
+@@ -397,6 +390,8 @@ int dma_async_device_register(struct dma
+ goto err_out;
+ }
+
++ /* One for the channel, one of the class device */
++ kref_get(&device->refcount);
+ kref_get(&device->refcount);
+ kref_init(&chan->refcount);
+ chan->slow_ref = 0;
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 16:59:13 2007
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Wed, 14 Nov 2007 16:58:33 -0800
+Subject: drivers/video/ps3fb: fix memset size error
+To: torvalds@linux-foundation.org
+Cc: Geert.Uytterhoeven@sonycom.com, akpm@linux-foundation.org, lizf@cn.fujitsu.com, stable@kernel.org
+Message-ID: <200711150058.lAF0wXPr002540@imap1.linux-foundation.org>
+
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+patch 3cc2c17700c98b0af778566b0af6292b23b01430 in mainline.
+
+The size passing to memset is wrong.
+
+Signed-off-by Li Zefan <lizf@cn.fujitsu.com>
+Acked-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/video/ps3fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/ps3fb.c
++++ b/drivers/video/ps3fb.c
+@@ -659,7 +659,7 @@ static int ps3fb_blank(int blank, struct
+
+ static int ps3fb_get_vblank(struct fb_vblank *vblank)
+ {
+- memset(vblank, 0, sizeof(&vblank));
++ memset(vblank, 0, sizeof(*vblank));
+ vblank->flags = FB_VBLANK_HAVE_VSYNC;
+ return 0;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 15:34:00 2007
+From: Chuck Ebbert <cebbert@redhat.com>
+Date: Wed, 14 Nov 2007 18:33:16 -0500
+Subject: Fix divide-by-zero in the 2.6.23 scheduler code
+To: linux-stable <stable@kernel.org>
+Message-ID: <473B85BC.6080705@redhat.com>
+
+
+From: Chuck Ebbert <cebbert@redhat.com>
+
+No patch in mainline as this logic has been removed from 2.6.24 so it is
+not necessary.
+
+
+https://bugzilla.redhat.com/show_bug.cgi?id=340161
+
+The problem code has been removed in 2.6.24. The below patch disables
+SCHED_FEAT_PRECISE_CPU_LOAD which causes the offending code to be skipped
+but does not prevent the user from enabling it.
+
+The divide-by-zero is here in kernel/sched.c:
+
+static void update_cpu_load(struct rq *this_rq)
+{
+ u64 fair_delta64, exec_delta64, idle_delta64, sample_interval64, tmp64;
+ unsigned long total_load = this_rq->ls.load.weight;
+ unsigned long this_load = total_load;
+ struct load_stat *ls = &this_rq->ls;
+ int i, scale;
+
+ this_rq->nr_load_updates++;
+ if (unlikely(!(sysctl_sched_features & SCHED_FEAT_PRECISE_CPU_LOAD)))
+ goto do_avg;
+
+ /* Update delta_fair/delta_exec fields first */
+ update_curr_load(this_rq);
+
+ fair_delta64 = ls->delta_fair + 1;
+ ls->delta_fair = 0;
+
+ exec_delta64 = ls->delta_exec + 1;
+ ls->delta_exec = 0;
+
+ sample_interval64 = this_rq->clock - ls->load_update_last;
+ ls->load_update_last = this_rq->clock;
+
+ if ((s64)sample_interval64 < (s64)TICK_NSEC)
+ sample_interval64 = TICK_NSEC;
+
+ if (exec_delta64 > sample_interval64)
+ exec_delta64 = sample_interval64;
+
+ idle_delta64 = sample_interval64 - exec_delta64;
+
+======> tmp64 = div64_64(SCHED_LOAD_SCALE * exec_delta64, fair_delta64);
+ tmp64 = div64_64(tmp64 * exec_delta64, sample_interval64);
+
+ this_load = (unsigned long)tmp64;
+
+do_avg:
+
+ /* Update our load: */
+ for (i = 0, scale = 1; i < CPU_LOAD_IDX_MAX; i++, scale += scale) {
+ unsigned long old_load, new_load;
+
+ /* scale is effectively 1 << i now, and >> i divides by scale */
+
+ old_load = this_rq->cpu_load[i];
+ new_load = this_load;
+
+ this_rq->cpu_load[i] = (old_load*(scale-1) + new_load) >> i;
+ }
+}
+
+For stable only; the code has been removed in 2.6.24.
