--- /dev/null
+From 5d76cf411cb7eb4bb419ec77ddbb528127d3d906 Mon Sep 17 00:00:00 2001
+From: Roel Kluin <roel.kluin@gmail.com>
+Date: Thu, 29 Jan 2009 17:32:20 -0800
+Subject: drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic
+
+From: Roel Kluin <roel.kluin@gmail.com>
+
+[ Upstream commit c25b9abbc2c2c0da88e180c3933d6e773245815a ]
+
+Fix inverted logic
+
+Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/skfp/skfddi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/skfp/skfddi.c
++++ b/drivers/net/skfp/skfddi.c
+@@ -998,9 +998,9 @@ static int skfp_ioctl(struct net_device
+ break;
+ case SKFP_CLR_STATS: /* Zero out the driver statistics */
+ if (!capable(CAP_NET_ADMIN)) {
+- memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+- } else {
+ status = -EPERM;
++ } else {
++ memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+ }
+ break;
+ default:
--- /dev/null
+From 3a4c6800f31ea8395628af5e7e490270ee5d0585 Mon Sep 17 00:00:00 2001
+From: Nick Piggin <npiggin@suse.de>
+Date: Thu, 12 Feb 2009 04:34:23 +0100
+Subject: Fix page writeback thinko, causing Berkeley DB slowdown
+
+From: Nick Piggin <npiggin@suse.de>
+
+commit 3a4c6800f31ea8395628af5e7e490270ee5d0585 upstream.
+
+A bug was introduced into write_cache_pages cyclic writeout by commit
+31a12666d8f0c22235297e1c1575f82061480029 ("mm: write_cache_pages cyclic
+fix"). The intention (and comments) is that we should cycle back and
+look for more dirty pages at the beginning of the file if there is no
+more work to be done.
+
+But the !done condition was dropped from the test. This means that any
+time the page writeout loop breaks (eg. due to nr_to_write == 0), we
+will set index to 0, then goto again. This will set done_index to
+index, then find done is set, so will proceed to the end of the
+function. When updating mapping->writeback_index for cyclic writeout,
+we now use done_index == 0, so we're always cycling back to 0.
+
+This seemed to be causing random mmap writes (slapadd and iozone) to
+start writing more pages from the LRU and writeout would slowdown, and
+caused bugzilla entry
+
+ http://bugzilla.kernel.org/show_bug.cgi?id=12604
+
+about Berkeley DB slowing down dramatically.
+
+With this patch, iozone random write performance is increased nearly
+5x on my system (iozone -B -r 4k -s 64k -s 512m -s 1200m on ext2).
+
+Signed-off-by: Nick Piggin <npiggin@suse.de>
+Reported-and-tested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/page-writeback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -997,7 +997,7 @@ continue_unlock:
+ pagevec_release(&pvec);
+ cond_resched();
+ }
+- if (!cycled) {
++ if (!cycled && !done) {
+ /*
+ * range_cyclic:
+ * We hit the last page and there is more work to be done: wrap
--- /dev/null
+From 6ae4f7efc741daa77ce6a84dce8963e07aabdc65 Mon Sep 17 00:00:00 2001
+From: Benjamin Zores <benjamin.zores@alcatel-lucent.fr>
+Date: Thu, 29 Jan 2009 16:19:13 -0800
+Subject: ipv4: fix infinite retry loop in IP-Config
+
+From: Benjamin Zores <benjamin.zores@alcatel-lucent.fr>
+
+[ Upstream commit 9d8dba6c979fa99c96938c869611b9a23b73efa9 ]
+
+Signed-off-by: Benjamin Zores <benjamin.zores@alcatel-lucent.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ipconfig.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -1272,6 +1272,9 @@ __be32 __init root_nfs_parse_addr(char *
+ static int __init ip_auto_config(void)
+ {
+ __be32 addr;
++#ifdef IPCONFIG_DYNAMIC
++ int retries = CONF_OPEN_RETRIES;
++#endif
+
+ #ifdef CONFIG_PROC_FS
+ proc_net_fops_create(&init_net, "pnp", S_IRUGO, &pnp_seq_fops);
+@@ -1308,9 +1311,6 @@ static int __init ip_auto_config(void)
+ #endif
+ ic_first_dev->next) {
+ #ifdef IPCONFIG_DYNAMIC
+-
+- int retries = CONF_OPEN_RETRIES;
+-
+ if (ic_dynamic() < 0) {
+ ic_close_devs();
+
--- /dev/null
+From 262c04a7231abf2df257db43ab3e800bf260b6a6 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 Feb 2009 15:15:50 -0800
+Subject: ipv6: Copy cork options in ip6_append_data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 0178b695fd6b40a62a215cbeb03dd51ada3bb5e0 ]
+
+As the options passed to ip6_append_data may be ephemeral, we need
+to duplicate it for corking. This patch applies the simplest fix
+which is to memdup all the relevant bits.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_output.c | 67 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 52 insertions(+), 15 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1104,6 +1104,18 @@ static inline int ip6_ufo_append_data(st
+ return err;
+ }
+
++static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
++ gfp_t gfp)
++{
++ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
++}
++
++static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
++ gfp_t gfp)
++{
++ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
++}
++
+ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ int offset, int len, int odd, struct sk_buff *skb),
+ void *from, int length, int transhdrlen,
+@@ -1129,17 +1141,37 @@ int ip6_append_data(struct sock *sk, int
+ * setup for corking
+ */
+ if (opt) {
+- if (np->cork.opt == NULL) {
+- np->cork.opt = kmalloc(opt->tot_len,
+- sk->sk_allocation);
+- if (unlikely(np->cork.opt == NULL))
+- return -ENOBUFS;
+- } else if (np->cork.opt->tot_len < opt->tot_len) {
+- printk(KERN_DEBUG "ip6_append_data: invalid option length\n");
++ if (WARN_ON(np->cork.opt))
+ return -EINVAL;
+- }
+- memcpy(np->cork.opt, opt, opt->tot_len);
+- inet->cork.flags |= IPCORK_OPT;
++
++ np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
++ if (unlikely(np->cork.opt == NULL))
++ return -ENOBUFS;
++
++ np->cork.opt->tot_len = opt->tot_len;
++ np->cork.opt->opt_flen = opt->opt_flen;
++ np->cork.opt->opt_nflen = opt->opt_nflen;
++
++ np->cork.opt->dst0opt = ip6_opt_dup(opt->dst0opt,
++ sk->sk_allocation);
++ if (opt->dst0opt && !np->cork.opt->dst0opt)
++ return -ENOBUFS;
++
++ np->cork.opt->dst1opt = ip6_opt_dup(opt->dst1opt,
++ sk->sk_allocation);
++ if (opt->dst1opt && !np->cork.opt->dst1opt)
++ return -ENOBUFS;
++
++ np->cork.opt->hopopt = ip6_opt_dup(opt->hopopt,
++ sk->sk_allocation);
++ if (opt->hopopt && !np->cork.opt->hopopt)
++ return -ENOBUFS;
++
++ np->cork.opt->srcrt = ip6_rthdr_dup(opt->srcrt,
++ sk->sk_allocation);
++ if (opt->srcrt && !np->cork.opt->srcrt)
++ return -ENOBUFS;
++
+ /* need source address above miyazawa*/
+ }
+ dst_hold(&rt->u.dst);
+@@ -1166,8 +1198,7 @@ int ip6_append_data(struct sock *sk, int
+ } else {
+ rt = (struct rt6_info *)inet->cork.dst;
+ fl = &inet->cork.fl;
+- if (inet->cork.flags & IPCORK_OPT)
+- opt = np->cork.opt;
++ opt = np->cork.opt;
+ transhdrlen = 0;
+ exthdrlen = 0;
+ mtu = inet->cork.fragsize;
+@@ -1406,9 +1437,15 @@ error:
+
+ static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
+ {
+- inet->cork.flags &= ~IPCORK_OPT;
+- kfree(np->cork.opt);
+- np->cork.opt = NULL;
++ if (np->cork.opt) {
++ kfree(np->cork.opt->dst0opt);
++ kfree(np->cork.opt->dst1opt);
++ kfree(np->cork.opt->hopopt);
++ kfree(np->cork.opt->srcrt);
++ kfree(np->cork.opt);
++ np->cork.opt = NULL;
++ }
++
+ if (inet->cork.dst) {
+ dst_release(inet->cork.dst);
+ inet->cork.dst = NULL;
--- /dev/null
+From 04417e3c6b3b2c98be1f472e0de6eefe24e9ef2f Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Fri, 6 Feb 2009 00:49:55 -0800
+Subject: ipv6: Disallow rediculious flowlabel option sizes.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 684de409acff8b1fe8bf188d75ff2f99c624387d ]
+
+Just like PKTINFO, limit the options area to 64K.
+
+Based upon report by Eric Sesterhenn and analysis by
+Roland Dreier.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_flowlabel.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -323,17 +323,21 @@ static struct ip6_flowlabel *
+ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
+ int optlen, int *err_p)
+ {
+- struct ip6_flowlabel *fl;
++ struct ip6_flowlabel *fl = NULL;
+ int olen;
+ int addr_type;
+ int err;
+
++ olen = optlen - CMSG_ALIGN(sizeof(*freq));
++ err = -EINVAL;
++ if (olen > 64 * 1024)
++ goto done;
++
+ err = -ENOMEM;
+ fl = kzalloc(sizeof(*fl), GFP_KERNEL);
+ if (fl == NULL)
+ goto done;
+
+- olen = optlen - CMSG_ALIGN(sizeof(*freq));
+ if (olen > 0) {
+ struct msghdr msg;
+ struct flowi flowi;
--- /dev/null
+From b4870bc5ee8c7a37541a3eb1208b5c76c13a078a Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <randy.dunlap@oracle.com>
+Date: Wed, 11 Feb 2009 13:04:33 -0800
+Subject: kernel-doc: fix syscall wrapper processing
+
+From: Randy Dunlap <randy.dunlap@oracle.com>
+
+commit b4870bc5ee8c7a37541a3eb1208b5c76c13a078a upstream.
+
+Fix kernel-doc processing of SYSCALL wrappers.
+
+The SYSCALL wrapper patches played havoc with kernel-doc for
+syscalls. Syscalls that were scanned for DocBook processing
+reported warnings like this one, for sys_tgkill:
+
+Warning(kernel/signal.c:2285): No description found for parameter 'tgkill'
+Warning(kernel/signal.c:2285): No description found for parameter 'pid_t'
+Warning(kernel/signal.c:2285): No description found for parameter 'int'
+
+because the macro parameters all "look like" function parameters,
+although they are not:
+
+/**
+ * sys_tgkill - send signal to one specific thread
+ * @tgid: the thread group ID of the thread
+ * @pid: the PID of the thread
+ * @sig: signal to be sent
+ *
+ * This syscall also checks the @tgid and returns -ESRCH even if the PID
+ * exists but it's not belonging to the target process anymore. This
+ * method solves the problem of threads exiting and PIDs getting reused.
+ */
+SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid_t, pid, int, sig)
+{
+...
+
+This patch special-cases the handling SYSCALL_DEFINE* function
+prototypes by expanding them to
+ long sys_foobar(type1 arg1, type1 arg2, ...)
