--- /dev/null
+From gregkh@mini.kroah.org Mon Oct 6 16:05:33 2008
+Message-Id: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:49 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 00/28] 2.6.25-stable review
+Content-Length: 2225
+Lines: 52
+
+This is the start of the stable review cycle for the 2.6.25.18 release.
+There are @num@ patches in this series, all will be posted as a response
+to this one. If anyone has any issues with these being applied, please
+let us know. If anyone is a maintainer of the proper subsystem, and
+wants to add a Signed-off-by: line to the patch, please respond with it.
+
+These patches are sent out with a number of different people on the
+Cc: line. If you wish to be a reviewer, please email stable@kernel.org
+to add your name to the list. If you want to be off the reviewer list,
+also email us.
+
+Responses should be made by Wed Oct 8, 22:00:00 UTC. Anything received
+after that time might be too late.
+
+The whole patch series can be found in one patch at:
+ kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.25.18-rc1.gz
+and the diffstat can be found below.
+
+
+thanks,
+
+the -stable release team
+
+-------------------
+
+ Makefile | 2
+ arch/x86/kernel/hpet.c | 19 ++++--
+ arch/x86/kernel/io_delay.c | 8 ++
+ arch/x86/kernel/vmi_32.c | 2
+ drivers/acpi/ec.c | 2
+ drivers/acpi/processor_perflib.c | 2
+ drivers/i2c/i2c-dev.c | 4 +
+ drivers/mmc/card/block.c | 4 +
+ drivers/net/niu.c | 56 ++++++++++++++++++
+ drivers/spi/pxa2xx_spi.c | 116 ++++++++++++++++++++++++++++++---------
+ drivers/usb/core/hcd.c | 3 -
+ include/asm-generic/rtc.h | 12 +---
+ include/linux/clockchips.h | 2
+ include/net/netlink.h | 2
+ kernel/time/clockevents.c | 3 -
+ kernel/time/ntp.c | 2
+ kernel/time/tick-broadcast.c | 78 +++++++++++++++++++-------
+ kernel/time/tick-common.c | 1
+ kernel/time/tick-internal.h | 2
+ kernel/time/tick-oneshot.c | 44 ++++++++++++--
+ net/ipv4/udp.c | 57 +++++++++++--------
+ net/ipv6/ip6_output.c | 64 ++++++++++-----------
+ net/ipv6/udp.c | 6 +-
+ net/sctp/associola.c | 9 +--
+ net/sctp/sm_make_chunk.c | 15 +++--
+ sound/pci/hda/patch_sigmatel.c | 2
+ 26 files changed, 372 insertions(+), 145 deletions(-)
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:33 2008
+Message-Id: <20081006230533.051212769@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:50 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Geoff Levand <geoffrey.levand@am.sony.com>,
+ Alan Stern <stern@rowland.harvard.edu>,
+ Stefan Becker <Stefan.Becker@nokia.com>
+Subject: [patch 01/28] USB: fix hcd interrupt disabling
+Content-Disposition: inline; filename=usb-fix-hcd-interrupt-disabling.patch
+Content-Length: 1745
+Lines: 49
+
+
+2.6.25-stable review patch. If anyone has any objections, please let us know.
+
+------------------
+
+From: Geoff Levand <geoffrey.levand@am.sony.com>
+
+commit 83a798207361cc26385187b2e71efa2b5d75de7f upstream
+
+Commit de85422b94ddb23c021126815ea49414047c13dc, 'USB: fix interrupt
+disabling for HCDs with shared interrupt handlers' changed usb_add_hcd()
+to strip IRQF_DISABLED from irqflags prior to calling request_irq()
+with the justification that such a removal was necessary for shared
+interrupts to work properly. Unfortunately, the change in that commit
+unconditionally removes the IRQF_DISABLED flag, causing problems on
+platforms that don't use a shared interrupt but require IRQF_DISABLED.
+This change adds a check for IRQF_SHARED prior to removing the
+IRQF_DISABLED flag.
+
+Fixes the PS3 system startup hang reported with recent Fedora and
+OpenSUSE kernels.
+
+Note that this problem is hidden when CONFIG_LOCKDEP=y (ps3_defconfig),
+as local_irq_enable_in_hardirq() is defined as a null statement for
+that config.
+
+Signed-off-by: Geoff Levand <geoffrey.levand@am.sony.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Stefan Becker <Stefan.Becker@nokia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/hcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1877,7 +1877,8 @@ int usb_add_hcd(struct usb_hcd *hcd,
+ * with IRQF_SHARED. As usb_hcd_irq() will always disable
+ * interrupts we can remove it here.
+ */
+- irqflags &= ~IRQF_DISABLED;
++ if (irqflags & IRQF_SHARED)
++ irqflags &= ~IRQF_DISABLED;
+
+ snprintf(hcd->irq_descr, sizeof(hcd->irq_descr), "%s:usb%d",
+ hcd->driver->description, hcd->self.busnum);
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:33 2008
+Message-Id: <20081006230533.236931065@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:51 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ned Forrester <nforrester@whoi.edu>,
+ Vernon Sauder <vernoninhand@gmail.com>,
+ Eric Miao <eric.y.miao@gmail.com>,
+ David Brownell <dbrownell@users.sourceforge.net>
+Subject: [patch 02/28] pxa2xx_spi: dma bugfixes
+Content-Disposition: inline; filename=pxa2xx_spi-dma-bugfixes.patch
+Content-Length: 4822
+Lines: 129
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Ned Forrester <nforrester@whoi.edu>
+
+commit 7e96445533ac3f4f7964646a202ff3620602fab4 upstream
+
+Fixes two DMA bugs in the pxa2xx_spi driver. The first bug is in all
+versions of this driver; the second was introduced in the 2.6.20 kernel,
+and prevents using the driver with chips like m25p16 flash (which can
+issue large DMA reads).
+
+ 1. Zero length transfers are permitted for use to insert timing,
+ but pxa2xx_spi.c will fail if this is requested in DMA mode.
+ Fixed by using programmed I/O (PIO) mode for such transfers.
+
+ 2. Transfers larger than 8191 are not permitted in DMA mode. A
+ test for length rejects all large transfers regardless of DMA
+ or PIO mode. Worked around by rejecting only large transfers
+ with DMA mapped buffers, and forcing all other transfers
+ larger than 8191 to use PIO mode. A rate limited warning is
+ issued for DMA transfers forced to PIO mode.
+
+This patch should apply to all kernels back to and including 2.6.20;
+it was test patched against 2.6.20. An additional patch would be
+required for older kernels, but those versions are very buggy anyway.
+
+Signed-off-by: Ned Forrester <nforrester@whoi.edu>
+Cc: Vernon Sauder <vernoninhand@gmail.com>
+Cc: Eric Miao <eric.y.miao@gmail.com>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/spi/pxa2xx_spi.c | 57 +++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 43 insertions(+), 14 deletions(-)
+
+--- a/drivers/spi/pxa2xx_spi.c
++++ b/drivers/spi/pxa2xx_spi.c
+@@ -48,9 +48,10 @@ MODULE_ALIAS("platform:pxa2xx-spi");
+
+ #define MAX_BUSES 3
+
+-#define DMA_INT_MASK (DCSR_ENDINTR | DCSR_STARTINTR | DCSR_BUSERR)
+-#define RESET_DMA_CHANNEL (DCSR_NODESC | DMA_INT_MASK)
+-#define IS_DMA_ALIGNED(x) (((u32)(x)&0x07)==0)
++#define DMA_INT_MASK (DCSR_ENDINTR | DCSR_STARTINTR | DCSR_BUSERR)
++#define RESET_DMA_CHANNEL (DCSR_NODESC | DMA_INT_MASK)
++#define IS_DMA_ALIGNED(x) (((x) & 0x07) == 0)
++#define MAX_DMA_LEN 8191
+
+ /*
+ * for testing SSCR1 changes that require SSP restart, basically
+@@ -846,14 +847,27 @@ static void pump_transfers(unsigned long
+ udelay(previous->delay_usecs);
+ }
+
+- /* Check transfer length */
+- if (transfer->len > 8191)
+- {
+- dev_warn(&drv_data->pdev->dev, "pump_transfers: transfer "
+- "length greater than 8191\n");
+- message->status = -EINVAL;
+- giveback(drv_data);
+- return;
++ /* Check for transfers that need multiple DMA segments */
++ if (transfer->len > MAX_DMA_LEN && chip->enable_dma) {
++
++ /* reject already-mapped transfers; PIO won't always work */
++ if (message->is_dma_mapped
++ || transfer->rx_dma || transfer->tx_dma) {
++ dev_err(&drv_data->pdev->dev,
++ "pump_transfers: mapped transfer length "
++ "of %lu is greater than %d\n",
++ transfer->len, MAX_DMA_LEN);
++ message->status = -EINVAL;
++ giveback(drv_data);
++ return;
++ }
++
++ /* warn ... we force this to PIO mode */
++ if (printk_ratelimit())
++ dev_warn(&message->spi->dev, "pump_transfers: "
++ "DMA disabled for transfer length %ld "
++ "greater than %d\n",
++ (long)drv_data->len, MAX_DMA_LEN);
+ }
+
+ /* Setup the transfer state based on the type of transfer */
+@@ -922,7 +936,7 @@ static void pump_transfers(unsigned long
+ &dma_thresh))
+ if (printk_ratelimit())
+ dev_warn(&message->spi->dev,
+- "pump_transfer: "
++ "pump_transfers: "
+ "DMA burst size reduced to "
+ "match bits_per_word\n");
+ }
+@@ -936,8 +950,23 @@ static void pump_transfers(unsigned long
+
+ message->state = RUNNING_STATE;
+
+- /* Try to map dma buffer and do a dma transfer if successful */
+- if ((drv_data->dma_mapped = map_dma_buffers(drv_data))) {
++ /* Try to map dma buffer and do a dma transfer if successful, but
++ * only if the length is non-zero and less than MAX_DMA_LEN.
