--- /dev/null
+From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001
+From: Luca Tettamanti <kronos.it@gmail.com>
+Date: Wed, 22 Sep 2010 10:41:58 +0000
+Subject: atl1: fix resume
+
+From: Luca Tettamanti <kronos.it@gmail.com>
+
+commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream.
+
+adapter->cmb.cmb is initialized when the device is opened and freed when
+it's closed. Accessing it unconditionally during resume results either
+in a crash (NULL pointer dereference, when the interface has not been
+opened yet) or data corruption (when the interface has been used and
+brought down adapter->cmb.cmb points to a deallocated memory area).
+
+Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
+Acked-by: Chris Snook <chris.snook@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/atlx/atl1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/atlx/atl1.c
++++ b/drivers/net/atlx/atl1.c
+@@ -2856,10 +2856,11 @@ static int atl1_resume(struct pci_dev *p
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
+ atl1_reset_hw(&adapter->hw);
+- adapter->cmb.cmb->int_stats = 0;
+
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ adapter->cmb.cmb->int_stats = 0;
+ atl1_up(adapter);
++ }
+ netif_device_attach(netdev);
+
+ return 0;
--- /dev/null
+From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:09:28 -0700
+Subject: De-pessimize rds_page_copy_user
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream.
+
+Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
+the unsafe atomic user mode accessor functions. It's actually slower
+than the straightforward code on any reasonable modern CPU.
+
+Back when the code was written (although probably not by the time it was
+actually merged, though), 32-bit x86 may have been the dominant
+architecture. And there kmap_atomic() can be a lot faster than kmap()
+(unless you have very good locality, in which case the virtual address
+caching by kmap() can overcome all the downsides).
+
+But these days, x86-64 may not be more populous, but it's getting there
+(and if you care about performance, it's definitely already there -
+you'd have upgraded your CPU's already in the last few years). And on
+x86-64, the non-kmap_atomic() version is faster, simply because the code
+is simpler and doesn't have the "re-try page fault" case.
+
+People with old hardware are not likely to care about RDS anyway, and
+the optimization for the 32-bit case is simply buggy, since it doesn't
+verify the user addresses properly.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rds/page.c | 27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+--- a/net/rds/page.c
++++ b/net/rds/page.c
+@@ -56,30 +56,17 @@ int rds_page_copy_user(struct page *page
+ unsigned long ret;
+ void *addr;
+
+- if (to_user)
++ addr = kmap(page);
++ if (to_user) {
+ rds_stats_add(s_copy_to_user, bytes);
+- else
++ ret = copy_to_user(ptr, addr + offset, bytes);
++ } else {
+ rds_stats_add(s_copy_from_user, bytes);
+-
+- addr = kmap_atomic(page, KM_USER0);
+- if (to_user)
+- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
+- else
+- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
+- kunmap_atomic(addr, KM_USER0);
+-
+- if (ret) {
+- addr = kmap(page);
+- if (to_user)
+- ret = copy_to_user(ptr, addr + offset, bytes);
+- else
+- ret = copy_from_user(addr + offset, ptr, bytes);
+- kunmap(page);
+- if (ret)
+- return -EFAULT;
++ ret = copy_from_user(addr + offset, ptr, bytes);
+ }
++ kunmap(page);
+
+- return 0;
++ return ret ? -EFAULT : 0;
+ }
+ EXPORT_SYMBOL_GPL(rds_page_copy_user);
+
--- /dev/null
+From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001
+From: Simon Guinot <sguinot@lacie.com>
+Date: Fri, 17 Sep 2010 23:33:51 +0200
+Subject: dmaengine: fix interrupt clearing for mv_xor
+
+From: Simon Guinot <sguinot@lacie.com>
+
+commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream.
+
+When using simultaneously the two DMA channels on a same engine, some
+transfers are never completed. For example, an endless lock can occur
+while writing heavily on a RAID5 array (with async-tx offload support
+enabled).
+
+Note that this issue can also be reproduced by using the DMA test
+client.
+
+On a same engine, the interrupt cause register is shared between two
+DMA channels. This patch make sure that the cause bit is only cleared
+for the requested channel.