+
+Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ scripts/kernel-doc | 40 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+--- a/scripts/kernel-doc
++++ b/scripts/kernel-doc
+@@ -1762,6 +1762,40 @@ sub reset_state {
+ $state = 0;
+ }
+
++sub syscall_munge() {
++ my $void = 0;
++
++ $prototype =~ s@[\r\n\t]+@ @gos; # strip newlines/CR's/tabs
++## if ($prototype =~ m/SYSCALL_DEFINE0\s*\(\s*(a-zA-Z0-9_)*\s*\)/) {
++ if ($prototype =~ m/SYSCALL_DEFINE0/) {
++ $void = 1;
++## $prototype = "long sys_$1(void)";
++ }
++
++ $prototype =~ s/SYSCALL_DEFINE.*\(/long sys_/; # fix return type & func name
++ if ($prototype =~ m/long (sys_.*?),/) {
++ $prototype =~ s/,/\(/;
++ } elsif ($void) {
++ $prototype =~ s/\)/\(void\)/;
++ }
++
++ # now delete all of the odd-number commas in $prototype
++ # so that arg types & arg names don't have a comma between them
++ my $count = 0;
++ my $len = length($prototype);
++ if ($void) {
++ $len = 0; # skip the for-loop
++ }
++ for (my $ix = 0; $ix < $len; $ix++) {
++ if (substr($prototype, $ix, 1) eq ',') {
++ $count++;
++ if ($count % 2 == 1) {
++ substr($prototype, $ix, 1) = ' ';
++ }
++ }
++ }
++}
++
+ sub process_state3_function($$) {
+ my $x = shift;
+ my $file = shift;
+@@ -1774,11 +1808,15 @@ sub process_state3_function($$) {
+ elsif ($x =~ /([^\{]*)/) {
+ $prototype .= $1;
+ }
++
+ if (($x =~ /\{/) || ($x =~ /\#\s*define/) || ($x =~ /;/)) {
+ $prototype =~ s@/\*.*?\*/@@gos; # strip comments.
+ $prototype =~ s@[\r\n]+@ @gos; # strip newlines/cr's.
+ $prototype =~ s@^\s+@@gos; # strip leading spaces
+- dump_function($prototype,$file);
++ if ($prototype =~ /SYSCALL_DEFINE/) {
++ syscall_munge();
++ }
++ dump_function($prototype, $file);
+ reset_state();
+ }
+ }
--- /dev/null
+From 9d9b87c1218be78ddecbc85ec3bb91c79c1d56ab Mon Sep 17 00:00:00 2001
+From: J. Bruce Fields <bfields@citi.umich.edu>
+Date: Wed, 4 Feb 2009 17:35:38 -0500
+Subject: lockd: fix regression in lockd's handling of blocked locks
+
+From: J. Bruce Fields <bfields@citi.umich.edu>
+
+commit 9d9b87c1218be78ddecbc85ec3bb91c79c1d56ab upstream.
+
+If a client requests a blocking lock, is denied, then requests it again,
+then here in nlmsvc_lock() we will call vfs_lock_file() without FL_SLEEP
+set, because we've already queued a block and don't need the locks code
+to do it again.
+
+But that means vfs_lock_file() will return -EAGAIN instead of
+FILE_LOCK_DENIED. So we still need to translate that -EAGAIN return
+into a nlm_lck_blocked error in this case, and put ourselves back on
+lockd's block list.
+
+The bug was introduced by bde74e4bc64415b1 "locks: add special return
+value for asynchronous locks".
+
+Thanks to Frank van Maarseveen for the report; his original test
+case was essentially
+
+ for i in `seq 30`; do flock /nfsmount/foo sleep 10 & done
+
+Tested-by: Frank van Maarseveen <frankvm@frankvm.com>
+Reported-by: Frank van Maarseveen <frankvm@frankvm.com>
+Cc: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/lockd/svclock.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/lockd/svclock.c
++++ b/fs/lockd/svclock.c
+@@ -427,7 +427,7 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru
+ goto out;
+ case -EAGAIN:
+ ret = nlm_lck_denied;
+- goto out;
++ break;
+ case FILE_LOCK_DEFERRED:
+ if (wait)
+ break;
+@@ -443,6 +443,10 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru
+ goto out;
+ }
+
++ ret = nlm_lck_denied;
++ if (!wait)
++ goto out;
++
+ ret = nlm_lck_blocked;
+
+ /* Append to list of blocked */
--- /dev/null
+From f1b33cb1c25ac476cbf22783f9ca2016f99648ed Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Fri, 6 Feb 2009 00:27:32 +0100
+Subject: mac80211: restrict to AP in outgoing interface heuristic
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+commit f1b33cb1c25ac476cbf22783f9ca2016f99648ed upstream.
+
+We try to find the correct outgoing interface for injected frames
+based on the TA, but since this is a hack for hostapd 11w, restrict
+the heuristic to AP mode interfaces. At some point we'll add the
+ability to give an interface index in radiotap or so and just
+remove this heuristic again.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1335,6 +1335,8 @@ int ieee80211_master_start_xmit(struct s
+ list) {
+ if (!netif_running(sdata->dev))
+ continue;
++ if (sdata->vif.type != NL80211_IFTYPE_AP)
++ continue;
+ if (compare_ether_addr(sdata->dev->dev_addr,
+ hdr->addr2)) {
+ dev_hold(sdata->dev);
--- /dev/null
+From 9480c53e9b2aa13a06283ffb96bb8f1873ac4e9a Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy@goop.org>
+Date: Wed, 11 Feb 2009 13:04:41 -0800
+Subject: mm: rearrange exit_mmap() to unlock before arch_exit_mmap
+
+From: Jeremy Fitzhardinge <jeremy@goop.org>
+
+commit 9480c53e9b2aa13a06283ffb96bb8f1873ac4e9a upstream.
+
+Christophe Saout reported [in precursor to:
+http://marc.info/?l=linux-kernel&m=123209902707347&w=4]:
+
+> Note that I also some a different issue with CONFIG_UNEVICTABLE_LRU.
+> Seems like Xen tears down current->mm early on process termination, so
+> that __get_user_pages in exit_mmap causes nasty messages when the
+> process had any mlocked pages. (in fact, it somehow manages to get into
+> the swapping code and produces a null pointer dereference trying to get
+> a swap token)
+
+Jeremy explained:
+
+Yes. In the normal case under Xen, an in-use pagetable is "pinned",
+meaning that it is RO to the kernel, and all updates must go via hypercall
+(or writes are trapped and emulated, which is much the same thing). An
+unpinned pagetable is not currently in use by any process, and can be
+directly accessed as normal RW pages.
+
+As an optimisation at process exit time, we unpin the pagetable as early
+as possible (switching the process to init_mm), so that all the normal
+pagetable teardown can happen with direct memory accesses.
+
+This happens in exit_mmap() -> arch_exit_mmap(). The munlocking happens
+a few lines below. The obvious thing to do would be to move
+arch_exit_mmap() to below the munlock code, but I think we'd want to
+call it even if mm->mmap is NULL, just to be on the safe side.
+
+Thus, this patch:
+
+exit_mmap() needs to unlock any locked vmas before calling arch_exit_mmap,
+as the latter may switch the current mm to init_mm, which would cause the
+former to fail.
+
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Signed-off-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Cc: Christophe Saout <christophe@saout.de>
+Cc: Keir Fraser <keir.fraser@eu.citrix.com>
+Cc: Christophe Saout <christophe@saout.de>
+Cc: Alex Williamson <alex.williamson@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mmap.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2093,7 +2093,6 @@ void exit_mmap(struct mm_struct *mm)
+ unsigned long end;
+
+ /* mm's last user has gone, and its about to be pulled down */
+- arch_exit_mmap(mm);
+ mmu_notifier_release(mm);
+
+ if (mm->locked_vm) {
+@@ -2104,7 +2103,13 @@ void exit_mmap(struct mm_struct *mm)
+ vma = vma->vm_next;
+ }
+ }
++
++ arch_exit_mmap(mm);
++
+ vma = mm->mmap;
++ if (!vma) /* Can happen if dup_mmap() received an OOM */
++ return;
++
+ lru_add_drain();
+ flush_cache_mm(mm);
+ tlb = tlb_gather_mmu(mm, 1);
--- /dev/null
+From 4d48a542b42747c36a5937447d9c3de7c897ea50 Mon Sep 17 00:00:00 2001
+From: Paul Clements <paul.clements@steeleye.com>
+Date: Wed, 11 Feb 2009 13:04:45 -0800
+Subject: nbd: fix I/O hang on disconnected nbds
+
+From: Paul Clements <paul.clements@steeleye.com>
+
+commit 4d48a542b42747c36a5937447d9c3de7c897ea50 upstream.
+
+Fix a problem that causes I/O to a disconnected (or partially initialized)
+nbd device to hang indefinitely. To reproduce:
+
+# ioctl NBD_SET_SIZE_BLOCKS /dev/nbd23 514048
+# dd if=/dev/nbd23 of=/dev/null bs=4096 count=1
+
+...hangs...
+
+This can also occur when an nbd device loses its nbd-client/server
+connection. Although we clear the queue of any outstanding I/Os after the
+client/server connection fails, any additional I/Os that get queued later
+will hang.
+
+This bug may also be the problem reported in this bug report:
+http://bugzilla.kernel.org/show_bug.cgi?id=12277
+
+Testing would need to be performed to determine if the two issues are the
+same.
+
+This problem was introduced by the new request handling thread code ("NBD:
+allow nbd to be used locally", 3/2008), which entered into mainline around
+2.6.25.
+
+The fix, which is fairly simple, is to restore the check for lo->sock
+being NULL in do_nbd_request. This causes I/O to an uninitialized nbd to
+immediately fail with an I/O error, as it did prior to the introduction of
+this bug.
+
+Signed-off-by: Paul Clements <paul.clements@steeleye.com>
+Reported-by: Jon Nelson <jnelson-kernel-bugzilla@jamponi.net>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/nbd.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -549,6 +549,15 @@ static void do_nbd_request(struct reques
+
+ BUG_ON(lo->magic != LO_MAGIC);
+
++ if (unlikely(!lo->sock)) {
++ printk(KERN_ERR "%s: Attempted send on closed socket\n",
++ lo->disk->disk_name);
++ req->errors++;
++ nbd_end_request(req);
++ spin_lock_irq(q->queue_lock);
++ continue;
++ }
++
+ spin_lock_irq(&lo->queue_lock);
+ list_add_tail(&req->queuelist, &lo->waiting_queue);
+ spin_unlock_irq(&lo->queue_lock);
--- /dev/null
+From 0fc3e3f9d9a09d4b79b662f2ff8493b73d690b00 Mon Sep 17 00:00:00 2001
+From: Clément Lecigne <clement.lecigne@netasq.com>
+Date: Thu, 12 Feb 2009 16:59:09 -0800
+Subject: net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+From: Clément Lecigne <clement.lecigne@netasq.com>
+
+[ Upstream commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da ]
+
+In function sock_getsockopt() located in net/core/sock.c, optval v.val
+is not correctly initialized and directly returned in userland in case
+we have SO_BSDCOMPAT option set.
+
+This dummy code should trigger the bug:
+
+int main(void)
+{
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+}
+
+Here is a patch that fix this bug by initalizing v.val just after its
+declaration.
+
+Signed-off-by: Clément Lecigne <clement.lecigne@netasq.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -696,6 +696,8 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname) {
+ case SO_DEBUG:
+ v.val = sock_flag(sk, SOCK_DBG);
--- /dev/null
+From 0d9f5eaa9dd48804aaebcba85e5ec55a26337976 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 29 Jan 2009 16:07:52 -0800
+Subject: net: Fix frag_list handling in skb_seq_read
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 95e3b24cfb4ec0479d2c42f7a1780d68063a542a ]
+
+The frag_list handling was broken in skb_seq_read:
+
+1) We didn't add the stepped offset when looking at the head
+are of fragments other than the first.
