Merge branch 'f12/master' into f12/user/myoung/xendom0

Conflicts:
	kernel.spec

18 files changed, 42 insertions, 893 deletions

diff --git a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch b/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
deleted file mode 100644
index 2053e03..0000000
--- a/01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-From f45716729488bd8263b06e7d672c8ff8f2ded8b7 Mon Sep 17 00:00:00 2001
-From: H. Peter Anvin <hpa@linux.intel.com>
-Date: Tue, 7 Sep 2010 16:16:18 -0700
-Subject: [PATCH 1/4] compat: Make compat_alloc_user_space() incorporate the access_ok()
-
-compat_alloc_user_space() expects the caller to independently call
-access_ok() to verify the returned area.  A missing call could
-introduce problems on some architectures.
-
-This patch incorporates the access_ok() check into
-compat_alloc_user_space() and also adds a sanity check on the length.
-The existing compat_alloc_user_space() implementations are renamed
-arch_compat_alloc_user_space() and are used as part of the
-implementation of the new global function.
-
-This patch assumes NULL will cause __get_user()/__put_user() to either
-fail or access userspace on all architectures.  This should be
-followed by checking the return value of compat_access_user_space()
-for NULL in the callers, at which time the access_ok() in the callers
-can also be removed.
-
-Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-Acked-by: Chris Metcalf <cmetcalf@tilera.com>
-Acked-by: David S. Miller <davem@davemloft.net>
-Acked-by: Ingo Molnar <mingo@elte.hu>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Tony Luck <tony.luck@intel.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Fenghua Yu <fenghua.yu@intel.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
-Cc: Helge Deller <deller@gmx.de>
-Cc: James Bottomley <jejb@parisc-linux.org>
-Cc: Kyle McMartin <kyle@mcmartin.ca>
-Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Cc: Paul Mackerras <paulus@samba.org>
-Cc: Ralf Baechle <ralf@linux-mips.org>
-Cc: <stable@kernel.org>
----
-
- [ edited to fix build on 2.6.32 ]
-
- arch/ia64/include/asm/compat.h    |    2 +-
- arch/mips/include/asm/compat.h    |    2 +-
- arch/parisc/include/asm/compat.h  |    2 +-
- arch/powerpc/include/asm/compat.h |    2 +-
- arch/s390/include/asm/compat.h    |    2 +-
- arch/sparc/include/asm/compat.h   |    2 +-
- arch/x86/include/asm/compat.h     |    2 +-
- include/linux/compat.h            |    2 ++
- kernel/compat.c                   |   22 +++++++++++++++++++++
- 9 files changed, 30 insertions(+), 7 deletions(-)
-
-diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h
-index dfcf75b..c8662cd 100644
---- a/arch/ia64/include/asm/compat.h
-+++ b/arch/ia64/include/asm/compat.h
-@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr)
- }
- 
- static __inline__ void __user *
--compat_alloc_user_space (long len)
-+arch_compat_alloc_user_space (long len)
- {
- 	struct pt_regs *regs = task_pt_regs(current);
- 	return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
-diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h
-index f58aed3..27505bd 100644
---- a/arch/mips/include/asm/compat.h
-+++ b/arch/mips/include/asm/compat.h
-@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
- 	return (u32)(unsigned long)uptr;
- }
- 
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
- 	struct pt_regs *regs = (struct pt_regs *)
- 		((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
-diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h
-index 7f32611..7c77fa9 100644
---- a/arch/parisc/include/asm/compat.h
-+++ b/arch/parisc/include/asm/compat.h
-@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
- 	return (u32)(unsigned long)uptr;
- }
- 
--static __inline__ void __user *compat_alloc_user_space(long len)
-+static __inline__ void __user *arch_compat_alloc_user_space(long len)
- {
- 	struct pt_regs *regs = &current->thread.regs;
- 	return (void __user *)regs->gr[30];
-diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h
-index 4774c2f..8d0fff3 100644
---- a/arch/powerpc/include/asm/compat.h
-+++ b/arch/powerpc/include/asm/compat.h
-@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
- 	return (u32)(unsigned long)uptr;
- }
- 
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
- 	struct pt_regs *regs = current->thread.regs;
- 	unsigned long usp = regs->gpr[1];
-diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
-index 01a0802..0c940d3 100644
---- a/arch/s390/include/asm/compat.h
-+++ b/arch/s390/include/asm/compat.h
-@@ -180,7 +180,7 @@ static inline int is_compat_task(void)
- 
- #endif
- 
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
- 	unsigned long stack;
- 
-diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h
-index 0e70625..612bb38 100644
---- a/arch/sparc/include/asm/compat.h
-+++ b/arch/sparc/include/asm/compat.h
