--- /dev/null
+From 1e0ad2881d50becaeea70ec696a80afeadf944d2 Mon Sep 17 00:00:00 2001
+From: Graham Gower <graham.gower@gmail.com>
+Date: Wed, 27 Oct 2010 15:33:00 -0700
+Subject: drivers/char/vt_ioctl.c: fix VT_OPENQRY error value
+
+From: Graham Gower <graham.gower@gmail.com>
+
+commit 1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream.
+
+When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before
+returning it to userspace as an int. VT255 is not the next available
+console.
+
+Signed-off-by: Graham Gower <graham.gower@gmail.com>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/vt_ioctl.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/vt_ioctl.c
++++ b/drivers/char/vt_ioctl.c
+@@ -503,6 +503,7 @@ int vt_ioctl(struct tty_struct *tty, str
+ struct kbd_struct * kbd;
+ unsigned int console;
+ unsigned char ucval;
++ unsigned int uival;
+ void __user *up = (void __user *)arg;
+ int i, perm;
+ int ret = 0;
+@@ -657,7 +658,7 @@ int vt_ioctl(struct tty_struct *tty, str
+ break;
+
+ case KDGETMODE:
+- ucval = vc->vc_mode;
++ uival = vc->vc_mode;
+ goto setint;
+
+ case KDMAPDISP:
+@@ -695,7 +696,7 @@ int vt_ioctl(struct tty_struct *tty, str
+ break;
+
+ case KDGKBMODE:
+- ucval = ((kbd->kbdmode == VC_RAW) ? K_RAW :
++ uival = ((kbd->kbdmode == VC_RAW) ? K_RAW :
+ (kbd->kbdmode == VC_MEDIUMRAW) ? K_MEDIUMRAW :
+ (kbd->kbdmode == VC_UNICODE) ? K_UNICODE :
+ K_XLATE);
+@@ -717,9 +718,9 @@ int vt_ioctl(struct tty_struct *tty, str
+ break;
+
+ case KDGKBMETA:
+- ucval = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT);
++ uival = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT);
+ setint:
+- ret = put_user(ucval, (int __user *)arg);
++ ret = put_user(uival, (int __user *)arg);
+ break;
+
+ case KDGETKEYCODE:
+@@ -949,7 +950,7 @@ int vt_ioctl(struct tty_struct *tty, str
+ for (i = 0; i < MAX_NR_CONSOLES; ++i)
+ if (! VT_IS_IN_USE(i))
+ break;
+- ucval = i < MAX_NR_CONSOLES ? (i+1) : -1;
++ uival = i < MAX_NR_CONSOLES ? (i+1) : -1;
+ goto setint;
+
+ /*
--- /dev/null
+From 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Date: Thu, 23 Sep 2010 02:35:04 -0500
+Subject: eCryptfs: Clear LOOKUP_OPEN flag when creating lower file
+
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+
+commit 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream.
+
+eCryptfs was passing the LOOKUP_OPEN flag through to the lower file
+system, even though ecryptfs_create() doesn't support the flag. A valid
+filp for the lower filesystem could be returned in the nameidata if the
+lower file system's create() function supported LOOKUP_OPEN, possibly
+resulting in unencrypted writes to the lower file.
+
+However, this is only a potential problem in filesystems (FUSE, NFS,
+CIFS, CEPH, 9p) that eCryptfs isn't known to support today.
+
+https://bugs.launchpad.net/ecryptfs/+bug/641703
+
+Reported-by: Kevin Buhr
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -69,15 +69,19 @@ ecryptfs_create_underlying_file(struct i
+ struct vfsmount *lower_mnt = ecryptfs_dentry_to_lower_mnt(dentry);
+ struct dentry *dentry_save;
+ struct vfsmount *vfsmount_save;
++ unsigned int flags_save;
+ int rc;
+
+ dentry_save = nd->path.dentry;
+ vfsmount_save = nd->path.mnt;
++ flags_save = nd->flags;
+ nd->path.dentry = lower_dentry;
+ nd->path.mnt = lower_mnt;
++ nd->flags &= ~LOOKUP_OPEN;
+ rc = vfs_create(lower_dir_inode, lower_dentry, mode, nd);
+ nd->path.dentry = dentry_save;
+ nd->path.mnt = vfsmount_save;
++ nd->flags = flags_save;
+ return rc;
+ }
+
--- /dev/null
+From 96e9694df446d1154ec2f4fdba8908588b9cba38 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Tue, 26 Oct 2010 14:22:13 -0700
+Subject: hpet: fix unwanted interrupt due to stale irq status bit
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit 96e9694df446d1154ec2f4fdba8908588b9cba38 upstream.
+
+Jaswinder Singh Rajput wrote:
+> By executing Documentation/timers/hpet_example.c
+>
+> for polling, I requested for 3 iterations but it seems iteration work
+> for only 2 as first expired time is always very small.