++ *
++ * Zero-length non-descriptor DMA is illegal on PXA2xx; force use
++ * of PIO instead. Care is needed above because the transfer may
++ * have have been passed with buffers that are already dma mapped.
++ * A zero-length transfer in PIO mode will not try to write/read
++ * to/from the buffers
++ *
++ * REVISIT large transfers are exactly where we most want to be
++ * using DMA. If this happens much, split those transfers into
++ * multiple DMA segments rather than forcing PIO.
++ */
++ drv_data->dma_mapped = 0;
++ if (drv_data->len > 0 && drv_data->len <= MAX_DMA_LEN)
++ drv_data->dma_mapped = map_dma_buffers(drv_data);
++ if (drv_data->dma_mapped) {
+
+ /* Ensure we have the correct interrupt handler */
+ drv_data->transfer_handler = dma_transfer;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:33 2008
+Message-Id: <20081006230533.386886925@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:52 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ned Forrester <nforrester@whoi.edu>,
+ Vernon Sauder <vernoninhand@gmail.com>,
+ Eric Miao <eric.y.miao@gmail.com>,
+ David Brownell <dbrownell@users.sourceforge.net>
+Subject: [patch 03/28] pxa2xx_spi: chipselect bugfixes
+Content-Disposition: inline; filename=pxa2xx_spi-chipselect-bugfixes.patch
+Content-Length: 5814
+Lines: 163
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Ned Forrester <nforrester@whoi.edu>
+
+commit 8423597d676615f3dd2d9ab36f59f147086b90b8 upstream
+
+Fixes several chipselect bugs in the pxa2xx_spi driver. These bugs are in
+all versions of this driver and prevent using it with chips like m25p16
+flash.
+
+ 1. The spi_transfer.cs_change flag is handled too early:
+ before spi_transfer.delay_usecs applies, thus making the
+ delay ineffective at holding chip select.
+
+ 2. spi_transfer.delay_usecs is ignored on the last transfer
+ of a message (likewise not holding chipselect long enough).
+
+ 3. If spi_transfer.cs_change is set on the last transfer, the
+ chip select is always disabled, instead of the intended
+ meaning: optionally holding chip select enabled for the
+ next message.
+
+Those first three bugs were fixed with a relocation of delays
+and chip select de-assertions.
+
+ 4. If a message has the cs_change flag set on the last transfer,
+ and had the chip select stayed enabled as requested (see 3,
+ above), it would not have been disabled if the next message is
+ for a different chip. Fixed by dropping chip select regardless
+ of cs_change at end of a message, if there is no next message
+ or if the next message is for a different chip.
+
+This patch should apply to all kernels back to and including 2.6.20;
+it was test patched against 2.6.20. An additional patch would be
+required for older kernels, but those versions are very buggy anyway.
+
+Signed-off-by: Ned Forrester <nforrester@whoi.edu>
+Cc: Vernon Sauder <vernoninhand@gmail.com>
+Cc: Eric Miao <eric.y.miao@gmail.com>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/spi/pxa2xx_spi.c | 59 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 48 insertions(+), 11 deletions(-)
+
+--- a/drivers/spi/pxa2xx_spi.c
++++ b/drivers/spi/pxa2xx_spi.c
+@@ -143,7 +143,6 @@ struct driver_data {
+ size_t tx_map_len;
+ u8 n_bytes;
+ u32 dma_width;
+- int cs_change;
+ int (*write)(struct driver_data *drv_data);
+ int (*read)(struct driver_data *drv_data);
+ irqreturn_t (*transfer_handler)(struct driver_data *drv_data);
+@@ -405,8 +404,45 @@ static void giveback(struct driver_data
+ struct spi_transfer,
+ transfer_list);
+
++ /* Delay if requested before any change in chip select */
++ if (last_transfer->delay_usecs)
++ udelay(last_transfer->delay_usecs);
++
++ /* Drop chip select UNLESS cs_change is true or we are returning
++ * a message with an error, or next message is for another chip
++ */
+ if (!last_transfer->cs_change)
+ drv_data->cs_control(PXA2XX_CS_DEASSERT);
++ else {
++ struct spi_message *next_msg;
++
++ /* Holding of cs was hinted, but we need to make sure
++ * the next message is for the same chip. Don't waste
++ * time with the following tests unless this was hinted.
++ *
++ * We cannot postpone this until pump_messages, because
++ * after calling msg->complete (below) the driver that
++ * sent the current message could be unloaded, which
++ * could invalidate the cs_control() callback...
++ */
++
++ /* get a pointer to the next message, if any */
++ spin_lock_irqsave(&drv_data->lock, flags);
++ if (list_empty(&drv_data->queue))
++ next_msg = NULL;
++ else
++ next_msg = list_entry(drv_data->queue.next,
++ struct spi_message, queue);
++ spin_unlock_irqrestore(&drv_data->lock, flags);
++
++ /* see if the next and current messages point
++ * to the same chip
++ */
++ if (next_msg && next_msg->spi != msg->spi)
++ next_msg = NULL;
++ if (!next_msg || msg->state == ERROR_STATE)
++ drv_data->cs_control(PXA2XX_CS_DEASSERT);
++ }
+
+ msg->state = NULL;
+ if (msg->complete)
+@@ -489,10 +525,9 @@ static void dma_transfer_complete(struct
+ msg->actual_length += drv_data->len -
+ (drv_data->rx_end - drv_data->rx);
+
+- /* Release chip select if requested, transfer delays are
+- * handled in pump_transfers */
+- if (drv_data->cs_change)
+- drv_data->cs_control(PXA2XX_CS_DEASSERT);
++ /* Transfer delays and chip select release are
++ * handled in pump_transfers or giveback
++ */
+
+ /* Move to next transfer */
+ msg->state = next_transfer(drv_data);
+@@ -601,10 +636,9 @@ static void int_transfer_complete(struct
+ drv_data->cur_msg->actual_length += drv_data->len -
+ (drv_data->rx_end - drv_data->rx);
+
+- /* Release chip select if requested, transfer delays are
+- * handled in pump_transfers */
+- if (drv_data->cs_change)
+- drv_data->cs_control(PXA2XX_CS_DEASSERT);
++ /* Transfer delays and chip select release are
++ * handled in pump_transfers or giveback
++ */
+
+ /* Move to next transfer */
+ drv_data->cur_msg->state = next_transfer(drv_data);
+@@ -838,13 +872,17 @@ static void pump_transfers(unsigned long
+ return;
+ }
+
+- /* Delay if requested at end of transfer*/
++ /* Delay if requested at end of transfer before CS change */
+ if (message->state == RUNNING_STATE) {
+ previous = list_entry(transfer->transfer_list.prev,
+ struct spi_transfer,
+ transfer_list);
+ if (previous->delay_usecs)
+ udelay(previous->delay_usecs);
++
++ /* Drop chip select only if cs_change is requested */
++ if (previous->cs_change)
++ drv_data->cs_control(PXA2XX_CS_DEASSERT);
+ }
+
+ /* Check for transfers that need multiple DMA segments */
+@@ -889,7 +927,6 @@ static void pump_transfers(unsigned long
+ drv_data->len = transfer->len & DCMD_LENGTH;
+ drv_data->write = drv_data->tx ? chip->write : null_writer;
+ drv_data->read = drv_data->rx ? chip->read : null_reader;
+- drv_data->cs_change = transfer->cs_change;
+
+ /* Change speed and bit per word on a per transfer */
+ cr0 = chip->cr0;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:33 2008
+Message-Id: <20081006230533.569224135@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:53 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Pierre Ossman <drzeus-list@drzeus.cx>
+Subject: [patch 04/28] drivers/mmc/card/block.c: fix refcount leak in mmc_block_open()
+Content-Disposition: inline; filename=drivers-mmc-card-block.c-fix-refcount-leak-in-mmc_block_open.patch
+Content-Length: 1214
+Lines: 40
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Andrew Morton <akpm@linux-foundation.org>
+
+commit 70bb08962ea9bd50797ae9f16b2493f5f7c65053 upstream
+
+mmc_block_open() increments md->usage although it returns with -EROFS when
+default mounting a MMC/SD card with write protect switch on. This
+reference counting bug prevents /dev/mmcblkX from being released on card
+removal, and situation worsen with reinsertion until the minor number
+range runs out.
