--- /dev/null
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215950.184976817@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:04 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Benjamin Herrenschmidt <benh@kernel.crashing.org>,
+ Alan Cox <alan@linux.intel.com>,
+ Michael Reed <mreed10@us.ibm.com>
+Subject: [01/30] 8250_pci: add IBM Saturn serial card
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=8250_pci-add-ibm-saturn-serial-card.patch
+Content-Length: 2147
+Lines: 69
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit c68d2b1594548cda7f6dbac6a4d9d30a9b01558c upstream.
+
+The IBM Saturn serial card has only one port. Without that fixup,
+the kernel thinks it has two, which confuses userland setup and
+admin tools as well.
+
+[akpm@linux-foundation.org: fix pci-ids.h layout]
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Alan Cox <alan@linux.intel.com>
+Cc: Michael Reed <mreed10@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/serial/8250_pci.c | 11 +++++++++++
+ include/linux/pci_ids.h | 3 +++
+ 2 files changed, 14 insertions(+)
+
+--- a/drivers/serial/8250_pci.c
++++ b/drivers/serial/8250_pci.c
+@@ -1218,6 +1218,7 @@ enum pci_board_num_t {
+ pbn_exar_XR17C152,
+ pbn_exar_XR17C154,
+ pbn_exar_XR17C158,
++ pbn_exar_ibm_saturn,
+ pbn_pasemi_1682M,
+ };
+
+@@ -1746,6 +1747,13 @@ static struct pciserial_board pci_boards
+ .base_baud = 921600,
+ .uart_offset = 0x200,
+ },
++ [pbn_exar_ibm_saturn] = {
++ .flags = FL_BASE0,
++ .num_ports = 1,
++ .base_baud = 921600,
++ .uart_offset = 0x200,
++ },
++
+ /*
+ * PA Semi PWRficient PA6T-1682M on-chip UART
+ */
+@@ -2217,6 +2225,9 @@ static struct pci_device_id serial_pci_t
+ PCI_SUBVENDOR_ID_CONNECT_TECH,
+ PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_485, 0, 0,
+ pbn_b0_8_1843200_200 },
++ { PCI_VENDOR_ID_EXAR, PCI_DEVICE_ID_EXAR_XR17C152,
++ PCI_VENDOR_ID_IBM, PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT,
++ 0, 0, pbn_exar_ibm_saturn },
+
+ { PCI_VENDOR_ID_SEALEVEL, PCI_DEVICE_ID_SEALEVEL_U530,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -478,6 +478,9 @@
+ #define PCI_DEVICE_ID_IBM_ICOM_V2_ONE_PORT_RVX_ONE_PORT_MDM_PCIE 0x0361
+ #define PCI_DEVICE_ID_IBM_ICOM_FOUR_PORT_MODEL 0x252
+
++#define PCI_SUBVENDOR_ID_IBM 0x1014
++#define PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT 0x03d4
++
+ #define PCI_VENDOR_ID_UNISYS 0x1018
+ #define PCI_DEVICE_ID_UNISYS_DMA_DIRECTOR 0x001C
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215950.309655651@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:05 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Larry Finger <Larry.Finger@lwfinger.net>,
+ "John W. Linville" <linville@tuxdriver.com>
+Subject: [02/30] b43: Fix Bugzilla #14181 and the bug from the previous fix
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch
+Content-Length: 1322
+Lines: 35
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream.
+
+"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
+in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
+radio switch was turned off, it was necessary to unload and reload
+the driver for it to recognize the switch again.
+
+This patch fixes both the original bug in #14181 and the bug introduced by
+the previous patch. It must be stated, however, that if there is a BCM4306/3
+with an rfkill switch (not yet proven), then the driver will need an
+unload/reload cycle to turn the device back on.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43/rfkill.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/rfkill.c
++++ b/drivers/net/wireless/b43/rfkill.c
+@@ -36,7 +36,8 @@ static bool b43_is_hw_radio_enabled(stru
+ & B43_MMIO_RADIO_HWENABLED_HI_MASK))
+ return 1;
+ } else {
+- if (b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
++ if (b43_status(dev) >= B43_STAT_STARTED &&
++ b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO)
+ & B43_MMIO_RADIO_HWENABLED_LO_MASK)
+ return 1;
+ }
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215950.444170520@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:06 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Cox <alan@linux.intel.com>
+Subject: [03/30] dpt_i2o: Fix up copy*user
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=dpt_i2o-fix-up-copy-user.patch
+Content-Length: 680
+Lines: 26
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Alan Cox <alan@linux.intel.com>
+
+commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 upstream.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/dpt_i2o.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/dpt_i2o.c
++++ b/drivers/scsi/dpt_i2o.c
+@@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* p
+ }
+ size = size>>16;
+ size *= 4;
++ if (size > MAX_MESSAGE_SIZE) {
++ rcode = EINVAL;
++ goto cleanup;
++ }
+ /* Copy in the user's I2O command */
+ if (copy_from_user (msg, user_msg, size)) {
+ rcode = -EFAULT;
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215950.565514514@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:07 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>,
+ Alan Cox <alan@linux.intel.com>
+Subject: [04/30] dpt_i2o: Fix typo of EINVAL
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=dpt_i2o-fix-typo-of-einval.patch
+Content-Length: 824
+Lines: 28
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit aefba418bfecd1985a08f50a95bd854a119f0153 upstream.
+
+Commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 ("dpt_i2o: Fix up
+copy*user") had a silly typo: EINVAL should be -EINVAL.
+
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Cc: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/dpt_i2o.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/dpt_i2o.c
++++ b/drivers/scsi/dpt_i2o.c
+@@ -1919,7 +1919,7 @@ static int adpt_i2o_passthru(adpt_hba* p
+ size = size>>16;
+ size *= 4;
+ if (size > MAX_MESSAGE_SIZE) {
+- rcode = EINVAL;
++ rcode = -EINVAL;
+ goto cleanup;
+ }
+ /* Copy in the user's I2O command */
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215950.692406972@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:08 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Stas Sergeev <stsp@aknet.ru>
+Subject: [05/30] Driver core: fix driver_register() return value
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=driver-core-fix-driver_register-return-value.patch
+Content-Length: 1078
+Lines: 31
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Stas Sergeev <stsp@aknet.ru>
+
+commit 39acbc12affcaa23ef1d887ba3d197baca8e6e47 upstream.
+
+In this patch:
+http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16dc42e018c2868211b4928f20a957c0c216126c
+the check was added for another driver to already claim the same device
+on the same bus. But the returned error code was wrong: to modprobe, the
+-EEXIST means that _this_ driver is already installed. It therefore
+doesn't produce the needed error message when _another_ driver is trying
+to register for the same device. Returning -EBUSY fixes the problem.