+>
+> # ./hpet_example poll /dev/hpet 10 3
+> -hpet: executing poll
+> hpet_poll: info.hi_flags 0x0
+> hpet_poll: expired time = 0x13
+> hpet_poll: revents = 0x1
+> hpet_poll: data 0x1
+> hpet_poll: expired time = 0x1868c
+> hpet_poll: revents = 0x1
+> hpet_poll: data 0x1
+> hpet_poll: expired time = 0x18645
+> hpet_poll: revents = 0x1
+> hpet_poll: data 0x1
+
+Clearing the HPET interrupt enable bit disables interrupt generation
+but does not disable the timer, so the interrupt status bit will still
+be set when the timer elapses. If another interrupt arrives before
+the timer has been correctly programmed (due to some other device on
+the same interrupt line, or CONFIG_DEBUG_SHIRQ), this results in an
+extra unwanted interrupt event because the status bit is likely to be
+set from comparator matches that happened before the device was opened.
+
+Therefore, we have to ensure that the interrupt status bit is and
+stays cleared until we actually program the timer.
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Reported-by: Jaswinder Singh Rajput <jaswinderlinux@gmail.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: john stultz <johnstul@us.ibm.com>
+Cc: Bob Picco <bpicco@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/hpet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/char/hpet.c
++++ b/drivers/char/hpet.c
+@@ -476,6 +476,21 @@ static int hpet_ioctl_ieon(struct hpet_d
+ if (irq) {
+ unsigned long irq_flags;
+
++ if (devp->hd_flags & HPET_SHARED_IRQ) {
++ /*
++ * To prevent the interrupt handler from seeing an
++ * unwanted interrupt status bit, program the timer
++ * so that it will not fire in the near future ...
++ */
++ writel(readl(&timer->hpet_config) & ~Tn_TYPE_CNF_MASK,
++ &timer->hpet_config);
++ write_counter(read_counter(&hpet->hpet_mc),
++ &timer->hpet_compare);
++ /* ... and clear any left-over status. */
++ isr = 1 << (devp - devp->hd_hpets->hp_dev);
++ writel(isr, &hpet->hpet_isr);
++ }
++
+ sprintf(devp->hd_name, "hpet%d", (int)(devp - hpetp->hp_dev));
+ irq_flags = devp->hd_flags & HPET_SHARED_IRQ
+ ? IRQF_SHARED : IRQF_DISABLED;
--- /dev/null
+From a56d5318716d120e040294bb258901ba89fb9c90 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Tue, 26 Oct 2010 14:22:11 -0700
+Subject: hpet: unmap unused I/O space
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit a56d5318716d120e040294bb258901ba89fb9c90 upstream.
+
+When the initialization code in hpet finds a memory resource and does not
+find an IRQ, it does not unmap the memory resource previously mapped.
+
+There are buggy BIOSes which report resources exactly like this and what
+is worse the memory region bases point to normal RAM. This normally would
+not matter since the space is not touched. But when PAT is turned on,
+ioremap causes the page to be uncached and sets this bit in page->flags.
+
+Then when the page is about to be used by the allocator, it is reported
+as:
+
+BUG: Bad page state in process md5sum pfn:3ed00
+page:ffffea0000dbd800 count:0 mapcount:0 mapping:(null) index:0x0
+page flags: 0x20000001000000(uncached)
+Pid: 7956, comm: md5sum Not tainted 2.6.34-12-desktop #1
+Call Trace:
+ [<ffffffff810df851>] bad_page+0xb1/0x100
+ [<ffffffff810dfa45>] prep_new_page+0x1a5/0x1c0
+ [<ffffffff810dfe01>] get_page_from_freelist+0x3a1/0x640
+ [<ffffffff810e01af>] __alloc_pages_nodemask+0x10f/0x6b0
+...
+
+In this particular case:
+
+1) HPET returns 3ed00000 as memory region base, but it is not in
+reserved ranges reported by the BIOS (excerpt):
+ BIOS-e820: 0000000000100000 - 00000000af6cf000 (usable)
+ BIOS-e820: 00000000af6cf000 - 00000000afdcf000 (reserved)
+
+2) there is no IRQ resource reported by HPET method. On the other
+hand, the Intel HPET specs (1.0a) says (3.2.5.1):
+_CRS (
+ // Report 1K of memory consumed by this Timer Block
+ memory range consumed
+ // Optional: only used if BIOS allocates Interrupts [1]
+ IRQs consumed
+)
+
+[1] For case where Timer Block is configured to consume IRQ0/IRQ8 AND
+Legacy 8254/Legacy RTC hardware still exists, the device objects
+associated with 8254 & RTC devices should not report IRQ0/IRQ8 as
+"consumed resources".
+
+So in theory we should check whether if it is the case and use those
+interrupts instead.
+
+Anyway the address reported by the BIOS here is bogus, so non-presence
+of IRQ doesn't mean the "optional" part in point 2).
+
+Since I got no reply previously, fix this by simply unmapping the space
+when IRQ is not found and memory region was mapped previously. It would
+be probably more safe to walk the resources again and unmap appropriately
+depending on type. But as we now use only ioremap for both 2 memory
+resource types, it is not necessarily needed right now.