+
+2) We didn't take the stepped offset away when setting the data
+pointer in the head area.
+
+3) The frag index wasn't reset.
+
+This patch fixes both issues.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/skbuff.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2072,10 +2072,10 @@ unsigned int skb_seq_read(unsigned int c
+ return 0;
+
+ next_skb:
+- block_limit = skb_headlen(st->cur_skb);
++ block_limit = skb_headlen(st->cur_skb) + st->stepped_offset;
+
+ if (abs_offset < block_limit) {
+- *data = st->cur_skb->data + abs_offset;
++ *data = st->cur_skb->data + (abs_offset - st->stepped_offset);
+ return block_limit - abs_offset;
+ }
+
+@@ -2117,6 +2117,7 @@ next_skb:
+ } else if (st->root_skb == st->cur_skb &&
+ skb_shinfo(st->root_skb)->frag_list) {
+ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
++ st->frag_idx = 0;
+ goto next_skb;
+ }
+
--- /dev/null
+From 08e91648b2b61db8f42e285285fe41571dd8dac3 Mon Sep 17 00:00:00 2001
+From: Shyam Iyer <shyam_iyer@dell.com>
+Date: Thu, 29 Jan 2009 16:12:42 -0800
+Subject: net: Fix OOPS in skb_seq_read().
+
+From: Shyam Iyer <shyam_iyer@dell.com>
+
+[ Upstream commit 71b3346d182355f19509fadb8fe45114a35cc499 ]
+
+It oopsd for me in skb_seq_read. addr2line said it was
+linux-2.6/net/core/skbuff.c:2228, which is this line:
+
+ while (st->frag_idx < skb_shinfo(st->cur_skb)->nr_frags) {
+
+I added some printks in there and it looks like we hit this:
+
+ } else if (st->root_skb == st->cur_skb &&
+ skb_shinfo(st->root_skb)->frag_list) {
+ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
+ st->frag_idx = 0;
+ goto next_skb;
+ }
+
+Actually I did some testing and added a few printks and found that the
+st->cur_skb->data was 0 and hence the ptr used by iscsi_tcp was null.
+This caused the kernel panic.
+
+ if (abs_offset < block_limit) {
+- *data = st->cur_skb->data + abs_offset;
++ *data = st->cur_skb->data + (abs_offset - st->stepped_offset);
+
+I enabled the debug_tcp and with a few printks found that the code did
+not go to the next_skb label and could find that the sequence being
+followed was this -
+
+It hit this if condition -
+
+ if (st->cur_skb->next) {
+ st->cur_skb = st->cur_skb->next;
+ st->frag_idx = 0;
+ goto next_skb;
+
+And so, now the st pointer is shifted to the next skb whereas actually
+it should have hit the second else if first since the data is in the
+frag_list.
+
+ else if (st->root_skb == st->cur_skb &&
+ skb_shinfo(st->root_skb)->frag_list) {
+ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
+ goto next_skb;
+ }
+
+Reversing the two conditions the attached patch fixes the issue for me
+on top of Herbert's patches.
+
+Signed-off-by: Shyam Iyer <shyam_iyer@dell.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/skbuff.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2110,13 +2110,13 @@ next_skb:
+ st->frag_data = NULL;
+ }
+
+- if (st->cur_skb->next) {
+- st->cur_skb = st->cur_skb->next;
++ if (st->root_skb == st->cur_skb &&
++ skb_shinfo(st->root_skb)->frag_list) {
++ st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
+ st->frag_idx = 0;
+ goto next_skb;
+- } else if (st->root_skb == st->cur_skb &&
+- skb_shinfo(st->root_skb)->frag_list) {
+- st->cur_skb = skb_shinfo(st->root_skb)->frag_list;
++ } else if (st->cur_skb->next) {
++ st->cur_skb = st->cur_skb->next;
+ st->frag_idx = 0;
+ goto next_skb;
+ }
--- /dev/null
+From 5ab332248846509501dc82025f7024eae3851818 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Mon, 2 Feb 2009 13:27:44 -0800
+Subject: net: Fix userland breakage wrt. linux/if_tunnel.h
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 0afd4a21ba7d75e93fa79cf05d7a21774e149c0f ]
+
+Reported by Andrew Walrond <andrew@walrond.org>
+
+Changeset c19e654ddbe3831252f61e76a74d661e1a755530
+("gre: Add netlink interface") added an include
+of linux/ip.h to linux/if_tunnel.h
+
+We can't really let that get exposed to userspace
+because this conflicts with types defined in netinet/ip.h
+which userland is almost certainly going to have included
+either explicitly or implicitly.
+
+So guard this include with a __KERNEL__ ifdef.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 2 +-
+ include/linux/if_tunnel.h | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/if_tunnel.h
++++ b/include/linux/if_tunnel.h
+@@ -2,7 +2,10 @@
+ #define _IF_TUNNEL_H_
+
+ #include <linux/types.h>
++
++#ifdef __KERNEL__
+ #include <linux/ip.h>
++#endif
+
+ #define SIOCGETTUNNEL (SIOCDEVPRIVATE + 0)
+ #define SIOCADDTUNNEL (SIOCDEVPRIVATE + 1)
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -92,7 +92,6 @@ header-y += if_ppp.h
+ header-y += if_slip.h
+ header-y += if_strip.h
+ header-y += if_tun.h
+-header-y += if_tunnel.h
+ header-y += in_route.h
+ header-y += ioctl.h
+ header-y += ip6_tunnel.h
+@@ -241,6 +240,7 @@ unifdef-y += if_phonet.h
+ unifdef-y += if_pppol2tp.h
+ unifdef-y += if_pppox.h
+ unifdef-y += if_tr.h
++unifdef-y += if_tunnel.h
+ unifdef-y += if_vlan.h
+ unifdef-y += igmp.h
+ unifdef-y += inet_diag.h
--- /dev/null
+From 43f0342d2c6907fc842e28341fae2673808fd800 Mon Sep 17 00:00:00 2001
+From: Sebastiano Di Paola <sebastiano.dipaola@gmail.com>
+Date: Fri, 30 Jan 2009 23:37:17 +0000
+Subject: net: packet socket packet_lookup_frame fix
+
+From: Sebastiano Di Paola <sebastiano.dipaola@gmail.com>
+
+[ Upstream commit f9e6934502e46c363100245f137ddf0f4b1cb574 ]
+
+packet_lookup_frames() fails to get user frame if current frame header
+status contains extra flags.
+This is due to the wrong assumption on the operators precedence during
+frame status tests.
+Fixed by forcing the right operators precedence order with explicit brackets.
+
+Signed-off-by: Paolo Abeni <paolo.abeni@gmail.com>
+Signed-off-by: Sebastiano Di Paola <sebastiano.dipaola@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/packet/af_packet.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -220,13 +220,13 @@ static void *packet_lookup_frame(struct
+ h.raw = po->pg_vec[pg_vec_pos] + (frame_offset * po->frame_size);
+ switch (po->tp_version) {
+ case TPACKET_V1:
+- if (status != h.h1->tp_status ? TP_STATUS_USER :
+- TP_STATUS_KERNEL)
++ if (status != (h.h1->tp_status ? TP_STATUS_USER :
++ TP_STATUS_KERNEL))
+ return NULL;
+ break;
+ case TPACKET_V2:
+- if (status != h.h2->tp_status ? TP_STATUS_USER :
+- TP_STATUS_KERNEL)
++ if (status != (h.h2->tp_status ? TP_STATUS_USER :
++ TP_STATUS_KERNEL))
+ return NULL;
+ break;
+ }
--- /dev/null
+From 8defbc406ce43e232a749ce593917cbc266db475 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 30 Jan 2009 14:12:06 -0800
+Subject: packet: Avoid lock_sock in mmap handler
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 905db44087855e3c1709f538ecdc22fd149cadd8 ]
+
+As the mmap handler gets called under mmap_sem, and we may grab
+mmap_sem elsewhere under the socket lock to access user data, we
+should avoid grabbing the socket lock in the mmap handler.
+
+Since the only thing we care about in the mmap handler is for
+pg_vec* to be invariant, i.e., to exclude packet_set_ring, we
+can achieve this by simply using a new mutex.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Martin MOKREJÅ <mmokrejs@ribosome.natur.cuni.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/packet/af_packet.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -77,6 +77,7 @@
+ #include <linux/poll.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
++#include <linux/mutex.h>
+
+ #ifdef CONFIG_INET
+ #include <net/inet_common.h>
+@@ -175,6 +176,7 @@ struct packet_sock {
+ #endif
+ struct packet_type prot_hook;
+ spinlock_t bind_lock;
++ struct mutex pg_vec_lock;
+ unsigned int running:1, /* prot_hook is attached*/
+ auxdata:1,
+ origdev:1;
+@@ -1068,6 +1070,7 @@ static int packet_create(struct net *net
+ */
+
+ spin_lock_init(&po->bind_lock);
++ mutex_init(&po->pg_vec_lock);
+ po->prot_hook.func = packet_rcv;
+
+ if (sock->type == SOCK_PACKET)
+@@ -1863,6 +1866,7 @@ static int packet_set_ring(struct sock *
+ synchronize_net();
+
+ err = -EBUSY;
++ mutex_lock(&po->pg_vec_lock);
+ if (closing || atomic_read(&po->mapped) == 0) {
+ err = 0;
+ #define XC(a, b) ({ __typeof__ ((a)) __t; __t = (a); (a) = (b); __t; })
+@@ -1884,6 +1888,7 @@ static int packet_set_ring(struct sock *
+ if (atomic_read(&po->mapped))
+ printk(KERN_DEBUG "packet_mmap: vma is busy: %d\n", atomic_read(&po->mapped));
+ }
++ mutex_unlock(&po->pg_vec_lock);
+
+ spin_lock(&po->bind_lock);
+ if (was_running && !po->running) {
+@@ -1916,7 +1921,7 @@ static int packet_mmap(struct file *file
+
+ size = vma->vm_end - vma->vm_start;
+
+- lock_sock(sk);
++ mutex_lock(&po->pg_vec_lock);
+ if (po->pg_vec == NULL)
+ goto out;
+ if (size != po->pg_vec_len*po->pg_vec_pages*PAGE_SIZE)
+@@ -1939,7 +1944,7 @@ static int packet_mmap(struct file *file
+ err = 0;
+
+ out:
+- release_sock(sk);
++ mutex_unlock(&po->pg_vec_lock);
+ return err;
+ }
+ #endif
--- /dev/null
+From 3abdbf90a3ffb006108c831c56b092e35483b6ec Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Wed, 11 Feb 2009 13:04:40 -0800
+Subject: parport: parport_serial, don't bind netmos ibm 0299
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 3abdbf90a3ffb006108c831c56b092e35483b6ec upstream.
+
+Since netmos 9835 with subids 0x1014(IBM):0x0299 is now bound with
+serial/8250_pci, because it has no parallel ports and subdevice id isn't
+in the expected form, return -ENODEV from probe function.