+
+Signed-off-by: Simon Guinot <sguinot@lacie.com>
+Tested-by: Luc Saillard <luc@saillard.org>
+Acked-by: saeed bishara <saeed.bishara@gmail.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/mv_xor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -161,7 +161,7 @@ static int mv_is_err_intr(u32 intr_cause
+
+ static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan)
+ {
+- u32 val = (1 << (1 + (chan->idx * 16)));
++ u32 val = ~(1 << (chan->idx * 16));
+ dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val);
+ __raw_writel(val, XOR_INTR_CAUSE(chan));
+ }
--- /dev/null
+From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Sat, 25 Sep 2010 17:45:50 +1000
+Subject: drm/radeon: fix PCI ID 5657 to be an RV410
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream.
+
+fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/drm/drm_pciids.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -85,7 +85,6 @@
+ {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+ {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+ {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
+- {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
+@@ -103,6 +102,7 @@
+ {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \
+ {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \
+ {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \
--- /dev/null
+From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001
+From: Salman Qazi <sqazi@google.com>
+Date: Tue, 12 Oct 2010 07:25:19 -0700
+Subject: hrtimer: Preserve timer state in remove_hrtimer()
+
+From: Salman Qazi <sqazi@google.com>
+
+commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream.
+
+The race is described as follows:
+
+CPU X CPU Y
+remove_hrtimer
+// state & QUEUED == 0
+timer->state = CALLBACK
+unlock timer base
+timer->f(n) //very long
+ hrtimer_start
+ lock timer base
+ remove_hrtimer // no effect
+ hrtimer_enqueue
+ timer->state = CALLBACK |
+ QUEUED
+ unlock timer base
+ hrtimer_start
+ lock timer base
+ remove_hrtimer
+ mode = INACTIVE
+ // CALLBACK bit lost!
+ switch_hrtimer_base
+ CALLBACK bit not set:
+ timer->base
+ changes to a
+ different CPU.
+lock this CPU's timer base
+
+The bug was introduced with commit ca109491f (hrtimer: removing all ur
+callback modes) in 2.6.29
+
+[ tglx: Feed new state via local variable and add a comment. ]
+
+Signed-off-by: Salman Qazi <sqazi@google.com>
+Cc: akpm@linux-foundation.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/hrtimer.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -920,6 +920,7 @@ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
+ {
+ if (hrtimer_is_queued(timer)) {
++ unsigned long state;
+ int reprogram;
+
+ /*
+@@ -933,8 +934,13 @@ remove_hrtimer(struct hrtimer *timer, st
+ debug_deactivate(timer);
+ timer_stats_hrtimer_clear_start_info(timer);
+ reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases);
+- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE,
+- reprogram);
++ /*
++ * We must preserve the CALLBACK state flag here,
++ * otherwise we could move the timer base in
++ * switch_hrtimer_base.
++ */
++ state = timer->state & HRTIMER_STATE_CALLBACK;
++ __remove_hrtimer(timer, base, state, reprogram);
+ return 1;
+ }
+ return 0;
+@@ -1221,6 +1227,9 @@ static void __run_hrtimer(struct hrtimer
+ BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
+ enqueue_hrtimer(timer, base);
+ }
++
++ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));
++
+ timer->state &= ~HRTIMER_STATE_CALLBACK;
+ }
+
--- /dev/null
+From 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 Mon Sep 17 00:00:00 2001
+From: Yegor Yefremov <yegor_sub1@visionsystems.de>
+Date: Thu, 30 Sep 2010 14:14:22 +0200
+Subject: i2c-pca: Fix waitforcompletion() return value
+
+From: Yegor Yefremov <yegor_sub1@visionsystems.de>
+
+commit 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 upstream.
+
+ret is still -1, if during the polling read_byte() returns at once
+with I2C_PCA_CON_SI set. So ret > 0 would lead *_waitforcompletion()
+to return 0, in spite of the proper behavior.
+
+The routine was rewritten, so that ret has always a proper value,
+before returning.
