--- /dev/null
+From 497fb54f578efd2b479727bc88d5ef942c0a1e2d Mon Sep 17 00:00:00 2001
+From: Rafael J. Wysocki <rjw@sisk.pl>
+Date: Tue, 13 Oct 2009 01:01:57 +0200
+Subject: ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2)
+
+From: Rafael J. Wysocki <rjw@sisk.pl>
+
+commit 497fb54f578efd2b479727bc88d5ef942c0a1e2d upstream.
+
+acpi_get_pci_dev() may be called for a non-PCI device, in which case
+it should return NULL. However, it assumes that every handle it
+finds in the ACPI CA name space, between given device handle and the
+PCI root bridge handle, corresponds to a PCI-to-PCI bridge with an
+existing secondary bus. For this reason, when it finds a struct
+pci_dev object corresponding to one of them, it doesn't check if
+its 'subordinate' field is a valid pointer. This obviously leads to
+a NULL pointer dereference if acpi_get_pci_dev() is called for a
+non-PCI device with a PCI parent which is not a bridge.
+
+To fix this issue make acpi_get_pci_dev() check if pdev->subordinate
+is not NULL for every device it finds on the path between the root
+bridge and the device it's supposed to get to and return NULL if the
+"target" device cannot be found.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=14129
+(worked in 2.6.30, regression in 2.6.31)
+
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Reported-by: Danny Feng <dfeng@redhat.com>
+Reviewed-by: Alex Chiang <achiang@hp.com>
+Tested-by: chepioq <chepioq@gmail.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/pci_root.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/acpi/pci_root.c
++++ b/drivers/acpi/pci_root.c
+@@ -400,6 +400,17 @@ struct pci_dev *acpi_get_pci_dev(acpi_ha
+
+ pbus = pdev->subordinate;
+ pci_dev_put(pdev);
++
++ /*
++ * This function may be called for a non-PCI device that has a
++ * PCI parent (eg. a disk under a PCI SATA controller). In that
++ * case pdev->subordinate will be NULL for the parent.
++ */
++ if (!pbus) {
++ dev_dbg(&pdev->dev, "Not a PCI-to-PCI bridge\n");
++ pdev = NULL;
++ break;
++ }
+ }
+ out:
+ list_for_each_entry_safe(node, tmp, &device_list, node)
--- /dev/null
+From 38d8a95621b20ed7868e232a35a26ee61bdcae6f Mon Sep 17 00:00:00 2001
+From: Fabian Henze <hoacha@quantentunnel.de>
+Date: Tue, 8 Sep 2009 00:59:58 +0800
+Subject: agp/intel: Add B43 chipset support
+
+From: Fabian Henze <hoacha@quantentunnel.de>
+
+commit 38d8a95621b20ed7868e232a35a26ee61bdcae6f upstream.
+
+Signed-off-by: Fabian Henze <hoacha@quantentunnel.de>
+[Fix reversed HB & IG ids for B43]
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/agp/intel-agp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/char/agp/intel-agp.c
++++ b/drivers/char/agp/intel-agp.c
+@@ -36,6 +36,8 @@
+ #define PCI_DEVICE_ID_INTEL_Q35_IG 0x29B2
+ #define PCI_DEVICE_ID_INTEL_Q33_HB 0x29D0
+ #define PCI_DEVICE_ID_INTEL_Q33_IG 0x29D2
++#define PCI_DEVICE_ID_INTEL_B43_HB 0x2E40
++#define PCI_DEVICE_ID_INTEL_B43_IG 0x2E42
+ #define PCI_DEVICE_ID_INTEL_GM45_HB 0x2A40
+ #define PCI_DEVICE_ID_INTEL_GM45_IG 0x2A42
+ #define PCI_DEVICE_ID_INTEL_IGD_E_HB 0x2E00
+@@ -81,6 +83,7 @@
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G45_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_GM45_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G41_HB || \
++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_B43_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_IGDNG_D_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_IGDNG_M_HB || \
+ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_IGDNG_MA_HB)
+@@ -1232,6 +1235,7 @@ static void intel_i965_get_gtt_range(int
+ case PCI_DEVICE_ID_INTEL_Q45_HB:
+ case PCI_DEVICE_ID_INTEL_G45_HB:
+ case PCI_DEVICE_ID_INTEL_G41_HB:
++ case PCI_DEVICE_ID_INTEL_B43_HB:
+ case PCI_DEVICE_ID_INTEL_IGDNG_D_HB:
+ case PCI_DEVICE_ID_INTEL_IGDNG_M_HB:
+ case PCI_DEVICE_ID_INTEL_IGDNG_MA_HB:
+@@ -2208,6 +2212,8 @@ static const struct intel_driver_descrip
+ "Q45/Q43", NULL, &intel_i965_driver },
+ { PCI_DEVICE_ID_INTEL_G45_HB, PCI_DEVICE_ID_INTEL_G45_IG, 0,
+ "G45/G43", NULL, &intel_i965_driver },
++ { PCI_DEVICE_ID_INTEL_B43_HB, PCI_DEVICE_ID_INTEL_B43_IG, 0,
++ "B43", NULL, &intel_i965_driver },
+ { PCI_DEVICE_ID_INTEL_G41_HB, PCI_DEVICE_ID_INTEL_G41_IG, 0,
+ "G41", NULL, &intel_i965_driver },
+ { PCI_DEVICE_ID_INTEL_IGDNG_D_HB, PCI_DEVICE_ID_INTEL_IGDNG_D_IG, 0,
+@@ -2408,6 +2414,7 @@ static struct pci_device_id agp_intel_pc
+ ID(PCI_DEVICE_ID_INTEL_Q45_HB),
+ ID(PCI_DEVICE_ID_INTEL_G45_HB),
+ ID(PCI_DEVICE_ID_INTEL_G41_HB),
++ ID(PCI_DEVICE_ID_INTEL_B43_HB),
+ ID(PCI_DEVICE_ID_INTEL_IGDNG_D_HB),
+ ID(PCI_DEVICE_ID_INTEL_IGDNG_M_HB),
+ ID(PCI_DEVICE_ID_INTEL_IGDNG_MA_HB),
--- /dev/null
+From de078ef55c74d02ee93d44513da5ee88a089d71d Mon Sep 17 00:00:00 2001
+From: Sam Ravnborg <sam@ravnborg.org>
+Date: Fri, 25 Sep 2009 19:53:43 +0200
+Subject: alpha: fix build after vmlinux.lds.S cleanup
+
+From: Sam Ravnborg <sam@ravnborg.org>
+
+commit de078ef55c74d02ee93d44513da5ee88a089d71d upstream.
+
+Add include to get missing THREAD_SIZE definition
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: Tim Abbott <tabbott@ksplice.com>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/alpha/kernel/vmlinux.lds.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/alpha/kernel/vmlinux.lds.S
++++ b/arch/alpha/kernel/vmlinux.lds.S
+@@ -1,4 +1,5 @@
+ #include <asm-generic/vmlinux.lds.h>
++#include <asm/thread_info.h>
+ #include <asm/page.h>
+
+ OUTPUT_FORMAT("elf64-alpha")
--- /dev/null
+From d50bae33d1358b909ade05ae121d83d3a60ab63f Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Fri, 16 Oct 2009 10:18:09 -0500
+Subject: b43: Fix Bugzilla #14181 and the bug from the previous 'fix'
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream.
+
+"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
+in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
+radio switch was turned off, it was necessary to unload and reload
+the driver for it to recognize the switch again.
+
+This patch fixes both the original bug in #14181 and the bug introduced by
+the previous patch. It must be stated, however, that if there is a BCM4306/3
+with an rfkill switch (not yet proven), then the driver will need an
+unload/reload cycle to turn the device back on.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43/rfkill.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/rfkill.c
++++ b/drivers/net/wireless/b43/rfkill.c
+@@ -33,7 +33,8 @@ bool b43_is_hw_radio_enabled(struct b43_
+ & B43_MMIO_RADIO_HWENABLED_HI_MASK))
+ return 1;
+ } else {
+- if (b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
++ if (b43_status(dev) >= B43_STAT_STARTED &&
++ b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
+ & B43_MMIO_RADIO_HWENABLED_LO_MASK)
+ return 1;
+ }
--- /dev/null
+From 8347a5cdd1422eea0470ed586274c7f29e274b47 Mon Sep 17 00:00:00 2001
+From: Steve French <sfrench@us.ibm.com>
+Date: Tue, 6 Oct 2009 18:31:29 +0000
+Subject: CIFS: Fixing to avoid invalid kfree() in cifs_get_tcp_session()
+
+From: Steve French <sfrench@us.ibm.com>
+
+commit 8347a5cdd1422eea0470ed586274c7f29e274b47 upstream.
+
+trivial bug in fs/cifs/connect.c .
+The bug is caused by fail of extract_hostname()
+when mounting cifs file system.
+
+This is the situation when I noticed this bug.
+
+% sudo mount -t cifs //192.168.10.208 mountpoint -o options...
+
+Then my kernel says,
+
+[ 1461.807776] ------------[ cut here ]------------
+[ 1461.807781] kernel BUG at mm/slab.c:521!