+
+Signed-off-by: Stas Sergeev <stsp@aknet.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/driver.c
++++ b/drivers/base/driver.c
+@@ -227,7 +227,7 @@ int driver_register(struct device_driver
+ put_driver(other);
+ printk(KERN_ERR "Error: Driver '%s' is already registered, "
+ "aborting...\n", drv->name);
+- return -EEXIST;
++ return -EBUSY;
+ }
+
+ ret = bus_add_driver(drv);
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215950.827974192@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:09 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Earl Chew <earl_chew@agilent.com>
+Subject: [06/30] fs: pipe.c null pointer dereference
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=fs-pipe.c-null-pointer-dereference.patch
+Content-Length: 3550
+Lines: 131
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Earl Chew <earl_chew@agilent.com>
+
+commit ad3960243e55320d74195fb85c975e0a8cc4466c upstream.
+
+This patch fixes a null pointer exception in pipe_rdwr_open() which
+generates the stack trace:
+
+> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
+> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
+> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
+> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
+> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
+> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
+
+The failure mode is triggered by an attempt to open an anonymous
+pipe via /proc/pid/fd/* as exemplified by this script:
+
+=============================================================
+while : ; do
+ { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
+ PID=$!
+ OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
+ { read PID REST ; echo $PID; } )
+ OUT="${OUT%% *}"
+ DELAY=$((RANDOM * 1000 / 32768))
+ usleep $((DELAY * 1000 + RANDOM % 1000 ))
+ echo n > /proc/$OUT/fd/1 # Trigger defect
+done
+=============================================================
+
+Note that the failure window is quite small and I could only
+reliably reproduce the defect by inserting a small delay
+in pipe_rdwr_open(). For example:
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ msleep(100);
+ mutex_lock(&inode->i_mutex);
+
+Although the defect was observed in pipe_rdwr_open(), I think it
+makes sense to replicate the change through all the pipe_*_open()
+functions.
+
+The core of the change is to verify that inode->i_pipe has not
+been released before attempting to manipulate it. If inode->i_pipe
+is no longer present, return ENOENT to indicate so.
+
+The comment about potentially using atomic_t for i_pipe->readers
+and i_pipe->writers has also been removed because it is no longer
+relevant in this context. The inode->i_mutex lock must be used so
+that inode->i_pipe can be dealt with correctly.
+
+Signed-off-by: Earl Chew <earl_chew@agilent.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/pipe.c | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -742,36 +742,55 @@ pipe_rdwr_release(struct inode *inode, s
+ static int
+ pipe_read_open(struct inode *inode, struct file *filp)
+ {
+- /* We could have perhaps used atomic_t, but this and friends
+- below are the only places. So it doesn't seem worthwhile. */
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->readers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->readers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_write_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- if (filp->f_mode & FMODE_READ)
+- inode->i_pipe->readers++;
+- if (filp->f_mode & FMODE_WRITE)
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ if (filp->f_mode & FMODE_READ)
++ inode->i_pipe->readers++;
++ if (filp->f_mode & FMODE_WRITE)
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ /*
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215950.946752422@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:10 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ben Hutchings <ben@decadent.org.uk>,
+ Eric Sesterhenn <snakebyte@gmx.de>,
+ Roman Zippel <zippel@linux-m68k.org>
+Subject: [07/30] hfsplus: refuse to mount volumes larger than 2TB
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch
+Content-Length: 1480
+Lines: 43
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 5c36fe3d87b3f0c85894a49193c66096a3d6b26f upstream.
+
+As found in <http://bugs.debian.org/550010>, hfsplus is using type u32
+rather than sector_t for some sector number calculations.
+
+In particular, hfsplus_get_block() does:
+
+ u32 ablock, dblock, mask;
+...
+ map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask));
+
+I am not confident that I can find and fix all cases where a sector number
+may be truncated. For now, avoid data loss by refusing to mount HFS+
+volumes with more than 2^32 sectors (2TB).
+
+[akpm@linux-foundation.org: fix 32 and 64-bit issues]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Eric Sesterhenn <snakebyte@gmx.de>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfsplus/wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/hfsplus/wrapper.c
++++ b/fs/hfsplus/wrapper.c
+@@ -99,6 +99,10 @@ int hfsplus_read_wrapper(struct super_bl
+
+ if (hfsplus_get_last_session(sb, &part_start, &part_size))
+ return -EINVAL;
++ if ((u64)part_start + part_size > 0x100000000ULL) {
++ pr_err("hfs: volumes larger than 2TB are not supported yet\n");
++ return -EINVAL;
++ }
+ while (1) {
+ bh = sb_bread512(sb, part_start + HFSPLUS_VOLHEAD_SECTOR, vhdr);
+ if (!bh)
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.081519349@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:11 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Dmitry Torokhov <dtor@mail.ru>
+Subject: [08/30] Input: synaptics - add another Protege M300 to rate blacklist
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=input-synaptics-add-another-protege-m300-to-rate-blacklist.patch
+Content-Length: 1080
+Lines: 38
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 upstream.
+
+Apparently some of Toshiba Protege M300 identify themselves as
+"Portable PC" in DMI so we need to add that to the DMI table as
+well. We need DMI data so we can automatically lower Synaptics
+reporting rate from 80 to 40 pps to avoid over-taxing their
+keyboard controllers.
+
+Tested-by: Rod Davison <roddavison@gmail.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -623,6 +623,16 @@ static const struct dmi_system_id toshib
+ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
+ },
++
++ },
++ {
++ .ident = "Toshiba Portege M300",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
++ },
++
+ },
+ { }
+ };
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.213173511@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:12 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Tejun Heo <tj@kernel.org>,
+ Jeff Garzik <jgarzik@redhat.com>
+Subject: [09/30] libata: fix internal command failure handling
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=libata-fix-internal-command-failure-handling.patch
+Content-Length: 1544
+Lines: 47
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Tejun Heo <tj@kernel.org>
+
+commit f4b31db92d163df8a639f5a8c8633bdeb6e8432d upstream.
+
+When an internal command fails, it should be failed directly without
+invoking EH. In the original implemetation, this was accomplished by
+letting internal command bypass failure handling in ata_qc_complete().
+However, later changes added post-successful-completion handling to
+that code path and the success path is no longer adequate as internal
+command failure path. One of the visible problems is that internal
+command failure due to timeout or other freeze conditions would
+spuriously trigger WARN_ON_ONCE() in the success path.
+
+This patch updates failure path such that internal command failure
+handling is contained there.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/libata-core.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4747,12 +4747,14 @@ void ata_qc_complete(struct ata_queued_c
+ qc->flags |= ATA_QCFLAG_FAILED;
+
+ if (unlikely(qc->flags & ATA_QCFLAG_FAILED)) {
+- if (!ata_tag_internal(qc->tag)) {
+- /* always fill result TF for failed qc */
+- fill_result_tf(qc);
++ /* always fill result TF for failed qc */
++ fill_result_tf(qc);
++
++ if (!ata_tag_internal(qc->tag))
+ ata_qc_schedule_eh(qc);
+- return;
+- }
++ else
++ __ata_qc_complete(qc);
++ return;
+ }
+
+ /* read result TF if requested */
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.349463309@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:13 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Woodhouse <David.Woodhouse@intel.com>,
+ "David S. Miller" <davem@davemloft.net>,
+ "John W. Linville" <linville@tuxdriver.com>
+Subject: [10/30] libertas if_usb: Fix crash on 64-bit machines
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=libertas-if_usb-fix-crash-on-64-bit-machines.patch
+Content-Length: 1455
+Lines: 37
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream.
