--- /dev/null
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220922.910328940@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:00 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Stern <stern@rowland.harvard.edu>,
+ David Brownell <david-b@pacbell.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 01/58] USB: EHCI: add software retry for transaction errors
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0008-USB-EHCI-add-software-retry-for-transaction-errors.patch
+Content-Length: 3248
+Lines: 99
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: a2c2706e1043c17139c2dafd171c4a5cf008ef7e
+
+This patch (as1204) adds a software retry mechanism to ehci-hcd. It
+gets invoked when the driver encounters transaction errors on an
+asynchronous endpoint. On many systems, hardware deficiencies cause
+such errors to occur if one device is unplugged while the host is
+communicating with another device. With the patch, the failed
+transactions are retried and generally succeed the second or third
+time through.
+
+This is based on code originally written by Koichiro Saito.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested by: Koichiro Saito <Saito.Koichiro@adniss.jp>
+CC: David Brownell <david-b@pacbell.net>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/host/ehci-q.c | 32 ++++++++++++++++++++++++++++++++
+ drivers/usb/host/ehci.h | 3 +++
+ 2 files changed, 35 insertions(+)
+
+--- a/drivers/usb/host/ehci.h
++++ b/drivers/usb/host/ehci.h
+@@ -500,6 +500,9 @@ struct ehci_qh {
+ #define QH_STATE_UNLINK_WAIT 4 /* LINKED and on reclaim q */
+ #define QH_STATE_COMPLETING 5 /* don't touch token.HALT */
+
++ u8 xacterrs; /* XactErr retry counter */
++#define QH_XACTERR_MAX 32 /* XactErr retry limit */
++
+ /* periodic schedule info */
+ u8 usecs; /* intr bandwidth */
+ u8 gap_uf; /* uframes split/csplit gap */
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -333,12 +333,40 @@ qh_completions (struct ehci_hcd *ehci, s
+ token = hc32_to_cpu(ehci, qtd->hw_token);
+
+ /* always clean up qtds the hc de-activated */
++ retry_xacterr:
+ if ((token & QTD_STS_ACTIVE) == 0) {
+
+ /* on STALL, error, and short reads this urb must
+ * complete and all its qtds must be recycled.
+ */
+ if ((token & QTD_STS_HALT) != 0) {
++
++ /* retry transaction errors until we
++ * reach the software xacterr limit
++ */
++ if ((token & QTD_STS_XACT) &&
++ QTD_CERR(token) == 0 &&
++ --qh->xacterrs > 0 &&
++ !urb->unlinked) {
++ ehci_dbg(ehci,
++ "detected XactErr len %d/%d retry %d\n",
++ qtd->length - QTD_LENGTH(token), qtd->length,
++ QH_XACTERR_MAX - qh->xacterrs);
++
++ /* reset the token in the qtd and the
++ * qh overlay (which still contains
++ * the qtd) so that we pick up from
++ * where we left off
++ */
++ token &= ~QTD_STS_HALT;
++ token |= QTD_STS_ACTIVE |
++ (EHCI_TUNE_CERR << 10);
++ qtd->hw_token = cpu_to_hc32(ehci,
++ token);
++ wmb();
++ qh->hw_token = cpu_to_hc32(ehci, token);
++ goto retry_xacterr;
++ }
+ stopped = 1;
+
+ /* magic dummy for some short reads; qh won't advance.
+@@ -421,6 +449,9 @@ halt:
+ /* remove qtd; it's recycled after possible urb completion */
+ list_del (&qtd->qtd_list);
+ last = qtd;
++
++ /* reinit the xacterr counter for the next qtd */
++ qh->xacterrs = QH_XACTERR_MAX;
+ }
+
+ /* last urb's completion might still need calling */
+@@ -862,6 +893,7 @@ static void qh_link_async (struct ehci_h
+ head->qh_next.qh = qh;
+ head->hw_next = dma;
+
++ qh->xacterrs = QH_XACTERR_MAX;
+ qh->qh_state = QH_STATE_LINKED;
+ /* qtd completions reported later by interrupt */
+ }
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220923.070621183@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:01 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Boaz Harrosh <bharrosh@panasas.com>,
+ Matthieu CASTET <castet.matthieu@free.fr>,
+ James Bottomley <James.Bottomley@HansenPartnership.com>,
+ Matthew Dharm <mdharm-kernel@one-eyed-alien.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 02/58] USB: fix USB_STORAGE_CYPRESS_ATACB
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0009-USB-fix-USB_STORAGE_CYPRESS_ATACB.patch
+Content-Length: 2743
+Lines: 70
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Boaz Harrosh <bharrosh@panasas.com>
+
+upstream commit: 1f4159c1620f74377e26d8a569d10ca5907ef475
+
+commit 64a87b24: [SCSI] Let scsi_cmnd->cmnd use request->cmd buffer
+changed the scsi_eh_prep_cmnd logic by making it clear
+the ->cmnd buffer. But the sat to cypress atacb translation supposed
+the ->cmnd buffer wasn't modified.
+
+This patch makes it set the ->cmnd buffer after scsi_eh_prep_cmnd call.
+The problem and a fix was reported by Matthieu CASTET <castet.matthieu@free.fr>
+
+It also removes all the hackery fiddling of scsi_cmnd and scsi_eh_save by
+requesting from scsi_eh_prep_cmnd to prepare a read into ->sense_buffer,
+which is much more suitable a buffer for HW transfers, then after the command
+execution the regs read is copied into regs buffer before actual preparation
+of sense_buffer.
+
+Also fix an alien comment character to my utf-8 editor.
+
+Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
+Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
+Cc: stable <stable@kernel.org>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Cc: Matthew Dharm <mdharm-kernel@one-eyed-alien.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/cypress_atacb.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/storage/cypress_atacb.c
++++ b/drivers/usb/storage/cypress_atacb.c
+@@ -133,19 +133,18 @@ void cypress_atacb_passthrough(struct sc
+
+ /* build the command for
+ * reading the ATA registers */
+- scsi_eh_prep_cmnd(srb, &ses, NULL, 0, 0);
+- srb->sdb.length = sizeof(regs);
+- sg_init_one(&ses.sense_sgl, regs, srb->sdb.length);
+- srb->sdb.table.sgl = &ses.sense_sgl;
+- srb->sc_data_direction = DMA_FROM_DEVICE;
+- srb->sdb.table.nents = 1;
++ scsi_eh_prep_cmnd(srb, &ses, NULL, 0, sizeof(regs));
++
+ /* we use the same command as before, but we set
+ * the read taskfile bit, for not executing atacb command,
+ * but reading register selected in srb->cmnd[4]
+ */
++ srb->cmd_len = 16;
++ srb->cmnd = ses.cmnd;
+ srb->cmnd[2] = 1;
+
+ usb_stor_transparent_scsi_command(srb, us);
++ memcpy(regs, srb->sense_buffer, sizeof(regs));
+ tmp_result = srb->result;
+ scsi_eh_restore_cmnd(srb, &ses);
+ /* we fail to get registers, report invalid command */
+@@ -162,8 +161,8 @@ void cypress_atacb_passthrough(struct sc
+
+ /* XXX we should generate sk, asc, ascq from status and error
+ * regs
+- * (see 11.1 Error translation  ATA device error to SCSI error map)
+- * and ata_to_sense_error from libata.
++ * (see 11.1 Error translation ATA device error to SCSI error
++ * map, and ata_to_sense_error from libata.)
+ */
+
+ /* Sense data is current and format is descriptor. */
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220923.226388330@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:02 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Stern <stern@rowland.harvard.edu>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 03/58] USB: usb-storage: increase max_sectors for tape drives
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0010-USB-usb-storage-increase-max_sectors-for-tape-driv.patch
+Content-Length: 1421
+Lines: 37
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: 5c16034d73da2c1b663aa25dedadbc533b3d811c
+
+This patch (as1203) increases the max_sector limit for USB tape
+drives. By default usb-storage sets max_sectors to 240 (i.e., 120 KB)
+for all devices. But tape drives need a higher limit, since tapes can
+and do have very large block sizes. Without the ability to transfer
+an entire large block in a single command, such tapes can't be used.
+
+This fixes Bugzilla #12207.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Phil Mitchell <philipm@sybase.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/scsiglue.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -135,6 +135,12 @@ static int slave_configure(struct scsi_d
+ if (sdev->request_queue->max_sectors > max_sectors)
+ blk_queue_max_sectors(sdev->request_queue,
+ max_sectors);
++ } else if (sdev->type == TYPE_TAPE) {
++ /* Tapes need much higher max_sector limits, so just
++ * raise it to the maximum possible (4 GB / 512) and
++ * let the queue segment size sort out the real limit.
++ */
++ blk_queue_max_sectors(sdev->request_queue, 0x7FFFFF);
+ }
+
+ /* We can't put these settings in slave_alloc() because that gets
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220923.354602106@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:03 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Brownell <dbrownell@users.sourceforge.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 04/58] USB: gadget: fix rndis regression
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0011-USB-gadget-fix-rndis-regression.patch
+Content-Length: 1382
+Lines: 37
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: David Brownell <dbrownell@users.sourceforge.net>
+
+upstream commit: 090b90118207e786d2990310d063fda5d52cce6e
+
+Restore some code that was wrongly dropped from the RNDIS
+driver, and caused interop problems observed with OpenMoko.
+
+The issue is with hardware which needs help conforming to part
+of the USB 2.0 spec (section 8.5.3.2); some can automagically
+send a ZLP in response to an unexpected IN, but not all chips
+will do that. We don't need to check the packet length ourselves
+the way earlier code did, since the UDC must already check it.
+But we do need to tell the UDC when it must force a short packet
+termination of the data stage.
+
+(Based on a patch from Aric D. Blumer <aric at sdgsystems.com>)
+
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/gadget/f_rndis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/f_rndis.c
++++ b/drivers/usb/gadget/f_rndis.c
+@@ -437,7 +437,7 @@ invalid:
+ DBG(cdev, "rndis req%02x.%02x v%04x i%04x l%d\n",
+ ctrl->bRequestType, ctrl->bRequest,
+ w_value, w_index, w_length);
+- req->zero = 0;
++ req->zero = (value < w_length);
+ req->length = value;
+ value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
+ if (value < 0)
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220923.509152271@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:04 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jeff Layton <jlayton@redhat.com>,
+ Steve French <sfrench@us.ibm.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 05/58] cifs: fix buffer format byte on NT Rename/hardlink
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0016-cifs-fix-buffer-format-byte-on-NT-Rename-hardlink.patch
+Content-Length: 1262
+Lines: 36
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jeff Layton <jlayton@tupile.poochiereds.net>
+
+upstream commit: fcc7c09d94be7b75c9ea2beb22d0fae191c6b4b9
+
+Discovered at Connnectathon 2009...
+
+The buffer format byte and the pad are transposed in NT_RENAME calls
+(which are used to set hardlinks). Most servers seem to ignore this
+fact, but NetApp filers throw back an error due to this problem. This
+patch fixes it.
+
+CC: Stable <stable@kernel.org>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/cifs/cifssmb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -2348,8 +2348,10 @@ winCreateHardLinkRetry:
+ PATH_MAX, nls_codepage, remap);
+ name_len++; /* trailing null */
+ name_len *= 2;
+- pSMB->OldFileName[name_len] = 0; /* pad */
+- pSMB->OldFileName[name_len + 1] = 0x04;
++
++ /* protocol specifies ASCII buffer format (0x04) for unicode */
++ pSMB->OldFileName[name_len] = 0x04;
++ pSMB->OldFileName[name_len + 1] = 0x00; /* pad */
+ name_len2 =
+ cifsConvertToUCS((__le16 *)&pSMB->OldFileName[name_len + 2],
+ toName, PATH_MAX, nls_codepage, remap);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220923.643128666@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:05 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Lorenzo Nava <navalorenx@gmail.com>,
+ Michael Buesch <mb@bu3sch.de>,
+ "John W. Linville" <linville@tuxdriver.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 06/58] b43: fix b43_plcp_get_bitrate_idx_ofdm return type
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0019-b43-fix-b43_plcp_get_bitrate_idx_ofdm-return-type.patch
+Content-Length: 1130
+Lines: 31
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Lorenzo Nava <navalorenx@gmail.com>
+
+upstream commit: a3c0b87c4f21911fb7185902dd13f0e3cd7f33f7
+
+This patch fixes the return type of b43_plcp_get_bitrate_idx_ofdm. If
+the plcp contains an error, the function return value is 255 instead
+of -1, and the packet was not dropped. This causes a warning in
+__ieee80211_rx function because rate idx is out of range.
+
+Cc: stable@kernel.org
+Signed-off-by: Lorenzo Nava <navalorenx@gmail.com>
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/b43/xmit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/xmit.c
++++ b/drivers/net/wireless/b43/xmit.c
+@@ -51,7 +51,7 @@ static int b43_plcp_get_bitrate_idx_cck(
+ }
+
+ /* Extract the bitrate index out of an OFDM PLCP header. */
+-static u8 b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy)
++static int b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy)
+ {
+ int base = aphy ? 0 : 4;
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:23 2009
+Message-Id: <20090429220923.770520966@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:06 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sridhar Vinay <vinaysridhar@in.ibm.com>,
+ Shirish Pargaonkar <shirishp@us.ibm.com>,
+ Steve French <sfrench@us.ibm.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 07/58] CIFS: Fix memory overwrite when saving nativeFileSystem field during mount
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0022-CIFS-Fix-memory-overwrite-when-saving-nativeFileSys.patch
+Content-Length: 1454
+Lines: 42
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Steve French <sfrench@us.ibm.com>
+
+upstream commit: b363b3304bcf68c4541683b2eff70b29f0446a5b
+
+CIFS can allocate a few bytes to little for the nativeFileSystem field
+during tree connect response processing during mount. This can result
+in a "Redzone overwritten" message to be logged.
+
+Signed-off-by: Sridhar Vinay <vinaysridhar@in.ibm.com>
+Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com>
+CC: Stable <stable@kernel.org>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+[chrisw: minor backport to CHANGES file]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/cifs/CHANGES | 3 +++
+ fs/cifs/connect.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/CHANGES
++++ b/fs/cifs/CHANGES
+@@ -1,4 +1,7 @@
+ Fix oops in cifs_dfs_ref.c when prefixpath is not reachable when using DFS.
++Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too
++little memory for the "nativeFileSystem" field returned by the server
++during mount).
+
+ Version 1.54
+ ------------
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3549,7 +3549,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(length + 2, GFP_KERNEL);
++ kzalloc(2*(length + 1), GFP_KERNEL);
+ if (tcon->nativeFileSystem)
+ cifs_strfromUCS_le(
+ tcon->nativeFileSystem,
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009
+Message-Id: <20090429220923.917712366@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:07 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Dan Carpenter <error27@gmail.com>,
+ Jonathan Corbet <corbet@lwn.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 08/58] Add a missing unlock_kernel() in raw_open()
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0032-Add-a-missing-unlock_kernel-in-raw_open.patch
+Content-Length: 553
+Lines: 24
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Dan Carpenter <error27@gmail.com>
+
+upstream commit: 996ff68d8b358885c1de82a45517c607999947c7
+
+Cc: stable@kernel.org
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/char/raw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/raw.c
++++ b/drivers/char/raw.c
+@@ -90,6 +90,7 @@ out1:
+ blkdev_put(bdev);
+ out:
+ mutex_unlock(&raw_mutex);
++ unlock_kernel();
+ return err;
+ }
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009
+Message-Id: <20090429220924.051987610@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:08 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>,
+ Suresh Siddha <suresh.b.siddha@intel.com>,
+ Jesse Barnes <jbarnes@virtuousgeek.org>,
+ Dave Airlie <airlied@redhat.com>,
+ Ingo Molnar <mingo@elte.hu>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 09/58] x86, PAT, PCI: Change vma prot in pci_mmap to reflect inherited prot
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0033-x86-PAT-PCI-Change-vma-prot-in-pci_mmap-to-reflec.patch
+Content-Length: 1447
+Lines: 43
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Pallipadi, Venkatesh <venkatesh.pallipadi@intel.com>
+
+upstream commit: 9cdec049389ce2c324fd1ec508a71528a27d4a07
+
+While looking at the issue in the thread:
+
+ http://marc.info/?l=dri-devel&m=123606627824556&w=2
+
+noticed a bug in pci PAT code and memory type setting.
+
+PCI mmap code did not set the proper protection in vma, when it
+inherited protection in reserve_memtype. This bug only affects
+the case where there exists a WC mapping before X does an mmap
+with /proc or /sys pci interface. This will cause X userlevel
+mmap from /proc or /sysfs to fail on fork.
+
+Reported-by: Kevin Winchester <kjwinchester@gmail.com>
+Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: <stable@kernel.org>
+LKML-Reference: <20090323190720.GA16831@linux-os.sc.intel.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/pci/i386.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/pci/i386.c
++++ b/arch/x86/pci/i386.c
+@@ -326,6 +326,9 @@ int pci_mmap_page_range(struct pci_dev *
+ return -EINVAL;
+ }
+ flags = new_flags;
++ vma->vm_page_prot = __pgprot(
++ (pgprot_val(vma->vm_page_prot) & ~_PAGE_CACHE_MASK) |
++ flags);
+ }
+
+ if (((vma->vm_pgoff < max_low_pfn_mapped) ||
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009
+Message-Id: <20090429220924.195548317@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:09 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Andreas Herrmann <andreas.herrmann3@amd.com>,
+ trenn@suse.de,
+ Yinghai Lu <yinghai@kernel.org>,
+ Ingo Molnar <mingo@elte.hu>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 10/58] x86: mtrr: dont modify RdDram/WrDram bits of fixed MTRRs
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0037-x86-mtrr-don-t-modify-RdDram-WrDram-bits-of-fixed.patch
+Content-Length: 6114
+Lines: 163
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Andreas Herrmann <andreas.herrmann3@amd.com>
+
+upstream commit: 3ff42da5048649503e343a32be37b14a6a4e8aaf
+
+Impact: bug fix + BIOS workaround
+
+BIOS is expected to clear the SYSCFG[MtrrFixDramModEn] on AMD CPUs
+after fixed MTRRs are configured.
+
+Some BIOSes do not clear SYSCFG[MtrrFixDramModEn] on BP (and on APs).
