--- /dev/null
+From 448f53a1ede54eb854d036abf54573281412d650 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Tue, 14 Dec 2010 20:06:20 +0000
+Subject: drm/i915/bios: Reverse order of 100/120 Mhz SSC clocks
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 448f53a1ede54eb854d036abf54573281412d650 upstream.
+
+Fixes the lack of output on the LVDS panel of the Lenovo U160.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=31596
+Reported-and-tested-by: Dirk Gouders <gouders@et.bocholt.fh-gelsenkirchen.de>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -276,7 +276,7 @@ parse_general_features(struct drm_i915_p
+ general->ssc_freq ? 66 : 48;
+ else if (IS_IRONLAKE(dev_priv->dev) || IS_GEN6(dev))
+ dev_priv->lvds_ssc_freq =
+- general->ssc_freq ? 100 : 120;
++ general->ssc_freq ? 120 : 100;
+ else
+ dev_priv->lvds_ssc_freq =
+ general->ssc_freq ? 100 : 96;
--- /dev/null
+From 8316f33766a82907c694267ff911e45e256f09f9 Mon Sep 17 00:00:00 2001
+From: David Flynn <davidf@rd.bbc.co.uk>
+Date: Wed, 8 Dec 2010 16:10:21 +0000
+Subject: drm/i915/dp: Fix I2C/EDID handling with active DisplayPort to DVI converter
+
+From: David Flynn <davidf@rd.bbc.co.uk>
+
+commit 8316f33766a82907c694267ff911e45e256f09f9 upstream.
+
+The DisplayPort standard (1.1a) states that:
+ The I2C-over-AUX Reply field is valid only when Native AUX CH Reply
+ field is AUX_ACK (00). When Native AUX CH Reply field is not 00, then,
+ I2C-over-AUX Reply field must be 00 and be ignored.
+
+This fixes broken EDID reading when using an active DisplayPort to
+duallink DVI converter. If the AUX CH replier chooses to defer the
+transaction, a short read occurs and erroneous data is returned as
+the i2c reply due to a lack of length checking and failure to check
+for AUX ACK.
+
+As a result, broken EDIDs can look like:
+ 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
+00: bc bc bc ff bc bc bc ff bc bc bc ac bc bc bc 45 ???.???.???????E
+10: bc bc bc 10 bc bc bc 34 bc bc bc ee bc bc bc 4c ???????4???????L
+20: bc bc bc 50 bc bc bc 00 bc bc bc 40 bc bc bc 00 ???P???.???@???.
+30: bc bc bc 01 bc bc bc 01 bc bc bc a0 bc bc bc 40 ???????????????@
+40: bc bc bc 00 bc bc bc 00 bc bc bc 00 bc bc bc 55 ???.???.???.???U
+50: bc bc bc 35 bc bc bc 31 bc bc bc 20 bc bc bc fc ???5???1??? ????
+60: bc bc bc 4c bc bc bc 34 bc bc bc 46 bc bc bc 00 ???L???4???F???.
+70: bc bc bc 38 bc bc bc 11 bc bc bc 20 bc bc bc 20 ???8??????? ???
+80: bc bc bc ff bc bc bc ff bc bc bc ff bc bc bc ff ???.???.???.???.
+...
+
+which can lead to:
+[drm:drm_edid_block_valid] *ERROR* EDID checksum is invalid, remainder
+[drm:drm_edid_block_valid] *ERROR* Raw EDID:
+<3>30 30 30 30 30 30 30 32 38 32 30 32 63 63 31 61 000000028202cc1a
+<3>28 00 02 8c 00 00 00 00 18 00 00 00 00 00 00 00 (...............
+<3>20 4c 61 73 74 20 62 65 61 63 6f 6e 3a 20 33 32 Last beacon: 32
+<3>32 30 6d 73 20 61 67 6f 46 00 05 8c 00 00 00 00 20ms agoF.......
+<3>36 00 00 00 00 00 00 00 00 0c 57 69 2d 46 69 20 6.........Wi-Fi
+<3>52 6f 75 74 65 72 01 08 82 84 8b 96 24 30 48 6c Router......$0Hl
+<3>03 01 01 06 02 00 00 2a 01 00 2f 01 00 32 04 0c .......*../..2..