+
+On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas
+usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting
+crashes. Fix that by using skb->data instead.
+
+This highlights a problem with usb_fill_bulk_urb(). It doesn't notice
+when dma_map_single() fails and return the error to its caller as it
+should. In fact it _can't_ currently return the error, since it returns
+void.
+
+So this problem was showing up only at unmap time, after we'd already
+suffered memory corruption by doing DMA to a bogus address.
+
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/if_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/if_usb.c
++++ b/drivers/net/wireless/libertas/if_usb.c
+@@ -443,7 +443,7 @@ static int __if_usb_submit_rx_urb(struct
+ /* Fill the receive configuration URB and initialise the Rx call back */
+ usb_fill_bulk_urb(cardp->rx_urb, cardp->udev,
+ usb_rcvbulkpipe(cardp->udev, cardp->ep_in),
+- (void *) (skb->tail + (size_t) IPFIELD_ALIGN_OFFSET),
++ skb->data + IPFIELD_ALIGN_OFFSET,
+ MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn,
+ cardp);
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.465536726@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:14 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
+ Christoph Lameter <cl@linux-foundation.org>
+Subject: [11/30] mbind(): fix leak of never putback pages
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=mbind-fix-leak-of-never-putback-pages.patch
+Content-Length: 2098
+Lines: 101
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+
+commit ab8a3e14e6f8e567560f664bbd29aefb306a274e upstream.
+
+If mbind() receives an invalid address, do_mbind leaks a page. The
+following test program detects this leak.
+
+This patch fixes it.
+
+migrate_efault.c
+=======================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+static unsigned long pagesize;
+
+static void* make_hole_mapping(void)
+{
+
+ void* addr;
+
+ addr = mmap(NULL, pagesize*3, PROT_READ|PROT_WRITE,
+ MAP_ANON|MAP_PRIVATE, 0, 0);
+ if (addr == MAP_FAILED)
+ return NULL;
+
+ /* make page populate */
+ memset(addr, 0, pagesize*3);
+
+ /* make memory hole */
+ munmap(addr+pagesize, pagesize);
+
+ return addr;
+}
+
+int main(int argc, char** argv)
+{
+ void* addr;
+ int ch;
+ int node;
+ struct bitmask *nmask = numa_allocate_nodemask();
+ int err;
+ int node_set = 0;
+
+ while ((ch = getopt(argc, argv, "n:")) != -1){
+ switch (ch){
+ case 'n':
+ node = strtol(optarg, NULL, 0);
+ numa_bitmask_setbit(nmask, node);
+ node_set = 1;
+ break;
+ default:
+ ;
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (!node_set)
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ addr = make_hole_mapping();
+
+ err = mbind(addr, pagesize*3, MPOL_BIND, nmask->maskp, nmask->size, MPOL_MF_MOVE_ALL);
+ if (err)
+ perror("mbind ");
+
+ return 0;
+}
+=======================================
+
+Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Christoph Lameter <cl@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mempolicy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -985,7 +985,8 @@ static long do_mbind(unsigned long start
+
+ if (!err && nr_failed && (flags & MPOL_MF_STRICT))
+ err = -EIO;
+- }
++ } else
++ putback_lru_pages(&pagelist);
+
+ up_write(&mm->mmap_sem);
+ mpol_put(new);
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.589569188@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:15 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Cox <alan@linux.intel.com>
+Subject: [12/30] ray_cs: Fix copy_from_user handling
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=ray_cs-fix-copy_from_user-handling.patch
+Content-Length: 779
+Lines: 26
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Alan Cox <alan@linux.intel.com>
+
+commit 575c9ed7798218dc923f319c0d78f0c25ca506b9 upstream.
+
+I've not touched the other stuff here but the word "locking" comes to mind.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ray_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -2758,7 +2758,7 @@ static void raycs_write(const char *name
+ static int write_essid(struct file *file, const char __user *buffer, unsigned long count, void *data)
+ {
+ static char proc_essid[33];
+- int len = count;
++ unsigned int len = count;
+
+ if (len > 32)
+ len = 32;
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.713217304@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:16 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Len Brown <len.brown@intel.com>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [13/30] Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch
+Content-Length: 1211
+Lines: 45
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Len Brown <len.brown@intel.com>
+
+commit f61f925859c57f6175082aeeee17743c68558a6e upstream.
+
+This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=13002
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/scan.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1262,16 +1262,6 @@ acpi_add_single_object(struct acpi_devic
+ acpi_device_set_id(device, parent, handle, type);
+
+ /*
+- * The ACPI device is attached to acpi handle before getting
+- * the power/wakeup/peformance flags. Otherwise OS can't get
+- * the corresponding ACPI device by the acpi handle in the course
+- * of getting the power/wakeup/performance flags.
+- */
+- result = acpi_device_set_context(device, type);
+- if (result)
+- goto end;
+-
+- /*
+ * Power Management
+ * ----------------
+ */
+@@ -1301,6 +1291,8 @@ acpi_add_single_object(struct acpi_devic
+ goto end;
+ }
+
++ if ((result = acpi_device_set_context(device, type)))
++ goto end;
+
+ result = acpi_device_register(device, parent);
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:51 2009
+Message-Id: <20091106215951.841486806@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:17 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Cox <alan@linux.intel.com>
+Subject: [14/30] tty: Mark generic_serial users as BROKEN
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=tty-mark-generic_serial-users-as-broken.patch
+Content-Length: 2444
+Lines: 73
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Alan Cox <alan@linux.intel.com>
+
+commit 412145947adfca60a4b5b4893fbae82dffa25edd upstream.
+
+There isn't much else I can do with these. I can find no hardware for any
+of them and no users. The code is broken.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/m68k/Kconfig | 6 +++---
+ drivers/char/Kconfig | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/m68k/Kconfig
++++ b/arch/m68k/Kconfig
+@@ -572,7 +572,7 @@ config HPAPCI
+
+ config MVME147_SCC
+ bool "SCC support for MVME147 serial ports"
+- depends on MVME147
++ depends on MVME147 && BROKEN
+ help
+ This is the driver for the serial ports on the Motorola MVME147
+ boards. Everyone using one of these boards should say Y here.