+
+This is performed in netmos preinit_hook.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/parport/parport_serial.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/parport/parport_serial.c
++++ b/drivers/parport/parport_serial.c
+@@ -64,6 +64,11 @@ struct parport_pc_pci {
+
+ static int __devinit netmos_parallel_init(struct pci_dev *dev, struct parport_pc_pci *card, int autoirq, int autodma)
+ {
++ /* the rule described below doesn't hold for this device */
++ if (dev->device == PCI_DEVICE_ID_NETMOS_9835 &&
++ dev->subsystem_vendor == PCI_VENDOR_ID_IBM &&
++ dev->subsystem_device == 0x0299)
++ return -ENODEV;
+ /*
+ * Netmos uses the subdevice ID to indicate the number of parallel
+ * and serial ports. The form is 0x00PS, where <P> is the number of
--- /dev/null
+From 6c24b17453c8dc444a746e45b8a404498fc9fcf7 Mon Sep 17 00:00:00 2001
+From: Kumar Gala <galak@kernel.crashing.org>
+Date: Mon, 9 Feb 2009 21:08:07 -0600
+Subject: powerpc/fsl-booke: Fix mapping functions to use phys_addr_t
+
+From: Kumar Gala <galak@kernel.crashing.org>
+
+commit 6c24b17453c8dc444a746e45b8a404498fc9fcf7 upstream.
+
+Fixed v_mapped_by_tlbcam() and p_mapped_by_tlbcam() to use phys_addr_t
+instead of unsigned long. In 36-bit physical mode we really need these
+functions to deal with phys_addr_t when trying to match a physical
+address or when returning one.
+
+Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/mm/fsl_booke_mmu.c | 4 ++--
+ arch/powerpc/mm/pgtable_32.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/mm/fsl_booke_mmu.c
++++ b/arch/powerpc/mm/fsl_booke_mmu.c
+@@ -80,7 +80,7 @@ extern unsigned int tlbcam_index;
+ /*
+ * Return PA for this VA if it is mapped by a CAM, or 0
+ */
+-unsigned long v_mapped_by_tlbcam(unsigned long va)
++phys_addr_t v_mapped_by_tlbcam(unsigned long va)
+ {
+ int b;
+ for (b = 0; b < tlbcam_index; ++b)
+@@ -92,7 +92,7 @@ unsigned long v_mapped_by_tlbcam(unsigne
+ /*
+ * Return VA for a given PA or 0 if not mapped
+ */
+-unsigned long p_mapped_by_tlbcam(unsigned long pa)
++unsigned long p_mapped_by_tlbcam(phys_addr_t pa)
+ {
+ int b;
+ for (b = 0; b < tlbcam_index; ++b)
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -65,8 +65,8 @@ void setbat(int index, unsigned long vir
+
+ #ifdef HAVE_TLBCAM
+ extern unsigned int tlbcam_index;
+-extern unsigned long v_mapped_by_tlbcam(unsigned long va);
+-extern unsigned long p_mapped_by_tlbcam(unsigned long pa);
++extern phys_addr_t v_mapped_by_tlbcam(unsigned long va);
++extern unsigned long p_mapped_by_tlbcam(phys_addr_t pa);
+ #else /* !HAVE_TLBCAM */
+ #define v_mapped_by_tlbcam(x) (0UL)
+ #define p_mapped_by_tlbcam(x) (0UL)
--- /dev/null
+From ad1d2d7ea3005dda363612c8ee7642f0a8970fe5 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Thu, 22 Jan 2009 14:52:43 -0800
+Subject: sctp: Correctly start rtx timer on new packet transmissions.
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 6574df9a89f9f7da3a4e5cee7633d430319d3350 ]
+
+Commit 62aeaff5ccd96462b7077046357a6d7886175a57
+(sctp: Start T3-RTX timer when fast retransmitting lowest TSN)
+introduced a regression where it was possible to forcibly
+restart the sctp retransmit timer at the transmission of any
+new chunk. This resulted in much longer timeout times and
+sometimes hung sctp connections.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/outqueue.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -929,7 +929,6 @@ static int sctp_outq_flush(struct sctp_o
+ }
+
+ /* Finally, transmit new packets. */
+- start_timer = 0;
+ while ((chunk = sctp_outq_dequeue_data(q)) != NULL) {
+ /* RFC 2960 6.5 Every DATA chunk MUST carry a valid
+ * stream identifier.
+@@ -1028,7 +1027,7 @@ static int sctp_outq_flush(struct sctp_o
+ list_add_tail(&chunk->transmitted_list,
+ &transport->transmitted);
+
+- sctp_transport_reset_timers(transport, start_timer-1);
++ sctp_transport_reset_timers(transport, 0);
+
+ q->empty = 0;
+
--- /dev/null
+From 18a053fe69e712d13c89dfc71fcd6ed4a60957bf Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Thu, 22 Jan 2009 14:52:23 -0800
+Subject: sctp: Fix crc32c calculations on big-endian arhes.
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 9c5ff5f75d0d0a1c7928ecfae3f38418b51a88e3 ]
+
+crc32c algorithm provides a byteswaped result. On little-endian
+arches, the result ends up in big-endian/network byte order.
+On big-endinan arches, the result ends up in little-endian
+order and needs to be byte swapped again. Thus calling cpu_to_le32
+gives the right output.
+
+Tested-by: Jukka Taimisto <jukka.taimisto@mail.suomi.net>
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/sctp/checksum.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/sctp/checksum.h
++++ b/include/net/sctp/checksum.h
+@@ -79,5 +79,5 @@ static inline __be32 sctp_update_cksum(_
+
+ static inline __be32 sctp_end_cksum(__be32 crc32)
+ {
+- return ~crc32;
++ return (__force __be32)~cpu_to_le32((__force u32)crc32);
+ }
--- /dev/null
+From 3e85145187a4c52c38b3fcb1fe73d273b9e3bd55 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Thu, 22 Jan 2009 14:53:01 -0800
+Subject: sctp: Properly timestamp outgoing data chunks for rtx purposes
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 759af00ebef858015eb68876ac1f383bcb6a1774 ]
+
+Recent changes to the retransmit code exposed a long standing
+bug where it was possible for a chunk to be time stamped
+after the retransmit timer was reset. This caused a rare
+situation where the retrnamist timer has expired, but
+nothing was marked for retrnasmission because all of
+timesamps on data were less then 1 rto ago. As result,
+the timer was never restarted since nothing was retransmitted,
+and this resulted in a hung association that did couldn't
+complete the data transfer. The solution is to timestamp
+the chunk when it's added to the packet for transmission
+purposes. After the packet is trsnmitted the rtx timer
+is restarted. This guarantees that when the timer expires,
+there will be data to retransmit.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/output.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -324,14 +324,16 @@ append:
+ switch (chunk->chunk_hdr->type) {
+ case SCTP_CID_DATA:
+ retval = sctp_packet_append_data(packet, chunk);
++ if (SCTP_XMIT_OK != retval)
++ goto finish;
+ /* Disallow SACK bundling after DATA. */
+ packet->has_sack = 1;
+ /* Disallow AUTH bundling after DATA */
+ packet->has_auth = 1;
+ /* Let it be knows that packet has DATA in it */
+ packet->has_data = 1;
+- if (SCTP_XMIT_OK != retval)
+- goto finish;
++ /* timestamp the chunk for rtx purposes */
++ chunk->sent_at = jiffies;
+ break;
+ case SCTP_CID_COOKIE_ECHO:
+ packet->has_cookie_echo = 1;
+@@ -470,7 +472,6 @@ int sctp_packet_transmit(struct sctp_pac
+ } else
+ chunk->resent = 1;
+
+- chunk->sent_at = jiffies;
+ has_data = 1;
+ }
+
--- /dev/null
+x86-vmi-put-a-missing-paravirt_release_pmd-in-pgd_dtor.patch
+nbd-fix-i-o-hang-on-disconnected-nbds.patch
+mac80211-restrict-to-ap-in-outgoing-interface-heuristic.patch
+w1-w1-temp-calculation-overflow-fix.patch
+zd1211rw-adding-0ace-0xa211-as-a-zd1211-device.patch
+zd1211rw-treat-maxim_new_rf-as-uw2453_rf-for-tp-link-wn322-422g.patch
+parport-parport_serial-don-t-bind-netmos-ibm-0299.patch
+syscall-define-fix-uml-compile-bug.patch
+kernel-doc-fix-syscall-wrapper-processing.patch
+fix-page-writeback-thinko-causing-berkeley-db-slowdown.patch
+write-back-fix-nr_to_write-counter.patch
+writeback-fix-break-condition.patch
+mm-rearrange-exit_mmap-to-unlock-before-arch_exit_mmap.patch
+powerpc-fsl-booke-fix-mapping-functions-to-use-phys_addr_t.patch
+lockd-fix-regression-in-lockd-s-handling-of-blocked-locks.patch
+sctp-fix-crc32c-calculations-on-big-endian-arhes.patch
+sctp-correctly-start-rtx-timer-on-new-packet-transmissions.patch
+sctp-properly-timestamp-outgoing-data-chunks-for-rtx-purposes.patch
+net-fix-frag_list-handling-in-skb_seq_read.patch
+net-fix-oops-in-skb_seq_read.patch
+drivers-net-skfp-if-capable-inverted-logic.patch
+ipv4-fix-infinite-retry-loop-in-ip-config.patch
+net-fix-userland-breakage-wrt.-linux-if_tunnel.h.patch
+net-packet-socket-packet_lookup_frame-fix.patch
+packet-avoid-lock_sock-in-mmap-handler.patch
+sungem-soft-lockup-in-sungem-on-netra-ac200-when-switching-interface-up.patch
+udp-fix-udp-short-packet-false-positive.patch
+udp-increments-sk_drops-in-__udp_queue_rcv_skb.patch
+ipv6-disallow-rediculious-flowlabel-option-sizes.patch
+ipv6-copy-cork-options-in-ip6_append_data.patch
+net-4-bytes-kernel-memory-disclosure-in-so_bsdcompat-gsopt-try-2.patch
+sky2-fix-hard-hang-with-netconsoling-and-iface-going-up.patch
+tun-add-some-missing-tun-compat-ioctl-translations.patch
+tun-fix-unicast-filter-overflow.patch
+virtio_net-fix-max_packet_len-to-support-802.1q-vlans.patch
+tcp-splice-as-many-packets-as-possible-at-once.patch
+tcp-fix-length-tcp_splice_data_recv-passes-to-skb_splice_bits.patch
+sparc-enable-syscall-wrappers-for-64-bit.patch
+sparc64-annotate-sparc64-specific-syscalls-with-syscall_definex.patch
--- /dev/null
+From e10e3ce9793b1511c0deb4081d0ecb2fa6872614 Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Fri, 30 Jan 2009 13:45:31 -0800
+Subject: sky2: fix hard hang with netconsoling and iface going up
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit a11da890e4c9850411303efcf6514f048ca880ee ]
+
+Printing anything over netconsole before hw is up and running is,
+of course, not going to work.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sky2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/sky2.c
++++ b/drivers/net/sky2.c
+@@ -1403,9 +1403,6 @@ static int sky2_up(struct net_device *de
+
+ }
+
+- if (netif_msg_ifup(sky2))
+- printk(KERN_INFO PFX "%s: enabling interface\n", dev->name);
+-
+ netif_carrier_off(dev);
+
+ /* must be power of 2 */
+@@ -1484,6 +1481,9 @@ static int sky2_up(struct net_device *de
+ sky2_write32(hw, B0_IMSK, imask);
+
+ sky2_set_multicast(dev);
++
++ if (netif_msg_ifup(sky2))
++ printk(KERN_INFO PFX "%s: enabling interface\n", dev->name);
+ return 0;
+
+ err_out:
--- /dev/null
+From 1caf71c29f3df0e070042e3c6be1699007882789 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 13 Feb 2009 00:25:10 -0800
+Subject: sparc: Enable syscall wrappers for 64-bit (CVE-2009-0029)
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+[ Upstream commit 67605d6812691bbd2158d2f60259e0407611bc1b ]
+
+sparc64 needs sign-extended function parameters. We have to enable
+the system call wrappers.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/sparc64/Kconfig
++++ b/arch/sparc64/Kconfig
+@@ -14,6 +14,7 @@ config SPARC64
+ select HAVE_FUNCTION_TRACER
+ select HAVE_IDE
+ select HAVE_LMB
++ select HAVE_SYSCALL_WRAPPERS
+ select HAVE_ARCH_KGDB
+ select USE_GENERIC_SMP_HELPERS if SMP
+ select HAVE_ARCH_TRACEHOOK
--- /dev/null
+From 17bb1acd4db2206779676b1641272cdc818059ae Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Fri, 13 Feb 2009 00:26:00 -0800
+Subject: sparc64: Annotate sparc64 specific syscalls with SYSCALL_DEFINEx()
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit e42650196df34789c825fa83f8bb37a5d5e52c14 ]
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/sys_sparc.c | 48 +++++++++++++++++++---------------------
+ arch/sparc64/kernel/syscalls.S | 2 -
+ arch/sparc64/kernel/systbls.S | 16 ++++++-------
+ arch/sparc64/kernel/systbls.h | 3 --
+ 4 files changed, 32 insertions(+), 37 deletions(-)
+
+--- a/arch/sparc64/kernel/syscalls.S
++++ b/arch/sparc64/kernel/syscalls.S
+@@ -21,7 +21,7 @@ execve_merge:
+
+ .align 32
+ sys_sparc_pipe:
+- ba,pt %xcc, sparc_pipe
++ ba,pt %xcc, sys_sparc_pipe_real
+ add %sp, PTREGS_OFF, %o0
+ sys_nis_syscall:
+ ba,pt %xcc, c_sys_nis_syscall
+--- a/arch/sparc64/kernel/sys_sparc.c
++++ b/arch/sparc64/kernel/sys_sparc.c
+@@ -397,7 +397,7 @@ void arch_pick_mmap_layout(struct mm_str
+ }
+ }
+
+-asmlinkage unsigned long sparc_brk(unsigned long brk)
++SYSCALL_DEFINE1(sparc_brk, unsigned long, brk)
+ {
+ /* People could try to be nasty and use ta 0x6d in 32bit programs */
+ if (test_thread_flag(TIF_32BIT) && brk >= STACK_TOP32)
+@@ -413,7 +413,7 @@ asmlinkage unsigned long sparc_brk(unsig
+ * sys_pipe() is the normal C calling standard for creating
+ * a pipe. It's not the way unix traditionally does this, though.
