--- /dev/null
+From 2a88464ceb1bda2571f88902fd8068a6168e3f7b Mon Sep 17 00:00:00 2001
+From: Luke Yelavich <themuso@ubuntu.com>
+Date: Wed, 28 Jan 2009 15:58:38 +1100
+Subject: ALSA: hda - add another MacBook Pro 4, 1 subsystem ID
+
+From: Luke Yelavich <themuso@ubuntu.com>
+
+commit 2a88464ceb1bda2571f88902fd8068a6168e3f7b upstream.
+
+Add another MacBook Pro 4,1 SSID (106b:3800). It seems that latter revisions,
+(at least mine), have different IDs to earlier revisions.
+
+Signed-off-by: Luke Yelavich <themuso@ubuntu.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6780,6 +6780,7 @@ static int patch_alc882(struct hda_codec
+ case 0x106b00a4: /* MacbookPro4,1 */
+ case 0x106b2c00: /* Macbook Pro rev3 */
+ case 0x106b3600: /* Macbook 3.1 */
++ case 0x106b3800: /* MacbookPro4,1 - latter revision */
+ board_config = ALC885_MBP3;
+ break;
+ default:
--- /dev/null
+From aa9d823bb347fb66cb07f98c686be8bb85cb6a74 Mon Sep 17 00:00:00 2001
+From: Joerg Schirottke <master@kanotix.com>
+Date: Tue, 27 Jan 2009 11:01:34 +0100
+Subject: ALSA: hda - Add quirk for HP DV6700 laptop
+
+From: Joerg Schirottke <master@kanotix.com>
+
+commit aa9d823bb347fb66cb07f98c686be8bb85cb6a74 upstream.
+
+Added the matching model=laptop for HP DV6700 laptop.
+
+Signed-off-by: Joerg Schirottke <master@kanotix.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1470,6 +1470,7 @@ static struct snd_pci_quirk cxt5047_cfg_
+ SND_PCI_QUIRK(0x103c, 0x30a5, "HP DV5200T/DV8000T", CXT5047_LAPTOP_HP),
+ SND_PCI_QUIRK(0x103c, 0x30b2, "HP DV2000T/DV3000T", CXT5047_LAPTOP),
+ SND_PCI_QUIRK(0x103c, 0x30b5, "HP DV2000Z", CXT5047_LAPTOP),
++ SND_PCI_QUIRK(0x103c, 0x30cf, "HP DV6700", CXT5047_LAPTOP),
+ SND_PCI_QUIRK(0x1179, 0xff31, "Toshiba P100", CXT5047_LAPTOP_EAPD),
+ {}
+ };
--- /dev/null
+From 00a602db1ce9d61319d6f769dee206ec85f19bda Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 23 Jan 2009 11:55:42 +0100
+Subject: ALSA: hda - Fix PCM reference NID for STAC/IDT analog outputs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 00a602db1ce9d61319d6f769dee206ec85f19bda upstream.
+
+The reference NID for the analog outputs of STAC/IDT codecs is set
+to a fixed number 0x02. But this isn't always correct and in many
+codecs it points to a non-existing NID.
+
+This patch fixes the initialization of the PCM reference NID taken
+from the actually probed DAC list.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_sigmatel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -2428,6 +2428,8 @@ static int stac92xx_build_pcms(struct hd
+
+ info->name = "STAC92xx Analog";
+ info->stream[SNDRV_PCM_STREAM_PLAYBACK] = stac92xx_pcm_analog_playback;
++ info->stream[SNDRV_PCM_STREAM_PLAYBACK].nid =
++ spec->multiout.dac_nids[0];
+ info->stream[SNDRV_PCM_STREAM_CAPTURE] = stac92xx_pcm_analog_capture;
+ info->stream[SNDRV_PCM_STREAM_CAPTURE].nid = spec->adc_nids[0];
+ info->stream[SNDRV_PCM_STREAM_CAPTURE].substreams = spec->num_adcs;
--- /dev/null
+From 2add3acb11a26cc14b54669433ae6ace6406cbf2 Mon Sep 17 00:00:00 2001
+From: Eilon Greenstein <eilong@broadcom.com>
+Date: Wed, 14 Jan 2009 06:44:07 +0000
+Subject: bnx2x: Block nvram access when the device is inactive
+
+From: Eilon Greenstein <eilong@broadcom.com>
+
+commit 2add3acb11a26cc14b54669433ae6ace6406cbf2 upstream.
+
+Don't dump eeprom when bnx2x adapter is down. Running ethtool -e causes an eeh
+without it when the device is down
+
+Signed-off-by: Paul Larson <pl@linux.vnet.ibm.com>
+Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bnx2x_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/bnx2x_main.c
++++ b/drivers/net/bnx2x_main.c
+@@ -8079,6 +8079,9 @@ static int bnx2x_get_eeprom(struct net_d
+ struct bnx2x *bp = netdev_priv(dev);
+ int rc;
+
++ if (!netif_running(dev))
++ return -EAGAIN;
++
+ DP(BNX2X_MSG_NVM, "ethtool_eeprom: cmd %d\n"
+ DP_LEVEL " magic 0x%x offset 0x%x (%d) len 0x%x (%d)\n",
+ eeprom->cmd, eeprom->magic, eeprom->offset, eeprom->offset,
--- /dev/null
+From 29b37f42127f7da511560a40ea74f5047da40c13 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 13 Jan 2009 11:26:18 +1100
+Subject: crypto: authenc - Fix zero-length IV crash
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 29b37f42127f7da511560a40ea74f5047da40c13 upstream.