+
+Reported-by: <sasin@solomon-systech.com>
+Acked-by: Pierre Ossman <drzeus-list@drzeus.cx>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mmc/card/block.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -103,8 +103,10 @@ static int mmc_blk_open(struct inode *in
+ check_disk_change(inode->i_bdev);
+ ret = 0;
+
+- if ((filp->f_mode & FMODE_WRITE) && md->read_only)
++ if ((filp->f_mode & FMODE_WRITE) && md->read_only) {
++ mmc_blk_put(md);
+ ret = -EROFS;
++ }
+ }
+
+ return ret;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:33 2008
+Message-Id: <20081006230533.716648878@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:54 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Takashi Iwai <tiwai@suse.de>
+Subject: [patch 05/28] ALSA: hda - Fix model for Dell Inspiron 1525
+Content-Disposition: inline; filename=alsa-hda-fix-model-for-dell-inspiron-1525.patch
+Content-Length: 1432
+Lines: 35
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 24918b61b55c21e09a3e07cd82e1b3a8154782dc upstream
+
+Dell Inspiron 1525 seems to have a buggy BIOS setup and screws up
+the recent codec parser, as reported by Oleksandr Natalenko:
+ http://lkml.org/lkml/2008/9/12/203
+
+This patch adds the working model, dell-3stack, statically.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_sigmatel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -1541,8 +1541,8 @@ static struct snd_pci_quirk stac927x_cfg
+ /* Dell 3 stack systems with verb table in BIOS */
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x01f3, "Dell Inspiron 1420", STAC_DELL_BIOS),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0227, "Dell Vostro 1400 ", STAC_DELL_BIOS),
+- SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x022f, "Dell ", STAC_DELL_BIOS),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x022e, "Dell ", STAC_DELL_BIOS),
++ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x022f, "Dell Inspiron 1525", STAC_DELL_3ST),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0242, "Dell ", STAC_DELL_BIOS),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0243, "Dell ", STAC_DELL_BIOS),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02ff, "Dell ", STAC_DELL_BIOS),
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230533.867941501@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:55 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sven Wegener <sven.wegener@stealer.net>,
+ Jean Delvare <khali@linux-fr.org>
+Subject: [patch 06/28] i2c-dev: Return correct error code on class_create() failure
+Content-Disposition: inline; filename=i2c-dev-return-correct-error-code-on-class_create-failure.patch
+Content-Length: 1038
+Lines: 37
+
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Sven Wegener <sven.wegener@stealer.net>
+
+In Linus' tree:
+http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commit;h=e74783ec3cb981211689bd2cfd3248f8dc48ec01
+
+We need to convert the error pointer from class_create(), else we'll return the
+successful return code from register_chrdev() on failure.
+
+Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/i2c/i2c-dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -574,8 +574,10 @@ static int __init i2c_dev_init(void)
+ goto out;
+
+ i2c_dev_class = class_create(THIS_MODULE, "i2c-dev");
+- if (IS_ERR(i2c_dev_class))
++ if (IS_ERR(i2c_dev_class)) {
++ res = PTR_ERR(i2c_dev_class);
+ goto out_unreg_chrdev;
++ }
+
+ res = i2c_add_driver(&i2cdev_driver);
+ if (res)
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230534.018570073@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:56 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Andi Kleen <ak@linux.intel.com>,
+ Milan Broz <mbroz@redhat.com>
+Subject: [patch 07/28] ACPI: Fix thermal shutdowns
+Content-Disposition: inline; filename=acpi-fix-thermal-shutdowns.patch
+Content-Length: 1238
+Lines: 41
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Milan Broz <mbroz@redhat.com>
+
+commit 9f497bcc695fb828da023d74ad3c966b1e58ad21 upstream
+
+ACPI: Fix thermal shutdowns
+
+Do not use unsigned int if there is test for negative number...
+
+See drivers/acpi/processor_perflib.c
+ static unsigned int ignore_ppc = -1;
+...
+ if (event == CPUFREQ_START && ignore_ppc <= 0) {
+ ignore_ppc = 0;
+...
+
+Signed-off-by: Milan Broz <mbroz@redhat.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/processor_perflib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/processor_perflib.c
++++ b/drivers/acpi/processor_perflib.c
+@@ -70,7 +70,7 @@ static DEFINE_MUTEX(performance_mutex);
+ * 0 -> cpufreq low level drivers initialized -> consider _PPC values
+ * 1 -> ignore _PPC totally -> forced by user through boot param
+ */
+-static unsigned int ignore_ppc = -1;
++static int ignore_ppc = -1;
+ module_param(ignore_ppc, uint, 0644);
+ MODULE_PARM_DESC(ignore_ppc, "If the frequency of your machine gets wrongly" \
+ "limited by BIOS, this should help");
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230534.176674245@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:57 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "H. Peter Anvin" <hpa@zytor.com>
+Subject: [patch 08/28] x86: add io delay quirk for Presario F700
+Content-Disposition: inline; filename=x86-add-io-delay-quirk-for-presario-f700.patch
+Content-Length: 1108
+Lines: 50
+
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Chuck Ebbert <cebbert@redhat.com>
+
+commit e6a5652fd156a286faadbf7a4062b5354d4e346e upstream
+
+Manually adding "io_delay=0xed" fixes system lockups in ioapic
+mode on this machine.
+
+System Information
+ Manufacturer: Hewlett-Packard
+ Product Name: Presario F700 (KA695EA#ABF)
+
+Base Board Information
+ Manufacturer: Quanta
+ Product Name: 30D3
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=459546
+
+Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/io_delay.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/io_delay.c
++++ b/arch/x86/kernel/io_delay.c
+@@ -92,6 +92,14 @@ static struct dmi_system_id __initdata i
+ DMI_MATCH(DMI_BOARD_NAME, "30BF")
+ }
+ },
++ {
++ .callback = dmi_io_delay_0xed_port,
++ .ident = "Presario F700",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Quanta"),
++ DMI_MATCH(DMI_BOARD_NAME, "30D3")
++ }
++ },
+ { }
+ };
+
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230534.324474804@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:58 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 09/28] rtc: fix deadlock
+Content-Disposition: inline; filename=rtc-fix-deadlock.patch
+Content-Length: 2054
+Lines: 67
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Ingo Molnar <mingo@elte.hu>
+
+commit 38c052f8cff1bd323ccfa968136a9556652ee420 upstream
+
+if get_rtc_time() is _ever_ called with IRQs off, we deadlock badly
+in it, waiting for jiffies to increment.
+
+So make the code more robust by doing an explicit mdelay(20).
+
+This solves a very hard to reproduce/debug hard lockup reported
+by Mikael Pettersson.
+
+Reported-by: Mikael Pettersson <mikpe@it.uu.se>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/asm-generic/rtc.h | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/include/asm-generic/rtc.h
++++ b/include/asm-generic/rtc.h
+@@ -17,6 +17,7 @@
+ #include <linux/mc146818rtc.h>
+ #include <linux/rtc.h>
+ #include <linux/bcd.h>
++#include <linux/delay.h>
+
+ #define RTC_PIE 0x40 /* periodic interrupt enable */
+ #define RTC_AIE 0x20 /* alarm interrupt enable */
+@@ -45,7 +46,6 @@ static inline unsigned char rtc_is_updat
+
+ static inline unsigned int get_rtc_time(struct rtc_time *time)
+ {
+- unsigned long uip_watchdog = jiffies;
+ unsigned char ctrl;
+ unsigned long flags;
+
+@@ -55,19 +55,15 @@ static inline unsigned int get_rtc_time(
+
+ /*
+ * read RTC once any update in progress is done. The update
+- * can take just over 2ms. We wait 10 to 20ms. There is no need to
++ * can take just over 2ms. We wait 20ms. There is no need to
+ * to poll-wait (up to 1s - eeccch) for the falling edge of RTC_UIP.
+ * If you need to know *exactly* when a second has started, enable
+ * periodic update complete interrupts, (via ioctl) and then
+ * immediately read /dev/rtc which will block until you get the IRQ.
+ * Once the read clears, read the RTC time (again via ioctl). Easy.
+ */
+-
+- if (rtc_is_updating() != 0)
+- while (jiffies - uip_watchdog < 2*HZ/100) {
+- barrier();
+- cpu_relax();
+- }
++ if (rtc_is_updating())
++ mdelay(20);
+
+ /*
+ * Only the values that we read from the RTC are set. We leave
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230534.477196379@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 15:59:59 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ epprecht@solnet.ch,
+ Zhao Yakui <yakui.zhao@intel.com>,
+ Zhang Rui <rui.zhang@intel.com>,
+ Andi Kleen <ak@linux.intel.com>
+Subject: [patch 10/28] ACPI: Avoid bogus EC timeout when EC is in Polling mode
+Content-Disposition: inline; filename=acpi-avoid-bogus-ec-timeout-when-ec-is-in-polling-mode.patch
+Content-Length: 2246
+Lines: 61
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Zhao Yakui <yakui.zhao@intel.com>
+
+commit 9d699ed92a459cb408e2577e8bbeabc8ec3989e1 upstream
+
+When EC is in Polling mode, OS will check the EC status continually by using
+the following source code:
+ clear_bit(EC_FLAGS_WAIT_GPE, &ec->flags);
+ while (time_before(jiffies, delay)) {
+ if (acpi_ec_check_status(ec, event))
+ return 0;
+ msleep(1);
+ }
+But msleep is realized by the function of schedule_timeout. At the same time
+although one process is already waken up by some events, it won't be scheduled
+immediately. So maybe there exists the following phenomena:
+ a. The current jiffies is already after the predefined jiffies.
+ But before timeout happens, OS has no chance to check the EC
+ status again.
+ b. If preemptible schedule is enabled, maybe preempt schedule will happen
+ before checking loop. When the process is resumed again, maybe
+ timeout already happens, which means that OS has no chance to check
+ the EC status.
+
+In such case maybe EC status is already what OS expects when timeout happens.
+But OS has no chance to check the EC status and regards it as AE_TIME.
