--- /dev/null
+From 97ecdadc284e820931f27c6345b0ff8b85792346 Mon Sep 17 00:00:00 2001
+From: Etienne Basset <etienne.basset@numericable.fr>
+Date: Tue, 31 Mar 2009 23:54:11 +0200
+Subject: security/smack: fix oops when setting a size 0 SMACK64 xattr
+
+From: Etienne Basset <etienne.basset@numericable.fr>
+
+upstream commit: 4303154e86597885bc3cbc178a48ccbc8213875f
+
+this patch fix an oops in smack when setting a size 0 SMACK64 xattr eg
+attr -S -s SMACK64 -V '' somefile
+This oops because smk_import_entry treats a 0 length as SMK_MAXLEN
+
+Signed-off-by: Etienne Basset <etienne.basset@numericable.fr>
+Reviewed-by: James Morris <jmorris@namei.org>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ security/smack/smack_lsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -604,6 +604,8 @@ static int smack_inode_setxattr(struct d
+ strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
+ if (!capable(CAP_MAC_ADMIN))
+ rc = -EPERM;
++ if (size == 0)
++ rc = -EINVAL;
+ } else
+ rc = cap_inode_setxattr(dentry, name, value, size, flags);
+
+@@ -1360,7 +1362,7 @@ static int smack_inode_setsecurity(struc
+ struct socket *sock;
+ int rc = 0;
+
+- if (value == NULL || size > SMK_LABELLEN)
++ if (value == NULL || size > SMK_LABELLEN || size == 0)
+ return -EACCES;
+
+ sp = smk_import(value, size);
--- /dev/null
+From 32626208c6548358e28b0857ad030b8a3fa12d86 Mon Sep 17 00:00:00 2001
+From: Michael K. Johnson <johnsonm@rpath.com>
+Date: Wed, 1 Apr 2009 20:40:02 +0000
+Subject: x86, setup: mark %esi as clobbered in E820 BIOS call
+
+From: Michael K. Johnson <johnsonm@rpath.com>
+
+upstream commit: 01522df346f846906eaf6ca57148641476209909
+
+Jordan Hargrave diagnosed a BIOS clobbering %esi in the E820 call.
+That particular BIOS has been fixed, but there is a possibility that
+this is responsible for other occasional reports of early boot
+failure, and it does not hurt to add %esi to the clobbers.
+
+-stable candidate patch.
+
+Cc: Justin Forbes <jmforbes@linuxtx.org>
+Signed-off-by: Michael K Johnson <johnsonm@rpath.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: stable@kernel.org
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/boot/memory.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/boot/memory.c
++++ b/arch/x86/boot/memory.c
+@@ -27,13 +27,14 @@ static int detect_memory_e820(void)
+ do {
+ size = sizeof(struct e820entry);
+
+- /* Important: %edx is clobbered by some BIOSes,
+- so it must be either used for the error output
++ /* Important: %edx and %esi are clobbered by some BIOSes,
++ so they must be either used for the error output
+ or explicitly marked clobbered. */
+ asm("int $0x15; setc %0"
+ : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
+ "=m" (*desc)
+- : "D" (desc), "d" (SMAP), "a" (0xe820));
++ : "D" (desc), "d" (SMAP), "a" (0xe820)
++ : "esi");
+
+ /* BIOSes which terminate the chain with CF = 1 as opposed
+ to %ebx = 0 don't always report the SMAP signature on
--- /dev/null
+From d4a0936d21ddba01f85daf686625f0004b896aae Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Fri, 3 Apr 2009 04:35:12 +0000
+Subject: mm: do_xip_mapping_read: fix length calculation
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8
+
+The calculation of the value nr in do_xip_mapping_read is incorrect. If
+the copy required more than one iteration in the do while loop the copies
+variable will be non-zero. The maximum length that may be passed to the
+call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the
+check only compares against (nr > len).
+
+This bug is the cause for the heap corruption Carsten has been chasing
+for so long:
+
+---
+ mm/filemap_xip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/filemap_xip.c
++++ b/mm/filemap_xip.c
+@@ -89,8 +89,8 @@ do_xip_mapping_read(struct address_space
+ }
+ }
+ nr = nr - offset;
+- if (nr > len)
+- nr = len;
++ if (nr > len - copied)
++ nr = len - copied;
+
+ error = mapping->a_ops->get_xip_mem(mapping, index, 0,
+ &xip_mem, &xip_pfn);
--- /dev/null
+From 187ab6618c3afae07d5ca0727966ea461e5d07a7 Mon Sep 17 00:00:00 2001
+From: Wu Fengguang <fengguang.wu@intel.com>
+Date: Fri, 3 Apr 2009 04:35:14 +0000
+Subject: vfs: skip I_CLEAR state inodes
+
+From: Wu Fengguang <fengguang.wu@intel.com>
+
+upstream commit: b6fac63cc1f52ec27f29fe6c6c8494a2ffac33fd
+
+clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do so
+_outside_ of inode_lock. So any I_FREEING testing is incomplete without a
+coupled testing of I_CLEAR.
+
+So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes() and
+add_dquot_ref().
+
+Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara
+reminds fixing the other two cases.
