--- /dev/null
+From 7b14f58ad65f9d74e4273fb45360cfea824495aa Mon Sep 17 00:00:00 2001
+From: adam radford <aradford@gmail.com>
+Date: Mon, 11 May 2009 14:55:55 -0700
+Subject: [SCSI] 3w-xxxx: scsi_dma_unmap fix
+
+From: adam radford <aradford@gmail.com>
+
+commit 7b14f58ad65f9d74e4273fb45360cfea824495aa upstream.
+
+This patch fixes the following regression that occurred during the
+scsi_dma_map()/unmap()
+changes when compiling with CONFIG_DMA_API_DEBUG=y :
+
+WARNING: at lib/dma-debug.c:496 check_unmap+0x142/0x542()
+Hardware name:
+3w-xxxx 0000:02:02.0: DMA-API: device driver tries to free DMA memory
+it has not allocated [device address=0x0000000000000000] [size=36
+bytes]
+
+Signed-off-by: Adam Radford <aradford@gmail.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/3w-xxxx.c | 5 +++--
+ drivers/scsi/3w-xxxx.h | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -6,7 +6,7 @@
+ Arnaldo Carvalho de Melo <acme@conectiva.com.br>
+ Brad Strand <linux@3ware.com>
+
+- Copyright (C) 1999-2007 3ware Inc.
++ Copyright (C) 1999-2009 3ware Inc.
+
+ Kernel compatiblity By: Andre Hedrick <andre@suse.com>
+ Non-Copyright (C) 2000 Andre Hedrick <andre@suse.com>
+@@ -1294,7 +1294,8 @@ static void tw_unmap_scsi_data(struct pc
+ {
+ dprintk(KERN_WARNING "3w-xxxx: tw_unmap_scsi_data()\n");
+
+- scsi_dma_unmap(cmd);
++ if (cmd->SCp.phase == TW_PHASE_SGLIST)
++ scsi_dma_unmap(cmd);
+ } /* End tw_unmap_scsi_data() */
+
+ /* This function will reset a device extension */
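Review bot: The new `if (cmd->SCp.phase == TW_PHASE_SGLIST)` guard in tw_unmap_scsi_data() has no comment saying why the unmap is conditional, so a later cleanup could drop it and bring back the unbalanced unmap the commit message describes. I would add `/* Only unmap when an sglist was actually mapped; unmapping otherwise trips the DMA-API debug check. */` above the test. Where SCp.phase is set to TW_PHASE_SGLIST is outside this hunk, so it is worth confirming that every path that maps the command sets it before completion can run.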
+--- a/drivers/scsi/3w-xxxx.h
++++ b/drivers/scsi/3w-xxxx.h
+@@ -6,7 +6,7 @@
+ Arnaldo Carvalho de Melo <acme@conectiva.com.br>
+ Brad Strand <linux@3ware.com>
+
+- Copyright (C) 1999-2007 3ware Inc.
++ Copyright (C) 1999-2009 3ware Inc.
+
+ Kernel compatiblity By: Andre Hedrick <andre@suse.com>
+ Non-Copyright (C) 2000 Andre Hedrick <andre@suse.com>
--- /dev/null
+From 581daf7e00c5e766f26aff80a61a860a17b0d75a Mon Sep 17 00:00:00 2001
+From: Michael Chan <mchan@broadcom.com>
+Date: Wed, 6 May 2009 16:46:47 -0700
+Subject: bnx2: Fix panic in bnx2_poll_work().
+
+From: Michael Chan <mchan@broadcom.com>
+
+commit 581daf7e00c5e766f26aff80a61a860a17b0d75a upstream.
+
+Add barrier() to bnx2_get_hw_{tx|rx}_cons() to fix this issue:
+
+http://bugzilla.kernel.org/show_bug.cgi?id=12698
+
+This issue was reported by multiple i386 users. Without barrier(),
+the compiled code looks like the following where %eax contains the
+address of the tx_cons or rx_cons in the DMA status block. The
+status block contents can change between the cmpb and the movzwl
+instruction. The driver would crash if the value was not 0xff during
+the cmpb instruction, but changed to 0xff during the movzwl
+instruction.
+
+6828: 80 38 ff cmpb $0xff,(%eax)
+682b: 0f b7 10 movzwl (%eax),%edx
+
+With the added barrier(), the compiled code now looks correct:
+
+683d: 0f b7 10 movzwl (%eax),%edx
+6840: 0f b6 c2 movzbl %dl,%eax
+6843: 3d ff 00 00 00 cmp $0xff,%eax
+
+Thanks to Pascal de Bruijn <pmjdebruijn@pcode.nl> for reporting the
+problem and Holger Noefer <hnoefer@pironet-ndh.com> for patiently
+testing test patches for us.
+
+[greg - took out version change]
+
+Signed-off-by: Michael Chan <mchan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bnx2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/bnx2.c
++++ b/drivers/net/bnx2.c
+@@ -2585,6 +2585,7 @@ bnx2_get_hw_tx_cons(struct bnx2_napi *bn
+ /* Tell compiler that status block fields can change. */
+ barrier();
+ cons = *bnapi->hw_tx_cons_ptr;
++ barrier();
+ if (unlikely((cons & MAX_TX_DESC_CNT) == MAX_TX_DESC_CNT))
+ cons++;
+ return cons;
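Review bot: The load `cons = *bnapi->hw_tx_cons_ptr;` is now fenced by two barrier() calls, but the existing comment only explains the first one, and the second is what keeps the compiler from re-reading the DMA status block between the test and the use. I would document it with `/* Use the value just read; do not let the compiler reload the status block. */`, or express the single read directly as `cons = ACCESS_ONCE(*bnapi->hw_tx_cons_ptr);` if that macro is available in this tree. The same applies to the `hw_rx_cons_ptr` hunk in bnx2_get_hw_rx_cons(). Both function bodies start outside their hunks.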
+@@ -2864,6 +2865,7 @@ bnx2_get_hw_rx_cons(struct bnx2_napi *bn
+ /* Tell compiler that status block fields can change. */
+ barrier();
+ cons = *bnapi->hw_rx_cons_ptr;
++ barrier();
+ if (unlikely((cons & MAX_RX_DESC_CNT) == MAX_RX_DESC_CNT))
+ cons++;
+ return cons;
--- /dev/null
+From 7d60e8ab0d5507229dfbdf456501cc378610fa01 Mon Sep 17 00:00:00 2001
+From: Shaohua Li <shaohua.li@intel.com>
+Date: Tue, 19 May 2009 16:09:54 +0800
+Subject: cpuidle: fix AMD C1E suspend hang
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+commit 7d60e8ab0d5507229dfbdf456501cc378610fa01 upstream.
+
+When AMD C1E is enabled, local APIC timer will stop even in C1. To avoid
+suspend/resume hang, this patch removes C1 and replace it with a cpu_relax() in
+suspend/resume path. This hasn't any impact in runtime path.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=13233
+
+[ impact: avoid suspend/resume hang in AMD CPU with C1E enabled ]
+
+Tested-by: Dmitry Lyzhyn <thisistempbox@yahoo.com>
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/processor_idle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -870,8 +870,8 @@ static int acpi_idle_enter_c1(struct cpu
+
+ /* Do not access any ACPI IO ports in suspend path */
+ if (acpi_idle_suspend) {
+- acpi_safe_halt();
+ local_irq_enable();
++ cpu_relax();
+ return 0;
+ }
+
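Review bot: The comment above the `acpi_idle_suspend` branch still only mentions ACPI I/O ports and does not explain why the branch now runs `cpu_relax()` instead of halting. I would extend it to something like `/* Suspend path: no ACPI IO port access, and no halt, since with AMD C1E the local APIC timer may be stopped */` so the halt is not reintroduced later. acpi_idle_enter_c1() continues outside the hunk.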
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jun 9 01:03:56 2009
+From: Shaohua Li <shaohua.li@intel.com>
+Date: Tue, 2 Jun 2009 10:51:58 +0800
+Subject: cpuidle: make AMC C1E work in processor_idle
+To: stable@kernel.org
+Cc: linux-acpi@vger.kernel.org, lenb@kernel.org
+Message-ID: <20090602025158.GA21337@sli10-desk.sh.intel.com>
+Content-Disposition: inline
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+commit 87ad57bacb25c3f24c54f142ef445f68277705f0 upstream
+
+When AMD C1E is enabled, local APIC timer will stop even in C1. This patch uses
+broadcast ipi to replace local APIC timer in C1.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=13233
+
+[ impact: avoid boot hang in AMD CPU with C1E enabled ]
+
+Tested-by: Dmitry Lyzhyn <thisistempbox@yahoo.com>
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/processor_idle.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -212,6 +212,9 @@ static void acpi_timer_check_state(int s
+ struct acpi_processor_power *pwr = &pr->power;
+ u8 type = local_apic_timer_c2_ok ? ACPI_STATE_C3 : ACPI_STATE_C2;
+
++ if (boot_cpu_has(X86_FEATURE_AMDC1E))
++ type = ACPI_STATE_C1;
++
+ /*
+ * Check, if one of the previous states already marked the lapic
+ * unstable
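Review bot: The override `type = ACPI_STATE_C1;` under `boot_cpu_has(X86_FEATURE_AMDC1E)` silently replaces the value computed from local_apic_timer_c2_ok on the line above it, and nothing in the code says why. I would add `/* With AMD C1E the local APIC timer stops even in C1 */` above the test. In the acpi_idle_enter_c1() hunk further down, the two `acpi_state_timer_broadcast()` calls presumably have to stay paired, so a one-line comment at the first call warning against returning between them would help; that function starts outside its hunk.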
+@@ -648,6 +651,7 @@ static int acpi_processor_power_verify(s
+ switch (cx->type) {
+ case ACPI_STATE_C1:
+ cx->valid = 1;
++ acpi_timer_check_state(i, pr, cx);
+ break;
+
+ case ACPI_STATE_C2:
+@@ -871,12 +875,14 @@ static int acpi_idle_enter_c1(struct cpu
+ return 0;
+ }
+
++ acpi_state_timer_broadcast(pr, cx, 1);
+ t1 = inl(acpi_gbl_FADT.xpm_timer_block.address);
+ acpi_idle_do_entry(cx);
+ t2 = inl(acpi_gbl_FADT.xpm_timer_block.address);
+
+ local_irq_enable();
+ cx->usage++;
++ acpi_state_timer_broadcast(pr, cx, 0);
+
+ return ticks_elapsed_in_us(t1, t2);
+ }
--- /dev/null
+From b898f4f869da5b9d41f297fff87aca4cd42d80b3 Mon Sep 17 00:00:00 2001
+From: Roel Kluin <roel.kluin@gmail.com>
+Date: Thu, 28 May 2009 14:34:29 -0700
+Subject: drivers/serial/mpc52xx_uart.c: fix array overindexing check
+
+From: Roel Kluin <roel.kluin@gmail.com>
+
+commit b898f4f869da5b9d41f297fff87aca4cd42d80b3 upstream.
+
+The check for an overindexing of mpc52xx_uart_{ports,nodes} has an
+off-by-one.
+
+Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
+Acked-by: Wolfram Sang <w.sang@pengutronix.de>
+Acked-by: Grant Likely <grant.likely@secretlab.ca>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/serial/mpc52xx_uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/serial/mpc52xx_uart.c
++++ b/drivers/serial/mpc52xx_uart.c
+@@ -988,7 +988,7 @@ mpc52xx_console_setup(struct console *co
+ pr_debug("mpc52xx_console_setup co=%p, co->index=%i, options=%s\n",
+ co, co->index, options);
+
+- if ((co->index < 0) || (co->index > MPC52xx_PSC_MAXNUM)) {
++ if ((co->index < 0) || (co->index >= MPC52xx_PSC_MAXNUM)) {
+ pr_debug("PSC%x out of range\n", co->index);
+ return -EINVAL;
+ }
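Review bot: The corrected bound `co->index >= MPC52xx_PSC_MAXNUM` is still tied to the indexed arrays only by convention. If mpc52xx_uart_ports and mpc52xx_uart_nodes are declared with MPC52xx_PSC_MAXNUM entries (their declarations are outside this hunk), comparing against the array itself keeps the check correct when a declaration changes: `if ((co->index < 0) || (co->index >= ARRAY_SIZE(mpc52xx_uart_ports))) {`. mpc52xx_console_setup() starts and ends outside the hunk.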
--- /dev/null
+From ea30e11970a96cfe5e32c03a29332554573b4a10 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue, 2 Jun 2009 01:29:58 -0700
+Subject: e1000: add missing length check to e1000 receive routine
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+commit ea30e11970a96cfe5e32c03a29332554573b4a10 upstream.
+
+ Patch to fix bad length checking in e1000. E1000 by default does two
+things:
+
+1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
+2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
+doing an skb_put
+
+Since the e1000 driver isn't written to support receiving packets that span
+multiple rx buffers, it checks the End of Packet bit of every frame, and
+discards it if its not set. This places us in a situation where, if we have a
+spanning packet, the first part is discarded, but the second part is not (since
+it is the end of packet, and it passes the EOP bit test). If the second part of
+the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
+underflow the length, and wind up in skb_over_panic, when we try to skb_put a
+huge number of bytes into the skb. This amounts to a remote DOS attack through
+careful selection of frame size in relation to interface MTU. The fix for this
+is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
+one ever pushed it to e1000. This is lifted straight from e1000e, and prevents
+small frames from causing the underflow described above
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Tested-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/drivers/net/e1000/e1000_main.c
++++ b/drivers/net/e1000/e1000_main.c
+@@ -4027,8 +4027,9 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter,
+ PCI_DMA_FROMDEVICE);
+
+ length = le16_to_cpu(rx_desc->length);
+-
+- if (unlikely(!(status & E1000_RXD_STAT_EOP))) {
++ /* !EOP means multiple descriptors were used to store a single
++ * packet, also make sure the frame isn't just CRC only */
++ if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
+ /* All receives must fit into a single buffer */
+ E1000_DBG("%s: Receive packet consumed multiple"
+ " buffers\n", netdev->name);
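Review bot: The short-frame case added by `(length <= 4)` is reported through the same E1000_DBG text as a missing EOP bit, "Receive packet consumed multiple buffers", so a frame dropped for being CRC-only cannot be told apart in logs from a spanning frame. Since the commit message describes the underflow as remotely triggerable, I would give the length case its own message or drop counter so it can be monitored, and name the constant, e.g. `(length <= ETH_FCS_LEN)` if that define is available in this tree. The inner comment `/* All receives must fit into a single buffer */` should also mention the minimum length. The function continues outside the hunk.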
--- /dev/null
+From f5208997087e6eb2096532b5a313eeb236535bdc Mon Sep 17 00:00:00 2001
+From: Zoltan Karcagi <zkr@freemail.hu>
+Date: Wed, 6 May 2009 16:30:21 +0200
+Subject: HID: fix dropped device-specific quirks
+
+From: Zoltan Karcagi <zkr@freemail.hu>
+
+commit f5208997087e6eb2096532b5a313eeb236535bdc upstream.
+
+Device-specific quirks are set up correctly in their respective vendor-specific
+driver, then get overwritten in usbhid_parse().
+
+This is only issue for device-specific NOGET quirks being set by driver for a
+few devices out there.
+
+Signed-off-by: Zoltan Karcagi <zkr@freemail.hu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/usbhid/hid-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -765,7 +765,7 @@ static int usbhid_parse(struct hid_devic
+ goto err;
+ }
+
+- hid->quirks = quirks;
++ hid->quirks |= quirks;
+
+ return 0;
+ err:
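Review bot: `hid->quirks |= quirks;` now relies on hid->quirks holding only driver-set bits when usbhid_parse() runs, and there is no comment recording that. I would add `/* keep quirks already set by the device-specific driver */` above the line. If usbhid_parse() can run more than once for the same hid_device (not visible here), bits from an earlier lookup would also persist, which is worth confirming. The function starts outside the hunk.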
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jun 9 01:01:58 2009
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Tue, 2 Jun 2009 14:22:49 +0200
+Subject: hwmon: (lm78) Add missing __devexit_p()
+To: stable@kernel.org
+Message-ID: <20090602142249.0ee4ea83@hyperion.delvare>
+
+From: Mike Frysinger <vapier@gentoo.org>
+
+commit 39d8bbedb9571a89d638f5b05358f26ab503d7a6 upstream.
+
+The remove function uses __devexit, so the .remove assignment needs
+__devexit_p() to fix a build error with hotplug disabled.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hwmon/lm78.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm78.c
++++ b/drivers/hwmon/lm78.c
+@@ -182,7 +182,7 @@ static struct platform_driver lm78_isa_d
+ .name = "lm78",
+ },
+ .probe = lm78_isa_probe,
+- .remove = lm78_isa_remove,
++ .remove = __devexit_p(lm78_isa_remove),
+ };
+
+
--- /dev/null
+From 8369d5fa63260cc54464b4687aa6a0f78402d98e Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Date: Fri, 22 May 2009 16:23:36 +0200
+Subject: ide: fix 40-wire cable detection for TSST SH-S202* ATAPI devices (v2)
+
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+
+commit 8369d5fa63260cc54464b4687aa6a0f78402d98e upstream.
+
+Since 2.6.26 we support UDMA66 on ATAPI devices requiring IVB quirk:
+
+ commit 8588a2b732928b343233af9b1855705b8286bed4
+ ("ide: add SH-S202J to ivb_list[]")
+
+We also later added support for more such devices in:
+
+ commit e97564f362a93f8c248246c19828895950341252
+ ("ide: More TSST drives with broken cable detection")
+
+and in:
+
+ commit 3ced5c49bd2d1f2c7f769e3a54385883de63a652
+ ("ide: add TSSTcorp CDDVDW SH-S202H to ivb_list[]")
+
+It turns out that such devices lack cable detection altogether
+(which in turn results in incorrect detection of 40-wire cables
+by our current cable detection strategy) so always handle them
+by trusting host-side cable detection only.
+
+v2:
+Model detection fixup from Martin.
+
+Reported-and-tested-by: Martin Lottermoser <Martin.Lottermoser@t-online.de>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ide/ide-iops.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/ide/ide-iops.c
++++ b/drivers/ide/ide-iops.c
+@@ -587,8 +587,6 @@ EXPORT_SYMBOL_GPL(ide_in_drive_list);
+
+ /*
+ * Early UDMA66 devices don't set bit14 to 1, only bit13 is valid.
+- * We list them here and depend on the device side cable detection for them.
+- *
+ * Some optical devices with the buggy firmwares have the same problem.
+ */
+ static const struct drive_list_entry ivb_list[] = {
+@@ -632,10 +630,25 @@ u8 eighty_ninty_three (ide_drive_t *driv
+ * - force bit13 (80c cable present) check also for !ivb devices
+ * (unless the slave device is pre-ATA3)
+ */
+- if ((id[ATA_ID_HW_CONFIG] & 0x4000) ||
+- (ivb && (id[ATA_ID_HW_CONFIG] & 0x2000)))
++ if (id[ATA_ID_HW_CONFIG] & 0x4000)
+ return 1;
+
++ if (ivb) {
++ const char *model = (char *)&id[ATA_ID_PROD];
++
++ if (strstr(model, "TSSTcorp CDDVDW SH-S202")) {
++ /*
++ * These ATAPI devices always report 80c cable
++ * so we have to depend on the host in this case.
++ */
++ if (hwif->cbl == ATA_CBL_PATA80)
++ return 1;
++ } else {
++ /* Depend on the device side cable detection. */
++ if (id[ATA_ID_HW_CONFIG] & 0x2000)
++ return 1;
++ }
++ }
+ no_80w:
+ if (drive->dev_flags & IDE_DFLAG_UDMA33_WARNED)
+ return 0;
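Review bot: `strstr(model, "TSSTcorp CDDVDW SH-S202")` searches from `&id[ATA_ID_PROD]` with no length bound, while the model string is a fixed-width field inside the identify data; whether it is always NUL-terminated by the time eighty_ninty_three() runs is not visible in this hunk. If that is not guaranteed, the search can read on into the identify words that follow, so I would either bound the match to the field length or add a comment stating where the terminator comes from. The model prefix also repeats names that the commit message says are listed in ivb_list[], so a short comment tying the two together would help whoever adds the next drive. The function body starts and ends outside the hunk.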
--- /dev/null
+From e3b29f05124b07303088795396ff858811d2acb8 Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Date: Fri, 22 May 2009 16:23:37 +0200
+Subject: ide: fix OOPS during ide-cd error recovery
+
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+
+commit e3b29f05124b07303088795396ff858811d2acb8 upstream.
+
+On Tuesday 19 May 2009 20:29:28 Martin Lottermoser wrote:
+
+> hdc: cdrom_decode_status: error=0x40 <3>{ LastFailedSense=0x04 }
+> ide: failed opcode was: unknown
+> hdc: DMA disabled
+> ------------[ cut here ]------------
+> kernel BUG at drivers/ide/ide-io.c:872!
+
+It is possible for ide-cd to ignore ide_error()'s return value under
+some circumstances. Workaround it in ide_intr() and ide_timer_expiry()
+by checking if there is a device/port reset pending currently.
+
+Fixes bug #13345:
+
+ http://bugzilla.kernel.org/show_bug.cgi?id=13345
+
+Reported-by: Martin Lottermoser <Martin.Lottermoser@t-online.de>
+Reported-and-tested-by: Modestas Vainius <modestas@vainius.eu>
+Cc: Borislav Petkov <petkovbb@gmail.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ide/ide-io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ide/ide-io.c
++++ b/drivers/ide/ide-io.c
+@@ -967,7 +967,7 @@ void ide_timer_expiry (unsigned long dat
+ }
+ spin_lock_irq(&hwif->lock);
+ enable_irq(hwif->irq);
+- if (startstop == ide_stopped) {
++ if (startstop == ide_stopped && hwif->polling == 0) {
+ ide_unlock_port(hwif);
+ plug_device = 1;
+ }
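Review bot: The added `hwif->polling == 0` test in ide_timer_expiry() carries no comment, although the commit message calls it a workaround for ide-cd ignoring ide_error()'s return value while a reset is pending. I would add `/* a device/port reset is pending (polling set): keep the port locked */` above the condition. The same applies to the ide_intr() hunk, where the condition also decides whether `BUG_ON(hwif->handler)` is reached. Both functions extend beyond their hunks.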
+@@ -1145,7 +1145,7 @@ irqreturn_t ide_intr (int irq, void *dev
+ * same irq as is currently being serviced here, and Linux
+ * won't allow another of the same (on any CPU) until we return.
+ */
+- if (startstop == ide_stopped) {
++ if (startstop == ide_stopped && hwif->polling == 0) {
+ BUG_ON(hwif->handler);
+ ide_unlock_port(hwif);
+ plug_device = 1;
--- /dev/null
+From 36999a5af1b6c5379e59f0ddf434db08d03c19e4 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Sun, 19 Apr 2009 07:00:41 +0900
+Subject: ide-tape: remove back-to-back REQUEST_SENSE detection
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 36999a5af1b6c5379e59f0ddf434db08d03c19e4 upstream.
+
+Impact: fix an oops which always triggers
+
+ide_tape_issue_pc() assumed drive->pc isn't NULL on invocation when
+checking for back-to-back request sense issues but drive->pc can be
+NULL and even when it's not NULL, it's not safe to dereference it once
+the previous command is complete because pc could have been freed or
+was on stack. Kill back-to-back REQUEST_SENSE detection.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ide/ide-tape.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/ide/ide-tape.c
++++ b/drivers/ide/ide-tape.c
+@@ -654,12 +654,6 @@ static ide_startstop_t idetape_issue_pc(
+ {
+ idetape_tape_t *tape = drive->driver_data;
+
+- if (drive->pc->c[0] == REQUEST_SENSE &&
+- pc->c[0] == REQUEST_SENSE) {
+- printk(KERN_ERR "ide-tape: possible ide-tape.c bug - "
+- "Two request sense in serial were issued\n");
+- }
+-
+ if (tape->failed_pc == NULL && pc->c[0] != REQUEST_SENSE)
+ tape->failed_pc = pc;
+
--- /dev/null
+From c339dfdd65b52bfd947ab29d1210314a2f6d622d Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Date: Sat, 30 May 2009 20:06:54 +0200
+Subject: ide_pci_generic: add quirk for Netcell ATA RAID
+
+From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+
+commit c339dfdd65b52bfd947ab29d1210314a2f6d622d upstream.
+
+We need to explicitly mark words 85-87 as valid ones since
+firmware doesn't do it.
+
+This should fix support for LBA48 and FLUSH CACHE [EXT] command
+which stopped working after we applied more strict checking of
+identify words in:
+
+ commit 942dcd85bf8edf38cdc3745306ca250684d99a61
+ ("ide: idedisk_supports_lba48() -> ata_id_lba48_enabled()")
+
+and
+
+ commit 4b58f17d7c45a8e5f4acda641bec388398b9c0fa
+ ("ide: ide_id_has_flush_cache() -> ata_id_flush_enabled()")
+
+Reported-and-tested-by: "Trevor Hemsley" <trevor.hemsley@ntlworld.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ide/ide-pci-generic.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/ide/ide-pci-generic.c
++++ b/drivers/ide/ide-pci-generic.c
+@@ -35,6 +35,16 @@ MODULE_PARM_DESC(all_generic_ide, "IDE g
+
+ #define IDE_HFLAGS_UMC (IDE_HFLAG_NO_DMA | IDE_HFLAG_FORCE_LEGACY_IRQS)
+
++static void netcell_quirkproc(ide_drive_t *drive)
++{
++ /* mark words 85-87 as valid */
++ drive->id[ATA_ID_CSF_DEFAULT] |= 0x4000;
++}
++
++static const struct ide_port_ops netcell_port_ops = {
++ .quirkproc = netcell_quirkproc,
++};
++
+ #define DECLARE_GENERIC_PCI_DEV(extra_flags) \
+ { \
+ .name = DRV_NAME, \
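Review bot: `drive->id[ATA_ID_CSF_DEFAULT] |= 0x4000;` in netcell_quirkproc() sets bit 14 but leaves bit 15 as the firmware reported it. If the stricter identify checks named in the commit message require bit 15 clear as well as bit 14 set (that code is not on this page), a device reporting both bits would still fail; `drive->id[ATA_ID_CSF_DEFAULT] = (drive->id[ATA_ID_CSF_DEFAULT] & ~0x8000) | 0x4000;` would cover it. At minimum the comment should say which bit the constant is, e.g. `/* set bit 14 so that words 85-87 are treated as valid */`.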
+@@ -76,6 +86,7 @@ static const struct ide_port_info generi
+
+ { /* 6: Revolution */
+ .name = DRV_NAME,
++ .port_ops = &netcell_port_ops,
+ .host_flags = IDE_HFLAG_CLEAR_SIMPLEX |
+ IDE_HFLAG_TRUST_BIOS_FOR_DMA |
+ IDE_HFLAG_OFF_BOARD,
--- /dev/null
+From jeffrey.t.kirsher@intel.com Tue Jun 9 01:13:47 2009
+From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Date: Tue, 02 Jun 2009 16:38:52 -0700
+Subject: igb: fix LRO warning
+To: greg@kroah.com
+Cc: stable@kernel.org, Jeff Kirsher <jeffrey.t.kirsher@intel.com>, Stephen Hemminger <shemminger@vyatta.com>
+Message-ID: <20090602233851.24887.98909.stgit@localhost.localdomain>
+
+From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+
+This fix is only needed for 2.6.29.y tree, since in 2.6.30 and later IGB
+has moved to using GRO instead of LRO.
+
+igb supports LRO, but was not setting any hooks to the ->set_flags
+ethtool_ops function. This would trigger warnings if the user tried
+to enable or disable LRO.
+
+Based on the patch provided by Stephen Hemminger <shemminger@vyatta.com>
+
+Reported-by: Sergey Kononenko <sergk@sergk.org.ua>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+CC: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/igb/igb_ethtool.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/igb/igb_ethtool.c
++++ b/drivers/net/igb/igb_ethtool.c
+@@ -2024,6 +2024,10 @@ static struct ethtool_ops igb_ethtool_op
+ .get_ethtool_stats = igb_get_ethtool_stats,
+ .get_coalesce = igb_get_coalesce,
+ .set_coalesce = igb_set_coalesce,
++ .get_flags = ethtool_op_get_flags,
++#ifdef CONFIG_IGB_LRO
++ .set_flags = ethtool_op_set_flags,
++#endif
+ };
+
+ void igb_set_ethtool_ops(struct net_device *netdev)
--- /dev/null
+From 299f5462087f3bc2141e6bc83ba7e2b15d8a07d2 Mon Sep 17 00:00:00 2001
+From: Reinette Chatre <reinette.chatre@intel.com>
+Date: Thu, 30 Apr 2009 13:56:31 -0700
+Subject: iwlwifi: update key flags at time key is set
+
+From: Reinette Chatre <reinette.chatre@intel.com>
+
+commit 299f5462087f3bc2141e6bc83ba7e2b15d8a07d2 upstream.
+
+We need to be symmetrical in what is done when key is set and cleared.
+This is important wrt the key flags as they are used during key
+clearing and if they are not set when the key is set the key cannot be
+cleared completely.
+
+This addresses the many occurences of the WARN found in
+iwl_set_tkip_dynamic_key_info() and tracked in
+http://www.kerneloops.org/searchweek.php?search=iwl_set_dynamic_key
+
+If calling iwl_set_tkip_dynamic_key_info()/iwl_remove_dynamic_key()
+pair a few times in a row will cause that we run out of key space.
+This is because the index stored in the key flags is used by
+iwl_remove_dynamic_key() to decide if it should remove the key.
+Unfortunately the key flags, and hence the key index is currently only
+set at the time the key is written to the device (in
+iwl_update_tkip_key()) and _not_ in iwl_set_tkip_dynamic_key_info().
+Fix this by setting flags in iwl_set_tkip_dynamic_key_info().
+
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/net/wireless/iwlwifi/iwl-sta.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-sta.c
+@@ -708,6 +708,14 @@ static int iwl_set_tkip_dynamic_key_info
+ {
+ unsigned long flags;
+ int ret = 0;
++ __le16 key_flags = 0;
++
++ key_flags |= (STA_KEY_FLG_TKIP | STA_KEY_FLG_MAP_KEY_MSK);
++ key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS);
++ key_flags &= ~STA_KEY_FLG_INVALID;
++
++ if (sta_id == priv->hw_params.bcast_sta_id)
++ key_flags |= STA_KEY_MULTICAST_MSK;
+
+ keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
+ keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
+@@ -727,6 +735,9 @@ static int iwl_set_tkip_dynamic_key_info
+ WARN(priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET,
+ "no space for new kew");
+
++ priv->stations[sta_id].sta.key.key_flags = key_flags;
++
++
+ /* This copy is acutally not needed: we get the key with each TX */
+ memcpy(priv->stations[sta_id].keyinfo.key, keyconf->key, 16);
+
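Review bot: The new store `priv->stations[sta_id].sta.key.key_flags = key_flags;` follows a `WARN(... key_offset == WEP_INVALID_OFFSET, ...)` that only logs, so when no key slot is free the station entry still receives valid-looking TKIP flags and the key is copied. I would leave through the function's error path on that condition before key_flags is written; the unlock and return are outside this hunk, so the exact form depends on them. The hunk also adds two consecutive blank lines after the assignment, where one is enough.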
+@@ -743,9 +754,7 @@ void iwl_update_tkip_key(struct iwl_priv
+ {
+ u8 sta_id = IWL_INVALID_STATION;
+ unsigned long flags;
+- __le16 key_flags = 0;
+ int i;
+- DECLARE_MAC_BUF(mac);
+
+ sta_id = iwl_find_station(priv, addr);
+ if (sta_id == IWL_INVALID_STATION) {
+@@ -760,16 +769,8 @@ void iwl_update_tkip_key(struct iwl_priv
+ return;
+ }
+
+- key_flags |= (STA_KEY_FLG_TKIP | STA_KEY_FLG_MAP_KEY_MSK);
+- key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS);
+- key_flags &= ~STA_KEY_FLG_INVALID;
+-
+- if (sta_id == priv->hw_params.bcast_sta_id)
+- key_flags |= STA_KEY_MULTICAST_MSK;
+-
+ spin_lock_irqsave(&priv->sta_lock, flags);
+
+- priv->stations[sta_id].sta.key.key_flags = key_flags;
+ priv->stations[sta_id].sta.key.tkip_rx_tsc_byte2 = (u8) iv32;
+
+ for (i = 0; i < 5; i++)
--- /dev/null
+From a4c0364be3f43d3e17fe19270f8b3d64881606e6 Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Sat, 6 Jun 2009 12:34:39 +0300
+Subject: KVM: Explicity initialize cpus_hardware_enabled
+
+From: Avi Kivity <avi@redhat.com>
+
+commit a4c0364be3f43d3e17fe19270f8b3d64881606e6 upstream.
+
+Under CONFIG_MAXSMP, cpus_hardware_enabled is allocated from the heap and
+not statically initialized. This causes a crash on reboot when kvm thinks
+vmx is enabled on random nonexistent cpus and accesses nonexistent percpu
+lists.
+
+Fix by explicitly clearing the variable.
+
+Reported-and-tested-by: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ virt/kvm/kvm_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2315,6 +2315,7 @@ int kvm_init(void *opaque, unsigned int
+ r = -ENOMEM;
+ goto out_free_0;
+ }
++ cpumask_clear(cpus_hardware_enabled);
+
+ r = kvm_arch_hardware_setup();
+ if (r < 0)
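Review bot: `cpumask_clear(cpus_hardware_enabled);` is added without a comment, and the reason it is needed (the mask is heap-allocated and not zeroed under CONFIG_MAXSMP, per the commit message) is not obvious from the call. I would add `/* heap-allocated under CONFIG_MAXSMP, so not zeroed: clear before any CPU is marked enabled */` above it. kvm_init() starts and ends outside the hunk.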
--- /dev/null
+From 621ad7c96aa138cfeab53cd4debc5a4e08b2189b Mon Sep 17 00:00:00 2001
+From: John W. Linville <linville@tuxdriver.com>
+Date: Tue, 5 May 2009 15:18:26 -0400
+Subject: mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel
+
+From: John W. Linville <linville@tuxdriver.com>
+
+commit 621ad7c96aa138cfeab53cd4debc5a4e08b2189b upstream.
+
+"There is another problem with this piece of code. The sband will be NULL
+after second iteration on single band device and cause null pointer
+dereference. Everything is working with dual band card. Sorry, but i
+don't know how to explain this clearly in English. I have looked on the
+second patch for pid algorithm and found similar bug."
+
+Reported-by: Karol Szuster <qflon@o2.pl>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rc80211_minstrel.c | 2 +-
+ net/mac80211/rc80211_pid_algo.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rc80211_minstrel.c
++++ b/net/mac80211/rc80211_minstrel.c
+@@ -477,7 +477,7 @@ minstrel_alloc_sta(void *priv, struct ie
+
+ for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
+ sband = hw->wiphy->bands[i];
+- if (sband->n_bitrates > max_rates)
++ if (sband && sband->n_bitrates > max_rates)
+ max_rates = sband->n_bitrates;
+ }
+
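Review bot: With the new `sband &&` test, a device whose `hw->wiphy->bands[]` entries are all NULL leaves max_rates at 0, and the allocation sized from it (outside this hunk) would then be a zero-length request rather than a failure. I would check `max_rates == 0` after the loop and leave through the function's existing error path, so later code never indexes an empty rate table. The same applies to the rate_control_pid_alloc() hunk in rc80211_pid_algo.c. Both functions start and end outside their hunks.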
+--- a/net/mac80211/rc80211_pid_algo.c
++++ b/net/mac80211/rc80211_pid_algo.c
+@@ -378,7 +378,7 @@ static void *rate_control_pid_alloc(stru
+
+ for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
+ sband = hw->wiphy->bands[i];
+- if (sband->n_bitrates > max_rates)
++ if (sband && sband->n_bitrates > max_rates)
+ max_rates = sband->n_bitrates;
+ }
+
--- /dev/null
+From 8e532175277d9a5eae49768ed086555081f741a7 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Mon, 4 May 2009 18:04:55 +0200
+Subject: mac80211: minstrel, fix memory corruption
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 8e532175277d9a5eae49768ed086555081f741a7 upstream.
+
+minstrel doesn't count max rate count in fact, since it doesn't use
+a loop variable `i' and hence allocs space only for bitrates found in
+the first band.
+
+Fix it by involving the `i' as an index so that it traverses all the
+bands now and finds the real max bitrate count.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Cc: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rc80211_minstrel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rc80211_minstrel.c
++++ b/net/mac80211/rc80211_minstrel.c
+@@ -476,7 +476,7 @@ minstrel_alloc_sta(void *priv, struct ie
+ return NULL;
+
+ for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
+- sband = hw->wiphy->bands[hw->conf.channel->band];
++ sband = hw->wiphy->bands[i];
+ if (sband->n_bitrates > max_rates)
+ max_rates = sband->n_bitrates;
+ }
--- /dev/null
+From 6909268dc93ae4b0b8e1ebb4b2fa70b1a47dd347 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Mon, 4 May 2009 18:10:28 +0200
+Subject: mac80211: pid, fix memory corruption
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 6909268dc93ae4b0b8e1ebb4b2fa70b1a47dd347 upstream.
+
+pid doesn't count with some band having more bitrates than the one
+associated the first time.
+Fix that by counting the maximal available bitrate count and allocate
+big enough space.
+
+Secondly, fix touching uninitialized memory which causes panics.
+Index sucked from this random memory points to the hell.
+The fix is to sort the rates on each band change.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rc80211_pid_algo.c | 73 +++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 34 deletions(-)
+
+--- a/net/mac80211/rc80211_pid_algo.c
++++ b/net/mac80211/rc80211_pid_algo.c
+@@ -317,13 +317,44 @@ rate_control_pid_rate_init(void *priv, s
+ struct ieee80211_sta *sta, void *priv_sta)
+ {
+ struct rc_pid_sta_info *spinfo = priv_sta;
++ struct rc_pid_info *pinfo = priv;
++ struct rc_pid_rateinfo *rinfo = pinfo->rinfo;
+ struct sta_info *si;
++ int i, j, tmp;
++ bool s;
+
+ /* TODO: This routine should consider using RSSI from previous packets
+ * as we need to have IEEE 802.1X auth succeed immediately after assoc..
+ * Until that method is implemented, we will use the lowest supported
+ * rate as a workaround. */
+
++ /* Sort the rates. This is optimized for the most common case (i.e.
++ * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed
++ * mapping too. */
++ for (i = 0; i < sband->n_bitrates; i++) {
++ rinfo[i].index = i;
++ rinfo[i].rev_index = i;
++ if (RC_PID_FAST_START)
++ rinfo[i].diff = 0;
++ else
++ rinfo[i].diff = i * pinfo->norm_offset;
++ }
++ for (i = 1; i < sband->n_bitrates; i++) {
++ s = 0;
++ for (j = 0; j < sband->n_bitrates - i; j++)
++ if (unlikely(sband->bitrates[rinfo[j].index].bitrate >
++ sband->bitrates[rinfo[j + 1].index].bitrate)) {
++ tmp = rinfo[j].index;
++ rinfo[j].index = rinfo[j + 1].index;
++ rinfo[j + 1].index = tmp;
++ rinfo[rinfo[j].index].rev_index = j;
++ rinfo[rinfo[j + 1].index].rev_index = j + 1;
++ s = 1;
++ }
++ if (!s)
++ break;
++ }
++
+ spinfo->txrate_idx = rate_lowest_index(sband, sta);
+ /* HACK */
+ si = container_of(sta, struct sta_info, sta);
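Review bot: The sort loops added to rate_control_pid_rate_init() index `rinfo[]` up to `sband->n_bitrates`, and nothing in this function says why that is in bounds. The guarantee comes from the `max_rates` sizing in rate_control_pid_alloc(), so a comment above the first loop such as `/* rinfo has room for the largest n_bitrates of any band, see rate_control_pid_alloc() */` would keep the two in step. `rinfo` is taken from `pinfo`, which looks like per-device rather than per-station state, so each station's init appears to re-sort the table and reset every `diff` for all users of it; that is worth confirming against the callers. `s` is declared `bool` but assigned `0`/`1`, where `false`/`true` reads better. The function body continues past the end of the hunk.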
+@@ -336,21 +367,22 @@ static void *rate_control_pid_alloc(stru
+ struct rc_pid_info *pinfo;
+ struct rc_pid_rateinfo *rinfo;
+ struct ieee80211_supported_band *sband;
+- int i, j, tmp;
+- bool s;
++ int i, max_rates = 0;
+ #ifdef CONFIG_MAC80211_DEBUGFS
+ struct rc_pid_debugfs_entries *de;
+ #endif
+
+- sband = hw->wiphy->bands[hw->conf.channel->band];
+-
+ pinfo = kmalloc(sizeof(*pinfo), GFP_ATOMIC);
+ if (!pinfo)
+ return NULL;
+
+- /* We can safely assume that sband won't change unless we get
+- * reinitialized. */
+- rinfo = kmalloc(sizeof(*rinfo) * sband->n_bitrates, GFP_ATOMIC);
++ for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
++ sband = hw->wiphy->bands[i];
++ if (sband->n_bitrates > max_rates)
++ max_rates = sband->n_bitrates;
++ }
++
++ rinfo = kmalloc(sizeof(*rinfo) * max_rates, GFP_ATOMIC);
+ if (!rinfo) {
+ kfree(pinfo);
+ return NULL;
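Review bot: The new loop over `IEEE80211_NUM_BANDS` dereferences `hw->wiphy->bands[i]` without a NULL check, and a device that does not support every band leaves those entries NULL, so `sband->n_bitrates` can fault at allocation time; the guard would be `if (sband && sband->n_bitrates > max_rates)`. The series file further down this page lists `mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch` directly after this patch, which by its name covers this, so the two need to be applied together. `sizeof(*rinfo) * max_rates` is also an open-coded multiply where `kcalloc(max_rates, sizeof(*rinfo), GFP_ATOMIC)` would check for overflow and zero the table, and `max_rates` can still be 0 if no band reports rates. rate_control_pid_alloc() starts before and ends after this hunk.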
+@@ -368,33 +400,6 @@ static void *rate_control_pid_alloc(stru
+ pinfo->rinfo = rinfo;
+ pinfo->oldrate = 0;
+
+- /* Sort the rates. This is optimized for the most common case (i.e.
+- * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed
+- * mapping too. */
+- for (i = 0; i < sband->n_bitrates; i++) {
+- rinfo[i].index = i;
+- rinfo[i].rev_index = i;
+- if (RC_PID_FAST_START)
+- rinfo[i].diff = 0;
+- else
+- rinfo[i].diff = i * pinfo->norm_offset;
+- }
+- for (i = 1; i < sband->n_bitrates; i++) {
+- s = 0;
+- for (j = 0; j < sband->n_bitrates - i; j++)
+- if (unlikely(sband->bitrates[rinfo[j].index].bitrate >
+- sband->bitrates[rinfo[j + 1].index].bitrate)) {
+- tmp = rinfo[j].index;
+- rinfo[j].index = rinfo[j + 1].index;
+- rinfo[j + 1].index = tmp;
+- rinfo[rinfo[j].index].rev_index = j;
+- rinfo[rinfo[j + 1].index].rev_index = j + 1;
+- s = 1;
+- }
+- if (!s)
+- break;
+- }
+-
+ #ifdef CONFIG_MAC80211_DEBUGFS
+ de = &pinfo->dentries;
+ de->target = debugfs_create_u32("target_pf", S_IRUSR | S_IWUSR,
--- /dev/null
+From f83a275dbc5ca1721143698e844243fcadfabf6a Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mel@csn.ul.ie>
+Date: Thu, 28 May 2009 14:34:40 -0700
+Subject: mm: account for MAP_SHARED mappings using VM_MAYSHARE and not VM_SHARED in hugetlbfs
+
+From: Mel Gorman <mel@csn.ul.ie>
+
+commit f83a275dbc5ca1721143698e844243fcadfabf6a upstream.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302
+
+hugetlbfs reserves huge pages but does not fault them at mmap() time to
+ensure that future faults succeed. The reservation behaviour differs
+depending on whether the mapping was mapped MAP_SHARED or MAP_PRIVATE.
+For MAP_SHARED mappings, hugepages are reserved when mmap() is first
+called and are tracked based on information associated with the inode.
+Other processes mapping MAP_SHARED use the same reservation. MAP_PRIVATE
+track the reservations based on the VMA created as part of the mmap()
+operation. Each process mapping MAP_PRIVATE must make its own
+reservation.
+
+hugetlbfs currently checks if a VMA is MAP_SHARED with the VM_SHARED flag
+and not VM_MAYSHARE. For file-backed mappings, such as hugetlbfs,
+VM_SHARED is set only if the mapping is MAP_SHARED and the file was opened
+read-write. If a shared memory mapping was mapped shared-read-write for
+populating of data and mapped shared-read-only by other processes, then
+hugetlbfs would account for the mapping as if it was MAP_PRIVATE. This
+causes processes to fail to map the file MAP_SHARED even though it should
+succeed as the reservation is there.
+
+This patch alters mm/hugetlb.c and replaces VM_SHARED with VM_MAYSHARE
+when the intent of the code was to check whether the VMA was mapped
+MAP_SHARED or MAP_PRIVATE.
+
+Signed-off-by: Mel Gorman <mel@csn.ul.ie>
+Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Cc: <starlight@binnacle.cx>
+Cc: Eric B Munson <ebmunson@us.ibm.com>
+Cc: Adam Litke <agl@us.ibm.com>
+Cc: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/hugetlb.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -316,7 +316,7 @@ static void resv_map_release(struct kref
+ static struct resv_map *vma_resv_map(struct vm_area_struct *vma)
+ {
+ VM_BUG_ON(!is_vm_hugetlb_page(vma));
+- if (!(vma->vm_flags & VM_SHARED))
++ if (!(vma->vm_flags & VM_MAYSHARE))
+ return (struct resv_map *)(get_vma_private_data(vma) &
+ ~HPAGE_RESV_MASK);
+ return NULL;
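Review bot: None of the converted tests carries a comment saying why `VM_MAYSHARE` rather than `VM_SHARED` is the right flag, so the reasoning lives only in the commit message and a later edit could switch one back. A short comment at vma_resv_map(), for example `/* VM_MAYSHARE, not VM_SHARED: VM_SHARED is clear for a MAP_SHARED mapping of a file not opened read-write */`, would record it where the check is made. The same applies to the other hunks of mm/hugetlb.c in this patch, and since the identical test now appears in more than a dozen places, a small static inline predicate would keep them consistent. In the two hugetlb_reserve_pages() hunks, `!vma || vma->vm_flags & VM_MAYSHARE` is correct by precedence but would read more safely with the `&` term parenthesised.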
+@@ -325,7 +325,7 @@ static struct resv_map *vma_resv_map(str
+ static void set_vma_resv_map(struct vm_area_struct *vma, struct resv_map *map)
+ {
+ VM_BUG_ON(!is_vm_hugetlb_page(vma));
+- VM_BUG_ON(vma->vm_flags & VM_SHARED);
++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE);
+
+ set_vma_private_data(vma, (get_vma_private_data(vma) &
+ HPAGE_RESV_MASK) | (unsigned long)map);
+@@ -334,7 +334,7 @@ static void set_vma_resv_map(struct vm_a
+ static void set_vma_resv_flags(struct vm_area_struct *vma, unsigned long flags)
+ {
+ VM_BUG_ON(!is_vm_hugetlb_page(vma));
+- VM_BUG_ON(vma->vm_flags & VM_SHARED);
++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE);
+
+ set_vma_private_data(vma, get_vma_private_data(vma) | flags);
+ }
+@@ -353,7 +353,7 @@ static void decrement_hugepage_resv_vma(
+ if (vma->vm_flags & VM_NORESERVE)
+ return;
+
+- if (vma->vm_flags & VM_SHARED) {
++ if (vma->vm_flags & VM_MAYSHARE) {
+ /* Shared mappings always use reserves */
+ h->resv_huge_pages--;
+ } else if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) {
+@@ -369,14 +369,14 @@ static void decrement_hugepage_resv_vma(
+ void reset_vma_resv_huge_pages(struct vm_area_struct *vma)
+ {
+ VM_BUG_ON(!is_vm_hugetlb_page(vma));
+- if (!(vma->vm_flags & VM_SHARED))
++ if (!(vma->vm_flags & VM_MAYSHARE))
+ vma->vm_private_data = (void *)0;
+ }
+
+ /* Returns true if the VMA has associated reserve pages */
+ static int vma_has_reserves(struct vm_area_struct *vma)
+ {
+- if (vma->vm_flags & VM_SHARED)
++ if (vma->vm_flags & VM_MAYSHARE)
+ return 1;
+ if (is_vma_resv_set(vma, HPAGE_RESV_OWNER))
+ return 1;
+@@ -924,7 +924,7 @@ static int vma_needs_reservation(struct
+ struct address_space *mapping = vma->vm_file->f_mapping;
+ struct inode *inode = mapping->host;
+
+- if (vma->vm_flags & VM_SHARED) {
++ if (vma->vm_flags & VM_MAYSHARE) {
+ pgoff_t idx = vma_hugecache_offset(h, vma, addr);
+ return region_chg(&inode->i_mapping->private_list,
+ idx, idx + 1);
+@@ -949,7 +949,7 @@ static void vma_commit_reservation(struc
+ struct address_space *mapping = vma->vm_file->f_mapping;
+ struct inode *inode = mapping->host;
+
+- if (vma->vm_flags & VM_SHARED) {
++ if (vma->vm_flags & VM_MAYSHARE) {
+ pgoff_t idx = vma_hugecache_offset(h, vma, addr);
+ region_add(&inode->i_mapping->private_list, idx, idx + 1);
+
+@@ -1893,7 +1893,7 @@ retry_avoidcopy:
+ * at the time of fork() could consume its reserves on COW instead
+ * of the full address range.
+ */
+- if (!(vma->vm_flags & VM_SHARED) &&
++ if (!(vma->vm_flags & VM_MAYSHARE) &&
+ is_vma_resv_set(vma, HPAGE_RESV_OWNER) &&
+ old_page != pagecache_page)
+ outside_reserve = 1;
+@@ -2000,7 +2000,7 @@ retry:
+ clear_huge_page(page, address, huge_page_size(h));
+ __SetPageUptodate(page);
+
+- if (vma->vm_flags & VM_SHARED) {
++ if (vma->vm_flags & VM_MAYSHARE) {
+ int err;
+ struct inode *inode = mapping->host;
+
+@@ -2104,7 +2104,7 @@ int hugetlb_fault(struct mm_struct *mm,
+ goto out_mutex;
+ }
+
+- if (!(vma->vm_flags & VM_SHARED))
++ if (!(vma->vm_flags & VM_MAYSHARE))
+ pagecache_page = hugetlbfs_pagecache_page(h,
+ vma, address);
+ }
+@@ -2289,7 +2289,7 @@ int hugetlb_reserve_pages(struct inode *
+ * to reserve the full area even if read-only as mprotect() may be
+ * called to make the mapping read-write. Assume !vma is a shm mapping
+ */
+- if (!vma || vma->vm_flags & VM_SHARED)
++ if (!vma || vma->vm_flags & VM_MAYSHARE)
+ chg = region_chg(&inode->i_mapping->private_list, from, to);
+ else {
+ struct resv_map *resv_map = resv_map_alloc();
+@@ -2330,7 +2330,7 @@ int hugetlb_reserve_pages(struct inode *
+ * consumed reservations are stored in the map. Hence, nothing
+ * else has to be done for private mappings here
+ */
+- if (!vma || vma->vm_flags & VM_SHARED)
++ if (!vma || vma->vm_flags & VM_MAYSHARE)
+ region_add(&inode->i_mapping->private_list, from, to);
+ return 0;
+ }
--- /dev/null
+From dbf8c11f821b6ff83302c34f2403b4f7231f50ae Mon Sep 17 00:00:00 2001
+From: Peter Korsgaard <jacmet@sunsite.dk>
+Date: Mon, 18 May 2009 11:13:54 +0100
+Subject: mtd_dataflash: unbreak erase support
+
+From: Peter Korsgaard <jacmet@sunsite.dk>
+
+commit dbf8c11f821b6ff83302c34f2403b4f7231f50ae upstream.
+
+Commit 5b7f3a50 (fix dataflash 64-bit divisions) unfortunately
+introduced a typo. Erase addr and len were swapped in the pageaddr
+calculation, causing the wrong sectors to get erased.
+
+Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
+Acked-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mtd/devices/mtd_dataflash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/devices/mtd_dataflash.c
++++ b/drivers/mtd/devices/mtd_dataflash.c
+@@ -184,7 +184,7 @@ static int dataflash_erase(struct mtd_in
+ /* Calculate flash page address; use block erase (for speed) if
+ * we're at a block boundary and need to erase the whole block.
+ */
+- pageaddr = div_u64(instr->len, priv->page_size);
++ pageaddr = div_u64(instr->addr, priv->page_size);
+ do_block = (pageaddr & 0x7) == 0 && instr->len >= blocksize;
+ pageaddr = pageaddr << priv->page_offset;
+
--- /dev/null
+From b62c31ae401c6df25c61b206681a6e904ef97169 Mon Sep 17 00:00:00 2001
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+Date: Thu, 23 Apr 2009 22:56:11 +1000
+Subject: powerpc: fix for long standing bug noticed by gcc 4.4.0
+
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+
+commit b62c31ae401c6df25c61b206681a6e904ef97169 upstream.
+
+Previous gcc versions didn't notice this because one of the preceding
+#ifs always evaluated to true.
+
+gcc 4.4.0 produced this error:
+
+arch/powerpc/mm/tlb_nohash_low.S:206:6: error: #elif with no expression
+
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Acked-by: Josh Boyer <jwboyer@linux.vnet.ibm.com>
+Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/powerpc/mm/tlb_nohash_low.S
++++ b/arch/powerpc/mm/tlb_nohash_low.S
+@@ -191,6 +191,6 @@ ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_TLBILX)
+ isync
+ 1: wrtee r10
+ blr
+-#elif
++#else
+ #error Unsupported processor type !
+ #endif
--- /dev/null
+From 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 5 May 2009 08:17:43 -0700
+Subject: random: make get_random_int() more random
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 upstream.
+
+It's a really simple patch that basically just open-codes the current
+"secure_ip_id()" call, but when open-coding it we now use a _static_
+hashing area, so that it gets updated every time.
+
+And to make sure somebody can't just start from the same original seed of
+all-zeroes, and then do the "half_md4_transform()" over and over until
+they get the same sequence as the kernel has, each iteration also mixes in
+the same old "current->pid + jiffies" we used - so we should now have a
+regular strong pseudo-number generator, but we also have one that doesn't
+have a single seed.
+
+Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It
+has no real meaning. It could be anything. I just picked the previous
+seed, it's just that now we keep the state in between calls and that will
+feed into the next result, and that should make all the difference.
+
+I made that hash be a per-cpu data just to avoid cache-line ping-pong:
+having multiple CPU's write to the same data would be fine for randomness,
+and add yet another layer of chaos to it, but since get_random_int() is
+supposed to be a fast interface I did it that way instead. I considered
+using "__raw_get_cpu_var()" to avoid any preemption overhead while still
+getting the hash be _mostly_ ping-pong free, but in the end good taste won
+out.
+
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jake Edge <jake@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/random.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1660,15 +1660,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe
+ * value is not cryptographically secure but for several uses the cost of
+ * depleting entropy is too high
+ */
++DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+- /*
+- * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
+- * every second, from the entropy pool (and thus creates a limited
+- * drain on it), and uses halfMD4Transform within the second. We
+- * also mix it with jiffies and the PID:
+- */
+- return secure_ip_id((__force __be32)(current->pid + jiffies));
++ struct keydata *keyptr;
++ __u32 *hash = get_cpu_var(get_random_int_hash);
++ int ret;
++
++ keyptr = get_keyptr();
++ hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;
++
++ ret = half_md4_transform(hash, keyptr->secret);
++ put_cpu_var(get_random_int_hash);
++
++ return ret;
+ }
+
+ /*
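Review bot: `DEFINE_PER_CPU(__u32 [4], get_random_int_hash);` is declared without `static`, which gives the generator's internal state a global symbol although only get_random_int() uses it in this hunk; unless another file references it, `static DEFINE_PER_CPU(__u32 [4], get_random_int_hash);` keeps it file-local. The declaration also sits between the existing doc comment and the function it describes, and the removed in-body comment is not replaced. As a result nothing in the code says that the hash persists across calls and is per-CPU to avoid cache-line contention, which the commit message explains. `ret` is an `int` that receives the hash result and is then returned as `unsigned int`; declaring it `unsigned int ret;` avoids the signed round trip. The retained comment still describes the value as not cryptographically secure, so callers should continue to treat it that way.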
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jun 9 01:08:36 2009
+From: Eric Paris <eparis@redhat.com>
+Date: Mon, 01 Jun 2009 10:21:05 -0400
+Subject: SELinux: BUG in SELinux compat_net code
+To: stable@kernel.org
+Message-ID: <1243866065.3050.7.camel@dhcp231-142.rdu.redhat.com>
+
+From: Eric Paris <eparis@redhat.com>
+
+This patch is not applicable to Linus's tree as the code in question has
+been removed for 2.6.30. I'm sending in case any of the stable
+maintainers would like to push to their branches (which I think anything
+pre 2.6.30 would like to do).
+
+Ubuntu users were experiencing a kernel panic when they enabled SELinux
+due to an old bug in our handling of the compatibility mode network
+controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
+Most distros have not used the compat_net code since the new code was
+introduced and so noone has hit this problem before. Ubuntu is the only
+distro I know that enabled that legacy cruft by default. But, I was ask
+to look at it and found that the above patch changed a call to
+avc_has_perm from if(send_perm) to if(!send_perm) in
+selinux_ip_postroute_iptables_compat(). The result is that users who
+turn on SELinux and have compat_net set can (and oftern will) BUG() in
+avc_has_perm_noaudit since they are requesting 0 permissions.
+
+This patch corrects that accidental bug introduction.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/hooks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4648,7 +4648,7 @@ static int selinux_ip_postroute_iptables
+ if (err)
+ return err;
+
+- if (send_perm != 0)
++ if (!send_perm)
+ return 0;
+
+ err = sel_netport_sid(sk->sk_protocol,
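Review bot: The corrected early return has no comment, and this test has already been inverted once by accident, so it deserves one: something like `/* nothing to check; avc_has_perm() must not be called with 0 permissions */` above `if (!send_perm)`. The commit message says a zero permission request ends in BUG() in avc_has_perm_noaudit(), so as far as this hunk shows the guard is what keeps a socket with no `send_perm` from causing a panic. It is also worth confirming, outside this hunk, that returning 0 (allow) is the intended decision for sockets where `send_perm` was never set. The function starts before the hunk, and the `sel_netport_sid()` call on the last line continues past it.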
kvm-fix-pdptr-reloading-on-cr4-writes.patch
cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch
drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch
+drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch
+x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch
+mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch
+usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch
+sound-usb-audio-make-the-motu-fastlane-work-again.patch
+usb-serial-fix-crash-when-sub-driver-updates-firmware.patch
+x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch
+mtd_dataflash-unbreak-erase-support.patch
+hwmon-add-missing-__devexit_p.patch
+cpuidle-make-amc-c1e-work-in-processor_idle.patch
+cpuidle-fix-amd-c1e-suspend-hang.patch
+ide-fix-40-wire-cable-detection-for-tsst-sh-s202-atapi-devices.patch
+kvm-explicity-initialize-cpus_hardware_enabled.patch
+ide_pci_generic-add-quirk-for-netcell-ata-raid.patch
+ide-fix-oops-during-ide-cd-error-recovery.patch
+selinux-bug-in-selinux-compat_net-code.patch
+e1000-add-missing-length-check-to-e1000-receive-routine.patch
+igb-fix-lro-warning.patch
+iwlwifi-update-key-flags-at-time-key-is-set.patch
+mac80211-minstrel-fix-memory-corruption.patch
+mac80211-pid-fix-memory-corruption.patch
+mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch
+bnx2-fix-panic-in-bnx2_poll_work.patch
+random-make-get_random_int-more-random.patch
+hid-fix-dropped-device-specific-quirks.patch
+3w-xxxx-scsi_dma_unmap-fix.patch
+powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch
+ide-tape-remove-back-to-back-request_sense-detection.patch
--- /dev/null
+From 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Wed, 27 May 2009 10:49:30 +0200
+Subject: sound: usb-audio: make the MotU Fastlane work again
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c upstream.
+
+Kernel 2.6.18 broke the MotU Fastlane, which uses duplicate endpoint
+numbers in a manner that is not only illegal but also confuses the
+kernel's endpoint descriptor caching mechanism. To work around this, we
+have to add a separate usb_set_interface() call to guide the USB core to
+the correct descriptors.
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Reported-and-tested-by: David Fries <david@fries.net>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/usb/usbaudio.c | 2 +-
+ sound/usb/usbaudio.h | 2 +-
+ sound/usb/usbmidi.c | 12 +++++++++++-
+ sound/usb/usbquirks.h | 2 +-
+ 4 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/usbaudio.c
++++ b/sound/usb/usbaudio.c
+@@ -3375,7 +3375,7 @@ static int snd_usb_create_quirk(struct s
+ [QUIRK_MIDI_YAMAHA] = snd_usb_create_midi_interface,
+ [QUIRK_MIDI_MIDIMAN] = snd_usb_create_midi_interface,
+ [QUIRK_MIDI_NOVATION] = snd_usb_create_midi_interface,
+- [QUIRK_MIDI_RAW] = snd_usb_create_midi_interface,
++ [QUIRK_MIDI_FASTLANE] = snd_usb_create_midi_interface,
+ [QUIRK_MIDI_EMAGIC] = snd_usb_create_midi_interface,
+ [QUIRK_MIDI_CME] = snd_usb_create_midi_interface,
+ [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk,
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -153,7 +153,7 @@ enum quirk_type {
+ QUIRK_MIDI_YAMAHA,
+ QUIRK_MIDI_MIDIMAN,
+ QUIRK_MIDI_NOVATION,
+- QUIRK_MIDI_RAW,
++ QUIRK_MIDI_FASTLANE,
+ QUIRK_MIDI_EMAGIC,
+ QUIRK_MIDI_CME,
+ QUIRK_MIDI_US122L,
+--- a/sound/usb/usbmidi.c
++++ b/sound/usb/usbmidi.c
+@@ -1778,8 +1778,18 @@ int snd_usb_create_midi_interface(struct
+ umidi->usb_protocol_ops = &snd_usbmidi_novation_ops;
+ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
+ break;
+- case QUIRK_MIDI_RAW:
++ case QUIRK_MIDI_FASTLANE:
+ umidi->usb_protocol_ops = &snd_usbmidi_raw_ops;
++ /*
++ * Interface 1 contains isochronous endpoints, but with the same
++ * numbers as in interface 0. Since it is interface 1 that the
++ * USB core has most recently seen, these descriptors are now
++ * associated with the endpoint numbers. This will foul up our
++ * attempts to submit bulk/interrupt URBs to the endpoints in
++ * interface 0, so we have to make sure that the USB core looks
++ * again at interface 0 by calling usb_set_interface() on it.
++ */
++ usb_set_interface(umidi->chip->dev, 0, 0);
+ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
+ break;
+ case QUIRK_MIDI_EMAGIC:
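Review bot: The return value of `usb_set_interface(umidi->chip->dev, 0, 0)` is discarded, so if the call fails the endpoint detection on the next line still runs against the descriptors that the new comment describes as the wrong ones. Checking it, e.g. `err = usb_set_interface(umidi->chip->dev, 0, 0);` followed by `if (err < 0) break;` (assuming `err` is tested after the switch), or at least logging the failure, would make that case visible. The interface number is hard-coded to 0 while the quirk entry in usbquirks.h already carries `.ifnum = 0`; using the interface being probed, if it is available here, would avoid the duplicate constant. The switch statement extends beyond both ends of the hunk.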
+--- a/sound/usb/usbquirks.h
++++ b/sound/usb/usbquirks.h
+@@ -1858,7 +1858,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+ .data = & (const struct snd_usb_audio_quirk[]) {
+ {
+ .ifnum = 0,
+- .type = QUIRK_MIDI_RAW
++ .type = QUIRK_MIDI_FASTLANE
+ },
+ {
+ .ifnum = 1,
--- /dev/null
+From 0afb20e00b5053170c85298fed842b32d20b4ea9 Mon Sep 17 00:00:00 2001
+From: Warren Free <wfree@ipmn.com>
+Date: Fri, 8 May 2009 10:27:08 +0200
+Subject: USB: isp1760: urb_dequeue doesn't always find the urbs
+
+From: Warren Free <wfree@ipmn.com>
+
+commit 0afb20e00b5053170c85298fed842b32d20b4ea9 upstream.
+
+The option driver (and presumably others) allocates several URBs when it
+opens and tries to free them when it closes. The isp1760_urb_dequeue
+function gets called, but the packet being dequeued is not necessarily at
+the
+front of one of the 32 queues. If not, the isp1760_urb_done function doesn't
+get called for the URB and the process trying to free it hangs forever on a
+wait_queue. This patch does two things. If the URB being dequeued has others
+queued behind it, it re-queues them. And it searches the queues looking for
+the URB being dequeued rather than just looking at the one at the front of
+the queue.
+
+[bigeasy@linutronix] whitespace fixes, reformating
+
+Signed-off-by: Warren Free <wfree@ipmn.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/isp1760-hcd.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/isp1760-hcd.c
++++ b/drivers/usb/host/isp1760-hcd.c
+@@ -1644,6 +1644,7 @@ static int isp1760_urb_dequeue(struct us
+ u32 reg_base, or_reg, skip_reg;
+ unsigned long flags;
+ struct ptd ptd;
++ packet_enqueue *pe;
+
+ switch (usb_pipetype(urb->pipe)) {
+ case PIPE_ISOCHRONOUS:
+@@ -1655,6 +1656,7 @@ static int isp1760_urb_dequeue(struct us
+ reg_base = INT_REGS_OFFSET;
+ or_reg = HC_INT_IRQ_MASK_OR_REG;
+ skip_reg = HC_INT_PTD_SKIPMAP_REG;
++ pe = enqueue_an_INT_packet;
+ break;
+
+ default:
+@@ -1662,6 +1664,7 @@ static int isp1760_urb_dequeue(struct us
+ reg_base = ATL_REGS_OFFSET;
+ or_reg = HC_ATL_IRQ_MASK_OR_REG;
+ skip_reg = HC_ATL_PTD_SKIPMAP_REG;
++ pe = enqueue_an_ATL_packet;
+ break;
+ }
+
+@@ -1673,6 +1676,7 @@ static int isp1760_urb_dequeue(struct us
+ u32 skip_map;
+ u32 or_map;
+ struct isp1760_qtd *qtd;
++ struct isp1760_qh *qh = ints->qh;
+
+ skip_map = isp1760_readl(hcd->regs + skip_reg);
+ skip_map |= 1 << i;
+@@ -1685,8 +1689,7 @@ static int isp1760_urb_dequeue(struct us
+ priv_write_copy(priv, (u32 *)&ptd, hcd->regs + reg_base
+ + i * sizeof(ptd), sizeof(ptd));
+ qtd = ints->qtd;
+-
+- clean_up_qtdlist(qtd);
++ qtd = clean_up_qtdlist(qtd);
+
+ free_mem(priv, ints->payload);
+
+@@ -1697,7 +1700,24 @@ static int isp1760_urb_dequeue(struct us
+ ints->payload = 0;
+
+ isp1760_urb_done(priv, urb, status);
++ if (qtd)
++ pe(hcd, qh, qtd);
+ break;
++
++ } else if (ints->qtd) {
++ struct isp1760_qtd *qtd, *prev_qtd = ints->qtd;
++
++ for (qtd = ints->qtd->hw_next; qtd; qtd = qtd->hw_next) {
++ if (qtd->urb == urb) {
++ prev_qtd->hw_next = clean_up_qtdlist(qtd);
++ isp1760_urb_done(priv, urb, status);
++ break;
++ }
++ prev_qtd = qtd;
++ }
++ /* we found the urb before the end of the list */
++ if (qtd)
++ break;
+ }
+ ints++;
+ }
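Review bot: In the new `else if (ints->qtd)` branch, `if (qtd) break;` tests the loop variable after `clean_up_qtdlist(qtd)` has been called on it, so the outer loop's exit depends on the value of a pointer whose target has presumably been released (clean_up_qtdlist() is not visible here). A separate flag set inside the `qtd->urb == urb` block, e.g. `found = 1;` and then `if (found) break;`, states the intent without touching `qtd` again. The search also starts at `ints->qtd->hw_next`, so it relies on the head entry having been handled by the preceding `if`, whose condition lies outside this hunk; a one-line comment saying so would help. The earlier hunks assign `pe` only in the interrupt and default cases, so it is worth confirming that the isochronous case cannot reach `pe(hcd, qh, qtd)`.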
--- /dev/null
+From 0a3c8549ea7e94d74a41096d42bc6cdf43d183bf Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 27 May 2009 11:25:52 -0400
+Subject: usb-serial: fix crash when sub-driver updates firmware
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 0a3c8549ea7e94d74a41096d42bc6cdf43d183bf upstream.
+
+This patch (as1244) fixes a crash in usb-serial that occurs when a
+sub-driver returns a positive value from its attach method, indicating
+that new firmware was loaded and the device will disconnect and
+reconnect. The usb-serial core then skips the step of registering the
+port devices; when the disconnect occurs, the attempt to unregister
+the ports fails dramatically.
+
+This problem shows up with Keyspan devices and it might affect others
+as well.
+
+When the attach method returns a positive value, the patch sets
+num_ports to 0. This tells usb_serial_disconnect() not to try
+unregistering any of the ports; instead they are cleaned up by
+destroy_serial().
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/usb-serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -978,6 +978,7 @@ int usb_serial_probe(struct usb_interfac
+ if (retval > 0) {
+ /* quietly accept this device, but don't bind to a
+ serial port as it's about to disappear */
++ serial->num_ports = 0;
+ goto exit;
+ }
+ }
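Review bot: `serial->num_ports = 0;` is added without a comment, and the reason is not obvious from the code, since the existing comment only says the device is about to disappear. A line such as `/* no port devices were registered, so usb_serial_disconnect() must not unregister any */` would tie the assignment to the crash described in the commit message. usb_serial_probe() starts before and continues after this hunk.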
--- /dev/null
+From 32b154c0b0bae2879bf4e549d861caf1759a3546 Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mel@csn.ul.ie>
+Date: Thu, 28 May 2009 14:34:37 -0700
+Subject: x86: ignore VM_LOCKED when determining if hugetlb-backed page tables can be shared or not
+
+From: Mel Gorman <mel@csn.ul.ie>
+
+commit 32b154c0b0bae2879bf4e549d861caf1759a3546 upstream.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302
+
+On x86 and x86-64, it is possible that page tables are shared beween
+shared mappings backed by hugetlbfs. As part of this,
+page_table_shareable() checks a pair of vma->vm_flags and they must match
+if they are to be shared. All VMA flags are taken into account, including
+VM_LOCKED.
+
+The problem is that VM_LOCKED is cleared on fork(). When a process with a
+shared memory segment forks() to exec() a helper, there will be shared
+VMAs with different flags. The impact is that the shared segment is
+sometimes considered shareable and other times not, depending on what
+process is checking.
+
+What happens is that the segment page tables are being shared but the
+count is inaccurate depending on the ordering of events. As the page
+tables are freed with put_page(), bad pmd's are found when some of the
+children exit. The hugepage counters also get corrupted and the Total and
+Free count will no longer match even when all the hugepage-backed regions
+are freed. This requires a reboot of the machine to "fix".
+
+This patch addresses the problem by comparing all flags except VM_LOCKED
+when deciding if pagetables should be shared or not for hugetlbfs-backed
+mapping.
+
+Signed-off-by: Mel Gorman <mel@csn.ul.ie>
+Acked-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Cc: <starlight@binnacle.cx>
+Cc: Eric B Munson <ebmunson@us.ibm.com>
+Cc: Adam Litke <agl@us.ibm.com>
+Cc: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/mm/hugetlbpage.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/hugetlbpage.c
++++ b/arch/x86/mm/hugetlbpage.c
+@@ -26,12 +26,16 @@ static unsigned long page_table_shareabl
+ unsigned long sbase = saddr & PUD_MASK;
+ unsigned long s_end = sbase + PUD_SIZE;
+
++ /* Allow segments to share if only one is marked locked */
++ unsigned long vm_flags = vma->vm_flags & ~VM_LOCKED;
++ unsigned long svm_flags = svma->vm_flags & ~VM_LOCKED;
++
+ /*
+ * match the virtual addresses, permission and the alignment of the
+ * page table page.
+ */
+ if (pmd_index(addr) != pmd_index(saddr) ||
+- vma->vm_flags != svma->vm_flags ||
++ vm_flags != svm_flags ||
+ sbase < svma->vm_start || svma->vm_end < s_end)
+ return 0;
+
--- /dev/null
+From 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Wed, 3 Jun 2009 00:13:13 -0700
+Subject: x86/pci: fix mmconfig detection with 32bit near 4g
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 upstream.
+
+Pascal reported and bisected a commit:
+| x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case
+
+which broke one system system.
+
+ACPI: Using IOAPIC for interrupt routing
+PCI: MCFG configuration 0: base f0000000 segment 0 buses 0 - 255
+PCI: MCFG area at f0000000 reserved in ACPI motherboard resources
+PCI: Using MMCONFIG for extended config space
+
+it didn't have
+PCI: updated MCFG configuration 0: base f0000000 segment 0 buses 0 - 63
+anymore, and try to use 0xf000000 - 0xffffffff for mmconfig
+
+For 32bit, mcfg_res->end could be 32bit only (if 64 resources aren't used)
+So use end - 1 to pass the value in mcfg->end to avoid overflow.
+
+We don't need to worry about the e820 path, they are always 64 bit.
+
+Reported-by: Pascal Terjan <pterjan@mandriva.com>
+Bisected-by: Pascal Terjan <pterjan@mandriva.com>
+Tested-by: Pascal Terjan <pterjan@mandriva.com>
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/pci/mmconfig-shared.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/pci/mmconfig-shared.c
++++ b/arch/x86/pci/mmconfig-shared.c
+@@ -254,7 +254,7 @@ static acpi_status __init check_mcfg_res
+ if (!fixmem32)
+ return AE_OK;
+ if ((mcfg_res->start >= fixmem32->address) &&
+- (mcfg_res->end <= (fixmem32->address +
++ (mcfg_res->end < (fixmem32->address +
+ fixmem32->address_length))) {
+ mcfg_res->flags = 1;
+ return AE_CTRL_TERMINATE;
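Review bot: The upper bound `fixmem32->address + fixmem32->address_length` is still computed in the width of its operands. If both are 32-bit, as the `fixmem32` name suggests, a region ending exactly at 4G wraps to 0 and the new `<` comparison can never succeed. Widening before the add, `(u64)fixmem32->address + fixmem32->address_length`, avoids that. The patch also turns `mcfg_res.end` into an inclusive bound (`end - 1` in is_acpi_reserved()) without a comment; a note at that assignment, e.g. `/* inclusive end, so it fits a 32-bit resource */`, would explain the `<` in both check_mcfg_resource() hunks. check_mcfg_resource() extends beyond this hunk.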
+@@ -271,7 +271,7 @@ static acpi_status __init check_mcfg_res
+ return AE_OK;
+
+ if ((mcfg_res->start >= address.minimum) &&
+- (mcfg_res->end <= (address.minimum + address.address_length))) {
++ (mcfg_res->end < (address.minimum + address.address_length))) {
+ mcfg_res->flags = 1;
+ return AE_CTRL_TERMINATE;
+ }
+@@ -297,7 +297,7 @@ static int __init is_acpi_reserved(u64 s
+ struct resource mcfg_res;
+
+ mcfg_res.start = start;
+- mcfg_res.end = end;
++ mcfg_res.end = end - 1;
+ mcfg_res.flags = 0;
+
+ acpi_get_devices("PNP0C01", find_mboard_resource, &mcfg_res, NULL);