--- /dev/null
+From stable-bounces@linux.kernel.org Sat Mar 28 01:45:18 2009
+Date: Sat, 28 Mar 2009 01:45:12 GMT
+Message-Id: <200903280145.n2S1jCCq031174@hera.kernel.org>
+From: Bob Copeland <me@bobcopeland.com>
+To: stable@kernel.org
+Subject: ath5k: disable MIB interrupts
+
+From: Bob Copeland <me@bobcopeland.com>
+
+upstream commit: 9ca9fb8aa8422595956af9681518cdb8b167055e
+
+The MIB interrupt fires whenever counters overflow; however without
+support for automatic noise immunity, we can sometimes get an interrupt
+storm. The get_stats() callback reads the counters anyway so we can
+disable the interrupt for now until ANI is implemented. This fixes
+the issue reported in http://bugzilla.kernel.org/show_bug.cgi?id=12647.
+
+Changes-licensed-under: 3-Clause-BSD
+
+Cc: stable@kernel.org
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/ath5k/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath5k/base.c
++++ b/drivers/net/wireless/ath5k/base.c
+@@ -2259,7 +2259,7 @@ ath5k_init(struct ath5k_softc *sc, bool
+ sc->curband = &sc->sbands[sc->curchan->band];
+ sc->imask = AR5K_INT_RXOK | AR5K_INT_RXERR | AR5K_INT_RXEOL |
+ AR5K_INT_RXORN | AR5K_INT_TXDESC | AR5K_INT_TXEOL |
+- AR5K_INT_FATAL | AR5K_INT_GLOBAL | AR5K_INT_MIB;
++ AR5K_INT_FATAL | AR5K_INT_GLOBAL;
+ ret = ath5k_reset(sc, false, false);
+ if (ret)
+ goto done;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:05:33 2009
+Date: Thu, 26 Mar 2009 23:05:28 GMT
+Message-Id: <200903262305.n2QN5Sei007495@hera.kernel.org>
+From: Bob Copeland <me@bobcopeland.com>
+To: stable@kernel.org
+Subject: ath5k: use spin_lock_irqsave for beacon lock
+
+From: Bob Copeland <me@bobcopeland.com>
+
+upstream commit: b5f03956c56d72ad336e5c2c42a025f25d952c30
+
+ath5k_reset can be called from process context, which in turn can
+call ath5k_beacon_config which takes the sc->block spinlock. Since
+it can also be taken in hard irq context, use spin_lock_irqsave
+everywhere. This fixes a potential deadlock in adhoc mode.
+
+Changes-licensed-under: 3-Clause-BSD
+
+Cc: stable@kernel.org
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/ath5k/base.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath5k/base.c
++++ b/drivers/net/wireless/ath5k/base.c
+@@ -1668,7 +1668,6 @@ ath5k_check_ibss_tsf(struct ath5k_softc
+ }
+ }
+
+-
+ static void
+ ath5k_tasklet_rx(unsigned long data)
+ {
+@@ -2188,6 +2187,7 @@ static void
+ ath5k_beacon_config(struct ath5k_softc *sc)
+ {
+ struct ath5k_hw *ah = sc->ah;
++ unsigned long flags;
+
+ ath5k_hw_set_imr(ah, 0);
+ sc->bmisscount = 0;
+@@ -2211,9 +2211,9 @@ ath5k_beacon_config(struct ath5k_softc *
+
+ if (sc->opmode == NL80211_IFTYPE_ADHOC) {
+ if (ath5k_hw_hasveol(ah)) {
+- spin_lock(&sc->block);
++ spin_lock_irqsave(&sc->block, flags);
+ ath5k_beacon_send(sc);
+- spin_unlock(&sc->block);
++ spin_unlock_irqrestore(&sc->block, flags);
+ }
+ } else
+ ath5k_beacon_update_timers(sc, -1);
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Mar 28 01:45:09 2009
+Date: Sat, 28 Mar 2009 01:45:04 GMT
+Message-Id: <200903280145.n2S1j4Fd030744@hera.kernel.org>
+From: Bob Copeland <me@bobcopeland.com>
+To: stable@kernel.org
+Subject: ath5k: warn and correct rate for unknown hw rate indexes
+
+From: Bob Copeland <me@bobcopeland.com>
+
+upstream commit: b726604706ad88d8b28bc487e45e710f58cc19ee
+
+ath5k sets up a mapping table from the hardware rate index to
+the rate index used by mac80211; however, we have seen some
+received frames with incorrect rate indexes. Such frames
+normally get dropped with a warning in __ieee80211_rx(),
+but it doesn't include enough information to track down the
+error.
+
+This patch adds a warning to hw_to_driver_rix for any lookups
+that result in a rate index of -1, then returns a valid rate so
+the frame can be processed.
