--- /dev/null
+From 78b8d5d2ee280c463908fd75f3bdf246bcb6ac8d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 28 Dec 2009 12:24:22 +0100
+Subject: ALSA: usb-audio - Avoid Oops after disconnect
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 78b8d5d2ee280c463908fd75f3bdf246bcb6ac8d upstream.
+
+As the release of substreams may be done asynchronously from the
+disconnection, close callback needs to check the shutdown flag before
+actually accessing the usb interface.
+
+Reference: Novell bnc#505027
+ http://bugzilla.novell.com/show_bug.cgi?id=565027
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/usb/usbaudio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/usbaudio.c
++++ b/sound/usb/usbaudio.c
+@@ -1934,7 +1934,7 @@ static int snd_usb_pcm_close(struct snd_
+ struct snd_usb_stream *as = snd_pcm_substream_chip(substream);
+ struct snd_usb_substream *subs = &as->substream[direction];
+
+- if (subs->interface >= 0) {
++ if (!as->chip->shutdown && subs->interface >= 0) {
+ usb_set_interface(subs->dev, subs->interface, 0);
+ subs->interface = -1;
+ }
--- /dev/null
+From 359207c687cc8f4f9845c8dadd0d6dabad44e584 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+Date: Mon, 4 Jan 2010 10:40:39 -0500
+Subject: ath5k: Fix eeprom checksum check for custom sized eeproms
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+commit 359207c687cc8f4f9845c8dadd0d6dabad44e584 upstream.
+
+Commit 8bf3d79bc401ca417ccf9fc076d3295d1a71dbf5 enabled EEPROM
+checksum checks to avoid bogus bug reports but failed to address
+updating the code to consider devices with custom EEPROM sizes.
+Devices with custom sized EEPROMs have the upper limit size stuffed
+in the EEPROM. Use this as the upper limit instead of the static
+default size. In case of a checksum error also provide back the
+max size and whether or not this was the default size or a custom
+one. If the EEPROM is busted we add a failsafe check to ensure
+we don't loop forever or try to read bogus areas of hardware.
+
+This closes bug 14874
+
+http://bugzilla.kernel.org/show_bug.cgi?id=14874
+
+Cc: stable@kernel.org
+Cc: David Quan <david.quan@atheros.com>
+Cc: Stephen Beahm <stephenbeahm@comcast.net>
+Reported-by: Joshua Covington <joshuacov@googlemail.com>
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+---
+ drivers/net/wireless/ath/ath5k/eeprom.c | 32 +++++++++++++++++++++++++++++---
+ drivers/net/wireless/ath/ath5k/eeprom.h | 8 ++++++++
+ 2 files changed, 37 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath5k/eeprom.c
++++ b/drivers/net/wireless/ath/ath5k/eeprom.c
+@@ -97,7 +97,7 @@ ath5k_eeprom_init_header(struct ath5k_hw
+ struct ath5k_eeprom_info *ee = &ah->ah_capabilities.cap_eeprom;
+ int ret;
+ u16 val;
+- u32 cksum, offset;
++ u32 cksum, offset, eep_max = AR5K_EEPROM_INFO_MAX;
+
+ /*
+ * Read values from EEPROM and store them in the capability structure
+@@ -116,12 +116,38 @@ ath5k_eeprom_init_header(struct ath5k_hw
+ * Validate the checksum of the EEPROM date. There are some
+ * devices with invalid EEPROMs.
+ */
+- for (cksum = 0, offset = 0; offset < AR5K_EEPROM_INFO_MAX; offset++) {
++ AR5K_EEPROM_READ(AR5K_EEPROM_SIZE_UPPER, val);
++ if (val) {
++ eep_max = (val & AR5K_EEPROM_SIZE_UPPER_MASK) <<
++ AR5K_EEPROM_SIZE_ENDLOC_SHIFT;
++ AR5K_EEPROM_READ(AR5K_EEPROM_SIZE_LOWER, val);
++ eep_max = (eep_max | val) - AR5K_EEPROM_INFO_BASE;
++
++ /*
++ * Fail safe check to prevent stupid loops due
++ * to busted EEPROMs. XXX: This value is likely too
++ * big still, waiting on a better value.
++ */
++ if (eep_max > (3 * AR5K_EEPROM_INFO_MAX)) {
++ ATH5K_ERR(ah->ah_sc, "Invalid max custom EEPROM size: "
++ "%d (0x%04x) max expected: %d (0x%04x)\n",
++ eep_max, eep_max,
++ 3 * AR5K_EEPROM_INFO_MAX,
++ 3 * AR5K_EEPROM_INFO_MAX);
++ return -EIO;
++ }
++ }
++
++ for (cksum = 0, offset = 0; offset < eep_max; offset++) {
+ AR5K_EEPROM_READ(AR5K_EEPROM_INFO(offset), val);
+ cksum ^= val;
+ }
+ if (cksum != AR5K_EEPROM_INFO_CKSUM) {
+- ATH5K_ERR(ah->ah_sc, "Invalid EEPROM checksum 0x%04x\n", cksum);
++ ATH5K_ERR(ah->ah_sc, "Invalid EEPROM "
++ "checksum: 0x%04x eep_max: 0x%04x (%s)\n",
++ cksum, eep_max,
++ eep_max == AR5K_EEPROM_INFO_MAX ?
++ "default size" : "custom size");
+ return -EIO;
+ }
+
+--- a/drivers/net/wireless/ath/ath5k/eeprom.h
++++ b/drivers/net/wireless/ath/ath5k/eeprom.h
+@@ -34,6 +34,14 @@
+ #define AR5K_EEPROM_RFKILL_POLARITY_S 1
+
+ #define AR5K_EEPROM_REG_DOMAIN 0x00bf /* EEPROM regdom */
++
++/* FLASH(EEPROM) Defines for AR531X chips */
++#define AR5K_EEPROM_SIZE_LOWER 0x1b /* size info -- lower */
++#define AR5K_EEPROM_SIZE_UPPER 0x1c /* size info -- upper */
++#define AR5K_EEPROM_SIZE_UPPER_MASK 0xfff0
++#define AR5K_EEPROM_SIZE_UPPER_SHIFT 4
++#define AR5K_EEPROM_SIZE_ENDLOC_SHIFT 12
++
+ #define AR5K_EEPROM_CHECKSUM 0x00c0 /* EEPROM checksum */
+ #define AR5K_EEPROM_INFO_BASE 0x00c0 /* EEPROM header */
+ #define AR5K_EEPROM_INFO_MAX (0x400 - AR5K_EEPROM_INFO_BASE)
--- /dev/null
+From ea9d8e3f45404d411c00ae67b45cc35c58265bb7 Mon Sep 17 00:00:00 2001
+From: Xiaotian Feng <dfeng@redhat.com>
+Date: Thu, 7 Jan 2010 11:22:44 +0800
+Subject: clockevent: Don't remove broadcast device when cpu is dead
+
+From: Xiaotian Feng <dfeng@redhat.com>
+
+commit ea9d8e3f45404d411c00ae67b45cc35c58265bb7 upstream.
+
+Marc reported that the BUG_ON in clockevents_notify() triggers on his
+system. This happens because the kernel tries to remove an active
+clock event device (used for broadcasting) from the device list.
+
+The handling of devices which can be used as per cpu device and as a
+global broadcast device is suboptimal.
+
+The simplest solution for now (and for stable) is to check whether the
+device is used as global broadcast device, but this needs to be
+revisited.
+
+[ tglx: restored the cpuweight check and massaged the changelog ]
+
+Reported-by: Marc Dionne <marc.c.dionne@gmail.com>
+Tested-by: Marc Dionne <marc.c.dionne@gmail.com>
+Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
+LKML-Reference: <1262834564-13033-1-git-send-email-dfeng@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/clockevents.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -20,6 +20,8 @@
+ #include <linux/sysdev.h>
+ #include <linux/tick.h>
+
++#include "tick-internal.h"
++
+ /* The registered clock event devices */
+ static LIST_HEAD(clockevent_devices);
+ static LIST_HEAD(clockevents_released);
+@@ -258,7 +260,8 @@ void clockevents_notify(unsigned long re
+ cpu = *((int *)arg);
+ list_for_each_entry_safe(dev, tmp, &clockevent_devices, list) {
+ if (cpumask_test_cpu(cpu, dev->cpumask) &&
+- cpumask_weight(dev->cpumask) == 1) {
++ cpumask_weight(dev->cpumask) == 1 &&
++ !tick_is_broadcast_device(dev)) {
+ BUG_ON(dev->mode != CLOCK_EVT_MODE_UNUSED);
+ list_del(&dev->list);
+ }
--- /dev/null
+From f98bfbd78c37c5946cc53089da32a5f741efdeb7 Mon Sep 17 00:00:00 2001
+From: Evgeniy Polyakov <zbr@ioremap.net>
+Date: Tue, 2 Feb 2010 15:58:48 -0800
+Subject: connector: Delete buggy notification code.
+
+From: Evgeniy Polyakov <zbr@ioremap.net>
+
+commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream.
+
+On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh@suse.de) wrote:
+> > There are at least two ways to fix it: using a big cannon and a small
+> > one. The former way is to disable notification registration, since it is
+> > not used by anyone at all. Second way is to check whether calling
+> > process is root and its destination group is -1 (kind of priveledged
+> > one) before command is dispatched to workqueue.
+>
+> Well if no one is using it, removing it makes the most sense, right?
+>
+> No objection from me, care to make up a patch either way for this?
+
+Getting it is not used, let's drop support for notifications about
+(un)registered events from connector.
+Another option was to check credentials on receiving, but we can always
+restore it without bugs if needed, but genetlink has a wider code base
+and none complained, that userspace can not get notification when some
+other clients were (un)registered.
+
+Kudos for Sebastian Krahmer <krahmer@suse.de>, who found a bug in the
+code.
+
+Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
+Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/connector/connector.c | 175 ------------------------------------------
+ include/linux/connector.h | 32 -------
+ 2 files changed, 207 deletions(-)
+
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -36,17 +36,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Evgeniy Polyakov <zbr@ioremap.net>");
+ MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
+
+-static u32 cn_idx = CN_IDX_CONNECTOR;
+-static u32 cn_val = CN_VAL_CONNECTOR;
+-
+-module_param(cn_idx, uint, 0);
+-module_param(cn_val, uint, 0);
+-MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
+-MODULE_PARM_DESC(cn_val, "Connector's main device val.");
+-
+-static DEFINE_MUTEX(notify_lock);
+-static LIST_HEAD(notify_list);
+-
+ static struct cn_dev cdev;
+
+ static int cn_already_initialized;
+@@ -210,54 +199,6 @@ static void cn_rx_skb(struct sk_buff *__
+ }
+
+ /*
+- * Notification routing.
+- *
+- * Gets id and checks if there are notification request for it's idx
+- * and val. If there are such requests notify the listeners with the
+- * given notify event.
+- *
+- */
+-static void cn_notify(struct cb_id *id, u32 notify_event)
+-{
+- struct cn_ctl_entry *ent;
+-
+- mutex_lock(¬ify_lock);
+- list_for_each_entry(ent, ¬ify_list, notify_entry) {
+- int i;
+- struct cn_notify_req *req;
+- struct cn_ctl_msg *ctl = ent->msg;
+- int idx_found, val_found;
+-
+- idx_found = val_found = 0;
+-
+- req = (struct cn_notify_req *)ctl->data;
+- for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
+- if (id->idx >= req->first &&
+- id->idx < req->first + req->range) {
+- idx_found = 1;
+- break;
+- }
+- }
+-
+- for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
+- if (id->val >= req->first &&
+- id->val < req->first + req->range) {
+- val_found = 1;
+- break;
+- }
+- }
+-
+- if (idx_found && val_found) {
+- struct cn_msg m = { .ack = notify_event, };
+-
+- memcpy(&m.id, id, sizeof(m.id));
+- cn_netlink_send(&m, ctl->group, GFP_KERNEL);
+- }
+- }
+- mutex_unlock(¬ify_lock);
+-}
+-
+-/*
+ * Callback add routing - adds callback with given ID and name.
+ * If there is registered callback with the same ID it will not be added.
+ *
+@@ -276,8 +217,6 @@ int cn_add_callback(struct cb_id *id, ch
+ if (err)
+ return err;
+
+- cn_notify(id, 0);
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(cn_add_callback);
+@@ -295,111 +234,9 @@ void cn_del_callback(struct cb_id *id)
+ struct cn_dev *dev = &cdev;
+
+ cn_queue_del_callback(dev->cbdev, id);
+- cn_notify(id, 1);
+ }
+ EXPORT_SYMBOL_GPL(cn_del_callback);
+
+-/*
+- * Checks two connector's control messages to be the same.
+- * Returns 1 if they are the same or if the first one is corrupted.