+
+Masayoshi MIZUMA has a nice panic flow:
+
+=====================================================================
+ [process A] | [process B]
+ | |
+ | prune_icache() | drop_pagecache()
+ | spin_lock(&inode_lock) | drop_pagecache_sb()
+ | inode->i_state |= I_FREEING; | |
+ | spin_unlock(&inode_lock) | V
+ | | | spin_lock(&inode_lock)
+ | V | |
+ | dispose_list() | |
+ | list_del() | |
+ | clear_inode() | |
+ | inode->i_state = I_CLEAR | |
+ | | | V
+ | | | if (inode->i_state & (I_FREEING|I_WILL_FREE))
+ | | | continue; <==== NOT MATCH
+ | | |
+ | | | (DANGER from here on! Accessing disposing inode!)
+ | | |
+ | | | __iget()
+ | | | list_move() <===== PANIC on poisoned list !!
+ V V |
+(time)
+=====================================================================
+
+Reported-by: Masayoshi MIZUMA <m.mizuma@jp.fujitsu.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[chrisw: backport to 2.6.29]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/dquot.c | 2 +-
+ fs/drop_caches.c | 2 +-
+ fs/fs-writeback.c | 3 ++-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/dquot.c
++++ b/fs/dquot.c
+@@ -726,7 +726,7 @@ static void add_dquot_ref(struct super_b
+ continue;
+ if (!dqinit_needed(inode, type))
+ continue;
+- if (inode->i_state & (I_FREEING|I_WILL_FREE))
++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE))
+ continue;
+
+ __iget(inode);
+--- a/fs/drop_caches.c
++++ b/fs/drop_caches.c
+@@ -18,7 +18,7 @@ static void drop_pagecache_sb(struct sup
+
+ spin_lock(&inode_lock);
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+- if (inode->i_state & (I_FREEING|I_WILL_FREE))
++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE))
+ continue;
+ if (inode->i_mapping->nrpages == 0)
+ continue;
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -538,7 +538,8 @@ void generic_sync_sb_inodes(struct super
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+ struct address_space *mapping;
+
+- if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW))
++ if (inode->i_state &
++ (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW))
+ continue;
+ mapping = inode->i_mapping;
+ if (mapping->nrpages == 0)
--- /dev/null
+From 33d06566b593703a972da232d08b6a12176f1854 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Date: Fri, 27 Mar 2009 00:28:21 -0700
+Subject: af_rose/x25: Sanity check the maximum user frame size
+
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+
+upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
+
+CVE-2009-0795.
+
+Otherwise we can wrap the sizes and end up sending garbage.
+
+Closes #10423
+
+Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/netrom/af_netrom.c | 6 +++++-
+ net/rose/af_rose.c | 4 ++++
+ net/x25/af_x25.c | 6 ++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
+
+- /* Build a packet */
++ /* Build a packet - the conventional user limit is 236 bytes. We can
++ do ludicrously large NetROM frames but must not overflow */
++ if (len > 65536)
++ return -EMSGSIZE;
++
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1120,6 +1120,10 @@ static int rose_sendmsg(struct kiocb *io
+
+ /* Build a packet */
+ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
++ /* Sanity check the packet size */
++ if (len > 65535)
++ return -EMSGSIZE;
++
+ size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
+
+ if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc
+ sx25.sx25_addr = x25->dest_addr;
+ }
+
++ /* Sanity check the packet size */
++ if (len > 65535) {
++ rc = -EMSGSIZE;
++ goto out;
++ }
++
+ SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
+
+ /* Build a packet */
--- /dev/null
+From df5b6025d1a9e2e61dde1fd28257082751264c07 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 22 Apr 2009 00:49:51 -0700
+Subject: net/netrom: Fix socket locking
+
+From: Jean Delvare <jdelvare@suse.de>
+
+upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab
+
+Patch "af_rose/x25: Sanity check the maximum user frame size"
+(commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got
+locking wrong. If we bail out due to user frame size being too large,
+we must unlock the socket beforehand.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/netrom/af_netrom.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1084,8 +1084,10 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ /* Build a packet - the conventional user limit is 236 bytes. We can
+ do ludicrously large NetROM frames but must not overflow */
+- if (len > 65536)
+- return -EMSGSIZE;
++ if (len > 65536) {
++ err = -EMSGSIZE;
++ goto out;
++ }
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
--- /dev/null
+From 6bc1b5deb47f0fc3d697abd2fcd417618cf07e3f Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Mon, 6 Apr 2009 17:31:29 +0200
+Subject: netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection
+
+From: Patrick McHardy <kaber@trash.net>
+
+upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558
+
+Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
+search for loops) introduced a regression in the loop detection algorithm,
+causing sporadic incorrectly detected loops.
+
+When a chain has already been visited during the check, it is treated as
+having a standard target containing a RETURN verdict directly at the
+beginning in order to not check it again. The real target of the first
+rule is then incorrectly treated as STANDARD target and checked not to
+contain invalid verdicts.
+
+Fix by making sure the rule does actually contain a standard target.