+
+Changes-licensed-under: 3-Clause-BSD
+
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Cc: stable@kernel.org
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+[chrisw: add db5b4f7ae3901fdc48c5b988fc2a5e0cb4ec1870 to backport]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/ath5k/base.c | 14 ++++++++++++--
+ drivers/net/wireless/ath5k/base.h | 2 +-
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath5k/base.c
++++ b/drivers/net/wireless/ath5k/base.c
+@@ -1090,8 +1090,18 @@ ath5k_mode_setup(struct ath5k_softc *sc)
+ static inline int
+ ath5k_hw_to_driver_rix(struct ath5k_softc *sc, int hw_rix)
+ {
+- WARN_ON(hw_rix < 0 || hw_rix > AR5K_MAX_RATES);
+- return sc->rate_idx[sc->curband->band][hw_rix];
++ int rix;
++
++ /* return base rate on errors */
++ if (WARN(hw_rix < 0 || hw_rix >= AR5K_MAX_RATES,
++ "hw_rix out of bounds: %x\n", hw_rix))
++ return 0;
++
++ rix = sc->rate_idx[sc->curband->band][hw_rix];
++ if (WARN(rix < 0, "invalid hw_rix: %x\n", hw_rix))
++ rix = 0;
++
++ return rix;
+ }
+
+ /***************\
+--- a/drivers/net/wireless/ath5k/base.h
++++ b/drivers/net/wireless/ath5k/base.h
+@@ -112,7 +112,7 @@ struct ath5k_softc {
+ struct ieee80211_supported_band sbands[IEEE80211_NUM_BANDS];
+ struct ieee80211_channel channels[ATH_CHAN_MAX];
+ struct ieee80211_rate rates[IEEE80211_NUM_BANDS][AR5K_MAX_RATES];
+- u8 rate_idx[IEEE80211_NUM_BANDS][AR5K_MAX_RATES];
++ s8 rate_idx[IEEE80211_NUM_BANDS][AR5K_MAX_RATES];
+ enum nl80211_iftype opmode;
+ struct ath5k_hw *ah; /* Atheros HW */
+
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:05:22 2009
+Date: Thu, 26 Mar 2009 23:05:17 GMT
+Message-Id: <200903262305.n2QN5Hcp006681@hera.kernel.org>
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+To: stable@kernel.org
+Subject: ath9k: downgrade xmit queue full message to xmit debug
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+upstream commit: c117fa0bf5f5b3d362b590ed6e80499defe14505
+
+This is not a fatal message, hitting it simply means we're
+going to tell the upper layers to slow their horses down but
+as we make more descriptors available we let the show continue
+by waking up the queues in ath_wake_mac80211_queue().
+
+We downgrade this as otherwise we fill up your kernel log with
+messages which can be common under heavy traffic.
+
+Cc: stable@kernel.org
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/ath9k/xmit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath9k/xmit.c
++++ b/drivers/net/wireless/ath9k/xmit.c
+@@ -2035,7 +2035,7 @@ struct ath_txq *ath_test_get_txq(struct
+
+ /* Try to avoid running out of descriptors */
+ if (txq->axq_depth >= (ATH_TXBUF - 20)) {
+- DPRINTF(sc, ATH_DBG_FATAL,
++ DPRINTF(sc, ATH_DBG_XMIT,
+ "TX queue: %d is full, depth: %d\n",
+ qnum, txq->axq_depth);
+ ieee80211_stop_queue(sc->hw, skb_get_queue_mapping(skb));
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Mar 28 01:45:07 2009
+Date: Sat, 28 Mar 2009 01:45:02 GMT
+Message-Id: <200903280145.n2S1j2vl030524@hera.kernel.org>
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+To: stable@kernel.org
+Subject: ath9k: fix dma mapping leak of rx buffer upon rmmod
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+upstream commit: 051b919188650fe4c93ca8701183ae88439388f6
+
+We were claiming DMA buffers on the RX tasklet but never
+upon a simple module removal.
+
+Cc: stable@kernel.org
+Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/ath9k/recv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath9k/recv.c
++++ b/drivers/net/wireless/ath9k/recv.c
+@@ -322,8 +322,13 @@ void ath_rx_cleanup(struct ath_softc *sc
+
+ list_for_each_entry(bf, &sc->rx.rxbuf, list) {
+ skb = bf->bf_mpdu;
+- if (skb)
++ if (skb) {
++ dma_unmap_single(sc->dev,
++ bf->bf_buf_addr,
++ sc->rx.bufsize,
++ DMA_FROM_DEVICE);
+ dev_kfree_skb(skb);
++ }
+ }
+
+ if (sc->rx.rxdma.dd_desc_len != 0)
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Mar 28 01:45:11 2009
+Date: Sat, 28 Mar 2009 01:45:06 GMT
+Message-Id: <200903280145.n2S1j6TQ030903@hera.kernel.org>
+From: Lorenzo Nava <navalorenx@gmail.com>
+To: stable@kernel.org
+Subject: b43: fix b43_plcp_get_bitrate_idx_ofdm return type
+
+From: Lorenzo Nava <navalorenx@gmail.com>
+
+upstream commit: a3c0b87c4f21911fb7185902dd13f0e3cd7f33f7
+
+This patch fixes the return type of b43_plcp_get_bitrate_idx_ofdm. If
+the plcp contains an error, the function return value is 255 instead
+of -1, and the packet was not dropped. This causes a warning in
+__ieee80211_rx function because rate idx is out of range.
