--- /dev/null
+From 2a88464ceb1bda2571f88902fd8068a6168e3f7b Mon Sep 17 00:00:00 2001
+From: Luke Yelavich <themuso@ubuntu.com>
+Date: Wed, 28 Jan 2009 15:58:38 +1100
+Subject: ALSA: hda - add another MacBook Pro 4, 1 subsystem ID
+
+From: Luke Yelavich <themuso@ubuntu.com>
+
+commit 2a88464ceb1bda2571f88902fd8068a6168e3f7b upstream.
+
+Add another MacBook Pro 4,1 SSID (106b:3800). It seems that latter revisions,
+(at least mine), have different IDs to earlier revisions.
+
+Signed-off-by: Luke Yelavich <themuso@ubuntu.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6631,6 +6631,7 @@ static int patch_alc882(struct hda_codec
+ case 0x106b00a1: /* Macbook (might be wrong - PCI SSID?) */
+ case 0x106b2c00: /* Macbook Pro rev3 */
+ case 0x106b3600: /* Macbook 3.1 */
++ case 0x106b3800: /* MacbookPro4,1 - latter revision */
+ board_config = ALC885_MBP3;
+ break;
+ default:
--- /dev/null
+From aa9d823bb347fb66cb07f98c686be8bb85cb6a74 Mon Sep 17 00:00:00 2001
+From: Joerg Schirottke <master@kanotix.com>
+Date: Tue, 27 Jan 2009 11:01:34 +0100
+Subject: ALSA: hda - Add quirk for HP DV6700 laptop
+
+From: Joerg Schirottke <master@kanotix.com>
+
+commit aa9d823bb347fb66cb07f98c686be8bb85cb6a74 upstream.
+
+Added the matching model=laptop for HP DV6700 laptop.
+
+Signed-off-by: Joerg Schirottke <master@kanotix.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1470,6 +1470,7 @@ static struct snd_pci_quirk cxt5047_cfg_
+ SND_PCI_QUIRK(0x103c, 0x30a5, "HP DV5200T/DV8000T", CXT5047_LAPTOP_HP),
+ SND_PCI_QUIRK(0x103c, 0x30b2, "HP DV2000T/DV3000T", CXT5047_LAPTOP),
+ SND_PCI_QUIRK(0x103c, 0x30b5, "HP DV2000Z", CXT5047_LAPTOP),
++ SND_PCI_QUIRK(0x103c, 0x30cf, "HP DV6700", CXT5047_LAPTOP),
+ SND_PCI_QUIRK(0x1179, 0xff31, "Toshiba P100", CXT5047_LAPTOP_EAPD),
+ {}
+ };
--- /dev/null
+From 00a602db1ce9d61319d6f769dee206ec85f19bda Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 23 Jan 2009 11:55:42 +0100
+Subject: ALSA: hda - Fix PCM reference NID for STAC/IDT analog outputs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 00a602db1ce9d61319d6f769dee206ec85f19bda upstream.
+
+The reference NID for the analog outputs of STAC/IDT codecs is set
+to a fixed number 0x02. But this isn't always correct and in many
+codecs it points to a non-existing NID.
+
+This patch fixes the initialization of the PCM reference NID taken
+from the actually probed DAC list.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_sigmatel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -2048,6 +2048,8 @@ static int stac92xx_build_pcms(struct hd
+
+ info->name = "STAC92xx Analog";
+ info->stream[SNDRV_PCM_STREAM_PLAYBACK] = stac92xx_pcm_analog_playback;
++ info->stream[SNDRV_PCM_STREAM_PLAYBACK].nid =
++ spec->multiout.dac_nids[0];
+ info->stream[SNDRV_PCM_STREAM_CAPTURE] = stac92xx_pcm_analog_capture;
+ info->stream[SNDRV_PCM_STREAM_CAPTURE].nid = spec->adc_nids[0];
+ info->stream[SNDRV_PCM_STREAM_CAPTURE].substreams = spec->num_adcs;
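Review bot: The new assignment of `spec->multiout.dac_nids[0]` as the playback NID is made without checking that any DAC was actually probed; if `spec->multiout.num_dacs` can be zero at this point, the stream would presumably be registered with whatever value that array slot holds. A guard such as `if (spec->multiout.num_dacs > 0)` around the assignment, or a one-line comment stating why the list is never empty here, would make the assumption explicit. stac92xx_build_pcms starts and ends outside the hunk, so an earlier check may already exist.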
--- /dev/null
+From 2add3acb11a26cc14b54669433ae6ace6406cbf2 Mon Sep 17 00:00:00 2001
+From: Eilon Greenstein <eilong@broadcom.com>
+Date: Wed, 14 Jan 2009 06:44:07 +0000
+Subject: bnx2x: Block nvram access when the device is inactive
+
+From: Eilon Greenstein <eilong@broadcom.com>
+
+commit 2add3acb11a26cc14b54669433ae6ace6406cbf2 upstream.
+
+Don't dump eeprom when bnx2x adapter is down. Running ethtool -e causes an eeh
+without it when the device is down
+
+Signed-off-by: Paul Larson <pl@linux.vnet.ibm.com>
+Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bnx2x_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/bnx2x_main.c
++++ b/drivers/net/bnx2x_main.c
+@@ -8078,6 +8078,9 @@ static int bnx2x_get_eeprom(struct net_d
+ struct bnx2x *bp = netdev_priv(dev);
+ int rc;
+
++ if (!netif_running(dev))
++ return -EAGAIN;
++
+ DP(BNX2X_MSG_NVM, "ethtool_eeprom: cmd %d\n"
+ DP_LEVEL " magic 0x%x offset 0x%x (%d) len 0x%x (%d)\n",
+ eeprom->cmd, eeprom->magic, eeprom->offset, eeprom->offset,
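Review bot: The `netif_running(dev)` guard is added to bnx2x_get_eeprom only, while the patch title speaks of blocking NVRAM access in general; the hunk does not show whether the write path (presumably bnx2x_set_eeprom) reaches the same hardware while the device is down. If it does, it needs the same two lines, `if (!netif_running(dev)) return -EAGAIN;`, since a write to an inactive adapter is at least as harmful as the read that triggers the EEH. A short comment above the check, e.g. `/* NVRAM is not accessible while the device is down */`, would also keep the guard from being removed later as redundant. The function body continues outside the hunk.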
--- /dev/null
+From 29b37f42127f7da511560a40ea74f5047da40c13 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 13 Jan 2009 11:26:18 +1100
+Subject: crypto: authenc - Fix zero-length IV crash
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 29b37f42127f7da511560a40ea74f5047da40c13 upstream.
+
+As it is if an algorithm with a zero-length IV is used (e.g.,
+NULL encryption) with authenc, authenc may generate an SG entry
+of length zero, which will trigger a BUG check in the hash layer.
+
+This patch fixes it by skipping the IV SG generation if the IV
+size is zero.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ crypto/authenc.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -157,16 +157,19 @@ static int crypto_authenc_genicv(struct
+ dstp = sg_page(dst);
+ vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
+
+- sg_init_table(cipher, 2);
+- sg_set_buf(cipher, iv, ivsize);
+- authenc_chain(cipher, dst, vdst == iv + ivsize);
++ if (ivsize) {
++ sg_init_table(cipher, 2);
++ sg_set_buf(cipher, iv, ivsize);
++ authenc_chain(cipher, dst, vdst == iv + ivsize);
++ dst = cipher;
++ }
+
+ cryptlen = req->cryptlen + ivsize;
+- hash = crypto_authenc_hash(req, flags, cipher, cryptlen);
++ hash = crypto_authenc_hash(req, flags, dst, cryptlen);
+ if (IS_ERR(hash))
+ return PTR_ERR(hash);
+
+- scatterwalk_map_and_copy(hash, cipher, cryptlen,
++ scatterwalk_map_and_copy(hash, dst, cryptlen,
+ crypto_aead_authsize(authenc), 1);
+ return 0;
+ }
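Review bot: The `if (ivsize)` guard in crypto_authenc_genicv carries no comment, so the reason it exists (a zero-length scatterlist entry trips a BUG check in the hash layer, per the commit message) is lost once the message is out of sight. I would add `/* a zero-length IV must not become an SG entry; the hash layer BUGs on empty entries */` above the guard, and the same above the matching guard in the crypto_authenc_iverify hunk. The comment should also say that `cipher` is left uninitialised on the zero-IV path and must not be used after the block. Both functions start outside their hunks.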
+@@ -284,11 +287,14 @@ static int crypto_authenc_iverify(struct
+ srcp = sg_page(src);
+ vsrc = PageHighMem(srcp) ? NULL : page_address(srcp) + src->offset;
+
+- sg_init_table(cipher, 2);
+- sg_set_buf(cipher, iv, ivsize);
+- authenc_chain(cipher, src, vsrc == iv + ivsize);
++ if (ivsize) {
++ sg_init_table(cipher, 2);
++ sg_set_buf(cipher, iv, ivsize);
++ authenc_chain(cipher, src, vsrc == iv + ivsize);
++ src = cipher;
++ }
+
+- return crypto_authenc_verify(req, cipher, cryptlen + ivsize);
++ return crypto_authenc_verify(req, src, cryptlen + ivsize);
+ }
+
+ static int crypto_authenc_decrypt(struct aead_request *req)
--- /dev/null
+From 516280e735b034216de97eb7ba080ec6acbfc58f Mon Sep 17 00:00:00 2001
+From: Jarod Wilson <jarod@redhat.com>
+Date: Thu, 22 Jan 2009 19:58:15 +1100
+Subject: crypto: ccm - Fix handling of null assoc data
+
+From: Jarod Wilson <jarod@redhat.com>
+
+commit 516280e735b034216de97eb7ba080ec6acbfc58f upstream.
+
+It's a valid use case to have null associated data in a ccm vector, but
+this case isn't being handled properly right now.
+
+The following ccm decryption/verification test vector, using the
+rfc4309 implementation regularly triggers a panic, as will any
+other vector with null assoc data:
+
+* key: ab2f8a74b71cd2b1ff802e487d82f8b9
+* iv: c6fb7d800d13abd8a6b2d8
+* Associated Data: [NULL]
+* Tag Length: 8
+* input: d5e8939fc7892e2b
+
+The resulting panic looks like so:
+
+Unable to handle kernel paging request at ffff810064ddaec0 RIP:
+ [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
+PGD 8063 PUD 0
+Oops: 0002 [1] SMP
+last sysfs file: /module/libata/version
+CPU 0
+Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a
+lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_
+tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg
+snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p
+c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h
+cd ohci_hcd ehci_hcd
+Pid: 12844, comm: crypto-tester Tainted: G 2.6.18-128.el5.fips1 #1
+RIP: 0010:[<ffffffff8864c4d7>] [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
+RSP: 0018:ffff8100134434e8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10
+RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0
+RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000
+R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858
+R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000
+FS: 00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0
+Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860)
+Stack: ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000
+ 0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858
+ 0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634
+Call Trace:
+ [<ffffffff8864c634>] :ccm:crypto_ccm_auth+0x12d/0x140
+ [<ffffffff8864cf73>] :ccm:crypto_ccm_decrypt+0x161/0x23a
+ [<ffffffff88633643>] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559
+[...]
+
+The above is from a RHEL5-based kernel, but upstream is susceptible too.
+
+The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains
+whatever was in memory when pctx was allocated if assoclen is 0. The tested
+fix is to simply add an else clause setting pctx->ilen to 0 for the
+assoclen == 0 case, so that get_data_to_compute() doesn't try doing
+things its not supposed to.
+
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ crypto/ccm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/ccm.c
++++ b/crypto/ccm.c
+@@ -266,6 +266,8 @@ static int crypto_ccm_auth(struct aead_r
+ if (assoclen) {
+ pctx->ilen = format_adata(idata, assoclen);
+ get_data_to_compute(cipher, pctx, req->assoc, req->assoclen);
++ } else {
++ pctx->ilen = 0;
+ }
+
+ /* compute plaintext into mac */
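Review bot: Setting `pctx->ilen = 0` in an `else` branch fixes this path but leaves the field's initialisation tied to the shape of the `if`; assigning `pctx->ilen = 0;` once before `if (assoclen)` and dropping the `else` is harder to break in a later edit. The commit message says pctx holds whatever was in memory when it was allocated, so any other pctx field that get_data_to_compute() reads should be checked for the same problem; that code is not visible in this hunk. crypto_ccm_auth starts and ends outside the hunk.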
--- /dev/null
+From 9df04e1f25effde823a600e755b51475d438f56b Mon Sep 17 00:00:00 2001
+From: Davide Libenzi <davidel@xmailserver.org>
+Date: Thu, 29 Jan 2009 14:25:26 -0800
+Subject: epoll: drop max_user_instances and rely only on max_user_watches
+
+From: Davide Libenzi <davidel@xmailserver.org>
+
+commit 9df04e1f25effde823a600e755b51475d438f56b upstream.
+
+Linus suggested to put limits where the money is, and max_user_watches
+already does that w/out the need of max_user_instances. That has the
+advantage to mitigate the potential DoS while allowing pretty generous
+default behavior.
+
+Allowing top 4% of low memory (per user) to be allocated in epoll watches,
+we have:
+
+LOMEM MAX_WATCHES (per user)
+512MB ~178000
+1GB ~356000
+2GB ~712000
+
+A box with 512MB of lomem, will meet some challenge in hitting 180K
+watches, socket buffers math teaches us. No more max_user_instances
+limits then.
+
+Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Cc: Bron Gondwana <brong@fastmail.fm>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/eventpoll.c | 22 ++++------------------
+ include/linux/sched.h | 1 -
+ 2 files changed, 4 insertions(+), 19 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -234,8 +234,6 @@ struct ep_pqueue {
+ /*
+ * Configuration options available inside /proc/sys/fs/epoll/
+ */
+-/* Maximum number of epoll devices, per user */
+-static int max_user_instances __read_mostly;
+ /* Maximum number of epoll watched descriptors, per user */
+ static int max_user_watches __read_mostly;
+
+@@ -261,14 +259,6 @@ static int zero;
+
+ ctl_table epoll_table[] = {
+ {
+- .procname = "max_user_instances",
+- .data = &max_user_instances,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = &proc_dointvec_minmax,
+- .extra1 = &zero,
+- },
+- {
+ .procname = "max_user_watches",
+ .data = &max_user_watches,
+ .maxlen = sizeof(int),
+@@ -491,7 +481,6 @@ static void ep_free(struct eventpoll *ep
+
+ mutex_unlock(&epmutex);
+ mutex_destroy(&ep->mtx);
+- atomic_dec(&ep->user->epoll_devs);
+ free_uid(ep->user);
+ kfree(ep);
+ }
+@@ -581,10 +570,6 @@ static int ep_alloc(struct eventpoll **p
+ struct eventpoll *ep;
+
+ user = get_current_user();
+- error = -EMFILE;
+- if (unlikely(atomic_read(&user->epoll_devs) >=
+- max_user_instances))
+- goto free_uid;
+ error = -ENOMEM;
+ ep = kzalloc(sizeof(*ep), GFP_KERNEL);
+ if (unlikely(!ep))
+@@ -1137,7 +1122,6 @@ SYSCALL_DEFINE1(epoll_create1, int, flag
+ flags & O_CLOEXEC);
+ if (fd < 0)
+ ep_free(ep);
+- atomic_inc(&ep->user->epoll_devs);
+
+ error_return:
+ DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n",
+@@ -1362,8 +1346,10 @@ static int __init eventpoll_init(void)
+ struct sysinfo si;
+
+ si_meminfo(&si);
+- max_user_instances = 128;
+- max_user_watches = (((si.totalram - si.totalhigh) / 32) << PAGE_SHIFT) /
++ /*
++ * Allows top 4% of lomem to be allocated for epoll watches (per user).
++ */
++ max_user_watches = (((si.totalram - si.totalhigh) / 25) << PAGE_SHIFT) /
+ EP_ITEM_COST;
+
+ /* Initialize the structure used to perform safe poll wait head wake ups */
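Review bot: With `max_user_instances` gone, `max_user_watches` is the only per-user bound on epoll memory, yet in eventpoll_init the new `/ 25` quotient is still stored in the `static int max_user_watches` shown in the first hunk. On a machine with very large low memory the computed value could exceed INT_MAX and truncate, possibly to a negative limit; whether that is reachable depends on EP_ITEM_COST, which is not visible here. Clamping the result before the assignment, or widening the variable together with its sysctl entry's `.maxlen` and handler, would keep the limit meaningful. Removing the `max_user_instances` sysctl also changes what userspace sees under /proc/sys/fs/epoll/, which deserves a line in the description.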
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -588,7 +588,6 @@ struct user_struct {
+ atomic_t inotify_devs; /* How many inotify devs does this user have opened? */
+ #endif
+ #ifdef CONFIG_EPOLL
+- atomic_t epoll_devs; /* The number of epoll descriptors currently open */
+ atomic_t epoll_watches; /* The number of file descriptors currently watched */
+ #endif
+ #ifdef CONFIG_POSIX_MQUEUE
--- /dev/null
+From a21102b55c4f8dfd3adb4a15a34cd62237b46039 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 16 Jan 2009 11:13:47 -0500
+Subject: ext3: Add sanity check to make_indexed_dir
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit a21102b55c4f8dfd3adb4a15a34cd62237b46039 upstream.
+
+Make sure the rec_len field in the '..' entry is sane, lest we overrun
+the directory block and cause a kernel oops on a purposefully
+corrupted filesystem.
+
+This fixes a bug related to a bug originally reported by Sami Liedes
+for ext4 at:
+
+http://bugzilla.kernel.org/show_bug.cgi?id=12430
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/namei.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/fs/ext3/namei.c
++++ b/fs/ext3/namei.c
+@@ -1374,7 +1374,7 @@ static int make_indexed_dir(handle_t *ha
+ struct fake_dirent *fde;
+
+ blocksize = dir->i_sb->s_blocksize;
+- dxtrace(printk("Creating index\n"));
++ dxtrace(printk(KERN_DEBUG "Creating index: inode %lu\n", dir->i_ino));
+ retval = ext3_journal_get_write_access(handle, bh);
+ if (retval) {
+ ext3_std_error(dir->i_sb, retval);
+@@ -1383,6 +1383,19 @@ static int make_indexed_dir(handle_t *ha
+ }
+ root = (struct dx_root *) bh->b_data;
+
++ /* The 0th block becomes the root, move the dirents out */
++ fde = &root->dotdot;
++ de = (struct ext3_dir_entry_2 *)((char *)fde +
++ ext3_rec_len_from_disk(fde->rec_len));
++ if ((char *) de >= (((char *) root) + blocksize)) {
++ ext3_error(dir->i_sb, __func__,
++ "invalid rec_len for '..' in inode %lu",
++ dir->i_ino);
++ brelse(bh);
++ return -EIO;
++ }
++ len = ((char *) root) + blocksize - (char *) de;
++
+ bh2 = ext3_append (handle, dir, &block, &retval);
+ if (!(bh2)) {
+ brelse(bh);
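Review bot: The new check on the '..' entry bounds `rec_len` only from above: it rejects a `de` at or past the end of the block, but a `rec_len` that is zero or smaller than the '..' entry itself still passes, leaving `de` pointing at or inside `root->dotdot`. The entries copied by the later `memcpy` would then start with a record the directory walk may not be able to step over. I would extend the condition with a lower bound, for example `ext3_rec_len_from_disk(fde->rec_len) < EXT3_DIR_REC_LEN(2) ||`, so both ends are validated before `len` is computed. The walk that consumes the copied entries is outside the hunks shown, so its behaviour on such a record should be confirmed.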
+@@ -1391,11 +1404,6 @@ static int make_indexed_dir(handle_t *ha
+ EXT3_I(dir)->i_flags |= EXT3_INDEX_FL;
+ data1 = bh2->b_data;
+
+- /* The 0th block becomes the root, move the dirents out */
+- fde = &root->dotdot;
+- de = (struct ext3_dir_entry_2 *)((char *)fde +
+- ext3_rec_len_from_disk(fde->rec_len));
+- len = ((char *) root) + blocksize - (char *) de;
+ memcpy (data1, de, len);
+ de = (struct ext3_dir_entry_2 *) data1;
+ top = data1 + len;
--- /dev/null
+From a229fc61ef0ee3c30fd193beee0eeb87410227f1 Mon Sep 17 00:00:00 2001
+From: Boaz Harrosh <bharrosh@panasas.com>
+Date: Mon, 19 Jan 2009 10:37:38 +0100
+Subject: include/linux: Add bsg.h to the Kernel exported headers
+
+From: Boaz Harrosh <bharrosh@panasas.com>
+
+commit a229fc61ef0ee3c30fd193beee0eeb87410227f1 upstream.
+
+bsg.h in current form is perfectly suitable for user-mode
+consumption. It is needed together with scsi/sg.h for applications
+that want to interface with the bsg driver.
+
+Currently the few projects that use it would copy it over into
+the projects. But that is not acceptable for projects that need
+to provide source and devel packages for distros.
+
+This should also be submitted to stable 2.6.28 and 2.6.27 since bsg had
+a stable API since these Kernels and distro users will need the header
+for these kernels as well
+
+Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
+Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -41,6 +41,7 @@ header-y += baycom.h
+ header-y += bfs_fs.h
+ header-y += blkpg.h
+ header-y += bpqether.h
++header-y += bsg.h
+ header-y += can.h
+ header-y += cdk.h
+ header-y += chio.h
--- /dev/null
+From c2fdd36b550659f5ac2240d1f5a83ffa1a092289 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sat, 17 Jan 2009 16:23:55 +0100
+Subject: PCI hotplug: fix lock imbalance in pciehp
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit c2fdd36b550659f5ac2240d1f5a83ffa1a092289 upstream.
+
+set_lock_status omits mutex_unlock in fail path. Add the omitted
+unlock.
+
+As a result a lockup caused by this can be triggered from userspace
+by writing 1 to /sys/bus/pci/slots/.../lock often enough.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Reviewed-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/hotplug/pciehp_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -126,8 +126,10 @@ static int set_lock_status(struct hotplu
+ mutex_lock(&slot->ctrl->crit_sect);
+
+ /* has it been >1 sec since our last toggle? */
+- if ((get_seconds() - slot->last_emi_toggle) < 1)
++ if ((get_seconds() - slot->last_emi_toggle) < 1) {
++ mutex_unlock(&slot->ctrl->crit_sect);
+ return -EINVAL;
++ }
+
+ /* see what our current state is */
+ retval = get_lock_status(hotplug_slot, &value);
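Review bot: The early return in set_lock_status now unlocks by hand, which fixes the imbalance but keeps two separate exit paths from the critical section, the pattern that produced the bug. A single unlock label is the usual kernel idiom: `retval = -EINVAL; goto out;` with `out:` placed before the function's existing `mutex_unlock(&slot->ctrl->crit_sect)`; the rest of the function is outside the hunk, so the label may have to be added. The relay_late_setup_files hunk in the next patch has the same shape and would benefit from the same treatment. Since the commit message notes the path is reachable from userspace through sysfs, a comment at the lock stating that every return must release it is worth having.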
--- /dev/null
+From b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sat, 17 Jan 2009 12:04:36 +0100
+Subject: relay: fix lock imbalance in relay_late_setup_files
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 upstream.
+
+One fail path in relay_late_setup_files() omits
+mutex_unlock(&relay_channels_mutex);
+Add it.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/relay.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -664,8 +664,10 @@ int relay_late_setup_files(struct rchan
+
+ mutex_lock(&relay_channels_mutex);
+ /* Is chan already set up? */
+- if (unlikely(chan->has_base_filename))
++ if (unlikely(chan->has_base_filename)) {
++ mutex_unlock(&relay_channels_mutex);
+ return -EEXIST;
++ }
+ chan->has_base_filename = 1;
+ chan->parent = parent;
+ curr_cpu = get_cpu();
--- /dev/null
+From eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Tue, 27 Jan 2009 12:31:23 -0600
+Subject: rtl8187: Fix error in setting OFDM power settings for RTL8187L
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a upstream.
+
+After reports of poor performance, a review of the latest vendor driver
+(rtl8187_linux_26.1025.0328.2007) for RTL8187L devices was undertaken.
+
+A difference was found in the code used to index the OFDM power tables. When
+the Linux driver was changed, my unit works at a much greater range than
+before. I think this fixes Bugzilla #12380 and has been tested by at least
+two other users.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: MartÃn Ernesto Barreyro <barreyromartin@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rtl8187_rtl8225.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rtl8187_rtl8225.c
++++ b/drivers/net/wireless/rtl8187_rtl8225.c
+@@ -287,7 +287,10 @@ static void rtl8225_rf_set_tx_power(stru
+ ofdm_power = priv->channels[channel - 1].hw_value >> 4;
+
+ cck_power = min(cck_power, (u8)11);
+- ofdm_power = min(ofdm_power, (u8)35);
++ if (ofdm_power > (u8)15)
++ ofdm_power = 25;
++ else
++ ofdm_power += 10;
+
+ rtl818x_iowrite8(priv, &priv->map->TX_GAIN_CCK,
+ rtl8225_tx_gain_cck_ofdm[cck_power / 6] >> 1);
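Review bot: The constants 15, 25 and 10 in the new OFDM clamp in rtl8225_rf_set_tx_power are unexplained in the code, and the same four lines are repeated in the rtl8225z2_rf_set_tx_power hunk. The commit message attributes the mapping to the vendor driver, so a comment such as `/* vendor driver: OFDM index is raw value + 10, saturating at 25 */` would record that. A small static helper shared by both functions would keep the two copies from drifting apart. The table lookups that consume `ofdm_power` lie outside the hunk, so it should be confirmed that every table indexed by it covers the new 10–25 range (up to 35 in the z2 path).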
+@@ -540,7 +543,10 @@ static void rtl8225z2_rf_set_tx_power(st
+ cck_power += priv->txpwr_base & 0xF;
+ cck_power = min(cck_power, (u8)35);
+
+- ofdm_power = min(ofdm_power, (u8)15);
++ if (ofdm_power > (u8)15)
++ ofdm_power = 25;
++ else
++ ofdm_power += 10;
+ ofdm_power += priv->txpwr_base >> 4;
+ ofdm_power = min(ofdm_power, (u8)35);
+
usb-fix-char-device-disconnect-handling.patch
usb-storage-add-unusual-devs-entry.patch
usb-usbmon-implement-compat_ioctl.patch
+alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch
+alsa-hda-add-quirk-for-hp-dv6700-laptop.patch
+alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch
+bnx2x-block-nvram-access-when-the-device-is-inactive.patch
+crypto-authenc-fix-zero-length-iv-crash.patch
+crypto-ccm-fix-handling-of-null-assoc-data.patch
+epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch
+ext3-add-sanity-check-to-make_indexed_dir.patch
+include-linux-add-bsg.h-to-the-kernel-exported-headers.patch
+sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch
+sgi-xpc-remove-null-pointer-dereference.patch
+sound-virtuoso-do-not-overwrite-eeprom-on-xonar-d2-d2x.patch
+rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch
+pci-hotplug-fix-lock-imbalance-in-pciehp.patch
+relay-fix-lock-imbalance-in-relay_late_setup_files.patch
--- /dev/null
+From 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Thu, 29 Jan 2009 14:25:06 -0800
+Subject: sgi-xpc: ensure flags are updated before bte_copy
+
+From: Robin Holt <holt@sgi.com>
+
+commit 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 upstream.
+
+The clearing of the msg->flags needs a barrier between it and the notify
+of the channel threads that the messages are cleaned and ready for use.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Dean Nelson <dcn@sgi.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sgi-xp/xpc_sn2.c | 9 +++++----
+ drivers/misc/sgi-xp/xpc_uv.c | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_sn2.c
++++ b/drivers/misc/sgi-xp/xpc_sn2.c
+@@ -1841,6 +1841,7 @@ xpc_process_msg_chctl_flags_sn2(struct x
+ */
+ xpc_clear_remote_msgqueue_flags_sn2(ch);
+
++ smp_wmb(); /* ensure flags have been cleared before bte_copy */
+ ch_sn2->w_remote_GP.put = ch_sn2->remote_GP.put;
+
+ dev_dbg(xpc_chan, "w_remote_GP.put changed to %ld, partid=%d, "
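Review bot: The added `smp_wmb()` is commented as ordering the flag clearing before a bte_copy, but smp_* barriers only order accesses between CPUs of the same kernel and reduce to compiler barriers on uniprocessor builds; if the consumer is a transfer engine or a remote partition, a mandatory `wmb()` is what the comment describes. The same question applies to the `rmb()`/`mb()`/`wmb()` to `smp_rmb()`/`smp_mb()`/`smp_wmb()` conversions in the later hunks of xpc_sn2.c and in xpc_uv.c, which weaken existing barriers and are not mentioned in the commit message. I would either keep the mandatory forms or state in each comment which observer the barrier is for. All of the affected functions start outside their hunks.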
+@@ -1939,7 +1940,7 @@ xpc_get_deliverable_payload_sn2(struct x
+ break;
+
+ get = ch_sn2->w_local_GP.get;
+- rmb(); /* guarantee that .get loads before .put */
++ smp_rmb(); /* guarantee that .get loads before .put */
+ if (get == ch_sn2->w_remote_GP.put)
+ break;
+
+@@ -2058,7 +2059,7 @@ xpc_allocate_msg_sn2(struct xpc_channel
+ while (1) {
+
+ put = ch_sn2->w_local_GP.put;
+- rmb(); /* guarantee that .put loads before .get */
++ smp_rmb(); /* guarantee that .put loads before .get */
+ if (put - ch_sn2->w_remote_GP.get < ch->local_nentries) {
+
+ /* There are available message entries. We need to try
+@@ -2191,7 +2192,7 @@ xpc_send_payload_sn2(struct xpc_channel
+ * The preceding store of msg->flags must occur before the following
+ * load of local_GP->put.
+ */
+- mb();
++ smp_mb();
+
+ /* see if the message is next in line to be sent, if so send it */
+
+@@ -2292,7 +2293,7 @@ xpc_received_payload_sn2(struct xpc_chan
+ * The preceding store of msg->flags must occur before the following
+ * load of local_GP->get.
+ */
+- mb();
++ smp_mb();
+
+ /*
+ * See if this message is next in line to be acknowledged as having
+--- a/drivers/misc/sgi-xp/xpc_uv.c
++++ b/drivers/misc/sgi-xp/xpc_uv.c
+@@ -1238,7 +1238,7 @@ xpc_send_payload_uv(struct xpc_channel *
+ atomic_inc(&ch->n_to_notify);
+
+ msg_slot->key = key;
+- wmb(); /* a non-NULL func must hit memory after the key */
++ smp_wmb(); /* a non-NULL func must hit memory after the key */
+ msg_slot->func = func;
+
+ if (ch->flags & XPC_C_DISCONNECTING) {
--- /dev/null
+From 17e2161654da4e6bdfd8d53d4f52e820ee93f423 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Thu, 29 Jan 2009 14:25:07 -0800
+Subject: sgi-xpc: Remove NULL pointer dereference.
+
+From: Robin Holt <holt@sgi.com>
+
+commit 17e2161654da4e6bdfd8d53d4f52e820ee93f423 upstream.
+
+If the bte copy fails, the attempt to retrieve payloads merely returns a
+null pointer deref and not NULL as was expected.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Dean Nelson <dcn@sgi.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sgi-xp/xpc_sn2.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_sn2.c
++++ b/drivers/misc/sgi-xp/xpc_sn2.c
+@@ -1962,11 +1962,13 @@ xpc_get_deliverable_payload_sn2(struct x
+
+ msg = xpc_pull_remote_msg_sn2(ch, get);
+
+- DBUG_ON(msg != NULL && msg->number != get);
+- DBUG_ON(msg != NULL && (msg->flags & XPC_M_SN2_DONE));
+- DBUG_ON(msg != NULL && !(msg->flags & XPC_M_SN2_READY));
++ if (msg != NULL) {
++ DBUG_ON(msg->number != get);
++ DBUG_ON(msg->flags & XPC_M_SN2_DONE);
++ DBUG_ON(!(msg->flags & XPC_M_SN2_READY));
+
+- payload = &msg->payload;
++ payload = &msg->payload;
++ }
+ break;
+ }
+
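Review bot: With the assignment `payload = &msg->payload` now inside `if (msg != NULL)`, the function returns NULL on a failed pull only if `payload` was initialised to NULL at its declaration, which is outside the hunk. If it is not, the fix trades a NULL dereference for an uninitialised pointer being returned; the declaration should read `void *payload = NULL;` (or the matching type). A brief comment on the `if`, e.g. `/* pull failed: leave payload NULL for the caller */`, would document the contract.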
--- /dev/null
+From 7e86c0e6850504ec9516b953f316a47277825e33 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Thu, 15 Jan 2009 10:21:23 +0100
+Subject: sound: virtuoso: do not overwrite EEPROM on Xonar D2/D2X
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit 7e86c0e6850504ec9516b953f316a47277825e33 upstream.
+
+On the Asus Xonar D2 and D2X models, the SPI chip select signal for the
+fourth DAC shares its pin with the serial clock for the EEPROM that
+contains the PCI subdevice ID values. It appears that when DAC
+registers are written and some other unknown conditions occur (probably
+noise on the EEPROM's chip select line), the EEPROM gets overwritten
+with garbage, which makes it impossible to properly detect the card
+later.
+
+Therefore, we better avoid DAC register writes and make sure that the
+driver works with the DAC's registers' default values. Consequently,
+the sample format is now I2S instead of left-justified (no user-visible
+change), and the DAC's volume/mute registers cannot be used anymore
+(volume changes are now done by the software volume plugin).
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/oxygen/virtuoso.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/sound/pci/oxygen/virtuoso.c
++++ b/sound/pci/oxygen/virtuoso.c
+@@ -26,7 +26,7 @@
+ * SPI 0 -> 1st PCM1796 (front)
+ * SPI 1 -> 2nd PCM1796 (surround)
+ * SPI 2 -> 3rd PCM1796 (center/LFE)
+- * SPI 4 -> 4th PCM1796 (back)
++ * SPI 4 -> 4th PCM1796 (back) and EEPROM self-destruct (do not use!)
+ *
+ * GPIO 2 -> M0 of CS5381
+ * GPIO 3 -> M1 of CS5381
+@@ -142,6 +142,12 @@ struct xonar_data {
+ static void pcm1796_write(struct oxygen *chip, unsigned int codec,
+ u8 reg, u8 value)
+ {
++ /*
++ * We don't want to do writes on SPI 4 because the EEPROM, which shares
++ * the same pin, might get confused and broken. We'd better take care
++ * that the driver works with the default register values ...
++ */
++#if 0
+ /* maps ALSA channel pair number to SPI output */
+ static const u8 codec_map[4] = {
+ 0, 1, 2, 4
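Review bot: The comment added to pcm1796_write speaks of avoiding writes on SPI 4, but the `#if 0` that follows removes every write the function made, including those to the DACs on SPI 0–2, so the function is now a silent no-op for all callers. The comment should say that, e.g. `/* all PCM1796 register writes are disabled; callers have no effect and the DACs run with their reset defaults */`. Code parked under `#if 0` is also easy to re-enable by accident, which on this hardware means risking the EEPROM again; deleting the body outright would be the safer choice. The `#endif` sits in the next hunk.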
+@@ -152,6 +158,7 @@ static void pcm1796_write(struct oxygen
+ (codec_map[codec] << OXYGEN_SPI_CODEC_SHIFT) |
+ OXYGEN_SPI_CEN_LATCH_CLOCK_HI,
+ (reg << 8) | value);
++#endif
+ }
+
+ static void cs4398_write(struct oxygen *chip, u8 reg, u8 value)
+@@ -539,6 +546,9 @@ static const DECLARE_TLV_DB_SCALE(cs4362
+
+ static int xonar_d2_control_filter(struct snd_kcontrol_new *template)
+ {
++ if (!strncmp(template->name, "Master Playback ", 16))
++ /* disable volume/mute because they would require SPI writes */
++ return 1;
+ if (!strncmp(template->name, "CD Capture ", 11))
+ /* CD in is actually connected to the video in pin */
+ template->private_value ^= AC97_CD ^ AC97_VIDEO;
+@@ -588,9 +598,8 @@ static const struct oxygen_model xonar_m
+ .dac_volume_min = 0x0f,
+ .dac_volume_max = 0xff,
+ .misc_flags = OXYGEN_MISC_MIDI,
+- .function_flags = OXYGEN_FUNCTION_SPI |
+- OXYGEN_FUNCTION_ENABLE_SPI_4_5,
+- .dac_i2s_format = OXYGEN_I2S_FORMAT_LJUST,
++ .function_flags = OXYGEN_FUNCTION_SPI,
++ .dac_i2s_format = OXYGEN_I2S_FORMAT_I2S,
+ .adc_i2s_format = OXYGEN_I2S_FORMAT_LJUST,
+ },
+ [MODEL_D2X] = {
+@@ -619,9 +628,8 @@ static const struct oxygen_model xonar_m
+ .dac_volume_min = 0x0f,
+ .dac_volume_max = 0xff,
+ .misc_flags = OXYGEN_MISC_MIDI,
+- .function_flags = OXYGEN_FUNCTION_SPI |
+- OXYGEN_FUNCTION_ENABLE_SPI_4_5,
+- .dac_i2s_format = OXYGEN_I2S_FORMAT_LJUST,
++ .function_flags = OXYGEN_FUNCTION_SPI,
++ .dac_i2s_format = OXYGEN_I2S_FORMAT_I2S,
+ .adc_i2s_format = OXYGEN_I2S_FORMAT_LJUST,
+ },
+ [MODEL_D1] = {