--- /dev/null
+From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001
+From: Luca Tettamanti <kronos.it@gmail.com>
+Date: Wed, 22 Sep 2010 10:41:58 +0000
+Subject: atl1: fix resume
+
+From: Luca Tettamanti <kronos.it@gmail.com>
+
+commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream.
+
+adapter->cmb.cmb is initialized when the device is opened and freed when
+it's closed. Accessing it unconditionally during resume results either
+in a crash (NULL pointer dereference, when the interface has not been
+opened yet) or data corruption (when the interface has been used and
+brought down adapter->cmb.cmb points to a deallocated memory area).
+
+Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
+Acked-by: Chris Snook <chris.snook@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/atlx/atl1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/atlx/atl1.c
++++ b/drivers/net/atlx/atl1.c
+@@ -2849,10 +2849,11 @@ static int atl1_resume(struct pci_dev *p
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
+ atl1_reset_hw(&adapter->hw);
+- adapter->cmb.cmb->int_stats = 0;
+
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ adapter->cmb.cmb->int_stats = 0;
+ atl1_up(adapter);
++ }
+ netif_device_attach(netdev);
+
+ return 0;
--- /dev/null
+From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:09:28 -0700
+Subject: De-pessimize rds_page_copy_user
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream.
+
+Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
+the unsafe atomic user mode accessor functions. It's actually slower
+than the straightforward code on any reasonable modern CPU.
+
+Back when the code was written (although probably not by the time it was
+actually merged, though), 32-bit x86 may have been the dominant
+architecture. And there kmap_atomic() can be a lot faster than kmap()
+(unless you have very good locality, in which case the virtual address
+caching by kmap() can overcome all the downsides).
+
+But these days, x86-64 may not be more populous, but it's getting there
+(and if you care about performance, it's definitely already there -
+you'd have upgraded your CPU's already in the last few years). And on
+x86-64, the non-kmap_atomic() version is faster, simply because the code
+is simpler and doesn't have the "re-try page fault" case.
+
+People with old hardware are not likely to care about RDS anyway, and
+the optimization for the 32-bit case is simply buggy, since it doesn't
+verify the user addresses properly.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rds/page.c | 27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+--- a/net/rds/page.c
++++ b/net/rds/page.c
+@@ -56,30 +56,17 @@ int rds_page_copy_user(struct page *page
+ unsigned long ret;
+ void *addr;
+
+- if (to_user)
++ addr = kmap(page);
++ if (to_user) {
+ rds_stats_add(s_copy_to_user, bytes);
+- else
++ ret = copy_to_user(ptr, addr + offset, bytes);
++ } else {
+ rds_stats_add(s_copy_from_user, bytes);
+-
+- addr = kmap_atomic(page, KM_USER0);
+- if (to_user)
+- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
+- else
+- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
+- kunmap_atomic(addr, KM_USER0);
+-
+- if (ret) {
+- addr = kmap(page);
+- if (to_user)
+- ret = copy_to_user(ptr, addr + offset, bytes);
+- else
+- ret = copy_from_user(addr + offset, ptr, bytes);
+- kunmap(page);
+- if (ret)
+- return -EFAULT;
++ ret = copy_from_user(addr + offset, ptr, bytes);
+ }
++ kunmap(page);
+
+- return 0;
++ return ret ? -EFAULT : 0;
+ }
+ EXPORT_SYMBOL_GPL(rds_page_copy_user);
+
--- /dev/null
+From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001
+From: Simon Guinot <sguinot@lacie.com>
+Date: Fri, 17 Sep 2010 23:33:51 +0200
+Subject: dmaengine: fix interrupt clearing for mv_xor
+
+From: Simon Guinot <sguinot@lacie.com>
+
+commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream.
+
+When using simultaneously the two DMA channels on a same engine, some
+transfers are never completed. For example, an endless lock can occur
+while writing heavily on a RAID5 array (with async-tx offload support
+enabled).
+
+Note that this issue can also be reproduced by using the DMA test
+client.
+
+On a same engine, the interrupt cause register is shared between two
+DMA channels. This patch make sure that the cause bit is only cleared
+for the requested channel.
+
+Signed-off-by: Simon Guinot <sguinot@lacie.com>
+Tested-by: Luc Saillard <luc@saillard.org>
+Acked-by: saeed bishara <saeed.bishara@gmail.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/mv_xor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -161,7 +161,7 @@ static int mv_is_err_intr(u32 intr_cause
+
+ static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan)
+ {
+- u32 val = (1 << (1 + (chan->idx * 16)));
++ u32 val = ~(1 << (chan->idx * 16));
+ dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val);
+ __raw_writel(val, XOR_INTR_CAUSE(chan));
+ }
--- /dev/null
+From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Sat, 25 Sep 2010 17:45:50 +1000
+Subject: drm/radeon: fix PCI ID 5657 to be an RV410
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream.