+
+As it is if an algorithm with a zero-length IV is used (e.g.,
+NULL encryption) with authenc, authenc may generate an SG entry
+of length zero, which will trigger a BUG check in the hash layer.
+
+This patch fixes it by skipping the IV SG generation if the IV
+size is zero.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ crypto/authenc.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -157,16 +157,19 @@ static int crypto_authenc_genicv(struct
+ dstp = sg_page(dst);
+ vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
+
+- sg_init_table(cipher, 2);
+- sg_set_buf(cipher, iv, ivsize);
+- authenc_chain(cipher, dst, vdst == iv + ivsize);
++ if (ivsize) {
++ sg_init_table(cipher, 2);
++ sg_set_buf(cipher, iv, ivsize);
++ authenc_chain(cipher, dst, vdst == iv + ivsize);
++ dst = cipher;
++ }
+
+ cryptlen = req->cryptlen + ivsize;
+- hash = crypto_authenc_hash(req, flags, cipher, cryptlen);
++ hash = crypto_authenc_hash(req, flags, dst, cryptlen);
+ if (IS_ERR(hash))
+ return PTR_ERR(hash);
+
+- scatterwalk_map_and_copy(hash, cipher, cryptlen,
++ scatterwalk_map_and_copy(hash, dst, cryptlen,
+ crypto_aead_authsize(authenc), 1);
+ return 0;
+ }
+@@ -284,11 +287,14 @@ static int crypto_authenc_iverify(struct
+ srcp = sg_page(src);
+ vsrc = PageHighMem(srcp) ? NULL : page_address(srcp) + src->offset;
+
+- sg_init_table(cipher, 2);
+- sg_set_buf(cipher, iv, ivsize);
+- authenc_chain(cipher, src, vsrc == iv + ivsize);
++ if (ivsize) {
++ sg_init_table(cipher, 2);
++ sg_set_buf(cipher, iv, ivsize);
++ authenc_chain(cipher, src, vsrc == iv + ivsize);
++ src = cipher;
++ }
+
+- return crypto_authenc_verify(req, cipher, cryptlen + ivsize);
++ return crypto_authenc_verify(req, src, cryptlen + ivsize);
+ }
+
+ static int crypto_authenc_decrypt(struct aead_request *req)
--- /dev/null
+From 516280e735b034216de97eb7ba080ec6acbfc58f Mon Sep 17 00:00:00 2001
+From: Jarod Wilson <jarod@redhat.com>
+Date: Thu, 22 Jan 2009 19:58:15 +1100
+Subject: crypto: ccm - Fix handling of null assoc data
+
+From: Jarod Wilson <jarod@redhat.com>
+
+commit 516280e735b034216de97eb7ba080ec6acbfc58f upstream.
+
+Its a valid use case to have null associated data in a ccm vector, but
+this case isn't being handled properly right now.
+
+The following ccm decryption/verification test vector, using the
+rfc4309 implementation regularly triggers a panic, as will any
+other vector with null assoc data:
+
+* key: ab2f8a74b71cd2b1ff802e487d82f8b9
+* iv: c6fb7d800d13abd8a6b2d8
+* Associated Data: [NULL]
+* Tag Length: 8
+* input: d5e8939fc7892e2b
+
+The resulting panic looks like so:
+
+Unable to handle kernel paging request at ffff810064ddaec0 RIP:
+ [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
+PGD 8063 PUD 0
+Oops: 0002 [1] SMP
+last sysfs file: /module/libata/version
+CPU 0
+Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a
+lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_
+tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg
+snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p
+c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h
+cd ohci_hcd ehci_hcd
+Pid: 12844, comm: crypto-tester Tainted: G 2.6.18-128.el5.fips1 #1
+RIP: 0010:[<ffffffff8864c4d7>] [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
+RSP: 0018:ffff8100134434e8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10
+RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0
+RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000
+R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858
+R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000
+FS: 00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0
+Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860)
+Stack: ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000
+ 0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858
+ 0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634
+Call Trace:
+ [<ffffffff8864c634>] :ccm:crypto_ccm_auth+0x12d/0x140
+ [<ffffffff8864cf73>] :ccm:crypto_ccm_decrypt+0x161/0x23a
+ [<ffffffff88633643>] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559
+[...]
+
+The above is from a RHEL5-based kernel, but upstream is susceptible too.
+
+The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains
+whatever was in memory when pctx was allocated if assoclen is 0. The tested
+fix is to simply add an else clause setting pctx->ilen to 0 for the
+assoclen == 0 case, so that get_data_to_compute() doesn't try doing
+things its not supposed to.