+ */
+-asmlinkage long sparc_pipe(struct pt_regs *regs)
++SYSCALL_DEFINE1(sparc_pipe_real, struct pt_regs *, regs)
+ {
+ int fd[2];
+ int error;
+@@ -433,8 +433,8 @@ out:
+ * This is really horribly ugly.
+ */
+
+-asmlinkage long sys_ipc(unsigned int call, int first, unsigned long second,
+- unsigned long third, void __user *ptr, long fifth)
++SYSCALL_DEFINE6(ipc, unsigned int, call, int, first, unsigned long, second,
++ unsigned long, third, void __user *, ptr, long, fifth)
+ {
+ long err;
+
+@@ -517,7 +517,7 @@ out:
+ return err;
+ }
+
+-asmlinkage long sparc64_newuname(struct new_utsname __user *name)
++SYSCALL_DEFINE1(sparc64_newuname, struct new_utsname __user *, name)
+ {
+ int ret = sys_newuname(name);
+
+@@ -528,7 +528,7 @@ asmlinkage long sparc64_newuname(struct
+ return ret;
+ }
+
+-asmlinkage long sparc64_personality(unsigned long personality)
++SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality)
+ {
+ int ret;
+
+@@ -562,9 +562,9 @@ int sparc_mmap_check(unsigned long addr,
+ }
+
+ /* Linux version of mmap */
+-asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+- unsigned long prot, unsigned long flags, unsigned long fd,
+- unsigned long off)
++SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
++ unsigned long, prot, unsigned long, flags, unsigned long, fd,
++ unsigned long, off)
+ {
+ struct file * file = NULL;
+ unsigned long retval = -EBADF;
+@@ -587,7 +587,7 @@ out:
+ return retval;
+ }
+
+-asmlinkage long sys64_munmap(unsigned long addr, size_t len)
++SYSCALL_DEFINE2(64_munmap, unsigned long, addr, size_t, len)
+ {
+ long ret;
+
+@@ -604,9 +604,9 @@ extern unsigned long do_mremap(unsigned
+ unsigned long old_len, unsigned long new_len,
+ unsigned long flags, unsigned long new_addr);
+
+-asmlinkage unsigned long sys64_mremap(unsigned long addr,
+- unsigned long old_len, unsigned long new_len,
+- unsigned long flags, unsigned long new_addr)
++SYSCALL_DEFINE5(64_mremap, unsigned long, addr, unsigned long, old_len,
++ unsigned long, new_len, unsigned long, flags,
++ unsigned long, new_addr)
+ {
+ unsigned long ret = -EINVAL;
+
+@@ -669,7 +669,7 @@ asmlinkage void sparc_breakpoint(struct
+
+ extern void check_pending(int signum);
+
+-asmlinkage long sys_getdomainname(char __user *name, int len)
++SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
+ {
+ int nlen, err;
+
+@@ -692,11 +692,10 @@ out:
+ return err;
+ }
+
+-asmlinkage long sys_utrap_install(utrap_entry_t type,
+- utrap_handler_t new_p,
+- utrap_handler_t new_d,
+- utrap_handler_t __user *old_p,
+- utrap_handler_t __user *old_d)
++SYSCALL_DEFINE5(utrap_install, utrap_entry_t, type,
++ utrap_handler_t, new_p, utrap_handler_t, new_d,
++ utrap_handler_t __user *, old_p,
++ utrap_handler_t __user *, old_d)
+ {
+ if (type < UT_INSTRUCTION_EXCEPTION || type > UT_TRAP_INSTRUCTION_31)
+ return -EINVAL;
+@@ -762,11 +761,9 @@ asmlinkage long sparc_memory_ordering(un
+ return 0;
+ }
+
+-asmlinkage long sys_rt_sigaction(int sig,
+- const struct sigaction __user *act,
+- struct sigaction __user *oact,
+- void __user *restorer,
+- size_t sigsetsize)
++SYSCALL_DEFINE5(rt_sigaction, int, sig, const struct sigaction __user *, act,
++ struct sigaction __user *, oact, void __user *, restorer,
++ size_t, sigsetsize)
+ {
+ struct k_sigaction new_ka, old_ka;
+ int ret;
+@@ -806,7 +803,8 @@ asmlinkage void update_perfctrs(void)
+ reset_pic();
+ }
+
+-asmlinkage long sys_perfctr(int opcode, unsigned long arg0, unsigned long arg1, unsigned long arg2)
++SYSCALL_DEFINE4(perfctr, int, opcode, unsigned long, arg0,
++ unsigned long, arg1, unsigned long, arg2)
+ {
+ int err = 0;
+
+--- a/arch/sparc64/kernel/systbls.h
++++ b/arch/sparc64/kernel/systbls.h
+@@ -16,9 +16,6 @@ extern asmlinkage long sys_ipc(unsigned
+ void __user *ptr, long fifth);
+ extern asmlinkage long sparc64_newuname(struct new_utsname __user *name);
+ extern asmlinkage long sparc64_personality(unsigned long personality);
+-extern asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+- unsigned long prot, unsigned long flags,
+- unsigned long fd, unsigned long off);
+ extern asmlinkage long sys64_munmap(unsigned long addr, size_t len);
+ extern asmlinkage unsigned long sys64_mremap(unsigned long addr,
+ unsigned long old_len,
+--- a/arch/sparc64/kernel/systbls.S
++++ b/arch/sparc64/kernel/systbls.S
+@@ -21,7 +21,7 @@ sys_call_table32:
+ /*0*/ .word sys_restart_syscall, sys32_exit, sys_fork, sys_read, sys_write
+ /*5*/ .word sys32_open, sys_close, sys32_wait4, sys32_creat, sys_link
+ /*10*/ .word sys_unlink, sunos_execv, sys_chdir, sys_chown16, sys32_mknod
+-/*15*/ .word sys_chmod, sys_lchown16, sparc_brk, sys32_perfctr, sys32_lseek
++/*15*/ .word sys_chmod, sys_lchown16, sys_sparc_brk, sys32_perfctr, sys32_lseek
+ /*20*/ .word sys_getpid, sys_capget, sys_capset, sys_setuid16, sys_getuid16
+ /*25*/ .word sys32_vmsplice, compat_sys_ptrace, sys_alarm, sys32_sigaltstack, sys_pause
+ /*30*/ .word compat_sys_utime, sys_lchown, sys_fchown, sys32_access, sys32_nice
+@@ -55,8 +55,8 @@ sys_call_table32:
+ /*170*/ .word sys32_lsetxattr, sys32_fsetxattr, sys_getxattr, sys_lgetxattr, compat_sys_getdents
+ .word sys_setsid, sys_fchdir, sys32_fgetxattr, sys_listxattr, sys_llistxattr
+ /*180*/ .word sys32_flistxattr, sys_removexattr, sys_lremovexattr, compat_sys_sigpending, sys_ni_syscall
+- .word sys32_setpgid, sys32_fremovexattr, sys32_tkill, sys32_exit_group, sparc64_newuname
+-/*190*/ .word sys32_init_module, sparc64_personality, sys_remap_file_pages, sys32_epoll_create, sys32_epoll_ctl
++ .word sys32_setpgid, sys32_fremovexattr, sys32_tkill, sys32_exit_group, sys_sparc64_newuname
++/*190*/ .word sys32_init_module, sys_sparc64_personality, sys_remap_file_pages, sys32_epoll_create, sys32_epoll_ctl
+ .word sys32_epoll_wait, sys32_ioprio_set, sys_getppid, sys32_sigaction, sys_sgetmask
+ /*200*/ .word sys32_ssetmask, sys_sigsuspend, compat_sys_newlstat, sys_uselib, compat_sys_old_readdir
+ .word sys32_readahead, sys32_socketcall, sys32_syslog, sys32_lookup_dcookie, sys32_fadvise64
+@@ -95,7 +95,7 @@ sys_call_table:
+ /*0*/ .word sys_restart_syscall, sparc_exit, sys_fork, sys_read, sys_write
+ /*5*/ .word sys_open, sys_close, sys_wait4, sys_creat, sys_link
+ /*10*/ .word sys_unlink, sys_nis_syscall, sys_chdir, sys_chown, sys_mknod
+-/*15*/ .word sys_chmod, sys_lchown, sparc_brk, sys_perfctr, sys_lseek
++/*15*/ .word sys_chmod, sys_lchown, sys_sparc_brk, sys_perfctr, sys_lseek
+ /*20*/ .word sys_getpid, sys_capget, sys_capset, sys_setuid, sys_getuid
+ /*25*/ .word sys_vmsplice, sys_ptrace, sys_alarm, sys_sigaltstack, sys_nis_syscall
+ /*30*/ .word sys_utime, sys_nis_syscall, sys_nis_syscall, sys_access, sys_nice
+@@ -106,7 +106,7 @@ sys_call_table:
+ .word sys_reboot, sys_nis_syscall, sys_symlink, sys_readlink, sys_execve
+ /*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_fstat64, sys_getpagesize
+ .word sys_msync, sys_vfork, sys_pread64, sys_pwrite64, sys_nis_syscall
+-/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys64_munmap, sys_mprotect
++/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys_64_munmap, sys_mprotect
+ .word sys_madvise, sys_vhangup, sys_nis_syscall, sys_mincore, sys_getgroups
+ /*80*/ .word sys_setgroups, sys_getpgrp, sys_nis_syscall, sys_setitimer, sys_nis_syscall
+ .word sys_swapon, sys_getitimer, sys_nis_syscall, sys_sethostname, sys_nis_syscall
+@@ -129,8 +129,8 @@ sys_call_table:
+ /*170*/ .word sys_lsetxattr, sys_fsetxattr, sys_getxattr, sys_lgetxattr, sys_getdents
+ .word sys_setsid, sys_fchdir, sys_fgetxattr, sys_listxattr, sys_llistxattr
+ /*180*/ .word sys_flistxattr, sys_removexattr, sys_lremovexattr, sys_nis_syscall, sys_ni_syscall
+- .word sys_setpgid, sys_fremovexattr, sys_tkill, sys_exit_group, sparc64_newuname
+-/*190*/ .word sys_init_module, sparc64_personality, sys_remap_file_pages, sys_epoll_create, sys_epoll_ctl
++ .word sys_setpgid, sys_fremovexattr, sys_tkill, sys_exit_group, sys_sparc64_newuname