+
+So it will be more appropriate that OS will try to check the EC status again
+when timeout happens. If the EC status is what we expect, it won't be regarded
+as timeout. Only when the EC status is not what we expect, it will be regarded
+as timeout, which means that EC controller can't give a response in time.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=9823
+http://bugzilla.kernel.org/show_bug.cgi?id=11141
+
+Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/acpi/ec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -228,6 +228,8 @@ static int acpi_ec_wait(struct acpi_ec *
+ if (acpi_ec_check_status(ec, event))
+ goto end;
+ }
++ if (acpi_ec_check_status(ec,event))
++ return 0;
+ }
+ pr_err(PREFIX "acpi_ec_wait timeout,"
+ " status = %d, expect_event = %d\n",
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230534.644340806@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:00 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>,
+ Shaohua Li <shaohua.li@intel.com>,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 11/28] clockevents: prevent clockevent event_handler ending up handler_noop
+Content-Disposition: inline; filename=timer-fix-01.patch
+Content-Length: 3074
+Lines: 85
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+
+commit 7c1e76897492d92b6a1c2d6892494d39ded9680c upstream
+
+There is a ordering related problem with clockevents code, due to which
+clockevents_register_device() called after tickless/highres switch
+will not work. The new clockevent ends up with clockevents_handle_noop as
+event handler, resulting in no timer activity.
+
+The problematic path seems to be
+
+* old device already has hrtimer_interrupt as the event_handler
+* new clockevent device registers with a higher rating
+* tick_check_new_device() is called
+ * clockevents_exchange_device() gets called
+ * old->event_handler is set to clockevents_handle_noop
+ * tick_setup_device() is called for the new device
+ * which sets new->event_handler using the old->event_handler which is noop.
+
+Change the ordering so that new device inherits the proper handler.
+
+This does not have any issue in normal case as most likely all the clockevent
+devices are setup before the highres switch. But, can potentially be affecting
+some corner case where HPET force detect happens after the highres switch.
+This was a problem with HPET in MSI mode code that we have been experimenting
+with.
+
+Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 3 +--
+ kernel/time/tick-common.c | 1 +
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -127,6 +127,8 @@ extern int clockevents_register_notifier
+ extern int clockevents_program_event(struct clock_event_device *dev,
+ ktime_t expires, ktime_t now);
+
++extern void clockevents_handle_noop(struct clock_event_device *dev);
++
+ #ifdef CONFIG_GENERIC_CLOCKEVENTS
+ extern void clockevents_notify(unsigned long reason, void *arg);
+ #else
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -177,7 +177,7 @@ void clockevents_register_device(struct
+ /*
+ * Noop handler when we shut down an event device
+ */
+-static void clockevents_handle_noop(struct clock_event_device *dev)
++void clockevents_handle_noop(struct clock_event_device *dev)
+ {
+ }
+
+@@ -199,7 +199,6 @@ void clockevents_exchange_device(struct
+ * released list and do a notify add later.
+ */
+ if (old) {
+- old->event_handler = clockevents_handle_noop;
+ clockevents_set_mode(old, CLOCK_EVT_MODE_UNUSED);
+ list_del(&old->list);
+ list_add(&old->list, &clockevents_released);
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -159,6 +159,7 @@ static void tick_setup_device(struct tic
+ } else {
+ handler = td->evtdev->event_handler;
+ next_event = td->evtdev->next_event;
++ td->evtdev->event_handler = clockevents_handle_noop;
+ }
+
+ td->evtdev = newdev;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:34 2008
+Message-Id: <20081006230534.796291542@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:01 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 12/28] clockevents: prevent endless loop in periodic broadcast handler
+Content-Disposition: inline; filename=timer-fix-02.patch
+Content-Length: 1686
+Lines: 53
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit d4496b39559c6d43f83e4c08b899984f8b8089b5 upstream
+
+The reprogramming of the periodic broadcast handler was broken,
+when the first programming returned -ETIME. The clockevents code
+stores the new expiry value in the clock events device next_event field
+only when the programming time has not been elapsed yet. The loop in
+question calculates the new expiry value from the next_event value
+and therefor never increases.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/tick-broadcast.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -174,6 +174,8 @@ static void tick_do_periodic_broadcast(v
+ */
+ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ {
++ ktime_t next;
++
+ tick_do_periodic_broadcast();
+
+ /*
+@@ -184,10 +186,13 @@ static void tick_handle_periodic_broadca
+
+ /*
+ * Setup the next period for devices, which do not have
+- * periodic mode:
++ * periodic mode. We read dev->next_event first and add to it
++ * when the event alrady expired. clockevents_program_event()
++ * sets dev->next_event only when the event is really
++ * programmed to the device.
+ */
+- for (;;) {
+- ktime_t next = ktime_add(dev->next_event, tick_period);
++ for (next = dev->next_event; ;) {
++ next = ktime_add(next, tick_period);
+
+ if (!clockevents_program_event(dev, next, ktime_get()))
+ return;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:35 2008
+Message-Id: <20081006230535.004560260@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:02 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 13/28] clockevents: enforce reprogram in oneshot setup
+Content-Disposition: inline; filename=timer-fix-03.patch
+Content-Length: 1992
+Lines: 68
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7205656ab48da29a95d7f55e43a81db755d3cb3a upstream
+
+In tick_oneshot_setup we program the device to the given next_event,
+but we do not check the return value. We need to make sure that the
+device is programmed enforced so the interrupt handler engine starts
+working. Split out the reprogramming function from tick_program_event()
+and call it with the device, which was handed in to tick_setup_oneshot().
+Set the force argument, so the devices is firing an interrupt.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/tick-oneshot.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/kernel/time/tick-oneshot.c
++++ b/kernel/time/tick-oneshot.c
+@@ -23,11 +23,11 @@
+ #include "tick-internal.h"
+
+ /**
+- * tick_program_event
++ * tick_program_event internal worker function
+ */
+-int tick_program_event(ktime_t expires, int force)
++static int __tick_program_event(struct clock_event_device *dev,
++ ktime_t expires, int force)
+ {
+- struct clock_event_device *dev = __get_cpu_var(tick_cpu_device).evtdev;
+ ktime_t now = ktime_get();
+
+ while (1) {
+@@ -41,6 +41,16 @@ int tick_program_event(ktime_t expires,
+ }
+
+ /**
++ * tick_program_event
++ */
++int tick_program_event(ktime_t expires, int force)
++{
++ struct clock_event_device *dev = __get_cpu_var(tick_cpu_device).evtdev;
++
++ return __tick_program_event(dev, expires, force);
++}
++
++/**
+ * tick_resume_onshot - resume oneshot mode
+ */
+ void tick_resume_oneshot(void)
+@@ -61,7 +71,7 @@ void tick_setup_oneshot(struct clock_eve
+ {
+ newdev->event_handler = handler;
+ clockevents_set_mode(newdev, CLOCK_EVT_MODE_ONESHOT);
+- clockevents_program_event(newdev, next_event, ktime_get());
++ __tick_program_event(newdev, next_event, 1);
+ }
+
+ /**
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:35 2008
+Message-Id: <20081006230535.107422636@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:03 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 14/28] clockevents: prevent multiple init/shutdown
+Content-Disposition: inline; filename=timer-fix-04.patch
+Content-Length: 2423
+Lines: 75
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 9c17bcda991000351cb2373f78be7e4b1c44caa3 upstream
+
+While chasing the C1E/HPET bugreports I went through the clock events
+code inch by inch and found that the broadcast device can be initialized
+and shutdown multiple times. Multiple shutdowns are not critical, but
+useless waste of time. Multiple initializations are simply broken. Another
+CPU might have the device in use already after the first initialization and
+the second init could just render it unusable again.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/tick-broadcast.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -209,7 +209,7 @@ static void tick_do_broadcast_on_off(voi
+ struct clock_event_device *bc, *dev;
+ struct tick_device *td;
+ unsigned long flags, *reason = why;
+- int cpu;
++ int cpu, bc_stopped;
+
+ spin_lock_irqsave(&tick_broadcast_lock, flags);
+
+@@ -227,6 +227,8 @@ static void tick_do_broadcast_on_off(voi
+ if (!tick_device_is_functional(dev))
+ goto out;
+
++ bc_stopped = cpus_empty(tick_broadcast_mask);
++
+ switch (*reason) {
+ case CLOCK_EVT_NOTIFY_BROADCAST_ON:
+ case CLOCK_EVT_NOTIFY_BROADCAST_FORCE:
+@@ -248,9 +250,10 @@ static void tick_do_broadcast_on_off(voi
+ break;
+ }
+
+- if (cpus_empty(tick_broadcast_mask))
+- clockevents_set_mode(bc, CLOCK_EVT_MODE_SHUTDOWN);
+- else {
++ if (cpus_empty(tick_broadcast_mask)) {
++ if (!bc_stopped)
++ clockevents_set_mode(bc, CLOCK_EVT_MODE_SHUTDOWN);
++ } else if (bc_stopped) {
+ if (tick_broadcast_device.mode == TICKDEV_MODE_PERIODIC)
+ tick_broadcast_start_periodic(bc);
+ else
+@@ -500,9 +503,12 @@ static void tick_broadcast_clear_oneshot
+ */
+ void tick_broadcast_setup_oneshot(struct clock_event_device *bc)
+ {
+- bc->event_handler = tick_handle_oneshot_broadcast;
+- clockevents_set_mode(bc, CLOCK_EVT_MODE_ONESHOT);
+- bc->next_event.tv64 = KTIME_MAX;
++ /* Set it up only once ! */
++ if (bc->event_handler != tick_handle_oneshot_broadcast) {
++ bc->event_handler = tick_handle_oneshot_broadcast;
++ clockevents_set_mode(bc, CLOCK_EVT_MODE_ONESHOT);
++ bc->next_event.tv64 = KTIME_MAX;
++ }
+ }
+
+ /*
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:35 2008
+Message-Id: <20081006230535.264703450@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:04 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 15/28] clockevents: prevent endless loop lockup
+Content-Disposition: inline; filename=timer-fix-05.patch
+Content-Length: 4249
+Lines: 130
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 1fb9b7d29d8e85ba3196eaa7ab871bf76fc98d36 upstream
+
+The C1E/HPET bug reports on AMDX2/RS690 systems where tracked down to a
+too small value of the HPET minumum delta for programming an event.
