.31 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Thu, 1 Oct 2009 20:40:24 +0000 (13:40 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 1 Oct 2009 20:40:24 +0000 (13:40 -0700)
16 files changed:
queue-2.6.31/ath5k-do-not-release-irq-across-suspend-resume.patch [new file with mode: 0644]
queue-2.6.31/ath5k-wakeup-fixes.patch [new file with mode: 0644]
queue-2.6.31/fix-null-ptr-regression-in-powernow-k8.patch [new file with mode: 0644]
queue-2.6.31/kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch [new file with mode: 0644]
queue-2.6.31/kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch [new file with mode: 0644]
queue-2.6.31/kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch [new file with mode: 0644]
queue-2.6.31/kvm-protect-update_cr8_intercept-when-running-without-an-apic.patch [new file with mode: 0644]
queue-2.6.31/kvm-vmx-fix-ept-with-wp-bit-change-during-paging.patch [new file with mode: 0644]
queue-2.6.31/netfilter-bridge-refcount-fix.patch [new file with mode: 0644]
queue-2.6.31/netfilter-ebt_ulog-fix-checkentry-return-value.patch [new file with mode: 0644]
queue-2.6.31/netfilter-nf_conntrack-netns-fix-re-reliable-conntrack-event-delivery.patch [new file with mode: 0644]
queue-2.6.31/netfilter-nf_nat-fix-inverted-logic-for-persistent-nat-mappings.patch [new file with mode: 0644]
queue-2.6.31/perf-tools-do-not-complain-if-root-is-owning-perf.data.patch [new file with mode: 0644]
queue-2.6.31/pty_write-don-t-do-a-tty_wakeup-when-the-buffers-are-full.patch [new file with mode: 0644]
queue-2.6.31/revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch [new file with mode: 0644]
queue-2.6.31/series

diff --git a/queue-2.6.31/ath5k-do-not-release-irq-across-suspend-resume.patch b/queue-2.6.31/ath5k-do-not-release-irq-across-suspend-resume.patch
new file mode 100644 (file)
index 0000000..dd29d17
--- /dev/null
@@ -0,0 +1,52 @@
+From 0d0cd72fa1e6bfd419c99478ec70b4877ed0ef86 Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Sat, 4 Jul 2009 12:59:54 -0400
+Subject: ath5k: do not release irq across suspend/resume
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 0d0cd72fa1e6bfd419c99478ec70b4877ed0ef86 upstream.
+
+Paraphrasing Rafael J. Wysocki: "drivers should not release PCI IRQs
+in suspend."  Doing so causes a warning during suspend/resume on some
+platforms.
+
+Cc: Rafael J. Wysocki <rjw@sisk.pl>
+Reported-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath5k/base.c |   11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -666,7 +666,6 @@ ath5k_pci_suspend(struct pci_dev *pdev, 
+       ath5k_led_off(sc);
+-      free_irq(pdev->irq, sc);
+       pci_save_state(pdev);
+       pci_disable_device(pdev);
+       pci_set_power_state(pdev, PCI_D3hot);
+@@ -694,18 +693,8 @@ ath5k_pci_resume(struct pci_dev *pdev)
+        */
+       pci_write_config_byte(pdev, 0x41, 0);
+-      err = request_irq(pdev->irq, ath5k_intr, IRQF_SHARED, "ath", sc);
+-      if (err) {
+-              ATH5K_ERR(sc, "request_irq failed\n");
+-              goto err_no_irq;
+-      }
+-
+       ath5k_led_enable(sc);
+       return 0;
+-
+-err_no_irq:
+-      pci_disable_device(pdev);
+-      return err;
+ }
+ #endif /* CONFIG_PM */
diff --git a/queue-2.6.31/ath5k-wakeup-fixes.patch b/queue-2.6.31/ath5k-wakeup-fixes.patch
new file mode 100644 (file)
index 0000000..eaf2fa2
--- /dev/null
@@ -0,0 +1,303 @@
+From edd7fc7003f31da48d06e215a93ea966a22c2a03 Mon Sep 17 00:00:00 2001
+From: Nick Kossifidis <mick@madwifi-project.org>
+Date: Mon, 10 Aug 2009 03:29:02 +0300
+Subject: ath5k: Wakeup fixes
+
+From: Nick Kossifidis <mick@madwifi-project.org>
+
+commit edd7fc7003f31da48d06e215a93ea966a22c2a03 upstream.
+
+* Don't put chip to full sleep because there are problems during
+   wakeup. Instead hold MAC/Baseband on warm reset state via a new
+   function ath5k_hw_on_hold.
+
+ * Minor cleanups
+
+Signed-off-by: Nick Kossifidis <mickflemm@gmail.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Tested-by: Johannes Stezenbach <js@sig21.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath5k/ath5k.h  |    1 
+ drivers/net/wireless/ath/ath5k/attach.c |    2 
+ drivers/net/wireless/ath/ath5k/base.c   |   44 ++++-----
+ drivers/net/wireless/ath/ath5k/reset.c  |  155 +++++++++++++++++++++++---------
+ 4 files changed, 140 insertions(+), 62 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath5k/ath5k.h
++++ b/drivers/net/wireless/ath/ath5k/ath5k.h
+@@ -1164,6 +1164,7 @@ extern void ath5k_unregister_leds(struct
+ /* Reset Functions */
+ extern int ath5k_hw_nic_wakeup(struct ath5k_hw *ah, int flags, bool initial);
++extern int ath5k_hw_on_hold(struct ath5k_hw *ah);
+ extern int ath5k_hw_reset(struct ath5k_hw *ah, enum nl80211_iftype op_mode, struct ieee80211_channel *channel, bool change_channel);
+ /* Power management functions */
+ extern int ath5k_hw_set_power(struct ath5k_hw *ah, enum ath5k_power_mode mode, bool set_chip, u16 sleep_duration);
+--- a/drivers/net/wireless/ath/ath5k/attach.c
++++ b/drivers/net/wireless/ath/ath5k/attach.c
+@@ -145,7 +145,7 @@ struct ath5k_hw *ath5k_hw_attach(struct 
+               goto err_free;
+       /* Bring device out of sleep and reset it's units */
+-      ret = ath5k_hw_nic_wakeup(ah, CHANNEL_B, true);
++      ret = ath5k_hw_nic_wakeup(ah, 0, true);
+       if (ret)
+               goto err_free;
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -2445,27 +2445,29 @@ ath5k_stop_hw(struct ath5k_softc *sc)
+       ret = ath5k_stop_locked(sc);
+       if (ret == 0 && !test_bit(ATH_STAT_INVALID, sc->status)) {
+               /*
+-               * Set the chip in full sleep mode.  Note that we are
+-               * careful to do this only when bringing the interface
+-               * completely to a stop.  When the chip is in this state
+-               * it must be carefully woken up or references to
+-               * registers in the PCI clock domain may freeze the bus
+-               * (and system).  This varies by chip and is mostly an
+-               * issue with newer parts that go to sleep more quickly.
+-               */
+-              if (sc->ah->ah_mac_srev >= 0x78) {
+-                      /*
+-                       * XXX
+-                       * don't put newer MAC revisions > 7.8 to sleep because
+-                       * of the above mentioned problems
+-                       */
+-                      ATH5K_DBG(sc, ATH5K_DEBUG_RESET, "mac version > 7.8, "
+-                              "not putting device to sleep\n");
+-              } else {
+-                      ATH5K_DBG(sc, ATH5K_DEBUG_RESET,
+-                              "putting device to full sleep\n");
+-                      ath5k_hw_set_power(sc->ah, AR5K_PM_FULL_SLEEP, true, 0);
+-              }
++               * Don't set the card in full sleep mode!
++               *
++               * a) When the device is in this state it must be carefully
++               * woken up or references to registers in the PCI clock
++               * domain may freeze the bus (and system).  This varies
++               * by chip and is mostly an issue with newer parts
++               * (madwifi sources mentioned srev >= 0x78) that go to
++               * sleep more quickly.
++               *
++               * b) On older chips full sleep results a weird behaviour
++               * during wakeup. I tested various cards with srev < 0x78
++               * and they don't wake up after module reload, a second
++               * module reload is needed to bring the card up again.
++               *
++               * Until we figure out what's going on don't enable
++               * full chip reset on any chip (this is what Legacy HAL
++               * and Sam's HAL do anyway). Instead Perform a full reset
++               * on the device (same as initial state after attach) and
++               * leave it idle (keep MAC/BB on warm reset) */
++              ret = ath5k_hw_on_hold(sc->ah);
++
++              ATH5K_DBG(sc, ATH5K_DEBUG_RESET,
++                              "putting device to sleep\n");
+       }
+       ath5k_txbuf_free(sc, sc->bbuf);
+--- a/drivers/net/wireless/ath/ath5k/reset.c
++++ b/drivers/net/wireless/ath/ath5k/reset.c
+@@ -258,29 +258,35 @@ int ath5k_hw_set_power(struct ath5k_hw *
+               if (!set_chip)
+                       goto commit;
+-              /* Preserve sleep duration */
+               data = ath5k_hw_reg_read(ah, AR5K_SLEEP_CTL);
++
++              /* If card is down we 'll get 0xffff... so we
++               * need to clean this up before we write the register
++               */
+               if (data & 0xffc00000)
+                       data = 0;
+               else
+-                      data = data & 0xfffcffff;
++                      /* Preserve sleep duration etc */
++                      data = data & ~AR5K_SLEEP_CTL_SLE;
+-              ath5k_hw_reg_write(ah, data, AR5K_SLEEP_CTL);
++              ath5k_hw_reg_write(ah, data | AR5K_SLEEP_CTL_SLE_WAKE,
++                                                      AR5K_SLEEP_CTL);
+               udelay(15);
+-              for (i = 50; i > 0; i--) {
++              for (i = 200; i > 0; i--) {
+                       /* Check if the chip did wake up */
+                       if ((ath5k_hw_reg_read(ah, AR5K_PCICFG) &
+                                       AR5K_PCICFG_SPWR_DN) == 0)
+                               break;
+                       /* Wait a bit and retry */
+-                      udelay(200);
+-                      ath5k_hw_reg_write(ah, data, AR5K_SLEEP_CTL);
++                      udelay(50);
++                      ath5k_hw_reg_write(ah, data | AR5K_SLEEP_CTL_SLE_WAKE,
++                                                      AR5K_SLEEP_CTL);
+               }
+               /* Fail if the chip didn't wake up */
+-              if (i <= 0)
++              if (i == 0)
+                       return -EIO;
+               break;
+@@ -297,6 +303,64 @@ commit:
+ }
+ /*
++ * Put device on hold
++ *
++ * Put MAC and Baseband on warm reset and
++ * keep that state (don't clean sleep control
++ * register). After this MAC and Baseband are
++ * disabled and a full reset is needed to come
++ * back. This way we save as much power as possible
++ * without puting the card on full sleep.
++ */
++int ath5k_hw_on_hold(struct ath5k_hw *ah)
++{
++      struct pci_dev *pdev = ah->ah_sc->pdev;
++      u32 bus_flags;
++      int ret;
++
++      /* Make sure device is awake */
++      ret = ath5k_hw_set_power(ah, AR5K_PM_AWAKE, true, 0);
++      if (ret) {
++              ATH5K_ERR(ah->ah_sc, "failed to wakeup the MAC Chip\n");
++              return ret;
++      }
++
++      /*
++       * Put chipset on warm reset...
++       *
++       * Note: puting PCI core on warm reset on PCI-E cards
++       * results card to hang and always return 0xffff... so
++       * we ingore that flag for PCI-E cards. On PCI cards
++       * this flag gets cleared after 64 PCI clocks.
++       */
++      bus_flags = (pdev->is_pcie) ? 0 : AR5K_RESET_CTL_PCI;
++
++      if (ah->ah_version == AR5K_AR5210) {
++              ret = ath5k_hw_nic_reset(ah, AR5K_RESET_CTL_PCU |
++                      AR5K_RESET_CTL_MAC | AR5K_RESET_CTL_DMA |
++                      AR5K_RESET_CTL_PHY | AR5K_RESET_CTL_PCI);
++                      mdelay(2);
++      } else {
++              ret = ath5k_hw_nic_reset(ah, AR5K_RESET_CTL_PCU |
++                      AR5K_RESET_CTL_BASEBAND | bus_flags);
++      }
++
++      if (ret) {
++              ATH5K_ERR(ah->ah_sc, "failed to put device on warm reset\n");
++              return -EIO;
++      }
++
++      /* ...wakeup again!*/
++      ret = ath5k_hw_set_power(ah, AR5K_PM_AWAKE, true, 0);
++      if (ret) {
++              ATH5K_ERR(ah->ah_sc, "failed to put device on hold\n");
++              return ret;
++      }
++
++      return ret;
++}
++
++/*
+  * Bring up MAC + PHY Chips and program PLL
+  * TODO: Half/Quarter rate support
+  */
+@@ -319,6 +383,50 @@ int ath5k_hw_nic_wakeup(struct ath5k_hw 
+               return ret;
+       }
++      /*
++       * Put chipset on warm reset...
++       *
++       * Note: puting PCI core on warm reset on PCI-E cards
++       * results card to hang and always return 0xffff... so
++       * we ingore that flag for PCI-E cards. On PCI cards
++       * this flag gets cleared after 64 PCI clocks.
++       */
++      bus_flags = (pdev->is_pcie) ? 0 : AR5K_RESET_CTL_PCI;
++
++      if (ah->ah_version == AR5K_AR5210) {
++              ret = ath5k_hw_nic_reset(ah, AR5K_RESET_CTL_PCU |
++                      AR5K_RESET_CTL_MAC | AR5K_RESET_CTL_DMA |
++                      AR5K_RESET_CTL_PHY | AR5K_RESET_CTL_PCI);
++                      mdelay(2);
++      } else {
++              ret = ath5k_hw_nic_reset(ah, AR5K_RESET_CTL_PCU |
++                      AR5K_RESET_CTL_BASEBAND | bus_flags);
++      }
++
++      if (ret) {
++              ATH5K_ERR(ah->ah_sc, "failed to reset the MAC Chip\n");
++              return -EIO;
++      }
++
++      /* ...wakeup again!...*/
++      ret = ath5k_hw_set_power(ah, AR5K_PM_AWAKE, true, 0);
++      if (ret) {
++              ATH5K_ERR(ah->ah_sc, "failed to resume the MAC Chip\n");
++              return ret;
++      }
++
++      /* ...clear reset control register and pull device out of
++       * warm reset */
++      if (ath5k_hw_nic_reset(ah, 0)) {
++              ATH5K_ERR(ah->ah_sc, "failed to warm reset the MAC Chip\n");
++              return -EIO;
++      }
++
++      /* On initialization skip PLL programming since we don't have
++       * a channel / mode set yet */
++      if (initial)
++              return 0;
++
+       if (ah->ah_version != AR5K_AR5210) {
+               /*
+                * Get channel mode flags
+@@ -384,39 +492,6 @@ int ath5k_hw_nic_wakeup(struct ath5k_hw 
+                                       AR5K_PHY_TURBO);
+       }
+-      /* reseting PCI on PCI-E cards results card to hang
+-       * and always return 0xffff... so we ingore that flag
+-       * for PCI-E cards */
+-      bus_flags = (pdev->is_pcie) ? 0 : AR5K_RESET_CTL_PCI;
+-
+-      /* Reset chipset */
+-      if (ah->ah_version == AR5K_AR5210) {
+-              ret = ath5k_hw_nic_reset(ah, AR5K_RESET_CTL_PCU |
+-                      AR5K_RESET_CTL_MAC | AR5K_RESET_CTL_DMA |
+-                      AR5K_RESET_CTL_PHY | AR5K_RESET_CTL_PCI);
+-                      mdelay(2);
+-      } else {
+-              ret = ath5k_hw_nic_reset(ah, AR5K_RESET_CTL_PCU |
+-                      AR5K_RESET_CTL_BASEBAND | bus_flags);
+-      }
+-      if (ret) {
+-              ATH5K_ERR(ah->ah_sc, "failed to reset the MAC Chip\n");
+-              return -EIO;
+-      }
+-
+-      /* ...wakeup again!*/
+-      ret = ath5k_hw_set_power(ah, AR5K_PM_AWAKE, true, 0);
+-      if (ret) {
+-              ATH5K_ERR(ah->ah_sc, "failed to resume the MAC Chip\n");
+-              return ret;
+-      }
+-
+-      /* ...final warm reset */
+-      if (ath5k_hw_nic_reset(ah, 0)) {
+-              ATH5K_ERR(ah->ah_sc, "failed to warm reset the MAC Chip\n");
+-              return -EIO;
+-      }
+-
+       if (ah->ah_version != AR5K_AR5210) {
+               /* ...update PLL if needed */
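Review bot: The warm-reset sequence in the new `ath5k_hw_on_hold()` (the `bus_flags` computation, the AR5210 / non-AR5210 `ath5k_hw_nic_reset()` calls and the `mdelay(2)`) is a line-for-line copy of the block this patch moves to the top of `ath5k_hw_nic_wakeup()`, including the PCI-E caveat comment. A later change to one copy, for example to the PCI-E handling, can silently miss the other. A small `static` helper in reset.c that performs the reset and returns its status, called from both places with each caller keeping its own `ATH5K_ERR` text, would avoid that. In both copies `mdelay(2);` is indented as if it continued the `ath5k_hw_nic_reset()` argument list and should sit at statement level. Since this queue file presumably mirrors the upstream commit, the cleanup belongs upstream rather than in the backport.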
diff --git a/queue-2.6.31/fix-null-ptr-regression-in-powernow-k8.patch b/queue-2.6.31/fix-null-ptr-regression-in-powernow-k8.patch
new file mode 100644 (file)
index 0000000..f0c6d84
--- /dev/null
@@ -0,0 +1,77 @@
+From f0adb134d8dc9993a9998dc50845ec4f6ff4fadc Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Wed, 16 Sep 2009 11:09:32 -0400
+Subject: [CPUFREQ] Fix NULL ptr regression in powernow-k8
+
+From: Kurt Roeckx <kurt@roeckx.be>
+
+commit f0adb134d8dc9993a9998dc50845ec4f6ff4fadc upstream.
+
+Fixes bugzilla #13780
+
+From: Kurt Roeckx <kurt@roeckx.be>
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/cpufreq/powernow-k8.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
++++ b/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
+@@ -605,9 +605,10 @@ static int check_pst_table(struct powern
+       return 0;
+ }
+-static void invalidate_entry(struct powernow_k8_data *data, unsigned int entry)
++static void invalidate_entry(struct cpufreq_frequency_table *powernow_table,
++              unsigned int entry)
+ {
+-      data->powernow_table[entry].frequency = CPUFREQ_ENTRY_INVALID;
++      powernow_table[entry].frequency = CPUFREQ_ENTRY_INVALID;
+ }
+ static void print_basics(struct powernow_k8_data *data)
+@@ -914,13 +915,13 @@ static int fill_powernow_table_pstate(st
+                                       "bad value %d.\n", i, index);
+                       printk(KERN_ERR PFX "Please report to BIOS "
+                                       "manufacturer\n");
+-                      invalidate_entry(data, i);
++                      invalidate_entry(powernow_table, i);
+                       continue;
+               }
+               rdmsr(MSR_PSTATE_DEF_BASE + index, lo, hi);
+               if (!(hi & HW_PSTATE_VALID_MASK)) {
+                       dprintk("invalid pstate %d, ignoring\n", index);
+-                      invalidate_entry(data, i);
++                      invalidate_entry(powernow_table, i);
+                       continue;
+               }
+@@ -970,7 +971,7 @@ static int fill_powernow_table_fidvid(st
+               /* verify frequency is OK */
+               if ((freq > (MAX_FREQ * 1000)) || (freq < (MIN_FREQ * 1000))) {
+                       dprintk("invalid freq %u kHz, ignoring\n", freq);
+-                      invalidate_entry(data, i);
++                      invalidate_entry(powernow_table, i);
+                       continue;
+               }
+@@ -978,7 +979,7 @@ static int fill_powernow_table_fidvid(st
+                * BIOSs are using "off" to indicate invalid */
+               if (vid == VID_OFF) {
+                       dprintk("invalid vid %u, ignoring\n", vid);
+-                      invalidate_entry(data, i);
++                      invalidate_entry(powernow_table, i);
+                       continue;
+               }
+@@ -1009,7 +1010,7 @@ static int fill_powernow_table_fidvid(st
+                               (unsigned int)
+                               (data->acpi_data.states[i].core_frequency
+                                * 1000));
+-                      invalidate_entry(data, i);
++                      invalidate_entry(powernow_table, i);
+                       continue;
+               }
+       }
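Review bot: Nothing in the new `invalidate_entry()` or at its call sites records why the table must be passed explicitly, and the changelog gives only a bugzilla number. Judging from the subject line, `data->powernow_table` is presumably still NULL while `fill_powernow_table_pstate()` and `fill_powernow_table_fidvid()` run, so a future cleanup could reintroduce the dereference by switching back to `data`. A one-line comment above the helper would pin this, e.g. `/* data->powernow_table may not be assigned yet; always use the caller's local table */`. The callers' bodies lie mostly outside these hunks, so the assignment order should be confirmed there.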
diff --git a/queue-2.6.31/kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch b/queue-2.6.31/kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch
new file mode 100644 (file)
index 0000000..7ad99bf
--- /dev/null
@@ -0,0 +1,38 @@
+From mtosatti@redhat.com  Thu Oct  1 13:01:54 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 17:29:25 -0300
+Subject: KVM: fix cpuid E2BIG handling for extended request types
+To: stable@kernel.org
+Cc: Mark McLoughlin <markmc@redhat.com>, avi@redhat.com
+Message-ID: <1253305768-30438-2-git-send-email-mtosatti@redhat.com>
+
+
+From: Mark McLoughlin <markmc@redhat.com>
+
+(cherry picked from commit cb007648de83cf226d69ec76e1c01848b4e8e49f)
+
+If we run out of cpuid entries for extended request types
+we should return -E2BIG, just like we do for the standard
+request types.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1448,6 +1448,10 @@ static int kvm_dev_ioctl_get_supported_c
+       for (func = 0x80000001; func <= limit && nent < cpuid->nent; ++func)
+               do_cpuid_ent(&cpuid_entries[nent], func, 0,
+                            &nent, cpuid->nent);
++      r = -E2BIG;
++      if (nent >= cpuid->nent)
++              goto out_free;
++
+       r = -EFAULT;
+       if (copy_to_user(entries, cpuid_entries,
+                        nent * sizeof(struct kvm_cpuid_entry2)))
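Review bot: The added `-E2BIG` check compares `nent` with `cpuid->nent`, a count that comes from userspace, and the same count bounds the `copy_to_user()` length `nent * sizeof(struct kvm_cpuid_entry2)` in the following context lines, yet no upper limit on `cpuid->nent` is visible in this hunk. `kvm_dev_ioctl_get_supported_cpuid()` starts before the hunk, so the limit may already be enforced where `cpuid_entries` is sized. If it is not, an explicit bound against `KVM_MAX_CPUID_ENTRIES` at the top of the function would keep the size arithmetic from being driven by an arbitrary caller value. Separately, `nent >= cpuid->nent` reports `-E2BIG` even when the entries fit exactly. That matches the standard-range handling the changelog refers to, but a short comment saying so would stop it being "corrected" to `>` later.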
diff --git a/queue-2.6.31/kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch b/queue-2.6.31/kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch
new file mode 100644 (file)
index 0000000..e9e04e8
--- /dev/null
@@ -0,0 +1,42 @@
+From mtosatti@redhat.com  Thu Oct  1 13:03:13 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 17:29:27 -0300
+Subject: KVM: MMU: fix bogus alloc_mmu_pages assignment
+To: stable@kernel.org
+Cc: Marcelo Tosatti <mtosatti@redhat.com>, avi@redhat.com
+Message-ID: <1253305768-30438-4-git-send-email-mtosatti@redhat.com>
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit b90c062c65cc8839edfac39778a37a55ca9bda36)
+
+Remove the bogus n_free_mmu_pages assignment from alloc_mmu_pages.
+
+It breaks accounting of mmu pages, since n_free_mmu_pages is modified
+but the real number of pages remains the same.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/mmu.c |    8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2713,14 +2713,6 @@ static int alloc_mmu_pages(struct kvm_vc
+       ASSERT(vcpu);
+-      spin_lock(&vcpu->kvm->mmu_lock);
+-      if (vcpu->kvm->arch.n_requested_mmu_pages)
+-              vcpu->kvm->arch.n_free_mmu_pages =
+-                                      vcpu->kvm->arch.n_requested_mmu_pages;
+-      else
+-              vcpu->kvm->arch.n_free_mmu_pages =
+-                                      vcpu->kvm->arch.n_alloc_mmu_pages;
+-      spin_unlock(&vcpu->kvm->mmu_lock);
+       /*
+        * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
+        * Therefore we need to allocate shadow page tables in the first
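Review bot: The removed lines in this patch include the `spin_lock(&vcpu->kvm->mmu_lock)` / `spin_unlock()` pair, which exists only after kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch from this same commit has been applied. The two files appear here in alphabetical order, which is the reverse of the order in which they apply, and the `series` hunk is not within view. Confirm that `series` lists the locking patch first; otherwise this hunk will not apply to `alloc_mmu_pages()`. With both applied the locked assignment block is gone entirely, so the locking patch matters only for keeping the queue in step with upstream history.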
diff --git a/queue-2.6.31/kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch b/queue-2.6.31/kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch
new file mode 100644 (file)
index 0000000..feff799
--- /dev/null
@@ -0,0 +1,43 @@
+From mtosatti@redhat.com  Thu Oct  1 13:02:49 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 17:29:26 -0300
+Subject: KVM: MMU: fix missing locking in alloc_mmu_pages
+To: stable@kernel.org
+Cc: Marcelo Tosatti <mtosatti@redhat.com>, avi@redhat.com
+Message-ID: <1253305768-30438-3-git-send-email-mtosatti@redhat.com>
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit 6a1ac77110ee3e8d8dfdef8442f3b30b3d83e6a2)
+
+n_requested_mmu_pages/n_free_mmu_pages are used by
+kvm_mmu_change_mmu_pages to calculate the number of pages to zap.
+
+alloc_mmu_pages, called from the vcpu initialization path, modifies this
+variables without proper locking, which can result in a negative value
+in kvm_mmu_change_mmu_pages (say, with cpu hotplug).
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/mmu.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2713,12 +2713,14 @@ static int alloc_mmu_pages(struct kvm_vc
+       ASSERT(vcpu);
++      spin_lock(&vcpu->kvm->mmu_lock);
+       if (vcpu->kvm->arch.n_requested_mmu_pages)
+               vcpu->kvm->arch.n_free_mmu_pages =
+                                       vcpu->kvm->arch.n_requested_mmu_pages;
+       else
+               vcpu->kvm->arch.n_free_mmu_pages =
+                                       vcpu->kvm->arch.n_alloc_mmu_pages;
++      spin_unlock(&vcpu->kvm->mmu_lock);
+       /*
+        * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
+        * Therefore we need to allocate shadow page tables in the first
diff --git a/queue-2.6.31/kvm-protect-update_cr8_intercept-when-running-without-an-apic.patch b/queue-2.6.31/kvm-protect-update_cr8_intercept-when-running-without-an-apic.patch
new file mode 100644 (file)
index 0000000..d643340
--- /dev/null
@@ -0,0 +1,35 @@
+From mtosatti@redhat.com  Thu Oct  1 13:03:34 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Fri, 18 Sep 2009 17:29:28 -0300
+Subject: KVM: Protect update_cr8_intercept() when running without an apic
+To: stable@kernel.org
+Cc: Avi Kivity <avi@redhat.com>
+Message-ID: <1253305768-30438-5-git-send-email-mtosatti@redhat.com>
+
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit 88c808fd42b53a7e01a2ac3253ef31fef74cb5af)
+
+update_cr8_intercept() can be triggered from userspace while there
+is no apic present.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Cc: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3202,6 +3202,9 @@ static void update_cr8_intercept(struct 
+       if (!kvm_x86_ops->update_cr8_intercept)
+               return;
++      if (!vcpu->arch.apic)
++              return;
++
+       if (!vcpu->arch.apic->vapic_addr)
+               max_irr = kvm_lapic_find_highest_irr(vcpu);
+       else
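Review bot: The new `if (!vcpu->arch.apic) return;` guard has no comment, so the reason for it is easy to lose in a later cleanup. Per the changelog the function can be triggered from userspace with no apic present, and the very next statement dereferences `vcpu->arch.apic->vapic_addr`. Suggest a comment on the guard such as `/* can be reached from userspace with no apic present; nothing to update */`. `update_cr8_intercept()` starts and ends outside this hunk, so whether `kvm_lapic_find_highest_irr()` and the code further down handle a missing apic on their own cannot be judged from here.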
diff --git a/queue-2.6.31/kvm-vmx-fix-ept-with-wp-bit-change-during-paging.patch b/queue-2.6.31/kvm-vmx-fix-ept-with-wp-bit-change-during-paging.patch
new file mode 100644 (file)
index 0000000..ac7318c
--- /dev/null
@@ -0,0 +1,45 @@
+From sheng@linux.intel.com  Thu Oct  1 12:59:22 2009
+From: Sheng Yang <sheng@linux.intel.com>
+Date: Thu, 17 Sep 2009 10:42:04 +0800
+Subject: KVM: VMX: Fix EPT with WP bit change during paging
+To: Greg KH <greg@kroah.com>
+Cc: Avi Kivity <avi@redhat.com>, Sheng Yang <sheng@linux.intel.com>, stable@kernel.org
+Message-ID: <1253155324-30842-1-git-send-email-sheng@linux.intel.com>
+
+From: Sheng Yang <sheng@linux.intel.com>
+
+commit 95eb84a7588d7d7afd3096807efc052adc7479e1 upstream
+
+QNX update WP bit when paging enabled, which is not covered yet. This one
+fix QNX boot with EPT.
+
+Signed-off-by: Sheng Yang <sheng@linux.intel.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1572,7 +1572,6 @@ static void ept_update_paging_mode_cr0(unsigned long *hw_cr0,
+               vcpu->arch.cr0 = cr0;
+               vmx_set_cr4(vcpu, vcpu->arch.cr4);
+               *hw_cr0 |= X86_CR0_PE | X86_CR0_PG;
+-              *hw_cr0 &= ~X86_CR0_WP;
+       } else if (!is_paging(vcpu)) {
+               /* From nonpaging to paging */
+               vmcs_write32(CPU_BASED_VM_EXEC_CONTROL,
+@@ -1581,9 +1580,10 @@ static void ept_update_paging_mode_cr0(unsigned long *hw_cr0,
+                              CPU_BASED_CR3_STORE_EXITING));
+               vcpu->arch.cr0 = cr0;
+               vmx_set_cr4(vcpu, vcpu->arch.cr4);
+-              if (!(vcpu->arch.cr0 & X86_CR0_WP))
+-                      *hw_cr0 &= ~X86_CR0_WP;
+       }
++
++      if (!(cr0 & X86_CR0_WP))
++              *hw_cr0 &= ~X86_CR0_WP;
+ }
+ static void ept_update_paging_mode_cr4(unsigned long *hw_cr4,
+-- 
+1.5.4.5
+
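Review bot: The relocated block `if (!(cr0 & X86_CR0_WP)) *hw_cr0 &= ~X86_CR0_WP;` only ever clears WP, so it is correct only if the caller always enters `ept_update_paging_mode_cr0()` with WP already set in `*hw_cr0`. That is not visible in these hunks and should be stated. The move also changes the first branch, whose condition lies outside the hunk: it used to clear WP unconditionally and now keeps it whenever the guest's `cr0` has WP set, while the changelog mentions only the paging-enabled case. A comment above the block, e.g. `/* mirror guest CR0.WP on every CR0 update, not only on paging transitions; assumes WP is set in *hw_cr0 on entry */`, would record both points.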
diff --git a/queue-2.6.31/netfilter-bridge-refcount-fix.patch b/queue-2.6.31/netfilter-bridge-refcount-fix.patch
new file mode 100644 (file)
index 0000000..f9734bb
--- /dev/null
@@ -0,0 +1,42 @@
+From kaber@trash.net  Thu Oct  1 13:35:28 2009
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 17 Sep 2009 13:58:29 +0200 (MEST)
+Subject: netfilter: bridge: refcount fix
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20090917115827.12728.41214.sendpatchset@x2.localnet>
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: bridge: refcount fix
+
+Upstream commit f3abc9b9:
+
+commit f216f082b2b37c4943f1e7c393e2786648d48f6f
+([NETFILTER]: bridge netfilter: deal with martians correctly)
+added a refcount leak on in_dev.
+
+Instead of using in_dev_get(), we can use __in_dev_get_rcu(),
+as netfilter hooks are running under rcu_read_lock(), as pointed
+by Patrick.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br_netfilter.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -359,7 +359,7 @@ static int br_nf_pre_routing_finish(stru
+                               },
+                               .proto = 0,
+                       };
+-                      struct in_device *in_dev = in_dev_get(dev);
++                      struct in_device *in_dev = __in_dev_get_rcu(dev);
+                       /* If err equals -EHOSTUNREACH the error is due to a
+                        * martian destination or due to the fact that
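Review bot: `__in_dev_get_rcu(dev)` takes no reference, so `in_dev` is valid only while the caller is inside an RCU read-side section, and that precondition is stated in the changelog but not in the code. A comment on the declaration, e.g. `/* no refcount taken: netfilter hooks run under rcu_read_lock() */`, would keep someone from later storing the pointer or adding an `in_dev_put()`. The uses of `in_dev` follow the hunk, so confirm there that a NULL return is handled and that no `in_dev_put()` remains. `br_nf_pre_routing_finish()` extends beyond the hunk on both sides.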
diff --git a/queue-2.6.31/netfilter-ebt_ulog-fix-checkentry-return-value.patch b/queue-2.6.31/netfilter-ebt_ulog-fix-checkentry-return-value.patch
new file mode 100644 (file)
index 0000000..4749147
--- /dev/null
@@ -0,0 +1,37 @@
+From kaber@trash.net  Thu Oct  1 13:36:34 2009
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 17 Sep 2009 13:58:30 +0200 (MEST)
+Subject: netfilter: ebt_ulog: fix checkentry return value
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20090917115828.12728.63548.sendpatchset@x2.localnet>
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: ebt_ulog: fix checkentry return value
+
+Upstream commit 8a56df0a:
+
+Commit 19eda87 (netfilter: change return types of check functions for
+Ebtables extensions) broke the ebtables ulog module by missing a return
+value conversion.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/netfilter/ebt_ulog.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebt_ulog.c
++++ b/net/bridge/netfilter/ebt_ulog.c
+@@ -266,7 +266,7 @@ static bool ebt_ulog_tg_check(const stru
+       if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
+               uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
+-      return 0;
++      return true;
+ }
+ static struct xt_target ebt_ulog_tg_reg __read_mostly = {
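Review bot: Only the success path of `ebt_ulog_tg_check()` is corrected here; the earlier return statements of the function are outside the hunk and need the same audit. With a `bool` return type, a leftover negative errno such as `return -EINVAL;` would convert to `true` and accept an entry the check meant to reject, so every failure path should read `return false;`. If that audit has already been done upstream, a sentence in the changelog saying so would help stable reviewers.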
diff --git a/queue-2.6.31/netfilter-nf_conntrack-netns-fix-re-reliable-conntrack-event-delivery.patch b/queue-2.6.31/netfilter-nf_conntrack-netns-fix-re-reliable-conntrack-event-delivery.patch
new file mode 100644 (file)
index 0000000..ebd81b7
--- /dev/null
@@ -0,0 +1,54 @@
+From kaber@trash.net  Thu Oct  1 13:34:13 2009
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 17 Sep 2009 13:58:28 +0200 (MEST)
+Subject: netfilter: nf_conntrack: netns fix re reliable conntrack event delivery
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20090917115825.12728.69202.sendpatchset@x2.localnet>
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: nf_conntrack: netns fix re reliable conntrack event delivery
+
+Upstream commit ee254fa4:
+
+Conntracks in netns other than init_net dying list were never killed.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_core.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1089,14 +1089,14 @@ void nf_conntrack_flush_report(struct ne
+ }
+ EXPORT_SYMBOL_GPL(nf_conntrack_flush_report);
+-static void nf_ct_release_dying_list(void)
++static void nf_ct_release_dying_list(struct net *net)
+ {
+       struct nf_conntrack_tuple_hash *h;
+       struct nf_conn *ct;
+       struct hlist_nulls_node *n;
+       spin_lock_bh(&nf_conntrack_lock);
+-      hlist_nulls_for_each_entry(h, n, &init_net.ct.dying, hnnode) {
++      hlist_nulls_for_each_entry(h, n, &net->ct.dying, hnnode) {
+               ct = nf_ct_tuplehash_to_ctrack(h);
+               /* never fails to remove them, no listeners at this point */
+               nf_ct_kill(ct);
+@@ -1115,7 +1115,7 @@ static void nf_conntrack_cleanup_net(str
+ {
+  i_see_dead_people:
+       nf_ct_iterate_cleanup(net, kill_all, NULL);
+-      nf_ct_release_dying_list();
++      nf_ct_release_dying_list(net);
+       if (atomic_read(&net->ct.count) != 0) {
+               schedule();
+               goto i_see_dead_people;
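Review bot: The retry loop in nf_conntrack_cleanup_net (second nested hunk) has no bound and no diagnostic: it jumps back to `i_see_dead_people` for as long as `net->ct.count` is non-zero. The bug fixed here left entries on a non-init namespace's dying list, and any later reference leak would presumably stall namespace teardown silently in the same place. I would add a comment above the label, for example `/* repeats until every conntrack in this netns is freed; a leaked reference stalls netns teardown here */`, and consider a rate-limited warning after repeated passes. Both function bodies continue outside the hunk, so what follows the loop is not visible here.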
diff --git a/queue-2.6.31/netfilter-nf_nat-fix-inverted-logic-for-persistent-nat-mappings.patch b/queue-2.6.31/netfilter-nf_nat-fix-inverted-logic-for-persistent-nat-mappings.patch
new file mode 100644 (file)
index 0000000..8dea1d5
--- /dev/null
@@ -0,0 +1,46 @@
+From kaber@trash.net  Thu Oct  1 13:33:05 2009
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 17 Sep 2009 13:58:26 +0200 (MEST)
+Subject: netfilter: nf_nat: fix inverted logic for persistent NAT mappings
+To: stable@kernel.org
+Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Message-ID: <20090917115824.12728.59451.sendpatchset@x2.localnet>
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: nf_nat: fix inverted logic for persistent NAT mappings
+
+Upstream commit cce5a5c3:
+
+Kernel 2.6.30 introduced a patch [1] for the persistent option in the
+netfilter SNAT target. This is exactly what we need here so I had a quick look
+at the code and noticed that the patch is wrong. The logic is simply inverted.
+The patch below fixes this.
+
+Also note that because of this the default behavior of the SNAT target has
+changed since kernel 2.6.30 as it now ignores the destination IP in choosing
+the source IP for nating (which should only be the case if the persistent
+option is set).
+
+[1] http://git.eu.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=98d500d66cb7940747b424b245fc6a51ecfbf005
+
+Signed-off-by: Maximilian Engelhardt <maxi@daemonizer.de>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/nf_nat_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/nf_nat_core.c
++++ b/net/ipv4/netfilter/nf_nat_core.c
+@@ -212,7 +212,7 @@ find_best_ips_proto(struct nf_conntrack_
+       maxip = ntohl(range->max_ip);
+       j = jhash_2words((__force u32)tuple->src.u3.ip,
+                        range->flags & IP_NAT_RANGE_PERSISTENT ?
+-                              (__force u32)tuple->dst.u3.ip : 0, 0);
++                              0 : (__force u32)tuple->dst.u3.ip, 0);
+       j = ((u64)j * (maxip - minip + 1)) >> 32;
+       *var_ipp = htonl(minip + j);
+ }
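Review bot: The corrected ternary inside the `jhash_2words()` call in find_best_ips_proto still has no comment saying which operand belongs to the persistent case. An unparenthesised `range->flags & IP_NAT_RANGE_PERSISTENT ?` split across two lines is easy to misread, and the commit message reports that the operands were the wrong way round. I would parenthesise the test as `(range->flags & IP_NAT_RANGE_PERSISTENT) ?` and add `/* persistent: hash on the source address only, so a client keeps one mapping for every destination */` above the call. The function starts outside the hunk, so the types of `minip` and `maxip` are not visible here.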
diff --git a/queue-2.6.31/perf-tools-do-not-complain-if-root-is-owning-perf.data.patch b/queue-2.6.31/perf-tools-do-not-complain-if-root-is-owning-perf.data.patch
new file mode 100644 (file)
index 0000000..af54f9a
--- /dev/null
@@ -0,0 +1,60 @@
+From pierre.habouzit@intersec.com  Thu Oct  1 13:30:38 2009
+From: Pierre Habouzit <pierre.habouzit@intersec.com>
+Date: Thu, 17 Sep 2009 09:47:09 +0200
+Subject: perf tools: do not complain if root is owning perf.data
+To: Greg KH <greg@kroah.com>
+Cc: Ingo Molnar <mingo@elte.hu>, Paul Mackerras <paulus@samba.org>, Peter Zijlstra <a.p.zijlstra@chello.nl>, stable@kernel.org
+Message-ID: <20090917074708.GE22131@laphroaig.corp>
+Content-Disposition: inline
+
+From: Pierre Habouzit <pierre.habouzit@intersec.com>
+
+commit 119e7a22bb70d84849384e5113792cd45afa4f85 upstream.
+
+This improves patch fa6963b24 so that perf.data stuff that has
+been dumped as root can be read (annotate/report) by a user
+without the use of the --force.
+
+Rationale is that root has plenty of ways to screw us (usually)
+that do not require twisted schemes involving specially
+crafting a perf.data.
+
+Signed-off-by: Pierre Habouzit <pierre.habouzit@intersec.com>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+LKML-Reference: <20090827075902.GF19653@laphroaig.corp>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ tools/perf/builtin-annotate.c |    4 ++--
+ tools/perf/builtin-report.c   |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/perf/builtin-annotate.c
++++ b/tools/perf/builtin-annotate.c
+@@ -1335,8 +1335,8 @@ static int __cmd_annotate(void)
+               exit(-1);
+       }
+-      if (!force && (stat.st_uid != geteuid())) {
+-              fprintf(stderr, "file: %s not owned by current user\n", input_name);
++      if (!force && stat.st_uid && (stat.st_uid != geteuid())) {
++              fprintf(stderr, "file: %s not owned by current user or root\n", input_name);
+               exit(-1);
+       }
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -1857,8 +1857,8 @@ static int __cmd_report(void)
+               exit(-1);
+       }
+-      if (!force && (stat.st_uid != geteuid())) {
+-              fprintf(stderr, "file: %s not owned by current user\n", input_name);
++      if (!force && stat.st_uid && (stat.st_uid != geteuid())) {
++              fprintf(stderr, "file: %s not owned by current user or root\n", input_name);
+               exit(-1);
+       }
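Review bot: The relaxed test in __cmd_annotate trusts `st_uid` alone, so a root-owned perf.data that is group- or world-writable now passes without --force even though a non-root user could have changed its contents. The commit's rationale (root can already harm the user) only holds when root is the only writer, so I would also refuse on `stat.st_mode & (S_IWGRP | S_IWOTH)` unless `force` is set, with a message that names the permission problem. The same condition and message are duplicated in __cmd_report in builtin-report.c; a shared helper would keep the two from drifting. Whether `stat` was filled from the already-open descriptor or from the path is not visible in either hunk, and both function bodies extend outside them.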
diff --git a/queue-2.6.31/pty_write-don-t-do-a-tty_wakeup-when-the-buffers-are-full.patch b/queue-2.6.31/pty_write-don-t-do-a-tty_wakeup-when-the-buffers-are-full.patch
new file mode 100644 (file)
index 0000000..381a932
--- /dev/null
@@ -0,0 +1,51 @@
+From 202c4675c55ddf6b443c7e057d2dff6b42ef71aa Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 18 Sep 2009 07:05:58 -0700
+Subject: pty_write: don't do a tty_wakeup() when the buffers are full
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 202c4675c55ddf6b443c7e057d2dff6b42ef71aa upstream.
+
+Commit ac89a9174 ("pty: don't limit the writes to 'pty_space()' inside
+'pty_write()'") removed the pty_space() checking, in order to let the
+regular tty buffer code limit the buffering itself.
+
+That was all good, but as a subtle side effect it meant that we'd be
+doing a tty_wakeup() even in the case where the buffers were all filled
+up, and didn't actually make any progress on the write.
+
+Which sounds innocuous, but it interacts very badly with the ppp_async
+code, which has an infinite loop in ppp_async_push() that tries to push
+out data to the tty.  When we call tty_wakeup(), that loop ends up
+thinking that progress was made (see the subtle interactions between
+XMIT_WAKEUP and 'tty_stuffed' for details).  End result: one unhappy ppp
+user.
+
+Fixed by noticing when tty_insert_flip_string() didn't actually do
+anything, and then not doing any more processing (including, very much
+not calling tty_wakeup()).
+
+Bisected-and-tested-by: Peter Volkov <pva@gentoo.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/pty.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/pty.c
++++ b/drivers/char/pty.c
+@@ -120,8 +120,10 @@ static int pty_write(struct tty_struct *
+               /* Stuff the data into the input queue of the other end */
+               c = tty_insert_flip_string(to, buf, c);
+               /* And shovel */
+-              tty_flip_buffer_push(to);
+-              tty_wakeup(tty);
++              if (c) {
++                      tty_flip_buffer_push(to);
++                      tty_wakeup(tty);
++              }
+       }
+       return c;
+ }
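Review bot: The new `if (c)` guard in pty_write has no comment explaining why the push and wakeup are skipped, and the remaining `/* And shovel */` no longer describes the conditional code beneath it. The reason is only in the commit message: a wakeup with no progress makes the loop in ppp_async_push() believe data was sent. I would replace the comment with `/* Only push and wake the writer if something was queued; a wakeup without progress makes ppp_async_push() spin */`. Writing the test as `if (c > 0)` would also make the intent explicit should tty_insert_flip_string() ever return a negative value. The function starts outside the hunk.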
diff --git a/queue-2.6.31/revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch b/queue-2.6.31/revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch
new file mode 100644 (file)
index 0000000..62844fa
--- /dev/null
@@ -0,0 +1,50 @@
+From mtosatti@redhat.com  Thu Oct  1 13:04:29 2009
+From: Marcelo Tosatti <mtosatti@redhat.com>
+Date: Mon, 28 Sep 2009 15:09:55 -0300
+Subject: Revert "KVM: x86: check for cr3 validity in ioctl_set_sregs"
+To: stable@kernel.org, avi@redhat.com
+Cc: Juan Quintela <quintela@redhat.com>
+Message-ID: <20090928180955.GB9603@amt.cnet>
+Content-Disposition: inline
+
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit dc7e795e3dd2a763e5ceaa1615f307e808cf3932)
+
+This reverts commit 6c20e1442bb1c62914bb85b7f4a38973d2a423ba.
+
+To my understanding, it became obsolete with the advent of the more
+robust check in mmu_alloc_roots (89da4ff17f). Moreover, it prevents
+the conceptually safe pattern
+
+ 1. set sregs
+ 2. register mem-slots
+ 3. run vcpu
+
+by setting a sticky triple fault during step 1.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4125,13 +4125,7 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
+       vcpu->arch.cr2 = sregs->cr2;
+       mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;
+-
+-      down_read(&vcpu->kvm->slots_lock);
+-      if (gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT))
+-              vcpu->arch.cr3 = sregs->cr3;
+-      else
+-              set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
+-      up_read(&vcpu->kvm->slots_lock);
++      vcpu->arch.cr3 = sregs->cr3;
+       kvm_set_cr8(vcpu, sregs->cr8);
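Review bot: After this revert, kvm_arch_vcpu_ioctl_set_sregs stores the userspace-supplied `sregs->cr3` into `vcpu->arch.cr3` with no validation at this point. The description says the check in mmu_alloc_roots (89da4ff17f) makes the removed test obsolete, but this page does not show that commit being present in the 2.6.31 tree, so that should be confirmed before the backport is queued. I would also record the dependency in the code, for example `/* cr3 is not checked here: memslots may not be registered yet; mmu_alloc_roots() rejects an invalid root */`. The function continues on both sides of the hunk.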
index 4e33e214f052d96638aab6690de04e6470875450..b2eb8de86360c7e96fcb7804f12aad060a472e6d 100644 (file)
@@ -1,3 +1,4 @@
+kvm-vmx-fix-ept-with-wp-bit-change-during-paging.patch
 pata_amd-do-not-filter-out-valid-modes-in-nv_mode_filter.patch
 p54usb-add-zcomax-xg-705a-usbid.patch
 x86-increase-min_gap-to-include-randomized-stack.patch
@@ -69,3 +70,17 @@ ahci-restore-pci_intx-handling.patch
 pxa-sharpsl_pm-zaurus-c3000-aka-spitz-fix-resume.patch
 net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
 net-make-the-copy-length-in-af_packet-sockopt-handler-unsigned.patch
+pty_write-don-t-do-a-tty_wakeup-when-the-buffers-are-full.patch
+kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch
+kvm-mmu-fix-missing-locking-in-alloc_mmu_pages.patch
+kvm-mmu-fix-bogus-alloc_mmu_pages-assignment.patch
+kvm-protect-update_cr8_intercept-when-running-without-an-apic.patch
+revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch
+fix-null-ptr-regression-in-powernow-k8.patch
+perf-tools-do-not-complain-if-root-is-owning-perf.data.patch
+netfilter-nf_nat-fix-inverted-logic-for-persistent-nat-mappings.patch
+netfilter-nf_conntrack-netns-fix-re-reliable-conntrack-event-delivery.patch
+netfilter-bridge-refcount-fix.patch
+netfilter-ebt_ulog-fix-checkentry-return-value.patch
+ath5k-wakeup-fixes.patch
+ath5k-do-not-release-irq-across-suspend-resume.patch