++/*190*/ .word sys_init_module, sys_sparc64_personality, sys_remap_file_pages, sys_epoll_create, sys_epoll_ctl
+ .word sys_epoll_wait, sys_ioprio_set, sys_getppid, sys_nis_syscall, sys_sgetmask
+ /*200*/ .word sys_ssetmask, sys_nis_syscall, sys_newlstat, sys_uselib, sys_nis_syscall
+ .word sys_readahead, sys_socketcall, sys_syslog, sys_lookup_dcookie, sys_fadvise64
+@@ -142,7 +142,7 @@ sys_call_table:
+ .word sys_fstatfs64, sys_llseek, sys_mlock, sys_munlock, sys_mlockall
+ /*240*/ .word sys_munlockall, sys_sched_setparam, sys_sched_getparam, sys_sched_setscheduler, sys_sched_getscheduler
+ .word sys_sched_yield, sys_sched_get_priority_max, sys_sched_get_priority_min, sys_sched_rr_get_interval, sys_nanosleep
+-/*250*/ .word sys64_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl
++/*250*/ .word sys_64_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl
+ .word sys_sync_file_range, sys_clock_settime, sys_clock_gettime, sys_clock_getres, sys_clock_nanosleep
+ /*260*/ .word sys_sched_getaffinity, sys_sched_setaffinity, sys_timer_settime, sys_timer_gettime, sys_timer_getoverrun
+ .word sys_timer_delete, sys_timer_create, sys_ni_syscall, sys_io_setup, sys_io_destroy
--- /dev/null
+From 07a2a2f9314f6e61d9c544d6ada9892fb65cef00 Mon Sep 17 00:00:00 2001
+From: Ilkka Virta <itvirta@iki.fi>
+Date: Fri, 6 Feb 2009 22:00:36 -0800
+Subject: sungem: Soft lockup in sungem on Netra AC200 when switching interface up
+
+From: Ilkka Virta <itvirta@iki.fi>
+
+[ Upstream commit 71822faa3bc0af5dbf5e333a2d085f1ed7cd809f ]
+
+From: Ilkka Virta <itvirta@iki.fi>
+
+In the lockup situation the driver seems to go off in an eternal storm
+of interrupts right after calling request_irq(). It doesn't actually
+do anything interesting in the interrupt handler. Since connecting the link
+afterwards works, something later in initialization must fix this.
+
+Looking at gem_do_start() and gem_open(), it seems that the only thing
+done while opening the device after the request_irq(), is a call to
+napi_enable().
+
+I don't know what the ordering requirements are for the
+initialization, but I boldly tried to move the napi_enable() call
+inside gem_do_start() before the link state is checked and interrupts
+subsequently enabled, and it seems to work for me. Doesn't even break
+anything too obvious...
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sungem.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/sungem.c
++++ b/drivers/net/sungem.c
+@@ -2222,6 +2222,8 @@ static int gem_do_start(struct net_devic
+
+ gp->running = 1;
+
++ napi_enable(&gp->napi);
++
+ if (gp->lstate == link_up) {
+ netif_carrier_on(gp->dev);
+ gem_set_link_modes(gp);
+@@ -2239,6 +2241,8 @@ static int gem_do_start(struct net_devic
+ spin_lock_irqsave(&gp->lock, flags);
+ spin_lock(&gp->tx_lock);
+
++ napi_disable(&gp->napi);
++
+ gp->running = 0;
+ gem_reset(gp);
+ gem_clean_rings(gp);
+@@ -2339,8 +2343,6 @@ static int gem_open(struct net_device *d
+ if (!gp->asleep)
+ rc = gem_do_start(dev);
+ gp->opened = (rc == 0);
+- if (gp->opened)
+- napi_enable(&gp->napi);
+
+ mutex_unlock(&gp->pm_mutex);
+
+@@ -2477,8 +2479,6 @@ static int gem_resume(struct pci_dev *pd
+
+ /* Re-attach net device */
+ netif_device_attach(dev);
+-
+- napi_enable(&gp->napi);
+ }
+
+ spin_lock_irqsave(&gp->lock, flags);
--- /dev/null
+From 6c5979631b4b03c9288776562c18036765e398c1 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Wed, 11 Feb 2009 13:04:38 -0800
+Subject: syscall define: fix uml compile bug
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 6c5979631b4b03c9288776562c18036765e398c1 upstream.
+
+With the new system call defines we get this on uml:
+
+arch/um/sys-i386/built-in.o: In function `sys_call_table':
+(.rodata+0x308): undefined reference to `sys_sigprocmask'
+
+Reason for this is that uml passes the preprocessor option
+-Dsigprocmask=kernel_sigprocmask to gcc when compiling the kernel.
+This causes SYSCALL_DEFINE3(sigprocmask, ...) to be expanded to
+SYSCALL_DEFINEx(3, kernel_sigprocmask, ...) and finally to a system
+call named sys_kernel_sigprocmask. However sys_sigprocmask is missing
+because of this.
+
+To avoid macro expansion for the system call name just concatenate the
+name at first define instead of carrying it through severel levels.
+This was pointed out by Al Viro.
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: WANG Cong <wangcong@zeuux.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/syscalls.h | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -95,13 +95,13 @@ struct old_linux_dirent;
+ #define __SC_TEST5(t5, a5, ...) __SC_TEST(t5); __SC_TEST4(__VA_ARGS__)
+ #define __SC_TEST6(t6, a6, ...) __SC_TEST(t6); __SC_TEST5(__VA_ARGS__)
+
+-#define SYSCALL_DEFINE0(name) asmlinkage long sys_##name(void)
+-#define SYSCALL_DEFINE1(...) SYSCALL_DEFINEx(1, __VA_ARGS__)
+-#define SYSCALL_DEFINE2(...) SYSCALL_DEFINEx(2, __VA_ARGS__)
+-#define SYSCALL_DEFINE3(...) SYSCALL_DEFINEx(3, __VA_ARGS__)
+-#define SYSCALL_DEFINE4(...) SYSCALL_DEFINEx(4, __VA_ARGS__)
+-#define SYSCALL_DEFINE5(...) SYSCALL_DEFINEx(5, __VA_ARGS__)
+-#define SYSCALL_DEFINE6(...) SYSCALL_DEFINEx(6, __VA_ARGS__)
++#define SYSCALL_DEFINE0(name) asmlinkage long sys_##name(void)
++#define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
++#define SYSCALL_DEFINE2(name, ...) SYSCALL_DEFINEx(2, _##name, __VA_ARGS__)
++#define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__)
++#define SYSCALL_DEFINE4(name, ...) SYSCALL_DEFINEx(4, _##name, __VA_ARGS__)
++#define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__)
++#define SYSCALL_DEFINE6(name, ...) SYSCALL_DEFINEx(6, _##name, __VA_ARGS__)
+
+ #ifdef CONFIG_PPC64
+ #define SYSCALL_ALIAS(alias, name) \
+@@ -116,21 +116,21 @@ struct old_linux_dirent;
+
+ #define SYSCALL_DEFINE(name) static inline long SYSC_##name
+ #define SYSCALL_DEFINEx(x, name, ...) \
+- asmlinkage long sys_##name(__SC_DECL##x(__VA_ARGS__)); \
+- static inline long SYSC_##name(__SC_DECL##x(__VA_ARGS__)); \
+- asmlinkage long SyS_##name(__SC_LONG##x(__VA_ARGS__)) \
++ asmlinkage long sys##name(__SC_DECL##x(__VA_ARGS__)); \
++ static inline long SYSC##name(__SC_DECL##x(__VA_ARGS__)); \
++ asmlinkage long SyS##name(__SC_LONG##x(__VA_ARGS__)) \
+ { \
+ __SC_TEST##x(__VA_ARGS__); \
+- return (long) SYSC_##name(__SC_CAST##x(__VA_ARGS__)); \
++ return (long) SYSC##name(__SC_CAST##x(__VA_ARGS__)); \
+ } \
+- SYSCALL_ALIAS(sys_##name, SyS_##name); \
+- static inline long SYSC_##name(__SC_DECL##x(__VA_ARGS__))
++ SYSCALL_ALIAS(sys##name, SyS##name); \
++ static inline long SYSC##name(__SC_DECL##x(__VA_ARGS__))
+
+ #else /* CONFIG_HAVE_SYSCALL_WRAPPERS */
+
+ #define SYSCALL_DEFINE(name) asmlinkage long sys_##name
+ #define SYSCALL_DEFINEx(x, name, ...) \
+- asmlinkage long sys_##name(__SC_DECL##x(__VA_ARGS__))
++ asmlinkage long sys##name(__SC_DECL##x(__VA_ARGS__))
+
+ #endif /* CONFIG_HAVE_SYSCALL_WRAPPERS */
+
--- /dev/null
+From 422fdbf8d7a4cb686a70d174f06555a821d06216 Mon Sep 17 00:00:00 2001
+From: Dimitris Michailidis <dm@chelsio.com>
+Date: Mon, 26 Jan 2009 22:15:31 -0800
+Subject: tcp: Fix length tcp_splice_data_recv passes to skb_splice_bits.
+
+From: Dimitris Michailidis <dm@chelsio.com>
+
+[ Upstream commit 9fa5fdf291c9b58b1cb8b4bb2a0ee57efa21d635 ]
+
+tcp_splice_data_recv has two lengths to consider: the len parameter it
+gets from tcp_read_sock, which specifies the amount of data in the skb,
+and rd_desc->count, which is the amount of data the splice caller still
+wants. Currently it passes just the latter to skb_splice_bits, which then
+splices min(rd_desc->count, skb->len - offset) bytes.
+
+Most of the time this is fine, except when the skb contains urgent data.
+In that case len goes only up to the urgent byte and is less than
+skb->len - offset. By ignoring len tcp_splice_data_recv may a) splice
+data tcp_read_sock told it not to, b) return to tcp_read_sock a value > len.