+
+Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
+Reviewed-by: Wolfram Sang <w.sang@pengutronix.de>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/busses/i2c-pca-isa.c | 12 ++++++++----
+ drivers/i2c/busses/i2c-pca-platform.c | 11 +++++++----
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pca-isa.c
++++ b/drivers/i2c/busses/i2c-pca-isa.c
+@@ -71,8 +71,8 @@ static int pca_isa_readbyte(void *pd, in
+
+ static int pca_isa_waitforcompletion(void *pd)
+ {
+- long ret = ~0;
+ unsigned long timeout;
++ long ret;
+
+ if (irq > -1) {
+ ret = wait_event_timeout(pca_wait,
+@@ -81,11 +81,15 @@ static int pca_isa_waitforcompletion(voi
+ } else {
+ /* Do polling */
+ timeout = jiffies + pca_isa_ops.timeout;
+- while (((pca_isa_readbyte(pd, I2C_PCA_CON)
+- & I2C_PCA_CON_SI) == 0)
+- && (ret = time_before(jiffies, timeout)))
++ do {
++ ret = time_before(jiffies, timeout);
++ if (pca_isa_readbyte(pd, I2C_PCA_CON)
++ & I2C_PCA_CON_SI)
++ break;
+ udelay(100);
++ } while (ret);
+ }
++
+ return ret > 0;
+ }
+
+--- a/drivers/i2c/busses/i2c-pca-platform.c
++++ b/drivers/i2c/busses/i2c-pca-platform.c
+@@ -80,8 +80,8 @@ static void i2c_pca_pf_writebyte32(void
+ static int i2c_pca_pf_waitforcompletion(void *pd)
+ {
+ struct i2c_pca_pf_data *i2c = pd;
+- long ret = ~0;
+ unsigned long timeout;
++ long ret;
+
+ if (i2c->irq) {
+ ret = wait_event_timeout(i2c->wait,
+@@ -90,10 +90,13 @@ static int i2c_pca_pf_waitforcompletion(
+ } else {
+ /* Do polling */
+ timeout = jiffies + i2c->adap.timeout;
+- while (((i2c->algo_data.read_byte(i2c, I2C_PCA_CON)
+- & I2C_PCA_CON_SI) == 0)
+- && (ret = time_before(jiffies, timeout)))
++ do {
++ ret = time_before(jiffies, timeout);
++ if (i2c->algo_data.read_byte(i2c, I2C_PCA_CON)
++ & I2C_PCA_CON_SI)
++ break;
+ udelay(100);
++ } while (ret);
+ }
+
+ return ret > 0;
--- /dev/null
+From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001
+From: Kenneth Waters <kwwaters@gmail.com>
+Date: Tue, 21 Sep 2010 00:58:23 -0700
+Subject: Input: joydev - fix JSIOCSAXMAP ioctl
+
+From: Kenneth Waters <kwwaters@gmail.com>
+
+commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream.
+
+Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to
+event axis in addition to abspam. This fixes a regression introduced
+by 999b874f.
+
+Signed-off-by: Kenneth Waters <kwwaters@gmail.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/joydev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -481,6 +481,9 @@ static int joydev_handle_JSIOCSAXMAP(str
+
+ memcpy(joydev->abspam, abspam, len);
+
++ for (i = 0; i < joydev->nabs; i++)
++ joydev->absmap[joydev->abspam[i]] = i;
++
+ out:
+ kfree(abspam);
+ return retval;
--- /dev/null
+From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001
+From: Joel Becker <joel.becker@oracle.com>
+Date: Wed, 29 Sep 2010 17:33:05 -0700
+Subject: ocfs2: Don't walk off the end of fast symlinks.
+
+From: Joel Becker <joel.becker@oracle.com>
+
+commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.
+
+ocfs2 fast symlinks are NUL terminated strings stored inline in the
+inode data area. However, disk corruption or a local attacker could, in
+theory, remove that NUL. Because we're using strlen() (my fault,
+introduced in a731d1 when removing vfs_follow_link()), we could walk off
+the end of that string.
