[kernel] r19768 - in dists/squeeze-security/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/all/stable debian/patches/bugfix/ia64 debian/patches/bugfix/x86 debian/patches/debian debian/patches/features/all/hpsa debian/patches/features/all/megaraid_sas debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/features/x86 debian/patches/features/x86/isci debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jan 22 06:01:57 UTC 2013
Author: dannf
Date: Tue Jan 22 06:01:55 2013
New Revision: 19768
Log:
merge 2.6.32-47
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/stable/2.6.32.60.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/stable/2.6.32.60.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
dists/squeeze-security/linux-2.6/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch
dists/squeeze-security/linux-2.6/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/megaraid_sas/
- copied from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/megaraid_sas/
dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch
dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch
dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch
dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch
dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch
dists/squeeze-security/linux-2.6/debian/patches/features/x86/isci/
- copied from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/isci/
dists/squeeze-security/linux-2.6/debian/patches/series/47
- copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/series/47
dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
- copied unchanged from r19767, dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1
Deleted:
dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1
Modified:
dists/squeeze-security/linux-2.6/ (props changed)
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Jan 21 04:42:29 2013 (r19767)
+++ dists/squeeze-security/linux-2.6/debian/changelog Tue Jan 22 06:01:55 2013 (r19768)
@@ -1,9 +1,106 @@
-linux-2.6 (2.6.32-46squeeze1) UNRELEASED; urgency=high
+linux-2.6 (2.6.32-47squeeze1) UNRELEASED; urgency=high
* kmod: make __request_module() killable (CVE-2012-4398)
-- dann frazier <dannf at debian.org> Mon, 22 Oct 2012 20:34:13 -0500
+linux-2.6 (2.6.32-47) stable; urgency=low
+
+ [ Ben Hutchings ]
+ * [x86] ALSA: hda_intel: Add device/class IDs for Intel Patsburg,
+ Vortex86MX, VMware, Intel Panther Point and other Intel chips
+ (Closes: #689928)
+ * header: fix broken headers for user space (Closes: #692133)
+ * nfsv4: Fix kernel panic when mounting NFSv4 (Closes: #695872)
+ * hpsa: Backport changes up to Linux 3.2.35 (Closes: #690100)
+ * net: fix route cache rebuilds (Closes: #646063)
+ * Add longterm release 2.6.32.60, including:
+ - netxen: support for GbE port settings (Closes: #638921)
+ - futex: Fix uninterruptible loop due to gate_area
+ - time: Improve sanity checking of timekeeping inputs
+ - eCryptfs: Copy up lower inode attrs after setting lower xattr
+ - eCryptfs: Clear ECRYPTFS_NEW_FILE flag during truncate
+ - bonding: 802.3ad - fix agg_device_up
+ - usbnet: increase URB reference count before usb_unlink_urb
+ - usbnet: don't clear urb->dev in tx_complete
+ - xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()
+ - nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+ - ntp: Fix integer overflow when setting time
+ - ext4: check for zero length extent
+ - Bluetooth: add NULL pointer check in HCI
+ - Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
+ - phonet: Check input from user before allocating
+ - netlink: fix races after skb queueing
+ - net: fix a race in sock_queue_err_skb()
+ - net/ethernet: ks8851_mll fix rx frame buffer overflow
+ - NFSv4: Revalidate uid/gid after open (Closes: #659111)
+ - ext3: Fix error handling on inode bitmap corruption
+ - ext4: fix error handling on inode bitmap corruption
+ - SCSI: fix scsi_wait_scan
+ - fuse: fix stat call on 32 bit platforms
+ - udf: Improve table length check to avoid possible overflow
+ - eCryptfs: Properly check for O_RDONLY flag before doing privileged open
+ - mm: Hold a file reference in madvise_remove (CVE-2012-3511)
+ - SCSI: Avoid dangling pointer in scsi_requeue_command()
+ - usbdevfs: Correct amount of data copied to user in processcompl_compat
+ - ext4: don't let i_reserved_meta_blocks go negative
+ - sctp: Fix list corruption resulting from freeing an association on a list
+ - cipso: don't follow a NULL pointer when setsockopt() is called
+ - net/tun: fix ioctl() based info leaks
+ - futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
+ - futex: Fix bug in WARN_ON for NULL q.pi_state
+ - futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()
+ - mm: mmu_notifier: fix freed page still mapped in secondary MMU
+ - fuse: verify all ioctl retry iov elements
+ - vfs: missed source of ->f_pos races - compat_sys_{read,write}v()
+ - NFSv3: Ensure that do_proc_get_root() reports errors correctly
+ - Remove user-triggerable BUG from mpol_to_str
+ - udf: Fix data corruption for files in ICB
+ - ext3: Fix fdatasync() for files with only i_size changes
+ - dccp: check ccid before dereferencing
+ - [ia64] Add accept4() syscall (Closes: #647825)
+ - tcp: drop SYN+FIN messages
+ - [x86] amd, xen: Avoid NULL pointer paravirt references
+ - [x86] tls: Off by one limit check
+ - sparc64: Eliminate obsolete __handle_softirq() function
+ - udf: fix retun value on error path in udf_load_logicalvol
+ - epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()
+ - epoll: ep_unregister_pollwait() can use the freed pwq->whead
+ - Don't limit non-nested epoll paths
+ - epoll: limit paths (CVE-2011-1083)
+ - epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375)
+ - random: Improve random number generation on non-interactive systems
+ + random: Use arch_get_random_int instead of cycle counter if avail
+ + random: Use arch-specific RNG to initialize the entropy store
+ + random: make 'add_interrupt_randomness()' do something sane
+ + usb: feed USB device information to the /dev/random driver
+ + net: feed /dev/random with the MAC address when registering a device
+ + rtc: wm831x: Feed the write counter into device_add_randomness()
+ + mfd: wm831x: Feed the device UUID into device_add_randomness()
+ + dmi: Feed DMI table to /dev/random driver
+ For the complete list of changes, see:
+ http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.60
+ and the bug report which this closes: #698022.
+ - [ia64] Revert "pcdp: use early_ioremap/early_iounmap to access pcdp
+ table", which breaks compilation of this driver
+ * [x86] Don't use the EFI reboot method by default (Closes: #626022)
+ * [x86] drm/i915: Attempt to fix watermark setup on 85x (v2)
+ (Closes: #661696)
+ * [x86] isci: Backport changes up to Linux 3.2.35 (Closes: #698094)
+ * [amd64] rtl8192e: Fix transmit on 64-bit architectures (Closes: #698473)
+ * [x86] usbip: Fix loss of isochronous packets that require padding
+ (Closes: #698474)
+ * staging: Fix various log messages that were broken on 64-bit architectures
+ (Closes: #698475)
+ * [x86] xen/x86: don't corrupt %eip when returning from a signal handler
+ * [i386] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+ guests. (CVE-2013-0190)
+
+ [ Jonathan Nieder ]
+ * megaraid_sas: Backport changes up to Linux 3.0.56 (Closes: #666108)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 19 Jan 2013 05:00:07 +0000
+
linux-2.6 (2.6.32-46) stable; urgency=high
[ Bastian Blank ]
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch)
@@ -0,0 +1,39 @@
+From: Changli Gao <xiaosuo at gmail.com>
+Date: Sun, 22 Aug 2010 17:25:05 +0000
+Subject: header: fix broken headers for user space
+Bug-Debian: http://bugs.debian.org/692133
+
+commit 09cd2b99c6cdd1e14e84c1febca2fb91e9f4e5ba upstream.
+
+__packed is only defined in kernel space, so we should use
+__attribute__((packed)) for the code shared between kernel and user space.
+
+Two __attribute() annotations are replaced with __attribute__() too.
+
+Signed-off-by: Changli Gao <xiaosuo at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: most changes were unneeded, as the headers had
+ not yet been wrongly converted to use __packed]
+---
+--- a/include/linux/if_pppox.h
++++ b/include/linux/if_pppox.h
+@@ -92,7 +92,7 @@ struct pppoe_tag {
+ __be16 tag_type;
+ __be16 tag_len;
+ char tag_data[0];
+-} __attribute ((packed));
++} __attribute__ ((packed));
+
+ /* Tag identifiers */
+ #define PTT_EOL __cpu_to_be16(0x0000)
+--- a/include/linux/rfkill.h
++++ b/include/linux/rfkill.h
+@@ -78,7 +78,7 @@ struct rfkill_event {
+ __u8 type;
+ __u8 op;
+ __u8 soft, hard;
+-} __packed;
++} __attribute__((packed));
+
+ /*
+ * We are planning to be backward and forward compatible with changes
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch)
@@ -0,0 +1,139 @@
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Mon, 20 Dec 2010 21:19:26 +0000
+Subject: kernel panic when mount NFSv4
+
+commit beb0f0a9fba1fa98b378329a9a5b0a73f25097ae upstream.
+
+On Tue, 2010-12-14 at 16:58 +0800, Mi Jinlong wrote:
+> Hi,
+>
+> When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
+> at NFS client's __rpc_create_common function.
+>
+> The panic place is:
+> rpc_mkpipe
+> __rpc_lookup_create() <=== find pipefile *idmap*
+> __rpc_mkpipe() <=== pipefile is *idmap*
+> __rpc_create_common()
+> ****** BUG_ON(!d_unhashed(dentry)); ****** *panic*
+>
+> It means that the dentry's d_flags have be set DCACHE_UNHASHED,
+> but it should not be set here.
+>
+> Is someone known this bug? or give me some idea?
+>
+> A reproduce program is append, but it can't reproduce the bug every time.
+> the export is: "/nfsroot *(rw,no_root_squash,fsid=0,insecure)"
+>
+> And the panic message is append.
+>
+> ============================================================================
+> #!/bin/sh
+>
+> LOOPTOTAL=768
+> LOOPCOUNT=0
+> ret=0
+>
+> while [ $LOOPCOUNT -ne $LOOPTOTAL ]
+> do
+> ((LOOPCOUNT += 1))
+> service nfs restart
+> /usr/sbin/rpc.idmapd
+> mount -t nfs4 127.0.0.1:/ /mnt|| return 1;
+> ls -l /var/lib/nfs/rpc_pipefs/nfs/*/
+> umount /mnt
+> echo $LOOPCOUNT
+> done
+>
+> ===============================================================================
+> Code: af 60 01 00 00 89 fa 89 f0 e8 64 cf 89 f0 e8 5c 7c 64 cf 31 c0 8b 5c 24 10 8b
+> 74 24 14 8b 7c 24 18 8b 6c 24 1c 83 c4 20 c3 <0f> 0b eb fc 8b 46 28 c7 44 24 08 20
+> de ee f0 c7 44 24 04 56 ea
+> EIP:[<f0ee92ea>] __rpc_create_common+0x8a/0xc0 [sunrpc] SS:ESP 0068:eccb5d28
+> ---[ end trace 8f5606cd08928ed2]---
+> Kernel panic - not syncing: Fatal exception
+> Pid:7131, comm: mount.nfs4 Tainted: G D -------------------2.6.32 #1
+> Call Trace:
+> [<c080ad18>] ? panic+0x42/0xed
+> [<c080e42c>] ? oops_end+0xbc/0xd0
+> [<c040b090>] ? do_invalid_op+0x0/0x90
+> [<c040b10f>] ? do_invalid_op+0x7f/0x90
+> [<f0ee92ea>] ? __rpc_create_common+0x8a/0xc0[sunrpc]
+> [<f0edc433>] ? rpc_free_task+0x33/0x70[sunrpc]
+> [<f0ed6508>] ? prc_call_sync+0x48/0x60[sunrpc]
+> [<f0ed656e>] ? rpc_ping+0x4e/0x60[sunrpc]
+> [<f0ed6eaf>] ? rpc_create+0x38f/0x4f0[sunrpc]
+> [<c080d80b>] ? error_code+0x73/0x78
+> [<f0ee92ea>] ? __rpc_create_common+0x8a/0xc0[sunrpc]
+> [<c0532bda>] ? d_lookup+0x2a/0x40
+> [<f0ee94b1>] ? rpc_mkpipe+0x111/0x1b0[sunrpc]
+> [<f10a59f4>] ? nfs_create_rpc_client+0xb4/0xf0[nfs]
+> [<f10d6c6d>] ? nfs_fscache_get_client_cookie+0x1d/0x50[nfs]
+> [<f10d3fcb>] ? nfs_idmap_new+0x7b/0x140[nfs]
+> [<c05e76aa>] ? strlcpy+0x3a/0x60
+> [<f10a60ca>] ? nfs4_set_client+0xea/0x2b0[nfs]
+> [<f10a6d0c>] ? nfs4_create_server+0xac/0x1b0[nfs]
+> [<c04f1400>] ? krealloc+0x40/0x50
+> [<f10b0e8b>] ? nfs4_remote_get_sb+0x6b/0x250[nfs]
+> [<c04f14ec>] ? kstrdup+0x3c/0x60
+> [<c0520739>] ? vfs_kern_mount+0x69/0x170
+> [<f10b1a3c>] ? nfs_do_root_mount+0x6c/0xa0[nfs]
+> [<f10b1b47>] ? nfs4_try_mount+0x37/0xa0[nfs]
+> [<f10afe6d>] ? nfs4_validate_text_mount_data+-x7d/0xf0[nfs]
+> [<f10b1c42>] ? nfs4_get_sb+0x92/0x2f0
+> [<c0520739>] ? vfs_kern_mount+0x69/0x170
+> [<c05366d2>] ? get_fs_type+0x32/0xb0
+> [<c052089f>] ? do_kern_mount+0x3f/0xe0
+> [<c053954f>] ? do_mount+0x2ef/0x740
+> [<c0537740>] ? copy_mount_options+0xb0/0x120
+> [<c0539a0e>] ? sys_mount+0x6e/0xa0
+
+Hi,
+
+Does the following patch fix the problem?
+
+Cheers
+ Trond
+
+--------------------------
+SUNRPC: Fix a BUG in __rpc_create_common
+
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+Mi Jinlong reports:
+
+When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
+at NFS client's __rpc_create_common function.
+
+The panic place is:
+ rpc_mkpipe
+ __rpc_lookup_create() <=== find pipefile *idmap*
+ __rpc_mkpipe() <=== pipefile is *idmap*
+ __rpc_create_common()
+ ****** BUG_ON(!d_unhashed(dentry)); ****** *panic*
+
+The test is wrong: we can find ourselves with a hashed negative dentry here
+if the idmapper tried to look up the file before we got round to creating
+it.
+
+Just replace the BUG_ON() with a d_drop(dentry).
+
+Reported-by: Mi Jinlong <mijinlong at cn.fujitsu.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+---
+ net/sunrpc/rpc_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
+index 10a17a3..5356d95 100644
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -466,7 +466,7 @@ static int __rpc_create_common(struct inode *dir, struct dentry *dentry,
+ {
+ struct inode *inode;
+
+- BUG_ON(!d_unhashed(dentry));
++ d_drop(dentry);
+ inode = rpc_get_inode(dir->i_sb, mode);
+ if (!inode)
+ goto out_err;
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch)
@@ -0,0 +1,145 @@
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Mon, 8 Mar 2010 03:20:00 +0000
+Subject: net: fix route cache rebuilds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 9837638727488922727b0cfd438039fa73364183 upstream.
+
+We added an automatic route cache rebuilding in commit 1080d709fb9d8cd43
+but had to correct few bugs. One of the assumption of original patch,
+was that entries where kept sorted in a given way.
+
+This assumption is known to be wrong (commit 1ddbcb005c395518 gave an
+explanation of this and corrected a leak) and expensive to respect.
+
+Paweł Staszewski reported to me one of his machine got its routing cache
+disabled after few messages like :
+
+[ 2677.850065] Route hash chain too long!
+[ 2677.850080] Adjust your secret_interval!
+[82839.662993] Route hash chain too long!
+[82839.662996] Adjust your secret_interval!
+[155843.731650] Route hash chain too long!
+[155843.731664] Adjust your secret_interval!
+[155843.811881] Route hash chain too long!
+[155843.811891] Adjust your secret_interval!
+[155843.858209] vlan0811: 5 rebuilds is over limit, route caching
+disabled
+[155843.858212] Route hash chain too long!
+[155843.858213] Adjust your secret_interval!
+
+This is because rt_intern_hash() might be fooled when computing a chain
+length, because multiple entries with same keys can differ because of
+TOS (or mark/oif) bits.
+
+In the rare case the fast algorithm see a too long chain, and before
+taking expensive path, we call a helper function in order to not count
+duplicates of same routes, that only differ with tos/mark/oif bits. This
+helper works with data already in cpu cache and is not be very
+expensive, despite its O(N^2) implementation.
+
+Paweł Staszewski sucessfully tested this patch on his loaded router.
+
+Reported-and-tested-by: Paweł Staszewski <pstaszewski at itcare.pl>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/route.c | 50 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index b2ba558..d9b4024 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -146,7 +146,6 @@ static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst);
+ static void ipv4_link_failure(struct sk_buff *skb);
+ static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu);
+ static int rt_garbage_collect(struct dst_ops *ops);
+-static void rt_emergency_hash_rebuild(struct net *net);
+
+
+ static struct dst_ops ipv4_dst_ops = {
+@@ -780,11 +779,30 @@ static void rt_do_flush(int process_context)
+ #define FRACT_BITS 3
+ #define ONE (1UL << FRACT_BITS)
+
++/*
++ * Given a hash chain and an item in this hash chain,
++ * find if a previous entry has the same hash_inputs
++ * (but differs on tos, mark or oif)
++ * Returns 0 if an alias is found.
++ * Returns ONE if rth has no alias before itself.
++ */
++static int has_noalias(const struct rtable *head, const struct rtable *rth)
++{
++ const struct rtable *aux = head;
++
++ while (aux != rth) {
++ if (compare_hash_inputs(&aux->fl, &rth->fl))
++ return 0;
++ aux = aux->u.dst.rt_next;
++ }
++ return ONE;
++}
++
+ static void rt_check_expire(void)
+ {
+ static unsigned int rover;
+ unsigned int i = rover, goal;
+- struct rtable *rth, *aux, **rthp;
++ struct rtable *rth, **rthp;
+ unsigned long samples = 0;
+ unsigned long sum = 0, sum2 = 0;
+ unsigned long delta;
+@@ -835,15 +853,7 @@ nofree:
+ * attributes don't unfairly skew
+ * the length computation
+ */
+- for (aux = rt_hash_table[i].chain;;) {
+- if (aux == rth) {
+- length += ONE;
+- break;
+- }
+- if (compare_hash_inputs(&aux->fl, &rth->fl))
+- break;
+- aux = aux->u.dst.rt_next;
+- }
++ length += has_noalias(rt_hash_table[i].chain, rth);
+ continue;
+ }
+ } else if (!rt_may_expire(rth, tmo, ip_rt_gc_timeout))
+@@ -1073,6 +1083,21 @@ work_done:
+ out: return 0;
+ }
+
++/*
++ * Returns number of entries in a hash chain that have different hash_inputs
++ */
++static int slow_chain_length(const struct rtable *head)
++{
++ int length = 0;
++ const struct rtable *rth = head;
++
++ while (rth) {
++ length += has_noalias(head, rth);
++ rth = rth->u.dst.rt_next;
++ }
++ return length >> FRACT_BITS;
++}
++
+ static int rt_intern_hash(unsigned hash, struct rtable *rt,
+ struct rtable **rp, struct sk_buff *skb)
+ {
+@@ -1185,7 +1210,8 @@ restart:
+ rt_free(cand);
+ }
+ } else {
+- if (chain_length > rt_chain_length_max) {
++ if (chain_length > rt_chain_length_max &&
++ slow_chain_length(rt_hash_table[hash].chain) > rt_chain_length_max) {
+ struct net *net = dev_net(rt->u.dst.dev);
+ int num = ++net->ipv4.current_rt_cache_rebuild_count;
+ if (!rt_caching(dev_net(rt->u.dst.dev))) {
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/stable/2.6.32.60.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/stable/2.6.32.60.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/stable/2.6.32.60.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/stable/2.6.32.60.patch)
@@ -0,0 +1,7716 @@
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index c840e7d..14c7fb0 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1725,6 +1725,11 @@ and is between 256 and 4096 characters. It is defined in the file
+
+ noresidual [PPC] Don't use residual data on PReP machines.
+
++ nordrand [X86] Disable the direct use of the RDRAND
++ instruction even if it is supported by the
++ processor. RDRAND is still available to user
++ space applications.
++
+ noresume [SWSUSP] Disables resume and restores original swap
+ space.
+
+diff --git a/Documentation/stable_kernel_rules.txt b/Documentation/stable_kernel_rules.txt
+index e6e482f..3c9d7ac 100644
+--- a/Documentation/stable_kernel_rules.txt
++++ b/Documentation/stable_kernel_rules.txt
+@@ -12,6 +12,12 @@ Rules on what kind of patches are accepted, and which ones are not, into the
+ marked CONFIG_BROKEN), an oops, a hang, data corruption, a real
+ security issue, or some "oh, that's not good" issue. In short, something
+ critical.
++ - Serious issues as reported by a user of a distribution kernel may also
++ be considered if they fix a notable performance or interactivity issue.
++ As these fixes are not as obvious and have a higher risk of a subtle
++ regression they should only be submitted by a distribution kernel
++ maintainer and include an addendum linking to a bugzilla entry if it
++ exists and additional information on the user-visible impact.
+ - New device IDs and quirks are also accepted.
+ - No "theoretical race condition" issues, unless an explanation of how the
+ race can be exploited is also provided.
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 613da5d..334258c 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -4379,7 +4379,7 @@ F: Documentation/blockdev/ramdisk.txt
+ F: drivers/block/brd.c
+
+ RANDOM NUMBER DRIVER
+-M: Matt Mackall <mpm at selenic.com>
++M: Theodore Ts'o" <tytso at mit.edu>
+ S: Maintained
+ F: drivers/char/random.c
+
+diff --git a/Makefile b/Makefile
+index 3a9a721..b0e245e 100644
+diff --git a/arch/arm/kernel/sys_arm.c b/arch/arm/kernel/sys_arm.c
+index ae4027bd..2dd070f 100644
+--- a/arch/arm/kernel/sys_arm.c
++++ b/arch/arm/kernel/sys_arm.c
+@@ -240,7 +240,7 @@ int kernel_execve(const char *filename, char *const argv[], char *const envp[])
+ "Ir" (THREAD_START_SP - sizeof(regs)),
+ "r" (®s),
+ "Ir" (sizeof(regs))
+- : "r0", "r1", "r2", "r3", "ip", "lr", "memory");
++ : "r0", "r1", "r2", "r3", "r8", "r9", "ip", "lr", "memory");
+
+ out:
+ return ret;
+diff --git a/arch/ia64/include/asm/unistd.h b/arch/ia64/include/asm/unistd.h
+index 5a5347f..08a0e5c 100644
+--- a/arch/ia64/include/asm/unistd.h
++++ b/arch/ia64/include/asm/unistd.h
+@@ -311,11 +311,12 @@
+ #define __NR_preadv 1319
+ #define __NR_pwritev 1320
+ #define __NR_rt_tgsigqueueinfo 1321
++#define __NR_accept4 1334
+
+ #ifdef __KERNEL__
+
+
+-#define NR_syscalls 298 /* length of syscall table */
++#define NR_syscalls 311 /* length of syscall table */
+
+ /*
+ * The following defines stop scripts/checksyscalls.sh from complaining about
+diff --git a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S
+index d0e7d37..e3be543 100644
+--- a/arch/ia64/kernel/entry.S
++++ b/arch/ia64/kernel/entry.S
+@@ -1806,6 +1806,19 @@ sys_call_table:
+ data8 sys_preadv
+ data8 sys_pwritev // 1320
+ data8 sys_rt_tgsigqueueinfo
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall // 1325
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall // 1330
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_ni_syscall
++ data8 sys_accept4
+
+ .org sys_call_table + 8*NR_syscalls // guard against failures to increase NR_syscalls
+ #endif /* __IA64_ASM_PARAVIRTUALIZED_NATIVE */
+diff --git a/arch/ia64/kernel/irq_ia64.c b/arch/ia64/kernel/irq_ia64.c
+index dd9d7b5..463b8a7 100644
+--- a/arch/ia64/kernel/irq_ia64.c
++++ b/arch/ia64/kernel/irq_ia64.c
+@@ -24,7 +24,6 @@
+ #include <linux/kernel_stat.h>
+ #include <linux/slab.h>
+ #include <linux/ptrace.h>
+-#include <linux/random.h> /* for rand_initialize_irq() */
+ #include <linux/signal.h>
+ #include <linux/smp.h>
+ #include <linux/threads.h>
+diff --git a/arch/ia64/kvm/kvm-ia64.c b/arch/ia64/kvm/kvm-ia64.c
+index 2eb6365..0edba06 100644
+--- a/arch/ia64/kvm/kvm-ia64.c
++++ b/arch/ia64/kvm/kvm-ia64.c
+@@ -1185,6 +1185,11 @@ out:
+
+ #define PALE_RESET_ENTRY 0x80000000ffffffb0UL
+
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
++{
++ return irqchip_in_kernel(vcpu->kvm) == (vcpu->arch.apic != NULL);
++}
++
+ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_vcpu *v;
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index 845da21..0e50757 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -60,6 +60,8 @@ struct thread_info {
+ register struct thread_info *__current_thread_info __asm__("$28");
+ #define current_thread_info() __current_thread_info
+
++#endif /* !__ASSEMBLY__ */
++
+ /* thread information allocation */
+ #if defined(CONFIG_PAGE_SIZE_4KB) && defined(CONFIG_32BIT)
+ #define THREAD_SIZE_ORDER (1)
+@@ -93,8 +95,6 @@ register struct thread_info *__current_thread_info __asm__("$28");
+
+ #define free_thread_info(info) kfree(info)
+
+-#endif /* !__ASSEMBLY__ */
+-
+ #define PREEMPT_ACTIVE 0x10000000
+
+ /*
+diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
+index 162b299..d5c95d6 100644
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -1,5 +1,6 @@
+ #include <asm/asm-offsets.h>
+ #include <asm/page.h>
++#include <asm/thread_info.h>
+ #include <asm-generic/vmlinux.lds.h>
+
+ #undef mips
+@@ -70,7 +71,7 @@ SECTIONS
+ .data : { /* Data */
+ . = . + DATAOFFSET; /* for CONFIG_MAPPED_KERNEL */
+
+- INIT_TASK_DATA(PAGE_SIZE)
++ INIT_TASK_DATA(THREAD_SIZE)
+ NOSAVE_DATA
+ CACHELINE_ALIGNED_DATA(1 << CONFIG_MIPS_L1_CACHE_SHIFT)
+ DATA_DATA
+diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
+index 8bc9e96..6ee459d 100644
+--- a/arch/parisc/include/asm/atomic.h
++++ b/arch/parisc/include/asm/atomic.h
+@@ -248,7 +248,7 @@ static __inline__ int atomic_add_unless(atomic_t *v, int a, int u)
+
+ #define atomic_sub_and_test(i,v) (atomic_sub_return((i),(v)) == 0)
+
+-#define ATOMIC_INIT(i) ((atomic_t) { (i) })
++#define ATOMIC_INIT(i) { (i) }
+
+ #define smp_mb__before_atomic_dec() smp_mb()
+ #define smp_mb__after_atomic_dec() smp_mb()
+@@ -257,7 +257,7 @@ static __inline__ int atomic_add_unless(atomic_t *v, int a, int u)
+
+ #ifdef CONFIG_64BIT
+
+-#define ATOMIC64_INIT(i) ((atomic64_t) { (i) })
++#define ATOMIC64_INIT(i) { (i) }
+
+ static __inline__ int
+ __atomic64_add_return(s64 i, atomic64_t *v)
+diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
+index 32a7c30..6ce44dd 100644
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -870,7 +870,8 @@
+ /* Macros for setting and retrieving special purpose registers */
+ #ifndef __ASSEMBLY__
+ #define mfmsr() ({unsigned long rval; \
+- asm volatile("mfmsr %0" : "=r" (rval)); rval;})
++ asm volatile("mfmsr %0" : "=r" (rval) : \
++ : "memory"); rval;})
+ #ifdef CONFIG_PPC64
+ #define __mtmsrd(v, l) asm volatile("mtmsrd %0," __stringify(l) \
+ : : "r" (v) : "memory")
+diff --git a/arch/powerpc/kernel/ftrace.c b/arch/powerpc/kernel/ftrace.c
+index ce1f3e4..eda40d2 100644
+--- a/arch/powerpc/kernel/ftrace.c
++++ b/arch/powerpc/kernel/ftrace.c
+@@ -244,9 +244,9 @@ __ftrace_make_nop(struct module *mod,
+
+ /*
+ * On PPC32 the trampoline looks like:
+- * 0x3d, 0x60, 0x00, 0x00 lis r11,sym at ha
+- * 0x39, 0x6b, 0x00, 0x00 addi r11,r11,sym at l
+- * 0x7d, 0x69, 0x03, 0xa6 mtctr r11
++ * 0x3d, 0x80, 0x00, 0x00 lis r12,sym at ha
++ * 0x39, 0x8c, 0x00, 0x00 addi r12,r12,sym at l
++ * 0x7d, 0x89, 0x03, 0xa6 mtctr r12
+ * 0x4e, 0x80, 0x04, 0x20 bctr
+ */
+
+@@ -261,9 +261,9 @@ __ftrace_make_nop(struct module *mod,
+ pr_devel(" %08x %08x ", jmp[0], jmp[1]);
+
+ /* verify that this is what we expect it to be */
+- if (((jmp[0] & 0xffff0000) != 0x3d600000) ||
+- ((jmp[1] & 0xffff0000) != 0x396b0000) ||
+- (jmp[2] != 0x7d6903a6) ||
++ if (((jmp[0] & 0xffff0000) != 0x3d800000) ||
++ ((jmp[1] & 0xffff0000) != 0x398c0000) ||
++ (jmp[2] != 0x7d8903a6) ||
+ (jmp[3] != 0x4e800420)) {
+ printk(KERN_ERR "Not a trampoline\n");
+ return -EINVAL;
+diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
+index f832773..449a7e0 100644
+--- a/arch/powerpc/kernel/module_32.c
++++ b/arch/powerpc/kernel/module_32.c
+@@ -187,8 +187,8 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+
+ static inline int entry_matches(struct ppc_plt_entry *entry, Elf32_Addr val)
+ {
+- if (entry->jump[0] == 0x3d600000 + ((val + 0x8000) >> 16)
+- && entry->jump[1] == 0x396b0000 + (val & 0xffff))
++ if (entry->jump[0] == 0x3d800000 + ((val + 0x8000) >> 16)
++ && entry->jump[1] == 0x398c0000 + (val & 0xffff))
+ return 1;
+ return 0;
+ }
+@@ -215,10 +215,9 @@ static uint32_t do_plt_call(void *location,
+ entry++;
+ }
+
+- /* Stolen from Paul Mackerras as well... */
+- entry->jump[0] = 0x3d600000+((val+0x8000)>>16); /* lis r11,sym at ha */
+- entry->jump[1] = 0x396b0000 + (val&0xffff); /* addi r11,r11,sym at l*/
+- entry->jump[2] = 0x7d6903a6; /* mtctr r11 */
++ entry->jump[0] = 0x3d800000+((val+0x8000)>>16); /* lis r12,sym at ha */
++ entry->jump[1] = 0x398c0000 + (val&0xffff); /* addi r12,r12,sym at l*/
++ entry->jump[2] = 0x7d8903a6; /* mtctr r12 */
+ entry->jump[3] = 0x4e800420; /* bctr */
+
+ DEBUGP("Initialized plt for 0x%x at %p\n", val, entry);
+diff --git a/arch/powerpc/platforms/powermac/smp.c b/arch/powerpc/platforms/powermac/smp.c
+index b40c22d..7f66d0c 100644
+--- a/arch/powerpc/platforms/powermac/smp.c
++++ b/arch/powerpc/platforms/powermac/smp.c
+@@ -402,7 +402,7 @@ static struct irqaction psurge_irqaction = {
+
+ static void __init smp_psurge_setup_cpu(int cpu_nr)
+ {
+- if (cpu_nr != 0)
++ if (cpu_nr != 0 || !psurge_start)
+ return;
+
+ /* reset the entry point so if we get another intr we won't
+diff --git a/arch/sparc/Makefile b/arch/sparc/Makefile
+index 113225b..0538555 100644
+--- a/arch/sparc/Makefile
++++ b/arch/sparc/Makefile
+@@ -31,7 +31,7 @@ UTS_MACHINE := sparc
+
+ #KBUILD_CFLAGS += -g -pipe -fcall-used-g5 -fcall-used-g7
+ KBUILD_CFLAGS += -m32 -pipe -mno-fpu -fcall-used-g5 -fcall-used-g7
+-KBUILD_AFLAGS += -m32
++KBUILD_AFLAGS += -m32 -Wa,-Av8
+
+ #LDFLAGS_vmlinux = -N -Ttext 0xf0004000
+ # Since 2.5.40, the first stage is left not btfix-ed.
+diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
+index 4a700f4..6a831bd 100644
+--- a/arch/sparc/kernel/ds.c
++++ b/arch/sparc/kernel/ds.c
+@@ -1242,4 +1242,4 @@ static int __init ds_init(void)
+ return vio_register_driver(&ds_driver);
+ }
+
+-subsys_initcall(ds_init);
++fs_initcall(ds_init);
+diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
+index fd3cee4..cc4b1ff 100644
+--- a/arch/sparc/kernel/rtrap_64.S
++++ b/arch/sparc/kernel/rtrap_64.S
+@@ -20,11 +20,6 @@
+
+ .text
+ .align 32
+-__handle_softirq:
+- call do_softirq
+- nop
+- ba,a,pt %xcc, __handle_softirq_continue
+- nop
+ __handle_preemption:
+ call schedule
+ wrpr %g0, RTRAP_PSTATE, %pstate
+@@ -159,9 +154,7 @@ rtrap:
+ cmp %l1, 0
+
+ /* mm/ultra.S:xcall_report_regs KNOWS about this load. */
+- bne,pn %icc, __handle_softirq
+ ldx [%sp + PTREGS_OFF + PT_V9_TSTATE], %l1
+-__handle_softirq_continue:
+ rtrap_xcall:
+ sethi %hi(0xf << 20), %l4
+ and %l1, %l4, %l4
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 73ae02a..aa889d6 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1428,6 +1428,15 @@ config ARCH_USES_PG_UNCACHED
+ def_bool y
+ depends on X86_PAT
+
++config ARCH_RANDOM
++ def_bool y
++ prompt "x86 architectural random number generator" if EXPERT
++ ---help---
++ Enable the x86 architectural RDRAND instruction
++ (Intel Bull Mountain technology) to generate random numbers.
++ If supported, this is a high bandwidth, cryptographically
++ secure hardware random number generator.
++
+ config EFI
+ bool "EFI runtime service support"
+ depends on ACPI
+diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h
+new file mode 100644
+index 0000000..0d9ec77
+--- /dev/null
++++ b/arch/x86/include/asm/archrandom.h
+@@ -0,0 +1,75 @@
++/*
++ * This file is part of the Linux kernel.
++ *
++ * Copyright (c) 2011, Intel Corporation
++ * Authors: Fenghua Yu <fenghua.yu at intel.com>,
++ * H. Peter Anvin <hpa at linux.intel.com>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
++ * more details.
++ *
++ * You should have received a copy of the GNU General Public License along with
++ * this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ */
++
++#ifndef ASM_X86_ARCHRANDOM_H
++#define ASM_X86_ARCHRANDOM_H
++
++#include <asm/processor.h>
++#include <asm/cpufeature.h>
++#include <asm/alternative.h>
++#include <asm/nops.h>
++
++#define RDRAND_RETRY_LOOPS 10
++
++#define RDRAND_INT ".byte 0x0f,0xc7,0xf0"
++#ifdef CONFIG_X86_64
++# define RDRAND_LONG ".byte 0x48,0x0f,0xc7,0xf0"
++#else
++# define RDRAND_LONG RDRAND_INT
++#endif
++
++#ifdef CONFIG_ARCH_RANDOM
++
++#define GET_RANDOM(name, type, rdrand, nop) \
++static inline int name(type *v) \
++{ \
++ int ok; \
++ alternative_io("movl $0, %0\n\t" \
++ nop, \
++ "\n1: " rdrand "\n\t" \
++ "jc 2f\n\t" \
++ "decl %0\n\t" \
++ "jnz 1b\n\t" \
++ "2:", \
++ X86_FEATURE_RDRAND, \
++ ASM_OUTPUT2("=r" (ok), "=a" (*v)), \
++ "0" (RDRAND_RETRY_LOOPS)); \
++ return ok; \
++}
++
++#ifdef CONFIG_X86_64
++
++GET_RANDOM(arch_get_random_long, unsigned long, RDRAND_LONG, ASM_NOP5);
++GET_RANDOM(arch_get_random_int, unsigned int, RDRAND_INT, ASM_NOP4);
++
++#else
++
++GET_RANDOM(arch_get_random_long, unsigned long, RDRAND_LONG, ASM_NOP3);
++GET_RANDOM(arch_get_random_int, unsigned int, RDRAND_INT, ASM_NOP3);
++
++#endif /* CONFIG_X86_64 */
++
++#endif /* CONFIG_ARCH_RANDOM */
++
++extern void x86_init_rdrand(struct cpuinfo_x86 *c);
++
++#endif /* ASM_X86_ARCHRANDOM_H */
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
+index 1efb1fa..27929b8 100644
+--- a/arch/x86/include/asm/cpufeature.h
++++ b/arch/x86/include/asm/cpufeature.h
+@@ -124,6 +124,8 @@
+ #define X86_FEATURE_XSAVE (4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
+ #define X86_FEATURE_OSXSAVE (4*32+27) /* "" XSAVE enabled in the OS */
+ #define X86_FEATURE_AVX (4*32+28) /* Advanced Vector Extensions */
++#define X86_FEATURE_F16C (4*32+29) /* 16-bit fp conversions */
++#define X86_FEATURE_RDRAND (4*32+30) /* The RDRAND instruction */
+ #define X86_FEATURE_HYPERVISOR (4*32+31) /* Running on a hypervisor */
+
+ /* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
+diff --git a/arch/x86/include/asm/k8.h b/arch/x86/include/asm/k8.h
+index f0746f4..41845d2 100644
+--- a/arch/x86/include/asm/k8.h
++++ b/arch/x86/include/asm/k8.h
+@@ -1,11 +1,13 @@
+ #ifndef _ASM_X86_K8_H
+ #define _ASM_X86_K8_H
+
++#include <linux/ioport.h>
+ #include <linux/pci.h>
+
+ extern struct pci_device_id k8_nb_ids[];
+
+ extern int early_is_k8_nb(u32 value);
++extern struct resource *amd_get_mmconfig_range(struct resource *res);
+ extern struct pci_dev **k8_northbridges;
+ extern int num_k8_northbridges;
+ extern int cache_k8_northbridges(void);
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index 5ed59ec..cc44e3d 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -109,6 +109,8 @@ struct x86_emulate_ops {
+ unsigned int bytes,
+ struct kvm_vcpu *vcpu);
+
++ bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
++ u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
+ };
+
+ /* Type, address-of, and value of an instruction's operand. */
+@@ -190,6 +192,19 @@ struct x86_emulate_ctxt {
+ #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT64
+ #endif
+
++/* CPUID vendors */
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
++
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
++
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
++
+ int x86_decode_insn(struct x86_emulate_ctxt *ctxt,
+ struct x86_emulate_ops *ops);
+ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt,
+diff --git a/arch/x86/include/asm/timer.h b/arch/x86/include/asm/timer.h
+index b93a9aa..18e1ca7 100644
+--- a/arch/x86/include/asm/timer.h
++++ b/arch/x86/include/asm/timer.h
+@@ -63,14 +63,10 @@ DECLARE_PER_CPU(unsigned long long, cyc2ns_offset);
+
+ static inline unsigned long long __cycles_2_ns(unsigned long long cyc)
+ {
+- unsigned long long quot;
+- unsigned long long rem;
+ int cpu = smp_processor_id();
+ unsigned long long ns = per_cpu(cyc2ns_offset, cpu);
+- quot = (cyc >> CYC2NS_SCALE_FACTOR);
+- rem = cyc & ((1ULL << CYC2NS_SCALE_FACTOR) - 1);
+- ns += quot * per_cpu(cyc2ns, cpu) +
+- ((rem * per_cpu(cyc2ns, cpu)) >> CYC2NS_SCALE_FACTOR);
++ ns += mult_frac(cyc, per_cpu(cyc2ns, cpu),
++ (1UL << CYC2NS_SCALE_FACTOR));
+ return ns;
+ }
+
+diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
+index ff502cc..1f537a2 100644
+--- a/arch/x86/kernel/cpu/Makefile
++++ b/arch/x86/kernel/cpu/Makefile
+@@ -14,6 +14,7 @@ CFLAGS_common.o := $(nostackp)
+ obj-y := intel_cacheinfo.o addon_cpuid_features.o
+ obj-y += proc.o capflags.o powerflags.o common.o
+ obj-y += vmware.o hypervisor.o sched.o
++obj-y += rdrand.o
+
+ obj-$(CONFIG_X86_32) += bugs.o cmpxchg.o
+ obj-$(CONFIG_X86_64) += bugs_64.o
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 4e34d10..ba1a1dd 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -15,6 +15,7 @@
+ #include <asm/stackprotector.h>
+ #include <asm/perf_event.h>
+ #include <asm/mmu_context.h>
++#include <asm/archrandom.h>
+ #include <asm/hypervisor.h>
+ #include <asm/processor.h>
+ #include <asm/sections.h>
+@@ -815,6 +816,7 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
+ #endif
+
+ init_hypervisor(c);
++ x86_init_rdrand(c);
+
+ /*
+ * Clear/Set all flags overriden by options, need do it
+diff --git a/arch/x86/kernel/cpu/rdrand.c b/arch/x86/kernel/cpu/rdrand.c
+new file mode 100644
+index 0000000..feca286
+--- /dev/null
++++ b/arch/x86/kernel/cpu/rdrand.c
+@@ -0,0 +1,73 @@
++/*
++ * This file is part of the Linux kernel.
++ *
++ * Copyright (c) 2011, Intel Corporation
++ * Authors: Fenghua Yu <fenghua.yu at intel.com>,
++ * H. Peter Anvin <hpa at linux.intel.com>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
++ * more details.
++ *
++ * You should have received a copy of the GNU General Public License along with
++ * this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ */
++
++#include <asm/processor.h>
++#include <asm/archrandom.h>
++#include <asm/sections.h>
++
++static int __init x86_rdrand_setup(char *s)
++{
++ setup_clear_cpu_cap(X86_FEATURE_RDRAND);
++ return 1;
++}
++__setup("nordrand", x86_rdrand_setup);
++
++/* We can't use arch_get_random_long() here since alternatives haven't run */
++static inline int rdrand_long(unsigned long *v)
++{
++ int ok;
++ asm volatile("1: " RDRAND_LONG "\n\t"
++ "jc 2f\n\t"
++ "decl %0\n\t"
++ "jnz 1b\n\t"
++ "2:"
++ : "=r" (ok), "=a" (*v)
++ : "0" (RDRAND_RETRY_LOOPS));
++ return ok;
++}
++
++/*
++ * Force a reseed cycle; we are architecturally guaranteed a reseed
++ * after no more than 512 128-bit chunks of random data. This also
++ * acts as a test of the CPU capability.
++ */
++#define RESEED_LOOP ((512*128)/sizeof(unsigned long))
++
++void __cpuinit x86_init_rdrand(struct cpuinfo_x86 *c)
++{
++#ifdef CONFIG_ARCH_RANDOM
++ unsigned long tmp;
++ int i, count, ok;
++
++ if (!cpu_has(c, X86_FEATURE_RDRAND))
++ return; /* Nothing to do */
++
++ for (count = i = 0; i < RESEED_LOOP; i++) {
++ ok = rdrand_long(&tmp);
++ if (ok)
++ count++;
++ }
++
++ if (count != RESEED_LOOP)
++ clear_cpu_cap(c, X86_FEATURE_RDRAND);
++#endif
++}
+diff --git a/arch/x86/kernel/k8.c b/arch/x86/kernel/k8.c
+index 9b89546..2831a32 100644
+--- a/arch/x86/kernel/k8.c
++++ b/arch/x86/kernel/k8.c
+@@ -87,6 +87,37 @@ int __init early_is_k8_nb(u32 device)
+ return 0;
+ }
+
++struct resource *amd_get_mmconfig_range(struct resource *res)
++{
++ u32 address;
++ u64 base, msr;
++ unsigned segn_busn_bits;
++
++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
++ return NULL;
++
++ /* assume all cpus from fam10h have mmconfig */
++ if (boot_cpu_data.x86 < 0x10)
++ return NULL;
++
++ address = MSR_FAM10H_MMIO_CONF_BASE;
++ rdmsrl(address, msr);
++
++ /* mmconfig is not enabled */
++ if (!(msr & FAM10H_MMIO_CONF_ENABLE))
++ return NULL;
++
++ base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
++
++ segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
++ FAM10H_MMIO_CONF_BUSRANGE_MASK;
++
++ res->flags = IORESOURCE_MEM;
++ res->start = base;
++ res->end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
++ return res;
++}
++
+ void k8_flush_garts(void)
+ {
+ int flushed, i;
+diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
+index 6bb7b85..bcfec2d 100644
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -163,7 +163,7 @@ int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
+ {
+ const struct desc_struct *tls;
+
+- if (pos > GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
++ if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ (pos % sizeof(struct user_desc)) != 0 ||
+ (count % sizeof(struct user_desc)) != 0)
+ return -EINVAL;
+@@ -198,7 +198,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+ struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
+ const struct user_desc *info;
+
+- if (pos > GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
++ if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ (pos % sizeof(struct user_desc)) != 0 ||
+ (count % sizeof(struct user_desc)) != 0)
+ return -EINVAL;
+diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
+index bc07543..9972276 100644
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -623,7 +623,8 @@ static void set_cyc2ns_scale(unsigned long cpu_khz, int cpu)
+
+ if (cpu_khz) {
+ *scale = (NSEC_PER_MSEC << CYC2NS_SCALE_FACTOR)/cpu_khz;
+- *offset = ns_now - (tsc_now * *scale >> CYC2NS_SCALE_FACTOR);
++ *offset = ns_now - mult_frac(tsc_now, *scale,
++ (1UL << CYC2NS_SCALE_FACTOR));
+ }
+
+ sched_clock_idle_wakeup_event(0);
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 1350e43..aa2d905 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1495,20 +1495,73 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
+ ss->present = 1;
+ }
+
++static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt,
++ struct x86_emulate_ops *ops)
++{
++ u32 eax, ebx, ecx, edx;
++
++ /*
++ * syscall should always be enabled in longmode - so only become
++ * vendor specific (cpuid) if other modes are active...
++ */
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ return true;
++
++ eax = 0x00000000;
++ ecx = 0x00000000;
++ if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
++ /*
++ * Intel ("GenuineIntel")
++ * remark: Intel CPUs only support "syscall" in 64bit
++ * longmode. Also an 64bit guest with a
++ * 32bit compat-app running will #UD !! While this
++ * behaviour can be fixed (by emulating) into AMD
++ * response - CPUs of AMD can't behave like Intel.
++ */
++ if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
++ ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
++ edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
++ return false;
++
++ /* AMD ("AuthenticAMD") */
++ if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
++ ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
++ edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
++ return true;
++
++ /* AMD ("AMDisbetter!") */
++ if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
++ ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
++ edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
++ return true;
++ }
++
++ /* default: (not Intel, not AMD), apply Intel's stricter rules... */
++ return false;
++}
++
+ static int
+-emulate_syscall(struct x86_emulate_ctxt *ctxt)
++emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
+ {
+ struct decode_cache *c = &ctxt->decode;
+ struct kvm_segment cs, ss;
+ u64 msr_data;
++ u64 efer = 0;
+
+ /* syscall is not available in real mode */
+ if (c->lock_prefix || ctxt->mode == X86EMUL_MODE_REAL
+ || ctxt->mode == X86EMUL_MODE_VM86)
+ return -1;
+
++ if (!(em_syscall_is_enabled(ctxt, ops)))
++ return -1;
++
++ kvm_x86_ops->get_msr(ctxt->vcpu, MSR_EFER, &efer);
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
++ if (!(efer & EFER_SCE))
++ return -1;
++
+ kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
+ msr_data >>= 32;
+ cs.selector = (u16)(msr_data & 0xfffc);
+@@ -2342,7 +2395,7 @@ twobyte_insn:
+ }
+ break;
+ case 0x05: /* syscall */
+- if (emulate_syscall(ctxt) == -1)
++ if (emulate_syscall(ctxt, ops) == -1)
+ goto cannot_emulate;
+ else
+ goto writeback;
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 88ad162..7e361b4 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -277,11 +277,15 @@ static struct kvm_timer_ops kpit_ops = {
+ .is_periodic = kpit_is_periodic,
+ };
+
+-static void create_pit_timer(struct kvm_kpit_state *ps, u32 val, int is_period)
++static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
+ {
++ struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
+ struct kvm_timer *pt = &ps->pit_timer;
+ s64 interval;
+
++ if (!irqchip_in_kernel(kvm))
++ return;
++
+ interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
+
+ pr_debug("pit: create pit timer, interval is %llu nsec\n", interval);
+@@ -333,13 +337,13 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
+ /* FIXME: enhance mode 4 precision */
+ case 4:
+ if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)) {
+- create_pit_timer(ps, val, 0);
++ create_pit_timer(kvm, val, 0);
+ }
+ break;
+ case 2:
+ case 3:
+ if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)){
+- create_pit_timer(ps, val, 1);
++ create_pit_timer(kvm, val, 1);
+ }
+ break;
+ default:
+diff --git a/arch/x86/kvm/irq.h b/arch/x86/kvm/irq.h
+index 7d6058a..85a8721 100644
+--- a/arch/x86/kvm/irq.h
++++ b/arch/x86/kvm/irq.h
+@@ -85,7 +85,11 @@ static inline struct kvm_pic *pic_irqchip(struct kvm *kvm)
+
+ static inline int irqchip_in_kernel(struct kvm *kvm)
+ {
+- return pic_irqchip(kvm) != NULL;
++ int ret;
++
++ ret = (pic_irqchip(kvm) != NULL);
++ smp_rmb();
++ return ret;
+ }
+
+ void kvm_pic_reset(struct kvm_kpic_state *s);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index df1cefb..271fddf 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2273,25 +2273,42 @@ long kvm_arch_vm_ioctl(struct file *filp,
+ if (r)
+ goto out;
+ break;
+- case KVM_CREATE_IRQCHIP:
++ case KVM_CREATE_IRQCHIP: {
++ struct kvm_pic *vpic;
++
++ mutex_lock(&kvm->lock);
++ r = -EEXIST;
++ if (kvm->arch.vpic)
++ goto create_irqchip_unlock;
++ r = -EINVAL;
++ if (atomic_read(&kvm->online_vcpus))
++ goto create_irqchip_unlock;
+ r = -ENOMEM;
+- kvm->arch.vpic = kvm_create_pic(kvm);
+- if (kvm->arch.vpic) {
++ vpic = kvm_create_pic(kvm);
++ if (vpic) {
+ r = kvm_ioapic_init(kvm);
+ if (r) {
+- kfree(kvm->arch.vpic);
+- kvm->arch.vpic = NULL;
+- goto out;
++ kfree(vpic);
++ goto create_irqchip_unlock;
+ }
+ } else
+- goto out;
++ goto create_irqchip_unlock;
++ smp_wmb();
++ kvm->arch.vpic = vpic;
++ smp_wmb();
+ r = kvm_setup_default_irq_routing(kvm);
+ if (r) {
++ mutex_lock(&kvm->irq_lock);
+ kfree(kvm->arch.vpic);
+ kfree(kvm->arch.vioapic);
+- goto out;
++ kvm->arch.vpic = NULL;
++ kvm->arch.vioapic = NULL;
++ mutex_unlock(&kvm->irq_lock);
+ }
++ create_irqchip_unlock:
++ mutex_unlock(&kvm->lock);
+ break;
++ }
+ case KVM_CREATE_PIT:
+ u.pit_config.flags = KVM_PIT_SPEAKER_DUMMY;
+ goto create_pit;
+@@ -2871,12 +2888,35 @@ void kvm_report_emulation_failure(struct kvm_vcpu *vcpu, const char *context)
+ }
+ EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
+
++static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
++ u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
++{
++ struct kvm_cpuid_entry2 *cpuid = NULL;
++
++ if (eax && ecx)
++ cpuid = kvm_find_cpuid_entry(ctxt->vcpu,
++ *eax, *ecx);
++
++ if (cpuid) {
++ *eax = cpuid->eax;
++ *ecx = cpuid->ecx;
++ if (ebx)
++ *ebx = cpuid->ebx;
++ if (edx)
++ *edx = cpuid->edx;
++ return true;
++ }
++
++ return false;
++}
++
+ static struct x86_emulate_ops emulate_ops = {
+ .read_std = kvm_read_guest_virt_system,
+ .fetch = kvm_fetch_guest_virt,
+ .read_emulated = emulator_read_emulated,
+ .write_emulated = emulator_write_emulated,
+ .cmpxchg_emulated = emulator_cmpxchg_emulated,
++ .get_cpuid = emulator_get_cpuid,
+ };
+
+ static void cache_all_regs(struct kvm_vcpu *vcpu)
+@@ -4990,6 +5030,11 @@ void kvm_arch_check_processor_compat(void *rtn)
+ kvm_x86_ops->check_processor_compatibility(rtn);
+ }
+
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
++{
++ return irqchip_in_kernel(vcpu->kvm) == (vcpu->arch.apic != NULL);
++}
++
+ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ struct page *page;
+diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
+index ff485d3..b6372ce 100644
+--- a/arch/x86/lib/delay.c
++++ b/arch/x86/lib/delay.c
+@@ -48,9 +48,9 @@ static void delay_loop(unsigned long loops)
+ }
+
+ /* TSC based delay: */
+-static void delay_tsc(unsigned long loops)
++static void delay_tsc(unsigned long __loops)
+ {
+- unsigned long bclock, now;
++ u32 bclock, now, loops = __loops;
+ int cpu;
+
+ preempt_disable();
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 8ac0d76..249ad57 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -223,15 +223,14 @@ void vmalloc_sync_all(void)
+ address >= TASK_SIZE && address < FIXADDR_TOP;
+ address += PMD_SIZE) {
+
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (!vmalloc_sync_one(page_address(page), address))
+ break;
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+ }
+
+@@ -331,13 +330,12 @@ void vmalloc_sync_all(void)
+ address += PGDIR_SIZE) {
+
+ const pgd_t *pgd_ref = pgd_offset_k(address);
+- unsigned long flags;
+ struct page *page;
+
+ if (pgd_none(*pgd_ref))
+ continue;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ pgd_t *pgd;
+ pgd = (pgd_t *)page_address(page) + pgd_index(address);
+@@ -346,7 +344,7 @@ void vmalloc_sync_all(void)
+ else
+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
+ }
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+ }
+
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
+index dd38bfb..6d44087 100644
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -56,12 +56,10 @@ static unsigned long direct_pages_count[PG_LEVEL_NUM];
+
+ void update_page_count(int level, unsigned long pages)
+ {
+- unsigned long flags;
+-
+ /* Protect against CPA */
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ direct_pages_count[level] += pages;
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ static void split_page_count(int level)
+@@ -354,7 +352,7 @@ static int
+ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ struct cpa_data *cpa)
+ {
+- unsigned long nextpage_addr, numpages, pmask, psize, flags, addr, pfn;
++ unsigned long nextpage_addr, numpages, pmask, psize, addr, pfn;
+ pte_t new_pte, old_pte, *tmp;
+ pgprot_t old_prot, new_prot;
+ int i, do_split = 1;
+@@ -363,7 +361,7 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ if (cpa->force_split)
+ return 1;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ /*
+ * Check for races, another CPU might have split this page
+ * up already:
+@@ -458,14 +456,14 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ }
+
+ out_unlock:
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return do_split;
+ }
+
+ static int split_large_page(pte_t *kpte, unsigned long address)
+ {
+- unsigned long flags, pfn, pfninc = 1;
++ unsigned long pfn, pfninc = 1;
+ unsigned int i, level;
+ pte_t *pbase, *tmp;
+ pgprot_t ref_prot;
+@@ -479,7 +477,7 @@ static int split_large_page(pte_t *kpte, unsigned long address)
+ if (!base)
+ return -ENOMEM;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ /*
+ * Check for races, another CPU might have split this page
+ * up for us already:
+@@ -551,7 +549,7 @@ out_unlock:
+ */
+ if (base)
+ __free_page(base);
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return 0;
+ }
+diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
+index e0e6fad..cb7cfc8 100644
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -110,14 +110,12 @@ static void pgd_ctor(pgd_t *pgd)
+
+ static void pgd_dtor(pgd_t *pgd)
+ {
+- unsigned long flags; /* can be called from interrupt context */
+-
+ if (SHARED_KERNEL_PMD)
+ return;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+ pgd_list_del(pgd);
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ /*
+@@ -248,7 +246,6 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ {
+ pgd_t *pgd;
+ pmd_t *pmds[PREALLOCATED_PMDS];
+- unsigned long flags;
+
+ pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
+
+@@ -268,12 +265,12 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ * respect to anything walking the pgd_list, so that they
+ * never see a partially populated pgd.
