--- /dev/null
+From 396087eaead95fcb29eb36f1e59517aeb58c545e Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Wed, 9 Dec 2009 10:44:47 +0100
+Subject: ALSA: hda - Terradici HDA controllers does not support 64-bit mode
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+commit 396087eaead95fcb29eb36f1e59517aeb58c545e upstream.
+
+Confirmed from vendor and tests in RedHat bugzilla #536782 .
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/hda_intel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2436,6 +2436,11 @@ static int __devinit azx_create(struct s
+ }
+ }
+
++ /* disable 64bit DMA address for Teradici */
++ /* it does not work with device 6549:1200 subsys e4a2:040b */
++ if (chip->driver_type == AZX_DRIVER_TERA)
++ gcap &= ~ICH6_GCAP_64OK;
++
+ /* allow 64bit DMA address if supported by H/W */
+ if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64)))
+ pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64));
--- /dev/null
+From fcfdebe70759c74e2e701f69aaa7f0e5e32cf5a6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 11 Dec 2009 12:51:05 +0100
+Subject: ALSA: hrtimer - Fix lock-up
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit fcfdebe70759c74e2e701f69aaa7f0e5e32cf5a6 upstream.
+
+The timer stop callback can be called from snd_timer_interrupt(), which
+is called from the hrtimer callback. Since hrtimer_cancel() waits for
+the callback completion, this eventually results in a lock-up.
+
+This patch fixes the problem by just toggling a flag at stop callback
+and call hrtimer_cancel() later.
+
+Reported-and-tested-by: Wojtek Zabolotny <W.Zabolotny@elka.pw.edu.pl>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/core/hrtimer.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/sound/core/hrtimer.c
++++ b/sound/core/hrtimer.c
+@@ -37,14 +37,22 @@ static unsigned int resolution;
+ struct snd_hrtimer {
+ struct snd_timer *timer;
+ struct hrtimer hrt;
++ atomic_t running;
+ };
+
+ static enum hrtimer_restart snd_hrtimer_callback(struct hrtimer *hrt)
+ {
+ struct snd_hrtimer *stime = container_of(hrt, struct snd_hrtimer, hrt);
+ struct snd_timer *t = stime->timer;
++
++ if (!atomic_read(&stime->running))
++ return HRTIMER_NORESTART;
++
+ hrtimer_forward_now(hrt, ns_to_ktime(t->sticks * resolution));
+ snd_timer_interrupt(stime->timer, t->sticks);
++
++ if (!atomic_read(&stime->running))
++ return HRTIMER_NORESTART;
+ return HRTIMER_RESTART;
+ }
+
+@@ -58,6 +66,7 @@ static int snd_hrtimer_open(struct snd_t
+ hrtimer_init(&stime->hrt, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ stime->timer = t;
+ stime->hrt.function = snd_hrtimer_callback;
++ atomic_set(&stime->running, 0);
+ t->private_data = stime;
+ return 0;
+ }
+@@ -78,16 +87,18 @@ static int snd_hrtimer_start(struct snd_
+ {
+ struct snd_hrtimer *stime = t->private_data;
+
++ atomic_set(&stime->running, 0);
++ hrtimer_cancel(&stime->hrt);
+ hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
+ HRTIMER_MODE_REL);
++ atomic_set(&stime->running, 1);
+ return 0;
+ }
+
+ static int snd_hrtimer_stop(struct snd_timer *t)
+ {
+ struct snd_hrtimer *stime = t->private_data;
+-
+- hrtimer_cancel(&stime->hrt);
++ atomic_set(&stime->running, 0);
+ return 0;
+ }
+
--- /dev/null
+From 2eb2fa67e5462a36e98172fb92c78bc405b3035f Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Mon, 16 Nov 2009 08:30:29 -0500
+Subject: ath5k: allow setting txpower to 0
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 2eb2fa67e5462a36e98172fb92c78bc405b3035f upstream.
+
+As a holdover from earlier code when we used to set
+the power limit to '0' after a reset to configure the
+default transmit power, ath5k interprets txpower=0 as
+12.5 dBm. Fix that by just passing 0 through.
+
+This fixes http://bugzilla.kernel.org/show_bug.cgi?id=14567
+
+Reported-by: Daniel Folkers <daniel.folkers@task24.nl>
+Tested-by: Daniel Folkers <daniel.folkers@task24.nl>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath5k/phy.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath5k/phy.c
++++ b/drivers/net/wireless/ath/ath5k/phy.c
+@@ -2954,8 +2954,6 @@ ath5k_hw_txpower(struct ath5k_hw *ah, st
+ ATH5K_ERR(ah->ah_sc, "invalid tx power: %u\n", txpower);
+ return -EINVAL;
+ }
+- if (txpower == 0)
+- txpower = AR5K_TUNE_DEFAULT_TXPOWER;
+
+ /* Reset TX power values */
+ memset(&ah->ah_txpower, 0, sizeof(ah->ah_txpower));
--- /dev/null
+From 512414b0bed0d376ac4d5ec1dd6f0b1a3551febc Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+Date: Wed, 25 Nov 2009 17:23:26 -0500
+Subject: ath5k: enable EEPROM checksum check
+
+From: Luis R. Rodriguez <lrodriguez@atheros.com>
+
+commit 512414b0bed0d376ac4d5ec1dd6f0b1a3551febc upstream.
+
+Without this we have no gaurantee of the integrity of the
+EEPROM and are likely to encounter a lot of bogus bug reports
+due to actual issues on the EEPROM. With the EEPROM checksum
+check in place we can easily rule those issues out.
+
+If you run patch during a revert *you* have a card with a busted
+EEPROM and only older kernel will support that concoction. This
+patch is a trade off between not accepitng bogus EEPROMs and
+avoiding bogus bug reports allowing developers to focus instead
+on real concrete issues.
+
+If stable keeps bogus bug reports because of a possibly busted EEPROM
+feel free to apply this there too.
+
+Tested on an AR5414
+
+Cc: jirislaby@gmail.com
+Cc: akpm@linux-foundation.org
+Cc: rjw@sisk.pl
+Cc: me@bobcopeland.com
+Cc: david.quan@atheros.com
+Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath5k/eeprom.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath5k/eeprom.c
++++ b/drivers/net/wireless/ath/ath5k/eeprom.c
+@@ -97,6 +97,7 @@ ath5k_eeprom_init_header(struct ath5k_hw
+ struct ath5k_eeprom_info *ee = &ah->ah_capabilities.cap_eeprom;
+ int ret;
+ u16 val;
++ u32 cksum, offset;
+
+ /*
+ * Read values from EEPROM and store them in the capability structure
+@@ -111,7 +112,6 @@ ath5k_eeprom_init_header(struct ath5k_hw
+ if (ah->ah_ee_version < AR5K_EEPROM_VERSION_3_0)
+ return 0;
+
+-#ifdef notyet
+ /*
+ * Validate the checksum of the EEPROM date. There are some
+ * devices with invalid EEPROMs.
+@@ -124,7 +124,6 @@ ath5k_eeprom_init_header(struct ath5k_hw
+ ATH5K_ERR(ah->ah_sc, "Invalid EEPROM checksum 0x%04x\n", cksum);
+ return -EIO;
+ }
+-#endif
+
+ AR5K_EEPROM_READ_HDR(AR5K_EEPROM_ANT_GAIN(ah->ah_ee_version),
+ ee_ant_gain);
--- /dev/null
+From 4b731d50ff3df6b9141a6c12b088e8eb0109e83c Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Mon, 14 Dec 2009 17:57:34 -0800
+Subject: bsdacct: fix uid/gid misreporting
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+commit 4b731d50ff3df6b9141a6c12b088e8eb0109e83c upstream.
+
+commit d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 "bsdacct: switch
+credentials for writing to the accounting file" introduced credential
+switching during final acct data collecting. However, uid/gid pair
+continued to be collected from current which became credentials of who
+created acct file, not who exits.
+
+Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14676
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Reported-by: Juho K. Juopperi <jkj@kapsi.fi>
+Acked-by: Serge Hallyn <serue@us.ibm.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Cc: James Morris <jmorris@namei.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/acct.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -536,7 +536,8 @@ static void do_acct_process(struct bsd_a
+ do_div(elapsed, AHZ);
+ ac.ac_btime = get_seconds() - elapsed;
+ /* we really need to bite the bullet and change layout */
+- current_uid_gid(&ac.ac_uid, &ac.ac_gid);
++ ac.ac_uid = orig_cred->uid;
++ ac.ac_gid = orig_cred->gid;
+ #if ACCT_VERSION==2
+ ac.ac_ahz = AHZ;
+ #endif
--- /dev/null
+From d3a3b0adad0865c12e39b712ca89efbd0a3a0dbc Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+Date: Tue, 17 Nov 2009 14:40:26 -0800
+Subject: debugfs: fix create mutex racy fops and private data
+
+From: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+
+commit d3a3b0adad0865c12e39b712ca89efbd0a3a0dbc upstream.
+
+Setting fops and private data outside of the mutex at debugfs file
+creation introduces a race where the files can be opened with the wrong
+file operations and private data. It is easy to trigger with a process
+waiting on file creation notification.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/debugfs/inode.c | 55 ++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -32,7 +32,9 @@ static struct vfsmount *debugfs_mount;
+ static int debugfs_mount_count;
+ static bool debugfs_registered;
+
+-static struct inode *debugfs_get_inode(struct super_block *sb, int mode, dev_t dev)
++static struct inode *debugfs_get_inode(struct super_block *sb, int mode, dev_t dev,
++ void *data, const struct file_operations *fops)
++
+ {
+ struct inode *inode = new_inode(sb);
+
+@@ -44,14 +46,18 @@ static struct inode *debugfs_get_inode(s
+ init_special_inode(inode, mode, dev);
+ break;
+ case S_IFREG:
+- inode->i_fop = &debugfs_file_operations;
++ inode->i_fop = fops ? fops : &debugfs_file_operations;
++ inode->i_private = data;
+ break;
+ case S_IFLNK:
+ inode->i_op = &debugfs_link_operations;
++ inode->i_fop = fops;
++ inode->i_private = data;
+ break;
+ case S_IFDIR:
+ inode->i_op = &simple_dir_inode_operations;
+- inode->i_fop = &simple_dir_operations;
++ inode->i_fop = fops ? fops : &simple_dir_operations;
++ inode->i_private = data;
+
+ /* directory inodes start off with i_nlink == 2
+ * (for "." entry) */
+@@ -64,7 +70,8 @@ static struct inode *debugfs_get_inode(s
+
+ /* SMP-safe */
+ static int debugfs_mknod(struct inode *dir, struct dentry *dentry,
+- int mode, dev_t dev)
++ int mode, dev_t dev, void *data,
++ const struct file_operations *fops)
+ {
+ struct inode *inode;
+ int error = -EPERM;
+@@ -72,7 +79,7 @@ static int debugfs_mknod(struct inode *d
+ if (dentry->d_inode)
+ return -EEXIST;
+
+- inode = debugfs_get_inode(dir->i_sb, mode, dev);
++ inode = debugfs_get_inode(dir->i_sb, mode, dev, data, fops);
+ if (inode) {
+ d_instantiate(dentry, inode);
+ dget(dentry);
+@@ -81,12 +88,13 @@ static int debugfs_mknod(struct inode *d
+ return error;
+ }
+
+-static int debugfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
++static int debugfs_mkdir(struct inode *dir, struct dentry *dentry, int mode,
++ void *data, const struct file_operations *fops)
+ {
+ int res;
+
+ mode = (mode & (S_IRWXUGO | S_ISVTX)) | S_IFDIR;
+- res = debugfs_mknod(dir, dentry, mode, 0);
++ res = debugfs_mknod(dir, dentry, mode, 0, data, fops);
+ if (!res) {
+ inc_nlink(dir);
+ fsnotify_mkdir(dir, dentry);
+@@ -94,18 +102,20 @@ static int debugfs_mkdir(struct inode *d
+ return res;
+ }
+
+-static int debugfs_link(struct inode *dir, struct dentry *dentry, int mode)
++static int debugfs_link(struct inode *dir, struct dentry *dentry, int mode,
++ void *data, const struct file_operations *fops)
+ {
+ mode = (mode & S_IALLUGO) | S_IFLNK;
+- return debugfs_mknod(dir, dentry, mode, 0);
++ return debugfs_mknod(dir, dentry, mode, 0, data, fops);
+ }
+
+-static int debugfs_create(struct inode *dir, struct dentry *dentry, int mode)
++static int debugfs_create(struct inode *dir, struct dentry *dentry, int mode,
++ void *data, const struct file_operations *fops)
+ {
+ int res;
+
+ mode = (mode & S_IALLUGO) | S_IFREG;
+- res = debugfs_mknod(dir, dentry, mode, 0);
++ res = debugfs_mknod(dir, dentry, mode, 0, data, fops);
+ if (!res)
+ fsnotify_create(dir, dentry);
+ return res;
+@@ -139,7 +149,9 @@ static struct file_system_type debug_fs_
+
+ static int debugfs_create_by_name(const char *name, mode_t mode,
+ struct dentry *parent,
+- struct dentry **dentry)
++ struct dentry **dentry,
++ void *data,
++ const struct file_operations *fops)
+ {
+ int error = 0;
+
+@@ -164,13 +176,16 @@ static int debugfs_create_by_name(const
+ if (!IS_ERR(*dentry)) {
+ switch (mode & S_IFMT) {
+ case S_IFDIR:
+- error = debugfs_mkdir(parent->d_inode, *dentry, mode);
++ error = debugfs_mkdir(parent->d_inode, *dentry, mode,
++ data, fops);
+ break;
+ case S_IFLNK:
+- error = debugfs_link(parent->d_inode, *dentry, mode);
++ error = debugfs_link(parent->d_inode, *dentry, mode,
++ data, fops);
+ break;
+ default:
+- error = debugfs_create(parent->d_inode, *dentry, mode);
++ error = debugfs_create(parent->d_inode, *dentry, mode,
++ data, fops);
+ break;
+ }
+ dput(*dentry);
+@@ -221,19 +236,13 @@ struct dentry *debugfs_create_file(const
+ if (error)
+ goto exit;
+
+- error = debugfs_create_by_name(name, mode, parent, &dentry);
++ error = debugfs_create_by_name(name, mode, parent, &dentry,
++ data, fops);
+ if (error) {
+ dentry = NULL;
+ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
+ goto exit;
+ }
+-
+- if (dentry->d_inode) {
+- if (data)
+- dentry->d_inode->i_private = data;
+- if (fops)
+- dentry->d_inode->i_fop = fops;
+- }
+ exit:
+ return dentry;
+ }
--- /dev/null
+From edfacdd6f81119b9005615593f2cbd94b8c7e2d8 Mon Sep 17 00:00:00 2001
+From: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+Date: Tue, 17 Nov 2009 18:35:43 -0800
+Subject: devpts_get_tty() should validate inode
+
+From: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+
+commit edfacdd6f81119b9005615593f2cbd94b8c7e2d8 upstream.
+
+devpts_get_tty() assumes that the inode passed in is associated with a valid
+pty. But if the only reference to the pty is via a bind-mount, the inode
+passed to devpts_get_tty() while valid, would refer to a pty that no longer
+exists.
+
+With a lot of debug effort, Grzegorz Nosek developed a small program (see
+below) to reproduce a crash on recent kernels. This crash is a regression
+introduced by the commit:
+
+ commit 527b3e4773628b30d03323a2cb5fb0d84441990f
+ Author: Sukadev Bhattiprolu <sukadev@us.ibm.com>
+ Date: Mon Oct 13 10:43:08 2008 +0100
+
+To fix, ensure that the dentry associated with the inode has not yet been
+deleted/unhashed by devpts_pty_kill().
+
+See also:
+https://lists.linux-foundation.org/pipermail/containers/2009-July/019273.html
+
+tty-bug.c:
+
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <sched.h>
+#include <stdlib.h>
+#include <sys/mount.h>
+#include <sys/signal.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#include <linux/fs.h>
+
+void dummy(int sig)
+{
+}
+
+static int child(void *unused)
+{
+ int fd;
+
+ signal(SIGINT, dummy); signal(SIGHUP, dummy);
+ pause(); /* cheesy synchronisation to wait for /dev/pts/0 to appear */
+
+ mount("/dev/pts/0", "/dev/console", NULL, MS_BIND, NULL);
+ sleep(2);
+
+ fd = open("/dev/console", O_RDWR);
+ dup(0); dup(0);
+ write(1, "Hello world!\n", sizeof("Hello world!\n")-1);
+ return 0;
+}
+
+int main(void)
+{
+ pid_t pid;
+ char *stack;
+
+ stack = malloc(16384);
+ pid = clone(child, stack+16384, CLONE_NEWNS|SIGCHLD, NULL);
+
+ open("/dev/ptmx", O_RDWR|O_NOCTTY|O_NONBLOCK);
+
+ unlockpt(fd); grantpt(fd);
+
+ sleep(2);
+ kill(pid, SIGHUP);
+ sleep(1);
+ return 0; /* exit before child opens /dev/console */
+}
+
+Reported-by: Grzegorz Nosek <root@localdomain.pl>
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+Tested-by: Serge Hallyn <serue@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/devpts/inode.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/devpts/inode.c
++++ b/fs/devpts/inode.c
+@@ -517,11 +517,23 @@ int devpts_pty_new(struct inode *ptmx_in
+
+ struct tty_struct *devpts_get_tty(struct inode *pts_inode, int number)
+ {
++ struct dentry *dentry;
++ struct tty_struct *tty;
++
+ BUG_ON(pts_inode->i_rdev == MKDEV(TTYAUX_MAJOR, PTMX_MINOR));
+
++ /* Ensure dentry has not been deleted by devpts_pty_kill() */
++ dentry = d_find_alias(pts_inode);
++ if (!dentry)
++ return NULL;
++
++ tty = NULL;
+ if (pts_inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)
+- return (struct tty_struct *)pts_inode->i_private;
+- return NULL;
++ tty = (struct tty_struct *)pts_inode->i_private;
++
++ dput(dentry);
++
++ return tty;
+ }
+
+ void devpts_pty_kill(struct tty_struct *tty)
--- /dev/null
+From 722d0172377a5697919b9f7e5beb95165b1dec4e Mon Sep 17 00:00:00 2001
+From: Andi Kleen <andi@firstfloor.org>
+Date: Tue, 8 Dec 2009 13:19:42 +0100
+Subject: futex: Take mmap_sem for get_user_pages in fault_in_user_writeable
+
+From: Andi Kleen <andi@firstfloor.org>
+
+commit 722d0172377a5697919b9f7e5beb95165b1dec4e upstream.