+
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ crypto/ccm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/ccm.c
++++ b/crypto/ccm.c
+@@ -266,6 +266,8 @@ static int crypto_ccm_auth(struct aead_r
+ if (assoclen) {
+ pctx->ilen = format_adata(idata, assoclen);
+ get_data_to_compute(cipher, pctx, req->assoc, req->assoclen);
++ } else {
++ pctx->ilen = 0;
+ }
+
+ /* compute plaintext into mac */
--- /dev/null
+From yur@emcraft.com Fri Jan 30 17:40:59 2009
+From: Yuri Tikhonov <yur@emcraft.com>
+Date: Thu, 29 Jan 2009 15:37:13 +0300
+Subject: dmaengine: fix dependency chaining
+To: Greg KH <greg@kroah.com>
+Cc: stable@kernel.org, Dan Williams <dan.j.williams@intel.com>, wd@denx.de
+Message-ID: <200901291537.13536.yur@emcraft.com>
+Content-Disposition: inline
+
+From: Yuri Tikhonov <yur@emcraft.com>
+
+commit dd59b8537f6cb53ab863fafad86a5828f1e889a2 upstream
+
+
+ ASYNC_TX: fix dependency chaining
+
+ In ASYNC_TX we track the dependencies between the descriptors
+using the 'next' pointers of the structures. These pointers are
+set to NULL as soon as the corresponding descriptor has been
+submitted to the channel (in async_tx_run_dependencies()).
+ But, the first 'next' in chain still remains set, regardless
+the fact, that tx->next is already submitted. This may lead to
+multiple submisions of the same descriptor. This patch fixes this.
+
+Signed-off-by: Yuri Tikhonov <yur@emcraft.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ crypto/async_tx/async_tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/async_tx/async_tx.c
++++ b/crypto/async_tx/async_tx.c
+@@ -124,6 +124,8 @@ void async_tx_run_dependencies(struct dm
+ if (!dep)
+ return;
+
++ /* we'll submit tx->next now, so clear the link */
++ tx->next = NULL;
+ chan = dep->chan;
+
+ /* keep submitting up until a channel switch is detected
--- /dev/null
+From 9df04e1f25effde823a600e755b51475d438f56b Mon Sep 17 00:00:00 2001
+From: Davide Libenzi <davidel@xmailserver.org>
+Date: Thu, 29 Jan 2009 14:25:26 -0800
+Subject: epoll: drop max_user_instances and rely only on max_user_watches
+
+From: Davide Libenzi <davidel@xmailserver.org>
+
+commit 9df04e1f25effde823a600e755b51475d438f56b upstream.
+
+Linus suggested to put limits where the money is, and max_user_watches
+already does that w/out the need of max_user_instances. That has the
+advantage to mitigate the potential DoS while allowing pretty generous
+default behavior.
+
+Allowing top 4% of low memory (per user) to be allocated in epoll watches,
+we have:
+
+LOMEM MAX_WATCHES (per user)
+512MB ~178000
+1GB ~356000
+2GB ~712000
+
+A box with 512MB of lomem, will meet some challenge in hitting 180K
+watches, socket buffers math teaches us. No more max_user_instances
+limits then.
+
+Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Cc: Bron Gondwana <brong@fastmail.fm>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/eventpoll.c | 22 ++++------------------
+ include/linux/sched.h | 1 -
+ 2 files changed, 4 insertions(+), 19 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -234,8 +234,6 @@ struct ep_pqueue {
+ /*
+ * Configuration options available inside /proc/sys/fs/epoll/
+ */
+-/* Maximum number of epoll devices, per user */
+-static int max_user_instances __read_mostly;
+ /* Maximum number of epoll watched descriptors, per user */
+ static int max_user_watches __read_mostly;
+
+@@ -261,14 +259,6 @@ static int zero;
+
+ ctl_table epoll_table[] = {
+ {
+- .procname = "max_user_instances",
+- .data = &max_user_instances,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = &proc_dointvec_minmax,
+- .extra1 = &zero,
+- },
+- {
+ .procname = "max_user_watches",
+ .data = &max_user_watches,
+ .maxlen = sizeof(int),
+@@ -491,7 +481,6 @@ static void ep_free(struct eventpoll *ep
+
+ mutex_unlock(&epmutex);
+ mutex_destroy(&ep->mtx);
+- atomic_dec(&ep->user->epoll_devs);
+ free_uid(ep->user);
+ kfree(ep);
+ }
+@@ -581,10 +570,6 @@ static int ep_alloc(struct eventpoll **p
+ struct eventpoll *ep;
+
+ user = get_current_user();
+- error = -EMFILE;
+- if (unlikely(atomic_read(&user->epoll_devs) >=
+- max_user_instances))
+- goto free_uid;
+ error = -ENOMEM;
+ ep = kzalloc(sizeof(*ep), GFP_KERNEL);
+ if (unlikely(!ep))
+@@ -1141,7 +1126,6 @@ SYSCALL_DEFINE1(epoll_create1, int, flag
+ flags & O_CLOEXEC);
+ if (fd < 0)
+ ep_free(ep);
+- atomic_inc(&ep->user->epoll_devs);
+
+ error_return:
+ DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n",
+@@ -1366,8 +1350,10 @@ static int __init eventpoll_init(void)
+ struct sysinfo si;
+
+ si_meminfo(&si);
+- max_user_instances = 128;
+- max_user_watches = (((si.totalram - si.totalhigh) / 32) << PAGE_SHIFT) /
++ /*
++ * Allows top 4% of lomem to be allocated for epoll watches (per user).
