--- /dev/null
+From 9deb343189b3cf45e84dd08480f330575ffe2004 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 16 Mar 2010 09:50:26 +0900
+Subject: ahci: use BIOS date in broken_suspend list
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 9deb343189b3cf45e84dd08480f330575ffe2004 upstream.
+
+HP is recycling both DMI_PRODUCT_NAME and DMI_BIOS_VERSION making
+ahci_broken_suspend() trigger for later products which are not
+affected by the original problems. Match BIOS date instead of version
+and add references to bko's so that full information can be found
+easier later.
+
+This fixes http://bugzilla.kernel.org/show_bug.cgi?id=15462
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: tigerfishdaisy@gmail.com
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/ahci.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -2831,6 +2831,14 @@ static bool ahci_broken_suspend(struct p
+ * On HP dv[4-6] and HDX18 with earlier BIOSen, link
+ * to the harddisk doesn't become online after
+ * resuming from STR. Warn and fail suspend.
++ *
++ * http://bugzilla.kernel.org/show_bug.cgi?id=12276
++ *
++ * Use dates instead of versions to match as HP is
++ * apparently recycling both product and version
++ * strings.
++ *
++ * http://bugzilla.kernel.org/show_bug.cgi?id=15462
+ */
+ {
+ .ident = "dv4",
+@@ -2839,7 +2847,7 @@ static bool ahci_broken_suspend(struct p
+ DMI_MATCH(DMI_PRODUCT_NAME,
+ "HP Pavilion dv4 Notebook PC"),
+ },
+- .driver_data = "F.30", /* cutoff BIOS version */
++ .driver_data = "20090105", /* F.30 */
+ },
+ {
+ .ident = "dv5",
+@@ -2848,7 +2856,7 @@ static bool ahci_broken_suspend(struct p
+ DMI_MATCH(DMI_PRODUCT_NAME,
+ "HP Pavilion dv5 Notebook PC"),
+ },
+- .driver_data = "F.16", /* cutoff BIOS version */
++ .driver_data = "20090506", /* F.16 */
+ },
+ {
+ .ident = "dv6",
+@@ -2857,7 +2865,7 @@ static bool ahci_broken_suspend(struct p
+ DMI_MATCH(DMI_PRODUCT_NAME,
+ "HP Pavilion dv6 Notebook PC"),
+ },
+- .driver_data = "F.21", /* cutoff BIOS version */
++ .driver_data = "20090423", /* F.21 */
+ },
+ {
+ .ident = "HDX18",
+@@ -2866,7 +2874,7 @@ static bool ahci_broken_suspend(struct p
+ DMI_MATCH(DMI_PRODUCT_NAME,
+ "HP HDX18 Notebook PC"),
+ },
+- .driver_data = "F.23", /* cutoff BIOS version */
++ .driver_data = "20090430", /* F.23 */
+ },
+ /*
+ * Acer eMachines G725 has the same problem. BIOS
+@@ -2874,6 +2882,8 @@ static bool ahci_broken_suspend(struct p
+ * work. Inbetween, there are V1.06, V2.06 and V3.03
+ * that we don't have much idea about. For now,
+ * blacklist anything older than V3.04.
++ *
++ * http://bugzilla.kernel.org/show_bug.cgi?id=15104
+ */
+ {
+ .ident = "G725",
+@@ -2881,19 +2891,21 @@ static bool ahci_broken_suspend(struct p
+ DMI_MATCH(DMI_SYS_VENDOR, "eMachines"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "eMachines G725"),
+ },
+- .driver_data = "V3.04", /* cutoff BIOS version */
++ .driver_data = "20091216", /* V3.04 */
+ },
+ { } /* terminate list */
+ };
+ const struct dmi_system_id *dmi = dmi_first_match(sysids);
+- const char *ver;
++ int year, month, date;
++ char buf[9];
+
+ if (!dmi || pdev->bus->number || pdev->devfn != PCI_DEVFN(0x1f, 2))
+ return false;
+
+- ver = dmi_get_system_info(DMI_BIOS_VERSION);
++ dmi_get_date(DMI_BIOS_DATE, &year, &month, &date);
++ snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date);
+
+- return !ver || strcmp(ver, dmi->driver_data) < 0;
++ return strcmp(buf, dmi->driver_data) < 0;
+ }
+
+ static bool ahci_broken_online(struct pci_dev *pdev)
--- /dev/null
+From Larry.Finger@lwfinger.net Tue Mar 30 14:13:06 2010
+From: Michael Buesch <mb@bu3sch.de>
+Date: Fri, 19 Mar 2010 10:38:33 -0500
+Subject: b43: Workaround circular locking in hw-tkip key update callback
+To: Greg Kroah-Hartman <gregkh@suse.de>
+Message-ID: <4ba39a79.mevaykhV84IAaVlI%Larry.Finger@lwfinger.net>
+
+From: Michael Buesch <mb@bu3sch.de>
+
+commit 96869a39399269a776a94812e9fff3d38b47d838 upstream
+
+The TKIP key update callback is called from the RX path, where the driver
+mutex is already locked. This results in a circular locking bug.