+
+Now, tcp_read_sock doesn't handle used > len and leaves the socket in a
+bad state (both sk_receive_queue and copied_seq are bad at that point)
+resulting in duplicated data and corruption.
+
+Fix by passing min(rd_desc->count, len) to skb_splice_bits.
+
+Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
+Acked-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -522,7 +522,8 @@ static int tcp_splice_data_recv(read_des
+ struct tcp_splice_state *tss = rd_desc->arg.data;
+ int ret;
+
+- ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags);
++ ret = skb_splice_bits(skb, offset, tss->pipe, min(rd_desc->count, len),
++ tss->flags);
+ if (ret > 0)
+ rd_desc->count -= ret;
+ return ret;
--- /dev/null
+From e1037dab62346300c370b6017ea5083c0c1c5366 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 13 Jan 2009 16:04:36 -0800
+Subject: tcp: splice as many packets as possible at once
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 33966dd0e2f68f26943cd9ee93ec6abbc6547a8e ]
+
+As spotted by Willy Tarreau, current splice() from tcp socket to pipe is not
+optimal. It processes at most one segment per call.
+This results in low performance and very high overhead due to syscall rate
+when splicing from interfaces which do not support LRO.
+
+Willy provided a patch inside tcp_splice_read(), but a better fix
+is to let tcp_read_sock() process as many segments as possible, so
+that tcp_rcv_space_adjust() and tcp_cleanup_rbuf() are called less
+often.
+
+With this change, splice() behaves like tcp_recvmsg(), being able
+to consume many skbs in one system call. With typical 1460 bytes
+of payload per frame, that means splice(SPLICE_F_NONBLOCK) can return
+16*1460 = 23360 bytes.
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -520,8 +520,12 @@ static int tcp_splice_data_recv(read_des
+ unsigned int offset, size_t len)
+ {
+ struct tcp_splice_state *tss = rd_desc->arg.data;
++ int ret;
+
+- return skb_splice_bits(skb, offset, tss->pipe, tss->len, tss->flags);
++ ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags);
++ if (ret > 0)
++ rd_desc->count -= ret;
++ return ret;
+ }
+
+ static int __tcp_splice_read(struct sock *sk, struct tcp_splice_state *tss)
+@@ -529,6 +533,7 @@ static int __tcp_splice_read(struct sock
+ /* Store TCP splice context information in read_descriptor_t. */
+ read_descriptor_t rd_desc = {
+ .arg.data = tss,
++ .count = tss->len,
+ };
+
+ return tcp_read_sock(sk, &rd_desc, tcp_splice_data_recv);
+@@ -613,11 +618,13 @@ ssize_t tcp_splice_read(struct socket *s
+ tss.len -= ret;
+ spliced += ret;
+
++ if (!timeo)
++ break;
+ release_sock(sk);
+ lock_sock(sk);
+
+ if (sk->sk_err || sk->sk_state == TCP_CLOSE ||
+- (sk->sk_shutdown & RCV_SHUTDOWN) || !timeo ||
++ (sk->sk_shutdown & RCV_SHUTDOWN) ||
+ signal_pending(current))
+ break;
+ }
--- /dev/null
+From f25e709c3968c8a8ab5c9bcf54005437e6de20ec Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Thu, 29 Jan 2009 16:53:35 -0800
+Subject: tun: Add some missing TUN compat ioctl translations.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit df1c46b2b6876d0a1b1b4740f009fa69d95ebbc9 ]
+
+Based upon a report from Michael Tokarev <mjt@tls.msk.ru>:
+
+ Just saw in dmesg:
+
+ ioctl32(kvm:4408): Unknown cmd fd(9) cmd(800454cf){t:'T';sz:4} arg(ffc668e4) on /dev/net/tun
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/compat_ioctl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -538,6 +538,7 @@ static int dev_ifsioc(unsigned int fd, u
+ * cannot be fixed without breaking all existing apps.
+ */
+ case TUNSETIFF:
++ case TUNGETIFF:
+ case SIOCGIFFLAGS:
+ case SIOCGIFMETRIC:
+ case SIOCGIFMTU:
+@@ -1982,6 +1983,11 @@ COMPATIBLE_IOCTL(TUNSETNOCSUM)
+ COMPATIBLE_IOCTL(TUNSETDEBUG)
+ COMPATIBLE_IOCTL(TUNSETPERSIST)
+ COMPATIBLE_IOCTL(TUNSETOWNER)
++COMPATIBLE_IOCTL(TUNSETLINK)
++COMPATIBLE_IOCTL(TUNSETGROUP)
++COMPATIBLE_IOCTL(TUNGETFEATURES)
++COMPATIBLE_IOCTL(TUNSETOFFLOAD)
++COMPATIBLE_IOCTL(TUNSETTXFILTER)
+ /* Big V */
+ COMPATIBLE_IOCTL(VT_SETMODE)
+ COMPATIBLE_IOCTL(VT_GETMODE)
+@@ -2573,6 +2579,7 @@ HANDLE_IOCTL(SIOCGIFPFLAGS, dev_ifsioc)
+ HANDLE_IOCTL(SIOCGIFTXQLEN, dev_ifsioc)
+ HANDLE_IOCTL(SIOCSIFTXQLEN, dev_ifsioc)
+ HANDLE_IOCTL(TUNSETIFF, dev_ifsioc)
++HANDLE_IOCTL(TUNGETIFF, dev_ifsioc)
+ HANDLE_IOCTL(SIOCETHTOOL, ethtool_ioctl)
+ HANDLE_IOCTL(SIOCBONDENSLAVE, bond_ioctl)
+ HANDLE_IOCTL(SIOCBONDRELEASE, bond_ioctl)
--- /dev/null
+From 5fcfe132d54414cc4c4df456bccce29a383c1d25 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@hp.com>
+Date: Sun, 8 Feb 2009 17:49:17 -0800
+Subject: tun: Fix unicast filter overflow
+
+From: Alex Williamson <alex.williamson@hp.com>
+
+[ Upstream commit cfbf84fcbcda98bb91ada683a8dc8e6901a83ebd ]
+
+Tap devices can make use of a small MAC filter set via the
+TUNSETTXFILTER ioctl. The filter has a set of exact matches
+plus a hash for imperfect filtering of additional multicast
+addresses. The current code is unbalanced, adding unicast
+addresses to the multicast hash, but only checking the hash
+against multicast addresses. This results in the filter
+dropping unicast addresses that overflow the exact filter.
+The fix is simply to disable the filter by leaving count set
+to zero if we find non-multicast addresses after the exact
+match table is filled.
+
+Signed-off-by: Alex Williamson <alex.williamson@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tun.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -157,10 +157,16 @@ static int update_filter(struct tap_filt
+
+ nexact = n;
+
+- /* The rest is hashed */
++ /* Remaining multicast addresses are hashed,
++ * unicast will leave the filter disabled. */
+ memset(filter->mask, 0, sizeof(filter->mask));
+- for (; n < uf.count; n++)
++ for (; n < uf.count; n++) {
++ if (!is_multicast_ether_addr(addr[n].u)) {
++ err = 0; /* no filter */
++ goto done;
++ }
+ addr_hash_set(filter->mask, addr[n].u);
++ }
+
+ /* For ALLMULTI just set the mask to all ones.
+ * This overrides the mask populated above. */
--- /dev/null
+From 287465ec54f475979395aa2a3b0781b72c1c9667 Mon Sep 17 00:00:00 2001
+From: Jesper Dangaard Brouer <hawk@comx.dk>
+Date: Thu, 5 Feb 2009 15:05:45 -0800
+Subject: udp: Fix UDP short packet false positive
+
+From: Jesper Dangaard Brouer <hawk@comx.dk>
+
+[ Upstream commit 7b5e56f9d635643ad54f2f42e69ad16b80a2cff1 ]
+
+The UDP header pointer assignment must happen after calling
+pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB
+buffer.
+
+This was exposted by running multicast traffic through the NIU driver,
+as it won't prepull the protocol headers into the linear area on
+receive.
+
+Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/udp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1155,7 +1155,7 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ int proto)
+ {
+ struct sock *sk;
+- struct udphdr *uh = udp_hdr(skb);
++ struct udphdr *uh;
+ unsigned short ulen;
+ struct rtable *rt = (struct rtable*)skb->dst;
+ __be32 saddr = ip_hdr(skb)->saddr;
+@@ -1168,6 +1168,7 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ if (!pskb_may_pull(skb, sizeof(struct udphdr)))
+ goto drop; /* No space for header. */
+
++ uh = udp_hdr(skb);
+ ulen = ntohs(uh->len);
+ if (ulen > skb->len)
+ goto short_packet;
--- /dev/null
+From d6d7578f048f4cd98bc47d7235fdc558c587292b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <dada1@cosmosbay.com>
+Date: Mon, 2 Feb 2009 13:41:57 -0800
+Subject: udp: increments sk_drops in __udp_queue_rcv_skb()
+
+From: Eric Dumazet <dada1@cosmosbay.com>
+
+[ Upstream commit e408b8dcb5ce42243a902205005208e590f28454 ]
+
+Commit 93821778def10ec1e69aa3ac10adee975dad4ff3 (udp: Fix rcv socket
+locking) accidentally removed sk_drops increments for UDP IPV4
+sockets.
+
+This field can be used to detect incorrect sizing of socket receive
+buffers.
+
+Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/udp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -942,9 +942,11 @@ static int __udp_queue_rcv_skb(struct so
+
+ if ((rc = sock_queue_rcv_skb(sk, skb)) < 0) {
+ /* Note that an ENOMEM error is charged twice */
+- if (rc == -ENOMEM)
++ if (rc == -ENOMEM) {
+ UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
+ is_udplite);
++ atomic_inc(&sk->sk_drops);
++ }
+ goto drop;
+ }
+
--- /dev/null
+From 1d9a6e1f77cdc3e34f1033df3ffecbc63fd6123e Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@hp.com>
+Date: Fri, 13 Feb 2009 00:06:29 -0800
+Subject: virtio_net: Fix MAX_PACKET_LEN to support 802.1Q VLANs
+
+From: Alex Williamson <alex.williamson@hp.com>
+
+[ Upstream commit e918085aaff34086e265f825dd469926b1aec4a4 ]
+
+802.1Q expanded the maximum ethernet frame size by 4 bytes for the
+VLAN tag. We're not taking this into account in virtio_net, which
+means the buffers we provide to the backend in the virtqueue RX ring
+aren't big enough to hold a full MTU VLAN packet. For QEMU/KVM,
+this results in the backend exiting with a packet truncation error.
+
+Signed-off-by: Alex Williamson <alex.williamson@hp.com>
+Acked-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/virtio_net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -24,6 +24,7 @@
+ #include <linux/virtio.h>
+ #include <linux/virtio_net.h>
+ #include <linux/scatterlist.h>
++#include <linux/if_vlan.h>
+
+ static int napi_weight = 128;
+ module_param(napi_weight, int, 0444);
+@@ -33,7 +34,7 @@ module_param(csum, bool, 0444);
+ module_param(gso, bool, 0444);
+
+ /* FIXME: MTU in config. */
+-#define MAX_PACKET_LEN (ETH_HLEN+ETH_DATA_LEN)
++#define MAX_PACKET_LEN (ETH_HLEN + VLAN_HLEN + ETH_DATA_LEN)
+
+ struct virtnet_info
+ {
--- /dev/null
+From 507e2fbaaacb6f164b4125b87c5002f95143174b Mon Sep 17 00:00:00 2001
+From: Ian Dall <ian@beware.dropbear.id.au>
+Date: Wed, 11 Feb 2009 13:04:46 -0800
+Subject: w1: w1 temp calculation overflow fix
+
+From: Ian Dall <ian@beware.dropbear.id.au>
+
+commit 507e2fbaaacb6f164b4125b87c5002f95143174b upstream.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=12646
+
+When the temperature exceeds 32767 milli-degrees the temperature overflows
+to -32768 millidegrees. These are bothe well within the -55 - +125 degree
+range for the sensor.