+[ 1461.807784] invalid opcode: 0000 [#2] PREEMPT SMP
+[ 1461.807790] last sysfs file:
+/sys/devices/pci0000:00/0000:00:1e.0/0000:09:02.0/resource
+[ 1461.807793] CPU 0
+[ 1461.807796] Modules linked in: nls_iso8859_1 usbhid sbp2 uhci_hcd
+ehci_hcd i2c_i801 ohci1394 ieee1394 psmouse serio_raw pcspkr sky2 usbcore
+evdev
+[ 1461.807816] Pid: 3446, comm: mount Tainted: G D 2.6.32-rc2-vanilla
+[ 1461.807820] RIP: 0010:[<ffffffff810b888e>] [<ffffffff810b888e>]
+kfree+0x63/0x156
+[ 1461.807829] RSP: 0018:ffff8800b4f7fbb8 EFLAGS: 00010046
+[ 1461.807832] RAX: ffffea00033fff98 RBX: ffff8800afbae7e2 RCX:
+0000000000000000
+[ 1461.807836] RDX: ffffea0000000000 RSI: 000000000000005c RDI:
+ffffffffffffffea
+[ 1461.807839] RBP: ffff8800b4f7fbf8 R08: 0000000000000001 R09:
+0000000000000000
+[ 1461.807842] R10: 0000000000000000 R11: ffff8800b4f7fbf8 R12:
+00000000ffffffea
+[ 1461.807845] R13: ffff8800afb23000 R14: ffff8800b4f87bc0 R15:
+ffffffffffffffea
+[ 1461.807849] FS: 00007f52b6f187c0(0000) GS:ffff880007600000(0000)
+knlGS:0000000000000000
+[ 1461.807852] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 1461.807855] CR2: 0000000000613000 CR3: 00000000af8f9000 CR4:
+00000000000006f0
+[ 1461.807858] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 1461.807861] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
+0000000000000400
+[ 1461.807865] Process mount (pid: 3446, threadinfo ffff8800b4f7e000, task
+ffff8800950e4380)
+[ 1461.807867] Stack:
+[ 1461.807869] 0000000000000202 0000000000000282 ffff8800b4f7fbf8
+ffff8800afbae7e2
+[ 1461.807876] <0> 00000000ffffffea ffff8800afb23000 ffff8800b4f87bc0
+ffff8800b4f7fc28
+[ 1461.807884] <0> ffff8800b4f7fcd8 ffffffff81159f6d ffffffff81147bc2
+ffffffff816bfb48
+[ 1461.807892] Call Trace:
+[ 1461.807899] [<ffffffff81159f6d>] cifs_get_tcp_session+0x440/0x44b
+[ 1461.807904] [<ffffffff81147bc2>] ? find_nls+0x1c/0xe9
+[ 1461.807909] [<ffffffff8115b889>] cifs_mount+0x16bc/0x2167
+[ 1461.807917] [<ffffffff814455bd>] ? _spin_unlock+0x30/0x4b
+[ 1461.807923] [<ffffffff81150da9>] cifs_get_sb+0xa5/0x1a8
+[ 1461.807928] [<ffffffff810c1b94>] vfs_kern_mount+0x56/0xc9
+[ 1461.807933] [<ffffffff810c1c64>] do_kern_mount+0x47/0xe7
+[ 1461.807938] [<ffffffff810d8632>] do_mount+0x712/0x775
+[ 1461.807943] [<ffffffff810d671f>] ? copy_mount_options+0xcf/0x132
+[ 1461.807948] [<ffffffff810d8714>] sys_mount+0x7f/0xbf
+[ 1461.807953] [<ffffffff8144509a>] ? lockdep_sys_exit_thunk+0x35/0x67
+[ 1461.807960] [<ffffffff81011cc2>] system_call_fastpath+0x16/0x1b
+[ 1461.807963] Code: 00 00 00 00 ea ff ff 48 c1 e8 0c 48 6b c0 68 48 01 d0
+66 83 38 00 79 04 48 8b 40 10 66 83 38 00 79 04 48 8b 40 10 80 38 00 78 04
+<0f> 0b eb fe 4c 8b 70 58 4c 89 ff 41 8b 76 4c e8 b8 49 fb ff e8
+[ 1461.808022] RIP [<ffffffff810b888e>] kfree+0x63/0x156
+[ 1461.808027] RSP <ffff8800b4f7fbb8>
+[ 1461.808031] ---[ end trace ffe26fcdc72c0ce4 ]---
+
+The reason of this bug is that the error handling code of
+cifs_get_tcp_session()
+calls kfree() when corresponding kmalloc() failed.
+(The kmalloc() is called by extract_hostname().)
+
+Signed-off-by: Hitoshi Mitake <mitake@dcl.info.waseda.ac.jp>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1556,7 +1556,8 @@ cifs_get_tcp_session(struct smb_vol *vol
+
+ out_err:
+ if (tcp_ses) {
+- kfree(tcp_ses->hostname);
++ if (!IS_ERR(tcp_ses->hostname))
++ kfree(tcp_ses->hostname);
+ if (tcp_ses->ssocket)
+ sock_release(tcp_ses->ssocket);
+ kfree(tcp_ses);
--- /dev/null
+From 246eb7f0ed1a8aeddec5313137767658f378949b Mon Sep 17 00:00:00 2001
+From: Kevin Hilman <khilman@deeprootsystems.com>
+Date: Mon, 26 Oct 2009 16:50:18 -0700
+Subject: cpuidle: always return with interrupts enabled
+
+From: Kevin Hilman <khilman@deeprootsystems.com>
+
+commit 246eb7f0ed1a8aeddec5313137767658f378949b upstream.
+
+In the case where cpuidle_idle_call() returns before changing state due to
+a need_resched(), it was returning with IRQs disabled.
+
+The idle path assumes that the platform specific idle code returns with
+interrupts enabled (although this too is undocumented AFAICT) and on ARM
+we have a WARN_ON(!(irqs_disabled()) when returning from the idle loop, so
+the user-visible effects were only a warning since interrupts were
+eventually re-enabled later.
+
+On x86, this same problem exists, but there is no WARN_ON() to detect it.
+As on ARM, the interrupts are eventually re-enabled, so I'm not sure of
+any actual bugs triggered by this. It's primarily a
+correctness/consistency fix.
+
+This patch ensures IRQs are (re)enabled before returning.
+
+Reported-by: Hemanth V <hemanthv@ti.com>
+Signed-off-by: Kevin Hilman <khilman@deeprootsystems.com>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Len Brown <len.brown@intel.com>
+Cc: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
+Tested-by: Martin Michlmayr <tbm@cyrius.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/cpuidle/cpuidle.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpuidle/cpuidle.c
++++ b/drivers/cpuidle/cpuidle.c
+@@ -75,8 +75,11 @@ static void cpuidle_idle_call(void)
+ #endif
+ /* ask the governor for the next state */
+ next_state = cpuidle_curr_governor->select(dev);
+- if (need_resched())
++ if (need_resched()) {
++ local_irq_enable();
+ return;
++ }
++
+ target_state = &dev->states[next_state];
+
+ /* enter the state and update stats */
--- /dev/null
+From 7839c5d5519b6d9e2ccf3cdbf1c39e3817ad0835 Mon Sep 17 00:00:00 2001
+From: Fabian Henze <hoacha@quantentunnel.de>
+Date: Tue, 8 Sep 2009 00:59:59 +0800
+Subject: drm/i915: add B43 chipset support
+
+From: Fabian Henze <hoacha@quantentunnel.de>
+
+commit 7839c5d5519b6d9e2ccf3cdbf1c39e3817ad0835 upstream.
+
+Signed-off-by: Fabian Henze <hoacha@quantentunnel.de>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_drv.h | 2 ++
+ include/drm/drm_pciids.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -854,6 +854,7 @@ extern int i915_wait_ring(struct drm_dev
+ (dev)->pci_device == 0x2E12 || \
+ (dev)->pci_device == 0x2E22 || \
+ (dev)->pci_device == 0x2E32 || \
++ (dev)->pci_device == 0x2E42 || \
+ (dev)->pci_device == 0x0042 || \
+ (dev)->pci_device == 0x0046)
+
+@@ -866,6 +867,7 @@ extern int i915_wait_ring(struct drm_dev
+ (dev)->pci_device == 0x2E12 || \
+ (dev)->pci_device == 0x2E22 || \
+ (dev)->pci_device == 0x2E32 || \
++ (dev)->pci_device == 0x2E42 || \
+ IS_GM45(dev))
+
+ #define IS_IGDG(dev) ((dev)->pci_device == 0xa001)
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -552,6 +552,7 @@
+ {0x8086, 0x2e12, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
+ {0x8086, 0x2e22, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
+ {0x8086, 0x2e32, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
++ {0x8086, 0x2e42, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
+ {0x8086, 0xa001, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
+ {0x8086, 0xa011, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
+ {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
--- /dev/null
+From 58a27471d00dc09945cbcfbbc5cbcdcd3c28211d Mon Sep 17 00:00:00 2001
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+Date: Fri, 25 Sep 2009 08:01:28 +0000
+Subject: drm/i915: Fix FDI M/N setting according with correct color depth
+
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+
+commit 58a27471d00dc09945cbcfbbc5cbcdcd3c28211d upstream.
+
+FDI M/N calculation hasn't taken the current pipe color depth into account,
+but always set as 24bpp. This one checks current pipe color depth setting,
+and change FDI M/N calculation a little to use bits_per_pixel first, then
+convert to bytes_per_pixel later.
+
+This fixes display corrupt issue on Arrandle LVDS with 1600x900 panel
+in 18bpp dual-channel mode.