+ */
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ pgd_ctor(pgd);
+ pgd_prepopulate_pmd(mm, pgd, pmds);
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+
+ return pgd;
+
+diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
+index 829edf0..b50a280 100644
+--- a/arch/x86/oprofile/backtrace.c
++++ b/arch/x86/oprofile/backtrace.c
+@@ -71,9 +71,9 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
+ offset = addr & (PAGE_SIZE - 1);
+ size = min(PAGE_SIZE - offset, n - len);
+
+- map = kmap_atomic(page, KM_USER0);
++ map = kmap_atomic(page, KM_NMI);
+ memcpy(to, map+offset, size);
+- kunmap_atomic(map, KM_USER0);
++ kunmap_atomic(map, KM_NMI);
+ put_page(page);
+
+ len += size;
+diff --git a/arch/x86/pci/amd_bus.c b/arch/x86/pci/amd_bus.c
+index 572ee97..aae9931 100644
+--- a/arch/x86/pci/amd_bus.c
++++ b/arch/x86/pci/amd_bus.c
+@@ -3,6 +3,7 @@
+ #include <linux/topology.h>
+ #include <linux/cpu.h>
+ #include <asm/pci_x86.h>
++#include <asm/k8.h>
+
+ #ifdef CONFIG_X86_64
+ #include <asm/pci-direct.h>
+@@ -190,34 +191,6 @@ static struct pci_hostbridge_probe pci_probes[] __initdata = {
+ { 0, 0x18, PCI_VENDOR_ID_AMD, 0x1300 },
+ };
+
+-static u64 __initdata fam10h_mmconf_start;
+-static u64 __initdata fam10h_mmconf_end;
+-static void __init get_pci_mmcfg_amd_fam10h_range(void)
+-{
+- u32 address;
+- u64 base, msr;
+- unsigned segn_busn_bits;
+-
+- /* assume all cpus from fam10h have mmconf */
+- if (boot_cpu_data.x86 < 0x10)
+- return;
+-
+- address = MSR_FAM10H_MMIO_CONF_BASE;
+- rdmsrl(address, msr);
+-
+- /* mmconfig is not enable */
+- if (!(msr & FAM10H_MMIO_CONF_ENABLE))
+- return;
+-
+- base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
+-
+- segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
+- FAM10H_MMIO_CONF_BUSRANGE_MASK;
+-
+- fam10h_mmconf_start = base;
+- fam10h_mmconf_end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
+-}
+-
+ /**
+ * early_fill_mp_bus_to_node()
+ * called before pcibios_scan_root and pci_scan_bus
+@@ -243,6 +216,9 @@ static int __init early_fill_mp_bus_info(void)
+ struct res_range range[RANGE_NUM];
+ u64 val;
+ u32 address;
++ struct resource fam10h_mmconf_res, *fam10h_mmconf;
++ u64 fam10h_mmconf_start;
++ u64 fam10h_mmconf_end;
+
+ if (!early_pci_allowed())
+ return -1;
+@@ -367,11 +343,16 @@ static int __init early_fill_mp_bus_info(void)
+ update_range(range, 0, end - 1);
+
+ /* get mmconfig */
+- get_pci_mmcfg_amd_fam10h_range();
++ fam10h_mmconf = amd_get_mmconfig_range(&fam10h_mmconf_res);
+ /* need to take out mmconf range */
+- if (fam10h_mmconf_end) {
+- printk(KERN_DEBUG "Fam 10h mmconf [%llx, %llx]\n", fam10h_mmconf_start, fam10h_mmconf_end);
++ if (fam10h_mmconf) {
++ printk(KERN_DEBUG "Fam 10h mmconf %pR\n", fam10h_mmconf);
++ fam10h_mmconf_start = fam10h_mmconf->start;
++ fam10h_mmconf_end = fam10h_mmconf->end;
+ update_range(range, fam10h_mmconf_start, fam10h_mmconf_end);
++ } else {
++ fam10h_mmconf_start = 0;
++ fam10h_mmconf_end = 0;
+ }
+
+ /* mmio resource */
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 0087b00..d52f895 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -945,7 +945,10 @@ static const struct pv_cpu_ops xen_cpu_ops __initdata = {
+ .wbinvd = native_wbinvd,
+
+ .read_msr = native_read_msr_safe,
++ .rdmsr_regs = native_rdmsr_safe_regs,
+ .write_msr = xen_write_msr_safe,
++ .wrmsr_regs = native_wrmsr_safe_regs,
++
+ .read_tsc = native_read_tsc,
+ .read_pmc = native_read_pmc,
+
+diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
+index 3f90a2c..8f4452c 100644
+--- a/arch/x86/xen/mmu.c
++++ b/arch/x86/xen/mmu.c
+@@ -987,10 +987,9 @@ static void xen_pgd_pin(struct mm_struct *mm)
+ */
+ void xen_mm_pin_all(void)
+ {
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (!PagePinned(page)) {
+@@ -999,7 +998,7 @@ void xen_mm_pin_all(void)
+ }
+ }
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ /*
+@@ -1100,10 +1099,9 @@ static void xen_pgd_unpin(struct mm_struct *mm)
+ */
+ void xen_mm_unpin_all(void)
+ {
+- unsigned long flags;
+ struct page *page;
+
+- spin_lock_irqsave(&pgd_lock, flags);
++ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+ if (PageSavePinned(page)) {
+@@ -1113,7 +1111,7 @@ void xen_mm_unpin_all(void)
+ }
+ }
+
+- spin_unlock_irqrestore(&pgd_lock, flags);
++ spin_unlock(&pgd_lock);
+ }
+
+ void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next)
+diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
+index 79d7362..3e45aa0 100644
+--- a/arch/x86/xen/xen-asm.S
++++ b/arch/x86/xen/xen-asm.S
+@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct)
+
+ /* check for unmasked and pending */
+ cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending
+- jz 1f
++ jnz 1f
+ 2: call check_events
+ 1:
+ ENDPATCH(xen_restore_fl_direct)
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index d4ed600..cbdabb0 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -66,22 +66,22 @@ static void cfq_exit(struct io_context *ioc)
+ }
+
+ /* Called by the exitting task */
+-void exit_io_context(void)
++void exit_io_context(struct task_struct *task)
+ {
+ struct io_context *ioc;
+
+- task_lock(current);
+- ioc = current->io_context;
+- current->io_context = NULL;
+- task_unlock(current);
++ task_lock(task);
++ ioc = task->io_context;
++ task->io_context = NULL;
++ task_unlock(task);
+
+ if (atomic_dec_and_test(&ioc->nr_tasks)) {
+ if (ioc->aic && ioc->aic->exit)
+ ioc->aic->exit(ioc->aic);
+ cfq_exit(ioc);
+
+- put_io_context(ioc);
+ }
++ put_io_context(ioc);
+ }
+
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
+diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
+index 107f6f7..dd30f40 100644
+--- a/crypto/sha512_generic.c
++++ b/crypto/sha512_generic.c
+@@ -174,7 +174,7 @@ sha512_update(struct shash_desc *desc, const u8 *data, unsigned int len)
+ index = sctx->count[0] & 0x7f;
+
+ /* Update number of bytes */
+- if (!(sctx->count[0] += len))
++ if ((sctx->count[0] += len) < len)
+ sctx->count[1]++;
+
+ part_len = 128 - index;
+diff --git a/drivers/acpi/ac.c b/drivers/acpi/ac.c
+index b6ed60b..bc3f918 100644
+--- a/drivers/acpi/ac.c
++++ b/drivers/acpi/ac.c
+@@ -287,7 +287,9 @@ static int acpi_ac_add(struct acpi_device *device)
+ ac->charger.properties = ac_props;
+ ac->charger.num_properties = ARRAY_SIZE(ac_props);
+ ac->charger.get_property = get_ac_property;
+- power_supply_register(&ac->device->dev, &ac->charger);
++ result = power_supply_register(&ac->device->dev, &ac->charger);
++ if (result)
++ goto end;
+ #endif
+
+ printk(KERN_INFO PREFIX "%s [%s] (%s)\n",
+diff --git a/drivers/block/cciss_scsi.c b/drivers/block/cciss_scsi.c
+index 3315268..ad8e592 100644
+--- a/drivers/block/cciss_scsi.c
++++ b/drivers/block/cciss_scsi.c
+@@ -747,17 +747,7 @@ complete_scsi_command( CommandList_struct *cp, int timeout, __u32 tag)
+ {
+ case CMD_TARGET_STATUS:
+ /* Pass it up to the upper layers... */
+- if( ei->ScsiStatus)
+- {
+-#if 0
+- printk(KERN_WARNING "cciss: cmd %p "
+- "has SCSI Status = %x\n",
+- cp,
+- ei->ScsiStatus);
+-#endif
+- cmd->result |= (ei->ScsiStatus < 1);
+- }
+- else { /* scsi status is zero??? How??? */
++ if (!ei->ScsiStatus) {
+
+ /* Ordinarily, this case should never happen, but there is a bug
+ in some released firmware revisions that allows it to happen
+diff --git a/drivers/block/sx8.c b/drivers/block/sx8.c
+index a7c4184..bcbfc20 100644
+--- a/drivers/block/sx8.c
++++ b/drivers/block/sx8.c
+@@ -1116,7 +1116,7 @@ static inline void carm_handle_resp(struct carm_host *host,
+ break;
+ case MISC_GET_FW_VER: {
+ struct carm_fw_ver *ver = (struct carm_fw_ver *)
+- mem + sizeof(struct carm_msg_get_fw_ver);
++ (mem + sizeof(struct carm_msg_get_fw_ver));
+ if (!error) {
+ host->fw_ver = le32_to_cpu(ver->version);
+ host->flags |= (ver->features & FL_FW_VER_MASK);
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 75185a6..a562761 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -470,15 +470,10 @@ static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
+
+ pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
+
+- urb->dev = data->udev;
+- urb->pipe = pipe;
+- urb->context = hdev;
+- urb->complete = btusb_isoc_complete;
+- urb->interval = data->isoc_rx_ep->bInterval;
++ usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
++ hdev, data->isoc_rx_ep->bInterval);
+
+ urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
+- urb->transfer_buffer = buf;
+- urb->transfer_buffer_length = size;
+
+ __fill_isoc_descriptor(urb, size,
+ le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index e3d4eda..d68e2f5 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -312,9 +312,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
+ hci_uart_close(hdev);
+
+ if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
++ if (hdev) {
++ hci_unregister_dev(hdev);
++ hci_free_dev(hdev);
++ }
+ hu->proto->close(hu);
+- hci_unregister_dev(hdev);
+- hci_free_dev(hdev);
+ }
+ }
+ }
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 3a19e2d..446b20a 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -125,20 +125,32 @@
+ * The current exported interfaces for gathering environmental noise
+ * from the devices are:
+ *
++ * void add_device_randomness(const void *buf, unsigned int size);
+ * void add_input_randomness(unsigned int type, unsigned int code,
+ * unsigned int value);
+- * void add_interrupt_randomness(int irq);
++ * void add_interrupt_randomness(int irq, int irq_flags);
++ * void add_disk_randomness(struct gendisk *disk);
++ *
++ * add_device_randomness() is for adding data to the random pool that
++ * is likely to differ between two devices (or possibly even per boot).
++ * This would be things like MAC addresses or serial numbers, or the
++ * read-out of the RTC. This does *not* add any actual entropy to the
++ * pool, but it initializes the pool to different values for devices
++ * that might otherwise be identical and have very little entropy
++ * available to them (particularly common in the embedded world).
+ *
+ * add_input_randomness() uses the input layer interrupt timing, as well as
+ * the event type information from the hardware.
+ *
+- * add_interrupt_randomness() uses the inter-interrupt timing as random
+- * inputs to the entropy pool. Note that not all interrupts are good
+- * sources of randomness! For example, the timer interrupts is not a
+- * good choice, because the periodicity of the interrupts is too
+- * regular, and hence predictable to an attacker. Disk interrupts are
+- * a better measure, since the timing of the disk interrupts are more
+- * unpredictable.
++ * add_interrupt_randomness() uses the interrupt timing as random
++ * inputs to the entropy pool. Using the cycle counters and the irq source
++ * as inputs, it feeds the randomness roughly once a second.
++ *
++ * add_disk_randomness() uses what amounts to the seek time of block
++ * layer request events, on a per-disk_devt basis, as input to the
++ * entropy pool. Note that high-speed solid state drives with very low
++ * seek times do not make for good sources of entropy, as their seek
++ * times are usually fairly consistent.
+ *
+ * All of these routines try to estimate how many bits of randomness a
+ * particular randomness source. They do this by keeping track of the
+@@ -241,6 +253,8 @@
+ #include <linux/percpu.h>
+ #include <linux/cryptohash.h>
+ #include <linux/fips.h>
++#include <linux/ptrace.h>
++#include <linux/kmemcheck.h>
+
+ #ifdef CONFIG_GENERIC_HARDIRQS
+ # include <linux/irq.h>
+@@ -249,6 +263,7 @@
+ #include <asm/processor.h>
+ #include <asm/uaccess.h>
+ #include <asm/irq.h>
++#include <asm/irq_regs.h>
+ #include <asm/io.h>
+
+ /*
+@@ -257,6 +272,9 @@
+ #define INPUT_POOL_WORDS 128
+ #define OUTPUT_POOL_WORDS 32
+ #define SEC_XFER_SIZE 512
++#define EXTRACT_SIZE 10
++
++#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
+
+ /*
+ * The minimum number of bits of entropy before we wake up a read on
+@@ -406,15 +424,17 @@ struct entropy_store {
+ struct poolinfo *poolinfo;
+ __u32 *pool;
+ const char *name;
+- int limit;
+ struct entropy_store *pull;
++ int limit;
+
+ /* read-write data: */
+ spinlock_t lock;
+ unsigned add_ptr;
++ unsigned input_rotate;
+ int entropy_count;
+- int input_rotate;
+- __u8 *last_data;
++ int entropy_total;
++ unsigned int initialized:1;
++ __u8 last_data[EXTRACT_SIZE];
+ };
+
+ static __u32 input_pool_data[INPUT_POOL_WORDS];
+@@ -446,6 +466,10 @@ static struct entropy_store nonblocking_pool = {
+ .pool = nonblocking_pool_data
+ };
+
++static __u32 const twist_table[8] = {
++ 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
++ 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
++
+ /*
+ * This function adds bytes into the entropy "pool". It does not
+ * update the entropy estimate. The caller should call
+@@ -456,29 +480,24 @@ static struct entropy_store nonblocking_pool = {
+ * it's cheap to do so and helps slightly in the expected case where
+ * the entropy is concentrated in the low-order bits.
+ */
+-static void mix_pool_bytes_extract(struct entropy_store *r, const void *in,
+- int nbytes, __u8 out[64])
++static void __mix_pool_bytes(struct entropy_store *r, const void *in,
++ int nbytes, __u8 out[64])
+ {
+- static __u32 const twist_table[8] = {
+- 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+- 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+ unsigned long i, j, tap1, tap2, tap3, tap4, tap5;
+ int input_rotate;
+ int wordmask = r->poolinfo->poolwords - 1;
+ const char *bytes = in;
+ __u32 w;
+- unsigned long flags;
+
+- /* Taps are constant, so we can load them without holding r->lock. */
+ tap1 = r->poolinfo->tap1;
+ tap2 = r->poolinfo->tap2;
+ tap3 = r->poolinfo->tap3;
+ tap4 = r->poolinfo->tap4;
+ tap5 = r->poolinfo->tap5;
+
+- spin_lock_irqsave(&r->lock, flags);
+- input_rotate = r->input_rotate;
+- i = r->add_ptr;
++ smp_rmb();
++ input_rotate = ACCESS_ONCE(r->input_rotate);
++ i = ACCESS_ONCE(r->add_ptr);
+
+ /* mix one byte at a time to simplify size handling and churn faster */
+ while (nbytes--) {
+@@ -505,19 +524,53 @@ static void mix_pool_bytes_extract(struct entropy_store *r, const void *in,
+ input_rotate += i ? 7 : 14;
+ }
+
+- r->input_rotate = input_rotate;
+- r->add_ptr = i;
++ ACCESS_ONCE(r->input_rotate) = input_rotate;
++ ACCESS_ONCE(r->add_ptr) = i;
++ smp_wmb();
+
+ if (out)
+ for (j = 0; j < 16; j++)
+ ((__u32 *)out)[j] = r->pool[(i - j) & wordmask];
++}
+
++static void mix_pool_bytes(struct entropy_store *r, const void *in,
++ int nbytes, __u8 out[64])
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&r->lock, flags);
++ __mix_pool_bytes(r, in, nbytes, out);
+ spin_unlock_irqrestore(&r->lock, flags);
+ }
+
+-static void mix_pool_bytes(struct entropy_store *r, const void *in, int bytes)
++struct fast_pool {
++ __u32 pool[4];
++ unsigned long last;
++ unsigned short count;
++ unsigned char rotate;
++ unsigned char last_timer_intr;
++};
++
++/*
++ * This is a fast mixing routine used by the interrupt randomness
++ * collector. It's hardcoded for an 128 bit pool and assumes that any
++ * locks that might be needed are taken by the caller.
++ */
++static void fast_mix(struct fast_pool *f, const void *in, int nbytes)
+ {
+- mix_pool_bytes_extract(r, in, bytes, NULL);
++ const char *bytes = in;
++ __u32 w;
++ unsigned i = f->count;
++ unsigned input_rotate = f->rotate;
++
++ while (nbytes--) {
++ w = rol32(*bytes++, input_rotate & 31) ^ f->pool[i & 3] ^
++ f->pool[(i + 1) & 3];
++ f->pool[i & 3] = (w >> 3) ^ twist_table[w & 7];
++ input_rotate += (i++ & 3) ? 7 : 14;
++ }
++ f->count = i;
++ f->rotate = input_rotate;
+ }
+
+ /*
+@@ -525,30 +578,34 @@ static void mix_pool_bytes(struct entropy_store *r, const void *in, int bytes)
+ */
+ static void credit_entropy_bits(struct entropy_store *r, int nbits)
+ {
+- unsigned long flags;
+- int entropy_count;
++ int entropy_count, orig;
+
+ if (!nbits)
+ return;
+
+- spin_lock_irqsave(&r->lock, flags);
+-
+ DEBUG_ENT("added %d entropy credits to %s\n", nbits, r->name);
+- entropy_count = r->entropy_count;
++retry:
++ entropy_count = orig = ACCESS_ONCE(r->entropy_count);
+ entropy_count += nbits;
+ if (entropy_count < 0) {
+ DEBUG_ENT("negative entropy/overflow\n");
+ entropy_count = 0;
+ } else if (entropy_count > r->poolinfo->POOLBITS)
+ entropy_count = r->poolinfo->POOLBITS;
+- r->entropy_count = entropy_count;
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
++ goto retry;
++
++ if (!r->initialized && nbits > 0) {
++ r->entropy_total += nbits;
++ if (r->entropy_total > 128)
++ r->initialized = 1;
++ }
+
+ /* should we wake readers? */
+ if (r == &input_pool && entropy_count >= random_read_wakeup_thresh) {
+ wake_up_interruptible(&random_read_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+ }
+- spin_unlock_irqrestore(&r->lock, flags);
+ }
+
+ /*********************************************************************
+@@ -564,42 +621,24 @@ struct timer_rand_state {
+ unsigned dont_count_entropy:1;
+ };
+
+-#ifndef CONFIG_GENERIC_HARDIRQS
+-
+-static struct timer_rand_state *irq_timer_state[NR_IRQS];
+-
+-static struct timer_rand_state *get_timer_rand_state(unsigned int irq)
+-{
+- return irq_timer_state[irq];
+-}
+-
+-static void set_timer_rand_state(unsigned int irq,
+- struct timer_rand_state *state)
+-{
+- irq_timer_state[irq] = state;
+-}
+-
+-#else
+-
+-static struct timer_rand_state *get_timer_rand_state(unsigned int irq)
+-{
+- struct irq_desc *desc;
+-
+- desc = irq_to_desc(irq);
+-
+- return desc->timer_rand_state;
+-}
+-
+-static void set_timer_rand_state(unsigned int irq,
+- struct timer_rand_state *state)
++/*
++ * Add device- or boot-specific data to the input and nonblocking
++ * pools to help initialize them to unique values.
++ *
++ * None of this adds any entropy, it is meant to avoid the
++ * problem of the nonblocking pool having similar initial state
++ * across largely identical devices.
++ */
++void add_device_randomness(const void *buf, unsigned int size)
+ {
+- struct irq_desc *desc;
+-
+- desc = irq_to_desc(irq);
++ unsigned long time = get_cycles() ^ jiffies;
+
+- desc->timer_rand_state = state;
++ mix_pool_bytes(&input_pool, buf, size, NULL);
++ mix_pool_bytes(&input_pool, &time, sizeof(time), NULL);
++ mix_pool_bytes(&nonblocking_pool, buf, size, NULL);
++ mix_pool_bytes(&nonblocking_pool, &time, sizeof(time), NULL);
+ }
+-#endif
++EXPORT_SYMBOL(add_device_randomness);
+
+ static struct timer_rand_state input_timer_state;
+
+@@ -616,8 +655,8 @@ static struct timer_rand_state input_timer_state;
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+ {
+ struct {
+- cycles_t cycles;
+ long jiffies;
++ unsigned cycles;
+ unsigned num;
+ } sample;
+ long delta, delta2, delta3;
+@@ -631,7 +670,7 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+ sample.jiffies = jiffies;
+ sample.cycles = get_cycles();
+ sample.num = num;
+- mix_pool_bytes(&input_pool, &sample, sizeof(sample));
++ mix_pool_bytes(&input_pool, &sample, sizeof(sample), NULL);
+
+ /*
+ * Calculate number of bits of randomness we probably added.
+@@ -688,17 +727,48 @@ void add_input_randomness(unsigned int type, unsigned int code,
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+
+-void add_interrupt_randomness(int irq)
++static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
++
++void add_interrupt_randomness(int irq, int irq_flags)
+ {
+- struct timer_rand_state *state;
++ struct entropy_store *r;
++ struct fast_pool *fast_pool = &__get_cpu_var(irq_randomness);
++ struct pt_regs *regs = get_irq_regs();
++ unsigned long now = jiffies;
++ __u32 input[4], cycles = get_cycles();
++
++ input[0] = cycles ^ jiffies;
++ input[1] = irq;
++ if (regs) {
++ __u64 ip = instruction_pointer(regs);
++ input[2] = ip;
++ input[3] = ip >> 32;
++ }
+
+- state = get_timer_rand_state(irq);
++ fast_mix(fast_pool, input, sizeof(input));
+
+- if (state == NULL)
++ if ((fast_pool->count & 1023) &&
++ !time_after(now, fast_pool->last + HZ))
+ return;
+
+- DEBUG_ENT("irq event %d\n", irq);
+- add_timer_randomness(state, 0x100 + irq);
++ fast_pool->last = now;
++
++ r = nonblocking_pool.initialized ? &input_pool : &nonblocking_pool;
++ __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool), NULL);
++ /*
++ * If we don't have a valid cycle counter, and we see
++ * back-to-back timer interrupts, then skip giving credit for
++ * any entropy.
++ */
++ if (cycles == 0) {
++ if (irq_flags & __IRQF_TIMER) {
++ if (fast_pool->last_timer_intr)
++ return;
++ fast_pool->last_timer_intr = 1;
++ } else
++ fast_pool->last_timer_intr = 0;
++ }
++ credit_entropy_bits(r, 1);
+ }
+
+ #ifdef CONFIG_BLOCK
+@@ -714,8 +784,6 @@ void add_disk_randomness(struct gendisk *disk)
+ }
+ #endif
+
+-#define EXTRACT_SIZE 10
+-
+ /*********************************************************************
+ *
+ * Entropy extraction routines
+@@ -732,7 +800,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ */
+ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+ {
+- __u32 tmp[OUTPUT_POOL_WORDS];
++ __u32 tmp[OUTPUT_POOL_WORDS];
+
+ if (r->pull && r->entropy_count < nbytes * 8 &&
+ r->entropy_count < r->poolinfo->POOLBITS) {
+@@ -751,7 +819,7 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+
+ bytes = extract_entropy(r->pull, tmp, bytes,
+ random_read_wakeup_thresh / 8, rsvd);
+- mix_pool_bytes(r, tmp, bytes);
++ mix_pool_bytes(r, tmp, bytes, NULL);
+ credit_entropy_bits(r, bytes*8);
+ }
+ }
+@@ -810,13 +878,19 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+ int i;
+- __u32 hash[5], workspace[SHA_WORKSPACE_WORDS];
++ union {
++ __u32 w[5];
++ unsigned long l[LONGS(EXTRACT_SIZE)];
++ } hash;
++ __u32 workspace[SHA_WORKSPACE_WORDS];
+ __u8 extract[64];
++ unsigned long flags;
+
+ /* Generate a hash across the pool, 16 words (512 bits) at a time */
+- sha_init(hash);
++ sha_init(hash.w);
++ spin_lock_irqsave(&r->lock, flags);
+ for (i = 0; i < r->poolinfo->poolwords; i += 16)
+- sha_transform(hash, (__u8 *)(r->pool + i), workspace);
++ sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
+
+ /*
+ * We mix the hash back into the pool to prevent backtracking
+@@ -827,13 +901,14 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ * brute-forcing the feedback as hard as brute-forcing the
+ * hash.
+ */
+- mix_pool_bytes_extract(r, hash, sizeof(hash), extract);
++ __mix_pool_bytes(r, hash.w, sizeof(hash.w), extract);
++ spin_unlock_irqrestore(&r->lock, flags);
+
+ /*
+ * To avoid duplicates, we atomically extract a portion of the
+ * pool while mixing, and hash one final time.
+ */
+- sha_transform(hash, extract, workspace);
++ sha_transform(hash.w, extract, workspace);
+ memset(extract, 0, sizeof(extract));
+ memset(workspace, 0, sizeof(workspace));
+
+@@ -842,19 +917,30 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ * pattern, we fold it in half. Thus, we always feed back
+ * twice as much data as we output.
+ */
+- hash[0] ^= hash[3];
+- hash[1] ^= hash[4];
+- hash[2] ^= rol32(hash[2], 16);
+- memcpy(out, hash, EXTRACT_SIZE);
+- memset(hash, 0, sizeof(hash));
++ hash.w[0] ^= hash.w[3];
++ hash.w[1] ^= hash.w[4];
++ hash.w[2] ^= rol32(hash.w[2], 16);
++
++ /*
++ * If we have a architectural hardware random number
++ * generator, mix that in, too.
++ */
++ for (i = 0; i < LONGS(EXTRACT_SIZE); i++) {
++ unsigned long v;
++ if (!arch_get_random_long(&v))
++ break;
++ hash.l[i] ^= v;
++ }
++
++ memcpy(out, &hash, EXTRACT_SIZE);
++ memset(&hash, 0, sizeof(hash));
+ }
+
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int min, int reserved)
++ size_t nbytes, int min, int reserved)
+ {
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+- unsigned long flags;
+
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+@@ -862,7 +948,9 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ while (nbytes) {
+ extract_buf(r, tmp);
+
+- if (r->last_data) {
++ if (fips_enabled) {
++ unsigned long flags;
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -921,8 +1009,9 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+
+ /*
+ * This function is the exported kernel interface. It returns some
+- * number of good random numbers, suitable for seeding TCP sequence
+- * numbers, etc.
++ * number of good random numbers, suitable for key generation, seeding
++ * TCP sequence numbers, etc. It does not use the hw random number
++ * generator, if available; use get_random_bytes_arch() for that.
+ */
+ void get_random_bytes(void *buf, int nbytes)
+ {
+@@ -931,6 +1020,38 @@ void get_random_bytes(void *buf, int nbytes)
+ EXPORT_SYMBOL(get_random_bytes);
+
+ /*
++ * This function will use the architecture-specific hardware random
++ * number generator if it is available. The arch-specific hw RNG will
++ * almost certainly be faster than what we can do in software, but it
++ * is impossible to verify that it is implemented securely (as
++ * opposed, to, say, the AES encryption of a sequence number using a
++ * key known by the NSA). So it's useful if we need the speed, but
++ * only if we're willing to trust the hardware manufacturer not to
++ * have put in a back door.
++ */
++void get_random_bytes_arch(void *buf, int nbytes)
++{
++ char *p = buf;
++
++ while (nbytes) {
++ unsigned long v;
++ int chunk = min(nbytes, (int)sizeof(unsigned long));
++
++ if (!arch_get_random_long(&v))
++ break;
++
++ memcpy(p, &v, chunk);
++ p += chunk;
++ nbytes -= chunk;
++ }
++
++ if (nbytes)
++ extract_entropy(&nonblocking_pool, p, nbytes, 0, 0);
++}
++EXPORT_SYMBOL(get_random_bytes_arch);
++
++
++/*
+ * init_std_data - initialize pool with system data
+ *
+ * @r: pool to initialize
+@@ -941,21 +1062,31 @@ EXPORT_SYMBOL(get_random_bytes);
+ */
+ static void init_std_data(struct entropy_store *r)
+ {
+- ktime_t now;
+- unsigned long flags;
++ int i;
++ ktime_t now = ktime_get_real();
++ unsigned long rv;
+
+- spin_lock_irqsave(&r->lock, flags);
+ r->entropy_count = 0;
+- spin_unlock_irqrestore(&r->lock, flags);
+-
+- now = ktime_get_real();
+- mix_pool_bytes(r, &now, sizeof(now));
+- mix_pool_bytes(r, utsname(), sizeof(*(utsname())));
+- /* Enable continuous test in fips mode */
+- if (fips_enabled)
+- r->last_data = kmalloc(EXTRACT_SIZE, GFP_KERNEL);
++ r->entropy_total = 0;
++ mix_pool_bytes(r, &now, sizeof(now), NULL);
++ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
++ if (!arch_get_random_long(&rv))
++ break;
++ mix_pool_bytes(r, &rv, sizeof(rv), NULL);
++ }
++ mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL);
+ }
+
++/*
++ * Note that setup_arch() may call add_device_randomness()
++ * long before we get here. This allows seeding of the pools
++ * with some platform dependent data very early in the boot
++ * process. But it limits our options here. We must use
++ * statically allocated structures that already have all
++ * initializations complete at compile time. We should also
++ * take care not to overwrite the precious per platform data
++ * we were given.
++ */
+ static int rand_initialize(void)
+ {
+ init_std_data(&input_pool);
+@@ -965,24 +1096,6 @@ static int rand_initialize(void)
+ }
+ module_init(rand_initialize);
+
+-void rand_initialize_irq(int irq)
+-{
+- struct timer_rand_state *state;
+-
+- state = get_timer_rand_state(irq);
+-
+- if (state)
+- return;
+-
+- /*
+- * If kzalloc returns null, we just won't use that entropy
+- * source.
+- */
+- state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
+- if (state)
+- set_timer_rand_state(irq, state);
+-}
+-
+ #ifdef CONFIG_BLOCK
+ void rand_initialize_disk(struct gendisk *disk)
+ {
+@@ -1090,7 +1203,7 @@ write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ count -= bytes;
+ p += bytes;
+
+- mix_pool_bytes(r, buf, bytes);
++ mix_pool_bytes(r, buf, bytes, NULL);
+ cond_resched();
+ }
+
+@@ -1231,10 +1344,15 @@ static int proc_do_uuid(ctl_table *table, int write,
+ uuid = table->data;
+ if (!uuid) {
+ uuid = tmp_uuid;
+- uuid[8] = 0;
+- }
+- if (uuid[8] == 0)
+ generate_random_uuid(uuid);
++ } else {
++ static DEFINE_SPINLOCK(bootid_spinlock);
++
++ spin_lock(&bootid_spinlock);
++ if (!uuid[8])
++ generate_random_uuid(uuid);
++ spin_unlock(&bootid_spinlock);
++ }
+
+ sprintf(buf, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
+ "%02x%02x%02x%02x%02x%02x",
+@@ -1357,9 +1475,14 @@ late_initcall(random_int_secret_init);
+ DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+- __u32 *hash = get_cpu_var(get_random_int_hash);
++ __u32 *hash;
+ unsigned int ret;
+
++ if (arch_get_random_int(&ret))
++ return ret;
++
++ hash = get_cpu_var(get_random_int_hash);
++
+ hash[0] += current->pid + jiffies + get_cycles();
+ md5_transform(hash, random_int_secret);
+ ret = hash[0];
+diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c
+index ac16fbe..dd4691a 100644
+--- a/drivers/char/tty_audit.c
++++ b/drivers/char/tty_audit.c
+@@ -94,8 +94,10 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
+ {
+ if (buf->valid == 0)
+ return;
+- if (audit_enabled == 0)
++ if (audit_enabled == 0) {
++ buf->valid = 0;
+ return;
++ }
+ tty_audit_log("tty", tsk, loginuid, sessionid, buf->major, buf->minor,
+ buf->data, buf->valid);
+ buf->valid = 0;
+diff --git a/drivers/dma/ioat/dma_v2.c b/drivers/dma/ioat/dma_v2.c
+index 5cc37af..d1be371 100644
+--- a/drivers/dma/ioat/dma_v2.c
++++ b/drivers/dma/ioat/dma_v2.c
+@@ -51,48 +51,40 @@ MODULE_PARM_DESC(ioat_ring_max_alloc_order,
+
+ void __ioat2_issue_pending(struct ioat2_dma_chan *ioat)
+ {
+- void * __iomem reg_base = ioat->base.reg_base;
++ struct ioat_chan_common *chan = &ioat->base;
+
+- ioat->pending = 0;
+ ioat->dmacount += ioat2_ring_pending(ioat);
+ ioat->issued = ioat->head;
+ /* make descriptor updates globally visible before notifying channel */
+ wmb();
+- writew(ioat->dmacount, reg_base + IOAT_CHAN_DMACOUNT_OFFSET);
+- dev_dbg(to_dev(&ioat->base),
++ writew(ioat->dmacount, chan->reg_base + IOAT_CHAN_DMACOUNT_OFFSET);
++ dev_dbg(to_dev(chan),
+ "%s: head: %#x tail: %#x issued: %#x count: %#x\n",
+ __func__, ioat->head, ioat->tail, ioat->issued, ioat->dmacount);
+ }
+
+-void ioat2_issue_pending(struct dma_chan *chan)
++void ioat2_issue_pending(struct dma_chan *c)
+ {
+- struct ioat2_dma_chan *ioat = to_ioat2_chan(chan);
++ struct ioat2_dma_chan *ioat = to_ioat2_chan(c);
+
+- spin_lock_bh(&ioat->ring_lock);
+- if (ioat->pending == 1)
++ if (ioat2_ring_pending(ioat)) {
++ spin_lock_bh(&ioat->ring_lock);
+ __ioat2_issue_pending(ioat);
+- spin_unlock_bh(&ioat->ring_lock);
++ spin_unlock_bh(&ioat->ring_lock);
++ }
+ }
+
+ /**
+ * ioat2_update_pending - log pending descriptors
+ * @ioat: ioat2+ channel
+ *
+- * set pending to '1' unless pending is already set to '2', pending == 2
+- * indicates that submission is temporarily blocked due to an in-flight
+- * reset. If we are already above the ioat_pending_level threshold then
+- * just issue pending.
+- *
+- * called with ring_lock held
++ * Check if the number of unsubmitted descriptors has exceeded the
++ * watermark. Called with ring_lock held
+ */
+ static void ioat2_update_pending(struct ioat2_dma_chan *ioat)
+ {
+- if (unlikely(ioat->pending == 2))
+- return;
+- else if (ioat2_ring_pending(ioat) > ioat_pending_level)
++ if (ioat2_ring_pending(ioat) > ioat_pending_level)
+ __ioat2_issue_pending(ioat);
+- else
+- ioat->pending = 1;
+ }
+
+ static void __ioat2_start_null_desc(struct ioat2_dma_chan *ioat)
+@@ -546,7 +538,6 @@ int ioat2_alloc_chan_resources(struct dma_chan *c)
+ ioat->head = 0;
+ ioat->issued = 0;
+ ioat->tail = 0;
+- ioat->pending = 0;
+ ioat->alloc_order = order;
+ spin_unlock_bh(&ioat->ring_lock);
+
+@@ -815,7 +806,6 @@ void ioat2_free_chan_resources(struct dma_chan *c)
+
+ chan->last_completion = 0;
+ chan->completion_dma = 0;
+- ioat->pending = 0;
+ ioat->dmacount = 0;
+ }
+
+diff --git a/drivers/dma/ioat/dma_v2.h b/drivers/dma/ioat/dma_v2.h
+index 3afad8d..d211335 100644
+--- a/drivers/dma/ioat/dma_v2.h
++++ b/drivers/dma/ioat/dma_v2.h
+@@ -47,7 +47,6 @@ extern int ioat_ring_alloc_order;
+ * @head: allocated index
+ * @issued: hardware notification point
+ * @tail: cleanup index
+- * @pending: lock free indicator for issued != head
+ * @dmacount: identical to 'head' except for occasionally resetting to zero
+ * @alloc_order: log2 of the number of allocated descriptors
+ * @ring: software ring buffer implementation of hardware ring
+@@ -61,7 +60,6 @@ struct ioat2_dma_chan {
+ u16 tail;
+ u16 dmacount;
+ u16 alloc_order;
+- int pending;
+ struct ioat_ring_ent **ring;
+ spinlock_t ring_lock;
+ };
+diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
+index 3a2ccb0..10a4246 100644
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -6,6 +6,7 @@
+ #include <linux/efi.h>
+ #include <linux/bootmem.h>
+ #include <linux/slab.h>
++#include <linux/random.h>
+ #include <asm/dmi.h>
+
+ /*
+@@ -111,6 +112,8 @@ static int __init dmi_walk_early(void (*decode)(const struct dmi_header *,
+
+ dmi_table(buf, dmi_len, dmi_num, decode, NULL);
+
++ add_device_randomness(buf, dmi_len);
++
+ dmi_iounmap(buf, dmi_len);
+ return 0;
+ }
+diff --git a/drivers/firmware/pcdp.c b/drivers/firmware/pcdp.c
+index 51e0e2d..a330492 100644
+--- a/drivers/firmware/pcdp.c
++++ b/drivers/firmware/pcdp.c
+@@ -95,7 +95,7 @@ efi_setup_pcdp_console(char *cmdline)
+ if (efi.hcdp == EFI_INVALID_TABLE_ADDR)
+ return -ENODEV;
+
+- pcdp = ioremap(efi.hcdp, 4096);
++ pcdp = early_ioremap(efi.hcdp, 4096);
+ printk(KERN_INFO "PCDP: v%d at 0x%lx\n", pcdp->rev, efi.hcdp);
+
+ if (strstr(cmdline, "console=hcdp")) {
+@@ -131,6 +131,6 @@ efi_setup_pcdp_console(char *cmdline)
+ }
+
+ out:
+- iounmap(pcdp);
++ early_iounmap(pcdp, 4096);
+ return rc;
+ }
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index 79cc437..25b3e90 100644
+diff --git a/drivers/mfd/wm831x-otp.c b/drivers/mfd/wm831x-otp.c
+index f742745..b90f3e0 100644
+--- a/drivers/mfd/wm831x-otp.c
++++ b/drivers/mfd/wm831x-otp.c
+@@ -18,6 +18,7 @@
+ #include <linux/bcd.h>
+ #include <linux/delay.h>
+ #include <linux/mfd/core.h>
++#include <linux/random.h>
+
+ #include <linux/mfd/wm831x/core.h>
+ #include <linux/mfd/wm831x/otp.h>
+@@ -66,6 +67,7 @@ static DEVICE_ATTR(unique_id, 0444, wm831x_unique_id_show, NULL);
+
+ int wm831x_otp_init(struct wm831x *wm831x)
+ {
++ char uuid[WM831X_UNIQUE_ID_LEN];
+ int ret;
+
+ ret = device_create_file(wm831x->dev, &dev_attr_unique_id);
+@@ -73,6 +75,12 @@ int wm831x_otp_init(struct wm831x *wm831x)
+ dev_err(wm831x->dev, "Unique ID attribute not created: %d\n",
+ ret);
+
++ ret = wm831x_unique_id_read(wm831x, uuid);
++ if (ret == 0)
++ add_device_randomness(uuid, sizeof(uuid));
++ else
++ dev_err(wm831x->dev, "Failed to read UUID: %d\n", ret);
++
+ return ret;
+ }
+
+diff --git a/drivers/mtd/nand/cafe_nand.c b/drivers/mtd/nand/cafe_nand.c
+index c828d9a..97b9c7b 100644
+--- a/drivers/mtd/nand/cafe_nand.c
++++ b/drivers/mtd/nand/cafe_nand.c
+@@ -103,7 +103,7 @@ static const char *part_probes[] = { "cmdlinepart", "RedBoot", NULL };
+ static int cafe_device_ready(struct mtd_info *mtd)
+ {
+ struct cafe_priv *cafe = mtd->priv;
+- int result = !!(cafe_readl(cafe, NAND_STATUS) | 0x40000000);
++ int result = !!(cafe_readl(cafe, NAND_STATUS) & 0x40000000);
+ uint32_t irqs = cafe_readl(cafe, NAND_IRQ);
+
+ cafe_writel(cafe, irqs, NAND_IRQ);
+diff --git a/drivers/net/atlx/atl1.c b/drivers/net/atlx/atl1.c
+index 403bfb6..adc862f 100644
+--- a/drivers/net/atlx/atl1.c
++++ b/drivers/net/atlx/atl1.c
+@@ -2478,7 +2478,7 @@ static irqreturn_t atl1_intr(int irq, void *data)
+ "pcie phy link down %x\n", status);
+ if (netif_running(adapter->netdev)) { /* reset MAC */
+ iowrite32(0, adapter->hw.hw_addr + REG_IMR);
+- schedule_work(&adapter->pcie_dma_to_rst_task);
++ schedule_work(&adapter->reset_dev_task);
+ return IRQ_HANDLED;
+ }
+ }
+@@ -2490,7 +2490,7 @@ static irqreturn_t atl1_intr(int irq, void *data)
+ "pcie DMA r/w error (status = 0x%x)\n",
+ status);
+ iowrite32(0, adapter->hw.hw_addr + REG_IMR);
+- schedule_work(&adapter->pcie_dma_to_rst_task);
++ schedule_work(&adapter->reset_dev_task);
+ return IRQ_HANDLED;
+ }
+
+@@ -2635,10 +2635,10 @@ static void atl1_down(struct atl1_adapter *adapter)
+ atl1_clean_rx_ring(adapter);
+ }
+
+-static void atl1_tx_timeout_task(struct work_struct *work)
++static void atl1_reset_dev_task(struct work_struct *work)
+ {
+ struct atl1_adapter *adapter =
+- container_of(work, struct atl1_adapter, tx_timeout_task);
++ container_of(work, struct atl1_adapter, reset_dev_task);
+ struct net_device *netdev = adapter->netdev;
+
+ netif_device_detach(netdev);
+@@ -3050,12 +3050,10 @@ static int __devinit atl1_probe(struct pci_dev *pdev,
+ (unsigned long)adapter);
+ adapter->phy_timer_pending = false;
+
+- INIT_WORK(&adapter->tx_timeout_task, atl1_tx_timeout_task);
++ INIT_WORK(&adapter->reset_dev_task, atl1_reset_dev_task);
+
+ INIT_WORK(&adapter->link_chg_task, atlx_link_chg_task);
+
+- INIT_WORK(&adapter->pcie_dma_to_rst_task, atl1_tx_timeout_task);
+-
+ err = register_netdev(netdev);
+ if (err)
+ goto err_common;
+diff --git a/drivers/net/atlx/atl1.h b/drivers/net/atlx/atl1.h
+index 146372f..0494e514 100644
+--- a/drivers/net/atlx/atl1.h
++++ b/drivers/net/atlx/atl1.h
+@@ -762,9 +762,8 @@ struct atl1_adapter {
+ u16 link_speed;
+ u16 link_duplex;
+ spinlock_t lock;
+- struct work_struct tx_timeout_task;
++ struct work_struct reset_dev_task;
+ struct work_struct link_chg_task;
+- struct work_struct pcie_dma_to_rst_task;
+
+ struct timer_list phy_config_timer;
+ bool phy_timer_pending;
+diff --git a/drivers/net/atlx/atlx.c b/drivers/net/atlx/atlx.c
+index 3dc0142..ce09b95 100644
+--- a/drivers/net/atlx/atlx.c
++++ b/drivers/net/atlx/atlx.c
+@@ -189,7 +189,7 @@ static void atlx_tx_timeout(struct net_device *netdev)
+ {
+ struct atlx_adapter *adapter = netdev_priv(netdev);
+ /* Do the reset outside of interrupt context */
+- schedule_work(&adapter->tx_timeout_task);
++ schedule_work(&adapter->reset_dev_task);
+ }
+
+ /*
+diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
+index 223990d..05308e6 100644
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -1471,8 +1471,11 @@ static struct aggregator *ad_agg_selection_test(struct aggregator *best,
+
+ static int agg_device_up(const struct aggregator *agg)
+ {
+- return (netif_running(agg->slave->dev) &&
+- netif_carrier_ok(agg->slave->dev));
++ struct port *port = agg->lag_ports;
++ if (!port)
++ return 0;
++ return (netif_running(port->slave->dev) &&
++ netif_carrier_ok(port->slave->dev));
+ }
+
+ /**
+diff --git a/drivers/net/dl2k.c b/drivers/net/dl2k.c
+index 7fa7a90..c2f9313 100644
+--- a/drivers/net/dl2k.c
++++ b/drivers/net/dl2k.c
+@@ -1279,55 +1279,21 @@ rio_ioctl (struct net_device *dev, struct ifreq *rq, int cmd)
+ {
+ int phy_addr;
+ struct netdev_private *np = netdev_priv(dev);
+- struct mii_data *miidata = (struct mii_data *) &rq->ifr_ifru;
+-
+- struct netdev_desc *desc;
+- int i;
++ struct mii_ioctl_data *miidata = if_mii(rq);
+
+ phy_addr = np->phy_addr;
+ switch (cmd) {
+- case SIOCDEVPRIVATE:
+- break;
+-
+- case SIOCDEVPRIVATE + 1:
+- miidata->out_value = mii_read (dev, phy_addr, miidata->reg_num);
++ case SIOCGMIIPHY:
++ miidata->phy_id = phy_addr;
+ break;
+- case SIOCDEVPRIVATE + 2:
+- mii_write (dev, phy_addr, miidata->reg_num, miidata->in_value);
++ case SIOCGMIIREG:
++ miidata->val_out = mii_read (dev, phy_addr, miidata->reg_num);
+ break;
+- case SIOCDEVPRIVATE + 3:
+- break;
+- case SIOCDEVPRIVATE + 4:
+- break;
+- case SIOCDEVPRIVATE + 5:
+- netif_stop_queue (dev);
++ case SIOCSMIIREG:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++ mii_write (dev, phy_addr, miidata->reg_num, miidata->val_in);
+ break;
+- case SIOCDEVPRIVATE + 6:
+- netif_wake_queue (dev);
+- break;
+- case SIOCDEVPRIVATE + 7:
+- printk
+- ("tx_full=%x cur_tx=%lx old_tx=%lx cur_rx=%lx old_rx=%lx\n",
+- netif_queue_stopped(dev), np->cur_tx, np->old_tx, np->cur_rx,
+- np->old_rx);
+- break;
+- case SIOCDEVPRIVATE + 8:
+- printk("TX ring:\n");
+- for (i = 0; i < TX_RING_SIZE; i++) {
+- desc = &np->tx_ring[i];
+- printk
+- ("%02x:cur:%08x next:%08x status:%08x frag1:%08x frag0:%08x",
+- i,
+- (u32) (np->tx_ring_dma + i * sizeof (*desc)),
+- (u32)le64_to_cpu(desc->next_desc),
+- (u32)le64_to_cpu(desc->status),
+- (u32)(le64_to_cpu(desc->fraginfo) >> 32),
+- (u32)le64_to_cpu(desc->fraginfo));
+- printk ("\n");
+- }
+- printk ("\n");
+- break;
+-
+ default:
+ return -EOPNOTSUPP;
+ }
+@@ -1448,7 +1414,7 @@ mii_wait_link (struct net_device *dev, int wait)
+
+ do {
+ bmsr = mii_read (dev, phy_addr, MII_BMSR);
+- if (bmsr & MII_BMSR_LINK_STATUS)
++ if (bmsr & BMSR_LSTATUS)
+ return 0;
+ mdelay (1);
+ } while (--wait > 0);
+@@ -1469,60 +1435,60 @@ mii_get_media (struct net_device *dev)
+
+ bmsr = mii_read (dev, phy_addr, MII_BMSR);
+ if (np->an_enable) {
+- if (!(bmsr & MII_BMSR_AN_COMPLETE)) {
++ if (!(bmsr & BMSR_ANEGCOMPLETE)) {
+ /* Auto-Negotiation not completed */
+ return -1;
+ }
+- negotiate = mii_read (dev, phy_addr, MII_ANAR) &
+- mii_read (dev, phy_addr, MII_ANLPAR);
+- mscr = mii_read (dev, phy_addr, MII_MSCR);
+- mssr = mii_read (dev, phy_addr, MII_MSSR);
+- if (mscr & MII_MSCR_1000BT_FD && mssr & MII_MSSR_LP_1000BT_FD) {
++ negotiate = mii_read (dev, phy_addr, MII_ADVERTISE) &
++ mii_read (dev, phy_addr, MII_LPA);
++ mscr = mii_read (dev, phy_addr, MII_CTRL1000);
++ mssr = mii_read (dev, phy_addr, MII_STAT1000);
++ if (mscr & ADVERTISE_1000FULL && mssr & LPA_1000FULL) {
+ np->speed = 1000;
+ np->full_duplex = 1;
+ printk (KERN_INFO "Auto 1000 Mbps, Full duplex\n");
+- } else if (mscr & MII_MSCR_1000BT_HD && mssr & MII_MSSR_LP_1000BT_HD) {
++ } else if (mscr & ADVERTISE_1000HALF && mssr & LPA_1000HALF) {
+ np->speed = 1000;
+ np->full_duplex = 0;
+ printk (KERN_INFO "Auto 1000 Mbps, Half duplex\n");
+- } else if (negotiate & MII_ANAR_100BX_FD) {
++ } else if (negotiate & ADVERTISE_100FULL) {
+ np->speed = 100;
+ np->full_duplex = 1;
+ printk (KERN_INFO "Auto 100 Mbps, Full duplex\n");
+- } else if (negotiate & MII_ANAR_100BX_HD) {
++ } else if (negotiate & ADVERTISE_100HALF) {
+ np->speed = 100;
+ np->full_duplex = 0;
+ printk (KERN_INFO "Auto 100 Mbps, Half duplex\n");
+- } else if (negotiate & MII_ANAR_10BT_FD) {
++ } else if (negotiate & ADVERTISE_10FULL) {
+ np->speed = 10;
+ np->full_duplex = 1;
+ printk (KERN_INFO "Auto 10 Mbps, Full duplex\n");
+- } else if (negotiate & MII_ANAR_10BT_HD) {
++ } else if (negotiate & ADVERTISE_10HALF) {
+ np->speed = 10;
+ np->full_duplex = 0;
+ printk (KERN_INFO "Auto 10 Mbps, Half duplex\n");
+ }
+- if (negotiate & MII_ANAR_PAUSE) {
++ if (negotiate & ADVERTISE_PAUSE_CAP) {
+ np->tx_flow &= 1;
+ np->rx_flow &= 1;
+- } else if (negotiate & MII_ANAR_ASYMMETRIC) {
++ } else if (negotiate & ADVERTISE_PAUSE_ASYM) {
+ np->tx_flow = 0;
+ np->rx_flow &= 1;
+ }
+ /* else tx_flow, rx_flow = user select */
+ } else {
+ __u16 bmcr = mii_read (dev, phy_addr, MII_BMCR);
+- switch (bmcr & (MII_BMCR_SPEED_100 | MII_BMCR_SPEED_1000)) {
+- case MII_BMCR_SPEED_1000:
++ switch (bmcr & (BMCR_SPEED100 | BMCR_SPEED1000)) {
++ case BMCR_SPEED1000:
+ printk (KERN_INFO "Operating at 1000 Mbps, ");
+ break;
+- case MII_BMCR_SPEED_100:
++ case BMCR_SPEED100:
+ printk (KERN_INFO "Operating at 100 Mbps, ");
+ break;
+ case 0:
+ printk (KERN_INFO "Operating at 10 Mbps, ");
+ }
+- if (bmcr & MII_BMCR_DUPLEX_MODE) {
++ if (bmcr & BMCR_FULLDPLX) {
+ printk (KERN_CONT "Full duplex\n");
+ } else {
+ printk (KERN_CONT "Half duplex\n");
+@@ -1556,24 +1522,22 @@ mii_set_media (struct net_device *dev)
+ if (np->an_enable) {
+ /* Advertise capabilities */
+ bmsr = mii_read (dev, phy_addr, MII_BMSR);
+- anar = mii_read (dev, phy_addr, MII_ANAR) &
+- ~MII_ANAR_100BX_FD &
+- ~MII_ANAR_100BX_HD &
+- ~MII_ANAR_100BT4 &
+- ~MII_ANAR_10BT_FD &
+- ~MII_ANAR_10BT_HD;
+- if (bmsr & MII_BMSR_100BX_FD)
+- anar |= MII_ANAR_100BX_FD;
+- if (bmsr & MII_BMSR_100BX_HD)
+- anar |= MII_ANAR_100BX_HD;
+- if (bmsr & MII_BMSR_100BT4)
+- anar |= MII_ANAR_100BT4;
+- if (bmsr & MII_BMSR_10BT_FD)
+- anar |= MII_ANAR_10BT_FD;
+- if (bmsr & MII_BMSR_10BT_HD)
+- anar |= MII_ANAR_10BT_HD;
+- anar |= MII_ANAR_PAUSE | MII_ANAR_ASYMMETRIC;
+- mii_write (dev, phy_addr, MII_ANAR, anar);
++ anar = mii_read (dev, phy_addr, MII_ADVERTISE) &
++ ~(ADVERTISE_100FULL | ADVERTISE_10FULL |
++ ADVERTISE_100HALF | ADVERTISE_10HALF |
++ ADVERTISE_100BASE4);
++ if (bmsr & BMSR_100FULL)
++ anar |= ADVERTISE_100FULL;
++ if (bmsr & BMSR_100HALF)
++ anar |= ADVERTISE_100HALF;
++ if (bmsr & BMSR_100BASE4)
++ anar |= ADVERTISE_100BASE4;
++ if (bmsr & BMSR_10FULL)
++ anar |= ADVERTISE_10FULL;
++ if (bmsr & BMSR_10HALF)
++ anar |= ADVERTISE_10HALF;
++ anar |= ADVERTISE_PAUSE_CAP | ADVERTISE_PAUSE_ASYM;
++ mii_write (dev, phy_addr, MII_ADVERTISE, anar);
+
+ /* Enable Auto crossover */
+ pscr = mii_read (dev, phy_addr, MII_PHY_SCR);
+@@ -1581,8 +1545,8 @@ mii_set_media (struct net_device *dev)
+ mii_write (dev, phy_addr, MII_PHY_SCR, pscr);
+
+ /* Soft reset PHY */
+- mii_write (dev, phy_addr, MII_BMCR, MII_BMCR_RESET);
+- bmcr = MII_BMCR_AN_ENABLE | MII_BMCR_RESTART_AN | MII_BMCR_RESET;
++ mii_write (dev, phy_addr, MII_BMCR, BMCR_RESET);
++ bmcr = BMCR_ANENABLE | BMCR_ANRESTART | BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ mdelay(1);
+ } else {
+@@ -1594,7 +1558,7 @@ mii_set_media (struct net_device *dev)
+
+ /* 2) PHY Reset */
+ bmcr = mii_read (dev, phy_addr, MII_BMCR);
+- bmcr |= MII_BMCR_RESET;
++ bmcr |= BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+
+ /* 3) Power Down */
+@@ -1603,25 +1567,25 @@ mii_set_media (struct net_device *dev)
+ mdelay (100); /* wait a certain time */
+
+ /* 4) Advertise nothing */
+- mii_write (dev, phy_addr, MII_ANAR, 0);
++ mii_write (dev, phy_addr, MII_ADVERTISE, 0);
+
+ /* 5) Set media and Power Up */
+- bmcr = MII_BMCR_POWER_DOWN;
++ bmcr = BMCR_PDOWN;
+ if (np->speed == 100) {
+- bmcr |= MII_BMCR_SPEED_100;
++ bmcr |= BMCR_SPEED100;
+ printk (KERN_INFO "Manual 100 Mbps, ");
+ } else if (np->speed == 10) {
+ printk (KERN_INFO "Manual 10 Mbps, ");
+ }
+ if (np->full_duplex) {
+- bmcr |= MII_BMCR_DUPLEX_MODE;
++ bmcr |= BMCR_FULLDPLX;
+ printk (KERN_CONT "Full duplex\n");
+ } else {
+ printk (KERN_CONT "Half duplex\n");
+ }
+ #if 0
+ /* Set 1000BaseT Master/Slave setting */
+- mscr = mii_read (dev, phy_addr, MII_MSCR);
++ mscr = mii_read (dev, phy_addr, MII_CTRL1000);
+ mscr |= MII_MSCR_CFG_ENABLE;
+ mscr &= ~MII_MSCR_CFG_VALUE = 0;
+ #endif
+@@ -1644,7 +1608,7 @@ mii_get_media_pcs (struct net_device *dev)
+
+ bmsr = mii_read (dev, phy_addr, PCS_BMSR);
+ if (np->an_enable) {
+- if (!(bmsr & MII_BMSR_AN_COMPLETE)) {
++ if (!(bmsr & BMSR_ANEGCOMPLETE)) {
+ /* Auto-Negotiation not completed */
+ return -1;
+ }
+@@ -1669,7 +1633,7 @@ mii_get_media_pcs (struct net_device *dev)
+ } else {
+ __u16 bmcr = mii_read (dev, phy_addr, PCS_BMCR);
+ printk (KERN_INFO "Operating at 1000 Mbps, ");
+- if (bmcr & MII_BMCR_DUPLEX_MODE) {
++ if (bmcr & BMCR_FULLDPLX) {
+ printk (KERN_CONT "Full duplex\n");
+ } else {
+ printk (KERN_CONT "Half duplex\n");
+@@ -1702,7 +1666,7 @@ mii_set_media_pcs (struct net_device *dev)
+ if (np->an_enable) {
+ /* Advertise capabilities */
+ esr = mii_read (dev, phy_addr, PCS_ESR);
+- anar = mii_read (dev, phy_addr, MII_ANAR) &
++ anar = mii_read (dev, phy_addr, MII_ADVERTISE) &
+ ~PCS_ANAR_HALF_DUPLEX &
+ ~PCS_ANAR_FULL_DUPLEX;
+ if (esr & (MII_ESR_1000BT_HD | MII_ESR_1000BX_HD))
+@@ -1710,22 +1674,21 @@ mii_set_media_pcs (struct net_device *dev)
+ if (esr & (MII_ESR_1000BT_FD | MII_ESR_1000BX_FD))
+ anar |= PCS_ANAR_FULL_DUPLEX;
+ anar |= PCS_ANAR_PAUSE | PCS_ANAR_ASYMMETRIC;
+- mii_write (dev, phy_addr, MII_ANAR, anar);
++ mii_write (dev, phy_addr, MII_ADVERTISE, anar);
+
+ /* Soft reset PHY */
+- mii_write (dev, phy_addr, MII_BMCR, MII_BMCR_RESET);
+- bmcr = MII_BMCR_AN_ENABLE | MII_BMCR_RESTART_AN |
+- MII_BMCR_RESET;
++ mii_write (dev, phy_addr, MII_BMCR, BMCR_RESET);
++ bmcr = BMCR_ANENABLE | BMCR_ANRESTART | BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ mdelay(1);
+ } else {
+ /* Force speed setting */
+ /* PHY Reset */
+- bmcr = MII_BMCR_RESET;
++ bmcr = BMCR_RESET;
+ mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ mdelay(10);
+ if (np->full_duplex) {
+- bmcr = MII_BMCR_DUPLEX_MODE;
++ bmcr = BMCR_FULLDPLX;
+ printk (KERN_INFO "Manual full duplex\n");
+ } else {
+ bmcr = 0;
+@@ -1735,7 +1698,7 @@ mii_set_media_pcs (struct net_device *dev)
+ mdelay(10);
+
+ /* Advertise nothing */
+- mii_write (dev, phy_addr, MII_ANAR, 0);
++ mii_write (dev, phy_addr, MII_ADVERTISE, 0);
+ }
+ return 0;
+ }
+diff --git a/drivers/net/dl2k.h b/drivers/net/dl2k.h
+index 266ec87..cde8ecd 100644
+--- a/drivers/net/dl2k.h
++++ b/drivers/net/dl2k.h
+@@ -28,6 +28,7 @@
+ #include <linux/init.h>
+ #include <linux/crc32.h>
+ #include <linux/ethtool.h>
++#include <linux/mii.h>
+ #include <linux/bitops.h>
+ #include <asm/processor.h> /* Processor type for cache alignment. */
+ #include <asm/io.h>
+@@ -271,20 +272,9 @@ enum RFS_bits {
+ #define MII_RESET_TIME_OUT 10000
+ /* MII register */
+ enum _mii_reg {
+- MII_BMCR = 0,
+- MII_BMSR = 1,
+- MII_PHY_ID1 = 2,
+- MII_PHY_ID2 = 3,
+- MII_ANAR = 4,
+- MII_ANLPAR = 5,
+- MII_ANER = 6,
+- MII_ANNPT = 7,
+- MII_ANLPRNP = 8,
+- MII_MSCR = 9,
+- MII_MSSR = 10,
+- MII_ESR = 15,
+ MII_PHY_SCR = 16,
+ };
++
+ /* PCS register */
+ enum _pcs_reg {
+ PCS_BMCR = 0,
+@@ -297,102 +287,6 @@ enum _pcs_reg {
+ PCS_ESR = 15,
+ };
+
+-/* Basic Mode Control Register */
+-enum _mii_bmcr {
+- MII_BMCR_RESET = 0x8000,
+- MII_BMCR_LOOP_BACK = 0x4000,
+- MII_BMCR_SPEED_LSB = 0x2000,
+- MII_BMCR_AN_ENABLE = 0x1000,
+- MII_BMCR_POWER_DOWN = 0x0800,
+- MII_BMCR_ISOLATE = 0x0400,
+- MII_BMCR_RESTART_AN = 0x0200,
+- MII_BMCR_DUPLEX_MODE = 0x0100,
+- MII_BMCR_COL_TEST = 0x0080,
+- MII_BMCR_SPEED_MSB = 0x0040,
+- MII_BMCR_SPEED_RESERVED = 0x003f,
+- MII_BMCR_SPEED_10 = 0,
+- MII_BMCR_SPEED_100 = MII_BMCR_SPEED_LSB,
+- MII_BMCR_SPEED_1000 = MII_BMCR_SPEED_MSB,
+-};
+-
+-/* Basic Mode Status Register */
+-enum _mii_bmsr {
+- MII_BMSR_100BT4 = 0x8000,
+- MII_BMSR_100BX_FD = 0x4000,
+- MII_BMSR_100BX_HD = 0x2000,
+- MII_BMSR_10BT_FD = 0x1000,
+- MII_BMSR_10BT_HD = 0x0800,
+- MII_BMSR_100BT2_FD = 0x0400,
+- MII_BMSR_100BT2_HD = 0x0200,
+- MII_BMSR_EXT_STATUS = 0x0100,
+- MII_BMSR_PREAMBLE_SUPP = 0x0040,
+- MII_BMSR_AN_COMPLETE = 0x0020,
+- MII_BMSR_REMOTE_FAULT = 0x0010,
+- MII_BMSR_AN_ABILITY = 0x0008,
+- MII_BMSR_LINK_STATUS = 0x0004,
+- MII_BMSR_JABBER_DETECT = 0x0002,
+- MII_BMSR_EXT_CAP = 0x0001,
+-};
+-
+-/* ANAR */
+-enum _mii_anar {
+- MII_ANAR_NEXT_PAGE = 0x8000,
+- MII_ANAR_REMOTE_FAULT = 0x4000,
+- MII_ANAR_ASYMMETRIC = 0x0800,
+- MII_ANAR_PAUSE = 0x0400,
+- MII_ANAR_100BT4 = 0x0200,
+- MII_ANAR_100BX_FD = 0x0100,
+- MII_ANAR_100BX_HD = 0x0080,
+- MII_ANAR_10BT_FD = 0x0020,
+- MII_ANAR_10BT_HD = 0x0010,
+- MII_ANAR_SELECTOR = 0x001f,
+- MII_IEEE8023_CSMACD = 0x0001,
+-};
+-
+-/* ANLPAR */
+-enum _mii_anlpar {
+- MII_ANLPAR_NEXT_PAGE = MII_ANAR_NEXT_PAGE,
+- MII_ANLPAR_REMOTE_FAULT = MII_ANAR_REMOTE_FAULT,
+- MII_ANLPAR_ASYMMETRIC = MII_ANAR_ASYMMETRIC,
+- MII_ANLPAR_PAUSE = MII_ANAR_PAUSE,
+- MII_ANLPAR_100BT4 = MII_ANAR_100BT4,
+- MII_ANLPAR_100BX_FD = MII_ANAR_100BX_FD,
+- MII_ANLPAR_100BX_HD = MII_ANAR_100BX_HD,
+- MII_ANLPAR_10BT_FD = MII_ANAR_10BT_FD,
+- MII_ANLPAR_10BT_HD = MII_ANAR_10BT_HD,
+- MII_ANLPAR_SELECTOR = MII_ANAR_SELECTOR,
+-};
+-
+-/* Auto-Negotiation Expansion Register */
+-enum _mii_aner {
+- MII_ANER_PAR_DETECT_FAULT = 0x0010,
+- MII_ANER_LP_NEXTPAGABLE = 0x0008,
+- MII_ANER_NETXTPAGABLE = 0x0004,
+- MII_ANER_PAGE_RECEIVED = 0x0002,
+- MII_ANER_LP_NEGOTIABLE = 0x0001,
+-};
+-
+-/* MASTER-SLAVE Control Register */
+-enum _mii_mscr {
+- MII_MSCR_TEST_MODE = 0xe000,
+- MII_MSCR_CFG_ENABLE = 0x1000,
+- MII_MSCR_CFG_VALUE = 0x0800,
+- MII_MSCR_PORT_VALUE = 0x0400,
+- MII_MSCR_1000BT_FD = 0x0200,
+- MII_MSCR_1000BT_HD = 0X0100,
+-};
+-
+-/* MASTER-SLAVE Status Register */
+-enum _mii_mssr {
+- MII_MSSR_CFG_FAULT = 0x8000,
+- MII_MSSR_CFG_RES = 0x4000,
+- MII_MSSR_LOCAL_RCV_STATUS = 0x2000,
+- MII_MSSR_REMOTE_RCVR = 0x1000,
+- MII_MSSR_LP_1000BT_FD = 0x0800,
+- MII_MSSR_LP_1000BT_HD = 0x0400,
+- MII_MSSR_IDLE_ERR_COUNT = 0x00ff,
+-};
+-
+ /* IEEE Extened Status Register */
+ enum _mii_esr {
+ MII_ESR_1000BX_FD = 0x8000,
+@@ -471,13 +365,6 @@ struct ioctl_data {
+ char *data;
+ };
+
+-struct mii_data {
+- __u16 reserved;
+- __u16 reg_num;
+- __u16 in_value;
+- __u16 out_value;
+-};
+-
+ /* The Rx and Tx buffer descriptors. */
+ struct netdev_desc {
+ __le64 next_desc;
+diff --git a/drivers/net/ks8851_mll.c b/drivers/net/ks8851_mll.c
+index c0ceebc..4e3a69c 100644
+--- a/drivers/net/ks8851_mll.c
++++ b/drivers/net/ks8851_mll.c
+@@ -35,7 +35,7 @@
+ #define DRV_NAME "ks8851_mll"
+
+ static u8 KS_DEFAULT_MAC_ADDRESS[] = { 0x00, 0x10, 0xA1, 0x86, 0x95, 0x11 };
+-#define MAX_RECV_FRAMES 32
++#define MAX_RECV_FRAMES 255
+ #define MAX_BUF_SIZE 2048
+ #define TX_BUF_SIZE 2000
+ #define RX_BUF_SIZE 2000
+diff --git a/drivers/net/netxen/netxen_nic.h b/drivers/net/netxen/netxen_nic.h
+index e52af5b..50d2af8 100644
+--- a/drivers/net/netxen/netxen_nic.h
++++ b/drivers/net/netxen/netxen_nic.h
+@@ -700,7 +700,8 @@ struct netxen_recv_context {
+ #define NX_CDRP_CMD_READ_PEXQ_PARAMETERS 0x0000001c
+ #define NX_CDRP_CMD_GET_LIC_CAPABILITIES 0x0000001d
+ #define NX_CDRP_CMD_READ_MAX_LRO_PER_BOARD 0x0000001e
+-#define NX_CDRP_CMD_MAX 0x0000001f
++#define NX_CDRP_CMD_CONFIG_GBE_PORT 0x0000001f
++#define NX_CDRP_CMD_MAX 0x00000020
+
+ #define NX_RCODE_SUCCESS 0
+ #define NX_RCODE_NO_HOST_MEM 1
+@@ -1015,6 +1016,7 @@ typedef struct {
+ #define NX_FW_CAPABILITY_BDG (1 << 8)
+ #define NX_FW_CAPABILITY_FVLANTX (1 << 9)
+ #define NX_FW_CAPABILITY_HW_LRO (1 << 10)
++#define NX_FW_CAPABILITY_GBE_LINK_CFG (1 << 11)
+
+ /* module types */
+ #define LINKEVENT_MODULE_NOT_PRESENT 1
+@@ -1323,6 +1325,9 @@ int netxen_config_ipaddr(struct netxen_adapter *adapter, u32 ip, int cmd);
+ int netxen_linkevent_request(struct netxen_adapter *adapter, int enable);
+ void netxen_advert_link_change(struct netxen_adapter *adapter, int linkup);
+
++int nx_fw_cmd_set_gbe_port(struct netxen_adapter *adapter,
++ u32 speed, u32 duplex, u32 autoneg);
++
+ int nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu);
+ int netxen_nic_change_mtu(struct net_device *netdev, int new_mtu);
+ int netxen_config_hw_lro(struct netxen_adapter *adapter, int enable);
+diff --git a/drivers/net/netxen/netxen_nic_ctx.c b/drivers/net/netxen/netxen_nic_ctx.c
+index 9cb8f68..f48cdb2 100644
+--- a/drivers/net/netxen/netxen_nic_ctx.c
++++ b/drivers/net/netxen/netxen_nic_ctx.c
+@@ -112,6 +112,21 @@ nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu)
+ return 0;
+ }
+
++int
++nx_fw_cmd_set_gbe_port(struct netxen_adapter *adapter,
++ u32 speed, u32 duplex, u32 autoneg)
++{
++
++ return netxen_issue_cmd(adapter,
++ adapter->ahw.pci_func,
++ NXHAL_VERSION,
++ speed,
++ duplex,
++ autoneg,
++ NX_CDRP_CMD_CONFIG_GBE_PORT);
++
++}
++
+ static int
+ nx_fw_cmd_create_rx_ctx(struct netxen_adapter *adapter)
+ {
+diff --git a/drivers/net/netxen/netxen_nic_ethtool.c b/drivers/net/netxen/netxen_nic_ethtool.c
+index 714f387..7e34840 100644
+--- a/drivers/net/netxen/netxen_nic_ethtool.c
++++ b/drivers/net/netxen/netxen_nic_ethtool.c
+@@ -216,7 +216,6 @@ skip:
+ check_sfp_module = netif_running(dev) &&
+ adapter->has_link_events;
+ } else {
+- ecmd->autoneg = AUTONEG_ENABLE;
+ ecmd->supported |= (SUPPORTED_TP |SUPPORTED_Autoneg);
+ ecmd->advertising |=
+ (ADVERTISED_TP | ADVERTISED_Autoneg);
+@@ -254,53 +253,24 @@ static int
+ netxen_nic_set_settings(struct net_device *dev, struct ethtool_cmd *ecmd)
+ {
+ struct netxen_adapter *adapter = netdev_priv(dev);
+- __u32 status;
++ int ret;
+
+- /* read which mode */
+- if (adapter->ahw.port_type == NETXEN_NIC_GBE) {
+- /* autonegotiation */
+- if (adapter->phy_write
+- && adapter->phy_write(adapter,
+- NETXEN_NIU_GB_MII_MGMT_ADDR_AUTONEG,
+- ecmd->autoneg) != 0)
+- return -EIO;
+- else
+- adapter->link_autoneg = ecmd->autoneg;
++ if (adapter->ahw.port_type != NETXEN_NIC_GBE)
++ return -EOPNOTSUPP;
+
+- if (adapter->phy_read
+- && adapter->phy_read(adapter,
+- NETXEN_NIU_GB_MII_MGMT_ADDR_PHY_STATUS,
+- &status) != 0)
+- return -EIO;
++ if (!(adapter->capabilities & NX_FW_CAPABILITY_GBE_LINK_CFG))
++ return -EOPNOTSUPP;
+
+- /* speed */
+- switch (ecmd->speed) {
+- case SPEED_10:
+- netxen_set_phy_speed(status, 0);
+- break;
+- case SPEED_100:
+- netxen_set_phy_speed(status, 1);
+- break;
+- case SPEED_1000:
+- netxen_set_phy_speed(status, 2);
+- break;
+- }
+- /* set duplex mode */
+- if (ecmd->duplex == DUPLEX_HALF)
+- netxen_clear_phy_duplex(status);
+- if (ecmd->duplex == DUPLEX_FULL)
+- netxen_set_phy_duplex(status);
+- if (adapter->phy_write
+- && adapter->phy_write(adapter,
+- NETXEN_NIU_GB_MII_MGMT_ADDR_PHY_STATUS,
+- *((int *)&status)) != 0)
+- return -EIO;
+- else {
+- adapter->link_speed = ecmd->speed;
+- adapter->link_duplex = ecmd->duplex;
+- }
+- } else
++ ret = nx_fw_cmd_set_gbe_port(adapter, ecmd->speed, ecmd->duplex,
++ ecmd->autoneg);
++ if (ret == NX_RCODE_NOT_SUPPORTED)
+ return -EOPNOTSUPP;
++ else if (ret)
++ return -EIO;
++
++ adapter->link_speed = ecmd->speed;
++ adapter->link_duplex = ecmd->duplex;
++ adapter->link_autoneg = ecmd->autoneg;
+
+ if (!netif_running(dev))
+ return 0;
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 0f77aca..894ad84 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1121,10 +1121,12 @@ static long tun_chr_ioctl(struct file *file, unsigned int cmd,
+ int sndbuf;
+ int ret;
+
+- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, sizeof ifr))
+ return -EFAULT;
+-
++ } else {
++ memset(&ifr, 0, sizeof(ifr));
++ }
+ if (cmd == TUNGETFEATURES) {
+ /* Currently this just means: "what IFF flags are valid?".