+
+This can lead to obfuscation in Linux when this bit is not cleared on
+BP but cleared on APs. A consequence of this is that the saved
+fixed-MTRR state (from BP) differs from the fixed-MTRRs of APs --
+because RdDram/WrDram bits are read as zero when
+SYSCFG[MtrrFixDramModEn] is cleared -- and Linux tries to sync
+fixed-MTRR state from BP to AP. This implies that Linux sets
+SYSCFG[MtrrFixDramEn] and activates those bits.
+
+More important is that (some) systems change these bits in SMM when
+ACPI is enabled. Hence it is racy if Linux modifies RdMem/WrMem bits,
+too.
+
+(1) The patch modifies an old fix from Bernhard Kaindl to get
+ suspend/resume working on some Acer Laptops. Bernhard's patch
+ tried to sync RdMem/WrMem bits of fixed MTRR registers and that
+ helped on those old Laptops. (Don't ask me why -- can't test it
+ myself). But this old problem was not the motivation for the
+ patch. (See http://lkml.org/lkml/2007/4/3/110)
+
+(2) The more important effect is to fix issues on some more current systems.
+
+ On those systems Linux panics or just freezes, see
+
+ http://bugzilla.kernel.org/show_bug.cgi?id=11541
+ (and also duplicates of this bug:
+ http://bugzilla.kernel.org/show_bug.cgi?id=11737
+ http://bugzilla.kernel.org/show_bug.cgi?id=11714)
+
+ The affected systems boot only using acpi=ht, acpi=off or
+ when the kernel is built with CONFIG_MTRR=n.
+
+ The acpi options prevent full enablement of ACPI. Obviously when
+ ACPI is enabled the BIOS/SMM modfies RdMem/WrMem bits. When
+ CONFIG_MTRR=y Linux also accesses and modifies those bits when it
+ needs to sync fixed-MTRRs across cores (Bernhard's fix, see (1)).
+ How do you synchronize that? You can't. As a consequence Linux
+ shouldn't touch those bits at all (Rationale are AMD's BKDGs which
+ recommend to clear the bit that makes RdMem/WrMem accessible).
+ This is the purpose of this patch. And (so far) this suffices to
+ fix (1) and (2).
+
+I suggest not to touch RdDram/WrDram bits of fixed-MTRRs and
+SYSCFG[MtrrFixDramEn] and to clear SYSCFG[MtrrFixDramModEn] as
+suggested by AMD K8, and AMD family 10h/11h BKDGs.
+BIOS is expected to do this anyway. This should avoid that
+Linux and SMM tread on each other's toes ...
+
+Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
+Cc: trenn@suse.de
+Cc: Yinghai Lu <yinghai@kernel.org>
+LKML-Reference: <20090312163937.GH20716@alberich.amd.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kernel/cpu/mtrr/generic.c | 51 +++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -45,6 +45,32 @@ u64 mtrr_tom2;
+ static int mtrr_show;
+ module_param_named(show, mtrr_show, bool, 0);
+
++/**
++ * BIOS is expected to clear MtrrFixDramModEn bit, see for example
++ * "BIOS and Kernel Developer's Guide for the AMD Athlon 64 and AMD
++ * Opteron Processors" (26094 Rev. 3.30 February 2006), section
++ * "13.2.1.2 SYSCFG Register": "The MtrrFixDramModEn bit should be set
++ * to 1 during BIOS initalization of the fixed MTRRs, then cleared to
++ * 0 for operation."
++ */
++static inline void k8_check_syscfg_dram_mod_en(void)
++{
++ u32 lo, hi;
++
++ if (!((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) &&
++ (boot_cpu_data.x86 >= 0x0f)))
++ return;
++
++ rdmsr(MSR_K8_SYSCFG, lo, hi);
++ if (lo & K8_MTRRFIXRANGE_DRAM_MODIFY) {
++ printk(KERN_ERR "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]"
++ " not cleared by BIOS, clearing this bit\n",
++ smp_processor_id());
++ lo &= ~K8_MTRRFIXRANGE_DRAM_MODIFY;
++ mtrr_wrmsr(MSR_K8_SYSCFG, lo, hi);
++ }
++}
++
+ /*
+ * Returns the effective MTRR type for the region
+ * Error returns:
+@@ -178,6 +204,8 @@ get_fixed_ranges(mtrr_type * frs)
+ unsigned int *p = (unsigned int *) frs;
+ int i;
+
++ k8_check_syscfg_dram_mod_en();
++
+ rdmsr(MTRRfix64K_00000_MSR, p[0], p[1]);
+
+ for (i = 0; i < 2; i++)
+@@ -312,27 +340,10 @@ void mtrr_wrmsr(unsigned msr, unsigned a
+ }
+
+ /**
+- * Enable and allow read/write of extended fixed-range MTRR bits on K8 CPUs
+- * see AMD publication no. 24593, chapter 3.2.1 for more information
+- */
+-static inline void k8_enable_fixed_iorrs(void)
+-{
+- unsigned lo, hi;
+-
+- rdmsr(MSR_K8_SYSCFG, lo, hi);
+- mtrr_wrmsr(MSR_K8_SYSCFG, lo
+- | K8_MTRRFIXRANGE_DRAM_ENABLE
+- | K8_MTRRFIXRANGE_DRAM_MODIFY, hi);
+-}
+-
+-/**
+ * set_fixed_range - checks & updates a fixed-range MTRR if it differs from the value it should have
+ * @msr: MSR address of the MTTR which should be checked and updated
+ * @changed: pointer which indicates whether the MTRR needed to be changed
+ * @msrwords: pointer to the MSR values which the MSR should have
+- *
+- * If K8 extentions are wanted, update the K8 SYSCFG MSR also.
+- * See AMD publication no. 24593, chapter 7.8.1, page 233 for more information.
+ */
+ static void set_fixed_range(int msr, bool *changed, unsigned int *msrwords)
+ {
+@@ -341,10 +352,6 @@ static void set_fixed_range(int msr, boo
+ rdmsr(msr, lo, hi);
+
+ if (lo != msrwords[0] || hi != msrwords[1]) {
+- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
+- (boot_cpu_data.x86 >= 0x0f && boot_cpu_data.x86 <= 0x11) &&
+- ((msrwords[0] | msrwords[1]) & K8_MTRR_RDMEM_WRMEM_MASK))
+- k8_enable_fixed_iorrs();
+ mtrr_wrmsr(msr, msrwords[0], msrwords[1]);
+ *changed = true;
+ }
+@@ -428,6 +435,8 @@ static int set_fixed_ranges(mtrr_type *
+ bool changed = false;
+ int block=-1, range;
+
++ k8_check_syscfg_dram_mod_en();
++
+ while (fixed_range_blocks[++block].ranges)
+ for (range=0; range < fixed_range_blocks[block].ranges; range++)
+ set_fixed_range(fixed_range_blocks[block].base_msr + range,
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009
+Message-Id: <20090429220924.343650646@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:10 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Tilman Schmidt <tilman@imap.cc>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 11/58] bas_gigaset: correctly allocate USB interrupt transfer buffer
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=bas_gigaset-correctly-allocate-usb-interrupt-transfer-buffer.patch
+Content-Length: 2616
+Lines: 78
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Tilman Schmidt <tilman@imap.cc>
+
+[ Upstream commit 170ebf85160dd128e1c4206cc197cce7d1424705 ]
+
+Every USB transfer buffer has to be allocated individually by kmalloc.
+
+Impact: bugfix, no functional change
+
+Signed-off-by: Tilman Schmidt <tilman@imap.cc>
+Tested-by: Kolja Waschk <kawk@users.sourceforge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/isdn/gigaset/bas-gigaset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -46,6 +46,9 @@ MODULE_PARM_DESC(cidmode, "Call-ID mode"
+ /* length limit according to Siemens 3070usb-protokoll.doc ch. 2.1 */
+ #define IF_WRITEBUF 264
+
++/* interrupt pipe message size according to ibid. ch. 2.2 */
++#define IP_MSGSIZE 3
++
+ /* Values for the Gigaset 307x */
+ #define USB_GIGA_VENDOR_ID 0x0681
+ #define USB_3070_PRODUCT_ID 0x0001
+@@ -110,7 +113,7 @@ struct bas_cardstate {
+ unsigned char *rcvbuf; /* AT reply receive buffer */
+
+ struct urb *urb_int_in; /* URB for interrupt pipe */
+- unsigned char int_in_buf[3];
++ unsigned char *int_in_buf;
+
+ spinlock_t lock; /* locks all following */
+ int basstate; /* bitmap (BS_*) */
+@@ -657,7 +660,7 @@ static void read_int_callback(struct urb
+ }
+
+ /* drop incomplete packets even if the missing bytes wouldn't matter */
+- if (unlikely(urb->actual_length < 3)) {
++ if (unlikely(urb->actual_length < IP_MSGSIZE)) {
+ dev_warn(cs->dev, "incomplete interrupt packet (%d bytes)\n",
+ urb->actual_length);
+ goto resubmit;
+@@ -2127,6 +2130,7 @@ static void gigaset_reinitbcshw(struct b
+ static void gigaset_freecshw(struct cardstate *cs)
+ {
+ /* timers, URBs and rcvbuf are disposed of in disconnect */
++ kfree(cs->hw.bas->int_in_buf);
+ kfree(cs->hw.bas);
+ cs->hw.bas = NULL;
+ }
+@@ -2232,6 +2236,12 @@ static int gigaset_probe(struct usb_inte
+ }
+ hostif = interface->cur_altsetting;
+ }
++ ucs->int_in_buf = kmalloc(IP_MSGSIZE, GFP_KERNEL);
++ if (!ucs->int_in_buf) {
++ kfree(ucs);
++ pr_err("out of memory\n");
++ return 0;
++ }
+
+ /* Reject application specific interfaces
+ */
+@@ -2290,7 +2300,7 @@ static int gigaset_probe(struct usb_inte
+ usb_fill_int_urb(ucs->urb_int_in, udev,
+ usb_rcvintpipe(udev,
+ (endpoint->bEndpointAddress) & 0x0f),
+- ucs->int_in_buf, 3, read_int_callback, cs,
++ ucs->int_in_buf, IP_MSGSIZE, read_int_callback, cs,
+ endpoint->bInterval);
+ if ((rc = usb_submit_urb(ucs->urb_int_in, GFP_KERNEL)) != 0) {
+ dev_err(cs->dev, "could not submit interrupt URB: %s\n",
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009
+Message-Id: <20090429220924.494895991@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:11 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jay Vosburgh <fubar@us.ibm.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 12/58] bonding: Fix updating of speed/duplex changes
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=bonding-fix-updating-of-speed-duplex-changes.patch
+Content-Length: 2305
+Lines: 79
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jay Vosburgh <fubar@us.ibm.com>
+
+[ Upstream commit 17d04500e2528217de5fe967599f98ee84348a9c ]
+
+ This patch corrects an omission from the following commit:
+
+commit f0c76d61779b153dbfb955db3f144c62d02173c2
+Author: Jay Vosburgh <fubar@us.ibm.com>
+Date: Wed Jul 2 18:21:58 2008 -0700
+
+ bonding: refactor mii monitor
+
+ The un-refactored code checked the link speed and duplex of
+every slave on every pass; the refactored code did not do so.
+
+ The 802.3ad and balance-alb/tlb modes utilize the speed and
+duplex information, and require it to be kept up to date. This patch
+adds a notifier check to perform the appropriate updating when the slave
+device speed changes.
+
+Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bonding/bond_main.c | 25 ++++++++++++++++++++-----
+ drivers/net/bonding/bonding.h | 6 ++++++
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/bonding/bonding.h
++++ b/drivers/net/bonding/bonding.h
+@@ -248,6 +248,12 @@ static inline struct bonding *bond_get_b
+ return (struct bonding *)slave->dev->master->priv;
+ }
+
++static inline bool bond_is_lb(const struct bonding *bond)
++{
++ return bond->params.mode == BOND_MODE_TLB
++ || bond->params.mode == BOND_MODE_ALB;
++}
++
+ #define BOND_FOM_NONE 0
+ #define BOND_FOM_ACTIVE 1
+ #define BOND_FOM_FOLLOW 2
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3516,11 +3516,26 @@ static int bond_slave_netdev_event(unsig
+ }
+ break;
+ case NETDEV_CHANGE:
+- /*
+- * TODO: is this what we get if somebody
+- * sets up a hierarchical bond, then rmmod's
+- * one of the slave bonding devices?
+- */
++ if (bond->params.mode == BOND_MODE_8023AD || bond_is_lb(bond)) {
++ struct slave *slave;
++
++ slave = bond_get_slave_by_dev(bond, slave_dev);
++ if (slave) {
++ u16 old_speed = slave->speed;
++ u16 old_duplex = slave->duplex;
++
++ bond_update_speed_duplex(slave);
++
++ if (bond_is_lb(bond))
++ break;
++
++ if (old_speed != slave->speed)
++ bond_3ad_adapter_speed_changed(slave);
++ if (old_duplex != slave->duplex)
++ bond_3ad_adapter_duplex_changed(slave);
++ }
++ }
++
+ break;
+ case NETDEV_DOWN:
+ /*
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:24 2009
+Message-Id: <20090429220924.768577493@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:12 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stephen Hemminger <shemminger@vyatta.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 13/58] bridge: bad error handling when adding invalid ether address
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=bridge-bad-error-handling-when-adding-invalid-ether-address.patch
+Content-Length: 937
+Lines: 30
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Stephen Hemminger <shemminger@vyatta.com>
+
+[ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ]
+
+This fixes an crash when empty bond device is added to a bridge.
+If an interface with invalid ethernet address (all zero) is added
+to a bridge, then bridge code detects it when setting up the forward
+databas entry. But the error unwind is broken, the bridge port object
+can get freed twice: once when ref count went to zeo, and once by kfree.
+Since object is never really accessible, just free it.
+
+Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br_if.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -419,7 +419,6 @@ err2:
+ err1:
+ kobject_del(&p->kobj);
+ err0:
+- kobject_put(&p->kobj);
+ dev_set_promiscuity(dev, -1);
+ put_back:
+ dev_put(dev);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009
+Message-Id: <20090429220924.931811645@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:13 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Pavel Emelyanov <xemul@openvz.org>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 14/58] ipv6: dont use tw net when accounting for recycled tw
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=ipv6-don-t-use-tw-net-when-accounting-for-recycled-tw.patch
+Content-Length: 1149
+Lines: 38
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Pavel Emelyanov <xemul@openvz.org>
+
+[ Upstream commit 3f53a38131a4e7a053c0aa060aba0411242fb6b9 ]
+
+We already have a valid net in that place, but this is not just a
+cleanup - the tw pointer can be NULL there sometimes, thus causing
+an oops in NET_NS=y case.
+
+The same place in ipv4 code already works correctly using existing
+net, rather than tw's one.
+
+The bug exists since 2.6.27.
+
+Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/inet6_hashtables.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -210,11 +210,11 @@ unique:
+
+ if (twp != NULL) {
+ *twp = tw;
+- NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED);
++ NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED);
+ } else if (tw != NULL) {
+ /* Silly. Should hash-dance instead... */
+ inet_twsk_deschedule(tw, death_row);
+- NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITRECYCLED);
++ NET_INC_STATS_BH(net, LINUX_MIB_TIMEWAITRECYCLED);
+
+ inet_twsk_put(tw);
+ }
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009
+Message-Id: <20090429220925.111124389@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:14 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jesper Nilsson <jesper.nilsson@axis.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 15/58] ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c)
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch
+Content-Length: 1573
+Lines: 49
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+
+[ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ]
+
+Commit 778d80be52699596bf70e0eb0761cf5e1e46088d
+(ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface)
+seems to have introduced a leak of sk_buff's for ipv6 traffic,
+at least in some configurations where idev is NULL, or when ipv6
+is disabled via sysctl.
+
+The problem is that if the first condition of the if-statement
+returns non-NULL, it returns an skb with only one reference,
+and when the other conditions apply, execution jumps to the "out"
+label, which does not call kfree_skb for it.
+
+To plug this leak, change to use the "drop" label instead.
+(this relies on it being ok to call kfree_skb on NULL)
+This also allows us to avoid calling rcu_read_unlock here,
+and removes the only user of the "out" label.
