ia64/xen-unstable

changeset 5210:80f5e85981da

bitkeeper revision 1.1598 (429b7933SwjyJJbULLC4ZT800edwvQ)

Merge freefall.cl.cam.ac.uk:/auto/groups/xeno-xenod/BK/xen-2.0-testing.bk
into freefall.cl.cam.ac.uk:/auto/groups/xeno-xenod/BK/xen-unstable.bk
author iap10@freefall.cl.cam.ac.uk
date Mon May 30 20:36:03 2005 +0000 (2005-05-30)
parents 84ecb1a32456 254dc1cf9be7
children b2310e7dbfdc
files .rootkeys patches/linux-2.6.11/linux-2.6.11.10.patch patches/linux-2.6.11/linux-2.6.11.11.patch
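--- a/.rootkeys	Mon May 30 17:08:40 2005 +0000
+++ b/.rootkeys	Mon May 30 20:36:03 2005 +0000
@@ -469,7 +469,7 @@ 413cb3b53nyOv1OIeDSsCXhBFDXvJA netbsd-2.
 413aa1d0oNP8HXLvfPuMe6cSroUfSA patches/linux-2.6.11/agpgart.patch
 427261074Iy1MkbbqIV6zdZDWWx_Jg patches/linux-2.6.11/i386-cpu-hotplug-updated-for-mm.patch
 42372652KCUP-IOH9RN19YQmGhs4aA patches/linux-2.6.11/iomap.patch
-428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.10.patch
+428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.11.patch
 4296fb998LGSWCcljGKbOCUv3h9uRQ patches/linux-2.6.11/net-csum.patch
 429ae875I9ZrqrRDjGD34IC2kzDREw patches/linux-2.6.11/rcu-nohz.patch
 424f001e_M1Tnxc52rDrmCLelnDWMQ patches/linux-2.6.11/x86_64-linux.patch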
     2.1 --- a/patches/linux-2.6.11/linux-2.6.11.10.patch	Mon May 30 17:08:40 2005 +0000
     2.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.3 @@ -1,1737 +0,0 @@
     2.4 -diff -Naur linux-2.6.11/Documentation/SecurityBugs linux-2.6.11.10/Documentation/SecurityBugs
     2.5 ---- linux-2.6.11/Documentation/SecurityBugs	1969-12-31 16:00:00.000000000 -0800
     2.6 -+++ linux-2.6.11.10/Documentation/SecurityBugs	2005-05-16 10:50:30.000000000 -0700
     2.7 -@@ -0,0 +1,38 @@
     2.8 -+Linux kernel developers take security very seriously.  As such, we'd
     2.9 -+like to know when a security bug is found so that it can be fixed and
    2.10 -+disclosed as quickly as possible.  Please report security bugs to the
    2.11 -+Linux kernel security team.
    2.12 -+
    2.13 -+1) Contact
    2.14 -+
    2.15 -+The Linux kernel security team can be contacted by email at
    2.16 -+<security@kernel.org>.  This is a private list of security officers
    2.17 -+who will help verify the bug report and develop and release a fix.
    2.18 -+It is possible that the security team will bring in extra help from
    2.19 -+area maintainers to understand and fix the security vulnerability.
    2.20 -+
    2.21 -+As it is with any bug, the more information provided the easier it
    2.22 -+will be to diagnose and fix.  Please review the procedure outlined in
    2.23 -+REPORTING-BUGS if you are unclear about what information is helpful.
    2.24 -+Any exploit code is very helpful and will not be released without
    2.25 -+consent from the reporter unless it has already been made public.
    2.26 -+
    2.27 -+2) Disclosure
    2.28 -+
    2.29 -+The goal of the Linux kernel security team is to work with the
    2.30 -+bug submitter to bug resolution as well as disclosure.  We prefer
    2.31 -+to fully disclose the bug as soon as possible.  It is reasonable to
    2.32 -+delay disclosure when the bug or the fix is not yet fully understood,
    2.33 -+the solution is not well-tested or for vendor coordination.  However, we
    2.34 -+expect these delays to be short, measurable in days, not weeks or months.
    2.35 -+A disclosure date is negotiated by the security team working with the
    2.36 -+bug submitter as well as vendors.  However, the kernel security team
    2.37 -+holds the final say when setting a disclosure date.  The timeframe for
    2.38 -+disclosure is from immediate (esp. if it's already publically known)
    2.39 -+to a few weeks.  As a basic default policy, we expect report date to
    2.40 -+disclosure date to be on the order of 7 days.
    2.41 -+
    2.42 -+3) Non-disclosure agreements
    2.43 -+
    2.44 -+The Linux kernel security team is not a formal body and therefore unable
    2.45 -+to enter any non-disclosure agreements.
    2.46 -diff -Naur linux-2.6.11/MAINTAINERS linux-2.6.11.10/MAINTAINERS
    2.47 ---- linux-2.6.11/MAINTAINERS	2005-03-01 23:38:10.000000000 -0800
    2.48 -+++ linux-2.6.11.10/MAINTAINERS	2005-05-16 10:50:30.000000000 -0700
    2.49 -@@ -1966,6 +1966,11 @@
    2.50 - W:	http://www.weinigel.se
    2.51 - S:	Supported
    2.52 - 
    2.53 -+SECURITY CONTACT
    2.54 -+P:	Security Officers
    2.55 -+M:	security@kernel.org
    2.56 -+S:	Supported
    2.57 -+
    2.58 - SELINUX SECURITY MODULE
    2.59 - P:	Stephen Smalley
    2.60 - M:	sds@epoch.ncsc.mil
    2.61 -diff -Naur linux-2.6.11/Makefile linux-2.6.11.10/Makefile
    2.62 ---- linux-2.6.11/Makefile	2005-03-01 23:38:13.000000000 -0800
    2.63 -+++ linux-2.6.11.10/Makefile	2005-05-16 10:50:30.000000000 -0700
    2.64 -@@ -1,8 +1,8 @@
    2.65 - VERSION = 2
    2.66 - PATCHLEVEL = 6
    2.67 - SUBLEVEL = 11
    2.68 --EXTRAVERSION =
    2.69 --NAME=Woozy Numbat
    2.70 -+EXTRAVERSION = .10
    2.71 -+NAME=Woozy Beaver
    2.72 - 
    2.73 - # *DOCUMENTATION*
    2.74 - # To see a list of typical targets execute "make help"
    2.75 -diff -Naur linux-2.6.11/REPORTING-BUGS linux-2.6.11.10/REPORTING-BUGS
    2.76 ---- linux-2.6.11/REPORTING-BUGS	2005-03-01 23:38:09.000000000 -0800
    2.77 -+++ linux-2.6.11.10/REPORTING-BUGS	2005-05-16 10:50:30.000000000 -0700
    2.78 -@@ -16,6 +16,10 @@
    2.79 - describe how to recreate it. That is worth even more than the oops itself.
    2.80 - The list of maintainers is in the MAINTAINERS file in this directory.
    2.81 - 
    2.82 -+      If it is a security bug, please copy the Security Contact listed
    2.83 -+in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
    2.84 -+See Documentation/SecurityBugs for more infomation.
    2.85 -+
    2.86 -       If you are totally stumped as to whom to send the report, send it to
    2.87 - linux-kernel@vger.kernel.org. (For more information on the linux-kernel
    2.88 - mailing list see http://www.tux.org/lkml/).
    2.89 -diff -Naur linux-2.6.11/arch/ia64/kernel/fsys.S linux-2.6.11.10/arch/ia64/kernel/fsys.S
    2.90 ---- linux-2.6.11/arch/ia64/kernel/fsys.S	2005-03-01 23:38:34.000000000 -0800
    2.91 -+++ linux-2.6.11.10/arch/ia64/kernel/fsys.S	2005-05-16 10:50:30.000000000 -0700
    2.92 -@@ -611,8 +611,10 @@
    2.93 - 	movl r2=ia64_ret_from_syscall
    2.94 - 	;;
    2.95 - 	mov rp=r2				// set the real return addr
    2.96 --	tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
    2.97 -+	and r3=_TIF_SYSCALL_TRACEAUDIT,r3
    2.98 - 	;;
    2.99 -+	cmp.eq p8,p0=r3,r0
   2.100 -+
   2.101 - (p10)	br.cond.spnt.many ia64_ret_from_syscall	// p10==true means out registers are more than 8
   2.102 - (p8)	br.call.sptk.many b6=b6		// ignore this return addr
   2.103 - 	br.cond.sptk ia64_trace_syscall
   2.104 -diff -Naur linux-2.6.11/arch/ia64/kernel/signal.c linux-2.6.11.10/arch/ia64/kernel/signal.c
   2.105 ---- linux-2.6.11/arch/ia64/kernel/signal.c	2005-03-01 23:38:10.000000000 -0800
   2.106 -+++ linux-2.6.11.10/arch/ia64/kernel/signal.c	2005-05-16 10:50:30.000000000 -0700
   2.107 -@@ -224,7 +224,8 @@
   2.108 - 	 * could be corrupted.
   2.109 - 	 */
   2.110 - 	retval = (long) &ia64_leave_kernel;
   2.111 --	if (test_thread_flag(TIF_SYSCALL_TRACE))
   2.112 -+	if (test_thread_flag(TIF_SYSCALL_TRACE)
   2.113 -+	    || test_thread_flag(TIF_SYSCALL_AUDIT))
   2.114 - 		/*
   2.115 - 		 * strace expects to be notified after sigreturn returns even though the
   2.116 - 		 * context to which we return may not be in the middle of a syscall.
   2.117 -diff -Naur linux-2.6.11/arch/ppc/oprofile/op_model_fsl_booke.c linux-2.6.11.10/arch/ppc/oprofile/op_model_fsl_booke.c
   2.118 ---- linux-2.6.11/arch/ppc/oprofile/op_model_fsl_booke.c	2005-03-01 23:38:33.000000000 -0800
   2.119 -+++ linux-2.6.11.10/arch/ppc/oprofile/op_model_fsl_booke.c	2005-05-16 10:50:31.000000000 -0700
   2.120 -@@ -150,7 +150,6 @@
   2.121 - 	int is_kernel;
   2.122 - 	int val;
   2.123 - 	int i;
   2.124 --	unsigned int cpu = smp_processor_id();
   2.125 - 
   2.126 - 	/* set the PMM bit (see comment below) */
   2.127 - 	mtmsr(mfmsr() | MSR_PMM);
   2.128 -@@ -162,7 +161,7 @@
   2.129 - 		val = ctr_read(i);
   2.130 - 		if (val < 0) {
   2.131 - 			if (oprofile_running && ctr[i].enabled) {
   2.132 --				oprofile_add_sample(pc, is_kernel, i, cpu);
   2.133 -+				oprofile_add_pc(pc, is_kernel, i);
   2.134 - 				ctr_write(i, reset_value[i]);
   2.135 - 			} else {
   2.136 - 				ctr_write(i, 0);
   2.137 -diff -Naur linux-2.6.11/arch/ppc/platforms/4xx/ebony.h linux-2.6.11.10/arch/ppc/platforms/4xx/ebony.h
   2.138 ---- linux-2.6.11/arch/ppc/platforms/4xx/ebony.h	2005-03-01 23:38:18.000000000 -0800
   2.139 -+++ linux-2.6.11.10/arch/ppc/platforms/4xx/ebony.h	2005-05-16 10:50:31.000000000 -0700
   2.140 -@@ -61,8 +61,8 @@
   2.141 -  */
   2.142 - 
   2.143 - /* OpenBIOS defined UART mappings, used before early_serial_setup */
   2.144 --#define UART0_IO_BASE	(u8 *) 0xE0000200
   2.145 --#define UART1_IO_BASE	(u8 *) 0xE0000300
   2.146 -+#define UART0_IO_BASE	0xE0000200
   2.147 -+#define UART1_IO_BASE	0xE0000300
   2.148 - 
   2.149 - /* external Epson SG-615P */
   2.150 - #define BASE_BAUD	691200
   2.151 -diff -Naur linux-2.6.11/arch/ppc/platforms/4xx/luan.h linux-2.6.11.10/arch/ppc/platforms/4xx/luan.h
   2.152 ---- linux-2.6.11/arch/ppc/platforms/4xx/luan.h	2005-03-01 23:38:13.000000000 -0800
   2.153 -+++ linux-2.6.11.10/arch/ppc/platforms/4xx/luan.h	2005-05-16 10:50:31.000000000 -0700
   2.154 -@@ -47,9 +47,9 @@
   2.155 - #define RS_TABLE_SIZE	3
   2.156 - 
   2.157 - /* PIBS defined UART mappings, used before early_serial_setup */
   2.158 --#define UART0_IO_BASE	(u8 *) 0xa0000200
   2.159 --#define UART1_IO_BASE	(u8 *) 0xa0000300
   2.160 --#define UART2_IO_BASE	(u8 *) 0xa0000600
   2.161 -+#define UART0_IO_BASE	0xa0000200
   2.162 -+#define UART1_IO_BASE	0xa0000300
   2.163 -+#define UART2_IO_BASE	0xa0000600
   2.164 - 
   2.165 - #define BASE_BAUD	11059200
   2.166 - #define STD_UART_OP(num)					\
   2.167 -diff -Naur linux-2.6.11/arch/ppc/platforms/4xx/ocotea.h linux-2.6.11.10/arch/ppc/platforms/4xx/ocotea.h
   2.168 ---- linux-2.6.11/arch/ppc/platforms/4xx/ocotea.h	2005-03-01 23:38:08.000000000 -0800
   2.169 -+++ linux-2.6.11.10/arch/ppc/platforms/4xx/ocotea.h	2005-05-16 10:50:31.000000000 -0700
   2.170 -@@ -56,8 +56,8 @@
   2.171 - #define RS_TABLE_SIZE	2
   2.172 - 
   2.173 - /* OpenBIOS defined UART mappings, used before early_serial_setup */
   2.174 --#define UART0_IO_BASE	(u8 *) 0xE0000200
   2.175 --#define UART1_IO_BASE	(u8 *) 0xE0000300
   2.176 -+#define UART0_IO_BASE	0xE0000200
   2.177 -+#define UART1_IO_BASE	0xE0000300
   2.178 - 
   2.179 - #define BASE_BAUD	11059200/16
   2.180 - #define STD_UART_OP(num)					\
   2.181 -diff -Naur linux-2.6.11/arch/sparc/kernel/ptrace.c linux-2.6.11.10/arch/sparc/kernel/ptrace.c
   2.182 ---- linux-2.6.11/arch/sparc/kernel/ptrace.c	2005-03-01 23:38:33.000000000 -0800
   2.183 -+++ linux-2.6.11.10/arch/sparc/kernel/ptrace.c	2005-05-16 10:50:31.000000000 -0700
   2.184 -@@ -531,18 +531,6 @@
   2.185 - 			pt_error_return(regs, EIO);
   2.186 - 			goto out_tsk;
   2.187 - 		}
   2.188 --		if (addr != 1) {
   2.189 --			if (addr & 3) {
   2.190 --				pt_error_return(regs, EINVAL);
   2.191 --				goto out_tsk;
   2.192 --			}
   2.193 --#ifdef DEBUG_PTRACE
   2.194 --			printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
   2.195 --			printk ("Continuing with %08lx %08lx\n", addr, addr+4);
   2.196 --#endif
   2.197 --			child->thread.kregs->pc = addr;
   2.198 --			child->thread.kregs->npc = addr + 4;
   2.199 --		}
   2.200 - 
   2.201 - 		if (request == PTRACE_SYSCALL)
   2.202 - 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   2.203 -diff -Naur linux-2.6.11/arch/sparc64/kernel/ptrace.c linux-2.6.11.10/arch/sparc64/kernel/ptrace.c
   2.204 ---- linux-2.6.11/arch/sparc64/kernel/ptrace.c	2005-03-01 23:38:32.000000000 -0800
   2.205 -+++ linux-2.6.11.10/arch/sparc64/kernel/ptrace.c	2005-05-16 10:50:31.000000000 -0700
   2.206 -@@ -514,25 +514,6 @@
   2.207 - 			pt_error_return(regs, EIO);
   2.208 - 			goto out_tsk;
   2.209 - 		}
   2.210 --		if (addr != 1) {
   2.211 --			unsigned long pc_mask = ~0UL;
   2.212 --
   2.213 --			if ((child->thread_info->flags & _TIF_32BIT) != 0)
   2.214 --				pc_mask = 0xffffffff;
   2.215 --
   2.216 --			if (addr & 3) {
   2.217 --				pt_error_return(regs, EINVAL);
   2.218 --				goto out_tsk;
   2.219 --			}
   2.220 --#ifdef DEBUG_PTRACE
   2.221 --			printk ("Original: %016lx %016lx\n",
   2.222 --				child->thread_info->kregs->tpc,
   2.223 --				child->thread_info->kregs->tnpc);
   2.224 --			printk ("Continuing with %016lx %016lx\n", addr, addr+4);
   2.225 --#endif
   2.226 --			child->thread_info->kregs->tpc = (addr & pc_mask);
   2.227 --			child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
   2.228 --		}
   2.229 - 
   2.230 - 		if (request == PTRACE_SYSCALL) {
   2.231 - 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   2.232 -diff -Naur linux-2.6.11/arch/sparc64/kernel/signal32.c linux-2.6.11.10/arch/sparc64/kernel/signal32.c
   2.233 ---- linux-2.6.11/arch/sparc64/kernel/signal32.c	2005-03-01 23:38:34.000000000 -0800
   2.234 -+++ linux-2.6.11.10/arch/sparc64/kernel/signal32.c	2005-05-16 10:50:31.000000000 -0700
   2.235 -@@ -192,10 +192,13 @@
   2.236 - 			err |= __put_user(from->si_uid, &to->si_uid);
   2.237 - 			break;
   2.238 - 		case __SI_FAULT >> 16:
   2.239 --		case __SI_POLL >> 16:
   2.240 - 			err |= __put_user(from->si_trapno, &to->si_trapno);
   2.241 - 			err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
   2.242 - 			break;
   2.243 -+		case __SI_POLL >> 16:
   2.244 -+			err |= __put_user(from->si_band, &to->si_band);
   2.245 -+			err |= __put_user(from->si_fd, &to->si_fd);
   2.246 -+			break;
   2.247 - 		case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
   2.248 - 		case __SI_MESGQ >> 16:
   2.249 - 			err |= __put_user(from->si_pid, &to->si_pid);
   2.250 -diff -Naur linux-2.6.11/arch/sparc64/kernel/systbls.S linux-2.6.11.10/arch/sparc64/kernel/systbls.S
   2.251 ---- linux-2.6.11/arch/sparc64/kernel/systbls.S	2005-03-01 23:38:07.000000000 -0800
   2.252 -+++ linux-2.6.11.10/arch/sparc64/kernel/systbls.S	2005-05-16 10:50:31.000000000 -0700
   2.253 -@@ -75,7 +75,7 @@
   2.254 - /*260*/	.word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
   2.255 - 	.word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
   2.256 - /*270*/	.word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
   2.257 --	.word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   2.258 -+	.word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   2.259 - /*280*/	.word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
   2.260 - 
   2.261 - #endif /* CONFIG_COMPAT */
   2.262 -diff -Naur linux-2.6.11/arch/um/include/sysdep-i386/syscalls.h linux-2.6.11.10/arch/um/include/sysdep-i386/syscalls.h
   2.263 ---- linux-2.6.11/arch/um/include/sysdep-i386/syscalls.h	2005-03-01 23:37:49.000000000 -0800
   2.264 -+++ linux-2.6.11.10/arch/um/include/sysdep-i386/syscalls.h	2005-05-16 10:50:31.000000000 -0700
   2.265 -@@ -23,6 +23,9 @@
   2.266 - 		      unsigned long prot, unsigned long flags,
   2.267 - 		      unsigned long fd, unsigned long pgoff);
   2.268 - 
   2.269 -+/* On i386 they choose a meaningless naming.*/
   2.270 -+#define __NR_kexec_load __NR_sys_kexec_load
   2.271 -+
   2.272 - #define ARCH_SYSCALLS \
   2.273 - 	[ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
   2.274 - 	[ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
   2.275 -@@ -101,15 +104,12 @@
   2.276 - 	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.277 - 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.278 - 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.279 --	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   2.280 - 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.281 --        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   2.282 --	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   2.283 --	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   2.284 --        
   2.285 -+	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   2.286 -+
   2.287 - /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
   2.288 - 
   2.289 --#define LAST_ARCH_SYSCALL __NR_vserver
   2.290 -+#define LAST_ARCH_SYSCALL 285
   2.291 - 
   2.292 - /*
   2.293 -  * Overrides for Emacs so that we follow Linus's tabbing style.
   2.294 -diff -Naur linux-2.6.11/arch/um/include/sysdep-x86_64/syscalls.h linux-2.6.11.10/arch/um/include/sysdep-x86_64/syscalls.h
   2.295 ---- linux-2.6.11/arch/um/include/sysdep-x86_64/syscalls.h	2005-03-01 23:38:13.000000000 -0800
   2.296 -+++ linux-2.6.11.10/arch/um/include/sysdep-x86_64/syscalls.h	2005-05-16 10:50:31.000000000 -0700
   2.297 -@@ -71,12 +71,7 @@
   2.298 - 	[ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
   2.299 - 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.300 - 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.301 --        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   2.302 - 	[ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
   2.303 --	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   2.304 --	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.305 --	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   2.306 --	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
   2.307 - 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall,
   2.308 - 
   2.309 - #define LAST_ARCH_SYSCALL 251
   2.310 -diff -Naur linux-2.6.11/arch/um/kernel/skas/uaccess.c linux-2.6.11.10/arch/um/kernel/skas/uaccess.c
   2.311 ---- linux-2.6.11/arch/um/kernel/skas/uaccess.c	2005-03-01 23:38:33.000000000 -0800
   2.312 -+++ linux-2.6.11.10/arch/um/kernel/skas/uaccess.c	2005-05-16 10:50:31.000000000 -0700
   2.313 -@@ -61,7 +61,8 @@
   2.314 - 	void *arg;
   2.315 - 	int *res;
   2.316 - 
   2.317 --	va_copy(args, *(va_list *)arg_ptr);
   2.318 -+	/* Some old gccs recognize __va_copy, but not va_copy */
   2.319 -+	__va_copy(args, *(va_list *)arg_ptr);
   2.320 - 	addr = va_arg(args, unsigned long);
   2.321 - 	len = va_arg(args, int);
   2.322 - 	is_write = va_arg(args, int);
   2.323 -diff -Naur linux-2.6.11/arch/um/kernel/sys_call_table.c linux-2.6.11.10/arch/um/kernel/sys_call_table.c
   2.324 ---- linux-2.6.11/arch/um/kernel/sys_call_table.c	2005-03-01 23:38:25.000000000 -0800
   2.325 -+++ linux-2.6.11.10/arch/um/kernel/sys_call_table.c	2005-05-16 10:50:31.000000000 -0700
   2.326 -@@ -48,7 +48,6 @@
   2.327 - extern syscall_handler_t old_select;
   2.328 - extern syscall_handler_t sys_modify_ldt;
   2.329 - extern syscall_handler_t sys_rt_sigsuspend;
   2.330 --extern syscall_handler_t sys_vserver;
   2.331 - extern syscall_handler_t sys_mbind;
   2.332 - extern syscall_handler_t sys_get_mempolicy;
   2.333 - extern syscall_handler_t sys_set_mempolicy;
   2.334 -@@ -242,6 +241,7 @@
   2.335 - 	[ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
   2.336 - 	[ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
   2.337 - 	[ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
   2.338 -+	[ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
   2.339 -         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
   2.340 - 	[ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
   2.341 - 	[ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
   2.342 -@@ -252,12 +252,10 @@
   2.343 - 	[ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
   2.344 - 	[ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
   2.345 - 	[ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
   2.346 --	[ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
   2.347 --	[ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
   2.348 - 	[ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
   2.349 - 	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
   2.350 --	[ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
   2.351 --	[ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
   2.352 -+	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
   2.353 -+	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   2.354 - 	[ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
   2.355 - 	[ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
   2.356 - 	[ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
   2.357 -@@ -267,9 +265,8 @@
   2.358 - 	[ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
   2.359 - 	[ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
   2.360 - 	[ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
   2.361 --	[ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   2.362 -+	[ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   2.363 - 	[ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
   2.364 --	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   2.365 - 	[ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
   2.366 - 	[ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
   2.367 - 	[ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
   2.368 -diff -Naur linux-2.6.11/drivers/block/ioctl.c linux-2.6.11.10/drivers/block/ioctl.c
   2.369 ---- linux-2.6.11/drivers/block/ioctl.c	2005-03-01 23:37:47.000000000 -0800
   2.370 -+++ linux-2.6.11.10/drivers/block/ioctl.c	2005-05-16 10:50:31.000000000 -0700
   2.371 -@@ -237,3 +237,5 @@
   2.372 - 	}
   2.373 - 	return ret;
   2.374 - }
   2.375 -+
   2.376 -+EXPORT_SYMBOL_GPL(blkdev_ioctl);
   2.377 -diff -Naur linux-2.6.11/drivers/block/pktcdvd.c linux-2.6.11.10/drivers/block/pktcdvd.c
   2.378 ---- linux-2.6.11/drivers/block/pktcdvd.c	2005-03-01 23:37:30.000000000 -0800
   2.379 -+++ linux-2.6.11.10/drivers/block/pktcdvd.c	2005-05-16 10:50:31.000000000 -0700
   2.380 -@@ -2400,7 +2400,7 @@
   2.381 - 	case CDROM_LAST_WRITTEN:
   2.382 - 	case CDROM_SEND_PACKET:
   2.383 - 	case SCSI_IOCTL_SEND_COMMAND:
   2.384 --		return ioctl_by_bdev(pd->bdev, cmd, arg);
   2.385 -+		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   2.386 - 
   2.387 - 	case CDROMEJECT:
   2.388 - 		/*
   2.389 -@@ -2408,7 +2408,7 @@
   2.390 - 		 * have to unlock it or else the eject command fails.
   2.391 - 		 */
   2.392 - 		pkt_lock_door(pd, 0);
   2.393 --		return ioctl_by_bdev(pd->bdev, cmd, arg);
   2.394 -+		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   2.395 - 
   2.396 - 	default:
   2.397 - 		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
   2.398 -diff -Naur linux-2.6.11/drivers/char/drm/drm_ioctl.c linux-2.6.11.10/drivers/char/drm/drm_ioctl.c
   2.399 ---- linux-2.6.11/drivers/char/drm/drm_ioctl.c	2005-03-01 23:37:50.000000000 -0800
   2.400 -+++ linux-2.6.11.10/drivers/char/drm/drm_ioctl.c	2005-05-16 10:50:31.000000000 -0700
   2.401 -@@ -326,6 +326,8 @@
   2.402 - 
   2.403 - 	DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
   2.404 - 
   2.405 -+	memset(&version, 0, sizeof(version));
   2.406 -+
   2.407 - 	dev->driver->version(&version);
   2.408 - 	retv.drm_di_major = DRM_IF_MAJOR;
   2.409 - 	retv.drm_di_minor = DRM_IF_MINOR;
   2.410 -diff -Naur linux-2.6.11/drivers/char/raw.c linux-2.6.11.10/drivers/char/raw.c
   2.411 ---- linux-2.6.11/drivers/char/raw.c	2005-03-01 23:38:12.000000000 -0800
   2.412 -+++ linux-2.6.11.10/drivers/char/raw.c	2005-05-16 10:50:31.000000000 -0700
   2.413 -@@ -122,7 +122,7 @@
   2.414 - {
   2.415 - 	struct block_device *bdev = filp->private_data;
   2.416 - 
   2.417 --	return ioctl_by_bdev(bdev, command, arg);
   2.418 -+	return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
   2.419 - }
   2.420 - 
   2.421 - static void bind_device(struct raw_config_request *rq)
   2.422 -diff -Naur linux-2.6.11/drivers/i2c/chips/eeprom.c linux-2.6.11.10/drivers/i2c/chips/eeprom.c
   2.423 ---- linux-2.6.11/drivers/i2c/chips/eeprom.c	2005-03-01 23:38:00.000000000 -0800
   2.424 -+++ linux-2.6.11.10/drivers/i2c/chips/eeprom.c	2005-05-16 10:50:31.000000000 -0700
   2.425 -@@ -130,7 +130,8 @@
   2.426 - 
   2.427 - 	/* Hide Vaio security settings to regular users (16 first bytes) */
   2.428 - 	if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
   2.429 --		int in_row1 = 16 - off;
   2.430 -+		size_t in_row1 = 16 - off;
   2.431 -+		in_row1 = min(in_row1, count);
   2.432 - 		memset(buf, 0, in_row1);
   2.433 - 		if (count - in_row1 > 0)
   2.434 - 			memcpy(buf + in_row1, &data->data[16], count - in_row1);
   2.435 -diff -Naur linux-2.6.11/drivers/i2c/chips/it87.c linux-2.6.11.10/drivers/i2c/chips/it87.c
   2.436 ---- linux-2.6.11/drivers/i2c/chips/it87.c	2005-03-01 23:38:17.000000000 -0800
   2.437 -+++ linux-2.6.11.10/drivers/i2c/chips/it87.c	2005-05-16 10:50:31.000000000 -0700
   2.438 -@@ -631,7 +631,7 @@
   2.439 - 	struct it87_data *data = it87_update_device(dev);
   2.440 - 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   2.441 - }
   2.442 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   2.443 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   2.444 - 
   2.445 - static ssize_t
   2.446 - show_vrm_reg(struct device *dev, char *buf)
   2.447 -diff -Naur linux-2.6.11/drivers/i2c/chips/via686a.c linux-2.6.11.10/drivers/i2c/chips/via686a.c
   2.448 ---- linux-2.6.11/drivers/i2c/chips/via686a.c	2005-03-01 23:37:48.000000000 -0800
   2.449 -+++ linux-2.6.11.10/drivers/i2c/chips/via686a.c	2005-05-16 10:50:31.000000000 -0700
   2.450 -@@ -554,7 +554,7 @@
   2.451 - 	struct via686a_data *data = via686a_update_device(dev);
   2.452 - 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   2.453 - }
   2.454 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   2.455 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   2.456 - 
   2.457 - /* The driver. I choose to use type i2c_driver, as at is identical to both
   2.458 -    smbus_driver and isa_driver, and clients could be of either kind */
   2.459 -diff -Naur linux-2.6.11/drivers/input/serio/i8042-x86ia64io.h linux-2.6.11.10/drivers/input/serio/i8042-x86ia64io.h
   2.460 ---- linux-2.6.11/drivers/input/serio/i8042-x86ia64io.h	2005-03-01 23:38:17.000000000 -0800
   2.461 -+++ linux-2.6.11.10/drivers/input/serio/i8042-x86ia64io.h	2005-05-16 10:50:32.000000000 -0700
   2.462 -@@ -88,7 +88,7 @@
   2.463 - };
   2.464 - #endif
   2.465 - 
   2.466 --#ifdef CONFIG_ACPI
   2.467 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.468 - #include <linux/acpi.h>
   2.469 - #include <acpi/acpi_bus.h>
   2.470 - 
   2.471 -@@ -281,7 +281,7 @@
   2.472 - 	i8042_kbd_irq = I8042_MAP_IRQ(1);
   2.473 - 	i8042_aux_irq = I8042_MAP_IRQ(12);
   2.474 - 
   2.475 --#ifdef CONFIG_ACPI
   2.476 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.477 - 	if (i8042_acpi_init())
   2.478 - 		return -1;
   2.479 - #endif
   2.480 -@@ -300,7 +300,7 @@
   2.481 - 
   2.482 - static inline void i8042_platform_exit(void)
   2.483 - {
   2.484 --#ifdef CONFIG_ACPI
   2.485 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.486 - 	i8042_acpi_exit();
   2.487 - #endif
   2.488 - }
   2.489 -diff -Naur linux-2.6.11/drivers/md/raid6altivec.uc linux-2.6.11.10/drivers/md/raid6altivec.uc
   2.490 ---- linux-2.6.11/drivers/md/raid6altivec.uc	2005-03-01 23:38:25.000000000 -0800
   2.491 -+++ linux-2.6.11.10/drivers/md/raid6altivec.uc	2005-05-16 10:50:32.000000000 -0700
   2.492 -@@ -108,7 +108,11 @@
   2.493 - int raid6_have_altivec(void)
   2.494 - {
   2.495 - 	/* This assumes either all CPUs have Altivec or none does */
   2.496 -+#ifdef CONFIG_PPC64
   2.497 - 	return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
   2.498 -+#else
   2.499 -+	return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
   2.500 -+#endif
   2.501 - }
   2.502 - #endif
   2.503 - 
   2.504 -diff -Naur linux-2.6.11/drivers/media/video/adv7170.c linux-2.6.11.10/drivers/media/video/adv7170.c
   2.505 ---- linux-2.6.11/drivers/media/video/adv7170.c	2005-03-01 23:38:26.000000000 -0800
   2.506 -+++ linux-2.6.11.10/drivers/media/video/adv7170.c	2005-05-16 10:50:32.000000000 -0700
   2.507 -@@ -130,7 +130,7 @@
   2.508 - 		u8 block_data[32];
   2.509 - 
   2.510 - 		msg.addr = client->addr;
   2.511 --		msg.flags = client->flags;
   2.512 -+		msg.flags = 0;
   2.513 - 		while (len >= 2) {
   2.514 - 			msg.buf = (char *) block_data;
   2.515 - 			msg.len = 0;
   2.516 -diff -Naur linux-2.6.11/drivers/media/video/adv7175.c linux-2.6.11.10/drivers/media/video/adv7175.c
   2.517 ---- linux-2.6.11/drivers/media/video/adv7175.c	2005-03-01 23:38:26.000000000 -0800
   2.518 -+++ linux-2.6.11.10/drivers/media/video/adv7175.c	2005-05-16 10:50:32.000000000 -0700
   2.519 -@@ -126,7 +126,7 @@
   2.520 - 		u8 block_data[32];
   2.521 - 
   2.522 - 		msg.addr = client->addr;
   2.523 --		msg.flags = client->flags;
   2.524 -+		msg.flags = 0;
   2.525 - 		while (len >= 2) {
   2.526 - 			msg.buf = (char *) block_data;
   2.527 - 			msg.len = 0;
   2.528 -diff -Naur linux-2.6.11/drivers/media/video/bt819.c linux-2.6.11.10/drivers/media/video/bt819.c
   2.529 ---- linux-2.6.11/drivers/media/video/bt819.c	2005-03-01 23:37:48.000000000 -0800
   2.530 -+++ linux-2.6.11.10/drivers/media/video/bt819.c	2005-05-16 10:50:32.000000000 -0700
   2.531 -@@ -146,7 +146,7 @@
   2.532 - 		u8 block_data[32];
   2.533 - 
   2.534 - 		msg.addr = client->addr;
   2.535 --		msg.flags = client->flags;
   2.536 -+		msg.flags = 0;
   2.537 - 		while (len >= 2) {
   2.538 - 			msg.buf = (char *) block_data;
   2.539 - 			msg.len = 0;
   2.540 -diff -Naur linux-2.6.11/drivers/media/video/bttv-cards.c linux-2.6.11.10/drivers/media/video/bttv-cards.c
   2.541 ---- linux-2.6.11/drivers/media/video/bttv-cards.c	2005-03-01 23:38:09.000000000 -0800
   2.542 -+++ linux-2.6.11.10/drivers/media/video/bttv-cards.c	2005-05-16 10:50:32.000000000 -0700
   2.543 -@@ -2718,8 +2718,6 @@
   2.544 -         }
   2.545 - 	btv->pll.pll_current = -1;
   2.546 - 
   2.547 --	bttv_reset_audio(btv);
   2.548 --
   2.549 - 	/* tuner configuration (from card list / autodetect / insmod option) */
   2.550 -  	if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
   2.551 - 		if(UNSET == btv->tuner_type)
   2.552 -diff -Naur linux-2.6.11/drivers/media/video/saa7110.c linux-2.6.11.10/drivers/media/video/saa7110.c
   2.553 ---- linux-2.6.11/drivers/media/video/saa7110.c	2005-03-01 23:37:30.000000000 -0800
   2.554 -+++ linux-2.6.11.10/drivers/media/video/saa7110.c	2005-05-16 10:50:32.000000000 -0700
   2.555 -@@ -60,8 +60,10 @@
   2.556 - 
   2.557 - #define	I2C_SAA7110		0x9C	/* or 0x9E */
   2.558 - 
   2.559 -+#define SAA7110_NR_REG		0x35
   2.560 -+
   2.561 - struct saa7110 {
   2.562 --	unsigned char reg[54];
   2.563 -+	u8 reg[SAA7110_NR_REG];
   2.564 - 
   2.565 - 	int norm;
   2.566 - 	int input;
   2.567 -@@ -95,31 +97,28 @@
   2.568 - 		     unsigned int       len)
   2.569 - {
   2.570 - 	int ret = -1;
   2.571 --	u8 reg = *data++;
   2.572 -+	u8 reg = *data;		/* first register to write to */
   2.573 - 
   2.574 --	len--;
   2.575 -+	/* Sanity check */
   2.576 -+	if (reg + (len - 1) > SAA7110_NR_REG)
   2.577 -+		return ret;
   2.578 - 
   2.579 - 	/* the saa7110 has an autoincrement function, use it if
   2.580 - 	 * the adapter understands raw I2C */
   2.581 - 	if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
   2.582 - 		struct saa7110 *decoder = i2c_get_clientdata(client);
   2.583 - 		struct i2c_msg msg;
   2.584 --		u8 block_data[54];
   2.585 - 
   2.586 --		msg.len = 0;
   2.587 --		msg.buf = (char *) block_data;
   2.588 -+		msg.len = len;
   2.589 -+		msg.buf = (char *) data;
   2.590 - 		msg.addr = client->addr;
   2.591 --		msg.flags = client->flags;
   2.592 --		while (len >= 1) {
   2.593 --			msg.len = 0;
   2.594 --			block_data[msg.len++] = reg;
   2.595 --			while (len-- >= 1 && msg.len < 54)
   2.596 --				block_data[msg.len++] =
   2.597 --				    decoder->reg[reg++] = *data++;
   2.598 --			ret = i2c_transfer(client->adapter, &msg, 1);
   2.599 --		}
   2.600 -+		msg.flags = 0;
   2.601 -+		ret = i2c_transfer(client->adapter, &msg, 1);
   2.602 -+
   2.603 -+		/* Cache the written data */
   2.604 -+		memcpy(decoder->reg + reg, data + 1, len - 1);
   2.605 - 	} else {
   2.606 --		while (len-- >= 1) {
   2.607 -+		for (++data, --len; len; len--) {
   2.608 - 			if ((ret = saa7110_write(client, reg++,
   2.609 - 						 *data++)) < 0)
   2.610 - 				break;
   2.611 -@@ -192,7 +191,7 @@
   2.612 - 	return 0;
   2.613 - }
   2.614 - 
   2.615 --static const unsigned char initseq[] = {
   2.616 -+static const unsigned char initseq[1 + SAA7110_NR_REG] = {
   2.617 - 	0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
   2.618 - 	/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
   2.619 - 	/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
   2.620 -diff -Naur linux-2.6.11/drivers/media/video/saa7114.c linux-2.6.11.10/drivers/media/video/saa7114.c
   2.621 ---- linux-2.6.11/drivers/media/video/saa7114.c	2005-03-01 23:38:25.000000000 -0800
   2.622 -+++ linux-2.6.11.10/drivers/media/video/saa7114.c	2005-05-16 10:50:32.000000000 -0700
   2.623 -@@ -163,7 +163,7 @@
   2.624 - 		u8 block_data[32];
   2.625 - 
   2.626 - 		msg.addr = client->addr;
   2.627 --		msg.flags = client->flags;
   2.628 -+		msg.flags = 0;
   2.629 - 		while (len >= 2) {
   2.630 - 			msg.buf = (char *) block_data;
   2.631 - 			msg.len = 0;
   2.632 -diff -Naur linux-2.6.11/drivers/media/video/saa7185.c linux-2.6.11.10/drivers/media/video/saa7185.c
   2.633 ---- linux-2.6.11/drivers/media/video/saa7185.c	2005-03-01 23:38:34.000000000 -0800
   2.634 -+++ linux-2.6.11.10/drivers/media/video/saa7185.c	2005-05-16 10:50:32.000000000 -0700
   2.635 -@@ -118,7 +118,7 @@
   2.636 - 		u8 block_data[32];
   2.637 - 
   2.638 - 		msg.addr = client->addr;
   2.639 --		msg.flags = client->flags;
   2.640 -+		msg.flags = 0;
   2.641 - 		while (len >= 2) {
   2.642 - 			msg.buf = (char *) block_data;
   2.643 - 			msg.len = 0;
   2.644 -diff -Naur linux-2.6.11/drivers/net/amd8111e.c linux-2.6.11.10/drivers/net/amd8111e.c
   2.645 ---- linux-2.6.11/drivers/net/amd8111e.c	2005-03-01 23:38:38.000000000 -0800
   2.646 -+++ linux-2.6.11.10/drivers/net/amd8111e.c	2005-05-16 10:50:32.000000000 -0700
   2.647 -@@ -1381,6 +1381,8 @@
   2.648 - 
   2.649 - 	if(amd8111e_restart(dev)){
   2.650 - 		spin_unlock_irq(&lp->lock);
   2.651 -+		if (dev->irq)
   2.652 -+			free_irq(dev->irq, dev);
   2.653 - 		return -ENOMEM;
   2.654 - 	}
   2.655 - 	/* Start ipg timer */
   2.656 -diff -Naur linux-2.6.11/drivers/net/ppp_async.c linux-2.6.11.10/drivers/net/ppp_async.c
   2.657 ---- linux-2.6.11/drivers/net/ppp_async.c	2005-03-01 23:38:17.000000000 -0800
   2.658 -+++ linux-2.6.11.10/drivers/net/ppp_async.c	2005-05-16 10:50:32.000000000 -0700
   2.659 -@@ -1000,7 +1000,7 @@
   2.660 - 	data += 4;
   2.661 - 	dlen -= 4;
   2.662 - 	/* data[0] is code, data[1] is length */
   2.663 --	while (dlen >= 2 && dlen >= data[1]) {
   2.664 -+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
   2.665 - 		switch (data[0]) {
   2.666 - 		case LCP_MRU:
   2.667 - 			val = (data[2] << 8) + data[3];
   2.668 -diff -Naur linux-2.6.11/drivers/net/r8169.c linux-2.6.11.10/drivers/net/r8169.c
   2.669 ---- linux-2.6.11/drivers/net/r8169.c	2005-03-01 23:38:09.000000000 -0800
   2.670 -+++ linux-2.6.11.10/drivers/net/r8169.c	2005-05-16 10:50:32.000000000 -0700
   2.671 -@@ -1683,16 +1683,19 @@
   2.672 - 	rtl8169_make_unusable_by_asic(desc);
   2.673 - }
   2.674 - 
   2.675 --static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
   2.676 -+static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
   2.677 - {
   2.678 --	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   2.679 -+	u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
   2.680 -+
   2.681 -+	desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
   2.682 - }
   2.683 - 
   2.684 --static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   2.685 --					int rx_buf_sz)
   2.686 -+static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   2.687 -+				       u32 rx_buf_sz)
   2.688 - {
   2.689 - 	desc->addr = cpu_to_le64(mapping);
   2.690 --	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   2.691 -+	wmb();
   2.692 -+	rtl8169_mark_to_asic(desc, rx_buf_sz);
   2.693 - }
   2.694 - 
   2.695 - static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
   2.696 -@@ -1712,7 +1715,7 @@
   2.697 - 	mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
   2.698 - 				 PCI_DMA_FROMDEVICE);
   2.699 - 
   2.700 --	rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
   2.701 -+	rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
   2.702 - 
   2.703 - out:
   2.704 - 	return ret;
   2.705 -@@ -2150,7 +2153,7 @@
   2.706 - 			skb_reserve(skb, NET_IP_ALIGN);
   2.707 - 			eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
   2.708 - 			*sk_buff = skb;
   2.709 --			rtl8169_return_to_asic(desc, rx_buf_sz);
   2.710 -+			rtl8169_mark_to_asic(desc, rx_buf_sz);
   2.711 - 			ret = 0;
   2.712 - 		}
   2.713 - 	}
   2.714 -diff -Naur linux-2.6.11/drivers/net/sis900.c linux-2.6.11.10/drivers/net/sis900.c
   2.715 ---- linux-2.6.11/drivers/net/sis900.c	2005-03-01 23:38:08.000000000 -0800
   2.716 -+++ linux-2.6.11.10/drivers/net/sis900.c	2005-05-16 10:50:32.000000000 -0700
   2.717 -@@ -236,7 +236,7 @@
   2.718 - 	signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
   2.719 - 	if (signature == 0xffff || signature == 0x0000) {
   2.720 - 		printk (KERN_INFO "%s: Error EERPOM read %x\n", 
   2.721 --			net_dev->name, signature);
   2.722 -+			pci_name(pci_dev), signature);
   2.723 - 		return 0;
   2.724 - 	}
   2.725 - 
   2.726 -@@ -268,7 +268,7 @@
   2.727 - 	if (!isa_bridge)
   2.728 - 		isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
   2.729 - 	if (!isa_bridge) {
   2.730 --		printk("%s: Can not find ISA bridge\n", net_dev->name);
   2.731 -+		printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
   2.732 - 		return 0;
   2.733 - 	}
   2.734 - 	pci_read_config_byte(isa_bridge, 0x48, &reg);
   2.735 -@@ -456,10 +456,6 @@
   2.736 - 	net_dev->tx_timeout = sis900_tx_timeout;
   2.737 - 	net_dev->watchdog_timeo = TX_TIMEOUT;
   2.738 - 	net_dev->ethtool_ops = &sis900_ethtool_ops;
   2.739 --	
   2.740 --	ret = register_netdev(net_dev);
   2.741 --	if (ret)
   2.742 --		goto err_unmap_rx;
   2.743 - 		
   2.744 - 	/* Get Mac address according to the chip revision */
   2.745 - 	pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
   2.746 -@@ -476,7 +472,7 @@
   2.747 - 
   2.748 - 	if (ret == 0) {
   2.749 - 		ret = -ENODEV;
   2.750 --		goto err_out_unregister;
   2.751 -+		goto err_unmap_rx;
   2.752 - 	}
   2.753 - 	
   2.754 - 	/* 630ET : set the mii access mode as software-mode */
   2.755 -@@ -486,7 +482,7 @@
   2.756 - 	/* probe for mii transceiver */
   2.757 - 	if (sis900_mii_probe(net_dev) == 0) {
   2.758 - 		ret = -ENODEV;
   2.759 --		goto err_out_unregister;
   2.760 -+		goto err_unmap_rx;
   2.761 - 	}
   2.762 - 
   2.763 - 	/* save our host bridge revision */
   2.764 -@@ -496,6 +492,10 @@
   2.765 - 		pci_dev_put(dev);
   2.766 - 	}
   2.767 - 
   2.768 -+	ret = register_netdev(net_dev);
   2.769 -+	if (ret)
   2.770 -+		goto err_unmap_rx;
   2.771 -+
   2.772 - 	/* print some information about our NIC */
   2.773 - 	printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
   2.774 - 	       card_name, ioaddr, net_dev->irq);
   2.775 -@@ -505,8 +505,6 @@
   2.776 - 
   2.777 - 	return 0;
   2.778 - 
   2.779 -- err_out_unregister:
   2.780 -- 	unregister_netdev(net_dev);
   2.781 -  err_unmap_rx:
   2.782 - 	pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
   2.783 - 		sis_priv->rx_ring_dma);
   2.784 -@@ -533,6 +531,7 @@
   2.785 - static int __init sis900_mii_probe(struct net_device * net_dev)
   2.786 - {
   2.787 - 	struct sis900_private * sis_priv = net_dev->priv;
   2.788 -+	const char *dev_name = pci_name(sis_priv->pci_dev);
   2.789 - 	u16 poll_bit = MII_STAT_LINK, status = 0;
   2.790 - 	unsigned long timeout = jiffies + 5 * HZ;
   2.791 - 	int phy_addr;
   2.792 -@@ -582,21 +581,20 @@
   2.793 - 					mii_phy->phy_types =
   2.794 - 					    (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
   2.795 - 				printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
   2.796 --				       net_dev->name, mii_chip_table[i].name,
   2.797 -+				       dev_name, mii_chip_table[i].name,
   2.798 - 				       phy_addr);
   2.799 - 				break;
   2.800 - 			}
   2.801 - 			
   2.802 - 		if( !mii_chip_table[i].phy_id1 ) {
   2.803 - 			printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
   2.804 --			       net_dev->name, phy_addr);
   2.805 -+			       dev_name, phy_addr);
   2.806 - 			mii_phy->phy_types = UNKNOWN;
   2.807 - 		}
   2.808 - 	}
   2.809 - 	
   2.810 - 	if (sis_priv->mii == NULL) {
   2.811 --		printk(KERN_INFO "%s: No MII transceivers found!\n",
   2.812 --			net_dev->name);
   2.813 -+		printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
   2.814 - 		return 0;
   2.815 - 	}
   2.816 - 
   2.817 -@@ -621,7 +619,7 @@
   2.818 - 			poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
   2.819 - 			if (time_after_eq(jiffies, timeout)) {
   2.820 - 				printk(KERN_WARNING "%s: reset phy and link down now\n",
   2.821 --					net_dev->name);
   2.822 -+				       dev_name);
   2.823 - 				return -ETIME;
   2.824 - 			}
   2.825 - 		}
   2.826 -@@ -691,7 +689,7 @@
   2.827 - 		sis_priv->mii = default_phy;
   2.828 - 		sis_priv->cur_phy = default_phy->phy_addr;
   2.829 - 		printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
   2.830 --					net_dev->name,sis_priv->cur_phy);
   2.831 -+		       pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
   2.832 - 	}
   2.833 - 	
   2.834 - 	status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
   2.835 -diff -Naur linux-2.6.11/drivers/net/tun.c linux-2.6.11.10/drivers/net/tun.c
   2.836 ---- linux-2.6.11/drivers/net/tun.c	2005-03-01 23:38:08.000000000 -0800
   2.837 -+++ linux-2.6.11.10/drivers/net/tun.c	2005-05-16 10:50:32.000000000 -0700
   2.838 -@@ -229,7 +229,7 @@
   2.839 - 	size_t len = count;
   2.840 - 
   2.841 - 	if (!(tun->flags & TUN_NO_PI)) {
   2.842 --		if ((len -= sizeof(pi)) > len)
   2.843 -+		if ((len -= sizeof(pi)) > count)
   2.844 - 			return -EINVAL;
   2.845 - 
   2.846 - 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
   2.847 -diff -Naur linux-2.6.11/drivers/net/via-rhine.c linux-2.6.11.10/drivers/net/via-rhine.c
   2.848 ---- linux-2.6.11/drivers/net/via-rhine.c	2005-03-01 23:38:32.000000000 -0800
   2.849 -+++ linux-2.6.11.10/drivers/net/via-rhine.c	2005-05-16 10:50:32.000000000 -0700
   2.850 -@@ -1197,8 +1197,10 @@
   2.851 - 		       dev->name, rp->pdev->irq);
   2.852 - 
   2.853 - 	rc = alloc_ring(dev);
   2.854 --	if (rc)
   2.855 -+	if (rc) {
   2.856 -+		free_irq(rp->pdev->irq, dev);
   2.857 - 		return rc;
   2.858 -+	}
   2.859 - 	alloc_rbufs(dev);
   2.860 - 	alloc_tbufs(dev);
   2.861 - 	rhine_chip_reset(dev);
   2.862 -@@ -1899,6 +1901,9 @@
   2.863 - 	struct rhine_private *rp = netdev_priv(dev);
   2.864 - 	void __iomem *ioaddr = rp->base;
   2.865 - 
   2.866 -+	if (!(rp->quirks & rqWOL))
   2.867 -+		return; /* Nothing to do for non-WOL adapters */
   2.868 -+
   2.869 - 	rhine_power_init(dev);
   2.870 - 
   2.871 - 	/* Make sure we use pattern 0, 1 and not 4, 5 */
   2.872 -diff -Naur linux-2.6.11/drivers/net/wan/hd6457x.c linux-2.6.11.10/drivers/net/wan/hd6457x.c
   2.873 ---- linux-2.6.11/drivers/net/wan/hd6457x.c	2005-03-01 23:37:50.000000000 -0800
   2.874 -+++ linux-2.6.11.10/drivers/net/wan/hd6457x.c	2005-05-16 10:50:32.000000000 -0700
   2.875 -@@ -315,7 +315,7 @@
   2.876 - #endif
   2.877 - 	stats->rx_packets++;
   2.878 - 	stats->rx_bytes += skb->len;
   2.879 --	skb->dev->last_rx = jiffies;
   2.880 -+	dev->last_rx = jiffies;
   2.881 - 	skb->protocol = hdlc_type_trans(skb, dev);
   2.882 - 	netif_rx(skb);
   2.883 - }
   2.884 -diff -Naur linux-2.6.11/drivers/pci/hotplug/pciehp_ctrl.c linux-2.6.11.10/drivers/pci/hotplug/pciehp_ctrl.c
   2.885 ---- linux-2.6.11/drivers/pci/hotplug/pciehp_ctrl.c	2005-03-01 23:37:49.000000000 -0800
   2.886 -+++ linux-2.6.11.10/drivers/pci/hotplug/pciehp_ctrl.c	2005-05-16 10:50:33.000000000 -0700
   2.887 -@@ -1354,10 +1354,11 @@
   2.888 - 				dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
   2.889 - 					ctrl->seg, func->bus, func->device, func->function);
   2.890 - 				bridge_slot_remove(func);
   2.891 --			} else
   2.892 -+			} else {
   2.893 - 				dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
   2.894 - 					ctrl->seg, func->bus, func->device, func->function);
   2.895 - 				slot_remove(func);
   2.896 -+			}
   2.897 - 
   2.898 - 			func = pciehp_slot_find(ctrl->slot_bus, device, 0);
   2.899 - 		}
   2.900 -diff -Naur linux-2.6.11/fs/binfmt_elf.c linux-2.6.11.10/fs/binfmt_elf.c
   2.901 ---- linux-2.6.11/fs/binfmt_elf.c	2005-03-01 23:38:08.000000000 -0800
   2.902 -+++ linux-2.6.11.10/fs/binfmt_elf.c	2005-05-16 10:50:44.000000000 -0700
   2.903 -@@ -257,7 +257,7 @@
   2.904 - 	}
   2.905 - 
   2.906 - 	/* Populate argv and envp */
   2.907 --	p = current->mm->arg_start;
   2.908 -+	p = current->mm->arg_end = current->mm->arg_start;
   2.909 - 	while (argc-- > 0) {
   2.910 - 		size_t len;
   2.911 - 		__put_user((elf_addr_t)p, argv++);
   2.912 -@@ -1008,6 +1008,7 @@
   2.913 - static int load_elf_library(struct file *file)
   2.914 - {
   2.915 - 	struct elf_phdr *elf_phdata;
   2.916 -+	struct elf_phdr *eppnt;
   2.917 - 	unsigned long elf_bss, bss, len;
   2.918 - 	int retval, error, i, j;
   2.919 - 	struct elfhdr elf_ex;
   2.920 -@@ -1031,44 +1032,47 @@
   2.921 - 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
   2.922 - 
   2.923 - 	error = -ENOMEM;
   2.924 --	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
   2.925 -+	elf_phdata = kmalloc(j, GFP_KERNEL);
   2.926 - 	if (!elf_phdata)
   2.927 - 		goto out;
   2.928 - 
   2.929 -+	eppnt = elf_phdata;
   2.930 - 	error = -ENOEXEC;
   2.931 --	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
   2.932 -+	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
   2.933 - 	if (retval != j)
   2.934 - 		goto out_free_ph;
   2.935 - 
   2.936 - 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
   2.937 --		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
   2.938 -+		if ((eppnt + i)->p_type == PT_LOAD)
   2.939 -+			j++;
   2.940 - 	if (j != 1)
   2.941 - 		goto out_free_ph;
   2.942 - 
   2.943 --	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
   2.944 -+	while (eppnt->p_type != PT_LOAD)
   2.945 -+		eppnt++;
   2.946 - 
   2.947 - 	/* Now use mmap to map the library into memory. */
   2.948 - 	down_write(&current->mm->mmap_sem);
   2.949 - 	error = do_mmap(file,
   2.950 --			ELF_PAGESTART(elf_phdata->p_vaddr),
   2.951 --			(elf_phdata->p_filesz +
   2.952 --			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
   2.953 -+			ELF_PAGESTART(eppnt->p_vaddr),
   2.954 -+			(eppnt->p_filesz +
   2.955 -+			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
   2.956 - 			PROT_READ | PROT_WRITE | PROT_EXEC,
   2.957 - 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
   2.958 --			(elf_phdata->p_offset -
   2.959 --			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
   2.960 -+			(eppnt->p_offset -
   2.961 -+			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
   2.962 - 	up_write(&current->mm->mmap_sem);
   2.963 --	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
   2.964 -+	if (error != ELF_PAGESTART(eppnt->p_vaddr))
   2.965 - 		goto out_free_ph;
   2.966 - 
   2.967 --	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
   2.968 -+	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
   2.969 - 	if (padzero(elf_bss)) {
   2.970 - 		error = -EFAULT;
   2.971 - 		goto out_free_ph;
   2.972 - 	}
   2.973 - 
   2.974 --	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
   2.975 --	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
   2.976 -+	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
   2.977 -+	bss = eppnt->p_memsz + eppnt->p_vaddr;
   2.978 - 	if (bss > len) {
   2.979 - 		down_write(&current->mm->mmap_sem);
   2.980 - 		do_brk(len, bss - len);
   2.981 -@@ -1275,7 +1279,7 @@
   2.982 - static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
   2.983 - 		       struct mm_struct *mm)
   2.984 - {
   2.985 --	int i, len;
   2.986 -+	unsigned int i, len;
   2.987 - 	
   2.988 - 	/* first copy the parameters from user space */
   2.989 - 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
   2.990 -diff -Naur linux-2.6.11/fs/cramfs/inode.c linux-2.6.11.10/fs/cramfs/inode.c
   2.991 ---- linux-2.6.11/fs/cramfs/inode.c	2005-03-01 23:37:47.000000000 -0800
   2.992 -+++ linux-2.6.11.10/fs/cramfs/inode.c	2005-05-16 10:50:45.000000000 -0700
   2.993 -@@ -70,6 +70,7 @@
   2.994 - 			inode->i_data.a_ops = &cramfs_aops;
   2.995 - 		} else {
   2.996 - 			inode->i_size = 0;
   2.997 -+			inode->i_blocks = 0;
   2.998 - 			init_special_inode(inode, inode->i_mode,
   2.999 - 				old_decode_dev(cramfs_inode->size));
  2.1000 - 		}
  2.1001 -diff -Naur linux-2.6.11/fs/eventpoll.c linux-2.6.11.10/fs/eventpoll.c
  2.1002 ---- linux-2.6.11/fs/eventpoll.c	2005-03-01 23:38:07.000000000 -0800
  2.1003 -+++ linux-2.6.11.10/fs/eventpoll.c	2005-05-16 10:50:45.000000000 -0700
  2.1004 -@@ -619,6 +619,7 @@
  2.1005 - 	return error;
  2.1006 - }
  2.1007 - 
  2.1008 -+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
  2.1009 - 
  2.1010 - /*
  2.1011 -  * Implement the event wait interface for the eventpoll file. It is the kernel
  2.1012 -@@ -635,7 +636,7 @@
  2.1013 - 		     current, epfd, events, maxevents, timeout));
  2.1014 - 
  2.1015 - 	/* The maximum number of event must be greater than zero */
  2.1016 --	if (maxevents <= 0)
  2.1017 -+	if (maxevents <= 0 || maxevents > MAX_EVENTS)
  2.1018 - 		return -EINVAL;
  2.1019 - 
  2.1020 - 	/* Verify that the area passed by the user is writeable */
  2.1021 -diff -Naur linux-2.6.11/fs/exec.c linux-2.6.11.10/fs/exec.c
  2.1022 ---- linux-2.6.11/fs/exec.c	2005-03-01 23:38:06.000000000 -0800
  2.1023 -+++ linux-2.6.11.10/fs/exec.c	2005-05-16 10:50:45.000000000 -0700
  2.1024 -@@ -814,7 +814,7 @@
  2.1025 - {
  2.1026 - 	/* buf must be at least sizeof(tsk->comm) in size */
  2.1027 - 	task_lock(tsk);
  2.1028 --	memcpy(buf, tsk->comm, sizeof(tsk->comm));
  2.1029 -+	strncpy(buf, tsk->comm, sizeof(tsk->comm));
  2.1030 - 	task_unlock(tsk);
  2.1031 - }
  2.1032 - 
  2.1033 -diff -Naur linux-2.6.11/fs/ext2/dir.c linux-2.6.11.10/fs/ext2/dir.c
  2.1034 ---- linux-2.6.11/fs/ext2/dir.c	2005-03-01 23:38:10.000000000 -0800
  2.1035 -+++ linux-2.6.11.10/fs/ext2/dir.c	2005-05-16 10:50:45.000000000 -0700
  2.1036 -@@ -592,6 +592,7 @@
  2.1037 - 		goto fail;
  2.1038 - 	}
  2.1039 - 	kaddr = kmap_atomic(page, KM_USER0);
  2.1040 -+       memset(kaddr, 0, chunk_size);
  2.1041 - 	de = (struct ext2_dir_entry_2 *)kaddr;
  2.1042 - 	de->name_len = 1;
  2.1043 - 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
  2.1044 -diff -Naur linux-2.6.11/fs/isofs/inode.c linux-2.6.11.10/fs/isofs/inode.c
  2.1045 ---- linux-2.6.11/fs/isofs/inode.c	2005-03-01 23:38:26.000000000 -0800
  2.1046 -+++ linux-2.6.11.10/fs/isofs/inode.c	2005-05-16 10:50:47.000000000 -0700
  2.1047 -@@ -685,6 +685,8 @@
  2.1048 - 	  sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
  2.1049 - 	  sbi->s_max_size = isonum_733(h_pri->volume_space_size);
  2.1050 - 	} else {
  2.1051 -+	  if (!pri)
  2.1052 -+	    goto out_freebh;
  2.1053 - 	  rootp = (struct iso_directory_record *) pri->root_directory_record;
  2.1054 - 	  sbi->s_nzones = isonum_733 (pri->volume_space_size);
  2.1055 - 	  sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
  2.1056 -@@ -1395,6 +1397,9 @@
  2.1057 - 	struct inode *inode;
  2.1058 - 	struct isofs_iget5_callback_data data;
  2.1059 - 
  2.1060 -+	if (offset >= 1ul << sb->s_blocksize_bits)
  2.1061 -+		return NULL;
  2.1062 -+
  2.1063 - 	data.block = block;
  2.1064 - 	data.offset = offset;
  2.1065 - 
  2.1066 -diff -Naur linux-2.6.11/fs/isofs/rock.c linux-2.6.11.10/fs/isofs/rock.c
  2.1067 ---- linux-2.6.11/fs/isofs/rock.c	2005-03-01 23:38:10.000000000 -0800
  2.1068 -+++ linux-2.6.11.10/fs/isofs/rock.c	2005-05-16 10:50:47.000000000 -0700
  2.1069 -@@ -53,6 +53,7 @@
  2.1070 -   if(LEN & 1) LEN++;						\
  2.1071 -   CHR = ((unsigned char *) DE) + LEN;				\
  2.1072 -   LEN = *((unsigned char *) DE) - LEN;                          \
  2.1073 -+  if (LEN<0) LEN=0;                                             \
  2.1074 -   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
  2.1075 -   {                                                             \
  2.1076 -      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
  2.1077 -@@ -73,6 +74,10 @@
  2.1078 -     offset1 = 0; \
  2.1079 -     pbh = sb_bread(DEV->i_sb, block); \
  2.1080 -     if(pbh){       \
  2.1081 -+      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
  2.1082 -+	brelse(pbh); \
  2.1083 -+	goto out; \
  2.1084 -+      } \
  2.1085 -       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
  2.1086 -       brelse(pbh); \
  2.1087 -       chr = (unsigned char *) buffer; \
  2.1088 -@@ -103,12 +108,13 @@
  2.1089 -     struct rock_ridge * rr;
  2.1090 -     int sig;
  2.1091 -     
  2.1092 --    while (len > 1){ /* There may be one byte for padding somewhere */
  2.1093 -+    while (len > 2){ /* There may be one byte for padding somewhere */
  2.1094 -       rr = (struct rock_ridge *) chr;
  2.1095 --      if (rr->len == 0) goto out; /* Something got screwed up here */
  2.1096 -+      if (rr->len < 3) goto out; /* Something got screwed up here */
  2.1097 -       sig = isonum_721(chr);
  2.1098 -       chr += rr->len; 
  2.1099 -       len -= rr->len;
  2.1100 -+      if (len < 0) goto out;	/* corrupted isofs */
  2.1101 - 
  2.1102 -       switch(sig){
  2.1103 -       case SIG('R','R'):
  2.1104 -@@ -122,6 +128,7 @@
  2.1105 - 	break;
  2.1106 -       case SIG('N','M'):
  2.1107 - 	if (truncate) break;
  2.1108 -+	if (rr->len < 5) break;
  2.1109 -         /*
  2.1110 - 	 * If the flags are 2 or 4, this indicates '.' or '..'.
  2.1111 - 	 * We don't want to do anything with this, because it
  2.1112 -@@ -186,12 +193,13 @@
  2.1113 -     struct rock_ridge * rr;
  2.1114 -     int rootflag;
  2.1115 -     
  2.1116 --    while (len > 1){ /* There may be one byte for padding somewhere */
  2.1117 -+    while (len > 2){ /* There may be one byte for padding somewhere */
  2.1118 -       rr = (struct rock_ridge *) chr;
  2.1119 --      if (rr->len == 0) goto out; /* Something got screwed up here */
  2.1120 -+      if (rr->len < 3) goto out; /* Something got screwed up here */
  2.1121 -       sig = isonum_721(chr);
  2.1122 -       chr += rr->len; 
  2.1123 -       len -= rr->len;
  2.1124 -+      if (len < 0) goto out;	/* corrupted isofs */
  2.1125 -       
  2.1126 -       switch(sig){
  2.1127 - #ifndef CONFIG_ZISOFS		/* No flag for SF or ZF */
  2.1128 -@@ -462,7 +470,7 @@
  2.1129 - 	struct rock_ridge *rr;
  2.1130 - 
  2.1131 - 	if (!ISOFS_SB(inode->i_sb)->s_rock)
  2.1132 --		panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
  2.1133 -+		goto error;
  2.1134 - 
  2.1135 - 	block = ei->i_iget5_block;
  2.1136 - 	lock_kernel();
  2.1137 -@@ -487,13 +495,15 @@
  2.1138 - 	SETUP_ROCK_RIDGE(raw_inode, chr, len);
  2.1139 - 
  2.1140 -       repeat:
  2.1141 --	while (len > 1) { /* There may be one byte for padding somewhere */
  2.1142 -+	while (len > 2) { /* There may be one byte for padding somewhere */
  2.1143 - 		rr = (struct rock_ridge *) chr;
  2.1144 --		if (rr->len == 0)
  2.1145 -+		if (rr->len < 3)
  2.1146 - 			goto out;	/* Something got screwed up here */
  2.1147 - 		sig = isonum_721(chr);
  2.1148 - 		chr += rr->len;
  2.1149 - 		len -= rr->len;
  2.1150 -+		if (len < 0)
  2.1151 -+			goto out;	/* corrupted isofs */
  2.1152 - 
  2.1153 - 		switch (sig) {
  2.1154 - 		case SIG('R', 'R'):
  2.1155 -@@ -543,6 +553,7 @@
  2.1156 -       fail:
  2.1157 - 	brelse(bh);
  2.1158 - 	unlock_kernel();
  2.1159 -+      error:
  2.1160 - 	SetPageError(page);
  2.1161 - 	kunmap(page);
  2.1162 - 	unlock_page(page);
  2.1163 -diff -Naur linux-2.6.11/fs/jbd/transaction.c linux-2.6.11.10/fs/jbd/transaction.c
  2.1164 ---- linux-2.6.11/fs/jbd/transaction.c	2005-03-01 23:37:53.000000000 -0800
  2.1165 -+++ linux-2.6.11.10/fs/jbd/transaction.c	2005-05-16 10:50:47.000000000 -0700
  2.1166 -@@ -1775,10 +1775,10 @@
  2.1167 - 			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  2.1168 - 			ret = __dispose_buffer(jh,
  2.1169 - 					journal->j_running_transaction);
  2.1170 -+			journal_put_journal_head(jh);
  2.1171 - 			spin_unlock(&journal->j_list_lock);
  2.1172 - 			jbd_unlock_bh_state(bh);
  2.1173 - 			spin_unlock(&journal->j_state_lock);
  2.1174 --			journal_put_journal_head(jh);
  2.1175 - 			return ret;
  2.1176 - 		} else {
  2.1177 - 			/* There is no currently-running transaction. So the
  2.1178 -@@ -1789,10 +1789,10 @@
  2.1179 - 				JBUFFER_TRACE(jh, "give to committing trans");
  2.1180 - 				ret = __dispose_buffer(jh,
  2.1181 - 					journal->j_committing_transaction);
  2.1182 -+				journal_put_journal_head(jh);
  2.1183 - 				spin_unlock(&journal->j_list_lock);
  2.1184 - 				jbd_unlock_bh_state(bh);
  2.1185 - 				spin_unlock(&journal->j_state_lock);
  2.1186 --				journal_put_journal_head(jh);
  2.1187 - 				return ret;
  2.1188 - 			} else {
  2.1189 - 				/* The orphan record's transaction has
  2.1190 -@@ -1813,10 +1813,10 @@
  2.1191 - 					journal->j_running_transaction);
  2.1192 - 			jh->b_next_transaction = NULL;
  2.1193 - 		}
  2.1194 -+		journal_put_journal_head(jh);
  2.1195 - 		spin_unlock(&journal->j_list_lock);
  2.1196 - 		jbd_unlock_bh_state(bh);
  2.1197 - 		spin_unlock(&journal->j_state_lock);
  2.1198 --		journal_put_journal_head(jh);
  2.1199 - 		return 0;
  2.1200 - 	} else {
  2.1201 - 		/* Good, the buffer belongs to the running transaction.
  2.1202 -diff -Naur linux-2.6.11/kernel/exit.c linux-2.6.11.10/kernel/exit.c
  2.1203 ---- linux-2.6.11/kernel/exit.c	2005-03-01 23:38:25.000000000 -0800
  2.1204 -+++ linux-2.6.11.10/kernel/exit.c	2005-05-16 10:51:53.000000000 -0700
  2.1205 -@@ -516,8 +516,6 @@
  2.1206 - 	 */
  2.1207 - 	BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
  2.1208 - 	p->real_parent = reaper;
  2.1209 --	if (p->parent == p->real_parent)
  2.1210 --		BUG();
  2.1211 - }
  2.1212 - 
  2.1213 - static inline void reparent_thread(task_t *p, task_t *father, int traced)
  2.1214 -diff -Naur linux-2.6.11/kernel/signal.c linux-2.6.11.10/kernel/signal.c
  2.1215 ---- linux-2.6.11/kernel/signal.c	2005-03-01 23:38:07.000000000 -0800
  2.1216 -+++ linux-2.6.11.10/kernel/signal.c	2005-05-16 10:51:53.000000000 -0700
  2.1217 -@@ -1728,6 +1728,7 @@
  2.1218 - 			 * with another processor delivering a stop signal,
  2.1219 - 			 * then the SIGCONT that wakes us up should clear it.
  2.1220 - 			 */
  2.1221 -+			read_unlock(&tasklist_lock);
  2.1222 - 			return 0;
  2.1223 - 		}
  2.1224 - 
  2.1225 -diff -Naur linux-2.6.11/lib/rwsem-spinlock.c linux-2.6.11.10/lib/rwsem-spinlock.c
  2.1226 ---- linux-2.6.11/lib/rwsem-spinlock.c	2005-03-01 23:38:34.000000000 -0800
  2.1227 -+++ linux-2.6.11.10/lib/rwsem-spinlock.c	2005-05-16 10:51:54.000000000 -0700
  2.1228 -@@ -140,12 +140,12 @@
  2.1229 - 
  2.1230 - 	rwsemtrace(sem, "Entering __down_read");
  2.1231 - 
  2.1232 --	spin_lock(&sem->wait_lock);
  2.1233 -+	spin_lock_irq(&sem->wait_lock);
  2.1234 - 
  2.1235 - 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  2.1236 - 		/* granted */
  2.1237 - 		sem->activity++;
  2.1238 --		spin_unlock(&sem->wait_lock);
  2.1239 -+		spin_unlock_irq(&sem->wait_lock);
  2.1240 - 		goto out;
  2.1241 - 	}
  2.1242 - 
  2.1243 -@@ -160,7 +160,7 @@
  2.1244 - 	list_add_tail(&waiter.list, &sem->wait_list);
  2.1245 - 
  2.1246 - 	/* we don't need to touch the semaphore struct anymore */
  2.1247 --	spin_unlock(&sem->wait_lock);
  2.1248 -+	spin_unlock_irq(&sem->wait_lock);
  2.1249 - 
  2.1250 - 	/* wait to be given the lock */
  2.1251 - 	for (;;) {
  2.1252 -@@ -181,10 +181,12 @@
  2.1253 -  */
  2.1254 - int fastcall __down_read_trylock(struct rw_semaphore *sem)
  2.1255 - {
  2.1256 -+	unsigned long flags;
  2.1257 - 	int ret = 0;
  2.1258 -+
  2.1259 - 	rwsemtrace(sem, "Entering __down_read_trylock");
  2.1260 - 
  2.1261 --	spin_lock(&sem->wait_lock);
  2.1262 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1263 - 
  2.1264 - 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  2.1265 - 		/* granted */
  2.1266 -@@ -192,7 +194,7 @@
  2.1267 - 		ret = 1;
  2.1268 - 	}
  2.1269 - 
  2.1270 --	spin_unlock(&sem->wait_lock);
  2.1271 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1272 - 
  2.1273 - 	rwsemtrace(sem, "Leaving __down_read_trylock");
  2.1274 - 	return ret;
  2.1275 -@@ -209,12 +211,12 @@
  2.1276 - 
  2.1277 - 	rwsemtrace(sem, "Entering __down_write");
  2.1278 - 
  2.1279 --	spin_lock(&sem->wait_lock);
  2.1280 -+	spin_lock_irq(&sem->wait_lock);
  2.1281 - 
  2.1282 - 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  2.1283 - 		/* granted */
  2.1284 - 		sem->activity = -1;
  2.1285 --		spin_unlock(&sem->wait_lock);
  2.1286 -+		spin_unlock_irq(&sem->wait_lock);
  2.1287 - 		goto out;
  2.1288 - 	}
  2.1289 - 
  2.1290 -@@ -229,7 +231,7 @@
  2.1291 - 	list_add_tail(&waiter.list, &sem->wait_list);
  2.1292 - 
  2.1293 - 	/* we don't need to touch the semaphore struct anymore */
  2.1294 --	spin_unlock(&sem->wait_lock);
  2.1295 -+	spin_unlock_irq(&sem->wait_lock);
  2.1296 - 
  2.1297 - 	/* wait to be given the lock */
  2.1298 - 	for (;;) {
  2.1299 -@@ -250,10 +252,12 @@
  2.1300 -  */
  2.1301 - int fastcall __down_write_trylock(struct rw_semaphore *sem)
  2.1302 - {
  2.1303 -+	unsigned long flags;
  2.1304 - 	int ret = 0;
  2.1305 -+
  2.1306 - 	rwsemtrace(sem, "Entering __down_write_trylock");
  2.1307 - 
  2.1308 --	spin_lock(&sem->wait_lock);
  2.1309 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1310 - 
  2.1311 - 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  2.1312 - 		/* granted */
  2.1313 -@@ -261,7 +265,7 @@
  2.1314 - 		ret = 1;
  2.1315 - 	}
  2.1316 - 
  2.1317 --	spin_unlock(&sem->wait_lock);
  2.1318 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1319 - 
  2.1320 - 	rwsemtrace(sem, "Leaving __down_write_trylock");
  2.1321 - 	return ret;
  2.1322 -@@ -272,14 +276,16 @@
  2.1323 -  */
  2.1324 - void fastcall __up_read(struct rw_semaphore *sem)
  2.1325 - {
  2.1326 -+	unsigned long flags;
  2.1327 -+
  2.1328 - 	rwsemtrace(sem, "Entering __up_read");
  2.1329 - 
  2.1330 --	spin_lock(&sem->wait_lock);
  2.1331 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1332 - 
  2.1333 - 	if (--sem->activity == 0 && !list_empty(&sem->wait_list))
  2.1334 - 		sem = __rwsem_wake_one_writer(sem);
  2.1335 - 
  2.1336 --	spin_unlock(&sem->wait_lock);
  2.1337 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1338 - 
  2.1339 - 	rwsemtrace(sem, "Leaving __up_read");
  2.1340 - }
  2.1341 -@@ -289,15 +295,17 @@
  2.1342 -  */
  2.1343 - void fastcall __up_write(struct rw_semaphore *sem)
  2.1344 - {
  2.1345 -+	unsigned long flags;
  2.1346 -+
  2.1347 - 	rwsemtrace(sem, "Entering __up_write");
  2.1348 - 
  2.1349 --	spin_lock(&sem->wait_lock);
  2.1350 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1351 - 
  2.1352 - 	sem->activity = 0;
  2.1353 - 	if (!list_empty(&sem->wait_list))
  2.1354 - 		sem = __rwsem_do_wake(sem, 1);
  2.1355 - 
  2.1356 --	spin_unlock(&sem->wait_lock);
  2.1357 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1358 - 
  2.1359 - 	rwsemtrace(sem, "Leaving __up_write");
  2.1360 - }
  2.1361 -@@ -308,15 +316,17 @@
  2.1362 -  */
  2.1363 - void fastcall __downgrade_write(struct rw_semaphore *sem)
  2.1364 - {
  2.1365 -+	unsigned long flags;
  2.1366 -+
  2.1367 - 	rwsemtrace(sem, "Entering __downgrade_write");
  2.1368 - 
  2.1369 --	spin_lock(&sem->wait_lock);
  2.1370 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1371 - 
  2.1372 - 	sem->activity = 1;
  2.1373 - 	if (!list_empty(&sem->wait_list))
  2.1374 - 		sem = __rwsem_do_wake(sem, 0);
  2.1375 - 
  2.1376 --	spin_unlock(&sem->wait_lock);
  2.1377 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1378 - 
  2.1379 - 	rwsemtrace(sem, "Leaving __downgrade_write");
  2.1380 - }
  2.1381 -diff -Naur linux-2.6.11/lib/rwsem.c linux-2.6.11.10/lib/rwsem.c
  2.1382 ---- linux-2.6.11/lib/rwsem.c	2005-03-01 23:38:34.000000000 -0800
  2.1383 -+++ linux-2.6.11.10/lib/rwsem.c	2005-05-16 10:51:54.000000000 -0700
  2.1384 -@@ -150,7 +150,7 @@
  2.1385 - 	set_task_state(tsk, TASK_UNINTERRUPTIBLE);
  2.1386 - 
  2.1387 - 	/* set up my own style of waitqueue */
  2.1388 --	spin_lock(&sem->wait_lock);
  2.1389 -+	spin_lock_irq(&sem->wait_lock);
  2.1390 - 	waiter->task = tsk;
  2.1391 - 	get_task_struct(tsk);
  2.1392 - 
  2.1393 -@@ -163,7 +163,7 @@
  2.1394 - 	if (!(count & RWSEM_ACTIVE_MASK))
  2.1395 - 		sem = __rwsem_do_wake(sem, 0);
  2.1396 - 
  2.1397 --	spin_unlock(&sem->wait_lock);
  2.1398 -+	spin_unlock_irq(&sem->wait_lock);
  2.1399 - 
  2.1400 - 	/* wait to be given the lock */
  2.1401 - 	for (;;) {
  2.1402 -@@ -219,15 +219,17 @@
  2.1403 -  */
  2.1404 - struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
  2.1405 - {
  2.1406 -+	unsigned long flags;
  2.1407 -+
  2.1408 - 	rwsemtrace(sem, "Entering rwsem_wake");
  2.1409 - 
  2.1410 --	spin_lock(&sem->wait_lock);
  2.1411 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1412 - 
  2.1413 - 	/* do nothing if list empty */
  2.1414 - 	if (!list_empty(&sem->wait_list))
  2.1415 - 		sem = __rwsem_do_wake(sem, 0);
  2.1416 - 
  2.1417 --	spin_unlock(&sem->wait_lock);
  2.1418 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1419 - 
  2.1420 - 	rwsemtrace(sem, "Leaving rwsem_wake");
  2.1421 - 
  2.1422 -@@ -241,15 +243,17 @@
  2.1423 -  */
  2.1424 - struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
  2.1425 - {
  2.1426 -+	unsigned long flags;
  2.1427 -+
  2.1428 - 	rwsemtrace(sem, "Entering rwsem_downgrade_wake");
  2.1429 - 
  2.1430 --	spin_lock(&sem->wait_lock);
  2.1431 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1432 - 
  2.1433 - 	/* do nothing if list empty */
  2.1434 - 	if (!list_empty(&sem->wait_list))
  2.1435 - 		sem = __rwsem_do_wake(sem, 1);
  2.1436 - 
  2.1437 --	spin_unlock(&sem->wait_lock);
  2.1438 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1439 - 
  2.1440 - 	rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
  2.1441 - 	return sem;
  2.1442 -diff -Naur linux-2.6.11/net/bluetooth/af_bluetooth.c linux-2.6.11.10/net/bluetooth/af_bluetooth.c
  2.1443 ---- linux-2.6.11/net/bluetooth/af_bluetooth.c	2005-03-01 23:37:49.000000000 -0800
  2.1444 -+++ linux-2.6.11.10/net/bluetooth/af_bluetooth.c	2005-05-16 10:51:56.000000000 -0700
  2.1445 -@@ -64,7 +64,7 @@
  2.1446 - 
  2.1447 - int bt_sock_register(int proto, struct net_proto_family *ops)
  2.1448 - {
  2.1449 --	if (proto >= BT_MAX_PROTO)
  2.1450 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1451 - 		return -EINVAL;
  2.1452 - 
  2.1453 - 	if (bt_proto[proto])
  2.1454 -@@ -77,7 +77,7 @@
  2.1455 - 
  2.1456 - int bt_sock_unregister(int proto)
  2.1457 - {
  2.1458 --	if (proto >= BT_MAX_PROTO)
  2.1459 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1460 - 		return -EINVAL;
  2.1461 - 
  2.1462 - 	if (!bt_proto[proto])
  2.1463 -@@ -92,7 +92,7 @@
  2.1464 - {
  2.1465 - 	int err = 0;
  2.1466 - 
  2.1467 --	if (proto >= BT_MAX_PROTO)
  2.1468 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1469 - 		return -EINVAL;
  2.1470 - 
  2.1471 - #if defined(CONFIG_KMOD)
  2.1472 -diff -Naur linux-2.6.11/net/ipv4/fib_hash.c linux-2.6.11.10/net/ipv4/fib_hash.c
  2.1473 ---- linux-2.6.11/net/ipv4/fib_hash.c	2005-03-01 23:38:09.000000000 -0800
  2.1474 -+++ linux-2.6.11.10/net/ipv4/fib_hash.c	2005-05-16 10:51:57.000000000 -0700
  2.1475 -@@ -919,13 +919,23 @@
  2.1476 - 	return fa;
  2.1477 - }
  2.1478 - 
  2.1479 -+static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
  2.1480 -+{
  2.1481 -+	struct fib_alias *fa = fib_get_first(seq);
  2.1482 -+
  2.1483 -+	if (fa)
  2.1484 -+		while (pos && (fa = fib_get_next(seq)))
  2.1485 -+			--pos;
  2.1486 -+	return pos ? NULL : fa;
  2.1487 -+}
  2.1488 -+
  2.1489 - static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
  2.1490 - {
  2.1491 - 	void *v = NULL;
  2.1492 - 
  2.1493 - 	read_lock(&fib_hash_lock);
  2.1494 - 	if (ip_fib_main_table)
  2.1495 --		v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
  2.1496 -+		v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
  2.1497 - 	return v;
  2.1498 - }
  2.1499 - 
  2.1500 -diff -Naur linux-2.6.11/net/ipv4/tcp_input.c linux-2.6.11.10/net/ipv4/tcp_input.c
  2.1501 ---- linux-2.6.11/net/ipv4/tcp_input.c	2005-03-01 23:38:17.000000000 -0800
  2.1502 -+++ linux-2.6.11.10/net/ipv4/tcp_input.c	2005-05-16 10:52:00.000000000 -0700
  2.1503 -@@ -1653,7 +1653,10 @@
  2.1504 - static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
  2.1505 - {
  2.1506 - 	if (tp->prior_ssthresh) {
  2.1507 --		tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  2.1508 -+		if (tcp_is_bic(tp))
  2.1509 -+			tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
  2.1510 -+		else
  2.1511 -+			tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  2.1512 - 
  2.1513 - 		if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
  2.1514 - 			tp->snd_ssthresh = tp->prior_ssthresh;
  2.1515 -diff -Naur linux-2.6.11/net/ipv4/tcp_timer.c linux-2.6.11.10/net/ipv4/tcp_timer.c
  2.1516 ---- linux-2.6.11/net/ipv4/tcp_timer.c	2005-03-01 23:38:26.000000000 -0800
  2.1517 -+++ linux-2.6.11.10/net/ipv4/tcp_timer.c	2005-05-16 10:52:00.000000000 -0700
  2.1518 -@@ -38,6 +38,7 @@
  2.1519 - 
  2.1520 - #ifdef TCP_DEBUG
  2.1521 - const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
  2.1522 -+EXPORT_SYMBOL(tcp_timer_bug_msg);
  2.1523 - #endif
  2.1524 - 
  2.1525 - /*
  2.1526 -diff -Naur linux-2.6.11/net/ipv4/xfrm4_output.c linux-2.6.11.10/net/ipv4/xfrm4_output.c
  2.1527 ---- linux-2.6.11/net/ipv4/xfrm4_output.c	2005-03-01 23:37:50.000000000 -0800
  2.1528 -+++ linux-2.6.11.10/net/ipv4/xfrm4_output.c	2005-05-16 10:52:00.000000000 -0700
  2.1529 -@@ -103,17 +103,17 @@
  2.1530 - 			goto error_nolock;
  2.1531 - 	}
  2.1532 - 
  2.1533 --	spin_lock_bh(&x->lock);
  2.1534 --	err = xfrm_state_check(x, skb);
  2.1535 --	if (err)
  2.1536 --		goto error;
  2.1537 --
  2.1538 - 	if (x->props.mode) {
  2.1539 - 		err = xfrm4_tunnel_check_size(skb);
  2.1540 - 		if (err)
  2.1541 --			goto error;
  2.1542 -+			goto error_nolock;
  2.1543 - 	}
  2.1544 - 
  2.1545 -+	spin_lock_bh(&x->lock);
  2.1546 -+	err = xfrm_state_check(x, skb);
  2.1547 -+	if (err)
  2.1548 -+		goto error;
  2.1549 -+
  2.1550 - 	xfrm4_encap(skb);
  2.1551 - 
  2.1552 - 	err = x->type->output(skb);
  2.1553 -diff -Naur linux-2.6.11/net/ipv6/xfrm6_output.c linux-2.6.11.10/net/ipv6/xfrm6_output.c
  2.1554 ---- linux-2.6.11/net/ipv6/xfrm6_output.c	2005-03-01 23:38:25.000000000 -0800
  2.1555 -+++ linux-2.6.11.10/net/ipv6/xfrm6_output.c	2005-05-16 10:52:00.000000000 -0700
  2.1556 -@@ -103,17 +103,17 @@
  2.1557 - 			goto error_nolock;
  2.1558 - 	}
  2.1559 - 
  2.1560 --	spin_lock_bh(&x->lock);
  2.1561 --	err = xfrm_state_check(x, skb);
  2.1562 --	if (err)
  2.1563 --		goto error;
  2.1564 --
  2.1565 - 	if (x->props.mode) {
  2.1566 - 		err = xfrm6_tunnel_check_size(skb);
  2.1567 - 		if (err)
  2.1568 --			goto error;
  2.1569 -+			goto error_nolock;
  2.1570 - 	}
  2.1571 - 
  2.1572 -+	spin_lock_bh(&x->lock);
  2.1573 -+	err = xfrm_state_check(x, skb);
  2.1574 -+	if (err)
  2.1575 -+		goto error;
  2.1576 -+
  2.1577 - 	xfrm6_encap(skb);
  2.1578 - 
  2.1579 - 	err = x->type->output(skb);
  2.1580 -diff -Naur linux-2.6.11/net/netrom/nr_in.c linux-2.6.11.10/net/netrom/nr_in.c
  2.1581 ---- linux-2.6.11/net/netrom/nr_in.c	2005-03-01 23:38:01.000000000 -0800
  2.1582 -+++ linux-2.6.11.10/net/netrom/nr_in.c	2005-05-16 10:52:02.000000000 -0700
  2.1583 -@@ -74,7 +74,6 @@
  2.1584 - static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
  2.1585 - 	int frametype)
  2.1586 - {
  2.1587 --	bh_lock_sock(sk);
  2.1588 - 	switch (frametype) {
  2.1589 - 	case NR_CONNACK: {
  2.1590 - 		nr_cb *nr = nr_sk(sk);
  2.1591 -@@ -103,8 +102,6 @@
  2.1592 - 	default:
  2.1593 - 		break;
  2.1594 - 	}
  2.1595 --	bh_unlock_sock(sk);
  2.1596 --
  2.1597 - 	return 0;
  2.1598 - }
  2.1599 - 
  2.1600 -@@ -116,7 +113,6 @@
  2.1601 - static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
  2.1602 - 	int frametype)
  2.1603 - {
  2.1604 --	bh_lock_sock(sk);
  2.1605 - 	switch (frametype) {
  2.1606 - 	case NR_CONNACK | NR_CHOKE_FLAG:
  2.1607 - 		nr_disconnect(sk, ECONNRESET);
  2.1608 -@@ -132,8 +128,6 @@
  2.1609 - 	default:
  2.1610 - 		break;
  2.1611 - 	}
  2.1612 --	bh_unlock_sock(sk);
  2.1613 --
  2.1614 - 	return 0;
  2.1615 - }
  2.1616 - 
  2.1617 -@@ -154,7 +148,6 @@
  2.1618 - 	nr = skb->data[18];
  2.1619 - 	ns = skb->data[17];
  2.1620 - 
  2.1621 --	bh_lock_sock(sk);
  2.1622 - 	switch (frametype) {
  2.1623 - 	case NR_CONNREQ:
  2.1624 - 		nr_write_internal(sk, NR_CONNACK);
  2.1625 -@@ -265,8 +258,6 @@
  2.1626 - 	default:
  2.1627 - 		break;
  2.1628 - 	}
  2.1629 --	bh_unlock_sock(sk);
  2.1630 --
  2.1631 - 	return queued;
  2.1632 - }
  2.1633 - 
  2.1634 -diff -Naur linux-2.6.11/net/xfrm/xfrm_state.c linux-2.6.11.10/net/xfrm/xfrm_state.c
  2.1635 ---- linux-2.6.11/net/xfrm/xfrm_state.c	2005-03-01 23:38:17.000000000 -0800
  2.1636 -+++ linux-2.6.11.10/net/xfrm/xfrm_state.c	2005-05-16 10:52:04.000000000 -0700
  2.1637 -@@ -609,7 +609,7 @@
  2.1638 - 
  2.1639 - 	for (i = 0; i < XFRM_DST_HSIZE; i++) {
  2.1640 - 		list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
  2.1641 --			if (x->km.seq == seq) {
  2.1642 -+			if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
  2.1643 - 				xfrm_state_hold(x);
  2.1644 - 				return x;
  2.1645 - 			}
  2.1646 -diff -Naur linux-2.6.11/security/keys/key.c linux-2.6.11.10/security/keys/key.c
  2.1647 ---- linux-2.6.11/security/keys/key.c	2005-03-01 23:38:25.000000000 -0800
  2.1648 -+++ linux-2.6.11.10/security/keys/key.c	2005-05-16 10:52:06.000000000 -0700
  2.1649 -@@ -57,9 +57,10 @@
  2.1650 - {
  2.1651 - 	struct key_user *candidate = NULL, *user;
  2.1652 - 	struct rb_node *parent = NULL;
  2.1653 --	struct rb_node **p = &key_user_tree.rb_node;
  2.1654 -+	struct rb_node **p;
  2.1655 - 
  2.1656 -  try_again:
  2.1657 -+	p = &key_user_tree.rb_node;
  2.1658 - 	spin_lock(&key_user_lock);
  2.1659 - 
  2.1660 - 	/* search the tree for a user record with a matching UID */
  2.1661 -diff -Naur linux-2.6.11/sound/core/timer.c linux-2.6.11.10/sound/core/timer.c
  2.1662 ---- linux-2.6.11/sound/core/timer.c	2005-03-01 23:38:12.000000000 -0800
  2.1663 -+++ linux-2.6.11.10/sound/core/timer.c	2005-05-16 10:52:08.000000000 -0700
  2.1664 -@@ -1117,7 +1117,8 @@
  2.1665 - 	if (tu->qused >= tu->queue_size) {
  2.1666 - 		tu->overrun++;
  2.1667 - 	} else {
  2.1668 --		memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
  2.1669 -+		memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
  2.1670 -+		tu->qtail %= tu->queue_size;
  2.1671 - 		tu->qused++;
  2.1672 - 	}
  2.1673 - }
  2.1674 -@@ -1140,6 +1141,8 @@
  2.1675 - 	spin_lock(&tu->qlock);
  2.1676 - 	snd_timer_user_append_to_tqueue(tu, &r1);
  2.1677 - 	spin_unlock(&tu->qlock);
  2.1678 -+	kill_fasync(&tu->fasync, SIGIO, POLL_IN);
  2.1679 -+	wake_up(&tu->qchange_sleep);
  2.1680 - }
  2.1681 - 
  2.1682 - static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
  2.1683 -diff -Naur linux-2.6.11/sound/pci/ac97/ac97_codec.c linux-2.6.11.10/sound/pci/ac97/ac97_codec.c
  2.1684 ---- linux-2.6.11/sound/pci/ac97/ac97_codec.c	2005-03-01 23:38:37.000000000 -0800
  2.1685 -+++ linux-2.6.11.10/sound/pci/ac97/ac97_codec.c	2005-05-16 10:52:15.000000000 -0700
  2.1686 -@@ -1185,7 +1185,7 @@
  2.1687 - /*
  2.1688 -  * create mute switch(es) for normal stereo controls
  2.1689 -  */
  2.1690 --static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
  2.1691 -+static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
  2.1692 - {
  2.1693 - 	snd_kcontrol_t *kctl;
  2.1694 - 	int err;
  2.1695 -@@ -1196,7 +1196,7 @@
  2.1696 - 
  2.1697 - 	mute_mask = 0x8000;
  2.1698 - 	val = snd_ac97_read(ac97, reg);
  2.1699 --	if (ac97->flags & AC97_STEREO_MUTES) {
  2.1700 -+	if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
  2.1701 - 		/* check whether both mute bits work */
  2.1702 - 		val1 = val | 0x8080;
  2.1703 - 		snd_ac97_write(ac97, reg, val1);
  2.1704 -@@ -1254,7 +1254,7 @@
  2.1705 - /*
  2.1706 -  * create a mute-switch and a volume for normal stereo/mono controls
  2.1707 -  */
  2.1708 --static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
  2.1709 -+static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
  2.1710 - {
  2.1711 - 	int err;
  2.1712 - 	char name[44];
  2.1713 -@@ -1265,7 +1265,7 @@
  2.1714 - 
  2.1715 - 	if (snd_ac97_try_bit(ac97, reg, 15)) {
  2.1716 - 		sprintf(name, "%s Switch", pfx);
  2.1717 --		if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
  2.1718 -+		if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
  2.1719 - 			return err;
  2.1720 - 	}
  2.1721 - 	check_volume_resolution(ac97, reg, &lo_max, &hi_max);
  2.1722 -@@ -1277,6 +1277,8 @@
  2.1723 - 	return 0;
  2.1724 - }
  2.1725 - 
  2.1726 -+#define snd_ac97_cmix_new(card, pfx, reg, ac97)	snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
  2.1727 -+#define snd_ac97_cmute_new(card, name, reg, ac97)	snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
  2.1728 - 
  2.1729 - static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
  2.1730 - 
  2.1731 -@@ -1327,7 +1329,8 @@
  2.1732 - 
  2.1733 - 	/* build surround controls */
  2.1734 - 	if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
  2.1735 --		if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
  2.1736 -+		/* Surround Master (0x38) is with stereo mutes */
  2.1737 -+		if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
  2.1738 - 			return err;
  2.1739 - 	}
  2.1740 - 
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/patches/linux-2.6.11/linux-2.6.11.11.patch	Mon May 30 20:36:03 2005 +0000
     3.3 @@ -0,0 +1,2304 @@
     3.4 +diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs
     3.5 +new file mode 100644
     3.6 +--- /dev/null
     3.7 ++++ b/Documentation/SecurityBugs
     3.8 +@@ -0,0 +1,38 @@
     3.9 ++Linux kernel developers take security very seriously.  As such, we'd
    3.10 ++like to know when a security bug is found so that it can be fixed and
    3.11 ++disclosed as quickly as possible.  Please report security bugs to the
    3.12 ++Linux kernel security team.
    3.13 ++
    3.14 ++1) Contact
    3.15 ++
    3.16 ++The Linux kernel security team can be contacted by email at
    3.17 ++<security@kernel.org>.  This is a private list of security officers
    3.18 ++who will help verify the bug report and develop and release a fix.
    3.19 ++It is possible that the security team will bring in extra help from
    3.20 ++area maintainers to understand and fix the security vulnerability.
    3.21 ++
    3.22 ++As it is with any bug, the more information provided the easier it
    3.23 ++will be to diagnose and fix.  Please review the procedure outlined in
    3.24 ++REPORTING-BUGS if you are unclear about what information is helpful.
    3.25 ++Any exploit code is very helpful and will not be released without
    3.26 ++consent from the reporter unless it has already been made public.
    3.27 ++
    3.28 ++2) Disclosure
    3.29 ++
    3.30 ++The goal of the Linux kernel security team is to work with the
    3.31 ++bug submitter to bug resolution as well as disclosure.  We prefer
    3.32 ++to fully disclose the bug as soon as possible.  It is reasonable to
    3.33 ++delay disclosure when the bug or the fix is not yet fully understood,
    3.34 ++the solution is not well-tested or for vendor coordination.  However, we
    3.35 ++expect these delays to be short, measurable in days, not weeks or months.
    3.36 ++A disclosure date is negotiated by the security team working with the
    3.37 ++bug submitter as well as vendors.  However, the kernel security team
    3.38 ++holds the final say when setting a disclosure date.  The timeframe for
    3.39 ++disclosure is from immediate (esp. if it's already publically known)
    3.40 ++to a few weeks.  As a basic default policy, we expect report date to
    3.41 ++disclosure date to be on the order of 7 days.
    3.42 ++
    3.43 ++3) Non-disclosure agreements
    3.44 ++
    3.45 ++The Linux kernel security team is not a formal body and therefore unable
    3.46 ++to enter any non-disclosure agreements.
    3.47 +diff --git a/MAINTAINERS b/MAINTAINERS
    3.48 +--- a/MAINTAINERS
    3.49 ++++ b/MAINTAINERS
    3.50 +@@ -1966,6 +1966,11 @@ M:	christer@weinigel.se
    3.51 + W:	http://www.weinigel.se
    3.52 + S:	Supported
    3.53 + 
    3.54 ++SECURITY CONTACT
    3.55 ++P:	Security Officers
    3.56 ++M:	security@kernel.org
    3.57 ++S:	Supported
    3.58 ++
    3.59 + SELINUX SECURITY MODULE
    3.60 + P:	Stephen Smalley
    3.61 + M:	sds@epoch.ncsc.mil
    3.62 +diff --git a/Makefile b/Makefile
    3.63 +--- a/Makefile
    3.64 ++++ b/Makefile
    3.65 +@@ -1,8 +1,8 @@
    3.66 + VERSION = 2
    3.67 + PATCHLEVEL = 6
    3.68 + SUBLEVEL = 11
    3.69 +-EXTRAVERSION =
    3.70 +-NAME=Woozy Numbat
    3.71 ++EXTRAVERSION = .11
    3.72 ++NAME=Woozy Beaver
    3.73 + 
    3.74 + # *DOCUMENTATION*
    3.75 + # To see a list of typical targets execute "make help"
    3.76 +diff --git a/REPORTING-BUGS b/REPORTING-BUGS
    3.77 +--- a/REPORTING-BUGS
    3.78 ++++ b/REPORTING-BUGS
    3.79 +@@ -16,6 +16,10 @@ code relevant to what you were doing. If
    3.80 + describe how to recreate it. That is worth even more than the oops itself.
    3.81 + The list of maintainers is in the MAINTAINERS file in this directory.
    3.82 + 
    3.83 ++      If it is a security bug, please copy the Security Contact listed
    3.84 ++in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
    3.85 ++See Documentation/SecurityBugs for more infomation.
    3.86 ++
    3.87 +       If you are totally stumped as to whom to send the report, send it to
    3.88 + linux-kernel@vger.kernel.org. (For more information on the linux-kernel
    3.89 + mailing list see http://www.tux.org/lkml/).
    3.90 +diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
    3.91 +--- a/arch/ia64/kernel/fsys.S
    3.92 ++++ b/arch/ia64/kernel/fsys.S
    3.93 +@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down)
    3.94 + 	movl r2=ia64_ret_from_syscall
    3.95 + 	;;
    3.96 + 	mov rp=r2				// set the real return addr
    3.97 +-	tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
    3.98 ++	and r3=_TIF_SYSCALL_TRACEAUDIT,r3
    3.99 + 	;;
   3.100 ++	cmp.eq p8,p0=r3,r0
   3.101 ++
   3.102 + (p10)	br.cond.spnt.many ia64_ret_from_syscall	// p10==true means out registers are more than 8
   3.103 + (p8)	br.call.sptk.many b6=b6		// ignore this return addr
   3.104 + 	br.cond.sptk ia64_trace_syscall
   3.105 +diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
   3.106 +--- a/arch/ia64/kernel/signal.c
   3.107 ++++ b/arch/ia64/kernel/signal.c
   3.108 +@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc
   3.109 + 	 * could be corrupted.
   3.110 + 	 */
   3.111 + 	retval = (long) &ia64_leave_kernel;
   3.112 +-	if (test_thread_flag(TIF_SYSCALL_TRACE))
   3.113 ++	if (test_thread_flag(TIF_SYSCALL_TRACE)
   3.114 ++	    || test_thread_flag(TIF_SYSCALL_AUDIT))
   3.115 + 		/*
   3.116 + 		 * strace expects to be notified after sigreturn returns even though the
   3.117 + 		 * context to which we return may not be in the middle of a syscall.
   3.118 +diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
   3.119 +--- a/arch/ppc/oprofile/op_model_fsl_booke.c
   3.120 ++++ b/arch/ppc/oprofile/op_model_fsl_booke.c
   3.121 +@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s
   3.122 + 	int is_kernel;
   3.123 + 	int val;
   3.124 + 	int i;
   3.125 +-	unsigned int cpu = smp_processor_id();
   3.126 + 
   3.127 + 	/* set the PMM bit (see comment below) */
   3.128 + 	mtmsr(mfmsr() | MSR_PMM);
   3.129 +@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s
   3.130 + 		val = ctr_read(i);
   3.131 + 		if (val < 0) {
   3.132 + 			if (oprofile_running && ctr[i].enabled) {
   3.133 +-				oprofile_add_sample(pc, is_kernel, i, cpu);
   3.134 ++				oprofile_add_pc(pc, is_kernel, i);
   3.135 + 				ctr_write(i, reset_value[i]);
   3.136 + 			} else {
   3.137 + 				ctr_write(i, 0);
   3.138 +diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
   3.139 +--- a/arch/ppc/platforms/4xx/ebony.h
   3.140 ++++ b/arch/ppc/platforms/4xx/ebony.h
   3.141 +@@ -61,8 +61,8 @@
   3.142 +  */
   3.143 + 
   3.144 + /* OpenBIOS defined UART mappings, used before early_serial_setup */
   3.145 +-#define UART0_IO_BASE	(u8 *) 0xE0000200
   3.146 +-#define UART1_IO_BASE	(u8 *) 0xE0000300
   3.147 ++#define UART0_IO_BASE	0xE0000200
   3.148 ++#define UART1_IO_BASE	0xE0000300
   3.149 + 
   3.150 + /* external Epson SG-615P */
   3.151 + #define BASE_BAUD	691200
   3.152 +diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
   3.153 +--- a/arch/ppc/platforms/4xx/luan.h
   3.154 ++++ b/arch/ppc/platforms/4xx/luan.h
   3.155 +@@ -47,9 +47,9 @@
   3.156 + #define RS_TABLE_SIZE	3
   3.157 + 
   3.158 + /* PIBS defined UART mappings, used before early_serial_setup */
   3.159 +-#define UART0_IO_BASE	(u8 *) 0xa0000200
   3.160 +-#define UART1_IO_BASE	(u8 *) 0xa0000300
   3.161 +-#define UART2_IO_BASE	(u8 *) 0xa0000600
   3.162 ++#define UART0_IO_BASE	0xa0000200
   3.163 ++#define UART1_IO_BASE	0xa0000300
   3.164 ++#define UART2_IO_BASE	0xa0000600
   3.165 + 
   3.166 + #define BASE_BAUD	11059200
   3.167 + #define STD_UART_OP(num)					\
   3.168 +diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
   3.169 +--- a/arch/ppc/platforms/4xx/ocotea.h
   3.170 ++++ b/arch/ppc/platforms/4xx/ocotea.h
   3.171 +@@ -56,8 +56,8 @@
   3.172 + #define RS_TABLE_SIZE	2
   3.173 + 
   3.174 + /* OpenBIOS defined UART mappings, used before early_serial_setup */
   3.175 +-#define UART0_IO_BASE	(u8 *) 0xE0000200
   3.176 +-#define UART1_IO_BASE	(u8 *) 0xE0000300
   3.177 ++#define UART0_IO_BASE	0xE0000200
   3.178 ++#define UART1_IO_BASE	0xE0000300
   3.179 + 
   3.180 + #define BASE_BAUD	11059200/16
   3.181 + #define STD_UART_OP(num)					\
   3.182 +diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c
   3.183 +--- a/arch/ppc64/kernel/pSeries_iommu.c
   3.184 ++++ b/arch/ppc64/kernel/pSeries_iommu.c
   3.185 +@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st
   3.186 + 	struct device_node *dn, *pdn;
   3.187 + 	unsigned int *dma_window = NULL;
   3.188 + 
   3.189 ++	DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self);
   3.190 ++
   3.191 + 	dn = pci_bus_to_OF_node(bus);
   3.192 + 
   3.193 + 	/* Find nearest ibm,dma-window, walking up the device tree */
   3.194 +@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru
   3.195 + 	}
   3.196 + }
   3.197 + 
   3.198 ++static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev)
   3.199 ++{
   3.200 ++	struct device_node *pdn, *dn;
   3.201 ++	struct iommu_table *tbl;
   3.202 ++	int *dma_window = NULL;
   3.203 ++
   3.204 ++	DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name);
   3.205 ++
   3.206 ++	/* dev setup for LPAR is a little tricky, since the device tree might
   3.207 ++	 * contain the dma-window properties per-device and not neccesarily
   3.208 ++	 * for the bus. So we need to search upwards in the tree until we
   3.209 ++	 * either hit a dma-window property, OR find a parent with a table
   3.210 ++	 * already allocated.
   3.211 ++	 */
   3.212 ++	dn = pci_device_to_OF_node(dev);
   3.213 ++
   3.214 ++	for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) {
   3.215 ++		dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL);
   3.216 ++		if (dma_window)
   3.217 ++			break;
   3.218 ++	}
   3.219 ++
   3.220 ++	/* Check for parent == NULL so we don't try to setup the empty EADS
   3.221 ++	 * slots on POWER4 machines.
   3.222 ++	 */
   3.223 ++	if (dma_window == NULL || pdn->parent == NULL) {
   3.224 ++		/* Fall back to regular (non-LPAR) dev setup */
   3.225 ++		DBG("No dma window for device, falling back to regular setup\n");
   3.226 ++		iommu_dev_setup_pSeries(dev);
   3.227 ++		return;
   3.228 ++	} else {
   3.229 ++		DBG("Found DMA window, allocating table\n");
   3.230 ++	}
   3.231 ++
   3.232 ++	if (!pdn->iommu_table) {
   3.233 ++		/* iommu_table_setparms_lpar needs bussubno. */
   3.234 ++		pdn->bussubno = pdn->phb->bus->number;
   3.235 ++
   3.236 ++		tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table),
   3.237 ++						    GFP_KERNEL);
   3.238 ++
   3.239 ++		iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window);
   3.240 ++
   3.241 ++		pdn->iommu_table = iommu_init_table(tbl);
   3.242 ++	}
   3.243 ++
   3.244 ++	if (pdn != dn)
   3.245 ++		dn->iommu_table = pdn->iommu_table;
   3.246 ++}
   3.247 ++
   3.248 + static void iommu_bus_setup_null(struct pci_bus *b) { }
   3.249 + static void iommu_dev_setup_null(struct pci_dev *d) { }
   3.250 + 
   3.251 +@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void)
   3.252 + 			ppc_md.tce_free	 = tce_free_pSeriesLP;
   3.253 + 		}
   3.254 + 		ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP;
   3.255 ++		ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP;
   3.256 + 	} else {
   3.257 + 		ppc_md.tce_build = tce_build_pSeries;
   3.258 + 		ppc_md.tce_free  = tce_free_pSeries;
   3.259 + 		ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries;
   3.260 ++		ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
   3.261 + 	}
   3.262 + 
   3.263 +-	ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
   3.264 + 
   3.265 + 	pci_iommu_init();
   3.266 + }
   3.267 +diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
   3.268 +--- a/arch/sparc/kernel/ptrace.c
   3.269 ++++ b/arch/sparc/kernel/ptrace.c
   3.270 +@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs
   3.271 + 			pt_error_return(regs, EIO);
   3.272 + 			goto out_tsk;
   3.273 + 		}
   3.274 +-		if (addr != 1) {
   3.275 +-			if (addr & 3) {
   3.276 +-				pt_error_return(regs, EINVAL);
   3.277 +-				goto out_tsk;
   3.278 +-			}
   3.279 +-#ifdef DEBUG_PTRACE
   3.280 +-			printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
   3.281 +-			printk ("Continuing with %08lx %08lx\n", addr, addr+4);
   3.282 +-#endif
   3.283 +-			child->thread.kregs->pc = addr;
   3.284 +-			child->thread.kregs->npc = addr + 4;
   3.285 +-		}
   3.286 + 
   3.287 + 		if (request == PTRACE_SYSCALL)
   3.288 + 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   3.289 +diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
   3.290 +--- a/arch/sparc64/kernel/ptrace.c
   3.291 ++++ b/arch/sparc64/kernel/ptrace.c
   3.292 +@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs
   3.293 + 			pt_error_return(regs, EIO);
   3.294 + 			goto out_tsk;
   3.295 + 		}
   3.296 +-		if (addr != 1) {
   3.297 +-			unsigned long pc_mask = ~0UL;
   3.298 +-
   3.299 +-			if ((child->thread_info->flags & _TIF_32BIT) != 0)
   3.300 +-				pc_mask = 0xffffffff;
   3.301 +-
   3.302 +-			if (addr & 3) {
   3.303 +-				pt_error_return(regs, EINVAL);
   3.304 +-				goto out_tsk;
   3.305 +-			}
   3.306 +-#ifdef DEBUG_PTRACE
   3.307 +-			printk ("Original: %016lx %016lx\n",
   3.308 +-				child->thread_info->kregs->tpc,
   3.309 +-				child->thread_info->kregs->tnpc);
   3.310 +-			printk ("Continuing with %016lx %016lx\n", addr, addr+4);
   3.311 +-#endif
   3.312 +-			child->thread_info->kregs->tpc = (addr & pc_mask);
   3.313 +-			child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
   3.314 +-		}
   3.315 + 
   3.316 + 		if (request == PTRACE_SYSCALL) {
   3.317 + 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   3.318 +diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
   3.319 +--- a/arch/sparc64/kernel/signal32.c
   3.320 ++++ b/arch/sparc64/kernel/signal32.c
   3.321 +@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf
   3.322 + 			err |= __put_user(from->si_uid, &to->si_uid);
   3.323 + 			break;
   3.324 + 		case __SI_FAULT >> 16:
   3.325 +-		case __SI_POLL >> 16:
   3.326 + 			err |= __put_user(from->si_trapno, &to->si_trapno);
   3.327 + 			err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
   3.328 + 			break;
   3.329 ++		case __SI_POLL >> 16:
   3.330 ++			err |= __put_user(from->si_band, &to->si_band);
   3.331 ++			err |= __put_user(from->si_fd, &to->si_fd);
   3.332 ++			break;
   3.333 + 		case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
   3.334 + 		case __SI_MESGQ >> 16:
   3.335 + 			err |= __put_user(from->si_pid, &to->si_pid);
   3.336 +diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
   3.337 +--- a/arch/sparc64/kernel/systbls.S
   3.338 ++++ b/arch/sparc64/kernel/systbls.S
   3.339 +@@ -75,7 +75,7 @@ sys_call_table32:
   3.340 + /*260*/	.word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
   3.341 + 	.word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
   3.342 + /*270*/	.word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
   3.343 +-	.word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   3.344 ++	.word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   3.345 + /*280*/	.word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
   3.346 + 
   3.347 + #endif /* CONFIG_COMPAT */
   3.348 +diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
   3.349 +--- a/arch/um/include/sysdep-i386/syscalls.h
   3.350 ++++ b/arch/um/include/sysdep-i386/syscalls.h
   3.351 +@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr
   3.352 + 		      unsigned long prot, unsigned long flags,
   3.353 + 		      unsigned long fd, unsigned long pgoff);
   3.354 + 
   3.355 ++/* On i386 they choose a meaningless naming.*/
   3.356 ++#define __NR_kexec_load __NR_sys_kexec_load
   3.357 ++
   3.358 + #define ARCH_SYSCALLS \
   3.359 + 	[ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
   3.360 + 	[ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
   3.361 +@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr
   3.362 + 	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.363 + 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.364 + 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.365 +-	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   3.366 + 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.367 +-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   3.368 +-	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   3.369 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   3.370 +-        
   3.371 ++	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   3.372 ++
   3.373 + /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
   3.374 + 
   3.375 +-#define LAST_ARCH_SYSCALL __NR_vserver
   3.376 ++#define LAST_ARCH_SYSCALL 285
   3.377 + 
   3.378 + /*
   3.379 +  * Overrides for Emacs so that we follow Linus's tabbing style.
   3.380 +diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
   3.381 +--- a/arch/um/include/sysdep-x86_64/syscalls.h
   3.382 ++++ b/arch/um/include/sysdep-x86_64/syscalls.h
   3.383 +@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl;
   3.384 + 	[ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
   3.385 + 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.386 + 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.387 +-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   3.388 + 	[ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
   3.389 +-	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   3.390 +-	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.391 +-	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   3.392 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
   3.393 + 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall,
   3.394 + 
   3.395 + #define LAST_ARCH_SYSCALL 251
   3.396 +diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
   3.397 +--- a/arch/um/kernel/skas/uaccess.c
   3.398 ++++ b/arch/um/kernel/skas/uaccess.c
   3.399 +@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v
   3.400 + 	void *arg;
   3.401 + 	int *res;
   3.402 + 
   3.403 +-	va_copy(args, *(va_list *)arg_ptr);
   3.404 ++	/* Some old gccs recognize __va_copy, but not va_copy */
   3.405 ++	__va_copy(args, *(va_list *)arg_ptr);
   3.406 + 	addr = va_arg(args, unsigned long);
   3.407 + 	len = va_arg(args, int);
   3.408 + 	is_write = va_arg(args, int);
   3.409 +diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
   3.410 +--- a/arch/um/kernel/sys_call_table.c
   3.411 ++++ b/arch/um/kernel/sys_call_table.c
   3.412 +@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork;
   3.413 + extern syscall_handler_t old_select;
   3.414 + extern syscall_handler_t sys_modify_ldt;
   3.415 + extern syscall_handler_t sys_rt_sigsuspend;
   3.416 +-extern syscall_handler_t sys_vserver;
   3.417 + extern syscall_handler_t sys_mbind;
   3.418 + extern syscall_handler_t sys_get_mempolicy;
   3.419 + extern syscall_handler_t sys_set_mempolicy;
   3.420 +@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = {
   3.421 + 	[ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
   3.422 + 	[ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
   3.423 + 	[ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
   3.424 ++	[ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
   3.425 +         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
   3.426 + 	[ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
   3.427 + 	[ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
   3.428 +@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = {
   3.429 + 	[ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
   3.430 + 	[ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
   3.431 + 	[ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
   3.432 +-	[ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
   3.433 +-	[ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
   3.434 + 	[ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
   3.435 + 	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
   3.436 +-	[ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
   3.437 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
   3.438 ++	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
   3.439 ++	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   3.440 + 	[ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
   3.441 + 	[ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
   3.442 + 	[ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
   3.443 +@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = {
   3.444 + 	[ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
   3.445 + 	[ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
   3.446 + 	[ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
   3.447 +-	[ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   3.448 ++	[ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   3.449 + 	[ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
   3.450 +-	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   3.451 + 	[ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
   3.452 + 	[ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
   3.453 + 	[ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
   3.454 +diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
   3.455 +--- a/arch/x86_64/kernel/ptrace.c
   3.456 ++++ b/arch/x86_64/kernel/ptrace.c
   3.457 +@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
   3.458 + 			value &= 0xffff;
   3.459 + 			return 0;
   3.460 + 		case offsetof(struct user_regs_struct,fs_base):
   3.461 +-			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
   3.462 +-				return -EIO; 
   3.463 ++			if (value >= TASK_SIZE)
   3.464 ++				return -EIO;
   3.465 + 			child->thread.fs = value;
   3.466 + 			return 0;
   3.467 + 		case offsetof(struct user_regs_struct,gs_base):
   3.468 +-			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
   3.469 +-				return -EIO; 
   3.470 ++			if (value >= TASK_SIZE)
   3.471 ++				return -EIO;
   3.472 + 			child->thread.gs = value;
   3.473 + 			return 0;
   3.474 + 		case offsetof(struct user_regs_struct, eflags):
   3.475 +@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
   3.476 + 				return -EIO;
   3.477 + 			value &= 0xffff;
   3.478 + 			break;
   3.479 ++		case offsetof(struct user_regs_struct, rip):
   3.480 ++			/* Check if the new RIP address is canonical */
   3.481 ++			if (value >= TASK_SIZE)
   3.482 ++				return -EIO;
   3.483 ++			break;
   3.484 + 	}
   3.485 + 	put_stack_long(child, regno - sizeof(struct pt_regs), value);
   3.486 + 	return 0;
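Review bot: The comment added on the rip case, `/* Check if the new RIP address is canonical */`, describes a weaker test than the code performs. `if (value >= TASK_SIZE)` rejects every address at or above TASK_SIZE, which includes canonical kernel-half addresses, so the check really enforces "user-space address only". I would word it as `/* RIP must be a user-space address, i.e. below TASK_SIZE */`. The fs_base and gs_base cases in the previous hunk use the same test with no comment and could carry the same one. putreg() starts outside both hunks.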
   3.487 +diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c
   3.488 +--- a/arch/x86_64/mm/fault.c
   3.489 ++++ b/arch/x86_64/mm/fault.c
   3.490 +@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne
   3.491 + 
   3.492 + /*
   3.493 +  * Handle a fault on the vmalloc or module mapping area
   3.494 ++ *
   3.495 ++ * This assumes no large pages in there.
   3.496 +  */
   3.497 + static int vmalloc_fault(unsigned long address)
   3.498 + {
   3.499 +@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a
   3.500 + 	if (!pte_present(*pte_ref))
   3.501 + 		return -1;
   3.502 + 	pte = pte_offset_kernel(pmd, address);
   3.503 +-	if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref))
   3.504 ++	/* Don't use pte_page here, because the mappings can point
   3.505 ++	   outside mem_map, and the NUMA hash lookup cannot handle
   3.506 ++	   that. */
   3.507 ++	if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
   3.508 + 		BUG();
   3.509 + 	__flush_tlb_all();
   3.510 + 	return 0;
   3.511 +@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_
   3.512 + 	 * protection error (error_code & 1) == 0.
   3.513 + 	 */
   3.514 + 	if (unlikely(address >= TASK_SIZE)) {
   3.515 +-		if (!(error_code & 5)) {
   3.516 ++		if (!(error_code & 5) &&
   3.517 ++		      ((address >= VMALLOC_START && address < VMALLOC_END) ||
   3.518 ++		       (address >= MODULES_VADDR && address < MODULES_END))) {
   3.519 + 			if (vmalloc_fault(address) < 0)
   3.520 + 				goto bad_area_nosemaphore;
   3.521 + 			return;
   3.522 +diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c
   3.523 +--- a/arch/x86_64/mm/ioremap.c
   3.524 ++++ b/arch/x86_64/mm/ioremap.c
   3.525 +@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr
   3.526 + 	if ((p->flags >> 20) &&
   3.527 + 		p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) {
   3.528 + 		/* p->size includes the guard page, but cpa doesn't like that */
   3.529 +-		change_page_attr(virt_to_page(__va(p->phys_addr)),
   3.530 ++		change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
   3.531 + 				 (p->size - PAGE_SIZE) >> PAGE_SHIFT,
   3.532 + 				 PAGE_KERNEL); 				 
   3.533 + 		global_flush_tlb();
   3.534 +diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c
   3.535 +--- a/drivers/block/ioctl.c
   3.536 ++++ b/drivers/block/ioctl.c
   3.537 +@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi
   3.538 + 	}
   3.539 + 	return ret;
   3.540 + }
   3.541 ++
   3.542 ++EXPORT_SYMBOL_GPL(blkdev_ioctl);
   3.543 +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
   3.544 +--- a/drivers/block/pktcdvd.c
   3.545 ++++ b/drivers/block/pktcdvd.c
   3.546 +@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode
   3.547 + 	case CDROM_LAST_WRITTEN:
   3.548 + 	case CDROM_SEND_PACKET:
   3.549 + 	case SCSI_IOCTL_SEND_COMMAND:
   3.550 +-		return ioctl_by_bdev(pd->bdev, cmd, arg);
   3.551 ++		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   3.552 + 
   3.553 + 	case CDROMEJECT:
   3.554 + 		/*
   3.555 +@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode
   3.556 + 		 * have to unlock it or else the eject command fails.
   3.557 + 		 */
   3.558 + 		pkt_lock_door(pd, 0);
   3.559 +-		return ioctl_by_bdev(pd->bdev, cmd, arg);
   3.560 ++		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   3.561 + 
   3.562 + 	default:
   3.563 + 		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
   3.564 +diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
   3.565 +--- a/drivers/char/drm/drm_ioctl.c
   3.566 ++++ b/drivers/char/drm/drm_ioctl.c
   3.567 +@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS)
   3.568 + 
   3.569 + 	DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
   3.570 + 
   3.571 ++	memset(&version, 0, sizeof(version));
   3.572 ++
   3.573 + 	dev->driver->version(&version);
   3.574 + 	retv.drm_di_major = DRM_IF_MAJOR;
   3.575 + 	retv.drm_di_minor = DRM_IF_MINOR;
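Review bot: The new `memset(&version, 0, sizeof(version));` carries no comment saying what it guards against, and it reads as redundant next to the `dev->driver->version(&version)` call that follows. Presumably a driver's callback may leave some fields unset, and the struct is consumed later in drm_setversion(), outside this hunk. A short why-comment would stop the line being removed as dead code, for example `/* ->version() need not fill every field; never use stack garbage */`.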
   3.576 +diff --git a/drivers/char/raw.c b/drivers/char/raw.c
   3.577 +--- a/drivers/char/raw.c
   3.578 ++++ b/drivers/char/raw.c
   3.579 +@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi
   3.580 + {
   3.581 + 	struct block_device *bdev = filp->private_data;
   3.582 + 
   3.583 +-	return ioctl_by_bdev(bdev, command, arg);
   3.584 ++	return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
   3.585 + }
   3.586 + 
   3.587 + static void bind_device(struct raw_config_request *rq)
   3.588 +diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
   3.589 +--- a/drivers/i2c/chips/eeprom.c
   3.590 ++++ b/drivers/i2c/chips/eeprom.c
   3.591 +@@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec
   3.592 + 
   3.593 + 	/* Hide Vaio security settings to regular users (16 first bytes) */
   3.594 + 	if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
   3.595 +-		int in_row1 = 16 - off;
   3.596 ++		size_t in_row1 = 16 - off;
   3.597 ++		in_row1 = min(in_row1, count);
   3.598 + 		memset(buf, 0, in_row1);
   3.599 + 		if (count - in_row1 > 0)
   3.600 + 			memcpy(buf + in_row1, &data->data[16], count - in_row1);
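Review bot: The retained test `if (count - in_row1 > 0)` is an unsigned subtraction (assuming count is size_t, as the type-checked `min(in_row1, count)` suggests), so it only asks whether the two values differ. It is safe solely because of the clamp added on the line above; without it the difference wraps and the memcpy length becomes huge. Writing it as `if (count > in_row1)` states the intent directly and keeps the copy bounded even if the clamp is later moved or removed. eeprom_read() begins and ends outside the hunk.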
   3.601 +diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
   3.602 +--- a/drivers/i2c/chips/it87.c
   3.603 ++++ b/drivers/i2c/chips/it87.c
   3.604 +@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device
   3.605 + 	struct it87_data *data = it87_update_device(dev);
   3.606 + 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   3.607 + }
   3.608 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   3.609 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   3.610 + 
   3.611 + static ssize_t
   3.612 + show_vrm_reg(struct device *dev, char *buf)
   3.613 +diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
   3.614 +--- a/drivers/i2c/chips/via686a.c
   3.615 ++++ b/drivers/i2c/chips/via686a.c
   3.616 +@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device
   3.617 + 	struct via686a_data *data = via686a_update_device(dev);
   3.618 + 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   3.619 + }
   3.620 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   3.621 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   3.622 + 
   3.623 + /* The driver. I choose to use type i2c_driver, as at is identical to both
   3.624 +    smbus_driver and isa_driver, and clients could be of either kind */
   3.625 +diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
   3.626 +--- a/drivers/ide/ide-disk.c
   3.627 ++++ b/drivers/ide/ide-disk.c
   3.628 +@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(
   3.629 + 	if (hwif->no_lba48_dma && lba48 && dma) {
   3.630 + 		if (block + rq->nr_sectors > 1ULL << 28)
   3.631 + 			dma = 0;
   3.632 ++		else
   3.633 ++			lba48 = 0;
   3.634 + 	}
   3.635 + 
   3.636 + 	if (!dma) {
   3.637 +@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(
   3.638 + 	/* FIXME: SELECT_MASK(drive, 0) ? */
   3.639 + 
   3.640 + 	if (drive->select.b.lba) {
   3.641 +-		if (drive->addressing == 1) {
   3.642 ++		if (lba48) {
   3.643 + 			task_ioreg_t tasklets[10];
   3.644 + 
   3.645 + 			pr_debug("%s: LBA=0x%012llx\n", drive->name, block);
   3.646 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
   3.647 +--- a/drivers/input/serio/i8042-x86ia64io.h
   3.648 ++++ b/drivers/input/serio/i8042-x86ia64io.h
   3.649 +@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i
   3.650 + };
   3.651 + #endif
   3.652 + 
   3.653 +-#ifdef CONFIG_ACPI
   3.654 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.655 + #include <linux/acpi.h>
   3.656 + #include <acpi/acpi_bus.h>
   3.657 + 
   3.658 +@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo
   3.659 + 	i8042_kbd_irq = I8042_MAP_IRQ(1);
   3.660 + 	i8042_aux_irq = I8042_MAP_IRQ(12);
   3.661 + 
   3.662 +-#ifdef CONFIG_ACPI
   3.663 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.664 + 	if (i8042_acpi_init())
   3.665 + 		return -1;
   3.666 + #endif
   3.667 +@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo
   3.668 + 
   3.669 + static inline void i8042_platform_exit(void)
   3.670 + {
   3.671 +-#ifdef CONFIG_ACPI
   3.672 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.673 + 	i8042_acpi_exit();
   3.674 + #endif
   3.675 + }
   3.676 +diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
   3.677 +--- a/drivers/md/raid6altivec.uc
   3.678 ++++ b/drivers/md/raid6altivec.uc
   3.679 +@@ -108,7 +108,11 @@ int raid6_have_altivec(void);
   3.680 + int raid6_have_altivec(void)
   3.681 + {
   3.682 + 	/* This assumes either all CPUs have Altivec or none does */
   3.683 ++#ifdef CONFIG_PPC64
   3.684 + 	return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
   3.685 ++#else
   3.686 ++	return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
   3.687 ++#endif
   3.688 + }
   3.689 + #endif
   3.690 + 
   3.691 +diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
   3.692 +--- a/drivers/media/video/adv7170.c
   3.693 ++++ b/drivers/media/video/adv7170.c
   3.694 +@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client *
   3.695 + 		u8 block_data[32];
   3.696 + 
   3.697 + 		msg.addr = client->addr;
   3.698 +-		msg.flags = client->flags;
   3.699 ++		msg.flags = 0;
   3.700 + 		while (len >= 2) {
   3.701 + 			msg.buf = (char *) block_data;
   3.702 + 			msg.len = 0;
   3.703 +diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
   3.704 +--- a/drivers/media/video/adv7175.c
   3.705 ++++ b/drivers/media/video/adv7175.c
   3.706 +@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client *
   3.707 + 		u8 block_data[32];
   3.708 + 
   3.709 + 		msg.addr = client->addr;
   3.710 +-		msg.flags = client->flags;
   3.711 ++		msg.flags = 0;
   3.712 + 		while (len >= 2) {
   3.713 + 			msg.buf = (char *) block_data;
   3.714 + 			msg.len = 0;
   3.715 +diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
   3.716 +--- a/drivers/media/video/bt819.c
   3.717 ++++ b/drivers/media/video/bt819.c
   3.718 +@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl
   3.719 + 		u8 block_data[32];
   3.720 + 
   3.721 + 		msg.addr = client->addr;
   3.722 +-		msg.flags = client->flags;
   3.723 ++		msg.flags = 0;
   3.724 + 		while (len >= 2) {
   3.725 + 			msg.buf = (char *) block_data;
   3.726 + 			msg.len = 0;
   3.727 +diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
   3.728 +--- a/drivers/media/video/bttv-cards.c
   3.729 ++++ b/drivers/media/video/bttv-cards.c
   3.730 +@@ -2718,8 +2718,6 @@ void __devinit bttv_init_card2(struct bt
   3.731 +         }
   3.732 + 	btv->pll.pll_current = -1;
   3.733 + 
   3.734 +-	bttv_reset_audio(btv);
   3.735 +-
   3.736 + 	/* tuner configuration (from card list / autodetect / insmod option) */
   3.737 +  	if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
   3.738 + 		if(UNSET == btv->tuner_type)
   3.739 +diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
   3.740 +--- a/drivers/media/video/saa7110.c
   3.741 ++++ b/drivers/media/video/saa7110.c
   3.742 +@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
   3.743 + 
   3.744 + #define	I2C_SAA7110		0x9C	/* or 0x9E */
   3.745 + 
   3.746 ++#define SAA7110_NR_REG		0x35
   3.747 ++
   3.748 + struct saa7110 {
   3.749 +-	unsigned char reg[54];
   3.750 ++	u8 reg[SAA7110_NR_REG];
   3.751 + 
   3.752 + 	int norm;
   3.753 + 	int input;
   3.754 +@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client *
   3.755 + 		     unsigned int       len)
   3.756 + {
   3.757 + 	int ret = -1;
   3.758 +-	u8 reg = *data++;
   3.759 ++	u8 reg = *data;		/* first register to write to */
   3.760 + 
   3.761 +-	len--;
   3.762 ++	/* Sanity check */
   3.763 ++	if (reg + (len - 1) > SAA7110_NR_REG)
   3.764 ++		return ret;
   3.765 + 
   3.766 + 	/* the saa7110 has an autoincrement function, use it if
   3.767 + 	 * the adapter understands raw I2C */
   3.768 + 	if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
   3.769 + 		struct saa7110 *decoder = i2c_get_clientdata(client);
   3.770 + 		struct i2c_msg msg;
   3.771 +-		u8 block_data[54];
   3.772 + 
   3.773 +-		msg.len = 0;
   3.774 +-		msg.buf = (char *) block_data;
   3.775 ++		msg.len = len;
   3.776 ++		msg.buf = (char *) data;
   3.777 + 		msg.addr = client->addr;
   3.778 +-		msg.flags = client->flags;
   3.779 +-		while (len >= 1) {
   3.780 +-			msg.len = 0;
   3.781 +-			block_data[msg.len++] = reg;
   3.782 +-			while (len-- >= 1 && msg.len < 54)
   3.783 +-				block_data[msg.len++] =
   3.784 +-				    decoder->reg[reg++] = *data++;
   3.785 +-			ret = i2c_transfer(client->adapter, &msg, 1);
   3.786 +-		}
   3.787 ++		msg.flags = 0;
   3.788 ++		ret = i2c_transfer(client->adapter, &msg, 1);
   3.789 ++
   3.790 ++		/* Cache the written data */
   3.791 ++		memcpy(decoder->reg + reg, data + 1, len - 1);
   3.792 + 	} else {
   3.793 +-		while (len-- >= 1) {
   3.794 ++		for (++data, --len; len; len--) {
   3.795 + 			if ((ret = saa7110_write(client, reg++,
   3.796 + 						 *data++)) < 0)
   3.797 + 				break;
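Review bot: The new sanity check in saa7110_write_block does not reject `len == 0`. `len - 1` wraps as unsigned, so for a non-zero first register `reg + (len - 1)` can come out small and pass, after which `memcpy(decoder->reg + reg, data + 1, len - 1)` and the `for (++data, --len; len; len--)` loop both run with a wrapped length. Whether any caller can pass a zero length is not visible here, but the guard is cheap: `if (len == 0 || reg + (len - 1) > SAA7110_NR_REG)`. Separately, the register cache is updated even when `i2c_transfer()` returned an error; `if (ret >= 0)` in front of the memcpy would keep the cache in step with the chip. The function continues past the end of the hunk.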
   3.798 +@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien
   3.799 + 	return 0;
   3.800 + }
   3.801 + 
   3.802 +-static const unsigned char initseq[] = {
   3.803 ++static const unsigned char initseq[1 + SAA7110_NR_REG] = {
   3.804 + 	0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
   3.805 + 	/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
   3.806 + 	/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
   3.807 +diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
   3.808 +--- a/drivers/media/video/saa7114.c
   3.809 ++++ b/drivers/media/video/saa7114.c
   3.810 +@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client *
   3.811 + 		u8 block_data[32];
   3.812 + 
   3.813 + 		msg.addr = client->addr;
   3.814 +-		msg.flags = client->flags;
   3.815 ++		msg.flags = 0;
   3.816 + 		while (len >= 2) {
   3.817 + 			msg.buf = (char *) block_data;
   3.818 + 			msg.len = 0;
   3.819 +diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
   3.820 +--- a/drivers/media/video/saa7185.c
   3.821 ++++ b/drivers/media/video/saa7185.c
   3.822 +@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client *
   3.823 + 		u8 block_data[32];
   3.824 + 
   3.825 + 		msg.addr = client->addr;
   3.826 +-		msg.flags = client->flags;
   3.827 ++		msg.flags = 0;
   3.828 + 		while (len >= 2) {
   3.829 + 			msg.buf = (char *) block_data;
   3.830 + 			msg.len = 0;
   3.831 +diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
   3.832 +--- a/drivers/net/3c59x.c
   3.833 ++++ b/drivers/net/3c59x.c
   3.834 +@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev)
   3.835 + 
   3.836 + 	if (VORTEX_PCI(vp)) {
   3.837 + 		pci_set_power_state(VORTEX_PCI(vp), PCI_D0);	/* Go active */
   3.838 +-		pci_restore_state(VORTEX_PCI(vp));
   3.839 ++		if (vp->pm_state_valid)
   3.840 ++			pci_restore_state(VORTEX_PCI(vp));
   3.841 + 		pci_enable_device(VORTEX_PCI(vp));
   3.842 + 	}
   3.843 + 
   3.844 +@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 
   3.845 + 		outl(0, ioaddr + DownListPtr);
   3.846 + 
   3.847 + 	if (final_down && VORTEX_PCI(vp)) {
   3.848 ++		vp->pm_state_valid = 1;
   3.849 + 		pci_save_state(VORTEX_PCI(vp));
   3.850 + 		acpi_set_WOL(dev);
   3.851 + 	}
   3.852 +@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi
   3.853 + 		outw(RxEnable, ioaddr + EL3_CMD);
   3.854 + 
   3.855 + 		pci_enable_wake(VORTEX_PCI(vp), 0, 1);
   3.856 ++
   3.857 ++		/* Change the power state to D3; RxEnable doesn't take effect. */
   3.858 ++		pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
   3.859 + 	}
   3.860 +-	/* Change the power state to D3; RxEnable doesn't take effect. */
   3.861 +-	pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
   3.862 + }
   3.863 + 
   3.864 + 
   3.865 +diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
   3.866 +--- a/drivers/net/amd8111e.c
   3.867 ++++ b/drivers/net/amd8111e.c
   3.868 +@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi
   3.869 + 
   3.870 + 	if(amd8111e_restart(dev)){
   3.871 + 		spin_unlock_irq(&lp->lock);
   3.872 ++		if (dev->irq)
   3.873 ++			free_irq(dev->irq, dev);
   3.874 + 		return -ENOMEM;
   3.875 + 	}
   3.876 + 	/* Start ipg timer */
   3.877 +diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
   3.878 +--- a/drivers/net/ppp_async.c
   3.879 ++++ b/drivers/net/ppp_async.c
   3.880 +@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp
   3.881 + 	data += 4;
   3.882 + 	dlen -= 4;
   3.883 + 	/* data[0] is code, data[1] is length */
   3.884 +-	while (dlen >= 2 && dlen >= data[1]) {
   3.885 ++	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
   3.886 + 		switch (data[0]) {
   3.887 + 		case LCP_MRU:
   3.888 + 			val = (data[2] << 8) + data[3];
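Review bot: The loop guard now guarantees only `data[1] >= 2` and `dlen >= data[1]`, yet the LCP_MRU case immediately reads `data[2]` and `data[3]`. An option that declares length 2 or 3 still makes this case read past the option, and possibly past the remaining `dlen`, unless a per-option length check exists outside the hunk. Each case should verify the length it needs before parsing, for example `if (data[1] < 4) break;` at the top of the LCP_MRU case, with the matching size for the other options. The rest of the switch and the code that advances `data` are outside this hunk.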
   3.889 +diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
   3.890 +--- a/drivers/net/r8169.c
   3.891 ++++ b/drivers/net/r8169.c
   3.892 +@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r
   3.893 + 	rtl8169_make_unusable_by_asic(desc);
   3.894 + }
   3.895 + 
   3.896 +-static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
   3.897 ++static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
   3.898 + {
   3.899 +-	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   3.900 ++	u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
   3.901 ++
   3.902 ++	desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
   3.903 + }
   3.904 + 
   3.905 +-static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   3.906 +-					int rx_buf_sz)
   3.907 ++static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   3.908 ++				       u32 rx_buf_sz)
   3.909 + {
   3.910 + 	desc->addr = cpu_to_le64(mapping);
   3.911 +-	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   3.912 ++	wmb();
   3.913 ++	rtl8169_mark_to_asic(desc, rx_buf_sz);
   3.914 + }
   3.915 + 
   3.916 + static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
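Review bot: The `wmb()` added in rtl8169_map_to_asic has no comment saying what it orders, which makes it easy to drop in a later cleanup. From the visible lines it sits between the `desc->addr` store and the `opts1` store in rtl8169_mark_to_asic that sets DescOwn, so presumably the buffer address must be visible before the NIC owns the descriptor. I would add `/* make addr visible before DescOwn hands the descriptor to the NIC */` above it. Also note that `rx_buf_sz` is OR-ed into `opts1` unmasked; if it can ever exceed the size field it would overwrite flag bits, so a mask or a comment stating the bound would help.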
   3.917 +@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p
   3.918 + 	mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
   3.919 + 				 PCI_DMA_FROMDEVICE);
   3.920 + 
   3.921 +-	rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
   3.922 ++	rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
   3.923 + 
   3.924 + out:
   3.925 + 	return ret;
   3.926 +@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st
   3.927 + 			skb_reserve(skb, NET_IP_ALIGN);
   3.928 + 			eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
   3.929 + 			*sk_buff = skb;
   3.930 +-			rtl8169_return_to_asic(desc, rx_buf_sz);
   3.931 ++			rtl8169_mark_to_asic(desc, rx_buf_sz);
   3.932 + 			ret = 0;
   3.933 + 		}
   3.934 + 	}
   3.935 +diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
   3.936 +--- a/drivers/net/sis900.c
   3.937 ++++ b/drivers/net/sis900.c
   3.938 +@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr
   3.939 + 	signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
   3.940 + 	if (signature == 0xffff || signature == 0x0000) {
   3.941 + 		printk (KERN_INFO "%s: Error EERPOM read %x\n", 
   3.942 +-			net_dev->name, signature);
   3.943 ++			pci_name(pci_dev), signature);
   3.944 + 		return 0;
   3.945 + 	}
   3.946 + 
   3.947 +@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add
   3.948 + 	if (!isa_bridge)
   3.949 + 		isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
   3.950 + 	if (!isa_bridge) {
   3.951 +-		printk("%s: Can not find ISA bridge\n", net_dev->name);
   3.952 ++		printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
   3.953 + 		return 0;
   3.954 + 	}
   3.955 + 	pci_read_config_byte(isa_bridge, 0x48, &reg);
   3.956 +@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct
   3.957 + 	net_dev->tx_timeout = sis900_tx_timeout;
   3.958 + 	net_dev->watchdog_timeo = TX_TIMEOUT;
   3.959 + 	net_dev->ethtool_ops = &sis900_ethtool_ops;
   3.960 +-	
   3.961 +-	ret = register_netdev(net_dev);
   3.962 +-	if (ret)
   3.963 +-		goto err_unmap_rx;
   3.964 + 		
   3.965 + 	/* Get Mac address according to the chip revision */
   3.966 + 	pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
   3.967 +@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct
   3.968 + 
   3.969 + 	if (ret == 0) {
   3.970 + 		ret = -ENODEV;
   3.971 +-		goto err_out_unregister;
   3.972 ++		goto err_unmap_rx;
   3.973 + 	}
   3.974 + 	
   3.975 + 	/* 630ET : set the mii access mode as software-mode */
   3.976 +@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct
   3.977 + 	/* probe for mii transceiver */
   3.978 + 	if (sis900_mii_probe(net_dev) == 0) {
   3.979 + 		ret = -ENODEV;
   3.980 +-		goto err_out_unregister;
   3.981 ++		goto err_unmap_rx;
   3.982 + 	}
   3.983 + 
   3.984 + 	/* save our host bridge revision */
   3.985 +@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct
   3.986 + 		pci_dev_put(dev);
   3.987 + 	}
   3.988 + 
   3.989 ++	ret = register_netdev(net_dev);
   3.990 ++	if (ret)
   3.991 ++		goto err_unmap_rx;
   3.992 ++
   3.993 + 	/* print some information about our NIC */
   3.994 + 	printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
   3.995 + 	       card_name, ioaddr, net_dev->irq);
   3.996 +@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct
   3.997 + 
   3.998 + 	return 0;
   3.999 + 
  3.1000 +- err_out_unregister:
  3.1001 +- 	unregister_netdev(net_dev);
  3.1002 +  err_unmap_rx:
  3.1003 + 	pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
  3.1004 + 		sis_priv->rx_ring_dma);
  3.1005 +@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct
  3.1006 + static int __init sis900_mii_probe(struct net_device * net_dev)
  3.1007 + {
  3.1008 + 	struct sis900_private * sis_priv = net_dev->priv;
  3.1009 ++	const char *dev_name = pci_name(sis_priv->pci_dev);
  3.1010 + 	u16 poll_bit = MII_STAT_LINK, status = 0;
  3.1011 + 	unsigned long timeout = jiffies + 5 * HZ;
  3.1012 + 	int phy_addr;
  3.1013 +@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc
  3.1014 + 					mii_phy->phy_types =
  3.1015 + 					    (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
  3.1016 + 				printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
  3.1017 +-				       net_dev->name, mii_chip_table[i].name,
  3.1018 ++				       dev_name, mii_chip_table[i].name,
  3.1019 + 				       phy_addr);
  3.1020 + 				break;
  3.1021 + 			}
  3.1022 + 			
  3.1023 + 		if( !mii_chip_table[i].phy_id1 ) {
  3.1024 + 			printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
  3.1025 +-			       net_dev->name, phy_addr);
  3.1026 ++			       dev_name, phy_addr);
  3.1027 + 			mii_phy->phy_types = UNKNOWN;
  3.1028 + 		}
  3.1029 + 	}
  3.1030 + 	
  3.1031 + 	if (sis_priv->mii == NULL) {
  3.1032 +-		printk(KERN_INFO "%s: No MII transceivers found!\n",
  3.1033 +-			net_dev->name);
  3.1034 ++		printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
  3.1035 + 		return 0;
  3.1036 + 	}
  3.1037 + 
  3.1038 +@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc
  3.1039 + 			poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
  3.1040 + 			if (time_after_eq(jiffies, timeout)) {
  3.1041 + 				printk(KERN_WARNING "%s: reset phy and link down now\n",
  3.1042 +-					net_dev->name);
  3.1043 ++				       dev_name);
  3.1044 + 				return -ETIME;
  3.1045 + 			}
  3.1046 + 		}
  3.1047 +@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net
  3.1048 + 		sis_priv->mii = default_phy;
  3.1049 + 		sis_priv->cur_phy = default_phy->phy_addr;
  3.1050 + 		printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
  3.1051 +-					net_dev->name,sis_priv->cur_phy);
  3.1052 ++		       pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
  3.1053 + 	}
  3.1054 + 	
  3.1055 + 	status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
  3.1056 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
  3.1057 +--- a/drivers/net/tun.c
  3.1058 ++++ b/drivers/net/tun.c
  3.1059 +@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s
  3.1060 + 	size_t len = count;
  3.1061 + 
  3.1062 + 	if (!(tun->flags & TUN_NO_PI)) {
  3.1063 +-		if ((len -= sizeof(pi)) > len)
  3.1064 ++		if ((len -= sizeof(pi)) > count)
  3.1065 + 			return -EINVAL;
  3.1066 + 
  3.1067 + 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
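Review bot: The length check in tun_get_user, `if ((len -= sizeof(pi)) > count)`, detects a too-short write only through unsigned wrap-around of `len`, which is easy to misread and has the same shape as the broken test it replaces. Checking before subtracting states the intent directly: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. The function's signature and the rest of its body are outside the hunk, so this assumes `count` is the unsigned byte count that `size_t len = count` suggests.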
  3.1068 +diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
  3.1069 +--- a/drivers/net/via-rhine.c
  3.1070 ++++ b/drivers/net/via-rhine.c
  3.1071 +@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 
  3.1072 + 		       dev->name, rp->pdev->irq);
  3.1073 + 
  3.1074 + 	rc = alloc_ring(dev);
  3.1075 +-	if (rc)
  3.1076 ++	if (rc) {
  3.1077 ++		free_irq(rp->pdev->irq, dev);
  3.1078 + 		return rc;
  3.1079 ++	}
  3.1080 + 	alloc_rbufs(dev);
  3.1081 + 	alloc_tbufs(dev);
  3.1082 + 	rhine_chip_reset(dev);
  3.1083 +@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic
  3.1084 + 	struct rhine_private *rp = netdev_priv(dev);
  3.1085 + 	void __iomem *ioaddr = rp->base;
  3.1086 + 
  3.1087 ++	if (!(rp->quirks & rqWOL))
  3.1088 ++		return; /* Nothing to do for non-WOL adapters */
  3.1089 ++
  3.1090 + 	rhine_power_init(dev);
  3.1091 + 
  3.1092 + 	/* Make sure we use pattern 0, 1 and not 4, 5 */
  3.1093 +diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
  3.1094 +--- a/drivers/net/wan/hd6457x.c
  3.1095 ++++ b/drivers/net/wan/hd6457x.c
  3.1096 +@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 
  3.1097 + #endif
  3.1098 + 	stats->rx_packets++;
  3.1099 + 	stats->rx_bytes += skb->len;
  3.1100 +-	skb->dev->last_rx = jiffies;
  3.1101 ++	dev->last_rx = jiffies;
  3.1102 + 	skb->protocol = hdlc_type_trans(skb, dev);
  3.1103 + 	netif_rx(skb);
  3.1104 + }
  3.1105 +diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
  3.1106 +--- a/drivers/pci/hotplug/pciehp_ctrl.c
  3.1107 ++++ b/drivers/pci/hotplug/pciehp_ctrl.c
  3.1108 +@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 
  3.1109 + 				dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
  3.1110 + 					ctrl->seg, func->bus, func->device, func->function);
  3.1111 + 				bridge_slot_remove(func);
  3.1112 +-			} else
  3.1113 ++			} else {
  3.1114 + 				dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
  3.1115 + 					ctrl->seg, func->bus, func->device, func->function);
  3.1116 + 				slot_remove(func);
  3.1117 ++			}
  3.1118 + 
  3.1119 + 			func = pciehp_slot_find(ctrl->slot_bus, device, 0);
  3.1120 + 		}
  3.1121 +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
  3.1122 +--- a/drivers/usb/serial/visor.c
  3.1123 ++++ b/drivers/usb/serial/visor.c
  3.1124 +@@ -386,6 +386,7 @@ struct visor_private {
  3.1125 + 	int bytes_in;
  3.1126 + 	int bytes_out;
  3.1127 + 	int outstanding_urbs;
  3.1128 ++	int throttled;
  3.1129 + };
  3.1130 + 
  3.1131 + /* number of outstanding urbs to prevent userspace DoS from happening */
  3.1132 +@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial
  3.1133 + 	priv->bytes_in = 0;
  3.1134 + 	priv->bytes_out = 0;
  3.1135 + 	priv->outstanding_urbs = 0;
  3.1136 ++	priv->throttled = 0;
  3.1137 + 	spin_unlock_irqrestore(&priv->lock, flags);
  3.1138 + 
  3.1139 + 	/*
  3.1140 +@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st
  3.1141 + 	struct tty_struct *tty;
  3.1142 + 	unsigned long flags;
  3.1143 + 	int i;
  3.1144 ++	int throttled;
  3.1145 + 	int result;
  3.1146 + 
  3.1147 + 	dbg("%s - port %d", __FUNCTION__, port->number);
  3.1148 +@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st
  3.1149 + 	}
  3.1150 + 	spin_lock_irqsave(&priv->lock, flags);
  3.1151 + 	priv->bytes_in += urb->actual_length;
  3.1152 ++	throttled = priv->throttled;
  3.1153 + 	spin_unlock_irqrestore(&priv->lock, flags);
  3.1154 + 
  3.1155 +-	/* Continue trying to always read  */
  3.1156 +-	usb_fill_bulk_urb (port->read_urb, port->serial->dev,
  3.1157 +-			   usb_rcvbulkpipe(port->serial->dev,
  3.1158 +-					   port->bulk_in_endpointAddress),
  3.1159 +-			   port->read_urb->transfer_buffer,
  3.1160 +-			   port->read_urb->transfer_buffer_length,
  3.1161 +-			   visor_read_bulk_callback, port);
  3.1162 +-	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  3.1163 +-	if (result)
  3.1164 +-		dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
  3.1165 ++	/* Continue trying to always read if we should */
  3.1166 ++	if (!throttled) {
  3.1167 ++		usb_fill_bulk_urb (port->read_urb, port->serial->dev,
  3.1168 ++				   usb_rcvbulkpipe(port->serial->dev,
  3.1169 ++						   port->bulk_in_endpointAddress),
  3.1170 ++				   port->read_urb->transfer_buffer,
  3.1171 ++				   port->read_urb->transfer_buffer_length,
  3.1172 ++				   visor_read_bulk_callback, port);
  3.1173 ++		result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  3.1174 ++		if (result)
  3.1175 ++			dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
  3.1176 ++	}
  3.1177 + 	return;
  3.1178 + }
  3.1179 + 
  3.1180 +@@ -683,16 +689,26 @@ exit:
  3.1181 + 
  3.1182 + static void visor_throttle (struct usb_serial_port *port)
  3.1183 + {
  3.1184 ++	struct visor_private *priv = usb_get_serial_port_data(port);
  3.1185 ++	unsigned long flags;
  3.1186 ++
  3.1187 + 	dbg("%s - port %d", __FUNCTION__, port->number);
  3.1188 +-	usb_kill_urb(port->read_urb);
  3.1189 ++	spin_lock_irqsave(&priv->lock, flags);
  3.1190 ++	priv->throttled = 1;
  3.1191 ++	spin_unlock_irqrestore(&priv->lock, flags);
  3.1192 + }
  3.1193 + 
  3.1194 + 
  3.1195 + static void visor_unthrottle (struct usb_serial_port *port)
  3.1196 + {
  3.1197 ++	struct visor_private *priv = usb_get_serial_port_data(port);
  3.1198 ++	unsigned long flags;
  3.1199 + 	int result;
  3.1200 + 
  3.1201 + 	dbg("%s - port %d", __FUNCTION__, port->number);
  3.1202 ++	spin_lock_irqsave(&priv->lock, flags);
  3.1203 ++	priv->throttled = 0;
  3.1204 ++	spin_unlock_irqrestore(&priv->lock, flags);
  3.1205 + 
  3.1206 + 	port->read_urb->dev = port->serial->dev;
  3.1207 + 	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
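Review bot: visor_unthrottle clears `priv->throttled` and then submits `port->read_urb` unconditionally, but visor_throttle no longer kills the URB, so a read can still be in flight when unthrottle runs. If throttle and unthrottle both happen before the pending completion callback fires, the submit here would presumably fail and log an error even though nothing is wrong, and the callback would then resubmit on its own. Nothing visible records whether the callback actually skipped its resubmit; a second flag set by the callback under `priv->lock`, and tested here before submitting, would close that window. The rest of visor_unthrottle lies outside the hunk.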
  3.1208 +diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c
  3.1209 +--- a/drivers/video/matrox/matroxfb_accel.c
  3.1210 ++++ b/drivers/video/matrox/matroxfb_accel.c
  3.1211 +@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI
  3.1212 + 		} else if (step == 1) {
  3.1213 + 			/* Special case for 1..8bit widths */
  3.1214 + 			while (height--) {
  3.1215 +-				mga_writel(mmio, 0, *chardata);
  3.1216 ++#if defined(__BIG_ENDIAN)
  3.1217 ++				fb_writel((*chardata) << 24, mmio.vaddr);
  3.1218 ++#else
  3.1219 ++				fb_writel(*chardata, mmio.vaddr);
  3.1220 ++#endif
  3.1221 + 				chardata++;
  3.1222 + 			}
  3.1223 + 		} else if (step == 2) {
  3.1224 + 			/* Special case for 9..15bit widths */
  3.1225 + 			while (height--) {
  3.1226 +-				mga_writel(mmio, 0, *(u_int16_t*)chardata);
  3.1227 ++#if defined(__BIG_ENDIAN)
  3.1228 ++				fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr);
  3.1229 ++#else
  3.1230 ++				fb_writel(*(u_int16_t*)chardata, mmio.vaddr);
  3.1231 ++#endif
  3.1232 + 				chardata += 2;
  3.1233 + 			}
  3.1234 + 		} else {
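Review bot: In the big-endian branches, `(*chardata) << 24` and `(*(u_int16_t*)chardata) << 16` shift a value that has been promoted to signed `int`, so a source byte or halfword with its top bit set is shifted into the sign bit, which is undefined behaviour in C. Casting first keeps the arithmetic unsigned: `fb_writel((u_int32_t)*chardata << 24, mmio.vaddr);` and `fb_writel((u_int32_t)*(u_int16_t*)chardata << 16, mmio.vaddr);`. The declaration of `chardata` is outside the hunk, so this assumes it is a byte pointer, as the `1..8bit widths` comment implies. A one-line comment on why only the big-endian path shifts would also help the next reader.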
  3.1235 +@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI
  3.1236 + 				
  3.1237 + 				for (i = 0; i < step; i += 4) {
  3.1238 + 					/* Hope that there are at least three readable bytes beyond the end of bitmap */
  3.1239 +-					mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i)));
  3.1240 ++					fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr);
  3.1241 + 				}
  3.1242 + 				chardata += step;
  3.1243 + 			}
  3.1244 +diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h
  3.1245 +--- a/drivers/video/matrox/matroxfb_base.h
  3.1246 ++++ b/drivers/video/matrox/matroxfb_base.h
  3.1247 +@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr
  3.1248 + 
  3.1249 + 	if ((unsigned long)src & 3) {
  3.1250 + 		while (len >= 4) {
  3.1251 +-			writel(get_unaligned((u32 *)src), addr);
  3.1252 ++			fb_writel(get_unaligned((u32 *)src), addr);
  3.1253 + 			addr++;
  3.1254 + 			len -= 4;
  3.1255 + 			src += 4;
  3.1256 + 		}
  3.1257 + 	} else {
  3.1258 + 		while (len >= 4) {
  3.1259 +-			writel(*(u32 *)src, addr);
  3.1260 ++			fb_writel(*(u32 *)src, addr);
  3.1261 + 			addr++;
  3.1262 + 			len -= 4;
  3.1263 + 			src += 4;
  3.1264 +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
  3.1265 +--- a/fs/binfmt_elf.c
  3.1266 ++++ b/fs/binfmt_elf.c
  3.1267 +@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b
  3.1268 + 	}
  3.1269 + 
  3.1270 + 	/* Populate argv and envp */
  3.1271 +-	p = current->mm->arg_start;
  3.1272 ++	p = current->mm->arg_end = current->mm->arg_start;
  3.1273 + 	while (argc-- > 0) {
  3.1274 + 		size_t len;
  3.1275 + 		__put_user((elf_addr_t)p, argv++);
  3.1276 +@@ -1008,6 +1008,7 @@ out_free_ph:
  3.1277 + static int load_elf_library(struct file *file)
  3.1278 + {
  3.1279 + 	struct elf_phdr *elf_phdata;
  3.1280 ++	struct elf_phdr *eppnt;
  3.1281 + 	unsigned long elf_bss, bss, len;
  3.1282 + 	int retval, error, i, j;
  3.1283 + 	struct elfhdr elf_ex;
  3.1284 +@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 
  3.1285 + 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
  3.1286 + 
  3.1287 + 	error = -ENOMEM;
  3.1288 +-	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
  3.1289 ++	elf_phdata = kmalloc(j, GFP_KERNEL);
  3.1290 + 	if (!elf_phdata)
  3.1291 + 		goto out;
  3.1292 + 
  3.1293 ++	eppnt = elf_phdata;
  3.1294 + 	error = -ENOEXEC;
  3.1295 +-	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
  3.1296 ++	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
  3.1297 + 	if (retval != j)
  3.1298 + 		goto out_free_ph;
  3.1299 + 
  3.1300 + 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
  3.1301 +-		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
  3.1302 ++		if ((eppnt + i)->p_type == PT_LOAD)
  3.1303 ++			j++;
  3.1304 + 	if (j != 1)
  3.1305 + 		goto out_free_ph;
  3.1306 + 
  3.1307 +-	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
  3.1308 ++	while (eppnt->p_type != PT_LOAD)
  3.1309 ++		eppnt++;
  3.1310 + 
  3.1311 + 	/* Now use mmap to map the library into memory. */
  3.1312 + 	down_write(&current->mm->mmap_sem);
  3.1313 + 	error = do_mmap(file,
  3.1314 +-			ELF_PAGESTART(elf_phdata->p_vaddr),
  3.1315 +-			(elf_phdata->p_filesz +
  3.1316 +-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
  3.1317 ++			ELF_PAGESTART(eppnt->p_vaddr),
  3.1318 ++			(eppnt->p_filesz +
  3.1319 ++			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
  3.1320 + 			PROT_READ | PROT_WRITE | PROT_EXEC,
  3.1321 + 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
  3.1322 +-			(elf_phdata->p_offset -
  3.1323 +-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
  3.1324 ++			(eppnt->p_offset -
  3.1325 ++			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
  3.1326 + 	up_write(&current->mm->mmap_sem);
  3.1327 +-	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
  3.1328 ++	if (error != ELF_PAGESTART(eppnt->p_vaddr))
  3.1329 + 		goto out_free_ph;
  3.1330 + 
  3.1331 +-	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
  3.1332 ++	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
  3.1333 + 	if (padzero(elf_bss)) {
  3.1334 + 		error = -EFAULT;
  3.1335 + 		goto out_free_ph;
  3.1336 + 	}
  3.1337 + 
  3.1338 +-	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
  3.1339 +-	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
  3.1340 ++	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
  3.1341 ++	bss = eppnt->p_memsz + eppnt->p_vaddr;
  3.1342 + 	if (bss > len) {
  3.1343 + 		down_write(&current->mm->mmap_sem);
  3.1344 + 		do_brk(len, bss - len);
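Review bot: Nothing in the new code says why `eppnt` exists, so a later cleanup could easily fold it back into `elf_phdata`. The point appears to be that `elf_phdata` must keep the address returned by kmalloc so that the `out_free_ph` path frees the original allocation rather than a pointer advanced by the `while (eppnt->p_type != PT_LOAD)` scan; that label is outside the hunk, so this is inferred. A comment at the assignment would pin it down: `/* eppnt walks the headers; elf_phdata stays at the kmalloc'd base for the free */`. load_elf_library begins and ends outside the hunk.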
  3.1345 +@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs
  3.1346 + static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
  3.1347 + 		       struct mm_struct *mm)
  3.1348 + {
  3.1349 +-	int i, len;
  3.1350 ++	unsigned int i, len;
  3.1351 + 	
  3.1352 + 	/* first copy the parameters from user space */
  3.1353 + 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
  3.1354 +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
  3.1355 +--- a/fs/cramfs/inode.c
  3.1356 ++++ b/fs/cramfs/inode.c
  3.1357 +@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st
  3.1358 + 			inode->i_data.a_ops = &cramfs_aops;
  3.1359 + 		} else {
  3.1360 + 			inode->i_size = 0;
  3.1361 ++			inode->i_blocks = 0;
  3.1362 + 			init_special_inode(inode, inode->i_mode,
  3.1363 + 				old_decode_dev(cramfs_inode->size));
  3.1364 + 		}
  3.1365 +diff --git a/fs/eventpoll.c b/fs/eventpoll.c
  3.1366 +--- a/fs/eventpoll.c
  3.1367 ++++ b/fs/eventpoll.c
  3.1368 +@@ -619,6 +619,7 @@ eexit_1:
  3.1369 + 	return error;
  3.1370 + }
  3.1371 + 
  3.1372 ++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
  3.1373 + 
  3.1374 + /*
  3.1375 +  * Implement the event wait interface for the eventpoll file. It is the kernel
  3.1376 +@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd,
  3.1377 + 		     current, epfd, events, maxevents, timeout));
  3.1378 + 
  3.1379 + 	/* The maximum number of event must be greater than zero */
  3.1380 +-	if (maxevents <= 0)
  3.1381 ++	if (maxevents <= 0 || maxevents > MAX_EVENTS)
  3.1382 + 		return -EINVAL;
  3.1383 + 
  3.1384 + 	/* Verify that the area passed by the user is writeable */
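Review bot: The comment above the test in sys_epoll_wait still says only that the count must be greater than zero, while the condition now also rejects `maxevents > MAX_EVENTS`. Going by the macro's definition, the bound keeps `maxevents * sizeof(struct epoll_event)` within INT_MAX, presumably for the writeability check that follows outside the hunk. Suggested wording: `/* maxevents must be positive and small enough that the event array size fits in an int */`. `MAX_EVENTS` has type `size_t`, so `maxevents` is converted to unsigned for the comparison; keeping the `<= 0` test first makes that conversion harmless.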
  3.1385 +diff --git a/fs/exec.c b/fs/exec.c
  3.1386 +--- a/fs/exec.c
  3.1387 ++++ b/fs/exec.c
  3.1388 +@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas
  3.1389 + {
  3.1390 + 	/* buf must be at least sizeof(tsk->comm) in size */
  3.1391 + 	task_lock(tsk);
  3.1392 +-	memcpy(buf, tsk->comm, sizeof(tsk->comm));
  3.1393 ++	strncpy(buf, tsk->comm, sizeof(tsk->comm));
  3.1394 + 	task_unlock(tsk);
  3.1395 + }
  3.1396 + 
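Review bot: `strncpy(buf, tsk->comm, sizeof(tsk->comm))` leaves `buf` unterminated if `tsk->comm` ever holds no NUL within its size, and the reason for preferring it over memcpy is not recorded. The gain appears to be that strncpy stops at the terminator and zero-fills the remainder, so stale bytes after the name are not copied out to the caller. A comment saying so, plus `buf[sizeof(tsk->comm) - 1] = '\0';` after the copy, would make both properties explicit. The function signature sits in the hunk header rather than in the hunk body.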
  3.1397 +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
  3.1398 +--- a/fs/ext2/dir.c
  3.1399 ++++ b/fs/ext2/dir.c
  3.1400 +@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
  3.1401 + 		goto fail;
  3.1402 + 	}
  3.1403 + 	kaddr = kmap_atomic(page, KM_USER0);
  3.1404 ++       memset(kaddr, 0, chunk_size);
  3.1405 + 	de = (struct ext2_dir_entry_2 *)kaddr;
  3.1406 + 	de->name_len = 1;
  3.1407 + 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
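Review bot: The added `memset(kaddr, 0, chunk_size);` is indented with spaces where the surrounding lines use a tab. It would also help to say why the clear is needed, presumably so that stale page contents are not written out with the new directory block: `/* zero the chunk so old page data never reaches disk */`. Whether `chunk_size` can exceed the region mapped by `kmap_atomic` is not visible here; ext2_make_empty starts and ends outside the hunk.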
  3.1408 +diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
  3.1409 +--- a/fs/ext3/balloc.c
  3.1410 ++++ b/fs/ext3/balloc.c
  3.1411 +@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino
  3.1412 + 
  3.1413 + 	if (!rsv_is_empty(&rsv->rsv_window)) {
  3.1414 + 		spin_lock(rsv_lock);
  3.1415 +-		rsv_window_remove(inode->i_sb, rsv);
  3.1416 ++		if (!rsv_is_empty(&rsv->rsv_window))
  3.1417 ++			rsv_window_remove(inode->i_sb, rsv);
  3.1418 + 		spin_unlock(rsv_lock);
  3.1419 + 	}
  3.1420 + }
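Review bot: The second `rsv_is_empty(&rsv->rsv_window)` test inside the lock reads like an accidental duplicate of the outer one. It appears to guard against another path emptying the window between the unlocked test and `spin_lock(rsv_lock)`, so a comment would keep it from being "simplified" away: `/* re-check under rsv_lock: the window may have been removed since the unlocked test */`. The start of ext3_discard_reservation is outside the hunk.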
  3.1421 +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
  3.1422 +--- a/fs/isofs/inode.c
  3.1423 ++++ b/fs/isofs/inode.c
  3.1424 +@@ -685,6 +685,8 @@ root_found:
  3.1425 + 	  sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
  3.1426 + 	  sbi->s_max_size = isonum_733(h_pri->volume_space_size);
  3.1427 + 	} else {
  3.1428 ++	  if (!pri)
  3.1429 ++	    goto out_freebh;
  3.1430 + 	  rootp = (struct iso_directory_record *) pri->root_directory_record;
  3.1431 + 	  sbi->s_nzones = isonum_733 (pri->volume_space_size);
  3.1432 + 	  sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
  3.1433 +@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl
  3.1434 + 	struct inode *inode;
  3.1435 + 	struct isofs_iget5_callback_data data;
  3.1436 + 
  3.1437 ++	if (offset >= 1ul << sb->s_blocksize_bits)
  3.1438 ++		return NULL;
  3.1439 ++
  3.1440 + 	data.block = block;
  3.1441 + 	data.offset = offset;
  3.1442 + 
  3.1443 +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
  3.1444 +--- a/fs/isofs/rock.c
  3.1445 ++++ b/fs/isofs/rock.c
  3.1446 +@@ -53,6 +53,7 @@
  3.1447 +   if(LEN & 1) LEN++;						\
  3.1448 +   CHR = ((unsigned char *) DE) + LEN;				\
  3.1449 +   LEN = *((unsigned char *) DE) - LEN;                          \
  3.1450 ++  if (LEN<0) LEN=0;                                             \
  3.1451 +   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
  3.1452 +   {                                                             \
  3.1453 +      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
  3.1454 +@@ -73,6 +74,10 @@
  3.1455 +     offset1 = 0; \
  3.1456 +     pbh = sb_bread(DEV->i_sb, block); \
  3.1457 +     if(pbh){       \
  3.1458 ++      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
  3.1459 ++	brelse(pbh); \
  3.1460 ++	goto out; \
  3.1461 ++      } \
  3.1462 +       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
  3.1463 +       brelse(pbh); \
  3.1464 +       chr = (unsigned char *) buffer; \
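Review bot: The new bounds test in the continuation macro, `offset + cont_size > pbh->b_size`, adds two values taken from the disc image before comparing them, so the sum itself can wrap or go negative depending on the types of `offset` and `cont_size`, which are declared outside the hunk. Comparing against the remaining space avoids the addition: `if (offset > pbh->b_size || cont_size > pbh->b_size - offset)`. It is also worth confirming that `cont_size - offset1` passed to memcpy cannot be negative, for the same reason. The macro now jumps to `out`, so every function that expands it needs that label; those expansions are outside the hunk.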
  3.1465 +@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d
  3.1466 +     struct rock_ridge * rr;
  3.1467 +     int sig;
  3.1468 +     
  3.1469 +-    while (len > 1){ /* There may be one byte for padding somewhere */
  3.1470 ++    while (len > 2){ /* There may be one byte for padding somewhere */
  3.1471 +       rr = (struct rock_ridge *) chr;
  3.1472 +-      if (rr->len == 0) goto out; /* Something got screwed up here */
  3.1473 ++      if (rr->len < 3) goto out; /* Something got screwed up here */
  3.1474 +       sig = isonum_721(chr);
  3.1475 +       chr += rr->len; 
  3.1476 +       len -= rr->len;
  3.1477 ++      if (len < 0) goto out;	/* corrupted isofs */
  3.1478 + 
  3.1479 +       switch(sig){
  3.1480 +       case SIG('R','R'):
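Review bot: The loop comment `/* There may be one byte for padding somewhere */` described the old `len > 1` condition and no longer explains `len > 2` together with `rr->len < 3`. The numbers seem to come from the record header the loop reads before validating anything else (two signature bytes via `isonum_721(chr)` plus the length byte), so a comment such as `/* need signature (2) + length (1) before touching rr */` or a named constant would say what is being guarded. The same guard is repeated in parse_rock_ridge_inode_internal and rock_ridge_symlink_readpage in later hunks; a shared helper or macro would keep the three copies from drifting apart. All three loops continue outside their hunks.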
  3.1481 +@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d
  3.1482 + 	break;
  3.1483 +       case SIG('N','M'):
  3.1484 + 	if (truncate) break;
  3.1485 ++	if (rr->len < 5) break;
  3.1486 +         /*
  3.1487 + 	 * If the flags are 2 or 4, this indicates '.' or '..'.
  3.1488 + 	 * We don't want to do anything with this, because it
  3.1489 +@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i
  3.1490 +     struct rock_ridge * rr;
  3.1491 +     int rootflag;
  3.1492 +     
  3.1493 +-    while (len > 1){ /* There may be one byte for padding somewhere */
  3.1494 ++    while (len > 2){ /* There may be one byte for padding somewhere */
  3.1495 +       rr = (struct rock_ridge *) chr;
  3.1496 +-      if (rr->len == 0) goto out; /* Something got screwed up here */
  3.1497 ++      if (rr->len < 3) goto out; /* Something got screwed up here */
  3.1498 +       sig = isonum_721(chr);
  3.1499 +       chr += rr->len; 
  3.1500 +       len -= rr->len;
  3.1501 ++      if (len < 0) goto out;	/* corrupted isofs */
  3.1502 +       
  3.1503 +       switch(sig){
  3.1504 + #ifndef CONFIG_ZISOFS		/* No flag for SF or ZF */
  3.1505 +@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s
  3.1506 + 	struct rock_ridge *rr;
  3.1507 + 
  3.1508 + 	if (!ISOFS_SB(inode->i_sb)->s_rock)
  3.1509 +-		panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
  3.1510 ++		goto error;
  3.1511 + 
  3.1512 + 	block = ei->i_iget5_block;
  3.1513 + 	lock_kernel();
  3.1514 +@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s
  3.1515 + 	SETUP_ROCK_RIDGE(raw_inode, chr, len);
  3.1516 + 
  3.1517 +       repeat:
  3.1518 +-	while (len > 1) { /* There may be one byte for padding somewhere */
  3.1519 ++	while (len > 2) { /* There may be one byte for padding somewhere */
  3.1520 + 		rr = (struct rock_ridge *) chr;
  3.1521 +-		if (rr->len == 0)
  3.1522 ++		if (rr->len < 3)
  3.1523 + 			goto out;	/* Something got screwed up here */
  3.1524 + 		sig = isonum_721(chr);
  3.1525 + 		chr += rr->len;
  3.1526 + 		len -= rr->len;
  3.1527 ++		if (len < 0)
  3.1528 ++			goto out;	/* corrupted isofs */
  3.1529 + 
  3.1530 + 		switch (sig) {
  3.1531 + 		case SIG('R', 'R'):
  3.1532 +@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s
  3.1533 +       fail:
  3.1534 + 	brelse(bh);
  3.1535 + 	unlock_kernel();
  3.1536 ++      error:
  3.1537 + 	SetPageError(page);
  3.1538 + 	kunmap(page);
  3.1539 + 	unlock_page(page);
  3.1540 +diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
  3.1541 +--- a/fs/jbd/transaction.c
  3.1542 ++++ b/fs/jbd/transaction.c
  3.1543 +@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
  3.1544 + 			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  3.1545 + 			ret = __dispose_buffer(jh,
  3.1546 + 					journal->j_running_transaction);
  3.1547 ++			journal_put_journal_head(jh);
  3.1548 + 			spin_unlock(&journal->j_list_lock);
  3.1549 + 			jbd_unlock_bh_state(bh);
  3.1550 + 			spin_unlock(&journal->j_state_lock);
  3.1551 +-			journal_put_journal_head(jh);
  3.1552 + 			return ret;
  3.1553 + 		} else {
  3.1554 + 			/* There is no currently-running transaction. So the
  3.1555 +@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
  3.1556 + 				JBUFFER_TRACE(jh, "give to committing trans");
  3.1557 + 				ret = __dispose_buffer(jh,
  3.1558 + 					journal->j_committing_transaction);
  3.1559 ++				journal_put_journal_head(jh);
  3.1560 + 				spin_unlock(&journal->j_list_lock);
  3.1561 + 				jbd_unlock_bh_state(bh);
  3.1562 + 				spin_unlock(&journal->j_state_lock);
  3.1563 +-				journal_put_journal_head(jh);
  3.1564 + 				return ret;
  3.1565 + 			} else {
  3.1566 + 				/* The orphan record's transaction has
  3.1567 +@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
  3.1568 + 					journal->j_running_transaction);
  3.1569 + 			jh->b_next_transaction = NULL;
  3.1570 + 		}
  3.1571 ++		journal_put_journal_head(jh);
  3.1572 + 		spin_unlock(&journal->j_list_lock);
  3.1573 + 		jbd_unlock_bh_state(bh);
  3.1574 + 		spin_unlock(&journal->j_state_lock);
  3.1575 +-		journal_put_journal_head(jh);
  3.1576 + 		return 0;
  3.1577 + 	} else {
  3.1578 + 		/* Good, the buffer belongs to the running transaction.
  3.1579 +diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h
  3.1580 +--- a/include/asm-x86_64/processor.h
  3.1581 ++++ b/include/asm-x86_64/processor.h
  3.1582 +@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne
  3.1583 + 
  3.1584 + 
  3.1585 + /*
  3.1586 +- * User space process size. 47bits.
  3.1587 ++ * User space process size. 47bits minus one guard page.
  3.1588 +  */
  3.1589 +-#define TASK_SIZE	(0x800000000000UL)
  3.1590 ++#define TASK_SIZE	(0x800000000000UL - 4096)
  3.1591 + 
  3.1592 + /* This decides where the kernel will search for a free chunk of vm
  3.1593 +  * space during mmap's.
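Review bot: The guard page is written as a literal in `(0x800000000000UL - 4096)`, so the define silently assumes the page size. `#define TASK_SIZE	(0x800000000000UL - PAGE_SIZE)` would tie it to the real value, provided PAGE_SIZE is visible in this header, which the hunk does not show. The comment `47bits minus one guard page` records what changed but not why the last user page must stay unmapped; one more sentence there would help.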
  3.1594 +diff --git a/include/linux/err.h b/include/linux/err.h
  3.1595 +--- a/include/linux/err.h
  3.1596 ++++ b/include/linux/err.h
  3.1597 +@@ -13,6 +13,8 @@
  3.1598 +  * This should be a per-architecture thing, to allow different
  3.1599 +  * error and pointer decisions.
  3.1600 +  */
  3.1601 ++#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
  3.1602 ++
  3.1603 + static inline void *ERR_PTR(long error)
  3.1604 + {
  3.1605 + 	return (void *) error;
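Review bot: `IS_ERR_VALUE(x)` has no comment and compares `(x)` as given, so its result depends on the caller's type. IS_ERR passes an `unsigned long`, but a 32-bit unsigned value holding a negative errno would be zero-extended on a 64-bit build and never test as an error. The macro also lands between the existing block comment and ERR_PTR, so it reads as if that comment describes it. A line of its own would fix both: `/* x must be long-sized or signed; a 32-bit unsigned value never matches on 64-bit */`.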
  3.1606 +@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p
  3.1607 + 
  3.1608 + static inline long IS_ERR(const void *ptr)
  3.1609 + {
  3.1610 +-	return unlikely((unsigned long)ptr > (unsigned long)-1000L);
  3.1611 ++	return IS_ERR_VALUE((unsigned long)ptr);
  3.1612 + }
  3.1613 + 
  3.1614 + #endif /* _LINUX_ERR_H */
  3.1615 +diff --git a/kernel/exit.c b/kernel/exit.c
  3.1616 +--- a/kernel/exit.c
  3.1617 ++++ b/kernel/exit.c
  3.1618 +@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas
  3.1619 + 	 */
  3.1620 + 	BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
  3.1621 + 	p->real_parent = reaper;
  3.1622 +-	if (p->parent == p->real_parent)
  3.1623 +-		BUG();
  3.1624 + }
  3.1625 + 
  3.1626 + static inline void reparent_thread(task_t *p, task_t *father, int traced)
  3.1627 +diff --git a/kernel/signal.c b/kernel/signal.c
  3.1628 +--- a/kernel/signal.c
  3.1629 ++++ b/kernel/signal.c
  3.1630 +@@ -1728,6 +1728,7 @@ do_signal_stop(int signr)
  3.1631 + 			 * with another processor delivering a stop signal,
  3.1632 + 			 * then the SIGCONT that wakes us up should clear it.
  3.1633 + 			 */
  3.1634 ++			read_unlock(&tasklist_lock);
  3.1635 + 			return 0;
  3.1636 + 		}
  3.1637 + 
  3.1638 +diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
  3.1639 +--- a/lib/rwsem-spinlock.c
  3.1640 ++++ b/lib/rwsem-spinlock.c
  3.1641 +@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
  3.1642 + 
  3.1643 + 	rwsemtrace(sem, "Entering __down_read");
  3.1644 + 
  3.1645 +-	spin_lock(&sem->wait_lock);
  3.1646 ++	spin_lock_irq(&sem->wait_lock);
  3.1647 + 
  3.1648 + 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  3.1649 + 		/* granted */
  3.1650 + 		sem->activity++;
  3.1651 +-		spin_unlock(&sem->wait_lock);
  3.1652 ++		spin_unlock_irq(&sem->wait_lock);
  3.1653 + 		goto out;
  3.1654 + 	}
  3.1655 + 
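Review bot: __down_read takes `sem->wait_lock` with `spin_lock_irq`, while the trylock and up paths in the following hunks use `spin_lock_irqsave`, and the code does not say why the two differ. `spin_unlock_irq` re-enables interrupts unconditionally, which is only correct if this path is never entered with interrupts disabled; that is reasonable for a function that may sleep, but it should be written down. A comment at the first lock would do: `/* may sleep, so IRQs are enabled on entry; the non-sleeping paths save and restore flags instead */`. The same applies to __down_write later in this file and to rwsem_down_failed_common in lib/rwsem.c.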
  3.1656 +@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
  3.1657 + 	list_add_tail(&waiter.list, &sem->wait_list);
  3.1658 + 
  3.1659 + 	/* we don't need to touch the semaphore struct anymore */
  3.1660 +-	spin_unlock(&sem->wait_lock);
  3.1661 ++	spin_unlock_irq(&sem->wait_lock);
  3.1662 + 
  3.1663 + 	/* wait to be given the lock */
  3.1664 + 	for (;;) {
  3.1665 +@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
  3.1666 +  */
  3.1667 + int fastcall __down_read_trylock(struct rw_semaphore *sem)
  3.1668 + {
  3.1669 ++	unsigned long flags;
  3.1670 + 	int ret = 0;
  3.1671 ++
  3.1672 + 	rwsemtrace(sem, "Entering __down_read_trylock");
  3.1673 + 
  3.1674 +-	spin_lock(&sem->wait_lock);
  3.1675 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1676 + 
  3.1677 + 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  3.1678 + 		/* granted */
  3.1679 +@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct 
  3.1680 + 		ret = 1;
  3.1681 + 	}
  3.1682 + 
  3.1683 +-	spin_unlock(&sem->wait_lock);
  3.1684 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1685 + 
  3.1686 + 	rwsemtrace(sem, "Leaving __down_read_trylock");
  3.1687 + 	return ret;
  3.1688 +@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
  3.1689 + 
  3.1690 + 	rwsemtrace(sem, "Entering __down_write");
  3.1691 + 
  3.1692 +-	spin_lock(&sem->wait_lock);
  3.1693 ++	spin_lock_irq(&sem->wait_lock);
  3.1694 + 
  3.1695 + 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  3.1696 + 		/* granted */
  3.1697 + 		sem->activity = -1;
  3.1698 +-		spin_unlock(&sem->wait_lock);
  3.1699 ++		spin_unlock_irq(&sem->wait_lock);
  3.1700 + 		goto out;
  3.1701 + 	}
  3.1702 + 
  3.1703 +@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
  3.1704 + 	list_add_tail(&waiter.list, &sem->wait_list);
  3.1705 + 
  3.1706 + 	/* we don't need to touch the semaphore struct anymore */
  3.1707 +-	spin_unlock(&sem->wait_lock);
  3.1708 ++	spin_unlock_irq(&sem->wait_lock);
  3.1709 + 
  3.1710 + 	/* wait to be given the lock */
  3.1711 + 	for (;;) {
  3.1712 +@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
  3.1713 +  */
  3.1714 + int fastcall __down_write_trylock(struct rw_semaphore *sem)
  3.1715 + {
  3.1716 ++	unsigned long flags;
  3.1717 + 	int ret = 0;
  3.1718 ++
  3.1719 + 	rwsemtrace(sem, "Entering __down_write_trylock");
  3.1720 + 
  3.1721 +-	spin_lock(&sem->wait_lock);
  3.1722 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1723 + 
  3.1724 + 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  3.1725 + 		/* granted */
  3.1726 +@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
  3.1727 + 		ret = 1;
  3.1728 + 	}
  3.1729 + 
  3.1730 +-	spin_unlock(&sem->wait_lock);
  3.1731 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1732 + 
  3.1733 + 	rwsemtrace(sem, "Leaving __down_write_trylock");
  3.1734 + 	return ret;
  3.1735 +@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
  3.1736 +  */
  3.1737 + void fastcall __up_read(struct rw_semaphore *sem)
  3.1738 + {
  3.1739 ++	unsigned long flags;
  3.1740 ++
  3.1741 + 	rwsemtrace(sem, "Entering __up_read");
  3.1742 + 
  3.1743 +-	spin_lock(&sem->wait_lock);
  3.1744 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1745 + 
  3.1746 + 	if (--sem->activity == 0 && !list_empty(&sem->wait_list))
  3.1747 + 		sem = __rwsem_wake_one_writer(sem);
  3.1748 + 
  3.1749 +-	spin_unlock(&sem->wait_lock);
  3.1750 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1751 + 
  3.1752 + 	rwsemtrace(sem, "Leaving __up_read");
  3.1753 + }
  3.1754 +@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
  3.1755 +  */
  3.1756 + void fastcall __up_write(struct rw_semaphore *sem)
  3.1757 + {
  3.1758 ++	unsigned long flags;
  3.1759 ++
  3.1760 + 	rwsemtrace(sem, "Entering __up_write");
  3.1761 + 
  3.1762 +-	spin_lock(&sem->wait_lock);
  3.1763 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1764 + 
  3.1765 + 	sem->activity = 0;
  3.1766 + 	if (!list_empty(&sem->wait_list))
  3.1767 + 		sem = __rwsem_do_wake(sem, 1);
  3.1768 + 
  3.1769 +-	spin_unlock(&sem->wait_lock);
  3.1770 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1771 + 
  3.1772 + 	rwsemtrace(sem, "Leaving __up_write");
  3.1773 + }
  3.1774 +@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
  3.1775 +  */
  3.1776 + void fastcall __downgrade_write(struct rw_semaphore *sem)
  3.1777 + {
  3.1778 ++	unsigned long flags;
  3.1779 ++
  3.1780 + 	rwsemtrace(sem, "Entering __downgrade_write");
  3.1781 + 
  3.1782 +-	spin_lock(&sem->wait_lock);
  3.1783 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1784 + 
  3.1785 + 	sem->activity = 1;
  3.1786 + 	if (!list_empty(&sem->wait_list))
  3.1787 + 		sem = __rwsem_do_wake(sem, 0);
  3.1788 + 
  3.1789 +-	spin_unlock(&sem->wait_lock);
  3.1790 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1791 + 
  3.1792 + 	rwsemtrace(sem, "Leaving __downgrade_write");
  3.1793 + }
  3.1794 +diff --git a/lib/rwsem.c b/lib/rwsem.c
  3.1795 +--- a/lib/rwsem.c
  3.1796 ++++ b/lib/rwsem.c
  3.1797 +@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
  3.1798 + 	set_task_state(tsk, TASK_UNINTERRUPTIBLE);
  3.1799 + 
  3.1800 + 	/* set up my own style of waitqueue */
  3.1801 +-	spin_lock(&sem->wait_lock);
  3.1802 ++	spin_lock_irq(&sem->wait_lock);
  3.1803 + 	waiter->task = tsk;
  3.1804 + 	get_task_struct(tsk);
  3.1805 + 
  3.1806 +@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
  3.1807 + 	if (!(count & RWSEM_ACTIVE_MASK))
  3.1808 + 		sem = __rwsem_do_wake(sem, 0);
  3.1809 + 
  3.1810 +-	spin_unlock(&sem->wait_lock);
  3.1811 ++	spin_unlock_irq(&sem->wait_lock);
  3.1812 + 
  3.1813 + 	/* wait to be given the lock */
  3.1814 + 	for (;;) {
  3.1815 +@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
  3.1816 +  */
  3.1817 + struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
  3.1818 + {
  3.1819 ++	unsigned long flags;
  3.1820 ++
  3.1821 + 	rwsemtrace(sem, "Entering rwsem_wake");
  3.1822 + 
  3.1823 +-	spin_lock(&sem->wait_lock);
  3.1824 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1825 + 
  3.1826 + 	/* do nothing if list empty */
  3.1827 + 	if (!list_empty(&sem->wait_list))
  3.1828 + 		sem = __rwsem_do_wake(sem, 0);
  3.1829 + 
  3.1830 +-	spin_unlock(&sem->wait_lock);
  3.1831 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1832 + 
  3.1833 + 	rwsemtrace(sem, "Leaving rwsem_wake");
  3.1834 + 
  3.1835 +@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
  3.1836 +  */
  3.1837 + struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
  3.1838 + {
  3.1839 ++	unsigned long flags;
  3.1840 ++
  3.1841 + 	rwsemtrace(sem, "Entering rwsem_downgrade_wake");
  3.1842 + 
  3.1843 +-	spin_lock(&sem->wait_lock);
  3.1844 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1845 + 
  3.1846 + 	/* do nothing if list empty */
  3.1847 + 	if (!list_empty(&sem->wait_list))
  3.1848 + 		sem = __rwsem_do_wake(sem, 1);
  3.1849 + 
  3.1850 +-	spin_unlock(&sem->wait_lock);
  3.1851 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1852 + 
  3.1853 + 	rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
  3.1854 + 	return sem;
  3.1855 +diff --git a/mm/mmap.c b/mm/mmap.c
  3.1856 +--- a/mm/mmap.c
  3.1857 ++++ b/mm/mmap.c
  3.1858 +@@ -1315,37 +1315,40 @@ unsigned long
  3.1859 + get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
  3.1860 + 		unsigned long pgoff, unsigned long flags)
  3.1861 + {
  3.1862 +-	if (flags & MAP_FIXED) {
  3.1863 +-		unsigned long ret;
  3.1864 ++	unsigned long ret;
  3.1865 + 
  3.1866 +-		if (addr > TASK_SIZE - len)
  3.1867 +-			return -ENOMEM;
  3.1868 +-		if (addr & ~PAGE_MASK)
  3.1869 +-			return -EINVAL;
  3.1870 +-		if (file && is_file_hugepages(file))  {
  3.1871 +-			/*
  3.1872 +-			 * Check if the given range is hugepage aligned, and
  3.1873 +-			 * can be made suitable for hugepages.
  3.1874 +-			 */
  3.1875 +-			ret = prepare_hugepage_range(addr, len);
  3.1876 +-		} else {
  3.1877 +-			/*
  3.1878 +-			 * Ensure that a normal request is not falling in a
  3.1879 +-			 * reserved hugepage range.  For some archs like IA-64,
  3.1880 +-			 * there is a separate region for hugepages.
  3.1881 +-			 */
  3.1882 +-			ret = is_hugepage_only_range(addr, len);
  3.1883 +-		}
  3.1884 +-		if (ret)
  3.1885 +-			return -EINVAL;
  3.1886 +-		return addr;
  3.1887 +-	}
  3.1888 ++	if (!(flags & MAP_FIXED)) {
  3.1889 ++		unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
  3.1890 + 
  3.1891 +-	if (file && file->f_op && file->f_op->get_unmapped_area)
  3.1892 +-		return file->f_op->get_unmapped_area(file, addr, len,
  3.1893 +-						pgoff, flags);
  3.1894 ++		get_area = current->mm->get_unmapped_area;
  3.1895 ++		if (file && file->f_op && file->f_op->get_unmapped_area)
  3.1896 ++			get_area = file->f_op->get_unmapped_area;
  3.1897 ++		addr = get_area(file, addr, len, pgoff, flags);
  3.1898 ++		if (IS_ERR_VALUE(addr))
  3.1899 ++			return addr;
  3.1900 ++	}
  3.1901 + 
  3.1902 +-	return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
  3.1903 ++	if (addr > TASK_SIZE - len)
  3.1904 ++		return -ENOMEM;
  3.1905 ++	if (addr & ~PAGE_MASK)
  3.1906 ++		return -EINVAL;
  3.1907 ++	if (file && is_file_hugepages(file))  {
  3.1908 ++		/*
  3.1909 ++		 * Check if the given range is hugepage aligned, and
  3.1910 ++		 * can be made suitable for hugepages.
  3.1911 ++		 */
  3.1912 ++		ret = prepare_hugepage_range(addr, len);
  3.1913 ++	} else {
  3.1914 ++		/*
  3.1915 ++		 * Ensure that a normal request is not falling in a
  3.1916 ++		 * reserved hugepage range.  For some archs like IA-64,
  3.1917 ++		 * there is a separate region for hugepages.
  3.1918 ++		 */
  3.1919 ++		ret = is_hugepage_only_range(addr, len);
  3.1920 ++	}
  3.1921 ++	if (ret)
  3.1922 ++		return -EINVAL;
  3.1923 ++	return addr;
  3.1924 + }
  3.1925 + 
  3.1926 + EXPORT_SYMBOL(get_unmapped_area);
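Review bot: `addr > TASK_SIZE - len` is an unsigned subtraction with no prior bound on `len` in this function, so a `len` greater than `TASK_SIZE` wraps and lets the range check pass. After this change that check is also the only range validation applied to addresses returned through `get_area`. Unless every caller already rejects such lengths (not visible here), add `if (len > TASK_SIZE) return -ENOMEM;` as the first statement of get_unmapped_area. A short comment above the post-lookup checks, saying that they apply to both MAP_FIXED and callback-chosen addresses, would also help the next reader.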
  3.1927 +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
  3.1928 +--- a/net/bluetooth/af_bluetooth.c
  3.1929 ++++ b/net/bluetooth/af_bluetooth.c
  3.1930 +@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
  3.1931 + 
  3.1932 + int bt_sock_register(int proto, struct net_proto_family *ops)
  3.1933 + {
  3.1934 +-	if (proto >= BT_MAX_PROTO)
  3.1935 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.1936 + 		return -EINVAL;
  3.1937 + 
  3.1938 + 	if (bt_proto[proto])
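Review bot: The same two-sided range test is now written out three times, in bt_sock_register here and in bt_sock_unregister and bt_sock_create in the next two hunks, so any later change to the bound has to be repeated in each place. A single unsigned comparison, `if ((unsigned int)proto >= BT_MAX_PROTO)`, or one small static helper shared by the three, would keep them in step. A one-line comment that `proto` is a signed int, and that a negative value would index before the start of `bt_proto`, would explain why the lower bound matters. All three function bodies continue outside their hunks.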
  3.1939 +@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
  3.1940 + 
  3.1941 + int bt_sock_unregister(int proto)
  3.1942 + {
  3.1943 +-	if (proto >= BT_MAX_PROTO)
  3.1944 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.1945 + 		return -EINVAL;
  3.1946 + 
  3.1947 + 	if (!bt_proto[proto])
  3.1948 +@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket 
  3.1949 + {
  3.1950 + 	int err = 0;
  3.1951 + 
  3.1952 +-	if (proto >= BT_MAX_PROTO)
  3.1953 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.1954 + 		return -EINVAL;
  3.1955 + 
  3.1956 + #if defined(CONFIG_KMOD)
  3.1957 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
  3.1958 +--- a/net/bridge/netfilter/ebtables.c
  3.1959 ++++ b/net/bridge/netfilter/ebtables.c
  3.1960 +@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 
  3.1961 + 	struct ebt_chainstack *cs;
  3.1962 + 	struct ebt_entries *chaininfo;
  3.1963 + 	char *base;
  3.1964 +-	struct ebt_table_info *private = table->private;
  3.1965 ++	struct ebt_table_info *private;
  3.1966 + 
  3.1967 + 	read_lock_bh(&table->lock);
  3.1968 ++	private = table->private;
  3.1969 + 	cb_base = COUNTER_BASE(private->counters, private->nentries,
  3.1970 + 	   smp_processor_id());
  3.1971 + 	if (private->chainstack)
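Review bot: The reason `private = table->private` had to move below `read_lock_bh(&table->lock)` is not recorded, so a later cleanup could easily hoist the load back into the declaration. A comment on the assignment would prevent that, e.g. `/* read under table->lock: the pointer may be replaced while the lock is not held */`. The writer side is not visible in this hunk, so the wording should be confirmed against it. ebt_do_table starts and ends outside the hunk.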
  3.1972 +diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
  3.1973 +--- a/net/ipv4/fib_hash.c
  3.1974 ++++ b/net/ipv4/fib_hash.c
  3.1975 +@@ -919,13 +919,23 @@ out:
  3.1976 + 	return fa;
  3.1977 + }
  3.1978 + 
  3.1979 ++static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
  3.1980 ++{
  3.1981 ++	struct fib_alias *fa = fib_get_first(seq);
  3.1982 ++
  3.1983 ++	if (fa)
  3.1984 ++		while (pos && (fa = fib_get_next(seq)))
  3.1985 ++			--pos;
  3.1986 ++	return pos ? NULL : fa;
  3.1987 ++}
  3.1988 ++
  3.1989 + static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
  3.1990 + {
  3.1991 + 	void *v = NULL;
  3.1992 + 
  3.1993 + 	read_lock(&fib_hash_lock);
  3.1994 + 	if (ip_fib_main_table)
  3.1995 +-		v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
  3.1996 ++		v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
  3.1997 + 	return v;
  3.1998 + }
  3.1999 + 
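Review bot: fib_get_idx has no comment and nests an unbraced `while` under an unbraced `if`, which makes the `return pos ? NULL : fa;` result harder to verify than it needs to be. Brace both statements and add a header such as `/* Return the pos'th alias counting from fib_get_first(), or NULL if there are fewer; caller holds fib_hash_lock. */`; fib_seq_start takes that read lock before calling it. The helper also re-walks the table from the first entry on every start call, which may deserve a remark for large tables.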
  3.2000 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
  3.2001 +--- a/net/ipv4/tcp_input.c
  3.2002 ++++ b/net/ipv4/tcp_input.c
  3.2003 +@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
  3.2004 + static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
  3.2005 + {
  3.2006 + 	if (tp->prior_ssthresh) {
  3.2007 +-		tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  3.2008 ++		if (tcp_is_bic(tp))
  3.2009 ++			tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
  3.2010 ++		else
  3.2011 ++			tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  3.2012 + 
  3.2013 + 		if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
  3.2014 + 			tp->snd_ssthresh = tp->prior_ssthresh;
  3.2015 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
  3.2016 +--- a/net/ipv4/tcp_timer.c
  3.2017 ++++ b/net/ipv4/tcp_timer.c
  3.2018 +@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
  3.2019 + 
  3.2020 + #ifdef TCP_DEBUG
  3.2021 + const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
  3.2022 ++EXPORT_SYMBOL(tcp_timer_bug_msg);
  3.2023 + #endif
  3.2024 + 
  3.2025 + /*
  3.2026 +diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
  3.2027 +--- a/net/ipv4/xfrm4_output.c
  3.2028 ++++ b/net/ipv4/xfrm4_output.c
  3.2029 +@@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
  3.2030 + 			goto error_nolock;
  3.2031 + 	}
  3.2032 + 
  3.2033 +-	spin_lock_bh(&x->lock);
  3.2034 +-	err = xfrm_state_check(x, skb);
  3.2035 +-	if (err)
  3.2036 +-		goto error;
  3.2037 +-
  3.2038 + 	if (x->props.mode) {
  3.2039 + 		err = xfrm4_tunnel_check_size(skb);
  3.2040 + 		if (err)
  3.2041 +-			goto error;
  3.2042 ++			goto error_nolock;
  3.2043 + 	}
  3.2044 + 
  3.2045 ++	spin_lock_bh(&x->lock);
  3.2046 ++	err = xfrm_state_check(x, skb);
  3.2047 ++	if (err)
  3.2048 ++		goto error;
  3.2049 ++
  3.2050 + 	xfrm4_encap(skb);
  3.2051 + 
  3.2052 + 	err = x->type->output(skb);
  3.2053 +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
  3.2054 +--- a/net/ipv6/xfrm6_output.c
  3.2055 ++++ b/net/ipv6/xfrm6_output.c
  3.2056 +@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
  3.2057 + 			goto error_nolock;
  3.2058 + 	}
  3.2059 + 
  3.2060 +-	spin_lock_bh(&x->lock);
  3.2061 +-	err = xfrm_state_check(x, skb);
  3.2062 +-	if (err)
  3.2063 +-		goto error;
  3.2064 +-
  3.2065 + 	if (x->props.mode) {
  3.2066 + 		err = xfrm6_tunnel_check_size(skb);
  3.2067 + 		if (err)
  3.2068 +-			goto error;
  3.2069 ++			goto error_nolock;
  3.2070 + 	}
  3.2071 + 
  3.2072 ++	spin_lock_bh(&x->lock);
  3.2073 ++	err = xfrm_state_check(x, skb);
  3.2074 ++	if (err)
  3.2075 ++		goto error;
  3.2076 ++
  3.2077 + 	xfrm6_encap(skb);
  3.2078 + 
  3.2079 + 	err = x->type->output(skb);
  3.2080 +diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
  3.2081 +--- a/net/netrom/nr_in.c
  3.2082 ++++ b/net/netrom/nr_in.c
  3.2083 +@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
  3.2084 + static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
  3.2085 + 	int frametype)
  3.2086 + {
  3.2087 +-	bh_lock_sock(sk);
  3.2088 + 	switch (frametype) {
  3.2089 + 	case NR_CONNACK: {
  3.2090 + 		nr_cb *nr = nr_sk(sk);
  3.2091 +@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
  3.2092 + 	default:
  3.2093 + 		break;
  3.2094 + 	}
  3.2095 +-	bh_unlock_sock(sk);
  3.2096 +-
  3.2097 + 	return 0;
  3.2098 + }
  3.2099 + 
  3.2100 +@@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
  3.2101 + static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
  3.2102 + 	int frametype)
  3.2103 + {
  3.2104 +-	bh_lock_sock(sk);
  3.2105 + 	switch (frametype) {
  3.2106 + 	case NR_CONNACK | NR_CHOKE_FLAG:
  3.2107 + 		nr_disconnect(sk, ECONNRESET);
  3.2108 +@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
  3.2109 + 	default:
  3.2110 + 		break;
  3.2111 + 	}
  3.2112 +-	bh_unlock_sock(sk);
  3.2113 +-
  3.2114 + 	return 0;
  3.2115 + }
  3.2116 + 
  3.2117 +@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
  3.2118 + 	nr = skb->data[18];
  3.2119 + 	ns = skb->data[17];
  3.2120 + 
  3.2121 +-	bh_lock_sock(sk);
  3.2122 + 	switch (frametype) {
  3.2123 + 	case NR_CONNREQ:
  3.2124 + 		nr_write_internal(sk, NR_CONNACK);
  3.2125 +@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
  3.2126 + 	default:
  3.2127 + 		break;
  3.2128 + 	}
  3.2129 +-	bh_unlock_sock(sk);
  3.2130 +-
  3.2131 + 	return queued;
  3.2132 + }
  3.2133 + 
  3.2134 +diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
  3.2135 +--- a/net/rose/rose_route.c
  3.2136 ++++ b/net/rose/rose_route.c
  3.2137 +@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
  3.2138 + 		}
  3.2139 + 		if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
  3.2140 + 			return -EINVAL;
  3.2141 +-
  3.2142 ++		if (rose_route.ndigis > 8) /* No more than 8 digipeats */
  3.2143 ++			return -EINVAL;
  3.2144 + 		err = rose_add_node(&rose_route, dev);
  3.2145 + 		dev_put(dev);
  3.2146 + 		return err;
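Review bot: The added `ndigis > 8` rejection returns without the `dev_put(dev)` that the success path calls two lines later, as does the mask check just above it. If `dev` holds a reference taken earlier in this ioctl case (the acquisition is outside the hunk), each rejected request leaks that reference. The branch should read `if (rose_route.ndigis > 8) { dev_put(dev); return -EINVAL; }`, with the same treatment for the mask check. The literal 8 would also be clearer as a named constant tied to the limit it enforces.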
  3.2147 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
  3.2148 +--- a/net/xfrm/xfrm_state.c
  3.2149 ++++ b/net/xfrm/xfrm_state.c
  3.2150 +@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
  3.2151 + 
  3.2152 + 	for (i = 0; i < XFRM_DST_HSIZE; i++) {
  3.2153 + 		list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
  3.2154 +-			if (x->km.seq == seq) {
  3.2155 ++			if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
  3.2156 + 				xfrm_state_hold(x);
  3.2157 + 				return x;
  3.2158 + 			}
  3.2159 +diff --git a/security/keys/key.c b/security/keys/key.c
  3.2160 +--- a/security/keys/key.c
  3.2161 ++++ b/security/keys/key.c
  3.2162 +@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
  3.2163 + {
  3.2164 + 	struct key_user *candidate = NULL, *user;
  3.2165 + 	struct rb_node *parent = NULL;
  3.2166 +-	struct rb_node **p = &key_user_tree.rb_node;
  3.2167 ++	struct rb_node **p;
  3.2168 + 
  3.2169 +  try_again:
  3.2170 ++	p = &key_user_tree.rb_node;
  3.2171 + 	spin_lock(&key_user_lock);
  3.2172 + 
  3.2173 + 	/* search the tree for a user record with a matching UID */
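Review bot: Only `p` is re-initialised after the `try_again:` label; `parent` is set to NULL once, in its declaration, so a retry starts with whatever node the previous tree walk left in it. If the walk below (outside this hunk) assigns `parent` only inside its loop, a retry that finds the tree empty would link the new node under a stale parent. Adding `parent = NULL;` beside `p = &key_user_tree.rb_node;` makes every pass start from a clean state. key_user_lookup continues past the end of the hunk.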
  3.2174 +diff --git a/sound/core/timer.c b/sound/core/timer.c
  3.2175 +--- a/sound/core/timer.c
  3.2176 ++++ b/sound/core/timer.c
  3.2177 +@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
  3.2178 + 	if (tu->qused >= tu->queue_size) {
  3.2179 + 		tu->overrun++;
  3.2180 + 	} else {
  3.2181 +-		memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
  3.2182 ++		memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
  3.2183 ++		tu->qtail %= tu->queue_size;
  3.2184 + 		tu->qused++;
  3.2185 + 	}
  3.2186 + }
  3.2187 +@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
  3.2188 + 	spin_lock(&tu->qlock);
  3.2189 + 	snd_timer_user_append_to_tqueue(tu, &r1);
  3.2190 + 	spin_unlock(&tu->qlock);
  3.2191 ++	kill_fasync(&tu->fasync, SIGIO, POLL_IN);
  3.2192 ++	wake_up(&tu->qchange_sleep);
  3.2193 + }
  3.2194 + 
  3.2195 + static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
  3.2196 +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
  3.2197 +--- a/sound/pci/ac97/ac97_codec.c
  3.2198 ++++ b/sound/pci/ac97/ac97_codec.c
  3.2199 +@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
  3.2200 + /*
  3.2201 +  * create mute switch(es) for normal stereo controls
  3.2202 +  */
  3.2203 +-static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
  3.2204 ++static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
  3.2205 + {
  3.2206 + 	snd_kcontrol_t *kctl;
  3.2207 + 	int err;
  3.2208 +@@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
  3.2209 + 
  3.2210 + 	mute_mask = 0x8000;
  3.2211 + 	val = snd_ac97_read(ac97, reg);
  3.2212 +-	if (ac97->flags & AC97_STEREO_MUTES) {
  3.2213 ++	if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
  3.2214 + 		/* check whether both mute bits work */
  3.2215 + 		val1 = val | 0x8080;
  3.2216 + 		snd_ac97_write(ac97, reg, val1);
  3.2217 +@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t 
  3.2218 + /*
  3.2219 +  * create a mute-switch and a volume for normal stereo/mono controls
  3.2220 +  */
  3.2221 +-static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
  3.2222 ++static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
  3.2223 + {
  3.2224 + 	int err;
  3.2225 + 	char name[44];
  3.2226 +@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t 
  3.2227 + 
  3.2228 + 	if (snd_ac97_try_bit(ac97, reg, 15)) {
  3.2229 + 		sprintf(name, "%s Switch", pfx);
  3.2230 +-		if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
  3.2231 ++		if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
  3.2232 + 			return err;
  3.2233 + 	}
  3.2234 + 	check_volume_resolution(ac97, reg, &lo_max, &hi_max);
  3.2235 +@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t 
  3.2236 + 	return 0;
  3.2237 + }
  3.2238 + 
  3.2239 ++#define snd_ac97_cmix_new(card, pfx, reg, ac97)	snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
  3.2240 ++#define snd_ac97_cmute_new(card, name, reg, ac97)	snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
  3.2241 + 
  3.2242 + static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
  3.2243 + 
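Review bot: The two compatibility wrappers `snd_ac97_cmix_new` and `snd_ac97_cmute_new` are function-like macros, so calls through them lose argument type checking. `static inline` functions with the old signatures that pass 0 for `check_stereo` would behave the same and keep the checks. The new `check_stereo` parameter is also undocumented. The comments above snd_ac97_cmute_new_stereo and snd_ac97_cmix_new_stereo should say that a non-zero value forces the both-mute-bits probe even when `AC97_STEREO_MUTES` is not set in `ac97->flags`.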
  3.2244 +@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
  3.2245 + 
  3.2246 + 	/* build surround controls */
  3.2247 + 	if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
  3.2248 +-		if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
  3.2249 ++		/* Surround Master (0x38) is with stereo mutes */
  3.2250 ++		if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
  3.2251 + 			return err;
  3.2252 + 	}
  3.2253 + 
  3.2254 +diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
  3.2255 +--- a/sound/usb/usbaudio.c
  3.2256 ++++ b/sound/usb/usbaudio.c
  3.2257 +@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
  3.2258 + 		}
  3.2259 + 		usb_chip[chip->index] = NULL;
  3.2260 + 		up(&register_mutex);
  3.2261 +-		snd_card_free_in_thread(card);
  3.2262 ++		snd_card_free(card);
  3.2263 + 	} else {
  3.2264 + 		up(&register_mutex);
  3.2265 + 	}
  3.2266 +diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
  3.2267 +--- a/sound/usb/usx2y/usbusx2y.c
  3.2268 ++++ b/sound/usb/usx2y/usbusx2y.c
  3.2269 +@@ -1,6 +1,11 @@
  3.2270 + /*
  3.2271 +  * usbusy2y.c - ALSA USB US-428 Driver
  3.2272 +  *
  3.2273 ++2005-04-14 Karsten Wiese
  3.2274 ++	Version 0.8.7.2:
  3.2275 ++	Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
  3.2276 ++	Tested ok with kernel 2.6.12-rc2.
  3.2277 ++
  3.2278 + 2004-12-14 Karsten Wiese
  3.2279 + 	Version 0.8.7.1:
  3.2280 + 	snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
  3.2281 +@@ -143,7 +148,7 @@
  3.2282 + 
  3.2283 + 
  3.2284 + MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
  3.2285 +-MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
  3.2286 ++MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
  3.2287 + MODULE_LICENSE("GPL");
  3.2288 + MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
  3.2289 + 
  3.2290 +@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct 
  3.2291 + 	if (ptr) {
  3.2292 + 		usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
  3.2293 + 		struct list_head* p;
  3.2294 +-		if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP)	// on 2.6.1 kernel snd_usbmidi_disconnect()
  3.2295 +-			return;					// calls us back. better leave :-) .
  3.2296 + 		usX2Y->chip.shutdown = 1;
  3.2297 + 		usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
  3.2298 + 		usX2Y_unlinkSeq(&usX2Y->AS04);
  3.2299 +@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct 
  3.2300 + 		}
  3.2301 + 		if (usX2Y->us428ctls_sharedmem) 
  3.2302 + 			wake_up(&usX2Y->us428ctls_wait_queue_head);
  3.2303 +-		snd_card_free_in_thread((snd_card_t*)ptr);
  3.2304 ++		snd_card_free((snd_card_t*)ptr);
  3.2305 + 	}
  3.2306 + }
  3.2307 +