+- */
+-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
+-{
+- int i;
+- struct cn_notify_req *req1, *req2;
+-
+- if (m1->idx_notify_num != m2->idx_notify_num)
+- return 0;
+-
+- if (m1->val_notify_num != m2->val_notify_num)
+- return 0;
+-
+- if (m1->len != m2->len)
+- return 0;
+-
+- if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
+- m1->len)
+- return 1;
+-
+- req1 = (struct cn_notify_req *)m1->data;
+- req2 = (struct cn_notify_req *)m2->data;
+-
+- for (i = 0; i < m1->idx_notify_num; ++i) {
+- if (req1->first != req2->first || req1->range != req2->range)
+- return 0;
+- req1++;
+- req2++;
+- }
+-
+- for (i = 0; i < m1->val_notify_num; ++i) {
+- if (req1->first != req2->first || req1->range != req2->range)
+- return 0;
+- req1++;
+- req2++;
+- }
+-
+- return 1;
+-}
+-
+-/*
+- * Main connector device's callback.
+- *
+- * Used for notification of a request's processing.
+- */
+-static void cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+-{
+- struct cn_ctl_msg *ctl;
+- struct cn_ctl_entry *ent;
+- u32 size;
+-
+- if (msg->len < sizeof(*ctl))
+- return;
+-
+- ctl = (struct cn_ctl_msg *)msg->data;
+-
+- size = (sizeof(*ctl) + ((ctl->idx_notify_num +
+- ctl->val_notify_num) *
+- sizeof(struct cn_notify_req)));
+-
+- if (msg->len != size)
+- return;
+-
+- if (ctl->len + sizeof(*ctl) != msg->len)
+- return;
+-
+- /*
+- * Remove notification.
+- */
+- if (ctl->group == 0) {
+- struct cn_ctl_entry *n;
+-
+- mutex_lock(¬ify_lock);
+- list_for_each_entry_safe(ent, n, ¬ify_list, notify_entry) {
+- if (cn_ctl_msg_equals(ent->msg, ctl)) {
+- list_del(&ent->notify_entry);
+- kfree(ent);
+- }
+- }
+- mutex_unlock(¬ify_lock);
+-
+- return;
+- }
+-
+- size += sizeof(*ent);
+-
+- ent = kzalloc(size, GFP_KERNEL);
+- if (!ent)
+- return;
+-
+- ent->msg = (struct cn_ctl_msg *)(ent + 1);
+-
+- memcpy(ent->msg, ctl, size - sizeof(*ent));
+-
+- mutex_lock(¬ify_lock);
+- list_add(&ent->notify_entry, ¬ify_list);
+- mutex_unlock(¬ify_lock);
+-}
+-
+ static int cn_proc_show(struct seq_file *m, void *v)
+ {
+ struct cn_queue_dev *dev = cdev.cbdev;
+@@ -437,11 +274,8 @@ static const struct file_operations cn_f
+ static int __devinit cn_init(void)
+ {
+ struct cn_dev *dev = &cdev;
+- int err;
+
+ dev->input = cn_rx_skb;
+- dev->id.idx = cn_idx;
+- dev->id.val = cn_val;
+
+ dev->nls = netlink_kernel_create(&init_net, NETLINK_CONNECTOR,
+ CN_NETLINK_USERS + 0xf,
+@@ -457,14 +291,6 @@ static int __devinit cn_init(void)
+
+ cn_already_initialized = 1;
+
+- err = cn_add_callback(&dev->id, "connector", &cn_callback);
+- if (err) {
+- cn_already_initialized = 0;
+- cn_queue_free_dev(dev->cbdev);
+- netlink_kernel_release(dev->nls);
+- return -EINVAL;
+- }
+-
+ proc_net_fops_create(&init_net, "connector", S_IRUGO, &cn_file_ops);
+
+ return 0;
+@@ -478,7 +304,6 @@ static void __devexit cn_fini(void)
+
+ proc_net_remove(&init_net, "connector");
+
+- cn_del_callback(&dev->id);
+ cn_queue_free_dev(dev->cbdev);
+ netlink_kernel_release(dev->nls);
+ }
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -24,9 +24,6 @@
+
+ #include <linux/types.h>
+
+-#define CN_IDX_CONNECTOR 0xffffffff
+-#define CN_VAL_CONNECTOR 0xffffffff
+-
+ /*
+ * Process Events connector unique ids -- used for message routing
+ */
+@@ -73,30 +70,6 @@ struct cn_msg {
+ __u8 data[0];
+ };
+
+-/*
+- * Notify structure - requests notification about
+- * registering/unregistering idx/val in range [first, first+range].
+- */
+-struct cn_notify_req {
+- __u32 first;
+- __u32 range;
+-};
+-
+-/*
+- * Main notification control message
+- * *_notify_num - number of appropriate cn_notify_req structures after
+- * this struct.
+- * group - notification receiver's idx.
+- * len - total length of the attached data.
+- */
+-struct cn_ctl_msg {
+- __u32 idx_notify_num;
+- __u32 val_notify_num;
+- __u32 group;
+- __u32 len;
+- __u8 data[0];
+-};
+-
+ #ifdef __KERNEL__
+
+ #include <asm/atomic.h>
+@@ -149,11 +122,6 @@ struct cn_callback_entry {
+ u32 seq, group;
+ };
+
+-struct cn_ctl_entry {
+- struct list_head notify_entry;
+- struct cn_ctl_msg *msg;
+-};
+-
+ struct cn_dev {
+ struct cb_id id;
+
--- /dev/null
+From e27759d7a333d1f25d628c4f7caf845c51be51c2 Mon Sep 17 00:00:00 2001
+From: Erez Zadok <ezk@cs.sunysb.edu>
+Date: Thu, 3 Dec 2009 13:35:27 -0500
+Subject: ecryptfs: initialize private persistent file before dereferencing pointer
+Patch-mainline: 2.6.33
+
+From: Erez Zadok <ezk@cs.sunysb.edu>
+
+commit e27759d7a333d1f25d628c4f7caf845c51be51c2 upstream.
+
+Ecryptfs_open dereferences a pointer to the private lower file (the one
+stored in the ecryptfs inode), without checking if the pointer is NULL.
+Right afterward, it initializes that pointer if it is NULL. Swap order of
+statements to first initialize. Bug discovered by Duckjin Kang.
+
+Signed-off-by: Duckjin Kang <fromdj2k@gmail.com>
+Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu>
+Cc: Dustin Kirkland <kirkland@canonical.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/file.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -191,13 +191,6 @@ static int ecryptfs_open(struct inode *i
+ | ECRYPTFS_ENCRYPTED);
+ }
+ mutex_unlock(&crypt_stat->cs_mutex);
+- if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_RDONLY)
+- && !(file->f_flags & O_RDONLY)) {
+- rc = -EPERM;
+- printk(KERN_WARNING "%s: Lower persistent file is RO; eCryptfs "
+- "file must hence be opened RO\n", __func__);
+- goto out;
+- }
+ if (!ecryptfs_inode_to_private(inode)->lower_file) {
+ rc = ecryptfs_init_persistent_file(ecryptfs_dentry);
+ if (rc) {
+@@ -208,6 +201,13 @@ static int ecryptfs_open(struct inode *i
+ goto out;
+ }
+ }
++ if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_RDONLY)
++ && !(file->f_flags & O_RDONLY)) {
++ rc = -EPERM;
++ printk(KERN_WARNING "%s: Lower persistent file is RO; eCryptfs "
++ "file must hence be opened RO\n", __func__);
++ goto out;
++ }
+ ecryptfs_set_file_lower(
+ file, ecryptfs_inode_to_private(inode)->lower_file);
+ if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) {
--- /dev/null
+From ece550f51ba175c14ec3ec047815927d7386ea1f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Tue, 19 Jan 2010 12:34:32 +0300
+Subject: ecryptfs: use after free
+Patch-mainline: 2.6.33
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit ece550f51ba175c14ec3ec047815927d7386ea1f upstream.
+
+The "full_alg_name" variable is used on a couple error paths, so we
+shouldn't free it until the end.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1745,7 +1745,7 @@ ecryptfs_process_key_cipher(struct crypt
+ char *cipher_name, size_t *key_size)
+ {
+ char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
+- char *full_alg_name;
++ char *full_alg_name = NULL;
+ int rc;
+
+ *key_tfm = NULL;
+@@ -1760,7 +1760,6 @@ ecryptfs_process_key_cipher(struct crypt
+ if (rc)
+ goto out;
+ *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
+- kfree(full_alg_name);
+ if (IS_ERR(*key_tfm)) {
+ rc = PTR_ERR(*key_tfm);
+ printk(KERN_ERR "Unable to allocate crypto cipher with name "
+@@ -1782,6 +1781,7 @@ ecryptfs_process_key_cipher(struct crypt
+ goto out;
+ }
+ out:
++ kfree(full_alg_name);
+ return rc;
+ }
+
--- /dev/null
+From 118f3e1afd5534c15f9701f33514186cfc841a27 Mon Sep 17 00:00:00 2001
+From: Tamas Vincze <tom@vincze.org>
+Date: Fri, 15 Jan 2010 17:01:10 -0800
+Subject: edac: i5000_edac critical fix panic out of bounds
+Patch-mainline: 2.6.33
+
+From: Tamas Vincze <tom@vincze.org>
+
+commit 118f3e1afd5534c15f9701f33514186cfc841a27 upstream.
+
+EDAC MC0: INTERNAL ERROR: channel-b out of range (4 >= 4)
+Kernel panic - not syncing: EDAC MC0: Uncorrected Error (XEN) Domain 0 crashed: 'noreboot' set - not rebooting.
+
+This happens because FERR_NF_FBD bit 28 is not updated on i5000. Due to
+that, both bits 28 and 29 may be equal to one, returning channel = 3. As
+this value is invalid, EDAC core generates the panic.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14568
+
+Signed-off-by: Tamas Vincze <tom@vincze.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Doug Thompson <dougthompson@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/edac/i5000_edac.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -577,7 +577,13 @@ static void i5000_process_nonfatal_error
+ debugf0("\tUncorrected bits= 0x%x\n", ue_errors);
+
+ branch = EXTRACT_FBDCHAN_INDX(info->ferr_nf_fbd);
+- channel = branch;
++
++ /*
++ * According with i5000 datasheet, bit 28 has no significance
++ * for errors M4Err-M12Err and M17Err-M21Err, on FERR_NF_FBD
++ */
++ channel = branch & 2;
++
+ bank = NREC_BANK(info->nrecmema);
+ rank = NREC_RANK(info->nrecmema);
+ rdwr = NREC_RDWR(info->nrecmema);
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/char/tty_io.c | 4 +++-
+ fs/fcntl.c | 6 ++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
-@@ -1951,8 +1951,10 @@ static int tty_fasync(int fd, struct file *filp, int on)
+@@ -1912,8 +1912,10 @@ static int tty_fasync(int fd, struct fil
pid = task_pid(current);
type = PIDTYPE_PID;
}
if (retval)
goto out;
} else {
-diff --git a/fs/fcntl.c b/fs/fcntl.c
-index 5ef953e..97e01dc 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
-@@ -199,9 +199,7 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
+@@ -199,9 +199,7 @@ static int setfl(int fd, struct file * f
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
int force)
{
if (force || !filp->f_owner.pid) {
put_pid(filp->f_owner.pid);
filp->f_owner.pid = get_pid(pid);
-@@ -213,7 +211,7 @@ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
+@@ -213,7 +211,7 @@ static void f_modown(struct file *filp,
filp->f_owner.euid = cred->euid;
}
}
--- /dev/null
+From b04da8bfdfbbd79544cab2fadfdc12e87eb01600 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Tue, 26 Jan 2010 15:04:02 -0800
+Subject: fnctl: f_modown should call write_lock_irqsave/restore
+Patch-mainline: 2.6.33
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit b04da8bfdfbbd79544cab2fadfdc12e87eb01600 upstream.
+
+Commit 703625118069f9f8960d356676662d3db5a9d116 exposed that f_modown()
+should call write_lock_irqsave instead of just write_lock_irq so that
+because a caller could have a spinlock held and it would not be good to
+renable interrupts.
+
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: Tavis Ormandy <taviso@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ fs/fcntl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -199,7 +199,9 @@ static int setfl(int fd, struct file * f
+ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
+ int force)
+ {
+- write_lock_irq(&filp->f_owner.lock);
++ unsigned long flags;
++
++ write_lock_irqsave(&filp->f_owner.lock, flags);
+ if (force || !filp->f_owner.pid) {
+ put_pid(filp->f_owner.pid);
+ filp->f_owner.pid = get_pid(pid);
+@@ -211,7 +213,7 @@ static void f_modown(struct file *filp,
+ filp->f_owner.euid = cred->euid;
+ }
+ }
+- write_unlock_irq(&filp->f_owner.lock);
++ write_unlock_irqrestore(&filp->f_owner.lock, flags);
+ }
+
+ int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
--- /dev/null
+From 23aeb61e7e1f02fb0f3b8f9e798e75537ca1731d Mon Sep 17 00:00:00 2001
+From: Christian Schuerer-Waldheim <csw@xray.at>
+Date: Wed, 6 Jan 2010 14:49:57 +0100
+Subject: HID: add device IDs for new model of Apple Wireless Keyboard
+
+From: Christian Schuerer-Waldheim <csw@xray.at>
+
+commit 23aeb61e7e1f02fb0f3b8f9e798e75537ca1731d upstream.