+
+The clockevents code needs to enforce an interrupt event on the clock event
+device in some cases. The enforcement code was stupid and naive, as it just
+added the minimum delta to the current time and tried to reprogram the device.
+When the minimum delta is too small, then this loops forever.
+
+Add a sanity check. Allow reprogramming to fail 3 times, then print a warning
+and double the minimum delta value to make sure, that this does not happen again.
+Use the same function for both tick-oneshot and tick-broadcast code.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/tick-broadcast.c | 10 +---------
+ kernel/time/tick-internal.h | 2 ++
+ kernel/time/tick-oneshot.c | 36 ++++++++++++++++++++++++++++++------
+ 3 files changed, 33 insertions(+), 15 deletions(-)
+
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -370,16 +370,8 @@ cpumask_t *tick_get_broadcast_oneshot_ma
+ static int tick_broadcast_set_event(ktime_t expires, int force)
+ {
+ struct clock_event_device *bc = tick_broadcast_device.evtdev;
+- ktime_t now = ktime_get();
+- int res;
+
+- for(;;) {
+- res = clockevents_program_event(bc, expires, now);
+- if (!res || !force)
+- return res;
+- now = ktime_get();
+- expires = ktime_add(now, ktime_set(0, bc->min_delta_ns));
+- }
++ return tick_dev_program_event(bc, expires, force);
+ }
+
+ int tick_resume_broadcast_oneshot(struct clock_event_device *bc)
+--- a/kernel/time/tick-internal.h
++++ b/kernel/time/tick-internal.h
+@@ -17,6 +17,8 @@ extern void tick_handle_periodic(struct
+ extern void tick_setup_oneshot(struct clock_event_device *newdev,
+ void (*handler)(struct clock_event_device *),
+ ktime_t nextevt);
++extern int tick_dev_program_event(struct clock_event_device *dev,
++ ktime_t expires, int force);
+ extern int tick_program_event(ktime_t expires, int force);
+ extern void tick_oneshot_notify(void);
+ extern int tick_switch_to_oneshot(void (*handler)(struct clock_event_device *));
+--- a/kernel/time/tick-oneshot.c
++++ b/kernel/time/tick-oneshot.c
+@@ -25,18 +25,42 @@
+ /**
+ * tick_program_event internal worker function
+ */
+-static int __tick_program_event(struct clock_event_device *dev,
+- ktime_t expires, int force)
++int tick_dev_program_event(struct clock_event_device *dev, ktime_t expires,
++ int force)
+ {
+ ktime_t now = ktime_get();
++ int i;
+
+- while (1) {
++ for (i = 0;;) {
+ int ret = clockevents_program_event(dev, expires, now);
+
+ if (!ret || !force)
+ return ret;
++
++ /*
++ * We tried 2 times to program the device with the given
++ * min_delta_ns. If that's not working then we double it
++ * and emit a warning.
++ */
++ if (++i > 2) {
++ printk(KERN_WARNING "CE: __tick_program_event of %s is "
++ "stuck %llx %llx\n", dev->name ? dev->name : "?",
++ now.tv64, expires.tv64);
++ printk(KERN_WARNING
++ "CE: increasing min_delta_ns %ld to %ld nsec\n",
++ dev->min_delta_ns, dev->min_delta_ns << 1);
++ WARN_ON(1);
++
++ /* Double the min. delta and try again */
++ if (!dev->min_delta_ns)
++ dev->min_delta_ns = 5000;
++ else
++ dev->min_delta_ns <<= 1;
++ i = 0;
++ }
++
+ now = ktime_get();
+- expires = ktime_add(now, ktime_set(0, dev->min_delta_ns));
++ expires = ktime_add_ns(now, dev->min_delta_ns);
+ }
+ }
+
+@@ -47,7 +71,7 @@ int tick_program_event(ktime_t expires,
+ {
+ struct clock_event_device *dev = __get_cpu_var(tick_cpu_device).evtdev;
+
+- return __tick_program_event(dev, expires, force);
++ return tick_dev_program_event(dev, expires, force);
+ }
+
+ /**
+@@ -71,7 +95,7 @@ void tick_setup_oneshot(struct clock_eve
+ {
+ newdev->event_handler = handler;
+ clockevents_set_mode(newdev, CLOCK_EVT_MODE_ONESHOT);
+- __tick_program_event(newdev, next_event, 1);
++ tick_dev_program_event(newdev, next_event, 1);
+ }
+
+ /**
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:35 2008
+Message-Id: <20081006230535.459811976@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:05 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 16/28] HPET: make minimum reprogramming delta useful
+Content-Disposition: inline; filename=timer-fix-06.patch
+Content-Length: 1475
+Lines: 41
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7cfb0435330364f90f274a26ecdc5f47f738498c upstream
+
+The minimum reprogramming delta was hardcoded in HPET ticks,
+which is stupid as it does not work with faster running HPETs.
+The C1E idle patches made this prominent on AMD/RS690 chipsets,
+where the HPET runs with 25MHz. Set it to 5us which seems to be
+a reasonable value and fixes the problems on the bug reporters
+machines. We have a further sanity check now in the clock events,
+which increases the delta when it is not sufficient.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
+Tested-by: Dmitry Nezhevenko <dion@inhex.net>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -222,8 +222,8 @@ static void hpet_legacy_clockevent_regis
+ /* Calculate the min / max delta */
+ hpet_clockevent.max_delta_ns = clockevent_delta2ns(0x7FFFFFFF,
+ &hpet_clockevent);
+- hpet_clockevent.min_delta_ns = clockevent_delta2ns(0x30,
+- &hpet_clockevent);
++ /* 5 usec minimum reprogramming delta. */
++ hpet_clockevent.min_delta_ns = 5000;
+
+ /*
+ * Start hpet with the boot cpu mask and make it
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:35 2008
+Message-Id: <20081006230535.623499959@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:06 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 17/28] clockevents: broadcast fixup possible waiters
+Content-Disposition: inline; filename=timer-fix-07.patch
+Content-Length: 2236
+Lines: 77
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7300711e8c6824fcfbd42a126980ff50439d8dd0 upstream
+
+Until the C1E patches arrived there where no users of periodic broadcast
+before switching to oneshot mode. Now we need to trigger a possible
+waiter for a periodic broadcast when switching to oneshot mode.
+Otherwise we can starve them for ever.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/tick-broadcast.c | 37 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -490,6 +490,18 @@ static void tick_broadcast_clear_oneshot
+ cpu_clear(cpu, tick_broadcast_oneshot_mask);
+ }
+
++static void tick_broadcast_init_next_event(cpumask_t *mask, ktime_t expires)
++{
++ struct tick_device *td;
++ int cpu;
++
++ for_each_cpu_mask(cpu, *mask) {
++ td = &per_cpu(tick_cpu_device, cpu);
++ if (td->evtdev)
++ td->evtdev->next_event = expires;
++ }
++}
++
+ /**
+ * tick_broadcast_setup_oneshot - setup the broadcast device
+ */
+@@ -497,9 +509,32 @@ void tick_broadcast_setup_oneshot(struct
+ {
+ /* Set it up only once ! */
+ if (bc->event_handler != tick_handle_oneshot_broadcast) {
++ int was_periodic = bc->mode == CLOCK_EVT_MODE_PERIODIC;
++ int cpu = smp_processor_id();
++ cpumask_t mask;
++
+ bc->event_handler = tick_handle_oneshot_broadcast;
+ clockevents_set_mode(bc, CLOCK_EVT_MODE_ONESHOT);
+- bc->next_event.tv64 = KTIME_MAX;
++
++ /* Take the do_timer update */
++ tick_do_timer_cpu = cpu;
++
++ /*
++ * We must be careful here. There might be other CPUs
++ * waiting for periodic broadcast. We need to set the
++ * oneshot_mask bits for those and program the
++ * broadcast device to fire.
++ */
++ mask = tick_broadcast_mask;
++ cpu_clear(cpu, mask);
++ cpus_or(tick_broadcast_oneshot_mask,
++ tick_broadcast_oneshot_mask, mask);
++
++ if (was_periodic && !cpus_empty(mask)) {
++ tick_broadcast_init_next_event(&mask, tick_next_period);
++ tick_broadcast_set_event(tick_next_period, 1);
++ } else
++ bc->next_event.tv64 = KTIME_MAX;
+ }
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:35 2008
+Message-Id: <20081006230535.820842778@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:07 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 18/28] x86: HPET fix moronic 32/64bit thinko
+Content-Disposition: inline; filename=timer-fix-08.patch
+Content-Length: 1518
+Lines: 55
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit f7676254f179eac6b5244a80195ec8ae0e9d4606 upstream
+
+We use the HPET only in 32bit mode because:
+1) some HPETs are 32bit only
+2) on i386 there is no way to read/write the HPET atomic 64bit wide
+
+The HPET code unification done by the "moron of the year" did
+not take into account that unsigned long is different on 32 and
+64 bit.