+
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_input.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -74,8 +74,7 @@ int ipv6_rcv(struct sk_buff *skb, struct
+ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL ||
+ !idev || unlikely(idev->cnf.disable_ipv6)) {
+ IP6_INC_STATS_BH(idev, IPSTATS_MIB_INDISCARDS);
+- rcu_read_unlock();
+- goto out;
++ goto drop;
+ }
+
+ memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
+@@ -145,7 +144,6 @@ err:
+ drop:
+ rcu_read_unlock();
+ kfree_skb(skb);
+-out:
+ return 0;
+ }
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009
+Message-Id: <20090429220925.292347131@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:15 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "David S. Miller" <davem@davemloft.net>,
+ Patrick McHardy <kaber@trash.net>
+Subject: [patch 16/58] netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch
+Content-Length: 1246
+Lines: 39
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Mark H. Weaver <mhw@netris.org>
+
+[ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ]
+
+This patch fixes an unaligned memory access in tcp_sack while reading
+sequence numbers from TCP selective acknowledgement options. Prior to
+applying this patch, upstream linux-2.6.27.20 was occasionally
+generating messages like this on my sparc64 system:
+
+ [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00
+
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -15,6 +15,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/ipv6.h>
+ #include <net/ip6_checksum.h>
++#include <asm/unaligned.h>
+
+ #include <net/tcp.h>
+
+@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buf
+ for (i = 0;
+ i < (opsize - TCPOLEN_SACK_BASE);
+ i += TCPOLEN_SACK_PERBLOCK) {
+- tmp = ntohl(*((__be32 *)(ptr+i)+1));
++ tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
+
+ if (after(tmp, *sack))
+ *sack = tmp;
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009
+Message-Id: <20090429220925.448819883@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:16 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Al Viro <viro@zeniv.linux.org.uk>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 17/58] net: fix sctp breakage
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=net-fix-sctp-breakage.patch
+Content-Length: 879
+Lines: 29
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit cb0dc77de0d23615a845e45844a2e22fc224d7fe ]
+
+broken by commit 5e739d1752aca4e8f3e794d431503bfca3162df4; AFAICS should
+be -stable fodder as well...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Aced-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/endpointola.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -111,7 +111,8 @@ static struct sctp_endpoint *sctp_endpoi
+ if (sctp_addip_enable) {
+ auth_chunks->chunks[0] = SCTP_CID_ASCONF;
+ auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
+- auth_chunks->param_hdr.length += htons(2);
++ auth_chunks->param_hdr.length =
++ htons(sizeof(sctp_paramhdr_t) + 2);
+ }
+ }
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009
+Message-Id: <20090429220925.606219157@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:17 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Etienne Basset <etienne.basset@numericable.fr>,
+ Casey Schaufler <casey@schaufler-ca.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 18/58] security/smack: fix oops when setting a size 0 SMACK64 xattr
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0001-security-smack-fix-oops-when-setting-a-size-0-SMACK.patch
+Content-Length: 1232
+Lines: 38
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Etienne Basset <etienne.basset@numericable.fr>
+
+upstream commit: 4303154e86597885bc3cbc178a48ccbc8213875f
+
+this patch fix an oops in smack when setting a size 0 SMACK64 xattr eg
+attr -S -s SMACK64 -V '' somefile
+This oops because smk_import_entry treats a 0 length as SMK_MAXLEN
+
+Signed-off-by: Etienne Basset <etienne.basset@numericable.fr>
+Reviewed-by: James Morris <jmorris@namei.org>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ security/smack/smack_lsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -604,6 +604,8 @@ static int smack_inode_setxattr(struct d
+ strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
+ if (!capable(CAP_MAC_ADMIN))
+ rc = -EPERM;
++ if (size == 0)
++ rc = -EINVAL;
+ } else
+ rc = cap_inode_setxattr(dentry, name, value, size, flags);
+
+@@ -1360,7 +1362,7 @@ static int smack_inode_setsecurity(struc
+ struct socket *sock;
+ int rc = 0;
+
+- if (value == NULL || size > SMK_LABELLEN)
++ if (value == NULL || size > SMK_LABELLEN || size == 0)
+ return -EACCES;
+
+ sp = smk_import(value, size);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:25 2009
+Message-Id: <20090429220925.755690732@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:18 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Michael K Johnson <johnsonm@rpath.com>,
+ "H. Peter Anvin" <hpa@zytor.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 19/58] x86, setup: mark %esi as clobbered in E820 BIOS call
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0011-x86-setup-mark-esi-as-clobbered-in-E820-BIOS-call.patch
+Content-Length: 1512
+Lines: 42
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Michael K. Johnson <johnsonm@rpath.com>
+
+upstream commit: 01522df346f846906eaf6ca57148641476209909
+
+Jordan Hargrave diagnosed a BIOS clobbering %esi in the E820 call.
+That particular BIOS has been fixed, but there is a possibility that
+this is responsible for other occasional reports of early boot
+failure, and it does not hurt to add %esi to the clobbers.
+
+-stable candidate patch.
+
+Cc: Justin Forbes <jmforbes@linuxtx.org>
+Signed-off-by: Michael K Johnson <johnsonm@rpath.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: stable@kernel.org
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/boot/memory.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/boot/memory.c
++++ b/arch/x86/boot/memory.c
+@@ -27,13 +27,14 @@ static int detect_memory_e820(void)
+ do {
+ size = sizeof(struct e820entry);
+
+- /* Important: %edx is clobbered by some BIOSes,
+- so it must be either used for the error output
++ /* Important: %edx and %esi are clobbered by some BIOSes,
++ so they must be either used for the error output
+ or explicitly marked clobbered. */
+ asm("int $0x15; setc %0"
+ : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
+ "=m" (*desc)
+- : "D" (desc), "d" (SMAP), "a" (0xe820));
++ : "D" (desc), "d" (SMAP), "a" (0xe820)
++ : "esi");
+
+ /* BIOSes which terminate the chain with CF = 1 as opposed
+ to %ebx = 0 don't always report the SMAP signature on
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009
+Message-Id: <20090429220925.948430238@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:19 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 20/58] mm: do_xip_mapping_read: fix length calculation
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0031-mm-do_xip_mapping_read-fix-length-calculation.patch
+Content-Length: 922
+Lines: 31
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8
+
+The calculation of the value nr in do_xip_mapping_read is incorrect. If
+the copy required more than one iteration in the do while loop the copies
+variable will be non-zero. The maximum length that may be passed to the
+call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the
+check only compares against (nr > len).
+
+This bug is the cause for the heap corruption Carsten has been chasing
+for so long:
+
+---
+ mm/filemap_xip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/filemap_xip.c
++++ b/mm/filemap_xip.c
+@@ -89,8 +89,8 @@ do_xip_mapping_read(struct address_space
+ }
+ }
+ nr = nr - offset;
+- if (nr > len)
+- nr = len;
++ if (nr > len - copied)
++ nr = len - copied;
+
+ error = mapping->a_ops->get_xip_mem(mapping, index, 0,
+ &xip_mem, &xip_pfn);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009
+Message-Id: <20090429220926.062021009@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:20 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Wu Fengguang <fengguang.wu@intel.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 21/58] vfs: skip I_CLEAR state inodes
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0034-vfs-skip-I_CLEAR-state-inodes.patch
+Content-Length: 3523
+Lines: 91
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Wu Fengguang <fengguang.wu@intel.com>
+
+upstream commit: b6fac63cc1f52ec27f29fe6c6c8494a2ffac33fd
+
+clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do so
+_outside_ of inode_lock. So any I_FREEING testing is incomplete without a
+coupled testing of I_CLEAR.
+
+So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes() and
+add_dquot_ref().
+
+Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara
+reminds fixing the other two cases.
+
+Masayoshi MIZUMA has a nice panic flow:
+
+=====================================================================
+ [process A] | [process B]
+ | |
+ | prune_icache() | drop_pagecache()
+ | spin_lock(&inode_lock) | drop_pagecache_sb()
+ | inode->i_state |= I_FREEING; | |
+ | spin_unlock(&inode_lock) | V
+ | | | spin_lock(&inode_lock)
+ | V | |
+ | dispose_list() | |
+ | list_del() | |
+ | clear_inode() | |
+ | inode->i_state = I_CLEAR | |
+ | | | V
+ | | | if (inode->i_state & (I_FREEING|I_WILL_FREE))
+ | | | continue; <==== NOT MATCH
+ | | |
+ | | | (DANGER from here on! Accessing disposing inode!)
+ | | |
+ | | | __iget()
+ | | | list_move() <===== PANIC on poisoned list !!
+ V V |
+(time)
+=====================================================================
+
+Reported-by: Masayoshi MIZUMA <m.mizuma@jp.fujitsu.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[chrisw: backport to 2.6.29]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/dquot.c | 2 +-
+ fs/drop_caches.c | 2 +-
+ fs/fs-writeback.c | 3 ++-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/dquot.c
++++ b/fs/dquot.c
+@@ -726,7 +726,7 @@ static void add_dquot_ref(struct super_b
+ continue;
+ if (!dqinit_needed(inode, type))
+ continue;
+- if (inode->i_state & (I_FREEING|I_WILL_FREE))
++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE))
+ continue;
+
+ __iget(inode);
+--- a/fs/drop_caches.c
++++ b/fs/drop_caches.c
+@@ -18,7 +18,7 @@ static void drop_pagecache_sb(struct sup
+
+ spin_lock(&inode_lock);
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+- if (inode->i_state & (I_FREEING|I_WILL_FREE))
++ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE))
+ continue;
+ if (inode->i_mapping->nrpages == 0)
+ continue;
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -538,7 +538,8 @@ void generic_sync_sb_inodes(struct super
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+ struct address_space *mapping;
+
+- if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW))
++ if (inode->i_state &
++ (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW))
+ continue;
+ mapping = inode->i_mapping;
+ if (mapping->nrpages == 0)
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009
+Message-Id: <20090429220926.269495766@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:21 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "David S. Miller" <davem@davemloft.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 22/58] af_rose/x25: Sanity check the maximum user frame size
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch
+Content-Length: 1833
+Lines: 64
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alan Cox <alan@lxorguk.ukuu.org.uk>
+
+upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
+
+CVE-2009-0795.
+
+Otherwise we can wrap the sizes and end up sending garbage.
+
+Closes #10423
+
+Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/netrom/af_netrom.c | 6 +++++-
+ net/rose/af_rose.c | 4 ++++
+ net/x25/af_x25.c | 6 ++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
+
+- /* Build a packet */
++ /* Build a packet - the conventional user limit is 236 bytes. We can
++ do ludicrously large NetROM frames but must not overflow */
++ if (len > 65536)
++ return -EMSGSIZE;
++
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1120,6 +1120,10 @@ static int rose_sendmsg(struct kiocb *io
+
+ /* Build a packet */
+ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
++ /* Sanity check the packet size */
++ if (len > 65535)
++ return -EMSGSIZE;
++
+ size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
+
+ if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc
+ sx25.sx25_addr = x25->dest_addr;
+ }
+
++ /* Sanity check the packet size */
++ if (len > 65535) {
++ rc = -EMSGSIZE;
++ goto out;
++ }
++
+ SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
+
+ /* Build a packet */
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009
+Message-Id: <20090429220926.377289559@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:22 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jean Delvare <jdelvare@suse.de>,
+ "David S. Miller" <davem@davemloft.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 23/58] net/netrom: Fix socket locking
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0044-net-netrom-Fix-socket-locking.patch
+Content-Length: 1098
+Lines: 33
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jean Delvare <jdelvare@suse.de>
+
+upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab
+
+Patch "af_rose/x25: Sanity check the maximum user frame size"
+(commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got
+locking wrong. If we bail out due to user frame size being too large,
+we must unlock the socket beforehand.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/netrom/af_netrom.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1084,8 +1084,10 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ /* Build a packet - the conventional user limit is 236 bytes. We can
+ do ludicrously large NetROM frames but must not overflow */
+- if (len > 65536)
+- return -EMSGSIZE;
++ if (len > 65536) {
++ err = -EMSGSIZE;
++ goto out;
++ }
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009
+Message-Id: <20090429220926.523009901@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:23 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Patrick McHardy <kaber@trash.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 24/58] netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0048-netfilter-ip-ip6-arp-_tables-fix-incorrect-loop.patch
+Content-Length: 2546
+Lines: 66
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Patrick McHardy <kaber@trash.net>
+
+upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558
+
+Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
+search for loops) introduced a regression in the loop detection algorithm,
+causing sporadic incorrectly detected loops.
+
+When a chain has already been visited during the check, it is treated as
+having a standard target containing a RETURN verdict directly at the
+beginning in order to not check it again. The real target of the first
+rule is then incorrectly treated as STANDARD target and checked not to
+contain invalid verdicts.
+
+Fix by making sure the rule does actually contain a standard target.
+
+Based on patch by Francis Dupont <Francis_Dupont@isc.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/netfilter/arp_tables.c | 4 +++-
+ net/ipv4/netfilter/ip_tables.c | 4 +++-
+ net/ipv6/netfilter/ip6_tables.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -372,7 +372,9 @@ static int mark_source_chains(struct xt_
+ && unconditional(&e->arp)) || visited) {
+ unsigned int oldpos, size;
+
+- if (t->verdict < -NF_MAX_VERDICT - 1) {
++ if ((strcmp(t->target.u.user.name,
++ ARPT_STANDARD_TARGET) == 0) &&
++ t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -502,7 +502,9 @@ mark_source_chains(struct xt_table_info
+ && unconditional(&e->ip)) || visited) {
+ unsigned int oldpos, size;
+
+- if (t->verdict < -NF_MAX_VERDICT - 1) {
++ if ((strcmp(t->target.u.user.name,
++ IPT_STANDARD_TARGET) == 0) &&
++ t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -529,7 +529,9 @@ mark_source_chains(struct xt_table_info
+ && unconditional(&e->ipv6)) || visited) {
+ unsigned int oldpos, size;
+
+- if (t->verdict < -NF_MAX_VERDICT - 1) {
++ if ((strcmp(t->target.u.user.name,
++ IP6T_STANDARD_TARGET) == 0) &&
++ t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:26 2009
+Message-Id: <20090429220926.729595728@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:24 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Miklos Szeredi <mszeredi@suse.cz>,
+ Mark Fasheh <mfasheh@suse.com>,
+ Jens Axboe <jens.axboe@oracle.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 25/58] splice: fix deadlock in splicing to file
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0049-splice-fix-deadlock-in-splicing-to-file.patch
+Content-Length: 3869
+Lines: 114
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+upstream commit: 7bfac9ecf0585962fe13584f5cf526d8c8e76f17
+
+There's a possible deadlock in generic_file_splice_write(),
+splice_from_pipe() and ocfs2_file_splice_write():
+
+ - task A calls generic_file_splice_write()
+ - this calls inode_double_lock(), which locks i_mutex on both
+ pipe->inode and target inode
+ - ordering depends on inode pointers, can happen that pipe->inode is
+ locked first
+ - __splice_from_pipe() needs more data, calls pipe_wait()
+ - this releases lock on pipe->inode, goes to interruptible sleep
+ - task B calls generic_file_splice_write(), similarly to the first
+ - this locks pipe->inode, then tries to lock inode, but that is
+ already held by task A
+ - task A is interrupted, it tries to lock pipe->inode, but fails, as
+ it is already held by task B
+ - ABBA deadlock
+
+Fix this by explicitly ordering locks: the outer lock must be on
+target inode and the inner lock (which is later unlocked and relocked)
+must be on pipe->inode. This is OK, pipe inodes and target inodes
+form two nonoverlapping sets, generic_file_splice_write() and friends
+are not called with a target which is a pipe.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Acked-by: Mark Fasheh <mfasheh@suse.com>
+Acked-by: Jens Axboe <jens.axboe@oracle.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/ocfs2/file.c | 8 ++++++--
+ fs/splice.c | 25 ++++++++++++++++++++-----
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2089,7 +2089,7 @@ static ssize_t ocfs2_file_splice_write(s
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name);
+
+- inode_double_lock(inode, pipe->inode);
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
+
+ ret = ocfs2_rw_lock(inode, 1);
+ if (ret < 0) {
+@@ -2104,12 +2104,16 @@ static ssize_t ocfs2_file_splice_write(s
+ goto out_unlock;
+ }
+
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
+
+ out_unlock:
+ ocfs2_rw_unlock(inode, 1);
+ out:
+- inode_double_unlock(inode, pipe->inode);
++ mutex_unlock(&inode->i_mutex);
+
+ mlog_exit(ret);
+ return ret;
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -735,10 +735,19 @@ ssize_t splice_from_pipe(struct pipe_ino
+ * ->commit_write. Most of the time, these expect i_mutex to
+ * be held. Since this may result in an ABBA deadlock with
+ * pipe->inode, we have to order lock acquiry here.
++ *
++ * Outer lock must be inode->i_mutex, as pipe_wait() will
++ * release and reacquire pipe->inode->i_mutex, AND inode must
++ * never be a pipe.
+ */
+- inode_double_lock(inode, pipe->inode);
++ WARN_ON(S_ISFIFO(inode->i_mode));
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = __splice_from_pipe(pipe, &sd, actor);
+- inode_double_unlock(inode, pipe->inode);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
++ mutex_unlock(&inode->i_mutex);
+
+ return ret;
+ }
+@@ -829,11 +838,17 @@ generic_file_splice_write(struct pipe_in
+ };
+ ssize_t ret;
+
+- inode_double_lock(inode, pipe->inode);
++ WARN_ON(S_ISFIFO(inode->i_mode));
++ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
+ ret = file_remove_suid(out);
+- if (likely(!ret))
++ if (likely(!ret)) {
++ if (pipe->inode)
++ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
+ ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
+- inode_double_unlock(inode, pipe->inode);
++ if (pipe->inode)
++ mutex_unlock(&pipe->inode->i_mutex);
++ }
++ mutex_unlock(&inode->i_mutex);
+ if (ret > 0) {
+ unsigned long nr_pages;
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220926.934898140@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:25 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Akinobu Mita <akinobu.mita@gmail.com>,
+ Takashi Iwai <tiwai@suse.de>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 26/58] ALSA: hda - add missing comma in ad1884_slave_vols
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0050-ALSA-hda-add-missing-comma-in-ad1884_slave_vols.patch
+Content-Length: 737
+Lines: 24
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+upstream commit: bca68467b59a24396554d8dd5979ee363c174854
+
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ sound/pci/hda/patch_analog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_analog.c
++++ b/sound/pci/hda/patch_analog.c
+@@ -3220,7 +3220,7 @@ static const char *ad1884_slave_vols[] =
+ "Mic Playback Volume",
+ "CD Playback Volume",
+ "Internal Mic Playback Volume",
+- "Docking Mic Playback Volume"
++ "Docking Mic Playback Volume",
+ "Beep Playback Volume",
+ "IEC958 Playback Volume",
+ NULL
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220927.114222967@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:26 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jean Delvare <jdelvare@suse.de>,
+ Mike Christie <michaelc@cs.wisc.edu>,
+ James Bottomley <James.Bottomley@HansenPartnership.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 27/58] SCSI: libiscsi: fix iscsi pool error path
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0052-SCSI-libiscsi-fix-iscsi-pool-error-path.patch
+Content-Length: 1498
+Lines: 43
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jean Delvare <jdelvare@suse.de>
+
+upstream commit: f474a37bc48667595b5653a983b635c95ed82a3b
+
+Memory freeing in iscsi_pool_free() looks wrong to me. Either q->pool
+can be NULL and this should be tested before dereferencing it, or it
+can't be NULL and it shouldn't be tested at all. As far as I can see,
+the only case where q->pool is NULL is on early error in
+iscsi_pool_init(). One possible way to fix the bug is thus to not
+call iscsi_pool_free() in this case (nothing needs to be freed anyway)
+and then we can get rid of the q->pool check.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/scsi/libiscsi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1807,7 +1807,7 @@ iscsi_pool_init(struct iscsi_pool *q, in
+ num_arrays++;
+ q->pool = kzalloc(num_arrays * max * sizeof(void*), GFP_KERNEL);
+ if (q->pool == NULL)
+- goto enomem;
++ return -ENOMEM;
+
+ q->queue = kfifo_init((void*)q->pool, max * sizeof(void*),
+ GFP_KERNEL, NULL);
+@@ -1842,8 +1842,7 @@ void iscsi_pool_free(struct iscsi_pool *
+
+ for (i = 0; i < q->max; i++)
+ kfree(q->pool[i]);
+- if (q->pool)
+- kfree(q->pool);
++ kfree(q->pool);
+ kfree(q->queue);
+ }
+ EXPORT_SYMBOL_GPL(iscsi_pool_free);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220927.309155133@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:27 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Mike Christie <michaelc@cs.wisc.edu>,
+ James Bottomley <James.Bottomley@HansenPartnership.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 28/58] SCSI: libiscsi: fix iscsi pool error path again
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0053-SCSI-libiscsi-fix-iscsi-pool-error-path.patch
+Content-Length: 1499
+Lines: 43
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jean Delvare <jdelvare@suse.de>
+
+upstream commit: fd6e1c14b73dbab89cb76af895d5612e4a8b5522
+
+Le lundi 30 mars 2009, Chris Wright a écrit :
+> q->queue could be ERR_PTR(-ENOMEM) which will break unwinding
+> on error. Make iscsi_pool_free more defensive.