+
+Added device IDs for the new model of the Apple Wireless Keyboard
+(November 2009).
+
+Signed-off-by: Christian Schuerer-Waldheim <csw@xray.at>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/hid-apple.c | 7 +++++++
+ drivers/hid/hid-core.c | 3 +++
+ drivers/hid/hid-ids.h | 3 +++
+ 3 files changed, 13 insertions(+)
+
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -431,6 +431,13 @@ static const struct hid_device_id apple_
+ .driver_data = APPLE_HAS_FN | APPLE_ISO_KEYBOARD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_JIS),
+ .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI),
++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO),
++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN |
++ APPLE_ISO_KEYBOARD },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS),
++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY),
+ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY),
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1259,6 +1259,9 @@ static const struct hid_device_id hid_bl
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_ANSI) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_ISO) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_JIS) },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI) },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO) },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_BELKIN, USB_DEVICE_ID_FLIP_KVM) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -88,6 +88,9 @@
+ #define USB_DEVICE_ID_APPLE_WELLSPRING3_ANSI 0x0236
+ #define USB_DEVICE_ID_APPLE_WELLSPRING3_ISO 0x0237
+ #define USB_DEVICE_ID_APPLE_WELLSPRING3_JIS 0x0238
++#define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI 0x0239
++#define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO 0x023a
++#define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS 0x023b
+ #define USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY 0x030a
+ #define USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY 0x030b
+ #define USB_DEVICE_ID_APPLE_ATV_IRCONTROL 0x8241
--- /dev/null
+From 9e572cc9877ee6c43af60778f6b8d5ba0692d935 Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Fri, 15 Jan 2010 12:12:24 -0500
+Subject: inotify: do not reuse watch descriptors
+Patch-mainline: 2.6.33
+
+From: Eric Paris <eparis@redhat.com>
+
+commit 9e572cc9877ee6c43af60778f6b8d5ba0692d935 upstream.
+
+Since commit 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 ("inotify: fix
+error paths in inotify_update_watch") inotify changed the manor in which
+it gave watch descriptors back to userspace. Previous to this commit
+inotify acted like the following:
+
+ inotify_add_watch(X, Y, Z) = 1
+ inotify_rm_watch(X, 1);
+ inotify_add_watch(X, Y, Z) = 2
+
+but after this patch inotify would return watch descriptors like so:
+
+ inotify_add_watch(X, Y, Z) = 1
+ inotify_rm_watch(X, 1);
+ inotify_add_watch(X, Y, Z) = 1
+
+which I saw as equivalent to opening an fd where
+
+ open(file) = 1;
+ close(1);
+ open(file) = 1;
+
+seemed perfectly reasonable. The issue is that quite a bit of userspace
+apparently relies on the behavior in which watch descriptors will not be
+quickly reused. KDE relies on it, I know some selinux packages rely on
+it, and I have heard complaints from other random sources such as debian
+bug 558981.
+
+Although the man page implies what we do is ok, we broke userspace so
+this patch almost reverts us to the old behavior. It is still slightly
+racey and I have patches that would fix that, but they are rather large
+and this will fix it for all real world cases. The race is as follows:
+
+ - task1 creates a watch and blocks in idr_new_watch() before it updates
+ the hint.
+ - task2 creates a watch and updates the hint.
+ - task1 updates the hint with it's older wd
+ - task removes the watch created by task2
+ - task adds a new watch and will reuse the wd originally given to task2
+
+it requires moving some locking around the hint (last_wd) but this should
+solve it for the real world and be -stable safe.
+
+As a side effect this patch papers over a bug in the lib/idr code which
+is causing a large number WARN's to pop on people's system and many
+reports in kerneloops.org. I'm working on the root cause of that idr
+bug seperately but this should make inotify immune to that issue.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/notify/inotify/inotify_user.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -558,7 +558,7 @@ retry:
+
+ spin_lock(&group->inotify_data.idr_lock);
+ ret = idr_get_new_above(&group->inotify_data.idr, &tmp_ientry->fsn_entry,
+- group->inotify_data.last_wd,
++ group->inotify_data.last_wd+1,
+ &tmp_ientry->wd);
+ spin_unlock(&group->inotify_data.idr_lock);
+ if (ret) {
+@@ -638,7 +638,7 @@ static struct fsnotify_group *inotify_ne
+
+ spin_lock_init(&group->inotify_data.idr_lock);
+ idr_init(&group->inotify_data.idr);
+- group->inotify_data.last_wd = 1;
++ group->inotify_data.last_wd = 0;
+ group->inotify_data.user = user;
+ group->inotify_data.fa = NULL;
+
--- /dev/null
+From 976ae32be45a736acd49215a7e4771ff91f161c3 Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Fri, 15 Jan 2010 12:12:25 -0500
+Subject: inotify: only warn once for inotify problems
+Patch-mainline: 2.6.33
+
+From: Eric Paris <eparis@redhat.com>
+
+commit 976ae32be45a736acd49215a7e4771ff91f161c3 upstream.
+
+inotify will WARN() if it finds that the idr and the fsnotify internals
+somehow got out of sync. It was only supposed to do this once but due
+to this stupid bug it would warn every single time a problem was
+detected.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/notify/inotify/inotify_fsnotify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/notify/inotify/inotify_fsnotify.c
++++ b/fs/notify/inotify/inotify_fsnotify.c
+@@ -121,7 +121,7 @@ static int idr_callback(int id, void *p,
+ if (warned)
+ return 0;
+
+- warned = false;
++ warned = true;
+ entry = p;
+ ientry = container_of(entry, struct inotify_inode_mark_entry, fsn_entry);
+
--- /dev/null
+From adi@hexapodia.org Mon Jan 25 11:19:41 2010
+From: Sebastian Kapfer <sebastian_kapfer@gmx.net>
+Date: Fri, 15 Jan 2010 10:11:22 -0800
+Subject: Input: ALPS - add interleaved protocol support (Dell E6x00 series)
+To: stable@kernel.org
+Cc: Dmitry Torokhov <dtor@mail.ru>, kernel-team@lists.ubuntu.com, Sebastian Kapfer <sebastian_kapfer@gmx.net>, 296610@bugs.launchpad.net
+Message-ID: <20100115181122.GA11414@hexapodia.org>
+Content-Disposition: inline
+
+From: Sebastian Kapfer <sebastian_kapfer@gmx.net>
+
+commit 1d9f26262aef6d63ff65eba0fd5f1583f342b69b upstream
+
+Properly handle version of the protocol where standard PS/2 packets
+from trackpoint are stuffed into middle (byte 3-6) of the standard
+ALPS packets when both the touchpad and trackpoint are used together.
+
+The patch is based on work done by Matthew Chapman and additional
+research done by David Kubicek and Erik Osterholm:
+
+ https://bugs.launchpad.net/ubuntu/+source/linux/+bug/296610
+
+Many thanks to David Kubicek for his efforts in researching fine points
+of this new version of the protocol, especially interaction between pad
+and stick in these models.
+
+Cc: Andy Isaacson <adi@hexapodia.org>
+Signed-off-by: Sebastian Kapfer <sebastian_kapfer@gmx.net>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/mouse/alps.c | 252 ++++++++++++++++++++++++++++++++++++++++-----
+ drivers/input/mouse/alps.h | 1
+ 2 files changed, 228 insertions(+), 25 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -5,6 +5,7 @@
+ * Copyright (c) 2003-2005 Peter Osterlund <petero2@telia.com>
+ * Copyright (c) 2004 Dmitry Torokhov <dtor@mail.ru>
+ * Copyright (c) 2005 Vojtech Pavlik <vojtech@suse.cz>
++ * Copyright (c) 2009 Sebastian Kapfer <sebastian_kapfer@gmx.net>
+ *
+ * ALPS detection, tap switching and status querying info is taken from
+ * tpconfig utility (by C. Scott Ananian and Bruce Kall).
+@@ -35,6 +36,8 @@
+ #define ALPS_OLDPROTO 0x10
+ #define ALPS_PASS 0x20
+ #define ALPS_FW_BK_2 0x40
++#define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with
++ 6-byte ALPS packet */
+
+ static const struct alps_model_info alps_model_data[] = {
+ { { 0x32, 0x02, 0x14 }, 0xf8, 0xf8, ALPS_PASS | ALPS_DUALPOINT }, /* Toshiba Salellite Pro M10 */
+@@ -55,7 +58,9 @@ static const struct alps_model_info alps
+ { { 0x20, 0x02, 0x0e }, 0xf8, 0xf8, ALPS_PASS | ALPS_DUALPOINT }, /* XXX */
+ { { 0x22, 0x02, 0x0a }, 0xf8, 0xf8, ALPS_PASS | ALPS_DUALPOINT },
+ { { 0x22, 0x02, 0x14 }, 0xff, 0xff, ALPS_PASS | ALPS_DUALPOINT }, /* Dell Latitude D600 */
+- { { 0x62, 0x02, 0x14 }, 0xcf, 0xcf, ALPS_PASS | ALPS_DUALPOINT }, /* Dell Latitude E6500 */
++ /* Dell Latitude E5500, E6400, E6500, Precision M4400 */
++ { { 0x62, 0x02, 0x14 }, 0xcf, 0xcf,
++ ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED },
+ { { 0x73, 0x02, 0x50 }, 0xcf, 0xcf, ALPS_FW_BK_1 }, /* Dell Vostro 1400 */
+ };
+
+@@ -66,20 +71,88 @@ static const struct alps_model_info alps
+ */
+
+ /*
+- * ALPS abolute Mode - new format
++ * PS/2 packet format
++ *
++ * byte 0: 0 0 YSGN XSGN 1 M R L
++ * byte 1: X7 X6 X5 X4 X3 X2 X1 X0
++ * byte 2: Y7 Y6 Y5 Y4 Y3 Y2 Y1 Y0
++ *
++ * Note that the device never signals overflow condition.
++ *
++ * ALPS absolute Mode - new format
+ *
+ * byte 0: 1 ? ? ? 1 ? ? ?
+ * byte 1: 0 x6 x5 x4 x3 x2 x1 x0
+- * byte 2: 0 x10 x9 x8 x7 ? fin ges
++ * byte 2: 0 x10 x9 x8 x7 ? fin ges
+ * byte 3: 0 y9 y8 y7 1 M R L
+ * byte 4: 0 y6 y5 y4 y3 y2 y1 y0
+ * byte 5: 0 z6 z5 z4 z3 z2 z1 z0
+ *
++ * Dualpoint device -- interleaved packet format
++ *
++ * byte 0: 1 1 0 0 1 1 1 1
++ * byte 1: 0 x6 x5 x4 x3 x2 x1 x0
++ * byte 2: 0 x10 x9 x8 x7 0 fin ges
++ * byte 3: 0 0 YSGN XSGN 1 1 1 1
++ * byte 4: X7 X6 X5 X4 X3 X2 X1 X0
++ * byte 5: Y7 Y6 Y5 Y4 Y3 Y2 Y1 Y0
++ * byte 6: 0 y9 y8 y7 1 m r l
++ * byte 7: 0 y6 y5 y4 y3 y2 y1 y0
++ * byte 8: 0 z6 z5 z4 z3 z2 z1 z0
++ *
++ * CAPITALS = stick, miniscules = touchpad
++ *
+ * ?'s can have different meanings on different models,
+ * such as wheel rotation, extra buttons, stick buttons
+ * on a dualpoint, etc.
+ */
+
++static bool alps_is_valid_first_byte(const struct alps_model_info *model,
++ unsigned char data)
++{
++ return (data & model->mask0) == model->byte0;
++}
++
++static void alps_report_buttons(struct psmouse *psmouse,
++ struct input_dev *dev1, struct input_dev *dev2,
++ int left, int right, int middle)
++{
++ struct alps_data *priv = psmouse->private;
++ const struct alps_model_info *model = priv->i;
++
++ if (model->flags & ALPS_PS2_INTERLEAVED) {
++ struct input_dev *dev;
++
++ /*
++ * If shared button has already been reported on the
++ * other device (dev2) then this event should be also
++ * sent through that device.