+
+fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/drm/drm_pciids.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -85,7 +85,6 @@
+ {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+ {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+ {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+- {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+@@ -103,6 +102,7 @@
+ {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \
+ {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \
+ {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \
--- /dev/null
+From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001
+From: Salman Qazi <sqazi@google.com>
+Date: Tue, 12 Oct 2010 07:25:19 -0700
+Subject: hrtimer: Preserve timer state in remove_hrtimer()
+
+From: Salman Qazi <sqazi@google.com>
+
+commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream.
+
+The race is described as follows:
+
+CPU X CPU Y
+remove_hrtimer
+// state & QUEUED == 0
+timer->state = CALLBACK
+unlock timer base
+timer->f(n) //very long
+ hrtimer_start
+ lock timer base
+ remove_hrtimer // no effect
+ hrtimer_enqueue
+ timer->state = CALLBACK |
+ QUEUED
+ unlock timer base
+ hrtimer_start
+ lock timer base
+ remove_hrtimer
+ mode = INACTIVE
+ // CALLBACK bit lost!
+ switch_hrtimer_base
+ CALLBACK bit not set:
+ timer->base
+ changes to a
+ different CPU.
+lock this CPU's timer base
+
+The bug was introduced with commit ca109491f (hrtimer: removing all ur
+callback modes) in 2.6.29
+
+[ tglx: Feed new state via local variable and add a comment. ]
+
+Signed-off-by: Salman Qazi <sqazi@google.com>
+Cc: akpm@linux-foundation.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/hrtimer.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -936,6 +936,7 @@ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
+ {
+ if (hrtimer_is_queued(timer)) {
++ unsigned long state;
+ int reprogram;
+
+ /*
+@@ -949,8 +950,13 @@ remove_hrtimer(struct hrtimer *timer, st
+ debug_deactivate(timer);
+ timer_stats_hrtimer_clear_start_info(timer);
+ reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases);
+- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE,
+- reprogram);
++ /*
++ * We must preserve the CALLBACK state flag here,
++ * otherwise we could move the timer base in
++ * switch_hrtimer_base.
++ */
++ state = timer->state & HRTIMER_STATE_CALLBACK;
++ __remove_hrtimer(timer, base, state, reprogram);
+ return 1;
+ }
+ return 0;
+@@ -1237,6 +1243,9 @@ static void __run_hrtimer(struct hrtimer
+ BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
+ enqueue_hrtimer(timer, base);
+ }
++
++ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));
++
+ timer->state &= ~HRTIMER_STATE_CALLBACK;
+ }
+
--- /dev/null
+From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001
+From: Kenneth Waters <kwwaters@gmail.com>
+Date: Tue, 21 Sep 2010 00:58:23 -0700
+Subject: Input: joydev - fix JSIOCSAXMAP ioctl
+
+From: Kenneth Waters <kwwaters@gmail.com>
+
+commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream.
+
+Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to
+event axis in addition to abspam. This fixes a regression introduced
+by 999b874f.
+
+Signed-off-by: Kenneth Waters <kwwaters@gmail.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/joydev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -481,6 +481,9 @@ static int joydev_handle_JSIOCSAXMAP(str
+
+ memcpy(joydev->abspam, abspam, len);
+
++ for (i = 0; i < joydev->nabs; i++)
++ joydev->absmap[joydev->abspam[i]] = i;
++
+ out:
+ kfree(abspam);
+ return retval;
--- /dev/null
+From cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 24 Sep 2010 11:20:47 +0200
+Subject: mac80211: fix use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 upstream.
+
+commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1
+Author: Johannes Berg <johannes@sipsolutions.net>
+Date: Wed Nov 25 17:46:15 2009 +0100
+
+ mac80211: move cmntr flag out of rx flags
+
+moved the CMTR flag into the skb's status, and
+in doing so introduced a use-after-free -- when
+the skb has been handed to cooked monitors the
+status setting will touch now invalid memory.
+
+Additionally, moving it there has effectively
+discarded the optimisation -- since the bit is
+only ever set on freed SKBs, and those were a
+copy, it could never be checked.