+>
+
+Making the freeing of q->queue dependent on q->pool being set looks
+really weird (although it is correct at the moment. But this seems
+to be fixable in a much simpler way.
+
+With the benefit that only the error case is slowed down. In both
+cases we have a problem if q->queue contains an error value but it's
+not -ENOMEM. Apparently this can't happen today, but it doesn't feel
+right to assume this will always be true. Maybe it's the right time
+to fix this as well.
+
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+[chrisw: this is a fixlet to f474a37b, also in -stable]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/scsi/libiscsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1811,8 +1811,10 @@ iscsi_pool_init(struct iscsi_pool *q, in
+
+ q->queue = kfifo_init((void*)q->pool, max * sizeof(void*),
+ GFP_KERNEL, NULL);
+- if (q->queue == ERR_PTR(-ENOMEM))
++ if (IS_ERR(q->queue)) {
++ q->queue = NULL;
+ goto enomem;
++ }
+
+ for (i = 0; i < max; i++) {
+ q->pool[i] = kzalloc(item_size, GFP_KERNEL);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220927.416887820@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:28 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Nathan Lynch <ntl@pobox.com>,
+ Nigel Cunningham <nigel@tuxonice.net>,
+ containers@lists.linux-foundation.org,
+ linux-pm@lists.linux-foundation.org,
+ Matt Helsley <matthltc@us.ibm.com>,
+ Ingo Molnar <mingo@elte.hu>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 29/58] sched: do not count frozen tasks toward load
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0060-sched-do-not-count-frozen-tasks-toward-load.patch
+Content-Length: 1987
+Lines: 48
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Nathan Lynch <ntl@pobox.com>
+
+upstream commit: e3c8ca8336707062f3f7cb1cd7e6b3c753baccdd
+
+Freezing tasks via the cgroup freezer causes the load average to climb
+because the freezer's current implementation puts frozen tasks in
+uninterruptible sleep (D state).
+
+Some applications which perform job-scheduling functions consult the
+load average when making decisions. If a cgroup is frozen, the load
+average does not provide a useful measure of the system's utilization
+to such applications. This is especially inconvenient if the job
+scheduler employs the cgroup freezer as a mechanism for preempting low
+priority jobs. Contrast this with using SIGSTOP for the same purpose:
+the stopped tasks do not count toward system load.
+
+Change task_contributes_to_load() to return false if the task is
+frozen. This results in /proc/loadavg behavior that better meets
+users' expectations.
+
+Signed-off-by: Nathan Lynch <ntl@pobox.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Nigel Cunningham <nigel@tuxonice.net>
+Tested-by: Nigel Cunningham <nigel@tuxonice.net>
+Cc: containers@lists.linux-foundation.org
+Cc: linux-pm@lists.linux-foundation.org
+Cc: Matt Helsley <matthltc@us.ibm.com>
+LKML-Reference: <20090408194512.47a99b95@manatee.lan>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ include/linux/sched.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -201,7 +201,8 @@ extern unsigned long long time_sync_thre
+ #define task_is_stopped_or_traced(task) \
+ ((task->state & (__TASK_STOPPED | __TASK_TRACED)) != 0)
+ #define task_contributes_to_load(task) \
+- ((task->state & TASK_UNINTERRUPTIBLE) != 0)
++ ((task->state & TASK_UNINTERRUPTIBLE) != 0 && \
++ (task->flags & PF_FROZEN) == 0)
+
+ #define __set_task_state(tsk, state_value) \
+ do { (tsk)->state = (state_value); } while (0)
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220927.546987392@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:29 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "Serge E. Hallyn" <serue@us.ibm.com>,
+ "J. Bruce Fields" <bfields@citi.umich.edu>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 30/58] add some long-missing capabilities to fs_mask
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0063-add-some-long-missing-capabilities-to-fs_mask.patch
+Content-Length: 2904
+Lines: 76
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Serge E. Hallyn <serue@us.ibm.com>
+
+upstream commit: 0ad30b8fd5fe798aae80df6344b415d8309342cc
+
+When POSIX capabilities were introduced during the 2.1 Linux
+cycle, the fs mask, which represents the capabilities which having
+fsuid==0 is supposed to grant, did not include CAP_MKNOD and
+CAP_LINUX_IMMUTABLE. However, before capabilities the privilege
+to call these did in fact depend upon fsuid==0.
+
+This patch introduces those capabilities into the fsmask,
+restoring the old behavior.
+
+See the thread starting at http://lkml.org/lkml/2009/3/11/157 for
+reference.
+
+Note that if this fix is deemed valid, then earlier kernel versions (2.4
+and 2.2) ought to be fixed too.
+
+Changelog:
+ [Mar 23] Actually delete old CAP_FS_SET definition...
+ [Mar 20] Updated against J. Bruce Fields's patch
+
+Reported-by: Igor Zhbanov <izh1979@gmail.com>
+Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
+Cc: stable@kernel.org
+Cc: J. Bruce Fields <bfields@citi.umich.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ include/linux/capability.h | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -366,7 +366,21 @@ typedef struct kernel_cap_struct {
+ #define CAP_FOR_EACH_U32(__capi) \
+ for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
+
++/*
++ * CAP_FS_MASK and CAP_NFSD_MASKS:
++ *
++ * The fs mask is all the privileges that fsuid==0 historically meant.
++ * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
++ *
++ * It has never meant setting security.* and trusted.* xattrs.
++ *
++ * We could also define fsmask as follows:
++ * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
++ * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
++ */
++
+ # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
++ | CAP_TO_MASK(CAP_MKNOD) \
+ | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
+ | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
+ | CAP_TO_MASK(CAP_FOWNER) \
+@@ -381,11 +395,12 @@ typedef struct kernel_cap_struct {
+ # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
+ # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
+ # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
+-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
++# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
++ | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
++ CAP_FS_MASK_B1 } })
+ # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+- | CAP_TO_MASK(CAP_SYS_RESOURCE) \
+- | CAP_TO_MASK(CAP_MKNOD), \
+- CAP_FS_MASK_B1 } })
++ | CAP_TO_MASK(CAP_SYS_RESOURCE), \
++ CAP_FS_MASK_B1 } })
+
+ #endif /* _KERNEL_CAPABILITY_U32S != 2 */
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220927.709990654@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:30 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Paul Mackerras <paulus@samba.org>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 31/58] powerpc: Fix data-corrupting bug in __futex_atomic_op
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0068-powerpc-Fix-data-corrupting-bug-in-__futex_atomic_o.patch
+Content-Length: 2090
+Lines: 58
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Paul Mackerras <paulus@samba.org>
+
+upstream commit: 306a82881b14d950d59e0b59a55093a07d82aa9a
+
+Richard Henderson pointed out that the powerpc __futex_atomic_op has a
+bug: it will write the wrong value if the stwcx. fails and it has to
+retry the lwarx/stwcx. loop, since 'oparg' will have been overwritten
+by the result from the first time around the loop. This happens
+because it uses the same register for 'oparg' (an input) as it uses
+for the result.
+
+This fixes it by using separate registers for 'oparg' and 'ret'.
+
+Cc: stable@kernel.org
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/powerpc/include/asm/futex.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/futex.h
++++ b/arch/powerpc/include/asm/futex.h
+@@ -27,7 +27,7 @@
+ PPC_LONG "1b,4b,2b,4b\n" \
+ ".previous" \
+ : "=&r" (oldval), "=&r" (ret) \
+- : "b" (uaddr), "i" (-EFAULT), "1" (oparg) \
++ : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \
+ : "cr0", "memory")
+
+ static inline int futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
+@@ -47,19 +47,19 @@ static inline int futex_atomic_op_inuser
+
+ switch (op) {
+ case FUTEX_OP_SET:
+- __futex_atomic_op("", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("mr %1,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_ADD:
+- __futex_atomic_op("add %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("add %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_OR:
+- __futex_atomic_op("or %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("or %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_ANDN:
+- __futex_atomic_op("andc %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("andc %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_XOR:
+- __futex_atomic_op("xor %1,%0,%1\n", ret, oldval, uaddr, oparg);
++ __futex_atomic_op("xor %1,%0,%4\n", ret, oldval, uaddr, oparg);
+ break;
+ default:
+ ret = -ENOSYS;
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:27 2009
+Message-Id: <20090429220927.836931426@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:31 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sergei Shtylyov <sshtylyov@ru.mvista.com>,
+ Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 32/58] hpt366: fix HPT370 DMA timeouts
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0069-hpt366-fix-HPT370-DMA-timeouts.patch
+Content-Length: 1519
+Lines: 42
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+upstream commit: c018f1ee5cf81e58b93d9e93a2ee39cad13dc1ac
+
+The big driver change in 2.4.19-rc1 introduced a regression for many HPT370[A]
+chips -- DMA stopped to work completely, only causing endless timeouts...
+
+The culprit has been identified (at last!): it turned to be the code resetting
+the DMA state machine before each transfer. Stop doing it now as this counter-
+measure has clearly caused more harm than good.
+
+This should fix the kernel.org bug #7703.
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/ide/pci/hpt366.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ide/pci/hpt366.c
++++ b/drivers/ide/pci/hpt366.c
+@@ -114,6 +114,8 @@
+ * the register setting lists into the table indexed by the clock selected
+ * - set the correct hwif->ultra_mask for each individual chip
+ * - add Ultra and MW DMA mode filtering for the HPT37[24] based SATA cards
++ * - stop resetting HPT370's state machine before each DMA transfer as that has
++ * caused more harm than good
+ * Sergei Shtylyov, <sshtylyov@ru.mvista.com> or <source@mvista.com>
+ */
+
+@@ -134,7 +136,7 @@
+ #define DRV_NAME "hpt366"
+
+ /* various tuning parameters */
+-#define HPT_RESET_STATE_ENGINE
++#undef HPT_RESET_STATE_ENGINE
+ #undef HPT_DELAY_INTERRUPT
+ #define HPT_SERIALIZE_IO 0
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009
+Message-Id: <20090429220927.980460357@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:32 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sergei Shtylyov <sshtylyov@ru.mvista.com>,
+ Jeff Garzik <jgarzik@redhat.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 33/58] pata_hpt37x: fix HPT370 DMA timeouts
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0070-pata_hpt37x-fix-HPT370-DMA-timeouts.patch
+Content-Length: 2123
+Lines: 69
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+upstream commit: 265b7215aed36941620b65ecfff516200fb190c1
+
+The libata driver has copied the code from the IDE driver which caused a post
+2.4.18 regression on many HPT370[A] chips -- DMA stopped to work completely,
+only causing timeouts. Now remove hpt370_bmdma_start() for good...
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/ata/pata_hpt37x.c | 22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/drivers/ata/pata_hpt37x.c
++++ b/drivers/ata/pata_hpt37x.c
+@@ -8,7 +8,7 @@
+ * Copyright (C) 1999-2003 Andre Hedrick <andre@linux-ide.org>
+ * Portions Copyright (C) 2001 Sun Microsystems, Inc.
+ * Portions Copyright (C) 2003 Red Hat Inc
+- * Portions Copyright (C) 2005-2007 MontaVista Software, Inc.
++ * Portions Copyright (C) 2005-2009 MontaVista Software, Inc.
+ *
+ * TODO
+ * Look into engine reset on timeout errors. Should not be required.
+@@ -24,7 +24,7 @@
+ #include <linux/libata.h>
+
+ #define DRV_NAME "pata_hpt37x"
+-#define DRV_VERSION "0.6.11"
++#define DRV_VERSION "0.6.12"
+
+ struct hpt_clock {
+ u8 xfer_speed;
+@@ -445,23 +445,6 @@ static void hpt370_set_dmamode(struct at
+ }
+
+ /**
+- * hpt370_bmdma_start - DMA engine begin
+- * @qc: ATA command
+- *
+- * The 370 and 370A want us to reset the DMA engine each time we
+- * use it. The 372 and later are fine.
+- */
+-
+-static void hpt370_bmdma_start(struct ata_queued_cmd *qc)
+-{
+- struct ata_port *ap = qc->ap;
+- struct pci_dev *pdev = to_pci_dev(ap->host->dev);
+- pci_write_config_byte(pdev, 0x50 + 4 * ap->port_no, 0x37);
+- udelay(10);
+- ata_bmdma_start(qc);
+-}
+-
+-/**
+ * hpt370_bmdma_end - DMA engine stop
+ * @qc: ATA command
+ *
+@@ -598,7 +581,6 @@ static struct scsi_host_template hpt37x_
+ static struct ata_port_operations hpt370_port_ops = {
+ .inherits = &ata_bmdma_port_ops,
+
+- .bmdma_start = hpt370_bmdma_start,
+ .bmdma_stop = hpt370_bmdma_stop,
+
+ .mode_filter = hpt370_filter,
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009
+Message-Id: <20090429220928.132621395@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:33 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jonathan McDowell <noodles@earth.li>,
+ David Brownell <dbrownell@users.sourceforge.net>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 34/58] usb gadget: fix ethernet link reports to ethtool
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0077-usb-gadget-fix-ethernet-link-reports-to-ethtool.patch
+Content-Length: 1583
+Lines: 44
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jonathan McDowell <noodles@earth.li>
+
+upstream commit: 237e75bf1e558f7330f8deb167fa3116405bef2c
+
+The g_ether USB gadget driver currently decides whether or not there's a
+link to report back for eth_get_link based on if the USB link speed is
+set. The USB gadget speed is however often set even before the device is
+enumerated. It seems more sensible to only report a "link" if we're
+actually connected to a host that wants to talk to us. The patch below
+does this for me - tested with the PXA27x UDC driver.
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/gadget/u_ether.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/usb/gadget/u_ether.c
++++ b/drivers/usb/gadget/u_ether.c
+@@ -175,12 +175,6 @@ static void eth_get_drvinfo(struct net_d
+ strlcpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof p->bus_info);
+ }
+
+-static u32 eth_get_link(struct net_device *net)
+-{
+- struct eth_dev *dev = netdev_priv(net);
+- return dev->gadget->speed != USB_SPEED_UNKNOWN;
+-}
+-
+ /* REVISIT can also support:
+ * - WOL (by tracking suspends and issuing remote wakeup)
+ * - msglevel (implies updated messaging)
+@@ -189,7 +183,7 @@ static u32 eth_get_link(struct net_devic
+
+ static struct ethtool_ops ops = {
+ .get_drvinfo = eth_get_drvinfo,
+- .get_link = eth_get_link
++ .get_link = ethtool_op_get_link,
+ };
+
+ static void defer_kevent(struct eth_dev *dev, int flag)
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009
+Message-Id: <20090429220928.280580763@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:34 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Peter Korsgaard <jacmet@sunsite.dk>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 35/58] USB: ftdi_sio: add vendor/project id for JETI specbos 1201 spectrometer
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0078-USB-ftdi_sio-add-vendor-project-id-for-JETI-specbo.patch
+Content-Length: 1149
+Lines: 39
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Peter Korsgaard <jacmet@sunsite.dk>
+
+upstream commit: ae27d84351f1f3568118318a8c40ff3a154bd629
+
+Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio.h | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -662,6 +662,7 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(DE_VID, WHT_PID) },
+ { USB_DEVICE(ADI_VID, ADI_GNICE_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++ { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
+ { }, /* Optional parameter entry */
+ { } /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio.h
++++ b/drivers/usb/serial/ftdi_sio.h
+@@ -890,6 +890,13 @@
+ #define ADI_GNICE_PID 0xF000
+
+ /*
++ * JETI SPECTROMETER SPECBOS 1201
++ * http://www.jeti.com/products/sys/scb/scb1201.php
++ */
++#define JETI_VID 0x0c6c
++#define JETI_SPC1201_PID 0x04b2
++
++/*
+ * BmRequestType: 1100 0000b
+ * bRequest: FTDI_E2_READ
+ * wValue: 0
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009
+Message-Id: <20090429220928.432626483@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:35 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oliver Neukum <oliver@neukum.org>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 36/58] USB: fix oops in cdc-wdm in case of malformed descriptors
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0079-USB-fix-oops-in-cdc-wdm-in-case-of-malformed-descri.patch
+Content-Length: 681
+Lines: 25
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Oliver Neukum <oliver@neukum.org>
+
+upstream commit: e13c594f3a1fc2c78e7a20d1a07974f71e4b448f
+
+cdc-wdm needs to ignore extremely malformed descriptors.
+
+Signed-off-by: Oliver Neukum <oliver@neukum.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/class/cdc-wdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -641,7 +641,7 @@ next_desc:
+
+ iface = &intf->altsetting[0];
+ ep = &iface->endpoint[0].desc;
+- if (!usb_endpoint_is_int_in(ep)) {
++ if (!ep || !usb_endpoint_is_int_in(ep)) {
+ rv = -EINVAL;
+ goto err;
+ }
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009
+Message-Id: <20090429220928.583064537@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:36 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Stern <stern@rowland.harvard.edu>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 37/58] USB: usb-storage: augment unusual_devs entry for Simple Tech/Datafab
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0080-USB-usb-storage-augment-unusual_devs-entry-for-Sim.patch
+Content-Length: 1277
+Lines: 36
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+upstream commit: e4813eec8d47c8299d968bd5349dc881fa481c26
+
+This patch (as1227) adds the MAX_SECTORS_64 flag to the unusual_devs
+entry for the Simple Tech/Datafab controller. This fixes Bugzilla
+#12882.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: binbin <binbinsh@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/usb/storage/unusual_devs.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1241,12 +1241,14 @@ UNUSUAL_DEV( 0x07c4, 0xa400, 0x0000, 0x
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+ US_FL_FIX_INQUIRY ),
+
+-/* Reported by Rauch Wolke <rauchwolke@gmx.net> */
++/* Reported by Rauch Wolke <rauchwolke@gmx.net>
++ * and augmented by binbin <binbinsh@gmail.com> (Bugzilla #12882)
++ */
+ UNUSUAL_DEV( 0x07c4, 0xa4a5, 0x0000, 0xffff,
+ "Simple Tech/Datafab",
+ "CF+SM Reader",
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+- US_FL_IGNORE_RESIDUE ),
++ US_FL_IGNORE_RESIDUE | US_FL_MAX_SECTORS_64 ),
+
+ /* Casio QV 2x00/3x00/4000/8000 digital still cameras are not conformant
+ * to the USB storage specification in two ways:
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:28 2009
+Message-Id: <20090429220928.710421504@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:37 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Shaohua Li <shaohua.li@intel.com>,
+ Dave Airlie <airlied@redhat.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 38/58] agp: zero pages before sending to userspace
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0093-agp-zero-pages-before-sending-to-userspace.patch
+Content-Length: 825
+Lines: 28
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+upstream commit: 59de2bebabc5027f93df999d59cc65df591c3e6e
+
+CVE-2009-1192
+
+AGP pages might be mapped into userspace finally, so the pages should be
+set to zero before userspace can use it. Otherwise there is potential
+information leakage.