+
+Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched_fair.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched_fair.c
++++ b/kernel/sched_fair.c
+@@ -93,7 +93,7 @@ unsigned int sysctl_sched_features __rea
+ SCHED_FEAT_FAIR_SLEEPERS *1 |
+ SCHED_FEAT_SLEEPER_AVG *0 |
+ SCHED_FEAT_SLEEPER_LOAD_AVG *1 |
+- SCHED_FEAT_PRECISE_CPU_LOAD *1 |
++ SCHED_FEAT_PRECISE_CPU_LOAD *0 |
+ SCHED_FEAT_START_DEBIT *1 |
+ SCHED_FEAT_SKIP_INITIAL *0;
+
--- /dev/null
+From 2e21630ddc3fb717dc645356b75771c6a52dc627 Mon Sep 17 00:00:00 2001
+From: Sebastian Siewior <sebastian@breakpoint.cc>
+Date: Sat, 10 Nov 2007 19:37:49 +0800
+Subject: [PATCH] [CRYPTO] geode: Fix not inplace encryption
+Message-ID: <20071115060547.GA23552@gondor.apana.org.au>
+
+From: Sebastian Siewior <sebastian@breakpoint.cc>
+
+patch 2e21630ddc3fb717dc645356b75771c6a52dc627 in mainline.
+
+Currently the Geode AES module fails to encrypt or decrypt if
+the coherent bits are not set what is currently the case if the
+encryption does not occur inplace. However, the encryption works
+on my Geode machine _only_ if the coherent bits are always set.
+
+Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
+Acked-by: Jordan Crouse <jordan.crouse@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/crypto/geode-aes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/geode-aes.c
++++ b/drivers/crypto/geode-aes.c
+@@ -110,8 +110,7 @@ geode_aes_crypt(struct geode_aes_op *op)
+ * we don't need to worry
+ */
+
+- if (op->src == op->dst)
+- flags |= (AES_CTRL_DCA | AES_CTRL_SCA);
++ flags |= (AES_CTRL_DCA | AES_CTRL_SCA);
+
+ if (op->dir == AES_DIR_ENCRYPT)
+ flags |= AES_CTRL_ENCRYPT;
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Nov 12 13:05:38 2007
+From: "J. Bruce Fields" <bfields@citi.umich.edu>
+Date: Mon, 12 Nov 2007 16:05:02 -0500
+Subject: knfsd: fix spurious EINVAL errors on first access of new filesystem
+To: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Roland <devzero@web.de>, Neil Brown <neilb@suse.de>, "J. Bruce Fields" <bfields@citi.umich.edu>, linux-kernel@vger.kernel.org, nfs@lists.sourceforge.net, stable@kernel.org
+Message-ID: <1194901503-23105-2-git-send-email-bfields@citi.umich.edu>
+
+From: J. Bruce Fields <bfields@citi.umich.edu>
+
+patch ac8587dcb58e40dd336d99d60f852041e06cc3dd in mainline.
+
+The v2/v3 acl code in nfsd is translating any return from fh_verify() to
+nfserr_inval. This is particularly unfortunate in the case of an
+nfserr_dropit return, which is an internal error meant to indicate to
+callers that this request has been deferred and should just be dropped
+pending the results of an upcall to mountd.
+
+Thanks to Roland <devzero@web.de> for bug report and data collection.
+
+Cc: Roland <devzero@web.de>
+Acked-by: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Reviewed-By: NeilBrown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs2acl.c | 2 +-
+ fs/nfsd/nfs3acl.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -41,7 +41,7 @@ static __be32 nfsacld_proc_getacl(struct
+
+ fh = fh_copy(&resp->fh, &argp->fh);
+ if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP)))
+- RETURN_STATUS(nfserr_inval);
++ RETURN_STATUS(nfserr);
+
+ if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+ RETURN_STATUS(nfserr_inval);
+--- a/fs/nfsd/nfs3acl.c
++++ b/fs/nfsd/nfs3acl.c
+@@ -37,7 +37,7 @@ static __be32 nfsd3_proc_getacl(struct s
+
+ fh = fh_copy(&resp->fh, &argp->fh);
+ if ((nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP)))
+- RETURN_STATUS(nfserr_inval);
++ RETURN_STATUS(nfserr);
+
+ if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+ RETURN_STATUS(nfserr_inval);
--- /dev/null
+From t.powa@gmx.de Wed Nov 14 22:59:56 2007
+Date: Thu, 15 Nov 2007 07:59:44 +0100
+From: Jeff Garzik <jeff@garzik.org>
+Subject: libata: sata_sis: use correct S/G table size
+To: gregkh@suse.de
+Message-ID: <200711150759.48161.t.powa@gmx.de>
+
+From: Jeff Garzik <jeff@garzik.org>
+
+patch 96af154710d44b574515431a0bb014888398a741 in mainline.