++ */
++ max_user_watches = (((si.totalram - si.totalhigh) / 25) << PAGE_SHIFT) /
+ EP_ITEM_COST;
+
+ /* Initialize the structure used to perform safe poll wait head wake ups */
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -631,7 +631,6 @@ struct user_struct {
+ atomic_t inotify_devs; /* How many inotify devs does this user have opened? */
+ #endif
+ #ifdef CONFIG_EPOLL
+- atomic_t epoll_devs; /* The number of epoll descriptors currently open */
+ atomic_t epoll_watches; /* The number of file descriptors currently watched */
+ #endif
+ #ifdef CONFIG_POSIX_MQUEUE
--- /dev/null
+From a21102b55c4f8dfd3adb4a15a34cd62237b46039 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 16 Jan 2009 11:13:47 -0500
+Subject: ext3: Add sanity check to make_indexed_dir
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit a21102b55c4f8dfd3adb4a15a34cd62237b46039 upstream.
+
+Make sure the rec_len field in the '..' entry is sane, lest we overrun
+the directory block and cause a kernel oops on a purposefully
+corrupted filesystem.
+
+This fixes a bug related to a bug originally reported by Sami Liedes
+for ext4 at:
+
+http://bugzilla.kernel.org/show_bug.cgi?id=12430
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/namei.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/fs/ext3/namei.c
++++ b/fs/ext3/namei.c
+@@ -1357,7 +1357,7 @@ static int make_indexed_dir(handle_t *ha
+ struct fake_dirent *fde;
+
+ blocksize = dir->i_sb->s_blocksize;
+- dxtrace(printk("Creating index\n"));
++ dxtrace(printk(KERN_DEBUG "Creating index: inode %lu\n", dir->i_ino));
+ retval = ext3_journal_get_write_access(handle, bh);
+ if (retval) {
+ ext3_std_error(dir->i_sb, retval);
+@@ -1366,6 +1366,19 @@ static int make_indexed_dir(handle_t *ha
+ }
+ root = (struct dx_root *) bh->b_data;
+
++ /* The 0th block becomes the root, move the dirents out */
++ fde = &root->dotdot;
++ de = (struct ext3_dir_entry_2 *)((char *)fde +
++ ext3_rec_len_from_disk(fde->rec_len));
++ if ((char *) de >= (((char *) root) + blocksize)) {
++ ext3_error(dir->i_sb, __func__,
++ "invalid rec_len for '..' in inode %lu",
++ dir->i_ino);
++ brelse(bh);
++ return -EIO;
++ }
++ len = ((char *) root) + blocksize - (char *) de;
++
+ bh2 = ext3_append (handle, dir, &block, &retval);
+ if (!(bh2)) {
+ brelse(bh);
+@@ -1374,11 +1387,6 @@ static int make_indexed_dir(handle_t *ha
+ EXT3_I(dir)->i_flags |= EXT3_INDEX_FL;
+ data1 = bh2->b_data;
+
+- /* The 0th block becomes the root, move the dirents out */
+- fde = &root->dotdot;
+- de = (struct ext3_dir_entry_2 *)((char *)fde +
+- ext3_rec_len_from_disk(fde->rec_len));
+- len = ((char *) root) + blocksize - (char *) de;
+ memcpy (data1, de, len);
+ de = (struct ext3_dir_entry_2 *) data1;
+ top = data1 + len;
--- /dev/null
+From akpm@linux-foundation.org Wed Jan 28 13:44:38 2009
+From: Andrew Morton <akpm@linux-foundation.org>
+Date: Wed, 28 Jan 2009 13:43:50 -0800
+Subject: Fix OOPS in mmap_region() when merging adjacent VM_LOCKED file segments
+To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
+Cc: npiggin@suse.de, torvalds@linux-foundation.org, gregkh@suse.de, will@crowder-design.com, Hugh Dickins <hugh@veritas.com>, Rik van Riel <riel@redhat.com>
+Message-ID: <20090128134350.034ac6a7.akpm@linux-foundation.org>
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+This patch differs from the upstream commit
+de33c8db5910cda599899dd431cc30d7c1018cbf written by Linus, as it aims to
+only prevent the oops from happening, not attempt to change anything
+else.
+
+
+The problem was introduced by commit
+ba470de43188cdbff795b5da43a1474523c6c2fb
+
+which added new references to *vma after we've potentially freed it.