+ * This is needed because we never checked for invalid flags on
+diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
+index e391ef9..fd8e335 100644
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1325,7 +1325,7 @@ static int kaweth_internal_control_msg(struct usb_device *usb_dev,
+ int retv;
+ int length = 0; /* shut up GCC */
+
+- urb = usb_alloc_urb(0, GFP_NOIO);
++ urb = usb_alloc_urb(0, GFP_ATOMIC);
+ if (!urb)
+ return -ENOMEM;
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index da33dce..07f69ee 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -584,6 +584,14 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
+ entry = (struct skb_data *) skb->cb;
+ urb = entry->urb;
+
++ /*
++ * Get reference count of the URB to avoid it to be
++ * freed during usb_unlink_urb, which may trigger
++ * use-after-free problem inside usb_unlink_urb since
++ * usb_unlink_urb is always racing with .complete
++ * handler(include defer_bh).
++ */
++ usb_get_urb(urb);
+ spin_unlock_irqrestore(&q->lock, flags);
+ // during some PM-driven resume scenarios,
+ // these (async) unlinks complete immediately
+@@ -592,6 +600,7 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
+ devdbg (dev, "unlink urb err, %d", retval);
+ else
+ count++;
++ usb_put_urb(urb);
+ spin_lock_irqsave(&q->lock, flags);
+ }
+ spin_unlock_irqrestore (&q->lock, flags);
+@@ -989,7 +998,6 @@ static void tx_complete (struct urb *urb)
+ }
+ }
+
+- urb->dev = NULL;
+ entry->state = tx_done;
+ defer_bh(dev, skb, &dev->txq);
+ }
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 1e42381..d0959af 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2550,6 +2550,40 @@ static void __devinit fixup_ti816x_class(struct pci_dev* dev)
+ }
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_TI, 0xb800, fixup_ti816x_class);
+
++/*
++ * Some BIOS implementations leave the Intel GPU interrupts enabled,
++ * even though no one is handling them (f.e. i915 driver is never loaded).
++ * Additionally the interrupt destination is not set up properly
++ * and the interrupt ends up -somewhere-.
++ *
++ * These spurious interrupts are "sticky" and the kernel disables
++ * the (shared) interrupt line after 100.000+ generated interrupts.
++ *
++ * Fix it by disabling the still enabled interrupts.
++ * This resolves crashes often seen on monitor unplug.
++ */
++#define I915_DEIER_REG 0x4400c
++static void __devinit disable_igfx_irq(struct pci_dev *dev)
++{
++ void __iomem *regs = pci_iomap(dev, 0, 0);
++ if (regs == NULL) {
++ dev_warn(&dev->dev, "igfx quirk: Can't iomap PCI device\n");
++ return;
++ }
++
++ /* Check if any interrupt line is still enabled */
++ if (readl(regs + I915_DEIER_REG) != 0) {
++ dev_warn(&dev->dev, "BIOS left Intel GPU interrupts enabled; "
++ "disabling\n");
++
++ writel(0, regs + I915_DEIER_REG);
++ }
++
++ pci_iounmap(dev, regs);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
++
+ static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f,
+ struct pci_fixup *end)
+ {
+diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c
+index eb39d26..253996c 100644
+--- a/drivers/pnp/quirks.c
++++ b/drivers/pnp/quirks.c
+@@ -300,9 +300,9 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
+ }
+ }
+
+-#ifdef CONFIG_AMD_NB
++#ifdef CONFIG_K8_NB
+
+-#include <asm/amd_nb.h>
++#include <asm/k8.h>
+
+ static void quirk_amd_mmconfig_area(struct pnp_dev *dev)
+ {
+@@ -366,7 +366,7 @@ static struct pnp_fixup pnp_fixups[] = {
+ /* PnP resources that might overlap PCI BARs */
+ {"PNP0c01", quirk_system_pci_resources},
+ {"PNP0c02", quirk_system_pci_resources},
+-#ifdef CONFIG_AMD_NB
++#ifdef CONFIG_K8_NB
+ {"PNP0c01", quirk_amd_mmconfig_area},
+ #endif
+ {""}
+diff --git a/drivers/rtc/rtc-wm831x.c b/drivers/rtc/rtc-wm831x.c
+index 79795cd..daefe66 100644
+--- a/drivers/rtc/rtc-wm831x.c
++++ b/drivers/rtc/rtc-wm831x.c
+@@ -23,7 +23,7 @@
+ #include <linux/mfd/wm831x/core.h>
+ #include <linux/delay.h>
+ #include <linux/platform_device.h>
+-
++#include <linux/random.h>
+
+ /*
+ * R16416 (0x4020) - RTC Write Counter
+@@ -95,6 +95,26 @@ struct wm831x_rtc {
+ unsigned int alarm_enabled:1;
+ };
+
++static void wm831x_rtc_add_randomness(struct wm831x *wm831x)
++{
++ int ret;
++ u16 reg;
++
++ /*
++ * The write counter contains a pseudo-random number which is
++ * regenerated every time we set the RTC so it should be a
++ * useful per-system source of entropy.
++ */
++ ret = wm831x_reg_read(wm831x, WM831X_RTC_WRITE_COUNTER);
++ if (ret >= 0) {
++ reg = ret;
++ add_device_randomness(®, sizeof(reg));
++ } else {
++ dev_warn(wm831x->dev, "Failed to read RTC write counter: %d\n",
++ ret);
++ }
++}
++
+ /*
+ * Read current time and date in RTC
+ */
+@@ -464,6 +484,8 @@ static int wm831x_rtc_probe(struct platform_device *pdev)
+ alm_irq, ret);
+ }
+
++ wm831x_rtc_add_randomness(wm831x);
++
+ return 0;
+
+ err:
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index b10ee2a..1bdfde1 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -754,7 +754,7 @@ static struct domain_device *sas_ex_discover_end_dev(
+ }
+
+ /* See if this phy is part of a wide port */
+-static int sas_ex_join_wide_port(struct domain_device *parent, int phy_id)
++static bool sas_ex_join_wide_port(struct domain_device *parent, int phy_id)
+ {
+ struct ex_phy *phy = &parent->ex_dev.ex_phy[phy_id];
+ int i;
+@@ -770,11 +770,11 @@ static int sas_ex_join_wide_port(struct domain_device *parent, int phy_id)
+ sas_port_add_phy(ephy->port, phy->phy);
+ phy->port = ephy->port;
+ phy->phy_state = PHY_DEVICE_DISCOVERED;
+- return 0;
++ return true;
+ }
+ }
+
+- return -ENODEV;
++ return false;
+ }
+
+ static struct domain_device *sas_ex_discover_expander(
+@@ -912,8 +912,7 @@ static int sas_ex_discover_dev(struct domain_device *dev, int phy_id)
+ return res;
+ }
+
+- res = sas_ex_join_wide_port(dev, phy_id);
+- if (!res) {
++ if (sas_ex_join_wide_port(dev, phy_id)) {
+ SAS_DPRINTK("Attaching ex phy%d to wide port %016llx\n",
+ phy_id, SAS_ADDR(ex_phy->attached_sas_addr));
+ return res;
+@@ -958,8 +957,7 @@ static int sas_ex_discover_dev(struct domain_device *dev, int phy_id)
+ if (SAS_ADDR(ex->ex_phy[i].attached_sas_addr) ==
+ SAS_ADDR(child->sas_addr)) {
+ ex->ex_phy[i].phy_state= PHY_DEVICE_DISCOVERED;
+- res = sas_ex_join_wide_port(dev, i);
+- if (!res)
++ if (sas_ex_join_wide_port(dev, i))
+ SAS_DPRINTK("Attaching ex phy%d to wide port %016llx\n",
+ i, SAS_ADDR(ex->ex_phy[i].attached_sas_addr));
+
+@@ -1812,32 +1810,20 @@ static int sas_discover_new(struct domain_device *dev, int phy_id)
+ {
+ struct ex_phy *ex_phy = &dev->ex_dev.ex_phy[phy_id];
+ struct domain_device *child;
+- bool found = false;
+- int res, i;
++ int res;
+
+ SAS_DPRINTK("ex %016llx phy%d new device attached\n",
+ SAS_ADDR(dev->sas_addr), phy_id);
+ res = sas_ex_phy_discover(dev, phy_id);
+ if (res)
+- goto out;
+- /* to support the wide port inserted */
+- for (i = 0; i < dev->ex_dev.num_phys; i++) {
+- struct ex_phy *ex_phy_temp = &dev->ex_dev.ex_phy[i];
+- if (i == phy_id)
+- continue;
+- if (SAS_ADDR(ex_phy_temp->attached_sas_addr) ==
+- SAS_ADDR(ex_phy->attached_sas_addr)) {
+- found = true;
+- break;
+- }
+- }
+- if (found) {
+- sas_ex_join_wide_port(dev, phy_id);
++ return res;
++
++ if (sas_ex_join_wide_port(dev, phy_id))
+ return 0;
+- }
++
+ res = sas_ex_discover_devices(dev, phy_id);
+- if (!res)
+- goto out;
++ if (res)
++ return res;
+ list_for_each_entry(child, &dev->ex_dev.children, siblings) {
+ if (SAS_ADDR(child->sas_addr) ==
+ SAS_ADDR(ex_phy->attached_sas_addr)) {
+@@ -1847,7 +1833,6 @@ static int sas_discover_new(struct domain_device *dev, int phy_id)
+ break;
+ }
+ }
+-out:
+ return res;
+ }
+
+@@ -1946,9 +1931,7 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev)
+ struct domain_device *dev = NULL;
+
+ res = sas_find_bcast_dev(port_dev, &dev);
+- if (res)
+- goto out;
+- if (dev) {
++ while (res == 0 && dev) {
+ struct expander_device *ex = &dev->ex_dev;
+ int i = 0, phy_id;
+
+@@ -1960,8 +1943,10 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev)
+ res = sas_rediscover(dev, phy_id);
+ i = phy_id + 1;
+ } while (i < ex->num_phys);
++
++ dev = NULL;
++ res = sas_find_bcast_dev(port_dev, &dev);
+ }
+-out:
+ return res;
+ }
+
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 573921d..3890793 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1550,6 +1550,20 @@ static void scsi_restart_operations(struct Scsi_Host *shost)
+ * requests are started.
+ */
+ scsi_run_host_queues(shost);
++
++ /*
++ * if eh is active and host_eh_scheduled is pending we need to re-run
++ * recovery. we do this check after scsi_run_host_queues() to allow
++ * everything pent up since the last eh run a chance to make forward
++ * progress before we sync again. Either we'll immediately re-run
++ * recovery or scsi_device_unbusy() will wake us again when these
++ * pending commands complete.
++ */
++ spin_lock_irqsave(shost->host_lock, flags);
++ if (shost->host_eh_scheduled)
++ if (scsi_host_set_state(shost, SHOST_RECOVERY))
++ WARN_ON(scsi_host_set_state(shost, SHOST_CANCEL_RECOVERY));
++ spin_unlock_irqrestore(shost->host_lock, flags);
+ }
+
+ /**
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 8df12522..e28f9b0 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -482,15 +482,26 @@ static void scsi_run_queue(struct request_queue *q)
+ */
+ static void scsi_requeue_command(struct request_queue *q, struct scsi_cmnd *cmd)
+ {
++ struct scsi_device *sdev = cmd->device;
+ struct request *req = cmd->request;
+ unsigned long flags;
+
++ /*
++ * We need to hold a reference on the device to avoid the queue being
++ * killed after the unlock and before scsi_run_queue is invoked which
++ * may happen because scsi_unprep_request() puts the command which
++ * releases its reference on the device.
++ */
++ get_device(&sdev->sdev_gendev);
++
+ spin_lock_irqsave(q->queue_lock, flags);
+ scsi_unprep_request(req);
+ blk_requeue_request(q, req);
+ spin_unlock_irqrestore(q->queue_lock, flags);
+
+ scsi_run_queue(q);
++
++ put_device(&sdev->sdev_gendev);
+ }
+
+ void scsi_next_command(struct scsi_cmnd *cmd)
+diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
+index 1fbf7c7..11c0085 100644
+--- a/drivers/scsi/scsi_priv.h
++++ b/drivers/scsi/scsi_priv.h
+@@ -107,6 +107,7 @@ extern void scsi_exit_procfs(void);
+ #endif /* CONFIG_PROC_FS */
+
+ /* scsi_scan.c */
++extern int scsi_complete_async_scans(void);
+ extern int scsi_scan_host_selected(struct Scsi_Host *, unsigned int,
+ unsigned int, unsigned int, int);
+ extern void scsi_forget_host(struct Scsi_Host *);
+diff --git a/drivers/scsi/scsi_wait_scan.c b/drivers/scsi/scsi_wait_scan.c
+index 74708fc..5c22bda 100644
+--- a/drivers/scsi/scsi_wait_scan.c
++++ b/drivers/scsi/scsi_wait_scan.c
+@@ -13,6 +13,7 @@
+ #include <linux/module.h>
+ #include <linux/device.h>
+ #include <scsi/scsi_scan.h>
++#include "scsi_priv.h"
+
+ static int __init wait_scan_init(void)
+ {
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 653f853..8ad9dfb 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1120,7 +1120,8 @@ skip_normal_probe:
+ }
+
+
+- if (data_interface->cur_altsetting->desc.bNumEndpoints < 2)
++ if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
++ control_interface->cur_altsetting->desc.bNumEndpoints == 0)
+ return -EINVAL;
+
+ epctrl = &control_interface->cur_altsetting->endpoint[0].desc;
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index d71514b..37f2899 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -441,6 +441,8 @@ retry:
+ goto retry;
+ }
+ if (!desc->reslength) { /* zero length read */
++ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
++ clear_bit(WDM_READ, &desc->flags);
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index df1e873..48742ff 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1454,10 +1454,14 @@ static int processcompl_compat(struct async *as, void __user * __user *arg)
+ void __user *addr = as->userurb;
+ unsigned int i;
+
+- if (as->userbuffer && urb->actual_length)
+- if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+- urb->actual_length))
++ if (as->userbuffer && urb->actual_length) {
++ if (urb->number_of_packets > 0) /* Isochronous */
++ i = urb->transfer_buffer_length;
++ else /* Non-Isoc */
++ i = urb->actual_length;
++ if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
+ return -EFAULT;
++ }
+ if (put_user(as->status, &userurb->status))
+ return -EFAULT;
+ if (put_user(urb->actual_length, &userurb->actual_length))
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 2b428fc..02aad50 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -23,6 +23,7 @@
+ #include <linux/mutex.h>
+ #include <linux/freezer.h>
+ #include <linux/usb/quirks.h>
++#include <linux/random.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/byteorder.h>
+@@ -458,10 +459,8 @@ hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt)
+ * talking to TTs must queue control transfers (not just bulk and iso), so
+ * both can talk to the same hub concurrently.
+ */
+-static void hub_tt_work(struct work_struct *work)
++void _hub_tt_work(struct usb_hub *hub)
+ {
+- struct usb_hub *hub =
+- container_of(work, struct usb_hub, tt.clear_work);
+ unsigned long flags;
+ int limit = 100;
+
+@@ -496,6 +495,14 @@ static void hub_tt_work(struct work_struct *work)
+ spin_unlock_irqrestore (&hub->tt.lock, flags);
+ }
+
++void hub_tt_work(struct work_struct *work)
++{
++ struct usb_hub *hub =
++ container_of(work, struct usb_hub, tt.clear_work);
++
++ _hub_tt_work(hub);
++}
++
+ /**
+ * usb_hub_clear_tt_buffer - clear control/bulk TT state in high speed hub
+ * @urb: an URB associated with the failed or incomplete split transaction
+@@ -543,7 +550,20 @@ int usb_hub_clear_tt_buffer(struct urb *urb)
+ /* tell keventd to clear state for this TT */
+ spin_lock_irqsave (&tt->lock, flags);
+ list_add_tail (&clear->clear_list, &tt->clear_list);
+- schedule_work(&tt->clear_work);
++ /* don't schedule on kevent if we're running on keventd (e.g.,
++ * in hid_reset we can get here on kevent) unless on >=2.6.36
++ */
++ if (!current_is_keventd())
++ /* put it on keventd */
++ schedule_work(&tt->clear_work);
++ else {
++ /* let khubd do it */
++ struct usb_hub *hub =
++ container_of(&tt->clear_work, struct usb_hub,
++ tt.clear_work);
++ kick_khubd(hub);
++ }
++
+ spin_unlock_irqrestore (&tt->lock, flags);
+ return 0;
+ }
+@@ -1812,6 +1832,14 @@ int usb_new_device(struct usb_device *udev)
+ /* Tell the world! */
+ announce_device(udev);
+
++ if (udev->serial)
++ add_device_randomness(udev->serial, strlen(udev->serial));
++ if (udev->product)
++ add_device_randomness(udev->product, strlen(udev->product));
++ if (udev->manufacturer)
++ add_device_randomness(udev->manufacturer,
++ strlen(udev->manufacturer));
++
+ /* Register the device. The device driver is responsible
+ * for configuring the device and invoking the add-device
+ * notifier chain (used by usbfs and possibly others).
+@@ -3274,6 +3302,10 @@ static void hub_events(void)
+ if (hub->quiescing)
+ goto loop_autopm;
+
++ /* _hub_tt_work usually run on keventd */
++ if (!list_empty(&hub->tt.clear_list))
++ _hub_tt_work(hub);
++
+ if (hub->error) {
+ dev_dbg (hub_dev, "resetting for error %d\n",
+ hub->error);
+diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
+index 1206a26..7565f55 100644
+--- a/drivers/usb/early/ehci-dbgp.c
++++ b/drivers/usb/early/ehci-dbgp.c
+@@ -449,7 +449,7 @@ static int dbgp_ehci_startup(void)
+ writel(FLAG_CF, &ehci_regs->configured_flag);
+
+ /* Wait until the controller is no longer halted */
+- loop = 10;
++ loop = 1000;
+ do {
+ status = readl(&ehci_regs->status);
+ if (!(status & STS_HALT))
+diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
+index 0ff157a..981b604 100644
+--- a/drivers/usb/host/pci-quirks.c
++++ b/drivers/usb/host/pci-quirks.c
+@@ -458,9 +458,13 @@ static void __devinit quirk_usb_handoff_xhci(struct pci_dev *pdev)
+ }
+ }
+
+- /* Disable any BIOS SMIs */
+- writel(XHCI_LEGACY_DISABLE_SMI,
+- base + ext_cap_offset + XHCI_LEGACY_CONTROL_OFFSET);
++ val = readl(base + ext_cap_offset + XHCI_LEGACY_CONTROL_OFFSET);
++ /* Mask off (turn off) any enabled SMIs */
++ val &= XHCI_LEGACY_DISABLE_SMI;
++ /* Mask all SMI events bits, RW1C */
++ val |= XHCI_LEGACY_SMI_EVENTS;
++ /* Disable any BIOS SMIs and clear all SMI events*/
++ writel(val, base + ext_cap_offset + XHCI_LEGACY_CONTROL_OFFSET);
+
+ hc_init:
+ op_reg_base = base + XHCI_HC_LENGTH(readl(base));
+diff --git a/drivers/usb/host/xhci-ext-caps.h b/drivers/usb/host/xhci-ext-caps.h
+index 78c4eda..e2acc97 100644
+--- a/drivers/usb/host/xhci-ext-caps.h
++++ b/drivers/usb/host/xhci-ext-caps.h
+@@ -62,8 +62,9 @@
+ /* USB Legacy Support Control and Status Register - section 7.1.2 */
+ /* Add this offset, plus the value of xECP in HCCPARAMS to the base address */
+ #define XHCI_LEGACY_CONTROL_OFFSET (0x04)
+-/* bits 1:2, 5:12, and 17:19 need to be preserved; bits 21:28 should be zero */
+-#define XHCI_LEGACY_DISABLE_SMI ((0x3 << 1) + (0xff << 5) + (0x7 << 17))
++/* bits 1:3, 5:12, and 17:19 need to be preserved; bits 21:28 should be zero */
++#define XHCI_LEGACY_DISABLE_SMI ((0x7 << 1) + (0xff << 5) + (0x7 << 17))
++#define XHCI_LEGACY_SMI_EVENTS (0x7 << 29)
+
+ /* command register values to disable interrupts and halt the HC */
+ /* start/stop HC execution - do not write unless HC is halted*/
+diff --git a/drivers/usb/host/xhci-hcd.c b/drivers/usb/host/xhci-hcd.c
+index 56661a2..0641633 100644
+--- a/drivers/usb/host/xhci-hcd.c
++++ b/drivers/usb/host/xhci-hcd.c
+@@ -150,7 +150,7 @@ int xhci_reset(struct xhci_hcd *xhci)
+ xhci_to_hcd(xhci)->state = HC_STATE_HALT;
+
+ ret = handshake(xhci, &xhci->op_regs->command,
+- CMD_RESET, 0, 250 * 1000);
++ CMD_RESET, 0, 10 * 1000 * 1000);
+ if (ret)
+ return ret;
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 8c29073..776fd43 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -934,11 +934,6 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ int i;
+
+ /* Free the Event Ring Segment Table and the actual Event Ring */
+- if (xhci->ir_set) {
+- xhci_writel(xhci, 0, &xhci->ir_set->erst_size);
+- xhci_write_64(xhci, 0, &xhci->ir_set->erst_base);
+- xhci_write_64(xhci, 0, &xhci->ir_set->erst_dequeue);
+- }
+ size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
+ if (xhci->erst.entries)
+ pci_free_consistent(pdev, size,
+@@ -950,7 +945,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ xhci->event_ring = NULL;
+ xhci_dbg(xhci, "Freed event ring\n");
+
+- xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring);
++ xhci->cmd_ring_reserved_trbs = 0;
+ if (xhci->cmd_ring)
+ xhci_ring_free(xhci, xhci->cmd_ring);
+ xhci->cmd_ring = NULL;
+@@ -969,7 +964,6 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ xhci->device_pool = NULL;
+ xhci_dbg(xhci, "Freed device context pool\n");
+
+- xhci_write_64(xhci, 0, &xhci->op_regs->dcbaa_ptr);
+ if (xhci->dcbaa)
+ pci_free_consistent(pdev, sizeof(*xhci->dcbaa),
+ xhci->dcbaa, xhci->dcbaa->dma);
+@@ -1146,6 +1140,8 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+
+ fail:
+ xhci_warn(xhci, "Couldn't initialize memory\n");
++ xhci_halt(xhci);
++ xhci_reset(xhci);
+ xhci_mem_cleanup(xhci);
+ return -ENOMEM;
+ }
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 0a1ccaa..c374beb 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1784,7 +1784,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
+
+ dbg("%s", __func__);
+
+- if (strcmp(udev->manufacturer, "CALAO Systems") == 0)
++ if ((udev->manufacturer) &&
++ (strcmp(udev->manufacturer, "CALAO Systems") == 0))
+ return ftdi_jtag_probe(serial);
+
+ return 0;
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
+index 9fdcee2..61829b8 100644
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1181,9 +1181,12 @@ static int mos7840_chars_in_buffer(struct tty_struct *tty)
+ }
+
+ spin_lock_irqsave(&mos7840_port->pool_lock, flags);
+- for (i = 0; i < NUM_URBS; ++i)
+- if (mos7840_port->busy[i])
+- chars += URB_TRANSFER_BUFFER_SIZE;
++ for (i = 0; i < NUM_URBS; ++i) {
++ if (mos7840_port->busy[i]) {
++ struct urb *urb = mos7840_port->write_urb_pool[i];
++ chars += urb->transfer_buffer_length;
++ }
++ }
+ spin_unlock_irqrestore(&mos7840_port->pool_lock, flags);
+ dbg("%s - returns %d", __func__, chars);
+ return chars;
+diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
+index f23f3b4..5429bc5 100644
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -1083,6 +1083,12 @@ int usb_serial_probe(struct usb_interface *interface,
+ serial->attached = 1;
+ }
+
++ /* Avoid race with tty_open and serial_install by setting the
++ * disconnected flag and not clearing it until all ports have been
++ * registered.
++ */
++ serial->disconnected = 1;
++
+ if (get_free_serial(serial, num_ports, &minor) == NULL) {
+ dev_err(&interface->dev, "No more free serial devices\n");
+ goto probe_error;
+@@ -1105,6 +1111,8 @@ int usb_serial_probe(struct usb_interface *interface,
+ }
+ }
+
++ serial->disconnected = 0;
++
+ usb_serial_console_init(debug, minor);
+
+ exit:
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index 54fbb29..6623a2e 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -814,8 +814,15 @@ static int __devinit uvesafb_vbe_init(struct fb_info *info)
+ par->pmi_setpal = pmi_setpal;
+ par->ypan = ypan;
+
+- if (par->pmi_setpal || par->ypan)
+- uvesafb_vbe_getpmi(task, par);
++ if (par->pmi_setpal || par->ypan) {
++ if (__supported_pte_mask & _PAGE_NX) {
++ par->pmi_setpal = par->ypan = 0;
++ printk(KERN_WARNING "uvesafb: NX protection is actively."
++ "We have better not to use the PMI.\n");
++ } else {
++ uvesafb_vbe_getpmi(task, par);
++ }
++ }
+ #else
+ /* The protected mode interface is not available on non-x86. */
+ par->pmi_setpal = par->ypan = 0;
+diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
+index c0861e7..8aac2d6 100644
+--- a/fs/btrfs/async-thread.c
++++ b/fs/btrfs/async-thread.c
+@@ -211,10 +211,17 @@ static noinline int run_ordered_completions(struct btrfs_workers *workers,
+
+ work->ordered_func(work);
+
+- /* now take the lock again and call the freeing code */
++ /* now take the lock again and drop our item from the list */
+ spin_lock(&workers->order_lock);
+ list_del(&work->order_list);
++ spin_unlock(&workers->order_lock);
++
++ /*
++ * we don't want to call the ordered free functions
++ * with the lock held though
++ */
+ work->ordered_free(work);
++ spin_lock(&workers->order_lock);
+ }
+
+ spin_unlock(&workers->order_lock);
+diff --git a/fs/compat.c b/fs/compat.c
+index d1e2411..46b93d1 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -1208,11 +1208,14 @@ compat_sys_readv(unsigned long fd, const struct compat_iovec __user *vec,
+ struct file *file;
+ int fput_needed;
+ ssize_t ret;
++ loff_t pos;
+
+ file = fget_light(fd, &fput_needed);
+ if (!file)
+ return -EBADF;
+- ret = compat_readv(file, vec, vlen, &file->f_pos);
++ pos = file->f_pos;
++ ret = compat_readv(file, vec, vlen, &pos);
++ file->f_pos = pos;
+ fput_light(file, fput_needed);
+ return ret;
+ }
+@@ -1265,11 +1268,14 @@ compat_sys_writev(unsigned long fd, const struct compat_iovec __user *vec,
+ struct file *file;
+ int fput_needed;
+ ssize_t ret;
++ loff_t pos;
+
+ file = fget_light(fd, &fput_needed);
+ if (!file)
+ return -EBADF;
+- ret = compat_writev(file, vec, vlen, &file->f_pos);
++ pos = file->f_pos;
++ ret = compat_writev(file, vec, vlen, &pos);
++ file->f_pos = pos;
+ fput_light(file, fput_needed);
+ return ret;
+ }
+diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
+index 90a6087..3c1dbc0 100644
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -777,6 +777,9 @@ static int truncate_upper(struct dentry *dentry, struct iattr *ia,
+ goto out;
+ }
+ crypt_stat = &ecryptfs_inode_to_private(dentry->d_inode)->crypt_stat;
++ if (crypt_stat->flags & ECRYPTFS_NEW_FILE)
++ crypt_stat->flags &= ~(ECRYPTFS_NEW_FILE);
++
+ /* Set up a fake ecryptfs file, this is used to interface with
+ * the file in the underlying filesystem so that the
+ * truncation has an effect there as well. */
+@@ -1035,6 +1038,8 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ rc = lower_dentry->d_inode->i_op->setxattr(lower_dentry, name, value,
+ size, flags);
+ mutex_unlock(&lower_dentry->d_inode->i_mutex);
++ if (!rc)
++ fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode, NULL);
+ out:
+ return rc;
+ }
+diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
+index e14cf7e..5ffc900 100644
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -148,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
+ (*lower_file) = dentry_open(lower_dentry, lower_mnt, flags, cred);
+ if (!IS_ERR(*lower_file))
+ goto out;
+- if (flags & O_RDONLY) {
++ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+ }
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index f539204..ff57421 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -200,6 +200,12 @@ struct eventpoll {
+
+ /* The user that created the eventpoll descriptor */
+ struct user_struct *user;
++
++ struct file *file;
++
++ /* used to optimize loop detection check */
++ int visited;
++ struct list_head visited_list_link;
+ };
+
+ /* Wait structure used by the poll hooks */
+@@ -258,6 +264,15 @@ static struct kmem_cache *epi_cache __read_mostly;
+ /* Slab cache used to allocate "struct eppoll_entry" */
+ static struct kmem_cache *pwq_cache __read_mostly;
+
++/* Visited nodes during ep_loop_check(), so we can unset them when we finish */
++static LIST_HEAD(visited_list);
++
++/*
++ * List of files with newly added links, where we may need to limit the number
++ * of emanating paths. Protected by the epmutex.
++ */
++static LIST_HEAD(tfile_check_list);
++
+ #ifdef CONFIG_SYSCTL
+
+ #include <linux/sysctl.h>
+@@ -277,6 +292,12 @@ ctl_table epoll_table[] = {
+ };
+ #endif /* CONFIG_SYSCTL */
+
++static const struct file_operations eventpoll_fops;
++
++static inline int is_file_epoll(struct file *f)
++{
++ return f->f_op == &eventpoll_fops;
++}
+
+ /* Setup the structure that is used as key for the RB tree */
+ static inline void ep_set_ffd(struct epoll_filefd *ffd,
+@@ -300,6 +321,11 @@ static inline int ep_is_linked(struct list_head *p)
+ return !list_empty(p);
+ }
+
++static inline struct eppoll_entry *ep_pwq_from_wait(wait_queue_t *p)
++{
++ return container_of(p, struct eppoll_entry, wait);
++}
++
+ /* Get the "struct epitem" from a wait queue pointer */
+ static inline struct epitem *ep_item_from_wait(wait_queue_t *p)
+ {
+@@ -434,6 +460,18 @@ static void ep_poll_safewake(wait_queue_head_t *wq)
+ put_cpu();
+ }
+
++static void ep_remove_wait_queue(struct eppoll_entry *pwq)
++{
++ wait_queue_head_t *whead;
++
++ rcu_read_lock();
++ /* If it is cleared by POLLFREE, it should be rcu-safe */
++ whead = rcu_dereference(pwq->whead);
++ if (whead)
++ remove_wait_queue(whead, &pwq->wait);
++ rcu_read_unlock();
++}
++
+ /*
+ * This function unregisters poll callbacks from the associated file
+ * descriptor. Must be called with "mtx" held (or "epmutex" if called from
+@@ -448,7 +486,7 @@ static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)
+ pwq = list_first_entry(lsthead, struct eppoll_entry, llink);
+
+ list_del(&pwq->llink);
+- remove_wait_queue(pwq->whead, &pwq->wait);
++ ep_remove_wait_queue(pwq);
+ kmem_cache_free(pwq_cache, pwq);
+ }
+ }
+@@ -698,12 +736,6 @@ static const struct file_operations eventpoll_fops = {
+ .poll = ep_eventpoll_poll
+ };
+
+-/* Fast test to see if the file is an evenpoll file */
+-static inline int is_file_epoll(struct file *f)
+-{
+- return f->f_op == &eventpoll_fops;
+-}
+-
+ /*
+ * This is called from eventpoll_release() to unlink files from the eventpoll
+ * interface. We need to have this facility to cleanup correctly files that are
+@@ -814,6 +846,17 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k
+ struct epitem *epi = ep_item_from_wait(wait);
+ struct eventpoll *ep = epi->ep;
+
++ if ((unsigned long)key & POLLFREE) {
++ ep_pwq_from_wait(wait)->whead = NULL;
++ /*
++ * whead = NULL above can race with ep_remove_wait_queue()
++ * which can do another remove_wait_queue() after us, so we
++ * can't use __remove_wait_queue(). whead->lock is held by
++ * the caller.
++ */
++ list_del_init(&wait->task_list);
++ }
++
+ spin_lock_irqsave(&ep->lock, flags);
+
+ /*
+@@ -913,6 +956,103 @@ static void ep_rbtree_insert(struct eventpoll *ep, struct epitem *epi)
+ rb_insert_color(&epi->rbn, &ep->rbr);
+ }
+
++
++
++#define PATH_ARR_SIZE 5
++/*
++ * These are the number paths of length 1 to 5, that we are allowing to emanate
++ * from a single file of interest. For example, we allow 1000 paths of length
++ * 1, to emanate from each file of interest. This essentially represents the
++ * potential wakeup paths, which need to be limited in order to avoid massive
++ * uncontrolled wakeup storms. The common use case should be a single ep which
++ * is connected to n file sources. In this case each file source has 1 path
++ * of length 1. Thus, the numbers below should be more than sufficient. These
++ * path limits are enforced during an EPOLL_CTL_ADD operation, since a modify
++ * and delete can't add additional paths. Protected by the epmutex.
++ */
++static const int path_limits[PATH_ARR_SIZE] = { 1000, 500, 100, 50, 10 };
++static int path_count[PATH_ARR_SIZE];
++
++static int path_count_inc(int nests)
++{
++ /* Allow an arbitrary number of depth 1 paths */
++ if (nests == 0)
++ return 0;
++
++ if (++path_count[nests] > path_limits[nests])
++ return -1;
++ return 0;
++}
++
++static void path_count_init(void)
++{
++ int i;
++
++ for (i = 0; i < PATH_ARR_SIZE; i++)
++ path_count[i] = 0;
++}
++
++static int reverse_path_check_proc(void *priv, void *cookie, int call_nests)
++{
++ int error = 0;
++ struct file *file = priv;
++ struct file *child_file;
++ struct epitem *epi;
++
++ list_for_each_entry(epi, &file->f_ep_links, fllink) {
++ child_file = epi->ep->file;
++ if (is_file_epoll(child_file)) {
++ if (list_empty(&child_file->f_ep_links)) {
++ if (path_count_inc(call_nests)) {
++ error = -1;
++ break;
++ }
++ } else {
++ error = ep_call_nested(&poll_loop_ncalls,
++ EP_MAX_NESTS,
++ reverse_path_check_proc,
++ child_file, child_file,
++ current);
++ }
++ if (error != 0)
++ break;
++ } else {
++ printk(KERN_ERR "reverse_path_check_proc: "
++ "file is not an ep!\n");
++ }
++ }
++ return error;
++}
++
++/**
++ * reverse_path_check - The tfile_check_list is list of file *, which have
++ * links that are proposed to be newly added. We need to
++ * make sure that those added links don't add too many
++ * paths such that we will spend all our time waking up
++ * eventpoll objects.
++ *
++ * Returns: Returns zero if the proposed links don't create too many paths,
++ * -1 otherwise.
++ */
++static int reverse_path_check(void)
++{
++ int length = 0;
++ int error = 0;
++ struct file *current_file;
++
++ /* let's call this for all tfiles */
++ list_for_each_entry(current_file, &tfile_check_list, f_tfile_llink) {
++ length++;
++ path_count_init();
++ error = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
++ reverse_path_check_proc, current_file,
++ current_file, current);
++ if (error)
++ break;
++ }
++ return error;
++}
++
+ /*
+ * Must be called with "mtx" held.
+ */
+@@ -973,6 +1113,11 @@ static int ep_insert(struct eventpoll *ep, struct epoll_event *event,
+ */
+ ep_rbtree_insert(ep, epi);
+
++ /* now check if we've created too many backpaths */
++ error = -EINVAL;
++ if (reverse_path_check())
++ goto error_remove_epi;
++
+ /* We have to drop the new item inside our item list to keep track of it */
+ spin_lock_irqsave(&ep->lock, flags);
+
+@@ -997,6 +1142,14 @@ static int ep_insert(struct eventpoll *ep, struct epoll_event *event,
+
+ return 0;
+
++error_remove_epi:
++ spin_lock(&tfile->f_lock);
++ if (ep_is_linked(&epi->fllink))
++ list_del_init(&epi->fllink);
++ spin_unlock(&tfile->f_lock);
++
++ rb_erase(&epi->rbn, &ep->rbr);
++
+ error_unregister:
+ ep_unregister_pollwait(ep, epi);
+
+@@ -1223,18 +1376,36 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
+ int error = 0;
+ struct file *file = priv;
+ struct eventpoll *ep = file->private_data;
++ struct eventpoll *ep_tovisit;
+ struct rb_node *rbp;
+ struct epitem *epi;
+
+ mutex_lock_nested(&ep->mtx, call_nests + 1);
++ ep->visited = 1;
++ list_add(&ep->visited_list_link, &visited_list);
+ for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) {
+ epi = rb_entry(rbp, struct epitem, rbn);
+ if (unlikely(is_file_epoll(epi->ffd.file))) {
++ ep_tovisit = epi->ffd.file->private_data;
++ if (ep_tovisit->visited)
++ continue;
+ error = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
+- ep_loop_check_proc, epi->ffd.file,
+- epi->ffd.file->private_data, current);
++ ep_loop_check_proc, epi->ffd.file,
++ ep_tovisit, current);
+ if (error != 0)
+ break;
++ } else {
++ /*
++ * If we've reached a file that is not associated with
++ * an ep, then we need to check if the newly added
++ * links are going to add too many wakeup paths. We do
++ * this by adding it to the tfile_check_list, if it's
++ * not already there, and calling reverse_path_check()
++ * during ep_insert().
++ */
++ if (list_empty(&epi->ffd.file->f_tfile_llink))
++ list_add(&epi->ffd.file->f_tfile_llink,
++ &tfile_check_list);
+ }
+ }
+ mutex_unlock(&ep->mtx);
+@@ -1255,8 +1426,31 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
+ */
+ static int ep_loop_check(struct eventpoll *ep, struct file *file)
+ {
+- return ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
++ int ret;
++ struct eventpoll *ep_cur, *ep_next;
++
++ ret = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
+ ep_loop_check_proc, file, ep, current);
++ /* clear visited list */
++ list_for_each_entry_safe(ep_cur, ep_next, &visited_list,
++ visited_list_link) {
++ ep_cur->visited = 0;
++ list_del(&ep_cur->visited_list_link);
++ }
++ return ret;
++}
++
++static void clear_tfile_check_list(void)
++{
++ struct file *file;
++
++ /* first clear the tfile_check_list */
++ while (!list_empty(&tfile_check_list)) {
++ file = list_first_entry(&tfile_check_list, struct file,
++ f_tfile_llink);
++ list_del_init(&file->f_tfile_llink);
++ }
++ INIT_LIST_HEAD(&tfile_check_list);
+ }
+
+ /*
+@@ -1264,8 +1458,9 @@ static int ep_loop_check(struct eventpoll *ep, struct file *file)
+ */
+ SYSCALL_DEFINE1(epoll_create1, int, flags)
+ {
+- int error;
++ int error, fd;
+ struct eventpoll *ep = NULL;
++ struct file *file;
+
+ /* Check the EPOLL_* constant for consistency. */
+ BUILD_BUG_ON(EPOLL_CLOEXEC != O_CLOEXEC);
+@@ -1282,11 +1477,25 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
+ * Creates all the items needed to setup an eventpoll file. That is,
+ * a file structure and a free file descriptor.
+ */
+- error = anon_inode_getfd("[eventpoll]", &eventpoll_fops, ep,
+- flags & O_CLOEXEC);
+- if (error < 0)
+- ep_free(ep);
+-
++ fd = get_unused_fd_flags(O_RDWR | (flags & O_CLOEXEC));
++ if (fd < 0) {
++ error = fd;
++ goto out_free_ep;
++ }
++ file = anon_inode_getfile("[eventpoll]", &eventpoll_fops, ep,
++ O_RDWR | (flags & O_CLOEXEC));
++ if (IS_ERR(file)) {
++ error = PTR_ERR(file);
++ goto out_free_fd;
++ }
++ fd_install(fd, file);
++ ep->file = file;
++ return fd;
++
++out_free_fd:
++ put_unused_fd(fd);
++out_free_ep:
++ ep_free(ep);
+ return error;
+ }
+
+@@ -1352,21 +1561,29 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ /*
+ * When we insert an epoll file descriptor, inside another epoll file
+ * descriptor, there is the change of creating closed loops, which are
+- * better be handled here, than in more critical paths.
++ * better be handled here, than in more critical paths. While we are
++ * checking for loops we also determine the list of files reachable
++ * and hang them on the tfile_check_list, so we can check that we
++ * haven't created too many possible wakeup paths.
+ *
+- * We hold epmutex across the loop check and the insert in this case, in
+- * order to prevent two separate inserts from racing and each doing the
+- * insert "at the same time" such that ep_loop_check passes on both
+- * before either one does the insert, thereby creating a cycle.
++ * We need to hold the epmutex across both ep_insert and ep_remove
++ * b/c we want to make sure we are looking at a coherent view of
++ * epoll network.
+ */
+- if (unlikely(is_file_epoll(tfile) && op == EPOLL_CTL_ADD)) {
++ if (op == EPOLL_CTL_ADD || op == EPOLL_CTL_DEL) {
+ mutex_lock(&epmutex);
+ did_lock_epmutex = 1;
+- error = -ELOOP;
+- if (ep_loop_check(ep, tfile) != 0)
+- goto error_tgt_fput;
+ }
+-
++ if (op == EPOLL_CTL_ADD) {
++ if (is_file_epoll(tfile)) {
++ error = -ELOOP;
++ if (ep_loop_check(ep, tfile) != 0) {
++ clear_tfile_check_list();
++ goto error_tgt_fput;
++ }
++ } else
++ list_add(&tfile->f_tfile_llink, &tfile_check_list);
++ }
+
+ mutex_lock_nested(&ep->mtx, 0);
+
+@@ -1385,6 +1602,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ error = ep_insert(ep, &epds, tfile, fd);
+ } else
+ error = -EEXIST;
++ clear_tfile_check_list();
+ break;
+ case EPOLL_CTL_DEL:
+ if (epi)
+@@ -1403,7 +1621,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ mutex_unlock(&ep->mtx);
+
+ error_tgt_fput:
+- if (unlikely(did_lock_epmutex))
++ if (did_lock_epmutex)
+ mutex_unlock(&epmutex);
+
+ fput(tfile);
+diff --git a/fs/ext3/ialloc.c b/fs/ext3/ialloc.c
+index b399912..108f4fc 100644
+--- a/fs/ext3/ialloc.c
++++ b/fs/ext3/ialloc.c
+@@ -575,8 +575,12 @@ got:
+ if (IS_DIRSYNC(inode))
+ handle->h_sync = 1;
+ if (insert_inode_locked(inode) < 0) {
+- err = -EINVAL;
+- goto fail_drop;
++ /*
++ * Likely a bitmap corruption causing inode to be allocated
++ * twice.
++ */
++ err = -EIO;
++ goto fail;
+ }
+ spin_lock(&sbi->s_next_gen_lock);
+ inode->i_generation = sbi->s_next_generation++;
+diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c
+index f9d6937..3191a30 100644
+--- a/fs/ext3/inode.c
++++ b/fs/ext3/inode.c
+@@ -2948,6 +2948,8 @@ static int ext3_do_update_inode(handle_t *handle,
+ struct ext3_inode_info *ei = EXT3_I(inode);
+ struct buffer_head *bh = iloc->bh;
+ int err = 0, rc, block;
++ int need_datasync = 0;
++ __le32 disksize;
+
+ again:
+ /* we can't allow multiple procs in here at once, its a bit racey */
+@@ -2985,7 +2987,11 @@ again:
+ raw_inode->i_gid_high = 0;
+ }
+ raw_inode->i_links_count = cpu_to_le16(inode->i_nlink);
+- raw_inode->i_size = cpu_to_le32(ei->i_disksize);
++ disksize = cpu_to_le32(ei->i_disksize);
++ if (disksize != raw_inode->i_size) {
++ need_datasync = 1;
++ raw_inode->i_size = disksize;
++ }
+ raw_inode->i_atime = cpu_to_le32(inode->i_atime.tv_sec);
+ raw_inode->i_ctime = cpu_to_le32(inode->i_ctime.tv_sec);
+ raw_inode->i_mtime = cpu_to_le32(inode->i_mtime.tv_sec);
+@@ -3001,8 +3007,11 @@ again:
+ if (!S_ISREG(inode->i_mode)) {
+ raw_inode->i_dir_acl = cpu_to_le32(ei->i_dir_acl);
+ } else {
+- raw_inode->i_size_high =
+- cpu_to_le32(ei->i_disksize >> 32);
++ disksize = cpu_to_le32(ei->i_disksize >> 32);
++ if (disksize != raw_inode->i_size_high) {
++ raw_inode->i_size_high = disksize;
++ need_datasync = 1;
++ }
+ if (ei->i_disksize > 0x7fffffffULL) {
+ struct super_block *sb = inode->i_sb;
+ if (!EXT3_HAS_RO_COMPAT_FEATURE(sb,
+@@ -3055,6 +3064,8 @@ again:
+ ei->i_state &= ~EXT3_STATE_NEW;
+
+ atomic_set(&ei->i_sync_tid, handle->h_transaction->t_tid);
++ if (need_datasync)
++ atomic_set(&ei->i_datasync_tid, handle->h_transaction->t_tid);
+ out_brelse:
+ brelse (bh);
+ ext3_std_error(inode->i_sb, err);
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 93f7999..b4402c8 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -358,6 +358,8 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext)
+ ext4_fsblk_t block = ext_pblock(ext);
+ int len = ext4_ext_get_actual_len(ext);
+
++ if (len == 0)
++ return 0;
+ return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 55a93f5..29d9055 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1015,8 +1015,12 @@ got:
+ if (IS_DIRSYNC(inode))
+ ext4_handle_sync(handle);
+ if (insert_inode_locked(inode) < 0) {
+- err = -EINVAL;
+- goto fail_drop;
++ /*
++ * Likely a bitmap corruption causing inode to be allocated
++ * twice.
++ */
++ err = -EIO;
++ goto fail;
+ }
+ spin_lock(&sbi->s_next_gen_lock);
+ inode->i_generation = sbi->s_next_generation++;
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 72ba88f..efe6363 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1112,6 +1112,15 @@ void ext4_da_update_reserve_space(struct inode *inode,
+ used = ei->i_reserved_data_blocks;
+ }
+
++ if (unlikely(ei->i_allocated_meta_blocks > ei->i_reserved_meta_blocks)) {
++ ext4_msg(inode->i_sb, KERN_NOTICE, "%s: ino %lu, allocated %d "
++ "with only %d reserved metadata blocks\n", __func__,
++ inode->i_ino, ei->i_allocated_meta_blocks,
++ ei->i_reserved_meta_blocks);
++ WARN_ON(1);
++ ei->i_allocated_meta_blocks = ei->i_reserved_meta_blocks;
++ }
++
+ /* Update per-inode reservations */
+ ei->i_reserved_data_blocks -= used;
+ used += ei->i_allocated_meta_blocks;
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 4787ae6..b359543 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -855,6 +855,7 @@ int fuse_update_attributes(struct inode *inode, struct kstat *stat,
+ if (stat) {
+ generic_fillattr(inode, stat);
+ stat->mode = fi->orig_i_mode;
++ stat->ino = fi->orig_ino;
+ }
+ }
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index f6104a95..102d582 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1664,7 +1664,7 @@ static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count)
+ size_t n;
+ u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT;
+
+- for (n = 0; n < count; n++) {
++ for (n = 0; n < count; n++, iov++) {
+ if (iov->iov_len > (size_t) max)
+ return -ENOMEM;
+ max -= iov->iov_len;
+diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
+index e6d614d..829acee 100644
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -76,6 +76,9 @@ struct fuse_inode {
+ preserve the original mode */
+ mode_t orig_i_mode;
+
++ /** 64 bit inode number */
++ u64 orig_ino;
++
+ /** Version of last attribute change */
+ u64 attr_version;
+
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 1a822ce..c95186c 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -86,6 +86,7 @@ static struct inode *fuse_alloc_inode(struct super_block *sb)
+ fi->nlookup = 0;
+ fi->attr_version = 0;
+ fi->writectr = 0;
++ fi->orig_ino = 0;
+ INIT_LIST_HEAD(&fi->write_files);
+ INIT_LIST_HEAD(&fi->queued_writes);
+ INIT_LIST_HEAD(&fi->writepages);
+@@ -140,6 +141,18 @@ static int fuse_remount_fs(struct super_block *sb, int *flags, char *data)
+ return 0;
+ }
+
++/*
++ * ino_t is 32-bits on 32-bit arch. We have to squash the 64-bit value down
++ * so that it will fit.
++ */
++static ino_t fuse_squash_ino(u64 ino64)
++{
++ ino_t ino = (ino_t) ino64;
++ if (sizeof(ino_t) < sizeof(u64))
++ ino ^= ino64 >> (sizeof(u64) - sizeof(ino_t)) * 8;
++ return ino;
++}
++
+ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
+ u64 attr_valid)
+ {
+@@ -149,7 +162,7 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
+ fi->attr_version = ++fc->attr_version;
+ fi->i_time = attr_valid;
+
+- inode->i_ino = attr->ino;
++ inode->i_ino = fuse_squash_ino(attr->ino);
+ inode->i_mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777);
+ inode->i_nlink = attr->nlink;
+ inode->i_uid = attr->uid;
+@@ -175,6 +188,8 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
+ fi->orig_i_mode = inode->i_mode;
+ if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
+ inode->i_mode &= ~S_ISVTX;
++
++ fi->orig_ino = attr->ino;
+ }
+
+ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index f6874ac..a0786c6 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid,
+ err = hfs_brec_find(&src_fd);
+ if (err)
+ goto out;
++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
+
+ hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ src_fd.entrylength);
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index 5f40236..f4300ff7 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ filp->f_pos++;
+ /* fall through */
+ case 1:
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+ printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ err = -EIO;
+ goto out;
+ }
++
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ type = be16_to_cpu(entry.type);
+ len = HFSPLUS_MAX_STRLEN;
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index 87a1258..2179de8 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -601,9 +601,15 @@ static int hugetlbfs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ spin_lock(&sbinfo->stat_lock);
+ /* If no limits set, just report 0 for max/free/used
+ * blocks, like simple_statfs() */
+- if (sbinfo->max_blocks >= 0) {
+- buf->f_blocks = sbinfo->max_blocks;
+- buf->f_bavail = buf->f_bfree = sbinfo->free_blocks;
++ if (sbinfo->spool) {
++ long free_pages;
++
++ spin_lock(&sbinfo->spool->lock);
++ buf->f_blocks = sbinfo->spool->max_hpages;
++ free_pages = sbinfo->spool->max_hpages
++ - sbinfo->spool->used_hpages;
++ buf->f_bavail = buf->f_bfree = free_pages;
++ spin_unlock(&sbinfo->spool->lock);
+ buf->f_files = sbinfo->max_inodes;
+ buf->f_ffree = sbinfo->free_inodes;
+ }
+@@ -619,6 +625,10 @@ static void hugetlbfs_put_super(struct super_block *sb)
+
+ if (sbi) {
+ sb->s_fs_info = NULL;
++
++ if (sbi->spool)
++ hugepage_put_subpool(sbi->spool);
++
+ kfree(sbi);
+ }
+ }
+@@ -842,10 +852,14 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent)
+ sb->s_fs_info = sbinfo;
+ sbinfo->hstate = config.hstate;
+ spin_lock_init(&sbinfo->stat_lock);
+- sbinfo->max_blocks = config.nr_blocks;
+- sbinfo->free_blocks = config.nr_blocks;
+ sbinfo->max_inodes = config.nr_inodes;
+ sbinfo->free_inodes = config.nr_inodes;
++ sbinfo->spool = NULL;
++ if (config.nr_blocks != -1) {
++ sbinfo->spool = hugepage_new_subpool(config.nr_blocks);
++ if (!sbinfo->spool)
++ goto out_free;
++ }
+ sb->s_maxbytes = MAX_LFS_FILESIZE;
+ sb->s_blocksize = huge_page_size(config.hstate);
+ sb->s_blocksize_bits = huge_page_shift(config.hstate);
+@@ -865,38 +879,12 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent)
+ sb->s_root = root;
+ return 0;
+ out_free:
++ if (sbinfo->spool)
++ kfree(sbinfo->spool);
+ kfree(sbinfo);
+ return -ENOMEM;
+ }
+
+-int hugetlb_get_quota(struct address_space *mapping, long delta)
+-{
+- int ret = 0;
+- struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb);
+-
+- if (sbinfo->free_blocks > -1) {
+- spin_lock(&sbinfo->stat_lock);
+- if (sbinfo->free_blocks - delta >= 0)
+- sbinfo->free_blocks -= delta;
+- else
+- ret = -ENOMEM;
+- spin_unlock(&sbinfo->stat_lock);
+- }
+-
+- return ret;
+-}
+-
+-void hugetlb_put_quota(struct address_space *mapping, long delta)
+-{
+- struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb);
+-
+- if (sbinfo->free_blocks > -1) {
+- spin_lock(&sbinfo->stat_lock);
+- sbinfo->free_blocks += delta;
+- spin_unlock(&sbinfo->stat_lock);
+- }
+-}
+-
+ static int hugetlbfs_get_sb(struct file_system_type *fs_type,
+ int flags, const char *dev_name, void *data, struct vfsmount *mnt)
+ {
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index a051270..5c156ad 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1822,6 +1822,8 @@ zap_buffer_unlocked:
+ clear_buffer_mapped(bh);
+ clear_buffer_req(bh);
+ clear_buffer_new(bh);
++ clear_buffer_delay(bh);
++ clear_buffer_unwritten(bh);
+ bh->b_bdev = NULL;
+ return may_free;
+ }
+diff --git a/fs/locks.c b/fs/locks.c
+index a8794f2..fde92d1 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -291,7 +291,7 @@ static int flock_make_lock(struct file *filp, struct file_lock **lock,
+ return 0;
+ }
+
+-static int assign_type(struct file_lock *fl, int type)
++static int assign_type(struct file_lock *fl, long type)
+ {
+ switch (type) {
+ case F_RDLCK:
+@@ -444,7 +444,7 @@ static const struct lock_manager_operations lease_manager_ops = {
+ /*
+ * Initialize a lease, use the default lock manager operations
+ */
+-static int lease_init(struct file *filp, int type, struct file_lock *fl)
++static int lease_init(struct file *filp, long type, struct file_lock *fl)
+ {
+ if (assign_type(fl, type) != 0)
+ return -EINVAL;
+@@ -462,7 +462,7 @@ static int lease_init(struct file *filp, int type, struct file_lock *fl)
+ }
+
+ /* Allocate a file_lock initialised to this type of lease */
+-static struct file_lock *lease_alloc(struct file *filp, int type)
++static struct file_lock *lease_alloc(struct file *filp, long type)
+ {
+ struct file_lock *fl = locks_alloc_lock();
+ int error = -ENOMEM;
+diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
+index 3f8881d..59d9304 100644
+--- a/fs/nfs/nfs3proc.c
++++ b/fs/nfs/nfs3proc.c
+@@ -66,7 +66,7 @@ do_proc_get_root(struct rpc_clnt *client, struct nfs_fh *fhandle,
+ nfs_fattr_init(info->fattr);
+ status = rpc_call_sync(client, &msg, 0);
+ dprintk("%s: reply fsinfo: %d\n", __func__, status);
+- if (!(info->fattr->valid & NFS_ATTR_FATTR)) {
++ if (status == 0 && !(info->fattr->valid & NFS_ATTR_FATTR)) {
+ msg.rpc_proc = &nfs3_procedures[NFS3PROC_GETATTR];
+ msg.rpc_resp = info->fattr;
+ status = rpc_call_sync(client, &msg, 0);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 3c759df..21c7190 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1586,6 +1586,7 @@ static int _nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, in
+ goto err_opendata_put;
+ if (server->caps & NFS_CAP_POSIX_LOCK)
+ set_bit(NFS_STATE_POSIX_LOCKS, &state->flags);
++ nfs_revalidate_inode(server, state->inode);
+ nfs4_opendata_put(opendata);
+ nfs4_put_state_owner(sp);
+ *res = state;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index c346808..9a3f15b 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2934,4 +2934,6 @@ out:
+ return error;
+ }
+
++MODULE_ALIAS("nfs4");
++
+ #endif /* CONFIG_NFS_V4 */
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 4a82a96..6d27757 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1955,7 +1955,7 @@ out_acl:
+ if (bmval0 & FATTR4_WORD0_CASE_INSENSITIVE) {
+ if ((buflen -= 4) < 0)
+ goto out_resource;
+- WRITE32(1);
++ WRITE32(0);
+ }
+ if (bmval0 & FATTR4_WORD0_CASE_PRESERVING) {
+ if ((buflen -= 4) < 0)
+diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
+index ad391a8..149a8a1 100644
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -478,6 +478,7 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs,
+ brelse(sbh[1]);
+ sbh[1] = NULL;
+ sbp[1] = NULL;
++ valid[1] = 0;
+ swp = 0;
+ }
+ if (!valid[swp]) {
+diff --git a/fs/signalfd.c b/fs/signalfd.c
+index d98bea8..02c25d7 100644
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -29,6 +29,21 @@
+ #include <linux/signalfd.h>
+ #include <linux/syscalls.h>
+
++void signalfd_cleanup(struct sighand_struct *sighand)
++{
++ wait_queue_head_t *wqh = &sighand->signalfd_wqh;
++ /*
++ * The lockless check can race with remove_wait_queue() in progress,
++ * but in this case its caller should run under rcu_read_lock() and
++ * sighand_cachep is SLAB_DESTROY_BY_RCU, we can safely return.