+
+[libata] sata_sis: use correct S/G table size
+
+sata_sis has the same restrictions as other SFF controllers, and so must
+use LIBATA_MAX_PRD to denote that SCSI may only fill ATA_MAX_PRD/2
+entries, due to our need to handle IOMMU merging.
+
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Cc: Tobias Powalowski <t.powa@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/sata_sis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/sata_sis.c
++++ b/drivers/ata/sata_sis.c
+@@ -92,7 +92,7 @@ static struct scsi_host_template sis_sht
+ .queuecommand = ata_scsi_queuecmd,
+ .can_queue = ATA_DEF_QUEUE,
+ .this_id = ATA_SHT_THIS_ID,
+- .sg_tablesize = ATA_MAX_PRD,
++ .sg_tablesize = LIBATA_MAX_PRD,
+ .cmd_per_lun = ATA_SHT_CMD_PER_LUN,
+ .emulated = ATA_SHT_EMULATED,
+ .use_clustering = ATA_SHT_USE_CLUSTERING,
--- /dev/null
+From herbert@gondor.apana.org.au Wed Nov 14 17:07:36 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 15 Nov 2007 09:07:23 +0800
+Subject: libcrc32c: keep intermediate crc state in cpu order
+To: Greg KH <greg@kroah.com>
+Cc: stable@kernel.org
+Message-ID: <20071115010723.GA20904@gondor.apana.org.au>
+Content-Disposition: inline
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+It's upstream changeset ef19454bd437b2ba14c9cda1de85debd9f383484.
+
+[LIB] crc32c: Keep intermediate crc state in cpu order
+
+crypto/crc32.c:chksum_final() is computing the digest as
+*(__le32 *)out = ~cpu_to_le32(mctx->crc);
+so the low-level crc32c_le routines should just keep
+the crc in cpu order, otherwise it is getting swabbed
+one too many times on big-endian machines.
+
+Signed-off-by: Benny Halevy <bhalevy@fs1.bhalevy.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/libcrc32c.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/lib/libcrc32c.c
++++ b/lib/libcrc32c.c
+@@ -33,7 +33,6 @@
+ #include <linux/crc32c.h>
+ #include <linux/compiler.h>
+ #include <linux/module.h>
+-#include <asm/byteorder.h>
+
+ MODULE_AUTHOR("Clay Haapala <chaapala@cisco.com>");
+ MODULE_DESCRIPTION("CRC32c (Castagnoli) calculations");
+@@ -161,15 +160,13 @@ static const u32 crc32c_table[256] = {
+ */
+
+ u32 __attribute_pure__
+-crc32c_le(u32 seed, unsigned char const *data, size_t length)
++crc32c_le(u32 crc, unsigned char const *data, size_t length)
+ {
+- u32 crc = __cpu_to_le32(seed);
+-
+ while (length--)
+ crc =
+ crc32c_table[(crc ^ *data++) & 0xFFL] ^ (crc >> 8);
+
+- return __le32_to_cpu(crc);
++ return crc;
+ }
+
+ #endif /* CRC_LE_BITS == 8 */
--- /dev/null
+From stable-bounces@linux.kernel.org Mon Nov 12 13:05:49 2007
+From: "J. Bruce Fields" <bfields@citi.umich.edu>
+Date: Mon, 12 Nov 2007 16:05:03 -0500
+Subject: nfsd4: recheck for secure ports in fh_verify
+To: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Neil Brown <neilb@suse.de>, "J. Bruce Fields" <bfields@citi.umich.edu>, nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org, stable@kernel.org
+Message-ID: <1194901503-23105-3-git-send-email-bfields@citi.umich.edu>
+
+From: J. Bruce Fields <bfields@citi.umich.edu>
+
+patch 6fa02839bf9412e18e773d04e96182b4cd0b5d57 in mainline.
+
+As with
+
+ 7fc90ec93a5eb71f4b08... "call nfsd_setuser() on fh_compose()..."
+
+this is a case where we need to redo a security check in fh_verify()
+even though the filehandle already has an associated dentry--if the
+filehandle was created by fh_compose() in an earlier operation of the
+nfsv4 compound, then we may not have done these checks yet.
+
+Without this fix it is possible, for example, to traverse from an export
+without the secure ports requirement to one with it in a single
+compound, and bypass the secure port check on the new export.
+
+While we're here, fix up some minor style problems and change a printk()
+to a dprintk(), to make it harder for random unprivileged users to spam
+the logs.
