

bitkeeper revision 1.1718.1.10 (42b7b19aqOS_1M8I4pIOFjiTPYWV-g)

Merge bk://xenbits.xensource.com/xen-unstable.bk
into spot.cl.cam.ac.uk:C:/Documents and Settings/iap10/xen-unstable.bk
author iap10@spot.cl.cam.ac.uk
date Tue Jun 21 06:20:10 2005 +0000 (2005-06-21)
parents c45207396f75
children 56a63f9f378f
1 diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs
2 new file mode 100644
3 --- /dev/null
4 +++ b/Documentation/SecurityBugs
5 @@ -0,0 +1,38 @@
6 +Linux kernel developers take security very seriously. As such, we'd
7 +like to know when a security bug is found so that it can be fixed and
8 +disclosed as quickly as possible. Please report security bugs to the
9 +Linux kernel security team.
10 +
11 +1) Contact
12 +
13 +The Linux kernel security team can be contacted by email at
14 +<security@kernel.org>. This is a private list of security officers
15 +who will help verify the bug report and develop and release a fix.
16 +It is possible that the security team will bring in extra help from
17 +area maintainers to understand and fix the security vulnerability.
18 +
19 +As it is with any bug, the more information provided the easier it
20 +will be to diagnose and fix. Please review the procedure outlined in
21 +REPORTING-BUGS if you are unclear about what information is helpful.
22 +Any exploit code is very helpful and will not be released without
23 +consent from the reporter unless it has already been made public.
24 +
25 +2) Disclosure
26 +
27 +The goal of the Linux kernel security team is to work with the
28 +bug submitter to bug resolution as well as disclosure. We prefer
29 +to fully disclose the bug as soon as possible. It is reasonable to
30 +delay disclosure when the bug or the fix is not yet fully understood,
31 +the solution is not well-tested or for vendor coordination. However, we
32 +expect these delays to be short, measurable in days, not weeks or months.
33 +A disclosure date is negotiated by the security team working with the
34 +bug submitter as well as vendors. However, the kernel security team
35 +holds the final say when setting a disclosure date. The timeframe for
36 +disclosure is from immediate (esp. if it's already publically known)
37 +to a few weeks. As a basic default policy, we expect report date to
38 +disclosure date to be on the order of 7 days.
39 +
40 +3) Non-disclosure agreements
41 +
42 +The Linux kernel security team is not a formal body and therefore unable
43 +to enter any non-disclosure agreements.
44 diff --git a/MAINTAINERS b/MAINTAINERS
45 --- a/MAINTAINERS
46 +++ b/MAINTAINERS
47 @@ -1966,6 +1966,11 @@ M: christer@weinigel.se
48 W: http://www.weinigel.se
49 S: Supported
51 +SECURITY CONTACT
52 +P: Security Officers
53 +M: security@kernel.org
54 +S: Supported
55 +
56 SELINUX SECURITY MODULE
57 P: Stephen Smalley
58 M: sds@epoch.ncsc.mil
59 diff --git a/Makefile b/Makefile
60 --- a/Makefile
61 +++ b/Makefile
62 @@ -1,8 +1,8 @@
63 VERSION = 2
64 PATCHLEVEL = 6
65 SUBLEVEL = 11
66 -EXTRAVERSION =
67 -NAME=Woozy Numbat
68 +EXTRAVERSION = .12
69 +NAME=Woozy Beaver
71 # *DOCUMENTATION*
72 # To see a list of typical targets execute "make help"
73 diff --git a/REPORTING-BUGS b/REPORTING-BUGS
74 --- a/REPORTING-BUGS
75 +++ b/REPORTING-BUGS
76 @@ -16,6 +16,10 @@ code relevant to what you were doing. If
77 describe how to recreate it. That is worth even more than the oops itself.
78 The list of maintainers is in the MAINTAINERS file in this directory.
80 + If it is a security bug, please copy the Security Contact listed
81 +in the MAINTAINERS file. They can help coordinate bugfix and disclosure.
82 +See Documentation/SecurityBugs for more infomation.
83 +
84 If you are totally stumped as to whom to send the report, send it to
85 linux-kernel@vger.kernel.org. (For more information on the linux-kernel
86 mailing list see http://www.tux.org/lkml/).
87 diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
88 --- a/arch/ia64/kernel/fsys.S
89 +++ b/arch/ia64/kernel/fsys.S
90 @@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down)
91 movl r2=ia64_ret_from_syscall
92 ;;
93 mov rp=r2 // set the real return addr
94 - tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
95 + and r3=_TIF_SYSCALL_TRACEAUDIT,r3
96 ;;
97 + cmp.eq p8,p0=r3,r0
98 +
99 (p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8
100 (p8) br.call.sptk.many b6=b6 // ignore this return addr
101 br.cond.sptk ia64_trace_syscall
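Review bot: The new `and r3=_TIF_SYSCALL_TRACEAUDIT,r3` / `cmp.eq p8,p0=r3,r0` pair carries no comment even though the neighbouring branch lines in this hunk do, and the point of the change (an audited-but-untraced task must no longer take the fast return path) is not obvious from the bit fiddling; I would annotate the compare as `cmp.eq p8,p0=r3,r0 // p8 == neither TRACE nor AUDIT set: take fast path`. The flags word in r3 is now overwritten in place rather than tested with tbit, so if anything after the branches still expects the full thread flags in r3 it would need a scratch register instead — that cannot be seen from the hunk. fsys_bubble_down starts and ends outside the hunk.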
102 diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
103 --- a/arch/ia64/kernel/signal.c
104 +++ b/arch/ia64/kernel/signal.c
105 @@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc
106 * could be corrupted.
107 */
108 retval = (long) &ia64_leave_kernel;
109 - if (test_thread_flag(TIF_SYSCALL_TRACE))
110 + if (test_thread_flag(TIF_SYSCALL_TRACE)
111 + || test_thread_flag(TIF_SYSCALL_AUDIT))
112 /*
113 * strace expects to be notified after sigreturn returns even though the
114 * context to which we return may not be in the middle of a syscall.
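Review bot: The comment that follows the changed condition still only explains the strace case, but the added `|| test_thread_flag(TIF_SYSCALL_AUDIT)` means the slow sigreturn path is now also taken purely for auditing; I would extend it with a line such as `* The same applies to syscall auditing, which must see this sigreturn even when no tracer is attached.` The condition tests the two bits separately while the fsys.S hunk in this patch tests the combined `_TIF_SYSCALL_TRACEAUDIT` mask; testing `current_thread_info()->flags & _TIF_SYSCALL_TRACEAUDIT` here (if that is how the flag word is reached on this arch) would keep the two places in step. ia64_rt_sigreturn continues outside the hunk.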
115 diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
116 --- a/arch/ppc/oprofile/op_model_fsl_booke.c
117 +++ b/arch/ppc/oprofile/op_model_fsl_booke.c
118 @@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s
119 int is_kernel;
120 int val;
121 int i;
122 - unsigned int cpu = smp_processor_id();
124 /* set the PMM bit (see comment below) */
125 mtmsr(mfmsr() | MSR_PMM);
126 @@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s
127 val = ctr_read(i);
128 if (val < 0) {
129 if (oprofile_running && ctr[i].enabled) {
130 - oprofile_add_sample(pc, is_kernel, i, cpu);
131 + oprofile_add_pc(pc, is_kernel, i);
132 ctr_write(i, reset_value[i]);
133 } else {
134 ctr_write(i, 0);
135 diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
136 --- a/arch/ppc/platforms/4xx/ebony.h
137 +++ b/arch/ppc/platforms/4xx/ebony.h
138 @@ -61,8 +61,8 @@
139 */
141 /* OpenBIOS defined UART mappings, used before early_serial_setup */
142 -#define UART0_IO_BASE (u8 *) 0xE0000200
143 -#define UART1_IO_BASE (u8 *) 0xE0000300
144 +#define UART0_IO_BASE 0xE0000200
145 +#define UART1_IO_BASE 0xE0000300
147 /* external Epson SG-615P */
148 #define BASE_BAUD 691200
149 diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
150 --- a/arch/ppc/platforms/4xx/luan.h
151 +++ b/arch/ppc/platforms/4xx/luan.h
152 @@ -47,9 +47,9 @@
153 #define RS_TABLE_SIZE 3
155 /* PIBS defined UART mappings, used before early_serial_setup */
156 -#define UART0_IO_BASE (u8 *) 0xa0000200
157 -#define UART1_IO_BASE (u8 *) 0xa0000300
158 -#define UART2_IO_BASE (u8 *) 0xa0000600
159 +#define UART0_IO_BASE 0xa0000200
160 +#define UART1_IO_BASE 0xa0000300
161 +#define UART2_IO_BASE 0xa0000600
163 #define BASE_BAUD 11059200
164 #define STD_UART_OP(num) \
165 diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
166 --- a/arch/ppc/platforms/4xx/ocotea.h
167 +++ b/arch/ppc/platforms/4xx/ocotea.h
168 @@ -56,8 +56,8 @@
169 #define RS_TABLE_SIZE 2
171 /* OpenBIOS defined UART mappings, used before early_serial_setup */
172 -#define UART0_IO_BASE (u8 *) 0xE0000200
173 -#define UART1_IO_BASE (u8 *) 0xE0000300
174 +#define UART0_IO_BASE 0xE0000200
175 +#define UART1_IO_BASE 0xE0000300
177 #define BASE_BAUD 11059200/16
178 #define STD_UART_OP(num) \
179 diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c
180 --- a/arch/ppc64/kernel/pSeries_iommu.c
181 +++ b/arch/ppc64/kernel/pSeries_iommu.c
182 @@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st
183 struct device_node *dn, *pdn;
184 unsigned int *dma_window = NULL;
186 + DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self);
187 +
188 dn = pci_bus_to_OF_node(bus);
190 /* Find nearest ibm,dma-window, walking up the device tree */
191 @@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru
192 }
193 }
195 +static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev)
196 +{
197 + struct device_node *pdn, *dn;
198 + struct iommu_table *tbl;
199 + int *dma_window = NULL;
200 +
201 + DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name);
202 +
203 + /* dev setup for LPAR is a little tricky, since the device tree might
204 + * contain the dma-window properties per-device and not neccesarily
205 + * for the bus. So we need to search upwards in the tree until we
206 + * either hit a dma-window property, OR find a parent with a table
207 + * already allocated.
208 + */
209 + dn = pci_device_to_OF_node(dev);
210 +
211 + for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) {
212 + dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL);
213 + if (dma_window)
214 + break;
215 + }
216 +
217 + /* Check for parent == NULL so we don't try to setup the empty EADS
218 + * slots on POWER4 machines.
219 + */
220 + if (dma_window == NULL || pdn->parent == NULL) {
221 + /* Fall back to regular (non-LPAR) dev setup */
222 + DBG("No dma window for device, falling back to regular setup\n");
223 + iommu_dev_setup_pSeries(dev);
224 + return;
225 + } else {
226 + DBG("Found DMA window, allocating table\n");
227 + }
228 +
229 + if (!pdn->iommu_table) {
230 + /* iommu_table_setparms_lpar needs bussubno. */
231 + pdn->bussubno = pdn->phb->bus->number;
232 +
233 + tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table),
234 + GFP_KERNEL);
235 +
236 + iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window);
237 +
238 + pdn->iommu_table = iommu_init_table(tbl);
239 + }
240 +
241 + if (pdn != dn)
242 + dn->iommu_table = pdn->iommu_table;
243 +}
244 +
245 static void iommu_bus_setup_null(struct pci_bus *b) { }
246 static void iommu_dev_setup_null(struct pci_dev *d) { }
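Review bot: In iommu_dev_setup_pSeriesLP the `kmalloc(sizeof(struct iommu_table), GFP_KERNEL)` result `tbl` is passed straight to iommu_table_setparms_lpar and iommu_init_table with no NULL check, so an allocation failure during device setup dereferences NULL; add `if (!tbl) { iommu_dev_setup_pSeries(dev); return; }` (or whatever failure path the non-LPAR setup uses) right after the allocation, and drop the redundant cast while there. `dma_window` is declared `int *` but assigned through an `(unsigned int *)` cast and then handed to iommu_table_setparms_lpar; one of the two types is wrong and the cast hides the mismatch, so declaring it `unsigned int *` as iommu_bus_setup_pSeriesLP above does would let the compiler check it. The `if (...) { ...; return; } else { DBG(...); }` shape can lose the `else`, since the first branch returns.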
248 @@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void)
249 ppc_md.tce_free = tce_free_pSeriesLP;
250 }
251 ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP;
252 + ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP;
253 } else {
254 ppc_md.tce_build = tce_build_pSeries;
255 ppc_md.tce_free = tce_free_pSeries;
256 ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries;
257 + ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
258 }
260 - ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
262 pci_iommu_init();
263 }
264 diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
265 --- a/arch/sparc/kernel/ptrace.c
266 +++ b/arch/sparc/kernel/ptrace.c
267 @@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs
268 pt_error_return(regs, EIO);
269 goto out_tsk;
270 }
271 - if (addr != 1) {
272 - if (addr & 3) {
273 - pt_error_return(regs, EINVAL);
274 - goto out_tsk;
275 - }
276 -#ifdef DEBUG_PTRACE
277 - printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
278 - printk ("Continuing with %08lx %08lx\n", addr, addr+4);
279 -#endif
280 - child->thread.kregs->pc = addr;
281 - child->thread.kregs->npc = addr + 4;
282 - }
284 if (request == PTRACE_SYSCALL)
285 set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
286 diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
287 --- a/arch/sparc64/kernel/ptrace.c
288 +++ b/arch/sparc64/kernel/ptrace.c
289 @@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs
290 pt_error_return(regs, EIO);
291 goto out_tsk;
292 }
293 - if (addr != 1) {
294 - unsigned long pc_mask = ~0UL;
295 -
296 - if ((child->thread_info->flags & _TIF_32BIT) != 0)
297 - pc_mask = 0xffffffff;
298 -
299 - if (addr & 3) {
300 - pt_error_return(regs, EINVAL);
301 - goto out_tsk;
302 - }
303 -#ifdef DEBUG_PTRACE
304 - printk ("Original: %016lx %016lx\n",
305 - child->thread_info->kregs->tpc,
306 - child->thread_info->kregs->tnpc);
307 - printk ("Continuing with %016lx %016lx\n", addr, addr+4);
308 -#endif
309 - child->thread_info->kregs->tpc = (addr & pc_mask);
310 - child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
311 - }
313 if (request == PTRACE_SYSCALL) {
314 set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
315 diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
316 --- a/arch/sparc64/kernel/signal32.c
317 +++ b/arch/sparc64/kernel/signal32.c
318 @@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf
319 err |= __put_user(from->si_uid, &to->si_uid);
320 break;
321 case __SI_FAULT >> 16:
322 - case __SI_POLL >> 16:
323 err |= __put_user(from->si_trapno, &to->si_trapno);
324 err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
325 break;
326 + case __SI_POLL >> 16:
327 + err |= __put_user(from->si_band, &to->si_band);
328 + err |= __put_user(from->si_fd, &to->si_fd);
329 + break;
330 case __SI_RT >> 16: /* This is not generated by the kernel as of now. */
331 case __SI_MESGQ >> 16:
332 err |= __put_user(from->si_pid, &to->si_pid);
333 diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
334 --- a/arch/sparc64/kernel/systbls.S
335 +++ b/arch/sparc64/kernel/systbls.S
336 @@ -75,7 +75,7 @@ sys_call_table32:
337 /*260*/ .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
338 .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
339 /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
340 - .word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
341 + .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
342 /*280*/ .word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
344 #endif /* CONFIG_COMPAT */
345 diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
346 --- a/arch/um/include/sysdep-i386/syscalls.h
347 +++ b/arch/um/include/sysdep-i386/syscalls.h
348 @@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr
349 unsigned long prot, unsigned long flags,
350 unsigned long fd, unsigned long pgoff);
352 +/* On i386 they choose a meaningless naming.*/
353 +#define __NR_kexec_load __NR_sys_kexec_load
354 +
355 #define ARCH_SYSCALLS \
356 [ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
357 [ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
358 @@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr
359 [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
360 [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
361 [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
362 - [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
363 [ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
364 - [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
365 - [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
366 - [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
367 -
368 + [ 285 ] = (syscall_handler_t *) sys_ni_syscall,
369 +
370 /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
372 -#define LAST_ARCH_SYSCALL __NR_vserver
373 +#define LAST_ARCH_SYSCALL 285
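Review bot: The new `[ 285 ] = (syscall_handler_t *) sys_ni_syscall` entry and `LAST_ARCH_SYSCALL 285` use a bare number with no explanation, although the next context line documents the similarly unnamed slot 222; I would add `/* 285 has no name in include/asm-i386/unistd.h yet; keep it ni_syscall and as the end of the arch range */` above it, and note in the `__NR_kexec_load` comment that the alias exists only so the generic table can index by `__NR_kexec_load` on every arch. That keeps a later maintainer from "fixing" 285 to a real handler by mistake, and makes it clear which of the two names is the canonical one (the MAINTAINERS-style hint "meaningless naming" does not say). How LAST_ARCH_SYSCALL is consumed is outside this hunk and should be confirmed before relying on it to bound the table.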
375 /*
376 * Overrides for Emacs so that we follow Linus's tabbing style.
377 diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
378 --- a/arch/um/include/sysdep-x86_64/syscalls.h
379 +++ b/arch/um/include/sysdep-x86_64/syscalls.h
380 @@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl;
381 [ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
382 [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
383 [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
384 - [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
385 [ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
386 - [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
387 - [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
388 - [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
389 - [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
390 [ 251 ] = (syscall_handler_t *) sys_ni_syscall,
392 #define LAST_ARCH_SYSCALL 251
393 diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
394 --- a/arch/um/kernel/skas/uaccess.c
395 +++ b/arch/um/kernel/skas/uaccess.c
396 @@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v
397 void *arg;
398 int *res;
400 - va_copy(args, *(va_list *)arg_ptr);
401 + /* Some old gccs recognize __va_copy, but not va_copy */
402 + __va_copy(args, *(va_list *)arg_ptr);
403 addr = va_arg(args, unsigned long);
404 len = va_arg(args, int);
405 is_write = va_arg(args, int);
406 diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
407 --- a/arch/um/kernel/sys_call_table.c
408 +++ b/arch/um/kernel/sys_call_table.c
409 @@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork;
410 extern syscall_handler_t old_select;
411 extern syscall_handler_t sys_modify_ldt;
412 extern syscall_handler_t sys_rt_sigsuspend;
413 -extern syscall_handler_t sys_vserver;
414 extern syscall_handler_t sys_mbind;
415 extern syscall_handler_t sys_get_mempolicy;
416 extern syscall_handler_t sys_set_mempolicy;
417 @@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = {
418 [ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
419 [ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
420 [ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
421 + [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
422 [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
423 [ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
424 [ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
425 @@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = {
426 [ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
427 [ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
428 [ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
429 - [ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
430 - [ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
431 [ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
432 [ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
433 - [ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
434 - [ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
435 + [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
436 + [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
437 [ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
438 [ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
439 [ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
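Review bot: The `__NR_statfs64` and `__NR_fstatfs64` entries are removed here but nothing in this patch adds them back to sysdep-i386/syscalls.h, so on i386 (which does define those numbers) the two slots now get the table's default initializer rather than sys_statfs64/sys_fstatfs64 — presumably they went because x86_64 has no such numbers and this table is shared, but the i386 ARCH_SYSCALLS block should then pick them up, and nothing visible does. `[ __NR_fadvise64 ]` likewise replaces `[ __NR_fadvise64_64 ]` while the x86_64 syscalls.h hunk in the same patch drops its own `__NR_fadvise64` entry; a comment such as `/* fadvise64_64 exists only on i386; the shared slot is plain fadvise64 */` would explain why the arches differ. The table definition starts and ends outside the hunk.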
440 @@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = {
441 [ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
442 [ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
443 [ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
444 - [ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
445 + [ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
446 [ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
447 - [ 285 ] = (syscall_handler_t *) sys_ni_syscall,
448 [ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
449 [ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
450 [ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
451 diff --git a/arch/x86_64/kernel/apic.c b/arch/x86_64/kernel/apic.c
452 --- a/arch/x86_64/kernel/apic.c
453 +++ b/arch/x86_64/kernel/apic.c
454 @@ -775,9 +775,7 @@ void __init setup_boot_APIC_clock (void)
456 void __init setup_secondary_APIC_clock(void)
457 {
458 - local_irq_disable(); /* FIXME: Do we need this? --RR */
459 setup_APIC_timer(calibration_result);
460 - local_irq_enable();
461 }
463 void __init disable_APIC_timer(void)
464 diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
465 --- a/arch/x86_64/kernel/ptrace.c
466 +++ b/arch/x86_64/kernel/ptrace.c
467 @@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
468 value &= 0xffff;
469 return 0;
470 case offsetof(struct user_regs_struct,fs_base):
471 - if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
472 - return -EIO;
473 + if (value >= TASK_SIZE)
474 + return -EIO;
475 child->thread.fs = value;
476 return 0;
477 case offsetof(struct user_regs_struct,gs_base):
478 - if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
479 - return -EIO;
480 + if (value >= TASK_SIZE)
481 + return -EIO;
482 child->thread.gs = value;
483 return 0;
484 case offsetof(struct user_regs_struct, eflags):
485 @@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
486 return -EIO;
487 value &= 0xffff;
488 break;
489 + case offsetof(struct user_regs_struct, rip):
490 + /* Check if the new RIP address is canonical */
491 + if (value >= TASK_SIZE)
492 + return -EIO;
493 + break;
494 }
495 put_stack_long(child, regno - sizeof(struct pt_regs), value);
496 return 0;
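Review bot: The new `value >= TASK_SIZE` bounds on fs_base, gs_base and rip are evaluated inside putreg against `TASK_SIZE`, which on x86_64 is (if the usual per-thread definition applies here) derived from the *current* task's TIF_IA32 flag, i.e. the tracer rather than `child`; a 64-bit tracer of a 32-bit child would then accept bases above 4 GiB and a 32-bit tracer of a 64-bit child would reject valid ones. The property this fix actually needs is only that the value stays in the user half, so compare against the child's own limit if a helper for that exists, or explicitly against the 64-bit user limit. The comment `/* Check if the new RIP address is canonical */` also understates the test, which rejects every kernel-half value as well as non-canonical ones; `/* must be a user-space address: kernel-half or non-canonical values would fault in kernel mode on return to the child */` is closer. putreg starts before the hunk.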
497 @@ -247,7 +252,7 @@ asmlinkage long sys_ptrace(long request,
498 break;
500 switch (addr) {
501 - case 0 ... sizeof(struct user_regs_struct):
502 + case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
503 tmp = getreg(child, addr);
504 break;
505 case offsetof(struct user, u_debugreg[0]):
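Review bot: The new upper bound `sizeof(struct user_regs_struct) - sizeof(long)` is right but reads as a magic expression, and nothing says why the old bound was wrong; a comment such as `/* highest valid register offset: the previous bound of sizeof() let getreg touch one word past the struct */` would stop it being "simplified" back. The range still relies on `addr` being word-aligned by a check that precedes this switch (outside the hunk); if that check is absent, an unaligned `addr` inside the range still reaches getreg. The same expression is repeated in the PTRACE_POKEUSR hunk below, so a shared `#define` would keep the two from drifting.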
506 @@ -292,7 +297,7 @@ asmlinkage long sys_ptrace(long request,
507 break;
509 switch (addr) {
510 - case 0 ... sizeof(struct user_regs_struct):
511 + case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
512 ret = putreg(child, addr, data);
513 break;
514 /* Disallows to set a breakpoint into the vsyscall */
515 diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c
516 --- a/arch/x86_64/kernel/smpboot.c
517 +++ b/arch/x86_64/kernel/smpboot.c
518 @@ -309,8 +309,6 @@ void __init smp_callin(void)
519 Dprintk("CALLIN, before setup_local_APIC().\n");
520 setup_local_APIC();
522 - local_irq_enable();
523 -
524 /*
525 * Get our bogomips.
526 */
527 @@ -324,8 +322,6 @@ void __init smp_callin(void)
528 */
529 smp_store_cpu_info(cpuid);
531 - local_irq_disable();
532 -
533 /*
534 * Allow the master to continue.
535 */
536 diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c
537 --- a/arch/x86_64/mm/fault.c
538 +++ b/arch/x86_64/mm/fault.c
539 @@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne
541 /*
542 * Handle a fault on the vmalloc or module mapping area
543 + *
544 + * This assumes no large pages in there.
545 */
546 static int vmalloc_fault(unsigned long address)
547 {
548 @@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a
549 if (!pte_present(*pte_ref))
550 return -1;
551 pte = pte_offset_kernel(pmd, address);
552 - if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref))
553 + /* Don't use pte_page here, because the mappings can point
554 + outside mem_map, and the NUMA hash lookup cannot handle
555 + that. */
556 + if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
557 BUG();
558 __flush_tlb_all();
559 return 0;
560 @@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_
561 * protection error (error_code & 1) == 0.
562 */
563 if (unlikely(address >= TASK_SIZE)) {
564 - if (!(error_code & 5)) {
565 + if (!(error_code & 5) &&
566 + ((address >= VMALLOC_START && address < VMALLOC_END) ||
567 + (address >= MODULES_VADDR && address < MODULES_END))) {
568 if (vmalloc_fault(address) < 0)
569 goto bad_area_nosemaphore;
570 return;
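Review bot: The added `VMALLOC_START..VMALLOC_END` / `MODULES_VADDR..MODULES_END` range test has no comment, and the reason is non-local: vmalloc_fault, as the earlier hunk in this file now documents, assumes no large pages, so a kernel-half fault anywhere else must not be routed through it. I would put `/* only vmalloc/module space is lazily synced from init_mm; any other kernel-half fault is a real bug and falls through */` above the condition. do_page_fault continues past the hunk, so what the remaining kernel-half faults now reach is not visible here and the second half of that comment should be checked against it.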
571 diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c
572 --- a/arch/x86_64/mm/ioremap.c
573 +++ b/arch/x86_64/mm/ioremap.c
574 @@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr
575 if ((p->flags >> 20) &&
576 p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) {
577 /* p->size includes the guard page, but cpa doesn't like that */
578 - change_page_attr(virt_to_page(__va(p->phys_addr)),
579 + change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
580 (p->size - PAGE_SIZE) >> PAGE_SHIFT,
581 PAGE_KERNEL);
582 global_flush_tlb();
583 diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c
584 --- a/drivers/block/ioctl.c
585 +++ b/drivers/block/ioctl.c
586 @@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi
587 }
588 return ret;
589 }
590 +
591 +EXPORT_SYMBOL_GPL(blkdev_ioctl);
592 diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
593 --- a/drivers/block/pktcdvd.c
594 +++ b/drivers/block/pktcdvd.c
595 @@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode
596 case CDROM_LAST_WRITTEN:
597 case CDROM_SEND_PACKET:
598 case SCSI_IOCTL_SEND_COMMAND:
599 - return ioctl_by_bdev(pd->bdev, cmd, arg);
600 + return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
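Review bot: The switch from `ioctl_by_bdev` to `blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg)` deserves a comment, because the reason is security-relevant and not obvious from the line: `arg` is a user pointer from pkt_ioctl's caller, and ioctl_by_bdev (if it still runs the ioctl under KERNEL_DS as it did in kernels of this era) would let CDROM_SEND_PACKET / SCSI_IOCTL_SEND_COMMAND treat it as a kernel address. Something like `/* pass-through: arg is a user pointer and must go through blkdev_ioctl's normal user-space access checks, never ioctl_by_bdev */` above the call would stop the next cleanup from reverting it. Passing pkt_ioctl's own `file` rather than one opened on the underlying device means blkdev_ioctl sees the pktcdvd file's mode and flags; that is probably intended but worth a word in the same comment.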
602 case CDROMEJECT:
603 /*
604 @@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode
605 * have to unlock it or else the eject command fails.
606 */
607 pkt_lock_door(pd, 0);
608 - return ioctl_by_bdev(pd->bdev, cmd, arg);
609 + return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
611 default:
612 printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
613 diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
614 --- a/drivers/char/drm/drm_ioctl.c
615 +++ b/drivers/char/drm/drm_ioctl.c
616 @@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS)
618 DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
620 + memset(&version, 0, sizeof(version));
621 +
622 dev->driver->version(&version);
623 retv.drm_di_major = DRM_IF_MAJOR;
624 retv.drm_di_minor = DRM_IF_MINOR;
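Review bot: The added `memset(&version, 0, sizeof(version))` fixes an uninitialised-stack use but carries no comment, so a later reader may take it as redundant with the `dev->driver->version(&version)` call that follows; I would write `/* drivers need not fill every field; zero it so no stack garbage is used or copied out */`. If `version` is later copied to user space (drm_setversion continues outside the hunk) the zeroing is also an information-leak fix and the comment should say so explicitly.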
625 diff --git a/drivers/char/raw.c b/drivers/char/raw.c
626 --- a/drivers/char/raw.c
627 +++ b/drivers/char/raw.c
628 @@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi
629 {
630 struct block_device *bdev = filp->private_data;
632 - return ioctl_by_bdev(bdev, command, arg);
633 + return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
634 }
636 static void bind_device(struct raw_config_request *rq)
637 diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
638 --- a/drivers/i2c/chips/eeprom.c
639 +++ b/drivers/i2c/chips/eeprom.c
640 @@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec
642 /* Hide Vaio security settings to regular users (16 first bytes) */
643 if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
644 - int in_row1 = 16 - off;
645 + size_t in_row1 = 16 - off;
646 + in_row1 = min(in_row1, count);
647 memset(buf, 0, in_row1);
648 if (count - in_row1 > 0)
649 memcpy(buf + in_row1, &data->data[16], count - in_row1);
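Review bot: The clamp `in_row1 = min(in_row1, count)` is the actual fix here but is not explained; a comment on the two new lines, `/* clamp to the request: a short read entirely inside the hidden 16 bytes must not zero past the end of buf */`, makes the intent obvious and also documents why `in_row1` became `size_t` (the kernel min() macro refuses a mixed int/size_t comparison). The following `memcpy(buf + in_row1, &data->data[16], count - in_row1)` still trusts that `count` was bounded against the size of `data->data` before this point; that check is outside the hunk and should be confirmed. eeprom_read starts and ends outside the hunk.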
650 diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
651 --- a/drivers/i2c/chips/it87.c
652 +++ b/drivers/i2c/chips/it87.c
653 @@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device
654 struct it87_data *data = it87_update_device(dev);
655 return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
656 }
657 -static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
658 +static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
660 static ssize_t
661 show_vrm_reg(struct device *dev, char *buf)
662 diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
663 --- a/drivers/i2c/chips/via686a.c
664 +++ b/drivers/i2c/chips/via686a.c
665 @@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device
666 struct via686a_data *data = via686a_update_device(dev);
667 return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
668 }
669 -static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
670 +static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
672 /* The driver. I choose to use type i2c_driver, as at is identical to both
673 smbus_driver and isa_driver, and clients could be of either kind */
674 diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
675 --- a/drivers/ide/ide-disk.c
676 +++ b/drivers/ide/ide-disk.c
677 @@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(
678 if (hwif->no_lba48_dma && lba48 && dma) {
679 if (block + rq->nr_sectors > 1ULL << 28)
680 dma = 0;
681 + else
682 + lba48 = 0;
683 }
685 if (!dma) {
686 @@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(
687 /* FIXME: SELECT_MASK(drive, 0) ? */
689 if (drive->select.b.lba) {
690 - if (drive->addressing == 1) {
691 + if (lba48) {
692 task_ioreg_t tasklets[10];
694 pr_debug("%s: LBA=0x%012llx\n", drive->name, block);
695 diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
696 --- a/drivers/input/serio/i8042-x86ia64io.h
697 +++ b/drivers/input/serio/i8042-x86ia64io.h
698 @@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i
699 };
700 #endif
702 -#ifdef CONFIG_ACPI
703 +#if defined(__ia64__) && defined(CONFIG_ACPI)
704 #include <linux/acpi.h>
705 #include <acpi/acpi_bus.h>
707 @@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo
708 i8042_kbd_irq = I8042_MAP_IRQ(1);
709 i8042_aux_irq = I8042_MAP_IRQ(12);
711 -#ifdef CONFIG_ACPI
712 +#if defined(__ia64__) && defined(CONFIG_ACPI)
713 if (i8042_acpi_init())
714 return -1;
715 #endif
716 @@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo
718 static inline void i8042_platform_exit(void)
719 {
720 -#ifdef CONFIG_ACPI
721 +#if defined(__ia64__) && defined(CONFIG_ACPI)
722 i8042_acpi_exit();
723 #endif
724 }
725 diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
726 --- a/drivers/md/raid6altivec.uc
727 +++ b/drivers/md/raid6altivec.uc
728 @@ -108,7 +108,11 @@ int raid6_have_altivec(void);
729 int raid6_have_altivec(void)
730 {
731 /* This assumes either all CPUs have Altivec or none does */
732 +#ifdef CONFIG_PPC64
733 return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
734 +#else
735 + return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
736 +#endif
737 }
738 #endif
740 diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
741 --- a/drivers/media/video/adv7170.c
742 +++ b/drivers/media/video/adv7170.c
743 @@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client *
744 u8 block_data[32];
746 msg.addr = client->addr;
747 - msg.flags = client->flags;
748 + msg.flags = 0;
749 while (len >= 2) {
750 msg.buf = (char *) block_data;
751 msg.len = 0;
752 diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
753 --- a/drivers/media/video/adv7175.c
754 +++ b/drivers/media/video/adv7175.c
755 @@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client *
756 u8 block_data[32];
758 msg.addr = client->addr;
759 - msg.flags = client->flags;
760 + msg.flags = 0;
761 while (len >= 2) {
762 msg.buf = (char *) block_data;
763 msg.len = 0;
764 diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
765 --- a/drivers/media/video/bt819.c
766 +++ b/drivers/media/video/bt819.c
767 @@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl
768 u8 block_data[32];
770 msg.addr = client->addr;
771 - msg.flags = client->flags;
772 + msg.flags = 0;
773 while (len >= 2) {
774 msg.buf = (char *) block_data;
775 msg.len = 0;
776 diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
777 --- a/drivers/media/video/bttv-cards.c
778 +++ b/drivers/media/video/bttv-cards.c
779 @@ -1939,7 +1939,6 @@ struct tvcard bttv_tvcards[] = {
780 .no_tda9875 = 1,
781 .no_tda7432 = 1,
782 .tuner_type = TUNER_ABSENT,
783 - .no_video = 1,
784 .pll = PLL_28,
785 },{
786 .name = "Teppro TEV-560/InterVision IV-560",
787 @@ -2718,8 +2717,6 @@ void __devinit bttv_init_card2(struct bt
788 }
789 btv->pll.pll_current = -1;
791 - bttv_reset_audio(btv);
792 -
793 /* tuner configuration (from card list / autodetect / insmod option) */
794 if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
795 if(UNSET == btv->tuner_type)
796 diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
797 --- a/drivers/media/video/saa7110.c
798 +++ b/drivers/media/video/saa7110.c
799 @@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
801 #define I2C_SAA7110 0x9C /* or 0x9E */
803 +#define SAA7110_NR_REG 0x35
804 +
805 struct saa7110 {
806 - unsigned char reg[54];
807 + u8 reg[SAA7110_NR_REG];
809 int norm;
810 int input;
811 @@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client *
812 unsigned int len)
813 {
814 int ret = -1;
815 - u8 reg = *data++;
816 + u8 reg = *data; /* first register to write to */
818 - len--;
819 + /* Sanity check */
820 + if (reg + (len - 1) > SAA7110_NR_REG)
821 + return ret;
823 /* the saa7110 has an autoincrement function, use it if
824 * the adapter understands raw I2C */
825 if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
826 struct saa7110 *decoder = i2c_get_clientdata(client);
827 struct i2c_msg msg;
828 - u8 block_data[54];
830 - msg.len = 0;
831 - msg.buf = (char *) block_data;
832 + msg.len = len;
833 + msg.buf = (char *) data;
834 msg.addr = client->addr;
835 - msg.flags = client->flags;
836 - while (len >= 1) {
837 - msg.len = 0;
838 - block_data[msg.len++] = reg;
839 - while (len-- >= 1 && msg.len < 54)
840 - block_data[msg.len++] =
841 - decoder->reg[reg++] = *data++;
842 - ret = i2c_transfer(client->adapter, &msg, 1);
843 - }
844 + msg.flags = 0;
845 + ret = i2c_transfer(client->adapter, &msg, 1);
846 +
847 + /* Cache the written data */
848 + memcpy(decoder->reg + reg, data + 1, len - 1);
849 } else {
850 - while (len-- >= 1) {
851 + for (++data, --len; len; len--) {
852 if ((ret = saa7110_write(client, reg++,
853 *data++)) < 0)
854 break;
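Review bot: The new sanity check at the top of saa7110_write_block does not cover `len == 0`: `len` is `unsigned int`, so `len - 1` wraps and `reg + (len - 1)` evaluates to `reg - 1` for any non-zero `reg`, which passes the bound; the I2C branch then does `memcpy(decoder->reg + reg, data + 1, len - 1)` with a wrapped length, and the fallback `for (++data, --len; len; len--)` loop starts at UINT_MAX and walks off the end of `data`. One guard covers both paths: `if (len == 0 || reg + (len - 1) > SAA7110_NR_REG) return ret;`. Whether any caller can actually pass a zero length is not visible here; the function's signature and its callers are outside the hunk.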
855 @@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien
856 return 0;
857 }
859 -static const unsigned char initseq[] = {
860 +static const unsigned char initseq[1 + SAA7110_NR_REG] = {
861 0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
862 /* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
863 /* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
864 diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
865 --- a/drivers/media/video/saa7114.c
866 +++ b/drivers/media/video/saa7114.c
867 @@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client *
868 u8 block_data[32];
870 msg.addr = client->addr;
871 - msg.flags = client->flags;
872 + msg.flags = 0;
873 while (len >= 2) {
874 msg.buf = (char *) block_data;
875 msg.len = 0;
876 diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
877 --- a/drivers/media/video/saa7185.c
878 +++ b/drivers/media/video/saa7185.c
879 @@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client *
880 u8 block_data[32];
882 msg.addr = client->addr;
883 - msg.flags = client->flags;
884 + msg.flags = 0;
885 while (len >= 2) {
886 msg.buf = (char *) block_data;
887 msg.len = 0;
888 diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
889 --- a/drivers/net/3c59x.c
890 +++ b/drivers/net/3c59x.c
891 @@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev)
893 if (VORTEX_PCI(vp)) {
894 pci_set_power_state(VORTEX_PCI(vp), PCI_D0); /* Go active */
895 - pci_restore_state(VORTEX_PCI(vp));
896 + if (vp->pm_state_valid)
897 + pci_restore_state(VORTEX_PCI(vp));
898 pci_enable_device(VORTEX_PCI(vp));
899 }
901 @@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int
902 outl(0, ioaddr + DownListPtr);
904 if (final_down && VORTEX_PCI(vp)) {
905 + vp->pm_state_valid = 1;
906 pci_save_state(VORTEX_PCI(vp));
907 acpi_set_WOL(dev);
908 }
909 @@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi
910 outw(RxEnable, ioaddr + EL3_CMD);
912 pci_enable_wake(VORTEX_PCI(vp), 0, 1);
913 +
914 + /* Change the power state to D3; RxEnable doesn't take effect. */
915 + pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
916 }
917 - /* Change the power state to D3; RxEnable doesn't take effect. */
918 - pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
919 }
922 diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
923 --- a/drivers/net/amd8111e.c
924 +++ b/drivers/net/amd8111e.c
925 @@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi
927 if(amd8111e_restart(dev)){
928 spin_unlock_irq(&lp->lock);
929 + if (dev->irq)
930 + free_irq(dev->irq, dev);
931 return -ENOMEM;
932 }
933 /* Start ipg timer */
934 diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
935 --- a/drivers/net/ppp_async.c
936 +++ b/drivers/net/ppp_async.c
937 @@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp
938 data += 4;
939 dlen -= 4;
940 /* data[0] is code, data[1] is length */
941 - while (dlen >= 2 && dlen >= data[1]) {
942 + while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
943 switch (data[0]) {
944 case LCP_MRU:
945 val = (data[2] << 8) + data[3];
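Review bot: The tightened loop condition guarantees only that `data[1]` bytes of the current option lie inside the buffer, yet the `LCP_MRU` case on the last line of the hunk reads `data[2]` and `data[3]`; for an option announcing length 2 or 3 those bytes are past the option, and when `dlen` is exactly that size they are past the buffer. Unless the case bodies below the hunk check the option length themselves, each case should verify it before touching its payload, e.g. `case LCP_MRU: if (data[1] < 4) break;` ahead of the MRU read, and the analogous minimum for any other option case that reads beyond `data[1]`. async_lcp_peek starts and ends outside the hunk, so I cannot see whether such checks already exist further down.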
946 diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
947 --- a/drivers/net/r8169.c
948 +++ b/drivers/net/r8169.c
949 @@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r
950 rtl8169_make_unusable_by_asic(desc);
951 }
953 -static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
954 +static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
955 {
956 - desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
957 + u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
958 +
959 + desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
960 }
962 -static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
963 - int rx_buf_sz)
964 +static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
965 + u32 rx_buf_sz)
966 {
967 desc->addr = cpu_to_le64(mapping);
968 - desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
969 + wmb();
970 + rtl8169_mark_to_asic(desc, rx_buf_sz);
971 }
973 static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
974 @@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p
975 mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
976 PCI_DMA_FROMDEVICE);
978 - rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
979 + rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
981 out:
982 return ret;
983 @@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st
984 skb_reserve(skb, NET_IP_ALIGN);
985 eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
986 *sk_buff = skb;
987 - rtl8169_return_to_asic(desc, rx_buf_sz);
988 + rtl8169_mark_to_asic(desc, rx_buf_sz);
989 ret = 0;
990 }
991 }
992 diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
993 --- a/drivers/net/sis900.c
994 +++ b/drivers/net/sis900.c
995 @@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr
996 signature = (u16) read_eeprom(ioaddr, EEPROMSignature);
997 if (signature == 0xffff || signature == 0x0000) {
998 printk (KERN_INFO "%s: Error EERPOM read %x\n",
999 - net_dev->name, signature);
1000 + pci_name(pci_dev), signature);
1001 return 0;
1004 @@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add
1005 if (!isa_bridge)
1006 isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
1007 if (!isa_bridge) {
1008 - printk("%s: Can not find ISA bridge\n", net_dev->name);
1009 + printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
1010 return 0;
1012 pci_read_config_byte(isa_bridge, 0x48, &reg);
1013 @@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct
1014 net_dev->tx_timeout = sis900_tx_timeout;
1015 net_dev->watchdog_timeo = TX_TIMEOUT;
1016 net_dev->ethtool_ops = &sis900_ethtool_ops;
1018 - ret = register_netdev(net_dev);
1019 - if (ret)
1020 - goto err_unmap_rx;
1022 /* Get Mac address according to the chip revision */
1023 pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
1024 @@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct
1026 if (ret == 0) {
1027 ret = -ENODEV;
1028 - goto err_out_unregister;
1029 + goto err_unmap_rx;
1032 /* 630ET : set the mii access mode as software-mode */
1033 @@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct
1034 /* probe for mii transceiver */
1035 if (sis900_mii_probe(net_dev) == 0) {
1036 ret = -ENODEV;
1037 - goto err_out_unregister;
1038 + goto err_unmap_rx;
1041 /* save our host bridge revision */
1042 @@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct
1043 pci_dev_put(dev);
1046 + ret = register_netdev(net_dev);
1047 + if (ret)
1048 + goto err_unmap_rx;
1050 /* print some information about our NIC */
1051 printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
1052 card_name, ioaddr, net_dev->irq);
1053 @@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct
1055 return 0;
1057 - err_out_unregister:
1058 - unregister_netdev(net_dev);
1059 err_unmap_rx:
1060 pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
1061 sis_priv->rx_ring_dma);
1062 @@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct
1063 static int __init sis900_mii_probe(struct net_device * net_dev)
1065 struct sis900_private * sis_priv = net_dev->priv;
1066 + const char *dev_name = pci_name(sis_priv->pci_dev);
1067 u16 poll_bit = MII_STAT_LINK, status = 0;
1068 unsigned long timeout = jiffies + 5 * HZ;
1069 int phy_addr;
1070 @@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc
1071 mii_phy->phy_types =
1072 (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
1073 printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
1074 - net_dev->name, mii_chip_table[i].name,
1075 + dev_name, mii_chip_table[i].name,
1076 phy_addr);
1077 break;
1080 if( !mii_chip_table[i].phy_id1 ) {
1081 printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
1082 - net_dev->name, phy_addr);
1083 + dev_name, phy_addr);
1084 mii_phy->phy_types = UNKNOWN;
1088 if (sis_priv->mii == NULL) {
1089 - printk(KERN_INFO "%s: No MII transceivers found!\n",
1090 - net_dev->name);
1091 + printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
1092 return 0;
1095 @@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc
1096 poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
1097 if (time_after_eq(jiffies, timeout)) {
1098 printk(KERN_WARNING "%s: reset phy and link down now\n",
1099 - net_dev->name);
1100 + dev_name);
1101 return -ETIME;
1104 @@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net
1105 sis_priv->mii = default_phy;
1106 sis_priv->cur_phy = default_phy->phy_addr;
1107 printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
1108 - net_dev->name,sis_priv->cur_phy);
1109 + pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
1112 status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
1113 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1114 --- a/drivers/net/tun.c
1115 +++ b/drivers/net/tun.c
1116 @@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s
1117 size_t len = count;
1119 if (!(tun->flags & TUN_NO_PI)) {
1120 - if ((len -= sizeof(pi)) > len)
1121 + if ((len -= sizeof(pi)) > count)
1122 return -EINVAL;
1124 if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
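Review bot: The corrected check `if ((len -= sizeof(pi)) > count)` is right (an underflowed `size_t` is larger than `count`), but it still relies on unsigned wraparound inside an assignment-in-condition, which is exactly the shape that hid the original `> len` typo. Stating the precondition directly is clearer and equally correct: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. A one-line comment such as `/* packet info header must fit before the payload */` would also help the next reader. tun_get_user continues outside the hunk.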
1125 diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
1126 --- a/drivers/net/via-rhine.c
1127 +++ b/drivers/net/via-rhine.c
1128 @@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device
1129 dev->name, rp->pdev->irq);
1131 rc = alloc_ring(dev);
1132 - if (rc)
1133 + if (rc) {
1134 + free_irq(rp->pdev->irq, dev);
1135 return rc;
1136 + }
1137 alloc_rbufs(dev);
1138 alloc_tbufs(dev);
1139 rhine_chip_reset(dev);
1140 @@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic
1141 struct rhine_private *rp = netdev_priv(dev);
1142 void __iomem *ioaddr = rp->base;
1144 + if (!(rp->quirks & rqWOL))
1145 + return; /* Nothing to do for non-WOL adapters */
1147 rhine_power_init(dev);
1149 /* Make sure we use pattern 0, 1 and not 4, 5 */
1150 diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
1151 --- a/drivers/net/wan/hd6457x.c
1152 +++ b/drivers/net/wan/hd6457x.c
1153 @@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card,
1154 #endif
1155 stats->rx_packets++;
1156 stats->rx_bytes += skb->len;
1157 - skb->dev->last_rx = jiffies;
1158 + dev->last_rx = jiffies;
1159 skb->protocol = hdlc_type_trans(skb, dev);
1160 netif_rx(skb);
1162 diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
1163 --- a/drivers/pci/hotplug/pciehp_ctrl.c
1164 +++ b/drivers/pci/hotplug/pciehp_ctrl.c
1165 @@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func
1166 dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n",
1167 ctrl->seg, func->bus, func->device, func->function);
1168 bridge_slot_remove(func);
1169 - } else
1170 + } else {
1171 dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n",
1172 ctrl->seg, func->bus, func->device, func->function);
1173 slot_remove(func);
1174 + }
1176 func = pciehp_slot_find(ctrl->slot_bus, device, 0);
1178 diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
1179 --- a/drivers/usb/serial/visor.c
1180 +++ b/drivers/usb/serial/visor.c
1181 @@ -386,6 +386,7 @@ struct visor_private {
1182 int bytes_in;
1183 int bytes_out;
1184 int outstanding_urbs;
1185 + int throttled;
1186 };
1188 /* number of outstanding urbs to prevent userspace DoS from happening */
1189 @@ -415,6 +416,7 @@ static int visor_open (struct usb_serial
1190 priv->bytes_in = 0;
1191 priv->bytes_out = 0;
1192 priv->outstanding_urbs = 0;
1193 + priv->throttled = 0;
1194 spin_unlock_irqrestore(&priv->lock, flags);
1196 /*
1197 @@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st
1198 struct tty_struct *tty;
1199 unsigned long flags;
1200 int i;
1201 + int throttled;
1202 int result;
1204 dbg("%s - port %d", __FUNCTION__, port->number);
1205 @@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st
1207 spin_lock_irqsave(&priv->lock, flags);
1208 priv->bytes_in += urb->actual_length;
1209 + throttled = priv->throttled;
1210 spin_unlock_irqrestore(&priv->lock, flags);
1212 - /* Continue trying to always read */
1213 - usb_fill_bulk_urb (port->read_urb, port->serial->dev,
1214 - usb_rcvbulkpipe(port->serial->dev,
1215 - port->bulk_in_endpointAddress),
1216 - port->read_urb->transfer_buffer,
1217 - port->read_urb->transfer_buffer_length,
1218 - visor_read_bulk_callback, port);
1219 - result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
1220 - if (result)
1221 - dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
1222 + /* Continue trying to always read if we should */
1223 + if (!throttled) {
1224 + usb_fill_bulk_urb (port->read_urb, port->serial->dev,
1225 + usb_rcvbulkpipe(port->serial->dev,
1226 + port->bulk_in_endpointAddress),
1227 + port->read_urb->transfer_buffer,
1228 + port->read_urb->transfer_buffer_length,
1229 + visor_read_bulk_callback, port);
1230 + result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
1231 + if (result)
1232 + dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
1233 + }
1234 return;
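Review bot: Snapshotting `priv->throttled` under the lock and then resubmitting outside it leaves a window: if visor_throttle (hunk at the end of this file section) sets the flag after the snapshot is taken, this callback still resubmits the read URB, and the later visor_unthrottle then calls `usb_submit_urb` on the same URB a second time while it is in flight. The usual way to close this is a second flag that records whether the callback actually stopped reading, set here in the throttled branch under the lock and consumed by visor_unthrottle, which resubmits only when that flag was set (and clears it under the lock). I cannot see from the hunk how the USB core reacts to the duplicate submit, so treat the race as probable rather than confirmed. The rewritten tail of the callback would look like this; visor_unthrottle would then wrap its `usb_submit_urb` in `if (priv->actually_throttled)` after clearing `throttled`.
```c
	/* Continue trying to always read if we should */
	if (!throttled) {
		/* … unchanged: usb_fill_bulk_urb / usb_submit_urb / dev_err … */
	} else {
		/* record that reading really stopped so unthrottle knows to restart it */
		spin_lock_irqsave(&priv->lock, flags);
		priv->actually_throttled = 1;
		spin_unlock_irqrestore(&priv->lock, flags);
	}
	return;
```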
1237 @@ -683,16 +689,26 @@ exit:
1239 static void visor_throttle (struct usb_serial_port *port)
1241 + struct visor_private *priv = usb_get_serial_port_data(port);
1242 + unsigned long flags;
1244 dbg("%s - port %d", __FUNCTION__, port->number);
1245 - usb_kill_urb(port->read_urb);
1246 + spin_lock_irqsave(&priv->lock, flags);
1247 + priv->throttled = 1;
1248 + spin_unlock_irqrestore(&priv->lock, flags);
1252 static void visor_unthrottle (struct usb_serial_port *port)
1254 + struct visor_private *priv = usb_get_serial_port_data(port);
1255 + unsigned long flags;
1256 int result;
1258 dbg("%s - port %d", __FUNCTION__, port->number);
1259 + spin_lock_irqsave(&priv->lock, flags);
1260 + priv->throttled = 0;
1261 + spin_unlock_irqrestore(&priv->lock, flags);
1263 port->read_urb->dev = port->serial->dev;
1264 result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
1265 diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c
1266 --- a/drivers/video/matrox/matroxfb_accel.c
1267 +++ b/drivers/video/matrox/matroxfb_accel.c
1268 @@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI
1269 } else if (step == 1) {
1270 /* Special case for 1..8bit widths */
1271 while (height--) {
1272 - mga_writel(mmio, 0, *chardata);
1273 +#if defined(__BIG_ENDIAN)
1274 + fb_writel((*chardata) << 24, mmio.vaddr);
1275 +#else
1276 + fb_writel(*chardata, mmio.vaddr);
1277 +#endif
1278 chardata++;
1280 } else if (step == 2) {
1281 /* Special case for 9..15bit widths */
1282 while (height--) {
1283 - mga_writel(mmio, 0, *(u_int16_t*)chardata);
1284 +#if defined(__BIG_ENDIAN)
1285 + fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr);
1286 +#else
1287 + fb_writel(*(u_int16_t*)chardata, mmio.vaddr);
1288 +#endif
1289 chardata += 2;
1291 } else {
1292 @@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI
1294 for (i = 0; i < step; i += 4) {
1295 /* Hope that there are at least three readable bytes beyond the end of bitmap */
1296 - mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i)));
1297 + fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr);
1299 chardata += step;
1301 diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h
1302 --- a/drivers/video/matrox/matroxfb_base.h
1303 +++ b/drivers/video/matrox/matroxfb_base.h
1304 @@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr
1306 if ((unsigned long)src & 3) {
1307 while (len >= 4) {
1308 - writel(get_unaligned((u32 *)src), addr);
1309 + fb_writel(get_unaligned((u32 *)src), addr);
1310 addr++;
1311 len -= 4;
1312 src += 4;
1314 } else {
1315 while (len >= 4) {
1316 - writel(*(u32 *)src, addr);
1317 + fb_writel(*(u32 *)src, addr);
1318 addr++;
1319 len -= 4;
1320 src += 4;
1321 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
1322 --- a/fs/binfmt_elf.c
1323 +++ b/fs/binfmt_elf.c
1324 @@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b
1327 /* Populate argv and envp */
1328 - p = current->mm->arg_start;
1329 + p = current->mm->arg_end = current->mm->arg_start;
1330 while (argc-- > 0) {
1331 size_t len;
1332 __put_user((elf_addr_t)p, argv++);
1333 @@ -1008,6 +1008,7 @@ out_free_ph:
1334 static int load_elf_library(struct file *file)
1336 struct elf_phdr *elf_phdata;
1337 + struct elf_phdr *eppnt;
1338 unsigned long elf_bss, bss, len;
1339 int retval, error, i, j;
1340 struct elfhdr elf_ex;
1341 @@ -1031,44 +1032,47 @@ static int load_elf_library(struct file
1342 /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
1344 error = -ENOMEM;
1345 - elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
1346 + elf_phdata = kmalloc(j, GFP_KERNEL);
1347 if (!elf_phdata)
1348 goto out;
1350 + eppnt = elf_phdata;
1351 error = -ENOEXEC;
1352 - retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
1353 + retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
1354 if (retval != j)
1355 goto out_free_ph;
1357 for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
1358 - if ((elf_phdata + i)->p_type == PT_LOAD) j++;
1359 + if ((eppnt + i)->p_type == PT_LOAD)
1360 + j++;
1361 if (j != 1)
1362 goto out_free_ph;
1364 - while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
1365 + while (eppnt->p_type != PT_LOAD)
1366 + eppnt++;
1368 /* Now use mmap to map the library into memory. */
1369 down_write(&current->mm->mmap_sem);
1370 error = do_mmap(file,
1371 - ELF_PAGESTART(elf_phdata->p_vaddr),
1372 - (elf_phdata->p_filesz +
1373 - ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
1374 + ELF_PAGESTART(eppnt->p_vaddr),
1375 + (eppnt->p_filesz +
1376 + ELF_PAGEOFFSET(eppnt->p_vaddr)),
1377 PROT_READ | PROT_WRITE | PROT_EXEC,
1378 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
1379 - (elf_phdata->p_offset -
1380 - ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
1381 + (eppnt->p_offset -
1382 + ELF_PAGEOFFSET(eppnt->p_vaddr)));
1383 up_write(&current->mm->mmap_sem);
1384 - if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
1385 + if (error != ELF_PAGESTART(eppnt->p_vaddr))
1386 goto out_free_ph;
1388 - elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
1389 + elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
1390 if (padzero(elf_bss)) {
1391 error = -EFAULT;
1392 goto out_free_ph;
1395 - len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
1396 - bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
1397 + len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
1398 + bss = eppnt->p_memsz + eppnt->p_vaddr;
1399 if (bss > len) {
1400 down_write(&current->mm->mmap_sem);
1401 do_brk(len, bss - len);
1402 @@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs
1403 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1404 struct mm_struct *mm)
1406 - int i, len;
1407 + unsigned int i, len;
1409 /* first copy the parameters from user space */
1410 memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1411 diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
1412 --- a/fs/cramfs/inode.c
1413 +++ b/fs/cramfs/inode.c
1414 @@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st
1415 inode->i_data.a_ops = &cramfs_aops;
1416 } else {
1417 inode->i_size = 0;
1418 + inode->i_blocks = 0;
1419 init_special_inode(inode, inode->i_mode,
1420 old_decode_dev(cramfs_inode->size));
1422 diff --git a/fs/eventpoll.c b/fs/eventpoll.c
1423 --- a/fs/eventpoll.c
1424 +++ b/fs/eventpoll.c
1425 @@ -619,6 +619,7 @@ eexit_1:
1426 return error;
1429 +#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
1431 /*
1432 * Implement the event wait interface for the eventpoll file. It is the kernel
1433 @@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd,
1434 current, epfd, events, maxevents, timeout));
1436 /* The maximum number of event must be greater than zero */
1437 - if (maxevents <= 0)
1438 + if (maxevents <= 0 || maxevents > MAX_EVENTS)
1439 return -EINVAL;
1441 /* Verify that the area passed by the user is writeable */
1442 diff --git a/fs/exec.c b/fs/exec.c
1443 --- a/fs/exec.c
1444 +++ b/fs/exec.c
1445 @@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas
1447 /* buf must be at least sizeof(tsk->comm) in size */
1448 task_lock(tsk);
1449 - memcpy(buf, tsk->comm, sizeof(tsk->comm));
1450 + strncpy(buf, tsk->comm, sizeof(tsk->comm));
1451 task_unlock(tsk);
1454 diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
1455 --- a/fs/ext2/dir.c
1456 +++ b/fs/ext2/dir.c
1457 @@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
1458 goto fail;
1460 kaddr = kmap_atomic(page, KM_USER0);
1461 + memset(kaddr, 0, chunk_size);
1462 de = (struct ext2_dir_entry_2 *)kaddr;
1463 de->name_len = 1;
1464 de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
1465 diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
1466 --- a/fs/ext3/balloc.c
1467 +++ b/fs/ext3/balloc.c
1468 @@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino
1470 if (!rsv_is_empty(&rsv->rsv_window)) {
1471 spin_lock(rsv_lock);
1472 - rsv_window_remove(inode->i_sb, rsv);
1473 + if (!rsv_is_empty(&rsv->rsv_window))
1474 + rsv_window_remove(inode->i_sb, rsv);
1475 spin_unlock(rsv_lock);
1478 diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
1479 --- a/fs/hfs/mdb.c
1480 +++ b/fs/hfs/mdb.c
1481 @@ -333,6 +333,8 @@ void hfs_mdb_close(struct super_block *s
1482 * Release the resources associated with the in-core MDB. */
1483 void hfs_mdb_put(struct super_block *sb)
1485 + if (!HFS_SB(sb))
1486 + return;
1487 /* free the B-trees */
1488 hfs_btree_close(HFS_SB(sb)->ext_tree);
1489 hfs_btree_close(HFS_SB(sb)->cat_tree);
1490 @@ -340,4 +342,7 @@ void hfs_mdb_put(struct super_block *sb)
1491 /* free the buffers holding the primary and alternate MDBs */
1492 brelse(HFS_SB(sb)->mdb_bh);
1493 brelse(HFS_SB(sb)->alt_mdb_bh);
1495 + kfree(HFS_SB(sb));
1496 + sb->s_fs_info = NULL;
1498 diff --git a/fs/hfs/super.c b/fs/hfs/super.c
1499 --- a/fs/hfs/super.c
1500 +++ b/fs/hfs/super.c
1501 @@ -263,7 +263,7 @@ static int hfs_fill_super(struct super_b
1502 res = -EINVAL;
1503 if (!parse_options((char *)data, sbi)) {
1504 hfs_warn("hfs_fs: unable to parse mount options.\n");
1505 - goto bail3;
1506 + goto bail;
1509 sb->s_op = &hfs_super_operations;
1510 @@ -276,7 +276,7 @@ static int hfs_fill_super(struct super_b
1511 hfs_warn("VFS: Can't find a HFS filesystem on dev %s.\n",
1512 hfs_mdb_name(sb));
1513 res = -EINVAL;
1514 - goto bail2;
1515 + goto bail;
1518 /* try to get the root inode */
1519 @@ -306,10 +306,8 @@ bail_iput:
1520 iput(root_inode);
1521 bail_no_root:
1522 hfs_warn("hfs_fs: get root inode failed.\n");
1523 +bail:
1524 hfs_mdb_put(sb);
1525 -bail2:
1526 -bail3:
1527 - kfree(sbi);
1528 return res;
1531 diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
1532 --- a/fs/hfsplus/super.c
1533 +++ b/fs/hfsplus/super.c
1534 @@ -207,7 +207,9 @@ static void hfsplus_write_super(struct s
1535 static void hfsplus_put_super(struct super_block *sb)
1537 dprint(DBG_SUPER, "hfsplus_put_super\n");
1538 - if (!(sb->s_flags & MS_RDONLY)) {
1539 + if (!sb->s_fs_info)
1540 + return;
1541 + if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) {
1542 struct hfsplus_vh *vhdr = HFSPLUS_SB(sb).s_vhdr;
1544 vhdr->modify_date = hfsp_now2mt();
1545 @@ -223,6 +225,8 @@ static void hfsplus_put_super(struct sup
1546 iput(HFSPLUS_SB(sb).alloc_file);
1547 iput(HFSPLUS_SB(sb).hidden_dir);
1548 brelse(HFSPLUS_SB(sb).s_vhbh);
1549 + kfree(sb->s_fs_info);
1550 + sb->s_fs_info = NULL;
1553 static int hfsplus_statfs(struct super_block *sb, struct kstatfs *buf)
1554 diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
1555 --- a/fs/isofs/inode.c
1556 +++ b/fs/isofs/inode.c
1557 @@ -685,6 +685,8 @@ root_found:
1558 sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
1559 sbi->s_max_size = isonum_733(h_pri->volume_space_size);
1560 } else {
1561 + if (!pri)
1562 + goto out_freebh;
1563 rootp = (struct iso_directory_record *) pri->root_directory_record;
1564 sbi->s_nzones = isonum_733 (pri->volume_space_size);
1565 sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
1566 @@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl
1567 struct inode *inode;
1568 struct isofs_iget5_callback_data data;
1570 + if (offset >= 1ul << sb->s_blocksize_bits)
1571 + return NULL;
1573 data.block = block;
1574 data.offset = offset;
1576 diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
1577 --- a/fs/isofs/rock.c
1578 +++ b/fs/isofs/rock.c
1579 @@ -53,6 +53,7 @@
1580 if(LEN & 1) LEN++; \
1581 CHR = ((unsigned char *) DE) + LEN; \
1582 LEN = *((unsigned char *) DE) - LEN; \
1583 + if (LEN<0) LEN=0; \
1584 if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \
1585 { \
1586 LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \
1587 @@ -73,6 +74,10 @@
1588 offset1 = 0; \
1589 pbh = sb_bread(DEV->i_sb, block); \
1590 if(pbh){ \
1591 + if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \
1592 + brelse(pbh); \
1593 + goto out; \
1594 + } \
1595 memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
1596 brelse(pbh); \
1597 chr = (unsigned char *) buffer; \
1598 @@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d
1599 struct rock_ridge * rr;
1600 int sig;
1602 - while (len > 1){ /* There may be one byte for padding somewhere */
1603 + while (len > 2){ /* There may be one byte for padding somewhere */
1604 rr = (struct rock_ridge *) chr;
1605 - if (rr->len == 0) goto out; /* Something got screwed up here */
1606 + if (rr->len < 3) goto out; /* Something got screwed up here */
1607 sig = isonum_721(chr);
1608 chr += rr->len;
1609 len -= rr->len;
1610 + if (len < 0) goto out; /* corrupted isofs */
1612 switch(sig){
1613 case SIG('R','R'):
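Review bot: `if (rr->len < 3) goto out;` guarantees only the two signature bytes and the length byte are readable, yet the `case` bodies that follow the `switch` (outside this hunk) read signature-specific payload from the entry; within this file only the `NM` case gets an explicit `if (rr->len < 5) break;` (hunk at @@ -122). A per-signature minimum-length check placed before the `switch` — a small table mapping `sig` to the smallest valid `rr->len`, skipping the entry when `rr->len` is below it — would cover every signature uniformly instead of one case at a time. The same `len > 2` / `rr->len < 3` / `len < 0` guards are repeated in parse_rock_ridge_inode_internal and rock_ridge_symlink_readpage (the next two hunks in this file), which have the same gap and could share the table. get_rock_ridge_filename continues outside the hunk, so I cannot see which cases already check their own length.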
1614 @@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d
1615 break;
1616 case SIG('N','M'):
1617 if (truncate) break;
1618 + if (rr->len < 5) break;
1619 /*
1620 * If the flags are 2 or 4, this indicates '.' or '..'.
1621 * We don't want to do anything with this, because it
1622 @@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i
1623 struct rock_ridge * rr;
1624 int rootflag;
1626 - while (len > 1){ /* There may be one byte for padding somewhere */
1627 + while (len > 2){ /* There may be one byte for padding somewhere */
1628 rr = (struct rock_ridge *) chr;
1629 - if (rr->len == 0) goto out; /* Something got screwed up here */
1630 + if (rr->len < 3) goto out; /* Something got screwed up here */
1631 sig = isonum_721(chr);
1632 chr += rr->len;
1633 len -= rr->len;
1634 + if (len < 0) goto out; /* corrupted isofs */
1636 switch(sig){
1637 #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */
1638 @@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s
1639 struct rock_ridge *rr;
1641 if (!ISOFS_SB(inode->i_sb)->s_rock)
1642 - panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
1643 + goto error;
1645 block = ei->i_iget5_block;
1646 lock_kernel();
1647 @@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s
1648 SETUP_ROCK_RIDGE(raw_inode, chr, len);
1650 repeat:
1651 - while (len > 1) { /* There may be one byte for padding somewhere */
1652 + while (len > 2) { /* There may be one byte for padding somewhere */
1653 rr = (struct rock_ridge *) chr;
1654 - if (rr->len == 0)
1655 + if (rr->len < 3)
1656 goto out; /* Something got screwed up here */
1657 sig = isonum_721(chr);
1658 chr += rr->len;
1659 len -= rr->len;
1660 + if (len < 0)
1661 + goto out; /* corrupted isofs */
1663 switch (sig) {
1664 case SIG('R', 'R'):
1665 @@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s
1666 fail:
1667 brelse(bh);
1668 unlock_kernel();
1669 + error:
1670 SetPageError(page);
1671 kunmap(page);
1672 unlock_page(page);
1673 diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
1674 --- a/fs/jbd/checkpoint.c
1675 +++ b/fs/jbd/checkpoint.c
1676 @@ -339,8 +339,10 @@ int log_do_checkpoint(journal_t *journal
1678 } while (jh != last_jh && !retry);
1680 - if (batch_count)
1681 + if (batch_count) {
1682 __flush_batch(journal, bhs, &batch_count);
1683 + retry = 1;
1684 + }
1686 /*
1687 * If someone cleaned up this transaction while we slept, we're
1688 diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
1689 --- a/fs/jbd/transaction.c
1690 +++ b/fs/jbd/transaction.c
1691 @@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
1692 JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
1693 ret = __dispose_buffer(jh,
1694 journal->j_running_transaction);
1695 + journal_put_journal_head(jh);
1696 spin_unlock(&journal->j_list_lock);
1697 jbd_unlock_bh_state(bh);
1698 spin_unlock(&journal->j_state_lock);
1699 - journal_put_journal_head(jh);
1700 return ret;
1701 } else {
1702 /* There is no currently-running transaction. So the
1703 @@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
1704 JBUFFER_TRACE(jh, "give to committing trans");
1705 ret = __dispose_buffer(jh,
1706 journal->j_committing_transaction);
1707 + journal_put_journal_head(jh);
1708 spin_unlock(&journal->j_list_lock);
1709 jbd_unlock_bh_state(bh);
1710 spin_unlock(&journal->j_state_lock);
1711 - journal_put_journal_head(jh);
1712 return ret;
1713 } else {
1714 /* The orphan record's transaction has
1715 @@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
1716 journal->j_running_transaction);
1717 jh->b_next_transaction = NULL;
1719 + journal_put_journal_head(jh);
1720 spin_unlock(&journal->j_list_lock);
1721 jbd_unlock_bh_state(bh);
1722 spin_unlock(&journal->j_state_lock);
1723 - journal_put_journal_head(jh);
1724 return 0;
1725 } else {
1726 /* Good, the buffer belongs to the running transaction.
1727 diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h
1728 --- a/include/asm-x86_64/processor.h
1729 +++ b/include/asm-x86_64/processor.h
1730 @@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne
1733 /*
1734 - * User space process size. 47bits.
1735 + * User space process size. 47bits minus one guard page.
1736 */
1737 -#define TASK_SIZE (0x800000000000UL)
1738 +#define TASK_SIZE (0x800000000000UL - 4096)
1740 /* This decides where the kernel will search for a free chunk of vm
1741 * space during mmap's.
1742 diff --git a/include/linux/err.h b/include/linux/err.h
1743 --- a/include/linux/err.h
1744 +++ b/include/linux/err.h
1745 @@ -13,6 +13,8 @@
1746 * This should be a per-architecture thing, to allow different
1747 * error and pointer decisions.
1748 */
1749 +#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
1751 static inline void *ERR_PTR(long error)
1753 return (void *) error;
1754 @@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p
1756 static inline long IS_ERR(const void *ptr)
1758 - return unlikely((unsigned long)ptr > (unsigned long)-1000L);
1759 + return IS_ERR_VALUE((unsigned long)ptr);
1762 #endif /* _LINUX_ERR_H */
1763 diff --git a/kernel/exit.c b/kernel/exit.c
1764 --- a/kernel/exit.c
1765 +++ b/kernel/exit.c
1766 @@ -516,8 +516,6 @@ static inline void choose_new_parent(tas
1767 */
1768 BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
1769 p->real_parent = reaper;
1770 - if (p->parent == p->real_parent)
1771 - BUG();
1774 static inline void reparent_thread(task_t *p, task_t *father, int traced)
1775 diff --git a/kernel/signal.c b/kernel/signal.c
1776 --- a/kernel/signal.c
1777 +++ b/kernel/signal.c
1778 @@ -1728,6 +1728,7 @@ do_signal_stop(int signr)
1779 * with another processor delivering a stop signal,
1780 * then the SIGCONT that wakes us up should clear it.
1781 */
1782 + read_unlock(&tasklist_lock);
1783 return 0;
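Review bot: The added `read_unlock(&tasklist_lock)` closes one early return that leaked the read lock, but do_signal_stop's remaining exit paths lie outside the hunk and cannot be checked here. Funnelling every early exit through a single `out_unlock: read_unlock(&tasklist_lock); return 0;` label would make this class of omission structurally impossible rather than relying on each return site remembering the unlock.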
1786 diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
1787 --- a/lib/rwsem-spinlock.c
1788 +++ b/lib/rwsem-spinlock.c
1789 @@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
1791 rwsemtrace(sem, "Entering __down_read");
1793 - spin_lock(&sem->wait_lock);
1794 + spin_lock_irq(&sem->wait_lock);
1796 if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
1797 /* granted */
1798 sem->activity++;
1799 - spin_unlock(&sem->wait_lock);
1800 + spin_unlock_irq(&sem->wait_lock);
1801 goto out;
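Review bot: `spin_lock_irq`/`spin_unlock_irq` in __down_read unconditionally re-enable interrupts on unlock, which is only correct because this path can sleep and must therefore be entered with interrupts enabled; the trylock and up paths in the later hunks use irqsave/irqrestore for exactly that reason. That assumption is not stated anywhere in the hunk; add `/* may sleep, so the caller must have interrupts enabled: plain _irq is safe here */` above the first lock so the asymmetry is not "fixed" later. __down_read's body continues outside the hunk.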
1804 @@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
1805 list_add_tail(&waiter.list, &sem->wait_list);
1807 /* we don't need to touch the semaphore struct anymore */
1808 - spin_unlock(&sem->wait_lock);
1809 + spin_unlock_irq(&sem->wait_lock);
1811 /* wait to be given the lock */
1812 for (;;) {
1813 @@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
1814 */
1815 int fastcall __down_read_trylock(struct rw_semaphore *sem)
1817 + unsigned long flags;
1818 int ret = 0;
1820 rwsemtrace(sem, "Entering __down_read_trylock");
1822 - spin_lock(&sem->wait_lock);
1823 + spin_lock_irqsave(&sem->wait_lock, flags);
1825 if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
1826 /* granted */
1827 @@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct
1828 ret = 1;
1831 - spin_unlock(&sem->wait_lock);
1832 + spin_unlock_irqrestore(&sem->wait_lock, flags);
1834 rwsemtrace(sem, "Leaving __down_read_trylock");
1835 return ret;
1836 @@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
1838 rwsemtrace(sem, "Entering __down_write");
1840 - spin_lock(&sem->wait_lock);
1841 + spin_lock_irq(&sem->wait_lock);
1843 if (sem->activity == 0 && list_empty(&sem->wait_list)) {
1844 /* granted */
1845 sem->activity = -1;
1846 - spin_unlock(&sem->wait_lock);
1847 + spin_unlock_irq(&sem->wait_lock);
1848 goto out;
1851 @@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
1852 list_add_tail(&waiter.list, &sem->wait_list);
1854 /* we don't need to touch the semaphore struct anymore */
1855 - spin_unlock(&sem->wait_lock);
1856 + spin_unlock_irq(&sem->wait_lock);
1858 /* wait to be given the lock */
1859 for (;;) {
1860 @@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
1861 */
1862 int fastcall __down_write_trylock(struct rw_semaphore *sem)
1864 + unsigned long flags;
1865 int ret = 0;
1867 rwsemtrace(sem, "Entering __down_write_trylock");
1869 - spin_lock(&sem->wait_lock);
1870 + spin_lock_irqsave(&sem->wait_lock, flags);
1872 if (sem->activity == 0 && list_empty(&sem->wait_list)) {
1873 /* granted */
1874 @@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
1875 ret = 1;
1878 - spin_unlock(&sem->wait_lock);
1879 + spin_unlock_irqrestore(&sem->wait_lock, flags);
1881 rwsemtrace(sem, "Leaving __down_write_trylock");
1882 return ret;
1883 @@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
1884 */
1885 void fastcall __up_read(struct rw_semaphore *sem)
1887 + unsigned long flags;
1889 rwsemtrace(sem, "Entering __up_read");
1891 - spin_lock(&sem->wait_lock);
1892 + spin_lock_irqsave(&sem->wait_lock, flags);
1894 if (--sem->activity == 0 && !list_empty(&sem->wait_list))
1895 sem = __rwsem_wake_one_writer(sem);
1897 - spin_unlock(&sem->wait_lock);
1898 + spin_unlock_irqrestore(&sem->wait_lock, flags);
1900 rwsemtrace(sem, "Leaving __up_read");
1902 @@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
1903 */
1904 void fastcall __up_write(struct rw_semaphore *sem)
1906 + unsigned long flags;
1908 rwsemtrace(sem, "Entering __up_write");
1910 - spin_lock(&sem->wait_lock);
1911 + spin_lock_irqsave(&sem->wait_lock, flags);
1913 sem->activity = 0;
1914 if (!list_empty(&sem->wait_list))
1915 sem = __rwsem_do_wake(sem, 1);
1917 - spin_unlock(&sem->wait_lock);
1918 + spin_unlock_irqrestore(&sem->wait_lock, flags);
1920 rwsemtrace(sem, "Leaving __up_write");
1922 @@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
1923 */
1924 void fastcall __downgrade_write(struct rw_semaphore *sem)
1926 + unsigned long flags;
1928 rwsemtrace(sem, "Entering __downgrade_write");
1930 - spin_lock(&sem->wait_lock);
1931 + spin_lock_irqsave(&sem->wait_lock, flags);
1933 sem->activity = 1;
1934 if (!list_empty(&sem->wait_list))
1935 sem = __rwsem_do_wake(sem, 0);
1937 - spin_unlock(&sem->wait_lock);
1938 + spin_unlock_irqrestore(&sem->wait_lock, flags);
1940 rwsemtrace(sem, "Leaving __downgrade_write");
1942 diff --git a/lib/rwsem.c b/lib/rwsem.c
1943 --- a/lib/rwsem.c
1944 +++ b/lib/rwsem.c
1945 @@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
1946 set_task_state(tsk, TASK_UNINTERRUPTIBLE);
1948 /* set up my own style of waitqueue */
1949 - spin_lock(&sem->wait_lock);
1950 + spin_lock_irq(&sem->wait_lock);
1951 waiter->task = tsk;
1952 get_task_struct(tsk);
1954 @@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
1955 if (!(count & RWSEM_ACTIVE_MASK))
1956 sem = __rwsem_do_wake(sem, 0);
1958 - spin_unlock(&sem->wait_lock);
1959 + spin_unlock_irq(&sem->wait_lock);
1961 /* wait to be given the lock */
1962 for (;;) {
1963 @@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
1964 */
1965 struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
1967 + unsigned long flags;
1969 rwsemtrace(sem, "Entering rwsem_wake");
1971 - spin_lock(&sem->wait_lock);
1972 + spin_lock_irqsave(&sem->wait_lock, flags);
1974 /* do nothing if list empty */
1975 if (!list_empty(&sem->wait_list))
1976 sem = __rwsem_do_wake(sem, 0);
1978 - spin_unlock(&sem->wait_lock);
1979 + spin_unlock_irqrestore(&sem->wait_lock, flags);
1981 rwsemtrace(sem, "Leaving rwsem_wake");
1983 @@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
1984 */
1985 struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
1987 + unsigned long flags;
1989 rwsemtrace(sem, "Entering rwsem_downgrade_wake");
1991 - spin_lock(&sem->wait_lock);
1992 + spin_lock_irqsave(&sem->wait_lock, flags);
1994 /* do nothing if list empty */
1995 if (!list_empty(&sem->wait_list))
1996 sem = __rwsem_do_wake(sem, 1);
1998 - spin_unlock(&sem->wait_lock);
1999 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2001 rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
2002 return sem;
2003 diff --git a/mm/mmap.c b/mm/mmap.c
2004 --- a/mm/mmap.c
2005 +++ b/mm/mmap.c
2006 @@ -1315,37 +1315,40 @@ unsigned long
2007 get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
2008 unsigned long pgoff, unsigned long flags)
2010 - if (flags & MAP_FIXED) {
2011 - unsigned long ret;
2012 + unsigned long ret;
2014 - if (addr > TASK_SIZE - len)
2015 - return -ENOMEM;
2016 - if (addr & ~PAGE_MASK)
2017 - return -EINVAL;
2018 - if (file && is_file_hugepages(file)) {
2019 - /*
2020 - * Check if the given range is hugepage aligned, and
2021 - * can be made suitable for hugepages.
2022 - */
2023 - ret = prepare_hugepage_range(addr, len);
2024 - } else {
2025 - /*
2026 - * Ensure that a normal request is not falling in a
2027 - * reserved hugepage range. For some archs like IA-64,
2028 - * there is a separate region for hugepages.
2029 - */
2030 - ret = is_hugepage_only_range(addr, len);
2031 - }
2032 - if (ret)
2033 - return -EINVAL;
2034 - return addr;
2035 - }
2036 + if (!(flags & MAP_FIXED)) {
2037 + unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
2039 - if (file && file->f_op && file->f_op->get_unmapped_area)
2040 - return file->f_op->get_unmapped_area(file, addr, len,
2041 - pgoff, flags);
2042 + get_area = current->mm->get_unmapped_area;
2043 + if (file && file->f_op && file->f_op->get_unmapped_area)
2044 + get_area = file->f_op->get_unmapped_area;
2045 + addr = get_area(file, addr, len, pgoff, flags);
2046 + if (IS_ERR_VALUE(addr))
2047 + return addr;
2048 + }
2050 - return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
2051 + if (addr > TASK_SIZE - len)
2052 + return -ENOMEM;
2053 + if (addr & ~PAGE_MASK)
2054 + return -EINVAL;
2055 + if (file && is_file_hugepages(file)) {
2056 + /*
2057 + * Check if the given range is hugepage aligned, and
2058 + * can be made suitable for hugepages.
2059 + */
2060 + ret = prepare_hugepage_range(addr, len);
2061 + } else {
2062 + /*
2063 + * Ensure that a normal request is not falling in a
2064 + * reserved hugepage range. For some archs like IA-64,
2065 + * there is a separate region for hugepages.
2066 + */
2067 + ret = is_hugepage_only_range(addr, len);
2068 + }
2069 + if (ret)
2070 + return -EINVAL;
2071 + return addr;
2074 EXPORT_SYMBOL(get_unmapped_area);
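Review bot: `if (addr > TASK_SIZE - len)` underflows when len exceeds TASK_SIZE, so an oversized request passes the range check with a wrapped-around bound; get_unmapped_area is exported (EXPORT_SYMBOL below) and the hunk gives no evidence that every caller pre-validates len the way do_mmap_pgoff presumably does. An explicit `if (len > TASK_SIZE) return -ENOMEM;` at the top of the function would make the check self-contained regardless of caller. It would also help to add a one-line comment above the range check noting that the alignment, range and hugepage checks now apply to the address chosen by get_area() as well as to MAP_FIXED requests, since that is the behavioural change here.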
2075 diff --git a/mm/rmap.c b/mm/rmap.c
2076 --- a/mm/rmap.c
2077 +++ b/mm/rmap.c
2078 @@ -641,7 +641,7 @@ static void try_to_unmap_cluster(unsigne
2079 pgd_t *pgd;
2080 pud_t *pud;
2081 pmd_t *pmd;
2082 - pte_t *pte;
2083 + pte_t *pte, *original_pte;
2084 pte_t pteval;
2085 struct page *page;
2086 unsigned long address;
2087 @@ -673,7 +673,7 @@ static void try_to_unmap_cluster(unsigne
2088 if (!pmd_present(*pmd))
2089 goto out_unlock;
2091 - for (pte = pte_offset_map(pmd, address);
2092 + for (original_pte = pte = pte_offset_map(pmd, address);
2093 address < end; pte++, address += PAGE_SIZE) {
2095 if (!pte_present(*pte))
2096 @@ -710,7 +710,7 @@ static void try_to_unmap_cluster(unsigne
2097 (*mapcount)--;
2100 - pte_unmap(pte);
2101 + pte_unmap(original_pte);
2103 out_unlock:
2104 spin_unlock(&mm->page_table_lock);
2105 diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
2106 --- a/net/bluetooth/af_bluetooth.c
2107 +++ b/net/bluetooth/af_bluetooth.c
2108 @@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
2110 int bt_sock_register(int proto, struct net_proto_family *ops)
2112 - if (proto >= BT_MAX_PROTO)
2113 + if (proto < 0 || proto >= BT_MAX_PROTO)
2114 return -EINVAL;
2116 if (bt_proto[proto])
2117 @@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
2119 int bt_sock_unregister(int proto)
2121 - if (proto >= BT_MAX_PROTO)
2122 + if (proto < 0 || proto >= BT_MAX_PROTO)
2123 return -EINVAL;
2125 if (!bt_proto[proto])
2126 @@ -92,7 +92,7 @@ static int bt_sock_create(struct socket
2128 int err = 0;
2130 - if (proto >= BT_MAX_PROTO)
2131 + if (proto < 0 || proto >= BT_MAX_PROTO)
2132 return -EINVAL;
2134 #if defined(CONFIG_KMOD)
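Review bot: The `proto < 0` test in bt_sock_create is the one on the untrusted path, since proto presumably arrives from the socket(2) protocol argument via a caller outside the hunk, and it closes a negative index into bt_proto[]; the same check is now duplicated verbatim across three functions. A single `static inline int bt_proto_valid(int proto) { return proto >= 0 && proto < BT_MAX_PROTO; }` used by all three would keep them from drifting the next time the bound changes.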
2135 diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
2136 --- a/net/bridge/br_input.c
2137 +++ b/net/bridge/br_input.c
2138 @@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
2139 struct net_bridge_fdb_entry *dst;
2140 int passedup = 0;
2142 + /* insert into forwarding database after filtering to avoid spoofing */
2143 + br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
2145 if (br->dev->flags & IFF_PROMISC) {
2146 struct sk_buff *skb2;
2148 @@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
2149 if (eth_hdr(skb)->h_source[0] & 1)
2150 goto err;
2152 - if (p->state == BR_STATE_LEARNING ||
2153 - p->state == BR_STATE_FORWARDING)
2154 + if (p->state == BR_STATE_LEARNING)
2155 br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
2157 if (p->br->stp_enabled &&
2158 diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
2159 --- a/net/bridge/br_stp_bpdu.c
2160 +++ b/net/bridge/br_stp_bpdu.c
2161 @@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
2162 struct net_bridge *br = p->br;
2163 unsigned char *buf;
2165 + /* insert into forwarding database after filtering to avoid spoofing */
2166 + br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
2168 /* need at least the 802 and STP headers */
2169 if (!pskb_may_pull(skb, sizeof(header)+1) ||
2170 memcmp(skb->data, header, sizeof(header)))
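Review bot: The new br_fdb_insert runs before pskb_may_pull has verified that the frame even carries the STP header, so a truncated or non-STP frame reaching this handler still updates the forwarding database with its source address. That is no worse than the previous unconditional learning in br_handle_frame, but since the stated intent is to learn only after filtering, placing the insert after the header check would be more consistent with the comment; the rest of br_stp_handle_bpdu, including any later validation, is outside the hunk.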
2171 diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
2172 --- a/net/bridge/netfilter/ebtables.c
2173 +++ b/net/bridge/netfilter/ebtables.c
2174 @@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int
2175 struct ebt_chainstack *cs;
2176 struct ebt_entries *chaininfo;
2177 char *base;
2178 - struct ebt_table_info *private = table->private;
2179 + struct ebt_table_info *private;
2181 read_lock_bh(&table->lock);
2182 + private = table->private;
2183 cb_base = COUNTER_BASE(private->counters, private->nentries,
2184 smp_processor_id());
2185 if (private->chainstack)
2186 diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
2187 --- a/net/ipv4/fib_hash.c
2188 +++ b/net/ipv4/fib_hash.c
2189 @@ -919,13 +919,23 @@ out:
2190 return fa;
2193 +static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
2194 +{
2195 + struct fib_alias *fa = fib_get_first(seq);
2197 + if (fa)
2198 + while (pos && (fa = fib_get_next(seq)))
2199 + --pos;
2200 + return pos ? NULL : fa;
2201 +}
2203 static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
2205 void *v = NULL;
2207 read_lock(&fib_hash_lock);
2208 if (ip_fib_main_table)
2209 - v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
2210 + v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
2211 return v;
2214 diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
2215 --- a/net/ipv4/netfilter/ip_queue.c
2216 +++ b/net/ipv4/netfilter/ip_queue.c
2217 @@ -3,6 +3,7 @@
2218 * communicating with userspace via netlink.
2220 * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
2221 + * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
2223 * This program is free software; you can redistribute it and/or modify
2224 * it under the terms of the GNU General Public License version 2 as
2225 @@ -14,6 +15,7 @@
2226 * Zander).
2227 * 2000-08-01: Added Nick Williams' MAC support.
2228 * 2002-06-25: Code cleanup.
2229 + * 2005-05-26: local_bh_{disable,enable} around nf_reinject (Harald Welte)
2231 */
2232 #include <linux/module.h>
2233 @@ -66,7 +68,15 @@ static DECLARE_MUTEX(ipqnl_sem);
2234 static void
2235 ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
2237 + /* TCP input path (and probably other bits) assume to be called
2238 + * from softirq context, not from syscall, like ipq_issue_verdict is
2239 + * called. TCP input path deadlocks with locks taken from timer
2240 + * softirq, e.g. We therefore emulate this by local_bh_disable() */
2242 + local_bh_disable();
2243 nf_reinject(entry->skb, entry->info, verdict);
2244 + local_bh_enable();
2246 kfree(entry);
2249 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
2250 --- a/net/ipv4/tcp_input.c
2251 +++ b/net/ipv4/tcp_input.c
2252 @@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
2253 static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
2255 if (tp->prior_ssthresh) {
2256 - tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
2257 + if (tcp_is_bic(tp))
2258 + tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
2259 + else
2260 + tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
2262 if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
2263 tp->snd_ssthresh = tp->prior_ssthresh;
2264 diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
2265 --- a/net/ipv4/tcp_timer.c
2266 +++ b/net/ipv4/tcp_timer.c
2267 @@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
2269 #ifdef TCP_DEBUG
2270 const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
2271 +EXPORT_SYMBOL(tcp_timer_bug_msg);
2272 #endif
2274 /*
2275 diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
2276 --- a/net/ipv4/xfrm4_output.c
2277 +++ b/net/ipv4/xfrm4_output.c
2278 @@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
2279 goto error_nolock;
2282 - spin_lock_bh(&x->lock);
2283 - err = xfrm_state_check(x, skb);
2284 - if (err)
2285 - goto error;
2287 if (x->props.mode) {
2288 err = xfrm4_tunnel_check_size(skb);
2289 if (err)
2290 - goto error;
2291 + goto error_nolock;
2294 + spin_lock_bh(&x->lock);
2295 + err = xfrm_state_check(x, skb);
2296 + if (err)
2297 + goto error;
2299 xfrm4_encap(skb);
2301 err = x->type->output(skb);
2302 diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
2303 --- a/net/ipv6/xfrm6_output.c
2304 +++ b/net/ipv6/xfrm6_output.c
2305 @@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
2306 goto error_nolock;
2309 - spin_lock_bh(&x->lock);
2310 - err = xfrm_state_check(x, skb);
2311 - if (err)
2312 - goto error;
2314 if (x->props.mode) {
2315 err = xfrm6_tunnel_check_size(skb);
2316 if (err)
2317 - goto error;
2318 + goto error_nolock;
2321 + spin_lock_bh(&x->lock);
2322 + err = xfrm_state_check(x, skb);
2323 + if (err)
2324 + goto error;
2326 xfrm6_encap(skb);
2328 err = x->type->output(skb);
2329 diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
2330 --- a/net/netrom/nr_in.c
2331 +++ b/net/netrom/nr_in.c
2332 @@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
2333 static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
2334 int frametype)
2336 - bh_lock_sock(sk);
2337 switch (frametype) {
2338 case NR_CONNACK: {
2339 nr_cb *nr = nr_sk(sk);
2340 @@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
2341 default:
2342 break;
2344 - bh_unlock_sock(sk);
2346 return 0;
2349 @@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
2350 static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
2351 int frametype)
2353 - bh_lock_sock(sk);
2354 switch (frametype) {
2355 case NR_CONNACK | NR_CHOKE_FLAG:
2356 nr_disconnect(sk, ECONNRESET);
2357 @@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
2358 default:
2359 break;
2361 - bh_unlock_sock(sk);
2363 return 0;
2366 @@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
2367 nr = skb->data[18];
2368 ns = skb->data[17];
2370 - bh_lock_sock(sk);
2371 switch (frametype) {
2372 case NR_CONNREQ:
2373 nr_write_internal(sk, NR_CONNACK);
2374 @@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
2375 default:
2376 break;
2378 - bh_unlock_sock(sk);
2380 return queued;
2383 diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
2384 --- a/net/rose/rose_route.c
2385 +++ b/net/rose/rose_route.c
2386 @@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
2388 if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
2389 return -EINVAL;
2391 + if (rose_route.ndigis > 8) /* No more than 8 digipeats */
2392 + return -EINVAL;
2393 err = rose_add_node(&rose_route, dev);
2394 dev_put(dev);
2395 return err;
2396 diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
2397 --- a/net/sched/sch_netem.c
2398 +++ b/net/sched/sch_netem.c
2399 @@ -184,10 +184,15 @@ static int netem_enqueue(struct sk_buff
2400 /* Random duplication */
2401 if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor)) {
2402 struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
2404 - pr_debug("netem_enqueue: dup %p\n", skb2);
2405 - if (skb2)
2406 - delay_skb(sch, skb2);
2407 + if (skb2) {
2408 + struct Qdisc *rootq = sch->dev->qdisc;
2409 + u32 dupsave = q->duplicate;
2411 + /* prevent duplicating a dup... */
2412 + q->duplicate = 0;
2413 + rootq->enqueue(skb2, rootq);
2414 + q->duplicate = dupsave;
2415 + }
2418 /* If doing simple delay then gap == 0 so all packets
2419 diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
2420 --- a/net/xfrm/xfrm_state.c
2421 +++ b/net/xfrm/xfrm_state.c
2422 @@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
2424 for (i = 0; i < XFRM_DST_HSIZE; i++) {
2425 list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
2426 - if (x->km.seq == seq) {
2427 + if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
2428 xfrm_state_hold(x);
2429 return x;
2431 diff --git a/security/keys/key.c b/security/keys/key.c
2432 --- a/security/keys/key.c
2433 +++ b/security/keys/key.c
2434 @@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
2436 struct key_user *candidate = NULL, *user;
2437 struct rb_node *parent = NULL;
2438 - struct rb_node **p = &key_user_tree.rb_node;
2439 + struct rb_node **p;
2441 try_again:
2442 + p = &key_user_tree.rb_node;
2443 spin_lock(&key_user_lock);
2445 /* search the tree for a user record with a matching UID */
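Review bot: Moving the initialisation of `p` to the `try_again` label is the right fix, but nothing in the hunk says why it must be re-done on every retry; presumably key_user_lock is dropped somewhere before the jump back (outside the hunk), so the tree may have changed and a stale `p` would walk from a dead position. A comment on the moved line, `/* restart from the root: the tree may have changed while the lock was dropped */`, would make the intent survive the next cleanup.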
2446 diff --git a/sound/core/timer.c b/sound/core/timer.c
2447 --- a/sound/core/timer.c
2448 +++ b/sound/core/timer.c
2449 @@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
2450 if (tu->qused >= tu->queue_size) {
2451 tu->overrun++;
2452 } else {
2453 - memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
2454 + memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
2455 + tu->qtail %= tu->queue_size;
2456 tu->qused++;
2459 @@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
2460 spin_lock(&tu->qlock);
2461 snd_timer_user_append_to_tqueue(tu, &r1);
2462 spin_unlock(&tu->qlock);
2463 + kill_fasync(&tu->fasync, SIGIO, POLL_IN);
2464 + wake_up(&tu->qchange_sleep);
2467 static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
2468 diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
2469 --- a/sound/pci/ac97/ac97_codec.c
2470 +++ b/sound/pci/ac97/ac97_codec.c
2471 @@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
2472 /*
2473 * create mute switch(es) for normal stereo controls
2474 */
2475 -static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
2476 +static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
2478 snd_kcontrol_t *kctl;
2479 int err;
2480 @@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
2482 mute_mask = 0x8000;
2483 val = snd_ac97_read(ac97, reg);
2484 - if (ac97->flags & AC97_STEREO_MUTES) {
2485 + if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
2486 /* check whether both mute bits work */
2487 val1 = val | 0x8080;
2488 snd_ac97_write(ac97, reg, val1);
2489 @@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t
2490 /*
2491 * create a mute-switch and a volume for normal stereo/mono controls
2492 */
2493 -static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
2494 +static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
2496 int err;
2497 char name[44];
2498 @@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t
2500 if (snd_ac97_try_bit(ac97, reg, 15)) {
2501 sprintf(name, "%s Switch", pfx);
2502 - if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
2503 + if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
2504 return err;
2506 check_volume_resolution(ac97, reg, &lo_max, &hi_max);
2507 @@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t
2508 return 0;
2511 +#define snd_ac97_cmix_new(card, pfx, reg, ac97) snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
2512 +#define snd_ac97_cmute_new(card, name, reg, ac97) snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
2514 static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
2516 @@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
2518 /* build surround controls */
2519 if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
2520 - if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
2521 + /* Surround Master (0x38) is with stereo mutes */
2522 + if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
2523 return err;
2526 diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
2527 --- a/sound/usb/usbaudio.c
2528 +++ b/sound/usb/usbaudio.c
2529 @@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
2531 usb_chip[chip->index] = NULL;
2532 up(&register_mutex);
2533 - snd_card_free_in_thread(card);
2534 + snd_card_free(card);
2535 } else {
2536 up(&register_mutex);
2538 diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
2539 --- a/sound/usb/usx2y/usbusx2y.c
2540 +++ b/sound/usb/usx2y/usbusx2y.c
2541 @@ -1,6 +1,11 @@
2542 /*
2543 * usbusy2y.c - ALSA USB US-428 Driver
2545 +2005-04-14 Karsten Wiese
2546 + Version 0.8.7.2:
2547 + Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
2548 + Tested ok with kernel 2.6.12-rc2.
2550 2004-12-14 Karsten Wiese
2551 Version 0.8.7.1:
2552 snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
2553 @@ -143,7 +148,7 @@
2556 MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
2557 -MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
2558 +MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
2559 MODULE_LICENSE("GPL");
2560 MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
2562 @@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct
2563 if (ptr) {
2564 usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
2565 struct list_head* p;
2566 - if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP) // on 2.6.1 kernel snd_usbmidi_disconnect()
2567 - return; // calls us back. better leave :-) .
2568 usX2Y->chip.shutdown = 1;
2569 usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
2570 usX2Y_unlinkSeq(&usX2Y->AS04);
2571 @@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct
2573 if (usX2Y->us428ctls_sharedmem)
2574 wake_up(&usX2Y->us428ctls_wait_queue_head);
2575 - snd_card_free_in_thread((snd_card_t*)ptr);
2576 + snd_card_free((snd_card_t*)ptr);