+
+Addresses https://bugzilla.novell.com/show_bug.cgi?id=629908
+
+Reported-by: Olaf Hering <olaf@aepfle.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/hpet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/hpet.c
++++ b/drivers/char/hpet.c
+@@ -982,6 +982,8 @@ static int hpet_acpi_add(struct acpi_dev
+ return -ENODEV;
+
+ if (!data.hd_address || !data.hd_nirqs) {
++ if (data.hd_address)
++ iounmap(data.hd_address);
+ printk("%s: no address or irqs in _CRS\n", __func__);
+ return -ENODEV;
+ }
--- /dev/null
+From fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <khali@linux-fr.org>
+Date: Thu, 28 Oct 2010 20:31:50 +0200
+Subject: hwmon: (lm85) Fix ADT7468 frequency table
+
+From: Jean Delvare <khali@linux-fr.org>
+
+commit fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 upstream.
+
+The ADT7468 uses the same frequency table as the ADT7463.
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Cc: Darrick J. Wong <djwong@us.ibm.com>
+Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hwmon/lm85.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hwmon/lm85.c
++++ b/drivers/hwmon/lm85.c
+@@ -1259,6 +1259,7 @@ static int lm85_probe(struct i2c_client
+ switch (data->type) {
+ case adm1027:
+ case adt7463:
++ case adt7468:
+ case emc6d100:
+ case emc6d102:
+ data->freq_map = adm1027_freq_map;
--- /dev/null
+From 03145beb455cf5c20a761e8451e30b8a74ba58d9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 27 Oct 2010 15:34:17 -0700
+Subject: ipc: initialize structure memory to zero for compat functions
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream.
+
+This takes care of leaking uninitialized kernel stack memory to
+userspace from non-zeroed fields in structs in compat ipc functions.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/compat.c | 6 ++++++
+ ipc/compat_mq.c | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+--- a/ipc/compat.c
++++ b/ipc/compat.c
+@@ -242,6 +242,8 @@ long compat_sys_semctl(int first, int se
+ struct semid64_ds __user *up64;
+ int version = compat_ipc_parse_version(&third);
+
++ memset(&s64, 0, sizeof(s64));
++
+ if (!uptr)
+ return -EINVAL;
+ if (get_user(pad, (u32 __user *) uptr))
+@@ -422,6 +424,8 @@ long compat_sys_msgctl(int first, int se
+ int version = compat_ipc_parse_version(&second);
+ void __user *p;
+
++ memset(&m64, 0, sizeof(m64));
++
+ switch (second & (~IPC_64)) {
+ case IPC_INFO:
+ case IPC_RMID:
+@@ -595,6 +599,8 @@ long compat_sys_shmctl(int first, int se
+ int err, err2;
+ int version = compat_ipc_parse_version(&second);
+
++ memset(&s64, 0, sizeof(s64));
++
+ switch (second & (~IPC_64)) {
+ case IPC_RMID:
+ case SHM_LOCK:
+--- a/ipc/compat_mq.c
++++ b/ipc/compat_mq.c
+@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
+ void __user *p = NULL;
+ if (u_attr && oflag & O_CREAT) {
+ struct mq_attr attr;
++
++ memset(&attr, 0, sizeof(attr));
++
+ p = compat_alloc_user_space(sizeof(attr));
+ if (get_compat_mq_attr(&attr, u_attr) ||
+ copy_to_user(p, &attr, sizeof(attr)))
+@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
+ struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
+ long ret;
+
++ memset(&mqstat, 0, sizeof(mqstat));
++
+ if (u_mqstat) {
+ if (get_compat_mq_attr(&mqstat, u_mqstat) ||
+ copy_to_user(p, &mqstat, sizeof(mqstat)))
--- /dev/null
+From 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 30 Oct 2010 18:22:49 +0400
+Subject: ipc: shm: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream.
+
+The shmid_ds structure is copied to userland with shm_unused{,2,3}
+fields unitialized. It leads to leaking of contents of kernel stack
+memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/shm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -476,6 +476,7 @@ static inline unsigned long copy_shmid_t
+ {
+ struct shmid_ds out;
+
++ memset(&out, 0, sizeof(out));
+ ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
+ out.shm_segsz = in->shm_segsz;
+ out.shm_atime = in->shm_atime;
--- /dev/null
+From c26a44ed1e552aaa1d4ceb71842002d235fe98d7 Mon Sep 17 00:00:00 2001
+From: Justin Maggard <jmaggard10@gmail.com>
+Date: Wed, 24 Nov 2010 16:36:17 +1100
+Subject: md: fix return value of rdev_size_change()
+
+From: Justin Maggard <jmaggard10@gmail.com>
+
+commit c26a44ed1e552aaa1d4ceb71842002d235fe98d7 upstream.
+
+When trying to grow an array by enlarging component devices,
+rdev_size_store() expects the return value of rdev_size_change() to be
+in sectors, but the actual value is returned in KBs.
+
+This functionality was broken by commit
+ dd8ac336c13fd8afdb082ebacb1cddd5cf727889
+so this patch is suitable for any kernel since 2.6.30.
