3.0 patches

9 files changed, 518 insertions, 0 deletions

diff --git a/queue-3.0/ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch b/queue-3.0/ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch
new file mode 100644
index 0000000000..02b7d680ce
--- /dev/null
+++ b/queue-3.0/ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch
@@ -0,0 +1,36 @@
+From 8b2a3827bb12430d932cd479b22d906baf08c212 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Date: Wed, 24 Aug 2011 21:38:07 +0530
+Subject: ath9k: Fix PS wrappers in ath9k_set_coverage_class
+
+From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+
+commit 8b2a3827bb12430d932cd479b22d906baf08c212 upstream.
+
+this callback is called during suspend/resume and also via iw command.
+it configures parameters like sifs, slottime, acktimeout in
+ath9k_hw_init_global_settings where few REG_READ, REG_RMW are also done
+and hence the need for PS wrappers
+
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -2260,7 +2260,11 @@ static void ath9k_set_coverage_class(str
+ 
+ 	mutex_lock(&sc->mutex);
+ 	ah->coverage_class = coverage_class;
++
++	ath9k_ps_wakeup(sc);
+ 	ath9k_hw_init_global_settings(ah);
++	ath9k_ps_restore(sc);
++
+ 	mutex_unlock(&sc->mutex);
+ }
+ 
diff --git a/queue-3.0/ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch b/queue-3.0/ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
new file mode 100644
index 0000000000..8fd45e7e10
--- /dev/null
+++ b/queue-3.0/ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
@@ -0,0 +1,39 @@
+From b503c7a273c0a3018ad11ea8c513c639120afbf4 Mon Sep 17 00:00:00 2001
+From: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
+Date: Fri, 19 Aug 2011 18:43:06 +0530
+Subject: ath9k_hw: Fix STA (AR9485) bringup issue due to incorrect MAC address
+
+From: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
+
+commit b503c7a273c0a3018ad11ea8c513c639120afbf4 upstream.
+
+Due to some recent optimization done in the way the mac address
+bytes are written into the OTP memory, some AR9485 chipsets were
+forced to use the first byte from the eeprom template and the
+remaining bytes are read from OTP.
+
+AR9485 happens to use generic eeprom template which has 0x1 as
+the first byte causes issues in bringing up the card.
+
+So fixed the eeprom template accordingly to address the issue.
+
+Cc: Paul Stewart <pstew@google.com>
+Signed-off-by: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -68,7 +68,7 @@ static int ar9003_hw_power_interpolate(i
+ static const struct ar9300_eeprom ar9300_default = {
+ 	.eepromVersion = 2,
+ 	.templateVersion = 2,
+-	.macAddr = {1, 2, 3, 4, 5, 6},
++	.macAddr = {0, 2, 3, 4, 5, 6},
+ 	.custData = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 		     0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+ 	.baseEepHeader = {
diff --git a/queue-3.0/carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch b/queue-3.0/carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch
new file mode 100644
index 0000000000..b57cf4e81d
--- /dev/null
+++ b/queue-3.0/carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch
@@ -0,0 +1,42 @@
+From 66cb54bd24086b2d871a03035de9b0e79b2b725e Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Wed, 24 Aug 2011 00:44:32 +0400
+Subject: carl9170: Fix mismatch in carl9170_op_set_key mutex
+ lock-unlock
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 66cb54bd24086b2d871a03035de9b0e79b2b725e upstream.
+
+If is_main_vif(ar, vif) reports that we have to fall back
+to software encryption, we goto err_softw; before locking ar->mutex.
+As a result, we have unprotected call to carl9170_set_operating_mode
+and unmatched mutex_unlock.
+
+The patch fix the issue by adding mutex_lock before goto.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-By: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/carl9170/main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/carl9170/main.c
++++ b/drivers/net/wireless/ath/carl9170/main.c
+@@ -1066,8 +1066,10 @@ static int carl9170_op_set_key(struct ie
+ 	 * the high througput speed in 802.11n networks.