+
+Based on patch by Francis Dupont <Francis_Dupont@isc.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/netfilter/arp_tables.c | 4 +++-
+ net/ipv4/netfilter/ip_tables.c | 4 +++-
+ net/ipv6/netfilter/ip6_tables.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -372,7 +372,9 @@ static int mark_source_chains(struct xt_
+ && unconditional(&e->arp)) || visited) {
+ unsigned int oldpos, size;
+
+- if (t->verdict < -NF_MAX_VERDICT - 1) {
++ if ((strcmp(t->target.u.user.name,
++ ARPT_STANDARD_TARGET) == 0) &&
++ t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -502,7 +502,9 @@ mark_source_chains(struct xt_table_info
+ && unconditional(&e->ip)) || visited) {
+ unsigned int oldpos, size;
+
+- if (t->verdict < -NF_MAX_VERDICT - 1) {
++ if ((strcmp(t->target.u.user.name,
++ IPT_STANDARD_TARGET) == 0) &&
++ t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -529,7 +529,9 @@ mark_source_chains(struct xt_table_info
+ && unconditional(&e->ipv6)) || visited) {
+ unsigned int oldpos, size;
+
+- if (t->verdict < -NF_MAX_VERDICT - 1) {
++ if ((strcmp(t->target.u.user.name,
++ IP6T_STANDARD_TARGET) == 0) &&
++ t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
--- /dev/null
+From ed960ac61e12e298d1cdcd52b21b9ee07d36755c Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue, 7 Apr 2009 16:25:02 +0000
+Subject: splice: fix deadlock in splicing to file
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+upstream commit: 7bfac9ecf0585962fe13584f5cf526d8c8e76f17
+
+There's a possible deadlock in generic_file_splice_write(),
+splice_from_pipe() and ocfs2_file_splice_write():
+
+ - task A calls generic_file_splice_write()
+ - this calls inode_double_lock(), which locks i_mutex on both
+ pipe->inode and target inode
+ - ordering depends on inode pointers, can happen that pipe->inode is
+ locked first
+ - __splice_from_pipe() needs more data, calls pipe_wait()
+ - this releases lock on pipe->inode, goes to interruptible sleep
+ - task B calls generic_file_splice_write(), similarly to the first
+ - this locks pipe->inode, then tries to lock inode, but that is
+ already held by task A
+ - task A is interrupted, it tries to lock pipe->inode, but fails, as
+ it is already held by task B
+ - ABBA deadlock
+
+Fix this by explicitly ordering locks: the outer lock must be on
+target inode and the inner lock (which is later unlocked and relocked)
+must be on pipe->inode. This is OK, pipe inodes and target inodes
+form two nonoverlapping sets, generic_file_splice_write() and friends
+are not called with a target which is a pipe.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Acked-by: Mark Fasheh <mfasheh@suse.com>
+Acked-by: Jens Axboe <jens.axboe@oracle.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c | 25 ++++++++++++++++++++-----
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2089,7 +2089,7 @@ static ssize_t ocfs2_file_splice_write(s
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name);
+
+- inode_double_lock(inode, pipe->inode);
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
+
+ ret = ocfs2_rw_lock(inode, 1);
+ if (ret < 0) {
+@@ -2104,12 +2104,16 @@ static ssize_t ocfs2_file_splice_write(s
+ goto out_unlock;
+ }
+
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
+
+ out_unlock:
+ ocfs2_rw_unlock(inode, 1);
+ out:
+- inode_double_unlock(inode, pipe->inode);
++ mutex_unlock(&inode->i_mutex);
+
+ mlog_exit(ret);
+ return ret;
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -735,10 +735,19 @@ ssize_t splice_from_pipe(struct pipe_ino
+ * ->commit_write. Most of the time, these expect i_mutex to
+ * be held. Since this may result in an ABBA deadlock with
+ * pipe->inode, we have to order lock acquiry here.
++ *
++ * Outer lock must be inode->i_mutex, as pipe_wait() will
++ * release and reacquire pipe->inode->i_mutex, AND inode must
++ * never be a pipe.
+ */
+- inode_double_lock(inode, pipe->inode);
++ WARN_ON(S_ISFIFO(inode->i_mode));
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = __splice_from_pipe(pipe, &sd, actor);
+- inode_double_unlock(inode, pipe->inode);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
++ mutex_unlock(&inode->i_mutex);
+
+ return ret;
+ }
+@@ -829,11 +838,17 @@ generic_file_splice_write(struct pipe_in
+ };
+ ssize_t ret;
+
+- inode_double_lock(inode, pipe->inode);
++ WARN_ON(S_ISFIFO(inode->i_mode));
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
+ ret = file_remove_suid(out);
+- if (likely(!ret))
++ if (likely(!ret)) {
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
+- inode_double_unlock(inode, pipe->inode);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
++ }
++ mutex_unlock(&inode->i_mutex);
+ if (ret > 0) {
+ unsigned long nr_pages;
+
--- /dev/null
+From 37a8bca218bf6c4cad295b7d250c3590f57e3cf6 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Tue, 7 Apr 2009 16:25:04 +0000
+Subject: ALSA: hda - add missing comma in ad1884_slave_vols
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+upstream commit: bca68467b59a24396554d8dd5979ee363c174854
+
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ sound/pci/hda/patch_analog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_analog.c
++++ b/sound/pci/hda/patch_analog.c
+@@ -3220,7 +3220,7 @@ static const char *ad1884_slave_vols[] =
+ "Mic Playback Volume",
+ "CD Playback Volume",
+ "Internal Mic Playback Volume",
+- "Docking Mic Playback Volume"
++ "Docking Mic Playback Volume",
+ "Beep Playback Volume",
+ "IEC958 Playback Volume",
+ NULL
--- /dev/null