+
+get_user_pages() must be called with mmap_sem held.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Cc: Andrew Morton <akpm@linuxfoundation.org>
+Cc: Nick Piggin <npiggin@suse.de>
+Cc: Darren Hart <dvhltc@us.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+LKML-Reference: <20091208121942.GA21298@basil.fritz.box>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/futex.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -304,8 +304,14 @@ void put_futex_key(int fshared, union fu
+ */
+ static int fault_in_user_writeable(u32 __user *uaddr)
+ {
+- int ret = get_user_pages(current, current->mm, (unsigned long)uaddr,
+- 1, 1, 0, NULL, NULL);
++ struct mm_struct *mm = current->mm;
++ int ret;
++
++ down_read(&mm->mmap_sem);
++ ret = get_user_pages(current, mm, (unsigned long)uaddr,
++ 1, 1, 0, NULL, NULL);
++ up_read(&mm->mmap_sem);
++
+ return ret < 0 ? ret : 0;
+ }
+
--- /dev/null
+From ec81aecb29668ad71f699f4e7b96ec46691895b6 Mon Sep 17 00:00:00 2001
+From: Amerigo Wang <amwang@redhat.com>
+Date: Mon, 14 Dec 2009 17:57:37 -0800
+Subject: hfs: fix a potential buffer overflow
+
+From: Amerigo Wang <amwang@redhat.com>
+
+commit ec81aecb29668ad71f699f4e7b96ec46691895b6 upstream.
+
+A specially-crafted Hierarchical File System (HFS) filesystem could cause
+a buffer overflow to occur in a process's kernel stack during a memcpy()
+call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The
+attacker can provide the source buffer and length, and the destination
+buffer is a local variable of a fixed length. This local variable (passed
+as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in
+the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir().
+Because the hfs_readdir() function executes upon any attempt to read a
+directory on the filesystem, it gets called whenever a user attempts to
+inspect any filesystem contents.
+
+[amwang@redhat.com: modify this patch and fix coding style problems]
+Signed-off-by: WANG Cong <amwang@redhat.com>
+Cc: Eugene Teo <eteo@redhat.com>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Dave Anderson <anderson@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfs/catalog.c | 4 ++++
+ fs/hfs/dir.c | 11 +++++++++++
+ fs/hfs/super.c | 7 ++++++-
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode
+ err = hfs_brec_find(&src_fd);
+ if (err)
+ goto out;
++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
+
+ hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ src_fd.entrylength);
+--- a/fs/hfs/dir.c
++++ b/fs/hfs/dir.c
+@@ -79,6 +79,11 @@ static int hfs_readdir(struct file *filp
+ filp->f_pos++;
+ /* fall through */
+ case 1:
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ if (entry.type != HFS_CDR_THD) {
+ printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -109,6 +114,12 @@ static int hfs_readdir(struct file *filp
+ err = -EIO;
+ goto out;
+ }
++
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ type = entry.type;
+ len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -409,8 +409,13 @@ static int hfs_fill_super(struct super_b
+ /* try to get the root inode */
+ hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
+ res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
+- if (!res)
++ if (!res) {
++ if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) {
++ res = -EIO;
++ goto bail;
++ }
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
++ }
+ if (res) {
+ hfs_find_exit(&fd);
+ goto bail_no_root;
--- /dev/null
+From 8629ea2eaba8ca0de2e38ce1b4a825e16255976e Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Thu, 3 Sep 2009 16:32:53 +0800
+Subject: hrtimer: Fix /proc/timer_list regression
+
+From: Feng Tang <feng.tang@intel.com>
+
+commit 8629ea2eaba8ca0de2e38ce1b4a825e16255976e upstream.
+
+commit 507e1231 (timer stats: Optimize by adding quick check to avoid
+function calls) introduced a regression in /proc/timer_list.
+
+/proc/timer_list shows now
+ #0: <c27d46b0>, tick_sched_timer, S:01, <(null)>, /-1
+instead of
+ #0: <c27d46b0>, tick_sched_timer, S:01, hrtimer_start, swapper/0
+
+Revert the hrtimer quick check for now. The optimization needs more
+thought, but this is neither 2.6.32-rc7 nor stable material.
+
+[ tglx: - Removed unrelated changes from the original patch
+ - Prevent unneccesary call to timer_stats_update_stats
+ - massaged the changelog ]
+
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+LKML-Reference: <alpine.LFD.2.00.0911181933540.24119@localhost.localdomain>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/hrtimer.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -446,7 +446,7 @@ extern void timer_stats_update_stats(voi
+
+ static inline void timer_stats_account_hrtimer(struct hrtimer *timer)
+ {
+- if (likely(!timer->start_site))
++ if (likely(!timer_stats_active))
+ return;
+ timer_stats_update_stats(timer, timer->start_pid, timer->start_site,
+ timer->function, timer->start_comm, 0);
+@@ -457,8 +457,6 @@ extern void __timer_stats_hrtimer_set_st
+
+ static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer)
+ {
+- if (likely(!timer_stats_active))
+- return;
+ __timer_stats_hrtimer_set_start_info(timer, __builtin_return_address(0));
+ }
+
--- /dev/null
+From e6a47428de84e19fda52f21ab73fde2906c40d09 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 15 Nov 2009 15:31:37 -0500
+Subject: jbd2: don't wipe the journal on a failed journal checksum
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit e6a47428de84e19fda52f21ab73fde2906c40d09 upstream.
+
+If there is a failed journal checksum, don't reset the journal. This
+allows for userspace programs to decide how to recover from this
+situation. It may be that ignoring the journal checksum failure might
+be a better way of recovering the file system. Once we add per-block
+checksums, we can definitely do better. Until then, a system
+administrator can try backing up the file system image (or taking a
+snapshot) and and trying to determine experimentally whether ignoring
+the checksum failure or aborting the journal replay results in less
+data loss.
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/jbd2/journal.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1253,6 +1253,13 @@ int jbd2_journal_load(journal_t *journal
+ if (jbd2_journal_recover(journal))
+ goto recovery_error;
+
++ if (journal->j_failed_commit) {
++ printk(KERN_ERR "JBD2: journal transaction %u on %s "
++ "is corrupt.\n", journal->j_failed_commit,
++ journal->j_devname);
++ return -EIO;
++ }
++
+ /* OK, we've finished with the dynamic journal bits:
+ * reinitialise the dynamic contents of the superblock in memory
+ * and reset them on disk. */
--- /dev/null
+From cd5a2685de4a642fd0bd763e8c19711ef08dbe27 Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Sat, 17 Oct 2009 22:47:23 -0300
+Subject: KVM: fix irq_source_id size verification
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+commit cd5a2685de4a642fd0bd763e8c19711ef08dbe27 upstream.
+
+find_first_zero_bit works with bit numbers, not bytes.
+
+Fixes
+
+https://sourceforge.net/tracker/?func=detail&aid=2847560&group_id=180599&atid=893831
+
+Reported-by: "Xu, Jiajun" <jiajun.xu@intel.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ virt/kvm/irq_comm.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/irq_comm.c
++++ b/virt/kvm/irq_comm.c
+@@ -205,10 +205,9 @@ int kvm_request_irq_source_id(struct kvm
+ int irq_source_id;
+
+ mutex_lock(&kvm->irq_lock);
+- irq_source_id = find_first_zero_bit(bitmap,
+- sizeof(kvm->arch.irq_sources_bitmap));
++ irq_source_id = find_first_zero_bit(bitmap, BITS_PER_LONG);
+
+- if (irq_source_id >= sizeof(kvm->arch.irq_sources_bitmap)) {
++ if (irq_source_id >= BITS_PER_LONG) {
+ printk(KERN_WARNING "kvm: exhaust allocatable IRQ sources!\n");
+ return -EFAULT;
+ }
+@@ -228,7 +227,7 @@ void kvm_free_irq_source_id(struct kvm *
+
+ mutex_lock(&kvm->irq_lock);
+ if (irq_source_id < 0 ||
+- irq_source_id >= sizeof(kvm->arch.irq_sources_bitmap)) {
++ irq_source_id >= BITS_PER_LONG) {
+ printk(KERN_ERR "kvm: IRQ source ID out of range!\n");
+ return;
+ }
--- /dev/null
+From f50146bd7bdb75435638e60d4960edd9bcdf88b8 Mon Sep 17 00:00:00 2001
+From: Carsten Otte <carsteno@de.ibm.com>
+Date: Mon, 30 Nov 2009 17:14:41 +0100
+Subject: KVM: s390: Fix prefix register checking in arch/s390/kvm/sigp.c
+
+From: Carsten Otte <carsteno@de.ibm.com>
+
+commit f50146bd7bdb75435638e60d4960edd9bcdf88b8 upstream.
+
+This patch corrects the checking of the new address for the prefix register.
+On s390, the prefix register is used to address the cpu's lowcore (address
+0...8k). This check is supposed to verify that the memory is readable and
+present.
+copy_from_guest is a helper function, that can be used to read from guest
+memory. It applies prefixing, adds the start address of the guest memory in
+user, and then calls copy_from_user. Previous code was obviously broken for
+two reasons:
+- prefixing should not be applied here. The current prefix register is
+ going to be updated soon, and the address we're looking for will be
+ 0..8k after we've updated the register
+- we're adding the guest origin (gmsor) twice: once in subject code
+ and once in copy_from_guest
+
+With kuli, we did not hit this problem because (a) we were lucky with
+previous prefix register content, and (b) our guest memory was mmaped
+very low into user address space.
+
+Signed-off-by: Carsten Otte <cotte@de.ibm.com>
+Reported-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/s390/kvm/sigp.c
++++ b/arch/s390/kvm/sigp.c
+@@ -188,9 +188,9 @@ static int __sigp_set_prefix(struct kvm_vcpu *vcpu, u16 cpu_addr, u32 address,
+
+ /* make sure that the new value is valid memory */
+ address = address & 0x7fffe000u;
+- if ((copy_from_guest(vcpu, &tmp,
+- (u64) (address + vcpu->arch.sie_block->gmsor) , 1)) ||
+- (copy_from_guest(vcpu, &tmp, (u64) (address +
++ if ((copy_from_user(&tmp, (void __user *)
++ (address + vcpu->arch.sie_block->gmsor) , 1)) ||
++ (copy_from_user(&tmp, (void __user *)(address +
+ vcpu->arch.sie_block->gmsor + PAGE_SIZE), 1))) {
+ *reg |= SIGP_STAT_INVALID_PARAMETER;
+ return 1; /* invalid parameter */
--- /dev/null
+From d7b0b5eb3000c6fb902f08c619fcd673a23d8fab Mon Sep 17 00:00:00 2001
+From: Carsten Otte <carsteno@de.ibm.com>
+Date: Thu, 19 Nov 2009 14:21:16 +0100
+Subject: KVM: s390: Make psw available on all exits, not just a subset
+
+From: Carsten Otte <carsteno@de.ibm.com>
+
+commit d7b0b5eb3000c6fb902f08c619fcd673a23d8fab upstream.
+
+This patch moves s390 processor status word into the base kvm_run
+struct and keeps it up-to date on all userspace exits.
+
+The userspace ABI is broken by this, however there are no applications
+in the wild using this. A capability check is provided so users can
+verify the updated API exists.
+
+Signed-off-by: Carsten Otte <cotte@de.ibm.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/include/asm/kvm.h | 3 ++-
+ arch/s390/kvm/kvm-s390.c | 25 +++++++++++++++++--------
+ include/linux/kvm.h | 8 ++++++--
+ 3 files changed, 25 insertions(+), 11 deletions(-)
+
+--- a/arch/s390/include/asm/kvm.h
++++ b/arch/s390/include/asm/kvm.h
+@@ -1,6 +1,5 @@
+ #ifndef __LINUX_KVM_S390_H
+ #define __LINUX_KVM_S390_H
+-
+ /*
+ * asm-s390/kvm.h - KVM s390 specific structures and definitions
+ *
+@@ -15,6 +14,8 @@
+ */
+ #include <linux/types.h>
+
++#define __KVM_S390
++
+ /* for KVM_GET_REGS and KVM_SET_REGS */
+ struct kvm_regs {
+ /* general purpose regs for s390 */
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -116,10 +116,16 @@ long kvm_arch_dev_ioctl(struct file *fil
+
+ int kvm_dev_ioctl_check_extension(long ext)
+ {
++ int r;
++
+ switch (ext) {
++ case KVM_CAP_S390_PSW:
++ r = 1;
++ break;
+ default:
+- return 0;
++ r = 0;
+ }
++ return r;
+ }
+
+ /* Section: vm related */
+@@ -419,8 +425,10 @@ static int kvm_arch_vcpu_ioctl_set_initi
+ vcpu_load(vcpu);
+ if (atomic_read(&vcpu->arch.sie_block->cpuflags) & CPUSTAT_RUNNING)
+ rc = -EBUSY;
+- else
+- vcpu->arch.sie_block->gpsw = psw;
++ else {
++ vcpu->run->psw_mask = psw.mask;
++ vcpu->run->psw_addr = psw.addr;
++ }
+ vcpu_put(vcpu);
+ return rc;
+ }
+@@ -508,9 +516,6 @@ rerun_vcpu:
+
+ switch (kvm_run->exit_reason) {
+ case KVM_EXIT_S390_SIEIC:
+- vcpu->arch.sie_block->gpsw.mask = kvm_run->s390_sieic.mask;
+- vcpu->arch.sie_block->gpsw.addr = kvm_run->s390_sieic.addr;
+- break;
+ case KVM_EXIT_UNKNOWN:
+ case KVM_EXIT_INTR:
+ case KVM_EXIT_S390_RESET:
+@@ -519,6 +524,9 @@ rerun_vcpu:
+ BUG();
+ }
+
++ vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask;
++ vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr;
++
+ might_fault();
+
+ do {
+@@ -538,8 +546,6 @@ rerun_vcpu:
+ /* intercept cannot be handled in-kernel, prepare kvm-run */
+ kvm_run->exit_reason = KVM_EXIT_S390_SIEIC;
+ kvm_run->s390_sieic.icptcode = vcpu->arch.sie_block->icptcode;
+- kvm_run->s390_sieic.mask = vcpu->arch.sie_block->gpsw.mask;
+- kvm_run->s390_sieic.addr = vcpu->arch.sie_block->gpsw.addr;
+ kvm_run->s390_sieic.ipa = vcpu->arch.sie_block->ipa;
+ kvm_run->s390_sieic.ipb = vcpu->arch.sie_block->ipb;
+ rc = 0;
+@@ -551,6 +557,9 @@ rerun_vcpu:
+ rc = 0;
+ }
+
++ kvm_run->psw_mask = vcpu->arch.sie_block->gpsw.mask;
++ kvm_run->psw_addr = vcpu->arch.sie_block->gpsw.addr;
++
+ if (vcpu->sigset_active)
+ sigprocmask(SIG_SETMASK, &sigsaved, NULL);
+
+--- a/include/linux/kvm.h
++++ b/include/linux/kvm.h
+@@ -116,6 +116,11 @@ struct kvm_run {
+ __u64 cr8;
+ __u64 apic_base;
+
++#ifdef __KVM_S390
++ /* the processor status word for s390 */
++ __u64 psw_mask; /* psw upper half */
++ __u64 psw_addr; /* psw lower half */
++#endif
+ union {
+ /* KVM_EXIT_UNKNOWN */
+ struct {
+@@ -167,8 +172,6 @@ struct kvm_run {
+ /* KVM_EXIT_S390_SIEIC */
+ struct {
+ __u8 icptcode;
+- __u64 mask; /* psw upper half */
+- __u64 addr; /* psw lower half */
+ __u16 ipa;
+ __u32 ipb;
+ } s390_sieic;
+@@ -474,6 +477,7 @@ struct kvm_irq_routing {
+ };
+
+ #endif
++#define KVM_CAP_S390_PSW 42
+
+ #ifdef KVM_CAP_MCE
+ /* x86 MCE */
--- /dev/null
+From eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@redhat.com>
+Date: Tue, 24 Nov 2009 15:20:15 +0200
+Subject: KVM: x86 emulator: limit instructions to 15 bytes
+
+From: Avi Kivity <avi@redhat.com>
+
+commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream.
+
+While we are never normally passed an instruction that exceeds 15 bytes,
+smp games can cause us to attempt to interpret one, which will cause
+large latencies in non-preempt hosts.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -129,7 +129,7 @@ struct decode_cache {
+ u8 seg_override;
+ unsigned int d;
+ unsigned long regs[NR_VCPU_REGS];
+- unsigned long eip;
++ unsigned long eip, eip_orig;
+ /* modrm */
+ u8 modrm;
+ u8 modrm_mod;
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index d226dff..7e8faea 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -622,6 +622,9 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
+ {
+ int rc = 0;
+
++ /* x86 instructions are limited to 15 bytes. */
++ if (eip + size - ctxt->decode.eip_orig > 15)
++ return X86EMUL_UNHANDLEABLE;
+ eip += ctxt->cs_base;
+ while (size--) {
+ rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
+@@ -880,7 +883,7 @@ x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
+ /* Shadow copy of register state. Committed on successful emulation. */
+
+ memset(c, 0, sizeof(struct decode_cache));
+- c->eip = kvm_rip_read(ctxt->vcpu);
++ c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu);
+ ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
+ memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
+
--- /dev/null
+From e3267cbbbfbcbe9c18833e89b10beabb1117cb55 Mon Sep 17 00:00:00 2001
+From: Glauber Costa <glommer@redhat.com>
+Date: Tue, 6 Oct 2009 13:24:50 -0400
+Subject: KVM: x86: include pvclock MSRs in msrs_to_save
+
+From: Glauber Costa <glommer@redhat.com>
+
+commit e3267cbbbfbcbe9c18833e89b10beabb1117cb55 upstream.
+
+For a while now, we are issuing a rdmsr instruction to find out which
+msrs in our save list are really supported by the underlying machine.
+However, it fails to account for kvm-specific msrs, such as the pvclock
+ones.
+
+This patch moves then to the beginning of the list, and skip testing them.
+
+Signed-off-by: Glauber Costa <glommer@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -484,16 +484,19 @@ static inline u32 bit(int bitno)
+ * and KVM_SET_MSRS, and KVM_GET_MSR_INDEX_LIST.
+ *
+ * This list is modified at module load time to reflect the
+- * capabilities of the host cpu.
++ * capabilities of the host cpu. This capabilities test skips MSRs that are
++ * kvm-specific. Those are put in the beginning of the list.