+ 	 */
+ 
+-	if (!is_main_vif(ar, vif))
++	if (!is_main_vif(ar, vif)) {
++		mutex_lock(&ar->mutex);
+ 		goto err_softw;
++	}
+ 
+ 	/*
+ 	 * While the hardware supports *catch-all* key, for offloading
diff --git a/queue-3.0/ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch b/queue-3.0/ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch
new file mode 100644
index 0000000000..84b5b6d727
--- /dev/null
+++ b/queue-3.0/ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch
@@ -0,0 +1,77 @@
+From c6f59d13e24187ff95427a9f4a5a7e14fb8faf5a Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Wed, 24 Aug 2011 17:56:15 -0700
+Subject: ibmveth: Fix leak when recycling skb and hypervisor returns
+ error
+
+From: Anton Blanchard <anton@samba.org>
+
+commit c6f59d13e24187ff95427a9f4a5a7e14fb8faf5a upstream.
+
+If h_add_logical_lan_buffer returns an error we need to free
+the skb.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/ibmveth.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ibmveth.c
++++ b/drivers/net/ibmveth.c
+@@ -394,7 +394,7 @@ static inline struct sk_buff *ibmveth_rx
+ }
+ 
+ /* recycle the current buffer on the rx queue */
+-static void ibmveth_rxq_recycle_buffer(struct ibmveth_adapter *adapter)
++static int ibmveth_rxq_recycle_buffer(struct ibmveth_adapter *adapter)
+ {
+ 	u32 q_index = adapter->rx_queue.index;
+ 	u64 correlator = adapter->rx_queue.queue_addr[q_index].correlator;
+@@ -402,6 +402,7 @@ static void ibmveth_rxq_recycle_buffer(s
+ 	unsigned int index = correlator & 0xffffffffUL;
+ 	union ibmveth_buf_desc desc;
+ 	unsigned long lpar_rc;
++	int ret = 1;
+ 
+ 	BUG_ON(pool >= IBMVETH_NUM_BUFF_POOLS);
+ 	BUG_ON(index >= adapter->rx_buff_pool[pool].size);
+@@ -409,7 +410,7 @@ static void ibmveth_rxq_recycle_buffer(s
+ 	if (!adapter->rx_buff_pool[pool].active) {
+ 		ibmveth_rxq_harvest_buffer(adapter);
+ 		ibmveth_free_buffer_pool(adapter, &adapter->rx_buff_pool[pool]);
+-		return;
++		goto out;
+ 	}
+ 
+ 	desc.fields.flags_len = IBMVETH_BUF_VALID |
+@@ -422,12 +423,16 @@ static void ibmveth_rxq_recycle_buffer(s
+ 		netdev_dbg(adapter->netdev, "h_add_logical_lan_buffer failed "
+ 			   "during recycle rc=%ld", lpar_rc);
+ 		ibmveth_remove_buffer_from_pool(adapter, adapter->rx_queue.queue_addr[adapter->rx_queue.index].correlator);
++		ret = 0;
+ 	}
+ 
+ 	if (++adapter->rx_queue.index == adapter->rx_queue.num_slots) {
+ 		adapter->rx_queue.index = 0;
+ 		adapter->rx_queue.toggle = !adapter->rx_queue.toggle;
+ 	}
++
++out:
++	return ret;
+ }
+ 
+ static void ibmveth_rxq_harvest_buffer(struct ibmveth_adapter *adapter)
+@@ -1083,8 +1088,9 @@ restart_poll:
+ 				if (rx_flush)
+ 					ibmveth_flush_buffer(skb->data,
+ 						length + offset);
++				if (!ibmveth_rxq_recycle_buffer(adapter))
++					kfree_skb(skb);
+ 				skb = new_skb;
+-				ibmveth_rxq_recycle_buffer(adapter);
+ 			} else {
+ 				ibmveth_rxq_harvest_buffer(adapter);
+ 				skb_reserve(skb, offset);
diff --git a/queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch b/queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch
new file mode 100644
index 0000000000..8d15f57954
--- /dev/null
+++ b/queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch
@@ -0,0 +1,137 @@
+From ecb4433550f0620f3d1471ae7099037ede30a91e Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 12 Aug 2011 14:00:59 +0200
+Subject: mac80211: fix suspend/resume races with unregister hw
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit ecb4433550f0620f3d1471ae7099037ede30a91e upstream.