+From 10b9c3cd8848919561d16570759c0146988cb8d5 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 5 Mar 2009 14:45:55 -0600
+Subject: SCSI: libiscsi: fix iscsi pool error path
+
+From: Jean Delvare <jdelvare@suse.de>
+
+upstream commit: f474a37bc48667595b5653a983b635c95ed82a3b
+
+Memory freeing in iscsi_pool_free() looks wrong to me. Either q->pool
+can be NULL and this should be tested before dereferencing it, or it
+can't be NULL and it shouldn't be tested at all. As far as I can see,
+the only case where q->pool is NULL is on early error in
+iscsi_pool_init(). One possible way to fix the bug is thus to not
+call iscsi_pool_free() in this case (nothing needs to be freed anyway)
+and then we can get rid of the q->pool check.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/scsi/libiscsi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1807,7 +1807,7 @@ iscsi_pool_init(struct iscsi_pool *q, in
+ num_arrays++;
+ q->pool = kzalloc(num_arrays * max * sizeof(void*), GFP_KERNEL);
+ if (q->pool == NULL)
+- goto enomem;
++ return -ENOMEM;
+
+ q->queue = kfifo_init((void*)q->pool, max * sizeof(void*),
+ GFP_KERNEL, NULL);
+@@ -1842,8 +1842,7 @@ void iscsi_pool_free(struct iscsi_pool *
+
+ for (i = 0; i < q->max; i++)
+ kfree(q->pool[i]);
+- if (q->pool)
+- kfree(q->pool);
++ kfree(q->pool);
+ kfree(q->queue);
+ }
+ EXPORT_SYMBOL_GPL(iscsi_pool_free);
--- /dev/null
+From b76d2b612cd5c0c6fb82340f9ec241ca75b942f9 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 1 Apr 2009 13:11:29 -0500
+Subject: SCSI: libiscsi: fix iscsi pool error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+From: Jean Delvare <jdelvare@suse.de>
+
+upstream commit: fd6e1c14b73dbab89cb76af895d5612e4a8b5522
+
+Le lundi 30 mars 2009, Chris Wright a écrit :
+> q->queue could be ERR_PTR(-ENOMEM) which will break unwinding
+> on error. Make iscsi_pool_free more defensive.
+>
+
+Making the freeing of q->queue dependent on q->pool being set looks
+really weird (although it is correct at the moment. But this seems
+to be fixable in a much simpler way.
+
+With the benefit that only the error case is slowed down. In both
+cases we have a problem if q->queue contains an error value but it's
+not -ENOMEM. Apparently this can't happen today, but it doesn't feel
+right to assume this will always be true. Maybe it's the right time
+to fix this as well.
+
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+[chrisw: this is a fixlet to f474a37b, also in -stable]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/scsi/libiscsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1811,8 +1811,10 @@ iscsi_pool_init(struct iscsi_pool *q, in
+
+ q->queue = kfifo_init((void*)q->pool, max * sizeof(void*),
+ GFP_KERNEL, NULL);
+- if (q->queue == ERR_PTR(-ENOMEM))
++ if (IS_ERR(q->queue)) {
++ q->queue = NULL;
+ goto enomem;
++ }
+
+ for (i = 0; i < max; i++) {
+ q->pool[i] = kzalloc(item_size, GFP_KERNEL);
--- /dev/null
+From 3f22ebd2f4d191631a7b867addc8bd99e948873f Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <ntl@pobox.com>
+Date: Thu, 9 Apr 2009 18:20:02 +0000
+Subject: sched: do not count frozen tasks toward load
+
+From: Nathan Lynch <ntl@pobox.com>
+
+upstream commit: e3c8ca8336707062f3f7cb1cd7e6b3c753baccdd
+
+Freezing tasks via the cgroup freezer causes the load average to climb
+because the freezer's current implementation puts frozen tasks in
+uninterruptible sleep (D state).
+
+Some applications which perform job-scheduling functions consult the
+load average when making decisions. If a cgroup is frozen, the load
+average does not provide a useful measure of the system's utilization
+to such applications. This is especially inconvenient if the job
+scheduler employs the cgroup freezer as a mechanism for preempting low
+priority jobs. Contrast this with using SIGSTOP for the same purpose:
+the stopped tasks do not count toward system load.
+
+Change task_contributes_to_load() to return false if the task is
+frozen. This results in /proc/loadavg behavior that better meets
+users' expectations.
+
+Signed-off-by: Nathan Lynch <ntl@pobox.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Nigel Cunningham <nigel@tuxonice.net>
+Tested-by: Nigel Cunningham <nigel@tuxonice.net>
+Cc: containers@lists.linux-foundation.org
+Cc: linux-pm@lists.linux-foundation.org
+Cc: Matt Helsley <matthltc@us.ibm.com>
+LKML-Reference: <20090408194512.47a99b95@manatee.lan>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ include/linux/sched.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -201,7 +201,8 @@ extern unsigned long long time_sync_thre
+ #define task_is_stopped_or_traced(task) \
+ ((task->state & (__TASK_STOPPED | __TASK_TRACED)) != 0)
+ #define task_contributes_to_load(task) \
+- ((task->state & TASK_UNINTERRUPTIBLE) != 0)
++ ((task->state & TASK_UNINTERRUPTIBLE) != 0 && \
++ (task->flags & PF_FROZEN) == 0)
+
+ #define __set_task_state(tsk, state_value) \
+ do { (tsk)->state = (state_value); } while (0)
--- /dev/null
+From d11a29e323dfd141183cdc918e31acdff02ef450 Mon Sep 17 00:00:00 2001
+From: Serge E. Hallyn <serue@us.ibm.com>
+Date: Mon, 13 Apr 2009 17:25:03 +0000
+Subject: add some long-missing capabilities to fs_mask
+
+From: Serge E. Hallyn <serue@us.ibm.com>
+
+upstream commit: 0ad30b8fd5fe798aae80df6344b415d8309342cc
+
+When POSIX capabilities were introduced during the 2.1 Linux
+cycle, the fs mask, which represents the capabilities which having
+fsuid==0 is supposed to grant, did not include CAP_MKNOD and
+CAP_LINUX_IMMUTABLE. However, before capabilities the privilege
+to call these did in fact depend upon fsuid==0.
