From ab311c8fc4d7b5a6f8d91c569fd96de59e72b482 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <benh@debian.org>
Date: Mon, 23 Apr 2012 01:03:13 +0000
Subject: [PATCH] Update to 3.2.16

svn path=/dists/sid/linux-2.6/; revision=18945
---
 debian/changelog                              | 13 ++-
 ...-fix-race-condition-in-hugetlb_fault.patch | 88 -------------------
 ...64-Fix-futex_atomic_cmpxchg_inatomic.patch | 41 ---------
 ...anscoder-select-bits-before-setting-.patch | 47 ----------
 debian/patches/series/base                    |  3 -
 5 files changed, 11 insertions(+), 181 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/hugetlb-fix-race-condition-in-hugetlb_fault.patch
 delete mode 100644 debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch
 delete mode 100644 debian/patches/bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch

diff --git a/debian/changelog b/debian/changelog
index c57fee958..303c8b3fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,16 @@
-linux-2.6 (3.2.15-2) UNRELEASED; urgency=low
+linux-2.6 (3.2.16-1) UNRELEASED; urgency=low
+
+  * New upstream stable update:
+    http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.16
+    - md/bitmap: prevent bitmap_daemon_work running while initialising bitmap
+    - [ia64] Fix futex_atomic_cmpxchg_inatomic() (Closes: #659485)
+    - USB: serial: fix race between probe and open
+    - fcaps: clear the same personality flags as suid when fcaps are used
+    - futex: Do not leak robust list to unprivileged process
+    - drm/radeon/kms: fix the regression of DVI connector check
+      (Closes: #670047)
 