+
+For the current release, fixing this properly
+is a bit too involved, so let's just remove the
+problematic code and leave userspace with one
+copy of each frame for each virtual interface.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rx.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2123,9 +2123,6 @@ static void ieee80211_rx_cooked_monitor(
+ struct net_device *prev_dev = NULL;
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+
+- if (status->flag & RX_FLAG_INTERNAL_CMTR)
+- goto out_free_skb;
+-
+ if (skb_headroom(skb) < sizeof(*rthdr) &&
+ pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
+ goto out_free_skb;
+@@ -2184,7 +2181,6 @@ static void ieee80211_rx_cooked_monitor(
+ } else
+ goto out_free_skb;
+
+- status->flag |= RX_FLAG_INTERNAL_CMTR;
+ return;
+
+ out_free_skb:
--- /dev/null
+From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001
+From: Joel Becker <joel.becker@oracle.com>
+Date: Wed, 29 Sep 2010 17:33:05 -0700
+Subject: ocfs2: Don't walk off the end of fast symlinks.
+
+From: Joel Becker <joel.becker@oracle.com>
+
+commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.
+
+ocfs2 fast symlinks are NUL terminated strings stored inline in the
+inode data area. However, disk corruption or a local attacker could, in
+theory, remove that NUL. Because we're using strlen() (my fault,
+introduced in a731d1 when removing vfs_follow_link()), we could walk off
+the end of that string.
+
+Signed-off-by: Joel Becker <joel.becker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/symlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru
+ }
+
+ /* Fast symlinks can't be large */
+- len = strlen(target);
++ len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
+ link = kzalloc(len + 1, GFP_NOFS);
+ if (!link) {
+ status = -ENOMEM;
--- /dev/null
+From 3f259d092c7a2fdf217823e8f1838530adb0cdb0 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Thu, 30 Sep 2010 15:15:37 -0700
+Subject: reiserfs: fix dependency inversion between inode and reiserfs mutexes
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 3f259d092c7a2fdf217823e8f1838530adb0cdb0 upstream.
+
+The reiserfs mutex already depends on the inode mutex, so we can't lock
+the inode mutex in reiserfs_unpack() without using the safe locking API,
+because reiserfs_unpack() is always called with the reiserfs mutex locked.
+
+This fixes:
+
+ =======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 2.6.35c #13
+ -------------------------------------------------------
+ lilo/1606 is trying to acquire lock:
+ (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
+
+ but task is already holding lock:
+ (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
+ [<c1056347>] lock_acquire+0x67/0x80
+ [<c12f083d>] __mutex_lock_common+0x4d/0x410
+ [<c12f0c58>] mutex_lock_nested+0x18/0x20
+ [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+ [<d0329e9a>] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs]
+ [<d0316b81>] reiserfs_fill_super+0x941/0xe60 [reiserfs]
+ [<c10b7d17>] get_sb_bdev+0x117/0x170
+ [<d0313e21>] get_super_block+0x21/0x30 [reiserfs]
+ [<c10b74ba>] vfs_kern_mount+0x6a/0x1b0
+ [<c10b7659>] do_kern_mount+0x39/0xe0
+ [<c10cebe0>] do_mount+0x340/0x790
+ [<c10cf0b4>] sys_mount+0x84/0xb0
+ [<c12f25cd>] syscall_call+0x7/0xb
+
+ -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
+ [<c1056186>] __lock_acquire+0x1026/0x1180
+ [<c1056347>] lock_acquire+0x67/0x80
+ [<c12f083d>] __mutex_lock_common+0x4d/0x410
+ [<c12f0c58>] mutex_lock_nested+0x18/0x20
+ [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
+ [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+ [<c10c3228>] vfs_ioctl+0x28/0xa0
+ [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
+ [<c10c3f53>] sys_ioctl+0x63/0x70
+ [<c12f25cd>] syscall_call+0x7/0xb
+
+ other info that might help us debug this:
+
+ 1 lock held by lilo/1606:
+ #0: (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+ stack backtrace:
+ Pid: 1606, comm: lilo Not tainted 2.6.35c #13
+ Call Trace:
+ [<c1056186>] __lock_acquire+0x1026/0x1180
+ [<c1056347>] lock_acquire+0x67/0x80
+ [<c12f083d>] __mutex_lock_common+0x4d/0x410
+ [<c12f0c58>] mutex_lock_nested+0x18/0x20
+ [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
+ [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+ [<c10c3228>] vfs_ioctl+0x28/0xa0
+ [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
+ [<c10c3f53>] sys_ioctl+0x63/0x70
+ [<c12f25cd>] syscall_call+0x7/0xb
+
+Reported-by: Jarek Poplawski <jarkao2@gmail.com>
+Tested-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/ioctl.c
++++ b/fs/reiserfs/ioctl.c
+@@ -188,7 +188,7 @@ int reiserfs_unpack(struct inode *inode,
+ /* we need to make sure nobody is changing the file size beneath
+ ** us
+ */
+- mutex_lock(&inode->i_mutex);
++ reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb);
+ reiserfs_write_lock(inode->i_sb);
+
+ write_from = inode->i_size & (blocksize - 1);
--- /dev/null
+From 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Thu, 30 Sep 2010 15:15:38 -0700
+Subject: reiserfs: fix unwanted reiserfs lock recursion
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 upstream.
