3.0 patches

10 files changed, 555 insertions, 0 deletions

diff --git a/queue-3.0/cciss-do-not-attempt-to-read-from-a-write-only-register.patch b/queue-3.0/cciss-do-not-attempt-to-read-from-a-write-only-register.patch
new file mode 100644
index 0000000000..5b2f045149
--- /dev/null
+++ b/queue-3.0/cciss-do-not-attempt-to-read-from-a-write-only-register.patch
@@ -0,0 +1,32 @@
+From 07d0c38e7d84f911c72058a124c7f17b3c779a65 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com>
+Date: Sat, 9 Jul 2011 09:04:12 +0200
+Subject: cciss: do not attempt to read from a write-only register
+
+From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com>
+
+commit 07d0c38e7d84f911c72058a124c7f17b3c779a65 upstream.
+
+Most smartarrays will tolerate it, but some new ones don't.
+
+Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
+
+Note: this is a regression caused by commit 1ddd5049
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/cciss.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/cciss.h
++++ b/drivers/block/cciss.h
+@@ -223,7 +223,7 @@ static void SA5_submit_command( ctlr_inf
+ 			h->ctlr, c->busaddr);
+ #endif /* CCISS_DEBUG */
+          writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
+-	readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
++	readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
+ 	 h->commands_outstanding++;
+ 	 if ( h->commands_outstanding > h->max_outstanding)
+ 		h->max_outstanding = h->commands_outstanding;
diff --git a/queue-3.0/drivers-firmware-sigma.c-needs-module_license.patch b/queue-3.0/drivers-firmware-sigma.c-needs-module_license.patch
new file mode 100644
index 0000000000..f29662ab3b
--- /dev/null
+++ b/queue-3.0/drivers-firmware-sigma.c-needs-module_license.patch
@@ -0,0 +1,39 @@
+From 27c46a2546c75c6814562e85b751e3d64c188ad5 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@xenotime.net>
+Date: Mon, 25 Jul 2011 17:13:21 -0700
+Subject: drivers/firmware/sigma.c needs MODULE_LICENSE
+
+From: Randy Dunlap <rdunlap@xenotime.net>
+
+commit 27c46a2546c75c6814562e85b751e3d64c188ad5 upstream.
+
+Fix module tainting message:
+
+  sigma: module license 'unspecified' taints kernel.
+
+Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
+Acked-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firmware/sigma.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/firmware/sigma.c
++++ b/drivers/firmware/sigma.c
+@@ -11,6 +11,7 @@
+ #include <linux/firmware.h>
+ #include <linux/kernel.h>
+ #include <linux/i2c.h>
++#include <linux/module.h>
+ #include <linux/sigma.h>
+ 
+ /* Return: 0==OK, <0==error, =1 ==no more actions */
+@@ -113,3 +114,5 @@ int process_sigma_firmware(struct i2c_cl
+ 	return ret;
+ }
+ EXPORT_SYMBOL(process_sigma_firmware);
++
++MODULE_LICENSE("GPL");
diff --git a/queue-3.0/ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch b/queue-3.0/ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch
new file mode 100644
index 0000000000..35afa266ca
--- /dev/null
+++ b/queue-3.0/ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch
@@ -0,0 +1,50 @@
+From ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 30 May 2011 13:29:20 +0200
+Subject: ext3: Fix oops in ext3_try_to_allocate_with_rsv()
+
+From: Jan Kara <jack@suse.cz>
+
+commit ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 upstream.
+
+Block allocation is called from two places: ext3_get_blocks_handle() and
+ext3_xattr_block_set(). These two callers are not necessarily synchronized
+because xattr code holds only xattr_sem and i_mutex, and
+ext3_get_blocks_handle() may hold only truncate_mutex when called from
+writepage() path. Block reservation code does not expect two concurrent
+allocations to happen to the same inode and thus assertions can be triggered
+or reservation structure corruption can occur.
