authorGreg Kroah-Hartman <gregkh@suse.de>2011-05-09 17:10:13 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-05-09 17:10:13 -0700
commit00c526581a0b7cb914c7efa96335a4e2f0cd6107 (patch)
treeec1a01a38b1227f16f1e70346358f48a31e5ece4
parent5df25c2e494adc2df12f671adcbbd791c7ecc1f8 (diff)
downloadstable-queue-00c526581a0b7cb914c7efa96335a4e2f0cd6107.tar.gz
.38 patches
-rw-r--r--queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch58
-rw-r--r--queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch37
-rw-r--r--queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch46
-rw-r--r--queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch129
-rw-r--r--queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch84
-rw-r--r--queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch41
-rw-r--r--queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch99
-rw-r--r--queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch81
-rw-r--r--queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch90
-rw-r--r--queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch121
-rw-r--r--queue-2.6.38/series13
-rw-r--r--queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch45
-rw-r--r--queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch34
-rw-r--r--queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch115
14 files changed, 993 insertions, 0 deletions
diff --git a/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch b/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
new file mode 100644
index 0000000000..c6a148f51e
--- /dev/null
+++ b/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
@@ -0,0 +1,58 @@
+From bfacf2225a955bea9c41c707fc72ba16009674a0 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 27 Apr 2011 13:25:51 -0400
+Subject: cifs: change bleft in decode_unicode_ssetup back to signed type
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit bfacf2225a955bea9c41c707fc72ba16009674a0 upstream.
+
+The buffer length checks in this function depend on this value being a
+signed data type, but 690c522fa converted it to an unsigned type.
+
+Also, eliminate a problem with the null termination check in the same
+function. cifs_strndup_from_ucs handles that situation correctly
+already, and the existing check could potentially lead to a buffer
+overrun since it increments bleft without checking to see whether it
+falls off the end of the buffer.
+
+Reported-and-Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/sess.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -277,7 +277,7 @@ static void ascii_ssetup_strings(char **
+ }
+
+ static void
+-decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
++decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
+ const struct nls_table *nls_cp)
+ {
+ int len;
+@@ -285,19 +285,6 @@ decode_unicode_ssetup(char **pbcc_area,
+
+ cFYI(1, "bleft %d", bleft);
+
+- /*
+- * Windows servers do not always double null terminate their final
+- * Unicode string. Check to see if there are an uneven number of bytes
+- * left. If so, then add an extra NULL pad byte to the end of the
+- * response.
+- *
+- * See section 2.7.2 in "Implementing CIFS" for details
+- */
+- if (bleft % 2) {
+- data[bleft] = 0;
+- ++bleft;
+- }
+-
+ kfree(ses->serverOS);
+ ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
+ cFYI(1, "serverOS=%s", ses->serverOS);
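Review bot: Nothing at the new signature records why `bleft` must be `int`; the commit message says the length checks later in decode_unicode_ssetup depend on the value going negative, and a future cleanup could re-convert it to `__u16` and silently reintroduce the bug. Suggest a comment on the parameter, e.g. `/* bleft must stay signed: the length checks below rely on it going negative */`. Removing the odd-byte pad also removes the out-of-bounds `data[bleft] = 0` store, and the patch relies on cifs_strndup_from_ucs to cope with an unterminated string; the body continues past the hunk, so whether any remaining check still assumes even alignment cannot be confirmed from here.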
diff --git a/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch b/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
new file mode 100644
index 0000000000..4493188c34
--- /dev/null
+++ b/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
@@ -0,0 +1,37 @@
+From fcda7f4578bbf9717444ca6da8a421d21489d078 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 27 Apr 2011 13:25:51 -0400
+Subject: cifs: check for bytes_remaining going to zero in CIFS_SessSetup
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit fcda7f4578bbf9717444ca6da8a421d21489d078 upstream.
+
+It's possible that when we go to decode the string area in the
+SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at
+that point will mean that it can go "negative" and wrap. Check for a
+bytes_remaining value of 0, and don't try to decode the string area if
+that's the case.
+
+Reported-and-Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/sess.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -917,7 +917,9 @@ ssetup_ntlmssp_authenticate:
+ }
+
+ /* BB check if Unicode and decode strings */
+- if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
++ if (bytes_remaining == 0) {
++ /* no string area to decode, do nothing */
++ } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+ /* unicode string area must be word-aligned */
+ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
+ ++bcc_ptr;
diff --git a/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch b/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch
new file mode 100644
index 0000000000..5b71641f9b
--- /dev/null
+++ b/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch
@@ -0,0 +1,46 @@
+From 16541ba11c4f04ffe94b073e301f00b749fb84a1 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Fri, 29 Apr 2011 06:52:44 -0400
+Subject: cifs: handle errors from coalesce_t2
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 16541ba11c4f04ffe94b073e301f00b749fb84a1 upstream.
+
+cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2
+responses into the original mid buffer. coalesce_t2 however can return
+errors, but the caller doesn't handle that situation properly. Fix the
+thread to treat such a case as it would a malformed packet. Mark the
+mid as being malformed and issue the callback.
+
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -631,12 +631,16 @@ incomplete_rcv:
+ isMultiRsp = true;
+ if (mid_entry->resp_buf) {
+ /* merge response - fix up 1st*/
+- if (coalesce_t2(smb_buffer,
+- mid_entry->resp_buf)) {
++ length = coalesce_t2(smb_buffer,
++ mid_entry->resp_buf);
++ if (length > 0) {
++ length = 0;
+ mid_entry->multiRsp = true;
+ break;
+ } else {
+- /* all parts received */
++ /* all parts received or
++ * packet is malformed
++ */
+ mid_entry->multiEnd = true;
+ goto multi_t2_fnd;
+ }
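Review bot: The `length = 0;` inserted after `if (length > 0)` does real work — it turns coalesce_t2's positive "more parts follow" return back into the value the `length == 0` test at multi_t2_fnd (outside this hunk) treats as a good packet — but nothing says so, and it reads like a stray reset. Suggest `/* positive means more parts follow; clear so this mid is not later flagged as malformed */`. On the `else` path a negative return now falls through to multi_t2_fnd with `length < 0`, which marks the mid MID_RESPONSE_MALFORMED; the updated comment says "packet is malformed" without mentioning that it is coalesce_t2's error code carrying the decision, which would help the next reader. The enclosing loop starts and ends outside the hunk.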
diff --git a/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch b/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
new file mode 100644
index 0000000000..8cbb8dfe8a
--- /dev/null
+++ b/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
@@ -0,0 +1,129 @@
+From 146f9f65bd13f56665205aed7205d531c810cb35 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Fri, 29 Apr 2011 06:52:43 -0400
+Subject: cifs: refactor mid finding loop in cifs_demultiplex_thread
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 146f9f65bd13f56665205aed7205d531c810cb35 upstream.
+
+...to reduce the extreme indentation. This should introduce no
+behavioral changes.
+
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 92 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 46 insertions(+), 46 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -618,59 +618,59 @@ incomplete_rcv:
+ list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
+ mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+
+- if ((mid_entry->mid == smb_buffer->Mid) &&
+- (mid_entry->midState == MID_REQUEST_SUBMITTED) &&
+- (mid_entry->command == smb_buffer->Command)) {
+- if (length == 0 &&
+- check2ndT2(smb_buffer, server->maxBuf) > 0) {
+- /* We have a multipart transact2 resp */
+- isMultiRsp = true;
+- if (mid_entry->resp_buf) {
+- /* merge response - fix up 1st*/
+- if (coalesce_t2(smb_buffer,
++ if (mid_entry->mid != smb_buffer->Mid ||
++ mid_entry->midState != MID_REQUEST_SUBMITTED ||
++ mid_entry->command != smb_buffer->Command) {
++ mid_entry = NULL;
++ continue;
++ }
++
++ if (length == 0 &&
++ check2ndT2(smb_buffer, server->maxBuf) > 0) {
++ /* We have a multipart transact2 resp */
++ isMultiRsp = true;
++ if (mid_entry->resp_buf) {
++ /* merge response - fix up 1st*/
++ if (coalesce_t2(smb_buffer,
+ mid_entry->resp_buf)) {
+- mid_entry->multiRsp =
+- true;
+- break;
+- } else {
+- /* all parts received */
+- mid_entry->multiEnd =
+- true;
+- goto multi_t2_fnd;
+- }
++ mid_entry->multiRsp = true;
++ break;
++ } else {
++ /* all parts received */
++ mid_entry->multiEnd = true;
++ goto multi_t2_fnd;
++ }
++ } else {
++ if (!isLargeBuf) {
++ /*
++ * FIXME: switch to already
++ * allocated largebuf?
++ */
++ cERROR(1, "1st trans2 resp "
++ "needs bigbuf");
+ } else {
+- if (!isLargeBuf) {
+- cERROR(1, "1st trans2 resp needs bigbuf");
+- /* BB maybe we can fix this up, switch
+- to already allocated large buffer? */
+- } else {
+- /* Have first buffer */
+- mid_entry->resp_buf =
+- smb_buffer;
+- mid_entry->largeBuf =
+- true;
+- bigbuf = NULL;
+- }
++ /* Have first buffer */
++ mid_entry->resp_buf =
++ smb_buffer;
++ mid_entry->largeBuf = true;
++ bigbuf = NULL;
+ }
+- break;
+ }
+- mid_entry->resp_buf = smb_buffer;
+- mid_entry->largeBuf = isLargeBuf;
++ break;
++ }
++ mid_entry->resp_buf = smb_buffer;
++ mid_entry->largeBuf = isLargeBuf;
+ multi_t2_fnd:
+- if (length == 0)
+- mid_entry->midState =
+- MID_RESPONSE_RECEIVED;
+- else
+- mid_entry->midState =
+- MID_RESPONSE_MALFORMED;
++ if (length == 0)
++ mid_entry->midState = MID_RESPONSE_RECEIVED;
++ else
++ mid_entry->midState = MID_RESPONSE_MALFORMED;
+ #ifdef CONFIG_CIFS_STATS2
+- mid_entry->when_received = jiffies;
++ mid_entry->when_received = jiffies;
+ #endif
+- list_del_init(&mid_entry->qhead);
+- mid_entry->callback(mid_entry);
+- break;
+- }
+- mid_entry = NULL;
++ list_del_init(&mid_entry->qhead);
++ mid_entry->callback(mid_entry);
++ break;
+ }
+ spin_unlock(&GlobalMid_Lock);
+
diff --git a/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch b/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch
new file mode 100644
index 0000000000..d0266e6911
--- /dev/null
+++ b/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch
@@ -0,0 +1,84 @@
+From 2a2047bc94d0efc316401170c3d078d9edc20dc4 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Wed, 27 Apr 2011 13:29:49 -0400
+Subject: cifs: sanitize length checking in coalesce_t2 (try #3)
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 2a2047bc94d0efc316401170c3d078d9edc20dc4 upstream.
+
+There are a couple of places in this code where these values can wrap or
+go negative, and that could potentially end up overflowing the buffer.
+Ensure that that doesn't happen. Do all of the length calculation and
+checks first, and only perform the memcpy after they pass.
+
+Also, increase some stack variables to 32 bits to ensure that they don't
+wrap without being detected.
+
+Finally, change the error codes to be a bit more descriptive of any
+problems detected. -EINVAL isn't very accurate.
+
+Reported-and-Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -275,7 +275,8 @@ static int coalesce_t2(struct smb_hdr *p
+ char *data_area_of_target;
+ char *data_area_of_buf2;
+ int remaining;
+- __u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
++ unsigned int byte_count, total_in_buf;
++ __u16 total_data_size, total_in_buf2;
+
+ total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
+
+@@ -288,7 +289,7 @@ static int coalesce_t2(struct smb_hdr *p
+ remaining = total_data_size - total_in_buf;
+
+ if (remaining < 0)
+- return -EINVAL;
++ return -EPROTO;
+
+ if (remaining == 0) /* nothing to do, ignore */
+ return 0;
+@@ -309,20 +310,29 @@ static int coalesce_t2(struct smb_hdr *p
+ data_area_of_target += total_in_buf;
+
+ /* copy second buffer into end of first buffer */
+- memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
+ total_in_buf += total_in_buf2;
++ /* is the result too big for the field? */
++ if (total_in_buf > USHRT_MAX)
++ return -EPROTO;
+ put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
++
++ /* fix up the BCC */
+ byte_count = get_bcc_le(pTargetSMB);
+ byte_count += total_in_buf2;
++ /* is the result too big for the field? */
++ if (byte_count > USHRT_MAX)
++ return -EPROTO;
+ put_bcc_le(byte_count, pTargetSMB);
+
+ byte_count = pTargetSMB->smb_buf_length;
+ byte_count += total_in_buf2;
+-
+- /* BB also add check that we are not beyond maximum buffer size */
+-
++ /* don't allow buffer to overflow */
++ if (byte_count > CIFSMaxBufSize)
++ return -ENOBUFS;
+ pTargetSMB->smb_buf_length = byte_count;
+
++ memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
++
+ if (remaining == total_in_buf2) {
+ cFYI(1, "found the last secondary response");
+ return 0; /* we are done */
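Review bot: The target header is modified before the last check passes: `put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount)` and `put_bcc_le(byte_count, pTargetSMB)` both run before the `byte_count > CIFSMaxBufSize` test, so on the -ENOBUFS path the first buffer's DataCount and BCC already claim bytes that were never copied. The commit message's rule — do all the checks first, then mutate — is applied to the memcpy but not to those two stores. Since the caller in this same commit marks the mid malformed on any negative return, the inconsistent header is probably never read, but computing all three lengths into locals, checking them, and only then storing keeps the buffer coherent on every error path. Whether `smb_buf_length` includes the 4-byte length prefix, and so whether CIFSMaxBufSize is the right bound, cannot be confirmed from this hunk.
```c
	unsigned int byte_count, total_in_buf, new_buf_length;
	/* … unchanged: total_data_size / remaining checks … */

	/* copy second buffer into end of first buffer */
	total_in_buf += total_in_buf2;
	/* is the result too big for the field? */
	if (total_in_buf > USHRT_MAX)
		return -EPROTO;

	/* fix up the BCC */
	byte_count = get_bcc_le(pTargetSMB);
	byte_count += total_in_buf2;
	/* is the result too big for the field? */
	if (byte_count > USHRT_MAX)
		return -EPROTO;

	/* don't allow buffer to overflow */
	new_buf_length = pTargetSMB->smb_buf_length + total_in_buf2;
	if (new_buf_length > CIFSMaxBufSize)
		return -ENOBUFS;

	/* every check passed: only now touch the target header and data */
	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
	put_bcc_le(byte_count, pTargetSMB);
	pTargetSMB->smb_buf_length = new_buf_length;

	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
	/* … unchanged: "last secondary response" check … */
```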
diff --git a/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch b/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch
new file mode 100644
index 0000000000..6ba3e1e4cc
--- /dev/null
+++ b/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch
@@ -0,0 +1,41 @@
+From 4f87af46107499415afd238be104587b5a9d7ac3 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Wed, 4 May 2011 11:41:47 -0400
+Subject: drm/radeon/kms: add pci id to acer travelmate quirk for 5730
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+commit 4f87af46107499415afd238be104587b5a9d7ac3 upstream.
+
+Fixes:
+https://bugzilla.kernel.org/show_bug.cgi?id=34082
+
+Reported by: Sampo Laaksonen <zhamahn@gmail.com>
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -431,7 +431,7 @@ static bool radeon_atom_apply_quirks(str
+ }
+ }
+
+- /* Acer laptop (Acer TravelMate 5730G) has an HDMI port
++ /* Acer laptop (Acer TravelMate 5730/5730G) has an HDMI port
+ * on the laptop and a DVI port on the docking station and
+ * both share the same encoder, hpd pin, and ddc line.
+ * So while the bios table is technically correct,
+@@ -440,7 +440,7 @@ static bool radeon_atom_apply_quirks(str
+ * with different crtcs which isn't possible on the hardware
+ * side and leaves no crtcs for LVDS or VGA.
+ */
+- if ((dev->pdev->device == 0x95c4) &&
++ if (((dev->pdev->device == 0x95c4) || (dev->pdev->device == 0x9591)) &&
+ (dev->pdev->subsystem_vendor == 0x1025) &&
+ (dev->pdev->subsystem_device == 0x013c)) {
+ if ((*connector_type == DRM_MODE_CONNECTOR_DVII) &&
diff --git a/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch b/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch
new file mode 100644
index 0000000000..a8ec0e390d
--- /dev/null
+++ b/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch
@@ -0,0 +1,99 @@
+From alexdeucher@gmail.com Mon May 9 16:35:34 2011
+From: Alex Deucher <alexdeucher@gmail.com>
+Date: Fri, 6 May 2011 14:29:55 -0400
+Subject: [stable] [PATCH] drm/radeon/kms: fix gart setup on fusion parts (v2) backport
+To: stable@kernel.org
+Cc: Alex Deucher <alexdeucher@gmail.com>, airlied@redhat.com, gregkh@suse.de
+Message-ID: <1304706595-9781-1-git-send-email-alexdeucher@gmail.com>
+
+From: Alex Deucher <alexdeucher@gmail.com>
+
+Backport of 8aeb96f80232e9a701b5c4715504f4c9173978bd
+(drm/radeon/kms: fix gart setup on fusion parts (v2))
+to the stable tree.
+
+Out of the entire GART/VM subsystem, the hw designers changed
+the location of 3 regs.
+
+v2: airlied: add parameter for userspace to work from.
+
+Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
+Signed-off-by: Jerome Glisse <jglisse@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/gpu/drm/radeon/evergreen.c | 17 +++++++++--------
+ drivers/gpu/drm/radeon/evergreend.h | 5 +++++
+ drivers/gpu/drm/radeon/radeon_kms.c | 3 +++
+ include/drm/radeon_drm.h | 1 +
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -869,9 +869,15 @@ int evergreen_pcie_gart_enable(struct ra
+ SYSTEM_ACCESS_MODE_NOT_IN_SYS |
+ SYSTEM_APERTURE_UNMAPPED_ACCESS_PASS_THRU |
+ EFFECTIVE_L1_TLB_SIZE(5) | EFFECTIVE_L1_QUEUE_SIZE(5);
+- WREG32(MC_VM_MD_L1_TLB0_CNTL, tmp);
+- WREG32(MC_VM_MD_L1_TLB1_CNTL, tmp);
+- WREG32(MC_VM_MD_L1_TLB2_CNTL, tmp);
++ if (rdev->flags & RADEON_IS_IGP) {
++ WREG32(FUS_MC_VM_MD_L1_TLB0_CNTL, tmp);
++ WREG32(FUS_MC_VM_MD_L1_TLB1_CNTL, tmp);
++ WREG32(FUS_MC_VM_MD_L1_TLB2_CNTL, tmp);
++ } else {
++ WREG32(MC_VM_MD_L1_TLB0_CNTL, tmp);
++ WREG32(MC_VM_MD_L1_TLB1_CNTL, tmp);
++ WREG32(MC_VM_MD_L1_TLB2_CNTL, tmp);
++ }
+ WREG32(MC_VM_MB_L1_TLB0_CNTL, tmp);
+ WREG32(MC_VM_MB_L1_TLB1_CNTL, tmp);
+ WREG32(MC_VM_MB_L1_TLB2_CNTL, tmp);
+@@ -2930,11 +2936,6 @@ static int evergreen_startup(struct rade
+ rdev->asic->copy = NULL;
+ dev_warn(rdev->dev, "failed blitter (%d) falling back to memcpy\n", r);
+ }
+- /* XXX: ontario has problems blitting to gart at the moment */
+- if (rdev->family == CHIP_PALM) {
+- rdev->asic->copy = NULL;
+- radeon_ttm_set_active_vram_size(rdev, rdev->mc.visible_vram_size);
+- }
+
+ /* allocate wb buffer */
+ r = radeon_wb_init(rdev);
+--- a/drivers/gpu/drm/radeon/evergreend.h
++++ b/drivers/gpu/drm/radeon/evergreend.h
+@@ -221,6 +221,11 @@
+ #define MC_VM_MD_L1_TLB0_CNTL 0x2654
+ #define MC_VM_MD_L1_TLB1_CNTL 0x2658
+ #define MC_VM_MD_L1_TLB2_CNTL 0x265C
++
++#define FUS_MC_VM_MD_L1_TLB0_CNTL 0x265C
++#define FUS_MC_VM_MD_L1_TLB1_CNTL 0x2660
++#define FUS_MC_VM_MD_L1_TLB2_CNTL 0x2664
++
+ #define MC_VM_SYSTEM_APERTURE_DEFAULT_ADDR 0x203C
+ #define MC_VM_SYSTEM_APERTURE_HIGH_ADDR 0x2038
+ #define MC_VM_SYSTEM_APERTURE_LOW_ADDR 0x2034
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -205,6 +205,9 @@ int radeon_info_ioctl(struct drm_device
+ /* return clock value in KHz */
+ value = rdev->clock.spll.reference_freq * 10;
+ break;
++ case RADEON_INFO_FUSION_GART_WORKING:
++ value = 1;
++ break;
+ default:
+ DRM_DEBUG_KMS("Invalid request %d\n", info->request);
+ return -EINVAL;
+--- a/include/drm/radeon_drm.h
++++ b/include/drm/radeon_drm.h
+@@ -908,6 +908,7 @@ struct drm_radeon_cs {
+ #define RADEON_INFO_WANT_HYPERZ 0x07
+ #define RADEON_INFO_WANT_CMASK 0x08 /* get access to CMASK on r300 */
+ #define RADEON_INFO_CLOCK_CRYSTAL_FREQ 0x09 /* clock crystal frequency */
++#define RADEON_INFO_FUSION_GART_WORKING 0x0c /* fusion writes to GTT were broken before this */
+
+ struct drm_radeon_info {
+ uint32_t request;
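Review bot: `RADEON_INFO_FUSION_GART_WORKING` is added as 0x0c directly after 0x09 in include/drm/radeon_drm.h, leaving 0x0a and 0x0b unused in this tree; that is presumably deliberate so the value matches mainline and userspace sees one number everywhere, but nothing says so, and a later backport could reuse the gap. Suggest a comment on the define, `/* value kept in sync with mainline; 0x0a/0x0b are intentionally not used here */`, adjusted once checked against the mainline header. Likewise `FUS_MC_VM_MD_L1_TLB0_CNTL` (0x265C) is the same offset as `MC_VM_MD_L1_TLB2_CNTL`; the description says the three registers moved, so the overlap looks intentional, and a one-line comment at the FUS_ defines would stop it being "corrected" as a typo. radeon_info_ioctl answers `value = 1` for every ASIC, not only IGP parts, so the define's comment should say it means "this kernel carries the fix" rather than "this GPU is a fusion part".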
diff --git a/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch b/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch
new file mode 100644
index 0000000000..18105b29d2
--- /dev/null
+++ b/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch
@@ -0,0 +1,81 @@
+From 925f83c085e1bb08435556c5b4844a60de002e31 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Fri, 6 May 2011 01:53:18 +0200
+Subject: hw_breakpoints, powerpc: Fix CONFIG_HAVE_HW_BREAKPOINT off-case in ptrace_set_debugreg()
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 925f83c085e1bb08435556c5b4844a60de002e31 upstream.
+
+We make use of ptrace_get_breakpoints() / ptrace_put_breakpoints() to
+protect ptrace_set_debugreg() even if CONFIG_HAVE_HW_BREAKPOINT if off.
+However in this case, these APIs are not implemented.
+
+To fix this, push the protection down inside the relevant ifdef.
+Best would be to export the code inside
+CONFIG_HAVE_HW_BREAKPOINT into a standalone function to cleanup
+the ifdefury there and call the breakpoint ref API inside. But
+as it is more invasive, this should be rather made in an -rc1.
+
+Fixes this build error:
+
+ arch/powerpc/kernel/ptrace.c:1594: error: implicit declaration of function 'ptrace_get_breakpoints' make[2]: ***
+
+Reported-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: LPPC <linuxppc-dev@lists.ozlabs.org>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/1304639598-4707-1-git-send-email-fweisbec@gmail.com
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/powerpc/kernel/ptrace.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -924,12 +924,16 @@ int ptrace_set_debugreg(struct task_stru
+ if (data && !(data & DABR_TRANSLATION))
+ return -EIO;
+ #ifdef CONFIG_HAVE_HW_BREAKPOINT
++ if (ptrace_get_breakpoints(task) < 0)
++ return -ESRCH;
++
+ bp = thread->ptrace_bps[0];
+ if ((!data) || !(data & (DABR_DATA_WRITE | DABR_DATA_READ))) {
+ if (bp) {
+ unregister_hw_breakpoint(bp);
+ thread->ptrace_bps[0] = NULL;
+ }
++ ptrace_put_breakpoints(task);
+ return 0;
+ }
+ if (bp) {
+@@ -939,9 +943,12 @@ int ptrace_set_debugreg(struct task_stru
+ (DABR_DATA_WRITE | DABR_DATA_READ),
+ &attr.bp_type);
+ ret = modify_user_hw_breakpoint(bp, &attr);
+- if (ret)
++ if (ret) {
++ ptrace_put_breakpoints(task);
+ return ret;
++ }
+ thread->ptrace_bps[0] = bp;
++ ptrace_put_breakpoints(task);
+ thread->dabr = data;
+ return 0;
+ }
+@@ -956,9 +963,12 @@ int ptrace_set_debugreg(struct task_stru
+ ptrace_triggered, task);
+ if (IS_ERR(bp)) {
+ thread->ptrace_bps[0] = NULL;
++ ptrace_put_breakpoints(task);
+ return PTR_ERR(bp);
+ }
+
++ ptrace_put_breakpoints(task);
++
+ #endif /* CONFIG_HAVE_HW_BREAKPOINT */
+
+ /* Move contents to the DABR register */
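Review bot: ptrace_set_debugreg now pairs one `ptrace_get_breakpoints(task)` with four separate `ptrace_put_breakpoints(task)` calls on distinct return paths, and the stretches between the hunks (after the `if (bp) {` at the end of the first hunk and before the `ptrace_triggered, task);` context of the third) are not visible here, so any return in those gaps could not be checked for a matching put. The commit message already defers the single-exit refactor to -rc1; until then a comment at the get, `/* every return below this point must call ptrace_put_breakpoints(task) */`, makes the pairing auditable. The function continues past the hunk.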
diff --git a/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch b/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch
new file mode 100644
index 0000000000..b331fd5578
--- /dev/null
+++ b/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch
@@ -0,0 +1,90 @@
+From sgruszka@redhat.com Mon May 9 16:34:59 2011
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Mon, 9 May 2011 21:27:30 +0200
+Subject: iwlwifi: add {ack, plpc}_check module parameters
+To: kernel@lists.fedoraproject.org, stable@kernel.org
+Cc: Kyle McMartin <kmcmartin@redhat.com>, Stanislaw Gruszka <sgruszka@redhat.com>
+Message-ID: <1304969250-27725-1-git-send-email-sgruszka@redhat.com>
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit b7977ffaab5187ad75edaf04ac854615cea93828 upstream.
+
+Add module ack_check, and plcp_check parameters. Ack_check is disabled
+by default since is proved that check ack health can cause troubles.
+Plcp_check is enabled by default.
+
+This prevent connection hangs with "low ack count detected" messages.
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=666646
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c | 1 +
+ drivers/net/wireless/iwlwifi/iwl-agn.c | 6 ++++++
+ drivers/net/wireless/iwlwifi/iwl-core.h | 2 ++
+ drivers/net/wireless/iwlwifi/iwl-rx.c | 8 ++++++--
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -604,6 +604,7 @@ const u8 *iwlagn_eeprom_query_addr(const
+ struct iwl_mod_params iwlagn_mod_params = {
+ .amsdu_size_8K = 1,
+ .restart_fw = 1,
++ .plcp_check = true,
+ /* the rest are 0 by default */
+ };
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
+@@ -4586,3 +4586,9 @@ MODULE_PARM_DESC(antenna_coupling,
+ module_param_named(bt_ch_inhibition, iwlagn_bt_ch_announce, bool, S_IRUGO);
+ MODULE_PARM_DESC(bt_ch_inhibition,
+ "Disable BT channel inhibition (default: enable)");
++
++module_param_named(plcp_check, iwlagn_mod_params.plcp_check, bool, S_IRUGO);
++MODULE_PARM_DESC(plcp_check, "Check plcp health (default: 1 [enabled])");
++
++module_param_named(ack_check, iwlagn_mod_params.ack_check, bool, S_IRUGO);
++MODULE_PARM_DESC(ack_check, "Check ack health (default: 0 [disabled])");
+--- a/drivers/net/wireless/iwlwifi/iwl-core.h
++++ b/drivers/net/wireless/iwlwifi/iwl-core.h
+@@ -263,6 +263,8 @@ struct iwl_mod_params {
+ int amsdu_size_8K; /* def: 1 = enable 8K amsdu size */
+ int antenna; /* def: 0 = both antennas (use diversity) */
+ int restart_fw; /* def: 1 = restart firmware */
++ bool plcp_check; /* def: true = enable plcp health check */
++ bool ack_check; /* def: false = disable ack health check */
+ };
+
+ /*
+--- a/drivers/net/wireless/iwlwifi/iwl-rx.c
++++ b/drivers/net/wireless/iwlwifi/iwl-rx.c
+@@ -234,10 +234,13 @@ EXPORT_SYMBOL(iwl_rx_spectrum_measure_no
+ void iwl_recover_from_statistics(struct iwl_priv *priv,
+ struct iwl_rx_packet *pkt)
+ {
++ const struct iwl_mod_params *mod_params = priv->cfg->mod_params;
++
+ if (test_bit(STATUS_EXIT_PENDING, &priv->status))
+ return;
+ if (iwl_is_any_associated(priv)) {
+- if (priv->cfg->ops->lib->check_ack_health) {
++ if (mod_params->ack_check &&
++ priv->cfg->ops->lib->check_ack_health) {
+ if (!priv->cfg->ops->lib->check_ack_health(
+ priv, pkt)) {
+ /*
+@@ -250,7 +253,8 @@ void iwl_recover_from_statistics(struct
+ return;
+ }
+ }
+- if (priv->cfg->ops->lib->check_plcp_health) {
++ if (mod_params->plcp_check &&
++ priv->cfg->ops->lib->check_plcp_health) {
+ if (!priv->cfg->ops->lib->check_plcp_health(
+ priv, pkt)) {
+ /*
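Review bot: The patch subject and the queued file name spell the parameter `plpc_check` while the code, struct field and MODULE_PARM_DESC all say `plcp_check`; it is only metadata, but anyone grepping the queue for the real parameter name will miss this patch. In iwl-rx.c the new `mod_params` pointer is taken from `priv->cfg->mod_params` and dereferenced without a NULL test; that is fine if every agn cfg points at a mod_params struct, which this hunk cannot show, so worth a confirming glance. Since `ack_check` defaults to false, the ops-table `check_ack_health` pointer alone no longer enables the check; the field comments in iwl-core.h would be the place to say that the module parameter is now the gate, e.g. `/* def: false; when false check_ack_health is never called even if the ops provide it */`. iwl_recover_from_statistics continues past the hunk.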
diff --git a/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch b/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch
new file mode 100644
index 0000000000..d9be76b06f
--- /dev/null
+++ b/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch
@@ -0,0 +1,121 @@
+From bf26c018490c2fce7fe9b629083b96ce0e6ad019 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Thu, 7 Apr 2011 16:53:20 +0200
+Subject: ptrace: Prepare to fix racy accesses on task breakpoints
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit bf26c018490c2fce7fe9b629083b96ce0e6ad019 upstream.
+
+When a task is traced and is in a stopped state, the tracer
+may execute a ptrace request to examine the tracee state and
+get its task struct. Right after, the tracee can be killed
+and thus its breakpoints released.
+This can happen concurrently when the tracer is in the middle
+of reading or modifying these breakpoints, leading to dereferencing
+a freed pointer.
+
+Hence, to prepare the fix, create a generic breakpoint reference
+holding API. When a reference on the breakpoints of a task is
+held, the breakpoints won't be released until the last reference
+is dropped. After that, no more ptrace request on the task's
+breakpoints can be serviced for the tracer.
+
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Cc: Paul Mundt <lethal@linux-sh.org>
+Link: http://lkml.kernel.org/r/1302284067-7860-2-git-send-email-fweisbec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/ptrace.h | 13 ++++++++++++-
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 2 +-
+ kernel/ptrace.c | 17 +++++++++++++++++
+ 4 files changed, 33 insertions(+), 2 deletions(-)
+
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -189,6 +189,10 @@ static inline void ptrace_init_task(stru
+ child->ptrace = current->ptrace;
+ __ptrace_link(child, current->parent);
+ }
++
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++ atomic_set(&child->ptrace_bp_refcnt, 1);
++#endif
+ }
+
+ /**
+@@ -350,6 +354,13 @@ extern int task_current_syscall(struct t
+ unsigned long args[6], unsigned int maxargs,
+ unsigned long *sp, unsigned long *pc);
+
+-#endif
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++extern int ptrace_get_breakpoints(struct task_struct *tsk);
++extern void ptrace_put_breakpoints(struct task_struct *tsk);
++#else
++static inline void ptrace_put_breakpoints(struct task_struct *tsk) { }
++#endif /* CONFIG_HAVE_HW_BREAKPOINT */
++
++#endif /* __KERNEL */
+
+ #endif
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1531,6 +1531,9 @@ struct task_struct {
+ unsigned long memsw_bytes; /* uncharged mem+swap usage */
+ } memcg_batch;
+ #endif
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++ atomic_t ptrace_bp_refcnt;
++#endif
+ };
+
+ /* Future-safe accessor for struct task_struct's cpus_allowed. */
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1015,7 +1015,7 @@ NORET_TYPE void do_exit(long code)
+ /*
+ * FIXME: do that only when needed, using sched_exit tracepoint
+ */
+- flush_ptrace_hw_breakpoint(tsk);
++ ptrace_put_breakpoints(tsk);
+
+ exit_notify(tsk, group_dead);
+ #ifdef CONFIG_NUMA
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -22,6 +22,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/uaccess.h>
+ #include <linux/regset.h>
++#include <linux/hw_breakpoint.h>
+
+
+ /*
+@@ -876,3 +877,19 @@ asmlinkage long compat_sys_ptrace(compat
+ return ret;
+ }
+ #endif /* CONFIG_COMPAT */
++
++#ifdef CONFIG_HAVE_HW_BREAKPOINT
++int ptrace_get_breakpoints(struct task_struct *tsk)
++{
++ if (atomic_inc_not_zero(&tsk->ptrace_bp_refcnt))
++ return 0;
++
++ return -1;
++}
++
++void ptrace_put_breakpoints(struct task_struct *tsk)
++{
++ if (atomic_dec_and_test(&tsk->ptrace_bp_refcnt))
++ flush_ptrace_hw_breakpoint(tsk);
++}
++#endif /* CONFIG_HAVE_HW_BREAKPOINT */
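Review bot: The new `ptrace_get_breakpoints()` and `ptrace_put_breakpoints()` in kernel/ptrace.c carry no kerneldoc, and the contract is the whole point of the patch: get returns 0 and pins the task's breakpoints, or -1 once the last reference is gone (the task has passed the put in do_exit), and every successful get must be balanced by a put before the caller returns. A `/** ... */` block on each stating that, plus a comment on `ptrace_bp_refcnt` in sched.h that ptrace_init_task sets it to 1 and do_exit drops that initial reference, would make the lifetime auditable without reading three files. The closing comment `#endif /* __KERNEL */` in include/linux/ptrace.h is missing the trailing underscores of `__KERNEL__`.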
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
new file mode 100644
index 0000000000..263dcd98d4
--- /dev/null
+++ b/queue-2.6.38/series
@@ -0,0 +1,13 @@
+cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
+cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
+cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch
+cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
+cifs-handle-errors-from-coalesce_t2.patch
+validate-size-of-efi-guid-partition-entries.patch
+drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch
+thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
+x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch
+ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch
+hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch
+iwlwifi-add-ack-plpc-_check-module-parameters.patch
+drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch
diff --git a/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch b/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
new file mode 100644
index 0000000000..f20df7e1ec
--- /dev/null
+++ b/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch
@@ -0,0 +1,45 @@
+From 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a Mon Sep 17 00:00:00 2001
+From: Manoj Iyer <manoj.iyer@canonical.com>
+Date: Sun, 8 May 2011 18:04:29 -0400
+Subject: thinkpad-acpi: module autoloading for newer Lenovo ThinkPads.
+
+From: Manoj Iyer <manoj.iyer@canonical.com>
+
+commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream.
+
+The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead
+of IBM0068. Added new HID so that thinkpad_acpi module will
+auto load on these newer Lenovo ThinkPads.
+
+Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com>
+Signed-off-by: Andy Lutomirski <luto@mit.edu>
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/platform/x86/thinkpad_acpi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -128,7 +128,8 @@ enum {
+ };
+
+ /* ACPI HIDs */
+-#define TPACPI_ACPI_HKEY_HID "IBM0068"
++#define TPACPI_ACPI_IBM_HKEY_HID "IBM0068"
++#define TPACPI_ACPI_LENOVO_HKEY_HID "LEN0068"
+ #define TPACPI_ACPI_EC_HID "PNP0C09"
+
+ /* Input IDs */
+@@ -3879,7 +3880,8 @@ errexit:
+ }
+
+ static const struct acpi_device_id ibm_htk_device_ids[] = {
+- {TPACPI_ACPI_HKEY_HID, 0},
++ {TPACPI_ACPI_IBM_HKEY_HID, 0},
++ {TPACPI_ACPI_LENOVO_HKEY_HID, 0},
+ {"", 0},
+ };
+
diff --git a/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch b/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch
new file mode 100644
index 0000000000..033888f82c
--- /dev/null
+++ b/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch
@@ -0,0 +1,34 @@
+From fa039d5f6b126fbd65eefa05db2f67e44df8f121 Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Fri, 6 May 2011 13:47:35 +0200
+Subject: Validate size of EFI GUID partition entries.
+
+From: Timo Warns <Warns@pre-sense.de>
+
+commit fa039d5f6b126fbd65eefa05db2f67e44df8f121 upstream.
+
+Otherwise corrupted EFI partition tables can cause total confusion.
+
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/partitions/efi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -348,6 +348,12 @@ static int is_gpt_valid(struct parsed_pa
+ goto fail;
+ }
+
++ /* Check that sizeof_partition_entry has the correct value */
++ if (le32_to_cpu((*gpt)->sizeof_partition_entry) != sizeof(gpt_entry)) {
++ pr_debug("GUID Partitition Entry Size check failed.\n");
++ goto fail;
++ }
++
+ if (!(*ptes = alloc_read_gpt_entries(state, *gpt)))
+ goto fail;
+
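Review bot: The new `sizeof_partition_entry` check rejects any entry size that is not exactly `sizeof(gpt_entry)`, which is stricter than bounding it (the UEFI spec allows larger multiples of 128), so a comment saying the restriction is intentional would stop a future "fix" from loosening it; something like `/* Only the canonical sizeof(gpt_entry) entry size is supported; other sizes are rejected outright rather than parsed with a variable stride. */` in place of the one-line comment. The debug string on the `pr_debug` line also has a typo, `Partitition`; it should read `"GUID Partition Entry Size check failed.\n"`. This hunk still leaves `num_partition_entries` unvalidated here, and whether `alloc_read_gpt_entries` bounds the count-times-size product before allocating is not visible in this hunk, so that path is worth checking too. `is_gpt_valid` begins and ends outside the hunk.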
diff --git a/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch b/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch
new file mode 100644
index 0000000000..fb1ba4fa11
--- /dev/null
+++ b/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch
@@ -0,0 +1,115 @@
+From 87dc669ba25777b67796d7262c569429e58b1ed4 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Fri, 8 Apr 2011 17:29:36 +0200
+Subject: x86, hw_breakpoints: Fix racy access to ptrace breakpoints
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 87dc669ba25777b67796d7262c569429e58b1ed4 upstream.
+
+While the tracer accesses ptrace breakpoints, the child task may
+concurrently exit due to a SIGKILL and thus release its breakpoints
+at the same time. We can then dereference some freed pointers.
+
+To fix this, hold a reference on the child breakpoints before
+manipulating them.
+
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Cc: Paul Mundt <lethal@linux-sh.org>
+Link: http://lkml.kernel.org/r/1302284067-7860-3-git-send-email-fweisbec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/ptrace.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -608,6 +608,9 @@ static int ptrace_write_dr7(struct task_
+ unsigned len, type;
+ struct perf_event *bp;
+
++ if (ptrace_get_breakpoints(tsk) < 0)
++ return -ESRCH;
++
+ data &= ~DR_CONTROL_RESERVED;
+ old_dr7 = ptrace_get_dr7(thread->ptrace_bps);
+ restore:
+@@ -655,6 +658,9 @@ restore:
+ }
+ goto restore;
+ }
++
++ ptrace_put_breakpoints(tsk);
++
+ return ((orig_ret < 0) ? orig_ret : rc);
+ }
+
+@@ -668,10 +674,17 @@ static unsigned long ptrace_get_debugreg
+
+ if (n < HBP_NUM) {
+ struct perf_event *bp;
++
++ if (ptrace_get_breakpoints(tsk) < 0)
++ return -ESRCH;
++
+ bp = thread->ptrace_bps[n];
+ if (!bp)
+- return 0;
+- val = bp->hw.info.address;
++ val = 0;
++ else
++ val = bp->hw.info.address;
++
++ ptrace_put_breakpoints(tsk);
+ } else if (n == 6) {
+ val = thread->debugreg6;
+ } else if (n == 7) {
+@@ -686,6 +699,10 @@ static int ptrace_set_breakpoint_addr(st
+ struct perf_event *bp;
+ struct thread_struct *t = &tsk->thread;
+ struct perf_event_attr attr;
++ int err = 0;
++
++ if (ptrace_get_breakpoints(tsk) < 0)
++ return -ESRCH;
+
+ if (!t->ptrace_bps[nr]) {
+ ptrace_breakpoint_init(&attr);
+@@ -709,24 +726,23 @@ static int ptrace_set_breakpoint_addr(st
+ * writing for the user. And anyway this is the previous
+ * behaviour.
+ */
+- if (IS_ERR(bp))
+- return PTR_ERR(bp);
++ if (IS_ERR(bp)) {
++ err = PTR_ERR(bp);
++ goto put;
++ }
+
+ t->ptrace_bps[nr] = bp;
+ } else {
+- int err;
+-
+ bp = t->ptrace_bps[nr];
+
+ attr = bp->attr;
+ attr.bp_addr = addr;
+ err = modify_user_hw_breakpoint(bp, &attr);
+- if (err)
+- return err;
+ }
+
+-
+- return 0;
++put:
++ ptrace_put_breakpoints(tsk);
++ return err;
+ }
+
+ /*
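Review bot: In `ptrace_get_debugreg` the added `return -ESRCH;` is returned through the `unsigned long` return type shown in the hunk's context line, so a tracee that is exiting is reported to the caller as the value `(unsigned long)-ESRCH` rather than as an error; unless the `PTRACE_PEEKUSER` path in `arch_ptrace` special-cases that value (not visible here), it is handed to the tracer as if it were the breakpoint address. If that in-band sentinel is accepted, it should at least be documented at the return, e.g. `/* in-band error: the tracee is exiting and its breakpoints are already released */`; the cleaner fix is an `unsigned long *val` out-parameter with an `int` return, which is a signature change beyond this hunk. In `ptrace_write_dr7` the code between the `restore:` label and the new `ptrace_put_breakpoints(tsk)` is elided, so any early `return` in that region would leak the reference taken at the top; it appears the only exit there is `goto restore`, but that is worth confirming against the full function, which starts and ends outside the hunk.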