+
+Fix overflow in left-shift of a u8.
+
+Signed-off-by: Ian Dall <ian@beware.dropbear.id.au>
+Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/w1/slaves/w1_therm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/w1/slaves/w1_therm.c
++++ b/drivers/w1/slaves/w1_therm.c
+@@ -115,7 +115,7 @@ static struct w1_therm_family_converter
+
+ static inline int w1_DS18B20_convert_temp(u8 rom[9])
+ {
+- s16 t = (rom[1] << 8) | rom[0];
++ int t = ((s16)rom[1] << 8) | rom[0];
+ t = t*1000/16;
+ return t;
+ }
--- /dev/null
+From dcf6a79dda5cc2a2bec183e50d829030c0972aaa Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Mon, 2 Feb 2009 18:33:49 +0200
+Subject: write-back: fix nr_to_write counter
+
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+
+commit dcf6a79dda5cc2a2bec183e50d829030c0972aaa upstream.
+
+Commit 05fe478dd04e02fa230c305ab9b5616669821dd3 introduced some
+@wbc->nr_to_write breakage.
+
+It made the following changes:
+ 1. Decrement wbc->nr_to_write instead of nr_to_write
+ 2. Decrement wbc->nr_to_write _only_ if wbc->sync_mode == WB_SYNC_NONE
+ 3. If synced nr_to_write pages, stop only if if wbc->sync_mode ==
+ WB_SYNC_NONE, otherwise keep going.
+
+However, according to the commit message, the intention was to only make
+change 3. Change 1 is a bug. Change 2 does not seem to be necessary,
+and it breaks UBIFS expectations, so if needed, it should be done
+separately later. And change 2 does not seem to be documented in the
+commit message.
+
+This patch does the following:
+ 1. Undo changes 1 and 2
+ 2. Add a comment explaining change 3 (it very useful to have comments
+ in _code_, not only in the commit).
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Acked-by: Nick Piggin <npiggin@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/page-writeback.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -981,13 +981,22 @@ continue_unlock:
+ }
+ }
+
+- if (wbc->sync_mode == WB_SYNC_NONE) {
+- wbc->nr_to_write--;
+- if (wbc->nr_to_write <= 0) {
+- done = 1;
+- break;
+- }
++ if (nr_to_write > 0)
++ nr_to_write--;
++ else if (wbc->sync_mode == WB_SYNC_NONE) {
++ /*
++ * We stop writing back only if we are not
++ * doing integrity sync. In case of integrity
++ * sync we have to keep going because someone
++ * may be concurrently dirtying pages, and we
++ * might have synced a lot of newly appeared
++ * dirty pages, but have not synced all of the
++ * old dirty pages.
++ */
++ done = 1;
++ break;
+ }
++
+ if (wbc->nonblocking && bdi_write_congested(bdi)) {
+ wbc->encountered_congestion = 1;
+ done = 1;
--- /dev/null
+From 89e1219004b3657cc014521663eeef0744f1c99d Mon Sep 17 00:00:00 2001
+From: Federico Cuello <fedux@lugmen.org.ar>
+Date: Wed, 11 Feb 2009 13:04:39 -0800
+Subject: writeback: fix break condition
+
+From: Federico Cuello <fedux@lugmen.org.ar>
+
+commit 89e1219004b3657cc014521663eeef0744f1c99d upstream.
+
+Commit dcf6a79dda5cc2a2bec183e50d829030c0972aaa ("write-back: fix
+nr_to_write counter") fixed nr_to_write counter, but didn't set the break
+condition properly.
+
+If nr_to_write == 0 after being decremented it will loop one more time
+before setting done = 1 and breaking the loop.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Cc: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Acked-by: Nick Piggin <npiggin@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/page-writeback.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -981,20 +981,23 @@ continue_unlock:
+ }
+ }
+
+- if (nr_to_write > 0)
++ if (nr_to_write > 0) {
+ nr_to_write--;
+- else if (wbc->sync_mode == WB_SYNC_NONE) {
+- /*
+- * We stop writing back only if we are not
+- * doing integrity sync. In case of integrity
+- * sync we have to keep going because someone
+- * may be concurrently dirtying pages, and we
+- * might have synced a lot of newly appeared
+- * dirty pages, but have not synced all of the
+- * old dirty pages.
+- */
+- done = 1;
+- break;
++ if (nr_to_write == 0 &&
++ wbc->sync_mode == WB_SYNC_NONE) {
++ /*
++ * We stop writing back only if we are
++ * not doing integrity sync. In case of
++ * integrity sync we have to keep going
++ * because someone may be concurrently
++ * dirtying pages, and we might have
++ * synced a lot of newly appeared dirty
++ * pages, but have not synced all of the
++ * old dirty pages.
++ */
++ done = 1;
++ break;
++ }
+ }
+
+ if (wbc->nonblocking && bdi_write_congested(bdi)) {
--- /dev/null
+From 55a8ba4b7f76bebd7e8ce3f74c04b140627a1bad Mon Sep 17 00:00:00 2001
+From: Alok Kataria <akataria@vmware.com>
+Date: Fri, 6 Feb 2009 10:29:35 -0800
+Subject: x86, vmi: put a missing paravirt_release_pmd in pgd_dtor
+
+From: Alok Kataria <akataria@vmware.com>
+
+commit 55a8ba4b7f76bebd7e8ce3f74c04b140627a1bad upstream.
+
+Commit 6194ba6ff6ccf8d5c54c857600843c67aa82c407 ("x86: don't special-case
+pmd allocations as much") made changes to the way we handle pmd allocations,
+and while doing that it dropped a call to paravirt_release_pd on the
+pgd page from the pgd_dtor code path.
+
+As a result of this missing release, the hypervisor is now unaware of the
+pgd page being freed, and as a result it ends up tracking this page as a
+page table page.
+
+After this the guest may start using the same page for other purposes, and
+depending on what use the page is put to, it may result in various performance
+and/or functional issues ( hangs, reboots).
+
+Since this release is only required for VMI, I now release the pgd page from
+the (vmi)_pgd_free hook.
+
+Signed-off-by: Alok N Kataria <akataria@vmware.com>
+Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/vmi_32.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/kernel/vmi_32.c
++++ b/arch/x86/kernel/vmi_32.c
+@@ -430,6 +430,16 @@ static void vmi_release_pmd(unsigned lon
+ }
+
+ /*
++ * We use the pgd_free hook for releasing the pgd page:
++ */
++static void vmi_pgd_free(struct mm_struct *mm, pgd_t *pgd)
++{
++ unsigned long pfn = __pa(pgd) >> PAGE_SHIFT;
++
++ vmi_ops.release_page(pfn, VMI_PAGE_L2);
++}
++
++/*
+ * Helper macros for MMU update flags. We can defer updates until a flush
+ * or page invalidation only if the update is to the current address space
+ * (otherwise, there is no flush). We must check against init_mm, since
+@@ -881,6 +891,7 @@ static inline int __init activate_vmi(vo
+ if (vmi_ops.release_page) {
+ pv_mmu_ops.release_pte = vmi_release_pte;
+ pv_mmu_ops.release_pmd = vmi_release_pmd;
++ pv_mmu_ops.pgd_free = vmi_pgd_free;
+ }
+
+ /* Set linear is needed in all cases */
--- /dev/null
+From 14990c69b5f51dd57b4e0e2373de50239ac861e2 Mon Sep 17 00:00:00 2001
+From: Hin-Tak Leung <hintak.leung@gmail.com>
+Date: Sun, 8 Feb 2009 02:13:56 +0000
+Subject: zd1211rw: adding 0ace:0xa211 as a ZD1211 device
+
+From: Hin-Tak Leung <hintak.leung@gmail.com>
+
+commit 14990c69b5f51dd57b4e0e2373de50239ac861e2 upstream.
+
+Christoph Biedl <sourceforge.bnwi@manchmal.in-ulm.de> reported success
+in the sourceforge zd1211 mailing list on this addition. This product ID
+was supported by the vendor driver ZD1211LnxDrv 2.22.0.0 (and possibly
+earlier) and it probably should have been added earlier.
+
+Signed-off-by: Hin-Tak Leung <htl10@users.sourceforge.net>
+Tested-by: Christoph Biedl <sourceforge.bnwi@manchmal.in-ulm.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/zd1211rw/zd_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/zd1211rw/zd_usb.c
++++ b/drivers/net/wireless/zd1211rw/zd_usb.c
+@@ -37,6 +37,7 @@
+ static struct usb_device_id usb_ids[] = {
+ /* ZD1211 */
+ { USB_DEVICE(0x0ace, 0x1211), .driver_info = DEVICE_ZD1211 },
++ { USB_DEVICE(0x0ace, 0xa211), .driver_info = DEVICE_ZD1211 },
+ { USB_DEVICE(0x07b8, 0x6001), .driver_info = DEVICE_ZD1211 },
+ { USB_DEVICE(0x126f, 0xa006), .driver_info = DEVICE_ZD1211 },
+ { USB_DEVICE(0x6891, 0xa727), .driver_info = DEVICE_ZD1211 },
--- /dev/null
+From efb43f4b2ccf8066abc3920a0e6858e4350a65c7 Mon Sep 17 00:00:00 2001
+From: Hin-Tak Leung <hintak.leung@gmail.com>
+Date: Wed, 4 Feb 2009 23:40:43 +0000
+Subject: zd1211rw: treat MAXIM_NEW_RF(0x08) as UW2453_RF(0x09) for TP-Link WN322/422G
+
+From: Hin-Tak Leung <hintak.leung@gmail.com>
+
+commit efb43f4b2ccf8066abc3920a0e6858e4350a65c7 upstream.
+
+Three people (Petr Mensik <pihhan@cipis.net>
+["si" should be U+0161 U+00ED], Stephen Ho <stephenhoinhk@gmail.com>
+on zd1211-devs and Ismael Ojeda Perez <iojedaperez@gmail.com>
+on linux-wireless) reported success in getting TP-Link WN322G/WN422G
+working by treating MAXIM_NEW_RF(0x08) as UW2453_RF(0x09) for rf
+chip hardware initialization.
+
+Signed-off-by: Hin-Tak Leung <htl10@users.sourceforge.net>
+Tested-by: Petr Mensik <pihhan@cipis.net>
+Tested-by: Stephen Ho <stephenhoinhk@gmail.com>
+Tested-by: Ismael Ojeda Perez <iojedaperez@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/zd1211rw/zd_rf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/zd1211rw/zd_rf.c
++++ b/drivers/net/wireless/zd1211rw/zd_rf.c
+@@ -86,6 +86,7 @@ int zd_rf_init_hw(struct zd_rf *rf, u8 t
+ case AL7230B_RF:
+ r = zd_rf_init_al7230b(rf);
+ break;
++ case MAXIM_NEW_RF:
+ case UW2453_RF:
+ r = zd_rf_init_uw2453(rf);
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