+
+Fix the problem by taking truncate_mutex in xattr code to serialize
+allocations.
+
+CC: Sage Weil <sage@newdream.net>
+Reported-by: Fyodor Ustinov <ufm@ufm.su>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/xattr.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/ext3/xattr.c
++++ b/fs/ext3/xattr.c
+@@ -803,8 +803,16 @@ inserted:
+ 			/* We need to allocate a new block */
+ 			ext3_fsblk_t goal = ext3_group_first_block_no(sb,
+ 						EXT3_I(inode)->i_block_group);
+-			ext3_fsblk_t block = ext3_new_block(handle, inode,
+-							goal, &error);
++			ext3_fsblk_t block;
++
++			/*
++			 * Protect us agaist concurrent allocations to the
++			 * same inode from ext3_..._writepage(). Reservation
++			 * code does not expect racing allocations.
++			 */
++			mutex_lock(&EXT3_I(inode)->truncate_mutex);
++			block = ext3_new_block(handle, inode, goal, &error);
++			mutex_unlock(&EXT3_I(inode)->truncate_mutex);
+ 			if (error)
+ 				goto cleanup;
+ 			ea_idebug(inode, "creating block %d", block);
diff --git a/queue-3.0/ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch b/queue-3.0/ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch
new file mode 100644
index 0000000000..e414f0599f
--- /dev/null
+++ b/queue-3.0/ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch
@@ -0,0 +1,82 @@
+From 7132de744ba76930d13033061018ddd7e3e8cd91 Mon Sep 17 00:00:00 2001
+From: Maxim Patlasov <maxim.patlasov@gmail.com>
+Date: Sun, 10 Jul 2011 19:37:48 -0400
+Subject: ext4: fix i_blocks/quota accounting when extent insertion fails
+
+From: Maxim Patlasov <maxim.patlasov@gmail.com>
+
+commit 7132de744ba76930d13033061018ddd7e3e8cd91 upstream.
+
+The current implementation of ext4_free_blocks() always calls
+dquot_free_block This looks quite sensible in the most cases: blocks
+to be freed are associated with inode and were accounted in quota and
+i_blocks some time ago.
+
+However, there is a case when blocks to free were not accounted by the
+time calling ext4_free_blocks() yet:
+
+1. delalloc is on, write_begin pre-allocated some space in quota
+2. write-back happens, ext4 allocates some blocks in ext4_ext_map_blocks()
+3. then ext4_ext_map_blocks() gets an error (e.g.  ENOSPC) from
+   ext4_ext_insert_extent() and calls ext4_free_blocks().
+
+In this scenario, ext4_free_blocks() calls dquot_free_block() who, in
+turn, decrements i_blocks for blocks which were not accounted yet (due
+to delalloc) After clean umount, e2fsck reports something like:
+
+> Inode 21, i_blocks is 5080, should be 5128.  Fix<y>?
+because i_blocks was erroneously decremented as explained above.
+
+The patch fixes the problem by passing the new flag
+EXT4_FREE_BLOCKS_NO_QUOT_UPDATE to ext4_free_blocks(), to request
+that the dquot_free_block() call be skipped.
+
+Signed-off-by: Maxim Patlasov <maxim.patlasov@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/ext4.h    |    1 +
+ fs/ext4/extents.c |    4 +++-
+ fs/ext4/mballoc.c |    2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -526,6 +526,7 @@ struct ext4_new_group_data {
+ #define EXT4_FREE_BLOCKS_METADATA	0x0001
+ #define EXT4_FREE_BLOCKS_FORGET		0x0002
+ #define EXT4_FREE_BLOCKS_VALIDATED	0x0004
++#define EXT4_FREE_BLOCKS_NO_QUOT_UPDATE	0x0008
+ 
+ /*
+  * ioctl commands
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3601,12 +3601,14 @@ int ext4_ext_map_blocks(handle_t *handle
+ 
+ 	err = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
+ 	if (err) {
++		int fb_flags = flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE ?
