2.6.29: more patches for .3
authorChris Wright <chrisw@sous-sol.org>
Fri, 24 Apr 2009 22:34:19 +0000 (15:34 -0700)
committerChris Wright <chrisw@sous-sol.org>
Fri, 24 Apr 2009 22:34:19 +0000 (15:34 -0700)
12 files changed:
queue-2.6.29/alsa-us122l-add-snd_us122l_free.patch [new file with mode: 0644]
queue-2.6.29/b43-poison-rx-buffers.patch [new file with mode: 0644]
queue-2.6.29/b43-refresh-rx-poison-on-buffer-recycling.patch [new file with mode: 0644]
queue-2.6.29/kvm-fix-overlapping-check-for-memory-slots.patch [new file with mode: 0644]
queue-2.6.29/kvm-mmu-disable-global-page-optimization.patch [new file with mode: 0644]
queue-2.6.29/kvm-mmu-fix-off-by-one-calculating-large-page-count.patch [new file with mode: 0644]
queue-2.6.29/kvm-x86-release-time_page-on-vcpu-destruction.patch [new file with mode: 0644]
queue-2.6.29/mac80211-fix-basic-rate-bitmap-calculation.patch [new file with mode: 0644]
queue-2.6.29/mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch [new file with mode: 0644]
queue-2.6.29/series
queue-2.6.29/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch [new file with mode: 0644]
queue-2.6.29/usb-unusual-device-support-for-gold-mp3-player-energy.patch [new file with mode: 0644]

diff --git a/queue-2.6.29/alsa-us122l-add-snd_us122l_free.patch b/queue-2.6.29/alsa-us122l-add-snd_us122l_free.patch
new file mode 100644 (file)
index 0000000..769c56e
--- /dev/null
@@ -0,0 +1,62 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:23 2009
+Date: Fri, 24 Apr 2009 16:05:19 GMT
+Message-Id: <200904241605.n3OG5Ju8007936@hera.kernel.org>
+From: Karsten Wiese <fzu@wemgehoertderstaat.de>
+To: jejb@kernel.org, stable@kernel.org
+Subject: ALSA: us122l: add snd_us122l_free()
+
+upstream commit: 5d4af1be06affa2b42cdf59cd376752be1f934b3
+
+Use it to clean up snd_us122l_card_used[].
+
+Without patch unplugging of an US122L soundcard didn't reset the
+corresponding element of snd_us122l_card_used[] to 0.
+The (SNDRV_CARDS + 1)th plugging in did not result in creating the soundcard
+device anymore.
+Index values supplied with the modprobe command line were not used correctly
+anymore after the first unplugging of an US122L.
+
+Signed-off-by: Karsten Wiese <fzu@wemgehoertderstaat.de>
+Cc: stable@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[chrisw: backport to 2.6.29]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ sound/usb/usx2y/us122l.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/usx2y/us122l.c
++++ b/sound/usb/usx2y/us122l.c
+@@ -478,6 +478,14 @@ static bool us122l_create_card(struct sn
+       return true;
+ }
++static void snd_us122l_free(struct snd_card *card)
++{
++      struct us122l   *us122l = US122L(card);
++      int             index = us122l->chip.index;
++      if (index >= 0  &&  index < SNDRV_CARDS)
++              snd_us122l_card_used[index] = 0;
++}
++
+ static struct snd_card *usx2y_create_card(struct usb_device *device)
+ {
+       int             dev;
+@@ -492,7 +500,7 @@ static struct snd_card *usx2y_create_car
+       if (!card)
+               return NULL;
+       snd_us122l_card_used[US122L(card)->chip.index = dev] = 1;
+-
++      card->private_free = snd_us122l_free;
+       US122L(card)->chip.dev = device;
+       US122L(card)->chip.card = card;
+       mutex_init(&US122L(card)->mutex);
+@@ -575,7 +583,7 @@ static void snd_us122l_disconnect(struct
+       }
+       usb_put_intf(intf);
+-      usb_put_dev(US122L(card)->chip.dev);
++      usb_put_dev(us122l->chip.dev);
+       while (atomic_read(&us122l->mmap_count))
+               msleep(500);
diff --git a/queue-2.6.29/b43-poison-rx-buffers.patch b/queue-2.6.29/b43-poison-rx-buffers.patch
new file mode 100644 (file)
index 0000000..3f0311d
--- /dev/null
@@ -0,0 +1,115 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:36 2009
+Date: Fri, 24 Apr 2009 16:05:31 GMT
+Message-Id: <200904241605.n3OG5VSB008123@hera.kernel.org>
+From: Michael Buesch <mb@bu3sch.de>
+To: jejb@kernel.org, stable@kernel.org
+Subject: b43: Poison RX buffers
+
+upstream commit: ec9a1d8c13e36440eda0f3c79b8149080e3ab5ba
+
+This patch adds poisoning and sanity checking to the RX DMA buffers.
+This is used for protection against buggy hardware/firmware that raises
+RX interrupts without doing an actual DMA transfer.
+
+This mechanism protects against rare "bad packets" (due to uninitialized skb data)
+and rare kernel crashes due to uninitialized RX headers.
+
+The poison is selected to not match on valid frames and to be cheap for checking.
+
+The poison check mechanism _might_ trigger incorrectly, if we are voluntarily
+receiving frames with bad PLCP headers. However, this is nonfatal, because the
+chance of such a match is basically zero and in case it happens it just results
+in dropping the packet.
+Bad-PLCP RX defaults to off, and you should leave it off unless you want to listen
+to the latest news broadcasted by your microwave oven.
+
+This patch also moves the initialization of the RX-header "length" field in front of
+the mapping of the DMA buffer. The CPU should not touch the buffer after we mapped it.
+
+Cc: stable@kernel.org
+Reported-by: Francesco Gringoli <francesco.gringoli@ing.unibs.it>
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/b43/dma.c |   37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/b43/dma.c
++++ b/drivers/net/wireless/b43/dma.c
+@@ -551,11 +551,32 @@ address_error:
+       return 1;
+ }
++static bool b43_rx_buffer_is_poisoned(struct b43_dmaring *ring, struct sk_buff *skb)
++{
++      unsigned char *f = skb->data + ring->frameoffset;
++
++      return ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5] & f[6] & f[7]) == 0xFF);
++}
++
++static void b43_poison_rx_buffer(struct b43_dmaring *ring, struct sk_buff *skb)
++{
++      struct b43_rxhdr_fw4 *rxhdr;
++      unsigned char *frame;
++
++      /* This poisons the RX buffer to detect DMA failures. */
++
++      rxhdr = (struct b43_rxhdr_fw4 *)(skb->data);
++      rxhdr->frame_len = 0;
++
++      B43_WARN_ON(ring->rx_buffersize < ring->frameoffset + sizeof(struct b43_plcp_hdr6) + 2);
++      frame = skb->data + ring->frameoffset;
++      memset(frame, 0xFF, sizeof(struct b43_plcp_hdr6) + 2 /* padding */);
++}
++
+ static int setup_rx_descbuffer(struct b43_dmaring *ring,
+                              struct b43_dmadesc_generic *desc,
+                              struct b43_dmadesc_meta *meta, gfp_t gfp_flags)
+ {
+-      struct b43_rxhdr_fw4 *rxhdr;
+       dma_addr_t dmaaddr;
+       struct sk_buff *skb;
+@@ -564,6 +585,7 @@ static int setup_rx_descbuffer(struct b4
+       skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags);
+       if (unlikely(!skb))
+               return -ENOMEM;
++      b43_poison_rx_buffer(ring, skb);
+       dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0);
+       if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) {
+               /* ugh. try to realloc in zone_dma */
+@@ -574,6 +596,7 @@ static int setup_rx_descbuffer(struct b4
+               skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags);
+               if (unlikely(!skb))
+                       return -ENOMEM;
++              b43_poison_rx_buffer(ring, skb);
+               dmaaddr = map_descbuffer(ring, skb->data,
+                                        ring->rx_buffersize, 0);
+       }
+@@ -589,9 +612,6 @@ static int setup_rx_descbuffer(struct b4
+       ring->ops->fill_descriptor(ring, desc, dmaaddr,
+                                  ring->rx_buffersize, 0, 0, 0);
+-      rxhdr = (struct b43_rxhdr_fw4 *)(skb->data);
+-      rxhdr->frame_len = 0;
+-
+       return 0;
+ }
+@@ -1482,6 +1502,15 @@ static void dma_rx(struct b43_dmaring *r
+                       goto drop;
+               }
+       }
++      if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) {
++              /* Something went wrong with the DMA.
++               * The device did not touch the buffer and did not overwrite the poison. */
++              b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n");
++              /* recycle the descriptor buffer. */
++              sync_descbuffer_for_device(ring, meta->dmaaddr,
++                                         ring->rx_buffersize);
++              goto drop;
++      }
+       if (unlikely(len > ring->rx_buffersize)) {
+               /* The data did not fit into one descriptor buffer
+                * and is split over multiple buffers.
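Review bot: The size guard in `b43_poison_rx_buffer()` only warns: after `B43_WARN_ON(ring->rx_buffersize < ring->frameoffset + sizeof(struct b43_plcp_hdr6) + 2)` the `memset()` still runs, so an undersized RX buffer would be written past its end. Assuming the macro evaluates to the tested condition (its definition is not part of this patch), return early instead: `if (B43_WARN_ON(...)) return;`. Separately, `b43_rx_buffer_is_poisoned()` hard-codes eight byte reads (`f[0]` to `f[7]`) while the writer uses `sizeof(struct b43_plcp_hdr6) + 2`. A shared named constant for the poison length would keep the two in step and let the reader apply the same bound before it dereferences `skb->data + ring->frameoffset`.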
diff --git a/queue-2.6.29/b43-refresh-rx-poison-on-buffer-recycling.patch b/queue-2.6.29/b43-refresh-rx-poison-on-buffer-recycling.patch
new file mode 100644 (file)
index 0000000..62f2959
--- /dev/null
@@ -0,0 +1,78 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:34 2009
+Date: Fri, 24 Apr 2009 16:05:29 GMT
+Message-Id: <200904241605.n3OG5TGL008104@hera.kernel.org>
+From: Michael Buesch <mb@bu3sch.de>
+To: jejb@kernel.org, stable@kernel.org
+Subject: b43: Refresh RX poison on buffer recycling
+
+upstream commit: cf68636a9773aa97915497fe54fa4a51e3f08f3a
+
+The RX buffer poison needs to be refreshed, if we recycle an RX buffer,
+because it might be (partially) overwritten by some DMA operations.
+
+Cc: stable@kernel.org
+Cc: Francesco Gringoli <francesco.gringoli@ing.unibs.it>
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/b43/dma.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireless/b43/dma.c
++++ b/drivers/net/wireless/b43/dma.c
+@@ -1496,20 +1496,16 @@ static void dma_rx(struct b43_dmaring *r
+                       len = le16_to_cpu(rxhdr->frame_len);
+               } while (len == 0 && i++ < 5);
+               if (unlikely(len == 0)) {
+-                      /* recycle the descriptor buffer. */
+-                      sync_descbuffer_for_device(ring, meta->dmaaddr,
+-                                                 ring->rx_buffersize);
+-                      goto drop;
++                      dmaaddr = meta->dmaaddr;
++                      goto drop_recycle_buffer;
+               }
+       }
+       if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) {
+               /* Something went wrong with the DMA.
+                * The device did not touch the buffer and did not overwrite the poison. */
+               b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n");
+-              /* recycle the descriptor buffer. */
+-              sync_descbuffer_for_device(ring, meta->dmaaddr,
+-                                         ring->rx_buffersize);
+-              goto drop;
++              dmaaddr = meta->dmaaddr;
++              goto drop_recycle_buffer;
+       }
+       if (unlikely(len > ring->rx_buffersize)) {
+               /* The data did not fit into one descriptor buffer
+@@ -1523,6 +1519,7 @@ static void dma_rx(struct b43_dmaring *r
+               while (1) {
+                       desc = ops->idx2desc(ring, *slot, &meta);
+                       /* recycle the descriptor buffer. */
++                      b43_poison_rx_buffer(ring, meta->skb);
+                       sync_descbuffer_for_device(ring, meta->dmaaddr,
+                                                  ring->rx_buffersize);
+                       *slot = next_slot(ring, *slot);
+@@ -1541,8 +1538,7 @@ static void dma_rx(struct b43_dmaring *r
+       err = setup_rx_descbuffer(ring, desc, meta, GFP_ATOMIC);
+       if (unlikely(err)) {
+               b43dbg(ring->dev->wl, "DMA RX: setup_rx_descbuffer() failed\n");
+-              sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize);
+-              goto drop;
++              goto drop_recycle_buffer;
+       }
+       unmap_descbuffer(ring, dmaaddr, ring->rx_buffersize, 0);
+@@ -1552,6 +1548,11 @@ static void dma_rx(struct b43_dmaring *r
+       b43_rx(ring->dev, skb, rxhdr);
+ drop:
+       return;
++
++drop_recycle_buffer:
++      /* Poison and recycle the RX buffer. */
++      b43_poison_rx_buffer(ring, skb);
++      sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize);
+ }
+ void b43_dma_rx(struct b43_dmaring *ring)
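Review bot: The new `drop_recycle_buffer` label depends on `dmaaddr` and `skb` describing the buffer being recycled on every path that jumps to it, but only the two early exits set `dmaaddr = meta->dmaaddr;` inside these hunks. The `setup_rx_descbuffer()` failure path relies on an assignment that lies outside the visible lines. Assigning `dmaaddr` once, before the first `goto`, would remove the duplicated statement and make that invariant obvious. A comment at the label would also help, e.g. `/* Buffer is CPU-owned here; poison it before handing it back to the device. */`. That ownership is presumed, since the start of `dma_rx()` is not shown.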
diff --git a/queue-2.6.29/kvm-fix-overlapping-check-for-memory-slots.patch b/queue-2.6.29/kvm-fix-overlapping-check-for-memory-slots.patch
new file mode 100644 (file)
index 0000000..0e821e4
--- /dev/null
@@ -0,0 +1,54 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:14 2009
+Date: Fri, 24 Apr 2009 16:05:09 GMT
+Message-Id: <200904241605.n3OG59WB007756@hera.kernel.org>
+From: Jan Kiszka <jan.kiszka@web.de>
+To: jejb@kernel.org, stable@kernel.org
+Subject: KVM: Fix overlapping check for memory slots
+
+upstream commit: 4cd481f68dde99ac416003b825c835f71e364393
+
+When checking for overlapping slots on registration of a new one, kvm
+currently also considers zero-length (ie. deleted) slots and rejects
+requests incorrectly. This finally denies user space from joining slots.
+Fix the check by skipping deleted slots and advertise this via a
+KVM_CAP_JOIN_MEMORY_REGIONS_WORKS.
+
+Cc: stable@kernel.org
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ include/linux/kvm.h |    2 ++
+ virt/kvm/kvm_main.c |    3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kvm.h
++++ b/include/linux/kvm.h
+@@ -396,6 +396,8 @@ struct kvm_trace_rec {
+ #ifdef __KVM_HAVE_USER_NMI
+ #define KVM_CAP_USER_NMI 22
+ #endif
++/* Another bug in KVM_SET_USER_MEMORY_REGION fixed: */
++#define KVM_CAP_JOIN_MEMORY_REGIONS_WORKS 30
+ /*
+  * ioctls for VM fds
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1005,7 +1005,7 @@ int __kvm_set_memory_region(struct kvm *
+       for (i = 0; i < KVM_MEMORY_SLOTS; ++i) {
+               struct kvm_memory_slot *s = &kvm->memslots[i];
+-              if (s == memslot)
++              if (s == memslot || !s->npages)
+                       continue;
+               if (!((base_gfn + npages <= s->base_gfn) ||
+                     (base_gfn >= s->base_gfn + s->npages)))
+@@ -1997,6 +1997,7 @@ static long kvm_dev_ioctl_check_extensio
+       switch (arg) {
+       case KVM_CAP_USER_MEMORY:
+       case KVM_CAP_DESTROY_MEMORY_REGION_WORKS:
++      case KVM_CAP_JOIN_MEMORY_REGIONS_WORKS:
+               return 1;
+       default:
+               break;
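Review bot: The new `!s->npages` test in the overlap loop of `__kvm_set_memory_region()` has no comment, and the header comment `/* Another bug in KVM_SET_USER_MEMORY_REGION fixed: */` does not tell a userspace author what the capability guarantees. I would state it in both places, for instance `/* deleted slots have npages == 0 and cannot overlap anything */` above the `continue`, and `/* KVM_SET_USER_MEMORY_REGION ignores deleted (zero-length) slots when checking for overlap */` above the `#define`. The function body continues outside both hunks.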
diff --git a/queue-2.6.29/kvm-mmu-disable-global-page-optimization.patch b/queue-2.6.29/kvm-mmu-disable-global-page-optimization.patch
new file mode 100644 (file)
index 0000000..a8ba5ae
--- /dev/null
@@ -0,0 +1,33 @@
+From mtosatti@redhat.com  Fri Apr 24 15:05:03 2009
+Date: Fri, 24 Apr 2009 18:18:27 -0300
+From: Marcelo Tosatti <mtosatti@redhat.com>
+To: Chris Wright <chrisw@redhat.com>
+Subject: KVM: MMU: disable global page optimization
+Message-ID: <20090424211827.GA13223@amt.cnet>
+
+upstream commit: bf47a760f66add7870fba33ab50f58b550d6bbd1
+
+Complexity to fix it not worthwhile the gains, as discussed
+in http://article.gmane.org/gmane.comp.emulators.kvm.devel/28649.
+    
+Cc: stable@kernel.org
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+[mtosatti: backport to 2.6.29]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ arch/x86/kvm/mmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -797,7 +797,7 @@ static struct kvm_mmu_page *kvm_mmu_allo
+       ASSERT(is_empty_shadow_page(sp->spt));
+       bitmap_zero(sp->slot_bitmap, KVM_MEMORY_SLOTS + KVM_PRIVATE_MEM_SLOTS);
+       sp->multimapped = 0;
+-      sp->global = 1;
++      sp->global = 0;
+       sp->parent_pte = parent_pte;
+       --vcpu->kvm->arch.n_free_mmu_pages;
+       return sp;
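Review bot: `sp->global = 0;` carries no comment saying the value is deliberate, so the line reads like an ordinary initialiser while the `global` field and whatever consumes it stay in place outside this hunk. A short note at the assignment, such as `/* global page optimization is disabled; do not set this without revisiting the unsync handling */`, would stop a later cleanup from switching it back on. The exact wording should be confirmed against the discussion the commit message links to.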
diff --git a/queue-2.6.29/kvm-mmu-fix-off-by-one-calculating-large-page-count.patch b/queue-2.6.29/kvm-mmu-fix-off-by-one-calculating-large-page-count.patch
new file mode 100644 (file)
index 0000000..56eb04f
--- /dev/null
@@ -0,0 +1,45 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:20 2009
+Date: Fri, 24 Apr 2009 16:05:14 GMT
+Message-Id: <200904241605.n3OG5EXJ007808@hera.kernel.org>
+From: Avi Kivity <avi@redhat.com>
+To: jejb@kernel.org, stable@kernel.org
+Subject: KVM: MMU: Fix off-by-one calculating large page count
+
+upstream commit: 99894a799f09cf9e28296bb16e75bd5830fd2c4e
+
+The large page initialization code concludes there are two large pages spanned
+by a slot covering 1 (small) page starting at gfn 1.  This is incorrect, and
+also results in incorrect write_count initialization in some cases (base = 1,
+npages = 513 for example).
+
+Cc: stable@kernel.org
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ virt/kvm/kvm_main.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -964,6 +964,7 @@ int __kvm_set_memory_region(struct kvm *
+       int r;
+       gfn_t base_gfn;
+       unsigned long npages;
++      int largepages;
+       unsigned long i;
+       struct kvm_memory_slot *memslot;
+       struct kvm_memory_slot old, new;
+@@ -1039,11 +1040,8 @@ int __kvm_set_memory_region(struct kvm *
+                       new.userspace_addr = 0;
+       }
+       if (npages && !new.lpage_info) {
+-              int largepages = npages / KVM_PAGES_PER_HPAGE;
+-              if (npages % KVM_PAGES_PER_HPAGE)
+-                      largepages++;
+-              if (base_gfn % KVM_PAGES_PER_HPAGE)
+-                      largepages++;
++              largepages = 1 + (base_gfn + npages - 1) / KVM_PAGES_PER_HPAGE;
++              largepages -= base_gfn / KVM_PAGES_PER_HPAGE;
+               new.lpage_info = vmalloc(largepages * sizeof(*new.lpage_info));
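Review bot: `largepages` is declared `int` but is computed from `base_gfn` (`gfn_t`) and `npages` (`unsigned long`), and the result then sizes `vmalloc(largepages * sizeof(*new.lpage_info))`. If nothing earlier in `__kvm_set_memory_region()` bounds `npages` (the start of the function is outside these hunks), a very large slot would truncate or go negative in the `int`, and the allocation would no longer match the range the slot covers. Declaring it `unsigned long largepages;` keeps the arithmetic in the width of its operands. A one-line comment on the two-step formula, e.g. `/* index of the last large page minus index of the first, plus one */`, would also make the off-by-one fix easier to verify.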
diff --git a/queue-2.6.29/kvm-x86-release-time_page-on-vcpu-destruction.patch b/queue-2.6.29/kvm-x86-release-time_page-on-vcpu-destruction.patch
new file mode 100644 (file)
index 0000000..4ea4d52
--- /dev/null
@@ -0,0 +1,34 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:12 2009
+Date: Fri, 24 Apr 2009 16:05:07 GMT
+Message-Id: <200904241605.n3OG57Qs007736@hera.kernel.org>
+From: Joerg Roedel <joerg.roedel@amd.com>
+To: jejb@kernel.org, stable@kernel.org
+Subject: KVM: x86: release time_page on vcpu destruction
+
+upstream commit: 7f1ea208968f021943d4103ba59e06bb6d8239cb
+
+Not releasing the time_page causes a leak of that page or the compound
+page it is situated in.
+
+Cc: stable@kernel.org
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/x86/kvm/x86.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3962,6 +3962,11 @@ EXPORT_SYMBOL_GPL(kvm_put_guest_fpu);
+ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
+ {
++      if (vcpu->arch.time_page) {
++              kvm_release_page_dirty(vcpu->arch.time_page);
++              vcpu->arch.time_page = NULL;
++      }
++
+       kvm_x86_ops->vcpu_free(vcpu);
+ }
diff --git a/queue-2.6.29/mac80211-fix-basic-rate-bitmap-calculation.patch b/queue-2.6.29/mac80211-fix-basic-rate-bitmap-calculation.patch
new file mode 100644 (file)
index 0000000..4247eaa
--- /dev/null
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:22 2009
+Date: Fri, 24 Apr 2009 16:05:16 GMT
+Message-Id: <200904241605.n3OG5GvL007897@hera.kernel.org>
+From: Johannes Berg <johannes@sipsolutions.net>
+To: jejb@kernel.org, stable@kernel.org
+Subject: mac80211: fix basic rate bitmap calculation
+
+upstream commit: 7e0986c17f695952ce5d61ed793ce048ba90a661
+
+"mac80211: fix basic rates setting from association response"
+introduced a copy/paste error.
+
+Unfortunately, this not just leads to wrong data being passed
+to the driver but is remotely exploitable for some hardware or
+driver combinations.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Cc: stable@kernel.org [2.6.29]
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/mac80211/mlme.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1342,7 +1342,7 @@ static void ieee80211_rx_mgmt_assoc_resp
+       for (i = 0; i < elems.ext_supp_rates_len; i++) {
+               int rate = (elems.ext_supp_rates[i] & 0x7f) * 5;
+-              bool is_basic = !!(elems.supp_rates[i] & 0x80);
++              bool is_basic = !!(elems.ext_supp_rates[i] & 0x80);
+               if (rate > 110)
+                       have_higher_than_11mbit = true;
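Review bot: The corrected line `bool is_basic = !!(elems.ext_supp_rates[i] & 0x80);` fixes the array mismatch, but the loop stays a near-copy of the `supp_rates` loop the commit message says it was pasted from. That duplication is how one array came to be read under a bound taken from the other's length. Both arrays are parsed from a received association response, so I would fold the two loops into one helper taking `(const u8 *rates, size_t len)`, which keeps each array tied to its own length. The sibling loop and the rest of `ieee80211_rx_mgmt_assoc_resp()` are outside this hunk, so this assumes the two bodies are otherwise identical.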
diff --git a/queue-2.6.29/mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch b/queue-2.6.29/mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch
new file mode 100644 (file)
index 0000000..618644e
--- /dev/null
@@ -0,0 +1,91 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:38 2009
+Date: Fri, 24 Apr 2009 16:05:33 GMT
+Message-Id: <200904241605.n3OG5XPq008148@hera.kernel.org>
+From: Vasanthakumar Thiagarajan <vasanth@atheros.com>
+To: jejb@kernel.org, stable@kernel.org
+Subject: mac80211: Fix bug in getting rx status for frames pending in reorder buffer
+
+upstream commit: b3631286aca3f54427ca0eb950981e9753866f6c
+
+Currently rx status for frames which are completed from reorder buffer
+is taken from it's cb area which is not always right, cb is not holding
+the rx status when driver uses mac80211's non-irq rx handler to pass it's
+received frames. This results in dropping almost all frames from reorder
+buffer when security is enabled by doing double decryption (first in hw,
+second in sw because of wrong rx status). This patch copies rx status into
+cb area before the frame is put into reorder buffer. After this patch,
+there is a significant improvement in throughput with ath9k + WPA2(AES).
+
+Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
+Acked-by: Johannes Berg <johannes@sipsolutions.net>
+Cc: stable@kernel.org
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/mac80211/rx.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -29,6 +29,7 @@
+ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
+                                          struct tid_ampdu_rx *tid_agg_rx,
+                                          struct sk_buff *skb,
++                                         struct ieee80211_rx_status *status,
+                                          u16 mpdu_seq_num,
+                                          int bar_req);
+ /*
+@@ -1538,7 +1539,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_
+               /* manage reordering buffer according to requested */
+               /* sequence number */
+               rcu_read_lock();
+-              ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL,
++              ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, NULL,
+                                                start_seq_num, 1);
+               rcu_read_unlock();
+               return RX_DROP_UNUSABLE;
+@@ -2034,6 +2035,7 @@ static inline u16 seq_sub(u16 sq1, u16 s
+ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
+                                          struct tid_ampdu_rx *tid_agg_rx,
+                                          struct sk_buff *skb,
++                                         struct ieee80211_rx_status *rxstatus,
+                                          u16 mpdu_seq_num,
+                                          int bar_req)
+ {
+@@ -2115,6 +2117,8 @@ static u8 ieee80211_sta_manage_reorder_b
+       /* put the frame in the reordering buffer */
+       tid_agg_rx->reorder_buf[index] = skb;
++      memcpy(tid_agg_rx->reorder_buf[index]->cb, rxstatus,
++             sizeof(*rxstatus));
+       tid_agg_rx->stored_mpdu_num++;
+       /* release the buffer until next missing frame */
+       index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn)
+@@ -2140,7 +2144,8 @@ static u8 ieee80211_sta_manage_reorder_b
+ }
+ static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
+-                                   struct sk_buff *skb)
++                                   struct sk_buff *skb,
++                                   struct ieee80211_rx_status *status)
+ {
+       struct ieee80211_hw *hw = &local->hw;
+       struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+@@ -2191,7 +2196,7 @@ static u8 ieee80211_rx_reorder_ampdu(str
+       /* according to mpdu sequence number deal with reordering buffer */
+       mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
+-      ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb,
++      ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, status,
+                                               mpdu_seq_num, 0);
+  end_reorder:
+       return ret;
+@@ -2255,7 +2260,7 @@ void __ieee80211_rx(struct ieee80211_hw 
+               return;
+       }
+-      if (!ieee80211_rx_reorder_ampdu(local, skb))
++      if (!ieee80211_rx_reorder_ampdu(local, skb, status))
+               __ieee80211_rx_handle_packet(hw, skb, status, rate);
+       rcu_read_unlock();
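Review bot: The added `memcpy(tid_agg_rx->reorder_buf[index]->cb, rxstatus, sizeof(*rxstatus));` copies into the skb control buffer with nothing tying `sizeof(struct ieee80211_rx_status)` to the size of `cb`. A `BUILD_BUG_ON(sizeof(*rxstatus) > sizeof(skb->cb));` next to it would turn future growth of the struct into a build failure instead of an overflow. The same function is called with `skb` and `rxstatus` both `NULL` from `ieee80211_rx_h_ctrl()` (`bar_req` = 1). That is safe only if the BAR path returns before the copy, which happens outside the visible hunks, so a short comment stating it would help. The prototype names the new parameter `status` while the definition names it `rxstatus`; use one name in both.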
index a0518bf6e3a289ceb7da0dec4faf7661c31e3018..b56a0dd7956b03507c55f35f567bf3e29323e1ae 100644 (file)
@@ -1 +1,12 @@
 forcedeth-fix-resume-from-hibernation-regression.patch
+mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch
+b43-poison-rx-buffers.patch
+b43-refresh-rx-poison-on-buffer-recycling.patch
+thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch
+alsa-us122l-add-snd_us122l_free.patch
+mac80211-fix-basic-rate-bitmap-calculation.patch
+kvm-mmu-fix-off-by-one-calculating-large-page-count.patch
+kvm-mmu-disable-global-page-optimization.patch
+kvm-fix-overlapping-check-for-memory-slots.patch
+kvm-x86-release-time_page-on-vcpu-destruction.patch
+usb-unusual-device-support-for-gold-mp3-player-energy.patch
diff --git a/queue-2.6.29/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch b/queue-2.6.29/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch
new file mode 100644 (file)
index 0000000..0be6b2b
--- /dev/null
@@ -0,0 +1,131 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:26 2009
+Date: Fri, 24 Apr 2009 16:05:21 GMT
+Message-Id: <200904241605.n3OG5LVS007983@hera.kernel.org>
+From: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+To: jejb@kernel.org, stable@kernel.org
+Subject: thinkpad-acpi: fix LED blinking through timer trigger
+
+upstream commit: 75bd3bf2ade9d548be0d2bde60b5ee0fdce0b127
+
+The set_blink hook code in the LED subdriver would never manage to get
+a LED to blink, and instead it would just turn it on.  The consequence
+of this is that the "timer" trigger would not cause the LED to blink
+if given default parameters.
+
+This problem exists since 2.6.26-rc1.
+
+To fix it, switch the deferred LED work handling to use the
+thinkpad-acpi-specific LED status (off/on/blink) directly.
+
+This also makes the code easier to read, and to extend later.
+
+Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+Cc: stable@kernel.org
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c |   41 ++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 22 deletions(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -306,11 +306,17 @@ static u32 dbg_level;
+ static struct workqueue_struct *tpacpi_wq;
++enum led_status_t {
++      TPACPI_LED_OFF = 0,
++      TPACPI_LED_ON,
++      TPACPI_LED_BLINK,
++};
++
+ /* Special LED class that can defer work */
+ struct tpacpi_led_classdev {
+       struct led_classdev led_classdev;
+       struct work_struct work;
+-      enum led_brightness new_brightness;
++      enum led_status_t new_state;
+       unsigned int led;
+ };
+@@ -4057,7 +4063,7 @@ static void light_set_status_worker(stru
+                       container_of(work, struct tpacpi_led_classdev, work);
+       if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING))
+-              light_set_status((data->new_brightness != LED_OFF));
++              light_set_status((data->new_state != TPACPI_LED_OFF));
+ }
+ static void light_sysfs_set(struct led_classdev *led_cdev,
+@@ -4067,7 +4073,8 @@ static void light_sysfs_set(struct led_c
+               container_of(led_cdev,
+                            struct tpacpi_led_classdev,
+                            led_classdev);
+-      data->new_brightness = brightness;
++      data->new_state = (brightness != LED_OFF) ?
++                              TPACPI_LED_ON : TPACPI_LED_OFF;
+       queue_work(tpacpi_wq, &data->work);
+ }
+@@ -4574,12 +4581,6 @@ enum {  /* For TPACPI_LED_OLD */
+       TPACPI_LED_EC_HLMS = 0x0e,      /* EC reg to select led to command */
+ };
+-enum led_status_t {
+-      TPACPI_LED_OFF = 0,
+-      TPACPI_LED_ON,
+-      TPACPI_LED_BLINK,
+-};
+-
+ static enum led_access_mode led_supported;
+ TPACPI_HANDLE(led, ec, "SLED",        /* 570 */
+@@ -4673,23 +4674,13 @@ static int led_set_status(const unsigned
+       return rc;
+ }
+-static void led_sysfs_set_status(unsigned int led,
+-                               enum led_brightness brightness)
+-{
+-      led_set_status(led,
+-                      (brightness == LED_OFF) ?
+-                      TPACPI_LED_OFF :
+-                      (tpacpi_led_state_cache[led] == TPACPI_LED_BLINK) ?
+-                              TPACPI_LED_BLINK : TPACPI_LED_ON);
+-}
+-
+ static void led_set_status_worker(struct work_struct *work)
+ {
+       struct tpacpi_led_classdev *data =
+               container_of(work, struct tpacpi_led_classdev, work);
+       if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING))
+-              led_sysfs_set_status(data->led, data->new_brightness);
++              led_set_status(data->led, data->new_state);
+ }
+ static void led_sysfs_set(struct led_classdev *led_cdev,
+@@ -4698,7 +4689,13 @@ static void led_sysfs_set(struct led_cla
+       struct tpacpi_led_classdev *data = container_of(led_cdev,
+                            struct tpacpi_led_classdev, led_classdev);
+-      data->new_brightness = brightness;
++      if (brightness == LED_OFF)
++              data->new_state = TPACPI_LED_OFF;
++      else if (tpacpi_led_state_cache[data->led] != TPACPI_LED_BLINK)
++              data->new_state = TPACPI_LED_ON;
++      else
++              data->new_state = TPACPI_LED_BLINK;
++
+       queue_work(tpacpi_wq, &data->work);
+ }
+@@ -4716,7 +4713,7 @@ static int led_sysfs_blink_set(struct le
+       } else if ((*delay_on != 500) || (*delay_off != 500))
+               return -EINVAL;
+-      data->new_brightness = TPACPI_LED_BLINK;
++      data->new_state = TPACPI_LED_BLINK;
+       queue_work(tpacpi_wq, &data->work);
+       return 0;
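Review bot: `led_sysfs_set()` now chooses between `TPACPI_LED_ON` and `TPACPI_LED_BLINK` by reading `tpacpi_led_state_cache[data->led]` at call time, whereas the removed `led_sysfs_set_status()` read it from the worker. If the cache is only updated when the queued work reaches `led_set_status()` (its body is outside these hunks), a brightness write that arrives after `led_sysfs_blink_set()` but before the worker runs sees the old cache value and replaces the pending `TPACPI_LED_BLINK` with `TPACPI_LED_ON`. `new_state` is also written by both setters and read by the worker with no lock visible here. At minimum, document the assumption above the `else if`, e.g. `/* cache holds the last state applied by the worker, not a pending request */`.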
diff --git a/queue-2.6.29/usb-unusual-device-support-for-gold-mp3-player-energy.patch b/queue-2.6.29/usb-unusual-device-support-for-gold-mp3-player-energy.patch
new file mode 100644 (file)
index 0000000..25e34e3
--- /dev/null
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org  Fri Apr 24 16:05:08 2009
+Date: Fri, 24 Apr 2009 16:05:04 GMT
+Message-Id: <200904241605.n3OG54gX007660@hera.kernel.org>
+From: Chuck Short <zulcss@ubuntu.com>
+To: jejb@kernel.org, stable@kernel.org
+Subject: USB: Unusual Device support for Gold MP3 Player Energy
+
+upstream commit: 46c6e93faa85d1362e1d127dc28cf9d0b304a6f1
+
+Reported by Alessio Treglia on
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/125250
+
+User was getting the following errors in dmesg:
+
+[ 2158.139386] sd 5:0:0:1: ioctl_internal_command return code = 8000002
+[ 2158.139390] : Current: sense key: No Sense
+[ 2158.139393] Additional sense: No additional sense information
+
+Adds unusual device support.
+
+modified:   drivers/usb/storage/unusual_devs.h
+
+Signed-off-by: Chuck Short <zulcss@ubuntu.com>
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/unusual_devs.h |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2134,6 +2134,12 @@ UNUSUAL_DEV(  0xed06, 0x4500, 0x0001, 0x
+               US_SC_DEVICE, US_PR_DEVICE, NULL,
+               US_FL_CAPACITY_HEURISTICS),
++/* Reported by Alessio Treglia <quadrispro@ubuntu.com> */
++UNUSUAL_DEV( 0xed10, 0x7636, 0x0001, 0x0001,
++              "TGE",
++              "Digital MP3 Audio Player",
++              US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_NOT_LOCKABLE ),
++
+ /* Control/Bulk transport for all SubClass values */
+ USUAL_DEV(US_SC_RBC, US_PR_CB, USB_US_TYPE_STOR),
+ USUAL_DEV(US_SC_8020, US_PR_CB, USB_US_TYPE_STOR),