++ */
++ if (likely(!waitqueue_active(wqh)))
++ return;
++
++ /* wait_queue_t->func(POLLFREE) should do remove_wait_queue() */
++ wake_up_poll(wqh, POLLHUP | POLLFREE);
++}
++
+ struct signalfd_ctx {
+ sigset_t sigmask;
+ };
+diff --git a/fs/udf/file.c b/fs/udf/file.c
+index b80cbd7..78bdef3 100644
+--- a/fs/udf/file.c
++++ b/fs/udf/file.c
+@@ -40,20 +40,24 @@
+ #include "udf_i.h"
+ #include "udf_sb.h"
+
+-static int udf_adinicb_readpage(struct file *file, struct page *page)
++static void __udf_adinicb_readpage(struct page *page)
+ {
+ struct inode *inode = page->mapping->host;
+ char *kaddr;
+ struct udf_inode_info *iinfo = UDF_I(inode);
+
+- BUG_ON(!PageLocked(page));
+-
+ kaddr = kmap(page);
+- memset(kaddr, 0, PAGE_CACHE_SIZE);
+ memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, inode->i_size);
++ memset(kaddr + inode->i_size, 0, PAGE_CACHE_SIZE - inode->i_size);
+ flush_dcache_page(page);
+ SetPageUptodate(page);
+ kunmap(page);
++}
++
++static int udf_adinicb_readpage(struct file *file, struct page *page)
++{
++ BUG_ON(!PageLocked(page));
++ __udf_adinicb_readpage(page);
+ unlock_page(page);
+
+ return 0;
+@@ -78,6 +82,25 @@ static int udf_adinicb_writepage(struct page *page,
+ return 0;
+ }
+
++static int udf_adinicb_write_begin(struct file *file,
++ struct address_space *mapping, loff_t pos,
++ unsigned len, unsigned flags, struct page **pagep,
++ void **fsdata)
++{
++ struct page *page;
++
++ if (WARN_ON_ONCE(pos >= PAGE_CACHE_SIZE))
++ return -EIO;
++ page = grab_cache_page_write_begin(mapping, 0, flags);
++ if (!page)
++ return -ENOMEM;
++ *pagep = page;
++
++ if (!PageUptodate(page) && len != PAGE_CACHE_SIZE)
++ __udf_adinicb_readpage(page);
++ return 0;
++}
++
+ static int udf_adinicb_write_end(struct file *file,
+ struct address_space *mapping,
+ loff_t pos, unsigned len, unsigned copied,
+@@ -100,8 +123,8 @@ const struct address_space_operations udf_adinicb_aops = {
+ .readpage = udf_adinicb_readpage,
+ .writepage = udf_adinicb_writepage,
+ .sync_page = block_sync_page,
+- .write_begin = simple_write_begin,
+- .write_end = udf_adinicb_write_end,
++ .write_begin = udf_adinicb_write_begin,
++ .write_end = udf_adinicb_write_end,
+ };
+
+ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index ee6b3af..0045ebc 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -57,6 +57,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/bitmap.h>
+ #include <linux/crc-itu-t.h>
++#include <linux/log2.h>
+ #include <asm/byteorder.h>
+
+ #include "udf_sb.h"
+@@ -1239,16 +1240,65 @@ out_bh:
+ return ret;
+ }
+
++static int udf_load_sparable_map(struct super_block *sb,
++ struct udf_part_map *map,
++ struct sparablePartitionMap *spm)
++{
++ uint32_t loc;
++ uint16_t ident;
++ struct sparingTable *st;
++ struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
++ int i;
++ struct buffer_head *bh;
++
++ map->s_partition_type = UDF_SPARABLE_MAP15;
++ sdata->s_packet_len = le16_to_cpu(spm->packetLength);
++ if (!is_power_of_2(sdata->s_packet_len)) {
++ udf_error(sb, __func__, "error loading logical volume descriptor: "
++ "Invalid packet length %u\n",
++ (unsigned)sdata->s_packet_len);
++ return -EIO;
++ }
++ if (spm->numSparingTables > 4) {
++ udf_error(sb, __func__, "error loading logical volume descriptor: "
++ "Too many sparing tables (%d)\n",
++ (int)spm->numSparingTables);
++ return -EIO;
++ }
++
++ for (i = 0; i < spm->numSparingTables; i++) {
++ loc = le32_to_cpu(spm->locSparingTable[i]);
++ bh = udf_read_tagged(sb, loc, loc, &ident);
++ if (!bh)
++ continue;
++
++ st = (struct sparingTable *)bh->b_data;
++ if (ident != 0 ||
++ strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
++ strlen(UDF_ID_SPARING)) ||
++ sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
++ sb->s_blocksize) {
++ brelse(bh);
++ continue;
++ }
++
++ sdata->s_spar_map[i] = bh;
++ }
++ map->s_partition_func = udf_get_pblock_spar15;
++ return 0;
++}
++
+ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ struct kernel_lb_addr *fileset)
+ {
+ struct logicalVolDesc *lvd;
+- int i, j, offset;
++ int i, offset;
+ uint8_t type;
+ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct genericPartitionMap *gpm;
+ uint16_t ident;
+ struct buffer_head *bh;
++ unsigned int table_len;
+ int ret = 0;
+
+ bh = udf_read_tagged(sb, block, block, &ident);
+@@ -1257,6 +1307,15 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ BUG_ON(ident != TAG_IDENT_LVD);
+ lvd = (struct logicalVolDesc *)bh->b_data;
+
++ table_len = le32_to_cpu(lvd->mapTableLength);
++ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
++ udf_error(sb, __func__, "error loading logical volume descriptor: "
++ "Partition table too long (%u > %lu)\n", table_len,
++ sb->s_blocksize - sizeof(*lvd));
++ ret = 1;
++ goto out_bh;
++ }
++
+ i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+ if (i != 0) {
+ ret = i;
+@@ -1264,7 +1323,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ }
+
+ for (i = 0, offset = 0;
+- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
++ i < sbi->s_partitions && offset < table_len;
+ i++, offset += gpm->partitionMapLength) {
+ struct udf_part_map *map = &sbi->s_partmaps[i];
+ gpm = (struct genericPartitionMap *)
+@@ -1299,38 +1358,11 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ } else if (!strncmp(upm2->partIdent.ident,
+ UDF_ID_SPARABLE,
+ strlen(UDF_ID_SPARABLE))) {
+- uint32_t loc;
+- struct sparingTable *st;
+- struct sparablePartitionMap *spm =
+- (struct sparablePartitionMap *)gpm;
+-
+- map->s_partition_type = UDF_SPARABLE_MAP15;
+- map->s_type_specific.s_sparing.s_packet_len =
+- le16_to_cpu(spm->packetLength);
+- for (j = 0; j < spm->numSparingTables; j++) {
+- struct buffer_head *bh2;
+-
+- loc = le32_to_cpu(
+- spm->locSparingTable[j]);
+- bh2 = udf_read_tagged(sb, loc, loc,
+- &ident);
+- map->s_type_specific.s_sparing.
+- s_spar_map[j] = bh2;
+-
+- if (bh2 == NULL)
+- continue;
+-
+- st = (struct sparingTable *)bh2->b_data;
+- if (ident != 0 || strncmp(
+- st->sparingIdent.ident,
+- UDF_ID_SPARING,
+- strlen(UDF_ID_SPARING))) {
+- brelse(bh2);
+- map->s_type_specific.s_sparing.
+- s_spar_map[j] = NULL;
+- }
++ if (udf_load_sparable_map(sb, map,
++ (struct sparablePartitionMap *)gpm) < 0) {
++ ret = 1;
++ goto out_bh;
+ }
+- map->s_partition_func = udf_get_pblock_spar15;
+ } else if (!strncmp(upm2->partIdent.ident,
+ UDF_ID_METADATA,
+ strlen(UDF_ID_METADATA))) {
+diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
+index 844a99b..bae2c99 100644
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -3298,37 +3298,26 @@ xlog_recover_process_iunlinks(
+ */
+ continue;
+ }
++ /*
++ * Unlock the buffer so that it can be acquired in the normal
++ * course of the transaction to truncate and free each inode.
++ * Because we are not racing with anyone else here for the AGI
++ * buffer, we don't even need to hold it locked to read the
++ * initial unlinked bucket entries out of the buffer. We keep
++ * buffer reference though, so that it stays pinned in memory
++ * while we need the buffer.
++ */
+ agi = XFS_BUF_TO_AGI(agibp);
++ xfs_buf_unlock(agibp);
+
+ for (bucket = 0; bucket < XFS_AGI_UNLINKED_BUCKETS; bucket++) {
+ agino = be32_to_cpu(agi->agi_unlinked[bucket]);
+ while (agino != NULLAGINO) {
+- /*
+- * Release the agi buffer so that it can
+- * be acquired in the normal course of the
+- * transaction to truncate and free the inode.
+- */
+- xfs_buf_relse(agibp);
+-
+ agino = xlog_recover_process_one_iunlink(mp,
+ agno, agino, bucket);
+-
+- /*
+- * Reacquire the agibuffer and continue around
+- * the loop. This should never fail as we know
+- * the buffer was good earlier on.
+- */
+- error = xfs_read_agi(mp, NULL, agno, &agibp);
+- ASSERT(error == 0);
+- agi = XFS_BUF_TO_AGI(agibp);
+ }
+ }
+-
+- /*
+- * Release the buffer for the current agi so we can
+- * go on to the next one.
+- */
+- xfs_buf_relse(agibp);
++ xfs_buf_rele(agibp);
+ }
+
+ mp->m_dmevmask = mp_dmevmask;
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index 8f32f50..1a07e03 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -554,7 +554,7 @@ xfs_readlink(
+ char *link)
+ {
+ xfs_mount_t *mp = ip->i_mount;
+- int pathlen;
++ xfs_fsize_t pathlen;
+ int error = 0;
+
+ xfs_itrace_entry(ip);
+@@ -564,13 +564,21 @@ xfs_readlink(
+
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+
+- ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ pathlen = ip->i_d.di_size;
+ if (!pathlen)
+ goto out;
+
++ if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ xfs_fs_cmn_err(CE_ALERT, mp,
++ "%s: inode (%llu) bad symlink length (%lld)",
++ __func__, (unsigned long long) ip->i_ino,
++ (long long) pathlen);
++ ASSERT(0);
++ error = XFS_ERROR(EFSCORRUPTED);
++ goto out;
++ }
++
++
+ if (ip->i_df.if_flags & XFS_IFINLINE) {
+ memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ link[pathlen] = '\0';
+diff --git a/include/asm-generic/poll.h b/include/asm-generic/poll.h
+index 44bce83..9ce7f44 100644
+--- a/include/asm-generic/poll.h
++++ b/include/asm-generic/poll.h
+@@ -28,6 +28,8 @@
+ #define POLLRDHUP 0x2000
+ #endif
+
++#define POLLFREE 0x4000 /* currently only for epoll */
++
+ struct pollfd {
+ int fd;
+ short events;
+diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h
+index f6856a5..ca399c5 100644
+--- a/include/linux/eventpoll.h
++++ b/include/linux/eventpoll.h
+@@ -61,6 +61,7 @@ struct file;
+ static inline void eventpoll_init_file(struct file *file)
+ {
+ INIT_LIST_HEAD(&file->f_ep_links);
++ INIT_LIST_HEAD(&file->f_tfile_llink);
+ }
+
+
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 1b9a47a..860cb6d 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -941,6 +941,7 @@ struct file {
+ #ifdef CONFIG_EPOLL
+ /* Used by fs/eventpoll.c to link all the hooks to this file */
+ struct list_head f_ep_links;
++ struct list_head f_tfile_llink;
+ #endif /* #ifdef CONFIG_EPOLL */
+ struct address_space *f_mapping;
+ #ifdef CONFIG_DEBUG_WRITECOUNT
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 040b679..b4f0b3f 100644
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -159,6 +159,7 @@ struct hrtimer_clock_base {
+ * and timers
+ * @clock_base: array of clock bases for this cpu
+ * @curr_timer: the timer which is executing a callback right now
++ * @clock_was_set: Indicates that clock was set from irq context.
+ * @expires_next: absolute time of the next event which was scheduled
+ * via clock_set_next_event()
+ * @hres_active: State of high resolution mode
+@@ -171,6 +172,7 @@ struct hrtimer_clock_base {
+ struct hrtimer_cpu_base {
+ spinlock_t lock;
+ struct hrtimer_clock_base clock_base[HRTIMER_MAX_CLOCK_BASES];
++ unsigned int clock_was_set;
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ ktime_t expires_next;
+ int hres_active;
+@@ -280,6 +282,8 @@ extern void hrtimer_peek_ahead_timers(void);
+ # define MONOTONIC_RES_NSEC HIGH_RES_NSEC
+ # define KTIME_MONOTONIC_RES KTIME_HIGH_RES
+
++extern void clock_was_set_delayed(void);
++
+ #else
+
+ # define MONOTONIC_RES_NSEC LOW_RES_NSEC
+@@ -308,11 +312,14 @@ static inline int hrtimer_is_hres_active(struct hrtimer *timer)
+ {
+ return 0;
+ }
++
++static inline void clock_was_set_delayed(void) { }
++
+ #endif
+
+ extern ktime_t ktime_get(void);
+ extern ktime_t ktime_get_real(void);
+-
++extern ktime_t ktime_get_update_offsets(ktime_t *offs_real);
+
+ DECLARE_PER_CPU(struct tick_device, tick_cpu_device);
+
+diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
+index 41a59af..6b3feef 100644
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -12,6 +12,15 @@ struct user_struct;
+ #include <linux/shm.h>
+ #include <asm/tlbflush.h>
+
++struct hugepage_subpool {
++ spinlock_t lock;
++ long count;
++ long max_hpages, used_hpages;
++};
++
++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks);
++void hugepage_put_subpool(struct hugepage_subpool *spool);
++
+ int PageHuge(struct page *page);
+
+ static inline int is_vm_hugetlb_page(struct vm_area_struct *vma)
+@@ -138,12 +147,11 @@ struct hugetlbfs_config {
+ };
+
+ struct hugetlbfs_sb_info {
+- long max_blocks; /* blocks allowed */
+- long free_blocks; /* blocks free */
+ long max_inodes; /* inodes allowed */
+ long free_inodes; /* inodes free */
+ spinlock_t stat_lock;
+ struct hstate *hstate;
++ struct hugepage_subpool *spool;
+ };
+
+
+@@ -166,8 +174,6 @@ extern const struct file_operations hugetlbfs_file_operations;
+ extern const struct vm_operations_struct hugetlb_vm_ops;
+ struct file *hugetlb_file_setup(const char *name, size_t size, int acct,
+ struct user_struct **user, int creat_flags);
+-int hugetlb_get_quota(struct address_space *mapping, long delta);
+-void hugetlb_put_quota(struct address_space *mapping, long delta);
+
+ static inline int is_file_hugepages(struct file *file)
+ {
+diff --git a/include/linux/iocontext.h b/include/linux/iocontext.h
+index eb73632..19abfc1 100644
+--- a/include/linux/iocontext.h
++++ b/include/linux/iocontext.h
+@@ -94,14 +94,15 @@ static inline struct io_context *ioc_task_link(struct io_context *ioc)
+ return NULL;
+ }
+
++struct task_struct;
+ #ifdef CONFIG_BLOCK
+ int put_io_context(struct io_context *ioc);
+-void exit_io_context(void);
++void exit_io_context(struct task_struct *task);
+ struct io_context *get_io_context(gfp_t gfp_flags, int node);
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node);
+ void copy_io_context(struct io_context **pdst, struct io_context **psrc);
+ #else
+-static inline void exit_io_context(void)
++static inline void exit_io_context(struct task_struct *task)
+ {
+ }
+
+diff --git a/include/linux/irq.h b/include/linux/irq.h
+index 9e5f45a..2333710 100644
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -174,7 +174,6 @@ struct irq_2_iommu;
+ */
+ struct irq_desc {
+ unsigned int irq;
+- struct timer_rand_state *timer_rand_state;
+ unsigned int *kstat_irqs;
+ #ifdef CONFIG_INTR_REMAP
+ struct irq_2_iommu *irq_2_iommu;
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 9acb92d..3526cd4 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -55,6 +55,19 @@ extern const char linux_proc_banner[];
+ } \
+ )
+
++/*
++ * Multiplies an integer by a fraction, while avoiding unnecessary
++ * overflow or loss of precision.
++ */
++#define mult_frac(x, numer, denom)( \
++{ \
++ typeof(x) quot = (x) / (denom); \
++ typeof(x) rem = (x) % (denom); \
++ (quot * (numer)) + ((rem * (numer)) / (denom)); \
++} \
++)
++
++
+ #define _RET_IP_ (unsigned long)__builtin_return_address(0)
+ #define _THIS_IP_ ({ __label__ __here; __here: (unsigned long)&&__here; })
+
+diff --git a/include/linux/ktime.h b/include/linux/ktime.h
+index ce59832..ecdf64e 100644
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -58,13 +58,6 @@ union ktime {
+
+ typedef union ktime ktime_t; /* Kill this */
+
+-#define KTIME_MAX ((s64)~((u64)1 << 63))
+-#if (BITS_PER_LONG == 64)
+-# define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
+-#else
+-# define KTIME_SEC_MAX LONG_MAX
+-#endif
+-
+ /*
+ * ktime_t definitions when using the 64-bit scalar representation:
+ */
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index c728a50..8bfed57 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -556,5 +556,12 @@ static inline bool kvm_vcpu_is_bsp(struct kvm_vcpu *vcpu)
+ {
+ return vcpu->kvm->bsp_vcpu_id == vcpu->vcpu_id;
+ }
++
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu);
++
++#else
++
++static inline bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) { return true; }
++
+ #endif
+ #endif
+diff --git a/include/linux/random.h b/include/linux/random.h
+index 2948046..1864957 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -44,13 +44,13 @@ struct rand_pool_info {
+
+ #ifdef __KERNEL__
+
+-extern void rand_initialize_irq(int irq);
+-
++extern void add_device_randomness(const void *, unsigned int);
+ extern void add_input_randomness(unsigned int type, unsigned int code,
+ unsigned int value);
+-extern void add_interrupt_randomness(int irq);
++extern void add_interrupt_randomness(int irq, int irq_flags);
+
+ extern void get_random_bytes(void *buf, int nbytes);
++extern void get_random_bytes_arch(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
+
+ #ifndef MODULE
+@@ -63,6 +63,19 @@ unsigned long randomize_range(unsigned long start, unsigned long end, unsigned l
+ u32 random32(void);
+ void srandom32(u32 seed);
+
++#ifdef CONFIG_ARCH_RANDOM
++# include <asm/archrandom.h>
++#else
++static inline int arch_get_random_long(unsigned long *v)
++{
++ return 0;
++}
++static inline int arch_get_random_int(unsigned int *v)
++{
++ return 0;
++}
++#endif
++
+ #endif /* __KERNEL___ */
+
+ #endif /* _LINUX_RANDOM_H */
+diff --git a/include/linux/signalfd.h b/include/linux/signalfd.h
+index b363b91..ed9b65e 100644
+--- a/include/linux/signalfd.h
++++ b/include/linux/signalfd.h
+@@ -60,13 +60,16 @@ static inline void signalfd_notify(struct task_struct *tsk, int sig)
+ wake_up(&tsk->sighand->signalfd_wqh);
+ }
+
++extern void signalfd_cleanup(struct sighand_struct *sighand);
++
+ #else /* CONFIG_SIGNALFD */
+
+ static inline void signalfd_notify(struct task_struct *tsk, int sig) { }
+
++static inline void signalfd_cleanup(struct sighand_struct *sighand) { }
++
+ #endif /* CONFIG_SIGNALFD */
+
+ #endif /* __KERNEL__ */
+
+ #endif /* _LINUX_SIGNALFD_H */
+-
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index bcdd660..4e647bb 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1312,6 +1312,16 @@ static inline void skb_set_mac_header(struct sk_buff *skb, const int offset)
+ }
+ #endif /* NET_SKBUFF_DATA_USES_OFFSET */
+
++static inline void skb_mac_header_rebuild(struct sk_buff *skb)
++{
++ if (skb_mac_header_was_set(skb)) {
++ const unsigned char *old_mac = skb_mac_header(skb);
++
++ skb_set_mac_header(skb, -skb->mac_len);
++ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
++ }
++}
++
+ static inline int skb_transport_offset(const struct sk_buff *skb)
+ {
+ return skb_transport_header(skb) - skb->data;
+diff --git a/include/linux/time.h b/include/linux/time.h
+index 6e026e4..bc93987 100644
+--- a/include/linux/time.h
++++ b/include/linux/time.h
+@@ -91,11 +91,36 @@ static inline struct timespec timespec_sub(struct timespec lhs,
+ return ts_delta;
+ }
+
++#define KTIME_MAX ((s64)~((u64)1 << 63))
++#if (BITS_PER_LONG == 64)
++# define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#else
++# define KTIME_SEC_MAX LONG_MAX
++#endif
++
+ /*
+ * Returns true if the timespec is norm, false if denorm:
+ */
+-#define timespec_valid(ts) \
+- (((ts)->tv_sec >= 0) && (((unsigned long) (ts)->tv_nsec) < NSEC_PER_SEC))
++static inline bool timespec_valid(const struct timespec *ts)
++{
++ /* Dates before 1970 are bogus */
++ if (ts->tv_sec < 0)
++ return false;
++ /* Can't have more nanoseconds then a second */
++ if ((unsigned long)ts->tv_nsec >= NSEC_PER_SEC)
++ return false;
++ return true;
++}
++
++static inline bool timespec_valid_strict(const struct timespec *ts)
++{
++ if (!timespec_valid(ts))
++ return false;
++ /* Disallow values that could overflow ktime_t */
++ if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX)
++ return false;
++ return true;
++}
+
+ extern struct timespec xtime;
+ extern struct timespec wall_to_monotonic;
+diff --git a/include/linux/timex.h b/include/linux/timex.h
+index e6967d1..3b587b4 100644
+--- a/include/linux/timex.h
++++ b/include/linux/timex.h
+@@ -271,7 +271,7 @@ static inline int ntp_synced(void)
+ /* Returns how long ticks are at present, in ns / 2^NTP_SCALE_SHIFT. */
+ extern u64 tick_length;
+
+-extern void second_overflow(void);
++extern int second_overflow(unsigned long secs);
+ extern void update_ntp_one_tick(void);
+ extern int do_adjtimex(struct timex *);
+
+diff --git a/include/net/rose.h b/include/net/rose.h
+index 5ba9f02..555dd19 100644
+--- a/include/net/rose.h
++++ b/include/net/rose.h
+@@ -14,6 +14,12 @@
+
+ #define ROSE_MIN_LEN 3
+
++#define ROSE_CALL_REQ_ADDR_LEN_OFF 3
++#define ROSE_CALL_REQ_ADDR_LEN_VAL 0xAA /* each address is 10 digits */
++#define ROSE_CALL_REQ_DEST_ADDR_OFF 4
++#define ROSE_CALL_REQ_SRC_ADDR_OFF 9
++#define ROSE_CALL_REQ_FACILITIES_OFF 14
++
+ #define ROSE_GFI 0x10
+ #define ROSE_Q_BIT 0x80
+ #define ROSE_D_BIT 0x40
+@@ -214,7 +220,7 @@ extern void rose_requeue_frames(struct sock *);
+ extern int rose_validate_nr(struct sock *, unsigned short);
+ extern void rose_write_internal(struct sock *, int);
+ extern int rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);
+-extern int rose_parse_facilities(unsigned char *, struct rose_facilities_struct *);
++extern int rose_parse_facilities(unsigned char *, unsigned int, struct rose_facilities_struct *);
+ extern void rose_disconnect(struct sock *, int, int, int);
+
+ /* rose_timer.c */
+diff --git a/kernel/cred.c b/kernel/cred.c
+index 0b5b5fc..9c06d10 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -443,6 +443,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
+
+ mutex_init(&p->cred_guard_mutex);
+
++ p->replacement_session_keyring = NULL;
++
+ if (
+ #ifdef CONFIG_KEYS
+ !p->cred->thread_keyring &&
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 0f8fae3..a2a1659 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1020,7 +1020,7 @@ NORET_TYPE void do_exit(long code)
+ tsk->flags |= PF_EXITPIDONE;
+
+ if (tsk->io_context)
+- exit_io_context();
++ exit_io_context(tsk);
+
+ if (tsk->splice_pipe)
+ __free_pipe_info(tsk->splice_pipe);
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 4bde56f..c28f804 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -64,6 +64,7 @@
+ #include <linux/magic.h>
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
++#include <linux/signalfd.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/pgalloc.h>
+@@ -815,8 +816,10 @@ static int copy_sighand(unsigned long clone_flags, struct task_struct *tsk)
+
+ void __cleanup_sighand(struct sighand_struct *sighand)
+ {
+- if (atomic_dec_and_test(&sighand->count))
++ if (atomic_dec_and_test(&sighand->count)) {
++ signalfd_cleanup(sighand);
+ kmem_cache_free(sighand_cachep, sighand);
++ }
+ }
+
+
+@@ -1299,7 +1302,8 @@ bad_fork_free_pid:
+ if (pid != &init_struct_pid)
+ free_pid(pid);
+ bad_fork_cleanup_io:
+- put_io_context(p->io_context);
++ if (p->io_context)
++ exit_io_context(p);
+ bad_fork_cleanup_namespaces:
+ exit_task_namespaces(p);
+ bad_fork_cleanup_mm:
+diff --git a/kernel/futex.c b/kernel/futex.c
+index fb98c9f..9c5ffe1 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -264,17 +264,29 @@ again:
+
+ page = compound_head(page);
+ lock_page(page);
++
++ /*
++ * If page->mapping is NULL, then it cannot be a PageAnon
++ * page; but it might be the ZERO_PAGE or in the gate area or
++ * in a special mapping (all cases which we are happy to fail);
++ * or it may have been a good file page when get_user_pages_fast
++ * found it, but truncated or holepunched or subjected to
++ * invalidate_complete_page2 before we got the page lock (also
++ * cases which we are happy to fail). And we hold a reference,
++ * so refcount care in invalidate_complete_page's remove_mapping
++ * prevents drop_caches from setting mapping to NULL beneath us.
++ *
++ * The case we do have to guard against is when memory pressure made
++ * shmem_writepage move it from filecache to swapcache beneath us:
++ * an unlikely race, but we do need to retry for page->mapping.
++ */
+ if (!page->mapping) {
++ int shmem_swizzled = PageSwapCache(page);
+ unlock_page(page);
+ put_page(page);
+- /*
+- * ZERO_PAGE pages don't have a mapping. Avoid a busy loop
+- * trying to find one. RW mapping would have COW'd (and thus
+- * have a mapping) so this page is RO and won't ever change.
+- */
+- if ((page == ZERO_PAGE(address)))
+- return -EFAULT;
+- goto again;
++ if (shmem_swizzled)
++ goto again;
++ return -EFAULT;
+ }
+
+ /*
+@@ -2192,11 +2204,11 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
+ * @uaddr2: the pi futex we will take prior to returning to user-space
+ *
+ * The caller will wait on uaddr and will be requeued by futex_requeue() to
+- * uaddr2 which must be PI aware. Normal wakeup will wake on uaddr2 and
+- * complete the acquisition of the rt_mutex prior to returning to userspace.
+- * This ensures the rt_mutex maintains an owner when it has waiters; without
+- * one, the pi logic wouldn't know which task to boost/deboost, if there was a
+- * need to.
++ * uaddr2 which must be PI aware and unique from uaddr. Normal wakeup will wake
++ * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
++ * userspace. This ensures the rt_mutex maintains an owner when it has waiters;
++ * without one, the pi logic would not know which task to boost/deboost, if
++ * there was a need to.
+ *
+ * We call schedule in futex_wait_queue_me() when we enqueue and return there
+ * via the following:
+@@ -2233,6 +2245,9 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+ struct futex_q q;
+ int res, ret;
+
++ if (uaddr == uaddr2)
++ return -EINVAL;
++
+ if (!bitset)
+ return -EINVAL;
+
+@@ -2306,7 +2321,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+ * signal. futex_unlock_pi() will not destroy the lock_ptr nor
+ * the pi_state.
+ */
+- WARN_ON(!&q.pi_state);
++ WARN_ON(!q.pi_state);
+ pi_mutex = &q.pi_state->pi_mutex;
+ ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
+ debug_rt_mutex_free_waiter(&rt_waiter);
+@@ -2333,7 +2348,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+ * fault, unlock the rt_mutex and return the fault to userspace.
+ */
+ if (ret == -EFAULT) {
+- if (rt_mutex_owner(pi_mutex) == current)
++ if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
+ rt_mutex_unlock(pi_mutex);
+ } else if (ret == -EINTR) {
+ /*
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index a6e9d00..2818422 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -603,6 +603,12 @@ static int hrtimer_reprogram(struct hrtimer *timer,
+ return res;
+ }
+
++static inline ktime_t hrtimer_update_base(struct hrtimer_cpu_base *base)
++{
++ ktime_t *offs_real = &base->clock_base[CLOCK_REALTIME].offset;
++
++ return ktime_get_update_offsets(offs_real);
++}
+
+ /*
+ * Retrigger next event is called after clock was set
+@@ -612,26 +618,15 @@ static int hrtimer_reprogram(struct hrtimer *timer,
+ static void retrigger_next_event(void *arg)
+ {
+ struct hrtimer_cpu_base *base;
+- struct timespec realtime_offset;
+- unsigned long seq;
+
+ if (!hrtimer_hres_active())
+ return;
+
+- do {
+- seq = read_seqbegin(&xtime_lock);
+- set_normalized_timespec(&realtime_offset,
+- -wall_to_monotonic.tv_sec,
+- -wall_to_monotonic.tv_nsec);
+- } while (read_seqretry(&xtime_lock, seq));
+-
+ base = &__get_cpu_var(hrtimer_bases);
+
+ /* Adjust CLOCK_REALTIME offset */
+ spin_lock(&base->lock);
+- base->clock_base[CLOCK_REALTIME].offset =
+- timespec_to_ktime(realtime_offset);
+-
++ hrtimer_update_base(base);
+ hrtimer_force_reprogram(base, 0);
+ spin_unlock(&base->lock);
+ }
+@@ -731,13 +726,25 @@ static int hrtimer_switch_to_hres(void)
+ base->clock_base[CLOCK_MONOTONIC].resolution = KTIME_HIGH_RES;
+
+ tick_setup_sched_timer();
+-
+ /* "Retrigger" the interrupt to get things going */
+ retrigger_next_event(NULL);
+ local_irq_restore(flags);
+ return 1;
+ }
+
++/*
++ * Called from timekeeping code to reprogramm the hrtimer interrupt
++ * device. If called from the timer interrupt context we defer it to
++ * softirq context.
++ */
++void clock_was_set_delayed(void)
++{
++ struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
++
++ cpu_base->clock_was_set = 1;
++ __raise_softirq_irqoff(HRTIMER_SOFTIRQ);
++}
++
+ #else
+
+ static inline int hrtimer_hres_active(void) { return 0; }
+@@ -1250,11 +1257,10 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ cpu_base->nr_events++;
+ dev->next_event.tv64 = KTIME_MAX;
+
+- entry_time = now = ktime_get();
++ spin_lock(&cpu_base->lock);
++ entry_time = now = hrtimer_update_base(cpu_base);
+ retry:
+ expires_next.tv64 = KTIME_MAX;
+-
+- spin_lock(&cpu_base->lock);
+ /*
+ * We set expires_next to KTIME_MAX here with cpu_base->lock
+ * held to prevent that a timer is enqueued in our queue via
+@@ -1328,8 +1334,12 @@ retry:
+ * We need to prevent that we loop forever in the hrtimer
+ * interrupt routine. We give it 3 attempts to avoid
+ * overreacting on some spurious event.
++ *
++ * Acquire base lock for updating the offsets and retrieving
++ * the current time.
+ */
+- now = ktime_get();
++ spin_lock(&cpu_base->lock);
++ now = hrtimer_update_base(cpu_base);
+ cpu_base->nr_retries++;
+ if (++retries < 3)
+ goto retry;
+@@ -1341,6 +1351,7 @@ retry:
+ */
+ cpu_base->nr_hangs++;
+ cpu_base->hang_detected = 1;
++ spin_unlock(&cpu_base->lock);
+ delta = ktime_sub(now, entry_time);
+ if (delta.tv64 > cpu_base->max_hang_time.tv64)
+ cpu_base->max_hang_time = delta;
+@@ -1393,6 +1404,13 @@ void hrtimer_peek_ahead_timers(void)
+
+ static void run_hrtimer_softirq(struct softirq_action *h)
+ {
++ struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
++
++ if (cpu_base->clock_was_set) {
++ cpu_base->clock_was_set = 0;
++ clock_was_set();
++ }
++
+ hrtimer_peek_ahead_timers();
+ }
+
+diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c
+index 17c71bb..27fd0a6 100644
+--- a/kernel/irq/handle.c
++++ b/kernel/irq/handle.c
+@@ -370,7 +370,7 @@ static void warn_no_thread(unsigned int irq, struct irqaction *action)
+ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
+ {
+ irqreturn_t ret, retval = IRQ_NONE;
+- unsigned int status = 0;
++ unsigned int flags = 0;
+
+ if (!(action->flags & IRQF_DISABLED))
+ local_irq_enable_in_hardirq();
+@@ -413,7 +413,7 @@ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
+
+ /* Fall through to add to randomness */
+ case IRQ_HANDLED:
+- status |= action->flags;
++ flags |= action->flags;
+ break;
+
+ default:
+@@ -424,8 +424,7 @@ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
+ action = action->next;
+ } while (action);
+
+- if (status & IRQF_SAMPLE_RANDOM)
+- add_interrupt_randomness(irq);
++ add_interrupt_randomness(irq, flags);
+ local_irq_disable();
+
+ return retval;
+diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
+index 315705c..5dd29f3 100644
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -633,22 +633,6 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
+
+ if (desc->chip == &no_irq_chip)
+ return -ENOSYS;
+- /*
+- * Some drivers like serial.c use request_irq() heavily,
+- * so we have to be careful not to interfere with a
+- * running system.
+- */
+- if (new->flags & IRQF_SAMPLE_RANDOM) {
+- /*
+- * This function might sleep, we want to call it first,
+- * outside of the atomic block.
+- * Yes, this might clear the entropy pool if the wrong
+- * driver is attempted to be loaded, without actually
+- * installing a new handler, but is this really a problem,
+- * only the sysadmin is able to do this.
+- */
+- rand_initialize_irq(irq);
+- }
+
+ /* Oneshot interrupts are not allowed with shared */
+ if ((new->flags & IRQF_ONESHOT) && (new->flags & IRQF_SHARED))
+@@ -1021,7 +1005,6 @@ EXPORT_SYMBOL(free_irq);
+ *
+ * IRQF_SHARED Interrupt is shared
+ * IRQF_DISABLED Disable local interrupts while processing
+- * IRQF_SAMPLE_RANDOM The interrupt can be used for entropy
+ * IRQF_TRIGGER_* Specify active edge(s) or level
+ *
+ */
+diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
+index cd9a40b..fd6e5f2 100644
+--- a/kernel/sched_fair.c
++++ b/kernel/sched_fair.c
+@@ -862,6 +862,9 @@ check_preempt_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr)
+ struct sched_entity *se = __pick_next_entity(cfs_rq);
+ s64 delta = curr->vruntime - se->vruntime;
+
++ if (delta < 0)
++ return;
++
+ if (delta > ideal_runtime)
+ resched_task(rq_of(cfs_rq)->curr);
+ }
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 4800f93..264928c 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -28,8 +28,6 @@ unsigned long tick_nsec;
+ u64 tick_length;
+ static u64 tick_length_base;
+
+-static struct hrtimer leap_timer;
+-
+ #define MAX_TICKADJ 500LL /* usecs */
+ #define MAX_TICKADJ_SCALED \
+ (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
+@@ -108,7 +106,7 @@ static inline s64 ntp_update_offset_fll(s64 offset64, long secs)
+ {
+ time_status &= ~STA_MODE;
+
+- if (secs < MINSEC)
++ if ((s32)secs < MINSEC)
+ return 0;
+
+ if (!(time_status & STA_FLL) && (secs <= MAXSEC))
+@@ -180,60 +178,64 @@ void ntp_clear(void)
+ }
+
+ /*
+- * Leap second processing. If in leap-insert state at the end of the
+- * day, the system clock is set back one second; if in leap-delete
+- * state, the system clock is set ahead one second.
++ * this routine handles the overflow of the microsecond field
++ *
++ * The tricky bits of code to handle the accurate clock support
++ * were provided by Dave Mills (Mills at UDEL.EDU) of NTP fame.
++ * They were originally developed for SUN and DEC kernels.
++ * All the kudos should go to Dave for this stuff.
++ *
++ * Also handles leap second processing, and returns leap offset
+ */
+-static enum hrtimer_restart ntp_leap_second(struct hrtimer *timer)
++int second_overflow(unsigned long secs)
+ {
+- enum hrtimer_restart res = HRTIMER_NORESTART;
+-
+- write_seqlock(&xtime_lock);
++ int leap = 0;
++ s64 delta;
+
++ /*
++ * Leap second processing. If in leap-insert state at the end of the
++ * day, the system clock is set back one second; if in leap-delete
++ * state, the system clock is set ahead one second.
++ */
+ switch (time_state) {
+ case TIME_OK:
++ if (time_status & STA_INS)
++ time_state = TIME_INS;
++ else if (time_status & STA_DEL)
++ time_state = TIME_DEL;
+ break;
+ case TIME_INS:
+- timekeeping_leap_insert(-1);
+- time_state = TIME_OOP;
+- printk(KERN_NOTICE
+- "Clock: inserting leap second 23:59:60 UTC\n");
+- hrtimer_add_expires_ns(&leap_timer, NSEC_PER_SEC);
+- res = HRTIMER_RESTART;
++ if (!(time_status & STA_INS))
++ time_state = TIME_OK;
++ else if (secs % 86400 == 0) {
++ leap = -1;
++ time_state = TIME_OOP;
++ time_tai++;
++ printk(KERN_NOTICE
++ "Clock: inserting leap second 23:59:60 UTC\n");
++ }
+ break;
+ case TIME_DEL:
+- timekeeping_leap_insert(1);
+- time_tai--;
+- time_state = TIME_WAIT;
+- printk(KERN_NOTICE
+- "Clock: deleting leap second 23:59:59 UTC\n");
++ if (!(time_status & STA_DEL))
++ time_state = TIME_OK;
++ else if ((secs + 1) % 86400 == 0) {
++ leap = 1;
++ time_tai--;
++ time_state = TIME_WAIT;
++ printk(KERN_NOTICE
++ "Clock: deleting leap second 23:59:59 UTC\n");
++ }
+ break;
+ case TIME_OOP:
+- time_tai++;
+ time_state = TIME_WAIT;
+- /* fall through */
++ break;
++
+ case TIME_WAIT:
+ if (!(time_status & (STA_INS | STA_DEL)))
+ time_state = TIME_OK;
+ break;
+ }
+
+- write_sequnlock(&xtime_lock);
+-
+- return res;
+-}
+-
+-/*
+- * this routine handles the overflow of the microsecond field
+- *
+- * The tricky bits of code to handle the accurate clock support
+- * were provided by Dave Mills (Mills at UDEL.EDU) of NTP fame.
+- * They were originally developed for SUN and DEC kernels.
+- * All the kudos should go to Dave for this stuff.
+- */
+-void second_overflow(void)
+-{
+- s64 delta;
+
+ /* Bump the maxerror field */
+ time_maxerror += MAXFREQ / NSEC_PER_USEC;
+@@ -253,23 +255,25 @@ void second_overflow(void)
+ tick_length += delta;
+
+ if (!time_adjust)
+- return;
++ goto out;
+
+ if (time_adjust > MAX_TICKADJ) {
+ time_adjust -= MAX_TICKADJ;
+ tick_length += MAX_TICKADJ_SCALED;
+- return;
++ goto out;
+ }
+
+ if (time_adjust < -MAX_TICKADJ) {
+ time_adjust += MAX_TICKADJ;
+ tick_length -= MAX_TICKADJ_SCALED;
+- return;
++ goto out;
+ }
+
+ tick_length += (s64)(time_adjust * NSEC_PER_USEC / NTP_INTERVAL_FREQ)
+ << NTP_SCALE_SHIFT;
+ time_adjust = 0;
++out:
++ return leap;
+ }
+
+ #ifdef CONFIG_GENERIC_CMOS_UPDATE
+@@ -331,27 +335,6 @@ static void notify_cmos_timer(void)
+ static inline void notify_cmos_timer(void) { }
+ #endif
+
+-/*
+- * Start the leap seconds timer:
+- */
+-static inline void ntp_start_leap_timer(struct timespec *ts)
+-{
+- long now = ts->tv_sec;
+-
+- if (time_status & STA_INS) {
+- time_state = TIME_INS;
+- now += 86400 - now % 86400;
+- hrtimer_start(&leap_timer, ktime_set(now, 0), HRTIMER_MODE_ABS);
+-
+- return;
+- }
+-
+- if (time_status & STA_DEL) {
+- time_state = TIME_DEL;
+- now += 86400 - (now + 1) % 86400;
+- hrtimer_start(&leap_timer, ktime_set(now, 0), HRTIMER_MODE_ABS);
+- }
+-}
+
+ /*
+ * Propagate a new txc->status value into the NTP state:
+@@ -374,22 +357,6 @@ static inline void process_adj_status(struct timex *txc, struct timespec *ts)
+ time_status &= STA_RONLY;
+ time_status |= txc->status & ~STA_RONLY;
+
+- switch (time_state) {
+- case TIME_OK:
+- ntp_start_leap_timer(ts);
+- break;
+- case TIME_INS:
+- case TIME_DEL:
+- time_state = TIME_OK;
+- ntp_start_leap_timer(ts);
+- case TIME_WAIT:
+- if (!(time_status & (STA_INS | STA_DEL)))
+- time_state = TIME_OK;
+- break;
+- case TIME_OOP:
+- hrtimer_restart(&leap_timer);
+- break;
+- }
+ }
+ /*
+ * Called with the xtime lock held, so we can access and modify
+@@ -469,9 +436,6 @@ int do_adjtimex(struct timex *txc)
+ (txc->tick < 900000/USER_HZ ||
+ txc->tick > 1100000/USER_HZ))
+ return -EINVAL;
+-
+- if (txc->modes & ADJ_STATUS && time_state != TIME_OK)
+- hrtimer_cancel(&leap_timer);
+ }
+
+ getnstimeofday(&ts);
+@@ -549,6 +513,4 @@ __setup("ntp_tick_adj=", ntp_tick_adj_setup);
+ void __init ntp_init(void)
+ {
+ ntp_clear();
+- hrtimer_init(&leap_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS);
+- leap_timer.function = ntp_leap_second;
+ }
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index 4a71cff..3d35af3 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -161,11 +161,39 @@ struct timespec xtime __attribute__ ((aligned (16)));
+ struct timespec wall_to_monotonic __attribute__ ((aligned (16)));
+ static struct timespec total_sleep_time;
+
++/* Offset clock monotonic -> clock realtime */
++static ktime_t offs_real;
++
++/* Offset clock monotonic -> clock boottime */
++static ktime_t offs_boot;
++
+ /*
+ * The raw monotonic time for the CLOCK_MONOTONIC_RAW posix clock.
+ */
+ struct timespec raw_time;
+
++/* must hold write on xtime_lock */
++static void update_rt_offset(void)
++{
++ struct timespec tmp, *wtm = &wall_to_monotonic;
++
++ set_normalized_timespec(&tmp, -wtm->tv_sec, -wtm->tv_nsec);
++ offs_real = timespec_to_ktime(tmp);
++}
++
++/* must hold write on xtime_lock */
++static void timekeeping_update(bool clearntp)
++{
++ if (clearntp) {
++ timekeeper.ntp_error = 0;
++ ntp_clear();
++ }
++ update_rt_offset();
++ update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
++}
++
++
++
+ /* flag for if timekeeping is suspended */
+ int __read_mostly timekeeping_suspended;
+
+@@ -183,14 +211,6 @@ void update_xtime_cache(u64 nsec)
+ ACCESS_ONCE(xtime_cache) = ts;
+ }
+
+-/* must hold xtime_lock */
+-void timekeeping_leap_insert(int leapsecond)
+-{
+- xtime.tv_sec += leapsecond;
+- wall_to_monotonic.tv_sec -= leapsecond;
+- update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
+-}
+-
+ #ifdef CONFIG_GENERIC_TIME
+
+ /**
+@@ -334,7 +354,7 @@ int do_settimeofday(struct timespec *tv)
+ struct timespec ts_delta;
+ unsigned long flags;
+
+- if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
++ if (!timespec_valid_strict(tv))
+ return -EINVAL;
+
+ write_seqlock_irqsave(&xtime_lock, flags);
+@@ -349,10 +369,7 @@ int do_settimeofday(struct timespec *tv)
+
+ update_xtime_cache(0);
+
+- timekeeper.ntp_error = 0;
+- ntp_clear();
+-
+- update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
++ timekeeping_update(true);
+
+ write_sequnlock_irqrestore(&xtime_lock, flags);
+
+@@ -553,7 +570,20 @@ void __init timekeeping_init(void)
+ struct timespec now, boot;
+
+ read_persistent_clock(&now);
++ if (!timespec_valid_strict(&now)) {
++ printk("WARNING: Persistent clock returned invalid value!\n"
++ " Check your CMOS/BIOS settings.\n");
++ now.tv_sec = 0;
++ now.tv_nsec = 0;
++ }
++
+ read_boot_clock(&boot);
++ if (!timespec_valid_strict(&boot)) {
++ printk("WARNING: Boot clock returned invalid value!\n"
++ " Check your CMOS/BIOS settings.\n");
++ boot.tv_sec = 0;
++ boot.tv_nsec = 0;
++ }
+
+ write_seqlock_irqsave(&xtime_lock, flags);
+
+@@ -575,6 +605,7 @@ void __init timekeeping_init(void)
+ set_normalized_timespec(&wall_to_monotonic,
+ -boot.tv_sec, -boot.tv_nsec);
+ update_xtime_cache(0);
++ update_rt_offset();
+ total_sleep_time.tv_sec = 0;
+ total_sleep_time.tv_nsec = 0;
+ write_sequnlock_irqrestore(&xtime_lock, flags);
+@@ -583,6 +614,12 @@ void __init timekeeping_init(void)
+ /* time in seconds when suspend began */
+ static struct timespec timekeeping_suspend_time;
+
++static void update_sleep_time(struct timespec t)
++{
++ total_sleep_time = t;
++ offs_boot = timespec_to_ktime(t);
++}
++
+ /**
+ * timekeeping_resume - Resumes the generic timekeeping subsystem.
+ * @dev: unused
+@@ -606,13 +643,14 @@ static int timekeeping_resume(struct sys_device *dev)
+ ts = timespec_sub(ts, timekeeping_suspend_time);
+ xtime = timespec_add_safe(xtime, ts);
+ wall_to_monotonic = timespec_sub(wall_to_monotonic, ts);
+- total_sleep_time = timespec_add_safe(total_sleep_time, ts);
++ update_sleep_time(timespec_add_safe(total_sleep_time, ts));
+ }
+ update_xtime_cache(0);
+ /* re-base the last cycle value */
+ timekeeper.clock->cycle_last = timekeeper.clock->read(timekeeper.clock);
+ timekeeper.ntp_error = 0;
+ timekeeping_suspended = 0;
++ timekeeping_update(false);
+ write_sequnlock_irqrestore(&xtime_lock, flags);
+
+ touch_softlockup_watchdog();
+@@ -769,6 +807,10 @@ void update_wall_time(void)
+ #else
+ offset = timekeeper.cycle_interval;
+ #endif
++ /* Check if there's really nothing to do */
++ if (offset < timekeeper.cycle_interval)
++ return;
++
+ timekeeper.xtime_nsec = (s64)xtime.tv_nsec << timekeeper.shift;
+
+ /* normally this loop will run just once, however in the
+@@ -783,9 +825,14 @@ void update_wall_time(void)
+
+ timekeeper.xtime_nsec += timekeeper.xtime_interval;
+ if (timekeeper.xtime_nsec >= nsecps) {
++ int leap;
+ timekeeper.xtime_nsec -= nsecps;
+ xtime.tv_sec++;
+- second_overflow();
++ leap = second_overflow(xtime.tv_sec);
++ xtime.tv_sec += leap;
++ wall_to_monotonic.tv_sec -= leap;
++ if (leap)
++ clock_was_set_delayed();
+ }
+
+ raw_time.tv_nsec += timekeeper.raw_interval;
+@@ -837,8 +884,7 @@ void update_wall_time(void)
+ nsecs = clocksource_cyc2ns(offset, timekeeper.mult, timekeeper.shift);
+ update_xtime_cache(nsecs);
+
+- /* check to see if there is a new clocksource to use */
+- update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
++ timekeeping_update(false);
+ }
+
+ /**
+@@ -915,3 +961,35 @@ struct timespec get_monotonic_coarse(void)
+ now.tv_nsec + mono.tv_nsec);
+ return now;
+ }
++
++#ifdef CONFIG_HIGH_RES_TIMERS
++/**
++ * ktime_get_update_offsets - hrtimer helper
++ * @real: pointer to storage for monotonic -> realtime offset
++ *
++ * Returns current monotonic time and updates the offsets
++ * Called from hrtimer_interupt() or retrigger_next_event()
++ */
++ktime_t ktime_get_update_offsets(ktime_t *real)
++{
++ ktime_t now;
++ unsigned int seq;
++ u64 secs, nsecs;
++
++ do {
++ seq = read_seqbegin(&xtime_lock);
++
++ secs = xtime.tv_sec;
++ nsecs = xtime.tv_nsec;
++ nsecs += timekeeping_get_ns();
++ /* If arch requires, add in gettimeoffset() */
++ nsecs += arch_gettimeoffset();
++
++ *real = offs_real;
++ } while (read_seqretry(&xtime_lock, seq));
++
++ now = ktime_add_ns(ktime_set(secs, 0), nsecs);
++ now = ktime_sub(now, *real);
++ return now;
++}
++#endif
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 67e526b..b617e0c 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -772,6 +772,7 @@ int current_is_keventd(void)
+ return ret;
+
+ }
++EXPORT_SYMBOL_GPL(current_is_keventd);
+
+ static struct cpu_workqueue_struct *
+ init_cpu_workqueue(struct workqueue_struct *wq, int cpu)
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 5e1e508..20f9240 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -49,6 +49,84 @@ static unsigned long __initdata default_hstate_size;
+ */
+ static DEFINE_SPINLOCK(hugetlb_lock);
+
++static inline void unlock_or_release_subpool(struct hugepage_subpool *spool)
++{
++ bool free = (spool->count == 0) && (spool->used_hpages == 0);
++
++ spin_unlock(&spool->lock);
++
++ /* If no pages are used, and no other handles to the subpool
++ * remain, free the subpool the subpool remain */
++ if (free)
++ kfree(spool);
++}
++
++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks)
++{
++ struct hugepage_subpool *spool;
++
++ spool = kmalloc(sizeof(*spool), GFP_KERNEL);
++ if (!spool)
++ return NULL;
++
++ spin_lock_init(&spool->lock);
++ spool->count = 1;
++ spool->max_hpages = nr_blocks;
++ spool->used_hpages = 0;
++
++ return spool;
++}
++
++void hugepage_put_subpool(struct hugepage_subpool *spool)
++{
++ spin_lock(&spool->lock);
++ BUG_ON(!spool->count);
++ spool->count--;
++ unlock_or_release_subpool(spool);
++}
++
++static int hugepage_subpool_get_pages(struct hugepage_subpool *spool,
++ long delta)
++{
++ int ret = 0;
++
++ if (!spool)
++ return 0;
++
++ spin_lock(&spool->lock);
++ if ((spool->used_hpages + delta) <= spool->max_hpages) {
++ spool->used_hpages += delta;
++ } else {
++ ret = -ENOMEM;
++ }
++ spin_unlock(&spool->lock);
++
++ return ret;
++}
++
++static void hugepage_subpool_put_pages(struct hugepage_subpool *spool,
++ long delta)
++{
++ if (!spool)
++ return;
++
++ spin_lock(&spool->lock);
++ spool->used_hpages -= delta;
++ /* If hugetlbfs_put_super couldn't free spool due to
++ * an outstanding quota reference, free it now. */
++ unlock_or_release_subpool(spool);
++}
++
++static inline struct hugepage_subpool *subpool_inode(struct inode *inode)
++{
++ return HUGETLBFS_SB(inode->i_sb)->spool;
++}
++
++static inline struct hugepage_subpool *subpool_vma(struct vm_area_struct *vma)
++{
++ return subpool_inode(vma->vm_file->f_dentry->d_inode);
++}
++
+ /*
+ * Region tracking -- allows tracking of reservations and instantiated pages
+ * across the pages in a mapping.
+@@ -541,9 +619,9 @@ static void free_huge_page(struct page *page)
+ */
+ struct hstate *h = page_hstate(page);
+ int nid = page_to_nid(page);
+- struct address_space *mapping;
++ struct hugepage_subpool *spool =
++ (struct hugepage_subpool *)page_private(page);
+
+- mapping = (struct address_space *) page_private(page);
+ set_page_private(page, 0);
+ page->mapping = NULL;
+ BUG_ON(page_count(page));
+@@ -558,8 +636,7 @@ static void free_huge_page(struct page *page)
+ enqueue_huge_page(h, page);
+ }
+ spin_unlock(&hugetlb_lock);
+- if (mapping)
+- hugetlb_put_quota(mapping, 1);
++ hugepage_subpool_put_pages(spool, 1);
+ }
+
+ static void prep_new_huge_page(struct hstate *h, struct page *page, int nid)
+@@ -927,11 +1004,12 @@ static void return_unused_surplus_pages(struct hstate *h,
+ /*
+ * Determine if the huge page at addr within the vma has an associated
+ * reservation. Where it does not we will need to logically increase
+- * reservation and actually increase quota before an allocation can occur.
+- * Where any new reservation would be required the reservation change is
+- * prepared, but not committed. Once the page has been quota'd allocated
+- * an instantiated the change should be committed via vma_commit_reservation.
+- * No action is required on failure.
++ * reservation and actually increase subpool usage before an allocation
++ * can occur. Where any new reservation would be required the
++ * reservation change is prepared, but not committed. Once the page
++ * has been allocated from the subpool and instantiated the change should
++ * be committed via vma_commit_reservation. No action is required on
++ * failure.
+ */
+ static long vma_needs_reservation(struct hstate *h,
+ struct vm_area_struct *vma, unsigned long addr)
+@@ -980,24 +1058,24 @@ static void vma_commit_reservation(struct hstate *h,
+ static struct page *alloc_huge_page(struct vm_area_struct *vma,
+ unsigned long addr, int avoid_reserve)
+ {
++ struct hugepage_subpool *spool = subpool_vma(vma);
+ struct hstate *h = hstate_vma(vma);
+ struct page *page;
+- struct address_space *mapping = vma->vm_file->f_mapping;
+- struct inode *inode = mapping->host;
+ long chg;
+
+ /*
+- * Processes that did not create the mapping will have no reserves and
+- * will not have accounted against quota. Check that the quota can be
+- * made before satisfying the allocation
+- * MAP_NORESERVE mappings may also need pages and quota allocated
+- * if no reserve mapping overlaps.
++ * Processes that did not create the mapping will have no
++ * reserves and will not have accounted against subpool
++ * limit. Check that the subpool limit can be made before
++ * satisfying the allocation MAP_NORESERVE mappings may also
++ * need pages and subpool limit allocated allocated if no reserve
++ * mapping overlaps.
+ */
+ chg = vma_needs_reservation(h, vma, addr);
+ if (chg < 0)
+ return ERR_PTR(-VM_FAULT_OOM);
+ if (chg)
+- if (hugetlb_get_quota(inode->i_mapping, chg))
++ if (hugepage_subpool_get_pages(spool, chg))
+ return ERR_PTR(-VM_FAULT_SIGBUS);
+
+ spin_lock(&hugetlb_lock);
+@@ -1007,13 +1085,13 @@ static struct page *alloc_huge_page(struct vm_area_struct *vma,
+ if (!page) {
+ page = alloc_buddy_huge_page(h, vma, addr);
+ if (!page) {
+- hugetlb_put_quota(inode->i_mapping, chg);
++ hugepage_subpool_put_pages(spool, chg);
+ return ERR_PTR(-VM_FAULT_SIGBUS);
+ }
+ }
+
+ set_page_refcounted(page);
+- set_page_private(page, (unsigned long) mapping);
++ set_page_private(page, (unsigned long)spool);
+
+ vma_commit_reservation(h, vma, addr);
+
+@@ -1698,6 +1776,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ {
+ struct hstate *h = hstate_vma(vma);
+ struct resv_map *reservations = vma_resv_map(vma);
++ struct hugepage_subpool *spool = subpool_vma(vma);
+ unsigned long reserve;
+ unsigned long start;
+ unsigned long end;
+@@ -1713,7 +1792,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+
+ if (reserve) {
+ hugetlb_acct_memory(h, -reserve);
+- hugetlb_put_quota(vma->vm_file->f_mapping, reserve);
++ hugepage_subpool_put_pages(spool, reserve);
+ }
+ }
+ }
+@@ -1910,7 +1989,7 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+ address = address & huge_page_mask(h);
+ pgoff = ((address - vma->vm_start) >> PAGE_SHIFT)
+ + (vma->vm_pgoff >> PAGE_SHIFT);
+- mapping = (struct address_space *)page_private(page);
++ mapping = vma->vm_file->f_dentry->d_inode->i_mapping;
+
+ vma_prio_tree_foreach(iter_vma, &iter, &mapping->i_mmap, pgoff, pgoff) {
+ /* Do not unmap the current VMA */
+@@ -2364,11 +2443,12 @@ int hugetlb_reserve_pages(struct inode *inode,
+ {
+ long ret, chg;
+ struct hstate *h = hstate_inode(inode);
++ struct hugepage_subpool *spool = subpool_inode(inode);
+
+ /*
+ * Only apply hugepage reservation if asked. At fault time, an
+ * attempt will be made for VM_NORESERVE to allocate a page
+- * and filesystem quota without using reserves
++ * without using reserves
+ */
+ if (acctflag & VM_NORESERVE)
+ return 0;
+@@ -2395,17 +2475,17 @@ int hugetlb_reserve_pages(struct inode *inode,
+ if (chg < 0)
+ return chg;
+
+- /* There must be enough filesystem quota for the mapping */
+- if (hugetlb_get_quota(inode->i_mapping, chg))
++ /* There must be enough pages in the subpool for the mapping */
++ if (hugepage_subpool_get_pages(spool, chg))
+ return -ENOSPC;
+
+ /*
+ * Check enough hugepages are available for the reservation.
+- * Hand back the quota if there are not
++ * Hand the pages back to the subpool if there are not
+ */
+ ret = hugetlb_acct_memory(h, chg);
+ if (ret < 0) {
+- hugetlb_put_quota(inode->i_mapping, chg);
++ hugepage_subpool_put_pages(spool, chg);
+ return ret;
+ }
+
+@@ -2429,11 +2509,12 @@ void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed)
+ {
+ struct hstate *h = hstate_inode(inode);
+ long chg = region_truncate(&inode->i_mapping->private_list, offset);
++ struct hugepage_subpool *spool = subpool_inode(inode);
+
+ spin_lock(&inode->i_lock);
+ inode->i_blocks -= (blocks_per_huge_page(h) * freed);
+ spin_unlock(&inode->i_lock);
+
+- hugetlb_put_quota(inode->i_mapping, (chg - freed));
++ hugepage_subpool_put_pages(spool, (chg - freed));
+ hugetlb_acct_memory(h, -(chg - freed));
+ }
+diff --git a/mm/madvise.c b/mm/madvise.c
+index 35b1479..e405c5f 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -12,6 +12,7 @@
+ #include <linux/hugetlb.h>
+ #include <linux/sched.h>
+ #include <linux/ksm.h>
++#include <linux/file.h>
+
+ /*
+ * Any behaviour which results in changes to the vma->vm_flags needs to
+@@ -190,14 +191,16 @@ static long madvise_remove(struct vm_area_struct *vma,
+ struct address_space *mapping;
+ loff_t offset, endoff;
+ int error;
++ struct file *f;
+
+ *prev = NULL; /* tell sys_madvise we drop mmap_sem */
+
+ if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
+ return -EINVAL;
+
+- if (!vma->vm_file || !vma->vm_file->f_mapping
+- || !vma->vm_file->f_mapping->host) {
++ f = vma->vm_file;
++
++ if (!f || !f->f_mapping || !f->f_mapping->host) {
+ return -EINVAL;
+ }
+
+@@ -211,9 +214,16 @@ static long madvise_remove(struct vm_area_struct *vma,
+ endoff = (loff_t)(end - vma->vm_start - 1)
+ + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
+
+- /* vmtruncate_range needs to take i_mutex and i_alloc_sem */
++ /*
++ * vmtruncate_range may need to take i_mutex and i_alloc_sem.