+
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_reg.h | 5 +++++
+ drivers/gpu/drm/i915/intel_display.c | 31 +++++++++++++++++++++++++++----
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -1616,6 +1616,11 @@
+ #define PIPE_START_VBLANK_INTERRUPT_STATUS (1UL<<2) /* 965 or later */
+ #define PIPE_VBLANK_INTERRUPT_STATUS (1UL<<1)
+ #define PIPE_OVERLAY_UPDATED_STATUS (1UL<<0)
++#define PIPE_BPC_MASK (7 << 5) /* Ironlake */
++#define PIPE_8BPC (0 << 5)
++#define PIPE_10BPC (1 << 5)
++#define PIPE_6BPC (2 << 5)
++#define PIPE_12BPC (3 << 5)
+
+ #define DSPARB 0x70030
+ #define DSPARB_CSTART_MASK (0x7f << 7)
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -1764,7 +1764,7 @@ fdi_reduce_ratio(u32 *num, u32 *den)
+ #define LINK_N 0x80000
+
+ static void
+-igdng_compute_m_n(int bytes_per_pixel, int nlanes,
++igdng_compute_m_n(int bits_per_pixel, int nlanes,
+ int pixel_clock, int link_clock,
+ struct fdi_m_n *m_n)
+ {
+@@ -1774,7 +1774,8 @@ igdng_compute_m_n(int bytes_per_pixel, i
+
+ temp = (u64) DATA_N * pixel_clock;
+ temp = div_u64(temp, link_clock);
+- m_n->gmch_m = div_u64(temp * bytes_per_pixel, nlanes);
++ m_n->gmch_m = div_u64(temp * bits_per_pixel, nlanes);
++ m_n->gmch_m >>= 3; /* convert to bytes_per_pixel */
+ m_n->gmch_n = DATA_N;
+ fdi_reduce_ratio(&m_n->gmch_m, &m_n->gmch_n);
+
+@@ -2396,7 +2397,7 @@ static int intel_crtc_mode_set(struct dr
+
+ /* FDI link */
+ if (IS_IGDNG(dev)) {
+- int lane, link_bw;
++ int lane, link_bw, bpp;
+ /* eDP doesn't require FDI link, so just set DP M/N
+ according to current link config */
+ if (is_edp) {
+@@ -2415,7 +2416,29 @@ static int intel_crtc_mode_set(struct dr
+ lane = 4;
+ link_bw = 270000;
+ }
+- igdng_compute_m_n(3, lane, target_clock,
++
++ /* determine panel color depth */
++ temp = I915_READ(pipeconf_reg);
++
++ switch (temp & PIPE_BPC_MASK) {
++ case PIPE_8BPC:
++ bpp = 24;
++ break;
++ case PIPE_10BPC:
++ bpp = 30;
++ break;
++ case PIPE_6BPC:
++ bpp = 18;
++ break;
++ case PIPE_12BPC:
++ bpp = 36;
++ break;
++ default:
++ DRM_ERROR("unknown pipe bpc value\n");
++ bpp = 24;
++ }
++
++ igdng_compute_m_n(bpp, lane, target_clock,
+ link_bw, &m_n);
+ }
+
--- /dev/null
+From b1f60b7029989da71fd8ea1b1176480fac9e846c Mon Sep 17 00:00:00 2001
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+Date: Mon, 19 Oct 2009 15:43:49 +0800
+Subject: drm/i915: fix panel fitting filter coefficient select for Ironlake
+
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+
+commit b1f60b7029989da71fd8ea1b1176480fac9e846c upstream.
+
+Must set filter selection as hardcoded coefficients for medium 3x3
+filtering, which matches vbios setting for Ironlake.
+
+This fixes display corrupt issue on HP arrandale with new vbios.
+
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_reg.h | 5 +++++
+ drivers/gpu/drm/i915/intel_display.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -1871,6 +1871,11 @@
+ #define PFA_CTL_1 0x68080
+ #define PFB_CTL_1 0x68880
+ #define PF_ENABLE (1<<31)
++#define PF_FILTER_MASK (3<<23)
++#define PF_FILTER_PROGRAMMED (0<<23)
++#define PF_FILTER_MED_3x3 (1<<23)
++#define PF_FILTER_EDGE_ENHANCE (2<<23)
++#define PF_FILTER_EDGE_SOFTEN (3<<23)
+ #define PFA_WIN_SZ 0x68074
+ #define PFB_WIN_SZ 0x68874
+ #define PFA_WIN_POS 0x68070
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -1213,7 +1213,7 @@ static void igdng_crtc_dpms(struct drm_c
+ /* Enable panel fitting for LVDS */
+ if (intel_pipe_has_type(crtc, INTEL_OUTPUT_LVDS)) {
+ temp = I915_READ(pf_ctl_reg);
+- I915_WRITE(pf_ctl_reg, temp | PF_ENABLE);
++ I915_WRITE(pf_ctl_reg, temp | PF_ENABLE | PF_FILTER_MED_3x3);
+
+ /* currently full aspect */
+ I915_WRITE(pf_win_pos, 0);
--- /dev/null
+From c038e51e841581cc3fb9a76e5e16331331e9c85c Mon Sep 17 00:00:00 2001
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+Date: Mon, 19 Oct 2009 15:43:48 +0800
+Subject: drm/i915: fix to setup display reference clock control on Ironlake
+
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+
+commit c038e51e841581cc3fb9a76e5e16331331e9c85c upstream.
+
+For new stepping of PCH, the display reference clock
+is fully under driver's control. This one trys to setup
+all needed reference clock for different outputs. Older
+stepping of PCH chipset should be ignoring this.
+
+This fixes output failure issue on newer PCH which requires
+driver to take control of reference clock enabling.
+
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_reg.h | 4 +--
+ drivers/gpu/drm/i915/intel_display.c | 40 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -1990,11 +1990,11 @@
+ #define DREF_CPU_SOURCE_OUTPUT_MASK (3<<13)
+ #define DREF_SSC_SOURCE_DISABLE (0<<11)
+ #define DREF_SSC_SOURCE_ENABLE (2<<11)
+-#define DREF_SSC_SOURCE_MASK (2<<11)
++#define DREF_SSC_SOURCE_MASK (3<<11)
+ #define DREF_NONSPREAD_SOURCE_DISABLE (0<<9)
+ #define DREF_NONSPREAD_CK505_ENABLE (1<<9)
+ #define DREF_NONSPREAD_SOURCE_ENABLE (2<<9)
+-#define DREF_NONSPREAD_SOURCE_MASK (2<<9)
++#define DREF_NONSPREAD_SOURCE_MASK (3<<9)
+ #define DREF_SUPERSPREAD_SOURCE_DISABLE (0<<7)
+ #define DREF_SUPERSPREAD_SOURCE_ENABLE (2<<7)
+ #define DREF_SSC4_DOWNSPREAD (0<<6)
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -2442,6 +2442,46 @@ static int intel_crtc_mode_set(struct dr
+ link_bw, &m_n);
+ }
+
++ /* Ironlake: try to setup display ref clock before DPLL
++ * enabling. This is only under driver's control after
++ * PCH B stepping, previous chipset stepping should be
++ * ignoring this setting.
++ */
++ if (IS_IGDNG(dev)) {
++ temp = I915_READ(PCH_DREF_CONTROL);
++ /* Always enable nonspread source */
++ temp &= ~DREF_NONSPREAD_SOURCE_MASK;
++ temp |= DREF_NONSPREAD_SOURCE_ENABLE;
++ I915_WRITE(PCH_DREF_CONTROL, temp);
++ POSTING_READ(PCH_DREF_CONTROL);
++
++ temp &= ~DREF_SSC_SOURCE_MASK;
++ temp |= DREF_SSC_SOURCE_ENABLE;
++ I915_WRITE(PCH_DREF_CONTROL, temp);
++ POSTING_READ(PCH_DREF_CONTROL);
++
++ udelay(200);
++
++ if (is_edp) {
++ if (dev_priv->lvds_use_ssc) {
++ temp |= DREF_SSC1_ENABLE;
++ I915_WRITE(PCH_DREF_CONTROL, temp);
++ POSTING_READ(PCH_DREF_CONTROL);
++
++ udelay(200);
++
++ temp &= ~DREF_CPU_SOURCE_OUTPUT_MASK;
++ temp |= DREF_CPU_SOURCE_OUTPUT_DOWNSPREAD;
++ I915_WRITE(PCH_DREF_CONTROL, temp);
++ POSTING_READ(PCH_DREF_CONTROL);
++ } else {
++ temp |= DREF_CPU_SOURCE_OUTPUT_NONSPREAD;
++ I915_WRITE(PCH_DREF_CONTROL, temp);
++ POSTING_READ(PCH_DREF_CONTROL);
++ }
++ }
++ }
++
+ if (IS_IGD(dev))
+ fp = (1 << clock.n) << 16 | clock.m1 << 8 | clock.m2;
+ else
--- /dev/null
+From 9f0d793b52eb2266359661369ef6303838904855 Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Fri, 11 Sep 2009 13:03:19 -0400
+Subject: fsnotify: do not set group for a mark before it is on the i_list
+
+From: Eric Paris <eparis@redhat.com>
+
+commit 9f0d793b52eb2266359661369ef6303838904855 upstream.
+
+fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
+set the group and inode for the mark. fsnotify_destroy_mark_by_entry uses
+the fact that ->group != NULL to know if this group should be destroyed or
+if it's already been done.
+
+But fsnotify_add_mark sets the group and inode before it actually adds the
+mark to the i_list and g_list. This can result in a race in inotify, it
+requires 3 threads.
+
+sys_inotify_add_watch("file") sys_inotify_add_watch("file") sys_inotify_rm_watch([a])
+inotify_update_watch()
+inotify_new_watch()
+inotify_add_to_idr()
+ ^--- returns wd = [a]
+ inotfiy_update_watch()
+ inotify_new_watch()
+ inotify_add_to_idr()
+ fsnotify_add_mark()
+ ^--- returns wd = [b]
+ returns to userspace;
+ inotify_idr_find([a])
+ ^--- gives us the pointer from task 1
+fsnotify_add_mark()
+ ^--- this is going to set the mark->group and mark->inode fields, but will
+return -EEXIST because of the race with [b].
+ fsnotify_destroy_mark()
+ ^--- since ->group != NULL we call back
+ into inotify_freeing_mark() which calls
+ inotify_remove_from_idr([a])
+
+since fsnotify_add_mark() failed we call:
+inotify_remove_from_idr([a]) <------WHOOPS it's not in the idr, this could
+ have been any entry added later!
+
+The fix is to make sure we don't set mark->group until we are sure the mark is
+on the inode and fsnotify_add_mark will return success.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/notify/inode_mark.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/notify/inode_mark.c
++++ b/fs/notify/inode_mark.c
+@@ -324,11 +324,11 @@ int fsnotify_add_mark(struct fsnotify_ma
+ spin_lock(&group->mark_lock);
+ spin_lock(&inode->i_lock);
+
+- entry->group = group;
+- entry->inode = inode;
+-
+ lentry = fsnotify_find_mark_entry(group, inode);
+ if (!lentry) {
++ entry->group = group;
++ entry->inode = inode;
++
+ hlist_add_head(&entry->i_list, &inode->i_fsnotify_mark_entries);
+ list_add(&entry->g_list, &group->mark_entries);
+
--- /dev/null
+From 0bd87182d3ab18a32a8e9175d3f68754c58e3432 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jens.axboe@oracle.com>
+Date: Tue, 3 Nov 2009 11:40:44 +0100
+Subject: fuse: fix kunmap in fuse_ioctl_copy_user
+
+From: Jens Axboe <jens.axboe@oracle.com>
+
+commit 0bd87182d3ab18a32a8e9175d3f68754c58e3432 upstream.