   [ Ben Hutchings ]
-  * [ia64] Fix futex_atomic_cmpxchg_inatomic() (Closes: #659485)
   * rt2x00: Identify rt2800usb chipsets. (Closes: #658067)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 16 Apr 2012 02:27:29 +0100
diff --git a/debian/patches/bugfix/all/hugetlb-fix-race-condition-in-hugetlb_fault.patch b/debian/patches/bugfix/all/hugetlb-fix-race-condition-in-hugetlb_fault.patch
deleted file mode 100644
index ff0795850..000000000
--- a/debian/patches/bugfix/all/hugetlb-fix-race-condition-in-hugetlb_fault.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Chris Metcalf <cmetcalf@tilera.com>
-Date: Thu, 12 Apr 2012 12:49:15 -0700
-Subject: [PATCH] hugetlb: fix race condition in hugetlb_fault()
-
-commit 66aebce747eaf9bc456bf1f1b217d8db843031d0 upstream.
-
-The race is as follows:
-
-Suppose a multi-threaded task forks a new process (on cpu A), thus
-bumping up the ref count on all the pages.  While the fork is occurring
-(and thus we have marked all the PTEs as read-only), another thread in
-the original process (on cpu B) tries to write to a huge page, taking an
-access violation from the write-protect and calling hugetlb_cow().  Now,
-suppose the fork() fails.  It will undo the COW and decrement the ref
-count on the pages, so the ref count on the huge page drops back to 1.
-Meanwhile hugetlb_cow() also decrements the ref count by one on the
-original page, since the original address space doesn't need it any
-more, having copied a new page to replace the original page.  This
-leaves the ref count at zero, and when we call unlock_page(), we panic.
-
-	fork on CPU A				fault on CPU B
-	=============				==============
-	...
-	down_write(&parent->mmap_sem);
-	down_write_nested(&child->mmap_sem);
-	...
-	while duplicating vmas
-		if error
-			break;
-	...
-	up_write(&child->mmap_sem);
-	up_write(&parent->mmap_sem);		...
-						down_read(&parent->mmap_sem);
-						...
-						lock_page(page);
-						handle COW
-						page_mapcount(old_page) == 2
-						alloc and prepare new_page
-	...
-	handle error
-	page_remove_rmap(page);
-	put_page(page);
-	...
-						fold new_page into pte
-						page_remove_rmap(page);
-						put_page(page);
-						...
-				oops ==>	unlock_page(page);
-						up_read(&parent->mmap_sem);
-
-The solution is to take an extra reference to the page while we are
-holding the lock on it.
-
-Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
-Cc: Hillf Danton <dhillf@gmail.com>
-Cc: Michal Hocko <mhocko@suse.cz>
-Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- mm/hugetlb.c |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index b8ce6f4..cd65cb1 100644
---- a/mm/hugetlb.c
-+++ b/mm/hugetlb.c
-@@ -2791,6 +2791,7 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
- 	 * so no worry about deadlock.
- 	 */
- 	page = pte_page(entry);
-+	get_page(page);
- 	if (page != pagecache_page)
- 		lock_page(page);
- 
-@@ -2822,6 +2823,7 @@ out_page_table_lock:
- 	}
- 	if (page != pagecache_page)
- 		unlock_page(page);
-+	put_page(page);
- 
- out_mutex:
- 	mutex_unlock(&hugetlb_instantiation_mutex);
--- 
-1.7.9.5
-
diff --git a/debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch b/debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch
deleted file mode 100644
index afe7c7408..000000000
--- a/debian/patches/bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Tony Luck <tony.luck@intel.com>
-Date: Fri Apr 13 11:32:44 2012 -0700
-Subject: [IA64] Fix futex_atomic_cmpxchg_inatomic()
-
-commit 9d38e66bf07b6e57c8e60767c454e1db9aac4484 upstream.
-
-Michel Lespinasse cleaned up the futex calling conventions in
-commit 37a9d912b24f96a0591773e6e6c3642991ae5a70
-    futex: Sanitize cmpxchg_futex_value_locked API
-
-But the ia64 implementation was subtly broken. Gcc does not know
-that register "r8" will be updated by the fault handler if the
-cmpxchg instruction takes an exception. So it feels safe in letting
-the initialization of r8 slide to after the cmpxchg. Result: we
-always return 0 whether the user address faulted or not.
-
-Fix by moving the initialization of r8 into the __asm__ code so
-gcc won't move it.
-
-Reported-by: <emeric.maschino@gmail.com>
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=42757
-Cc: stable@vger.kernel.org # v2.6.39+
-Signed-off-by: Tony Luck <tony.luck@intel.com>
----
-diff --git a/arch/ia64/include/asm/futex.h b/arch/ia64/include/asm/futex.h
-index 8428525..71949a5 100644
---- a/arch/ia64/include/asm/futex.h
-+++ b/arch/ia64/include/asm/futex.h
-@@ -107,10 +107,11 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
- 		return -EFAULT;
- 
- 	{
--		register unsigned long r8 __asm ("r8") = 0;
-+		register unsigned long r8 __asm ("r8");
- 		unsigned long prev;
- 		__asm__ __volatile__(
- 			"	mf;;					\n"
-+			"	mov r8=r0				\n"
- 			"	mov ar.ccv=%3;;				\n"
- 			"[1:]	cmpxchg4.acq %0=[%1],%2,ar.ccv		\n"
- 			"	.xdata4 \"__ex_table\", 1b-., 2f-.	\n"
diff --git a/debian/patches/bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch b/debian/patches/bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch
deleted file mode 100644
index e45095d57..000000000
--- a/debian/patches/bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Jesse Barnes <jbarnes@virtuousgeek.org>
-Date: Thu, 12 Jan 2012 14:51:17 -0800
-Subject: [PATCH] drm/i915: mask transcoder select bits before setting them on
- LVDS
-
-commit 7885d2052bd94395e337709cfba093a41f273ff1 upstream.
-
-The transcoder port may changed from mode set to mode set, so make sure
-to mask out the selection bits before setting the right ones or we'll
-get black screens when going from transcoder B to A.
-
-Tested-by: Vincent Vanackere <vincent.vanackere@gmail.com>
-Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Signed-off-by: Keith Packard <keithp@keithp.com>
----
- drivers/gpu/drm/i915/intel_display.c |   13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 2a3f707..96cea08 100644
---- a/drivers/gpu/drm/i915/intel_display.c
-+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -5808,12 +5808,15 @@ static int ironlake_crtc_mode_set(struct drm_crtc *crtc,
- 	if (is_lvds) {
- 		temp = I915_READ(PCH_LVDS);
- 		temp |= LVDS_PORT_EN | LVDS_A0A2_CLKA_POWER_UP;
--		if (HAS_PCH_CPT(dev))
-+		if (HAS_PCH_CPT(dev)) {
-+			temp &= ~PORT_TRANS_SEL_MASK;
- 			temp |= PORT_TRANS_SEL_CPT(pipe);
--		else if (pipe == 1)
--			temp |= LVDS_PIPEB_SELECT;
--		else
--			temp &= ~LVDS_PIPEB_SELECT;
-+		} else {
-+			if (pipe == 1)
-+				temp |= LVDS_PIPEB_SELECT;
-+			else
-+				temp &= ~LVDS_PIPEB_SELECT;
-+		}
- 
- 		/* set the corresponsding LVDS_BORDER bit */
- 		temp |= dev_priv->lvds_border_bits;
--- 
-1.7.9.5
-
diff --git a/debian/patches/series/base b/debian/patches/series/base
index e6941355d..25b8d5dd9 100644
--- a/debian/patches/series/base
+++ b/debian/patches/series/base
@@ -86,7 +86,6 @@
 
 + bugfix/all/net-fix-proc-net-dev-regression.patch
 + bugfix/arm/ARM-orion5x-Fix-GPIO-enable-bits-for-MPP9.patch
-+ bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch
 
 # Update all Hyper-V drivers to 3.4-rc1 (no longer staging)
 + features/x86/hyperv/0001-NLS-improve-UTF8-UTF16-string-conversion-routine.patch
@@ -171,6 +170,4 @@
 + debian/revert-rtc-Provide-flag-for-rtc-devices-that-don-t-s.patch
 + debian/nls-Avoid-ABI-change-from-improvement-to-utf8s_to_ut.patch
 
-+ bugfix/all/hugetlb-fix-race-condition-in-hugetlb_fault.patch
-+ bugfix/ia64/IA64-Fix-futex_atomic_cmpxchg_inatomic.patch
 + features/all/rt2x00-Identify-rt2800usb-chipsets.patch