+ */
++
++#define KVM_SAVE_MSRS_BEGIN 2
+ static u32 msrs_to_save[] = {
++ MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
+ MSR_IA32_SYSENTER_CS, MSR_IA32_SYSENTER_ESP, MSR_IA32_SYSENTER_EIP,
+ MSR_K6_STAR,
+ #ifdef CONFIG_X86_64
+ MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
+ #endif
+- MSR_IA32_TSC, MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
+- MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
++ MSR_IA32_TSC, MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
+ };
+
+ static unsigned num_msrs_to_save;
+@@ -2433,7 +2436,8 @@ static void kvm_init_msr_list(void)
+ u32 dummy[2];
+ unsigned i, j;
+
+- for (i = j = 0; i < ARRAY_SIZE(msrs_to_save); i++) {
++ /* skip the first msrs in the list. KVM-specific */
++ for (i = j = KVM_SAVE_MSRS_BEGIN; i < ARRAY_SIZE(msrs_to_save); i++) {
+ if (rdmsr_safe(msrs_to_save[i], &dummy[0], &dummy[1]) < 0)
+ continue;
+ if (j < i)
--- /dev/null
+From aa5cbd103887011b4830355f88fb055f9ad2d556 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 14 Dec 2009 12:49:46 +1100
+Subject: md/bitmap: protect against bitmap removal while being updated.
+
+From: NeilBrown <neilb@suse.de>
+
+commit aa5cbd103887011b4830355f88fb055f9ad2d556 upstream.
+
+A write intent bitmap can be removed from an array while the
+array is active.
+When this happens, all IO is suspended and flushed before the
+bitmap is removed.
+However it is possible that bitmap_daemon_work is still running to
+clear old bits from the bitmap. If it is, it can dereference the
+bitmap after it has been freed.
+
+So introduce a new mutex to protect bitmap_daemon_work and get it
+before destroying a bitmap.
+
+This is suitable for any current -stable kernel.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/bitmap.c | 24 ++++++++++++++++++------
+ drivers/md/bitmap.h | 2 +-
+ drivers/md/md.c | 3 ++-
+ drivers/md/md.h | 1 +
+ 4 files changed, 22 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/bitmap.c
++++ b/drivers/md/bitmap.c
+@@ -1078,23 +1078,31 @@ static bitmap_counter_t *bitmap_get_coun
+ * out to disk
+ */
+
+-void bitmap_daemon_work(struct bitmap *bitmap)
++void bitmap_daemon_work(mddev_t *mddev)
+ {
++ struct bitmap *bitmap;
+ unsigned long j;
+ unsigned long flags;
+ struct page *page = NULL, *lastpage = NULL;
+ int blocks;
+ void *paddr;
+
+- if (bitmap == NULL)
++ /* Use a mutex to guard daemon_work against
++ * bitmap_destroy.
++ */
++ mutex_lock(&mddev->bitmap_mutex);
++ bitmap = mddev->bitmap;
++ if (bitmap == NULL) {
++ mutex_unlock(&mddev->bitmap_mutex);
+ return;
++ }
+ if (time_before(jiffies, bitmap->daemon_lastrun + bitmap->daemon_sleep*HZ))
+ goto done;
+
+ bitmap->daemon_lastrun = jiffies;
+ if (bitmap->allclean) {
+ bitmap->mddev->thread->timeout = MAX_SCHEDULE_TIMEOUT;
+- return;
++ goto done;
+ }
+ bitmap->allclean = 1;
+
+@@ -1203,6 +1211,7 @@ void bitmap_daemon_work(struct bitmap *b
+ done:
+ if (bitmap->allclean == 0)
+ bitmap->mddev->thread->timeout = bitmap->daemon_sleep * HZ;
++ mutex_unlock(&mddev->bitmap_mutex);
+ }
+
+ static bitmap_counter_t *bitmap_get_counter(struct bitmap *bitmap,
+@@ -1541,9 +1550,9 @@ void bitmap_flush(mddev_t *mddev)
+ */
+ sleep = bitmap->daemon_sleep;
+ bitmap->daemon_sleep = 0;
+- bitmap_daemon_work(bitmap);
+- bitmap_daemon_work(bitmap);
+- bitmap_daemon_work(bitmap);
++ bitmap_daemon_work(mddev);
++ bitmap_daemon_work(mddev);
++ bitmap_daemon_work(mddev);
+ bitmap->daemon_sleep = sleep;
+ bitmap_update_sb(bitmap);
+ }
+@@ -1574,6 +1583,7 @@ static void bitmap_free(struct bitmap *b
+ kfree(bp);
+ kfree(bitmap);
+ }
++
+ void bitmap_destroy(mddev_t *mddev)
+ {
+ struct bitmap *bitmap = mddev->bitmap;
+@@ -1581,7 +1591,9 @@ void bitmap_destroy(mddev_t *mddev)
+ if (!bitmap) /* there was no bitmap */
+ return;
+
++ mutex_lock(&mddev->bitmap_mutex);
+ mddev->bitmap = NULL; /* disconnect from the md device */
++ mutex_unlock(&mddev->bitmap_mutex);
+ if (mddev->thread)
+ mddev->thread->timeout = MAX_SCHEDULE_TIMEOUT;
+
+--- a/drivers/md/bitmap.h
++++ b/drivers/md/bitmap.h
+@@ -282,7 +282,7 @@ void bitmap_close_sync(struct bitmap *bi
+ void bitmap_cond_end_sync(struct bitmap *bitmap, sector_t sector);
+
+ void bitmap_unplug(struct bitmap *bitmap);
+-void bitmap_daemon_work(struct bitmap *bitmap);
++void bitmap_daemon_work(mddev_t *mddev);
+ #endif
+
+ #endif
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -367,6 +367,7 @@ static mddev_t * mddev_find(dev_t unit)
+
+ mutex_init(&new->open_mutex);
+ mutex_init(&new->reconfig_mutex);
++ mutex_init(&new->bitmap_mutex);
+ INIT_LIST_HEAD(&new->disks);
+ INIT_LIST_HEAD(&new->all_mddevs);
+ init_timer(&new->safemode_timer);
+@@ -6629,7 +6630,7 @@ void md_check_recovery(mddev_t *mddev)
+
+
+ if (mddev->bitmap)
+- bitmap_daemon_work(mddev->bitmap);
++ bitmap_daemon_work(mddev);
+
+ if (mddev->ro)
+ return;
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -289,6 +289,7 @@ struct mddev_s
+ * hot-adding a bitmap. It should
+ * eventually be settable by sysfs.
+ */
++ struct mutex bitmap_mutex;
+
+ struct list_head all_mddevs;
+ };
--- /dev/null
+From 190f38e5cedc910940b1da9015f00458c18f97b4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 10 Dec 2009 09:05:55 -0500
+Subject: NFS: Fix nfs_migrate_page()
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 190f38e5cedc910940b1da9015f00458c18f97b4 upstream.
+
+The call to migrate_page() will cause the page->private field to be
+cleared.
+Also fix up the locking around the page->private transfer, so that we ensure
+that calls to nfs_page_find_request() don't end up racing.
+
+Finally, fix up a double free bug: nfs_unlock_request() already calls
+nfs_release_request() for us...
+
+Reported-by: Wu Fengguang <fengguang.wu@intel.com>
+Tested-by: Andi Kleen <andi@firstfloor.org>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/write.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1612,15 +1612,16 @@ int nfs_migrate_page(struct address_spac
+ if (ret)
+ goto out_unlock;
+ page_cache_get(newpage);
++ spin_lock(&mapping->host->i_lock);
+ req->wb_page = newpage;
+ SetPagePrivate(newpage);
+- set_page_private(newpage, page_private(page));
++ set_page_private(newpage, (unsigned long)req);
+ ClearPagePrivate(page);
+ set_page_private(page, 0);
++ spin_unlock(&mapping->host->i_lock);
+ page_cache_release(page);
+ out_unlock:
+ nfs_clear_page_tag_locked(req);
+- nfs_release_request(req);
+ out:
+ return ret;
+ }
--- /dev/null
+From 5600c70e576199a7552e1c0fff43f3fe16f5566e Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Date: Fri, 27 Nov 2009 22:29:02 +0400
+Subject: pata_hpt{37x|3x2n}: fix timing register masks (take 2)
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+commit 5600c70e576199a7552e1c0fff43f3fe16f5566e upstream.
+
+These drivers inherited from the older 'hpt366' IDE driver the buggy timing
+register masks in their set_piomode() metods. As a result, too low command
+cycle active time is programmed for slow PIO modes. Quite fortunately, it's
+later "fixed up" by the set_dmamode() methods which also "helpfully" reprogram
+the command timings, usually to PIO mode 4; unfortunately, setting an UltraDMA
+mode #N also reprograms already set PIO data timings, usually to MWDMA mode #
+max(N, 2) timings...
+
+However, the drivers added some breakage of their own too: the bit that they
+set/clear to control the FIFO is sometimes wrong -- it's actually the MSB of
+the command cycle setup time; also, setting it in DMA mode is wrong as this
+bit is only for PIO actually and clearing it for PIO modes is not needed as
+no mode in any timing table has it set...
+
+Fix all this, inverting the masks while at it, like in the 'hpt366' and
+'pata_hpt366' drivers; bump the drivers' versions, accounting for recent
+patches that forgot to do it...
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/pata_hpt37x.c | 32 +++++++++++++++-----------------
+ drivers/ata/pata_hpt3x2n.c | 17 ++++++++---------
+ 2 files changed, 23 insertions(+), 26 deletions(-)
+
+--- a/drivers/ata/pata_hpt37x.c
++++ b/drivers/ata/pata_hpt37x.c
+@@ -24,7 +24,7 @@
+ #include <linux/libata.h>
+
+ #define DRV_NAME "pata_hpt37x"
+-#define DRV_VERSION "0.6.12"
++#define DRV_VERSION "0.6.14"
+
+ struct hpt_clock {
+ u8 xfer_speed;
+@@ -404,9 +404,8 @@ static void hpt370_set_piomode(struct at
+
+ pci_read_config_dword(pdev, addr1, ®);
+ mode = hpt37x_find_mode(ap, adev->pio_mode);
+- mode &= ~0x8000000; /* No FIFO in PIO */
+- mode &= ~0x30070000; /* Leave config bits alone */
+- reg &= 0x30070000; /* Strip timing bits */
++ mode &= 0xCFC3FFFF; /* Leave DMA bits alone */
++ reg &= ~0xCFC3FFFF; /* Strip timing bits */
+ pci_write_config_dword(pdev, addr1, reg | mode);
+ }
+
+@@ -423,8 +422,7 @@ static void hpt370_set_dmamode(struct at
+ {
+ struct pci_dev *pdev = to_pci_dev(ap->host->dev);
+ u32 addr1, addr2;
+- u32 reg;
+- u32 mode;
++ u32 reg, mode, mask;
+ u8 fast;
+
+ addr1 = 0x40 + 4 * (adev->devno + 2 * ap->port_no);
+@@ -436,11 +434,12 @@ static void hpt370_set_dmamode(struct at
+ fast |= 0x01;
+ pci_write_config_byte(pdev, addr2, fast);
+
++ mask = adev->dma_mode < XFER_UDMA_0 ? 0x31C001FF : 0x303C0000;
++
+ pci_read_config_dword(pdev, addr1, ®);
+ mode = hpt37x_find_mode(ap, adev->dma_mode);
+- mode |= 0x8000000; /* FIFO in MWDMA or UDMA */
+- mode &= ~0xC0000000; /* Leave config bits alone */
+- reg &= 0xC0000000; /* Strip timing bits */
++ mode &= mask;
++ reg &= ~mask;
+ pci_write_config_dword(pdev, addr1, reg | mode);
+ }
+
+@@ -508,9 +507,8 @@ static void hpt372_set_piomode(struct at
+ mode = hpt37x_find_mode(ap, adev->pio_mode);
+
+ printk("Find mode for %d reports %X\n", adev->pio_mode, mode);
+- mode &= ~0x80000000; /* No FIFO in PIO */
+- mode &= ~0x30070000; /* Leave config bits alone */
+- reg &= 0x30070000; /* Strip timing bits */
++ mode &= 0xCFC3FFFF; /* Leave DMA bits alone */
++ reg &= ~0xCFC3FFFF; /* Strip timing bits */
+ pci_write_config_dword(pdev, addr1, reg | mode);
+ }
+
+@@ -527,8 +525,7 @@ static void hpt372_set_dmamode(struct at
+ {
+ struct pci_dev *pdev = to_pci_dev(ap->host->dev);
+ u32 addr1, addr2;
+- u32 reg;
+- u32 mode;
++ u32 reg, mode, mask;
+ u8 fast;
+
+ addr1 = 0x40 + 4 * (adev->devno + 2 * ap->port_no);
+@@ -539,12 +536,13 @@ static void hpt372_set_dmamode(struct at
+ fast &= ~0x07;
+ pci_write_config_byte(pdev, addr2, fast);
+
++ mask = adev->dma_mode < XFER_UDMA_0 ? 0x31C001FF : 0x303C0000;
++
+ pci_read_config_dword(pdev, addr1, ®);
+ mode = hpt37x_find_mode(ap, adev->dma_mode);
+ printk("Find mode for DMA %d reports %X\n", adev->dma_mode, mode);
+- mode &= ~0xC0000000; /* Leave config bits alone */
+- mode |= 0x80000000; /* FIFO in MWDMA or UDMA */
+- reg &= 0xC0000000; /* Strip timing bits */
++ mode &= mask;
++ reg &= ~mask;
+ pci_write_config_dword(pdev, addr1, reg | mode);
+ }
+
+--- a/drivers/ata/pata_hpt3x2n.c
++++ b/drivers/ata/pata_hpt3x2n.c
+@@ -25,7 +25,7 @@
+ #include <linux/libata.h>
+
+ #define DRV_NAME "pata_hpt3x2n"
+-#define DRV_VERSION "0.3.4"
++#define DRV_VERSION "0.3.7"
+
+ enum {
+ HPT_PCI_FAST = (1 << 31),
+@@ -185,9 +185,8 @@ static void hpt3x2n_set_piomode(struct a
+
+ pci_read_config_dword(pdev, addr1, ®);
+ mode = hpt3x2n_find_mode(ap, adev->pio_mode);
+- mode &= ~0x8000000; /* No FIFO in PIO */
+- mode &= ~0x30070000; /* Leave config bits alone */
+- reg &= 0x30070000; /* Strip timing bits */
++ mode &= 0xCFC3FFFF; /* Leave DMA bits alone */
++ reg &= ~0xCFC3FFFF; /* Strip timing bits */
+ pci_write_config_dword(pdev, addr1, reg | mode);
+ }
+
+@@ -204,8 +203,7 @@ static void hpt3x2n_set_dmamode(struct a
+ {
+ struct pci_dev *pdev = to_pci_dev(ap->host->dev);
+ u32 addr1, addr2;
+- u32 reg;
+- u32 mode;
++ u32 reg, mode, mask;
+ u8 fast;
+
+ addr1 = 0x40 + 4 * (adev->devno + 2 * ap->port_no);
+@@ -216,11 +214,12 @@ static void hpt3x2n_set_dmamode(struct a
+ fast &= ~0x07;
+ pci_write_config_byte(pdev, addr2, fast);
+
++ mask = adev->dma_mode < XFER_UDMA_0 ? 0x31C001FF : 0x303C0000;
++
+ pci_read_config_dword(pdev, addr1, ®);
+ mode = hpt3x2n_find_mode(ap, adev->dma_mode);
+- mode |= 0x8000000; /* FIFO in MWDMA or UDMA */
+- mode &= ~0xC0000000; /* Leave config bits alone */
+- reg &= 0xC0000000; /* Strip timing bits */
++ mode &= mask;
++ reg &= ~mask;
+ pci_write_config_dword(pdev, addr1, reg | mode);
+ }
+
--- /dev/null
+From ec70ccd806111ba3caf596def91a8580138b12db Mon Sep 17 00:00:00 2001
+From: Kristian Høgsberg <krh@bitplanet.net>
+Date: Tue, 1 Dec 2009 15:05:01 -0500
+Subject: perf: Don't free perf_mmap_data until work has been done
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kristian Høgsberg <krh@bitplanet.net>
+
+commit ec70ccd806111ba3caf596def91a8580138b12db upstream.
+
+In the CONFIG_PERF_USE_VMALLOC case, perf_mmap_data_free() only
+schedules the cleanup of the perf_mmap_data struct. In that
+case we have to wait until the work has been done before we free
+data.
+
+Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+LKML-Reference: <1259697901-1747-1-git-send-email-krh@bitplanet.net>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/perf_event.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -2174,6 +2174,7 @@ static void perf_mmap_data_free(struct p
+ perf_mmap_free_page((unsigned long)data->user_page);
+ for (i = 0; i < data->nr_pages; i++)
+ perf_mmap_free_page((unsigned long)data->data_pages[i]);
++ kfree(data);
+ }
+
+ #else
+@@ -2214,6 +2215,7 @@ static void perf_mmap_data_free_work(str
+ perf_mmap_unmark_page(base + (i * PAGE_SIZE));
+
+ vfree(base);
++ kfree(data);
+ }
+
+ static void perf_mmap_data_free(struct perf_mmap_data *data)
+@@ -2319,7 +2321,6 @@ static void perf_mmap_data_free_rcu(stru
+
+ data = container_of(rcu_head, struct perf_mmap_data, rcu_head);
+ perf_mmap_data_free(data);
+- kfree(data);
+ }
+
+ static void perf_mmap_data_release(struct perf_event *event)
--- /dev/null
+From 4c49b12853fbb5eff4849b7b6a1e895776f027a1 Mon Sep 17 00:00:00 2001
+From: Arjan van de Ven <arjan@infradead.org>
+Date: Fri, 13 Nov 2009 21:47:33 -0800
+Subject: perf_event: Fix invalid type in ioctl definition
+
+From: Arjan van de Ven <arjan@infradead.org>
+
+commit 4c49b12853fbb5eff4849b7b6a1e895776f027a1 upstream.
+
+u64 is invalid in userspace headers, including ioctl
+definitions; use __u64 instead
+
+Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
+LKML-Reference: <20091113214733.7cd76be9@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/perf_event.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -219,7 +219,7 @@ struct perf_event_attr {
+ #define PERF_EVENT_IOC_DISABLE _IO ('$', 1)
+ #define PERF_EVENT_IOC_REFRESH _IO ('$', 2)
+ #define PERF_EVENT_IOC_RESET _IO ('$', 3)
+-#define PERF_EVENT_IOC_PERIOD _IOW('$', 4, u64)
++#define PERF_EVENT_IOC_PERIOD _IOW('$', 4, __u64)
+ #define PERF_EVENT_IOC_SET_OUTPUT _IO ('$', 5)
+
+ enum perf_event_ioc_flags {
--- /dev/null
+From 59d069eb5ae9b033ed1c124c92e1532c4a958991 Mon Sep 17 00:00:00 2001
+From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+Date: Tue, 1 Dec 2009 17:30:08 +0800
+Subject: perf_event: Initialize data.period in perf_swevent_hrtimer()
+
+From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+
+commit 59d069eb5ae9b033ed1c124c92e1532c4a958991 upstream.