+
+Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/md.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1255,7 +1255,7 @@ super_90_rdev_size_change(mdk_rdev_t *rd
+ md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
+ rdev->sb_page);
+ md_super_wait(rdev->mddev);
+- return num_sectors / 2; /* kB for sysfs */
++ return num_sectors;
+ }
+
+
+@@ -1617,7 +1617,7 @@ super_1_rdev_size_change(mdk_rdev_t *rde
+ md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
+ rdev->sb_page);
+ md_super_wait(rdev->mddev);
+- return num_sectors / 2; /* kB for sysfs */
++ return num_sectors;
+ }
+
+ static struct super_type super_types[] = {
--- /dev/null
+From 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Wed, 24 Nov 2010 16:39:46 +1100
+Subject: md/raid1: really fix recovery looping when single good device fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: NeilBrown <neilb@suse.de>
+
+commit 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 upstream.
+
+Commit 4044ba58dd15cb01797c4fd034f39ef4a75f7cc3 supposedly fixed a
+problem where if a raid1 with just one good device gets a read-error
+during recovery, the recovery would abort and immediately restart in
+an infinite loop.
+
+However it depended on raid1_remove_disk removing the spare device
+from the array. But that does not happen in this case. So add a test
+so that in the 'recovery_disabled' case, the device will be removed.
+
+This suitable for any kernel since 2.6.29 which is when
+recovery_disabled was introduced.
+
+Reported-by: Sebastian Färber <faerber@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/raid1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1196,6 +1196,7 @@ static int raid1_remove_disk(mddev_t *md
+ * is not possible.
+ */
+ if (!test_bit(Faulty, &rdev->flags) &&
++ !mddev->recovery_disabled &&
+ mddev->degraded < conf->raid_disks) {
+ err = -EBUSY;
+ goto abort;
--- /dev/null
+From 572438f9b52236bd8938b1647cc15e027d27ef55 Mon Sep 17 00:00:00 2001
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Date: Tue, 26 Oct 2010 14:22:08 -0700
+Subject: mm: fix is_mem_section_removable() page_order BUG_ON check
+
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+
+commit 572438f9b52236bd8938b1647cc15e027d27ef55 upstream.
+
+page_order() is called by memory hotplug's user interface to check the
+section is removable or not. (is_mem_section_removable())
+
+It calls page_order() withoug holding zone->lock.
+So, even if the caller does
+
+ if (PageBuddy(page))
+ ret = page_order(page) ...
+The caller may hit BUG_ON().
+
+For fixing this, there are 2 choices.
+ 1. add zone->lock.
+ 2. remove BUG_ON().
+
+is_mem_section_removable() is used for some "advice" and doesn't need to
+be 100% accurate. This is_removable() can be called via user program..
+We don't want to take this important lock for long by user's request. So,
+this patch removes BUG_ON().
+
+Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Acked-by: Wu Fengguang <fengguang.wu@intel.com>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Acked-by: Mel Gorman <mel@csn.ul.ie>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/internal.h
++++ b/mm/internal.h
+@@ -62,7 +62,7 @@ extern bool is_free_buddy_page(struct pa
+ */
+ static inline unsigned long page_order(struct page *page)
+ {
+- VM_BUG_ON(!PageBuddy(page));
++ /* PageBuddy() must be checked by the caller */
+ return page_private(page);
+ }
+
--- /dev/null
+From f8f72ad5396987e05a42cf7eff826fb2a15ff148 Mon Sep 17 00:00:00 2001
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Date: Tue, 26 Oct 2010 14:21:10 -0700
+Subject: mm: fix return value of scan_lru_pages in memory unplug
+
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+
+commit f8f72ad5396987e05a42cf7eff826fb2a15ff148 upstream.
+
+scan_lru_pages returns pfn. So, it's type should be "unsigned long"
+not "int".
+
+Note: I guess this has been work until now because memory hotplug tester's
+ machine has not very big memory....
+ physical address < 32bit << PAGE_SHIFT.
+
+Reported-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/memory_hotplug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -629,7 +629,7 @@ static int test_pages_in_a_zone(unsigned
+ * Scanning pfn is much easier than scanning lru list.
+ * Scan pfn from start to end and Find LRU page.
+ */
+-int scan_lru_pages(unsigned long start, unsigned long end)
++unsigned long scan_lru_pages(unsigned long start, unsigned long end)
+ {
+ unsigned long pfn;
+ struct page *page;
--- /dev/null
+From 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings@solarflare.com>
+Date: Fri, 22 Oct 2010 04:38:26 +0000
+Subject: net: NETIF_F_HW_CSUM does not imply FCoE CRC offload
+
+From: Ben Hutchings <bhutchings@solarflare.com>
+
+commit 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 upstream.
+
+NETIF_F_HW_CSUM indicates the ability to update an TCP/IP-style 16-bit
+checksum with the checksum of an arbitrary part of the packet data,
+whereas the FCoE CRC is something entirely different.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/dev.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1590,10 +1590,10 @@ EXPORT_SYMBOL(netif_device_attach);
+
+ static bool can_checksum_protocol(unsigned long features, __be16 protocol)
+ {
+- return ((features & NETIF_F_GEN_CSUM) ||
+- ((features & NETIF_F_IP_CSUM) &&
++ return ((features & NETIF_F_NO_CSUM) ||
++ ((features & NETIF_F_V4_CSUM) &&
+ protocol == htons(ETH_P_IP)) ||
+- ((features & NETIF_F_IPV6_CSUM) &&
++ ((features & NETIF_F_V6_CSUM) &&
+ protocol == htons(ETH_P_IPV6)) ||
+ ((features & NETIF_F_FCOE_CRC) &&
+ protocol == htons(ETH_P_FCOE)));
--- /dev/null
+From 800416f799e0723635ac2d720ad4449917a1481c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Wed, 27 Oct 2010 19:33:43 +0200
+Subject: numa: fix slab_node(MPOL_BIND)
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 800416f799e0723635ac2d720ad4449917a1481c upstream.