+
+Signed-off-by: Joel Becker <joel.becker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/symlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru
+ }
+
+ /* Fast symlinks can't be large */
+- len = strlen(target);
++ len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
+ link = kzalloc(len + 1, GFP_NOFS);
+ if (!link) {
+ status = -ENOMEM;
--- /dev/null
+From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <srostedt@redhat.com>
+Date: Tue, 12 Oct 2010 12:06:43 -0400
+Subject: ring-buffer: Fix typo of time extends per page
+
+From: Steven Rostedt <srostedt@redhat.com>
+
+commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream.
+
+Time stamps for the ring buffer are created by the difference between
+two events. Each page of the ring buffer holds a full 64 bit timestamp.
+Each event has a 27 bit delta stamp from the last event. The unit of time
+is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events
+happen more than 134 milliseconds apart, a time extend is inserted
+to add more bits for the delta. The time extend has 59 bits, which
+is good for ~18 years.
+
+Currently the time extend is committed separately from the event.
+If an event is discarded before it is committed, due to filtering,
+the time extend still exists. If all events are being filtered, then
+after ~134 milliseconds a new time extend will be added to the buffer.
+
+This can only happen till the end of the page. Since each page holds
+a full timestamp, there is no reason to add a time extend to the
+beginning of a page. Time extends can only fill a page that has actual
+data at the beginning, so there is no fear that time extends will fill
+more than a page without any data.
+
+When reading an event, a loop is made to skip over time extends
+since they are only used to maintain the time stamp and are never
+given to the caller. As a paranoid check to prevent the loop running
+forever, with the knowledge that time extends may only fill a page,
+a check is made that tests the iteration of the loop, and if the
+iteration is more than the number of time extends that can fit in a page
+a warning is printed and the ring buffer is disabled (all of ftrace
+is also disabled with it).
+
+There is another event type that is called a TIMESTAMP which can
+hold 64 bits of data in the theoretical case that two events happen
+18 years apart. This code has not been implemented, but the name
+of this event exists, as well as the structure for it. The
+size of a TIMESTAMP is 16 bytes, where as a time extend is only
+8 bytes. The macro used to calculate how many time extends can fit on
+a page used the TIMESTAMP size instead of the time extend size
+cutting the amount in half.
+
+The following test case can easily trigger the warning since we only
+need to have half the page filled with time extends to trigger the
+warning:
+
+ # cd /sys/kernel/debug/tracing/
+ # echo function > current_tracer
+ # echo 'common_pid < 0' > events/ftrace/function/filter
+ # echo > trace
+ # echo 1 > trace_marker
+ # sleep 120
+ # cat trace
+
+Enabling the function tracer and then setting the filter to only trace
+functions where the process id is negative (no events), then clearing
+the trace buffer to ensure that we have nothing in the buffer,
+then write to trace_marker to add an event to the beginning of a page,
+sleep for 2 minutes (only 35 seconds is probably needed, but this
+guarantees the bug), and then finally reading the trace which will
+trigger the bug.
+
+This patch fixes the typo and prevents the false positive of that warning.
+
+Reported-by: Hans J. Koch <hjk@linutronix.de>
+Tested-by: Hans J. Koch <hjk@linutronix.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/trace/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -389,7 +389,7 @@ static inline int test_time_stamp(u64 de
+ #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2))
+
+ /* Max number of timestamps that can fit on a page */
+-#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP)
++#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND)
+
+ int ring_buffer_print_page_header(struct trace_seq *s)
+ {
x86-amd-iommu-work-around-s3-bios-bug.patch
tracing-x86-don-t-use-mcount-in-pvclock.c.patch
tracing-x86-don-t-use-mcount-in-kvmclock.c.patch
+v4l1-fix-32-bit-compat-microcode-loading-translation.patch
+v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch
+v4l-dvb-13966-dvb-t-regression-fix-for-saa7134-cards.patch
+input-joydev-fix-jsiocsaxmap-ioctl.patch
+x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
+x86-irq-plug-memory-leak-in-sparse-irq.patch
+ubd-fix-incorrect-sector-handling-during-request-restart.patch
+ring-buffer-fix-typo-of-time-extends-per-page.patch
+dmaengine-fix-interrupt-clearing-for-mv_xor.patch
+hrtimer-preserve-timer-state-in-remove_hrtimer.patch
+i2c-pca-fix-waitforcompletion-return-value.patch
+ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
+wext-fix-potential-private-ioctl-memory-content-leak.patch
+atl1-fix-resume.patch
+x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
+de-pessimize-rds_page_copy_user.patch
+drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch
--- /dev/null
+From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 15 Oct 2010 12:56:21 +0200
+Subject: ubd: fix incorrect sector handling during request restart
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream.
