--- /dev/null
+From f62d816fc4324afbb7cf90110c70b6a14139b225 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Fri, 25 Mar 2011 17:43:41 +0100
+Subject: ath9k: fix a chip wakeup related crash in ath9k_start
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit f62d816fc4324afbb7cf90110c70b6a14139b225 upstream.
+
+When the chip is still asleep when ath9k_start is called,
+ath9k_hw_configpcipowersave can trigger a data bus error.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1063,6 +1063,8 @@ static int ath9k_start(struct ieee80211_
+ "Starting driver with initial channel: %d MHz\n",
+ curchan->center_freq);
+
++ ath9k_ps_wakeup(sc);
++
+ mutex_lock(&sc->mutex);
+
+ if (ath9k_wiphy_started(sc)) {
+@@ -1179,6 +1181,8 @@ static int ath9k_start(struct ieee80211_
+ mutex_unlock:
+ mutex_unlock(&sc->mutex);
+
++ ath9k_ps_restore(sc);
++
+ return r;
+ }
+
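Review bot: The new `ath9k_ps_wakeup(sc)` before `mutex_lock` is only balanced by the `ath9k_ps_restore(sc)` added after the `mutex_unlock:` label, so any path in ath9k_start that returns without passing through that label would leave the power-save reference held and the chip permanently awake. The body between the two hunks is not visible here, so confirm that every error path uses `goto mutex_unlock`. A short comment at the wakeup, for example `/* chip must be awake before ath9k_hw_configpcipowersave() touches registers */`, would also record why the pair exists.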
--- /dev/null
+From c85ce65ecac078ab1a1835c87c4a6319cf74660a Mon Sep 17 00:00:00 2001
+From: John W. Linville <linville@tuxdriver.com>
+Date: Wed, 30 Mar 2011 14:02:46 -0400
+Subject: b43: allocate receive buffers big enough for max frame len + offset
+
+From: John W. Linville <linville@tuxdriver.com>
+
+commit c85ce65ecac078ab1a1835c87c4a6319cf74660a upstream.
+
+Otherwise, skb_put inside of dma_rx can fail...
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=32042
+
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/b43/dma.c | 2 +-
+ drivers/net/wireless/b43/dma.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/b43/dma.c
++++ b/drivers/net/wireless/b43/dma.c
+@@ -1536,7 +1536,7 @@ static void dma_rx(struct b43_dmaring *r
+ dmaaddr = meta->dmaaddr;
+ goto drop_recycle_buffer;
+ }
+- if (unlikely(len > ring->rx_buffersize)) {
++ if (unlikely(len + ring->frameoffset > ring->rx_buffersize)) {
+ /* The data did not fit into one descriptor buffer
+ * and is split over multiple buffers.
+ * This should never happen, as we try to allocate buffers
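Review bot: The check `len + ring->frameoffset > ring->rx_buffersize` now treats `rx_buffersize` as "frame offset plus frame", but nothing in dma.c or at the `B43_DMA0_RX_BUFFERSIZE` define in dma.h states that contract. `len` comes from the device-written header, so the bound is the only thing keeping the later skb_put inside the allocation. Confirm that `len` counts everything the device writes after the offset, and record it at the define, e.g. `/* RX buffer = device RX header (frame offset) + largest 802.11 frame */`. The types of `len` and `frameoffset` are declared outside the hunk; if either is narrower than int, the sum should be checked for wrap as well. dma_rx continues outside the hunk.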
+--- a/drivers/net/wireless/b43/dma.h
++++ b/drivers/net/wireless/b43/dma.h
+@@ -163,7 +163,7 @@ struct b43_dmadesc_generic {
+ /* DMA engine tuning knobs */
+ #define B43_TXRING_SLOTS 256
+ #define B43_RXRING_SLOTS 64
+-#define B43_DMA0_RX_BUFFERSIZE IEEE80211_MAX_FRAME_LEN
++#define B43_DMA0_RX_BUFFERSIZE (B43_DMA0_RX_FRAMEOFFSET + IEEE80211_MAX_FRAME_LEN)
+
+ /* Pointer poison */
+ #define B43_DMA_PTR_POISON ((void *)ERR_PTR(-ENOMEM))
--- /dev/null
+From 63a8588debd4dc72becb9e27add9343c76301c7d Mon Sep 17 00:00:00 2001
+From: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+Date: Thu, 24 Mar 2011 14:51:21 -0300
+Subject: Bluetooth: add support for Apple MacBook Pro 8,2
+
+From: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+
+commit 63a8588debd4dc72becb9e27add9343c76301c7d upstream.
+
+Just adding the vendor details makes it work fine.
+
+Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -71,6 +71,9 @@ static struct usb_device_id btusb_table[
+ /* Apple MacBookAir3,1, MacBookAir3,2 */
+ { USB_DEVICE(0x05ac, 0x821b) },
+
++ /* Apple MacBookPro8,2 */
++ { USB_DEVICE(0x05ac, 0x821a) },
++
+ /* AVM BlueFRITZ! USB v2.0 */
+ { USB_DEVICE(0x057c, 0x3800) },
+
--- /dev/null
+From 43629f8f5ea32a998d06d1bb41eefa0e821ff573 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 13:54:31 +0300
+Subject: Bluetooth: bnep: fix buffer overflow
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.
+
+Struct ca is copied from userspace. It is not checked whether the "device"
+field is NULL terminated. This potentially leads to BUG() inside of
+alloc_netdev_mqs() and/or information leak by creating a device with a name
+made of contents of kernel stack.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/bnep/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket
+ sockfd_put(nsock);
+ return -EBADFD;
+ }
++ ca.device[sizeof(ca.device)-1] = 0;
+
+ err = bnep_add_connection(&ca, nsock);
+ if (!err) {
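Review bot: The added `ca.device[sizeof(ca.device)-1] = 0;` silently truncates a name that fills the whole field instead of rejecting the request, and the line carries no comment saying that `ca` came from userspace. A one-line comment such as `/* ca is user-supplied: device may arrive without a terminator */` would keep the store from being removed as redundant. Whether an unterminated name should instead fail with `-EINVAL` is worth deciding explicitly. The same applies to `tmp.name[sizeof(tmp.name) - 1] = 0;` in do_replace() in net/bridge/netfilter/ebtables.c, where a truncated name is presumably then used for a table lookup and module request. Other cases in bnep_sock_ioctl that copy a struct from userspace lie outside this hunk and should be checked for the same unterminated field.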
--- /dev/null
+From c4c896e1471aec3b004a693c689f60be3b17ac86 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 13:54:26 +0300
+Subject: Bluetooth: sco: fix information leak to userspace
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.
+
+struct sco_conninfo has one padding byte in the end. Local variable
+cinfo of type sco_conninfo is copied to userspace with this uninizialized
+one byte, leading to old stack contents leak.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bluetooth/sco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -703,6 +703,7 @@ static int sco_sock_getsockopt_old(struc
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+
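Review bot: The new `memset(&cinfo, 0, sizeof(cinfo));` has no comment, and because every named field is assigned right below it, it reads as redundant and is an easy target for a later cleanup that would reintroduce the padding leak. Add `/* clear struct padding before copy_to_user() */` above it. The following context line copies a hard-coded 3 bytes; `sizeof(cinfo.dev_class)` would tie the length to the destination field. sco_sock_getsockopt_old starts and ends outside the hunk, so the copy to userspace itself is not visible here.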
--- /dev/null
+From d846f71195d57b0bbb143382647c2c6638b04c5a Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 16:49:23 +0100
+Subject: bridge: netfilter: fix information leak
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.
+
+Struct tmp is copied from userspace. It is not checked whether the "name"
+field is NULL terminated. This may lead to buffer overflow and passing
+contents of kernel stack as a module name to try_then_request_module() and,
+consequently, to modprobe commandline. It would be seen by all userspace
+processes.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/netfilter/ebtables.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, c
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+
++ tmp.name[sizeof(tmp.name) - 1] = 0;
++
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+ newinfo = vmalloc(sizeof(*newinfo) + countersize);
+ if (!newinfo)
--- /dev/null
+From 08fe4db170b4193603d9d31f40ebaf652d07ac9c Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Mon, 28 Mar 2011 02:01:25 +0000
+Subject: Btrfs: Fix uninitialized root flags for subvolumes
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+commit 08fe4db170b4193603d9d31f40ebaf652d07ac9c upstream.
+
+root_item->flags and root_item->byte_limit are not initialized when
+a subvolume is created. This bug is not revealed until we added
+readonly snapshot support - now you mount a btrfs filesystem and you
+may find the subvolumes in it are readonly.
+
+To work around this problem, we steal a bit from root_item->inode_item->flags,
+and use it to indicate if those fields have been properly initialized.
+When we read a tree root from disk, we check if the bit is set, and if
+not we'll set the flag and initialize the two fields of the root item.
+
+Reported-by: Andreas Philipp <philipp.andreas@gmail.com>
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Tested-by: Andreas Philipp <philipp.andreas@gmail.com>
+Signed-off-by: Chris Mason <chris.mason@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/btrfs/ctree.h | 4 ++++
+ fs/btrfs/disk-io.c | 4 +++-
+ fs/btrfs/ioctl.c | 4 ++++
+ fs/btrfs/root-tree.c | 18 ++++++++++++++++++
+ fs/btrfs/transaction.c | 1 +
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1284,6 +1284,8 @@ struct btrfs_root {
+ #define BTRFS_INODE_NOATIME (1 << 9)
+ #define BTRFS_INODE_DIRSYNC (1 << 10)
+
++#define BTRFS_INODE_ROOT_ITEM_INIT (1 << 31)
++
+ /* some macros to generate set/get funcs for the struct fields. This
+ * assumes there is a lefoo_to_cpu for every type, so lets make a simple
+ * one for u8:
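Review bot: `BTRFS_INODE_ROOT_ITEM_INIT` is defined as `(1 << 31)`, a shift of a signed int into its sign bit, and both users treat it as a 64-bit flag. With the usual 32-bit int the value is negative, so `inode_flags |= BTRFS_INODE_ROOT_ITEM_INIT` in root-tree.c and `cpu_to_le64(BTRFS_INODE_ROOT_ITEM_INIT)` in ioctl.c sign-extend it and set bits 32-63 of the on-disk inode flags along with bit 31. Define it with an unsigned 64-bit constant, `#define BTRFS_INODE_ROOT_ITEM_INIT (1ULL << 31)`, so only the one stolen bit is written. A comment at the define noting that the bit marks "root_item flags/byte_limit initialised" and is not a real inode flag would also help, since it sits directly under the genuine `BTRFS_INODE_*` flags.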
+@@ -2355,6 +2357,8 @@ int btrfs_find_dead_roots(struct btrfs_r
+ int btrfs_find_orphan_roots(struct btrfs_root *tree_root);
+ int btrfs_set_root_node(struct btrfs_root_item *item,
+ struct extent_buffer *node);
++void btrfs_check_and_init_root_item(struct btrfs_root_item *item);
++
+ /* dir-item.c */
+ int btrfs_insert_dir_item(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root, const char *name,
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1184,8 +1184,10 @@ struct btrfs_root *btrfs_read_fs_root_no
+ root->commit_root = btrfs_root_node(root);
+ BUG_ON(!root->node);
+ out:
+- if (location->objectid != BTRFS_TREE_LOG_OBJECTID)
++ if (location->objectid != BTRFS_TREE_LOG_OBJECTID) {
+ root->ref_cows = 1;
++ btrfs_check_and_init_root_item(&root->root_item);
++ }
+
+ return root;
+ }
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -294,6 +294,10 @@ static noinline int create_subvol(struct
+ inode_item->nbytes = cpu_to_le64(root->leafsize);
+ inode_item->mode = cpu_to_le32(S_IFDIR | 0755);
+
++ root_item.flags = 0;
++ root_item.byte_limit = 0;
++ inode_item->flags = cpu_to_le64(BTRFS_INODE_ROOT_ITEM_INIT);
++
+ btrfs_set_root_bytenr(&root_item, leaf->start);
+ btrfs_set_root_generation(&root_item, trans->transid);
+ btrfs_set_root_level(&root_item, 0);
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -471,3 +471,21 @@ again:
+ btrfs_free_path(path);
+ return 0;
+ }
++
++/*
++ * Old btrfs forgets to init root_item->flags and root_item->byte_limit
++ * for subvolumes. To work around this problem, we steal a bit from
++ * root_item->inode_item->flags, and use it to indicate if those fields
++ * have been properly initialized.
++ */
++void btrfs_check_and_init_root_item(struct btrfs_root_item *root_item)
++{
++ u64 inode_flags = le64_to_cpu(root_item->inode.flags);
++
++ if (!(inode_flags & BTRFS_INODE_ROOT_ITEM_INIT)) {
++ inode_flags |= BTRFS_INODE_ROOT_ITEM_INIT;
++ root_item->inode.flags = cpu_to_le64(inode_flags);
++ root_item->flags = 0;
++ root_item->byte_limit = 0;
++ }
++}
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -970,6 +970,7 @@ static noinline int create_pending_snaps
+ record_root_in_trans(trans, root);
+ btrfs_set_root_last_snapshot(&root->root_item, trans->transid);
+ memcpy(new_root_item, &root->root_item, sizeof(*new_root_item));
++ btrfs_check_and_init_root_item(new_root_item);
+
+ root_flags = btrfs_root_flags(new_root_item);
+ if (pending->readonly)
--- /dev/null
+From 708748670c7c6dd5bd3b141473086e6937e72737 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@novell.com>
+Date: Thu, 31 Mar 2011 00:01:58 -0700
+Subject: Input: synaptics - fix crash in synaptics_module_init()
+
+From: Jan Beulich <JBeulich@novell.com>
+
+commit 708748670c7c6dd5bd3b141473086e6937e72737 upstream.
+
+'struct dmi_system_id' arrays must always have a terminator to keep
+dmi_check_system() from looking at data (and possibly crashing) it
+isn't supposed to look at.
+
+The issue went unnoticed until ef8313bb1a22e7d2125d9d758aa8a81f1de91d81,
+but was introduced about a year earlier with
+7705d548cbe33f18ea7713b9a07aa11047aaeca4 (which also similarly changed
+lifebook.c, but the problem there got eliminated shortly afterwards).
+
+The first hunk therefore is a stable candidate back to 2.6.33, while
+the full change is needed only on 2.6.38.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -836,8 +836,8 @@ static const struct dmi_system_id __init
+ },
+
+ },
+- { }
+ #endif
++ { }
+ };
+
+ static bool broken_olpc_ec;
+@@ -851,8 +851,8 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "XO"),
+ },
+ },
+- { }
+ #endif
++ { }
+ };
+
+ void __init synaptics_module_init(void)
--- /dev/null
+From 3d7dc7e8c1566acb0fc55df228b2ed91f5638e9d Mon Sep 17 00:00:00 2001
+From: John W. Linville <linville@tuxdriver.com>
+Date: Mon, 4 Apr 2011 13:18:44 -0400
+Subject: iwlwifi: accept EEPROM version 0x423 for iwl6000
+
+From: John W. Linville <linville@tuxdriver.com>
+
+commit 3d7dc7e8c1566acb0fc55df228b2ed91f5638e9d upstream.
+
+A number of these devices have appeared "in the wild", and apparently
+the Windows driver is perfectly happy to support this EEPROM version.
+
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-eeprom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-eeprom.h
++++ b/drivers/net/wireless/iwlwifi/iwl-eeprom.h
+@@ -241,7 +241,7 @@ struct iwl_eeprom_enhanced_txpwr {
+
+ /* 6x00 Specific */
+ #define EEPROM_6000_TX_POWER_VERSION (4)
+-#define EEPROM_6000_EEPROM_VERSION (0x434)
++#define EEPROM_6000_EEPROM_VERSION (0x423)
+
+ /* 6x50 Specific */
+ #define EEPROM_6050_TX_POWER_VERSION (4)
--- /dev/null
+From 4dc217df68a17a57f8464c74c1b4785e40bddf77 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Fri, 25 Mar 2011 15:30:38 +0100
+Subject: mac80211: fix a crash in minstrel_ht in HT mode with no supported MCS rates
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 4dc217df68a17a57f8464c74c1b4785e40bddf77 upstream.
+
+When a client connects in HT mode but does not provide any valid MCS
+rates, the function that finds the next sample rate gets stuck in an
+infinite loop.
+Fix this by falling back to legacy rates if no usable MCS rates are found.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rc80211_minstrel_ht.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -639,18 +639,14 @@ minstrel_ht_update_caps(void *priv, stru
+ struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;
+ struct ieee80211_local *local = hw_to_local(mp->hw);
+ u16 sta_cap = sta->ht_cap.cap;
++ int n_supported = 0;
+ int ack_dur;
+ int stbc;
+ int i;
+
+ /* fall back to the old minstrel for legacy stations */
+- if (!sta->ht_cap.ht_supported) {
+- msp->is_ht = false;
+- memset(&msp->legacy, 0, sizeof(msp->legacy));
+- msp->legacy.r = msp->ratelist;
+- msp->legacy.sample_table = msp->sample_table;
+- return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
+- }
++ if (!sta->ht_cap.ht_supported)
++ goto use_legacy;
+
+ BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=
+ MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS);
+@@ -705,7 +701,22 @@ minstrel_ht_update_caps(void *priv, stru
+
+ mi->groups[i].supported =
+ mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];
++
++ if (mi->groups[i].supported)
++ n_supported++;
+ }
++
++ if (!n_supported)
++ goto use_legacy;
++
++ return;
++
++use_legacy:
++ msp->is_ht = false;
++ memset(&msp->legacy, 0, sizeof(msp->legacy));
++ msp->legacy.r = msp->ratelist;
++ msp->legacy.sample_table = msp->sample_table;
++ return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
+ }
+
+ static void
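Review bot: The `use_legacy:` tail ends with `return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);` in a function that also uses a bare `return;` a few lines above, so it returns an expression from a void function, which ISO C does not allow even though GCC accepts it. Writing the call as a plain statement, `mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);`, as the last line before the closing brace avoids that. `n_supported` is only ever tested for zero, so a `bool` would state the intent better than a counter. A comment at the label, e.g. `/* no usable MCS group: sampling would never terminate, use legacy rates */`, would record why the fallback exists. The loop that fills `mi->groups[i].supported` starts outside the hunk.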
--- /dev/null
+From 1b149bbe9156d2eb2afd5a072bd61ad0d4bfaca7 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <randy.dunlap@oracle.com>
+Date: Sun, 27 Feb 2011 14:51:54 -0300
+Subject: [media] media/radio/wl1273: fix build errors
+
+From: Randy Dunlap <randy.dunlap@oracle.com>
+
+commit 1b149bbe9156d2eb2afd5a072bd61ad0d4bfaca7 upstream.
+
+RADIO_WL1273 needs to make sure that the mfd core is built to avoid
+build errors:
+
+ERROR: "mfd_add_devices" [drivers/mfd/wl1273-core.ko] undefined!
+ERROR: "mfd_remove_devices" [drivers/mfd/wl1273-core.ko] undefined!
+
+Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
+Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Cc: Mike Frysinger <vapier.adi@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/radio/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/radio/Kconfig
++++ b/drivers/media/radio/Kconfig
+@@ -441,6 +441,7 @@ config RADIO_TIMBERDALE
+ config RADIO_WL1273
+ tristate "Texas Instruments WL1273 I2C FM Radio"
+ depends on I2C && VIDEO_V4L2
++ select MFD_CORE
+ select MFD_WL1273_CORE
+ select FW_LOADER
+ ---help---
--- /dev/null
+From 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 7 Apr 2011 07:35:50 -0700
+Subject: mm: avoid wrapping vm_pgoff in mremap()
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream.
+
+The normal mmap paths all avoid creating a mapping where the pgoff
+inside the mapping could wrap around due to overflow. However, an
+expanding mremap() can take such a non-wrapping mapping and make it
+bigger and cause a wrapping condition.
+
+Noticed by Robert Swiecki when running a system call fuzzer, where it
+caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A
+vma dumping patch by Hugh then pinpointed the crazy wrapped case.
+
+Reported-and-tested-by: Robert Swiecki <robert@swiecki.net>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mremap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -277,9 +277,16 @@ static struct vm_area_struct *vma_to_res
+ if (old_len > vma->vm_end - addr)
+ goto Efault;
+
+- if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
+- if (new_len > old_len)
++ /* Need to be careful about a growing mapping */
++ if (new_len > old_len) {
++ unsigned long pgoff;
++
++ if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
+ goto Efault;
++ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ pgoff += vma->vm_pgoff;
++ if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
++ goto Einval;
+ }
+
+ if (vma->vm_flags & VM_LOCKED) {
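Review bot: The comment `/* Need to be careful about a growing mapping */` does not say what the danger is, and the wrap test `pgoff + (new_len >> PAGE_SHIFT) < pgoff` is easy to misread as dead code. Something like `/* a growing mapping must not let vm_pgoff + length in pages wrap around */` placed above the `pgoff` computation would make the invariant explicit. The test also assumes `new_len` is already page-aligned, because a partial trailing page would be dropped by the shift; that alignment is presumably done by the caller, outside this hunk. The `Einval` label is likewise outside the hunk.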
--- /dev/null
+From 220107610c7c2c9703e09eb363e8ab31025b9315 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Sat, 2 Apr 2011 11:31:29 +0200
+Subject: p54usb: IDs for two new devices
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+commit 220107610c7c2c9703e09eb363e8ab31025b9315 upstream.
+
+Reported-by: Mark Davis [via p54/devices wiki]
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/p54/p54usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/p54/p54usb.c
++++ b/drivers/net/wireless/p54/p54usb.c
+@@ -56,6 +56,7 @@ static struct usb_device_id p54u_table[]
+ {USB_DEVICE(0x0846, 0x4210)}, /* Netgear WG121 the second ? */
+ {USB_DEVICE(0x0846, 0x4220)}, /* Netgear WG111 */
+ {USB_DEVICE(0x09aa, 0x1000)}, /* Spinnaker Proto board */
++ {USB_DEVICE(0x0bf8, 0x1007)}, /* Fujitsu E-5400 USB */
+ {USB_DEVICE(0x0cde, 0x0006)}, /* Medion 40900, Roper Europe */
+ {USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */
+ {USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */
+@@ -68,6 +69,7 @@ static struct usb_device_id p54u_table[]
+ {USB_DEVICE(0x1915, 0x2235)}, /* Linksys WUSB54G Portable OEM */
+ {USB_DEVICE(0x2001, 0x3701)}, /* DLink DWL-G120 Spinnaker */
+ {USB_DEVICE(0x2001, 0x3703)}, /* DLink DWL-G122 */
++ {USB_DEVICE(0x2001, 0x3762)}, /* Conceptronic C54U */
+ {USB_DEVICE(0x5041, 0x2234)}, /* Linksys WUSB54G */
+ {USB_DEVICE(0x5041, 0x2235)}, /* Linksys WUSB54G Portable */
+
--- /dev/null
+From b03f24567ce7caf2420b8be4c6eb74c191d59a91 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 31 Mar 2011 18:36:52 +0200
+Subject: quota: Don't write quota info in dquot_commit()
+
+From: Jan Kara <jack@suse.cz>
+
+commit b03f24567ce7caf2420b8be4c6eb74c191d59a91 upstream.
+
+There's no reason to write quota info in dquot_commit(). The writing is a
+relict from the old days when we didn't have dquot_acquire() and
+dquot_release() and thus dquot_commit() could have created / removed quota
+structures from the file. These days dquot_commit() only updates usage counters
+/ limits in quota structure and thus there's no need to write quota info.
+
+This also fixes an issue with journaling filesystem which didn't reserve
+enough space in the transaction for write of quota info (it could have been
+dirty at the time of dquot_commit() because of a race with other operation
+changing it).
+
+Reported-and-tested-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/quota/dquot.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -442,7 +442,7 @@ EXPORT_SYMBOL(dquot_acquire);
+ */
+ int dquot_commit(struct dquot *dquot)
+ {
+- int ret = 0, ret2 = 0;
++ int ret = 0;
+ struct quota_info *dqopt = sb_dqopt(dquot->dq_sb);
+
+ mutex_lock(&dqopt->dqio_mutex);
+@@ -454,15 +454,10 @@ int dquot_commit(struct dquot *dquot)
+ spin_unlock(&dq_list_lock);
+ /* Inactive dquot can be only if there was error during read/init
+ * => we have better not writing it */
+- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
++ if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
+ ret = dqopt->ops[dquot->dq_type]->commit_dqblk(dquot);
+- if (info_dirty(&dqopt->info[dquot->dq_type])) {
+- ret2 = dqopt->ops[dquot->dq_type]->write_file_info(
+- dquot->dq_sb, dquot->dq_type);
+- }
+- if (ret >= 0)
+- ret = ret2;
+- }
++ else
++ ret = -EIO;
+ out_sem:
+ mutex_unlock(&dqopt->dqio_mutex);
+ return ret;
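Review bot: The new `else ret = -EIO;` branch changes what dquot_commit returns for an inactive dquot from 0 to an error, and the commit description only discusses dropping the `write_file_info` call. The existing comment above the test says only that an inactive dquot is better not written, so the new error return is undocumented; extend it with something like `/* ... => do not write it and report -EIO to the caller */`. Callers that previously saw success for this case should be checked, since a journalling filesystem may now abort a transaction on the new error. The start of dquot_commit's locked section lies between the two hunks and is not visible here.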
--- /dev/null
+From 0867659fa3c245bf203d837a82e0f6ea5079c2c5 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed, 6 Apr 2011 10:13:32 -0700
+Subject: Revert "net/sunrpc: Use static const char arrays"
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 0867659fa3c245bf203d837a82e0f6ea5079c2c5 upstream.
+
+This reverts commit 411b5e05617593efebc06241dbc56f42150f2abe.
+
+Olga Kornievskaia reports:
+
+Problem: linux client mounting linux server using rc4-hmac-md5
+enctype. gssd fails with create a context after receiving a reply from
+the server.
+
+Diagnose: putting printout statements in the server kernel and
+kerberos libraries revealed that client and server derived different
+integrity keys.
+
+Server kernel code was at fault due the the commit
+
+[aglo@skydive linux-pnfs]$ git show 411b5e05617593efebc06241dbc56f42150f2abe
+
+Trond: The problem is that since it relies on virt_to_page(), you cannot
+call sg_set_buf() for data in the const section.
+
+Reported-by: Olga Kornievskaia <aglo@citi.umich.edu>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/auth_gss/gss_krb5_mech.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
++++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
+@@ -427,7 +427,7 @@ static int
+ context_derive_keys_rc4(struct krb5_ctx *ctx)
+ {
+ struct crypto_hash *hmac;
+- static const char sigkeyconstant[] = "signaturekey";
++ char sigkeyconstant[] = "signaturekey";
+ int slen = strlen(sigkeyconstant) + 1; /* include null terminator */
+ struct hash_desc desc;
+ struct scatterlist sg[1];
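Review bot: `char sigkeyconstant[] = "signaturekey";` looks like a missed `static const` and is likely to be "fixed" again, which, per the commit description, silently produces wrong integrity keys because `sg_set_buf()` cannot take data from the const section. Put the reason at the declaration: `/* must stay a writable, non-static array: passed to sg_set_buf(), which relies on virt_to_page() */`. Since the failure mode was a key mismatch rather than a crash, a regression here is not self-announcing. context_derive_keys_rc4 continues outside the hunk.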
--- /dev/null
+From be20250c13f88375345ad99950190685eda51eb8 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 19 Mar 2011 20:43:43 +0000
+Subject: ROSE: prevent heap corruption with bad facilities
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit be20250c13f88375345ad99950190685eda51eb8 upstream.
+
+When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
+a remote host to provide more digipeaters than expected, resulting in
+heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
+abort facilities parsing on failure.
+
+Additionally, when parsing the FAC_CCITT_DEST_NSAP and
+FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
+of less than 10, resulting in an underflow in a memcpy size, causing a
+kernel panic due to massive heap corruption. A length of greater than
+20 results in a stack overflow of the callsign array. Abort facilities
+parsing on these invalid length values.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rose/rose_subr.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -290,10 +290,15 @@ static int rose_parse_national(unsigned
+ facilities->source_ndigis = 0;
+ facilities->dest_ndigis = 0;
+ for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
+- if (pt[6] & AX25_HBIT)
++ if (pt[6] & AX25_HBIT) {
++ if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
++ return -1;
+ memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
+- else
++ } else {
++ if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
++ return -1;
+ memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
++ }
+ }
+ }
+ p += l + 2;
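Review bot: The new `ROSE_MAX_DIGIS` checks bound the two destination arrays, but the loop still trusts the packet-supplied `l` on the read side: it steps in units of `AX25_ADDR_LEN` while `lg < l`, and each iteration reads `pt[6]` and copies `AX25_ADDR_LEN` bytes. A length that is not a multiple of `AX25_ADDR_LEN` therefore makes the last iteration read past the field, which `if (l % AX25_ADDR_LEN) return -1;` before the loop would reject. Whether `l + 2` is compared with the remaining buffer length anywhere is not visible in this hunk; if it is not, that check is needed as well. The same remaining-length question applies to `l = p[1]` in the rose_parse_ccitt hunk.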
+@@ -333,6 +338,11 @@ static int rose_parse_ccitt(unsigned cha
+
+ case 0xC0:
+ l = p[1];
++
++ /* Prevent overflows*/
++ if (l < 10 || l > 20)
++ return -1;
++
+ if (*p == FAC_CCITT_DEST_NSAP) {
+ memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
+ memcpy(callsign, p + 12, l - 10);
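Review bot: The bounds in `if (l < 10 || l > 20)` are bare numbers and the comment `/* Prevent overflows*/` does not say which copy they protect. The lower bound exists because `l - 10` is used as a memcpy length and the upper bound because the destination is the local `callsign` array, so a comment such as `/* l - 10 bytes go into callsign: reject underflow and overrun */` would tie them to the code. Deriving the upper limit from `sizeof(callsign)` would be better still, but the array's declaration is outside the hunk, so the relation between 20 and its size cannot be confirmed from here.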
+@@ -373,12 +383,16 @@ int rose_parse_facilities(unsigned char
+ switch (*p) {
+ case FAC_NATIONAL: /* National */
+ len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++ if (len < 0)
++ return 0;
+ facilities_len -= len + 1;
+ p += len + 1;
+ break;
+
+ case FAC_CCITT: /* CCITT */
+ len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++ if (len < 0)
++ return 0;
+ facilities_len -= len + 1;
+ p += len + 1;
+ break;
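Review bot: Both new `if (len < 0) return 0;` exits rely on callers treating a 0 return from rose_parse_facilities as "facilities invalid, drop the request", but nothing here documents that and the function's normal return value is outside the hunk. If any caller ignores the result, it continues with a partially filled `facilities` struct. State the contract in the function's header comment and confirm each call site checks it. Separately, `facilities_len -= len + 1` still trusts a non-negative `len` from the sub-parser to be no larger than what remains; a guard on that subtraction would stop the loop from running on a wrapped or negative length, depending on the type of `facilities_len` declared outside the hunk.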
--- /dev/null
+From 37f4ee0b6b39640828dac5937a482c20e8ac794f Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Mon, 4 Apr 2011 13:50:32 +0200
+Subject: rt2x00: fix cancelling uninitialized work
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 37f4ee0b6b39640828dac5937a482c20e8ac794f upstream.
+
+{rx,tx}done_work's are only initialized for usb devices.
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
+@@ -1031,8 +1031,10 @@ void rt2x00lib_remove_dev(struct rt2x00_
+ * Stop all work.
+ */
+ cancel_work_sync(&rt2x00dev->intf_work);
+- cancel_work_sync(&rt2x00dev->rxdone_work);
+- cancel_work_sync(&rt2x00dev->txdone_work);
++ if (rt2x00_is_usb(rt2x00dev)) {
++ cancel_work_sync(&rt2x00dev->rxdone_work);
++ cancel_work_sync(&rt2x00dev->txdone_work);
++ }
+
+ /*
+ * Free the tx status fifo.
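Review bot: The `rt2x00_is_usb()` guard around the two `cancel_work_sync()` calls mirrors an initialisation condition that lives elsewhere in the driver, and nothing at this site says so. If another bus type later starts initialising `rxdone_work`/`txdone_work`, this teardown will quietly skip them. Add `/* rxdone_work and txdone_work are only initialised for USB devices */` above the `if`. Alternatively, initialising both work items unconditionally at probe would remove the need for the guard. rt2x00lib_remove_dev continues outside the hunk.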
--- /dev/null
+From 7f6e144fb99a4a70d3c5ad5f074204c5b89a6f65 Mon Sep 17 00:00:00 2001
+From: RA-Jay Hung <jay_hung@ralinktech.com>
+Date: Mon, 10 Jan 2011 11:27:43 +0100
+Subject: rt2x00: Fix radio off hang issue for PCIE interface
+
+From: RA-Jay Hung <jay_hung@ralinktech.com>
+
+commit 7f6e144fb99a4a70d3c5ad5f074204c5b89a6f65 upstream.
+
+PCI/PCIE radio off behavior is different from SOC/USB.
+They mainly use MCU command to disable DMA, TX/RX and enter power saving mode.
+
+Signed-off-by: RA-Jay Hung <jay_hung@ralinktech.com>
+Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c | 6 -----
+ drivers/net/wireless/rt2x00/rt2800pci.c | 36 ++++++++------------------------
+ 2 files changed, 10 insertions(+), 32 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -2810,10 +2810,7 @@ void rt2800_disable_radio(struct rt2x00_
+
+ rt2800_register_read(rt2x00dev, WPDMA_GLO_CFG, ®);
+ rt2x00_set_field32(®, WPDMA_GLO_CFG_ENABLE_TX_DMA, 0);
+- rt2x00_set_field32(®, WPDMA_GLO_CFG_TX_DMA_BUSY, 0);
+ rt2x00_set_field32(®, WPDMA_GLO_CFG_ENABLE_RX_DMA, 0);
+- rt2x00_set_field32(®, WPDMA_GLO_CFG_RX_DMA_BUSY, 0);
+- rt2x00_set_field32(®, WPDMA_GLO_CFG_TX_WRITEBACK_DONE, 1);
+ rt2800_register_write(rt2x00dev, WPDMA_GLO_CFG, reg);
+
+ /* Wait for DMA, ignore error */
+@@ -2823,9 +2820,6 @@ void rt2800_disable_radio(struct rt2x00_
+ rt2x00_set_field32(®, MAC_SYS_CTRL_ENABLE_TX, 0);
+ rt2x00_set_field32(®, MAC_SYS_CTRL_ENABLE_RX, 0);
+ rt2800_register_write(rt2x00dev, MAC_SYS_CTRL, reg);
+-
+- rt2800_register_write(rt2x00dev, PWR_PIN_CFG, 0);
+- rt2800_register_write(rt2x00dev, TX_PIN_CFG, 0);
+ }
+ EXPORT_SYMBOL_GPL(rt2800_disable_radio);
+
+--- a/drivers/net/wireless/rt2x00/rt2800pci.c
++++ b/drivers/net/wireless/rt2x00/rt2800pci.c
+@@ -475,39 +475,23 @@ static int rt2800pci_enable_radio(struct
+
+ static void rt2800pci_disable_radio(struct rt2x00_dev *rt2x00dev)
+ {
+- u32 reg;
+-
+- rt2800_disable_radio(rt2x00dev);
+-
+- rt2800_register_write(rt2x00dev, PBF_SYS_CTRL, 0x00001280);
+-
+- rt2800_register_read(rt2x00dev, WPDMA_RST_IDX, ®);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DTX_IDX0, 1);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DTX_IDX1, 1);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DTX_IDX2, 1);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DTX_IDX3, 1);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DTX_IDX4, 1);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DTX_IDX5, 1);
+- rt2x00_set_field32(®, WPDMA_RST_IDX_DRX_IDX0, 1);
+- rt2800_register_write(rt2x00dev, WPDMA_RST_IDX, reg);
+-
+- rt2800_register_write(rt2x00dev, PBF_SYS_CTRL, 0x00000e1f);
+- rt2800_register_write(rt2x00dev, PBF_SYS_CTRL, 0x00000e00);
++ if (rt2x00_is_soc(rt2x00dev)) {
++ rt2800_disable_radio(rt2x00dev);
++ rt2800_register_write(rt2x00dev, PWR_PIN_CFG, 0);
++ rt2800_register_write(rt2x00dev, TX_PIN_CFG, 0);
++ }
+ }
+
+ static int rt2800pci_set_state(struct rt2x00_dev *rt2x00dev,
+ enum dev_state state)
+ {
+- /*
+- * Always put the device to sleep (even when we intend to wakeup!)
+- * if the device is booting and wasn't asleep it will return
+- * failure when attempting to wakeup.
+- */
+- rt2800_mcu_request(rt2x00dev, MCU_SLEEP, 0xff, 0xff, 2);
+-
+ if (state == STATE_AWAKE) {
+- rt2800_mcu_request(rt2x00dev, MCU_WAKEUP, TOKEN_WAKUP, 0, 0);
++ rt2800_mcu_request(rt2x00dev, MCU_WAKEUP, TOKEN_WAKUP, 0, 0x02);
+ rt2800pci_mcu_status(rt2x00dev, TOKEN_WAKUP);
++ } else if (state == STATE_SLEEP) {
++ rt2800_register_write(rt2x00dev, H2M_MAILBOX_STATUS, 0xffffffff);
++ rt2800_register_write(rt2x00dev, H2M_MAILBOX_CID, 0xffffffff);
++ rt2800_mcu_request(rt2x00dev, MCU_SLEEP, 0x01, 0xff, 0x01);
+ }
+
+ return 0;
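Review bot: `rt2800pci_disable_radio()` now does nothing unless `rt2x00_is_soc()` is true, and the hunk has no comment saying why other devices skip `rt2800_disable_radio()` and the `WPDMA_RST_IDX` reset that used to run here. A short comment above the `if` stating how non-SoC devices are meant to be quiesced (presumably through the `STATE_SLEEP` branch of `rt2800pci_set_state()`, which the hunk alone does not confirm) would keep a later cleanup from restoring the removed sequence. The new `STATE_SLEEP` branch also writes `0xffffffff` to `H2M_MAILBOX_STATUS` and `H2M_MAILBOX_CID` and passes bare `0x01`/`0x02` arguments to `rt2800_mcu_request()` without explanation, while the comment documenting the old sleep-first behaviour is dropped. `rt2800pci_set_state()` continues past the end of the hunk.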
hid-hid-magicmouse-increase-evdev-buffer-size.patch
perf-fix-task_struct-reference-leak.patch
perf-rebase-max-unprivileged-mlock-threshold-on-top-of-page-size.patch
+rose-prevent-heap-corruption-with-bad-facilities.patch
+btrfs-fix-uninitialized-root-flags-for-subvolumes.patch
+x86-mtrr-pat-fix-one-cpu-getting-out-of-sync-during-resume.patch
+input-synaptics-fix-crash-in-synaptics_module_init.patch
+ath9k-fix-a-chip-wakeup-related-crash-in-ath9k_start.patch
+mac80211-fix-a-crash-in-minstrel_ht-in-ht-mode-with-no-supported-mcs-rates.patch
+staging-iio-imu-adis16400-fix-up-spi-messages-cs_change-behavior.patch
+staging-iio-imu-adis16400-add-delay-after-self-test.patch
+staging-iio-imu-adis16400-fix-addresses-of-gyro-and-accel-calibration-offset.patch
+staging-iio-imu-adis16400-make-sure-only-enabled-scan_elements-are-pushed-into-the-ring.patch
+ubifs-do-not-read-flash-unnecessarily.patch
+ubifs-fix-oops-on-error-path-in-read_pnode.patch
+ubifs-fix-debugging-failure-in-dbg_check_space_info.patch
+quota-don-t-write-quota-info-in-dquot_commit.patch
+mm-avoid-wrapping-vm_pgoff-in-mremap.patch
+revert-net-sunrpc-use-static-const-char-arrays.patch
+iwlwifi-accept-eeprom-version-0x423-for-iwl6000.patch
+p54usb-ids-for-two-new-devices.patch
+rt2x00-fix-radio-off-hang-issue-for-pcie-interface.patch
+rt2x00-fix-cancelling-uninitialized-work.patch
+wl12xx-fix-potential-buffer-overflow-in-testmode-nvs-push.patch
+media-radio-wl1273-fix-build-errors.patch
+b43-allocate-receive-buffers-big-enough-for-max-frame-len-offset.patch
+bluetooth-sco-fix-information-leak-to-userspace.patch
+bridge-netfilter-fix-information-leak.patch
+bluetooth-bnep-fix-buffer-overflow.patch
+bluetooth-add-support-for-apple-macbook-pro-8-2.patch
--- /dev/null
+From c59c95ce6ace6d256401fc3a3648a95375ef4e63 Mon Sep 17 00:00:00 2001
+From: Michael Hennerich <michael.hennerich@analog.com>
+Date: Mon, 21 Mar 2011 16:44:36 +0100
+Subject: staging: IIO: IMU: ADIS16400: Add delay after self test
+
+From: Michael Hennerich <michael.hennerich@analog.com>
+
+commit c59c95ce6ace6d256401fc3a3648a95375ef4e63 upstream.
+
+Add delay after self test to satisfy timing requirements.
+Increase start-up delay.
+
+Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
+Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/staging/iio/imu/adis16400.h | 3 ++-
+ drivers/staging/iio/imu/adis16400_core.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/iio/imu/adis16400.h
++++ b/drivers/staging/iio/imu/adis16400.h
+@@ -17,7 +17,8 @@
+ #ifndef SPI_ADIS16400_H_
+ #define SPI_ADIS16400_H_
+
+-#define ADIS16400_STARTUP_DELAY 220 /* ms */
++#define ADIS16400_STARTUP_DELAY 290 /* ms */
++#define ADIS16400_MTEST_DELAY 90 /* ms */
+
+ #define ADIS16400_READ_REG(a) a
+ #define ADIS16400_WRITE_REG(a) ((a) | 0x80)
+--- a/drivers/staging/iio/imu/adis16400_core.c
++++ b/drivers/staging/iio/imu/adis16400_core.c
+@@ -373,7 +373,7 @@ static int adis16400_self_test(struct de
+ dev_err(dev, "problem starting self test");
+ goto err_ret;
+ }
+-
++ msleep(ADIS16400_MTEST_DELAY);
+ adis16400_check_status(dev);
+
+ err_ret:
--- /dev/null
+From b181119723d62b19904e1f12e467e996631c5a29 Mon Sep 17 00:00:00 2001
+From: Michael Hennerich <michael.hennerich@analog.com>
+Date: Mon, 21 Mar 2011 16:44:37 +0100
+Subject: staging: IIO: IMU: ADIS16400: Fix addresses of GYRO and ACCEL calibration offset
+
+From: Michael Hennerich <michael.hennerich@analog.com>
+
+commit b181119723d62b19904e1f12e467e996631c5a29 upstream.
+
+Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
+Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/staging/iio/imu/adis16400_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/iio/imu/adis16400_core.c
++++ b/drivers/staging/iio/imu/adis16400_core.c
+@@ -495,12 +495,12 @@ err_ret:
+ _reg)
+
+ static ADIS16400_DEV_ATTR_CALIBBIAS(GYRO_X, ADIS16400_XGYRO_OFF);
+-static ADIS16400_DEV_ATTR_CALIBBIAS(GYRO_Y, ADIS16400_XGYRO_OFF);
+-static ADIS16400_DEV_ATTR_CALIBBIAS(GYRO_Z, ADIS16400_XGYRO_OFF);
++static ADIS16400_DEV_ATTR_CALIBBIAS(GYRO_Y, ADIS16400_YGYRO_OFF);
++static ADIS16400_DEV_ATTR_CALIBBIAS(GYRO_Z, ADIS16400_ZGYRO_OFF);
+
+ static ADIS16400_DEV_ATTR_CALIBBIAS(ACCEL_X, ADIS16400_XACCL_OFF);
+-static ADIS16400_DEV_ATTR_CALIBBIAS(ACCEL_Y, ADIS16400_XACCL_OFF);
+-static ADIS16400_DEV_ATTR_CALIBBIAS(ACCEL_Z, ADIS16400_XACCL_OFF);
++static ADIS16400_DEV_ATTR_CALIBBIAS(ACCEL_Y, ADIS16400_YACCL_OFF);
++static ADIS16400_DEV_ATTR_CALIBBIAS(ACCEL_Z, ADIS16400_ZACCL_OFF);
+
+
+ static IIO_DEV_ATTR_IN_NAMED_RAW(0, supply, adis16400_read_14bit_signed,
--- /dev/null
+From fc5b85b0ad1f9da948e4d683710081a9bda357cb Mon Sep 17 00:00:00 2001
+From: Michael Hennerich <michael.hennerich@analog.com>
+Date: Mon, 21 Mar 2011 16:44:35 +0100
+Subject: staging: IIO: IMU: ADIS16400: Fix up SPI messages cs_change behavior
+
+From: Michael Hennerich <michael.hennerich@analog.com>
+
+commit fc5b85b0ad1f9da948e4d683710081a9bda357cb upstream.
+
+cs_change must not be set in the last transfer of a spi message
+
+Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
+Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/staging/iio/imu/adis16400_core.c | 2 --
+ drivers/staging/iio/imu/adis16400_ring.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+--- a/drivers/staging/iio/imu/adis16400_core.c
++++ b/drivers/staging/iio/imu/adis16400_core.c
+@@ -93,7 +93,6 @@ static int adis16400_spi_write_reg_16(st
+ .tx_buf = st->tx + 2,
+ .bits_per_word = 8,
+ .len = 2,
+- .cs_change = 1,
+ },
+ };
+
+@@ -137,7 +136,6 @@ static int adis16400_spi_read_reg_16(str
+ .rx_buf = st->rx,
+ .bits_per_word = 8,
+ .len = 2,
+- .cs_change = 1,
+ },
+ };
+
+--- a/drivers/staging/iio/imu/adis16400_ring.c
++++ b/drivers/staging/iio/imu/adis16400_ring.c
+@@ -122,12 +122,10 @@ static int adis16400_spi_read_burst(stru
+ .tx_buf = st->tx,
+ .bits_per_word = 8,
+ .len = 2,
+- .cs_change = 0,
+ }, {
+ .rx_buf = rx,
+ .bits_per_word = 8,
+ .len = 24,
+- .cs_change = 1,
+ },
+ };
+
--- /dev/null
+From 0fea4d6192cb82789e28905240d3c1dac6529c7c Mon Sep 17 00:00:00 2001
+From: Michael Hennerich <michael.hennerich@analog.com>
+Date: Mon, 21 Mar 2011 16:44:38 +0100
+Subject: staging: IIO: IMU: ADIS16400: Make sure only enabled scan_elements are pushed into the ring
+
+From: Michael Hennerich <michael.hennerich@analog.com>
+
+commit 0fea4d6192cb82789e28905240d3c1dac6529c7c upstream.
+
+Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
+Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/staging/iio/imu/adis16400_ring.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/iio/imu/adis16400_ring.c
++++ b/drivers/staging/iio/imu/adis16400_ring.c
+@@ -160,9 +160,10 @@ static void adis16400_trigger_bh_to_ring
+ work_trigger_to_ring);
+ struct iio_ring_buffer *ring = st->indio_dev->ring;
+
+- int i = 0;
++ int i = 0, j;
+ s16 *data;
+ size_t datasize = ring->access.get_bytes_per_datum(ring);
++ unsigned long mask = ring->scan_mask;
+
+ data = kmalloc(datasize , GFP_KERNEL);
+ if (data == NULL) {
+@@ -172,9 +173,12 @@ static void adis16400_trigger_bh_to_ring
+
+ if (ring->scan_count)
+ if (adis16400_spi_read_burst(&st->indio_dev->dev, st->rx) >= 0)
+- for (; i < ring->scan_count; i++)
++ for (; i < ring->scan_count; i++) {
++ j = __ffs(mask);
++ mask &= ~(1 << j);
+ data[i] = be16_to_cpup(
+- (__be16 *)&(st->rx[i*2]));
++ (__be16 *)&(st->rx[j*2]));
++ }
+
+ /* Guaranteed to be aligned with 8 byte boundary */
+ if (ring->scan_timestamp)
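Review bot: In the new loop body, `mask &= ~(1 << j);` shifts an `int` while `mask` is `unsigned long`, so a bit at position 31 or above would not be cleared correctly; `mask &= ~(1UL << j);` matches the type. `__ffs()` is undefined for a zero argument, so the loop relies on `ring->scan_mask` having at least `ring->scan_count` bits set; a guard such as `if (!mask) break;` before `j = __ffs(mask);` makes that assumption explicit. The index `j*2` into `st->rx` is now driven by the mask rather than the loop counter, so it is worth confirming that no mask bit can select an offset beyond what the burst read filled. The function starts and ends outside the hunk.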
--- /dev/null
+From 8b229c76765816796eec7ccd428f03bd8de8b525 Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Fri, 25 Mar 2011 18:33:57 +0200
+Subject: UBIFS: do not read flash unnecessarily
+
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+
+commit 8b229c76765816796eec7ccd428f03bd8de8b525 upstream.
+
+This fix makes the 'dbg_check_old_index()' function return
+immediately if debugging is disabled, instead of executing
+incorrect 'goto out' which causes UBIFS to:
+
+1. Allocate memory
+2. Read the flash
+
+On every commit. OK, we do not commit that often, but it is
+still silly to do unneeded I/O anyway.
+
+Credits to coverity for spotting this silly issue.
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ubifs/commit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ubifs/commit.c
++++ b/fs/ubifs/commit.c
+@@ -521,7 +521,7 @@ int dbg_check_old_index(struct ubifs_inf
+ size_t sz;
+
+ if (!(ubifs_chk_flags & UBIFS_CHK_OLD_IDX))
+- goto out;
++ return 0;
+
+ INIT_LIST_HEAD(&list);
+
--- /dev/null
+From 7da6443aca9be29c6948dcbd636ad50154d0bc0c Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Mon, 4 Apr 2011 17:16:39 +0300
+Subject: UBIFS: fix debugging failure in dbg_check_space_info
+
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+
+commit 7da6443aca9be29c6948dcbd636ad50154d0bc0c upstream.
+
+This patch fixes a debugging failure which looks like this:
+UBIFS error (pid 32313): dbg_check_space_info: free space changed from 6019344 to 6022654
+
+The reason for this failure is described in the comment this patch adds
+to the code. But in short - 'c->freeable_cnt' may be different before
+and after re-mounting, and this is normal. So the debugging code should
+make sure that free space calculations do not depend on 'c->freeable_cnt'.
+
+A similar issue has been reported here:
+http://lists.infradead.org/pipermail/linux-mtd/2011-April/034647.html
+
+This patch should fix it.
+
+For the -stable guys: this patch is only relevant for kernels 2.6.30
+onwards.
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ubifs/debug.c | 41 ++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 36 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/debug.c
++++ b/fs/ubifs/debug.c
+@@ -961,11 +961,39 @@ void dbg_dump_index(struct ubifs_info *c
+ void dbg_save_space_info(struct ubifs_info *c)
+ {
+ struct ubifs_debug_info *d = c->dbg;
+-
+- ubifs_get_lp_stats(c, &d->saved_lst);
++ int freeable_cnt;
+
+ spin_lock(&c->space_lock);
++ memcpy(&d->saved_lst, &c->lst, sizeof(struct ubifs_lp_stats));
++
++ /*
++ * We use a dirty hack here and zero out @c->freeable_cnt, because it
++ * affects the free space calculations, and UBIFS might not know about
++ * all freeable eraseblocks. Indeed, we know about freeable eraseblocks
++ * only when we read their lprops, and we do this only lazily, upon the
++ * need. So at any given point of time @c->freeable_cnt might be not
++ * exactly accurate.
++ *
++ * Just one example about the issue we hit when we did not zero
++ * @c->freeable_cnt.
++ * 1. The file-system is mounted R/O, c->freeable_cnt is %0. We save the
++ * amount of free space in @d->saved_free
++ * 2. We re-mount R/W, which makes UBIFS to read the "lsave"
++ * information from flash, where we cache LEBs from various
++ * categories ('ubifs_remount_fs()' -> 'ubifs_lpt_init()'
++ * -> 'lpt_init_wr()' -> 'read_lsave()' -> 'ubifs_lpt_lookup()'
++ * -> 'ubifs_get_pnode()' -> 'update_cats()'
++ * -> 'ubifs_add_to_cat()').
++ * 3. Lsave contains a freeable eraseblock, and @c->freeable_cnt
++ * becomes %1.
++ * 4. We calculate the amount of free space when the re-mount is
++ * finished in 'dbg_check_space_info()' and it does not match
++ * @d->saved_free.
++ */
++ freeable_cnt = c->freeable_cnt;
++ c->freeable_cnt = 0;
+ d->saved_free = ubifs_get_free_space_nolock(c);
++ c->freeable_cnt = freeable_cnt;
+ spin_unlock(&c->space_lock);
+ }
+
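Review bot: The save, zero and restore of `c->freeable_cnt` around `ubifs_get_free_space_nolock(c)` is written out here and again in `dbg_check_space_info()` in the next hunk. The two copies must stay identical for the comparison against `d->saved_free` to mean anything. A small static helper called with `c->space_lock` held would keep the long explanatory comment in one place and stop the two call sites drifting apart. The helper name below is only a suggestion.

```c
/* Free space computed with @c->freeable_cnt ignored; caller holds @c->space_lock. */
static long long dbg_free_space_no_freeable(struct ubifs_info *c)
{
	int freeable_cnt = c->freeable_cnt;
	long long free;

	/* ... unchanged: explanatory comment about lazily discovered freeable LEBs ... */
	c->freeable_cnt = 0;
	free = ubifs_get_free_space_nolock(c);
	c->freeable_cnt = freeable_cnt;
	return free;
}
```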
+@@ -982,12 +1010,15 @@ int dbg_check_space_info(struct ubifs_in
+ {
+ struct ubifs_debug_info *d = c->dbg;
+ struct ubifs_lp_stats lst;
+- long long avail, free;
++ long long free;
++ int freeable_cnt;
+
+ spin_lock(&c->space_lock);
+- avail = ubifs_calc_available(c, c->min_idx_lebs);
++ freeable_cnt = c->freeable_cnt;
++ c->freeable_cnt = 0;
++ free = ubifs_get_free_space_nolock(c);
++ c->freeable_cnt = freeable_cnt;
+ spin_unlock(&c->space_lock);
+- free = ubifs_get_free_space(c);
+
+ if (free != d->saved_free) {
+ ubifs_err("free space changed from %lld to %lld",
--- /dev/null
+From 54acbaaa523ca0bd284a18f67ad213c379679e86 Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Date: Fri, 25 Mar 2011 19:09:54 +0200
+Subject: UBIFS: fix oops on error path in read_pnode
+
+From: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+
+commit 54acbaaa523ca0bd284a18f67ad213c379679e86 upstream.
+
+Thanks to coverity which spotted that UBIFS will oops if 'kmalloc()'
+in 'read_pnode()' fails and we dereference a NULL 'pnode' pointer
+when we 'goto out'.
+
+Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ubifs/lpt.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ubifs/lpt.c
++++ b/fs/ubifs/lpt.c
+@@ -1270,10 +1270,9 @@ static int read_pnode(struct ubifs_info
+ lnum = branch->lnum;
+ offs = branch->offs;
+ pnode = kzalloc(sizeof(struct ubifs_pnode), GFP_NOFS);
+- if (!pnode) {
+- err = -ENOMEM;
+- goto out;
+- }
++ if (!pnode)
++ return -ENOMEM;
++
+ if (lnum == 0) {
+ /*
+ * This pnode was not written which just means that the LEB
--- /dev/null
+From 09b661b33268698d3b453dceb78cda129ad899b4 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <coelho@ti.com>
+Date: Fri, 1 Apr 2011 19:42:02 +0300
+Subject: wl12xx: fix potential buffer overflow in testmode nvs push
+
+From: Luciano Coelho <coelho@ti.com>
+
+commit 09b661b33268698d3b453dceb78cda129ad899b4 upstream.
+
+We were allocating the size of the NVS file struct and not checking
+whether the length of the buffer passed was correct before copying it
+into the allocated memory. This is a security hole because buffer
+overflows can occur if the userspace passes a bigger file than what is
+expected.
+
+With this patch, we check if the size of the data passed from
+userspace matches the size required.
+
+This bug was introduced in 2.6.36.
+
+Reported-by: Ido Yariv <ido@wizery.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/wl12xx/testmode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/wl12xx/testmode.c
++++ b/drivers/net/wireless/wl12xx/testmode.c
+@@ -204,7 +204,10 @@ static int wl1271_tm_cmd_nvs_push(struct
+
+ kfree(wl->nvs);
+
+- wl->nvs = kzalloc(sizeof(struct wl1271_nvs_file), GFP_KERNEL);
++ if (len != sizeof(struct wl1271_nvs_file))
++ return -EINVAL;
++
++ wl->nvs = kzalloc(len, GFP_KERNEL);
+ if (!wl->nvs) {
+ wl1271_error("could not allocate memory for the nvs file");
+ ret = -ENOMEM;
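Review bot: The new length check sits after `kfree(wl->nvs);` and exits through a bare `return -EINVAL;`, so on a wrong-sized buffer `wl->nvs` keeps pointing at freed memory and the next push would pass it to `kfree()` a second time. Validate first by moving `if (len != sizeof(struct wl1271_nvs_file))` above the `kfree()`, or at least add `wl->nvs = NULL;` right after freeing. The allocation-failure path just below sets `ret` instead of returning, which suggests a shared exit path outside the hunk. If that path releases a lock or other state taken earlier, the direct return skips it too, so the check belongs either before that state is acquired or on the same exit path. The function starts and ends outside the hunk.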
--- /dev/null
+From 84ac7cdbdd0f04df6b96153f7a79127fd6e45467 Mon Sep 17 00:00:00 2001
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+Date: Tue, 29 Mar 2011 15:38:12 -0700
+Subject: x86, mtrr, pat: Fix one cpu getting out of sync during resume
+
+From: Suresh Siddha <suresh.b.siddha@intel.com>
+
+commit 84ac7cdbdd0f04df6b96153f7a79127fd6e45467 upstream.
+
+On laptops with core i5/i7, there were reports that after resume
+graphics workloads were performing poorly on a specific AP, while
+the other cpu's were ok. This was observed on a 32bit kernel
+specifically.
+
+Debug showed that the PAT init was not happening on that AP
+during resume and hence it was contributing to the poor workload
+performance on that cpu.
+
+On this system, resume flow looked like this:
+
+1. BP starts the resume sequence and we reinit BP's MTRR's/PAT
+ early on using mtrr_bp_restore()
+
+2. Resume sequence brings all AP's online
+
+3. Resume sequence now kicks off the MTRR reinit on all the AP's.
+
+4. For some reason, between point 2 and 3, we moved from BP
+ to one of the AP's. My guess is that printk() during resume
+ sequence is contributing to this. We don't see similar
+ behavior with the 64bit kernel but there is no guarantee that
+ at this point the remaining resume sequence (after AP's bringup)
+ has to happen on BP.
+
+5. set_mtrr() was assuming that we are still on BP and skipped the
+ MTRR/PAT init on that cpu (because of 1 above)
+
+6. But we were on an AP and this led to not reprogramming PAT
+ on this cpu leading to bad performance.
+
+Fix this by doing unconditional mtrr_if->set_all() in set_mtrr()
+during MTRR/PAT init. This might be unnecessary if we are still
+running on BP. But it is of no harm and will guarantee that after
+resume, all the cpu's will be in sync with respect to the
+MTRR/PAT registers.
+
+Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
+LKML-Reference: <1301438292-28370-1-git-send-email-eric@anholt.net>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Tested-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/mtrr/main.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mtrr/main.c
++++ b/arch/x86/kernel/cpu/mtrr/main.c
+@@ -292,14 +292,24 @@ set_mtrr(unsigned int reg, unsigned long
+
+ /*
+ * HACK!
+- * We use this same function to initialize the mtrrs on boot.
+- * The state of the boot cpu's mtrrs has been saved, and we want
+- * to replicate across all the APs.
+- * If we're doing that @reg is set to something special...
++ *
++ * We use this same function to initialize the mtrrs during boot,
++ * resume, runtime cpu online and on an explicit request to set a
++ * specific MTRR.
++ *
++ * During boot or suspend, the state of the boot cpu's mtrrs has been
++ * saved, and we want to replicate that across all the cpus that come
++ * online (either at the end of boot or resume or during a runtime cpu
++ * online). If we're doing that, @reg is set to something special and on
++ * this cpu we still do mtrr_if->set_all(). During boot/resume, this
++ * is unnecessary if at this point we are still on the cpu that started
++ * the boot/resume sequence. But there is no guarantee that we are still
++ * on the same cpu. So we do mtrr_if->set_all() on this cpu aswell to be
++ * sure that we are in sync with everyone else.
+ */
+ if (reg != ~0U)
+ mtrr_if->set(reg, base, size, type);
+- else if (!mtrr_aps_delayed_init)
++ else
+ mtrr_if->set_all();
+
+ /* Wait for the others */
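Review bot: The rewritten comment still describes the sentinel as "@reg is set to something special", while the test directly below it is `reg != ~0U`; naming the value in the comment, e.g. `If we're doing that, @reg is ~0U and ...`, saves the reader a search. "aswell" in the last sentence should be "as well". `set_mtrr()` starts and ends outside the hunk.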