+
+This patch introduces those capabilities into the fsmask,
+restoring the old behavior.
+
+See the thread starting at http://lkml.org/lkml/2009/3/11/157 for
+reference.
+
+Note that if this fix is deemed valid, then earlier kernel versions (2.4
+and 2.2) ought to be fixed too.
+
+Changelog:
+ [Mar 23] Actually delete old CAP_FS_SET definition...
+ [Mar 20] Updated against J. Bruce Fields's patch
+
+Reported-by: Igor Zhbanov <izh1979@gmail.com>
+Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
+Cc: stable@kernel.org
+Cc: J. Bruce Fields <bfields@citi.umich.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ include/linux/capability.h | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -366,7 +366,21 @@ typedef struct kernel_cap_struct {
+ #define CAP_FOR_EACH_U32(__capi) \
+ for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
+
++/*
++ * CAP_FS_MASK and CAP_NFSD_MASKS:
++ *
++ * The fs mask is all the privileges that fsuid==0 historically meant.
++ * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
++ *
++ * It has never meant setting security.* and trusted.* xattrs.
++ *
++ * We could also define fsmask as follows:
++ * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
++ * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
++ */
++
+ # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
++ | CAP_TO_MASK(CAP_MKNOD) \
+ | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
+ | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
+ | CAP_TO_MASK(CAP_FOWNER) \
+@@ -381,11 +395,12 @@ typedef struct kernel_cap_struct {
+ # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
+ # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
+ # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
+-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
++# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
++ | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
++ CAP_FS_MASK_B1 } })
+ # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+- | CAP_TO_MASK(CAP_SYS_RESOURCE) \
+- | CAP_TO_MASK(CAP_MKNOD), \
+- CAP_FS_MASK_B1 } })
++ | CAP_TO_MASK(CAP_SYS_RESOURCE), \
++ CAP_FS_MASK_B1 } })
+
+ #endif /* _KERNEL_CAPABILITY_U32S != 2 */
+
--- /dev/null
+From 6c6737beae9981a707c1a4e1e9f1baf7cc47ce5f Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@samba.org>
+Date: Wed, 15 Apr 2009 17:25:05 +0000
+Subject: powerpc: Fix data-corrupting bug in __futex_atomic_op
+
+From: Paul Mackerras <paulus@samba.org>
+
+upstream commit: 306a82881b14d950d59e0b59a55093a07d82aa9a
+
+Richard Henderson pointed out that the powerpc __futex_atomic_op has a
+bug: it will write the wrong value if the stwcx. fails and it has to
+retry the lwarx/stwcx. loop, since 'oparg' will have been overwritten
+by the result from the first time around the loop. This happens
+because it uses the same register for 'oparg' (an input) as it uses
+for the result.
+
+This fixes it by using separate registers for 'oparg' and 'ret'.
+
+Cc: stable@kernel.org
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/powerpc/include/asm/futex.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/futex.h
++++ b/arch/powerpc/include/asm/futex.h
+@@ -27,7 +27,7 @@
+ PPC_LONG "1b,4b,2b,4b\n" \
+ ".previous" \
+ : "=&r" (oldval), "=&r" (ret) \
+- : "b" (uaddr), "i" (-EFAULT), "1" (oparg) \
++ : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \
+ : "cr0", "memory")
+
+ static inline int futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
+@@ -47,19 +47,19 @@ static inline int futex_atomic_op_inuser
+
+ switch (op) {
+ case FUTEX_OP_SET:
+- __futex_atomic_op("", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("mr %1,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_ADD:
+- __futex_atomic_op("add %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("add %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_OR:
+- __futex_atomic_op("or %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("or %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_ANDN:
+- __futex_atomic_op("andc %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("andc %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_XOR:
+- __futex_atomic_op("xor %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("xor %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ default:
+ ret = -ENOSYS;
--- /dev/null
+From 2a3403fd95cbf6f548198be0fd37a056d12a56fe Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Date: Sat, 18 Apr 2009 17:42:19 +0200
+Subject: hpt366: fix HPT370 DMA timeouts
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+upstream commit: c018f1ee5cf81e58b93d9e93a2ee39cad13dc1ac
+
+The big driver change in 2.4.19-rc1 introduced a regression for many HPT370[A]
+chips -- DMA stopped to work completely, only causing endless timeouts...
+
+The culprit has been identified (at last!): it turned to be the code resetting
+the DMA state machine before each transfer. Stop doing it now as this counter-
+measure has clearly caused more harm than good.
+
+This should fix the kernel.org bug #7703.
