--- /dev/null
+From c68d2b1594548cda7f6dbac6a4d9d30a9b01558c Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 26 Oct 2009 16:50:05 -0700
+Subject: 8250_pci: add IBM Saturn serial card
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit c68d2b1594548cda7f6dbac6a4d9d30a9b01558c upstream.
+
+The IBM Saturn serial card has only one port. Without that fixup,
+the kernel thinks it has two, which confuses userland setup and
+admin tools as well.
+
+[akpm@linux-foundation.org: fix pci-ids.h layout]
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Alan Cox <alan@linux.intel.com>
+Cc: Michael Reed <mreed10@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/serial/8250_pci.c | 11 +++++++++++
+ include/linux/pci_ids.h | 3 +++
+ 2 files changed, 14 insertions(+)
+
+--- a/drivers/serial/8250_pci.c
++++ b/drivers/serial/8250_pci.c
+@@ -1218,6 +1218,7 @@ enum pci_board_num_t {
+ pbn_exar_XR17C152,
+ pbn_exar_XR17C154,
+ pbn_exar_XR17C158,
++ pbn_exar_ibm_saturn,
+ pbn_pasemi_1682M,
+ };
+
+@@ -1746,6 +1747,13 @@ static struct pciserial_board pci_boards
+ .base_baud = 921600,
+ .uart_offset = 0x200,
+ },
++ [pbn_exar_ibm_saturn] = {
++ .flags = FL_BASE0,
++ .num_ports = 1,
++ .base_baud = 921600,
++ .uart_offset = 0x200,
++ },
++
+ /*
+ * PA Semi PWRficient PA6T-1682M on-chip UART
+ */
+@@ -2217,6 +2225,9 @@ static struct pci_device_id serial_pci_t
+ PCI_SUBVENDOR_ID_CONNECT_TECH,
+ PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_485, 0, 0,
+ pbn_b0_8_1843200_200 },
++ { PCI_VENDOR_ID_EXAR, PCI_DEVICE_ID_EXAR_XR17C152,
++ PCI_VENDOR_ID_IBM, PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT,
++ 0, 0, pbn_exar_ibm_saturn },
+
+ { PCI_VENDOR_ID_SEALEVEL, PCI_DEVICE_ID_SEALEVEL_U530,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -478,6 +478,9 @@
+ #define PCI_DEVICE_ID_IBM_ICOM_V2_ONE_PORT_RVX_ONE_PORT_MDM_PCIE 0x0361
+ #define PCI_DEVICE_ID_IBM_ICOM_FOUR_PORT_MODEL 0x252
+
++#define PCI_SUBVENDOR_ID_IBM 0x1014
++#define PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT 0x03d4
++
+ #define PCI_VENDOR_ID_UNISYS 0x1018
+ #define PCI_DEVICE_ID_UNISYS_DMA_DIRECTOR 0x001C
+
--- /dev/null
+From d50bae33d1358b909ade05ae121d83d3a60ab63f Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Fri, 16 Oct 2009 10:18:09 -0500
+Subject: b43: Fix Bugzilla #14181 and the bug from the previous 'fix'
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream.
+
+"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
+in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
+radio switch was turned off, it was necessary to unload and reload
+the driver for it to recognize the switch again.
+
+This patch fixes both the original bug in #14181 and the bug introduced by
+the previous patch. It must be stated, however, that if there is a BCM4306/3
+with an rfkill switch (not yet proven), then the driver will need an
+unload/reload cycle to turn the device back on.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43/rfkill.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/rfkill.c
++++ b/drivers/net/wireless/b43/rfkill.c
+@@ -36,7 +36,8 @@ static bool b43_is_hw_radio_enabled(stru
+ & B43_MMIO_RADIO_HWENABLED_HI_MASK))
+ return 1;
+ } else {
+- if (b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
++ if (b43_status(dev) >= B43_STAT_STARTED &&
++ b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
+ & B43_MMIO_RADIO_HWENABLED_LO_MASK)
+ return 1;
+ }
--- /dev/null
+From aefba418bfecd1985a08f50a95bd854a119f0153 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri, 30 Oct 2009 17:02:31 +0900
+Subject: dpt_i2o: Fix typo of EINVAL
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit aefba418bfecd1985a08f50a95bd854a119f0153 upstream.
