--- /dev/null
+From ben@decadent.org.uk Wed Apr 21 12:11:57 2010
+From: Alexey Starikovskiy <astarikovskiy@suse.de>
+Date: Sat, 10 Apr 2010 02:18:35 +0100
+Subject: ACPI: EC: Allow multibyte access to EC
+To: stable@kernel.org
+Cc: Len Brown <len.brown@intel.com>, 563313@bugs.debian.org, Alexey Starikovskiy <astarikovskiy@suse.de>
+Message-ID: <1270862315.2176.69.camel@localhost>
+
+
+From: Alexey Starikovskiy <astarikovskiy@suse.de>
+
+commit dadf28a10c3eb29421837a2e413ab869ebd upstream
+
+http://bugzilla.kernel.org/show_bug.cgi?id=14667
+
+[bwh: Backport to 2.6.32; same applies to 2.6.33]
+
+Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/acpica/exprep.c | 12 ++++++++++++
+ drivers/acpi/ec.c | 35 +++++++++--------------------------
+ 2 files changed, 21 insertions(+), 26 deletions(-)
+
+--- a/drivers/acpi/acpica/exprep.c
++++ b/drivers/acpi/acpica/exprep.c
+@@ -468,6 +468,18 @@ acpi_status acpi_ex_prep_field_value(str
+
+ acpi_ut_add_reference(obj_desc->field.region_obj);
+
++ /* allow full data read from EC address space */
++ if (obj_desc->field.region_obj->region.space_id ==
++ ACPI_ADR_SPACE_EC) {
++ if (obj_desc->common_field.bit_length > 8)
++ obj_desc->common_field.access_bit_width =
++ ACPI_ROUND_UP(obj_desc->common_field.
++ bit_length, 8);
++ obj_desc->common_field.access_byte_width =
++ ACPI_DIV_8(obj_desc->common_field.
++ access_bit_width);
++ }
++
+ ACPI_DEBUG_PRINT((ACPI_DB_BFIELD,
+ "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n",
+ obj_desc->field.start_field_bit_offset,
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -588,12 +588,12 @@ static u32 acpi_ec_gpe_handler(void *dat
+
+ static acpi_status
+ acpi_ec_space_handler(u32 function, acpi_physical_address address,
+- u32 bits, acpi_integer *value,
++ u32 bits, acpi_integer *value64,
+ void *handler_context, void *region_context)
+ {
+ struct acpi_ec *ec = handler_context;
+- int result = 0, i;
+- u8 temp = 0;
++ int result = 0, i, bytes = bits / 8;
++ u8 *value = (u8 *)value64;
+
+ if ((address > 0xFF) || !value || !handler_context)
+ return AE_BAD_PARAMETER;
+@@ -601,32 +601,15 @@ acpi_ec_space_handler(u32 function, acpi
+ if (function != ACPI_READ && function != ACPI_WRITE)
+ return AE_BAD_PARAMETER;
+
+- if (bits != 8 && acpi_strict)
+- return AE_BAD_PARAMETER;
+-
+- if (EC_FLAGS_MSI)
++ if (EC_FLAGS_MSI || bits > 8)
+ acpi_ec_burst_enable(ec);
+
+- if (function == ACPI_READ) {
+- result = acpi_ec_read(ec, address, &temp);
+- *value = temp;
+- } else {
+- temp = 0xff & (*value);
+- result = acpi_ec_write(ec, address, temp);
+- }
+-
+- for (i = 8; unlikely(bits - i > 0); i += 8) {
+- ++address;
+- if (function == ACPI_READ) {
+- result = acpi_ec_read(ec, address, &temp);
+- (*value) |= ((acpi_integer)temp) << i;
+- } else {
+- temp = 0xff & ((*value) >> i);
+- result = acpi_ec_write(ec, address, temp);
+- }
+- }
++ for (i = 0; i < bytes; ++i, ++address, ++value)
++ result = (function == ACPI_READ) ?
++ acpi_ec_read(ec, address, value) :
++ acpi_ec_write(ec, address, *value);
+
+- if (EC_FLAGS_MSI)
++ if (EC_FLAGS_MSI || bits > 8)
+ acpi_ec_burst_disable(ec);
+
+ switch (result) {
--- /dev/null
+From 88499ab3d8dbbf9c080416952603742666c71262 Mon Sep 17 00:00:00 2001
+From: Michael Buesch <mb@bu3sch.de>
+Date: Fri, 9 Oct 2009 20:33:32 +0200
+Subject: b43: Optimize PIO scratchbuffer usage
+
+From: Michael Buesch <mb@bu3sch.de>
+
+commit 88499ab3d8dbbf9c080416952603742666c71262 upstream.
+
+This optimizes the PIO scratchbuffer usage.
+
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43/b43.h | 16 +-------
+ drivers/net/wireless/b43/pio.c | 79 +++++++++++++++++++++++-----------------
+ drivers/net/wireless/b43/xmit.c | 2 -
+ 3 files changed, 51 insertions(+), 46 deletions(-)
+
+--- a/drivers/net/wireless/b43/b43.h
++++ b/drivers/net/wireless/b43/b43.h
+@@ -751,12 +751,6 @@ struct b43_wldev {
+ #endif
+ };
+
+-/*
+- * Include goes here to avoid a dependency problem.
+- * A better fix would be to integrate xmit.h into b43.h.
+- */
+-#include "xmit.h"
+-
+ /* Data structure for the WLAN parts (802.11 cores) of the b43 chip. */
+ struct b43_wl {
+ /* Pointer to the active wireless device on this chip */
+@@ -831,13 +825,9 @@ struct b43_wl {
+ /* The device LEDs. */
+ struct b43_leds leds;
+
+- /*
+- * RX/TX header/tail buffers used by the frame transmit functions.