++ * We need to explicitly grab a reference because the vma (and
++ * hence the vma's reference to the file) can go away as soon as
++ * we drop mmap_sem.
++ */
++ get_file(f);
+ up_read(¤t->mm->mmap_sem);
+ error = vmtruncate_range(mapping->host, offset, endoff);
++ fput(f);
+ down_read(¤t->mm->mmap_sem);
+ return error;
+ }
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 3c6e3e2..a6563fb 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2259,7 +2259,7 @@ int mpol_to_str(char *buffer, int maxlen, struct mempolicy *pol, int no_context)
+ break;
+
+ default:
+- BUG();
++ return -EINVAL;
+ }
+
+ l = strlen(policy_types[mode]);
+diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
+index 7e33f2c..8aa875c 100644
+--- a/mm/mmu_notifier.c
++++ b/mm/mmu_notifier.c
+@@ -32,6 +32,24 @@
+ void __mmu_notifier_release(struct mm_struct *mm)
+ {
+ struct mmu_notifier *mn;
++ struct hlist_node *n;
++
++ /*
++ * RCU here will block mmu_notifier_unregister until
++ * ->release returns.
++ */
++ rcu_read_lock();
++ hlist_for_each_entry_rcu(mn, n, &mm->mmu_notifier_mm->list, hlist)
++ /*
++ * if ->release runs before mmu_notifier_unregister it
++ * must be handled as it's the only way for the driver
++ * to flush all existing sptes and stop the driver
++ * from establishing any more sptes before all the
++ * pages in the mm are freed.
++ */
++ if (mn->ops->release)
++ mn->ops->release(mn, mm);
++ rcu_read_unlock();
+
+ spin_lock(&mm->mmu_notifier_mm->lock);
+ while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
+@@ -45,23 +63,6 @@ void __mmu_notifier_release(struct mm_struct *mm)
+ * mmu_notifier_unregister to return.
+ */
+ hlist_del_init_rcu(&mn->hlist);
+- /*
+- * RCU here will block mmu_notifier_unregister until
+- * ->release returns.
+- */
+- rcu_read_lock();
+- spin_unlock(&mm->mmu_notifier_mm->lock);
+- /*
+- * if ->release runs before mmu_notifier_unregister it
+- * must be handled as it's the only way for the driver
+- * to flush all existing sptes and stop the driver
+- * from establishing any more sptes before all the
+- * pages in the mm are freed.
+- */
+- if (mn->ops->release)
+- mn->ops->release(mn, mm);
+- rcu_read_unlock();
+- spin_lock(&mm->mmu_notifier_mm->lock);
+ }
+ spin_unlock(&mm->mmu_notifier_mm->lock);
+
+@@ -263,16 +264,13 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
+ {
+ BUG_ON(atomic_read(&mm->mm_count) <= 0);
+
+- spin_lock(&mm->mmu_notifier_mm->lock);
+ if (!hlist_unhashed(&mn->hlist)) {
+- hlist_del_rcu(&mn->hlist);
+-
+ /*
+ * RCU here will force exit_mmap to wait ->release to finish
+ * before freeing the pages.
+ */
+ rcu_read_lock();
+- spin_unlock(&mm->mmu_notifier_mm->lock);
++
+ /*
+ * exit_mmap will block in mmu_notifier_release to
+ * guarantee ->release is called before freeing the
+@@ -281,8 +279,11 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
+ if (mn->ops->release)
+ mn->ops->release(mn, mm);
+ rcu_read_unlock();
+- } else
++
++ spin_lock(&mm->mmu_notifier_mm->lock);
++ hlist_del_rcu(&mn->hlist);
+ spin_unlock(&mm->mmu_notifier_mm->lock);
++ }
+
+ /*
+ * Wait any running method to finish, of course including
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 84a0705..46e2a29 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1133,6 +1133,7 @@ int dev_open(struct net_device *dev)
+ /*
+ * ... and announce new interface.
+ */
++ add_device_randomness(dev->dev_addr, dev->addr_len);
+ call_netdevice_notifiers(NETDEV_UP, dev);
+ }
+
+@@ -4268,6 +4269,7 @@ int dev_set_mac_address(struct net_device *dev, struct sockaddr *sa)
+ err = ops->ndo_set_mac_address(dev, sa);
+ if (!err)
+ call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
++ add_device_randomness(dev->dev_addr, dev->addr_len);
+ return err;
+ }
+ EXPORT_SYMBOL(dev_set_mac_address);
+@@ -4871,6 +4873,7 @@ int register_netdevice(struct net_device *dev)
+ dev_init_scheduler(dev);
+ dev_hold(dev);
+ list_netdevice(dev);
++ add_device_randomness(dev->dev_addr, dev->addr_len);
+
+ /* Notify protocols, that a new device appeared. */
+ ret = call_netdevice_notifiers(NETDEV_REGISTER, dev);
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index d4fd895..9d70042 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -817,6 +817,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
+ goto errout;
+ send_addr_notify = 1;
+ modified = 1;
++ add_device_randomness(dev->dev_addr, dev->addr_len);
+ }
+
+ if (tb[IFLA_MTU]) {
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 025f924..72ff527 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2989,6 +2989,8 @@ static void sock_rmem_free(struct sk_buff *skb)
+ */
+ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+ {
++ int len = skb->len;
++
+ if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
+ (unsigned)sk->sk_rcvbuf)
+ return -ENOMEM;
+@@ -3000,7 +3002,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+
+ skb_queue_tail(&sk->sk_error_queue, skb);
+ if (!sock_flag(sk, SOCK_DEAD))
+- sk->sk_data_ready(sk, skb->len);
++ sk->sk_data_ready(sk, len);
+ return 0;
+ }
+ EXPORT_SYMBOL(sock_queue_err_skb);
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6605e75..4538a34 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1391,6 +1391,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ gfp_t gfp_mask;
+ long timeo;
+ int err;
++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
++
++ err = -EMSGSIZE;
++ if (npages > MAX_SKB_FRAGS)
++ goto failure;
+
+ gfp_mask = sk->sk_allocation;
+ if (gfp_mask & __GFP_WAIT)
+@@ -1409,14 +1414,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
+ skb = alloc_skb(header_len, gfp_mask);
+ if (skb) {
+- int npages;
+ int i;
+
+ /* No pages, we're done... */
+ if (!data_len)
+ break;
+
+- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+ skb->truesize += data_len;
+ skb_shinfo(skb)->nr_frags = npages;
+ for (i = 0; i < npages; i++) {
+diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
+index facedd2..ab260b0 100644
+--- a/net/dccp/ccid.h
++++ b/net/dccp/ccid.h
+@@ -214,7 +214,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk,
+ u32 __user *optval, int __user *optlen)
+ {
+ int rc = -ENOPROTOOPT;
+- if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
+ rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
+ optval, optlen);
+ return rc;
+@@ -225,7 +225,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk,
+ u32 __user *optval, int __user *optlen)
+ {
+ int rc = -ENOPROTOOPT;
+- if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
+ rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
+ optval, optlen);
+ return rc;
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 039cc1f..10f8f8d 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1726,8 +1726,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
+ case CIPSO_V4_TAG_LOCAL:
+ /* This is a non-standard tag that we only allow for
+ * local connections, so if the incoming interface is
+- * not the loopback device drop the packet. */
+- if (!(skb->dev->flags & IFF_LOOPBACK)) {
++ * not the loopback device drop the packet. Further,
++ * there is no legitimate reason for setting this from
++ * userspace so reject it if skb is NULL. */
++ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
+ err_offset = opt_iter;
+ goto validate_return_locked;
+ }
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f095659..b9644d8 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -838,8 +838,7 @@ new_segment:
+ wait_for_sndbuf:
+ set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
+ wait_for_memory:
+- if (copied)
+- tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
++ tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
+
+ if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
+ goto do_error;
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ce1ce82..db755c4 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5239,7 +5239,9 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ if (tp->copied_seq == tp->rcv_nxt &&
+ len - tcp_header_len <= tp->ucopy.len) {
+ #ifdef CONFIG_NET_DMA
+- if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
++ if (tp->ucopy.task == current &&
++ sock_owned_by_user(sk) &&
++ tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
+ copied_early = 1;
+ eaten = 1;
+ }
+@@ -5632,6 +5634,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ goto discard;
+
+ if (th->syn) {
++ if (th->fin)
++ goto discard;
+ if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ return 1;
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 6fc7961..6a4e832 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -406,6 +406,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ !icsk->icsk_backoff)
+ break;
+
++ if (sock_owned_by_user(sk))
++ break;
++
+ icsk->icsk_backoff--;
+ inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
+ icsk->icsk_backoff;
+@@ -420,11 +423,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ if (remaining) {
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ remaining, TCP_RTO_MAX);
+- } else if (sock_owned_by_user(sk)) {
+- /* RTO revert clocked out retransmission,
+- * but socket is locked. Will defer. */
+- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+- HZ/20, TCP_RTO_MAX);
+ } else {
+ /* RTO revert clocked out retransmission.
+ * Will retransmit now */
+diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
+index 6341818..e3db3f9 100644
+--- a/net/ipv4/xfrm4_mode_beet.c
++++ b/net/ipv4/xfrm4_mode_beet.c
+@@ -110,10 +110,7 @@ static int xfrm4_beet_input(struct xfrm_state *x, struct sk_buff *skb)
+
+ skb_push(skb, sizeof(*iph));
+ skb_reset_network_header(skb);
+-
+- memmove(skb->data - skb->mac_len, skb_mac_header(skb),
+- skb->mac_len);
+- skb_set_mac_header(skb, -skb->mac_len);
++ skb_mac_header_rebuild(skb);
+
+ xfrm4_beet_make_header(skb);
+
+diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
+index 3444f3b..5d1d1fd 100644
+--- a/net/ipv4/xfrm4_mode_tunnel.c
++++ b/net/ipv4/xfrm4_mode_tunnel.c
+@@ -65,7 +65,6 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
+
+ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+- const unsigned char *old_mac;
+ int err = -EINVAL;
+
+ if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
+@@ -83,10 +82,9 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ if (!(x->props.flags & XFRM_STATE_NOECN))
+ ipip_ecn_decapsulate(skb);
+
+- old_mac = skb_mac_header(skb);
+- skb_set_mac_header(skb, -skb->mac_len);
+- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ skb_reset_network_header(skb);
++ skb_mac_header_rebuild(skb);
++
+ err = 0;
+
+ out:
+diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
+index bbd48b1..6cc7a45 100644
+--- a/net/ipv6/xfrm6_mode_beet.c
++++ b/net/ipv6/xfrm6_mode_beet.c
+@@ -82,7 +82,6 @@ static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ struct ipv6hdr *ip6h;
+- const unsigned char *old_mac;
+ int size = sizeof(struct ipv6hdr);
+ int err;
+
+@@ -92,10 +91,7 @@ static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
+
+ __skb_push(skb, size);
+ skb_reset_network_header(skb);
+-
+- old_mac = skb_mac_header(skb);
+- skb_set_mac_header(skb, -skb->mac_len);
+- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
++ skb_mac_header_rebuild(skb);
+
+ xfrm6_beet_make_header(skb);
+
+diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
+index 3927832..672c0da 100644
+--- a/net/ipv6/xfrm6_mode_tunnel.c
++++ b/net/ipv6/xfrm6_mode_tunnel.c
+@@ -61,7 +61,6 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int err = -EINVAL;
+- const unsigned char *old_mac;
+
+ if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6)
+ goto out;
+@@ -78,10 +77,9 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ if (!(x->props.flags & XFRM_STATE_NOECN))
+ ipip6_ecn_decapsulate(skb);
+
+- old_mac = skb_mac_header(skb);
+- skb_set_mac_header(skb, -skb->mac_len);
+- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ skb_reset_network_header(skb);
++ skb_mac_header_rebuild(skb);
++
+ err = 0;
+
+ out:
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 5a7dcdf..fc91ff6 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -821,12 +821,19 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
+ return 0;
+ }
+
+-int netlink_sendskb(struct sock *sk, struct sk_buff *skb)
++static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
+ {
+ int len = skb->len;
+
+ skb_queue_tail(&sk->sk_receive_queue, skb);
+ sk->sk_data_ready(sk, len);
++ return len;
++}
++
++int netlink_sendskb(struct sock *sk, struct sk_buff *skb)
++{
++ int len = __netlink_sendskb(sk, skb);
++
+ sock_put(sk);
+ return len;
+ }
+@@ -951,8 +958,7 @@ static inline int netlink_broadcast_deliver(struct sock *sk,
+ if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
+ !test_bit(0, &nlk->state)) {
+ skb_set_owner_r(skb, sk);
+- skb_queue_tail(&sk->sk_receive_queue, skb);
+- sk->sk_data_ready(sk, skb->len);
++ __netlink_sendskb(sk, skb);
+ return atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf;
+ }
+ return -1;
+@@ -1665,10 +1671,8 @@ static int netlink_dump(struct sock *sk)
+
+ if (sk_filter(sk, skb))
+ kfree_skb(skb);
+- else {
+- skb_queue_tail(&sk->sk_receive_queue, skb);
+- sk->sk_data_ready(sk, skb->len);
+- }
++ else
++ __netlink_sendskb(sk, skb);
+ return 0;
+ }
+
+@@ -1680,10 +1684,8 @@ static int netlink_dump(struct sock *sk)
+
+ if (sk_filter(sk, skb))
+ kfree_skb(skb);
+- else {
+- skb_queue_tail(&sk->sk_receive_queue, skb);
+- sk->sk_data_ready(sk, skb->len);
+- }
++ else
++ __netlink_sendskb(sk, skb);
+
+ if (cb->done)
+ cb->done(cb);
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 9cdd35e..7481d70 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -851,6 +851,9 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk,
+ int flags = msg->msg_flags;
+ int err, done;
+
++ if (len > 65535)
++ return -EMSGSIZE;
++
+ if (msg->msg_flags & MSG_OOB || !(msg->msg_flags & MSG_EOR))
+ return -EOPNOTSUPP;
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 7d188bc..523efbb 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -983,7 +983,7 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
+ struct sock *make;
+ struct rose_sock *make_rose;
+ struct rose_facilities_struct facilities;
+- int n, len;
++ int n;
+
+ skb->sk = NULL; /* Initially we don't know who it's for */
+
+@@ -992,9 +992,9 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
+ */
+ memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
+
+- len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+- len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+- if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
++ if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
++ skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
++ &facilities)) {
+ rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);
+ return 0;
+ }
+diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
+index 114df6e..37965b8 100644
+--- a/net/rose/rose_loopback.c
++++ b/net/rose/rose_loopback.c
+@@ -72,9 +72,20 @@ static void rose_loopback_timer(unsigned long param)
+ unsigned int lci_i, lci_o;
+
+ while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
++ if (skb->len < ROSE_MIN_LEN) {
++ kfree_skb(skb);
++ continue;
++ }
+ lci_i = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
+ frametype = skb->data[2];
+- dest = (rose_address *)(skb->data + 4);
++ if (frametype == ROSE_CALL_REQUEST &&
++ (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
++ skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
++ ROSE_CALL_REQ_ADDR_LEN_VAL)) {
++ kfree_skb(skb);
++ continue;
++ }
++ dest = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
+ lci_o = 0xFFF - lci_i;
+
+ skb_reset_transport_header(skb);
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 08230fa..1646b25 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -852,7 +852,7 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ unsigned int lci, new_lci;
+ unsigned char cause, diagnostic;
+ struct net_device *dev;
+- int len, res = 0;
++ int res = 0;
+ char buf[11];
+
+ #if 0
+@@ -860,10 +860,17 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ return res;
+ #endif
+
++ if (skb->len < ROSE_MIN_LEN)
++ return res;
+ frametype = skb->data[2];
+ lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
+- src_addr = (rose_address *)(skb->data + 9);
+- dest_addr = (rose_address *)(skb->data + 4);
++ if (frametype == ROSE_CALL_REQUEST &&
++ (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
++ skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
++ ROSE_CALL_REQ_ADDR_LEN_VAL))
++ return res;
++ src_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);
++ dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
+
+ spin_lock_bh(&rose_neigh_list_lock);
+ spin_lock_bh(&rose_route_list_lock);
+@@ -1001,12 +1008,11 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ goto out;
+ }
+
+- len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+- len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+-
+ memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
+
+- if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
++ if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
++ skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
++ &facilities)) {
+ rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);
+ goto out;
+ }
+diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
+index 07bca7d..32e5c9f 100644
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -141,7 +141,7 @@ void rose_write_internal(struct sock *sk, int frametype)
+ *dptr++ = ROSE_GFI | lci1;
+ *dptr++ = lci2;
+ *dptr++ = frametype;
+- *dptr++ = 0xAA;
++ *dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL;
+ memcpy(dptr, &rose->dest_addr, ROSE_ADDR_LEN);
+ dptr += ROSE_ADDR_LEN;
+ memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
+@@ -245,12 +245,16 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ do {
+ switch (*p & 0xC0) {
+ case 0x00:
++ if (len < 2)
++ return -1;
+ p += 2;
+ n += 2;
+ len -= 2;
+ break;
+
+ case 0x40:
++ if (len < 3)
++ return -1;
+ if (*p == FAC_NATIONAL_RAND)
+ facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);
+ p += 3;
+@@ -259,32 +263,48 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ break;
+
+ case 0x80:
++ if (len < 4)
++ return -1;
+ p += 4;
+ n += 4;
+ len -= 4;
+ break;
+
+ case 0xC0:
++ if (len < 2)
++ return -1;
+ l = p[1];
++ if (len < 2 + l)
++ return -1;
+ if (*p == FAC_NATIONAL_DEST_DIGI) {
+ if (!fac_national_digis_received) {
++ if (l < AX25_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);
+ facilities->source_ndigis = 1;
+ }
+ }
+ else if (*p == FAC_NATIONAL_SRC_DIGI) {
+ if (!fac_national_digis_received) {
++ if (l < AX25_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);
+ facilities->dest_ndigis = 1;
+ }
+ }
+ else if (*p == FAC_NATIONAL_FAIL_CALL) {
++ if (l < AX25_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);
+ }
+ else if (*p == FAC_NATIONAL_FAIL_ADD) {
++ if (l < 1 + ROSE_ADDR_LEN)
++ return -1;
+ memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);
+ }
+ else if (*p == FAC_NATIONAL_DIGIS) {
++ if (l % AX25_ADDR_LEN)
++ return -1;
+ fac_national_digis_received = 1;
+ facilities->source_ndigis = 0;
+ facilities->dest_ndigis = 0;
+@@ -318,24 +338,32 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ do {
+ switch (*p & 0xC0) {
+ case 0x00:
++ if (len < 2)
++ return -1;
+ p += 2;
+ n += 2;
+ len -= 2;
+ break;
+
+ case 0x40:
++ if (len < 3)
++ return -1;
+ p += 3;
+ n += 3;
+ len -= 3;
+ break;
+
+ case 0x80:
++ if (len < 4)
++ return -1;
+ p += 4;
+ n += 4;
+ len -= 4;
+ break;
+
+ case 0xC0:
++ if (len < 2)
++ return -1;
+ l = p[1];
+
+ /* Prevent overflows*/
+@@ -364,49 +392,44 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ return n;
+ }
+
+-int rose_parse_facilities(unsigned char *p,
++int rose_parse_facilities(unsigned char *p, unsigned packet_len,
+ struct rose_facilities_struct *facilities)
+ {
+ int facilities_len, len;
+
+ facilities_len = *p++;
+
+- if (facilities_len == 0)
++ if (facilities_len == 0 || (unsigned)facilities_len > packet_len)
+ return 0;
+
+- while (facilities_len > 0) {
+- if (*p == 0x00) {
+- facilities_len--;
+- p++;
+-
+- switch (*p) {
+- case FAC_NATIONAL: /* National */
+- len = rose_parse_national(p + 1, facilities, facilities_len - 1);
+- if (len < 0)
+- return 0;
+- facilities_len -= len + 1;
+- p += len + 1;
+- break;
+-
+- case FAC_CCITT: /* CCITT */
+- len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+- if (len < 0)
+- return 0;
+- facilities_len -= len + 1;
+- p += len + 1;
+- break;
+-
+- default:
+- printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
+- facilities_len--;
+- p++;
+- break;
+- }
+- } else
+- break; /* Error in facilities format */
++ while (facilities_len >= 3 && *p == 0x00) {
++ facilities_len--;
++ p++;
++
++ switch (*p) {
++ case FAC_NATIONAL: /* National */
++ len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++ break;
++
++ case FAC_CCITT: /* CCITT */
++ len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++ break;
++
++ default:
++ printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
++ len = 1;
++ break;
++ }
++
++ if (len < 0)
++ return 0;
++ if (WARN_ON(len >= facilities_len))
++ return 0;
++ facilities_len -= len + 1;
++ p += len + 1;
+ }
+
+- return 1;
++ return facilities_len == 0;
+ }
+
+ static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)
+diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
+index 40408d5..bf98414 100644
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -544,11 +544,8 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
+ opt.packets = q->packetsin;
+ opt.bytesin = q->bytesin;
+
+- if (gred_wred_mode(table)) {
+- q->parms.qidlestart =
+- table->tab[table->def]->parms.qidlestart;
+- q->parms.qavg = table->tab[table->def]->parms.qavg;
+- }
++ if (gred_wred_mode(table))
++ gred_load_wred_set(table, q);
+
+ opt.qave = red_calc_qavg(&q->parms, q->parms.qavg);
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 2b88295..0ae345a 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -199,12 +199,10 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+ * do it now in software before we mangle it.
+ */
+ if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) {
+- if (!(skb = skb_unshare(skb, GFP_ATOMIC))
+- || (skb->ip_summed == CHECKSUM_PARTIAL
+- && skb_checksum_help(skb))) {
+- sch->qstats.drops++;
+- return NET_XMIT_DROP;
+- }
++ if (!(skb = skb_unshare(skb, GFP_ATOMIC)) ||
++ (skb->ip_summed == CHECKSUM_PARTIAL &&
++ skb_checksum_help(skb)))
++ return qdisc_drop(skb, sch);
+
+ skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8);
+ }
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 254afea..e8e73f1 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -739,15 +739,12 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep)
+
+ epb = &ep->base;
+
+- if (hlist_unhashed(&epb->node))
+- return;
+-
+ epb->hashent = sctp_ep_hashfn(epb->bind_addr.port);
+
+ head = &sctp_ep_hashtable[epb->hashent];
+
+ sctp_write_lock(&head->lock);
+- __hlist_del(&epb->node);
++ hlist_del_init(&epb->node);
+ sctp_write_unlock(&head->lock);
+ }
+
+@@ -828,7 +825,7 @@ static void __sctp_unhash_established(struct sctp_association *asoc)
+ head = &sctp_assoc_hashtable[epb->hashent];
+
+ sctp_write_lock(&head->lock);
+- __hlist_del(&epb->node);
++ hlist_del_init(&epb->node);
+ sctp_write_unlock(&head->lock);
+ }
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 3a95fcb..1f9843e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1142,8 +1142,14 @@ out_free:
+ SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p"
+ " kaddrs: %p err: %d\n",
+ asoc, kaddrs, err);
+- if (asoc)
++ if (asoc) {
++ /* sctp_primitive_ASSOCIATE may have added this association
++ * To the hash table, try to unhash it, just in case, its a noop
++ * if it wasn't hashed so we're safe
++ */
++ sctp_unhash_established(asoc);
+ sctp_association_free(asoc);
++ }
+ return err;
+ }
+
+@@ -1851,8 +1857,10 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+ goto out_unlock;
+
+ out_free:
+- if (new_asoc)
++ if (new_asoc) {
++ sctp_unhash_established(asoc);
+ sctp_association_free(asoc);
++ }
+ out_unlock:
+ sctp_release_sock(sk);
+
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 25f7801..e3fea46 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -719,6 +719,8 @@ static ssize_t cache_do_downcall(char *kaddr, const char __user *buf,
+ {
+ ssize_t ret;
+
++ if (count == 0)
++ return -EINVAL;
+ if (copy_from_user(kaddr, buf, count))
+ return -EFAULT;
+ kaddr[count] = '\0';
+diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
+index ac94477..9b3941d 100644
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -485,14 +485,18 @@ EXPORT_SYMBOL_GPL(rpc_wake_up_next);
+ */
+ void rpc_wake_up(struct rpc_wait_queue *queue)
+ {
+- struct rpc_task *task, *next;
+ struct list_head *head;
+
+ spin_lock_bh(&queue->lock);
+ head = &queue->tasks[queue->maxpriority];
+ for (;;) {
+- list_for_each_entry_safe(task, next, head, u.tk_wait.list)
++ while (!list_empty(head)) {
++ struct rpc_task *task;
++ task = list_first_entry(head,
++ struct rpc_task,
++ u.tk_wait.list);
+ rpc_wake_up_task_queue_locked(queue, task);
++ }
+ if (head == &queue->tasks[0])
+ break;
+ head--;
+@@ -510,13 +514,16 @@ EXPORT_SYMBOL_GPL(rpc_wake_up);
+ */
+ void rpc_wake_up_status(struct rpc_wait_queue *queue, int status)
+ {
+- struct rpc_task *task, *next;
+ struct list_head *head;
+
+ spin_lock_bh(&queue->lock);
+ head = &queue->tasks[queue->maxpriority];
+ for (;;) {
+- list_for_each_entry_safe(task, next, head, u.tk_wait.list) {
++ while (!list_empty(head)) {
++ struct rpc_task *task;
++ task = list_first_entry(head,
++ struct rpc_task,
++ u.tk_wait.list);
+ task->tk_status = status;
+ rpc_wake_up_task_queue_locked(queue, task);
+ }
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 314320a..8d72660 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -304,7 +304,6 @@ static void svc_thread_dequeue(struct svc_pool *pool, struct svc_rqst *rqstp)
+ */
+ void svc_xprt_enqueue(struct svc_xprt *xprt)
+ {
+- struct svc_serv *serv = xprt->xpt_server;
+ struct svc_pool *pool;
+ struct svc_rqst *rqstp;
+ int cpu;
+@@ -381,8 +380,6 @@ void svc_xprt_enqueue(struct svc_xprt *xprt)
+ rqstp, rqstp->rq_xprt);
+ rqstp->rq_xprt = xprt;
+ svc_xprt_get(xprt);
+- rqstp->rq_reserved = serv->sv_max_mesg;
+- atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
+ rqstp->rq_waking = 1;
+ pool->sp_nwaking++;
+ pool->sp_stats.threads_woken++;
+@@ -667,8 +664,6 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
+ if (xprt) {
+ rqstp->rq_xprt = xprt;
+ svc_xprt_get(xprt);
+- rqstp->rq_reserved = serv->sv_max_mesg;
+- atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
+ } else {
+ /* No data pending. Go to sleep */
+ svc_thread_enqueue(pool, rqstp);
+@@ -758,6 +753,8 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
+ } else
+ len = xprt->xpt_ops->xpo_recvfrom(rqstp);
+ dprintk("svc: got len=%d\n", len);
++ rqstp->rq_reserved = serv->sv_max_mesg;
++ atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
+ }
+
+ /* No data, incomplete (TCP) read, or accept() */
+@@ -811,7 +808,8 @@ int svc_send(struct svc_rqst *rqstp)
+
+ /* Grab mutex to serialize outgoing data. */
+ mutex_lock(&xprt->xpt_mutex);
+- if (test_bit(XPT_DEAD, &xprt->xpt_flags))
++ if (test_bit(XPT_DEAD, &xprt->xpt_flags)
++ || test_bit(XPT_CLOSE, &xprt->xpt_flags))
+ len = -ENOTCONN;
+ else
+ len = xprt->xpt_ops->xpo_sendto(rqstp);
+diff --git a/net/wanrouter/wanmain.c b/net/wanrouter/wanmain.c
+index 258daa8..0d8380a 100644
+--- a/net/wanrouter/wanmain.c
++++ b/net/wanrouter/wanmain.c
+@@ -603,36 +603,31 @@ static int wanrouter_device_new_if(struct wan_device *wandev,
+ * successfully, add it to the interface list.
+ */
+
+- if (dev->name == NULL) {
+- err = -EINVAL;
+- } else {
++#ifdef WANDEBUG
++ printk(KERN_INFO "%s: registering interface %s...\n",
++ wanrouter_modname, dev->name);
++#endif
+
+- #ifdef WANDEBUG
+- printk(KERN_INFO "%s: registering interface %s...\n",
+- wanrouter_modname, dev->name);
+- #endif
+-
+- err = register_netdev(dev);
+- if (!err) {
+- struct net_device *slave = NULL;
+- unsigned long smp_flags=0;
+-
+- lock_adapter_irq(&wandev->lock, &smp_flags);
+-
+- if (wandev->dev == NULL) {
+- wandev->dev = dev;
+- } else {
+- for (slave=wandev->dev;
+- DEV_TO_SLAVE(slave);
+- slave = DEV_TO_SLAVE(slave))
+- DEV_TO_SLAVE(slave) = dev;
+- }
+- ++wandev->ndev;
+-
+- unlock_adapter_irq(&wandev->lock, &smp_flags);
+- err = 0; /* done !!! */
+- goto out;
++ err = register_netdev(dev);
++ if (!err) {
++ struct net_device *slave = NULL;
++ unsigned long smp_flags=0;
++
++ lock_adapter_irq(&wandev->lock, &smp_flags);
++
++ if (wandev->dev == NULL) {
++ wandev->dev = dev;
++ } else {
++ for (slave=wandev->dev;
++ DEV_TO_SLAVE(slave);
++ slave = DEV_TO_SLAVE(slave))
++ DEV_TO_SLAVE(slave) = dev;
+ }
++ ++wandev->ndev;
++
++ unlock_adapter_irq(&wandev->lock, &smp_flags);
++ err = 0; /* done !!! */
++ goto out;
+ }
+ if (wandev->del_if)
+ wandev->del_if(wandev, dev);
+diff --git a/security/commoncap.c b/security/commoncap.c
+index fe30751..ee9d623 100644
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -27,6 +27,7 @@
+ #include <linux/sched.h>
+ #include <linux/prctl.h>
+ #include <linux/securebits.h>
++#include <linux/personality.h>
+
+ /*
+ * If a non-root user executes a setuid-root binary in
+@@ -511,6 +512,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ }
+ skip:
+
++ /* if we have fs caps, clear dangerous personality flags */
++ if (!cap_issubset(new->cap_permitted, old->cap_permitted))
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++
++
+ /* Don't let someone trace a set[ug]id/setpcap binary with the revised
+ * credentials unless they have the appropriate permit
+ */
+diff --git a/sound/drivers/mpu401/mpu401_uart.c b/sound/drivers/mpu401/mpu401_uart.c
+index 2af0999..74f5a3d 100644
+--- a/sound/drivers/mpu401/mpu401_uart.c
++++ b/sound/drivers/mpu401/mpu401_uart.c
+@@ -554,6 +554,7 @@ int snd_mpu401_uart_new(struct snd_card *card, int device,
+ spin_lock_init(&mpu->output_lock);
+ spin_lock_init(&mpu->timer_lock);
+ mpu->hardware = hardware;
++ mpu->irq = -1;
+ if (! (info_flags & MPU401_INFO_INTEGRATED)) {
+ int res_size = hardware == MPU401_HW_PC98II ? 4 : 2;
+ mpu->res = request_region(port, res_size, "MPU401 UART");
+diff --git a/sound/pci/echoaudio/echoaudio_dsp.c b/sound/pci/echoaudio/echoaudio_dsp.c
+index 4df51ef..5d14b7a 100644
+--- a/sound/pci/echoaudio/echoaudio_dsp.c
++++ b/sound/pci/echoaudio/echoaudio_dsp.c
+@@ -474,7 +474,7 @@ static int load_firmware(struct echoaudio *chip)
+ const struct firmware *fw;
+ int box_type, err;
+
+- if (snd_BUG_ON(!chip->dsp_code_to_load || !chip->comm_page))
++ if (snd_BUG_ON(!chip->comm_page))
+ return -EPERM;
+
+ /* See if the ASIC is present and working - only if the DSP is already loaded */
+diff --git a/sound/pci/hda/hda_proc.c b/sound/pci/hda/hda_proc.c
+index 2b3d859..9294d40 100644
+--- a/sound/pci/hda/hda_proc.c
++++ b/sound/pci/hda/hda_proc.c
+@@ -340,7 +340,7 @@ static void print_digital_conv(struct snd_info_buffer *buffer,
+ if (digi1 & AC_DIG1_EMPHASIS)
+ snd_iprintf(buffer, " Preemphasis");
+ if (digi1 & AC_DIG1_COPYRIGHT)
+- snd_iprintf(buffer, " Copyright");
++ snd_iprintf(buffer, " Non-Copyright");
+ if (digi1 & AC_DIG1_NONAUDIO)
+ snd_iprintf(buffer, " Non-Audio");
+ if (digi1 & AC_DIG1_PROFESSIONAL)
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 4f3434f..82b6fdc 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -43,6 +43,8 @@
+ #include <linux/swap.h>
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
++#include <linux/namei.h>
++#include <linux/fs.h>
+
+ #include <asm/processor.h>
+ #include <asm/io.h>
+@@ -575,12 +577,76 @@ out:
+ return r;
+ }
+
++/*
++ * We want to test whether the caller has been granted permissions to
++ * use this device. To be able to configure and control the device,
++ * the user needs access to PCI configuration space and BAR resources.
++ * These are accessed through PCI sysfs. PCI config space is often
++ * passed to the process calling this ioctl via file descriptor, so we
++ * can't rely on access to that file. We can check for permissions
++ * on each of the BAR resource files, which is a pretty clear
++ * indicator that the user has been granted access to the device.
++ */
++static int probe_sysfs_permissions(struct pci_dev *dev)
++{
++#ifdef CONFIG_SYSFS
++ int i;
++ bool bar_found = false;
++
++ for (i = PCI_STD_RESOURCES; i <= PCI_STD_RESOURCE_END; i++) {
++ char *kpath, *syspath;
++ struct path path;
++ struct inode *inode;
++ int r;
++
++ if (!pci_resource_len(dev, i))
++ continue;
++
++ kpath = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
++ if (!kpath)
++ return -ENOMEM;
++
++ /* Per sysfs-rules, sysfs is always at /sys */
++ syspath = kasprintf(GFP_KERNEL, "/sys%s/resource%d", kpath, i);
++ kfree(kpath);
++ if (!syspath)
++ return -ENOMEM;
++
++ r = kern_path(syspath, LOOKUP_FOLLOW, &path);
++ kfree(syspath);
++ if (r)
++ return r;
++
++ inode = path.dentry->d_inode;
++
++ r = inode_permission(inode, MAY_READ | MAY_WRITE | MAY_ACCESS);
++ path_put(&path);
++ if (r)
++ return r;
++
++ bar_found = true;
++ }
++
++ /* If no resources, probably something special */
++ if (!bar_found)
++ return -EPERM;
++
++ return 0;
++#else
++ return -EINVAL; /* No way to control the device without sysfs */
++#endif
++}
++
+ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ struct kvm_assigned_pci_dev *assigned_dev)
+ {
+ int r = 0;
+ struct kvm_assigned_dev_kernel *match;
+ struct pci_dev *dev;
++ u8 header_type;
++
++ if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
++ return -EINVAL;
+
+ down_read(&kvm->slots_lock);
+ mutex_lock(&kvm->lock);
+@@ -607,6 +673,18 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ r = -EINVAL;
+ goto out_free;
+ }
++
++ /* Don't allow bridges to be assigned */
++ pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type);
++ if ((header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {
++ r = -EPERM;
++ goto out_put;
++ }
++
++ r = probe_sysfs_permissions(dev);
++ if (r)
++ goto out_put;
++
+ if (pci_enable_device(dev)) {
+ printk(KERN_INFO "%s: Could not enable PCI device\n", __func__);
+ r = -EBUSY;
+@@ -635,16 +713,14 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+
+ list_add(&match->list, &kvm->arch.assigned_dev_head);
+
+- if (assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU) {
+- if (!kvm->arch.iommu_domain) {
+- r = kvm_iommu_map_guest(kvm);
+- if (r)
+- goto out_list_del;
+- }
+- r = kvm_assign_device(kvm, match);
++ if (!kvm->arch.iommu_domain) {
++ r = kvm_iommu_map_guest(kvm);
+ if (r)
+ goto out_list_del;
+ }
++ r = kvm_assign_device(kvm, match);
++ if (r)
++ goto out_list_del;
+
+ out:
+ mutex_unlock(&kvm->lock);
+@@ -683,8 +759,7 @@ static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
+ goto out;
+ }
+
+- if (match->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
+- kvm_deassign_device(kvm, match);
++ kvm_deassign_device(kvm, match);
+
+ kvm_free_assigned_device(kvm, match);
+
+@@ -1782,6 +1857,10 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
+ return r;
+
+ mutex_lock(&kvm->lock);
++ if (!kvm_vcpu_compatible(vcpu)) {
++ r = -EINVAL;
++ goto vcpu_destroy;
++ }
+ if (atomic_read(&kvm->online_vcpus) == KVM_MAX_VCPUS) {
+ r = -EINVAL;
+ goto vcpu_destroy;
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch)
@@ -0,0 +1,25 @@
+From: Randy Dunlap <randy.dunlap at oracle.com>
+Date: Thu, 7 Jul 2011 10:49:54 -0700
+Subject: staging: fix usbip printk format warning
+
+commit 6394c5a0379d0733396edd9452e31282e0684a3c upstream.
+
+Fix usbip printk format warning for size_t:
+
+drivers/staging/usbip/stub_tx.c:236: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'size_t'
+
+Signed-off-by: Randy Dunlap <randy.dunlap at oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Backported to 2.6.32: adjusted context]
+---
+--- a/drivers/staging/usbip/stub_tx.c
++++ b/drivers/staging/usbip/stub_tx.c
+@@ -237,7 +237,7 @@ static int stub_send_ret_submit(struct stub_device *sdev)
+
+ if (txsize != sizeof(pdu_header) + urb->actual_length) {
+ dev_err(&sdev->interface->dev,
+- "actual length of urb (%d) does not match iso packet sizes (%d)\n",
++ "actual length of urb (%d) does not match iso packet sizes %zu\n",
+ urb->actual_length, txsize-sizeof(pdu_header));
+ kfree(iov);
+ usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch)
@@ -0,0 +1,29 @@
+From: Randy Dunlap <randy.dunlap at oracle.com>
+Date: Thu, 25 Feb 2010 09:55:03 -0800
+Subject: Staging: fix wlan-ng printk format warning
+
+commit 83a0f9bc658b20b06740691d9ee711c5d14b6e8a upstream.
+
+Fix prism2fw.c printk format warning:
+
+drivers/staging/wlan-ng/prism2fw.c:209: warning: format '%d' expects type 'int', but argument 3 has type 'size_t'
+
+Signed-off-by: Randy Dunlap <randy.dunlap at oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/staging/wlan-ng/prism2fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/wlan-ng/prism2fw.c b/drivers/staging/wlan-ng/prism2fw.c
+index baa20a7..b576012 100644
+--- a/drivers/staging/wlan-ng/prism2fw.c
++++ b/drivers/staging/wlan-ng/prism2fw.c
+@@ -205,7 +205,7 @@ int prism2_fwtry(struct usb_device *udev, wlandevice_t *wlandev)
+ return 1;
+ }
+
+- printk(KERN_INFO "prism2_usb: %s will be processed, size %d\n",
++ printk(KERN_INFO "prism2_usb: %s will be processed, size %zu\n",
+ PRISM2_USB_FWFILE, fw_entry->size);
+ prism2_fwapply((const struct ihex_binrec *)fw_entry->data, wlandev);
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch)
@@ -0,0 +1,52 @@
+From: Jeff Mahoney <jeffm at suse.com>
+Date: Mon, 11 Jan 2010 10:54:27 -0500
+Subject: Staging: rtl8192e: Use skb_tail_pointer
+
+commit 1c7ec2e8e0fb6e8acda4f6b9a682cf7f8e650e2f upstream.
+
+rtl8192e uses skb->tail directly. This patch uses the tail pointer macros
+instead.
+
+Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/staging/rtl8192e/r8192E_core.c | 5 ++---
+ drivers/staging/rtl8192e/r819xE_cmdpkt.c | 2 +-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/rtl8192e/r8192E_core.c b/drivers/staging/rtl8192e/r8192E_core.c
+index 50c7602..886105d 100644
+--- a/drivers/staging/rtl8192e/r8192E_core.c
++++ b/drivers/staging/rtl8192e/r8192E_core.c
+@@ -1807,7 +1807,7 @@ static short rtl8192_alloc_rx_desc_ring(struct net_device *dev)
+ return 0;
+ priv->rx_buf[i] = skb;
+ mapping = (dma_addr_t *)skb->cb;
+- *mapping = pci_map_single(priv->pdev, skb->tail,//skb_tail_pointer(skb),
++ *mapping = pci_map_single(priv->pdev, skb_tail_pointer(skb),
+ priv->rxbuffersize, PCI_DMA_FROMDEVICE);
+
+ entry->BufferAddress = cpu_to_le32(*mapping);
+@@ -6287,8 +6287,7 @@ static void rtl8192_rx(struct net_device *dev)
+
+ skb = new_skb;
+ priv->rx_buf[priv->rx_idx] = skb;
+- *((dma_addr_t *) skb->cb) = pci_map_single(priv->pdev, skb->tail, priv->rxbuffersize, PCI_DMA_FROMDEVICE);
+-// *((dma_addr_t *) skb->cb) = pci_map_single(priv->pdev, skb_tail_pointer(skb), priv->rxbuffersize, PCI_DMA_FROMDEVICE);
++ *((dma_addr_t *) skb->cb) = pci_map_single(priv->pdev, skb_tail_pointer(skb), priv->rxbuffersize, PCI_DMA_FROMDEVICE);
+ }
+
+ }
+diff --git a/drivers/staging/rtl8192e/r819xE_cmdpkt.c b/drivers/staging/rtl8192e/r819xE_cmdpkt.c
+index 2aaa4e1..87c334f 100644
+--- a/drivers/staging/rtl8192e/r819xE_cmdpkt.c
++++ b/drivers/staging/rtl8192e/r819xE_cmdpkt.c
+@@ -135,7 +135,7 @@ RT_STATUS cmpk_message_handle_tx(
+ * Transform from little endian to big endian
+ * and pending zero
+ */
+- seg_ptr = skb->tail;
++ seg_ptr = skb_tail_pointer(skb);
+ for(i=0 ; i < frag_length; i+=4) {
+ *seg_ptr++ = ((i+0)<frag_length)?code_virtual_address[i+3]:0;
+ *seg_ptr++ = ((i+1)<frag_length)?code_virtual_address[i+2]:0;
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch)
@@ -0,0 +1,30 @@
+From: Randy Dunlap <randy.dunlap at oracle.com>
+Date: Wed, 13 Oct 2010 13:10:49 -0700
+Subject: staging: speakup: fix printk format warning
+
+commit 0a652b96287ef61c97a2acab2bcc3d0f319b50e4 upstream.
+
+Fix printk format warning:
+
+drivers/staging/speakup/serialio.c:44: warning: format '%x' expects type 'unsigned int', but argument 2 has type 'long unsigned int'
+
+Signed-off-by: Randy Dunlap <randy.dunlap at oracle.com>
+Cc: <speakup at braille.uwo.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/staging/speakup/serialio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/speakup/serialio.c b/drivers/staging/speakup/serialio.c
+index bafd62f..65772ec 100644
+--- a/drivers/staging/speakup/serialio.c
++++ b/drivers/staging/speakup/serialio.c
+@@ -41,7 +41,7 @@ struct serial_state *spk_serial_init(int index)
+ __release_region(&ioport_resource, ser->port, 8);
+ err = synth_request_region(ser->port, 8);
+ if (err) {
+- pr_warn("Unable to allocate port at %x, errno %i", ser->port, err);
++ pr_warn("Unable to allocate port at %lx, errno %i", ser->port, err);
+ return NULL;
+ }
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch)
@@ -0,0 +1,76 @@
+From: Bart Westgeest <bart at elbrys.com>
+Date: Mon, 23 Jan 2012 10:55:46 -0500
+Subject: staging: usbip: changed function return type to void
+
+commit ac2b41acfa3efe4650102067a99251587a806d70 upstream.
+
+The function usbip_pad_iso never returns anything but 0 (success).
+
+Signed-off-by: Bart Westgeest <bart at elbrys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[bwh: Backported to 2.6.32: adjust context]
+---
+--- a/drivers/staging/usbip/usbip_common.c
++++ b/drivers/staging/usbip/usbip_common.c
+@@ -961,26 +961,25 @@ EXPORT_SYMBOL_GPL(usbip_recv_iso);
+ * buffer and iso packets need to be stored and be in propeper endian in urb
+ * before calling this function
+ */
+-int usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
++void usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
+ {
+ int np = urb->number_of_packets;
+ int i;
+- int ret;
+ int actualoffset = urb->actual_length;
+
+ if (!usb_pipeisoc(urb->pipe))
+- return 0;
++ return;
+
+ /* if no packets or length of data is 0, then nothing to unpack */
+ if (np == 0 || urb->actual_length == 0)
+- return 0;
++ return;
+
+ /*
+ * if actual_length is transfer_buffer_length then no padding is
+ * present.
+ */
+ if (urb->actual_length == urb->transfer_buffer_length)
+- return 0;
++ return;
+
+ /*
+ * loop over all packets from last to first (to prevent overwritting
+@@ -992,7 +991,6 @@ int usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
+ urb->transfer_buffer + actualoffset,
+ urb->iso_frame_desc[i].actual_length);
+ }
+- return ret;
+ }
+ EXPORT_SYMBOL_GPL(usbip_pad_iso);
+
+--- a/drivers/staging/usbip/usbip_common.h
++++ b/drivers/staging/usbip/usbip_common.h
+@@ -394,7 +394,7 @@ void usbip_header_correct_endian(struct usbip_header *pdu, int send);
+ /* some members of urb must be substituted before. */
+ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb);
+ /* some members of urb must be substituted before. */
+-int usbip_pad_iso(struct usbip_device *ud, struct urb *urb);
++void usbip_pad_iso(struct usbip_device *ud, struct urb *urb);
+ void *usbip_alloc_iso_desc_pdu(struct urb *urb, ssize_t *bufflen);
+
+
+--- a/drivers/staging/usbip/vhci_rx.c
++++ b/drivers/staging/usbip/vhci_rx.c
+@@ -99,8 +99,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
+ return;
+
+ /* restore the padding in iso packets */
+- if (usbip_pad_iso(ud, urb) < 0)
+- return;
++ usbip_pad_iso(ud, urb);
+
+ if (usbip_dbg_flag_vhci_rx)
+ usbip_dump_urb(urb);
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch)
@@ -0,0 +1,40 @@
+From 9f10d301a441cfe32aeb55cf3181cbd70fa33564 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 12 Jan 2013 21:04:48 +0000
+Subject: [PATCH] Revert "pcdp: use early_ioremap/early_iounmap to access pcdp
+ table"
+
+This reverts commit 2af3af56e7d4756b21a2e0d86e4fc4e5b7f0df24, which was
+commit 6c4088ac3a4d82779903433bcd5f048c58fb1aca upstream.
+
+This was purported to be a fix for x86_64 systems, but this driver
+cannot even be selected on x86_64, even in current mainline!
+Additionally, the early_io{remap,unmap}() functions were not defined
+for ia64 until Linux 2.6.33.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/firmware/pcdp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/pcdp.c b/drivers/firmware/pcdp.c
+index a330492..51e0e2d 100644
+--- a/drivers/firmware/pcdp.c
++++ b/drivers/firmware/pcdp.c
+@@ -95,7 +95,7 @@ efi_setup_pcdp_console(char *cmdline)
+ if (efi.hcdp == EFI_INVALID_TABLE_ADDR)
+ return -ENODEV;
+
+- pcdp = early_ioremap(efi.hcdp, 4096);
++ pcdp = ioremap(efi.hcdp, 4096);
+ printk(KERN_INFO "PCDP: v%d at 0x%lx\n", pcdp->rev, efi.hcdp);
+
+ if (strstr(cmdline, "console=hcdp")) {
+@@ -131,6 +131,6 @@ efi_setup_pcdp_console(char *cmdline)
+ }
+
+ out:
+- early_iounmap(pcdp, 4096);
++ iounmap(pcdp);
+ return rc;
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch)
@@ -0,0 +1,46 @@
+From: Adam Jackson <ajax at redhat.com>
+Date: Fri, 16 Apr 2010 18:20:57 -0400
+Subject: drm/i915: Attempt to fix watermark setup on 85x (v2)
+
+commit 8f4695ed1c9e068772bcce4cd4ff03f88d57a008 upstream.
+
+IS_MOBILE() catches 85x, so we'd always try to use the 9xx FIFO sizing;
+since there's an explicit 85x version, this seems wrong.
+
+v2: Handle 830m correctly too.
+
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Reviewed-by: Eric Anholt <eric at anholt.net>
+Signed-off-by: Eric Anholt <eric at anholt.net>
+---
+ drivers/gpu/drm/i915/intel_display.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index e7356fb..c7502b6 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -4853,17 +4853,18 @@ static void intel_init_display(struct drm_device *dev)
+ dev_priv->display.update_wm = g4x_update_wm;
+ else if (IS_I965G(dev))
+ dev_priv->display.update_wm = i965_update_wm;
+- else if (IS_I9XX(dev) || IS_MOBILE(dev)) {
++ else if (IS_I9XX(dev)) {
+ dev_priv->display.update_wm = i9xx_update_wm;
+ dev_priv->display.get_fifo_size = i9xx_get_fifo_size;
++ } else if (IS_I85X(dev)) {
++ dev_priv->display.update_wm = i9xx_update_wm;
++ dev_priv->display.get_fifo_size = i85x_get_fifo_size;
+ } else {
+- if (IS_I85X(dev))
+- dev_priv->display.get_fifo_size = i85x_get_fifo_size;
+- else if (IS_845G(dev))
++ dev_priv->display.update_wm = i830_update_wm;
++ if (IS_845G(dev))
+ dev_priv->display.get_fifo_size = i845_get_fifo_size;
+ else
+ dev_priv->display.get_fifo_size = i830_get_fifo_size;
+- dev_priv->display.update_wm = i830_update_wm;
+ }
+ }
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch)
@@ -0,0 +1,38 @@
+From: Matthew Garrett <mjg at redhat.com>
+Date: Wed, 6 Jul 2011 16:52:37 -0400
+Subject: x86: Don't use the EFI reboot method by default
+
+commit f70e957cda22d309c769805cbb932407a5232219 upstream.
+
+Testing suggests that at least some Lenovos and some Intels will
+fail to reboot via EFI, attempting to jump to an unmapped
+physical address. In the long run we could handle this by
+providing a page table with a 1:1 mapping of physical addresses,
+but for now it's probably just easier to assume that ACPI or
+legacy methods will be present and reboot via those.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Alan Cox <alan at linux.intel.com>
+Link: http://lkml.kernel.org/r/1309985557-15350-1-git-send-email-mjg@redhat.com
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+[bwh: Backported to 2.6.32: adjust filename]
+---
+ arch/x86/kernel/efi.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 474356b..899e393 100644
+--- a/arch/x86/kernel/efi.c
++++ b/arch/x86/kernel/efi.c
+@@ -504,9 +504,6 @@ void __init efi_init(void)
+ x86_platform.set_wallclock = efi_set_rtc_mmss;
+ #endif
+
+- /* Setup for EFI runtime service */
+- reboot_type = BOOT_EFI;
+-
+ #if EFI_DEBUG
+ print_efi_memmap();
+ #endif
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch)
@@ -0,0 +1,59 @@
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Wed, 16 Jan 2013 12:00:55 +0000
+Subject: xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+ guests.
+
+commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio at citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1059,7 +1059,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl $-1 /* orig_ax = -1 => not a system call */
+ CFI_ADJUST_CFA_OFFSET 4
Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch)
@@ -0,0 +1,90 @@
+From: David Vrabel <david.vrabel at citrix.com>
+Date: Fri, 19 Oct 2012 17:29:07 +0100
+Subject: xen/x86: don't corrupt %eip when returning from a signal handler
+
+commit a349e23d1cf746f8bdc603dcc61fae9ee4a695f6 upstream.
+
+In 32 bit guests, if a userspace process has %eax == -ERESTARTSYS
+(-512) or -ERESTARTNOINTR (-513) when it is interrupted by an event
+/and/ the process has a pending signal then %eip (and %eax) are
+corrupted when returning to the main process after handling the
+signal. The application may then crash with SIGSEGV or a SIGILL or it
+may have subtly incorrect behaviour (depending on what instruction it
+returned to).
+
+The occurs because handle_signal() is incorrectly thinking that there
+is a system call that needs to restarted so it adjusts %eip and %eax
+to re-execute the system call instruction (even though user space had
+not done a system call).
+
+If %eax == -514 (-ERESTARTNOHAND (-514) or -ERESTART_RESTARTBLOCK
+(-516) then handle_signal() only corrupted %eax (by setting it to
+-EINTR). This may cause the application to crash or have incorrect
+behaviour.
+
+handle_signal() assumes that regs->orig_ax >= 0 means a system call so
+any kernel entry point that is not for a system call must push a
+negative value for orig_ax. For example, for physical interrupts on
+bare metal the inverse of the vector is pushed and page_fault() sets
+regs->orig_ax to -1, overwriting the hardware provided error code.
+
+xen_hypervisor_callback() was incorrectly pushing 0 for orig_ax
+instead of -1.
+
+Classic Xen kernels pushed %eax which works as %eax cannot be both
+non-negative and -RESTARTSYS (etc.), but using -1 is consistent with
+other non-system call entry points and avoids some of the tests in
+handle_signal().
+
+There were similar bugs in xen_failsafe_callback() of both 32 and
+64-bit guests. If the fault was corrected and the normal return path
+was used then 0 was incorrectly pushed as the value for orig_ax.
+
+Signed-off-by: David Vrabel <david.vrabel at citrix.com>
+Acked-by: Jan Beulich <JBeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+[bwh: Backported to 2.6.32: adjust context; no pushl_cfi]
+---
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1007,7 +1007,7 @@ ENTRY(xen_sysenter_target)
+
+ ENTRY(xen_hypervisor_callback)
+ CFI_STARTPROC
+- pushl $0
++ pushl $-1 /* orig_ax = -1 => not a system call */
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
+ TRACE_IRQS_OFF
+@@ -1051,15 +1051,17 @@ ENTRY(xen_failsafe_callback)
+ 2: mov 8(%esp),%es
+ 3: mov 12(%esp),%fs
+ 4: mov 16(%esp),%gs
++ /* EAX == 0 => Category 1 (Bad segment)
++ EAX != 0 => Category 2 (Bad IRET) */
+ testl %eax,%eax
+ popl %eax
+ CFI_ADJUST_CFA_OFFSET -4
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp
+- jmp iret_exc # EAX != 0 => Category 2 (Bad IRET)
+-5: pushl $0 # EAX == 0 => Category 1 (Bad segment)
++ jmp iret_exc
++5: pushl $-1 /* orig_ax = -1 => not a system call */
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
+ jmp ret_from_exception
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1358,7 +1358,7 @@ ENTRY(xen_failsafe_callback)
+ CFI_RESTORE r11
+ addq $0x30,%rsp
+ CFI_ADJUST_CFA_OFFSET -0x30
+- pushq_cfi $0
++ pushq_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+ jmp error_exit
+ CFI_ENDPROC
Copied: dists/squeeze-security/linux-2.6/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch)
@@ -0,0 +1,31 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: epoll: Avoid ABI change in struct file
+Date: Sun, 23 Dec 2012 19:05:04 +0000
+
+commit 28d82dc1c4ed ('epoll: limit paths') added the member
+f_tfile_llink to the middle of struct file and was backported in Linux
+2.6.32.60. This structure is always allocated in filp_open(), with a
+few exceptions that are not exposed to userland (so not used with
+epoll), so we can add this member at the end. Move it there and hide
+it from genksyms.
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -940,12 +940,16 @@ struct file {
+ #ifdef CONFIG_EPOLL
+ /* Used by fs/eventpoll.c to link all the hooks to this file */
+ struct list_head f_ep_links;
+- struct list_head f_tfile_llink;
+ #endif /* #ifdef CONFIG_EPOLL */
+ struct address_space *f_mapping;
+ #ifdef CONFIG_DEBUG_WRITECOUNT
+ unsigned long f_mnt_write_state;
+ #endif
++#ifndef __GENKSYMS__
++#ifdef CONFIG_EPOLL
++ struct list_head f_tfile_llink;
++#endif
++#endif
+ };
+ extern spinlock_t files_lock;
+ #define file_list_lock() spin_lock(&files_lock);
Copied: dists/squeeze-security/linux-2.6/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch)
@@ -0,0 +1,18 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: random: Avoid ABI change in irq_desc
+Date: Sun, 23 Dec 2012 18:51:34 +0000
+
+commit c5857ccf2939 ('random: remove rand_initialize_irq()') removed
+irq_desc::timer_rand_state and was backported in Linux 2.6.32.60.
+We need to put it back to maintain the structure layout.
+
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -174,6 +174,7 @@ struct irq_2_iommu;
+ */
+ struct irq_desc {
+ unsigned int irq;
++ struct timer_rand_state *timer_rand_state; /* now unused */
+ unsigned int *kstat_irqs;
+ #ifdef CONFIG_INTR_REMAP
+ struct irq_2_iommu *irq_2_iommu;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch)
@@ -0,0 +1,90 @@
+From f9fe8698b191d79e9a4e78013f52453c8f6a317d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:47:48 -0600
+Subject: [PATCH 080/136] hpsa: defend against zero sized buffers in passthru
+ ioctls
+
+commit b03a7771c81a0d5f026250c8cd4091d9ee767fdc upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 36 ++++++++++++++++--------------------
+ 1 file changed, 16 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 3c7c9a7..eb7ace9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2405,15 +2405,17 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ buff = kmalloc(iocommand.buf_size, GFP_KERNEL);
+ if (buff == NULL)
+ return -EFAULT;
+- }
+- if (iocommand.Request.Type.Direction == XFER_WRITE) {
+- /* Copy the data into the buffer we created */
+- if (copy_from_user(buff, iocommand.buf, iocommand.buf_size)) {
+- kfree(buff);
+- return -EFAULT;
++ if (iocommand.Request.Type.Direction == XFER_WRITE) {
++ /* Copy the data into the buffer we created */
++ if (copy_from_user(buff, iocommand.buf,
++ iocommand.buf_size)) {
++ kfree(buff);
++ return -EFAULT;
++ }
++ } else {
++ memset(buff, 0, iocommand.buf_size);
+ }
+- } else
+- memset(buff, 0, iocommand.buf_size);
++ }
+ c = cmd_special_alloc(h);
+ if (c == NULL) {
+ kfree(buff);
+@@ -2459,8 +2461,8 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ cmd_special_free(h, c);
+ return -EFAULT;
+ }
+-
+- if (iocommand.Request.Type.Direction == XFER_READ) {
++ if (iocommand.Request.Type.Direction == XFER_READ &&
++ iocommand.buf_size > 0) {
+ /* Copy the data out of the buffer we created */
+ if (copy_to_user(iocommand.buf, buff, iocommand.buf_size)) {
+ kfree(buff);
+@@ -2553,14 +2555,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ }
+ c->cmd_type = CMD_IOCTL_PEND;
+ c->Header.ReplyQueue = 0;
+-
+- if (ioc->buf_size > 0) {
+- c->Header.SGList = sg_used;
+- c->Header.SGTotal = sg_used;
+- } else {
+- c->Header.SGList = 0;
+- c->Header.SGTotal = 0;
+- }
++ c->Header.SGList = c->Header.SGTotal = sg_used;
+ memcpy(&c->Header.LUN, &ioc->LUN_info, sizeof(c->Header.LUN));
+ c->Header.Tag.lower = c->busaddr;
+ memcpy(&c->Request, &ioc->Request, sizeof(c->Request));
+@@ -2577,7 +2572,8 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ }
+ }
+ hpsa_scsi_do_simple_cmd_core(h, c);
+- hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);
++ if (sg_used)
++ hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);
+ check_ioctl_unit_attention(h, c);
+ /* Copy the error information out */
+ memcpy(&ioc->error_info, c->err_info, sizeof(ioc->error_info));
+@@ -2586,7 +2582,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ status = -EFAULT;
+ goto cleanup1;
+ }
+- if (ioc->Request.Type.Direction == XFER_READ) {
++ if (ioc->Request.Type.Direction == XFER_READ && ioc->buf_size > 0) {
+ /* Copy the data out of the buffer we created */
+ BYTE __user *ptr = ioc->buf;
+ for (i = 0; i < sg_used; i++) {
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch)
@@ -0,0 +1,49 @@
+From 5c17c7e0af831bdb5d5b2e27909f697d3bd898b6 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <StephenM.Cameron>
+Date: Thu, 6 Jan 2011 14:47:53 -0600
+Subject: [PATCH 081/136] hpsa: fixup DMA address before freeing.
+
+commit d896f3f3d129f1e2fbb4e3824242bc0dc2fb1a07 upstream.
+
+Some low bits might have been set by the driver, causing
+a message like this to come out:
+
+ [ 13.288062] ------------[ cut here ]------------
+ [ 13.293211] WARNING: at lib/dma-debug.c:803 check_unmap+0x1a1/0x654()
+ [ 13.300387] Hardware name: ProLiant DL180 G6
+ [ 13.305335] hpsa 0000:06:00.0: DMA-API: device driver tries to free
+ DMA memory it has not allocated [device address=0x000000007f81e001]
+ [size=640 bytes]
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ drivers/scsi/hpsa_cmd.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index eb7ace9..f6f53e5 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2239,7 +2239,7 @@ static void cmd_special_free(struct ctlr_info *h, struct CommandList *c)
+ pci_free_consistent(h->pdev, sizeof(*c->err_info),
+ c->err_info, (dma_addr_t) temp64.val);
+ pci_free_consistent(h->pdev, sizeof(*c),
+- c, (dma_addr_t) c->busaddr);
++ c, (dma_addr_t) (c->busaddr & DIRECT_LOOKUP_MASK));
+ }
+
+ #ifdef CONFIG_COMPAT
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index f5c4c3c..7910c14 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -265,6 +265,7 @@ struct ErrorInfo {
+
+ #define DIRECT_LOOKUP_SHIFT 5
+ #define DIRECT_LOOKUP_BIT 0x10
++#define DIRECT_LOOKUP_MASK (~((1 << DIRECT_LOOKUP_SHIFT) - 1))
+
+ #define HPSA_ERROR_BIT 0x02
+ struct ctlr_info; /* defined in hpsa.h */
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch)
@@ -0,0 +1,34 @@
+From 1d59adeeba7f7e2b0228888e19d2d2dea5e6637e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <StephenM.Cameron>
+Date: Thu, 6 Jan 2011 14:47:58 -0600
+Subject: [PATCH 082/136] hpsa: Remove duplicate defines of DIRECT_LOOKUP_
+ constants
+
+commit 922a9e4da34270d81e216728f929c6e11e169794 upstream.