+
+Commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 ("dpt_i2o: Fix up
+copy*user") had a silly typo: EINVAL should be -EINVAL.
+
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Cc: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/dpt_i2o.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/dpt_i2o.c
++++ b/drivers/scsi/dpt_i2o.c
+@@ -1919,7 +1919,7 @@ static int adpt_i2o_passthru(adpt_hba* p
+ size = size>>16;
+ size *= 4;
+ if (size > MAX_MESSAGE_SIZE) {
+- rcode = EINVAL;
++ rcode = -EINVAL;
+ goto cleanup;
+ }
+ /* Copy in the user's I2O command */
--- /dev/null
+From ef7562b7f28319e6dd1f85dc1af87df2a7a84832 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 27 Oct 2009 15:35:35 +0000
+Subject: dpt_i2o: Fix up copy*user
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 upstream.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/dpt_i2o.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/dpt_i2o.c
++++ b/drivers/scsi/dpt_i2o.c
+@@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* p
+ }
+ size = size>>16;
+ size *= 4;
++ if (size > MAX_MESSAGE_SIZE) {
++ rcode = EINVAL;
++ goto cleanup;
++ }
+ /* Copy in the user's I2O command */
+ if (copy_from_user (msg, user_msg, size)) {
+ rcode = -EFAULT;
--- /dev/null
+From 39acbc12affcaa23ef1d887ba3d197baca8e6e47 Mon Sep 17 00:00:00 2001
+From: Stas Sergeev <stsp@aknet.ru>
+Date: Sun, 18 Oct 2009 00:31:38 +0400
+Subject: Driver core: fix driver_register() return value
+
+From: Stas Sergeev <stsp@aknet.ru>
+
+commit 39acbc12affcaa23ef1d887ba3d197baca8e6e47 upstream.
+
+In this patch:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16dc42e018c2868211b4928f20a957c0c216126c
+the check was added for another driver to already claim the same device
+on the same bus. But the returned error code was wrong: to modprobe, the
+-EEXIST means that _this_ driver is already installed. It therefore
+doesn't produce the needed error message when _another_ driver is trying
+to register for the same device. Returning -EBUSY fixes the problem.
+
+Signed-off-by: Stas Sergeev <stsp@aknet.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/driver.c
++++ b/drivers/base/driver.c
+@@ -227,7 +227,7 @@ int driver_register(struct device_driver
+ put_driver(other);
+ printk(KERN_ERR "Error: Driver '%s' is already registered, "
+ "aborting...\n", drv->name);
+- return -EEXIST;
++ return -EBUSY;
+ }
+
+ ret = bus_add_driver(drv);
--- /dev/null
+From ad3960243e55320d74195fb85c975e0a8cc4466c Mon Sep 17 00:00:00 2001
+From: Earl Chew <earl_chew@agilent.com>
+Date: Mon, 19 Oct 2009 15:55:41 -0700
+Subject: fs: pipe.c null pointer dereference
+
+From: Earl Chew <earl_chew@agilent.com>
+
+commit ad3960243e55320d74195fb85c975e0a8cc4466c upstream.
+
+This patch fixes a null pointer exception in pipe_rdwr_open() which
+generates the stack trace:
+
+> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
+> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
+> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
+> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
+> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
+> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
+
+The failure mode is triggered by an attempt to open an anonymous
+pipe via /proc/pid/fd/* as exemplified by this script:
+
+=============================================================
+while : ; do
+ { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
+ PID=$!
+ OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
+ { read PID REST ; echo $PID; } )
+ OUT="${OUT%% *}"
+ DELAY=$((RANDOM * 1000 / 32768))
+ usleep $((DELAY * 1000 + RANDOM % 1000 ))
+ echo n > /proc/$OUT/fd/1 # Trigger defect
+done
+=============================================================
+
+Note that the failure window is quite small and I could only
+reliably reproduce the defect by inserting a small delay
+in pipe_rdwr_open(). For example:
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ msleep(100);
+ mutex_lock(&inode->i_mutex);
+
+Although the defect was observed in pipe_rdwr_open(), I think it
+makes sense to replicate the change through all the pipe_*_open()
+functions.
+
+The core of the change is to verify that inode->i_pipe has not
+been released before attempting to manipulate it. If inode->i_pipe
+is no longer present, return ENOENT to indicate so.
+
+The comment about potentially using atomic_t for i_pipe->readers
+and i_pipe->writers has also been removed because it is no longer
+relevant in this context. The inode->i_mutex lock must be used so
+that inode->i_pipe can be dealt with correctly.
+
+Signed-off-by: Earl Chew <earl_chew@agilent.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/pipe.c | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -742,36 +742,55 @@ pipe_rdwr_release(struct inode *inode, s
+ static int
+ pipe_read_open(struct inode *inode, struct file *filp)
+ {
+- /* We could have perhaps used atomic_t, but this and friends
+- below are the only places. So it doesn't seem worthwhile. */
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->readers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->readers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_write_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- if (filp->f_mode & FMODE_READ)
+- inode->i_pipe->readers++;
+- if (filp->f_mode & FMODE_WRITE)
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ if (filp->f_mode & FMODE_READ)
++ inode->i_pipe->readers++;
++ if (filp->f_mode & FMODE_WRITE)
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ /*
--- /dev/null
+From 5c36fe3d87b3f0c85894a49193c66096a3d6b26f Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 26 Oct 2009 16:49:51 -0700
+Subject: hfsplus: refuse to mount volumes larger than 2TB
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 5c36fe3d87b3f0c85894a49193c66096a3d6b26f upstream.
+
+As found in <http://bugs.debian.org/550010>, hfsplus is using type u32
+rather than sector_t for some sector number calculations.
+
+In particular, hfsplus_get_block() does:
+
+ u32 ablock, dblock, mask;
+...
+ map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask));
+
+I am not confident that I can find and fix all cases where a sector number
+may be truncated. For now, avoid data loss by refusing to mount HFS+
+volumes with more than 2^32 sectors (2TB).
+
+[akpm@linux-foundation.org: fix 32 and 64-bit issues]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Eric Sesterhenn <snakebyte@gmx.de>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfsplus/wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/hfsplus/wrapper.c
++++ b/fs/hfsplus/wrapper.c
+@@ -99,6 +99,10 @@ int hfsplus_read_wrapper(struct super_bl
+
+ if (hfsplus_get_last_session(sb, &part_start, &part_size))
+ return -EINVAL;
++ if ((u64)part_start + part_size > 0x100000000ULL) {
++ pr_err("hfs: volumes larger than 2TB are not supported yet\n");
++ return -EINVAL;
++ }
+ while (1) {
+ bh = sb_bread512(sb, part_start + HFSPLUS_VOLHEAD_SECTOR, vhdr);
+ if (!bh)
--- /dev/null
+From 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 12 Oct 2009 21:35:00 -0700
+Subject: Input: synaptics - add another Protege M300 to rate blacklist
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 upstream.
+
+Apparently some of Toshiba Protege M300 identify themselves as
+"Portable PC" in DMI so we need to add that to the DMI table as
+well. We need DMI data so we can automatically lower Synaptics
+reporting rate from 80 to 40 pps to avoid over-taxing their
+keyboard controllers.
+
+Tested-by: Rod Davison <roddavison@gmail.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -623,6 +623,16 @@ static const struct dmi_system_id toshib
+ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
+ },
++
++ },
++ {
++ .ident = "Toshiba Portege M300",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
++ },
++
+ },
+ { }
+ };
--- /dev/null
+From f4b31db92d163df8a639f5a8c8633bdeb6e8432d Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 16 Oct 2009 13:00:51 +0900
+Subject: libata: fix internal command failure handling
+
+From: Tejun Heo <tj@kernel.org>
+
+commit f4b31db92d163df8a639f5a8c8633bdeb6e8432d upstream.