+
+In current code in perf_swevent_hrtimer(), data.period is not
+initialized, The result is obvious wrong:
+
+ # ./perf record -f -e cpu-clock make
+ # ./perf report
+ # Samples: 1740
+ #
+ # Overhead Command ......
+ # ........ ........ ..........................................
+ #
+ 1025422183050275328.00% sh libc-2.9.90.so ...
+ 1025422183050275328.00% perl libperl.so ...
+ 1025422168240043264.00% perl [kernel] ...
+ 1025422030011210752.00% perl [kernel] ...
+
+Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+LKML-Reference: <4B14E220.2050107@cn.fujitsu.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/perf_event.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -3949,6 +3949,7 @@ static enum hrtimer_restart perf_swevent
+ event->pmu->read(event);
+
+ data.addr = 0;
++ data.period = event->hw.last_period;
+ regs = get_irq_regs();
+ /*
+ * In case we exclude kernel IPs or are somehow not in interrupt
--- /dev/null
+From bab636b921017f0db6e0c2979438f50b898a9808 Mon Sep 17 00:00:00 2001
+From: Rafael J. Wysocki <rjw@sisk.pl>
+Date: Thu, 3 Dec 2009 20:21:21 +0100
+Subject: PM / Runtime: Fix lockdep warning in __pm_runtime_set_status()
+
+From: Rafael J. Wysocki <rjw@sisk.pl>
+
+commit bab636b921017f0db6e0c2979438f50b898a9808 upstream.
+
+Lockdep complains about taking the parent lock in
+__pm_runtime_set_status(), so mark it as nested.
+
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Reported-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/power/runtime.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -777,7 +777,7 @@ int __pm_runtime_set_status(struct devic
+ }
+
+ if (parent) {
+- spin_lock(&parent->power.lock);
++ spin_lock_nested(&parent->power.lock, SINGLE_DEPTH_NESTING);
+
+ /*
+ * It is invalid to put an active child under a parent that is
--- /dev/null
+From 1b82e4c32fba96d8805b1e2126ba5382e56fac32 Mon Sep 17 00:00:00 2001
+From: Igor Grinberg <grinberg@compulab.co.il>
+Date: Sun, 6 Dec 2009 15:45:43 +0200
+Subject: [ARM] pxa/em-x270: fix usb hub power up/reset sequence
+
+From: Igor Grinberg <grinberg@compulab.co.il>
+
+commit 1b82e4c32fba96d8805b1e2126ba5382e56fac32 upstream.
+
+Signed-off-by: Igor Grinberg <grinberg@compulab.co.il>
+Signed-off-by: Mike Rapoport <mike@compulab.co.il>
+Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/mach-pxa/em-x270.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/mach-pxa/em-x270.c
++++ b/arch/arm/mach-pxa/em-x270.c
+@@ -497,16 +497,15 @@ static int em_x270_usb_hub_init(void)
+ goto err_free_vbus_gpio;
+
+ /* USB Hub power-on and reset */
+- gpio_direction_output(usb_hub_reset, 0);
++ gpio_direction_output(usb_hub_reset, 1);
++ gpio_direction_output(GPIO9_USB_VBUS_EN, 0);
+ regulator_enable(em_x270_usb_ldo);
+- gpio_set_value(usb_hub_reset, 1);
+ gpio_set_value(usb_hub_reset, 0);
++ gpio_set_value(usb_hub_reset, 1);
+ regulator_disable(em_x270_usb_ldo);
+ regulator_enable(em_x270_usb_ldo);
+- gpio_set_value(usb_hub_reset, 1);
+-
+- /* enable VBUS */
+- gpio_direction_output(GPIO9_USB_VBUS_EN, 1);
++ gpio_set_value(usb_hub_reset, 0);
++ gpio_set_value(GPIO9_USB_VBUS_EN, 1);
+
+ return 0;
+
--- /dev/null
+From 9160306e6f5b68bb64630c9031c517ca1cf463db Mon Sep 17 00:00:00 2001
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Date: Mon, 2 Nov 2009 13:52:29 -0800
+Subject: rcu: Fix note_new_gpnum() uses of ->gpnum
+
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+
+commit 9160306e6f5b68bb64630c9031c517ca1cf463db upstream.
+
+Impose a clear locking design on the note_new_gpnum()
+function's use of the ->gpnum counter. This is done by updating
+rdp->gpnum only from the corresponding leaf rcu_node structure's
+rnp->gpnum field, and even then only under the protection of
+that same rcu_node structure's ->lock field. Performance and
+scalability are maintained using a form of double-checked
+locking, and excessive spinning is avoided by use of the
+spin_trylock() function. The use of spin_trylock() is safe due
+to the fact that CPUs who fail to acquire this lock will try
+again later. The hierarchical nature of the rcu_node data
+structure limits contention (which could be limited further if
+need be using the RCU_FANOUT kernel parameter).
+
+Without this patch, obscure but quite possible races could
+result in a quiescent state that occurred during one grace
+period to be accounted to the following grace period, causing
+this following grace period to end prematurely. Not good!
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: laijs@cn.fujitsu.com
+Cc: dipankar@in.ibm.com
+Cc: mathieu.desnoyers@polymtl.ca
+Cc: josh@joshtriplett.org
+Cc: dvhltc@us.ibm.com
+Cc: niv@us.ibm.com
+Cc: peterz@infradead.org
+Cc: rostedt@goodmis.org
+Cc: Valdis.Kletnieks@vt.edu
+Cc: dhowells@redhat.com
+LKML-Reference: <12571987492350-git-send-email->
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/rcutree.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/kernel/rcutree.c
++++ b/kernel/rcutree.c
+@@ -538,13 +538,33 @@ static void check_cpu_stall(struct rcu_s
+ /*
+ * Update CPU-local rcu_data state to record the newly noticed grace period.
+ * This is used both when we started the grace period and when we notice
+- * that someone else started the grace period.
+- */
++ * that someone else started the grace period. The caller must hold the
++ * ->lock of the leaf rcu_node structure corresponding to the current CPU,
++ * and must have irqs disabled.
++ */
++static void __note_new_gpnum(struct rcu_state *rsp, struct rcu_node *rnp, struct rcu_data *rdp)
++{
++ if (rdp->gpnum != rnp->gpnum) {
++ rdp->qs_pending = 1;
++ rdp->passed_quiesc = 0;
++ rdp->gpnum = rnp->gpnum;
++ }
++}
++
+ static void note_new_gpnum(struct rcu_state *rsp, struct rcu_data *rdp)
+ {
+- rdp->qs_pending = 1;
+- rdp->passed_quiesc = 0;
+- rdp->gpnum = rsp->gpnum;
++ unsigned long flags;
++ struct rcu_node *rnp;
++
++ local_irq_save(flags);
++ rnp = rdp->mynode;
++ if (rdp->gpnum == ACCESS_ONCE(rnp->gpnum) || /* outside lock. */
++ !spin_trylock(&rnp->lock)) { /* irqs already off, retry later. */
++ local_irq_restore(flags);
++ return;
++ }
++ __note_new_gpnum(rsp, rnp, rdp);
++ spin_unlock_irqrestore(&rnp->lock, flags);
+ }
+
+ /*
+@@ -635,6 +655,9 @@ rcu_start_gp_per_cpu(struct rcu_state *r
+ */
+ rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
+ rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
++
++ /* Set state so that this CPU will detect the next quiescent state. */
++ __note_new_gpnum(rsp, rnp, rdp);
+ }
+
+ /*
+@@ -662,7 +685,6 @@ rcu_start_gp(struct rcu_state *rsp, unsi
+ rsp->jiffies_force_qs = jiffies + RCU_JIFFIES_TILL_FORCE_QS;
+ record_gp_stall_check_time(rsp);
+ dyntick_record_completed(rsp, rsp->completed - 1);
+- note_new_gpnum(rsp, rdp);
+
+ /* Special-case the common single-level case. */
+ if (NUM_RCU_NODES == 1) {
--- /dev/null
+From d09b62dfa336447c52a5ec9bb88adbc479b0f3b8 Mon Sep 17 00:00:00 2001
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Date: Mon, 2 Nov 2009 13:52:28 -0800
+Subject: rcu: Fix synchronization for rcu_process_gp_end() uses of ->completed counter
+
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+
+commit d09b62dfa336447c52a5ec9bb88adbc479b0f3b8 upstream.
+
+Impose a clear locking design on the rcu_process_gp_end()
+function's use of the ->completed counter. This is done by
+creating a ->completed field in the rcu_node structure, which
+can safely be accessed under the protection of that structure's
+lock. Performance and scalability are maintained by using a
+form of double-checked locking, so that rcu_process_gp_end()
+only acquires the leaf rcu_node structure's ->lock if a grace
+period has recently ended.
+
+This fix reduces rcutorture failure rate by at least two orders
+of magnitude under heavy stress with force_quiescent_state()
+being invoked artificially often. Without this fix,
+unsynchronized access to the ->completed field can cause
+rcu_process_gp_end() to advance callbacks whose grace period has
+not yet expired. (Bad idea!)
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: laijs@cn.fujitsu.com
+Cc: dipankar@in.ibm.com
+Cc: mathieu.desnoyers@polymtl.ca
+Cc: josh@joshtriplett.org
+Cc: dvhltc@us.ibm.com
+Cc: niv@us.ibm.com
+Cc: peterz@infradead.org
+Cc: rostedt@goodmis.org
+Cc: Valdis.Kletnieks@vt.edu
+Cc: dhowells@redhat.com
+LKML-Reference: <12571987494069-git-send-email->
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/rcutree.c | 128 ++++++++++++++++++++++++++++++++++---------------------
+ kernel/rcutree.h | 3 +
+ 2 files changed, 83 insertions(+), 48 deletions(-)
+
+--- a/kernel/rcutree.c
++++ b/kernel/rcutree.c
+@@ -568,6 +568,76 @@ check_for_new_grace_period(struct rcu_st
+ }
+
+ /*
++ * Advance this CPU's callbacks, but only if the current grace period
++ * has ended. This may be called only from the CPU to whom the rdp
++ * belongs. In addition, the corresponding leaf rcu_node structure's
++ * ->lock must be held by the caller, with irqs disabled.
++ */
++static void
++__rcu_process_gp_end(struct rcu_state *rsp, struct rcu_node *rnp, struct rcu_data *rdp)
++{
++ /* Did another grace period end? */
++ if (rdp->completed != rnp->completed) {
++
++ /* Advance callbacks. No harm if list empty. */
++ rdp->nxttail[RCU_DONE_TAIL] = rdp->nxttail[RCU_WAIT_TAIL];
++ rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_READY_TAIL];
++ rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
++
++ /* Remember that we saw this grace-period completion. */
++ rdp->completed = rnp->completed;
++ }
++}
++
++/*
++ * Advance this CPU's callbacks, but only if the current grace period
++ * has ended. This may be called only from the CPU to whom the rdp
++ * belongs.
++ */
++static void
++rcu_process_gp_end(struct rcu_state *rsp, struct rcu_data *rdp)
++{
++ unsigned long flags;
++ struct rcu_node *rnp;
++
++ local_irq_save(flags);
++ rnp = rdp->mynode;
++ if (rdp->completed == ACCESS_ONCE(rnp->completed) || /* outside lock. */
++ !spin_trylock(&rnp->lock)) { /* irqs already off, retry later. */
++ local_irq_restore(flags);
++ return;
++ }
++ __rcu_process_gp_end(rsp, rnp, rdp);
++ spin_unlock_irqrestore(&rnp->lock, flags);
++}
++
++/*
++ * Do per-CPU grace-period initialization for running CPU. The caller
++ * must hold the lock of the leaf rcu_node structure corresponding to
++ * this CPU.
++ */
++static void
++rcu_start_gp_per_cpu(struct rcu_state *rsp, struct rcu_node *rnp, struct rcu_data *rdp)
++{
++ /* Prior grace period ended, so advance callbacks for current CPU. */
++ __rcu_process_gp_end(rsp, rnp, rdp);
++
++ /*
++ * Because this CPU just now started the new grace period, we know
++ * that all of its callbacks will be covered by this upcoming grace
++ * period, even the ones that were registered arbitrarily recently.
++ * Therefore, advance all outstanding callbacks to RCU_WAIT_TAIL.
++ *
++ * Other CPUs cannot be sure exactly when the grace period started.
++ * Therefore, their recently registered callbacks must pass through
++ * an additional RCU_NEXT_READY stage, so that they will be handled
++ * by the next RCU grace period.
++ */
++ rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
++ rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
++}
++
++/*
+ * Start a new RCU grace period if warranted, re-initializing the hierarchy
+ * in preparation for detecting the next grace period. The caller must hold
+ * the root node's ->lock, which is released before return. Hard irqs must
+@@ -594,26 +664,14 @@ rcu_start_gp(struct rcu_state *rsp, unsi
+ dyntick_record_completed(rsp, rsp->completed - 1);
+ note_new_gpnum(rsp, rdp);
+
+- /*
+- * Because this CPU just now started the new grace period, we know
+- * that all of its callbacks will be covered by this upcoming grace
+- * period, even the ones that were registered arbitrarily recently.
+- * Therefore, advance all outstanding callbacks to RCU_WAIT_TAIL.
+- *
+- * Other CPUs cannot be sure exactly when the grace period started.
+- * Therefore, their recently registered callbacks must pass through
+- * an additional RCU_NEXT_READY stage, so that they will be handled
+- * by the next RCU grace period.
+- */
+- rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
+- rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
+-
+ /* Special-case the common single-level case. */
+ if (NUM_RCU_NODES == 1) {
+ rcu_preempt_check_blocked_tasks(rnp);
+ rnp->qsmask = rnp->qsmaskinit;
+ rnp->gpnum = rsp->gpnum;
++ rnp->completed = rsp->completed;
+ rsp->signaled = RCU_SIGNAL_INIT; /* force_quiescent_state OK. */
++ rcu_start_gp_per_cpu(rsp, rnp, rdp);
+ spin_unlock_irqrestore(&rnp->lock, flags);
+ return;
+ }
+@@ -646,6 +704,9 @@ rcu_start_gp(struct rcu_state *rsp, unsi
+ rcu_preempt_check_blocked_tasks(rnp);
+ rnp->qsmask = rnp->qsmaskinit;
+ rnp->gpnum = rsp->gpnum;
++ rnp->completed = rsp->completed;
++ if (rnp == rdp->mynode)
++ rcu_start_gp_per_cpu(rsp, rnp, rdp);
+ spin_unlock(&rnp->lock); /* irqs remain disabled. */
+ }
+
+@@ -657,34 +718,6 @@ rcu_start_gp(struct rcu_state *rsp, unsi
+ }
+
+ /*
+- * Advance this CPU's callbacks, but only if the current grace period
+- * has ended. This may be called only from the CPU to whom the rdp
+- * belongs.
+- */
+-static void
+-rcu_process_gp_end(struct rcu_state *rsp, struct rcu_data *rdp)
+-{
+- long completed_snap;
+- unsigned long flags;
+-
+- local_irq_save(flags);
+- completed_snap = ACCESS_ONCE(rsp->completed); /* outside of lock. */
+-
+- /* Did another grace period end? */
+- if (rdp->completed != completed_snap) {
+-
+- /* Advance callbacks. No harm if list empty. */
+- rdp->nxttail[RCU_DONE_TAIL] = rdp->nxttail[RCU_WAIT_TAIL];
+- rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_READY_TAIL];
+- rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL];
+-
+- /* Remember that we saw this grace-period completion. */
+- rdp->completed = completed_snap;
+- }
+- local_irq_restore(flags);
+-}
+-
+-/*
+ * Clean up after the prior grace period and let rcu_start_gp() start up
+ * the next grace period if one is needed. Note that the caller must
+ * hold rnp->lock, as required by rcu_start_gp(), which will release it.
+@@ -695,7 +728,6 @@ static void cpu_quiet_msk_finish(struct
+ WARN_ON_ONCE(!rcu_gp_in_progress(rsp));
+ rsp->completed = rsp->gpnum;
+ rsp->signaled = RCU_GP_IDLE;
+- rcu_process_gp_end(rsp, rsp->rda[smp_processor_id()]);
+ rcu_start_gp(rsp, flags); /* releases root node's rnp->lock. */
+ }
+
+@@ -1537,21 +1569,16 @@ static void __cpuinit
+ rcu_init_percpu_data(int cpu, struct rcu_state *rsp, int preemptable)
+ {
+ unsigned long flags;
+- long lastcomp;
+ unsigned long mask;
+ struct rcu_data *rdp = rsp->rda[cpu];
+ struct rcu_node *rnp = rcu_get_root(rsp);
+
+ /* Set up local state, ensuring consistent view of global state. */
+ spin_lock_irqsave(&rnp->lock, flags);
+- lastcomp = rsp->completed;
+- rdp->completed = lastcomp;
+- rdp->gpnum = lastcomp;
+ rdp->passed_quiesc = 0; /* We could be racing with new GP, */
+ rdp->qs_pending = 1; /* so set up to respond to current GP. */
+ rdp->beenonline = 1; /* We have now been online. */
+ rdp->preemptable = preemptable;
+- rdp->passed_quiesc_completed = lastcomp - 1;
+ rdp->qlen_last_fqs_check = 0;
+ rdp->n_force_qs_snap = rsp->n_force_qs;
+ rdp->blimit = blimit;
+@@ -1573,6 +1600,11 @@ rcu_init_percpu_data(int cpu, struct rcu
+ spin_lock(&rnp->lock); /* irqs already disabled. */
+ rnp->qsmaskinit |= mask;
+ mask = rnp->grpmask;
++ if (rnp == rdp->mynode) {
++ rdp->gpnum = rnp->completed; /* if GP in progress... */
++ rdp->completed = rnp->completed;
++ rdp->passed_quiesc_completed = rnp->completed - 1;
++ }
+ spin_unlock(&rnp->lock); /* irqs already disabled. */
+ rnp = rnp->parent;
+ } while (rnp != NULL && !(rnp->qsmaskinit & mask));
+--- a/kernel/rcutree.h
++++ b/kernel/rcutree.h
+@@ -84,6 +84,9 @@ struct rcu_node {
+ long gpnum; /* Current grace period for this node. */
+ /* This will either be equal to or one */
+ /* behind the root rcu_node's gpnum. */
++ long completed; /* Last grace period completed for this node. */
++ /* This will either be equal to or one */
++ /* behind the root rcu_node's gpnum. */
+ unsigned long qsmask; /* CPUs or groups that need to switch in */
+ /* order for current grace period to proceed.*/
+ /* In leaf rcu_node, each bit corresponds to */
--- /dev/null
+From 281d150c5f8892f158747594ab49ce2823fd8b8c Mon Sep 17 00:00:00 2001
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Date: Mon, 2 Nov 2009 13:52:27 -0800
+Subject: rcu: Prepare for synchronization fixes: clean up for non-NO_HZ handling of ->completed counter
+
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+
+commit 281d150c5f8892f158747594ab49ce2823fd8b8c upstream.