+
+Looks like another victim of the confusing kmap() vs kmap_atomic() API
+differences.
+
+Reported-by: Todor Gyumyushev <yodor1@gmail.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1600,7 +1600,7 @@ static int fuse_ioctl_copy_user(struct p
+ kaddr += copy;
+ }
+
+- kunmap(map);
++ kunmap(page);
+ }
+
+ return 0;
--- /dev/null
+From f60311d5f7670d9539b424e4ed8b5c0872fc9e83 Mon Sep 17 00:00:00 2001
+From: Anand V. Avati <avati@gluster.com>
+Date: Thu, 22 Oct 2009 06:24:52 -0700
+Subject: fuse: prevent fuse_put_request on invalid pointer
+
+From: Anand V. Avati <avati@gluster.com>
+
+commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83 upstream.
+
+fuse_direct_io() has a loop where requests are allocated in each
+iteration. if allocation fails, the loop is broken out and follows
+into an unconditional fuse_put_request() on that invalid pointer.
+
+Signed-off-by: Anand V. Avati <avati@gluster.com>
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/fuse/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1063,7 +1063,8 @@ ssize_t fuse_direct_io(struct file *file
+ break;
+ }
+ }
+- fuse_put_request(fc, req);
++ if (!IS_ERR(req))
++ fuse_put_request(fc, req);
+ if (res > 0)
+ *ppos = pos;
+
--- /dev/null
+From 21279cfa107af07ef985539ac0de2152b9cba5f5 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 15 Oct 2009 10:14:35 +0100
+Subject: KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases
+
+From: David Howells <dhowells@redhat.com>
+
+commit 21279cfa107af07ef985539ac0de2152b9cba5f5 upstream.
+
+The destination keyring specified to request_key() and co. is made available to
+the process that instantiates the key (the slave process started by
+/sbin/request-key typically). This is passed in the request_key_auth struct as
+the dest_keyring member.
+
+keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()
+to get the keyring to attach the newly constructed key to at the end of
+instantiation. This may be given a specific keyring into which a link will be
+made later, or it may be asked to find the keyring passed to request_key(). In
+the former case, it returns a keyring with the refcount incremented by
+lookup_user_key(); in the latter case, it returns the keyring from the
+request_key_auth struct - and does _not_ increment the refcount.
+
+The latter case will eventually result in an oops when the keyring prematurely
+runs out of references and gets destroyed. The effect may take some time to
+show up as the key is destroyed lazily.
+
+To fix this, the keyring returned by get_instantiation_keyring() must always
+have its refcount incremented, no matter where it comes from.
+
+This can be tested by setting /etc/request-key.conf to:
+
+#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
+#====== ======= =============== =============== ===============================
+create * test:* * |/bin/false %u %g %d %{user:_display}
+negate * * * /bin/keyctl negate %k 10 @u
+
+and then doing:
+
+ keyctl add user _display aaaaaaaa @u
+ while keyctl request2 user test:x test:x @u &&
+ keyctl list @u;
+ do
+ keyctl request2 user test:x test:x @u;
+ sleep 31;
+ keyctl list @u;
+ done
+
+which will oops eventually. Changing the negate line to have @u rather than
+%S at the end is important as that forces the latter case by passing a special
+keyring ID rather than an actual keyring ID.
+
+Reported-by: Alexander Zangerl <az@bond.edu.au>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Alexander Zangerl <az@bond.edu.au>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/keys/keyctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -860,7 +860,7 @@ static long get_instantiation_keyring(ke
+ /* otherwise specify the destination keyring recorded in the
+ * authorisation key (any KEY_SPEC_*_KEYRING) */
+ if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
+- *_dest_keyring = rka->dest_keyring;
++ *_dest_keyring = key_get(rka->dest_keyring);
+ return 0;
+ }
+
--- /dev/null
+From abb3911965c1bd8eea305f64d4840a314259d96d Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Sun, 25 Oct 2009 17:42:02 +0200
+Subject: KVM: get_tss_base_addr() should return a gpa_t
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit abb3911965c1bd8eea305f64d4840a314259d96d upstream.
+
+If TSS we are switching to resides in high memory task switch will fail
+since address will be truncated. Windows2k3 does this sometimes when
+running with more then 4G
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3762,7 +3762,7 @@ static int save_guest_segment_descriptor
+ return kvm_write_guest(vcpu->kvm, gpa, seg_desc, 8);
+ }
+
+-static u32 get_tss_base_addr(struct kvm_vcpu *vcpu,
++static gpa_t get_tss_base_addr(struct kvm_vcpu *vcpu,
+ struct desc_struct *seg_desc)
+ {
+ u32 base_addr;
--- /dev/null
+From e9024a059f2c17fb2bfab212ee9d31511d7b8e57 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Fri, 30 Oct 2009 17:45:14 +0000
+Subject: libertas if_usb: Fix crash on 64-bit machines
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream.
+
+On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas
+usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting
+crashes. Fix that by using skb->data instead.
+
+This highlights a problem with usb_fill_bulk_urb(). It doesn't notice
+when dma_map_single() fails and return the error to its caller as it
+should. In fact it _can't_ currently return the error, since it returns
+void.
+
+So this problem was showing up only at unmap time, after we'd already
+suffered memory corruption by doing DMA to a bogus address.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/if_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/if_usb.c
++++ b/drivers/net/wireless/libertas/if_usb.c
+@@ -507,7 +507,7 @@ static int __if_usb_submit_rx_urb(struct
+ /* Fill the receive configuration URB and initialise the Rx call back */
+ usb_fill_bulk_urb(cardp->rx_urb, cardp->udev,
+ usb_rcvbulkpipe(cardp->udev, cardp->ep_in),
+- (void *) (skb->tail + (size_t) IPFIELD_ALIGN_OFFSET),
++ skb->data + IPFIELD_ALIGN_OFFSET,
+ MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn,
+ cardp);
+
--- /dev/null
+From c1f9a764cf47686b1f5a0cf87ada68d90056136a Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Sun, 1 Nov 2009 19:25:40 +0100
+Subject: mac80211: check interface is down before type change
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+commit c1f9a764cf47686b1f5a0cf87ada68d90056136a upstream.
+
+For some strange reason the netif_running() check
+ended up after the actual type change instead of
+before, potentially causing all kinds of problems
+if the interface is up while changing the type;
+one of the problems manifests itself as a warning:
+
+WARNING: at net/mac80211/iface.c:651 ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]()
+Hardware name: Aspire one
+Pid: 2596, comm: wpa_supplicant Tainted: G W 2.6.31-10-generic #32-Ubuntu
+Call Trace:
+ [] warn_slowpath_common+0x6d/0xa0
+ [] warn_slowpath_null+0x15/0x20
+ [] ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]
+ [] ieee80211_if_change_type+0x4a/0xc0 [mac80211]
+ [] ieee80211_change_iface+0x61/0xa0 [mac80211]
+ [] cfg80211_wext_siwmode+0xc7/0x120 [cfg80211]
+ [] ioctl_standard_call+0x58/0xf0
+
+(http://www.kerneloops.org/searchweek.php?search=ieee80211_teardown_sdata)
+
+Cc: Arjan van de Ven <arjan@infradead.org>
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/cfg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -87,6 +87,9 @@ static int ieee80211_change_iface(struct
+ if (!dev)
+ return -ENODEV;
+
++ if (netif_running(dev))
++ return -EBUSY;
++
+ if (!nl80211_type_check(type))
+ return -EINVAL;
+
+@@ -96,9 +99,6 @@ static int ieee80211_change_iface(struct
+ if (ret)
+ return ret;
+
+- if (netif_running(sdata->dev))
+- return -EBUSY;
+-
+ if (ieee80211_vif_is_mesh(&sdata->vif) && params->mesh_id_len)
+ ieee80211_sdata_set_mesh_id(sdata,
+ params->mesh_id_len,
--- /dev/null
+From 9b1ce526eb917c8b5c8497c327768130ee683392 Mon Sep 17 00:00:00 2001
+From: Björn Smedman <bjorn.smedman@venatech.se>
+Date: Sat, 24 Oct 2009 20:55:09 +0200
+Subject: mac80211: fix for incorrect sequence number on hostapd injected frames
+
+From: Björn Smedman <bjorn.smedman@venatech.se>
+
+commit 9b1ce526eb917c8b5c8497c327768130ee683392 upstream.
+
+When hostapd injects a frame, e.g. an authentication or association
+response, mac80211 looks for a suitable access point virtual interface
+to associate the frame with based on its source address. This makes it
+possible e.g. to correctly assign sequence numbers to the frames.
+
+A small typo in the ethernet address comparison statement caused a
+failure to find a suitable ap interface. Sequence numbers on such
+frames where therefore left unassigned causing some clients
+(especially windows-based 11b/g clients) to reject them and fail to
+authenticate or associate with the access point. This patch fixes the
+typo in the address comparison statement.
+
+Signed-off-by: Björn Smedman <bjorn.smedman@venatech.se>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1478,7 +1478,7 @@ int ieee80211_master_start_xmit(struct s
+ if (sdata->vif.type != NL80211_IFTYPE_AP)
+ continue;
+ if (compare_ether_addr(sdata->dev->dev_addr,
+- hdr->addr2)) {
++ hdr->addr2) == 0) {
+ dev_hold(sdata->dev);
+ dev_put(odev);
+ osdata = sdata;
--- /dev/null
+From d71789b6fa37c21ce5eb588d279f57904a62e7e2 Mon Sep 17 00:00:00 2001
+From: Manuel Lauss <manuel.lauss@gmail.com>
+Date: Thu, 24 Sep 2009 21:44:24 +0200
+Subject: mips: fix build of vmlinux.lds
+
+From: Manuel Lauss <manuel.lauss@gmail.com>
+
+commit d71789b6fa37c21ce5eb588d279f57904a62e7e2 upstream.
