pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

page_count is copied from userspace.  agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case.  Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

agd5f: fix commit message.
Signed-off-by: Cedric Cano <ccano@interfaceconcept.com>
Reviewed-by: Michel Dänzer <michel@daenzer.net>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Prefer min m to max p only on pre-r7xx asics.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=36197Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

* 'nouveau/drm-nouveau-fixes' of /ssd/git/drm-nouveau-next:
  drm/nouveau: fix allocation of notifier object
  drm/nouveau: fix notifier memory corruption bug
  drm/nouveau: fix pinning of notifier block
  drm/nouveau: populate ttm_alloced with false, when it's not
  drm/nouveau: fix nv30 pcie boards
  drm/nouveau: split ramin_lock into two locks, one hardirq safe

Commit 73412c38 ("drm/nouveau: allocate
kernel's notifier object at end of block") intended to align end of
notifier block to page boundary, but start of block was miscalculated
to be off by -16 bytes. Fix it.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

nouveau_bo_wr32 expects offset to be in words, but we pass value in bytes,
so after commit 73412c38 ("drm/nouveau: allocate
kernel's notifier object at end of block") we started to overwrite some memory
after notifier buffer object (previously m2mf_ntfy was always 0, so it didn't
matter it was a value in bytes).
Reported-by: Dominik Brodowski <linux@dominikbrodowski.net>
Reported-by: Nigel Cunningham <lkml@nigelcunningham.com.au>
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: Pekka Paalanen <pq@iki.fi>
Cc: stable@kernel.org    [2.6.38]
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

Problem introduced with commit 6ba9a683Reported-by: Bob Gleitsmann <rjgleits@bellsouth.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

Caught with kmemcheck on unrelated business.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

Wasn't aware they even existed, apparently they do!  They're actually
AGP chips with a bridge as far as I can tell, which puts them in the
same boat as nv40/nv45.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

Fixes a possible lock ordering reversal between context_switch_lock
and ramin_lock.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Reviewed-by: Francisco Jerez <currojerez@riseup.net>

This patch fixes two issues:
- A disabled crtc does not use any lb, so return 0 for
lb size.  This makes the display priority calculation
more exact.
- Only use 1/2 and whole lb partitions. Using smaller
partitions can cause underflow to one of the displays
if you have multiple large displays on the same lb.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=34534Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Sometimes the i2c test in i2c_bit_add_bus fails
if this happens we fail to register the i2c adapter and
eventually fail to add the connector.  If i2c fails,
add the connector to the user can at least force
it on.

Note that some distros set i2c-algo-bit.bit_test to 1 by
default which sometimes fails preventing the ddc i2c adapter
from being added.  The i2c adapter works even if the bit test
fails, probably due to pre/post_xfer not getting called in
the test_bit function.  I have another patch to follow
up on that.

See:
https://bugs.freedesktop.org/show_bug.cgi?id=36221Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Noticed by Patrick Lowry.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

This reverts commit 0a0883c8.

this was in my tree by accident, I meant to rebase it out and
didn't realise in time.
Signed-off-by: Dave Airlie <airlied@redhat.com>

This reverts commit 69a07f0b.

We've tracked a number of problems back to this, and Thomas
thinks we should redesign this for .40/41 anyways so I'm
happy to revert it.
Signed-off-by: Dave Airlie <airlied@redhat.com>

fix Kconfig warning:

(DRM_I915 && STUB_POULSBO) selects ACPI_VIDEO which has unmet direct dependencies
(ACPI && X86 && BACKLIGHT_CLASS_DEVICE && VIDEO_OUTPUT_CONTROL && INPUT)
Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Change vddci as well as vddc when changing power modes
on evergreen/ni.  Also, properly set vddci on boot up
for ni cards.  The vbios only sets the limited clocks
and voltages on boot until the mc ucode is loaded.  This
should fix stability problems on some btc cards.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

This is needed for setting voltages other than vddc.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

btc and cayman asics use the same callback for
pcie port registers.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Apparently only rv515 asics need the workaround
added in f24d86f1
(drm/radeon/kms: fix resume regression for some r5xx laptops).

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=34709Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

As per Konrad's original patch, the dummy page used
by the gart code and allocated in radeon_gart_init()
was not freed properly in radeon_gart_fini().

At the same time r6xx and newer allocated and freed the
dummy page on their own.  So to do Konrad's patch one
better, just remove the allocation and freeing of the
dummy page in the r6xx, 7xx, evergreen, and ni code and
allocate and free in the gart_init/fini() functions for
all asics.

Cc: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

* 'nouveau/drm-nouveau-fixes' of /ssd/git/drm-nouveau-next:
  drm/nvc0: improve vm flush function
  drm/nv50-nvc0: remove some code that doesn't belong here
  drm/nv50: use "nv86" tlb flush method on everything except 0x50/0xac
  drm/nouveau: quirk for XFX GT-240X-YA
  drm/nv50-nvc0: work around an evo channel hang that some people see
  drm/nouveau: implement init table opcode 0x5c
  drm/nouveau: fix oops on unload with disabled LVDS panel
  nv30: Fix parsing of perf table
  drm/nouveau: correct memtiming table parsing for nv4x

Switch some errors to debug output.  These are generally harmless
and tend to confuse users.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Prefer minm over maxp.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=35994Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

Signed-off-by: Michel Dänzer <daenzer@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

This is necessary even with PCI(e) GART, and it makes writeback work even with
AGP on my PowerBook. Might still be unreliable with older revisions of UniNorth
and other AGP bridges though.
Signed-off-by: Michel Dänzer <daenzer@vmware.com>
Reviewed-by: Alex Deucher <alex.deucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

This has always used a big hammer, but that hammer is probably
too big, I'm also not sure its necessary but at least this
should be safe.

