diff --git a/debian/changelog b/debian/changelog
index b0d533e8e..3ba558d92 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,7 +11,12 @@ linux-2.6 (3.0.0-3) UNRELEASED; urgency=low
 SNAT/masquerading is not done)
 * Remove net device features from bug reports (Closes: #638956)
 * [mips,mipsel] Ignore nfs ABI changes made in 3.0.0-2; fixes FTBFS
+ * genirq: Fix wrong bit operation
+ * befs: Validate length of long symbolic links (CVE-2011-2928)
 * CIFS: Fix memory corruption on mount (Closes: #635344)
+ * x86-32, vdso: On system call restart after SYSENTER, use int $0x80
+ * drm/ttm: fix ttm_bo_add_ttm(user) failure path
+ * fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
 -- Ben Hutchings Sun, 21 Aug 2011 16:18:29 +0100
diff --git a/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch b/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
new file mode 100644
index 000000000..06675c6f2
--- /dev/null
+++ b/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
@@ -0,0 +1,50 @@
+From: Timo Warns
+Date: Wed, 17 Aug 2011 17:59:56 +0200
+Subject: befs: Validate length of long symbolic links.
+
+From: Timo Warns
+
+commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream.
+
+Signed-off-by: Timo Warns
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/befs/linuxvfs.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry,
+ befs_data_stream *data = &befs_ino->i_data.ds;
+ befs_off_t len = data->size;
+
+- befs_debug(sb, "Follow long symlink");
+-
+- link = kmalloc(len, GFP_NOFS);
+- if (!link) {
+- link = ERR_PTR(-ENOMEM);
+- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
+- kfree(link);
+- befs_error(sb, "Failed to read entire long symlink");
++ if (len == 0) {
++ befs_error(sb, "Long symlink with illegal length");
+ link = ERR_PTR(-EIO);
+ } else {
+- link[len - 1] = '\0';
++ befs_debug(sb, "Follow long symlink");
++
++ link = kmalloc(len, GFP_NOFS);
++ if (!link) {
++ link = ERR_PTR(-ENOMEM);
++ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
++ kfree(link);
++ befs_error(sb, "Failed to read entire long symlink");
++ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
++ }
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
diff --git a/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch b/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
new file mode 100644
index 000000000..0cdedba6c
--- /dev/null
+++ b/debian/patches/bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
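Review bot: The new `if (len == 0)` guard in the befs hunk rejects only the zero-length case; `len` is an on-disk `befs_off_t` that still goes straight into `kmalloc(len, GFP_NOFS)` and then into `befs_read_lsymlink(sb, data, link, len)`, so a crafted image can drive arbitrarily large allocation attempts (and, where the allocator's size argument is narrower than `befs_off_t`, the value is presumably narrowed silently — worth confirming). A symlink target longer than `PATH_MAX` is never usable, so the bound can be checked before allocating with `if (len == 0 || len > PATH_MAX) {` in place of the added condition. This is the upstream fix carried verbatim, so such a tightening would be a Debian-local delta and should be raised upstream rather than patched silently. befs_follow_link() starts and ends outside the hunk.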
@@ -0,0 +1,34 @@
+From: Marcin Slusarz
+Date: Mon, 22 Aug 2011 21:17:57 +0000
+Subject: drm/ttm: fix ttm_bo_add_ttm(user) failure path
+
+From: Marcin Slusarz
+
+commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream.
+
+ttm_tt_destroy kfrees passed object, so we need to nullify
+a reference to it.
+
+Signed-off-by: Marcin Slusarz
+Reviewed-by: Thomas Hellstrom
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -353,8 +353,10 @@ static int ttm_bo_add_ttm(struct ttm_buf
+
+ ret = ttm_tt_set_user(bo->ttm, current,
+ bo->buffer_start, bo->num_pages);
+- if (unlikely(ret != 0))
++ if (unlikely(ret != 0)) {
+ ttm_tt_destroy(bo->ttm);
++ bo->ttm = NULL;
++ }
+ break;
+ default:
+ printk(KERN_ERR TTM_PFX "Illegal buffer object type\n");
diff --git a/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch b/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
new file mode 100644
index 000000000..f3c0e44c3
--- /dev/null
+++ b/debian/patches/bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch
@@ -0,0 +1,33 @@
+From: Miklos Szeredi
+Date: Wed, 24 Aug 2011 10:20:17 +0200
+Subject: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
+
+From: Miklos Szeredi
+
+commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream.
+
+FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
+message processing could overrun and result in a "kernel BUG at
+fs/fuse/dev.c:629!"
+
+Reported-by: Han-Wen Nienhuys
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struc
+ if (outarg.namelen > FUSE_NAME_MAX)
+ goto err;
+
++ err = -EINVAL;
++ if (size != sizeof(outarg) + outarg.namelen + 1)
++ goto err;
++
+ name.name = buf;
+ name.len = outarg.namelen;
+ err = fuse_copy_one(cs, buf, outarg.namelen + 1);
diff --git a/debian/patches/bugfix/all/genirq-fix-wrong-bit-operation.patch b/debian/patches/bugfix/all/genirq-fix-wrong-bit-operation.patch
new file mode 100644
index 000000000..69e837c2e
--- /dev/null
+++ b/debian/patches/bugfix/all/genirq-fix-wrong-bit-operation.patch
@@ -0,0 +1,39 @@
+From: "jhbird.choi@samsung.com"
+Date: Thu, 21 Jul 2011 15:29:14 +0900
+Subject: genirq: Fix wrong bit operation
+
+From: "jhbird.choi@samsung.com"
+
+commit 1dd75f91ae713049eb6baaa640078f3a6549e522 upstream.
+
+(!msk & 0x01) should be !(msk & 0x01)
+
+Signed-off-by: Jonghwan Choi
+Link: http://lkml.kernel.org/r/1311229754-6003-1-git-send-email-jhbird.choi@samsung.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/irq/generic-chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/irq/generic-chip.c
++++ b/kernel/irq/generic-chip.c
+@@ -246,7 +246,7 @@ void irq_setup_generic_chip(struct irq_c
+ gc->mask_cache = irq_reg_readl(gc->reg_base + ct->regs.mask);
+
+ for (i = gc->irq_base; msk; msk >>= 1, i++) {
+- if (!msk & 0x01)
++ if (!(msk & 0x01))
+ continue;
+
+ if (flags & IRQ_GC_INIT_NESTED_LOCK)
+@@ -301,7 +301,7 @@ void irq_remove_generic_chip(struct irq_
+ raw_spin_unlock(&gc_lock);
+
+ for (; msk; msk >>= 1, i++) {
+- if (!msk & 0x01)
++ if (!(msk & 0x01))
+ continue;
+
+ /* Remove handler first. That will mask the irq line */
diff --git a/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch b/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
new file mode 100644
index 000000000..d12444e38
--- /dev/null
+++ b/debian/patches/bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
@@ -0,0 +1,38 @@
+From: "H. Peter Anvin"
+Date: Mon, 22 Aug 2011 13:27:06 -0700
+Subject: x86-32, vdso: On system call restart after SYSENTER, use int $0x80
+
+From: "H. Peter Anvin"
+
+commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream.
+
+When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle
+the arguments to match the int $0x80 calling convention. This was
+probably a design mistake, but it's what it is now. This causes
+errors if the system call as to be restarted.
+
+For SYSENTER, we have to invoke the instruction from the vdso as the
+return address is hardcoded. Accordingly, we can simply replace the
+jump in the vdso with an int $0x80 instruction and use the slower
+entry point for a post-restart.
+
+Suggested-by: Linus Torvalds
+Signed-off-by: H. Peter Anvin
+Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/vdso/vdso32/sysenter.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/vdso/vdso32/sysenter.S
++++ b/arch/x86/vdso/vdso32/sysenter.S
+@@ -43,7 +43,7 @@ __kernel_vsyscall:
+ .space 7,0x90
+
+ /* 14: System call restart point is here! (SYSENTER_RETURN-2) */
+- jmp .Lenter_kernel
++ int $0x80
+ /* 16: System call normal return point is here! */
+ VDSO32_SYSENTER_RETURN: /* Symbol used by sysenter.c via vdso32-syms.h */
+ pop %ebp
diff --git a/debian/patches/series/3 b/debian/patches/series/3
index c9670b839..3c050cd41 100644
--- a/debian/patches/series/3
+++ b/debian/patches/series/3
@@ -1,4 +1,9 @@
 - bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
 + bugfix/all/stable/3.0.3.patch
 + bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
++ bugfix/all/genirq-fix-wrong-bit-operation.patch
++ bugfix/all/befs-validate-length-of-long-symbolic-links.patch
 + bugfix/all/cifs-possible-memory-corruption-on-mount.patch
++ bugfix/all/x86-32-vdso-on-system-call-restart-after-sysenter-use-int.patch
++ bugfix/all/drm-ttm-fix-ttm_bo_add_ttm-user-failure-path.patch
++ bugfix/all/fuse-check-size-of-fuse_notify_inval_entry-message.patch