+
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/char/agp/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -1207,7 +1207,7 @@ void *agp_generic_alloc_page(struct agp_
+ {
+ struct page * page;
+
+- page = alloc_page(GFP_KERNEL | GFP_DMA32);
++ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
+ if (page == NULL)
+ return NULL;
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220928.849214831@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:38 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ William Irwin <wli@holomorphy.com>,
+ Akinobu Mita <akinobu.mita@gmail.com>,
+ Chris Wright <chrisw@sous-sol.org>
+Subject: [patch 39/58] hugetlbfs: return negative error code for bad mount option
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=0096-hugetlbfs-return-negative-error-code-for-bad-mount.patch
+Content-Length: 1289
+Lines: 49
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+upstream commit: c12ddba09394c60e1120e6997794fa6ed52da884
+
+This fixes the following BUG:
+
+ # mount -o size=MM -t hugetlbfs none /huge
+ hugetlbfs: Bad value 'MM' for mount option 'size=MM'
+ ------------[ cut here ]------------
+ kernel BUG at fs/super.c:996!
+
+Due to
+
+ BUG_ON(!mnt->mnt_sb);
+
+in vfs_kern_mount().
+
+Also, remove unused #include <linux/quotaops.h>
+
+Cc: William Irwin <wli@holomorphy.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ fs/hugetlbfs/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -26,7 +26,6 @@
+ #include <linux/pagevec.h>
+ #include <linux/parser.h>
+ #include <linux/mman.h>
+-#include <linux/quotaops.h>
+ #include <linux/slab.h>
+ #include <linux/dnotify.h>
+ #include <linux/statfs.h>
+@@ -838,7 +837,7 @@ hugetlbfs_parse_options(char *options, s
+ bad_val:
+ printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n",
+ args[0].from, p);
+- return 1;
++ return -EINVAL;
+ }
+
+ static int
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.014406153@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:39 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ananth N Mavinakayanahalli <ananth@in.ibm.com>,
+ Masami Hiramatsu <mhiramat@redhat.com>,
+ Jim Keniston <jkenisto@us.ibm.com>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 40/58] kprobes: Fix locking imbalance in kretprobes
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=kprobes-fix-locking-imbalance-in-kretprobes.patch
+Content-Length: 2891
+Lines: 82
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+
+commit f02b8624fedca39886b0eef770dca70c2f0749b3 upstream.
+
+Fix locking imbalance in kretprobes:
+
+=====================================
+[ BUG: bad unlock balance detected! ]
+-------------------------------------
+kthreadd/2 is trying to release lock (&rp->lock) at:
+[<c06b3080>] pre_handler_kretprobe+0xea/0xf4
+but there are no more locks to release!
+
+other info that might help us debug this:
+1 lock held by kthreadd/2:
+ #0: (rcu_read_lock){..--}, at: [<c06b2b24>] __atomic_notifier_call_chain+0x0/0x5a
+
+stack backtrace:
+Pid: 2, comm: kthreadd Not tainted 2.6.29-rc8 #1
+Call Trace:
+ [<c06ae498>] ? printk+0xf/0x17
+ [<c06b3080>] ? pre_handler_kretprobe+0xea/0xf4
+ [<c044ce6c>] print_unlock_inbalance_bug+0xc3/0xce
+ [<c0444d4b>] ? clocksource_read+0x7/0xa
+ [<c04450a4>] ? getnstimeofday+0x5f/0xf6
+ [<c044a9ca>] ? register_lock_class+0x17/0x293
+ [<c044b72c>] ? mark_lock+0x1e/0x30b
+ [<c0448956>] ? tick_dev_program_event+0x4a/0xbc
+ [<c0498100>] ? __slab_alloc+0xa5/0x415
+ [<c06b2fbe>] ? pre_handler_kretprobe+0x28/0xf4
+ [<c06b3080>] ? pre_handler_kretprobe+0xea/0xf4
+ [<c044cf1b>] lock_release_non_nested+0xa4/0x1a5
+ [<c06b3080>] ? pre_handler_kretprobe+0xea/0xf4
+ [<c044d15d>] lock_release+0x141/0x166
+ [<c06b07dd>] _spin_unlock_irqrestore+0x19/0x50
+ [<c06b3080>] pre_handler_kretprobe+0xea/0xf4
+ [<c06b20b5>] kprobe_exceptions_notify+0x1c9/0x43e
+ [<c06b2b02>] notifier_call_chain+0x26/0x48
+ [<c06b2b5b>] __atomic_notifier_call_chain+0x37/0x5a
+ [<c06b2b24>] ? __atomic_notifier_call_chain+0x0/0x5a
+ [<c06b2b8a>] atomic_notifier_call_chain+0xc/0xe
+ [<c0442d0d>] notify_die+0x2d/0x2f
+ [<c06b0f9c>] do_int3+0x1f/0x71
+ [<c06b0e84>] int3+0x2c/0x34
+ [<c042d476>] ? do_fork+0x1/0x288
+ [<c040221b>] ? kernel_thread+0x71/0x79
+ [<c043ed1b>] ? kthread+0x0/0x60
+ [<c043ed1b>] ? kthread+0x0/0x60
+ [<c04040b8>] ? kernel_thread_helper+0x0/0x10
+ [<c043ec7f>] kthreadd+0xac/0x148
+ [<c043ebd3>] ? kthreadd+0x0/0x148
+ [<c04040bf>] kernel_thread_helper+0x7/0x10
+
+Signed-off-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Tested-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
+Cc: Masami Hiramatsu <mhiramat@redhat.com>
+Cc: Jim Keniston <jkenisto@us.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+LKML-Reference: <20090318113621.GB4129@in.ibm.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kprobes.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -890,10 +890,8 @@ static int __kprobes pre_handler_kretpro
+ ri->rp = rp;
+ ri->task = current;
+
+- if (rp->entry_handler && rp->entry_handler(ri, regs)) {
+- spin_unlock_irqrestore(&rp->lock, flags);
++ if (rp->entry_handler && rp->entry_handler(ri, regs))
+ return 0;
+- }
+
+ arch_prepare_kretprobe(ri, regs);
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.139768044@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:40 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jens Axboe <jens.axboe@oracle.com>
+Subject: [patch 41/58] block: revert part of 18ce3751ccd488c78d3827e9f6bf54e6322676fb
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=block-revert-part-of-18ce3751ccd488c78d3827e9f6bf54e6322676fb.patch
+Content-Length: 1854
+Lines: 66
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Jens Axboe <jens.axboe@oracle.com>
+
+commit 78f707bfc723552e8309b7c38a8d0cc51012e813 upstream.
+
+The above commit added WRITE_SYNC and switched various places to using
+that for committing writes that will be waited upon immediately after
+submission. However, this causes a performance regression with AS and CFQ
+for ext3 at least, since sync_dirty_buffer() will submit some writes with
+WRITE_SYNC while ext3 has sumitted others dependent writes without the sync
+flag set. This causes excessive anticipation/idling in the IO scheduler
+because sync and async writes get interleaved, causing a big performance
+regression for the below test case (which is meant to simulate sqlite
+like behaviour).
+
+---- test case ----
+
+int main(int argc, char **argv)
+{
+
+ int fdes, i;
+ FILE *fp;
+ struct timeval start;
+ struct timeval end;
+ struct timeval res;
+
+ gettimeofday(&start, NULL);
+ for (i=0; i<ROWS; i++) {
+ fp = fopen("test_file", "a");
+ fprintf(fp, "Some Text Data\n");
+ fdes = fileno(fp);
+ fsync(fdes);
+ fclose(fp);
+ }
+ gettimeofday(&end, NULL);
+
+ timersub(&end, &start, &res);
+ fprintf(stdout, "time to write %d lines is %ld(msec)\n", ROWS,
+ (res.tv_sec*1000000 + res.tv_usec)/1000);
+
+ return 0;
+}
+
+-------------------
+
+Thanks to Sean.White@APCC.com for tracking down this performance
+regression and providing a test case.
+
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -3042,7 +3042,7 @@ int sync_dirty_buffer(struct buffer_head
+ if (test_clear_buffer_dirty(bh)) {
+ get_bh(bh);
+ bh->b_end_io = end_buffer_write_sync;
+- ret = submit_bh(WRITE_SYNC, bh);
++ ret = submit_bh(WRITE, bh);
+ wait_on_buffer(bh);
+ if (buffer_eopnotsupp(bh)) {
+ clear_buffer_eopnotsupp(bh);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.295259303@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:41 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ivan Vecera <ivecera@redhat.com>,
+ Francois Romieu <romieu@fr.zoreil.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 42/58] r8169: Dont update statistics counters when interface is down
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=r8169-don-t-update-statistics-counters-when-interface-is-down.patch
+Content-Length: 5482
+Lines: 177
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Francois Romieu <romieu@fr.zoreil.com>
+
+Upstream as 355423d0849f4506bc71ab2738d38cb74429aaef (post 2.6.28).
+
+Some Realtek chips (RTL8169sb/8110sb in my case) are unable to retrieve
+ethtool statistics when the interface is down. The process stays in
+endless loop in rtl8169_get_ethtool_stats. This is because these chips
+need to have receiver enabled (CmdRxEnb bit in ChipCmd register) that is
+cleared when the interface is going down. It's better to update statistics
+only when the interface is up and otherwise return copy of statistics
+grabbed when the interface was up (in rtl8169_close).
+
+It is interesting that PCI-E NICs (like 8168b/8111b...) are not affected.
+
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r8169.c | 93 ++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 58 insertions(+), 35 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -375,6 +375,22 @@ enum features {
+ RTL_FEATURE_GMII = (1 << 2),
+ };
+
++struct rtl8169_counters {
++ __le64 tx_packets;
++ __le64 rx_packets;
++ __le64 tx_errors;
++ __le32 rx_errors;
++ __le16 rx_missed;
++ __le16 align_errors;
++ __le32 tx_one_collision;
++ __le32 tx_multi_collision;
++ __le64 rx_unicast;
++ __le64 rx_broadcast;
++ __le32 rx_multicast;
++ __le16 tx_aborted;
++ __le16 tx_underun;
++};
++
+ struct rtl8169_private {
+ void __iomem *mmio_addr; /* memory map physical address */
+ struct pci_dev *pci_dev; /* Index of PCI device */
+@@ -416,6 +432,7 @@ struct rtl8169_private {
+ unsigned features;
+
+ struct mii_if_info mii;
++ struct rtl8169_counters counters;
+ };
+
+ MODULE_AUTHOR("Realtek and the Linux r8169 crew <netdev@vger.kernel.org>");
+@@ -960,22 +977,6 @@ static const char rtl8169_gstrings[][ETH
+ "tx_underrun",
+ };
+
+-struct rtl8169_counters {
+- __le64 tx_packets;
+- __le64 rx_packets;
+- __le64 tx_errors;
+- __le32 rx_errors;
+- __le16 rx_missed;
+- __le16 align_errors;
+- __le32 tx_one_collision;
+- __le32 tx_multi_collision;
+- __le64 rx_unicast;
+- __le64 rx_broadcast;
+- __le32 rx_multicast;
+- __le16 tx_aborted;
+- __le16 tx_underun;
+-};
+-
+ static int rtl8169_get_sset_count(struct net_device *dev, int sset)
+ {
+ switch (sset) {
+@@ -986,16 +987,21 @@ static int rtl8169_get_sset_count(struct
+ }
+ }
+
+-static void rtl8169_get_ethtool_stats(struct net_device *dev,
+- struct ethtool_stats *stats, u64 *data)
++static void rtl8169_update_counters(struct net_device *dev)
+ {
+ struct rtl8169_private *tp = netdev_priv(dev);
+ void __iomem *ioaddr = tp->mmio_addr;
+ struct rtl8169_counters *counters;
+ dma_addr_t paddr;
+ u32 cmd;
++ int wait = 1000;
+
+- ASSERT_RTNL();
++ /*
++ * Some chips are unable to dump tally counters when the receiver
++ * is disabled.
++ */
++ if ((RTL_R8(ChipCmd) & CmdRxEnb) == 0)
++ return;
+
+ counters = pci_alloc_consistent(tp->pci_dev, sizeof(*counters), &paddr);
+ if (!counters)
+@@ -1006,31 +1012,45 @@ static void rtl8169_get_ethtool_stats(st
+ RTL_W32(CounterAddrLow, cmd);
+ RTL_W32(CounterAddrLow, cmd | CounterDump);
+
+- while (RTL_R32(CounterAddrLow) & CounterDump) {
+- if (msleep_interruptible(1))
++ while (wait--) {
++ if ((RTL_R32(CounterAddrLow) & CounterDump) == 0) {
++ /* copy updated counters */
++ memcpy(&tp->counters, counters, sizeof(*counters));
+ break;
++ }
++ udelay(10);
+ }
+
+ RTL_W32(CounterAddrLow, 0);
+ RTL_W32(CounterAddrHigh, 0);
+
+- data[0] = le64_to_cpu(counters->tx_packets);
+- data[1] = le64_to_cpu(counters->rx_packets);
+- data[2] = le64_to_cpu(counters->tx_errors);
+- data[3] = le32_to_cpu(counters->rx_errors);
+- data[4] = le16_to_cpu(counters->rx_missed);
+- data[5] = le16_to_cpu(counters->align_errors);
+- data[6] = le32_to_cpu(counters->tx_one_collision);
+- data[7] = le32_to_cpu(counters->tx_multi_collision);
+- data[8] = le64_to_cpu(counters->rx_unicast);
+- data[9] = le64_to_cpu(counters->rx_broadcast);
+- data[10] = le32_to_cpu(counters->rx_multicast);
+- data[11] = le16_to_cpu(counters->tx_aborted);
+- data[12] = le16_to_cpu(counters->tx_underun);
+-
+ pci_free_consistent(tp->pci_dev, sizeof(*counters), counters, paddr);
+ }
+
++static void rtl8169_get_ethtool_stats(struct net_device *dev,
++ struct ethtool_stats *stats, u64 *data)
++{
++ struct rtl8169_private *tp = netdev_priv(dev);
++
++ ASSERT_RTNL();
++
++ rtl8169_update_counters(dev);
++
++ data[0] = le64_to_cpu(tp->counters.tx_packets);
++ data[1] = le64_to_cpu(tp->counters.rx_packets);
++ data[2] = le64_to_cpu(tp->counters.tx_errors);
++ data[3] = le32_to_cpu(tp->counters.rx_errors);
++ data[4] = le16_to_cpu(tp->counters.rx_missed);
++ data[5] = le16_to_cpu(tp->counters.align_errors);
++ data[6] = le32_to_cpu(tp->counters.tx_one_collision);
++ data[7] = le32_to_cpu(tp->counters.tx_multi_collision);
++ data[8] = le64_to_cpu(tp->counters.rx_unicast);
++ data[9] = le64_to_cpu(tp->counters.rx_broadcast);
++ data[10] = le32_to_cpu(tp->counters.rx_multicast);
++ data[11] = le16_to_cpu(tp->counters.tx_aborted);
++ data[12] = le16_to_cpu(tp->counters.tx_underun);
++}
++
+ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ switch(stringset) {
+@@ -2979,6 +2999,9 @@ static int rtl8169_close(struct net_devi
+ struct rtl8169_private *tp = netdev_priv(dev);
+ struct pci_dev *pdev = tp->pci_dev;
+
++ /* update counters before going down */
++ rtl8169_update_counters(dev);
++
+ rtl8169_down(dev);
+
+ free_irq(dev->irq, dev);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.451364200@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:42 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Francois Romieu <romieu@fr.zoreil.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 43/58] r8169: use hardware auto-padding.
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=r8169-use-hardware-auto-padding.patch
+Content-Length: 961
+Lines: 40
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Francois Romieu <romieu@fr.zoreil.com>
+
+Upstream as 97d477a914b146e7e6722ded21afa79886ae8ccd (post 2.6.28).
+
+It shortens the code and fixes the current pci_unmap leak with
+padded skb reported by Dave Jones.
+
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r8169.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -2549,13 +2549,6 @@ static int rtl8169_start_xmit(struct sk_
+ opts1 |= FirstFrag;
+ } else {
+ len = skb->len;
+-
+- if (unlikely(len < ETH_ZLEN)) {
+- if (skb_padto(skb, ETH_ZLEN))
+- goto err_update_stats;
+- len = ETH_ZLEN;
+- }
+-
+ opts1 |= FirstFrag | LastFrag;
+ tp->tx_skb[entry].skb = skb;
+ }
+@@ -2593,7 +2586,6 @@ out:
+ err_stop:
+ netif_stop_queue(dev);
+ ret = NETDEV_TX_BUSY;
+-err_update_stats:
+ dev->stats.tx_dropped++;
+ goto out;
+ }
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.573174522@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:43 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Karsten Wiese <fzu@wemgehoertderstaat.de>,
+ Francois Romieu <romieu@fr.zoreil.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 44/58] r8169: reset IntrStatus after chip reset
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=r8169-reset-intrstatus-after-chip-reset.patch
+Content-Length: 1652
+Lines: 50
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Francois Romieu <romieu@fr.zoreil.com>
+
+Upstream as d78ad8cbfe73ad568de38814a75e9c92ad0a907c (post 2.6.29).
+
+Original comment (Karsten):
+On a MSI MS-6702E mainboard, when in rtl8169_init_one() for the first time
+after BIOS has run, IntrStatus reads 5 after chip has been reset.