+
+Impose a clear locking design on non-NO_HZ handling of the
+->completed counter. This increases the distance between the
+RCU and the CPU-hotplug mechanisms.
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: laijs@cn.fujitsu.com
+Cc: dipankar@in.ibm.com
+Cc: mathieu.desnoyers@polymtl.ca
+Cc: josh@joshtriplett.org
+Cc: dvhltc@us.ibm.com
+Cc: niv@us.ibm.com
+Cc: peterz@infradead.org
+Cc: rostedt@goodmis.org
+Cc: Valdis.Kletnieks@vt.edu
+Cc: dhowells@redhat.com
+LKML-Reference: <12571987491353-git-send-email->
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/rcutree.c | 67 ++++++++++++++++++++++++-------------------------------
+ kernel/rcutree.h | 8 +++---
+ 2 files changed, 34 insertions(+), 41 deletions(-)
+
+--- a/kernel/rcutree.c
++++ b/kernel/rcutree.c
+@@ -176,9 +176,29 @@ static struct rcu_node *rcu_get_root(str
+ return &rsp->node[0];
+ }
+
++/*
++ * Record the specified "completed" value, which is later used to validate
++ * dynticks counter manipulations and CPU-offline checks. Specify
++ * "rsp->completed - 1" to unconditionally invalidate any future dynticks
++ * manipulations and CPU-offline checks. Such invalidation is useful at
++ * the beginning of a grace period.
++ */
++static void dyntick_record_completed(struct rcu_state *rsp, long comp)
++{
++ rsp->dynticks_completed = comp;
++}
++
+ #ifdef CONFIG_SMP
+
+ /*
++ * Recall the previously recorded value of the completion for dynticks.
++ */
++static long dyntick_recall_completed(struct rcu_state *rsp)
++{
++ return rsp->dynticks_completed;
++}
++
++/*
+ * If the specified CPU is offline, tell the caller that it is in
+ * a quiescent state. Otherwise, whack it with a reschedule IPI.
+ * Grace periods can end up waiting on an offline CPU when that
+@@ -335,28 +355,9 @@ void rcu_irq_exit(void)
+ set_need_resched();
+ }
+
+-/*
+- * Record the specified "completed" value, which is later used to validate
+- * dynticks counter manipulations. Specify "rsp->completed - 1" to
+- * unconditionally invalidate any future dynticks manipulations (which is
+- * useful at the beginning of a grace period).
+- */
+-static void dyntick_record_completed(struct rcu_state *rsp, long comp)
+-{
+- rsp->dynticks_completed = comp;
+-}
+-
+ #ifdef CONFIG_SMP
+
+ /*
+- * Recall the previously recorded value of the completion for dynticks.
+- */
+-static long dyntick_recall_completed(struct rcu_state *rsp)
+-{
+- return rsp->dynticks_completed;
+-}
+-
+-/*
+ * Snapshot the specified CPU's dynticks counter so that we can later
+ * credit them with an implicit quiescent state. Return 1 if this CPU
+ * is in dynticks idle mode, which is an extended quiescent state.
+@@ -419,24 +420,8 @@ static int rcu_implicit_dynticks_qs(stru
+
+ #else /* #ifdef CONFIG_NO_HZ */
+
+-static void dyntick_record_completed(struct rcu_state *rsp, long comp)
+-{
+-}
+-
+ #ifdef CONFIG_SMP
+
+-/*
+- * If there are no dynticks, then the only way that a CPU can passively
+- * be in a quiescent state is to be offline. Unlike dynticks idle, which
+- * is a point in time during the prior (already finished) grace period,
+- * an offline CPU is always in a quiescent state, and thus can be
+- * unconditionally applied. So just return the current value of completed.
+- */
+-static long dyntick_recall_completed(struct rcu_state *rsp)
+-{
+- return rsp->completed;
+-}
+-
+ static int dyntick_save_progress_counter(struct rcu_data *rdp)
+ {
+ return 0;
+@@ -1144,6 +1129,7 @@ static void force_quiescent_state(struct
+ long lastcomp;
+ struct rcu_node *rnp = rcu_get_root(rsp);
+ u8 signaled;
++ u8 forcenow;
+
+ if (!rcu_gp_in_progress(rsp))
+ return; /* No grace period in progress, nothing to force. */
+@@ -1180,16 +1166,23 @@ static void force_quiescent_state(struct
+ if (rcu_process_dyntick(rsp, lastcomp,
+ dyntick_save_progress_counter))
+ goto unlock_ret;
++ /* fall into next case. */
++
++ case RCU_SAVE_COMPLETED:
+
+ /* Update state, record completion counter. */
++ forcenow = 0;
+ spin_lock(&rnp->lock);
+ if (lastcomp == rsp->completed &&
+- rsp->signaled == RCU_SAVE_DYNTICK) {
++ rsp->signaled == signaled) {
+ rsp->signaled = RCU_FORCE_QS;
+ dyntick_record_completed(rsp, lastcomp);
++ forcenow = signaled == RCU_SAVE_COMPLETED;
+ }
+ spin_unlock(&rnp->lock);
+- break;
++ if (!forcenow)
++ break;
++ /* fall into next case. */
+
+ case RCU_FORCE_QS:
+
+--- a/kernel/rcutree.h
++++ b/kernel/rcutree.h
+@@ -204,11 +204,12 @@ struct rcu_data {
+ #define RCU_GP_IDLE 0 /* No grace period in progress. */
+ #define RCU_GP_INIT 1 /* Grace period being initialized. */
+ #define RCU_SAVE_DYNTICK 2 /* Need to scan dyntick state. */
+-#define RCU_FORCE_QS 3 /* Need to force quiescent state. */
++#define RCU_SAVE_COMPLETED 3 /* Need to save rsp->completed. */
++#define RCU_FORCE_QS 4 /* Need to force quiescent state. */
+ #ifdef CONFIG_NO_HZ
+ #define RCU_SIGNAL_INIT RCU_SAVE_DYNTICK
+ #else /* #ifdef CONFIG_NO_HZ */
+-#define RCU_SIGNAL_INIT RCU_FORCE_QS
++#define RCU_SIGNAL_INIT RCU_SAVE_COMPLETED
+ #endif /* #else #ifdef CONFIG_NO_HZ */
+
+ #define RCU_JIFFIES_TILL_FORCE_QS 3 /* for rsp->jiffies_force_qs */
+@@ -274,9 +275,8 @@ struct rcu_state {
+ unsigned long jiffies_stall; /* Time at which to check */
+ /* for CPU stalls. */
+ #endif /* #ifdef CONFIG_RCU_CPU_STALL_DETECTOR */
+-#ifdef CONFIG_NO_HZ
+ long dynticks_completed; /* Value of completed @ snap. */
+-#endif /* #ifdef CONFIG_NO_HZ */
++ /* Protected by fqslock. */
+ };
+
+ #ifdef RCU_TREE_NONCORE
--- /dev/null
+From dbe01350fa8ce0c11948ab7d6be71a4d901be151 Mon Sep 17 00:00:00 2001
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Date: Tue, 10 Nov 2009 13:37:19 -0800
+Subject: rcu: Remove inline from forward-referenced functions
+
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+
+commit dbe01350fa8ce0c11948ab7d6be71a4d901be151 upstream.
+
+Some variants of gcc are reputed to dislike forward references
+to functions declared "inline". Remove the "inline" keyword
+from such functions.
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: laijs@cn.fujitsu.com
+Cc: dipankar@in.ibm.com
+Cc: mathieu.desnoyers@polymtl.ca
+Cc: josh@joshtriplett.org
+Cc: dvhltc@us.ibm.com
+Cc: niv@us.ibm.com
+Cc: peterz@infradead.org
+Cc: rostedt@goodmis.org
+Cc: Valdis.Kletnieks@vt.edu
+Cc: dhowells@redhat.com
+Cc: Benjamin Gilbert <bgilbert@cs.cmu.edu
+LKML-Reference: <12578890422402-git-send-email->
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/rcutree.h | 2 +-
+ kernel/rcutree_plugin.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/rcutree.h
++++ b/kernel/rcutree.h
+@@ -301,7 +301,7 @@ DECLARE_PER_CPU(struct rcu_data, rcu_pre
+ #else /* #ifdef RCU_TREE_NONCORE */
+
+ /* Forward declarations for rcutree_plugin.h */
+-static inline void rcu_bootup_announce(void);
++static void rcu_bootup_announce(void);
+ long rcu_batches_completed(void);
+ static void rcu_preempt_note_context_switch(int cpu);
+ static int rcu_preempted_readers(struct rcu_node *rnp);
+--- a/kernel/rcutree_plugin.h
++++ b/kernel/rcutree_plugin.h
+@@ -33,7 +33,7 @@ DEFINE_PER_CPU(struct rcu_data, rcu_pree
+ /*
+ * Tell them what RCU they are running.
+ */
+-static inline void rcu_bootup_announce(void)
++static void rcu_bootup_announce(void)
+ {
+ printk(KERN_INFO
+ "Experimental preemptable hierarchical RCU implementation.\n");
+@@ -481,7 +481,7 @@ void exit_rcu(void)
+ /*
+ * Tell them what RCU they are running.
+ */
+-static inline void rcu_bootup_announce(void)
++static void rcu_bootup_announce(void)
+ {
+ printk(KERN_INFO "Hierarchical RCU implementation.\n");
+ }
--- /dev/null
+From cf87b7439ec81b9374e7772e44e9cb2eb9e57160 Mon Sep 17 00:00:00 2001
+From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Date: Mon, 7 Dec 2009 12:44:42 +0100
+Subject: [S390] s390: clear high-order bits of registers after sam64
+
+From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+
+commit cf87b7439ec81b9374e7772e44e9cb2eb9e57160 upstream.
+
+When the kernel is IPLed without the CLEAR option and switches
+to 64-bit, the high-order half of the registers might contain
+random values. This can cause addressing exceptions and the
+kernel enters an interrupt loop.
+
+Initialize the high-order half of the general purpose registers
+with zeros after switching to 64-bit mode.
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/kernel/head64.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/kernel/head64.S
++++ b/arch/s390/kernel/head64.S
+@@ -83,6 +83,8 @@ startup_continue:
+ slr %r0,%r0 # set cpuid to zero
+ sigp %r1,%r0,0x12 # switch to esame mode
+ sam64 # switch to 64 bit mode
++ llgfr %r13,%r13 # clear high-order half of base reg
++ lmh %r0,%r15,.Lzero64-.LPG1(%r13) # clear high-order half
+ lctlg %c0,%c15,.Lctl-.LPG1(%r13) # load control registers
+ lg %r12,.Lparmaddr-.LPG1(%r13) # pointer to parameter area
+ # move IPL device to lowcore
+@@ -127,6 +129,7 @@ startup_continue:
+ .L4malign:.quad 0xffffffffffc00000
+ .Lscan2g:.quad 0x80000000 + 0x20000 - 8 # 2GB + 128K - 8
+ .Lnop: .long 0x07000700
++.Lzero64:.fill 16,4,0x0
+ #ifdef CONFIG_ZFCPDUMP
+ .Lcurrent_cpu:
+ .long 0x0
--- /dev/null
+From a1f84a3ab8e002159498814eaa7e48c33752b04b Mon Sep 17 00:00:00 2001
+From: Mike Galbraith <efault@gmx.de>
+Date: Tue, 27 Oct 2009 15:35:38 +0100
+Subject: sched: Check for an idle shared cache in select_task_rq_fair()
+
+From: Mike Galbraith <efault@gmx.de>
+
+commit a1f84a3ab8e002159498814eaa7e48c33752b04b upstream.
+
+When waking affine, check for an idle shared cache, and if
+found, wake to that CPU/sibling instead of the waker's CPU.
+
+This improves pgsql+oltp ramp up by roughly 8%. Possibly more
+for other loads, depending on overlap. The trade-off is a
+roughly 1% peak downturn if tasks are truly synchronous.
+
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Cc: Arjan van de Ven <arjan@infradead.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+LKML-Reference: <1256654138.17752.7.camel@marge.simson.net>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched_fair.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched_fair.c
++++ b/kernel/sched_fair.c
+@@ -1398,11 +1398,36 @@ static int select_task_rq_fair(struct ta
+ want_sd = 0;
+ }
+
+- if (want_affine && (tmp->flags & SD_WAKE_AFFINE) &&
+- cpumask_test_cpu(prev_cpu, sched_domain_span(tmp))) {
++ if (want_affine && (tmp->flags & SD_WAKE_AFFINE)) {
++ int candidate = -1, i;
+
+- affine_sd = tmp;
+- want_affine = 0;
++ if (cpumask_test_cpu(prev_cpu, sched_domain_span(tmp)))
++ candidate = cpu;
++
++ /*
++ * Check for an idle shared cache.
++ */
++ if (tmp->flags & SD_PREFER_SIBLING) {
++ if (candidate == cpu) {
++ if (!cpu_rq(prev_cpu)->cfs.nr_running)
++ candidate = prev_cpu;
++ }
++
++ if (candidate == -1 || candidate == cpu) {
++ for_each_cpu(i, sched_domain_span(tmp)) {
++ if (!cpu_rq(i)->cfs.nr_running) {
++ candidate = i;
++ break;
++ }
++ }
++ }
++ }
++
++ if (candidate >= 0) {
++ affine_sd = tmp;
++ want_affine = 0;
++ cpu = candidate;
++ }
+ }
+
+ if (!want_sd && !want_affine)
--- /dev/null
+From fd210738f6601d0fb462df9a2fe5a41896ff6a8f Mon Sep 17 00:00:00 2001
+From: Mike Galbraith <efault@gmx.de>
+Date: Thu, 5 Nov 2009 10:57:46 +0100
+Subject: sched: Fix affinity logic in select_task_rq_fair()
+
+From: Mike Galbraith <efault@gmx.de>
+
+commit fd210738f6601d0fb462df9a2fe5a41896ff6a8f upstream.
+
+Ingo Molnar reported:
+
+[ 26.804000] BUG: using smp_processor_id() in preemptible [00000000] code: events/1/10
+[ 26.808000] caller is vmstat_update+0x26/0x70
+[ 26.812000] Pid: 10, comm: events/1 Not tainted 2.6.32-rc5 #6887
+[ 26.816000] Call Trace:
+[ 26.820000] [<c1924a24>] ? printk+0x28/0x3c
+[ 26.824000] [<c13258a0>] debug_smp_processor_id+0xf0/0x110
+[ 26.824000] mount used greatest stack depth: 1464 bytes left
+[ 26.828000] [<c111d086>] vmstat_update+0x26/0x70
+[ 26.832000] [<c1086418>] worker_thread+0x188/0x310
+[ 26.836000] [<c10863b7>] ? worker_thread+0x127/0x310
+[ 26.840000] [<c108d310>] ? autoremove_wake_function+0x0/0x60
+[ 26.844000] [<c1086290>] ? worker_thread+0x0/0x310
+[ 26.848000] [<c108cf0c>] kthread+0x7c/0x90
+[ 26.852000] [<c108ce90>] ? kthread+0x0/0x90
+[ 26.856000] [<c100c0a7>] kernel_thread_helper+0x7/0x10
+[ 26.860000] BUG: using smp_processor_id() in preemptible [00000000] code: events/1/10
+[ 26.864000] caller is vmstat_update+0x3c/0x70
+
+Because this commit:
+
+ a1f84a3: sched: Check for an idle shared cache in select_task_rq_fair()
+
+broke ->cpus_allowed.
+
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: arjan@infradead.org
+LKML-Reference: <1257415066.12867.1.camel@marge.simson.net>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched_fair.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched_fair.c
++++ b/kernel/sched_fair.c
+@@ -1415,6 +1415,8 @@ static int select_task_rq_fair(struct ta
+
+ if (candidate == -1 || candidate == cpu) {
+ for_each_cpu(i, sched_domain_span(tmp)) {
++ if (!cpumask_test_cpu(i, &p->cpus_allowed))
++ continue;
+ if (!cpu_rq(i)->cfs.nr_running) {
+ candidate = i;
+ break;
--- /dev/null
+From eae0c9dfb534cb3449888b9601228efa6480fdb5 Mon Sep 17 00:00:00 2001
+From: Mike Galbraith <efault@gmx.de>
+Date: Tue, 10 Nov 2009 03:50:02 +0100
+Subject: sched: Fix and clean up rate-limit newidle code
+
+From: Mike Galbraith <efault@gmx.de>
+
+commit eae0c9dfb534cb3449888b9601228efa6480fdb5 upstream.
+
+Commit 1b9508f, "Rate-limit newidle" has been confirmed to fix
+the netperf UDP loopback regression reported by Alex Shi.
+
+This is a cleanup and a fix:
+
+ - moved to a more out of the way spot
+
+ - fix to ensure that balancing doesn't try to balance
+ runqueues which haven't gone online yet, which can
+ mess up CPU enumeration during boot.