+
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Reviewed-By: NeilBrown <neilb@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfsfh.c | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+--- a/fs/nfsd/nfsfh.c
++++ b/fs/nfsd/nfsfh.c
+@@ -95,6 +95,22 @@ nfsd_mode_check(struct svc_rqst *rqstp,
+ return 0;
+ }
+
++static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
++ struct svc_export *exp)
++{
++ /* Check if the request originated from a secure port. */
++ if (!rqstp->rq_secure && EX_SECURE(exp)) {
++ char buf[RPC_MAX_ADDRBUFLEN];
++ dprintk(KERN_WARNING
++ "nfsd: request from insecure port %s!\n",
++ svc_print_addr(rqstp, buf, sizeof(buf)));
++ return nfserr_perm;
++ }
++
++ /* Set user creds for this exportpoint */
++ return nfserrno(nfsd_setuser(rqstp, exp));
++}
++
+ /*
+ * Perform sanity checks on the dentry in a client's file handle.
+ *
+@@ -167,18 +183,7 @@ fh_verify(struct svc_rqst *rqstp, struct
+ goto out;
+ }
+
+- /* Check if the request originated from a secure port. */
+- error = nfserr_perm;
+- if (!rqstp->rq_secure && EX_SECURE(exp)) {
+- char buf[RPC_MAX_ADDRBUFLEN];
+- printk(KERN_WARNING
+- "nfsd: request from insecure port %s!\n",
+- svc_print_addr(rqstp, buf, sizeof(buf)));
+- goto out;
+- }
+-
+- /* Set user creds for this exportpoint */
+- error = nfserrno(nfsd_setuser(rqstp, exp));
++ error = nfsd_setuser_and_check_port(rqstp, exp);
+ if (error)
+ goto out;
+
+@@ -227,18 +232,22 @@ fh_verify(struct svc_rqst *rqstp, struct
+ fhp->fh_export = exp;
+ nfsd_nr_verified++;
+ } else {
+- /* just rechecking permissions
+- * (e.g. nfsproc_create calls fh_verify, then nfsd_create does as well)
++ /*
++ * just rechecking permissions
++ * (e.g. nfsproc_create calls fh_verify, then nfsd_create
++ * does as well)
+ */
+ dprintk("nfsd: fh_verify - just checking\n");
+ dentry = fhp->fh_dentry;
+ exp = fhp->fh_export;
+- /* Set user creds for this exportpoint; necessary even
++ /*
++ * Set user creds for this exportpoint; necessary even
+ * in the "just checking" case because this may be a
+ * filehandle that was created by fh_compose, and that
+ * is about to be used in another nfsv4 compound
+- * operation */
+- error = nfserrno(nfsd_setuser(rqstp, exp));
++ * operation.
++ */
++ error = nfsd_setuser_and_check_port(rqstp, exp);
+ if (error)
+ goto out;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 16:59:24 2007
+From: Philippe Elie <phil.el@wanadoo.fr>
+Date: Wed, 14 Nov 2007 16:58:48 -0800
+Subject: oProfile: oops when profile_pc() returns ~0LU
+To: torvalds@linux-foundation.org
+Cc: phil.el@wanadoo.fr, akpm@linux-foundation.org, stable@kernel.org, safari-kernel@safari.iki.fi
+Message-ID: <200711150058.lAF0wmqX002585@imap1.linux-foundation.org>
+
+
+From: Philippe Elie <phil.el@wanadoo.fr>
+
+patch df9d177aa28d50e64bae6fbd6b263833079e3571 in mainline.
+
+Instruction pointer returned by profile_pc() can be a random value. This
+break the assumption than we can safely set struct op_sample.eip field to a
+magic value to signal to the per-cpu buffer reader side special event like
+task switch ending up in a segfault in get_task_mm() when profile_pc()
+return ~0UL. Fixed by sanitizing the sampled eip and reject/log invalid
+eip.
+
+Problem reported by Sami Farin, patch tested by him.