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/ide/pci/hpt366.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ide/pci/hpt366.c
++++ b/drivers/ide/pci/hpt366.c
+@@ -114,6 +114,8 @@
+ * the register setting lists into the table indexed by the clock selected
+ * - set the correct hwif->ultra_mask for each individual chip
+ * - add Ultra and MW DMA mode filtering for the HPT37[24] based SATA cards
++ * - stop resetting HPT370's state machine before each DMA transfer as that has
++ * caused more harm than good
+ * Sergei Shtylyov, <sshtylyov@ru.mvista.com> or <source@mvista.com>
+ */
+
+@@ -134,7 +136,7 @@
+ #define DRV_NAME "hpt366"
+
+ /* various tuning parameters */
+-#define HPT_RESET_STATE_ENGINE
++#undef HPT_RESET_STATE_ENGINE
+ #undef HPT_DELAY_INTERRUPT
+ #define HPT_SERIALIZE_IO 0
+
--- /dev/null
+From d683876908060916ada0091d1db3b09afccb1517 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Date: Tue, 14 Apr 2009 18:39:14 +0400
+Subject: pata_hpt37x: fix HPT370 DMA timeouts
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+upstream commit: 265b7215aed36941620b65ecfff516200fb190c1
+
+The libata driver has copied the code from the IDE driver which caused a post
+2.4.18 regression on many HPT370[A] chips -- DMA stopped to work completely,
+only causing timeouts. Now remove hpt370_bmdma_start() for good...
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/ata/pata_hpt37x.c | 22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/drivers/ata/pata_hpt37x.c
++++ b/drivers/ata/pata_hpt37x.c
+@@ -8,7 +8,7 @@
+ * Copyright (C) 1999-2003 Andre Hedrick <andre@linux-ide.org>
+ * Portions Copyright (C) 2001 Sun Microsystems, Inc.
+ * Portions Copyright (C) 2003 Red Hat Inc
+- * Portions Copyright (C) 2005-2007 MontaVista Software, Inc.
++ * Portions Copyright (C) 2005-2009 MontaVista Software, Inc.
+ *
+ * TODO
+ * Look into engine reset on timeout errors. Should not be required.
+@@ -24,7 +24,7 @@
+ #include <linux/libata.h>
+
+ #define DRV_NAME "pata_hpt37x"
+-#define DRV_VERSION "0.6.11"
++#define DRV_VERSION "0.6.12"
+
+ struct hpt_clock {
+ u8 xfer_speed;
+@@ -445,23 +445,6 @@ static void hpt370_set_dmamode(struct at
+ }
+
+ /**
+- * hpt370_bmdma_start - DMA engine begin
+- * @qc: ATA command
+- *
+- * The 370 and 370A want us to reset the DMA engine each time we
+- * use it. The 372 and later are fine.
+- */
+-
+-static void hpt370_bmdma_start(struct ata_queued_cmd *qc)
+-{
+- struct ata_port *ap = qc->ap;
+- struct pci_dev *pdev = to_pci_dev(ap->host->dev);
+- pci_write_config_byte(pdev, 0x50 + 4 * ap->port_no, 0x37);
+- udelay(10);
+- ata_bmdma_start(qc);
+-}
+-
+-/**
+ * hpt370_bmdma_end - DMA engine stop
+ * @qc: ATA command
+ *
+@@ -598,7 +581,6 @@ static struct scsi_host_template hpt37x_
+ static struct ata_port_operations hpt370_port_ops = {
+ .inherits = &ata_bmdma_port_ops,
+
+- .bmdma_start = hpt370_bmdma_start,
+ .bmdma_stop = hpt370_bmdma_stop,
+
+ .mode_filter = hpt370_filter,
--- /dev/null
+From 5c435c37e2652e5d066dc81fcc108a0dffbdb33d Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Fri, 17 Apr 2009 21:20:10 +0000
+Subject: usb gadget: fix ethernet link reports to ethtool
+
+From: Jonathan McDowell <noodles@earth.li>
+
+upstream commit: 237e75bf1e558f7330f8deb167fa3116405bef2c
+
+The g_ether USB gadget driver currently decides whether or not there's a
+link to report back for eth_get_link based on if the USB link speed is
+set. The USB gadget speed is however often set even before the device is
+enumerated. It seems more sensible to only report a "link" if we're
+actually connected to a host that wants to talk to us. The patch below
+does this for me - tested with the PXA27x UDC driver.