+IntrStatus should equal 0 there, so patch changes IntrStatus reset to happen
+after chip reset instead of before.
+
+Remark (Francois):
+Assuming that the loglevel of the driver is increased above NETIF_MSG_INTR,
+the bug reveals itself with a typical "interrupt 0025 in poll" message
+at startup. In retrospect, the message should had been read as an hint of
+an unexpected hardware state several months ago :o(
+
+Fixes (at least part of) https://bugzilla.redhat.com/show_bug.cgi?id=460747
+
+Signed-off-by: Karsten Wiese <fzu@wemgehoertderstaat.de>
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Tested-by: Josep <josep.puigdemont@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/r8169.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -1687,8 +1687,7 @@ rtl8169_init_one(struct pci_dev *pdev, c
+ goto err_out_free_res_4;
+ }
+
+- /* Unneeded ? Don't mess with Mrs. Murphy. */
+- rtl8169_irq_mask_and_ack(ioaddr);
++ RTL_W16(IntrMask, 0x0000);
+
+ /* Soft reset the chip. */
+ RTL_W8(ChipCmd, CmdReset);
+@@ -1700,6 +1699,8 @@ rtl8169_init_one(struct pci_dev *pdev, c
+ msleep_interruptible(1);
+ }
+
++ RTL_W16(IntrStatus, 0xffff);
++
+ /* Identify chip attached to board */
+ rtl8169_get_mac_version(tp, ioaddr);
+
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.694765675@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:44 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Johannes Weiner <hannes@cmpxchg.org>,
+ Nick Piggin <nickpiggin@yahoo.com.au>,
+ Hugh Dickins <hugh@veritas.com>
+Subject: [patch 45/58] mm: check for no mmaps in exit_mmap()
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=mm-check-for-no-mmaps-in-exit_mmap.patch
+Content-Length: 1194
+Lines: 39
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit dcd4a049b9751828c516c59709f3fdf50436df85 upstream.
+
+When dup_mmap() ooms we can end up with mm->mmap == NULL. The error
+path does mmput() and unmap_vmas() gets a NULL vma which it
+dereferences.
+
+In exit_mmap() there is nothing to do at all for this case, we can
+cancel the callpath right there.
+
+[akpm@linux-foundation.org: add sorely-needed comment]
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reported-by: Akinobu Mita <akinobu.mita@gmail.com>
+Cc: Nick Piggin <nickpiggin@yahoo.com.au>
+Cc: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reported-by: Kir Kolyshkin <kir@openvz.org>
+Tested-by: Kir Kolyshkin <kir@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2068,6 +2068,9 @@ void exit_mmap(struct mm_struct *mm)
+ arch_exit_mmap(mm);
+ mmu_notifier_release(mm);
+
++ if (!mm->mmap) /* Can happen if dup_mmap() received an OOM */
++ return;
++
+ lru_add_drain();
+ flush_cache_mm(mm);
+ tlb = tlb_gather_mmu(mm, 1);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:29 2009
+Message-Id: <20090429220929.842695986@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:45 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ benh@kernel.crashing.org,
+ Josh Boyer <jwboyer@linux.vnet.ibm.com>
+Subject: [patch 46/58] powerpc: Sanitize stack pointer in signal handling code
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=powerpc-sanitize-stack-pointer-in-signal-handling-code.patch
+Content-Length: 3876
+Lines: 118
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Josh Boyer <jwboyer@linux.vnet.ibm.com>
+
+This has been backported to 2.6.27.x from commit efbda86098 in Linus' tree.
+
+On powerpc64 machines running 32-bit userspace, we can get garbage bits in the
+stack pointer passed into the kernel. Most places handle this correctly, but
+the signal handling code uses the passed value directly for allocating signal
+stack frames.
+
+This fixes the issue by introducing a get_clean_sp function that returns a
+sanitized stack pointer. For 32-bit tasks on a 64-bit kernel, the stack
+pointer is masked correctly. In all other cases, the stack pointer is simply
+returned.
+
+Additionally, we pass an 'is_32' parameter to get_sigframe now in order to
+get the properly sanitized stack. The callers are know to be 32 or 64-bit
+statically.
+
+Signed-off-by: Josh Boyer <jwboyer@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/include/asm/processor.h | 19 +++++++++++++++++++
+ arch/powerpc/kernel/signal.c | 4 ++--
+ arch/powerpc/kernel/signal.h | 2 +-
+ arch/powerpc/kernel/signal_32.c | 4 ++--
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ 5 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/processor.h
++++ b/arch/powerpc/include/asm/processor.h
+@@ -309,6 +309,25 @@ static inline void prefetchw(const void
+ #define HAVE_ARCH_PICK_MMAP_LAYOUT
+ #endif
+
++#ifdef CONFIG_PPC64
++static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
++{
++ unsigned long sp;
++
++ if (is_32)
++ sp = regs->gpr[1] & 0x0ffffffffUL;
++ else
++ sp = regs->gpr[1];
++
++ return sp;
++}
++#else
++static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
++{
++ return regs->gpr[1];
++}
++#endif
++
+ #endif /* __KERNEL__ */
+ #endif /* __ASSEMBLY__ */
+ #endif /* _ASM_POWERPC_PROCESSOR_H */
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -836,7 +836,7 @@ int handle_rt_signal32(unsigned long sig
+
+ /* Set up Signal Frame */
+ /* Put a Real Time Context onto stack */
+- rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf));
++ rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1);
+ addr = rt_sf;
+ if (unlikely(rt_sf == NULL))
+ goto badframe;
+@@ -1170,7 +1170,7 @@ int handle_signal32(unsigned long sig, s
+ unsigned long newsp = 0;
+
+ /* Set up Signal Frame */
+- frame = get_sigframe(ka, regs, sizeof(*frame));
++ frame = get_sigframe(ka, regs, sizeof(*frame), 1);
+ if (unlikely(frame == NULL))
+ goto badframe;
+ sc = (struct sigcontext __user *) &frame->sctx;
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -404,7 +404,7 @@ int handle_rt_signal64(int signr, struct
+ unsigned long newsp = 0;
+ long err = 0;
+
+- frame = get_sigframe(ka, regs, sizeof(*frame));
++ frame = get_sigframe(ka, regs, sizeof(*frame), 0);
+ if (unlikely(frame == NULL))
+ goto badframe;
+
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -26,12 +26,12 @@ int show_unhandled_signals = 0;
+ * Allocate space for the signal frame
+ */
+ void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
+- size_t frame_size)
++ size_t frame_size, int is_32)
+ {
+ unsigned long oldsp, newsp;
+
+ /* Default to using normal stack */
+- oldsp = regs->gpr[1];
++ oldsp = get_clean_sp(regs, is_32);
+
+ /* Check for alt stack */
+ if ((ka->sa.sa_flags & SA_ONSTACK) &&
+--- a/arch/powerpc/kernel/signal.h
++++ b/arch/powerpc/kernel/signal.h
+@@ -13,7 +13,7 @@
+ #define _BLOCKABLE (~(sigmask(SIGKILL) | sigmask(SIGSTOP)))
+
+ extern void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
+- size_t frame_size);
++ size_t frame_size, int is_32);
+ extern void restore_sigmask(sigset_t *set);
+
+ extern int handle_signal32(unsigned long sig, struct k_sigaction *ka,
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220929.995031553@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:46 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "Luis R. Rodriguez" <lrodriguez@atheros.com>,
+ ath9k-devel@venema.h4ckr.net,
+ linux-wireless@vger.kernel.org
+Subject: [patch 47/58] ath9k: implement IO serialization
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=ath9k-implement-io-serialization.patch
+Content-Length: 4390
+Lines: 123
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+This is a port of:
+commit SHA1 6158425be398936af1fd04451f78ffad01529cb0
+for 2.6.27
+
+All 802.11n PCI devices (Cardbus, PCI, mini-PCI) require
+serialization of IO when on non-uniprocessor systems. PCI
+express devices not not require this.
+
+This should fix our only last standing open ath9k kernel.org
+bugzilla bug report:
+
+http://bugzilla.kernel.org/show_bug.cgi?id=12110
+
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/ath9k/ath9k.h | 4 ++--
+ drivers/net/wireless/ath9k/core.c | 1 +
+ drivers/net/wireless/ath9k/core.h | 33 +++++++++++++++++++++++++++++++++
+ drivers/net/wireless/ath9k/hw.c | 19 +++++++++++++++++++
+ 4 files changed, 55 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath9k/ath9k.h
++++ b/drivers/net/wireless/ath9k/ath9k.h
+@@ -591,8 +591,8 @@ struct ath9k_country_entry {
+ u8 iso[3];
+ };
+
+-#define REG_WRITE(_ah, _reg, _val) iowrite32(_val, _ah->ah_sh + _reg)
+-#define REG_READ(_ah, _reg) ioread32(_ah->ah_sh + _reg)
++#define REG_WRITE(_ah, _reg, _val) ath9k_iowrite32((_ah), (_reg), (_val))
++#define REG_READ(_ah, _reg) ath9k_ioread32((_ah), (_reg))
+
+ #define SM(_v, _f) (((_v) << _f##_S) & _f)
+ #define MS(_v, _f) (((_v) & _f) >> _f##_S)
+--- a/drivers/net/wireless/ath9k/core.c
++++ b/drivers/net/wireless/ath9k/core.c
+@@ -1120,6 +1120,7 @@ int ath_init(u16 devid, struct ath_softc
+ sc->sc_cachelsz = csz << 2; /* convert to bytes */
+
+ spin_lock_init(&sc->sc_resetlock);
++ spin_lock_init(&sc->sc_serial_rw);
+
+ ah = ath9k_hw_attach(devid, sc, sc->mem, &status);
+ if (ah == NULL) {
+--- a/drivers/net/wireless/ath9k/core.h
++++ b/drivers/net/wireless/ath9k/core.h
+@@ -1022,6 +1022,7 @@ struct ath_softc {
+ spinlock_t sc_rxbuflock;
+ spinlock_t sc_txbuflock;
+ spinlock_t sc_resetlock;
++ spinlock_t sc_serial_rw;
+ spinlock_t node_lock;
+ };
+
+@@ -1069,4 +1070,36 @@ void ath_skb_unmap_single(struct ath_sof
+ void ath_mcast_merge(struct ath_softc *sc, u32 mfilt[2]);
+ enum ath9k_ht_macmode ath_cwm_macmode(struct ath_softc *sc);
+
++/*
++ * Read and write, they both share the same lock. We do this to serialize
++ * reads and writes on Atheros 802.11n PCI devices only. This is required
++ * as the FIFO on these devices can only accept sanely 2 requests. After
++ * that the device goes bananas. Serializing the reads/writes prevents this
++ * from happening.
++ */
++
++static inline void ath9k_iowrite32(struct ath_hal *ah, u32 reg_offset, u32 val)
++{
++ if (ah->ah_config.serialize_regmode == SER_REG_MODE_ON) {
++ unsigned long flags;
++ spin_lock_irqsave(&ah->ah_sc->sc_serial_rw, flags);
++ iowrite32(val, ah->ah_sc->mem + reg_offset);
++ spin_unlock_irqrestore(&ah->ah_sc->sc_serial_rw, flags);
++ } else
++ iowrite32(val, ah->ah_sc->mem + reg_offset);
++}
++
++static inline unsigned int ath9k_ioread32(struct ath_hal *ah, u32 reg_offset)
++{
++ u32 val;
++ if (ah->ah_config.serialize_regmode == SER_REG_MODE_ON) {
++ unsigned long flags;
++ spin_lock_irqsave(&ah->ah_sc->sc_serial_rw, flags);
++ val = ioread32(ah->ah_sc->mem + reg_offset);
++ spin_unlock_irqrestore(&ah->ah_sc->sc_serial_rw, flags);
++ } else
++ val = ioread32(ah->ah_sc->mem + reg_offset);
++ return val;
++}
++
+ #endif /* CORE_H */
+--- a/drivers/net/wireless/ath9k/hw.c
++++ b/drivers/net/wireless/ath9k/hw.c
+@@ -369,6 +369,25 @@ static void ath9k_hw_set_defaults(struct
+ }
+
+ ah->ah_config.intr_mitigation = 0;
++
++ /*
++ * We need this for PCI devices only (Cardbus, PCI, miniPCI)
++ * _and_ if on non-uniprocessor systems (Multiprocessor/HT).
++ * This means we use it for all AR5416 devices, and the few
++ * minor PCI AR9280 devices out there.
++ *
++ * Serialization is required because these devices do not handle
++ * well the case of two concurrent reads/writes due to the latency
++ * involved. During one read/write another read/write can be issued
++ * on another CPU while the previous read/write may still be working
++ * on our hardware, if we hit this case the hardware poops in a loop.
++ * We prevent this by serializing reads and writes.
++ *
++ * This issue is not present on PCI-Express devices or pre-AR5416
++ * devices (legacy, 802.11abg).
++ */
++ if (num_possible_cpus() > 1)
++ ah->ah_config.serialize_regmode = SER_REG_MODE_AUTO;
+ }
+
+ static inline void ath9k_hw_override_ini(struct ath_hal *ah,
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220930.126527883@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:47 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "Luis R. Rodriguez" <lrodriguez@atheros.com>,
+ ath9k-devel@venema.h4ckr.net,
+ linux-wireless@vger.kernel.org
+Subject: [patch 48/58] ath9k: AR9280 PCI devices must serialize IO as well
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=ath9k-ar9280-pci-devices-must-serialize-io-as-well.patch
+Content-Length: 785
+Lines: 25
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+This is a port of:
+commit SHA1 5ec905a8df3fa877566ba98298433fbfb3d688cc
+for 2.6.27
+
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/ath9k/hw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath9k/hw.c
++++ b/drivers/net/wireless/ath9k/hw.c
+@@ -3313,7 +3313,8 @@ static struct ath_hal *ath9k_hw_do_attac
+ }
+
+ if (ah->ah_config.serialize_regmode == SER_REG_MODE_AUTO) {
+- if (ah->ah_macVersion == AR_SREV_VERSION_5416_PCI) {
++ if (ah->ah_macVersion == AR_SREV_VERSION_5416_PCI ||
++ (AR_SREV_9280(ah) && !ah->ah_isPciExpress)) {
+ ah->ah_config.serialize_regmode =
+ SER_REG_MODE_ON;
+ } else {
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220930.269909506@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:48 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Michael Buesch <mb@bu3sch.de>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 49/58] b44: Use kernel DMA addresses for the kernel DMA API
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=b44-use-kernel-dma-addresses-for-the-kernel-dma-api.patch
+Content-Length: 932
+Lines: 30
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Michael Buesch <mb@bu3sch.de>
+
+commit 37efa239901493694a48f1d6f59f8de17c2c4509 upstream.
+
+We must not use the device DMA addresses for the kernel DMA API, because
+device DMA addresses have an additional offset added for the SSB translation.
+
+Use the original dma_addr_t for the sync operation.
+
+Cc: stable@kernel.org
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/b44.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/b44.c
++++ b/drivers/net/b44.c
+@@ -750,7 +750,7 @@ static void b44_recycle_rx(struct b44 *b
+ dest_idx * sizeof(dest_desc),
+ DMA_BIDIRECTIONAL);
+
+- ssb_dma_sync_single_for_device(bp->sdev, le32_to_cpu(src_desc->addr),
++ ssb_dma_sync_single_for_device(bp->sdev, dest_map->mapping,
+ RX_PKT_BUF_SZ,
+ DMA_FROM_DEVICE);
+ }
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220930.399148414@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:49 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Christian Hohnstaedt <chohnstaedt@innominate.com>,
+ Herbert Xu <herbert@gondor.apana.org.au>
+Subject: [patch 50/58] crypto: ixp4xx - Fix handling of chained sg buffers
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=crypto-ixp4xx-fix-handling-of-chained-sg-buffers.patch
+Content-Length: 12134
+Lines: 386
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Christian Hohnstaedt <chohnstaedt@innominate.com>
+
+commit 0d44dc59b2b434b29aafeae581d06f81efac7c83 upstream.
+
+ - keep dma functions away from chained scatterlists.
+ Use the existing scatterlist iteration inside the driver
+ to call dma_map_single() for each chunk and avoid dma_map_sg().