Should fix: https://bugzilla.kernel.org/show_bug.cgi?id=23592Signed-off-by: Dave Airlie <airlied@redhat.com>

* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
  NFS: Change initial mount authflavor only when server returns NFS4ERR_WRONGSEC
  NFS: Fix a signed vs. unsigned secinfo bug
  Revert "net/sunrpc: Use static const char arrays"

Fix erroneous syscall kernel-doc comments in kernel/signal.c.
Reported-by: Matt Fleming <matt@console-pimps.org>
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
  [S390] compile fix for latest binutils
  [S390] cio: prevent purging of CCW devices in the online state
  [S390] qdio: fix init sequence
  [S390] Fix parameter passing for smp_switch_to_cpu()
  [S390] oprofile s390: prevent stack corruption

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6:
  quota: Don't write quota info in dquot_commit()
  ext3: Fix writepage credits computation for ordered mode

* git://git.kernel.org/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog:
  watchdog: mpc8xxx_wdt: fix build

Since 1c48a5c9 (dt: Eliminate of_platform_{,un}register_driver)
mpc8xxx_wdt no longer builds as it tries to refer to a 'match' variable
rather than ofdev->dev.of_match that it checks just before.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>

When attempting an initial mount, we should only attempt other
authflavors if AUTH_UNIX receives a NFS4ERR_WRONGSEC error.
This allows other errors to be passed back to userspace programs.
Signed-off-by: Bryan Schumaker <bjschuma@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

Merge branch 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-2.6

* 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-2.6:
  efifb: Add override for 11" Macbook Air 3,1
  efifb: Support overriding fields FW tells us with the DMI data.
  fb: Reduce priority of resource conflict message
  savagefb: Remove obsolete else clause in savage_setup_i2c_bus
  savagefb: Set up I2C based on chip family instead of card id
  savagefb: Replace magic register address with define
  drivers/video/bfin-lq035q1-fb.c: introduce missing kfree
  video: s3c-fb: fix checkpatch errors and warning
  efifb: support AMD Radeon HD 6490
  s3fb: fix Virge/GX2
  fbcon: Remove unused 'display *p' variable from fb_flashcursor()
  fbdev: sh_mobile_lcdcfb: fix module lock acquisition
  fbdev: sh_mobile_lcdcfb: add blanking support
  viafb: initialize margins correct
  viafb: refresh rate bug collection
  sh: mach-ap325rxa: move backlight control code
  sh: mach-ecovec24: support for main lcd backlight

Merge branch 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6

* 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  ARM: arch-shmobile: only run FSI init on respective boards
  ARM: arch-shmobile: only run HDMI init on respective boards
  ARM: mach-shmobile: Correctly check for CONFIG_MACH_MACKEREL

* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: select ARCH_NO_SYSDEV_OPS.
  sh: fix build error in board-sh7757lcr.c
  sh: landisk: Remove whitespace
  sh: landisk: Remove mv_nr_irqs
  sh: sh-sci: Fix double initialization by serial_console_setup
  serial: sh-sci: prevent setup of uninitialized serial console
  dma: shdma: add checking the DMAOR_AE in sh_dmae_err

Merge branches 'x86-fixes-for-linus', 'sched-fixes-for-linus', 'timers-fixes-for-linus', 'irq-fixes-for-linus' and 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86-32, fpu: Fix FPU exception handling on non-SSE systems
  x86, hibernate: Initialize mmu_cr4_features during boot
  x86-32, NUMA: Fix ACPI NUMA init broken by recent x86-64 change
  x86: visws: Fixup irq overhaul fallout

* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  sched: Clean up rebalance_domains() load-balance interval calculation

* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86/mrst/vrtc: Fix boot crash in mrst_rtc_init()
  rtc, x86/mrst/vrtc: Fix boot crash in rtc_read_alarm()

* 'irq-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  genirq: Fix cpumask leak in __setup_irq()

* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  perf probe: Fix listing incorrect line number with inline function
  perf probe: Fix to find recursively inlined function
  perf probe: Fix multiple --vars options behavior
  perf probe: Fix to remove redundant close
  perf probe: Fix to ensure function declared file

* 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6: (28 commits)
  staging: usbip: bugfix for isochronous packets and optimization
  staging: usbip: bugfix add number of packets for isochronous frames
  staging: usbip: bugfixes related to kthread conversion
  staging: usbip: fix shutdown problems.
  staging: hv: Fix GARP not sent after Quick Migration
  staging: IIO: IMU: ADIS16400: Avoid using printk facility directly
  staging: IIO: IMU: ADIS16400: Fix product ID check, skip embedded revision number
  staging: IIO: IMU: ADIS16400: Make sure only enabled scan_elements are pushed into the ring
  staging: IIO: IMU: ADIS16400: Fix addresses of GYRO and ACCEL calibration offset
  staging: IIO: IMU: ADIS16400: Add delay after self test
  staging: IIO: IMU: ADIS16400: Fix up SPI messages cs_change behavior
  staging/rtl81*: build as loadable modules only
  staging: brcm80211: removed 'is_amsdu causing toss' log spam
  staging: brcm80211: fix for 'Short CCK' log spam
  staging: brcm80211: fix for 'AC_BE txop..' logs spammed problem
  staging: memrar: remove driver from tree
  staging: sep: remove last memrar remnants
  staging: fix hv_mouse build, needs delay.h
  staging: fix olpc_dcon build errors
  staging: sm7xx: fixed defines
  ...

Fix up trivial conflict in drivers/staging/memrar/memrar_handler.c
(deleted vs trivial spelling fixes)