+- */
+- struct b43_rxhdr_fw4 rxhdr;
+- struct b43_txhdr txhdr;
+- u8 rx_tail[4];
+- u8 tx_tail[4];
++ /* Kmalloc'ed scratch space for PIO TX/RX. Protected by wl->mutex. */
++ u8 pio_scratchspace[110] __attribute__((__aligned__(8)));
++ u8 pio_tailspace[4] __attribute__((__aligned__(8)));
+ };
+
+ static inline struct b43_wl *hw_to_b43_wl(struct ieee80211_hw *hw)
+--- a/drivers/net/wireless/b43/pio.c
++++ b/drivers/net/wireless/b43/pio.c
+@@ -342,12 +342,15 @@ static u16 tx_write_2byte_queue(struct b
+ q->mmio_base + B43_PIO_TXDATA,
+ sizeof(u16));
+ if (data_len & 1) {
++ u8 *tail = wl->pio_tailspace;
++ BUILD_BUG_ON(sizeof(wl->pio_tailspace) < 2);
++
+ /* Write the last byte. */
+ ctl &= ~B43_PIO_TXCTL_WRITEHI;
+ b43_piotx_write16(q, B43_PIO_TXCTL, ctl);
+- wl->tx_tail[0] = data[data_len - 1];
+- wl->tx_tail[1] = 0;
+- ssb_block_write(dev->dev, wl->tx_tail, 2,
++ tail[0] = data[data_len - 1];
++ tail[1] = 0;
++ ssb_block_write(dev->dev, tail, 2,
+ q->mmio_base + B43_PIO_TXDATA,
+ sizeof(u16));
+ }
+@@ -393,31 +396,31 @@ static u32 tx_write_4byte_queue(struct b
+ q->mmio_base + B43_PIO8_TXDATA,
+ sizeof(u32));
+ if (data_len & 3) {
+- wl->tx_tail[3] = 0;
++ u8 *tail = wl->pio_tailspace;
++ BUILD_BUG_ON(sizeof(wl->pio_tailspace) < 4);
++
++ memset(tail, 0, 4);
+ /* Write the last few bytes. */
+ ctl &= ~(B43_PIO8_TXCTL_8_15 | B43_PIO8_TXCTL_16_23 |
+ B43_PIO8_TXCTL_24_31);
+ switch (data_len & 3) {
+ case 3:
+ ctl |= B43_PIO8_TXCTL_16_23 | B43_PIO8_TXCTL_8_15;
+- wl->tx_tail[0] = data[data_len - 3];
+- wl->tx_tail[1] = data[data_len - 2];
+- wl->tx_tail[2] = data[data_len - 1];
++ tail[0] = data[data_len - 3];
++ tail[1] = data[data_len - 2];
++ tail[2] = data[data_len - 1];
+ break;
+ case 2:
+ ctl |= B43_PIO8_TXCTL_8_15;
+- wl->tx_tail[0] = data[data_len - 2];
+- wl->tx_tail[1] = data[data_len - 1];
+- wl->tx_tail[2] = 0;
++ tail[0] = data[data_len - 2];
++ tail[1] = data[data_len - 1];
+ break;
+ case 1:
+- wl->tx_tail[0] = data[data_len - 1];
+- wl->tx_tail[1] = 0;
+- wl->tx_tail[2] = 0;
++ tail[0] = data[data_len - 1];
+ break;
+ }
+ b43_piotx_write32(q, B43_PIO8_TXCTL, ctl);
+- ssb_block_write(dev->dev, wl->tx_tail, 4,
++ ssb_block_write(dev->dev, tail, 4,
+ q->mmio_base + B43_PIO8_TXDATA,
+ sizeof(u32));
+ }
+@@ -456,6 +459,7 @@ static int pio_tx_frame(struct b43_pio_t
+ int err;
+ unsigned int hdrlen;
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
++ struct b43_txhdr *txhdr = (struct b43_txhdr *)wl->pio_scratchspace;
+
+ B43_WARN_ON(list_empty(&q->packets_list));
+ pack = list_entry(q->packets_list.next,
+@@ -463,7 +467,9 @@ static int pio_tx_frame(struct b43_pio_t
+
+ cookie = generate_cookie(q, pack);
+ hdrlen = b43_txhdr_size(dev);
+- err = b43_generate_txhdr(dev, (u8 *)&wl->txhdr, skb,
++ BUILD_BUG_ON(sizeof(wl->pio_scratchspace) < sizeof(struct b43_txhdr));
++ B43_WARN_ON(sizeof(wl->pio_scratchspace) < hdrlen);
++ err = b43_generate_txhdr(dev, (u8 *)txhdr, skb,
+ info, cookie);
+ if (err)
+ return err;
+@@ -477,9 +483,9 @@ static int pio_tx_frame(struct b43_pio_t
+
+ pack->skb = skb;
+ if (q->rev >= 8)
+- pio_tx_frame_4byte_queue(pack, (const u8 *)&wl->txhdr, hdrlen);
++ pio_tx_frame_4byte_queue(pack, (const u8 *)txhdr, hdrlen);
+ else
+- pio_tx_frame_2byte_queue(pack, (const u8 *)&wl->txhdr, hdrlen);
++ pio_tx_frame_2byte_queue(pack, (const u8 *)txhdr, hdrlen);
+
+ /* Remove it from the list of available packet slots.
+ * It will be put back when we receive the status report. */
+@@ -625,8 +631,11 @@ static bool pio_rx_frame(struct b43_pio_
+ unsigned int i, padding;
+ struct sk_buff *skb;
+ const char *err_msg = NULL;
++ struct b43_rxhdr_fw4 *rxhdr =
++ (struct b43_rxhdr_fw4 *)wl->pio_scratchspace;
+
+- memset(&wl->rxhdr, 0, sizeof(wl->rxhdr));
++ BUILD_BUG_ON(sizeof(wl->pio_scratchspace) < sizeof(*rxhdr));
++ memset(rxhdr, 0, sizeof(*rxhdr));
+
+ /* Check if we have data and wait for it to get ready. */
+ if (q->rev >= 8) {
+@@ -664,16 +673,16 @@ data_ready:
+
+ /* Get the preamble (RX header) */
+ if (q->rev >= 8) {
+- ssb_block_read(dev->dev, &wl->rxhdr, sizeof(wl->rxhdr),
++ ssb_block_read(dev->dev, rxhdr, sizeof(*rxhdr),
+ q->mmio_base + B43_PIO8_RXDATA,
+ sizeof(u32));
+ } else {
+- ssb_block_read(dev->dev, &wl->rxhdr, sizeof(wl->rxhdr),
++ ssb_block_read(dev->dev, rxhdr, sizeof(*rxhdr),
+ q->mmio_base + B43_PIO_RXDATA,
+ sizeof(u16));
+ }
+ /* Sanity checks. */
+- len = le16_to_cpu(wl->rxhdr.frame_len);
++ len = le16_to_cpu(rxhdr->frame_len);
+ if (unlikely(len > 0x700)) {
+ err_msg = "len > 0x700";
+ goto rx_error;
+@@ -683,7 +692,7 @@ data_ready:
+ goto rx_error;
+ }
+
+- macstat = le32_to_cpu(wl->rxhdr.mac_status);
++ macstat = le32_to_cpu(rxhdr->mac_status);
+ if (macstat & B43_RX_MAC_FCSERR) {
+ if (!(q->dev->wl->filter_flags & FIF_FCSFAIL)) {
+ /* Drop frames with failed FCS. */
+@@ -708,22 +717,25 @@ data_ready:
+ q->mmio_base + B43_PIO8_RXDATA,
+ sizeof(u32));
+ if (len & 3) {
++ u8 *tail = wl->pio_tailspace;
++ BUILD_BUG_ON(sizeof(wl->pio_tailspace) < 4);
++
+ /* Read the last few bytes. */
+- ssb_block_read(dev->dev, wl->rx_tail, 4,
++ ssb_block_read(dev->dev, tail, 4,
+ q->mmio_base + B43_PIO8_RXDATA,
+ sizeof(u32));
+ switch (len & 3) {
+ case 3:
+- skb->data[len + padding - 3] = wl->rx_tail[0];
+- skb->data[len + padding - 2] = wl->rx_tail[1];
+- skb->data[len + padding - 1] = wl->rx_tail[2];
++ skb->data[len + padding - 3] = tail[0];
++ skb->data[len + padding - 2] = tail[1];
++ skb->data[len + padding - 1] = tail[2];
+ break;
+ case 2:
+- skb->data[len + padding - 2] = wl->rx_tail[0];
+- skb->data[len + padding - 1] = wl->rx_tail[1];
++ skb->data[len + padding - 2] = tail[0];
++ skb->data[len + padding - 1] = tail[1];
+ break;