+
+When a node contains only HighMem memory, slab_node(MPOL_BIND)
+dereferences a NULL pointer.
+
+[ This code seems to go back all the way to commit 19770b32609b: "mm:
+ filter based on a nodemask as well as a gfp_mask". Which was back in
+ April 2008, and it got merged into 2.6.26. - Linus ]
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Mel Gorman <mel@csn.ul.ie>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mempolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1480,7 +1480,7 @@ unsigned slab_node(struct mempolicy *pol
+ (void)first_zones_zonelist(zonelist, highest_zoneidx,
+ &policy->v.nodes,
+ &zone);
+- return zone->node;
++ return zone ? zone->node : numa_node_id();
+ }
+
+ default:
--- /dev/null
+From 7cfbb29466633e6ecdc14f76a693c8478c2b22af Mon Sep 17 00:00:00 2001
+From: Richard A. Smith <richard@laptop.org>
+Date: Sat, 25 Sep 2010 19:19:26 +0100
+Subject: olpc_battery: Fix endian neutral breakage for s16 values
+
+From: Richard A. Smith <richard@laptop.org>
+
+commit 7cfbb29466633e6ecdc14f76a693c8478c2b22af upstream.
+
+When the driver was updated to be endian neutral (8e9c7716c)
+the signed part of the s16 values was lost. This is because be16_to_cpu()
+returns an unsigned value. This patch casts the values back to a s16
+number prior to the the implicit cast up to an int.
+
+Signed-off-by: Richard A. Smith <richard@laptop.org>
+Signed-off-by: Daniel Drake <dsd@laptop.org>
+Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/power/olpc_battery.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/power/olpc_battery.c
++++ b/drivers/power/olpc_battery.c
+@@ -271,14 +271,14 @@ static int olpc_bat_get_property(struct
+ if (ret)
+ return ret;
+
+- val->intval = (int)be16_to_cpu(ec_word) * 9760L / 32;
++ val->intval = (s16)be16_to_cpu(ec_word) * 9760L / 32;
+ break;
+ case POWER_SUPPLY_PROP_CURRENT_AVG:
+ ret = olpc_ec_cmd(EC_BAT_CURRENT, NULL, 0, (void *)&ec_word, 2);
+ if (ret)
+ return ret;
+
+- val->intval = (int)be16_to_cpu(ec_word) * 15625L / 120;
++ val->intval = (s16)be16_to_cpu(ec_word) * 15625L / 120;
+ break;
+ case POWER_SUPPLY_PROP_CAPACITY:
+ ret = olpc_ec_cmd(EC_BAT_SOC, NULL, 0, &ec_byte, 1);
+@@ -299,7 +299,7 @@ static int olpc_bat_get_property(struct
+ if (ret)
+ return ret;
+
+- val->intval = (int)be16_to_cpu(ec_word) * 100 / 256;
++ val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256;
+ break;
+ case POWER_SUPPLY_PROP_TEMP_AMBIENT:
+ ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2);
+@@ -313,7 +313,7 @@ static int olpc_bat_get_property(struct
+ if (ret)
+ return ret;
+
+- val->intval = (int)be16_to_cpu(ec_word) * 6250 / 15;
++ val->intval = (s16)be16_to_cpu(ec_word) * 6250 / 15;
+ break;
+ case POWER_SUPPLY_PROP_SERIAL_NUMBER:
+ ret = olpc_ec_cmd(EC_BAT_SERIAL, NULL, 0, (void *)&ser_buf, 8);
--- /dev/null
+From 8474b591faf3bb0a1e08a60d21d6baac498f15e4 Mon Sep 17 00:00:00 2001
+From: Masanori ITOH <itoumsn@nttdata.co.jp>
+Date: Tue, 26 Oct 2010 14:21:20 -0700
+Subject: percpu: fix list_head init bug in __percpu_counter_init()
+
+From: Masanori ITOH <itoumsn@nttdata.co.jp>
+
+commit 8474b591faf3bb0a1e08a60d21d6baac498f15e4 upstream.
+
+WARNING: at lib/list_debug.c:26 __list_add+0x3f/0x81()
+Hardware name: Express5800/B120a [N8400-085]
+list_add corruption. next->prev should be prev (ffffffff81a7ea00), but was dead000000200200. (next=ffff88080b872d58).