+Avoid this by removing the lock.
+
+Johannes noted that there is a separate bug: The callback still breaks on SDIO
+hardware, because SDIO hardware access needs to sleep, but we are not allowed
+to sleep in the callback due to mac80211's RCU locking.
+
+Signed-off-by: Michael Buesch <mb@bu3sch.de>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reported-by: kecsa@kutfo.hit.bme.hu
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43/main.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -852,19 +852,16 @@ static void b43_op_update_tkip_key(struc
+ if (B43_WARN_ON(!modparam_hwtkip))
+ return;
+
+- mutex_lock(&wl->mutex);
+-
++ /* This is only called from the RX path through mac80211, where
++ * our mutex is already locked. */
++ B43_WARN_ON(!mutex_is_locked(&wl->mutex));
+ dev = wl->current_dev;
+- if (!dev || b43_status(dev) < B43_STAT_INITIALIZED)
+- goto out_unlock;
++ B43_WARN_ON(!dev || b43_status(dev) < B43_STAT_INITIALIZED);
+
+ keymac_write(dev, index, NULL); /* First zero out mac to avoid race */
+
+ rx_tkip_phase1_write(dev, index, iv32, phase1key);
+ keymac_write(dev, index, addr);
+-
+-out_unlock:
+- mutex_unlock(&wl->mutex);
+ }
+
+ static void do_key_write(struct b43_wldev *dev,
--- /dev/null
+From martin.petersen@oracle.com Tue Mar 30 14:15:30 2010
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 16 Mar 2010 20:30:01 -0400
+Subject: block: Backport of various I/O topology fixes from 2.6.33 and 2.6.34
+To: Mike Snitzer <snitzer@redhat.com>
+Cc: stable@kernel.org, martin.petersen@oracle.com, jens.axboe@oracle.com
+Message-ID: <yq1wrxbokmu.fsf@sermon.lab.mkp.net>
+
+block: Backport of various I/O topology fixes from 2.6.33 and 2.6.34
+
+The stacking code incorrectly scaled up the data offset in some cases
+causing misaligned devices to report alignment. Rewrite the stacking
+algorithm to remedy this.
+
+(Upstream commit 9504e0864b58b4a304820dcf3755f1da80d5e72f)
+
+The top device misalignment flag would not be set if the added bottom
+device was already misaligned as opposed to causing a stacking failure.
+
+Also massage the reporting so that an error is only returned if adding
+the bottom device caused the misalignment. I.e. don't return an error
+if the top is already flagged as misaligned.
+
+(Upstream commit fe0b393f2c0a0d23a9bc9ed7dc51a1ee511098bd)
+
+
+lcm() was defined to take integer-sized arguments. The supplied
+arguments are multiplied, however, causing us to overflow given
+sufficiently large input. That in turn led to incorrect optimal I/O
+size reporting in some cases. Switch lcm() over to unsigned long
+similar to gcd() and move the function from blk-settings.c to lib.
+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ block/blk-settings.c | 93 +++++++++++++++++++++++++++++++++++++--------------
+ include/linux/lcm.h | 8 ++++
+ lib/Makefile | 2 -
+ lib/lcm.c | 15 ++++++++
+ 4 files changed, 92 insertions(+), 26 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -8,6 +8,7 @@
+ #include <linux/blkdev.h>
+ #include <linux/bootmem.h> /* for max_pfn/max_low_pfn */
+ #include <linux/gcd.h>
++#include <linux/lcm.h>
+
+ #include "blk.h"
+
+@@ -490,18 +491,31 @@ EXPORT_SYMBOL(blk_queue_stack_limits);
+
+ /**
+ * blk_stack_limits - adjust queue_limits for stacked devices
+- * @t: the stacking driver limits (top)
+- * @b: the underlying queue limits (bottom)
++ * @t: the stacking driver limits (top device)
++ * @b: the underlying queue limits (bottom, component device)
+ * @offset: offset to beginning of data within component device
+ *
+ * Description:
+- * Merges two queue_limit structs. Returns 0 if alignment didn't
+- * change. Returns -1 if adding the bottom device caused
+- * misalignment.