+
+Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation)
+dropped request->sector manipulation in preparation for global request
+handling cleanup; unfortunately, it incorrectly assumed that the
+updated sector wasn't being used.
+
+ubd tries to issue as many requests as possible to io_thread. When
+issuing fails due to memory pressure or other reasons, the device is
+put on the restart list and issuing stops. On IO completion, devices
+on the restart list are scanned and IO issuing is restarted.
+
+ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a
+request, so each device on the restart queue needs to remember where
+to restart in its current request. ubd needs to keep track of the
+issue position itself because,
+
+* blk_rq_pos(req) is now updated by the block layer to keep track of
+ _completion_ position.
+
+* Multiple io_req's for the current request may be in flight, so it's
+ difficult to tell where blk_rq_pos(req) currently is.
+
+Add ubd->rq_pos to keep track of the issue position and use it to
+correctly restart io_req issue.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Richard Weinberger <richard@nod.at>
+Tested-by: Richard Weinberger <richard@nod.at>
+Tested-by: Chris Frey <cdfrey@foursquare.net>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/um/drivers/ubd_kern.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -160,6 +160,7 @@ struct ubd {
+ struct scatterlist sg[MAX_SG];
+ struct request *request;
+ int start_sg, end_sg;
++ sector_t rq_pos;
+ };
+
+ #define DEFAULT_COW { \
+@@ -184,6 +185,7 @@ struct ubd {
+ .request = NULL, \
+ .start_sg = 0, \
+ .end_sg = 0, \
++ .rq_pos = 0, \
+ }
+
+ /* Protected by ubd_lock */
+@@ -1222,7 +1224,6 @@ static void do_ubd_request(struct reques
+ {
+ struct io_thread_req *io_req;
+ struct request *req;
+- sector_t sector;
+ int n;
+
+ while(1){
+@@ -1233,12 +1234,12 @@ static void do_ubd_request(struct reques
+ return;
+
+ dev->request = req;
++ dev->rq_pos = blk_rq_pos(req);
+ dev->start_sg = 0;
+ dev->end_sg = blk_rq_map_sg(q, req, dev->sg);
+ }
+
+ req = dev->request;
+- sector = blk_rq_pos(req);
+ while(dev->start_sg < dev->end_sg){
+ struct scatterlist *sg = &dev->sg[dev->start_sg];
+
+@@ -1250,10 +1251,9 @@ static void do_ubd_request(struct reques
+ return;
+ }
+ prepare_request(req, io_req,
+- (unsigned long long)sector << 9,
++ (unsigned long long)dev->rq_pos << 9,
+ sg->offset, sg->length, sg_page(sg));
+
+- sector += sg->length >> 9;
+ n = os_write_file(thread_fd, &io_req,
+ sizeof(struct io_thread_req *));
+ if(n != sizeof(struct io_thread_req *)){
+@@ -1266,6 +1266,7 @@ static void do_ubd_request(struct reques
+ return;
+ }
+
++ dev->rq_pos += sg->length >> 9;
+ dev->start_sg++;
+ }
+ dev->end_sg = 0;
--- /dev/null
+From 08be64be3d1e5ecd72e7ba3147aea518e527f08e Mon Sep 17 00:00:00 2001
+From: Dmitri Belimov <d.belimov@gmail.com>
+Date: Fri, 8 Jan 2010 06:38:28 -0300
+Subject: V4L/DVB (13966): DVB-T regression fix for saa7134 cards
+
+From: Dmitri Belimov <d.belimov@gmail.com>
+
+commit 08be64be3d1e5ecd72e7ba3147aea518e527f08e upstream.