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/gadget/u_ether.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/usb/gadget/u_ether.c
++++ b/drivers/usb/gadget/u_ether.c
+@@ -175,12 +175,6 @@ static void eth_get_drvinfo(struct net_d
+ strlcpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof p->bus_info);
+ }
+
+-static u32 eth_get_link(struct net_device *net)
+-{
+- struct eth_dev *dev = netdev_priv(net);
+- return dev->gadget->speed != USB_SPEED_UNKNOWN;
+-}
+-
+ /* REVISIT can also support:
+ * - WOL (by tracking suspends and issuing remote wakeup)
+ * - msglevel (implies updated messaging)
+@@ -189,7 +183,7 @@ static u32 eth_get_link(struct net_devic
+
+ static struct ethtool_ops ops = {
+ .get_drvinfo = eth_get_drvinfo,
+- .get_link = eth_get_link
++ .get_link = ethtool_op_get_link,
+ };
+
+ static void defer_kevent(struct eth_dev *dev, int flag)
--- /dev/null
+From 082240d79158decfc9918b96487da38a750b4d1d Mon Sep 17 00:00:00 2001
+From: Peter Korsgaard <jacmet@sunsite.dk>
+Date: Fri, 17 Apr 2009 21:20:07 +0000
+Subject: USB: ftdi_sio: add vendor/project id for JETI specbos 1201 spectrometer
+
+From: Peter Korsgaard <jacmet@sunsite.dk>
+
+upstream commit: ae27d84351f1f3568118318a8c40ff3a154bd629
+
+Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio.h | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -662,6 +662,7 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(DE_VID, WHT_PID) },
+ { USB_DEVICE(ADI_VID, ADI_GNICE_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++ { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
+ { }, /* Optional parameter entry */
+ { } /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio.h
++++ b/drivers/usb/serial/ftdi_sio.h
+@@ -890,6 +890,13 @@
+ #define ADI_GNICE_PID 0xF000
+
+ /*
++ * JETI SPECTROMETER SPECBOS 1201
++ * http://www.jeti.com/products/sys/scb/scb1201.php
++ */
++#define JETI_VID 0x0c6c
++#define JETI_SPC1201_PID 0x04b2
++
++/*
+ * BmRequestType: 1100 0000b
+ * bRequest: FTDI_E2_READ
+ * wValue: 0
--- /dev/null
+From 4be149f9b684906505d49932fd18e1f17721b30f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Fri, 17 Apr 2009 21:20:06 +0000
+Subject: USB: fix oops in cdc-wdm in case of malformed descriptors
+
+From: Oliver Neukum <oliver@neukum.org>
+
+upstream commit: e13c594f3a1fc2c78e7a20d1a07974f71e4b448f
+
+cdc-wdm needs to ignore extremely malformed descriptors.
+
+Signed-off-by: Oliver Neukum <oliver@neukum.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/class/cdc-wdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -641,7 +641,7 @@ next_desc:
+
+ iface = &intf->altsetting[0];
+ ep = &iface->endpoint[0].desc;
+- if (!usb_endpoint_is_int_in(ep)) {
++ if (!ep || !usb_endpoint_is_int_in(ep)) {
+ rv = -EINVAL;
+ goto err;
+ }
--- /dev/null
+From 35fe207a082d775b0bbaac3f49a9dc2d7c02779c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 17 Apr 2009 21:20:03 +0000
+Subject: USB: usb-storage: augment unusual_devs entry for Simple Tech/Datafab
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: e4813eec8d47c8299d968bd5349dc881fa481c26
+
+This patch (as1227) adds the MAX_SECTORS_64 flag to the unusual_devs
+entry for the Simple Tech/Datafab controller. This fixes Bugzilla
+#12882.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: binbin <binbinsh@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/unusual_devs.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1241,12 +1241,14 @@ UNUSUAL_DEV( 0x07c4, 0xa400, 0x0000, 0x
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+ US_FL_FIX_INQUIRY ),
+
+-/* Reported by Rauch Wolke <rauchwolke@gmx.net> */
++/* Reported by Rauch Wolke <rauchwolke@gmx.net>
++ * and augmented by binbin <binbinsh@gmail.com> (Bugzilla #12882)
++ */
+ UNUSUAL_DEV( 0x07c4, 0xa4a5, 0x0000, 0xffff,
+ "Simple Tech/Datafab",
+ "CF+SM Reader",
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+- US_FL_IGNORE_RESIDUE ),
++ US_FL_IGNORE_RESIDUE | US_FL_MAX_SECTORS_64 ),
+
+ /* Casio QV 2x00/3x00/4000/8000 digital still cameras are not conformant
+ * to the USB storage specification in two ways:
--- /dev/null
+From 0702b646e5bdc16af64ef6f663e5275a02bf40cd Mon Sep 17 00:00:00 2001
+From: Shaohua Li <shaohua.li@intel.com>
+Date: Mon, 20 Apr 2009 10:08:35 +1000
+Subject: agp: zero pages before sending to userspace
+
+upstream commit: 59de2bebabc5027f93df999d59cc65df591c3e6e
+
+CVE-2009-1192
+
+AGP pages might be mapped into userspace finally, so the pages should be
+set to zero before userspace can use it. Otherwise there is potential
+information leakage.
+
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/char/agp/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -1207,7 +1207,7 @@ void *agp_generic_alloc_page(struct agp_
+ {
+ struct page * page;
+
+- page = alloc_page(GFP_KERNEL | GFP_DMA32);
++ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
+ if (page == NULL)
+ return NULL;
+
--- /dev/null
+From 5a9b5af39e948919f272867516faa61c093124f6 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Tue, 21 Apr 2009 21:20:04 +0000
+Subject: hugetlbfs: return negative error code for bad mount option
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+upstream commit: c12ddba09394c60e1120e6997794fa6ed52da884
+
+This fixes the following BUG:
+
+ # mount -o size=MM -t hugetlbfs none /huge
+ hugetlbfs: Bad value 'MM' for mount option 'size=MM'
+ ------------[ cut here ]------------
+ kernel BUG at fs/super.c:996!
+
+Due to
+
+ BUG_ON(!mnt->mnt_sb);
+
+in vfs_kern_mount().