+
+Signed-off-by: Philippe Elie <phil.el@wanadoo.fr>
+Tested-by: Sami Farin <safari-kernel@safari.iki.fi>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/oprofile/cpu_buffer.c | 7 +++++++
+ drivers/oprofile/cpu_buffer.h | 1 +
+ drivers/oprofile/oprofile_stats.c | 4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/drivers/oprofile/cpu_buffer.c
++++ b/drivers/oprofile/cpu_buffer.c
+@@ -64,6 +64,8 @@ int alloc_cpu_buffers(void)
+ b->head_pos = 0;
+ b->sample_received = 0;
+ b->sample_lost_overflow = 0;
++ b->backtrace_aborted = 0;
++ b->sample_invalid_eip = 0;
+ b->cpu = i;
+ INIT_DELAYED_WORK(&b->work, wq_sync_buffer);
+ }
+@@ -175,6 +177,11 @@ static int log_sample(struct oprofile_cp
+
+ cpu_buf->sample_received++;
+
++ if (pc == ESCAPE_CODE) {
++ cpu_buf->sample_invalid_eip++;
++ return 0;
++ }
++
+ if (nr_available_slots(cpu_buf) < 3) {
+ cpu_buf->sample_lost_overflow++;
+ return 0;
+--- a/drivers/oprofile/cpu_buffer.h
++++ b/drivers/oprofile/cpu_buffer.h
+@@ -42,6 +42,7 @@ struct oprofile_cpu_buffer {
+ unsigned long sample_received;
+ unsigned long sample_lost_overflow;
+ unsigned long backtrace_aborted;
++ unsigned long sample_invalid_eip;
+ int cpu;
+ struct delayed_work work;
+ } ____cacheline_aligned;
+--- a/drivers/oprofile/oprofile_stats.c
++++ b/drivers/oprofile/oprofile_stats.c
+@@ -26,6 +26,8 @@ void oprofile_reset_stats(void)
+ cpu_buf = &cpu_buffer[i];
+ cpu_buf->sample_received = 0;
+ cpu_buf->sample_lost_overflow = 0;
++ cpu_buf->backtrace_aborted = 0;
++ cpu_buf->sample_invalid_eip = 0;
+ }
+
+ atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
+@@ -61,6 +63,8 @@ void oprofile_create_stats_files(struct
+ &cpu_buf->sample_lost_overflow);
+ oprofilefs_create_ro_ulong(sb, cpudir, "backtrace_aborted",
+ &cpu_buf->backtrace_aborted);
++ oprofilefs_create_ro_ulong(sb, cpudir, "sample_invalid_eip",
++ &cpu_buf->sample_invalid_eip);
+ }
+
+ oprofilefs_create_ro_atomic(sb, dir, "sample_lost_no_mm",
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 17:08:09 2007
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 14 Nov 2007 16:59:35 -0800
+Subject: raid5: fix unending write sequence
+To: torvalds@linux-foundation.org
+Cc: joel.bertrand@systella.fr, neilb@suse.de, akpm@linux-foundation.org, dan.j.williams@intel.com, stable@kernel.org
+Message-ID: <200711150059.lAF0xZ59002692@imap1.linux-foundation.org>
+
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+patch 6c55be8b962f1bdc592d579e81fc27b11ea53dfc in mainline.
+
+<debug output from Joel's system>
+handling stripe 7629696, state=0x14 cnt=1, pd_idx=2 ops=0:0:0
+check 5: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800ffcffcc0 written 0000000000000000
+check 4: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800fdd4e360 written 0000000000000000
+check 3: state 0x1 toread 0000000000000000 read 0000000000000000 write 0000000000000000 written 0000000000000000
+check 2: state 0x1 toread 0000000000000000 read 0000000000000000 write 0000000000000000 written 0000000000000000
+check 1: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800ff517e40 written 0000000000000000
+check 0: state 0x6 toread 0000000000000000 read 0000000000000000 write fffff800fd4cae60 written 0000000000000000
+locked=4 uptodate=2 to_read=0 to_write=4 failed=0 failed_num=0
+for sector 7629696, rmw=0 rcw=0
+</debug>
+
+These blocks were prepared to be written out, but were never handled in
+ops_run_biodrain(), so they remain locked forever. The operations flags
+are all clear which means handle_stripe() thinks nothing else needs to be
+done.
+
+This state suggests that the STRIPE_OP_PREXOR bit was sampled 'set' when it
+should not have been. This patch cleans up cases where the code looks at
+sh->ops.pending when it should be looking at the consistent stack-based
+snapshot of the operations flags.
+
+Report from Joel:
+ Resync done. Patch fix this bug.