+
+Some customers has problem with quality of DVB-T
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/446575
+
+After this patch http://patchwork.kernel.org/patch/23345/
+
+This is patch for fix regression with DVB-T. Tested with many people.
+
+Signed-off-by: Alexey Osipov <lion-simba@pridelands.ru>
+Signed-off-by: Beholder Intl. Ltd. Dmitry Belimov <d.belimov@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/saa7134/saa7134-core.c | 13 -------------
+ drivers/media/video/saa7134/saa7134-ts.c | 13 +++++++++++++
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/video/saa7134/saa7134-core.c
++++ b/drivers/media/video/saa7134/saa7134-core.c
+@@ -420,19 +420,6 @@ int saa7134_set_dmabits(struct saa7134_d
+ ctrl |= SAA7134_MAIN_CTRL_TE5;
+ irq |= SAA7134_IRQ1_INTE_RA2_1 |
+ SAA7134_IRQ1_INTE_RA2_0;
+-
+- /* dma: setup channel 5 (= TS) */
+-
+- saa_writeb(SAA7134_TS_DMA0, (dev->ts.nr_packets - 1) & 0xff);
+- saa_writeb(SAA7134_TS_DMA1,
+- ((dev->ts.nr_packets - 1) >> 8) & 0xff);
+- /* TSNOPIT=0, TSCOLAP=0 */
+- saa_writeb(SAA7134_TS_DMA2,
+- (((dev->ts.nr_packets - 1) >> 16) & 0x3f) | 0x00);
+- saa_writel(SAA7134_RS_PITCH(5), TS_PACKET_SIZE);
+- saa_writel(SAA7134_RS_CONTROL(5), SAA7134_RS_CONTROL_BURST_16 |
+- SAA7134_RS_CONTROL_ME |
+- (dev->ts.pt_ts.dma >> 12));
+ }
+
+ /* set task conditions + field handling */
+--- a/drivers/media/video/saa7134/saa7134-ts.c
++++ b/drivers/media/video/saa7134/saa7134-ts.c
+@@ -250,6 +250,19 @@ int saa7134_ts_start(struct saa7134_dev
+
+ BUG_ON(dev->ts_started);
+
++ /* dma: setup channel 5 (= TS) */
++ saa_writeb(SAA7134_TS_DMA0, (dev->ts.nr_packets - 1) & 0xff);
++ saa_writeb(SAA7134_TS_DMA1,
++ ((dev->ts.nr_packets - 1) >> 8) & 0xff);
++ /* TSNOPIT=0, TSCOLAP=0 */
++ saa_writeb(SAA7134_TS_DMA2,
++ (((dev->ts.nr_packets - 1) >> 16) & 0x3f) | 0x00);
++ saa_writel(SAA7134_RS_PITCH(5), TS_PACKET_SIZE);
++ saa_writel(SAA7134_RS_CONTROL(5), SAA7134_RS_CONTROL_BURST_16 |
++ SAA7134_RS_CONTROL_ME |
++ (dev->ts.pt_ts.dma >> 12));
++
++ /* reset hardware TS buffers */
+ saa_writeb(SAA7134_TS_SERIAL1, 0x00);
+ saa_writeb(SAA7134_TS_SERIAL1, 0x03);
+ saa_writeb(SAA7134_TS_SERIAL1, 0x00);
--- /dev/null
+From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+Date: Sat, 11 Sep 2010 11:37:51 -0300
+Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0)
+
+From: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream.
+
+As reported by: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>:
+
+[ 220.033500] cx231xx v4l2 driver loaded.