+
+From: Andrew Morton <akpm@linux-foundation.org>
+Reported-by: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
+Tested-by: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
+Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
+Cc: Nick Piggin <npiggin@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Hugh Dickins <hugh@veritas.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ mm/mmap.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1095,6 +1095,7 @@ unsigned long mmap_region(struct file *f
+ {
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma, *prev;
++ struct vm_area_struct *merged_vma;
+ int correct_wcount = 0;
+ int error;
+ struct rb_node **rb_link, *rb_parent;
+@@ -1207,13 +1208,17 @@ munmap_back:
+ if (vma_wants_writenotify(vma))
+ vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
+
+- if (file && vma_merge(mm, prev, addr, vma->vm_end,
+- vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
++ merged_vma = NULL;
++ if (file)
++ merged_vma = vma_merge(mm, prev, addr, vma->vm_end,
++ vma->vm_flags, NULL, file, pgoff, vma_policy(vma));
++ if (merged_vma) {
+ mpol_put(vma_policy(vma));
+ kmem_cache_free(vm_area_cachep, vma);
+ fput(file);
+ if (vm_flags & VM_EXECUTABLE)
+ removed_exe_file_vma(mm);
++ vma = merged_vma;
+ } else {
+ vma_link(mm, vma, prev, rb_link, rb_parent);
+ file = vma->vm_file;
--- /dev/null
+From suresh.b.siddha@intel.com Fri Jan 30 17:39:13 2009
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+Date: Wed, 28 Jan 2009 16:51:52 -0800
+Subject: x86, pat: fix reserve_memtype() for legacy 1MB range
+To: greg@kroah.com
+Cc: stable@kernel.org, Suresh Siddha <suresh.b.siddha@intel.com>, Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>, Ingo Molnar <mingo@elte.hu>, tvignaud@mandriva.com
+Message-ID: <20090129005328.952031000@intel.com>
+Content-Disposition: inline; filename=fix_reserve_memtype_1MB.patch
+
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+
+commit 5cca0cf15a94417f49625ce52e23589eed0a1675 upstream
+
+Thierry Vignaud reported:
+> http://bugzilla.kernel.org/show_bug.cgi?id=12372
+>
+> On P4 with an SiS motherboard (video card is a SiS 651)
+> X server fails to start with error:
+> xf86MapVidMem: Could not mmap framebuffer (0x00000000,0x2000) (Invalid
+> argument)
+
+Here X is trying to map first 8KB of memory using /dev/mem. Existing
+code treats first 0-4KB of memory as non-RAM and 4KB-8KB as RAM. Recent
+code changes don't allow to map memory with different attributes
+at the same time.
+
+Fix this by treating the first 1MB legacy region as special and always
+track the attribute requests with in this region using linear linked
+list (and don't bother if the range is RAM or non-RAM or mixed)
+
+Reported-and-tested-by: Thierry Vignaud <tvignaud@mandriva.com>
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/mm/pat.c | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -333,11 +333,20 @@ int reserve_memtype(u64 start, u64 end,
+ req_type & _PAGE_CACHE_MASK);
+ }
+
+- is_range_ram = pagerange_is_ram(start, end);
+- if (is_range_ram == 1)
+- return reserve_ram_pages_type(start, end, req_type, new_type);
+- else if (is_range_ram < 0)
+- return -EINVAL;
++ /*
++ * For legacy reasons, some parts of the physical address range in the
++ * legacy 1MB region is treated as non-RAM (even when listed as RAM in
++ * the e820 tables). So we will track the memory attributes of this
++ * legacy 1MB region using the linear memtype_list always.
++ */
++ if (end >= ISA_END_ADDRESS) {
++ is_range_ram = pagerange_is_ram(start, end);
++ if (is_range_ram == 1)
++ return reserve_ram_pages_type(start, end, req_type,
++ new_type);
++ else if (is_range_ram < 0)
++ return -EINVAL;
++ }
+
+ new = kmalloc(sizeof(struct memtype), GFP_KERNEL);
+ if (!new)
+@@ -437,11 +446,19 @@ int free_memtype(u64 start, u64 end)
+ if (is_ISA_range(start, end - 1))
+ return 0;
+
+- is_range_ram = pagerange_is_ram(start, end);
+- if (is_range_ram == 1)
+- return free_ram_pages_type(start, end);
+- else if (is_range_ram < 0)
+- return -EINVAL;
++ /*
++ * For legacy reasons, some parts of the physical address range in the
++ * legacy 1MB region is treated as non-RAM (even when listed as RAM in
++ * the e820 tables). So we will track the memory attributes of this
++ * legacy 1MB region using the linear memtype_list always.
++ */
++ if (end >= ISA_END_ADDRESS) {
++ is_range_ram = pagerange_is_ram(start, end);
++ if (is_range_ram == 1)
++ return free_ram_pages_type(start, end);
++ else if (is_range_ram < 0)
++ return -EINVAL;
++ }
+
+ spin_lock(&memtype_lock);
+ list_for_each_entry(entry, &memtype_list, nd) {
--- /dev/null
+From 7460db567bbca76bf087d1694d792a1a96bdaa26 Mon Sep 17 00:00:00 2001
+From: Magnus Damm <damm@igel.co.jp>
+Date: Thu, 29 Jan 2009 14:25:12 -0800
+Subject: gpiolib: fix request related issue
+
+From: Magnus Damm <damm@igel.co.jp>
+
+commit 7460db567bbca76bf087d1694d792a1a96bdaa26 upstream.