+<3>12 18 60 dd 09 00 10 18 02 00 00 01 00 00 18 00 ..`.............
+
+Signed-off-by: David Flynn <davidf@rd.bbc.co.uk>
+[ickle: fix up some surrounding checkpatch warnings]
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_dp.c | 37 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -425,6 +425,7 @@ intel_dp_i2c_aux_ch(struct i2c_adapter *
+ uint16_t address = algo_data->address;
+ uint8_t msg[5];
+ uint8_t reply[2];
++ unsigned retry;
+ int msg_bytes;
+ int reply_bytes;
+ int ret;
+@@ -459,14 +460,33 @@ intel_dp_i2c_aux_ch(struct i2c_adapter *
+ break;
+ }
+
+- for (;;) {
+- ret = intel_dp_aux_ch(intel_dp,
+- msg, msg_bytes,
+- reply, reply_bytes);
++ for (retry = 0; retry < 5; retry++) {
++ ret = intel_dp_aux_ch(intel_dp,
++ msg, msg_bytes,
++ reply, reply_bytes);
+ if (ret < 0) {
+ DRM_DEBUG_KMS("aux_ch failed %d\n", ret);
+ return ret;
+ }
++
++ switch (reply[0] & AUX_NATIVE_REPLY_MASK) {
++ case AUX_NATIVE_REPLY_ACK:
++ /* I2C-over-AUX Reply field is only valid
++ * when paired with AUX ACK.
++ */
++ break;
++ case AUX_NATIVE_REPLY_NACK:
++ DRM_DEBUG_KMS("aux_ch native nack\n");
++ return -EREMOTEIO;
++ case AUX_NATIVE_REPLY_DEFER:
++ udelay(100);
++ continue;
++ default:
++ DRM_ERROR("aux_ch invalid native reply 0x%02x\n",
++ reply[0]);
++ return -EREMOTEIO;
++ }
++
+ switch (reply[0] & AUX_I2C_REPLY_MASK) {
+ case AUX_I2C_REPLY_ACK:
+ if (mode == MODE_I2C_READ) {
+@@ -474,17 +494,20 @@ intel_dp_i2c_aux_ch(struct i2c_adapter *
+ }
+ return reply_bytes - 1;
+ case AUX_I2C_REPLY_NACK:
+- DRM_DEBUG_KMS("aux_ch nack\n");
++ DRM_DEBUG_KMS("aux_i2c nack\n");
+ return -EREMOTEIO;
+ case AUX_I2C_REPLY_DEFER:
+- DRM_DEBUG_KMS("aux_ch defer\n");
++ DRM_DEBUG_KMS("aux_i2c defer\n");
+ udelay(100);
+ break;
+ default:
+- DRM_ERROR("aux_ch invalid reply 0x%02x\n", reply[0]);
++ DRM_ERROR("aux_i2c invalid reply 0x%02x\n", reply[0]);
+ return -EREMOTEIO;
+ }
+ }
++
++ DRM_ERROR("too many retries, giving up\n");
++ return -EREMOTEIO;
+ }
+
+ static int
--- /dev/null
+From 63ee41d794d9c555f84205517a68509848988760 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Mon, 20 Dec 2010 18:40:06 -0800
+Subject: drm/i915, intel_ips: When i915 loads after IPS, make IPS relink to i915.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit 63ee41d794d9c555f84205517a68509848988760 upstream.
+
+The IPS driver is designed to be able to run detached from i915 and
+just not enable GPU turbo in that case, in order to avoid module
+dependencies between the two drivers. This means that we don't know
+what the load order between the two is going to be, and we had
+previously only supported IPS after (optionally) i915, but not i915
+after IPS. If the wrong order was chosen, you'd get no GPU turbo, and
+something like half the possible graphics performance.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/i915/i915_dma.c | 23 +++++++++++++++++++++++
+ drivers/platform/x86/intel_ips.c | 36 +++++++++++++++++++++++++++++++++---
+ drivers/platform/x86/intel_ips.h | 21 +++++++++++++++++++++
+ 3 files changed, 77 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_dma.c
++++ b/drivers/gpu/drm/i915/i915_dma.c
+@@ -34,6 +34,7 @@
+ #include "i915_drm.h"
+ #include "i915_drv.h"
+ #include "i915_trace.h"
++#include "../../../platform/x86/intel_ips.h"
+ #include <linux/pci.h>
+ #include <linux/vgaarb.h>
+ #include <linux/acpi.h>
+@@ -2047,6 +2048,26 @@ out_unlock:
+ EXPORT_SYMBOL_GPL(i915_gpu_turbo_disable);
+
+ /**
++ * Tells the intel_ips driver that the i915 driver is now loaded, if
++ * IPS got loaded first.