-@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
- 	return (u32)(unsigned long)uptr;
- }
- 
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
- 	struct pt_regs *regs = current_thread_info()->kregs;
- 	unsigned long usp = regs->u_regs[UREG_I6];
-diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
-index 9a9c7bd..c8c9a74 100644
---- a/arch/x86/include/asm/compat.h
-+++ b/arch/x86/include/asm/compat.h
-@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
- 	return (u32)(unsigned long)uptr;
- }
- 
--static inline void __user *compat_alloc_user_space(long len)
-+static inline void __user *arch_compat_alloc_user_space(long len)
- {
- 	struct pt_regs *regs = task_pt_regs(current);
- 	return (void __user *)regs->sp - len;
-diff --git a/include/linux/compat.h b/include/linux/compat.h
-index af931ee..cab23f2 100644
---- a/include/linux/compat.h
-+++ b/include/linux/compat.h
-@@ -309,5 +309,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename,
- asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename,
- 				  int flags, int mode);
- 
-+extern void __user *compat_alloc_user_space(unsigned long len);
-+
- #endif /* CONFIG_COMPAT */
- #endif /* _LINUX_COMPAT_H */
-diff a/kernel/compat.c b/kernel/compat.c
---- a/kernel/compat.c
-+++ b/kernel/compat.c
-@@ -13,6 +13,7 @@
- 
- #include <linux/linkage.h>
- #include <linux/compat.h>
-+#include <linux/module.h>
- #include <linux/errno.h>
- #include <linux/time.h>
- #include <linux/signal.h>
-@@ -1137,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
- 
- 	return 0;
- }
-+
-+/*
-+ * Allocate user-space memory for the duration of a single system call,
-+ * in order to marshall parameters inside a compat thunk.
-+ */
-+void __user *compat_alloc_user_space(unsigned long len)
-+{
-+	void __user *ptr;
-+
-+	/* If len would occupy more than half of the entire compat space... */
-+	if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
-+		return NULL;
-+
-+	ptr = arch_compat_alloc_user_space(len);
-+
-+	if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
-+		return NULL;
-+
-+	return ptr;
-+}
-+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
--- 
-1.7.2.3
-
diff --git a/02-compat-test-rax-for-the-system-call-number-not-eax.patch b/02-compat-test-rax-for-the-system-call-number-not-eax.patch
deleted file mode 100644
index 8fd7490..0000000
--- a/02-compat-test-rax-for-the-system-call-number-not-eax.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From aaeacea2992c28f1d355ff7cd4c4754131bdd831 Mon Sep 17 00:00:00 2001
-From: H. Peter Anvin <hpa@linux.intel.com>
-Date: Tue, 14 Sep 2010 12:42:41 -0700
-Subject: [PATCH 2/4] x86-64, compat: Test %rax for the syscall number, not %eax
-
-On 64 bits, we always, by necessity, jump through the system call
-table via %rax.  For 32-bit system calls, in theory the system call
-number is stored in %eax, and the code was testing %eax for a valid
-system call number.  At one point we loaded the stored value back from
-the stack to enforce zero-extension, but that was removed in checkin
-d4d67150165df8bf1cc05e532f6efca96f907cab.  An actual 32-bit process
-will not be able to introduce a non-zero-extended number, but it can
-happen via ptrace.
-
-Instead of re-introducing the zero-extension, test what we are
-actually going to use, i.e. %rax.  This only adds a handful of REX
-prefixes to the code.
-
-Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
-Cc: <stable@kernel.org>
-Cc: Roland McGrath <roland@redhat.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
----
- arch/x86/ia32/ia32entry.S |   14 +++++++-------
- 1 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 5294d84..7f9eb54 100644
---- a/arch/x86/ia32/ia32entry.S
-+++ b/arch/x86/ia32/ia32entry.S
-@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
- 	testl  $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
- 	CFI_REMEMBER_STATE
- 	jnz  sysenter_tracesys
--	cmpl	$(IA32_NR_syscalls-1),%eax
-+	cmpq	$(IA32_NR_syscalls-1),%rax
- 	ja	ia32_badsys
- sysenter_do_call:
- 	IA32_ARG_FIXUP
-@@ -195,7 +195,7 @@ sysexit_from_sys_call:
- 	movl $AUDIT_ARCH_I386,%edi	/* 1st arg: audit arch */
- 	call audit_syscall_entry
- 	movl RAX-ARGOFFSET(%rsp),%eax	/* reload syscall number */
--	cmpl $(IA32_NR_syscalls-1),%eax
-+	cmpq $(IA32_NR_syscalls-1),%rax
- 	ja ia32_badsys
- 	movl %ebx,%edi			/* reload 1st syscall arg */
- 	movl RCX-ARGOFFSET(%rsp),%esi	/* reload 2nd syscall arg */
-@@ -248,7 +248,7 @@ sysenter_tracesys:
- 	call	syscall_trace_enter
- 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
- 	RESTORE_REST
--	cmpl	$(IA32_NR_syscalls-1),%eax
-+	cmpq	$(IA32_NR_syscalls-1),%rax
- 	ja	int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
- 	jmp	sysenter_do_call
- 	CFI_ENDPROC
-@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
- 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
- 	CFI_REMEMBER_STATE