+
+When an internal command fails, it should be failed directly without
+invoking EH. In the original implemetation, this was accomplished by
+letting internal command bypass failure handling in ata_qc_complete().
+However, later changes added post-successful-completion handling to
+that code path and the success path is no longer adequate as internal
+command failure path. One of the visible problems is that internal
+command failure due to timeout or other freeze conditions would
+spuriously trigger WARN_ON_ONCE() in the success path.
+
+This patch updates failure path such that internal command failure
+handling is contained there.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/libata-core.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4747,12 +4747,14 @@ void ata_qc_complete(struct ata_queued_c
+ qc->flags |= ATA_QCFLAG_FAILED;
+
+ if (unlikely(qc->flags & ATA_QCFLAG_FAILED)) {
+- if (!ata_tag_internal(qc->tag)) {
+- /* always fill result TF for failed qc */
+- fill_result_tf(qc);
++ /* always fill result TF for failed qc */
++ fill_result_tf(qc);
++
++ if (!ata_tag_internal(qc->tag))
+ ata_qc_schedule_eh(qc);
+- return;
+- }
++ else
++ __ata_qc_complete(qc);
++ return;
+ }
+
+ /* read result TF if requested */
--- /dev/null
+From e9024a059f2c17fb2bfab212ee9d31511d7b8e57 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Fri, 30 Oct 2009 17:45:14 +0000
+Subject: libertas if_usb: Fix crash on 64-bit machines
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream.
+
+On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas
+usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting
+crashes. Fix that by using skb->data instead.
+
+This highlights a problem with usb_fill_bulk_urb(). It doesn't notice
+when dma_map_single() fails and return the error to its caller as it
+should. In fact it _can't_ currently return the error, since it returns
+void.
+
+So this problem was showing up only at unmap time, after we'd already
+suffered memory corruption by doing DMA to a bogus address.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/if_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/if_usb.c
++++ b/drivers/net/wireless/libertas/if_usb.c
+@@ -443,7 +443,7 @@ static int __if_usb_submit_rx_urb(struct
+ /* Fill the receive configuration URB and initialise the Rx call back */
+ usb_fill_bulk_urb(cardp->rx_urb, cardp->udev,
+ usb_rcvbulkpipe(cardp->udev, cardp->ep_in),
+- (void *) (skb->tail + (size_t) IPFIELD_ALIGN_OFFSET),
++ skb->data + IPFIELD_ALIGN_OFFSET,
+ MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn,
+ cardp);
+
--- /dev/null
+From ab8a3e14e6f8e567560f664bbd29aefb306a274e Mon Sep 17 00:00:00 2001
+From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Mon, 26 Oct 2009 16:49:58 -0700
+Subject: mbind(): fix leak of never putback pages
+
+From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+
+commit ab8a3e14e6f8e567560f664bbd29aefb306a274e upstream.
+
+If mbind() receives an invalid address, do_mbind leaks a page. The
+following test program detects this leak.
+
+This patch fixes it.