+ case 1:
+- skb->data[len + padding - 1] = wl->rx_tail[0];
++ skb->data[len + padding - 1] = tail[0];
+ break;
+ }
+ }
+@@ -732,15 +744,18 @@ data_ready:
+ q->mmio_base + B43_PIO_RXDATA,
+ sizeof(u16));
+ if (len & 1) {
++ u8 *tail = wl->pio_tailspace;
++ BUILD_BUG_ON(sizeof(wl->pio_tailspace) < 2);
++
+ /* Read the last byte. */
+- ssb_block_read(dev->dev, wl->rx_tail, 2,
++ ssb_block_read(dev->dev, tail, 2,
+ q->mmio_base + B43_PIO_RXDATA,
+ sizeof(u16));
+- skb->data[len + padding - 1] = wl->rx_tail[0];
++ skb->data[len + padding - 1] = tail[0];
+ }
+ }
+
+- b43_rx(q->dev, skb, &wl->rxhdr);
++ b43_rx(q->dev, skb, rxhdr);
+
+ return 1;
+
+--- a/drivers/net/wireless/b43/xmit.c
++++ b/drivers/net/wireless/b43/xmit.c
+@@ -27,7 +27,7 @@
+
+ */
+
+-#include "b43.h"
++#include "xmit.h"
+ #include "phy_common.h"
+ #include "dma.h"
+ #include "pio.h"
--- /dev/null
+From dac876193cd79ced36d0462749ea47c05844fb49 Mon Sep 17 00:00:00 2001
+From: Terry Loftin <terry.loftin@hp.com>
+Date: Fri, 9 Apr 2010 10:29:49 +0000
+Subject: e1000e: stop cleaning when we reach tx_ring->next_to_use
+
+From: Terry Loftin <terry.loftin@hp.com>
+
+commit dac876193cd79ced36d0462749ea47c05844fb49 upstream.
+
+Tx ring buffers after tx_ring->next_to_use are volatile and could
+change, possibly causing a crash. Stop cleaning when we hit
+tx_ring->next_to_use.
+
+Signed-off-by: Terry Loftin <terry.loftin@hp.com>
+Acked-by: Bruce Allan <bruce.w.allan@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Matthew Burgess <matthew@linuxfromscratch.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/e1000e/netdev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/e1000e/netdev.c
++++ b/drivers/net/e1000e/netdev.c
+@@ -665,6 +665,8 @@ static bool e1000_clean_tx_irq(struct e1
+ i = 0;
+ }
+
++ if (i == tx_ring->next_to_use)
++ break;
+ eop = tx_ring->buffer_info[i].next_to_watch;
+ eop_desc = E1000_TX_DESC(*tx_ring, eop);
+ }
--- /dev/null
+From 3a60a1686f0d51c99bd0df8ac93050fb6dfce647 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Date: Mon, 22 Mar 2010 00:41:35 -0500
+Subject: eCryptfs: Decrypt symlink target for stat size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+
+commit 3a60a1686f0d51c99bd0df8ac93050fb6dfce647 upstream.
+
+Create a getattr handler for eCryptfs symlinks that is capable of
+reading the lower target and decrypting its path. Prior to this patch,
+a stat's st_size field would represent the strlen of the encrypted path,
+while readlink() would return the strlen of the decrypted path. This
+could lead to confusion in some userspace applications, since the two
+values should be equal.
+
+https://bugs.launchpad.net/bugs/524919
+
+Reported-by: Loïc Minier <loic.minier@canonical.com>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/inode.c | 100 +++++++++++++++++++++++++++-------------------------
+ 1 file changed, 52 insertions(+), 48 deletions(-)
+
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -638,38 +638,17 @@ out_lock:
+ return rc;
+ }
+
+-static int
+-ecryptfs_readlink(struct dentry *dentry, char __user *buf, int bufsiz)
++static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
++ size_t *bufsiz)
+ {
++ struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
+ char *lower_buf;
+- size_t lower_bufsiz;
+- struct dentry *lower_dentry;
+- struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
+- char *plaintext_name;
+- size_t plaintext_name_size;
++ size_t lower_bufsiz = PATH_MAX;
+ mm_segment_t old_fs;
+ int rc;
+
+- lower_dentry = ecryptfs_dentry_to_lower(dentry);
+- if (!lower_dentry->d_inode->i_op->readlink) {
+- rc = -EINVAL;
+- goto out;
+- }
+- mount_crypt_stat = &ecryptfs_superblock_to_private(
+- dentry->d_sb)->mount_crypt_stat;
+- /*
+- * If the lower filename is encrypted, it will result in a significantly
+- * longer name. If needed, truncate the name after decode and decrypt.
+- */
+- if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
+- lower_bufsiz = PATH_MAX;
+- else
+- lower_bufsiz = bufsiz;
+- /* Released in this function */
+ lower_buf = kmalloc(lower_bufsiz, GFP_KERNEL);
+- if (lower_buf == NULL) {
+- printk(KERN_ERR "%s: Out of memory whilst attempting to "
+- "kmalloc [%zd] bytes\n", __func__, lower_bufsiz);
++ if (!lower_buf) {
+ rc = -ENOMEM;
+ goto out;
+ }
+@@ -679,29 +658,31 @@ ecryptfs_readlink(struct dentry *dentry,
+ (char __user *)lower_buf,
+ lower_bufsiz);
+ set_fs(old_fs);
+- if (rc >= 0) {
+- rc = ecryptfs_decode_and_decrypt_filename(&plaintext_name,
+- &plaintext_name_size,
+- dentry, lower_buf,
+- rc);
+- if (rc) {
+- printk(KERN_ERR "%s: Error attempting to decode and "
+- "decrypt filename; rc = [%d]\n", __func__,
+- rc);
+- goto out_free_lower_buf;
+- }
+- /* Check for bufsiz <= 0 done in sys_readlinkat() */
+- rc = copy_to_user(buf, plaintext_name,
+- min((size_t) bufsiz, plaintext_name_size));
+- if (rc)
+- rc = -EFAULT;
+- else
+- rc = plaintext_name_size;
+- kfree(plaintext_name);
+- fsstack_copy_attr_atime(dentry->d_inode, lower_dentry->d_inode);
+- }
+-out_free_lower_buf:
++ if (rc < 0)
++ goto out;
++ lower_bufsiz = rc;
++ rc = ecryptfs_decode_and_decrypt_filename(buf, bufsiz, dentry,
++ lower_buf, lower_bufsiz);
++out:
+ kfree(lower_buf);
++ return rc;
++}
++
++static int
++ecryptfs_readlink(struct dentry *dentry, char __user *buf, int bufsiz)
++{
++ char *kbuf;
++ size_t kbufsiz, copied;
++ int rc;
++
++ rc = ecryptfs_readlink_lower(dentry, &kbuf, &kbufsiz);
++ if (rc)
++ goto out;
++ copied = min_t(size_t, bufsiz, kbufsiz);
++ rc = copy_to_user(buf, kbuf, copied) ? -EFAULT : copied;
++ kfree(kbuf);
++ fsstack_copy_attr_atime(dentry->d_inode,
++ ecryptfs_dentry_to_lower(dentry)->d_inode);
+ out:
+ return rc;