+
+Commit 51b563fc93c8cb5bff1d67a0a71c374e4a4ea049 ("arm, cris, mips,
+sparc, powerpc, um, xtensa: fix build with bash 4.0") removed a few
+CPPFLAGS with vital include paths necessary to build vmlinux.lds
+on MIPS, and moved the calculation of the 'jiffies' symbol
+directly to vmlinux.lds.S but forgot to change make ifdef/... to
+cpp macros.
+
+Signed-off-by: Manuel Lauss <manuel.lauss@gmail.com>
+[sam: moved assignment of CPPFLAGS arch/mips/kernel/Makefile]
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Acked-by: Dmitri Vorobiev <dmitri.vorobiev@movial.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/mips/kernel/Makefile | 2 ++
+ arch/mips/kernel/vmlinux.lds.S | 12 ++++++------
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/kernel/Makefile
++++ b/arch/mips/kernel/Makefile
+@@ -2,6 +2,8 @@
+ # Makefile for the Linux/MIPS kernel.
+ #
+
++CPPFLAGS_vmlinux.lds := $(KBUILD_CFLAGS)
++
+ extra-y := head.o init_task.o vmlinux.lds
+
+ obj-y += cpu-probe.o branch.o entry.o genex.o irq.o process.o \
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -10,15 +10,15 @@ PHDRS {
+ note PT_NOTE FLAGS(4); /* R__ */
+ }
+
+-ifdef CONFIG_32BIT
+- ifdef CONFIG_CPU_LITTLE_ENDIAN
++#ifdef CONFIG_32BIT
++ #ifdef CONFIG_CPU_LITTLE_ENDIAN
+ jiffies = jiffies_64;
+- else
++ #else
+ jiffies = jiffies_64 + 4;
+- endif
+-else
++ #endif
++#else
+ jiffies = jiffies_64;
+-endif
++#endif
+
+ SECTIONS
+ {
--- /dev/null
+From 32c5fc10e79a7053ac5728b01a0bff55cbcb9d49 Mon Sep 17 00:00:00 2001
+From: Bo Liu <bo-liu@hotmail.com>
+Date: Mon, 2 Nov 2009 16:50:33 +0000
+Subject: mm: remove incorrect swap_count() from try_to_unuse()
+
+From: Bo Liu <bo-liu@hotmail.com>
+
+commit 32c5fc10e79a7053ac5728b01a0bff55cbcb9d49 upstream.
+
+In try_to_unuse(), swcount is a local copy of *swap_map, including the
+SWAP_HAS_CACHE bit; but a wrong comparison against swap_count(*swap_map),
+which masks off the SWAP_HAS_CACHE bit, succeeded where it should fail.
+
+That had the effect of resetting the mm from which to start searching
+for the next swap page, to an irrelevant mm instead of to an mm in which
+this swap page had been found: which may increase search time by ~20%.
+But we're used to swapoff being slow, so never noticed the slowdown.
+
+Remove that one spurious use of swap_count(): Bo Liu thought it merely
+redundant, Hugh rewrote the description since it was measurably wrong.
+
+Signed-off-by: Bo Liu <bo-liu@hotmail.com>
+Signed-off-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/swapfile.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -1149,8 +1149,7 @@ static int try_to_unuse(unsigned int typ
+ } else
+ retval = unuse_mm(mm, entry, page);
+
+- if (set_start_mm &&
+- swap_count(*swap_map) < swcount) {
++ if (set_start_mm && *swap_map < swcount) {
+ mmput(new_start_mm);
+ atomic_inc(&mm->mm_users);
+ new_start_mm = mm;
--- /dev/null
+From b1e19e5601277845b4f17ecd7c9ba04f73ee11aa Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Tue, 3 Nov 2009 00:25:53 +0900
+Subject: nilfs2: fix dirty page accounting leak causing hang at write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+
+commit b1e19e5601277845b4f17ecd7c9ba04f73ee11aa upstream.
+
+Bruno Prémont and Dunphy, Bill noticed me that NILFS will certainly
+hang on ARM-based targets.
+
+I found this was caused by an underflow of dirty pages counter. A
+b-tree cache routine was marking page dirty without adjusting page
+account information.
+
+This fixes the dirty page accounting leak and resolves the hang on
+arm-based targets.
+
+Reported-by: Bruno Prémont <bonbons@linux-vserver.org>
+Reported-by: Dunphy, Bill <WDunphy@tandbergdata.com>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Tested-by: Bruno Prémont <bonbons@linux-vserver.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nilfs2/btnode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nilfs2/btnode.c
++++ b/fs/nilfs2/btnode.c
+@@ -276,8 +276,7 @@ void nilfs_btnode_commit_change_key(stru
+ "invalid oldkey %lld (newkey=%lld)",
+ (unsigned long long)oldkey,
+ (unsigned long long)newkey);
+- if (!test_set_buffer_dirty(obh) && TestSetPageDirty(opage))
+- BUG();
++ nilfs_btnode_mark_dirty(obh);
+
+ spin_lock_irq(&btnc->tree_lock);
+ radix_tree_delete(&btnc->page_tree, oldkey);
--- /dev/null
+From 89a8640279f8bb78aaf778d1fc5c4a6778f18064 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 30 Oct 2009 13:13:26 +0000
+Subject: NOMMU: Don't pass NULL pointers to fput() in do_mmap_pgoff()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 89a8640279f8bb78aaf778d1fc5c4a6778f18064 upstream.
+
+Don't pass NULL pointers to fput() in the error handling paths of the NOMMU
+do_mmap_pgoff() as it can't handle it.
+
+The following can be used as a test program:
+
+ int main() { static long long a[1024 * 1024 * 20] = { 0 }; return a;}
+
+Without the patch, the code oopses in atomic_long_dec_and_test() as called by
+fput() after the kernel complains that it can't allocate that big a chunk of
+memory. With the patch, the kernel just complains about the allocation size
+and then the program segfaults during execve() as execve() can't complete the
+allocation of all the new ELF program segments.
+
+Reported-by: Robin Getz <rgetz@blackfin.uclinux.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Robin Getz <rgetz@blackfin.uclinux.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/nommu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/nommu.c
++++ b/mm/nommu.c
+@@ -1384,9 +1384,11 @@ share:
+ error_just_free:
+ up_write(&nommu_region_sem);
+ error:
+- fput(region->vm_file);
++ if (region->vm_file)
++ fput(region->vm_file);
+ kmem_cache_free(vm_region_jar, region);
+- fput(vma->vm_file);
++ if (vma->vm_file)
++ fput(vma->vm_file);
+ if (vma->vm_flags & VM_EXECUTABLE)
+ removed_exe_file_vma(vma->vm_mm);
+ kmem_cache_free(vm_area_cachep, vma);
--- /dev/null
+From 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Thu, 29 Oct 2009 08:56:16 -0600
+Subject: param: fix lots of bugs with writing charp params from sysfs, by leaking mem.
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef upstream.
+
+e180a6b7759a "param: fix charp parameters set via sysfs" fixed the case
+where charp parameters written via sysfs were freed, leaving drivers
+accessing random memory.
+
+Unfortunately, storing a flag in the kparam struct was a bad idea: it's
+rodata so setting it causes an oops on some archs. But that's not all:
+
+1) module_param_array() on charp doesn't work reliably, since we use an
+ uninitialized temporary struct kernel_param.
+2) there's a fundamental race if a module uses this parameter and then
+ it's changed: they will still access the old, freed, memory.
+
+The simplest fix (ie. for 2.6.32) is to never free the memory. This
+prevents all these problems, at cost of a memory leak. In practice, there
+are only 18 places where a charp is writable via sysfs, and all are
+root-only writable.
+
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Cc: Sitsofe Wheeler <sitsofe@yahoo.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Christof Schmitt <christof.schmitt@de.ibm.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/moduleparam.h | 1 -
+ kernel/params.c | 10 +---------
+ 2 files changed, 1 insertion(+), 10 deletions(-)
+
+--- a/include/linux/moduleparam.h
++++ b/include/linux/moduleparam.h
+@@ -37,7 +37,6 @@ typedef int (*param_set_fn)(const char *
+ typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp);
+
+ /* Flag bits for kernel_param.flags */
+-#define KPARAM_KMALLOCED 1
+ #define KPARAM_ISBOOL 2
+
+ struct kernel_param {
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -217,13 +217,9 @@ int param_set_charp(const char *val, str
+ return -ENOSPC;
+ }
+
+- if (kp->flags & KPARAM_KMALLOCED)
+- kfree(*(char **)kp->arg);
+-
+ /* This is a hack. We can't need to strdup in early boot, and we
+ * don't need to; this mangled commandline is preserved. */
+ if (slab_is_available()) {
+- kp->flags |= KPARAM_KMALLOCED;
+ *(char **)kp->arg = kstrdup(val, GFP_KERNEL);
+ if (!kp->arg)
+ return -ENOMEM;
+@@ -604,11 +600,7 @@ void module_param_sysfs_remove(struct mo
+
+ void destroy_params(const struct kernel_param *params, unsigned num)
+ {
+- unsigned int i;
+-
+- for (i = 0; i < num; i++)
+- if (params[i].flags & KPARAM_KMALLOCED)
+- kfree(*(char **)params[i].arg);
++ /* FIXME: This should free kmalloced charp parameters. It doesn't. */
+ }
+
+ static void __init kernel_add_sysfs_param(const char *name,
--- /dev/null
+From d553ad864e3b3dde3f1038d491e207021b2d6293 Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Thu, 29 Oct 2009 08:56:17 -0600
+Subject: param: fix NULL comparison on oom
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit d553ad864e3b3dde3f1038d491e207021b2d6293 upstream.
+
+kp->arg is always true: it's the contents of that pointer we care about.
+
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/params.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -221,7 +221,7 @@ int param_set_charp(const char *val, str
+ * don't need to; this mangled commandline is preserved. */
+ if (slab_is_available()) {
+ *(char **)kp->arg = kstrdup(val, GFP_KERNEL);
+- if (!kp->arg)
++ if (!*(char **)kp->arg)
+ return -ENOMEM;
+ } else
+ *(const char **)kp->arg = val;
--- /dev/null
+From 3c7d76e371ac1a3802ae1673f5c63554af59325c Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Thu, 29 Oct 2009 08:56:19 -0600
+Subject: param: fix setting arrays of bool
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 3c7d76e371ac1a3802ae1673f5c63554af59325c upstream.