+
+Signed-off-by: Christian Hohnstaedt <chohnstaedt@innominate.com>
+Tested-By: Karl Hiramoto <karl@hiramoto.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/crypto/ixp4xx_crypto.c | 184 ++++++++++++++---------------------------
+ 1 file changed, 64 insertions(+), 120 deletions(-)
+
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -101,6 +101,7 @@ struct buffer_desc {
+ u32 phys_addr;
+ u32 __reserved[4];
+ struct buffer_desc *next;
++ enum dma_data_direction dir;
+ };
+
+ struct crypt_ctl {
+@@ -132,14 +133,10 @@ struct crypt_ctl {
+ struct ablk_ctx {
+ struct buffer_desc *src;
+ struct buffer_desc *dst;
+- unsigned src_nents;
+- unsigned dst_nents;
+ };
+
+ struct aead_ctx {
+ struct buffer_desc *buffer;
+- unsigned short assoc_nents;
+- unsigned short src_nents;
+ struct scatterlist ivlist;
+ /* used when the hmac is not on one sg entry */
+ u8 *hmac_virt;
+@@ -312,7 +309,7 @@ static struct crypt_ctl *get_crypt_desc_
+ }
+ }
+
+-static void free_buf_chain(struct buffer_desc *buf, u32 phys)
++static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys)
+ {
+ while (buf) {
+ struct buffer_desc *buf1;
+@@ -320,6 +317,7 @@ static void free_buf_chain(struct buffer
+
+ buf1 = buf->next;
+ phys1 = buf->phys_next;
++ dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir);
+ dma_pool_free(buffer_pool, buf, phys);
+ buf = buf1;
+ phys = phys1;
+@@ -348,7 +346,6 @@ static void one_packet(dma_addr_t phys)
+ struct crypt_ctl *crypt;
+ struct ixp_ctx *ctx;
+ int failed;
+- enum dma_data_direction src_direction = DMA_BIDIRECTIONAL;
+
+ failed = phys & 0x1 ? -EBADMSG : 0;
+ phys &= ~0x3;
+@@ -358,13 +355,8 @@ static void one_packet(dma_addr_t phys)
+ case CTL_FLAG_PERFORM_AEAD: {
+ struct aead_request *req = crypt->data.aead_req;
+ struct aead_ctx *req_ctx = aead_request_ctx(req);
+- dma_unmap_sg(dev, req->assoc, req_ctx->assoc_nents,
+- DMA_TO_DEVICE);
+- dma_unmap_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL);
+- dma_unmap_sg(dev, req->src, req_ctx->src_nents,
+- DMA_BIDIRECTIONAL);
+
+- free_buf_chain(req_ctx->buffer, crypt->src_buf);
++ free_buf_chain(dev, req_ctx->buffer, crypt->src_buf);
+ if (req_ctx->hmac_virt) {
+ finish_scattered_hmac(crypt);
+ }
+@@ -374,16 +366,11 @@ static void one_packet(dma_addr_t phys)
+ case CTL_FLAG_PERFORM_ABLK: {
+ struct ablkcipher_request *req = crypt->data.ablk_req;
+ struct ablk_ctx *req_ctx = ablkcipher_request_ctx(req);
+- int nents;
++
+ if (req_ctx->dst) {
+- nents = req_ctx->dst_nents;
+- dma_unmap_sg(dev, req->dst, nents, DMA_FROM_DEVICE);
+- free_buf_chain(req_ctx->dst, crypt->dst_buf);
+- src_direction = DMA_TO_DEVICE;
+- }
+- nents = req_ctx->src_nents;
+- dma_unmap_sg(dev, req->src, nents, src_direction);
+- free_buf_chain(req_ctx->src, crypt->src_buf);
++ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
++ }
++ free_buf_chain(dev, req_ctx->src, crypt->src_buf);
+ req->base.complete(&req->base, failed);
+ break;
+ }
+@@ -748,56 +735,35 @@ static int setup_cipher(struct crypto_tf
+ return 0;
+ }
+
+-static int count_sg(struct scatterlist *sg, int nbytes)
+-{
+- int i;
+- for (i = 0; nbytes > 0; i++, sg = sg_next(sg))
+- nbytes -= sg->length;
+- return i;
+-}
+-
+-static struct buffer_desc *chainup_buffers(struct scatterlist *sg,
+- unsigned nbytes, struct buffer_desc *buf, gfp_t flags)
++static struct buffer_desc *chainup_buffers(struct device *dev,
++ struct scatterlist *sg, unsigned nbytes,
++ struct buffer_desc *buf, gfp_t flags,
++ enum dma_data_direction dir)
+ {
+- int nents = 0;
+-
+- while (nbytes > 0) {
++ for (;nbytes > 0; sg = scatterwalk_sg_next(sg)) {
++ unsigned len = min(nbytes, sg->length);
+ struct buffer_desc *next_buf;
+ u32 next_buf_phys;
+- unsigned len = min(nbytes, sg_dma_len(sg));
++ void *ptr;
+
+- nents++;
+ nbytes -= len;
+- if (!buf->phys_addr) {
+- buf->phys_addr = sg_dma_address(sg);
+- buf->buf_len = len;
+- buf->next = NULL;
+- buf->phys_next = 0;
+- goto next;
+- }
+- /* Two consecutive chunks on one page may be handled by the old
+- * buffer descriptor, increased by the length of the new one
+- */
+- if (sg_dma_address(sg) == buf->phys_addr + buf->buf_len) {
+- buf->buf_len += len;
+- goto next;
+- }
++ ptr = page_address(sg_page(sg)) + sg->offset;
+ next_buf = dma_pool_alloc(buffer_pool, flags, &next_buf_phys);
+- if (!next_buf)
+- return NULL;
++ if (!next_buf) {
++ buf = NULL;
++ break;
++ }
++ sg_dma_address(sg) = dma_map_single(dev, ptr, len, dir);
+ buf->next = next_buf;
+ buf->phys_next = next_buf_phys;
+-
+ buf = next_buf;
+- buf->next = NULL;
+- buf->phys_next = 0;
++
+ buf->phys_addr = sg_dma_address(sg);
+ buf->buf_len = len;
+-next:
+- if (nbytes > 0) {
+- sg = sg_next(sg);
+- }
++ buf->dir = dir;
+ }
++ buf->next = NULL;
++ buf->phys_next = 0;
+ return buf;
+ }
+
+@@ -858,12 +824,12 @@ static int ablk_perform(struct ablkciphe
+ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
+ struct ixp_ctx *ctx = crypto_ablkcipher_ctx(tfm);
+ unsigned ivsize = crypto_ablkcipher_ivsize(tfm);
+- int ret = -ENOMEM;
+ struct ix_sa_dir *dir;
+ struct crypt_ctl *crypt;
+- unsigned int nbytes = req->nbytes, nents;
++ unsigned int nbytes = req->nbytes;
+ enum dma_data_direction src_direction = DMA_BIDIRECTIONAL;
+ struct ablk_ctx *req_ctx = ablkcipher_request_ctx(req);
++ struct buffer_desc src_hook;
+ gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
+ GFP_KERNEL : GFP_ATOMIC;
+
+@@ -876,7 +842,7 @@ static int ablk_perform(struct ablkciphe
+
+ crypt = get_crypt_desc();
+ if (!crypt)
+- return ret;
++ return -ENOMEM;
+
+ crypt->data.ablk_req = req;
+ crypt->crypto_ctx = dir->npe_ctx_phys;
+@@ -889,53 +855,41 @@ static int ablk_perform(struct ablkciphe
+ BUG_ON(ivsize && !req->info);
+ memcpy(crypt->iv, req->info, ivsize);
+ if (req->src != req->dst) {
++ struct buffer_desc dst_hook;
+ crypt->mode |= NPE_OP_NOT_IN_PLACE;
+- nents = count_sg(req->dst, nbytes);
+ /* This was never tested by Intel
+ * for more than one dst buffer, I think. */
+- BUG_ON(nents != 1);
+- req_ctx->dst_nents = nents;
+- dma_map_sg(dev, req->dst, nents, DMA_FROM_DEVICE);
+- req_ctx->dst = dma_pool_alloc(buffer_pool, flags,&crypt->dst_buf);
+- if (!req_ctx->dst)
+- goto unmap_sg_dest;
+- req_ctx->dst->phys_addr = 0;
+- if (!chainup_buffers(req->dst, nbytes, req_ctx->dst, flags))
++ BUG_ON(req->dst->length < nbytes);
++ req_ctx->dst = NULL;
++ if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook,
++ flags, DMA_FROM_DEVICE))
+ goto free_buf_dest;
+ src_direction = DMA_TO_DEVICE;
++ req_ctx->dst = dst_hook.next;
++ crypt->dst_buf = dst_hook.phys_next;
+ } else {
+ req_ctx->dst = NULL;
+- req_ctx->dst_nents = 0;
+ }
+- nents = count_sg(req->src, nbytes);
+- req_ctx->src_nents = nents;
+- dma_map_sg(dev, req->src, nents, src_direction);
+-
+- req_ctx->src = dma_pool_alloc(buffer_pool, flags, &crypt->src_buf);
+- if (!req_ctx->src)
+- goto unmap_sg_src;
+- req_ctx->src->phys_addr = 0;
+- if (!chainup_buffers(req->src, nbytes, req_ctx->src, flags))
++ req_ctx->src = NULL;
++ if (!chainup_buffers(dev, req->src, nbytes, &src_hook,
++ flags, src_direction))
+ goto free_buf_src;
+
++ req_ctx->src = src_hook.next;
++ crypt->src_buf = src_hook.phys_next;
+ crypt->ctl_flags |= CTL_FLAG_PERFORM_ABLK;
+ qmgr_put_entry(SEND_QID, crypt_virt2phys(crypt));
+ BUG_ON(qmgr_stat_overflow(SEND_QID));
+ return -EINPROGRESS;
+
+ free_buf_src:
+- free_buf_chain(req_ctx->src, crypt->src_buf);
+-unmap_sg_src:
+- dma_unmap_sg(dev, req->src, req_ctx->src_nents, src_direction);
++ free_buf_chain(dev, req_ctx->src, crypt->src_buf);
+ free_buf_dest:
+ if (req->src != req->dst) {
+- free_buf_chain(req_ctx->dst, crypt->dst_buf);
+-unmap_sg_dest:
+- dma_unmap_sg(dev, req->src, req_ctx->dst_nents,
+- DMA_FROM_DEVICE);
++ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
+ }
+ crypt->ctl_flags = CTL_FLAG_UNUSED;
+- return ret;
++ return -ENOMEM;
+ }
+
+ static int ablk_encrypt(struct ablkcipher_request *req)
+@@ -983,7 +937,7 @@ static int hmac_inconsistent(struct scat
+ break;
+
+ offset += sg->length;
+- sg = sg_next(sg);
++ sg = scatterwalk_sg_next(sg);
+ }
+ return (start + nbytes > offset + sg->length);
+ }
+@@ -995,11 +949,10 @@ static int aead_perform(struct aead_requ
+ struct ixp_ctx *ctx = crypto_aead_ctx(tfm);
+ unsigned ivsize = crypto_aead_ivsize(tfm);
+ unsigned authsize = crypto_aead_authsize(tfm);
+- int ret = -ENOMEM;
+ struct ix_sa_dir *dir;
+ struct crypt_ctl *crypt;
+- unsigned int cryptlen, nents;
+- struct buffer_desc *buf;
++ unsigned int cryptlen;
++ struct buffer_desc *buf, src_hook;
+ struct aead_ctx *req_ctx = aead_request_ctx(req);
+ gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
+ GFP_KERNEL : GFP_ATOMIC;
+@@ -1020,7 +973,7 @@ static int aead_perform(struct aead_requ
+ }
+ crypt = get_crypt_desc();
+ if (!crypt)
+- return ret;
++ return -ENOMEM;
+
+ crypt->data.aead_req = req;
+ crypt->crypto_ctx = dir->npe_ctx_phys;
+@@ -1039,31 +992,27 @@ static int aead_perform(struct aead_requ
+ BUG(); /* -ENOTSUP because of my lazyness */
+ }
+
+- req_ctx->buffer = dma_pool_alloc(buffer_pool, flags, &crypt->src_buf);
+- if (!req_ctx->buffer)
+- goto out;
+- req_ctx->buffer->phys_addr = 0;
+ /* ASSOC data */
+- nents = count_sg(req->assoc, req->assoclen);
+- req_ctx->assoc_nents = nents;
+- dma_map_sg(dev, req->assoc, nents, DMA_TO_DEVICE);
+- buf = chainup_buffers(req->assoc, req->assoclen, req_ctx->buffer,flags);
++ buf = chainup_buffers(dev, req->assoc, req->assoclen, &src_hook,
++ flags, DMA_TO_DEVICE);
++ req_ctx->buffer = src_hook.next;
++ crypt->src_buf = src_hook.phys_next;
+ if (!buf)
+- goto unmap_sg_assoc;
++ goto out;
+ /* IV */
+ sg_init_table(&req_ctx->ivlist, 1);
+ sg_set_buf(&req_ctx->ivlist, iv, ivsize);
+- dma_map_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL);
+- buf = chainup_buffers(&req_ctx->ivlist, ivsize, buf, flags);
++ buf = chainup_buffers(dev, &req_ctx->ivlist, ivsize, buf, flags,
++ DMA_BIDIRECTIONAL);
+ if (!buf)
+- goto unmap_sg_iv;
++ goto free_chain;
+ if (unlikely(hmac_inconsistent(req->src, cryptlen, authsize))) {
+ /* The 12 hmac bytes are scattered,
+ * we need to copy them into a safe buffer */
+ req_ctx->hmac_virt = dma_pool_alloc(buffer_pool, flags,
+ &crypt->icv_rev_aes);
+ if (unlikely(!req_ctx->hmac_virt))
+- goto unmap_sg_iv;
++ goto free_chain;
+ if (!encrypt) {
+ scatterwalk_map_and_copy(req_ctx->hmac_virt,
+ req->src, cryptlen, authsize, 0);
+@@ -1073,33 +1022,28 @@ static int aead_perform(struct aead_requ
+ req_ctx->hmac_virt = NULL;
+ }
+ /* Crypt */
+- nents = count_sg(req->src, cryptlen + authsize);
+- req_ctx->src_nents = nents;
+- dma_map_sg(dev, req->src, nents, DMA_BIDIRECTIONAL);
+- buf = chainup_buffers(req->src, cryptlen + authsize, buf, flags);
++ buf = chainup_buffers(dev, req->src, cryptlen + authsize, buf, flags,
++ DMA_BIDIRECTIONAL);
+ if (!buf)
+- goto unmap_sg_src;
++ goto free_hmac_virt;
+ if (!req_ctx->hmac_virt) {
+ crypt->icv_rev_aes = buf->phys_addr + buf->buf_len - authsize;
+ }
++
+ crypt->ctl_flags |= CTL_FLAG_PERFORM_AEAD;
+ qmgr_put_entry(SEND_QID, crypt_virt2phys(crypt));
+ BUG_ON(qmgr_stat_overflow(SEND_QID));
+ return -EINPROGRESS;
+-unmap_sg_src:
+- dma_unmap_sg(dev, req->src, req_ctx->src_nents, DMA_BIDIRECTIONAL);
++free_hmac_virt:
+ if (req_ctx->hmac_virt) {
+ dma_pool_free(buffer_pool, req_ctx->hmac_virt,
+ crypt->icv_rev_aes);
+ }
+-unmap_sg_iv:
+- dma_unmap_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL);
+-unmap_sg_assoc:
+- dma_unmap_sg(dev, req->assoc, req_ctx->assoc_nents, DMA_TO_DEVICE);
+- free_buf_chain(req_ctx->buffer, crypt->src_buf);
++free_chain:
++ free_buf_chain(dev, req_ctx->buffer, crypt->src_buf);
+ out:
+ crypt->ctl_flags = CTL_FLAG_UNUSED;
+- return ret;
++ return -ENOMEM;
+ }
+
+ static int aead_setup(struct crypto_aead *tfm, unsigned int authsize)
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220930.548659812@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:50 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oleg Nesterov <oleg@redhat.com>,
+ Serge Hallyn <serue@us.ibm.com>,
+ Roland McGrath <roland@redhat.com>
+Subject: [patch 51/58] exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=exit_notify-kill-the-wrong-capable-check.patch
+Content-Length: 1090
+Lines: 34
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+CVE-2009-1337
+
+commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream.
+
+The CAP_KILL check in exit_notify() looks just wrong, kill it.
+
+Whatever logic we have to reset ->exit_signal, the malicious user
+can bypass it if it execs the setuid application before exiting.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Serge Hallyn <serue@us.ibm.com>
+Acked-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/exit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -938,8 +938,7 @@ static void exit_notify(struct task_stru
+ */
+ if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
+ (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
+- tsk->self_exec_id != tsk->parent_exec_id) &&
+- !capable(CAP_KILL))
++ tsk->self_exec_id != tsk->parent_exec_id))
+ tsk->exit_signal = SIGCHLD;
+
+ signal = tracehook_notify_death(tsk, &cookie, group_dead);
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220930.695005091@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:51 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Miklos Szeredi <mszeredi@suse.cz>
+Subject: [patch 52/58] fix ptrace slowness
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=fix-ptrace-slowness.patch
+Content-Length: 1729
+Lines: 59
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit 53da1d9456fe7f87a920a78fdbdcf1225d197cb7 upstream.
+
+This patch fixes bug #12208:
+
+ Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=12208
+ Subject : uml is very slow on 2.6.28 host
+
+This turned out to be not a scheduler regression, but an already
+existing problem in ptrace being triggered by subtle scheduler
+changes.
+
+The problem is this:
+
+ - task A is ptracing task B
+ - task B stops on a trace event
+ - task A is woken up and preempts task B
+ - task A calls ptrace on task B, which does ptrace_check_attach()
+ - this calls wait_task_inactive(), which sees that task B is still on the runq
+ - task A goes to sleep for a jiffy
+ - ...
+
+Since UML does lots of the above sequences, those jiffies quickly add
+up to make it slow as hell.
+
+This patch solves this by not rescheduling in read_unlock() after
+ptrace_stop() has woken up the tracer.
+
+Thanks to Oleg Nesterov and Ingo Molnar for the feedback.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+CC: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/signal.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1549,7 +1549,15 @@ static void ptrace_stop(int exit_code, i
+ read_lock(&tasklist_lock);
+ if (may_ptrace_stop()) {
+ do_notify_parent_cldstop(current, CLD_TRAPPED);
++ /*
++ * Don't want to allow preemption here, because
++ * sys_ptrace() needs this task to be inactive.
++ *
++ * XXX: implement read_unlock_no_resched().
++ */
++ preempt_disable();
+ read_unlock(&tasklist_lock);
++ preempt_enable_no_resched();
+ schedule();
+ } else {
+ /*
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:30 2009
+Message-Id: <20090429220930.850358132@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:52 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Chris Wright <chrisw@sous-sol.org>
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Hugh Dickins <hugh@veritas.com>
+Subject: [patch 53/58] fs core fixes
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=fs-core-fixes.patch
+Content-Length: 5107
+Lines: 203
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Hugh Dickins <hugh@veritas.com>
+
+Please add the following 4 commits to 2.6.27-stable and 2.6.28-stable.
+However, there has been a lot of change here between 2.6.28 and 2.6.29:
+in particular, fs/exec.c's unsafe_exec() grew into the more complicated
+check_unsafe_exec(). So applying the original patches gives too many
+rejects: at the bottom is the diffstat and the combined patch required.