+
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Tested-by: Joel Bertrand <joel.bertrand@systella.fr>
+Cc: <stable@kernel.org>
+Cc: Neil Brown <neilb@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/raid5.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -689,7 +689,8 @@ ops_run_prexor(struct stripe_head *sh, s
+ }
+
+ static struct dma_async_tx_descriptor *
+-ops_run_biodrain(struct stripe_head *sh, struct dma_async_tx_descriptor *tx)
++ops_run_biodrain(struct stripe_head *sh, struct dma_async_tx_descriptor *tx,
++ unsigned long pending)
+ {
+ int disks = sh->disks;
+ int pd_idx = sh->pd_idx, i;
+@@ -697,7 +698,7 @@ ops_run_biodrain(struct stripe_head *sh,
+ /* check if prexor is active which means only process blocks
+ * that are part of a read-modify-write (Wantprexor)
+ */
+- int prexor = test_bit(STRIPE_OP_PREXOR, &sh->ops.pending);
++ int prexor = test_bit(STRIPE_OP_PREXOR, &pending);
+
+ pr_debug("%s: stripe %llu\n", __FUNCTION__,
+ (unsigned long long)sh->sector);
+@@ -774,7 +775,8 @@ static void ops_complete_write(void *str
+ }
+
+ static void
+-ops_run_postxor(struct stripe_head *sh, struct dma_async_tx_descriptor *tx)
++ops_run_postxor(struct stripe_head *sh, struct dma_async_tx_descriptor *tx,
++ unsigned long pending)
+ {
+ /* kernel stack size limits the total number of disks */
+ int disks = sh->disks;
+@@ -782,7 +784,7 @@ ops_run_postxor(struct stripe_head *sh,
+
+ int count = 0, pd_idx = sh->pd_idx, i;
+ struct page *xor_dest;
+- int prexor = test_bit(STRIPE_OP_PREXOR, &sh->ops.pending);
++ int prexor = test_bit(STRIPE_OP_PREXOR, &pending);
+ unsigned long flags;
+ dma_async_tx_callback callback;
+
+@@ -809,7 +811,7 @@ ops_run_postxor(struct stripe_head *sh,
+ }
+
+ /* check whether this postxor is part of a write */
+- callback = test_bit(STRIPE_OP_BIODRAIN, &sh->ops.pending) ?
++ callback = test_bit(STRIPE_OP_BIODRAIN, &pending) ?
+ ops_complete_write : ops_complete_postxor;
+
+ /* 1/ if we prexor'd then the dest is reused as a source
+@@ -897,12 +899,12 @@ static void raid5_run_ops(struct stripe_
+ tx = ops_run_prexor(sh, tx);
+
+ if (test_bit(STRIPE_OP_BIODRAIN, &pending)) {
+- tx = ops_run_biodrain(sh, tx);
++ tx = ops_run_biodrain(sh, tx, pending);
+ overlap_clear++;
+ }
+
+ if (test_bit(STRIPE_OP_POSTXOR, &pending))
+- ops_run_postxor(sh, tx);
++ ops_run_postxor(sh, tx, pending);
+
+ if (test_bit(STRIPE_OP_CHECK, &pending))
+ ops_run_check(sh);
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 17:09:04 2007
+From: Fengguang Wu <wfg@mail.ustc.edu.cn>
+Date: Wed, 14 Nov 2007 16:59:54 -0800
+Subject: reiserfs: don't drop PG_dirty when releasing sub-page-sized dirty file
+To: torvalds@linux-foundation.org
+Cc: maximlevitsky@gmail.com, peterz@infradead.org, jeffm@suse.com, wfg@mail.ustc.edu.cn, akpm@linux-foundation.org, stable@kernel.org, chris.mason@oracle.com
+Message-ID: <200711150059.lAF0xsOv002756@imap1.linux-foundation.org>
+
+
+From: Fengguang Wu <wfg@mail.ustc.edu.cn>
+
+patch c06a018fa5362fa9ed0768bd747c0fab26bc8849 in mainline.
+
+This is not a new problem in 2.6.23-git17. 2.6.22/2.6.23 is buggy in the
+same way.
+
+Reiserfs could accumulate dirty sub-page-size files until umount time.
+They cannot be synced to disk by pdflush routines or explicit `sync'
+commands. Only `umount' can do the trick.
+
+The direct cause is: the dirty page's PG_dirty is wrongly _cleared_.
+Call trace:
+ [<ffffffff8027e920>] cancel_dirty_page+0xd0/0xf0
+ [<ffffffff8816d470>] :reiserfs:reiserfs_cut_from_item+0x660/0x710
+ [<ffffffff8816d791>] :reiserfs:reiserfs_do_truncate+0x271/0x530
+ [<ffffffff8815872d>] :reiserfs:reiserfs_truncate_file+0xfd/0x3b0
+ [<ffffffff8815d3d0>] :reiserfs:reiserfs_file_release+0x1e0/0x340
+ [<ffffffff802a187c>] __fput+0xcc/0x1b0
+ [<ffffffff802a1ba6>] fput+0x16/0x20
+ [<ffffffff8029e676>] filp_close+0x56/0x90
+ [<ffffffff8029fe0d>] sys_close+0xad/0x110
+ [<ffffffff8020c41e>] system_call+0x7e/0x83
+
+Fix the bug by removing the cancel_dirty_page() call. Tests show that
+it causes no bad behaviors on various write sizes.
+
+=== for the patient ===
+Here are more detailed demonstrations of the problem.
+
+1) the page has both PG_dirty(D)/PAGECACHE_TAG_DIRTY(d) after being written to;
+ and then only PAGECACHE_TAG_DIRTY(d) remains after the file is closed.