++ * This function is used by stacking drivers like MD and DM to ensure
++ * that all component devices have compatible block sizes and
++ * alignments. The stacking driver must provide a queue_limits
++ * struct (top) and then iteratively call the stacking function for
++ * all component (bottom) devices. The stacking function will
++ * attempt to combine the values and ensure proper alignment.
++ *
++ * Returns 0 if the top and bottom queue_limits are compatible. The
++ * top device's block sizes and alignment offsets may be adjusted to
++ * ensure alignment with the bottom device. If no compatible sizes
++ * and alignments exist, -1 is returned and the resulting top
++ * queue_limits will have the misaligned flag set to indicate that
++ * the alignment_offset is undefined.
+ */
+ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
+ sector_t offset)
+ {
++ sector_t alignment;
++ unsigned int top, bottom, ret = 0;
++
+ t->max_sectors = min_not_zero(t->max_sectors, b->max_sectors);
+ t->max_hw_sectors = min_not_zero(t->max_hw_sectors, b->max_hw_sectors);
+ t->bounce_pfn = min_not_zero(t->bounce_pfn, b->bounce_pfn);
+@@ -518,6 +532,26 @@ int blk_stack_limits(struct queue_limits
+ t->max_segment_size = min_not_zero(t->max_segment_size,
+ b->max_segment_size);
+
++ t->misaligned |= b->misaligned;
++
++ alignment = queue_limit_alignment_offset(b, offset);
++
++ /* Bottom device has different alignment. Check that it is
++ * compatible with the current top alignment.
++ */
++ if (t->alignment_offset != alignment) {
++
++ top = max(t->physical_block_size, t->io_min)
++ + t->alignment_offset;
++ bottom = max(b->physical_block_size, b->io_min) + alignment;
++
++ /* Verify that top and bottom intervals line up */
++ if (max(top, bottom) & (min(top, bottom) - 1)) {
++ t->misaligned = 1;
++ ret = -1;
++ }
++ }
++
+ t->logical_block_size = max(t->logical_block_size,
+ b->logical_block_size);
+
+@@ -525,37 +559,46 @@ int blk_stack_limits(struct queue_limits
+ b->physical_block_size);
+
+ t->io_min = max(t->io_min, b->io_min);
++ t->io_opt = lcm(t->io_opt, b->io_opt);
++
+ t->no_cluster |= b->no_cluster;
+
+- /* Bottom device offset aligned? */
+- if (offset &&
+- (offset & (b->physical_block_size - 1)) != b->alignment_offset) {
++ /* Physical block size a multiple of the logical block size? */
++ if (t->physical_block_size & (t->logical_block_size - 1)) {
++ t->physical_block_size = t->logical_block_size;
+ t->misaligned = 1;
+- return -1;
++ ret = -1;
+ }
+
+- /* If top has no alignment offset, inherit from bottom */
+- if (!t->alignment_offset)
+- t->alignment_offset =
+- b->alignment_offset & (b->physical_block_size - 1);
++ /* Minimum I/O a multiple of the physical block size? */
++ if (t->io_min & (t->physical_block_size - 1)) {
++ t->io_min = t->physical_block_size;
++ t->misaligned = 1;
++ ret = -1;
++ }
+
+- /* Top device aligned on logical block boundary? */
+- if (t->alignment_offset & (t->logical_block_size - 1)) {
++ /* Optimal I/O a multiple of the physical block size? */
++ if (t->io_opt & (t->physical_block_size - 1)) {
++ t->io_opt = 0;
+ t->misaligned = 1;
+- return -1;
++ ret = -1;
+ }
+
+- /* Find lcm() of optimal I/O size */
+- if (t->io_opt && b->io_opt)
+- t->io_opt = (t->io_opt * b->io_opt) / gcd(t->io_opt, b->io_opt);
+- else if (b->io_opt)
+- t->io_opt = b->io_opt;
++ /* Find lowest common alignment_offset */
++ t->alignment_offset = lcm(t->alignment_offset, alignment)
++ & (max(t->physical_block_size, t->io_min) - 1);
++
++ /* Verify that new alignment_offset is on a logical block boundary */
++ if (t->alignment_offset & (t->logical_block_size - 1)) {
++ t->misaligned = 1;
++ ret = -1;
++ }
+
+- /* Verify that optimal I/O size is a multiple of io_min */
+- if (t->io_min && t->io_opt % t->io_min)
+- return -1;
++ /* Discard */
++ t->max_discard_sectors = min_not_zero(t->max_discard_sectors,