- 	jnz   cstar_tracesys
--	cmpl $IA32_NR_syscalls-1,%eax
-+	cmpq $IA32_NR_syscalls-1,%rax
- 	ja  ia32_badsys
- cstar_do_call:
- 	IA32_ARG_FIXUP 1
-@@ -367,7 +367,7 @@ cstar_tracesys:
- 	LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
- 	RESTORE_REST
- 	xchgl %ebp,%r9d
--	cmpl $(IA32_NR_syscalls-1),%eax
-+	cmpq $(IA32_NR_syscalls-1),%rax
- 	ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
- 	jmp cstar_do_call
- END(ia32_cstar_target)
-@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
- 	orl   $TS_COMPAT,TI_status(%r10)
- 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
- 	jnz ia32_tracesys
--	cmpl $(IA32_NR_syscalls-1),%eax
-+	cmpq $(IA32_NR_syscalls-1),%rax
- 	ja ia32_badsys
- ia32_do_call:
- 	IA32_ARG_FIXUP
-@@ -444,7 +444,7 @@ ia32_tracesys:
- 	call syscall_trace_enter
- 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
- 	RESTORE_REST
--	cmpl $(IA32_NR_syscalls-1),%eax
-+	cmpq $(IA32_NR_syscalls-1),%rax
- 	ja  int_ret_from_sys_call	/* ia32_tracesys has set RAX(%rsp) */
- 	jmp ia32_do_call
- END(ia32_syscall)
--- 
-1.7.2.3
-
diff --git a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch b/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
deleted file mode 100644
index 96c269b..0000000
--- a/03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1fa16daaa76d1b132c8fee027c11bad5a5d25761 Mon Sep 17 00:00:00 2001
-From: Roland McGrath <roland@redhat.com>
-Date: Tue, 14 Sep 2010 12:22:58 -0700
-Subject: [PATCH 3/4] x86-64, compat: Retruncate rax after ia32 syscall entry tracing
-
-In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
-32-bit tracee in system call entry.  A %rax value set via ptrace at the
-entry tracing stop gets used whole as a 32-bit syscall number, while we
-only check the low 32 bits for validity.
-
-Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
-in addition to testing the full 64 bits as has already been added.
-
-Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
-Signed-off-by: Roland McGrath <roland@redhat.com>
-Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
----
- arch/x86/ia32/ia32entry.S |    8 +++++++-
- 1 files changed, 7 insertions(+), 1 deletions(-)
-
-diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 7f9eb54..4edd8eb 100644
---- a/arch/x86/ia32/ia32entry.S
-+++ b/arch/x86/ia32/ia32entry.S
-@@ -50,7 +50,12 @@
- 	/*
- 	 * Reload arg registers from stack in case ptrace changed them.
- 	 * We don't reload %eax because syscall_trace_enter() returned
--	 * the value it wants us to use in the table lookup.
-+	 * the %rax value we should see.  Instead, we just truncate that
-+	 * value to 32 bits again as we did on entry from user mode.
-+	 * If it's a new value set by user_regset during entry tracing,
-+	 * this matches the normal truncation of the user-mode value.
-+	 * If it's -1 to make us punt the syscall, then (u32)-1 is still
-+	 * an appropriately invalid value.
- 	 */
- 	.macro LOAD_ARGS32 offset, _r9=0
- 	.if \_r9
-@@ -60,6 +65,7 @@
- 	movl \offset+48(%rsp),%edx
- 	movl \offset+56(%rsp),%esi
- 	movl \offset+64(%rsp),%edi
-+	movl %eax,%eax			/* zero extension */
- 	.endm
- 	
- 	.macro CFI_STARTPROC32 simple
--- 
-1.7.2.3
-
diff --git a/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/aio-check-for-multiplication-overflow-in-do_io_submit.patch
deleted file mode 100644
index 8706792..0000000
--- a/aio-check-for-multiplication-overflow-in-do_io_submit.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
-From: Jeff Moyer <jmoyer@redhat.com>
-Date: Fri, 10 Sep 2010 14:16:00 -0700
-Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Tavis Ormandy pointed out that do_io_submit does not do proper bounds
-checking on the passed-in iocb array:
-
-       if (unlikely(nr < 0))
-               return -EINVAL;
-
-       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
-               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
-
-The attached patch checks for overflow, and if it is detected, the
-number of iocbs submitted is scaled down to a number that will fit in
-the long.  This is an ok thing to do, as sys_io_submit is documented as
-returning the number of iocbs submitted, so callers should handle a
-return value of less than the 'nr' argument passed in.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- fs/aio.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 02a2c93..b84a769 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
- 	if (unlikely(nr < 0))
- 		return -EINVAL;
- 
-+	if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
-+		nr = LONG_MAX/sizeof(*iocbpp);
-+
- 	if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
- 		return -EFAULT;
- 
--- 
-1.7.2.3
-
diff --git a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
deleted file mode 100644
index 73e65ec..0000000
--- a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Takashi Iwai <tiwai@suse.de>
-Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
-Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
-
-ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
-
-The error handling in snd_seq_oss_open() has several bad codes that
-do dereferecing released pointers and double-free of kmalloc'ed data.
-The object dp is release in free_devinfo() that is called via
-private_free callback.  The rest shouldn't touch this object any more.
-
-The patch changes delete_port() to call kfree() in any case, and gets
-rid of unnecessary calls of destructors in snd_seq_oss_open().
-
-Fixes CVE-2010-3080.
-
-Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Cc: <stable@kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
-
-diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
-index 6857122..69cd7b3 100644
---- a/sound/core/seq/oss/seq_oss_init.c
-+++ b/sound/core/seq/oss/seq_oss_init.c
-@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
- 	return 0;
- 
-  _error:
--	snd_seq_oss_writeq_delete(dp->writeq);
--	snd_seq_oss_readq_delete(dp->readq);
- 	snd_seq_oss_synth_cleanup(dp);
- 	snd_seq_oss_midi_cleanup(dp);
--	delete_port(dp);
- 	delete_seq_queue(dp->queue);
--	kfree(dp);
-+	delete_port(dp);
- 
- 	return rc;
- }
-@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
- static int
- delete_port(struct seq_oss_devinfo *dp)
- {
--	if (dp->port < 0)
-+	if (dp->port < 0) {
-+		kfree(dp);
- 		return 0;
-+	}
- 
- 	debug_printk(("delete_port %i\n", dp->port));
- 	return snd_seq_event_port_detach(dp->cseq, dp->port);
diff --git a/drm-upgrayedd.patch b/drm-upgrayedd.patch
index 08f039b..2530bec 100644
--- a/drm-upgrayedd.patch
+++ b/drm-upgrayedd.patch
@@ -10283,7 +10283,7 @@ index 601415d..b27202d 100644
 +	dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base;
 +
  	intel_crtc->cursor_addr = 0;
- 	intel_crtc->dpms_mode = DRM_MODE_DPMS_OFF;
+ 	intel_crtc->dpms_mode = -1;
  	drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs);
 @@ -4036,7 +4382,7 @@ static void intel_setup_outputs(struct drm_device *dev)
  	if (IS_MOBILE(dev) && !IS_I830(dev))
diff --git a/hid-01-usbhid-initialize-interface-pointers-early-enough.patch b/hid-01-usbhid-initialize-interface-pointers-early-enough.patch
deleted file mode 100644
index d522b3f..0000000
--- a/hid-01-usbhid-initialize-interface-pointers-early-enough.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-commit 57ab12e418ec4fe24c11788bb1bbdabb29d05679
-Author: Jiri Kosina <jkosina at suse.cz>
-Date:   Wed Feb 17 14:25:01 2010 +0100
-
-    HID: usbhid: initialize interface pointers early enough
-    
-    Move the initialization of USB interface pointers from _start()
-    over to _probe() callback, which is where it belongs.
-    
-    This fixes case where interface is NULL when parsing of report
-    descriptor fails.
-    
-    LKML-Reference: <20100213135720.603e5f64 at neptune.home>
-    Reported-by: Alan Stern <stern at rowland.harvard.edu>
-    Tested-by: Bruno Prémont <bonbons at linux-vserver.org>
-    Signed-off-by: Jiri Kosina <jkosina at suse.cz>
-
-diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
-index 74bd3ca..ceaf4a1 100644
---- a/drivers/hid/usbhid/hid-core.c
-+++ b/drivers/hid/usbhid/hid-core.c
-@@ -1005,9 +1005,6 @@ static int usbhid_start(struct hid_device *hid)
- 
- 	spin_lock_init(&usbhid->lock);
- 
--	usbhid->intf = intf;
--	usbhid->ifnum = interface->desc.bInterfaceNumber;
--
- 	usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
- 	if (!usbhid->urbctrl) {
- 		ret = -ENOMEM;
-@@ -1178,6 +1175,8 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
- 
- 	hid->driver_data = usbhid;
- 	usbhid->hid = hid;
-+	usbhid->intf = intf;
-+	usbhid->ifnum = interface->desc.bInterfaceNumber;
- 
- 	ret = hid_add_device(hid);
- 	if (ret) {
diff --git a/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch b/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
deleted file mode 100644
index bbd3880..0000000
--- a/hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-commit fde4e2f73208b8f34f123791e39c0cb6bc74b32a
-Author: Alan Stern <stern at rowland.harvard.edu>
-Date:   Fri May 7 10:41:10 2010 -0400
-
-    HID: fix suspend crash by moving initializations earlier
-    
-    Although the usbhid driver allocates its usbhid structure in the probe
-    routine, several critical fields in that structure don't get
-    initialized until usbhid_start().  However if report descriptor
-    parsing fails then usbhid_start() is never called.  This leads to
-    problems during system suspend -- the system will freeze.
-    
-    This patch (as1378) fixes the bug by moving the initialization
-    statements up into usbhid_probe().
-    
-    Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
-    Reported-by: Bruno Prémont <bonbons at linux-vserver.org>
-    Tested-By: Bruno Prémont <bonbons at linux-vserver.org>