+@@ -587,14 +587,14 @@ config SERIAL167
+
+ config MVME162_SCC
+ bool "SCC support for MVME162 serial ports"
+- depends on MVME16x
++ depends on MVME16x && BROKEN
+ help
+ This is the driver for the serial ports on the Motorola MVME162 and
+ 172 boards. Everyone using one of these boards should say Y here.
+
+ config BVME6000_SCC
+ bool "SCC support for BVME6000 serial ports"
+- depends on BVME6000
++ depends on BVME6000 && BROKEN
+ help
+ This is the driver for the serial ports on the BVME4000 and BVME6000
+ boards from BVM Ltd. Everyone using one of these boards should say
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -310,7 +310,7 @@ config SPECIALIX
+
+ config SX
+ tristate "Specialix SX (and SI) card support"
+- depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA)
++ depends on SERIAL_NONSTANDARD && (PCI || EISA || ISA) && BROKEN
+ help
+ This is a driver for the SX and SI multiport serial cards.
+ Please read the file <file:Documentation/sx.txt> for details.
+@@ -321,7 +321,7 @@ config SX
+
+ config RIO
+ tristate "Specialix RIO system support"
+- depends on SERIAL_NONSTANDARD
++ depends on SERIAL_NONSTANDARD && BROKEN
+ help
+ This is a driver for the Specialix RIO, a smart serial card which
+ drives an outboard box that can support up to 128 ports. Product
+@@ -382,7 +382,7 @@ config NOZOMI
+
+ config A2232
+ tristate "Commodore A2232 serial support (EXPERIMENTAL)"
+- depends on EXPERIMENTAL && ZORRO && BROKEN_ON_SMP
++ depends on EXPERIMENTAL && ZORRO && BROKEN
+ ---help---
+ This option supports the 2232 7-port serial card shipped with the
+ Amiga 2000 and other Zorro-bus machines, dating from 1989. At
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215951.964924845@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:18 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jan Beulich <jbeulich@novell.com>,
+ Roland McGrath <roland@redhat.com>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [15/30] x86-64: Fix register leak in 32-bit syscall audting
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=x86-64-fix-register-leak-in-32-bit-syscall-audting.patch
+Content-Length: 1651
+Lines: 50
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Jan Beulich <JBeulich@novell.com>
+
+commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.
+
+Restoring %ebp after the call to audit_syscall_exit() is not
+only unnecessary (because the register didn't get clobbered),
+but in the sysenter case wasn't even doing the right thing: It
+loaded %ebp from a location below the top of stack (RBP <
+ARGOFFSET), i.e. arbitrary kernel data got passed back to user
+mode in the register.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Acked-by: Roland McGrath <roland@redhat.com>
+LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -204,7 +204,7 @@ sysexit_from_sys_call:
+ movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
+ .endm
+
+- .macro auditsys_exit exit,ebpsave=RBP
++ .macro auditsys_exit exit
+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
+ jnz ia32_ret_from_sys_call
+ TRACE_IRQS_ON
+@@ -217,7 +217,6 @@ sysexit_from_sys_call:
+ call audit_syscall_exit
+ GET_THREAD_INFO(%r10)
+ movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
+- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
+ movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
+ cli
+ TRACE_IRQS_OFF
+@@ -351,7 +350,7 @@ cstar_auditsys:
+ jmp cstar_dispatch
+
+ sysretl_audit:
+- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
++ auditsys_exit sysretl_from_sys_call
+ #endif
+
+ cstar_tracesys:
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.100901703@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:19 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>,
+ Masanori Yoshida <masanori.yoshida.tv@hitachi.com>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [16/30] AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=af_unix-fix-deadlock-on-connecting-to-shutdown-socket-cve-2009-3621.patch
+Content-Length: 2533
+Lines: 85
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
+
+commit 77238f2b942b38ab4e7f3aced44084493e4a8675 upstream.
+
+I found a deadlock bug in UNIX domain socket, which makes able to DoS
+attack against the local machine by non-root users.
+
+How to reproduce:
+1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
+ namespace(*), and shutdown(2) it.
+ 2. Repeat connect(2)ing to the listening socket from the other sockets
+ until the connection backlog is full-filled.
+ 3. connect(2) takes the CPU forever. If every core is taken, the
+ system hangs.
+
+PoC code: (Run as many times as cores on SMP machines.)
+
+int main(void)
+{
+ int ret;
+ int csd;
+ int lsd;
+ struct sockaddr_un sun;
+
+ /* make an abstruct name address (*) */
+ memset(&sun, 0, sizeof(sun));
+ sun.sun_family = PF_UNIX;
+ sprintf(&sun.sun_path[1], "%d", getpid());
+
+ /* create the listening socket and shutdown */
+ lsd = socket(AF_UNIX, SOCK_STREAM, 0);
+ bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
+ listen(lsd, 1);
+ shutdown(lsd, SHUT_RDWR);
+
+ /* connect loop */
+ alarm(15); /* forcely exit the loop after 15 sec */
+ for (;;) {
+ csd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
+ if (-1 == ret) {
+ perror("connect()");
+ break;
+ }
+ puts("Connection OK");
+ }
+ return 0;
+}
+
+(*) Make sun_path[0] = 0 to use the abstruct namespace.
+ If a file-based socket is used, the system doesn't deadlock because
+ of context switches in the file system layer.
+
+Why this happens:
+ Error checks between unix_socket_connect() and unix_wait_for_peer() are
+ inconsistent. The former calls the latter to wait until the backlog is
+ processed. Despite the latter returns without doing anything when the
+ socket is shutdown, the former doesn't check the shutdown state and
+ just retries calling the latter forever.
+
+Patch:
+ The patch below adds shutdown check into unix_socket_connect(), so
+ connect(2) to the shutdown socket will return -ECONREFUSED.
+
+Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
+Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ net/unix/af_unix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1061,6 +1061,8 @@ restart:
+ err = -ECONNREFUSED;
+ if (other->sk_state != TCP_LISTEN)
+ goto out_unlock;
++ if (other->sk_shutdown & RCV_SHUTDOWN)
++ goto out_unlock;
+
+ if (unix_recvq_full(other)) {
+ err = -EAGAIN;
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.229428650@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:20 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ David Miller <davem@davemloft.net>,
+ Arnaldo Carvalho de Melo <acme@redhat.com>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [17/30] appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903)
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded-cve-2009-2903.patch
+Content-Length: 5719
+Lines: 199
+
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+commit ffcfb8db540ff879c2a85bf7e404954281443414 upstream
+
+appletalk: Fix skb leak when ipddp interface is not loaded
+
+[ backport to 2.6.27 : Chuck Ebbert <cebbert@redhat.com ]
+
+And also do a better job of returning proper NET_{RX,XMIT}_ values.
+
+Based on a patch and suggestions by Mark Smith.