+
+------------------------------ screen 0 ------------------------------
+[T0] root /home/wfg# cat > /test/tiny
+[T1] hi
+[T2] root /home/wfg#
+
+------------------------------ screen 1 ------------------------------
+[T1] root /home/wfg# echo /test/tiny > /proc/filecache
+[T1] root /home/wfg# cat /proc/filecache
+ # file /test/tiny
+ # flags R:referenced A:active M:mmap U:uptodate D:dirty W:writeback O:owner B:buffer d:dirty w:writeback
+ # idx len state refcnt
+ 0 1 ___UD__Bd_ 2
+[T2] root /home/wfg# cat /proc/filecache
+ # file /test/tiny
+ # flags R:referenced A:active M:mmap U:uptodate D:dirty W:writeback O:owner B:buffer d:dirty w:writeback
+ # idx len state refcnt
+ 0 1 ___U___Bd_ 2
+
+2) note the non-zero 'cancelled_write_bytes' after /tmp/hi is copied.
+
+------------------------------ screen 0 ------------------------------
+[T0] root /home/wfg# echo hi > /tmp/hi
+[T1] root /home/wfg# cp /tmp/hi /dev/stdin /test
+[T2] hi
+[T3] root /home/wfg#
+
+------------------------------ screen 1 ------------------------------
+[T1] root /proc/4397# cd /proc/`pidof cp`
+[T1] root /proc/4713# cat io
+ rchar: 8396
+ wchar: 3
+ syscr: 20
+ syscw: 1
+ read_bytes: 0
+ write_bytes: 20480
+ cancelled_write_bytes: 4096
+[T2] root /proc/4713# cat io
+ rchar: 8399
+ wchar: 6
+ syscr: 21
+ syscw: 2
+ read_bytes: 0
+ write_bytes: 24576
+ cancelled_write_bytes: 4096
+
+//Question: the 'write_bytes' is a bit more than expected ;-)
+
+Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Fengguang Wu <wfg@mail.ustc.edu.cn>
+Reviewed-by: Chris Mason <chris.mason@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/stree.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -1458,9 +1458,6 @@ static void unmap_buffers(struct page *p
+ }
+ bh = next;
+ } while (bh != head);
+- if (PAGE_SIZE == bh->b_size) {
+- cancel_dirty_page(page, PAGE_CACHE_SIZE);
+- }
+ }
+ }
+ }
--- /dev/null
+From t.powa@gmx.de Wed Nov 14 22:59:56 2007
+From: Tejun Heo <htejun@gmail.com>
+Date: Thu, 15 Nov 2007 07:59:44 +0100
+Subject: sata_sis: fix SCR read breakage
+To: gregkh@suse.de
+Message-ID: <200711150759.48161.t.powa@gmx.de>
+
+From: Tejun Heo <htejun@gmail.com>
+
+patch aaa092a114696f4425cd57c4d7fa05110007e247 in mainline.
+
+sata_sis: fix SCR read breakage
+
+SCR read for controllers which uses PCI configuration space for SCR
+access got broken while adding @val argument to SCR accessors. Fix
+it.
+
+Signed-off-by: Tejun Heo <htejun@gmail.com>
+Signed-off-by: Jeff Garzik <jeff@garzik.org>
+Cc: Tobias Powalowski <t.powa@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/sata_sis.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/ata/sata_sis.c
++++ b/drivers/ata/sata_sis.c
+@@ -168,11 +168,11 @@ static unsigned int get_scr_cfg_addr(str
+ return addr;
+ }
+
+-static u32 sis_scr_cfg_read (struct ata_port *ap, unsigned int sc_reg)
++static u32 sis_scr_cfg_read (struct ata_port *ap, unsigned int sc_reg, u32 *val)
+ {
+ struct pci_dev *pdev = to_pci_dev(ap->host->dev);
+ unsigned int cfg_addr = get_scr_cfg_addr(ap, sc_reg);
+- u32 val, val2 = 0;
++ u32 val2 = 0;
+ u8 pmr;
+
+ if (sc_reg == SCR_ERROR) /* doesn't exist in PCI cfg space */
+@@ -180,13 +180,16 @@ static u32 sis_scr_cfg_read (struct ata_
+
+ pci_read_config_byte(pdev, SIS_PMR, &pmr);
+
+- pci_read_config_dword(pdev, cfg_addr, &val);
++ pci_read_config_dword(pdev, cfg_addr, val);
+
+ if ((pdev->device == 0x0182) || (pdev->device == 0x0183) ||
+ (pdev->device == 0x1182) || (pmr & SIS_PMR_COMBINED))
+ pci_read_config_dword(pdev, cfg_addr+0x10, &val2);
+