+
+We create a dummy struct kernel_param on the stack for parsing each
+array element, but we didn't initialize the flags word. This matters
+for arrays of type "bool", where the flag indicates if it really is
+an array of bools or unsigned int (old-style).
+
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/params.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -299,6 +299,7 @@ static int param_array(const char *name,
+ unsigned int min, unsigned int max,
+ void *elem, int elemsize,
+ int (*set)(const char *, struct kernel_param *kp),
++ u16 flags,
+ unsigned int *num)
+ {
+ int ret;
+@@ -308,6 +309,7 @@ static int param_array(const char *name,
+ /* Get the name right for errors. */
+ kp.name = name;
+ kp.arg = elem;
++ kp.flags = flags;
+
+ /* No equals sign? */
+ if (!val) {
+@@ -353,7 +355,8 @@ int param_array_set(const char *val, str
+ unsigned int temp_num;
+
+ return param_array(kp->name, val, 1, arr->max, arr->elem,
+- arr->elemsize, arr->set, arr->num ?: &temp_num);
++ arr->elemsize, arr->set, kp->flags,
++ arr->num ?: &temp_num);
+ }
+
+ int param_array_get(char *buffer, struct kernel_param *kp)
--- /dev/null
+From 6d4f950e9ea15816c6a4f266ce6b9e438346771e Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 6 Oct 2009 16:07:51 +0100
+Subject: pata_sc1200: Fix crash on boot
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit 6d4f950e9ea15816c6a4f266ce6b9e438346771e upstream.
+
+The SC1200 needs a NULL terminator or it may cause a crash on boot.
+
+Bug #14227
+
+Also correct a bogus comment as the driver had serializing added so can run
+dual port.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/pata_sc1200.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/ata/pata_sc1200.c
++++ b/drivers/ata/pata_sc1200.c
+@@ -235,8 +235,7 @@ static int sc1200_init_one(struct pci_de
+ .udma_mask = ATA_UDMA2,
+ .port_ops = &sc1200_port_ops
+ };
+- /* Can't enable port 2 yet, see top comments */
+- const struct ata_port_info *ppi[] = { &info, };
++ const struct ata_port_info *ppi[] = { &info, NULL };
+
+ return ata_pci_sff_init_one(dev, ppi, &sc1200_sht, NULL);
+ }
--- /dev/null
+From f61f925859c57f6175082aeeee17743c68558a6e Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Sat, 5 Sep 2009 13:33:23 -0400
+Subject: Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"
+
+From: Len Brown <len.brown@intel.com>
+
+commit f61f925859c57f6175082aeeee17743c68558a6e upstream.
+
+This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=13002
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/scan.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1264,16 +1264,6 @@ acpi_add_single_object(struct acpi_devic
+ acpi_device_set_id(device, parent, handle, type);
+
+ /*
+- * The ACPI device is attached to acpi handle before getting
+- * the power/wakeup/peformance flags. Otherwise OS can't get
+- * the corresponding ACPI device by the acpi handle in the course
+- * of getting the power/wakeup/performance flags.
+- */
+- result = acpi_device_set_context(device, type);
+- if (result)
+- goto end;
+-
+- /*
+ * Power Management
+ * ----------------
+ */
+@@ -1303,6 +1293,8 @@ acpi_add_single_object(struct acpi_devic
+ goto end;
+ }
+
++ if ((result = acpi_device_set_context(device, type)))
++ goto end;
+
+ result = acpi_device_register(device, parent);
+
hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch
driver-core-fix-driver_register-return-value.patch
tty-mark-generic_serial-users-as-broken.patch
+param-fix-lots-of-bugs-with-writing-charp-params-from-sysfs-by-leaking-mem.patch
+param-fix-null-comparison-on-oom.patch
+param-fix-setting-arrays-of-bool.patch
+usb-serial-sierra-driver-send_setup-autopm-fix.patch
+usb-option-patch-for-huawei-mobile-broadband-e270-modem.patch
+usb-option-support-for-airplus-mcd650-datacard.patch
+usb-option-tlaytech-tue800-support.patch
+libertas-if_usb-fix-crash-on-64-bit-machines.patch
+cpuidle-always-return-with-interrupts-enabled.patch
+virtio-order-used-ring-after-used-index-read.patch
+cifs-fixing-to-avoid-invalid-kfree-in-cifs_get_tcp_session.patch
+mac80211-fix-for-incorrect-sequence-number-on-hostapd-injected-frames.patch
+mac80211-check-interface-is-down-before-type-change.patch
+x86-uv-fix-information-in-__uv_hub_info-structure.patch
+x86-uv-set-delivery_mode-4-for-vector-nmi_vector-in-uv_hub_send_ipi.patch
+nommu-don-t-pass-null-pointers-to-fput-in-do_mmap_pgoff.patch
+mm-remove-incorrect-swap_count-from-try_to_unuse.patch
+x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
+nilfs2-fix-dirty-page-accounting-leak-causing-hang-at-write.patch
+drm-i915-fix-fdi-m-n-setting-according-with-correct-color-depth.patch
+drm-i915-fix-to-setup-display-reference-clock-control-on-ironlake.patch
+drm-i915-fix-panel-fitting-filter-coefficient-select-for-ironlake.patch
+agp-intel-add-b43-chipset-support.patch
+drm-i915-add-b43-chipset-support.patch
+xen-hvc-make-sure-console-output-is-always-emitted-with-explicit-polling.patch
+xen-mask-extended-topology-info-in-cpuid.patch
+sgi-gru-decrapfiy-options_write-function.patch
+kvm-get_tss_base_addr-should-return-a-gpa_t.patch
+fuse-prevent-fuse_put_request-on-invalid-pointer.patch
+fuse-fix-kunmap-in-fuse_ioctl_copy_user.patch
+x86-amd-iommu-workaround-for-erratum-63.patch
+fsnotify-do-not-set-group-for-a-mark-before-it-is-on-the-i_list.patch
+mips-fix-build-of-vmlinux.lds.patch
+alpha-fix-build-after-vmlinux.lds.s-cleanup.patch
+acpi-pci-fix-null-pointer-dereference-in-acpi_get_pci_dev-rev.-2.patch
+revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
+keys-get_instantiation_keyring-should-inc-the-keyring-refcount-in-all-cases.patch
+b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch
+pata_sc1200-fix-crash-on-boot.patch
--- /dev/null
+From d39b7dd1dcbf394a1cb897457c862dafe9a20ac5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 5 Nov 2009 10:48:30 -0800
+Subject: sgi-gru: decrapfiy options_write() function
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d39b7dd1dcbf394a1cb897457c862dafe9a20ac5 upstream.
+
+Not a single line of actual code in the function was really
+fundamentally correct.
+
+Problems ranged from lack of proper range checking, to removing the last
+character written (which admittedly is usually '\n'), to not accepting
+hex numbers even though the 'show' routine would show the data in that
+format.
+
+This tries to do better.
+
+Acked-by: Michael Buesch <mb@bu3sch.de>
+Tested-and-acked-by: Jack Steiner <steiner@sgi.com>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sgi-gru/gruprocfs.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/misc/sgi-gru/gruprocfs.c
++++ b/drivers/misc/sgi-gru/gruprocfs.c
+@@ -161,14 +161,15 @@ static int options_show(struct seq_file
+ static ssize_t options_write(struct file *file, const char __user *userbuf,
+ size_t count, loff_t *data)
+ {
+- unsigned long val;
+- char buf[80];
++ char buf[20];
+
+- if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
++ if (count >= sizeof(buf))
++ return -EINVAL;
++ if (copy_from_user(buf, userbuf, count))
+ return -EFAULT;
+- buf[count - 1] = '\0';
+- if (!strict_strtoul(buf, 10, &val))
+- gru_options = val;
++ buf[count] = '\0';
++ if (strict_strtoul(buf, 0, &gru_options))
++ return -EINVAL;
+
+ return count;
+ }
--- /dev/null
+From 0ee3a33a0481c8f5c9edb7a5a02f3c76496d9551 Mon Sep 17 00:00:00 2001
+From: Ronnie Furuskog <rofu7@hotmail.com>
+Date: Mon, 21 Sep 2009 21:20:55 +0200
+Subject: USB: option: Patch for Huawei Mobile Broadband E270+ Modem
+
+From: Ronnie Furuskog <rofu7@hotmail.com>
+
+commit 0ee3a33a0481c8f5c9edb7a5a02f3c76496d9551 upstream.
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -166,6 +166,7 @@ static int option_resume(struct usb_ser
+ #define HUAWEI_PRODUCT_E143D 0x143D
+ #define HUAWEI_PRODUCT_E143E 0x143E
+ #define HUAWEI_PRODUCT_E143F 0x143F
++#define HUAWEI_PRODUCT_E14AC 0x14AC
+
+ #define QUANTA_VENDOR_ID 0x0408
+ #define QUANTA_PRODUCT_Q101 0xEA02
+@@ -426,6 +427,7 @@ static struct usb_device_id option_ids[]
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143D, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143E, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143F, 0xff, 0xff, 0xff) },
++ { USB_DEVICE(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC) },
+ { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_9508) },
+ { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) }, /* Novatel Merlin V640/XV620 */
+ { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) }, /* Novatel Merlin V620/S620 */
--- /dev/null
+From 12148da6722be3b44c2220206b6ccb80d2d9d8f8 Mon Sep 17 00:00:00 2001
+From: Huzaifa Sidhpurwala <sidhpurwala.huzaifa@gmail.com>
+Date: Mon, 12 Oct 2009 14:34:45 +0530
+Subject: USB: option: Support for AIRPLUS MCD650 Datacard
+
+From: Huzaifa Sidhpurwala <sidhpurwala.huzaifa@gmail.com>
+
+commit 12148da6722be3b44c2220206b6ccb80d2d9d8f8 upstream.