+
+This fixes CVE-2009-2903
+
+Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/appletalk/ipddp.c | 3 --
+ net/appletalk/aarp.c | 16 +++++++++-----
+ net/appletalk/ddp.c | 47 +++++++++++++++++++++---------------------
+ 3 files changed, 36 insertions(+), 30 deletions(-)
+
+--- a/drivers/net/appletalk/ipddp.c
++++ b/drivers/net/appletalk/ipddp.c
+@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk
+ ((struct net_device_stats *) dev->priv)->tx_packets++;
+ ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len;
+
+- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
+- dev_kfree_skb(skb);
++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
+
+ return 0;
+ }
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev
+
+ /* Non ELAP we cannot do. */
+ if (dev->type != ARPHRD_ETHER)
+- return -1;
++ goto free_it;
+
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ATALK);
+@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev
+ if (!a) {
+ /* Whoops slipped... good job it's an unreliable protocol 8) */
+ write_unlock_bh(&aarp_lock);
+- return -1;
++ goto free_it;
+ }
+
+ /* Set up the queue */
+@@ -662,15 +662,21 @@ out_unlock:
+ write_unlock_bh(&aarp_lock);
+
+ /* Tell the ddp layer we have taken over for this frame. */
+- return 0;
++ goto sent;
+
+ sendit:
+ if (skb->sk)
+ skb->priority = skb->sk->sk_priority;
+- dev_queue_xmit(skb);
++ if (dev_queue_xmit(skb))
++ goto drop;
+ sent:
+- return 1;
++ return NET_XMIT_SUCCESS;
++free_it:
++ kfree_skb(skb);
++drop:
++ return NET_XMIT_DROP;
+ }
++EXPORT_SYMBOL(aarp_send_ddp);
+
+ /*
+ * An entry in the aarp unresolved queue has become resolved. Send
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1277,8 +1277,10 @@ static int handle_ip_over_ddp(struct sk_
+ struct net_device_stats *stats;
+
+ /* This needs to be able to handle ipddp"N" devices */
+- if (!dev)
+- return -ENODEV;
++ if (!dev) {
++ kfree_skb(skb);
++ return NET_RX_DROP;
++ }
+
+ skb->protocol = htons(ETH_P_IP);
+ skb_pull(skb, 13);
+@@ -1288,8 +1290,7 @@ static int handle_ip_over_ddp(struct sk_
+ stats = dev->priv;
+ stats->rx_packets++;
+ stats->rx_bytes += skb->len + 13;
+- netif_rx(skb); /* Send the SKB up to a higher place. */
+- return 0;
++ return netif_rx(skb); /* Send the SKB up to a higher place. */
+ }
+ #else
+ /* make it easy for gcc to optimize this test out, i.e. kill the code */
+@@ -1297,9 +1298,8 @@ static int handle_ip_over_ddp(struct sk_
+ #define handle_ip_over_ddp(skb) 0
+ #endif
+
+-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+- struct ddpehdr *ddp, __u16 len_hops,
+- int origlen)
++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
++ struct ddpehdr *ddp, __u16 len_hops, int origlen)
+ {
+ struct atalk_route *rt;
+ struct atalk_addr ta;
+@@ -1366,8 +1366,6 @@ static void atalk_route_packet(struct sk
+ /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
+ struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
+ kfree_skb(skb);
+- if (!nskb)
+- goto out;
+ skb = nskb;
+ } else
+ skb = skb_unshare(skb, GFP_ATOMIC);
+@@ -1376,12 +1374,16 @@ static void atalk_route_packet(struct sk
+ * If the buffer didn't vanish into the lack of space bitbucket we can
+ * send it.
+ */
+- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
+- goto free_it;
+-out:
+- return;
++ if (skb == NULL)
++ goto drop;
++
++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP)
++ return NET_RX_DROP;
++ return NET_XMIT_SUCCESS;
+ free_it:
+ kfree_skb(skb);
++drop:
++ return NET_RX_DROP;
+ }
+
+ /**
+@@ -1455,8 +1457,7 @@ static int atalk_rcv(struct sk_buff *skb
+ /* Not ours, so we route the packet via the correct
+ * AppleTalk iface
+ */
+- atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- goto out;
++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1663,10 +1664,10 @@ static int atalk_sendmsg(struct kiocb *i
+ if (skb2) {
+ loopback = 1;
+ SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
+- if (aarp_send_ddp(dev, skb2,
+- &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb2);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
+ }
+ }
+
+@@ -1696,9 +1697,10 @@ static int atalk_sendmsg(struct kiocb *i
+ usat = &gsat;
+ }
+
+- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
+ }
+ SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
+
+@@ -1877,7 +1879,6 @@ static struct packet_type ppptalk_packet
+ static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B };
+
+ /* Export symbols for use by drivers when AppleTalk is a module */
+-EXPORT_SYMBOL(aarp_send_ddp);
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.357515032@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:21 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jiri Pirko <jpirko@redhat.com>,
+ "David S. Miller" <davem@davemloft.net>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [18/30] netlink: fix typo in initialization (CVE-2009-3612)
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=netlink-fix-typo-in-initialization-cve-2009-3612.patch
+Content-Length: 902
+Lines: 29
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Jiri Pirko <jpirko@redhat.com>
+
+commit ad61df918c44316940404891d5082c63e79c256a upstream.
+
+Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing
+initializations in dumped data") introduced a typo in
+initialization. This patch fixes this.
+
+Signed-off-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/cls_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -337,7 +337,7 @@ static int tcf_fill_node(struct sk_buff
+ tcm = NLMSG_DATA(nlh);
+ tcm->tcm_family = AF_UNSPEC;
+ tcm->tcm__pad1 = 0;
+- tcm->tcm__pad1 = 0;
++ tcm->tcm__pad2 = 0;
+ tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex;
+ tcm->tcm_parent = tp->classid;
+ tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.485583618@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:22 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [19/30] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638)
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-prevent-overflow-in-kvm_get_supported_cpuid-cve-2009-3638.patch
+Content-Length: 775
+Lines: 24
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+commit 6a54435560efdab1a08f429a954df4d6c740bddf upstream.
+
+The number of entries is multiplied by the entry size, which can
+overflow on 32-bit hosts. Bound the entry count instead.
+
+Reported-by: David Wagner <daw@cs.berkeley.edu>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1591,6 +1591,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
+
+ if (cpuid->nent < 1)
+ goto out;
++ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
++ cpuid->nent = KVM_MAX_CPUID_ENTRIES;
+ r = -ENOMEM;
+ cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
+ if (!cpuid_entries)
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.613942748@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:23 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Samuel Ortiz <samuel@sortiz.org>,
+ "David S. Miller" <davem@davemloft.net>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [20/30] irda: Add irda_skb_cb qdisc related padding
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=irda-add-irda_skb_cb-qdisc-related-padding.patch
+Content-Length: 1270
+Lines: 35
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Samuel Ortiz <samuel@sortiz.org>
+
+commit 69c30e1e7492192f882a3fc11888b320fde5206a upstream.