++			EXT4_FREE_BLOCKS_NO_QUOT_UPDATE : 0;
+ 		/* free data blocks we just allocated */
+ 		/* not a good idea to call discard here directly,
+ 		 * but otherwise we'd need to call it every free() */
+ 		ext4_discard_preallocations(inode);
+ 		ext4_free_blocks(handle, inode, NULL, ext4_ext_pblock(&newex),
+-				 ext4_ext_get_actual_len(&newex), 0);
++				 ext4_ext_get_actual_len(&newex), fb_flags);
+ 		goto out2;
+ 	}
+ 
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -4637,7 +4637,7 @@ do_more:
+ 	}
+ 	ext4_mark_super_dirty(sb);
+ error_return:
+-	if (freed)
++	if (freed && !(flags & EXT4_FREE_BLOCKS_NO_QUOT_UPDATE))
+ 		dquot_free_block(inode, freed);
+ 	brelse(bitmap_bh);
+ 	ext4_std_error(sb, err);
diff --git a/queue-3.0/ext4-free-allocated-and-pre-allocated-blocks-when.patch b/queue-3.0/ext4-free-allocated-and-pre-allocated-blocks-when.patch
new file mode 100644
index 0000000000..97383872da
--- /dev/null
+++ b/queue-3.0/ext4-free-allocated-and-pre-allocated-blocks-when.patch
@@ -0,0 +1,42 @@
+From 575a1d4bdfa2ea9fc10733013136145b497e1be0 Mon Sep 17 00:00:00 2001
+From: Jiaying Zhang <jiayingz@google.com>
+Date: Sun, 10 Jul 2011 20:07:25 -0400
+Subject: ext4: free allocated and pre-allocated blocks when
+ check_eofblocks_fl fails
+
+From: Jiaying Zhang <jiayingz@google.com>
+
+commit 575a1d4bdfa2ea9fc10733013136145b497e1be0 upstream.
+
+Upon corrupted inode or disk failures, we may fail after we already
+allocate some blocks from the inode or take some blocks from the
+inode's preallocation list, but before we successfully insert the
+corresponding extent to the extent tree. In this case, we should free
+any allocated blocks and discard the inode's preallocated blocks
+because the entries in the inode's preallocation list may be in an
+inconsistent state.
+
+Signed-off-by: Jiaying Zhang <jiayingz@google.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/extents.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3596,10 +3596,9 @@ int ext4_ext_map_blocks(handle_t *handle
+ 	}
+ 
+ 	err = check_eofblocks_fl(handle, inode, map->m_lblk, path, ar.len);
+-	if (err)
+-		goto out2;
+-
+-	err = ext4_ext_insert_extent(handle, inode, path, &newex, flags);
++	if (!err)
++		err = ext4_ext_insert_extent(handle, inode, path,
++					     &newex, flags);
+ 	if (err) {
+ 		int fb_flags = flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE ?
+ 			EXT4_FREE_BLOCKS_NO_QUOT_UPDATE : 0;
diff --git a/queue-3.0/geode-reflect-mfgpt-dependency-on-mfd.patch b/queue-3.0/geode-reflect-mfgpt-dependency-on-mfd.patch
new file mode 100644
index 0000000000..ce3ac1960a
--- /dev/null
+++ b/queue-3.0/geode-reflect-mfgpt-dependency-on-mfd.patch
@@ -0,0 +1,43 @@
+From 703f03c896fdbd726b809066ae279df513992f0e Mon Sep 17 00:00:00 2001
+From: "Philip A. Prindeville" <philipp@redfish-solutions.com>
+Date: Mon, 25 Jul 2011 17:13:05 -0700
+Subject: geode: reflect mfgpt dependency on mfd
+
+From: "Philip A. Prindeville" <philipp@redfish-solutions.com>
+
+commit 703f03c896fdbd726b809066ae279df513992f0e upstream.