+
+1
+Commit: 53e9309e01277ec99c38e84e0ca16921287cf470
+Author: Hugh Dickins <hugh@veritas.com>
+Date: Sat, 28 Mar 2009 23:16:03 +0000 (+0000)
+Subject: [patch 53/58] compat_do_execve should unshare_files
+
+2
+Commit: e426b64c412aaa3e9eb3e4b261dc5be0d5a83e78
+Author: Hugh Dickins <hugh@veritas.com>
+Date: Sat, 28 Mar 2009 23:20:19 +0000 (+0000)
+Subject: [patch 53/58] fix setuid sometimes doesn't
+
+3
+Commit: 7c2c7d993044cddc5010f6f429b100c63bc7dffb
+Author: Hugh Dickins <hugh@veritas.com>
+Date: Sat, 28 Mar 2009 23:21:27 +0000 (+0000)
+Subject: [patch 53/58] fix setuid sometimes wouldn't
+
+4
+Commit: f1191b50ec11c8e2ca766d6d99eb5bb9d2c084a3
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 30 Mar 2009 11:35:18 +0000 (-0400)
+Subject: [patch 53/58] check_unsafe_exec() doesn't care about signal handlers sharing
+
+Signed-off-by: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/compat.c | 12 +++++++++++-
+ fs/exec.c | 4 +---
+ fs/proc/base.c | 50 ++++++++++++++++----------------------------------
+ 3 files changed, 28 insertions(+), 38 deletions(-)
+
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -1353,12 +1353,17 @@ int compat_do_execve(char * filename,
+ {
+ struct linux_binprm *bprm;
+ struct file *file;
++ struct files_struct *displaced;
+ int retval;
+
++ retval = unshare_files(&displaced);
++ if (retval)
++ goto out_ret;
++
+ retval = -ENOMEM;
+ bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
+ if (!bprm)
+- goto out_ret;
++ goto out_files;
+
+ file = open_exec(filename);
+ retval = PTR_ERR(file);
+@@ -1410,6 +1415,8 @@ int compat_do_execve(char * filename,
+ security_bprm_free(bprm);
+ acct_update_integrals(current);
+ free_bprm(bprm);
++ if (displaced)
++ put_files_struct(displaced);
+ return retval;
+ }
+
+@@ -1430,6 +1437,9 @@ out_file:
+ out_kfree:
+ free_bprm(bprm);
+
++out_files:
++ if (displaced)
++ reset_files_struct(displaced);
+ out_ret:
+ return retval;
+ }
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1089,9 +1089,7 @@ static int unsafe_exec(struct task_struc
+ {
+ int unsafe = tracehook_unsafe_exec(p);
+
+- if (atomic_read(&p->fs->count) > 1 ||
+- atomic_read(&p->files->count) > 1 ||
+- atomic_read(&p->sighand->count) > 1)
++ if (atomic_read(&p->fs->count) > 1)
+ unsafe |= LSM_UNSAFE_SHARE;
+
+ return unsafe;
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -151,15 +151,22 @@ static unsigned int pid_entry_count_dirs
+ int maps_protect;
+ EXPORT_SYMBOL(maps_protect);
+
+-static struct fs_struct *get_fs_struct(struct task_struct *task)
++static int get_fs_path(struct task_struct *task, struct path *path, bool root)
+ {
+ struct fs_struct *fs;
++ int result = -ENOENT;
++
+ task_lock(task);
+ fs = task->fs;
+- if(fs)
+- atomic_inc(&fs->count);
++ if (fs) {
++ read_lock(&fs->lock);
++ *path = root ? fs->root : fs->pwd;
++ path_get(path);
++ read_unlock(&fs->lock);
++ result = 0;
++ }
+ task_unlock(task);
+- return fs;
++ return result;
+ }
+
+ static int get_nr_threads(struct task_struct *tsk)
+@@ -178,42 +185,24 @@ static int get_nr_threads(struct task_st
+ static int proc_cwd_link(struct inode *inode, struct path *path)
+ {
+ struct task_struct *task = get_proc_task(inode);
+- struct fs_struct *fs = NULL;
+ int result = -ENOENT;
+
+ if (task) {
+- fs = get_fs_struct(task);
++ result = get_fs_path(task, path, 0);
+ put_task_struct(task);
+ }
+- if (fs) {
+- read_lock(&fs->lock);
+- *path = fs->pwd;
+- path_get(&fs->pwd);
+- read_unlock(&fs->lock);
+- result = 0;
+- put_fs_struct(fs);
+- }
+ return result;
+ }
+
+ static int proc_root_link(struct inode *inode, struct path *path)
+ {
+ struct task_struct *task = get_proc_task(inode);
+- struct fs_struct *fs = NULL;
+ int result = -ENOENT;
+
+ if (task) {
+- fs = get_fs_struct(task);
++ result = get_fs_path(task, path, 1);
+ put_task_struct(task);
+ }
+- if (fs) {
+- read_lock(&fs->lock);
+- *path = fs->root;
+- path_get(&fs->root);
+- read_unlock(&fs->lock);
+- result = 0;
+- put_fs_struct(fs);
+- }
+ return result;
+ }
+
+@@ -575,7 +564,6 @@ static int mounts_open_common(struct ino
+ struct task_struct *task = get_proc_task(inode);
+ struct nsproxy *nsp;
+ struct mnt_namespace *ns = NULL;
+- struct fs_struct *fs = NULL;
+ struct path root;
+ struct proc_mounts *p;
+ int ret = -EINVAL;
+@@ -589,22 +577,16 @@ static int mounts_open_common(struct ino
+ get_mnt_ns(ns);
+ }
+ rcu_read_unlock();
+- if (ns)
+- fs = get_fs_struct(task);
++ if (ns && get_fs_path(task, &root, 1) == 0)
++ ret = 0;
+ put_task_struct(task);
+ }
+
+ if (!ns)
+ goto err;
+- if (!fs)
++ if (ret)
+ goto err_put_ns;
+
+- read_lock(&fs->lock);
+- root = fs->root;
+- path_get(&root);
+- read_unlock(&fs->lock);
+- put_fs_struct(fs);
+-
+ ret = -ENOMEM;
+ p = kmalloc(sizeof(struct proc_mounts), GFP_KERNEL);
+ if (!p)
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009
+Message-Id: <20090429220930.974826191@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:53 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Yu Zhao <yu.zhao@intel.com>,
+ Jesse Barnes <jbarnes@virtuousgeek.org>
+Subject: [patch 54/58] PCI: fix incorrect mask of PM No_Soft_Reset bit
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch
+Content-Length: 1005
+Lines: 25
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Yu Zhao <yu.zhao@intel.com>
+
+commit 998dd7c719f62dcfa91d7bf7f4eb9c160e03d817 upstream.
+
+Reviewed-by: Matthew Wilcox <matthew@wil.cx>
+Signed-off-by: Yu Zhao <yu.zhao@intel.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/pci_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/pci_regs.h
++++ b/include/linux/pci_regs.h
+@@ -234,7 +234,7 @@
+ #define PCI_PM_CAP_PME_SHIFT 11 /* Start of the PME Mask in PMC */
+ #define PCI_PM_CTRL 4 /* PM control and status register */
+ #define PCI_PM_CTRL_STATE_MASK 0x0003 /* Current power state (D0 to D3) */
+-#define PCI_PM_CTRL_NO_SOFT_RESET 0x0004 /* No reset for D3hot->D0 */
++#define PCI_PM_CTRL_NO_SOFT_RESET 0x0008 /* No reset for D3hot->D0 */
+ #define PCI_PM_CTRL_PME_ENABLE 0x0100 /* PME pin enable */
+ #define PCI_PM_CTRL_DATA_SEL_MASK 0x1e00 /* Data select (??) */
+ #define PCI_PM_CTRL_DATA_SCALE_MASK 0x6000 /* Data scale (??) */
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009
+Message-Id: <20090429220931.129827045@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:54 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
+ Len Brown <len.brown@intel.com>
+Subject: [patch 55/58] thinkpad-acpi: fix LED blinking through timer trigger
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch
+Content-Length: 3824
+Lines: 128
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+
+commit 75bd3bf2ade9d548be0d2bde60b5ee0fdce0b127 upstream.
+
+The set_blink hook code in the LED subdriver would never manage to get
+a LED to blink, and instead it would just turn it on. The consequence
+of this is that the "timer" trigger would not cause the LED to blink
+if given default parameters.
+
+This problem exists since 2.6.26-rc1.
+
+To fix it, switch the deferred LED work handling to use the
+thinkpad-acpi-specific LED status (off/on/blink) directly.
+
+This also makes the code easier to read, and to extend later.
+
+Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+Cc: stable@kernel.org
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/thinkpad_acpi.c | 41 +++++++++++++++++++----------------------
+ 1 file changed, 19 insertions(+), 22 deletions(-)
+
+--- a/drivers/misc/thinkpad_acpi.c
++++ b/drivers/misc/thinkpad_acpi.c
+@@ -282,11 +282,17 @@ static u32 dbg_level;
+
+ static struct workqueue_struct *tpacpi_wq;
+
++enum led_status_t {
++ TPACPI_LED_OFF = 0,
++ TPACPI_LED_ON,
++ TPACPI_LED_BLINK,
++};
++
+ /* Special LED class that can defer work */
+ struct tpacpi_led_classdev {
+ struct led_classdev led_classdev;
+ struct work_struct work;
+- enum led_brightness new_brightness;
++ enum led_status_t new_state;
+ unsigned int led;
+ };
+
+@@ -3478,7 +3484,7 @@ static void light_set_status_worker(stru
+ container_of(work, struct tpacpi_led_classdev, work);
+
+ if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING))
+- light_set_status((data->new_brightness != LED_OFF));
++ light_set_status((data->new_state != TPACPI_LED_OFF));
+ }
+
+ static void light_sysfs_set(struct led_classdev *led_cdev,
+@@ -3488,7 +3494,8 @@ static void light_sysfs_set(struct led_c
+ container_of(led_cdev,
+ struct tpacpi_led_classdev,
+ led_classdev);
+- data->new_brightness = brightness;
++ data->new_state = (brightness != LED_OFF) ?
++ TPACPI_LED_ON : TPACPI_LED_OFF;
+ queue_work(tpacpi_wq, &data->work);
+ }
+
+@@ -3995,12 +4002,6 @@ enum { /* For TPACPI_LED_OLD */
+ TPACPI_LED_EC_HLMS = 0x0e, /* EC reg to select led to command */
+ };
+
+-enum led_status_t {
+- TPACPI_LED_OFF = 0,
+- TPACPI_LED_ON,
+- TPACPI_LED_BLINK,
+-};
+-
+ static enum led_access_mode led_supported;
+
+ TPACPI_HANDLE(led, ec, "SLED", /* 570 */
+@@ -4094,23 +4095,13 @@ static int led_set_status(const unsigned
+ return rc;
+ }
+
+-static void led_sysfs_set_status(unsigned int led,
+- enum led_brightness brightness)
+-{
+- led_set_status(led,
+- (brightness == LED_OFF) ?
+- TPACPI_LED_OFF :
+- (tpacpi_led_state_cache[led] == TPACPI_LED_BLINK) ?
+- TPACPI_LED_BLINK : TPACPI_LED_ON);
+-}
+-
+ static void led_set_status_worker(struct work_struct *work)
+ {
+ struct tpacpi_led_classdev *data =
+ container_of(work, struct tpacpi_led_classdev, work);
+
+ if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING))
+- led_sysfs_set_status(data->led, data->new_brightness);
++ led_set_status(data->led, data->new_state);
+ }
+
+ static void led_sysfs_set(struct led_classdev *led_cdev,
+@@ -4119,7 +4110,13 @@ static void led_sysfs_set(struct led_cla
+ struct tpacpi_led_classdev *data = container_of(led_cdev,
+ struct tpacpi_led_classdev, led_classdev);
+
+- data->new_brightness = brightness;
++ if (brightness == LED_OFF)
++ data->new_state = TPACPI_LED_OFF;
++ else if (tpacpi_led_state_cache[data->led] != TPACPI_LED_BLINK)
++ data->new_state = TPACPI_LED_ON;
++ else
++ data->new_state = TPACPI_LED_BLINK;
++
+ queue_work(tpacpi_wq, &data->work);
+ }
+
+@@ -4137,7 +4134,7 @@ static int led_sysfs_blink_set(struct le
+ } else if ((*delay_on != 500) || (*delay_off != 500))
+ return -EINVAL;
+
+- data->new_brightness = TPACPI_LED_BLINK;
++ data->new_state = TPACPI_LED_BLINK;
+ queue_work(tpacpi_wq, &data->work);
+
+ return 0;
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009
+Message-Id: <20090429220931.285231983@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:55 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alexey Starikovskiy <astarikovskiy@suse.de>,
+ Len Brown <len.brown@intel.com>
+Subject: [patch 56/58] ACPI: EC: Add some basic check for ECDT data
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=acpi-ec-add-some-basic-check-for-ecdt-data.patch
+Content-Length: 2663
+Lines: 80
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Alexey Starikovskiy <astarikovskiy@suse.de>
+
+commit c5279dee26c0e8d7c4200993bfc4b540d2469598 upstream.
+
+One more ASUS comes with empty ECDT, add a guard for it...
+
+http://bugzilla.kernel.org/show_bug.cgi?id=11880
+
+Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/ec.c | 43 ++++++++++++++++++++++---------------------
+ 1 file changed, 22 insertions(+), 21 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -968,7 +968,6 @@ static const struct acpi_device_id ec_de
+
+ int __init acpi_ec_ecdt_probe(void)
+ {
+- int ret;
+ acpi_status status;
+ struct acpi_table_ecdt *ecdt_ptr;
+
+@@ -996,30 +995,32 @@ int __init acpi_ec_ecdt_probe(void)
+ boot_ec->gpe = ecdt_ptr->gpe;
+ boot_ec->handle = ACPI_ROOT_OBJECT;
+ acpi_get_handle(ACPI_ROOT_OBJECT, ecdt_ptr->id, &boot_ec->handle);
+- } else {
+- /* This workaround is needed only on some broken machines,
+- * which require early EC, but fail to provide ECDT */
+- acpi_handle x;
+- printk(KERN_DEBUG PREFIX "Look up EC in DSDT\n");
+- status = acpi_get_devices(ec_device_ids[0].id, ec_parse_device,
+- boot_ec, NULL);
+- /* Check that acpi_get_devices actually find something */
+- if (ACPI_FAILURE(status) || !boot_ec->handle)
+- goto error;
+- /* We really need to limit this workaround, the only ASUS,
+- * which needs it, has fake EC._INI method, so use it as flag.
+- * Keep boot_ec struct as it will be needed soon.
+- */
+- if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &x)))
+- return -ENODEV;
++ /* Add some basic check against completely broken table */
++ if (boot_ec->data_addr != boot_ec->command_addr)
++ goto install;
++ /* fall through */
+ }
+-
+- ret = ec_install_handlers(boot_ec);
+- if (!ret) {
++ /* This workaround is needed only on some broken machines,
++ * which require early EC, but fail to provide ECDT */
++ acpi_handle x;
++ printk(KERN_DEBUG PREFIX "Look up EC in DSDT\n");
++ status = acpi_get_devices(ec_device_ids[0].id, ec_parse_device,
++ boot_ec, NULL);
++ /* Check that acpi_get_devices actually find something */
++ if (ACPI_FAILURE(status) || !boot_ec->handle)
++ goto error;
++ /* We really need to limit this workaround, the only ASUS,
++ * which needs it, has fake EC._INI method, so use it as flag.
++ * Keep boot_ec struct as it will be needed soon.
++ */
++ if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &x)))
++ return -ENODEV;
++install:
++ if (!ec_install_handlers(boot_ec)) {
+ first_ec = boot_ec;
+ return 0;
+ }
+- error:
++error:
+ kfree(boot_ec);
+ boot_ec = NULL;
+ return -ENODEV;
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009
+Message-Id: <20090429220931.429528114@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:56 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Hannes Eder <hannes@hanneseder.net>,
+ Alexey Starikovskiy <astarikovskiy@suse.de>,
+ Len Brown <len.brown@intel.com>
+Subject: [patch 57/58] ACPI: EC: fix compilation warning
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=acpi-ec-fix-compilation-warning.patch
+Content-Length: 1610
+Lines: 47
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Hannes Eder <hannes@hanneseder.net>
+
+commit 3e54048691bce3f323fd5460695273be379803b9 upstream.
+
+Fix the warning introduced in commit c5279dee26c0e8d7c4200993bfc4b540d2469598,
+and give the dummy variable a more verbose name.
+
+ drivers/acpi/ec.c: In function 'acpi_ec_ecdt_probe':
+ drivers/acpi/ec.c:1015: warning: ISO C90 forbids mixed declarations and code
+
+Signed-off-by: Hannes Eder <hannes@hanneseder.net>
+Acked-by: Alexey Starikovskiy <astarikovskiy@suse.de>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/ec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -970,6 +970,7 @@ int __init acpi_ec_ecdt_probe(void)
+ {
+ acpi_status status;
+ struct acpi_table_ecdt *ecdt_ptr;
++ acpi_handle dummy;
+
+ boot_ec = make_acpi_ec();
+ if (!boot_ec)
+@@ -1002,7 +1003,6 @@ int __init acpi_ec_ecdt_probe(void)
+ }
+ /* This workaround is needed only on some broken machines,
+ * which require early EC, but fail to provide ECDT */
+- acpi_handle x;
+ printk(KERN_DEBUG PREFIX "Look up EC in DSDT\n");
+ status = acpi_get_devices(ec_device_ids[0].id, ec_parse_device,
+ boot_ec, NULL);
+@@ -1013,7 +1013,7 @@ int __init acpi_ec_ecdt_probe(void)
+ * which needs it, has fake EC._INI method, so use it as flag.
+ * Keep boot_ec struct as it will be needed soon.
+ */
+- if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &x)))
++ if (ACPI_FAILURE(acpi_get_handle(boot_ec->handle, "_INI", &dummy)))
+ return -ENODEV;
+ install:
+ if (!ec_install_handlers(boot_ec)) {
+
+
+From gregkh@mini.kroah.org Wed Apr 29 15:09:31 2009
+Message-Id: <20090429220931.578718104@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Wed, 29 Apr 2009 15:07:57 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ paul.moore@hp.com
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ jmorris@namei.org,
+ greg@kroah.com,
+ chrisw@redhat.com,
+ error27@gmail.com,
+ Eugene Teo <eugeneteo@kernel.sg>
+Subject: [patch 58/58] unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)
+References: <20090429220659.339950874@mini.kroah.org>
+Content-Disposition: inline; filename=unreached-code-in-selinux_ip_postroute_iptables_compat.patch
+Content-Length: 830
+Lines: 29
+
+2.6.27-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Eugene Teo <eteo@redhat.com>
+
+Not upstream in 2.6.30, as the function was removed there, making this a
+non-issue.
+
+Node and port send checks can skip in the compat_net=1 case. This bug
+was introduced in commit effad8d.
+
+Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Acked-by: James Morris <jmorris@namei.org>
+Acked-by: Paul Moore <paul.moore@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/hooks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4467,6 +4467,7 @@ static int selinux_ip_postroute_iptables
+ if (err)
+ return err;
+ err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
++ if (err)
+ return err;
+
+ err = sel_netnode_sid(addrp, family, &node_sid);
+
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