+
+We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit()
+calls. This is some ugly and temporary hack triggered by recent qisc code
+changes.
+Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a
+proper fix before 2.6.29 is released.
+
+Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/irda/irda_device.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/irda/irda_device.h
++++ b/include/net/irda/irda_device.h
+@@ -135,9 +135,11 @@ struct dongle_reg {
+
+ /*
+ * Per-packet information we need to hide inside sk_buff
+- * (must not exceed 48 bytes, check with struct sk_buff)
++ * (must not exceed 48 bytes, check with struct sk_buff)
++ * The default_qdisc_pad field is a temporary hack.
+ */
+ struct irda_skb_cb {
++ unsigned int default_qdisc_pad;
+ magic_t magic; /* Be sure that we can trust the information */
+ __u32 next_speed; /* The Speed to be set *after* this frame */
+ __u16 mtt; /* Minimum turn around time */
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.733588955@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:24 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Terry Loftin <terry.loftin@hp.com>,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [21/30] nfs: Panic when commit fails
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=nfs-panic-when-commit-fails.patch
+Content-Length: 1250
+Lines: 34
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Terry Loftin <terry.loftin@hp.com>
+
+commit a8b40bc7e635831b61c43acc71a86d3a68b2dff0 upstream.
+
+Actually pass the NFS_FILE_SYNC option to the server to avoid a
+Panic in nfs_direct_write_complete() when a commit fails.
+
+At the end of an nfs write, if the nfs commit fails, all the writes
+will be rescheduled. They are supposed to be rescheduled as NFS_FILE_SYNC
+writes, but the rpc_task structure is not completely intialized and so
+the option is not passed. When the rescheduled writes complete, the
+return indicates that they are NFS_UNSTABLE and we try to do another
+commit. This leads to a Panic because the commit data structure pointer
+was set to null in the initial (failed) commit attempt.
+
+Signed-off-by: Terry Loftin <terry.loftin@hp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/direct.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -454,6 +454,7 @@ static void nfs_direct_write_reschedule(
+ };
+ struct rpc_task_setup task_setup_data = {
+ .rpc_client = NFS_CLIENT(inode),
++ .rpc_message = &msg,
+ .callback_ops = &nfs_write_direct_ops,
+ .workqueue = nfsiod_workqueue,
+ .flags = RPC_TASK_ASYNC,
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:52 2009
+Message-Id: <20091106215952.861425234@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:25 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [22/30] NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=nfsv4-fix-a-bug-when-the-server-returns-nfs4err_resource.patch
+Content-Length: 1575
+Lines: 55
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 52567b03ca38b6e556ced450d64dba8d66e23b0e upstream.
+
+RFC 3530 states that when we recieve the error NFS4ERR_RESOURCE, we are not
+supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc
+operations. The problem is that we map that error into EREMOTEIO in the XDR
+layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(),
+and nfs_increment_seqid() don't recognise it.
+
+The fix is to defer the mapping until after the middle layers have
+processed the error.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4proc.c | 11 ++++++++---
+ fs/nfs/nfs4xdr.c | 1 -
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -71,12 +71,17 @@ static int _nfs4_proc_getattr(struct nfs
+ /* Prevent leaks of NFSv4 errors into userland */
+ int nfs4_map_errors(int err)
+ {
+- if (err < -1000) {
++ if (err >= -1000)
++ return err;
++ switch (err) {
++ case -NFS4ERR_RESOURCE:
++ return -EREMOTEIO;
++ default:
+ dprintk("%s could not handle NFSv4 error %d\n",
+ __func__, -err);
+- return -EIO;
++ break;
+ }
+- return err;
++ return -EIO;
+ }
+
+ /*
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4671,7 +4671,6 @@ static struct {
+ { NFS4ERR_SERVERFAULT, -ESERVERFAULT },
+ { NFS4ERR_BADTYPE, -EBADTYPE },
+ { NFS4ERR_LOCKED, -EAGAIN },
+- { NFS4ERR_RESOURCE, -EREMOTEIO },
+ { NFS4ERR_SYMLINK, -ELOOP },
+ { NFS4ERR_OP_ILLEGAL, -EOPNOTSUPP },
+ { NFS4ERR_DEADLOCK, -EDEADLK },
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215952.988107330@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:26 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ben Hutchings <ben@decadent.org.uk>,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [23/30] nfs: Avoid overrun when copying client IP address string
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=nfs-avoid-overrun-when-copying-client-ip-address-string.patch
+Content-Length: 1004
+Lines: 30
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream.
+
+As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
+overrun the source string when copying the client IP address from
+nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since
+these are both treated as null-terminated strings elsewhere, the copy
+should be done with strlcpy() not memcpy().
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -983,7 +983,7 @@ static int nfs4_init_client(struct nfs_c
+ RPC_CLNT_CREATE_DISCRTRY);
+ if (error < 0)
+ goto error;
+- memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
++ strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+
+ error = nfs_idmap_new(clp);
+ if (error < 0) {
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215953.120260379@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:27 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [24/30] NFSv4: Kill nfs4_renewd_prepare_shutdown()
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=nfsv4-kill-nfs4_renewd_prepare_shutdown.patch
+Content-Length: 1305
+Lines: 46
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 3050141bae57984dd660e6861632ccf9b8bca77e upstream.
+
+The NFSv4 renew daemon is shared between all active super blocks that refer
+to a particular NFS server, so it is wrong to be shutting it down in
+nfs4_kill_super every time a super block is destroyed.
+
+This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and
+leaves it up to nfs4_shutdown_client() to also shut down the renew daemon
+by means of the existing call to nfs4_kill_renewd().
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4renewd.c | 6 ------
+ fs/nfs/super.c | 1 -
+ 2 files changed, 7 deletions(-)
+
+--- a/fs/nfs/nfs4renewd.c
++++ b/fs/nfs/nfs4renewd.c
+@@ -125,12 +125,6 @@ nfs4_schedule_state_renewal(struct nfs_c
+ }
+
+ void
+-nfs4_renewd_prepare_shutdown(struct nfs_server *server)
+-{
+- cancel_delayed_work(&server->nfs_client->cl_renewd);
+-}
+-
+-void
+ nfs4_kill_renewd(struct nfs_client *clp)
+ {
+ cancel_delayed_work_sync(&clp->cl_renewd);
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2398,7 +2398,6 @@ static void nfs4_kill_super(struct super
+ nfs_return_all_delegations(sb);
+ kill_anon_super(sb);
+
+- nfs4_renewd_prepare_shutdown(server);
+ nfs_free_server(server);
+ }
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215953.252395742@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:28 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [25/30] NFSv4: Fix a problem whereby a buggy server can oops the kernel
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=nfsv4-fix-a-problem-whereby-a-buggy-server-can-oops-the-kernel.patch
+Content-Length: 2298
+Lines: 70
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit d953126a28f97ec965d23c69fd5795854c048f30 upstream.