+
+This thinko results in a possible endless loop in the clockevents
+code, when the return comparison fails due to the 64bit/332bit
+unawareness.
+
+unsigned long cnt = (u32) hpet_read() + delta can wrap over 32bit.
+but the final compare will fail and return -ETIME causing endless
+loops.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -282,15 +282,15 @@ static void hpet_legacy_set_mode(enum cl
+ }
+
+ static int hpet_legacy_next_event(unsigned long delta,
+- struct clock_event_device *evt)
++ struct clock_event_device *evt)
+ {
+- unsigned long cnt;
++ u32 cnt;
+
+ cnt = hpet_readl(HPET_COUNTER);
+- cnt += delta;
++ cnt += (u32) delta;
+ hpet_writel(cnt, HPET_T0_CMP);
+
+- return ((long)(hpet_readl(HPET_COUNTER) - cnt ) > 0) ? -ETIME : 0;
++ return (s32)((u32)hpet_readl(HPET_COUNTER) - cnt) >= 0 ? -ETIME : 0;
+ }
+
+ /*
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:36 2008
+Message-Id: <20081006230535.964488549@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:08 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 19/28] x86: HPET: read back compare register before reading counter
+Content-Disposition: inline; filename=timer-fix-09.patch
+Content-Length: 1185
+Lines: 39
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 72d43d9bc9210d24d09202eaf219eac09e17b339 upstream
+
+After fixing the u32 thinko I sill had occasional hickups on ATI chipsets
+with small deltas. There seems to be a delay between writing the compare
+register and the transffer to the internal register which triggers the
+interrupt. Reading back the value makes sure, that it hit the internal
+match register befor we compare against the counter value.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/hpet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -290,6 +290,13 @@ static int hpet_legacy_next_event(unsign
+ cnt += (u32) delta;
+ hpet_writel(cnt, HPET_T0_CMP);
+
++ /*
++ * We need to read back the CMP register to make sure that
++ * what we wrote hit the chip before we compare it to the
++ * counter.
++ */
++ WARN_ON((u32)hpet_readl(HPET_T0_CMP) != cnt);
++
+ return (s32)((u32)hpet_readl(HPET_COUNTER) - cnt) >= 0 ? -ETIME : 0;
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:36 2008
+Message-Id: <20081006230536.112052485@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:09 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ "Maciej W. Rozycki" <macro@linux-mips.org>,
+ Ingo Molnar <mingo@elte.hu>
+Subject: [patch 20/28] ntp: fix calculation of the next jiffie to trigger RTC sync
+Content-Disposition: inline; filename=timer-fix-10.patch
+Content-Length: 2377
+Lines: 58
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Maciej W. Rozycki <macro@linux-mips.org>
+
+commit 4ff4b9e19a80b73959ebeb28d1df40176686f0a8 upstream
+
+We have a bug in the calculation of the next jiffie to trigger the RTC
+synchronisation. The aim here is to run sync_cmos_clock() as close as
+possible to the middle of a second. Which means we want this function to
+be called less than or equal to half a jiffie away from when now.tv_nsec
+equals 5e8 (500000000).
+
+If this is not the case for a given call to the function, for this purpose
+instead of updating the RTC we calculate the offset in nanoseconds to the
+next point in time where now.tv_nsec will be equal 5e8. The calculated
+offset is then converted to jiffies as these are the unit used by the
+timer.
+
+Hovewer timespec_to_jiffies() used here uses a ceil()-type rounding mode,
+where the resulting value is rounded up. As a result the range of
+now.tv_nsec when the timer will trigger is from 5e8 to 5e8 + TICK_NSEC
+rather than the desired 5e8 - TICK_NSEC / 2 to 5e8 + TICK_NSEC / 2.
+
+As a result if for example sync_cmos_clock() happens to be called at the
+time when now.tv_nsec is between 5e8 + TICK_NSEC / 2 and 5e8 to 5e8 +
+TICK_NSEC, it will simply be rescheduled HZ jiffies later, falling in the
+same range of now.tv_nsec again. Similarly for cases offsetted by an
+integer multiple of TICK_NSEC.
+
+This change addresses the problem by subtracting TICK_NSEC / 2 from the
+nanosecond offset to the next point in time where now.tv_nsec will be
+equal 5e8, effectively shifting the following rounding in
+timespec_to_jiffies() so that it produces a rounded-to-nearest result.
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/ntp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -205,7 +205,7 @@ static void sync_cmos_clock(unsigned lon
+ if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec / 2)
+ fail = update_persistent_clock(now);
+
+- next.tv_nsec = (NSEC_PER_SEC / 2) - now.tv_nsec;
++ next.tv_nsec = (NSEC_PER_SEC / 2) - now.tv_nsec - (TICK_NSEC / 2);
+ if (next.tv_nsec <= 0)
+ next.tv_nsec += NSEC_PER_SEC;
+
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:36 2008
+Message-Id: <20081006230536.285845382@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:10 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Thomas Gleixner <tglx@linutronix.de>
+Subject: [patch 21/28] clockevents: remove WARN_ON which was used to gather information
+Content-Disposition: inline; filename=timer-fix-11.patch
+Content-Length: 1849
+Lines: 58
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 61c22c34c6f80a8e89cff5ff717627c54cc14fd4 upstream
+
+The issue of the endless reprogramming loop due to a too small
+min_delta_ns was fixed with the previous updates of the clock events
+code, but we had no information about the spread of this problem. I
+added a WARN_ON to get automated information via kerneloops.org and to
+get some direct reports, which allowed me to analyse the affected
+machines.
+
+The WARN_ON has served its purpose and would be annoying for a release
+kernel. Remove it and just keep the information about the increase of
+the min_delta_ns value.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/tick-oneshot.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/kernel/time/tick-oneshot.c
++++ b/kernel/time/tick-oneshot.c
+@@ -43,19 +43,17 @@ int tick_dev_program_event(struct clock_
+ * and emit a warning.
+ */
+ if (++i > 2) {
+- printk(KERN_WARNING "CE: __tick_program_event of %s is "
+- "stuck %llx %llx\n", dev->name ? dev->name : "?",
+- now.tv64, expires.tv64);
+- printk(KERN_WARNING
+- "CE: increasing min_delta_ns %ld to %ld nsec\n",
+- dev->min_delta_ns, dev->min_delta_ns << 1);
+- WARN_ON(1);
+-
+- /* Double the min. delta and try again */
++ /* Increase the min. delta and try again */
+ if (!dev->min_delta_ns)
+ dev->min_delta_ns = 5000;
+ else
+- dev->min_delta_ns <<= 1;
++ dev->min_delta_ns += dev->min_delta_ns >> 1;
++
++ printk(KERN_WARNING
++ "CE: %s increasing min_delta_ns to %lu nsec\n",
++ dev->name ? dev->name : "?",
++ dev->min_delta_ns << 1);
++
+ i = 0;
+ }
+
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:36 2008
+Message-Id: <20081006230536.416183246@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:11 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org,
+ jejb@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Zachary Amsden <zach@vmware.com>,
+ Ingo Molnar <mingo@redhat.com>,
+ Glauber de Oliveira Costa <gcosta@redhat.com>
+Subject: [patch 22/28] x86: Fix broken LDT access in VMI
+Content-Disposition: inline; filename=x86-fix-broken-ldt-access-in-vmi.patch
+Content-Length: 1366
+Lines: 40
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Zachary Amsden <zach@vmware.com>
+
+commit de59985e3a623d4d5d6207f1777398ca0606ab1c upstream
+
+After investigating a JRE failure, I found this bug was introduced a
+long time ago, and had already managed to survive another bugfix which
+occurred on the same line. The result is a total failure of the JRE due
+to LDT selectors not working properly.
+
+This one took a long time to rear up because LDT usage is not very
+common, but the bug is quite serious. It got introduced along with
+another bug, already fixed, by 75b8bb3e56ca09a467fbbe5229bc68627f7445be
+
+Signed-off-by: Zachary Amsden <zach@vmware.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Glauber de Oliveira Costa <gcosta@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/vmi_32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/vmi_32.c
++++ b/arch/x86/kernel/vmi_32.c
+@@ -234,7 +234,7 @@ static void vmi_write_ldt_entry(struct d
+ const void *desc)
+ {
+ u32 *ldt_entry = (u32 *)desc;
+- vmi_ops.write_idt_entry(dt, entry, ldt_entry[0], ldt_entry[1]);
++ vmi_ops.write_ldt_entry(dt, entry, ldt_entry[0], ldt_entry[1]);
+ }
+
+ static void vmi_load_sp0(struct tss_struct *tss,
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:36 2008
+Message-Id: <20081006230536.588776970@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:12 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Neil Horman <nhorman@tuxdriver.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 23/28] ipv6: Fix OOPS in ip6_dst_lookup_tail().
+Content-Disposition: inline; filename=0001-ipv6-Fix-OOPS-in-ip6_dst_lookup_tail.patch
+Content-Length: 3011
+Lines: 105
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit e550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b ]
+
+This fixes kernel bugzilla 11469: "TUN with 1024 neighbours:
+ip6_dst_lookup_tail NULL crash"
+
+dst->neighbour is not necessarily hooked up at this point
+in the processing path, so blindly dereferencing it is
+the wrong thing to do. This NULL check exists in other
+similar paths and this case was just an oversight.
+
+Also fix the completely wrong and confusing indentation
+here while we're at it.