+
+Cc: stable@kernel.org
+Signed-off-by: Lorenzo Nava <navalorenx@gmail.com>
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/net/wireless/b43/xmit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/xmit.c
++++ b/drivers/net/wireless/b43/xmit.c
+@@ -50,7 +50,7 @@ static int b43_plcp_get_bitrate_idx_cck(
+ }
+
+ /* Extract the bitrate index out of an OFDM PLCP header. */
+-static u8 b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy)
++static int b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy)
+ {
+ int base = aphy ? 0 : 4;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Mar 28 01:45:15 2009
+Date: Sat, 28 Mar 2009 01:45:10 GMT
+Message-Id: <200903280145.n2S1jAG9031115@hera.kernel.org>
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+To: stable@kernel.org
+Subject: cfg80211: force last_request to be set for OLD_REG if regdom is EU
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+upstream commit: 2e097dc65673ed421bbc2e49f52c125aa43a8ee6
+
+Although EU is a bogus alpha2 we need to process the send request
+as our code depends on last_request being set.
+
+Cc: stable@kernel.org
+Reported-by: Quentin Armitage <Quentin@armitage.org.uk>
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+[chrisw: backport to 2.6.29]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Port-acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+---
+
+ net/wireless/reg.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1469,13 +1469,20 @@ int regulatory_init(void)
+
+ printk(KERN_INFO "cfg80211: Using static regulatory domain info\n");
+ print_regdomain_info(cfg80211_regdomain);
+- /* The old code still requests for a new regdomain and if
++ /*
++ * The old code still requests for a new regdomain and if
+ * you have CRDA you get it updated, otherwise you get
+ * stuck with the static values. We ignore "EU" code as
+- * that is not a valid ISO / IEC 3166 alpha2 */
+- if (ieee80211_regdom[0] != 'E' || ieee80211_regdom[1] != 'U')
+- err = __regulatory_hint(NULL, REGDOM_SET_BY_CORE,
+- ieee80211_regdom, 0, ENVIRON_ANY);
++ * that is not a valid ISO / IEC 3166 alpha2
++ * stuck with the static values. Since "EU" is not a valid
++ * ISO / IEC 3166 alpha2 code we can't expect userpace to
++ * give us a regulatory domain for it. We need last_request
++ * iniitalized though so lets just send a request which we
++ * know will be ignored... this crap will be removed once
++ * OLD_REG dies.
++ */
++ err = __regulatory_hint(NULL, REGDOM_SET_BY_CORE,
++ ieee80211_regdom, 0, ENVIRON_ANY);
+ #else
+ cfg80211_regdomain = cfg80211_world_regdom;
+
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:05:26 2009
+Date: Thu, 26 Mar 2009 23:05:21 GMT
+Message-Id: <200903262305.n2QN5LPa006977@hera.kernel.org>
+From: Jeff Layton <jlayton@tupile.poochiereds.net>
+To: stable@kernel.org
+Subject: cifs: fix buffer format byte on NT Rename/hardlink
+
+From: Jeff Layton <jlayton@tupile.poochiereds.net>
+
+upstream commit: fcc7c09d94be7b75c9ea2beb22d0fae191c6b4b9
+
+Discovered at Connnectathon 2009...
+
+The buffer format byte and the pad are transposed in NT_RENAME calls
+(which are used to set hardlinks). Most servers seem to ignore this
+fact, but NetApp filers throw back an error due to this problem. This
+patch fixes it.
+
+CC: Stable <stable@kernel.org>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/cifs/cifssmb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -2356,8 +2356,10 @@ winCreateHardLinkRetry:
+ PATH_MAX, nls_codepage, remap);
+ name_len++; /* trailing null */
+ name_len *= 2;
+- pSMB->OldFileName[name_len] = 0; /* pad */
+- pSMB->OldFileName[name_len + 1] = 0x04;
++
++ /* protocol specifies ASCII buffer format (0x04) for unicode */
++ pSMB->OldFileName[name_len] = 0x04;
++ pSMB->OldFileName[name_len + 1] = 0x00; /* pad */
+ name_len2 =
+ cifsConvertToUCS((__le16 *)&pSMB->OldFileName[name_len + 2],
+ toName, PATH_MAX, nls_codepage, remap);
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:05:20 2009
+Date: Thu, 26 Mar 2009 23:05:15 GMT
+Message-Id: <200903262305.n2QN5FKD006573@hera.kernel.org>
+From: Steve French <sfrench@us.ibm.com>
+To: stable@kernel.org
+Subject: CIFS: Fix memory overwrite when saving nativeFileSystem field during mount
+
+From: Steve French <sfrench@us.ibm.com>
+
+upstream commit: b363b3304bcf68c4541683b2eff70b29f0446a5b
+
+CIFS can allocate a few bytes to little for the nativeFileSystem field
+during tree connect response processing during mount. This can result
+in a "Redzone overwritten" message to be logged.