+
+As stated in drivers/mfd/cs5535-mfd.c, the mfd driver exposes the BARs
+which then make the GPIO, MFGPT, ACPI, etc.  all visible to the system.
+
+So the dependencies of the MFGPT stuff have changed, and most people
+expect Kconfig to bring in the necessary dependencies.  Without them, the
+module fails to load and most people don't understand why because the
+details of the rewrite aren't captured anywhere most people who know to
+look.
+
+This dependency needs to be reflected in Kconfig.
+
+Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
+Acked-by: Alexandros C. Couloumbis <alex@ozo.com>
+Acked-by: Andres Salomon <dilinger@queued.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/Kconfig |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/Kconfig
++++ b/drivers/misc/Kconfig
+@@ -245,8 +245,7 @@ config SGI_XP
+ 
+ config CS5535_MFGPT
+ 	tristate "CS5535/CS5536 Geode Multi-Function General Purpose Timer (MFGPT) support"
+-	depends on PCI
+-	depends on X86
++	depends on PCI && X86 && MFD_CS5535
+ 	default n
+ 	help
+ 	  This driver provides access to MFGPT functionality for other
diff --git a/queue-3.0/mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch b/queue-3.0/mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch
new file mode 100644
index 0000000000..d3291d61b1
--- /dev/null
+++ b/queue-3.0/mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch
@@ -0,0 +1,46 @@
+From ccb6108f5b0b541d3eb332c3a73e645c0f84278e Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 25 Jul 2011 17:11:57 -0700
+Subject: mm/backing-dev.c: reset bdi min_ratio in bdi_unregister()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit ccb6108f5b0b541d3eb332c3a73e645c0f84278e upstream.
+
+Vito said:
+
+: The system has many usb disks coming and going day to day, with their
+: respective bdi's having min_ratio set to 1 when inserted.  It works for
+: some time until eventually min_ratio can no longer be set, even when the
+: active set of bdi's seen in /sys/class/bdi/*/min_ratio doesn't add up to
+: anywhere near 100.
+:
+: This then leads to an unrelated starvation problem caused by write-heavy
+: fuse mounts being used atop the usb disks, a problem the min_ratio setting
+: at the underlying devices bdi effectively prevents.
+
+Fix this leakage by resetting the bdi min_ratio when unregistering the
+BDI.
+
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Reported-by: Vito Caputo <lkml@pengaru.com>
+Cc: Wu Fengguang <fengguang.wu@intel.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/backing-dev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -606,6 +606,7 @@ static void bdi_prune_sb(struct backing_
+ void bdi_unregister(struct backing_dev_info *bdi)
+ {
+ 	if (bdi->dev) {
++		bdi_set_min_ratio(bdi, 0);
+ 		trace_writeback_bdi_unregister(bdi);
+ 		bdi_prune_sb(bdi);
+ 		del_timer_sync(&bdi->wb.wakeup_timer);
diff --git a/queue-3.0/mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch b/queue-3.0/mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch
new file mode 100644
index 0000000000..4ed25598ac
--- /dev/null
+++ b/queue-3.0/mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch
@@ -0,0 +1,176 @@
+From 2efaca927f5cd7ecd0f1554b8f9b6a9a2c329c03 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 25 Jul 2011 17:12:32 -0700
+Subject: mm/futex: fix futex writes on archs with SW tracking of dirty & young
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 2efaca927f5cd7ecd0f1554b8f9b6a9a2c329c03 upstream.
+
+I haven't reproduced it myself but the fail scenario is that on such
+machines (notably ARM and some embedded powerpc), if you manage to hit
+that futex path on a writable page whose dirty bit has gone from the PTE,
+you'll livelock inside the kernel from what I can tell.
+
+It will go in a loop of trying the atomic access, failing, trying gup to
+"fix it up", getting succcess from gup, go back to the atomic access,
+failing again because dirty wasn't fixed etc...
+
+So I think you essentially hang in the kernel.