++ */
++ dev = test_bit(BTN_LEFT, dev2->key) ? dev2 : dev1;
++ input_report_key(dev, BTN_LEFT, left);
++
++ dev = test_bit(BTN_RIGHT, dev2->key) ? dev2 : dev1;
++ input_report_key(dev, BTN_RIGHT, right);
++
++ dev = test_bit(BTN_MIDDLE, dev2->key) ? dev2 : dev1;
++ input_report_key(dev, BTN_MIDDLE, middle);
++
++ /*
++ * Sync the _other_ device now, we'll do the first
++ * device later once we report the rest of the events.
++ */
++ input_sync(dev2);
++ } else {
++ /*
++ * For devices with non-interleaved packets we know what
++ * device buttons belong to so we can simply report them.
++ */
++ input_report_key(dev1, BTN_LEFT, left);
++ input_report_key(dev1, BTN_RIGHT, right);
++ input_report_key(dev1, BTN_MIDDLE, middle);
++ }
++}
++
+ static void alps_process_packet(struct psmouse *psmouse)
+ {
+ struct alps_data *priv = psmouse->private;
+@@ -89,18 +162,6 @@ static void alps_process_packet(struct p
+ int x, y, z, ges, fin, left, right, middle;
+ int back = 0, forward = 0;
+
+- if ((packet[0] & 0xc8) == 0x08) { /* 3-byte PS/2 packet */
+- input_report_key(dev2, BTN_LEFT, packet[0] & 1);
+- input_report_key(dev2, BTN_RIGHT, packet[0] & 2);
+- input_report_key(dev2, BTN_MIDDLE, packet[0] & 4);
+- input_report_rel(dev2, REL_X,
+- packet[1] ? packet[1] - ((packet[0] << 4) & 0x100) : 0);
+- input_report_rel(dev2, REL_Y,
+- packet[2] ? ((packet[0] << 3) & 0x100) - packet[2] : 0);
+- input_sync(dev2);
+- return;
+- }
+-
+ if (priv->i->flags & ALPS_OLDPROTO) {
+ left = packet[2] & 0x10;
+ right = packet[2] & 0x08;
+@@ -136,18 +197,13 @@ static void alps_process_packet(struct p
+ input_report_rel(dev2, REL_X, (x > 383 ? (x - 768) : x));
+ input_report_rel(dev2, REL_Y, -(y > 255 ? (y - 512) : y));
+
+- input_report_key(dev2, BTN_LEFT, left);
+- input_report_key(dev2, BTN_RIGHT, right);
+- input_report_key(dev2, BTN_MIDDLE, middle);
++ alps_report_buttons(psmouse, dev2, dev, left, right, middle);
+
+- input_sync(dev);
+ input_sync(dev2);
+ return;
+ }
+
+- input_report_key(dev, BTN_LEFT, left);
+- input_report_key(dev, BTN_RIGHT, right);
+- input_report_key(dev, BTN_MIDDLE, middle);
++ alps_report_buttons(psmouse, dev, dev2, left, right, middle);
+
+ /* Convert hardware tap to a reasonable Z value */
+ if (ges && !fin) z = 40;
+@@ -188,25 +244,168 @@ static void alps_process_packet(struct p
+ input_sync(dev);
+ }
+
++static void alps_report_bare_ps2_packet(struct psmouse *psmouse,
++ unsigned char packet[],
++ bool report_buttons)
++{
++ struct alps_data *priv = psmouse->private;
++ struct input_dev *dev2 = priv->dev2;
++
++ if (report_buttons)
++ alps_report_buttons(psmouse, dev2, psmouse->dev,
++ packet[0] & 1, packet[0] & 2, packet[0] & 4);
++
++ input_report_rel(dev2, REL_X,
++ packet[1] ? packet[1] - ((packet[0] << 4) & 0x100) : 0);
++ input_report_rel(dev2, REL_Y,
++ packet[2] ? ((packet[0] << 3) & 0x100) - packet[2] : 0);
++
++ input_sync(dev2);
++}
++
++static psmouse_ret_t alps_handle_interleaved_ps2(struct psmouse *psmouse)
++{
++ struct alps_data *priv = psmouse->private;
++
++ if (psmouse->pktcnt < 6)
++ return PSMOUSE_GOOD_DATA;
++
++ if (psmouse->pktcnt == 6) {
++ /*
++ * Start a timer to flush the packet if it ends up last
++ * 6-byte packet in the stream. Timer needs to fire
++ * psmouse core times out itself. 20 ms should be enough
++ * to decide if we are getting more data or not.
++ */
++ mod_timer(&priv->timer, jiffies + msecs_to_jiffies(20));
++ return PSMOUSE_GOOD_DATA;
++ }
++
++ del_timer(&priv->timer);
++
++ if (psmouse->packet[6] & 0x80) {
++
++ /*
++ * Highest bit is set - that means we either had
++ * complete ALPS packet and this is start of the
++ * next packet or we got garbage.
++ */
++
++ if (((psmouse->packet[3] |
++ psmouse->packet[4] |
++ psmouse->packet[5]) & 0x80) ||
++ (!alps_is_valid_first_byte(priv->i, psmouse->packet[6]))) {
++ dbg("refusing packet %x %x %x %x "
++ "(suspected interleaved ps/2)\n",
++ psmouse->packet[3], psmouse->packet[4],
++ psmouse->packet[5], psmouse->packet[6]);
++ return PSMOUSE_BAD_DATA;
++ }
++
++ alps_process_packet(psmouse);
++
++ /* Continue with the next packet */
++ psmouse->packet[0] = psmouse->packet[6];
++ psmouse->pktcnt = 1;
++
++ } else {
++
++ /*
++ * High bit is 0 - that means that we indeed got a PS/2
++ * packet in the middle of ALPS packet.
++ *
++ * There is also possibility that we got 6-byte ALPS
++ * packet followed by 3-byte packet from trackpoint. We
++ * can not distinguish between these 2 scenarios but
++ * becase the latter is unlikely to happen in course of
++ * normal operation (user would need to press all
++ * buttons on the pad and start moving trackpoint
++ * without touching the pad surface) we assume former.
++ * Even if we are wrong the wost thing that would happen
++ * the cursor would jump but we should not get protocol
++ * desynchronization.
++ */
++
++ alps_report_bare_ps2_packet(psmouse, &psmouse->packet[3],
++ false);
++
++ /*
++ * Continue with the standard ALPS protocol handling,
++ * but make sure we won't process it as an interleaved
++ * packet again, which may happen if all buttons are
++ * pressed. To avoid this let's reset the 4th bit which
++ * is normally 1.
++ */
++ psmouse->packet[3] = psmouse->packet[6] & 0xf7;
++ psmouse->pktcnt = 4;
++ }
++
++ return PSMOUSE_GOOD_DATA;
++}
++
++static void alps_flush_packet(unsigned long data)
++{
++ struct psmouse *psmouse = (struct psmouse *)data;
++
++ serio_pause_rx(psmouse->ps2dev.serio);
++
++ if (psmouse->pktcnt == 6) {
++
++ /*
++ * We did not any more data in reasonable amount of time.
++ * Validate the last 3 bytes and process as a standard
++ * ALPS packet.
++ */
++ if ((psmouse->packet[3] |
++ psmouse->packet[4] |
++ psmouse->packet[5]) & 0x80) {
++ dbg("refusing packet %x %x %x "
++ "(suspected interleaved ps/2)\n",
++ psmouse->packet[3], psmouse->packet[4],
++ psmouse->packet[5]);
++ } else {
++ alps_process_packet(psmouse);
++ }
++ psmouse->pktcnt = 0;
++ }
++
++ serio_continue_rx(psmouse->ps2dev.serio);
++}
++
+ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
+ {
+ struct alps_data *priv = psmouse->private;
++ const struct alps_model_info *model = priv->i;
+
+ if ((psmouse->packet[0] & 0xc8) == 0x08) { /* PS/2 packet */
+ if (psmouse->pktcnt == 3) {
+- alps_process_packet(psmouse);
++ alps_report_bare_ps2_packet(psmouse, psmouse->packet,
++ true);
+ return PSMOUSE_FULL_PACKET;
+ }
+ return PSMOUSE_GOOD_DATA;
+ }
+
+- if ((psmouse->packet[0] & priv->i->mask0) != priv->i->byte0)
++ /* Check for PS/2 packet stuffed in the middle of ALPS packet. */
++
++ if ((model->flags & ALPS_PS2_INTERLEAVED) &&
++ psmouse->pktcnt >= 4 && (psmouse->packet[3] & 0x0f) == 0x0f) {
++ return alps_handle_interleaved_ps2(psmouse);
++ }
++
++ if (!alps_is_valid_first_byte(model, psmouse->packet[0])) {
++ dbg("refusing packet[0] = %x (mask0 = %x, byte0 = %x)\n",
++ psmouse->packet[0], model->mask0, model->byte0);
+ return PSMOUSE_BAD_DATA;
++ }
+
+ /* Bytes 2 - 6 should have 0 in the highest bit */
+ if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= 6 &&
+- (psmouse->packet[psmouse->pktcnt - 1] & 0x80))
++ (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) {
++ dbg("refusing packet[%i] = %x\n",
++ psmouse->pktcnt - 1, psmouse->packet[psmouse->pktcnt - 1]);
+ return PSMOUSE_BAD_DATA;
++ }
+
+ if (psmouse->pktcnt == 6) {
+ alps_process_packet(psmouse);
+@@ -441,6 +640,7 @@ static void alps_disconnect(struct psmou
+ struct alps_data *priv = psmouse->private;
+
+ psmouse_reset(psmouse);
++ del_timer_sync(&priv->timer);
+ input_unregister_device(priv->dev2);
+ kfree(priv);
+ }
+@@ -457,6 +657,8 @@ int alps_init(struct psmouse *psmouse)
+ goto init_fail;
+
+ priv->dev2 = dev2;
++ setup_timer(&priv->timer, alps_flush_packet, (unsigned long)psmouse);
++
+ psmouse->private = priv;
+
+ if (alps_hw_init(psmouse, &version))
+--- a/drivers/input/mouse/alps.h
++++ b/drivers/input/mouse/alps.h
+@@ -23,6 +23,7 @@ struct alps_data {
+ char phys[32]; /* Phys */
+ const struct alps_model_info *i;/* Info */
+ int prev_fin; /* Finger bit from previous packet */
++ struct timer_list timer;
+ };
+
+ #ifdef CONFIG_MOUSE_PS2_ALPS
--- /dev/null
+From 7d6feeb287c61aafa88f06345387b1188edf4b86 Mon Sep 17 00:00:00 2001
+From: Serge E. Hallyn <serue@us.ibm.com>
+Date: Tue, 15 Dec 2009 16:47:27 -0800
+Subject: ipc ns: fix memory leak (idr)
+Patch-mainline: 2.6.33
+
+From: Serge E. Hallyn <serue@us.ibm.com>
+
+commit 7d6feeb287c61aafa88f06345387b1188edf4b86 upstream.
+
+We have apparently had a memory leak since
+7ca7e564e049d8b350ec9d958ff25eaa24226352 "ipc: store ipcs into IDRs" in
+2007. The idr of which 3 exist for each ipc namespace is never freed.
+
+This patch simply frees them when the ipcns is freed. I don't believe any
+idr_remove() are done from rcu (and could therefore be delayed until after
+this idr_destroy()), so the patch should be safe. Some quick testing
+showed no harm, and the memory leak fixed.
+
+Caught by kmemleak.