+ }
+@@ -971,6 +952,28 @@ out:
+ return rc;
+ }
+
++int ecryptfs_getattr_link(struct vfsmount *mnt, struct dentry *dentry,
++ struct kstat *stat)
++{
++ struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
++ int rc = 0;
++
++ mount_crypt_stat = &ecryptfs_superblock_to_private(
++ dentry->d_sb)->mount_crypt_stat;
++ generic_fillattr(dentry->d_inode, stat);
++ if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
++ char *target;
++ size_t targetsiz;
++
++ rc = ecryptfs_readlink_lower(dentry, &target, &targetsiz);
++ if (!rc) {
++ kfree(target);
++ stat->size = targetsiz;
++ }
++ }
++ return rc;
++}
++
+ int ecryptfs_getattr(struct vfsmount *mnt, struct dentry *dentry,
+ struct kstat *stat)
+ {
+@@ -1088,6 +1091,7 @@ const struct inode_operations ecryptfs_s
+ .put_link = ecryptfs_put_link,
+ .permission = ecryptfs_permission,
+ .setattr = ecryptfs_setattr,
++ .getattr = ecryptfs_getattr_link,
+ .setxattr = ecryptfs_setxattr,
+ .getxattr = ecryptfs_getxattr,
+ .listxattr = ecryptfs_listxattr,
--- /dev/null
+From cfce08c6bdfb20ade979284e55001ca1f100ed51 Mon Sep 17 00:00:00 2001
+From: Christian Pulvermacher <pulvermacher@gmx.de>
+Date: Tue, 23 Mar 2010 11:51:38 -0500
+Subject: ecryptfs: fix error code for missing xattrs in lower fs
+
+From: Christian Pulvermacher <pulvermacher@gmx.de>
+
+commit cfce08c6bdfb20ade979284e55001ca1f100ed51 upstream.
+
+If the lower file system driver has extended attributes disabled,
+ecryptfs' own access functions return -ENOSYS instead of -EOPNOTSUPP.
+This breaks execution of programs in the ecryptfs mount, since the
+kernel expects the latter error when checking for security
+capabilities in xattrs.
+
+Signed-off-by: Christian Pulvermacher <pulvermacher@gmx.de>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -998,7 +998,7 @@ ecryptfs_setxattr(struct dentry *dentry,
+
+ lower_dentry = ecryptfs_dentry_to_lower(dentry);
+ if (!lower_dentry->d_inode->i_op->setxattr) {
+- rc = -ENOSYS;
++ rc = -EOPNOTSUPP;
+ goto out;
+ }
+ mutex_lock(&lower_dentry->d_inode->i_mutex);
+@@ -1016,7 +1016,7 @@ ecryptfs_getxattr_lower(struct dentry *l
+ int rc = 0;
+
+ if (!lower_dentry->d_inode->i_op->getxattr) {
+- rc = -ENOSYS;
++ rc = -EOPNOTSUPP;
+ goto out;
+ }
+ mutex_lock(&lower_dentry->d_inode->i_mutex);
+@@ -1043,7 +1043,7 @@ ecryptfs_listxattr(struct dentry *dentry
+
+ lower_dentry = ecryptfs_dentry_to_lower(dentry);
+ if (!lower_dentry->d_inode->i_op->listxattr) {
+- rc = -ENOSYS;
++ rc = -EOPNOTSUPP;
+ goto out;
+ }
+ mutex_lock(&lower_dentry->d_inode->i_mutex);
+@@ -1060,7 +1060,7 @@ static int ecryptfs_removexattr(struct d
+
+ lower_dentry = ecryptfs_dentry_to_lower(dentry);
+ if (!lower_dentry->d_inode->i_op->removexattr) {
+- rc = -ENOSYS;
++ rc = -EOPNOTSUPP;
+ goto out;
+ }
+ mutex_lock(&lower_dentry->d_inode->i_mutex);
--- /dev/null
+From 133b8f9d632cc23715c6d72d1c5ac449e054a12a Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@jeffreymahoney.com>
+Date: Fri, 19 Mar 2010 15:35:46 -0400
+Subject: ecryptfs: fix use with tmpfs by removing d_drop from ecryptfs_destroy_inode
+
+From: Jeff Mahoney <jeffm@jeffreymahoney.com>
+
+commit 133b8f9d632cc23715c6d72d1c5ac449e054a12a upstream.
+
+Since tmpfs has no persistent storage, it pins all its dentries in memory
+so they have d_count=1 when other file systems would have d_count=0.
+->lookup is only used to create new dentries. If the caller doesn't
+instantiate it, it's freed immediately at dput(). ->readdir reads
+directly from the dcache and depends on the dentries being hashed.
+
+When an ecryptfs mount is mounted, it associates the lower file and dentry
+with the ecryptfs files as they're accessed. When it's umounted and
+destroys all the in-memory ecryptfs inodes, it fput's the lower_files and
+d_drop's the lower_dentries. Commit 4981e081 added this and a d_delete in
+2008 and several months later commit caeeeecf removed the d_delete. I
+believe the d_drop() needs to be removed as well.
+
+The d_drop effectively hides any file that has been accessed via ecryptfs
+from the underlying tmpfs since it depends on it being hashed for it to
+be accessible. I've removed the d_drop on my development node and see no
+ill effects with basic testing on both tmpfs and persistent storage.
+
+As a side effect, after ecryptfs d_drops the dentries on tmpfs, tmpfs
+BUGs on umount. This is due to the dentries being unhashed.
+tmpfs->kill_sb is kill_litter_super which calls d_genocide to drop
+the reference pinning the dentry. It skips unhashed and negative dentries,
+but shrink_dcache_for_umount_subtree doesn't. Since those dentries
+still have an elevated d_count, we get a BUG().
+
+This patch removes the d_drop call and fixes both issues.
+
+This issue was reported at:
+https://bugzilla.novell.com/show_bug.cgi?id=567887
+
+Reported-by: Árpád Bíró <biroa@demasz.hu>
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Cc: Dustin Kirkland <kirkland@canonical.com>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/super.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ecryptfs/super.c
++++ b/fs/ecryptfs/super.c
+@@ -85,7 +85,6 @@ static void ecryptfs_destroy_inode(struc
+ if (lower_dentry->d_inode) {
+ fput(inode_info->lower_file);
+ inode_info->lower_file = NULL;
+- d_drop(lower_dentry);
+ }
+ }
+ ecryptfs_destroy_crypt_stat(&inode_info->crypt_stat);
--- /dev/null
+From dff010ac8e57e43669518a14c0e945dfeb80c2a7 Mon Sep 17 00:00:00 2001
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Date: Tue, 2 Feb 2010 16:58:34 -0800
+Subject: iwlwifi: clear all tx queues when firmware ready
+
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+
+commit dff010ac8e57e43669518a14c0e945dfeb80c2a7 upstream.