++ *
++ * This awkward dance is so that neither module has to depend on the
++ * other in order for IPS to do the appropriate communication of
++ * GPU turbo limits to i915.
++ */
++static void
++ips_ping_for_i915_load(void)
++{
++ void (*link)(void);
++
++ link = symbol_get(ips_link_to_i915_driver);
++ if (link) {
++ link();
++ symbol_put(ips_link_to_i915_driver);
++ }
++}
++
++/**
+ * i915_driver_load - setup chip and create an initial config
+ * @dev: DRM device
+ * @flags: startup flags
+@@ -2234,6 +2255,8 @@ int i915_driver_load(struct drm_device *
+ /* XXX Prevent module unload due to memory corruption bugs. */
+ __module_get(THIS_MODULE);
+
++ ips_ping_for_i915_load();
++
+ return 0;
+
+ out_workqueue_free:
+--- a/drivers/platform/x86/intel_ips.c
++++ b/drivers/platform/x86/intel_ips.c
+@@ -75,6 +75,7 @@
+ #include <drm/i915_drm.h>
+ #include <asm/msr.h>
+ #include <asm/processor.h>
++#include "intel_ips.h"
+
+ #define PCI_DEVICE_ID_INTEL_THERMAL_SENSOR 0x3b32
+
+@@ -245,6 +246,7 @@
+ #define thm_writel(off, val) writel((val), ips->regmap + (off))
+
+ static const int IPS_ADJUST_PERIOD = 5000; /* ms */
++static bool late_i915_load = false;
+
+ /* For initial average collection */
+ static const int IPS_SAMPLE_PERIOD = 200; /* ms */
+@@ -339,6 +341,9 @@ struct ips_driver {
+ u64 orig_turbo_ratios;
+ };
+
++static bool
++ips_gpu_turbo_enabled(struct ips_driver *ips);
++
+ /**
+ * ips_cpu_busy - is CPU busy?
+ * @ips: IPS driver struct
+@@ -517,7 +522,7 @@ static void ips_disable_cpu_turbo(struct
+ */
+ static bool ips_gpu_busy(struct ips_driver *ips)
+ {
+- if (!ips->gpu_turbo_enabled)
++ if (!ips_gpu_turbo_enabled(ips))
+ return false;
+
+ return ips->gpu_busy();
+@@ -532,7 +537,7 @@ static bool ips_gpu_busy(struct ips_driv
+ */
+ static void ips_gpu_raise(struct ips_driver *ips)
+ {
+- if (!ips->gpu_turbo_enabled)
++ if (!ips_gpu_turbo_enabled(ips))
+ return;
+
+ if (!ips->gpu_raise())
+@@ -549,7 +554,7 @@ static void ips_gpu_raise(struct ips_dri
+ */
+ static void ips_gpu_lower(struct ips_driver *ips)
+ {
+- if (!ips->gpu_turbo_enabled)
++ if (!ips_gpu_turbo_enabled(ips))
+ return;
+
+ if (!ips->gpu_lower())
+@@ -1454,6 +1459,31 @@ out_err:
+ return false;
+ }
+
++static bool
++ips_gpu_turbo_enabled(struct ips_driver *ips)
++{
++ if (!ips->gpu_busy && late_i915_load) {
++ if (ips_get_i915_syms(ips)) {
++ dev_info(&ips->dev->dev,
++ "i915 driver attached, reenabling gpu turbo\n");
++ ips->gpu_turbo_enabled = !(thm_readl(THM_HTS) & HTS_GTD_DIS);
++ }
++ }
++
++ return ips->gpu_turbo_enabled;
++}
++
++void
++ips_link_to_i915_driver()
++{
++ /* We can't cleanly get at the various ips_driver structs from
++ * this caller (the i915 driver), so just set a flag saying
++ * that it's time to try getting the symbols again.