++ b->max_discard_sectors);
+
+- return 0;
++ return ret;
+ }
+ EXPORT_SYMBOL(blk_stack_limits);
+
+--- /dev/null
++++ b/include/linux/lcm.h
+@@ -0,0 +1,8 @@
++#ifndef _LCM_H
++#define _LCM_H
++
++#include <linux/compiler.h>
++
++unsigned long lcm(unsigned long a, unsigned long b) __attribute_const__;
++
++#endif /* _LCM_H */
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -21,7 +21,7 @@ lib-y += kobject.o kref.o klist.o
+
+ obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \
+ bust_spinlocks.o hexdump.o kasprintf.o bitmap.o scatterlist.o \
+- string_helpers.o gcd.o
++ string_helpers.o gcd.o lcm.o
+
+ ifeq ($(CONFIG_DEBUG_KOBJECT),y)
+ CFLAGS_kobject.o += -DDEBUG
+--- /dev/null
++++ b/lib/lcm.c
+@@ -0,0 +1,15 @@
++#include <linux/kernel.h>
++#include <linux/gcd.h>
++#include <linux/module.h>
++
++/* Lowest common multiple */
++unsigned long lcm(unsigned long a, unsigned long b)
++{
++ if (a && b)
++ return (a * b) / gcd(a, b);
++ else if (b)
++ return b;
++
++ return a;
++}
++EXPORT_SYMBOL_GPL(lcm);
--- /dev/null
+From c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 Mon Sep 17 00:00:00 2001
+From: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
+Date: Fri, 19 Mar 2010 10:26:28 +0200
+Subject: Bluetooth: Fix kernel crash on L2CAP stress tests
+
+From: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
+
+commit c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 upstream.
+
+Added very simple check that req buffer has enough space to
+fit configuration parameters. Shall be enough to reject packets
+with configuration size more than req buffer.
+
+Crash trace below
+
+[ 6069.659393] Unable to handle kernel paging request at virtual address 02000205
+[ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT
+...
+[ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap]
+[ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap]
+...
+[ 6070.030303] Backtrace:
+[ 6070.032806] [<bf1c2880>] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from
+[<bf1c6624>] (l2cap_recv_frame+0x1350/0x2e78 [l2cap])
+[ 6070.043823] r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200
+[ 6070.050659] [<bf1c52d4>] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from
+[<bf1c8408>] (l2cap_recv_acldata+0x2bc/0x350 [l2cap])
+[ 6070.061798] [<bf1c814c>] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from
+[<bf0037a4>] (hci_rx_task+0x244/0x478 [bluetooth])
+[ 6070.072631] r6:dc647700 r5:00000001 r4:df2ab740
+[ 6070.077362] [<bf003560>] (hci_rx_task+0x0/0x478 [bluetooth]) from
+[<c006b9fc>] (tasklet_action+0x78/0xd8)
+[ 6070.087005] [<c006b984>] (tasklet_action+0x0/0xd8) from [<c006c160>]
+
+Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
+Acked-by: Gustavo F. Padovan <gustavo@padovan.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/l2cap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2813,6 +2813,11 @@ static inline int l2cap_config_rsp(struc
+ int len = cmd->len - sizeof(*rsp);
+ char req[64];
+
++ if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
++ l2cap_send_disconn_req(conn, sk);
++ goto done;
++ }
++
+ /* throw out any old stored conf requests */
+ result = L2CAP_CONF_SUCCESS;
+ len = l2cap_parse_conf_rsp(sk, rsp->data,
--- /dev/null
+From 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Mon, 15 Mar 2010 14:12:58 -0700
+Subject: Bluetooth: Fix potential bad memory access with sysfs files
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+commit 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 upstream.
+
+When creating a high number of Bluetooth sockets (L2CAP, SCO
+and RFCOMM) it is possible to scribble repeatedly on arbitrary
+pages of memory. Ensure that the content of these sysfs files is
+always less than one page. Even if this means truncating. The
+files in question are scheduled to be moved over to debugfs in
+the future anyway.