-    Signed-off-by: Jiri Kosina <jkosina at suse.cz>
-
-diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
-index 56d06cd..7b85b69 100644
---- a/drivers/hid/usbhid/hid-core.c
-+++ b/drivers/hid/usbhid/hid-core.c
-@@ -999,13 +999,6 @@ static int usbhid_start(struct hid_device *hid)
- 		}
- 	}
- 
--	init_waitqueue_head(&usbhid->wait);
--	INIT_WORK(&usbhid->reset_work, hid_reset);
--	INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
--	setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
--
--	spin_lock_init(&usbhid->lock);
--
- 	usbhid->urbctrl = usb_alloc_urb(0, GFP_KERNEL);
- 	if (!usbhid->urbctrl) {
- 		ret = -ENOMEM;
-@@ -1179,6 +1172,12 @@ static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *
- 	usbhid->intf = intf;
- 	usbhid->ifnum = interface->desc.bInterfaceNumber;
- 
-+	init_waitqueue_head(&usbhid->wait);
-+	INIT_WORK(&usbhid->reset_work, hid_reset);
-+	INIT_WORK(&usbhid->restart_work, __usbhid_restart_queues);
-+	setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
-+	spin_lock_init(&usbhid->lock);
-+
- 	ret = hid_add_device(hid);
- 	if (ret) {
- 		if (ret != -ENODEV)
-
-
diff --git a/inotify-fix-inotify-oneshot-support.patch b/inotify-fix-inotify-oneshot-support.patch
deleted file mode 100644
index ba63e10..0000000
--- a/inotify-fix-inotify-oneshot-support.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-#607327
-
-During the large inotify rewrite to fsnotify I completely dropped support
-for IN_ONESHOT.  Reimplement that support.
-
-Signed-off-by: Eric Paris <eparis@redhat.com>
----
-
- fs/notify/inotify/inotify_fsnotify.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
-index daa666a..388a150 100644
---- a/fs/notify/inotify/inotify_fsnotify.c
-+++ b/fs/notify/inotify/inotify_fsnotify.c
-@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
- 			ret = 0;
- 	}
- 
-+	if (entry->mask & IN_ONESHOT)
-+		fsnotify_destroy_mark_by_entry(entry);
-+
- 	/*
- 	 * If we hold the entry until after the event is on the queue
- 	 * IN_IGNORED won't be able to pass this event in the queue
diff --git a/inotify-send-IN_UNMOUNT-events.patch b/inotify-send-IN_UNMOUNT-events.patch
deleted file mode 100644
index cf1d4c4..0000000
--- a/inotify-send-IN_UNMOUNT-events.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-#607327 ?
-
-Since the .31 or so notify rewrite inotify has not sent events about
-inodes which are unmounted.  This patch restores those events.
-
-Signed-off-by: Eric Paris <eparis@redhat.com>
----
-
- fs/notify/inotify/inotify_user.c |    7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
-index 44aeb0f..f381daf 100644
---- a/fs/notify/inotify/inotify_user.c
-+++ b/fs/notify/inotify/inotify_user.c
-@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
- {
- 	__u32 mask;
- 
--	/* everything should accept their own ignored and cares about children */
--	mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
-+	/*
-+	 * everything should accept their own ignored, cares about children,
-+	 * and should receive events when the inode is unmounted
-+	 */
-+	mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
- 
- 	/* mask off the flags used to open the fd */
- 	mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
diff --git a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
deleted file mode 100644
index a36f8af..0000000
--- a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: David S. Miller <davem@davemloft.net>
-Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
-Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
-
-irda: Correctly clean up self->ias_obj on irda_bind() failure.
-
-If irda_open_tsap() fails, the irda_bind() code tries to destroy
-the ->ias_obj object by hand, but does so wrongly.
-
-In particular, it fails to a) release the hashbin attached to the
-object and b) reset the self->ias_obj pointer to NULL.
-
-Fix both problems by using irias_delete_object() and explicitly
-setting self->ias_obj to NULL, just as irda_release() does.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-
-diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
-index 79986a6..fd55b51 100644
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
- 
- 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
- 	if (err < 0) {
--		kfree(self->ias_obj->name);
--		kfree(self->ias_obj);
-+		irias_delete_object(self->ias_obj);
-+		self->ias_obj = NULL;
- 		return err;
- 	}
- 
diff --git a/kernel.spec b/kernel.spec
index 14a5272..f8178e0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 168
+%global baserelease 170
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -60,7 +60,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 21
+%define stable_update 23
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -640,11 +640,6 @@ Patch21: linux-2.6-tracehook.patch
 Patch22: linux-2.6-utrace.patch
 Patch23: linux-2.6-utrace-ptrace.patch
 