+
+Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Nick Piggin <npiggin@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/msg.c | 1 +
+ ipc/sem.c | 1 +
+ ipc/shm.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -125,6 +125,7 @@ void msg_init_ns(struct ipc_namespace *n
+ void msg_exit_ns(struct ipc_namespace *ns)
+ {
+ free_ipcs(ns, &msg_ids(ns), freeque);
++ idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
+ }
+ #endif
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -129,6 +129,7 @@ void sem_init_ns(struct ipc_namespace *n
+ void sem_exit_ns(struct ipc_namespace *ns)
+ {
+ free_ipcs(ns, &sem_ids(ns), freeary);
++ idr_destroy(&ns->ids[IPC_SEM_IDS].ipcs_idr);
+ }
+ #endif
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -101,6 +101,7 @@ static void do_shm_rmid(struct ipc_names
+ void shm_exit_ns(struct ipc_namespace *ns)
+ {
+ free_ipcs(ns, &shm_ids(ns), do_shm_rmid);
++ idr_destroy(&ns->ids[IPC_SHM_IDS].ipcs_idr);
+ }
+ #endif
+
--- /dev/null
+From: Avi Kivity <avi@redhat.com>
+Date: Tue, 24 Nov 2009 15:20:15 +0200
+Subject: KVM: x86 emulator: limit instructions to 15 bytes
+
+From: Avi Kivity <avi@redhat.com>
+
+commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream
+
+While we are never normally passed an instruction that exceeds 15 bytes,
+smp games can cause us to attempt to interpret one, which will cause
+large latencies in non-preempt hosts.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/include/asm/kvm_x86_emulate.h | 2 +-
+ arch/x86/kvm/x86_emulate.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_x86_emulate.h
++++ b/arch/x86/include/asm/kvm_x86_emulate.h
+@@ -129,7 +129,7 @@ struct decode_cache {
+ u8 seg_override;
+ unsigned int d;
+ unsigned long regs[NR_VCPU_REGS];
+- unsigned long eip;
++ unsigned long eip, eip_orig;
+ /* modrm */
+ u8 modrm;
+ u8 modrm_mod;
+--- a/arch/x86/kvm/x86_emulate.c
++++ b/arch/x86/kvm/x86_emulate.c
+@@ -606,6 +606,9 @@ static int do_insn_fetch(struct x86_emul
+ {
+ int rc = 0;
+
++ /* x86 instructions are limited to 15 bytes. */
++ if (eip + size - ctxt->decode.eip_orig > 15)
++ return X86EMUL_UNHANDLEABLE;
+ eip += ctxt->cs_base;
+ while (size--) {
+ rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
+@@ -864,7 +867,7 @@ x86_decode_insn(struct x86_emulate_ctxt
+ /* Shadow copy of register state. Committed on successful emulation. */
+
+ memset(c, 0, sizeof(struct decode_cache));
+- c->eip = kvm_rip_read(ctxt->vcpu);
++ c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu);
+ ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
+ memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
+
--- /dev/null
+From bb7d3f24c71e528989501617651b669fbed798cb Mon Sep 17 00:00:00 2001
+From: Bryn M. Reeves <bmr@redhat.com>
+Date: Thu, 12 Nov 2009 18:31:54 +0000
+Subject: [SCSI] megaraid_sas: remove sysfs poll_mode_io world writeable permissions
+Patch-mainline: 2.6.33
+References: bnc#557180 CVE-2009-3939
+
+From: Bryn M. Reeves <bmr@redhat.com>
+
+commit bb7d3f24c71e528989501617651b669fbed798cb upstream.
+
+/sys/bus/pci/drivers/megaraid_sas/poll_mode_io defaults to being
+world-writable, which seems bad (letting any user affect kernel driver
+behavior).
+
+This turns off group and user write permissions, so that on typical
+production systems only root can write to it.
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/megaraid/megaraid_sas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas.c
++++ b/drivers/scsi/megaraid/megaraid_sas.c
+@@ -3451,7 +3451,7 @@ out:
+ return retval;
+ }
+
+-static DRIVER_ATTR(poll_mode_io, S_IRUGO|S_IWUGO,
++static DRIVER_ATTR(poll_mode_io, S_IRUGO|S_IWUSR,
+ megasas_sysfs_show_poll_mode_io,
+ megasas_sysfs_set_poll_mode_io);
+
--- /dev/null
+From eeec32a731631a9bad9abb21c626b9f2840bee0d Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Mon, 4 Jan 2010 16:26:50 +0000
+Subject: nozomi: quick fix for the close/close bug
+Patch-mainline: 2.6.33
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit eeec32a731631a9bad9abb21c626b9f2840bee0d upstream.
+
+Nozomi goes wrong if you get the sequence
+
+ open
+ open
+ close
+
+ [stuff]
+ close
+
+which turns out to occur on some ppp type setups.
+
+This is a quick patch up for the problem. It's not really fixing Nozomi
+which completely fails to implement tty open/close semantics and all the
+other needed stuff. Doing it right is a rather more invasive patch set and
+not one that will backport.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/nozomi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/nozomi.c
++++ b/drivers/char/nozomi.c
+@@ -1628,10 +1628,10 @@ static void ntty_close(struct tty_struct
+
+ dc->open_ttys--;
+ port->count--;
+- tty_port_tty_set(port, NULL);
+
+ if (port->count == 0) {
+ DBG1("close: %d", nport->token_dl);
++ tty_port_tty_set(port, NULL);
+ spin_lock_irqsave(&dc->spin_mutex, flags);
+ dc->last_ier &= ~(nport->token_dl);
+ writew(dc->last_ier, dc->reg_ier);
--- /dev/null
+From 6ccf80eb15ccaca4d3f1ab5162b9ded5eecd9971 Mon Sep 17 00:00:00 2001
+From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Fri, 15 Jan 2010 17:01:18 -0800
+Subject: page allocator: update NR_FREE_PAGES only when necessary
+Patch-mainline: 2.6.33
+
+From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+
+commit 6ccf80eb15ccaca4d3f1ab5162b9ded5eecd9971 upstream.
+
+commit f2260e6b (page allocator: update NR_FREE_PAGES only as necessary)
+made one minor regression. if __rmqueue() was failed, NR_FREE_PAGES stat
+go wrong. this patch fixes it.
+
+Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Cc: Mel Gorman <mel@csn.ul.ie>
+Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
+Reported-by: Huang Shijie <shijie8@gmail.com>
+Reviewed-by: Christoph Lameter <cl@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1167,10 +1167,10 @@ again:
+ }
+ spin_lock_irqsave(&zone->lock, flags);
+ page = __rmqueue(zone, order, migratetype);
+- __mod_zone_page_state(zone, NR_FREE_PAGES, -(1 << order));
+ spin_unlock(&zone->lock);
+ if (!page)
+ goto failed;
++ __mod_zone_page_state(zone, NR_FREE_PAGES, -(1 << order));
+ }
+
+ __count_zone_vm_events(PGALLOC, zone, 1 << order);
--- /dev/null
+From 87038c2d5bda2418fda8b1456a0ae81cc3ff5bd8 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 23 Nov 2009 09:29:58 +0100
+Subject: partitions: read whole sector with EFI GPT header
+
+From: Karel Zak <kzak@redhat.com>
+
+commit 87038c2d5bda2418fda8b1456a0ae81cc3ff5bd8 upstream.
+
+The size of EFI GPT header is not static, but whole sector is
+allocated for the header. The HeaderSize field must be greater
+than 92 (= sizeof(struct gpt_header) and must be less than or
+equal to the logical block size.
+
+It means we have to read whole sector with the header, because the
+header crc32 checksum is calculated according to HeaderSize.
+
+For more details see UEFI standard (version 2.3, May 2009):
+ - 5.3.1 GUID Format overview, page 93
+ - Table 13. GUID Partition Table Header, page 96
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/efi.c | 7 ++++---
+ fs/partitions/efi.h | 8 ++++++--
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -257,15 +257,16 @@ static gpt_header *
+ alloc_read_gpt_header(struct block_device *bdev, u64 lba)
+ {
+ gpt_header *gpt;
++ unsigned ssz = bdev_logical_block_size(bdev);
++
+ if (!bdev)
+ return NULL;
+
+- gpt = kzalloc(sizeof (gpt_header), GFP_KERNEL);
++ gpt = kzalloc(ssz, GFP_KERNEL);
+ if (!gpt)
+ return NULL;
+
+- if (read_lba(bdev, lba, (u8 *) gpt,
+- sizeof (gpt_header)) < sizeof (gpt_header)) {
++ if (read_lba(bdev, lba, (u8 *) gpt, ssz) < ssz) {
+ kfree(gpt);
+ gpt=NULL;
+ return NULL;
+--- a/fs/partitions/efi.h
++++ b/fs/partitions/efi.h
+@@ -37,7 +37,6 @@
+ #define EFI_PMBR_OSTYPE_EFI 0xEF
+ #define EFI_PMBR_OSTYPE_EFI_GPT 0xEE
+
+-#define GPT_BLOCK_SIZE 512
+ #define GPT_HEADER_SIGNATURE 0x5452415020494645ULL
+ #define GPT_HEADER_REVISION_V1 0x00010000
+ #define GPT_PRIMARY_PARTITION_TABLE_LBA 1
+@@ -79,7 +78,12 @@ typedef struct _gpt_header {
+ __le32 num_partition_entries;
+ __le32 sizeof_partition_entry;
+ __le32 partition_entry_array_crc32;
+- u8 reserved2[GPT_BLOCK_SIZE - 92];
++
++ /* The rest of the logical block is reserved by UEFI and must be zero.
++ * EFI standard handles this by:
++ *
++ * uint8_t reserved2[ BlockSize - 92 ];
++ */
+ } __attribute__ ((packed)) gpt_header;
+
+ typedef struct _gpt_entry_attributes {
--- /dev/null
+From 7d13af3279985f554784a45cc961f706dbcdbdd1 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 23 Nov 2009 09:29:13 +0100
+Subject: partitions: use sector size for EFI GPT
+
+From: Karel Zak <kzak@redhat.com>
+
+commit 7d13af3279985f554784a45cc961f706dbcdbdd1 upstream.
+
+Currently, kernel uses strictly 512-byte sectors for EFI GPT parsing.
+That's wrong.
+
+UEFI standard (version 2.3, May 2009, 5.3.1 GUID Format overview, page
+95) defines that LBA is always based on the logical block size. It
+means bdev_logical_block_size() (aka BLKSSZGET) for Linux.
+
+This patch removes static sector size from EFI GPT parser.
+
+The problem is reproducible with the latest GNU Parted:
+
+ # modprobe scsi_debug dev_size_mb=50 sector_size=4096
+
+ # ./parted /dev/sdb print
+ Model: Linux scsi_debug (scsi)
+ Disk /dev/sdb: 52.4MB
+ Sector size (logical/physical): 4096B/4096B
+ Partition Table: gpt
+
+ Number Start End Size File system Name Flags
+ 1 24.6kB 3002kB 2978kB primary
+ 2 3002kB 6001kB 2998kB primary
+ 3 6001kB 9003kB 3002kB primary
+
+ # blockdev --rereadpt /dev/sdb
+ # dmesg | tail -1
+ sdb: unknown partition table <---- !!!
+
+with this patch:
+
+ # blockdev --rereadpt /dev/sdb
+ # dmesg | tail -1
+ sdb: sdb1 sdb2 sdb3
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/efi.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -1,7 +1,9 @@
+ /************************************************************
+ * EFI GUID Partition Table handling
+- * Per Intel EFI Specification v1.02
+- * http://developer.intel.com/technology/efi/efi.htm
++ *
++ * http://www.uefi.org/specs/
++ * http://www.intel.com/technology/efi/
++ *
+ * efi.[ch] by Matt Domsch <Matt_Domsch@dell.com>
+ * Copyright 2000,2001,2002,2004 Dell Inc.
+ *
+@@ -92,6 +94,7 @@
+ *
+ ************************************************************/
+ #include <linux/crc32.h>
++#include <linux/math64.h>
+ #include "check.h"
+ #include "efi.h"
+
+@@ -141,7 +144,8 @@ last_lba(struct block_device *bdev)
+ {
+ if (!bdev || !bdev->bd_inode)
+ return 0;
+- return (bdev->bd_inode->i_size >> 9) - 1ULL;
++ return div_u64(bdev->bd_inode->i_size,
++ bdev_logical_block_size(bdev)) - 1ULL;
+ }
+
+ static inline int
+@@ -188,6 +192,7 @@ static size_t
+ read_lba(struct block_device *bdev, u64 lba, u8 * buffer, size_t count)
+ {
+ size_t totalreadcount = 0;
++ sector_t n = lba * (bdev_logical_block_size(bdev) / 512);
+
+ if (!bdev || !buffer || lba > last_lba(bdev))
+ return 0;
+@@ -195,7 +200,7 @@ read_lba(struct block_device *bdev, u64
+ while (count) {
+ int copied = 512;
+ Sector sect;
+- unsigned char *data = read_dev_sector(bdev, lba++, §);
++ unsigned char *data = read_dev_sector(bdev, n++, §);
+ if (!data)
+ break;
+ if (copied > count)
+@@ -602,6 +607,7 @@ efi_partition(struct parsed_partitions *
+ gpt_header *gpt = NULL;
+ gpt_entry *ptes = NULL;
+ u32 i;
++ unsigned ssz = bdev_logical_block_size(bdev) / 512;
+
+ if (!find_valid_gpt(bdev, &gpt, &ptes) || !gpt || !ptes) {
+ kfree(gpt);
+@@ -612,13 +618,14 @@ efi_partition(struct parsed_partitions *
+ pr_debug("GUID Partition Table is valid! Yea!\n");
+
+ for (i = 0; i < le32_to_cpu(gpt->num_partition_entries) && i < state->limit-1; i++) {
++ u64 start = le64_to_cpu(ptes[i].starting_lba);
++ u64 size = le64_to_cpu(ptes[i].ending_lba) -
++ le64_to_cpu(ptes[i].starting_lba) + 1ULL;
++
+ if (!is_pte_valid(&ptes[i], last_lba(bdev)))
+ continue;
+
+- put_partition(state, i+1, le64_to_cpu(ptes[i].starting_lba),
+- (le64_to_cpu(ptes[i].ending_lba) -
+- le64_to_cpu(ptes[i].starting_lba) +
+- 1ULL));
++ put_partition(state, i+1, start * ssz, size * ssz);
+
+ /* If this is a RAID volume, tell md */
+ if (!efi_guidcmp(ptes[i].partition_type_guid,
--- /dev/null
+From ec8e2f7466ca370f5e09000ca40a71759afc9ac8 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 17 Dec 2009 15:27:06 -0800
+Subject: reiserfs: truncate blocks not used by a write
+Patch-mainline: 2.6.33
+
+From: Jan Kara <jack@suse.cz>
+
+commit ec8e2f7466ca370f5e09000ca40a71759afc9ac8 upstream.