+
+Based upon a patch by Evgeniy Polyakov.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_output.c | 64 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 32 insertions(+), 32 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -930,39 +930,39 @@ static int ip6_dst_lookup_tail(struct so
+ }
+
+ #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
+- /*
+- * Here if the dst entry we've looked up
+- * has a neighbour entry that is in the INCOMPLETE
+- * state and the src address from the flow is
+- * marked as OPTIMISTIC, we release the found
+- * dst entry and replace it instead with the
+- * dst entry of the nexthop router
+- */
+- if (!((*dst)->neighbour->nud_state & NUD_VALID)) {
+- struct inet6_ifaddr *ifp;
+- struct flowi fl_gw;
+- int redirect;
+-
+- ifp = ipv6_get_ifaddr(&init_net, &fl->fl6_src,
+- (*dst)->dev, 1);
+-
+- redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
+- if (ifp)
+- in6_ifa_put(ifp);
+-
+- if (redirect) {
+- /*
+- * We need to get the dst entry for the
+- * default router instead
+- */
+- dst_release(*dst);
+- memcpy(&fl_gw, fl, sizeof(struct flowi));
+- memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
+- *dst = ip6_route_output(sk, &fl_gw);
+- if ((err = (*dst)->error))
+- goto out_err_release;
+- }
++ /*
++ * Here if the dst entry we've looked up
++ * has a neighbour entry that is in the INCOMPLETE
++ * state and the src address from the flow is
++ * marked as OPTIMISTIC, we release the found
++ * dst entry and replace it instead with the
++ * dst entry of the nexthop router
++ */
++ if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) {
++ struct inet6_ifaddr *ifp;
++ struct flowi fl_gw;
++ int redirect;
++
++ ifp = ipv6_get_ifaddr(&init_net, &fl->fl6_src,
++ (*dst)->dev, 1);
++
++ redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
++ if (ifp)
++ in6_ifa_put(ifp);
++
++ if (redirect) {
++ /*
++ * We need to get the dst entry for the
++ * default router instead
++ */
++ dst_release(*dst);
++ memcpy(&fl_gw, fl, sizeof(struct flowi));
++ memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
++ *dst = ip6_route_output(sk, &fl_gw);
++ if ((err = (*dst)->error))
++ goto out_err_release;
+ }
++ }
+ #endif
+
+ return 0;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:36 2008
+Message-Id: <20081006230536.737674455@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:13 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Santwona Behera <santwona.behera@sun.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 24/28] niu: panic on reset
+Content-Disposition: inline; filename=0002-niu-panic-on-reset.patch
+Content-Length: 2377
+Lines: 94
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Santwona Behera <santwona.behera@sun.com>
+
+[ Upstream commit cff502a38394fd33693f6233e03fca363dfa956d ]
+
+The reset_task function in the niu driver does not reset the tx and rx
+buffers properly. This leads to panic on reset. This patch is a
+modified implementation of the previously posted fix.
+
+Signed-off-by: Santwona Behera <santwona.behera@sun.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/niu.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/drivers/net/niu.c
++++ b/drivers/net/niu.c
+@@ -5230,6 +5230,56 @@ static void niu_netif_start(struct niu *
+ niu_enable_interrupts(np, 1);
+ }
+
++static void niu_reset_buffers(struct niu *np)
++{
++ int i, j, k, err;
++
++ if (np->rx_rings) {
++ for (i = 0; i < np->num_rx_rings; i++) {
++ struct rx_ring_info *rp = &np->rx_rings[i];
++
++ for (j = 0, k = 0; j < MAX_RBR_RING_SIZE; j++) {
++ struct page *page;
++
++ page = rp->rxhash[j];
++ while (page) {
++ struct page *next =
++ (struct page *) page->mapping;
++ u64 base = page->index;
++ base = base >> RBR_DESCR_ADDR_SHIFT;
++ rp->rbr[k++] = cpu_to_le32(base);
++ page = next;
++ }
++ }
++ for (; k < MAX_RBR_RING_SIZE; k++) {
++ err = niu_rbr_add_page(np, rp, GFP_ATOMIC, k);
++ if (unlikely(err))
++ break;
++ }
++
++ rp->rbr_index = rp->rbr_table_size - 1;
++ rp->rcr_index = 0;
++ rp->rbr_pending = 0;
++ rp->rbr_refill_pending = 0;
++ }
++ }
++ if (np->tx_rings) {
++ for (i = 0; i < np->num_tx_rings; i++) {
++ struct tx_ring_info *rp = &np->tx_rings[i];
++
++ for (j = 0; j < MAX_TX_RING_SIZE; j++) {
++ if (rp->tx_buffs[j].skb)
++ (void) release_tx_packet(np, rp, j);
++ }
++
++ rp->pending = MAX_TX_RING_SIZE;
++ rp->prod = 0;
++ rp->cons = 0;
++ rp->wrap_bit = 0;
++ }
++ }
++}
++
+ static void niu_reset_task(struct work_struct *work)
+ {
+ struct niu *np = container_of(work, struct niu, reset_task);
+@@ -5252,6 +5302,12 @@ static void niu_reset_task(struct work_s
+
+ niu_stop_hw(np);
+
++ spin_unlock_irqrestore(&np->lock, flags);
++
++ niu_reset_buffers(np);
++
++ spin_lock_irqsave(&np->lock, flags);
++
+ err = niu_init_hw(np);
+ if (!err) {
+ np->timer.expires = jiffies + HZ;
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:37 2008
+Message-Id: <20081006230536.895880806@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:14 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Vegard Nossum <vegard.nossum@gmail.com>,
+ Thomas Graf <tgraf@suug.ch>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 25/28] netlink: fix overrun in attribute iteration
+Content-Disposition: inline; filename=0003-netlink-fix-overrun-in-attribute-iteration.patch
+Content-Length: 3110
+Lines: 93
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Vegard Nossum <vegard.nossum@gmail.com>
+
+[ Upstream commit 1045b03e07d85f3545118510a587035536030c1c ]
+
+kmemcheck reported this:
+
+ kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
+ 0500110001508abf050010000500000002017300140000006f72672e66726565
+ i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
+ ^
+
+ Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13)
+ EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0
+ EIP is at nla_parse+0x5a/0xf0
+ EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005
+ ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88
+ DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+ CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0
+ DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000
+ DR6: ffff4ff0 DR7: 00000400
+ [<c05d4b23>] rtnl_setlink+0x63/0x130
+ [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200
+ [<c05ddf66>] netlink_rcv_skb+0x76/0xa0
+ [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30
+ [<c05dda21>] netlink_unicast+0x281/0x290
+ [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0
+ [<c05beef2>] sock_sendmsg+0xd2/0x100
+ [<c05bf945>] sys_sendto+0xa5/0xd0
+ [<c05bf9a6>] sys_send+0x36/0x40
+ [<c05c03d6>] sys_socketcall+0x1e6/0x2c0
+ [<c020353b>] sysenter_do_call+0x12/0x3f
+ [<ffffffff>] 0xffffffff
+
+This is the line in nla_ok():
+
+ /**
+ * nla_ok - check if the netlink attribute fits into the remaining bytes
+ * @nla: netlink attribute
+ * @remaining: number of bytes remaining in attribute stream
+ */
+ static inline int nla_ok(const struct nlattr *nla, int remaining)
+ {
+ return remaining >= sizeof(*nla) &&
+ nla->nla_len >= sizeof(*nla) &&
+ nla->nla_len <= remaining;
+ }
+
+It turns out that remaining can become negative due to alignment in
+nla_next(). But GCC promotes "remaining" to unsigned in the test
+against sizeof(*nla) above. Therefore the test succeeds, and the
+nla_for_each_attr() may access memory outside the received buffer.
+
+A short example illustrating this point is here:
+
+ #include <stdio.h>
+
+ main(void)
+ {
+ printf("%d\n", -1 >= sizeof(int));
+ }
+
+...which prints "1".
+
+This patch adds a cast in front of the sizeof so that GCC will make
+a signed comparison and fix the illegal memory dereference. With the
+patch applied, there is no kmemcheck report.
+
+Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
+Acked-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/netlink.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/netlink.h
++++ b/include/net/netlink.h
+@@ -704,7 +704,7 @@ static inline int nla_len(const struct n
+ */
+ static inline int nla_ok(const struct nlattr *nla, int remaining)
+ {
+- return remaining >= sizeof(*nla) &&
++ return remaining >= (int) sizeof(*nla) &&
+ nla->nla_len >= sizeof(*nla) &&
+ nla->nla_len <= remaining;
+ }
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:37 2008
+Message-Id: <20081006230537.071324822@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:15 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Vlad Yasevich <vladislav.yasevich@hp.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 26/28] sctp: do not enable peer features if we cant do them.
+Content-Disposition: inline; filename=0004-sctp-do-not-enable-peer-features-if-we-can-t-do-the.patch
+Content-Length: 1664
+Lines: 53
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit 0ef46e285c062cbe35d60c0adbff96f530d31c86 ]
+
+Do not enable peer features like addip and auth, if they
+are administratively disabled localy. If the peer resports
+that he supports something that we don't, neither end can
+use it so enabling it is pointless. This solves a problem
+when talking to a peer that has auth and addip enabled while
+we do not. Found by Andrei Pelinescu-Onciul <andrei@iptel.org>.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/sm_make_chunk.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1886,11 +1886,13 @@ static void sctp_process_ext_param(struc
+ /* if the peer reports AUTH, assume that he
+ * supports AUTH.