+- return (val|val2) & 0xfffffffb; /* avoid problems with powerdowned ports */
++ *val |= val2;
++ *val &= 0xfffffffb; /* avoid problems with powerdowned ports */
++
++ return 0;
+ }
+
+ static void sis_scr_cfg_write (struct ata_port *ap, unsigned int sc_reg, u32 val)
+@@ -216,7 +219,7 @@ static int sis_scr_read(struct ata_port
+ return -EINVAL;
+
+ if (ap->flags & SIS_FLAG_CFGSCR)
+- return sis_scr_cfg_read(ap, sc_reg);
++ return sis_scr_cfg_read(ap, sc_reg, val);
+
+ pci_read_config_byte(pdev, SIS_PMR, &pmr);
+
i2c-pasemi-fix-nack-detection.patch
i2c-eeprom-recognize-vgn-as-a-valid-sony-vaio-name-prefix.patch
i2c-eeprom-hide-sony-vaio-serial-numbers.patch
+drivers-video-ps3fb-fix-memset-size-error.patch
+oprofile-oops-when-profile_pc-returns-0lu.patch
+raid5-fix-unending-write-sequence.patch
+knfsd-fix-spurious-einval-errors-on-first-access-of-new-filesystem.patch
+nfsd4-recheck-for-secure-ports-in-fh_verify.patch
+dmaengine-fix-broken-device-refcounting.patch
+x86-disable-preemption-in-delay_tsc.patch
+reiserfs-don-t-drop-pg_dirty-when-releasing-sub-page-sized-dirty-file.patch
+sata_sis-fix-scr-read-breakage.patch
+libata-sata_sis-use-correct-s-g-table-size.patch
+acpi-video-adjust-current-level-to-closest-available-one.patch
+fix-divide-by-zero-in-the-2.6.23-scheduler-code.patch
+geode-fix-not-inplace-encryption.patch
+libcrc32c-keep-intermediate-crc-state-in-cpu-order.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Nov 14 17:08:53 2007
+From: Andrew Morton <akpm@linux-foundation.org>
+Date: Wed, 14 Nov 2007 17:00:41 -0800
+Subject: x86: disable preemption in delay_tsc()
+To: torvalds@linux-foundation.org
+Cc: mitov@issp.bas.bg, ak@suse.de, stable@kernel.org, tglx@linutronix.de, akpm@linux-foundation.org, mingo@elte.hu
+Message-ID: <200711150100.lAF10fUR002915@imap1.linux-foundation.org>
+
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+patch 35d5d08a085c56f153458c3f5d8ce24123617faf in mainline.
+
+Marin Mitov points out that delay_tsc() can misbehave if it is preempted and
+rescheduled on a different CPU which has a skewed TSC. Fix it by disabling
+preemption.
+
+(I assume that the worst-case behaviour here is a stall of 2^32 cycles)
+
+Cc: Andi Kleen <ak@suse.de>
+Cc: Marin Mitov <mitov@issp.bas.bg>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/lib/delay.c | 3 +++
+ arch/x86_64/lib/delay.c | 11 +++++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/i386/lib/delay.c
++++ b/arch/i386/lib/delay.c
+@@ -12,6 +12,7 @@
+
+ #include <linux/module.h>
+ #include <linux/sched.h>
++#include <linux/preempt.h>
+ #include <linux/delay.h>
+
+ #include <asm/processor.h>
+@@ -42,11 +43,13 @@ static void delay_tsc(unsigned long loop
+ {
+ unsigned long bclock, now;
+
++ preempt_disable(); /* TSC's are per-cpu */
+ rdtscl(bclock);
+ do {
+ rep_nop();
+ rdtscl(now);
+ } while ((now-bclock) < loops);
++ preempt_enable();
+ }
+
+ /*
+--- a/arch/x86_64/lib/delay.c
++++ b/arch/x86_64/lib/delay.c
+@@ -10,7 +10,9 @@
+
+ #include <linux/module.h>
+ #include <linux/sched.h>
++#include <linux/preempt.h>
+ #include <linux/delay.h>
++
+ #include <asm/delay.h>
+ #include <asm/msr.h>
+
+@@ -27,14 +29,15 @@ int read_current_timer(unsigned long *ti
+ void __delay(unsigned long loops)
+ {
+ unsigned bclock, now;
+-
++
++ preempt_disable(); /* TSC's are pre-cpu */
+ rdtscl(bclock);
+- do
+- {
++ do {
+ rep_nop();
+ rdtscl(now);
+ }
+- while((now-bclock) < loops);
++ while ((now-bclock) < loops);
++ preempt_enable();
+ }
+ EXPORT_SYMBOL(__delay);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