+
+Do not call ->suspend, ->resume methods after we unregister wiphy. Also
+delete sta_clanup timer after we finish wiphy unregister to avoid this:
+
+WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0()
+Hardware name: 6369CTO
+ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211]
+Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode]
+Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19
+Call Trace:
+ [<c0454cfd>] warn_slowpath_common+0x6d/0xa0
+ [<c05e05e5>] ? debug_print_object+0x85/0xa0
+ [<c05e05e5>] ? debug_print_object+0x85/0xa0
+ [<c0454dae>] warn_slowpath_fmt+0x2e/0x30
+ [<c05e05e5>] debug_print_object+0x85/0xa0
+ [<f8a808e0>] ? sta_info_alloc+0x1a0/0x1a0 [mac80211]
+ [<c05e0bd2>] debug_check_no_obj_freed+0xe2/0x180
+ [<c051175b>] kfree+0x8b/0x150
+ [<f8a126ae>] cfg80211_dev_free+0x7e/0x90 [cfg80211]
+ [<f8a13afd>] wiphy_dev_release+0xd/0x10 [cfg80211]
+ [<c068d959>] device_release+0x19/0x80
+ [<c05d06ba>] kobject_release+0x7a/0x1c0
+ [<c07646a8>] ? rtnl_unlock+0x8/0x10
+ [<f8a13adb>] ? wiphy_resume+0x6b/0x80 [cfg80211]
+ [<c05d0640>] ? kobject_del+0x30/0x30
+ [<c05d1a6d>] kref_put+0x2d/0x60
+ [<c05d056d>] kobject_put+0x1d/0x50
+ [<c08015f4>] ? mutex_lock+0x14/0x40
+ [<c068d60f>] put_device+0xf/0x20
+ [<c069716a>] dpm_resume+0xca/0x160
+ [<c04912bd>] hibernation_snapshot+0xcd/0x260
+ [<c04903df>] ? freeze_processes+0x3f/0x90
+ [<c049151b>] hibernate+0xcb/0x1e0
+ [<c048fdc0>] ? pm_async_store+0x40/0x40
+ [<c048fe60>] state_store+0xa0/0xb0
+ [<c048fdc0>] ? pm_async_store+0x40/0x40
+ [<c05d0200>] kobj_attr_store+0x20/0x30
+ [<c0575ea4>] sysfs_write_file+0x94/0xf0
+ [<c051e26a>] vfs_write+0x9a/0x160
+ [<c0575e10>] ? sysfs_open_file+0x200/0x200
+ [<c051e3fd>] sys_write+0x3d/0x70
+ [<c080959f>] sysenter_do_call+0x12/0x28
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/cfg80211.h |    3 +++
+ net/mac80211/main.c    |    2 +-
+ net/wireless/core.c    |    7 +++++++
+ net/wireless/sysfs.c   |    6 ++++--
+ 4 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -1814,6 +1814,9 @@ struct wiphy {
+ 	 * you need use set_wiphy_dev() (see below) */
+ 	struct device dev;
+ 
++	/* protects ->resume, ->suspend sysfs callbacks against unregister hw */
++	bool registered;
++
+ 	/* dir in debugfs: ieee80211/<wiphyname> */
+ 	struct dentry *debugfsdir;
+ 
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1012,7 +1012,6 @@ void ieee80211_unregister_hw(struct ieee
+ 	cancel_work_sync(&local->reconfig_filter);
+ 
+ 	ieee80211_clear_tx_pending(local);
+-	sta_info_stop(local);
+ 	rate_control_deinitialize(local);
+ 
+ 	if (skb_queue_len(&local->skb_queue) ||
+@@ -1024,6 +1023,7 @@ void ieee80211_unregister_hw(struct ieee
+ 
+ 	destroy_workqueue(local->workqueue);
+ 	wiphy_unregister(local->hw.wiphy);
++	sta_info_stop(local);
+ 	ieee80211_wep_free(local);
+ 	ieee80211_led_exit(local);
+ 	kfree(local->int_scan_req);
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -612,6 +612,9 @@ int wiphy_register(struct wiphy *wiphy)
+ 	if (res)
+ 		goto out_rm_dev;
+ 
++	rtnl_lock();
++	rdev->wiphy.registered = true;
++	rtnl_unlock();
+ 	return 0;
+ 
+ out_rm_dev:
+@@ -643,6 +646,10 @@ void wiphy_unregister(struct wiphy *wiph
+ {
+ 	struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+ 
++	rtnl_lock();
++	rdev->wiphy.registered = false;
++	rtnl_unlock();
++
+ 	rfkill_unregister(rdev->rfkill);
+ 
+ 	/* protect the device list */
+--- a/net/wireless/sysfs.c
++++ b/net/wireless/sysfs.c
+@@ -93,7 +93,8 @@ static int wiphy_suspend(struct device *
+ 
+ 	if (rdev->ops->suspend) {
+ 		rtnl_lock();
+-		ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
++		if (rdev->wiphy.registered)
++			ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
+ 		rtnl_unlock();