+
+Reset and clear all the tx queues when finished downloading runtime
+uCode and ready to go into operation mode.
+
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-4965.c | 2 ++
+ drivers/net/wireless/iwlwifi/iwl-5000.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-4965.c
++++ b/drivers/net/wireless/iwlwifi/iwl-4965.c
+@@ -715,6 +715,8 @@ static int iwl4965_alive_notify(struct i
+
+ iwl4965_set_wr_ptrs(priv, IWL_CMD_QUEUE_NUM, 0);
+
++ /* reset to 0 to enable all the queue first */
++ priv->txq_ctx_active_msk = 0;
+ /* Map each Tx/cmd queue to its corresponding fifo */
+ for (i = 0; i < ARRAY_SIZE(default_queue_to_tx_fifo); i++) {
+ int ac = default_queue_to_tx_fifo[i];
+--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
+@@ -793,6 +793,8 @@ int iwl5000_alive_notify(struct iwl_priv
+
+ iwl5000_set_wr_ptrs(priv, IWL_CMD_QUEUE_NUM, 0);
+
++ /* reset to 0 to enable all the queue first */
++ priv->txq_ctx_active_msk = 0;
+ /* map qos queues to fifos one-to-one */
+ for (i = 0; i < ARRAY_SIZE(iwl5000_default_queue_to_tx_fifo); i++) {
+ int ac = iwl5000_default_queue_to_tx_fifo[i];
--- /dev/null
+From bbcbb9ef9735c67da303d30bd6beb9e699f0f508 Mon Sep 17 00:00:00 2001
+From: Reinette Chatre <reinette.chatre@intel.com>
+Date: Tue, 2 Feb 2010 10:57:12 -0800
+Subject: iwlwifi: fix scan race
+
+From: Reinette Chatre <reinette.chatre@intel.com>
+
+commit bbcbb9ef9735c67da303d30bd6beb9e699f0f508 upstream.
+
+There is a problem if an "internal short scan" is in progress when a
+mac80211 requested scan arrives. If this new scan request arrives within
+the "next_scan_jiffies" period then driver will immediately return success
+and complete the scan. The problem here is that the scan has not been
+fully initialized at this time (is_internal_short_scan is still set to true
+because of the currently running scan), which results in the scan
+completion never to be sent to mac80211. At this time also, evan though the
+internal short scan is still running the state (is_internal_short_scan)
+will be set to false, so when the internal scan does complete then mac80211
+will receive a scan completion.
+
+Fix this by checking right away if a scan is in progress when a scan
+request arrives from mac80211.
+
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-scan.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-scan.c
++++ b/drivers/net/wireless/iwlwifi/iwl-scan.c
+@@ -405,21 +405,6 @@ void iwl_init_scan_params(struct iwl_pri
+
+ static int iwl_scan_initiate(struct iwl_priv *priv)
+ {
+- if (!iwl_is_ready_rf(priv)) {
+- IWL_DEBUG_SCAN(priv, "Aborting scan due to not ready.\n");
+- return -EIO;
+- }
+-
+- if (test_bit(STATUS_SCANNING, &priv->status)) {
+- IWL_DEBUG_SCAN(priv, "Scan already in progress.\n");
+- return -EAGAIN;
+- }
+-
+- if (test_bit(STATUS_SCAN_ABORTING, &priv->status)) {
+- IWL_DEBUG_SCAN(priv, "Scan request while abort pending\n");
+- return -EAGAIN;
+- }
+-
+ IWL_DEBUG_INFO(priv, "Starting scan...\n");
+ set_bit(STATUS_SCANNING, &priv->status);
+ priv->scan_start = jiffies;
+@@ -450,6 +435,18 @@ int iwl_mac_hw_scan(struct ieee80211_hw
+ goto out_unlock;
+ }
+
++ if (test_bit(STATUS_SCANNING, &priv->status)) {
++ IWL_DEBUG_SCAN(priv, "Scan already in progress.\n");
++ ret = -EAGAIN;
++ goto out_unlock;
++ }
++
++ if (test_bit(STATUS_SCAN_ABORTING, &priv->status)) {
++ IWL_DEBUG_SCAN(priv, "Scan request while abort pending\n");
++ ret = -EAGAIN;
++ goto out_unlock;
++ }
++
+ /* We don't schedule scan within next_scan_jiffies period.
+ * Avoid scanning during possible EAPOL exchange, return
+ * success immediately.
--- /dev/null
+From youquan.song@linux.intel.com Wed Apr 21 11:57:31 2010
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 16 Apr 2010 05:14:41 -0400
+Subject: perf_events, x86: Implement Intel Westmere/Nehalem-EX support
+To: Vince Weaver <vweaver1@eecs.utk.edu>, gregkh@novell.com
+Cc: youquan.song@intel.com, a.p.zijlstra@chello.nl, gregkh@novell.com, "Youquan, Song" <youquan.song@linux.intel.com>, trenn@novell.com, stable@kernel.org
+Message-ID: <20100416091441.GA14199@youquan-linux.bj.intel.com>
+Content-Disposition: inline
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+original patch commit ids: 452a339a976e7f782c786eb3f73080401e2fa3a6 and
+134fbadf028a5977a1b06b0253d3ee33e6f0c642
+
+perf_events, x86: Implement Intel Westmere support
+
+The new Intel documentation includes Westmere arch specific
+event maps that are significantly different from the Nehalem
+ones. Add support for this generation.
+
+Found the CPUID model numbers on wikipedia.
+
+Also ammend some Nehalem constraints, spotted those when looking
+for the differences between Nehalem and Westmere.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Stephane Eranian <eranian@google.com>
+LKML-Reference: <20100127221122.151865645@chello.nl>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+
+perf, x86: Enable Nehalem-EX support
+
+According to Intel Software Devel Manual Volume 3B, the
+Nehalem-EX PMU is just like regular Nehalem (except for the
+uncore support, which is completely different).