+
+Signed-off-by: Sridhar Vinay <vinaysridhar@in.ibm.com>
+Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com>
+CC: Stable <stable@kernel.org>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+[chrisw: minor backport to CHANGES file]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/cifs/CHANGES | 3 +++
+ fs/cifs/connect.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/CHANGES
++++ b/fs/cifs/CHANGES
+@@ -7,6 +7,9 @@ are authenticated as guest, as reconnect
+ user's smb session. This fix allows cifs to mount multiple times to the
+ same server with different userids without risking invalidating earlier
+ established security contexts.
++Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too
++little memory for the "nativeFileSystem" field returned by the server
++during mount).
+
+ Version 1.56
+ ------------
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3667,7 +3667,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(length + 2, GFP_KERNEL);
++ kzalloc(2*(length + 1), GFP_KERNEL);
+ if (tcon->nativeFileSystem)
+ cifs_strfromUCS_le(
+ tcon->nativeFileSystem,
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Mar 28 01:45:21 2009
+Date: Sat, 28 Mar 2009 01:45:15 GMT
+Message-Id: <200903280145.n2S1jFew031224@hera.kernel.org>
+From: Beat Michel Liechti <bml303@gmail.com>
+To: stable@kernel.org
+Subject: DVB: firedtv: FireDTV S2 problems with tuning solved
+
+From: Beat Michel Liechti <bml303@gmail.com>
+
+upstream commit: 32a0f488ce5e8a9a148491f15edc508ab5e8265b
+
+Tuning was broken on FireDTV S2 (and presumably FloppyDTV S2) because a
+wrong opcode was sent. The box only gave "not implemented" responses.
+Changing the opcode to _TUNE_QPSK2 fixes this for good.
+
+Cc: stable@kernel.org
+Signed-off-by: Beat Michel Liechti <bml303@gmail.com>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/media/dvb/firewire/firedtv-avc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb/firewire/firedtv-avc.c
++++ b/drivers/media/dvb/firewire/firedtv-avc.c
+@@ -135,6 +135,7 @@ static const char *debug_fcp_opcode(unsi
+ case SFE_VENDOR_OPCODE_REGISTER_REMOTE_CONTROL: return "RegisterRC";
+ case SFE_VENDOR_OPCODE_LNB_CONTROL: return "LNBControl";
+ case SFE_VENDOR_OPCODE_TUNE_QPSK: return "TuneQPSK";
++ case SFE_VENDOR_OPCODE_TUNE_QPSK2: return "TuneQPSK2";
+ case SFE_VENDOR_OPCODE_HOST2CA: return "Host2CA";
+ case SFE_VENDOR_OPCODE_CA2HOST: return "CA2Host";
+ }
+@@ -266,7 +267,10 @@ static void avc_tuner_tuneqpsk(struct fi
+ c->operand[0] = SFE_VENDOR_DE_COMPANYID_0;
+ c->operand[1] = SFE_VENDOR_DE_COMPANYID_1;
+ c->operand[2] = SFE_VENDOR_DE_COMPANYID_2;
+- c->operand[3] = SFE_VENDOR_OPCODE_TUNE_QPSK;
++ if (fdtv->type == FIREDTV_DVB_S2)
++ c->operand[3] = SFE_VENDOR_OPCODE_TUNE_QPSK2;
++ else
++ c->operand[3] = SFE_VENDOR_OPCODE_TUNE_QPSK;
+
+ c->operand[4] = (params->frequency >> 24) & 0xff;
+ c->operand[5] = (params->frequency >> 16) & 0xff;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:05:14 2009
+Date: Thu, 26 Mar 2009 23:05:09 GMT
+Message-Id: <200903262305.n2QN59iF006038@hera.kernel.org>
+From: Andre Przywara <andre.przywara@amd.com>
+To: stable@kernel.org
+Subject: KVM: SVM: set accessed bit for VMCB segment selectors
+
+From: Andre Przywara <andre.przywara@amd.com>
+
+upstream commit: 1fbdc7a58512a6283e10fd27108197679db95ffa
+
+In the segment descriptor _cache_ the accessed bit is always set
+(although it can be cleared in the descriptor itself). Since Intel
+checks for this condition on a VMENTRY, set this bit in the AMD path
+to enable cross vendor migration.
+
+Cc: stable@kernel.org
+Signed-off-by: Andre Przywara <andre.przywara@amd.com>
+Acked-By: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/x86/kvm/svm.c | 41 +++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -760,20 +760,37 @@ static void svm_get_segment(struct kvm_v
+ var->db = (s->attrib >> SVM_SELECTOR_DB_SHIFT) & 1;
+ var->g = (s->attrib >> SVM_SELECTOR_G_SHIFT) & 1;
+
+- /*
+- * SVM always stores 0 for the 'G' bit in the CS selector in
+- * the VMCB on a VMEXIT. This hurts cross-vendor migration:
+- * Intel's VMENTRY has a check on the 'G' bit.