+[ 220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces
+[ 220.033577] cx231xx #0: registering interface 0
+[ 220.033591] cx231xx #0: registering interface 1
+[ 220.033654] cx231xx #0: registering interface 6
+[ 220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0)
+[ 220.033946] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 220.033955] IP: [<ffffffffa0d3c8bd>] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx]
+
+Thanks-to: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/cx231xx/cx231xx-cards.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/video/cx231xx/cx231xx-cards.c
++++ b/drivers/media/video/cx231xx/cx231xx-cards.c
+@@ -225,14 +225,16 @@ void cx231xx_pre_card_setup(struct cx231
+ dev->board.name, dev->model);
+
+ /* set the direction for GPIO pins */
+- cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
+- cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
+- cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
++ if (dev->board.tuner_gpio) {
++ cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
++ cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
++ cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
+
+- /* request some modules if any required */
++ /* request some modules if any required */
+
+- /* reset the Tuner */
+- cx231xx_gpio_set(dev, dev->board.tuner_gpio);
++ /* reset the Tuner */
++ cx231xx_gpio_set(dev, dev->board.tuner_gpio);
++ }
+
+ /* set the mode to Analog mode initially */
+ cx231xx_set_mode(dev, CX231XX_ANALOG_MODE);
--- /dev/null
+From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 15 Oct 2010 11:12:38 -0700
+Subject: v4l1: fix 32-bit compat microcode loading translation
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream.
+
+The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
+It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
+staging and eventually removed unless somebody steps up to maintain it
+(at which point it should use request_firmware() rather than some magic
+ioctl). So we'll get rid of it eventually.
+
+But in the meantime, the compatibility ioctl code is broken, and this
+tries to get it to at least limp along (even if Mauro suggested just
+deleting it entirely, which may be the right thing to do - I don't think
+the compatibility translation code has ever worked unless you were very
+lucky).
+
+Reported-by: Kees Cook <kees.cook@canonical.com>
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/v4l2-compat-ioctl32.c | 32 +++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/video/v4l2-compat-ioctl32.c
++++ b/drivers/media/video/v4l2-compat-ioctl32.c
+@@ -193,17 +193,24 @@ static int put_video_window32(struct vid
+ struct video_code32 {
+ char loadwhat[16]; /* name or tag of file being passed */
+ compat_int_t datasize;
+- unsigned char *data;
++ compat_uptr_t data;
+ };
+
+-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *get_microcode32(struct video_code32 *kp)
+ {
+- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
+- get_user(kp->datasize, &up->datasize) ||
+- copy_from_user(kp->data, up->data, up->datasize))
+- return -EFAULT;
+- return 0;
++ struct video_code __user *up;
++
++ up = compat_alloc_user_space(sizeof(*up));
++
++ /*
++ * NOTE! We don't actually care if these fail. If the
++ * user address is invalid, the native ioctl will do
++ * the error handling for us
++ */
++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++ (void) put_user(kp->datasize, &up->datasize);
++ (void) put_user(compat_ptr(kp->data), &up->data);
++ return up;
+ }
+
+ #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
+@@ -741,7 +748,7 @@ static long do_video_ioctl(struct file *
+ struct video_tuner vt;
+ struct video_buffer vb;
+ struct video_window vw;
+- struct video_code vc;
++ struct video_code32 vc;
+ struct video_audio va;
+ #endif
+ struct v4l2_format v2f;
+@@ -820,8 +827,11 @@ static long do_video_ioctl(struct file *
+ break;
+
+ case VIDIOCSMICROCODE:
+- err = get_microcode32(&karg.vc, up);
+- compatible_arg = 0;
++ /* Copy the 32-bit "video_code32" to kernel space */
++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++ return -EFAULT;
++ /* Convert the 32-bit version to a 64-bit version in user space */
++ up = get_microcode32(&karg.vc);
+ break;
+
+ case VIDIOCSFREQ:
--- /dev/null
+From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Sep 2010 00:38:25 +0200
+Subject: wext: fix potential private ioctl memory content leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.
+
+When a driver doesn't fill the entire buffer, old
+heap contents may remain, and if it also doesn't
+update the length properly, this old heap content
+will be copied back to userspace.
+
+It is very unlikely that this happens in any of
+the drivers using private ioctls since it would
+show up as junk being reported by iwpriv, but it
+seems better to be safe here, so use kzalloc.