+
+The scenario is probably rare'ish because affected architecture are
+embedded and tend to not swap much (if at all) so we probably rarely hit
+the case where dirty is missing or young is missing, but I think Shan has
+a piece of SW that can reliably reproduce it using a shared writable
+mapping & fork or something like that.
+
+On archs who use SW tracking of dirty & young, a page without dirty is
+effectively mapped read-only and a page without young unaccessible in the
+PTE.
+
+Additionally, some architectures might lazily flush the TLB when relaxing
+write protection (by doing only a local flush), and expect a fault to
+invalidate the stale entry if it's still present on another processor.
+
+The futex code assumes that if the "in_atomic()" access -EFAULT's, it can
+"fix it up" by causing get_user_pages() which would then be equivalent to
+taking the fault.
+
+However that isn't the case.  get_user_pages() will not call
+handle_mm_fault() in the case where the PTE seems to have the right
+permissions, regardless of the dirty and young state.  It will eventually
+update those bits ...  in the struct page, but not in the PTE.
+
+Additionally, it will not handle the lazy TLB flushing that can be
+required by some architectures in the fault case.
+
+Basically, gup is the wrong interface for the job.  The patch provides a
+more appropriate one which boils down to just calling handle_mm_fault()
+since what we are trying to do is simulate a real page fault.
+
+The futex code currently attempts to write to user memory within a
+pagefault disabled section, and if that fails, tries to fix it up using
+get_user_pages().
+
+This doesn't work on archs where the dirty and young bits are maintained
+by software, since they will gate access permission in the TLB, and will
+not be updated by gup().
+
+In addition, there's an expectation on some archs that a spurious write
+fault triggers a local TLB flush, and that is missing from the picture as
+well.
+
+I decided that adding those "features" to gup() would be too much for this
+already too complex function, and instead added a new simpler
+fixup_user_fault() which is essentially a wrapper around handle_mm_fault()
+which the futex code can call.
+
+[akpm@linux-foundation.org: coding-style fixes]
+[akpm@linux-foundation.org: fix some nits Darren saw, fiddle comment layout]
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Reported-by: Shan Hai <haishan.bai@gmail.com>
+Tested-by: Shan Hai <haishan.bai@gmail.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Darren Hart <darren.hart@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/mm.h |    2 +
+ kernel/futex.c     |    4 +--
+ mm/memory.c        |   58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 61 insertions(+), 3 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -985,6 +985,8 @@ int get_user_pages(struct task_struct *t
+ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
+ 			struct page **pages);
+ struct page *get_dump_page(unsigned long addr);
++extern int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
++			    unsigned long address, unsigned int fault_flags);
+ 
+ extern int try_to_release_page(struct page * page, gfp_t gfp_mask);
+ extern void do_invalidatepage(struct page *page, unsigned long offset);
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -355,8 +355,8 @@ static int fault_in_user_writeable(u32 _
+ 	int ret;
+ 
+ 	down_read(&mm->mmap_sem);
+-	ret = get_user_pages(current, mm, (unsigned long)uaddr,
+-			     1, 1, 0, NULL, NULL);
++	ret = fixup_user_fault(current, mm, (unsigned long)uaddr,
++			       FAULT_FLAG_WRITE);
+ 	up_read(&mm->mmap_sem);
+ 
+ 	return ret < 0 ? ret : 0;
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1816,7 +1816,63 @@ next_page:
+ }
+ EXPORT_SYMBOL(__get_user_pages);
+ 
+-/**
++/*
++ * fixup_user_fault() - manually resolve a user page fault
++ * @tsk:	the task_struct to use for page fault accounting, or
++ *		NULL if faults are not to be recorded.
++ * @mm:		mm_struct of target mm
++ * @address:	user address
++ * @fault_flags:flags to pass down to handle_mm_fault()
++ *
++ * This is meant to be called in the specific scenario where for locking reasons
++ * we try to access user memory in atomic context (within a pagefault_disable()
++ * section), this returns -EFAULT, and we want to resolve the user fault before
++ * trying again.