+
+migrate_efault.c
+=======================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+static unsigned long pagesize;
+
+static void* make_hole_mapping(void)
+{
+
+ void* addr;
+
+ addr = mmap(NULL, pagesize*3, PROT_READ|PROT_WRITE,
+ MAP_ANON|MAP_PRIVATE, 0, 0);
+ if (addr == MAP_FAILED)
+ return NULL;
+
+ /* make page populate */
+ memset(addr, 0, pagesize*3);
+
+ /* make memory hole */
+ munmap(addr+pagesize, pagesize);
+
+ return addr;
+}
+
+int main(int argc, char** argv)
+{
+ void* addr;
+ int ch;
+ int node;
+ struct bitmask *nmask = numa_allocate_nodemask();
+ int err;
+ int node_set = 0;
+
+ while ((ch = getopt(argc, argv, "n:")) != -1){
+ switch (ch){
+ case 'n':
+ node = strtol(optarg, NULL, 0);
+ numa_bitmask_setbit(nmask, node);
+ node_set = 1;
+ break;
+ default:
+ ;
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (!node_set)
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ addr = make_hole_mapping();
+
+ err = mbind(addr, pagesize*3, MPOL_BIND, nmask->maskp, nmask->size, MPOL_MF_MOVE_ALL);
+ if (err)
+ perror("mbind ");
+
+ return 0;
+}
+=======================================
+
+Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Christoph Lameter <cl@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mempolicy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -985,7 +985,8 @@ static long do_mbind(unsigned long start
+
+ if (!err && nr_failed && (flags & MPOL_MF_STRICT))
+ err = -EIO;
+- }
++ } else
++ putback_lru_pages(&pagelist);
+
+ up_write(&mm->mmap_sem);
+ mpol_put(new);
--- /dev/null
+From 575c9ed7798218dc923f319c0d78f0c25ca506b9 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Tue, 27 Oct 2009 15:35:55 +0000
+Subject: ray_cs: Fix copy_from_user handling
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit 575c9ed7798218dc923f319c0d78f0c25ca506b9 upstream.
+
+I've not touched the other stuff here but the word "locking" comes to mind.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ray_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -2758,7 +2758,7 @@ static void raycs_write(const char *name
+ static int write_essid(struct file *file, const char __user *buffer, unsigned long count, void *data)
+ {
+ static char proc_essid[33];
+- int len = count;
++ unsigned int len = count;
+
+ if (len > 32)
+ len = 32;
--- /dev/null
+From f61f925859c57f6175082aeeee17743c68558a6e Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Sat, 5 Sep 2009 13:33:23 -0400
+Subject: Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"
+
+From: Len Brown <len.brown@intel.com>
+
+commit f61f925859c57f6175082aeeee17743c68558a6e upstream.
+
+This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=13002
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/scan.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1262,16 +1262,6 @@ acpi_add_single_object(struct acpi_devic
+ acpi_device_set_id(device, parent, handle, type);
+
+ /*
+- * The ACPI device is attached to acpi handle before getting
+- * the power/wakeup/peformance flags. Otherwise OS can't get
+- * the corresponding ACPI device by the acpi handle in the course
+- * of getting the power/wakeup/performance flags.
+- */
+- result = acpi_device_set_context(device, type);
+- if (result)
+- goto end;
+-
+- /*
+ * Power Management
+ * ----------------
+ */
+@@ -1301,6 +1291,8 @@ acpi_add_single_object(struct acpi_devic
+ goto end;
+ }
+
++ if ((result = acpi_device_set_context(device, type)))
++ goto end;
+
+ result = acpi_device_register(device, parent);
+
--- /dev/null
+8250_pci-add-ibm-saturn-serial-card.patch
+b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch
+dpt_i2o-fix-up-copy-user.patch
+dpt_i2o-fix-typo-of-einval.patch
+driver-core-fix-driver_register-return-value.patch
+fs-pipe.c-null-pointer-dereference.patch
+hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch
+input-synaptics-add-another-protege-m300-to-rate-blacklist.patch
+libata-fix-internal-command-failure-handling.patch
+libertas-if_usb-fix-crash-on-64-bit-machines.patch
+mbind-fix-leak-of-never-putback-pages.patch
+ray_cs-fix-copy_from_user-handling.patch
+revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
+tty-mark-generic_serial-users-as-broken.patch
+x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
--- /dev/null
+From 412145947adfca60a4b5b4893fbae82dffa25edd Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Thu, 29 Oct 2009 12:16:22 +0000
+Subject: tty: Mark generic_serial users as BROKEN
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit 412145947adfca60a4b5b4893fbae82dffa25edd upstream.