+ */
+- asoc->peer.auth_capable = 1;
++ if (sctp_auth_enable)
++ asoc->peer.auth_capable = 1;
+ break;
+ case SCTP_CID_ASCONF:
+ case SCTP_CID_ASCONF_ACK:
+- asoc->peer.asconf_capable = 1;
++ if (sctp_addip_enable)
++ asoc->peer.asconf_capable = 1;
+ break;
+ default:
+ break;
+@@ -2454,6 +2456,9 @@ static int sctp_process_param(struct sct
+ break;
+
+ case SCTP_PARAM_SET_PRIMARY:
++ if (!sctp_addip_enable)
++ goto fall_through;
++
+ addr_param = param.v + sizeof(sctp_addip_param_t);
+
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:37 2008
+Message-Id: <20081006230537.215048257@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:16 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Vlad Yasevich <vladislav.yasevich@hp.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 27/28] sctp: Fix oops when INIT-ACK indicates that peer doesnt support AUTH
+Content-Disposition: inline; filename=0005-sctp-Fix-oops-when-INIT-ACK-indicates-that-peer-doe.patch
+Content-Length: 2354
+Lines: 70
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+[ Upstream commit add52379dde2e5300e2d574b172e62c6cf43b3d3 ]
+
+If INIT-ACK is received with SupportedExtensions parameter which
+indicates that the peer does not support AUTH, the packet will be
+silently ignore, and sctp_process_init() do cleanup all of the
+transports in the association.
+When T1-Init timer is expires, OOPS happen while we try to choose
+a different init transport.
+
+The solution is to only clean up the non-active transports, i.e
+the ones that the peer added. However, that introduces a problem
+with sctp_connectx(), because we don't mark the proper state for
+the transports provided by the user. So, we'll simply mark
+user-provided transports as ACTIVE. That will allow INIT
+retransmissions to work properly in the sctp_connectx() context
+and prevent the crash.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/associola.c | 9 +++++----
+ net/sctp/sm_make_chunk.c | 6 ++----
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -588,11 +588,12 @@ struct sctp_transport *sctp_assoc_add_pe
+ /* Check to see if this is a duplicate. */
+ peer = sctp_assoc_lookup_paddr(asoc, addr);
+ if (peer) {
++ /* An UNKNOWN state is only set on transports added by
++ * user in sctp_connectx() call. Such transports should be
++ * considered CONFIRMED per RFC 4960, Section 5.4.
++ */
+ if (peer->state == SCTP_UNKNOWN) {
+- if (peer_state == SCTP_ACTIVE)
+- peer->state = SCTP_ACTIVE;
+- if (peer_state == SCTP_UNCONFIRMED)
+- peer->state = SCTP_UNCONFIRMED;
++ peer->state = SCTP_ACTIVE;
+ }
+ return peer;
+ }
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2321,12 +2321,10 @@ clean_up:
+ /* Release the transport structures. */
+ list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
+ transport = list_entry(pos, struct sctp_transport, transports);
+- list_del_init(pos);
+- sctp_transport_free(transport);
++ if (transport->state != SCTP_ACTIVE)
++ sctp_assoc_rm_peer(asoc, transport);
+ }
+
+- asoc->peer.transport_count = 0;
+-
+ nomem:
+ return 0;
+ }
+
+--
+
+From gregkh@mini.kroah.org Mon Oct 6 16:05:37 2008
+Message-Id: <20081006230537.381407459@mini.kroah.org>
+References: <20081006225949.357365087@mini.kroah.org>
+User-Agent: quilt/0.46-1
+Date: Mon, 06 Oct 2008 16:00:17 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: Justin Forbes <jmforbes@linuxtx.org>,
+ Zwane Mwaikambo <zwane@arm.linux.org.uk>,
+ Theodore Ts'o <tytso@mit.edu>,
+ Randy Dunlap <rdunlap@xenotime.net>,
+ Dave Jones <davej@redhat.com>,
+ Chuck Wolber <chuckw@quantumlinux.com>,
+ Chris Wedgwood <reviews@ml.cw.f00f.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Domenico Andreoli <cavokz@gmail.com>,
+ Willy Tarreau <w@1wt.eu>,
+ Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
+ Jake Edge <jake@lwn.net>,
+ Eugene Teo <eteo@redhat.com>,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Herbert Xu <herbert@gondor.apana.org.au>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 28/28] udp: Fix rcv socket locking
+Content-Disposition: inline; filename=0006-udp-Fix-rcv-socket-locking.patch
+Content-Length: 3998
+Lines: 152
+
+2.6.25-stable review patch. If anyone has any objections, please let us
+know.
+
+------------------
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commits d97106ea52aa57e63ff40d04479016836bbb5a4e and
+ 93821778def10ec1e69aa3ac10adee975dad4ff3 ]
+
+The previous patch in response to the recursive locking on IPsec
+reception is broken as it tries to drop the BH socket lock while in
+user context.
+
+This patch fixes it by shrinking the section protected by the
+socket lock to sock_queue_rcv_skb only. The only reason we added
+the lock is for the accounting which happens in that function.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/udp.c | 57 +++++++++++++++++++++++++++++++++------------------------
+ net/ipv6/udp.c | 6 +++---
+ 2 files changed, 36 insertions(+), 27 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -956,6 +956,27 @@ int udp_disconnect(struct sock *sk, int
+ return 0;
+ }
+
++static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
++{
++ int is_udplite = IS_UDPLITE(sk);
++ int rc;
++
++ if ((rc = sock_queue_rcv_skb(sk, skb)) < 0) {
++ /* Note that an ENOMEM error is charged twice */
++ if (rc == -ENOMEM)
++ UDP_INC_STATS_BH(UDP_MIB_RCVBUFERRORS,
++ is_udplite);
++ goto drop;
++ }
++
++ return 0;
++
++drop:
++ UDP_INC_STATS_BH(UDP_MIB_INERRORS, is_udplite);
++ kfree_skb(skb);
++ return -1;
++}
++
+ /* returns:
+ * -1: error
+ * 0: success
+@@ -1046,14 +1067,16 @@ int udp_queue_rcv_skb(struct sock * sk,
+ goto drop;
+ }
+
+- if ((rc = sock_queue_rcv_skb(sk,skb)) < 0) {
+- /* Note that an ENOMEM error is charged twice */
+- if (rc == -ENOMEM)
+- UDP_INC_STATS_BH(UDP_MIB_RCVBUFERRORS, is_udplite);
+- goto drop;
+- }
++ rc = 0;
+
+- return 0;
++ bh_lock_sock(sk);
++ if (!sock_owned_by_user(sk))
++ rc = __udp_queue_rcv_skb(sk, skb);
++ else
++ sk_add_backlog(sk, skb);
++ bh_unlock_sock(sk);
++
++ return rc;
+
+ drop:
+ UDP_INC_STATS_BH(UDP_MIB_INERRORS, is_udplite);
+@@ -1091,15 +1114,7 @@ static int __udp4_lib_mcast_deliver(stru
+ skb1 = skb_clone(skb, GFP_ATOMIC);
+
+ if (skb1) {
+- int ret = 0;
+-
+- bh_lock_sock_nested(sk);
+- if (!sock_owned_by_user(sk))
+- ret = udp_queue_rcv_skb(sk, skb1);
+- else
+- sk_add_backlog(sk, skb1);
+- bh_unlock_sock(sk);
+-
++ int ret = udp_queue_rcv_skb(sk, skb1);
+ if (ret > 0)
+ /* we should probably re-process instead
+ * of dropping packets here. */
+@@ -1192,13 +1207,7 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ uh->dest, inet_iif(skb), udptable);
+
+ if (sk != NULL) {
+- int ret = 0;
+- bh_lock_sock_nested(sk);
+- if (!sock_owned_by_user(sk))
+- ret = udp_queue_rcv_skb(sk, skb);
+- else
+- sk_add_backlog(sk, skb);
+- bh_unlock_sock(sk);
++ int ret = udp_queue_rcv_skb(sk, skb);
+ sock_put(sk);
+
+ /* a return value > 0 means to resubmit the input, but
+@@ -1493,7 +1502,7 @@ struct proto udp_prot = {
+ .sendmsg = udp_sendmsg,
+ .recvmsg = udp_recvmsg,
+ .sendpage = udp_sendpage,
+- .backlog_rcv = udp_queue_rcv_skb,
++ .backlog_rcv = __udp_queue_rcv_skb,
+ .hash = udp_lib_hash,
+ .unhash = udp_lib_unhash,
+ .get_port = udp_v4_get_port,
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -373,7 +373,7 @@ static int __udp6_lib_mcast_deliver(stru
+ uh->source, saddr, dif))) {
+ struct sk_buff *buff = skb_clone(skb, GFP_ATOMIC);
+ if (buff) {
+- bh_lock_sock_nested(sk2);
++ bh_lock_sock(sk2);
+ if (!sock_owned_by_user(sk2))
+ udpv6_queue_rcv_skb(sk2, buff);
+ else
+@@ -381,7 +381,7 @@ static int __udp6_lib_mcast_deliver(stru
+ bh_unlock_sock(sk2);
+ }
+ }
+- bh_lock_sock_nested(sk);
++ bh_lock_sock(sk);
+ if (!sock_owned_by_user(sk))
+ udpv6_queue_rcv_skb(sk, skb);
+ else
+@@ -499,7 +499,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
+
+ /* deliver */
+
+- bh_lock_sock_nested(sk);
++ bh_lock_sock(sk);
+ if (!sock_owned_by_user(sk))
+ udpv6_queue_rcv_skb(sk, skb);
+ else
+
+--
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