++ *
++ * Typically this is meant to be used by the futex code.
++ *
++ * The main difference with get_user_pages() is that this function will
++ * unconditionally call handle_mm_fault() which will in turn perform all the
++ * necessary SW fixup of the dirty and young bits in the PTE, while
++ * handle_mm_fault() only guarantees to update these in the struct page.
++ *
++ * This is important for some architectures where those bits also gate the
++ * access permission to the page because they are maintained in software.  On
++ * such architectures, gup() will not be enough to make a subsequent access
++ * succeed.
++ *
++ * This should be called with the mm_sem held for read.
++ */
++int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
++		     unsigned long address, unsigned int fault_flags)
++{
++	struct vm_area_struct *vma;
++	int ret;
++
++	vma = find_extend_vma(mm, address);
++	if (!vma || address < vma->vm_start)
++		return -EFAULT;
++
++	ret = handle_mm_fault(mm, vma, address, fault_flags);
++	if (ret & VM_FAULT_ERROR) {
++		if (ret & VM_FAULT_OOM)
++			return -ENOMEM;
++		if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE))
++			return -EHWPOISON;
++		if (ret & VM_FAULT_SIGBUS)
++			return -EFAULT;
++		BUG();
++	}
++	if (tsk) {
++		if (ret & VM_FAULT_MAJOR)
++			tsk->maj_flt++;
++		else
++			tsk->min_flt++;
++	}
++	return 0;
++}
++
++/*
+  * get_user_pages() - pin user pages in memory
+  * @tsk:	the task_struct to use for page fault accounting, or
+  *		NULL if faults are not to be recorded.
diff --git a/queue-3.0/series b/queue-3.0/series
index e1e0d80af6..f88e3b354c 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -61,3 +61,12 @@ tracing-fix-bug-when-reading-system-filters-on-module.patch
 tracing-have-enable-file-use-refcounts-like-the-filter.patch
 xz-fix-missing-linux-kernel.h-include.patch
 pci-ari-is-a-pcie-v2-feature.patch
+cciss-do-not-attempt-to-read-from-a-write-only-register.patch
+drivers-firmware-sigma.c-needs-module_license.patch
+geode-reflect-mfgpt-dependency-on-mfd.patch
+mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch
+mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch
+xtensa-prevent-arbitrary-read-in-ptrace.patch
+ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch
+ext4-free-allocated-and-pre-allocated-blocks-when.patch
+ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch
diff --git a/queue-3.0/xtensa-prevent-arbitrary-read-in-ptrace.patch b/queue-3.0/xtensa-prevent-arbitrary-read-in-ptrace.patch
new file mode 100644
index 0000000000..242f90042d
--- /dev/null
+++ b/queue-3.0/xtensa-prevent-arbitrary-read-in-ptrace.patch
@@ -0,0 +1,36 @@
+From 0d0138ebe24b94065580bd2601f8bb7eb6152f56 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Mon, 25 Jul 2011 17:11:53 -0700
+Subject: xtensa: prevent arbitrary read in ptrace
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 0d0138ebe24b94065580bd2601f8bb7eb6152f56 upstream.
+
+Prevent an arbitrary kernel read.  Check the user pointer with access_ok()
+before copying data in.
+
+[akpm@linux-foundation.org: s/EIO/EFAULT/]
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: Christian Zankel <chris@zankel.net>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/xtensa/kernel/ptrace.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/xtensa/kernel/ptrace.c
++++ b/arch/xtensa/kernel/ptrace.c
+@@ -147,6 +147,9 @@ int ptrace_setxregs(struct task_struct *
+ 	elf_xtregs_t *xtregs = uregs;
+ 	int ret = 0;
+ 
++	if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)))
++		return -EFAULT;
++
+ #if XTENSA_HAVE_COPROCESSORS
+ 	/* Flush all coprocessors before we overwrite them. */
+ 	coprocessor_flush_all(ti);