+
+Prevent from recursively locking the reiserfs lock in reiserfs_unpack()
+because we may call journal_begin() that requires the lock to be taken
+only once, otherwise it won't be able to release the lock while taking
+other mutexes, ending up in inverted dependencies between the journal
+mutex and the reiserfs lock for example.
+
+This fixes:
+
+ =======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 2.6.35.4.4a #3
+ -------------------------------------------------------
+ lilo/1620 is trying to acquire lock:
+ (&journal->j_mutex){+.+...}, at: [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
+
+ but task is already holding lock:
+ (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
+ [<c10562b7>] lock_acquire+0x67/0x80
+ [<c12facad>] __mutex_lock_common+0x4d/0x410
+ [<c12fb0c8>] mutex_lock_nested+0x18/0x20
+ [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+ [<d0325c06>] do_journal_begin_r+0x86/0x340 [reiserfs]
+ [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
+ [<d0315be4>] reiserfs_remount+0x224/0x530 [reiserfs]
+ [<c10b6a20>] do_remount_sb+0x60/0x110
+ [<c10cee25>] do_mount+0x625/0x790
+ [<c10cf014>] sys_mount+0x84/0xb0
+ [<c12fca3d>] syscall_call+0x7/0xb
+
+ -> #0 (&journal->j_mutex){+.+...}:
+ [<c10560f6>] __lock_acquire+0x1026/0x1180
+ [<c10562b7>] lock_acquire+0x67/0x80
+ [<c12facad>] __mutex_lock_common+0x4d/0x410
+ [<c12fb0c8>] mutex_lock_nested+0x18/0x20
+ [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
+ [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
+ [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
+ [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
+ [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
+ [<c10dbbe6>] block_prepare_write+0x26/0x40
+ [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
+ [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
+ [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+ [<c10c3188>] vfs_ioctl+0x28/0xa0
+ [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
+ [<c10c3eb3>] sys_ioctl+0x63/0x70
+ [<c12fca3d>] syscall_call+0x7/0xb
+
+ other info that might help us debug this:
+
+ 2 locks held by lilo/1620:
+ #0: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d032945a>] reiserfs_unpack+0x6a/0x120 [reiserfs]
+ #1: (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
+
+ stack backtrace:
+ Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3
+ Call Trace:
+ [<c10560f6>] __lock_acquire+0x1026/0x1180
+ [<c10562b7>] lock_acquire+0x67/0x80
+ [<c12facad>] __mutex_lock_common+0x4d/0x410
+ [<c12fb0c8>] mutex_lock_nested+0x18/0x20
+ [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
+ [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
+ [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
+ [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
+ [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
+ [<c10dbbe6>] block_prepare_write+0x26/0x40
+ [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
+ [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
+ [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
+ [<c10c3188>] vfs_ioctl+0x28/0xa0
+ [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
+ [<c10c3eb3>] sys_ioctl+0x63/0x70
+ [<c12fca3d>] syscall_call+0x7/0xb
+
+Reported-by: Jarek Poplawski <jarkao2@gmail.com>
+Tested-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/ioctl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/reiserfs/ioctl.c
++++ b/fs/reiserfs/ioctl.c
+@@ -170,6 +170,7 @@ int reiserfs_prepare_write(struct file *
+ int reiserfs_unpack(struct inode *inode, struct file *filp)
+ {
+ int retval = 0;
++ int depth;
+ int index;
+ struct page *page;
+ struct address_space *mapping;
+@@ -189,7 +190,7 @@ int reiserfs_unpack(struct inode *inode,
+ ** us
+ */
+ reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb);
+- reiserfs_write_lock(inode->i_sb);
++ depth = reiserfs_write_lock_once(inode->i_sb);
+
+ write_from = inode->i_size & (blocksize - 1);
+ /* if we are on a block boundary, we are already unpacked. */
+@@ -224,6 +225,6 @@ int reiserfs_unpack(struct inode *inode,
+
+ out:
+ mutex_unlock(&inode->i_mutex);
+- reiserfs_write_unlock(inode->i_sb);
++ reiserfs_write_unlock_once(inode->i_sb, depth);
+ return retval;
+ }
--- /dev/null
+From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <srostedt@redhat.com>
+Date: Tue, 12 Oct 2010 12:06:43 -0400
+Subject: ring-buffer: Fix typo of time extends per page
+
+From: Steven Rostedt <srostedt@redhat.com>
+
+commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream.
+
+Time stamps for the ring buffer are created by the difference between
+two events. Each page of the ring buffer holds a full 64 bit timestamp.