-Patch100: 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
-Patch101: 02-compat-test-rax-for-the-system-call-number-not-eax.patch
-Patch102: 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
-Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
-
 Patch141: linux-2.6-ps3-storage-alias.patch
 Patch143: linux-2.6-g5-therm-shutdown.patch
 Patch144: linux-2.6-vio-modalias.patch
@@ -783,7 +778,6 @@ Patch11010: via-hwmon-temp-sensor.patch
 
 # patches headed upstream
 Patch12010: linux-2.6-dell-laptop-rfkill-fix.patch
-Patch12011: linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
 Patch12013: linux-2.6-rfkill-all.patch
 Patch12020: linux-2.6-cantiga-iommu-gfx.patch
 
@@ -834,19 +828,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch
 # l2tp: fix oops in pppol2tp_xmit (#607054)
 Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch
 
-Patch14020: inotify-fix-inotify-oneshot-support.patch
-Patch14030: inotify-send-IN_UNMOUNT-events.patch
-
 Patch14050: crypto-add-async-hash-testing.patch
 
 # Red Hat Bugzilla #610911
 Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 
-Patch14140: hid-01-usbhid-initialize-interface-pointers-early-enough.patch
-Patch14141: hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
-
-Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
-
 Patch14200: net-do-not-check-capable-if-kernel.patch
 
 # Mitigate DOS with large argument lists
@@ -854,13 +840,7 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
 Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
 Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
 
-# CVE-2010-3080
-Patch14220: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
-# CVE-2010-2960
-Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
-Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
-# CVE-2010-3079
-Patch14240: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+Patch14220: xen-fix-typo-in-xen-irq-fix.patch
 
 Patch19997: xen.pvops.pre.patch
 Patch19998: xen.pvops.patch
@@ -1306,11 +1286,6 @@ ApplyPatch linux-2.6-utrace-ptrace.patch
 ApplyPatch via-hwmon-temp-sensor.patch
 ApplyPatch linux-2.6-dell-laptop-rfkill-fix.patch
 
-ApplyPatch 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
-ApplyPatch 02-compat-test-rax-for-the-system-call-number-not-eax.patch
-ApplyPatch 03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
-
-
 #
 # Intel IOMMU
 #
@@ -1344,7 +1319,6 @@ ApplyPatch linux-2.6-execshield.patch
 #
 # bugfixes to drivers and filesystems
 #
-ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
 
 # ext4
 
@@ -1475,9 +1449,6 @@ ApplyPatch crystalhd-2.6.34-staging.patch
 
 # Assorted Virt Fixes
 
-# Fix block I/O errors in KVM
-#ApplyPatch linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
-
 ApplyPatch linux-2.6-e1000-ich9.patch
 
 ApplyPatch linux-2.6-phylib-autoload.patch
@@ -1566,22 +1537,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
 # l2tp: fix oops in pppol2tp_xmit (#607054)
 ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch
 
-# fix broken oneshot support and missing umount events (F13#607327)
-ApplyPatch inotify-fix-inotify-oneshot-support.patch
-ApplyPatch inotify-send-IN_UNMOUNT-events.patch
-
 # add tests for crypto async hashing (#571577)
 ApplyPatch crypto-add-async-hash-testing.patch
 
 ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
 
-# RHBZ #592785
-ApplyPatch hid-01-usbhid-initialize-interface-pointers-early-enough.patch
-ApplyPatch hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
-
-# CVE-2010-2954
-ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
-
 # rhbz #598796
 ApplyPatch net-do-not-check-capable-if-kernel.patch
 
@@ -1590,13 +1550,8 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
 ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
 ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
 
-# CVE-2010-3080
-ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
-# CVE-2010-2960
-ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
-ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
-# CVE-2010-3079
-ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+# Fix typo in Xen patch from 2.6.22 that causes hang on boot.
+ApplyPatch xen-fix-typo-in-xen-irq-fix.patch
 
 ApplyPatch xen.pvops.pre.patch
 ApplyPatch xen.pvops.patch
@@ -2254,6 +2209,28 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Mon Sep 27 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.23-170
+- Linux 2.6.32.23
+- Drop merged patches:
+  aio-check-for-multiplication-overflow-in-do_io_submit.patch
+  inotify-fix-inotify-oneshot-support.patch
+  inotify-send-IN_UNMOUNT-events.patch
+  irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+  keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+  keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+- Fix typo in Xen patch from 2.6.32.22.
+
+* Mon Sep 20 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.22-169
+- Linux 2.6.32.22
+- Drop merged patches:
+  01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
+  02-compat-test-rax-for-the-system-call-number-not-eax.patch
+  03-compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
+  hid-01-usbhid-initialize-interface-pointers-early-enough.patch
+  hid-02-fix-suspend-crash-by-moving-initializations-earlier.patch
+  alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
+  tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+
 * Mon Sep 20 2010 Michael Young <m.a.young@durham.ac.uk>
 - update pvops
 