+
+Signed-off-by: Vince Weaver <vweaver1@eecs.utk.edu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Lin Ming <ming.m.lin@intel.com>
+LKML-Reference: <alpine.DEB.2.00.1004060956580.1417@cl320.eecs.utk.edu>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: Youquan Song <youquan.song@linux.intel.com>
+---
+
+
+---
+ arch/x86/kernel/cpu/perf_event.c | 104 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 103 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perf_event.c
++++ b/arch/x86/kernel/cpu/perf_event.c
+@@ -190,6 +190,97 @@ static u64 __read_mostly hw_cache_event_
+ [PERF_COUNT_HW_CACHE_OP_MAX]
+ [PERF_COUNT_HW_CACHE_RESULT_MAX];
+
++static const u64 westmere_hw_cache_event_ids
++ [PERF_COUNT_HW_CACHE_MAX]
++ [PERF_COUNT_HW_CACHE_OP_MAX]
++ [PERF_COUNT_HW_CACHE_RESULT_MAX] =
++{
++ [ C(L1D) ] = {
++ [ C(OP_READ) ] = {
++ [ C(RESULT_ACCESS) ] = 0x010b, /* MEM_INST_RETIRED.LOADS */
++ [ C(RESULT_MISS) ] = 0x0151, /* L1D.REPL */
++ },
++ [ C(OP_WRITE) ] = {
++ [ C(RESULT_ACCESS) ] = 0x020b, /* MEM_INST_RETURED.STORES */
++ [ C(RESULT_MISS) ] = 0x0251, /* L1D.M_REPL */
++ },
++ [ C(OP_PREFETCH) ] = {
++ [ C(RESULT_ACCESS) ] = 0x014e, /* L1D_PREFETCH.REQUESTS */
++ [ C(RESULT_MISS) ] = 0x024e, /* L1D_PREFETCH.MISS */
++ },
++ },
++ [ C(L1I ) ] = {
++ [ C(OP_READ) ] = {
++ [ C(RESULT_ACCESS) ] = 0x0380, /* L1I.READS */
++ [ C(RESULT_MISS) ] = 0x0280, /* L1I.MISSES */
++ },
++ [ C(OP_WRITE) ] = {
++ [ C(RESULT_ACCESS) ] = -1,
++ [ C(RESULT_MISS) ] = -1,
++ },
++ [ C(OP_PREFETCH) ] = {
++ [ C(RESULT_ACCESS) ] = 0x0,
++ [ C(RESULT_MISS) ] = 0x0,
++ },
++ },
++ [ C(LL ) ] = {
++ [ C(OP_READ) ] = {
++ [ C(RESULT_ACCESS) ] = 0x0324, /* L2_RQSTS.LOADS */
++ [ C(RESULT_MISS) ] = 0x0224, /* L2_RQSTS.LD_MISS */
++ },
++ [ C(OP_WRITE) ] = {
++ [ C(RESULT_ACCESS) ] = 0x0c24, /* L2_RQSTS.RFOS */
++ [ C(RESULT_MISS) ] = 0x0824, /* L2_RQSTS.RFO_MISS */
++ },
++ [ C(OP_PREFETCH) ] = {
++ [ C(RESULT_ACCESS) ] = 0x4f2e, /* LLC Reference */
++ [ C(RESULT_MISS) ] = 0x412e, /* LLC Misses */
++ },
++ },
++ [ C(DTLB) ] = {
++ [ C(OP_READ) ] = {
++ [ C(RESULT_ACCESS) ] = 0x010b, /* MEM_INST_RETIRED.LOADS */
++ [ C(RESULT_MISS) ] = 0x0108, /* DTLB_LOAD_MISSES.ANY */
++ },
++ [ C(OP_WRITE) ] = {
++ [ C(RESULT_ACCESS) ] = 0x020b, /* MEM_INST_RETURED.STORES */
++ [ C(RESULT_MISS) ] = 0x010c, /* MEM_STORE_RETIRED.DTLB_MISS */
++ },
++ [ C(OP_PREFETCH) ] = {
++ [ C(RESULT_ACCESS) ] = 0x0,
++ [ C(RESULT_MISS) ] = 0x0,
++ },
++ },
++ [ C(ITLB) ] = {
++ [ C(OP_READ) ] = {
++ [ C(RESULT_ACCESS) ] = 0x01c0, /* INST_RETIRED.ANY_P */
++ [ C(RESULT_MISS) ] = 0x0185, /* ITLB_MISSES.ANY */
++ },
++ [ C(OP_WRITE) ] = {
++ [ C(RESULT_ACCESS) ] = -1,
++ [ C(RESULT_MISS) ] = -1,
++ },
++ [ C(OP_PREFETCH) ] = {
++ [ C(RESULT_ACCESS) ] = -1,
++ [ C(RESULT_MISS) ] = -1,
++ },
++ },
++ [ C(BPU ) ] = {
++ [ C(OP_READ) ] = {
++ [ C(RESULT_ACCESS) ] = 0x00c4, /* BR_INST_RETIRED.ALL_BRANCHES */
++ [ C(RESULT_MISS) ] = 0x03e8, /* BPU_CLEARS.ANY */
++ },
++ [ C(OP_WRITE) ] = {
++ [ C(RESULT_ACCESS) ] = -1,
++ [ C(RESULT_MISS) ] = -1,
++ },
++ [ C(OP_PREFETCH) ] = {
++ [ C(RESULT_ACCESS) ] = -1,
++ [ C(RESULT_MISS) ] = -1,
++ },
++ },
++};
++
+ static const u64 nehalem_hw_cache_event_ids
+ [PERF_COUNT_HW_CACHE_MAX]
+ [PERF_COUNT_HW_CACHE_OP_MAX]
+@@ -1999,6 +2090,7 @@ static int intel_pmu_init(void)
+ * Install the hw-cache-events table:
+ */
+ switch (boot_cpu_data.x86_model) {
++
+ case 15: /* original 65 nm celeron/pentium/core2/xeon, "Merom"/"Conroe" */
+ case 22: /* single-core 65 nm celeron/core2solo "Merom-L"/"Conroe-L" */
+ case 23: /* current 45 nm celeron/core2/xeon "Penryn"/"Wolfdale" */
+@@ -2009,7 +2101,9 @@ static int intel_pmu_init(void)
+ pr_cont("Core2 events, ");
+ break;
+ default:
+- case 26:
++ case 26: /* 45 nm nehalem, "Bloomfield" */
++ case 30: /* 45 nm nehalem, "Lynnfield" */
++ case 46: /* 45 nm nehalem-ex, "Beckton" */
+ memcpy(hw_cache_event_ids, nehalem_hw_cache_event_ids,
+ sizeof(hw_cache_event_ids));
+
+@@ -2021,6 +2115,14 @@ static int intel_pmu_init(void)
+
+ pr_cont("Atom events, ");
+ break;
++
++ case 37: /* 32 nm nehalem, "Clarkdale" */
++ case 44: /* 32 nm nehalem, "Gulftown" */
++ memcpy(hw_cache_event_ids, westmere_hw_cache_event_ids,
++ sizeof(hw_cache_event_ids));
++
++ pr_cont("Westmere events, ");
++ break;
+ }
+ return 0;
+ }
--- /dev/null
+From c0cd884af045338476b8e69a61fceb3f34ff22f1 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@redhat.com>
+Date: Mon, 29 Mar 2010 13:16:02 -0700
+Subject: r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
+
+From: Neil Horman <nhorman@redhat.com>
+
+commit c0cd884af045338476b8e69a61fceb3f34ff22f1 upstream.
+
+Official patch to fix the r8169 frame length check error.
+
+Based on this initial thread:
+http://marc.info/?l=linux-netdev&m=126202972828626&w=1
+This is the official patch to fix the frame length problems in the r8169
+driver. As noted in the previous thread, while this patch incurs a performance
+hit on the driver, its possible to improve performance dynamically by updating
+the mtu and rx_copybreak values at runtime to return performance to what it was
+for those NICS which are unaffected by the ideosyncracy (if there are any).