+Modules linked in: aoe ipt_MASQUERADE iptable_nat nf_nat autofs4 sunrpc bridge 8021q garp stp llc ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_round_robin dm_multipath kvm_intel kvm uinput lpfc scsi_transport_fc igb ioatdma scsi_tgt i2c_i801 i2c_core dca iTCO_wdt iTCO_vendor_support pcspkr shpchp megaraid_sas [last unloaded: aoe]
+Pid: 54, comm: events/3 Tainted: G W 2.6.34-vanilla1 #1
+Call Trace:
+[<ffffffff8104bd77>] warn_slowpath_common+0x7c/0x94
+[<ffffffff8104bde6>] warn_slowpath_fmt+0x41/0x43
+[<ffffffff8120fd2e>] __list_add+0x3f/0x81
+[<ffffffff81212a12>] __percpu_counter_init+0x59/0x6b
+[<ffffffff810d8499>] bdi_init+0x118/0x17e
+[<ffffffff811f2c50>] blk_alloc_queue_node+0x79/0x143
+[<ffffffff811f2d2b>] blk_alloc_queue+0x11/0x13
+[<ffffffffa02a931d>] aoeblk_gdalloc+0x8e/0x1c9 [aoe]
+[<ffffffffa02aa655>] aoecmd_sleepwork+0x25/0xa8 [aoe]
+[<ffffffff8106186c>] worker_thread+0x1a9/0x237
+[<ffffffffa02aa630>] ? aoecmd_sleepwork+0x0/0xa8 [aoe]
+[<ffffffff81065827>] ? autoremove_wake_function+0x0/0x39
+[<ffffffff810616c3>] ? worker_thread+0x0/0x237
+[<ffffffff810653ad>] kthread+0x7f/0x87
+[<ffffffff8100aa24>] kernel_thread_helper+0x4/0x10
+[<ffffffff8106532e>] ? kthread+0x0/0x87
+[<ffffffff8100aa20>] ? kernel_thread_helper+0x0/0x10
+
+It's because there is no initialization code for a list_head contained in
+the struct backing_dev_info under CONFIG_HOTPLUG_CPU, and the bug comes up
+when block device drivers calling blk_alloc_queue() are used. In case of
+me, I got them by using aoe.
+
+Signed-off-by: Masanori Itoh <itoumsn@nttdata.co.jp>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/percpu_counter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/percpu_counter.c
++++ b/lib/percpu_counter.c
+@@ -76,6 +76,7 @@ int __percpu_counter_init(struct percpu_
+ if (!fbc->counters)
+ return -ENOMEM;
+ #ifdef CONFIG_HOTPLUG_CPU
++ INIT_LIST_HEAD(&fbc->list);
+ mutex_lock(&percpu_counters_lock);
+ list_add(&fbc->list, &percpu_counters);
+ mutex_unlock(&percpu_counters_lock);
staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch
staging-asus_oled-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch
staging-line6-fix-up-some-sysfs-attribute-permissions.patch
+hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch
+hpet-unmap-unused-i-o-space.patch
+olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch
+percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch
+um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch
+um-fix-global-timer-issue-when-using-config_no_hz.patch
+numa-fix-slab_node-mpol_bind.patch
+hwmon-lm85-fix-adt7468-frequency-table.patch
+mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch
+mm-fix-is_mem_section_removable-page_order-bug_on-check.patch
+ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch
+sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch
+xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch
+xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch
+ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
+ipc-shm-fix-information-leak-to-userland.patch
+sys_semctl-fix-kernel-stack-leakage.patch
+net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch
+drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch
+viafb-use-proper-register-for-colour-when-doing-fill-ops.patch
+ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch
+md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch
+md-fix-return-value-of-rdev_size_change.patch
--- /dev/null
+From c22c7aeff69796f46ae0fcec141538e28f50b24e Mon Sep 17 00:00:00 2001
+From: Robin@sgi.com <Robin@sgi.com>
+Date: Wed, 24 Nov 2010 12:56:59 -0800
+Subject: sgi-xpc: XPC fails to discover partitions with all nasids above 128
+
+From: Robin@sgi.com <Robin@sgi.com>
+
+commit c22c7aeff69796f46ae0fcec141538e28f50b24e upstream.
+
+UV hardware defines 256 memory protection regions versus the baseline 64
+with increasing size for the SN2 ia64. This was overlooked when XPC was
+modified to accomodate both UV and SN2.
+
+Without this patch, a user could reconfigure their existing system and
+suddenly disable cross-partition communications with no indication of what
+has gone wrong. It also prevents larger configurations from using
+cross-partition communication.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/sgi-xp/xpc_partition.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/misc/sgi-xp/xpc_partition.c
++++ b/drivers/misc/sgi-xp/xpc_partition.c
+@@ -438,18 +438,23 @@ xpc_discovery(void)
+ * nodes that can comprise an access protection grouping. The access
+ * protection is in regards to memory, IOI and IPI.
+ */
+- max_regions = 64;
+ region_size = xp_region_size;
+
+- switch (region_size) {
+- case 128:
+- max_regions *= 2;
+- case 64:
+- max_regions *= 2;
+- case 32:
+- max_regions *= 2;
+- region_size = 16;
+- DBUG_ON(!is_shub2());
++ if (is_uv())
++ max_regions = 256;
++ else {
++ max_regions = 64;
++
++ switch (region_size) {
++ case 128:
++ max_regions *= 2;
++ case 64:
++ max_regions *= 2;
++ case 32:
++ max_regions *= 2;
++ region_size = 16;
++ DBUG_ON(!is_shub2());
++ }
+ }
+
+ for (region = 0; region < max_regions; region++) {
--- /dev/null
+From 1d8638d4038eb8709edc80e37a0bbb77253d86e9 Mon Sep 17 00:00:00 2001
+From: Daniel Klaffenbach <danielklaffenbach@gmail.com>
+Date: Fri, 19 Nov 2010 21:25:21 -0600
+Subject: ssb: b43-pci-bridge: Add new vendor for BCM4318
+
+From: Daniel Klaffenbach <danielklaffenbach@gmail.com>
+
+commit 1d8638d4038eb8709edc80e37a0bbb77253d86e9 upstream.