+ 	}
+ 
+@@ -112,7 +113,8 @@ static int wiphy_resume(struct device *d
+ 
+ 	if (rdev->ops->resume) {
+ 		rtnl_lock();
+-		ret = rdev->ops->resume(&rdev->wiphy);
++		if (rdev->wiphy.registered)
++			ret = rdev->ops->resume(&rdev->wiphy);
+ 		rtnl_unlock();
+ 	}
+ 
diff --git a/queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch b/queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
new file mode 100644
index 0000000000..548cb1c9e8
--- /dev/null
+++ b/queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
@@ -0,0 +1,80 @@
+From 543cc38c8fe86deba4169977c61eb88491036837 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 12 Aug 2011 14:02:04 +0200
+Subject: rt2x00: do not drop usb dev reference counter on suspend
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 543cc38c8fe86deba4169977c61eb88491036837 upstream.
+
+When hibernating ->resume may not be called by usb core, but disconnect
+and probe instead, so we do not increase the counter after decreasing
+it in ->supend. As a result we free memory early, and get crash when
+unplugging usb dongle.
+
+BUG: unable to handle kernel paging request at 6b6b6b9f
+IP: [<c06909b0>] driver_sysfs_remove+0x10/0x30
+*pdpt = 0000000034f21001 *pde = 0000000000000000
+Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO
+EIP: 0060:[<c06909b0>] EFLAGS: 00010202 CPU: 1
+EIP is at driver_sysfs_remove+0x10/0x30
+EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b
+ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000)
+Call Trace:
+ [<c06909ef>] __device_release_driver+0x1f/0xa0
+ [<c0690b20>] device_release_driver+0x20/0x40
+ [<c068fd64>] bus_remove_device+0x84/0xe0
+ [<c068e12a>] ? device_remove_attrs+0x2a/0x80
+ [<c068e267>] device_del+0xe7/0x170
+ [<c06d93d4>] usb_disconnect+0xd4/0x180
+ [<c06d9d61>] hub_thread+0x691/0x1600
+ [<c0473260>] ? wake_up_bit+0x30/0x30
+ [<c0442a39>] ? complete+0x49/0x60
+ [<c06d96d0>] ? hub_disconnect+0xd0/0xd0
+ [<c06d96d0>] ? hub_disconnect+0xd0/0xd0
+ [<c0472eb4>] kthread+0x74/0x80
+ [<c0472e40>] ? kthread_worker_fn+0x150/0x150
+ [<c0809b3e>] kernel_thread_helper+0x6/0x10
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00usb.c |   14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00usb.c
++++ b/drivers/net/wireless/rt2x00/rt2x00usb.c
+@@ -870,18 +870,8 @@ int rt2x00usb_suspend(struct usb_interfa
+ {
+ 	struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
+ 	struct rt2x00_dev *rt2x00dev = hw->priv;
+-	int retval;
+ 
+-	retval = rt2x00lib_suspend(rt2x00dev, state);
+-	if (retval)
+-		return retval;
+-
+-	/*
+-	 * Decrease usbdev refcount.
+-	 */
+-	usb_put_dev(interface_to_usbdev(usb_intf));
+-
+-	return 0;
++	return rt2x00lib_suspend(rt2x00dev, state);
+ }
+ EXPORT_SYMBOL_GPL(rt2x00usb_suspend);
+ 
+@@ -890,8 +880,6 @@ int rt2x00usb_resume(struct usb_interfac
+ 	struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
+ 	struct rt2x00_dev *rt2x00dev = hw->priv;
+ 
+-	usb_get_dev(interface_to_usbdev(usb_intf));
+-
+ 	return rt2x00lib_resume(rt2x00dev);
+ }
+ EXPORT_SYMBOL_GPL(rt2x00usb_resume);
diff --git a/queue-3.0/savagedb-fix-typo-causing-regression-in-savage4-series.patch b/queue-3.0/savagedb-fix-typo-causing-regression-in-savage4-series.patch
new file mode 100644
index 0000000000..c04ffa686f
--- /dev/null
+++ b/queue-3.0/savagedb-fix-typo-causing-regression-in-savage4-series.patch
@@ -0,0 +1,39 @@
+From 4b00e4b3940eabb38adeec0823751820fe2d6fda Mon Sep 17 00:00:00 2001
+From: John Stanley <jpsinthemix@verizon.net>
+Date: Wed, 3 Aug 2011 20:41:00 -0400
+Subject: savagedb: Fix typo causing regression in savage4 series
+ video chip detection
+
+From: John Stanley <jpsinthemix@verizon.net>
+
+commit 4b00e4b3940eabb38adeec0823751820fe2d6fda upstream.