+Each event has a 27 bit delta stamp from the last event. The unit of time
+is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events
+happen more than 134 milliseconds apart, a time extend is inserted
+to add more bits for the delta. The time extend has 59 bits, which
+is good for ~18 years.
+
+Currently the time extend is committed separately from the event.
+If an event is discarded before it is committed, due to filtering,
+the time extend still exists. If all events are being filtered, then
+after ~134 milliseconds a new time extend will be added to the buffer.
+
+This can only happen till the end of the page. Since each page holds
+a full timestamp, there is no reason to add a time extend to the
+beginning of a page. Time extends can only fill a page that has actual
+data at the beginning, so there is no fear that time extends will fill
+more than a page without any data.
+
+When reading an event, a loop is made to skip over time extends
+since they are only used to maintain the time stamp and are never
+given to the caller. As a paranoid check to prevent the loop running
+forever, with the knowledge that time extends may only fill a page,
+a check is made that tests the iteration of the loop, and if the
+iteration is more than the number of time extends that can fit in a page
+a warning is printed and the ring buffer is disabled (all of ftrace
+is also disabled with it).
+
+There is another event type that is called a TIMESTAMP which can
+hold 64 bits of data in the theoretical case that two events happen
+18 years apart. This code has not been implemented, but the name
+of this event exists, as well as the structure for it. The
+size of a TIMESTAMP is 16 bytes, where as a time extend is only
+8 bytes. The macro used to calculate how many time extends can fit on
+a page used the TIMESTAMP size instead of the time extend size
+cutting the amount in half.
+
+The following test case can easily trigger the warning since we only
+need to have half the page filled with time extends to trigger the
+warning:
+
+ # cd /sys/kernel/debug/tracing/
+ # echo function > current_tracer
+ # echo 'common_pid < 0' > events/ftrace/function/filter
+ # echo > trace
+ # echo 1 > trace_marker
+ # sleep 120
+ # cat trace
+
+Enabling the function tracer and then setting the filter to only trace
+functions where the process id is negative (no events), then clearing
+the trace buffer to ensure that we have nothing in the buffer,
+then write to trace_marker to add an event to the beginning of a page,
+sleep for 2 minutes (only 35 seconds is probably needed, but this
+guarantees the bug), and then finally reading the trace which will
+trigger the bug.
+
+This patch fixes the typo and prevents the false positive of that warning.
+
+Reported-by: Hans J. Koch <hjk@linutronix.de>
+Tested-by: Hans J. Koch <hjk@linutronix.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/trace/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -389,7 +389,7 @@ static inline int test_time_stamp(u64 de
+ #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2))
+
+ /* Max number of timestamps that can fit on a page */
+-#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP)
++#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND)
+
+ int ring_buffer_print_page_header(struct trace_seq *s)
+ {
x86-amd-iommu-work-around-s3-bios-bug.patch
tracing-x86-don-t-use-mcount-in-pvclock.c.patch
tracing-x86-don-t-use-mcount-in-kvmclock.c.patch
+v4l1-fix-32-bit-compat-microcode-loading-translation.patch
+v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch
+input-joydev-fix-jsiocsaxmap-ioctl.patch
+mac80211-fix-use-after-free.patch
+x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
+x86-irq-plug-memory-leak-in-sparse-irq.patch
+ubd-fix-incorrect-sector-handling-during-request-restart.patch
+ring-buffer-fix-typo-of-time-extends-per-page.patch
+dmaengine-fix-interrupt-clearing-for-mv_xor.patch
+hrtimer-preserve-timer-state-in-remove_hrtimer.patch
+reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
+reiserfs-fix-unwanted-reiserfs-lock-recursion.patch
+ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
+wext-fix-potential-private-ioctl-memory-content-leak.patch
+atl1-fix-resume.patch
+x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
+x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
+de-pessimize-rds_page_copy_user.patch
+drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch
--- /dev/null
+From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 15 Oct 2010 12:56:21 +0200
+Subject: ubd: fix incorrect sector handling during request restart
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream.
+
+Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation)
+dropped request->sector manipulation in preparation for global request
+handling cleanup; unfortunately, it incorrectly assumed that the
+updated sector wasn't being used.
+
+ubd tries to issue as many requests as possible to io_thread. When
+issuing fails due to memory pressure or other reasons, the device is
+put on the restart list and issuing stops. On IO completion, devices
+on the restart list are scanned and IO issuing is restarted.
+
+ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a
+request, so each device on the restart queue needs to remember where
+to restart in its current request. ubd needs to keep track of the
+issue position itself because,
+
+* blk_rq_pos(req) is now updated by the block layer to keep track of
+ _completion_ position.
