--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:15:48 2008
+From: Uli Luckas <u.luckas@road.de>
+To: stable@kernel.org
+Date: Sun, 24 Feb 2008 15:55:37 +0100
+Message-Id: <200802241555.39230.u.luckas@road.de>
+Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
+Subject: ARM pxa: fix clock lookup to find specific device clocks
+
+From: Russell King <rmk@dyn-67.arm.linux.org.uk>
+commit: a0dd005d1d9f4c3beab52086f3844ef9342d1e67
+
+Ensure that the clock lookup always finds an entry for a specific
+device and ID before it falls back to finding just by ID. This
+fixes a problem reported by Holger Schurig where the BTUART was
+assigned the wrong clock.
+
+Tested-by: Holger Schurig <hs4233@mail.mn-solutions.de>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+Uli Luckas notes:
+
+ The patch fixes the otherwise unusable bluetooth uart on pxa25x. The
+ patch is written by Russell King [1] who also gave his OK for
+ stable inclusion [2]. The patch is also available as commit
+ a0dd005d1d9f4c3beab52086f3844ef9342d1e67 to Linus' tree.
+
+ [1] http://marc.info/?l=linux-arm-kernel&m=120298366510315
+ [2] http://marc.info/?l=linux-arm-kernel&m=120384388411097
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ arch/arm/mach-pxa/clock.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/mach-pxa/clock.c
++++ b/arch/arm/mach-pxa/clock.c
+@@ -23,18 +23,27 @@ static LIST_HEAD(clocks);
+ static DEFINE_MUTEX(clocks_mutex);
+ static DEFINE_SPINLOCK(clocks_lock);
+
++static struct clk *clk_lookup(struct device *dev, const char *id)
++{
++ struct clk *p;
++
++ list_for_each_entry(p, &clocks, node)
++ if (strcmp(id, p->name) == 0 && p->dev == dev)
++ return p;
++
++ return NULL;
++}
++
+ struct clk *clk_get(struct device *dev, const char *id)
+ {
+ struct clk *p, *clk = ERR_PTR(-ENOENT);
+
+ mutex_lock(&clocks_mutex);
+- list_for_each_entry(p, &clocks, node) {
+- if (strcmp(id, p->name) == 0 &&
+- (p->dev == NULL || p->dev == dev)) {
+- clk = p;
+- break;
+- }
+- }
++ p = clk_lookup(dev, id);
++ if (!p)
++ p = clk_lookup(NULL, id);
++ if (p)
++ clk = p;
+ mutex_unlock(&clocks_mutex);
+
+ return clk;
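Review bot: clk_lookup() walks the global `clocks` list without taking a lock itself, so it is only safe because clk_get() calls it between mutex_lock(&clocks_mutex) and mutex_unlock(); nothing in the new helper records that. A one-line comment above it, `/* Caller must hold clocks_mutex. */`, would keep a later caller from using it unlocked. The helper also passes `id` straight to strcmp(), so a NULL id would fault; the removed loop did the same, but if callers can pass NULL it deserves a guard or a documented precondition. clk_get()'s closing brace is outside the hunk.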
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:32:28 2008
+Date: Sun, 24 Feb 2008 02:10:07 GMT
+Message-Id: <200802240210.m1O2A7rF015414@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: file capabilities: simplify signal check
+
+From: Serge E. Hallyn <serue@us.ibm.com>
+commit: 094972840f2e7c1c6fc9e1a97d817cc17085378e
+
+Simplify the uid equivalence check in cap_task_kill(). Anyone can kill a
+process owned by the same uid.
+
+Without this patch wireshark is reported to fail.
+
+Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ security/commoncap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -539,7 +539,7 @@ int cap_task_kill(struct task_struct *p,
+ * allowed.
+ * We must preserve legacy signal behavior in this case.
+ */
+- if (p->euid == 0 && p->uid == current->uid)
++ if (p->uid == current->uid)
+ return 0;
+
+ /* sigcont is permitted within same session */
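Review bot: The comment kept above the changed test still speaks of preserving legacy behaviour "in this case", but `if (p->uid == current->uid)` no longer carries the `p->euid == 0` qualifier, so it now returns 0 for every target with the same real uid before any later check in cap_task_kill() runs. Only the tail of that comment is visible here, so this is hedged, but it looks stale. It should state that same-uid signalling is always allowed, e.g. `/* Same real uid: always allowed, regardless of the target's euid or capabilities. */`. That makes the widened allow path explicit for anyone auditing signal permissions on processes that hold file capabilities.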
--- /dev/null
+From 1a823ac9ff09cbdf39201df37b7ede1f9395de83 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Sat, 23 Feb 2008 15:23:27 -0800
+Message-Id: <E1JTapR-00079g-QF@pomaz-ex.szeredi.hu>
+Subject: fuse: fix permission checking
+
+[upstream commit 1a823ac9ff09cbdf39201df37b7ede1f9395de83]
+
+I added a nasty local variable shadowing bug to fuse in 2.6.24, with the
+result, that the 'default_permissions' mount option is basically ignored.
+
+How did this happen?
+
+ - old err declaration in inner scope
+ - new err getting declared in outer scope
+ - 'return err' from inner scope getting removed
+ - old declaration not being noticed
+
+-Wshadow would have saved us, but it doesn't seem practical for
+the kernel :(
+
+More testing would have also saved us :((
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/fuse/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -905,7 +905,7 @@ static int fuse_permission(struct inode
+ }
+
+ if (fc->flags & FUSE_DEFAULT_PERMISSIONS) {
+- int err = generic_permission(inode, mask, NULL);
++ err = generic_permission(inode, mask, NULL);
+
+ /* If permission is denied, try to refresh file
+ attributes. This is also needed, because the root
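Review bot: The assignment `err = generic_permission(inode, mask, NULL);` now writes the function-scope `err`, whose declaration and final return are outside this hunk, so the fix holds only as long as nobody re-adds a block-local `err` here. Since the failure mode was a permission result that never reached the caller under `default_permissions`, a short comment is worth adding, e.g. `/* uses the function-scope err: the result must reach the final return */`. The commit message notes that -Wshadow is not practical for the kernel, which leaves the comment as the only in-code reminder.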
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:31:39 2008
+Date: Sun, 24 Feb 2008 02:10:06 GMT
+Message-Id: <200802240210.m1O2A6Et015329@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: futex: fix init order
+
+From: Thomas Gleixner <tglx@linutronix.de>
+commit: 3e4ab747efa8e78562ec6782b08bbf21a00aba1b
+
+When the futex init code fails to initialize the futex pseudo file system it
+returns early without initializing the hash queues. Should the boot succeed
+then a futex syscall which tries to enqueue a waiter on the hashqueue will
+crash due to the unitilialized plist heads.
+
+Initialize the hash queues before the filesystem.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Cc: Lennert Buytenhek <buytenh@wantstofly.org>
+Cc: Riku Voipio <riku.voipio@movial.fi>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ kernel/futex.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2123,8 +2123,14 @@ static struct file_system_type futex_fs_
+
+ static int __init init(void)
+ {
+- int i = register_filesystem(&futex_fs_type);
++ int i;
+
++ for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
++ plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
++ spin_lock_init(&futex_queues[i].lock);
++ }
++
++ i = register_filesystem(&futex_fs_type);
+ if (i)
+ return i;
+
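Review bot: `i` now serves first as the loop index over futex_queues and then as the return code of register_filesystem(), which makes `if (i) return i;` harder to read than it needs to be. Declaring `int i, err;` at the top and using `err = register_filesystem(&futex_fs_type);` followed by `if (err) return err;` would keep the two roles apart. The loop also compares a signed `i` with ARRAY_SIZE(), which is unsigned; an unsigned index avoids the mixed comparison. The rest of init() is in the next hunk.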
+@@ -2134,10 +2140,6 @@ static int __init init(void)
+ return PTR_ERR(futex_mnt);
+ }
+
+- for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
+- plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
+- spin_lock_init(&futex_queues[i].lock);
+- }
+ return 0;
+ }
+ __initcall(init);
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:30:10 2008
+Date: Sun, 24 Feb 2008 02:10:05 GMT
+Message-Id: <200802240210.m1O2A5n3015260@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: futex: runtime enable pi and robust functionality
+
+From: Thomas Gleixner <tglx@linutronix.de>
+commit: a0c1e9073ef7428a14309cba010633a6cd6719ea
+
+Not all architectures implement futex_atomic_cmpxchg_inatomic(). The default
+implementation returns -ENOSYS, which is currently not handled inside of the
+futex guts.
+
+Futex PI calls and robust list exits with a held futex result in an endless
+loop in the futex code on architectures which have no support.
+
+Fixing up every place where futex_atomic_cmpxchg_inatomic() is called would
+add a fair amount of extra if/else constructs to the already complex code. It
+is also not possible to disable the robust feature before user space tries to
+register robust lists.
+
+Compile time disabling is not a good idea either, as there are already
+architectures with runtime detection of futex_atomic_cmpxchg_inatomic support.
+
+Detect the functionality at runtime instead by calling
+cmpxchg_futex_value_locked() with a NULL pointer from the futex initialization
+code. This is guaranteed to fail, but the call of
+futex_atomic_cmpxchg_inatomic() happens with pagefaults disabled.
+
+On architectures, which use the asm-generic implementation or have a runtime
+CPU feature detection, a -ENOSYS return value disables the PI/robust features.
+
+On architectures with a working implementation the call returns -EFAULT and
+the PI/robust features are enabled.
+
+The relevant syscalls return -ENOSYS and the robust list exit code is blocked,
+when the detection fails.
+
+Fixes http://lkml.org/lkml/2008/2/11/149
+Originally reported by: Lennart Buytenhek
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Cc: Lennert Buytenhek <buytenh@wantstofly.org>
+Cc: Riku Voipio <riku.voipio@movial.fi>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ include/linux/futex.h | 1 +
+ kernel/futex.c | 38 ++++++++++++++++++++++++++++++++++----
+ kernel/futex_compat.c | 9 +++++++++
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+
+--- a/include/linux/futex.h
++++ b/include/linux/futex.h
+@@ -153,6 +153,7 @@ union futex_key {
+ #ifdef CONFIG_FUTEX
+ extern void exit_robust_list(struct task_struct *curr);
+ extern void exit_pi_state_list(struct task_struct *curr);
++extern int futex_cmpxchg_enabled;
+ #else
+ static inline void exit_robust_list(struct task_struct *curr)
+ {
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -60,6 +60,8 @@
+
+ #include "rtmutex_common.h"
+
++int __read_mostly futex_cmpxchg_enabled;
++
+ #define FUTEX_HASHBITS (CONFIG_BASE_SMALL ? 4 : 8)
+
+ /*
+@@ -466,6 +468,8 @@ void exit_pi_state_list(struct task_stru
+ struct futex_hash_bucket *hb;
+ union futex_key key;
+
++ if (!futex_cmpxchg_enabled)
++ return;
+ /*
+ * We are a ZOMBIE and nobody can enqueue itself on
+ * pi_state_list anymore, but we have to be careful
+@@ -1854,6 +1858,8 @@ asmlinkage long
+ sys_set_robust_list(struct robust_list_head __user *head,
+ size_t len)
+ {
++ if (!futex_cmpxchg_enabled)
++ return -ENOSYS;
+ /*
+ * The kernel knows only one size for now:
+ */
+@@ -1878,6 +1884,9 @@ sys_get_robust_list(int pid, struct robu
+ struct robust_list_head __user *head;
+ unsigned long ret;
+
++ if (!futex_cmpxchg_enabled)
++ return -ENOSYS;
++
+ if (!pid)
+ head = current->robust_list;
+ else {
+@@ -1980,6 +1989,9 @@ void exit_robust_list(struct task_struct
+ unsigned long futex_offset;
+ int rc;
+
++ if (!futex_cmpxchg_enabled)
++ return;
++
+ /*
+ * Fetch the list head (which was registered earlier, via
+ * sys_set_robust_list()):
+@@ -2034,7 +2046,7 @@ void exit_robust_list(struct task_struct
+ long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+ u32 __user *uaddr2, u32 val2, u32 val3)
+ {
+- int ret;
++ int ret = -ENOSYS;
+ int cmd = op & FUTEX_CMD_MASK;
+ struct rw_semaphore *fshared = NULL;
+
+@@ -2062,13 +2074,16 @@ long do_futex(u32 __user *uaddr, int op,
+ ret = futex_wake_op(uaddr, fshared, uaddr2, val, val2, val3);
+ break;
+ case FUTEX_LOCK_PI:
+- ret = futex_lock_pi(uaddr, fshared, val, timeout, 0);
++ if (futex_cmpxchg_enabled)
++ ret = futex_lock_pi(uaddr, fshared, val, timeout, 0);
+ break;
+ case FUTEX_UNLOCK_PI:
+- ret = futex_unlock_pi(uaddr, fshared);
++ if (futex_cmpxchg_enabled)
++ ret = futex_unlock_pi(uaddr, fshared);
+ break;
+ case FUTEX_TRYLOCK_PI:
+- ret = futex_lock_pi(uaddr, fshared, 0, timeout, 1);
++ if (futex_cmpxchg_enabled)
++ ret = futex_lock_pi(uaddr, fshared, 0, timeout, 1);
+ break;
+ default:
+ ret = -ENOSYS;
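Review bot: The three PI cases now depend on the `int ret = -ENOSYS;` initialiser from the previous hunk: when futex_cmpxchg_enabled is 0 the `if` is skipped and the case falls to `break` with the initial value. That is correct but implicit, and the `default: ret = -ENOSYS;` arm now duplicates the initialiser. Either drop the assignment in `default` or add a comment at the declaration, e.g. `/* -ENOSYS for unknown ops and for PI ops when cmpxchg is unsupported */`, so a later change to the initial value does not silently change what disabled PI ops return. do_futex() begins and ends outside this hunk.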
+@@ -2123,8 +2138,23 @@ static struct file_system_type futex_fs_
+
+ static int __init init(void)
+ {
++ u32 curval;
+ int i;
+
++ /*
++ * This will fail and we want it. Some arch implementations do
++ * runtime detection of the futex_atomic_cmpxchg_inatomic()
++ * functionality. We want to know that before we call in any
++ * of the complex code paths. Also we want to prevent
++ * registration of robust lists in that case. NULL is
++ * guaranteed to fault and we get -EFAULT on functional
++ * implementation, the non functional ones will return
++ * -ENOSYS.
++ */
++ curval = cmpxchg_futex_value_locked(NULL, 0, 0);
++ if (curval == -EFAULT)
++ futex_cmpxchg_enabled = 1;
++
+ for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
+ plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
+ spin_lock_init(&futex_queues[i].lock);
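Review bot: `curval` is a `u32` compared with `-EFAULT`, an int, so `if (curval == -EFAULT)` works only through the implicit conversion of the negative constant to unsigned. Writing `if (curval == (u32)-EFAULT)` states the intent and avoids a sign-compare warning. Any other return value leaves futex_cmpxchg_enabled at 0, which is the fail-closed choice; the block comment could say so explicitly, since this flag gates the PI and robust-list entry points changed in the other hunks. init() continues past the end of the hunk.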
+--- a/kernel/futex_compat.c
++++ b/kernel/futex_compat.c
+@@ -54,6 +54,9 @@ void compat_exit_robust_list(struct task
+ compat_long_t futex_offset;
+ int rc;
+
++ if (!futex_cmpxchg_enabled)
++ return;
++
+ /*
+ * Fetch the list head (which was registered earlier, via
+ * sys_set_robust_list()):
+@@ -115,6 +118,9 @@ asmlinkage long
+ compat_sys_set_robust_list(struct compat_robust_list_head __user *head,
+ compat_size_t len)
+ {
++ if (!futex_cmpxchg_enabled)
++ return -ENOSYS;
++
+ if (unlikely(len != sizeof(*head)))
+ return -EINVAL;
+
+@@ -130,6 +136,9 @@ compat_sys_get_robust_list(int pid, comp
+ struct compat_robust_list_head __user *head;
+ unsigned long ret;
+
++ if (!futex_cmpxchg_enabled)
++ return -ENOSYS;
++
+ if (!pid)
+ head = current->compat_robust_list;
+ else {
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:33:10 2008
+Date: Sun, 24 Feb 2008 02:10:08 GMT
+Message-Id: <200802240210.m1O2A8nV015424@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: hugetlb: ensure we do not reference a surplus page after handing it to buddy
+
+From: Andy Whitcroft <apw@shadowen.org>
+commit: e5df70ab194543522397fa3da8c8f80564a0f7d3
+
+When we free a page via free_huge_page and we detect that we are in surplus
+the page will be returned to the buddy. After this we no longer own the page.
+
+However at the end free_huge_page we clear out our mapping pointer from
+page private. Even where the page is not a surplus we free the page to
+the hugepage pool, drop the pool locks and then clear page private. In
+either case the page may have been reallocated. BAD.
+
+Make sure we clear out page private before we free the page.
+
+Signed-off-by: Andy Whitcroft <apw@shadowen.org>
+Acked-by: Adam Litke <agl@us.ibm.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ mm/hugetlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -119,6 +119,7 @@ static void free_huge_page(struct page *
+ struct address_space *mapping;
+
+ mapping = (struct address_space *) page_private(page);
++ set_page_private(page, 0);
+ BUG_ON(page_count(page));
+ INIT_LIST_HEAD(&page->lru);
+
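Review bot: The new `set_page_private(page, 0);` sits right after the page_private() read with nothing in the code to say why its position matters. Per the commit message the page is handed to buddy or to the pool further down and may be reallocated, so clearing private afterwards would write to a page this code no longer owns. A comment such as `/* Clear private while we still own the page; it may be reallocated once freed below. */` would keep the call from being moved back to the end of the function. free_huge_page() continues in the next hunk.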
+@@ -133,7 +134,6 @@ static void free_huge_page(struct page *
+ spin_unlock(&hugetlb_lock);
+ if (mapping)
+ hugetlb_put_quota(mapping, 1);
+- set_page_private(page, 0);
+ }
+
+ /*
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:46:38 2008
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20080225140102.20602.42947.sendpatchset@localhost.localdomain>
+Date: Mon, 25 Feb 2008 15:01:04 +0100 (MET)
+Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: fix ebtable targets return
+
+Upstream commit 1b04ab459:
+
+The function ebt_do_table doesn't take NF_DROP as a verdict from the targets.
+
+Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/bridge/netfilter/ebt_dnat.c | 2 +-
+ net/bridge/netfilter/ebt_redirect.c | 2 +-
+ net/bridge/netfilter/ebt_snat.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/bridge/netfilter/ebt_dnat.c
++++ b/net/bridge/netfilter/ebt_dnat.c
+@@ -21,7 +21,7 @@ static int ebt_target_dnat(struct sk_buf
+ struct ebt_nat_info *info = (struct ebt_nat_info *)data;
+
+ if (!skb_make_writable(skb, 0))
+- return NF_DROP;
++ return EBT_DROP;
+
+ memcpy(eth_hdr(skb)->h_dest, info->mac, ETH_ALEN);
+ return info->target;
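Review bot: Nothing in these targets records that ebt_do_table() expects EBT_* verdicts rather than NF_* ones, which is exactly the mix-up corrected at `return EBT_DROP;`. A one-line comment on the failure path, `/* ebtables targets return EBT_* verdicts, not NF_* */`, would help, and the same applies to the identical hunks in ebt_redirect.c and ebt_snat.c. Separately, `info->target` is returned as the verdict with no check visible here; presumably it is validated when the rule is loaded, which is outside this hunk.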
+--- a/net/bridge/netfilter/ebt_redirect.c
++++ b/net/bridge/netfilter/ebt_redirect.c
+@@ -22,7 +22,7 @@ static int ebt_target_redirect(struct sk
+ struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
+
+ if (!skb_make_writable(skb, 0))
+- return NF_DROP;
++ return EBT_DROP;
+
+ if (hooknr != NF_BR_BROUTING)
+ memcpy(eth_hdr(skb)->h_dest,
+--- a/net/bridge/netfilter/ebt_snat.c
++++ b/net/bridge/netfilter/ebt_snat.c
+@@ -23,7 +23,7 @@ static int ebt_target_snat(struct sk_buf
+ struct ebt_nat_info *info = (struct ebt_nat_info *) data;
+
+ if (!skb_make_writable(skb, 0))
+- return NF_DROP;
++ return EBT_DROP;
+
+ memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN);
+ if (!(info->target & NAT_ARP_BIT) &&
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:44:30 2008
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20080225140100.20602.23690.sendpatchset@localhost.localdomain>
+Date: Mon, 25 Feb 2008 15:01:02 +0100 (MET)
+Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: Fix incorrect use of skb_make_writable
+
+Upstream commit eb1197bc0:
+
+http://bugzilla.kernel.org/show_bug.cgi?id=9920
+The function skb_make_writable returns true or false.
+
+Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/bridge/netfilter/ebt_dnat.c | 2 +-
+ net/bridge/netfilter/ebt_redirect.c | 2 +-
+ net/bridge/netfilter/ebt_snat.c | 2 +-
+ net/ipv4/netfilter/arpt_mangle.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/netfilter/ebt_dnat.c
++++ b/net/bridge/netfilter/ebt_dnat.c
+@@ -20,7 +20,7 @@ static int ebt_target_dnat(struct sk_buf
+ {
+ struct ebt_nat_info *info = (struct ebt_nat_info *)data;
+
+- if (skb_make_writable(skb, 0))
++ if (!skb_make_writable(skb, 0))
+ return NF_DROP;
+
+ memcpy(eth_hdr(skb)->h_dest, info->mac, ETH_ALEN);
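Review bot: With the test inverted, the failure path in the three ebtables targets still returns `NF_DROP`, which the companion patch in this queue ("fix ebtable targets return") says ebt_do_table() does not take as a verdict. The two patches therefore need to be applied together, and in the order the series file lists them, because the companion's context lines already contain `if (!skb_make_writable(skb, 0))`. The arpt_mangle.c hunk is not affected, since the companion patch does not touch it.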
+--- a/net/bridge/netfilter/ebt_redirect.c
++++ b/net/bridge/netfilter/ebt_redirect.c
+@@ -21,7 +21,7 @@ static int ebt_target_redirect(struct sk
+ {
+ struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
+
+- if (skb_make_writable(skb, 0))
++ if (!skb_make_writable(skb, 0))
+ return NF_DROP;
+
+ if (hooknr != NF_BR_BROUTING)
+--- a/net/bridge/netfilter/ebt_snat.c
++++ b/net/bridge/netfilter/ebt_snat.c
+@@ -22,7 +22,7 @@ static int ebt_target_snat(struct sk_buf
+ {
+ struct ebt_nat_info *info = (struct ebt_nat_info *) data;
+
+- if (skb_make_writable(skb, 0))
++ if (!skb_make_writable(skb, 0))
+ return NF_DROP;
+
+ memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN);
+--- a/net/ipv4/netfilter/arpt_mangle.c
++++ b/net/ipv4/netfilter/arpt_mangle.c
+@@ -19,7 +19,7 @@ target(struct sk_buff *skb,
+ unsigned char *arpptr;
+ int pln, hln;
+
+- if (skb_make_writable(skb, skb->len))
++ if (!skb_make_writable(skb, skb->len))
+ return NF_DROP;
+
+ arp = arp_hdr(skb);
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:41:37 2008
+From: Patrick McHardy <kaber@trash.net>
+To: stable@kernel.org
+Message-Id: <20080225140059.20602.57007.sendpatchset@localhost.localdomain>
+Date: Mon, 25 Feb 2008 15:01:01 +0100 (MET)
+Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>, davem@davemloft.net
+Subject: NETFILTER: nfnetlink_queue: fix SKB_LINEAR_ASSERT when mangling packet data
+
+Upstream commit e2b58a67:
+
+As reported by Tomas Simonaitis <tomas.simonaitis@gmail.com>, inserting new
+data in skbs queued over {ip,ip6,nfnetlink}_queue triggers a SKB_LINEAR_ASSERT
+in skb_put().
+
+Going back through the git history, it seems this bug is present since at
+least 2.6.12-rc2, probably even since the removal of skb_linearize() for
+netfilter.
+
+Linearize non-linear skbs through skb_copy_expand() when enlarging them.
+Tested by Thomas, fixes bugzilla #9933.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+Patrick, which part of commit log did you want to drop?
+
+ net/ipv4/netfilter/ip_queue.c | 12 +++++++-----
+ net/ipv6/netfilter/ip6_queue.c | 10 ++++++----
+ net/netfilter/nfnetlink_queue.c | 10 ++++++----
+ 3 files changed, 19 insertions(+), 13 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_queue.c
++++ b/net/ipv4/netfilter/ip_queue.c
+@@ -336,8 +336,8 @@ static int
+ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
+ {
+ int diff;
+- int err;
+ struct iphdr *user_iph = (struct iphdr *)v->payload;
++ struct sk_buff *nskb;
+
+ if (v->data_len < sizeof(*user_iph))
+ return 0;
+@@ -349,14 +349,16 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
+ if (v->data_len > 0xFFFF)
+ return -EINVAL;
+ if (diff > skb_tailroom(e->skb)) {
+- err = pskb_expand_head(e->skb, 0,
++ nskb = skb_copy_expand(e->skb, 0,
+ diff - skb_tailroom(e->skb),
+ GFP_ATOMIC);
+- if (err) {
++ if (!nskb) {
+ printk(KERN_WARNING "ip_queue: error "
+- "in mangle, dropping packet: %d\n", -err);
+- return err;
++ "in mangle, dropping packet\n");
++ return -ENOMEM;
+ }
++ kfree_skb(e->skb);
++ e->skb = nskb;
+ }
+ skb_put(e->skb, diff);
+ }
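Review bot: skb_copy_expand() takes the tailroom of the new buffer as its third argument, not an increment over the old one as pskb_expand_head() did. Passing `diff - skb_tailroom(e->skb)` therefore gives the copy less than `diff` bytes of tailroom whenever the original skb had any, and the following `skb_put(e->skb, diff)` would then run past the end of the buffer. The first argument of 0 likewise drops the original headroom. Since the new length appears to come from the userspace verdict message, the call should read `nskb = skb_copy_expand(e->skb, skb_headroom(e->skb), diff, GFP_ATOMIC);` (worth confirming against skb_copy_expand() in this tree). The same call appears in the ip6_queue.c and nfnetlink_queue.c hunks, and ipq_mangle_ipv4() starts and ends outside this hunk.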
+--- a/net/ipv6/netfilter/ip6_queue.c
++++ b/net/ipv6/netfilter/ip6_queue.c
+@@ -333,8 +333,8 @@ static int
+ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
+ {
+ int diff;
+- int err;
+ struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload;
++ struct sk_buff *nskb;
+
+ if (v->data_len < sizeof(*user_iph))
+ return 0;
+@@ -346,14 +346,16 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
+ if (v->data_len > 0xFFFF)
+ return -EINVAL;
+ if (diff > skb_tailroom(e->skb)) {
+- err = pskb_expand_head(e->skb, 0,
++ nskb = skb_copy_expand(e->skb, 0,
+ diff - skb_tailroom(e->skb),
+ GFP_ATOMIC);
+- if (err) {
++ if (!nskb) {
+ printk(KERN_WARNING "ip6_queue: OOM "
+ "in mangle, dropping packet\n");
+- return err;
++ return -ENOMEM;
+ }
++ kfree_skb(e->skb);
++ e->skb = nskb;
+ }
+ skb_put(e->skb, diff);
+ }
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -616,8 +616,8 @@ err_out_put:
+ static int
+ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
+ {
++ struct sk_buff *nskb;
+ int diff;
+- int err;
+
+ diff = data_len - e->skb->len;
+ if (diff < 0) {
+@@ -627,14 +627,16 @@ nfqnl_mangle(void *data, int data_len, s
+ if (data_len > 0xFFFF)
+ return -EINVAL;
+ if (diff > skb_tailroom(e->skb)) {
+- err = pskb_expand_head(e->skb, 0,
++ nskb = skb_copy_expand(e->skb, 0,
+ diff - skb_tailroom(e->skb),
+ GFP_ATOMIC);
+- if (err) {
++ if (!nskb) {
+ printk(KERN_WARNING "nf_queue: OOM "
+ "in mangle, dropping packet\n");
+- return err;
++ return -ENOMEM;
+ }
++ kfree_skb(e->skb);
++ e->skb = nskb;
+ }
+ skb_put(e->skb, diff);
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:58:53 2008
+Date: Wed, 27 Feb 2008 02:06:18 +0900
+To: stable@kernel.org
+From: FUJITA Tomonori <tomof@acm.org>
+Message-Id: <20080226090603A.tomof@acm.org>
+Cc: James.Bottomley@HansenPartnership.com, fujita.tomonori@lab.ntt.co.jp, matthew@wil.cx
+Subject: SCSI advansys: fix overrun_buf aligned bug
+
+From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+commit 7d5d408c77cee95d1380511de46b7a4c8dc2211d
+
+struct asc_dvc_var needs overrun buffer to be placed on an 8 byte
+boundary. advansys defines struct asc_dvc_var:
+
+struct asc_dvc_var {
+ ...
+ uchar overrun_buf[ASC_OVERRUN_BSIZE] __aligned(8);
+
+The problem is that struct asc_dvc_var is placed on
+shost->hostdata. So if the hostdata is not on an 8 byte boundary, the
+advansys crashes. The hostdata is placed on a sizeof(unsigned long)
+boundary so the 8 byte boundary is not garanteed with x86_32.
+
+With 2.6.23 and 2.6.24, the hostdata is on an 8 byte boundary by
+chance, but with the current git, it's not.
+
+This patch removes overrun_buf static array and use kzalloc.
+
+Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+FUJITA Tomonori notes:
+ We thought that 2.6.24 doesn't have this bug, however it does.
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/scsi/advansys.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/advansys.c
++++ b/drivers/scsi/advansys.c
+@@ -566,7 +566,7 @@ typedef struct asc_dvc_var {
+ ASC_SCSI_BIT_ID_TYPE unit_not_ready;
+ ASC_SCSI_BIT_ID_TYPE queue_full_or_busy;
+ ASC_SCSI_BIT_ID_TYPE start_motor;
+- uchar overrun_buf[ASC_OVERRUN_BSIZE] __aligned(8);
++ uchar *overrun_buf;
+ dma_addr_t overrun_dma;
+ uchar scsi_reset_wait;
+ uchar chip_no;
+@@ -13833,6 +13833,12 @@ static int __devinit advansys_board_foun
+ */
+ if (ASC_NARROW_BOARD(boardp)) {
+ ASC_DBG(2, "AscInitAsc1000Driver()\n");
++
++ asc_dvc_varp->overrun_buf = kzalloc(ASC_OVERRUN_BSIZE, GFP_KERNEL);
++ if (!asc_dvc_varp->overrun_buf) {
++ ret = -ENOMEM;
++ goto err_free_wide_mem;
++ }
+ warn_code = AscInitAsc1000Driver(asc_dvc_varp);
+
+ if (warn_code || asc_dvc_varp->err_code) {
+@@ -13840,8 +13846,10 @@ static int __devinit advansys_board_foun
+ "warn 0x%x, error 0x%x\n",
+ asc_dvc_varp->init_state, warn_code,
+ asc_dvc_varp->err_code);
+- if (asc_dvc_varp->err_code)
++ if (asc_dvc_varp->err_code) {
+ ret = -ENODEV;
++ kfree(asc_dvc_varp->overrun_buf);
++ }
+ }
+ } else {
+ if (advansys_wide_init_chip(shost))
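Review bot: After `kfree(asc_dvc_varp->overrun_buf);` on the err_code path the pointer is left dangling, and the function continues with `ret = -ENODEV` into cleanup code outside this hunk. If any of that code, or advansys_release(), frees overrun_buf again, the result is a double free. Adding `asc_dvc_varp->overrun_buf = NULL;` right after the kfree makes a second kfree harmless. Conversely, failures later in advansys_board_found() after AscInitAsc1000Driver() has succeeded need to free the buffer too, which cannot be checked from here. The allocation-failure path in the previous hunk jumps to `err_free_wide_mem` on a narrow board, so confirm that label's cleanup is safe when no wide memory was allocated.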
+@@ -13894,6 +13902,7 @@ static int advansys_release(struct Scsi_
+ dma_unmap_single(board->dev,
+ board->dvc_var.asc_dvc_var.overrun_dma,
+ ASC_OVERRUN_BSIZE, DMA_FROM_DEVICE);
++ kfree(board->dvc_var.asc_dvc_var.overrun_buf);
+ } else {
+ iounmap(board->ioremap_addr);
+ advansys_wide_free_mem(board);
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:09:33 2008
+Date: Sat, 23 Feb 2008 20:55:15 GMT
+Message-Id: <200802232055.m1NKtFCh024335@hera.kernel.org>
+From: James Bottomley <jejb@kernel.org>
+To: jejb@kernel.org, stable@kernel.org
+Subject: SCSI aic94xx: fix REQ_TASK_ABORT and REQ_DEVICE_RESET
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+commit: cb84e2d2ff3b50c0da5a7604a6d8634294a00a01
+
+This driver has been failing under heavy load with
+
+aic94xx: escb_tasklet_complete: REQ_TASK_ABORT, reason=0x6
+aic94xx: escb_tasklet_complete: Can't find task (tc=4) to abort!
+
+The second message is because the driver fails to identify the task
+it's being asked to abort. On closer inpection, there's a thinko in
+the for each task loop over pending tasks in both the REQ_TASK_ABORT
+and REQ_DEVICE_RESET cases where it doesn't look at the task on the
+pending list but at the one on the ESCB (which is always NULL).
+
+Fix by looking at the right task. Also add a print for the case where
+the pending SCB doesn't have a task attached.
+
+Not sure if this will fix all the problems, but it's a definite first
+step.
+
+Cc: Stable Tree <stable@kernel.org>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/scsi/aic94xx/aic94xx_scb.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/aic94xx/aic94xx_scb.c
++++ b/drivers/scsi/aic94xx/aic94xx_scb.c
+@@ -458,13 +458,19 @@ static void escb_tasklet_complete(struct
+ tc_abort = le16_to_cpu(tc_abort);
+
+ list_for_each_entry_safe(a, b, &asd_ha->seq.pend_q, list) {
+- struct sas_task *task = ascb->uldd_task;
++ struct sas_task *task = a->uldd_task;
++
++ if (a->tc_index != tc_abort)
++ continue;
+
+- if (task && a->tc_index == tc_abort) {
++ if (task) {
+ failed_dev = task->dev;
+ sas_task_abort(task);
+- break;
++ } else {
++ ASD_DPRINTK("R_T_A for non TASK scb 0x%x\n",
++ a->scb->header.opcode);
+ }
++ break;
+ }
+
+ if (!failed_dev) {
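Review bot: The new else branch dereferences `a->scb->header.opcode` for a pending SCB that has no task, and no lock is taken around the walk over `asd_ha->seq.pend_q` within this hunk. If entries can be completed and unlinked concurrently with this tasklet, `a` or `a->scb` could be stale when read. Whether the caller already holds the queue's lock is not visible here, so this is a question rather than a finding. A comment above the loop stating the locking assumption, e.g. `/* pend_q is stable here because ... */`, would settle it, and the same applies to the REQ_DEVICE_RESET loop in the next hunk.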
+@@ -478,7 +484,7 @@ static void escb_tasklet_complete(struct
+ * that the EH will wake up and do something.
+ */
+ list_for_each_entry_safe(a, b, &asd_ha->seq.pend_q, list) {
+- struct sas_task *task = ascb->uldd_task;
++ struct sas_task *task = a->uldd_task;
+
+ if (task &&
+ task->dev == failed_dev &&
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:08:26 2008
+Date: Sat, 23 Feb 2008 20:55:14 GMT
+Message-Id: <200802232055.m1NKtEuD024293@hera.kernel.org>
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+To: jejb@kernel.org, stable@kernel.org
+Subject: SCSI gdth: don't call pci_free_consistent under spinlock
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+commit: ff83efacf2b77a1fe8942db6613825a4b80ee5e2
+
+The spinlock is held over too large a region: pscratch is a permanent
+address (it's allocated at boot time and never changes). All you need
+the smp lock for is mediating the scratch in use flag, so fix this by
+moving the spinlock into the case where we set the pscratch_busy flag
+to false.
+
+Cc: Stable Tree <stable@kernel.org>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/scsi/gdth_proc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/gdth_proc.c
++++ b/drivers/scsi/gdth_proc.c
+@@ -694,15 +694,13 @@ static void gdth_ioctl_free(gdth_ha_str
+ {
+ ulong flags;
+
+- spin_lock_irqsave(&ha->smp_lock, flags);
+-
+ if (buf == ha->pscratch) {
++ spin_lock_irqsave(&ha->smp_lock, flags);
+ ha->scratch_busy = FALSE;
++ spin_unlock_irqrestore(&ha->smp_lock, flags);
+ } else {
+ pci_free_consistent(ha->pdev, size, buf, paddr);
+ }
+-
+- spin_unlock_irqrestore(&ha->smp_lock, flags);
+ }
+
+ #ifdef GDTH_IOCTL_PROC
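Review bot: `buf == ha->pscratch` is now evaluated without smp_lock, which is safe only because, as the commit message says, pscratch is set once at boot and never changes. The code itself does not record that invariant. A comment on the test, `/* pscratch is fixed after init, so the compare needs no lock; only scratch_busy does */`, would keep the lock from being widened again or the invariant from being broken unnoticed.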
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:05:31 2008
+Date: Sat, 23 Feb 2008 20:55:12 GMT
+Message-Id: <200802232055.m1NKtCp8024252@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: SCSI ips: fix data buffer accessors conversion bug
+
+From: FUJITA Tomonori <tomof@acm.org>
+commit: 2b28a4721e068ac89bd5435472723a1bc44442fe
+
+This fixes a bug that can't handle a passthru command with more than
+two sg entries.
+
+Big thanks to Tim Pepper for debugging the problem.
+
+Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Acked-by: Mark Salyzyn <Mark_Salyzyn@adaptec.com>
+Cc: Stable Tree <stable@kernel.org>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/scsi/ips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ips.c
++++ b/drivers/scsi/ips.c
+@@ -1580,7 +1580,7 @@ ips_make_passthru(ips_ha_t *ha, struct s
+ METHOD_TRACE("ips_make_passthru", 1);
+
+ scsi_for_each_sg(SC, sg, scsi_sg_count(SC), i)
+- length += sg[i].length;
++ length += sg->length;
+
+ if (length < sizeof (ips_passthru_t)) {
+ /* wrong size */
From: Jeff Garzik <jeff@garzik.org>
commit 2551a13e61d3c3df6c2da6de5a3ece78e6d67111
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Acked-by: "Salyzyn, Mark" <mark_salyzyn@adaptec.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+
FUJITA Tomonori notes:
It didn't intend to fix a critical bug, however, it turned out that it
does. Without this patch, the ips driver in 2.6.23 and 2.6.24 doesn't
http://marc.info/?t=120293911900023&r=1&w=2
-Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-Acked-by: "Salyzyn, Mark" <mark_salyzyn@adaptec.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
drivers/scsi/ips.c | 18 +++++++++++++-----
scsi-ips-handle-scsi_add_host-failure-and-other-err-cleanups.patch
crypto-xcbc-fix-crash-with-ipsec.patch
crypto-xts-use-proper-alignment.patch
+fuse-fix-permission-checking.patch
+usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch
+scsi-ips-fix-data-buffer-accessors-conversion-bug.patch
+scsi-gdth-don-t-call-pci_free_consistent-under-spinlock.patch
+scsi-aic94xx-fix-req_task_abort-and-req_device_reset.patch
+x86-replace-lock_prefix-in-futex.h.patch
+arm-pxa-fix-clock-lookup-to-find-specific-device-clocks.patch
+futex-fix-init-order.patch
+futex-runtime-enable-pi-and-robust-functionality.patch
+file-capabilities-simplify-signal-check.patch
+hugetlb-ensure-we-do-not-reference-a-surplus-page-after-handing-it-to-buddy.patch
+ufs-fix-parenthesisation-in-ufs_set_fs_state.patch
+spi-pxa2xx_spi-clock-polarity-fix.patch
+netfilter-nfnetlink_queue-fix-skb_linear_assert-when-mangling-packet-data.patch
+netfilter-fix-incorrect-use-of-skb_make_writable.patch
+netfilter-fix-ebtable-targets-return.patch
+scsi-advansys-fix-overrun_buf-aligned-bug.patch
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:30:56 2008
+Date: Sun, 24 Feb 2008 02:10:06 GMT
+Message-Id: <200802240210.m1O2A6be015394@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: spi: pxa2xx_spi clock polarity fix
+
+From: Ned Forrester <nforrester@whoi.edu>
+commit: b97c74bddce4e2c6fef6b3b58910b4fd9eb7f3b8
+
+Fixes a sequencing bug in spi driver pxa2xx_spi.c in which the chip select
+for a transfer may be asserted before the clock polarity is set on the
+interface. As a result of this bug, the clock signal may have the wrong
+polarity at transfer start, so it may need to make an extra half transition
+before the intended clock/data signals begin. (This probably means all
+transfers are one bit out of sequence.)
+
+This only occurs on the first transfer following a change in clock polarity
+in systems using more than one more than one such polarity. The fix
+assures that the clock mode is properly set before asserting chip select.
+
+This bug was introduced in a patch merged on 2006/12/10, kernel 2.6.20.
+The patch defines an additional bit in: include/asm-arm/arch-pxa/regs-ssp.h
+for 2.6.25 and newer kernels but this addition must be made in:
+include/asm-arm/arch-pxa/pxa-regs.h for kernels between 2.6.20 and 2.6.24,
+inclusive
+
+Signed-off-by: Ned Forrester <nforrester@whoi.edu>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Cc: Russell King <rmk@arm.linux.org.uk>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[chrisw@sous-sol.org: backport to 2.6.24.3]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/spi/pxa2xx_spi.c | 41 +++++++++++++++++++++++-------------
+ include/asm-arm/arch-pxa/pxa-regs.h | 1
+ 2 files changed, 28 insertions(+), 14 deletions(-)
+
+--- a/drivers/spi/pxa2xx_spi.c
++++ b/drivers/spi/pxa2xx_spi.c
+@@ -48,13 +48,19 @@ MODULE_LICENSE("GPL");
+ #define RESET_DMA_CHANNEL (DCSR_NODESC | DMA_INT_MASK)
+ #define IS_DMA_ALIGNED(x) (((u32)(x)&0x07)==0)
+
+-/* for testing SSCR1 changes that require SSP restart, basically
+- * everything except the service and interrupt enables */
+-#define SSCR1_CHANGE_MASK (SSCR1_TTELP | SSCR1_TTE | SSCR1_EBCEI | SSCR1_SCFR \
++/*
++ * for testing SSCR1 changes that require SSP restart, basically
++ * everything except the service and interrupt enables, the pxa270 developer
++ * manual says only SSCR1_SCFR, SSCR1_SPH, SSCR1_SPO need to be in this
++ * list, but the PXA255 dev man says all bits without really meaning the
++ * service and interrupt enables
++ */
++#define SSCR1_CHANGE_MASK (SSCR1_TTELP | SSCR1_TTE | SSCR1_SCFR \
+ | SSCR1_ECRA | SSCR1_ECRB | SSCR1_SCLKDIR \
+- | SSCR1_RWOT | SSCR1_TRAIL | SSCR1_PINTE \
+- | SSCR1_STRF | SSCR1_EFWR |SSCR1_RFT \
+- | SSCR1_TFT | SSCR1_SPH | SSCR1_SPO | SSCR1_LBM)
++ | SSCR1_SFRMDIR | SSCR1_RWOT | SSCR1_TRAIL \
++ | SSCR1_IFS | SSCR1_STRF | SSCR1_EFWR \
++ | SSCR1_RFT | SSCR1_TFT | SSCR1_MWDS \
++ | SSCR1_SPH | SSCR1_SPO | SSCR1_LBM)
+
+ #define DEFINE_SSP_REG(reg, off) \
+ static inline u32 read_##reg(void *p) { return __raw_readl(p + (off)); } \
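Review bot: SSCR1_CHANGE_MASK now names SSCR1_SFRMDIR, SSCR1_IFS and SSCR1_MWDS, but the pxa-regs.h hunk of this backport adds only `SSCR1_IFS`. The other two are presumably already defined in the 2.6.24 header; that should be confirmed by building the backported tree, since their definitions are outside the visible hunks. The new block comment is also a single run-on sentence, and I would state the rule on its own, for example `mode bits whose change requires an SSP restart; service-request and interrupt enables are deliberately excluded`. This matters because the later `write_SSCR1(cr1 & SSCR1_CHANGE_MASK, reg)` relies on the mask containing no enable bits.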
+@@ -961,9 +967,6 @@ static void pump_transfers(unsigned long
+ if (drv_data->ssp_type == PXA25x_SSP)
+ DCMD(drv_data->tx_channel) |= DCMD_ENDIRQEN;
+
+- /* Fix me, need to handle cs polarity */
+- drv_data->cs_control(PXA2XX_CS_ASSERT);
+-
+ /* Clear status and start DMA engine */
+ cr1 = chip->cr1 | dma_thresh | drv_data->dma_cr1;
+ write_SSSR(drv_data->clear_sr, reg);
+@@ -973,9 +976,6 @@ static void pump_transfers(unsigned long
+ /* Ensure we have the correct interrupt handler */
+ drv_data->transfer_handler = interrupt_transfer;
+
+- /* Fix me, need to handle cs polarity */
+- drv_data->cs_control(PXA2XX_CS_ASSERT);
+-
+ /* Clear status */
+ cr1 = chip->cr1 | chip->threshold | drv_data->int_cr1;
+ write_SSSR(drv_data->clear_sr, reg);
+@@ -986,16 +986,29 @@ static void pump_transfers(unsigned long
+ || (read_SSCR1(reg) & SSCR1_CHANGE_MASK) !=
+ (cr1 & SSCR1_CHANGE_MASK)) {
+
++ /* stop the SSP, and update the other bits */
+ write_SSCR0(cr0 & ~SSCR0_SSE, reg);
+ if (drv_data->ssp_type != PXA25x_SSP)
+ write_SSTO(chip->timeout, reg);
+- write_SSCR1(cr1, reg);
++ /* first set CR1 without interrupt and service enables */
++ write_SSCR1(cr1 & SSCR1_CHANGE_MASK, reg);
++ /* restart the SSP */
+ write_SSCR0(cr0, reg);
++
+ } else {
+ if (drv_data->ssp_type != PXA25x_SSP)
+ write_SSTO(chip->timeout, reg);
+- write_SSCR1(cr1, reg);
+ }
++
++ /* FIXME, need to handle cs polarity,
++ * this driver uses struct pxa2xx_spi_chip.cs_control to
++ * specify a CS handling function, and it ignores most
++ * struct spi_device.mode[s], including SPI_CS_HIGH */
++ drv_data->cs_control(PXA2XX_CS_ASSERT);
++
++ /* after chip select, release the data by enabling service
++ * requests and interrupts, without changing any mode bits */
++ write_SSCR1(cr1, reg);
+ }
+
+ static void pump_messages(struct work_struct *work)
+--- a/include/asm-arm/arch-pxa/pxa-regs.h
++++ b/include/asm-arm/arch-pxa/pxa-regs.h
+@@ -1669,6 +1669,7 @@
+ #define SSCR1_RSRE (1 << 20) /* Receive Service Request Enable */
+ #define SSCR1_TINTE (1 << 19) /* Receiver Time-out Interrupt enable */
+ #define SSCR1_PINTE (1 << 18) /* Peripheral Trailing Byte Interupt Enable */
++#define SSCR1_IFS (1 << 16) /* Invert Frame Signal */
+ #define SSCR1_STRF (1 << 15) /* Select FIFO or EFWR */
+ #define SSCR1_EFWR (1 << 14) /* Enable FIFO Write/Read */
+
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:34:00 2008
+Date: Sun, 24 Feb 2008 02:10:08 GMT
+Message-Id: <200802240210.m1O2A8OD015445@hera.kernel.org>
+From: jejb@kernel.org
+To: jejb@kernel.org, stable@kernel.org
+Subject: ufs: fix parenthesisation in ufs_set_fs_state()
+
+From: Roel Kluin <12o3l@tiscali.nl>
+commit: f81e8a43871f44f98dd14e83a83bf9ca0b3b46c5
+
+This bug snuck in with
+
+commit 252e211e90ce56bf005cb533ad5a297c18c19407
+Author: Mark Fortescue <mark@mtfhpc.demon.co.uk>
+Date: Tue Oct 16 23:26:31 2007 -0700
+
+ Add in SunOS 4.1.x compatible mode for UFS
+
+Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
+Acked-by: Evgeniy Dushistov <dushistov@mail.ru>
+Cc: Mark Fortescue <mark@mtfhpc.demon.co.uk>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/ufs/util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ufs/util.h
++++ b/fs/ufs/util.h
+@@ -58,7 +58,7 @@ ufs_set_fs_state(struct super_block *sb,
+ {
+ switch (UFS_SB(sb)->s_flags & UFS_ST_MASK) {
+ case UFS_ST_SUNOS:
+- if (fs32_to_cpu(sb, usb3->fs_postblformat == UFS_42POSTBLFMT)) {
++ if (fs32_to_cpu(sb, usb3->fs_postblformat) == UFS_42POSTBLFMT) {
+ usb1->fs_u0.fs_sun.fs_state = cpu_to_fs32(sb, value);
+ break;
+ }
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 21:58:41 2008
+Date: Fri, 22 Feb 2008 17:03:25 -0500 (EST)
+From: Alan Stern <stern@rowland.harvard.edu>
+To: stable@kernel.org
+Message-ID: <Pine.LNX.4.44L0.0802221700070.6832-100000@iolanthe.rowland.org>
+Cc: Mark Glines <mark@glines.org>, linux-usb@vger.kernel.org, Boaz Harrosh <bharrosh@panasas.com>
+Subject: usb-storage: don't access beyond the end of the sg buffer
+
+This patch (as1038) fixes a bug in usb_stor_access_xfer_buf() and
+usb_stor_set_xfer_buf() (the bug was originally found by Boaz
+Harrosh): The routine must not attempt to write beyond the end of a
+scatter-gather list or beyond the number of bytes requested.
+
+This is the minimal 2.6.24 equivalent to as1035 +
+as1037 (7084191d53b224b953c8e1db525ea6c31aca5fc7 "USB:
+usb-storage: don't access beyond the end of the sg buffer" +
+6d512a80c26d87f8599057c86dc920fbfe0aa3aa "usb-storage: update earlier
+scatter-gather bug fix"). Mark Glines has confirmed that it fixes
+his problem.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: Mark Glines <mark@glines.org>
+Cc: Boaz Harrosh <bharrosh@panasas.com>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ drivers/usb/storage/protocol.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/storage/protocol.c
++++ b/drivers/usb/storage/protocol.c
+@@ -194,7 +194,7 @@ unsigned int usb_stor_access_xfer_buf(un
+ * and the starting offset within the page, and update
+ * the *offset and *index values for the next loop. */
+ cnt = 0;
+- while (cnt < buflen) {
++ while (cnt < buflen && sg) {
+ struct page *page = sg_page(sg) +
+ ((sg->offset + *offset) >> PAGE_SHIFT);
+ unsigned int poff =
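Review bot: The added `&& sg` ends the copy loop quietly when the scatter-gather list runs out, so a caller that asks for more than the list holds now receives a short count and no other signal. The comment above the loop does not mention this; I would add `/* stop when the sg list is exhausted; the return value may be less than buflen */`. Every caller should be checked for use of the returned count, as only usb_stor_set_xfer_buf is visible here. The loop body and the code that advances `sg` are outside the hunk, so the assumption that `sg` becomes NULL after the last entry is inferred from the commit text.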
+@@ -249,7 +249,8 @@ void usb_stor_set_xfer_buf(unsigned char
+ unsigned int offset = 0;
+ struct scatterlist *sg = NULL;
+
+- usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
++ buflen = min(buflen, srb->request_bufflen);
++ buflen = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+ TO_XFER_BUF);
+ if (buflen < srb->request_bufflen)
+ srb->resid = srb->request_bufflen - buflen;
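Review bot: The clamp `buflen = min(buflen, srb->request_bufflen)` in usb_stor_set_xfer_buf is the bound that stops the copy from exceeding what the command requested, yet it carries no comment saying so. I would add `/* never copy more than the SCSI command requested */` directly above it, so the line is not later removed as redundant with the `&& sg` guard in usb_stor_access_xfer_buf. The two checks cover different limits (requested byte count versus list length), as far as the commit text indicates. The start of the function is outside the hunk.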
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Mar 11 22:13:48 2008
+Message-ID: <47C05058.1030509@redhat.com>
+Date: Sat, 23 Feb 2008 11:56:56 -0500
+From: Chuck Ebbert <cebbert@redhat.com>
+To: Greg KH <gregkh@suse.de>
+Cc: stable@kernel.org
+Subject: x86: replace LOCK_PREFIX in futex.h
+
+From: Thomas Gleixner <tglx@linutronix.de>
+Commit: 9d55b9923a1b7ea8193b8875c57ec940dc2ff027
+
+The exception fixup for the futex macros __futex_atomic_op1/2 and
+futex_atomic_cmpxchg_inatomic() is missing an entry when the lock
+prefix is replaced by a NOP via SMP alternatives.
+
+Chuck Ebert tracked this down from the information provided in:
+https://bugzilla.redhat.com/show_bug.cgi?id=429412
+
+A possible solution would be to add another fixup after the
+LOCK_PREFIX, so both the LOCK and NOP case have their own entry in the
+exception table, but it's not really worth the trouble.
+
+Simply replace LOCK_PREFIX with lock and keep those untouched by SMP
+alternatives.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+[cebbert@redhat.com: backport to 2.6.24]
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ include/asm-x86/futex_32.h | 6 +++---
+ include/asm-x86/futex_64.h | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/include/asm-x86/futex_32.h
++++ b/include/asm-x86/futex_32.h
+@@ -28,7 +28,7 @@
+ "1: movl %2, %0\n\
+ movl %0, %3\n" \
+ insn "\n" \
+-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
++"2: lock ; cmpxchgl %3, %2\n\
+ jnz 1b\n\
+ 3: .section .fixup,\"ax\"\n\
+ 4: mov %5, %1\n\
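Review bot: None of the six replaced sites says why a literal `lock ;` is used instead of LOCK_PREFIX, so a later cleanup could restore the macro and with it the missing exception-table entry described in the commit text. A comment above the affected macro and above `futex_atomic_cmpxchg_inatomic()` in both futex_32.h and futex_64.h would prevent that, e.g. `/* literal lock prefix: SMP alternatives may patch LOCK_PREFIX to a NOP, which the fixup entries here do not cover */`. The same applies to the `xaddl` call sites in `futex_atomic_op_inuser`. The macro and function definitions begin outside these hunks, and the comment has to sit above them because it cannot go inside the continued asm string.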
+@@ -68,7 +68,7 @@ futex_atomic_op_inuser (int encoded_op,
+ #endif
+ switch (op) {
+ case FUTEX_OP_ADD:
+- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
++ __futex_atomic_op1("lock ; xaddl %0, %2", ret,
+ oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_OR:
+@@ -111,7 +111,7 @@ futex_atomic_cmpxchg_inatomic(int __user
+ return -EFAULT;
+
+ __asm__ __volatile__(
+- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
++ "1: lock ; cmpxchgl %3, %1 \n"
+
+ "2: .section .fixup, \"ax\" \n"
+ "3: mov %2, %0 \n"
+--- a/include/asm-x86/futex_64.h
++++ b/include/asm-x86/futex_64.h
+@@ -27,7 +27,7 @@
+ "1: movl %2, %0\n\
+ movl %0, %3\n" \
+ insn "\n" \
+-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
++"2: lock ; cmpxchgl %3, %2\n\
+ jnz 1b\n\
+ 3: .section .fixup,\"ax\"\n\
+ 4: mov %5, %1\n\
+@@ -62,7 +62,7 @@ futex_atomic_op_inuser (int encoded_op,
+ __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
+ break;
+ case FUTEX_OP_ADD:
+- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
++ __futex_atomic_op1("lock ; xaddl %0, %2", ret, oldval,
+ uaddr, oparg);
+ break;
+ case FUTEX_OP_OR:
+@@ -101,7 +101,7 @@ futex_atomic_cmpxchg_inatomic(int __user
+ return -EFAULT;
+
+ __asm__ __volatile__(
+- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
++ "1: lock ; cmpxchgl %3, %1 \n"
+
+ "2: .section .fixup, \"ax\" \n"
+ "3: mov %2, %0 \n"