+
+Based on initial patches from Neil Brown and Linus Torvalds
+
+Reported-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/l2cap.c | 10 +++++++++-
+ net/bluetooth/rfcomm/core.c | 13 ++++++++++++-
+ net/bluetooth/rfcomm/sock.c | 11 ++++++++++-
+ net/bluetooth/sco.c | 11 ++++++++++-
+ 4 files changed, 41 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -3885,16 +3885,24 @@ static ssize_t l2cap_sysfs_show(struct c
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&l2cap_sk_list.lock);
+
+ sk_for_each(sk, node, &l2cap_sk_list.head) {
+ struct l2cap_pinfo *pi = l2cap_pi(sk);
++ int len;
+
+- str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
++ len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
+ pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&l2cap_sk_list.lock);
+--- a/net/bluetooth/rfcomm/core.c
++++ b/net/bluetooth/rfcomm/core.c
+@@ -2096,6 +2096,7 @@ static ssize_t rfcomm_dlc_sysfs_show(str
+ struct rfcomm_session *s;
+ struct list_head *pp, *p;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ rfcomm_lock();
+
+@@ -2104,11 +2105,21 @@ static ssize_t rfcomm_dlc_sysfs_show(str
+ list_for_each(pp, &s->dlcs) {
+ struct sock *sk = s->sock->sk;
+ struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
++ int len;
+
+- str += sprintf(str, "%s %s %ld %d %d %d %d\n",
++ len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
++
++ if (size <= 0)
++ break;
+ }
+
+ rfcomm_unlock();
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -1065,13 +1065,22 @@ static ssize_t rfcomm_sock_sysfs_show(st
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&rfcomm_sk_list.lock);
+
+ sk_for_each(sk, node, &rfcomm_sk_list.head) {
+- str += sprintf(str, "%s %s %d %d\n",
++ int len;
++
++ len = snprintf(str, size, "%s %s %d %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state, rfcomm_pi(sk)->channel);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&rfcomm_sk_list.lock);
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -957,13 +957,22 @@ static ssize_t sco_sysfs_show(struct cla
+ struct sock *sk;
+ struct hlist_node *node;
+ char *str = buf;
++ int size = PAGE_SIZE;
+
+ read_lock_bh(&sco_sk_list.lock);
+
+ sk_for_each(sk, node, &sco_sk_list.head) {
+- str += sprintf(str, "%s %s %d\n",
++ int len;
++
++ len = snprintf(str, size, "%s %s %d\n",
+ batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
+ sk->sk_state);
++
++ size -= len;
++ if (size <= 0)
++ break;
++
++ str += len;
+ }
+
+ read_unlock_bh(&sco_sk_list.lock);
--- /dev/null
+From 720e7749279bde0d08684b1bb4e7a2eedeec6394 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Thu, 11 Mar 2010 12:24:45 -0500
+Subject: GFS2: Skip check for mandatory locks when unlocking
+
+From: Sachin Prabhu <sprabhu@redhat.com>
+
+commit 720e7749279bde0d08684b1bb4e7a2eedeec6394 upstream.
+
+gfs2_lock() will skip locks on file which have mode set to 02666. This is a problem in cases where the mode of the file is changed after a process has obtained a lock on the file. Such a lock will be skipped and will result in a BUG in locks_remove_flock().
+
+gfs2_lock() should skip the check for mandatory locks when unlocking a file.
+
+Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/gfs2/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -606,7 +606,7 @@ static int gfs2_lock(struct file *file,
+
+ if (!(fl->fl_flags & FL_POSIX))
+ return -ENOLCK;
+- if (__mandatory_lock(&ip->i_inode))
++ if (__mandatory_lock(&ip->i_inode) && fl->fl_type != F_UNLCK)
+ return -ENOLCK;
+
+ if (cmd == F_CANCELLK) {
--- /dev/null
+From 0a5a9c725512461d19397490f3adf29931dca1f2 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 9 Feb 2010 18:20:39 +0100
+Subject: quota: Fix warning when a delayed write happens before quota is enabled
+
+From: Jan Kara <jack@suse.cz>
+
+commit 0a5a9c725512461d19397490f3adf29931dca1f2 upstream.
+
+If a delayed-allocation write happens before quota is enabled, the
+kernel spits out a warning:
+WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112()
+
+because the fact that user has some delayed allocation is not recorded
+in quota structure.