+
+Fix request-already-requested handling in gpio_request().
+
+Signed-off-by: Magnus Damm <damm@igel.co.jp>
+Acked-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpio/gpiolib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -789,6 +789,7 @@ int gpio_request(unsigned gpio, const ch
+ } else {
+ status = -EBUSY;
+ module_put(chip->owner);
++ goto done;
+ }
+
+ if (chip->request) {
--- /dev/null
+From a229fc61ef0ee3c30fd193beee0eeb87410227f1 Mon Sep 17 00:00:00 2001
+From: Boaz Harrosh <bharrosh@panasas.com>
+Date: Mon, 19 Jan 2009 10:37:38 +0100
+Subject: include/linux: Add bsg.h to the Kernel exported headers
+
+From: Boaz Harrosh <bharrosh@panasas.com>
+
+commit a229fc61ef0ee3c30fd193beee0eeb87410227f1 upstream.
+
+bsg.h in current form is perfectly suitable for user-mode
+consumption. It is needed together with scsi/sg.h for applications
+that want to interface with the bsg driver.
+
+Currently the few projects that use it would copy it over into
+the projects. But that is not acceptable for projects that need
+to provide source and devel packages for distros.
+
+This should also be submitted to stable 2.6.28 and 2.6.27 since bsg had
+a stable API since these Kernels and distro users will need the header
+for these kernels a swell
+
+Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
+Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -41,6 +41,7 @@ header-y += baycom.h
+ header-y += bfs_fs.h
+ header-y += blkpg.h
+ header-y += bpqether.h
++header-y += bsg.h
+ header-y += can.h
+ header-y += cdk.h
+ header-y += chio.h
--- /dev/null
+From 357f5b0b91054ae23385ea4b0634bb8b43736e83 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sat, 17 Jan 2009 06:47:12 +0000
+Subject: NET: net_namespace, fix lock imbalance
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 357f5b0b91054ae23385ea4b0634bb8b43736e83 upstream.
+
+register_pernet_gen_subsys omits mutex_unlock in one fail path.
+Fix it.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/net_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -342,8 +342,8 @@ again:
+ rv = register_pernet_operations(first_device, ops);
+ if (rv < 0)
+ ida_remove(&net_generic_ids, *id);
+- mutex_unlock(&net_mutex);
+ out:
++ mutex_unlock(&net_mutex);
+ return rv;
+ }
+ EXPORT_SYMBOL_GPL(register_pernet_gen_subsys);
--- /dev/null
+From c2fdd36b550659f5ac2240d1f5a83ffa1a092289 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sat, 17 Jan 2009 16:23:55 +0100
+Subject: PCI hotplug: fix lock imbalance in pciehp
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit c2fdd36b550659f5ac2240d1f5a83ffa1a092289 upstream.
+
+set_lock_status omits mutex_unlock in fail path. Add the omitted
+unlock.
+
+As a result a lockup caused by this can be triggered from userspace
+by writing 1 to /sys/bus/pci/slots/.../lock often enough.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Reviewed-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/hotplug/pciehp_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -126,8 +126,10 @@ static int set_lock_status(struct hotplu
+ mutex_lock(&slot->ctrl->crit_sect);
+
+ /* has it been >1 sec since our last toggle? */
+- if ((get_seconds() - slot->last_emi_toggle) < 1)
++ if ((get_seconds() - slot->last_emi_toggle) < 1) {
++ mutex_unlock(&slot->ctrl->crit_sect);
+ return -EINVAL;
++ }
+
+ /* see what our current state is */
+ retval = get_lock_status(hotplug_slot, &value);
--- /dev/null
+From b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sat, 17 Jan 2009 12:04:36 +0100
+Subject: relay: fix lock imbalance in relay_late_setup_files
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit b786c6a98ef6fa81114ba7b9fbfc0d67060775e3 upstream.
+
+One fail path in relay_late_setup_files() omits
+mutex_unlock(&relay_channels_mutex);
+Add it.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -663,8 +663,10 @@ int relay_late_setup_files(struct rchan *chan,
+
+ mutex_lock(&relay_channels_mutex);
+ /* Is chan already set up? */
+- if (unlikely(chan->has_base_filename))
++ if (unlikely(chan->has_base_filename)) {
++ mutex_unlock(&relay_channels_mutex);
+ return -EEXIST;
++ }
+ chan->has_base_filename = 1;
+ chan->parent = parent;
+ curr_cpu = get_cpu();
--- /dev/null
+From eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Tue, 27 Jan 2009 12:31:23 -0600
+Subject: rtl8187: Fix error in setting OFDM power settings for RTL8187L
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit eb83bbf57429ab80f49b413e3e44d3b19c3fdc5a upstream.
+
+After reports of poor performance, a review of the latest vendor driver
+(rtl8187_linux_26.1025.0328.2007) for RTL8187L devices was undertaken.