+- */
+- if (seg == VCPU_SREG_CS)
++ switch (seg) {
++ case VCPU_SREG_CS:
++ /*
++ * SVM always stores 0 for the 'G' bit in the CS selector in
++ * the VMCB on a VMEXIT. This hurts cross-vendor migration:
++ * Intel's VMENTRY has a check on the 'G' bit.
++ */
+ var->g = s->limit > 0xfffff;
+-
+- /*
+- * Work around a bug where the busy flag in the tr selector
+- * isn't exposed
+- */
+- if (seg == VCPU_SREG_TR)
++ break;
++ case VCPU_SREG_TR:
++ /*
++ * Work around a bug where the busy flag in the tr selector
++ * isn't exposed
++ */
+ var->type |= 0x2;
++ break;
++ case VCPU_SREG_DS:
++ case VCPU_SREG_ES:
++ case VCPU_SREG_FS:
++ case VCPU_SREG_GS:
++ /*
++ * The accessed bit must always be set in the segment
++ * descriptor cache, although it can be cleared in the
++ * descriptor, the cached bit always remains at 1. Since
++ * Intel has a check on this, set it here to support
++ * cross-vendor migration.
++ */
++ if (!var->unusable)
++ var->type |= 0x1;
++ break;
++ }
+
+ var->unusable = !var->present;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:05:08 2009
+Date: Thu, 26 Mar 2009 23:05:03 GMT
+From: Avi Kivity <avi@redhat.com>
+Message-Id: <200903262305.n2QN53AB005694@hera.kernel.org>
+To: stable@kernel.org
+Subject: KVM: VMX: Don't allow uninhibited access to EFER on i386
+
+From: Avi Kivity <avi@redhat.com>
+
+upstream commit: 16175a796d061833aacfbd9672235f2d2725df65
+
+vmx_set_msr() does not allow i386 guests to touch EFER, but they can still
+do so through the default: label in the switch. If they set EFER_LME, they
+can oops the host.
+
+Fix by having EFER access through the normal channel (which will check for
+EFER_LME) even on i386.
+
+Reported-and-tested-by: Benjamin Gilbert <bgilbert@cs.cmu.edu>
+Cc: stable@kernel.org
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -928,11 +928,11 @@ static int vmx_set_msr(struct kvm_vcpu *
+ int ret = 0;
+
+ switch (msr_index) {
+-#ifdef CONFIG_X86_64
+ case MSR_EFER:
+ vmx_load_host_state(vmx);
+ ret = kvm_set_msr_common(vcpu, msr_index, data);
+ break;
++#ifdef CONFIG_X86_64
+ case MSR_FS_BASE:
+ vmcs_writel(GUEST_FS_BASE, data);
+ break;
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 23:25:10 2009
+Date: Thu, 26 Mar 2009 23:25:05 GMT
+Message-Id: <200903262325.n2QNP5lM020281@hera.kernel.org>
+From: Oleg Nesterov <oleg@redhat.com>
+To: stable@kernel.org
+Subject: posix timers: fix RLIMIT_CPU && fork()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+upstream commit: 37bebc70d7ad4144c571d74500db3bb26ec0c0eb
+
+See http://bugzilla.kernel.org/show_bug.cgi?id=12911
+
+copy_signal() copies signal->rlim, but RLIMIT_CPU is "lost". Because
+posix_cpu_timers_init_group() sets cputime_expires.prof_exp = 0 and thus
+fastpath_timer_check() returns false unless we have other cpu timers.
+
+This is the minimal fix for 2.6.29 (tested) and 2.6.28. The patch is not
+optimal, we need further cleanups here. With this patch update_rlimit_cpu()
+is not really needed, but I don't think it should be removed.
+
+The proper fix (I think) is:
+
+ - set_process_cpu_timer() should just start the cputimer->running
+ logic (it does), no need to change cputime_expires.xxx_exp
+
+ - posix_cpu_timers_init_group() should set ->running when needed
+
+ - fastpath_timer_check() can check ->running instead of
+ task_cputime_zero(signal->cputime_expires)
+
+Reported-by: Peter Lojkin <ia6432@inbox.ru>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Roland McGrath <roland@redhat.com>
+Cc: <stable@kernel.org> [for 2.6.29.x]
+LKML-Reference: <20090323193411.GA17514@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Oleg, what about the other two patches you send?