+
+They are defined in hpsa_cmd.h
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index f6f53e5..61fc7e8 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2835,13 +2835,11 @@ static inline void finish_cmd(struct CommandList *c, u32 raw_tag)
+
+ static inline u32 hpsa_tag_contains_index(u32 tag)
+ {
+-#define DIRECT_LOOKUP_BIT 0x10
+ return tag & DIRECT_LOOKUP_BIT;
+ }
+
+ static inline u32 hpsa_tag_to_index(u32 tag)
+ {
+-#define DIRECT_LOOKUP_SHIFT 5
+ return tag >> DIRECT_LOOKUP_SHIFT;
+ }
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch)
@@ -0,0 +1,123 @@
+From 2f25d644826dd5b85ec8634328b58b3107ca8399 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:03 -0600
+Subject: [PATCH 083/136] hpsa: fix board status waiting code
+
+commit fe5389c87f13c16cd77d976801c93422d0c05a49 upstream.
+
+After a reset, we should first wait for the board to become "not ready",
+and then wait for it to become "ready", instead of immediately
+waiting for it to become "ready", and do this waiting *after*
+restoring PCI config space registers. Also, only wait 10 secs
+for board to become "not ready" after a reset (it should quickly
+become not ready.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 44 ++++++++++++++++++++++++++++++++++++--------
+ drivers/scsi/hpsa.h | 4 ++++
+ 2 files changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 61fc7e8..053ecce 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -165,6 +165,10 @@ static int __devinit hpsa_find_cfg_addrs(struct pci_dev *pdev,
+ static int __devinit hpsa_pci_find_memory_BAR(struct pci_dev *pdev,
+ unsigned long *memory_bar);
+ static int __devinit hpsa_lookup_board_id(struct pci_dev *pdev, u32 *board_id);
++static int __devinit hpsa_wait_for_board_state(struct pci_dev *pdev,
++ void __iomem *vaddr, int wait_for_ready);
++#define BOARD_NOT_READY 0
++#define BOARD_READY 1
+
+ static DEVICE_ATTR(raid_level, S_IRUGO, raid_level_show, NULL);
+ static DEVICE_ATTR(lunid, S_IRUGO, lunid_show, NULL);
+@@ -3209,6 +3213,20 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ need a little pause here */
+ msleep(HPSA_POST_RESET_PAUSE_MSECS);
+
++ /* Wait for board to become not ready, then ready. */
++ dev_info(&pdev->dev, "Waiting for board to become ready.\n");
++ rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_NOT_READY);
++ if (rc)
++ dev_warn(&pdev->dev,
++ "failed waiting for board to become not ready\n");
++ rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_READY);
++ if (rc) {
++ dev_warn(&pdev->dev,
++ "failed waiting for board to become ready\n");
++ goto unmap_cfgtable;
++ }
++ dev_info(&pdev->dev, "board ready.\n");
++
+ /* Controller should be in simple mode at this point. If it's not,
+ * It means we're on one of those controllers which doesn't support
+ * the doorbell reset method and on which the PCI power management reset
+@@ -3404,18 +3422,28 @@ static int __devinit hpsa_pci_find_memory_BAR(struct pci_dev *pdev,
+ return -ENODEV;
+ }
+
+-static int __devinit hpsa_wait_for_board_ready(struct ctlr_info *h)
++static int __devinit hpsa_wait_for_board_state(struct pci_dev *pdev,
++ void __iomem *vaddr, int wait_for_ready)
+ {
+- int i;
++ int i, iterations;
+ u32 scratchpad;
++ if (wait_for_ready)
++ iterations = HPSA_BOARD_READY_ITERATIONS;
++ else
++ iterations = HPSA_BOARD_NOT_READY_ITERATIONS;
+
+- for (i = 0; i < HPSA_BOARD_READY_ITERATIONS; i++) {
+- scratchpad = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
+- if (scratchpad == HPSA_FIRMWARE_READY)
+- return 0;
++ for (i = 0; i < iterations; i++) {
++ scratchpad = readl(vaddr + SA5_SCRATCHPAD_OFFSET);
++ if (wait_for_ready) {
++ if (scratchpad == HPSA_FIRMWARE_READY)
++ return 0;
++ } else {
++ if (scratchpad != HPSA_FIRMWARE_READY)
++ return 0;
++ }
+ msleep(HPSA_BOARD_READY_POLL_INTERVAL_MSECS);
+ }
+- dev_warn(&h->pdev->dev, "board not ready, timed out.\n");
++ dev_warn(&pdev->dev, "board not ready, timed out.\n");
+ return -ENODEV;
+ }
+
+@@ -3607,7 +3635,7 @@ static int __devinit hpsa_pci_init(struct ctlr_info *h)
+ err = -ENOMEM;
+ goto err_out_free_res;
+ }
+- err = hpsa_wait_for_board_ready(h);
++ err = hpsa_wait_for_board_state(h->pdev, h->vaddr, BOARD_READY);
+ if (err)
+ goto err_out_free_res;
+ err = hpsa_find_cfgtables(h);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 19586e1..074d237 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -154,12 +154,16 @@ struct ctlr_info {
+ * HPSA_BOARD_READY_ITERATIONS are derived from those.
+ */
+ #define HPSA_BOARD_READY_WAIT_SECS (120)
++#define HPSA_BOARD_NOT_READY_WAIT_SECS (10)
+ #define HPSA_BOARD_READY_POLL_INTERVAL_MSECS (100)
+ #define HPSA_BOARD_READY_POLL_INTERVAL \
+ ((HPSA_BOARD_READY_POLL_INTERVAL_MSECS * HZ) / 1000)
+ #define HPSA_BOARD_READY_ITERATIONS \
+ ((HPSA_BOARD_READY_WAIT_SECS * 1000) / \
+ HPSA_BOARD_READY_POLL_INTERVAL_MSECS)
++#define HPSA_BOARD_NOT_READY_ITERATIONS \
++ ((HPSA_BOARD_NOT_READY_WAIT_SECS * 1000) / \
++ HPSA_BOARD_READY_POLL_INTERVAL_MSECS)
+ #define HPSA_POST_RESET_PAUSE_MSECS (3000)
+ #define HPSA_POST_RESET_NOOP_RETRIES (12)
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch)
@@ -0,0 +1,159 @@
+From c9b2fbc21a082f18582b75e4791ae1391c37d308 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:08 -0600
+Subject: [PATCH 084/136] hpsa: Use kernel provided PCI state save and restore
+ functions
+
+commit 270d05de2b8d82df4ed19955f6c0c7400f6ffbf5 upstream.
+
+and use the doorbell reset method if available (which doesn't
+lock up the controller if you properly save and restore all
+the PCI registers that you're supposed to.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 81 ++++++++++-----------------------------------------
+ 1 file changed, 15 insertions(+), 66 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 053ecce..c5dae04 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3025,38 +3025,6 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ #define hpsa_soft_reset_controller(p) hpsa_message(p, 1, 0)
+ #define hpsa_noop(p) hpsa_message(p, 3, 0)
+
+-static __devinit int hpsa_reset_msi(struct pci_dev *pdev)
+-{
+-/* the #defines are stolen from drivers/pci/msi.h. */
+-#define msi_control_reg(base) (base + PCI_MSI_FLAGS)
+-#define PCI_MSIX_FLAGS_ENABLE (1 << 15)
+-
+- int pos;
+- u16 control = 0;
+-
+- pos = pci_find_capability(pdev, PCI_CAP_ID_MSI);
+- if (pos) {
+- pci_read_config_word(pdev, msi_control_reg(pos), &control);
+- if (control & PCI_MSI_FLAGS_ENABLE) {
+- dev_info(&pdev->dev, "resetting MSI\n");
+- pci_write_config_word(pdev, msi_control_reg(pos),
+- control & ~PCI_MSI_FLAGS_ENABLE);
+- }
+- }
+-
+- pos = pci_find_capability(pdev, PCI_CAP_ID_MSIX);
+- if (pos) {
+- pci_read_config_word(pdev, msi_control_reg(pos), &control);
+- if (control & PCI_MSIX_FLAGS_ENABLE) {
+- dev_info(&pdev->dev, "resetting MSI-X\n");
+- pci_write_config_word(pdev, msi_control_reg(pos),
+- control & ~PCI_MSIX_FLAGS_ENABLE);
+- }
+- }
+-
+- return 0;
+-}
+-
+ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ void * __iomem vaddr, bool use_doorbell)
+ {
+@@ -3112,17 +3080,17 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ */
+ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ {
+- u16 saved_config_space[32];
+ u64 cfg_offset;
+ u32 cfg_base_addr;
+ u64 cfg_base_addr_index;
+ void __iomem *vaddr;
+ unsigned long paddr;
+ u32 misc_fw_support, active_transport;
+- int rc, i;
++ int rc;
+ struct CfgTable __iomem *cfgtable;
+ bool use_doorbell;
+ u32 board_id;
++ u16 command_register;
+
+ /* For controllers as old as the P600, this is very nearly
+ * the same thing as
+@@ -3132,14 +3100,6 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ * pci_set_power_state(pci_dev, PCI_D0);
+ * pci_restore_state(pci_dev);
+ *
+- * but we can't use these nice canned kernel routines on
+- * kexec, because they also check the MSI/MSI-X state in PCI
+- * configuration space and do the wrong thing when it is
+- * set/cleared. Also, the pci_save/restore_state functions
+- * violate the ordering requirements for restoring the
+- * configuration space from the CCISS document (see the
+- * comment below). So we roll our own ....
+- *
+ * For controllers newer than the P600, the pci power state
+ * method of resetting doesn't work so we have another way
+ * using the doorbell register.
+@@ -3156,9 +3116,13 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ if (board_id == 0x409C0E11 || board_id == 0x409D0E11)
+ return -ENOTSUPP;
+
+- for (i = 0; i < 32; i++)
+- pci_read_config_word(pdev, 2*i, &saved_config_space[i]);
+-
++ /* Save the PCI command register */
++ pci_read_config_word(pdev, 4, &command_register);
++ /* Turn the board off. This is so that later pci_restore_state()
++ * won't turn the board on before the rest of config space is ready.
++ */
++ pci_disable_device(pdev);
++ pci_save_state(pdev);
+
+ /* find the first memory BAR, so we can find the cfg table */
+ rc = hpsa_pci_find_memory_BAR(pdev, &paddr);
+@@ -3184,30 +3148,17 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ misc_fw_support = readl(&cfgtable->misc_fw_support);
+ use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
+
+- /* The doorbell reset seems to cause lockups on some Smart
+- * Arrays (e.g. P410, P410i, maybe others). Until this is
+- * fixed or at least isolated, avoid the doorbell reset.
+- */
+- use_doorbell = 0;
+-
+ rc = hpsa_controller_hard_reset(pdev, vaddr, use_doorbell);
+ if (rc)
+ goto unmap_cfgtable;
+
+- /* Restore the PCI configuration space. The Open CISS
+- * Specification says, "Restore the PCI Configuration
+- * Registers, offsets 00h through 60h. It is important to
+- * restore the command register, 16-bits at offset 04h,
+- * last. Do not restore the configuration status register,
+- * 16-bits at offset 06h." Note that the offset is 2*i.
+- */
+- for (i = 0; i < 32; i++) {
+- if (i == 2 || i == 3)
+- continue;
+- pci_write_config_word(pdev, 2*i, saved_config_space[i]);
++ pci_restore_state(pdev);
++ rc = pci_enable_device(pdev);
++ if (rc) {
++ dev_warn(&pdev->dev, "failed to enable device.\n");
++ goto unmap_cfgtable;
+ }
+- wmb();
+- pci_write_config_word(pdev, 4, saved_config_space[2]);
++ pci_write_config_word(pdev, 4, command_register);
+
+ /* Some devices (notably the HP Smart Array 5i Controller)
+ need a little pause here */
+@@ -3704,8 +3655,6 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ return 0; /* just try to do the kdump anyhow. */
+ if (rc)
+ return -ENODEV;
+- if (hpsa_reset_msi(pdev))
+- return -ENODEV;
+
+ /* Now try to get the controller to respond to a no-op */
+ for (i = 0; i < HPSA_POST_RESET_NOOP_RETRIES; i++) {
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch)
@@ -0,0 +1,31 @@
+From 49dd47ee22a6d53e7583fea7db49b837c5cb7107 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:13 -0600
+Subject: [PATCH 085/136] hpsa: limit commands allocated on reset_devices
+
+commit 72ceeaecb748dff3d35b10d7518bed651b895f3e upstream.
+
+This is to conserve memory in a memory-limited kdump scenario
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c5dae04..ce422d2 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3442,6 +3442,11 @@ static int __devinit hpsa_find_cfgtables(struct ctlr_info *h)
+ static void __devinit hpsa_get_max_perf_mode_cmds(struct ctlr_info *h)
+ {
+ h->max_commands = readl(&(h->cfgtable->MaxPerformantModeCommands));
++
++ /* Limit commands in memory limited kdump scenario. */
++ if (reset_devices && h->max_commands > 32)
++ h->max_commands = 32;
++
+ if (h->max_commands < 16) {
+ dev_warn(&h->pdev->dev, "Controller reports "
+ "max supported commands of %d, an obvious lie. "
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch)
@@ -0,0 +1,33 @@
+From fc59111199675969a6a3804e0cd2c896534ceafe Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:18 -0600
+Subject: [PATCH 086/136] hpsa: do not reset unknown boards on reset_devices
+
+commit 25c1e56a04e60af2414f8d81eda0fd10b8e7b961 upstream.
+
+This is to prevent hpsa from resetting older boards
+which the cciss driver may be controlling.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index ce422d2..be9540a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3112,7 +3112,11 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ * likely not be happy. Just forbid resetting this conjoined mess.
+ * The 640x isn't really supported by hpsa anyway.
+ */
+- hpsa_lookup_board_id(pdev, &board_id);
++ rc = hpsa_lookup_board_id(pdev, &board_id);
++ if (rc < 0) {
++ dev_warn(&pdev->dev, "Not resetting device.\n");
++ return -ENODEV;
++ }
+ if (board_id == 0x409C0E11 || board_id == 0x409D0E11)
+ return -ENOTSUPP;
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch)
@@ -0,0 +1,59 @@
+From 4fd0ada1b0a83466ba65155431dba7ec4ae301b1 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:24 -0600
+Subject: [PATCH 087/136] hpsa: take the adapter lock in
+ hpsa_wait_for_mode_change_ack
+
+commit 6eaf46fdc719991a3ccda1e14b274e9adb515978 upstream.
+
+Need to take the lock while accessing the register to check to
+see if config table changes have taken effect.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index be9540a..76f34d9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3525,13 +3525,18 @@ static inline void hpsa_p600_dma_prefetch_quirk(struct ctlr_info *h)
+ static void __devinit hpsa_wait_for_mode_change_ack(struct ctlr_info *h)
+ {
+ int i;
++ u32 doorbell_value;
++ unsigned long flags;
+
+ /* under certain very rare conditions, this can take awhile.
+ * (e.g.: hot replace a failed 144GB drive in a RAID 5 set right
+ * as we enter this code.)
+ */
+ for (i = 0; i < MAX_CONFIG_WAIT; i++) {
+- if (!(readl(h->vaddr + SA5_DOORBELL) & CFGTBL_ChangeReq))
++ spin_lock_irqsave(&h->lock, flags);
++ doorbell_value = readl(h->vaddr + SA5_DOORBELL);
++ spin_unlock_irqrestore(&h->lock, flags);
++ if (!doorbell_value & CFGTBL_ChangeReq)
+ break;
+ /* delay and try again */
+ msleep(10);
+@@ -3703,6 +3708,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ h->busy_initializing = 1;
+ INIT_HLIST_HEAD(&h->cmpQ);
+ INIT_HLIST_HEAD(&h->reqQ);
++ spin_lock_init(&h->lock);
++ spin_lock_init(&h->scan_lock);
+ rc = hpsa_pci_init(h);
+ if (rc != 0)
+ goto clean1;
+@@ -3762,8 +3769,6 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ }
+ if (hpsa_allocate_sg_chain_blocks(h))
+ goto clean4;
+- spin_lock_init(&h->lock);
+- spin_lock_init(&h->scan_lock);
+ init_waitqueue_head(&h->scan_wait_queue);
+ h->scan_finished = 1; /* no scan currently in progress */
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch)
@@ -0,0 +1,39 @@
+From eed7e66b40b1c85ad0a389163e5d1bc03d406d2e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:29 -0600
+Subject: [PATCH 088/136] hpsa: allow driver to put controller in either
+ simple or performant mode
+
+commit 02ec19c82e87e3748d326ca5e15e7ddb18c73476 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 76f34d9..7f488db 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -74,6 +74,10 @@ static int hpsa_allow_any;
+ module_param(hpsa_allow_any, int, S_IRUGO|S_IWUSR);
+ MODULE_PARM_DESC(hpsa_allow_any,
+ "Allow hpsa driver to access unknown HP Smart Array hardware");
++static int hpsa_simple_mode;
++module_param(hpsa_simple_mode, int, S_IRUGO|S_IWUSR);
++MODULE_PARM_DESC(hpsa_simple_mode,
++ "Use 'simple mode' rather than 'performant mode'");
+
+ /* define the PCI info for the cards we can control */
+ static const struct pci_device_id hpsa_pci_device_id[] = {
+@@ -4010,6 +4014,9 @@ static __devinit void hpsa_put_ctlr_into_performant_mode(struct ctlr_info *h)
+ {
+ u32 trans_support;
+
++ if (hpsa_simple_mode)
++ return;
++
+ trans_support = readl(&(h->cfgtable->TransportSupport));
+ if (!(trans_support & PERFORMANT_MODE))
+ return;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch)
@@ -0,0 +1,60 @@
+From 48f6a79fe7ded6d8f2331c16f6c79679b11ae5ce Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:39 -0600
+Subject: [PATCH 089/136] hpsa: Add a per controller commands_outstanding
+ entry in /sys
+
+commit 94a136495a3fbe59b960c46fba3574b1159e8489 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 7f488db..fef7931 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -151,6 +151,8 @@ static ssize_t unique_id_show(struct device *dev,
+ struct device_attribute *attr, char *buf);
+ static ssize_t host_show_firmware_revision(struct device *dev,
+ struct device_attribute *attr, char *buf);
++static ssize_t host_show_commands_outstanding(struct device *dev,
++ struct device_attribute *attr, char *buf);
+ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno);
+ static ssize_t host_store_rescan(struct device *dev,
+ struct device_attribute *attr, const char *buf, size_t count);
+@@ -180,6 +182,8 @@ static DEVICE_ATTR(unique_id, S_IRUGO, unique_id_show, NULL);
+ static DEVICE_ATTR(rescan, S_IWUSR, NULL, host_store_rescan);
+ static DEVICE_ATTR(firmware_revision, S_IRUGO,
+ host_show_firmware_revision, NULL);
++static DEVICE_ATTR(commands_outstanding, S_IRUGO,
++ host_show_commands_outstanding, NULL);
+
+ static struct device_attribute *hpsa_sdev_attrs[] = {
+ &dev_attr_raid_level,
+@@ -191,6 +195,7 @@ static struct device_attribute *hpsa_sdev_attrs[] = {
+ static struct device_attribute *hpsa_shost_attrs[] = {
+ &dev_attr_rescan,
+ &dev_attr_firmware_revision,
++ &dev_attr_commands_outstanding,
+ NULL,
+ };
+
+@@ -290,6 +295,15 @@ static ssize_t host_show_firmware_revision(struct device *dev,
+ fwrev[0], fwrev[1], fwrev[2], fwrev[3]);
+ }
+
++static ssize_t host_show_commands_outstanding(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct Scsi_Host *shost = class_to_shost(dev);
++ struct ctlr_info *h = shost_to_hba(shost);
++
++ return snprintf(buf, 20, "%d\n", h->commands_outstanding);
++}
++
+ /* Enqueuing and dequeuing functions for cmdlists. */
+ static inline void addQ(struct hlist_head *list, struct CommandList *c)
+ {
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch)
@@ -0,0 +1,38 @@
+From 57bb0a0b5b6ae6fb87df50877c317925ec320c74 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 7 Jan 2011 10:55:43 -0600
+Subject: [PATCH 090/136] hpsa: fix use of uninitialized variable in
+ hpsa_add_msa2xxx_enclosure_device()
+
+commit c4f8a299d04bd083643ba93e982ab910219dd1f0 upstream.
+
+Thanks to Scott Teel for noticing this.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index fef7931..3ae6f3b 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1608,6 +1608,8 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ if (lun == 0) /* if lun is 0, then obviously we have a lun 0. */
+ return 0;
+
++ memset(scsi3addr, 0, 8);
++ scsi3addr[3] = target;
+ if (is_hba_lunid(scsi3addr))
+ return 0; /* Don't add the RAID controller here. */
+
+@@ -1622,8 +1624,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ return 0;
+ }
+
+- memset(scsi3addr, 0, 8);
+- scsi3addr[3] = target;
+ if (hpsa_update_device_info(h, scsi3addr, this_device))
+ return 0;
+ (*nmsa2xxx_enclosures)++;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch)
@@ -0,0 +1,39 @@
+From d27d3c0d4aa3ad016886557f9f9fbd4e3e2f6c95 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <StephenM.Cameron>
+Date: Fri, 7 Jan 2011 10:55:48 -0600
+Subject: [PATCH 091/136] hpsa: Fix problem that CMD_UNABORTABLE command
+ status was treated as unknown
+
+commit 1d5e2ed0805bf426226b7daa54b3e60af78baa10 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 3ae6f3b..51acff6 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1143,6 +1143,10 @@ static void complete_scsi_command(struct CommandList *cp,
+ cmd->result = DID_TIME_OUT << 16;
+ dev_warn(&h->pdev->dev, "cp %p timedout\n", cp);
+ break;
++ case CMD_UNABORTABLE:
++ cmd->result = DID_ERROR << 16;
++ dev_warn(&h->pdev->dev, "Command unabortable\n");
++ break;
+ default:
+ cmd->result = DID_ERROR << 16;
+ dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
+@@ -1308,6 +1312,9 @@ static void hpsa_scsi_interpret_error(struct CommandList *cp)
+ case CMD_TIMEOUT:
+ dev_warn(d, "cp %p timed out\n", cp);
+ break;
++ case CMD_UNABORTABLE:
++ dev_warn(d, "Command unabortable\n");
++ break;
+ default:
+ dev_warn(d, "cp %p returned unknown status %x\n", cp,
+ ei->CommandStatus);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch)
@@ -0,0 +1,37 @@
+From c6bda971d4c6d0b2d4f71ae74d4afa39d7359c5e Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon at gmail.com>
+Date: Fri, 7 Jan 2011 10:55:53 -0600
+Subject: [PATCH 092/136] hpsa: avoid leaking stack contents to userland
+
+commit 938abd8449c27fc67203e1a7c350199cea1158da upstream.
+
+memset arg64 to zero in the passthrough ioctls to avoid leaking contents
+of kernel stack memory to userland via uninitialized padding fields
+inserted by the compiler for alignment reasons.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 51acff6..2043392 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2282,6 +2282,7 @@ static int hpsa_ioctl32_passthru(struct scsi_device *dev, int cmd, void *arg)
+ int err;
+ u32 cp;
+
++ memset(&arg64, 0, sizeof(arg64));
+ err = 0;
+ err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
+ sizeof(arg64.LUN_info));
+@@ -2318,6 +2319,7 @@ static int hpsa_ioctl32_big_passthru(struct scsi_device *dev,
+ int err;
+ u32 cp;
+
++ memset(&arg64, 0, sizeof(arg64));
+ err = 0;
+ err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
+ sizeof(arg64.LUN_info));
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch)
@@ -0,0 +1,126 @@
+From 366de2b726f4a6237f2dcc4856baaf8fc43dee7d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:32:48 -0600
+Subject: [PATCH 093/136] hpsa: do not re-order commands in internal queues
+
+commit 9e0fc764eaec082cd2ffcf82568dfdd086935934 upstream.
+
+Driver's internal queues should be FIFO, not LIFO.
+This is a port of an almost identical patch from cciss by Jens Axboe.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 23 +++++++++++------------
+ drivers/scsi/hpsa.h | 4 ++--
+ drivers/scsi/hpsa_cmd.h | 2 +-
+ 3 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 2043392..5a62a0f 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -305,9 +305,9 @@ static ssize_t host_show_commands_outstanding(struct device *dev,
+ }
+
+ /* Enqueuing and dequeuing functions for cmdlists. */
+-static inline void addQ(struct hlist_head *list, struct CommandList *c)
++static inline void addQ(struct list_head *list, struct CommandList *c)
+ {
+- hlist_add_head(&c->list, list);
++ list_add_tail(&c->list, list);
+ }
+
+ static inline u32 next_command(struct ctlr_info *h)
+@@ -357,9 +357,9 @@ static void enqueue_cmd_and_start_io(struct ctlr_info *h,
+
+ static inline void removeQ(struct CommandList *c)
+ {
+- if (WARN_ON(hlist_unhashed(&c->list)))
++ if (WARN_ON(list_empty(&c->list)))
+ return;
+- hlist_del_init(&c->list);
++ list_del_init(&c->list);
+ }
+
+ static inline int is_hba_lunid(unsigned char scsi3addr[])
+@@ -2200,7 +2200,7 @@ static struct CommandList *cmd_alloc(struct ctlr_info *h)
+
+ c->cmdindex = i;
+
+- INIT_HLIST_NODE(&c->list);
++ INIT_LIST_HEAD(&c->list);
+ c->busaddr = (u32) cmd_dma_handle;
+ temp64.val = (u64) err_dma_handle;
+ c->ErrDesc.Addr.lower = temp64.val32.lower;
+@@ -2238,7 +2238,7 @@ static struct CommandList *cmd_special_alloc(struct ctlr_info *h)
+ }
+ memset(c->err_info, 0, sizeof(*c->err_info));
+
+- INIT_HLIST_NODE(&c->list);
++ INIT_LIST_HEAD(&c->list);
+ c->busaddr = (u32) cmd_dma_handle;
+ temp64.val = (u64) err_dma_handle;
+ c->ErrDesc.Addr.lower = temp64.val32.lower;
+@@ -2809,8 +2809,8 @@ static void start_io(struct ctlr_info *h)
+ {
+ struct CommandList *c;
+
+- while (!hlist_empty(&h->reqQ)) {
+- c = hlist_entry(h->reqQ.first, struct CommandList, list);
++ while (!list_empty(&h->reqQ)) {
++ c = list_entry(h->reqQ.next, struct CommandList, list);
+ /* can't do anything if fifo is full */
+ if ((h->access.fifo_full(h))) {
+ dev_warn(&h->pdev->dev, "fifo full\n");
+@@ -2901,10 +2901,9 @@ static inline u32 process_nonindexed_cmd(struct ctlr_info *h,
+ {
+ u32 tag;
+ struct CommandList *c = NULL;
+- struct hlist_node *tmp;
+
+ tag = hpsa_tag_discard_error_bits(raw_tag);
+- hlist_for_each_entry(c, tmp, &h->cmpQ, list) {
++ list_for_each_entry(c, &h->cmpQ, list) {
+ if ((c->busaddr & 0xFFFFFFE0) == (tag & 0xFFFFFFE0)) {
+ finish_cmd(c, raw_tag);
+ return next_command(h);
+@@ -3733,8 +3732,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+
+ h->pdev = pdev;
+ h->busy_initializing = 1;
+- INIT_HLIST_HEAD(&h->cmpQ);
+- INIT_HLIST_HEAD(&h->reqQ);
++ INIT_LIST_HEAD(&h->cmpQ);
++ INIT_LIST_HEAD(&h->reqQ);
+ spin_lock_init(&h->lock);
+ spin_lock_init(&h->scan_lock);
+ rc = hpsa_pci_init(h);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 074d237..e898193 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -75,8 +75,8 @@ struct ctlr_info {
+ struct access_method access;
+
+ /* queue and queue Info */
+- struct hlist_head reqQ;
+- struct hlist_head cmpQ;
++ struct list_head reqQ;
++ struct list_head cmpQ;
+ unsigned int Qdepth;
+ unsigned int maxQsinceinit;
+ unsigned int maxSG;
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 7910c14..785abdd 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -292,7 +292,7 @@ struct CommandList {
+ struct ctlr_info *h;
+ int cmd_type;
+ long cmdindex;
+- struct hlist_node list;
++ struct list_head list;
+ struct request *rq;
+ struct completion *waiting;
+ void *scsi_cmd;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch)
@@ -0,0 +1,155 @@
+From b7e25a46a70a9dd756b5a144a52a07e030b5121c Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:32:53 -0600
+Subject: [PATCH 094/136] hpsa: make hpsa.hpsa_simple_mode=1 module parameter
+ actually work
+
+commit a9a3a2739a44fc05dcaba0d4d36e52dc444c294f upstream.
+
+It's not enough to simple avoid putting the board into performant
+mode, as we have to set up the interrupts differently, etc. When
+I originally tested this module parameter, I tested it incorrectly
+without realizing it, and the driver was running in performant mode
+the whole time unbeknownst to me.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 37 +++++++++++++++++++++++--------------
+ drivers/scsi/hpsa.h | 1 +
+ 2 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 5a62a0f..dc00910 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1177,7 +1177,7 @@ static int hpsa_scsi_detect(struct ctlr_info *h)
+ sh->sg_tablesize = h->maxsgentries;
+ h->scsi_host = sh;
+ sh->hostdata[0] = (unsigned long) h;
+- sh->irq = h->intr[PERF_MODE_INT];
++ sh->irq = h->intr[h->intr_mode];
+ sh->unique_id = sh->irq;
+ error = scsi_add_host(sh, &h->pdev->dev);
+ if (error)
+@@ -2874,10 +2874,14 @@ static inline u32 hpsa_tag_to_index(u32 tag)
+ return tag >> DIRECT_LOOKUP_SHIFT;
+ }
+
+-static inline u32 hpsa_tag_discard_error_bits(u32 tag)
++
++static inline u32 hpsa_tag_discard_error_bits(struct ctlr_info *h, u32 tag)
+ {
+-#define HPSA_ERROR_BITS 0x03
+- return tag & ~HPSA_ERROR_BITS;
++#define HPSA_PERF_ERROR_BITS ((1 << DIRECT_LOOKUP_SHIFT) - 1)
++#define HPSA_SIMPLE_ERROR_BITS 0x03
++ if (unlikely(h->transMethod != CFGTBL_Trans_Performant))
++ return tag & ~HPSA_SIMPLE_ERROR_BITS;
++ return tag & ~HPSA_PERF_ERROR_BITS;
+ }
+
+ /* process completion of an indexed ("direct lookup") command */
+@@ -2902,7 +2906,7 @@ static inline u32 process_nonindexed_cmd(struct ctlr_info *h,
+ u32 tag;
+ struct CommandList *c = NULL;
+
+- tag = hpsa_tag_discard_error_bits(raw_tag);
++ tag = hpsa_tag_discard_error_bits(h, raw_tag);
+ list_for_each_entry(c, &h->cmpQ, list) {
+ if ((c->busaddr & 0xFFFFFFE0) == (tag & 0xFFFFFFE0)) {
+ finish_cmd(c, raw_tag);
+@@ -2953,7 +2957,10 @@ static irqreturn_t do_hpsa_intr_msi(int irq, void *dev_id)
+ return IRQ_HANDLED;
+ }
+
+-/* Send a message CDB to the firmware. */
++/* Send a message CDB to the firmware. Careful, this only works
++ * in simple mode, not performant mode due to the tag lookup.
++ * We only ever use this immediately after a controller reset.
++ */
+ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ unsigned char type)
+ {
+@@ -3019,7 +3026,7 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+
+ for (i = 0; i < HPSA_MSG_SEND_RETRY_LIMIT; i++) {
+ tag = readl(vaddr + SA5_REPLY_PORT_OFFSET);
+- if (hpsa_tag_discard_error_bits(tag) == paddr32)
++ if ((tag & ~HPSA_SIMPLE_ERROR_BITS) == paddr32)
+ break;
+ msleep(HPSA_MSG_SEND_RETRY_INTERVAL_MSECS);
+ }
+@@ -3351,7 +3358,7 @@ static void __devinit hpsa_interrupt_mode(struct ctlr_info *h)
+ default_int_mode:
+ #endif /* CONFIG_PCI_MSI */
+ /* if we get here we're going to use the default interrupt mode */
+- h->intr[PERF_MODE_INT] = h->pdev->irq;
++ h->intr[h->intr_mode] = h->pdev->irq;
+ }
+
+ static int __devinit hpsa_lookup_board_id(struct pci_dev *pdev, u32 *board_id)
+@@ -3732,6 +3739,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+
+ h->pdev = pdev;
+ h->busy_initializing = 1;
++ h->intr_mode = hpsa_simple_mode ? SIMPLE_MODE_INT : PERF_MODE_INT;
++ printk(KERN_WARNING "hpsa_simple_mode is %d\n", hpsa_simple_mode);
+ INIT_LIST_HEAD(&h->cmpQ);
+ INIT_LIST_HEAD(&h->reqQ);
+ spin_lock_init(&h->lock);
+@@ -3762,20 +3771,20 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ h->access.set_intr_mask(h, HPSA_INTR_OFF);
+
+ if (h->msix_vector || h->msi_vector)
+- rc = request_irq(h->intr[PERF_MODE_INT], do_hpsa_intr_msi,
++ rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_msi,
+ IRQF_DISABLED, h->devname, h);
+ else
+- rc = request_irq(h->intr[PERF_MODE_INT], do_hpsa_intr_intx,
++ rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_intx,
+ IRQF_DISABLED, h->devname, h);
+ if (rc) {
+ dev_err(&pdev->dev, "unable to get irq %d for %s\n",
+- h->intr[PERF_MODE_INT], h->devname);
++ h->intr[h->intr_mode], h->devname);
+ goto clean2;
+ }
+
+ dev_info(&pdev->dev, "%s: <0x%x> at IRQ %d%s using DAC\n",
+ h->devname, pdev->device,
+- h->intr[PERF_MODE_INT], dac ? "" : " not");
++ h->intr[h->intr_mode], dac ? "" : " not");
+
+ h->cmd_pool_bits =
+ kmalloc(((h->nr_cmds + BITS_PER_LONG -
+@@ -3826,7 +3835,7 @@ clean4:
+ h->nr_cmds * sizeof(struct ErrorInfo),
+ h->errinfo_pool,
+ h->errinfo_pool_dhandle);
+- free_irq(h->intr[PERF_MODE_INT], h);
++ free_irq(h->intr[h->intr_mode], h);
+ clean2:
+ clean1:
+ h->busy_initializing = 0;
+@@ -3870,7 +3879,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
+ */
+ hpsa_flush_cache(h);
+ h->access.set_intr_mask(h, HPSA_INTR_OFF);
+- free_irq(h->intr[PERF_MODE_INT], h);
++ free_irq(h->intr[h->intr_mode], h);
+ #ifdef CONFIG_PCI_MSI
+ if (h->msix_vector)
+ pci_disable_msix(h->pdev);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index e898193..621a153 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -72,6 +72,7 @@ struct ctlr_info {
+ unsigned int intr[4];
+ unsigned int msix_vector;
+ unsigned int msi_vector;
++ int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
+ struct access_method access;
+
+ /* queue and queue Info */
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch)
@@ -0,0 +1,70 @@
+From a0fde39e480c3d4ee24cbb859b6ce1edcd81d773 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:32:58 -0600
+Subject: [PATCH 095/136] hpsa: Add transport_mode host attribute in /sys
+
+commit 745a7a25bc0f6dc77db72656b7bc8d17b6ee8e53 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index dc00910..c1e2319 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -153,6 +153,8 @@ static ssize_t host_show_firmware_revision(struct device *dev,
+ struct device_attribute *attr, char *buf);
+ static ssize_t host_show_commands_outstanding(struct device *dev,
+ struct device_attribute *attr, char *buf);
++static ssize_t host_show_transport_mode(struct device *dev,
++ struct device_attribute *attr, char *buf);
+ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno);
+ static ssize_t host_store_rescan(struct device *dev,
+ struct device_attribute *attr, const char *buf, size_t count);
+@@ -184,6 +186,8 @@ static DEVICE_ATTR(firmware_revision, S_IRUGO,
+ host_show_firmware_revision, NULL);
+ static DEVICE_ATTR(commands_outstanding, S_IRUGO,
+ host_show_commands_outstanding, NULL);
++static DEVICE_ATTR(transport_mode, S_IRUGO,
++ host_show_transport_mode, NULL);
+
+ static struct device_attribute *hpsa_sdev_attrs[] = {
+ &dev_attr_raid_level,
+@@ -196,6 +200,7 @@ static struct device_attribute *hpsa_shost_attrs[] = {
+ &dev_attr_rescan,
+ &dev_attr_firmware_revision,
+ &dev_attr_commands_outstanding,
++ &dev_attr_transport_mode,
+ NULL,
+ };
+
+@@ -304,6 +309,18 @@ static ssize_t host_show_commands_outstanding(struct device *dev,
+ return snprintf(buf, 20, "%d\n", h->commands_outstanding);
+ }
+
++static ssize_t host_show_transport_mode(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct ctlr_info *h;
++ struct Scsi_Host *shost = class_to_shost(dev);
++
++ h = shost_to_hba(shost);
++ return snprintf(buf, 20, "%s\n",
++ h->transMethod == CFGTBL_Trans_Performant ?
++ "performant" : "simple");
++}
++
+ /* Enqueuing and dequeuing functions for cmdlists. */
+ static inline void addQ(struct list_head *list, struct CommandList *c)
+ {
+@@ -3740,7 +3757,6 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ h->pdev = pdev;
+ h->busy_initializing = 1;
+ h->intr_mode = hpsa_simple_mode ? SIMPLE_MODE_INT : PERF_MODE_INT;
+- printk(KERN_WARNING "hpsa_simple_mode is %d\n", hpsa_simple_mode);
+ INIT_LIST_HEAD(&h->cmpQ);
+ INIT_LIST_HEAD(&h->reqQ);
+ spin_lock_init(&h->lock);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch)
@@ -0,0 +1,122 @@
+From 8672b6f8e803d0c1394ccd0a7030da3e7fbca512 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:33:03 -0600
+Subject: [PATCH 096/136] hpsa: Inform controller we are using 32-bit tags.
+
+commit 960a30e7a73affcc441b9ceaff3b1b9e73e99c1f upstream.
+
+Controller will transfer only 32-bits on completion if it
+knows we are only using 32-bit tags. Also, some newer controllers
+apparently (and erroneously) require that we only use 32-bit tags,
+and that we inform the controller of this.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 24 +++++++++++++-----------
+ drivers/scsi/hpsa_cmd.h | 1 +
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c1e2319..747c31b 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -317,7 +317,7 @@ static ssize_t host_show_transport_mode(struct device *dev,
+
+ h = shost_to_hba(shost);
+ return snprintf(buf, 20, "%s\n",
+- h->transMethod == CFGTBL_Trans_Performant ?
++ h->transMethod & CFGTBL_Trans_Performant ?
+ "performant" : "simple");
+ }
+
+@@ -331,7 +331,7 @@ static inline u32 next_command(struct ctlr_info *h)
+ {
+ u32 a;
+
+- if (unlikely(h->transMethod != CFGTBL_Trans_Performant))
++ if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
+ return h->access.command_completed(h);
+
+ if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
+@@ -355,7 +355,7 @@ static inline u32 next_command(struct ctlr_info *h)
+ */
+ static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
+ {
+- if (likely(h->transMethod == CFGTBL_Trans_Performant))
++ if (likely(h->transMethod & CFGTBL_Trans_Performant))
+ c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
+ }
+
+@@ -2896,7 +2896,7 @@ static inline u32 hpsa_tag_discard_error_bits(struct ctlr_info *h, u32 tag)
+ {
+ #define HPSA_PERF_ERROR_BITS ((1 << DIRECT_LOOKUP_SHIFT) - 1)
+ #define HPSA_SIMPLE_ERROR_BITS 0x03
+- if (unlikely(h->transMethod != CFGTBL_Trans_Performant))
++ if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
+ return tag & ~HPSA_SIMPLE_ERROR_BITS;
+ return tag & ~HPSA_PERF_ERROR_BITS;
+ }
+@@ -3612,6 +3612,7 @@ static int __devinit hpsa_enter_simple_mode(struct ctlr_info *h)
+ "unable to get board into simple mode\n");
+ return -ENODEV;
+ }
++ h->transMethod = CFGTBL_Trans_Simple;
+ return 0;
+ }
+
+@@ -3997,7 +3998,8 @@ static void calc_bucket_map(int bucket[], int num_buckets,
+ }
+ }
+
+-static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h)
++static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h,
++ u32 use_short_tags)
+ {
+ int i;
+ unsigned long register_value;
+@@ -4045,7 +4047,7 @@ static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h)
+ writel(0, &h->transtable->RepQCtrAddrHigh32);
+ writel(h->reply_pool_dhandle, &h->transtable->RepQAddr0Low32);
+ writel(0, &h->transtable->RepQAddr0High32);
+- writel(CFGTBL_Trans_Performant,
++ writel(CFGTBL_Trans_Performant | use_short_tags,
+ &(h->cfgtable->HostWrite.TransportRequest));
+ writel(CFGTBL_ChangeReq, h->vaddr + SA5_DOORBELL);
+ hpsa_wait_for_mode_change_ack(h);
+@@ -4055,6 +4057,9 @@ static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h)
+ " performant mode\n");
+ return;
+ }
++ /* Change the access methods to the performant access methods */
++ h->access = SA5_performant_access;
++ h->transMethod = CFGTBL_Trans_Performant;
+ }
+
+ static __devinit void hpsa_put_ctlr_into_performant_mode(struct ctlr_info *h)
+@@ -4083,11 +4088,8 @@ static __devinit void hpsa_put_ctlr_into_performant_mode(struct ctlr_info *h)
+ || (h->blockFetchTable == NULL))
+ goto clean_up;
+
+- hpsa_enter_performant_mode(h);
+-
+- /* Change the access methods to the performant access methods */
+- h->access = SA5_performant_access;
+- h->transMethod = CFGTBL_Trans_Performant;
++ hpsa_enter_performant_mode(h,
++ trans_support & CFGTBL_Trans_use_short_tags);
+
+ return;
+
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 785abdd..1846490 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -104,6 +104,7 @@
+
+ #define CFGTBL_Trans_Simple 0x00000002l
+ #define CFGTBL_Trans_Performant 0x00000004l
++#define CFGTBL_Trans_use_short_tags 0x20000000l
+
+ #define CFGTBL_BusType_Ultra2 0x00000001l
+ #define CFGTBL_BusType_Ultra3 0x00000002l
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch)
@@ -0,0 +1,39 @@
+From 6d2736e5d6e72c2b2d9b01c9035c4a140228b229 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:33:08 -0600
+Subject: [PATCH 097/136] hpsa: Do not attempt kdump if we detect resetting
+ controller failed.
+
+commit ba95e2ac6bfeb9af92153058a353fc47e1addc02 upstream.
+
+We can get completions left over from before the attempted reset which
+will interfere with the kdump. Better to just not make the attempt in
+that case.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 747c31b..087a77b 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3236,13 +3236,13 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ * It means we're on one of those controllers which doesn't support
+ * the doorbell reset method and on which the PCI power management reset
+ * method doesn't work (P800, for example.)
+- * In those cases, pretend the reset worked and hope for the best.
++ * In those cases, don't try to proceed, as it generally doesn't work.
+ */
+ active_transport = readl(&cfgtable->TransportActive);
+ if (active_transport & PERFORMANT_MODE) {
+ dev_warn(&pdev->dev, "Unable to successfully reset controller,"
+- " proceeding anyway.\n");
+- rc = -ENOTSUPP;
++ " Ignoring controller.\n");
++ rc = -ENODEV;
+ }
+
+ unmap_cfgtable:
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch)
@@ -0,0 +1,30 @@
+From 82544351c81e6bb64eee4a7c8a76784de854ea2a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27 at gmail.com>
+Date: Tue, 15 Feb 2011 15:33:13 -0600
+Subject: [PATCH 098/136] hpsa: fix bad comparison
+
+commit 382be668c5a284844f9dcbb5b1cb8ffba2386d80 upstream.
+
+'!' has higher precedence than '&'. CFGTBL_ChangeReq is 0x1 so the
+original code is equivelent to if (!doorbell_value) {...
+
+Signed-off-by: Dan Carpenter <error27 at gmail.com>
+Acked-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 087a77b..0f5979a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3586,7 +3586,7 @@ static void __devinit hpsa_wait_for_mode_change_ack(struct ctlr_info *h)
+ spin_lock_irqsave(&h->lock, flags);
+ doorbell_value = readl(h->vaddr + SA5_DOORBELL);
+ spin_unlock_irqrestore(&h->lock, flags);
+- if (!doorbell_value & CFGTBL_ChangeReq)
++ if (!(doorbell_value & CFGTBL_ChangeReq))
+ break;
+ /* delay and try again */
+ msleep(10);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch)
@@ -0,0 +1,74 @@
+From 7cab8a9728ccfb9c0843d2f64e1d544389ba9888 Mon Sep 17 00:00:00 2001
+From: "scameron at beardog.cce.hp.com" <scameron at beardog.cce.hp.com>
+Date: Mon, 7 Mar 2011 10:44:16 -0600
+Subject: [PATCH 099/136] hpsa: fix incorrect PCI IDs and add two new ones
+ (2nd try)
+
+commit 9143a9612277abc6e4ddced2bc54a120734834c6 upstream.
+
+My first attempt was botched, got the wrong PCI Device ID
+(used PCI_DEVICE_ID_HP_CISSE, should have been PCI_DEVICE_ID_HP_CISSF)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+[bwh: Backported to 2.6.32: also add the device ID to <linux/pci_ids.h>,
+ added upstream in commit 6362beea8914cbd4630ccde3617d944aeca2d48f]
+---
+ drivers/scsi/hpsa.c | 24 ++++++++++++++----------
+ include/linux/pci_ids.h | 1 +
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 0f5979a..a410aca 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -82,11 +82,13 @@ MODULE_PARM_DESC(hpsa_simple_mode,
+ /* define the PCI info for the cards we can control */
+ static const struct pci_device_id hpsa_pci_device_id[] = {
+ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3233},
+- {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3250},
+- {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3251},
+- {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3252},
+- {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3253},
+- {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSE, 0x103C, 0x3254},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3350},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3351},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3352},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3353},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3354},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3355},
++ {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_CISSF, 0x103C, 0x3356},
+ {PCI_VENDOR_ID_HP, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_RAID << 8, 0xffff << 8, 0},
+ {0,}
+@@ -106,11 +108,13 @@ static struct board_type products[] = {
+ {0x3249103C, "Smart Array P812", &SA5_access},
+ {0x324a103C, "Smart Array P712m", &SA5_access},
+ {0x324b103C, "Smart Array P711m", &SA5_access},
+- {0x3250103C, "Smart Array", &SA5_access},
+- {0x3250113C, "Smart Array", &SA5_access},
+- {0x3250123C, "Smart Array", &SA5_access},
+- {0x3250133C, "Smart Array", &SA5_access},
+- {0x3250143C, "Smart Array", &SA5_access},
++ {0x3350103C, "Smart Array", &SA5_access},
++ {0x3351103C, "Smart Array", &SA5_access},
++ {0x3352103C, "Smart Array", &SA5_access},
++ {0x3353103C, "Smart Array", &SA5_access},
++ {0x3354103C, "Smart Array", &SA5_access},
++ {0x3355103C, "Smart Array", &SA5_access},
++ {0x3356103C, "Smart Array", &SA5_access},
+ {0xFFFF103C, "Unknown Smart Array", &SA5_access},
+ };
+
+diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
+index 96077a5..b987a66 100644
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -744,6 +744,7 @@
+ #define PCI_DEVICE_ID_HP_CISSC 0x3230
+ #define PCI_DEVICE_ID_HP_CISSD 0x3238
+ #define PCI_DEVICE_ID_HP_CISSE 0x323a
++#define PCI_DEVICE_ID_HP_CISSF 0x323b
+ #define PCI_DEVICE_ID_HP_ZX2_IOC 0x4031
+
+ #define PCI_VENDOR_ID_PCTECH 0x1042
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch)
@@ -0,0 +1,304 @@
+From aa98bec461822222293c009fd7a3ef3d712968d0 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 9 Mar 2011 17:00:01 -0600
+Subject: [PATCH 100/136] hpsa: move device attributes to avoid forward
+ declarations
+
+commit 3f5eac3a040a2ea61a575f713aabedecdd23c3f8 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+[bwh: Backported to 2.6.32: no scsi_host_template::change_queue_depth]
+---
+ drivers/scsi/hpsa.c | 251 ++++++++++++++++++++++++---------------------------
+ 1 file changed, 119 insertions(+), 132 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a410aca..3eb21da 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -147,21 +147,7 @@ static int hpsa_eh_device_reset_handler(struct scsi_cmnd *scsicmd);
+ static int hpsa_slave_alloc(struct scsi_device *sdev);
+ static void hpsa_slave_destroy(struct scsi_device *sdev);
+
+-static ssize_t raid_level_show(struct device *dev,
+- struct device_attribute *attr, char *buf);
+-static ssize_t lunid_show(struct device *dev,
+- struct device_attribute *attr, char *buf);
+-static ssize_t unique_id_show(struct device *dev,
+- struct device_attribute *attr, char *buf);
+-static ssize_t host_show_firmware_revision(struct device *dev,
+- struct device_attribute *attr, char *buf);
+-static ssize_t host_show_commands_outstanding(struct device *dev,
+- struct device_attribute *attr, char *buf);
+-static ssize_t host_show_transport_mode(struct device *dev,
+- struct device_attribute *attr, char *buf);
+ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno);
+-static ssize_t host_store_rescan(struct device *dev,
+- struct device_attribute *attr, const char *buf, size_t count);
+ static int check_for_unit_attention(struct ctlr_info *h,
+ struct CommandList *c);
+ static void check_ioctl_unit_attention(struct ctlr_info *h,
+@@ -182,52 +168,6 @@ static int __devinit hpsa_wait_for_board_state(struct pci_dev *pdev,
+ #define BOARD_NOT_READY 0
+ #define BOARD_READY 1
+
+-static DEVICE_ATTR(raid_level, S_IRUGO, raid_level_show, NULL);
+-static DEVICE_ATTR(lunid, S_IRUGO, lunid_show, NULL);
+-static DEVICE_ATTR(unique_id, S_IRUGO, unique_id_show, NULL);
+-static DEVICE_ATTR(rescan, S_IWUSR, NULL, host_store_rescan);
+-static DEVICE_ATTR(firmware_revision, S_IRUGO,
+- host_show_firmware_revision, NULL);
+-static DEVICE_ATTR(commands_outstanding, S_IRUGO,
+- host_show_commands_outstanding, NULL);
+-static DEVICE_ATTR(transport_mode, S_IRUGO,
+- host_show_transport_mode, NULL);
+-
+-static struct device_attribute *hpsa_sdev_attrs[] = {
+- &dev_attr_raid_level,
+- &dev_attr_lunid,
+- &dev_attr_unique_id,
+- NULL,
+-};
+-
+-static struct device_attribute *hpsa_shost_attrs[] = {
+- &dev_attr_rescan,
+- &dev_attr_firmware_revision,
+- &dev_attr_commands_outstanding,
+- &dev_attr_transport_mode,
+- NULL,
+-};
+-
+-static struct scsi_host_template hpsa_driver_template = {
+- .module = THIS_MODULE,
+- .name = "hpsa",
+- .proc_name = "hpsa",
+- .queuecommand = hpsa_scsi_queue_command,
+- .scan_start = hpsa_scan_start,
+- .scan_finished = hpsa_scan_finished,
+- .this_id = -1,
+- .use_clustering = ENABLE_CLUSTERING,
+- .eh_device_reset_handler = hpsa_eh_device_reset_handler,
+- .ioctl = hpsa_ioctl,
+- .slave_alloc = hpsa_slave_alloc,
+- .slave_destroy = hpsa_slave_destroy,
+-#ifdef CONFIG_COMPAT
+- .compat_ioctl = hpsa_compat_ioctl,
+-#endif
+- .sdev_attrs = hpsa_sdev_attrs,
+- .shost_attrs = hpsa_shost_attrs,
+-};
+-
+ static inline struct ctlr_info *sdev_to_hba(struct scsi_device *sdev)
+ {
+ unsigned long *priv = shost_priv(sdev->host);
+@@ -325,83 +265,11 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ "performant" : "simple");
+ }
+
+-/* Enqueuing and dequeuing functions for cmdlists. */
+-static inline void addQ(struct list_head *list, struct CommandList *c)
+-{
+- list_add_tail(&c->list, list);
+-}
+-
+-static inline u32 next_command(struct ctlr_info *h)
+-{
+- u32 a;
+-
+- if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
+- return h->access.command_completed(h);
+-
+- if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
+- a = *(h->reply_pool_head); /* Next cmd in ring buffer */
+- (h->reply_pool_head)++;
+- h->commands_outstanding--;
+- } else {
+- a = FIFO_EMPTY;
+- }
+- /* Check for wraparound */
+- if (h->reply_pool_head == (h->reply_pool + h->max_commands)) {
+- h->reply_pool_head = h->reply_pool;
+- h->reply_pool_wraparound ^= 1;
+- }
+- return a;
+-}
+-
+-/* set_performant_mode: Modify the tag for cciss performant
+- * set bit 0 for pull model, bits 3-1 for block fetch
+- * register number
+- */
+-static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
+-{
+- if (likely(h->transMethod & CFGTBL_Trans_Performant))
+- c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
+-}
+-
+-static void enqueue_cmd_and_start_io(struct ctlr_info *h,
+- struct CommandList *c)
+-{
+- unsigned long flags;
+-
+- set_performant_mode(h, c);
+- spin_lock_irqsave(&h->lock, flags);
+- addQ(&h->reqQ, c);
+- h->Qdepth++;
+- start_io(h);
+- spin_unlock_irqrestore(&h->lock, flags);
+-}
+-
+-static inline void removeQ(struct CommandList *c)
+-{
+- if (WARN_ON(list_empty(&c->list)))
+- return;
+- list_del_init(&c->list);
+-}
+-
+-static inline int is_hba_lunid(unsigned char scsi3addr[])
+-{
+- return memcmp(scsi3addr, RAID_CTLR_LUNID, 8) == 0;
+-}
+-
+ static inline int is_logical_dev_addr_mode(unsigned char scsi3addr[])
+ {
+ return (scsi3addr[3] & 0xC0) == 0x40;
+ }
+
+-static inline int is_scsi_rev_5(struct ctlr_info *h)
+-{
+- if (!h->hba_inquiry_data)
+- return 0;
+- if ((h->hba_inquiry_data[2] & 0x07) == 5)
+- return 1;
+- return 0;
+-}
+-
+ static const char *raid_label[] = { "0", "4", "1(1+0)", "5", "5+1", "ADG",
+ "UNKNOWN"
+ };
+@@ -493,6 +361,125 @@ static ssize_t unique_id_show(struct device *dev,
+ sn[12], sn[13], sn[14], sn[15]);
+ }
+
++static DEVICE_ATTR(raid_level, S_IRUGO, raid_level_show, NULL);
++static DEVICE_ATTR(lunid, S_IRUGO, lunid_show, NULL);
++static DEVICE_ATTR(unique_id, S_IRUGO, unique_id_show, NULL);
++static DEVICE_ATTR(rescan, S_IWUSR, NULL, host_store_rescan);
++static DEVICE_ATTR(firmware_revision, S_IRUGO,
++ host_show_firmware_revision, NULL);
++static DEVICE_ATTR(commands_outstanding, S_IRUGO,
++ host_show_commands_outstanding, NULL);
++static DEVICE_ATTR(transport_mode, S_IRUGO,
++ host_show_transport_mode, NULL);
++
++static struct device_attribute *hpsa_sdev_attrs[] = {
++ &dev_attr_raid_level,
++ &dev_attr_lunid,
++ &dev_attr_unique_id,
++ NULL,
++};
++
++static struct device_attribute *hpsa_shost_attrs[] = {
++ &dev_attr_rescan,
++ &dev_attr_firmware_revision,
++ &dev_attr_commands_outstanding,
++ &dev_attr_transport_mode,
++ NULL,
++};
++
++static struct scsi_host_template hpsa_driver_template = {
++ .module = THIS_MODULE,
++ .name = "hpsa",
++ .proc_name = "hpsa",
++ .queuecommand = hpsa_scsi_queue_command,
++ .scan_start = hpsa_scan_start,
++ .scan_finished = hpsa_scan_finished,
++ .this_id = -1,
++ .use_clustering = ENABLE_CLUSTERING,
++ .eh_device_reset_handler = hpsa_eh_device_reset_handler,
++ .ioctl = hpsa_ioctl,
++ .slave_alloc = hpsa_slave_alloc,
++ .slave_destroy = hpsa_slave_destroy,
++#ifdef CONFIG_COMPAT
++ .compat_ioctl = hpsa_compat_ioctl,
++#endif
++ .sdev_attrs = hpsa_sdev_attrs,
++ .shost_attrs = hpsa_shost_attrs,
++};
++
++
++/* Enqueuing and dequeuing functions for cmdlists. */
++static inline void addQ(struct list_head *list, struct CommandList *c)
++{
++ list_add_tail(&c->list, list);
++}
++
++static inline u32 next_command(struct ctlr_info *h)
++{
++ u32 a;
++
++ if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
++ return h->access.command_completed(h);
++
++ if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
++ a = *(h->reply_pool_head); /* Next cmd in ring buffer */
++ (h->reply_pool_head)++;
++ h->commands_outstanding--;
++ } else {
++ a = FIFO_EMPTY;
++ }
++ /* Check for wraparound */
++ if (h->reply_pool_head == (h->reply_pool + h->max_commands)) {
++ h->reply_pool_head = h->reply_pool;
++ h->reply_pool_wraparound ^= 1;
++ }
++ return a;
++}
++
++/* set_performant_mode: Modify the tag for cciss performant
++ * set bit 0 for pull model, bits 3-1 for block fetch
++ * register number
++ */
++static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
++{
++ if (likely(h->transMethod & CFGTBL_Trans_Performant))
++ c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
++}
++
++static void enqueue_cmd_and_start_io(struct ctlr_info *h,
++ struct CommandList *c)
++{
++ unsigned long flags;
++
++ set_performant_mode(h, c);
++ spin_lock_irqsave(&h->lock, flags);
++ addQ(&h->reqQ, c);
++ h->Qdepth++;
++ start_io(h);
++ spin_unlock_irqrestore(&h->lock, flags);
++}
++
++static inline void removeQ(struct CommandList *c)
++{
++ if (WARN_ON(list_empty(&c->list)))
++ return;
++ list_del_init(&c->list);
++}
++
++static inline int is_hba_lunid(unsigned char scsi3addr[])
++{
++ return memcmp(scsi3addr, RAID_CTLR_LUNID, 8) == 0;
++}
++
++static inline int is_scsi_rev_5(struct ctlr_info *h)
++{
++ if (!h->hba_inquiry_data)
++ return 0;
++ if ((h->hba_inquiry_data[2] & 0x07) == 5)
++ return 1;
++ return 0;
++}
++
+ static int hpsa_find_target_lun(struct ctlr_info *h,
+ unsigned char scsi3addr[], int bus, int *target, int *lun)
+ {
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch)
@@ -0,0 +1,86 @@
+From 9910b190678f5204ff108439a77f86172f632595 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 9 Mar 2011 17:00:06 -0600
+Subject: [PATCH 101/136] hpsa: export resettable host attribute
+
+commit 941b1cdae83039c99fc5c1884a98d2afd39760e5 upstream.
+
+This attribute, requested by Redhat, allows kexec-tools to know
+whether the controller can honor the reset_devices kernel parameter
+and actually reset the controller. For kdump to work properly it
+is necessary that the reset_devices parameter be honored. This
+attribute enables kexec-tools to warn the user if they attempt to
+designate a non-resettable controller as the dump device.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 3eb21da..fa52ad9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -265,6 +265,44 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ "performant" : "simple");
+ }
+
++/* List of controllers which cannot be reset on kexec with reset_devices */
++static u32 unresettable_controller[] = {
++ 0x324a103C, /* Smart Array P712m */
++ 0x324b103C, /* SmartArray P711m */
++ 0x3223103C, /* Smart Array P800 */
++ 0x3234103C, /* Smart Array P400 */
++ 0x3235103C, /* Smart Array P400i */
++ 0x3211103C, /* Smart Array E200i */
++ 0x3212103C, /* Smart Array E200 */
++ 0x3213103C, /* Smart Array E200i */
++ 0x3214103C, /* Smart Array E200i */
++ 0x3215103C, /* Smart Array E200i */
++ 0x3237103C, /* Smart Array E500 */
++ 0x323D103C, /* Smart Array P700m */
++ 0x409C0E11, /* Smart Array 6400 */
++ 0x409D0E11, /* Smart Array 6400 EM */
++};
++
++static int ctlr_is_resettable(struct ctlr_info *h)
++{
++ int i;
++
++ for (i = 0; i < ARRAY_SIZE(unresettable_controller); i++)
++ if (unresettable_controller[i] == h->board_id)
++ return 0;
++ return 1;
++}
++
++static ssize_t host_show_resettable(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct ctlr_info *h;
++ struct Scsi_Host *shost = class_to_shost(dev);
++
++ h = shost_to_hba(shost);
++ return snprintf(buf, 20, "%d\n", ctlr_is_resettable(h));
++}
++
+ static inline int is_logical_dev_addr_mode(unsigned char scsi3addr[])
+ {
+ return (scsi3addr[3] & 0xC0) == 0x40;
+@@ -371,6 +409,8 @@ static DEVICE_ATTR(commands_outstanding, S_IRUGO,
+ host_show_commands_outstanding, NULL);
+ static DEVICE_ATTR(transport_mode, S_IRUGO,
+ host_show_transport_mode, NULL);
++static DEVICE_ATTR(resettable, S_IRUGO,
++ host_show_resettable, NULL);
+
+ static struct device_attribute *hpsa_sdev_attrs[] = {
+ &dev_attr_raid_level,
+@@ -384,6 +424,7 @@ static struct device_attribute *hpsa_shost_attrs[] = {
+ &dev_attr_firmware_revision,
+ &dev_attr_commands_outstanding,
+ &dev_attr_transport_mode,
++ &dev_attr_resettable,
+ NULL,
+ };
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch)
@@ -0,0 +1,30 @@
+From bebca693eb5bde267011b46fbcca723047b0c1b4 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:58:49 -0500
+Subject: [PATCH 102/136] hpsa: do readl after writel in main i/o path to
+ ensure commands don't get lost.