+
+It can happen that write does not use all the blocks allocated in
+write_begin either because of some filesystem error (like ENOSPC) or
+because page with data to write has been removed from memory. We truncate
+these blocks so that we don't have dangling blocks beyond i_size.
+
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/inode.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/fs/reiserfs/inode.c
++++ b/fs/reiserfs/inode.c
+@@ -2531,6 +2531,12 @@ static int reiserfs_writepage(struct pag
+ return reiserfs_write_full_page(page, wbc);
+ }
+
++static void reiserfs_truncate_failed_write(struct inode *inode)
++{
++ truncate_inode_pages(inode->i_mapping, inode->i_size);
++ reiserfs_truncate_file(inode, 0);
++}
++
+ static int reiserfs_write_begin(struct file *file,
+ struct address_space *mapping,
+ loff_t pos, unsigned len, unsigned flags,
+@@ -2597,6 +2603,8 @@ static int reiserfs_write_begin(struct f
+ if (ret) {
+ unlock_page(page);
+ page_cache_release(page);
++ /* Truncate allocated blocks */
++ reiserfs_truncate_failed_write(inode);
+ }
+ return ret;
+ }
+@@ -2689,8 +2697,7 @@ static int reiserfs_write_end(struct fil
+ ** transaction tracking stuff when the size changes. So, we have
+ ** to do the i_size updates here.
+ */
+- pos += copied;
+- if (pos > inode->i_size) {
++ if (pos + copied > inode->i_size) {
+ struct reiserfs_transaction_handle myth;
+ reiserfs_write_lock(inode->i_sb);
+ /* If the file have grown beyond the border where it
+@@ -2708,7 +2715,7 @@ static int reiserfs_write_end(struct fil
+ goto journal_error;
+ }
+ reiserfs_update_inode_transaction(inode);
+- inode->i_size = pos;
++ inode->i_size = pos + copied;
+ /*
+ * this will just nest into our transaction. It's important
+ * to use mark_inode_dirty so the inode gets pushed around on the
+@@ -2735,6 +2742,10 @@ static int reiserfs_write_end(struct fil
+ out:
+ unlock_page(page);
+ page_cache_release(page);
++
++ if (pos + len > inode->i_size)
++ reiserfs_truncate_failed_write(inode);
++
+ return ret == 0 ? copied : ret;
+
+ journal_error:
--- /dev/null
+From cc9b2e9f6603190c009e5d2629ce8e3f99571346 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@suse.de>
+Date: Thu, 26 Nov 2009 09:50:20 -0600
+Subject: SCSI: enclosure: fix oops while iterating enclosure_status array
+Patch-mainline: 2.6.33
+
+From: James Bottomley <James.Bottomley@suse.de>
+
+commit cc9b2e9f6603190c009e5d2629ce8e3f99571346 upstream.
+
+Based on patch originally by Jeff Mahoney <jeffm@suse.com>
+
+ enclosure_status is expected to be a NULL terminated array of strings
+ but isn't actually NULL terminated. When writing an invalid value to
+ /sys/class/enclosure/.../.../status, it goes off the end of the array
+ and Oopses.
+
+
+Fix by making the assumption true and adding NULL at the end.
+
+Reported-by: Artur Wojcik <artur.wojcik@intel.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/enclosure.c | 1 +
+ include/linux/enclosure.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/misc/enclosure.c
++++ b/drivers/misc/enclosure.c
+@@ -362,6 +362,7 @@ static const char *const enclosure_statu
+ [ENCLOSURE_STATUS_NOT_INSTALLED] = "not installed",
+ [ENCLOSURE_STATUS_UNKNOWN] = "unknown",
+ [ENCLOSURE_STATUS_UNAVAILABLE] = "unavailable",
++ [ENCLOSURE_STATUS_MAX] = NULL,
+ };
+
+ static const char *const enclosure_type [] = {
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -42,6 +42,8 @@ enum enclosure_status {
+ ENCLOSURE_STATUS_NOT_INSTALLED,
+ ENCLOSURE_STATUS_UNKNOWN,
+ ENCLOSURE_STATUS_UNAVAILABLE,
++ /* last element for counting purposes */
++ ENCLOSURE_STATUS_MAX
+ };
+
+ /* SFF-8485 activity light settings */
--- /dev/null
+From 6d34855d9aa281f72c533ecb827405139d1b0fe9 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Wed, 9 Dec 2009 12:31:37 -0800
+Subject: serial: 8250_pnp: use wildcard for serial Wacom tablets
+Patch-mainline: 2.6.33
+
+From: Matthew Garrett <mjg@redhat.com>
+
+commit 6d34855d9aa281f72c533ecb827405139d1b0fe9 upstream.
+
+Wacom claims that the WACF namespace will always be devoted to serial
+Wacom tablets. Remove the existing entries and add a wildcard to avoid
+having to update the kernel every time they add a new device.
+
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Tested-by: Ping Cheng <pingc@wacom.com>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/serial/8250_pnp.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/drivers/serial/8250_pnp.c
++++ b/drivers/serial/8250_pnp.c
+@@ -328,15 +328,7 @@ static const struct pnp_device_id pnp_de
+ /* U.S. Robotics 56K Voice INT PnP*/
+ { "USR9190", 0 },
+ /* Wacom tablets */
+- { "WACF004", 0 },
+- { "WACF005", 0 },
+- { "WACF006", 0 },
+- { "WACF007", 0 },
+- { "WACF008", 0 },
+- { "WACF009", 0 },
+- { "WACF00A", 0 },
+- { "WACF00B", 0 },
+- { "WACF00C", 0 },
++ { "WACFXXX", 0 },
+ /* Compaq touchscreen */
+ { "FPI2002", 0 },
+ /* Fujitsu Stylistic touchscreens */
cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch
resource-add-helpers-for-fetching-rlimits.patch
fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch
-
-# needs more to be added first
rtc-fm3130-add-missing-braces.patch
+ath5k-fix-eeprom-checksum-check-for-custom-sized-eeproms.patch
+clockevent-don-t-remove-broadcast-device-when-cpu-is-dead.patch
+connector-delete-buggy-notification-code.patch
+kvm-x86-emulator-limit-instructions-to-15-bytes.patch
+alsa-usb-audio-avoid-oops-after-disconnect.patch
+hid-add-device-ids-for-new-model-of-apple-wireless-keyboard.patch
+inotify-do-not-reuse-watch-descriptors.patch
+inotify-only-warn-once-for-inotify-problems.patch
+edac-i5000_edac-critical-fix-panic-out-of-bounds.patch
+megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-permissions.patch
+page-allocator-update-nr_free_pages-only-when-necessary.patch
+x86-apic-use-physical-mode-for-ibm-summit-platforms.patch
+reiserfs-truncate-blocks-not-used-by-a-write.patch
+ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch
+ecryptfs-use-after-free.patch
+nozomi-quick-fix-for-the-close-close-bug.patch
+serial-8250_pnp-use-wildcard-for-serial-wacom-tablets.patch
+tty-fix-race-in-tty_fasync.patch
+usb-add-missing-delay-during-remote-wakeup.patch
+usb-add-speed-values-for-usb-3.0-and-wireless-controllers.patch
+usb-don-t-use-gfp_kernel-while-we-cannot-reset-a-storage-device.patch
+usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch
+usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch
+usb-fix-bitmask-merge-error.patch
+usb-serial-fix-memory-leak-in-generic-driver.patch
+scsi-enclosure-fix-oops-while-iterating-enclosure_status-array.patch
+x86-pci-pat-return-einval-for-pci-mmap-wc-request-for-pat_enabled.patch
+usb-fix-usbstorage-for-2770-915d-delivers-no-fat.patch
+vmalloc-remove-bug_on-due-to-racy-counting-of-vm_lazy_free.patch
+input-alps-add-interleaved-protocol-support-dell-e6x00-series.patch
+partitions-read-whole-sector-with-efi-gpt-header.patch
+partitions-use-sector-size-for-efi-gpt.patch
+sfc-fix-dma-mapping-cleanup-in-case-of-an-error-in-tso.patch
+v4l-dvb-af9015-add-new-usb-id-for-kworld-plustv-dual-dvb-t-stick-dvb-t-399u.patch
+ipc-ns-fix-memory-leak-idr.patch
+fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
fix-race-in-tty_fasync-properly.patch
-
--- /dev/null
+From a7ebd27a13757248863cd61e541af7fa9e7727ee Mon Sep 17 00:00:00 2001
+From: Neil Turton <nturton@solarflare.com>
+Date: Wed, 23 Dec 2009 13:47:13 +0000
+Subject: sfc: Fix DMA mapping cleanup in case of an error in TSO
+
+From: Neil Turton <nturton@solarflare.com>
+
+commit a7ebd27a13757248863cd61e541af7fa9e7727ee upstream.
+
+We need buffer->len to remain valid to work out the correct address to
+be unmapped. We therefore need to clear buffer->len after the unmap
+operation.
+
+Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sfc/tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/sfc/tx.c
++++ b/drivers/net/sfc/tx.c
+@@ -823,8 +823,6 @@ static void efx_enqueue_unwind(struct ef
+ tx_queue->efx->type->txd_ring_mask];
+ efx_tsoh_free(tx_queue, buffer);
+ EFX_BUG_ON_PARANOID(buffer->skb);
+- buffer->len = 0;
+- buffer->continuation = true;
+ if (buffer->unmap_len) {
+ unmap_addr = (buffer->dma_addr + buffer->len -
+ buffer->unmap_len);
+@@ -838,6 +836,8 @@ static void efx_enqueue_unwind(struct ef
+ PCI_DMA_TODEVICE);
+ buffer->unmap_len = 0;
+ }
++ buffer->len = 0;
++ buffer->continuation = true;
+ }
+ }
+
--- /dev/null
+From 703625118069f9f8960d356676662d3db5a9d116 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Thu, 17 Dec 2009 07:07:19 -0800
+Subject: tty: fix race in tty_fasync
+Patch-mainline: 2.6.33
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit 703625118069f9f8960d356676662d3db5a9d116 upstream.
+
+We need to keep the lock held over the call to __f_setown() to
+prevent a PID race.
+
+Thanks to Al Viro for pointing out the problem, and to Travis for
+making us look here in the first place.
+
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Tavis Ormandy <taviso@google.com>
+Cc: Jeff Dike <jdike@addtoit.com>
+Cc: Julien Tinnes <jln@google.com>
+Cc: Matt Mackall <mpm@selenic.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/tty_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -1912,8 +1912,8 @@ static int tty_fasync(int fd, struct fil
+ pid = task_pid(current);
+ type = PIDTYPE_PID;
+ }
+- spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+ retval = __f_setown(filp, pid, type, 0);
++ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+ if (retval)
+ goto out;
+ } else {
--- /dev/null
+From 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 8 Jan 2010 11:18:38 -0500
+Subject: USB: add missing delay during remote wakeup
+Patch-mainline: 2.6.33
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 upstream.
+
+This patch (as1330) fixes a bug in khbud's handling of remote
+wakeups. When a device sends a remote-wakeup request, the parent hub
+(or the host controller driver, for directly attached devices) begins
+the resume sequence and notifies khubd when the sequence finishes. At
+this point the port's SUSPEND feature is automatically turned off.
+
+However the device needs an additional 10-ms resume-recovery time
+(TRSMRCY in the USB spec). Khubd does not wait for this delay if the
+SUSPEND feature is off, and as a result some devices fail to behave
+properly following a remote wakeup. This patch adds the missing
+delay to the remote-wakeup path.
+
+It also extends the resume-signalling delay used by ehci-hcd and
+uhci-hcd from 20 ms (the value in the spec) to 25 ms (the value we use
+for non-remote-wakeup resumes). The extra time appears to help some
+devices.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: Rickard Bellini <rickard.bellini@ericsson.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/hub.c | 3 +++
+ drivers/usb/host/ehci-hcd.c | 5 +++--
+ drivers/usb/host/uhci-hub.c | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3188,6 +3188,9 @@ static void hub_events(void)
+ USB_PORT_FEAT_C_SUSPEND);
+ udev = hdev->children[i-1];
+ if (udev) {
++ /* TRSMRCY = 10 msec */
++ msleep(10);
++
+ usb_lock_device(udev);
+ ret = remote_wakeup(hdev->
+ children[i-1]);
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -764,9 +764,10 @@ static irqreturn_t ehci_irq (struct usb_
+
+ /* start 20 msec resume signaling from this port,
+ * and make khubd collect PORT_STAT_C_SUSPEND to
+- * stop that signaling.