+
+ kernel/posix-cpu-timers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/posix-cpu-timers.c
++++ b/kernel/posix-cpu-timers.c
+@@ -1370,7 +1370,8 @@ static inline int fastpath_timer_check(s
+ if (task_cputime_expired(&group_sample, &sig->cputime_expires))
+ return 1;
+ }
+- return 0;
++
++ return sig->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY;
+ }
+
+ /*
gro-disable-gro-on-legacy-netif_rx-path.patch
ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch
xfrm-spin_lock-should-be-spin_unlock-in-xfrm_state.c.patch
+usb-ehci-add-software-retry-for-transaction-errors.patch
+usb-fix-usb_storage_cypress_atacb.patch
+usb-usb-storage-increase-max_sectors-for-tape-drives.patch
+usb-gadget-fix-rndis-regression.patch
+usb-add-quirk-to-avoid-config-and-interface-strings.patch
+kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch
+kvm-svm-set-accessed-bit-for-vmcb-segment-selectors.patch
+ath9k-downgrade-xmit-queue-full-message-to-xmit-debug.patch
+cifs-fix-buffer-format-byte-on-nt-rename-hardlink.patch
+ath5k-use-spin_lock_irqsave-for-beacon-lock.patch
+posix-timers-fix-rlimit_cpu-fork.patch
+ath9k-fix-dma-mapping-leak-of-rx-buffer-upon-rmmod.patch
+b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch
+ath5k-disable-mib-interrupts.patch
+ath5k-warn-and-correct-rate-for-unknown-hw-rate-indexes.patch
+cifs-fix-memory-overwrite-when-saving-nativefilesystem-field-during-mount.patch
+cfg80211-force-last_request-to-be-set-for-old_reg-if-regdom-is-eu.patch
+dvb-firedtv-firedtv-s2-problems-with-tuning-solved.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 18:25:24 2009
+Date: Thu, 26 Mar 2009 18:25:19 GMT
+Message-Id: <200903261825.n2QIPJ6T021123@hera.kernel.org>
+From: Alan Stern <stern@rowland.harvard.edu>
+To: stable@kernel.org
+Subject: USB: add quirk to avoid config and interface strings
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: 1662e3a7f076e51e3073faf9ce77157b529c475b
+
+Apparently the Configuration and Interface strings aren't used as
+often as the Vendor, Product, and Serial strings. In at least one
+device (a Saitek Cyborg Gold 3D joystick), attempts to read the
+Configuration string cause the device to stop responding to Control
+requests.
+
+This patch (as1226) adds a quirks flag, telling the kernel not to
+read a device's Configuration or Interface strings, together with a
+new quirk for the offending joystick.
+
+Reported-by: Melchior FRANZ <melchior.franz@gmail.com>
+Tested-by: Melchior FRANZ <melchior.franz@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@kernel.org> [2.6.28 and 2.6.29, nothing earlier]
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/core/message.c | 3 ++-
+ drivers/usb/core/quirks.c | 4 ++++
+ drivers/usb/core/sysfs.c | 4 +++-
+ include/linux/usb/quirks.h | 3 +++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1719,7 +1719,8 @@ free_interfaces:
+ }
+ kfree(new_interfaces);
+
+- if (cp->string == NULL)
++ if (cp->string == NULL &&
++ !(dev->quirks & USB_QUIRK_CONFIG_INTF_STRINGS))
+ cp->string = usb_cache_string(dev, cp->desc.iConfiguration);
+
+ /* Now that all the interfaces are set up, register them
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -54,6 +54,10 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x0638, 0x0a13), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+
++ /* Saitek Cyborg Gold Joystick */
++ { USB_DEVICE(0x06a3, 0x0006), .driver_info =
++ USB_QUIRK_CONFIG_INTF_STRINGS },
++
+ /* M-Systems Flash Disk Pioneers */
+ { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--- a/drivers/usb/core/sysfs.c
++++ b/drivers/usb/core/sysfs.c
+@@ -13,6 +13,7 @@
+ #include <linux/kernel.h>
+ #include <linux/string.h>
+ #include <linux/usb.h>
++#include <linux/usb/quirks.h>
+ #include "usb.h"
+
+ /* Active configuration fields */
+@@ -813,7 +814,8 @@ int usb_create_sysfs_intf_files(struct u
+ if (intf->sysfs_files_created || intf->unregistering)
+ return 0;
+
+- if (alt->string == NULL)
++ if (alt->string == NULL &&
++ !(udev->quirks & USB_QUIRK_CONFIG_INTF_STRINGS))
+ alt->string = usb_cache_string(udev, alt->desc.iInterface);
+ if (alt->string)
+ retval = device_create_file(&intf->dev, &dev_attr_interface);
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -16,4 +16,7 @@
+ /* device can't handle Set-Interface requests */
+ #define USB_QUIRK_NO_SET_INTF 0x00000004
+
++/* device can't handle its Configuration or Interface strings */
++#define USB_QUIRK_CONFIG_INTF_STRINGS 0x00000008
++
+ #endif /* __LINUX_USB_QUIRKS_H */
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 18:25:10 2009
+Date: Thu, 26 Mar 2009 18:25:05 GMT
+Message-Id: <200903261825.n2QIP5hV020995@hera.kernel.org>
+From: Alan Stern <stern@rowland.harvard.edu>
+To: stable@kernel.org
+Subject: USB: EHCI: add software retry for transaction errors
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: a2c2706e1043c17139c2dafd171c4a5cf008ef7e
+
+This patch (as1204) adds a software retry mechanism to ehci-hcd. It
+gets invoked when the driver encounters transaction errors on an
+asynchronous endpoint. On many systems, hardware deficiencies cause
+such errors to occur if one device is unplugged while the host is
+communicating with another device. With the patch, the failed
+transactions are retried and generally succeed the second or third
+time through.