+
+Two additional savage4 variants were added, but the S3_SAVAGE4_SERIES
+macro was incompletely modified, resulting in a false positive detection
+of a savage4 card regardless of which savage card is actually present.
+
+For non-savage4 series cards, such as a Savage/IX-MV card, this results
+in garbled video and/or a hard-hang at boot time.  Fix this by changing
+an '||' to an '&&' in the S3_SAVAGE4_SERIES macro.
+
+Signed-off-by: John P. Stanley <jpsinthemix@verizon.net>
+Reviewed-by: Tormod Volden <debian.tormod@gmail.com>
+[ The macros have incomplete parenthesis too, but whatever ..  -Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/savage/savagefb.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/savage/savagefb.h
++++ b/drivers/video/savage/savagefb.h
+@@ -55,7 +55,7 @@
+ 
+ #define S3_SAVAGE3D_SERIES(chip)  ((chip>=S3_SAVAGE3D) && (chip<=S3_SAVAGE_MX))
+ 
+-#define S3_SAVAGE4_SERIES(chip)   ((chip>=S3_SAVAGE4) || (chip<=S3_PROSAVAGEDDR))
++#define S3_SAVAGE4_SERIES(chip)   ((chip>=S3_SAVAGE4) && (chip<=S3_PROSAVAGEDDR))
+ 
+ #define S3_SAVAGE_MOBILE_SERIES(chip)  ((chip==S3_SAVAGE_MX) || (chip==S3_SUPERSAVAGE))
+ 
diff --git a/queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch b/queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
new file mode 100644
index 0000000000..0f85bd9108
--- /dev/null
+++ b/queue-3.0/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: David Goulet <dgoulet@ev0ke.net>
+CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: Anton Blanchard <anton@samba.org>
+CC: David S. Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/socket.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ 	 * used_address->name_len is initialized to UINT_MAX so that the first
+ 	 * destination address never matches.
+ 	 */
+-	if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+-	    !memcmp(&used_address->name, msg->msg_name,
++	if (used_address && msg_sys->msg_name &&
++	    used_address->name_len == msg_sys->msg_namelen &&
++	    !memcmp(&used_address->name, msg_sys->msg_name,
+ 		    used_address->name_len)) {
+ 		err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ 		goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ 	 */
+ 	if (used_address && err >= 0) {
+ 		used_address->name_len = msg_sys->msg_namelen;
+-		memcpy(&used_address->name, msg->msg_name,
+-		       used_address->name_len);
++		if (msg_sys->msg_name)
++			memcpy(&used_address->name, msg_sys->msg_name,
++			       used_address->name_len);
+ 	}
+ 
+ out_freectl:
diff --git a/queue-3.0/series b/queue-3.0/series
index 320a3bfe87..c4d87ebad0 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -25,3 +25,11 @@ xhci-fix-memory-leak-during-failed-enqueue.patch
 xhci-fix-failed-enqueue-in-the-middle-of-isoch-td.patch
 xhci-remove-tds-from-td-lists-when-urbs-are-canceled.patch
 xhci-handle-zero-length-isochronous-packets.patch
+sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
+ath9k-fix-ps-wrappers-in-ath9k_set_coverage_class.patch
+ibmveth-fix-leak-when-recycling-skb-and-hypervisor-returns.patch
+carl9170-fix-mismatch-in-carl9170_op_set_key-mutex.patch
+ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
+rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
+mac80211-fix-suspend-resume-races-with-unregister-hw.patch
+savagedb-fix-typo-causing-regression-in-savage4-series.patch