++ */
++ late_i915_load = true;
++}
++EXPORT_SYMBOL_GPL(ips_link_to_i915_driver);
++
+ static DEFINE_PCI_DEVICE_TABLE(ips_id_table) = {
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL,
+ PCI_DEVICE_ID_INTEL_THERMAL_SENSOR), },
+--- /dev/null
++++ b/drivers/platform/x86/intel_ips.h
+@@ -0,0 +1,21 @@
++/*
++ * Copyright (c) 2010 Intel Corporation
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
++ * more details.
++ *
++ * You should have received a copy of the GNU General Public License along with
++ * this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * The full GNU General Public License is included in this distribution in
++ * the file called "COPYING".
++ */
++
++void ips_link_to_i915_driver(void);
--- /dev/null
+From 86f5c9edbb3bac37cc8cee6528a929005ba72aad Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Mon, 20 Dec 2010 12:35:04 -0500
+Subject: drm/radeon/kms/evergreen: reset the grbm blocks at resume and init
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 86f5c9edbb3bac37cc8cee6528a929005ba72aad upstream.
+
+This fixes module reloading and resume as the gfx block seems to
+be left in a bad state in some cases.
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/evergreen.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -2097,6 +2097,11 @@ int evergreen_resume(struct radeon_devic
+ {
+ int r;
+
++ /* reset the asic, the gfx blocks are often in a bad state
++ * after the driver is unloaded or after a resume
++ */
++ if (radeon_asic_reset(rdev))
++ dev_warn(rdev->dev, "GPU reset failed !\n");
+ /* Do not reset GPU before posting, on rv770 hw unlike on r500 hw,
+ * posting will perform necessary task to bring back GPU into good
+ * shape.
+@@ -2193,6 +2198,11 @@ int evergreen_init(struct radeon_device
+ r = radeon_atombios_init(rdev);
+ if (r)
+ return r;
++ /* reset the asic, the gfx blocks are often in a bad state
++ * after the driver is unloaded or after a resume
++ */
++ if (radeon_asic_reset(rdev))
++ dev_warn(rdev->dev, "GPU reset failed !\n");
+ /* Post card if necessary */
+ if (!evergreen_card_posted(rdev)) {
+ if (!rdev->bios) {
--- /dev/null
+From 9f0c4f9c2f835eee1bbb93f96bf9483d56f1892b Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Mon, 20 Dec 2010 12:35:03 -0500
+Subject: drm/radeon/kms: fix evergreen asic reset
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 9f0c4f9c2f835eee1bbb93f96bf9483d56f1892b upstream.
+
+Only reset the grbm blocks, srbm tends to lock the GPU
+if not done properly and in most cases is not necessary.
+Also, no need to call asic init after reset the grbm blocks.
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/evergreen.c | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -1423,7 +1423,6 @@ bool evergreen_gpu_is_lockup(struct rade
+ static int evergreen_gpu_soft_reset(struct radeon_device *rdev)
+ {
+ struct evergreen_mc_save save;
+- u32 srbm_reset = 0;
+ u32 grbm_reset = 0;
+
+ dev_info(rdev->dev, "GPU softreset \n");
+@@ -1462,16 +1461,6 @@ static int evergreen_gpu_soft_reset(stru
+ udelay(50);
+ WREG32(GRBM_SOFT_RESET, 0);
+ (void)RREG32(GRBM_SOFT_RESET);
+-
+- /* reset all the system blocks */
+- srbm_reset = SRBM_SOFT_RESET_ALL_MASK;
+-
+- dev_info(rdev->dev, " SRBM_SOFT_RESET=0x%08X\n", srbm_reset);
+- WREG32(SRBM_SOFT_RESET, srbm_reset);
+- (void)RREG32(SRBM_SOFT_RESET);
+- udelay(50);
+- WREG32(SRBM_SOFT_RESET, 0);
+- (void)RREG32(SRBM_SOFT_RESET);
+ /* Wait a little for things to settle down */
+ udelay(50);
+ dev_info(rdev->dev, " GRBM_STATUS=0x%08X\n",
+@@ -1482,10 +1471,6 @@ static int evergreen_gpu_soft_reset(stru
+ RREG32(GRBM_STATUS_SE1));
+ dev_info(rdev->dev, " SRBM_STATUS=0x%08X\n",
+ RREG32(SRBM_STATUS));
+- /* After reset we need to reinit the asic as GPU often endup in an
+- * incoherent state.