+
+Here is a patch for Airplus MCD 650 card
+
+Note: This device is with Victor V Kudlak, and he confirmed that this
+device works with the patch.
+
+Signed-off-by: Huzaifa Sidhpurwala <sidhpurwala.huzaifa@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -329,6 +329,9 @@ static int option_resume(struct usb_ser
+ #define ALCATEL_VENDOR_ID 0x1bbb
+ #define ALCATEL_PRODUCT_X060S 0x0000
+
++/* Airplus products */
++#define AIRPLUS_VENDOR_ID 0x1011
++#define AIRPLUS_PRODUCT_MCD650 0x3198
+
+ static struct usb_device_id option_ids[] = {
+ { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
+@@ -590,6 +593,7 @@ static struct usb_device_id option_ids[]
+ { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S) },
++ { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
--- /dev/null
+From fead2ab6cf9ad3a84a06e68ccc20d1e460fad13e Mon Sep 17 00:00:00 2001
+From: Bryan Wu <bryan.wu@canonical.com>
+Date: Thu, 22 Oct 2009 15:00:36 +0800
+Subject: USB: option: TLAYTECH TUE800 support
+
+From: Bryan Wu <bryan.wu@canonical.com>
+
+commit fead2ab6cf9ad3a84a06e68ccc20d1e460fad13e upstream.
+
+Add ID for Tlaytech TUE800 CDMA modem to the option driver.
+
+Signed-off-by: Bryan Wu <bryan.wu@canonical.com>
+Acked-By: Matthias Urlichs <matthias@urlichs.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -316,6 +316,9 @@ static int option_resume(struct usb_ser
+ #define QISDA_PRODUCT_H20_4515 0x4515
+ #define QISDA_PRODUCT_H20_4519 0x4519
+
++/* TLAYTECH PRODUCTS */
++#define TLAYTECH_VENDOR_ID 0x20B9
++#define TLAYTECH_PRODUCT_TEU800 0x1682
+
+ /* TOSHIBA PRODUCTS */
+ #define TOSHIBA_VENDOR_ID 0x0930
+@@ -594,6 +597,7 @@ static struct usb_device_id option_ids[]
+ { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S) },
+ { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
++ { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
--- /dev/null
+From 3c77d5137d3f4ff41721e9b4f4812db56a6065c0 Mon Sep 17 00:00:00 2001
+From: Elina Pasheva <epasheva@sierrawireless.com>
+Date: Fri, 16 Oct 2009 12:04:54 -0700
+Subject: USB: serial: sierra driver send_setup() autopm fix
+
+From: Elina Pasheva <epasheva@sierrawireless.com>
+
+commit 3c77d5137d3f4ff41721e9b4f4812db56a6065c0 upstream.
+
+This patch presents a fix for the autosuspend feature implementation in
+sierra usb serial driver for function sierra_send_setup(). Because it
+is possible to call sierra_send_setup() before sierra_open() or after
+sierra_close() we added a get/put interface activity to assure that the
+usb control can happen even when the device is autosuspended.
+
+Signed-off-by: Elina Pasheva <epasheva@sierrawireless.com>
+Tested-by: Matthew Safar <msafar@sierrawireless.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/sierra.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -287,6 +287,8 @@ static int sierra_send_setup(struct usb_
+ struct sierra_port_private *portdata;
+ __u16 interface = 0;
+ int val = 0;
++ int do_send = 0;
++ int retval;
+
+ dev_dbg(&port->dev, "%s\n", __func__);
+
+@@ -305,10 +307,7 @@ static int sierra_send_setup(struct usb_
+ */
+ if (port->interrupt_in_urb) {
+ /* send control message */
+- return usb_control_msg(serial->dev,
+- usb_rcvctrlpipe(serial->dev, 0),
+- 0x22, 0x21, val, interface,
+- NULL, 0, USB_CTRL_SET_TIMEOUT);
++ do_send = 1;
+ }
+ }
+
+@@ -320,12 +319,18 @@ static int sierra_send_setup(struct usb_
+ interface = 1;
+ else if (port->bulk_out_endpointAddress == 5)
+ interface = 2;
+- return usb_control_msg(serial->dev,
+- usb_rcvctrlpipe(serial->dev, 0),
+- 0x22, 0x21, val, interface,
+- NULL, 0, USB_CTRL_SET_TIMEOUT);
++
++ do_send = 1;
+ }
+- return 0;
++ if (!do_send)
++ return 0;
++
++ usb_autopm_get_interface(serial->interface);
++ retval = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
++ 0x22, 0x21, val, interface, NULL, 0, USB_CTRL_SET_TIMEOUT);
++ usb_autopm_put_interface(serial->interface);
++
++ return retval;
+ }
+
+ static void sierra_set_termios(struct tty_struct *tty,
--- /dev/null
+From 2d61ba95034f1abbdec7729d52c740870a5eddb6 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun, 25 Oct 2009 15:28:53 +0200
+Subject: virtio: order used ring after used index read
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 2d61ba95034f1abbdec7729d52c740870a5eddb6 upstream.
+
+On SMP guests, reads from the ring might bypass used index reads. This
+causes guest crashes because host writes to used index to signal ring
+data readiness. Fix this by inserting rmb before used ring reads.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/virtio/virtio_ring.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -281,6 +281,9 @@ static void *vring_get_buf(struct virtqu
+ return NULL;
+ }
+
++ /* Only get used array entries after they have been exposed by host. */
++ rmb();
++
+ i = vq->vring.used->ring[vq->last_used_idx%vq->vring.num].id;
+ *len = vq->vring.used->ring[vq->last_used_idx%vq->vring.num].len;
+
--- /dev/null
+From 81766741fe1eee3884219e8daaf03f466f2ed52f Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@novell.com>
+Date: Mon, 26 Oct 2009 15:20:29 +0000
+Subject: x86-64: Fix register leak in 32-bit syscall audting
+
+From: Jan Beulich <JBeulich@novell.com>
+
+commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.
+
+Restoring %ebp after the call to audit_syscall_exit() is not
+only unnecessary (because the register didn't get clobbered),
+but in the sysenter case wasn't even doing the right thing: It
+loaded %ebp from a location below the top of stack (RBP <
+ARGOFFSET), i.e. arbitrary kernel data got passed back to user
+mode in the register.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Acked-by: Roland McGrath <roland@redhat.com>
+LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -204,7 +204,7 @@ sysexit_from_sys_call:
+ movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
+ .endm
+
+- .macro auditsys_exit exit,ebpsave=RBP
++ .macro auditsys_exit exit
+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
+ jnz ia32_ret_from_sys_call
+ TRACE_IRQS_ON
+@@ -217,7 +217,6 @@ sysexit_from_sys_call:
+ call audit_syscall_exit
+ GET_THREAD_INFO(%r10)
+ movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
+- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
+ movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
+ cli
+ TRACE_IRQS_OFF
+@@ -351,7 +350,7 @@ cstar_auditsys:
+ jmp cstar_dispatch
+
+ sysretl_audit:
+- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
++ auditsys_exit sysretl_from_sys_call
+ #endif
+
+ cstar_tracesys:
--- /dev/null
+From c5cca146aa03e1f60fb179df65f0dbaf17bc64ed Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Fri, 9 Oct 2009 18:31:20 +0200
+Subject: x86/amd-iommu: Workaround for erratum 63
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit c5cca146aa03e1f60fb179df65f0dbaf17bc64ed upstream.
+
+There is an erratum for IOMMU hardware which documents
+undefined behavior when forwarding SMI requests from
+peripherals and the DTE of that peripheral has a sysmgt
+value of 01b. This problem caused weird IO_PAGE_FAULTS in my
+case.
+This patch implements the suggested workaround for that
+erratum into the AMD IOMMU driver. The erratum is
+documented with number 63.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/amd_iommu.h | 1 +
+ arch/x86/kernel/amd_iommu.c | 2 ++
+ arch/x86/kernel/amd_iommu_init.c | 22 ++++++++++++++++++++++
+ 3 files changed, 25 insertions(+)
+
+--- a/arch/x86/include/asm/amd_iommu.h
++++ b/arch/x86/include/asm/amd_iommu.h
+@@ -30,6 +30,7 @@ extern irqreturn_t amd_iommu_int_handler
+ extern void amd_iommu_flush_all_domains(void);
+ extern void amd_iommu_flush_all_devices(void);
+ extern void amd_iommu_shutdown(void);
++extern void amd_iommu_apply_erratum_63(u16 devid);
+ #else
+ static inline int amd_iommu_init(void) { return -ENODEV; }
+ static inline void amd_iommu_detect(void) { }
+--- a/arch/x86/kernel/amd_iommu.c
++++ b/arch/x86/kernel/amd_iommu.c
+@@ -1112,6 +1112,8 @@ static void __detach_device(struct prote
+ amd_iommu_dev_table[devid].data[1] = 0;
+ amd_iommu_dev_table[devid].data[2] = 0;
+
++ amd_iommu_apply_erratum_63(devid);
++
+ /* decrease reference counter */
+ domain->dev_cnt -= 1;
+
+--- a/arch/x86/kernel/amd_iommu_init.c
++++ b/arch/x86/kernel/amd_iommu_init.c
+@@ -509,6 +509,26 @@ static void set_dev_entry_bit(u16 devid,
+ amd_iommu_dev_table[devid].data[i] |= (1 << _bit);
+ }
+
++static int get_dev_entry_bit(u16 devid, u8 bit)
++{
++ int i = (bit >> 5) & 0x07;
++ int _bit = bit & 0x1f;
++
++ return (amd_iommu_dev_table[devid].data[i] & (1 << _bit)) >> _bit;
++}
++
++
++void amd_iommu_apply_erratum_63(u16 devid)
++{
++ int sysmgt;
++
++ sysmgt = get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT1) |
++ (get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT2) << 1);
++
++ if (sysmgt == 0x01)
++ set_dev_entry_bit(devid, DEV_ENTRY_IW);
++}
++
+ /* Writes the specific IOMMU for a device into the rlookup table */
+ static void __init set_iommu_for_device(struct amd_iommu *iommu, u16 devid)
+ {
+@@ -537,6 +557,8 @@ static void __init set_dev_entry_from_ac
+ if (flags & ACPI_DEVFLAG_LINT1)
+ set_dev_entry_bit(devid, DEV_ENTRY_LINT1_PASS);
+
++ amd_iommu_apply_erratum_63(devid);
++
+ set_iommu_for_device(iommu, devid);
+ }
+
--- /dev/null
+From 036ed8ba61b72c19dc5759446d4fe0844aa88255 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Thu, 15 Oct 2009 17:40:00 -0500
+Subject: x86, UV: Fix information in __uv_hub_info structure
+
+From: Robin Holt <holt@sgi.com>
+
+commit 036ed8ba61b72c19dc5759446d4fe0844aa88255 upstream.