+
+Add new vendor for Broadcom 4318.
+
+Signed-off-by: Daniel Klaffenbach <danielklaffenbach@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/b43_pci_bridge.c | 1 +
+ include/linux/pci_ids.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/ssb/b43_pci_bridge.c
++++ b/drivers/ssb/b43_pci_bridge.c
+@@ -24,6 +24,7 @@ static const struct pci_device_id b43_pc
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4312) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4315) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4318) },
++ { PCI_DEVICE(PCI_VENDOR_ID_BCM_GVC, 0x4318) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4319) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4320) },
+ { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4321) },
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -2039,6 +2039,7 @@
+ #define PCI_DEVICE_ID_AFAVLAB_P030 0x2182
+ #define PCI_SUBDEVICE_ID_AFAVLAB_P061 0x2150
+
++#define PCI_VENDOR_ID_BCM_GVC 0x14a4
+ #define PCI_VENDOR_ID_BROADCOM 0x14e4
+ #define PCI_DEVICE_ID_TIGON3_5752 0x1600
+ #define PCI_DEVICE_ID_TIGON3_5752M 0x1601
--- /dev/null
+From 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Thu, 30 Sep 2010 15:15:31 -0700
+Subject: sys_semctl: fix kernel stack leakage
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream.
+
+The semctl syscall has several code paths that lead to the leakage of
+uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
+IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
+version of the semid_ds struct.
+
+The copy_semid_to_user() function declares a semid_ds struct on the stack
+and copies it back to the user without initializing or zeroing the
+"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
+allowing the leakage of 16 bytes of kernel stack memory.
+
+The code is still reachable on 32-bit systems - when calling semctl()
+newer glibc's automatically OR the IPC command with the IPC_64 flag, but
+invoking the syscall directly allows users to use the older versions of
+the struct.
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/sem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -608,6 +608,8 @@ static unsigned long copy_semid_to_user(
+ {
+ struct semid_ds out;
+
++ memset(&out, 0, sizeof(out));
++
+ ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
+
+ out.sem_otime = in->sem_otime;
--- /dev/null
+From 482db6df1746c4fa7d64a2441d4cb2610249c679 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 26 Oct 2010 14:21:13 -0700
+Subject: um: fix global timer issue when using CONFIG_NO_HZ
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 482db6df1746c4fa7d64a2441d4cb2610249c679 upstream.
+
+This fixes a issue which was introduced by fe2cc53e ("uml: track and make
+up lost ticks").
+
+timeval_to_ns() returns long long and not int. Due to that UML's timer
+did not work properlt and caused timer freezes.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Acked-by: Pekka Enberg <penberg@kernel.org>
+Cc: Jeff Dike <jdike@addtoit.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/um/os-Linux/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/os-Linux/time.c
++++ b/arch/um/os-Linux/time.c
+@@ -60,7 +60,7 @@ static inline long long timeval_to_ns(co
+ long long disable_timer(void)
+ {
+ struct itimerval time = ((struct itimerval) { { 0, 0 }, { 0, 0 } });
+- int remain, max = UM_NSEC_PER_SEC / UM_HZ;
++ long long remain, max = UM_NSEC_PER_SEC / UM_HZ;
+
+ if (setitimer(ITIMER_VIRTUAL, &time, &time) < 0)
+ printk(UM_KERN_ERR "disable_timer - setitimer failed, "
--- /dev/null
+From 6915e04f8847bea16d0890f559694ad8eedd026c Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 26 Oct 2010 14:21:16 -0700
+Subject: um: remove PAGE_SIZE alignment in linker script causing kernel segfault.
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 6915e04f8847bea16d0890f559694ad8eedd026c upstream.
+
+The linker script cleanup that I did in commit 5d150a97f93 ("um: Clean up
+linker script using standard macros.") (2.6.32) accidentally introduced an
+ALIGN(PAGE_SIZE) when converting to use INIT_TEXT_SECTION; Richard
+Weinberger reported that this causes the kernel to segfault with
+CONFIG_STATIC_LINK=y.
+
+I'm not certain why this extra alignment is a problem, but it seems likely
+it is because previously
+
+__init_begin = _stext = _text = _sinittext
+
+and with the extra ALIGN(PAGE_SIZE), _sinittext becomes different from the
+rest. So there is likely a bug here where something is assuming that
+_sinittext is the same as one of those other symbols. But reverting the
+accidental change fixes the regression, so it seems worth committing that
+now.