+
+Reported-by: Alex Shi <alex.shi@intel.com>
+Reported-by: Zhang, Yanmin <yanmin_zhang@linux.intel.com>
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: <stable@kernel.org> # .32.x: a1f84a3: sched: Check for an idle shared cache
+Cc: <stable@kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle
+Cc: <stable@kernel.org> # .32.x: fd21073: sched: Fix affinity logic
+Cc: <stable@kernel.org> # .32.x
+LKML-Reference: <1257821402.5648.17.camel@marge.simson.net>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -2386,17 +2386,6 @@ static int try_to_wake_up(struct task_st
+ if (rq != orig_rq)
+ update_rq_clock(rq);
+
+- if (rq->idle_stamp) {
+- u64 delta = rq->clock - rq->idle_stamp;
+- u64 max = 2*sysctl_sched_migration_cost;
+-
+- if (delta > max)
+- rq->avg_idle = max;
+- else
+- update_avg(&rq->avg_idle, delta);
+- rq->idle_stamp = 0;
+- }
+-
+ WARN_ON(p->state != TASK_WAKING);
+ cpu = task_cpu(p);
+
+@@ -2453,6 +2442,17 @@ out_running:
+ #ifdef CONFIG_SMP
+ if (p->sched_class->task_wake_up)
+ p->sched_class->task_wake_up(rq, p);
++
++ if (unlikely(rq->idle_stamp)) {
++ u64 delta = rq->clock - rq->idle_stamp;
++ u64 max = 2*sysctl_sched_migration_cost;
++
++ if (delta > max)
++ rq->avg_idle = max;
++ else
++ update_avg(&rq->avg_idle, delta);
++ rq->idle_stamp = 0;
++ }
+ #endif
+ out:
+ task_rq_unlock(rq, &flags);
+@@ -4139,7 +4139,7 @@ static int load_balance(int this_cpu, st
+ unsigned long flags;
+ struct cpumask *cpus = __get_cpu_var(load_balance_tmpmask);
+
+- cpumask_setall(cpus);
++ cpumask_copy(cpus, cpu_online_mask);
+
+ /*
+ * When power savings policy is enabled for the parent domain, idle
+@@ -4302,7 +4302,7 @@ load_balance_newidle(int this_cpu, struc
+ int all_pinned = 0;
+ struct cpumask *cpus = __get_cpu_var(load_balance_tmpmask);
+
+- cpumask_setall(cpus);
++ cpumask_copy(cpus, cpu_online_mask);
+
+ /*
+ * When power savings policy is enabled for the parent domain, idle
+@@ -9542,6 +9542,8 @@ void __init sched_init(void)
+ rq->cpu = i;
+ rq->online = 0;
+ rq->migration_thread = NULL;
++ rq->idle_stamp = 0;
++ rq->avg_idle = 2*sysctl_sched_migration_cost;
+ INIT_LIST_HEAD(&rq->migration_queue);
+ rq_attach_root(rq, &def_root_domain);
+ #endif
--- /dev/null
+From 1b9508f6831e10d53256825de8904caa22d1ca2c Mon Sep 17 00:00:00 2001
+From: Mike Galbraith <efault@gmx.de>
+Date: Wed, 4 Nov 2009 17:53:50 +0100
+Subject: sched: Rate-limit newidle
+
+From: Mike Galbraith <efault@gmx.de>
+
+commit 1b9508f6831e10d53256825de8904caa22d1ca2c upstream.
+
+Rate limit newidle to migration_cost. It's a win for all
+stages of sysbench oltp tests.
+
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+LKML-Reference: <new-submission>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched.c | 22 +++++++++++++++++++++-
+ kernel/sched_debug.c | 4 ++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -591,6 +591,8 @@ struct rq {
+
+ u64 rt_avg;
+ u64 age_stamp;
++ u64 idle_stamp;
++ u64 avg_idle;
+ #endif
+
+ /* calc_load related fields */
+@@ -2384,6 +2386,17 @@ static int try_to_wake_up(struct task_st
+ if (rq != orig_rq)
+ update_rq_clock(rq);
+
++ if (rq->idle_stamp) {
++ u64 delta = rq->clock - rq->idle_stamp;
++ u64 max = 2*sysctl_sched_migration_cost;
++
++ if (delta > max)
++ rq->avg_idle = max;
++ else
++ update_avg(&rq->avg_idle, delta);
++ rq->idle_stamp = 0;
++ }
++
+ WARN_ON(p->state != TASK_WAKING);
+ cpu = task_cpu(p);
+
+@@ -4429,6 +4442,11 @@ static void idle_balance(int this_cpu, s
+ int pulled_task = 0;
+ unsigned long next_balance = jiffies + HZ;
+
++ this_rq->idle_stamp = this_rq->clock;
++
++ if (this_rq->avg_idle < sysctl_sched_migration_cost)
++ return;
++
+ for_each_domain(this_cpu, sd) {
+ unsigned long interval;
+
+@@ -4443,8 +4461,10 @@ static void idle_balance(int this_cpu, s
+ interval = msecs_to_jiffies(sd->balance_interval);
+ if (time_after(next_balance, sd->last_balance + interval))
+ next_balance = sd->last_balance + interval;
+- if (pulled_task)
++ if (pulled_task) {
++ this_rq->idle_stamp = 0;
+ break;
++ }
+ }
+ if (pulled_task || time_after(jiffies, this_rq->next_balance)) {
+ /*
+--- a/kernel/sched_debug.c
++++ b/kernel/sched_debug.c
+@@ -285,12 +285,16 @@ static void print_cpu(struct seq_file *m
+
+ #ifdef CONFIG_SCHEDSTATS
+ #define P(n) SEQ_printf(m, " .%-30s: %d\n", #n, rq->n);
++#define P64(n) SEQ_printf(m, " .%-30s: %Ld\n", #n, rq->n);
+
+ P(yld_count);
+
+ P(sched_switch);
+ P(sched_count);
+ P(sched_goidle);
++#ifdef CONFIG_SMP
++ P64(avg_idle);
++#endif
+
+ P(ttwu_count);
+ P(ttwu_local);
usb-usb-storage-fix-bug-in-fill_inquiry.patch
usb-option-add-pid-for-zte.patch
firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch
+rcu-prepare-for-synchronization-fixes-clean-up-for-non-no_hz-handling-of-completed-counter.patch
+rcu-fix-synchronization-for-rcu_process_gp_end-uses-of-completed-counter.patch
+rcu-fix-note_new_gpnum-uses-of-gpnum.patch
+rcu-remove-inline-from-forward-referenced-functions.patch
+perf_event-fix-invalid-type-in-ioctl-definition.patch
+perf_event-initialize-data.period-in-perf_swevent_hrtimer.patch
+perf-don-t-free-perf_mmap_data-until-work-has-been-done.patch
+pm-runtime-fix-lockdep-warning-in-__pm_runtime_set_status.patch
+sched-check-for-an-idle-shared-cache-in-select_task_rq_fair.patch
+sched-fix-affinity-logic-in-select_task_rq_fair.patch
+sched-rate-limit-newidle.patch
+sched-fix-and-clean-up-rate-limit-newidle-code.patch
+x86-amd-iommu-attach-devices-to-pre-allocated-domains-early.patch
+x86-amd-iommu-un__init-iommu_setup_msi.patch
+x86-calgary-iommu-quirk-find-nearest-matching-calgary-while-walking-up-the-pci-tree.patch
+x86-fix-iommu-nodac-parameter-handling.patch
+x86-gart-pci-gart_64.c-use-correct-length-in-strncmp.patch
+x86-asus-p4s800-reboot-bios-quirk.patch
+x86-apic-enable-lapic-nmi-watchdog-on-amd-family-11h.patch
+ssb-fix-range-check-in-sprom-write.patch
+ath5k-allow-setting-txpower-to-0.patch
+ath5k-enable-eeprom-checksum-check.patch
+hrtimer-fix-proc-timer_list-regression.patch
+alsa-hrtimer-fix-lock-up.patch
+alsa-hda-terradici-hda-controllers-does-not-support-64-bit-mode.patch
+kvm-x86-emulator-limit-instructions-to-15-bytes.patch
+kvm-s390-fix-prefix-register-checking-in-arch-s390-kvm-sigp.c.patch
+kvm-s390-make-psw-available-on-all-exits-not-just-a-subset.patch
+kvm-fix-irq_source_id-size-verification.patch
+kvm-x86-include-pvclock-msrs-in-msrs_to_save.patch
+x86-prevent-gcc-4.4.x-pentium-mmx-et-al-function-prologue-wreckage.patch
+x86-use-maccumulate-outgoing-args-for-sane-mcount-prologues.patch
+x86-mce-don-t-restart-timer-if-disabled.patch
+x86-mce-set-up-timer-unconditionally.patch
+x86-sgi-uv-fix-bau-initialization.patch
+x86-fix-duplicated-uv-bau-interrupt-vector.patch
+x86-add-new-intel-cpu-cache-size-descriptors.patch
+x86-fix-typo-in-intel-cpu-cache-size-descriptor.patch
+pata_hpt-37x-3x2n-fix-timing-register-masks-take-2.patch
+s390-clear-high-order-bits-of-registers-after-sam64.patch
+v4l-dvb-fix-test-in-copy_reg_bits.patch
+bsdacct-fix-uid-gid-misreporting.patch
+ubi-flush-wl-before-clearing-update-marker.patch
+jbd2-don-t-wipe-the-journal-on-a-failed-journal-checksum.patch
+usb-xhci-add-correct-email-and-files-to-maintainers-entry.patch
+usb-musb_gadget_ep0-fix-unhandled-endpoint-0-irqs-again.patch
+usb-option.c-add-support-for-d-link-dwm-162-u5.patch
+usb-usbtmc-repeat-usb_bulk_msg-until-whole-message-is-transfered.patch
+usb-usb-storage-add-bad_sense-flag.patch
+usb-close-usb_find_interface-race-v3.patch
+pxa-em-x270-fix-usb-hub-power-up-reset-sequence.patch
+hfs-fix-a-potential-buffer-overflow.patch
+sunrpc-is_err-ptr_err-confusion.patch
+nfs-fix-nfs_migrate_page.patch
+md-bitmap-protect-against-bitmap-removal-while-being-updated.patch
+futex-take-mmap_sem-for-get_user_pages-in-fault_in_user_writeable.patch
+devpts_get_tty-should-validate-inode.patch
+debugfs-fix-create-mutex-racy-fops-and-private-data.patch
--- /dev/null
+From e33761e6f23881de9f3ee77cc2204ab2e26f3d9a Mon Sep 17 00:00:00 2001
+From: Michael Buesch <mb@bu3sch.de>
+Date: Mon, 23 Nov 2009 20:58:06 +0100
+Subject: ssb: Fix range check in sprom write
+
+From: Michael Buesch <mb@bu3sch.de>
+
+commit e33761e6f23881de9f3ee77cc2204ab2e26f3d9a upstream.
+
+The range check in the sprom image parser hex2sprom() is broken.
+One sprom word is 4 hex characters.
+This fixes the check and also adds much better sanity checks to the code.
+We better make sure the image is OK by doing some sanity checks to avoid
+bricking the device by accident.
+
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/sprom.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/ssb/sprom.c
++++ b/drivers/ssb/sprom.c
+@@ -13,6 +13,8 @@
+
+ #include "ssb_private.h"
+
++#include <linux/ctype.h>
++
+
+ static const struct ssb_sprom *fallback_sprom;
+
+@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, c
+ static int hex2sprom(u16 *sprom, const char *dump, size_t len,
+ size_t sprom_size_words)
+ {
+- char tmp[5] = { 0 };
+- int cnt = 0;
++ char c, tmp[5] = { 0 };
++ int err, cnt = 0;
+ unsigned long parsed;
+
+- if (len < sprom_size_words * 2)
++ /* Strip whitespace at the end. */
++ while (len) {
++ c = dump[len - 1];
++ if (!isspace(c) && c != '\0')
++ break;
++ len--;
++ }
++ /* Length must match exactly. */
++ if (len != sprom_size_words * 4)
+ return -EINVAL;
+
+ while (cnt < sprom_size_words) {
+ memcpy(tmp, dump, 4);
+ dump += 4;
+- parsed = simple_strtoul(tmp, NULL, 16);
++ err = strict_strtoul(tmp, 16, &parsed);
++ if (err)
++ return err;
+ sprom[cnt++] = swab16((u16)parsed);
+ }
+
--- /dev/null
+From 480e3243df156e39eea6c91057e2ae612a6bbe19 Mon Sep 17 00:00:00 2001
+From: Roel Kluin <roel.kluin@gmail.com>
+Date: Tue, 8 Dec 2009 13:13:03 -0500
+Subject: SUNRPC: IS_ERR/PTR_ERR confusion
+
+From: Roel Kluin <roel.kluin@gmail.com>
+
+commit 480e3243df156e39eea6c91057e2ae612a6bbe19 upstream.
+
+IS_ERR returns 1 or 0, PTR_ERR returns the error value.
+
+Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/auth_gss/auth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -485,7 +485,7 @@ gss_refresh_upcall(struct rpc_task *task
+ dprintk("RPC: %5u gss_refresh_upcall for uid %u\n", task->tk_pid,
+ cred->cr_uid);
+ gss_msg = gss_setup_upcall(task->tk_client, gss_auth, cred);
+- if (IS_ERR(gss_msg) == -EAGAIN) {
++ if (PTR_ERR(gss_msg) == -EAGAIN) {
+ /* XXX: warning on the first, under the assumption we
+ * shouldn't normally hit this case on a refresh. */
+ warn_gssd();
--- /dev/null
+From 6afaf8a484cbbfd2ccf58a4e5396d1f280469789 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Sun, 29 Nov 2009 19:46:02 +0100
+Subject: UBI: flush wl before clearing update marker
+
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+
+commit 6afaf8a484cbbfd2ccf58a4e5396d1f280469789 upstream.
+
+ubiupdatevol -t does the following:
+- ubi_start_update()
+ - set_update_marker()
+ - for all LEBs ubi_eba_unmap_leb()
+ - clear_update_marker()
+ - ubi_wl_flush()
+
+ubi_wl_flush() physically erases all PEB, once it returns all PEBs are
+empty. clear_update_marker() has the update marker written after return.
+If there is a power cut between the last two functions then the UBI
+volume has no longer the "update" marker set and may have some valid
+LEBs while some of them may be gone.
+If that volume in question happens to be a UBIFS volume, then mount
+will fail with
+
+|UBIFS error (pid 1361): ubifs_read_node: bad node type (255 but expected 6)
+|UBIFS error (pid 1361): ubifs_read_node: bad node at LEB 0:0
+|Not a node, first 24 bytes:
+|00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+if there is at least one valid LEB and the wear-leveling worker managed
+to clear LEB 0.
+
+The patch waits for the wl worker to finish prior clearing the "update"
+marker on flash. The two new LEB which are scheduled for erasing after
+clear_update_marker() should not matter because they are only visible to
+UBI.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mtd/ubi/upd.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/mtd/ubi/upd.c
++++ b/drivers/mtd/ubi/upd.c
+@@ -147,12 +147,14 @@ int ubi_start_update(struct ubi_device *
+ }
+
+ if (bytes == 0) {
++ err = ubi_wl_flush(ubi);
++ if (err)
++ return err;
++
+ err = clear_update_marker(ubi, vol, 0);
+ if (err)
+ return err;
+- err = ubi_wl_flush(ubi);
+- if (!err)
+- vol->updating = 0;
++ vol->updating = 0;
+ }
+
+ vol->upd_buf = vmalloc(ubi->leb_size);
+@@ -362,16 +364,16 @@ int ubi_more_update_data(struct ubi_devi
+
+ ubi_assert(vol->upd_received <= vol->upd_bytes);
+ if (vol->upd_received == vol->upd_bytes) {
++ err = ubi_wl_flush(ubi);
++ if (err)
++ return err;
+ /* The update is finished, clear the update marker */
+ err = clear_update_marker(ubi, vol, vol->upd_bytes);
+ if (err)
+ return err;
+- err = ubi_wl_flush(ubi);
+- if (err == 0) {
+- vol->updating = 0;
+- err = to_write;
+- vfree(vol->upd_buf);
+- }
++ vol->updating = 0;
++ err = to_write;
++ vfree(vol->upd_buf);
+ }
+
+ return err;
--- /dev/null
+From c2d284ee04ab6f6718de2ddcf1b43160e046c41d Mon Sep 17 00:00:00 2001
+From: Russ Dill <Russ.Dill@gmail.com>
+Date: Mon, 14 Dec 2009 21:45:35 -0700
+Subject: USB: Close usb_find_interface race v3
+
+From: Russ Dill <Russ.Dill@gmail.com>
+
+commit c2d284ee04ab6f6718de2ddcf1b43160e046c41d upstream.
+
+USB drivers that create character devices call usb_register_dev in their
+probe function. This associates the usb_interface device with that minor
+number and creates the character device and announces it to the world.
+However, the driver's probe function is called before the new
+usb_interface is added to the driver's klist_devices.
+
+This is a problem because userspace will respond to the character device
+creation announcement by opening the character device. The driver's open
+function will the call usb_find_interface to find the usb_interface
+associated with that minor number. usb_find_interface will walk the
+driver's list of devices and find the usb_interface with the matching
+minor number.
+
+Because the announcement happens before the usb_interface is added to the
+driver's klist_devices, a race condition exists. A straightforward fix
+is to walk the list of devices on usb_bus_type instead since the device
+is added to that list before the announcement occurs.
+
+bus_find_device calls get_device to bump the reference count on the found
+device. It is arguable that the reference count should be dropped by the
+caller of usb_find_interface instead of usb_find_interface, however,
+the current users of usb_find_interface do not expect this.
+
+The original version of this patch only matched against minor number
+instead of driver and minor number. This version matches against both.
+
+Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/usb.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -132,7 +132,7 @@ EXPORT_SYMBOL_GPL(usb_altnum_to_altsetti
+
+ struct find_interface_arg {
+ int minor;
+- struct usb_interface *interface;
++ struct device_driver *drv;
+ };
+
+ static int __find_interface(struct device *dev, void *data)
+@@ -143,12 +143,10 @@ static int __find_interface(struct devic
+ if (!is_usb_interface(dev))
+ return 0;
+
++ if (dev->driver != arg->drv)
++ return 0;
+ intf = to_usb_interface(dev);
+- if (intf->minor != -1 && intf->minor == arg->minor) {
+- arg->interface = intf;
+- return 1;
+- }
+- return 0;
++ return intf->minor == arg->minor;
+ }
+
+ /**
+@@ -156,21 +154,24 @@ static int __find_interface(struct devic
+ * @drv: the driver whose current configuration is considered
+ * @minor: the minor number of the desired device
+ *
+- * This walks the driver device list and returns a pointer to the interface
+- * with the matching minor. Note, this only works for devices that share the
+- * USB major number.
++ * This walks the bus device list and returns a pointer to the interface
++ * with the matching minor and driver. Note, this only works for devices
++ * that share the USB major number.
+ */
+ struct usb_interface *usb_find_interface(struct usb_driver *drv, int minor)
+ {
+ struct find_interface_arg argb;
+- int retval;
++ struct device *dev;
+
+ argb.minor = minor;
+- argb.interface = NULL;
+- /* eat the error, it will be in argb.interface */
+- retval = driver_for_each_device(&drv->drvwrap.driver, NULL, &argb,
+- __find_interface);
+- return argb.interface;
++ argb.drv = &drv->drvwrap.driver;
++
++ dev = bus_find_device(&usb_bus_type, NULL, &argb, __find_interface);
++
++ /* Drop reference count from bus_find_device */
++ put_device(dev);
++
++ return dev ? to_usb_interface(dev) : NULL;
+ }
+ EXPORT_SYMBOL_GPL(usb_find_interface);
+
--- /dev/null
+From 196f1b7a387546f425df2f1fad26772e3d513aea Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Date: Mon, 16 Nov 2009 16:24:05 +0530
+Subject: USB: musb_gadget_ep0: fix unhandled endpoint 0 IRQs, again
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+commit 196f1b7a387546f425df2f1fad26772e3d513aea upstream.
+
+Commit a5073b52833e4df8e16c93dc4cbb7e0c558c74a2 (musb_gadget: fix
+unhandled endpoint 0 IRQs) somehow missed its key change:
+
+"The gadget EP0 code routinely ignores an interrupt at end of
+the data phase because of musb_g_ep0_giveback() resetting the
+state machine to "idle, waiting for SETUP" phase prematurely."