+- */
+- atom_asic_init(rdev->mode_info.atom_context);
+ evergreen_mc_resume(rdev, &save);
+ return 0;
+ }
--- /dev/null
+From a93f344d3c04e4b84490c65f2a574387c593be40 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Mon, 20 Dec 2010 11:22:29 -0500
+Subject: drm/radeon/kms: reorder display resume to avoid problems
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit a93f344d3c04e4b84490c65f2a574387c593be40 upstream.
+
+On resume, we were attemping to unblank the displays before the
+timing and plls had be reprogrammed which led to atom timeouts
+waiting for things that are not yet programmed. Re-program
+the mode first, then reset the dpms state.
+
+This fixes the infamous atombios timeouts on resume.
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/atombios_crtc.c | 3 ++-
+ drivers/gpu/drm/radeon/radeon_device.c | 9 ++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -253,7 +253,8 @@ void atombios_crtc_dpms(struct drm_crtc
+ case DRM_MODE_DPMS_SUSPEND:
+ case DRM_MODE_DPMS_OFF:
+ drm_vblank_pre_modeset(dev, radeon_crtc->crtc_id);
+- atombios_blank_crtc(crtc, ATOM_ENABLE);
++ if (radeon_crtc->enabled)
++ atombios_blank_crtc(crtc, ATOM_ENABLE);
+ if (ASIC_IS_DCE3(rdev))
+ atombios_enable_crtc_memreq(crtc, ATOM_DISABLE);
+ atombios_enable_crtc(crtc, ATOM_DISABLE);
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -829,11 +829,6 @@ int radeon_resume_kms(struct drm_device
+ radeon_pm_resume(rdev);
+ radeon_restore_bios_scratch_regs(rdev);
+
+- /* turn on display hw */
+- list_for_each_entry(connector, &dev->mode_config.connector_list, head) {
+- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
+- }
+-
+ radeon_fbdev_set_suspend(rdev, 0);
+ release_console_sem();
+
+@@ -841,6 +836,10 @@ int radeon_resume_kms(struct drm_device
+ radeon_hpd_init(rdev);
+ /* blat the mode back in */
+ drm_helper_resume_force_mode(dev);
++ /* turn on display hw */
++ list_for_each_entry(connector, &dev->mode_config.connector_list, head) {
++ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
++ }
+ return 0;
+ }
+
--- /dev/null
+From 867c20265459d30a01b021a9c1e81fb4c5832aa9 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Mon, 3 Jan 2011 14:59:10 -0800
+Subject: ima: fix add LSM rule bug
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 867c20265459d30a01b021a9c1e81fb4c5832aa9 upstream.
+
+If security_filter_rule_init() doesn't return a rule, then not everything
+is as fine as the return code implies.
+
+This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
+
+Adding an empty LSM rule causes ima_match_rules() to always succeed,
+ignoring any remaining rules.
+
+ default IMA TCB policy:
+ # PROC_SUPER_MAGIC
+ dont_measure fsmagic=0x9fa0
+ # SYSFS_MAGIC
+ dont_measure fsmagic=0x62656572
+ # DEBUGFS_MAGIC
+ dont_measure fsmagic=0x64626720
+ # TMPFS_MAGIC
+ dont_measure fsmagic=0x01021994
+ # SECURITYFS_MAGIC
+ dont_measure fsmagic=0x73636673
+
+ < LSM specific rule >
+ dont_measure obj_type=var_log_t
+
+ measure func=BPRM_CHECK
+ measure func=FILE_MMAP mask=MAY_EXEC
+ measure func=FILE_CHECK mask=MAY_READ uid=0
+
+Thus without the patch, with the boot parameters 'tcb selinux=0', adding
+the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
+measurement policy, would result in nothing being measured. The patch
+prevents the default TCB policy from being replaced.