+
+We just had a case in which a buggy server occasionally returns the wrong
+attributes during an OPEN call. While the client does catch this sort of
+condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return
+-EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a
+fallback to an ordinary lookup instead of just returning the error.
+
+When the buggy server then returns a regular file for the fallback lookup,
+the VFS allows the open, and bad things start to happen, since the open
+file doesn't have any associated NFSv4 state.
+
+The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and
+secondly to ensure that we are always careful when dereferencing the
+nfs_open_context state pointer.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1025,12 +1025,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry
+ res = NULL;
+ goto out;
+ /* This turned out not to be a regular file */
+- case -EISDIR:
+ case -ENOTDIR:
+ goto no_open;
+ case -ELOOP:
+ if (!(nd->intent.open.flags & O_NOFOLLOW))
+ goto no_open;
++ /* case -EISDIR: */
+ /* case -EINVAL: */
+ default:
+ goto out;
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index df24f67..6917311 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4093,15 +4093,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+ if (request->fl_start < 0 || request->fl_end < 0)
+ return -EINVAL;
+
+- if (IS_GETLK(cmd))
+- return nfs4_proc_getlk(state, F_GETLK, request);
++ if (IS_GETLK(cmd)) {
++ if (state != NULL)
++ return nfs4_proc_getlk(state, F_GETLK, request);
++ return 0;
++ }
+
+ if (!(IS_SETLK(cmd) || IS_SETLKW(cmd)))
+ return -EINVAL;
+
+- if (request->fl_type == F_UNLCK)
+- return nfs4_proc_unlck(state, cmd, request);
++ if (request->fl_type == F_UNLCK) {
++ if (state != NULL)
++ return nfs4_proc_unlck(state, cmd, request);
++ return 0;
++ }
+
++ if (state == NULL)
++ return -ENOLCK;
+ do {
+ status = nfs4_proc_setlk(state, cmd, request);
+ if ((status != -EAGAIN) || IS_SETLK(cmd))
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215953.387043228@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:29 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [26/30] NFSv4: The link() operation should return any delegation on the file
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=nfsv4-the-link-operation-should-return-any-delegation-on-the-file.patch
+Content-Length: 704
+Lines: 25
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 9a3936aac133037f65124fcb2d676a6c201a90a4 upstream.
+
+Otherwise, we have to wait for the server to recall it.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1526,6 +1526,8 @@ nfs_link(struct dentry *old_dentry, stru
+ old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
+ dentry->d_parent->d_name.name, dentry->d_name.name);
+
++ nfs_inode_return_delegation(inode);
++
+ d_drop(dentry);
+ error = NFS_PROTO(dir)->link(inode, dir, &dentry->d_name);
+ if (error == 0) {
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215953.555767894@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:30 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Peter Zijlstra <a.p.zijlstra@chello.nl>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [27/30] printk: robustify printk
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=printk-robustify-printk.patch
+Content-Length: 2615
+Lines: 90
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit b845b517b5e3706a3729f6ea83b88ab85f0725b0 upstream.
+
+Avoid deadlocks against rq->lock and xtime_lock by deferring the klogd
+wakeup by polling from the timer tick.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/kernel.h | 4 ++++
+ kernel/printk.c | 19 +++++++++++++++++--
+ kernel/time/tick-sched.c | 2 +-
+ kernel/timer.c | 1 +
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -200,6 +200,8 @@ extern struct ratelimit_state printk_rat
+ extern int printk_ratelimit(void);
+ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
+ unsigned int interval_msec);
++extern void printk_tick(void);
++extern int printk_needs_cpu(int);
+ #else
+ static inline int vprintk(const char *s, va_list args)
+ __attribute__ ((format (printf, 1, 0)));
+@@ -211,6 +213,8 @@ static inline int printk_ratelimit(void)
+ static inline bool printk_timed_ratelimit(unsigned long *caller_jiffies, \
+ unsigned int interval_msec) \
+ { return false; }
++static inline void printk_tick(void) { }
++static inline int printk_needs_cpu(int) { return 0; }
+ #endif
+
+ extern void asmlinkage __attribute__((format(printf, 1, 2)))
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -977,10 +977,25 @@ int is_console_locked(void)
+ return console_locked;
+ }
+
+-void wake_up_klogd(void)
++static DEFINE_PER_CPU(int, printk_pending);
++
++void printk_tick(void)
+ {
+- if (!oops_in_progress && waitqueue_active(&log_wait))
++ if (__get_cpu_var(printk_pending)) {
++ __get_cpu_var(printk_pending) = 0;
+ wake_up_interruptible(&log_wait);
++ }
++}
++
++int printk_needs_cpu(int cpu)
++{
++ return per_cpu(printk_pending, cpu);
++}
++
++void wake_up_klogd(void)
++{
++ if (waitqueue_active(&log_wait))
++ __get_cpu_var(printk_pending) = 1;
+ }
+
+ /**
+--- a/kernel/timer.c
++++ b/kernel/timer.c
+@@ -978,6 +978,7 @@ void update_process_times(int user_tick)
+ run_local_timers();
+ if (rcu_pending(cpu))
+ rcu_check_callbacks(cpu, user_tick);
++ printk_tick();
+ scheduler_tick();
+ run_posix_cpu_timers(p);
+ }
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -261,7 +261,7 @@ void tick_nohz_stop_sched_tick(int inidl
+ next_jiffies = get_next_timer_interrupt(last_jiffies);
+ delta_jiffies = next_jiffies - last_jiffies;
+
+- if (rcu_needs_cpu(cpu))
++ if (rcu_needs_cpu(cpu) || printk_needs_cpu(cpu))
+ delta_jiffies = 1;
+ /*
+ * Do not stop the tick, if we are only one off
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215953.701406586@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:31 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jiri Bohac <jbohac@suse.cz>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [28/30] bonding: fix a race condition in calls to slave MII ioctls
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=bonding-fix-a-race-condition-in-calls-to-slave-mii-ioctls.patch
+Content-Length: 1434
+Lines: 39
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Jiri Bohac <jbohac@suse.cz>
+
+commit d9d5283228d0c752f199c901fff6e1405dc91bcb upstream.
+
+In mii monitor mode, bond_check_dev_link() calls the the ioctl
+handler of slave devices. It stores the ndo_do_ioctl function
+pointer to a static (!) ioctl variable and later uses it to call the
+handler with the IOCTL macro.
+
+If another thread executes bond_check_dev_link() at the same time
+(even with a different bond, which none of the locks prevent), a
+race condition occurs. If the two racing slaves have different
+drivers, this may result in one driver's ioctl handler being
+called with a pointer to a net_device controlled with a different
+driver, resulting in unpredictable breakage.
+
+Unless I am overlooking something, the "static" must be a
+copy'n'paste error (?).