+
+commit d0be5ec8693944c2e2fc0de70fda9dbc1b93bd7d upstream.
+
+Apparently we've been doin it rong for a decade, but only lately do we
+run into problems.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 621a153..98c97ca 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -212,6 +212,7 @@ static void SA5_submit_command(struct ctlr_info *h,
+ dev_dbg(&h->pdev->dev, "Sending %x, tag = %x\n", c->busaddr,
+ c->Header.Tag.lower);
+ writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
++ (void) readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
+ h->commands_outstanding++;
+ if (h->commands_outstanding > h->max_outstanding)
+ h->max_outstanding = h->commands_outstanding;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch)
@@ -0,0 +1,48 @@
+From 6cdd7154301c0975c5c4c41ed0b37b313355f01a Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:58:55 -0500
+Subject: [PATCH 103/136] hpsa: add readl after writel in interrupt mask
+ setting code
+
+commit 8cd21da71c952843f9cc215436286cf7f991cc6e upstream.
+
+This is to ensure the board interrupts are really off when
+these functions return.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 98c97ca..7eec397 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -228,10 +228,12 @@ static void SA5_intr_mask(struct ctlr_info *h, unsigned long val)
+ if (val) { /* Turn interrupts on */
+ h->interrupts_enabled = 1;
+ writel(0, h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++ (void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ } else { /* Turn them off */
+ h->interrupts_enabled = 0;
+ writel(SA5_INTR_OFF,
+ h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++ (void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ }
+ }
+
+@@ -240,10 +242,12 @@ static void SA5_performant_intr_mask(struct ctlr_info *h, unsigned long val)
+ if (val) { /* turn on interrupts */
+ h->interrupts_enabled = 1;
+ writel(0, h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++ (void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ } else {
+ h->interrupts_enabled = 0;
+ writel(SA5_PERF_INTR_OFF,
+ h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++ (void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ }
+ }
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch)
@@ -0,0 +1,38 @@
+From 73be737a0b5e3de570dfecc9fd43fa9dda590eca Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:00 -0500
+Subject: [PATCH 104/136] hpsa: remove unused parameter from
+ hpsa_complete_scsi_command()
+
+commit 1fb011fb05b6bac4fb8eabd324a6983116f7594d upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index fa52ad9..a5b47a9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -997,8 +997,7 @@ static void hpsa_unmap_sg_chain_block(struct ctlr_info *h,
+ pci_unmap_single(h->pdev, temp64.val, chain_sg->Len, PCI_DMA_TODEVICE);
+ }
+
+-static void complete_scsi_command(struct CommandList *cp,
+- int timeout, u32 tag)
++static void complete_scsi_command(struct CommandList *cp)
+ {
+ struct scsi_cmnd *cmd;
+ struct ctlr_info *h;
+@@ -2908,7 +2907,7 @@ static inline void finish_cmd(struct CommandList *c, u32 raw_tag)
+ {
+ removeQ(c);
+ if (likely(c->cmd_type == CMD_SCSI))
+- complete_scsi_command(c, 0, raw_tag);
++ complete_scsi_command(c);
+ else if (c->cmd_type == CMD_IOCTL_PEND)
+ complete(c->waiting);
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch)
@@ -0,0 +1,33 @@
+From eee0ac89f0ce7c0f30cdf2c094c2bd3081f68082 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:05 -0500
+Subject: [PATCH 105/136] hpsa: delete old unused padding garbage
+
+commit a2a431a4fd3b11c6808933ca1bdb2d28a8fa0634 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa_cmd.h | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 1846490..0500740 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -256,14 +256,6 @@ struct ErrorInfo {
+ #define CMD_IOCTL_PEND 0x01
+ #define CMD_SCSI 0x03
+
+-/* This structure needs to be divisible by 32 for new
+- * indexing method and performant mode.
+- */
+-#define PAD32 32
+-#define PAD64DIFF 0
+-#define USEEXTRA ((sizeof(void *) - 4)/4)
+-#define PADSIZE (PAD32 + PAD64DIFF * USEEXTRA)
+-
+ #define DIRECT_LOOKUP_SHIFT 5
+ #define DIRECT_LOOKUP_BIT 0x10
+ #define DIRECT_LOOKUP_MASK (~((1 << DIRECT_LOOKUP_SHIFT) - 1))
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch)
@@ -0,0 +1,154 @@
+From 66c1eae0fb9d6eba75effd5aeb23a7431ef4176f Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:10 -0500
+Subject: [PATCH 106/136] hpsa: do a better job of detecting controller reset
+ failure
+
+commit 580ada3c1e2f23b4b0f3c254cae3eb278f92d494 upstream.
+
+Detect failure of controller reset by noticing if the 32 bytes of
+"driver version" we store on the hardware in the config table
+fail to get zeroed out. Previously we noticed if the controller
+did not transition to "simple mode", but this did not detect reset
+failure if the controller was already in simple mode prior to
+the reset attempt (e.g. due to module parameter hpsa_simple_mode=1).
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 76 ++++++++++++++++++++++++++++++++++++++++-------
+ drivers/scsi/hpsa_cmd.h | 1 +
+ 2 files changed, 67 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a5b47a9..dcdf55a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3156,6 +3156,59 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ return 0;
+ }
+
++static __devinit void init_driver_version(char *driver_version, int len)
++{
++ memset(driver_version, 0, len);
++ strncpy(driver_version, "hpsa " HPSA_DRIVER_VERSION, len - 1);
++}
++
++static __devinit int write_driver_ver_to_cfgtable(
++ struct CfgTable __iomem *cfgtable)
++{
++ char *driver_version;
++ int i, size = sizeof(cfgtable->driver_version);
++
++ driver_version = kmalloc(size, GFP_KERNEL);
++ if (!driver_version)
++ return -ENOMEM;
++
++ init_driver_version(driver_version, size);
++ for (i = 0; i < size; i++)
++ writeb(driver_version[i], &cfgtable->driver_version[i]);
++ kfree(driver_version);
++ return 0;
++}
++
++static __devinit void read_driver_ver_from_cfgtable(
++ struct CfgTable __iomem *cfgtable, unsigned char *driver_ver)
++{
++ int i;
++
++ for (i = 0; i < sizeof(cfgtable->driver_version); i++)
++ driver_ver[i] = readb(&cfgtable->driver_version[i]);
++}
++
++static __devinit int controller_reset_failed(
++ struct CfgTable __iomem *cfgtable)
++{
++
++ char *driver_ver, *old_driver_ver;
++ int rc, size = sizeof(cfgtable->driver_version);
++
++ old_driver_ver = kmalloc(2 * size, GFP_KERNEL);
++ if (!old_driver_ver)
++ return -ENOMEM;
++ driver_ver = old_driver_ver + size;
++
++ /* After a reset, the 32 bytes of "driver version" in the cfgtable
++ * should have been changed, otherwise we know the reset failed.
++ */
++ init_driver_version(old_driver_ver, size);
++ read_driver_ver_from_cfgtable(cfgtable, driver_ver);
++ rc = !memcmp(driver_ver, old_driver_ver, size);
++ kfree(old_driver_ver);
++ return rc;
++}
+ /* This does a hard reset of the controller using PCI power management
+ * states or the using the doorbell register.
+ */
+@@ -3166,7 +3219,7 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ u64 cfg_base_addr_index;
+ void __iomem *vaddr;
+ unsigned long paddr;
+- u32 misc_fw_support, active_transport;
++ u32 misc_fw_support;
+ int rc;
+ struct CfgTable __iomem *cfgtable;
+ bool use_doorbell;
+@@ -3228,6 +3281,9 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ rc = -ENOMEM;
+ goto unmap_vaddr;
+ }
++ rc = write_driver_ver_to_cfgtable(cfgtable);
++ if (rc)
++ goto unmap_vaddr;
+
+ /* If reset via doorbell register is supported, use that. */
+ misc_fw_support = readl(&cfgtable->misc_fw_support);
+@@ -3261,19 +3317,16 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ "failed waiting for board to become ready\n");
+ goto unmap_cfgtable;
+ }
+- dev_info(&pdev->dev, "board ready.\n");
+
+- /* Controller should be in simple mode at this point. If it's not,
+- * It means we're on one of those controllers which doesn't support
+- * the doorbell reset method and on which the PCI power management reset
+- * method doesn't work (P800, for example.)
+- * In those cases, don't try to proceed, as it generally doesn't work.
+- */
+- active_transport = readl(&cfgtable->TransportActive);
+- if (active_transport & PERFORMANT_MODE) {
++ rc = controller_reset_failed(vaddr);
++ if (rc < 0)
++ goto unmap_cfgtable;
++ if (rc) {
+ dev_warn(&pdev->dev, "Unable to successfully reset controller,"
+ " Ignoring controller.\n");
+ rc = -ENODEV;
++ } else {
++ dev_info(&pdev->dev, "board ready.\n");
+ }
+
+ unmap_cfgtable:
+@@ -3514,6 +3567,9 @@ static int __devinit hpsa_find_cfgtables(struct ctlr_info *h)
+ cfg_base_addr_index) + cfg_offset, sizeof(*h->cfgtable));
+ if (!h->cfgtable)
+ return -ENOMEM;
++ rc = write_driver_ver_to_cfgtable(h->cfgtable);
++ if (rc)
++ return rc;
+ /* Find performant mode table. */
+ trans_offset = readl(&h->cfgtable->TransMethodOffset);
+ h->transtable = remap_pci_mem(pci_resource_start(h->pdev,
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 0500740..8fd35a7 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -337,6 +337,7 @@ struct CfgTable {
+ u8 reserved[0x78 - 0x58];
+ u32 misc_fw_support; /* offset 0x78 */
+ #define MISC_FW_DOORBELL_RESET (0x02)
++ u8 driver_version[32];
+ };
+
+ #define NUM_BLOCKFETCH_ENTRIES 8
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch)
@@ -0,0 +1,31 @@
+From cab8825b8a2cb4fd848a4e5bf9d0c952a1801b53 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:15 -0500
+Subject: [PATCH 107/136] hpsa: wait longer for no-op to complete after
+ resetting controller
+
+commit 516fda49e8596904a741693059c8746f11ce579c upstream.
+
+This is to avoid the usual two or three messages about the command
+timing out. We're obviously not waiting long enough.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 7eec397..7a4ee73 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -130,7 +130,7 @@ struct ctlr_info {
+ #define HPSA_BUS_RESET_MSG 2
+ #define HPSA_HOST_RESET_MSG 3
+ #define HPSA_MSG_SEND_RETRY_LIMIT 10
+-#define HPSA_MSG_SEND_RETRY_INTERVAL_MSECS 1000
++#define HPSA_MSG_SEND_RETRY_INTERVAL_MSECS (10000)
+
+ /* Maximum time in seconds driver will wait for command completions
+ * when polling before giving up.
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch)
@@ -0,0 +1,112 @@
+From 65214eeec0a7660174f59dbd1e2bcc9173c5c9c7 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:20 -0500
+Subject: [PATCH 108/136] hpsa: factor out cmd pool allocation functions
+
+commit 2e9d1b3626c4383362df30bb853a1b57c2798300 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 66 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index dcdf55a..385fddd 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3819,6 +3819,40 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ return 0;
+ }
+
++static __devinit int hpsa_allocate_cmd_pool(struct ctlr_info *h)
++{
++ h->cmd_pool_bits = kzalloc(
++ DIV_ROUND_UP(h->nr_cmds, BITS_PER_LONG) *
++ sizeof(unsigned long), GFP_KERNEL);
++ h->cmd_pool = pci_alloc_consistent(h->pdev,
++ h->nr_cmds * sizeof(*h->cmd_pool),
++ &(h->cmd_pool_dhandle));
++ h->errinfo_pool = pci_alloc_consistent(h->pdev,
++ h->nr_cmds * sizeof(*h->errinfo_pool),
++ &(h->errinfo_pool_dhandle));
++ if ((h->cmd_pool_bits == NULL)
++ || (h->cmd_pool == NULL)
++ || (h->errinfo_pool == NULL)) {
++ dev_err(&h->pdev->dev, "out of memory in %s", __func__);
++ return -ENOMEM;
++ }
++ return 0;
++}
++
++static void hpsa_free_cmd_pool(struct ctlr_info *h)
++{
++ kfree(h->cmd_pool_bits);
++ if (h->cmd_pool)
++ pci_free_consistent(h->pdev,
++ h->nr_cmds * sizeof(struct CommandList),
++ h->cmd_pool, h->cmd_pool_dhandle);
++ if (h->errinfo_pool)
++ pci_free_consistent(h->pdev,
++ h->nr_cmds * sizeof(struct ErrorInfo),
++ h->errinfo_pool,
++ h->errinfo_pool_dhandle);
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -3889,33 +3923,14 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ dev_info(&pdev->dev, "%s: <0x%x> at IRQ %d%s using DAC\n",
+ h->devname, pdev->device,
+ h->intr[h->intr_mode], dac ? "" : " not");
+-
+- h->cmd_pool_bits =
+- kmalloc(((h->nr_cmds + BITS_PER_LONG -
+- 1) / BITS_PER_LONG) * sizeof(unsigned long), GFP_KERNEL);
+- h->cmd_pool = pci_alloc_consistent(h->pdev,
+- h->nr_cmds * sizeof(*h->cmd_pool),
+- &(h->cmd_pool_dhandle));
+- h->errinfo_pool = pci_alloc_consistent(h->pdev,
+- h->nr_cmds * sizeof(*h->errinfo_pool),
+- &(h->errinfo_pool_dhandle));
+- if ((h->cmd_pool_bits == NULL)
+- || (h->cmd_pool == NULL)
+- || (h->errinfo_pool == NULL)) {
+- dev_err(&pdev->dev, "out of memory");
+- rc = -ENOMEM;
++ if (hpsa_allocate_cmd_pool(h))
+ goto clean4;
+- }
+ if (hpsa_allocate_sg_chain_blocks(h))
+ goto clean4;
+ init_waitqueue_head(&h->scan_wait_queue);
+ h->scan_finished = 1; /* no scan currently in progress */
+
+ pci_set_drvdata(pdev, h);
+- memset(h->cmd_pool_bits, 0,
+- ((h->nr_cmds + BITS_PER_LONG -
+- 1) / BITS_PER_LONG) * sizeof(unsigned long));
+-
+ hpsa_scsi_setup(h);
+
+ /* Turn the interrupts on so we can service requests */
+@@ -3929,16 +3944,7 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+
+ clean4:
+ hpsa_free_sg_chain_blocks(h);
+- kfree(h->cmd_pool_bits);
+- if (h->cmd_pool)
+- pci_free_consistent(h->pdev,
+- h->nr_cmds * sizeof(struct CommandList),
+- h->cmd_pool, h->cmd_pool_dhandle);
+- if (h->errinfo_pool)
+- pci_free_consistent(h->pdev,
+- h->nr_cmds * sizeof(struct ErrorInfo),
+- h->errinfo_pool,
+- h->errinfo_pool_dhandle);
++ hpsa_free_cmd_pool(h);
+ free_irq(h->intr[h->intr_mode], h);
+ clean2:
+ clean1:
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch)
@@ -0,0 +1,65 @@
+From cbe6b1e444cd01e6e30fe84af46c0d06718899e9 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:25 -0500
+Subject: [PATCH 109/136] hpsa: factor out irq request code
+
+commit 0ae01a32cb4a89ef0ed49bb6f49bd5830b13ab3e upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 385fddd..af883b6 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3853,6 +3853,26 @@ static void hpsa_free_cmd_pool(struct ctlr_info *h)
+ h->errinfo_pool_dhandle);
+ }
+
++static int hpsa_request_irq(struct ctlr_info *h,
++ irqreturn_t (*msixhandler)(int, void *),
++ irqreturn_t (*intxhandler)(int, void *))
++{
++ int rc;
++
++ if (h->msix_vector || h->msi_vector)
++ rc = request_irq(h->intr[h->intr_mode], msixhandler,
++ IRQF_DISABLED, h->devname, h);
++ else
++ rc = request_irq(h->intr[h->intr_mode], intxhandler,
++ IRQF_DISABLED, h->devname, h);
++ if (rc) {
++ dev_err(&h->pdev->dev, "unable to get irq %d for %s\n",
++ h->intr[h->intr_mode], h->devname);
++ return -ENODEV;
++ }
++ return 0;
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -3908,18 +3928,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ /* make sure the board interrupts are off */
+ h->access.set_intr_mask(h, HPSA_INTR_OFF);
+
+- if (h->msix_vector || h->msi_vector)
+- rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_msi,
+- IRQF_DISABLED, h->devname, h);
+- else
+- rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_intx,
+- IRQF_DISABLED, h->devname, h);
+- if (rc) {
+- dev_err(&pdev->dev, "unable to get irq %d for %s\n",
+- h->intr[h->intr_mode], h->devname);
++ if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
+ goto clean2;
+- }
+-
+ dev_info(&pdev->dev, "%s: <0x%x> at IRQ %d%s using DAC\n",
+ h->devname, pdev->device,
+ h->intr[h->intr_mode], dac ? "" : " not");
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch)
@@ -0,0 +1,27 @@
+From cf37da8207b8daf6830e81d803e9c04e7fae0e5d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:31 -0500
+Subject: [PATCH 110/136] hpsa: increase time to wait for board reset
+
+commit 2ed7127bceb10a6a7d5a38c30ab65176d4e4bc0f upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 7a4ee73..b1412a7 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -155,7 +155,7 @@ struct ctlr_info {
+ * HPSA_BOARD_READY_ITERATIONS are derived from those.
+ */
+ #define HPSA_BOARD_READY_WAIT_SECS (120)
+-#define HPSA_BOARD_NOT_READY_WAIT_SECS (10)
++#define HPSA_BOARD_NOT_READY_WAIT_SECS (100)
+ #define HPSA_BOARD_READY_POLL_INTERVAL_MSECS (100)
+ #define HPSA_BOARD_READY_POLL_INTERVAL \
+ ((HPSA_BOARD_READY_POLL_INTERVAL_MSECS * HZ) / 1000)
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch)
@@ -0,0 +1,47 @@
+From 943f2a951a285ef8affdab4fb237e1b6bbc6ceca Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:36 -0500
+Subject: [PATCH 111/136] hpsa: clarify messages around reset behavior
+
+commit 2b870cb30000477e425666f9c6d83cca8fddc7c0 upstream.
+
+When waiting for the board to become "not ready"
+don't print a message saying "waiting for board to
+become ready" (possibly followed by a message saying
+"failed waiting for board to become not ready". Instead,
+it should be "waiting for board to reset" and "failed
+waiting for board to reset."
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index af883b6..c9e26a5 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3306,11 +3306,11 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ msleep(HPSA_POST_RESET_PAUSE_MSECS);
+
+ /* Wait for board to become not ready, then ready. */
+- dev_info(&pdev->dev, "Waiting for board to become ready.\n");
++ dev_info(&pdev->dev, "Waiting for board to reset.\n");
+ rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_NOT_READY);
+ if (rc)
+ dev_warn(&pdev->dev,
+- "failed waiting for board to become not ready\n");
++ "failed waiting for board to reset\n");
+ rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_READY);
+ if (rc) {
+ dev_warn(&pdev->dev,
+@@ -3809,6 +3809,7 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ return -ENODEV;
+
+ /* Now try to get the controller to respond to a no-op */
++ dev_warn(&pdev->dev, "Waiting for controller to respond to no-op\n");
+ for (i = 0; i < HPSA_POST_RESET_NOOP_RETRIES; i++) {
+ if (hpsa_noop(pdev) == 0)
+ break;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch)
@@ -0,0 +1,46 @@
+From 014dd58b2c620e56b168ec767427bd6a83a15886 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:41 -0500
+Subject: [PATCH 112/136] hpsa: remove atrophied hpsa_scsi_setup function
+
+commit 9a41338e5b474add499a7ca2a5a76148e5076805 upstream.
+
+hpsa_scsi_setup at one time contained enough code to justify
+its existence, but that time has passed.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c9e26a5..dd30bfd 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -920,13 +920,6 @@ static void hpsa_slave_destroy(struct scsi_device *sdev)
+ /* nothing to do. */
+ }
+
+-static void hpsa_scsi_setup(struct ctlr_info *h)
+-{
+- h->ndevices = 0;
+- h->scsi_host = NULL;
+- spin_lock_init(&h->devlock);
+-}
+-
+ static void hpsa_free_sg_chain_blocks(struct ctlr_info *h)
+ {
+ int i;
+@@ -3942,7 +3935,9 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ h->scan_finished = 1; /* no scan currently in progress */
+
+ pci_set_drvdata(pdev, h);
+- hpsa_scsi_setup(h);
++ h->ndevices = 0;
++ h->scsi_host = NULL;
++ spin_lock_init(&h->devlock);
+
+ /* Turn the interrupts on so we can service requests */
+ h->access.set_intr_mask(h, HPSA_INTR_ON);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch)
@@ -0,0 +1,99 @@
+From 10d448eedfaf5e81e3298e2804449932f1dabb8f Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:46 -0500
+Subject: [PATCH 113/136] hpsa: use new doorbell-bit-5 reset method
+
+commit cf0b08d0cd87ada9d284925834d08fb8026da888 upstream.
+
+The bit-2-doorbell reset method seemed to cause (survivable) NMIs
+on some systems and (unsurvivable) IOCK NMIs on some G7 servers.
+Firmware guys implemented a new doorbell method to alleviate these
+problems triggered by bit 5 of the doorbell register. We want to
+use it if it's available.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 25 ++++++++++++++++++++-----
+ drivers/scsi/hpsa_cmd.h | 2 ++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index dd30bfd..eece647 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3100,7 +3100,7 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ #define hpsa_noop(p) hpsa_message(p, 3, 0)
+
+ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+- void * __iomem vaddr, bool use_doorbell)
++ void * __iomem vaddr, u32 use_doorbell)
+ {
+ u16 pmcsr;
+ int pos;
+@@ -3111,7 +3111,7 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ * other way using the doorbell register.
+ */
+ dev_info(&pdev->dev, "using doorbell to reset controller\n");
+- writel(DOORBELL_CTLR_RESET, vaddr + SA5_DOORBELL);
++ writel(use_doorbell, vaddr + SA5_DOORBELL);
+ msleep(1000);
+ } else { /* Try to do it the PCI power state way */
+
+@@ -3215,7 +3215,7 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ u32 misc_fw_support;
+ int rc;
+ struct CfgTable __iomem *cfgtable;
+- bool use_doorbell;
++ u32 use_doorbell;
+ u32 board_id;
+ u16 command_register;
+
+@@ -3278,9 +3278,24 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ if (rc)
+ goto unmap_vaddr;
+
+- /* If reset via doorbell register is supported, use that. */
++ /* If reset via doorbell register is supported, use that.
++ * There are two such methods. Favor the newest method.
++ */
+ misc_fw_support = readl(&cfgtable->misc_fw_support);
+- use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
++ use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET2;
++ if (use_doorbell) {
++ use_doorbell = DOORBELL_CTLR_RESET2;
++ } else {
++ use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
++ if (use_doorbell) {
++ dev_warn(&pdev->dev, "Controller claims that "
++ "'Bit 2 doorbell reset' is "
++ "supported, but not 'bit 5 doorbell reset'. "
++ "Firmware update is recommended.\n");
++ rc = -ENODEV;
++ goto unmap_cfgtable;
++ }
++ }
+
+ rc = hpsa_controller_hard_reset(pdev, vaddr, use_doorbell);
+ if (rc)
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 8fd35a7..55d741b 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -101,6 +101,7 @@
+ #define CFGTBL_ChangeReq 0x00000001l
+ #define CFGTBL_AccCmds 0x00000001l
+ #define DOORBELL_CTLR_RESET 0x00000004l
++#define DOORBELL_CTLR_RESET2 0x00000020l
+
+ #define CFGTBL_Trans_Simple 0x00000002l
+ #define CFGTBL_Trans_Performant 0x00000004l
+@@ -337,6 +338,7 @@ struct CfgTable {
+ u8 reserved[0x78 - 0x58];
+ u32 misc_fw_support; /* offset 0x78 */
+ #define MISC_FW_DOORBELL_RESET (0x02)
++#define MISC_FW_DOORBELL_RESET2 (0x010)
+ u8 driver_version[32];
+ };
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch)
@@ -0,0 +1,361 @@
+From 679d87a9511524282791dd411777a13a14ee5581 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:51 -0500
+Subject: [PATCH 114/136] hpsa: do soft reset if hard reset is broken
+
+commit 64670ac8702ec37a00ad6e479f3cacbde0fd4efa upstream.
+
+on driver load, if reset_devices is set, and the hard reset
+attempts fail, try to bring up the controller to the point that
+a command can be sent, and send it a soft reset command, then
+after the reset undo whatever driver initialization was done to get
+it to the point to take a command, and re-do it after the reset.
+
+This is to get kdump to work on all the "non-resettable" controllers
+(except 64xx controllers which can't be reset due to the potentially
+shared cache module.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 226 +++++++++++++++++++++++++++++++++++++++++++++++----
+ drivers/scsi/hpsa.h | 6 +-
+ 2 files changed, 216 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index eece647..71389ed 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2715,6 +2715,26 @@ static int hpsa_ioctl(struct scsi_device *dev, int cmd, void *arg)
+ }
+ }
+
++static int __devinit hpsa_send_host_reset(struct ctlr_info *h,
++ unsigned char *scsi3addr, u8 reset_type)
++{
++ struct CommandList *c;
++
++ c = cmd_alloc(h);
++ if (!c)
++ return -ENOMEM;
++ fill_cmd(c, HPSA_DEVICE_RESET_MSG, h, NULL, 0, 0,
++ RAID_CTLR_LUNID, TYPE_MSG);
++ c->Request.CDB[1] = reset_type; /* fill_cmd defaults to target reset */
++ c->waiting = NULL;
++ enqueue_cmd_and_start_io(h, c);
++ /* Don't wait for completion, the reset won't complete. Don't free
++ * the command either. This is the last command we will send before
++ * re-initializing everything, so it doesn't matter and won't leak.
++ */
++ return 0;
++}
++
+ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ void *buff, size_t size, u8 page_code, unsigned char *scsi3addr,
+ int cmd_type)
+@@ -2792,7 +2812,8 @@ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ c->Request.Type.Attribute = ATTR_SIMPLE;
+ c->Request.Type.Direction = XFER_NONE;
+ c->Request.Timeout = 0; /* Don't time out */
+- c->Request.CDB[0] = 0x01; /* RESET_MSG is 0x01 */
++ memset(&c->Request.CDB[0], 0, sizeof(c->Request.CDB));
++ c->Request.CDB[0] = cmd;
+ c->Request.CDB[1] = 0x03; /* Reset target above */
+ /* If bytes 4-7 are zero, it means reset the */
+ /* LunID device */
+@@ -2958,6 +2979,63 @@ static inline u32 process_nonindexed_cmd(struct ctlr_info *h,
+ return next_command(h);
+ }
+
++/* Some controllers, like p400, will give us one interrupt
++ * after a soft reset, even if we turned interrupts off.
++ * Only need to check for this in the hpsa_xxx_discard_completions
++ * functions.
++ */
++static int ignore_bogus_interrupt(struct ctlr_info *h)
++{
++ if (likely(!reset_devices))
++ return 0;
++
++ if (likely(h->interrupts_enabled))
++ return 0;
++
++ dev_info(&h->pdev->dev, "Received interrupt while interrupts disabled "
++ "(known firmware bug.) Ignoring.\n");
++
++ return 1;
++}
++
++static irqreturn_t hpsa_intx_discard_completions(int irq, void *dev_id)
++{
++ struct ctlr_info *h = dev_id;
++ unsigned long flags;
++ u32 raw_tag;
++
++ if (ignore_bogus_interrupt(h))
++ return IRQ_NONE;
++
++ if (interrupt_not_for_us(h))
++ return IRQ_NONE;
++ spin_lock_irqsave(&h->lock, flags);
++ while (interrupt_pending(h)) {
++ raw_tag = get_next_completion(h);
++ while (raw_tag != FIFO_EMPTY)
++ raw_tag = next_command(h);
++ }
++ spin_unlock_irqrestore(&h->lock, flags);
++ return IRQ_HANDLED;
++}
++
++static irqreturn_t hpsa_msix_discard_completions(int irq, void *dev_id)
++{
++ struct ctlr_info *h = dev_id;
++ unsigned long flags;
++ u32 raw_tag;
++
++ if (ignore_bogus_interrupt(h))
++ return IRQ_NONE;
++
++ spin_lock_irqsave(&h->lock, flags);
++ raw_tag = get_next_completion(h);
++ while (raw_tag != FIFO_EMPTY)
++ raw_tag = next_command(h);
++ spin_unlock_irqrestore(&h->lock, flags);
++ return IRQ_HANDLED;
++}
++
+ static irqreturn_t do_hpsa_intr_intx(int irq, void *dev_id)
+ {
+ struct ctlr_info *h = dev_id;
+@@ -3096,7 +3174,6 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ return 0;
+ }
+
+-#define hpsa_soft_reset_controller(p) hpsa_message(p, 1, 0)
+ #define hpsa_noop(p) hpsa_message(p, 3, 0)
+
+ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+@@ -3292,7 +3369,7 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ "'Bit 2 doorbell reset' is "
+ "supported, but not 'bit 5 doorbell reset'. "
+ "Firmware update is recommended.\n");
+- rc = -ENODEV;
++ rc = -ENOTSUPP; /* try soft reset */
+ goto unmap_cfgtable;
+ }
+ }
+@@ -3316,13 +3393,18 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ /* Wait for board to become not ready, then ready. */
+ dev_info(&pdev->dev, "Waiting for board to reset.\n");
+ rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_NOT_READY);
+- if (rc)
++ if (rc) {
+ dev_warn(&pdev->dev,
+- "failed waiting for board to reset\n");
++ "failed waiting for board to reset."
++ " Will try soft reset.\n");
++ rc = -ENOTSUPP; /* Not expected, but try soft reset later */
++ goto unmap_cfgtable;
++ }
+ rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_READY);
+ if (rc) {
+ dev_warn(&pdev->dev,
+- "failed waiting for board to become ready\n");
++ "failed waiting for board to become ready "
++ "after hard reset\n");
+ goto unmap_cfgtable;
+ }
+
+@@ -3330,11 +3412,11 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ if (rc < 0)
+ goto unmap_cfgtable;
+ if (rc) {
+- dev_warn(&pdev->dev, "Unable to successfully reset controller,"
+- " Ignoring controller.\n");
+- rc = -ENODEV;
++ dev_warn(&pdev->dev, "Unable to successfully reset "
++ "controller. Will try soft reset.\n");
++ rc = -ENOTSUPP;
+ } else {
+- dev_info(&pdev->dev, "board ready.\n");
++ dev_info(&pdev->dev, "board ready after hard reset.\n");
+ }
+
+ unmap_cfgtable:
+@@ -3812,7 +3894,7 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ * due to concerns about shared bbwc between 6402/6404 pair.
+ */
+ if (rc == -ENOTSUPP)
+- return 0; /* just try to do the kdump anyhow. */
++ return rc; /* just try to do the kdump anyhow. */
+ if (rc)
+ return -ENODEV;
+
+@@ -3882,18 +3964,79 @@ static int hpsa_request_irq(struct ctlr_info *h,
+ return 0;
+ }
+
++static int __devinit hpsa_kdump_soft_reset(struct ctlr_info *h)
++{
++ if (hpsa_send_host_reset(h, RAID_CTLR_LUNID,
++ HPSA_RESET_TYPE_CONTROLLER)) {
++ dev_warn(&h->pdev->dev, "Resetting array controller failed.\n");
++ return -EIO;
++ }
++
++ dev_info(&h->pdev->dev, "Waiting for board to soft reset.\n");
++ if (hpsa_wait_for_board_state(h->pdev, h->vaddr, BOARD_NOT_READY)) {
++ dev_warn(&h->pdev->dev, "Soft reset had no effect.\n");
++ return -1;
++ }
++
++ dev_info(&h->pdev->dev, "Board reset, awaiting READY status.\n");
++ if (hpsa_wait_for_board_state(h->pdev, h->vaddr, BOARD_READY)) {
++ dev_warn(&h->pdev->dev, "Board failed to become ready "
++ "after soft reset.\n");
++ return -1;
++ }
++
++ return 0;
++}
++
++static void hpsa_undo_allocations_after_kdump_soft_reset(struct ctlr_info *h)
++{
++ free_irq(h->intr[h->intr_mode], h);
++#ifdef CONFIG_PCI_MSI
++ if (h->msix_vector)
++ pci_disable_msix(h->pdev);
++ else if (h->msi_vector)
++ pci_disable_msi(h->pdev);
++#endif /* CONFIG_PCI_MSI */
++ hpsa_free_sg_chain_blocks(h);
++ hpsa_free_cmd_pool(h);
++ kfree(h->blockFetchTable);
++ pci_free_consistent(h->pdev, h->reply_pool_size,
++ h->reply_pool, h->reply_pool_dhandle);
++ if (h->vaddr)
++ iounmap(h->vaddr);
++ if (h->transtable)
++ iounmap(h->transtable);
++ if (h->cfgtable)
++ iounmap(h->cfgtable);
++ pci_release_regions(h->pdev);
++ kfree(h);
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+ int dac, rc;
+ struct ctlr_info *h;
++ int try_soft_reset = 0;
++ unsigned long flags;
+
+ if (number_of_controllers == 0)
+ printk(KERN_INFO DRIVER_NAME "\n");
+
+ rc = hpsa_init_reset_devices(pdev);
+- if (rc)
+- return rc;
++ if (rc) {
++ if (rc != -ENOTSUPP)
++ return rc;
++ /* If the reset fails in a particular way (it has no way to do
++ * a proper hard reset, so returns -ENOTSUPP) we can try to do
++ * a soft reset once we get the controller configured up to the
++ * point that it can accept a command.
++ */
++ try_soft_reset = 1;
++ rc = 0;
++ }
++
++reinit_after_soft_reset:
+
+ /* Command structures must be aligned on a 32-byte boundary because
+ * the 5 lower bits of the address are used by the hardware. and by
+@@ -3953,11 +4096,66 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ h->ndevices = 0;
+ h->scsi_host = NULL;
+ spin_lock_init(&h->devlock);
++ hpsa_put_ctlr_into_performant_mode(h);
++
++ /* At this point, the controller is ready to take commands.
++ * Now, if reset_devices and the hard reset didn't work, try
++ * the soft reset and see if that works.
++ */
++ if (try_soft_reset) {
++
++ /* This is kind of gross. We may or may not get a completion
++ * from the soft reset command, and if we do, then the value
++ * from the fifo may or may not be valid. So, we wait 10 secs
++ * after the reset throwing away any completions we get during
++ * that time. Unregister the interrupt handler and register
++ * fake ones to scoop up any residual completions.
++ */
++ spin_lock_irqsave(&h->lock, flags);
++ h->access.set_intr_mask(h, HPSA_INTR_OFF);
++ spin_unlock_irqrestore(&h->lock, flags);
++ free_irq(h->intr[h->intr_mode], h);
++ rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
++ hpsa_intx_discard_completions);
++ if (rc) {
++ dev_warn(&h->pdev->dev, "Failed to request_irq after "
++ "soft reset.\n");
++ goto clean4;
++ }
++
++ rc = hpsa_kdump_soft_reset(h);
++ if (rc)
++ /* Neither hard nor soft reset worked, we're hosed. */
++ goto clean4;
++
++ dev_info(&h->pdev->dev, "Board READY.\n");
++ dev_info(&h->pdev->dev,
++ "Waiting for stale completions to drain.\n");
++ h->access.set_intr_mask(h, HPSA_INTR_ON);
++ msleep(10000);
++ h->access.set_intr_mask(h, HPSA_INTR_OFF);
++
++ rc = controller_reset_failed(h->cfgtable);
++ if (rc)
++ dev_info(&h->pdev->dev,
++ "Soft reset appears to have failed.\n");
++
++ /* since the controller's reset, we have to go back and re-init
++ * everything. Easiest to just forget what we've done and do it
++ * all over again.
++ */
++ hpsa_undo_allocations_after_kdump_soft_reset(h);
++ try_soft_reset = 0;
++ if (rc)
++ /* don't go to clean4, we already unallocated */
++ return -ENODEV;
++
++ goto reinit_after_soft_reset;
++ }
+
+ /* Turn the interrupts on so we can service requests */
+ h->access.set_intr_mask(h, HPSA_INTR_ON);
+
+- hpsa_put_ctlr_into_performant_mode(h);
+ hpsa_hba_inquiry(h);
+ hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
+ h->busy_initializing = 0;
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index b1412a7..6d8dcd4 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -127,8 +127,10 @@ struct ctlr_info {
+ };
+ #define HPSA_ABORT_MSG 0
+ #define HPSA_DEVICE_RESET_MSG 1
+-#define HPSA_BUS_RESET_MSG 2
+-#define HPSA_HOST_RESET_MSG 3
++#define HPSA_RESET_TYPE_CONTROLLER 0x00
++#define HPSA_RESET_TYPE_BUS 0x01
++#define HPSA_RESET_TYPE_TARGET 0x03
++#define HPSA_RESET_TYPE_LUN 0x04
+ #define HPSA_MSG_SEND_RETRY_LIMIT 10
+ #define HPSA_MSG_SEND_RETRY_INTERVAL_MSECS (10000)
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch)
@@ -0,0 +1,35 @@
+From 74ea21428ef9fbf84f6c4ee2cf3f8eb576cb31a6 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:56 -0500
+Subject: [PATCH 115/136] hpsa: remove superfluous sleeps around reset code
+
+commit dfc2224828c5fc4ec7e11587b9d6b97283aa2d01 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 71389ed..518dd07 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3189,7 +3189,6 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ */
+ dev_info(&pdev->dev, "using doorbell to reset controller\n");
+ writel(use_doorbell, vaddr + SA5_DOORBELL);
+- msleep(1000);
+ } else { /* Try to do it the PCI power state way */
+
+ /* Quoting from the Open CISS Specification: "The Power
+@@ -3220,8 +3219,6 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ pmcsr |= PCI_D0;
+ pci_write_config_word(pdev, pos + PCI_PM_CTRL, pmcsr);
+-
+- msleep(500);
+ }
+ return 0;
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch)
@@ -0,0 +1,113 @@
+From 048a06e370eb474566f59cafea6af8df80456673 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 15:00:01 -0500
+Subject: [PATCH 116/136] hpsa: do not attempt PCI power management reset
+ method if we know it won't work.
+
+commit 4638078697574be43816779845e26bf05ae70d9d upstream.
+
+Just go straight to the soft-reset method instead.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 52 +++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 38 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 518dd07..70a35a0 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -265,7 +265,7 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ "performant" : "simple");
+ }
+
+-/* List of controllers which cannot be reset on kexec with reset_devices */
++/* List of controllers which cannot be hard reset on kexec with reset_devices */
+ static u32 unresettable_controller[] = {
+ 0x324a103C, /* Smart Array P712m */
+ 0x324b103C, /* SmartArray P711m */
+@@ -283,16 +283,45 @@ static u32 unresettable_controller[] = {
+ 0x409D0E11, /* Smart Array 6400 EM */
+ };
+
+-static int ctlr_is_resettable(struct ctlr_info *h)
++/* List of controllers which cannot even be soft reset */
++static u32 soft_unresettable_controller[] = {
++ /* Exclude 640x boards. These are two pci devices in one slot
++ * which share a battery backed cache module. One controls the
++ * cache, the other accesses the cache through the one that controls
++ * it. If we reset the one controlling the cache, the other will
++ * likely not be happy. Just forbid resetting this conjoined mess.
++ * The 640x isn't really supported by hpsa anyway.
++ */
++ 0x409C0E11, /* Smart Array 6400 */
++ 0x409D0E11, /* Smart Array 6400 EM */
++};
++
++static int ctlr_is_hard_resettable(u32 board_id)
+ {
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(unresettable_controller); i++)
+- if (unresettable_controller[i] == h->board_id)
++ if (unresettable_controller[i] == board_id)
++ return 0;
++ return 1;
++}
++
++static int ctlr_is_soft_resettable(u32 board_id)
++{
++ int i;
++
++ for (i = 0; i < ARRAY_SIZE(soft_unresettable_controller); i++)
++ if (soft_unresettable_controller[i] == board_id)
+ return 0;
+ return 1;
+ }
+
++static int ctlr_is_resettable(u32 board_id)
++{
++ return ctlr_is_hard_resettable(board_id) ||
++ ctlr_is_soft_resettable(board_id);
++}
++
+ static ssize_t host_show_resettable(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -300,7 +329,7 @@ static ssize_t host_show_resettable(struct device *dev,
+ struct Scsi_Host *shost = class_to_shost(dev);
+
+ h = shost_to_hba(shost);
+- return snprintf(buf, 20, "%d\n", ctlr_is_resettable(h));
++ return snprintf(buf, 20, "%d\n", ctlr_is_resettable(h->board_id));
+ }
+
+ static inline int is_logical_dev_addr_mode(unsigned char scsi3addr[])
+@@ -3306,20 +3335,15 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ * using the doorbell register.
+ */
+
+- /* Exclude 640x boards. These are two pci devices in one slot
+- * which share a battery backed cache module. One controls the
+- * cache, the other accesses the cache through the one that controls
+- * it. If we reset the one controlling the cache, the other will
+- * likely not be happy. Just forbid resetting this conjoined mess.
+- * The 640x isn't really supported by hpsa anyway.
+- */
+ rc = hpsa_lookup_board_id(pdev, &board_id);
+- if (rc < 0) {
++ if (rc < 0 || !ctlr_is_resettable(board_id)) {
+ dev_warn(&pdev->dev, "Not resetting device.\n");
+ return -ENODEV;
+ }
+- if (board_id == 0x409C0E11 || board_id == 0x409D0E11)
+- return -ENOTSUPP;
++
++ /* if controller is soft- but not hard resettable... */
++ if (!ctlr_is_hard_resettable(board_id))
++ return -ENOTSUPP; /* try soft reset later. */
+
+ /* Save the PCI command register */
+ pci_read_config_word(pdev, 4, &command_register);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch)
@@ -0,0 +1,26 @@
+From 6d7872997a66af084ac19cf49878564bba217e23 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 15:00:07 -0500
+Subject: [PATCH 117/136] hpsa: add P2000 to list of shared SAS devices
+
+commit fda38518f236cbd965110938e324f6c6fcc91f38 upstream.
+
+Signed-off-by: Scott Teel <scott.stacy.teel at hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 70a35a0..d5bd28a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1582,6 +1582,7 @@ static unsigned char *msa2xxx_model[] = {
+ "MSA2024",
+ "MSA2312",
+ "MSA2324",
++ "P2000 G3 SAS",
+ NULL,
+ };
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch)
@@ -0,0 +1,42 @@
+From e6a95e129df6f74d862606175853f9dafb57f603 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe at perches.com>
+Date: Sun, 8 May 2011 23:32:40 -0700
+Subject: [PATCH 118/136] hpsa: Change memset using sizeof(ptr) to
+ sizeof(*ptr)
+
+commit 7630abd0c690e90cea9412846f596fe1565aaa0e upstream.
+
+Not at all sure this is correct or appropriate to change,
+but this seems odd.
+
+Found via coccinelle script
+
+@@
+type T;
+T* ptr;
+expression E1;
+@@
+
+* memset(E1, 0, sizeof(ptr));
+
+Signed-off-by: Joe Perches <joe at perches.com>
+Acked-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index d5bd28a..7592975 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1320,7 +1320,7 @@ static void hpsa_scsi_do_simple_cmd_with_retry(struct ctlr_info *h,
+ int retry_count = 0;
+
+ do {
+- memset(c->err_info, 0, sizeof(c->err_info));
++ memset(c->err_info, 0, sizeof(*c->err_info));
+ hpsa_scsi_do_simple_cmd_core(h, c);
+ retry_count++;
+ } while (check_for_unit_attention(h, c) && retry_count <= 3);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch)
@@ -0,0 +1,27 @@
+From 5ac805964e5192d41f39fa7695a19a34a9633991 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 3 Jun 2011 09:57:29 -0500
+Subject: [PATCH 119/136] hpsa: fix dma unmap error in hpsa_passthru_ioctl
+
+commit c2dd32e02648d77466f320d6edd157b5080e7c99 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 7592975..ffb555c3 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2552,7 +2552,8 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ c->SG[0].Ext = 0; /* we are not chaining*/
+ }
+ hpsa_scsi_do_simple_cmd_core(h, c);
+- hpsa_pci_unmap(h->pdev, c, 1, PCI_DMA_BIDIRECTIONAL);
++ if (iocommand.buf_size > 0)
++ hpsa_pci_unmap(h->pdev, c, 1, PCI_DMA_BIDIRECTIONAL);
+ check_ioctl_unit_attention(h, c);
+
+ /* Copy the error information out */
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch)
@@ -0,0 +1,62 @@
+From 1cf4a81224ce81d9da2d745ed755f1ad5e5cda27 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 3 Jun 2011 09:57:34 -0500
+Subject: [PATCH 120/136] hpsa: fix potential overrun while memcpy'ing sense
+ data
+
+commit db111e18ec19bbadbf44a60f73bf2ff5991dc915 upstream.
+
+This memcpy:
+
+ memcpy(cmd->sense_buffer, ei->SenseInfo,
+ ei->SenseLen > SCSI_SENSE_BUFFERSIZE ?
+ SCSI_SENSE_BUFFERSIZE :
+ ei->SenseLen);
+
+The ei->SenseLen field is filled in by the Smart Array. For requests to
+logical drives, it will not exceed 32 bytes, so should be ok, but for physical
+requests it depends on the target device, not the Smart Array. It's conceivable
+that this could exceed the 32 byte size of ei->SenseInfo. In that case, the memcpy
+would read past the end of ei->SenseInfo, copying data from the next command,
+as if it were sense data, or, if it happened to be the very last command in the
+block of allocated commands, could fall off the end of the allocated area and
+crash. I'm not aware of anyone ever encountering this behavior, but it could
+conceivably happen. This bug was found by Coverity.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index ffb555c3..2eff302 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1028,6 +1028,7 @@ static void complete_scsi_command(struct CommandList *cp)
+ unsigned char sense_key;
+ unsigned char asc; /* additional sense code */
+ unsigned char ascq; /* additional sense code qualifier */
++ unsigned long sense_data_size;
+
+ ei = cp->err_info;
+ cmd = (struct scsi_cmnd *) cp->scsi_cmd;
+@@ -1042,10 +1043,14 @@ static void complete_scsi_command(struct CommandList *cp)
+ cmd->result |= ei->ScsiStatus;
+
+ /* copy the sense data whether we need to or not. */
+- memcpy(cmd->sense_buffer, ei->SenseInfo,
+- ei->SenseLen > SCSI_SENSE_BUFFERSIZE ?
+- SCSI_SENSE_BUFFERSIZE :
+- ei->SenseLen);
++ if (SCSI_SENSE_BUFFERSIZE < sizeof(ei->SenseInfo))
++ sense_data_size = SCSI_SENSE_BUFFERSIZE;
++ else
++ sense_data_size = sizeof(ei->SenseInfo);
++ if (ei->SenseLen < sense_data_size)
++ sense_data_size = ei->SenseLen;
++
++ memcpy(cmd->sense_buffer, ei->SenseInfo, sense_data_size);
+ scsi_set_resid(cmd, ei->ResidualCnt);
+
+ if (ei->CommandStatus == 0) {
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch)
@@ -0,0 +1,31 @@
+From ce9532c00d55dec1fb71bca497e6bb0fccabc31e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 21 Jul 2011 13:16:05 -0500
+Subject: [PATCH 121/136] hpsa: do not attempt to read from a write-only
+ register
+
+commit fec62c368b9c8b05d5124ca6c3b8336b537f26f3 upstream.
+
+Most smartarrays tolerate it, but a few new ones don't.
+Without this change some newer Smart Arrays will lock up
+and i/o will grind to a halt.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 6d8dcd4..7f53ceaa 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -214,7 +214,7 @@ static void SA5_submit_command(struct ctlr_info *h,
+ dev_dbg(&h->pdev->dev, "Sending %x, tag = %x\n", c->busaddr,
+ c->Header.Tag.lower);
+ writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
+- (void) readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
++ (void) readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
+ h->commands_outstanding++;
+ if (h->commands_outstanding > h->max_outstanding)
+ h->max_outstanding = h->commands_outstanding;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch)
@@ -0,0 +1,35 @@
+From 401be4064af671b528803b7867ffeeb078130780 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 26 Jul 2011 11:08:52 -0500
+Subject: [PATCH 122/136] hpsa: retry commands completing with status of
+ UNSOLICITED_ABORT
+
+commit f6e76055ba778c56716ba79e106db28297775e87 upstream.
+
+In a shared SAS setup, target devices may be reset by one of
+several hosts, and outstanding commands on that device will be
+completed to corresponding hosts with status of UNSOLICITED_ABORT.
+Such commands should be retried instead of being treated as i/o
+errors. Also fixed a nearby spelling error.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 2eff302..8b3a238 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1210,8 +1210,8 @@ static void complete_scsi_command(struct CommandList *cp)
+ dev_warn(&h->pdev->dev, "cp %p reports abort failed\n", cp);
+ break;
+ case CMD_UNSOLICITED_ABORT:
+- cmd->result = DID_RESET << 16;
+- dev_warn(&h->pdev->dev, "cp %p aborted do to an unsolicited "
++ cmd->result = DID_SOFT_ERROR << 16; /* retry the command */
++ dev_warn(&h->pdev->dev, "cp %p aborted due to an unsolicited "
+ "abort\n", cp);
+ break;
+ case CMD_TIMEOUT:
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch)
@@ -0,0 +1,145 @@
+From 294be65bc3311f1b733693d55155e06ce94c7bff Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 9 Aug 2011 08:17:30 -0500
+Subject: [PATCH 123/136] hpsa: fix problem that OBDR devices are not detected
+
+commit 0b0e1d6cbcc8627970e0399df8f06edd690ec7d9 upstream.
+
+The test to detect OBDR ("One Button Disaster Recovery")
+cd-rom devices was comparing against uninitialized data.
+
+Fixed by moving the test for the device to where the
+inquiry data is collected, and uninitialized variable
+altogether as it wasn't really being used.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 47 +++++++++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 8b3a238..91f4d9c 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1539,10 +1539,17 @@ static inline void hpsa_set_bus_target_lun(struct hpsa_scsi_dev_t *device,
+ }
+
+ static int hpsa_update_device_info(struct ctlr_info *h,
+- unsigned char scsi3addr[], struct hpsa_scsi_dev_t *this_device)
++ unsigned char scsi3addr[], struct hpsa_scsi_dev_t *this_device,
++ unsigned char *is_OBDR_device)
+ {
+-#define OBDR_TAPE_INQ_SIZE 49
++
++#define OBDR_SIG_OFFSET 43
++#define OBDR_TAPE_SIG "$DR-10"
++#define OBDR_SIG_LEN (sizeof(OBDR_TAPE_SIG) - 1)
++#define OBDR_TAPE_INQ_SIZE (OBDR_SIG_OFFSET + OBDR_SIG_LEN)
++
+ unsigned char *inq_buff;
++ unsigned char *obdr_sig;
+
+ inq_buff = kzalloc(OBDR_TAPE_INQ_SIZE, GFP_KERNEL);
+ if (!inq_buff)
+@@ -1574,6 +1581,16 @@ static int hpsa_update_device_info(struct ctlr_info *h,
+ else
+ this_device->raid_level = RAID_UNKNOWN;
+
++ if (is_OBDR_device) {
++ /* See if this is a One-Button-Disaster-Recovery device
++ * by looking for "$DR-10" at offset 43 in inquiry data.
++ */
++ obdr_sig = &inq_buff[OBDR_SIG_OFFSET];
++ *is_OBDR_device = (this_device->devtype == TYPE_ROM &&
++ strncmp(obdr_sig, OBDR_TAPE_SIG,
++ OBDR_SIG_LEN) == 0);
++ }
++
+ kfree(inq_buff);
+ return 0;
+
+@@ -1707,7 +1724,7 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ return 0;
+ }
+
+- if (hpsa_update_device_info(h, scsi3addr, this_device))
++ if (hpsa_update_device_info(h, scsi3addr, this_device, NULL))
+ return 0;
+ (*nmsa2xxx_enclosures)++;
+ hpsa_set_bus_target_lun(this_device, bus, target, 0);
+@@ -1799,7 +1816,6 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ */
+ struct ReportLUNdata *physdev_list = NULL;
+ struct ReportLUNdata *logdev_list = NULL;
+- unsigned char *inq_buff = NULL;
+ u32 nphysicals = 0;
+ u32 nlogicals = 0;
+ u32 ndev_allocated = 0;
+@@ -1815,11 +1831,9 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ GFP_KERNEL);
+ physdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+ logdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+- inq_buff = kmalloc(OBDR_TAPE_INQ_SIZE, GFP_KERNEL);
+ tmpdevice = kzalloc(sizeof(*tmpdevice), GFP_KERNEL);
+
+- if (!currentsd || !physdev_list || !logdev_list ||
+- !inq_buff || !tmpdevice) {
++ if (!currentsd || !physdev_list || !logdev_list || !tmpdevice) {
+ dev_err(&h->pdev->dev, "out of memory\n");
+ goto out;
+ }
+@@ -1854,7 +1868,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ /* adjust our table of devices */
+ nmsa2xxx_enclosures = 0;
+ for (i = 0; i < nphysicals + nlogicals + 1; i++) {
+- u8 *lunaddrbytes;
++ u8 *lunaddrbytes, is_OBDR = 0;
+
+ /* Figure out where the LUN ID info is coming from */
+ lunaddrbytes = figure_lunaddrbytes(h, raid_ctlr_position,
+@@ -1865,7 +1879,8 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ continue;
+
+ /* Get device type, vendor, model, device id */
+- if (hpsa_update_device_info(h, lunaddrbytes, tmpdevice))
++ if (hpsa_update_device_info(h, lunaddrbytes, tmpdevice,
++ &is_OBDR))
+ continue; /* skip it if we can't talk to it. */
+ figure_bus_target_lun(h, lunaddrbytes, &bus, &target, &lun,
+ tmpdevice);
+@@ -1889,7 +1904,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ hpsa_set_bus_target_lun(this_device, bus, target, lun);
+
+ switch (this_device->devtype) {
+- case TYPE_ROM: {
++ case TYPE_ROM:
+ /* We don't *really* support actual CD-ROM devices,
+ * just "One Button Disaster Recovery" tape drive
+ * which temporarily pretends to be a CD-ROM drive.
+@@ -1897,15 +1912,8 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ * device by checking for "$DR-10" in bytes 43-48 of
+ * the inquiry data.
+ */
+- char obdr_sig[7];
+-#define OBDR_TAPE_SIG "$DR-10"
+- strncpy(obdr_sig, &inq_buff[43], 6);
+- obdr_sig[6] = '\0';
+- if (strncmp(obdr_sig, OBDR_TAPE_SIG, 6) != 0)
+- /* Not OBDR device, ignore it. */
+- break;
+- }
+- ncurrent++;
++ if (is_OBDR)
++ ncurrent++;
+ break;
+ case TYPE_DISK:
+ if (i < nphysicals)
+@@ -1938,7 +1946,6 @@ out:
+ for (i = 0; i < ndev_allocated; i++)
+ kfree(currentsd[i]);
+ kfree(currentsd);
+- kfree(inq_buff);
+ kfree(physdev_list);
+ kfree(logdev_list);
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch)
@@ -0,0 +1,45 @@
+From 2fc73aeb60fbbbb7b3f709174a46b1fa0b5f4816 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 9 Aug 2011 08:18:01 -0500
+Subject: [PATCH 124/136] hpsa: fix physical device lun and target numbering
+ problem
+
+commit 01350d05539d1c95ef3568d062d864ab76ae7670 upstream.
+
+If a physical device exposed to the OS by hpsa
+is replaced (e.g. one hot plug tape drive is replaced
+by another, or a tape drive is placed into "OBDR" mode
+in which it acts like a CD-ROM device) and a rescan is
+initiated, the replaced device will be added to the
+SCSI midlayer with target and lun numbers set to -1.
+After that, a panic is likely to ensue. When a physical
+device is replaced, the lun and target number should be
+preserved.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 91f4d9c..f0f2f2c 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -667,6 +667,16 @@ static void hpsa_scsi_replace_entry(struct ctlr_info *h, int hostno,
+ BUG_ON(entry < 0 || entry >= HPSA_MAX_SCSI_DEVS_PER_HBA);
+ removed[*nremoved] = h->dev[entry];
+ (*nremoved)++;
++
++ /*
++ * New physical devices won't have target/lun assigned yet
++ * so we need to preserve the values in the slot we are replacing.
++ */
++ if (new_entry->target == -1) {
++ new_entry->target = h->dev[entry]->target;
++ new_entry->lun = h->dev[entry]->lun;
++ }
++
+ h->dev[entry] = new_entry;
+ added[*nadded] = new_entry;
+ (*nadded)++;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch)
@@ -0,0 +1,40 @@
+From dfab1ab22543a45ff50b22fdd4bf000cabf1d7d4 Mon Sep 17 00:00:00 2001
+From: Mike Miller <mike.miller at hp.com>
+Date: Thu, 13 Oct 2011 11:44:06 -0500
+Subject: [PATCH 125/136] hpsa: change confusing message to be more clear
+
+commit fba63097b8614a4a158226c02eec0318f41cd24f upstream.
+
+The following warning message may be confusing to some users:
+
+dev_warn(&pdev->dev, "Controller claims that "
+ "'Bit 2 doorbell reset' is "
+ "supported, but not 'bit 5 doorbell reset'. "
+ "Firmware update is recommended.\n");
+
+Most users don't know or care what bit we may be hitting. Also change
+"recommended" to "required."
+
+Signed-off-by: Mike Miller <mike.miller at hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index f0f2f2c..efddc2e 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3410,10 +3410,8 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ } else {
+ use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
+ if (use_doorbell) {
+- dev_warn(&pdev->dev, "Controller claims that "
+- "'Bit 2 doorbell reset' is "
+- "supported, but not 'bit 5 doorbell reset'. "
+- "Firmware update is recommended.\n");
++ dev_warn(&pdev->dev, "Soft reset not supported. "
++ "Firmware update is required.\n");
+ rc = -ENOTSUPP; /* try soft reset */
+ goto unmap_cfgtable;
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch)
@@ -0,0 +1,36 @@
+From 51f0555d32145fee9bf450a9dcb6ce88c54f3196 Mon Sep 17 00:00:00 2001
+From: Mike Miller <mike.miller at hp.com>
+Date: Fri, 21 Oct 2011 08:19:43 +0200
+Subject: [PATCH 126/136] hpsa: add small delay when using PCI Power
+ Management to reset for kump
+
+commit c4853efec665134b2e6fc9c13447323240980351 upstream.
+
+The P600 requires a small delay when changing states. Otherwise we may think
+the board did not reset and we bail. This for kdump only and is particular
+to the P600.
+
+Signed-off-by: Mike Miller <mike.miller at hp.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+---
+ drivers/scsi/hpsa.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index efddc2e..ac63093 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3272,6 +3272,13 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ pmcsr |= PCI_D0;
+ pci_write_config_word(pdev, pos + PCI_PM_CTRL, pmcsr);
++
++ /*
++ * The P600 requires a small delay when changing states.
++ * Otherwise we may think the board did not reset and we bail.
++ * This for kdump only and is particular to the P600.
++ */
++ msleep(500);
+ }
+ return 0;
+ }
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch)
@@ -0,0 +1,29 @@
+From 2635d44221632c7855e6e1c33bccaf8fb4441127 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:20:53 -0500
+Subject: [PATCH 127/136] hpsa: set max sectors instead of taking the default
+
+commit c0d6a4d17b3848750b0285861b7a807811a0cfa6 upstream.
+
+Set the max hardware sectors in the SCSI host template to 8192
+to allow for larger i/o's (8192 is the same limit the cciss
+driver currently has.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index ac63093..b98d507 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -475,6 +475,7 @@ static struct scsi_host_template hpsa_driver_template = {
+ #endif
+ .sdev_attrs = hpsa_sdev_attrs,
+ .shost_attrs = hpsa_shost_attrs,
++ .max_sectors = 8192,
+ };
+
+
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch)
@@ -0,0 +1,56 @@
+From 0159e4f4ed46880a00975a566db680527ccf80cc Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:20:58 -0500
+Subject: [PATCH 128/136] hpsa: remove unused busy_initializing and
+ busy_scanning
+
+commit 03ab31f4c14f259bfa160543c83dbfd93d6fb3e2 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 3 ---
+ drivers/scsi/hpsa.h | 2 --
+ 2 files changed, 5 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index b98d507..64a8ec4 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -4100,7 +4100,6 @@ reinit_after_soft_reset:
+ return -ENOMEM;
+
+ h->pdev = pdev;
+- h->busy_initializing = 1;
+ h->intr_mode = hpsa_simple_mode ? SIMPLE_MODE_INT : PERF_MODE_INT;
+ INIT_LIST_HEAD(&h->cmpQ);
+ INIT_LIST_HEAD(&h->reqQ);
+@@ -4209,7 +4208,6 @@ reinit_after_soft_reset:
+
+ hpsa_hba_inquiry(h);
+ hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
+- h->busy_initializing = 0;
+ return 1;
+
+ clean4:
+@@ -4218,7 +4216,6 @@ clean4:
+ free_irq(h->intr[h->intr_mode], h);
+ clean2:
+ clean1:
+- h->busy_initializing = 0;
+ kfree(h);
+ return rc;
+ }
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 7f53ceaa..111b79e 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -95,8 +95,6 @@ struct ctlr_info {
+ unsigned long *cmd_pool_bits;
+ int nr_allocs;
+ int nr_frees;
+- int busy_initializing;
+- int busy_scanning;
+ int scan_finished;
+ spinlock_t scan_lock;
+ wait_queue_head_t scan_wait_queue;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch)
@@ -0,0 +1,115 @@
+From 307b9ca1a1e7a9830131379487b593060e93fecb Mon Sep 17 00:00:00 2001
+From: Scott Teel <scott.teel at hp.com>
+Date: Wed, 26 Oct 2011 16:21:07 -0500
+Subject: [PATCH 129/136] hpsa: rename HPSA_MAX_SCSI_DEVS_PER_HBA
+
+commit cfe5badcab2e993e71ebebbc07c21c270e5580c0 upstream.