+
+Make dquot_initialize() update amount of reserved space for user if it sees
+inode has some space reserved. Also make sure that reserved quota space does
+not go negative and we warn about the filesystem bug just once.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/quota/dquot.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -229,6 +229,8 @@ static struct hlist_head *dquot_hash;
+ struct dqstats dqstats;
+ EXPORT_SYMBOL(dqstats);
+
++static qsize_t inode_get_rsv_space(struct inode *inode);
++
+ static inline unsigned int
+ hashfn(const struct super_block *sb, unsigned int id, int type)
+ {
+@@ -820,11 +822,14 @@ static int dqinit_needed(struct inode *i
+ static void add_dquot_ref(struct super_block *sb, int type)
+ {
+ struct inode *inode, *old_inode = NULL;
++ int reserved = 0;
+
+ spin_lock(&inode_lock);
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW))
+ continue;
++ if (unlikely(inode_get_rsv_space(inode) > 0))
++ reserved = 1;
+ if (!atomic_read(&inode->i_writecount))
+ continue;
+ if (!dqinit_needed(inode, type))
+@@ -845,6 +850,12 @@ static void add_dquot_ref(struct super_b
+ }
+ spin_unlock(&inode_lock);
+ iput(old_inode);
++
++ if (reserved) {
++ printk(KERN_WARNING "VFS (%s): Writes happened before quota"
++ " was turned on thus quota information is probably "
++ "inconsistent. Please run quotacheck(8).\n", sb->s_id);
++ }
+ }
+
+ /*
+@@ -958,10 +969,12 @@ static inline void dquot_resv_space(stru
+ /*
+ * Claim reserved quota space
+ */
+-static void dquot_claim_reserved_space(struct dquot *dquot,
+- qsize_t number)
++static void dquot_claim_reserved_space(struct dquot *dquot, qsize_t number)
+ {
+- WARN_ON(dquot->dq_dqb.dqb_rsvspace < number);
++ if (dquot->dq_dqb.dqb_rsvspace < number) {
++ WARN_ON_ONCE(1);
++ number = dquot->dq_dqb.dqb_rsvspace;
++ }
+ dquot->dq_dqb.dqb_curspace += number;
+ dquot->dq_dqb.dqb_rsvspace -= number;
+ }
+@@ -969,7 +982,12 @@ static void dquot_claim_reserved_space(s
+ static inline
+ void dquot_free_reserved_space(struct dquot *dquot, qsize_t number)
+ {
+- dquot->dq_dqb.dqb_rsvspace -= number;
++ if (dquot->dq_dqb.dqb_rsvspace >= number)
++ dquot->dq_dqb.dqb_rsvspace -= number;
++ else {
++ WARN_ON_ONCE(1);
++ dquot->dq_dqb.dqb_rsvspace = 0;
++ }
+ }
+
+ static void dquot_decr_inodes(struct dquot *dquot, qsize_t number)
+@@ -1287,6 +1305,7 @@ static int info_bdq_free(struct dquot *d
+ return QUOTA_NL_BHARDBELOW;
+ return QUOTA_NL_NOWARN;
+ }
++
+ /*
+ * Initialize quota pointers in inode
+ * We do things in a bit complicated way but by that we avoid calling
+@@ -1298,6 +1317,7 @@ int dquot_initialize(struct inode *inode
+ int cnt, ret = 0;
+ struct dquot *got[MAXQUOTAS] = { NULL, NULL };
+ struct super_block *sb = inode->i_sb;
++ qsize_t rsv;
+
+ /* First test before acquiring mutex - solves deadlocks when we
+ * re-enter the quota code and are already holding the mutex */
+@@ -1332,6 +1352,13 @@ int dquot_initialize(struct inode *inode
+ if (!inode->i_dquot[cnt]) {
+ inode->i_dquot[cnt] = got[cnt];
+ got[cnt] = NULL;
++ /*
++ * Make quota reservation system happy if someone
++ * did a write before quota was turned on
++ */
++ rsv = inode_get_rsv_space(inode);
++ if (unlikely(rsv))
++ dquot_resv_space(inode->i_dquot[cnt], rsv);
+ }
+ }
+ out_err:
--- /dev/null
+From c469070aea5a0ada45a836937c776fd3083dae2b Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Tue, 9 Feb 2010 17:53:36 +0100
+Subject: quota: manage reserved space when quota is not active [v2]
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+commit c469070aea5a0ada45a836937c776fd3083dae2b upstream.
+
+Since we implemented generic reserved space management interface,
+then it is possible to account reserved space even when quota
+is not active (similar to i_blocks/i_bytes).