+
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Cc: James Morris <jmorris@namei.org>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Cc: David Safford <safford@watson.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/integrity/ima/ima_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_
+ result = security_filter_rule_init(entry->lsm[lsm_rule].type,
+ Audit_equal, args,
+ &entry->lsm[lsm_rule].rule);
++ if (!entry->lsm[lsm_rule].rule)
++ return -EINVAL;
+ return result;
+ }
+
--- /dev/null
+From 73c1160ce377d8fc6d84cb630ebf9658808bec49 Mon Sep 17 00:00:00 2001
+From: Andre Przywara <andre.przywara@amd.com>
+Date: Wed, 1 Dec 2010 12:17:44 +0100
+Subject: KVM: enlarge number of possible CPUID leaves
+
+From: Andre Przywara <andre.przywara@amd.com>
+
+commit 73c1160ce377d8fc6d84cb630ebf9658808bec49 upstream.
+
+Currently the number of CPUID leaves KVM handles is limited to 40.
+My desktop machine (AthlonII) already has 35 and future CPUs will
+expand this well beyond the limit. Extend the limit to 80 to make
+room for future processors.
+
+KVM-Stable-Tag.
+Signed-off-by: Andre Przywara <andre.przywara@amd.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -79,7 +79,7 @@
+ #define KVM_NUM_MMU_PAGES (1 << KVM_MMU_HASH_SHIFT)
+ #define KVM_MIN_FREE_MMU_PAGES 5
+ #define KVM_REFILL_PAGES 25
+-#define KVM_MAX_CPUID_ENTRIES 40
++#define KVM_MAX_CPUID_ENTRIES 80
+ #define KVM_NR_FIXED_MTRR_REGION 88
+ #define KVM_NR_VAR_MTRR 8
+
--- /dev/null
+From 3ea3aa8cf67d3bbe00a19b6a4013d19efa7d0f41 Mon Sep 17 00:00:00 2001
+From: Sheng Yang <sheng@linux.intel.com>
+Date: Wed, 8 Dec 2010 10:49:43 +0800
+Subject: KVM: Fix OSXSAVE after migration
+
+From: Sheng Yang <sheng@linux.intel.com>
+
+commit 3ea3aa8cf67d3bbe00a19b6a4013d19efa7d0f41 upstream.
+
+CPUID's OSXSAVE is a mirror of CR4.OSXSAVE bit. We need to update the CPUID
+after migration.
+
+KVM-Stable-Tag.
+Signed-off-by: Sheng Yang <sheng@linux.intel.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5112,6 +5112,8 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
+
+ mmu_reset_needed |= kvm_read_cr4(vcpu) != sregs->cr4;
+ kvm_x86_ops->set_cr4(vcpu, sregs->cr4);
++ if (sregs->cr4 & X86_CR4_OSXSAVE)
++ update_cpuid(vcpu);
+ if (!is_long_mode(vcpu) && is_pae(vcpu)) {
+ load_pdptrs(vcpu, vcpu->arch.cr3);
+ mmu_reset_needed = 1;
--- /dev/null
+From 24d1b15f72abe3465e871d11cfc9dc34d1aab8b2 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Tue, 7 Dec 2010 17:15:05 +0100
+Subject: KVM: SVM: Do not report xsave in supported cpuid
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit 24d1b15f72abe3465e871d11cfc9dc34d1aab8b2 upstream.
+
+To support xsave properly for the guest the SVM module need
+software support for it. As long as this is not present do
+not report the xsave as supported feature in cpuid.
+As a side-effect this patch moves the bit() helper function
+into the x86.h file so that it can be used in svm.c too.
+
+KVM-Stable-Tag.