+
+* Multiple io_req's for the current request may be in flight, so it's
+ difficult to tell where blk_rq_pos(req) currently is.
+
+Add ubd->rq_pos to keep track of the issue position and use it to
+correctly restart io_req issue.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Richard Weinberger <richard@nod.at>
+Tested-by: Richard Weinberger <richard@nod.at>
+Tested-by: Chris Frey <cdfrey@foursquare.net>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/um/drivers/ubd_kern.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -161,6 +161,7 @@ struct ubd {
+ struct scatterlist sg[MAX_SG];
+ struct request *request;
+ int start_sg, end_sg;
++ sector_t rq_pos;
+ };
+
+ #define DEFAULT_COW { \
+@@ -185,6 +186,7 @@ struct ubd {
+ .request = NULL, \
+ .start_sg = 0, \
+ .end_sg = 0, \
++ .rq_pos = 0, \
+ }
+
+ /* Protected by ubd_lock */
+@@ -1222,7 +1224,6 @@ static void do_ubd_request(struct reques
+ {
+ struct io_thread_req *io_req;
+ struct request *req;
+- sector_t sector;
+ int n;
+
+ while(1){
+@@ -1233,12 +1234,12 @@ static void do_ubd_request(struct reques
+ return;
+
+ dev->request = req;
++ dev->rq_pos = blk_rq_pos(req);
+ dev->start_sg = 0;
+ dev->end_sg = blk_rq_map_sg(q, req, dev->sg);
+ }
+
+ req = dev->request;
+- sector = blk_rq_pos(req);
+ while(dev->start_sg < dev->end_sg){
+ struct scatterlist *sg = &dev->sg[dev->start_sg];
+
+@@ -1250,10 +1251,9 @@ static void do_ubd_request(struct reques
+ return;
+ }
+ prepare_request(req, io_req,
+- (unsigned long long)sector << 9,
++ (unsigned long long)dev->rq_pos << 9,
+ sg->offset, sg->length, sg_page(sg));
+
+- sector += sg->length >> 9;
+ n = os_write_file(thread_fd, &io_req,
+ sizeof(struct io_thread_req *));
+ if(n != sizeof(struct io_thread_req *)){
+@@ -1266,6 +1266,7 @@ static void do_ubd_request(struct reques
+ return;
+ }
+
++ dev->rq_pos += sg->length >> 9;
+ dev->start_sg++;
+ }
+ dev->end_sg = 0;
--- /dev/null
+From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+Date: Sat, 11 Sep 2010 11:37:51 -0300
+Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0)
+
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream.
+
+As reported by: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>:
+
+[ 220.033500] cx231xx v4l2 driver loaded.
+[ 220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces
+[ 220.033577] cx231xx #0: registering interface 0
+[ 220.033591] cx231xx #0: registering interface 1
+[ 220.033654] cx231xx #0: registering interface 6
+[ 220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0)
+[ 220.033946] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 220.033955] IP: [<ffffffffa0d3c8bd>] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx]
+
+Thanks-to: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/cx231xx/cx231xx-cards.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/video/cx231xx/cx231xx-cards.c
++++ b/drivers/media/video/cx231xx/cx231xx-cards.c
+@@ -225,14 +225,16 @@ void cx231xx_pre_card_setup(struct cx231
+ dev->board.name, dev->model);
+
+ /* set the direction for GPIO pins */
+- cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
+- cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
+- cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
++ if (dev->board.tuner_gpio) {
++ cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
++ cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
++ cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
+
+- /* request some modules if any required */
++ /* request some modules if any required */
+
+- /* reset the Tuner */
+- cx231xx_gpio_set(dev, dev->board.tuner_gpio);
++ /* reset the Tuner */
++ cx231xx_gpio_set(dev, dev->board.tuner_gpio);
++ }
+
+ /* set the mode to Analog mode initially */
+ cx231xx_set_mode(dev, CX231XX_ANALOG_MODE);
--- /dev/null
+From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:12:38 -0700
+Subject: v4l1: fix 32-bit compat microcode loading translation
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream.
+
+The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
+It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
+staging and eventually removed unless somebody steps up to maintain it
+(at which point it should use request_firmware() rather than some magic
+ioctl). So we'll get rid of it eventually.
+
+But in the meantime, the compatibility ioctl code is broken, and this
+tries to get it to at least limp along (even if Mauro suggested just
+deleting it entirely, which may be the right thing to do - I don't think
+the compatibility translation code has ever worked unless you were very
+lucky).