+
+Also, remove unused #include <linux/quotaops.h>
+
+Cc: William Irwin <wli@holomorphy.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/hugetlbfs/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -26,7 +26,6 @@
+ #include <linux/pagevec.h>
+ #include <linux/parser.h>
+ #include <linux/mman.h>
+-#include <linux/quotaops.h>
+ #include <linux/slab.h>
+ #include <linux/dnotify.h>
+ #include <linux/statfs.h>
+@@ -838,7 +837,7 @@ hugetlbfs_parse_options(char *options, s
+ bad_val:
+ printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n",
+ args[0].from, p);
+- return 1;
++ return -EINVAL;
+ }
+
+ static int
--- /dev/null
+From f02b8624fedca39886b0eef770dca70c2f0749b3 Mon Sep 17 00:00:00 2001
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Date: Wed, 18 Mar 2009 17:06:21 +0530
+Subject: kprobes: Fix locking imbalance in kretprobes
+
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+
+commit f02b8624fedca39886b0eef770dca70c2f0749b3 upstream.
+
+Fix locking imbalance in kretprobes:
+
+=====================================
+[ BUG: bad unlock balance detected! ]
+-------------------------------------
+kthreadd/2 is trying to release lock (&rp->lock) at:
+[<c06b3080>] pre_handler_kretprobe+0xea/0xf4
+but there are no more locks to release!
+
+other info that might help us debug this:
+1 lock held by kthreadd/2:
+ #0: (rcu_read_lock){..--}, at: [<c06b2b24>] __atomic_notifier_call_chain+0x0/0x5a
+
+stack backtrace:
+Pid: 2, comm: kthreadd Not tainted 2.6.29-rc8 #1
+Call Trace:
+ [<c06ae498>] ? printk+0xf/0x17
+ [<c06b3080>] ? pre_handler_kretprobe+0xea/0xf4
+ [<c044ce6c>] print_unlock_inbalance_bug+0xc3/0xce
+ [<c0444d4b>] ? clocksource_read+0x7/0xa
+ [<c04450a4>] ? getnstimeofday+0x5f/0xf6
+ [<c044a9ca>] ? register_lock_class+0x17/0x293
+ [<c044b72c>] ? mark_lock+0x1e/0x30b
+ [<c0448956>] ? tick_dev_program_event+0x4a/0xbc
+ [<c0498100>] ? __slab_alloc+0xa5/0x415
+ [<c06b2fbe>] ? pre_handler_kretprobe+0x28/0xf4
+ [<c06b3080>] ? pre_handler_kretprobe+0xea/0xf4
+ [<c044cf1b>] lock_release_non_nested+0xa4/0x1a5
+ [<c06b3080>] ? pre_handler_kretprobe+0xea/0xf4
+ [<c044d15d>] lock_release+0x141/0x166
+ [<c06b07dd>] _spin_unlock_irqrestore+0x19/0x50
+ [<c06b3080>] pre_handler_kretprobe+0xea/0xf4
+ [<c06b20b5>] kprobe_exceptions_notify+0x1c9/0x43e
+ [<c06b2b02>] notifier_call_chain+0x26/0x48
+ [<c06b2b5b>] __atomic_notifier_call_chain+0x37/0x5a
+ [<c06b2b24>] ? __atomic_notifier_call_chain+0x0/0x5a
+ [<c06b2b8a>] atomic_notifier_call_chain+0xc/0xe
+ [<c0442d0d>] notify_die+0x2d/0x2f
+ [<c06b0f9c>] do_int3+0x1f/0x71
+ [<c06b0e84>] int3+0x2c/0x34
+ [<c042d476>] ? do_fork+0x1/0x288
+ [<c040221b>] ? kernel_thread+0x71/0x79
+ [<c043ed1b>] ? kthread+0x0/0x60
+ [<c043ed1b>] ? kthread+0x0/0x60
+ [<c04040b8>] ? kernel_thread_helper+0x0/0x10
+ [<c043ec7f>] kthreadd+0xac/0x148
+ [<c043ebd3>] ? kthreadd+0x0/0x148
+ [<c04040bf>] kernel_thread_helper+0x7/0x10
+
+Signed-off-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Tested-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
+Cc: Masami Hiramatsu <mhiramat@redhat.com>
+Cc: Jim Keniston <jkenisto@us.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: <stable@kernel.org> [2.6.29.x, 2.6.28.x, 2.6.27.x]
+LKML-Reference: <20090318113621.GB4129@in.ibm.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kprobes.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -890,10 +890,8 @@ static int __kprobes pre_handler_kretpro
+ ri->rp = rp;
+ ri->task = current;
+
+- if (rp->entry_handler && rp->entry_handler(ri, regs)) {
+- spin_unlock_irqrestore(&rp->lock, flags);
++ if (rp->entry_handler && rp->entry_handler(ri, regs))
+ return 0;
+- }
+
+ arch_prepare_kretprobe(ri, regs);
+
ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch
netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch
net-fix-sctp-breakage.patch
+0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch
+0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch
+0031-mm-do_xip_mapping_read-fix-length-calculation.patch
+0034-vfs-skip-I_CLEAR-state-inodes.patch
+0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch
+0044-net-netrom-Fix-socket-locking.patch
+0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch
+0049-splice-fix-deadlock-in-splicing-to-file.patch
+0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch
+0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch
+0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch
+0060-sched-do-not-count-frozen-tasks-toward-load.patch
+0063-add-some-long-missing-capabilities-to-fs_mask.patch
+0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch
+0069-hpt366-fix-HPT370-DMA-timeouts.patch
+0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch
+0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch
+0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch
+0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch
+0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch
+0093-agp-zero-pages-before-sending-to-userspace.patch
+0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch
+kprobes-fix-locking-imbalance-in-kretprobes.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