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/svm.c | 4 ++++
+ arch/x86/kvm/vmx.c | 5 -----
+ arch/x86/kvm/x86.c | 5 -----
+ arch/x86/kvm/x86.h | 5 +++++
+ 4 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3383,6 +3383,10 @@ static void svm_cpuid_update(struct kvm_
+ static void svm_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry)
+ {
+ switch (func) {
++ case 0x00000001:
++ /* Mask out xsave bit as long as it is not supported by SVM */
++ entry->ecx &= ~(bit(X86_FEATURE_XSAVE));
++ break;
+ case 0x80000001:
+ if (nested)
+ entry->ecx |= (1 << 2); /* Set SVM bit */
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4248,11 +4248,6 @@ static int vmx_get_lpage_level(void)
+ return PT_PDPE_LEVEL;
+ }
+
+-static inline u32 bit(int bitno)
+-{
+- return 1 << (bitno & 31);
+-}
+-
+ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_cpuid_entry2 *best;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -153,11 +153,6 @@ struct kvm_stats_debugfs_item debugfs_en
+
+ u64 __read_mostly host_xcr0;
+
+-static inline u32 bit(int bitno)
+-{
+- return 1 << (bitno & 31);
+-}
+-
+ static void kvm_on_user_return(struct user_return_notifier *urn)
+ {
+ unsigned slot;
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -65,6 +65,11 @@ static inline int is_paging(struct kvm_v
+ return kvm_read_cr0_bits(vcpu, X86_CR0_PG);
+ }
+
++static inline u32 bit(int bitno)
++{
++ return 1 << (bitno & 31);
++}
++
+ void kvm_before_handle_nmi(struct kvm_vcpu *vcpu);
+ void kvm_after_handle_nmi(struct kvm_vcpu *vcpu);
+
--- /dev/null
+From ebb76ce16daf6908dc030dec1c00827d37129fe5 Mon Sep 17 00:00:00 2001
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Date: Wed, 29 Dec 2010 14:07:11 -0800
+Subject: memcg: fix wrong VM_BUG_ON() in try_charge()'s mm->owner check
+
+From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+
+commit ebb76ce16daf6908dc030dec1c00827d37129fe5 upstream.
+
+At __mem_cgroup_try_charge(), VM_BUG_ON(!mm->owner) is checked.
+But as commented in mem_cgroup_from_task(), mm->owner can be NULL
+in some racy case. This check of VM_BUG_ON() is bad.
+
+A possible story to hit this is at swapoff()->try_to_unuse(). It passes
+mm_struct to mem_cgroup_try_charge_swapin() while mm->owner is NULL. If we
+can't get proper mem_cgroup from swap_cgroup information, mm->owner is used
+as charge target and we see NULL.
+
+Cc: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Reported-by: Hugh Dickins <hughd@google.com>
+Reported-by: Thomas Meyer <thomas@m3y3r.de>
+Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Reviewed-by: Balbir Singh <balbir@linux.vnet.ibm.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/memcontrol.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1730,19 +1730,18 @@ again:
+
+ rcu_read_lock();
+ p = rcu_dereference(mm->owner);
+- VM_BUG_ON(!p);
+ /*
+- * because we don't have task_lock(), "p" can exit while
+- * we're here. In that case, "mem" can point to root
+- * cgroup but never be NULL. (and task_struct itself is freed
+- * by RCU, cgroup itself is RCU safe.) Then, we have small
+- * risk here to get wrong cgroup. But such kind of mis-account
+- * by race always happens because we don't have cgroup_mutex().
+- * It's overkill and we allow that small race, here.
++ * Because we don't have task_lock(), "p" can exit.
++ * In that case, "mem" can point to root or p can be NULL with
++ * race with swapoff. Then, we have small risk of mis-accouning.
++ * But such kind of mis-account by race always happens because
++ * we don't have cgroup_mutex(). It's overkill and we allo that
++ * small race, here.
++ * (*) swapoff at el will charge against mm-struct not against
++ * task-struct. So, mm->owner can be NULL.
+ */
+ mem = mem_cgroup_from_task(p);
+- VM_BUG_ON(!mem);
+- if (mem_cgroup_is_root(mem)) {
++ if (!mem || mem_cgroup_is_root(mem)) {
+ rcu_read_unlock();
+ goto done;
+ }
--- /dev/null
+From bd7c72ed18d719c1fb0fdf6ff9042d8ab78fdf71 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Wed, 24 Nov 2010 18:01:39 +0000
+Subject: mfd: Supply IRQ base for WM832x devices
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit bd7c72ed18d719c1fb0fdf6ff9042d8ab78fdf71 upstream.
+
+Without this the IRQ base will not be correctly configured for the
+subdevices.
+
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mfd/wm831x-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/wm831x-core.c
++++ b/drivers/mfd/wm831x-core.c
+@@ -1621,7 +1621,7 @@ static int wm831x_device_init(struct wm8
+ case WM8321:
+ ret = mfd_add_devices(wm831x->dev, -1,
+ wm8320_devs, ARRAY_SIZE(wm8320_devs),
+- NULL, 0);
++ NULL, wm831x->irq_base);
+ break;
+
+ default:
--- /dev/null
+From b93cef556162b0f33399bfe5f307c54f51554e09 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Date: Thu, 2 Dec 2010 16:25:43 +0000
+Subject: mfd: Support additional parent IDs for wm831x
+
+From: Mark Brown <broonie@opensource.wolfsonmicro.com>
+
+commit b93cef556162b0f33399bfe5f307c54f51554e09 upstream.