+
+Without this patch following testcase result in massive comlain from
+WARN_ON in dquot_claim_space()
+
+TEST_CASE:
+mount /dev/sdb /mnt -oquota
+dd if=/dev/zero of=/mnt/test bs=1M count=1
+quotaon /mnt
+# fs_reserved_spave == 1Mb
+# quota_reserved_space == 0, because quota was disabled
+dd if=/dev/zero of=/mnt/test seek=1 bs=1M count=1
+# fs_reserved_spave == 2Mb
+# quota_reserved_space == 1Mb
+sync # ->dquot_claim_space() -> WARN_ON
+
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/quota/dquot.c | 10 ++++++----
+ include/linux/quotaops.h | 11 +++++++++--
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -1399,28 +1399,30 @@ static qsize_t *inode_reserved_space(str
+ return inode->i_sb->dq_op->get_reserved_space(inode);
+ }
+
+-static void inode_add_rsv_space(struct inode *inode, qsize_t number)
++void inode_add_rsv_space(struct inode *inode, qsize_t number)
+ {
+ spin_lock(&inode->i_lock);
+ *inode_reserved_space(inode) += number;
+ spin_unlock(&inode->i_lock);
+ }
++EXPORT_SYMBOL(inode_add_rsv_space);
+
+-
+-static void inode_claim_rsv_space(struct inode *inode, qsize_t number)
++void inode_claim_rsv_space(struct inode *inode, qsize_t number)
+ {
+ spin_lock(&inode->i_lock);
+ *inode_reserved_space(inode) -= number;
+ __inode_add_bytes(inode, number);
+ spin_unlock(&inode->i_lock);
+ }
++EXPORT_SYMBOL(inode_claim_rsv_space);
+
+-static void inode_sub_rsv_space(struct inode *inode, qsize_t number)
++void inode_sub_rsv_space(struct inode *inode, qsize_t number)
+ {
+ spin_lock(&inode->i_lock);
+ *inode_reserved_space(inode) -= number;
+ spin_unlock(&inode->i_lock);
+ }
++EXPORT_SYMBOL(inode_sub_rsv_space);
+
+ static qsize_t inode_get_rsv_space(struct inode *inode)
+ {
+--- a/include/linux/quotaops.h
++++ b/include/linux/quotaops.h
+@@ -26,6 +26,10 @@ static inline void writeout_quota_sb(str
+ sb->s_qcop->quota_sync(sb, type);
+ }
+
++void inode_add_rsv_space(struct inode *inode, qsize_t number);
++void inode_claim_rsv_space(struct inode *inode, qsize_t number);
++void inode_sub_rsv_space(struct inode *inode, qsize_t number);
++
+ int dquot_initialize(struct inode *inode, int type);
+ int dquot_drop(struct inode *inode);
+ struct dquot *dqget(struct super_block *sb, unsigned int id, int type);
+@@ -42,7 +46,6 @@ int dquot_alloc_inode(const struct inode
+ int dquot_reserve_space(struct inode *inode, qsize_t number, int prealloc);
+ int dquot_claim_space(struct inode *inode, qsize_t number);
+ void dquot_release_reserved_space(struct inode *inode, qsize_t number);
+-qsize_t dquot_get_reserved_space(struct inode *inode);
+
+ int dquot_free_space(struct inode *inode, qsize_t number);
+ int dquot_free_inode(const struct inode *inode, qsize_t number);
+@@ -199,6 +202,8 @@ static inline int vfs_dq_reserve_space(s
+ if (inode->i_sb->dq_op->reserve_space(inode, nr, 0) == NO_QUOTA)
+ return 1;
+ }
++ else
++ inode_add_rsv_space(inode, nr);
+ return 0;
+ }
+
+@@ -221,7 +226,7 @@ static inline int vfs_dq_claim_space(str
+ if (inode->i_sb->dq_op->claim_space(inode, nr) == NO_QUOTA)
+ return 1;
+ } else
+- inode_add_bytes(inode, nr);
++ inode_claim_rsv_space(inode, nr);
+
+ mark_inode_dirty(inode);
+ return 0;
+@@ -235,6 +240,8 @@ void vfs_dq_release_reservation_space(st
+ {
+ if (sb_any_quota_active(inode->i_sb))
+ inode->i_sb->dq_op->release_rsv(inode, nr);
++ else
++ inode_sub_rsv_space(inode, nr);
+ }
+
+ static inline void vfs_dq_free_space_nodirty(struct inode *inode, qsize_t nr)
--- /dev/null
+From e1dcbab5755d0ffa32f8f6cbeb562c769872bd7c Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 5 Mar 2010 13:43:35 -0800
+Subject: s3cmci: initialize default platform data no_wprotect and no_detect with 1
+
+commit c212808a1ba6bfba489006399b8152a047305acf upstream.