+
+Reported-by: Kees Cook <kees.cook@canonical.com>
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/v4l2-compat-ioctl32.c | 32 +++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/video/v4l2-compat-ioctl32.c
++++ b/drivers/media/video/v4l2-compat-ioctl32.c
+@@ -193,17 +193,24 @@ static int put_video_window32(struct vid
+ struct video_code32 {
+ char loadwhat[16]; /* name or tag of file being passed */
+ compat_int_t datasize;
+- unsigned char *data;
++ compat_uptr_t data;
+ };
+
+-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *get_microcode32(struct video_code32 *kp)
+ {
+- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
+- get_user(kp->datasize, &up->datasize) ||
+- copy_from_user(kp->data, up->data, up->datasize))
+- return -EFAULT;
+- return 0;
++ struct video_code __user *up;
++
++ up = compat_alloc_user_space(sizeof(*up));
++
++ /*
++ * NOTE! We don't actually care if these fail. If the
++ * user address is invalid, the native ioctl will do
++ * the error handling for us
++ */
++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++ (void) put_user(kp->datasize, &up->datasize);
++ (void) put_user(compat_ptr(kp->data), &up->data);
++ return up;
+ }
+
+ #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
+@@ -741,7 +748,7 @@ static long do_video_ioctl(struct file *
+ struct video_tuner vt;
+ struct video_buffer vb;
+ struct video_window vw;
+- struct video_code vc;
++ struct video_code32 vc;
+ struct video_audio va;
+ #endif
+ struct v4l2_format v2f;
+@@ -820,8 +827,11 @@ static long do_video_ioctl(struct file *
+ break;
+
+ case VIDIOCSMICROCODE:
+- err = get_microcode32(&karg.vc, up);
+- compatible_arg = 0;
++ /* Copy the 32-bit "video_code32" to kernel space */
++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++ return -EFAULT;
++ /* Convert the 32-bit version to a 64-bit version in user space */
++ up = get_microcode32(&karg.vc);
+ break;
+
+ case VIDIOCSFREQ:
--- /dev/null
+From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Sep 2010 00:38:25 +0200
+Subject: wext: fix potential private ioctl memory content leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.
+
+When a driver doesn't fill the entire buffer, old
+heap contents may remain, and if it also doesn't
+update the length properly, this old heap content
+will be copied back to userspace.
+
+It is very unlikely that this happens in any of
+the drivers using private ioctls since it would
+show up as junk being reported by iwpriv, but it
+seems better to be safe here, so use kzalloc.
+
+Reported-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/wext-priv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -151,7 +151,7 @@ static int ioctl_private_iw_point(struct
+ } else if (!iwp->pointer)
+ return -EFAULT;
+
+- extra = kmalloc(extra_size, GFP_KERNEL);
++ extra = kzalloc(extra_size, GFP_KERNEL);
+ if (!extra)
+ return -ENOMEM;
+
--- /dev/null
+From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <borislav.petkov@amd.com>
+Date: Fri, 8 Oct 2010 12:08:34 +0200
+Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order
+
+From: Borislav Petkov <borislav.petkov@amd.com>
+
+commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream.
+
+This fixes possible cases of not collecting valid error info in
+the MCE error thresholding groups on F10h hardware.
+
+The current code contains a subtle problem of checking only the
+Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM
+thresholding group) in its first iteration and breaking out if
+the bit is cleared.
+
+But (!), this MSR contains an offset value, BlkPtr[31:24], which
+points to the remaining MSRs in this thresholding group which
+might contain valid information too. But if we bail out only
+after we checked the valid bit in the first MSR and not the
+block pointer too, we miss that other information.
+
+The thing is, MC4_MISC0[BlkPtr] is not predicated on
+MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked
+prior to iterating over the MCI_MISCj thresholding group,
+irrespective of the MC4_MISC0[Valid] setting.
+
+Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -140,6 +140,7 @@ void mce_amd_feature_init(struct cpuinfo
+ address = (low & MASK_BLKPTR_LO) >> 21;
+ if (!address)
+ break;
++
+ address += MCG_XBLK_ADDR;
+ } else
+ ++address;
+@@ -147,12 +148,8 @@ void mce_amd_feature_init(struct cpuinfo
+ if (rdmsr_safe(address, &low, &high))
+ break;
+
+- if (!(high & MASK_VALID_HI)) {
+- if (block)
+- continue;
+- else
+- break;
+- }
++ if (!(high & MASK_VALID_HI))
++ continue;
+
+ if (!(high & MASK_CNTP_HI) ||
+ (high & MASK_LOCKED_HI))
--- /dev/null
+From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 28 Sep 2010 23:20:23 +0200
+Subject: x86, hpet: Fix bogus error check in hpet_assign_irq()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream.
+
+create_irq() returns -1 if the interrupt allocation failed, but the
+code checks for irq == 0.