+
+Summary:
+
+ A while back Eric submitted a patch for r8169 in which the proper
+allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
+much data. This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4. A
+long time prior to that however, Francois posted
+126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize
+setting due to the fact that the hardware behaved in odd ways when overlong
+frames were received on NIC's supported by this driver. This was mentioned in a
+security conference recently:
+http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+
+It seems that if we can't enable frame size filtering, then, as Eric correctly
+noticed, we can find ourselves DMA-ing too much data to a buffer, causing
+corruption. As a result is seems that we are forced to allocate a frame which
+is ready to handle a maximally sized receive.
+
+This obviously has performance issues with it, so to mitigate that issue, this
+patch does two things:
+
+1) Raises the copybreak value to the frame allocation size, which should force
+appropriately sized packets to get allocated on rx, rather than a full new 16k
+buffer.
+
+2) This patch only disables frame filtering initially (i.e., during the NIC
+open), changing the MTU results in ring buffer allocation of a size in relation
+to the new mtu (along with a warning indicating that this is dangerous).
+
+Because of item (2), individuals who can't cope with the performance hit (or can
+otherwise filter frames to prevent the bug), or who have hardware they are sure
+is unaffected by this issue, can manually lower the copybreak and reset the mtu
+such that performance is restored easily.
+
+Signed-off-by: Neil Horman <nhorman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r8169.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -186,7 +186,12 @@ static struct pci_device_id rtl8169_pci_
+
+ MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
+
+-static int rx_copybreak = 200;
++/*
++ * we set our copybreak very high so that we don't have
++ * to allocate 16k frames all the time (see note in
++ * rtl8169_open()
++ */
++static int rx_copybreak = 16383;
+ static int use_dac;
+ static struct {
+ u32 msg_enable;
+@@ -3245,9 +3250,13 @@ static void __devexit rtl8169_remove_one
+ }
+
+ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+- struct net_device *dev)
++ unsigned int mtu)
+ {
+- unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++
++ if (max_frame != 16383)
++ printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
++ "May lead to frame reception errors!\n");
+
+ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+@@ -3259,7 +3268,17 @@ static int rtl8169_open(struct net_devic
+ int retval = -ENOMEM;
+
+
+- rtl8169_set_rxbufsize(tp, dev);
++ /*
++ * Note that we use a magic value here, its wierd I know
++ * its done because, some subset of rtl8169 hardware suffers from
++ * a problem in which frames received that are longer than
++ * the size set in RxMaxSize register return garbage sizes
++ * when received. To avoid this we need to turn off filtering,
++ * which is done by setting a value of 16383 in the RxMaxSize register
++ * and allocating 16k frames to handle the largest possible rx value
++ * thats what the magic math below does.
++ */
++ rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
+
+ /*
+ * Rx and Tx desscriptors needs 256 bytes alignment.
+@@ -3912,7 +3931,7 @@ static int rtl8169_change_mtu(struct net
+
+ rtl8169_down(dev);
+
+- rtl8169_set_rxbufsize(tp, dev);
++ rtl8169_set_rxbufsize(tp, dev->mtu);
+
+ ret = rtl8169_init_ring(dev);
+ if (ret < 0)
--- /dev/null
+From john.wright@hp.com Wed Apr 21 11:41:33 2010
+From: John Wright <john.wright@hp.com>
+Date: Tue, 13 Apr 2010 16:55:37 -0600
+Subject: sched: Fix a race between ttwu() and migrate_task()
+Cc: Ingo Molnar <mingo@elte.hu>, Peter Zijlstra <peterz@infradead.org>, Greg Kroah-Hartman <gregkh@suse.de>, Terry Loftin <terry.loftin@hp.com>, John Wright <john.wright@hp.com>
+Message-ID: <1271199337-23284-2-git-send-email-john.wright@hp.com>
+
+Based on commit e2912009fb7b715728311b0d8fe327a1432b3f79 upstream, but
+done differently as this issue is not present in .33 or .34 kernels due
+to rework in this area.
+
+If a task is in the TASK_WAITING state, then try_to_wake_up() is working
+on it, and it will place it on the correct cpu.
+
+This commit ensures that neither migrate_task() nor __migrate_task()
+calls set_task_cpu(p) while p is in the TASK_WAKING state. Otherwise,
+there could be two concurrent calls to set_task_cpu(p), resulting in
+the task's cfs_rq being inconsistent with its cpu.
+
+Signed-off-by: John Wright <john.wright@hp.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -2116,12 +2116,10 @@ migrate_task(struct task_struct *p, int
+
+ /*
+ * If the task is not on a runqueue (and not running), then
+- * it is sufficient to simply update the task's cpu field.
++ * the next wake-up will properly place the task.
+ */
+- if (!p->se.on_rq && !task_running(rq, p)) {
+- set_task_cpu(p, dest_cpu);
++ if (!p->se.on_rq && !task_running(rq, p))
+ return 0;
+- }
+
+ init_completion(&req->done);
+ req->task = p;
+@@ -7167,6 +7165,9 @@ static int __migrate_task(struct task_st
+ /* Already moved. */
+ if (task_cpu(p) != src_cpu)
+ goto done;
++ /* Waking up, don't get in the way of try_to_wake_up(). */
++ if (p->state == TASK_WAKING)
++ goto fail;
+ /* Affinity changed (again). */
+ if (!cpumask_test_cpu(dest_cpu, &p->cpus_allowed))
+ goto fail;
b43-fall-back-gracefully-to-pio-mode-after-fatal-dma-errors.patch
alsa-hda-add-position_fix-quirk-for-biostar-mobo.patch
agp-hp-fixup-hp-agp-after-acpi-changes.patch
+b43-optimize-pio-scratchbuffer-usage.patch
+ecryptfs-fix-use-with-tmpfs-by-removing-d_drop-from-ecryptfs_destroy_inode.patch
+ecryptfs-decrypt-symlink-target-for-stat-size.patch
+ecryptfs-fix-error-code-for-missing-xattrs-in-lower-fs.patch
+sched-fix-a-race-between-ttwu-and-migrate_task.patch
+usb-cdc-acm-update-to-new-autopm-api.patch
+usb-cdc-acm-fix-stupid-null-pointer-in-resume.patch
+iwlwifi-clear-all-tx-queues-when-firmware-ready.patch
+iwlwifi-fix-scan-race.patch
+e1000e-stop-cleaning-when-we-reach-tx_ring-next_to_use.patch
+r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
+tcp-fix-icmp-rto-war.patch
+perf_events-x86-implement-intel-westmere-nehalem-ex-support.patch
+acpi-ec-allow-multibyte-access-to-ec.patch
--- /dev/null
+From 598856407d4e20ebb4de01a91a93d89325924d43 Mon Sep 17 00:00:00 2001
+From: Damian Lukowski <damian@tvk.rwth-aachen.de>
+Date: Wed, 10 Feb 2010 18:04:08 -0800
+Subject: tcp: fix ICMP-RTO war
+
+From: Damian Lukowski <damian@tvk.rwth-aachen.de>
+
+commit 598856407d4e20ebb4de01a91a93d89325924d43 upstream.
