more .27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 11 Nov 2008 21:33:56 +0000 (13:33 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 11 Nov 2008 21:33:56 +0000 (13:33 -0800)
queue-2.6.27/alsa-hda-make-a-stac_dell_eq-option.patch [new file with mode: 0644]
queue-2.6.27/fix-__pfn_to_page-for-config_discontigmem-y.patch [new file with mode: 0644]
queue-2.6.27/hfs-fix-namelength-memory-corruption.patch [new file with mode: 0644]
queue-2.6.27/hfsplus-check-read_mapping_page-return-value.patch [new file with mode: 0644]
queue-2.6.27/hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch [new file with mode: 0644]
queue-2.6.27/libata-fix-last_reset-timestamp-handling.patch [new file with mode: 0644]
queue-2.6.27/mmc-increase-sd-write-timeout-for-crappy-cards.patch [new file with mode: 0644]
queue-2.6.27/series

diff --git a/queue-2.6.27/alsa-hda-make-a-stac_dell_eq-option.patch b/queue-2.6.27/alsa-hda-make-a-stac_dell_eq-option.patch
new file mode 100644 (file)
index 0000000..911ef73
--- /dev/null
@@ -0,0 +1,82 @@
+From tiwai@suse.de  Tue Nov 11 13:16:00 2008
+From: Matthew Ranostay <mranostay@embeddedalley.com>
+Date: Wed, 05 Nov 2008 08:40:59 +0100
+Subject: ALSA: hda: make a STAC_DELL_EQ option
+To: Greg KH <greg@kroah.com>
+Cc: Matthew Ranostay <mranostay@embeddedalley.com>, stable@kernel.org
+Message-ID: <s5h7i7imxh0.wl%tiwai@suse.de>
+
+
+From: Matthew Ranostay <mranostay@embeddedalley.com>
+
+commit 6b3ab21ef1ac15db4b053ce0ba8eae0ef9361c8a upstream.
+
+Add support for explicitly enabling the EQ distortion hack for
+systems without software biquad support.
+
+Signed-off-by: Matthew Ranostay <mranostay@embeddedalley.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_sigmatel.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -67,6 +67,7 @@ enum {
+ enum {
+       STAC_92HD73XX_REF,
+       STAC_DELL_M6,
++      STAC_DELL_EQ,
+       STAC_92HD73XX_MODELS
+ };
+@@ -560,9 +561,7 @@ static struct hda_verb dell_eq_core_init
+ };
+ static struct hda_verb dell_m6_core_init[] = {
+-      /* set master volume to max value without distortion
+-       * and direct control */
+-      { 0x1f, AC_VERB_SET_VOLUME_KNOB_CONTROL, 0xec},
++      { 0x1f, AC_VERB_SET_VOLUME_KNOB_CONTROL, 0xff},
+       /* setup audio connections */
+       { 0x0d, AC_VERB_SET_CONNECT_SEL, 0x00},
+       { 0x0a, AC_VERB_SET_CONNECT_SEL, 0x01},
+@@ -1297,11 +1296,13 @@ static unsigned int dell_m6_pin_configs[
+ static unsigned int *stac92hd73xx_brd_tbl[STAC_92HD73XX_MODELS] = {
+       [STAC_92HD73XX_REF]     = ref92hd73xx_pin_configs,
+       [STAC_DELL_M6]  = dell_m6_pin_configs,
++      [STAC_DELL_EQ]  = dell_m6_pin_configs,
+ };
+ static const char *stac92hd73xx_models[STAC_92HD73XX_MODELS] = {
+       [STAC_92HD73XX_REF] = "ref",
+       [STAC_DELL_M6] = "dell-m6",
++      [STAC_DELL_EQ] = "dell-eq",
+ };
+ static struct snd_pci_quirk stac92hd73xx_cfg_tbl[] = {
+@@ -3560,8 +3561,12 @@ again:
+       spec->gpio_data = 0x01;
+       switch (spec->board_config) {
+-      case STAC_DELL_M6:
++      case STAC_DELL_EQ:
+               spec->init = dell_eq_core_init;
++              /* fallthru */
++      case STAC_DELL_M6:
++              if (!spec->init)
++                      spec->init = dell_m6_core_init;
+               switch (codec->subsystem_id) {
+               case 0x1028025e: /* Analog Mics */
+               case 0x1028025f:
+@@ -3570,8 +3575,6 @@ again:
+                       break;
+               case 0x10280271: /* Digital Mics */
+               case 0x10280272:
+-                      spec->init = dell_m6_core_init;
+-                      /* fall-through */
+               case 0x10280254:
+               case 0x10280255:
+                       stac92xx_set_config_reg(codec, 0x13, 0x90A60160);
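Review bot: In the `case STAC_DELL_M6:` arm, `if (!spec->init) spec->init = dell_m6_core_init;` only takes effect when `spec->init` is still NULL on entry to the switch. The function starts outside the hunk (only the `again:` label is visible), so if an earlier step or a previous pass through `again:` has already assigned `spec->init`, plain `dell-m6` boards would silently keep that table instead of `dell_m6_core_init`. Keying the choice on the model does not depend on that state: `if (spec->board_config != STAC_DELL_EQ) spec->init = dell_m6_core_init;`. Separately, the `0xff` knob value in `dell_m6_core_init` replaces `0xec` and drops the comment that explained it; a short comment saying why `0xff` is now used would keep the intent visible.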
diff --git a/queue-2.6.27/fix-__pfn_to_page-for-config_discontigmem-y.patch b/queue-2.6.27/fix-__pfn_to_page-for-config_discontigmem-y.patch
new file mode 100644 (file)
index 0000000..5fe7f2c
--- /dev/null
@@ -0,0 +1,39 @@
+From c5d712433ff57a66d8fb79a57a4fc7a7c3467b97 Mon Sep 17 00:00:00 2001
+From: Rafael J. Wysocki <rjw@sisk.pl>
+Date: Sat, 8 Nov 2008 13:53:33 +0100
+Subject: Fix __pfn_to_page(pfn) for CONFIG_DISCONTIGMEM=y
+
+From: Rafael J. Wysocki <rjw@sisk.pl>
+
+commit c5d712433ff57a66d8fb79a57a4fc7a7c3467b97 upstream
+
+Fix the __pfn_to_page(pfn) macro so that it doesn't evaluate its
+argument twice in the CONFIG_DISCONTIGMEM=y case, because 'pfn' may
+be a result of a funtion call having side effects.
+
+For example, the hibernation code applies pfn_to_page(pfn) to the
+result of a function returning the pfn corresponding to the next set
+bit in a bitmap and the current bit position is modified on each
+call.  This leads to "interesting" failures for CONFIG_DISCONTIGMEM=y
+due to the current behavior of __pfn_to_page(pfn).
+
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Acked-by: Pavel Machek <pavel@suse.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/asm-generic/memory_model.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/asm-generic/memory_model.h
++++ b/include/asm-generic/memory_model.h
+@@ -34,7 +34,7 @@
+ #define __pfn_to_page(pfn)                    \
+ ({    unsigned long __pfn = (pfn);            \
+-      unsigned long __nid = arch_pfn_to_nid(pfn);  \
++      unsigned long __nid = arch_pfn_to_nid(__pfn);  \
+       NODE_DATA(__nid)->node_mem_map + arch_local_page_offset(__pfn, __nid);\
+ })
diff --git a/queue-2.6.27/hfs-fix-namelength-memory-corruption.patch b/queue-2.6.27/hfs-fix-namelength-memory-corruption.patch
new file mode 100644 (file)
index 0000000..ef073da
--- /dev/null
@@ -0,0 +1,37 @@
+From d38b7aa7fc3371b52d036748028db50b585ade2e Mon Sep 17 00:00:00 2001
+From: Eric Sesterhenn <snakebyte@gmx.de>
+Date: Wed, 15 Oct 2008 22:04:11 -0700
+Subject: hfs: fix namelength memory corruption (CVE-2008-5025)
+
+From: Eric Sesterhenn <snakebyte@gmx.de>
+
+commit d38b7aa7fc3371b52d036748028db50b585ade2e upstream
+
+Fix a stack corruption caused by a corrupted hfs filesystem.  If the
+catalog name length is corrupted the memcpy overwrites the catalog btree
+structure.  Since the field is limited to HFS_NAMELEN bytes in the
+structure and the file format, we throw an error if it is too long.
+
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfs/catalog.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block
+       fd->search_key->cat.ParID = rec.thread.ParID;
+       len = fd->search_key->cat.CName.len = rec.thread.CName.len;
++      if (len > HFS_NAMELEN) {
++              printk(KERN_ERR "hfs: bad catalog namelength\n");
++              return -EIO;
++      }
+       memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
+       return hfs_brec_find(fd);
+ }
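Review bot: The new `len > HFS_NAMELEN` check runs after the chained assignment on the context line above it has already written the unvalidated on-disk value into `fd->search_key->cat.CName.len`, so the `-EIO` return leaves an out-of-range length in the caller's search key. Nothing visible here reads the key after the error, but validating before storing removes the question: `len = rec.thread.CName.len;`, then the check, then `fd->search_key->cat.CName.len = len;`. The comparison also assumes `len` cannot be negative; its declaration is outside the hunk, so confirm the source field is an unsigned byte. Because the message is reachable from whatever image is mounted, a rate-limited print would keep a damaged volume from flooding the log.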
diff --git a/queue-2.6.27/hfsplus-check-read_mapping_page-return-value.patch b/queue-2.6.27/hfsplus-check-read_mapping_page-return-value.patch
new file mode 100644 (file)
index 0000000..2b67cef
--- /dev/null
@@ -0,0 +1,108 @@
+From 649f1ee6c705aab644035a7998d7b574193a598a Mon Sep 17 00:00:00 2001
+From: Eric Sesterhenn <snakebyte@gmx.de>
+Date: Wed, 15 Oct 2008 22:04:10 -0700
+Subject: hfsplus: check read_mapping_page() return value (CVE-2008-4934)
+
+From: Eric Sesterhenn <snakebyte@gmx.de>
+
+commit 649f1ee6c705aab644035a7998d7b574193a598a upstream.
+
+While testing more corrupted images with hfsplus, i came across
+one which triggered the following bug:
+
+[15840.675016] BUG: unable to handle kernel paging request at fffffffb
+[15840.675016] IP: [<c0116a4f>] kmap+0x15/0x56
+[15840.675016] *pde = 00008067 *pte = 00000000
+[15840.675016] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
+[15840.675016] Modules linked in:
+[15840.675016]
+[15840.675016] Pid: 11575, comm: ln Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #29)
+[15840.675016] EIP: 0060:[<c0116a4f>] EFLAGS: 00010202 CPU: 0
+[15840.675016] EIP is at kmap+0x15/0x56
+[15840.675016] EAX: 00000246 EBX: fffffffb ECX: 00000000 EDX: cab919c0
+[15840.675016] ESI: 000007dd EDI: cab0bcf4 EBP: cab0bc98 ESP: cab0bc94
+[15840.675016]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
+[15840.675016] Process ln (pid: 11575, ti=cab0b000 task=cab919c0 task.ti=cab0b000)
+[15840.675016] Stack: 00000000 cab0bcdc c0231cfb 00000000 cab0bce0 00000800 ca9290c0 fffffffb
+[15840.675016]        cab145d0 cab919c0 cab15998 22222222 22222222 22222222 00000001 cab15960
+[15840.675016]        000007dd cab0bcf4 cab0bd04 c022cb3a cab0bcf4 cab15a6c ca9290c0 00000000
+[15840.675016] Call Trace:
+[15840.675016]  [<c0231cfb>] ? hfsplus_block_allocate+0x6f/0x2d3
+[15840.675016]  [<c022cb3a>] ? hfsplus_file_extend+0xc4/0x1db
+[15840.675016]  [<c022ce41>] ? hfsplus_get_block+0x8c/0x19d
+[15840.675016]  [<c06adde4>] ? sub_preempt_count+0x9d/0xab
+[15840.675016]  [<c019ece6>] ? __block_prepare_write+0x147/0x311
+[15840.675016]  [<c0161934>] ? __grab_cache_page+0x52/0x73
+[15840.675016]  [<c019ef4f>] ? block_write_begin+0x79/0xd5
+[15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
+[15840.675016]  [<c019f22a>] ? cont_write_begin+0x27f/0x2af
+[15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
+[15840.675016]  [<c0139ebe>] ? tick_program_event+0x28/0x4c
+[15840.675016]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[15840.675016]  [<c022b723>] ? hfsplus_write_begin+0x2d/0x32
+[15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
+[15840.675016]  [<c0161988>] ? pagecache_write_begin+0x33/0x107
+[15840.675016]  [<c01879e5>] ? __page_symlink+0x3c/0xae
+[15840.675016]  [<c019ad34>] ? __mark_inode_dirty+0x12f/0x137
+[15840.675016]  [<c0187a70>] ? page_symlink+0x19/0x1e
+[15840.675016]  [<c022e6eb>] ? hfsplus_symlink+0x41/0xa6
+[15840.675016]  [<c01886a9>] ? vfs_symlink+0x99/0x101
+[15840.675016]  [<c018a2f6>] ? sys_symlinkat+0x6b/0xad
+[15840.675016]  [<c018a348>] ? sys_symlink+0x10/0x12
+[15840.675016]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
+[15840.675016]  =======================
+[15840.675016] Code: 00 00 75 10 83 3d 88 2f ec c0 02 75 07 89 d0 e8 12 56 05 00 5d c3 55 ba 06 00 00 00 89 e5 53 89 c3 b8 3d eb 7e c0 e8 16 74 00 00 <8b> 03 c1 e8 1e 69 c0 d8 02 00 00 05 b8 69 8e c0 2b 80 c4 02 00
+[15840.675016] EIP: [<c0116a4f>] kmap+0x15/0x56 SS:ESP 0068:cab0bc94
+[15840.675016] ---[ end trace 4fea40dad6b70e5f ]---
+
+This happens because the return value of read_mapping_page() is passed on
+to kmap unchecked.  The bug is triggered after the first
+read_mapping_page() in hfsplus_block_allocate(), this patch fixes all
+three usages in this functions but leaves the ones further down in the
+file unchanged.
+
+Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfsplus/bitmap.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/hfsplus/bitmap.c
++++ b/fs/hfsplus/bitmap.c
+@@ -32,6 +32,10 @@ int hfsplus_block_allocate(struct super_
+       mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
+       mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
+       page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL);
++      if (IS_ERR(page)) {
++              start = size;
++              goto out;
++      }
+       pptr = kmap(page);
+       curr = pptr + (offset & (PAGE_CACHE_BITS - 1)) / 32;
+       i = offset % 32;
+@@ -73,6 +77,10 @@ int hfsplus_block_allocate(struct super_
+                       break;
+               page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
+                                        NULL);
++              if (IS_ERR(page)) {
++                      start = size;
++                      goto out;
++              }
+               curr = pptr = kmap(page);
+               if ((size ^ offset) / PAGE_CACHE_BITS)
+                       end = pptr + PAGE_CACHE_BITS / 32;
+@@ -120,6 +128,10 @@ found:
+               offset += PAGE_CACHE_BITS;
+               page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
+                                        NULL);
++              if (IS_ERR(page)) {
++                      start = size;
++                      goto out;
++              }
+               pptr = kmap(page);
+               curr = pptr;
+               end = pptr + PAGE_CACHE_BITS / 32;
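Review bot: All three added `IS_ERR(page)` branches drop the error code from `read_mapping_page()` and signal failure only through `start = size`, which a caller presumably cannot tell apart from "no free block found", so an I/O error on the allocation file would surface as an out-of-space condition. At the third site, after `found:`, the bail-out lands in the middle of marking a run; if bits were already set and the previous page dirtied (that code is outside the hunk), they stay allocated while the function reports that nothing was allocated. A comment at each branch, for example `/* read failed: report "nothing found"; PTR_ERR(page) is dropped */`, would make that choice explicit. The `out:` label is also outside the hunk; confirm it releases `i_mutex` on these new paths.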
diff --git a/queue-2.6.27/hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch b/queue-2.6.27/hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch
new file mode 100644 (file)
index 0000000..aabf021
--- /dev/null
@@ -0,0 +1,125 @@
+From efc7ffcb4237f8cb9938909041c4ed38f6e1bf40 Mon Sep 17 00:00:00 2001
+From: Eric Sesterhenn <snakebyte@gmx.de>
+Date: Wed, 15 Oct 2008 22:04:08 -0700
+Subject: hfsplus: fix Buffer overflow with a corrupted image (CVE-2008-4933)
+
+From: Eric Sesterhenn <snakebyte@gmx.de>
+
+commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40 upstream
+
+When an hfsplus image gets corrupted it might happen that the catalog
+namelength field gets b0rked.  If we mount such an image the memcpy() in
+hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
+field.  Depending on the size of the overwritten data, we either only get
+memory corruption or also trigger an oops like this:
+
+[  221.628020] BUG: unable to handle kernel paging request at c82b0000
+[  221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
+[  221.629066] *pde = 0ea29163 *pte = 082b0160
+[  221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
+[  221.629066] Modules linked in:
+[  221.629066]
+[  221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
+[  221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
+[  221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
+[  221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
+[  221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
+[  221.629066]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
+[  221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
+[  221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
+[  221.629066]        01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
+[  221.629066]        00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
+[  221.629066] Call Trace:
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
+[  221.629066]  [<c01302d2>] ? __kernel_text_address+0x1b/0x27
+[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
+[  221.629066]  [<c0109e32>] ? save_stack_address+0x0/0x2c
+[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
+[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
+[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
+[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
+[  221.629066]  [<c013553d>] ? down+0xc/0x2f
+[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
+[  221.629066]  [<c013da5d>] ? mark_held_locks+0x43/0x5a
+[  221.629066]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
+[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
+[  221.629066]  [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
+[  221.629066]  [<c013555c>] ? down+0x2b/0x2f
+[  221.629066]  [<c022aa68>] ? hfsplus_iget+0xa0/0x154
+[  221.629066]  [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
+[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
+[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
+[  221.629066]  [<c041c9e4>] ? string+0x2b/0x74
+[  221.629066]  [<c041cd16>] ? vsnprintf+0x2e9/0x512
+[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
+[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
+[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
+[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
+[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
+[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
+[  221.629066]  [<c01354d3>] ? up+0xc/0x2f
+[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
+[  221.629066]  [<c041cfb7>] ? snprintf+0x1b/0x1d
+[  221.629066]  [<c01ba466>] ? disk_name+0x25/0x67
+[  221.629066]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
+[  221.629066]  [<c016ad92>] ? kstrdup+0x2a/0x4c
+[  221.629066]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
+[  221.629066]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
+[  221.629066]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
+[  221.629066]  [<c0183602>] ? do_kern_mount+0x32/0xba
+[  221.629066]  [<c01960d4>] ? do_new_mount+0x46/0x74
+[  221.629066]  [<c0196277>] ? do_mount+0x175/0x193
+[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
+[  221.629066]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
+[  221.629066]  [<c06ac07b>] ? lock_kernel+0x19/0x8c
+[  221.629066]  [<c01962e6>] ? sys_mount+0x51/0x9b
+[  221.629066]  [<c01962f9>] ? sys_mount+0x64/0x9b
+[  221.629066]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
+[  221.629066]  =======================
+[  221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
+[  221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
+[  221.629066] ---[ end trace e417a1d67f0d0066 ]---
+
+Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
+the check is performed at the callsite.
+
+Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
+Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/hfsplus/catalog.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -168,6 +168,11 @@ int hfsplus_find_cat(struct super_block 
+               return -EIO;
+       }
++      if (be16_to_cpu(tmp.thread.nodeName.length) > 255) {
++              printk(KERN_ERR "hfs: catalog name length corrupted\n");
++              return -EIO;
++      }
++
+       hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID),
+                                &tmp.thread.nodeName);
+       return hfs_brec_find(fd);
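Review bot: The bound in the added check is a bare `255`, and the struct that `nodeName` belongs to is declared outside this hunk, so a reader cannot confirm here that the literal matches the size of the name field. hfsplus already defines `HFSPLUS_MAX_STRLEN` for this limit, and `if (be16_to_cpu(tmp.thread.nodeName.length) > HFSPLUS_MAX_STRLEN) {` ties the check to it. The guard sits at the call site rather than in `hfsplus_cat_build_key_uni()`, so a comment on that helper stating that callers must bound `length` before calling would protect any future caller. `hfsplus_find_cat()` starts outside the hunk.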
diff --git a/queue-2.6.27/libata-fix-last_reset-timestamp-handling.patch b/queue-2.6.27/libata-fix-last_reset-timestamp-handling.patch
new file mode 100644 (file)
index 0000000..b8ac2a9
--- /dev/null
@@ -0,0 +1,95 @@
+From 19b723218bde79c60a394a3caee9eb156ac2d356 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 4 Nov 2008 17:08:40 +0900
+Subject: libata: fix last_reset timestamp handling
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 19b723218bde79c60a394a3caee9eb156ac2d356 upstream
+
+ehc->last_reset is used to ensure that resets are not issued too
+close to each other.  It's initialized to jiffies minus one minute
+on EH entry.  However, when new links are initialized after PMP is
+probed, new links have zero for this timestamp resulting in long wait
+depending on the current jiffies.
+
+This patch makes last_set considered iff ATA_EHI_DID_RESET is set, in
+which case last_reset is always initialized.  As an added precaution,
+WARN_ON() is added so that warning is printed if last_reset is
+in future.
+
+This problem is spotted and debugged by Shane Huang.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Shane Huang <Shane.Huang@amd.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/libata-eh.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -604,9 +604,6 @@ void ata_scsi_error(struct Scsi_Host *ho
+                               if (ata_ncq_enabled(dev))
+                                       ehc->saved_ncq_enabled |= 1 << devno;
+                       }
+-
+-                      /* set last reset timestamp to some time in the past */
+-                      ehc->last_reset = jiffies - 60 * HZ;
+               }
+               ap->pflags |= ATA_PFLAG_EH_IN_PROGRESS;
+@@ -2209,17 +2206,21 @@ int ata_eh_reset(struct ata_link *link, 
+       if (link->flags & ATA_LFLAG_NO_SRST)
+               softreset = NULL;
+-      now = jiffies;
+-      deadline = ata_deadline(ehc->last_reset, ATA_EH_RESET_COOL_DOWN);
+-      if (time_before(now, deadline))
+-              schedule_timeout_uninterruptible(deadline - now);
++      /* make sure each reset attemp is at least COOL_DOWN apart */
++      if (ehc->i.flags & ATA_EHI_DID_RESET) {
++              now = jiffies;
++              WARN_ON(time_after(ehc->last_reset, now));
++              deadline = ata_deadline(ehc->last_reset,
++                                      ATA_EH_RESET_COOL_DOWN);
++              if (time_before(now, deadline))
++                      schedule_timeout_uninterruptible(deadline - now);
++      }
+       spin_lock_irqsave(ap->lock, flags);
+       ap->pflags |= ATA_PFLAG_RESETTING;
+       spin_unlock_irqrestore(ap->lock, flags);
+       ata_eh_about_to_do(link, NULL, ATA_EH_RESET);
+-      ehc->last_reset = jiffies;
+       ata_link_for_each_dev(dev, link) {
+               /* If we issue an SRST then an ATA drive (not ATAPI)
+@@ -2285,7 +2286,6 @@ int ata_eh_reset(struct ata_link *link, 
+       /*
+        * Perform reset
+        */
+-      ehc->last_reset = jiffies;
+       if (ata_is_host_link(link))
+               ata_eh_freeze_port(ap);
+@@ -2297,6 +2297,7 @@ int ata_eh_reset(struct ata_link *link, 
+                                       reset == softreset ? "soft" : "hard");
+               /* mark that this EH session started with reset */
++              ehc->last_reset = jiffies;
+               if (reset == hardreset)
+                       ehc->i.flags |= ATA_EHI_DID_HARDRESET;
+               else
+@@ -2404,7 +2405,7 @@ int ata_eh_reset(struct ata_link *link, 
+       /* reset successful, schedule revalidation */
+       ata_eh_done(link, NULL, ATA_EH_RESET);
+-      ehc->last_reset = jiffies;
++      ehc->last_reset = jiffies;      /* update to completion time */
+       ehc->i.action |= ATA_EH_REVALIDATE;
+       rc = 0;
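Review bot: After this change `ehc->last_reset` is meaningful only while `ATA_EHI_DID_RESET` is set, but no comment in the code says so. It is only implied by the guard in the second hunk and by the assignment moved next to the `ATA_EHI_DID_*` flag updates in the fourth. A comment on the cool-down block such as `/* last_reset is valid only if ATA_EHI_DID_RESET is set */` would stop a later change from reading the timestamp unguarded, which is the zero-timestamp wait this patch fixes. The added comment also has a typo, `attemp` for `attempt`. `ata_eh_reset()` starts and ends outside these hunks.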
diff --git a/queue-2.6.27/mmc-increase-sd-write-timeout-for-crappy-cards.patch b/queue-2.6.27/mmc-increase-sd-write-timeout-for-crappy-cards.patch
new file mode 100644 (file)
index 0000000..84a5fa8
--- /dev/null
@@ -0,0 +1,38 @@
+From 493890e75d98810a3470b4aae23be628ee5e9667 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <drzeus@drzeus.cx>
+Date: Sun, 26 Oct 2008 12:37:25 +0100
+Subject: mmc: increase SD write timeout for crappy cards
+
+From: Pierre Ossman <drzeus@drzeus.cx>
+
+commit 493890e75d98810a3470b4aae23be628ee5e9667 upstream.
+
+It seems that some cards are slightly out of spec and occasionally
+will not be able to complete a write in the alloted 250 ms [1].
+Incease the timeout slightly to allow even these cards to function
+properly.
+
+[1] http://lkml.org/lkml/2008/9/23/390
+
+Signed-off-by: Pierre Ossman <drzeus@drzeus.cx>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mmc/core/core.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -280,7 +280,11 @@ void mmc_set_data_timeout(struct mmc_dat
+                       (card->host->ios.clock / 1000);
+               if (data->flags & MMC_DATA_WRITE)
+-                      limit_us = 250000;
++                      /*
++                       * The limit is really 250 ms, but that is
++                       * insufficient for some crappy cards.
++                       */
++                      limit_us = 300000;
+               else
+                       limit_us = 100000;
index 4f4558354eeb86f9ff7bf91d360967d0507a3d54..67b65559f894055c20788922999e69b1da70d3a3 100644 (file)
@@ -38,3 +38,10 @@ cpqarry-fix-return-value-of-cpqarray_init.patch
 acpi-dock-avoid-check-_sta-method.patch
 arm-5300-1-fixup-spitz-reset-during-boot.patch
 keys-make-request-key-instantiate-the-per-user-keyrings.patch
+libata-fix-last_reset-timestamp-handling.patch
+alsa-hda-make-a-stac_dell_eq-option.patch
+fix-__pfn_to_page-for-config_discontigmem-y.patch
+mmc-increase-sd-write-timeout-for-crappy-cards.patch
+hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch
+hfsplus-check-read_mapping_page-return-value.patch
+hfs-fix-namelength-memory-corruption.patch