+
+This is based on code originally written by Koichiro Saito.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested by: Koichiro Saito <Saito.Koichiro@adniss.jp>
+CC: David Brownell <david-b@pacbell.net>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/host/ehci-q.c | 32 ++++++++++++++++++++++++++++++++
+ drivers/usb/host/ehci.h | 3 +++
+ 2 files changed, 35 insertions(+)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -333,12 +333,40 @@ qh_completions (struct ehci_hcd *ehci, s
+ token = hc32_to_cpu(ehci, qtd->hw_token);
+
+ /* always clean up qtds the hc de-activated */
++ retry_xacterr:
+ if ((token & QTD_STS_ACTIVE) == 0) {
+
+ /* on STALL, error, and short reads this urb must
+ * complete and all its qtds must be recycled.
+ */
+ if ((token & QTD_STS_HALT) != 0) {
++
++ /* retry transaction errors until we
++ * reach the software xacterr limit
++ */
++ if ((token & QTD_STS_XACT) &&
++ QTD_CERR(token) == 0 &&
++ --qh->xacterrs > 0 &&
++ !urb->unlinked) {
++ ehci_dbg(ehci,
++ "detected XactErr len %d/%d retry %d\n",
++ qtd->length - QTD_LENGTH(token), qtd->length,
++ QH_XACTERR_MAX - qh->xacterrs);
++
++ /* reset the token in the qtd and the
++ * qh overlay (which still contains
++ * the qtd) so that we pick up from
++ * where we left off
++ */
++ token &= ~QTD_STS_HALT;
++ token |= QTD_STS_ACTIVE |
++ (EHCI_TUNE_CERR << 10);
++ qtd->hw_token = cpu_to_hc32(ehci,
++ token);
++ wmb();
++ qh->hw_token = cpu_to_hc32(ehci, token);
++ goto retry_xacterr;
++ }
+ stopped = 1;
+
+ /* magic dummy for some short reads; qh won't advance.
+@@ -421,6 +449,9 @@ halt:
+ /* remove qtd; it's recycled after possible urb completion */
+ list_del (&qtd->qtd_list);
+ last = qtd;
++
++ /* reinit the xacterr counter for the next qtd */
++ qh->xacterrs = QH_XACTERR_MAX;
+ }
+
+ /* last urb's completion might still need calling */
+@@ -862,6 +893,7 @@ static void qh_link_async (struct ehci_h
+ head->qh_next.qh = qh;
+ head->hw_next = dma;
+
++ qh->xacterrs = QH_XACTERR_MAX;
+ qh->qh_state = QH_STATE_LINKED;
+ /* qtd completions reported later by interrupt */
+ }
+--- a/drivers/usb/host/ehci.h
++++ b/drivers/usb/host/ehci.h
+@@ -376,6 +376,9 @@ struct ehci_qh {
+ #define QH_STATE_UNLINK_WAIT 4 /* LINKED and on reclaim q */
+ #define QH_STATE_COMPLETING 5 /* don't touch token.HALT */
+
++ u8 xacterrs; /* XactErr retry counter */
++#define QH_XACTERR_MAX 32 /* XactErr retry limit */
++
+ /* periodic schedule info */
+ u8 usecs; /* intr bandwidth */
+ u8 gap_uf; /* uframes split/csplit gap */
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 18:25:11 2009
+Date: Thu, 26 Mar 2009 18:25:07 GMT
+Message-Id: <200903261825.n2QIP7w0021010@hera.kernel.org>
+From: Boaz Harrosh <bharrosh@panasas.com>
+To: stable@kernel.org
+Subject: USB: fix USB_STORAGE_CYPRESS_ATACB
+
+From: Boaz Harrosh <bharrosh@panasas.com>
+
+upstream commit: 1f4159c1620f74377e26d8a569d10ca5907ef475
+
+commit 64a87b24: [SCSI] Let scsi_cmnd->cmnd use request->cmd buffer
+changed the scsi_eh_prep_cmnd logic by making it clear
+the ->cmnd buffer. But the sat to cypress atacb translation supposed
+the ->cmnd buffer wasn't modified.
+
+This patch makes it set the ->cmnd buffer after scsi_eh_prep_cmnd call.
+The problem and a fix was reported by Matthieu CASTET <castet.matthieu@free.fr>
+
+It also removes all the hackery fiddling of scsi_cmnd and scsi_eh_save by
+requesting from scsi_eh_prep_cmnd to prepare a read into ->sense_buffer,
+which is much more suitable a buffer for HW transfers, then after the command
+execution the regs read is copied into regs buffer before actual preparation
+of sense_buffer.
+
+Also fix an alien comment character to my utf-8 editor.