++ * stop that signaling. Use 5 ms extra for safety,
++ * like usb_port_resume() does.
+ */
+- ehci->reset_done [i] = jiffies + msecs_to_jiffies (20);
++ ehci->reset_done[i] = jiffies + msecs_to_jiffies(25);
+ ehci_dbg (ehci, "port %d remote wakeup\n", i + 1);
+ mod_timer(&hcd->rh_timer, ehci->reset_done[i]);
+ }
+--- a/drivers/usb/host/uhci-hub.c
++++ b/drivers/usb/host/uhci-hub.c
+@@ -167,7 +167,7 @@ static void uhci_check_ports(struct uhci
+ /* Port received a wakeup request */
+ set_bit(port, &uhci->resuming_ports);
+ uhci->ports_timeout = jiffies +
+- msecs_to_jiffies(20);
++ msecs_to_jiffies(25);
+
+ /* Make sure we see the port again
+ * after the resuming period is over. */
--- /dev/null
+From b132b04e193908a94d95065d0628f8fb0159cc55 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Thu, 14 Jan 2010 10:33:19 -0800
+Subject: USB: add speed values for USB 3.0 and wireless controllers
+Patch-mainline: 2.6.33
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit b132b04e193908a94d95065d0628f8fb0159cc55 upstream.
+
+These controllers say "unknown" for their speed in sysfs, which
+obviously isn't correct.
+
+Reported-by: Kurt Garloff <garloff@novell.com>
+Cc: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/sysfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/core/sysfs.c
++++ b/drivers/usb/core/sysfs.c
+@@ -111,6 +111,12 @@ show_speed(struct device *dev, struct de
+ case USB_SPEED_HIGH:
+ speed = "480";
+ break;
++ case USB_SPEED_VARIABLE:
++ speed = "480";
++ break;
++ case USB_SPEED_SUPER:
++ speed = "5000";
++ break;
+ default:
+ speed = "unknown";
+ }
--- /dev/null
+From acbe2febe71abb2360b008e9ab3ee5c44169f78c Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Tue, 12 Jan 2010 12:32:50 +0100
+Subject: USB: Don't use GFP_KERNEL while we cannot reset a storage device
+Patch-mainline: 2.6.33
+
+From: Oliver Neukum <oliver@neukum.org>
+
+commit acbe2febe71abb2360b008e9ab3ee5c44169f78c upstream.
+
+Memory allocations with GFP_KERNEL can cause IO to a storage
+device which can fail resulting in a need to reset the device.
+Therefore GFP_KERNEL cannot be safely used between usb_lock_device()
+and usb_unlock_device(). Replace by GFP_NOIO.
+
+Signed-off-by: Oliver Neukum <oliver@neukum.org>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devices.c | 2 +-
+ drivers/usb/core/message.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devices.c
++++ b/drivers/usb/core/devices.c
+@@ -494,7 +494,7 @@ static ssize_t usb_device_dump(char __us
+ return 0;
+ /* allocate 2^1 pages = 8K (on i386);
+ * should be more than enough for one device */
+- pages_start = (char *)__get_free_pages(GFP_KERNEL, 1);
++ pages_start = (char *)__get_free_pages(GFP_NOIO, 1);
+ if (!pages_start)
+ return -ENOMEM;
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -923,11 +923,11 @@ char *usb_cache_string(struct usb_device
+ if (index <= 0)
+ return NULL;
+
+- buf = kmalloc(MAX_USB_STRING_SIZE, GFP_KERNEL);
++ buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
+ if (buf) {
+ len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
+ if (len > 0) {
+- smallbuf = kmalloc(++len, GFP_KERNEL);
++ smallbuf = kmalloc(++len, GFP_NOIO);
+ if (!smallbuf)
+ return buf;
+ memcpy(smallbuf, buf, len);
+@@ -1694,7 +1694,7 @@ int usb_set_configuration(struct usb_dev
+ if (cp) {
+ nintf = cp->desc.bNumInterfaces;
+ new_interfaces = kmalloc(nintf * sizeof(*new_interfaces),
+- GFP_KERNEL);
++ GFP_NOIO);
+ if (!new_interfaces) {
+ dev_err(&dev->dev, "Out of memory\n");
+ return -ENOMEM;
+@@ -1703,7 +1703,7 @@ int usb_set_configuration(struct usb_dev
+ for (; n < nintf; ++n) {
+ new_interfaces[n] = kzalloc(
+ sizeof(struct usb_interface),
+- GFP_KERNEL);
++ GFP_NOIO);
+ if (!new_interfaces[n]) {
+ dev_err(&dev->dev, "Out of memory\n");
+ ret = -ENOMEM;
--- /dev/null
+From 1b9a38bfa6e664ff02511314f5586d711c83cc91 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 8 Jan 2010 11:17:55 -0500
+Subject: USB: EHCI: fix handling of unusual interrupt intervals
+Patch-mainline: 2.6.33
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 1b9a38bfa6e664ff02511314f5586d711c83cc91 upstream.
+
+This patch (as1320) fixes two problems related to interrupt-URB
+scheduling in ehci-hcd.
+
+ URBs with an interval of 2 or 4 microframes aren't handled.
+ For the time being, the patch reduces to interval to 1 uframe.
+
+ URBs are constrained to have an interval no larger than 1024
+ frames by usb_submit_urb(). But some EHCI controllers allow
+ use of a schedule as short as 256 frames; for these
+ controllers we may have to decrease the interval to the
+ actual schedule length.
+
+The second problem isn't very significant since few devices expose
+interrupt endpoints with an interval larger than 256 frames. But the
+first problem is critical; it will prevent the kernel from working
+with devices having interrupt intervals of 2 or 4 uframes.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Glynn Farrow <farrowg@sg.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-q.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -802,9 +802,10 @@ qh_make (
+ * But interval 1 scheduling is simpler, and
+ * includes high bandwidth.
+ */
+- dbg ("intr period %d uframes, NYET!",
+- urb->interval);
+- goto done;
++ urb->interval = 1;
++ } else if (qh->period > ehci->periodic_size) {
++ qh->period = ehci->periodic_size;
++ urb->interval = qh->period << 3;
+ }
+ } else {
+ int think_time;
+@@ -827,6 +828,10 @@ qh_make (
+ usb_calc_bus_time (urb->dev->speed,
+ is_input, 0, max_packet (maxp)));
+ qh->period = urb->interval;
++ if (qh->period > ehci->periodic_size) {
++ qh->period = ehci->periodic_size;
++ urb->interval = qh->period;
++ }
+ }
+ }
+
--- /dev/null
+From cec3a53c7fe794237b582e8e77fc0e48465e65ee Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 8 Jan 2010 11:18:20 -0500
+Subject: USB: EHCI & UHCI: fix race between root-hub suspend and port resume
+Patch-mainline: 2.6.33
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit cec3a53c7fe794237b582e8e77fc0e48465e65ee upstream.
+
+This patch (as1321) fixes a problem with EHCI and UHCI root-hub
+suspends: If the suspend occurs while a port is trying to resume, the
+resume doesn't finish and simply gets lost. When remote wakeup is
+enabled, this is undesirable behavior.
+
+The patch checks first to see if any port resumes are in progress, and
+if they are then it fails the root-hub suspend with -EBUSY.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-hub.c | 20 +++++++++++++++++++-
+ drivers/usb/host/uhci-hcd.c | 15 ++++++++++++++-
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/ehci-hub.c
++++ b/drivers/usb/host/ehci-hub.c
+@@ -119,9 +119,26 @@ static int ehci_bus_suspend (struct usb_
+ del_timer_sync(&ehci->watchdog);
+ del_timer_sync(&ehci->iaa_watchdog);
+
+- port = HCS_N_PORTS (ehci->hcs_params);
+ spin_lock_irq (&ehci->lock);
+
++ /* Once the controller is stopped, port resumes that are already
++ * in progress won't complete. Hence if remote wakeup is enabled
++ * for the root hub and any ports are in the middle of a resume or
++ * remote wakeup, we must fail the suspend.
++ */
++ if (hcd->self.root_hub->do_remote_wakeup) {
++ port = HCS_N_PORTS(ehci->hcs_params);
++ while (port--) {
++ if (ehci->reset_done[port] != 0) {
++ spin_unlock_irq(&ehci->lock);
++ ehci_dbg(ehci, "suspend failed because "
++ "port %d is resuming\n",
++ port + 1);
++ return -EBUSY;
++ }
++ }
++ }
++
+ /* stop schedules, clean any completed work */
+ if (HC_IS_RUNNING(hcd->state)) {
+ ehci_quiesce (ehci);
+@@ -137,6 +154,7 @@ static int ehci_bus_suspend (struct usb_
+ */
+ ehci->bus_suspended = 0;
+ ehci->owned_ports = 0;
++ port = HCS_N_PORTS(ehci->hcs_params);
+ while (port--) {
+ u32 __iomem *reg = &ehci->regs->port_status [port];
+ u32 t1 = ehci_readl(ehci, reg) & ~PORT_RWC_BITS;
+--- a/drivers/usb/host/uhci-hcd.c
++++ b/drivers/usb/host/uhci-hcd.c
+@@ -749,7 +749,20 @@ static int uhci_rh_suspend(struct usb_hc
+ spin_lock_irq(&uhci->lock);
+ if (!test_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags))
+ rc = -ESHUTDOWN;
+- else if (!uhci->dead)
++ else if (uhci->dead)
++ ; /* Dead controllers tell no tales */
++
++ /* Once the controller is stopped, port resumes that are already
++ * in progress won't complete. Hence if remote wakeup is enabled
++ * for the root hub and any ports are in the middle of a resume or
++ * remote wakeup, we must fail the suspend.
++ */
++ else if (hcd->self.root_hub->do_remote_wakeup &&
++ uhci->resuming_ports) {
++ dev_dbg(uhci_dev(uhci), "suspend failed because a port "
++ "is resuming\n");
++ rc = -EBUSY;
++ } else
+ suspend_rh(uhci, UHCI_RH_SUSPENDED);
+ spin_unlock_irq(&uhci->lock);
+ return rc;
--- /dev/null
+From a91b593edd4b3e8aa91f671b763b27b8119eb49d Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 22 Dec 2009 23:16:32 -0500
+Subject: USB: fix bitmask merge error
+Patch-mainline: 2.6.33
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit a91b593edd4b3e8aa91f671b763b27b8119eb49d upstream.
+
+This patch adds a mask bit which was mistakenly omitted from the
+as1311 patch (usb-storage: add BAD_SENSE flag).
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/storage/usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/usb.c
++++ b/drivers/usb/storage/usb.c
+@@ -430,7 +430,8 @@ static void adjust_quirks(struct us_data
+ u16 vid = le16_to_cpu(us->pusb_dev->descriptor.idVendor);
+ u16 pid = le16_to_cpu(us->pusb_dev->descriptor.idProduct);
+ unsigned f = 0;
+- unsigned int mask = (US_FL_SANE_SENSE | US_FL_FIX_CAPACITY |
++ unsigned int mask = (US_FL_SANE_SENSE | US_FL_BAD_SENSE |
++ US_FL_FIX_CAPACITY |
+ US_FL_CAPACITY_HEURISTICS | US_FL_IGNORE_DEVICE |
+ US_FL_NOT_LOCKABLE | US_FL_MAX_SECTORS_64 |
+ US_FL_CAPACITY_OK | US_FL_IGNORE_RESIDUE |
--- /dev/null
+From 10d2cdb6102669279bee2d9a00a22431b74583d5 Mon Sep 17 00:00:00 2001
+From: Ryan May <rmay31@gmail.com>
+Date: Wed, 6 Jan 2010 10:09:25 -0600
+Subject: USB: fix usbstorage for 2770:915d delivers no FAT
+Patch-mainline: 2.6.33
+References: bnc#552353
+
+From: Ryan May <rmay31@gmail.com>
+
+commit 10d2cdb6102669279bee2d9a00a22431b74583d5 upstream.
+
+Resolves kernel.org bug 14914.
+
+Remove entry for 2770:915d (usb digital camera with mass storage
+support) from unusual_devs.h. The fix triggered by the entry causes
+the file system on the camera to be completely inaccessible (no
+partition table, the device is not mountable).
+
+The patch works, but let me clarify a few things about it. All the
+patch does is remove the entry for this device from the
+drivers/usb/storage/unusual_devs.h, which is supposed to help with a
+problem with the device's reported size (I think). I'm pretty sure it
+was originally added for a reason, so I'm not sure removing it won't
+cause other problems to reappear. Also, I should note that this
+unusual_devs.h entry was present (and activating workarounds) in
+2.6.29, but in that version everything works fine. Starting with
+2.6.30, things no longer work.