+
+If no platform_data was givin to the device it's going to use it's default
+platform data struct which has all fields initialized to zero. As a
+result the driver is going to try to request gpio0 both as write protect
+and card detect pin. Which of course will fail and makes the driver
+unusable
+
+Previously to the introduction of no_wprotect and no_detect the behavior
+was to assume that if no platform data was given there is no write protect
+or card detect pin. This patch restores that behavior.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: Ben Dooks <ben-linux@fluff.org>
+Cc: <linux-mmc@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/mmc/host/s3cmci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/s3cmci.c
++++ b/drivers/mmc/host/s3cmci.c
+@@ -1361,6 +1361,8 @@ static struct mmc_host_ops s3cmci_ops =
+ static struct s3c24xx_mci_pdata s3cmci_def_pdata = {
+ /* This is currently here to avoid a number of if (host->pdata)
+ * checks. Any zero fields to ensure reaonable defaults are picked. */
++ .no_wprotect = 1,
++ .no_detect = 1,
+ };
+
+ #ifdef CONFIG_CPU_FREQ
ath9k-enable-ieee80211_hw_reports_tx_ack_status-flag-for-ath9k.patch
mac80211-reset-dynamic-ps-timer-in-rx-path.patch
leds-gpio-fix-default-state-handling-on-of-platforms.patch
+quota-manage-reserved-space-when-quota-is-not-active.patch
+quota-fix-warning-when-a-delayed-write-happens-before-quota-is-enabled.patch
+ahci-use-bios-date-in-broken_suspend-list.patch
+bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
+bluetooth-fix-kernel-crash-on-l2cap-stress-tests.patch
+sh-fix-zimage-boot-using-fixed-pmb.patch
+b43-workaround-circular-locking-in-hw-tkip-key-update-callback.patch
+block-backport-of-various-i-o-topology-fixes-from-2.6.33-and-2.6.34.patch
+s3cmci-initialize-default-platform-data-no_wprotect-and-no_detect-with-1.patch
+x86-fix-sched_clock_cpu-for-systems-with-unsynchronized-tsc.patch
+gfs2-skip-check-for-mandatory-locks-when-unlocking.patch
--- /dev/null
+From bf917b0f87eac066566345a845b8dc41c3daae71 Mon Sep 17 00:00:00 2001
+From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
+Date: Sat, 20 Mar 2010 16:42:54 +0900
+Subject: [PATCH] sh: Fix zImage boot using fixed PMB.
+
+commit 319c2cc761505ee54a9536c5d0b9c2ee3fb33866 upstream.
+
+Signed-off-by: Nobuhiro Iwamatsu <iwamatsu.nobuhiro@renesas.com>
+Signed-off-by: Yoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
+Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sh/boot/compressed/misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/boot/compressed/misc.c
++++ b/arch/sh/boot/compressed/misc.c
+@@ -132,7 +132,7 @@ void decompress_kernel(void)
+ output_addr = (CONFIG_MEMORY_START + 0x2000);
+ #else
+ output_addr = PHYSADDR((unsigned long)&_text+PAGE_SIZE);
+-#ifdef CONFIG_29BIT
++#if defined(CONFIG_29BIT) || defined(CONFIG_PMB_FIXED)
+ output_addr |= P2SEG;
+ #endif
+ #endif
--- /dev/null
+From 14be1f7454ea96ee614467a49cf018a1a383b189 Mon Sep 17 00:00:00 2001
+From: Dimitri Sivanich <sivanich@sgi.com>
+Date: Mon, 1 Mar 2010 11:48:15 -0600
+Subject: x86: Fix sched_clock_cpu for systems with unsynchronized TSC
+
+From: Dimitri Sivanich <sivanich@sgi.com>
+
+commit 14be1f7454ea96ee614467a49cf018a1a383b189 upstream.
+
+On UV systems, the TSC is not synchronized across blades. The
+sched_clock_cpu() function is returning values that can go
+backwards (I've seen as much as 8 seconds) when switching
+between cpus.
+
+As each cpu comes up, early_init_intel() will currently set the
+sched_clock_stable flag true. When mark_tsc_unstable() runs, it
+clears the flag, but this only occurs once (the first time a cpu
+comes up whose TSC is not synchronized with cpu 0). After this,
+early_init_intel() will set the flag again as the next cpu comes
+up.
+
+Only set sched_clock_stable if tsc has not been marked unstable.
+
+Signed-off-by: Dimitri Sivanich <sivanich@sgi.com>
+Acked-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+LKML-Reference: <20100301174815.GC8224@sgi.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -70,7 +70,8 @@ static void __cpuinit early_init_intel(s
+ if (c->x86_power & (1 << 8)) {
+ set_cpu_cap(c, X86_FEATURE_CONSTANT_TSC);
+ set_cpu_cap(c, X86_FEATURE_NONSTOP_TSC);
+- sched_clock_stable = 1;
++ if (!check_tsc_unstable())
++ sched_clock_stable = 1;
+ }
+
+ /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