+
+So, the majority of the cases of unhandled IRQs is still unfixed...
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Anand Gadiyar <gadiyar@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/musb/musb_gadget_ep0.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_gadget_ep0.c
++++ b/drivers/usb/musb/musb_gadget_ep0.c
+@@ -199,7 +199,6 @@ service_in_request(struct musb *musb, co
+ static void musb_g_ep0_giveback(struct musb *musb, struct usb_request *req)
+ {
+ musb_g_giveback(&musb->endpoints[0].ep_in, req, 0);
+- musb->ep0_state = MUSB_EP0_STAGE_SETUP;
+ }
+
+ /*
--- /dev/null
+From 54a8e144acad6506920f385f4ef2779664f05b21 Mon Sep 17 00:00:00 2001
+From: Zhang Le <r0bertz@gentoo.org>
+Date: Tue, 17 Nov 2009 14:53:42 -0800
+Subject: USB: option.c: add support for D-Link DWM-162-U5
+
+From: Zhang Le <r0bertz@gentoo.org>
+
+commit 54a8e144acad6506920f385f4ef2779664f05b21 upstream.
+
+Add D-Link DWM-162-U5 device id 1e0e:ce16 into option driver. The device
+has 4 interfaces, of which 1 is handled by storage and the other 3 by
+option driver.
+
+The device appears first as CD-only 05c6:2100 device and must be switched
+to 1e0e:ce16 mode either by using "eject CD" or usb_modeswitch.
+
+The MessageContent for usb_modeswitch.conf is:
+"55534243e0c26a85000000000000061b000000020000000000000000000000"
+
+Signed-off-by: Zhang Le <r0bertz@gentoo.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -635,6 +635,7 @@ static struct usb_device_id option_ids[]
+ { USB_DEVICE(TOSHIBA_VENDOR_ID, TOSHIBA_PRODUCT_G450) },
+ { USB_DEVICE(TOSHIBA_VENDOR_ID, TOSHIBA_PRODUCT_HSDPA_MINICARD ) }, /* Toshiba 3G HSDPA == Novatel Expedite EU870D MiniCard */
+ { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) },
++ { USB_DEVICE(ALINK_VENDOR_ID, 0xce16) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S) },
+ { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
--- /dev/null
+From a0bb108112a872c0b0c4b3ef4974f95fb75b155d Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 7 Dec 2009 16:39:16 -0500
+Subject: USB: usb-storage: add BAD_SENSE flag
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit a0bb108112a872c0b0c4b3ef4974f95fb75b155d upstream.
+
+This patch (as1311) fixes a problem in usb-storage: Some devices are
+pretty broken when it comes to reporting sense data. The information
+they send back indicates that they have more than 18 bytes of sense
+data available, but when the system asks for more than 18 they fail or
+hang. The symptom is that probing fails with multiple resets.
+
+The patch adds a new BAD_SENSE flag to indicate that usb-storage
+should never ask for more than 18 bytes of sense data. The flag can
+be set in an unusual_devs entry or via the "quirks=" module parameter,
+and it is set automatically whenever a REQUEST SENSE command for more
+than 18 bytes fails or times out.
+
+An unusual_devs entry is added for the Agfa photo frame, which uses a
+Prolific chip having this bug.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Daniel Kukula <daniel.kuku@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -2663,6 +2663,8 @@ and is between 256 and 4096 characters. It is defined in the file
+ to a common usb-storage quirk flag as follows:
+ a = SANE_SENSE (collect more than 18 bytes
+ of sense data);
++ b = BAD_SENSE (don't collect more than 18
++ bytes of sense data);
+ c = FIX_CAPACITY (decrease the reported
+ device capacity by one sector);
+ h = CAPACITY_HEURISTICS (decrease the
+diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
+index 589f6b4..cc313d1 100644
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -666,10 +666,11 @@ void usb_stor_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
+ * to wait for at least one CHECK_CONDITION to determine
+ * SANE_SENSE support
+ */
+- if ((srb->cmnd[0] == ATA_16 || srb->cmnd[0] == ATA_12) &&
++ if (unlikely((srb->cmnd[0] == ATA_16 || srb->cmnd[0] == ATA_12) &&
+ result == USB_STOR_TRANSPORT_GOOD &&
+ !(us->fflags & US_FL_SANE_SENSE) &&
+- !(srb->cmnd[2] & 0x20)) {
++ !(us->fflags & US_FL_BAD_SENSE) &&
++ !(srb->cmnd[2] & 0x20))) {
+ US_DEBUGP("-- SAT supported, increasing auto-sense\n");
+ us->fflags |= US_FL_SANE_SENSE;
+ }
+@@ -718,6 +719,12 @@ Retry_Sense:
+ if (test_bit(US_FLIDX_TIMED_OUT, &us->dflags)) {
+ US_DEBUGP("-- auto-sense aborted\n");
+ srb->result = DID_ABORT << 16;
++
++ /* If SANE_SENSE caused this problem, disable it */
++ if (sense_size != US_SENSE_SIZE) {
++ us->fflags &= ~US_FL_SANE_SENSE;
++ us->fflags |= US_FL_BAD_SENSE;
++ }
+ goto Handle_Errors;
+ }
+
+@@ -727,10 +734,11 @@ Retry_Sense:
+ * (small) sense request. This fixes some USB GSM modems
+ */
+ if (temp_result == USB_STOR_TRANSPORT_FAILED &&
+- (us->fflags & US_FL_SANE_SENSE) &&
+- sense_size != US_SENSE_SIZE) {
++ sense_size != US_SENSE_SIZE) {
+ US_DEBUGP("-- auto-sense failure, retry small sense\n");
+ sense_size = US_SENSE_SIZE;
++ us->fflags &= ~US_FL_SANE_SENSE;
++ us->fflags |= US_FL_BAD_SENSE;
+ goto Retry_Sense;
+ }
+
+@@ -754,6 +762,7 @@ Retry_Sense:
+ */
+ if (srb->sense_buffer[7] > (US_SENSE_SIZE - 8) &&
+ !(us->fflags & US_FL_SANE_SENSE) &&
++ !(us->fflags & US_FL_BAD_SENSE) &&
+ (srb->sense_buffer[0] & 0x7C) == 0x70) {
+ US_DEBUGP("-- SANE_SENSE support enabled\n");
+ us->fflags |= US_FL_SANE_SENSE;
+diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
+index d4f034e..64a0a2c 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -818,6 +818,13 @@ UNUSUAL_DEV( 0x066f, 0x8000, 0x0001, 0x0001,
+ US_SC_DEVICE, US_PR_DEVICE, NULL,
+ US_FL_FIX_CAPACITY ),
+
++/* Reported by Daniel Kukula <daniel.kuku@gmail.com> */
++UNUSUAL_DEV( 0x067b, 0x1063, 0x0100, 0x0100,
++ "Prolific Technology, Inc.",
++ "Prolific Storage Gadget",
++ US_SC_DEVICE, US_PR_DEVICE, NULL,
++ US_FL_BAD_SENSE ),
++
+ /* Reported by Rogerio Brito <rbrito@ime.usp.br> */
+ UNUSUAL_DEV( 0x067b, 0x2317, 0x0001, 0x001,
+ "Prolific Technology, Inc.",
+diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c
+index 1599d86..f5c0264 100644
+--- a/drivers/usb/storage/usb.c
++++ b/drivers/usb/storage/usb.c
+@@ -463,6 +463,9 @@ static void adjust_quirks(struct us_data *us)
+ case 'a':
+ f |= US_FL_SANE_SENSE;
+ break;
++ case 'b':
++ f |= US_FL_BAD_SENSE;
++ break;
+ case 'c':
+ f |= US_FL_FIX_CAPACITY;
+ break;
+diff --git a/include/linux/usb_usual.h b/include/linux/usb_usual.h
+index 3d15fb9..a4b947e 100644
+--- a/include/linux/usb_usual.h
++++ b/include/linux/usb_usual.h
+@@ -56,7 +56,9 @@
+ US_FLAG(SANE_SENSE, 0x00008000) \
+ /* Sane Sense (> 18 bytes) */ \
+ US_FLAG(CAPACITY_OK, 0x00010000) \
+- /* READ CAPACITY response is correct */
++ /* READ CAPACITY response is correct */ \
++ US_FLAG(BAD_SENSE, 0x00020000) \
++ /* Bad Sense (never more than 18 bytes) */
+
+ #define US_FLAG(name, value) US_FL_##name = value ,
+ enum { US_DO_ALL_FLAGS };
--- /dev/null
+From ec412b92dbe3ea839716853eea058d1bcc5e6ca4 Mon Sep 17 00:00:00 2001
+From: Andre Herms <andre.herms@tec-venture.de>
+Date: Thu, 19 Nov 2009 18:14:49 +0100
+Subject: USB: usbtmc: repeat usb_bulk_msg until whole message is transfered
+
+From: Andre Herms <andre.herms@tec-venture.de>
+
+commit ec412b92dbe3ea839716853eea058d1bcc5e6ca4 upstream.
+
+usb_bulk_msg() transfers only bytes up to the maximum packet size.
+It must be repeated by the usbtmc driver until all bytes of a TMC message
+are transfered.
+
+Without this patch, ETIMEDOUT is reported when writing TMC messages
+larger than the maximum USB bulk size and the transfer remains incomplete.
+The user will notice that the device hangs and must be reset by either closing
+the application or pulling the plug.
+
+Signed-off-by: Andre Herms <andre.herms@tec-venture.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/usbtmc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -562,10 +562,16 @@ static ssize_t usbtmc_write(struct file
+ n_bytes = roundup(12 + this_part, 4);
+ memset(buffer + 12 + this_part, 0, n_bytes - (12 + this_part));
+
+- retval = usb_bulk_msg(data->usb_dev,
+- usb_sndbulkpipe(data->usb_dev,
+- data->bulk_out),
+- buffer, n_bytes, &actual, USBTMC_TIMEOUT);
++ do {
++ retval = usb_bulk_msg(data->usb_dev,
++ usb_sndbulkpipe(data->usb_dev,
++ data->bulk_out),
++ buffer, n_bytes,
++ &actual, USBTMC_TIMEOUT);
++ if (retval != 0)
++ break;
++ n_bytes -= actual;
++ } while (n_bytes);
+
+ data->bTag_last_write = data->bTag;
+ data->bTag++;
--- /dev/null
+From 36d0344c254a7b333272757f858c403ea3a2d29f Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Tue, 1 Dec 2009 10:37:07 -0800
+Subject: USB: xhci: Add correct email and files to MAINTAINERS entry.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit 36d0344c254a7b333272757f858c403ea3a2d29f upstream.
+
+Add the xHCI driver files to its MAINTAINERS entry so that I'm Cc'd on
+cleanup patches. Update the email address to one I actually use for
+sending patches and responding to Linux mailing list emails.
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ MAINTAINERS | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -5594,9 +5594,11 @@ S: Maintained
+ F: drivers/net/wireless/rndis_wlan.c
+
+ USB XHCI DRIVER
+-M: Sarah Sharp <sarah.a.sharp@intel.com>
++M: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+ L: linux-usb@vger.kernel.org
+ S: Supported
++F: drivers/usb/host/xhci*
++F: drivers/usb/host/pci-quirks*
+
+ USB ZC0301 DRIVER
+ M: Luca Risolia <luca.risolia@studio.unibo.it>
--- /dev/null
+From c95a419a5604ec8a23cd73f61e9bb151e8cbe89b Mon Sep 17 00:00:00 2001
+From: Roel Kluin <roel.kluin@gmail.com>
+Date: Fri, 20 Nov 2009 15:34:13 -0300
+Subject: V4L/DVB: Fix test in copy_reg_bits()
+
+From: Roel Kluin <roel.kluin@gmail.com>
+
+commit c95a419a5604ec8a23cd73f61e9bb151e8cbe89b upstream.
+
+The reg_pair2[j].reg was tested twice.
+
+Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
+Acked-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/common/tuners/mxl5007t.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/common/tuners/mxl5007t.c
++++ b/drivers/media/common/tuners/mxl5007t.c
+@@ -196,7 +196,7 @@ static void copy_reg_bits(struct reg_pai
+ i = j = 0;
+
+ while (reg_pair1[i].reg || reg_pair1[i].val) {
+- while (reg_pair2[j].reg || reg_pair2[j].reg) {
++ while (reg_pair2[j].reg || reg_pair2[j].val) {
+ if (reg_pair1[i].reg != reg_pair2[j].reg) {
+ j++;
+ continue;
--- /dev/null
+From 85160b92fbd35321104819283c91bfed2b553e3c Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Tue, 10 Nov 2009 13:49:24 -0500
+Subject: x86: Add new Intel CPU cache size descriptors
+
+From: Dave Jones <davej@redhat.com>
+
+commit 85160b92fbd35321104819283c91bfed2b553e3c upstream.
+
+The latest rev of Intel doc AP-485 details new cache descriptors
+that we don't yet support. 12MB, 18MB and 24MB 24-way assoc L3
+caches.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+LKML-Reference: <20091110184924.GA20337@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
+@@ -102,6 +102,9 @@ static const struct _cache_table __cpuin
+ { 0xe2, LVL_3, 2048 }, /* 16-way set assoc, 64 byte line size */
+ { 0xe3, LVL_3, 4096 }, /* 16-way set assoc, 64 byte line size */
+ { 0xe4, LVL_3, 8192 }, /* 16-way set assoc, 64 byte line size */
++ { 0xea, LVL_3, 12288 }, /* 24-way set assoc, 64 byte line size */
++ { 0xeb, LVL_3, 18432 }, /* 24-way set assoc, 64 byte line size */
++ { 0xec, LVL_3, 24576 }, /* 24-way set assoc, 64 byte line size */
+ { 0x00, 0, 0}
+ };
+
--- /dev/null
+From be831297716036de5b24308447ecb69f1706a846 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Mon, 23 Nov 2009 12:50:00 +0100
+Subject: x86/amd-iommu: attach devices to pre-allocated domains early
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit be831297716036de5b24308447ecb69f1706a846 upstream.
+
+For some devices the ACPI table may define unity map
+requirements which must me met when the IOMMU is enabled. So
+we need to attach devices to their domains as early as
+possible so that these mappings are in place when needed.
+This patch assigns the domains right after they are
+allocated. Otherwise this can result in I/O page faults
+before a driver binds to a device and BIOS is still using
+it.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/amd_iommu.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/amd_iommu.c
++++ b/arch/x86/kernel/amd_iommu.c
+@@ -2047,10 +2047,10 @@ static void prealloc_protection_domains(
+ struct pci_dev *dev = NULL;
+ struct dma_ops_domain *dma_dom;
+ struct amd_iommu *iommu;
+- u16 devid;
++ u16 devid, __devid;
+
+ while ((dev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, dev)) != NULL) {
+- devid = calc_devid(dev->bus->number, dev->devfn);
++ __devid = devid = calc_devid(dev->bus->number, dev->devfn);
+ if (devid > amd_iommu_last_bdf)
+ continue;
+ devid = amd_iommu_alias_table[devid];
+@@ -2065,6 +2065,10 @@ static void prealloc_protection_domains(
+ init_unity_mappings_for_device(dma_dom, devid);
+ dma_dom->target_dev = devid;
+
++ attach_device(iommu, &dma_dom->domain, devid);
++ if (__devid != devid)
++ attach_device(iommu, &dma_dom->domain, __devid);
++
+ list_add_tail(&dma_dom->list, &iommu_pd_list);
+ }
+ }
--- /dev/null
+From 9f800de38b05d84809e89f16671d636a140eede7 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Mon, 23 Nov 2009 12:45:25 +0100
+Subject: x86/amd-iommu: un__init iommu_setup_msi
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit 9f800de38b05d84809e89f16671d636a140eede7 upstream.
+
+This function may be called on the resume path and can not
+be dropped after booting.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/amd_iommu_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/amd_iommu_init.c
++++ b/arch/x86/kernel/amd_iommu_init.c
+@@ -925,7 +925,7 @@ static int __init init_iommu_all(struct
+ *
+ ****************************************************************************/
+
+-static int __init iommu_setup_msi(struct amd_iommu *iommu)
++static int iommu_setup_msi(struct amd_iommu *iommu)
+ {
+ int r;
+
--- /dev/null
+From 7d1849aff6687a135a8da3a75e32a00e3137a5e2 Mon Sep 17 00:00:00 2001
+From: Mikael Pettersson <mikpe@it.uu.se>
+Date: Thu, 3 Dec 2009 15:52:44 +0100
+Subject: x86, apic: Enable lapic nmi watchdog on AMD Family 11h
+
+From: Mikael Pettersson <mikpe@it.uu.se>
+
+commit 7d1849aff6687a135a8da3a75e32a00e3137a5e2 upstream.
+
+The x86 lapic nmi watchdog does not recognize AMD Family 11h,
+resulting in:
+
+ NMI watchdog: CPU not supported
+
+As far as I can see from available documentation (the BKDM),
+family 11h looks identical to family 10h as far as the PMU
+is concerned.
+
+Extending the check to accept family 11h results in:
+
+ Testing NMI watchdog ... OK.
+
+I've been running with this change on a Turion X2 Ultra ZM-82
+laptop for a couple of weeks now without problems.
+
+Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
+Cc: Andreas Herrmann <andreas.herrmann3@amd.com>
+Cc: Joerg Roedel <joerg.roedel@amd.com>
+LKML-Reference: <19223.53436.931768.278021@pilspetsen.it.uu.se>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/perfctr-watchdog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perfctr-watchdog.c
++++ b/arch/x86/kernel/cpu/perfctr-watchdog.c
+@@ -712,7 +712,7 @@ static void probe_nmi_watchdog(void)
+ switch (boot_cpu_data.x86_vendor) {
+ case X86_VENDOR_AMD:
+ if (boot_cpu_data.x86 != 6 && boot_cpu_data.x86 != 15 &&
+- boot_cpu_data.x86 != 16)
++ boot_cpu_data.x86 != 16 && boot_cpu_data.x86 != 17)
+ return;
+ wd_ops = &k7_wd_ops;
+ break;
--- /dev/null
+From 4832ddda2ec4df96ea1eed334ae2dbd65fc1f541 Mon Sep 17 00:00:00 2001
+From: Leann Ogasawara <leann.ogasawara@canonical.com>
+Date: Fri, 4 Dec 2009 15:42:22 -0800
+Subject: x86: ASUS P4S800 reboot=bios quirk
+
+From: Leann Ogasawara <leann.ogasawara@canonical.com>
+
+commit 4832ddda2ec4df96ea1eed334ae2dbd65fc1f541 upstream.