+
+Signed-off-by: Ryan May <rmay31@gmail.com>
+Cc: Rohan Hart <rohan.hart17@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1827,13 +1827,6 @@ UNUSUAL_DEV( 0x2735, 0x100b, 0x0000, 0x
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+ US_FL_GO_SLOW ),
+
+-/* Reported by Rohan Hart <rohan.hart17@gmail.com> */
+-UNUSUAL_DEV( 0x2770, 0x915d, 0x0010, 0x0010,
+- "INTOVA",
+- "Pixtreme",
+- US_SC_DEVICE, US_PR_DEVICE, NULL,
+- US_FL_FIX_CAPACITY ),
+-
+ /* Reported by Frederic Marchal <frederic.marchal@wowcompany.com>
+ * Mio Moov 330
+ */
--- /dev/null
+From 2591530204a76fecc843529ade56afe865dd2657 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Wed, 6 Jan 2010 15:48:42 -0800
+Subject: usb: serial: fix memory leak in generic driver
+Patch-mainline: 2.6.33
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 2591530204a76fecc843529ade56afe865dd2657 upstream.
+
+Fix a regression introduced by commit
+715b1dc01fe44537e8fce9566e4bb48d6821d84b ("USB: usb_debug,
+usb_generic_serial: implement multi urb write").
+
+URB transfer buffer was never freed when using multi-urb writes.
+Currently the only driver enabling multi-urb writes is usb_debug.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Cc: Greg KH <greg@kroah.com>
+Acked-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/generic.c
++++ b/drivers/usb/serial/generic.c
+@@ -480,6 +480,8 @@ void usb_serial_generic_write_bulk_callb
+ dbg("%s - port %d", __func__, port->number);
+
+ if (port->serial->type->max_in_flight_urbs) {
++ kfree(urb->transfer_buffer);
++
+ spin_lock_irqsave(&port->lock, flags);
+ --port->urbs_in_flight;
+ port->tx_bytes_flight -= urb->transfer_buffer_length;
--- /dev/null
+From c92f056308c4a77a833e1cc1e16c1b68974483a6 Mon Sep 17 00:00:00 2001
+From: Mart Raudsepp <mart.raudsepp@artecdesign.ee>
+Date: Fri, 24 Jul 2009 13:45:41 -0300
+Subject: V4L/DVB: af9015: add new USB ID for KWorld PlusTV Dual DVB-T Stick (DVB-T 399U)
+
+From: Mart Raudsepp <mart.raudsepp@artecdesign.ee>
+
+commit c92f056308c4a77a833e1cc1e16c1b68974483a6 upstream.
+
+Add new USB ID (1b80:e400) for KWorld PlusTV Dual DVB-T Stick (DVB-T 399U).
+The model number on the devices sticker label is "KW-DVB-T 399UR".
+
+Signed-off-by: Mart Raudsepp <mart.raudsepp@artecdesign.ee>
+Acked-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/dvb/dvb-usb/af9015.c | 4 +++-
+ drivers/media/dvb/dvb-usb/dvb-usb-ids.h | 1 +
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb/dvb-usb/af9015.c
++++ b/drivers/media/dvb/dvb-usb/af9015.c
+@@ -1266,6 +1266,7 @@ static struct usb_device_id af9015_usb_t
+ {USB_DEVICE(USB_VID_KWORLD_2, USB_PID_CONCEPTRONIC_CTVDIGRCU)},
+ {USB_DEVICE(USB_VID_KWORLD_2, USB_PID_KWORLD_MC810)},
+ {USB_DEVICE(USB_VID_KYE, USB_PID_GENIUS_TVGO_DVB_T03)},
++/* 25 */{USB_DEVICE(USB_VID_KWORLD_2, USB_PID_KWORLD_399U_2)},
+ {0},
+ };
+ MODULE_DEVICE_TABLE(usb, af9015_usb_table);
+@@ -1346,7 +1347,8 @@ static struct dvb_usb_device_properties
+ {
+ .name = "KWorld PlusTV Dual DVB-T Stick " \
+ "(DVB-T 399U)",
+- .cold_ids = {&af9015_usb_table[4], NULL},
++ .cold_ids = {&af9015_usb_table[4],
++ &af9015_usb_table[25], NULL},
+ .warm_ids = {NULL},
+ },
+ {
+--- a/drivers/media/dvb/dvb-usb/dvb-usb-ids.h
++++ b/drivers/media/dvb/dvb-usb/dvb-usb-ids.h
+@@ -103,6 +103,7 @@
+ #define USB_PID_GRANDTEC_DVBT_USB_WARM 0x0fa1
+ #define USB_PID_INTEL_CE9500 0x9500
+ #define USB_PID_KWORLD_399U 0xe399
++#define USB_PID_KWORLD_399U_2 0xe400
+ #define USB_PID_KWORLD_395U 0xe396
+ #define USB_PID_KWORLD_395U_2 0xe39b
+ #define USB_PID_KWORLD_395U_3 0xe395
--- /dev/null
+From 88f5004430babb836cfce886d5d54c82166f8ba4 Mon Sep 17 00:00:00 2001
+From: Yongseok Koh <yongseok.koh@samsung.com>
+Date: Tue, 19 Jan 2010 17:33:49 +0900
+Subject: vmalloc: remove BUG_ON due to racy counting of VM_LAZY_FREE
+Patch-mainline: 2.6.33
+
+From: Yongseok Koh <yongseok.koh@samsung.com>
+
+commit 88f5004430babb836cfce886d5d54c82166f8ba4 upstream.
+
+In free_unmap_area_noflush(), va->flags is marked as VM_LAZY_FREE first, and
+then vmap_lazy_nr is increased atomically.
+
+But, in __purge_vmap_area_lazy(), while traversing of vmap_are_list, nr
+is counted by checking VM_LAZY_FREE is set to va->flags. After counting
+the variable nr, kernel reads vmap_lazy_nr atomically and checks a
+BUG_ON condition whether nr is greater than vmap_lazy_nr to prevent
+vmap_lazy_nr from being negative.
+
+The problem is that, if interrupted right after marking VM_LAZY_FREE,
+increment of vmap_lazy_nr can be delayed. Consequently, BUG_ON
+condition can be met because nr is counted more than vmap_lazy_nr.
+
+It is highly probable when vmalloc/vfree are called frequently. This
+scenario have been verified by adding delay between marking VM_LAZY_FREE
+and increasing vmap_lazy_nr in free_unmap_area_noflush().
+
+Even the vmap_lazy_nr is for checking high watermark, it never be the
+strict watermark. Although the BUG_ON condition is to prevent
+vmap_lazy_nr from being negative, vmap_lazy_nr is signed variable. So,
+it could go down to negative value temporarily.
+
+Consequently, removing the BUG_ON condition is proper.
+
+A possible BUG_ON message is like the below.
+
+ kernel BUG at mm/vmalloc.c:517!
+ invalid opcode: 0000 [#1] SMP
+ EIP: 0060:[<c04824a4>] EFLAGS: 00010297 CPU: 3
+ EIP is at __purge_vmap_area_lazy+0x144/0x150
+ EAX: ee8a8818 EBX: c08e77d4 ECX: e7c7ae40 EDX: c08e77ec
+ ESI: 000081fe EDI: e7c7ae60 EBP: e7c7ae64 ESP: e7c7ae3c
+ DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+ Call Trace:
+ [<c0482ad9>] free_unmap_vmap_area_noflush+0x69/0x70
+ [<c0482b02>] remove_vm_area+0x22/0x70
+ [<c0482c15>] __vunmap+0x45/0xe0
+ [<c04831ec>] vmalloc+0x2c/0x30
+ Code: 8d 59 e0 eb 04 66 90 89 cb 89 d0 e8 87 fe ff ff 8b 43 20 89 da 8d 48 e0 8d 43 20 3b 04 24 75 e7 fe 05 a8 a5 a3 c0 e9 78 ff ff ff <0f> 0b eb fe 90 8d b4 26 00 00 00 00 56 89 c6 b8 ac a5 a3 c0 31
+ EIP: [<c04824a4>] __purge_vmap_area_lazy+0x144/0x150 SS:ESP 0068:e7c7ae3c
+
+[ See also http://marc.info/?l=linux-kernel&m=126335856228090&w=2 ]
+
+Signed-off-by: Yongseok Koh <yongseok.koh@samsung.com>
+Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
+Cc: Nick Piggin <npiggin@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/vmalloc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -546,10 +546,8 @@ static void __purge_vmap_area_lazy(unsig
+ }
+ rcu_read_unlock();
+
+- if (nr) {
+- BUG_ON(nr > atomic_read(&vmap_lazy_nr));
++ if (nr)
+ atomic_sub(nr, &vmap_lazy_nr);
+- }
+
+ if (nr || force_flush)
+ flush_tlb_kernel_range(*start, *end);
--- /dev/null
+From dfea91d5a7c795fd6f4e1a97489a98e4e767463e Mon Sep 17 00:00:00 2001
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+Date: Mon, 18 Jan 2010 12:10:48 -0800
+Subject: x86, apic: use physical mode for IBM summit platforms
+Patch-mainline: 2.6.33
+
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+
+commit dfea91d5a7c795fd6f4e1a97489a98e4e767463e upstream.
+
+Chris McDermott from IBM confirmed that hurricane chipset in IBM summit
+platforms doesn't support logical flat mode. Irrespective of the other
+things like apic_id's, total number of logical cpu's, Linux kernel
+should default to physical mode for this system.
+
+The 32-bit kernel does so using the OEM checks for the IBM summit
+platform. Add a similar OEM platform check for the 64bit kernel too.
+
+Otherwise the linux kernel boot can hang on this platform under certain
+bios/platform settings.
+
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+Tested-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Cc: Chris McDermott <lcm@linux.vnet.ibm.com>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/apic_flat_64.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic_flat_64.c
++++ b/arch/x86/kernel/apic/apic_flat_64.c
+@@ -240,6 +240,11 @@ static int physflat_acpi_madt_oem_check(
+ printk(KERN_DEBUG "system APIC only can use physical flat");
+ return 1;
+ }
++
++ if (!strncmp(oem_id, "IBM", 3) && !strncmp(oem_table_id, "EXA", 3)) {
++ printk(KERN_DEBUG "IBM Summit detected, will use apic physical");
++ return 1;
++ }
+ #endif
+
+ return 0;
--- /dev/null
+From 2992e545ea006992ec9dc91c4fa996ce1e15f921 Mon Sep 17 00:00:00 2001
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+Date: Mon, 26 Oct 2009 13:21:32 -0800
+Subject: x86/PCI/PAT: return EINVAL for pci mmap WC request for !pat_enabled
+Patch-mainline: 2.6.33
+
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+
+commit 2992e545ea006992ec9dc91c4fa996ce1e15f921 upstream.
+
+Thomas Schlichter reported:
+> X.org uses libpciaccess which tries to mmap with write combining enabled via
+> /sys/bus/pci/devices/*/resource0_wc. Currently, when PAT is not enabled, the
+> kernel does fall back to uncached mmap. Then libpciaccess thinks it succeeded
+> mapping with write combining enabled and does not set up suited MTRR entries.
+> ;-(
+
+Instead of silently mapping pci mmap region as UC minus in the case
+of !pat_enabled and wc request, we can return error. Eric Anholt mentioned
+that caller (like X) typically follows up with UC minus pci mmap request and
+if there is a free mtrr slot, caller will manage adding WC mtrr.
+
+Jesse Barnes says:
+> Older versions of libpciaccess will behave better if we do it that way
+> (iirc it only allocates an MTRR if the resource_wc file doesn't exist or
+> fails to get mapped).
+
+Reported-by: Thomas Schlichter <thomas.schlichter@web.de>
+Signed-off-by: Thomas Schlichter <thomas.schlichter@web.de>
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+Acked-by: Eric Anholt <eric@anholt.net>
+Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/pci/i386.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/pci/i386.c
++++ b/arch/x86/pci/i386.c
+@@ -282,6 +282,15 @@ int pci_mmap_page_range(struct pci_dev *
+ return -EINVAL;
+
+ prot = pgprot_val(vma->vm_page_prot);
++
++ /*
++ * Return error if pat is not enabled and write_combine is requested.
++ * Caller can followup with UC MINUS request and add a WC mtrr if there
++ * is a free mtrr slot.
++ */
++ if (!pat_enabled && write_combine)
++ return -EINVAL;
++
+ if (pat_enabled && write_combine)
+ prot |= _PAGE_CACHE_WC;
+ else if (pat_enabled || boot_cpu_data.x86 > 3)
projects / thirdparty / kernel / stable-queue.git / commitdiff