+
+A difference was found in the code used to index the OFDM power tables. When
+the Linux driver was changed, my unit works at a much greater range than
+before. I think this fixes Bugzilla #12380 and has been tested by at least
+two other users.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: MartÃn Ernesto Barreyro <barreyromartin@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rtl8187_rtl8225.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rtl8187_rtl8225.c
++++ b/drivers/net/wireless/rtl8187_rtl8225.c
+@@ -287,7 +287,10 @@ static void rtl8225_rf_set_tx_power(stru
+ ofdm_power = priv->channels[channel - 1].hw_value >> 4;
+
+ cck_power = min(cck_power, (u8)11);
+- ofdm_power = min(ofdm_power, (u8)35);
++ if (ofdm_power > (u8)15)
++ ofdm_power = 25;
++ else
++ ofdm_power += 10;
+
+ rtl818x_iowrite8(priv, &priv->map->TX_GAIN_CCK,
+ rtl8225_tx_gain_cck_ofdm[cck_power / 6] >> 1);
+@@ -540,7 +543,10 @@ static void rtl8225z2_rf_set_tx_power(st
+ cck_power += priv->txpwr_base & 0xF;
+ cck_power = min(cck_power, (u8)35);
+
+- ofdm_power = min(ofdm_power, (u8)15);
++ if (ofdm_power > (u8)15)
++ ofdm_power = 25;
++ else
++ ofdm_power += 10;
+ ofdm_power += priv->txpwr_base >> 4;
+ ofdm_power = min(ofdm_power, (u8)35);
+
libata-pata_via-support-vx855-future-chips-whose-ide-controller-use-0x0571.patch
serial_8250-support-for-sealevel-systems-model-7803-comm-8.patch
drm-stash-agp-include-under-the-do-we-have-agp-ifdef.patch
+fix-oops-in-mmap_region-when-merging-adjacent-vm_locked-file-segments.patch
+bnx2x-block-nvram-access-when-the-device-is-inactive.patch
+ext3-add-sanity-check-to-make_indexed_dir.patch
+rtl8187-fix-error-in-setting-ofdm-power-settings-for-rtl8187l.patch
+epoll-drop-max_user_instances-and-rely-only-on-max_user_watches.patch
+gpiolib-fix-request-related-issue.patch
+sgi-xpc-remove-null-pointer-dereference.patch
+sgi-xpc-ensure-flags-are-updated-before-bte_copy.patch
+include-linux-add-bsg.h-to-the-kernel-exported-headers.patch
+alsa-hda-fix-pcm-reference-nid-for-stac-idt-analog-outputs.patch
+alsa-hda-add-another-macbook-pro-4-1-subsystem-id.patch
+alsa-hda-add-quirk-for-hp-dv6700-laptop.patch
+crypto-authenc-fix-zero-length-iv-crash.patch
+crypto-ccm-fix-handling-of-null-assoc-data.patch
+fix_reserve_memtype_1MB.patch
+x86-pat-fix-pte-corruption-issue-while-mapping-ram-using-dev-mem.patch
+pci-hotplug-fix-lock-imbalance-in-pciehp.patch
+dmaengine-fix-dependency-chaining.patch
+net-net_namespace-fix-lock-imbalance.patch
+relay-fix-lock-imbalance-in-relay_late_setup_files.patch
--- /dev/null
+From 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Thu, 29 Jan 2009 14:25:06 -0800
+Subject: sgi-xpc: ensure flags are updated before bte_copy
+
+From: Robin Holt <holt@sgi.com>
+
+commit 69b3bb65fa97a1e8563518dbbc35cd57beefb2d4 upstream.
+
+The clearing of the msg->flags needs a barrier between it and the notify
+of the channel threads that the messages are cleaned and ready for use.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Dean Nelson <dcn@sgi.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sgi-xp/xpc_sn2.c | 9 +++++----
+ drivers/misc/sgi-xp/xpc_uv.c | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_sn2.c
++++ b/drivers/misc/sgi-xp/xpc_sn2.c
+@@ -1841,6 +1841,7 @@ xpc_process_msg_chctl_flags_sn2(struct x
+ */
+ xpc_clear_remote_msgqueue_flags_sn2(ch);
+
++ smp_wmb(); /* ensure flags have been cleared before bte_copy */
+ ch_sn2->w_remote_GP.put = ch_sn2->remote_GP.put;
+
+ dev_dbg(xpc_chan, "w_remote_GP.put changed to %ld, partid=%d, "
+@@ -1939,7 +1940,7 @@ xpc_get_deliverable_payload_sn2(struct x
+ break;
+
+ get = ch_sn2->w_local_GP.get;
+- rmb(); /* guarantee that .get loads before .put */
++ smp_rmb(); /* guarantee that .get loads before .put */
+ if (get == ch_sn2->w_remote_GP.put)
+ break;
+
+@@ -2060,7 +2061,7 @@ xpc_allocate_msg_sn2(struct xpc_channel
+ while (1) {
+
+ put = ch_sn2->w_local_GP.put;
+- rmb(); /* guarantee that .put loads before .get */
++ smp_rmb(); /* guarantee that .put loads before .get */
+ if (put - ch_sn2->w_remote_GP.get < ch->local_nentries) {
+
+ /* There are available message entries. We need to try
+@@ -2193,7 +2194,7 @@ xpc_send_payload_sn2(struct xpc_channel
+ * The preceding store of msg->flags must occur before the following
+ * load of local_GP->put.
