git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
remove .33 patches and moved them to the longterm queue
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 17 Dec 2010 19:45:19 +0000 (11:45 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 17 Dec 2010 19:45:19 +0000 (11:45 -0800)
211 files changed:
queue-2.6.33/acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch [deleted file]
queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch [deleted file]
queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch [deleted file]
queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch [deleted file]
queue-2.6.33/alsa-ac97-apply-quirk-for-dell-latitude-d610-binding-master-and-headphone-controls.patch [deleted file]
queue-2.6.33/alsa-hda-add-an-extra-dac-for-realtek-alc887-vd.patch [deleted file]
queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch [deleted file]
queue-2.6.33/alsa-hda-fixed-alc887-vd-initial-error.patch [deleted file]
queue-2.6.33/alsa-hda-use-alienware-model-quirk-for-another-ssid.patch [deleted file]
queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch [deleted file]
queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch [deleted file]
queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch [deleted file]
queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch [deleted file]
queue-2.6.33/arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch [deleted file]
queue-2.6.33/arm-6489-1-thumb2-fix-incorrect-optimisation-in-usracc.patch [deleted file]
queue-2.6.33/atl1-fix-resume.patch [deleted file]
queue-2.6.33/b44-fix-carrier-detection-on-bind.patch [deleted file]
queue-2.6.33/backlight-grab-ops_lock-before-testing-bd-ops.patch [deleted file]
queue-2.6.33/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch [deleted file]
queue-2.6.33/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch [deleted file]
queue-2.6.33/block-ensure-physical-block-size-is-unsigned-int.patch [deleted file]
queue-2.6.33/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch [deleted file]
queue-2.6.33/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch [deleted file]
queue-2.6.33/bluetooth-fix-missing-null-check.patch [deleted file]
queue-2.6.33/bsg-fix-incorrect-device_status-value.patch [deleted file]
queue-2.6.33/btrfs-kfree-correct-pointer-during-mount-option-parsing.patch [deleted file]
queue-2.6.33/can-bcm-fix-minor-heap-overflow.patch [deleted file]
queue-2.6.33/compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch [deleted file]
queue-2.6.33/crypto-padlock-fix-aes-cbc-handling-on-odd-block-sized-input.patch [deleted file]
queue-2.6.33/de-pessimize-rds_page_copy_user.patch [deleted file]
queue-2.6.33/decnet-don-t-leak-uninitialized-stack-byte.patch [deleted file]
queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch [deleted file]
queue-2.6.33/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch [deleted file]
queue-2.6.33/drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch [deleted file]
queue-2.6.33/drivers-net-wireless-p54-eeprom.c-return-enomem-on-memory-allocation-failure.patch [deleted file]
queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch [deleted file]
queue-2.6.33/drm-ttm-clear-the-ghost-cpu_writers-flag-on-ttm_buffer_object_transfer.patch [deleted file]
queue-2.6.33/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch [deleted file]
queue-2.6.33/econet-fix-cve-2010-3848.patch [deleted file]
queue-2.6.33/econet-fix-cve-2010-3850.patch [deleted file]
queue-2.6.33/ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch [deleted file]
queue-2.6.33/efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch [deleted file]
queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch [deleted file]
queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch [deleted file]
queue-2.6.33/ext4-consolidate-in_range-definitions.patch [deleted file]
queue-2.6.33/ext4-prevent-creation-of-files-larger-than-rlimit_fsize-using-fallocate.patch [deleted file]
queue-2.6.33/firewire-ohci-fix-buffer-overflow-in-ar-split-packet-handling.patch [deleted file]
queue-2.6.33/firewire-ohci-fix-race-in-ar-split-packet-handling.patch [deleted file]
queue-2.6.33/fix-race-when-removing-scsi-devices.patch [deleted file]
queue-2.6.33/fix-regressions-in-scsi_internal_device_block.patch [deleted file]
queue-2.6.33/fuse-fix-attributes-after-open-o_trunc.patch [deleted file]
queue-2.6.33/futex-fix-errors-in-nested-key-ref-counting.patch [deleted file]
queue-2.6.33/gdth-integer-overflow-in-ioctl.patch [deleted file]
queue-2.6.33/genirq-fix-incorrect-proc-spurious-output.patch [deleted file]
queue-2.6.33/hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch [deleted file]
queue-2.6.33/hpet-unmap-unused-i-o-space.patch [deleted file]
queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch [deleted file]
queue-2.6.33/hwmon-lm85-fix-adt7468-frequency-table.patch [deleted file]
queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch [deleted file]
queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch [deleted file]
queue-2.6.33/ip-fix-truesize-mismatch-in-ip-fragmentation.patch [deleted file]
queue-2.6.33/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch [deleted file]
queue-2.6.33/ipc-shm-fix-information-leak-to-userland.patch [deleted file]
queue-2.6.33/irda-fix-heap-memory-corruption-in-iriap.c.patch [deleted file]
queue-2.6.33/irda-fix-parameter-extraction-stack-overflow.patch [deleted file]
queue-2.6.33/latencytop-fix-per-task-accumulator.patch [deleted file]
queue-2.6.33/leds-fix-bug-with-reading-nas-ss4200-dmi-code.patch [deleted file]
queue-2.6.33/libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch [deleted file]
queue-2.6.33/libsas-fix-ncq-mixing-with-non-ncq.patch [deleted file]
queue-2.6.33/mac80211-fix-use-after-free.patch [deleted file]
queue-2.6.33/md-fix-return-value-of-rdev_size_change.patch [deleted file]
queue-2.6.33/md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch [deleted file]
queue-2.6.33/memory-corruption-in-x.25-facilities-parsing.patch [deleted file]
queue-2.6.33/mm-fix-corruption-of-hibernation-caused-by-reusing-swap-during-image-saving.patch [deleted file]
queue-2.6.33/mm-fix-is_mem_section_removable-page_order-bug_on-check.patch [deleted file]
queue-2.6.33/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch [deleted file]
queue-2.6.33/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch [deleted file]
queue-2.6.33/mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch [deleted file]
queue-2.6.33/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch [deleted file]
queue-2.6.33/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch [deleted file]
queue-2.6.33/mm-vfs-revalidate-page-mapping-in-do_generic_file_read.patch [deleted file]
queue-2.6.33/mm-vmscan-raise-the-bar-to-pageout_io_sync-stalls.patch [deleted file]
queue-2.6.33/mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch [deleted file]
queue-2.6.33/mmc-sdhci-s3c-fix-null-ptr-access-in-sdhci_s3c_remove.patch [deleted file]
queue-2.6.33/net-blackhole-route-should-always-be-recalculated.patch [deleted file]
queue-2.6.33/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch [deleted file]
queue-2.6.33/net-clear-heap-allocations-for-privileged-ethtool-actions.patch [deleted file]
queue-2.6.33/net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch [deleted file]
queue-2.6.33/net-fix-the-condition-passed-to-sk_wait_event.patch [deleted file]
queue-2.6.33/net-limit-socket-i-o-iovec-total-length-to-int_max.patch [deleted file]
queue-2.6.33/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch [deleted file]
queue-2.6.33/net-truncate-recvfrom-and-sendto-length-to-int_max.patch [deleted file]
queue-2.6.33/netfilter-nf_conntrack-allow-nf_ct_alloc_hashtable-to-get-highmem-pages.patch [deleted file]
queue-2.6.33/netxen-dont-set-skb-truesize.patch [deleted file]
queue-2.6.33/nohz-s390-fix-arch_needs_cpu-return-value-on-offline-cpus.patch [deleted file]
queue-2.6.33/nommu-yield-cpu-while-disposing-vm.patch [deleted file]
queue-2.6.33/numa-fix-slab_node-mpol_bind.patch [deleted file]
queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch [deleted file]
queue-2.6.33/olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch [deleted file]
queue-2.6.33/p54usb-add-five-more-usbids.patch [deleted file]
queue-2.6.33/p54usb-fix-off-by-one-on-config_pm.patch [deleted file]
queue-2.6.33/pci-fix-offset-check-for-sysfs-mmapped-files.patch [deleted file]
queue-2.6.33/pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch [deleted file]
queue-2.6.33/pcmcia-synclink_cs-fix-information-leak-to-userland.patch [deleted file]
queue-2.6.33/percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch [deleted file]
queue-2.6.33/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch [deleted file]
queue-2.6.33/phonet-correct-header-retrieval-after-pskb_may_pull.patch [deleted file]
queue-2.6.33/pipe-fix-failure-to-return-error-code-on-confirm.patch [deleted file]
queue-2.6.33/powerpc-perf-fix-sampling-enable-for-ppc970.patch [deleted file]
queue-2.6.33/prioritize-synchronous-signals-over-normal-signals.patch [deleted file]
queue-2.6.33/r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch [deleted file]
queue-2.6.33/r6040-fix-r6040_multicast_list.patch [deleted file]
queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch [deleted file]
queue-2.6.33/rds-integer-overflow-in-rds-cmsg-handling.patch [deleted file]
queue-2.6.33/reiserfs-don-t-acquire-lock-recursively-in-reiserfs_acl_chmod.patch [deleted file]
queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch [deleted file]
queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch [deleted file]
queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch [deleted file]
queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch [deleted file]
queue-2.6.33/rose-fix-signedness-issues-wrt.-digi-count.patch [deleted file]
queue-2.6.33/sched-fix-string-comparison-in-proc-sched_features.patch [deleted file]
queue-2.6.33/sd-name-space-exhaustion-causes-system-hang.patch [deleted file]
queue-2.6.33/series [deleted file]
queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch [deleted file]
queue-2.6.33/sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch [deleted file]
queue-2.6.33/sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch [deleted file]
queue-2.6.33/ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch [deleted file]
queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch [deleted file]
queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch [deleted file]
queue-2.6.33/ssb-handle-alternate-ssprom-location.patch [deleted file]
queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch [deleted file]
queue-2.6.33/staging-asus_oled-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/staging-frontier-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/staging-line6-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch [deleted file]
queue-2.6.33/staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch [deleted file]
queue-2.6.33/staging-samsung-laptop-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/staging-samsung-laptop-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/staging-usbip-notify-usb-core-of-port-status-changes.patch [deleted file]
queue-2.6.33/staging-usbip-process-event-flags-without-delay.patch [deleted file]
queue-2.6.33/sys_semctl-fix-kernel-stack-leakage.patch [deleted file]
queue-2.6.33/tcp-fix-4gb-writes-on-64-bit.patch [deleted file]
queue-2.6.33/tcp-fix-race-in-tcp_poll.patch [deleted file]
queue-2.6.33/tracing-x86-don-t-use-mcount-in-kvmclock.c.patch [deleted file]
queue-2.6.33/tracing-x86-don-t-use-mcount-in-pvclock.c.patch [deleted file]
queue-2.6.33/tty-ldisc-fix-open-flag-handling.patch [deleted file]
queue-2.6.33/tty-prevent-dos-in-the-flush_to_ldisc.patch [deleted file]
queue-2.6.33/tty-restore-tty_ldisc_wait_idle.patch [deleted file]
queue-2.6.33/tty_ldisc-fix-bug-on-hangup.patch [deleted file]
queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch [deleted file]
queue-2.6.33/udp-add-rehash-on-connect.patch [deleted file]
queue-2.6.33/um-fix-global-timer-issue-when-using-config_no_hz.patch [deleted file]
queue-2.6.33/um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch [deleted file]
queue-2.6.33/usb-accept-some-invalid-ep0-maxpacket-values.patch [deleted file]
queue-2.6.33/usb-add-pid-for-ftdi-based-opendcc-hardware.patch [deleted file]
queue-2.6.33/usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch [deleted file]
queue-2.6.33/usb-atmel_usba_udc-force-vbus_pin-at-einval-when-gpio_request-failled.patch [deleted file]
queue-2.6.33/usb-core-fix-information-leak-to-userland.patch [deleted file]
queue-2.6.33/usb-cp210x-add-renesas-rx-stick-device-id.patch [deleted file]
queue-2.6.33/usb-cp210x-add-wago-750-923-service-cable-device-id.patch [deleted file]
queue-2.6.33/usb-disable-endpoints-after-unbinding-interfaces-not-before.patch [deleted file]
queue-2.6.33/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch [deleted file]
queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch [deleted file]
queue-2.6.33/usb-ftdi_sio-add-id-for-rt-systems-usb-29b-radio-cable.patch [deleted file]
queue-2.6.33/usb-ftdi_sio-new-vid-pids-for-various-papouch-devices.patch [deleted file]
queue-2.6.33/usb-ftdi_sio-revert-usb-ftdi_sio-fix-dtr-rts-line-modes.patch [deleted file]
queue-2.6.33/usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/usb-misc-iowarrior-fix-information-leak-to-userland.patch [deleted file]
queue-2.6.33/usb-misc-sisusbvga-fix-information-leak-to-userland.patch [deleted file]
queue-2.6.33/usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch [deleted file]
queue-2.6.33/usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/usb-misc-usbsevseg-fix-up-some-sysfs-attribute-permissions.patch [deleted file]
queue-2.6.33/usb-musb-blackfin-call-gpio_free-on-error-path-in-musb_platform_init.patch [deleted file]
queue-2.6.33/usb-opticon-fix-long-standing-bugs-in-opticon-driver.patch [deleted file]
queue-2.6.33/usb-option-add-more-zte-modem-usb-id-s.patch [deleted file]
queue-2.6.33/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch [deleted file]
queue-2.6.33/usb-serial-ftdi_sio-vardaan-usb-rs422-485-converter-pid-added.patch [deleted file]
queue-2.6.33/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch [deleted file]
queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch [deleted file]
queue-2.6.33/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch [deleted file]
queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch [deleted file]
queue-2.6.33/viafb-use-proper-register-for-colour-when-doing-fill-ops.patch [deleted file]
queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch [deleted file]
queue-2.6.33/wmi-use-memcmp-instead-of-strncmp-to-compare-guids.patch [deleted file]
queue-2.6.33/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch [deleted file]
queue-2.6.33/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch [deleted file]
queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch [deleted file]
queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch [deleted file]
queue-2.6.33/x86-64-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch [deleted file]
queue-2.6.33/x86-64-compat-test-rax-for-the-syscall-number-not-eax.patch [deleted file]
queue-2.6.33/x86-amd-iommu-fix-rounding-bug-in-__unmap_single.patch [deleted file]
queue-2.6.33/x86-amd-iommu-set-iommu-configuration-flags-in-enable-loop.patch [deleted file]
queue-2.6.33/x86-amd-iommu-work-around-s3-bios-bug.patch [deleted file]
queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch [deleted file]
queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch [deleted file]
queue-2.6.33/x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch [deleted file]
queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch [deleted file]
queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch [deleted file]
queue-2.6.33/x86-ignore-trap-bits-on-single-step-exceptions.patch [deleted file]
queue-2.6.33/x86-intr-remap-set-redirection-hint-in-the-irte.patch [deleted file]
queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch [deleted file]
queue-2.6.33/x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch [deleted file]
queue-2.6.33/x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch [deleted file]
queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch [deleted file]
queue-2.6.33/x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch [deleted file]
queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch [deleted file]
queue-2.6.33/x86-olpc-don-t-retry-ec-commands-forever.patch [deleted file]
queue-2.6.33/xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch [deleted file]
queue-2.6.33/xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch [deleted file]
queue-2.6.33/xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch [deleted file]

diff --git a/queue-2.6.33/acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch b/queue-2.6.33/acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
deleted file mode 100644 (file)
index 97c7873..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-From dab5fff14df2cd16eb1ad4c02e83915e1063fece Mon Sep 17 00:00:00 2001
-From: Zhang Rui <rui.zhang@intel.com>
-Date: Tue, 12 Oct 2010 09:09:37 +0800
-Subject: acpi-cpufreq: fix a memleak when unloading driver
-
-From: Zhang Rui <rui.zhang@intel.com>
-
-commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream.
-
-We didn't free per_cpu(acfreq_data, cpu)->freq_table
-when acpi_freq driver is unloaded.
-
-Resulting in the following messages in /sys/kernel/debug/kmemleak:
-
-unreferenced object 0xf6450e80 (size 64):
-  comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s)
-  hex dump (first 32 bytes):
-    00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00  ......$.......$.
-    02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00  .....j.......5..
-  backtrace:
-    [<c123ba97>] kmemleak_alloc+0x27/0x50
-    [<c109f96f>] __kmalloc+0xcf/0x110
-    [<f9da97ee>] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq]
-    [<c11cd8d2>] cpufreq_add_dev+0x142/0x3a0
-    [<c11920b7>] sysdev_driver_register+0x97/0x110
-    [<c11cce56>] cpufreq_register_driver+0x86/0x140
-    [<f9dad080>] 0xf9dad080
-    [<c1001130>] do_one_initcall+0x30/0x160
-    [<c10626e9>] sys_init_module+0x99/0x1e0
-    [<c1002d97>] sysenter_do_call+0x12/0x26
-    [<ffffffff>] 0xffffffff
-
-https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21
-
-Tested-by: Toralf Forster <toralf.foerster@gmx.de>
-Signed-off-by: Zhang Rui <rui.zhang@intel.com>
-Signed-off-by: Len Brown <len.brown@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
-+++ b/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
-@@ -743,6 +743,7 @@ static int acpi_cpufreq_cpu_exit(struct
-               per_cpu(acfreq_data, policy->cpu) = NULL;
-               acpi_processor_unregister_performance(data->acpi_data,
-                                                     policy->cpu);
-+              kfree(data->freq_table);
-               kfree(data);
-       }
diff --git a/queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch b/queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch
deleted file mode 100644 (file)
index b4c5a15..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-From 337279ce3aa85d81d34c0f837d1c204df105103b Mon Sep 17 00:00:00 2001
-From: Zhang Rui <rui.zhang@intel.com>
-Date: Tue, 28 Sep 2010 22:48:55 -0400
-Subject: ACPI: Disable Windows Vista compatibility for Toshiba P305D
-
-From: Zhang Rui <rui.zhang@intel.com>
-
-commit 337279ce3aa85d81d34c0f837d1c204df105103b upstream.
-
-Disable the Windows Vista (SP1) compatibility for Toshiba P305D.
-
-http://bugzilla.kernel.org/show_bug.cgi?id=14736
-
-Signed-off-by: Zhang Rui <rui.zhang@intel.com>
-Signed-off-by: Len Brown <len.brown@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/acpi/blacklist.c |    8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/acpi/blacklist.c
-+++ b/drivers/acpi/blacklist.c
-@@ -233,6 +233,14 @@ static struct dmi_system_id acpi_osi_dmi
-                    DMI_MATCH(DMI_PRODUCT_NAME, "K50IJ"),
-               },
-       },
-+      {
-+      .callback = dmi_disable_osi_vista,
-+      .ident = "Toshiba P305D",
-+      .matches = {
-+                   DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
-+                   DMI_MATCH(DMI_PRODUCT_NAME, "Satellite P305D"),
-+              },
-+      },
-       /*
-        * BIOS invocation of _OSI(Linux) is almost always a BIOS bug.
diff --git a/queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch b/queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch
deleted file mode 100644 (file)
index d9d3026..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7a1d602f5fc35d14907b7da98d5627acb69589d1 Mon Sep 17 00:00:00 2001
-From: Len Brown <len.brown@intel.com>
-Date: Tue, 28 Sep 2010 17:51:51 -0400
-Subject: ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
-
-From: Len Brown <len.brown@intel.com>
-
-commit 7a1d602f5fc35d14907b7da98d5627acb69589d1 upstream.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=12641
-
-Signed-off-by: Len Brown <len.brown@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/acpi/blacklist.c |    8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/acpi/blacklist.c
-+++ b/drivers/acpi/blacklist.c
-@@ -218,6 +218,14 @@ static struct dmi_system_id acpi_osi_dmi
-               },
-       },
-       {
-+      .callback = dmi_disable_osi_vista,
-+      .ident = "Toshiba Satellite L355",
-+      .matches = {
-+                   DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
-+                   DMI_MATCH(DMI_PRODUCT_VERSION, "Satellite L355"),
-+              },
-+      },
-+      {
-       .callback = dmi_disable_osi_win7,
-       .ident = "ASUS K50IJ",
-       .matches = {
diff --git a/queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch b/queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch
deleted file mode 100644 (file)
index 7efcaba..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 573b638158029898caf9470c8214b7ddd29751e3 Mon Sep 17 00:00:00 2001
-From: Colin Ian King <colin.king@canonical.com>
-Date: Mon, 2 Aug 2010 15:14:43 +0000
-Subject: ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume
-
-From: Colin Ian King <colin.king@canonical.com>
-
-commit 573b638158029898caf9470c8214b7ddd29751e3 upstream.
-
-Section 4.7.3.1.1 (PM1 Status Registers) of version 4.0 of
-the ACPI spec concerning PCIEXP_WAKE_STS points out in
-in the final note field in table 4-11 that if this bit is
-set to 1 and the system is put into a sleeping state then
-the system will not automatically wake.
-
-This bit gets set by hardware to indicate that the system
-woke up due to a PCI Express wakeup event, so clear it during
-acpi_hw_clear_acpi_status() calls to enable subsequent
-resumes to work.
-
-BugLink: http://bugs.launchpad.net/bugs/613381
-
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Signed-off-by: Len Brown <len.brown@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/acpi/acpica/aclocal.h |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/acpi/acpica/aclocal.h
-+++ b/drivers/acpi/acpica/aclocal.h
-@@ -846,6 +846,7 @@ struct acpi_bit_register_info {
-       ACPI_BITMASK_POWER_BUTTON_STATUS   | \
-       ACPI_BITMASK_SLEEP_BUTTON_STATUS   | \
-       ACPI_BITMASK_RT_CLOCK_STATUS       | \
-+      ACPI_BITMASK_PCIEXP_WAKE_DISABLE   | \
-       ACPI_BITMASK_WAKE_STATUS)
- #define ACPI_BITMASK_TIMER_ENABLE               0x0001
diff --git a/queue-2.6.33/alsa-ac97-apply-quirk-for-dell-latitude-d610-binding-master-and-headphone-controls.patch b/queue-2.6.33/alsa-ac97-apply-quirk-for-dell-latitude-d610-binding-master-and-headphone-controls.patch
deleted file mode 100644 (file)
index a387c31..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0613a59456980161d0cd468bae6c63d772743102 Mon Sep 17 00:00:00 2001
-From: Daniel T Chen <crimsun@ubuntu.com>
-Date: Mon, 1 Nov 2010 01:14:51 -0400
-Subject: ALSA: ac97: Apply quirk for Dell Latitude D610 binding Master and Headphone controls
-
-From: Daniel T Chen <crimsun@ubuntu.com>
-
-commit 0613a59456980161d0cd468bae6c63d772743102 upstream.
-
-BugLink: https://launchpad.net/bugs/669279
-
-The original reporter states: "The Master mixer does not change the
-volume from the headphone output (which is affected by the headphone
-mixer). Instead it only seems to control the on-board speaker volume.
-This confuses PulseAudio greatly as the Master channel is merged into
-the volume mix."
-
-Fix this symptom by applying the hp_only quirk for the reporter's SSID.
-The fix is applicable to all stable kernels.
-
-Reported-and-tested-by: Ben Gamari <bgamari@gmail.com>
-Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/intel8x0.c |    6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/sound/pci/intel8x0.c
-+++ b/sound/pci/intel8x0.c
-@@ -1860,6 +1860,12 @@ static struct ac97_quirk ac97_quirks[] _
-       },
-       {
-               .subvendor = 0x1028,
-+              .subdevice = 0x0182,
-+              .name = "Dell Latitude D610",   /* STAC9750/51 */
-+              .type = AC97_TUNE_HP_ONLY
-+      },
-+      {
-+              .subvendor = 0x1028,
-               .subdevice = 0x0186,
-               .name = "Dell Latitude D810", /* cf. Malone #41015 */
-               .type = AC97_TUNE_HP_MUTE_LED
diff --git a/queue-2.6.33/alsa-hda-add-an-extra-dac-for-realtek-alc887-vd.patch b/queue-2.6.33/alsa-hda-add-an-extra-dac-for-realtek-alc887-vd.patch
deleted file mode 100644 (file)
index e1cc2a2..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From cc1c452e509aefc28f7ad2deed75bc69d4f915f7 Mon Sep 17 00:00:00 2001
-From: David Henningsson <david.henningsson@canonical.com>
-Date: Wed, 24 Nov 2010 14:17:47 +0100
-Subject: ALSA: HDA: Add an extra DAC for Realtek ALC887-VD
-
-From: David Henningsson <david.henningsson@canonical.com>
-
-commit cc1c452e509aefc28f7ad2deed75bc69d4f915f7 upstream.
-
-The patch enables ALC887-VD to use the DAC at nid 0x26,
-which makes it possible to use this DAC for e g Headphone
-volume.
-
-Signed-off-by: David Henningsson <david.henningsson@canonical.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/hda/patch_realtek.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -17670,6 +17670,8 @@ static inline hda_nid_t alc662_mix_to_da
-               return 0x02;
-       else if (nid >= 0x0c && nid <= 0x0e)
-               return nid - 0x0c + 0x02;
-+      else if (nid == 0x26) /* ALC887-VD has this DAC too */
-+              return 0x25;
-       else
-               return 0;
- }
-@@ -17678,7 +17680,7 @@ static inline hda_nid_t alc662_mix_to_da
- static hda_nid_t alc662_dac_to_mix(struct hda_codec *codec, hda_nid_t pin,
-                                  hda_nid_t dac)
- {
--      hda_nid_t mix[4];
-+      hda_nid_t mix[5];
-       int i, num;
-       num = snd_hda_get_connections(codec, pin, mix, ARRAY_SIZE(mix));
diff --git a/queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch b/queue-2.6.33/alsa-hda-add-dell-latitude-e6400-model-quirk.patch
deleted file mode 100644 (file)
index dcd9f91..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e Mon Sep 17 00:00:00 2001
-From: Luke Yelavich <luke.yelavich@canonical.com>
-Date: Tue, 21 Sep 2010 17:05:46 +1000
-Subject: ALSA: hda - Add Dell Latitude E6400 model quirk
-
-From: Luke Yelavich <luke.yelavich@canonical.com>
-
-commit 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e upstream.
-
-BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/643891
-
-Set the Dell Latitude E6400 (1028:0233) SSID to use AD1984_DELL_DESKTOP
-
-Signed-off-by: Luke Yelavich <luke.yelavich@canonical.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/hda/patch_analog.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/pci/hda/patch_analog.c
-+++ b/sound/pci/hda/patch_analog.c
-@@ -3536,6 +3536,7 @@ static struct snd_pci_quirk ad1984_cfg_t
-       /* Lenovo Thinkpad T61/X61 */
-       SND_PCI_QUIRK_VENDOR(0x17aa, "Lenovo Thinkpad", AD1984_THINKPAD),
-       SND_PCI_QUIRK(0x1028, 0x0214, "Dell T3400", AD1984_DELL_DESKTOP),
-+      SND_PCI_QUIRK(0x1028, 0x0233, "Dell Latitude E6400", AD1984_DELL_DESKTOP),
-       {}
- };
diff --git a/queue-2.6.33/alsa-hda-fixed-alc887-vd-initial-error.patch b/queue-2.6.33/alsa-hda-fixed-alc887-vd-initial-error.patch
deleted file mode 100644 (file)
index 8440e1e..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-From 01e0f1378c47947b825eac05c98697ab1be1c86f Mon Sep 17 00:00:00 2001
-From: Kailang Yang <kailang@realtek.com>
-Date: Mon, 22 Nov 2010 10:59:36 +0100
-Subject: ALSA: hda - Fixed ALC887-VD initial error
-
-From: Kailang Yang <kailang@realtek.com>
-
-commit 01e0f1378c47947b825eac05c98697ab1be1c86f upstream.
-
-ALC887-VD is like ALC888-VD. It can not be initialized as ALC882.
-
-Signed-off-by: Kailang Yang <kailang@realtek.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/hda/patch_realtek.c |    7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -18077,7 +18077,10 @@ static int patch_alc888(struct hda_codec
- {
-       if ((alc_read_coef_idx(codec, 0) & 0x00f0)==0x0030){
-               kfree(codec->chip_name);
--              codec->chip_name = kstrdup("ALC888-VD", GFP_KERNEL);
-+              if (codec->vendor_id == 0x10ec0887)
-+                      codec->chip_name = kstrdup("ALC887-VD", GFP_KERNEL);
-+              else
-+                      codec->chip_name = kstrdup("ALC888-VD", GFP_KERNEL);
-               if (!codec->chip_name) {
-                       alc_free(codec);
-                       return -ENOMEM;
-@@ -18117,7 +18120,7 @@ static struct hda_codec_preset snd_hda_p
-       { .id = 0x10ec0885, .rev = 0x100103, .name = "ALC889A",
-         .patch = patch_alc882 },
-       { .id = 0x10ec0885, .name = "ALC885", .patch = patch_alc882 },
--      { .id = 0x10ec0887, .name = "ALC887", .patch = patch_alc882 },
-+      { .id = 0x10ec0887, .name = "ALC887", .patch = patch_alc888 },
-       { .id = 0x10ec0888, .rev = 0x100101, .name = "ALC1200",
-         .patch = patch_alc882 },
-       { .id = 0x10ec0888, .name = "ALC888", .patch = patch_alc888 },
diff --git a/queue-2.6.33/alsa-hda-use-alienware-model-quirk-for-another-ssid.patch b/queue-2.6.33/alsa-hda-use-alienware-model-quirk-for-another-ssid.patch
deleted file mode 100644 (file)
index 2052bfa..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0defe09ca70daccdc83abd9c3c24cd89ae6a1141 Mon Sep 17 00:00:00 2001
-From: Daniel T Chen <crimsun@ubuntu.com>
-Date: Wed, 1 Dec 2010 19:16:07 -0500
-Subject: ALSA: hda: Use "alienware" model quirk for another SSID
-
-From: Daniel T Chen <crimsun@ubuntu.com>
-
-commit 0defe09ca70daccdc83abd9c3c24cd89ae6a1141 upstream.
-
-BugLink: https://launchpad.net/bugs/683695
-
-The original reporter states that headphone jacks do not appear to
-work.  Upon inspecting his codec dump, and upon further testing, it is
-confirmed that the "alienware" model quirk is correct.
-
-Reported-and-tested-by: Cody Thierauf
-Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/hda/patch_sigmatel.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/sound/pci/hda/patch_sigmatel.c
-+++ b/sound/pci/hda/patch_sigmatel.c
-@@ -1610,6 +1610,8 @@ static struct snd_pci_quirk stac92hd73xx
- static struct snd_pci_quirk stac92hd73xx_codec_id_cfg_tbl[] = {
-       SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02a1,
-                     "Alienware M17x", STAC_ALIENWARE_M17X),
-+      SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x043a,
-+                    "Alienware M17x", STAC_ALIENWARE_M17X),
-       {} /* terminator */
- };
diff --git a/queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch b/queue-2.6.33/alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch
deleted file mode 100644 (file)
index 744db1c..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0873a5ae747847ee55a63db409dff3476e45bcd9 Mon Sep 17 00:00:00 2001
-From: Erik J. Staab <ejs@insightbb.com>
-Date: Wed, 22 Sep 2010 11:07:41 +0200
-Subject: ALSA: oxygen: fix analog capture on Claro halo cards
-
-From: Erik J. Staab <ejs@insightbb.com>
-
-commit 0873a5ae747847ee55a63db409dff3476e45bcd9 upstream.
-
-On the HT-Omega Claro halo card, the ADC data must be captured from the
-second I2S input.  Using the default first input, which isn't connected
-to anything, would result in silence.
-
-Signed-off-by: Erik J. Staab <ejs@insightbb.com>
-Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/oxygen/oxygen.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/sound/pci/oxygen/oxygen.c
-+++ b/sound/pci/oxygen/oxygen.c
-@@ -543,6 +543,10 @@ static int __devinit get_oxygen_model(st
-               chip->model.suspend = claro_suspend;
-               chip->model.resume = claro_resume;
-               chip->model.set_adc_params = set_ak5385_params;
-+              chip->model.device_config = PLAYBACK_0_TO_I2S |
-+                                          PLAYBACK_1_TO_SPDIF |
-+                                          CAPTURE_0_FROM_I2S_2 |
-+                                          CAPTURE_1_FROM_SPDIF;
-               break;
-       }
-       if (id->driver_data == MODEL_MERIDIAN ||
diff --git a/queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch b/queue-2.6.33/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
deleted file mode 100644 (file)
index 664f791..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Tue, 28 Sep 2010 14:18:20 -0400
-Subject: ALSA: prevent heap corruption in snd_ctl_new()
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.
-
-The snd_ctl_new() function in sound/core/control.c allocates space for a
-snd_kcontrol struct by performing arithmetic operations on a
-user-provided size without checking for integer overflow.  If a user
-provides a large enough size, an overflow will occur, the allocated
-chunk will be too small, and a second user-influenced value will be
-written repeatedly past the bounds of this chunk.  This code is
-reachable by unprivileged users who have permission to open
-a /dev/snd/controlC* device (on many distros, this is group "audio") via
-the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
-
-Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/core/control.c |    5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -31,6 +31,7 @@
- /* max number of user-defined controls */
- #define MAX_USER_CONTROLS     32
-+#define MAX_CONTROL_COUNT     1028
- struct snd_kctl_ioctl {
-       struct list_head list;          /* list of all ioctls */
-@@ -191,6 +192,10 @@ static struct snd_kcontrol *snd_ctl_new(
-       
-       if (snd_BUG_ON(!control || !control->count))
-               return NULL;
-+
-+      if (control->count > MAX_CONTROL_COUNT)
-+              return NULL;
-+
-       kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
-       if (kctl == NULL) {
-               snd_printk(KERN_ERR "Cannot allocate control instance\n");
diff --git a/queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch b/queue-2.6.33/alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch
deleted file mode 100644 (file)
index 9ff2d58..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-From aa73aec6c385e2c797ac25cc7ccf0318031de7c8 Mon Sep 17 00:00:00 2001
-From: Clemens Ladisch <clemens@ladisch.de>
-Date: Fri, 15 Oct 2010 12:06:18 +0200
-Subject: ALSA: rawmidi: fix oops (use after free) when unloading a driver module
-
-From: Clemens Ladisch <clemens@ladisch.de>
-
-commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream.
-
-When a driver module is unloaded and the last still open file is a raw
-MIDI device, the card and its devices will be actually freed in the
-snd_card_file_remove() call when that file is closed.  Afterwards, rmidi
-and rmidi->card point into freed memory, so the module pointer is likely
-to be garbage.
-(This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.)
-
-Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
-Reported-by: Krzysztof Foltman <wdev@foltman.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/core/rawmidi.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/sound/core/rawmidi.c
-+++ b/sound/core/rawmidi.c
-@@ -531,13 +531,15 @@ static int snd_rawmidi_release(struct in
- {
-       struct snd_rawmidi_file *rfile;
-       struct snd_rawmidi *rmidi;
-+      struct module *module;
-       rfile = file->private_data;
-       rmidi = rfile->rmidi;
-       rawmidi_release_priv(rfile);
-       kfree(rfile);
-+      module = rmidi->card->module;
-       snd_card_file_remove(rmidi->card, file);
--      module_put(rmidi->card->module);
-+      module_put(module);
-       return 0;
- }
diff --git a/queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.33/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
deleted file mode 100644 (file)
index f00faf6..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From e68d3b316ab7b02a074edc4f770e6a746390cb7d Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Sat, 25 Sep 2010 11:07:27 -0400
-Subject: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.
-
-The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
-SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
-unprivileged users to read uninitialized kernel stack memory, because
-several fields of the hdsp{m}_config_info structs declared on the stack
-are not altered or zeroed before being copied back to the user.  This
-patch takes care of it.
-
-Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- sound/pci/rme9652/hdsp.c  |    1 +
- sound/pci/rme9652/hdspm.c |    1 +
- 2 files changed, 2 insertions(+)
-
---- a/sound/pci/rme9652/hdsp.c
-+++ b/sound/pci/rme9652/hdsp.c
-@@ -4610,6 +4610,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
-               if (err < 0)
-                       return err;
-+              memset(&info, 0, sizeof(info));
-               spin_lock_irqsave(&hdsp->lock, flags);
-               info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
-               info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
---- a/sound/pci/rme9652/hdspm.c
-+++ b/sound/pci/rme9652/hdspm.c
-@@ -4127,6 +4127,7 @@ static int snd_hdspm_hwdep_ioctl(struct
-       case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
-+              memset(&info, 0, sizeof(info));
-               spin_lock_irq(&hdspm->lock);
-               info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
-               info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
diff --git a/queue-2.6.33/arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch b/queue-2.6.33/arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
deleted file mode 100644 (file)
index 887bdb4..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0e91ec0c06d2cd15071a6021c94840a50e6671aa Mon Sep 17 00:00:00 2001
-From: James Jones <jajones@nvidia.com>
-Date: Wed, 24 Nov 2010 00:21:37 +0100
-Subject: ARM: 6482/2: Fix find_next_zero_bit and related assembly
-
-From: James Jones <jajones@nvidia.com>
-
-commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.
-
-The find_next_bit, find_first_bit, find_next_zero_bit
-and find_first_zero_bit functions were not properly
-clamping to the maxbit argument at the bit level. They
-were instead only checking maxbit at the byte level.
-To fix this, add a compare and a conditional move
-instruction to the end of the common bit-within-the-
-byte code used by all the functions and be sure not to
-clobber the maxbit argument before it is used.
-
-Reviewed-by: Nicolas Pitre <nicolas.pitre@linaro.org>
-Tested-by: Stephen Warren <swarren@nvidia.com>
-Signed-off-by: James Jones <jajones@nvidia.com>
-Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/arm/lib/findbit.S |    6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/arch/arm/lib/findbit.S
-+++ b/arch/arm/lib/findbit.S
-@@ -174,8 +174,8 @@ ENDPROC(_find_next_bit_be)
-  */
- .L_found:
- #if __LINUX_ARM_ARCH__ >= 5
--              rsb     r1, r3, #0
--              and     r3, r3, r1
-+              rsb     r0, r3, #0
-+              and     r3, r3, r0
-               clz     r3, r3
-               rsb     r3, r3, #31
-               add     r0, r2, r3
-@@ -190,5 +190,7 @@ ENDPROC(_find_next_bit_be)
-               addeq   r2, r2, #1
-               mov     r0, r2
- #endif
-+              cmp     r1, r0                  @ Clamp to maxbit
-+              movlo   r0, r1
-               mov     pc, lr
diff --git a/queue-2.6.33/arm-6489-1-thumb2-fix-incorrect-optimisation-in-usracc.patch b/queue-2.6.33/arm-6489-1-thumb2-fix-incorrect-optimisation-in-usracc.patch
deleted file mode 100644 (file)
index 4910b18..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 1142b71d85894dcff1466dd6c871ea3c89e0352c Mon Sep 17 00:00:00 2001
-From: Will Deacon <will.deacon@arm.com>
-Date: Fri, 19 Nov 2010 13:18:31 +0100
-Subject: ARM: 6489/1: thumb2: fix incorrect optimisation in usracc
-
-From: Will Deacon <will.deacon@arm.com>
-
-commit 1142b71d85894dcff1466dd6c871ea3c89e0352c upstream.
-
-Commit 8b592783 added a Thumb-2 variant of usracc which, when it is
-called with \rept=2, calls usraccoff once with an offset of 0 and
-secondly with a hard-coded offset of 4 in order to avoid incrementing
-the pointer again. If \inc != 4 then we will store the data to the wrong
-offset from \ptr. Luckily, the only caller that passes \rept=2 to this
-function is __clear_user so we haven't been actively corrupting user data.
-
-This patch fixes usracc to pass \inc instead of #4 to usraccoff
-when it is called a second time.
-
-Reported-by: Tony Thompson <tony.thompson@arm.com>
-Acked-by: Catalin Marinas <catalin.marinas@arm.com>
-Signed-off-by: Will Deacon <will.deacon@arm.com>
-Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/arm/include/asm/assembler.h |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/arm/include/asm/assembler.h
-+++ b/arch/arm/include/asm/assembler.h
-@@ -215,7 +215,7 @@
-       @ Slightly optimised to avoid incrementing the pointer twice
-       usraccoff \instr, \reg, \ptr, \inc, 0, \cond, \abort
-       .if     \rept == 2
--      usraccoff \instr, \reg, \ptr, \inc, 4, \cond, \abort
-+      usraccoff \instr, \reg, \ptr, \inc, \inc, \cond, \abort
-       .endif
-       add\cond \ptr, #\rept * \inc
diff --git a/queue-2.6.33/atl1-fix-resume.patch b/queue-2.6.33/atl1-fix-resume.patch
deleted file mode 100644 (file)
index 1f7831b..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001
-From: Luca Tettamanti <kronos.it@gmail.com>
-Date: Wed, 22 Sep 2010 10:41:58 +0000
-Subject: atl1: fix resume
-
-From: Luca Tettamanti <kronos.it@gmail.com>
-
-commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream.
-
-adapter->cmb.cmb is initialized when the device is opened and freed when
-it's closed. Accessing it unconditionally during resume results either
-in a crash (NULL pointer dereference, when the interface has not been
-opened yet) or data corruption (when the interface has been used and
-brought down adapter->cmb.cmb points to a deallocated memory area).
-
-Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
-Acked-by: Chris Snook <chris.snook@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/atlx/atl1.c |    5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/drivers/net/atlx/atl1.c
-+++ b/drivers/net/atlx/atl1.c
-@@ -2849,10 +2849,11 @@ static int atl1_resume(struct pci_dev *p
-       pci_enable_wake(pdev, PCI_D3cold, 0);
-       atl1_reset_hw(&adapter->hw);
--      adapter->cmb.cmb->int_stats = 0;
--      if (netif_running(netdev))
-+      if (netif_running(netdev)) {
-+              adapter->cmb.cmb->int_stats = 0;
-               atl1_up(adapter);
-+      }
-       netif_device_attach(netdev);
-       return 0;
diff --git a/queue-2.6.33/b44-fix-carrier-detection-on-bind.patch b/queue-2.6.33/b44-fix-carrier-detection-on-bind.patch
deleted file mode 100644 (file)
index 79f8f96..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From bcf64aa379fcadd074449cbf0c049da70071b06f Mon Sep 17 00:00:00 2001
-From: Paul Fertser <fercerpav@gmail.com>
-Date: Mon, 11 Oct 2010 15:45:35 -0700
-Subject: b44: fix carrier detection on bind
-
-From: Paul Fertser <fercerpav@gmail.com>
-
-commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream.
-
-For carrier detection to work properly when binding the driver with a cable
-unplugged, netif_carrier_off() should be called after register_netdev(),
-not before.
-
-Signed-off-by: Paul Fertser <fercerpav@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/b44.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/net/b44.c
-+++ b/drivers/net/b44.c
-@@ -2175,8 +2175,6 @@ static int __devinit b44_init_one(struct
-       dev->irq = sdev->irq;
-       SET_ETHTOOL_OPS(dev, &b44_ethtool_ops);
--      netif_carrier_off(dev);
--
-       err = ssb_bus_powerup(sdev->bus, 0);
-       if (err) {
-               dev_err(sdev->dev,
-@@ -2216,6 +2214,8 @@ static int __devinit b44_init_one(struct
-               goto err_out_powerdown;
-       }
-+      netif_carrier_off(dev);
-+
-       ssb_set_drvdata(sdev, dev);
-       /* Chip reset provides power to the b44 MAC & PCI cores, which
diff --git a/queue-2.6.33/backlight-grab-ops_lock-before-testing-bd-ops.patch b/queue-2.6.33/backlight-grab-ops_lock-before-testing-bd-ops.patch
deleted file mode 100644 (file)
index 4247503..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-From d1d73578e053b981c3611e5a211534290d24a5eb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
-Date: Wed, 24 Nov 2010 12:57:14 -0800
-Subject: backlight: grab ops_lock before testing bd->ops
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
-
-commit d1d73578e053b981c3611e5a211534290d24a5eb upstream.
-
-According to the comment describing ops_lock in the definition of struct
-backlight_device and when comparing with other functions in backlight.c
-the mutex must be hold when checking ops to be non-NULL.
-
-Fixes a problem added by c835ee7f4154992e6 ("backlight: Add suspend/resume
-support to the backlight core") in Jan 2009.
-
-Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
-Acked-by: Richard Purdie <rpurdie@linux.intel.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/video/backlight/backlight.c |   12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
---- a/drivers/video/backlight/backlight.c
-+++ b/drivers/video/backlight/backlight.c
-@@ -196,12 +196,12 @@ static int backlight_suspend(struct devi
- {
-       struct backlight_device *bd = to_backlight_device(dev);
--      if (bd->ops->options & BL_CORE_SUSPENDRESUME) {
--              mutex_lock(&bd->ops_lock);
-+      mutex_lock(&bd->ops_lock);
-+      if (bd->ops && bd->ops->options & BL_CORE_SUSPENDRESUME) {
-               bd->props.state |= BL_CORE_SUSPENDED;
-               backlight_update_status(bd);
--              mutex_unlock(&bd->ops_lock);
-       }
-+      mutex_unlock(&bd->ops_lock);
-       return 0;
- }
-@@ -210,12 +210,12 @@ static int backlight_resume(struct devic
- {
-       struct backlight_device *bd = to_backlight_device(dev);
--      if (bd->ops->options & BL_CORE_SUSPENDRESUME) {
--              mutex_lock(&bd->ops_lock);
-+      mutex_lock(&bd->ops_lock);
-+      if (bd->ops && bd->ops->options & BL_CORE_SUSPENDRESUME) {
-               bd->props.state &= ~BL_CORE_SUSPENDED;
-               backlight_update_status(bd);
--              mutex_unlock(&bd->ops_lock);
-       }
-+      mutex_unlock(&bd->ops_lock);
-       return 0;
- }
diff --git a/queue-2.6.33/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch b/queue-2.6.33/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
deleted file mode 100644 (file)
index 0ab542c..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From cb4644cac4a2797afc847e6c92736664d4b0ea34 Mon Sep 17 00:00:00 2001
-From: Jens Axboe <jaxboe@fusionio.com>
-Date: Wed, 10 Nov 2010 14:36:25 +0100
-Subject: bio: take care not overflow page count when mapping/copying user data
-
-From: Jens Axboe <jaxboe@fusionio.com>
-
-commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
-
-If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
-to overflow, we could end up attempting to map a huge number of
-pages. Check for this invalid input type.
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/bio.c |   14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
---- a/fs/bio.c
-+++ b/fs/bio.c
-@@ -838,6 +838,12 @@ struct bio *bio_copy_user_iov(struct req
-               end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
-               start = uaddr >> PAGE_SHIFT;
-+              /*
-+               * Overflow, abort
-+               */
-+              if (end < start)
-+                      return ERR_PTR(-EINVAL);
-+
-               nr_pages += end - start;
-               len += iov[i].iov_len;
-       }
-@@ -965,6 +971,12 @@ static struct bio *__bio_map_user_iov(st
-               unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
-               unsigned long start = uaddr >> PAGE_SHIFT;
-+              /*
-+               * Overflow, abort
-+               */
-+              if (end < start)
-+                      return ERR_PTR(-EINVAL);
-+
-               nr_pages += end - start;
-               /*
-                * buffer must be aligned to at least hardsector size for now
-@@ -992,7 +1004,7 @@ static struct bio *__bio_map_user_iov(st
-               unsigned long start = uaddr >> PAGE_SHIFT;
-               const int local_nr_pages = end - start;
-               const int page_limit = cur_page + local_nr_pages;
--              
-+
-               ret = get_user_pages_fast(uaddr, local_nr_pages,
-                               write_to_vm, &pages[cur_page]);
-               if (ret < local_nr_pages) {
diff --git a/queue-2.6.33/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch b/queue-2.6.33/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
deleted file mode 100644 (file)
index afcd940..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 Mon Sep 17 00:00:00 2001
-From: Jens Axboe <jaxboe@fusionio.com>
-Date: Fri, 29 Oct 2010 08:10:18 -0600
-Subject: block: check for proper length of iov entries in blk_rq_map_user_iov()
-
-From: Jens Axboe <jaxboe@fusionio.com>
-
-commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream.
-
-Ensure that we pass down properly validated iov segments before
-calling into the mapping or copy functions.
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- block/blk-map.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/block/blk-map.c
-+++ b/block/blk-map.c
-@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_q
-                       unaligned = 1;
-                       break;
-               }
-+              if (!iov[i].iov_len)
-+                      return -EINVAL;
-       }
-       if (unaligned || (q->dma_pad_mask & len) || map_data)
diff --git a/queue-2.6.33/block-ensure-physical-block-size-is-unsigned-int.patch b/queue-2.6.33/block-ensure-physical-block-size-is-unsigned-int.patch
deleted file mode 100644 (file)
index d905b3e..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From 892b6f90db81cccb723d5d92f4fddc2d68b206e1 Mon Sep 17 00:00:00 2001
-From: Martin K. Petersen <martin.petersen@oracle.com>
-Date: Wed, 13 Oct 2010 21:18:03 +0200
-Subject: block: Ensure physical block size is unsigned int
-
-From: Martin K. Petersen <martin.petersen@oracle.com>
-
-commit 892b6f90db81cccb723d5d92f4fddc2d68b206e1 upstream.
-
-Physical block size was declared unsigned int to accomodate the maximum
-size reported by READ CAPACITY(16).  Make sure we use the right type in
-the related functions.
-
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Acked-by: Mike Snitzer <snitzer@redhat.com>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- block/blk-settings.c   |    2 +-
- include/linux/blkdev.h |    4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
---- a/block/blk-settings.c
-+++ b/block/blk-settings.c
-@@ -356,7 +356,7 @@ EXPORT_SYMBOL(blk_queue_logical_block_si
-  *   hardware can operate on without reverting to read-modify-write
-  *   operations.
-  */
--void blk_queue_physical_block_size(struct request_queue *q, unsigned short size)
-+void blk_queue_physical_block_size(struct request_queue *q, unsigned int size)
- {
-       q->limits.physical_block_size = size;
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -926,7 +926,7 @@ extern void blk_queue_max_segment_size(s
- extern void blk_queue_max_discard_sectors(struct request_queue *q,
-               unsigned int max_discard_sectors);
- extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
--extern void blk_queue_physical_block_size(struct request_queue *, unsigned short);
-+extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
- extern void blk_queue_alignment_offset(struct request_queue *q,
-                                      unsigned int alignment);
- extern void blk_limits_io_min(struct queue_limits *limits, unsigned int min);
-@@ -1077,7 +1077,7 @@ static inline unsigned int queue_physica
-       return q->limits.physical_block_size;
- }
--static inline int bdev_physical_block_size(struct block_device *bdev)
-+static inline unsigned int bdev_physical_block_size(struct block_device *bdev)
- {
-       return queue_physical_block_size(bdev_get_queue(bdev));
- }
diff --git a/queue-2.6.33/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch b/queue-2.6.33/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
deleted file mode 100644 (file)
index 74ec6b0..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-From f3f63c1c28bc861a931fac283b5bc3585efb8967 Mon Sep 17 00:00:00 2001
-From: Jens Axboe <jaxboe@fusionio.com>
-Date: Fri, 29 Oct 2010 11:46:56 -0600
-Subject: block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
-
-From: Jens Axboe <jaxboe@fusionio.com>
-
-commit f3f63c1c28bc861a931fac283b5bc3585efb8967 upstream.
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/bio.c |    9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
---- a/fs/bio.c
-+++ b/fs/bio.c
-@@ -371,6 +371,9 @@ struct bio *bio_kmalloc(gfp_t gfp_mask,
- {
-       struct bio *bio;
-+      if (nr_iovecs > UIO_MAXIOV)
-+              return NULL;
-+
-       bio = kmalloc(sizeof(struct bio) + nr_iovecs * sizeof(struct bio_vec),
-                     gfp_mask);
-       if (unlikely(!bio))
-@@ -701,8 +704,12 @@ static void bio_free_map_data(struct bio
- static struct bio_map_data *bio_alloc_map_data(int nr_segs, int iov_count,
-                                              gfp_t gfp_mask)
- {
--      struct bio_map_data *bmd = kmalloc(sizeof(*bmd), gfp_mask);
-+      struct bio_map_data *bmd;
-+
-+      if (iov_count > UIO_MAXIOV)
-+              return NULL;
-+      bmd = kmalloc(sizeof(*bmd), gfp_mask);
-       if (!bmd)
-               return NULL;
diff --git a/queue-2.6.33/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch b/queue-2.6.33/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
deleted file mode 100644 (file)
index b1a8515..0000000
+++ /dev/null
@@ -1,77 +0,0 @@
-From 9f864c80913467312c7b8690e41fb5ebd1b50e92 Mon Sep 17 00:00:00 2001
-From: Jens Axboe <jaxboe@fusionio.com>
-Date: Fri, 29 Oct 2010 11:31:42 -0600
-Subject: block: take care not to overflow when calculating total iov length
-
-From: Jens Axboe <jaxboe@fusionio.com>
-
-commit 9f864c80913467312c7b8690e41fb5ebd1b50e92 upstream.
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- block/scsi_ioctl.c |   34 ++++++++++++++++++++++++----------
- 1 file changed, 24 insertions(+), 10 deletions(-)
-
---- a/block/scsi_ioctl.c
-+++ b/block/scsi_ioctl.c
-@@ -321,33 +321,47 @@ static int sg_io(struct request_queue *q
-       if (hdr->iovec_count) {
-               const int size = sizeof(struct sg_iovec) * hdr->iovec_count;
-               size_t iov_data_len;
--              struct sg_iovec *iov;
-+              struct sg_iovec *sg_iov;
-+              struct iovec *iov;
-+              int i;
--              iov = kmalloc(size, GFP_KERNEL);
--              if (!iov) {
-+              sg_iov = kmalloc(size, GFP_KERNEL);
-+              if (!sg_iov) {
-                       ret = -ENOMEM;
-                       goto out;
-               }
--              if (copy_from_user(iov, hdr->dxferp, size)) {
--                      kfree(iov);
-+              if (copy_from_user(sg_iov, hdr->dxferp, size)) {
-+                      kfree(sg_iov);
-                       ret = -EFAULT;
-                       goto out;
-               }
-+              /*
-+               * Sum up the vecs, making sure they don't overflow
-+               */
-+              iov = (struct iovec *) sg_iov;
-+              iov_data_len = 0;
-+              for (i = 0; i < hdr->iovec_count; i++) {
-+                      if (iov_data_len + iov[i].iov_len < iov_data_len) {
-+                              kfree(sg_iov);
-+                              ret = -EINVAL;
-+                              goto out;
-+                      }
-+                      iov_data_len += iov[i].iov_len;
-+              }
-+
-               /* SG_IO howto says that the shorter of the two wins */
--              iov_data_len = iov_length((struct iovec *)iov,
--                                        hdr->iovec_count);
-               if (hdr->dxfer_len < iov_data_len) {
--                      hdr->iovec_count = iov_shorten((struct iovec *)iov,
-+                      hdr->iovec_count = iov_shorten(iov,
-                                                      hdr->iovec_count,
-                                                      hdr->dxfer_len);
-                       iov_data_len = hdr->dxfer_len;
-               }
--              ret = blk_rq_map_user_iov(q, rq, NULL, iov, hdr->iovec_count,
-+              ret = blk_rq_map_user_iov(q, rq, NULL, sg_iov, hdr->iovec_count,
-                                         iov_data_len, GFP_KERNEL);
--              kfree(iov);
-+              kfree(sg_iov);
-       } else if (hdr->dxfer_len)
-               ret = blk_rq_map_user(q, rq, NULL, hdr->dxferp, hdr->dxfer_len,
-                                     GFP_KERNEL);
diff --git a/queue-2.6.33/bluetooth-fix-missing-null-check.patch b/queue-2.6.33/bluetooth-fix-missing-null-check.patch
deleted file mode 100644 (file)
index a023a79..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From c19483cc5e56ac5e22dd19cf25ba210ab1537773 Mon Sep 17 00:00:00 2001
-From: Alan Cox <alan@linux.intel.com>
-Date: Fri, 22 Oct 2010 14:11:26 +0100
-Subject: bluetooth: Fix missing NULL check
-
-From: Alan Cox <alan@linux.intel.com>
-
-commit c19483cc5e56ac5e22dd19cf25ba210ab1537773 upstream.
-
-Fortunately this is only exploitable on very unusual hardware.
-
-[Reported a while ago but nothing happened so just fixing it]
-
-Signed-off-by: Alan Cox <alan@linux.intel.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/bluetooth/hci_ldisc.c |    7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/bluetooth/hci_ldisc.c
-+++ b/drivers/bluetooth/hci_ldisc.c
-@@ -258,9 +258,16 @@ static int hci_uart_tty_open(struct tty_
-       BT_DBG("tty %p", tty);
-+      /* FIXME: This btw is bogus, nothing requires the old ldisc to clear
-+         the pointer */
-       if (hu)
-               return -EEXIST;
-+      /* Error if the tty has no write op instead of leaving an exploitable
-+         hole */
-+      if (tty->ops->write == NULL)
-+              return -EOPNOTSUPP;
-+
-       if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
-               BT_ERR("Can't allocate control structure");
-               return -ENFILE;
diff --git a/queue-2.6.33/bsg-fix-incorrect-device_status-value.patch b/queue-2.6.33/bsg-fix-incorrect-device_status-value.patch
deleted file mode 100644 (file)
index bba68b2..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 478971600e47cb83ff2d3c63c5c24f2b04b0d6a1 Mon Sep 17 00:00:00 2001
-From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
-Date: Fri, 17 Sep 2010 00:46:42 +0900
-Subject: [SCSI] bsg: fix incorrect device_status value
-
-From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
-
-commit 478971600e47cb83ff2d3c63c5c24f2b04b0d6a1 upstream.
-
-bsg incorrectly returns sg's masked_status value for device_status.
-
-[jejb: fix up expression logic]
-Reported-by: Douglas Gilbert <dgilbert@interlog.com>
-Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- block/bsg.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/block/bsg.c
-+++ b/block/bsg.c
-@@ -425,7 +425,7 @@ static int blk_complete_sgv4_hdr_rq(stru
-       /*
-        * fill in all the output members
-        */
--      hdr->device_status = status_byte(rq->errors);
-+      hdr->device_status = rq->errors & 0xff;
-       hdr->transport_status = host_byte(rq->errors);
-       hdr->driver_status = driver_byte(rq->errors);
-       hdr->info = 0;
diff --git a/queue-2.6.33/btrfs-kfree-correct-pointer-during-mount-option-parsing.patch b/queue-2.6.33/btrfs-kfree-correct-pointer-during-mount-option-parsing.patch
deleted file mode 100644 (file)
index e3d7d48..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From da495ecc0fb096b383754952a1c152147bc95b52 Mon Sep 17 00:00:00 2001
-From: Josef Bacik <josef@redhat.com>
-Date: Thu, 25 Feb 2010 20:38:35 +0000
-Subject: Btrfs: kfree correct pointer during mount option parsing
-
-From: Josef Bacik <josef@redhat.com>
-
-commit da495ecc0fb096b383754952a1c152147bc95b52 upstream.
-
-We kstrdup the options string, but then strsep screws with the pointer,
-so when we kfree() it, we're not giving it the right pointer.
-
-Tested-by: Andy Lutomirski <luto@mit.edu>
-Signed-off-by: Chris Mason <chris.mason@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/btrfs/super.c |    5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/fs/btrfs/super.c
-+++ b/fs/btrfs/super.c
-@@ -128,7 +128,7 @@ int btrfs_parse_options(struct btrfs_roo
- {
-       struct btrfs_fs_info *info = root->fs_info;
-       substring_t args[MAX_OPT_ARGS];
--      char *p, *num;
-+      char *p, *num, *orig;
-       int intarg;
-       int ret = 0;
-@@ -143,6 +143,7 @@ int btrfs_parse_options(struct btrfs_roo
-       if (!options)
-               return -ENOMEM;
-+      orig = options;
-       while ((p = strsep(&options, ",")) != NULL) {
-               int token;
-@@ -280,7 +281,7 @@ int btrfs_parse_options(struct btrfs_roo
-               }
-       }
- out:
--      kfree(options);
-+      kfree(orig);
-       return ret;
- }
diff --git a/queue-2.6.33/can-bcm-fix-minor-heap-overflow.patch b/queue-2.6.33/can-bcm-fix-minor-heap-overflow.patch
deleted file mode 100644 (file)
index c7710bd..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 Mon Sep 17 00:00:00 2001
-From: Oliver Hartkopp <socketcan@hartkopp.net>
-Date: Wed, 10 Nov 2010 12:10:30 +0000
-Subject: can-bcm: fix minor heap overflow
-
-From: Oliver Hartkopp <socketcan@hartkopp.net>
-
-commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.
-
-On 64-bit platforms the ASCII representation of a pointer may be up to 17
-bytes long. This patch increases the length of the buffer accordingly.
-
-http://marc.info/?l=linux-netdev&m=128872251418192&w=2
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
-CC: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/can/bcm.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/can/bcm.c
-+++ b/net/can/bcm.c
-@@ -117,7 +117,7 @@ struct bcm_sock {
-       struct list_head tx_ops;
-       unsigned long dropped_usr_msgs;
-       struct proc_dir_entry *bcm_proc_read;
--      char procname [9]; /* pointer printed in ASCII with \0 */
-+      char procname [20]; /* pointer printed in ASCII with \0 */
- };
- static inline struct bcm_sock *bcm_sk(const struct sock *sk)
diff --git a/queue-2.6.33/compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch b/queue-2.6.33/compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch
deleted file mode 100644 (file)
index d80c40f..0000000
+++ /dev/null
@@ -1,172 +0,0 @@
-From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001
-From: H. Peter Anvin <hpa@linux.intel.com>
-Date: Tue, 7 Sep 2010 16:16:18 -0700
-Subject: compat: Make compat_alloc_user_space() incorporate the access_ok()
-
-From: H. Peter Anvin <hpa@linux.intel.com>
-
-commit c41d68a513c71e35a14f66d71782d27a79a81ea6 upstream.
-
-compat_alloc_user_space() expects the caller to independently call
-access_ok() to verify the returned area.  A missing call could
-introduce problems on some architectures.
-
-This patch incorporates the access_ok() check into
-compat_alloc_user_space() and also adds a sanity check on the length.
-The existing compat_alloc_user_space() implementations are renamed
-arch_compat_alloc_user_space() and are used as part of the
-implementation of the new global function.
-
-This patch assumes NULL will cause __get_user()/__put_user() to either
-fail or access userspace on all architectures.  This should be
-followed by checking the return value of compat_access_user_space()
-for NULL in the callers, at which time the access_ok() in the callers
-can also be removed.
-
-Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-Acked-by: Chris Metcalf <cmetcalf@tilera.com>
-Acked-by: David S. Miller <davem@davemloft.net>
-Acked-by: Ingo Molnar <mingo@elte.hu>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Tony Luck <tony.luck@intel.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Fenghua Yu <fenghua.yu@intel.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
-Cc: Helge Deller <deller@gmx.de>
-Cc: James Bottomley <jejb@parisc-linux.org>
-Cc: Kyle McMartin <kyle@mcmartin.ca>
-Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Cc: Paul Mackerras <paulus@samba.org>
-Cc: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/ia64/include/asm/compat.h    |    2 +-
- arch/mips/include/asm/compat.h    |    2 +-
- arch/parisc/include/asm/compat.h  |    2 +-
- arch/powerpc/include/asm/compat.h |    2 +-
- arch/s390/include/asm/compat.h    |    2 +-
- arch/sparc/include/asm/compat.h   |    2 +-
- arch/x86/include/asm/compat.h     |    2 +-
- include/linux/compat.h            |    2 ++
- kernel/compat.c                   |   21 +++++++++++++++++++++
- 9 files changed, 30 insertions(+), 7 deletions(-)
-
---- a/arch/ia64/include/asm/compat.h
-+++ b/arch/ia64/include/asm/compat.h
-@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr)
- }
- static __inline__ void __user *
--compat_alloc_user_space (long len)
-+arch_compat_alloc_user_space (long len)
- {
-       struct pt_regs *regs = task_pt_regs(current);
-       return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
---- a/arch/mips/include/asm/compat.h
-+++ b/arch/mips/include/asm/compat.h
-@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compa
-       return (u32)(unsigned long)uptr;
- }
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
-       struct pt_regs *regs = (struct pt_regs *)
-               ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
---- a/arch/parisc/include/asm/compat.h
-+++ b/arch/parisc/include/asm/compat.h
-@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compa
-       return (u32)(unsigned long)uptr;
- }
--static __inline__ void __user *compat_alloc_user_space(long len)
-+static __inline__ void __user *arch_compat_alloc_user_space(long len)
- {
-       struct pt_regs *regs = &current->thread.regs;
-       return (void __user *)regs->gr[30];
---- a/arch/powerpc/include/asm/compat.h
-+++ b/arch/powerpc/include/asm/compat.h
-@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compa
-       return (u32)(unsigned long)uptr;
- }
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
-       struct pt_regs *regs = current->thread.regs;
-       unsigned long usp = regs->gpr[1];
---- a/arch/s390/include/asm/compat.h
-+++ b/arch/s390/include/asm/compat.h
-@@ -180,7 +180,7 @@ static inline int is_compat_task(void)
- #endif
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
-       unsigned long stack;
---- a/arch/sparc/include/asm/compat.h
-+++ b/arch/sparc/include/asm/compat.h
-@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compa
-       return (u32)(unsigned long)uptr;
- }
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
-       struct pt_regs *regs = current_thread_info()->kregs;
-       unsigned long usp = regs->u_regs[UREG_I6];
---- a/arch/x86/include/asm/compat.h
-+++ b/arch/x86/include/asm/compat.h
-@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compa
-       return (u32)(unsigned long)uptr;
- }
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
-       struct pt_regs *regs = task_pt_regs(current);
-       return (void __user *)regs->sp - len;
---- a/include/linux/compat.h
-+++ b/include/linux/compat.h
-@@ -353,5 +353,7 @@ asmlinkage long compat_sys_newfstatat(un
- asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename,
-                                 int flags, int mode);
-+extern void __user *compat_alloc_user_space(unsigned long len);
-+
- #endif /* CONFIG_COMPAT */
- #endif /* _LINUX_COMPAT_H */
---- a/kernel/compat.c
-+++ b/kernel/compat.c
-@@ -1136,3 +1136,24 @@ compat_sys_sysinfo(struct compat_sysinfo
-       return 0;
- }
-+
-+/*
-+ * Allocate user-space memory for the duration of a single system call,
-+ * in order to marshall parameters inside a compat thunk.
-+ */
-+void __user *compat_alloc_user_space(unsigned long len)
-+{
-+      void __user *ptr;
-+
-+      /* If len would occupy more than half of the entire compat space... */
-+      if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
-+              return NULL;
-+
-+      ptr = arch_compat_alloc_user_space(len);
-+
-+      if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
-+              return NULL;
-+
-+      return ptr;
-+}
-+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
diff --git a/queue-2.6.33/crypto-padlock-fix-aes-cbc-handling-on-odd-block-sized-input.patch b/queue-2.6.33/crypto-padlock-fix-aes-cbc-handling-on-odd-block-sized-input.patch
deleted file mode 100644 (file)
index 70d8b76..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From c054a076a1bd4731820a9c4d638b13d5c9bf5935 Mon Sep 17 00:00:00 2001
-From: Herbert Xu <herbert@gondor.apana.org.au>
-Date: Thu, 4 Nov 2010 14:38:39 -0400
-Subject: crypto: padlock - Fix AES-CBC handling on odd-block-sized input
-
-From: Herbert Xu <herbert@gondor.apana.org.au>
-
-commit c054a076a1bd4731820a9c4d638b13d5c9bf5935 upstream.
-
-On certain VIA chipsets AES-CBC requires the input/output to be
-a multiple of 64 bytes.  We had a workaround for this but it was
-buggy as it sent the whole input for processing when it is meant
-to only send the initial number of blocks which makes the rest
-a multiple of 64 bytes.
-
-As expected this causes memory corruption whenever the workaround
-kicks in.
-
-Reported-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/crypto/padlock-aes.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/crypto/padlock-aes.c
-+++ b/drivers/crypto/padlock-aes.c
-@@ -285,7 +285,7 @@ static inline u8 *padlock_xcrypt_cbc(con
-       if (initial)
-               asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
-                             : "+S" (input), "+D" (output), "+a" (iv)
--                            : "d" (control_word), "b" (key), "c" (count));
-+                            : "d" (control_word), "b" (key), "c" (initial));
-       asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
-                     : "+S" (input), "+D" (output), "+a" (iv)
diff --git a/queue-2.6.33/de-pessimize-rds_page_copy_user.patch b/queue-2.6.33/de-pessimize-rds_page_copy_user.patch
deleted file mode 100644 (file)
index 143b006..0000000
+++ /dev/null
@@ -1,78 +0,0 @@
-From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Fri, 15 Oct 2010 11:09:28 -0700
-Subject: De-pessimize rds_page_copy_user
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream.
-
-Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
-the unsafe atomic user mode accessor functions.  It's actually slower
-than the straightforward code on any reasonable modern CPU.
-
-Back when the code was written (although probably not by the time it was
-actually merged, though), 32-bit x86 may have been the dominant
-architecture.  And there kmap_atomic() can be a lot faster than kmap()
-(unless you have very good locality, in which case the virtual address
-caching by kmap() can overcome all the downsides).
-
-But these days, x86-64 may not be more populous, but it's getting there
-(and if you care about performance, it's definitely already there -
-you'd have upgraded your CPU's already in the last few years).  And on
-x86-64, the non-kmap_atomic() version is faster, simply because the code
-is simpler and doesn't have the "re-try page fault" case.
-
-People with old hardware are not likely to care about RDS anyway, and
-the optimization for the 32-bit case is simply buggy, since it doesn't
-verify the user addresses properly.
-
-Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Acked-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/rds/page.c |   27 +++++++--------------------
- 1 file changed, 7 insertions(+), 20 deletions(-)
-
---- a/net/rds/page.c
-+++ b/net/rds/page.c
-@@ -56,30 +56,17 @@ int rds_page_copy_user(struct page *page
-       unsigned long ret;
-       void *addr;
--      if (to_user)
-+      addr = kmap(page);
-+      if (to_user) {
-               rds_stats_add(s_copy_to_user, bytes);
--      else
-+              ret = copy_to_user(ptr, addr + offset, bytes);
-+      } else {
-               rds_stats_add(s_copy_from_user, bytes);
--
--      addr = kmap_atomic(page, KM_USER0);
--      if (to_user)
--              ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
--      else
--              ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
--      kunmap_atomic(addr, KM_USER0);
--
--      if (ret) {
--              addr = kmap(page);
--              if (to_user)
--                      ret = copy_to_user(ptr, addr + offset, bytes);
--              else
--                      ret = copy_from_user(addr + offset, ptr, bytes);
--              kunmap(page);
--              if (ret)
--                      return -EFAULT;
-+              ret = copy_from_user(addr + offset, ptr, bytes);
-       }
-+      kunmap(page);
--      return 0;
-+      return ret ? -EFAULT : 0;
- }
- EXPORT_SYMBOL_GPL(rds_page_copy_user);
diff --git a/queue-2.6.33/decnet-don-t-leak-uninitialized-stack-byte.patch b/queue-2.6.33/decnet-don-t-leak-uninitialized-stack-byte.patch
deleted file mode 100644 (file)
index 9187ded..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-From 3c6f27bf33052ea6ba9d82369fb460726fb779c0 Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Tue, 23 Nov 2010 11:02:13 +0000
-Subject: DECnet: don't leak uninitialized stack byte
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.
-
-A single uninitialized padding byte is leaked to userspace.
-
-Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/decnet/af_decnet.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/decnet/af_decnet.c
-+++ b/net/decnet/af_decnet.c
-@@ -1556,6 +1556,8 @@ static int __dn_getsockopt(struct socket
-                       if (r_len > sizeof(struct linkinfo_dn))
-                               r_len = sizeof(struct linkinfo_dn);
-+                      memset(&link, 0, sizeof(link));
-+
-                       switch(sock->state) {
-                               case SS_CONNECTING:
-                                       link.idn_linkstate = LL_CONNECTING;
diff --git a/queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch b/queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch
deleted file mode 100644 (file)
index 7b111f3..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001
-From: Simon Guinot <sguinot@lacie.com>
-Date: Fri, 17 Sep 2010 23:33:51 +0200
-Subject: dmaengine: fix interrupt clearing for mv_xor
-
-From: Simon Guinot <sguinot@lacie.com>
-
-commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream.
-
-When using simultaneously the two DMA channels on a same engine, some
-transfers are never completed. For example, an endless lock can occur
-while writing heavily on a RAID5 array (with async-tx offload support
-enabled).
-
-Note that this issue can also be reproduced by using the DMA test
-client.
-
-On a same engine, the interrupt cause register is shared between two
-DMA channels. This patch make sure that the cause bit is only cleared
-for the requested channel.
-
-Signed-off-by: Simon Guinot <sguinot@lacie.com>
-Tested-by: Luc Saillard <luc@saillard.org>
-Acked-by: saeed bishara <saeed.bishara@gmail.com>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/dma/mv_xor.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/dma/mv_xor.c
-+++ b/drivers/dma/mv_xor.c
-@@ -161,7 +161,7 @@ static int mv_is_err_intr(u32 intr_cause
- static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan)
- {
--      u32 val = (1 << (1 + (chan->idx * 16)));
-+      u32 val = ~(1 << (chan->idx * 16));
-       dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val);
-       __raw_writel(val, XOR_INTR_CAUSE(chan));
- }
diff --git a/queue-2.6.33/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch b/queue-2.6.33/do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
deleted file mode 100644 (file)
index a01046c..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-From 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 Mon Sep 17 00:00:00 2001
-From: Nelson Elhage <nelhage@ksplice.com>
-Date: Thu, 2 Dec 2010 14:31:21 -0800
-Subject: do_exit(): make sure that we run with get_fs() == USER_DS
-
-From: Nelson Elhage <nelhage@ksplice.com>
-
-commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.
-
-If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
-otherwise reset before do_exit().  do_exit may later (via mm_release in
-fork.c) do a put_user to a user-controlled address, potentially allowing
-a user to leverage an oops into a controlled write into kernel memory.
-
-This is only triggerable in the presence of another bug, but this
-potentially turns a lot of DoS bugs into privilege escalations, so it's
-worth fixing.  I have proof-of-concept code which uses this bug along
-with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
-I've tested that this is not theoretical.
-
-A more logical place to put this fix might be when we know an oops has
-occurred, before we call do_exit(), but that would involve changing
-every architecture, in multiple places.
-
-Let's just stick it in do_exit instead.
-
-[akpm@linux-foundation.org: update code comment]
-Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
-Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/exit.c |    9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -903,6 +903,15 @@ NORET_TYPE void do_exit(long code)
-       if (unlikely(!tsk->pid))
-               panic("Attempted to kill the idle task!");
-+      /*
-+       * If do_exit is called because this processes oopsed, it's possible
-+       * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
-+       * continuing. Amongst other possible reasons, this is to prevent
-+       * mm_release()->clear_child_tid() from writing to a user-controlled
-+       * kernel address.
-+       */
-+      set_fs(USER_DS);
-+
-       tracehook_report_exit(&code);
-       validate_creds_for_do_exit(tsk);
diff --git a/queue-2.6.33/drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch b/queue-2.6.33/drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch
deleted file mode 100644 (file)
index 1395336..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-From 1e0ad2881d50becaeea70ec696a80afeadf944d2 Mon Sep 17 00:00:00 2001
-From: Graham Gower <graham.gower@gmail.com>
-Date: Wed, 27 Oct 2010 15:33:00 -0700
-Subject: drivers/char/vt_ioctl.c: fix VT_OPENQRY error value
-
-From: Graham Gower <graham.gower@gmail.com>
-
-commit 1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream.
-
-When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before
-returning it to userspace as an int.  VT255 is not the next available
-console.
-
-Signed-off-by: Graham Gower <graham.gower@gmail.com>
-Cc: Greg KH <greg@kroah.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/vt_ioctl.c |   11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/drivers/char/vt_ioctl.c
-+++ b/drivers/char/vt_ioctl.c
-@@ -503,6 +503,7 @@ int vt_ioctl(struct tty_struct *tty, str
-       struct kbd_struct * kbd;
-       unsigned int console;
-       unsigned char ucval;
-+      unsigned int uival;
-       void __user *up = (void __user *)arg;
-       int i, perm;
-       int ret = 0;
-@@ -657,7 +658,7 @@ int vt_ioctl(struct tty_struct *tty, str
-               break;
-       case KDGETMODE:
--              ucval = vc->vc_mode;
-+              uival = vc->vc_mode;
-               goto setint;
-       case KDMAPDISP:
-@@ -695,7 +696,7 @@ int vt_ioctl(struct tty_struct *tty, str
-               break;
-       case KDGKBMODE:
--              ucval = ((kbd->kbdmode == VC_RAW) ? K_RAW :
-+              uival = ((kbd->kbdmode == VC_RAW) ? K_RAW :
-                                (kbd->kbdmode == VC_MEDIUMRAW) ? K_MEDIUMRAW :
-                                (kbd->kbdmode == VC_UNICODE) ? K_UNICODE :
-                                K_XLATE);
-@@ -717,9 +718,9 @@ int vt_ioctl(struct tty_struct *tty, str
-               break;
-       case KDGKBMETA:
--              ucval = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT);
-+              uival = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT);
-       setint:
--              ret = put_user(ucval, (int __user *)arg);
-+              ret = put_user(uival, (int __user *)arg);
-               break;
-       case KDGETKEYCODE:
-@@ -949,7 +950,7 @@ int vt_ioctl(struct tty_struct *tty, str
-               for (i = 0; i < MAX_NR_CONSOLES; ++i)
-                       if (! VT_IS_IN_USE(i))
-                               break;
--              ucval = i < MAX_NR_CONSOLES ? (i+1) : -1;
-+              uival = i < MAX_NR_CONSOLES ? (i+1) : -1;
-               goto setint;             
-       /*
diff --git a/queue-2.6.33/drivers-net-wireless-p54-eeprom.c-return-enomem-on-memory-allocation-failure.patch b/queue-2.6.33/drivers-net-wireless-p54-eeprom.c-return-enomem-on-memory-allocation-failure.patch
deleted file mode 100644 (file)
index 680c327..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-From 0d91f22b75347d9503b17a42b6c74d3f7750acd6 Mon Sep 17 00:00:00 2001
-From: Julia Lawall <julia@diku.dk>
-Date: Fri, 15 Oct 2010 15:00:06 +0200
-Subject: drivers/net/wireless/p54/eeprom.c: Return -ENOMEM on memory allocation failure
-
-From: Julia Lawall <julia@diku.dk>
-
-commit 0d91f22b75347d9503b17a42b6c74d3f7750acd6 upstream.
-
-In this code, 0 is returned on memory allocation failure, even though other
-failures return -ENOMEM or other similar values.
-
-A simplified version of the semantic match that finds this problem is as
-follows: (http://coccinelle.lip6.fr/)
-
-// <smpl>
-@@
-expression ret;
-expression x,e1,e2,e3;
-@@
-
-ret = 0
-... when != ret = e1
-*x = \(kmalloc\|kcalloc\|kzalloc\)(...)
-... when != ret = e2
-if (x == NULL) { ... when != ret = e3
-  return ret;
-}
-// </smpl>
-
-Signed-off-by: Julia Lawall <julia@diku.dk>
-Acked-by: Christian Lamparter <chunkeey@googlemail.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/wireless/p54/eeprom.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/net/wireless/p54/eeprom.c
-+++ b/drivers/net/wireless/p54/eeprom.c
-@@ -261,8 +261,10 @@ static int p54_generate_channel_lists(st
-       list->max_entries = max_channel_num;
-       list->channels = kzalloc(sizeof(struct p54_channel_entry) *
-                                max_channel_num, GFP_KERNEL);
--      if (!list->channels)
-+      if (!list->channels) {
-+              ret = -ENOMEM;
-               goto free;
-+      }
-       for (i = 0; i < max_channel_num; i++) {
-               if (i < priv->iq_autocal_len) {
diff --git a/queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch b/queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch
deleted file mode 100644 (file)
index 7a1439a..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001
-From: Dave Airlie <airlied@redhat.com>
-Date: Sat, 25 Sep 2010 17:45:50 +1000
-Subject: drm/radeon: fix PCI ID 5657 to be an RV410
-
-From: Dave Airlie <airlied@redhat.com>
-
-commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream.
-
-fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012
-
-Signed-off-by: Dave Airlie <airlied@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- include/drm/drm_pciids.h |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/include/drm/drm_pciids.h
-+++ b/include/drm/drm_pciids.h
-@@ -85,7 +85,6 @@
-       {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
-       {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
-       {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
--      {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \
-       {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
-       {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
-       {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
-@@ -103,6 +102,7 @@
-       {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
-       {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
-       {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
-+      {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \
-       {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \
-       {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \
-       {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \
diff --git a/queue-2.6.33/drm-ttm-clear-the-ghost-cpu_writers-flag-on-ttm_buffer_object_transfer.patch b/queue-2.6.33/drm-ttm-clear-the-ghost-cpu_writers-flag-on-ttm_buffer_object_transfer.patch
deleted file mode 100644 (file)
index 5413a63..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0fbecd400dd0a82d465b3086f209681e8c54cb0f Mon Sep 17 00:00:00 2001
-From: Francisco Jerez <currojerez@riseup.net>
-Date: Tue, 21 Sep 2010 02:15:15 +0200
-Subject: drm/ttm: Clear the ghost cpu_writers flag on ttm_buffer_object_transfer.
-
-From: Francisco Jerez <currojerez@riseup.net>
-
-commit 0fbecd400dd0a82d465b3086f209681e8c54cb0f upstream.
-
-It makes sense for a BO to move after a process has requested
-exclusive RW access on it (e.g. because the BO used to be located in
-unmappable VRAM and we intercepted the CPU access from the fault
-handler).
-
-If we let the ghost object inherit cpu_writers from the original
-object, ttm_bo_release_list() will raise a kernel BUG when the ghost
-object is destroyed. This can be reproduced with the nouveau driver on
-nv5x.
-
-Reported-by: Marcin Slusarz <marcin.slusarz@gmail.com>
-Reviewed-by: Jerome Glisse <jglisse@redhat.com>
-Tested-by: Marcin Slusarz <marcin.slusarz@gmail.com>
-Signed-off-by: Francisco Jerez <currojerez@riseup.net>
-Signed-off-by: Dave Airlie <airlied@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/gpu/drm/ttm/ttm_bo_util.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/gpu/drm/ttm/ttm_bo_util.c
-+++ b/drivers/gpu/drm/ttm/ttm_bo_util.c
-@@ -326,6 +326,7 @@ static int ttm_buffer_object_transfer(st
-       INIT_LIST_HEAD(&fbo->lru);
-       INIT_LIST_HEAD(&fbo->swap);
-       fbo->vm_node = NULL;
-+      atomic_set(&fbo->cpu_writers, 0);
-       fbo->sync_obj = driver->sync_obj_ref(bo->sync_obj);
-       if (fbo->mem.mm_node)
diff --git a/queue-2.6.33/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch b/queue-2.6.33/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
deleted file mode 100644 (file)
index f10edc1..0000000
+++ /dev/null
@@ -1,62 +0,0 @@
-From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
-From: Phil Blundell <philb@gnu.org>
-Date: Wed, 24 Nov 2010 11:49:19 -0800
-Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
-
-From: Phil Blundell <philb@gnu.org>
-
-commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
-
-Later parts of econet_sendmsg() rely on saddr != NULL, so return early
-with EINVAL if NULL was passed otherwise an oops may occur.
-
-Signed-off-by: Phil Blundell <philb@gnu.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/econet/af_econet.c |   26 ++++++++------------------
- 1 file changed, 8 insertions(+), 18 deletions(-)
-
---- a/net/econet/af_econet.c
-+++ b/net/econet/af_econet.c
-@@ -296,23 +296,14 @@ static int econet_sendmsg(struct kiocb *
-       mutex_lock(&econet_mutex);
--      if (saddr == NULL) {
--              struct econet_sock *eo = ec_sk(sk);
--
--              addr.station = eo->station;
--              addr.net     = eo->net;
--              port         = eo->port;
--              cb           = eo->cb;
--      } else {
--              if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
--                      mutex_unlock(&econet_mutex);
--                      return -EINVAL;
--              }
--              addr.station = saddr->addr.station;
--              addr.net = saddr->addr.net;
--              port = saddr->port;
--              cb = saddr->cb;
--      }
-+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-+                mutex_unlock(&econet_mutex);
-+                return -EINVAL;
-+        }
-+        addr.station = saddr->addr.station;
-+        addr.net = saddr->addr.net;
-+        port = saddr->port;
-+        cb = saddr->cb;
-       /* Look for a device with the right network number. */
-       dev = net2dev_map[addr.net];
-@@ -350,7 +341,6 @@ static int econet_sendmsg(struct kiocb *
-               eb = (struct ec_cb *)&skb->cb;
--              /* BUG: saddr may be NULL */
-               eb->cookie = saddr->cookie;
-               eb->sec = *saddr;
-               eb->sent = ec_tx_done;
diff --git a/queue-2.6.33/econet-fix-cve-2010-3848.patch b/queue-2.6.33/econet-fix-cve-2010-3848.patch
deleted file mode 100644 (file)
index 7e55682..0000000
+++ /dev/null
@@ -1,154 +0,0 @@
-From a27e13d370415add3487949c60810e36069a23a6 Mon Sep 17 00:00:00 2001
-From: Phil Blundell <philb@gnu.org>
-Date: Wed, 24 Nov 2010 11:51:47 -0800
-Subject: econet: fix CVE-2010-3848
-
-From: Phil Blundell <philb@gnu.org>
-
-commit a27e13d370415add3487949c60810e36069a23a6 upstream.
-
-Don't declare variable sized array of iovecs on the stack since this
-could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
-the user-supplied data into a new buffer and use a single iovec for it.
-
-Signed-off-by: Phil Blundell <philb@gnu.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/econet/af_econet.c |   62 ++++++++++++++++++++++++-------------------------
- 1 file changed, 31 insertions(+), 31 deletions(-)
-
---- a/net/econet/af_econet.c
-+++ b/net/econet/af_econet.c
-@@ -30,6 +30,7 @@
- #include <linux/wireless.h>
- #include <linux/skbuff.h>
- #include <linux/udp.h>
-+#include <linux/vmalloc.h>
- #include <net/sock.h>
- #include <net/inet_common.h>
- #include <linux/stat.h>
-@@ -275,12 +276,12 @@ static int econet_sendmsg(struct kiocb *
- #endif
- #ifdef CONFIG_ECONET_AUNUDP
-       struct msghdr udpmsg;
--      struct iovec iov[msg->msg_iovlen+1];
-+      struct iovec iov[2];
-       struct aunhdr ah;
-       struct sockaddr_in udpdest;
-       __kernel_size_t size;
--      int i;
-       mm_segment_t oldfs;
-+      char *userbuf;
- #endif
-       /*
-@@ -318,17 +319,17 @@ static int econet_sendmsg(struct kiocb *
-               }
-       }
--      if (len + 15 > dev->mtu) {
--              mutex_unlock(&econet_mutex);
--              return -EMSGSIZE;
--      }
--
-       if (dev->type == ARPHRD_ECONET) {
-               /* Real hardware Econet.  We're not worthy etc. */
- #ifdef CONFIG_ECONET_NATIVE
-               unsigned short proto = 0;
-               int res;
-+              if (len + 15 > dev->mtu) {
-+                      mutex_unlock(&econet_mutex);
-+                      return -EMSGSIZE;
-+              }
-+
-               dev_hold(dev);
-               skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
-@@ -404,6 +405,11 @@ static int econet_sendmsg(struct kiocb *
-               return -ENETDOWN;               /* No socket - can't send */
-       }
-+      if (len > 32768) {
-+              err = -E2BIG;
-+              goto error;
-+      }
-+
-       /* Make up a UDP datagram and hand it off to some higher intellect. */
-       memset(&udpdest, 0, sizeof(udpdest));
-@@ -435,36 +441,26 @@ static int econet_sendmsg(struct kiocb *
-       /* tack our header on the front of the iovec */
-       size = sizeof(struct aunhdr);
--      /*
--       * XXX: that is b0rken.  We can't mix userland and kernel pointers
--       * in iovec, since on a lot of platforms copy_from_user() will
--       * *not* work with the kernel and userland ones at the same time,
--       * regardless of what we do with set_fs().  And we are talking about
--       * econet-over-ethernet here, so "it's only ARM anyway" doesn't
--       * apply.  Any suggestions on fixing that code?         -- AV
--       */
-       iov[0].iov_base = (void *)&ah;
-       iov[0].iov_len = size;
--      for (i = 0; i < msg->msg_iovlen; i++) {
--              void __user *base = msg->msg_iov[i].iov_base;
--              size_t iov_len = msg->msg_iov[i].iov_len;
--              /* Check it now since we switch to KERNEL_DS later. */
--              if (!access_ok(VERIFY_READ, base, iov_len)) {
--                      mutex_unlock(&econet_mutex);
--                      return -EFAULT;
--              }
--              iov[i+1].iov_base = base;
--              iov[i+1].iov_len = iov_len;
--              size += iov_len;
-+
-+      userbuf = vmalloc(len);
-+      if (userbuf == NULL) {
-+              err = -ENOMEM;
-+              goto error;
-       }
-+      iov[1].iov_base = userbuf;
-+      iov[1].iov_len = len;
-+      err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
-+      if (err)
-+              goto error_free_buf;
-+
-       /* Get a skbuff (no data, just holds our cb information) */
-       if ((skb = sock_alloc_send_skb(sk, 0,
-                                      msg->msg_flags & MSG_DONTWAIT,
--                                     &err)) == NULL) {
--              mutex_unlock(&econet_mutex);
--              return err;
--      }
-+                                     &err)) == NULL)
-+              goto error_free_buf;
-       eb = (struct ec_cb *)&skb->cb;
-@@ -480,7 +476,7 @@ static int econet_sendmsg(struct kiocb *
-       udpmsg.msg_name = (void *)&udpdest;
-       udpmsg.msg_namelen = sizeof(udpdest);
-       udpmsg.msg_iov = &iov[0];
--      udpmsg.msg_iovlen = msg->msg_iovlen + 1;
-+      udpmsg.msg_iovlen = 2;
-       udpmsg.msg_control = NULL;
-       udpmsg.msg_controllen = 0;
-       udpmsg.msg_flags=0;
-@@ -488,9 +484,13 @@ static int econet_sendmsg(struct kiocb *
-       oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
-       err = sock_sendmsg(udpsock, &udpmsg, size);
-       set_fs(oldfs);
-+
-+error_free_buf:
-+      vfree(userbuf);
- #else
-       err = -EPROTOTYPE;
- #endif
-+      error:
-       mutex_unlock(&econet_mutex);
-       return err;
diff --git a/queue-2.6.33/econet-fix-cve-2010-3850.patch b/queue-2.6.33/econet-fix-cve-2010-3850.patch
deleted file mode 100644 (file)
index 24da257..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 16c41745c7b92a243d0874f534c1655196c64b74 Mon Sep 17 00:00:00 2001
-From: Phil Blundell <philb@gnu.org>
-Date: Wed, 24 Nov 2010 11:49:53 -0800
-Subject: econet: fix CVE-2010-3850
-
-From: Phil Blundell <philb@gnu.org>
-
-commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
-
-Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
-
-Signed-off-by: Phil Blundell <philb@gnu.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/econet/af_econet.c |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/econet/af_econet.c
-+++ b/net/econet/af_econet.c
-@@ -660,6 +660,9 @@ static int ec_dev_ioctl(struct socket *s
-       err = 0;
-       switch (cmd) {
-       case SIOCSIFADDR:
-+              if (!capable(CAP_NET_ADMIN))
-+                      return -EPERM;
-+
-               edev = dev->ec_ptr;
-               if (edev == NULL) {
-                       /* Magic up a new one. */
diff --git a/queue-2.6.33/ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch b/queue-2.6.33/ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch
deleted file mode 100644 (file)
index 801adda..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 Mon Sep 17 00:00:00 2001
-From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
-Date: Thu, 23 Sep 2010 02:35:04 -0500
-Subject: eCryptfs: Clear LOOKUP_OPEN flag when creating lower file
-
-From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
-
-commit 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream.
-
-eCryptfs was passing the LOOKUP_OPEN flag through to the lower file
-system, even though ecryptfs_create() doesn't support the flag. A valid
-filp for the lower filesystem could be returned in the nameidata if the
-lower file system's create() function supported LOOKUP_OPEN, possibly
-resulting in unencrypted writes to the lower file.
-
-However, this is only a potential problem in filesystems (FUSE, NFS,
-CIFS, CEPH, 9p) that eCryptfs isn't known to support today.
-
-https://bugs.launchpad.net/ecryptfs/+bug/641703
-
-Reported-by: Kevin Buhr
-Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/ecryptfs/inode.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/fs/ecryptfs/inode.c
-+++ b/fs/ecryptfs/inode.c
-@@ -69,15 +69,19 @@ ecryptfs_create_underlying_file(struct i
-       struct vfsmount *lower_mnt = ecryptfs_dentry_to_lower_mnt(dentry);
-       struct dentry *dentry_save;
-       struct vfsmount *vfsmount_save;
-+      unsigned int flags_save;
-       int rc;
-       dentry_save = nd->path.dentry;
-       vfsmount_save = nd->path.mnt;
-+      flags_save = nd->flags;
-       nd->path.dentry = lower_dentry;
-       nd->path.mnt = lower_mnt;
-+      nd->flags &= ~LOOKUP_OPEN;
-       rc = vfs_create(lower_dir_inode, lower_dentry, mode, nd);
-       nd->path.dentry = dentry_save;
-       nd->path.mnt = vfsmount_save;
-+      nd->flags = flags_save;
-       return rc;
- }
diff --git a/queue-2.6.33/efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch b/queue-2.6.33/efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch
deleted file mode 100644 (file)
index 33d6645..0000000
+++ /dev/null
@@ -1,141 +0,0 @@
-From 85a00d9bbfb4704fbf368944b1cb9fed8f1598c5 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 22 Sep 2010 13:05:04 -0700
-Subject: efifb: check that the base address is plausible on pci systems
-
-From: Peter Jones <pjones@redhat.com>
-
-commit 85a00d9bbfb4704fbf368944b1cb9fed8f1598c5 upstream.
-
-Some Apple machines have identical DMI data but different memory
-configurations for the video.  Given that, check that the address in our
-table is actually within the range of a PCI BAR on a VGA device in the
-machine.
-
-This also fixes up the return value from set_system(), which has always
-been wrong, but never resulted in bad behavior since there's only ever
-been one matching entry in the dmi table.
-
-The patch
-
-1) stops people's machines from crashing when we get their display wrong,
-   which seems to be unfortunately inevitable,
-
-2) allows us to support identical dmi data with differing video memory
-   configurations
-
-This also adds me as the efifb maintainer, since I've effectively been
-acting as such for quite some time.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: maximilian attems <max@stro.at>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- MAINTAINERS           |    6 ++++
- drivers/video/efifb.c |   61 ++++++++++++++++++++++++++++++++++++++++----------
- 2 files changed, 55 insertions(+), 12 deletions(-)
-
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -2032,6 +2032,12 @@ W:      http://acpi4asus.sf.net
- S:    Maintained
- F:    drivers/platform/x86/eeepc-laptop.c
-+EFIFB FRAMEBUFFER DRIVER
-+L:    linux-fbdev@vger.kernel.org
-+M:    Peter Jones <pjones@redhat.com>
-+S:    Maintained
-+F:    drivers/video/efifb.c
-+
- EFS FILESYSTEM
- W:    http://aeschi.ch.eu.org/efs/
- S:    Orphan
---- a/drivers/video/efifb.c
-+++ b/drivers/video/efifb.c
-@@ -13,7 +13,7 @@
- #include <linux/platform_device.h>
- #include <linux/screen_info.h>
- #include <linux/dmi.h>
--
-+#include <linux/pci.h>
- #include <video/vga.h>
- static struct fb_var_screeninfo efifb_defined __initdata = {
-@@ -113,7 +113,7 @@ static int set_system(const struct dmi_s
- {
-       struct efifb_dmi_info *info = id->driver_data;
-       if (info->base == 0)
--              return -ENODEV;
-+              return 0;
-       printk(KERN_INFO "efifb: dmi detected %s - framebuffer at %p "
-                        "(%dx%d, stride %d)\n", id->ident,
-@@ -121,18 +121,55 @@ static int set_system(const struct dmi_s
-                        info->stride);
-       /* Trust the bootloader over the DMI tables */
--      if (screen_info.lfb_base == 0)
-+      if (screen_info.lfb_base == 0) {
-+#if defined(CONFIG_PCI)
-+              struct pci_dev *dev = NULL;
-+              int found_bar = 0;
-+#endif
-               screen_info.lfb_base = info->base;
--      if (screen_info.lfb_linelength == 0)
--              screen_info.lfb_linelength = info->stride;
--      if (screen_info.lfb_width == 0)
--              screen_info.lfb_width = info->width;
--      if (screen_info.lfb_height == 0)
--              screen_info.lfb_height = info->height;
--      if (screen_info.orig_video_isVGA == 0)
--              screen_info.orig_video_isVGA = VIDEO_TYPE_EFI;
--      return 0;
-+#if defined(CONFIG_PCI)
-+              /* make sure that the address in the table is actually on a
-+               * VGA device's PCI BAR */
-+
-+              for_each_pci_dev(dev) {
-+                      int i;
-+                      if ((dev->class >> 8) != PCI_CLASS_DISPLAY_VGA)
-+                              continue;
-+                      for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
-+                              resource_size_t start, end;
-+
-+                              start = pci_resource_start(dev, i);
-+                              if (start == 0)
-+                                      break;
-+                              end = pci_resource_end(dev, i);
-+                              if (screen_info.lfb_base >= start &&
-+                                              screen_info.lfb_base < end) {
-+                                      found_bar = 1;
-+                              }
-+                      }
-+              }
-+              if (!found_bar)
-+                      screen_info.lfb_base = 0;
-+#endif
-+      }
-+      if (screen_info.lfb_base) {
-+              if (screen_info.lfb_linelength == 0)
-+                      screen_info.lfb_linelength = info->stride;
-+              if (screen_info.lfb_width == 0)
-+                      screen_info.lfb_width = info->width;
-+              if (screen_info.lfb_height == 0)
-+                      screen_info.lfb_height = info->height;
-+              if (screen_info.orig_video_isVGA == 0)
-+                      screen_info.orig_video_isVGA = VIDEO_TYPE_EFI;
-+      } else {
-+              screen_info.lfb_linelength = 0;
-+              screen_info.lfb_width = 0;
-+              screen_info.lfb_height = 0;
-+              screen_info.orig_video_isVGA = 0;
-+              return 0;
-+      }
-+      return 1;
- }
- static int efifb_setcolreg(unsigned regno, unsigned red, unsigned green,
diff --git a/queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch b/queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch
deleted file mode 100644 (file)
index 2679509..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 7993bc1f4663c0db67bb8f0d98e6678145b387cd Mon Sep 17 00:00:00 2001
-From: Roland McGrath <roland@redhat.com>
-Date: Tue, 7 Sep 2010 19:36:28 -0700
-Subject: execve: improve interactivity with large arguments
-
-From: Roland McGrath <roland@redhat.com>
-
-commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream.
-
-This adds a preemption point during the copying of the argument and
-environment strings for execve, in copy_strings().  There is already
-a preemption point in the count() loop, so this doesn't add any new
-points in the abstract sense.
-
-When the total argument+environment strings are very large, the time
-spent copying them can be much more than a normal user time slice.
-So this change improves the interactivity of the rest of the system
-when one process is doing an execve with very large arguments.
-
-Signed-off-by: Roland McGrath <roland@redhat.com>
-Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Chuck Ebbert <cebbert@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/exec.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -418,6 +418,8 @@ static int copy_strings(int argc, char _
-               while (len > 0) {
-                       int offset, bytes_to_copy;
-+                      cond_resched();
-+
-                       offset = pos % PAGE_SIZE;
-                       if (offset == 0)
-                               offset = PAGE_SIZE;
diff --git a/queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch b/queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch
deleted file mode 100644 (file)
index 97f2978..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 Mon Sep 17 00:00:00 2001
-From: Roland McGrath <roland@redhat.com>
-Date: Tue, 7 Sep 2010 19:37:06 -0700
-Subject: execve: make responsive to SIGKILL with large arguments
-
-From: Roland McGrath <roland@redhat.com>
-
-commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream.
-
-An execve with a very large total of argument/environment strings
-can take a really long time in the execve system call.  It runs
-uninterruptibly to count and copy all the strings.  This change
-makes it abort the exec quickly if sent a SIGKILL.
-
-Note that this is the conservative change, to interrupt only for
-SIGKILL, by using fatal_signal_pending().  It would be perfectly
-correct semantics to let any signal interrupt the string-copying in
-execve, i.e. use signal_pending() instead of fatal_signal_pending().
-We'll save that change for later, since it could have user-visible
-consequences, such as having a timer set too quickly make it so that
-an execve can never complete, though it always happened to work before.
-
-Signed-off-by: Roland McGrath <roland@redhat.com>
-Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Cc: Chuck Ebbert <cebbert@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
----
- fs/exec.c |    7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -375,6 +375,9 @@ static int count(char __user * __user *
-                       argv++;
-                       if (i++ >= max)
-                               return -E2BIG;
-+
-+                      if (fatal_signal_pending(current))
-+                              return -ERESTARTNOHAND;
-                       cond_resched();
-               }
-       }
-@@ -418,6 +421,10 @@ static int copy_strings(int argc, char _
-               while (len > 0) {
-                       int offset, bytes_to_copy;
-+                      if (fatal_signal_pending(current)) {
-+                              ret = -ERESTARTNOHAND;
-+                              goto out;
-+                      }
-                       cond_resched();
-                       offset = pos % PAGE_SIZE;
diff --git a/queue-2.6.33/ext4-consolidate-in_range-definitions.patch b/queue-2.6.33/ext4-consolidate-in_range-definitions.patch
deleted file mode 100644 (file)
index b377e59..0000000
+++ /dev/null
@@ -1,79 +0,0 @@
-From 731eb1a03a8445cde2cb23ecfb3580c6fa7bb690 Mon Sep 17 00:00:00 2001
-From: Akinobu Mita <akinobu.mita@gmail.com>
-Date: Wed, 3 Mar 2010 23:55:01 -0500
-Subject: ext4: consolidate in_range() definitions
-
-From: Akinobu Mita <akinobu.mita@gmail.com>
-
-commit 731eb1a03a8445cde2cb23ecfb3580c6fa7bb690 upstream.
-
-There are duplicate macro definitions of in_range() in mballoc.h and
-balloc.c.  This consolidates these two definitions into ext4.h, and
-changes extents.c to use in_range() as well.
-
-Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
-Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
-Cc: Andreas Dilger <adilger@sun.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/ext4/balloc.c  |    3 ---
- fs/ext4/ext4.h    |    2 ++
- fs/ext4/extents.c |    4 ++--
- fs/ext4/mballoc.h |    2 --
- 4 files changed, 4 insertions(+), 7 deletions(-)
-
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -189,9 +189,6 @@ unsigned ext4_init_block_bitmap(struct s
-  * when a file system is mounted (see ext4_fill_super).
-  */
--
--#define in_range(b, first, len)       ((b) >= (first) && (b) <= (first) + (len) - 1)
--
- /**
-  * ext4_get_group_desc() -- load group descriptor from disk
-  * @sb:                       super block
---- a/fs/ext4/ext4.h
-+++ b/fs/ext4/ext4.h
-@@ -1773,6 +1773,8 @@ static inline void set_bitmap_uptodate(s
-       set_bit(BH_BITMAP_UPTODATE, &(bh)->b_state);
- }
-+#define in_range(b, first, len)       ((b) >= (first) && (b) <= (first) + (len) - 1)
-+
- #endif        /* __KERNEL__ */
- #endif        /* _EXT4_H */
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -1952,7 +1952,7 @@ ext4_ext_in_cache(struct inode *inode, e
-       BUG_ON(cex->ec_type != EXT4_EXT_CACHE_GAP &&
-                       cex->ec_type != EXT4_EXT_CACHE_EXTENT);
--      if (block >= cex->ec_block && block < cex->ec_block + cex->ec_len) {
-+      if (in_range(block, cex->ec_block, cex->ec_len)) {
-               ex->ee_block = cpu_to_le32(cex->ec_block);
-               ext4_ext_store_pblock(ex, cex->ec_start);
-               ex->ee_len = cpu_to_le16(cex->ec_len);
-@@ -3258,7 +3258,7 @@ int ext4_ext_get_blocks(handle_t *handle
-                */
-               ee_len = ext4_ext_get_actual_len(ex);
-               /* if found extent covers block, simply return it */
--              if (iblock >= ee_block && iblock < ee_block + ee_len) {
-+              if (in_range(iblock, ee_block, ee_len)) {
-                       newblock = iblock - ee_block + ee_start;
-                       /* number of remaining blocks in the extent */
-                       allocated = ee_len - (iblock - ee_block);
---- a/fs/ext4/mballoc.h
-+++ b/fs/ext4/mballoc.h
-@@ -220,8 +220,6 @@ struct ext4_buddy {
- #define EXT4_MB_BITMAP(e4b)   ((e4b)->bd_bitmap)
- #define EXT4_MB_BUDDY(e4b)    ((e4b)->bd_buddy)
--#define in_range(b, first, len)       ((b) >= (first) && (b) <= (first) + (len) - 1)
--
- static inline ext4_fsblk_t ext4_grp_offs_to_block(struct super_block *sb,
-                                       struct ext4_free_extent *fex)
- {
diff --git a/queue-2.6.33/ext4-prevent-creation-of-files-larger-than-rlimit_fsize-using-fallocate.patch b/queue-2.6.33/ext4-prevent-creation-of-files-larger-than-rlimit_fsize-using-fallocate.patch
deleted file mode 100644 (file)
index 2ea2ee2..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 6d19c42b7cf81c39632b6d4dbc514e8449bcd346 Mon Sep 17 00:00:00 2001
-From: Nikanth Karthikesan <knikanth@suse.de>
-Date: Sun, 16 May 2010 14:00:00 -0400
-Subject: ext4: Prevent creation of files larger than RLIMIT_FSIZE using fallocate
-
-From: Nikanth Karthikesan <knikanth@suse.de>
-
-commit 6d19c42b7cf81c39632b6d4dbc514e8449bcd346 upstream.
-
-Currently using posix_fallocate one can bypass an RLIMIT_FSIZE limit
-and create a file larger than the limit. Add a check for that.
-
-Signed-off-by: Nikanth Karthikesan <knikanth@suse.de>
-Signed-off-by: Amit Arora <aarora@in.ibm.com>
-Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/ext4/extents.c |    5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -3545,6 +3545,11 @@ long ext4_fallocate(struct inode *inode,
-        */
-       credits = ext4_chunk_trans_blocks(inode, max_blocks);
-       mutex_lock(&inode->i_mutex);
-+      ret = inode_newsize_ok(inode, (len + offset));
-+      if (ret) {
-+              mutex_unlock(&inode->i_mutex);
-+              return ret;
-+      }
- retry:
-       while (ret >= 0 && ret < max_blocks) {
-               block = block + ret;
diff --git a/queue-2.6.33/firewire-ohci-fix-buffer-overflow-in-ar-split-packet-handling.patch b/queue-2.6.33/firewire-ohci-fix-buffer-overflow-in-ar-split-packet-handling.patch
deleted file mode 100644 (file)
index 460f413..0000000
+++ /dev/null
@@ -1,87 +0,0 @@
-From 85f7ffd5d2b320f73912b15fe8cef34bae297daf Mon Sep 17 00:00:00 2001
-From: Clemens Ladisch <clemens@ladisch.de>
-Date: Mon, 25 Oct 2010 11:41:53 +0200
-Subject: firewire: ohci: fix buffer overflow in AR split packet handling
-
-From: Clemens Ladisch <clemens@ladisch.de>
-
-commit 85f7ffd5d2b320f73912b15fe8cef34bae297daf upstream.
-
-When the controller had to split a received asynchronous packet into two
-buffers, the driver tries to reassemble it by copying both parts into
-the first page.  However, if size + rest > PAGE_SIZE, i.e., if the yet
-unhandled packets before the split packet, the split packet itself, and
-any received packets after the split packet are together larger than one
-page, then the memory after the first page would get overwritten.
-
-To fix this, do not try to copy the data of all unhandled packets at
-once, but copy the possibly needed data every time when handling
-a packet.
-
-This gets rid of most of the infamous crashes and data corruptions when
-using firewire-net.
-
-Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
-Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
-Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (cast PAGE_SIZE to size_t)
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/firewire/ohci.c |   35 ++++++++++++++++++++++++++++++++---
- 1 file changed, 32 insertions(+), 3 deletions(-)
-
---- a/drivers/firewire/ohci.c
-+++ b/drivers/firewire/ohci.c
-@@ -628,7 +628,7 @@ static void ar_context_tasklet(unsigned
-       d = &ab->descriptor;
-       if (d->res_count == 0) {
--              size_t size, rest, offset;
-+              size_t size, size2, rest, pktsize, size3, offset;
-               dma_addr_t start_bus;
-               void *start;
-@@ -645,12 +645,41 @@ static void ar_context_tasklet(unsigned
-               ab = ab->next;
-               d = &ab->descriptor;
-               size = buffer + PAGE_SIZE - ctx->pointer;
-+              /* valid buffer data in the next page */
-               rest = le16_to_cpu(d->req_count) - le16_to_cpu(d->res_count);
-+              /* what actually fits in this page */
-+              size2 = min(rest, (size_t)PAGE_SIZE - size);
-               memmove(buffer, ctx->pointer, size);
--              memcpy(buffer + size, ab->data, rest);
-+              memcpy(buffer + size, ab->data, size2);
-               ctx->current_buffer = ab;
-               ctx->pointer = (void *) ab->data + rest;
--              end = buffer + size + rest;
-+
-+              while (size > 0) {
-+                      void *next = handle_ar_packet(ctx, buffer);
-+                      pktsize = next - buffer;
-+                      if (pktsize >= size) {
-+                              /*
-+                               * We have handled all the data that was
-+                               * originally in this page, so we can now
-+                               * continue in the next page.
-+                               */
-+                              buffer = next;
-+                              break;
-+                      }
-+                      /* move the next packet to the start of the buffer */
-+                      memmove(buffer, next, size + size2 - pktsize);
-+                      size -= pktsize;
-+                      /* fill up this page again */
-+                      size3 = min(rest - size2,
-+                                  (size_t)PAGE_SIZE - size - size2);
-+                      memcpy(buffer + size + size2,
-+                             (void *) ab->data + size2, size3);
-+                      size2 += size3;
-+              }
-+
-+              /* handle the packets that are fully in the next page */
-+              buffer = (void *) ab->data + (buffer - (start + size));
-+              end = (void *) ab->data + rest;
-               while (buffer < end)
-                       buffer = handle_ar_packet(ctx, buffer);
diff --git a/queue-2.6.33/firewire-ohci-fix-race-in-ar-split-packet-handling.patch b/queue-2.6.33/firewire-ohci-fix-race-in-ar-split-packet-handling.patch
deleted file mode 100644 (file)
index f2a4603..0000000
+++ /dev/null
@@ -1,103 +0,0 @@
-From a1f805e5e73a8fe166b71c6592d3837df0cd5e2e Mon Sep 17 00:00:00 2001
-From: Clemens Ladisch <clemens@ladisch.de>
-Date: Mon, 25 Oct 2010 11:42:20 +0200
-Subject: firewire: ohci: fix race in AR split packet handling
-
-From: Clemens Ladisch <clemens@ladisch.de>
-
-commit a1f805e5e73a8fe166b71c6592d3837df0cd5e2e upstream.
-
-When handling an AR buffer that has been completely filled, we assumed
-that its descriptor will not be read by the controller and can be
-overwritten.  However, when the last received packet happens to end at
-the end of the buffer, the controller might not yet have moved on to the
-next buffer and might read the branch address later.  If we overwrite
-and free the page before that, the DMA context will either go dead
-because of an invalid Z value, or go off into some random memory.
-
-To fix this, ensure that the descriptor does not get overwritten by
-using only the actual buffer instead of the entire page for reassembling
-the split packet.  Furthermore, to avoid freeing the page too early,
-move on to the next buffer only when some data in it guarantees that the
-controller has moved on.
-
-This should eliminate the remaining firewire-net problems.
-
-Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
-Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
-Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/firewire/ohci.c |   39 +++++++++++++++++++++++----------------
- 1 file changed, 23 insertions(+), 16 deletions(-)
-
---- a/drivers/firewire/ohci.c
-+++ b/drivers/firewire/ohci.c
-@@ -639,20 +639,19 @@ static void ar_context_tasklet(unsigned
-                */
-               offset = offsetof(struct ar_buffer, data);
--              start = buffer = ab;
-+              start = ab;
-               start_bus = le32_to_cpu(ab->descriptor.data_address) - offset;
-+              buffer = ab->data;
-               ab = ab->next;
-               d = &ab->descriptor;
--              size = buffer + PAGE_SIZE - ctx->pointer;
-+              size = start + PAGE_SIZE - ctx->pointer;
-               /* valid buffer data in the next page */
-               rest = le16_to_cpu(d->req_count) - le16_to_cpu(d->res_count);
-               /* what actually fits in this page */
--              size2 = min(rest, (size_t)PAGE_SIZE - size);
-+              size2 = min(rest, (size_t)PAGE_SIZE - offset - size);
-               memmove(buffer, ctx->pointer, size);
-               memcpy(buffer + size, ab->data, size2);
--              ctx->current_buffer = ab;
--              ctx->pointer = (void *) ab->data + rest;
-               while (size > 0) {
-                       void *next = handle_ar_packet(ctx, buffer);
-@@ -671,22 +670,30 @@ static void ar_context_tasklet(unsigned
-                       size -= pktsize;
-                       /* fill up this page again */
-                       size3 = min(rest - size2,
--                                  (size_t)PAGE_SIZE - size - size2);
-+                                  (size_t)PAGE_SIZE - offset - size - size2);
-                       memcpy(buffer + size + size2,
-                              (void *) ab->data + size2, size3);
-                       size2 += size3;
-               }
--              /* handle the packets that are fully in the next page */
--              buffer = (void *) ab->data + (buffer - (start + size));
--              end = (void *) ab->data + rest;
--
--              while (buffer < end)
--                      buffer = handle_ar_packet(ctx, buffer);
--
--              dma_free_coherent(ohci->card.device, PAGE_SIZE,
--                                start, start_bus);
--              ar_context_add_page(ctx);
-+              if (rest > 0) {
-+                      /* handle the packets that are fully in the next page */
-+                      buffer = (void *) ab->data +
-+                                      (buffer - (start + offset + size));
-+                      end = (void *) ab->data + rest;
-+
-+                      while (buffer < end)
-+                              buffer = handle_ar_packet(ctx, buffer);
-+
-+                      ctx->current_buffer = ab;
-+                      ctx->pointer = end;
-+
-+                      dma_free_coherent(ohci->card.device, PAGE_SIZE,
-+                                        start, start_bus);
-+                      ar_context_add_page(ctx);
-+              } else {
-+                      ctx->pointer = start + PAGE_SIZE;
-+              }
-       } else {
-               buffer = ctx->pointer;
-               ctx->pointer = end =
diff --git a/queue-2.6.33/fix-race-when-removing-scsi-devices.patch b/queue-2.6.33/fix-race-when-removing-scsi-devices.patch
deleted file mode 100644 (file)
index e831638..0000000
+++ /dev/null
@@ -1,81 +0,0 @@
-From 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <christof.schmitt@de.ibm.com>
-Date: Wed, 6 Oct 2010 13:19:44 +0200
-Subject: [SCSI] Fix race when removing SCSI devices
-
-From: Christof Schmitt <christof.schmitt@de.ibm.com>
-
-commit 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec upstream.
-
-Removing SCSI devices through
-echo 1 > /sys/bus/scsi/devices/ ... /delete
-
-while the FC transport class removes the SCSI target can lead to an
-oops:
-
-Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000
-Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
-Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipath scsi_dh dm_mod ipv6 qeth ccwgroup [last unloaded: scsi_wait_scan]
-CPU: 1 Not tainted 2.6.35.5-45.x.20100924-s390xdefault #1
-Process fc_wq_0 (pid: 861, task: 00000000b7331240, ksp: 00000000b735bac0)
-Krnl PSW : 0704200180000000 00000000003ff6e4 (__scsi_remove_device+0x24/0xd0)
-           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
-Krnl GPRS: 0000000000000001 0000000000000000 00000000b6815000 00000000bc24a8c0
-           00000000003ff7c8 000000000056dbb8 0000000000000002 0000000000835d80
-           ffffffff00000000 0000000000001000 00000000b6815000 00000000bc24a7f0
-           00000000b68151a0 00000000b6815000 00000000b735bc20 00000000b735bbf8
-Krnl Code: 00000000003ff6d6: a7840001            brc 8,3ff6d8
-           00000000003ff6da: a7fbffd8            aghi %r15,-40
-           00000000003ff6de: e3e0f0980024        stg %r14,152(%r15)
-          >00000000003ff6e4: e31021200004        lg %r1,288(%r2)
-           00000000003ff6ea: a71f0000            cghi    %r1,0
-           00000000003ff6ee: a7a40011            brc 10,3ff710
-           00000000003ff6f2: a7390003            lghi    %r3,3
-           00000000003ff6f6: c0e5ffffc8b1        brasl %r14,3f8858
-Call Trace:
-([<0000000000001000>] 0x1000)
- [<00000000003ff7d2>] scsi_remove_device+0x42/0x54
- [<00000000003ff8ba>] __scsi_remove_target+0xca/0xfc
- [<00000000003ff99a>] __remove_child+0x3a/0x48
- [<00000000003e3246>] device_for_each_child+0x72/0xbc
- [<00000000003ff93a>] scsi_remove_target+0x4e/0x74
- [<0000000000406586>] fc_rport_final_delete+0xb2/0x23c
- [<000000000015d080>] worker_thread+0x200/0x344
- [<000000000016330c>] kthread+0xa0/0xa8
- [<0000000000106c1a>] kernel_thread_starter+0x6/0xc
- [<0000000000106c14>] kernel_thread_starter+0x0/0xc
-INFO: lockdep is turned off.
-Last Breaking-Event-Address:
- [<00000000003ff7cc>] scsi_remove_device+0x3c/0x54
-
-The function __scsi_remove_target iterates through the SCSI devices on
-the host, but it drops the host_lock before calling
-scsi_remove_device. When the SCSI device is deleted from another
-thread, the pointer to the SCSI device in scsi_remove_device can
-become invalid. Fix this by getting a reference to the SCSI device
-before dropping the host_lock to keep the SCSI device alive for the
-call to scsi_remove_device.
-
-Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/scsi/scsi_sysfs.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_sysfs.c
-+++ b/drivers/scsi/scsi_sysfs.c
-@@ -992,10 +992,11 @@ static void __scsi_remove_target(struct
-       list_for_each_entry(sdev, &shost->__devices, siblings) {
-               if (sdev->channel != starget->channel ||
-                   sdev->id != starget->id ||
--                  sdev->sdev_state == SDEV_DEL)
-+                  scsi_device_get(sdev))
-                       continue;
-               spin_unlock_irqrestore(shost->host_lock, flags);
-               scsi_remove_device(sdev);
-+              scsi_device_put(sdev);
-               spin_lock_irqsave(shost->host_lock, flags);
-               goto restart;
-       }
diff --git a/queue-2.6.33/fix-regressions-in-scsi_internal_device_block.patch b/queue-2.6.33/fix-regressions-in-scsi_internal_device_block.patch
deleted file mode 100644 (file)
index a7cc102..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From 986fe6c7f50974e871b8ab5a800f5310ea25b361 Mon Sep 17 00:00:00 2001
-From: Mike Christie <michaelc@cs.wisc.edu>
-Date: Wed, 6 Oct 2010 03:10:59 -0500
-Subject: [SCSI] Fix regressions in scsi_internal_device_block
-
-From: Mike Christie <michaelc@cs.wisc.edu>
-
-commit 986fe6c7f50974e871b8ab5a800f5310ea25b361 upstream.
-
-Deleting a SCSI device on a blocked fc_remote_port (before
-fast_io_fail_tmo fires) results in a hanging thread:
-
-  STACK:
-  0 schedule+1108 [0x5cac48]
-  1 schedule_timeout+528 [0x5cb7fc]
-  2 wait_for_common+266 [0x5ca6be]
-  3 blk_execute_rq+160 [0x354054]
-  4 scsi_execute+324 [0x3b7ef4]
-  5 scsi_execute_req+162 [0x3b80ca]
-  6 sd_sync_cache+138 [0x3cf662]
-  7 sd_shutdown+138 [0x3cf91a]
-  8 sd_remove+112 [0x3cfe4c]
-  9 __device_release_driver+124 [0x3a08b8]
-10 device_release_driver+60 [0x3a0a5c]
-11 bus_remove_device+266 [0x39fa76]
-12 device_del+340 [0x39d818]
-13 __scsi_remove_device+204 [0x3bcc48]
-14 scsi_remove_device+66 [0x3bcc8e]
-15 sysfs_schedule_callback_work+50 [0x260d66]
-16 worker_thread+622 [0x162326]
-17 kthread+160 [0x1680b0]
-18 kernel_thread_starter+6 [0x10aaea]
-
-During the delete, the SCSI device is in moved to SDEV_CANCEL.  When
-the FC transport class later calls scsi_target_unblock, this has no
-effect, since scsi_internal_device_unblock ignores SCSI devics in this
-state.
-
-It looks like all these are regressions caused by:
-5c10e63c943b4c67561ddc6bf61e01d4141f881f
-[SCSI] limit state transitions in scsi_internal_device_unblock
-
-Fix by rejecting offline and cancel in the state transition.
-
-Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
-[jejb: Original patch by Christof Schmitt, modified by Mike Christie]
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/scsi/scsi_lib.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_lib.c
-+++ b/drivers/scsi/scsi_lib.c
-@@ -2436,7 +2436,8 @@ scsi_internal_device_unblock(struct scsi
-               sdev->sdev_state = SDEV_RUNNING;
-       else if (sdev->sdev_state == SDEV_CREATED_BLOCK)
-               sdev->sdev_state = SDEV_CREATED;
--      else
-+      else if (sdev->sdev_state != SDEV_CANCEL &&
-+               sdev->sdev_state != SDEV_OFFLINE)
-               return -EINVAL;
-       spin_lock_irqsave(q->queue_lock, flags);
diff --git a/queue-2.6.33/fuse-fix-attributes-after-open-o_trunc.patch b/queue-2.6.33/fuse-fix-attributes-after-open-o_trunc.patch
deleted file mode 100644 (file)
index 3e882a4..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-From a0822c55779d9319939eac69f00bb729ea9d23da Mon Sep 17 00:00:00 2001
-From: Ken Sumrall <ksumrall@android.com>
-Date: Wed, 24 Nov 2010 12:57:00 -0800
-Subject: fuse: fix attributes after open(O_TRUNC)
-
-From: Ken Sumrall <ksumrall@android.com>
-
-commit a0822c55779d9319939eac69f00bb729ea9d23da upstream.
-
-The attribute cache for a file was not being cleared when a file is opened
-with O_TRUNC.
-
-If the filesystem's open operation truncates the file ("atomic_o_trunc"
-feature flag is set) then the kernel should invalidate the cached st_mtime
-and st_ctime attributes.
-
-Also i_size should be explicitly be set to zero as it is used sometimes
-without refreshing the cache.
-
-Signed-off-by: Ken Sumrall <ksumrall@android.com>
-Cc: Anfei <anfei.zhou@gmail.com>
-Cc: "Anand V. Avati" <avati@gluster.com>
-Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/fuse/file.c |   10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -134,6 +134,7 @@ EXPORT_SYMBOL_GPL(fuse_do_open);
- void fuse_finish_open(struct inode *inode, struct file *file)
- {
-       struct fuse_file *ff = file->private_data;
-+      struct fuse_conn *fc = get_fuse_conn(inode);
-       if (ff->open_flags & FOPEN_DIRECT_IO)
-               file->f_op = &fuse_direct_io_file_operations;
-@@ -141,6 +142,15 @@ void fuse_finish_open(struct inode *inod
-               invalidate_inode_pages2(inode->i_mapping);
-       if (ff->open_flags & FOPEN_NONSEEKABLE)
-               nonseekable_open(inode, file);
-+      if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) {
-+              struct fuse_inode *fi = get_fuse_inode(inode);
-+
-+              spin_lock(&fc->lock);
-+              fi->attr_version = ++fc->attr_version;
-+              i_size_write(inode, 0);
-+              spin_unlock(&fc->lock);
-+              fuse_invalidate_attr(inode);
-+      }
- }
- int fuse_open_common(struct inode *inode, struct file *file, bool isdir)
diff --git a/queue-2.6.33/futex-fix-errors-in-nested-key-ref-counting.patch b/queue-2.6.33/futex-fix-errors-in-nested-key-ref-counting.patch
deleted file mode 100644 (file)
index 62e9bc4..0000000
+++ /dev/null
@@ -1,142 +0,0 @@
-From 7ada876a8703f23befbb20a7465a702ee39b1704 Mon Sep 17 00:00:00 2001
-From: Darren Hart <dvhart@linux.intel.com>
-Date: Sun, 17 Oct 2010 08:35:04 -0700
-Subject: futex: Fix errors in nested key ref-counting
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Darren Hart <dvhart@linux.intel.com>
-
-commit 7ada876a8703f23befbb20a7465a702ee39b1704 upstream.
-
-futex_wait() is leaking key references due to futex_wait_setup()
-acquiring an additional reference via the queue_lock() routine. The
-nested key ref-counting has been masking bugs and complicating code
-analysis. queue_lock() is only called with a previously ref-counted
-key, so remove the additional ref-counting from the queue_(un)lock()
-functions.
-
-Also futex_wait_requeue_pi() drops one key reference too many in
-unqueue_me_pi(). Remove the key reference handling from
-unqueue_me_pi(). This was paired with a queue_lock() in
-futex_lock_pi(), so the count remains unchanged.
-
-Document remaining nested key ref-counting sites.
-
-Signed-off-by: Darren Hart <dvhart@linux.intel.com>
-Reported-and-tested-by: Matthieu Fertré<matthieu.fertre@kerlabs.com>
-Reported-by: Louis Rilling<louis.rilling@kerlabs.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Eric Dumazet <eric.dumazet@gmail.com>
-Cc: John Kacur <jkacur@redhat.com>
-Cc: Rusty Russell <rusty@rustcorp.com.au>
-LKML-Reference: <4CBB17A8.70401@linux.intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/futex.c |   31 ++++++++++++++++---------------
- 1 file changed, 16 insertions(+), 15 deletions(-)
-
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -1363,7 +1363,6 @@ static inline struct futex_hash_bucket *
- {
-       struct futex_hash_bucket *hb;
--      get_futex_key_refs(&q->key);
-       hb = hash_futex(&q->key);
-       q->lock_ptr = &hb->lock;
-@@ -1375,7 +1374,6 @@ static inline void
- queue_unlock(struct futex_q *q, struct futex_hash_bucket *hb)
- {
-       spin_unlock(&hb->lock);
--      drop_futex_key_refs(&q->key);
- }
- /**
-@@ -1480,8 +1478,6 @@ static void unqueue_me_pi(struct futex_q
-       q->pi_state = NULL;
-       spin_unlock(q->lock_ptr);
--
--      drop_futex_key_refs(&q->key);
- }
- /*
-@@ -1812,7 +1808,10 @@ static int futex_wait(u32 __user *uaddr,
-       }
- retry:
--      /* Prepare to wait on uaddr. */
-+      /*
-+       * Prepare to wait on uaddr. On success, holds hb lock and increments
-+       * q.key refs.
-+       */
-       ret = futex_wait_setup(uaddr, val, fshared, &q, &hb);
-       if (ret)
-               goto out;
-@@ -1822,24 +1821,23 @@ retry:
-       /* If we were woken (and unqueued), we succeeded, whatever. */
-       ret = 0;
-+      /* unqueue_me() drops q.key ref */
-       if (!unqueue_me(&q))
--              goto out_put_key;
-+              goto out;
-       ret = -ETIMEDOUT;
-       if (to && !to->task)
--              goto out_put_key;
-+              goto out;
-       /*
-        * We expect signal_pending(current), but we might be the
-        * victim of a spurious wakeup as well.
-        */
--      if (!signal_pending(current)) {
--              put_futex_key(fshared, &q.key);
-+      if (!signal_pending(current))
-               goto retry;
--      }
-       ret = -ERESTARTSYS;
-       if (!abs_time)
--              goto out_put_key;
-+              goto out;
-       restart = &current_thread_info()->restart_block;
-       restart->fn = futex_wait_restart;
-@@ -1856,8 +1854,6 @@ retry:
-       ret = -ERESTART_RESTARTBLOCK;
--out_put_key:
--      put_futex_key(fshared, &q.key);
- out:
-       if (to) {
-               hrtimer_cancel(&to->timer);
-@@ -2236,7 +2232,10 @@ static int futex_wait_requeue_pi(u32 __u
-       q.rt_waiter = &rt_waiter;
-       q.requeue_pi_key = &key2;
--      /* Prepare to wait on uaddr. */
-+      /*
-+       * Prepare to wait on uaddr. On success, increments q.key (key1) ref
-+       * count.
-+       */
-       ret = futex_wait_setup(uaddr, val, fshared, &q, &hb);
-       if (ret)
-               goto out_key2;
-@@ -2254,7 +2253,9 @@ static int futex_wait_requeue_pi(u32 __u
-        * In order for us to be here, we know our q.key == key2, and since
-        * we took the hb->lock above, we also know that futex_requeue() has
-        * completed and we no longer have to concern ourselves with a wakeup
--       * race with the atomic proxy lock acquition by the requeue code.
-+       * race with the atomic proxy lock acquisition by the requeue code. The
-+       * futex_requeue dropped our key1 reference and incremented our key2
-+       * reference count.
-        */
-       /* Check if the requeue code acquired the second futex for us. */
diff --git a/queue-2.6.33/gdth-integer-overflow-in-ioctl.patch b/queue-2.6.33/gdth-integer-overflow-in-ioctl.patch
deleted file mode 100644 (file)
index 8224ada..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-From f63ae56e4e97fb12053590e41a4fa59e7daa74a4 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <error27@gmail.com>
-Date: Fri, 8 Oct 2010 09:03:07 +0200
-Subject: [SCSI] gdth: integer overflow in ioctl
-
-From: Dan Carpenter <error27@gmail.com>
-
-commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.
-
-gdth_ioctl_alloc() takes the size variable as an int.
-copy_from_user() takes the size variable as an unsigned long.
-gen.data_len and gen.sense_len are unsigned longs.
-On x86_64 longs are 64 bit and ints are 32 bit.
-
-We could pass in a very large number and the allocation would truncate
-the size to 32 bits and allocate a small buffer.  Then when we do the
-copy_from_user(), it would result in a memory corruption.
-
-Signed-off-by: Dan Carpenter <error27@gmail.com>
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/scsi/gdth.c |    8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/scsi/gdth.c
-+++ b/drivers/scsi/gdth.c
-@@ -4174,6 +4174,14 @@ static int ioc_general(void __user *arg,
-     ha = gdth_find_ha(gen.ionode);
-     if (!ha)
-         return -EFAULT;
-+
-+    if (gen.data_len > INT_MAX)
-+        return -EINVAL;
-+    if (gen.sense_len > INT_MAX)
-+        return -EINVAL;
-+    if (gen.data_len + gen.sense_len > INT_MAX)
-+        return -EINVAL;
-+
-     if (gen.data_len + gen.sense_len != 0) {
-         if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
-                                      FALSE, &paddr)))
diff --git a/queue-2.6.33/genirq-fix-incorrect-proc-spurious-output.patch b/queue-2.6.33/genirq-fix-incorrect-proc-spurious-output.patch
deleted file mode 100644 (file)
index b0321dc..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 25c9170ed64a6551beefe9315882f754e14486f4 Mon Sep 17 00:00:00 2001
-From: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
-Date: Tue, 30 Nov 2010 17:36:08 +0900
-Subject: genirq: Fix incorrect proc spurious output
-
-From: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
-
-commit 25c9170ed64a6551beefe9315882f754e14486f4 upstream.
-
-Since commit a1afb637(switch /proc/irq/*/spurious to seq_file) all
-/proc/irq/XX/spurious files show the information of irq 0.
-
-Current irq_spurious_proc_open() passes on NULL as the 3rd argument,
-which is used as an IRQ number in irq_spurious_proc_show(), to the
-single_open(). Because of this, all the /proc/irq/XX/spurious file
-shows IRQ 0 information regardless of the IRQ number.
-
-To fix the problem, irq_spurious_proc_open() must pass on the
-appropreate data (IRQ number) to single_open().
-
-Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
-Reviewed-by: Yong Zhang <yong.zhang0@gmail.com>
-LKML-Reference: <4CF4B778.90604@jp.fujitsu.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/irq/proc.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/irq/proc.c
-+++ b/kernel/irq/proc.c
-@@ -160,7 +160,7 @@ static int irq_spurious_proc_show(struct
- static int irq_spurious_proc_open(struct inode *inode, struct file *file)
- {
--      return single_open(file, irq_spurious_proc_show, NULL);
-+      return single_open(file, irq_spurious_proc_show, PDE(inode)->data);
- }
- static const struct file_operations irq_spurious_proc_fops = {
diff --git a/queue-2.6.33/hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch b/queue-2.6.33/hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch
deleted file mode 100644 (file)
index 950aed7..0000000
+++ /dev/null
@@ -1,77 +0,0 @@
-From 96e9694df446d1154ec2f4fdba8908588b9cba38 Mon Sep 17 00:00:00 2001
-From: Clemens Ladisch <clemens@ladisch.de>
-Date: Tue, 26 Oct 2010 14:22:13 -0700
-Subject: hpet: fix unwanted interrupt due to stale irq status bit
-
-From: Clemens Ladisch <clemens@ladisch.de>
-
-commit 96e9694df446d1154ec2f4fdba8908588b9cba38 upstream.
-
-Jaswinder Singh Rajput wrote:
-> By executing Documentation/timers/hpet_example.c
->
-> for polling, I requested for 3 iterations but it seems iteration work
-> for only 2 as first expired time is always very small.
->
-> # ./hpet_example poll /dev/hpet 10 3
-> -hpet: executing poll
-> hpet_poll: info.hi_flags 0x0
-> hpet_poll: expired time = 0x13
-> hpet_poll: revents = 0x1
-> hpet_poll: data 0x1
-> hpet_poll: expired time = 0x1868c
-> hpet_poll: revents = 0x1
-> hpet_poll: data 0x1
-> hpet_poll: expired time = 0x18645
-> hpet_poll: revents = 0x1
-> hpet_poll: data 0x1
-
-Clearing the HPET interrupt enable bit disables interrupt generation
-but does not disable the timer, so the interrupt status bit will still
-be set when the timer elapses.  If another interrupt arrives before
-the timer has been correctly programmed (due to some other device on
-the same interrupt line, or CONFIG_DEBUG_SHIRQ), this results in an
-extra unwanted interrupt event because the status bit is likely to be
-set from comparator matches that happened before the device was opened.
-
-Therefore, we have to ensure that the interrupt status bit is and
-stays cleared until we actually program the timer.
-
-Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
-Reported-by: Jaswinder Singh Rajput <jaswinderlinux@gmail.com>
-Cc: Ingo Molnar <mingo@elte.hu>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: john stultz <johnstul@us.ibm.com>
-Cc: Bob Picco <bpicco@redhat.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/hpet.c |   15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
---- a/drivers/char/hpet.c
-+++ b/drivers/char/hpet.c
-@@ -476,6 +476,21 @@ static int hpet_ioctl_ieon(struct hpet_d
-       if (irq) {
-               unsigned long irq_flags;
-+              if (devp->hd_flags & HPET_SHARED_IRQ) {
-+                      /*
-+                       * To prevent the interrupt handler from seeing an
-+                       * unwanted interrupt status bit, program the timer
-+                       * so that it will not fire in the near future ...
-+                       */
-+                      writel(readl(&timer->hpet_config) & ~Tn_TYPE_CNF_MASK,
-+                             &timer->hpet_config);
-+                      write_counter(read_counter(&hpet->hpet_mc),
-+                                    &timer->hpet_compare);
-+                      /* ... and clear any left-over status. */
-+                      isr = 1 << (devp - devp->hd_hpets->hp_dev);
-+                      writel(isr, &hpet->hpet_isr);
-+              }
-+
-               sprintf(devp->hd_name, "hpet%d", (int)(devp - hpetp->hp_dev));
-               irq_flags = devp->hd_flags & HPET_SHARED_IRQ
-                                               ? IRQF_SHARED : IRQF_DISABLED;
diff --git a/queue-2.6.33/hpet-unmap-unused-i-o-space.patch b/queue-2.6.33/hpet-unmap-unused-i-o-space.patch
deleted file mode 100644 (file)
index ee4afe3..0000000
+++ /dev/null
@@ -1,88 +0,0 @@
-From a56d5318716d120e040294bb258901ba89fb9c90 Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <jslaby@suse.cz>
-Date: Tue, 26 Oct 2010 14:22:11 -0700
-Subject: hpet: unmap unused I/O space
-
-From: Jiri Slaby <jslaby@suse.cz>
-
-commit a56d5318716d120e040294bb258901ba89fb9c90 upstream.
-
-When the initialization code in hpet finds a memory resource and does not
-find an IRQ, it does not unmap the memory resource previously mapped.
-
-There are buggy BIOSes which report resources exactly like this and what
-is worse the memory region bases point to normal RAM.  This normally would
-not matter since the space is not touched.  But when PAT is turned on,
-ioremap causes the page to be uncached and sets this bit in page->flags.
-
-Then when the page is about to be used by the allocator, it is reported
-as:
-
-BUG: Bad page state in process md5sum  pfn:3ed00
-page:ffffea0000dbd800 count:0 mapcount:0 mapping:(null) index:0x0
-page flags: 0x20000001000000(uncached)
-Pid: 7956, comm: md5sum Not tainted 2.6.34-12-desktop #1
-Call Trace:
- [<ffffffff810df851>] bad_page+0xb1/0x100
- [<ffffffff810dfa45>] prep_new_page+0x1a5/0x1c0
- [<ffffffff810dfe01>] get_page_from_freelist+0x3a1/0x640
- [<ffffffff810e01af>] __alloc_pages_nodemask+0x10f/0x6b0
-...
-
-In this particular case:
-
-1) HPET returns 3ed00000 as memory region base, but it is not in
-reserved ranges reported by the BIOS (excerpt):
- BIOS-e820: 0000000000100000 - 00000000af6cf000 (usable)
- BIOS-e820: 00000000af6cf000 - 00000000afdcf000 (reserved)
-
-2) there is no IRQ resource reported by HPET method. On the other
-hand, the Intel HPET specs (1.0a) says (3.2.5.1):
-_CRS (
-  // Report 1K of memory consumed by this Timer Block
-  memory range consumed
-  // Optional: only used if BIOS allocates Interrupts [1]
-  IRQs consumed
-)
-
-[1] For case where Timer Block is configured to consume IRQ0/IRQ8 AND
-Legacy 8254/Legacy RTC hardware still exists, the device objects
-associated with 8254 & RTC devices should not report IRQ0/IRQ8 as
-"consumed resources".
-
-So in theory we should check whether if it is the case and use those
-interrupts instead.
-
-Anyway the address reported by the BIOS here is bogus, so non-presence
-of IRQ doesn't mean the "optional" part in point 2).
-
-Since I got no reply previously, fix this by simply unmapping the space
-when IRQ is not found and memory region was mapped previously.  It would
-be probably more safe to walk the resources again and unmap appropriately
-depending on type.  But as we now use only ioremap for both 2 memory
-resource types, it is not necessarily needed right now.
-
-Addresses https://bugzilla.novell.com/show_bug.cgi?id=629908
-
-Reported-by: Olaf Hering <olaf@aepfle.de>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Acked-by: Clemens Ladisch <clemens@ladisch.de>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/hpet.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/char/hpet.c
-+++ b/drivers/char/hpet.c
-@@ -982,6 +982,8 @@ static int hpet_acpi_add(struct acpi_dev
-               return -ENODEV;
-       if (!data.hd_address || !data.hd_nirqs) {
-+              if (data.hd_address)
-+                      iounmap(data.hd_address);
-               printk("%s: no address or irqs in _CRS\n", __func__);
-               return -ENODEV;
-       }
diff --git a/queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch b/queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch
deleted file mode 100644 (file)
index 0d3a15b..0000000
+++ /dev/null
@@ -1,88 +0,0 @@
-From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001
-From: Salman Qazi <sqazi@google.com>
-Date: Tue, 12 Oct 2010 07:25:19 -0700
-Subject: hrtimer: Preserve timer state in remove_hrtimer()
-
-From: Salman Qazi <sqazi@google.com>
-
-commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream.
-
-The race is described as follows:
-
-CPU X                                 CPU Y
-remove_hrtimer
-// state & QUEUED == 0
-timer->state = CALLBACK
-unlock timer base
-timer->f(n) //very long
-                                  hrtimer_start
-                                    lock timer base
-                                    remove_hrtimer // no effect
-                                    hrtimer_enqueue
-                                    timer->state = CALLBACK |
-                                                   QUEUED
-                                    unlock timer base
-                                  hrtimer_start
-                                    lock timer base
-                                    remove_hrtimer
-                                        mode = INACTIVE
-                                        // CALLBACK bit lost!
-                                    switch_hrtimer_base
-                                            CALLBACK bit not set:
-                                                    timer->base
-                                                    changes to a
-                                                    different CPU.
-lock this CPU's timer base
-
-The bug was introduced with commit ca109491f (hrtimer: removing all ur
-callback modes) in 2.6.29
-
-[ tglx: Feed new state via local variable and add a comment. ]
-
-Signed-off-by: Salman Qazi <sqazi@google.com>
-Cc: akpm@linux-foundation.org
-Cc: Peter Zijlstra <peterz@infradead.org>
-LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/hrtimer.c |   13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
---- a/kernel/hrtimer.c
-+++ b/kernel/hrtimer.c
-@@ -936,6 +936,7 @@ static inline int
- remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
- {
-       if (hrtimer_is_queued(timer)) {
-+              unsigned long state;
-               int reprogram;
-               /*
-@@ -949,8 +950,13 @@ remove_hrtimer(struct hrtimer *timer, st
-               debug_deactivate(timer);
-               timer_stats_hrtimer_clear_start_info(timer);
-               reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases);
--              __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE,
--                               reprogram);
-+              /*
-+               * We must preserve the CALLBACK state flag here,
-+               * otherwise we could move the timer base in
-+               * switch_hrtimer_base.
-+               */
-+              state = timer->state & HRTIMER_STATE_CALLBACK;
-+              __remove_hrtimer(timer, base, state, reprogram);
-               return 1;
-       }
-       return 0;
-@@ -1237,6 +1243,9 @@ static void __run_hrtimer(struct hrtimer
-               BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
-               enqueue_hrtimer(timer, base);
-       }
-+
-+      WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));
-+
-       timer->state &= ~HRTIMER_STATE_CALLBACK;
- }
diff --git a/queue-2.6.33/hwmon-lm85-fix-adt7468-frequency-table.patch b/queue-2.6.33/hwmon-lm85-fix-adt7468-frequency-table.patch
deleted file mode 100644 (file)
index f9dfbf8..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-From fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 Mon Sep 17 00:00:00 2001
-From: Jean Delvare <khali@linux-fr.org>
-Date: Thu, 28 Oct 2010 20:31:50 +0200
-Subject: hwmon: (lm85) Fix ADT7468 frequency table
-
-From: Jean Delvare <khali@linux-fr.org>
-
-commit fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 upstream.
-
-The ADT7468 uses the same frequency table as the ADT7463.
-
-Signed-off-by: Jean Delvare <khali@linux-fr.org>
-Cc: Darrick J. Wong <djwong@us.ibm.com>
-Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/hwmon/lm85.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/hwmon/lm85.c
-+++ b/drivers/hwmon/lm85.c
-@@ -1259,6 +1259,7 @@ static int lm85_probe(struct i2c_client
-       switch (data->type) {
-       case adm1027:
-       case adt7463:
-+      case adt7468:
-       case emc6d100:
-       case emc6d102:
-               data->freq_map = adm1027_freq_map;
diff --git a/queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch b/queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch
deleted file mode 100644 (file)
index b9788a0..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001
-From: Kenneth Waters <kwwaters@gmail.com>
-Date: Tue, 21 Sep 2010 00:58:23 -0700
-Subject: Input: joydev - fix JSIOCSAXMAP ioctl
-
-From: Kenneth Waters <kwwaters@gmail.com>
-
-commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream.
-
-Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to
-event axis in addition to abspam.  This fixes a regression introduced
-by 999b874f.
-
-Signed-off-by: Kenneth Waters <kwwaters@gmail.com>
-Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/input/joydev.c |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/input/joydev.c
-+++ b/drivers/input/joydev.c
-@@ -481,6 +481,9 @@ static int joydev_handle_JSIOCSAXMAP(str
-       memcpy(joydev->abspam, abspam, len);
-+      for (i = 0; i < joydev->nabs; i++)
-+              joydev->absmap[joydev->abspam[i]] = i;
-+
-  out:
-       kfree(abspam);
-       return retval;
diff --git a/queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch b/queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
deleted file mode 100644 (file)
index 00f8baa..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d Mon Sep 17 00:00:00 2001
-From: Len Brown <len.brown@intel.com>
-Date: Fri, 24 Sep 2010 21:02:27 -0400
-Subject: intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang
-
-From: Len Brown <len.brown@intel.com>
-
-commit 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d upstream.
-
-When the Lenovo Ideapad S10-3 is booted with HT enabled,
-it hits a boot hang in the intel_idle driver.
-
-This occurs when entering ATM-C4 for the first time,
-unless BM_STS is first cleared.
-
-acpi_idle doesn't see this because it first checks
-and clears BM_STS, but it would hit the same hang
-if that check were disabled.
-
-http://bugs.meego.com/show_bug.cgi?id=7093
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/634702
-
-Signed-off-by: Len Brown <len.brown@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/pci/quirks.c |   20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
---- a/drivers/pci/quirks.c
-+++ b/drivers/pci/quirks.c
-@@ -155,6 +155,26 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NE
- DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC,    PCI_DEVICE_ID_NEC_CBUS_3,       quirk_isa_dma_hangs);
- /*
-+ * Intel NM10 "TigerPoint" LPC PM1a_STS.BM_STS must be clear
-+ * for some HT machines to use C4 w/o hanging.
-+ */
-+static void __devinit quirk_tigerpoint_bm_sts(struct pci_dev *dev)
-+{
-+      u32 pmbase;
-+      u16 pm1a;
-+
-+      pci_read_config_dword(dev, 0x40, &pmbase);
-+      pmbase = pmbase & 0xff80;
-+      pm1a = inw(pmbase);
-+
-+      if (pm1a & 0x10) {
-+              dev_info(&dev->dev, FW_BUG "TigerPoint LPC.BM_STS cleared\n");
-+              outw(0x10, pmbase);
-+      }
-+}
-+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGP_LPC, quirk_tigerpoint_bm_sts);
-+
-+/*
-  *    Chipsets where PCI->PCI transfers vanish or hang
-  */
- static void __devinit quirk_nopcipci(struct pci_dev *dev)
diff --git a/queue-2.6.33/ip-fix-truesize-mismatch-in-ip-fragmentation.patch b/queue-2.6.33/ip-fix-truesize-mismatch-in-ip-fragmentation.patch
deleted file mode 100644 (file)
index adc4c32..0000000
+++ /dev/null
@@ -1,158 +0,0 @@
-From e1a3ddca02595af27c6057610f7b12f1b0ac21c6 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <eric.dumazet@gmail.com>
-Date: Tue, 21 Sep 2010 08:47:45 +0000
-Subject: ip: fix truesize mismatch in ip fragmentation
-
-
-From: Eric Dumazet <eric.dumazet@gmail.com>
-
-[ Upstream commit 3d13008e7345fa7a79d8f6438150dc15d6ba6e9d ]
-
-Special care should be taken when slow path is hit in ip_fragment() :
-
-When walking through frags, we transfert truesize ownership from skb to
-frags. Then if we hit a slow_path condition, we must undo this or risk
-uncharging frags->truesize twice, and in the end, having negative socket
-sk_wmem_alloc counter, or even freeing socket sooner than expected.
-
-Many thanks to Nick Bowler, who provided a very clean bug report and
-test program.
-
-Thanks to Jarek for reviewing my first patch and providing a V2
-
-While Nick bisection pointed to commit 2b85a34e911 (net: No more
-expensive sock_hold()/sock_put() on each tx), underlying bug is older
-(2.6.12-rc5)
-
-A side effect is to extend work done in commit b2722b1c3a893e
-(ip_fragment: also adjust skb->truesize for packets not owned by a
-socket) to ipv6 as well.
-
-Reported-and-bisected-by: Nick Bowler <nbowler@elliptictech.com>
-Tested-by: Nick Bowler <nbowler@elliptictech.com>
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-CC: Jarek Poplawski <jarkao2@gmail.com>
-CC: Patrick McHardy <kaber@trash.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/ip_output.c  |   19 +++++++++++++------
- net/ipv6/ip6_output.c |   18 +++++++++++++-----
- 2 files changed, 26 insertions(+), 11 deletions(-)
-
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -478,9 +478,8 @@ int ip_fragment(struct sk_buff *skb, int
-        * we can switch to copy when see the first bad fragment.
-        */
-       if (skb_has_frags(skb)) {
--              struct sk_buff *frag;
-+              struct sk_buff *frag, *frag2;
-               int first_len = skb_pagelen(skb);
--              int truesizes = 0;
-               if (first_len - hlen > mtu ||
-                   ((first_len - hlen) & 7) ||
-@@ -493,18 +492,18 @@ int ip_fragment(struct sk_buff *skb, int
-                       if (frag->len > mtu ||
-                           ((frag->len & 7) && frag->next) ||
-                           skb_headroom(frag) < hlen)
--                          goto slow_path;
-+                              goto slow_path_clean;
-                       /* Partially cloned skb? */
-                       if (skb_shared(frag))
--                              goto slow_path;
-+                              goto slow_path_clean;
-                       BUG_ON(frag->sk);
-                       if (skb->sk) {
-                               frag->sk = skb->sk;
-                               frag->destructor = sock_wfree;
-                       }
--                      truesizes += frag->truesize;
-+                      skb->truesize -= frag->truesize;
-               }
-               /* Everything is OK. Generate! */
-@@ -514,7 +513,6 @@ int ip_fragment(struct sk_buff *skb, int
-               frag = skb_shinfo(skb)->frag_list;
-               skb_frag_list_init(skb);
-               skb->data_len = first_len - skb_headlen(skb);
--              skb->truesize -= truesizes;
-               skb->len = first_len;
-               iph->tot_len = htons(first_len);
-               iph->frag_off = htons(IP_MF);
-@@ -566,6 +564,15 @@ int ip_fragment(struct sk_buff *skb, int
-               }
-               IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
-               return err;
-+
-+slow_path_clean:
-+              skb_walk_frags(skb, frag2) {
-+                      if (frag2 == frag)
-+                              break;
-+                      frag2->sk = NULL;
-+                      frag2->destructor = NULL;
-+                      skb->truesize += frag2->truesize;
-+              }
-       }
- slow_path:
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -642,7 +642,7 @@ static int ip6_fragment(struct sk_buff *
-       if (skb_has_frags(skb)) {
-               int first_len = skb_pagelen(skb);
--              int truesizes = 0;
-+              struct sk_buff *frag2;
-               if (first_len - hlen > mtu ||
-                   ((first_len - hlen) & 7) ||
-@@ -654,18 +654,18 @@ static int ip6_fragment(struct sk_buff *
-                       if (frag->len > mtu ||
-                           ((frag->len & 7) && frag->next) ||
-                           skb_headroom(frag) < hlen)
--                          goto slow_path;
-+                              goto slow_path_clean;
-                       /* Partially cloned skb? */
-                       if (skb_shared(frag))
--                              goto slow_path;
-+                              goto slow_path_clean;
-                       BUG_ON(frag->sk);
-                       if (skb->sk) {
-                               frag->sk = skb->sk;
-                               frag->destructor = sock_wfree;
--                              truesizes += frag->truesize;
-                       }
-+                      skb->truesize -= frag->truesize;
-               }
-               err = 0;
-@@ -696,7 +696,6 @@ static int ip6_fragment(struct sk_buff *
-               first_len = skb_pagelen(skb);
-               skb->data_len = first_len - skb_headlen(skb);
--              skb->truesize -= truesizes;
-               skb->len = first_len;
-               ipv6_hdr(skb)->payload_len = htons(first_len -
-                                                  sizeof(struct ipv6hdr));
-@@ -759,6 +758,15 @@ static int ip6_fragment(struct sk_buff *
-                             IPSTATS_MIB_FRAGFAILS);
-               dst_release(&rt->u.dst);
-               return err;
-+
-+slow_path_clean:
-+              skb_walk_frags(skb, frag2) {
-+                      if (frag2 == frag)
-+                              break;
-+                      frag2->sk = NULL;
-+                      frag2->destructor = NULL;
-+                      skb->truesize += frag2->truesize;
-+              }
-       }
- slow_path:
diff --git a/queue-2.6.33/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch b/queue-2.6.33/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
deleted file mode 100644 (file)
index 3b1b7f7..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-From 03145beb455cf5c20a761e8451e30b8a74ba58d9 Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Wed, 27 Oct 2010 15:34:17 -0700
-Subject: ipc: initialize structure memory to zero for compat functions
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream.
-
-This takes care of leaking uninitialized kernel stack memory to
-userspace from non-zeroed fields in structs in compat ipc functions.
-
-Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Cc: Manfred Spraul <manfred@colorfullife.com>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- ipc/compat.c    |    6 ++++++
- ipc/compat_mq.c |    5 +++++
- 2 files changed, 11 insertions(+)
-
---- a/ipc/compat.c
-+++ b/ipc/compat.c
-@@ -242,6 +242,8 @@ long compat_sys_semctl(int first, int se
-       struct semid64_ds __user *up64;
-       int version = compat_ipc_parse_version(&third);
-+      memset(&s64, 0, sizeof(s64));
-+
-       if (!uptr)
-               return -EINVAL;
-       if (get_user(pad, (u32 __user *) uptr))
-@@ -422,6 +424,8 @@ long compat_sys_msgctl(int first, int se
-       int version = compat_ipc_parse_version(&second);
-       void __user *p;
-+      memset(&m64, 0, sizeof(m64));
-+
-       switch (second & (~IPC_64)) {
-       case IPC_INFO:
-       case IPC_RMID:
-@@ -595,6 +599,8 @@ long compat_sys_shmctl(int first, int se
-       int err, err2;
-       int version = compat_ipc_parse_version(&second);
-+      memset(&s64, 0, sizeof(s64));
-+
-       switch (second & (~IPC_64)) {
-       case IPC_RMID:
-       case SHM_LOCK:
---- a/ipc/compat_mq.c
-+++ b/ipc/compat_mq.c
-@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
-       void __user *p = NULL;
-       if (u_attr && oflag & O_CREAT) {
-               struct mq_attr attr;
-+
-+              memset(&attr, 0, sizeof(attr));
-+
-               p = compat_alloc_user_space(sizeof(attr));
-               if (get_compat_mq_attr(&attr, u_attr) ||
-                   copy_to_user(p, &attr, sizeof(attr)))
-@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
-       struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
-       long ret;
-+      memset(&mqstat, 0, sizeof(mqstat));
-+
-       if (u_mqstat) {
-               if (get_compat_mq_attr(&mqstat, u_mqstat) ||
-                   copy_to_user(p, &mqstat, sizeof(mqstat)))
diff --git a/queue-2.6.33/ipc-shm-fix-information-leak-to-userland.patch b/queue-2.6.33/ipc-shm-fix-information-leak-to-userland.patch
deleted file mode 100644 (file)
index 3fa88b5..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 Mon Sep 17 00:00:00 2001
-From: Vasiliy Kulikov <segooon@gmail.com>
-Date: Sat, 30 Oct 2010 18:22:49 +0400
-Subject: ipc: shm: fix information leak to userland
-
-From: Vasiliy Kulikov <segooon@gmail.com>
-
-commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream.
-
-The shmid_ds structure is copied to userland with shm_unused{,2,3}
-fields unitialized.  It leads to leaking of contents of kernel stack
-memory.
-
-Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
-Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- ipc/shm.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -476,6 +476,7 @@ static inline unsigned long copy_shmid_t
-           {
-               struct shmid_ds out;
-+              memset(&out, 0, sizeof(out));
-               ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
-               out.shm_segsz   = in->shm_segsz;
-               out.shm_atime   = in->shm_atime;
diff --git a/queue-2.6.33/irda-fix-heap-memory-corruption-in-iriap.c.patch b/queue-2.6.33/irda-fix-heap-memory-corruption-in-iriap.c.patch
deleted file mode 100644 (file)
index 4627081..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 Mon Sep 17 00:00:00 2001
-From: Samuel Ortiz <samuel@sortiz.org>
-Date: Wed, 6 Oct 2010 01:03:12 +0200
-Subject: irda: Fix heap memory corruption in iriap.c
-
-From: Samuel Ortiz <samuel@sortiz.org>
-
-commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.
-
-While parsing the GetValuebyClass command frame, we could potentially write
-passed the skb->data pointer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/irda/iriap.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/irda/iriap.c
-+++ b/net/irda/iriap.c
-@@ -501,7 +501,8 @@ static void iriap_getvaluebyclass_confir
-               IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len);
-               /* Make sure the string is null-terminated */
--              fp[n+value_len] = 0x00;
-+              if (n + value_len < skb->len)
-+                      fp[n + value_len] = 0x00;
-               IRDA_DEBUG(4, "Got string %s\n", fp+n);
-               /* Will truncate to IAS_MAX_STRING bytes */
diff --git a/queue-2.6.33/irda-fix-parameter-extraction-stack-overflow.patch b/queue-2.6.33/irda-fix-parameter-extraction-stack-overflow.patch
deleted file mode 100644 (file)
index 44c4b78..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001
-From: Samuel Ortiz <samuel@sortiz.org>
-Date: Mon, 11 Oct 2010 01:17:56 +0200
-Subject: irda: Fix parameter extraction stack overflow
-
-From: Samuel Ortiz <samuel@sortiz.org>
-
-commit efc463eb508798da4243625b08c7396462cabf9f upstream.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/irda/parameters.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/net/irda/parameters.c
-+++ b/net/irda/parameters.c
-@@ -298,6 +298,8 @@ static int irda_extract_string(void *sel
-       p.pi = pi;     /* In case handler needs to know */
-       p.pl = buf[1]; /* Extract length of value */
-+      if (p.pl > 32)
-+              p.pl = 32;
-       IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
-                  p.pi, p.pl);
-@@ -318,7 +320,7 @@ static int irda_extract_string(void *sel
-                  (__u8) str[0], (__u8) str[1]);
-       /* Null terminate string */
--      str[p.pl+1] = '\0';
-+      str[p.pl] = '\0';
-       p.pv.c = str; /* Handler will need to take a copy */
diff --git a/queue-2.6.33/latencytop-fix-per-task-accumulator.patch b/queue-2.6.33/latencytop-fix-per-task-accumulator.patch
deleted file mode 100644 (file)
index c1c0f47..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
-From 38715258aa2e8cd94bd4aafadc544e5104efd551 Mon Sep 17 00:00:00 2001
-From: Ken Chen <kenchen@google.com>
-Date: Thu, 11 Nov 2010 14:05:16 -0800
-Subject: latencytop: fix per task accumulator
-
-From: Ken Chen <kenchen@google.com>
-
-commit 38715258aa2e8cd94bd4aafadc544e5104efd551 upstream.
-
-Per task latencytop accumulator prematurely terminates due to erroneous
-placement of latency_record_count.  It should be incremented whenever a
-new record is allocated instead of increment on every latencytop event.
-
-Also fix search iterator to only search known record events instead of
-blindly searching all pre-allocated space.
-
-Signed-off-by: Ken Chen <kenchen@google.com>
-Reviewed-by: Arjan van de Ven <arjan@infradead.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/latencytop.c |   17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
---- a/kernel/latencytop.c
-+++ b/kernel/latencytop.c
-@@ -195,14 +195,7 @@ __account_scheduler_latency(struct task_
-       account_global_scheduler_latency(tsk, &lat);
--      /*
--       * short term hack; if we're > 32 we stop; future we recycle:
--       */
--      tsk->latency_record_count++;
--      if (tsk->latency_record_count >= LT_SAVECOUNT)
--              goto out_unlock;
--
--      for (i = 0; i < LT_SAVECOUNT; i++) {
-+      for (i = 0; i < tsk->latency_record_count; i++) {
-               struct latency_record *mylat;
-               int same = 1;
-@@ -228,8 +221,14 @@ __account_scheduler_latency(struct task_
-               }
-       }
-+      /*
-+       * short term hack; if we're > 32 we stop; future we recycle:
-+       */
-+      if (tsk->latency_record_count >= LT_SAVECOUNT)
-+              goto out_unlock;
-+
-       /* Allocated a new one: */
--      i = tsk->latency_record_count;
-+      i = tsk->latency_record_count++;
-       memcpy(&tsk->latency_record[i], &lat, sizeof(struct latency_record));
- out_unlock:
diff --git a/queue-2.6.33/leds-fix-bug-with-reading-nas-ss4200-dmi-code.patch b/queue-2.6.33/leds-fix-bug-with-reading-nas-ss4200-dmi-code.patch
deleted file mode 100644 (file)
index 7395873..0000000
+++ /dev/null
@@ -1,75 +0,0 @@
-From 50d431e8a15701b599c98afe2b464eb33c952477 Mon Sep 17 00:00:00 2001
-From: Steven Rostedt <rostedt@goodmis.org>
-Date: Wed, 24 Nov 2010 12:56:52 -0800
-Subject: leds: fix bug with reading NAS SS4200 dmi code
-
-From: Steven Rostedt <rostedt@goodmis.org>
-
-commit 50d431e8a15701b599c98afe2b464eb33c952477 upstream.
-
-While running randconfg with ktest.pl I stumbled upon this bug:
-
-  BUG: unable to handle kernel NULL pointer dereference at 0000000000000003
-  IP: [<ffffffff815fe44f>] strstr+0x39/0x86
-  PGD 0
-  Oops: 0000 [#1] SMP
-  last sysfs file:
-  CPU 0
-  Modules linked in:
-
-  Pid: 1, comm: swapper Not tainted 2.6.37-rc1-test+ #6 DG965MQ/
-  RIP: 0010:[<ffffffff815fe44f>]  [<ffffffff815fe44f>] strstr+0x39/0x86
-  RSP: 0018:ffff8800797cbd80  EFLAGS: 00010213
-  RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffffffffffff
-  RDX: 0000000000000000 RSI: ffffffff82eb7ac9 RDI: 0000000000000003
-  RBP: ffff8800797cbda0 R08: ffff880000000003 R09: 0000000000030725
-  R10: ffff88007d294c00 R11: 0000000000014c00 R12: 0000000000000020
-  R13: ffffffff82eb7ac9 R14: ffffffffffffffff R15: ffffffff82eb7b08
-  FS:  0000000000000000(0000) GS:ffff88007d200000(0000) knlGS:0000000000000000
-  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
-  CR2: 0000000000000003 CR3: 0000000002a1d000 CR4: 00000000000006f0
-  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
-  Process swapper (pid: 1, threadinfo ffff8800797ca000, task ffff8800797d0000)
-  Stack:
-   00000000000000ba ffffffff82eb7ac9 ffffffff82eb7ab8 00000000000000ba
-   ffff8800797cbdf0 ffffffff81e2050f ffff8800797cbdc0 00000000815f913b
-   ffff8800797cbe00 ffffffff82eb7ab8 0000000000000000 0000000000000000
-  Call Trace:
-   [<ffffffff81e2050f>] dmi_matches+0x117/0x154
-   [<ffffffff81e205d7>] dmi_check_system+0x3d/0x8d
-   [<ffffffff82e1ad25>] ? nas_gpio_init+0x0/0x2c8
-   [<ffffffff82e1ad49>] nas_gpio_init+0x24/0x2c8
-   [<ffffffff820d750d>] ? wm8350_led_init+0x0/0x20
-   [<ffffffff82e1ad25>] ? nas_gpio_init+0x0/0x2c8
-   [<ffffffff810022f7>] do_one_initcall+0xab/0x1b2
-   [<ffffffff82da749c>] kernel_init+0x248/0x331
-   [<ffffffff8100e624>] kernel_thread_helper+0x4/0x10
-   [<ffffffff82da7254>] ? kernel_init+0x0/0x331
-
-Found that the nas_led_whitelist dmi_system_id structure array had no
-NULL end delimiter, causing the dmi_check_system() loop to read an
-undefined entry.
-
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-Acked-by: Dave Hansen <dave@sr71.net>
-Acked-by: Richard Purdie <rpurdie@linux.intel.com>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/leds/leds-ss4200.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/leds/leds-ss4200.c
-+++ b/drivers/leds/leds-ss4200.c
-@@ -102,6 +102,7 @@ static struct dmi_system_id __initdata n
-                       DMI_MATCH(DMI_PRODUCT_VERSION, "1.00.00")
-               }
-       },
-+      {}
- };
- /*
diff --git a/queue-2.6.33/libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch b/queue-2.6.33/libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch
deleted file mode 100644 (file)
index e70371b..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 Mon Sep 17 00:00:00 2001
-From: Tejun Heo <tj@kernel.org>
-Date: Mon, 1 Nov 2010 11:39:19 +0100
-Subject: libata: fix NULL sdev dereference race in atapi_qc_complete()
-
-From: Tejun Heo <tj@kernel.org>
-
-commit 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream.
-
-SCSI commands may be issued between __scsi_add_device() and dev->sdev
-assignment, so it's unsafe for ata_qc_complete() to dereference
-dev->sdev->locked without checking whether it's NULL or not.  Fix it.
-
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/ata/libata-scsi.c |    5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -2547,8 +2547,11 @@ static void atapi_qc_complete(struct ata
-                *
-                * If door lock fails, always clear sdev->locked to
-                * avoid this infinite loop.
-+               *
-+               * This may happen before SCSI scan is complete.  Make
-+               * sure qc->dev->sdev isn't NULL before dereferencing.
-                */
--              if (qc->cdb[0] == ALLOW_MEDIUM_REMOVAL)
-+              if (qc->cdb[0] == ALLOW_MEDIUM_REMOVAL && qc->dev->sdev)
-                       qc->dev->sdev->locked = 0;
-               qc->scsicmd->result = SAM_STAT_CHECK_CONDITION;
diff --git a/queue-2.6.33/libsas-fix-ncq-mixing-with-non-ncq.patch b/queue-2.6.33/libsas-fix-ncq-mixing-with-non-ncq.patch
deleted file mode 100644 (file)
index b6d7c92..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 Mon Sep 17 00:00:00 2001
-From: David Milburn <dmilburn@redhat.com>
-Date: Fri, 3 Sep 2010 17:13:03 -0500
-Subject: [SCSI] libsas: fix NCQ mixing with non-NCQ
-
-From: David Milburn <dmilburn@redhat.com>
-
-commit f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 upstream.
-
-Some cards (like mvsas) have issue troubles if non-NCQ commands are
-mixed with NCQ ones.  Fix this by using the libata default NCQ check
-routine which waits until all NCQ commands are complete before issuing
-a non-NCQ one.  The impact to cards (like aic94xx) which don't need
-this logic should be minimal
-
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/scsi/libsas/sas_ata.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/scsi/libsas/sas_ata.c
-+++ b/drivers/scsi/libsas/sas_ata.c
-@@ -346,6 +346,7 @@ static int sas_ata_scr_read(struct ata_l
- static struct ata_port_operations sas_sata_ops = {
-       .phy_reset              = sas_ata_phy_reset,
-       .post_internal_cmd      = sas_ata_post_internal,
-+      .qc_defer               = ata_std_qc_defer,
-       .qc_prep                = ata_noop_qc_prep,
-       .qc_issue               = sas_ata_qc_issue,
-       .qc_fill_rtf            = sas_ata_qc_fill_rtf,
diff --git a/queue-2.6.33/mac80211-fix-use-after-free.patch b/queue-2.6.33/mac80211-fix-use-after-free.patch
deleted file mode 100644 (file)
index ee87a87..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Fri, 24 Sep 2010 11:20:47 +0200
-Subject: mac80211: fix use-after-free
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-commit cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 upstream.
-
-commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1
-Author: Johannes Berg <johannes@sipsolutions.net>
-Date:   Wed Nov 25 17:46:15 2009 +0100
-
-    mac80211: move cmntr flag out of rx flags
-
-moved the CMTR flag into the skb's status, and
-in doing so introduced a use-after-free -- when
-the skb has been handed to cooked monitors the
-status setting will touch now invalid memory.
-
-Additionally, moving it there has effectively
-discarded the optimisation -- since the bit is
-only ever set on freed SKBs, and those were a
-copy, it could never be checked.
-
-For the current release, fixing this properly
-is a bit too involved, so let's just remove the
-problematic code and leave userspace with one
-copy of each frame for each virtual interface.
-
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/mac80211/rx.c |    4 ----
- 1 file changed, 4 deletions(-)
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2123,9 +2123,6 @@ static void ieee80211_rx_cooked_monitor(
-       struct net_device *prev_dev = NULL;
-       struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
--      if (status->flag & RX_FLAG_INTERNAL_CMTR)
--              goto out_free_skb;
--
-       if (skb_headroom(skb) < sizeof(*rthdr) &&
-           pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
-               goto out_free_skb;
-@@ -2184,7 +2181,6 @@ static void ieee80211_rx_cooked_monitor(
-       } else
-               goto out_free_skb;
--      status->flag |= RX_FLAG_INTERNAL_CMTR;
-       return;
-  out_free_skb:
diff --git a/queue-2.6.33/md-fix-return-value-of-rdev_size_change.patch b/queue-2.6.33/md-fix-return-value-of-rdev_size_change.patch
deleted file mode 100644 (file)
index 75a542b..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From c26a44ed1e552aaa1d4ceb71842002d235fe98d7 Mon Sep 17 00:00:00 2001
-From: Justin Maggard <jmaggard10@gmail.com>
-Date: Wed, 24 Nov 2010 16:36:17 +1100
-Subject: md: fix return value of rdev_size_change()
-
-From: Justin Maggard <jmaggard10@gmail.com>
-
-commit c26a44ed1e552aaa1d4ceb71842002d235fe98d7 upstream.
-
-When trying to grow an array by enlarging component devices,
-rdev_size_store() expects the return value of rdev_size_change() to be
-in sectors, but the actual value is returned in KBs.
-
-This functionality was broken by commit
-     dd8ac336c13fd8afdb082ebacb1cddd5cf727889
-so this patch is suitable for any kernel since 2.6.30.
-
-Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
-Signed-off-by: NeilBrown <neilb@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/md/md.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -1255,7 +1255,7 @@ super_90_rdev_size_change(mdk_rdev_t *rd
-       md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
-                      rdev->sb_page);
-       md_super_wait(rdev->mddev);
--      return num_sectors / 2; /* kB for sysfs */
-+      return num_sectors;
- }
-@@ -1617,7 +1617,7 @@ super_1_rdev_size_change(mdk_rdev_t *rde
-       md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
-                      rdev->sb_page);
-       md_super_wait(rdev->mddev);
--      return num_sectors / 2; /* kB for sysfs */
-+      return num_sectors;
- }
- static struct super_type super_types[] = {
diff --git a/queue-2.6.33/md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch b/queue-2.6.33/md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch
deleted file mode 100644 (file)
index 706f04b..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-From 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 Mon Sep 17 00:00:00 2001
-From: NeilBrown <neilb@suse.de>
-Date: Wed, 24 Nov 2010 16:39:46 +1100
-Subject: md/raid1: really fix recovery looping when single good device fails.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: NeilBrown <neilb@suse.de>
-
-commit 8f9e0ee38f75d4740daa9e42c8af628d33d19a02 upstream.
-
-Commit 4044ba58dd15cb01797c4fd034f39ef4a75f7cc3 supposedly fixed a
-problem where if a raid1 with just one good device gets a read-error
-during recovery, the recovery would abort and immediately restart in
-an infinite loop.
-
-However it depended on raid1_remove_disk removing the spare device
-from the array.  But that does not happen in this case.  So add a test
-so that in the 'recovery_disabled' case, the device will be removed.
-
-This suitable for any kernel since 2.6.29 which is when
-recovery_disabled was introduced.
-
-Reported-by: Sebastian Färber <faerber@gmail.com>
-Signed-off-by: NeilBrown <neilb@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/md/raid1.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -1196,6 +1196,7 @@ static int raid1_remove_disk(mddev_t *md
-                * is not possible.
-                */
-               if (!test_bit(Faulty, &rdev->flags) &&
-+                  !mddev->recovery_disabled &&
-                   mddev->degraded < conf->raid_disks) {
-                       err = -EBUSY;
-                       goto abort;
diff --git a/queue-2.6.33/memory-corruption-in-x.25-facilities-parsing.patch b/queue-2.6.33/memory-corruption-in-x.25-facilities-parsing.patch
deleted file mode 100644 (file)
index 0233197..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From a6331d6f9a4298173b413cf99a40cc86a9d92c37 Mon Sep 17 00:00:00 2001
-From: andrew hendry <andrew.hendry@gmail.com>
-Date: Wed, 3 Nov 2010 12:54:53 +0000
-Subject: memory corruption in X.25 facilities parsing
-
-From: andrew hendry <andrew.hendry@gmail.com>
-
-commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
-
-Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/x25/x25_facilities.c |    8 ++++----
- net/x25/x25_in.c         |    2 ++
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
---- a/net/x25/x25_facilities.c
-+++ b/net/x25/x25_facilities.c
-@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff
-               case X25_FAC_CLASS_D:
-                       switch (*p) {
-                       case X25_FAC_CALLING_AE:
--                              if (p[1] > X25_MAX_DTE_FACIL_LEN)
--                                      break;
-+                              if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-+                                      return 0;
-                               dte_facs->calling_len = p[2];
-                               memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
-                               *vc_fac_mask |= X25_MASK_CALLING_AE;
-                               break;
-                       case X25_FAC_CALLED_AE:
--                              if (p[1] > X25_MAX_DTE_FACIL_LEN)
--                                      break;
-+                              if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-+                                      return 0;
-                               dte_facs->called_len = p[2];
-                               memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
-                               *vc_fac_mask |= X25_MASK_CALLED_AE;
---- a/net/x25/x25_in.c
-+++ b/net/x25/x25_in.c
-@@ -118,6 +118,8 @@ static int x25_state1_machine(struct soc
-                                               &x25->vc_facil_mask);
-                       if (len > 0)
-                               skb_pull(skb, len);
-+                      else
-+                              return -1;
-                       /*
-                        *      Copy any Call User Data.
-                        */
diff --git a/queue-2.6.33/mm-fix-corruption-of-hibernation-caused-by-reusing-swap-during-image-saving.patch b/queue-2.6.33/mm-fix-corruption-of-hibernation-caused-by-reusing-swap-during-image-saving.patch
deleted file mode 100644 (file)
index 18b9ac9..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From 966cca029f739716fbcc8068b8c6dfe381f86fc3 Mon Sep 17 00:00:00 2001
-From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Date: Mon, 9 Aug 2010 17:20:09 -0700
-Subject: mm: fix corruption of hibernation caused by reusing swap during image saving
-
-From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-
-commit 966cca029f739716fbcc8068b8c6dfe381f86fc3 upstream.
-
-Since 2.6.31, swap_map[]'s refcounting was changed to show that a used
-swap entry is just for swap-cache, can be reused.  Then, while scanning
-free entry in swap_map[], a swap entry may be able to be reclaimed and
-reused.  It was caused by commit c9e444103b5e7a5 ("mm: reuse unused swap
-entry if necessary").
-
-But this caused deta corruption at resume. The scenario is
-
-- Assume a clean-swap cache, but mapped.
-
-- at hibernation_snapshot[], clean-swap-cache is saved as
-  clean-swap-cache and swap_map[] is marked as SWAP_HAS_CACHE.
-
-- then, save_image() is called.  And reuse SWAP_HAS_CACHE entry to save
-  image, and break the contents.
-
-After resume:
-
-- the memory reclaim runs and finds clean-not-referenced-swap-cache and
-  discards it because it's marked as clean.  But here, the contents on
-  disk and swap-cache is inconsistent.
-
-Hance memory is corrupted.
-
-This patch avoids the bug by not reclaiming swap-entry during hibernation.
-This is a quick fix for backporting.
-
-Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Cc: Rafael J. Wysocki <rjw@sisk.pl>
-Reported-by: Ondreg Zary <linux@rainbow-software.org>
-Tested-by: Ondreg Zary <linux@rainbow-software.org>
-Tested-by: Andrea Gelmini <andrea.gelmini@gmail.com>
-Acked-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/swapfile.c |    6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/mm/swapfile.c
-+++ b/mm/swapfile.c
-@@ -315,8 +315,10 @@ checks:
-       if (offset > si->highest_bit)
-               scan_base = offset = si->lowest_bit;
--      /* reuse swap entry of cache-only swap if not busy. */
--      if (vm_swap_full() && si->swap_map[offset] == SWAP_HAS_CACHE) {
-+      /* reuse swap entry of cache-only swap if not hibernation. */
-+      if (vm_swap_full()
-+              && usage == SWAP_HAS_CACHE
-+              && si->swap_map[offset] == SWAP_HAS_CACHE) {
-               int swap_was_freed;
-               spin_unlock(&swap_lock);
-               swap_was_freed = __try_to_reclaim_swap(si, offset);
diff --git a/queue-2.6.33/mm-fix-is_mem_section_removable-page_order-bug_on-check.patch b/queue-2.6.33/mm-fix-is_mem_section_removable-page_order-bug_on-check.patch
deleted file mode 100644 (file)
index c40125d..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From 572438f9b52236bd8938b1647cc15e027d27ef55 Mon Sep 17 00:00:00 2001
-From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Date: Tue, 26 Oct 2010 14:22:08 -0700
-Subject: mm: fix is_mem_section_removable() page_order BUG_ON check
-
-From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-
-commit 572438f9b52236bd8938b1647cc15e027d27ef55 upstream.
-
-page_order() is called by memory hotplug's user interface to check the
-section is removable or not.  (is_mem_section_removable())
-
-It calls page_order() withoug holding zone->lock.
-So, even if the caller does
-
-       if (PageBuddy(page))
-               ret = page_order(page) ...
-The caller may hit BUG_ON().
-
-For fixing this, there are 2 choices.
-  1. add zone->lock.
-  2. remove BUG_ON().
-
-is_mem_section_removable() is used for some "advice" and doesn't need to
-be 100% accurate.  This is_removable() can be called via user program..
-We don't want to take this important lock for long by user's request.  So,
-this patch removes BUG_ON().
-
-Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Acked-by: Wu Fengguang <fengguang.wu@intel.com>
-Acked-by: Michal Hocko <mhocko@suse.cz>
-Acked-by: Mel Gorman <mel@csn.ul.ie>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/internal.h |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/mm/internal.h
-+++ b/mm/internal.h
-@@ -62,7 +62,7 @@ extern bool is_free_buddy_page(struct pa
-  */
- static inline unsigned long page_order(struct page *page)
- {
--      VM_BUG_ON(!PageBuddy(page));
-+      /* PageBuddy() must be checked by the caller */
-       return page_private(page);
- }
diff --git a/queue-2.6.33/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch b/queue-2.6.33/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch
deleted file mode 100644 (file)
index f2f9674..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 5528f9132cf65d4d892bcbc5684c61e7822b21e9 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Fri, 13 Aug 2010 09:24:04 -0700
-Subject: mm: fix missing page table unmap for stack guard page failure case
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 5528f9132cf65d4d892bcbc5684c61e7822b21e9 upstream.
-
-.. which didn't show up in my tests because it's a no-op on x86-64 and
-most other architectures.  But we enter the function with the last-level
-page table mapped, and should unmap it at exit.
-
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/memory.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -2677,8 +2677,10 @@ static int do_anonymous_page(struct mm_s
-       spinlock_t *ptl;
-       pte_t entry;
--      if (check_stack_guard_page(vma, address) < 0)
-+      if (check_stack_guard_page(vma, address) < 0) {
-+              pte_unmap(page_table);
-               return VM_FAULT_SIGBUS;
-+      }
-       if (!(flags & FAULT_FLAG_WRITE)) {
-               entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
diff --git a/queue-2.6.33/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch b/queue-2.6.33/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
deleted file mode 100644 (file)
index 9da3225..0000000
+++ /dev/null
@@ -1,76 +0,0 @@
-From 11ac552477e32835cb6970bf0a70c210807f5673 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Sat, 14 Aug 2010 11:44:56 -0700
-Subject: mm: fix page table unmap for stack guard page properly
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 11ac552477e32835cb6970bf0a70c210807f5673 upstream.
-
-We do in fact need to unmap the page table _before_ doing the whole
-stack guard page logic, because if it is needed (mainly 32-bit x86 with
-PAE and CONFIG_HIGHPTE, but other architectures may use it too) then it
-will do a kmap_atomic/kunmap_atomic.
-
-And those kmaps will create an atomic region that we cannot do
-allocations in.  However, the whole stack expand code will need to do
-anon_vma_prepare() and vma_lock_anon_vma() and they cannot do that in an
-atomic region.
-
-Now, a better model might actually be to do the anon_vma_prepare() when
-_creating_ a VM_GROWSDOWN segment, and not have to worry about any of
-this at page fault time.  But in the meantime, this is the
-straightforward fix for the issue.
-
-See https://bugzilla.kernel.org/show_bug.cgi?id=16588 for details.
-
-Reported-by: Wylda <wylda@volny.cz>
-Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
-Reported-by: Mike Pagano <mpagano@gentoo.org>
-Reported-by: François Valenduc <francois.valenduc@tvcablenet.be>
-Tested-by: Ed Tomlinson <edt@aei.ca>
-Cc: Pekka Enberg <penberg@kernel.org>
-Cc: Greg KH <gregkh@suse.de>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/memory.c |   13 ++++++-------
- 1 file changed, 6 insertions(+), 7 deletions(-)
-
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -2677,24 +2677,23 @@ static int do_anonymous_page(struct mm_s
-       spinlock_t *ptl;
-       pte_t entry;
--      if (check_stack_guard_page(vma, address) < 0) {
--              pte_unmap(page_table);
-+      pte_unmap(page_table);
-+
-+      /* Check if we need to add a guard page to the stack */
-+      if (check_stack_guard_page(vma, address) < 0)
-               return VM_FAULT_SIGBUS;
--      }
-+      /* Use the zero-page for reads */
-       if (!(flags & FAULT_FLAG_WRITE)) {
-               entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
-                                               vma->vm_page_prot));
--              ptl = pte_lockptr(mm, pmd);
--              spin_lock(ptl);
-+              page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
-               if (!pte_none(*page_table))
-                       goto unlock;
-               goto setpte;
-       }
-       /* Allocate our own private page. */
--      pte_unmap(page_table);
--
-       if (unlikely(anon_vma_prepare(vma)))
-               goto oom;
-       page = alloc_zeroed_user_highpage_movable(vma, address);
diff --git a/queue-2.6.33/mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch b/queue-2.6.33/mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch
deleted file mode 100644 (file)
index 145e798..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-From f8f72ad5396987e05a42cf7eff826fb2a15ff148 Mon Sep 17 00:00:00 2001
-From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Date: Tue, 26 Oct 2010 14:21:10 -0700
-Subject: mm: fix return value of scan_lru_pages in memory unplug
-
-From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-
-commit f8f72ad5396987e05a42cf7eff826fb2a15ff148 upstream.
-
-scan_lru_pages returns pfn. So, it's type should be "unsigned long"
-not "int".
-
-Note: I guess this has been work until now because memory hotplug tester's
-      machine has not very big memory....
-      physical address < 32bit << PAGE_SHIFT.
-
-Reported-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/memory_hotplug.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/mm/memory_hotplug.c
-+++ b/mm/memory_hotplug.c
-@@ -629,7 +629,7 @@ static int test_pages_in_a_zone(unsigned
-  * Scanning pfn is much easier than scanning lru list.
-  * Scan pfn from start to end and Find LRU page.
-  */
--int scan_lru_pages(unsigned long start, unsigned long end)
-+unsigned long scan_lru_pages(unsigned long start, unsigned long end)
- {
-       unsigned long pfn;
-       struct page *page;
diff --git a/queue-2.6.33/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch b/queue-2.6.33/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
deleted file mode 100644 (file)
index 8863118..0000000
+++ /dev/null
@@ -1,89 +0,0 @@
-From d7824370e26325c881b665350ce64fb0a4fde24a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Sun, 15 Aug 2010 11:35:52 -0700
-Subject: mm: fix up some user-visible effects of the stack guard page
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit d7824370e26325c881b665350ce64fb0a4fde24a upstream.
-
-This commit makes the stack guard page somewhat less visible to user
-space. It does this by:
-
- - not showing the guard page in /proc/<pid>/maps
-
-   It looks like lvm-tools will actually read /proc/self/maps to figure
-   out where all its mappings are, and effectively do a specialized
-   "mlockall()" in user space.  By not showing the guard page as part of
-   the mapping (by just adding PAGE_SIZE to the start for grows-up
-   pages), lvm-tools ends up not being aware of it.
-
- - by also teaching the _real_ mlock() functionality not to try to lock
-   the guard page.
-
-   That would just expand the mapping down to create a new guard page,
-   so there really is no point in trying to lock it in place.
-
-It would perhaps be nice to show the guard page specially in
-/proc/<pid>/maps (or at least mark grow-down segments some way), but
-let's not open ourselves up to more breakage by user space from programs
-that depends on the exact deails of the 'maps' file.
-
-Special thanks to Henrique de Moraes Holschuh for diving into lvm-tools
-source code to see what was going on with the whole new warning.
-
-Reported-and-tested-by: François Valenduc <francois.valenduc@tvcablenet.be
-Reported-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/proc/task_mmu.c |    8 +++++++-
- mm/mlock.c         |    8 ++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
---- a/fs/proc/task_mmu.c
-+++ b/fs/proc/task_mmu.c
-@@ -206,6 +206,7 @@ static void show_map_vma(struct seq_file
-       int flags = vma->vm_flags;
-       unsigned long ino = 0;
-       unsigned long long pgoff = 0;
-+      unsigned long start;
-       dev_t dev = 0;
-       int len;
-@@ -216,8 +217,13 @@ static void show_map_vma(struct seq_file
-               pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
-       }
-+      /* We don't show the stack guard page in /proc/maps */
-+      start = vma->vm_start;
-+      if (vma->vm_flags & VM_GROWSDOWN)
-+              start += PAGE_SIZE;
-+
-       seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
--                      vma->vm_start,
-+                      start,
-                       vma->vm_end,
-                       flags & VM_READ ? 'r' : '-',
-                       flags & VM_WRITE ? 'w' : '-',
---- a/mm/mlock.c
-+++ b/mm/mlock.c
-@@ -167,6 +167,14 @@ static long __mlock_vma_pages_range(stru
-       if (vma->vm_flags & VM_WRITE)
-               gup_flags |= FOLL_WRITE;
-+      /* We don't try to access the guard page of a stack vma */
-+      if (vma->vm_flags & VM_GROWSDOWN) {
-+              if (start == vma->vm_start) {
-+                      start += PAGE_SIZE;
-+                      nr_pages--;
-+              }
-+      }
-+
-       while (nr_pages > 0) {
-               int i;
diff --git a/queue-2.6.33/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch b/queue-2.6.33/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
deleted file mode 100644 (file)
index fbd33ce..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-From 320b2b8de12698082609ebbc1a17165727f4c893 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Thu, 12 Aug 2010 17:54:33 -0700
-Subject: mm: keep a guard page below a grow-down stack segment
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 320b2b8de12698082609ebbc1a17165727f4c893 upstream.
-
-This is a rather minimally invasive patch to solve the problem of the
-user stack growing into a memory mapped area below it.  Whenever we fill
-the first page of the stack segment, expand the segment down by one
-page.
-
-Now, admittedly some odd application might _want_ the stack to grow down
-into the preceding memory mapping, and so we may at some point need to
-make this a process tunable (some people might also want to have more
-than a single page of guarding), but let's try the minimal approach
-first.
-
-Tested with trivial application that maps a single page just below the
-stack, and then starts recursing.  Without this, we will get a SIGSEGV
-_after_ the stack has smashed the mapping.  With this patch, we'll get a
-nice SIGBUS just as the stack touches the page just above the mapping.
-
-Requested-by: Keith Packard <keithp@keithp.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/memory.c |   23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -2645,6 +2645,26 @@ out_release:
- }
- /*
-+ * This is like a special single-page "expand_downwards()",
-+ * except we must first make sure that 'address-PAGE_SIZE'
-+ * doesn't hit another vma.
-+ *
-+ * The "find_vma()" will do the right thing even if we wrap
-+ */
-+static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
-+{
-+      address &= PAGE_MASK;
-+      if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
-+              address -= PAGE_SIZE;
-+              if (find_vma(vma->vm_mm, address) != vma)
-+                      return -ENOMEM;
-+
-+              expand_stack(vma, address);
-+      }
-+      return 0;
-+}
-+
-+/*
-  * We enter with non-exclusive mmap_sem (to exclude vma changes,
-  * but allow concurrent faults), and pte mapped but not yet locked.
-  * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -2657,6 +2677,9 @@ static int do_anonymous_page(struct mm_s
-       spinlock_t *ptl;
-       pte_t entry;
-+      if (check_stack_guard_page(vma, address) < 0)
-+              return VM_FAULT_SIGBUS;
-+
-       if (!(flags & FAULT_FLAG_WRITE)) {
-               entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
-                                               vma->vm_page_prot));
diff --git a/queue-2.6.33/mm-vfs-revalidate-page-mapping-in-do_generic_file_read.patch b/queue-2.6.33/mm-vfs-revalidate-page-mapping-in-do_generic_file_read.patch
deleted file mode 100644 (file)
index 2743bfe..0000000
+++ /dev/null
@@ -1,124 +0,0 @@
-From 8d056cb965b8fb7c53c564abf28b1962d1061cd3 Mon Sep 17 00:00:00 2001
-From: Dave Hansen <dave@linux.vnet.ibm.com>
-Date: Thu, 11 Nov 2010 14:05:15 -0800
-Subject: mm/vfs: revalidate page->mapping in do_generic_file_read()
-
-From: Dave Hansen <dave@linux.vnet.ibm.com>
-
-commit 8d056cb965b8fb7c53c564abf28b1962d1061cd3 upstream.
-
-70 hours into some stress tests of a 2.6.32-based enterprise kernel, we
-ran into a NULL dereference in here:
-
-       int block_is_partially_uptodate(struct page *page, read_descriptor_t *desc,
-                                               unsigned long from)
-       {
----->          struct inode *inode = page->mapping->host;
-
-It looks like page->mapping was the culprit.  (xmon trace is below).
-After closer examination, I realized that do_generic_file_read() does a
-find_get_page(), and eventually locks the page before calling
-block_is_partially_uptodate().  However, it doesn't revalidate the
-page->mapping after the page is locked.  So, there's a small window
-between the find_get_page() and ->is_partially_uptodate() where the page
-could get truncated and page->mapping cleared.
-
-We _have_ a reference, so it can't get reclaimed, but it certainly
-can be truncated.
-
-I think the correct thing is to check page->mapping after the
-trylock_page(), and jump out if it got truncated.  This patch has been
-running in the test environment for a month or so now, and we have not
-seen this bug pop up again.
-
-xmon info:
-
-  1f:mon> e
-  cpu 0x1f: Vector: 300 (Data Access) at [c0000002ae36f770]
-      pc: c0000000001e7a6c: .block_is_partially_uptodate+0xc/0x100
-      lr: c000000000142944: .generic_file_aio_read+0x1e4/0x770
-      sp: c0000002ae36f9f0
-     msr: 8000000000009032
-     dar: 0
-   dsisr: 40000000
-    current = 0xc000000378f99e30
-    paca    = 0xc000000000f66300
-      pid   = 21946, comm = bash
-  1f:mon> r
-  R00 = 0025c0500000006d   R16 = 0000000000000000
-  R01 = c0000002ae36f9f0   R17 = c000000362cd3af0
-  R02 = c000000000e8cd80   R18 = ffffffffffffffff
-  R03 = c0000000031d0f88   R19 = 0000000000000001
-  R04 = c0000002ae36fa68   R20 = c0000003bb97b8a0
-  R05 = 0000000000000000   R21 = c0000002ae36fa68
-  R06 = 0000000000000000   R22 = 0000000000000000
-  R07 = 0000000000000001   R23 = c0000002ae36fbb0
-  R08 = 0000000000000002   R24 = 0000000000000000
-  R09 = 0000000000000000   R25 = c000000362cd3a80
-  R10 = 0000000000000000   R26 = 0000000000000002
-  R11 = c0000000001e7b60   R27 = 0000000000000000
-  R12 = 0000000042000484   R28 = 0000000000000001
-  R13 = c000000000f66300   R29 = c0000003bb97b9b8
-  R14 = 0000000000000001   R30 = c000000000e28a08
-  R15 = 000000000000ffff   R31 = c0000000031d0f88
-  pc  = c0000000001e7a6c .block_is_partially_uptodate+0xc/0x100
-  lr  = c000000000142944 .generic_file_aio_read+0x1e4/0x770
-  msr = 8000000000009032   cr  = 22000488
-  ctr = c0000000001e7a60   xer = 0000000020000000   trap =  300
-  dar = 0000000000000000   dsisr = 40000000
-  1f:mon> t
-  [link register   ] c000000000142944 .generic_file_aio_read+0x1e4/0x770
-  [c0000002ae36f9f0] c000000000142a14 .generic_file_aio_read+0x2b4/0x770 (unreliable)
-  [c0000002ae36fb40] c0000000001b03e4 .do_sync_read+0xd4/0x160
-  [c0000002ae36fce0] c0000000001b153c .vfs_read+0xec/0x1f0
-  [c0000002ae36fd80] c0000000001b1768 .SyS_read+0x58/0xb0
-  [c0000002ae36fe30] c00000000000852c syscall_exit+0x0/0x40
-  --- Exception: c00 (System Call) at 00000080a840bc54
-  SP (fffca15df30) is in userspace
-  1f:mon> di c0000000001e7a6c
-  c0000000001e7a6c  e9290000      ld      r9,0(r9)
-  c0000000001e7a70  418200c0      beq     c0000000001e7b30        # .block_is_partially_uptodate+0xd0/0x100
-  c0000000001e7a74  e9440008      ld      r10,8(r4)
-  c0000000001e7a78  78a80020      clrldi  r8,r5,32
-  c0000000001e7a7c  3c000001      lis     r0,1
-  c0000000001e7a80  812900a8      lwz     r9,168(r9)
-  c0000000001e7a84  39600001      li      r11,1
-  c0000000001e7a88  7c080050      subf    r0,r8,r0
-  c0000000001e7a8c  7f805040      cmplw   cr7,r0,r10
-  c0000000001e7a90  7d6b4830      slw     r11,r11,r9
-  c0000000001e7a94  796b0020      clrldi  r11,r11,32
-  c0000000001e7a98  419d00a8      bgt     cr7,c0000000001e7b40    # .block_is_partially_uptodate+0xe0/0x100
-  c0000000001e7a9c  7fa55840      cmpld   cr7,r5,r11
-  c0000000001e7aa0  7d004214      add     r8,r0,r8
-  c0000000001e7aa4  79080020      clrldi  r8,r8,32
-  c0000000001e7aa8  419c0078      blt     cr7,c0000000001e7b20    # .block_is_partially_uptodate+0xc0/0x100
-
-Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
-Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
-Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
-Acked-by: Rik van Riel <riel@redhat.com>
-Cc: <arunabal@in.ibm.com>
-Cc: <sbest@us.ibm.com>
-Cc: Christoph Hellwig <hch@lst.de>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Cc: Minchan Kim <minchan.kim@gmail.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/filemap.c |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/mm/filemap.c
-+++ b/mm/filemap.c
-@@ -1009,6 +1009,9 @@ find_page:
-                               goto page_not_up_to_date;
-                       if (!trylock_page(page))
-                               goto page_not_up_to_date;
-+                      /* Did it get truncated before we got the lock? */
-+                      if (!page->mapping)
-+                              goto page_not_up_to_date_locked;
-                       if (!mapping->a_ops->is_partially_uptodate(page,
-                                                               desc, offset))
-                               goto page_not_up_to_date_locked;
diff --git a/queue-2.6.33/mm-vmscan-raise-the-bar-to-pageout_io_sync-stalls.patch b/queue-2.6.33/mm-vmscan-raise-the-bar-to-pageout_io_sync-stalls.patch
deleted file mode 100644 (file)
index 63bf6c1..0000000
+++ /dev/null
@@ -1,162 +0,0 @@
-From e31f3698cd3499e676f6b0ea12e3528f569c4fa3 Mon Sep 17 00:00:00 2001
-From: Wu Fengguang <fengguang.wu@intel.com>
-Date: Mon, 9 Aug 2010 17:20:01 -0700
-Subject: vmscan: raise the bar to PAGEOUT_IO_SYNC stalls
-
-From: Wu Fengguang <fengguang.wu@intel.com>
-
-commit e31f3698cd3499e676f6b0ea12e3528f569c4fa3 upstream.
-
-Fix "system goes unresponsive under memory pressure and lots of
-dirty/writeback pages" bug.
-
-       http://lkml.org/lkml/2010/4/4/86
-
-In the above thread, Andreas Mohr described that
-
-       Invoking any command locked up for minutes (note that I'm
-       talking about attempted additional I/O to the _other_,
-       _unaffected_ main system HDD - such as loading some shell
-       binaries -, NOT the external SSD18M!!).
-
-This happens when the two conditions are both meet:
-- under memory pressure
-- writing heavily to a slow device
-
-OOM also happens in Andreas' system.  The OOM trace shows that 3 processes
-are stuck in wait_on_page_writeback() in the direct reclaim path.  One in
-do_fork() and the other two in unix_stream_sendmsg().  They are blocked on
-this condition:
-
-       (sc->order && priority < DEF_PRIORITY - 2)
-
-which was introduced in commit 78dc583d (vmscan: low order lumpy reclaim
-also should use PAGEOUT_IO_SYNC) one year ago.  That condition may be too
-permissive.  In Andreas' case, 512MB/1024 = 512KB.  If the direct reclaim
-for the order-1 fork() allocation runs into a range of 512KB
-hard-to-reclaim LRU pages, it will be stalled.
-
-It's a severe problem in three ways.
-
-Firstly, it can easily happen in daily desktop usage.  vmscan priority can
-easily go below (DEF_PRIORITY - 2) on _local_ memory pressure.  Even if
-the system has 50% globally reclaimable pages, it still has good
-opportunity to have 0.1% sized hard-to-reclaim ranges.  For example, a
-simple dd can easily create a big range (up to 20%) of dirty pages in the
-LRU lists.  And order-1 to order-3 allocations are more than common with
-SLUB.  Try "grep -v '1 :' /proc/slabinfo" to get the list of high order
-slab caches.  For example, the order-1 radix_tree_node slab cache may
-stall applications at swap-in time; the order-3 inode cache on most
-filesystems may stall applications when trying to read some file; the
-order-2 proc_inode_cache may stall applications when trying to open a
-/proc file.
-
-Secondly, once triggered, it will stall unrelated processes (not doing IO
-at all) in the system.  This "one slow USB device stalls the whole system"
-avalanching effect is very bad.
-
-Thirdly, once stalled, the stall time could be intolerable long for the
-users.  When there are 20MB queued writeback pages and USB 1.1 is writing
-them in 1MB/s, wait_on_page_writeback() will stuck for up to 20 seconds.
-Not to mention it may be called multiple times.
-
-So raise the bar to only enable PAGEOUT_IO_SYNC when priority goes below
-DEF_PRIORITY/3, or 6.25% LRU size.  As the default dirty throttle ratio is
-20%, it will hardly be triggered by pure dirty pages.  We'd better treat
-PAGEOUT_IO_SYNC as some last resort workaround -- its stall time is so
-uncomfortably long (easily goes beyond 1s).
-
-The bar is only raised for (order < PAGE_ALLOC_COSTLY_ORDER) allocations,
-which are easy to satisfy in 1TB memory boxes.  So, although 6.25% of
-memory could be an awful lot of pages to scan on a system with 1TB of
-memory, it won't really have to busy scan that much.
-
-Andreas tested an older version of this patch and reported that it mostly
-fixed his problem.  Mel Gorman helped improve it and KOSAKI Motohiro will
-fix it further in the next patch.
-
-Reported-by: Andreas Mohr <andi@lisas.de>
-Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
-Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: Mel Gorman <mel@csn.ul.ie>
-Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
-Cc: Rik van Riel <riel@redhat.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
-
----
- mm/vmscan.c |   53 +++++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 45 insertions(+), 8 deletions(-)
-
---- a/mm/vmscan.c
-+++ b/mm/vmscan.c
-@@ -1082,6 +1082,48 @@ static int too_many_isolated(struct zone
- }
- /*
-+ * Returns true if the caller should wait to clean dirty/writeback pages.
-+ *
-+ * If we are direct reclaiming for contiguous pages and we do not reclaim
-+ * everything in the list, try again and wait for writeback IO to complete.
-+ * This will stall high-order allocations noticeably. Only do that when really
-+ * need to free the pages under high memory pressure.
-+ */
-+static inline bool should_reclaim_stall(unsigned long nr_taken,
-+                                      unsigned long nr_freed,
-+                                      int priority,
-+                                      int lumpy_reclaim,
-+                                      struct scan_control *sc)
-+{
-+      int lumpy_stall_priority;
-+
-+      /* kswapd should not stall on sync IO */
-+      if (current_is_kswapd())
-+              return false;
-+
-+      /* Only stall on lumpy reclaim */
-+      if (!lumpy_reclaim)
-+              return false;
-+
-+      /* If we have relaimed everything on the isolated list, no stall */
-+      if (nr_freed == nr_taken)
-+              return false;
-+
-+      /*
-+       * For high-order allocations, there are two stall thresholds.
-+       * High-cost allocations stall immediately where as lower
-+       * order allocations such as stacks require the scanning
-+       * priority to be much higher before stalling.
-+       */
-+      if (sc->order > PAGE_ALLOC_COSTLY_ORDER)
-+              lumpy_stall_priority = DEF_PRIORITY;
-+      else
-+              lumpy_stall_priority = DEF_PRIORITY / 3;
-+
-+      return priority <= lumpy_stall_priority;
-+}
-+
-+/*
-  * shrink_inactive_list() is a helper for shrink_zone().  It returns the number
-  * of reclaimed pages
-  */
-@@ -1173,14 +1215,9 @@ static unsigned long shrink_inactive_lis
-               nr_scanned += nr_scan;
-               nr_freed = shrink_page_list(&page_list, sc, PAGEOUT_IO_ASYNC);
--              /*
--               * If we are direct reclaiming for contiguous pages and we do
--               * not reclaim everything in the list, try again and wait
--               * for IO to complete. This will stall high-order allocations
--               * but that should be acceptable to the caller
--               */
--              if (nr_freed < nr_taken && !current_is_kswapd() &&
--                  lumpy_reclaim) {
-+              /* Check if we should syncronously wait for writeback */
-+              if (should_reclaim_stall(nr_taken, nr_freed, priority,
-+                                      lumpy_reclaim, sc)) {
-                       congestion_wait(BLK_RW_ASYNC, HZ/10);
-                       /*
diff --git a/queue-2.6.33/mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch b/queue-2.6.33/mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch
deleted file mode 100644 (file)
index cc94c87..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-From 3ee48b6af49cf534ca2f481ecc484b156a41451d Mon Sep 17 00:00:00 2001
-From: Cliff Wickman <cpw@sgi.com>
-Date: Thu, 16 Sep 2010 11:44:02 -0500
-Subject: mm, x86: Saving vmcore with non-lazy freeing of vmas
-
-From: Cliff Wickman <cpw@sgi.com>
-
-commit 3ee48b6af49cf534ca2f481ecc484b156a41451d upstream.
-
-During the reading of /proc/vmcore the kernel is doing
-ioremap()/iounmap() repeatedly. And the buildup of un-flushed
-vm_area_struct's is causing a great deal of overhead. (rb_next()
-is chewing up most of that time).
-
-This solution is to provide function set_iounmap_nonlazy(). It
-causes a subsequent call to iounmap() to immediately purge the
-vma area (with try_purge_vmap_area_lazy()).
-
-With this patch we have seen the time for writing a 250MB
-compressed dump drop from 71 seconds to 44 seconds.
-
-Signed-off-by: Cliff Wickman <cpw@sgi.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: kexec@lists.infradead.org
-LKML-Reference: <E1OwHZ4-0005WK-Tw@eag09.americas.sgi.com>
-Signed-off-by: Ingo Molnar <mingo@elte.hu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/io.h       |    1 +
- arch/x86/kernel/crash_dump_64.c |    1 +
- mm/vmalloc.c                    |    9 +++++++++
- 3 files changed, 11 insertions(+)
-
---- a/arch/x86/include/asm/io.h
-+++ b/arch/x86/include/asm/io.h
-@@ -172,6 +172,7 @@ static inline void __iomem *ioremap(reso
- extern void iounmap(volatile void __iomem *addr);
-+extern void set_iounmap_nonlazy(void);
- #ifdef CONFIG_X86_32
- # include "io_32.h"
---- a/arch/x86/kernel/crash_dump_64.c
-+++ b/arch/x86/kernel/crash_dump_64.c
-@@ -46,6 +46,7 @@ ssize_t copy_oldmem_page(unsigned long p
-       } else
-               memcpy(buf, vaddr + offset, csize);
-+      set_iounmap_nonlazy();
-       iounmap(vaddr);
-       return csize;
- }
---- a/mm/vmalloc.c
-+++ b/mm/vmalloc.c
-@@ -513,6 +513,15 @@ static atomic_t vmap_lazy_nr = ATOMIC_IN
- static void purge_fragmented_blocks_allcpus(void);
- /*
-+ * called before a call to iounmap() if the caller wants vm_area_struct's
-+ * immediately freed.
-+ */
-+void set_iounmap_nonlazy(void)
-+{
-+      atomic_set(&vmap_lazy_nr, lazy_max_pages()+1);
-+}
-+
-+/*
-  * Purges all lazily-freed vmap areas.
-  *
-  * If sync is 0 then don't purge if there is already a purge in progress.
diff --git a/queue-2.6.33/mmc-sdhci-s3c-fix-null-ptr-access-in-sdhci_s3c_remove.patch b/queue-2.6.33/mmc-sdhci-s3c-fix-null-ptr-access-in-sdhci_s3c_remove.patch
deleted file mode 100644 (file)
index a8a4681..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-From 9320f7cbbdd5febf013b0e91db29189724057738 Mon Sep 17 00:00:00 2001
-From: Marek Szyprowski <m.szyprowski@samsung.com>
-Date: Thu, 23 Sep 2010 16:22:05 +0200
-Subject: mmc: sdhci-s3c: fix NULL ptr access in sdhci_s3c_remove
-
-From: Marek Szyprowski <m.szyprowski@samsung.com>
-
-commit 9320f7cbbdd5febf013b0e91db29189724057738 upstream.
-
-If not all clocks have been defined in platform data, the driver will
-cause a null pointer dereference when it is removed. This patch fixes
-this issue.
-
-Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
-Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Chris Ball <cjb@laptop.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/mmc/host/sdhci-s3c.c |    6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/mmc/host/sdhci-s3c.c
-+++ b/drivers/mmc/host/sdhci-s3c.c
-@@ -379,8 +379,10 @@ static int __devexit sdhci_s3c_remove(st
-       sdhci_remove_host(host, 1);
-       for (ptr = 0; ptr < 3; ptr++) {
--              clk_disable(sc->clk_bus[ptr]);
--              clk_put(sc->clk_bus[ptr]);
-+              if (sc->clk_bus[ptr]) {
-+                      clk_disable(sc->clk_bus[ptr]);
-+                      clk_put(sc->clk_bus[ptr]);
-+              }
-       }
-       clk_disable(sc->clk_io);
-       clk_put(sc->clk_io);
diff --git a/queue-2.6.33/net-blackhole-route-should-always-be-recalculated.patch b/queue-2.6.33/net-blackhole-route-should-always-be-recalculated.patch
deleted file mode 100644 (file)
index 769eb98..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-From 9e244c6ac5641f48b55044d9fc3995f32a2f8208 Mon Sep 17 00:00:00 2001
-From: Jianzhao Wang <jianzhao.wang@6wind.com>
-Date: Wed, 8 Sep 2010 14:35:43 -0700
-Subject: net: blackhole route should always be recalculated
-
-
-From: Jianzhao Wang <jianzhao.wang@6wind.com>
-
-[ Upstream commit ae2688d59b5f861dc70a091d003773975d2ae7fb ]
-
-Blackhole routes are used when xfrm_lookup() returns -EREMOTE (error
-triggered by IKE for example), hence this kind of route is always
-temporary and so we should check if a better route exists for next
-packets.
-Bug has been introduced by commit d11a4dc18bf41719c9f0d7ed494d295dd2973b92.
-
-Signed-off-by: Jianzhao Wang <jianzhao.wang@6wind.com>
-Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/route.c |    7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -2721,6 +2721,11 @@ slow_output:
- EXPORT_SYMBOL_GPL(__ip_route_output_key);
-+static struct dst_entry *ipv4_blackhole_dst_check(struct dst_entry *dst, u32 cookie)
-+{
-+      return NULL;
-+}
-+
- static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
- {
- }
-@@ -2729,7 +2734,7 @@ static struct dst_ops ipv4_dst_blackhole
-       .family                 =       AF_INET,
-       .protocol               =       cpu_to_be16(ETH_P_IP),
-       .destroy                =       ipv4_dst_destroy,
--      .check                  =       ipv4_dst_check,
-+      .check                  =       ipv4_blackhole_dst_check,
-       .update_pmtu            =       ipv4_rt_blackhole_update_pmtu,
-       .entries                =       ATOMIC_INIT(0),
- };
diff --git a/queue-2.6.33/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch b/queue-2.6.33/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
deleted file mode 100644 (file)
index cf9edfa..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From ae6df5f96a51818d6376da5307d773baeece4014 Mon Sep 17 00:00:00 2001
-From: Kees Cook <kees.cook@canonical.com>
-Date: Thu, 7 Oct 2010 10:03:48 +0000
-Subject: net: clear heap allocation for ETHTOOL_GRXCLSRLALL
-
-From: Kees Cook <kees.cook@canonical.com>
-
-commit ae6df5f96a51818d6376da5307d773baeece4014 upstream.
-
-Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
-heap without clearing it. For the one driver (niu) that implements it,
-it will leave the unused portion of heap unchanged and copy the full
-contents back to userspace.
-
-Signed-off-by: Kees Cook <kees.cook@canonical.com>
-Acked-by: Ben Hutchings <bhutchings@solarflare.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/core/ethtool.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/core/ethtool.c
-+++ b/net/core/ethtool.c
-@@ -258,7 +258,7 @@ static int ethtool_get_rxnfc(struct net_
-       if (info.cmd == ETHTOOL_GRXCLSRLALL) {
-               if (info.rule_cnt > 0) {
-                       if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
--                              rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
-+                              rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
-                                                  GFP_USER);
-                       if (!rule_buf)
-                               return -ENOMEM;
diff --git a/queue-2.6.33/net-clear-heap-allocations-for-privileged-ethtool-actions.patch b/queue-2.6.33/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
deleted file mode 100644 (file)
index 357c909..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From cc0ae35298fdf854a48fbf16be07177156a282a7 Mon Sep 17 00:00:00 2001
-From: Kees Cook <kees.cook@canonical.com>
-Date: Mon, 11 Oct 2010 12:23:25 -0700
-Subject: net: clear heap allocations for privileged ethtool actions
-
-
-From: Kees Cook <kees.cook@canonical.com>
-
-[ Upstream commit b00916b189d13a615ff05c9242201135992fcda3 ]
-
-Several other ethtool functions leave heap uncleared (potentially) by
-drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
-are well controlled. In some situations (e.g. unchecked error conditions),
-the heap will remain unchanged in areas before copying back to userspace.
-Note that these are less of an issue since these all require CAP_NET_ADMIN.
-
-Cc: stable@kernel.org
-Signed-off-by: Kees Cook <kees.cook@canonical.com>
-Acked-by: Ben Hutchings <bhutchings@solarflare.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/core/ethtool.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/core/ethtool.c
-+++ b/net/core/ethtool.c
-@@ -304,7 +304,7 @@ static int ethtool_get_regs(struct net_d
-       if (regs.len > reglen)
-               regs.len = reglen;
--      regbuf = kmalloc(reglen, GFP_USER);
-+      regbuf = kzalloc(reglen, GFP_USER);
-       if (!regbuf)
-               return -ENOMEM;
diff --git a/queue-2.6.33/net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch b/queue-2.6.33/net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch
deleted file mode 100644 (file)
index 2087211..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From c5770f1ec3ce0ea87d6c0193d7f9c1331c278996 Mon Sep 17 00:00:00 2001
-From: Maciej Å»enczykowski <maze@google.com>
-Date: Sun, 3 Oct 2010 14:49:00 -0700
-Subject: net: Fix IPv6 PMTU disc. w/ asymmetric routes
-
-
-From: Maciej Å»enczykowski <maze@google.com>
-
-[ Upstream commit ae878ae280bea286ff2b1e1cb6e609dd8cb4501d ]
-
-Signed-off-by: Maciej Å»enczykowski <maze@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv6/route.c |   28 ++++++++++++++++++++++++----
- 1 file changed, 24 insertions(+), 4 deletions(-)
-
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -1567,14 +1567,13 @@ out:
-  *    i.e. Path MTU discovery
-  */
--void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
--                      struct net_device *dev, u32 pmtu)
-+static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
-+                           struct net *net, u32 pmtu, int ifindex)
- {
-       struct rt6_info *rt, *nrt;
--      struct net *net = dev_net(dev);
-       int allfrag = 0;
--      rt = rt6_lookup(net, daddr, saddr, dev->ifindex, 0);
-+      rt = rt6_lookup(net, daddr, saddr, ifindex, 0);
-       if (rt == NULL)
-               return;
-@@ -1642,6 +1641,27 @@ out:
-       dst_release(&rt->u.dst);
- }
-+void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
-+                      struct net_device *dev, u32 pmtu)
-+{
-+      struct net *net = dev_net(dev);
-+
-+      /*
-+       * RFC 1981 states that a node "MUST reduce the size of the packets it
-+       * is sending along the path" that caused the Packet Too Big message.
-+       * Since it's not possible in the general case to determine which
-+       * interface was used to send the original packet, we update the MTU
-+       * on the interface that will be used to send future packets. We also
-+       * update the MTU on the interface that received the Packet Too Big in
-+       * case the original packet was forced out that interface with
-+       * SO_BINDTODEVICE or similar. This is the next best thing to the
-+       * correct behaviour, which would be to update the MTU on all
-+       * interfaces.
-+       */
-+      rt6_do_pmtu_disc(daddr, saddr, net, pmtu, 0);
-+      rt6_do_pmtu_disc(daddr, saddr, net, pmtu, dev->ifindex);
-+}
-+
- /*
-  *    Misc support functions
-  */
diff --git a/queue-2.6.33/net-fix-the-condition-passed-to-sk_wait_event.patch b/queue-2.6.33/net-fix-the-condition-passed-to-sk_wait_event.patch
deleted file mode 100644 (file)
index 68921cb..0000000
+++ /dev/null
@@ -1,70 +0,0 @@
-From 0c5647cd1cc02c549cfe0ea602e1c498519670ef Mon Sep 17 00:00:00 2001
-From: Nagendra Tomar <tomer_iisc@yahoo.com>
-Date: Sat, 2 Oct 2010 23:45:06 +0000
-Subject: net: Fix the condition passed to sk_wait_event()
-
-
-From: Nagendra Tomar <tomer_iisc@yahoo.com>
-
-[ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ]
-
-This patch fixes the condition (3rd arg) passed to sk_wait_event() in
-sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
-causes the following soft lockup in tcp_sendmsg() when the global tcp
-memory pool has exhausted.
-
->>> snip <<<
-
-localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
-localhost kernel: CPU 3:
-localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
-localhost kernel:
-localhost kernel: Call Trace:
-localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
-localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
-localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
-localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
-localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
-localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
-localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
-localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
-localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
-localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
-
->>> snip <<<
-
-What is happening is, that the sk_wait_event() condition passed from
-sk_stream_wait_memory() evaluates to true for the case of tcp global memory
-exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
-which causes sk_wait_event() to *not* call schedule_timeout().
-Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
-This causes the caller to again try allocation, which again fails and again
-calls sk_stream_wait_memory(), and so on.
-
-[ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088
-  ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
-
-Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/core/stream.c |    8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/net/core/stream.c
-+++ b/net/core/stream.c
-@@ -140,10 +140,10 @@ int sk_stream_wait_memory(struct sock *s
-               set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
-               sk->sk_write_pending++;
--              sk_wait_event(sk, &current_timeo, !sk->sk_err &&
--                                                !(sk->sk_shutdown & SEND_SHUTDOWN) &&
--                                                sk_stream_memory_free(sk) &&
--                                                vm_wait);
-+              sk_wait_event(sk, &current_timeo, sk->sk_err ||
-+                                                (sk->sk_shutdown & SEND_SHUTDOWN) ||
-+                                                (sk_stream_memory_free(sk) &&
-+                                                !vm_wait));
-               sk->sk_write_pending--;
-               if (vm_wait) {
diff --git a/queue-2.6.33/net-limit-socket-i-o-iovec-total-length-to-int_max.patch b/queue-2.6.33/net-limit-socket-i-o-iovec-total-length-to-int_max.patch
deleted file mode 100644 (file)
index f6f370c..0000000
+++ /dev/null
@@ -1,104 +0,0 @@
-From 8acfe468b0384e834a303f08ebc4953d72fb690a Mon Sep 17 00:00:00 2001
-From: David S. Miller <davem@davemloft.net>
-Date: Thu, 28 Oct 2010 11:41:55 -0700
-Subject: net: Limit socket I/O iovec total length to INT_MAX.
-
-From: David S. Miller <davem@davemloft.net>
-
-commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.
-
-This helps protect us from overflow issues down in the
-individual protocol sendmsg/recvmsg handlers.  Once
-we hit INT_MAX we truncate out the rest of the iovec
-by setting the iov_len members to zero.
-
-This works because:
-
-1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
-   writes are allowed and the application will just continue
-   with another write to send the rest of the data.
-
-2) For datagram oriented sockets, where there must be a
-   one-to-one correspondance between write() calls and
-   packets on the wire, INT_MAX is going to be far larger
-   than the packet size limit the protocol is going to
-   check for and signal with -EMSGSIZE.
-
-Based upon a patch by Linus Torvalds.
-
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- include/linux/socket.h |    2 +-
- net/compat.c           |   10 ++++++----
- net/core/iovec.c       |   20 +++++++++-----------
- 3 files changed, 16 insertions(+), 16 deletions(-)
-
---- a/include/linux/socket.h
-+++ b/include/linux/socket.h
-@@ -313,7 +313,7 @@ extern int csum_partial_copy_fromiovecen
-                                         int offset, 
-                                         unsigned int len, __wsum *csump);
--extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
-+extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
- extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
- extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
-                            int offset, int len);
---- a/net/compat.c
-+++ b/net/compat.c
-@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_t
-               compat_size_t len;
-               if (get_user(len, &uiov32->iov_len) ||
--                 get_user(buf, &uiov32->iov_base)) {
--                      tot_len = -EFAULT;
--                      break;
--              }
-+                  get_user(buf, &uiov32->iov_base))
-+                      return -EFAULT;
-+
-+              if (len > INT_MAX - tot_len)
-+                      len = INT_MAX - tot_len;
-+
-               tot_len += len;
-               kiov->iov_base = compat_ptr(buf);
-               kiov->iov_len = (__kernel_size_t) len;
---- a/net/core/iovec.c
-+++ b/net/core/iovec.c
-@@ -36,10 +36,9 @@
-  *    in any case.
-  */
--long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
-+int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
- {
--      int size, ct;
--      long err;
-+      int size, ct, err;
-       if (m->msg_namelen) {
-               if (mode == VERIFY_READ) {
-@@ -61,14 +60,13 @@ long verify_iovec(struct msghdr *m, stru
-       err = 0;
-       for (ct = 0; ct < m->msg_iovlen; ct++) {
--              err += iov[ct].iov_len;
--              /*
--               * Goal is not to verify user data, but to prevent returning
--               * negative value, which is interpreted as errno.
--               * Overflow is still possible, but it is harmless.
--               */
--              if (err < 0)
--                      return -EMSGSIZE;
-+              size_t len = iov[ct].iov_len;
-+
-+              if (len > INT_MAX - err) {
-+                      len = INT_MAX - err;
-+                      iov[ct].iov_len = len;
-+              }
-+              err += len;
-       }
-       return err;
diff --git a/queue-2.6.33/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch b/queue-2.6.33/net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch
deleted file mode 100644 (file)
index 9526da4..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <bhutchings@solarflare.com>
-Date: Fri, 22 Oct 2010 04:38:26 +0000
-Subject: net: NETIF_F_HW_CSUM does not imply FCoE CRC offload
-
-From: Ben Hutchings <bhutchings@solarflare.com>
-
-commit 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 upstream.
-
-NETIF_F_HW_CSUM indicates the ability to update an TCP/IP-style 16-bit
-checksum with the checksum of an arbitrary part of the packet data,
-whereas the FCoE CRC is something entirely different.
-
-Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/core/dev.c |    6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -1590,10 +1590,10 @@ EXPORT_SYMBOL(netif_device_attach);
- static bool can_checksum_protocol(unsigned long features, __be16 protocol)
- {
--      return ((features & NETIF_F_GEN_CSUM) ||
--              ((features & NETIF_F_IP_CSUM) &&
-+      return ((features & NETIF_F_NO_CSUM) ||
-+              ((features & NETIF_F_V4_CSUM) &&
-                protocol == htons(ETH_P_IP)) ||
--              ((features & NETIF_F_IPV6_CSUM) &&
-+              ((features & NETIF_F_V6_CSUM) &&
-                protocol == htons(ETH_P_IPV6)) ||
-               ((features & NETIF_F_FCOE_CRC) &&
-                protocol == htons(ETH_P_FCOE)));
diff --git a/queue-2.6.33/net-truncate-recvfrom-and-sendto-length-to-int_max.patch b/queue-2.6.33/net-truncate-recvfrom-and-sendto-length-to-int_max.patch
deleted file mode 100644 (file)
index 8e7bc1a..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 253eacc070b114c2ec1f81b067d2fed7305467b0 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Sat, 30 Oct 2010 16:43:10 -0700
-Subject: net: Truncate recvfrom and sendto length to INT_MAX.
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
-
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/socket.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1671,6 +1671,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __
-       struct iovec iov;
-       int fput_needed;
-+      if (len > INT_MAX)
-+              len = INT_MAX;
-       sock = sockfd_lookup_light(fd, &err, &fput_needed);
-       if (!sock)
-               goto out;
-@@ -1728,6 +1730,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
-       int err, err2;
-       int fput_needed;
-+      if (size > INT_MAX)
-+              size = INT_MAX;
-       sock = sockfd_lookup_light(fd, &err, &fput_needed);
-       if (!sock)
-               goto out;
diff --git a/queue-2.6.33/netfilter-nf_conntrack-allow-nf_ct_alloc_hashtable-to-get-highmem-pages.patch b/queue-2.6.33/netfilter-nf_conntrack-allow-nf_ct_alloc_hashtable-to-get-highmem-pages.patch
deleted file mode 100644 (file)
index 8c9f103..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6b1686a71e3158d3c5f125260effce171cc7852b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <eric.dumazet@gmail.com>
-Date: Thu, 28 Oct 2010 12:34:21 +0200
-Subject: netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem pages
-
-From: Eric Dumazet <eric.dumazet@gmail.com>
-
-commit 6b1686a71e3158d3c5f125260effce171cc7852b upstream.
-
-commit ea781f197d6a8 (use SLAB_DESTROY_BY_RCU and get rid of call_rcu())
-did a mistake in __vmalloc() call in nf_ct_alloc_hashtable().
-
-I forgot to add __GFP_HIGHMEM, so pages were taken from LOWMEM only.
-
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-Signed-off-by: Patrick McHardy <kaber@trash.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/netfilter/nf_conntrack_core.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/netfilter/nf_conntrack_core.c
-+++ b/net/netfilter/nf_conntrack_core.c
-@@ -1178,7 +1178,8 @@ void *nf_ct_alloc_hashtable(unsigned int
-       if (!hash) {
-               *vmalloced = 1;
-               printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
--              hash = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
-+              hash = __vmalloc(sz, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
-+                               PAGE_KERNEL);
-       }
-       if (hash && nulls)
diff --git a/queue-2.6.33/netxen-dont-set-skb-truesize.patch b/queue-2.6.33/netxen-dont-set-skb-truesize.patch
deleted file mode 100644 (file)
index 3419436..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From a15b685b82ecb42ca10fae48a5a07aebf348c480 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <eric.dumazet@gmail.com>
-Date: Tue, 21 Sep 2010 13:04:04 -0700
-Subject: netxen: dont set skb->truesize
-
-
-From: Eric Dumazet <eric.dumazet@gmail.com>
-
-[ Upstream commit 7e96dc7045bff8758804b047c0dfb6868f182500 ]
-
-skb->truesize is set in core network.
-
-Dont change it unless dealing with fragments.
-
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- drivers/net/netxen/netxen_nic_init.c |    3 ---
- 1 file changed, 3 deletions(-)
-
---- a/drivers/net/netxen/netxen_nic_init.c
-+++ b/drivers/net/netxen/netxen_nic_init.c
-@@ -1398,7 +1398,6 @@ netxen_process_rcv(struct netxen_adapter
-       if (pkt_offset)
-               skb_pull(skb, pkt_offset);
--      skb->truesize = skb->len + sizeof(struct sk_buff);
-       skb->protocol = eth_type_trans(skb, netdev);
-       napi_gro_receive(&sds_ring->napi, skb);
-@@ -1460,8 +1459,6 @@ netxen_process_lro(struct netxen_adapter
-       skb_put(skb, lro_length + data_offset);
--      skb->truesize = skb->len + sizeof(struct sk_buff) + skb_headroom(skb);
--
-       skb_pull(skb, l2_hdr_offset);
-       skb->protocol = eth_type_trans(skb, netdev);
diff --git a/queue-2.6.33/nohz-s390-fix-arch_needs_cpu-return-value-on-offline-cpus.patch b/queue-2.6.33/nohz-s390-fix-arch_needs_cpu-return-value-on-offline-cpus.patch
deleted file mode 100644 (file)
index b0f5245..0000000
+++ /dev/null
@@ -1,95 +0,0 @@
-From 398812159e328478ae49b4bd01f0d71efea96c39 Mon Sep 17 00:00:00 2001
-From: Heiko Carstens <heiko.carstens@de.ibm.com>
-Date: Wed, 1 Dec 2010 10:08:01 +0100
-Subject: [S390] nohz/s390: fix arch_needs_cpu() return value on offline cpus
-
-From: Heiko Carstens <heiko.carstens@de.ibm.com>
-
-commit 398812159e328478ae49b4bd01f0d71efea96c39 upstream.
-
-This fixes the same problem as described in the patch "nohz: fix
-printk_needs_cpu() return value on offline cpus" for the arch_needs_cpu()
-primitive:
-
-arch_needs_cpu() may return 1 if called on offline cpus. When a cpu gets
-offlined it schedules the idle process which, before killing its own cpu,
-will call tick_nohz_stop_sched_tick().
-That function in turn will call arch_needs_cpu() in order to check if the
-local tick can be disabled. On offline cpus this function should naturally
-return 0 since regardless if the tick gets disabled or not the cpu will be
-dead short after. That is besides the fact that __cpu_disable() should already
-have made sure that no interrupts on the offlined cpu will be delivered anyway.
-
-In this case it prevents tick_nohz_stop_sched_tick() to call
-select_nohz_load_balancer(). No idea if that really is a problem. However what
-made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is
-used within __mod_timer() to select a cpu on which a timer gets enqueued.
-If arch_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get
-updated when a cpu gets offlined. It may contain the cpu number of an offline
-cpu. In turn timers get enqueued on an offline cpu and not very surprisingly
-they never expire and cause system hangs.
-
-This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses
-get_nohz_timer_target() which doesn't have that problem. However there might
-be other problems because of the too early exit tick_nohz_stop_sched_tick()
-in case a cpu goes offline.
-
-This specific bug was indrocuded with 3c5d92a0 "nohz: Introduce
-arch_needs_cpu".
-
-In this case a cpu hotplug notifier is used to fix the issue in order to keep
-the normal/fast path small. All we need to do is to clear the condition that
-makes arch_needs_cpu() return 1 since it is just a performance improvement
-which is supposed to keep the local tick running for a short period if a cpu
-goes idle. Nothing special needs to be done except for clearing the condition.
-
-Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
-Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/s390/kernel/vtime.c |   19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
---- a/arch/s390/kernel/vtime.c
-+++ b/arch/s390/kernel/vtime.c
-@@ -19,6 +19,7 @@
- #include <linux/kernel_stat.h>
- #include <linux/rcupdate.h>
- #include <linux/posix-timers.h>
-+#include <linux/cpu.h>
- #include <asm/s390_ext.h>
- #include <asm/timer.h>
-@@ -562,6 +563,23 @@ void init_cpu_vtimer(void)
-       __ctl_set_bit(0,10);
- }
-+static int __cpuinit s390_nohz_notify(struct notifier_block *self,
-+                                    unsigned long action, void *hcpu)
-+{
-+      struct s390_idle_data *idle;
-+      long cpu = (long) hcpu;
-+
-+      idle = &per_cpu(s390_idle, cpu);
-+      switch (action) {
-+      case CPU_DYING:
-+      case CPU_DYING_FROZEN:
-+              idle->nohz_delay = 0;
-+      default:
-+              break;
-+      }
-+      return NOTIFY_OK;
-+}
-+
- void __init vtime_init(void)
- {
-       /* request the cpu timer external interrupt */
-@@ -570,5 +588,6 @@ void __init vtime_init(void)
-       /* Enable cpu timer interrupts on the boot cpu. */
-       init_cpu_vtimer();
-+      cpu_notifier(s390_nohz_notify, 0);
- }
diff --git a/queue-2.6.33/nommu-yield-cpu-while-disposing-vm.patch b/queue-2.6.33/nommu-yield-cpu-while-disposing-vm.patch
deleted file mode 100644 (file)
index a86e7ec..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From 04c3496152394d17e3bc2316f9731ee3e8a026bc Mon Sep 17 00:00:00 2001
-From: Steven J. Magnani <steve@digidescorp.com>
-Date: Wed, 24 Nov 2010 12:56:54 -0800
-Subject: nommu: yield CPU while disposing VM
-
-From: Steven J. Magnani <steve@digidescorp.com>
-
-commit 04c3496152394d17e3bc2316f9731ee3e8a026bc upstream.
-
-Depending on processor speed, page size, and the amount of memory a
-process is allowed to amass, cleanup of a large VM may freeze the system
-for many seconds.  This can result in a watchdog timeout.
-
-Make sure other tasks receive some service when cleaning up large VMs.
-
-Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
-Cc: Greg Ungerer <gerg@snapgear.com>
-Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/nommu.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/mm/nommu.c
-+++ b/mm/nommu.c
-@@ -1643,6 +1643,7 @@ void exit_mmap(struct mm_struct *mm)
-               mm->mmap = vma->vm_next;
-               delete_vma_from_mm(vma);
-               delete_vma(mm, vma);
-+              cond_resched();
-       }
-       kleave("");
diff --git a/queue-2.6.33/numa-fix-slab_node-mpol_bind.patch b/queue-2.6.33/numa-fix-slab_node-mpol_bind.patch
deleted file mode 100644 (file)
index 6ec1975..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From 800416f799e0723635ac2d720ad4449917a1481c Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <eric.dumazet@gmail.com>
-Date: Wed, 27 Oct 2010 19:33:43 +0200
-Subject: numa: fix slab_node(MPOL_BIND)
-
-From: Eric Dumazet <eric.dumazet@gmail.com>
-
-commit 800416f799e0723635ac2d720ad4449917a1481c upstream.
-
-When a node contains only HighMem memory, slab_node(MPOL_BIND)
-dereferences a NULL pointer.
-
-[ This code seems to go back all the way to commit 19770b32609b: "mm:
-  filter based on a nodemask as well as a gfp_mask".  Which was back in
-  April 2008, and it got merged into 2.6.26.  - Linus ]
-
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-Cc: Mel Gorman <mel@csn.ul.ie>
-Cc: Christoph Lameter <cl@linux.com>
-Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/mempolicy.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1480,7 +1480,7 @@ unsigned slab_node(struct mempolicy *pol
-               (void)first_zones_zonelist(zonelist, highest_zoneidx,
-                                                       &policy->v.nodes,
-                                                       &zone);
--              return zone->node;
-+              return zone ? zone->node : numa_node_id();
-       }
-       default:
diff --git a/queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch b/queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
deleted file mode 100644 (file)
index d49b6f1..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001
-From: Joel Becker <joel.becker@oracle.com>
-Date: Wed, 29 Sep 2010 17:33:05 -0700
-Subject: ocfs2: Don't walk off the end of fast symlinks.
-
-From: Joel Becker <joel.becker@oracle.com>
-
-commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.
-
-ocfs2 fast symlinks are NUL terminated strings stored inline in the
-inode data area.  However, disk corruption or a local attacker could, in
-theory, remove that NUL.  Because we're using strlen() (my fault,
-introduced in a731d1 when removing vfs_follow_link()), we could walk off
-the end of that string.
-
-Signed-off-by: Joel Becker <joel.becker@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/ocfs2/symlink.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/ocfs2/symlink.c
-+++ b/fs/ocfs2/symlink.c
-@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru
-       }
-       /* Fast symlinks can't be large */
--      len = strlen(target);
-+      len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
-       link = kzalloc(len + 1, GFP_NOFS);
-       if (!link) {
-               status = -ENOMEM;
diff --git a/queue-2.6.33/olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch b/queue-2.6.33/olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch
deleted file mode 100644 (file)
index 5413083..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
-From 7cfbb29466633e6ecdc14f76a693c8478c2b22af Mon Sep 17 00:00:00 2001
-From: Richard A. Smith <richard@laptop.org>
-Date: Sat, 25 Sep 2010 19:19:26 +0100
-Subject: olpc_battery: Fix endian neutral breakage for s16 values
-
-From: Richard A. Smith <richard@laptop.org>
-
-commit 7cfbb29466633e6ecdc14f76a693c8478c2b22af upstream.
-
-When the driver was updated to be endian neutral (8e9c7716c)
-the signed part of the s16 values was lost.  This is because be16_to_cpu()
-returns an unsigned value.  This patch casts the values back to a s16
-number prior to the the implicit cast up to an int.
-
-Signed-off-by: Richard A. Smith <richard@laptop.org>
-Signed-off-by: Daniel Drake <dsd@laptop.org>
-Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/power/olpc_battery.c |    8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/power/olpc_battery.c
-+++ b/drivers/power/olpc_battery.c
-@@ -271,14 +271,14 @@ static int olpc_bat_get_property(struct
-               if (ret)
-                       return ret;
--              val->intval = (int)be16_to_cpu(ec_word) * 9760L / 32;
-+              val->intval = (s16)be16_to_cpu(ec_word) * 9760L / 32;
-               break;
-       case POWER_SUPPLY_PROP_CURRENT_AVG:
-               ret = olpc_ec_cmd(EC_BAT_CURRENT, NULL, 0, (void *)&ec_word, 2);
-               if (ret)
-                       return ret;
--              val->intval = (int)be16_to_cpu(ec_word) * 15625L / 120;
-+              val->intval = (s16)be16_to_cpu(ec_word) * 15625L / 120;
-               break;
-       case POWER_SUPPLY_PROP_CAPACITY:
-               ret = olpc_ec_cmd(EC_BAT_SOC, NULL, 0, &ec_byte, 1);
-@@ -299,7 +299,7 @@ static int olpc_bat_get_property(struct
-               if (ret)
-                       return ret;
--              val->intval = (int)be16_to_cpu(ec_word) * 100 / 256;
-+              val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256;
-               break;
-       case POWER_SUPPLY_PROP_TEMP_AMBIENT:
-               ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2);
-@@ -313,7 +313,7 @@ static int olpc_bat_get_property(struct
-               if (ret)
-                       return ret;
--              val->intval = (int)be16_to_cpu(ec_word) * 6250 / 15;
-+              val->intval = (s16)be16_to_cpu(ec_word) * 6250 / 15;
-               break;
-       case POWER_SUPPLY_PROP_SERIAL_NUMBER:
-               ret = olpc_ec_cmd(EC_BAT_SERIAL, NULL, 0, (void *)&ser_buf, 8);
diff --git a/queue-2.6.33/p54usb-add-five-more-usbids.patch b/queue-2.6.33/p54usb-add-five-more-usbids.patch
deleted file mode 100644 (file)
index c4fd3ba..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-From 1a92795dac419128eb511dce30a6aad672064b88 Mon Sep 17 00:00:00 2001
-From: Christian Lamparter <chunkeey@googlemail.com>
-Date: Fri, 1 Oct 2010 22:01:24 +0200
-Subject: p54usb: add five more USBIDs
-
-From: Christian Lamparter <chunkeey@googlemail.com>
-
-commit 1a92795dac419128eb511dce30a6aad672064b88 upstream.
-
-Source:
-http://www.wikidevi.com/wiki/Intersil/p54/usb/windows
-
-Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/wireless/p54/p54usb.c |   13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
---- a/drivers/net/wireless/p54/p54usb.c
-+++ b/drivers/net/wireless/p54/p54usb.c
-@@ -32,8 +32,17 @@ MODULE_ALIAS("prism54usb");
- MODULE_FIRMWARE("isl3886usb");
- MODULE_FIRMWARE("isl3887usb");
-+/*
-+ * Note:
-+ *
-+ * Always update our wiki's device list (located at:
-+ * http://wireless.kernel.org/en/users/Drivers/p54/devices ),
-+ * whenever you add a new device.
-+ */
-+
- static struct usb_device_id p54u_table[] __devinitdata = {
-       /* Version 1 devices (pci chip + net2280) */
-+      {USB_DEVICE(0x045e, 0x00c2)},   /* Microsoft MN-710 */
-       {USB_DEVICE(0x0506, 0x0a11)},   /* 3COM 3CRWE254G72 */
-       {USB_DEVICE(0x0707, 0xee06)},   /* SMC 2862W-G */
-       {USB_DEVICE(0x07aa, 0x001c)},   /* Corega CG-WLUSB2GT */
-@@ -45,7 +54,9 @@ static struct usb_device_id p54u_table[]
-       {USB_DEVICE(0x0846, 0x4220)},   /* Netgear WG111 */
-       {USB_DEVICE(0x09aa, 0x1000)},   /* Spinnaker Proto board */
-       {USB_DEVICE(0x0cde, 0x0006)},   /* Medion 40900, Roper Europe */
-+      {USB_DEVICE(0x107b, 0x55f2)},   /* Gateway WGU-210 (Gemtek) */
-       {USB_DEVICE(0x124a, 0x4023)},   /* Shuttle PN15, Airvast WM168g, IOGear GWU513 */
-+      {USB_DEVICE(0x1630, 0x0005)},   /* 2Wire 802.11g USB (v1) / Z-Com */
-       {USB_DEVICE(0x1915, 0x2234)},   /* Linksys WUSB54G OEM */
-       {USB_DEVICE(0x1915, 0x2235)},   /* Linksys WUSB54G Portable OEM */
-       {USB_DEVICE(0x2001, 0x3701)},   /* DLink DWL-G120 Spinnaker */
-@@ -58,6 +69,7 @@ static struct usb_device_id p54u_table[]
-       {USB_DEVICE(0x050d, 0x7050)},   /* Belkin F5D7050 ver 1000 */
-       {USB_DEVICE(0x0572, 0x2000)},   /* Cohiba Proto board */
-       {USB_DEVICE(0x0572, 0x2002)},   /* Cohiba Proto board */
-+      {USB_DEVICE(0x06a9, 0x000e)},   /* Westell 802.11g USB (A90-211WG-01) */
-       {USB_DEVICE(0x06b9, 0x0121)},   /* Thomson SpeedTouch 121g */
-       {USB_DEVICE(0x0707, 0xee13)},   /* SMC 2862W-G version 2 */
-       {USB_DEVICE(0x083a, 0x4521)},   /* Siemens Gigaset USB Adapter 54 version 2 */
-@@ -77,6 +89,7 @@ static struct usb_device_id p54u_table[]
-       {USB_DEVICE(0x13B1, 0x000C)},   /* Linksys WUSB54AG */
-       {USB_DEVICE(0x1413, 0x5400)},   /* Telsey 802.11g USB2.0 Adapter */
-       {USB_DEVICE(0x1435, 0x0427)},   /* Inventel UR054G */
-+      {USB_DEVICE(0x1668, 0x1050)},   /* Actiontec 802UIG-1 */
-       {USB_DEVICE(0x2001, 0x3704)},   /* DLink DWL-G122 rev A2 */
-       {USB_DEVICE(0x413c, 0x5513)},   /* Dell WLA3310 USB Wireless Adapter */
-       {USB_DEVICE(0x413c, 0x8102)},   /* Spinnaker DUT */
diff --git a/queue-2.6.33/p54usb-fix-off-by-one-on-config_pm.patch b/queue-2.6.33/p54usb-fix-off-by-one-on-config_pm.patch
deleted file mode 100644 (file)
index 92af508..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 11791a6f7534906b4a01ffb54ba0b02ca39398ef Mon Sep 17 00:00:00 2001
-From: Christian Lamparter <chunkeey@googlemail.com>
-Date: Sun, 22 Aug 2010 22:41:33 +0200
-Subject: p54usb: fix off-by-one on !CONFIG_PM
-
-From: Christian Lamparter <chunkeey@googlemail.com>
-
-commit 11791a6f7534906b4a01ffb54ba0b02ca39398ef upstream.
-
-The ISL3887 chip needs a USB reset, whenever the
-usb-frontend module "p54usb" is reloaded.
-
-This patch fixes an off-by-one bug, if the user
-is running a kernel without the CONFIG_PM option
-set and for some reason (e.g.: compat-wireless)
-wants to switch between different p54usb modules.
-
-Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/wireless/p54/p54usb.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/wireless/p54/p54usb.c
-+++ b/drivers/net/wireless/p54/p54usb.c
-@@ -929,8 +929,8 @@ static int __devinit p54u_probe(struct u
- #ifdef CONFIG_PM
-               /* ISL3887 needs a full reset on resume */
-               udev->reset_resume = 1;
-+#endif /* CONFIG_PM */
-               err = p54u_device_reset(dev);
--#endif
-               priv->hw_type = P54U_3887;
-               dev->extra_tx_headroom += sizeof(struct lm87_tx_hdr);
diff --git a/queue-2.6.33/pci-fix-offset-check-for-sysfs-mmapped-files.patch b/queue-2.6.33/pci-fix-offset-check-for-sysfs-mmapped-files.patch
deleted file mode 100644 (file)
index 89439ae..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-From 8c05cd08a7504b855c265263e84af61aabafa329 Mon Sep 17 00:00:00 2001
-From: Darrick J. Wong <djwong@us.ibm.com>
-Date: Tue, 16 Nov 2010 09:13:41 -0800
-Subject: PCI: fix offset check for sysfs mmapped files
-
-From: Darrick J. Wong <djwong@us.ibm.com>
-
-commit 8c05cd08a7504b855c265263e84af61aabafa329 upstream.
-
-I just loaded 2.6.37-rc2 on my machines, and I noticed that X no longer starts.
-Running an strace of the X server shows that it's doing this:
-
-open("/sys/bus/pci/devices/0000:07:00.0/resource0", O_RDWR) = 10
-mmap(NULL, 16777216, PROT_READ|PROT_WRITE, MAP_SHARED, 10, 0) = -1 EINVAL (Invalid argument)
-
-This code seems to be asking for a shared read/write mapping of 16MB worth of
-BAR0 starting at file offset 0, and letting the kernel assign a starting
-address.  Unfortunately, this -EINVAL causes X not to start.  Looking into
-dmesg, there's a complaint like so:
-
-process "Xorg" tried to map 0x01000000 bytes at page 0x00000000 on 0000:07:00.0 BAR 0 (start 0x        96000000, size 0x         1000000)
-
-...with the following code in pci_mmap_fits:
-
-       pci_start = (mmap_api == PCI_MMAP_SYSFS) ?
-               pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
-        if (start >= pci_start && start < pci_start + size &&
-                        start + nr <= pci_start + size)
-
-It looks like the logic here is set up such that when the mmap call comes via
-sysfs, the check in pci_mmap_fits wants vma->vm_pgoff to be between the
-resource's start and end address, and the end of the vma to be no farther than
-the end.  However, the sysfs PCI resource files always start at offset zero,
-which means that this test always fails for programs that mmap the sysfs files.
-Given the comment in the original commit
-3b519e4ea618b6943a82931630872907f9ac2c2b, I _think_ the old procfs files
-require that the file offset be equal to the resource's base address when
-mmapping.
-
-I think what we want here is for pci_start to be 0 when mmap_api ==
-PCI_MMAP_PROCFS.  The following patch makes that change, after which the Matrox
-and Mach64 X drivers work again.
-
-Acked-by: Martin Wilck <martin.wilck@ts.fujitsu.com>
-Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
-Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/pci/pci-sysfs.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -699,7 +699,7 @@ int pci_mmap_fits(struct pci_dev *pdev,
-       nr = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
-       start = vma->vm_pgoff;
-       size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
--      pci_start = (mmap_api == PCI_MMAP_SYSFS) ?
-+      pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
-                       pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
-       if (start >= pci_start && start < pci_start + size &&
-                       start + nr <= pci_start + size)
diff --git a/queue-2.6.33/pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch b/queue-2.6.33/pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch
deleted file mode 100644 (file)
index d8d0a72..0000000
+++ /dev/null
@@ -1,118 +0,0 @@
-From 3b519e4ea618b6943a82931630872907f9ac2c2b Mon Sep 17 00:00:00 2001
-From: Martin Wilck <martin.wilck@ts.fujitsu.com>
-Date: Wed, 10 Nov 2010 11:03:21 +0100
-Subject: PCI: fix size checks for mmap() on /proc/bus/pci files
-
-From: Martin Wilck <martin.wilck@ts.fujitsu.com>
-
-commit 3b519e4ea618b6943a82931630872907f9ac2c2b upstream.
-
-The checks for valid mmaps of PCI resources made through /proc/bus/pci files
-that were introduced in 9eff02e2042f96fb2aedd02e032eca1c5333d767 have several
-problems:
-
-1. mmap() calls on /proc/bus/pci files are made with real file offsets > 0,
-whereas under /sys/bus/pci/devices, the start of the resource corresponds
-to offset 0. This may lead to false negatives in pci_mmap_fits(), which
-implicitly assumes the /sys/bus/pci/devices layout.
-
-2. The loop in proc_bus_pci_mmap doesn't skip empty resouces. This leads
-to false positives, because pci_mmap_fits() doesn't treat empty resources
-correctly (the calculated size is 1 << (8*sizeof(resource_size_t)-PAGE_SHIFT)
-in this case!).
-
-3. If a user maps resources with BAR > 0, pci_mmap_fits will emit bogus
-WARNINGS for the first resources that don't fit until the correct one is found.
-
-On many controllers the first 2-4 BARs are used, and the others are empty.
-In this case, an mmap attempt will first fail on the non-empty BARs
-(including the "right" BAR because of 1.) and emit bogus WARNINGS because
-of 3., and finally succeed on the first empty BAR because of 2.
-This is certainly not the intended behaviour.
-
-This patch addresses all 3 issues.
-Updated with an enum type for the additional parameter for pci_mmap_fits().
-
-Signed-off-by: Martin Wilck <martin.wilck@ts.fujitsu.com>
-Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/pci/pci-sysfs.c |   22 ++++++++++++++++------
- drivers/pci/pci.h       |    7 ++++++-
- drivers/pci/proc.c      |    2 +-
- 3 files changed, 23 insertions(+), 8 deletions(-)
-
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -689,17 +689,21 @@ void pci_remove_legacy_files(struct pci_
- #ifdef HAVE_PCI_MMAP
--int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma)
-+int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
-+                enum pci_mmap_api mmap_api)
- {
--      unsigned long nr, start, size;
-+      unsigned long nr, start, size, pci_start;
-+      if (pci_resource_len(pdev, resno) == 0)
-+              return 0;
-       nr = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
-       start = vma->vm_pgoff;
-       size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
--      if (start < size && size - start >= nr)
-+      pci_start = (mmap_api == PCI_MMAP_SYSFS) ?
-+                      pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
-+      if (start >= pci_start && start < pci_start + size &&
-+                      start + nr <= pci_start + size)
-               return 1;
--      WARN(1, "process \"%s\" tried to map 0x%08lx-0x%08lx on %s BAR %d (size 0x%08lx)\n",
--              current->comm, start, start+nr, pci_name(pdev), resno, size);
-       return 0;
- }
-@@ -729,8 +733,14 @@ pci_mmap_resource(struct kobject *kobj,
-       if (i >= PCI_ROM_RESOURCE)
-               return -ENODEV;
--      if (!pci_mmap_fits(pdev, i, vma))
-+      if (!pci_mmap_fits(pdev, i, vma, PCI_MMAP_SYSFS)) {
-+              WARN(1, "process \"%s\" tried to map 0x%08lx bytes "
-+                      "at page 0x%08lx on %s BAR %d (start 0x%16Lx, size 0x%16Lx)\n",
-+                      current->comm, vma->vm_end-vma->vm_start, vma->vm_pgoff,
-+                      pci_name(pdev), i,
-+                      pci_resource_start(pdev, i), pci_resource_len(pdev, i));
-               return -EINVAL;
-+      }
-       /* pci_mmap_page_range() expects the same kind of entry as coming
-        * from /proc/bus/pci/ which is a "user visible" value. If this is
---- a/drivers/pci/pci.h
-+++ b/drivers/pci/pci.h
-@@ -13,8 +13,13 @@ extern int pci_create_sysfs_dev_files(st
- extern void pci_remove_sysfs_dev_files(struct pci_dev *pdev);
- extern void pci_cleanup_rom(struct pci_dev *dev);
- #ifdef HAVE_PCI_MMAP
-+enum pci_mmap_api {
-+      PCI_MMAP_SYSFS, /* mmap on /sys/bus/pci/devices/<BDF>/resource<N> */
-+      PCI_MMAP_PROCFS /* mmap on /proc/bus/pci/<BDF> */
-+};
- extern int pci_mmap_fits(struct pci_dev *pdev, int resno,
--                       struct vm_area_struct *vma);
-+                       struct vm_area_struct *vmai,
-+                       enum pci_mmap_api mmap_api);
- #endif
- int pci_probe_reset_function(struct pci_dev *dev);
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -259,7 +259,7 @@ static int proc_bus_pci_mmap(struct file
-       /* Make sure the caller is mapping a real resource for this device */
-       for (i = 0; i < PCI_ROM_RESOURCE; i++) {
--              if (pci_mmap_fits(dev, i, vma))
-+              if (pci_mmap_fits(dev, i, vma,  PCI_MMAP_PROCFS))
-                       break;
-       }
diff --git a/queue-2.6.33/pcmcia-synclink_cs-fix-information-leak-to-userland.patch b/queue-2.6.33/pcmcia-synclink_cs-fix-information-leak-to-userland.patch
deleted file mode 100644 (file)
index c5f80fb..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 Mon Sep 17 00:00:00 2001
-From: Vasiliy Kulikov <segooon@gmail.com>
-Date: Sun, 17 Oct 2010 18:41:24 +0400
-Subject: pcmcia: synclink_cs: fix information leak to userland
-
-From: Vasiliy Kulikov <segooon@gmail.com>
-
-commit 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 upstream.
-
-Structure new_line is copied to userland with some padding fields unitialized.
-It leads to leaking of stack memory.
-
-Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
-Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/pcmcia/synclink_cs.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/char/pcmcia/synclink_cs.c
-+++ b/drivers/char/pcmcia/synclink_cs.c
-@@ -4144,6 +4144,8 @@ static int hdlcdev_ioctl(struct net_devi
-       if (cmd != SIOCWANDEV)
-               return hdlc_ioctl(dev, ifr, cmd);
-+      memset(&new_line, 0, size);
-+
-       switch(ifr->ifr_settings.type) {
-       case IF_GET_IFACE: /* return current sync_serial_settings */
diff --git a/queue-2.6.33/percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch b/queue-2.6.33/percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch
deleted file mode 100644 (file)
index 3b60a9a..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From 8474b591faf3bb0a1e08a60d21d6baac498f15e4 Mon Sep 17 00:00:00 2001
-From: Masanori ITOH <itoumsn@nttdata.co.jp>
-Date: Tue, 26 Oct 2010 14:21:20 -0700
-Subject: percpu: fix list_head init bug in __percpu_counter_init()
-
-From: Masanori ITOH <itoumsn@nttdata.co.jp>
-
-commit 8474b591faf3bb0a1e08a60d21d6baac498f15e4 upstream.
-
-WARNING: at lib/list_debug.c:26 __list_add+0x3f/0x81()
-Hardware name: Express5800/B120a [N8400-085]
-list_add corruption. next->prev should be prev (ffffffff81a7ea00), but was dead000000200200. (next=ffff88080b872d58).
-Modules linked in: aoe ipt_MASQUERADE iptable_nat nf_nat autofs4 sunrpc bridge 8021q garp stp llc ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_round_robin dm_multipath kvm_intel kvm uinput lpfc scsi_transport_fc igb ioatdma scsi_tgt i2c_i801 i2c_core dca iTCO_wdt iTCO_vendor_support pcspkr shpchp megaraid_sas [last unloaded: aoe]
-Pid: 54, comm: events/3 Tainted: G        W  2.6.34-vanilla1 #1
-Call Trace:
-[<ffffffff8104bd77>] warn_slowpath_common+0x7c/0x94
-[<ffffffff8104bde6>] warn_slowpath_fmt+0x41/0x43
-[<ffffffff8120fd2e>] __list_add+0x3f/0x81
-[<ffffffff81212a12>] __percpu_counter_init+0x59/0x6b
-[<ffffffff810d8499>] bdi_init+0x118/0x17e
-[<ffffffff811f2c50>] blk_alloc_queue_node+0x79/0x143
-[<ffffffff811f2d2b>] blk_alloc_queue+0x11/0x13
-[<ffffffffa02a931d>] aoeblk_gdalloc+0x8e/0x1c9 [aoe]
-[<ffffffffa02aa655>] aoecmd_sleepwork+0x25/0xa8 [aoe]
-[<ffffffff8106186c>] worker_thread+0x1a9/0x237
-[<ffffffffa02aa630>] ? aoecmd_sleepwork+0x0/0xa8 [aoe]
-[<ffffffff81065827>] ? autoremove_wake_function+0x0/0x39
-[<ffffffff810616c3>] ? worker_thread+0x0/0x237
-[<ffffffff810653ad>] kthread+0x7f/0x87
-[<ffffffff8100aa24>] kernel_thread_helper+0x4/0x10
-[<ffffffff8106532e>] ? kthread+0x0/0x87
-[<ffffffff8100aa20>] ? kernel_thread_helper+0x0/0x10
-
-It's because there is no initialization code for a list_head contained in
-the struct backing_dev_info under CONFIG_HOTPLUG_CPU, and the bug comes up
-when block device drivers calling blk_alloc_queue() are used.  In case of
-me, I got them by using aoe.
-
-Signed-off-by: Masanori Itoh <itoumsn@nttdata.co.jp>
-Cc: Tejun Heo <tj@kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- lib/percpu_counter.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/lib/percpu_counter.c
-+++ b/lib/percpu_counter.c
-@@ -76,6 +76,7 @@ int __percpu_counter_init(struct percpu_
-       if (!fbc->counters)
-               return -ENOMEM;
- #ifdef CONFIG_HOTPLUG_CPU
-+      INIT_LIST_HEAD(&fbc->list);
-       mutex_lock(&percpu_counters_lock);
-       list_add(&fbc->list, &percpu_counters);
-       mutex_unlock(&percpu_counters_lock);
diff --git a/queue-2.6.33/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch b/queue-2.6.33/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
deleted file mode 100644 (file)
index 4eb3c7d..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 63bfd7384b119409685a17d5c58f0b56e5dc03da Mon Sep 17 00:00:00 2001
-From: Pekka Enberg <penberg@kernel.org>
-Date: Mon, 8 Nov 2010 21:29:07 +0200
-Subject: perf_events: Fix perf_counter_mmap() hook in mprotect()
-
-From: Pekka Enberg <penberg@kernel.org>
-
-commit 63bfd7384b119409685a17d5c58f0b56e5dc03da upstream.
-
-As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
-mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
-merging. Fix the problem by moving perf_event_mmap() hook to
-mprotect_fixup().
-
-Note: there's another successful return path from mprotect_fixup() if old
-flags equal to new flags. We don't, however, need to call
-perf_event_mmap() there because 'perf' already knows the VMA is
-executable.
-
-Reported-by: Dave Jones <davej@redhat.com>
-Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Ingo Molnar <mingo@elte.hu>
-Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
-Signed-off-by: Pekka Enberg <penberg@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- mm/mprotect.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/mm/mprotect.c
-+++ b/mm/mprotect.c
-@@ -212,6 +212,7 @@ success:
-       mmu_notifier_invalidate_range_end(mm, start, end);
-       vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
-       vm_stat_account(mm, newflags, vma->vm_file, nrpages);
-+      perf_event_mmap(vma);
-       return 0;
- fail:
-@@ -300,7 +301,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
-               error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
-               if (error)
-                       goto out;
--              perf_event_mmap(vma);
-               nstart = tmp;
-               if (nstart < prev->vm_end)
diff --git a/queue-2.6.33/phonet-correct-header-retrieval-after-pskb_may_pull.patch b/queue-2.6.33/phonet-correct-header-retrieval-after-pskb_may_pull.patch
deleted file mode 100644 (file)
index f7714be..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-From fb179ba0a33882bf9f639202e7a90f7c77d05a00 Mon Sep 17 00:00:00 2001
-From: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
-Date: Mon, 27 Sep 2010 23:10:42 +0000
-Subject: Phonet: Correct header retrieval after pskb_may_pull
-
-
-From: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
-
-[ Upstream commit a91e7d471e2e384035b9746ea707ccdcd353f5dd ]
-
-Retrieve the header after doing pskb_may_pull since, pskb_may_pull
-could change the buffer structure.
-
-This is based on the comment given by Eric Dumazet on Phonet
-Pipe controller patch for a similar problem.
-
-Signed-off-by: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
-Acked-by: Linus Walleij <linus.walleij@stericsson.com>
-Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
-Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/phonet/pep.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/phonet/pep.c
-+++ b/net/phonet/pep.c
-@@ -224,12 +224,13 @@ static void pipe_grant_credits(struct so
- static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
- {
-       struct pep_sock *pn = pep_sk(sk);
--      struct pnpipehdr *hdr = pnp_hdr(skb);
-+      struct pnpipehdr *hdr;
-       int wake = 0;
-       if (!pskb_may_pull(skb, sizeof(*hdr) + 4))
-               return -EINVAL;
-+      hdr = pnp_hdr(skb);
-       if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
-               LIMIT_NETDEBUG(KERN_DEBUG"Phonet unknown PEP type: %u\n",
-                               (unsigned)hdr->data[0]);
diff --git a/queue-2.6.33/pipe-fix-failure-to-return-error-code-on-confirm.patch b/queue-2.6.33/pipe-fix-failure-to-return-error-code-on-confirm.patch
deleted file mode 100644 (file)
index 192292f..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From e5953cbdff26f7cbae7eff30cd9b18c4e19b7594 Mon Sep 17 00:00:00 2001
-From: Nicolas Kaiser <nikai@nikai.net>
-Date: Thu, 21 Oct 2010 14:56:00 +0200
-Subject: pipe: fix failure to return error code on ->confirm()
-
-From: Nicolas Kaiser <nikai@nikai.net>
-
-commit e5953cbdff26f7cbae7eff30cd9b18c4e19b7594 upstream.
-
-The arguments were transposed, we want to assign the error code to
-'ret', which is being returned.
-
-Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/pipe.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -363,7 +363,7 @@ pipe_read(struct kiocb *iocb, const stru
-                       error = ops->confirm(pipe, buf);
-                       if (error) {
-                               if (!ret)
--                                      error = ret;
-+                                      ret = error;
-                               break;
-                       }
diff --git a/queue-2.6.33/powerpc-perf-fix-sampling-enable-for-ppc970.patch b/queue-2.6.33/powerpc-perf-fix-sampling-enable-for-ppc970.patch
deleted file mode 100644 (file)
index a496150..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-From 9f5f9ffe50e90ed73040d2100db8bfc341cee352 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@samba.org>
-Date: Thu, 9 Sep 2010 19:02:40 +0000
-Subject: powerpc/perf: Fix sampling enable for PPC970
-
-From: Paul Mackerras <paulus@samba.org>
-
-commit 9f5f9ffe50e90ed73040d2100db8bfc341cee352 upstream.
-
-The logic to distinguish marked instruction events from ordinary events
-on PPC970 and derivatives was flawed.  The result is that instruction
-sampling didn't get enabled in the PMU for some marked instruction
-events, so they would never trigger.  This fixes it by adding the
-appropriate break statements in the switch statement.
-
-Reported-by: David Binderman <dcb314@hotmail.com>
-Signed-off-by: Paul Mackerras <paulus@samba.org>
-Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/powerpc/kernel/ppc970-pmu.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/arch/powerpc/kernel/ppc970-pmu.c
-+++ b/arch/powerpc/kernel/ppc970-pmu.c
-@@ -169,9 +169,11 @@ static int p970_marked_instr_event(u64 e
-       switch (unit) {
-       case PM_VPU:
-               mask = 0x4c;            /* byte 0 bits 2,3,6 */
-+              break;
-       case PM_LSU0:
-               /* byte 2 bits 0,2,3,4,6; all of byte 1 */
-               mask = 0x085dff00;
-+              break;
-       case PM_LSU1L:
-               mask = 0x50 << 24;      /* byte 3 bits 4,6 */
-               break;
diff --git a/queue-2.6.33/prioritize-synchronous-signals-over-normal-signals.patch b/queue-2.6.33/prioritize-synchronous-signals-over-normal-signals.patch
deleted file mode 100644 (file)
index 2cb9328..0000000
+++ /dev/null
@@ -1,117 +0,0 @@
-From a27341cd5fcb7cf2d2d4726e9f324009f7162c00 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Tue, 2 Mar 2010 08:36:46 -0800
-Subject: Prioritize synchronous signals over 'normal' signals
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit a27341cd5fcb7cf2d2d4726e9f324009f7162c00 upstream.
-
-This makes sure that we pick the synchronous signals caused by a
-processor fault over any pending regular asynchronous signals sent to
-use by [t]kill().
-
-This is not strictly required semantics, but it makes it _much_ easier
-for programs like Wine that expect to find the fault information in the
-signal stack.
-
-Without this, if a non-synchronous signal gets picked first, the delayed
-asynchronous signal will have its signal context pointing to the new
-signal invocation, rather than the instruction that caused the SIGSEGV
-or SIGBUS in the first place.
-
-This is not all that pretty, and we're discussing making the synchronous
-signals more explicit rather than have these kinds of implicit
-preferences of SIGSEGV and friends.  See for example
-
-       http://bugzilla.kernel.org/show_bug.cgi?id=15395
-
-for some of the discussion.  But in the meantime this is a simple and
-fairly straightforward work-around, and the whole
-
-       if (x & Y)
-               x &= Y;
-
-thing can be compiled into (and gcc does do it) just three instructions:
-
-       movq    %rdx, %rax
-       andl    $Y, %eax
-       cmovne  %rax, %rdx
-
-so it is at least a simple solution to a subtle issue.
-
-Reported-and-tested-by: Pavel Vilim <wylda@volny.cz>
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/signal.c |   43 ++++++++++++++++++++++++++++++-------------
- 1 file changed, 30 insertions(+), 13 deletions(-)
-
---- a/kernel/signal.c
-+++ b/kernel/signal.c
-@@ -159,6 +159,10 @@ void recalc_sigpending(void)
- /* Given the mask, find the first available signal that should be serviced. */
-+#define SYNCHRONOUS_MASK \
-+      (sigmask(SIGSEGV) | sigmask(SIGBUS) | sigmask(SIGILL) | \
-+       sigmask(SIGTRAP) | sigmask(SIGFPE))
-+
- int next_signal(struct sigpending *pending, sigset_t *mask)
- {
-       unsigned long i, *s, *m, x;
-@@ -166,26 +170,39 @@ int next_signal(struct sigpending *pendi
-       s = pending->signal.sig;
-       m = mask->sig;
-+
-+      /*
-+       * Handle the first word specially: it contains the
-+       * synchronous signals that need to be dequeued first.
-+       */
-+      x = *s &~ *m;
-+      if (x) {
-+              if (x & SYNCHRONOUS_MASK)
-+                      x &= SYNCHRONOUS_MASK;
-+              sig = ffz(~x) + 1;
-+              return sig;
-+      }
-+
-       switch (_NSIG_WORDS) {
-       default:
--              for (i = 0; i < _NSIG_WORDS; ++i, ++s, ++m)
--                      if ((x = *s &~ *m) != 0) {
--                              sig = ffz(~x) + i*_NSIG_BPW + 1;
--                              break;
--                      }
-+              for (i = 1; i < _NSIG_WORDS; ++i) {
-+                      x = *++s &~ *++m;
-+                      if (!x)
-+                              continue;
-+                      sig = ffz(~x) + i*_NSIG_BPW + 1;
-+                      break;
-+              }
-               break;
--      case 2: if ((x = s[0] &~ m[0]) != 0)
--                      sig = 1;
--              else if ((x = s[1] &~ m[1]) != 0)
--                      sig = _NSIG_BPW + 1;
--              else
-+      case 2:
-+              x = s[1] &~ m[1];
-+              if (!x)
-                       break;
--              sig += ffz(~x);
-+              sig = ffz(~x) + _NSIG_BPW + 1;
-               break;
--      case 1: if ((x = *s &~ *m) != 0)
--                      sig = ffz(~x) + 1;
-+      case 1:
-+              /* Nothing to do */
-               break;
-       }
diff --git a/queue-2.6.33/r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch b/queue-2.6.33/r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch
deleted file mode 100644 (file)
index 6a77265..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From ben@decadent.org.uk  Wed Oct 20 14:37:52 2010
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Fri, 15 Oct 2010 04:36:53 +0100
-Subject: r6040: Fix multicast list iteration when hash filter is used
-To: stable@kernel.org, Florian Fainelli <florian@openwrt.org>
-Cc: 600155@bugs.debian.org, Jason Heeris <jason.heeris@gmail.com>, David Miller <davem@davemloft.net>, spamalot@hispeed.ch
-Message-ID: <1287113813.20865.20.camel@localhost>
-
-From: Ben Hutchings <ben@decadent.org.uk>
-
-This was fixed in mainline by the interface change made in commit
-f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249.
-
-After walking the multicast list to set up the hash filter, this
-function will walk off the end of the list when filling the
-exact-match entries.  This was fixed in mainline by the interface
-change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249.
-
-Reported-by: spamalot@hispeed.ch
-Reference: https://bugzilla.kernel.org/show_bug.cgi?id=15355
-Reported-by: Jason Heeris <jason.heeris@gmail.com>
-Reference: http://bugs.debian.org/600155
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/r6040.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/r6040.c
-+++ b/drivers/net/r6040.c
-@@ -991,6 +991,7 @@ static void r6040_multicast_list(struct
-               iowrite16(hash_table[3], ioaddr + MAR3);
-       }
-       /* Multicast Address 1~4 case */
-+      dmi = dev->mc_list;
-       for (i = 0, dmi; (i < dev->mc_count) && (i < MCAST_MAX); i++) {
-               adrp = (u16 *)dmi->dmi_addr;
-               iowrite16(adrp[0], ioaddr + MID_1L + 8*i);
diff --git a/queue-2.6.33/r6040-fix-r6040_multicast_list.patch b/queue-2.6.33/r6040-fix-r6040_multicast_list.patch
deleted file mode 100644 (file)
index 8059f66..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106 Mon Sep 17 00:00:00 2001
-From: Florian Fainelli <florian@openwrt.org>
-Date: Wed, 7 Apr 2010 16:50:58 -0700
-Subject: r6040: fix r6040_multicast_list
-
-From: Florian Fainelli <florian@openwrt.org>
-
-commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106 upstream.
-
-As reported in <https://bugzilla.kernel.org/show_bug.cgi?id=15355>, r6040_
-multicast_list currently crashes. This is due a wrong maximum of multicast
-entries. This patch fixes the following issues with multicast:
-
-- number of maximum entries if off-by-one (4 instead of 3)
-
-- the writing of the hash table index is not necessary and leads to invalid
-values being written into the MCR1 register, so the MAC is simply put in a non
-coherent state
-
-- when we exceed the maximum number of mutlticast address, writing the
-broadcast address should be done in registers MID_1{L,M,H} instead of
-MID_O{L,M,H}, otherwise we would loose the adapter's MAC address
-
-[bwh: Adjust for 2.6.32; should also apply to 2.6.27]
-
-Signed-off-by: Florian Fainelli <florian@openwrt.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/net/r6040.c |   11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
---- a/drivers/net/r6040.c
-+++ b/drivers/net/r6040.c
-@@ -135,7 +135,7 @@
- #define RX_DESC_SIZE  (RX_DCNT * sizeof(struct r6040_descriptor))
- #define TX_DESC_SIZE  (TX_DCNT * sizeof(struct r6040_descriptor))
- #define MBCR_DEFAULT  0x012A  /* MAC Bus Control Register */
--#define MCAST_MAX     4       /* Max number multicast addresses to filter */
-+#define MCAST_MAX     3       /* Max number multicast addresses to filter */
- /* Descriptor status */
- #define DSC_OWNER_MAC 0x8000  /* MAC is the owner of this descriptor */
-@@ -984,9 +984,6 @@ static void r6040_multicast_list(struct
-                       crc >>= 26;
-                       hash_table[crc >> 4] |= 1 << (15 - (crc & 0xf));
-               }
--              /* Write the index of the hash table */
--              for (i = 0; i < 4; i++)
--                      iowrite16(hash_table[i] << 14, ioaddr + MCR1);
-               /* Fill the MAC hash tables with their values */
-               iowrite16(hash_table[0], ioaddr + MAR0);
-               iowrite16(hash_table[1], ioaddr + MAR1);
-@@ -1002,9 +999,9 @@ static void r6040_multicast_list(struct
-               dmi = dmi->next;
-       }
-       for (i = dev->mc_count; i < MCAST_MAX; i++) {
--              iowrite16(0xffff, ioaddr + MID_0L + 8*i);
--              iowrite16(0xffff, ioaddr + MID_0M + 8*i);
--              iowrite16(0xffff, ioaddr + MID_0H + 8*i);
-+              iowrite16(0xffff, ioaddr + MID_1L + 8*i);
-+              iowrite16(0xffff, ioaddr + MID_1M + 8*i);
-+              iowrite16(0xffff, ioaddr + MID_1H + 8*i);
-       }
- }
diff --git a/queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch b/queue-2.6.33/rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch
deleted file mode 100644 (file)
index c690169..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-From bec658ff31453a5726b1c188674d587a5d40c482 Mon Sep 17 00:00:00 2001
-From: Steve Wise <swise@opengridcomputing.com>
-Date: Sat, 18 Sep 2010 19:38:21 -0500
-Subject: RDMA/cxgb3: Turn off RX coalescing for iWARP connections
-
-From: Steve Wise <swise@opengridcomputing.com>
-
-commit bec658ff31453a5726b1c188674d587a5d40c482 upstream.
-
-The HW by default has RX coalescing on.  For iWARP connections, this
-causes a 100ms delay in connection establishement due to the ingress
-MPA Start message being stalled in HW.  So explicitly turn RX
-coalescing off when setting up iWARP connections.
-
-This was causing very bad performance for NP64 gather operations using
-Open MPI, due to the way it sets up connections on larger jobs.
-
-Signed-off-by: Steve Wise <swise@opengridcomputing.com>
-Signed-off-by: Roland Dreier <rolandd@cisco.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/infiniband/hw/cxgb3/iwch_cm.c |    6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
-+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
-@@ -486,7 +486,8 @@ static int send_connect(struct iwch_ep *
-           V_MSS_IDX(mtu_idx) |
-           V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
-       opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
--      opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
-+      opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
-+             V_CONG_CONTROL_FLAVOR(cong_flavor);
-       skb->priority = CPL_PRIORITY_SETUP;
-       set_arp_failure_handler(skb, act_open_req_arp_failure);
-@@ -1303,7 +1304,8 @@ static void accept_cr(struct iwch_ep *ep
-           V_MSS_IDX(mtu_idx) |
-           V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
-       opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
--      opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
-+      opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
-+             V_CONG_CONTROL_FLAVOR(cong_flavor);
-       rpl = cplhdr(skb);
-       rpl->wr.wr_hi = htonl(V_WR_OP(FW_WROPCODE_FORWARD));
diff --git a/queue-2.6.33/rds-integer-overflow-in-rds-cmsg-handling.patch b/queue-2.6.33/rds-integer-overflow-in-rds-cmsg-handling.patch
deleted file mode 100644 (file)
index 6e679e5..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From 218854af84038d828a32f061858b1902ed2beec6 Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Wed, 17 Nov 2010 06:37:16 +0000
-Subject: rds: Integer overflow in RDS cmsg handling
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
-
-In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
-restricted to less than UINT_MAX.  This seems to need a tighter upper
-bound, since the calculation of total iov_size can overflow, resulting
-in a small sock_kmalloc() allocation.  This would probably just result
-in walking off the heap and crashing when calling rds_rdma_pages() with
-a high count value.  If it somehow doesn't crash here, then memory
-corruption could occur soon after.
-
-Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/rds/rdma.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/rds/rdma.c
-+++ b/net/rds/rdma.c
-@@ -471,7 +471,7 @@ static struct rds_rdma_op *rds_rdma_prep
-               goto out;
-       }
--      if (args->nr_local > (u64)UINT_MAX) {
-+      if (args->nr_local > UIO_MAXIOV) {
-               ret = -EMSGSIZE;
-               goto out;
-       }
diff --git a/queue-2.6.33/reiserfs-don-t-acquire-lock-recursively-in-reiserfs_acl_chmod.patch b/queue-2.6.33/reiserfs-don-t-acquire-lock-recursively-in-reiserfs_acl_chmod.patch
deleted file mode 100644 (file)
index 74111cf..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From 238af8751f64a75f8b638193353b1c31ea32e738 Mon Sep 17 00:00:00 2001
-From: Frederic Weisbecker <fweisbec@gmail.com>
-Date: Thu, 2 Dec 2010 14:31:16 -0800
-Subject: reiserfs: don't acquire lock recursively in reiserfs_acl_chmod
-
-From: Frederic Weisbecker <fweisbec@gmail.com>
-
-commit 238af8751f64a75f8b638193353b1c31ea32e738 upstream.
-
-reiserfs_acl_chmod() can be called by reiserfs_set_attr() and then take
-the reiserfs lock a second time.  Thereafter it may call journal_begin()
-that definitely requires the lock not to be nested in order to release
-it before taking the journal mutex because the reiserfs lock depends on
-the journal mutex already.
-
-So, aviod nesting the lock in reiserfs_acl_chmod().
-
-Reported-by: Pawel Zawora <pzawora@gmail.com>
-Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
-Tested-by: Pawel Zawora <pzawora@gmail.com>
-Cc: Jeff Mahoney <jeffm@suse.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/reiserfs/xattr_acl.c |    6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/fs/reiserfs/xattr_acl.c
-+++ b/fs/reiserfs/xattr_acl.c
-@@ -471,7 +471,9 @@ int reiserfs_acl_chmod(struct inode *ino
-               struct reiserfs_transaction_handle th;
-               size_t size = reiserfs_xattr_nblocks(inode,
-                                            reiserfs_acl_size(clone->a_count));
--              reiserfs_write_lock(inode->i_sb);
-+              int depth;
-+
-+              depth = reiserfs_write_lock_once(inode->i_sb);
-               error = journal_begin(&th, inode->i_sb, size * 2);
-               if (!error) {
-                       int error2;
-@@ -481,7 +483,7 @@ int reiserfs_acl_chmod(struct inode *ino
-                       if (error2)
-                               error = error2;
-               }
--              reiserfs_write_unlock(inode->i_sb);
-+              reiserfs_write_unlock_once(inode->i_sb, depth);
-       }
-       posix_acl_release(clone);
-       return error;
diff --git a/queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch b/queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
deleted file mode 100644 (file)
index 54e3a50..0000000
+++ /dev/null
@@ -1,98 +0,0 @@
-From 3f259d092c7a2fdf217823e8f1838530adb0cdb0 Mon Sep 17 00:00:00 2001
-From: Frederic Weisbecker <fweisbec@gmail.com>
-Date: Thu, 30 Sep 2010 15:15:37 -0700
-Subject: reiserfs: fix dependency inversion between inode and reiserfs mutexes
-
-From: Frederic Weisbecker <fweisbec@gmail.com>
-
-commit 3f259d092c7a2fdf217823e8f1838530adb0cdb0 upstream.
-
-The reiserfs mutex already depends on the inode mutex, so we can't lock
-the inode mutex in reiserfs_unpack() without using the safe locking API,
-because reiserfs_unpack() is always called with the reiserfs mutex locked.
-
-This fixes:
-
-  =======================================================
-  [ INFO: possible circular locking dependency detected ]
-  2.6.35c #13
-  -------------------------------------------------------
-  lilo/1606 is trying to acquire lock:
-   (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
-
-  but task is already holding lock:
-   (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
-
-  which lock already depends on the new lock.
-
-  the existing dependency chain (in reverse order) is:
-
-  -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
-         [<c1056347>] lock_acquire+0x67/0x80
-         [<c12f083d>] __mutex_lock_common+0x4d/0x410
-         [<c12f0c58>] mutex_lock_nested+0x18/0x20
-         [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
-         [<d0329e9a>] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs]
-         [<d0316b81>] reiserfs_fill_super+0x941/0xe60 [reiserfs]
-         [<c10b7d17>] get_sb_bdev+0x117/0x170
-         [<d0313e21>] get_super_block+0x21/0x30 [reiserfs]
-         [<c10b74ba>] vfs_kern_mount+0x6a/0x1b0
-         [<c10b7659>] do_kern_mount+0x39/0xe0
-         [<c10cebe0>] do_mount+0x340/0x790
-         [<c10cf0b4>] sys_mount+0x84/0xb0
-         [<c12f25cd>] syscall_call+0x7/0xb
-
-  -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
-         [<c1056186>] __lock_acquire+0x1026/0x1180
-         [<c1056347>] lock_acquire+0x67/0x80
-         [<c12f083d>] __mutex_lock_common+0x4d/0x410
-         [<c12f0c58>] mutex_lock_nested+0x18/0x20
-         [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
-         [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
-         [<c10c3228>] vfs_ioctl+0x28/0xa0
-         [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
-         [<c10c3f53>] sys_ioctl+0x63/0x70
-         [<c12f25cd>] syscall_call+0x7/0xb
-
-  other info that might help us debug this:
-
-  1 lock held by lilo/1606:
-   #0:  (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a268>] reiserfs_write_lock+0x28/0x40 [reiserfs]
-
-  stack backtrace:
-  Pid: 1606, comm: lilo Not tainted 2.6.35c #13
-  Call Trace:
-   [<c1056186>] __lock_acquire+0x1026/0x1180
-   [<c1056347>] lock_acquire+0x67/0x80
-   [<c12f083d>] __mutex_lock_common+0x4d/0x410
-   [<c12f0c58>] mutex_lock_nested+0x18/0x20
-   [<d0329450>] reiserfs_unpack+0x60/0x110 [reiserfs]
-   [<d0329772>] reiserfs_ioctl+0x272/0x320 [reiserfs]
-   [<c10c3228>] vfs_ioctl+0x28/0xa0
-   [<c10c3c5d>] do_vfs_ioctl+0x32d/0x5c0
-   [<c10c3f53>] sys_ioctl+0x63/0x70
-   [<c12f25cd>] syscall_call+0x7/0xb
-
-Reported-by: Jarek Poplawski <jarkao2@gmail.com>
-Tested-by: Jarek Poplawski <jarkao2@gmail.com>
-Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
-Cc: Jeff Mahoney <jeffm@suse.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/reiserfs/ioctl.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/reiserfs/ioctl.c
-+++ b/fs/reiserfs/ioctl.c
-@@ -188,7 +188,7 @@ int reiserfs_unpack(struct inode *inode,
-       /* we need to make sure nobody is changing the file size beneath
-        ** us
-        */
--      mutex_lock(&inode->i_mutex);
-+      reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb);
-       reiserfs_write_lock(inode->i_sb);
-       write_from = inode->i_size & (blocksize - 1);
diff --git a/queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch b/queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch
deleted file mode 100644 (file)
index e7f3990..0000000
+++ /dev/null
@@ -1,129 +0,0 @@
-From 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 Mon Sep 17 00:00:00 2001
-From: Frederic Weisbecker <fweisbec@gmail.com>
-Date: Thu, 30 Sep 2010 15:15:38 -0700
-Subject: reiserfs: fix unwanted reiserfs lock recursion
-
-From: Frederic Weisbecker <fweisbec@gmail.com>
-
-commit 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 upstream.
-
-Prevent from recursively locking the reiserfs lock in reiserfs_unpack()
-because we may call journal_begin() that requires the lock to be taken
-only once, otherwise it won't be able to release the lock while taking
-other mutexes, ending up in inverted dependencies between the journal
-mutex and the reiserfs lock for example.
-
-This fixes:
-
-  =======================================================
-  [ INFO: possible circular locking dependency detected ]
-  2.6.35.4.4a #3
-  -------------------------------------------------------
-  lilo/1620 is trying to acquire lock:
-   (&journal->j_mutex){+.+...}, at: [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
-
-  but task is already holding lock:
-   (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
-
-  which lock already depends on the new lock.
-
-  the existing dependency chain (in reverse order) is:
-
-  -> #1 (&REISERFS_SB(s)->lock){+.+.+.}:
-         [<c10562b7>] lock_acquire+0x67/0x80
-         [<c12facad>] __mutex_lock_common+0x4d/0x410
-         [<c12fb0c8>] mutex_lock_nested+0x18/0x20
-         [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
-         [<d0325c06>] do_journal_begin_r+0x86/0x340 [reiserfs]
-         [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
-         [<d0315be4>] reiserfs_remount+0x224/0x530 [reiserfs]
-         [<c10b6a20>] do_remount_sb+0x60/0x110
-         [<c10cee25>] do_mount+0x625/0x790
-         [<c10cf014>] sys_mount+0x84/0xb0
-         [<c12fca3d>] syscall_call+0x7/0xb
-
-  -> #0 (&journal->j_mutex){+.+...}:
-         [<c10560f6>] __lock_acquire+0x1026/0x1180
-         [<c10562b7>] lock_acquire+0x67/0x80
-         [<c12facad>] __mutex_lock_common+0x4d/0x410
-         [<c12fb0c8>] mutex_lock_nested+0x18/0x20
-         [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
-         [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
-         [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
-         [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
-         [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
-         [<c10dbbe6>] block_prepare_write+0x26/0x40
-         [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
-         [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
-         [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
-         [<c10c3188>] vfs_ioctl+0x28/0xa0
-         [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
-         [<c10c3eb3>] sys_ioctl+0x63/0x70
-         [<c12fca3d>] syscall_call+0x7/0xb
-
-  other info that might help us debug this:
-
-  2 locks held by lilo/1620:
-   #0:  (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<d032945a>] reiserfs_unpack+0x6a/0x120 [reiserfs]
-   #1:  (&REISERFS_SB(s)->lock){+.+.+.}, at: [<d032a278>] reiserfs_write_lock+0x28/0x40 [reiserfs]
-
-  stack backtrace:
-  Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3
-  Call Trace:
-   [<c10560f6>] __lock_acquire+0x1026/0x1180
-   [<c10562b7>] lock_acquire+0x67/0x80
-   [<c12facad>] __mutex_lock_common+0x4d/0x410
-   [<c12fb0c8>] mutex_lock_nested+0x18/0x20
-   [<d0325bff>] do_journal_begin_r+0x7f/0x340 [reiserfs]
-   [<d0325f77>] journal_begin+0x77/0x140 [reiserfs]
-   [<d0326271>] reiserfs_persistent_transaction+0x41/0x90 [reiserfs]
-   [<d030d06c>] reiserfs_get_block+0x22c/0x1530 [reiserfs]
-   [<c10db9db>] __block_prepare_write+0x1bb/0x3a0
-   [<c10dbbe6>] block_prepare_write+0x26/0x40
-   [<d030b738>] reiserfs_prepare_write+0x88/0x170 [reiserfs]
-   [<d03294d6>] reiserfs_unpack+0xe6/0x120 [reiserfs]
-   [<d0329782>] reiserfs_ioctl+0x272/0x320 [reiserfs]
-   [<c10c3188>] vfs_ioctl+0x28/0xa0
-   [<c10c3bbd>] do_vfs_ioctl+0x32d/0x5c0
-   [<c10c3eb3>] sys_ioctl+0x63/0x70
-   [<c12fca3d>] syscall_call+0x7/0xb
-
-Reported-by: Jarek Poplawski <jarkao2@gmail.com>
-Tested-by: Jarek Poplawski <jarkao2@gmail.com>
-Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
-Cc: Jeff Mahoney <jeffm@suse.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/reiserfs/ioctl.c |    5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/fs/reiserfs/ioctl.c
-+++ b/fs/reiserfs/ioctl.c
-@@ -170,6 +170,7 @@ int reiserfs_prepare_write(struct file *
- int reiserfs_unpack(struct inode *inode, struct file *filp)
- {
-       int retval = 0;
-+      int depth;
-       int index;
-       struct page *page;
-       struct address_space *mapping;
-@@ -189,7 +190,7 @@ int reiserfs_unpack(struct inode *inode,
-        ** us
-        */
-       reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb);
--      reiserfs_write_lock(inode->i_sb);
-+      depth = reiserfs_write_lock_once(inode->i_sb);
-       write_from = inode->i_size & (blocksize - 1);
-       /* if we are on a block boundary, we are already unpacked.  */
-@@ -224,6 +225,6 @@ int reiserfs_unpack(struct inode *inode,
-       out:
-       mutex_unlock(&inode->i_mutex);
--      reiserfs_write_unlock(inode->i_sb);
-+      reiserfs_write_unlock_once(inode->i_sb, depth);
-       return retval;
- }
diff --git a/queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch b/queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch
deleted file mode 100644 (file)
index b38d367..0000000
+++ /dev/null
@@ -1,228 +0,0 @@
-From 7fc0405db42af7c170c6eb5d0244b38b54ea7d2c Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Fri, 6 Aug 2010 10:22:56 -0700
-Subject: Revert "ssb: Handle Netbook devices where the SPROM address is changed"
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-Turns out this isn't the best way to resolve this issue.  The
-individual patches will be applied instead.
-
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/ssb/driver_chipcommon.c           |    3 -
- drivers/ssb/driver_chipcommon_pmu.c       |   17 ++++++-----
- drivers/ssb/pci.c                         |   46 +++---------------------------
- drivers/ssb/sprom.c                       |   15 ---------
- include/linux/ssb/ssb.h                   |    1 
- include/linux/ssb/ssb_driver_chipcommon.h |    2 -
- include/linux/ssb/ssb_regs.h              |    3 -
- 7 files changed, 17 insertions(+), 70 deletions(-)
-
---- a/drivers/ssb/driver_chipcommon.c
-+++ b/drivers/ssb/driver_chipcommon.c
-@@ -233,9 +233,6 @@ void ssb_chipcommon_init(struct ssb_chip
- {
-       if (!cc->dev)
-               return; /* We don't have a ChipCommon */
--      if (cc->dev->id.revision >= 11)
--              cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT);
--      ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status);
-       ssb_pmu_init(cc);
-       chipco_powercontrol_init(cc);
-       ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST);
---- a/drivers/ssb/driver_chipcommon_pmu.c
-+++ b/drivers/ssb/driver_chipcommon_pmu.c
-@@ -495,9 +495,9 @@ static void ssb_pmu_resources_init(struc
-               chipco_write32(cc, SSB_CHIPCO_PMU_MAXRES_MSK, max_msk);
- }
--/* http://bcm-v4.sipsolutions.net/802.11/SSB/PmuInit */
- void ssb_pmu_init(struct ssb_chipcommon *cc)
- {
-+      struct ssb_bus *bus = cc->dev->bus;
-       u32 pmucap;
-       if (!(cc->capabilities & SSB_CHIPCO_CAP_PMU))
-@@ -509,12 +509,15 @@ void ssb_pmu_init(struct ssb_chipcommon
-       ssb_dprintk(KERN_DEBUG PFX "Found rev %u PMU (capabilities 0x%08X)\n",
-                   cc->pmu.rev, pmucap);
--      if (cc->pmu.rev == 1)
--              chipco_mask32(cc, SSB_CHIPCO_PMU_CTL,
--                            ~SSB_CHIPCO_PMU_CTL_NOILPONW);
--      else
--              chipco_set32(cc, SSB_CHIPCO_PMU_CTL,
--                           SSB_CHIPCO_PMU_CTL_NOILPONW);
-+      if (cc->pmu.rev >= 1) {
-+              if ((bus->chip_id == 0x4325) && (bus->chip_rev < 2)) {
-+                      chipco_mask32(cc, SSB_CHIPCO_PMU_CTL,
-+                                    ~SSB_CHIPCO_PMU_CTL_NOILPONW);
-+              } else {
-+                      chipco_set32(cc, SSB_CHIPCO_PMU_CTL,
-+                                   SSB_CHIPCO_PMU_CTL_NOILPONW);
-+              }
-+      }
-       ssb_pmu_pll_init(cc);
-       ssb_pmu_resources_init(cc);
- }
---- a/drivers/ssb/pci.c
-+++ b/drivers/ssb/pci.c
-@@ -22,7 +22,6 @@
- #include "ssb_private.h"
--bool ssb_is_sprom_available(struct ssb_bus *bus);
- /* Define the following to 1 to enable a printk on each coreswitch. */
- #define SSB_VERBOSE_PCICORESWITCH_DEBUG               0
-@@ -168,7 +167,7 @@ err_pci:
- }
- /* Get the word-offset for a SSB_SPROM_XXX define. */
--#define SPOFF(offset) ((offset) / sizeof(u16))
-+#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16))
- /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */
- #define SPEX16(_outvar, _offset, _mask, _shift)       \
-       out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift))
-@@ -253,13 +252,8 @@ static int sprom_do_read(struct ssb_bus
- {
-       int i;
--      /* Check if SPROM can be read */
--      if (ioread16(bus->mmio + bus->sprom_offset) == 0xFFFF) {
--              ssb_printk(KERN_ERR PFX "Unable to read SPROM\n");
--              return -ENODEV;
--      }
-       for (i = 0; i < bus->sprom_size; i++)
--              sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2));
-+              sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2));
-       return 0;
- }
-@@ -290,7 +284,7 @@ static int sprom_do_write(struct ssb_bus
-                       ssb_printk("75%%");
-               else if (i % 2)
-                       ssb_printk(".");
--              writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2));
-+              writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2));
-               mmiowb();
-               msleep(20);
-       }
-@@ -626,49 +620,21 @@ static int ssb_pci_sprom_get(struct ssb_
-       int err = -ENOMEM;
-       u16 *buf;
--      if (!ssb_is_sprom_available(bus)) {
--              ssb_printk(KERN_ERR PFX "No SPROM available!\n");
--              return -ENODEV;
--      }
--      if (bus->chipco.dev) {  /* can be unavailible! */
--              /*
--               * get SPROM offset: SSB_SPROM_BASE1 except for
--               * chipcommon rev >= 31 or chip ID is 0x4312 and
--               * chipcommon status & 3 == 2
--               */
--              if (bus->chipco.dev->id.revision >= 31)
--                      bus->sprom_offset = SSB_SPROM_BASE31;
--              else if (bus->chip_id == 0x4312 &&
--                       (bus->chipco.status & 0x03) == 2)
--                      bus->sprom_offset = SSB_SPROM_BASE31;
--              else
--                      bus->sprom_offset = SSB_SPROM_BASE1;
--      } else {
--              bus->sprom_offset = SSB_SPROM_BASE1;
--      }
--      ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset);
--
-       buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
-       if (!buf)
-               goto out;
-       bus->sprom_size = SSB_SPROMSIZE_WORDS_R123;
--      err = sprom_do_read(bus, buf);
--      if (err)
--              goto out_free;
-+      sprom_do_read(bus, buf);
-       err = sprom_check_crc(buf, bus->sprom_size);
-       if (err) {
-               /* try for a 440 byte SPROM - revision 4 and higher */
-               kfree(buf);
-               buf = kcalloc(SSB_SPROMSIZE_WORDS_R4, sizeof(u16),
-                             GFP_KERNEL);
--              if (!buf) {
--                      err = -ENOMEM;
-+              if (!buf)
-                       goto out;
--              }
-               bus->sprom_size = SSB_SPROMSIZE_WORDS_R4;
--              err = sprom_do_read(bus, buf);
--              if (err)
--                      goto out_free;
-+              sprom_do_read(bus, buf);
-               err = sprom_check_crc(buf, bus->sprom_size);
-               if (err) {
-                       /* All CRC attempts failed.
---- a/drivers/ssb/sprom.c
-+++ b/drivers/ssb/sprom.c
-@@ -175,18 +175,3 @@ const struct ssb_sprom *ssb_get_fallback
- {
-       return fallback_sprom;
- }
--
--/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */
--bool ssb_is_sprom_available(struct ssb_bus *bus)
--{
--      /* status register only exists on chipcomon rev >= 11 and we need check
--         for >= 31 only */
--      /* this routine differs from specs as we do not access SPROM directly
--         on PCMCIA */
--      if (bus->bustype == SSB_BUSTYPE_PCI &&
--          bus->chipco.dev &&  /* can be unavailible! */
--          bus->chipco.dev->id.revision >= 31)
--              return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
--
--      return true;
--}
---- a/include/linux/ssb/ssb.h
-+++ b/include/linux/ssb/ssb.h
-@@ -306,7 +306,6 @@ struct ssb_bus {
-       u16 chip_id;
-       u16 chip_rev;
-       u16 sprom_size;         /* number of words in sprom */
--      u16 sprom_offset;
-       u8 chip_package;
-       /* List of devices (cores) on the backplane. */
---- a/include/linux/ssb/ssb_driver_chipcommon.h
-+++ b/include/linux/ssb/ssb_driver_chipcommon.h
-@@ -46,7 +46,6 @@
- #define   SSB_PLLTYPE_7                       0x00038000      /* 25Mhz, 4 dividers */
- #define  SSB_CHIPCO_CAP_PCTL          0x00040000      /* Power Control */
- #define  SSB_CHIPCO_CAP_OTPS          0x00380000      /* OTP size */
--#define  SSB_CHIPCO_CAP_SPROM         0x40000000      /* SPROM present */
- #define  SSB_CHIPCO_CAP_OTPS_SHIFT    19
- #define  SSB_CHIPCO_CAP_OTPS_BASE     5
- #define  SSB_CHIPCO_CAP_JTAGM         0x00400000      /* JTAG master present */
-@@ -565,7 +564,6 @@ struct ssb_chipcommon_pmu {
- struct ssb_chipcommon {
-       struct ssb_device *dev;
-       u32 capabilities;
--      u32 status;
-       /* Fast Powerup Delay constant */
-       u16 fast_pwrup_delay;
-       struct ssb_chipcommon_pmu pmu;
---- a/include/linux/ssb/ssb_regs.h
-+++ b/include/linux/ssb/ssb_regs.h
-@@ -170,8 +170,7 @@
- #define SSB_SPROMSIZE_WORDS_R4                220
- #define SSB_SPROMSIZE_BYTES_R123      (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16))
- #define SSB_SPROMSIZE_BYTES_R4                (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16))
--#define SSB_SPROM_BASE1                       0x1000
--#define SSB_SPROM_BASE31              0x0800
-+#define SSB_SPROM_BASE                        0x1000
- #define SSB_SPROM_REVISION            0x107E
- #define  SSB_SPROM_REVISION_REV               0x00FF  /* SPROM Revision number */
- #define  SSB_SPROM_REVISION_CRC               0xFF00  /* SPROM CRC8 value */
diff --git a/queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch b/queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch
deleted file mode 100644 (file)
index ba2eb6c..0000000
+++ /dev/null
@@ -1,89 +0,0 @@
-From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001
-From: Steven Rostedt <srostedt@redhat.com>
-Date: Tue, 12 Oct 2010 12:06:43 -0400
-Subject: ring-buffer: Fix typo of time extends per page
-
-From: Steven Rostedt <srostedt@redhat.com>
-
-commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream.
-
-Time stamps for the ring buffer are created by the difference between
-two events. Each page of the ring buffer holds a full 64 bit timestamp.
-Each event has a 27 bit delta stamp from the last event. The unit of time
-is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events
-happen more than 134 milliseconds apart, a time extend is inserted
-to add more bits for the delta. The time extend has 59 bits, which
-is good for ~18 years.
-
-Currently the time extend is committed separately from the event.
-If an event is discarded before it is committed, due to filtering,
-the time extend still exists. If all events are being filtered, then
-after ~134 milliseconds a new time extend will be added to the buffer.
-
-This can only happen till the end of the page. Since each page holds
-a full timestamp, there is no reason to add a time extend to the
-beginning of a page. Time extends can only fill a page that has actual
-data at the beginning, so there is no fear that time extends will fill
-more than a page without any data.
-
-When reading an event, a loop is made to skip over time extends
-since they are only used to maintain the time stamp and are never
-given to the caller. As a paranoid check to prevent the loop running
-forever, with the knowledge that time extends may only fill a page,
-a check is made that tests the iteration of the loop, and if the
-iteration is more than the number of time extends that can fit in a page
-a warning is printed and the ring buffer is disabled (all of ftrace
-is also disabled with it).
-
-There is another event type that is called a TIMESTAMP which can
-hold 64 bits of data in the theoretical case that two events happen
-18 years apart. This code has not been implemented, but the name
-of this event exists, as well as the structure for it. The
-size of a TIMESTAMP is 16 bytes, where as a time extend is only
-8 bytes. The macro used to calculate how many time extends can fit on
-a page used the TIMESTAMP size instead of the time extend size
-cutting the amount in half.
-
-The following test case can easily trigger the warning since we only
-need to have half the page filled with time extends to trigger the
-warning:
-
- # cd /sys/kernel/debug/tracing/
- # echo function > current_tracer
- # echo 'common_pid < 0' > events/ftrace/function/filter
- # echo > trace
- # echo 1 > trace_marker
- # sleep 120
- # cat trace
-
-Enabling the function tracer and then setting the filter to only trace
-functions where the process id is negative (no events), then clearing
-the trace buffer to ensure that we have nothing in the buffer,
-then write to trace_marker to add an event to the beginning of a page,
-sleep for 2 minutes (only 35 seconds is probably needed, but this
-guarantees the bug), and then finally reading the trace which will
-trigger the bug.
-
-This patch fixes the typo and prevents the false positive of that warning.
-
-Reported-by: Hans J. Koch <hjk@linutronix.de>
-Tested-by: Hans J. Koch <hjk@linutronix.de>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/trace/ring_buffer.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/trace/ring_buffer.c
-+++ b/kernel/trace/ring_buffer.c
-@@ -389,7 +389,7 @@ static inline int test_time_stamp(u64 de
- #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2))
- /* Max number of timestamps that can fit on a page */
--#define RB_TIMESTAMPS_PER_PAGE        (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP)
-+#define RB_TIMESTAMPS_PER_PAGE        (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND)
- int ring_buffer_print_page_header(struct trace_seq *s)
- {
diff --git a/queue-2.6.33/rose-fix-signedness-issues-wrt.-digi-count.patch b/queue-2.6.33/rose-fix-signedness-issues-wrt.-digi-count.patch
deleted file mode 100644 (file)
index e79e196..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 82150dc22741d65244fd2b1694e5296a8df22741 Mon Sep 17 00:00:00 2001
-From: David S. Miller <davem@davemloft.net>
-Date: Mon, 20 Sep 2010 15:40:35 -0700
-Subject: rose: Fix signedness issues wrt. digi count.
-
-
-From: David S. Miller <davem@davemloft.net>
-
-[ Upstream commit 9828e6e6e3f19efcb476c567b9999891d051f52f ]
-
-Just use explicit casts, since we really can't change the
-types of structures exported to userspace which have been
-around for 15 years or so.
-
-Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/rose/af_rose.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/rose/af_rose.c
-+++ b/net/rose/af_rose.c
-@@ -678,7 +678,7 @@ static int rose_bind(struct socket *sock
-       if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
-               return -EINVAL;
--      if (addr->srose_ndigis > ROSE_MAX_DIGIS)
-+      if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
-               return -EINVAL;
-       if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
-@@ -738,7 +738,7 @@ static int rose_connect(struct socket *s
-       if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
-               return -EINVAL;
--      if (addr->srose_ndigis > ROSE_MAX_DIGIS)
-+      if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
-               return -EINVAL;
-       /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
diff --git a/queue-2.6.33/sched-fix-string-comparison-in-proc-sched_features.patch b/queue-2.6.33/sched-fix-string-comparison-in-proc-sched_features.patch
deleted file mode 100644 (file)
index faf2e46..0000000
+++ /dev/null
@@ -1,62 +0,0 @@
-From 7740191cd909b75d75685fb08a5d1f54b8a9d28b Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Mon, 13 Sep 2010 17:47:00 -0400
-Subject: sched: Fix string comparison in /proc/sched_features
-
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-
-commit 7740191cd909b75d75685fb08a5d1f54b8a9d28b upstream.
-
-Fix incorrect handling of the following case:
-
- INTERACTIVE
- INTERACTIVE_SOMETHING_ELSE
-
-The comparison only checks up to each element's length.
-
-Changelog since v1:
- - Embellish using some Rostedtisms.
-  [ mingo:                 ^^ == smaller and cleaner ]
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Tony Lindgren <tony@atomide.com>
-LKML-Reference: <20100913214700.GB16118@Krystal>
-Signed-off-by: Ingo Molnar <mingo@elte.hu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- kernel/sched.c |    7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/kernel/sched.c
-+++ b/kernel/sched.c
-@@ -740,7 +740,7 @@ sched_feat_write(struct file *filp, cons
-               size_t cnt, loff_t *ppos)
- {
-       char buf[64];
--      char *cmp = buf;
-+      char *cmp;
-       int neg = 0;
-       int i;
-@@ -751,6 +751,7 @@ sched_feat_write(struct file *filp, cons
-               return -EFAULT;
-       buf[cnt] = 0;
-+      cmp = strstrip(buf);
-       if (strncmp(buf, "NO_", 3) == 0) {
-               neg = 1;
-@@ -758,9 +759,7 @@ sched_feat_write(struct file *filp, cons
-       }
-       for (i = 0; sched_feat_names[i]; i++) {
--              int len = strlen(sched_feat_names[i]);
--
--              if (strncmp(cmp, sched_feat_names[i], len) == 0) {
-+              if (strcmp(cmp, sched_feat_names[i]) == 0) {
-                       if (neg)
-                               sysctl_sched_features &= ~(1UL << i);
-                       else
diff --git a/queue-2.6.33/sd-name-space-exhaustion-causes-system-hang.patch b/queue-2.6.33/sd-name-space-exhaustion-causes-system-hang.patch
deleted file mode 100644 (file)
index d851c81..0000000
+++ /dev/null
@@ -1,59 +0,0 @@
-From 1a03ae0f556a931aa3747b70e44b78308f5b0590 Mon Sep 17 00:00:00 2001
-From: Michael Reed <mdr@sgi.com>
-Date: Mon, 20 Sep 2010 11:20:22 -0500
-Subject: [SCSI] sd name space exhaustion causes system hang
-
-From: Michael Reed <mdr@sgi.com>
-
-commit 1a03ae0f556a931aa3747b70e44b78308f5b0590 upstream.
-
-Following a site power outage which re-enabled all the ports on my FC
-switches, my system subsequently booted with far too many luns!  I had
-let it run hoping it would make multi-user.  It didn't.  :(  It hung solid
-after exhausting the last sd device, sdzzz, and attempting to create sdaaaa
-and beyond.  I was unable to get a dump.
-
-Discovered using a 2.6.32.13 based system.
-
-correct this by detecting when the last index is utilized and failing
-the sd probe of the device.  Patch applies to scsi-misc-2.6.
-
-Signed-off-by: Michael Reed <mdr@sgi.com>
-Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/scsi/sd.c |   15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/drivers/scsi/sd.c
-+++ b/drivers/scsi/sd.c
-@@ -2156,11 +2156,10 @@ static void sd_probe_async(void *data, a
-       index = sdkp->index;
-       dev = &sdp->sdev_gendev;
--      if (index < SD_MAX_DISKS) {
--              gd->major = sd_major((index & 0xf0) >> 4);
--              gd->first_minor = ((index & 0xf) << 4) | (index & 0xfff00);
--              gd->minors = SD_MINORS;
--      }
-+      gd->major = sd_major((index & 0xf0) >> 4);
-+      gd->first_minor = ((index & 0xf) << 4) | (index & 0xfff00);
-+      gd->minors = SD_MINORS;
-+
-       gd->fops = &sd_fops;
-       gd->private_data = &sdkp->driver;
-       gd->queue = sdkp->device->request_queue;
-@@ -2249,6 +2248,12 @@ static int sd_probe(struct device *dev)
-       if (error)
-               goto out_put;
-+      if (index >= SD_MAX_DISKS) {
-+              error = -ENODEV;
-+              sdev_printk(KERN_WARNING, sdp, "SCSI disk (sd) name space exhausted.\n");
-+              goto out_free_index;
-+      }
-+
-       error = sd_format_disk_name("sd", index, gd->disk_name, DISK_NAME_LEN);
-       if (error)
-               goto out_free_index;
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
deleted file mode 100644 (file)
index 3458ab1..0000000
+++ /dev/null
@@ -1,210 +0,0 @@
-x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch
-alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
-alsa-oxygen-fix-analog-capture-on-claro-halo-cards.patch
-alsa-hda-add-dell-latitude-e6400-model-quirk.patch
-alsa-prevent-heap-corruption-in-snd_ctl_new.patch
-alsa-rawmidi-fix-oops-use-after-free-when-unloading-a-driver-module.patch
-usb-fix-bug-in-initialization-of-interface-minor-numbers.patch
-rdma-cxgb3-turn-off-rx-coalescing-for-iwarp-connections.patch
-mmc-sdhci-s3c-fix-null-ptr-access-in-sdhci_s3c_remove.patch
-x86-amd-iommu-set-iommu-configuration-flags-in-enable-loop.patch
-x86-amd-iommu-fix-rounding-bug-in-__unmap_single.patch
-x86-amd-iommu-work-around-s3-bios-bug.patch
-tracing-x86-don-t-use-mcount-in-pvclock.c.patch
-tracing-x86-don-t-use-mcount-in-kvmclock.c.patch
-v4l1-fix-32-bit-compat-microcode-loading-translation.patch
-v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch
-input-joydev-fix-jsiocsaxmap-ioctl.patch
-mac80211-fix-use-after-free.patch
-x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
-x86-irq-plug-memory-leak-in-sparse-irq.patch
-ubd-fix-incorrect-sector-handling-during-request-restart.patch
-ring-buffer-fix-typo-of-time-extends-per-page.patch
-dmaengine-fix-interrupt-clearing-for-mv_xor.patch
-hrtimer-preserve-timer-state-in-remove_hrtimer.patch
-reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
-reiserfs-fix-unwanted-reiserfs-lock-recursion.patch
-ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
-wext-fix-potential-private-ioctl-memory-content-leak.patch
-atl1-fix-resume.patch
-x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
-x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
-de-pessimize-rds_page_copy_user.patch
-drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch
-ip-fix-truesize-mismatch-in-ip-fragmentation.patch
-net-blackhole-route-should-always-be-recalculated.patch
-net-clear-heap-allocations-for-privileged-ethtool-actions.patch
-net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch
-net-fix-the-condition-passed-to-sk_wait_event.patch
-netxen-dont-set-skb-truesize.patch
-phonet-correct-header-retrieval-after-pskb_may_pull.patch
-rose-fix-signedness-issues-wrt.-digi-count.patch
-tcp-fix-4gb-writes-on-64-bit.patch
-tcp-fix-race-in-tcp_poll.patch
-xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch
-bsg-fix-incorrect-device_status-value.patch
-r6040-fix-r6040_multicast_list.patch
-r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch
-b44-fix-carrier-detection-on-bind.patch
-acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch
-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
-acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch
-acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch
-x86-detect-scattered-cpuid-features-earlier.patch
-setup_arg_pages-diagnose-excessive-argument-size.patch
-execve-improve-interactivity-with-large-arguments.patch
-execve-make-responsive-to-sigkill-with-large-arguments.patch
-x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch
-x86-32-fix-dummy-trampoline-related-inline-stubs.patch
-x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch
-revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch
-ssb-do-not-read-sprom-if-it-does-not-exist.patch
-ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch
-ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch
-ssb-handle-alternate-ssprom-location.patch
-staging-usbip-notify-usb-core-of-port-status-changes.patch
-staging-usbip-process-event-flags-without-delay.patch
-powerpc-perf-fix-sampling-enable-for-ppc970.patch
-pcmcia-synclink_cs-fix-information-leak-to-userland.patch
-sched-fix-string-comparison-in-proc-sched_features.patch
-bluetooth-fix-missing-null-check.patch
-futex-fix-errors-in-nested-key-ref-counting.patch
-mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch
-x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch
-x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch
-x86-olpc-don-t-retry-ec-commands-forever.patch
-x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch
-x86-intr-remap-set-redirection-hint-in-the-irte.patch
-x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch
-pipe-fix-failure-to-return-error-code-on-confirm.patch
-p54usb-fix-off-by-one-on-config_pm.patch
-p54usb-add-five-more-usbids.patch
-drivers-net-wireless-p54-eeprom.c-return-enomem-on-memory-allocation-failure.patch
-usb-add-pid-for-ftdi-based-opendcc-hardware.patch
-usb-ftdi_sio-new-vid-pids-for-various-papouch-devices.patch
-usb-musb-blackfin-call-gpio_free-on-error-path-in-musb_platform_init.patch
-usb-option-add-more-zte-modem-usb-id-s.patch
-usb-cp210x-add-renesas-rx-stick-device-id.patch
-usb-cp210x-add-wago-750-923-service-cable-device-id.patch
-usb-atmel_usba_udc-force-vbus_pin-at-einval-when-gpio_request-failled.patch
-usb-disable-endpoints-after-unbinding-interfaces-not-before.patch
-usb-opticon-fix-long-standing-bugs-in-opticon-driver.patch
-usb-accept-some-invalid-ep0-maxpacket-values.patch
-sd-name-space-exhaustion-causes-system-hang.patch
-libsas-fix-ncq-mixing-with-non-ncq.patch
-gdth-integer-overflow-in-ioctl.patch
-fix-race-when-removing-scsi-devices.patch
-fix-regressions-in-scsi_internal_device_block.patch
-block-ensure-physical-block-size-is-unsigned-int.patch
-block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
-block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
-block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
-irda-fix-parameter-extraction-stack-overflow.patch
-irda-fix-heap-memory-corruption-in-iriap.c.patch
-net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
-reiserfs-don-t-acquire-lock-recursively-in-reiserfs_acl_chmod.patch
-staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch
-staging-asus_oled-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch
-staging-line6-fix-up-some-sysfs-attribute-permissions.patch
-hpet-fix-unwanted-interrupt-due-to-stale-irq-status-bit.patch
-hpet-unmap-unused-i-o-space.patch
-olpc_battery-fix-endian-neutral-breakage-for-s16-values.patch
-percpu-fix-list_head-init-bug-in-__percpu_counter_init.patch
-um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch
-um-fix-global-timer-issue-when-using-config_no_hz.patch
-numa-fix-slab_node-mpol_bind.patch
-hwmon-lm85-fix-adt7468-frequency-table.patch
-mm-fix-return-value-of-scan_lru_pages-in-memory-unplug.patch
-mm-fix-is_mem_section_removable-page_order-bug_on-check.patch
-ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch
-sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch
-xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch
-xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch
-ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
-ipc-shm-fix-information-leak-to-userland.patch
-sys_semctl-fix-kernel-stack-leakage.patch
-net-netif_f_hw_csum-does-not-imply-fcoe-crc-offload.patch
-drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch
-viafb-use-proper-register-for-colour-when-doing-fill-ops.patch
-ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch
-md-raid1-really-fix-recovery-looping-when-single-good-device-fails.patch
-md-fix-return-value-of-rdev_size_change.patch
-tty-prevent-dos-in-the-flush_to_ldisc.patch
-tty-restore-tty_ldisc_wait_idle.patch
-tty_ldisc-fix-bug-on-hangup.patch
-tty-ldisc-fix-open-flag-handling.patch
-firewire-ohci-fix-buffer-overflow-in-ar-split-packet-handling.patch
-firewire-ohci-fix-race-in-ar-split-packet-handling.patch
-alsa-hda-fixed-alc887-vd-initial-error.patch
-alsa-ac97-apply-quirk-for-dell-latitude-d610-binding-master-and-headphone-controls.patch
-alsa-hda-add-an-extra-dac-for-realtek-alc887-vd.patch
-alsa-hda-use-alienware-model-quirk-for-another-ssid.patch
-netfilter-nf_conntrack-allow-nf_ct_alloc_hashtable-to-get-highmem-pages.patch
-latencytop-fix-per-task-accumulator.patch
-mm-vfs-revalidate-page-mapping-in-do_generic_file_read.patch
-bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
-drm-ttm-clear-the-ghost-cpu_writers-flag-on-ttm_buffer_object_transfer.patch
-libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch
-pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch
-pci-fix-offset-check-for-sysfs-mmapped-files.patch
-efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch
-usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
-usb-misc-sisusbvga-fix-information-leak-to-userland.patch
-usb-misc-iowarrior-fix-information-leak-to-userland.patch
-usb-core-fix-information-leak-to-userland.patch
-staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch
-usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
-usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
-usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch
-usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch
-usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch
-usb-ftdi_sio-revert-usb-ftdi_sio-fix-dtr-rts-line-modes.patch
-usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch
-usb-misc-usbsevseg-fix-up-some-sysfs-attribute-permissions.patch
-usb-ftdi_sio-add-id-for-rt-systems-usb-29b-radio-cable.patch
-usb-serial-ftdi_sio-vardaan-usb-rs422-485-converter-pid-added.patch
-acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
-fuse-fix-attributes-after-open-o_trunc.patch
-do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
-backlight-grab-ops_lock-before-testing-bd-ops.patch
-nommu-yield-cpu-while-disposing-vm.patch
-x86-ignore-trap-bits-on-single-step-exceptions.patch
-decnet-don-t-leak-uninitialized-stack-byte.patch
-perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
-arm-6489-1-thumb2-fix-incorrect-optimisation-in-usracc.patch
-arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
-leds-fix-bug-with-reading-nas-ss4200-dmi-code.patch
-udp-add-rehash-on-connect.patch
-staging-samsung-laptop-fix-up-some-sysfs-attribute-permissions.patch
-staging-samsung-laptop-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch
-staging-frontier-fix-up-some-sysfs-attribute-permissions.patch
-staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch
-mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
-mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch
-mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
-mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
-ext4-consolidate-in_range-definitions.patch
-x86-64-compat-test-rax-for-the-syscall-number-not-eax.patch
-x86-64-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
-compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch
-ext4-prevent-creation-of-files-larger-than-rlimit_fsize-using-fallocate.patch
-mm-fix-corruption-of-hibernation-caused-by-reusing-swap-during-image-saving.patch
-btrfs-kfree-correct-pointer-during-mount-option-parsing.patch
-prioritize-synchronous-signals-over-normal-signals.patch
-mm-vmscan-raise-the-bar-to-pageout_io_sync-stalls.patch
-wmi-use-memcmp-instead-of-strncmp-to-compare-guids.patch
-nohz-s390-fix-arch_needs_cpu-return-value-on-offline-cpus.patch
-genirq-fix-incorrect-proc-spurious-output.patch
-net-truncate-recvfrom-and-sendto-length-to-int_max.patch
-net-limit-socket-i-o-iovec-total-length-to-int_max.patch
-x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
-memory-corruption-in-x.25-facilities-parsing.patch
-can-bcm-fix-minor-heap-overflow.patch
-v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
-x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
-crypto-padlock-fix-aes-cbc-handling-on-odd-block-sized-input.patch
-econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
-econet-fix-cve-2010-3850.patch
-econet-fix-cve-2010-3848.patch
-rds-integer-overflow-in-rds-cmsg-handling.patch
-sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch
diff --git a/queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch b/queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch
deleted file mode 100644 (file)
index d86739e..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1b528181b2ffa14721fb28ad1bd539fe1732c583 Mon Sep 17 00:00:00 2001
-From: Roland McGrath <roland@redhat.com>
-Date: Tue, 7 Sep 2010 19:35:49 -0700
-Subject: setup_arg_pages: diagnose excessive argument size
-
-From: Roland McGrath <roland@redhat.com>
-
-commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream.
-
-The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
-check the size of the argument/environment area on the stack.
-When it is unworkably large, shift_arg_pages() hits its BUG_ON.
-This is exploitable with a very large RLIMIT_STACK limit, to
-create a crash pretty easily.
-
-Check that the initial stack is not too large to make it possible
-to map in any executable.  We're not checking that the actual
-executable (or intepreter, for binfmt_elf) will fit.  So those
-mappings might clobber part of the initial stack mapping.  But
-that is just userland lossage that userland made happen, not a
-kernel problem.
-
-Signed-off-by: Roland McGrath <roland@redhat.com>
-Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Chuck Ebbert <cebbert@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- fs/exec.c |    5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -593,6 +593,11 @@ int setup_arg_pages(struct linux_binprm
- #else
-       stack_top = arch_align_stack(stack_top);
-       stack_top = PAGE_ALIGN(stack_top);
-+
-+      if (unlikely(stack_top < mmap_min_addr) ||
-+          unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
-+              return -ENOMEM;
-+
-       stack_shift = vma->vm_end - stack_top;
-       bprm->p -= stack_shift;
diff --git a/queue-2.6.33/sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch b/queue-2.6.33/sgi-xp-incoming-xpc-channel-messages-can-come-in-after-the-channel-s-partition-structures-have-been-torn-down.patch
deleted file mode 100644 (file)
index 3bbd128..0000000
+++ /dev/null
@@ -1,95 +0,0 @@
-From 09358972bff5ce99de496bbba97c85d417b3c054 Mon Sep 17 00:00:00 2001
-From: Robin Holt <holt@sgi.com>
-Date: Tue, 26 Oct 2010 14:21:15 -0700
-Subject: sgi-xp: incoming XPC channel messages can come in after the channel's partition structures have been torn down
-
-From: Robin Holt <holt@sgi.com>
-
-commit 09358972bff5ce99de496bbba97c85d417b3c054 upstream.
-
-Under some workloads, some channel messages have been observed being
-delayed on the sending side past the point where the receiving side has
-been able to tear down its partition structures.
-
-This condition is already detected in xpc_handle_activate_IRQ_uv(), but
-that information is not given to xpc_handle_activate_mq_msg_uv().  As a
-result, xpc_handle_activate_mq_msg_uv() assumes the structures still exist
-and references them, causing a NULL-pointer deref.
-
-Signed-off-by: Robin Holt <holt@sgi.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/misc/sgi-xp/xpc_uv.c |   17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
---- a/drivers/misc/sgi-xp/xpc_uv.c
-+++ b/drivers/misc/sgi-xp/xpc_uv.c
-@@ -416,6 +416,7 @@ xpc_process_activate_IRQ_rcvd_uv(void)
- static void
- xpc_handle_activate_mq_msg_uv(struct xpc_partition *part,
-                             struct xpc_activate_mq_msghdr_uv *msg_hdr,
-+                            int part_setup,
-                             int *wakeup_hb_checker)
- {
-       unsigned long irq_flags;
-@@ -480,6 +481,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc
-       case XPC_ACTIVATE_MQ_MSG_CHCTL_CLOSEREQUEST_UV: {
-               struct xpc_activate_mq_msg_chctl_closerequest_uv *msg;
-+              if (!part_setup)
-+                      break;
-+
-               msg = container_of(msg_hdr, struct
-                                  xpc_activate_mq_msg_chctl_closerequest_uv,
-                                  hdr);
-@@ -496,6 +500,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc
-       case XPC_ACTIVATE_MQ_MSG_CHCTL_CLOSEREPLY_UV: {
-               struct xpc_activate_mq_msg_chctl_closereply_uv *msg;
-+              if (!part_setup)
-+                      break;
-+
-               msg = container_of(msg_hdr, struct
-                                  xpc_activate_mq_msg_chctl_closereply_uv,
-                                  hdr);
-@@ -510,6 +517,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc
-       case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENREQUEST_UV: {
-               struct xpc_activate_mq_msg_chctl_openrequest_uv *msg;
-+              if (!part_setup)
-+                      break;
-+
-               msg = container_of(msg_hdr, struct
-                                  xpc_activate_mq_msg_chctl_openrequest_uv,
-                                  hdr);
-@@ -527,6 +537,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc
-       case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENREPLY_UV: {
-               struct xpc_activate_mq_msg_chctl_openreply_uv *msg;
-+              if (!part_setup)
-+                      break;
-+
-               msg = container_of(msg_hdr, struct
-                                  xpc_activate_mq_msg_chctl_openreply_uv, hdr);
-               args = &part->remote_openclose_args[msg->ch_number];
-@@ -544,6 +557,9 @@ xpc_handle_activate_mq_msg_uv(struct xpc
-       case XPC_ACTIVATE_MQ_MSG_CHCTL_OPENCOMPLETE_UV: {
-               struct xpc_activate_mq_msg_chctl_opencomplete_uv *msg;
-+              if (!part_setup)
-+                      break;
-+
-               msg = container_of(msg_hdr, struct
-                               xpc_activate_mq_msg_chctl_opencomplete_uv, hdr);
-               spin_lock_irqsave(&part->chctl_lock, irq_flags);
-@@ -620,6 +636,7 @@ xpc_handle_activate_IRQ_uv(int irq, void
-                       part_referenced = xpc_part_ref(part);
-                       xpc_handle_activate_mq_msg_uv(part, msg_hdr,
-+                                                    part_referenced,
-                                                     &wakeup_hb_checker);
-                       if (part_referenced)
-                               xpc_part_deref(part);
diff --git a/queue-2.6.33/sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch b/queue-2.6.33/sgi-xpc-xpc-fails-to-discover-partitions-with-all-nasids-above-128.patch
deleted file mode 100644 (file)
index ce776d7..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-From c22c7aeff69796f46ae0fcec141538e28f50b24e Mon Sep 17 00:00:00 2001
-From: Robin@sgi.com <Robin@sgi.com>
-Date: Wed, 24 Nov 2010 12:56:59 -0800
-Subject: sgi-xpc: XPC fails to discover partitions with all nasids above 128
-
-From: Robin@sgi.com <Robin@sgi.com>
-
-commit c22c7aeff69796f46ae0fcec141538e28f50b24e upstream.
-
-UV hardware defines 256 memory protection regions versus the baseline 64
-with increasing size for the SN2 ia64.  This was overlooked when XPC was
-modified to accomodate both UV and SN2.
-
-Without this patch, a user could reconfigure their existing system and
-suddenly disable cross-partition communications with no indication of what
-has gone wrong.  It also prevents larger configurations from using
-cross-partition communication.
-
-Signed-off-by: Robin Holt <holt@sgi.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/misc/sgi-xp/xpc_partition.c |   25 +++++++++++++++----------
- 1 file changed, 15 insertions(+), 10 deletions(-)
-
---- a/drivers/misc/sgi-xp/xpc_partition.c
-+++ b/drivers/misc/sgi-xp/xpc_partition.c
-@@ -438,18 +438,23 @@ xpc_discovery(void)
-        * nodes that can comprise an access protection grouping. The access
-        * protection is in regards to memory, IOI and IPI.
-        */
--      max_regions = 64;
-       region_size = xp_region_size;
--      switch (region_size) {
--      case 128:
--              max_regions *= 2;
--      case 64:
--              max_regions *= 2;
--      case 32:
--              max_regions *= 2;
--              region_size = 16;
--              DBUG_ON(!is_shub2());
-+      if (is_uv())
-+              max_regions = 256;
-+      else {
-+              max_regions = 64;
-+
-+              switch (region_size) {
-+              case 128:
-+                      max_regions *= 2;
-+              case 64:
-+                      max_regions *= 2;
-+              case 32:
-+                      max_regions *= 2;
-+                      region_size = 16;
-+                      DBUG_ON(!is_shub2());
-+              }
-       }
-       for (region = 0; region < max_regions; region++) {
diff --git a/queue-2.6.33/ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch b/queue-2.6.33/ssb-b43-pci-bridge-add-new-vendor-for-bcm4318.patch
deleted file mode 100644 (file)
index 23a79de..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 1d8638d4038eb8709edc80e37a0bbb77253d86e9 Mon Sep 17 00:00:00 2001
-From: Daniel Klaffenbach <danielklaffenbach@gmail.com>
-Date: Fri, 19 Nov 2010 21:25:21 -0600
-Subject: ssb: b43-pci-bridge: Add new vendor for BCM4318
-
-From: Daniel Klaffenbach <danielklaffenbach@gmail.com>
-
-commit 1d8638d4038eb8709edc80e37a0bbb77253d86e9 upstream.
-
-Add new vendor for Broadcom 4318.
-
-Signed-off-by: Daniel Klaffenbach <danielklaffenbach@gmail.com>
-Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/ssb/b43_pci_bridge.c |    1 +
- include/linux/pci_ids.h      |    1 +
- 2 files changed, 2 insertions(+)
-
---- a/drivers/ssb/b43_pci_bridge.c
-+++ b/drivers/ssb/b43_pci_bridge.c
-@@ -24,6 +24,7 @@ static const struct pci_device_id b43_pc
-       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4312) },
-       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4315) },
-       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4318) },
-+      { PCI_DEVICE(PCI_VENDOR_ID_BCM_GVC,  0x4318) },
-       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4319) },
-       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4320) },
-       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4321) },
---- a/include/linux/pci_ids.h
-+++ b/include/linux/pci_ids.h
-@@ -2039,6 +2039,7 @@
- #define PCI_DEVICE_ID_AFAVLAB_P030    0x2182
- #define PCI_SUBDEVICE_ID_AFAVLAB_P061         0x2150
-+#define PCI_VENDOR_ID_BCM_GVC          0x14a4
- #define PCI_VENDOR_ID_BROADCOM                0x14e4
- #define PCI_DEVICE_ID_TIGON3_5752     0x1600
- #define PCI_DEVICE_ID_TIGON3_5752M    0x1601
diff --git a/queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch b/queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch
deleted file mode 100644 (file)
index 8f58897..0000000
+++ /dev/null
@@ -1,141 +0,0 @@
-From d53cdbb94a52a920d5420ed64d986c3523a56743 Mon Sep 17 00:00:00 2001
-From: John W. Linville <linville@tuxdriver.com>
-Date: Wed, 31 Mar 2010 21:39:35 +0200
-Subject: ssb: do not read SPROM if it does not exist
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: John W. Linville <linville@tuxdriver.com>
-
-commit d53cdbb94a52a920d5420ed64d986c3523a56743 upstream.
-
-Attempting to read registers that don't exist on the SSB bus can cause
-hangs on some boxes.  At least some b43 devices are 'in the wild' that
-don't have SPROMs at all.  When the SSB bus support loads, it attempts
-to read these (non-existant) SPROMs and causes hard hangs on the box --
-no console output, etc.
-
-This patch adds some intelligence to determine whether or not the SPROM
-is present before attempting to read it.  This avoids those hard hangs
-on those devices with no SPROM attached to their SSB bus.  The
-SSB-attached devices (e.g. b43, et al.) won't work, but at least the box
-will survive to test further patches. :-)
-
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Michael Buesch <mb@bu3sch.de>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/ssb/driver_chipcommon.c           |    2 ++
- drivers/ssb/pci.c                         |    5 +++++
- drivers/ssb/sprom.c                       |   14 ++++++++++++++
- include/linux/ssb/ssb.h                   |    3 +++
- include/linux/ssb/ssb_driver_chipcommon.h |   15 +++++++++++++++
- 5 files changed, 39 insertions(+)
-
---- a/drivers/ssb/driver_chipcommon.c
-+++ b/drivers/ssb/driver_chipcommon.c
-@@ -233,6 +233,8 @@ void ssb_chipcommon_init(struct ssb_chip
- {
-       if (!cc->dev)
-               return; /* We don't have a ChipCommon */
-+      if (cc->dev->id.revision >= 11)
-+              cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT);
-       ssb_pmu_init(cc);
-       chipco_powercontrol_init(cc);
-       ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST);
---- a/drivers/ssb/pci.c
-+++ b/drivers/ssb/pci.c
-@@ -620,6 +620,11 @@ static int ssb_pci_sprom_get(struct ssb_
-       int err = -ENOMEM;
-       u16 *buf;
-+      if (!ssb_is_sprom_available(bus)) {
-+              ssb_printk(KERN_ERR PFX "No SPROM available!\n");
-+              return -ENODEV;
-+      }
-+
-       buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
-       if (!buf)
-               goto out;
---- a/drivers/ssb/sprom.c
-+++ b/drivers/ssb/sprom.c
-@@ -175,3 +175,17 @@ const struct ssb_sprom *ssb_get_fallback
- {
-       return fallback_sprom;
- }
-+
-+/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */
-+bool ssb_is_sprom_available(struct ssb_bus *bus)
-+{
-+      /* status register only exists on chipcomon rev >= 11 and we need check
-+         for >= 31 only */
-+      /* this routine differs from specs as we do not access SPROM directly
-+         on PCMCIA */
-+      if (bus->bustype == SSB_BUSTYPE_PCI &&
-+          bus->chipco.dev->id.revision >= 31)
-+              return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
-+
-+      return true;
-+}
---- a/include/linux/ssb/ssb.h
-+++ b/include/linux/ssb/ssb.h
-@@ -394,6 +394,9 @@ extern int ssb_bus_sdiobus_register(stru
- extern void ssb_bus_unregister(struct ssb_bus *bus);
-+/* Does the device have an SPROM? */
-+extern bool ssb_is_sprom_available(struct ssb_bus *bus);
-+
- /* Set a fallback SPROM.
-  * See kdoc at the function definition for complete documentation. */
- extern int ssb_arch_set_fallback_sprom(const struct ssb_sprom *sprom);
---- a/include/linux/ssb/ssb_driver_chipcommon.h
-+++ b/include/linux/ssb/ssb_driver_chipcommon.h
-@@ -53,6 +53,7 @@
- #define  SSB_CHIPCO_CAP_64BIT         0x08000000      /* 64-bit Backplane */
- #define  SSB_CHIPCO_CAP_PMU           0x10000000      /* PMU available (rev >= 20) */
- #define  SSB_CHIPCO_CAP_ECI           0x20000000      /* ECI available (rev >= 20) */
-+#define  SSB_CHIPCO_CAP_SPROM         0x40000000      /* SPROM present */
- #define SSB_CHIPCO_CORECTL            0x0008
- #define  SSB_CHIPCO_CORECTL_UARTCLK0  0x00000001      /* Drive UART with internal clock */
- #define        SSB_CHIPCO_CORECTL_SE          0x00000002      /* sync clk out enable (corerev >= 3) */
-@@ -385,6 +386,7 @@
- /** Chip specific Chip-Status register contents. */
-+#define SSB_CHIPCO_CHST_4322_SPROM_EXISTS     0x00000040 /* SPROM present */
- #define SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL    0x00000003
- #define SSB_CHIPCO_CHST_4325_DEFCIS_SEL               0 /* OTP is powered up, use def. CIS, no SPROM */
- #define SSB_CHIPCO_CHST_4325_SPROM_SEL                1 /* OTP is powered up, SPROM is present */
-@@ -398,6 +400,18 @@
- #define SSB_CHIPCO_CHST_4325_RCAL_VALUE_SHIFT 4
- #define SSB_CHIPCO_CHST_4325_PMUTOP_2B                0x00000200 /* 1 for 2b, 0 for to 2a */
-+/** Macros to determine SPROM presence based on Chip-Status register. */
-+#define SSB_CHIPCO_CHST_4312_SPROM_PRESENT(status) \
-+      ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \
-+              SSB_CHIPCO_CHST_4325_OTP_SEL)
-+#define SSB_CHIPCO_CHST_4322_SPROM_PRESENT(status) \
-+      (status & SSB_CHIPCO_CHST_4322_SPROM_EXISTS)
-+#define SSB_CHIPCO_CHST_4325_SPROM_PRESENT(status) \
-+      (((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \
-+              SSB_CHIPCO_CHST_4325_DEFCIS_SEL) && \
-+       ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \
-+              SSB_CHIPCO_CHST_4325_OTP_SEL))
-+
- /** Clockcontrol masks and values **/
-@@ -564,6 +578,7 @@ struct ssb_chipcommon_pmu {
- struct ssb_chipcommon {
-       struct ssb_device *dev;
-       u32 capabilities;
-+      u32 status;
-       /* Fast Powerup Delay constant */
-       u16 fast_pwrup_delay;
-       struct ssb_chipcommon_pmu pmu;
diff --git a/queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch b/queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch
deleted file mode 100644 (file)
index 5e7559c..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-From da1fdb02d9200ff28b6f3a380d21930335fe5429 Mon Sep 17 00:00:00 2001
-From: Christoph Fritz <chf.fritz@googlemail.com>
-Date: Fri, 28 May 2010 10:45:59 +0200
-Subject: ssb: fix NULL ptr deref when pcihost_wrapper is used
-
-From: Christoph Fritz <chf.fritz@googlemail.com>
-
-commit da1fdb02d9200ff28b6f3a380d21930335fe5429 upstream.
-
-Ethernet driver b44 does register ssb by it's pcihost_wrapper
-and doesn't set ssb_chipcommon. A check on this value
-introduced with commit d53cdbb94a52a920d5420ed64d986c3523a56743
-and ea2db495f92ad2cf3301623e60cb95b4062bc484 triggers:
-
-BUG: unable to handle kernel NULL pointer dereference at 00000010
-IP: [<c1266c36>] ssb_is_sprom_available+0x16/0x30
-
-Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/ssb/pci.c   |    9 ++++++---
- drivers/ssb/sprom.c |    1 +
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
---- a/drivers/ssb/pci.c
-+++ b/drivers/ssb/pci.c
-@@ -624,9 +624,12 @@ static int ssb_pci_sprom_get(struct ssb_
-               ssb_printk(KERN_ERR PFX "No SPROM available!\n");
-               return -ENODEV;
-       }
--
--      bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
--              SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
-+      if (bus->chipco.dev) {  /* can be unavailible! */
-+              bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
-+                      SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
-+      } else {
-+              bus->sprom_offset = SSB_SPROM_BASE1;
-+      }
-       buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
-       if (!buf)
---- a/drivers/ssb/sprom.c
-+++ b/drivers/ssb/sprom.c
-@@ -184,6 +184,7 @@ bool ssb_is_sprom_available(struct ssb_b
-       /* this routine differs from specs as we do not access SPROM directly
-          on PCMCIA */
-       if (bus->bustype == SSB_BUSTYPE_PCI &&
-+          bus->chipco.dev &&  /* can be unavailible! */
-           bus->chipco.dev->id.revision >= 31)
-               return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
diff --git a/queue-2.6.33/ssb-handle-alternate-ssprom-location.patch b/queue-2.6.33/ssb-handle-alternate-ssprom-location.patch
deleted file mode 100644 (file)
index b12eac3..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-From 9d1ac34ec3a67713308ae0883c3359c557f14d17 Mon Sep 17 00:00:00 2001
-From: Larry Finger <Larry.Finger@lwfinger.net>
-Date: Fri, 14 May 2010 22:08:58 -0500
-Subject: ssb: Handle alternate SSPROM location
-
-From: Larry Finger <Larry.Finger@lwfinger.net>
-
-commit 9d1ac34ec3a67713308ae0883c3359c557f14d17 upstream.
-
-In kernel Bugzilla #15825 (2 users), in a wireless mailing list thread
-(http://lists.infradead.org/pipermail/b43-dev/2010-May/000124.html), and on a
-netbook owned by John Linville
-(http://marc.info/?l=linux-wireless&m=127230751408818&w=4), there are reports
-of ssb failing to detect an SPROM at the normal location. After studying the
-MMIO trace dump for the Broadcom wl driver, it was determined that the affected
-boxes had a relocated SPROM.
-
-This patch fixes all systems that have reported this problem.
-
-Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/ssb/driver_chipcommon.c |    1 +
- drivers/ssb/pci.c               |   15 +++++++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
---- a/drivers/ssb/driver_chipcommon.c
-+++ b/drivers/ssb/driver_chipcommon.c
-@@ -235,6 +235,7 @@ void ssb_chipcommon_init(struct ssb_chip
-               return; /* We don't have a ChipCommon */
-       if (cc->dev->id.revision >= 11)
-               cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT);
-+      ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status);
-       ssb_pmu_init(cc);
-       chipco_powercontrol_init(cc);
-       ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST);
---- a/drivers/ssb/pci.c
-+++ b/drivers/ssb/pci.c
-@@ -625,11 +625,22 @@ static int ssb_pci_sprom_get(struct ssb_
-               return -ENODEV;
-       }
-       if (bus->chipco.dev) {  /* can be unavailible! */
--              bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
--                      SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
-+              /*
-+               * get SPROM offset: SSB_SPROM_BASE1 except for
-+               * chipcommon rev >= 31 or chip ID is 0x4312 and
-+               * chipcommon status & 3 == 2
-+               */
-+              if (bus->chipco.dev->id.revision >= 31)
-+                      bus->sprom_offset = SSB_SPROM_BASE31;
-+              else if (bus->chip_id == 0x4312 &&
-+                       (bus->chipco.status & 0x03) == 2)
-+                      bus->sprom_offset = SSB_SPROM_BASE31;
-+              else
-+                      bus->sprom_offset = SSB_SPROM_BASE1;
-       } else {
-               bus->sprom_offset = SSB_SPROM_BASE1;
-       }
-+      ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset);
-       buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
-       if (!buf)
diff --git a/queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch b/queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch
deleted file mode 100644 (file)
index 5b939e7..0000000
+++ /dev/null
@@ -1,91 +0,0 @@
-From ea2db495f92ad2cf3301623e60cb95b4062bc484 Mon Sep 17 00:00:00 2001
-From: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
-Date: Wed, 31 Mar 2010 21:59:21 +0200
-Subject: ssb: Look for SPROM at different offset on higher rev CC
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
-
-commit ea2db495f92ad2cf3301623e60cb95b4062bc484 upstream.
-
-Our offset handling becomes even a little more hackish now. For some reason I
-do not understand all offsets as inrelative. It assumes base offset is 0x1000
-but it will work for now as we make offsets relative anyway by removing base
-0x1000. Should be cleaner however.
-
-Signed-off-by: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
-
----
- drivers/ssb/pci.c            |    9 ++++++---
- include/linux/ssb/ssb.h      |    1 +
- include/linux/ssb/ssb_regs.h |    3 ++-
- 3 files changed, 9 insertions(+), 4 deletions(-)
-
---- a/drivers/ssb/pci.c
-+++ b/drivers/ssb/pci.c
-@@ -167,7 +167,7 @@ err_pci:
- }
- /* Get the word-offset for a SSB_SPROM_XXX define. */
--#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16))
-+#define SPOFF(offset) (((offset) - SSB_SPROM_BASE1) / sizeof(u16))
- /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */
- #define SPEX16(_outvar, _offset, _mask, _shift)       \
-       out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift))
-@@ -253,7 +253,7 @@ static int sprom_do_read(struct ssb_bus
-       int i;
-       for (i = 0; i < bus->sprom_size; i++)
--              sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2));
-+              sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2));
-       return 0;
- }
-@@ -284,7 +284,7 @@ static int sprom_do_write(struct ssb_bus
-                       ssb_printk("75%%");
-               else if (i % 2)
-                       ssb_printk(".");
--              writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2));
-+              writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2));
-               mmiowb();
-               msleep(20);
-       }
-@@ -625,6 +625,9 @@ static int ssb_pci_sprom_get(struct ssb_
-               return -ENODEV;
-       }
-+      bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
-+              SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
-+
-       buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
-       if (!buf)
-               goto out;
---- a/include/linux/ssb/ssb.h
-+++ b/include/linux/ssb/ssb.h
-@@ -305,6 +305,7 @@ struct ssb_bus {
-       /* ID information about the Chip. */
-       u16 chip_id;
-       u16 chip_rev;
-+      u16 sprom_offset;
-       u16 sprom_size;         /* number of words in sprom */
-       u8 chip_package;
---- a/include/linux/ssb/ssb_regs.h
-+++ b/include/linux/ssb/ssb_regs.h
-@@ -170,7 +170,8 @@
- #define SSB_SPROMSIZE_WORDS_R4                220
- #define SSB_SPROMSIZE_BYTES_R123      (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16))
- #define SSB_SPROMSIZE_BYTES_R4                (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16))
--#define SSB_SPROM_BASE                        0x1000
-+#define SSB_SPROM_BASE1                       0x1000
-+#define SSB_SPROM_BASE31              0x0800
- #define SSB_SPROM_REVISION            0x107E
- #define  SSB_SPROM_REVISION_REV               0x00FF  /* SPROM Revision number */
- #define  SSB_SPROM_REVISION_CRC               0xFF00  /* SPROM CRC8 value */
diff --git a/queue-2.6.33/staging-asus_oled-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch b/queue-2.6.33/staging-asus_oled-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index 5a21633..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 515b4987ccd097cdf5416530b05fdf9e01afe95a Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Thu, 18 Nov 2010 11:21:04 -0800
-Subject: Staging: asus_oled: fix up my fixup for some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 515b4987ccd097cdf5416530b05fdf9e01afe95a upstream.
-
-They should be writable by root, not readable.
-Doh, stupid me with the wrong flags.
-
-Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
-Cc: Jakub Schmidtke <sjakub@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/asus_oled/asus_oled.c |    8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/staging/asus_oled/asus_oled.c
-+++ b/drivers/staging/asus_oled/asus_oled.c
-@@ -609,13 +609,13 @@ static ssize_t class_set_picture(struct
- #define ASUS_OLED_DEVICE_ATTR(_file)          dev_attr_asus_oled_##_file
--static DEVICE_ATTR(asus_oled_enabled, S_IRUSR | S_IRUGO,
-+static DEVICE_ATTR(asus_oled_enabled, S_IWUSR | S_IRUGO,
-                  get_enabled, set_enabled);
--static DEVICE_ATTR(asus_oled_picture, S_IRUSR , NULL, set_picture);
-+static DEVICE_ATTR(asus_oled_picture, S_IWUSR , NULL, set_picture);
--static DEVICE_ATTR(enabled, S_IRUSR | S_IRUGO,
-+static DEVICE_ATTR(enabled, S_IWUSR | S_IRUGO,
-                  class_get_enabled, class_set_enabled);
--static DEVICE_ATTR(picture, S_IRUSR, NULL, class_set_picture);
-+static DEVICE_ATTR(picture, S_IWUSR, NULL, class_set_picture);
- static int asus_oled_probe(struct usb_interface *interface,
-                          const struct usb_device_id *id)
diff --git a/queue-2.6.33/staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index 2d9f7a3..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From 590b0b9754bd8928926bae7194b6da7ead9bda3b Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Tue, 16 Nov 2010 11:17:01 -0800
-Subject: Staging: asus_oled: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 590b0b9754bd8928926bae7194b6da7ead9bda3b upstream.
-
-They should not be writable by any user
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jakub Schmidtke <sjakub@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/asus_oled/asus_oled.c |    8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/staging/asus_oled/asus_oled.c
-+++ b/drivers/staging/asus_oled/asus_oled.c
-@@ -609,13 +609,13 @@ static ssize_t class_set_picture(struct
- #define ASUS_OLED_DEVICE_ATTR(_file)          dev_attr_asus_oled_##_file
--static DEVICE_ATTR(asus_oled_enabled, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(asus_oled_enabled, S_IRUSR | S_IRUGO,
-                  get_enabled, set_enabled);
--static DEVICE_ATTR(asus_oled_picture, S_IWUGO , NULL, set_picture);
-+static DEVICE_ATTR(asus_oled_picture, S_IRUSR , NULL, set_picture);
--static DEVICE_ATTR(enabled, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(enabled, S_IRUSR | S_IRUGO,
-                  class_get_enabled, class_set_enabled);
--static DEVICE_ATTR(picture, S_IWUGO, NULL, class_set_picture);
-+static DEVICE_ATTR(picture, S_IRUSR, NULL, class_set_picture);
- static int asus_oled_probe(struct usb_interface *interface,
-                          const struct usb_device_id *id)
diff --git a/queue-2.6.33/staging-frontier-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/staging-frontier-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index 6063fc3..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 3bad28ec006ad6ab2bca4e5103860b75391e3c9d Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Tue, 16 Nov 2010 11:18:33 -0800
-Subject: Staging: frontier: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 3bad28ec006ad6ab2bca4e5103860b75391e3c9d and
-2a767fda5d0d8dcff465724dfad6ee131489b3f2 upstream merged together.
-
-They should not be writable by any user
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: David Taht <d@teklibre.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/frontier/tranzport.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/staging/frontier/tranzport.c
-+++ b/drivers/staging/frontier/tranzport.c
-@@ -202,7 +202,7 @@ static void usb_tranzport_abort_transfer
-     t->value = temp;                                                  \
-     return count;                                                     \
-   }                                                                   \
--  static DEVICE_ATTR(value, S_IWUGO | S_IRUGO, show_##value, set_##value);
-+  static DEVICE_ATTR(value, S_IWUSR | S_IRUGO, show_##value, set_##value);
- show_int(enable);
- show_int(offline);
diff --git a/queue-2.6.33/staging-line6-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/staging-line6-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index f0d2981..0000000
+++ /dev/null
@@ -1,446 +0,0 @@
-From 2018845b6a169f75341f8e68ad1089cb6697cf24 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Tue, 16 Nov 2010 11:23:33 -0800
-Subject: Staging: line6: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 2018845b6a169f75341f8e68ad1089cb6697cf24 and
-2018845b6a169f75341f8e68ad1089cb6697cf24 upstream merged together as it
-had to be backported by hand.
-
-They should not be writable by any user
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Markus Grabner <grabner@icg.tugraz.at>
-Cc: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/line6/control.c  |  204 +++++++++++++++++++--------------------
- drivers/staging/line6/midi.c     |    4 
- drivers/staging/line6/pod.c      |   32 +++---
- drivers/staging/line6/toneport.c |    4 
- drivers/staging/line6/variax.c   |   12 +-
- 5 files changed, 128 insertions(+), 128 deletions(-)
-
---- a/drivers/staging/line6/control.c
-+++ b/drivers/staging/line6/control.c
-@@ -268,210 +268,210 @@ VARIAX_PARAM_R(float, mix2);
- VARIAX_PARAM_R(float, mix1);
- VARIAX_PARAM_R(int, pickup_wiring);
--static DEVICE_ATTR(tweak, S_IWUGO | S_IRUGO, pod_get_tweak, pod_set_tweak);
--static DEVICE_ATTR(wah_position, S_IWUGO | S_IRUGO, pod_get_wah_position,
-+static DEVICE_ATTR(tweak, S_IWUSR | S_IRUGO, pod_get_tweak, pod_set_tweak);
-+static DEVICE_ATTR(wah_position, S_IWUSR | S_IRUGO, pod_get_wah_position,
-                  pod_set_wah_position);
--static DEVICE_ATTR(compression_gain, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(compression_gain, S_IWUSR | S_IRUGO,
-                  pod_get_compression_gain, pod_set_compression_gain);
--static DEVICE_ATTR(vol_pedal_position, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(vol_pedal_position, S_IWUSR | S_IRUGO,
-                  pod_get_vol_pedal_position, pod_set_vol_pedal_position);
--static DEVICE_ATTR(compression_threshold, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(compression_threshold, S_IWUSR | S_IRUGO,
-                  pod_get_compression_threshold,
-                  pod_set_compression_threshold);
--static DEVICE_ATTR(pan, S_IWUGO | S_IRUGO, pod_get_pan, pod_set_pan);
--static DEVICE_ATTR(amp_model_setup, S_IWUGO | S_IRUGO, pod_get_amp_model_setup,
-+static DEVICE_ATTR(pan, S_IWUSR | S_IRUGO, pod_get_pan, pod_set_pan);
-+static DEVICE_ATTR(amp_model_setup, S_IWUSR | S_IRUGO, pod_get_amp_model_setup,
-                  pod_set_amp_model_setup);
--static DEVICE_ATTR(amp_model, S_IWUGO | S_IRUGO, pod_get_amp_model,
-+static DEVICE_ATTR(amp_model, S_IWUSR | S_IRUGO, pod_get_amp_model,
-                  pod_set_amp_model);
--static DEVICE_ATTR(drive, S_IWUGO | S_IRUGO, pod_get_drive, pod_set_drive);
--static DEVICE_ATTR(bass, S_IWUGO | S_IRUGO, pod_get_bass, pod_set_bass);
--static DEVICE_ATTR(mid, S_IWUGO | S_IRUGO, pod_get_mid, pod_set_mid);
--static DEVICE_ATTR(lowmid, S_IWUGO | S_IRUGO, pod_get_lowmid, pod_set_lowmid);
--static DEVICE_ATTR(treble, S_IWUGO | S_IRUGO, pod_get_treble, pod_set_treble);
--static DEVICE_ATTR(highmid, S_IWUGO | S_IRUGO, pod_get_highmid,
-+static DEVICE_ATTR(drive, S_IWUSR | S_IRUGO, pod_get_drive, pod_set_drive);
-+static DEVICE_ATTR(bass, S_IWUSR | S_IRUGO, pod_get_bass, pod_set_bass);
-+static DEVICE_ATTR(mid, S_IWUSR | S_IRUGO, pod_get_mid, pod_set_mid);
-+static DEVICE_ATTR(lowmid, S_IWUSR | S_IRUGO, pod_get_lowmid, pod_set_lowmid);
-+static DEVICE_ATTR(treble, S_IWUSR | S_IRUGO, pod_get_treble, pod_set_treble);
-+static DEVICE_ATTR(highmid, S_IWUSR | S_IRUGO, pod_get_highmid,
-                  pod_set_highmid);
--static DEVICE_ATTR(chan_vol, S_IWUGO | S_IRUGO, pod_get_chan_vol,
-+static DEVICE_ATTR(chan_vol, S_IWUSR | S_IRUGO, pod_get_chan_vol,
-                  pod_set_chan_vol);
--static DEVICE_ATTR(reverb_mix, S_IWUGO | S_IRUGO, pod_get_reverb_mix,
-+static DEVICE_ATTR(reverb_mix, S_IWUSR | S_IRUGO, pod_get_reverb_mix,
-                  pod_set_reverb_mix);
--static DEVICE_ATTR(effect_setup, S_IWUGO | S_IRUGO, pod_get_effect_setup,
-+static DEVICE_ATTR(effect_setup, S_IWUSR | S_IRUGO, pod_get_effect_setup,
-                  pod_set_effect_setup);
--static DEVICE_ATTR(band_1_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(band_1_frequency, S_IWUSR | S_IRUGO,
-                  pod_get_band_1_frequency, pod_set_band_1_frequency);
--static DEVICE_ATTR(presence, S_IWUGO | S_IRUGO, pod_get_presence,
-+static DEVICE_ATTR(presence, S_IWUSR | S_IRUGO, pod_get_presence,
-                  pod_set_presence);
--static DEVICE_ATTR2(treble__bass, treble, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(treble__bass, treble, S_IWUSR | S_IRUGO,
-                   pod_get_treble__bass, pod_set_treble__bass);
--static DEVICE_ATTR(noise_gate_enable, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(noise_gate_enable, S_IWUSR | S_IRUGO,
-                  pod_get_noise_gate_enable, pod_set_noise_gate_enable);
--static DEVICE_ATTR(gate_threshold, S_IWUGO | S_IRUGO, pod_get_gate_threshold,
-+static DEVICE_ATTR(gate_threshold, S_IWUSR | S_IRUGO, pod_get_gate_threshold,
-                  pod_set_gate_threshold);
--static DEVICE_ATTR(gate_decay_time, S_IWUGO | S_IRUGO, pod_get_gate_decay_time,
-+static DEVICE_ATTR(gate_decay_time, S_IWUSR | S_IRUGO, pod_get_gate_decay_time,
-                  pod_set_gate_decay_time);
--static DEVICE_ATTR(stomp_enable, S_IWUGO | S_IRUGO, pod_get_stomp_enable,
-+static DEVICE_ATTR(stomp_enable, S_IWUSR | S_IRUGO, pod_get_stomp_enable,
-                  pod_set_stomp_enable);
--static DEVICE_ATTR(comp_enable, S_IWUGO | S_IRUGO, pod_get_comp_enable,
-+static DEVICE_ATTR(comp_enable, S_IWUSR | S_IRUGO, pod_get_comp_enable,
-                  pod_set_comp_enable);
--static DEVICE_ATTR(stomp_time, S_IWUGO | S_IRUGO, pod_get_stomp_time,
-+static DEVICE_ATTR(stomp_time, S_IWUSR | S_IRUGO, pod_get_stomp_time,
-                  pod_set_stomp_time);
--static DEVICE_ATTR(delay_enable, S_IWUGO | S_IRUGO, pod_get_delay_enable,
-+static DEVICE_ATTR(delay_enable, S_IWUSR | S_IRUGO, pod_get_delay_enable,
-                  pod_set_delay_enable);
--static DEVICE_ATTR(mod_param_1, S_IWUGO | S_IRUGO, pod_get_mod_param_1,
-+static DEVICE_ATTR(mod_param_1, S_IWUSR | S_IRUGO, pod_get_mod_param_1,
-                  pod_set_mod_param_1);
--static DEVICE_ATTR(delay_param_1, S_IWUGO | S_IRUGO, pod_get_delay_param_1,
-+static DEVICE_ATTR(delay_param_1, S_IWUSR | S_IRUGO, pod_get_delay_param_1,
-                  pod_set_delay_param_1);
--static DEVICE_ATTR(delay_param_1_note_value, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(delay_param_1_note_value, S_IWUSR | S_IRUGO,
-                  pod_get_delay_param_1_note_value,
-                  pod_set_delay_param_1_note_value);
--static DEVICE_ATTR2(band_2_frequency__bass, band_2_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_2_frequency__bass, band_2_frequency, S_IWUSR | S_IRUGO,
-                   pod_get_band_2_frequency__bass,
-                   pod_set_band_2_frequency__bass);
--static DEVICE_ATTR(delay_param_2, S_IWUGO | S_IRUGO, pod_get_delay_param_2,
-+static DEVICE_ATTR(delay_param_2, S_IWUSR | S_IRUGO, pod_get_delay_param_2,
-                  pod_set_delay_param_2);
--static DEVICE_ATTR(delay_volume_mix, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(delay_volume_mix, S_IWUSR | S_IRUGO,
-                  pod_get_delay_volume_mix, pod_set_delay_volume_mix);
--static DEVICE_ATTR(delay_param_3, S_IWUGO | S_IRUGO, pod_get_delay_param_3,
-+static DEVICE_ATTR(delay_param_3, S_IWUSR | S_IRUGO, pod_get_delay_param_3,
-                  pod_set_delay_param_3);
--static DEVICE_ATTR(reverb_enable, S_IWUGO | S_IRUGO, pod_get_reverb_enable,
-+static DEVICE_ATTR(reverb_enable, S_IWUSR | S_IRUGO, pod_get_reverb_enable,
-                  pod_set_reverb_enable);
--static DEVICE_ATTR(reverb_type, S_IWUGO | S_IRUGO, pod_get_reverb_type,
-+static DEVICE_ATTR(reverb_type, S_IWUSR | S_IRUGO, pod_get_reverb_type,
-                  pod_set_reverb_type);
--static DEVICE_ATTR(reverb_decay, S_IWUGO | S_IRUGO, pod_get_reverb_decay,
-+static DEVICE_ATTR(reverb_decay, S_IWUSR | S_IRUGO, pod_get_reverb_decay,
-                  pod_set_reverb_decay);
--static DEVICE_ATTR(reverb_tone, S_IWUGO | S_IRUGO, pod_get_reverb_tone,
-+static DEVICE_ATTR(reverb_tone, S_IWUSR | S_IRUGO, pod_get_reverb_tone,
-                  pod_set_reverb_tone);
--static DEVICE_ATTR(reverb_pre_delay, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(reverb_pre_delay, S_IWUSR | S_IRUGO,
-                  pod_get_reverb_pre_delay, pod_set_reverb_pre_delay);
--static DEVICE_ATTR(reverb_pre_post, S_IWUGO | S_IRUGO, pod_get_reverb_pre_post,
-+static DEVICE_ATTR(reverb_pre_post, S_IWUSR | S_IRUGO, pod_get_reverb_pre_post,
-                  pod_set_reverb_pre_post);
--static DEVICE_ATTR(band_2_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(band_2_frequency, S_IWUSR | S_IRUGO,
-                  pod_get_band_2_frequency, pod_set_band_2_frequency);
--static DEVICE_ATTR2(band_3_frequency__bass, band_3_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_3_frequency__bass, band_3_frequency, S_IWUSR | S_IRUGO,
-                   pod_get_band_3_frequency__bass,
-                   pod_set_band_3_frequency__bass);
--static DEVICE_ATTR(wah_enable, S_IWUGO | S_IRUGO, pod_get_wah_enable,
-+static DEVICE_ATTR(wah_enable, S_IWUSR | S_IRUGO, pod_get_wah_enable,
-                  pod_set_wah_enable);
--static DEVICE_ATTR(modulation_lo_cut, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(modulation_lo_cut, S_IWUSR | S_IRUGO,
-                  pod_get_modulation_lo_cut, pod_set_modulation_lo_cut);
--static DEVICE_ATTR(delay_reverb_lo_cut, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(delay_reverb_lo_cut, S_IWUSR | S_IRUGO,
-                  pod_get_delay_reverb_lo_cut, pod_set_delay_reverb_lo_cut);
--static DEVICE_ATTR(volume_pedal_minimum, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(volume_pedal_minimum, S_IWUSR | S_IRUGO,
-                  pod_get_volume_pedal_minimum, pod_set_volume_pedal_minimum);
--static DEVICE_ATTR(eq_pre_post, S_IWUGO | S_IRUGO, pod_get_eq_pre_post,
-+static DEVICE_ATTR(eq_pre_post, S_IWUSR | S_IRUGO, pod_get_eq_pre_post,
-                  pod_set_eq_pre_post);
--static DEVICE_ATTR(volume_pre_post, S_IWUGO | S_IRUGO, pod_get_volume_pre_post,
-+static DEVICE_ATTR(volume_pre_post, S_IWUSR | S_IRUGO, pod_get_volume_pre_post,
-                  pod_set_volume_pre_post);
--static DEVICE_ATTR(di_model, S_IWUGO | S_IRUGO, pod_get_di_model,
-+static DEVICE_ATTR(di_model, S_IWUSR | S_IRUGO, pod_get_di_model,
-                  pod_set_di_model);
--static DEVICE_ATTR(di_delay, S_IWUGO | S_IRUGO, pod_get_di_delay,
-+static DEVICE_ATTR(di_delay, S_IWUSR | S_IRUGO, pod_get_di_delay,
-                  pod_set_di_delay);
--static DEVICE_ATTR(mod_enable, S_IWUGO | S_IRUGO, pod_get_mod_enable,
-+static DEVICE_ATTR(mod_enable, S_IWUSR | S_IRUGO, pod_get_mod_enable,
-                  pod_set_mod_enable);
--static DEVICE_ATTR(mod_param_1_note_value, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(mod_param_1_note_value, S_IWUSR | S_IRUGO,
-                  pod_get_mod_param_1_note_value,
-                  pod_set_mod_param_1_note_value);
--static DEVICE_ATTR(mod_param_2, S_IWUGO | S_IRUGO, pod_get_mod_param_2,
-+static DEVICE_ATTR(mod_param_2, S_IWUSR | S_IRUGO, pod_get_mod_param_2,
-                  pod_set_mod_param_2);
--static DEVICE_ATTR(mod_param_3, S_IWUGO | S_IRUGO, pod_get_mod_param_3,
-+static DEVICE_ATTR(mod_param_3, S_IWUSR | S_IRUGO, pod_get_mod_param_3,
-                  pod_set_mod_param_3);
--static DEVICE_ATTR(mod_param_4, S_IWUGO | S_IRUGO, pod_get_mod_param_4,
-+static DEVICE_ATTR(mod_param_4, S_IWUSR | S_IRUGO, pod_get_mod_param_4,
-                  pod_set_mod_param_4);
--static DEVICE_ATTR(mod_param_5, S_IWUGO | S_IRUGO, pod_get_mod_param_5,
-+static DEVICE_ATTR(mod_param_5, S_IWUSR | S_IRUGO, pod_get_mod_param_5,
-                  pod_set_mod_param_5);
--static DEVICE_ATTR(mod_volume_mix, S_IWUGO | S_IRUGO, pod_get_mod_volume_mix,
-+static DEVICE_ATTR(mod_volume_mix, S_IWUSR | S_IRUGO, pod_get_mod_volume_mix,
-                  pod_set_mod_volume_mix);
--static DEVICE_ATTR(mod_pre_post, S_IWUGO | S_IRUGO, pod_get_mod_pre_post,
-+static DEVICE_ATTR(mod_pre_post, S_IWUSR | S_IRUGO, pod_get_mod_pre_post,
-                  pod_set_mod_pre_post);
--static DEVICE_ATTR(modulation_model, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(modulation_model, S_IWUSR | S_IRUGO,
-                  pod_get_modulation_model, pod_set_modulation_model);
--static DEVICE_ATTR(band_3_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(band_3_frequency, S_IWUSR | S_IRUGO,
-                  pod_get_band_3_frequency, pod_set_band_3_frequency);
--static DEVICE_ATTR2(band_4_frequency__bass, band_4_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_4_frequency__bass, band_4_frequency, S_IWUSR | S_IRUGO,
-                   pod_get_band_4_frequency__bass,
-                   pod_set_band_4_frequency__bass);
--static DEVICE_ATTR(mod_param_1_double_precision, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(mod_param_1_double_precision, S_IWUSR | S_IRUGO,
-                  pod_get_mod_param_1_double_precision,
-                  pod_set_mod_param_1_double_precision);
--static DEVICE_ATTR(delay_param_1_double_precision, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(delay_param_1_double_precision, S_IWUSR | S_IRUGO,
-                  pod_get_delay_param_1_double_precision,
-                  pod_set_delay_param_1_double_precision);
--static DEVICE_ATTR(eq_enable, S_IWUGO | S_IRUGO, pod_get_eq_enable,
-+static DEVICE_ATTR(eq_enable, S_IWUSR | S_IRUGO, pod_get_eq_enable,
-                  pod_set_eq_enable);
--static DEVICE_ATTR(tap, S_IWUGO | S_IRUGO, pod_get_tap, pod_set_tap);
--static DEVICE_ATTR(volume_tweak_pedal_assign, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(tap, S_IWUSR | S_IRUGO, pod_get_tap, pod_set_tap);
-+static DEVICE_ATTR(volume_tweak_pedal_assign, S_IWUSR | S_IRUGO,
-                  pod_get_volume_tweak_pedal_assign,
-                  pod_set_volume_tweak_pedal_assign);
--static DEVICE_ATTR(band_5_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(band_5_frequency, S_IWUSR | S_IRUGO,
-                  pod_get_band_5_frequency, pod_set_band_5_frequency);
--static DEVICE_ATTR(tuner, S_IWUGO | S_IRUGO, pod_get_tuner, pod_set_tuner);
--static DEVICE_ATTR(mic_selection, S_IWUGO | S_IRUGO, pod_get_mic_selection,
-+static DEVICE_ATTR(tuner, S_IWUSR | S_IRUGO, pod_get_tuner, pod_set_tuner);
-+static DEVICE_ATTR(mic_selection, S_IWUSR | S_IRUGO, pod_get_mic_selection,
-                  pod_set_mic_selection);
--static DEVICE_ATTR(cabinet_model, S_IWUGO | S_IRUGO, pod_get_cabinet_model,
-+static DEVICE_ATTR(cabinet_model, S_IWUSR | S_IRUGO, pod_get_cabinet_model,
-                  pod_set_cabinet_model);
--static DEVICE_ATTR(stomp_model, S_IWUGO | S_IRUGO, pod_get_stomp_model,
-+static DEVICE_ATTR(stomp_model, S_IWUSR | S_IRUGO, pod_get_stomp_model,
-                  pod_set_stomp_model);
--static DEVICE_ATTR(roomlevel, S_IWUGO | S_IRUGO, pod_get_roomlevel,
-+static DEVICE_ATTR(roomlevel, S_IWUSR | S_IRUGO, pod_get_roomlevel,
-                  pod_set_roomlevel);
--static DEVICE_ATTR(band_4_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(band_4_frequency, S_IWUSR | S_IRUGO,
-                  pod_get_band_4_frequency, pod_set_band_4_frequency);
--static DEVICE_ATTR(band_6_frequency, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(band_6_frequency, S_IWUSR | S_IRUGO,
-                  pod_get_band_6_frequency, pod_set_band_6_frequency);
--static DEVICE_ATTR(stomp_param_1_note_value, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(stomp_param_1_note_value, S_IWUSR | S_IRUGO,
-                  pod_get_stomp_param_1_note_value,
-                  pod_set_stomp_param_1_note_value);
--static DEVICE_ATTR(stomp_param_2, S_IWUGO | S_IRUGO, pod_get_stomp_param_2,
-+static DEVICE_ATTR(stomp_param_2, S_IWUSR | S_IRUGO, pod_get_stomp_param_2,
-                  pod_set_stomp_param_2);
--static DEVICE_ATTR(stomp_param_3, S_IWUGO | S_IRUGO, pod_get_stomp_param_3,
-+static DEVICE_ATTR(stomp_param_3, S_IWUSR | S_IRUGO, pod_get_stomp_param_3,
-                  pod_set_stomp_param_3);
--static DEVICE_ATTR(stomp_param_4, S_IWUGO | S_IRUGO, pod_get_stomp_param_4,
-+static DEVICE_ATTR(stomp_param_4, S_IWUSR | S_IRUGO, pod_get_stomp_param_4,
-                  pod_set_stomp_param_4);
--static DEVICE_ATTR(stomp_param_5, S_IWUGO | S_IRUGO, pod_get_stomp_param_5,
-+static DEVICE_ATTR(stomp_param_5, S_IWUSR | S_IRUGO, pod_get_stomp_param_5,
-                  pod_set_stomp_param_5);
--static DEVICE_ATTR(stomp_param_6, S_IWUGO | S_IRUGO, pod_get_stomp_param_6,
-+static DEVICE_ATTR(stomp_param_6, S_IWUSR | S_IRUGO, pod_get_stomp_param_6,
-                  pod_set_stomp_param_6);
--static DEVICE_ATTR(amp_switch_select, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(amp_switch_select, S_IWUSR | S_IRUGO,
-                  pod_get_amp_switch_select, pod_set_amp_switch_select);
--static DEVICE_ATTR(delay_param_4, S_IWUGO | S_IRUGO, pod_get_delay_param_4,
-+static DEVICE_ATTR(delay_param_4, S_IWUSR | S_IRUGO, pod_get_delay_param_4,
-                  pod_set_delay_param_4);
--static DEVICE_ATTR(delay_param_5, S_IWUGO | S_IRUGO, pod_get_delay_param_5,
-+static DEVICE_ATTR(delay_param_5, S_IWUSR | S_IRUGO, pod_get_delay_param_5,
-                  pod_set_delay_param_5);
--static DEVICE_ATTR(delay_pre_post, S_IWUGO | S_IRUGO, pod_get_delay_pre_post,
-+static DEVICE_ATTR(delay_pre_post, S_IWUSR | S_IRUGO, pod_get_delay_pre_post,
-                  pod_set_delay_pre_post);
--static DEVICE_ATTR(delay_model, S_IWUGO | S_IRUGO, pod_get_delay_model,
-+static DEVICE_ATTR(delay_model, S_IWUSR | S_IRUGO, pod_get_delay_model,
-                  pod_set_delay_model);
--static DEVICE_ATTR(delay_verb_model, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(delay_verb_model, S_IWUSR | S_IRUGO,
-                  pod_get_delay_verb_model, pod_set_delay_verb_model);
--static DEVICE_ATTR(tempo_msb, S_IWUGO | S_IRUGO, pod_get_tempo_msb,
-+static DEVICE_ATTR(tempo_msb, S_IWUSR | S_IRUGO, pod_get_tempo_msb,
-                  pod_set_tempo_msb);
--static DEVICE_ATTR(tempo_lsb, S_IWUGO | S_IRUGO, pod_get_tempo_lsb,
-+static DEVICE_ATTR(tempo_lsb, S_IWUSR | S_IRUGO, pod_get_tempo_lsb,
-                  pod_set_tempo_lsb);
--static DEVICE_ATTR(wah_model, S_IWUGO | S_IRUGO, pod_get_wah_model,
-+static DEVICE_ATTR(wah_model, S_IWUSR | S_IRUGO, pod_get_wah_model,
-                  pod_set_wah_model);
--static DEVICE_ATTR(bypass_volume, S_IWUGO | S_IRUGO, pod_get_bypass_volume,
-+static DEVICE_ATTR(bypass_volume, S_IWUSR | S_IRUGO, pod_get_bypass_volume,
-                  pod_set_bypass_volume);
--static DEVICE_ATTR(fx_loop_on_off, S_IWUGO | S_IRUGO, pod_get_fx_loop_on_off,
-+static DEVICE_ATTR(fx_loop_on_off, S_IWUSR | S_IRUGO, pod_get_fx_loop_on_off,
-                  pod_set_fx_loop_on_off);
--static DEVICE_ATTR(tweak_param_select, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(tweak_param_select, S_IWUSR | S_IRUGO,
-                  pod_get_tweak_param_select, pod_set_tweak_param_select);
--static DEVICE_ATTR(amp1_engage, S_IWUGO | S_IRUGO, pod_get_amp1_engage,
-+static DEVICE_ATTR(amp1_engage, S_IWUSR | S_IRUGO, pod_get_amp1_engage,
-                  pod_set_amp1_engage);
--static DEVICE_ATTR(band_1_gain, S_IWUGO | S_IRUGO, pod_get_band_1_gain,
-+static DEVICE_ATTR(band_1_gain, S_IWUSR | S_IRUGO, pod_get_band_1_gain,
-                  pod_set_band_1_gain);
--static DEVICE_ATTR2(band_2_gain__bass, band_2_gain, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_2_gain__bass, band_2_gain, S_IWUSR | S_IRUGO,
-                   pod_get_band_2_gain__bass, pod_set_band_2_gain__bass);
--static DEVICE_ATTR(band_2_gain, S_IWUGO | S_IRUGO, pod_get_band_2_gain,
-+static DEVICE_ATTR(band_2_gain, S_IWUSR | S_IRUGO, pod_get_band_2_gain,
-                  pod_set_band_2_gain);
--static DEVICE_ATTR2(band_3_gain__bass, band_3_gain, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_3_gain__bass, band_3_gain, S_IWUSR | S_IRUGO,
-                   pod_get_band_3_gain__bass, pod_set_band_3_gain__bass);
--static DEVICE_ATTR(band_3_gain, S_IWUGO | S_IRUGO, pod_get_band_3_gain,
-+static DEVICE_ATTR(band_3_gain, S_IWUSR | S_IRUGO, pod_get_band_3_gain,
-                  pod_set_band_3_gain);
--static DEVICE_ATTR2(band_4_gain__bass, band_4_gain, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_4_gain__bass, band_4_gain, S_IWUSR | S_IRUGO,
-                   pod_get_band_4_gain__bass, pod_set_band_4_gain__bass);
--static DEVICE_ATTR2(band_5_gain__bass, band_5_gain, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_5_gain__bass, band_5_gain, S_IWUSR | S_IRUGO,
-                   pod_get_band_5_gain__bass, pod_set_band_5_gain__bass);
--static DEVICE_ATTR(band_4_gain, S_IWUGO | S_IRUGO, pod_get_band_4_gain,
-+static DEVICE_ATTR(band_4_gain, S_IWUSR | S_IRUGO, pod_get_band_4_gain,
-                  pod_set_band_4_gain);
--static DEVICE_ATTR2(band_6_gain__bass, band_6_gain, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR2(band_6_gain__bass, band_6_gain, S_IWUSR | S_IRUGO,
-                   pod_get_band_6_gain__bass, pod_set_band_6_gain__bass);
- static DEVICE_ATTR(body, S_IRUGO, variax_get_body, line6_nop_write);
- static DEVICE_ATTR(pickup1_enable, S_IRUGO, variax_get_pickup1_enable,
---- a/drivers/staging/line6/midi.c
-+++ b/drivers/staging/line6/midi.c
-@@ -361,8 +361,8 @@ static ssize_t midi_set_midi_mask_receiv
-       return count;
- }
--static DEVICE_ATTR(midi_mask_transmit, S_IWUGO | S_IRUGO, midi_get_midi_mask_transmit, midi_set_midi_mask_transmit);
--static DEVICE_ATTR(midi_mask_receive, S_IWUGO | S_IRUGO, midi_get_midi_mask_receive, midi_set_midi_mask_receive);
-+static DEVICE_ATTR(midi_mask_transmit, S_IWUSR | S_IRUGO, midi_get_midi_mask_transmit, midi_set_midi_mask_transmit);
-+static DEVICE_ATTR(midi_mask_receive, S_IWUSR | S_IRUGO, midi_get_midi_mask_receive, midi_set_midi_mask_receive);
- /* MIDI device destructor */
- static int snd_line6_midi_free(struct snd_device *device)
---- a/drivers/staging/line6/pod.c
-+++ b/drivers/staging/line6/pod.c
-@@ -950,33 +950,33 @@ POD_GET_SYSTEM_PARAM(tuner_pitch, 1, 1);
- #undef GET_SYSTEM_PARAM
- /* POD special files: */
--static DEVICE_ATTR(channel, S_IWUGO | S_IRUGO, pod_get_channel, pod_set_channel);
-+static DEVICE_ATTR(channel, S_IWUSR | S_IRUGO, pod_get_channel, pod_set_channel);
- static DEVICE_ATTR(clip, S_IRUGO, pod_wait_for_clip, line6_nop_write);
- static DEVICE_ATTR(device_id, S_IRUGO, pod_get_device_id, line6_nop_write);
- static DEVICE_ATTR(dirty, S_IRUGO, pod_get_dirty, line6_nop_write);
--static DEVICE_ATTR(dump, S_IWUGO | S_IRUGO, pod_get_dump, pod_set_dump);
--static DEVICE_ATTR(dump_buf, S_IWUGO | S_IRUGO, pod_get_dump_buf, pod_set_dump_buf);
--static DEVICE_ATTR(finish, S_IWUGO, line6_nop_read, pod_set_finish);
-+static DEVICE_ATTR(dump, S_IWUSR | S_IRUGO, pod_get_dump, pod_set_dump);
-+static DEVICE_ATTR(dump_buf, S_IWUSR | S_IRUGO, pod_get_dump_buf, pod_set_dump_buf);
-+static DEVICE_ATTR(finish, S_IWUSR, line6_nop_read, pod_set_finish);
- static DEVICE_ATTR(firmware_version, S_IRUGO, pod_get_firmware_version, line6_nop_write);
--static DEVICE_ATTR(midi_postprocess, S_IWUGO | S_IRUGO, pod_get_midi_postprocess, pod_set_midi_postprocess);
--static DEVICE_ATTR(monitor_level, S_IWUGO | S_IRUGO, pod_get_monitor_level, pod_set_monitor_level);
-+static DEVICE_ATTR(midi_postprocess, S_IWUSR | S_IRUGO, pod_get_midi_postprocess, pod_set_midi_postprocess);
-+static DEVICE_ATTR(monitor_level, S_IWUSR | S_IRUGO, pod_get_monitor_level, pod_set_monitor_level);
- static DEVICE_ATTR(name, S_IRUGO, pod_get_name, line6_nop_write);
- static DEVICE_ATTR(name_buf, S_IRUGO, pod_get_name_buf, line6_nop_write);
--static DEVICE_ATTR(retrieve_amp_setup, S_IWUGO, line6_nop_read, pod_set_retrieve_amp_setup);
--static DEVICE_ATTR(retrieve_channel, S_IWUGO, line6_nop_read, pod_set_retrieve_channel);
--static DEVICE_ATTR(retrieve_effects_setup, S_IWUGO, line6_nop_read, pod_set_retrieve_effects_setup);
--static DEVICE_ATTR(routing, S_IWUGO | S_IRUGO, pod_get_routing, pod_set_routing);
-+static DEVICE_ATTR(retrieve_amp_setup, S_IWUSR, line6_nop_read, pod_set_retrieve_amp_setup);
-+static DEVICE_ATTR(retrieve_channel, S_IWUSR, line6_nop_read, pod_set_retrieve_channel);
-+static DEVICE_ATTR(retrieve_effects_setup, S_IWUSR, line6_nop_read, pod_set_retrieve_effects_setup);
-+static DEVICE_ATTR(routing, S_IWUSR | S_IRUGO, pod_get_routing, pod_set_routing);
- static DEVICE_ATTR(serial_number, S_IRUGO, pod_get_serial_number, line6_nop_write);
--static DEVICE_ATTR(store_amp_setup, S_IWUGO, line6_nop_read, pod_set_store_amp_setup);
--static DEVICE_ATTR(store_channel, S_IWUGO, line6_nop_read, pod_set_store_channel);
--static DEVICE_ATTR(store_effects_setup, S_IWUGO, line6_nop_read, pod_set_store_effects_setup);
--static DEVICE_ATTR(tuner_freq, S_IWUGO | S_IRUGO, pod_get_tuner_freq, pod_set_tuner_freq);
--static DEVICE_ATTR(tuner_mute, S_IWUGO | S_IRUGO, pod_get_tuner_mute, pod_set_tuner_mute);
-+static DEVICE_ATTR(store_amp_setup, S_IWUSR, line6_nop_read, pod_set_store_amp_setup);
-+static DEVICE_ATTR(store_channel, S_IWUSR, line6_nop_read, pod_set_store_channel);
-+static DEVICE_ATTR(store_effects_setup, S_IWUSR, line6_nop_read, pod_set_store_effects_setup);
-+static DEVICE_ATTR(tuner_freq, S_IWUSR | S_IRUGO, pod_get_tuner_freq, pod_set_tuner_freq);
-+static DEVICE_ATTR(tuner_mute, S_IWUSR | S_IRUGO, pod_get_tuner_mute, pod_set_tuner_mute);
- static DEVICE_ATTR(tuner_note, S_IRUGO, pod_get_tuner_note, line6_nop_write);
- static DEVICE_ATTR(tuner_pitch, S_IRUGO, pod_get_tuner_pitch, line6_nop_write);
- #if CREATE_RAW_FILE
--static DEVICE_ATTR(raw, S_IWUGO, line6_nop_read, line6_set_raw);
-+static DEVICE_ATTR(raw, S_IWUSR, line6_nop_read, line6_set_raw);
- #endif
- /*
---- a/drivers/staging/line6/toneport.c
-+++ b/drivers/staging/line6/toneport.c
-@@ -124,9 +124,9 @@ static ssize_t toneport_set_led_green(st
-       return count;
- }
--static DEVICE_ATTR(led_red, S_IWUGO | S_IRUGO, line6_nop_read,
-+static DEVICE_ATTR(led_red, S_IWUSR | S_IRUGO, line6_nop_read,
-                  toneport_set_led_red);
--static DEVICE_ATTR(led_green, S_IWUGO | S_IRUGO, line6_nop_read,
-+static DEVICE_ATTR(led_green, S_IWUSR | S_IRUGO, line6_nop_read,
-                  toneport_set_led_green);
- static int toneport_send_cmd(struct usb_device *usbdev, int cmd1, int cmd2)
---- a/drivers/staging/line6/variax.c
-+++ b/drivers/staging/line6/variax.c
-@@ -387,17 +387,17 @@ static ssize_t variax_set_raw2(struct de
- #endif
- /* Variax workbench special files: */
--static DEVICE_ATTR(model, S_IWUGO | S_IRUGO, variax_get_model, variax_set_model);
--static DEVICE_ATTR(volume, S_IWUGO | S_IRUGO, variax_get_volume, variax_set_volume);
--static DEVICE_ATTR(tone, S_IWUGO | S_IRUGO, variax_get_tone, variax_set_tone);
-+static DEVICE_ATTR(model, S_IWUSR | S_IRUGO, variax_get_model, variax_set_model);
-+static DEVICE_ATTR(volume, S_IWUSR | S_IRUGO, variax_get_volume, variax_set_volume);
-+static DEVICE_ATTR(tone, S_IWUSR | S_IRUGO, variax_get_tone, variax_set_tone);
- static DEVICE_ATTR(name, S_IRUGO, variax_get_name, line6_nop_write);
- static DEVICE_ATTR(bank, S_IRUGO, variax_get_bank, line6_nop_write);
- static DEVICE_ATTR(dump, S_IRUGO, variax_get_dump, line6_nop_write);
--static DEVICE_ATTR(active, S_IWUGO | S_IRUGO, variax_get_active, variax_set_active);
-+static DEVICE_ATTR(active, S_IWUSR | S_IRUGO, variax_get_active, variax_set_active);
- #if CREATE_RAW_FILE
--static DEVICE_ATTR(raw, S_IWUGO, line6_nop_read, line6_set_raw);
--static DEVICE_ATTR(raw2, S_IWUGO, line6_nop_read, variax_set_raw2);
-+static DEVICE_ATTR(raw, S_IWUSR, line6_nop_read, line6_set_raw);
-+static DEVICE_ATTR(raw2, S_IWUSR, line6_nop_read, variax_set_raw2);
- #endif
diff --git a/queue-2.6.33/staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch b/queue-2.6.33/staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch
deleted file mode 100644 (file)
index 241ae4a..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 251d380034c6c34efe75ffb89d863558ba68ec6a Mon Sep 17 00:00:00 2001
-From: John Tapsell <johnflux@gmail.com>
-Date: Thu, 25 Mar 2010 13:30:45 +0000
-Subject: Staging: rt2870: Add USB ID for Buffalo Airstation WLI-UC-GN
-
-From: John Tapsell <johnflux@gmail.com>
-
-commit 251d380034c6c34efe75ffb89d863558ba68ec6a upstream.
-
-BugLink: http://bugs.launchpad.net/bugs/441990
-
-This was tested to successfully enable the hardware.
-
-Signed-off-by: John Tapsell <johnflux@gmail.com>
-Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/rt2860/usb_main_dev.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/staging/rt2860/usb_main_dev.c
-+++ b/drivers/staging/rt2860/usb_main_dev.c
-@@ -141,6 +141,7 @@ struct usb_device_id rtusb_usb_id[] = {
-       {USB_DEVICE(0x2001, 0x3C09)},   /* D-Link */
-       {USB_DEVICE(0x2001, 0x3C0A)},   /* D-Link 3072 */
-       {USB_DEVICE(0x2019, 0xED14)},   /* Planex Communications, Inc. */
-+      {USB_DEVICE(0x0411, 0x015D)},   /* Buffalo Airstation WLI-UC-GN */
-       {}                      /* Terminating entry */
- };
diff --git a/queue-2.6.33/staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch b/queue-2.6.33/staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch
deleted file mode 100644 (file)
index 015f702..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-From f36d83a8cb7224f45fdfa1129a616dff56479a09 Mon Sep 17 00:00:00 2001
-From: Larry Finger <Larry.Finger@lwfinger.net>
-Date: Sat, 13 Nov 2010 13:01:56 -0600
-Subject: staging: rtl8187se: Change panic to warn when RF switch turned off
-
-From: Larry Finger <Larry.Finger@lwfinger.net>
-
-commit f36d83a8cb7224f45fdfa1129a616dff56479a09 upstream.
-
-This driver issues a kernel panic over conditions that do not
-justify such drastic action. Change these to log entries with
-a stack dump.
-
-This patch fixes the system crash reported in
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.
-
-Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
-Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/rtl8187se/r8185b_init.c |   32 +++++++++++++++++++++++---------
- 1 file changed, 23 insertions(+), 9 deletions(-)
-
---- a/drivers/staging/rtl8187se/r8185b_init.c
-+++ b/drivers/staging/rtl8187se/r8185b_init.c
-@@ -356,8 +356,12 @@ HwHSSIThreeWire(
-                       }
-                       udelay(10);
-               }
--              if (TryCnt == TC_3W_POLL_MAX_TRY_CNT)
--                      panic("HwThreeWire(): CmdReg: %#X RE|WE bits are not clear!!\n", u1bTmp);
-+              if (TryCnt == TC_3W_POLL_MAX_TRY_CNT) {
-+                      printk(KERN_ERR "rtl8187se: HwThreeWire(): CmdReg:"
-+                             " %#X RE|WE bits are not clear!!\n", u1bTmp);
-+                      dump_stack();
-+                      return 0;
-+              }
-               // RTL8187S HSSI Read/Write Function
-               u1bTmp = read_nic_byte(dev, RF_SW_CONFIG);
-@@ -397,13 +401,23 @@ HwHSSIThreeWire(
-                               int idx;
-                               int ByteCnt = nDataBufBitCnt / 8;
-                                 //printk("%d\n",nDataBufBitCnt);
--                              if ((nDataBufBitCnt % 8) != 0)
--                              panic("HwThreeWire(): nDataBufBitCnt(%d) should be multiple of 8!!!\n",
--                              nDataBufBitCnt);
--
--                             if (nDataBufBitCnt > 64)
--                              panic("HwThreeWire(): nDataBufBitCnt(%d) should <= 64!!!\n",
--                              nDataBufBitCnt);
-+                              if ((nDataBufBitCnt % 8) != 0) {
-+                                      printk(KERN_ERR "rtl8187se: "
-+                                             "HwThreeWire(): nDataBufBitCnt(%d)"
-+                                             " should be multiple of 8!!!\n",
-+                                             nDataBufBitCnt);
-+                                      dump_stack();
-+                                      nDataBufBitCnt += 8;
-+                                      nDataBufBitCnt &= ~7;
-+                              }
-+
-+                             if (nDataBufBitCnt > 64) {
-+                                      printk(KERN_ERR "rtl8187se: HwThreeWire():"
-+                                             " nDataBufBitCnt(%d) should <= 64!!!\n",
-+                                             nDataBufBitCnt);
-+                                      dump_stack();
-+                                      nDataBufBitCnt = 64;
-+                              }
-                               for(idx = 0; idx < ByteCnt; idx++)
-                               {
diff --git a/queue-2.6.33/staging-samsung-laptop-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch b/queue-2.6.33/staging-samsung-laptop-fix-up-my-fixup-for-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index aeacda2..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-From 4d7bc388b44e42a1feafa35e50eef4f24d6ca59d Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Thu, 18 Nov 2010 11:21:04 -0800
-Subject: Staging: samsung-laptop: fix up my fixup for some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 4d7bc388b44e42a1feafa35e50eef4f24d6ca59d upstream.
-
-They should be writable by root, not readable.
-Doh, stupid me with the wrong flags.
-
-Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/samsung-laptop/samsung-laptop.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/staging/samsung-laptop/samsung-laptop.c
-+++ b/drivers/staging/samsung-laptop/samsung-laptop.c
-@@ -355,7 +355,7 @@ static ssize_t set_silent_state(struct d
-       }
-       return count;
- }
--static DEVICE_ATTR(silent, S_IRUSR | S_IRUGO,
-+static DEVICE_ATTR(silent, S_IWUSR | S_IRUGO,
-                  get_silent_state, set_silent_state);
diff --git a/queue-2.6.33/staging-samsung-laptop-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/staging-samsung-laptop-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index 37e7633..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-From 90c05b97fdec8d2196e420d98f774bab731af7aa Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Tue, 16 Nov 2010 11:21:03 -0800
-Subject: Staging: samsung-laptop: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 90c05b97fdec8d2196e420d98f774bab731af7aa upstream.
-
-They should not be writable by any user
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/samsung-laptop/samsung-laptop.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/staging/samsung-laptop/samsung-laptop.c
-+++ b/drivers/staging/samsung-laptop/samsung-laptop.c
-@@ -355,7 +355,7 @@ static ssize_t set_silent_state(struct d
-       }
-       return count;
- }
--static DEVICE_ATTR(silent, S_IWUGO | S_IRUGO,
-+static DEVICE_ATTR(silent, S_IRUSR | S_IRUGO,
-                  get_silent_state, set_silent_state);
diff --git a/queue-2.6.33/staging-usbip-notify-usb-core-of-port-status-changes.patch b/queue-2.6.33/staging-usbip-notify-usb-core-of-port-status-changes.patch
deleted file mode 100644 (file)
index d13c6fa..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0c9a32f0192e656daa2ff3c9149f6d71b4a1b873 Mon Sep 17 00:00:00 2001
-From: Max Vozeler <mvz@vozeler.com>
-Date: Tue, 21 Sep 2010 17:31:40 +0200
-Subject: staging: usbip: Notify usb core of port status changes
-
-From: Max Vozeler <mvz@vozeler.com>
-
-commit 0c9a32f0192e656daa2ff3c9149f6d71b4a1b873 upstream.
-
-This patch changes vhci to behave like dummy and
-other hcds when disconnecting a device.
-
-Previously detaching a device from the root hub
-did not notify the usb core of the disconnect and
-left the device visible.
-
-Signed-off-by: Max Vozeler <mvz@vozeler.com>
-Reported-by: Marco Lancione <marco@optikam.com>
-Tested-by: Luc Jalbert <ljalbert@optikam.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/usbip/vhci_hcd.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/staging/usbip/vhci_hcd.c
-+++ b/drivers/staging/usbip/vhci_hcd.c
-@@ -163,6 +163,8 @@ void rh_port_disconnect(int rhport)
-        * spin_unlock(&vdev->ud.lock); */
-       spin_unlock_irqrestore(&the_controller->lock, flags);
-+
-+      usb_hcd_poll_rh_status(vhci_to_hcd(the_controller));
- }
diff --git a/queue-2.6.33/staging-usbip-process-event-flags-without-delay.patch b/queue-2.6.33/staging-usbip-process-event-flags-without-delay.patch
deleted file mode 100644 (file)
index dd7bc44..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-From 584c5b7cf06194464240280483ee0376cdddbbae Mon Sep 17 00:00:00 2001
-From: Max Vozeler <mvz@vozeler.com>
-Date: Tue, 21 Sep 2010 17:43:30 +0200
-Subject: staging: usbip: Process event flags without delay
-
-From: Max Vozeler <mvz@vozeler.com>
-
-commit 584c5b7cf06194464240280483ee0376cdddbbae upstream.
-
-The way the event handler works can cause it to delay
-events until eventual wakeup for another event.
-
-For example, on device detach (vhci):
-
- - Write to sysfs detach file
-    -> usbip_event_add(VDEV_EVENT_DOWN)
-      -> wakeup()
-
-#define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET).
-
- - Event thread wakes up and passes the event to
-   event_handler() to process.
-
- - It processes and clears the USBIP_EH_SHUTDOWN
-   flag then returns.
-
- - The outer event loop (event_handler_loop()) calls
-   wait_event_interruptible().
-
-The processing of the second flag which is part of
-VDEV_EVENT_DOWN (USBIP_EH_RESET) did not happen yet.
-It is delayed until the next event.
-
-This means the ->reset callback may not happen for
-a long time (if ever), leaving the usbip port in a
-weird state which prevents its reuse.
-
-This patch changes the handler to process all flags
-before waiting for another wakeup.
-
-I have verified this change to fix a problem which
-prevented reattach of a usbip device. It also helps
-for socket errors which missed the RESET as well.
-
-The delayed event processing also affects the stub
-side of usbip and the error handling there.
-
-Signed-off-by: Max Vozeler <mvz@vozeler.com>
-Reported-by: Marco Lancione <marco@optikam.com>
-Tested-by: Luc Jalbert <ljalbert@optikam.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/staging/usbip/usbip_event.c |   16 +++-------------
- 1 file changed, 3 insertions(+), 13 deletions(-)
-
---- a/drivers/staging/usbip/usbip_event.c
-+++ b/drivers/staging/usbip/usbip_event.c
-@@ -38,21 +38,13 @@ static int event_handler(struct usbip_de
-                       ud->eh_ops.shutdown(ud);
-                       ud->event &= ~USBIP_EH_SHUTDOWN;
--
--                      break;
-               }
--              /* Stop the error handler. */
--              if (ud->event & USBIP_EH_BYE)
--                      return -1;
--
-               /* Reset the device. */
-               if (ud->event & USBIP_EH_RESET) {
-                       ud->eh_ops.reset(ud);
-                       ud->event &= ~USBIP_EH_RESET;
--
--                      break;
-               }
-               /* Mark the device as unusable. */
-@@ -60,13 +52,11 @@ static int event_handler(struct usbip_de
-                       ud->eh_ops.unusable(ud);
-                       ud->event &= ~USBIP_EH_UNUSABLE;
--
--                      break;
-               }
--              /* NOTREACHED */
--              printk(KERN_ERR "%s: unknown event\n", __func__);
--              return -1;
-+              /* Stop the error handler. */
-+              if (ud->event & USBIP_EH_BYE)
-+                      return -1;
-       }
-       return 0;
diff --git a/queue-2.6.33/sys_semctl-fix-kernel-stack-leakage.patch b/queue-2.6.33/sys_semctl-fix-kernel-stack-leakage.patch
deleted file mode 100644 (file)
index bdb113d..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Thu, 30 Sep 2010 15:15:31 -0700
-Subject: sys_semctl: fix kernel stack leakage
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream.
-
-The semctl syscall has several code paths that lead to the leakage of
-uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
-IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
-version of the semid_ds struct.
-
-The copy_semid_to_user() function declares a semid_ds struct on the stack
-and copies it back to the user without initializing or zeroing the
-"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
-allowing the leakage of 16 bytes of kernel stack memory.
-
-The code is still reachable on 32-bit systems - when calling semctl()
-newer glibc's automatically OR the IPC command with the IPC_64 flag, but
-invoking the syscall directly allows users to use the older versions of
-the struct.
-
-Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
-Cc: Manfred Spraul <manfred@colorfullife.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- ipc/sem.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/ipc/sem.c
-+++ b/ipc/sem.c
-@@ -608,6 +608,8 @@ static unsigned long copy_semid_to_user(
-           {
-               struct semid_ds out;
-+              memset(&out, 0, sizeof(out));
-+
-               ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
-               out.sem_otime   = in->sem_otime;
diff --git a/queue-2.6.33/tcp-fix-4gb-writes-on-64-bit.patch b/queue-2.6.33/tcp-fix-4gb-writes-on-64-bit.patch
deleted file mode 100644 (file)
index df97d6c..0000000
+++ /dev/null
@@ -1,71 +0,0 @@
-From 9d7439227df4cc64a8c023a32f2731081a0a49a9 Mon Sep 17 00:00:00 2001
-From: David S. Miller <davem@davemloft.net>
-Date: Mon, 27 Sep 2010 20:24:54 -0700
-Subject: tcp: Fix >4GB writes on 64-bit.
-
-
-From: David S. Miller <davem@davemloft.net>
-
-[ Upstream commit 01db403cf99f739f86903314a489fb420e0e254f ]
-
-Fixes kernel bugzilla #16603
-
-tcp_sendmsg() truncates iov_len to an 'int' which a 4GB write to write
-zero bytes, for example.
-
-There is also the problem higher up of how verify_iovec() works.  It
-wants to prevent the total length from looking like an error return
-value.
-
-However it does this using 'int', but syscalls return 'long' (and
-thus signed 64-bit on 64-bit machines).  So it could trigger
-false-positives on 64-bit as written.  So fix it to use 'long'.
-
-Reported-by: Olaf Bonorden <bono@onlinehome.de>
-Reported-by: Daniel Büse <dbuese@gmx.de>
-Reported-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- include/linux/socket.h |    2 +-
- net/core/iovec.c       |    5 +++--
- net/ipv4/tcp.c         |    2 +-
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
---- a/include/linux/socket.h
-+++ b/include/linux/socket.h
-@@ -313,7 +313,7 @@ extern int csum_partial_copy_fromiovecen
-                                         int offset, 
-                                         unsigned int len, __wsum *csump);
--extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
-+extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
- extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
- extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
-                            int offset, int len);
---- a/net/core/iovec.c
-+++ b/net/core/iovec.c
-@@ -36,9 +36,10 @@
-  *    in any case.
-  */
--int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
-+long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
- {
--      int size, err, ct;
-+      int size, ct;
-+      long err;
-       if (m->msg_namelen) {
-               if (mode == VERIFY_READ) {
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -935,7 +935,7 @@ int tcp_sendmsg(struct kiocb *iocb, stru
-               goto out_err;
-       while (--iovlen >= 0) {
--              int seglen = iov->iov_len;
-+              size_t seglen = iov->iov_len;
-               unsigned char __user *from = iov->iov_base;
-               iov++;
diff --git a/queue-2.6.33/tcp-fix-race-in-tcp_poll.patch b/queue-2.6.33/tcp-fix-race-in-tcp_poll.patch
deleted file mode 100644 (file)
index 3e2d564..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From eb50686502e040058eb7f12f824f45ef04edc380 Mon Sep 17 00:00:00 2001
-From: Tom Marshall <tdm.code@gmail.com>
-Date: Mon, 20 Sep 2010 15:42:05 -0700
-Subject: tcp: Fix race in tcp_poll
-
-
-From: Tom Marshall <tdm.code@gmail.com>
-
-[ Upstream commit a4d258036ed9b2a1811c3670c6099203a0f284a0 ]
-
-If a RST comes in immediately after checking sk->sk_err, tcp_poll will
-return POLLIN but not POLLOUT.  Fix this by checking sk->sk_err at the end
-of tcp_poll.  Additionally, ensure the correct order of operations on SMP
-machines with memory barriers.
-
-Signed-off-by: Tom Marshall <tdm.code@gmail.com>
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/tcp.c       |    7 +++++--
- net/ipv4/tcp_input.c |    2 ++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -387,8 +387,6 @@ unsigned int tcp_poll(struct file *file,
-        */
-       mask = 0;
--      if (sk->sk_err)
--              mask = POLLERR;
-       /*
-        * POLLHUP is certainly not done right. But poll() doesn't
-@@ -457,6 +455,11 @@ unsigned int tcp_poll(struct file *file,
-               if (tp->urg_data & TCP_URG_VALID)
-                       mask |= POLLPRI;
-       }
-+      /* This barrier is coupled with smp_wmb() in tcp_reset() */
-+      smp_rmb();
-+      if (sk->sk_err)
-+              mask |= POLLERR;
-+
-       return mask;
- }
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -4027,6 +4027,8 @@ static void tcp_reset(struct sock *sk)
-       default:
-               sk->sk_err = ECONNRESET;
-       }
-+      /* This barrier is coupled with smp_rmb() in tcp_poll() */
-+      smp_wmb();
-       if (!sock_flag(sk, SOCK_DEAD))
-               sk->sk_error_report(sk);
diff --git a/queue-2.6.33/tracing-x86-don-t-use-mcount-in-kvmclock.c.patch b/queue-2.6.33/tracing-x86-don-t-use-mcount-in-kvmclock.c.patch
deleted file mode 100644 (file)
index 2044a9a..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 258af47479980d8238a04568b94a4e55aa1cb537 Mon Sep 17 00:00:00 2001
-From: Steven Rostedt <srostedt@redhat.com>
-Date: Wed, 22 Sep 2010 22:22:25 -0400
-Subject: tracing/x86: Don't use mcount in kvmclock.c
-
-From: Steven Rostedt <srostedt@redhat.com>
-
-commit 258af47479980d8238a04568b94a4e55aa1cb537 upstream.
-
-The guest can use the paravirt clock in kvmclock.c which is used
-by sched_clock(), which in turn is used by the tracing mechanism
-for timestamps, which leads to infinite recursion.
-
-Disable mcount/tracing for kvmclock.o.
-
-Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-Cc: Avi Kivity <avi@redhat.com>
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/Makefile |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/x86/kernel/Makefile
-+++ b/arch/x86/kernel/Makefile
-@@ -12,6 +12,7 @@ CFLAGS_REMOVE_tsc.o = -pg
- CFLAGS_REMOVE_rtc.o = -pg
- CFLAGS_REMOVE_paravirt-spinlocks.o = -pg
- CFLAGS_REMOVE_pvclock.o = -pg
-+CFLAGS_REMOVE_kvmclock.o = -pg
- CFLAGS_REMOVE_ftrace.o = -pg
- CFLAGS_REMOVE_early_printk.o = -pg
- endif
diff --git a/queue-2.6.33/tracing-x86-don-t-use-mcount-in-pvclock.c.patch b/queue-2.6.33/tracing-x86-don-t-use-mcount-in-pvclock.c.patch
deleted file mode 100644 (file)
index aedcd01..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9ecd4e1689208afe9b059a5ce1333acb2f42c4d2 Mon Sep 17 00:00:00 2001
-From: Jeremy Fitzhardinge <jeremy@goop.org>
-Date: Wed, 22 Sep 2010 17:07:27 -0700
-Subject: tracing/x86: Don't use mcount in pvclock.c
-
-From: Jeremy Fitzhardinge <jeremy@goop.org>
-
-commit 9ecd4e1689208afe9b059a5ce1333acb2f42c4d2 upstream.
-
-When using a paravirt clock, pvclock.c can be used by sched_clock(),
-which in turn is used by the tracing mechanism for timestamps,
-which leads to infinite recursion.
-
-Disable mcount/tracing for pvclock.o.
-
-Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-LKML-Reference: <4C9A9A3F.4040201@goop.org>
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/Makefile |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/x86/kernel/Makefile
-+++ b/arch/x86/kernel/Makefile
-@@ -11,6 +11,7 @@ ifdef CONFIG_FUNCTION_TRACER
- CFLAGS_REMOVE_tsc.o = -pg
- CFLAGS_REMOVE_rtc.o = -pg
- CFLAGS_REMOVE_paravirt-spinlocks.o = -pg
-+CFLAGS_REMOVE_pvclock.o = -pg
- CFLAGS_REMOVE_ftrace.o = -pg
- CFLAGS_REMOVE_early_printk.o = -pg
- endif
diff --git a/queue-2.6.33/tty-ldisc-fix-open-flag-handling.patch b/queue-2.6.33/tty-ldisc-fix-open-flag-handling.patch
deleted file mode 100644 (file)
index af6acd2..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From 7f90cfc505d613f4faf096e0d84ffe99208057d9 Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <jslaby@suse.cz>
-Date: Thu, 25 Nov 2010 00:27:54 +0100
-Subject: TTY: ldisc, fix open flag handling
-
-From: Jiri Slaby <jslaby@suse.cz>
-
-commit 7f90cfc505d613f4faf096e0d84ffe99208057d9 upstream.
-
-When a concrete ldisc open fails in tty_ldisc_open, we forget to clear
-TTY_LDISC_OPEN. This causes a false warning on the next ldisc open:
-WARNING: at drivers/char/tty_ldisc.c:445 tty_ldisc_open+0x26/0x38()
-Hardware name: System Product Name
-Modules linked in: ...
-Pid: 5251, comm: a.out Tainted: G        W  2.6.32-5-686 #1
-Call Trace:
- [<c1030321>] ? warn_slowpath_common+0x5e/0x8a
- [<c1030357>] ? warn_slowpath_null+0xa/0xc
- [<c119311c>] ? tty_ldisc_open+0x26/0x38
- [<c11936c5>] ? tty_set_ldisc+0x218/0x304
-...
-
-So clear the bit when failing...
-
-Introduced in c65c9bc3efa (tty: rewrite the ldisc locking) back in
-2.6.31-rc1.
-
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Cc: Alan Cox <alan@linux.intel.com>
-Reported-by: Sergey Lapin <slapin@ossfans.org>
-Tested-by: Sergey Lapin <slapin@ossfans.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/tty_ldisc.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/char/tty_ldisc.c
-+++ b/drivers/char/tty_ldisc.c
-@@ -452,6 +452,8 @@ static int tty_ldisc_open(struct tty_str
-                 /* BKL here locks verus a hangup event */
-               lock_kernel();
-               ret = ld->ops->open(tty);
-+              if (ret)
-+                      clear_bit(TTY_LDISC_OPEN, &tty->flags);
-               unlock_kernel();
-               return ret;
-       }
diff --git a/queue-2.6.33/tty-prevent-dos-in-the-flush_to_ldisc.patch b/queue-2.6.33/tty-prevent-dos-in-the-flush_to_ldisc.patch
deleted file mode 100644 (file)
index 0515ce2..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From e045fec48970df84647a47930fcf7a22ff7229c0 Mon Sep 17 00:00:00 2001
-From: Jiri Olsa <jolsa@redhat.com>
-Date: Mon, 8 Nov 2010 19:01:47 +0100
-Subject: tty: prevent DOS in the flush_to_ldisc
-
-From: Jiri Olsa <jolsa@redhat.com>
-
-commit e045fec48970df84647a47930fcf7a22ff7229c0 upstream.
-
-There's a small window inside the flush_to_ldisc function,
-where the tty is unlocked and calling ldisc's receive_buf
-function. If in this window new buffer is added to the tty,
-the processing might never leave the flush_to_ldisc function.
-
-This scenario will hog the cpu, causing other tty processing
-starving, and making it impossible to interface the computer
-via tty.
-
-I was able to exploit this via pty interface by sending only
-control characters to the master input, causing the flush_to_ldisc
-to be scheduled, but never actually generate any output.
-
-To reproduce, please run multiple instances of following code.
-
-- SNIP
-#define _XOPEN_SOURCE
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-int main(int argc, char **argv)
-{
-        int i, slave, master = getpt();
-        char buf[8192];
-
-        sprintf(buf, "%s", ptsname(master));
-        grantpt(master);
-        unlockpt(master);
-
-        slave = open(buf, O_RDWR);
-        if (slave < 0) {
-                perror("open slave failed");
-                return 1;
-        }
-
-        for(i = 0; i < sizeof(buf); i++)
-                buf[i] = rand() % 32;
-
-        while(1) {
-                write(master, buf, sizeof(buf));
-        }
-
-        return 0;
-}
-- SNIP
-
-The attached patch (based on -next tree) fixes this by checking on the
-tty buffer tail. Once it's reached, the current work is rescheduled
-and another could run.
-
-Signed-off-by: Jiri Olsa <jolsa@redhat.com>
-Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/tty_buffer.c |   14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/drivers/char/tty_buffer.c
-+++ b/drivers/char/tty_buffer.c
-@@ -412,7 +412,8 @@ static void flush_to_ldisc(struct work_s
-       spin_lock_irqsave(&tty->buf.lock, flags);
-       if (!test_and_set_bit(TTY_FLUSHING, &tty->flags)) {
--              struct tty_buffer *head;
-+              struct tty_buffer *head, *tail = tty->buf.tail;
-+              int seen_tail = 0;
-               while ((head = tty->buf.head) != NULL) {
-                       int count;
-                       char *char_buf;
-@@ -422,6 +423,15 @@ static void flush_to_ldisc(struct work_s
-                       if (!count) {
-                               if (head->next == NULL)
-                                       break;
-+                              /*
-+                                There's a possibility tty might get new buffer
-+                                added during the unlock window below. We could
-+                                end up spinning in here forever hogging the CPU
-+                                completely. To avoid this let's have a rest each
-+                                time we processed the tail buffer.
-+                              */
-+                              if (tail == head)
-+                                      seen_tail = 1;
-                               tty->buf.head = head->next;
-                               tty_buffer_free(tty, head);
-                               continue;
-@@ -431,7 +441,7 @@ static void flush_to_ldisc(struct work_s
-                          line discipline as we want to empty the queue */
-                       if (test_bit(TTY_FLUSHPENDING, &tty->flags))
-                               break;
--                      if (!tty->receive_room) {
-+                      if (!tty->receive_room || seen_tail) {
-                               schedule_delayed_work(&tty->buf.work, 1);
-                               break;
-                       }
diff --git a/queue-2.6.33/tty-restore-tty_ldisc_wait_idle.patch b/queue-2.6.33/tty-restore-tty_ldisc_wait_idle.patch
deleted file mode 100644 (file)
index 849ef53..0000000
+++ /dev/null
@@ -1,116 +0,0 @@
-From 100eeae2c5ce23b4db93ff320ee330ef1d740151 Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <jslaby@suse.cz>
-Date: Sun, 31 Oct 2010 23:17:51 +0100
-Subject: TTY: restore tty_ldisc_wait_idle
-
-From: Jiri Slaby <jslaby@suse.cz>
-
-commit 100eeae2c5ce23b4db93ff320ee330ef1d740151 upstream.
-
-It was removed in 65b770468e98 (tty-ldisc: turn ldisc user count into
-a proper refcount), but we need to wait for last user to quit the
-ldisc before we close it in tty_set_ldisc.
-
-Otherwise weird things start to happen. There might be processes
-waiting in tty_read->n_tty_read on tty->read_wait for input to appear
-and at that moment, a change of ldisc is fatal. n_tty_close is called,
-it frees read_buf and the waiting process is still in the middle of
-reading and goes nuts after it is woken.
-
-Previously we prevented close to happen when others are in ldisc ops
-by tty_ldisc_wait_idle in tty_set_ldisc. But the commit above removed
-that. So revoke the change and test whether there is 1 user (=we), and
-allow the close then.
-
-We can do that without ldisc/tty locks, because nobody else can open
-the device due to TTY_LDISC_CHANGING bit set, so we in fact wait for
-everybody to leave.
-
-I don't understand why tty_ldisc_lock would be needed either when the
-counter is an atomic variable, so this is a lockless
-tty_ldisc_wait_idle.
-
-On the other hand, if we fail to wait (timeout or signal), we have to
-reenable the halted ldiscs, so we take ldisc lock and reuse the setup
-path at the end of tty_set_ldisc.
-
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
-Tested-by: Sebastian Andrzej Siewior <bigeasy@breakpoint.cc>
-LKML-Reference: <20101031104136.GA511@Chamillionaire.breakpoint.cc>
-LKML-Reference: <1287669539-22644-1-git-send-email-jslaby@suse.cz>
-Cc: Alan Cox <alan@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/tty_ldisc.c |   29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
---- a/drivers/char/tty_ldisc.c
-+++ b/drivers/char/tty_ldisc.c
-@@ -47,6 +47,7 @@
- static DEFINE_SPINLOCK(tty_ldisc_lock);
- static DECLARE_WAIT_QUEUE_HEAD(tty_ldisc_wait);
-+static DECLARE_WAIT_QUEUE_HEAD(tty_ldisc_idle);
- /* Line disc dispatch table */
- static struct tty_ldisc_ops *tty_ldiscs[NR_LDISCS];
-@@ -83,6 +84,7 @@ static void put_ldisc(struct tty_ldisc *
-               return;
-       }
-       local_irq_restore(flags);
-+      wake_up(&tty_ldisc_idle);
- }
- /**
-@@ -530,6 +532,23 @@ static int tty_ldisc_halt(struct tty_str
- }
- /**
-+ *    tty_ldisc_wait_idle     -       wait for the ldisc to become idle
-+ *    @tty: tty to wait for
-+ *
-+ *    Wait for the line discipline to become idle. The discipline must
-+ *    have been halted for this to guarantee it remains idle.
-+ */
-+static int tty_ldisc_wait_idle(struct tty_struct *tty)
-+{
-+      int ret;
-+      ret = wait_event_interruptible_timeout(tty_ldisc_idle,
-+                      atomic_read(&tty->ldisc->users) == 1, 5 * HZ);
-+      if (ret < 0)
-+              return ret;
-+      return ret > 0 ? 0 : -EBUSY;
-+}
-+
-+/**
-  *    tty_set_ldisc           -       set line discipline
-  *    @tty: the terminal to set
-  *    @ldisc: the line discipline
-@@ -632,8 +651,17 @@ int tty_set_ldisc(struct tty_struct *tty
-       flush_scheduled_work();
-+      retval = tty_ldisc_wait_idle(tty);
-+
-       mutex_lock(&tty->ldisc_mutex);
-       lock_kernel();
-+
-+      /* handle wait idle failure locked */
-+      if (retval) {
-+              tty_ldisc_put(new_ldisc);
-+              goto enable;
-+      }
-+
-       if (test_bit(TTY_HUPPED, &tty->flags)) {
-               /* We were raced by the hangup method. It will have stomped
-                  the ldisc data and closed the ldisc down */
-@@ -667,6 +695,7 @@ int tty_set_ldisc(struct tty_struct *tty
-       tty_ldisc_put(o_ldisc);
-+enable:
-       /*
-        *      Allow ldisc referencing to occur again
-        */
diff --git a/queue-2.6.33/tty_ldisc-fix-bug-on-hangup.patch b/queue-2.6.33/tty_ldisc-fix-bug-on-hangup.patch
deleted file mode 100644 (file)
index a131f1b..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-From 1c95ba1e1de7edffc0c4e275e147f1a9eb1f81ae Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20R=C3=A9tornaz?= <philippe.retornaz@epfl.ch>
-Date: Wed, 27 Oct 2010 17:13:21 +0200
-Subject: tty_ldisc: Fix BUG() on hangup
-
-From: =?UTF-8?q?Philippe=20R=C3=A9tornaz?= <philippe.retornaz@epfl.ch>
-
-commit 1c95ba1e1de7edffc0c4e275e147f1a9eb1f81ae upstream.
-
-A kernel BUG when bluetooth rfcomm connection drop while the associated
-serial port is open is sometime triggered.
-
-It seems that the line discipline can disappear between the
-tty_ldisc_put and tty_ldisc_get. This patch fall back to the N_TTY line
-discipline if the previous discipline is not available anymore.
-
-Signed-off-by: Philippe Retornaz <philippe.retornaz@epfl.ch>
-Acked-by: Alan Cox <alan@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/char/tty_ldisc.c |   20 +++++++++++++-------
- 1 file changed, 13 insertions(+), 7 deletions(-)
-
---- a/drivers/char/tty_ldisc.c
-+++ b/drivers/char/tty_ldisc.c
-@@ -741,9 +741,12 @@ static void tty_reset_termios(struct tty
-  *    state closed
-  */
--static void tty_ldisc_reinit(struct tty_struct *tty, int ldisc)
-+static int tty_ldisc_reinit(struct tty_struct *tty, int ldisc)
- {
--      struct tty_ldisc *ld;
-+      struct tty_ldisc *ld = tty_ldisc_get(ldisc);
-+
-+      if (IS_ERR(ld))
-+              return -1;
-       tty_ldisc_close(tty, tty->ldisc);
-       tty_ldisc_put(tty->ldisc);
-@@ -751,10 +754,10 @@ static void tty_ldisc_reinit(struct tty_
-       /*
-        *      Switch the line discipline back
-        */
--      ld = tty_ldisc_get(ldisc);
--      BUG_ON(IS_ERR(ld));
-       tty_ldisc_assign(tty, ld);
-       tty_set_termios_ldisc(tty, ldisc);
-+
-+      return 0;
- }
- /**
-@@ -816,13 +819,16 @@ void tty_ldisc_hangup(struct tty_struct
-          a FIXME */
-       if (tty->ldisc) {       /* Not yet closed */
-               if (reset == 0) {
--                      tty_ldisc_reinit(tty, tty->termios->c_line);
--                      err = tty_ldisc_open(tty, tty->ldisc);
-+
-+                      if (!tty_ldisc_reinit(tty, tty->termios->c_line))
-+                              err = tty_ldisc_open(tty, tty->ldisc);
-+                      else
-+                              err = 1;
-               }
-               /* If the re-open fails or we reset then go to N_TTY. The
-                  N_TTY open cannot fail */
-               if (reset || err) {
--                      tty_ldisc_reinit(tty, N_TTY);
-+                      BUG_ON(tty_ldisc_reinit(tty, N_TTY));
-                       WARN_ON(tty_ldisc_open(tty, tty->ldisc));
-               }
-               tty_ldisc_enable(tty);
diff --git a/queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch b/queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch
deleted file mode 100644 (file)
index 23caa4c..0000000
+++ /dev/null
@@ -1,104 +0,0 @@
-From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001
-From: Tejun Heo <tj@kernel.org>
-Date: Fri, 15 Oct 2010 12:56:21 +0200
-Subject: ubd: fix incorrect sector handling during request restart
-
-From: Tejun Heo <tj@kernel.org>
-
-commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream.
-
-Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation)
-dropped request->sector manipulation in preparation for global request
-handling cleanup; unfortunately, it incorrectly assumed that the
-updated sector wasn't being used.
-
-ubd tries to issue as many requests as possible to io_thread.  When
-issuing fails due to memory pressure or other reasons, the device is
-put on the restart list and issuing stops.  On IO completion, devices
-on the restart list are scanned and IO issuing is restarted.
-
-ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a
-request, so each device on the restart queue needs to remember where
-to restart in its current request.  ubd needs to keep track of the
-issue position itself because,
-
-* blk_rq_pos(req) is now updated by the block layer to keep track of
-  _completion_ position.
-
-* Multiple io_req's for the current request may be in flight, so it's
-  difficult to tell where blk_rq_pos(req) currently is.
-
-Add ubd->rq_pos to keep track of the issue position and use it to
-correctly restart io_req issue.
-
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Reported-by: Richard Weinberger <richard@nod.at>
-Tested-by: Richard Weinberger <richard@nod.at>
-Tested-by: Chris Frey <cdfrey@foursquare.net>
-Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/um/drivers/ubd_kern.c |    9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/arch/um/drivers/ubd_kern.c
-+++ b/arch/um/drivers/ubd_kern.c
-@@ -161,6 +161,7 @@ struct ubd {
-       struct scatterlist sg[MAX_SG];
-       struct request *request;
-       int start_sg, end_sg;
-+      sector_t rq_pos;
- };
- #define DEFAULT_COW { \
-@@ -185,6 +186,7 @@ struct ubd {
-       .request =              NULL, \
-       .start_sg =             0, \
-       .end_sg =               0, \
-+      .rq_pos =               0, \
- }
- /* Protected by ubd_lock */
-@@ -1222,7 +1224,6 @@ static void do_ubd_request(struct reques
- {
-       struct io_thread_req *io_req;
-       struct request *req;
--      sector_t sector;
-       int n;
-       while(1){
-@@ -1233,12 +1234,12 @@ static void do_ubd_request(struct reques
-                               return;
-                       dev->request = req;
-+                      dev->rq_pos = blk_rq_pos(req);
-                       dev->start_sg = 0;
-                       dev->end_sg = blk_rq_map_sg(q, req, dev->sg);
-               }
-               req = dev->request;
--              sector = blk_rq_pos(req);
-               while(dev->start_sg < dev->end_sg){
-                       struct scatterlist *sg = &dev->sg[dev->start_sg];
-@@ -1250,10 +1251,9 @@ static void do_ubd_request(struct reques
-                               return;
-                       }
-                       prepare_request(req, io_req,
--                                      (unsigned long long)sector << 9,
-+                                      (unsigned long long)dev->rq_pos << 9,
-                                       sg->offset, sg->length, sg_page(sg));
--                      sector += sg->length >> 9;
-                       n = os_write_file(thread_fd, &io_req,
-                                         sizeof(struct io_thread_req *));
-                       if(n != sizeof(struct io_thread_req *)){
-@@ -1266,6 +1266,7 @@ static void do_ubd_request(struct reques
-                               return;
-                       }
-+                      dev->rq_pos += sg->length >> 9;
-                       dev->start_sg++;
-               }
-               dev->end_sg = 0;
diff --git a/queue-2.6.33/udp-add-rehash-on-connect.patch b/queue-2.6.33/udp-add-rehash-on-connect.patch
deleted file mode 100644 (file)
index 843a51d..0000000
+++ /dev/null
@@ -1,200 +0,0 @@
-From 719f835853a92f6090258114a72ffe41f09155cd Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <eric.dumazet@gmail.com>
-Date: Wed, 8 Sep 2010 05:08:44 +0000
-Subject: udp: add rehash on connect()
-
-From: Eric Dumazet <eric.dumazet@gmail.com>
-
-commit 719f835853a92f6090258114a72ffe41f09155cd upstream.
-
-commit 30fff923 introduced in linux-2.6.33 (udp: bind() optimisation)
-added a secondary hash on UDP, hashed on (local addr, local port).
-
-Problem is that following sequence :
-
-fd = socket(...)
-connect(fd, &remote, ...)
-
-not only selects remote end point (address and port), but also sets
-local address, while UDP stack stored in secondary hash table the socket
-while its local address was INADDR_ANY (or ipv6 equivalent)
-
-Sequence is :
- - autobind() : choose a random local port, insert socket in hash tables
-              [while local address is INADDR_ANY]
- - connect() : set remote address and port, change local address to IP
-              given by a route lookup.
-
-When an incoming UDP frame comes, if more than 10 sockets are found in
-primary hash table, we switch to secondary table, and fail to find
-socket because its local address changed.
-
-One solution to this problem is to rehash datagram socket if needed.
-
-We add a new rehash(struct socket *) method in "struct proto", and
-implement this method for UDP v4 & v6, using a common helper.
-
-This rehashing only takes care of secondary hash table, since primary
-hash (based on local port only) is not changed.
-
-Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
-Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
-Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- include/net/sock.h  |    1 +
- include/net/udp.h   |    1 +
- net/ipv4/datagram.c |    5 ++++-
- net/ipv4/udp.c      |   44 ++++++++++++++++++++++++++++++++++++++++++++
- net/ipv6/datagram.c |    7 ++++++-
- net/ipv6/udp.c      |   10 ++++++++++
- 6 files changed, 66 insertions(+), 2 deletions(-)
-
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -681,6 +681,7 @@ struct proto {
-       /* Keeping track of sk's, looking them up, and port selection methods. */
-       void                    (*hash)(struct sock *sk);
-       void                    (*unhash)(struct sock *sk);
-+      void                    (*rehash)(struct sock *sk);
-       int                     (*get_port)(struct sock *sk, unsigned short snum);
-       /* Keeping track of sockets in use */
---- a/include/net/udp.h
-+++ b/include/net/udp.h
-@@ -151,6 +151,7 @@ static inline void udp_lib_hash(struct s
- }
- extern void udp_lib_unhash(struct sock *sk);
-+extern void udp_lib_rehash(struct sock *sk, u16 new_hash);
- static inline void udp_lib_close(struct sock *sk, long timeout)
- {
---- a/net/ipv4/datagram.c
-+++ b/net/ipv4/datagram.c
-@@ -62,8 +62,11 @@ int ip4_datagram_connect(struct sock *sk
-       }
-       if (!inet->inet_saddr)
-               inet->inet_saddr = rt->rt_src;  /* Update source address */
--      if (!inet->inet_rcv_saddr)
-+      if (!inet->inet_rcv_saddr) {
-               inet->inet_rcv_saddr = rt->rt_src;
-+              if (sk->sk_prot->rehash)
-+                      sk->sk_prot->rehash(sk);
-+      }
-       inet->inet_daddr = rt->rt_dst;
-       inet->inet_dport = usin->sin_port;
-       sk->sk_state = TCP_ESTABLISHED;
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1256,6 +1256,49 @@ void udp_lib_unhash(struct sock *sk)
- }
- EXPORT_SYMBOL(udp_lib_unhash);
-+/*
-+ * inet_rcv_saddr was changed, we must rehash secondary hash
-+ */
-+void udp_lib_rehash(struct sock *sk, u16 newhash)
-+{
-+      if (sk_hashed(sk)) {
-+              struct udp_table *udptable = sk->sk_prot->h.udp_table;
-+              struct udp_hslot *hslot, *hslot2, *nhslot2;
-+
-+              hslot2 = udp_hashslot2(udptable, udp_sk(sk)->udp_portaddr_hash);
-+              nhslot2 = udp_hashslot2(udptable, newhash);
-+              udp_sk(sk)->udp_portaddr_hash = newhash;
-+              if (hslot2 != nhslot2) {
-+                      hslot = udp_hashslot(udptable, sock_net(sk),
-+                                           udp_sk(sk)->udp_port_hash);
-+                      /* we must lock primary chain too */
-+                      spin_lock_bh(&hslot->lock);
-+
-+                      spin_lock(&hslot2->lock);
-+                      hlist_nulls_del_init_rcu(&udp_sk(sk)->udp_portaddr_node);
-+                      hslot2->count--;
-+                      spin_unlock(&hslot2->lock);
-+
-+                      spin_lock(&nhslot2->lock);
-+                      hlist_nulls_add_head_rcu(&udp_sk(sk)->udp_portaddr_node,
-+                                               &nhslot2->head);
-+                      nhslot2->count++;
-+                      spin_unlock(&nhslot2->lock);
-+
-+                      spin_unlock_bh(&hslot->lock);
-+              }
-+      }
-+}
-+EXPORT_SYMBOL(udp_lib_rehash);
-+
-+static void udp_v4_rehash(struct sock *sk)
-+{
-+      u16 new_hash = udp4_portaddr_hash(sock_net(sk),
-+                                        inet_sk(sk)->inet_rcv_saddr,
-+                                        inet_sk(sk)->inet_num);
-+      udp_lib_rehash(sk, new_hash);
-+}
-+
- static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
- {
-       int rc = sock_queue_rcv_skb(sk, skb);
-@@ -1831,6 +1874,7 @@ struct proto udp_prot = {
-       .backlog_rcv       = __udp_queue_rcv_skb,
-       .hash              = udp_lib_hash,
-       .unhash            = udp_lib_unhash,
-+      .rehash            = udp_v4_rehash,
-       .get_port          = udp_v4_get_port,
-       .memory_allocated  = &udp_memory_allocated,
-       .sysctl_mem        = sysctl_udp_mem,
---- a/net/ipv6/datagram.c
-+++ b/net/ipv6/datagram.c
-@@ -103,9 +103,12 @@ ipv4_connected:
-               if (ipv6_addr_any(&np->saddr))
-                       ipv6_addr_set_v4mapped(inet->inet_saddr, &np->saddr);
--              if (ipv6_addr_any(&np->rcv_saddr))
-+              if (ipv6_addr_any(&np->rcv_saddr)) {
-                       ipv6_addr_set_v4mapped(inet->inet_rcv_saddr,
-                                              &np->rcv_saddr);
-+                      if (sk->sk_prot->rehash)
-+                              sk->sk_prot->rehash(sk);
-+              }
-               goto out;
-       }
-@@ -190,6 +193,8 @@ ipv4_connected:
-       if (ipv6_addr_any(&np->rcv_saddr)) {
-               ipv6_addr_copy(&np->rcv_saddr, &fl.fl6_src);
-               inet->inet_rcv_saddr = LOOPBACK4_IPV6;
-+              if (sk->sk_prot->rehash)
-+                      sk->sk_prot->rehash(sk);
-       }
-       ip6_dst_store(sk, dst,
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -110,6 +110,15 @@ int udp_v6_get_port(struct sock *sk, uns
-       return udp_lib_get_port(sk, snum, ipv6_rcv_saddr_equal, hash2_nulladdr);
- }
-+static void udp_v6_rehash(struct sock *sk)
-+{
-+      u16 new_hash = udp6_portaddr_hash(sock_net(sk),
-+                                        &inet6_sk(sk)->rcv_saddr,
-+                                        inet_sk(sk)->inet_num);
-+
-+      udp_lib_rehash(sk, new_hash);
-+}
-+
- static inline int compute_score(struct sock *sk, struct net *net,
-                               unsigned short hnum,
-                               struct in6_addr *saddr, __be16 sport,
-@@ -1431,6 +1440,7 @@ struct proto udpv6_prot = {
-       .backlog_rcv       = udpv6_queue_rcv_skb,
-       .hash              = udp_lib_hash,
-       .unhash            = udp_lib_unhash,
-+      .rehash            = udp_v6_rehash,
-       .get_port          = udp_v6_get_port,
-       .memory_allocated  = &udp_memory_allocated,
-       .sysctl_mem        = sysctl_udp_mem,
diff --git a/queue-2.6.33/um-fix-global-timer-issue-when-using-config_no_hz.patch b/queue-2.6.33/um-fix-global-timer-issue-when-using-config_no_hz.patch
deleted file mode 100644 (file)
index d27db6b..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 482db6df1746c4fa7d64a2441d4cb2610249c679 Mon Sep 17 00:00:00 2001
-From: Richard Weinberger <richard@nod.at>
-Date: Tue, 26 Oct 2010 14:21:13 -0700
-Subject: um: fix global timer issue when using CONFIG_NO_HZ
-
-From: Richard Weinberger <richard@nod.at>
-
-commit 482db6df1746c4fa7d64a2441d4cb2610249c679 upstream.
-
-This fixes a issue which was introduced by fe2cc53e ("uml: track and make
-up lost ticks").
-
-timeval_to_ns() returns long long and not int.  Due to that UML's timer
-did not work properlt and caused timer freezes.
-
-Signed-off-by: Richard Weinberger <richard@nod.at>
-Acked-by: Pekka Enberg <penberg@kernel.org>
-Cc: Jeff Dike <jdike@addtoit.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/um/os-Linux/time.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/um/os-Linux/time.c
-+++ b/arch/um/os-Linux/time.c
-@@ -60,7 +60,7 @@ static inline long long timeval_to_ns(co
- long long disable_timer(void)
- {
-       struct itimerval time = ((struct itimerval) { { 0, 0 }, { 0, 0 } });
--      int remain, max = UM_NSEC_PER_SEC / UM_HZ;
-+      long long remain, max = UM_NSEC_PER_SEC / UM_HZ;
-       if (setitimer(ITIMER_VIRTUAL, &time, &time) < 0)
-               printk(UM_KERN_ERR "disable_timer - setitimer failed, "
diff --git a/queue-2.6.33/um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch b/queue-2.6.33/um-remove-page_size-alignment-in-linker-script-causing-kernel-segfault.patch
deleted file mode 100644 (file)
index c4473f1..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 6915e04f8847bea16d0890f559694ad8eedd026c Mon Sep 17 00:00:00 2001
-From: Richard Weinberger <richard@nod.at>
-Date: Tue, 26 Oct 2010 14:21:16 -0700
-Subject: um: remove PAGE_SIZE alignment in linker script causing kernel segfault.
-
-From: Richard Weinberger <richard@nod.at>
-
-commit 6915e04f8847bea16d0890f559694ad8eedd026c upstream.
-
-The linker script cleanup that I did in commit 5d150a97f93 ("um: Clean up
-linker script using standard macros.") (2.6.32) accidentally introduced an
-ALIGN(PAGE_SIZE) when converting to use INIT_TEXT_SECTION; Richard
-Weinberger reported that this causes the kernel to segfault with
-CONFIG_STATIC_LINK=y.
-
-I'm not certain why this extra alignment is a problem, but it seems likely
-it is because previously
-
-__init_begin = _stext = _text = _sinittext
-
-and with the extra ALIGN(PAGE_SIZE), _sinittext becomes different from the
-rest.  So there is likely a bug here where something is assuming that
-_sinittext is the same as one of those other symbols.  But reverting the
-accidental change fixes the regression, so it seems worth committing that
-now.
-
-Signed-off-by: Tim Abbott <tabbott@ksplice.com>
-Reported-by: Richard Weinberger <richard@nod.at>
-Cc: Jeff Dike <jdike@addtoit.com>
-Tested by: Antoine Martin <antoine@nagafix.co.uk>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/um/kernel/uml.lds.S |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/um/kernel/uml.lds.S
-+++ b/arch/um/kernel/uml.lds.S
-@@ -22,7 +22,7 @@ SECTIONS
-   _text = .;
-   _stext = .;
-   __init_begin = .;
--  INIT_TEXT_SECTION(PAGE_SIZE)
-+  INIT_TEXT_SECTION(0)
-   . = ALIGN(PAGE_SIZE);
-   .text      :
diff --git a/queue-2.6.33/usb-accept-some-invalid-ep0-maxpacket-values.patch b/queue-2.6.33/usb-accept-some-invalid-ep0-maxpacket-values.patch
deleted file mode 100644 (file)
index 472eac8..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 56626a72a47bf3e50875d960d6b5f17b9bee0ab2 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Thu, 14 Oct 2010 15:25:21 -0400
-Subject: USB: accept some invalid ep0-maxpacket values
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-commit 56626a72a47bf3e50875d960d6b5f17b9bee0ab2 upstream.
-
-A few devices (such as the RCA VR5220 voice recorder) are so
-non-compliant with the USB spec that they have invalid maxpacket sizes
-for endpoint 0.  Nevertheless, as long as we can safely use them, we
-may as well do so.
-
-This patch (as1432) softens our acceptance criterion by allowing
-high-speed devices to have ep0-maxpacket sizes other than 64.  A
-warning is printed in the system log when this happens, and the
-existing error message is clarified.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-by: James <bjlockie@lockie.ca>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/core/hub.c |    9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -2872,13 +2872,16 @@ hub_port_init (struct usb_hub *hub, stru
-       else
-               i = udev->descriptor.bMaxPacketSize0;
-       if (le16_to_cpu(udev->ep0.desc.wMaxPacketSize) != i) {
--              if (udev->speed != USB_SPEED_FULL ||
-+              if (udev->speed == USB_SPEED_LOW ||
-                               !(i == 8 || i == 16 || i == 32 || i == 64)) {
--                      dev_err(&udev->dev, "ep0 maxpacket = %d\n", i);
-+                      dev_err(&udev->dev, "Invalid ep0 maxpacket: %d\n", i);
-                       retval = -EMSGSIZE;
-                       goto fail;
-               }
--              dev_dbg(&udev->dev, "ep0 maxpacket = %d\n", i);
-+              if (udev->speed == USB_SPEED_FULL)
-+                      dev_dbg(&udev->dev, "ep0 maxpacket = %d\n", i);
-+              else
-+                      dev_warn(&udev->dev, "Using ep0 maxpacket: %d\n", i);
-               udev->ep0.desc.wMaxPacketSize = cpu_to_le16(i);
-               usb_ep0_reinit(udev);
-       }
diff --git a/queue-2.6.33/usb-add-pid-for-ftdi-based-opendcc-hardware.patch b/queue-2.6.33/usb-add-pid-for-ftdi-based-opendcc-hardware.patch
deleted file mode 100644 (file)
index 3892085..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 99c1e4f89d1033444ce4d0c064bd2826e81c3775 Mon Sep 17 00:00:00 2001
-From: Rainer Keller <mail@rainerkeller.de>
-Date: Tue, 28 Sep 2010 12:27:43 +0200
-Subject: USB: add PID for FTDI based OpenDCC hardware
-
-From: Rainer Keller <mail@rainerkeller.de>
-
-commit 99c1e4f89d1033444ce4d0c064bd2826e81c3775 upstream.
-
-The OpenDCC project is developing a new hardware. This patch adds its
-PID to the list of known FTDI devices. The PID can be found at
-http://www.opendcc.de/elektronik/usb/opendcc_usb.html
-
-Signed-off-by: Rainer Keller <mail@rainerkeller.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/ftdi_sio.c     |    1 +
- drivers/usb/serial/ftdi_sio_ids.h |    1 +
- 2 files changed, 2 insertions(+)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -179,6 +179,7 @@ static struct usb_device_id id_table_com
-       { USB_DEVICE(FTDI_VID, FTDI_OPENDCC_SNIFFER_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_OPENDCC_THROTTLE_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_OPENDCC_GATEWAY_PID) },
-+      { USB_DEVICE(FTDI_VID, FTDI_OPENDCC_GBM_PID) },
-       { USB_DEVICE(INTERBIOMETRICS_VID, INTERBIOMETRICS_IOBOARD_PID) },
-       { USB_DEVICE(INTERBIOMETRICS_VID, INTERBIOMETRICS_MINI_IOBOARD_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_SPROG_II) },
---- a/drivers/usb/serial/ftdi_sio_ids.h
-+++ b/drivers/usb/serial/ftdi_sio_ids.h
-@@ -56,6 +56,7 @@
- #define FTDI_OPENDCC_SNIFFER_PID      0xBFD9
- #define FTDI_OPENDCC_THROTTLE_PID     0xBFDA
- #define FTDI_OPENDCC_GATEWAY_PID      0xBFDB
-+#define FTDI_OPENDCC_GBM_PID  0xBFDC
- /*
-  * RR-CirKits LocoBuffer USB (http://www.rr-cirkits.com)
diff --git a/queue-2.6.33/usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch b/queue-2.6.33/usb-atm-ueagle-atm-fix-up-some-permissions-on-the-sysfs-files.patch
deleted file mode 100644 (file)
index 8f8a891..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From e502ac5e1eca99d7dc3f12b2a6780ccbca674858 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Mon, 15 Nov 2010 11:11:45 -0800
-Subject: USB: atm: ueagle-atm: fix up some permissions on the sysfs files
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream.
-
-Some of the sysfs files had the incorrect permissions.  Some didn't make
-sense at all (writable for a file that you could not write to?)
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Matthieu Castet <castet.matthieu@free.fr>
-Cc: Stanislaw Gruszka <stf_xl@wp.pl>
-Cc: Damien Bergamini <damien.bergamini@free.fr>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/atm/ueagle-atm.c |    6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/atm/ueagle-atm.c
-+++ b/drivers/usb/atm/ueagle-atm.c
-@@ -2260,7 +2260,7 @@ out:
-       return ret;
- }
--static DEVICE_ATTR(stat_status, S_IWUGO | S_IRUGO, read_status, reboot);
-+static DEVICE_ATTR(stat_status, S_IWUSR | S_IRUGO, read_status, reboot);
- static ssize_t read_human_status(struct device *dev, struct device_attribute *attr,
-               char *buf)
-@@ -2323,7 +2323,7 @@ out:
-       return ret;
- }
--static DEVICE_ATTR(stat_human_status, S_IWUGO | S_IRUGO, read_human_status, NULL);
-+static DEVICE_ATTR(stat_human_status, S_IRUGO, read_human_status, NULL);
- static ssize_t read_delin(struct device *dev, struct device_attribute *attr,
-               char *buf)
-@@ -2355,7 +2355,7 @@ out:
-       return ret;
- }
--static DEVICE_ATTR(stat_delin, S_IWUGO | S_IRUGO, read_delin, NULL);
-+static DEVICE_ATTR(stat_delin, S_IRUGO, read_delin, NULL);
- #define UEA_ATTR(name, reset)                                         \
-                                                               \
diff --git a/queue-2.6.33/usb-atmel_usba_udc-force-vbus_pin-at-einval-when-gpio_request-failled.patch b/queue-2.6.33/usb-atmel_usba_udc-force-vbus_pin-at-einval-when-gpio_request-failled.patch
deleted file mode 100644 (file)
index 9d3f6b4..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 969affff54702785330de553b790372e261e93f9 Mon Sep 17 00:00:00 2001
-From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
-Date: Mon, 20 Sep 2010 18:31:07 +0200
-Subject: USB: atmel_usba_udc: force vbus_pin at -EINVAL when gpio_request failled
-
-From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
-
-commit 969affff54702785330de553b790372e261e93f9 upstream.
-
-to ensure gpio_is_valid return false
-
-Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
-Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/gadget/atmel_usba_udc.c |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/usb/gadget/atmel_usba_udc.c
-+++ b/drivers/usb/gadget/atmel_usba_udc.c
-@@ -2013,6 +2013,9 @@ static int __init usba_udc_probe(struct
-                       } else {
-                               disable_irq(gpio_to_irq(udc->vbus_pin));
-                       }
-+              } else {
-+                      /* gpio_request fail so use -EINVAL for gpio_is_valid */
-+                      ubc->vbus_pin = -EINVAL;
-               }
-       }
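Review bot: The added else branch assigns through `ubc`, while the context line in the same hunk uses `udc` (`disable_irq(gpio_to_irq(udc->vbus_pin))`). Unless a variable named `ubc` is declared outside the hunk, this line does not compile, which would mean the patch was never built with this driver enabled. The assignment should read `udc->vbus_pin = -EINVAL;`, and the copy of this patch carried into the longterm queue needs the same correction. usba_udc_probe starts and ends outside the hunk.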
diff --git a/queue-2.6.33/usb-core-fix-information-leak-to-userland.patch b/queue-2.6.33/usb-core-fix-information-leak-to-userland.patch
deleted file mode 100644 (file)
index 71f99f2..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 886ccd4520064408ce5876cfe00554ce52ecf4a7 Mon Sep 17 00:00:00 2001
-From: Vasiliy Kulikov <segooon@gmail.com>
-Date: Sat, 6 Nov 2010 17:41:28 +0300
-Subject: usb: core: fix information leak to userland
-
-From: Vasiliy Kulikov <segooon@gmail.com>
-
-commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.
-
-Structure usbdevfs_connectinfo is copied to userland with padding byted
-after "slow" field uninitialized.  It leads to leaking of contents of
-kernel stack memory.
-
-Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/core/devio.c |    7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/core/devio.c
-+++ b/drivers/usb/core/devio.c
-@@ -946,10 +946,11 @@ static int proc_getdriver(struct dev_sta
- static int proc_connectinfo(struct dev_state *ps, void __user *arg)
- {
--      struct usbdevfs_connectinfo ci;
-+      struct usbdevfs_connectinfo ci = {
-+              .devnum = ps->dev->devnum,
-+              .slow = ps->dev->speed == USB_SPEED_LOW
-+      };
--      ci.devnum = ps->dev->devnum;
--      ci.slow = ps->dev->speed == USB_SPEED_LOW;
-       if (copy_to_user(arg, &ci, sizeof(ci)))
-               return -EFAULT;
-       return 0;
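Review bot: The designated initializer for `ci` in proc_connectinfo names every member, so nothing in the C standard obliges the compiler to clear the padding after `slow`. Those are the bytes the commit message identifies as leaking, and `copy_to_user(arg, &ci, sizeof(ci))` still copies the whole object. Whether they are zeroed is left to the compiler's code generation, which makes the fix fragile. Keeping the plain declaration, adding `memset(&ci, 0, sizeof(ci));` ahead of the two original assignments to `ci.devnum` and `ci.slow` clears the padding regardless of compiler. The closing brace of the function lies outside the hunk.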
diff --git a/queue-2.6.33/usb-cp210x-add-renesas-rx-stick-device-id.patch b/queue-2.6.33/usb-cp210x-add-renesas-rx-stick-device-id.patch
deleted file mode 100644 (file)
index f841e37..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2f1136d1d08a63dcdbcd462621373f30d8dfe590 Mon Sep 17 00:00:00 2001
-From: DJ Delorie <dj@delorie.com>
-Date: Fri, 17 Sep 2010 11:09:06 -0400
-Subject: USB: cp210x: Add Renesas RX-Stick device ID
-
-From: DJ Delorie <dj@delorie.com>
-
-commit 2f1136d1d08a63dcdbcd462621373f30d8dfe590 upstream.
-
-RX610 development board by Renesas
-
-Bus 001 Device 024: ID 045b:0053 Hitachi, Ltd
-Device Descriptor:
-  bLength                18
-  bDescriptorType         1
-  bcdUSB               1.10
-  bDeviceClass            0 (Defined at Interface level)
-  bDeviceSubClass         0
-  bDeviceProtocol         0
-  bMaxPacketSize0        64
-  idVendor           0x045b Hitachi, Ltd
-  idProduct          0x0053
-  bcdDevice            1.00
-  iManufacturer           1 Silicon Labs
-  iProduct                2 RX-Stick
-  iSerial                 3 0001
-  . . .
-
-http://am.renesas.com/rx610stick
-
-Signed-off-by: DJ Delorie <dj@delorie.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/cp210x.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/serial/cp210x.c
-+++ b/drivers/usb/serial/cp210x.c
-@@ -56,6 +56,7 @@ static int cp210x_carrier_raised(struct
- static int debug;
- static struct usb_device_id id_table [] = {
-+      { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */
-       { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */
-       { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
-       { USB_DEVICE(0x0745, 0x1000) }, /* CipherLab USB CCD Barcode Scanner 1000 */
diff --git a/queue-2.6.33/usb-cp210x-add-wago-750-923-service-cable-device-id.patch b/queue-2.6.33/usb-cp210x-add-wago-750-923-service-cable-device-id.patch
deleted file mode 100644 (file)
index c42c295..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-From 93ad03d60b5b18897030038234aa2ebae8234748 Mon Sep 17 00:00:00 2001
-From: Anders Larsen <al@alarsen.net>
-Date: Wed, 6 Oct 2010 23:46:25 +0200
-Subject: USB: cp210x: Add WAGO 750-923 Service Cable device ID
-
-From: Anders Larsen <al@alarsen.net>
-
-commit 93ad03d60b5b18897030038234aa2ebae8234748 upstream.
-
-The WAGO 750-923 USB Service Cable is used for configuration and firmware
-updates of several industrial automation products from WAGO Kontakttechnik GmbH.
-
-Bus 004 Device 002: ID 1be3:07a6
-Device Descriptor:
-  bLength                18
-  bDescriptorType         1
-  bcdUSB               1.10
-  bDeviceClass            0 (Defined at Interface level)
-  bDeviceSubClass         0
-  bDeviceProtocol         0
-  bMaxPacketSize0        64
-  idVendor           0x1be3
-  idProduct          0x07a6
-  bcdDevice            1.00
-  iManufacturer           1 Silicon Labs
-  iProduct                2 WAGO USB Service Cable
-  iSerial                 3 1277796751
-  . . .
-
-Signed-off-by: Anders Larsen <al@alarsen.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/cp210x.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/serial/cp210x.c
-+++ b/drivers/usb/serial/cp210x.c
-@@ -128,6 +128,7 @@ static struct usb_device_id id_table []
-       { USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */
-       { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
-       { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
-+      { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
-       { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
-       { } /* Terminating Entry */
- };
diff --git a/queue-2.6.33/usb-disable-endpoints-after-unbinding-interfaces-not-before.patch b/queue-2.6.33/usb-disable-endpoints-after-unbinding-interfaces-not-before.patch
deleted file mode 100644 (file)
index a679c61..0000000
+++ /dev/null
@@ -1,69 +0,0 @@
-From 80f0cf3947889014d3a3dc0ad60fb87cfda4b12a Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Thu, 30 Sep 2010 15:16:23 -0400
-Subject: USB: disable endpoints after unbinding interfaces, not before
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-commit 80f0cf3947889014d3a3dc0ad60fb87cfda4b12a upstream.
-
-This patch (as1430) fixes a bug in usbcore.  When a device
-configuration change occurs or a device is removed, the endpoints for
-the old config should be completely disabled.  However it turns out
-they aren't; this is because usb_unbind_interface() calls
-usb_enable_interface() or usb_set_interface() to put interfaces back
-in altsetting 0, which re-enables the interfaces' endpoints.
-
-As a result, when a device goes through a config change or is
-unconfigured, the ep_in[] and ep_out[] arrays may be left holding old
-pointers to usb_host_endpoint structures.  If the device is
-deauthorized these structures get freed, and the stale pointers cause
-errors when the the device is eventually unplugged.
-
-The solution is to disable the endpoints after unbinding the
-interfaces instead of before.  This isn't as large a change as it
-sounds, since usb_unbind_interface() disables all the interface's
-endpoints anyway before calling the driver's disconnect routine,
-unless the driver claims to support "soft" unbind.
-
-This fixes Bugzilla #19192.  Thanks to "Tom" Lei Ming for diagnosing
-the underlying cause of the problem.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Tested-by: Carsten Sommer <carsten_sommer@ymail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/core/message.c |   14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
---- a/drivers/usb/core/message.c
-+++ b/drivers/usb/core/message.c
-@@ -1180,13 +1180,6 @@ void usb_disable_device(struct usb_devic
- {
-       int i;
--      dev_dbg(&dev->dev, "%s nuking %s URBs\n", __func__,
--              skip_ep0 ? "non-ep0" : "all");
--      for (i = skip_ep0; i < 16; ++i) {
--              usb_disable_endpoint(dev, i, true);
--              usb_disable_endpoint(dev, i + USB_DIR_IN, true);
--      }
--
-       /* getting rid of interfaces will disconnect
-        * any drivers bound to them (a key side effect)
-        */
-@@ -1216,6 +1209,13 @@ void usb_disable_device(struct usb_devic
-               if (dev->state == USB_STATE_CONFIGURED)
-                       usb_set_device_state(dev, USB_STATE_ADDRESS);
-       }
-+
-+      dev_dbg(&dev->dev, "%s nuking %s URBs\n", __func__,
-+              skip_ep0 ? "non-ep0" : "all");
-+      for (i = skip_ep0; i < 16; ++i) {
-+              usb_disable_endpoint(dev, i, true);
-+              usb_disable_endpoint(dev, i + USB_DIR_IN, true);
-+      }
- }
- /**
diff --git a/queue-2.6.33/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch b/queue-2.6.33/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
deleted file mode 100644 (file)
index 88cef48..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-From 02e2c51ba3e80acde600721ea784c3ef84da5ea1 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 16 Nov 2010 10:57:37 -0500
-Subject: USB: EHCI: fix obscure race in ehci_endpoint_disable
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
-
-This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
-When an async URB is unlinked, the corresponding QH is removed from
-the async list.  If the QH's endpoint is then disabled while the URB
-is being given back, ehci_endpoint_disable() won't find the QH on the
-async list, causing it to believe that the QH has been lost.  This
-will lead to a memory leak at best and quite possibly to an oops.
-
-The solution is to trust usbcore not to lose track of endpoints.  If
-the QH isn't on the async list then it doesn't need to be taken off
-the list, but the driver should still wait for the QH to become IDLE
-before disabling it.
-
-In theory this fixes Bugzilla #20182.  In fact the race is so rare
-that it's not possible to tell whether the bug is still present.
-However, adding delays and making other changes to force the race
-seems to show that the patch works.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-CC: David Brownell <david-b@pacbell.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/host/ehci-hcd.c |   10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/drivers/usb/host/ehci-hcd.c
-+++ b/drivers/usb/host/ehci-hcd.c
-@@ -1010,10 +1010,11 @@ rescan:
-                               tmp && tmp != qh;
-                               tmp = tmp->qh_next.qh)
-                       continue;
--              /* periodic qh self-unlinks on empty */
--              if (!tmp)
--                      goto nogood;
--              unlink_async (ehci, qh);
-+              /* periodic qh self-unlinks on empty, and a COMPLETING qh
-+               * may already be unlinked.
-+               */
-+              if (tmp)
-+                      unlink_async(ehci, qh);
-               /* FALL THROUGH */
-       case QH_STATE_UNLINK:           /* wait for hw to finish? */
-       case QH_STATE_UNLINK_WAIT:
-@@ -1030,7 +1031,6 @@ idle_timeout:
-               }
-               /* else FALL THROUGH */
-       default:
--nogood:
-               /* caller was supposed to have unlinked any requests;
-                * that's not our job.  just leak this memory.
-                */
diff --git a/queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch b/queue-2.6.33/usb-fix-bug-in-initialization-of-interface-minor-numbers.patch
deleted file mode 100644 (file)
index f3e294d..0000000
+++ /dev/null
@@ -1,118 +0,0 @@
-From 0026e00523a85b90a92a93ddf6660939ecef3e54 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 21 Sep 2010 15:01:53 -0400
-Subject: USB: fix bug in initialization of interface minor numbers
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-commit 0026e00523a85b90a92a93ddf6660939ecef3e54 upstream.
-
-Recent changes in the usbhid layer exposed a bug in usbcore.  If
-CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
-a minor number of 0.  However interfaces that aren't registered as USB
-class devices also have their minor number set to 0, during
-initialization.  As a result usb_find_interface() may return the
-wrong interface, leading to a crash.
-
-This patch (as1418) fixes the problem by initializing every
-interface's minor number to -1.  It also cleans up the
-usb_register_dev() function, which besides being somewhat awkwardly
-written, does not unwind completely on all its error paths.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Tested-by: Philip J. Turmel <philip@turmel.org>
-Tested-by: Gabriel Craciunescu <nix.or.die@googlemail.com>
-Tested-by: Alex Riesen <raa.lkml@gmail.com>
-Tested-by: Matthias Bayer <jackdachef@gmail.com>
-CC: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/core/file.c    |   35 ++++++++++++++++-------------------
- drivers/usb/core/message.c |    1 +
- 2 files changed, 17 insertions(+), 19 deletions(-)
-
---- a/drivers/usb/core/file.c
-+++ b/drivers/usb/core/file.c
-@@ -160,9 +160,9 @@ void usb_major_cleanup(void)
- int usb_register_dev(struct usb_interface *intf,
-                    struct usb_class_driver *class_driver)
- {
--      int retval = -EINVAL;
-+      int retval;
-       int minor_base = class_driver->minor_base;
--      int minor = 0;
-+      int minor;
-       char name[20];
-       char *temp;
-@@ -174,12 +174,17 @@ int usb_register_dev(struct usb_interfac
-        */
-       minor_base = 0;
- #endif
--      intf->minor = -1;
--
--      dbg ("looking for a minor, starting at %d", minor_base);
-       if (class_driver->fops == NULL)
--              goto exit;
-+              return -EINVAL;
-+      if (intf->minor >= 0)
-+              return -EADDRINUSE;
-+
-+      retval = init_usb_class();
-+      if (retval)
-+              return retval;
-+
-+      dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base);
-       down_write(&minor_rwsem);
-       for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) {
-@@ -187,20 +192,12 @@ int usb_register_dev(struct usb_interfac
-                       continue;
-               usb_minors[minor] = class_driver->fops;
--
--              retval = 0;
-+              intf->minor = minor;
-               break;
-       }
-       up_write(&minor_rwsem);
--
--      if (retval)
--              goto exit;
--
--      retval = init_usb_class();
--      if (retval)
--              goto exit;
--
--      intf->minor = minor;
-+      if (intf->minor < 0)
-+              return -EXFULL;
-       /* create a usb class device for this usb interface */
-       snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
-@@ -214,11 +211,11 @@ int usb_register_dev(struct usb_interfac
-                                     "%s", temp);
-       if (IS_ERR(intf->usb_dev)) {
-               down_write(&minor_rwsem);
--              usb_minors[intf->minor] = NULL;
-+              usb_minors[minor] = NULL;
-+              intf->minor = -1;
-               up_write(&minor_rwsem);
-               retval = PTR_ERR(intf->usb_dev);
-       }
--exit:
-       return retval;
- }
- EXPORT_SYMBOL_GPL(usb_register_dev);
---- a/drivers/usb/core/message.c
-+++ b/drivers/usb/core/message.c
-@@ -1842,6 +1842,7 @@ free_interfaces:
-               intf->dev.groups = usb_interface_groups;
-               intf->dev.dma_mask = dev->dev.dma_mask;
-               INIT_WORK(&intf->reset_ws, __usb_queue_reset_device);
-+              intf->minor = -1;
-               device_initialize(&intf->dev);
-               mark_quiesced(intf);
-               dev_set_name(&intf->dev, "%d-%s:%d.%d",
diff --git a/queue-2.6.33/usb-ftdi_sio-add-id-for-rt-systems-usb-29b-radio-cable.patch b/queue-2.6.33/usb-ftdi_sio-add-id-for-rt-systems-usb-29b-radio-cable.patch
deleted file mode 100644 (file)
index 420a532..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From 28942bb6a9dd4e2ed793675e515cfb8297ed355b Mon Sep 17 00:00:00 2001
-From: Michael Stuermer <ms@mallorn.de>
-Date: Thu, 18 Nov 2010 00:45:43 +0100
-Subject: USB: ftdi_sio: Add ID for RT Systems USB-29B radio cable
-
-From: Michael Stuermer <ms@mallorn.de>
-
-commit 28942bb6a9dd4e2ed793675e515cfb8297ed355b upstream.
-
-Another variant of the RT Systems programming cable for ham radios.
-
-Signed-off-by: Michael Stuermer <ms@mallorn.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/ftdi_sio.c     |    1 +
- drivers/usb/serial/ftdi_sio_ids.h |    1 +
- 2 files changed, 2 insertions(+)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -698,6 +698,7 @@ static struct usb_device_id id_table_com
-               .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
-       { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
-       { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_SERIAL_VX7_PID) },
-+      { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_CT29B_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_MAXSTREAM_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_PHI_FISCO_PID) },
-       { USB_DEVICE(TML_VID, TML_USB_SERIAL_PID) },
---- a/drivers/usb/serial/ftdi_sio_ids.h
-+++ b/drivers/usb/serial/ftdi_sio_ids.h
-@@ -708,6 +708,7 @@
-  */
- #define RTSYSTEMS_VID                 0x2100  /* Vendor ID */
- #define RTSYSTEMS_SERIAL_VX7_PID      0x9e52  /* Serial converter for VX-7 Radios using FT232RL */
-+#define RTSYSTEMS_CT29B_PID           0x9e54  /* CT29B Radio Cable */
- /*
-  * Bayer Ascensia Contour blood glucose meter USB-converter cable.
diff --git a/queue-2.6.33/usb-ftdi_sio-new-vid-pids-for-various-papouch-devices.patch b/queue-2.6.33/usb-ftdi_sio-new-vid-pids-for-various-papouch-devices.patch
deleted file mode 100644 (file)
index 281a106..0000000
+++ /dev/null
@@ -1,109 +0,0 @@
-From 59c6ccd9f9aecfa59c99ceba6d4d34b180547a05 Mon Sep 17 00:00:00 2001
-From: Daniel Suchy <danny@danysek.cz>
-Date: Tue, 12 Oct 2010 15:44:24 +0200
-Subject: USB: ftdi_sio: new VID/PIDs for various Papouch devices
-
-From: Daniel Suchy <danny@danysek.cz>
-
-commit 59c6ccd9f9aecfa59c99ceba6d4d34b180547a05 upstream.
-
-This patch for FTDI USB serial driver ads new VID/PIDs used on various
-devices manufactured by Papouch (http://www.papouch.com). These devices
-have their own VID/PID, although they're using standard FTDI chip. In
-ftdi_sio.c, I also made small cleanup to have declarations for all
-Papouch devices together.
-
-Signed-off-by: Daniel Suchy <danny@danysek.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/ftdi_sio.c     |   30 +++++++++++++++++++++++++++++-
- drivers/usb/serial/ftdi_sio_ids.h |   27 ++++++++++++++++++++++++++-
- 2 files changed, 55 insertions(+), 2 deletions(-)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -677,7 +677,6 @@ static struct usb_device_id id_table_com
-       { USB_DEVICE(FTDI_VID, FTDI_RRCIRKITS_LOCOBUFFER_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_ASK_RDR400_PID) },
-       { USB_DEVICE(ICOM_ID1_VID, ICOM_ID1_PID) },
--      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_TMU_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_ACG_HFDUAL_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_YEI_SERVOCENTER31_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_THORLABS_PID) },
-@@ -718,8 +717,37 @@ static struct usb_device_id id_table_com
-               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
-       { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) },
-       { USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) },
-+
-+      /* Papouch devices based on FTDI chip */
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB485_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_AP485_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB422_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB485_2_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_AP485_2_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB422_2_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB485S_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB485C_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_LEC_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SB232_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_TMU_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_IRAMP_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_DRAK5_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO8x8_PID) },
-       { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO4x4_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO2x2_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO10x1_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO30x3_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO60x3_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO2x16_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_QUIDO3x32_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_DRAK6_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_UPSUSB_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_MU_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_SIMUKEY_PID) },
-       { USB_DEVICE(PAPOUCH_VID, PAPOUCH_AD4USB_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_GMUX_PID) },
-+      { USB_DEVICE(PAPOUCH_VID, PAPOUCH_GMSR_PID) },
-+
-       { USB_DEVICE(FTDI_VID, FTDI_DOMINTELL_DGQG_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_DOMINTELL_DUSB_PID) },
-       { USB_DEVICE(ALTI2_VID, ALTI2_N3_PID) },
---- a/drivers/usb/serial/ftdi_sio_ids.h
-+++ b/drivers/usb/serial/ftdi_sio_ids.h
-@@ -1004,9 +1004,34 @@
-  */
- #define PAPOUCH_VID                   0x5050  /* Vendor ID */
-+#define PAPOUCH_SB485_PID             0x0100  /* Papouch SB485 USB-485/422 Converter */
-+#define PAPOUCH_AP485_PID             0x0101  /* AP485 USB-RS485 Converter */
-+#define PAPOUCH_SB422_PID             0x0102  /* Papouch SB422 USB-RS422 Converter  */
-+#define PAPOUCH_SB485_2_PID           0x0103  /* Papouch SB485 USB-485/422 Converter */
-+#define PAPOUCH_AP485_2_PID           0x0104  /* AP485 USB-RS485 Converter */
-+#define PAPOUCH_SB422_2_PID           0x0105  /* Papouch SB422 USB-RS422 Converter  */
-+#define PAPOUCH_SB485S_PID            0x0106  /* Papouch SB485S USB-485/422 Converter */
-+#define PAPOUCH_SB485C_PID            0x0107  /* Papouch SB485C USB-485/422 Converter */
-+#define PAPOUCH_LEC_PID                       0x0300  /* LEC USB Converter */
-+#define PAPOUCH_SB232_PID             0x0301  /* Papouch SB232 USB-RS232 Converter */
- #define PAPOUCH_TMU_PID                       0x0400  /* TMU USB Thermometer */
--#define PAPOUCH_QUIDO4x4_PID          0x0900  /* Quido 4/4 Module */
-+#define PAPOUCH_IRAMP_PID             0x0500  /* Papouch IRAmp Duplex */
-+#define PAPOUCH_DRAK5_PID             0x0700  /* Papouch DRAK5 */
-+#define PAPOUCH_QUIDO8x8_PID          0x0800  /* Papouch Quido 8/8 Module */
-+#define PAPOUCH_QUIDO4x4_PID          0x0900  /* Papouch Quido 4/4 Module */
-+#define PAPOUCH_QUIDO2x2_PID          0x0a00  /* Papouch Quido 2/2 Module */
-+#define PAPOUCH_QUIDO10x1_PID         0x0b00  /* Papouch Quido 10/1 Module */
-+#define PAPOUCH_QUIDO30x3_PID         0x0c00  /* Papouch Quido 30/3 Module */
-+#define PAPOUCH_QUIDO60x3_PID         0x0d00  /* Papouch Quido 60(100)/3 Module */
-+#define PAPOUCH_QUIDO2x16_PID         0x0e00  /* Papouch Quido 2/16 Module */
-+#define PAPOUCH_QUIDO3x32_PID         0x0f00  /* Papouch Quido 3/32 Module */
-+#define PAPOUCH_DRAK6_PID             0x1000  /* Papouch DRAK6 */
-+#define PAPOUCH_UPSUSB_PID            0x8000  /* Papouch UPS-USB adapter */
-+#define PAPOUCH_MU_PID                        0x8001  /* MU controller */
-+#define PAPOUCH_SIMUKEY_PID           0x8002  /* Papouch SimuKey */
- #define PAPOUCH_AD4USB_PID            0x8003  /* AD4USB Measurement Module */
-+#define PAPOUCH_GMUX_PID              0x8004  /* Papouch GOLIATH MUX */
-+#define PAPOUCH_GMSR_PID              0x8005  /* Papouch GOLIATH MSR */
- /*
-  * Marvell SheevaPlug
diff --git a/queue-2.6.33/usb-ftdi_sio-revert-usb-ftdi_sio-fix-dtr-rts-line-modes.patch b/queue-2.6.33/usb-ftdi_sio-revert-usb-ftdi_sio-fix-dtr-rts-line-modes.patch
deleted file mode 100644 (file)
index 3923ad2..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From 677aeafe19e88c282af74564048243ccabb1c590 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <jhovold@gmail.com>
-Date: Sun, 12 Sep 2010 16:31:45 +0200
-Subject: USB: ftdi_sio: revert "USB: ftdi_sio: fix DTR/RTS line modes"
-
-From: Johan Hovold <jhovold@gmail.com>
-
-commit 677aeafe19e88c282af74564048243ccabb1c590 upstream.
-
-This reverts commit 6a1a82df91fa0eb1cc76069a9efe5714d087eccd.
-
-RTS and DTR should not be modified based on CRTSCTS when calling
-set_termios.
-
-Modem control lines are raised at port open by the tty layer and should stay
-raised regardless of whether hardware flow control is enabled or not.
-
-This is in conformance with the way serial ports work today and many
-applications depend on this behaviour to be able to talk to hardware
-implementing hardware flow control (without the applications actually using
-it).
-
-Hardware which expects different behaviour on these lines can always
-use TIOCMSET/TIOCMBI[SC] after port open to change them.
-
-Reported-by: Daniel Mack <daniel@caiaq.de>
-Reported-by: Dave Mielke <dave@mielke.cc>
-Signed-off-by: Johan Hovold <jhovold@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/ftdi_sio.c |    4 ----
- 1 file changed, 4 deletions(-)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -2350,8 +2350,6 @@ static void ftdi_set_termios(struct tty_
-                               "urb failed to set to rts/cts flow control\n");
-               }
--              /* raise DTR/RTS */
--              set_mctrl(port, TIOCM_DTR | TIOCM_RTS);
-       } else {
-               /*
-                * Xon/Xoff code
-@@ -2399,8 +2397,6 @@ static void ftdi_set_termios(struct tty_
-                       }
-               }
--              /* lower DTR/RTS */
--              clear_mctrl(port, TIOCM_DTR | TIOCM_RTS);
-       }
-       return;
- }
diff --git a/queue-2.6.33/usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/usb-misc-cypress_cy7c63-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index ffd0e72..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From c990600d340641150f7270470a64bd99a5c0b225 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Mon, 15 Nov 2010 11:32:38 -0800
-Subject: USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit c990600d340641150f7270470a64bd99a5c0b225 upstream.
-
-They should not be writable by any user.
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Oliver Bock <bock@tfh-berlin.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/misc/cypress_cy7c63.c |    6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
---- a/drivers/usb/misc/cypress_cy7c63.c
-+++ b/drivers/usb/misc/cypress_cy7c63.c
-@@ -195,11 +195,9 @@ static ssize_t get_port1_handler(struct
-       return read_port(dev, attr, buf, 1, CYPRESS_READ_PORT_ID1);
- }
--static DEVICE_ATTR(port0, S_IWUGO | S_IRUGO,
--                 get_port0_handler, set_port0_handler);
-+static DEVICE_ATTR(port0, S_IRUGO | S_IWUSR, get_port0_handler, set_port0_handler);
--static DEVICE_ATTR(port1, S_IWUGO | S_IRUGO,
--                 get_port1_handler, set_port1_handler);
-+static DEVICE_ATTR(port1, S_IRUGO | S_IWUSR, get_port1_handler, set_port1_handler);
- static int cypress_probe(struct usb_interface *interface,
diff --git a/queue-2.6.33/usb-misc-iowarrior-fix-information-leak-to-userland.patch b/queue-2.6.33/usb-misc-iowarrior-fix-information-leak-to-userland.patch
deleted file mode 100644 (file)
index 2991f99..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
-From: Vasiliy Kulikov <segooon@gmail.com>
-Date: Sat, 6 Nov 2010 17:41:31 +0300
-Subject: usb: misc: iowarrior: fix information leak to userland
-
-From: Vasiliy Kulikov <segooon@gmail.com>
-
-commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
-
-Structure iowarrior_info is copied to userland with padding byted
-between "serial" and "revision" fields uninitialized.  It leads to
-leaking of contents of kernel stack memory.
-
-Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
-Acked-by: Kees Cook <kees.cook@canonical.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/misc/iowarrior.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/misc/iowarrior.c
-+++ b/drivers/usb/misc/iowarrior.c
-@@ -552,6 +552,7 @@ static long iowarrior_ioctl(struct file
-                       /* needed for power consumption */
-                       struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
-+                      memset(&info, 0, sizeof(info));
-                       /* directly from the descriptor */
-                       info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
-                       info.product = dev->product_id;
diff --git a/queue-2.6.33/usb-misc-sisusbvga-fix-information-leak-to-userland.patch b/queue-2.6.33/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
deleted file mode 100644 (file)
index 8749211..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
-From: Vasiliy Kulikov <segooon@gmail.com>
-Date: Sat, 6 Nov 2010 17:41:35 +0300
-Subject: usb: misc: sisusbvga: fix information leak to userland
-
-From: Vasiliy Kulikov <segooon@gmail.com>
-
-commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
-
-Structure sisusb_info is copied to userland with "sisusb_reserved" field
-uninitialized.  It leads to leaking of contents of kernel stack memory.
-
-Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/misc/sisusbvga/sisusb.c |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/misc/sisusbvga/sisusb.c
-+++ b/drivers/usb/misc/sisusbvga/sisusb.c
-@@ -3008,6 +3008,7 @@ sisusb_ioctl(struct file *file, unsigned
- #else
-                       x.sisusb_conactive  = 0;
- #endif
-+                      memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
-                       if (copy_to_user((void __user *)arg, &x, sizeof(x)))
-                               retval = -EFAULT;
diff --git a/queue-2.6.33/usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch b/queue-2.6.33/usb-misc-trancevibrator-fix-up-a-sysfs-attribute-permission.patch
deleted file mode 100644 (file)
index cb71604..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-From d489a4b3926bad571d404ca6508f6744b9602776 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Mon, 15 Nov 2010 11:34:26 -0800
-Subject: USB: misc: trancevibrator: fix up a sysfs attribute permission
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit d489a4b3926bad571d404ca6508f6744b9602776 upstream.
-
-It should not be writable by any user.
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Sam Hocevar <sam@zoy.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/misc/trancevibrator.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/misc/trancevibrator.c
-+++ b/drivers/usb/misc/trancevibrator.c
-@@ -85,7 +85,7 @@ static ssize_t set_speed(struct device *
-       return count;
- }
--static DEVICE_ATTR(speed, S_IWUGO | S_IRUGO, show_speed, set_speed);
-+static DEVICE_ATTR(speed, S_IRUGO | S_IWUSR, show_speed, set_speed);
- static int tv_probe(struct usb_interface *interface,
-                   const struct usb_device_id *id)
diff --git a/queue-2.6.33/usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/usb-misc-usbled-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index 71be625..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-From 48f115470e68d443436b76b22dad63ffbffd6b97 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Mon, 15 Nov 2010 11:35:49 -0800
-Subject: USB: misc: usbled: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream.
-
-They should not be writable by any user.
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/misc/usbled.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/misc/usbled.c
-+++ b/drivers/usb/misc/usbled.c
-@@ -94,7 +94,7 @@ static ssize_t set_##value(struct device
-       change_color(led);                                              \
-       return count;                                                   \
- }                                                                     \
--static DEVICE_ATTR(value, S_IWUGO | S_IRUGO, show_##value, set_##value);
-+static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, show_##value, set_##value);
- show_set(blue);
- show_set(red);
- show_set(green);
diff --git a/queue-2.6.33/usb-misc-usbsevseg-fix-up-some-sysfs-attribute-permissions.patch b/queue-2.6.33/usb-misc-usbsevseg-fix-up-some-sysfs-attribute-permissions.patch
deleted file mode 100644 (file)
index 49c32b3..0000000
+++ /dev/null
@@ -1,59 +0,0 @@
-From e24d7ace4e822debcb78386bf279c9aba4d7fbd1 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Mon, 15 Nov 2010 11:36:44 -0800
-Subject: USB: misc: usbsevseg: fix up some sysfs attribute permissions
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit e24d7ace4e822debcb78386bf279c9aba4d7fbd1 upstream.
-
-They should not be writable by any user.
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Harrison Metzger <harrisonmetz@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/misc/usbsevseg.c |   10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
---- a/drivers/usb/misc/usbsevseg.c
-+++ b/drivers/usb/misc/usbsevseg.c
-@@ -185,7 +185,7 @@ static ssize_t set_attr_##name(struct de
-                                                               \
-       return count;                                           \
- }                                                             \
--static DEVICE_ATTR(name, S_IWUGO | S_IRUGO, show_attr_##name, set_attr_##name);
-+static DEVICE_ATTR(name, S_IRUGO | S_IWUSR, show_attr_##name, set_attr_##name);
- static ssize_t show_attr_text(struct device *dev,
-       struct device_attribute *attr, char *buf)
-@@ -216,7 +216,7 @@ static ssize_t set_attr_text(struct devi
-       return count;
- }
--static DEVICE_ATTR(text, S_IWUGO | S_IRUGO, show_attr_text, set_attr_text);
-+static DEVICE_ATTR(text, S_IRUGO | S_IWUSR, show_attr_text, set_attr_text);
- static ssize_t show_attr_decimals(struct device *dev,
-       struct device_attribute *attr, char *buf)
-@@ -265,8 +265,7 @@ static ssize_t set_attr_decimals(struct
-       return count;
- }
--static DEVICE_ATTR(decimals, S_IWUGO | S_IRUGO,
--      show_attr_decimals, set_attr_decimals);
-+static DEVICE_ATTR(decimals, S_IRUGO | S_IWUSR, show_attr_decimals, set_attr_decimals);
- static ssize_t show_attr_textmode(struct device *dev,
-       struct device_attribute *attr, char *buf)
-@@ -312,8 +311,7 @@ static ssize_t set_attr_textmode(struct
-       return -EINVAL;
- }
--static DEVICE_ATTR(textmode, S_IWUGO | S_IRUGO,
--      show_attr_textmode, set_attr_textmode);
-+static DEVICE_ATTR(textmode, S_IRUGO | S_IWUSR, show_attr_textmode, set_attr_textmode);
- MYDEV_ATTR_SIMPLE_UNSIGNED(powered, update_display_powered);
diff --git a/queue-2.6.33/usb-musb-blackfin-call-gpio_free-on-error-path-in-musb_platform_init.patch b/queue-2.6.33/usb-musb-blackfin-call-gpio_free-on-error-path-in-musb_platform_init.patch
deleted file mode 100644 (file)
index aca6451..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 00be545e49d83485d49a598d3b7e090088934be8 Mon Sep 17 00:00:00 2001
-From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
-Date: Wed, 29 Sep 2010 09:54:31 +0300
-Subject: usb: musb: blackfin: call gpio_free() on error path in musb_platform_init()
-
-From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
-
-commit 00be545e49d83485d49a598d3b7e090088934be8 upstream.
-
-Blackfin's musb_platform_init() needs to call gpio_free() for error cleanup iff
-otg_get_transceiver() call returns NULL.
-
-Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
-Acked-by: Mike Frysinger <vapier@gentoo.org>
-Signed-off-by: Felipe Balbi <balbi@ti.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/musb/blackfin.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/musb/blackfin.c
-+++ b/drivers/usb/musb/blackfin.c
-@@ -298,8 +298,10 @@ int __init musb_platform_init(struct mus
-       usb_nop_xceiv_register();
-       musb->xceiv = otg_get_transceiver();
--      if (!musb->xceiv)
-+      if (!musb->xceiv) {
-+              gpio_free(musb->config->gpio_vrsel);
-               return -ENODEV;
-+      }
-       if (ANOMALY_05000346) {
-               bfin_write_USB_APHY_CALIB(ANOMALY_05000346_value);
diff --git a/queue-2.6.33/usb-opticon-fix-long-standing-bugs-in-opticon-driver.patch b/queue-2.6.33/usb-opticon-fix-long-standing-bugs-in-opticon-driver.patch
deleted file mode 100644 (file)
index 7eb4e4d..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From 97cd8dc4ca9a1a5efb2cc38758e01492e3b013e2 Mon Sep 17 00:00:00 2001
-From: Alon Ziv <alon+git@nolaviz.org>
-Date: Sun, 10 Oct 2010 08:32:18 +0200
-Subject: USB: opticon: Fix long-standing bugs in opticon driver
-
-From: Alon Ziv <alon+git@nolaviz.org>
-
-commit 97cd8dc4ca9a1a5efb2cc38758e01492e3b013e2 upstream.
-
-The bulk-read callback had two bugs:
-a) The bulk-in packet's leading two zeros were returned (and the two last
-   bytes truncated)
-b) The wrong URB was transmitted for the second (and later) read requests,
-   causing further reads to return the entire packet (including leading
-   zeros)
-
-Signed-off-by: Alon Ziv <alon-git@nolaviz.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/opticon.c |    6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/serial/opticon.c
-+++ b/drivers/usb/serial/opticon.c
-@@ -99,8 +99,8 @@ static void opticon_bulk_callback(struct
-                               available_room = tty_buffer_request_room(tty,
-                                                               data_length);
-                               if (available_room) {
--                                      tty_insert_flip_string(tty, data,
--                                                             available_room);
-+                                      tty_insert_flip_string(tty, data + 2,
-+                                                             data_length);
-                                       tty_flip_buffer_push(tty);
-                               }
-                               tty_kref_put(tty);
-@@ -134,7 +134,7 @@ exit:
-                                                 priv->bulk_address),
-                                 priv->bulk_in_buffer, priv->buffer_size,
-                                 opticon_bulk_callback, priv);
--              result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
-+              result = usb_submit_urb(priv->bulk_read_urb, GFP_ATOMIC);
-               if (result)
-                       dev_err(&port->dev,
-                           "%s - failed resubmitting read urb, error %d\n",
diff --git a/queue-2.6.33/usb-option-add-more-zte-modem-usb-id-s.patch b/queue-2.6.33/usb-option-add-more-zte-modem-usb-id-s.patch
deleted file mode 100644 (file)
index 93192ba..0000000
+++ /dev/null
@@ -1,104 +0,0 @@
-From ecfa153ef616b901e86d9a051b329fcda7a6ce7b Mon Sep 17 00:00:00 2001
-From: Mauro Carvalho Chehab <mchehab@redhat.com>
-Date: Sun, 12 Sep 2010 11:41:50 -0300
-Subject: USB: option: Add more ZTE modem USB id's
-
-From: Mauro Carvalho Chehab <mchehab@redhat.com>
-
-commit ecfa153ef616b901e86d9a051b329fcda7a6ce7b upstream.
-
-There are lots of ZTE USB id's currently not covered by usb/serial. Adds them,
-to allow those devices to work properly on Linux.
-
-While here, put the USB ID's for 0x2002/0x2003 at the sorted order.
-
-This patch is based on zte.c file found on MF645.
-
-PS.: The ZTE driver is commenting the USB ID for 0x0053. It also adds, commented,
-an USB ID for 0x0026.
-
-Not sure why, but I think that 0053 is used by their devices in storage mode only.
-So, I opted to keep the comment on this patch.
-
-Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/option.c |   23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/serial/option.c
-+++ b/drivers/usb/serial/option.c
-@@ -572,6 +572,7 @@ static struct usb_device_id option_ids[]
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0011, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0012, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0013, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0014, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF628, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0016, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0017, 0xff, 0xff, 0xff) },
-@@ -583,38 +584,52 @@ static struct usb_device_id option_ids[]
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0023, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0024, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0025, 0xff, 0xff, 0xff) },
--      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0026, 0xff, 0xff, 0xff) },
-+      /* { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0026, 0xff, 0xff, 0xff) }, */
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0028, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0029, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0030, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF626, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0032, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0033, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0034, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0037, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0038, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0039, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0040, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0042, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0043, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0044, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0048, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0049, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0050, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0051, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0052, 0xff, 0xff, 0xff) },
-+      /* { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0053, 0xff, 0xff, 0xff) }, */
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0054, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0055, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0056, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0057, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0058, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0059, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0061, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0062, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0063, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0064, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0065, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0066, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0067, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0069, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0070, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0076, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0077, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0078, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0079, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0082, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0083, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0086, 0xff, 0xff, 0xff) },
--      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, 0xff, 0xff) },
--      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0087, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0104, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0105, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0106, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0108, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0113, 0xff, 0xff, 0xff) },
-@@ -830,6 +845,8 @@ static struct usb_device_id option_ids[]
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0073, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0130, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0141, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, 0xff, 0xff) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_CDMA_TECH, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC8710, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC2726, 0xff, 0xff, 0xff) },
diff --git a/queue-2.6.33/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch b/queue-2.6.33/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
deleted file mode 100644 (file)
index 7c9fdda..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From 58c0d9d70109bd7e82bdb9517007311a48499960 Mon Sep 17 00:00:00 2001
-From: ma rui <m00150988@huawei.com>
-Date: Mon, 1 Nov 2010 11:32:18 +0800
-Subject: USB: option: fix when the driver is loaded incorrectly for some Huawei devices.
-
-From: ma rui <m00150988@huawei.com>
-
-commit 58c0d9d70109bd7e82bdb9517007311a48499960 upstream.
-
-When huawei datacard with PID 0x14AC is insterted into Linux system, the
-present kernel will load the "option" driver to all the interfaces. But
-actually, some interfaces run as other function and do not need "option"
-driver.
-
-In this path, we modify the id_tables, when the PID is 0x14ac ,VID is
-0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is
-0xff, it does need "option" driver.
-
-Signed-off-by: ma rui <m00150988@huawei.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/option.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/serial/option.c
-+++ b/drivers/usb/serial/option.c
-@@ -469,7 +469,7 @@ static struct usb_device_id option_ids[]
-       { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143D, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143E, 0xff, 0xff, 0xff) },
-       { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143F, 0xff, 0xff, 0xff) },
--      { USB_DEVICE(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC) },
-+      { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC, 0xff, 0xff, 0xff) },
-       { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_9508) },
-       { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) }, /* Novatel Merlin V640/XV620 */
-       { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) }, /* Novatel Merlin V620/S620 */
diff --git a/queue-2.6.33/usb-serial-ftdi_sio-vardaan-usb-rs422-485-converter-pid-added.patch b/queue-2.6.33/usb-serial-ftdi_sio-vardaan-usb-rs422-485-converter-pid-added.patch
deleted file mode 100644 (file)
index 304c4c8..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From 6fdbad8021151a9e93af8159a6232c8f26415c09 Mon Sep 17 00:00:00 2001
-From: Jacques Viviers <jacques.viviers@gmail.com>
-Date: Wed, 24 Nov 2010 11:56:38 +0200
-Subject: USB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added
-
-From: Jacques Viviers <jacques.viviers@gmail.com>
-
-commit 6fdbad8021151a9e93af8159a6232c8f26415c09 upstream.
-
-Add the PID for the Vardaan Enterprises VEUSB422R3 USB to RS422/485
-converter. It uses the same chip as the FTDI_8U232AM_PID 0x6001.
-
-This should also work with the stable branches for:
-2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36
-
-Signed-off-by: Jacques Viviers <jacques.viviers@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/serial/ftdi_sio.c     |    1 +
- drivers/usb/serial/ftdi_sio_ids.h |    3 +++
- 2 files changed, 4 insertions(+)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -202,6 +202,7 @@ static struct usb_device_id id_table_com
-       { USB_DEVICE(FTDI_VID, FTDI_MTXORB_5_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_MTXORB_6_PID) },
-       { USB_DEVICE(FTDI_VID, FTDI_R2000KU_TRUE_RNG) },
-+      { USB_DEVICE(FTDI_VID, FTDI_VARDAAN_PID) },
-       { USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_0100_PID) },
-       { USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_0101_PID) },
-       { USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_0102_PID) },
---- a/drivers/usb/serial/ftdi_sio_ids.h
-+++ b/drivers/usb/serial/ftdi_sio_ids.h
-@@ -118,6 +118,9 @@
- #define XSENS_CONVERTER_6_PID 0xD38E
- #define XSENS_CONVERTER_7_PID 0xD38F
-+/* Vardaan Enterprises Serial Interface VEUSB422R3 */
-+#define FTDI_VARDAAN_PID      0xF070
-+
- /*
-  * NDI (www.ndigital.com) product ids
-  */
diff --git a/queue-2.6.33/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch b/queue-2.6.33/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
deleted file mode 100644 (file)
index 10c221e..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From d9624e75f6ad94d8a0718c1fafa89186d271a78c Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Mon, 15 Nov 2010 11:17:52 -0800
-Subject: USB: storage: sierra_ms: fix sysfs file attribute
-
-From: Greg Kroah-Hartman <gregkh@suse.de>
-
-commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.
-
-A non-writable sysfs file shouldn't have writable attributes.
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Kevin Lloyd <klloyd@sierrawireless.com>
-Cc: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/usb/storage/sierra_ms.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/storage/sierra_ms.c
-+++ b/drivers/usb/storage/sierra_ms.c
-@@ -120,7 +120,7 @@ static ssize_t show_truinst(struct devic
-       }
-       return result;
- }
--static DEVICE_ATTR(truinst, S_IWUGO | S_IRUGO, show_truinst, NULL);
-+static DEVICE_ATTR(truinst, S_IRUGO, show_truinst, NULL);
- int sierra_ms_init(struct us_data *us)
- {
diff --git a/queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch b/queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch
deleted file mode 100644 (file)
index 0b5d8ed..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001
-From: Mauro Carvalho Chehab <mchehab@redhat.com>
-Date: Sat, 11 Sep 2010 11:37:51 -0300
-Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0)
-
-From: Mauro Carvalho Chehab <mchehab@redhat.com>
-
-commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream.
-
-As reported by: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>:
-
-[  220.033500] cx231xx v4l2 driver loaded.
-[  220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces
-[  220.033577] cx231xx #0: registering interface 0
-[  220.033591] cx231xx #0: registering interface 1
-[  220.033654] cx231xx #0: registering interface 6
-[  220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0)
-[  220.033946] BUG: unable to handle kernel NULL pointer dereference at (null)
-[  220.033955] IP: [<ffffffffa0d3c8bd>] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx]
-
-Thanks-to: Carlos Americo Domiciano <c_domiciano@yahoo.com.br>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/media/video/cx231xx/cx231xx-cards.c |   14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
---- a/drivers/media/video/cx231xx/cx231xx-cards.c
-+++ b/drivers/media/video/cx231xx/cx231xx-cards.c
-@@ -225,14 +225,16 @@ void cx231xx_pre_card_setup(struct cx231
-                    dev->board.name, dev->model);
-       /* set the direction for GPIO pins */
--      cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
--      cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
--      cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
-+      if (dev->board.tuner_gpio) {
-+              cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
-+              cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
-+              cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
--      /* request some modules if any required */
-+              /* request some modules if any required */
--      /* reset the Tuner */
--      cx231xx_gpio_set(dev, dev->board.tuner_gpio);
-+              /* reset the Tuner */
-+              cx231xx_gpio_set(dev, dev->board.tuner_gpio);
-+      }
-       /* set the mode to Analog mode initially */
-       cx231xx_set_mode(dev, CX231XX_ANALOG_MODE);
diff --git a/queue-2.6.33/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.33/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
deleted file mode 100644 (file)
index 9d76120..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Wed, 15 Sep 2010 18:44:22 -0300
-Subject: V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream.
-
-The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
-bytes of uninitialized stack memory, because the "reserved" member of
-the fb_vblank struct declared on the stack is not altered or zeroed
-before being copied back to the user.  This patch takes care of it.
-
-Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
-Signed-off-by: Andy Walls <awalls@md.metrocast.net>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/media/video/ivtv/ivtvfb.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/media/video/ivtv/ivtvfb.c
-+++ b/drivers/media/video/ivtv/ivtvfb.c
-@@ -457,6 +457,8 @@ static int ivtvfb_ioctl(struct fb_info *
-                       struct fb_vblank vblank;
-                       u32 trace;
-+                      memset(&vblank, 0, sizeof(struct fb_vblank));
-+
-                       vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
-                                       FB_VBLANK_HAVE_VSYNC;
-                       trace = read_reg(0x028c0) >> 16;
diff --git a/queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch b/queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch
deleted file mode 100644 (file)
index d1e7897..0000000
+++ /dev/null
@@ -1,88 +0,0 @@
-From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Fri, 15 Oct 2010 11:12:38 -0700
-Subject: v4l1: fix 32-bit compat microcode loading translation
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream.
-
-The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
-It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
-staging and eventually removed unless somebody steps up to maintain it
-(at which point it should use request_firmware() rather than some magic
-ioctl).  So we'll get rid of it eventually.
-
-But in the meantime, the compatibility ioctl code is broken, and this
-tries to get it to at least limp along (even if Mauro suggested just
-deleting it entirely, which may be the right thing to do - I don't think
-the compatibility translation code has ever worked unless you were very
-lucky).
-
-Reported-by: Kees Cook <kees.cook@canonical.com>
-Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/media/video/v4l2-compat-ioctl32.c |   32 +++++++++++++++++++-----------
- 1 file changed, 21 insertions(+), 11 deletions(-)
-
---- a/drivers/media/video/v4l2-compat-ioctl32.c
-+++ b/drivers/media/video/v4l2-compat-ioctl32.c
-@@ -193,17 +193,24 @@ static int put_video_window32(struct vid
- struct video_code32 {
-       char            loadwhat[16];   /* name or tag of file being passed */
-       compat_int_t    datasize;
--      unsigned char   *data;
-+      compat_uptr_t   data;
- };
--static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
-+static struct video_code __user *get_microcode32(struct video_code32 *kp)
- {
--      if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
--              copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
--              get_user(kp->datasize, &up->datasize) ||
--              copy_from_user(kp->data, up->data, up->datasize))
--                      return -EFAULT;
--      return 0;
-+      struct video_code __user *up;
-+
-+      up = compat_alloc_user_space(sizeof(*up));
-+
-+      /*
-+       * NOTE! We don't actually care if these fail. If the
-+       * user address is invalid, the native ioctl will do
-+       * the error handling for us
-+       */
-+      (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
-+      (void) put_user(kp->datasize, &up->datasize);
-+      (void) put_user(compat_ptr(kp->data), &up->data);
-+      return up;
- }
- #define VIDIOCGTUNER32                _IOWR('v', 4, struct video_tuner32)
-@@ -741,7 +748,7 @@ static long do_video_ioctl(struct file *
-               struct video_tuner vt;
-               struct video_buffer vb;
-               struct video_window vw;
--              struct video_code vc;
-+              struct video_code32 vc;
-               struct video_audio va;
- #endif
-               struct v4l2_format v2f;
-@@ -820,8 +827,11 @@ static long do_video_ioctl(struct file *
-               break;
-       case VIDIOCSMICROCODE:
--              err = get_microcode32(&karg.vc, up);
--              compatible_arg = 0;
-+              /* Copy the 32-bit "video_code32" to kernel space */
-+              if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
-+                      return -EFAULT;
-+              /* Convert the 32-bit version to a 64-bit version in user space */
-+              up = get_microcode32(&karg.vc);
-               break;
-       case VIDIOCSFREQ:
diff --git a/queue-2.6.33/viafb-use-proper-register-for-colour-when-doing-fill-ops.patch b/queue-2.6.33/viafb-use-proper-register-for-colour-when-doing-fill-ops.patch
deleted file mode 100644 (file)
index aeda7c4..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-From efd4f6398dc92b5bf392670df862f42a19f34cf2 Mon Sep 17 00:00:00 2001
-From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
-Date: Wed, 22 Sep 2010 02:33:52 +0000
-Subject: viafb: use proper register for colour when doing fill ops
-
-From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
-
-commit efd4f6398dc92b5bf392670df862f42a19f34cf2 upstream.
-
-The colour was written to a wrong register for fillrect operations.
-This sometimes caused empty console space (for example after 'clear')
-to have a different colour than desired. Fix this by writing to the
-correct register.
-Many thanks to Daniel Drake and Jon Nettleton for pointing out this
-issue and pointing me in the right direction for the fix.
-
-Fixes http://dev.laptop.org/ticket/9323
-
-Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
-Cc: Joseph Chan <JosephChan@via.com.tw>
-Cc: Daniel Drake <dsd@laptop.org>
-Cc: Jon Nettleton <jon.nettleton@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/video/via/accel.c |    7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/drivers/video/via/accel.c
-+++ b/drivers/video/via/accel.c
-@@ -277,11 +277,12 @@ static int hw_bitblt_2(void __iomem *eng
-               writel(tmp, engine + 0x1C);
-       }
--      if (op != VIA_BITBLT_COLOR)
-+      if (op == VIA_BITBLT_FILL) {
-+              writel(fg_color, engine + 0x58);
-+      } else if (op == VIA_BITBLT_MONO) {
-               writel(fg_color, engine + 0x4C);
--
--      if (op == VIA_BITBLT_MONO)
-               writel(bg_color, engine + 0x50);
-+      }
-       if (op == VIA_BITBLT_FILL)
-               ge_cmd |= fill_rop << 24 | 0x00002000 | 0x00000001;
diff --git a/queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch b/queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch
deleted file mode 100644 (file)
index 67b8260..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Fri, 17 Sep 2010 00:38:25 +0200
-Subject: wext: fix potential private ioctl memory content leak
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.
-
-When a driver doesn't fill the entire buffer, old
-heap contents may remain, and if it also doesn't
-update the length properly, this old heap content
-will be copied back to userspace.
-
-It is very unlikely that this happens in any of
-the drivers using private ioctls since it would
-show up as junk being reported by iwpriv, but it
-seems better to be safe here, so use kzalloc.
-
-Reported-by: Jeff Mahoney <jeffm@suse.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/wireless/wext-priv.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/wireless/wext-priv.c
-+++ b/net/wireless/wext-priv.c
-@@ -151,7 +151,7 @@ static int ioctl_private_iw_point(struct
-       } else if (!iwp->pointer)
-               return -EFAULT;
--      extra = kmalloc(extra_size, GFP_KERNEL);
-+      extra = kzalloc(extra_size, GFP_KERNEL);
-       if (!extra)
-               return -ENOMEM;
diff --git a/queue-2.6.33/wmi-use-memcmp-instead-of-strncmp-to-compare-guids.patch b/queue-2.6.33/wmi-use-memcmp-instead-of-strncmp-to-compare-guids.patch
deleted file mode 100644 (file)
index 36d04ae..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 8b14d7b22c61f17ccb869e0047d9df6dd9f50a9f Mon Sep 17 00:00:00 2001
-From: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
-Date: Sun, 28 Nov 2010 19:46:50 -0200
-Subject: wmi: use memcmp instead of strncmp to compare GUIDs
-
-From: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
-
-commit 8b14d7b22c61f17ccb869e0047d9df6dd9f50a9f upstream.
-
-While looking for the duplicates in /sys/class/wmi/, I couldn't find
-them. The code that looks for duplicates uses strncmp in a binary GUID,
-which may contain zero bytes. The right function is memcmp, which is
-also used in another section of wmi code.
-
-It was finding 49142400-C6A3-40FA-BADB-8A2652834100 as a duplicate of
-39142400-C6A3-40FA-BADB-8A2652834100. Since the first byte is the fourth
-printed, they were found as equal by strncmp.
-
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
-Signed-off-by: Matthew Garrett <mjg@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/platform/x86/wmi.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/platform/x86/wmi.c
-+++ b/drivers/platform/x86/wmi.c
-@@ -724,7 +724,7 @@ static bool guid_already_parsed(const ch
-               wblock = list_entry(p, struct wmi_block, list);
-               gblock = &wblock->gblock;
--              if (strncmp(gblock->guid, guid_string, 16) == 0)
-+              if (memcmp(gblock->guid, guid_string, 16) == 0)
-                       return true;
-       }
-       return false;
diff --git a/queue-2.6.33/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch b/queue-2.6.33/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
deleted file mode 100644 (file)
index f1e931d..0000000
+++ /dev/null
@@ -1,181 +0,0 @@
-From f5eb917b861828da18dc28854308068c66d1449a Mon Sep 17 00:00:00 2001
-From: John Hughes <john@calva.com>
-Date: Wed, 7 Apr 2010 21:29:25 -0700
-Subject: x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
-
-From: John Hughes <john@calva.com>
-
-commit f5eb917b861828da18dc28854308068c66d1449a upstream.
-
-Here is a patch to stop X.25 examining fields beyond the end of the packet.
-
-For example, when a simple CALL ACCEPTED was received:
-
-       10 10 0f
-
-x25_parse_facilities was attempting to decode the FACILITIES field, but this
-packet contains no facilities field.
-
-Signed-off-by: John Hughes <john@calva.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- include/net/x25.h        |    4 ++++
- net/x25/af_x25.c         |   47 ++++++++++++++++++++++++++++++++++++++++++++++-
- net/x25/x25_facilities.c |   12 +++++++++++-
- net/x25/x25_in.c         |   15 +++++++++++----
- 4 files changed, 72 insertions(+), 6 deletions(-)
-
---- a/include/net/x25.h
-+++ b/include/net/x25.h
-@@ -182,6 +182,10 @@ extern int  sysctl_x25_clear_request_tim
- extern int  sysctl_x25_ack_holdback_timeout;
- extern int  sysctl_x25_forward;
-+extern int x25_parse_address_block(struct sk_buff *skb,
-+              struct x25_address *called_addr,
-+              struct x25_address *calling_addr);
-+
- extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,
-                         struct x25_address *);
- extern int  x25_addr_aton(unsigned char *, struct x25_address *,
---- a/net/x25/af_x25.c
-+++ b/net/x25/af_x25.c
-@@ -81,6 +81,41 @@ struct compat_x25_subscrip_struct {
- };
- #endif
-+
-+int x25_parse_address_block(struct sk_buff *skb,
-+              struct x25_address *called_addr,
-+              struct x25_address *calling_addr)
-+{
-+      unsigned char len;
-+      int needed;
-+      int rc;
-+
-+      if (skb->len < 1) {
-+              /* packet has no address block */
-+              rc = 0;
-+              goto empty;
-+      }
-+
-+      len = *skb->data;
-+      needed = 1 + (len >> 4) + (len & 0x0f);
-+
-+      if (skb->len < needed) {
-+              /* packet is too short to hold the addresses it claims
-+                 to hold */
-+              rc = -1;
-+              goto empty;
-+      }
-+
-+      return x25_addr_ntoa(skb->data, called_addr, calling_addr);
-+
-+empty:
-+      *called_addr->x25_addr = 0;
-+      *calling_addr->x25_addr = 0;
-+
-+      return rc;
-+}
-+
-+
- int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
-                 struct x25_address *calling_addr)
- {
-@@ -907,16 +942,26 @@ int x25_rx_call_request(struct sk_buff *
-       /*
-        *      Extract the X.25 addresses and convert them to ASCII strings,
-        *      and remove them.
-+       *
-+       *      Address block is mandatory in call request packets
-        */
--      addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
-+      addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
-+      if (addr_len <= 0)
-+              goto out_clear_request;
-       skb_pull(skb, addr_len);
-       /*
-        *      Get the length of the facilities, skip past them for the moment
-        *      get the call user data because this is needed to determine
-        *      the correct listener
-+       *
-+       *      Facilities length is mandatory in call request packets
-        */
-+      if (skb->len < 1)
-+              goto out_clear_request;
-       len = skb->data[0] + 1;
-+      if (skb->len < len)
-+              goto out_clear_request;
-       skb_pull(skb,len);
-       /*
---- a/net/x25/x25_facilities.c
-+++ b/net/x25/x25_facilities.c
-@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff
-               struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
- {
-       unsigned char *p = skb->data;
--      unsigned int len = *p++;
-+      unsigned int len;
-       *vc_fac_mask = 0;
-@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff
-       memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
-       memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
-+      if (skb->len < 1)
-+              return 0;
-+
-+      len = *p++;
-+
-+      if (len >= skb->len)
-+              return -1;
-+
-       while (len > 0) {
-               switch (*p & X25_FAC_CLASS_MASK) {
-               case X25_FAC_CLASS_A:
-@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_b
-       memcpy(new, ours, sizeof(*new));
-       len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
-+      if (len < 0)
-+              return len;
-       /*
-        *      They want reverse charging, we won't accept it.
---- a/net/x25/x25_in.c
-+++ b/net/x25/x25_in.c
-@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct soc
- static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
- {
-       struct x25_address source_addr, dest_addr;
-+      int len;
-       switch (frametype) {
-               case X25_CALL_ACCEPTED: {
-@@ -106,11 +107,17 @@ static int x25_state1_machine(struct soc
-                        *      Parse the data in the frame.
-                        */
-                       skb_pull(skb, X25_STD_MIN_LEN);
--                      skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
--                      skb_pull(skb,
--                               x25_parse_facilities(skb, &x25->facilities,
-+
-+                      len = x25_parse_address_block(skb, &source_addr,
-+                                              &dest_addr);
-+                      if (len > 0)
-+                              skb_pull(skb, len);
-+
-+                      len = x25_parse_facilities(skb, &x25->facilities,
-                                               &x25->dte_facilities,
--                                              &x25->vc_facil_mask));
-+                                              &x25->vc_facil_mask);
-+                      if (len > 0)
-+                              skb_pull(skb, len);
-                       /*
-                        *      Copy any Call User Data.
-                        */
diff --git a/queue-2.6.33/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch b/queue-2.6.33/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
deleted file mode 100644 (file)
index c6a1aa5..0000000
+++ /dev/null
@@ -1,75 +0,0 @@
-From 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-Date: Fri, 12 Nov 2010 12:44:42 -0800
-Subject: x25: Prevent crashing when parsing bad X.25 facilities
-
-From: Dan Rosenberg <drosenberg@vsecurity.com>
-
-commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
-
-Now with improved comma support.
-
-On parsing malformed X.25 facilities, decrementing the remaining length
-may cause it to underflow.  Since the length is an unsigned integer,
-this will result in the loop continuing until the kernel crashes.
-
-This patch adds checks to ensure decrementing the remaining length does
-not cause it to wrap around.
-
-Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/x25/x25_facilities.c |   12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
---- a/net/x25/x25_facilities.c
-+++ b/net/x25/x25_facilities.c
-@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff
-       while (len > 0) {
-               switch (*p & X25_FAC_CLASS_MASK) {
-               case X25_FAC_CLASS_A:
-+                      if (len < 2)
-+                              return 0;
-                       switch (*p) {
-                       case X25_FAC_REVERSE:
-                               if((p[1] & 0x81) == 0x81) {
-@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff
-                       len -= 2;
-                       break;
-               case X25_FAC_CLASS_B:
-+                      if (len < 3)
-+                              return 0;
-                       switch (*p) {
-                       case X25_FAC_PACKET_SIZE:
-                               facilities->pacsize_in  = p[1];
-@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff
-                       len -= 3;
-                       break;
-               case X25_FAC_CLASS_C:
-+                      if (len < 4)
-+                              return 0;
-                       printk(KERN_DEBUG "X.25: unknown facility %02X, "
-                              "values %02X, %02X, %02X\n",
-                              p[0], p[1], p[2], p[3]);
-@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff
-                       len -= 4;
-                       break;
-               case X25_FAC_CLASS_D:
-+                      if (len < p[1] + 2)
-+                              return 0;
-                       switch (*p) {
-                       case X25_FAC_CALLING_AE:
-                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff
-                               break;
-                       default:
-                               printk(KERN_DEBUG "X.25: unknown facility %02X,"
--                                      "length %d, values %02X, %02X, "
--                                      "%02X, %02X\n",
--                                      p[0], p[1], p[2], p[3], p[4], p[5]);
-+                                      "length %d\n", p[0], p[1]);
-                               break;
-                       }
-                       len -= p[1] + 2;
diff --git a/queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch b/queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch
deleted file mode 100644 (file)
index a787183..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From 8848a91068c018bc91f597038a0f41462a0f88a4 Mon Sep 17 00:00:00 2001
-From: H. Peter Anvin <hpa@zytor.com>
-Date: Wed, 18 Aug 2010 11:42:23 -0700
-Subject: x86-32: Fix dummy trampoline-related inline stubs
-
-From: H. Peter Anvin <hpa@zytor.com>
-
-commit 8848a91068c018bc91f597038a0f41462a0f88a4 upstream.
-
-Fix dummy inline stubs for trampoline-related functions when no
-trampolines exist (until we get rid of the no-trampoline case
-entirely.)
-
-Signed-off-by: H. Peter Anvin <hpa@zytor.com>
-Cc: Joerg Roedel <joerg.roedel@amd.com>
-Cc: Borislav Petkov <borislav.petkov@amd.com>
-LKML-Reference: <4C6C294D.3030404@zytor.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/trampoline.h |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/include/asm/trampoline.h
-+++ b/arch/x86/include/asm/trampoline.h
-@@ -22,8 +22,8 @@ extern unsigned long setup_trampoline(vo
- extern void __init setup_trampoline_page_table(void);
- extern void __init reserve_trampoline_memory(void);
- #else
--static inline void reserve_trampoline_memory(void) {};
--extern void __init setup_trampoline_page_table(void) {};
-+static inline void setup_trampoline_page_table(void) {}
-+static inline void reserve_trampoline_memory(void) {}
- #endif /* CONFIG_X86_TRAMPOLINE */
- #endif /* __ASSEMBLY__ */
diff --git a/queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch b/queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch
deleted file mode 100644 (file)
index 7cbf6f6..0000000
+++ /dev/null
@@ -1,252 +0,0 @@
-From fd89a137924e0710078c3ae855e7cec1c43cb845 Mon Sep 17 00:00:00 2001
-From: Joerg Roedel <joerg.roedel@amd.com>
-Date: Mon, 16 Aug 2010 14:38:33 +0200
-Subject: x86-32: Separate 1:1 pagetables from swapper_pg_dir
-
-From: Joerg Roedel <joerg.roedel@amd.com>
-
-commit fd89a137924e0710078c3ae855e7cec1c43cb845 upstream.
-
-This patch fixes machine crashes which occur when heavily exercising the
-CPU hotplug codepaths on a 32-bit kernel. These crashes are caused by
-AMD Erratum 383 and result in a fatal machine check exception. Here's
-the scenario:
-
-1. On 32-bit, the swapper_pg_dir page table is used as the initial page
-table for booting a secondary CPU.
-
-2. To make this work, swapper_pg_dir needs a direct mapping of physical
-memory in it (the low mappings). By adding those low, large page (2M)
-mappings (PAE kernel), we create the necessary conditions for Erratum
-383 to occur.
-
-3. Other CPUs which do not participate in the off- and onlining game may
-use swapper_pg_dir while the low mappings are present (when leave_mm is
-called). For all steps below, the CPU referred to is a CPU that is using
-swapper_pg_dir, and not the CPU which is being onlined.
-
-4. The presence of the low mappings in swapper_pg_dir can result
-in TLB entries for addresses below __PAGE_OFFSET to be established
-speculatively. These TLB entries are marked global and large.
-
-5. When the CPU with such TLB entry switches to another page table, this
-TLB entry remains because it is global.
-
-6. The process then generates an access to an address covered by the
-above TLB entry but there is a permission mismatch - the TLB entry
-covers a large global page not accessible to userspace.
-
-7. Due to this permission mismatch a new 4kb, user TLB entry gets
-established. Further, Erratum 383 provides for a small window of time
-where both TLB entries are present. This results in an uncorrectable
-machine check exception signalling a TLB multimatch which panics the
-machine.
-
-There are two ways to fix this issue:
-
-        1. Always do a global TLB flush when a new cr3 is loaded and the
-        old page table was swapper_pg_dir. I consider this a hack hard
-        to understand and with performance implications
-
-        2. Do not use swapper_pg_dir to boot secondary CPUs like 64-bit
-        does.
-
-This patch implements solution 2. It introduces a trampoline_pg_dir
-which has the same layout as swapper_pg_dir with low_mappings. This page
-table is used as the initial page table of the booting CPU. Later in the
-bringup process, it switches to swapper_pg_dir and does a global TLB
-flush. This fixes the crashes in our test cases.
-
--v2: switch to swapper_pg_dir right after entering start_secondary() so
-that we are able to access percpu data which might not be mapped in the
-trampoline page table.
-
-Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
-LKML-Reference: <20100816123833.GB28147@aftab>
-Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
-Signed-off-by: H. Peter Anvin <hpa@zytor.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/pgtable_32.h |    1 +
- arch/x86/include/asm/trampoline.h |    3 +++
- arch/x86/kernel/head_32.S         |    8 +++++++-
- arch/x86/kernel/setup.c           |    2 ++
- arch/x86/kernel/smpboot.c         |   32 +++++++++++++-------------------
- arch/x86/kernel/trampoline.c      |   18 ++++++++++++++++++
- 6 files changed, 44 insertions(+), 20 deletions(-)
-
---- a/arch/x86/include/asm/pgtable_32.h
-+++ b/arch/x86/include/asm/pgtable_32.h
-@@ -27,6 +27,7 @@ struct mm_struct;
- struct vm_area_struct;
- extern pgd_t swapper_pg_dir[1024];
-+extern pgd_t trampoline_pg_dir[1024];
- static inline void pgtable_cache_init(void) { }
- static inline void check_pgt_cache(void) { }
---- a/arch/x86/include/asm/trampoline.h
-+++ b/arch/x86/include/asm/trampoline.h
-@@ -13,14 +13,17 @@ extern unsigned char *trampoline_base;
- extern unsigned long init_rsp;
- extern unsigned long initial_code;
-+extern unsigned long initial_page_table;
- extern unsigned long initial_gs;
- #define TRAMPOLINE_SIZE roundup(trampoline_end - trampoline_data, PAGE_SIZE)
- extern unsigned long setup_trampoline(void);
-+extern void __init setup_trampoline_page_table(void);
- extern void __init reserve_trampoline_memory(void);
- #else
- static inline void reserve_trampoline_memory(void) {};
-+extern void __init setup_trampoline_page_table(void) {};
- #endif /* CONFIG_X86_TRAMPOLINE */
- #endif /* __ASSEMBLY__ */
---- a/arch/x86/kernel/head_32.S
-+++ b/arch/x86/kernel/head_32.S
-@@ -328,7 +328,7 @@ ENTRY(startup_32_smp)
- /*
-  * Enable paging
-  */
--      movl $pa(swapper_pg_dir),%eax
-+      movl pa(initial_page_table), %eax
-       movl %eax,%cr3          /* set the page table pointer.. */
-       movl %cr0,%eax
-       orl  $X86_CR0_PG,%eax
-@@ -608,6 +608,8 @@ ignore_int:
- .align 4
- ENTRY(initial_code)
-       .long i386_start_kernel
-+ENTRY(initial_page_table)
-+      .long pa(swapper_pg_dir)
- /*
-  * BSS section
-@@ -623,6 +625,10 @@ ENTRY(swapper_pg_dir)
- #endif
- swapper_pg_fixmap:
-       .fill 1024,4,0
-+#ifdef CONFIG_X86_TRAMPOLINE
-+ENTRY(trampoline_pg_dir)
-+      .fill 1024,4,0
-+#endif
- ENTRY(empty_zero_page)
-       .fill 4096,1,0
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -981,6 +981,8 @@ void __init setup_arch(char **cmdline_p)
-       paging_init();
-       x86_init.paging.pagetable_setup_done(swapper_pg_dir);
-+      setup_trampoline_page_table();
-+
-       tboot_probe();
- #ifdef CONFIG_X86_64
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -70,7 +70,6 @@
- #ifdef CONFIG_X86_32
- u8 apicid_2_node[MAX_APICID];
--static int low_mappings;
- #endif
- /* State of each CPU */
-@@ -273,6 +272,18 @@ notrace static void __cpuinit start_seco
-        * fragile that we want to limit the things done here to the
-        * most necessary things.
-        */
-+
-+#ifdef CONFIG_X86_32
-+      /*
-+       * Switch away from the trampoline page-table
-+       *
-+       * Do this before cpu_init() because it needs to access per-cpu
-+       * data which may not be mapped in the trampoline page-table.
-+       */
-+      load_cr3(swapper_pg_dir);
-+      __flush_tlb_all();
-+#endif
-+
-       vmi_bringup();
-       cpu_init();
-       preempt_disable();
-@@ -291,12 +302,6 @@ notrace static void __cpuinit start_seco
-               enable_8259A_irq(0);
-       }
--#ifdef CONFIG_X86_32
--      while (low_mappings)
--              cpu_relax();
--      __flush_tlb_all();
--#endif
--
-       /* This must be done before setting cpu_online_mask */
-       set_cpu_sibling_map(raw_smp_processor_id());
-       wmb();
-@@ -743,6 +748,7 @@ do_rest:
- #ifdef CONFIG_X86_32
-       /* Stack for startup_32 can be just as for start_secondary onwards */
-       irq_ctx_init(cpu);
-+      initial_page_table = __pa(&trampoline_pg_dir);
- #else
-       clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
-       initial_gs = per_cpu_offset(cpu);
-@@ -883,20 +889,8 @@ int __cpuinit native_cpu_up(unsigned int
-       per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
--#ifdef CONFIG_X86_32
--      /* init low mem mapping */
--      clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
--              min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
--      flush_tlb_all();
--      low_mappings = 1;
--
-       err = do_boot_cpu(apicid, cpu);
--      zap_low_mappings(false);
--      low_mappings = 0;
--#else
--      err = do_boot_cpu(apicid, cpu);
--#endif
-       if (err) {
-               pr_debug("do_boot_cpu failed %d\n", err);
-               return -EIO;
---- a/arch/x86/kernel/trampoline.c
-+++ b/arch/x86/kernel/trampoline.c
-@@ -1,6 +1,7 @@
- #include <linux/io.h>
- #include <asm/trampoline.h>
-+#include <asm/pgtable.h>
- #include <asm/e820.h>
- #if defined(CONFIG_X86_64) && defined(CONFIG_ACPI_SLEEP)
-@@ -37,3 +38,20 @@ unsigned long __trampinit setup_trampoli
-       memcpy(trampoline_base, trampoline_data, TRAMPOLINE_SIZE);
-       return virt_to_phys(trampoline_base);
- }
-+
-+void __init setup_trampoline_page_table(void)
-+{
-+#ifdef CONFIG_X86_32
-+      /* Copy kernel address range */
-+      clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY,
-+                      swapper_pg_dir + KERNEL_PGD_BOUNDARY,
-+                      min_t(unsigned long, KERNEL_PGD_PTRS,
-+                            KERNEL_PGD_BOUNDARY));
-+
-+      /* Initialize low mappings */
-+      clone_pgd_range(trampoline_pg_dir,
-+                      swapper_pg_dir + KERNEL_PGD_BOUNDARY,
-+                      min_t(unsigned long, KERNEL_PGD_PTRS,
-+                            KERNEL_PGD_BOUNDARY));
-+#endif
-+}
diff --git a/queue-2.6.33/x86-64-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/queue-2.6.33/x86-64-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
deleted file mode 100644 (file)
index f00ba7e..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From eefdca043e8391dcd719711716492063030b55ac Mon Sep 17 00:00:00 2001
-From: Roland McGrath <roland@redhat.com>
-Date: Tue, 14 Sep 2010 12:22:58 -0700
-Subject: x86-64, compat: Retruncate rax after ia32 syscall entry tracing
-
-From: Roland McGrath <roland@redhat.com>
-
-commit eefdca043e8391dcd719711716492063030b55ac upstream.
-
-In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
-32-bit tracee in system call entry.  A %rax value set via ptrace at the
-entry tracing stop gets used whole as a 32-bit syscall number, while we
-only check the low 32 bits for validity.
-
-Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
-in addition to testing the full 64 bits as has already been added.
-
-Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
-Signed-off-by: Roland McGrath <roland@redhat.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/ia32/ia32entry.S |    8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/arch/x86/ia32/ia32entry.S
-+++ b/arch/x86/ia32/ia32entry.S
-@@ -50,7 +50,12 @@
-       /*
-        * Reload arg registers from stack in case ptrace changed them.
-        * We don't reload %eax because syscall_trace_enter() returned
--       * the value it wants us to use in the table lookup.
-+       * the %rax value we should see.  Instead, we just truncate that
-+       * value to 32 bits again as we did on entry from user mode.
-+       * If it's a new value set by user_regset during entry tracing,
-+       * this matches the normal truncation of the user-mode value.
-+       * If it's -1 to make us punt the syscall, then (u32)-1 is still
-+       * an appropriately invalid value.
-        */
-       .macro LOAD_ARGS32 offset, _r9=0
-       .if \_r9
-@@ -60,6 +65,7 @@
-       movl \offset+48(%rsp),%edx
-       movl \offset+56(%rsp),%esi
-       movl \offset+64(%rsp),%edi
-+      movl %eax,%eax                  /* zero extension */
-       .endm
-       
-       .macro CFI_STARTPROC32 simple
diff --git a/queue-2.6.33/x86-64-compat-test-rax-for-the-syscall-number-not-eax.patch b/queue-2.6.33/x86-64-compat-test-rax-for-the-syscall-number-not-eax.patch
deleted file mode 100644 (file)
index 8bf27c2..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-From 36d001c70d8a0144ac1d038f6876c484849a74de Mon Sep 17 00:00:00 2001
-From: H. Peter Anvin <hpa@linux.intel.com>
-Date: Tue, 14 Sep 2010 12:42:41 -0700
-Subject: x86-64, compat: Test %rax for the syscall number, not %eax
-
-From: H. Peter Anvin <hpa@linux.intel.com>
-
-commit 36d001c70d8a0144ac1d038f6876c484849a74de upstream.
-
-On 64 bits, we always, by necessity, jump through the system call
-table via %rax.  For 32-bit system calls, in theory the system call
-number is stored in %eax, and the code was testing %eax for a valid
-system call number.  At one point we loaded the stored value back from
-the stack to enforce zero-extension, but that was removed in checkin
-d4d67150165df8bf1cc05e532f6efca96f907cab.  An actual 32-bit process
-will not be able to introduce a non-zero-extended number, but it can
-happen via ptrace.
-
-Instead of re-introducing the zero-extension, test what we are
-actually going to use, i.e. %rax.  This only adds a handful of REX
-prefixes to the code.
-
-Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Cc: Roland McGrath <roland@redhat.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/ia32/ia32entry.S |   14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
---- a/arch/x86/ia32/ia32entry.S
-+++ b/arch/x86/ia32/ia32entry.S
-@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
-       testl  $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
-       CFI_REMEMBER_STATE
-       jnz  sysenter_tracesys
--      cmpl    $(IA32_NR_syscalls-1),%eax
-+      cmpq    $(IA32_NR_syscalls-1),%rax
-       ja      ia32_badsys
- sysenter_do_call:
-       IA32_ARG_FIXUP
-@@ -195,7 +195,7 @@ sysexit_from_sys_call:
-       movl $AUDIT_ARCH_I386,%edi      /* 1st arg: audit arch */
-       call audit_syscall_entry
-       movl RAX-ARGOFFSET(%rsp),%eax   /* reload syscall number */
--      cmpl $(IA32_NR_syscalls-1),%eax
-+      cmpq $(IA32_NR_syscalls-1),%rax
-       ja ia32_badsys
-       movl %ebx,%edi                  /* reload 1st syscall arg */
-       movl RCX-ARGOFFSET(%rsp),%esi   /* reload 2nd syscall arg */
-@@ -248,7 +248,7 @@ sysenter_tracesys:
-       call    syscall_trace_enter
-       LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
-       RESTORE_REST
--      cmpl    $(IA32_NR_syscalls-1),%eax
-+      cmpq    $(IA32_NR_syscalls-1),%rax
-       ja      int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
-       jmp     sysenter_do_call
-       CFI_ENDPROC
-@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
-       testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
-       CFI_REMEMBER_STATE
-       jnz   cstar_tracesys
--      cmpl $IA32_NR_syscalls-1,%eax
-+      cmpq $IA32_NR_syscalls-1,%rax
-       ja  ia32_badsys
- cstar_do_call:
-       IA32_ARG_FIXUP 1
-@@ -367,7 +367,7 @@ cstar_tracesys:
-       LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
-       RESTORE_REST
-       xchgl %ebp,%r9d
--      cmpl $(IA32_NR_syscalls-1),%eax
-+      cmpq $(IA32_NR_syscalls-1),%rax
-       ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
-       jmp cstar_do_call
- END(ia32_cstar_target)
-@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
-       orl   $TS_COMPAT,TI_status(%r10)
-       testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
-       jnz ia32_tracesys
--      cmpl $(IA32_NR_syscalls-1),%eax
-+      cmpq $(IA32_NR_syscalls-1),%rax
-       ja ia32_badsys
- ia32_do_call:
-       IA32_ARG_FIXUP
-@@ -444,7 +444,7 @@ ia32_tracesys:
-       call syscall_trace_enter
-       LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
-       RESTORE_REST
--      cmpl $(IA32_NR_syscalls-1),%eax
-+      cmpq $(IA32_NR_syscalls-1),%rax
-       ja  int_ret_from_sys_call       /* ia32_tracesys has set RAX(%rsp) */
-       jmp ia32_do_call
- END(ia32_syscall)
diff --git a/queue-2.6.33/x86-amd-iommu-fix-rounding-bug-in-__unmap_single.patch b/queue-2.6.33/x86-amd-iommu-fix-rounding-bug-in-__unmap_single.patch
deleted file mode 100644 (file)
index 64252dc..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From 04e0463e088b41060c08c255eb0d3278a504f094 Mon Sep 17 00:00:00 2001
-From: Joerg Roedel <joerg.roedel@amd.com>
-Date: Thu, 23 Sep 2010 16:12:48 +0200
-Subject: x86/amd-iommu: Fix rounding-bug in __unmap_single
-
-From: Joerg Roedel <joerg.roedel@amd.com>
-
-commit 04e0463e088b41060c08c255eb0d3278a504f094 upstream.
-
-In the __unmap_single function the dma_addr is rounded down
-to a page boundary before the dma pages are unmapped. The
-address is later also used to flush the TLB entries for that
-mapping. But without the offset into the dma page the amount
-of pages to flush might be miscalculated in the TLB flushing
-path. This patch fixes this bug by using the original
-address to flush the TLB.
-
-Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/amd_iommu.c |    4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/arch/x86/kernel/amd_iommu.c
-+++ b/arch/x86/kernel/amd_iommu.c
-@@ -1885,6 +1885,7 @@ static void __unmap_single(struct dma_op
-                          size_t size,
-                          int dir)
- {
-+      dma_addr_t flush_addr;
-       dma_addr_t i, start;
-       unsigned int pages;
-@@ -1892,6 +1893,7 @@ static void __unmap_single(struct dma_op
-           (dma_addr + size > dma_dom->aperture_size))
-               return;
-+      flush_addr = dma_addr;
-       pages = iommu_num_pages(dma_addr, size, PAGE_SIZE);
-       dma_addr &= PAGE_MASK;
-       start = dma_addr;
-@@ -1906,7 +1908,7 @@ static void __unmap_single(struct dma_op
-       dma_ops_free_addresses(dma_dom, dma_addr, pages);
-       if (amd_iommu_unmap_flush || dma_dom->need_flush) {
--              iommu_flush_pages(&dma_dom->domain, dma_addr, size);
-+              iommu_flush_pages(&dma_dom->domain, flush_addr, size);
-               dma_dom->need_flush = false;
-       }
- }
diff --git a/queue-2.6.33/x86-amd-iommu-set-iommu-configuration-flags-in-enable-loop.patch b/queue-2.6.33/x86-amd-iommu-set-iommu-configuration-flags-in-enable-loop.patch
deleted file mode 100644 (file)
index 7a501b4..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From e9bf51971157e367aabfc111a8219db010f69cd4 Mon Sep 17 00:00:00 2001
-From: Joerg Roedel <joerg.roedel@amd.com>
-Date: Mon, 20 Sep 2010 14:33:07 +0200
-Subject: x86/amd-iommu: Set iommu configuration flags in enable-loop
-
-From: Joerg Roedel <joerg.roedel@amd.com>
-
-commit e9bf51971157e367aabfc111a8219db010f69cd4 upstream.
-
-This patch moves the setting of the configuration and
-feature flags out out the acpi table parsing path and moves
-it into the iommu-enable path. This is needed to reliably
-fix resume-from-s3.
-
-Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/amd_iommu_types.h |    3 ++
- arch/x86/kernel/amd_iommu_init.c       |   49 ++++++++++++++++++---------------
- 2 files changed, 30 insertions(+), 22 deletions(-)
-
---- a/arch/x86/include/asm/amd_iommu_types.h
-+++ b/arch/x86/include/asm/amd_iommu_types.h
-@@ -331,6 +331,9 @@ struct amd_iommu {
-       /* capabilities of that IOMMU read from ACPI */
-       u32 cap;
-+      /* flags read from acpi table */
-+      u8 acpi_flags;
-+
-       /*
-        * Capability pointer. There could be more than one IOMMU per PCI
-        * device function if there are more than one AMD IOMMU capability
---- a/arch/x86/kernel/amd_iommu_init.c
-+++ b/arch/x86/kernel/amd_iommu_init.c
-@@ -645,29 +645,9 @@ static void __init init_iommu_from_acpi(
-       struct ivhd_entry *e;
-       /*
--       * First set the recommended feature enable bits from ACPI
--       * into the IOMMU control registers
-+       * First save the recommended feature enable bits from ACPI
-        */
--      h->flags & IVHD_FLAG_HT_TUN_EN_MASK ?
--              iommu_feature_enable(iommu, CONTROL_HT_TUN_EN) :
--              iommu_feature_disable(iommu, CONTROL_HT_TUN_EN);
--
--      h->flags & IVHD_FLAG_PASSPW_EN_MASK ?
--              iommu_feature_enable(iommu, CONTROL_PASSPW_EN) :
--              iommu_feature_disable(iommu, CONTROL_PASSPW_EN);
--
--      h->flags & IVHD_FLAG_RESPASSPW_EN_MASK ?
--              iommu_feature_enable(iommu, CONTROL_RESPASSPW_EN) :
--              iommu_feature_disable(iommu, CONTROL_RESPASSPW_EN);
--
--      h->flags & IVHD_FLAG_ISOC_EN_MASK ?
--              iommu_feature_enable(iommu, CONTROL_ISOC_EN) :
--              iommu_feature_disable(iommu, CONTROL_ISOC_EN);
--
--      /*
--       * make IOMMU memory accesses cache coherent
--       */
--      iommu_feature_enable(iommu, CONTROL_COHERENT_EN);
-+      iommu->acpi_flags = h->flags;
-       /*
-        * Done. Now parse the device entries
-@@ -1109,6 +1089,30 @@ static void init_device_table(void)
-       }
- }
-+static void iommu_init_flags(struct amd_iommu *iommu)
-+{
-+      iommu->acpi_flags & IVHD_FLAG_HT_TUN_EN_MASK ?
-+              iommu_feature_enable(iommu, CONTROL_HT_TUN_EN) :
-+              iommu_feature_disable(iommu, CONTROL_HT_TUN_EN);
-+
-+      iommu->acpi_flags & IVHD_FLAG_PASSPW_EN_MASK ?
-+              iommu_feature_enable(iommu, CONTROL_PASSPW_EN) :
-+              iommu_feature_disable(iommu, CONTROL_PASSPW_EN);
-+
-+      iommu->acpi_flags & IVHD_FLAG_RESPASSPW_EN_MASK ?
-+              iommu_feature_enable(iommu, CONTROL_RESPASSPW_EN) :
-+              iommu_feature_disable(iommu, CONTROL_RESPASSPW_EN);
-+
-+      iommu->acpi_flags & IVHD_FLAG_ISOC_EN_MASK ?
-+              iommu_feature_enable(iommu, CONTROL_ISOC_EN) :
-+              iommu_feature_disable(iommu, CONTROL_ISOC_EN);
-+
-+      /*
-+       * make IOMMU memory accesses cache coherent
-+       */
-+      iommu_feature_enable(iommu, CONTROL_COHERENT_EN);
-+}
-+
- /*
-  * This function finally enables all IOMMUs found in the system after
-  * they have been initialized
-@@ -1119,6 +1123,7 @@ static void enable_iommus(void)
-       for_each_iommu(iommu) {
-               iommu_disable(iommu);
-+              iommu_init_flags(iommu);
-               iommu_set_device_table(iommu);
-               iommu_enable_command_buffer(iommu);
-               iommu_enable_event_buffer(iommu);
diff --git a/queue-2.6.33/x86-amd-iommu-work-around-s3-bios-bug.patch b/queue-2.6.33/x86-amd-iommu-work-around-s3-bios-bug.patch
deleted file mode 100644 (file)
index ba89e3c..0000000
+++ /dev/null
@@ -1,113 +0,0 @@
-From 4c894f47bb49284008073d351c0ddaac8860864e Mon Sep 17 00:00:00 2001
-From: Joerg Roedel <joerg.roedel@amd.com>
-Date: Thu, 23 Sep 2010 15:15:19 +0200
-Subject: x86/amd-iommu: Work around S3 BIOS bug
-
-From: Joerg Roedel <joerg.roedel@amd.com>
-
-commit 4c894f47bb49284008073d351c0ddaac8860864e upstream.
-
-This patch adds a workaround for an IOMMU BIOS problem to
-the AMD IOMMU driver. The result of the bug is that the
-IOMMU does not execute commands anymore when the system
-comes out of the S3 state resulting in system failure. The
-bug in the BIOS is that is does not restore certain hardware
-specific registers correctly. This workaround reads out the
-contents of these registers at boot time and restores them
-on resume from S3. The workaround is limited to the specific
-IOMMU chipset where this problem occurs.
-
-Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/amd_iommu_proto.h |    6 ++++++
- arch/x86/include/asm/amd_iommu_types.h |    9 +++++++++
- arch/x86/kernel/amd_iommu_init.c       |   18 ++++++++++++++++++
- include/linux/pci_ids.h                |    3 +++
- 4 files changed, 36 insertions(+)
-
---- a/arch/x86/include/asm/amd_iommu_proto.h
-+++ b/arch/x86/include/asm/amd_iommu_proto.h
-@@ -38,4 +38,10 @@ static inline void amd_iommu_stats_init(
- #endif /* !CONFIG_AMD_IOMMU_STATS */
-+static inline bool is_rd890_iommu(struct pci_dev *pdev)
-+{
-+      return (pdev->vendor == PCI_VENDOR_ID_ATI) &&
-+             (pdev->device == PCI_DEVICE_ID_RD890_IOMMU);
-+}
-+
- #endif /* _ASM_X86_AMD_IOMMU_PROTO_H  */
---- a/arch/x86/include/asm/amd_iommu_types.h
-+++ b/arch/x86/include/asm/amd_iommu_types.h
-@@ -377,6 +377,15 @@ struct amd_iommu {
-       /* default dma_ops domain for that IOMMU */
-       struct dma_ops_domain *default_dom;
-+
-+      /*
-+       * This array is required to work around a potential BIOS bug.
-+       * The BIOS may miss to restore parts of the PCI configuration
-+       * space when the system resumes from S3. The result is that the
-+       * IOMMU does not execute commands anymore which leads to system
-+       * failure.
-+       */
-+      u32 cache_cfg[4];
- };
- /*
---- a/arch/x86/kernel/amd_iommu_init.c
-+++ b/arch/x86/kernel/amd_iommu_init.c
-@@ -628,6 +628,13 @@ static void __init init_iommu_from_pci(s
-       iommu->last_device = calc_devid(MMIO_GET_BUS(range),
-                                       MMIO_GET_LD(range));
-       iommu->evt_msi_num = MMIO_MSI_NUM(misc);
-+
-+      if (is_rd890_iommu(iommu->dev)) {
-+              pci_read_config_dword(iommu->dev, 0xf0, &iommu->cache_cfg[0]);
-+              pci_read_config_dword(iommu->dev, 0xf4, &iommu->cache_cfg[1]);
-+              pci_read_config_dword(iommu->dev, 0xf8, &iommu->cache_cfg[2]);
-+              pci_read_config_dword(iommu->dev, 0xfc, &iommu->cache_cfg[3]);
-+      }
- }
- /*
-@@ -1113,6 +1120,16 @@ static void iommu_init_flags(struct amd_
-       iommu_feature_enable(iommu, CONTROL_COHERENT_EN);
- }
-+static void iommu_apply_quirks(struct amd_iommu *iommu)
-+{
-+      if (is_rd890_iommu(iommu->dev)) {
-+              pci_write_config_dword(iommu->dev, 0xf0, iommu->cache_cfg[0]);
-+              pci_write_config_dword(iommu->dev, 0xf4, iommu->cache_cfg[1]);
-+              pci_write_config_dword(iommu->dev, 0xf8, iommu->cache_cfg[2]);
-+              pci_write_config_dword(iommu->dev, 0xfc, iommu->cache_cfg[3]);
-+      }
-+}
-+
- /*
-  * This function finally enables all IOMMUs found in the system after
-  * they have been initialized
-@@ -1123,6 +1140,7 @@ static void enable_iommus(void)
-       for_each_iommu(iommu) {
-               iommu_disable(iommu);
-+              iommu_apply_quirks(iommu);
-               iommu_init_flags(iommu);
-               iommu_set_device_table(iommu);
-               iommu_enable_command_buffer(iommu);
---- a/include/linux/pci_ids.h
-+++ b/include/linux/pci_ids.h
-@@ -393,6 +393,9 @@
- #define PCI_DEVICE_ID_VLSI_82C147     0x0105
- #define PCI_DEVICE_ID_VLSI_VAS96011   0x0702
-+/* AMD RD890 Chipset */
-+#define PCI_DEVICE_ID_RD890_IOMMU     0x5a23
-+
- #define PCI_VENDOR_ID_ADL             0x1005
- #define PCI_DEVICE_ID_ADL_2301                0x2301
diff --git a/queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch b/queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
deleted file mode 100644 (file)
index b01fbc8..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <borislav.petkov@amd.com>
-Date: Fri, 8 Oct 2010 12:08:34 +0200
-Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order
-
-From: Borislav Petkov <borislav.petkov@amd.com>
-
-commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream.
-
-This fixes possible cases of not collecting valid error info in
-the MCE error thresholding groups on F10h hardware.
-
-The current code contains a subtle problem of checking only the
-Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM
-thresholding group) in its first iteration and breaking out if
-the bit is cleared.
-
-But (!), this MSR contains an offset value, BlkPtr[31:24], which
-points to the remaining MSRs in this thresholding group which
-might contain valid information too. But if we bail out only
-after we checked the valid bit in the first MSR and not the
-block pointer too, we miss that other information.
-
-The thing is, MC4_MISC0[BlkPtr] is not predicated on
-MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked
-prior to iterating over the MCI_MISCj thresholding group,
-irrespective of the MC4_MISC0[Valid] setting.
-
-Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
-Signed-off-by: Ingo Molnar <mingo@elte.hu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/cpu/mcheck/mce_amd.c |    9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
---- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
-@@ -140,6 +140,7 @@ void mce_amd_feature_init(struct cpuinfo
-                               address = (low & MASK_BLKPTR_LO) >> 21;
-                               if (!address)
-                                       break;
-+
-                               address += MCG_XBLK_ADDR;
-                       } else
-                               ++address;
-@@ -147,12 +148,8 @@ void mce_amd_feature_init(struct cpuinfo
-                       if (rdmsr_safe(address, &low, &high))
-                               break;
--                      if (!(high & MASK_VALID_HI)) {
--                              if (block)
--                                      continue;
--                              else
--                                      break;
--                      }
-+                      if (!(high & MASK_VALID_HI))
-+                              continue;
-                       if (!(high & MASK_CNTP_HI)  ||
-                            (high & MASK_LOCKED_HI))
diff --git a/queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch b/queue-2.6.33/x86-cpu-after-uncapping-cpuid-re-run-cpu-feature-detection.patch
deleted file mode 100644 (file)
index 51de7e8..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-From d900329e20f4476db6461752accebcf7935a8055 Mon Sep 17 00:00:00 2001
-From: H. Peter Anvin <hpa@linux.intel.com>
-Date: Tue, 28 Sep 2010 15:35:01 -0700
-Subject: x86, cpu: After uncapping CPUID, re-run CPU feature detection
-
-From: H. Peter Anvin <hpa@linux.intel.com>
-
-commit d900329e20f4476db6461752accebcf7935a8055 upstream.
-
-After uncapping the CPUID level, we need to also re-run the CPU
-feature detection code.
-
-This resolves kernel bugzilla 16322.
-
-Reported-by: boris64 <bugzilla.kernel.org@boris64.net>
-LKML-Reference: <tip-@git.kernel.org>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/cpu/common.c |    2 +-
- arch/x86/kernel/cpu/cpu.h    |    1 +
- arch/x86/kernel/cpu/intel.c  |    1 +
- 3 files changed, 3 insertions(+), 1 deletion(-)
-
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -537,7 +537,7 @@ void __cpuinit cpu_detect(struct cpuinfo
-       }
- }
--static void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
-+void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
- {
-       u32 tfms, xlvl;
-       u32 ebx;
---- a/arch/x86/kernel/cpu/cpu.h
-+++ b/arch/x86/kernel/cpu/cpu.h
-@@ -33,5 +33,6 @@ extern const struct cpu_dev *const __x86
-                           *const __x86_cpu_dev_end[];
- extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
-+extern void get_cpu_cap(struct cpuinfo_x86 *c);
- #endif
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -40,6 +40,7 @@ static void __cpuinit early_init_intel(s
-                       misc_enable &= ~MSR_IA32_MISC_ENABLE_LIMIT_CPUID;
-                       wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable);
-                       c->cpuid_level = cpuid_eax(0);
-+                      get_cpu_cap(c);
-               }
-       }
diff --git a/queue-2.6.33/x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch b/queue-2.6.33/x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch
deleted file mode 100644 (file)
index 5c6fff5..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From 7ef8aa72ab176e0288f363d1247079732c5d5792 Mon Sep 17 00:00:00 2001
-From: Andre Przywara <andre.przywara@amd.com>
-Date: Mon, 6 Sep 2010 15:14:17 +0200
-Subject: x86, cpu: Fix renamed, not-yet-shipping AMD CPUID feature bit
-
-From: Andre Przywara <andre.przywara@amd.com>
-
-commit 7ef8aa72ab176e0288f363d1247079732c5d5792 upstream.
-
-The AMD SSE5 feature set as-it has been replaced by some extensions
-to the AVX instruction set. Thus the bit formerly advertised as SSE5
-is re-used for one of these extensions (XOP).
-Although this changes the /proc/cpuinfo output, it is not user visible, as
-there are no CPUs (yet) having this feature.
-To avoid confusion this should be added to the stable series, too.
-
-Signed-off-by: Andre Przywara <andre.przywara@amd.com>
-LKML-Reference: <1283778860-26843-2-git-send-email-andre.przywara@amd.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/cpufeature.h |    2 +-
- arch/x86/kvm/x86.c                |    2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/include/asm/cpufeature.h
-+++ b/arch/x86/include/asm/cpufeature.h
-@@ -150,7 +150,7 @@
- #define X86_FEATURE_3DNOWPREFETCH (6*32+ 8) /* 3DNow prefetch instructions */
- #define X86_FEATURE_OSVW      (6*32+ 9) /* OS Visible Workaround */
- #define X86_FEATURE_IBS               (6*32+10) /* Instruction Based Sampling */
--#define X86_FEATURE_SSE5      (6*32+11) /* SSE-5 */
-+#define X86_FEATURE_XOP               (6*32+11) /* extended AVX instructions */
- #define X86_FEATURE_SKINIT    (6*32+12) /* SKINIT/STGI instructions */
- #define X86_FEATURE_WDT               (6*32+13) /* Watchdog timer */
- #define X86_FEATURE_NODEID_MSR        (6*32+19) /* NodeId MSR */
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -1615,7 +1615,7 @@ static void do_cpuid_ent(struct kvm_cpui
-       const u32 kvm_supported_word6_x86_features =
-               F(LAHF_LM) | F(CMP_LEGACY) | F(SVM) | 0 /* ExtApicSpace */ |
-               F(CR8_LEGACY) | F(ABM) | F(SSE4A) | F(MISALIGNSSE) |
--              F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(SSE5) |
-+              F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(XOP) |
-               0 /* SKINIT */ | 0 /* WDT */;
-       /* all calls to cpuid_count() should be made on the same cpu */
diff --git a/queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch b/queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch
deleted file mode 100644 (file)
index e7b4156..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-From 1dedefd1a066a795a87afca9c0236e1a94de9bf6 Mon Sep 17 00:00:00 2001
-From: Jacob Pan <jacob.jun.pan@linux.intel.com>
-Date: Wed, 19 May 2010 12:01:23 -0700
-Subject: x86: detect scattered cpuid features earlier
-
-From: Jacob Pan <jacob.jun.pan@linux.intel.com>
-
-commit 1dedefd1a066a795a87afca9c0236e1a94de9bf6 upstream.
-
-Some extra CPU features such as ARAT is needed in early boot so
-that x86_init function pointers can be set up properly.
-http://lkml.org/lkml/2010/5/18/519
-At start_kernel() level, this patch moves init_scattered_cpuid_features()
-from check_bugs() to setup_arch() -> early_cpu_init() which is earlier than
-platform specific x86_init layer setup. Suggested by HPA.
-
-Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
-LKML-Reference: <1274295685-6774-2-git-send-email-jacob.jun.pan@linux.intel.com>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/cpu/common.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -576,6 +576,7 @@ void __cpuinit get_cpu_cap(struct cpuinf
-       if (c->extended_cpuid_level >= 0x80000007)
-               c->x86_power = cpuid_edx(0x80000007);
-+      init_scattered_cpuid_features(c);
- }
- static void __cpuinit identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
-@@ -731,7 +732,6 @@ static void __cpuinit generic_identify(s
-       get_model_name(c); /* Default name */
--      init_scattered_cpuid_features(c);
-       detect_nopl(c);
- }
diff --git a/queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch b/queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
deleted file mode 100644 (file)
index 15cd8b2..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Tue, 28 Sep 2010 23:20:23 +0200
-Subject: x86, hpet: Fix bogus error check in hpet_assign_irq()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream.
-
-create_irq() returns -1 if the interrupt allocation failed, but the
-code checks for irq == 0.
-
-Use create_irq_nr() instead.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Venkatesh Pallipadi <venki@google.com>
-LKML-Reference: <alpine.LFD.2.00.1009282310360.2416@localhost6.localdomain6>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/hpet.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/hpet.c
-+++ b/arch/x86/kernel/hpet.c
-@@ -498,7 +498,7 @@ static int hpet_assign_irq(struct hpet_d
- {
-       unsigned int irq;
--      irq = create_irq();
-+      irq = create_irq_nr(0, -1);
-       if (!irq)
-               return -EINVAL;
diff --git a/queue-2.6.33/x86-ignore-trap-bits-on-single-step-exceptions.patch b/queue-2.6.33/x86-ignore-trap-bits-on-single-step-exceptions.patch
deleted file mode 100644 (file)
index 270a3b5..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 6c0aca288e726405b01dacb12cac556454d34b2a Mon Sep 17 00:00:00 2001
-From: Frederic Weisbecker <fweisbec@gmail.com>
-Date: Thu, 11 Nov 2010 21:18:43 +0100
-Subject: x86: Ignore trap bits on single step exceptions
-
-From: Frederic Weisbecker <fweisbec@gmail.com>
-
-commit 6c0aca288e726405b01dacb12cac556454d34b2a upstream.
-
-When a single step exception fires, the trap bits, used to
-signal hardware breakpoints, are in a random state.
-
-These trap bits might be set if another exception will follow,
-like a breakpoint in the next instruction, or a watchpoint in the
-previous one. Or there can be any junk there.
-
-So if we handle these trap bits during the single step exception,
-we are going to handle an exception twice, or we are going to
-handle junk.
-
-Just ignore them in this case.
-
-This fixes https://bugzilla.kernel.org/show_bug.cgi?id=21332
-
-Reported-by: Michael Stefaniuc <mstefani@redhat.com>
-Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
-Cc: Rafael J. Wysocki <rjw@sisk.pl>
-Cc: Maciej Rutecki <maciej.rutecki@gmail.com>
-Cc: Alexandre Julliard <julliard@winehq.org>
-Cc: Jason Wessel <jason.wessel@windriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/hw_breakpoint.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/arch/x86/kernel/hw_breakpoint.c
-+++ b/arch/x86/kernel/hw_breakpoint.c
-@@ -457,6 +457,10 @@ static int __kprobes hw_breakpoint_handl
-       dr6_p = (unsigned long *)ERR_PTR(args->err);
-       dr6 = *dr6_p;
-+      /* If it's a single step, TRAP bits are random */
-+      if (dr6 & DR_STEP)
-+              return NOTIFY_DONE;
-+
-       /* Do an early return if no trap bits are set in DR6 */
-       if ((dr6 & DR_TRAP_BITS) == 0)
-               return NOTIFY_DONE;
diff --git a/queue-2.6.33/x86-intr-remap-set-redirection-hint-in-the-irte.patch b/queue-2.6.33/x86-intr-remap-set-redirection-hint-in-the-irte.patch
deleted file mode 100644 (file)
index 25b354b..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-From 75e3cfbed6f71a8f151dc6e413b6ce3c390030cb Mon Sep 17 00:00:00 2001
-From: Suresh Siddha <suresh.b.siddha@intel.com>
-Date: Fri, 27 Aug 2010 11:09:48 -0700
-Subject: x86, intr-remap: Set redirection hint in the IRTE
-
-From: Suresh Siddha <suresh.b.siddha@intel.com>
-
-commit 75e3cfbed6f71a8f151dc6e413b6ce3c390030cb upstream.
-
-Currently the redirection hint in the interrupt-remapping table entry
-is set to 0, which means the remapped interrupt is directed to the
-processors listed in the destination. So in logical flat mode
-in the presence of intr-remapping, this results in a single
-interrupt multi-casted to multiple cpu's as specified by the destination
-bit mask. But what we really want is to send that interrupt to one of the cpus
-based on the lowest priority delivery mode.
-
-Set the redirection hint in the IRTE to '1' to indicate that we want
-the remapped interrupt to be directed to only one of the processors
-listed in the destination.
-
-This fixes the issue of same interrupt getting delivered to multiple cpu's
-in the logical flat mode in the presence of interrupt-remapping. While
-there is no functional issue observed with this behavior, this will
-impact performance of such configurations (<=8 cpu's using logical flat
-mode in the presence of interrupt-remapping)
-
-Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
-LKML-Reference: <20100827181049.013051492@sbsiddha-MOBL3.sc.intel.com>
-Cc: Weidong Han <weidong.han@intel.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/apic/io_apic.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/arch/x86/kernel/apic/io_apic.c
-+++ b/arch/x86/kernel/apic/io_apic.c
-@@ -1399,6 +1399,7 @@ int setup_ioapic_entry(int apic_id, int
-               irte.dlvry_mode = apic->irq_delivery_mode;
-               irte.vector = vector;
-               irte.dest_id = IRTE_DEST(destination);
-+              irte.redir_hint = 1;
-               /* Set source-id of interrupt request */
-               set_ioapic_sid(&irte, apic_id);
-@@ -3358,6 +3359,7 @@ static int msi_compose_msg(struct pci_de
-               irte.dlvry_mode = apic->irq_delivery_mode;
-               irte.vector = cfg->vector;
-               irte.dest_id = IRTE_DEST(dest);
-+              irte.redir_hint = 1;
-               /* Set source-id of interrupt request */
-               if (pdev)
diff --git a/queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch b/queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch
deleted file mode 100644 (file)
index 069bcfa..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Tue, 28 Sep 2010 20:57:19 +0200
-Subject: x86, irq: Plug memory leak in sparse irq
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream.
-
-free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this
-triggers a use after free caused by the fact that copying struct
-irq_cfg is done with memcpy, which copies the pointer not the cpumask.
-
-Fix both places.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Yinghai Lu <yhlu.kernel@gmail.com>
-LKML-Reference: <alpine.LFD.2.00.1009282052570.2416@localhost6.localdomain6>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/apic/io_apic.c |   11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
---- a/arch/x86/kernel/apic/io_apic.c
-+++ b/arch/x86/kernel/apic/io_apic.c
-@@ -316,14 +316,19 @@ void arch_init_copy_chip_data(struct irq
-       old_cfg = old_desc->chip_data;
--      memcpy(cfg, old_cfg, sizeof(struct irq_cfg));
-+      cfg->vector = old_cfg->vector;
-+      cfg->move_in_progress = old_cfg->move_in_progress;
-+      cpumask_copy(cfg->domain, old_cfg->domain);
-+      cpumask_copy(cfg->old_domain, old_cfg->old_domain);
-       init_copy_irq_2_pin(old_cfg, cfg, node);
- }
--static void free_irq_cfg(struct irq_cfg *old_cfg)
-+static void free_irq_cfg(struct irq_cfg *cfg)
- {
--      kfree(old_cfg);
-+      free_cpumask_var(cfg->domain);
-+      free_cpumask_var(cfg->old_domain);
-+      kfree(cfg);
- }
- void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)
diff --git a/queue-2.6.33/x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch b/queue-2.6.33/x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch
deleted file mode 100644 (file)
index 4081fe4..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From 37a2f9f30a360fb03522d15c85c78265ccd80287 Mon Sep 17 00:00:00 2001
-From: Cliff Wickman <cpw@sgi.com>
-Date: Wed, 8 Sep 2010 10:14:27 -0500
-Subject: x86, kdump: Change copy_oldmem_page() to use cached addressing
-
-From: Cliff Wickman <cpw@sgi.com>
-
-commit 37a2f9f30a360fb03522d15c85c78265ccd80287 upstream.
-
-The copy of /proc/vmcore to a user buffer proceeds much faster
-if the kernel addresses memory as cached.
-
-With this patch we have seen an increase in transfer rate from
-less than 15MB/s to 80-460MB/s, depending on size of the
-transfer. This makes a big difference in time needed to save a
-system dump.
-
-Signed-off-by: Cliff Wickman <cpw@sgi.com>
-Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
-Cc: kexec@lists.infradead.org
-LKML-Reference: <E1OtMLz-0001yp-Ia@eag09.americas.sgi.com>
-Signed-off-by: Ingo Molnar <mingo@elte.hu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/crash_dump_64.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/crash_dump_64.c
-+++ b/arch/x86/kernel/crash_dump_64.c
-@@ -34,7 +34,7 @@ ssize_t copy_oldmem_page(unsigned long p
-       if (!csize)
-               return 0;
--      vaddr = ioremap(pfn << PAGE_SHIFT, PAGE_SIZE);
-+      vaddr = ioremap_cache(pfn << PAGE_SHIFT, PAGE_SIZE);
-       if (!vaddr)
-               return -ENOMEM;
diff --git a/queue-2.6.33/x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch b/queue-2.6.33/x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch
deleted file mode 100644 (file)
index f14b272..0000000
+++ /dev/null
@@ -1,145 +0,0 @@
-From 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce Mon Sep 17 00:00:00 2001
-From: Alok Kataria <akataria@vmware.com>
-Date: Mon, 11 Oct 2010 14:37:08 -0700
-Subject: x86, kexec: Make sure to stop all CPUs before exiting the kernel
-
-From: Alok Kataria <akataria@vmware.com>
-
-commit 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce upstream.
-
-x86 smp_ops now has a new op, stop_other_cpus which takes a parameter
-"wait" this allows the caller to specify if it wants to stop until all
-the cpus have processed the stop IPI.  This is required specifically
-for the kexec case where we should wait for all the cpus to be stopped
-before starting the new kernel.  We now wait for the cpus to stop in
-all cases except for panic/kdump where we expect things to be broken
-and we are doing our best to make things work anyway.
-
-This patch fixes a legitimate regression, which was introduced during
-2.6.30, by commit id 4ef702c10b5df18ab04921fc252c26421d4d6c75.
-
-Signed-off-by: Alok N Kataria <akataria@vmware.com>
-LKML-Reference: <1286833028.1372.20.camel@ank32.eng.vmware.com>
-Cc: Eric W. Biederman <ebiederm@xmission.com>
-Cc: Jeremy Fitzhardinge <jeremy@xensource.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/include/asm/smp.h |    9 +++++++--
- arch/x86/kernel/reboot.c   |    2 +-
- arch/x86/kernel/smp.c      |   15 +++++++++------
- arch/x86/xen/enlighten.c   |    2 +-
- arch/x86/xen/smp.c         |    6 +++---
- 5 files changed, 21 insertions(+), 13 deletions(-)
-
---- a/arch/x86/include/asm/smp.h
-+++ b/arch/x86/include/asm/smp.h
-@@ -50,7 +50,7 @@ struct smp_ops {
-       void (*smp_prepare_cpus)(unsigned max_cpus);
-       void (*smp_cpus_done)(unsigned max_cpus);
--      void (*smp_send_stop)(void);
-+      void (*stop_other_cpus)(int wait);
-       void (*smp_send_reschedule)(int cpu);
-       int (*cpu_up)(unsigned cpu);
-@@ -73,7 +73,12 @@ extern struct smp_ops smp_ops;
- static inline void smp_send_stop(void)
- {
--      smp_ops.smp_send_stop();
-+      smp_ops.stop_other_cpus(0);
-+}
-+
-+static inline void stop_other_cpus(void)
-+{
-+      smp_ops.stop_other_cpus(1);
- }
- static inline void smp_prepare_boot_cpu(void)
---- a/arch/x86/kernel/reboot.c
-+++ b/arch/x86/kernel/reboot.c
-@@ -633,7 +633,7 @@ void native_machine_shutdown(void)
-       /* O.K Now that I'm on the appropriate processor,
-        * stop all of the others.
-        */
--      smp_send_stop();
-+      stop_other_cpus();
- #endif
-       lapic_shutdown();
---- a/arch/x86/kernel/smp.c
-+++ b/arch/x86/kernel/smp.c
-@@ -158,10 +158,10 @@ asmlinkage void smp_reboot_interrupt(voi
-       irq_exit();
- }
--static void native_smp_send_stop(void)
-+static void native_stop_other_cpus(int wait)
- {
-       unsigned long flags;
--      unsigned long wait;
-+      unsigned long timeout;
-       if (reboot_force)
-               return;
-@@ -178,9 +178,12 @@ static void native_smp_send_stop(void)
-       if (num_online_cpus() > 1) {
-               apic->send_IPI_allbutself(REBOOT_VECTOR);
--              /* Don't wait longer than a second */
--              wait = USEC_PER_SEC;
--              while (num_online_cpus() > 1 && wait--)
-+              /*
-+               * Don't wait longer than a second if the caller
-+               * didn't ask us to wait.
-+               */
-+              timeout = USEC_PER_SEC;
-+              while (num_online_cpus() > 1 && (wait || timeout--))
-                       udelay(1);
-       }
-@@ -226,7 +229,7 @@ struct smp_ops smp_ops = {
-       .smp_prepare_cpus       = native_smp_prepare_cpus,
-       .smp_cpus_done          = native_smp_cpus_done,
--      .smp_send_stop          = native_smp_send_stop,
-+      .stop_other_cpus        = native_stop_other_cpus,
-       .smp_send_reschedule    = native_smp_send_reschedule,
-       .cpu_up                 = native_cpu_up,
---- a/arch/x86/xen/enlighten.c
-+++ b/arch/x86/xen/enlighten.c
-@@ -1000,7 +1000,7 @@ static void xen_reboot(int reason)
-       struct sched_shutdown r = { .reason = reason };
- #ifdef CONFIG_SMP
--      smp_send_stop();
-+      stop_other_cpus();
- #endif
-       if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
---- a/arch/x86/xen/smp.c
-+++ b/arch/x86/xen/smp.c
-@@ -397,9 +397,9 @@ static void stop_self(void *v)
-       BUG();
- }
--static void xen_smp_send_stop(void)
-+static void xen_stop_other_cpus(int wait)
- {
--      smp_call_function(stop_self, NULL, 0);
-+      smp_call_function(stop_self, NULL, wait);
- }
- static void xen_smp_send_reschedule(int cpu)
-@@ -467,7 +467,7 @@ static const struct smp_ops xen_smp_ops
-       .cpu_disable = xen_cpu_disable,
-       .play_dead = xen_play_dead,
--      .smp_send_stop = xen_smp_send_stop,
-+      .stop_other_cpus = xen_stop_other_cpus,
-       .smp_send_reschedule = xen_smp_send_reschedule,
-       .send_call_func_ipi = xen_smp_send_call_function_ipi,
diff --git a/queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch b/queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch
deleted file mode 100644 (file)
index 53b9c04..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From b7d460897739e02f186425b7276e3fdb1595cea7 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Tue, 24 Aug 2010 22:44:12 -0700
-Subject: x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline
-
-From: Hugh Dickins <hughd@google.com>
-
-commit b7d460897739e02f186425b7276e3fdb1595cea7 upstream.
-
-rc2 kernel crashes when booting second cpu on this CONFIG_VMSPLIT_2G_OPT
-laptop: whereas cloning from kernel to low mappings pgd range does need
-to limit by both KERNEL_PGD_PTRS and KERNEL_PGD_BOUNDARY, cloning kernel
-pgd range itself must not be limited by the smaller KERNEL_PGD_BOUNDARY.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-LKML-Reference: <alpine.LSU.2.00.1008242235120.2515@sister.anvils>
-Signed-off-by: H. Peter Anvin <hpa@zytor.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/trampoline.c |    3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
---- a/arch/x86/kernel/trampoline.c
-+++ b/arch/x86/kernel/trampoline.c
-@@ -45,8 +45,7 @@ void __init setup_trampoline_page_table(
-       /* Copy kernel address range */
-       clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY,
-                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
--                      min_t(unsigned long, KERNEL_PGD_PTRS,
--                            KERNEL_PGD_BOUNDARY));
-+                      KERNEL_PGD_PTRS);
-       /* Initialize low mappings */
-       clone_pgd_range(trampoline_pg_dir,
diff --git a/queue-2.6.33/x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch b/queue-2.6.33/x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch
deleted file mode 100644 (file)
index d120e33..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-From 3fdbf004c1706480a7c7fac3c9d836fa6df20d7d Mon Sep 17 00:00:00 2001
-From: Andreas Herrmann <andreas.herrmann3@amd.com>
-Date: Thu, 30 Sep 2010 14:32:35 +0200
-Subject: x86, mtrr: Assume SYS_CFG[Tom2ForceMemTypeWB] exists on all future AMD CPUs
-
-From: Andreas Herrmann <andreas.herrmann3@amd.com>
-
-commit 3fdbf004c1706480a7c7fac3c9d836fa6df20d7d upstream.
-
-Instead of adapting the CPU family check in amd_special_default_mtrr()
-for each new CPU family assume that all new AMD CPUs support the
-necessary bits in SYS_CFG MSR.
-
-Tom2Enabled is architectural (defined in APM Vol.2).
-Tom2ForceMemTypeWB is defined in all BKDGs starting with K8 NPT.
-In pre K8-NPT BKDG this bit is reserved (read as zero).
-
-W/o this adaption Linux would unnecessarily complain about bad MTRR
-settings on every new AMD CPU family, e.g.
-
-[    0.000000] WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing 4863MB of RAM.
-
-Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
-LKML-Reference: <20100930123235.GB20545@loge.amd.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/cpu/mtrr/cleanup.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/cpu/mtrr/cleanup.c
-+++ b/arch/x86/kernel/cpu/mtrr/cleanup.c
-@@ -977,7 +977,7 @@ int __init amd_special_default_mtrr(void
-       if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
-               return 0;
--      if (boot_cpu_data.x86 < 0xf || boot_cpu_data.x86 > 0x11)
-+      if (boot_cpu_data.x86 < 0xf)
-               return 0;
-       /* In case some hypervisor doesn't pass SYSCFG through: */
-       if (rdmsr_safe(MSR_K8_SYSCFG, &l, &h) < 0)
diff --git a/queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch b/queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
deleted file mode 100644 (file)
index 952b1c8..0000000
+++ /dev/null
@@ -1,78 +0,0 @@
-From 73cf624d029d776a33d0a80c695485b3f9b36231 Mon Sep 17 00:00:00 2001
-From: Yinghai Lu <yinghai@kernel.org>
-Date: Sun, 10 Oct 2010 19:52:15 -0700
-Subject: x86, numa: For each node, register the memory blocks actually used
-
-From: Yinghai Lu <yinghai@kernel.org>
-
-commit 73cf624d029d776a33d0a80c695485b3f9b36231 upstream.
-
-Russ reported SGI UV is broken recently. He said:
-
-| The SRAT table shows that memory range is spread over two nodes.
-|
-| SRAT: Node 0 PXM 0 100000000-800000000
-| SRAT: Node 1 PXM 1 800000000-1000000000
-| SRAT: Node 0 PXM 0 1000000000-1080000000
-|
-|Previously, the kernel early_node_map[] would show three entries
-|with the proper node.
-|
-|[    0.000000]     0: 0x00100000 -> 0x00800000
-|[    0.000000]     1: 0x00800000 -> 0x01000000
-|[    0.000000]     0: 0x01000000 -> 0x01080000
-|
-|The problem is recent community kernel early_node_map[] shows
-|only two entries with the node 0 entry overlapping the node 1
-|entry.
-|
-|    0: 0x00100000 -> 0x01080000
-|    1: 0x00800000 -> 0x01000000
-
-After looking at the changelog, Found out that it has been broken for a while by
-following commit
-
-|commit 8716273caef7f55f39fe4fc6c69c5f9f197f41f1
-|Author: David Rientjes <rientjes@google.com>
-|Date:   Fri Sep 25 15:20:04 2009 -0700
-|
-|    x86: Export srat physical topology
-
-Before that commit, register_active_regions() is called for every SRAT memory
-entry right away.
-
-Use nodememblk_range[] instead of nodes[] in order to make sure we
-capture the actual memory blocks registered with each node.  nodes[]
-contains an extended range which spans all memory regions associated
-with a node, but that does not mean that all the memory in between are
-included.
-
-Reported-by: Russ Anderson <rja@sgi.com>
-Tested-by: Russ Anderson <rja@sgi.com>
-Signed-off-by: Yinghai Lu <yinghai@kernel.org>
-LKML-Reference: <4CB27BDF.5000800@kernel.org>
-Acked-by: David Rientjes <rientjes@google.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/mm/srat_64.c |    8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
---- a/arch/x86/mm/srat_64.c
-+++ b/arch/x86/mm/srat_64.c
-@@ -372,9 +372,11 @@ int __init acpi_scan_nodes(unsigned long
-               return -1;
-       }
--      for_each_node_mask(i, nodes_parsed)
--              e820_register_active_regions(i, nodes[i].start >> PAGE_SHIFT,
--                                              nodes[i].end >> PAGE_SHIFT);
-+      for (i = 0; i < num_node_memblks; i++)
-+              e820_register_active_regions(memblk_nodeid[i],
-+                              node_memblk_range[i].start >> PAGE_SHIFT,
-+                              node_memblk_range[i].end >> PAGE_SHIFT);
-+
-       /* for out of order entries in SRAT */
-       sort_node_map();
-       if (!nodes_cover_memory(nodes)) {
diff --git a/queue-2.6.33/x86-olpc-don-t-retry-ec-commands-forever.patch b/queue-2.6.33/x86-olpc-don-t-retry-ec-commands-forever.patch
deleted file mode 100644 (file)
index 7b184d2..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-From 286e5b97eb22baab9d9a41ca76c6b933a484252c Mon Sep 17 00:00:00 2001
-From: Paul Fox <pgf@laptop.org>
-Date: Fri, 1 Oct 2010 18:17:19 +0100
-Subject: x86, olpc: Don't retry EC commands forever
-
-From: Paul Fox <pgf@laptop.org>
-
-commit 286e5b97eb22baab9d9a41ca76c6b933a484252c upstream.
-
-Avoids a potential infinite loop.
-
-It was observed once, during an EC hacking/debugging
-session - not in regular operation.
-
-Signed-off-by: Daniel Drake <dsd@laptop.org>
-Cc: dilinger@queued.net
-Signed-off-by: Ingo Molnar <mingo@elte.hu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/kernel/olpc.c |    5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/arch/x86/kernel/olpc.c
-+++ b/arch/x86/kernel/olpc.c
-@@ -115,6 +115,7 @@ int olpc_ec_cmd(unsigned char cmd, unsig
-       unsigned long flags;
-       int ret = -EIO;
-       int i;
-+      int restarts = 0;
-       spin_lock_irqsave(&ec_lock, flags);
-@@ -171,7 +172,9 @@ restart:
-                       if (wait_on_obf(0x6c, 1)) {
-                               printk(KERN_ERR "olpc-ec:  timeout waiting for"
-                                               " EC to provide data!\n");
--                              goto restart;
-+                              if (restarts++ < 10)
-+                                      goto restart;
-+                              goto err;
-                       }
-                       outbuf[i] = inb(0x68);
-                       printk(KERN_DEBUG "olpc-ec:  received 0x%x\n",
diff --git a/queue-2.6.33/xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch b/queue-2.6.33/xen-don-t-bother-to-stop-other-cpus-on-shutdown-reboot.patch
deleted file mode 100644 (file)
index c9666f7..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 31e323cca9d5c8afd372976c35a5d46192f540d1 Mon Sep 17 00:00:00 2001
-From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-Date: Mon, 29 Nov 2010 14:16:53 -0800
-Subject: xen: don't bother to stop other cpus on shutdown/reboot
-
-From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-
-commit 31e323cca9d5c8afd372976c35a5d46192f540d1 upstream.
-
-Xen will shoot all the VCPUs when we do a shutdown hypercall, so there's
-no need to do it manually.
-
-In any case it will fail because all the IPI irqs have been pulled
-down by this point, so the cross-CPU calls will simply hang forever.
-
-Until change 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce the function calls
-were not synchronously waited for, so this wasn't apparent.  However after
-that change the calls became synchronous leading to a hang on shutdown
-on multi-VCPU guests.
-
-Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-Cc: Alok Kataria <akataria@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- arch/x86/xen/enlighten.c |    4 ----
- 1 file changed, 4 deletions(-)
-
---- a/arch/x86/xen/enlighten.c
-+++ b/arch/x86/xen/enlighten.c
-@@ -999,10 +999,6 @@ static void xen_reboot(int reason)
- {
-       struct sched_shutdown r = { .reason = reason };
--#ifdef CONFIG_SMP
--      stop_other_cpus();
--#endif
--
-       if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
-               BUG();
- }
diff --git a/queue-2.6.33/xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch b/queue-2.6.33/xen-ensure-that-all-event-channels-start-off-bound-to-vcpu-0.patch
deleted file mode 100644 (file)
index 35b7751..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From b0097adeec27e30223c989561ab0f7aa60d1fe93 Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell@citrix.com>
-Date: Fri, 8 Oct 2010 16:59:12 +0100
-Subject: xen: ensure that all event channels start off bound to VCPU 0
-
-From: Ian Campbell <ian.campbell@citrix.com>
-
-commit b0097adeec27e30223c989561ab0f7aa60d1fe93 upstream.
-
-All event channels startbound to VCPU 0 so ensure that cpu_evtchn_mask
-is initialised to reflect this. Otherwise there is a race after registering an
-event channel but before the affinity is explicitly set where the event channel
-can be delivered. If this happens then the event channel remains pending in the
-L1 (evtchn_pending) array but is cleared in L2 (evtchn_pending_sel), this means
-the event channel cannot be reraised until another event channel happens to
-trigger the same L2 entry on that VCPU.
-
-sizeof(cpu_evtchn_mask(0))==sizeof(unsigned long*) which is not correct, and
-causes only the first 32 or 64 event channels (depending on architecture) to be
-initially bound to VCPU0. Use sizeof(struct cpu_evtchn_s) instead.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Cc: Jeremy Fitzhardinge <jeremy@goop.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- drivers/xen/events.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/xen/events.c
-+++ b/drivers/xen/events.c
-@@ -254,7 +254,7 @@ static void init_evtchn_cpu_bindings(voi
-       }
- #endif
--      memset(cpu_evtchn_mask(0), ~0, sizeof(cpu_evtchn_mask(0)));
-+      memset(cpu_evtchn_mask(0), ~0, sizeof(struct cpu_evtchn_s));
- }
- static inline void clear_evtchn(int port)
diff --git a/queue-2.6.33/xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch b/queue-2.6.33/xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch
deleted file mode 100644 (file)
index 3ce3a20..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 25963c2c4f9a38c02df9ecad6b86df328f651ba2 Mon Sep 17 00:00:00 2001
-From: Ulrich Weber <uweber@astaro.com>
-Date: Tue, 5 Oct 2010 13:46:19 +0200
-Subject: xfrm4: strip ECN and IP Precedence bits in policy lookup
-
-
-From: Ulrich Weber <uweber@astaro.com>
-
-[ Upstream commit 94e2238969e89f5112297ad2a00103089dde7e8f ]
-
-dont compare ECN and IP Precedence bits in find_bundle
-and use ECN bit stripped TOS value in xfrm_lookup
-
-Signed-off-by: Ulrich Weber <uweber@astaro.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
- net/ipv4/xfrm4_policy.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/xfrm4_policy.c
-+++ b/net/ipv4/xfrm4_policy.c
-@@ -70,7 +70,7 @@ __xfrm4_find_bundle(struct flowi *fl, st
-               if (xdst->u.rt.fl.oif == fl->oif &&     /*XXX*/
-                   xdst->u.rt.fl.fl4_dst == fl->fl4_dst &&
-                   xdst->u.rt.fl.fl4_src == fl->fl4_src &&
--                  xdst->u.rt.fl.fl4_tos == fl->fl4_tos &&
-+                    !((xdst->u.rt.fl.fl4_tos ^ fl->fl4_tos) & IPTOS_RT_MASK) &&
-                   xfrm_bundle_ok(policy, xdst, fl, AF_INET, 0)) {
-                       dst_clone(dst);
-                       break;
-@@ -82,7 +82,7 @@ __xfrm4_find_bundle(struct flowi *fl, st
- static int xfrm4_get_tos(struct flowi *fl)
- {
--      return fl->fl4_tos;
-+      return IPTOS_RT_MASK & fl->fl4_tos; /* Strip ECN bits */
- }
- static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,