+
+There isn't much else I can do with these. I can find no hardware for any
+of them and no users. The code is broken.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/m68k/Kconfig | 6 +++---
+ drivers/char/Kconfig | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/m68k/Kconfig
++++ b/arch/m68k/Kconfig
+@@ -572,7 +572,7 @@ config HPAPCI
+
+ config MVME147_SCC
+ bool "SCC support for MVME147 serial ports"
+- depends on MVME147
++ depends on MVME147 && BROKEN
+ help
+ This is the driver for the serial ports on the Motorola MVME147
+ boards. Everyone using one of these boards should say Y here.
+@@ -587,14 +587,14 @@ config SERIAL167
+
+ config MVME162_SCC
+ bool "SCC support for MVME162 serial ports"
+- depends on MVME16x
++ depends on MVME16x && BROKEN
+ help
+ This is the driver for the serial ports on the Motorola MVME162 and
+ 172 boards. Everyone using one of these boards should say Y here.
+
+ config BVME6000_SCC
+ bool "SCC support for BVME6000 serial ports"
+- depends on BVME6000
++ depends on BVME6000 && BROKEN
+ help
+ This is the driver for the serial ports on the BVME4000 and BVME6000
+ boards from BVM Ltd. Everyone using one of these boards should say
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -310,7 +310,7 @@ config SPECIALIX
+
+ config SX
+ tristate "Specialix SX (and SI) card support"
+- depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA)
++ depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA) && BROKEN
+ help
+ This is a driver for the SX and SI multiport serial cards.
+ Please read the file <file:Documentation/sx.txt> for details.
+@@ -321,7 +321,7 @@ config SX
+
+ config RIO
+ tristate "Specialix RIO system support"
+- depends on SERIAL_NONSTANDARD
++ depends on SERIAL_NONSTANDARD && BROKEN
+ help
+ This is a driver for the Specialix RIO, a smart serial card which
+ drives an outboard box that can support up to 128 ports. Product
+@@ -382,7 +382,7 @@ config NOZOMI
+
+ config A2232
+ tristate "Commodore A2232 serial support (EXPERIMENTAL)"
+- depends on EXPERIMENTAL && ZORRO && BROKEN_ON_SMP
++ depends on EXPERIMENTAL && ZORRO && BROKEN
+ ---help---
+ This option supports the 2232 7-port serial card shipped with the
+ Amiga 2000 and other Zorro-bus machines, dating from 1989. At
--- /dev/null
+From 81766741fe1eee3884219e8daaf03f466f2ed52f Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@novell.com>
+Date: Mon, 26 Oct 2009 15:20:29 +0000
+Subject: x86-64: Fix register leak in 32-bit syscall audting
+
+From: Jan Beulich <JBeulich@novell.com>
+
+commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.
+
+Restoring %ebp after the call to audit_syscall_exit() is not
+only unnecessary (because the register didn't get clobbered),
+but in the sysenter case wasn't even doing the right thing: It
+loaded %ebp from a location below the top of stack (RBP <
+ARGOFFSET), i.e. arbitrary kernel data got passed back to user
+mode in the register.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Acked-by: Roland McGrath <roland@redhat.com>
+LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -204,7 +204,7 @@ sysexit_from_sys_call:
+ movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
+ .endm
+
+- .macro auditsys_exit exit,ebpsave=RBP
++ .macro auditsys_exit exit
+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
+ jnz ia32_ret_from_sys_call
+ TRACE_IRQS_ON
+@@ -217,7 +217,6 @@ sysexit_from_sys_call:
+ call audit_syscall_exit
+ GET_THREAD_INFO(%r10)
+ movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
+- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
+ movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
+ cli
+ TRACE_IRQS_OFF
+@@ -351,7 +350,7 @@ cstar_auditsys:
+ jmp cstar_dispatch
+
+ sysretl_audit:
+- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
++ auditsys_exit sysretl_from_sys_call
+ #endif
+
+ cstar_tracesys:
projects / thirdparty / kernel / stable-queue.git / commitdiff