+
+Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
+Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
+Cc: stable <stable@kernel.org>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Cc: Matthew Dharm <mdharm-kernel@one-eyed-alien.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/cypress_atacb.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/storage/cypress_atacb.c
++++ b/drivers/usb/storage/cypress_atacb.c
+@@ -133,19 +133,18 @@ void cypress_atacb_passthrough(struct sc
+
+ /* build the command for
+ * reading the ATA registers */
+- scsi_eh_prep_cmnd(srb, &ses, NULL, 0, 0);
+- srb->sdb.length = sizeof(regs);
+- sg_init_one(&ses.sense_sgl, regs, srb->sdb.length);
+- srb->sdb.table.sgl = &ses.sense_sgl;
+- srb->sc_data_direction = DMA_FROM_DEVICE;
+- srb->sdb.table.nents = 1;
++ scsi_eh_prep_cmnd(srb, &ses, NULL, 0, sizeof(regs));
++
+ /* we use the same command as before, but we set
+ * the read taskfile bit, for not executing atacb command,
+ * but reading register selected in srb->cmnd[4]
+ */
++ srb->cmd_len = 16;
++ srb->cmnd = ses.cmnd;
+ srb->cmnd[2] = 1;
+
+ usb_stor_transparent_scsi_command(srb, us);
++ memcpy(regs, srb->sense_buffer, sizeof(regs));
+ tmp_result = srb->result;
+ scsi_eh_restore_cmnd(srb, &ses);
+ /* we fail to get registers, report invalid command */
+@@ -162,8 +161,8 @@ void cypress_atacb_passthrough(struct sc
+
+ /* XXX we should generate sk, asc, ascq from status and error
+ * regs
+- * (see 11.1 Error translation ATA device error to SCSI error map)
+- * and ata_to_sense_error from libata.
++ * (see 11.1 Error translation ATA device error to SCSI error
++ * map, and ata_to_sense_error from libata.)
+ */
+
+ /* Sense data is current and format is descriptor. */
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 18:25:22 2009
+Date: Thu, 26 Mar 2009 18:25:12 GMT
+Message-Id: <200903261825.n2QIPCIh021094@hera.kernel.org>
+From: David Brownell <dbrownell@users.sourceforge.net>
+To: stable@kernel.org
+Subject: USB: gadget: fix rndis regression
+
+From: David Brownell <dbrownell@users.sourceforge.net>
+
+upstream commit: 090b90118207e786d2990310d063fda5d52cce6e
+
+Restore some code that was wrongly dropped from the RNDIS
+driver, and caused interop problems observed with OpenMoko.
+
+The issue is with hardware which needs help conforming to part
+of the USB 2.0 spec (section 8.5.3.2); some can automagically
+send a ZLP in response to an unexpected IN, but not all chips
+will do that. We don't need to check the packet length ourselves
+the way earlier code did, since the UDC must already check it.
+But we do need to tell the UDC when it must force a short packet
+termination of the data stage.
+
+(Based on a patch from Aric D. Blumer <aric at sdgsystems.com>)
+
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/gadget/f_rndis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/f_rndis.c
++++ b/drivers/usb/gadget/f_rndis.c
+@@ -437,7 +437,7 @@ invalid:
+ DBG(cdev, "rndis req%02x.%02x v%04x i%04x l%d\n",
+ ctrl->bRequestType, ctrl->bRequest,
+ w_value, w_index, w_length);
+- req->zero = 0;
++ req->zero = (value < w_length);
+ req->length = value;
+ value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
+ if (value < 0)
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Mar 26 18:25:15 2009
+Date: Thu, 26 Mar 2009 18:25:09 GMT
+Message-Id: <200903261825.n2QIP9SU021067@hera.kernel.org>
+From: Alan Stern <stern@rowland.harvard.edu>
+To: stable@kernel.org
+Subject: USB: usb-storage: increase max_sectors for tape drives
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: 5c16034d73da2c1b663aa25dedadbc533b3d811c
+
+This patch (as1203) increases the max_sector limit for USB tape
+drives. By default usb-storage sets max_sectors to 240 (i.e., 120 KB)
+for all devices. But tape drives need a higher limit, since tapes can
+and do have very large block sizes. Without the ability to transfer
+an entire large block in a single command, such tapes can't be used.
+
+This fixes Bugzilla #12207.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Phil Mitchell <philipm@sybase.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/scsiglue.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -135,6 +135,12 @@ static int slave_configure(struct scsi_d
+ if (sdev->request_queue->max_sectors > max_sectors)
+ blk_queue_max_sectors(sdev->request_queue,
+ max_sectors);
++ } else if (sdev->type == TYPE_TAPE) {
++ /* Tapes need much higher max_sector limits, so just
++ * raise it to the maximum possible (4 GB / 512) and
++ * let the queue segment size sort out the real limit.
++ */
++ blk_queue_max_sectors(sdev->request_queue, 0x7FFFFF);
+ }
+
+ /* Some USB host controllers can't do DMA; they have to use PIO.
projects / thirdparty / kernel / stable-queue.git / commitdiff