+
+Bug reporter noted their system with an ASUS P4S800 motherboard would
+hang when rebooting unless reboot=b was specified. Their dmidecode
+didn't contain descriptive System Information for Manufacturer or
+Product Name, so I used their Base Board Information to create a
+reboot quirk patch. The bug reporter confirmed this patch resolves
+the reboot hang.
+
+Handle 0x0001, DMI type 1, 25 bytes
+System Information
+ Manufacturer: System Manufacturer
+ Product Name: System Name
+ Version: System Version
+ Serial Number: SYS-1234567890
+ UUID: E0BFCD8B-7948-D911-A953-E486B4EEB67F
+ Wake-up Type: Power Switch
+
+Handle 0x0002, DMI type 2, 8 bytes
+Base Board Information
+ Manufacturer: ASUSTeK Computer INC.
+ Product Name: P4S800
+ Version: REV 1.xx
+ Serial Number: xxxxxxxxxxx
+
+BugLink: http://bugs.launchpad.net/bugs/366682
+
+ASUS P4S800 will hang when rebooting unless reboot=b is specified.
+Add a quirk to reboot through the bios.
+
+Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
+LKML-Reference: <1259972107.4629.275.camel@emiko>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/reboot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -259,6 +259,14 @@ static struct dmi_system_id __initdata r
+ DMI_MATCH(DMI_PRODUCT_NAME, "SBC-FITPC2"),
+ },
+ },
++ { /* Handle problems with rebooting on ASUS P4S800 */
++ .callback = set_bios_reboot,
++ .ident = "ASUS P4S800",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From 4528752f49c1f4025473d12bc5fa9181085c3f22 Mon Sep 17 00:00:00 2001
+From: Darrick J. Wong <djwong@us.ibm.com>
+Date: Wed, 2 Dec 2009 15:05:56 -0800
+Subject: x86, Calgary IOMMU quirk: Find nearest matching Calgary while walking up the PCI tree
+
+From: Darrick J. Wong <djwong@us.ibm.com>
+
+commit 4528752f49c1f4025473d12bc5fa9181085c3f22 upstream.
+
+On a multi-node x3950M2 system, there's a slight oddity in the
+PCI device tree for all secondary nodes:
+
+ 30:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev e1)
+ \-33:00.0 PCI bridge: IBM CalIOC2 PCI-E Root Port (rev 01)
+ \-34:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS 1078 (rev 04)
+
+...as compared to the primary node:
+
+ 00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev e1)
+ \-01:00.0 VGA compatible controller: ATI Technologies Inc ES1000 (rev 02)
+ 03:00.0 PCI bridge: IBM CalIOC2 PCI-E Root Port (rev 01)
+ \-04:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS 1078 (rev 04)
+
+In both nodes, the LSI RAID controller hangs off a CalIOC2
+device, but on the secondary nodes, the BIOS hides the VGA
+device and substitutes the device tree ending with the disk
+controller.
+
+It would seem that Calgary devices don't necessarily appear at
+the top of the PCI tree, which means that the current code to
+find the Calgary IOMMU that goes with a particular device is
+buggy.
+
+Rather than walk all the way to the top of the PCI
+device tree and try to match bus number with Calgary descriptor,
+the code needs to examine each parent of the particular device;
+if it encounters a Calgary with a matching bus number, simply
+use that.
+
+Otherwise, we BUG() when the bus number of the Calgary doesn't
+match the bus number of whatever's at the top of the device tree.
+
+Extra note: This patch appears to work correctly for the x3950
+that came before the x3950 M2.
+
+Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
+Acked-by: Muli Ben-Yehuda <muli@il.ibm.com>
+Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Cc: Joerg Roedel <joerg.roedel@amd.com>
+Cc: Yinghai Lu <yhlu.kernel@gmail.com>
+Cc: Jon D. Mason <jdmason@kudzu.us>
+Cc: Corinna Schultz <coschult@us.ibm.com>
+LKML-Reference: <20091202230556.GG10295@tux1.beaverton.ibm.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/pci-calgary_64.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/pci-calgary_64.c
++++ b/arch/x86/kernel/pci-calgary_64.c
+@@ -318,13 +318,15 @@ static inline struct iommu_table *find_i
+
+ pdev = to_pci_dev(dev);
+
++ /* search up the device tree for an iommu */
+ pbus = pdev->bus;
+-
+- /* is the device behind a bridge? Look for the root bus */
+- while (pbus->parent)
++ do {
++ tbl = pci_iommu(pbus);
++ if (tbl && tbl->it_busno == pbus->number)
++ break;
++ tbl = NULL;
+ pbus = pbus->parent;
+-
+- tbl = pci_iommu(pbus);
++ } while (pbus);
+
+ BUG_ON(tbl && (tbl->it_busno != pbus->number));
+
--- /dev/null
+From 1d865fb728bd6bbcdfbd6ec1e2b8ade3b4805641 Mon Sep 17 00:00:00 2001
+From: Cliff Wickman <cpw@sgi.com>
+Date: Fri, 11 Dec 2009 11:36:18 -0600
+Subject: x86: Fix duplicated UV BAU interrupt vector
+
+From: Cliff Wickman <cpw@sgi.com>
+
+commit 1d865fb728bd6bbcdfbd6ec1e2b8ade3b4805641 upstream.
+
+Interrupt vector 0xec has been doubly defined in irq_vectors.h
+
+It seems arbitrary whether LOCAL_PENDING_VECTOR or
+UV_BAU_MESSAGE is the higher number. As long as they are
+unique. If they are not unique we'll hit a BUG in
+alloc_system_vector().
+
+Signed-off-by: Cliff Wickman <cpw@sgi.com>
+LKML-Reference: <E1NJ9Pe-0004P7-0Q@eag09.americas.sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/irq_vectors.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/irq_vectors.h
++++ b/arch/x86/include/asm/irq_vectors.h
+@@ -113,7 +113,7 @@
+ */
+ #define LOCAL_PENDING_VECTOR 0xec
+
+-#define UV_BAU_MESSAGE 0xec
++#define UV_BAU_MESSAGE 0xea
+
+ /*
+ * Self IPI vector for machine checks
--- /dev/null
+From 2ae8bb75db1f3de422eb5898f2a063c46c36dba8 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 26 Oct 2009 15:41:46 +0100
+Subject: x86: Fix iommu=nodac parameter handling
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 2ae8bb75db1f3de422eb5898f2a063c46c36dba8 upstream.
+
+iommu=nodac should forbid dac instead of enabling it. Fix it.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Cc: Matteo Frigo <athena@fftw.org>
+LKML-Reference: <4AE5B52A.4050408@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/pci-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/pci-dma.c
++++ b/arch/x86/kernel/pci-dma.c
+@@ -214,7 +214,7 @@ static __init int iommu_setup(char *p)
+ if (!strncmp(p, "allowdac", 8))
+ forbid_dac = 0;
+ if (!strncmp(p, "nodac", 5))
+- forbid_dac = -1;
++ forbid_dac = 1;
+ if (!strncmp(p, "usedac", 6)) {
+ forbid_dac = -1;
+ return 1;
--- /dev/null
+From e02e0e1a130b9ca37c5186d38ad4b3aaf58bb149 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Tue, 10 Nov 2009 15:01:20 -0500
+Subject: x86: Fix typo in Intel CPU cache size descriptor
+
+From: Dave Jones <davej@redhat.com>
+
+commit e02e0e1a130b9ca37c5186d38ad4b3aaf58bb149 upstream.
+
+I double-checked the datasheet. One of the existing
+descriptors has a typo: it should be 2MB not 2038 KB.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Cc: <stable@kernel.org> # .3x.x: 85160b9: x86: Add new Intel CPU cache size descriptors
+Cc: <stable@kernel.org> # .3x.x
+LKML-Reference: <20091110200120.GA27090@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
+@@ -94,7 +94,7 @@ static const struct _cache_table __cpuin
+ { 0xd1, LVL_3, 1024 }, /* 4-way set assoc, 64 byte line size */
+ { 0xd2, LVL_3, 2048 }, /* 4-way set assoc, 64 byte line size */
+ { 0xd6, LVL_3, 1024 }, /* 8-way set assoc, 64 byte line size */
+- { 0xd7, LVL_3, 2038 }, /* 8-way set assoc, 64 byte line size */
++ { 0xd7, LVL_3, 2048 }, /* 8-way set assoc, 64 byte line size */
+ { 0xd8, LVL_3, 4096 }, /* 12-way set assoc, 64 byte line size */
+ { 0xdc, LVL_3, 2048 }, /* 12-way set assoc, 64 byte line size */
+ { 0xdd, LVL_3, 4096 }, /* 12-way set assoc, 64 byte line size */
--- /dev/null
+From 41855b77547fa18d90ed6a5d322983d3fdab1959 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Mon, 9 Nov 2009 17:58:50 -0800
+Subject: x86: GART: pci-gart_64.c: Use correct length in strncmp
+
+From: Joe Perches <joe@perches.com>
+
+commit 41855b77547fa18d90ed6a5d322983d3fdab1959 upstream.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+LKML-Reference: <1257818330.12852.72.camel@Joe-Laptop.home>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/pci-gart_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/pci-gart_64.c
++++ b/arch/x86/kernel/pci-gart_64.c
+@@ -856,7 +856,7 @@ void __init gart_parse_options(char *p)
+ #endif
+ if (isdigit(*p) && get_option(&p, &arg))
+ iommu_size = arg;
+- if (!strncmp(p, "fullflush", 8))
++ if (!strncmp(p, "fullflush", 9))
+ iommu_fullflush = 1;
+ if (!strncmp(p, "nofullflush", 11))
+ iommu_fullflush = 0;
--- /dev/null
+From fe5ed91ddce85a0ed0e4f92c10b099873ef62167 Mon Sep 17 00:00:00 2001
+From: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+Date: Thu, 3 Dec 2009 11:33:08 +0900
+Subject: x86, mce: don't restart timer if disabled
+
+From: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+
+commit fe5ed91ddce85a0ed0e4f92c10b099873ef62167 upstream.
+
+Even it is in error path unlikely taken, add_timer_on() at
+CPU_DOWN_FAILED* needs to be skipped if mce_timer is disabled.
+
+Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Jan Beulich <jbeulich@novell.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -1991,9 +1991,11 @@ mce_cpu_callback(struct notifier_block *
+ break;
+ case CPU_DOWN_FAILED:
+ case CPU_DOWN_FAILED_FROZEN:
+- t->expires = round_jiffies(jiffies +
++ if (!mce_ignore_ce && check_interval) {
++ t->expires = round_jiffies(jiffies +
+ __get_cpu_var(mce_next_interval));
+- add_timer_on(t, cpu);
++ add_timer_on(t, cpu);
++ }
+ smp_call_function_single(cpu, mce_reenable_cpu, &action, 1);
+ break;
+ case CPU_POST_DEAD:
--- /dev/null
+From bc09effabf0c5c6c7021e5ef9af15a23579b32a8 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@novell.com>
+Date: Tue, 8 Dec 2009 11:21:37 +0900
+Subject: x86/mce: Set up timer unconditionally
+
+From: Jan Beulich <jbeulich@novell.com>
+
+commit bc09effabf0c5c6c7021e5ef9af15a23579b32a8 upstream.
+
+mce_timer must be passed to setup_timer() in all cases, no
+matter whether it is going to be actually used. Otherwise, when
+the CPU gets brought down, its call to del_timer_sync() will
+never return, as the timer won't have a base associated, and
+hence lock_timer_base() will loop infinitely.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
+LKML-Reference: <4B1DB831.2030801@jp.fujitsu.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -1374,13 +1374,14 @@ static void mce_init_timer(void)
+ struct timer_list *t = &__get_cpu_var(mce_timer);
+ int *n = &__get_cpu_var(mce_next_interval);
+
++ setup_timer(t, mcheck_timer, smp_processor_id());
++
+ if (mce_ignore_ce)
+ return;
+
+ *n = check_interval * HZ;
+ if (!*n)
+ return;
+- setup_timer(t, mcheck_timer, smp_processor_id());
+ t->expires = round_jiffies(jiffies + *n);
+ add_timer_on(t, smp_processor_id());
+ }
--- /dev/null
+From 746357d6a526d6da9d89a2ec645b28406e959c2e Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 20 Nov 2009 12:01:43 +0100
+Subject: x86: Prevent GCC 4.4.x (pentium-mmx et al) function prologue wreckage
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 746357d6a526d6da9d89a2ec645b28406e959c2e upstream.
+
+When the kernel is compiled with -pg for tracing GCC 4.4.x inserts
+stack alignment of a function _before_ the mcount prologue if the
+-march=pentium-mmx is set and -mtune=generic is not set. This breaks
+the assumption of the function graph tracer which expects that the
+mcount prologue
+
+ push %ebp
+ mov %esp, %ebp
+
+is the first stack operation in a function because it needs to modify
+the function return address on the stack to trap into the tracer
+before returning to the real caller.
+
+The generated code is:
+
+ push %edi
+ lea 0x8(%esp),%edi
+ and $0xfffffff0,%esp
+ pushl -0x4(%edi)
+ push %ebp
+ mov %esp,%ebp
+
+so the tracer modifies the copy of the return address which is stored
+after the stack alignment and therefor does not trap the return which
+in turn breaks the call chain logic of the tracer and leads to a
+kernel panic.
+
+Aside of the fact that the generated code is horrible for no good
+reason other -march -mtune options generate the expected:
+
+ push %ebp
+ mov %esp,%ebp
+ and $0xfffffff0,%esp
+
+which does the same and keeps everything intact.
+
+After some experimenting we found out that this problem is restricted
+to gcc4.4.x and to the following -march settings:
+
+i586, pentium, pentium-mmx, k6, k6-2, k6-3, winchip-c6, winchip2, c3,
+geode
+
+By adding -mtune=generic the code generator produces always the
+expected code.
+
+So forcing -mtune=generic when CONFIG_FUNCTION_GRAPH_TRACER=y is not
+pretty, but at the moment the only way to prevent that the kernel
+trips over gcc-shrooms induced code madness.
+
+Most distro kernels have CONFIG_X86_GENERIC=y anyway which forces
+-mtune=generic as well so it will not impact those.
+
+References: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109
+ http://lkml.org/lkml/2009/11/19/17
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+LKML-Reference: <alpine.LFD.2.00.0911200206570.24119@localhost.localdomain>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>,
+Cc: Jeff Law <law@redhat.com>
+Cc: gcc@gcc.gnu.org
+Cc: David Daney <ddaney@caviumnetworks.com>
+Cc: Andrew Haley <aph@redhat.com>
+Cc: Richard Guenther <richard.guenther@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/Makefile_32.cpu | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/Makefile_32.cpu
++++ b/arch/x86/Makefile_32.cpu
+@@ -46,6 +46,12 @@ cflags-$(CONFIG_MGEODEGX1) += -march=pen
+ # cpu entries
+ cflags-$(CONFIG_X86_GENERIC) += $(call tune,generic,$(call tune,i686))
+
++# Work around the pentium-mmx code generator madness of gcc4.4.x which
++# does stack alignment by generating horrible code _before_ the mcount
++# prologue (push %ebp, mov %esp, %ebp) which breaks the function graph
++# tracer assumptions
++cflags-$(CONFIG_FUNCTION_GRAPH_TRACER) += $(call cc-option,-mtune=generic)
++
+ # Bug fix for binutils: this option is required in order to keep
+ # binutils from generating NOPL instructions against our will.
+ ifneq ($(CONFIG_X86_P6_NOP),y)
--- /dev/null
+From e38e2af1c57c3eb5211331a5b4fcaae0c4a2a918 Mon Sep 17 00:00:00 2001
+From: Cliff Wickman <cpw@sgi.com>
+Date: Thu, 19 Nov 2009 17:12:43 -0600
+Subject: x86: SGI UV: Fix BAU initialization
+
+From: Cliff Wickman <cpw@sgi.com>
+
+commit e38e2af1c57c3eb5211331a5b4fcaae0c4a2a918 upstream.
+
+A memory mapped register that affects the SGI UV Broadcast
+Assist Unit's interrupt handling may sometimes be unintialized.
+
+Remove the condition on its initialization, as that condition
+can be randomly satisfied by a hardware reset.
+
+Signed-off-by: Cliff Wickman <cpw@sgi.com>
+LKML-Reference: <E1NBGB9-0005nU-Dp@eag09.americas.sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/tlb_uv.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/tlb_uv.c
++++ b/arch/x86/kernel/tlb_uv.c
+@@ -817,10 +817,8 @@ static int __init uv_init_blade(int blad
+ */
+ apicid = blade_to_first_apicid(blade);
+ pa = uv_read_global_mmr64(pnode, UVH_BAU_DATA_CONFIG);
+- if ((pa & 0xff) != UV_BAU_MESSAGE) {
+- uv_write_global_mmr64(pnode, UVH_BAU_DATA_CONFIG,
++ uv_write_global_mmr64(pnode, UVH_BAU_DATA_CONFIG,
+ ((apicid << 32) | UV_BAU_MESSAGE));
+- }
+ return 0;
+ }
+
--- /dev/null
+From b8b7d791a8ff01d2380089279a69afa99115fb23 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sat, 28 Nov 2009 15:03:03 +0100
+Subject: x86: Use -maccumulate-outgoing-args for sane mcount prologues
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit b8b7d791a8ff01d2380089279a69afa99115fb23 upstream.
+
+commit 746357d (x86: Prevent GCC 4.4.x (pentium-mmx et al) function
+prologue wreckage) uses -mtune=generic to work around the function
+prologue problem with mcount on -march=pentium-mmx and others.
+
+Jakub pointed out that we can use -maccumulate-outgoing-args instead
+which is selected by -mtune=generic and prevents the problem without
+losing the -march specific optimizations.
+
+Pointed-out-by: Jakub Jelinek <jakub@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/Makefile_32.cpu | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/Makefile_32.cpu
++++ b/arch/x86/Makefile_32.cpu
+@@ -49,8 +49,9 @@ cflags-$(CONFIG_X86_GENERIC) += $(call
+ # Work around the pentium-mmx code generator madness of gcc4.4.x which
+ # does stack alignment by generating horrible code _before_ the mcount
+ # prologue (push %ebp, mov %esp, %ebp) which breaks the function graph
+-# tracer assumptions
+-cflags-$(CONFIG_FUNCTION_GRAPH_TRACER) += $(call cc-option,-mtune=generic)
++# tracer assumptions. For i686, generic, core2 this is set by the
++# compiler anyway
++cflags-$(CONFIG_FUNCTION_GRAPH_TRACER) += $(call cc-option,-maccumulate-outgoing-args)
+
+ # Bug fix for binutils: this option is required in order to keep
+ # binutils from generating NOPL instructions against our will.
projects / thirdparty / kernel / stable-queue.git / commitdiff