+
+Signed-off-by: Jiri Bohac <jbohac@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -686,7 +686,7 @@ static int bond_update_speed_duplex(stru
+ */
+ static int bond_check_dev_link(struct bonding *bond, struct net_device *slave_dev, int reporting)
+ {
+- static int (* ioctl)(struct net_device *, struct ifreq *, int);
++ int (* ioctl)(struct net_device *, struct ifreq *, int);
+ struct ifreq ifr;
+ struct mii_ioctl_data *mii;
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:53 2009
+Message-Id: <20091106215953.842686540@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:32 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Joerg Roedel <joerg.roedel@amd.com>
+Subject: [29/30] x86/amd-iommu: Un__init function required on shutdown
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=x86-amd-iommu-un__init-function-required-on-shutdown.patch
+Content-Length: 857
+Lines: 28
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit ca0207114f1708b563f510b7781a360ec5b98359 upstream.
+
+The function iommu_feature_disable is required on system
+shutdown to disable the IOMMU but it is marked as __init.
+This may result in a panic if the memory is reused. This
+patch fixes this bug.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/amd_iommu_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/amd_iommu_init.c
++++ b/arch/x86/kernel/amd_iommu_init.c
+@@ -230,7 +230,7 @@ static void __init iommu_feature_enable(
+ writel(ctrl, iommu->mmio_base + MMIO_CONTROL_OFFSET);
+ }
+
+-static void __init iommu_feature_disable(struct amd_iommu *iommu, u8 bit)
++static void iommu_feature_disable(struct amd_iommu *iommu, u8 bit)
+ {
+ u32 ctrl;
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:54 2009
+Message-Id: <20091106215954.017532651@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:33 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ Greg KH <greg@kroah.com>
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Joerg Roedel <joerg.roedel@amd.com>
+Subject: [30/30] x86/amd-iommu: Workaround for erratum 63
+References: <20091106215603.413650799@mini.kroah.org>
+Content-Disposition: inline; filename=x86-amd-iommu-workaround-for-erratum-63.patch
+Content-Length: 1686
+Lines: 60
+
+2.6.29-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit c5cca146aa03e1f60fb179df65f0dbaf17bc64ed upstream.
+
+There is an erratum for IOMMU hardware which documents
+undefined behavior when forwarding SMI requests from
+peripherals and the DTE of that peripheral has a sysmgt
+value of 01b. This problem caused weird IO_PAGE_FAULTS in my
+case.
+This patch implements the suggested workaround for that
+erratum into the AMD IOMMU driver. The erratum is
+documented with number 63.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/amd_iommu_init.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/arch/x86/kernel/amd_iommu_init.c
++++ b/arch/x86/kernel/amd_iommu_init.c
+@@ -430,6 +430,27 @@ static void set_dev_entry_bit(u16 devid,
+ amd_iommu_dev_table[devid].data[i] |= (1 << _bit);
+ }
+
++static int get_dev_entry_bit(u16 devid, u8 bit)
++{
++ int i = (bit >> 5) & 0x07;
++ int _bit = bit & 0x1f;
++
++ return (amd_iommu_dev_table[devid].data[i] & (1 << _bit)) >> _bit;
++}
++
++
++void amd_iommu_apply_erratum_63(u16 devid)
++{
++ int sysmgt;
++
++ sysmgt = get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT1) |
++ (get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT2) << 1);
++
++ if (sysmgt == 0x01)
++ set_dev_entry_bit(devid, DEV_ENTRY_IW);
++}
++
++
+ /* Writes the specific IOMMU for a device into the rlookup table */
+ static void __init set_iommu_for_device(struct amd_iommu *iommu, u16 devid)
+ {
+@@ -458,6 +479,8 @@ static void __init set_dev_entry_from_ac
+ if (flags & ACPI_DEVFLAG_LINT1)
+ set_dev_entry_bit(devid, DEV_ENTRY_LINT1_PASS);
+
++ amd_iommu_apply_erratum_63(devid);
++
+ set_iommu_for_device(iommu, devid);
+ }
+
+
+
+From gregkh@mini.kroah.org Fri Nov 6 13:59:50 2009
+Message-Id: <20091106215603.413650799@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 06 Nov 2009 13:56:03 -0800
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [00/30] 2.6.27.39-stable review
+Content-Length: 2702
+Lines: 57
+
+This is the start of the stable review cycle for the 2.6.27.39 release.
+There are 30 patches in this series, all will be posted as a response to
+this one. If anyone has any issues with these being applied, please let
+us know. If anyone is a maintainer of the proper subsystem, and wants
+to add a Signed-off-by: line to the patch, please respond with it.
+
+Responses should be made by November 8, 2009, 20:00:00 UTC. Anything
+received after that time might be too late.
+
+The whole patch series can be found in one patch at:
+ kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.27.39-rc1.gz
+and the diffstat can be found below.
+
+
+thanks,
+
+greg k-h
+
+------------
+ Makefile | 2 +-
+ arch/m68k/Kconfig | 6 ++--
+ arch/x86/ia32/ia32entry.S | 5 +--
+ arch/x86/kernel/amd_iommu_init.c | 25 ++++++++++++++++-
+ arch/x86/kvm/x86.c | 2 +
+ drivers/acpi/scan.c | 12 +-------
+ drivers/ata/libata-core.c | 12 +++++---
+ drivers/base/driver.c | 2 +-
+ drivers/char/Kconfig | 6 ++--
+ drivers/input/mouse/synaptics.c | 10 +++++++
+ drivers/net/appletalk/ipddp.c | 3 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/wireless/b43/rfkill.c | 3 +-
+ drivers/net/wireless/libertas/if_usb.c | 2 +-
+ drivers/net/wireless/ray_cs.c | 2 +-
+ drivers/scsi/dpt_i2o.c | 4 +++
+ drivers/serial/8250_pci.c | 11 +++++++
+ fs/hfsplus/wrapper.c | 4 +++
+ fs/nfs/client.c | 2 +-
+ fs/nfs/dir.c | 4 ++-
+ fs/nfs/direct.c | 1 +
+ fs/nfs/nfs4proc.c | 27 +++++++++++++-----
+ fs/nfs/nfs4renewd.c | 6 ----
+ fs/nfs/nfs4xdr.c | 1 -
+ fs/nfs/super.c | 1 -
+ fs/pipe.c | 41 ++++++++++++++++++++-------
+ include/linux/kernel.h | 4 +++
+ include/linux/pci_ids.h | 3 ++
+ include/net/irda/irda_device.h | 4 ++-
+ kernel/printk.c | 19 +++++++++++-
+ kernel/time/tick-sched.c | 2 +-
+ kernel/timer.c | 1 +
+ mm/mempolicy.c | 3 +-
+ net/appletalk/aarp.c | 16 +++++++---
+ net/appletalk/ddp.c | 47 ++++++++++++++++---------------
+ net/sched/cls_api.c | 2 +-
+ net/unix/af_unix.c | 2 +
+ 37 files changed, 204 insertions(+), 95 deletions(-)
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