+
+Reported-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/wext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/wext.c
++++ b/net/wireless/wext.c
+@@ -1029,7 +1029,7 @@ static int ioctl_private_iw_point(struct
+ } else if (!iwp->pointer)
+ return -EFAULT;
+
+- extra = kmalloc(extra_size, GFP_KERNEL);
++ extra = kzalloc(extra_size, GFP_KERNEL);
+ if (!extra)
+ return -ENOMEM;
+
--- /dev/null
+From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <borislav.petkov@amd.com>
+Date: Fri, 8 Oct 2010 12:08:34 +0200
+Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order
+
+From: Borislav Petkov <borislav.petkov@amd.com>
+
+commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream.
+
+This fixes possible cases of not collecting valid error info in
+the MCE error thresholding groups on F10h hardware.
+
+The current code contains a subtle problem of checking only the
+Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM
+thresholding group) in its first iteration and breaking out if
+the bit is cleared.
+
+But (!), this MSR contains an offset value, BlkPtr[31:24], which
+points to the remaining MSRs in this thresholding group which
+might contain valid information too. But if we bail out only
+after we checked the valid bit in the first MSR and not the
+block pointer too, we miss that other information.
+
+The thing is, MC4_MISC0[BlkPtr] is not predicated on
+MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked
+prior to iterating over the MCI_MISCj thresholding group,
+irrespective of the MC4_MISC0[Valid] setting.
+
+Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -140,6 +140,7 @@ void mce_amd_feature_init(struct cpuinfo
+ address = (low & MASK_BLKPTR_LO) >> 21;
+ if (!address)
+ break;
++
+ address += MCG_XBLK_ADDR;
+ } else
+ ++address;
+@@ -147,12 +148,8 @@ void mce_amd_feature_init(struct cpuinfo
+ if (rdmsr_safe(address, &low, &high))
+ break;
+
+- if (!(high & MASK_VALID_HI)) {
+- if (block)
+- continue;
+- else
+- break;
+- }
++ if (!(high & MASK_VALID_HI))
++ continue;
+
+ if (!(high & MASK_CNTP_HI) ||
+ (high & MASK_LOCKED_HI))
--- /dev/null
+From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 28 Sep 2010 23:20:23 +0200
+Subject: x86, hpet: Fix bogus error check in hpet_assign_irq()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream.
+
+create_irq() returns -1 if the interrupt allocation failed, but the
+code checks for irq == 0.
+
+Use create_irq_nr() instead.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Venkatesh Pallipadi <venki@google.com>
+LKML-Reference: <alpine.LFD.2.00.1009282310360.2416@localhost6.localdomain6>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -497,7 +497,7 @@ static int hpet_assign_irq(struct hpet_d
+ {
+ unsigned int irq;
+
+- irq = create_irq();
++ irq = create_irq_nr(0, -1);
+ if (!irq)
+ return -EINVAL;
+
--- /dev/null
+From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 28 Sep 2010 20:57:19 +0200
+Subject: x86, irq: Plug memory leak in sparse irq
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream.
+
+free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this
+triggers a use after free caused by the fact that copying struct
+irq_cfg is done with memcpy, which copies the pointer not the cpumask.
+
+Fix both places.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yinghai Lu <yhlu.kernel@gmail.com>
+LKML-Reference: <alpine.LFD.2.00.1009282052570.2416@localhost6.localdomain6>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/apic/io_apic.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -332,14 +332,19 @@ void arch_init_copy_chip_data(struct irq
+
+ old_cfg = old_desc->chip_data;
+
+- memcpy(cfg, old_cfg, sizeof(struct irq_cfg));
++ cfg->vector = old_cfg->vector;
++ cfg->move_in_progress = old_cfg->move_in_progress;
++ cpumask_copy(cfg->domain, old_cfg->domain);
++ cpumask_copy(cfg->old_domain, old_cfg->old_domain);
+
+ init_copy_irq_2_pin(old_cfg, cfg, node);
+ }
+
+-static void free_irq_cfg(struct irq_cfg *old_cfg)
++static void free_irq_cfg(struct irq_cfg *cfg)
+ {
+- kfree(old_cfg);
++ free_cpumask_var(cfg->domain);
++ free_cpumask_var(cfg->old_domain);
++ kfree(cfg);
+ }
+
+ void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)
projects / thirdparty / kernel / stable-queue.git / commitdiff