+
+A few parts of the uv_hub_info structure are initialized
+incorrectly.
+
+ - n_val is being loaded with m_val.
+ - gpa_mask is initialized with a bytes instead of an unsigned long.
+ - Handle the case where none of the alias registers are used.
+
+Lastly I converted the bau over to using the uv_hub_info->m_val
+which is the correct value.
+
+Without this patch, booting a large configuration hits a
+problem where the upper bits of the gnode affect the pnode
+and the bau will not operate.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Acked-by: Jack Steiner <steiner@sgi.com>
+Cc: Cliff Whickman <cpw@sgi.com>
+LKML-Reference: <20091015224946.396355000@alcatraz.americas.sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/x2apic_uv_x.c | 8 ++++----
+ arch/x86/kernel/tlb_uv.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/apic/x2apic_uv_x.c
++++ b/arch/x86/kernel/apic/x2apic_uv_x.c
+@@ -352,14 +352,14 @@ static __init void get_lowmem_redirect(u
+
+ for (i = 0; i < ARRAY_SIZE(redir_addrs); i++) {
+ alias.v = uv_read_local_mmr(redir_addrs[i].alias);
+- if (alias.s.base == 0) {
++ if (alias.s.enable && alias.s.base == 0) {
+ *size = (1UL << alias.s.m_alias);
+ redirect.v = uv_read_local_mmr(redir_addrs[i].redirect);
+ *base = (unsigned long)redirect.s.dest_base << DEST_SHIFT;
+ return;
+ }
+ }
+- BUG();
++ *base = *size = 0;
+ }
+
+ enum map_type {map_wb, map_uc};
+@@ -609,12 +609,12 @@ void __init uv_system_init(void)
+ uv_cpu_hub_info(cpu)->lowmem_remap_base = lowmem_redir_base;
+ uv_cpu_hub_info(cpu)->lowmem_remap_top = lowmem_redir_size;
+ uv_cpu_hub_info(cpu)->m_val = m_val;
+- uv_cpu_hub_info(cpu)->n_val = m_val;
++ uv_cpu_hub_info(cpu)->n_val = n_val;
+ uv_cpu_hub_info(cpu)->numa_blade_id = blade;
+ uv_cpu_hub_info(cpu)->blade_processor_id = lcpu;
+ uv_cpu_hub_info(cpu)->pnode = pnode;
+ uv_cpu_hub_info(cpu)->pnode_mask = pnode_mask;
+- uv_cpu_hub_info(cpu)->gpa_mask = (1 << (m_val + n_val)) - 1;
++ uv_cpu_hub_info(cpu)->gpa_mask = (1UL << (m_val + n_val)) - 1;
+ uv_cpu_hub_info(cpu)->gnode_upper = gnode_upper;
+ uv_cpu_hub_info(cpu)->gnode_extra = gnode_extra;
+ uv_cpu_hub_info(cpu)->global_mmr_base = mmr_base;
+--- a/arch/x86/kernel/tlb_uv.c
++++ b/arch/x86/kernel/tlb_uv.c
+@@ -843,8 +843,8 @@ static int __init uv_bau_init(void)
+ GFP_KERNEL, cpu_to_node(cur_cpu));
+
+ uv_bau_retry_limit = 1;
+- uv_nshift = uv_hub_info->n_val;
+- uv_mmask = (1UL << uv_hub_info->n_val) - 1;
++ uv_nshift = uv_hub_info->m_val;
++ uv_mmask = (1UL << uv_hub_info->m_val) - 1;
+ nblades = uv_num_possible_blades();
+
+ uv_bau_table_bases = (struct bau_control **)
--- /dev/null
+From 02dd0a0613e0d84c7dd8315e3fe6204d005b7c79 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Tue, 20 Oct 2009 14:36:15 -0500
+Subject: x86, UV: Set DELIVERY_MODE=4 for vector=NMI_VECTOR in uv_hub_send_ipi()
+
+From: Robin Holt <holt@sgi.com>
+
+commit 02dd0a0613e0d84c7dd8315e3fe6204d005b7c79 upstream.
+
+When sending a NMI_VECTOR IPI using the UV_HUB_IPI_INT register,
+we need to ensure the delivery mode field of that register has
+NMI delivery selected.
+
+This makes those IPIs true NMIs, instead of flat IPIs. It
+matters to reboot sequences and KGDB, both of which use NMI
+IPIs.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Acked-by: Jack Steiner <steiner@sgi.com>
+Cc: Martin Hicks <mort@sgi.com>
+LKML-Reference: <20091020193620.877322000@alcatraz.americas.sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/uv/uv_hub.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/include/asm/uv/uv_hub.h
++++ b/arch/x86/include/asm/uv/uv_hub.h
+@@ -18,6 +18,8 @@
+ #include <asm/types.h>
+ #include <asm/percpu.h>
+ #include <asm/uv/uv_mmrs.h>
++#include <asm/irq_vectors.h>
++#include <asm/io_apic.h>
+
+
+ /*
+@@ -420,9 +422,14 @@ static inline void uv_set_cpu_scir_bits(
+ static inline void uv_hub_send_ipi(int pnode, int apicid, int vector)
+ {
+ unsigned long val;
++ unsigned long dmode = dest_Fixed;
++
++ if (vector == NMI_VECTOR)
++ dmode = dest_NMI;
+
+ val = (1UL << UVH_IPI_INT_SEND_SHFT) |
+ ((apicid) << UVH_IPI_INT_APIC_ID_SHFT) |
++ (dmode << UVH_IPI_INT_DELIVERY_MODE_SHFT) |
+ (vector << UVH_IPI_INT_VECTOR_SHFT);
+ uv_write_global_mmr64(pnode, UVH_IPI_INT, val);
+ }
--- /dev/null
+From 7825cf10e31c64ece3cac66fb01a742f1094da51 Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Date: Tue, 20 Oct 2009 15:28:21 +0900
+Subject: xen/hvc: make sure console output is always emitted, with explicit polling
+
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+
+commit 7825cf10e31c64ece3cac66fb01a742f1094da51 upstream.
+
+We never want to rely on the hvc workqueue to emit output, because the
+most interesting output is when the kernel is broken. This will
+improve oops/crash/console message for better debugging.
+
+Instead, we force-poll until all output is emitted.
+
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/hvc_xen.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/hvc_xen.c
++++ b/drivers/char/hvc_xen.c
+@@ -55,7 +55,7 @@ static inline void notify_daemon(void)
+ notify_remote_via_evtchn(xen_start_info->console.domU.evtchn);
+ }
+
+-static int write_console(uint32_t vtermno, const char *data, int len)
++static int __write_console(const char *data, int len)
+ {
+ struct xencons_interface *intf = xencons_interface();
+ XENCONS_RING_IDX cons, prod;
+@@ -76,6 +76,29 @@ static int write_console(uint32_t vtermn
+ return sent;
+ }
+
++static int write_console(uint32_t vtermno, const char *data, int len)
++{
++ int ret = len;
++
++ /*
++ * Make sure the whole buffer is emitted, polling if
++ * necessary. We don't ever want to rely on the hvc daemon
++ * because the most interesting console output is when the
++ * kernel is crippled.
++ */
++ while (len) {
++ int sent = __write_console(data, len);
++
++ data += sent;
++ len -= sent;
++
++ if (unlikely(len))
++ HYPERVISOR_sched_op(SCHEDOP_yield, NULL);
++ }
++
++ return ret;
++}
++
+ static int read_console(uint32_t vtermno, char *buf, int len)
+ {
+ struct xencons_interface *intf = xencons_interface();
--- /dev/null
+From 82d6469916c6fcfa345636a49004c9d1753905d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Date: Thu, 22 Oct 2009 16:41:15 -0700
+Subject: xen: mask extended topology info in cpuid
+
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+
+commit 82d6469916c6fcfa345636a49004c9d1753905d1 upstream.
+
+A Xen guest never needs to know about extended topology, and knowing
+would just confuse it.
+
+This patch just zeros ebx in leaf 0xb which indicates no topology info,
+preventing a crash under Xen on cpus which support this leaf.
+
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+
+---
+ arch/x86/xen/enlighten.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -178,6 +178,7 @@ static __read_mostly unsigned int cpuid_
+ static void xen_cpuid(unsigned int *ax, unsigned int *bx,
+ unsigned int *cx, unsigned int *dx)
+ {
++ unsigned maskebx = ~0;
+ unsigned maskecx = ~0;
+ unsigned maskedx = ~0;
+
+@@ -185,9 +186,16 @@ static void xen_cpuid(unsigned int *ax,
+ * Mask out inconvenient features, to try and disable as many
+ * unsupported kernel subsystems as possible.
+ */
+- if (*ax == 1) {
++ switch (*ax) {
++ case 1:
+ maskecx = cpuid_leaf1_ecx_mask;
+ maskedx = cpuid_leaf1_edx_mask;
++ break;
++
++ case 0xb:
++ /* Suppress extended topology stuff */
++ maskebx = 0;
++ break;
+ }
+
+ asm(XEN_EMULATE_PREFIX "cpuid"
+@@ -197,6 +205,7 @@ static void xen_cpuid(unsigned int *ax,
+ "=d" (*dx)
+ : "0" (*ax), "2" (*cx));
+
++ *bx &= maskebx;
+ *cx &= maskecx;
+ *dx &= maskedx;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