+
+Make sure, that TCP has a nonzero RTT estimation after three-way
+handshake. Currently, a listening TCP has a value of 0 for srtt,
+rttvar and rto right after the three-way handshake is completed
+with TCP timestamps disabled.
+This will lead to corrupt RTO recalculation and retransmission
+flood when RTO is recalculated on backoff reversion as introduced
+in "Revert RTO on ICMP destination unreachable"
+(f1ecd5d9e7366609d640ff4040304ea197fbc618).
+This behaviour can be provoked by connecting to a server which
+"responds first" (like SMTP) and rejecting every packet after
+the handshake with dest-unreachable, which will lead to softirq
+load on the server (up to 30% per socket in some tests).
+
+Thanks to Ilpo Jarvinen for providing debug patches and to
+Denys Fedoryshchenko for reporting and testing.
+
+Changes since v3: Removed bad characters in patchfile.
+
+Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
+Signed-off-by: Damian Lukowski <damian@tvk.rwth-aachen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_input.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5699,11 +5699,9 @@ int tcp_rcv_state_process(struct sock *s
+
+ /* tcp_ack considers this ACK as duplicate
+ * and does not calculate rtt.
+- * Fix it at least with timestamps.
++ * Force it here.
+ */
+- if (tp->rx_opt.saw_tstamp &&
+- tp->rx_opt.rcv_tsecr && !tp->srtt)
+- tcp_ack_saw_tstamp(sk, 0);
++ tcp_ack_update_rtt(sk, 0, 0);
+
+ if (tp->rx_opt.tstamp_ok)
+ tp->advmss -= TCPOLEN_TSTAMP_ALIGNED;
--- /dev/null
+From f0730924e9e32bb8935c60040a26d94179355088 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Wed, 3 Mar 2010 00:37:56 +0100
+Subject: USB: cdc-acm: Fix stupid NULL pointer in resume()
+
+From: Oliver Neukum <oliver@neukum.org>
+
+commit f0730924e9e32bb8935c60040a26d94179355088 upstream.
+
+Stupid logic bug passing a just nulled pointer
+
+Signed-off-by: Oliver Neukum <neukum@b1-systems.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1441,7 +1441,7 @@ static int acm_resume(struct usb_interfa
+ wb = acm->delayed_wb;
+ acm->delayed_wb = NULL;
+ spin_unlock_irq(&acm->write_lock);
+- acm_start_wb(acm, acm->delayed_wb);
++ acm_start_wb(acm, wb);
+ } else {
+ spin_unlock_irq(&acm->write_lock);
+ }
--- /dev/null
+From 97d35f95552c9a0ee4777a7f04431a9fd1260478 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Wed, 16 Dec 2009 17:05:57 +0100
+Subject: USB: cdc-acm: Update to new autopm API
+
+From: Oliver Neukum <oliver@neukum.org>
+
+commit 97d35f95552c9a0ee4777a7f04431a9fd1260478 upstream.
+
+Update cdc-acm to the async methods eliminating the workqueue
+
+[This fixes a reported lockup for the cdc-acm driver - gregkh]
+
+Signed-off-by: Oliver Neukum <oliver@neukum.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c | 43 ++++++++++++++++++++++---------------------
+ drivers/usb/class/cdc-acm.h | 1 -
+ 2 files changed, 22 insertions(+), 22 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -170,6 +170,7 @@ static void acm_write_done(struct acm *a
+ {
+ wb->use = 0;
+ acm->transmitting--;
++ usb_autopm_put_interface_async(acm->control);
+ }
+
+ /*
+@@ -211,9 +212,12 @@ static int acm_write_start(struct acm *a
+ }
+
+ dbg("%s susp_count: %d", __func__, acm->susp_count);
++ usb_autopm_get_interface_async(acm->control);
+ if (acm->susp_count) {
+- acm->delayed_wb = wb;
+- schedule_work(&acm->waker);
++ if (!acm->delayed_wb)
++ acm->delayed_wb = wb;
++ else
++ usb_autopm_put_interface_async(acm->control);
+ spin_unlock_irqrestore(&acm->write_lock, flags);
+ return 0; /* A white lie */
+ }
+@@ -534,23 +538,6 @@ static void acm_softint(struct work_stru
+ tty_kref_put(tty);
+ }
+
+-static void acm_waker(struct work_struct *waker)
+-{
+- struct acm *acm = container_of(waker, struct acm, waker);
+- int rv;
+-
+- rv = usb_autopm_get_interface(acm->control);
+- if (rv < 0) {
+- dev_err(&acm->dev->dev, "Autopm failure in %s\n", __func__);
+- return;
+- }
+- if (acm->delayed_wb) {
+- acm_start_wb(acm, acm->delayed_wb);
+- acm->delayed_wb = NULL;
+- }
+- usb_autopm_put_interface(acm->control);
+-}
+-
+ /*
+ * TTY handlers
+ */
+@@ -1178,7 +1165,6 @@ made_compressed_probe:
+ acm->urb_task.func = acm_rx_tasklet;
+ acm->urb_task.data = (unsigned long) acm;
+ INIT_WORK(&acm->work, acm_softint);
+- INIT_WORK(&acm->waker, acm_waker);
+ init_waitqueue_head(&acm->drain_wait);
+ spin_lock_init(&acm->throttle_lock);
+ spin_lock_init(&acm->write_lock);
+@@ -1343,7 +1329,6 @@ static void stop_data_traffic(struct acm
+ tasklet_enable(&acm->urb_task);
+
+ cancel_work_sync(&acm->work);
+- cancel_work_sync(&acm->waker);
+ }
+
+ static void acm_disconnect(struct usb_interface *intf)
+@@ -1435,6 +1420,7 @@ static int acm_suspend(struct usb_interf
+ static int acm_resume(struct usb_interface *intf)
+ {
+ struct acm *acm = usb_get_intfdata(intf);
++ struct acm_wb *wb;
+ int rv = 0;
+ int cnt;
+
+@@ -1449,6 +1435,21 @@ static int acm_resume(struct usb_interfa
+ mutex_lock(&acm->mutex);
+ if (acm->port.count) {
+ rv = usb_submit_urb(acm->ctrlurb, GFP_NOIO);
++
++ spin_lock_irq(&acm->write_lock);
++ if (acm->delayed_wb) {
++ wb = acm->delayed_wb;
++ acm->delayed_wb = NULL;
++ spin_unlock_irq(&acm->write_lock);
++ acm_start_wb(acm, acm->delayed_wb);
++ } else {
++ spin_unlock_irq(&acm->write_lock);
++ }
++
++ /*
++ * delayed error checking because we must
++ * do the write path at all cost
++ */
+ if (rv < 0)
+ goto err_out;
+
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -112,7 +112,6 @@ struct acm {
+ struct mutex mutex;
+ struct usb_cdc_line_coding line; /* bits, stop, parity */
+ struct work_struct work; /* work queue entry for line discipline waking up */
+- struct work_struct waker;
+ wait_queue_head_t drain_wait; /* close processing */
+ struct tasklet_struct urb_task; /* rx processing */
+ spinlock_t throttle_lock; /* synchronize throtteling and read callback */
projects / thirdparty / kernel / stable-queue.git / commitdiff