diff --git a/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch b/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
deleted file mode 100644
index fb62519..0000000
--- a/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
-Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
-
-KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-
-Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
-of the parent process's session keyring whether or not the parent has a session
-keyring [CVE-2010-2960].
-
-This results in the following oops:
-
-  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
-  IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
-  ...
-  Call Trace:
-   [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
-   [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
-   [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
-   [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
-
-if the parent process has no session keyring.
-
-If the system is using pam_keyinit then it mostly protected against this as all
-processes derived from a login will have inherited the session keyring created
-by pam_keyinit during the log in procedure.
-
-To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
-
-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Tavis Ormandy <taviso@cmpxchg8b.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
-
-[ 2.6.32 backport ]
-
-diff a/security/keys/keyctl.c b/security/keys/keyctl.c
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
- 		goto not_permitted;
- 
- 	/* the keyrings must have the same UID */
--	if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
-+	if ((pcred->tgcred->session_keyring &&
-+	     pcred->tgcred->session_keyring->uid != mycred->euid) ||
- 	    mycred->tgcred->session_keyring->uid != mycred->euid)
- 		goto not_permitted;
- 
-
diff --git a/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch b/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
deleted file mode 100644
index 5318f7e..0000000
--- a/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
-Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
-
-KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-
-There's an protected access to the parent process's credentials in the middle
-of keyctl_session_to_parent().  This results in the following RCU warning:
-
-  ===================================================
-  [ INFO: suspicious rcu_dereference_check() usage. ]
-  ---------------------------------------------------
-  security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
-
-  other info that might help us debug this:
-
-  rcu_scheduler_active = 1, debug_locks = 0
-  1 lock held by keyctl-session-/2137:
-   #0:  (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
-
-  stack backtrace:
-  Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
-  Call Trace:
-   [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
-   [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
-   [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
-   [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
-
-The code should take the RCU read lock to make sure the parents credentials
-don't go away, even though it's holding a spinlock and has IRQ disabled.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index b2b0998..3868c67 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
- 	keyring_r = NULL;
- 
- 	me = current;
-+	rcu_read_lock();
- 	write_lock_irq(&tasklist_lock);
- 
- 	parent = me->real_parent;
-@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
- 	set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
- 
- 	write_unlock_irq(&tasklist_lock);
-+	rcu_read_unlock();
- 	if (oldcred)
- 		put_cred(oldcred);
- 	return 0;
-@@ -1327,6 +1329,7 @@ already_same:
- 	ret = 0;
- not_permitted:
- 	write_unlock_irq(&tasklist_lock);
-+	rcu_read_unlock();
- 	put_cred(cred);
- 	return ret;
- 
diff --git a/linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch b/linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
deleted file mode 100644
index e6ab893..0000000
--- a/linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Mark McLoughlin <markmc@redhat.com>
-Subject: [PATCH] block: silently error unsupported empty barriers too
-
-With 2.6.31-rc5 in a KVM guest using dm and virtio_blk, we see the
-following errors:
-
-  end_request: I/O error, dev vda, sector 0
-  end_request: I/O error, dev vda, sector 0
-
-The errors go away if dm stops submitting empty barriers, by reverting:
-
-  commit 52b1fd5a27c625c78373e024bf570af3c9d44a79
-  Author: Mikulas Patocka <mpatocka@redhat.com>
-    dm: send empty barriers to targets in dm_flush
-
-We should error all barriers, even empty barriers, on devices like
-virtio_blk which don't support them.
-
-See also:
-
-  https://bugzilla.redhat.com/514901
-
-Signed-off-by: Mark McLoughlin <markmc@redhat.com>
-Cc: Rusty Russell <rusty@rustcorp.com.au>
-Cc: Mikulas Patocka <mpatocka@redhat.com>
-Cc: Alasdair G Kergon <agk@redhat.com>
-Cc: Neil Brown <neilb@suse.de>
----
- block/blk-core.c |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/block/blk-core.c b/block/blk-core.c
-index e3299a7..35ad2bb 100644
---- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -1163,8 +1163,7 @@ static int __make_request(struct request_queue *q, struct bio *bio)
- 	const int unplug = bio_unplug(bio);
- 	int rw_flags;
- 
--	if (bio_barrier(bio) && bio_has_data(bio) &&
--	    (q->next_ordered == QUEUE_ORDERED_NONE)) {
-+	if (bio_barrier(bio) && (q->next_ordered == QUEUE_ORDERED_NONE)) {
- 		bio_endio(bio, -EOPNOTSUPP);
- 		return 0;
- 	}
--- 
-1.6.4
-
diff --git a/sources b/sources
index aa75510..70d5251 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 260551284ac224c3a43c4adac7df4879  linux-2.6.32.tar.bz2
-29aa10a231882a6e52908642b572326f  patch-2.6.32.21.bz2
+6eac9aebbf9e74546b7c44c0fb9348a7  patch-2.6.32.23.bz2
diff --git a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
deleted file mode 100644
index 4bbae71..0000000
--- a/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: Steven Rostedt <srostedt@redhat.com>
-Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
-Subject: tracing: Do not allow llseek to set_ftrace_filter
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
-
-tracing: Do not allow llseek to set_ftrace_filter
-
-Reading the file set_ftrace_filter does three things.
-
-1) shows whether or not filters are set for the function tracer
-2) shows what functions are set for the function tracer
-3) shows what triggers are set on any functions
-
-3 is independent from 1 and 2.
-
-The way this file currently works is that it is a state machine,
-and as you read it, it may change state. But this assumption breaks
-when you use lseek() on the file. The state machine gets out of sync
-and the t_show() may use the wrong pointer and cause a kernel oops.
-
-Luckily, this will only kill the app that does the lseek, but the app
-dies while holding a mutex. This prevents anyone else from using the
-set_ftrace_filter file (or any other function tracing file for that matter).
-
-A real fix for this is to rewrite the code, but that is too much for
-a -rc release or stable. This patch simply disables llseek on the
-set_ftrace_filter() file for now, and we can do the proper fix for the
-next major release.
-
-Reported-by: Robert Swiecki <swiecki@google.com>
-Cc: Chris Wright <chrisw@sous-sol.org>
-Cc: Tavis Ormandy <taviso@google.com>
-Cc: Eugene Teo <eugene@redhat.com>
-Cc: vendor-sec@lst.de
-Cc: <stable@kernel.org>
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
----
-
-diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 7cb1f45..83a16e9 100644
---- a/kernel/trace/ftrace.c
-+++ b/kernel/trace/ftrace.c
-@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
- 	.open = ftrace_filter_open,
- 	.read = seq_read,
- 	.write = ftrace_filter_write,
--	.llseek = ftrace_regex_lseek,
-+	.llseek = no_llseek,
- 	.release = ftrace_filter_release,
- };
- 
diff --git a/xen-fix-typo-in-xen-irq-fix.patch b/xen-fix-typo-in-xen-irq-fix.patch
new file mode 100644
index 0000000..3a9fb62
--- /dev/null
+++ b/xen-fix-typo-in-xen-irq-fix.patch
@@ -0,0 +1,13 @@
+Fix typo in Xen patch from 2.6.35.5
+
+--- linux-2.6.35.noarch.orig/drivers/xen/events.c
++++ linux-2.6.35.noarch/drivers/xen/events.c
+@@ -935,7 +935,7 @@ static struct irq_chip xen_dynamic_chip 
+ 	.retrigger	= retrigger_dynirq,
+ };
+ 
+-static struct irq_chip en_percpu_chip __read_mostly = {
++static struct irq_chip xen_percpu_chip __read_mostly = {
+ 	.name		= "xen-percpu",
+ 
+ 	.disable	= disable_dynirq,