+
+Signed-off-by: Tim Abbott <tabbott@ksplice.com>
+Reported-by: Richard Weinberger <richard@nod.at>
+Cc: Jeff Dike <jdike@addtoit.com>
+Tested by: Antoine Martin <antoine@nagafix.co.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/um/kernel/uml.lds.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/kernel/uml.lds.S
++++ b/arch/um/kernel/uml.lds.S
+@@ -22,7 +22,7 @@ SECTIONS
+ _text = .;
+ _stext = .;
+ __init_begin = .;
+- INIT_TEXT_SECTION(PAGE_SIZE)
++ INIT_TEXT_SECTION(0)
+ . = ALIGN(PAGE_SIZE);
+
+ .text :
--- /dev/null
+From efd4f6398dc92b5bf392670df862f42a19f34cf2 Mon Sep 17 00:00:00 2001
+From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+Date: Wed, 22 Sep 2010 02:33:52 +0000
+Subject: viafb: use proper register for colour when doing fill ops
+
+From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+
+commit efd4f6398dc92b5bf392670df862f42a19f34cf2 upstream.
+
+The colour was written to a wrong register for fillrect operations.
+This sometimes caused empty console space (for example after 'clear')
+to have a different colour than desired. Fix this by writing to the
+correct register.
+Many thanks to Daniel Drake and Jon Nettleton for pointing out this
+issue and pointing me in the right direction for the fix.
+
+Fixes http://dev.laptop.org/ticket/9323
+
+Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+Cc: Joseph Chan <JosephChan@via.com.tw>
+Cc: Daniel Drake <dsd@laptop.org>
+Cc: Jon Nettleton <jon.nettleton@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/via/accel.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/via/accel.c
++++ b/drivers/video/via/accel.c
+@@ -277,11 +277,12 @@ static int hw_bitblt_2(void __iomem *eng
+ writel(tmp, engine + 0x1C);
+ }
+
+- if (op != VIA_BITBLT_COLOR)
++ if (op == VIA_BITBLT_FILL) {
++ writel(fg_color, engine + 0x58);
++ } else if (op == VIA_BITBLT_MONO) {
+ writel(fg_color, engine + 0x4C);
+-
+- if (op == VIA_BITBLT_MONO)
+ writel(bg_color, engine + 0x50);
++ }
+
+ if (op == VIA_BITBLT_FILL)
+ ge_cmd |= fill_rop << 24 | 0x00002000 | 0x00000001;
--- /dev/null
+From 31e323cca9d5c8afd372976c35a5d46192f540d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Date: Mon, 29 Nov 2010 14:16:53 -0800
+Subject: xen: don't bother to stop other cpus on shutdown/reboot
+
+From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+
+commit 31e323cca9d5c8afd372976c35a5d46192f540d1 upstream.
+
+Xen will shoot all the VCPUs when we do a shutdown hypercall, so there's
+no need to do it manually.
+
+In any case it will fail because all the IPI irqs have been pulled
+down by this point, so the cross-CPU calls will simply hang forever.
+
+Until change 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce the function calls
+were not synchronously waited for, so this wasn't apparent. However after
+that change the calls became synchronous leading to a hang on shutdown
+on multi-VCPU guests.
+
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Cc: Alok Kataria <akataria@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/xen/enlighten.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -999,10 +999,6 @@ static void xen_reboot(int reason)
+ {
+ struct sched_shutdown r = { .reason = reason };
+
+-#ifdef CONFIG_SMP
+- stop_other_cpus();
+-#endif
+-
+ if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
+ BUG();
+ }
--- /dev/null
+From b0097adeec27e30223c989561ab0f7aa60d1fe93 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell@citrix.com>
+Date: Fri, 8 Oct 2010 16:59:12 +0100
+Subject: xen: ensure that all event channels start off bound to VCPU 0
+
+From: Ian Campbell <ian.campbell@citrix.com>
+
+commit b0097adeec27e30223c989561ab0f7aa60d1fe93 upstream.
+
+All event channels startbound to VCPU 0 so ensure that cpu_evtchn_mask
+is initialised to reflect this. Otherwise there is a race after registering an
+event channel but before the affinity is explicitly set where the event channel
+can be delivered. If this happens then the event channel remains pending in the
+L1 (evtchn_pending) array but is cleared in L2 (evtchn_pending_sel), this means
+the event channel cannot be reraised until another event channel happens to
+trigger the same L2 entry on that VCPU.
+
+sizeof(cpu_evtchn_mask(0))==sizeof(unsigned long*) which is not correct, and
+causes only the first 32 or 64 event channels (depending on architecture) to be
+initially bound to VCPU0. Use sizeof(struct cpu_evtchn_s) instead.
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Cc: Jeremy Fitzhardinge <jeremy@goop.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/xen/events.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/events.c
++++ b/drivers/xen/events.c
+@@ -254,7 +254,7 @@ static void init_evtchn_cpu_bindings(voi
+ }
+ #endif
+
+- memset(cpu_evtchn_mask(0), ~0, sizeof(cpu_evtchn_mask(0)));
++ memset(cpu_evtchn_mask(0), ~0, sizeof(struct cpu_evtchn_s));
+ }
+
+ static inline void clear_evtchn(int port)
projects / thirdparty / kernel / stable-queue.git / commitdiff