+
+Rename HPSA_MAX_SCSI_DEVS_PER_HBA to HPSA_MAX_DEVICES
+
+Signed-off-by: Scott Teel <scott.teel at hp.com>
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 23 ++++++++++-------------
+ drivers/scsi/hpsa.h | 4 ++--
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 64a8ec4..62e87fa 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -558,16 +558,16 @@ static int hpsa_find_target_lun(struct ctlr_info *h,
+ * assumes h->devlock is held
+ */
+ int i, found = 0;
+- DECLARE_BITMAP(lun_taken, HPSA_MAX_SCSI_DEVS_PER_HBA);
++ DECLARE_BITMAP(lun_taken, HPSA_MAX_DEVICES);
+
+- memset(&lun_taken[0], 0, HPSA_MAX_SCSI_DEVS_PER_HBA >> 3);
++ memset(&lun_taken[0], 0, HPSA_MAX_DEVICES >> 3);
+
+ for (i = 0; i < h->ndevices; i++) {
+ if (h->dev[i]->bus == bus && h->dev[i]->target != -1)
+ set_bit(h->dev[i]->target, lun_taken);
+ }
+
+- for (i = 0; i < HPSA_MAX_SCSI_DEVS_PER_HBA; i++) {
++ for (i = 0; i < HPSA_MAX_DEVICES; i++) {
+ if (!test_bit(i, lun_taken)) {
+ /* *bus = 1; */
+ *target = i;
+@@ -590,7 +590,7 @@ static int hpsa_scsi_add_entry(struct ctlr_info *h, int hostno,
+ unsigned char addr1[8], addr2[8];
+ struct hpsa_scsi_dev_t *sd;
+
+- if (n >= HPSA_MAX_SCSI_DEVS_PER_HBA) {
++ if (n >= HPSA_MAX_DEVICES) {
+ dev_err(&h->pdev->dev, "too many devices, some will be "
+ "inaccessible.\n");
+ return -1;
+@@ -665,7 +665,7 @@ static void hpsa_scsi_replace_entry(struct ctlr_info *h, int hostno,
+ struct hpsa_scsi_dev_t *removed[], int *nremoved)
+ {
+ /* assumes h->devlock is held */
+- BUG_ON(entry < 0 || entry >= HPSA_MAX_SCSI_DEVS_PER_HBA);
++ BUG_ON(entry < 0 || entry >= HPSA_MAX_DEVICES);
+ removed[*nremoved] = h->dev[entry];
+ (*nremoved)++;
+
+@@ -694,7 +694,7 @@ static void hpsa_scsi_remove_entry(struct ctlr_info *h, int hostno, int entry,
+ int i;
+ struct hpsa_scsi_dev_t *sd;
+
+- BUG_ON(entry < 0 || entry >= HPSA_MAX_SCSI_DEVS_PER_HBA);
++ BUG_ON(entry < 0 || entry >= HPSA_MAX_DEVICES);
+
+ sd = h->dev[entry];
+ removed[*nremoved] = h->dev[entry];
+@@ -806,10 +806,8 @@ static void adjust_hpsa_scsi_table(struct ctlr_info *h, int hostno,
+ int nadded, nremoved;
+ struct Scsi_Host *sh = NULL;
+
+- added = kzalloc(sizeof(*added) * HPSA_MAX_SCSI_DEVS_PER_HBA,
+- GFP_KERNEL);
+- removed = kzalloc(sizeof(*removed) * HPSA_MAX_SCSI_DEVS_PER_HBA,
+- GFP_KERNEL);
++ added = kzalloc(sizeof(*added) * HPSA_MAX_DEVICES, GFP_KERNEL);
++ removed = kzalloc(sizeof(*removed) * HPSA_MAX_DEVICES, GFP_KERNEL);
+
+ if (!added || !removed) {
+ dev_warn(&h->pdev->dev, "out of memory in "
+@@ -1838,8 +1836,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ int raid_ctlr_position;
+ DECLARE_BITMAP(lunzerobits, HPSA_MAX_TARGETS_PER_CTLR);
+
+- currentsd = kzalloc(sizeof(*currentsd) * HPSA_MAX_SCSI_DEVS_PER_HBA,
+- GFP_KERNEL);
++ currentsd = kzalloc(sizeof(*currentsd) * HPSA_MAX_DEVICES, GFP_KERNEL);
+ physdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+ logdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+ tmpdevice = kzalloc(sizeof(*tmpdevice), GFP_KERNEL);
+@@ -1948,7 +1945,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ default:
+ break;
+ }
+- if (ncurrent >= HPSA_MAX_SCSI_DEVS_PER_HBA)
++ if (ncurrent >= HPSA_MAX_DEVICES)
+ break;
+ }
+ adjust_hpsa_scsi_table(h, hostno, currentsd, ncurrent);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 111b79e..4de9f71 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -102,8 +102,8 @@ struct ctlr_info {
+ struct Scsi_Host *scsi_host;
+ spinlock_t devlock; /* to protect hba[ctlr]->dev[]; */
+ int ndevices; /* number of used elements in .dev[] array. */
+-#define HPSA_MAX_SCSI_DEVS_PER_HBA 256
+- struct hpsa_scsi_dev_t *dev[HPSA_MAX_SCSI_DEVS_PER_HBA];
++#define HPSA_MAX_DEVICES 256
++ struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES];
+ /*
+ * Performant mode tables.
+ */
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch)
@@ -0,0 +1,83 @@
+From 634686b1e377f822b7be5a45888eeabef7585498 Mon Sep 17 00:00:00 2001
+From: Scott Teel <scott.teel at hp.com>
+Date: Wed, 26 Oct 2011 16:21:12 -0500
+Subject: [PATCH 130/136] hpsa: fix potential array overflow in
+ hpsa_update_scsi_devices
+
+commit b7ec021fe6fe979dbd4e62604a4942f964b12864 upstream.
+
+The currentsd[] array in hpsa_update_scsi_devices had room for
+256 devices. The code was iterating over however many physical
+and logical devices plus an additional number of possible external
+MSA2XXX controllers, which together could potentially exceed 256.
+
+We increased the size of the currentsd array to 1024 + 1024 + 32 + 1
+elements to reflect a reasonable maximum possible number of devices
+which might be encountered. We also don't just walk off the end
+of the array if the array controller reports more devices than we
+are prepared to handle, we just ignore the excessive devices.
+
+Signed-off-by: Scott Teel <scott.teel at hp.com>
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 8 +++++++-
+ drivers/scsi/hpsa.h | 1 -
+ drivers/scsi/hpsa_cmd.h | 5 ++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 62e87fa..f19b4a4 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1725,7 +1725,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ if (is_scsi_rev_5(h))
+ return 0; /* p1210m doesn't need to do this. */
+
+-#define MAX_MSA2XXX_ENCLOSURES 32
+ if (*nmsa2xxx_enclosures >= MAX_MSA2XXX_ENCLOSURES) {
+ dev_warn(&h->pdev->dev, "Maximum number of MSA2XXX "
+ "enclosures exceeded. Check your hardware "
+@@ -1859,6 +1858,13 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+
+ /* Allocate the per device structures */
+ for (i = 0; i < ndevs_to_allocate; i++) {
++ if (i >= HPSA_MAX_DEVICES) {
++ dev_warn(&h->pdev->dev, "maximum devices (%d) exceeded."
++ " %d devices ignored.\n", HPSA_MAX_DEVICES,
++ ndevs_to_allocate - HPSA_MAX_DEVICES);
++ break;
++ }
++
+ currentsd[i] = kzalloc(sizeof(*currentsd[i]), GFP_KERNEL);
+ if (!currentsd[i]) {
+ dev_warn(&h->pdev->dev, "out of memory at %s:%d\n",
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 4de9f71..73858bc 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -102,7 +102,6 @@ struct ctlr_info {
+ struct Scsi_Host *scsi_host;
+ spinlock_t devlock; /* to protect hba[ctlr]->dev[]; */
+ int ndevices; /* number of used elements in .dev[] array. */
+-#define HPSA_MAX_DEVICES 256
+ struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES];
+ /*
+ * Performant mode tables.
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 55d741b..3fd4715 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -123,8 +123,11 @@ union u64bit {
+
+ /* FIXME this is a per controller value (barf!) */
+ #define HPSA_MAX_TARGETS_PER_CTLR 16
+-#define HPSA_MAX_LUN 256
++#define HPSA_MAX_LUN 1024
+ #define HPSA_MAX_PHYS_LUN 1024
++#define MAX_MSA2XXX_ENCLOSURES 32
++#define HPSA_MAX_DEVICES (HPSA_MAX_PHYS_LUN + HPSA_MAX_LUN + \
++ MAX_MSA2XXX_ENCLOSURES + 1) /* + 1 is for the controller itself */
+
+ /* SCSI-3 Commands */
+ #pragma pack(1)
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch)
@@ -0,0 +1,31 @@
+From 95a1e574f28db303656af6b72873ec9a3324c34c Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:21:17 -0500
+Subject: [PATCH 131/136] hpsa: fix flush cache transfer length
+
+commit bb158eabda984851d7964d968b9859383f98a701 upstream.
+
+We weren't filling in the transfer length of the
+flush cache command (it transfers 4 bytes of zeroes).
+Firmware didn't seem to be bothered by this, but it
+should be fixed.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index f19b4a4..086a639 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2848,6 +2848,8 @@ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ c->Request.Timeout = 0;
+ c->Request.CDB[0] = BMIC_WRITE;
+ c->Request.CDB[6] = BMIC_CACHE_FLUSH;
++ c->Request.CDB[7] = (size >> 8) & 0xFF;
++ c->Request.CDB[8] = size & 0xFF;
+ break;
+ case TEST_UNIT_READY:
+ c->Request.CDBLen = 6;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch)
@@ -0,0 +1,318 @@
+From 6bfb4ac0fba2b1c66cc13987ed62ce8066a6512f Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:22:04 -0500
+Subject: [PATCH 132/136] hpsa: detect controller lockup
+
+commit a0c124137a40fc22730ae87caf17e821f2dce1ed upstream.
+
+When controller lockup condition is detected,
+we should fail all outstanding commands and disable
+the controller. This will enable multipath solutions
+to recover gracefully.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 184 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ drivers/scsi/hpsa.h | 5 ++
+ 2 files changed, 185 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 086a639..d4a1d44 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -48,6 +48,7 @@
+ #include <linux/bitmap.h>
+ #include <asm/atomic.h>
+ #include <linux/kthread.h>
++#include <linux/jiffies.h>
+ #include "hpsa_cmd.h"
+ #include "hpsa.h"
+
+@@ -120,6 +121,10 @@ static struct board_type products[] = {
+
+ static int number_of_controllers;
+
++static struct list_head hpsa_ctlr_list = LIST_HEAD_INIT(hpsa_ctlr_list);
++static spinlock_t lockup_detector_lock;
++static struct task_struct *hpsa_lockup_detector;
++
+ static irqreturn_t do_hpsa_intr_intx(int irq, void *dev_id);
+ static irqreturn_t do_hpsa_intr_msi(int irq, void *dev_id);
+ static int hpsa_ioctl(struct scsi_device *dev, int cmd, void *arg);
+@@ -1328,6 +1333,22 @@ static inline void hpsa_scsi_do_simple_cmd_core(struct ctlr_info *h,
+ wait_for_completion(&wait);
+ }
+
++static void hpsa_scsi_do_simple_cmd_core_if_no_lockup(struct ctlr_info *h,
++ struct CommandList *c)
++{
++ unsigned long flags;
++
++ /* If controller lockup detected, fake a hardware error. */
++ spin_lock_irqsave(&h->lock, flags);
++ if (unlikely(h->lockup_detected)) {
++ spin_unlock_irqrestore(&h->lock, flags);
++ c->err_info->CommandStatus = CMD_HARDWARE_ERR;
++ } else {
++ spin_unlock_irqrestore(&h->lock, flags);
++ hpsa_scsi_do_simple_cmd_core(h, c);
++ }
++}
++
+ static void hpsa_scsi_do_simple_cmd_with_retry(struct ctlr_info *h,
+ struct CommandList *c, int data_direction)
+ {
+@@ -2043,8 +2064,14 @@ static int hpsa_scsi_queue_command(struct scsi_cmnd *cmd,
+ }
+ memcpy(scsi3addr, dev->scsi3addr, sizeof(scsi3addr));
+
+- /* Need a lock as this is being allocated from the pool */
+ spin_lock_irqsave(&h->lock, flags);
++ if (unlikely(h->lockup_detected)) {
++ spin_unlock_irqrestore(&h->lock, flags);
++ cmd->result = DID_ERROR << 16;
++ done(cmd);
++ return 0;
++ }
++ /* Need a lock as this is being allocated from the pool */
+ c = cmd_alloc(h);
+ spin_unlock_irqrestore(&h->lock, flags);
+ if (c == NULL) { /* trouble... */
+@@ -2577,7 +2604,7 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ c->SG[0].Len = iocommand.buf_size;
+ c->SG[0].Ext = 0; /* we are not chaining*/
+ }
+- hpsa_scsi_do_simple_cmd_core(h, c);
++ hpsa_scsi_do_simple_cmd_core_if_no_lockup(h, c);
+ if (iocommand.buf_size > 0)
+ hpsa_pci_unmap(h->pdev, c, 1, PCI_DMA_BIDIRECTIONAL);
+ check_ioctl_unit_attention(h, c);
+@@ -2700,7 +2727,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ c->SG[i].Ext = 0;
+ }
+ }
+- hpsa_scsi_do_simple_cmd_core(h, c);
++ hpsa_scsi_do_simple_cmd_core_if_no_lockup(h, c);
+ if (sg_used)
+ hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);
+ check_ioctl_unit_attention(h, c);
+@@ -3069,6 +3096,7 @@ static irqreturn_t hpsa_intx_discard_completions(int irq, void *dev_id)
+ if (interrupt_not_for_us(h))
+ return IRQ_NONE;
+ spin_lock_irqsave(&h->lock, flags);
++ h->last_intr_timestamp = get_jiffies_64();
+ while (interrupt_pending(h)) {
+ raw_tag = get_next_completion(h);
+ while (raw_tag != FIFO_EMPTY)
+@@ -3088,6 +3116,7 @@ static irqreturn_t hpsa_msix_discard_completions(int irq, void *dev_id)
+ return IRQ_NONE;
+
+ spin_lock_irqsave(&h->lock, flags);
++ h->last_intr_timestamp = get_jiffies_64();
+ raw_tag = get_next_completion(h);
+ while (raw_tag != FIFO_EMPTY)
+ raw_tag = next_command(h);
+@@ -3104,6 +3133,7 @@ static irqreturn_t do_hpsa_intr_intx(int irq, void *dev_id)
+ if (interrupt_not_for_us(h))
+ return IRQ_NONE;
+ spin_lock_irqsave(&h->lock, flags);
++ h->last_intr_timestamp = get_jiffies_64();
+ while (interrupt_pending(h)) {
+ raw_tag = get_next_completion(h);
+ while (raw_tag != FIFO_EMPTY) {
+@@ -3124,6 +3154,7 @@ static irqreturn_t do_hpsa_intr_msi(int irq, void *dev_id)
+ u32 raw_tag;
+
+ spin_lock_irqsave(&h->lock, flags);
++ h->last_intr_timestamp = get_jiffies_64();
+ raw_tag = get_next_completion(h);
+ while (raw_tag != FIFO_EMPTY) {
+ if (hpsa_tag_contains_index(raw_tag))
+@@ -4068,6 +4099,149 @@ static void hpsa_undo_allocations_after_kdump_soft_reset(struct ctlr_info *h)
+ kfree(h);
+ }
+
++static void remove_ctlr_from_lockup_detector_list(struct ctlr_info *h)
++{
++ assert_spin_locked(&lockup_detector_lock);
++ if (!hpsa_lockup_detector)
++ return;
++ if (h->lockup_detected)
++ return; /* already stopped the lockup detector */
++ list_del(&h->lockup_list);
++}
++
++/* Called when controller lockup detected. */
++static void fail_all_cmds_on_list(struct ctlr_info *h, struct list_head *list)
++{
++ struct CommandList *c = NULL;
++
++ assert_spin_locked(&h->lock);
++ /* Mark all outstanding commands as failed and complete them. */
++ while (!list_empty(list)) {
++ c = list_entry(list->next, struct CommandList, list);
++ c->err_info->CommandStatus = CMD_HARDWARE_ERR;
++ finish_cmd(c, c->Header.Tag.lower);
++ }
++}
++
++static void controller_lockup_detected(struct ctlr_info *h)
++{
++ unsigned long flags;
++
++ assert_spin_locked(&lockup_detector_lock);
++ remove_ctlr_from_lockup_detector_list(h);
++ h->access.set_intr_mask(h, HPSA_INTR_OFF);
++ spin_lock_irqsave(&h->lock, flags);
++ h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
++ spin_unlock_irqrestore(&h->lock, flags);
++ dev_warn(&h->pdev->dev, "Controller lockup detected: 0x%08x\n",
++ h->lockup_detected);
++ pci_disable_device(h->pdev);
++ spin_lock_irqsave(&h->lock, flags);
++ fail_all_cmds_on_list(h, &h->cmpQ);
++ fail_all_cmds_on_list(h, &h->reqQ);
++ spin_unlock_irqrestore(&h->lock, flags);
++}
++
++#define HEARTBEAT_SAMPLE_INTERVAL (10 * HZ)
++#define HEARTBEAT_CHECK_MINIMUM_INTERVAL (HEARTBEAT_SAMPLE_INTERVAL / 2)
++
++static void detect_controller_lockup(struct ctlr_info *h)
++{
++ u64 now;
++ u32 heartbeat;
++ unsigned long flags;
++
++ assert_spin_locked(&lockup_detector_lock);
++ now = get_jiffies_64();
++ /* If we've received an interrupt recently, we're ok. */
++ if (time_after64(h->last_intr_timestamp +
++ (HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++ return;
++
++ /*
++ * If we've already checked the heartbeat recently, we're ok.
++ * This could happen if someone sends us a signal. We
++ * otherwise don't care about signals in this thread.
++ */
++ if (time_after64(h->last_heartbeat_timestamp +
++ (HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++ return;
++
++ /* If heartbeat has not changed since we last looked, we're not ok. */
++ spin_lock_irqsave(&h->lock, flags);
++ heartbeat = readl(&h->cfgtable->HeartBeat);
++ spin_unlock_irqrestore(&h->lock, flags);
++ if (h->last_heartbeat == heartbeat) {
++ controller_lockup_detected(h);
++ return;
++ }
++
++ /* We're ok. */
++ h->last_heartbeat = heartbeat;
++ h->last_heartbeat_timestamp = now;
++}
++
++static int detect_controller_lockup_thread(void *notused)
++{
++ struct ctlr_info *h;
++ unsigned long flags;
++
++ while (1) {
++ struct list_head *this, *tmp;
++
++ schedule_timeout_interruptible(HEARTBEAT_SAMPLE_INTERVAL);
++ if (kthread_should_stop())
++ break;
++ spin_lock_irqsave(&lockup_detector_lock, flags);
++ list_for_each_safe(this, tmp, &hpsa_ctlr_list) {
++ h = list_entry(this, struct ctlr_info, lockup_list);
++ detect_controller_lockup(h);
++ }
++ spin_unlock_irqrestore(&lockup_detector_lock, flags);
++ }
++ return 0;
++}
++
++static void add_ctlr_to_lockup_detector_list(struct ctlr_info *h)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&lockup_detector_lock, flags);
++ list_add_tail(&h->lockup_list, &hpsa_ctlr_list);
++ spin_unlock_irqrestore(&lockup_detector_lock, flags);
++}
++
++static void start_controller_lockup_detector(struct ctlr_info *h)
++{
++ /* Start the lockup detector thread if not already started */
++ if (!hpsa_lockup_detector) {
++ spin_lock_init(&lockup_detector_lock);
++ hpsa_lockup_detector =
++ kthread_run(detect_controller_lockup_thread,
++ NULL, "hpsa");
++ }
++ if (!hpsa_lockup_detector) {
++ dev_warn(&h->pdev->dev,
++ "Could not start lockup detector thread\n");
++ return;
++ }
++ add_ctlr_to_lockup_detector_list(h);
++}
++
++static void stop_controller_lockup_detector(struct ctlr_info *h)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&lockup_detector_lock, flags);
++ remove_ctlr_from_lockup_detector_list(h);
++ /* If the list of ctlr's to monitor is empty, stop the thread */
++ if (list_empty(&hpsa_ctlr_list)) {
++ kthread_stop(hpsa_lockup_detector);
++ hpsa_lockup_detector = NULL;
++ }
++ spin_unlock_irqrestore(&lockup_detector_lock, flags);
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -4213,6 +4387,7 @@ reinit_after_soft_reset:
+
+ hpsa_hba_inquiry(h);
+ hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
++ start_controller_lockup_detector(h);
+ return 1;
+
+ clean4:
+@@ -4275,10 +4450,11 @@ static void __devexit hpsa_remove_one(struct pci_dev *pdev)
+ struct ctlr_info *h;
+
+ if (pci_get_drvdata(pdev) == NULL) {
+- dev_err(&pdev->dev, "unable to remove device \n");
++ dev_err(&pdev->dev, "unable to remove device\n");
+ return;
+ }
+ h = pci_get_drvdata(pdev);
++ stop_controller_lockup_detector(h);
+ hpsa_unregister_scsi(h); /* unhook from SCSI subsystem */
+ hpsa_shutdown(pdev);
+ iounmap(h->vaddr);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 73858bc..91edafb 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -121,6 +121,11 @@ struct ctlr_info {
+ unsigned char reply_pool_wraparound;
+ u32 *blockFetchTable;
+ unsigned char *hba_inquiry_data;
++ u64 last_intr_timestamp;
++ u32 last_heartbeat;
++ u64 last_heartbeat_timestamp;
++ u32 lockup_detected;
++ struct list_head lockup_list;
+ };
+ #define HPSA_ABORT_MSG 0
+ #define HPSA_DEVICE_RESET_MSG 1
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch)
@@ -0,0 +1,40 @@
+From 7e7d4c0815f86b5d2f60e00d3fb10a7cbc985b74 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Fri, 11 Nov 2011 11:14:23 -0500
+Subject: [PATCH 133/136] hpsa: Disable ASPM
+
+commit e5a44df85e8d78e5c2d3d2e4f59b460905691e2f upstream.
+
+The Windows driver .inf disables ASPM on hpsa devices. Do the same because the
+selection of a non default ASPM policy can cause the device to hang.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+Acked-by: Mike Miller <mike.miller at hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index d4a1d44..4b3ea9d 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -23,6 +23,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/types.h>
+ #include <linux/pci.h>
++#include <linux/pci-aspm.h>
+ #include <linux/kernel.h>
+ #include <linux/slab.h>
+ #include <linux/delay.h>
+@@ -3894,6 +3895,10 @@ static int __devinit hpsa_pci_init(struct ctlr_info *h)
+ dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
+ return -ENODEV;
+ }
++
++ pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S |
++ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
++
+ err = pci_enable_device(h->pdev);
+ if (err) {
+ dev_warn(&h->pdev->dev, "unable to enable PCI device\n");
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch)
@@ -0,0 +1,74 @@
+From af4c8bf2cceec44a21069553d8b1fd44a28d2b4e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 19 Jan 2012 14:01:04 -0600
+Subject: [PATCH 134/136] hpsa: Fix problem with MSA2xxx devices
+
+commit 9bc3711cbb67ac620bf09b4a147cbab45b2c36c0 upstream.
+
+Upgraded firmware on Smart Array P7xx (and some others) made them show up as
+SCSI revision 5 devices and this caused the driver to fail to map MSA2xxx
+logical drives to the correct bus/target/lun. A symptom of this would be that
+the target ID of the logical drives as presented by the external storage array
+is ignored, and all such logical drives are assigned to target zero,
+differentiated only by LUN. Some multipath software reportedly does not deal
+well with this behavior, failing to recognize different paths to the same
+device as such.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: Scott Teel <scott.teel at hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 4b3ea9d..59dda57 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1665,30 +1665,26 @@ static void figure_bus_target_lun(struct ctlr_info *h,
+
+ if (is_logical_dev_addr_mode(lunaddrbytes)) {
+ /* logical device */
+- if (unlikely(is_scsi_rev_5(h))) {
+- /* p1210m, logical drives lun assignments
+- * match SCSI REPORT LUNS data.
++ lunid = le32_to_cpu(*((__le32 *) lunaddrbytes));
++ if (is_msa2xxx(h, device)) {
++ /* msa2xxx way, put logicals on bus 1
++ * and match target/lun numbers box
++ * reports.
+ */
+- lunid = le32_to_cpu(*((__le32 *) lunaddrbytes));
+- *bus = 0;
+- *target = 0;
+- *lun = (lunid & 0x3fff) + 1;
++ *bus = 1;
++ *target = (lunid >> 16) & 0x3fff;
++ *lun = lunid & 0x00ff;
+ } else {
+- /* not p1210m... */
+- lunid = le32_to_cpu(*((__le32 *) lunaddrbytes));
+- if (is_msa2xxx(h, device)) {
+- /* msa2xxx way, put logicals on bus 1
+- * and match target/lun numbers box
+- * reports.
+- */
+- *bus = 1;
+- *target = (lunid >> 16) & 0x3fff;
+- *lun = lunid & 0x00ff;
++ if (likely(is_scsi_rev_5(h))) {
++ /* All current smart arrays (circa 2011) */
++ *bus = 0;
++ *target = 0;
++ *lun = (lunid & 0x3fff) + 1;
+ } else {
+- /* Traditional smart array way. */
++ /* Traditional old smart array way. */
+ *bus = 0;
+- *lun = 0;
+ *target = lunid & 0x3fff;
++ *lun = 0;
+ }
+ }
+ } else {
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch)
@@ -0,0 +1,39 @@
+From e1ce5fac21628998a31d295320b93f00f3aa6bbd Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Mon, 28 Nov 2011 10:15:20 -0600
+Subject: [PATCH 135/136] hpsa: Add IRQF_SHARED back in for the non-MSI(X)
+ interrupt handler
+
+commit 45bcf018d1a4779d592764ef57517c92589d55d7 upstream.
+
+IRQF_SHARED is required for older controllers that don't support MSI(X)
+and which may end up sharing an interrupt. All the controllers hpsa
+normally supports have MSI(X) capability, but older controllers may be
+encountered via the hpsa_allow_any=1 module parameter.
+
+Also remove deprecated IRQF_DISABLED.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 59dda57..5b9cc14 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -4040,10 +4040,10 @@ static int hpsa_request_irq(struct ctlr_info *h,
+
+ if (h->msix_vector || h->msi_vector)
+ rc = request_irq(h->intr[h->intr_mode], msixhandler,
+- IRQF_DISABLED, h->devname, h);
++ 0, h->devname, h);
+ else
+ rc = request_irq(h->intr[h->intr_mode], intxhandler,
+- IRQF_DISABLED, h->devname, h);
++ IRQF_SHARED, h->devname, h);
+ if (rc) {
+ dev_err(&h->pdev->dev, "unable to get irq %d for %s\n",
+ h->intr[h->intr_mode], h->devname);
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch)
@@ -0,0 +1,44 @@
+From 2f626bc37b11406310eb6600e98d5c0ffce9de76 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 14 Sep 2012 16:34:25 -0500
+Subject: [PATCH 136/136] hpsa: fix handling of protocol error
+
+commit 256d0eaac87da1e993190846064f339f4c7a63f5 upstream.
+
+If a command status of CMD_PROTOCOL_ERR is received, this
+information should be conveyed to the SCSI mid layer, not
+dropped on the floor. CMD_PROTOCOL_ERR may be received
+from the Smart Array for any commands destined for an external
+RAID controller such as a P2000, or commands destined for tape
+drives or CD/DVD-ROM drives, if for instance a cable is
+disconnected. This mostly affects multipath configurations, as
+disconnecting a cable on a non-multipath configuration is not
+going to do anything good regardless of whether CMD_PROTOCOL_ERR
+is handled correctly or not. Not handling CMD_PROTOCOL_ERR
+correctly in a multipath configaration involving external RAID
+controllers may cause data corruption, so this is quite a serious
+bug. This bug should not normally cause a problem for direct
+attached disk storage.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 5b9cc14..8eb56ff 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1204,8 +1204,9 @@ static void complete_scsi_command(struct CommandList *cp)
+ }
+ break;
+ case CMD_PROTOCOL_ERR:
++ cmd->result = DID_ERROR << 16;
+ dev_warn(&h->pdev->dev, "cp %p has "
+- "protocol error \n", cp);
++ "protocol error\n", cp);
+ break;
+ case CMD_HARDWARE_ERR:
+ cmd->result = DID_ERROR << 16;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch)
@@ -0,0 +1,52 @@
+From 2239182005cc209df395cae2316f4e6688642b8d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 26 Jul 2012 11:34:10 -0500
+Subject: [PATCH 137/138] hpsa: Use LUN reset instead of target reset
+
+commit 21e89afd325849eb38adccf382df16cc895911f9 upstream.
+
+It turns out Smart Array logical drives do not support target
+reset and when the target reset fails, the logical drive will
+be taken off line. Symptoms look like this:
+
+hpsa 0000:03:00.0: Abort request on C1:B0:T0:L0
+hpsa 0000:03:00.0: resetting device 1:0:0:0
+hpsa 0000:03:00.0: cp ffff880037c56000 is reported invalid (probably means target device no longer present)
+hpsa 0000:03:00.0: resetting device failed.
+sd 1:0:0:0: Device offlined - not ready after error recovery
+sd 1:0:0:0: rejecting I/O to offline device
+EXT3-fs error (device sdb1): read_block_bitmap:
+
+LUN reset is supported though, and is what we should be using.
+Target reset is also disruptive in shared SAS situations,
+for example, an external MSA1210m which does support target
+reset attached to Smart Arrays in multiple hosts -- a target
+reset from one host is disruptive to other hosts as all LUNs
+on the target will be reset and will abort all outstanding i/os
+back to all the attached hosts. So we should use LUN reset,
+not target reset.
+
+Tested this with Smart Array logical drives and with tape drives.
+Not sure how this bug survived since 2009, except it must be very
+rare for a Smart Array to require more than 30s to complete a request.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index be9aad8..a133724 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2926,7 +2926,7 @@ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ c->Request.Timeout = 0; /* Don't time out */
+ memset(&c->Request.CDB[0], 0, sizeof(c->Request.CDB));
+ c->Request.CDB[0] = cmd;
+- c->Request.CDB[1] = 0x03; /* Reset target above */
++ c->Request.CDB[1] = HPSA_RESET_TYPE_LUN;
+ /* If bytes 4-7 are zero, it means reset the */
+ /* LunID device */
+ c->Request.CDB[4] = 0x00;
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch)
@@ -0,0 +1,144 @@
+From def274ac605a69628f7d0d2d666484d209b0b6ee Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 1 May 2012 11:43:42 -0500
+Subject: [PATCH 138/138] hpsa: dial down lockup detection during firmware flash
+
+commit e85c59746957fd6e3595d02cf614370056b5816e upstream.
+
+Dial back the aggressiveness of the controller lockup detection thread.
+Currently it will declare the controller to be locked up if it goes
+for 10 seconds with no interrupts and no change in the heartbeat
+register. Dial back this to 30 seconds with no heartbeat change, and
+also snoop the ioctl path and if a firmware flash command is detected,
+dial it back further to 4 minutes until the firmware flash command
+completes. The reason for this is that during the firmware flash
+operation, the controller apparently doesn't update the heartbeat
+register as frequently as it is supposed to, and we can get a false
+positive.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c | 39 ++++++++++++++++++++++++++++++++++-----
+ drivers/scsi/hpsa.h | 2 ++
+ drivers/scsi/hpsa_cmd.h | 1 +
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a133724..22523aa 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -532,12 +532,42 @@ static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
+ c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
+ }
+
++static int is_firmware_flash_cmd(u8 *cdb)
++{
++ return cdb[0] == BMIC_WRITE && cdb[6] == BMIC_FLASH_FIRMWARE;
++}
++
++/*
++ * During firmware flash, the heartbeat register may not update as frequently
++ * as it should. So we dial down lockup detection during firmware flash. and
++ * dial it back up when firmware flash completes.
++ */
++#define HEARTBEAT_SAMPLE_INTERVAL_DURING_FLASH (240 * HZ)
++#define HEARTBEAT_SAMPLE_INTERVAL (30 * HZ)
++static void dial_down_lockup_detection_during_fw_flash(struct ctlr_info *h,
++ struct CommandList *c)
++{
++ if (!is_firmware_flash_cmd(c->Request.CDB))
++ return;
++ atomic_inc(&h->firmware_flash_in_progress);
++ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL_DURING_FLASH;
++}
++
++static void dial_up_lockup_detection_on_fw_flash_complete(struct ctlr_info *h,
++ struct CommandList *c)
++{
++ if (is_firmware_flash_cmd(c->Request.CDB) &&
++ atomic_dec_and_test(&h->firmware_flash_in_progress))
++ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
++}
++
+ static void enqueue_cmd_and_start_io(struct ctlr_info *h,
+ struct CommandList *c)
+ {
+ unsigned long flags;
+
+ set_performant_mode(h, c);
++ dial_down_lockup_detection_during_fw_flash(h, c);
+ spin_lock_irqsave(&h->lock, flags);
+ addQ(&h->reqQ, c);
+ h->Qdepth++;
+@@ -3032,6 +3062,7 @@ static inline int bad_tag(struct ctlr_info *h, u32 tag_index,
+ static inline void finish_cmd(struct CommandList *c, u32 raw_tag)
+ {
+ removeQ(c);
++ dial_up_lockup_detection_on_fw_flash_complete(c->h, c);
+ if (likely(c->cmd_type == CMD_SCSI))
+ complete_scsi_command(c);
+ else if (c->cmd_type == CMD_IOCTL_PEND)
+@@ -4172,9 +4203,6 @@ static void controller_lockup_detected(struct ctlr_info *h)
+ spin_unlock_irqrestore(&h->lock, flags);
+ }
+
+-#define HEARTBEAT_SAMPLE_INTERVAL (10 * HZ)
+-#define HEARTBEAT_CHECK_MINIMUM_INTERVAL (HEARTBEAT_SAMPLE_INTERVAL / 2)
+-
+ static void detect_controller_lockup(struct ctlr_info *h)
+ {
+ u64 now;
+@@ -4185,7 +4213,7 @@ static void detect_controller_lockup(struct ctlr_info *h)
+ now = get_jiffies_64();
+ /* If we've received an interrupt recently, we're ok. */
+ if (time_after64(h->last_intr_timestamp +
+- (HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++ (h->heartbeat_sample_interval), now))
+ return;
+
+ /*
+@@ -4194,7 +4222,7 @@ static void detect_controller_lockup(struct ctlr_info *h)
+ * otherwise don't care about signals in this thread.
+ */
+ if (time_after64(h->last_heartbeat_timestamp +
+- (HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++ (h->heartbeat_sample_interval), now))
+ return;
+
+ /* If heartbeat has not changed since we last looked, we're not ok. */
+@@ -4236,6 +4264,7 @@ static void add_ctlr_to_lockup_detector_list(struct ctlr_info *h)
+ {
+ unsigned long flags;
+
++ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
+ spin_lock_irqsave(&lockup_detector_lock, flags);
+ list_add_tail(&h->lockup_list, &hpsa_ctlr_list);
+ spin_unlock_irqrestore(&lockup_detector_lock, flags);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 91edafb..c721509 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -124,6 +124,8 @@ struct ctlr_info {
+ u64 last_intr_timestamp;
+ u32 last_heartbeat;
+ u64 last_heartbeat_timestamp;
++ u32 heartbeat_sample_interval;
++ atomic_t firmware_flash_in_progress;
+ u32 lockup_detected;
+ struct list_head lockup_list;
+ };
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 3fd4715..e4ea0a3 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -163,6 +163,7 @@ struct SenseSubsystem_info {
+ #define BMIC_WRITE 0x27
+ #define BMIC_CACHE_FLUSH 0xc2
+ #define HPSA_CACHE_FLUSH 0x01 /* C2 was already being used by HPSA */
++#define BMIC_FLASH_FIRMWARE 0xF7
+
+ /* Command List Structure */
+ union SCSI3Addr {
Modified: dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Mon Jan 21 04:42:29 2013 (r19767)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Tue Jan 22 06:01:55 2013 (r19768)
@@ -6541,6 +6541,12 @@
[bwh: Fix context for changes to lease_alloc() after commit
79549c6dfda0603dba9a70a53467ce62d9335c33 ('cred: copy_process() should
clear child->replacement_session_keyring')]
+[bwh: Update definition of struct eventpoll that this moves, to include
+ additions in 2.6.32.60]
+[bwh: Fix context for changes to fs/signalfd.c, include/linux/signalfd.h
+ and kernel/fork.c following addition of signalfd_cleanup() in 2.6.32.60]
+[bwh: Fix content for changes to do_tcp_sendpages() after 2.6.32.60]
+[bwh: Fix context for changes to struct file after 2.6.32.60]
diff --git a/COPYING.Parallels b/COPYING.Parallels
new file mode 100644
@@ -16575,7 +16581,7 @@
/*
* Structure used to track possible nested calls, for too deep recursions
* and loop cycles.
-@@ -110,82 +106,6 @@ struct nested_calls {
+@@ -110,88 +106,6 @@ struct nested_calls {
spinlock_t lock;
};
@@ -16653,6 +16659,12 @@
-
- /* The user that created the eventpoll descriptor */
- struct user_struct *user;
+-
+- struct file *file;
+-
+- /* used to optimize loop detection check */
+- int visited;
+- struct list_head visited_list_link;
-};
-
/* Wait structure used by the poll hooks */
@@ -16668,6 +16680,15 @@
/* Used to check for epoll file descriptor inclusion loops */
static struct nested_calls poll_loop_ncalls;
+@@ -286,7 +207,7 @@
+ };
+ #endif /* CONFIG_SYSCTL */
+
+-static const struct file_operations eventpoll_fops;
++const struct file_operations eventpoll_fops;
+
+ static inline int is_file_epoll(struct file *f)
+ {
@@ -672,10 +593,11 @@ static unsigned int ep_eventpoll_poll(struct file *file, poll_table *wait)
}
@@ -16679,8 +16700,8 @@
};
+EXPORT_SYMBOL(eventpoll_fops);
- /* Fast test to see if the file is an evenpoll file */
- static inline int is_file_epoll(struct file *f)
+ /*
+ * This is called from eventpoll_release() to unlink files from the eventpoll
@@ -757,7 +679,7 @@ free_uid:
* are protected by the "mtx" mutex, and ep_find() must be called with
* "mtx" held.
@@ -27722,18 +27743,25 @@
index d98bea8..d0c9670 100644
--- a/fs/signalfd.c
+++ b/fs/signalfd.c
-@@ -28,10 +28,7 @@
+@@ -28,6 +28,7 @@
#include <linux/anon_inodes.h>
#include <linux/signalfd.h>
#include <linux/syscalls.h>
--
++#include <linux/module.h>
+
+ void signalfd_cleanup(struct sighand_struct *sighand)
+ {
+@@ -44,10 +44,6 @@
+ wake_up_poll(wqh, POLLHUP | POLLFREE);
+ }
+
-struct signalfd_ctx {
- sigset_t sigmask;
-};
-+#include <linux/module.h>
-
+-
static int signalfd_release(struct inode *inode, struct file *file)
{
+ kfree(file->private_data);
@@ -201,17 +198,17 @@ static ssize_t signalfd_read(struct file *file, char __user *buf, size_t count,
return total ? total: ret;
}
@@ -33081,7 +33109,7 @@
/* Flags for epoll_create1. */
#define EPOLL_CLOEXEC O_CLOEXEC
-@@ -63,6 +64,94 @@ static inline void eventpoll_init_file(struct file *file)
+@@ -63,6 +64,106 @@ static inline void eventpoll_init_file(struct file *file)
INIT_LIST_HEAD(&file->f_ep_links);
}
@@ -33128,6 +33156,12 @@
+
+ /* The user that created the eventpoll descriptor */
+ struct user_struct *user;
++
++ struct file *file;
++
++ /* used to optimize loop detection check */
++ int visited;
++ struct list_head visited_list_link;
+};
+
+/*
@@ -33167,6 +33201,12 @@
+
+ /* The user that created the eventpoll descriptor */
+ struct user_struct *user;
++
++ struct file *file;
++
++ /* used to optimize loop detection check */
++ int visited;
++ struct list_head visited_list_link;
+};
+
+extern struct semaphore epsem;
@@ -33462,9 +33502,9 @@
unsigned long f_mnt_write_state;
#endif
+ struct ve_struct *owner_env;
- };
- extern spinlock_t files_lock;
- #define file_list_lock() spin_lock(&files_lock);
+ #ifndef __GENKSYMS__
+ #ifdef CONFIG_EPOLL
+ struct list_head f_tfile_llink;
@@ -1063,6 +1083,9 @@ struct file_lock {
fl_owner_t fl_owner;
unsigned char fl_flags;
@@ -35592,8 +35632,8 @@
--- a/include/linux/signalfd.h
+++ b/include/linux/signalfd.h
@@ -60,6 +60,12 @@ static inline void signalfd_notify(struct task_struct *tsk, int sig)
- wake_up(&tsk->sighand->signalfd_wqh);
- }
+
+ extern void signalfd_cleanup(struct sighand_struct *sighand);
+struct signalfd_ctx {
+ sigset_t sigmask;
@@ -69737,9 +69777,9 @@
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -64,6 +64,8 @@
- #include <linux/magic.h>
#include <linux/perf_event.h>
#include <linux/posix-timers.h>
+ #include <linux/signalfd.h>
+#include <linux/virtinfo.h>
+#include <linux/ve.h>
@@ -85416,7 +85456,7 @@
goto wait_for_memory;
if (can_coalesce) {
-@@ -838,10 +866,15 @@ new_segment:
+@@ -838,9 +866,14 @@ new_segment:
wait_for_sndbuf:
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
wait_for_memory:
@@ -85424,8 +85464,7 @@
+ skb_charge_size(MAX_TCP_HEADER + tp->mss_cache));
+ chargesize = 0;
+wait_for_ubspace:
- if (copied)
- tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
+ tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
- if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
+ err = __sk_stream_wait_memory(sk, &timeo, chargesize);
Modified: dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch Mon Jan 21 04:42:29 2013 (r19767)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch Tue Jan 22 06:01:55 2013 (r19768)
@@ -1,4 +1,6 @@
[bwh: Adjust context in drivers/block/Kconfig changed by drbd backport]
+[bwh: Adjust context in fs/ext3/inode.c and kernel/fork.c changed by
+ 2.6.32.60]
--- a/Documentation/scheduler/sched-cfs-hard-limits.txt 1970-01-01 01:00:00.000000000 +0100
+++ a/Documentation/scheduler/sched-cfs-hard-limits.txt 2011-06-10 13:03:02.000000000 +0200
@@ -3115,8 +3117,8 @@
+ uid_t uid = TAGINO_UID(DX_TAG(inode), inode->i_uid, inode->i_tag);
+ gid_t gid = TAGINO_GID(DX_TAG(inode), inode->i_gid, inode->i_tag);
int err = 0, rc, block;
-
- again:
+ int need_datasync = 0;
+ __le32 disksize;
@@ -2961,29 +2995,32 @@ again:
ext3_get_inode_flags(ei);
raw_inode->i_mode = cpu_to_le16(inode->i_mode);
@@ -3154,8 +3156,8 @@
+ raw_inode->i_raw_tag = cpu_to_le16(inode->i_tag);
+#endif
raw_inode->i_links_count = cpu_to_le16(inode->i_nlink);
- raw_inode->i_size = cpu_to_le32(ei->i_disksize);
- raw_inode->i_atime = cpu_to_le32(inode->i_atime.tv_sec);
+ disksize = cpu_to_le32(ei->i_disksize);
+ if (disksize != raw_inode->i_size) {
@@ -3141,7 +3178,8 @@ int ext3_setattr(struct dentry *dentry,
return error;
@@ -14885,9 +14887,9 @@
--- a/kernel/fork.c 2011-08-08 22:29:45.000000000 +0200
+++ a/kernel/fork.c 2011-06-10 13:03:02.000000000 +0200
@@ -64,6 +64,10 @@
- #include <linux/magic.h>
#include <linux/perf_event.h>
#include <linux/posix-timers.h>
+ #include <linux/signalfd.h>
+#include <linux/vs_context.h>
+#include <linux/vs_network.h>
+#include <linux/vs_limit.h>
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch)
@@ -0,0 +1,35 @@
+From: Seth Heasley <seth.heasley at intel.com>
+Date: Wed, 20 Apr 2011 10:59:57 -0700
+Subject: ALSA: hda - ALSA HD Audio patch for Intel Panther Point DeviceIDs
+
+commit d2edeb7c6f1dada8ca7d5c23e42d604e92ae0c76 upstream.
+
+This patch adds the HD Audio Controller DeviceIDs for the Intel Panther Point PCH.
+
+Signed-off-by: Seth Heasley <seth.heasley at intel.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 70a9d32..6f891ee 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -126,6 +126,7 @@ MODULE_SUPPORTED_DEVICE("{{Intel, ICH6},"
+ "{Intel, ICH10},"
+ "{Intel, PCH},"
+ "{Intel, CPT},"
++ "{Intel, PPT},"
+ "{Intel, PBG},"
+ "{Intel, SCH},"
+ "{ATI, SB450},"
+@@ -2759,6 +2760,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ { PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
+ /* PBG */
+ { PCI_DEVICE(0x8086, 0x1d20), .driver_data = AZX_DRIVER_PCH },
++ /* Panther Point */
++ { PCI_DEVICE(0x8086, 0x1e20), .driver_data = AZX_DRIVER_PCH },
+ /* SCH */
+ { PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH },
+ /* Generic Intel */
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch)
@@ -0,0 +1,30 @@
+From: Bankim Bhavsar <bbhavsar at vmware.com>
+Date: Mon, 17 Jan 2011 15:23:21 +0100
+Subject: ALSA: hda - Add support for VMware controller
+
+commit 0f0714c5ed0a98fdeaa2287d3b159989bbe6d842 upstream.
+
+Add the new PCI ID 0x15ad and device ID 0x1977 for VMware HDAudio
+Controller.
+
+[changed to use AZX_DRIVER_GENERIC by tiwai]
+
+Signed-off-by: Bankim Bhavsar <bbhavsar at vmware.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a1c4008..07c522f 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2806,6 +2806,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ #endif
+ /* Vortex86MX */
+ { PCI_DEVICE(0x17f3, 0x3010), .driver_data = AZX_DRIVER_GENERIC },
++ /* VMware HDAudio */
++ { PCI_DEVICE(0x15ad, 0x1977), .driver_data = AZX_DRIVER_GENERIC },
+ /* AMD/ATI Generic, PCI class code and Vendor ID for HD Audio */
+ { PCI_DEVICE(PCI_VENDOR_ID_ATI, PCI_ANY_ID),
+ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch)
@@ -0,0 +1,51 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Wed, 15 Sep 2010 10:17:26 +0200
+Subject: ALSA: hda - Reduce pci id list for Intel with class id
+
+commit b686453543fd56332e8730a2abd7bf5bca756149 upstream.
+
+Most of Intel controllers work as generic HD-audio without quirks,
+and it'll be hopefully so in future. Let's mark pci id with the
+PCI_CLASS_MULTIMEDIA_HD_AUDIO for Intel so that the driver will work
+with any new control chips in future.
+
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c | 18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 34940a0..5f6f903 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2735,25 +2735,17 @@ static void __devexit azx_remove(struct pci_dev *pci)
+
+ /* PCI IDs */
+ static struct pci_device_id azx_ids[] = {
+- /* ICH 6..10 */
+- { PCI_DEVICE(0x8086, 0x2668), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x27d8), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x269a), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x284b), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x2911), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x293e), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x293f), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x3a3e), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x3a6e), .driver_data = AZX_DRIVER_ICH },
+- /* PCH */
+- { PCI_DEVICE(0x8086, 0x3b56), .driver_data = AZX_DRIVER_ICH },
+- { PCI_DEVICE(0x8086, 0x3b57), .driver_data = AZX_DRIVER_ICH },
+ /* CPT */
+ { PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
+ /* PBG */
+ { PCI_DEVICE(0x8086, 0x1d20), .driver_data = AZX_DRIVER_PCH },
+ /* SCH */
+ { PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH },
++ /* Generic Intel */
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_ANY_ID),
++ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
++ .class_mask = 0xffffff,
++ .driver_data = AZX_DRIVER_ICH },
+ /* ATI SB 450/600 */
+ { PCI_DEVICE(0x1002, 0x437b), .driver_data = AZX_DRIVER_ATI },
+ { PCI_DEVICE(0x1002, 0x4383), .driver_data = AZX_DRIVER_ATI },
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch)
@@ -0,0 +1,25 @@
+From: Otavio Salvador <otavio at ossystems.com.br>
+Date: Sun, 26 Sep 2010 23:35:06 -0300
+Subject: ALSA: hda: add Vortex86MX PCI ids
+
+commit e35d4b119578a054515ccb4ed5dddc4e8a81ec15 upstream.
+
+Signed-off-by: Otavio Salvador <otavio at ossystems.com.br>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 5f6f903..ec07e47 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2791,6 +2791,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ /* this entry seems still valid -- i.e. without emu20kx chip */
+ { PCI_DEVICE(0x1102, 0x0009), .driver_data = AZX_DRIVER_GENERIC },
+ #endif
++ /* Vortex86MX */
++ { PCI_DEVICE(0x17f3, 0x3010), .driver_data = AZX_DRIVER_GENERIC },
+ /* AMD/ATI Generic, PCI class code and Vendor ID for HD Audio */
+ { PCI_DEVICE(PCI_VENDOR_ID_ATI, PCI_ANY_ID),
+ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch)
@@ -0,0 +1,35 @@
+From: Seth Heasley <seth.heasley at intel.com>
+Date: Fri, 10 Sep 2010 16:29:56 -0700
+Subject: ALSA: hda_intel: ALSA HD Audio patch for Intel Patsburg DeviceIDs
+
+commit cea310e8f8702226f982f09386cfd3c5793c5e2f upstream.
+
+This patch adds the Intel Patsburg (PCH) HD Audio Controller DeviceIDs.
+
+Signed-off-by: Seth Heasley <seth.heasley at intel.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 1053fff..34940a0 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -126,6 +126,7 @@ MODULE_SUPPORTED_DEVICE("{{Intel, ICH6},"
+ "{Intel, ICH10},"
+ "{Intel, PCH},"
+ "{Intel, CPT},"
++ "{Intel, PBG},"
+ "{Intel, SCH},"
+ "{ATI, SB450},"
+ "{ATI, SB600},"
+@@ -2749,6 +2750,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ { PCI_DEVICE(0x8086, 0x3b57), .driver_data = AZX_DRIVER_ICH },
+ /* CPT */
+ { PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
++ /* PBG */
++ { PCI_DEVICE(0x8086, 0x1d20), .driver_data = AZX_DRIVER_PCH },
+ /* SCH */
+ { PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH },
+ /* ATI SB 450/600 */
Copied: dists/squeeze-security/linux-2.6/debian/patches/series/47 (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/series/47)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47 Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/series/47)
@@ -0,0 +1,205 @@
++ features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch
++ features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch
++ features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch
++ features/x86/ALSA-hda-Add-support-for-VMware-controller.patch
++ features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch
++ bugfix/all/header-fix-broken-headers-for-user-space.patch
++ bugfix/all/kernel-panic-when-mount-NFSv4.patch
+
+# Update hpsa to 3.2.35
++ features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch
++ features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch
++ features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch
++ features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch
++ features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch
++ features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch
++ features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch
++ features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch
++ features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch
++ features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch
++ features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch
++ features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch
++ features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch
++ features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch
++ features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch
++ features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch
++ features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch
++ features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch
++ features/all/hpsa/0098-hpsa-fix-bad-comparison.patch
++ features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch
++ features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch
++ features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch
++ features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch
++ features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch
++ features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch
++ features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch
++ features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch
++ features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch
++ features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch
++ features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch
++ features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch
++ features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch
++ features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch
++ features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch
++ features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch
++ features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch
++ features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch
++ features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch
++ features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch
++ features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch
++ features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch
++ features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch
++ features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch
++ features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch
++ features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch
++ features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch
++ features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch
++ features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch
++ features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch
++ features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch
++ features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch
++ features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch
++ features/all/hpsa/0132-hpsa-detect-controller-lockup.patch
++ features/all/hpsa/0133-hpsa-Disable-ASPM.patch
++ features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch
++ features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch
++ features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch
++ features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch
++ features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch
+
+# Update megaraid_sas to 3.0.56
+# First 5 commits already applied in -29
++ features/all/megaraid_sas/0006-megaraid_sas-infrastructure-to-get-pds-from-fw.patch
++ features/all/megaraid_sas/0007-megaraid_sas-add-the-support-for-updating-the-os-after-adding-removing-the-devices-from-fw.patch
++ features/all/megaraid_sas/0008-megaraid_sas-add-the-logical-drive-list-to-driver.patch
++ features/all/megaraid_sas/0009-megaraid_sas-driver-fixed-the-device-update-issue.patch
++ features/all/megaraid_sas/0010-megaraid_sas-add-the-ieee-sge-support-to-sas2-controller.patch
++ features/all/megaraid_sas/0011-megaraid_sas-add-online-controller-reset-to-megaraid-sas-drive.patch
++ features/all/megaraid_sas/0012-megaraid_sas-rename-megaraid_sas.c-to-megaraid_sas_base.c.patch
++ features/all/megaraid_sas/0013-megaraid_sas-add-msi-x-support-and-msix_disable-module-parameter.patch
++ features/all/megaraid_sas/0014-megaraid_sas-make-driver-pci-legacy-i-o-port-free-driver.patch
++ features/all/megaraid_sas/0015-megaraid_sas-use-lowest-memory-bar-for-sr-iov-vf-support.patch
++ features/all/megaraid_sas/0016-megaraid_sas-add-struct-megasas_instance_template-changes.patch
++ features/all/megaraid_sas/0017-megaraid_sas-add-9565-9285-specific-code.patch
++ features/all/megaraid_sas/0018-megaraid_sas-fix-instance-access-in-megasas_reset_timer.patch
++ features/all/megaraid_sas/0019-megaraid_sas-tape-drive-support-fix.patch
++ features/all/megaraid_sas/0020-megaraid_sas-report-system-pds-to-os.patch
++ features/all/megaraid_sas/0021-megaraid_sas-use-the-firmware-boot-timeout-when-waiting-for-commands.patch
++ features/all/megaraid_sas/0022-megaraid_sas-update-version-number-and-documentation.patch
++ features/all/megaraid_sas/0023-megaraid_sas-zero-pad_0-in-mfi-structure.patch
++ features/all/megaraid_sas/0024-megaraid_sas-version-and-documentation-update.patch
++ features/all/megaraid_sas/0025-megaraid_sas-support-devices-update-flag.patch
++ features/all/megaraid_sas/0026-megaraid_sas-add-input-parameter-for-max_sectors.patch
++ features/all/megaraid_sas/0027-megaraid_sas-add-three-times-online-controller-reset.patch
++ features/all/megaraid_sas/0028-megaraid_sas-version-and-documentation-update.patch
++ features/all/megaraid_sas/0029-megaraid_sas-update-gpl-headers.patch
++ features/all/megaraid_sas/0030-megaraid_sas-fix-failure-gotos.patch
++ features/all/megaraid_sas/0031-megaraid_sas-add-missing-check_and_restore_queue_depth-call.patch
++ features/all/megaraid_sas/0032-megaraid_sas-enable-msi-x-before-calling-megasas_init_fw.patch
++ features/all/megaraid_sas/0033-megaraid_sas-call-tasklet_schedule-for-msi-x.patch
++ features/all/megaraid_sas/0034-megaraid_sas-fix-probe_one-to-clear-msi-x-flags-in-kdump.patch
++ features/all/megaraid_sas/0035-megaraid_sas-fix-megasas_build_dcdb_fusion-to-not-filter-by-type_disk.patch
++ features/all/megaraid_sas/0036-megaraid_sas-fix-megasas_build_dcdb_fusion-to-use-correct-lun-field.patch
++ features/all/megaraid_sas/0037-megaraid_sas-add-cfg_cleared-aen.patch
++ features/all/megaraid_sas/0038-megaraid_sas-fix-tasklet_init-call.patch
++ features/all/megaraid_sas/0039-megaraid_sas-fix-fault-state-handling.patch
++ features/all/megaraid_sas/0040-megaraid_sas-fix-max_sectors-for-ieee-sgl.patch
++ features/all/megaraid_sas/0041-megaraid_sas-fix-imr-ocr-support-to-work-correctly.patch
++ features/all/megaraid_sas/0042-megaraid_sas-documentation-update.patch
++ features/all/megaraid_sas/0043-megaraid_sas-add-9565-9285-specific-code-version-bump.patch
++ features/all/megaraid_sas/0044-megaraid_sas-version-and-changelog-update.patch
++ features/all/megaraid_sas/0045-megaraid_sas-remove-msi-x-black-list-use-mfi_reg_state-instead.patch
++ features/all/megaraid_sas/0046-megaraid_sas-remove-un-used-function.patch
++ features/all/megaraid_sas/0047-megaraid_sas-check-mfi_reg_state.fault.resetadapter.patch
++ features/all/megaraid_sas/0048-megaraid_sas-disable-interrupts-free_irq-in-megasas_shutdown.patch
++ features/all/megaraid_sas/0049-megaraid_sas-fix-bug-where-aens-could-be-lost-in-probe-and-resume.patch
++ features/all/megaraid_sas/0050-megaraid_sas-convert-6-10-12-byte-cdb-s-for-fastpath-io.patch
++ features/all/megaraid_sas/0051-megaraid_sas-add-1078-ocr-support.patch
++ features/all/megaraid_sas/0052-megaraid_sas-version-and-changelog-update.patch
++ features/all/megaraid_sas/0053-megaraid_sas-move-poll_aen_lock-initializer.patch
++ features/all/megaraid_sas/0054-megaraid_sas-cosmetic-changes.patch
+
++ bugfix/all/net-fix-route-cache-rebuilds.patch
+
+- bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch
+- bugfix/all/udf-Fortify-loading-of-sparing-table.patch
+- bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
+- bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
+- bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
+- bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
+- bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
+- bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
+- bugfix/all/dl2k-Clean-up-rio_ioctl.patch
+- bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
+- bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
+- debian/timer-Avoid_ABI-change-from-leap-second-fix.patch
+- bugfix/all/0011-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0010-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0009-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0008-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0007-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0006-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0005-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0004-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0003-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0002-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0001-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/x86/usb-Fix-deadlock-in-hid_reset-when-Dell-iDRAC.patch
+- debian/security-Avoid-ABI-change-due-to-personality.h-include.patch
+- bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
+- bugfix/all/security-fix-compile-error-in-commoncap.c.patch
+- bugfix/all/fcaps-clear-the-same-personality-flags-as-suid-when-fcaps-are-used.patch
+- bugfix/all/hugepages-fix-use-after-free-bug-in-quota-handling.patch
+- bugfix/x86/KVM-Ensure-all-vcpus-are-consistent-with-in-kernel-irqchip-settings.patch
+- bugfix/x86/KVM-disallow-multiple-KVM_CREATE_IRQCHIP.patch
+- bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch
+- bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
+- bugfix/x86/x86-mm-Fix-pgd_lock-deadlock.patch
+- bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
+- bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
+- bugfix/all/KVM-Device-assignment-permission-checks.patch
+- bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
+- bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch
+- bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
+- bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
++ bugfix/all/stable/2.6.32.60.patch
++ bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch
++ debian/security-Avoid-ABI-change-due-to-personality.h-include.patch
++ debian/timer-Avoid_ABI-change-from-leap-second-fix.patch
++ bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
++ bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
++ bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch
++ debian/random-Avoid-ABI-change-in-irq_desc.patch
++ debian/epoll-Avoid-ABI-change-in-file.patch
+
++ bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch
+
++ features/x86/isci/0002-treewide-remove-extra-semicolons-from-various-parts-.patch
++ features/x86/isci/0005-SCSI-isci-fix-support-for-large-smp-requests.patch
++ features/x86/isci/0006-SCSI-isci-fix-missed-unlock-in-apc_agent_timeout.patch
++ features/x86/isci/0007-SCSI-isci-atapi-support.patch
++ features/x86/isci/0008-SCSI-isci-SATA-STP-I-O-is-only-returned-in-the-norma.patch
++ features/x86/isci/0009-SCSI-isci-fix-decode-of-DONE_CRC_ERR-TC-completion-s.patch
++ features/x86/isci/0010-SCSI-isci-The-port-state-should-be-set-to-stopping-o.patch
++ features/x86/isci/0012-SCSI-isci-Lookup-device-references-through-requests-.patch
++ features/x86/isci/0013-SCSI-isci-Immediately-fail-I-O-to-removed-devices.patch
++ features/x86/isci/0014-SCSI-isci-Fix-tag-leak-in-tasks-and-terminated-reque.patch
++ features/x86/isci/0015-SCSI-isci-Handle-task-request-timeouts-correctly.patch
++ features/x86/isci/0016-SCSI-isci-No-task_done-callbacks-in-error-handler-pa.patch
++ features/x86/isci/0017-SCSI-isci-Fix-task-management-for-SMP-SATA-and-on-de.patch
++ features/x86/isci/0018-SCSI-isci-Remove-redundant-isci_request.ttype-field.patch
++ features/x86/isci/0019-SCSI-isci-No-need-to-manage-the-pending-reset-bit-on.patch
++ features/x86/isci/0020-SCSI-isci-Fix-hard-reset-timeout-conditions.patch
++ features/x86/isci/0021-SCSI-isci-revert-bcn-filtering.patch
++ features/x86/isci/0022-SCSI-isci-overriding-max_concurr_spinup-oem-paramete.patch
++ features/x86/isci/0023-isci-fix-oem-parameter-validation-on-single-controll.patch
++ features/x86/isci/0024-isci-fix-isci_pci_probe-generates-warning-on-efi-fai.patch
++ features/x86/isci/0025-isci-copy-fis-0x34-response-into-proper-buffer.patch
+
++ bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch
++ bugfix/all/staging-fix-usbip-printk-format-warning.patch
++ bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
++ bugfix/all/staging-speakup-fix-printk-format-warning.patch
++ bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
++ bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
++ bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
Copied: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 (from r19767, dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 Tue Jan 22 06:01:55 2013 (r19768, copy of r19767, dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1)
@@ -0,0 +1,5 @@
++ bugfix/all/usermodehelper-introduce-umh_complete.patch
++ bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
++ bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
++ bugfix/all/kmod-introduce-call_modprobe-helper.patch
++ bugfix/all/kmod-make-__request_module-killable.patch
More information about the Kernel-svn-changes
mailing list