+
+Use create_irq_nr() instead.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Venkatesh Pallipadi <venki@google.com>
+LKML-Reference: <alpine.LFD.2.00.1009282310360.2416@localhost6.localdomain6>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -498,7 +498,7 @@ static int hpet_assign_irq(struct hpet_d
+ {
+ unsigned int irq;
+
+- irq = create_irq();
++ irq = create_irq_nr(0, -1);
+ if (!irq)
+ return -EINVAL;
+
--- /dev/null
+From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 28 Sep 2010 20:57:19 +0200
+Subject: x86, irq: Plug memory leak in sparse irq
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream.
+
+free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this
+triggers a use after free caused by the fact that copying struct
+irq_cfg is done with memcpy, which copies the pointer not the cpumask.
+
+Fix both places.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yinghai Lu <yhlu.kernel@gmail.com>
+LKML-Reference: <alpine.LFD.2.00.1009282052570.2416@localhost6.localdomain6>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/io_apic.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -316,14 +316,19 @@ void arch_init_copy_chip_data(struct irq
+
+ old_cfg = old_desc->chip_data;
+
+- memcpy(cfg, old_cfg, sizeof(struct irq_cfg));
++ cfg->vector = old_cfg->vector;
++ cfg->move_in_progress = old_cfg->move_in_progress;
++ cpumask_copy(cfg->domain, old_cfg->domain);
++ cpumask_copy(cfg->old_domain, old_cfg->old_domain);
+
+ init_copy_irq_2_pin(old_cfg, cfg, node);
+ }
+
+-static void free_irq_cfg(struct irq_cfg *old_cfg)
++static void free_irq_cfg(struct irq_cfg *cfg)
+ {
+- kfree(old_cfg);
++ free_cpumask_var(cfg->domain);
++ free_cpumask_var(cfg->old_domain);
++ kfree(cfg);
+ }
+
+ void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)
--- /dev/null
+From 73cf624d029d776a33d0a80c695485b3f9b36231 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Sun, 10 Oct 2010 19:52:15 -0700
+Subject: x86, numa: For each node, register the memory blocks actually used
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit 73cf624d029d776a33d0a80c695485b3f9b36231 upstream.
+
+Russ reported SGI UV is broken recently. He said:
+
+| The SRAT table shows that memory range is spread over two nodes.
+|
+| SRAT: Node 0 PXM 0 100000000-800000000
+| SRAT: Node 1 PXM 1 800000000-1000000000
+| SRAT: Node 0 PXM 0 1000000000-1080000000
+|
+|Previously, the kernel early_node_map[] would show three entries
+|with the proper node.
+|
+|[ 0.000000] 0: 0x00100000 -> 0x00800000
+|[ 0.000000] 1: 0x00800000 -> 0x01000000
+|[ 0.000000] 0: 0x01000000 -> 0x01080000
+|
+|The problem is recent community kernel early_node_map[] shows
+|only two entries with the node 0 entry overlapping the node 1
+|entry.
+|
+| 0: 0x00100000 -> 0x01080000
+| 1: 0x00800000 -> 0x01000000
+
+After looking at the changelog, Found out that it has been broken for a while by
+following commit
+
+|commit 8716273caef7f55f39fe4fc6c69c5f9f197f41f1
+|Author: David Rientjes <rientjes@google.com>
+|Date: Fri Sep 25 15:20:04 2009 -0700
+|
+| x86: Export srat physical topology
+
+Before that commit, register_active_regions() is called for every SRAT memory
+entry right away.
+
+Use nodememblk_range[] instead of nodes[] in order to make sure we
+capture the actual memory blocks registered with each node. nodes[]
+contains an extended range which spans all memory regions associated
+with a node, but that does not mean that all the memory in between are
+included.
+
+Reported-by: Russ Anderson <rja@sgi.com>
+Tested-by: Russ Anderson <rja@sgi.com>
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+LKML-Reference: <4CB27BDF.5000800@kernel.org>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/mm/srat_64.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/srat_64.c
++++ b/arch/x86/mm/srat_64.c
+@@ -372,9 +372,11 @@ int __init acpi_scan_nodes(unsigned long
+ return -1;
+ }
+
+- for_each_node_mask(i, nodes_parsed)
+- e820_register_active_regions(i, nodes[i].start >> PAGE_SHIFT,
+- nodes[i].end >> PAGE_SHIFT);
++ for (i = 0; i < num_node_memblks; i++)
++ e820_register_active_regions(memblk_nodeid[i],
++ node_memblk_range[i].start >> PAGE_SHIFT,
++ node_memblk_range[i].end >> PAGE_SHIFT);
++
+ /* for out of order entries in SRAT */
+ sort_node_map();
+ if (!nodes_cover_memory(nodes)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