+
+Some newer device revisions add a second parent ID. Support this in
+the device validity checks done at startup.
+
+Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mfd/wm831x-core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mfd/wm831x-core.c
++++ b/drivers/mfd/wm831x-core.c
+@@ -1464,7 +1464,11 @@ static int wm831x_device_init(struct wm8
+ dev_err(wm831x->dev, "Failed to read parent ID: %d\n", ret);
+ goto err;
+ }
+- if (ret != 0x6204) {
++ switch (ret) {
++ case 0x6204:
++ case 0x6246:
++ break;
++ default:
+ dev_err(wm831x->dev, "Device is not a WM831x: ID %x\n", ret);
+ ret = -EINVAL;
+ goto err;
--- /dev/null
+From 8333f65ef094e47020cd01452b4637e7daf5a77f Mon Sep 17 00:00:00 2001
+From: Saeed Bishara <saeed@marvell.com>
+Date: Tue, 21 Dec 2010 16:53:39 +0200
+Subject: mv_xor: fix race in tasklet function
+
+From: Saeed Bishara <saeed@marvell.com>
+
+commit 8333f65ef094e47020cd01452b4637e7daf5a77f upstream.
+
+use mv_xor_slot_cleanup() instead of __mv_xor_slot_cleanup() as the former function
+aquires the spin lock that needed to protect the drivers data.
+
+Signed-off-by: Saeed Bishara <saeed@marvell.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/mv_xor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -449,7 +449,7 @@ mv_xor_slot_cleanup(struct mv_xor_chan *
+ static void mv_xor_tasklet(unsigned long data)
+ {
+ struct mv_xor_chan *chan = (struct mv_xor_chan *) data;
+- __mv_xor_slot_cleanup(chan);
++ mv_xor_slot_cleanup(chan);
+ }
+
+ static struct mv_xor_desc_slot *
watchdog-fix-null-pointer-dereference-while-accessing-rdc321x-platform_data.patch
watchdog-improve-initialisation-error-message-and-documentation.patch
arch-x86-oprofile-op_model_amd.c-perform-initialisation-on-a-single-cpu.patch
+mfd-support-additional-parent-ids-for-wm831x.patch
+mfd-supply-irq-base-for-wm832x-devices.patch
+drm-radeon-kms-evergreen-reset-the-grbm-blocks-at-resume-and-init.patch
+drm-radeon-kms-fix-evergreen-asic-reset.patch
+drm-radeon-kms-reorder-display-resume-to-avoid-problems.patch
+drm-i915-dp-fix-i2c-edid-handling-with-active-displayport-to-dvi-converter.patch
+drm-i915-bios-reverse-order-of-100-120-mhz-ssc-clocks.patch
+drm-i915-intel_ips-when-i915-loads-after-ips-make-ips-relink-to-i915.patch
+memcg-fix-wrong-vm_bug_on-in-try_charge-s-mm-owner-check.patch
+sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
+kvm-enlarge-number-of-possible-cpuid-leaves.patch
+kvm-svm-do-not-report-xsave-in-supported-cpuid.patch
+kvm-fix-osxsave-after-migration.patch
+mv_xor-fix-race-in-tasklet-function.patch
+ima-fix-add-lsm-rule-bug.patch
--- /dev/null
+From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb upstream.
+
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow. Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels(). In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/oss/soundcard.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -86,7 +86,7 @@ int *load_mixer_volumes(char *name, int
+ int i, n;
+
+ for (i = 0; i < num_mixer_volumes; i++) {
+- if (strcmp(name, mixer_vols[i].name) == 0) {
++ if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ if (present)
+ mixer_vols[i].num = i;
+ return mixer_vols[i].levels;
+@@ -98,7 +98,7 @@ int *load_mixer_volumes(char *name, int
+ }
+ n = num_mixer_volumes++;
+
+- strcpy(mixer_vols[n].name, name);
++ strncpy(mixer_vols[n].name, name, 32);
+
+ if (present)
+ mixer_vols[n].num = n;
projects / thirdparty / kernel / stable-queue.git / commitdiff
