.38 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 10 May 2011 00:10:13 +0000 (17:10 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 10 May 2011 00:10:13 +0000 (17:10 -0700)
14 files changed:
queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch [new file with mode: 0644]
queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch [new file with mode: 0644]
queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch [new file with mode: 0644]
queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch [new file with mode: 0644]
queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch [new file with mode: 0644]
queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch [new file with mode: 0644]
queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch [new file with mode: 0644]
queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch [new file with mode: 0644]
queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch [new file with mode: 0644]
queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch [new file with mode: 0644]
queue-2.6.38/series [new file with mode: 0644]
queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch [new file with mode: 0644]
queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch [new file with mode: 0644]
queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch [new file with mode: 0644]

diff --git a/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch b/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
new file mode 100644 (file)
index 0000000..c6a148f
--- /dev/null
@@ -0,0 +1,58 @@
+From bfacf2225a955bea9c41c707fc72ba16009674a0 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 27 Apr 2011 13:25:51 -0400
+Subject: cifs: change bleft in decode_unicode_ssetup back to signed type
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit bfacf2225a955bea9c41c707fc72ba16009674a0 upstream.
+
+The buffer length checks in this function depend on this value being a
+signed data type, but 690c522fa converted it to an unsigned type.
+
+Also, eliminate a problem with the null termination check in the same
+function. cifs_strndup_from_ucs handles that situation correctly
+already, and the existing check could potentially lead to a buffer
+overrun since it increments bleft without checking to see whether it
+falls off the end of the buffer.
+
+Reported-and-Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/sess.c |   15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -277,7 +277,7 @@ static void ascii_ssetup_strings(char **
+ }
+ static void
+-decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
++decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
+                     const struct nls_table *nls_cp)
+ {
+       int len;
+@@ -285,19 +285,6 @@ decode_unicode_ssetup(char **pbcc_area,
+       cFYI(1, "bleft %d", bleft);
+-      /*
+-       * Windows servers do not always double null terminate their final
+-       * Unicode string. Check to see if there are an uneven number of bytes
+-       * left. If so, then add an extra NULL pad byte to the end of the
+-       * response.
+-       *
+-       * See section 2.7.2 in "Implementing CIFS" for details
+-       */
+-      if (bleft % 2) {
+-              data[bleft] = 0;
+-              ++bleft;
+-      }
+-
+       kfree(ses->serverOS);
+       ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
+       cFYI(1, "serverOS=%s", ses->serverOS);
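Review bot: The new `int bleft` parameter of decode_unicode_ssetup carries no comment saying why it is signed, yet the commit message records that an earlier change (690c522fa) converted it to an unsigned type and broke the buffer length checks. A one-line comment above the signature would guard against a repeat, for example `/* bleft must stay signed: the length checks in this function depend on it */`. The checks themselves are outside this hunk, so the wording should be confirmed against the rest of the function body.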
diff --git a/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch b/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
new file mode 100644 (file)
index 0000000..4493188
--- /dev/null
@@ -0,0 +1,37 @@
+From fcda7f4578bbf9717444ca6da8a421d21489d078 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 27 Apr 2011 13:25:51 -0400
+Subject: cifs: check for bytes_remaining going to zero in CIFS_SessSetup
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit fcda7f4578bbf9717444ca6da8a421d21489d078 upstream.
+
+It's possible that when we go to decode the string area in the
+SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at
+that point will mean that it can go "negative" and wrap. Check for a
+bytes_remaining value of 0, and don't try to decode the string area if
+that's the case.
+
+Reported-and-Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/sess.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -917,7 +917,9 @@ ssetup_ntlmssp_authenticate:
+       }
+       /* BB check if Unicode and decode strings */
+-      if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
++      if (bytes_remaining == 0) {
++              /* no string area to decode, do nothing */
++      } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+               /* unicode string area must be word-aligned */
+               if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
+                       ++bcc_ptr;
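Review bot: The empty `if (bytes_remaining == 0)` branch says what is skipped but not why the test has to come before the Unicode branch. The commit message explains that decrementing bytes_remaining from zero makes it wrap, and that reasoning belongs in the code, e.g. `/* no string area; decrementing bytes_remaining below would wrap */`. The decrement is outside this hunk, presumably right after `++bcc_ptr`, so a later cleanup that sees only an empty branch could remove the guard without noticing what it protects.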
diff --git a/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch b/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch
new file mode 100644 (file)
index 0000000..5b71641
--- /dev/null
@@ -0,0 +1,46 @@
+From 16541ba11c4f04ffe94b073e301f00b749fb84a1 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Fri, 29 Apr 2011 06:52:44 -0400
+Subject: cifs: handle errors from coalesce_t2
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 16541ba11c4f04ffe94b073e301f00b749fb84a1 upstream.
+
+cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2
+responses into the original mid buffer. coalesce_t2 however can return
+errors, but the caller doesn't handle that situation properly. Fix the
+thread to treat such a case as it would a malformed packet. Mark the
+mid as being malformed and issue the callback.
+
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -631,12 +631,16 @@ incomplete_rcv:
+                               isMultiRsp = true;
+                               if (mid_entry->resp_buf) {
+                                       /* merge response - fix up 1st*/
+-                                      if (coalesce_t2(smb_buffer,
+-                                                      mid_entry->resp_buf)) {
++                                      length = coalesce_t2(smb_buffer,
++                                                      mid_entry->resp_buf);
++                                      if (length > 0) {
++                                              length = 0;
+                                               mid_entry->multiRsp = true;
+                                               break;
+                                       } else {
+-                                              /* all parts received */
++                                              /* all parts received or
++                                               * packet is malformed
++                                               */
+                                               mid_entry->multiEnd = true;
+                                               goto multi_t2_fnd;
+                                       }
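Review bot: `length` is overloaded in this branch: it holds the receive length, then the coalesce_t2() return value, and is reset with `length = 0` on the "more to come" path, while a negative error code is never reported. The new comment says "or packet is malformed" but not that a non-zero `length` is what makes the later code mark the mid as malformed; that code sits after the `multi_t2_fnd` label, outside this hunk. I would spell it out, e.g. `/* all parts received, or coalesce_t2 failed and length < 0 marks the mid malformed */`. A debug line such as `cFYI(1, "coalesce_t2 failed: %d", length);` in the error case would also make a server sending inconsistent transact2 fragments visible in the log.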
diff --git a/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch b/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
new file mode 100644 (file)
index 0000000..8cbb8df
--- /dev/null
@@ -0,0 +1,129 @@
+From 146f9f65bd13f56665205aed7205d531c810cb35 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Fri, 29 Apr 2011 06:52:43 -0400
+Subject: cifs: refactor mid finding loop in cifs_demultiplex_thread
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 146f9f65bd13f56665205aed7205d531c810cb35 upstream.
+
+...to reduce the extreme indentation. This should introduce no
+behavioral changes.
+
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c |   92 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 46 insertions(+), 46 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -618,59 +618,59 @@ incomplete_rcv:
+               list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
+                       mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+-                      if ((mid_entry->mid == smb_buffer->Mid) &&
+-                          (mid_entry->midState == MID_REQUEST_SUBMITTED) &&
+-                          (mid_entry->command == smb_buffer->Command)) {
+-                              if (length == 0 &&
+-                                 check2ndT2(smb_buffer, server->maxBuf) > 0) {
+-                                      /* We have a multipart transact2 resp */
+-                                      isMultiRsp = true;
+-                                      if (mid_entry->resp_buf) {
+-                                              /* merge response - fix up 1st*/
+-                                              if (coalesce_t2(smb_buffer,
++                      if (mid_entry->mid != smb_buffer->Mid ||
++                          mid_entry->midState != MID_REQUEST_SUBMITTED ||
++                          mid_entry->command != smb_buffer->Command) {
++                              mid_entry = NULL;
++                              continue;
++                      }
++
++                      if (length == 0 &&
++                          check2ndT2(smb_buffer, server->maxBuf) > 0) {
++                              /* We have a multipart transact2 resp */
++                              isMultiRsp = true;
++                              if (mid_entry->resp_buf) {
++                                      /* merge response - fix up 1st*/
++                                      if (coalesce_t2(smb_buffer,
+                                                       mid_entry->resp_buf)) {
+-                                                      mid_entry->multiRsp =
+-                                                               true;
+-                                                      break;
+-                                              } else {
+-                                                      /* all parts received */
+-                                                      mid_entry->multiEnd =
+-                                                               true;
+-                                                      goto multi_t2_fnd;
+-                                              }
++                                              mid_entry->multiRsp = true;
++                                              break;
++                                      } else {
++                                              /* all parts received */
++                                              mid_entry->multiEnd = true;
++                                              goto multi_t2_fnd;
++                                      }
++                              } else {
++                                      if (!isLargeBuf) {
++                                              /*
++                                               * FIXME: switch to already
++                                               *        allocated largebuf?
++                                               */
++                                              cERROR(1, "1st trans2 resp "
++                                                        "needs bigbuf");
+                                       } else {
+-                                              if (!isLargeBuf) {
+-                                                      cERROR(1, "1st trans2 resp needs bigbuf");
+-                                      /* BB maybe we can fix this up,  switch
+-                                         to already allocated large buffer? */
+-                                              } else {
+-                                                      /* Have first buffer */
+-                                                      mid_entry->resp_buf =
+-                                                               smb_buffer;
+-                                                      mid_entry->largeBuf =
+-                                                               true;
+-                                                      bigbuf = NULL;
+-                                              }
++                                              /* Have first buffer */
++                                              mid_entry->resp_buf =
++                                                       smb_buffer;
++                                              mid_entry->largeBuf = true;
++                                              bigbuf = NULL;
+                                       }
+-                                      break;
+                               }
+-                              mid_entry->resp_buf = smb_buffer;
+-                              mid_entry->largeBuf = isLargeBuf;
++                              break;
++                      }
++                      mid_entry->resp_buf = smb_buffer;
++                      mid_entry->largeBuf = isLargeBuf;
+ multi_t2_fnd:
+-                              if (length == 0)
+-                                      mid_entry->midState =
+-                                                      MID_RESPONSE_RECEIVED;
+-                              else
+-                                      mid_entry->midState =
+-                                                      MID_RESPONSE_MALFORMED;
++                      if (length == 0)
++                              mid_entry->midState = MID_RESPONSE_RECEIVED;
++                      else
++                              mid_entry->midState = MID_RESPONSE_MALFORMED;
+ #ifdef CONFIG_CIFS_STATS2
+-                              mid_entry->when_received = jiffies;
++                      mid_entry->when_received = jiffies;
+ #endif
+-                              list_del_init(&mid_entry->qhead);
+-                              mid_entry->callback(mid_entry);
+-                              break;
+-                      }
+-                      mid_entry = NULL;
++                      list_del_init(&mid_entry->qhead);
++                      mid_entry->callback(mid_entry);
++                      break;
+               }
+               spin_unlock(&GlobalMid_Lock);
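Review bot: The re-indented cERROR call splits its message into two literals, `"1st trans2 resp " "needs bigbuf"`, so the logged text can no longer be found with a single grep of the source. Kernel style keeps user-visible strings on one line even past 80 columns; `cERROR(1, "1st trans2 resp needs bigbuf");` as in the removed code would be preferable. The `!isLargeBuf` path still falls through to `break` with the FIXME unresolved, which predates this commit.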
diff --git a/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch b/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch
new file mode 100644 (file)
index 0000000..d0266e6
--- /dev/null
@@ -0,0 +1,84 @@
+From 2a2047bc94d0efc316401170c3d078d9edc20dc4 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 27 Apr 2011 13:29:49 -0400
+Subject: cifs: sanitize length checking in coalesce_t2 (try #3)
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 2a2047bc94d0efc316401170c3d078d9edc20dc4 upstream.
+
+There are a couple of places in this code where these values can wrap or
+go negative, and that could potentially end up overflowing the buffer.
+Ensure that that doesn't happen. Do all of the length calculation and
+checks first, and only perform the memcpy after they pass.
+
+Also, increase some stack variables to 32 bits to ensure that they don't
+wrap without being detected.
+
+Finally, change the error codes to be a bit more descriptive of any
+problems detected. -EINVAL isn't very accurate.
+
+Reported-and-Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c |   22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -275,7 +275,8 @@ static int coalesce_t2(struct smb_hdr *p
+       char *data_area_of_target;
+       char *data_area_of_buf2;
+       int remaining;
+-      __u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
++      unsigned int byte_count, total_in_buf;
++      __u16 total_data_size, total_in_buf2;
+       total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
+@@ -288,7 +289,7 @@ static int coalesce_t2(struct smb_hdr *p
+       remaining = total_data_size - total_in_buf;
+       if (remaining < 0)
+-              return -EINVAL;
++              return -EPROTO;
+       if (remaining == 0) /* nothing to do, ignore */
+               return 0;
+@@ -309,20 +310,29 @@ static int coalesce_t2(struct smb_hdr *p
+       data_area_of_target += total_in_buf;
+       /* copy second buffer into end of first buffer */
+-      memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
+       total_in_buf += total_in_buf2;
++      /* is the result too big for the field? */
++      if (total_in_buf > USHRT_MAX)
++              return -EPROTO;
+       put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
++
++      /* fix up the BCC */
+       byte_count = get_bcc_le(pTargetSMB);
+       byte_count += total_in_buf2;
++      /* is the result too big for the field? */
++      if (byte_count > USHRT_MAX)
++              return -EPROTO;
+       put_bcc_le(byte_count, pTargetSMB);
+       byte_count = pTargetSMB->smb_buf_length;
+       byte_count += total_in_buf2;
+-
+-      /* BB also add check that we are not beyond maximum buffer size */
+-
++      /* don't allow buffer to overflow */
++      if (byte_count > CIFSMaxBufSize)
++              return -ENOBUFS;
+       pTargetSMB->smb_buf_length = byte_count;
++      memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
++
+       if (remaining == total_in_buf2) {
+               cFYI(1, "found the last secondary response");
+               return 0; /* we are done */
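Review bot: The target header is still rewritten before the last checks run: `put_unaligned_le16()` updates DataCount and `put_bcc_le()` updates the byte count ahead of the `CIFSMaxBufSize` test. A `-ENOBUFS` return, or the second `-EPROTO`, therefore leaves the target SMB with counts that no longer match the data it holds. The commit message states the intent as doing all length calculation and checks first, and applying that to the header writes as well as the memcpy keeps the buffer consistent on every error path. The sketch below reorders only the lines in the last hunk; it assumes `smb_buf_length` can be added to directly, as the hunk already does, and the function's earlier checks are outside the hunk.

```c
	/* ... unchanged: data_area_of_target / data_area_of_buf2 setup ... */
	total_in_buf += total_in_buf2;
	/* is the result too big for the field? */
	if (total_in_buf > USHRT_MAX)
		return -EPROTO;

	/* new BCC; is the result too big for the field? */
	byte_count = get_bcc_le(pTargetSMB);
	byte_count += total_in_buf2;
	if (byte_count > USHRT_MAX)
		return -EPROTO;

	/* don't allow buffer to overflow */
	if (pTargetSMB->smb_buf_length + total_in_buf2 > CIFSMaxBufSize)
		return -ENOBUFS;

	/* every check passed: only now modify the target buffer */
	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
	put_bcc_le(byte_count, pTargetSMB);
	pTargetSMB->smb_buf_length += total_in_buf2;
	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
	/* ... unchanged: remaining == total_in_buf2 handling ... */
```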
diff --git a/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch b/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch
new file mode 100644 (file)
index 0000000..6ba3e1e
--- /dev/null
@@ -0,0 +1,41 @@
+From 4f87af46107499415afd238be104587b5a9d7ac3 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Wed, 4 May 2011 11:41:47 -0400
+Subject: drm/radeon/kms: add pci id to acer travelmate quirk for 5730
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 4f87af46107499415afd238be104587b5a9d7ac3 upstream.
+
+Fixes:
+https://bugzilla.kernel.org/show_bug.cgi?id=34082
+
+Reported by: Sampo Laaksonen <zhamahn@gmail.com>
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -431,7 +431,7 @@ static bool radeon_atom_apply_quirks(str
+               }
+       }
+-      /* Acer laptop (Acer TravelMate 5730G) has an HDMI port
++      /* Acer laptop (Acer TravelMate 5730/5730G) has an HDMI port
+        * on the laptop and a DVI port on the docking station and
+        * both share the same encoder, hpd pin, and ddc line.
+        * So while the bios table is technically correct,
+@@ -440,7 +440,7 @@ static bool radeon_atom_apply_quirks(str
+        * with different crtcs which isn't possible on the hardware
+        * side and leaves no crtcs for LVDS or VGA.
+        */
+-      if ((dev->pdev->device == 0x95c4) &&
++      if (((dev->pdev->device == 0x95c4) || (dev->pdev->device == 0x9591)) &&
+           (dev->pdev->subsystem_vendor == 0x1025) &&
+           (dev->pdev->subsystem_device == 0x013c)) {
+               if ((*connector_type == DRM_MODE_CONNECTOR_DVII) &&
diff --git a/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch b/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch
new file mode 100644 (file)
index 0000000..a8ec0e3
--- /dev/null
@@ -0,0 +1,99 @@
+From alexdeucher@gmail.com  Mon May  9 16:35:34 2011
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Fri,  6 May 2011 14:29:55 -0400
+Subject: [stable] [PATCH] drm/radeon/kms: fix gart setup on fusion parts (v2) backport
+To: stable@kernel.org
+Cc: Alex Deucher <alexdeucher@gmail.com>, airlied@redhat.com, gregkh@suse.de
+Message-ID: <1304706595-9781-1-git-send-email-alexdeucher@gmail.com>
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+Backport of 8aeb96f80232e9a701b5c4715504f4c9173978bd
+(drm/radeon/kms: fix gart setup on fusion parts (v2))
+to the stable tree.
+
+Out of the entire GART/VM subsystem, the hw designers changed
+the location of 3 regs.
+
+v2: airlied: add parameter for userspace to work from.
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Jerome Glisse <jglisse@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/gpu/drm/radeon/evergreen.c  |   17 +++++++++--------
+ drivers/gpu/drm/radeon/evergreend.h |    5 +++++
+ drivers/gpu/drm/radeon/radeon_kms.c |    3 +++
+ include/drm/radeon_drm.h            |    1 +
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -869,9 +869,15 @@ int evergreen_pcie_gart_enable(struct ra
+               SYSTEM_ACCESS_MODE_NOT_IN_SYS |
+               SYSTEM_APERTURE_UNMAPPED_ACCESS_PASS_THRU |
+               EFFECTIVE_L1_TLB_SIZE(5) | EFFECTIVE_L1_QUEUE_SIZE(5);
+-      WREG32(MC_VM_MD_L1_TLB0_CNTL, tmp);
+-      WREG32(MC_VM_MD_L1_TLB1_CNTL, tmp);
+-      WREG32(MC_VM_MD_L1_TLB2_CNTL, tmp);
++      if (rdev->flags & RADEON_IS_IGP) {
++              WREG32(FUS_MC_VM_MD_L1_TLB0_CNTL, tmp);
++              WREG32(FUS_MC_VM_MD_L1_TLB1_CNTL, tmp);
++              WREG32(FUS_MC_VM_MD_L1_TLB2_CNTL, tmp);
++      } else {
++              WREG32(MC_VM_MD_L1_TLB0_CNTL, tmp);
++              WREG32(MC_VM_MD_L1_TLB1_CNTL, tmp);
++              WREG32(MC_VM_MD_L1_TLB2_CNTL, tmp);
++      }
+       WREG32(MC_VM_MB_L1_TLB0_CNTL, tmp);
+       WREG32(MC_VM_MB_L1_TLB1_CNTL, tmp);
+       WREG32(MC_VM_MB_L1_TLB2_CNTL, tmp);
+@@ -2930,11 +2936,6 @@ static int evergreen_startup(struct rade
+               rdev->asic->copy = NULL;
+               dev_warn(rdev->dev, "failed blitter (%d) falling back to memcpy\n", r);
+       }
+-      /* XXX: ontario has problems blitting to gart at the moment */
+-      if (rdev->family == CHIP_PALM) {
+-              rdev->asic->copy = NULL;
+-              radeon_ttm_set_active_vram_size(rdev, rdev->mc.visible_vram_size);
+-      }
+       /* allocate wb buffer */
+       r = radeon_wb_init(rdev);
+--- a/drivers/gpu/drm/radeon/evergreend.h
++++ b/drivers/gpu/drm/radeon/evergreend.h
+@@ -221,6 +221,11 @@
+ #define       MC_VM_MD_L1_TLB0_CNTL                           0x2654
+ #define       MC_VM_MD_L1_TLB1_CNTL                           0x2658
+ #define       MC_VM_MD_L1_TLB2_CNTL                           0x265C
++
++#define       FUS_MC_VM_MD_L1_TLB0_CNTL                       0x265C
++#define       FUS_MC_VM_MD_L1_TLB1_CNTL                       0x2660
++#define       FUS_MC_VM_MD_L1_TLB2_CNTL                       0x2664
++
+ #define       MC_VM_SYSTEM_APERTURE_DEFAULT_ADDR              0x203C
+ #define       MC_VM_SYSTEM_APERTURE_HIGH_ADDR                 0x2038
+ #define       MC_VM_SYSTEM_APERTURE_LOW_ADDR                  0x2034
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -205,6 +205,9 @@ int radeon_info_ioctl(struct drm_device
+               /* return clock value in KHz */
+               value = rdev->clock.spll.reference_freq * 10;
+               break;
++      case RADEON_INFO_FUSION_GART_WORKING:
++              value = 1;
++              break;
+       default:
+               DRM_DEBUG_KMS("Invalid request %d\n", info->request);
+               return -EINVAL;
+--- a/include/drm/radeon_drm.h
++++ b/include/drm/radeon_drm.h
+@@ -908,6 +908,7 @@ struct drm_radeon_cs {
+ #define RADEON_INFO_WANT_HYPERZ               0x07
+ #define RADEON_INFO_WANT_CMASK                0x08 /* get access to CMASK on r300 */
+ #define RADEON_INFO_CLOCK_CRYSTAL_FREQ        0x09 /* clock crystal frequency */
++#define RADEON_INFO_FUSION_GART_WORKING       0x0c /* fusion writes to GTT were broken before this */
+ struct drm_radeon_info {
+       uint32_t                request;
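Review bot: `RADEON_INFO_FUSION_GART_WORKING` is defined as 0x0c directly after 0x09 in radeon_drm.h, and nothing in the header says that 0x0a and 0x0b are left free on purpose. As this is a backport, the gap presumably mirrors request numbers that exist upstream but not in this tree. A comment such as `/* 0x0a, 0x0b: used upstream, not backported */` would stop a later stable patch from reusing them with a different meaning for userspace. In evergreend.h the new `FUS_MC_VM_MD_L1_TLB0_CNTL` shares offset 0x265C with the existing `MC_VM_MD_L1_TLB2_CNTL`, which reads like a typo unless a line above the FUS_ block notes that Fusion parts relocate these three registers.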
diff --git a/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch b/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch
new file mode 100644 (file)
index 0000000..18105b2
--- /dev/null
@@ -0,0 +1,81 @@
+From 925f83c085e1bb08435556c5b4844a60de002e31 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Fri, 6 May 2011 01:53:18 +0200
+Subject: hw_breakpoints, powerpc: Fix CONFIG_HAVE_HW_BREAKPOINT off-case in ptrace_set_debugreg()
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 925f83c085e1bb08435556c5b4844a60de002e31 upstream.
+
+We make use of ptrace_get_breakpoints() / ptrace_put_breakpoints() to
+protect ptrace_set_debugreg() even if CONFIG_HAVE_HW_BREAKPOINT if off.
+However in this case, these APIs are not implemented.
+
+To fix this, push the protection down inside the relevant ifdef.
+Best would be to export the code inside
+CONFIG_HAVE_HW_BREAKPOINT into a standalone function to cleanup
+the ifdefury there and call the breakpoint ref API inside. But
+as it is more invasive, this should be rather made in an -rc1.
+
+Fixes this build error:
+
+  arch/powerpc/kernel/ptrace.c:1594: error: implicit declaration of function 'ptrace_get_breakpoints' make[2]: ***
+
+Reported-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: LPPC <linuxppc-dev@lists.ozlabs.org>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/1304639598-4707-1-git-send-email-fweisbec@gmail.com
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/kernel/ptrace.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -924,12 +924,16 @@ int ptrace_set_debugreg(struct task_stru
+       if (data && !(data & DABR_TRANSLATION))
+               return -EIO;
+ #ifdef CONFIG_HAVE_HW_BREAKPOINT
++      if (ptrace_get_breakpoints(task) < 0)
++              return -ESRCH;
++
+       bp = thread->ptrace_bps[0];
+       if ((!data) || !(data & (DABR_DATA_WRITE | DABR_DATA_READ))) {
+               if (bp) {
+                       unregister_hw_breakpoint(bp);
+                       thread->ptrace_bps[0] = NULL;
+               }
++              ptrace_put_breakpoints(task);
+               return 0;
+       }
+       if (bp) {
+@@ -939,9 +943,12 @@ int ptrace_set_debugreg(struct task_stru
+                                       (DABR_DATA_WRITE | DABR_DATA_READ),
+                                                       &attr.bp_type);
+               ret =  modify_user_hw_breakpoint(bp, &attr);
+-              if (ret)
++              if (ret) {
++                      ptrace_put_breakpoints(task);
+                       return ret;
++              }
+               thread->ptrace_bps[0] = bp;
++              ptrace_put_breakpoints(task);
+               thread->dabr = data;
+               return 0;
+       }
+@@ -956,9 +963,12 @@ int ptrace_set_debugreg(struct task_stru
+                                                       ptrace_triggered, task);
+       if (IS_ERR(bp)) {
+               thread->ptrace_bps[0] = NULL;
++              ptrace_put_breakpoints(task);
+               return PTR_ERR(bp);
+       }
++      ptrace_put_breakpoints(task);
++
+ #endif /* CONFIG_HAVE_HW_BREAKPOINT */
+       /* Move contents to the DABR register */
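Review bot: The `ptrace_get_breakpoints(task)` call added under `CONFIG_HAVE_HW_BREAKPOINT` has no comment explaining what the reference protects, and the hunks pair it with five separate `ptrace_put_breakpoints(task)` calls across the exit paths of ptrace_set_debugreg. A comment at the get, e.g. `/* hold a reference so the tracee's breakpoints are not released while we read or modify them */`, would tell the next editor that every return inside the ifdef must drop it. The commit message already defers moving this code into a standalone function; until then a missed put on a new return path would leak the reference. The function body extends outside the hunks shown, so any other returns inside the ifdef should be checked too.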
diff --git a/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch b/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch
new file mode 100644 (file)
index 0000000..b331fd5
--- /dev/null
@@ -0,0 +1,90 @@
+From sgruszka@redhat.com  Mon May  9 16:34:59 2011
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Mon,  9 May 2011 21:27:30 +0200
+Subject: iwlwifi: add {ack, plpc}_check module parameters
+To: kernel@lists.fedoraproject.org, stable@kernel.org
+Cc: Kyle McMartin <kmcmartin@redhat.com>, Stanislaw Gruszka <sgruszka@redhat.com>
+Message-ID: <1304969250-27725-1-git-send-email-sgruszka@redhat.com>
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit b7977ffaab5187ad75edaf04ac854615cea93828 upstream.
+
+Add module ack_check, and plcp_check parameters. Ack_check is disabled
+by default since is proved that check ack health can cause troubles.
+Plcp_check is enabled by default.
+
+This prevent connection hangs with "low ack count detected" messages.
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=666646
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c |    1 +
+ drivers/net/wireless/iwlwifi/iwl-agn.c     |    6 ++++++
+ drivers/net/wireless/iwlwifi/iwl-core.h    |    2 ++
+ drivers/net/wireless/iwlwifi/iwl-rx.c      |    8 ++++++--
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -604,6 +604,7 @@ const u8 *iwlagn_eeprom_query_addr(const
+ struct iwl_mod_params iwlagn_mod_params = {
+       .amsdu_size_8K = 1,
+       .restart_fw = 1,
++      .plcp_check = true,
+       /* the rest are 0 by default */
+ };
+--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
+@@ -4586,3 +4586,9 @@ MODULE_PARM_DESC(antenna_coupling,
+ module_param_named(bt_ch_inhibition, iwlagn_bt_ch_announce, bool, S_IRUGO);
+ MODULE_PARM_DESC(bt_ch_inhibition,
+                "Disable BT channel inhibition (default: enable)");
++
++module_param_named(plcp_check, iwlagn_mod_params.plcp_check, bool, S_IRUGO);
++MODULE_PARM_DESC(plcp_check, "Check plcp health (default: 1 [enabled])");
++
++module_param_named(ack_check, iwlagn_mod_params.ack_check, bool, S_IRUGO);
++MODULE_PARM_DESC(ack_check, "Check ack health (default: 0 [disabled])");
+--- a/drivers/net/wireless/iwlwifi/iwl-core.h
++++ b/drivers/net/wireless/iwlwifi/iwl-core.h
+@@ -263,6 +263,8 @@ struct iwl_mod_params {
+       int amsdu_size_8K;      /* def: 1 = enable 8K amsdu size */
+       int antenna;            /* def: 0 = both antennas (use diversity) */
+       int restart_fw;         /* def: 1 = restart firmware */
++      bool plcp_check;        /* def: true = enable plcp health check */
++      bool ack_check;         /* def: false = disable ack health check */
+ };
+ /*
+--- a/drivers/net/wireless/iwlwifi/iwl-rx.c
++++ b/drivers/net/wireless/iwlwifi/iwl-rx.c
+@@ -234,10 +234,13 @@ EXPORT_SYMBOL(iwl_rx_spectrum_measure_no
+ void iwl_recover_from_statistics(struct iwl_priv *priv,
+                               struct iwl_rx_packet *pkt)
+ {
++      const struct iwl_mod_params *mod_params = priv->cfg->mod_params;
++
+       if (test_bit(STATUS_EXIT_PENDING, &priv->status))
+               return;
+       if (iwl_is_any_associated(priv)) {
+-              if (priv->cfg->ops->lib->check_ack_health) {
++              if (mod_params->ack_check &&
++                  priv->cfg->ops->lib->check_ack_health) {
+                       if (!priv->cfg->ops->lib->check_ack_health(
+                           priv, pkt)) {
+                               /*
+@@ -250,7 +253,8 @@ void iwl_recover_from_statistics(struct
+                                       return;
+                       }
+               }
+-              if (priv->cfg->ops->lib->check_plcp_health) {
++              if (mod_params->plcp_check &&
++                  priv->cfg->ops->lib->check_plcp_health) {
+                       if (!priv->cfg->ops->lib->check_plcp_health(
+                           priv, pkt)) {
+                               /*
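Review bot: The PLCP check is on by default only because `iwlagn_mod_params` sets `.plcp_check = true,` while iwl_recover_from_statistics in iwl-rx.c now gates both checks on `priv->cfg->mod_params`. Any other `struct iwl_mod_params` instance that reaches this function and lacks that initializer would get `plcp_check == false` and lose a health check it had before this patch. Whether such an instance exists is not visible here, so other drivers sharing iwl-core.h should be checked and given the same initializer where needed. The function also dereferences `priv->cfg->mod_params` unconditionally at entry, so a comment on the `mod_params` local stating that it is assumed non-NULL for every cfg would be worth adding.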
diff --git a/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch b/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch
new file mode 100644 (file)
index 0000000..d9be76b
--- /dev/null
@@ -0,0 +1,121 @@
+From bf26c018490c2fce7fe9b629083b96ce0e6ad019 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Thu, 7 Apr 2011 16:53:20 +0200
+Subject: ptrace: Prepare to fix racy accesses on task breakpoints
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit bf26c018490c2fce7fe9b629083b96ce0e6ad019 upstream.
+
+When a task is traced and is in a stopped state, the tracer
+may execute a ptrace request to examine the tracee state and
+get its task struct. Right after, the tracee can be killed
+and thus its breakpoints released.
+This can happen concurrently when the tracer is in the middle
+of reading or modifying these breakpoints, leading to dereferencing
+a freed pointer.
+
+Hence, to prepare the fix, create a generic breakpoint reference
+holding API. When a reference on the breakpoints of a task is
+held, the breakpoints won't be released until the last reference
+is dropped. After that, no more ptrace request on the task's
+breakpoints can be serviced for the tracer.
+
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Cc: Paul Mundt <lethal@linux-sh.org>
+Link: http://lkml.kernel.org/r/1302284067-7860-2-git-send-email-fweisbec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/ptrace.h |   13 ++++++++++++-
+ include/linux/sched.h  |    3 +++
+ kernel/exit.c          |    2 +-
+ kernel/ptrace.c        |   17 +++++++++++++++++
+ 4 files changed, 33 insertions(+), 2 deletions(-)
+
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -189,6 +189,10 @@ static inline void ptrace_init_task(stru
+               child->ptrace = current->ptrace;
+               __ptrace_link(child, current->parent);
+       }
++
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++      atomic_set(&child->ptrace_bp_refcnt, 1);
++#endif
+ }
+ /**
+@@ -350,6 +354,13 @@ extern int task_current_syscall(struct t
+                               unsigned long args[6], unsigned int maxargs,
+                               unsigned long *sp, unsigned long *pc);
+-#endif
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++extern int ptrace_get_breakpoints(struct task_struct *tsk);
++extern void ptrace_put_breakpoints(struct task_struct *tsk);
++#else
++static inline void ptrace_put_breakpoints(struct task_struct *tsk) { }
++#endif /* CONFIG_HAVE_HW_BREAKPOINT */
++
++#endif /* __KERNEL */
+ #endif
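Review bot: The `#else` branch stubs only `ptrace_put_breakpoints()`, so with CONFIG_HAVE_HW_BREAKPOINT disabled a call to `ptrace_get_breakpoints()` has no declaration and each caller needs its own `#ifdef`. The series file on this page lists a separate powerpc fix for the config-off case, which suggests the asymmetry already caused trouble (inferred from the patch name only). Adding `static inline int ptrace_get_breakpoints(struct task_struct *tsk) { return 0; }` beside the existing stub would let get and put be called as a pair everywhere, presumably safely since there are then no breakpoints to protect. The closing comment also reads `/* __KERNEL */`; the guard's opening line is outside the hunk, but if it is `__KERNEL__` the comment should match it.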
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1531,6 +1531,9 @@ struct task_struct {
+               unsigned long memsw_bytes; /* uncharged mem+swap usage */
+       } memcg_batch;
+ #endif
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++      atomic_t ptrace_bp_refcnt;
++#endif
+ };
+ /* Future-safe accessor for struct task_struct's cpus_allowed. */
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1015,7 +1015,7 @@ NORET_TYPE void do_exit(long code)
+       /*
+        * FIXME: do that only when needed, using sched_exit tracepoint
+        */
+-      flush_ptrace_hw_breakpoint(tsk);
++      ptrace_put_breakpoints(tsk);
+       exit_notify(tsk, group_dead);
+ #ifdef CONFIG_NUMA
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -22,6 +22,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/uaccess.h>
+ #include <linux/regset.h>
++#include <linux/hw_breakpoint.h>
+ /*
+@@ -876,3 +877,19 @@ asmlinkage long compat_sys_ptrace(compat
+       return ret;
+ }
+ #endif        /* CONFIG_COMPAT */
++
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++int ptrace_get_breakpoints(struct task_struct *tsk)
++{
++      if (atomic_inc_not_zero(&tsk->ptrace_bp_refcnt))
++              return 0;
++
++      return -1;
++}
++
++void ptrace_put_breakpoints(struct task_struct *tsk)
++{
++      if (atomic_dec_and_test(&tsk->ptrace_bp_refcnt))
++              flush_ptrace_hw_breakpoint(tsk);
++}
++#endif /* CONFIG_HAVE_HW_BREAKPOINT */
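Review bot: Neither `ptrace_get_breakpoints()` nor `ptrace_put_breakpoints()` has a comment stating the contract that the use-after-free fix relies on. I would add a kernel-doc block above each covering three things: get returns 0 with a reference held and -1 once the count has already reached zero, every successful get must be matched by exactly one put, and the final put is what calls `flush_ptrace_hw_breakpoint()`. The initial reference is the one set in `ptrace_init_task()` and dropped in `do_exit()`, which is worth stating there too. Returning a bare `-1` also leaves each caller to choose its own error code; `return -ESRCH;` here would keep that choice in one place, provided no caller depends on the literal value.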
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
new file mode 100644 (file)
index 0000000..263dcd9
--- /dev/null
@@ -0,0 +1,13 @@
+cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
+cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
+cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch
+cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
+cifs-handle-errors-from-coalesce_t2.patch
+validate-size-of-efi-guid-partition-entries.patch
+drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch
+thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
+x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch
+ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch
+hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch
+iwlwifi-add-ack-plpc-_check-module-parameters.patch
+drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch
diff --git a/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch b/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
new file mode 100644 (file)
index 0000000..f20df7e
--- /dev/null
@@ -0,0 +1,45 @@
+From 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a Mon Sep 17 00:00:00 2001
+From: Manoj Iyer <manoj.iyer@canonical.com>
+Date: Sun, 8 May 2011 18:04:29 -0400
+Subject: thinkpad-acpi: module autoloading for newer Lenovo ThinkPads.
+
+From: Manoj Iyer <manoj.iyer@canonical.com>
+
+commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream.
+
+The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead
+of IBM0068. Added new HID so that thinkpad_acpi module will
+auto load on these newer Lenovo ThinkPads.
+
+Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com>
+Signed-off-by: Andy Lutomirski <luto@mit.edu>
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/platform/x86/thinkpad_acpi.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -128,7 +128,8 @@ enum {
+ };
+ /* ACPI HIDs */
+-#define TPACPI_ACPI_HKEY_HID          "IBM0068"
++#define TPACPI_ACPI_IBM_HKEY_HID      "IBM0068"
++#define TPACPI_ACPI_LENOVO_HKEY_HID   "LEN0068"
+ #define TPACPI_ACPI_EC_HID            "PNP0C09"
+ /* Input IDs */
+@@ -3879,7 +3880,8 @@ errexit:
+ }
+ static const struct acpi_device_id ibm_htk_device_ids[] = {
+-      {TPACPI_ACPI_HKEY_HID, 0},
++      {TPACPI_ACPI_IBM_HKEY_HID, 0},
++      {TPACPI_ACPI_LENOVO_HKEY_HID, 0},
+       {"", 0},
+ };
diff --git a/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch b/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch
new file mode 100644 (file)
index 0000000..033888f
--- /dev/null
@@ -0,0 +1,34 @@
+From fa039d5f6b126fbd65eefa05db2f67e44df8f121 Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Fri, 6 May 2011 13:47:35 +0200
+Subject: Validate size of EFI GUID partition entries.
+
+From: Timo Warns <Warns@pre-sense.de>
+
+commit fa039d5f6b126fbd65eefa05db2f67e44df8f121 upstream.
+
+Otherwise corrupted EFI partition tables can cause total confusion.
+
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/efi.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -348,6 +348,12 @@ static int is_gpt_valid(struct parsed_pa
+               goto fail;
+       }
++      /* Check that sizeof_partition_entry has the correct value */
++      if (le32_to_cpu((*gpt)->sizeof_partition_entry) != sizeof(gpt_entry)) {
++              pr_debug("GUID Partitition Entry Size check failed.\n");
++              goto fail;
++      }
++
+       if (!(*ptes = alloc_read_gpt_entries(state, *gpt)))
+               goto fail;
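Review bot: The added comment says only that `sizeof_partition_entry` must have "the correct value", but not why: the field comes from the on-disk header and is untrusted. Something like `/* sizeof_partition_entry is read from disk; reject anything but sizeof(gpt_entry) before it is used to size the entry array */` would record that, though the use in `alloc_read_gpt_entries()` is outside this hunk, so check the wording against it. The log string has a typo: `"GUID Partitition Entry Size check failed.\n"` should read `"GUID Partition Entry Size check failed.\n"`. The check pins the per-entry size, but the hunk shows no bound on the entry count taken from the same header. Confirm that the count is validated elsewhere in `is_gpt_valid()`, whose body starts and ends outside the hunk.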
diff --git a/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch b/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch
new file mode 100644 (file)
index 0000000..fb1ba4f
--- /dev/null
@@ -0,0 +1,115 @@
+From 87dc669ba25777b67796d7262c569429e58b1ed4 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Fri, 8 Apr 2011 17:29:36 +0200
+Subject: x86, hw_breakpoints: Fix racy access to ptrace breakpoints
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 87dc669ba25777b67796d7262c569429e58b1ed4 upstream.
+
+While the tracer accesses ptrace breakpoints, the child task may
+concurrently exit due to a SIGKILL and thus release its breakpoints
+at the same time. We can then dereference some freed pointers.
+
+To fix this, hold a reference on the child breakpoints before
+manipulating them.
+
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Cc: Paul Mundt <lethal@linux-sh.org>
+Link: http://lkml.kernel.org/r/1302284067-7860-3-git-send-email-fweisbec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/ptrace.c |   36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -608,6 +608,9 @@ static int ptrace_write_dr7(struct task_
+       unsigned len, type;
+       struct perf_event *bp;
++      if (ptrace_get_breakpoints(tsk) < 0)
++              return -ESRCH;
++
+       data &= ~DR_CONTROL_RESERVED;
+       old_dr7 = ptrace_get_dr7(thread->ptrace_bps);
+ restore:
+@@ -655,6 +658,9 @@ restore:
+               }
+               goto restore;
+       }
++
++      ptrace_put_breakpoints(tsk);
++
+       return ((orig_ret < 0) ? orig_ret : rc);
+ }
+@@ -668,10 +674,17 @@ static unsigned long ptrace_get_debugreg
+       if (n < HBP_NUM) {
+               struct perf_event *bp;
++
++              if (ptrace_get_breakpoints(tsk) < 0)
++                      return -ESRCH;
++
+               bp = thread->ptrace_bps[n];
+               if (!bp)
+-                      return 0;
+-              val = bp->hw.info.address;
++                      val = 0;
++              else
++                      val = bp->hw.info.address;
++
++              ptrace_put_breakpoints(tsk);
+       } else if (n == 6) {
+               val = thread->debugreg6;
+        } else if (n == 7) {
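Review bot: `ptrace_get_debugreg()` is declared `unsigned long` (per the hunk header), so the added `return -ESRCH;` is converted to a large unsigned value and handed back as if it were the contents of the debug register. A caller cannot tell that apart from a real breakpoint address, so when the tracee is exiting the tracer may be shown a bogus register value instead of an error. At minimum the early return should say so, e.g. `/* tracee is exiting: -ESRCH comes back as a register value, callers cannot detect it */`. The cleaner fix is an int status with the value passed through an out-parameter, which also means changing the caller outside this hunk. The function's start and end are outside the hunk.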
+@@ -686,6 +699,10 @@ static int ptrace_set_breakpoint_addr(st
+       struct perf_event *bp;
+       struct thread_struct *t = &tsk->thread;
+       struct perf_event_attr attr;
++      int err = 0;
++
++      if (ptrace_get_breakpoints(tsk) < 0)
++              return -ESRCH;
+       if (!t->ptrace_bps[nr]) {
+               ptrace_breakpoint_init(&attr);
+@@ -709,24 +726,23 @@ static int ptrace_set_breakpoint_addr(st
+                * writing for the user. And anyway this is the previous
+                * behaviour.
+                */
+-              if (IS_ERR(bp))
+-                      return PTR_ERR(bp);
++              if (IS_ERR(bp)) {
++                      err = PTR_ERR(bp);
++                      goto put;
++              }
+               t->ptrace_bps[nr] = bp;
+       } else {
+-              int err;
+-
+               bp = t->ptrace_bps[nr];
+               attr = bp->attr;
+               attr.bp_addr = addr;
+               err = modify_user_hw_breakpoint(bp, &attr);
+-              if (err)
+-                      return err;
+       }
+-
+-      return 0;
++put:
++      ptrace_put_breakpoints(tsk);
++      return err;
+ }
+ /*