+ */
+- mb();
++ smp_mb();
+
+ /* see if the message is next in line to be sent, if so send it */
+
+@@ -2294,7 +2295,7 @@ xpc_received_payload_sn2(struct xpc_chan
+ * The preceding store of msg->flags must occur before the following
+ * load of local_GP->get.
+ */
+- mb();
++ smp_mb();
+
+ /*
+ * See if this message is next in line to be acknowledged as having
+--- a/drivers/misc/sgi-xp/xpc_uv.c
++++ b/drivers/misc/sgi-xp/xpc_uv.c
+@@ -1238,7 +1238,7 @@ xpc_send_payload_uv(struct xpc_channel *
+ atomic_inc(&ch->n_to_notify);
+
+ msg_slot->key = key;
+- wmb(); /* a non-NULL func must hit memory after the key */
++ smp_wmb(); /* a non-NULL func must hit memory after the key */
+ msg_slot->func = func;
+
+ if (ch->flags & XPC_C_DISCONNECTING) {
--- /dev/null
+From 17e2161654da4e6bdfd8d53d4f52e820ee93f423 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Thu, 29 Jan 2009 14:25:07 -0800
+Subject: sgi-xpc: Remove NULL pointer dereference.
+
+From: Robin Holt <holt@sgi.com>
+
+commit 17e2161654da4e6bdfd8d53d4f52e820ee93f423 upstream.
+
+If the bte copy fails, the attempt to retrieve payloads merely returns a
+null pointer deref and not NULL as was expected.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Dean Nelson <dcn@sgi.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sgi-xp/xpc_sn2.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_sn2.c
++++ b/drivers/misc/sgi-xp/xpc_sn2.c
+@@ -1961,11 +1961,13 @@ xpc_get_deliverable_payload_sn2(struct x
+
+ msg = xpc_pull_remote_msg_sn2(ch, get);
+
+- DBUG_ON(msg != NULL && msg->number != get);
+- DBUG_ON(msg != NULL && (msg->flags & XPC_M_SN2_DONE));
+- DBUG_ON(msg != NULL && !(msg->flags & XPC_M_SN2_READY));
++ if (msg != NULL) {
++ DBUG_ON(msg->number != get);
++ DBUG_ON(msg->flags & XPC_M_SN2_DONE);
++ DBUG_ON(!(msg->flags & XPC_M_SN2_READY));
+
+- payload = &msg->payload;
++ payload = &msg->payload;
++ }
+ break;
+ }
+
--- /dev/null
+From suresh.b.siddha@intel.com Fri Jan 30 17:39:50 2009
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+Date: Wed, 28 Jan 2009 16:51:53 -0800
+Subject: x86, pat: fix PTE corruption issue while mapping RAM using /dev/mem
+To: greg@kroah.com
+Cc: stable@kernel.org, Suresh Siddha <suresh.b.siddha@intel.com>, Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>, Ingo Molnar <mingo@elte.hu>, Daniel.Beschorner@facton.com, pageexec@freemail.hu
+Message-ID: <20090129005329.064526000@intel.com>
+
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+
+commit 9597134218300c045cf219be3664615e97cb239c upstream.
+
+Beschorner Daniel reported:
+> hwinfo problem since 2.6.28, showing this in the oops:
+> Corrupted page table at address 7fd04de3ec00
+
+Also, PaX Team reported a regression with this commit:
+
+> commit 9542ada803198e6eba29d3289abb39ea82047b92
+> Author: Suresh Siddha <suresh.b.siddha@intel.com>
+> Date: Wed Sep 24 08:53:33 2008 -0700
+>
+> x86: track memtype for RAM in page struct
+
+This commit breaks mapping any RAM page through /dev/mem, as the
+reserve_memtype() was not initializing the return attribute type and as such
+corrupting the PTE entry that was setup with the return attribute type.
+
+Because of this bug, application mapping this RAM page through /dev/mem
+will die with "Corrupted page table at address xxxx" message in the kernel
+log and also the kernel identity mapping which maps the underlying RAM
+page gets converted to UC.
+
+Fix this by initializing the return attribute type before calling
+reserve_ram_pages_type()
+
+Reported-by: PaX Team <pageexec@freemail.hu>
+Reported-and-tested-by: Beschorner Daniel <Daniel.Beschorner@facton.com>
+Tested-and-Acked-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/mm/pat.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -333,6 +333,9 @@ int reserve_memtype(u64 start, u64 end,
+ req_type & _PAGE_CACHE_MASK);
+ }
+
++ if (new_type)
++ *new_type = actual_type
++
+ /*
+ * For legacy reasons, some parts of the physical address range in the
+ * legacy 1MB region is treated as non-RAM (even when listed as RAM in
+@@ -356,9 +359,6 @@ int reserve_memtype(u64 start, u64 end,
+ new->end = end;
+ new->type = actual_type;
+
+- if (new_type)
+- *new_type = actual_type;
+-
+ spin_lock(&memtype_lock);
+
+ if (cached_entry && start >= cached_start)
projects / thirdparty / kernel / stable-queue.git / commitdiff
