.35 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 20 Oct 2010 00:43:43 +0000 (17:43 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 20 Oct 2010 00:43:43 +0000 (17:43 -0700)
39 files changed:
queue-2.6.35/atl1-fix-resume.patch [new file with mode: 0644]
queue-2.6.35/de-pessimize-rds_page_copy_user.patch [new file with mode: 0644]
queue-2.6.35/dmaengine-fix-interrupt-clearing-for-mv_xor.patch [new file with mode: 0644]
queue-2.6.35/drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch [new file with mode: 0644]
queue-2.6.35/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch [new file with mode: 0644]
queue-2.6.35/drm-i915-fix-gmch-power-reporting.patch [new file with mode: 0644]
queue-2.6.35/drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch [new file with mode: 0644]
queue-2.6.35/drm-i915-sanity-check-pread-pwrite.patch [new file with mode: 0644]
queue-2.6.35/drm-prune-gem-vma-entries.patch [new file with mode: 0644]
queue-2.6.35/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch [new file with mode: 0644]
queue-2.6.35/drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch [new file with mode: 0644]
queue-2.6.35/drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch [new file with mode: 0644]
queue-2.6.35/drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch [new file with mode: 0644]
queue-2.6.35/drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch [new file with mode: 0644]
queue-2.6.35/firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch [new file with mode: 0644]
queue-2.6.35/hrtimer-preserve-timer-state-in-remove_hrtimer.patch [new file with mode: 0644]
queue-2.6.35/i2c-pca-fix-waitforcompletion-return-value.patch [new file with mode: 0644]
queue-2.6.35/input-joydev-fix-jsiocsaxmap-ioctl.patch [new file with mode: 0644]
queue-2.6.35/input-wacom-fix-pressure-in-cintiq-21ux2.patch [new file with mode: 0644]
queue-2.6.35/ioat2-fix-performance-regression.patch [new file with mode: 0644]
queue-2.6.35/mac80211-fix-use-after-free.patch [new file with mode: 0644]
queue-2.6.35/mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch [new file with mode: 0644]
queue-2.6.35/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch [new file with mode: 0644]
queue-2.6.35/oss-soundcard-locking-bug-in-sound_ioctl.patch [new file with mode: 0644]
queue-2.6.35/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch [new file with mode: 0644]
queue-2.6.35/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch [new file with mode: 0644]
queue-2.6.35/ring-buffer-fix-typo-of-time-extends-per-page.patch [new file with mode: 0644]
queue-2.6.35/series
queue-2.6.35/ubd-fix-incorrect-sector-handling-during-request-restart.patch [new file with mode: 0644]
queue-2.6.35/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch [new file with mode: 0644]
queue-2.6.35/v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch [new file with mode: 0644]
queue-2.6.35/v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch [new file with mode: 0644]
queue-2.6.35/v4l1-fix-32-bit-compat-microcode-loading-translation.patch [new file with mode: 0644]
queue-2.6.35/virtio-blk-fix-request-leak.patch [new file with mode: 0644]
queue-2.6.35/wext-fix-potential-private-ioctl-memory-content-leak.patch [new file with mode: 0644]
queue-2.6.35/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch [new file with mode: 0644]
queue-2.6.35/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch [new file with mode: 0644]
queue-2.6.35/x86-irq-plug-memory-leak-in-sparse-irq.patch [new file with mode: 0644]
queue-2.6.35/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch [new file with mode: 0644]

diff --git a/queue-2.6.35/atl1-fix-resume.patch b/queue-2.6.35/atl1-fix-resume.patch
new file mode 100644 (file)
index 0000000..fbbd88d
--- /dev/null
@@ -0,0 +1,40 @@
+From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001
+From: Luca Tettamanti <kronos.it@gmail.com>
+Date: Wed, 22 Sep 2010 10:41:58 +0000
+Subject: atl1: fix resume
+
+From: Luca Tettamanti <kronos.it@gmail.com>
+
+commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream.
+
+adapter->cmb.cmb is initialized when the device is opened and freed when
+it's closed. Accessing it unconditionally during resume results either
+in a crash (NULL pointer dereference, when the interface has not been
+opened yet) or data corruption (when the interface has been used and
+brought down adapter->cmb.cmb points to a deallocated memory area).
+
+Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
+Acked-by: Chris Snook <chris.snook@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/atlx/atl1.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/atlx/atl1.c
++++ b/drivers/net/atlx/atl1.c
+@@ -2847,10 +2847,11 @@ static int atl1_resume(struct pci_dev *p
+       pci_enable_wake(pdev, PCI_D3cold, 0);
+       atl1_reset_hw(&adapter->hw);
+-      adapter->cmb.cmb->int_stats = 0;
+-      if (netif_running(netdev))
++      if (netif_running(netdev)) {
++              adapter->cmb.cmb->int_stats = 0;
+               atl1_up(adapter);
++      }
+       netif_device_attach(netdev);
+       return 0;
diff --git a/queue-2.6.35/de-pessimize-rds_page_copy_user.patch b/queue-2.6.35/de-pessimize-rds_page_copy_user.patch
new file mode 100644 (file)
index 0000000..e205d09
--- /dev/null
@@ -0,0 +1,78 @@
+From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:09:28 -0700
+Subject: De-pessimize rds_page_copy_user
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream.
+
+Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
+the unsafe atomic user mode accessor functions.  It's actually slower
+than the straightforward code on any reasonable modern CPU.
+
+Back when the code was written (although probably not by the time it was
+actually merged, though), 32-bit x86 may have been the dominant
+architecture.  And there kmap_atomic() can be a lot faster than kmap()
+(unless you have very good locality, in which case the virtual address
+caching by kmap() can overcome all the downsides).
+
+But these days, x86-64 may not be more populous, but it's getting there
+(and if you care about performance, it's definitely already there -
+you'd have upgraded your CPU's already in the last few years).  And on
+x86-64, the non-kmap_atomic() version is faster, simply because the code
+is simpler and doesn't have the "re-try page fault" case.
+
+People with old hardware are not likely to care about RDS anyway, and
+the optimization for the 32-bit case is simply buggy, since it doesn't
+verify the user addresses properly.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rds/page.c |   27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+--- a/net/rds/page.c
++++ b/net/rds/page.c
+@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page
+       unsigned long ret;
+       void *addr;
+-      if (to_user)
++      addr = kmap(page);
++      if (to_user) {
+               rds_stats_add(s_copy_to_user, bytes);
+-      else
++              ret = copy_to_user(ptr, addr + offset, bytes);
++      } else {
+               rds_stats_add(s_copy_from_user, bytes);
+-
+-      addr = kmap_atomic(page, KM_USER0);
+-      if (to_user)
+-              ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
+-      else
+-              ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
+-      kunmap_atomic(addr, KM_USER0);
+-
+-      if (ret) {
+-              addr = kmap(page);
+-              if (to_user)
+-                      ret = copy_to_user(ptr, addr + offset, bytes);
+-              else
+-                      ret = copy_from_user(addr + offset, ptr, bytes);
+-              kunmap(page);
+-              if (ret)
+-                      return -EFAULT;
++              ret = copy_from_user(addr + offset, ptr, bytes);
+       }
++      kunmap(page);
+-      return 0;
++      return ret ? -EFAULT : 0;
+ }
+ EXPORT_SYMBOL_GPL(rds_page_copy_user);
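Review bot: The security reason for dropping the `__copy_*_inatomic` calls in rds_page_copy_user() lives only in the commit message, so the rewritten body should say it in a comment. Those double-underscore variants skip the user-address range check, while `copy_to_user()`/`copy_from_user()` perform it. Above `addr = kmap(page);` I would add `/* ptr is an unvalidated user address: use the checking copy_*_user() helpers, never the __ variants */`. That keeps a later "optimisation" from quietly reintroducing the unchecked copy. The function's signature and opening lines are outside the hunk.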
diff --git a/queue-2.6.35/dmaengine-fix-interrupt-clearing-for-mv_xor.patch b/queue-2.6.35/dmaengine-fix-interrupt-clearing-for-mv_xor.patch
new file mode 100644 (file)
index 0000000..e43a62c
--- /dev/null
@@ -0,0 +1,42 @@
+From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001
+From: Simon Guinot <sguinot@lacie.com>
+Date: Fri, 17 Sep 2010 23:33:51 +0200
+Subject: dmaengine: fix interrupt clearing for mv_xor
+
+From: Simon Guinot <sguinot@lacie.com>
+
+commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream.
+
+When using simultaneously the two DMA channels on a same engine, some
+transfers are never completed. For example, an endless lock can occur
+while writing heavily on a RAID5 array (with async-tx offload support
+enabled).
+
+Note that this issue can also be reproduced by using the DMA test
+client.
+
+On a same engine, the interrupt cause register is shared between two
+DMA channels. This patch make sure that the cause bit is only cleared
+for the requested channel.
+
+Signed-off-by: Simon Guinot <sguinot@lacie.com>
+Tested-by: Luc Saillard <luc@saillard.org>
+Acked-by: saeed bishara <saeed.bishara@gmail.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/mv_xor.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -162,7 +162,7 @@ static int mv_is_err_intr(u32 intr_cause
+ static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan)
+ {
+-      u32 val = (1 << (1 + (chan->idx * 16)));
++      u32 val = ~(1 << (chan->idx * 16));
+       dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val);
+       __raw_writel(val, XOR_INTR_CAUSE(chan));
+ }
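Review bot: The new mask in mv_xor_device_clear_eoc_cause() changes two things at once, and the description explains only one of them. Besides inverting the value so the other channel's cause bits are written as 1, it moves the cleared bit from `1 + idx * 16` to `idx * 16`. If that change of bit position is intended, a comment naming the cause bit being acknowledged (the register appears to be write-0-to-clear) would stop a later reader from changing it back. I would also make the constant unsigned, `u32 val = ~(1U << (chan->idx * 16));`, so the shift and complement are not done on a signed int.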
diff --git a/queue-2.6.35/drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch b/queue-2.6.35/drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch
new file mode 100644 (file)
index 0000000..10601e6
--- /dev/null
@@ -0,0 +1,52 @@
+From 929f49bf225b1b6cd04d0a7b9c0f7377d9131220 Mon Sep 17 00:00:00 2001
+From: Julia Lawall <julia@diku.dk>
+Date: Sat, 2 Oct 2010 15:59:17 +0200
+Subject: drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code
+
+From: Julia Lawall <julia@diku.dk>
+
+commit 929f49bf225b1b6cd04d0a7b9c0f7377d9131220 upstream.
+
+Extend the error handling code with operations found in other nearby error
+handling code
+
+A simplified version of the sematic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+// <smpl>
+@r exists@
+@r@
+statement S1,S2,S3;
+constant C1,C2,C3;
+@@
+
+*if (...)
+ {... S1 return -C1;}
+...
+*if (...)
+ {... when != S1
+    return -C2;}
+...
+*if (...)
+ {... S1 return -C3;}
+// </smpl>
+
+Signed-off-by: Julia Lawall <julia@diku.dk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -3367,6 +3367,8 @@ i915_gem_object_pin_and_relocate(struct
+                                 (int) reloc->offset,
+                                 reloc->read_domains,
+                                 reloc->write_domain);
++                      drm_gem_object_unreference(target_obj);
++                      i915_gem_object_unpin(obj);
+                       return -EINVAL;
+               }
+               if (reloc->write_domain & I915_GEM_DOMAIN_CPU ||
diff --git a/queue-2.6.35/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch b/queue-2.6.35/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch
new file mode 100644 (file)
index 0000000..9146f58
--- /dev/null
@@ -0,0 +1,107 @@
+From 39b4d07aa3583ceefe73622841303a0a3e942ca1 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 30 Sep 2010 09:10:26 +0100
+Subject: drm: Hold the mutex when dropping the last GEM reference (v2)
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 39b4d07aa3583ceefe73622841303a0a3e942ca1 upstream.
+
+In order to be fully threadsafe we need to check that the drm_gem_object
+refcount is still 0 after acquiring the mutex in order to call the free
+function. Otherwise, we may encounter scenarios like:
+
+Thread A:                                        Thread B:
+drm_gem_close
+unreference_unlocked
+kref_put                                         mutex_lock
+...                                              i915_gem_evict
+...                                              kref_get -> BUG
+...                                              i915_gem_unbind
+...                                              kref_put
+...                                              i915_gem_object_free
+...                                              mutex_unlock
+mutex_lock
+i915_gem_object_free -> BUG
+i915_gem_object_unbind
+kfree
+mutex_unlock
+
+Note that no driver is currently using the free_unlocked vfunc and it is
+scheduled for removal, hasten that process.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454
+Reported-and-Tested-by: Magnus Kessler <Magnus.Kessler@gmx.net>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/drm_gem.c |   22 ----------------------
+ include/drm/drmP.h        |   10 ++++++----
+ 2 files changed, 6 insertions(+), 26 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -451,28 +451,6 @@ drm_gem_object_free(struct kref *kref)
+ }
+ EXPORT_SYMBOL(drm_gem_object_free);
+-/**
+- * Called after the last reference to the object has been lost.
+- * Must be called without holding struct_mutex
+- *
+- * Frees the object
+- */
+-void
+-drm_gem_object_free_unlocked(struct kref *kref)
+-{
+-      struct drm_gem_object *obj = (struct drm_gem_object *) kref;
+-      struct drm_device *dev = obj->dev;
+-
+-      if (dev->driver->gem_free_object_unlocked != NULL)
+-              dev->driver->gem_free_object_unlocked(obj);
+-      else if (dev->driver->gem_free_object != NULL) {
+-              mutex_lock(&dev->struct_mutex);
+-              dev->driver->gem_free_object(obj);
+-              mutex_unlock(&dev->struct_mutex);
+-      }
+-}
+-EXPORT_SYMBOL(drm_gem_object_free_unlocked);
+-
+ static void drm_gem_object_ref_bug(struct kref *list_kref)
+ {
+       BUG();
+--- a/include/drm/drmP.h
++++ b/include/drm/drmP.h
+@@ -802,7 +802,6 @@ struct drm_driver {
+        */
+       int (*gem_init_object) (struct drm_gem_object *obj);
+       void (*gem_free_object) (struct drm_gem_object *obj);
+-      void (*gem_free_object_unlocked) (struct drm_gem_object *obj);
+       /* vga arb irq handler */
+       void (*vgaarb_irq)(struct drm_device *dev, bool state);
+@@ -1431,7 +1430,6 @@ int drm_gem_init(struct drm_device *dev)
+ void drm_gem_destroy(struct drm_device *dev);
+ void drm_gem_object_release(struct drm_gem_object *obj);
+ void drm_gem_object_free(struct kref *kref);
+-void drm_gem_object_free_unlocked(struct kref *kref);
+ struct drm_gem_object *drm_gem_object_alloc(struct drm_device *dev,
+                                           size_t size);
+ int drm_gem_object_init(struct drm_device *dev,
+@@ -1457,8 +1455,12 @@ drm_gem_object_unreference(struct drm_ge
+ static inline void
+ drm_gem_object_unreference_unlocked(struct drm_gem_object *obj)
+ {
+-      if (obj != NULL)
+-              kref_put(&obj->refcount, drm_gem_object_free_unlocked);
++      if (obj != NULL) {
++              struct drm_device *dev = obj->dev;
++              mutex_lock(&dev->struct_mutex);
++              kref_put(&obj->refcount, drm_gem_object_free);
++              mutex_unlock(&dev->struct_mutex);
++      }
+ }
+ int drm_gem_handle_create(struct drm_file *file_priv,
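Review bot: drm_gem_object_unreference_unlocked() now takes `dev->struct_mutex` on every call, but its locking contract is no longer written down anywhere. The only statement of it ("Must be called without holding struct_mutex") was in the kerneldoc of the deleted drm_gem_object_free_unlocked(). The inline in drmP.h should gain a comment such as `/* Caller must NOT hold dev->struct_mutex and must be able to sleep; the mutex is taken here so the final kref_put and the free are serialised. */`. Without it, a caller that already holds the mutex would self-deadlock, and nothing at the call site hints at that.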
diff --git a/queue-2.6.35/drm-i915-fix-gmch-power-reporting.patch b/queue-2.6.35/drm-i915-fix-gmch-power-reporting.patch
new file mode 100644 (file)
index 0000000..d1bf529
--- /dev/null
@@ -0,0 +1,47 @@
+From d270ae34eb77c58dea60e5b1e300a698d2ce39ac Mon Sep 17 00:00:00 2001
+From: Jesse Barnes <jbarnes@virtuousgeek.org>
+Date: Mon, 27 Sep 2010 10:35:44 -0700
+Subject: drm/i915: fix GMCH power reporting
+
+From: Jesse Barnes <jbarnes@virtuousgeek.org>
+
+commit d270ae34eb77c58dea60e5b1e300a698d2ce39ac upstream.
+
+The IPS driver needs to know the current power consumption of the GMCH
+in order to make decisions about when to increase or decrease the CPU
+and/or GPU power envelope.  So fix up the divisions to save the results
+so the numbers are actually correct (contrary to some earlier comments
+and code, these functions do not modify the first argument and use it
+for the result).
+
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_dma.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_dma.c
++++ b/drivers/gpu/drm/i915/i915_dma.c
+@@ -1778,9 +1778,9 @@ unsigned long i915_chipset_val(struct dr
+               }
+       }
+-      div_u64(diff, diff1);
++      diff = div_u64(diff, diff1);
+       ret = ((m * diff) + c);
+-      div_u64(ret, 10);
++      ret = div_u64(ret, 10);
+       dev_priv->last_count1 = total_count;
+       dev_priv->last_time1 = now;
+@@ -1849,7 +1849,7 @@ void i915_update_gfx_val(struct drm_i915
+       /* More magic constants... */
+       diff = diff * 1181;
+-      div_u64(diff, diffms * 10);
++      diff = div_u64(diff, diffms * 10);
+       dev_priv->gfx_power = diff;
+ }
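Review bot: Now that the quotients are actually used, the divisors need a guard, and none is visible in these hunks. This applies to `diff = div_u64(diff, diff1);` in i915_chipset_val() and `diff = div_u64(diff, diffms * 10);` in i915_update_gfx_val(). Both divisors are computed outside the lines shown and look like elapsed-time deltas, so please confirm they cannot be zero when the function runs twice in quick succession. If they can, bail out early, for example `if (!diffms) return;` before the multiply in i915_update_gfx_val(), and an equivalent early return in i915_chipset_val().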
diff --git a/queue-2.6.35/drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch b/queue-2.6.35/drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch
new file mode 100644 (file)
index 0000000..6df8bd0
--- /dev/null
@@ -0,0 +1,36 @@
+From 6939a5aca7cfada279a24c307e772f33104fca20 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 8 Oct 2010 13:40:27 +0100
+Subject: drm/i915: Prevent module unload to avoid random memory corruption
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 6939a5aca7cfada279a24c307e772f33104fca20 upstream.
+
+The i915 driver has quite a few module unload bugs, the known ones at
+least have fixes that are targeting 2.6.37. However, in order to
+maintain a stable kernel, we should prevent this known random memory
+corruption following driver unload. This should have very low impact on
+normal users who are unlikely to need to unload the i915 driver.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_dma.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_dma.c
++++ b/drivers/gpu/drm/i915/i915_dma.c
+@@ -2222,6 +2222,9 @@ int i915_driver_load(struct drm_device *
+       dev_priv->mchdev_lock = &mchdev_lock;
+       spin_unlock(&mchdev_lock);
++      /* XXX Prevent module unload due to memory corruption bugs. */
++      __module_get(THIS_MODULE);
++
+       return 0;
+ out_workqueue_free:
diff --git a/queue-2.6.35/drm-i915-sanity-check-pread-pwrite.patch b/queue-2.6.35/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644 (file)
index 0000000..b5eb2dd
--- /dev/null
@@ -0,0 +1,89 @@
+From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sun, 26 Sep 2010 20:50:05 +0100
+Subject: drm/i915: Sanity check pread/pwrite
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c |   28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
+        */
+       if (args->offset > obj->size || args->size > obj->size ||
+           args->offset + args->size > obj->size) {
+-              drm_gem_object_unreference_unlocked(obj);
+-              return -EINVAL;
++              ret = -EINVAL;
++              goto err;
++      }
++
++      if (!access_ok(VERIFY_WRITE,
++                     (char __user *)(uintptr_t)args->data_ptr,
++                     args->size)) {
++              ret = -EFAULT;
++              goto err;
+       }
+       if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
+                                                       file_priv);
+       }
++err:
+       drm_gem_object_unreference_unlocked(obj);
+-
+       return ret;
+ }
+@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+       user_data = (char __user *) (uintptr_t) args->data_ptr;
+       remain = args->size;
+-      if (!access_ok(VERIFY_READ, user_data, remain))
+-              return -EFAULT;
+       mutex_lock(&dev->struct_mutex);
+@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+        */
+       if (args->offset > obj->size || args->size > obj->size ||
+           args->offset + args->size > obj->size) {
+-              drm_gem_object_unreference_unlocked(obj);
+-              return -EINVAL;
++              ret = -EINVAL;
++              goto err;
++      }
++
++      if (!access_ok(VERIFY_READ,
++                     (char __user *)(uintptr_t)args->data_ptr,
++                     args->size)) {
++              ret = -EFAULT;
++              goto err;
+       }
+       /* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+               DRM_INFO("pwrite failed %d\n", ret);
+ #endif
++err:
+       drm_gem_object_unreference_unlocked(obj);
+-
+       return ret;
+ }
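Review bot: After this change i915_gem_gtt_pwrite_fast() no longer validates `user_data` itself and depends on i915_gem_pwrite_ioctl() having called `access_ok()` first, but nothing at the removal site records that. I would leave a comment where the check was dropped, e.g. `/* user_data range already checked with access_ok() in i915_gem_pwrite_ioctl() */`. That way a future caller reaching the helper by another route does not reintroduce the unchecked copy this patch closes (CVE-2010-2962 per the description). Separately, the cast `(char __user *)(uintptr_t)args->data_ptr` would silently drop high bits if `data_ptr` is wider than a pointer; its type is not visible here, so that is worth confirming. The ioctl bodies continue outside the hunks.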
diff --git a/queue-2.6.35/drm-prune-gem-vma-entries.patch b/queue-2.6.35/drm-prune-gem-vma-entries.patch
new file mode 100644 (file)
index 0000000..a15e73e
--- /dev/null
@@ -0,0 +1,112 @@
+From 31dfbc93923c0aaa0440b809f80ff2830c6a531a Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 27 Sep 2010 21:28:30 +0100
+Subject: drm: Prune GEM vma entries
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 31dfbc93923c0aaa0440b809f80ff2830c6a531a upstream.
+
+Hook the GEM vm open/close ops into the generic drm vm open/close so
+that the private vma entries are created and destroy appropriately.
+Fixes the leak of the drm_vma_entries during the lifetime of the filp.
+
+Reported-by: Matt Mackall <mpm@selenic.com>
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/drm_gem.c |    9 ++++++++-
+ drivers/gpu/drm/drm_vm.c  |   28 ++++++++++++++++++----------
+ include/drm/drmP.h        |    1 +
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -517,6 +517,10 @@ void drm_gem_vm_open(struct vm_area_stru
+       struct drm_gem_object *obj = vma->vm_private_data;
+       drm_gem_object_reference(obj);
++
++      mutex_lock(&obj->dev->struct_mutex);
++      drm_vm_open_locked(vma);
++      mutex_unlock(&obj->dev->struct_mutex);
+ }
+ EXPORT_SYMBOL(drm_gem_vm_open);
+@@ -524,7 +528,10 @@ void drm_gem_vm_close(struct vm_area_str
+ {
+       struct drm_gem_object *obj = vma->vm_private_data;
+-      drm_gem_object_unreference_unlocked(obj);
++      mutex_lock(&obj->dev->struct_mutex);
++      drm_vm_close_locked(vma);
++      drm_gem_object_unreference(obj);
++      mutex_unlock(&obj->dev->struct_mutex);
+ }
+ EXPORT_SYMBOL(drm_gem_vm_close);
+--- a/drivers/gpu/drm/drm_vm.c
++++ b/drivers/gpu/drm/drm_vm.c
+@@ -433,15 +433,7 @@ static void drm_vm_open(struct vm_area_s
+       mutex_unlock(&dev->struct_mutex);
+ }
+-/**
+- * \c close method for all virtual memory types.
+- *
+- * \param vma virtual memory area.
+- *
+- * Search the \p vma private data entry in drm_device::vmalist, unlink it, and
+- * free it.
+- */
+-static void drm_vm_close(struct vm_area_struct *vma)
++void drm_vm_close_locked(struct vm_area_struct *vma)
+ {
+       struct drm_file *priv = vma->vm_file->private_data;
+       struct drm_device *dev = priv->minor->dev;
+@@ -451,7 +443,6 @@ static void drm_vm_close(struct vm_area_
+                 vma->vm_start, vma->vm_end - vma->vm_start);
+       atomic_dec(&dev->vma_count);
+-      mutex_lock(&dev->struct_mutex);
+       list_for_each_entry_safe(pt, temp, &dev->vmalist, head) {
+               if (pt->vma == vma) {
+                       list_del(&pt->head);
+@@ -459,6 +450,23 @@ static void drm_vm_close(struct vm_area_
+                       break;
+               }
+       }
++}
++
++/**
++ * \c close method for all virtual memory types.
++ *
++ * \param vma virtual memory area.
++ *
++ * Search the \p vma private data entry in drm_device::vmalist, unlink it, and
++ * free it.
++ */
++static void drm_vm_close(struct vm_area_struct *vma)
++{
++      struct drm_file *priv = vma->vm_file->private_data;
++      struct drm_device *dev = priv->minor->dev;
++
++      mutex_lock(&dev->struct_mutex);
++      drm_vm_close_locked(vma);
+       mutex_unlock(&dev->struct_mutex);
+ }
+--- a/include/drm/drmP.h
++++ b/include/drm/drmP.h
+@@ -1149,6 +1149,7 @@ extern int drm_release(struct inode *ino
+ extern int drm_mmap(struct file *filp, struct vm_area_struct *vma);
+ extern int drm_mmap_locked(struct file *filp, struct vm_area_struct *vma);
+ extern void drm_vm_open_locked(struct vm_area_struct *vma);
++extern void drm_vm_close_locked(struct vm_area_struct *vma);
+ extern resource_size_t drm_core_get_map_ofs(struct drm_local_map * map);
+ extern resource_size_t drm_core_get_reg_ofs(struct drm_device *dev);
+ extern unsigned int drm_poll(struct file *filp, struct poll_table_struct *wait);
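Review bot: In the new drm_gem_vm_close(), `mutex_unlock(&obj->dev->struct_mutex);` dereferences `obj` after `drm_gem_object_unreference(obj);`, which may have dropped the last reference and freed the object. Cache the device before the put and use it for both lock calls: `struct drm_device *dev = obj->dev;`, then `mutex_lock(&dev->struct_mutex);` and `mutex_unlock(&dev->struct_mutex);`. Separately, drm_vm_close_locked() lost its kerneldoc when the comment moved to the static wrapper. A one-line `/* caller must hold dev->struct_mutex */` above it would state the contract its name implies.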
diff --git a/queue-2.6.35/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch b/queue-2.6.35/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch
new file mode 100644 (file)
index 0000000..7a1439a
--- /dev/null
@@ -0,0 +1,36 @@
+From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Sat, 25 Sep 2010 17:45:50 +1000
+Subject: drm/radeon: fix PCI ID 5657 to be an RV410
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream.
+
+fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/drm/drm_pciids.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -85,7 +85,6 @@
+       {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+       {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+       {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+-      {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \
+       {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+       {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+       {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+@@ -103,6 +102,7 @@
+       {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+       {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+       {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
++      {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \
+       {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \
+       {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \
+       {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \
diff --git a/queue-2.6.35/drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch b/queue-2.6.35/drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch
new file mode 100644 (file)
index 0000000..3bc76ce
--- /dev/null
@@ -0,0 +1,39 @@
+From f36fce0f49ed40f3e843d45fa53d476d63444b58 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Mon, 27 Sep 2010 11:33:00 -0400
+Subject: drm/radeon/kms: add quirk for MSI K9A2GM motherboard
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit f36fce0f49ed40f3e843d45fa53d476d63444b58 upstream.
+
+Board has no digital connectors
+
+Reported-by: Andy Walls <awalls@md.metrocast.net>
+Tested-by: Andy Walls <awalls@md.metrocast.net>
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -226,6 +226,15 @@ static bool radeon_atom_apply_quirks(str
+                       *connector_type = DRM_MODE_CONNECTOR_DVID;
+       }
++      /* MSI K9A2GM V2/V3 board has no HDMI or DVI */
++      if ((dev->pdev->device == 0x796e) &&
++          (dev->pdev->subsystem_vendor == 0x1462) &&
++          (dev->pdev->subsystem_device == 0x7302)) {
++              if ((supported_device == ATOM_DEVICE_DFP2_SUPPORT) ||
++                  (supported_device == ATOM_DEVICE_DFP3_SUPPORT))
++                      return false;
++      }
++
+       /* a-bit f-i90hd - ciaranm on #radeonhd - this board has no DVI */
+       if ((dev->pdev->device == 0x7941) &&
+           (dev->pdev->subsystem_vendor == 0x147b) &&
diff --git a/queue-2.6.35/drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch b/queue-2.6.35/drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch
new file mode 100644 (file)
index 0000000..2e535ae
--- /dev/null
@@ -0,0 +1,42 @@
+From alexdeucher@gmail.com  Tue Oct 19 17:38:17 2010
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Tue, 12 Oct 2010 12:20:31 -0400
+Subject: drm/radeon/kms: fix possible sigbus in evergreen accel code
+To: airlied@gmail.com, dri-devel@lists.freedesktop.org
+Cc: Alex Deucher <alexdeucher@gmail.com>, stable@kernel.org
+Message-ID: <1286900431-7497-1-git-send-email-alexdeucher@gmail.com>
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+Not upstream in Linus's tree as it was fixed by a much more intrusive
+patch in a different manner, commit c919b371cb734f42b11
+
+
+2.6.35 and 2.6.36 do not contain blit support for evergreen
+asics so if they use unmappable vram, you can end up with an
+unreachable buffer address.  This should not be applied to drm-next
+as that tree already contains evergreen blit support.  This should
+only be applied to the 2.6.35 and 2.6.36 stable trees.
+
+Fixes:
+https://bugs.freedesktop.org/show_bug.cgi?id=30188
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Acked-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/evergreen.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -1389,6 +1389,8 @@ int evergreen_mc_init(struct radeon_devi
+       rdev->mc.mc_vram_size = RREG32(CONFIG_MEMSIZE) * 1024 * 1024;
+       rdev->mc.real_vram_size = RREG32(CONFIG_MEMSIZE) * 1024 * 1024;
+       rdev->mc.visible_vram_size = rdev->mc.aper_size;
++      /* limit it to the aperture size for now as there is no blit support in 2.6.35/36*/
++      rdev->mc.real_vram_size = rdev->mc.visible_vram_size;
+       r600_vram_gtt_location(rdev, &rdev->mc);
+       radeon_update_bandwidth_info(rdev);
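Review bot: The added assignment overwrites `rdev->mc.real_vram_size` two lines after it was set from CONFIG_MEMSIZE, which leaves the earlier store and its register read dead. `rdev->mc.mc_vram_size` keeps the full size, so the two fields now disagree; whether later code in evergreen_mc_init() (it continues past the hunk) sizes anything from mc_vram_size is not visible here. Either replace the earlier assignment or make the comment say the override is deliberate, e.g. `/* override: without blit support, VRAM beyond the aperture is unreachable */`.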
diff --git a/queue-2.6.35/drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch b/queue-2.6.35/drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch
new file mode 100644 (file)
index 0000000..46f0331
--- /dev/null
@@ -0,0 +1,37 @@
+From e488459a0e131acc9e14df093cfee740bc431953 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Mon, 27 Sep 2010 10:57:10 -0400
+Subject: drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit e488459a0e131acc9e14df093cfee740bc431953 upstream.
+
+radeon_gem_wait_idle_ioctl can apparently get called prior to
+the vram page being set up or even if accel if false, so make
+sure it's valid before using it.
+
+Should fix:
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597636
+https://bugs.freedesktop.org/show_bug.cgi?id=29834
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/r600.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/r600.c
++++ b/drivers/gpu/drm/radeon/r600.c
+@@ -3522,7 +3522,8 @@ void r600_ioctl_wait_idle(struct radeon_
+       /* r7xx hw bug.  write to HDP_DEBUG1 followed by fb read
+        * rather than write to HDP_REG_COHERENCY_FLUSH_CNTL
+        */
+-      if ((rdev->family >= CHIP_RV770) && (rdev->family <= CHIP_RV740)) {
++      if ((rdev->family >= CHIP_RV770) && (rdev->family <= CHIP_RV740) &&
++          rdev->vram_scratch.ptr) {
+               void __iomem *ptr = (void *)rdev->vram_scratch.ptr;
+               u32 tmp;
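Review bot: On RV770 to RV740 with `rdev->vram_scratch.ptr` still NULL, the widened condition skips the scratch-page workaround and control goes to whatever follows this `if`, which lies outside the hunk. The comment directly above says these chips should use the HDP_DEBUG1 write plus framebuffer read rather than a write to HDP_REG_COHERENCY_FLUSH_CNTL, so if the fallthrough is that register write, the NULL case trades the crash for the documented hardware bug. That is probably acceptable while acceleration is not set up, but the comment should record it, e.g. `* If the scratch page is not mapped yet, fall back to the register write.`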
diff --git a/queue-2.6.35/drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch b/queue-2.6.35/drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch
new file mode 100644 (file)
index 0000000..4dbb993
--- /dev/null
@@ -0,0 +1,31 @@
+From 73758a5d51280ca0613b8380fc07351f4d64f9c8 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Fri, 24 Sep 2010 14:59:32 -0400
+Subject: drm/radeon/kms: fix up encoder info messages for DFP6
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 73758a5d51280ca0613b8380fc07351f4d64f9c8 upstream.
+
+encoder info was not printed properly on boards using the
+DFP6 id.
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_display.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -349,6 +349,8 @@ static void radeon_print_display_setup(s
+                                       DRM_INFO("    DFP4: %s\n", encoder_names[radeon_encoder->encoder_id]);
+                               if (devices & ATOM_DEVICE_DFP5_SUPPORT)
+                                       DRM_INFO("    DFP5: %s\n", encoder_names[radeon_encoder->encoder_id]);
++                              if (devices & ATOM_DEVICE_DFP6_SUPPORT)
++                                      DRM_INFO("    DFP6: %s\n", encoder_names[radeon_encoder->encoder_id]);
+                               if (devices & ATOM_DEVICE_TV1_SUPPORT)
+                                       DRM_INFO("    TV1: %s\n", encoder_names[radeon_encoder->encoder_id]);
+                               if (devices & ATOM_DEVICE_CV_SUPPORT)
diff --git a/queue-2.6.35/firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch b/queue-2.6.35/firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch
new file mode 100644 (file)
index 0000000..a0ea428
--- /dev/null
@@ -0,0 +1,83 @@
+From aa0170fff3c26bf2b42159af2dd9cf86444c292a Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Sun, 17 Oct 2010 14:09:12 +0200
+Subject: firewire: ohci: fix TI TSB82AA2 regression since 2.6.35
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit aa0170fff3c26bf2b42159af2dd9cf86444c292a upstream.
+
+Revert commit 54672386ccf36ffa21d1de8e75624af83f9b0eeb
+"firewire: ohci: fix up configuration of TI chips".
+It caused massive slow-down and data corruption with a TSB82AA2 based
+StarTech EC1394B2 ExpressCard and FireWire 800 harddisks.
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/657081
+http://thread.gmane.org/gmane.linux.kernel.firewire.user/4013
+
+The fact that some card EEPROMs do not program these enhancements may be
+related to TSB81BA3 phy chip errata, if not to bugs of TSB82AA2 itself.
+We could re-add these configuration steps, but only conditional on a
+whitelist of cards on which these enhancements bring a proven positive
+effect.
+
+Reported-and-tested-by: Eric Shattow <lucent@gmail.com>
+Cc: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firewire/ohci.c |   19 +------------------
+ drivers/firewire/ohci.h |    8 --------
+ 2 files changed, 1 insertion(+), 26 deletions(-)
+
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -2439,7 +2439,7 @@ static int __devinit pci_probe(struct pc
+                              const struct pci_device_id *ent)
+ {
+       struct fw_ohci *ohci;
+-      u32 bus_options, max_receive, link_speed, version, link_enh;
++      u32 bus_options, max_receive, link_speed, version;
+       u64 guid;
+       int i, err, n_ir, n_it;
+       size_t size;
+@@ -2492,23 +2492,6 @@ static int __devinit pci_probe(struct pc
+       if (param_quirks)
+               ohci->quirks = param_quirks;
+-      /* TI OHCI-Lynx and compatible: set recommended configuration bits. */
+-      if (dev->vendor == PCI_VENDOR_ID_TI) {
+-              pci_read_config_dword(dev, PCI_CFG_TI_LinkEnh, &link_enh);
+-
+-              /* adjust latency of ATx FIFO: use 1.7 KB threshold */
+-              link_enh &= ~TI_LinkEnh_atx_thresh_mask;
+-              link_enh |= TI_LinkEnh_atx_thresh_1_7K;
+-
+-              /* use priority arbitration for asynchronous responses */
+-              link_enh |= TI_LinkEnh_enab_unfair;
+-
+-              /* required for aPhyEnhanceEnable to work */
+-              link_enh |= TI_LinkEnh_enab_accel;
+-
+-              pci_write_config_dword(dev, PCI_CFG_TI_LinkEnh, link_enh);
+-      }
+-
+       ar_context_init(&ohci->ar_request_ctx, ohci,
+                       OHCI1394_AsReqRcvContextControlSet);
+--- a/drivers/firewire/ohci.h
++++ b/drivers/firewire/ohci.h
+@@ -154,12 +154,4 @@
+ #define OHCI1394_phy_tcode            0xe
+-/* TI extensions */
+-
+-#define PCI_CFG_TI_LinkEnh            0xf4
+-#define  TI_LinkEnh_enab_accel                0x00000002
+-#define  TI_LinkEnh_enab_unfair               0x00000080
+-#define  TI_LinkEnh_atx_thresh_mask   0x00003000
+-#define  TI_LinkEnh_atx_thresh_1_7K   0x00001000
+-
+ #endif /* _FIREWIRE_OHCI_H */
diff --git a/queue-2.6.35/hrtimer-preserve-timer-state-in-remove_hrtimer.patch b/queue-2.6.35/hrtimer-preserve-timer-state-in-remove_hrtimer.patch
new file mode 100644 (file)
index 0000000..0d3a15b
--- /dev/null
@@ -0,0 +1,88 @@
+From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001
+From: Salman Qazi <sqazi@google.com>
+Date: Tue, 12 Oct 2010 07:25:19 -0700
+Subject: hrtimer: Preserve timer state in remove_hrtimer()
+
+From: Salman Qazi <sqazi@google.com>
+
+commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream.
+
+The race is described as follows:
+
+CPU X                                 CPU Y
+remove_hrtimer
+// state & QUEUED == 0
+timer->state = CALLBACK
+unlock timer base
+timer->f(n) //very long
+                                  hrtimer_start
+                                    lock timer base
+                                    remove_hrtimer // no effect
+                                    hrtimer_enqueue
+                                    timer->state = CALLBACK |
+                                                   QUEUED
+                                    unlock timer base
+                                  hrtimer_start
+                                    lock timer base
+                                    remove_hrtimer
+                                        mode = INACTIVE
+                                        // CALLBACK bit lost!
+                                    switch_hrtimer_base
+                                            CALLBACK bit not set:
+                                                    timer->base
+                                                    changes to a
+                                                    different CPU.
+lock this CPU's timer base
+
+The bug was introduced with commit ca109491f (hrtimer: removing all ur
+callback modes) in 2.6.29
+
+[ tglx: Feed new state via local variable and add a comment. ]
+
+Signed-off-by: Salman Qazi <sqazi@google.com>
+Cc: akpm@linux-foundation.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/hrtimer.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -936,6 +936,7 @@ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
+ {
+       if (hrtimer_is_queued(timer)) {
++              unsigned long state;
+               int reprogram;
+               /*
+@@ -949,8 +950,13 @@ remove_hrtimer(struct hrtimer *timer, st
+               debug_deactivate(timer);
+               timer_stats_hrtimer_clear_start_info(timer);
+               reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases);
+-              __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE,
+-                               reprogram);
++              /*
++               * We must preserve the CALLBACK state flag here,
++               * otherwise we could move the timer base in
++               * switch_hrtimer_base.
++               */
++              state = timer->state & HRTIMER_STATE_CALLBACK;
++              __remove_hrtimer(timer, base, state, reprogram);
+               return 1;
+       }
+       return 0;
+@@ -1237,6 +1243,9 @@ static void __run_hrtimer(struct hrtimer
+               BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
+               enqueue_hrtimer(timer, base);
+       }
++
++      WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));
++
+       timer->state &= ~HRTIMER_STATE_CALLBACK;
+ }
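Review bot: The new comment in remove_hrtimer() names the consequence but not the condition that makes it possible, so a reader cannot tell when `timer->state` carries CALLBACK and QUEUED together. Going by the commit message, this happens when the timer is re-armed from another CPU while its callback is still running; the comment could say so, e.g. `* The callback may still be running on another CPU; keep CALLBACK set so switch_hrtimer_base() does not migrate the timer.` The `WARN_ON_ONCE` added to __run_hrtimer() deserves a one-line comment as well, since it is the only runtime check of this invariant. Both functions extend outside the hunks shown.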
diff --git a/queue-2.6.35/i2c-pca-fix-waitforcompletion-return-value.patch b/queue-2.6.35/i2c-pca-fix-waitforcompletion-return-value.patch
new file mode 100644 (file)
index 0000000..a5f6c28
--- /dev/null
@@ -0,0 +1,86 @@
+From 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 Mon Sep 17 00:00:00 2001
+From: Yegor Yefremov <yegor_sub1@visionsystems.de>
+Date: Thu, 30 Sep 2010 14:14:22 +0200
+Subject: i2c-pca: Fix waitforcompletion() return value
+
+From: Yegor Yefremov <yegor_sub1@visionsystems.de>
+
+commit 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 upstream.
+
+ret is still -1, if during the polling read_byte() returns at once
+with I2C_PCA_CON_SI set. So ret > 0 would lead *_waitforcompletion()
+to return 0, in spite of the proper behavior.
+
+The routine was rewritten, so that ret has always a proper value,
+before returning.
+
+Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
+Reviewed-by: Wolfram Sang <w.sang@pengutronix.de>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/busses/i2c-pca-isa.c      |   12 ++++++++----
+ drivers/i2c/busses/i2c-pca-platform.c |   11 +++++++----
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pca-isa.c
++++ b/drivers/i2c/busses/i2c-pca-isa.c
+@@ -71,8 +71,8 @@ static int pca_isa_readbyte(void *pd, in
+ static int pca_isa_waitforcompletion(void *pd)
+ {
+-      long ret = ~0;
+       unsigned long timeout;
++      long ret;
+       if (irq > -1) {
+               ret = wait_event_timeout(pca_wait,
+@@ -81,11 +81,15 @@ static int pca_isa_waitforcompletion(voi
+       } else {
+               /* Do polling */
+               timeout = jiffies + pca_isa_ops.timeout;
+-              while (((pca_isa_readbyte(pd, I2C_PCA_CON)
+-                              & I2C_PCA_CON_SI) == 0)
+-                              && (ret = time_before(jiffies, timeout)))
++              do {
++                      ret = time_before(jiffies, timeout);
++                      if (pca_isa_readbyte(pd, I2C_PCA_CON)
++                                      & I2C_PCA_CON_SI)
++                              break;
+                       udelay(100);
++              } while (ret);
+       }
++
+       return ret > 0;
+ }
+--- a/drivers/i2c/busses/i2c-pca-platform.c
++++ b/drivers/i2c/busses/i2c-pca-platform.c
+@@ -80,8 +80,8 @@ static void i2c_pca_pf_writebyte32(void
+ static int i2c_pca_pf_waitforcompletion(void *pd)
+ {
+       struct i2c_pca_pf_data *i2c = pd;
+-      long ret = ~0;
+       unsigned long timeout;
++      long ret;
+       if (i2c->irq) {
+               ret = wait_event_timeout(i2c->wait,
+@@ -90,10 +90,13 @@ static int i2c_pca_pf_waitforcompletion(
+       } else {
+               /* Do polling */
+               timeout = jiffies + i2c->adap.timeout;
+-              while (((i2c->algo_data.read_byte(i2c, I2C_PCA_CON)
+-                              & I2C_PCA_CON_SI) == 0)
+-                              && (ret = time_before(jiffies, timeout)))
++              do {
++                      ret = time_before(jiffies, timeout);
++                      if (i2c->algo_data.read_byte(i2c, I2C_PCA_CON)
++                                      & I2C_PCA_CON_SI)
++                              break;
+                       udelay(100);
++              } while (ret);
+       }
+       return ret > 0;
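Review bot: In the polling branch of pca_isa_waitforcompletion(), `ret` is sampled before the status register is read, so a poll that finds I2C_PCA_CON_SI set just after the deadline has passed breaks out with `ret == 0`, and the function reports a timeout for a transfer that did complete. Setting the result at the point where completion is seen avoids that: `if (pca_isa_readbyte(pd, I2C_PCA_CON) & I2C_PCA_CON_SI) { ret = 1; break; }`. The same ordering is used in the loop of i2c_pca_pf_waitforcompletion() in i2c-pca-platform.c and would need the same change.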
diff --git a/queue-2.6.35/input-joydev-fix-jsiocsaxmap-ioctl.patch b/queue-2.6.35/input-joydev-fix-jsiocsaxmap-ioctl.patch
new file mode 100644 (file)
index 0000000..98c6a97
--- /dev/null
@@ -0,0 +1,33 @@
+From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001
+From: Kenneth Waters <kwwaters@gmail.com>
+Date: Tue, 21 Sep 2010 00:58:23 -0700
+Subject: Input: joydev - fix JSIOCSAXMAP ioctl
+
+From: Kenneth Waters <kwwaters@gmail.com>
+
+commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream.
+
+Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to
+event axis in addition to abspam.  This fixes a regression introduced
+by 999b874f.
+
+Signed-off-by: Kenneth Waters <kwwaters@gmail.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/joydev.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -483,6 +483,9 @@ static int joydev_handle_JSIOCSAXMAP(str
+       memcpy(joydev->abspam, abspam, len);
++      for (i = 0; i < joydev->nabs; i++)
++              joydev->absmap[joydev->abspam[i]] = i;
++
+  out:
+       kfree(abspam);
+       return retval;
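Review bot: `joydev->abspam[i]` is used as a write index into `joydev->absmap`, and abspam is filled from the buffer the ioctl caller passed in, so the store is only safe if every one of the `joydev->nabs` entries has been range-checked. That validation is not visible here because the function starts above the hunk. The `memcpy` copies `len` bytes while the new loop runs to `nabs`, so it is worth confirming that the check covers the same range that is indexed. A comment stating the invariant would help, e.g. `/* abspam[] entries were range-checked above; rebuild the reverse map */`.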
diff --git a/queue-2.6.35/input-wacom-fix-pressure-in-cintiq-21ux2.patch b/queue-2.6.35/input-wacom-fix-pressure-in-cintiq-21ux2.patch
new file mode 100644 (file)
index 0000000..f9bc06d
--- /dev/null
@@ -0,0 +1,35 @@
+From ca047fedd89bbb4b79b61e0656a7b799e4e45e6d Mon Sep 17 00:00:00 2001
+From: Aristeu Rozanski <aris@redhat.com>
+Date: Sun, 10 Oct 2010 14:12:33 -0700
+Subject: Input: wacom - fix pressure in Cintiq 21UX2
+
+From: Aristeu Rozanski <aris@redhat.com>
+
+commit ca047fedd89bbb4b79b61e0656a7b799e4e45e6d upstream.
+
+Currently the pressure range in Cintiq 21UX2 is limited to half of the
+supported. This patch fixes the problem.
+
+Signed-off-by: Aristeu Rozanski <aris@redhat.com>
+Acked-by: Ping Cheng <pingc@wacom.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/tablet/wacom_wac.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/wacom_wac.c
++++ b/drivers/input/tablet/wacom_wac.c
+@@ -409,8 +409,10 @@ static void wacom_intuos_general(struct
+       /* general pen packet */
+       if ((data[1] & 0xb8) == 0xa0) {
+               t = (data[6] << 2) | ((data[7] >> 6) & 3);
+-              if (features->type >= INTUOS4S && features->type <= INTUOS4L)
++              if ((features->type >= INTUOS4S && features->type <= INTUOS4L) ||
++                  features->type == WACOM_21UX2) {
+                       t = (t << 1) | (data[1] & 1);
++              }
+               input_report_abs(input, ABS_PRESSURE, t);
+               input_report_abs(input, ABS_TILT_X,
+                               ((data[7] << 1) & 0x7e) | (data[8] >> 7));
diff --git a/queue-2.6.35/ioat2-fix-performance-regression.patch b/queue-2.6.35/ioat2-fix-performance-regression.patch
new file mode 100644 (file)
index 0000000..f9c206f
--- /dev/null
@@ -0,0 +1,48 @@
+From c50a898fd4e736623ee175920db056194e0bb483 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Oct 2010 15:43:10 -0700
+Subject: ioat2: fix performance regression
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit c50a898fd4e736623ee175920db056194e0bb483 upstream.
+
+Commit 0793448 "DMAENGINE: generic channel status v2" changed the interface for
+how dma channel progress is retrieved.  It inadvertently exported an internal
+helper function ioat_tx_status() instead of ioat_dma_tx_status().  The latter
+polls the hardware to get the latest completion state, while the helper just
+evaluates the current state without touching hardware.  The effect is that we
+end up waiting for completion timeouts or descriptor allocation errors before
+the completion state is updated.
+
+iperf (before fix):
+[SUM]  0.0-41.3 sec   364 MBytes  73.9 Mbits/sec
+
+iperf (after fix):
+[SUM]  0.0- 4.5 sec   499 MBytes   940 Mbits/sec
+
+This is a regression starting with 2.6.35.
+
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Cc: Linus Walleij <linus.walleij@stericsson.com>
+Cc: Maciej Sosnowski <maciej.sosnowski@intel.com>
+Reported-by: Richard Scobie <richard@sauce.co.nz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/ioat/dma_v2.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/ioat/dma_v2.c
++++ b/drivers/dma/ioat/dma_v2.c
+@@ -879,7 +879,7 @@ int __devinit ioat2_dma_probe(struct ioa
+       dma->device_issue_pending = ioat2_issue_pending;
+       dma->device_alloc_chan_resources = ioat2_alloc_chan_resources;
+       dma->device_free_chan_resources = ioat2_free_chan_resources;
+-      dma->device_tx_status = ioat_tx_status;
++      dma->device_tx_status = ioat_dma_tx_status;
+       err = ioat_probe(device);
+       if (err)
diff --git a/queue-2.6.35/mac80211-fix-use-after-free.patch b/queue-2.6.35/mac80211-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..85871a4
--- /dev/null
@@ -0,0 +1,58 @@
+From cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 24 Sep 2010 11:20:47 +0200
+Subject: mac80211: fix use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 upstream.
+
+commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1
+Author: Johannes Berg <johannes@sipsolutions.net>
+Date:   Wed Nov 25 17:46:15 2009 +0100
+
+    mac80211: move cmntr flag out of rx flags
+
+moved the CMTR flag into the skb's status, and
+in doing so introduced a use-after-free -- when
+the skb has been handed to cooked monitors the
+status setting will touch now invalid memory.
+
+Additionally, moving it there has effectively
+discarded the optimisation -- since the bit is
+only ever set on freed SKBs, and those were a
+copy, it could never be checked.
+
+For the current release, fixing this properly
+is a bit too involved, so let's just remove the
+problematic code and leave userspace with one
+copy of each frame for each virtual interface.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rx.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2156,9 +2156,6 @@ static void ieee80211_rx_cooked_monitor(
+       struct net_device *prev_dev = NULL;
+       struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+-      if (status->flag & RX_FLAG_INTERNAL_CMTR)
+-              goto out_free_skb;
+-
+       if (skb_headroom(skb) < sizeof(*rthdr) &&
+           pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
+               goto out_free_skb;
+@@ -2217,7 +2214,6 @@ static void ieee80211_rx_cooked_monitor(
+       } else
+               goto out_free_skb;
+-      status->flag |= RX_FLAG_INTERNAL_CMTR;
+       return;
+  out_free_skb:
diff --git a/queue-2.6.35/mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch b/queue-2.6.35/mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch
new file mode 100644 (file)
index 0000000..76d62c3
--- /dev/null
@@ -0,0 +1,39 @@
+From c9d66d3515bbb0ad8062721487de7ade02d2b936 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Mon, 16 Aug 2010 20:26:51 +0100
+Subject: mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit c9d66d3515bbb0ad8062721487de7ade02d2b936 upstream.
+
+The driver was originally tested with an additional patch which
+made this unneeded but that patch had issuges and got lost on the
+way to mainline, causing problems when the errors are reported.
+
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mfd/wm831x-irq.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/wm831x-irq.c
++++ b/drivers/mfd/wm831x-irq.c
+@@ -394,8 +394,13 @@ static int wm831x_irq_set_type(unsigned
+       irq = irq - wm831x->irq_base;
+-      if (irq < WM831X_IRQ_GPIO_1 || irq > WM831X_IRQ_GPIO_11)
+-              return -EINVAL;
++      if (irq < WM831X_IRQ_GPIO_1 || irq > WM831X_IRQ_GPIO_11) {
++              /* Ignore internal-only IRQs */
++              if (irq >= 0 && irq < WM831X_NUM_IRQS)
++                      return 0;
++              else
++                      return -EINVAL;
++      }
+       switch (type) {
+       case IRQ_TYPE_EDGE_BOTH:
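Review bot: `irq >= 0` in the added inner test looks tautological: the hunk header shows the parameter list starting with `unsigned`, and if `irq` is that unsigned parameter, subtracting `irq_base` wraps instead of going negative. The upper bound still rejects a wrapped value, so the result is right, but the condition reads as if it guarded something. I would write `if (irq < WM831X_NUM_IRQS) return 0;` followed by `return -EINVAL;`, which also drops the `else` after `return`. Returning 0 here means a caller asking for a trigger type on an internal IRQ gets success with nothing configured, so the comment should say that this is intended.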
diff --git a/queue-2.6.35/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch b/queue-2.6.35/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
new file mode 100644 (file)
index 0000000..d49b6f1
--- /dev/null
@@ -0,0 +1,33 @@
+From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001
+From: Joel Becker <joel.becker@oracle.com>
+Date: Wed, 29 Sep 2010 17:33:05 -0700
+Subject: ocfs2: Don't walk off the end of fast symlinks.
+
+From: Joel Becker <joel.becker@oracle.com>
+
+commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.
+
+ocfs2 fast symlinks are NUL terminated strings stored inline in the
+inode data area.  However, disk corruption or a local attacker could, in
+theory, remove that NUL.  Because we're using strlen() (my fault,
+introduced in a731d1 when removing vfs_follow_link()), we could walk off
+the end of that string.
+
+Signed-off-by: Joel Becker <joel.becker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/symlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru
+       }
+       /* Fast symlinks can't be large */
+-      len = strlen(target);
++      len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
+       link = kzalloc(len + 1, GFP_NOFS);
+       if (!link) {
+               status = -ENOMEM;
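Review bot: Bounding the length with `strnlen()` fixes the scan, but the copy into `link` happens after the hunk ends and has to honour the same bound. It should copy exactly `len` bytes and rely on `kzalloc(len + 1, ...)` for the terminator; a `len + 1` copy or a `strcpy()` would still read past the inline area when the NUL is missing. A fast symlink that fills the whole area without a NUL is also a sign of on-disk corruption, so consider returning an error in that case instead of silently using the truncated target. The existing comment could state the bound: `/* Fast symlinks can't be large; never scan past the inline data area */`.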
diff --git a/queue-2.6.35/oss-soundcard-locking-bug-in-sound_ioctl.patch b/queue-2.6.35/oss-soundcard-locking-bug-in-sound_ioctl.patch
new file mode 100644 (file)
index 0000000..9070be6
--- /dev/null
@@ -0,0 +1,40 @@
+From d4cfa4d12f46e2520f4c1d1a92e891ce068b7464 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Sun, 10 Oct 2010 19:33:52 +0200
+Subject: OSS: soundcard: locking bug in sound_ioctl()
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit d4cfa4d12f46e2520f4c1d1a92e891ce068b7464 upstream.
+
+We shouldn't return directly here because we're still holding the
+&soundcard_mutex.
+
+This bug goes all the way back to the start of git.  It's strange that
+no one has complained about it as a runtime bug.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/oss/soundcard.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -389,11 +389,11 @@ static long sound_ioctl(struct file *fil
+       case SND_DEV_DSP:
+       case SND_DEV_DSP16:
+       case SND_DEV_AUDIO:
+-              return audio_ioctl(dev, file, cmd, p);
++              ret = audio_ioctl(dev, file, cmd, p);
+               break;
+       case SND_DEV_MIDIN:
+-              return MIDIbuf_ioctl(dev, file, cmd, p);
++              ret = MIDIbuf_ioctl(dev, file, cmd, p);
+               break;
+       }
diff --git a/queue-2.6.35/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch b/queue-2.6.35/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
new file mode 100644 (file)
index 0000000..54e3a50
--- /dev/null
@@ -0,0 +1,98 @@
+From 3f259d092c7a2fdf217823e8f1838530adb0cdb0 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Thu, 30 Sep 2010 15:15:37 -0700
+Subject: reiserfs: fix dependency inversion between inode and reiserfs mutexes
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 3f259d092c7a2fdf217823e8f1838530adb0cdb0 upstream.
+
+The reiserfs mutex already depends on the inode mutex, so we can't lock
+the inode mutex in reiserfs_unpack() without using the safe locking API,
+because reiserfs_unpack() is always called with the reiserfs mutex locked.
+
+This fixes:
+
+  =======================================================
+  [ INFO: possible circular locking dependency detected ]
+  2.6.35c #13
+  -------------------------------------------------------
+  lilo/1606 is trying to acquire lock:
+   (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
+
+  but task is already holding lock:
+   (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+  which lock already depends on the new lock.
+
+  the existing dependency chain (in reverse order) is:
+
+  -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
+         [<c1056347>] lock_acquire+0x67/0x80
+         [<c12f083d>] __mutex_lock_common+0x4d/0x410
+         [<c12f0c58>] mutex_lock_nested+0x18/0x20
+         [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+         [<d0329e9a>] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs]
+         [<d0316b81>] reiserfs_fill_super+0x941/0xe60 [reiserfs]
+         [<c10b7d17>] get_sb_bdev+0x117/0x170
+         [<d0313e21>] get_super_block+0x21/0x30 [reiserfs]
+         [<c10b74ba>] vfs_kern_mount+0x6a/0x1b0
+         [<c10b7659>] do_kern_mount+0x39/0xe0
+         [<c10cebe0>] do_mount+0x340/0x790
+         [<c10cf0b4>] sys_mount+0x84/0xb0
+         [<c12f25cd>] syscall_call+0x7/0xb
+
+  -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
+         [<c1056186>] __lock_acquire+0x1026/0x1180
+         [<c1056347>] lock_acquire+0x67/0x80
+         [<c12f083d>] __mutex_lock_common+0x4d/0x410
+         [<c12f0c58>] mutex_lock_nested+0x18/0x20
+         [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
+         [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+         [<c10c3228>] vfs_ioctl+0x28/0xa0
+         [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
+         [<c10c3f53>] sys_ioctl+0x63/0x70
+         [<c12f25cd>] syscall_call+0x7/0xb
+
+  other info that might help us debug this:
+
+  1 lock held by lilo/1606:
+   #0:  (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+  stack backtrace:
+  Pid: 1606, comm: lilo Not tainted 2.6.35c #13
+  Call Trace:
+   [<c1056186>] __lock_acquire+0x1026/0x1180
+   [<c1056347>] lock_acquire+0x67/0x80
+   [<c12f083d>] __mutex_lock_common+0x4d/0x410
+   [<c12f0c58>] mutex_lock_nested+0x18/0x20
+   [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
+   [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+   [<c10c3228>] vfs_ioctl+0x28/0xa0
+   [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
+   [<c10c3f53>] sys_ioctl+0x63/0x70
+   [<c12f25cd>] syscall_call+0x7/0xb
+
+Reported-by: Jarek Poplawski <jarkao2@gmail.com>
+Tested-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/ioctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/ioctl.c
++++ b/fs/reiserfs/ioctl.c
+@@ -188,7 +188,7 @@ int reiserfs_unpack(struct inode *inode,
+       /* we need to make sure nobody is changing the file size beneath
+        ** us
+        */
+-      mutex_lock(&inode->i_mutex);
++      reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb);
+       reiserfs_write_lock(inode->i_sb);
+       write_from = inode->i_size & (blocksize - 1);
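Review bot: reiserfs_mutex_lock_safe() releases the reiserfs write lock while it waits for `i_mutex` and takes it again afterwards, so anything reiserfs_unpack() checked before this line (outside the hunk) may no longer hold once the call returns. The unchanged `reiserfs_write_lock(inode->i_sb)` on the next line then takes the lock a second time. The next patch in this queue, "fix unwanted reiserfs lock recursion", is about exactly that, so the two should be applied together. I would extend the comment above the call with `** the reiserfs lock is dropped and retaken while waiting for i_mutex`.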
diff --git a/queue-2.6.35/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch b/queue-2.6.35/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch
new file mode 100644 (file)
index 0000000..e7f3990
--- /dev/null
@@ -0,0 +1,129 @@
+From 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Thu, 30 Sep 2010 15:15:38 -0700
+Subject: reiserfs: fix unwanted reiserfs lock recursion
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 upstream.
+
+Prevent from recursively locking the reiserfs lock in reiserfs_unpack()
+because we may call journal_begin() that requires the lock to be taken
+only once, otherwise it won't be able to release the lock while taking
+other mutexes, ending up in inverted dependencies between the journal
+mutex and the reiserfs lock for example.
+
+This fixes:
+
+  =======================================================
+  [ INFO: possible circular locking dependency detected ]
+  2.6.35.4.4a #3
+  -------------------------------------------------------
+  lilo/1620 is trying to acquire lock:
+   (&journal->j_mutex){+.+...}, at: [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
+
+  but task is already holding lock:
+   (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+  which lock already depends on the new lock.
+
+  the existing dependency chain (in reverse order) is:
+
+  -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
+         [<c10562b7>] lock_acquire+0x67/0x80
+         [<c12facad>] __mutex_lock_common+0x4d/0x410
+         [<c12fb0c8>] mutex_lock_nested+0x18/0x20
+         [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+         [<d0325c06>] do_journal_begin_r+0x86/0x340 [reiserfs]
+         [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
+         [<d0315be4>] reiserfs_remount+0x224/0x530 [reiserfs]
+         [<c10b6a20>] do_remount_sb+0x60/0x110
+         [<c10cee25>] do_mount+0x625/0x790
+         [<c10cf014>] sys_mount+0x84/0xb0
+         [<c12fca3d>] syscall_call+0x7/0xb
+
+  -> #0 (&journal->j_mutex){+.+...}:
+         [<c10560f6>] __lock_acquire+0x1026/0x1180
+         [<c10562b7>] lock_acquire+0x67/0x80
+         [<c12facad>] __mutex_lock_common+0x4d/0x410
+         [<c12fb0c8>] mutex_lock_nested+0x18/0x20
+         [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
+         [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
+         [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
+         [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
+         [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
+         [<c10dbbe6>] block_prepare_write+0x26/0x40
+         [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
+         [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
+         [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+         [<c10c3188>] vfs_ioctl+0x28/0xa0
+         [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
+         [<c10c3eb3>] sys_ioctl+0x63/0x70
+         [<c12fca3d>] syscall_call+0x7/0xb
+
+  other info that might help us debug this:
+
+  2 locks held by lilo/1620:
+   #0:  (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d032945a>] reiserfs_unpack+0x6a/0x120 [reiserfs]
+   #1:  (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+  stack backtrace:
+  Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3
+  Call Trace:
+   [<c10560f6>] __lock_acquire+0x1026/0x1180
+   [<c10562b7>] lock_acquire+0x67/0x80
+   [<c12facad>] __mutex_lock_common+0x4d/0x410
+   [<c12fb0c8>] mutex_lock_nested+0x18/0x20
+   [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
+   [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
+   [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
+   [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
+   [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
+   [<c10dbbe6>] block_prepare_write+0x26/0x40
+   [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
+   [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
+   [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+   [<c10c3188>] vfs_ioctl+0x28/0xa0
+   [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
+   [<c10c3eb3>] sys_ioctl+0x63/0x70
+   [<c12fca3d>] syscall_call+0x7/0xb
+
+Reported-by: Jarek Poplawski <jarkao2@gmail.com>
+Tested-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/ioctl.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/reiserfs/ioctl.c
++++ b/fs/reiserfs/ioctl.c
+@@ -170,6 +170,7 @@ int reiserfs_prepare_write(struct file *
+ int reiserfs_unpack(struct inode *inode, struct file *filp)
+ {
+       int retval = 0;
++      int depth;
+       int index;
+       struct page *page;
+       struct address_space *mapping;
+@@ -189,7 +190,7 @@ int reiserfs_unpack(struct inode *inode,
+        ** us
+        */
+       reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb);
+-      reiserfs_write_lock(inode->i_sb);
++      depth = reiserfs_write_lock_once(inode->i_sb);
+       write_from = inode->i_size & (blocksize - 1);
+       /* if we are on a block boundary, we are already unpacked.  */
+@@ -224,6 +225,6 @@ int reiserfs_unpack(struct inode *inode,
+       out:
+       mutex_unlock(&inode->i_mutex);
+-      reiserfs_write_unlock(inode->i_sb);
++      reiserfs_write_unlock_once(inode->i_sb, depth);
+       return retval;
+ }
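Review bot: The switch to `reiserfs_write_lock_once()` in reiserfs_unpack() carries no comment saying why the plain lock is wrong here, so a later cleanup could revert it. The reason is only in the commit message: journal_begin() can be reached from this path and needs the lock held exactly once. I would add above the call `/* take the write lock only once: journal_begin() below must be able to drop it fully */`. The middle of the function is outside these hunks, so it is worth confirming that every path to `out:` runs after `depth` has been assigned.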
diff --git a/queue-2.6.35/ring-buffer-fix-typo-of-time-extends-per-page.patch b/queue-2.6.35/ring-buffer-fix-typo-of-time-extends-per-page.patch
new file mode 100644 (file)
index 0000000..6a013ab
--- /dev/null
@@ -0,0 +1,89 @@
+From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <srostedt@redhat.com>
+Date: Tue, 12 Oct 2010 12:06:43 -0400
+Subject: ring-buffer: Fix typo of time extends per page
+
+From: Steven Rostedt <srostedt@redhat.com>
+
+commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream.
+
+Time stamps for the ring buffer are created by the difference between
+two events. Each page of the ring buffer holds a full 64 bit timestamp.
+Each event has a 27 bit delta stamp from the last event. The unit of time
+is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events
+happen more than 134 milliseconds apart, a time extend is inserted
+to add more bits for the delta. The time extend has 59 bits, which
+is good for ~18 years.
+
+Currently the time extend is committed separately from the event.
+If an event is discarded before it is committed, due to filtering,
+the time extend still exists. If all events are being filtered, then
+after ~134 milliseconds a new time extend will be added to the buffer.
+
+This can only happen till the end of the page. Since each page holds
+a full timestamp, there is no reason to add a time extend to the
+beginning of a page. Time extends can only fill a page that has actual
+data at the beginning, so there is no fear that time extends will fill
+more than a page without any data.
+
+When reading an event, a loop is made to skip over time extends
+since they are only used to maintain the time stamp and are never
+given to the caller. As a paranoid check to prevent the loop running
+forever, with the knowledge that time extends may only fill a page,
+a check is made that tests the iteration of the loop, and if the
+iteration is more than the number of time extends that can fit in a page
+a warning is printed and the ring buffer is disabled (all of ftrace
+is also disabled with it).
+
+There is another event type that is called a TIMESTAMP which can
+hold 64 bits of data in the theoretical case that two events happen
+18 years apart. This code has not been implemented, but the name
+of this event exists, as well as the structure for it. The
+size of a TIMESTAMP is 16 bytes, where as a time extend is only
+8 bytes. The macro used to calculate how many time extends can fit on
+a page used the TIMESTAMP size instead of the time extend size
+cutting the amount in half.
+
+The following test case can easily trigger the warning since we only
+need to have half the page filled with time extends to trigger the
+warning:
+
+ # cd /sys/kernel/debug/tracing/
+ # echo function > current_tracer
+ # echo 'common_pid < 0' > events/ftrace/function/filter
+ # echo > trace
+ # echo 1 > trace_marker
+ # sleep 120
+ # cat trace
+
+Enabling the function tracer and then setting the filter to only trace
+functions where the process id is negative (no events), then clearing
+the trace buffer to ensure that we have nothing in the buffer,
+then write to trace_marker to add an event to the beginning of a page,
+sleep for 2 minutes (only 35 seconds is probably needed, but this
+guarantees the bug), and then finally reading the trace which will
+trigger the bug.
+
+This patch fixes the typo and prevents the false positive of that warning.
+
+Reported-by: Hans J. Koch <hjk@linutronix.de>
+Tested-by: Hans J. Koch <hjk@linutronix.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/trace/ring_buffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -405,7 +405,7 @@ static inline int test_time_stamp(u64 de
+ #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2))
+ /* Max number of timestamps that can fit on a page */
+-#define RB_TIMESTAMPS_PER_PAGE        (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP)
++#define RB_TIMESTAMPS_PER_PAGE        (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND)
+ int ring_buffer_print_page_header(struct trace_seq *s)
+ {
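Review bot: The comment above the corrected macro still reads "Max number of timestamps that can fit on a page", which describes the old, wrong divisor. With `RB_LEN_TIME_EXTEND` as the divisor the value is a count of time extends, so the comment should say `/* Max number of time extends that can fit on a page */`. The macro name RB_TIMESTAMPS_PER_PAGE has the same mismatch. Renaming it would touch users outside this hunk, so I would leave that for a follow-up.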
index 8e7ca26da87f659e57d4e6fc1a63a37d011537cd..192c7aaa3459bcb4b57be2480340c9fc40bf9acb 100644 (file)
@@ -30,3 +30,41 @@ tracing-x86-don-t-use-mcount-in-pvclock.c.patch
 tracing-x86-don-t-use-mcount-in-kvmclock.c.patch
 ksm-fix-bad-user-data-when-swapping.patch
 i7core_edac-fix-panic-in-udimm-sysfs-attributes-registration.patch
+v4l1-fix-32-bit-compat-microcode-loading-translation.patch
+v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch
+v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch
+v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch
+input-joydev-fix-jsiocsaxmap-ioctl.patch
+input-wacom-fix-pressure-in-cintiq-21ux2.patch
+ioat2-fix-performance-regression.patch
+mac80211-fix-use-after-free.patch
+x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
+x86-irq-plug-memory-leak-in-sparse-irq.patch
+ubd-fix-incorrect-sector-handling-during-request-restart.patch
+oss-soundcard-locking-bug-in-sound_ioctl.patch
+virtio-blk-fix-request-leak.patch
+ring-buffer-fix-typo-of-time-extends-per-page.patch
+dmaengine-fix-interrupt-clearing-for-mv_xor.patch
+drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch
+hrtimer-preserve-timer-state-in-remove_hrtimer.patch
+i2c-pca-fix-waitforcompletion-return-value.patch
+reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
+reiserfs-fix-unwanted-reiserfs-lock-recursion.patch
+ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
+mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch
+wext-fix-potential-private-ioctl-memory-content-leak.patch
+atl1-fix-resume.patch
+x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
+x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
+de-pessimize-rds_page_copy_user.patch
+firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch
+drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch
+drm-i915-sanity-check-pread-pwrite.patch
+drm-i915-fix-gmch-power-reporting.patch
+drm-prune-gem-vma-entries.patch
+drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch
+drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch
+drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch
+drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch
+drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch
+drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch
diff --git a/queue-2.6.35/ubd-fix-incorrect-sector-handling-during-request-restart.patch b/queue-2.6.35/ubd-fix-incorrect-sector-handling-during-request-restart.patch
new file mode 100644 (file)
index 0000000..de32e93
--- /dev/null
@@ -0,0 +1,104 @@
+From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 15 Oct 2010 12:56:21 +0200
+Subject: ubd: fix incorrect sector handling during request restart
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream.
+
+Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation)
+dropped request->sector manipulation in preparation for global request
+handling cleanup; unfortunately, it incorrectly assumed that the
+updated sector wasn't being used.
+
+ubd tries to issue as many requests as possible to io_thread.  When
+issuing fails due to memory pressure or other reasons, the device is
+put on the restart list and issuing stops.  On IO completion, devices
+on the restart list are scanned and IO issuing is restarted.
+
+ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a
+request, so each device on the restart queue needs to remember where
+to restart in its current request.  ubd needs to keep track of the
+issue position itself because,
+
+* blk_rq_pos(req) is now updated by the block layer to keep track of
+  _completion_ position.
+
+* Multiple io_req's for the current request may be in flight, so it's
+  difficult to tell where blk_rq_pos(req) currently is.
+
+Add ubd->rq_pos to keep track of the issue position and use it to
+correctly restart io_req issue.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Richard Weinberger <richard@nod.at>
+Tested-by: Richard Weinberger <richard@nod.at>
+Tested-by: Chris Frey <cdfrey@foursquare.net>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/um/drivers/ubd_kern.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -162,6 +162,7 @@ struct ubd {
+       struct scatterlist sg[MAX_SG];
+       struct request *request;
+       int start_sg, end_sg;
++      sector_t rq_pos;
+ };
+ #define DEFAULT_COW { \
+@@ -186,6 +187,7 @@ struct ubd {
+       .request =              NULL, \
+       .start_sg =             0, \
+       .end_sg =               0, \
++      .rq_pos =               0, \
+ }
+ /* Protected by ubd_lock */
+@@ -1223,7 +1225,6 @@ static void do_ubd_request(struct reques
+ {
+       struct io_thread_req *io_req;
+       struct request *req;
+-      sector_t sector;
+       int n;
+       while(1){
+@@ -1234,12 +1235,12 @@ static void do_ubd_request(struct reques
+                               return;
+                       dev->request = req;
++                      dev->rq_pos = blk_rq_pos(req);
+                       dev->start_sg = 0;
+                       dev->end_sg = blk_rq_map_sg(q, req, dev->sg);
+               }
+               req = dev->request;
+-              sector = blk_rq_pos(req);
+               while(dev->start_sg < dev->end_sg){
+                       struct scatterlist *sg = &dev->sg[dev->start_sg];
+@@ -1251,10 +1252,9 @@ static void do_ubd_request(struct reques
+                               return;
+                       }
+                       prepare_request(req, io_req,
+-                                      (unsigned long long)sector << 9,
++                                      (unsigned long long)dev->rq_pos << 9,
+                                       sg->offset, sg->length, sg_page(sg));
+-                      sector += sg->length >> 9;
+                       n = os_write_file(thread_fd, &io_req,
+                                         sizeof(struct io_thread_req *));
+                       if(n != sizeof(struct io_thread_req *)){
+@@ -1267,6 +1267,7 @@ static void do_ubd_request(struct reques
+                               return;
+                       }
++                      dev->rq_pos += sg->length >> 9;
+                       dev->start_sg++;
+               }
+               dev->end_sg = 0;
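Review bot: The new `rq_pos` field in struct ubd is undocumented, and it is easy to confuse with `blk_rq_pos(req)`, which is the confusion the commit message says caused the original regression. I would annotate the member, e.g. `sector_t rq_pos;	/* next sector to issue for ->request; blk_rq_pos() tracks completion, not issue */`. The increment in do_ubd_request() is placed after the os_write_file() failure return, so a restarted request resumes at the same sg. A short comment on `dev->rq_pos += sg->length >> 9;` saying so would keep that ordering from being "tidied" later. do_ubd_request() starts and ends outside these hunks.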
diff --git a/queue-2.6.35/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch b/queue-2.6.35/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch
new file mode 100644 (file)
index 0000000..c9409a6
--- /dev/null
@@ -0,0 +1,53 @@
+From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+Date: Sat, 11 Sep 2010 11:37:51 -0300
+Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0)
+
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream.
+
+As reported by: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>:
+
+[  220.033500] cx231xx v4l2 driver loaded.
+[  220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces
+[  220.033577] cx231xx #0: registering interface 0
+[  220.033591] cx231xx #0: registering interface 1
+[  220.033654] cx231xx #0: registering interface 6
+[  220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0)
+[  220.033946] BUG: unable to handle kernel NULL pointer dereference at (null)
+[  220.033955] IP: [<ffffffffa0d3c8bd>] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx]
+
+Thanks-to: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/cx231xx/cx231xx-cards.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/video/cx231xx/cx231xx-cards.c
++++ b/drivers/media/video/cx231xx/cx231xx-cards.c
+@@ -226,14 +226,16 @@ void cx231xx_pre_card_setup(struct cx231
+                    dev->board.name, dev->model);
+       /* set the direction for GPIO pins */
+-      cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
+-      cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
+-      cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
++      if (dev->board.tuner_gpio) {
++              cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
++              cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
++              cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
+-      /* request some modules if any required */
++              /* request some modules if any required */
+-      /* reset the Tuner */
+-      cx231xx_gpio_set(dev, dev->board.tuner_gpio);
++              /* reset the Tuner */
++              cx231xx_gpio_set(dev, dev->board.tuner_gpio);
++      }
+       /* set the mode to Analog mode initially */
+       cx231xx_set_mode(dev, CX231XX_ANALOG_MODE);
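Review bot: The new `if (dev->board.tuner_gpio)` guard also encloses `cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);`, which does not dereference `tuner_gpio` and was unconditional before. If any board entry sets `tuner_sif_gpio` without a `tuner_gpio` table (not visible from this hunk), that pin is no longer configured. Guarding only the two `tuner_gpio->bit` calls and `cx231xx_gpio_set()` would keep the old behaviour for it. The comment `/* request some modules if any required */` is now indented inside the block with no code under it and could be dropped or moved back out. cx231xx_pre_card_setup() begins and ends outside the hunk, so other `tuner_gpio` dereferences in the driver are not covered by this review.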
diff --git a/queue-2.6.35/v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch b/queue-2.6.35/v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch
new file mode 100644 (file)
index 0000000..ca62973
--- /dev/null
@@ -0,0 +1,69 @@
+From 3bfb317f97cfddbbec67bbe8e35ad38af3507397 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+Date: Fri, 3 Sep 2010 10:50:24 -0300
+Subject: V4L/DVB: Don't identify PV SBTVD Hybrid as a DibCom device
+
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 3bfb317f97cfddbbec67bbe8e35ad38af3507397 upstream.
+
+As reported by Carlos, Prolink Pixelview SBTVD Hybrid is based on
+Conexant cx231xx + Fujitsu 86A20S demodulator. However, both shares
+the same USB ID. So, we need to use USB bcdDevice, in order to
+properly discover what's the board.
+
+We know for sure that bcd 0x100 is used for a dib0700 device, while
+bcd 0x4001 is used for a cx23102 device. This patch reserves two ranges,
+the first one from 0x0000-0x3f00 for dib0700, and the second from
+0x4000-0x4fff for cx231xx devices.
+
+This may need fixes in the future, as we get access to other devices.
+
+Thanks-to: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/dvb/dvb-usb/dib0700_devices.c |    2 +-
+ drivers/media/video/cx231xx/Makefile        |    1 +
+ drivers/media/video/cx231xx/cx231xx-cards.c |    3 +++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb/dvb-usb/dib0700_devices.c
++++ b/drivers/media/dvb/dvb-usb/dib0700_devices.c
+@@ -2081,7 +2081,7 @@ struct usb_device_id dib0700_usb_id_tabl
+ /* 60 */{ USB_DEVICE(USB_VID_TERRATEC,        USB_PID_TERRATEC_CINERGY_T_XXS_2) },
+       { USB_DEVICE(USB_VID_DIBCOM,    USB_PID_DIBCOM_STK807XPVR) },
+       { USB_DEVICE(USB_VID_DIBCOM,    USB_PID_DIBCOM_STK807XP) },
+-      { USB_DEVICE(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD) },
++      { USB_DEVICE_VER(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD, 0x000, 0x3f00) },
+       { USB_DEVICE(USB_VID_EVOLUTEPC, USB_PID_TVWAY_PLUS) },
+ /* 65 */{ USB_DEVICE(USB_VID_PINNACLE,        USB_PID_PINNACLE_PCTV73ESE) },
+       { USB_DEVICE(USB_VID_PINNACLE,  USB_PID_PINNACLE_PCTV282E) },
+--- a/drivers/media/video/cx231xx/Makefile
++++ b/drivers/media/video/cx231xx/Makefile
+@@ -11,4 +11,5 @@ EXTRA_CFLAGS += -Idrivers/media/video
+ EXTRA_CFLAGS += -Idrivers/media/common/tuners
+ EXTRA_CFLAGS += -Idrivers/media/dvb/dvb-core
+ EXTRA_CFLAGS += -Idrivers/media/dvb/frontends
++EXTRA_CFLAGS += -Idrivers/media/dvb/dvb-usb
+--- a/drivers/media/video/cx231xx/cx231xx-cards.c
++++ b/drivers/media/video/cx231xx/cx231xx-cards.c
+@@ -32,6 +32,7 @@
+ #include <media/v4l2-chip-ident.h>
+ #include <media/cx25840.h>
++#include "dvb-usb-ids.h"
+ #include "xc5000.h"
+ #include "cx231xx.h"
+@@ -175,6 +176,8 @@ struct usb_device_id cx231xx_id_table[]
+        .driver_info = CX231XX_BOARD_CNXT_RDE_250},
+       {USB_DEVICE(0x0572, 0x58A1),
+        .driver_info = CX231XX_BOARD_CNXT_RDU_250},
++      {USB_DEVICE_VER(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD, 0x4000,0x4fff),
++       .driver_info = CX231XX_BOARD_UNKNOWN},
+       {},
+ };
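Review bot: The two bcdDevice ranges leave a gap: dib0700 now matches `0x000`–`0x3f00` and cx231xx matches `0x4000`–`0x4fff`, so a device reporting 0x3f01–0x3fff, or anything above 0x4fff, binds to neither driver. The commit message states these bounds, so this may be intentional. If the aim is a clean split, the dib0700 entry could read `{ USB_DEVICE_VER(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD, 0x0000, 0x3fff) },`, which also spells the lower bound with four digits like the others. A one-line comment next to each entry naming the other driver's range would help, since the two tables live in different files and must stay in step. bcdDevice is supplied by the device, so the cx231xx entry mapping to `CX231XX_BOARD_UNKNOWN` relies on the unknown-board path being safe for any hardware that reports a value in that range.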
diff --git a/queue-2.6.35/v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch b/queue-2.6.35/v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch
new file mode 100644 (file)
index 0000000..4aa45fe
--- /dev/null
@@ -0,0 +1,38 @@
+From e0172fd373ab77a83ea952fd6a75c612e1b0bf9e Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <maximlevitsky@gmail.com>
+Date: Mon, 6 Sep 2010 18:26:09 -0300
+Subject: V4L/DVB: IR: fix keys beeing stuck down forever
+
+From: Maxim Levitsky <maximlevitsky@gmail.com>
+
+commit e0172fd373ab77a83ea952fd6a75c612e1b0bf9e upstream.
+
+The logic in ir_timer_keyup was inverted.
+
+In case that values aren't equal,
+the meaning of the time_is_after_eq_jiffies(ir->keyup_jiffies) is that
+ir->keyup_jiffies is after the the jiffies or equally that
+that jiffies are before the the ir->keyup_jiffies which is
+exactly the situation we want to avoid (that the timeout is in the future)
+Confusing Eh?
+
+Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
+Acked-by: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/IR/ir-keytable.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/IR/ir-keytable.c
++++ b/drivers/media/IR/ir-keytable.c
+@@ -319,7 +319,7 @@ static void ir_timer_keyup(unsigned long
+        * a keyup event might follow immediately after the keydown.
+        */
+       spin_lock_irqsave(&ir->keylock, flags);
+-      if (time_is_after_eq_jiffies(ir->keyup_jiffies))
++      if (time_is_before_eq_jiffies(ir->keyup_jiffies))
+               ir_keyup(ir);
+       spin_unlock_irqrestore(&ir->keylock, flags);
+ }
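Review bot: The corrected test in ir_timer_keyup() is still hard to read, as the commit message itself admits, and nothing in the code records which direction is the right one. I would add a comment on the condition, e.g. `/* keyup_jiffies is now or in the past: the key has timed out */`, so the helper is not flipped back by mistake. The function starts above the hunk; only the locked section is visible here.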
diff --git a/queue-2.6.35/v4l1-fix-32-bit-compat-microcode-loading-translation.patch b/queue-2.6.35/v4l1-fix-32-bit-compat-microcode-loading-translation.patch
new file mode 100644 (file)
index 0000000..bfb7db8
--- /dev/null
@@ -0,0 +1,88 @@
+From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:12:38 -0700
+Subject: v4l1: fix 32-bit compat microcode loading translation
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream.
+
+The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
+It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
+staging and eventually removed unless somebody steps up to maintain it
+(at which point it should use request_firmware() rather than some magic
+ioctl).  So we'll get rid of it eventually.
+
+But in the meantime, the compatibility ioctl code is broken, and this
+tries to get it to at least limp along (even if Mauro suggested just
+deleting it entirely, which may be the right thing to do - I don't think
+the compatibility translation code has ever worked unless you were very
+lucky).
+
+Reported-by: Kees Cook <kees.cook@canonical.com>
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/v4l2-compat-ioctl32.c |   32 +++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/video/v4l2-compat-ioctl32.c
++++ b/drivers/media/video/v4l2-compat-ioctl32.c
+@@ -193,17 +193,24 @@ static int put_video_window32(struct vid
+ struct video_code32 {
+       char            loadwhat[16];   /* name or tag of file being passed */
+       compat_int_t    datasize;
+-      unsigned char   *data;
++      compat_uptr_t   data;
+ };
+-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *get_microcode32(struct video_code32 *kp)
+ {
+-      if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+-              copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
+-              get_user(kp->datasize, &up->datasize) ||
+-              copy_from_user(kp->data, up->data, up->datasize))
+-                      return -EFAULT;
+-      return 0;
++      struct video_code __user *up;
++
++      up = compat_alloc_user_space(sizeof(*up));
++
++      /*
++       * NOTE! We don't actually care if these fail. If the
++       * user address is invalid, the native ioctl will do
++       * the error handling for us
++       */
++      (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++      (void) put_user(kp->datasize, &up->datasize);
++      (void) put_user(compat_ptr(kp->data), &up->data);
++      return up;
+ }
+ #define VIDIOCGTUNER32                _IOWR('v', 4, struct video_tuner32)
+@@ -744,7 +751,7 @@ static long do_video_ioctl(struct file *
+               struct video_tuner vt;
+               struct video_buffer vb;
+               struct video_window vw;
+-              struct video_code vc;
++              struct video_code32 vc;
+               struct video_audio va;
+ #endif
+               struct v4l2_format v2f;
+@@ -823,8 +830,11 @@ static long do_video_ioctl(struct file *
+               break;
+       case VIDIOCSMICROCODE:
+-              err = get_microcode32(&karg.vc, up);
+-              compatible_arg = 0;
++              /* Copy the 32-bit "video_code32" to kernel space */
++              if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++                      return -EFAULT;
++              /* Convert the 32-bit version to a 64-bit version in user space */
++              up = get_microcode32(&karg.vc);
+               break;
+       case VIDIOCSFREQ:
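Review bot: get_microcode32() discards the results of `copy_to_user()` and both `put_user()` calls, so a failed write leaves the native handler to fault on the same area when it reads the struct. The NOTE comment says this is deliberate, but it is an implicit contract with code outside this file, and nothing here enforces it. Returning NULL on failure and having the `VIDIOCSMICROCODE` case return -EFAULT costs a few lines and means the native ioctl never sees a partly written `struct video_code`. `datasize` and `data` are forwarded from the 32-bit caller unchecked, as they are on the native path, so bounds checking stays entirely with the driver's handler, which is not visible here. do_video_ioctl() begins and ends outside these hunks.
```c
static struct video_code __user *get_microcode32(struct video_code32 *kp)
{
	/* … unchanged: up = compat_alloc_user_space(sizeof(*up)) … */
	if (copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat)) ||
	    put_user(kp->datasize, &up->datasize) ||
	    put_user(compat_ptr(kp->data), &up->data))
		return NULL;
	return up;
}

	/* … unchanged: case VIDIOCSMICROCODE, copy_from_user of karg.vc … */
		up = get_microcode32(&karg.vc);
		if (!up)
			return -EFAULT;
```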
diff --git a/queue-2.6.35/virtio-blk-fix-request-leak.patch b/queue-2.6.35/virtio-blk-fix-request-leak.patch
new file mode 100644 (file)
index 0000000..b95aee7
--- /dev/null
@@ -0,0 +1,42 @@
+From e4c4776dea9fd0295ebb3b215599d52938d6d7a3 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Sat, 9 Oct 2010 12:12:13 +1030
+Subject: virtio-blk: fix request leak.
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit e4c4776dea9fd0295ebb3b215599d52938d6d7a3 upstream.
+
+Must drop reference taken by blk_make_request().
+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/virtio_blk.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -203,6 +203,7 @@ static int virtblk_get_id(struct gendisk
+       struct virtio_blk *vblk = disk->private_data;
+       struct request *req;
+       struct bio *bio;
++      int err;
+       bio = bio_map_kern(vblk->disk->queue, id_str, VIRTIO_BLK_ID_BYTES,
+                          GFP_KERNEL);
+@@ -216,7 +217,10 @@ static int virtblk_get_id(struct gendisk
+       }
+       req->cmd_type = REQ_TYPE_SPECIAL;
+-      return blk_execute_rq(vblk->disk->queue, vblk->disk, req, false);
++      err = blk_execute_rq(vblk->disk->queue, vblk->disk, req, false);
++      blk_put_request(req);
++
++      return err;
+ }
+ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
diff --git a/queue-2.6.35/wext-fix-potential-private-ioctl-memory-content-leak.patch b/queue-2.6.35/wext-fix-potential-private-ioctl-memory-content-leak.patch
new file mode 100644 (file)
index 0000000..6557389
--- /dev/null
@@ -0,0 +1,39 @@
+From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Sep 2010 00:38:25 +0200
+Subject: wext: fix potential private ioctl memory content leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.
+
+When a driver doesn't fill the entire buffer, old
+heap contents may remain, and if it also doesn't
+update the length properly, this old heap content
+will be copied back to userspace.
+
+It is very unlikely that this happens in any of
+the drivers using private ioctls since it would
+show up as junk being reported by iwpriv, but it
+seems better to be safe here, so use kzalloc.
+
+Reported-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/wext-priv.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -152,7 +152,7 @@ static int ioctl_private_iw_point(struct
+       } else if (!iwp->pointer)
+               return -EFAULT;
+-      extra = kmalloc(extra_size, GFP_KERNEL);
++      extra = kzalloc(extra_size, GFP_KERNEL);
+       if (!extra)
+               return -ENOMEM;
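Review bot: Switching to `kzalloc()` stops stale heap bytes from reaching userspace, but it leaves the underlying condition in place. Per the commit message, a driver can report a length larger than what it actually wrote, and the copy-back will then return zeros instead of failing. The copy-back is outside this hunk, so it is worth confirming that the length returned to userspace is clamped to `extra_size`. The reason for zeroing should also be recorded at the allocation, e.g. `/* zeroed: a handler that under-fills the buffer must not expose old heap contents */`, so the call is not changed back to kmalloc as an optimisation. ioctl_private_iw_point() starts and ends outside the hunk.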
diff --git a/queue-2.6.35/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch b/queue-2.6.35/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
new file mode 100644 (file)
index 0000000..ff2f57a
--- /dev/null
@@ -0,0 +1,61 @@
+From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <borislav.petkov@amd.com>
+Date: Fri, 8 Oct 2010 12:08:34 +0200
+Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order
+
+From: Borislav Petkov <borislav.petkov@amd.com>
+
+commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream.
+
+This fixes possible cases of not collecting valid error info in
+the MCE error thresholding groups on F10h hardware.
+
+The current code contains a subtle problem of checking only the
+Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM
+thresholding group) in its first iteration and breaking out if
+the bit is cleared.
+
+But (!), this MSR contains an offset value, BlkPtr[31:24], which
+points to the remaining MSRs in this thresholding group which
+might contain valid information too. But if we bail out only
+after we checked the valid bit in the first MSR and not the
+block pointer too, we miss that other information.
+
+The thing is, MC4_MISC0[BlkPtr] is not predicated on
+MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked
+prior to iterating over the MCI_MISCj thresholding group,
+irrespective of the MC4_MISC0[Valid] setting.
+
+Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -141,6 +141,7 @@ void mce_amd_feature_init(struct cpuinfo
+                               address = (low & MASK_BLKPTR_LO) >> 21;
+                               if (!address)
+                                       break;
++
+                               address += MCG_XBLK_ADDR;
+                       } else
+                               ++address;
+@@ -148,12 +149,8 @@ void mce_amd_feature_init(struct cpuinfo
+                       if (rdmsr_safe(address, &low, &high))
+                               break;
+-                      if (!(high & MASK_VALID_HI)) {
+-                              if (block)
+-                                      continue;
+-                              else
+-                                      break;
+-                      }
++                      if (!(high & MASK_VALID_HI))
++                              continue;
+                       if (!(high & MASK_CNTP_HI)  ||
+                            (high & MASK_LOCKED_HI))
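Review bot: The bare `continue` after the `MASK_VALID_HI` test in mce_amd_feature_init has no comment saying why an invalid block no longer ends the scan; the reason exists only in the commit message. I would add `/* BlkPtr is not predicated on Valid: keep walking the group */` above it. Within the visible lines the walk now stops only on a zero block pointer or a failing `rdmsr_safe()`. The loop header and its bound are outside the hunk, so the upper limit on blocks should be confirmed there.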
diff --git a/queue-2.6.35/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch b/queue-2.6.35/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
new file mode 100644 (file)
index 0000000..3869c77
--- /dev/null
@@ -0,0 +1,35 @@
+From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 28 Sep 2010 23:20:23 +0200
+Subject: x86, hpet: Fix bogus error check in hpet_assign_irq()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream.
+
+create_irq() returns -1 if the interrupt allocation failed, but the
+code checks for irq == 0.
+
+Use create_irq_nr() instead.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Venkatesh Pallipadi <venki@google.com>
+LKML-Reference: <alpine.LFD.2.00.1009282310360.2416@localhost6.localdomain6>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -507,7 +507,7 @@ static int hpet_assign_irq(struct hpet_d
+ {
+       unsigned int irq;
+-      irq = create_irq();
++      irq = create_irq_nr(0, -1);
+       if (!irq)
+               return -EINVAL;
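Review bot: The `!irq` test in hpet_assign_irq now depends on create_irq_nr() reporting failure as 0, and the literal arguments `0, -1` do not say what they select. If I read create_irq_nr() correctly, these are the wanted irq number and the NUMA node, so a comment such as `/* no preferred irq, no node affinity; 0 means allocation failed */` above the call would make the contract visible next to the check. The rest of the function is outside the hunk, so whether later code treats `irq` as signed is not visible here.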
diff --git a/queue-2.6.35/x86-irq-plug-memory-leak-in-sparse-irq.patch b/queue-2.6.35/x86-irq-plug-memory-leak-in-sparse-irq.patch
new file mode 100644 (file)
index 0000000..bd67b82
--- /dev/null
@@ -0,0 +1,51 @@
+From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 28 Sep 2010 20:57:19 +0200
+Subject: x86, irq: Plug memory leak in sparse irq
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream.
+
+free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this
+triggers a use after free caused by the fact that copying struct
+irq_cfg is done with memcpy, which copies the pointer not the cpumask.
+
+Fix both places.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yinghai Lu <yhlu.kernel@gmail.com>
+LKML-Reference: <alpine.LFD.2.00.1009282052570.2416@localhost6.localdomain6>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/io_apic.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -306,14 +306,19 @@ void arch_init_copy_chip_data(struct irq
+       old_cfg = old_desc->chip_data;
+-      memcpy(cfg, old_cfg, sizeof(struct irq_cfg));
++      cfg->vector = old_cfg->vector;
++      cfg->move_in_progress = old_cfg->move_in_progress;
++      cpumask_copy(cfg->domain, old_cfg->domain);
++      cpumask_copy(cfg->old_domain, old_cfg->old_domain);
+       init_copy_irq_2_pin(old_cfg, cfg, node);
+ }
+-static void free_irq_cfg(struct irq_cfg *old_cfg)
++static void free_irq_cfg(struct irq_cfg *cfg)
+ {
+-      kfree(old_cfg);
++      free_cpumask_var(cfg->domain);
++      free_cpumask_var(cfg->old_domain);
++      kfree(cfg);
+ }
+ void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)
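Review bot: The member-by-member copy that replaces `memcpy` in arch_init_copy_chip_data will silently skip any field added to struct irq_cfg later, and nothing in the code says why the copy is written this way. I would add above it `/* copy by member: domain/old_domain are cpumask_var_t and must not be aliased; extend when irq_cfg grows */`. The same ownership rule applies to the new free_irq_cfg, which now dereferences `cfg` before `kfree()`. It has lost the NULL tolerance that a bare `kfree()` had, and its callers lie outside the hunk, so it is worth confirming that none of them can pass NULL.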
diff --git a/queue-2.6.35/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch b/queue-2.6.35/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
new file mode 100644 (file)
index 0000000..5634ed5
--- /dev/null
@@ -0,0 +1,78 @@
+From 73cf624d029d776a33d0a80c695485b3f9b36231 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Sun, 10 Oct 2010 19:52:15 -0700
+Subject: x86, numa: For each node, register the memory blocks actually used
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit 73cf624d029d776a33d0a80c695485b3f9b36231 upstream.
+
+Russ reported SGI UV is broken recently. He said:
+
+| The SRAT table shows that memory range is spread over two nodes.
+|
+| SRAT: Node 0 PXM 0 100000000-800000000
+| SRAT: Node 1 PXM 1 800000000-1000000000
+| SRAT: Node 0 PXM 0 1000000000-1080000000
+|
+|Previously, the kernel early_node_map[] would show three entries
+|with the proper node.
+|
+|[    0.000000]     0: 0x00100000 -> 0x00800000
+|[    0.000000]     1: 0x00800000 -> 0x01000000
+|[    0.000000]     0: 0x01000000 -> 0x01080000
+|
+|The problem is recent community kernel early_node_map[] shows
+|only two entries with the node 0 entry overlapping the node 1
+|entry.
+|
+|    0: 0x00100000 -> 0x01080000
+|    1: 0x00800000 -> 0x01000000
+
+After looking at the changelog, Found out that it has been broken for a while by
+following commit
+
+|commit 8716273caef7f55f39fe4fc6c69c5f9f197f41f1
+|Author: David Rientjes <rientjes@google.com>
+|Date:   Fri Sep 25 15:20:04 2009 -0700
+|
+|    x86: Export srat physical topology
+
+Before that commit, register_active_regions() is called for every SRAT memory
+entry right away.
+
+Use nodememblk_range[] instead of nodes[] in order to make sure we
+capture the actual memory blocks registered with each node.  nodes[]
+contains an extended range which spans all memory regions associated
+with a node, but that does not mean that all the memory in between are
+included.
+
+Reported-by: Russ Anderson <rja@sgi.com>
+Tested-by: Russ Anderson <rja@sgi.com>
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+LKML-Reference: <4CB27BDF.5000800@kernel.org>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/mm/srat_64.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/srat_64.c
++++ b/arch/x86/mm/srat_64.c
+@@ -420,9 +420,11 @@ int __init acpi_scan_nodes(unsigned long
+               return -1;
+       }
+-      for_each_node_mask(i, nodes_parsed)
+-              e820_register_active_regions(i, nodes[i].start >> PAGE_SHIFT,
+-                                              nodes[i].end >> PAGE_SHIFT);
++      for (i = 0; i < num_node_memblks; i++)
++              e820_register_active_regions(memblk_nodeid[i],
++                              node_memblk_range[i].start >> PAGE_SHIFT,
++                              node_memblk_range[i].end >> PAGE_SHIFT);
++
+       /* for out of order entries in SRAT */
+       sort_node_map();
+       if (!nodes_cover_memory(nodes)) {
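Review bot: The new loop in acpi_scan_nodes registers every entry up to `num_node_memblks`, whereas the removed loop was limited to nodes in `nodes_parsed`. The hunk does not show whether every `memblk_nodeid[i]` is guaranteed to be in that mask at this point. If it is, a comment such as `/* register each SRAT block; nodes[i] spans gaps that may belong to another node */` would record both the invariant and the reason for not using `nodes[]`. If it is not, the loop needs a guard like `if (!node_isset(memblk_nodeid[i], nodes_parsed)) continue;`. The function continues outside the hunk on both sides.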