ia64/xen-unstable

changeset 4944:a6552aac4737

bitkeeper revision 1.1159.258.133 (42899fc9Z0GRA_KAdf0VC2mm_dJH6w)

upgrade to 2.6.11.10
author iap10@tetris.cl.cam.ac.uk
date Tue May 17 07:39:53 2005 +0000 (2005-05-17)
parents 85e3c42fd78f
children 8820b00f46e3 2c0074c64c33
files .rootkeys patches/linux-2.6.11/linux-2.6.11.10.patch patches/linux-2.6.11/linux-2.6.11.9.patch
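--- a/.rootkeys	Mon May 16 20:21:34 2005 +0000
+++ b/.rootkeys	Tue May 17 07:39:53 2005 +0000
@@ -369,7 +369,7 @@ 422e4430-gOD358H8nGGnNWes08Nng netbsd-2.
 413cb3b53nyOv1OIeDSsCXhBFDXvJA netbsd-2.0-xen-sparse/sys/nfs/files.nfs
 413aa1d0oNP8HXLvfPuMe6cSroUfSA patches/linux-2.6.11/agpgart.patch
 42372652KCUP-IOH9RN19YQmGhs4aA patches/linux-2.6.11/iomap.patch
-428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.9.patch
+428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.10.patch
 418abc69J3F638vPO9MYoDGeYilxoQ patches/linux-2.6.11/nettel.patch
 3f776bd1Hy9rn69ntXBhPReUFw9IEA tools/Makefile
 40e1b09db5mN69Ijj0X_Eol-S7dXiw tools/Rules.mk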
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/patches/linux-2.6.11/linux-2.6.11.10.patch	Tue May 17 07:39:53 2005 +0000
     2.3 @@ -0,0 +1,1737 @@
     2.4 +diff -Naur linux-2.6.11/Documentation/SecurityBugs linux-2.6.11.10/Documentation/SecurityBugs
     2.5 +--- linux-2.6.11/Documentation/SecurityBugs	1969-12-31 16:00:00.000000000 -0800
     2.6 ++++ linux-2.6.11.10/Documentation/SecurityBugs	2005-05-16 10:50:30.000000000 -0700
     2.7 +@@ -0,0 +1,38 @@
     2.8 ++Linux kernel developers take security very seriously.  As such, we'd
     2.9 ++like to know when a security bug is found so that it can be fixed and
    2.10 ++disclosed as quickly as possible.  Please report security bugs to the
    2.11 ++Linux kernel security team.
    2.12 ++
    2.13 ++1) Contact
    2.14 ++
    2.15 ++The Linux kernel security team can be contacted by email at
    2.16 ++<security@kernel.org>.  This is a private list of security officers
    2.17 ++who will help verify the bug report and develop and release a fix.
    2.18 ++It is possible that the security team will bring in extra help from
    2.19 ++area maintainers to understand and fix the security vulnerability.
    2.20 ++
    2.21 ++As it is with any bug, the more information provided the easier it
    2.22 ++will be to diagnose and fix.  Please review the procedure outlined in
    2.23 ++REPORTING-BUGS if you are unclear about what information is helpful.
    2.24 ++Any exploit code is very helpful and will not be released without
    2.25 ++consent from the reporter unless it has already been made public.
    2.26 ++
    2.27 ++2) Disclosure
    2.28 ++
    2.29 ++The goal of the Linux kernel security team is to work with the
    2.30 ++bug submitter to bug resolution as well as disclosure.  We prefer
    2.31 ++to fully disclose the bug as soon as possible.  It is reasonable to
    2.32 ++delay disclosure when the bug or the fix is not yet fully understood,
    2.33 ++the solution is not well-tested or for vendor coordination.  However, we
    2.34 ++expect these delays to be short, measurable in days, not weeks or months.
    2.35 ++A disclosure date is negotiated by the security team working with the
    2.36 ++bug submitter as well as vendors.  However, the kernel security team
    2.37 ++holds the final say when setting a disclosure date.  The timeframe for
    2.38 ++disclosure is from immediate (esp. if it's already publically known)
    2.39 ++to a few weeks.  As a basic default policy, we expect report date to
    2.40 ++disclosure date to be on the order of 7 days.
    2.41 ++
    2.42 ++3) Non-disclosure agreements
    2.43 ++
    2.44 ++The Linux kernel security team is not a formal body and therefore unable
    2.45 ++to enter any non-disclosure agreements.
    2.46 +diff -Naur linux-2.6.11/MAINTAINERS linux-2.6.11.10/MAINTAINERS
    2.47 +--- linux-2.6.11/MAINTAINERS	2005-03-01 23:38:10.000000000 -0800
    2.48 ++++ linux-2.6.11.10/MAINTAINERS	2005-05-16 10:50:30.000000000 -0700
    2.49 +@@ -1966,6 +1966,11 @@
    2.50 + W:	http://www.weinigel.se
    2.51 + S:	Supported
    2.52 + 
    2.53 ++SECURITY CONTACT
    2.54 ++P:	Security Officers
    2.55 ++M:	security@kernel.org
    2.56 ++S:	Supported
    2.57 ++
    2.58 + SELINUX SECURITY MODULE
    2.59 + P:	Stephen Smalley
    2.60 + M:	sds@epoch.ncsc.mil
    2.61 +diff -Naur linux-2.6.11/Makefile linux-2.6.11.10/Makefile
    2.62 +--- linux-2.6.11/Makefile	2005-03-01 23:38:13.000000000 -0800
    2.63 ++++ linux-2.6.11.10/Makefile	2005-05-16 10:50:30.000000000 -0700
    2.64 +@@ -1,8 +1,8 @@
    2.65 + VERSION = 2
    2.66 + PATCHLEVEL = 6
    2.67 + SUBLEVEL = 11
    2.68 +-EXTRAVERSION =
    2.69 +-NAME=Woozy Numbat
    2.70 ++EXTRAVERSION = .10
    2.71 ++NAME=Woozy Beaver
    2.72 + 
    2.73 + # *DOCUMENTATION*
    2.74 + # To see a list of typical targets execute "make help"
    2.75 +diff -Naur linux-2.6.11/REPORTING-BUGS linux-2.6.11.10/REPORTING-BUGS
    2.76 +--- linux-2.6.11/REPORTING-BUGS	2005-03-01 23:38:09.000000000 -0800
    2.77 ++++ linux-2.6.11.10/REPORTING-BUGS	2005-05-16 10:50:30.000000000 -0700
    2.78 +@@ -16,6 +16,10 @@
    2.79 + describe how to recreate it. That is worth even more than the oops itself.
    2.80 + The list of maintainers is in the MAINTAINERS file in this directory.
    2.81 + 
    2.82 ++      If it is a security bug, please copy the Security Contact listed
    2.83 ++in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
    2.84 ++See Documentation/SecurityBugs for more infomation.
    2.85 ++
    2.86 +       If you are totally stumped as to whom to send the report, send it to
    2.87 + linux-kernel@vger.kernel.org. (For more information on the linux-kernel
    2.88 + mailing list see http://www.tux.org/lkml/).
    2.89 +diff -Naur linux-2.6.11/arch/ia64/kernel/fsys.S linux-2.6.11.10/arch/ia64/kernel/fsys.S
    2.90 +--- linux-2.6.11/arch/ia64/kernel/fsys.S	2005-03-01 23:38:34.000000000 -0800
    2.91 ++++ linux-2.6.11.10/arch/ia64/kernel/fsys.S	2005-05-16 10:50:30.000000000 -0700
    2.92 +@@ -611,8 +611,10 @@
    2.93 + 	movl r2=ia64_ret_from_syscall
    2.94 + 	;;
    2.95 + 	mov rp=r2				// set the real return addr
    2.96 +-	tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
    2.97 ++	and r3=_TIF_SYSCALL_TRACEAUDIT,r3
    2.98 + 	;;
    2.99 ++	cmp.eq p8,p0=r3,r0
   2.100 ++
   2.101 + (p10)	br.cond.spnt.many ia64_ret_from_syscall	// p10==true means out registers are more than 8
   2.102 + (p8)	br.call.sptk.many b6=b6		// ignore this return addr
   2.103 + 	br.cond.sptk ia64_trace_syscall
   2.104 +diff -Naur linux-2.6.11/arch/ia64/kernel/signal.c linux-2.6.11.10/arch/ia64/kernel/signal.c
   2.105 +--- linux-2.6.11/arch/ia64/kernel/signal.c	2005-03-01 23:38:10.000000000 -0800
   2.106 ++++ linux-2.6.11.10/arch/ia64/kernel/signal.c	2005-05-16 10:50:30.000000000 -0700
   2.107 +@@ -224,7 +224,8 @@
   2.108 + 	 * could be corrupted.
   2.109 + 	 */
   2.110 + 	retval = (long) &ia64_leave_kernel;
   2.111 +-	if (test_thread_flag(TIF_SYSCALL_TRACE))
   2.112 ++	if (test_thread_flag(TIF_SYSCALL_TRACE)
   2.113 ++	    || test_thread_flag(TIF_SYSCALL_AUDIT))
   2.114 + 		/*
   2.115 + 		 * strace expects to be notified after sigreturn returns even though the
   2.116 + 		 * context to which we return may not be in the middle of a syscall.
   2.117 +diff -Naur linux-2.6.11/arch/ppc/oprofile/op_model_fsl_booke.c linux-2.6.11.10/arch/ppc/oprofile/op_model_fsl_booke.c
   2.118 +--- linux-2.6.11/arch/ppc/oprofile/op_model_fsl_booke.c	2005-03-01 23:38:33.000000000 -0800
   2.119 ++++ linux-2.6.11.10/arch/ppc/oprofile/op_model_fsl_booke.c	2005-05-16 10:50:31.000000000 -0700
   2.120 +@@ -150,7 +150,6 @@
   2.121 + 	int is_kernel;
   2.122 + 	int val;
   2.123 + 	int i;
   2.124 +-	unsigned int cpu = smp_processor_id();
   2.125 + 
   2.126 + 	/* set the PMM bit (see comment below) */
   2.127 + 	mtmsr(mfmsr() | MSR_PMM);
   2.128 +@@ -162,7 +161,7 @@
   2.129 + 		val = ctr_read(i);
   2.130 + 		if (val < 0) {
   2.131 + 			if (oprofile_running && ctr[i].enabled) {
   2.132 +-				oprofile_add_sample(pc, is_kernel, i, cpu);
   2.133 ++				oprofile_add_pc(pc, is_kernel, i);
   2.134 + 				ctr_write(i, reset_value[i]);
   2.135 + 			} else {
   2.136 + 				ctr_write(i, 0);
   2.137 +diff -Naur linux-2.6.11/arch/ppc/platforms/4xx/ebony.h linux-2.6.11.10/arch/ppc/platforms/4xx/ebony.h
   2.138 +--- linux-2.6.11/arch/ppc/platforms/4xx/ebony.h	2005-03-01 23:38:18.000000000 -0800
   2.139 ++++ linux-2.6.11.10/arch/ppc/platforms/4xx/ebony.h	2005-05-16 10:50:31.000000000 -0700
   2.140 +@@ -61,8 +61,8 @@
   2.141 +  */
   2.142 + 
   2.143 + /* OpenBIOS defined UART mappings, used before early_serial_setup */
   2.144 +-#define UART0_IO_BASE	(u8 *) 0xE0000200
   2.145 +-#define UART1_IO_BASE	(u8 *) 0xE0000300
   2.146 ++#define UART0_IO_BASE	0xE0000200
   2.147 ++#define UART1_IO_BASE	0xE0000300
   2.148 + 
   2.149 + /* external Epson SG-615P */
   2.150 + #define BASE_BAUD	691200
   2.151 +diff -Naur linux-2.6.11/arch/ppc/platforms/4xx/luan.h linux-2.6.11.10/arch/ppc/platforms/4xx/luan.h
   2.152 +--- linux-2.6.11/arch/ppc/platforms/4xx/luan.h	2005-03-01 23:38:13.000000000 -0800
   2.153 ++++ linux-2.6.11.10/arch/ppc/platforms/4xx/luan.h	2005-05-16 10:50:31.000000000 -0700
   2.154 +@@ -47,9 +47,9 @@
   2.155 + #define RS_TABLE_SIZE	3
   2.156 + 
   2.157 + /* PIBS defined UART mappings, used before early_serial_setup */
   2.158 +-#define UART0_IO_BASE	(u8 *) 0xa0000200
   2.159 +-#define UART1_IO_BASE	(u8 *) 0xa0000300
   2.160 +-#define UART2_IO_BASE	(u8 *) 0xa0000600
   2.161 ++#define UART0_IO_BASE	0xa0000200
   2.162 ++#define UART1_IO_BASE	0xa0000300
   2.163 ++#define UART2_IO_BASE	0xa0000600
   2.164 + 
   2.165 + #define BASE_BAUD	11059200
   2.166 + #define STD_UART_OP(num)					\
   2.167 +diff -Naur linux-2.6.11/arch/ppc/platforms/4xx/ocotea.h linux-2.6.11.10/arch/ppc/platforms/4xx/ocotea.h
   2.168 +--- linux-2.6.11/arch/ppc/platforms/4xx/ocotea.h	2005-03-01 23:38:08.000000000 -0800
   2.169 ++++ linux-2.6.11.10/arch/ppc/platforms/4xx/ocotea.h	2005-05-16 10:50:31.000000000 -0700
   2.170 +@@ -56,8 +56,8 @@
   2.171 + #define RS_TABLE_SIZE	2
   2.172 + 
   2.173 + /* OpenBIOS defined UART mappings, used before early_serial_setup */
   2.174 +-#define UART0_IO_BASE	(u8 *) 0xE0000200
   2.175 +-#define UART1_IO_BASE	(u8 *) 0xE0000300
   2.176 ++#define UART0_IO_BASE	0xE0000200
   2.177 ++#define UART1_IO_BASE	0xE0000300
   2.178 + 
   2.179 + #define BASE_BAUD	11059200/16
   2.180 + #define STD_UART_OP(num)					\
   2.181 +diff -Naur linux-2.6.11/arch/sparc/kernel/ptrace.c linux-2.6.11.10/arch/sparc/kernel/ptrace.c
   2.182 +--- linux-2.6.11/arch/sparc/kernel/ptrace.c	2005-03-01 23:38:33.000000000 -0800
   2.183 ++++ linux-2.6.11.10/arch/sparc/kernel/ptrace.c	2005-05-16 10:50:31.000000000 -0700
   2.184 +@@ -531,18 +531,6 @@
   2.185 + 			pt_error_return(regs, EIO);
   2.186 + 			goto out_tsk;
   2.187 + 		}
   2.188 +-		if (addr != 1) {
   2.189 +-			if (addr & 3) {
   2.190 +-				pt_error_return(regs, EINVAL);
   2.191 +-				goto out_tsk;
   2.192 +-			}
   2.193 +-#ifdef DEBUG_PTRACE
   2.194 +-			printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
   2.195 +-			printk ("Continuing with %08lx %08lx\n", addr, addr+4);
   2.196 +-#endif
   2.197 +-			child->thread.kregs->pc = addr;
   2.198 +-			child->thread.kregs->npc = addr + 4;
   2.199 +-		}
   2.200 + 
   2.201 + 		if (request == PTRACE_SYSCALL)
   2.202 + 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   2.203 +diff -Naur linux-2.6.11/arch/sparc64/kernel/ptrace.c linux-2.6.11.10/arch/sparc64/kernel/ptrace.c
   2.204 +--- linux-2.6.11/arch/sparc64/kernel/ptrace.c	2005-03-01 23:38:32.000000000 -0800
   2.205 ++++ linux-2.6.11.10/arch/sparc64/kernel/ptrace.c	2005-05-16 10:50:31.000000000 -0700
   2.206 +@@ -514,25 +514,6 @@
   2.207 + 			pt_error_return(regs, EIO);
   2.208 + 			goto out_tsk;
   2.209 + 		}
   2.210 +-		if (addr != 1) {
   2.211 +-			unsigned long pc_mask = ~0UL;
   2.212 +-
   2.213 +-			if ((child->thread_info->flags & _TIF_32BIT) != 0)
   2.214 +-				pc_mask = 0xffffffff;
   2.215 +-
   2.216 +-			if (addr & 3) {
   2.217 +-				pt_error_return(regs, EINVAL);
   2.218 +-				goto out_tsk;
   2.219 +-			}
   2.220 +-#ifdef DEBUG_PTRACE
   2.221 +-			printk ("Original: %016lx %016lx\n",
   2.222 +-				child->thread_info->kregs->tpc,
   2.223 +-				child->thread_info->kregs->tnpc);
   2.224 +-			printk ("Continuing with %016lx %016lx\n", addr, addr+4);
   2.225 +-#endif
   2.226 +-			child->thread_info->kregs->tpc = (addr & pc_mask);
   2.227 +-			child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
   2.228 +-		}
   2.229 + 
   2.230 + 		if (request == PTRACE_SYSCALL) {
   2.231 + 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   2.232 +diff -Naur linux-2.6.11/arch/sparc64/kernel/signal32.c linux-2.6.11.10/arch/sparc64/kernel/signal32.c
   2.233 +--- linux-2.6.11/arch/sparc64/kernel/signal32.c	2005-03-01 23:38:34.000000000 -0800
   2.234 ++++ linux-2.6.11.10/arch/sparc64/kernel/signal32.c	2005-05-16 10:50:31.000000000 -0700
   2.235 +@@ -192,10 +192,13 @@
   2.236 + 			err |= __put_user(from->si_uid, &to->si_uid);
   2.237 + 			break;
   2.238 + 		case __SI_FAULT >> 16:
   2.239 +-		case __SI_POLL >> 16:
   2.240 + 			err |= __put_user(from->si_trapno, &to->si_trapno);
   2.241 + 			err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
   2.242 + 			break;
   2.243 ++		case __SI_POLL >> 16:
   2.244 ++			err |= __put_user(from->si_band, &to->si_band);
   2.245 ++			err |= __put_user(from->si_fd, &to->si_fd);
   2.246 ++			break;
   2.247 + 		case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
   2.248 + 		case __SI_MESGQ >> 16:
   2.249 + 			err |= __put_user(from->si_pid, &to->si_pid);
   2.250 +diff -Naur linux-2.6.11/arch/sparc64/kernel/systbls.S linux-2.6.11.10/arch/sparc64/kernel/systbls.S
   2.251 +--- linux-2.6.11/arch/sparc64/kernel/systbls.S	2005-03-01 23:38:07.000000000 -0800
   2.252 ++++ linux-2.6.11.10/arch/sparc64/kernel/systbls.S	2005-05-16 10:50:31.000000000 -0700
   2.253 +@@ -75,7 +75,7 @@
   2.254 + /*260*/	.word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
   2.255 + 	.word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
   2.256 + /*270*/	.word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
   2.257 +-	.word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   2.258 ++	.word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   2.259 + /*280*/	.word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
   2.260 + 
   2.261 + #endif /* CONFIG_COMPAT */
   2.262 +diff -Naur linux-2.6.11/arch/um/include/sysdep-i386/syscalls.h linux-2.6.11.10/arch/um/include/sysdep-i386/syscalls.h
   2.263 +--- linux-2.6.11/arch/um/include/sysdep-i386/syscalls.h	2005-03-01 23:37:49.000000000 -0800
   2.264 ++++ linux-2.6.11.10/arch/um/include/sysdep-i386/syscalls.h	2005-05-16 10:50:31.000000000 -0700
   2.265 +@@ -23,6 +23,9 @@
   2.266 + 		      unsigned long prot, unsigned long flags,
   2.267 + 		      unsigned long fd, unsigned long pgoff);
   2.268 + 
   2.269 ++/* On i386 they choose a meaningless naming.*/
   2.270 ++#define __NR_kexec_load __NR_sys_kexec_load
   2.271 ++
   2.272 + #define ARCH_SYSCALLS \
   2.273 + 	[ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
   2.274 + 	[ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
   2.275 +@@ -101,15 +104,12 @@
   2.276 + 	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.277 + 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.278 + 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.279 +-	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   2.280 + 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.281 +-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   2.282 +-	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   2.283 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   2.284 +-        
   2.285 ++	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   2.286 ++
   2.287 + /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
   2.288 + 
   2.289 +-#define LAST_ARCH_SYSCALL __NR_vserver
   2.290 ++#define LAST_ARCH_SYSCALL 285
   2.291 + 
   2.292 + /*
   2.293 +  * Overrides for Emacs so that we follow Linus's tabbing style.
   2.294 +diff -Naur linux-2.6.11/arch/um/include/sysdep-x86_64/syscalls.h linux-2.6.11.10/arch/um/include/sysdep-x86_64/syscalls.h
   2.295 +--- linux-2.6.11/arch/um/include/sysdep-x86_64/syscalls.h	2005-03-01 23:38:13.000000000 -0800
   2.296 ++++ linux-2.6.11.10/arch/um/include/sysdep-x86_64/syscalls.h	2005-05-16 10:50:31.000000000 -0700
   2.297 +@@ -71,12 +71,7 @@
   2.298 + 	[ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
   2.299 + 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.300 + 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.301 +-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   2.302 + 	[ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
   2.303 +-	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   2.304 +-	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.305 +-	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   2.306 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
   2.307 + 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall,
   2.308 + 
   2.309 + #define LAST_ARCH_SYSCALL 251
   2.310 +diff -Naur linux-2.6.11/arch/um/kernel/skas/uaccess.c linux-2.6.11.10/arch/um/kernel/skas/uaccess.c
   2.311 +--- linux-2.6.11/arch/um/kernel/skas/uaccess.c	2005-03-01 23:38:33.000000000 -0800
   2.312 ++++ linux-2.6.11.10/arch/um/kernel/skas/uaccess.c	2005-05-16 10:50:31.000000000 -0700
   2.313 +@@ -61,7 +61,8 @@
   2.314 + 	void *arg;
   2.315 + 	int *res;
   2.316 + 
   2.317 +-	va_copy(args, *(va_list *)arg_ptr);
   2.318 ++	/* Some old gccs recognize __va_copy, but not va_copy */
   2.319 ++	__va_copy(args, *(va_list *)arg_ptr);
   2.320 + 	addr = va_arg(args, unsigned long);
   2.321 + 	len = va_arg(args, int);
   2.322 + 	is_write = va_arg(args, int);
   2.323 +diff -Naur linux-2.6.11/arch/um/kernel/sys_call_table.c linux-2.6.11.10/arch/um/kernel/sys_call_table.c
   2.324 +--- linux-2.6.11/arch/um/kernel/sys_call_table.c	2005-03-01 23:38:25.000000000 -0800
   2.325 ++++ linux-2.6.11.10/arch/um/kernel/sys_call_table.c	2005-05-16 10:50:31.000000000 -0700
   2.326 +@@ -48,7 +48,6 @@
   2.327 + extern syscall_handler_t old_select;
   2.328 + extern syscall_handler_t sys_modify_ldt;
   2.329 + extern syscall_handler_t sys_rt_sigsuspend;
   2.330 +-extern syscall_handler_t sys_vserver;
   2.331 + extern syscall_handler_t sys_mbind;
   2.332 + extern syscall_handler_t sys_get_mempolicy;
   2.333 + extern syscall_handler_t sys_set_mempolicy;
   2.334 +@@ -242,6 +241,7 @@
   2.335 + 	[ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
   2.336 + 	[ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
   2.337 + 	[ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
   2.338 ++	[ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
   2.339 +         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
   2.340 + 	[ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
   2.341 + 	[ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
   2.342 +@@ -252,12 +252,10 @@
   2.343 + 	[ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
   2.344 + 	[ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
   2.345 + 	[ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
   2.346 +-	[ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
   2.347 +-	[ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
   2.348 + 	[ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
   2.349 + 	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
   2.350 +-	[ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
   2.351 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
   2.352 ++	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
   2.353 ++	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   2.354 + 	[ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
   2.355 + 	[ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
   2.356 + 	[ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
   2.357 +@@ -267,9 +265,8 @@
   2.358 + 	[ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
   2.359 + 	[ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
   2.360 + 	[ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
   2.361 +-	[ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   2.362 ++	[ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   2.363 + 	[ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
   2.364 +-	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   2.365 + 	[ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
   2.366 + 	[ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
   2.367 + 	[ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
   2.368 +diff -Naur linux-2.6.11/drivers/block/ioctl.c linux-2.6.11.10/drivers/block/ioctl.c
   2.369 +--- linux-2.6.11/drivers/block/ioctl.c	2005-03-01 23:37:47.000000000 -0800
   2.370 ++++ linux-2.6.11.10/drivers/block/ioctl.c	2005-05-16 10:50:31.000000000 -0700
   2.371 +@@ -237,3 +237,5 @@
   2.372 + 	}
   2.373 + 	return ret;
   2.374 + }
   2.375 ++
   2.376 ++EXPORT_SYMBOL_GPL(blkdev_ioctl);
   2.377 +diff -Naur linux-2.6.11/drivers/block/pktcdvd.c linux-2.6.11.10/drivers/block/pktcdvd.c
   2.378 +--- linux-2.6.11/drivers/block/pktcdvd.c	2005-03-01 23:37:30.000000000 -0800
   2.379 ++++ linux-2.6.11.10/drivers/block/pktcdvd.c	2005-05-16 10:50:31.000000000 -0700
   2.380 +@@ -2400,7 +2400,7 @@
   2.381 + 	case CDROM_LAST_WRITTEN:
   2.382 + 	case CDROM_SEND_PACKET:
   2.383 + 	case SCSI_IOCTL_SEND_COMMAND:
   2.384 +-		return ioctl_by_bdev(pd->bdev, cmd, arg);
   2.385 ++		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   2.386 + 
   2.387 + 	case CDROMEJECT:
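Review bot: Nothing at the changed call site records why `blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg)` replaces `ioctl_by_bdev()`, so the old helper could easily be reintroduced by a later cleanup. `arg` here is whatever the caller of this ioctl handler supplied, and `ioctl_by_bdev()` is, as far as I know, meant for kernel-originated arguments, so a comment such as `/* arg is a user pointer: forward with blkdev_ioctl(), never ioctl_by_bdev() */` above the first `return` would help. Note also that `file` is the packet device's own file, so any mode checks made further down are evaluated against it; it is worth confirming that this is intended. The same applies to the second hunk in this file and to the identical change in drivers/char/raw.c; the enclosing switch starts and ends outside the hunk.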
   2.388 + 		/*
   2.389 +@@ -2408,7 +2408,7 @@
   2.390 + 		 * have to unlock it or else the eject command fails.
   2.391 + 		 */
   2.392 + 		pkt_lock_door(pd, 0);
   2.393 +-		return ioctl_by_bdev(pd->bdev, cmd, arg);
   2.394 ++		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   2.395 + 
   2.396 + 	default:
   2.397 + 		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
   2.398 +diff -Naur linux-2.6.11/drivers/char/drm/drm_ioctl.c linux-2.6.11.10/drivers/char/drm/drm_ioctl.c
   2.399 +--- linux-2.6.11/drivers/char/drm/drm_ioctl.c	2005-03-01 23:37:50.000000000 -0800
   2.400 ++++ linux-2.6.11.10/drivers/char/drm/drm_ioctl.c	2005-05-16 10:50:31.000000000 -0700
   2.401 +@@ -326,6 +326,8 @@
   2.402 + 
   2.403 + 	DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
   2.404 + 
   2.405 ++	memset(&version, 0, sizeof(version));
   2.406 ++
   2.407 + 	dev->driver->version(&version);
   2.408 + 	retv.drm_di_major = DRM_IF_MAJOR;
   2.409 + 	retv.drm_di_minor = DRM_IF_MINOR;
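Review bot: The added `memset(&version, 0, sizeof(version));` carries no comment saying why it is needed, and it reads like dead code because `dev->driver->version(&version)` is called immediately afterwards. A one-line comment such as `/* driver->version() may leave fields untouched; clear them so uninitialised stack data is never reported */` would stop a later cleanup from removing it. That rationale is inferred: the hunk shows neither the driver callback nor how `version` is consumed afterwards, and the enclosing function starts and ends outside the hunk.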
   2.410 +diff -Naur linux-2.6.11/drivers/char/raw.c linux-2.6.11.10/drivers/char/raw.c
   2.411 +--- linux-2.6.11/drivers/char/raw.c	2005-03-01 23:38:12.000000000 -0800
   2.412 ++++ linux-2.6.11.10/drivers/char/raw.c	2005-05-16 10:50:31.000000000 -0700
   2.413 +@@ -122,7 +122,7 @@
   2.414 + {
   2.415 + 	struct block_device *bdev = filp->private_data;
   2.416 + 
   2.417 +-	return ioctl_by_bdev(bdev, command, arg);
   2.418 ++	return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
   2.419 + }
   2.420 + 
   2.421 + static void bind_device(struct raw_config_request *rq)
   2.422 +diff -Naur linux-2.6.11/drivers/i2c/chips/eeprom.c linux-2.6.11.10/drivers/i2c/chips/eeprom.c
   2.423 +--- linux-2.6.11/drivers/i2c/chips/eeprom.c	2005-03-01 23:38:00.000000000 -0800
   2.424 ++++ linux-2.6.11.10/drivers/i2c/chips/eeprom.c	2005-05-16 10:50:31.000000000 -0700
   2.425 +@@ -130,7 +130,8 @@
   2.426 + 
   2.427 + 	/* Hide Vaio security settings to regular users (16 first bytes) */
   2.428 + 	if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
   2.429 +-		int in_row1 = 16 - off;
   2.430 ++		size_t in_row1 = 16 - off;
   2.431 ++		in_row1 = min(in_row1, count);
   2.432 + 		memset(buf, 0, in_row1);
   2.433 + 		if (count - in_row1 > 0)
   2.434 + 			memcpy(buf + in_row1, &data->data[16], count - in_row1);
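Review bot: The guard `if (count - in_row1 > 0)` just below the added clamp is now an unsigned comparison, since `in_row1` became `size_t`. It is true for every `count != in_row1`, so it is only safe because `in_row1 = min(in_row1, count);` runs first. Writing it as `if (count > in_row1)` keeps the `memcpy` length from wrapping even if the clamp is later moved, and a short comment on the clamp such as `/* never zero more bytes than the caller asked to read */` would record why it exists. The hunk does not show the types of `off` and `count` or how they are bounded against the EEPROM size; the enclosing function starts and ends outside the hunk.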
   2.435 +diff -Naur linux-2.6.11/drivers/i2c/chips/it87.c linux-2.6.11.10/drivers/i2c/chips/it87.c
   2.436 +--- linux-2.6.11/drivers/i2c/chips/it87.c	2005-03-01 23:38:17.000000000 -0800
   2.437 ++++ linux-2.6.11.10/drivers/i2c/chips/it87.c	2005-05-16 10:50:31.000000000 -0700
   2.438 +@@ -631,7 +631,7 @@
   2.439 + 	struct it87_data *data = it87_update_device(dev);
   2.440 + 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   2.441 + }
   2.442 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   2.443 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   2.444 + 
   2.445 + static ssize_t
   2.446 + show_vrm_reg(struct device *dev, char *buf)
   2.447 +diff -Naur linux-2.6.11/drivers/i2c/chips/via686a.c linux-2.6.11.10/drivers/i2c/chips/via686a.c
   2.448 +--- linux-2.6.11/drivers/i2c/chips/via686a.c	2005-03-01 23:37:48.000000000 -0800
   2.449 ++++ linux-2.6.11.10/drivers/i2c/chips/via686a.c	2005-05-16 10:50:31.000000000 -0700
   2.450 +@@ -554,7 +554,7 @@
   2.451 + 	struct via686a_data *data = via686a_update_device(dev);
   2.452 + 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   2.453 + }
   2.454 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   2.455 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   2.456 + 
   2.457 + /* The driver. I choose to use type i2c_driver, as at is identical to both
   2.458 +    smbus_driver and isa_driver, and clients could be of either kind */
   2.459 +diff -Naur linux-2.6.11/drivers/input/serio/i8042-x86ia64io.h linux-2.6.11.10/drivers/input/serio/i8042-x86ia64io.h
   2.460 +--- linux-2.6.11/drivers/input/serio/i8042-x86ia64io.h	2005-03-01 23:38:17.000000000 -0800
   2.461 ++++ linux-2.6.11.10/drivers/input/serio/i8042-x86ia64io.h	2005-05-16 10:50:32.000000000 -0700
   2.462 +@@ -88,7 +88,7 @@
   2.463 + };
   2.464 + #endif
   2.465 + 
   2.466 +-#ifdef CONFIG_ACPI
   2.467 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.468 + #include <linux/acpi.h>
   2.469 + #include <acpi/acpi_bus.h>
   2.470 + 
   2.471 +@@ -281,7 +281,7 @@
   2.472 + 	i8042_kbd_irq = I8042_MAP_IRQ(1);
   2.473 + 	i8042_aux_irq = I8042_MAP_IRQ(12);
   2.474 + 
   2.475 +-#ifdef CONFIG_ACPI
   2.476 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.477 + 	if (i8042_acpi_init())
   2.478 + 		return -1;
   2.479 + #endif
   2.480 +@@ -300,7 +300,7 @@
   2.481 + 
   2.482 + static inline void i8042_platform_exit(void)
   2.483 + {
   2.484 +-#ifdef CONFIG_ACPI
   2.485 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.486 + 	i8042_acpi_exit();
   2.487 + #endif
   2.488 + }
   2.489 +diff -Naur linux-2.6.11/drivers/md/raid6altivec.uc linux-2.6.11.10/drivers/md/raid6altivec.uc
   2.490 +--- linux-2.6.11/drivers/md/raid6altivec.uc	2005-03-01 23:38:25.000000000 -0800
   2.491 ++++ linux-2.6.11.10/drivers/md/raid6altivec.uc	2005-05-16 10:50:32.000000000 -0700
   2.492 +@@ -108,7 +108,11 @@
   2.493 + int raid6_have_altivec(void)
   2.494 + {
   2.495 + 	/* This assumes either all CPUs have Altivec or none does */
   2.496 ++#ifdef CONFIG_PPC64
   2.497 + 	return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
   2.498 ++#else
   2.499 ++	return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
   2.500 ++#endif
   2.501 + }
   2.502 + #endif
   2.503 + 
   2.504 +diff -Naur linux-2.6.11/drivers/media/video/adv7170.c linux-2.6.11.10/drivers/media/video/adv7170.c
   2.505 +--- linux-2.6.11/drivers/media/video/adv7170.c	2005-03-01 23:38:26.000000000 -0800
   2.506 ++++ linux-2.6.11.10/drivers/media/video/adv7170.c	2005-05-16 10:50:32.000000000 -0700
   2.507 +@@ -130,7 +130,7 @@
   2.508 + 		u8 block_data[32];
   2.509 + 
   2.510 + 		msg.addr = client->addr;
   2.511 +-		msg.flags = client->flags;
   2.512 ++		msg.flags = 0;
   2.513 + 		while (len >= 2) {
   2.514 + 			msg.buf = (char *) block_data;
   2.515 + 			msg.len = 0;
   2.516 +diff -Naur linux-2.6.11/drivers/media/video/adv7175.c linux-2.6.11.10/drivers/media/video/adv7175.c
   2.517 +--- linux-2.6.11/drivers/media/video/adv7175.c	2005-03-01 23:38:26.000000000 -0800
   2.518 ++++ linux-2.6.11.10/drivers/media/video/adv7175.c	2005-05-16 10:50:32.000000000 -0700
   2.519 +@@ -126,7 +126,7 @@
   2.520 + 		u8 block_data[32];
   2.521 + 
   2.522 + 		msg.addr = client->addr;
   2.523 +-		msg.flags = client->flags;
   2.524 ++		msg.flags = 0;
   2.525 + 		while (len >= 2) {
   2.526 + 			msg.buf = (char *) block_data;
   2.527 + 			msg.len = 0;
   2.528 +diff -Naur linux-2.6.11/drivers/media/video/bt819.c linux-2.6.11.10/drivers/media/video/bt819.c
   2.529 +--- linux-2.6.11/drivers/media/video/bt819.c	2005-03-01 23:37:48.000000000 -0800
   2.530 ++++ linux-2.6.11.10/drivers/media/video/bt819.c	2005-05-16 10:50:32.000000000 -0700
   2.531 +@@ -146,7 +146,7 @@
   2.532 + 		u8 block_data[32];
   2.533 + 
   2.534 + 		msg.addr = client->addr;
   2.535 +-		msg.flags = client->flags;
   2.536 ++		msg.flags = 0;
   2.537 + 		while (len >= 2) {
   2.538 + 			msg.buf = (char *) block_data;
   2.539 + 			msg.len = 0;
   2.540 +diff -Naur linux-2.6.11/drivers/media/video/bttv-cards.c linux-2.6.11.10/drivers/media/video/bttv-cards.c
   2.541 +--- linux-2.6.11/drivers/media/video/bttv-cards.c	2005-03-01 23:38:09.000000000 -0800
   2.542 ++++ linux-2.6.11.10/drivers/media/video/bttv-cards.c	2005-05-16 10:50:32.000000000 -0700
   2.543 +@@ -2718,8 +2718,6 @@
   2.544 +         }
   2.545 + 	btv->pll.pll_current = -1;
   2.546 + 
   2.547 +-	bttv_reset_audio(btv);
   2.548 +-
   2.549 + 	/* tuner configuration (from card list / autodetect / insmod option) */
   2.550 +  	if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
   2.551 + 		if(UNSET == btv->tuner_type)
   2.552 +diff -Naur linux-2.6.11/drivers/media/video/saa7110.c linux-2.6.11.10/drivers/media/video/saa7110.c
   2.553 +--- linux-2.6.11/drivers/media/video/saa7110.c	2005-03-01 23:37:30.000000000 -0800
   2.554 ++++ linux-2.6.11.10/drivers/media/video/saa7110.c	2005-05-16 10:50:32.000000000 -0700
   2.555 +@@ -60,8 +60,10 @@
   2.556 + 
   2.557 + #define	I2C_SAA7110		0x9C	/* or 0x9E */
   2.558 + 
   2.559 ++#define SAA7110_NR_REG		0x35
   2.560 ++
   2.561 + struct saa7110 {
   2.562 +-	unsigned char reg[54];
   2.563 ++	u8 reg[SAA7110_NR_REG];
   2.564 + 
   2.565 + 	int norm;
   2.566 + 	int input;
   2.567 +@@ -95,31 +97,28 @@
   2.568 + 		     unsigned int       len)
   2.569 + {
   2.570 + 	int ret = -1;
   2.571 +-	u8 reg = *data++;
   2.572 ++	u8 reg = *data;		/* first register to write to */
   2.573 + 
   2.574 +-	len--;
   2.575 ++	/* Sanity check */
   2.576 ++	if (reg + (len - 1) > SAA7110_NR_REG)
   2.577 ++		return ret;
   2.578 + 
   2.579 + 	/* the saa7110 has an autoincrement function, use it if
   2.580 + 	 * the adapter understands raw I2C */
   2.581 + 	if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
   2.582 + 		struct saa7110 *decoder = i2c_get_clientdata(client);
   2.583 + 		struct i2c_msg msg;
   2.584 +-		u8 block_data[54];
   2.585 + 
   2.586 +-		msg.len = 0;
   2.587 +-		msg.buf = (char *) block_data;
   2.588 ++		msg.len = len;
   2.589 ++		msg.buf = (char *) data;
   2.590 + 		msg.addr = client->addr;
   2.591 +-		msg.flags = client->flags;
   2.592 +-		while (len >= 1) {
   2.593 +-			msg.len = 0;
   2.594 +-			block_data[msg.len++] = reg;
   2.595 +-			while (len-- >= 1 && msg.len < 54)
   2.596 +-				block_data[msg.len++] =
   2.597 +-				    decoder->reg[reg++] = *data++;
   2.598 +-			ret = i2c_transfer(client->adapter, &msg, 1);
   2.599 +-		}
   2.600 ++		msg.flags = 0;
   2.601 ++		ret = i2c_transfer(client->adapter, &msg, 1);
   2.602 ++
   2.603 ++		/* Cache the written data */
   2.604 ++		memcpy(decoder->reg + reg, data + 1, len - 1);
   2.605 + 	} else {
   2.606 +-		while (len-- >= 1) {
   2.607 ++		for (++data, --len; len; len--) {
   2.608 + 			if ((ret = saa7110_write(client, reg++,
   2.609 + 						 *data++)) < 0)
   2.610 + 				break;
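Review bot: The new sanity check `if (reg + (len - 1) > SAA7110_NR_REG)` does not cover `len == 0`. Because `len` is `unsigned int`, `len - 1` wraps and the sum can fall back in range for a non-zero `reg`, after which `memcpy(decoder->reg + reg, data + 1, len - 1)` and the `--len` in the fallback loop run with a huge count. Rejecting the empty case first closes that: `if (len == 0 || reg + (len - 1) > SAA7110_NR_REG)`. Whether any caller can pass a zero length is not visible here, and the function starts and ends outside the hunk. Separately, the register cache is updated even when `i2c_transfer()` fails; copying only on success would keep the cache in step with the chip.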
   2.611 +@@ -192,7 +191,7 @@
   2.612 + 	return 0;
   2.613 + }
   2.614 + 
   2.615 +-static const unsigned char initseq[] = {
   2.616 ++static const unsigned char initseq[1 + SAA7110_NR_REG] = {
   2.617 + 	0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
   2.618 + 	/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
   2.619 + 	/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
   2.620 +diff -Naur linux-2.6.11/drivers/media/video/saa7114.c linux-2.6.11.10/drivers/media/video/saa7114.c
   2.621 +--- linux-2.6.11/drivers/media/video/saa7114.c	2005-03-01 23:38:25.000000000 -0800
   2.622 ++++ linux-2.6.11.10/drivers/media/video/saa7114.c	2005-05-16 10:50:32.000000000 -0700
   2.623 +@@ -163,7 +163,7 @@
   2.624 + 		u8 block_data[32];
   2.625 + 
   2.626 + 		msg.addr = client->addr;
   2.627 +-		msg.flags = client->flags;
   2.628 ++		msg.flags = 0;
   2.629 + 		while (len >= 2) {
   2.630 + 			msg.buf = (char *) block_data;
   2.631 + 			msg.len = 0;
   2.632 +diff -Naur linux-2.6.11/drivers/media/video/saa7185.c linux-2.6.11.10/drivers/media/video/saa7185.c
   2.633 +--- linux-2.6.11/drivers/media/video/saa7185.c	2005-03-01 23:38:34.000000000 -0800
   2.634 ++++ linux-2.6.11.10/drivers/media/video/saa7185.c	2005-05-16 10:50:32.000000000 -0700
   2.635 +@@ -118,7 +118,7 @@
   2.636 + 		u8 block_data[32];
   2.637 + 
   2.638 + 		msg.addr = client->addr;
   2.639 +-		msg.flags = client->flags;
   2.640 ++		msg.flags = 0;
   2.641 + 		while (len >= 2) {
   2.642 + 			msg.buf = (char *) block_data;
   2.643 + 			msg.len = 0;
   2.644 +diff -Naur linux-2.6.11/drivers/net/amd8111e.c linux-2.6.11.10/drivers/net/amd8111e.c
   2.645 +--- linux-2.6.11/drivers/net/amd8111e.c	2005-03-01 23:38:38.000000000 -0800
   2.646 ++++ linux-2.6.11.10/drivers/net/amd8111e.c	2005-05-16 10:50:32.000000000 -0700
   2.647 +@@ -1381,6 +1381,8 @@
   2.648 + 
   2.649 + 	if(amd8111e_restart(dev)){
   2.650 + 		spin_unlock_irq(&lp->lock);
   2.651 ++		if (dev->irq)
   2.652 ++			free_irq(dev->irq, dev);
   2.653 + 		return -ENOMEM;
   2.654 + 	}
   2.655 + 	/* Start ipg timer */
   2.656 +diff -Naur linux-2.6.11/drivers/net/ppp_async.c linux-2.6.11.10/drivers/net/ppp_async.c
   2.657 +--- linux-2.6.11/drivers/net/ppp_async.c	2005-03-01 23:38:17.000000000 -0800
   2.658 ++++ linux-2.6.11.10/drivers/net/ppp_async.c	2005-05-16 10:50:32.000000000 -0700
   2.659 +@@ -1000,7 +1000,7 @@
   2.660 + 	data += 4;
   2.661 + 	dlen -= 4;
   2.662 + 	/* data[0] is code, data[1] is length */
   2.663 +-	while (dlen >= 2 && dlen >= data[1]) {
   2.664 ++	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
   2.665 + 		switch (data[0]) {
   2.666 + 		case LCP_MRU:
   2.667 + 			val = (data[2] << 8) + data[3];
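Review bot: The `LCP_MRU` case directly below the changed loop condition still reads `data[2]` and `data[3]`, although the added `data[1] >= 2` guarantees only a two-byte option. A per-option length test before that read, such as `if (data[1] < 4) break;`, would keep the parse inside the option, provided the loop still advances past it afterwards. The rest of the switch is outside the hunk, so other cases may need the same treatment.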
   2.668 +diff -Naur linux-2.6.11/drivers/net/r8169.c linux-2.6.11.10/drivers/net/r8169.c
   2.669 +--- linux-2.6.11/drivers/net/r8169.c	2005-03-01 23:38:09.000000000 -0800
   2.670 ++++ linux-2.6.11.10/drivers/net/r8169.c	2005-05-16 10:50:32.000000000 -0700
   2.671 +@@ -1683,16 +1683,19 @@
   2.672 + 	rtl8169_make_unusable_by_asic(desc);
   2.673 + }
   2.674 + 
   2.675 +-static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
   2.676 ++static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
   2.677 + {
   2.678 +-	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   2.679 ++	u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
   2.680 ++
   2.681 ++	desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
   2.682 + }
   2.683 + 
   2.684 +-static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   2.685 +-					int rx_buf_sz)
   2.686 ++static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   2.687 ++				       u32 rx_buf_sz)
   2.688 + {
   2.689 + 	desc->addr = cpu_to_le64(mapping);
   2.690 +-	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   2.691 ++	wmb();
   2.692 ++	rtl8169_mark_to_asic(desc, rx_buf_sz);
   2.693 + }
   2.694 + 
   2.695 + static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
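Review bot: The `wmb()` added in `rtl8169_map_to_asic()` has no comment saying what it orders. The hunk writes `desc->addr` and then hands the descriptor over through `opts1`, so the barrier presumably keeps the buffer address visible before `DescOwn` is set. A one-line comment such as `/* publish the buffer address before ownership passes to the NIC */` would make that explicit. The switch from `+` to `|` in `rtl8169_mark_to_asic()` assumes `rx_buf_sz` never overlaps the flag bits, which is worth stating next to that helper as well.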
   2.696 +@@ -1712,7 +1715,7 @@
   2.697 + 	mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
   2.698 + 				 PCI_DMA_FROMDEVICE);
   2.699 + 
   2.700 +-	rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
   2.701 ++	rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
   2.702 + 
   2.703 + out:
   2.704 + 	return ret;
   2.705 +@@ -2150,7 +2153,7 @@
   2.706 + 			skb_reserve(skb, NET_IP_ALIGN);
   2.707 + 			eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
   2.708 + 			*sk_buff = skb;
   2.709 +-			rtl8169_return_to_asic(desc, rx_buf_sz);
   2.710 ++			rtl8169_mark_to_asic(desc, rx_buf_sz);
   2.711 + 			ret = 0;
   2.712 + 		}
   2.713 + 	}
   2.714 +diff -Naur linux-2.6.11/drivers/net/sis900.c linux-2.6.11.10/drivers/net/sis900.c
   2.715 +--- linux-2.6.11/drivers/net/sis900.c	2005-03-01 23:38:08.000000000 -0800
   2.716 ++++ linux-2.6.11.10/drivers/net/sis900.c	2005-05-16 10:50:32.000000000 -0700
   2.717 +@@ -236,7 +236,7 @@
   2.718 + 	signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
   2.719 + 	if (signature == 0xffff || signature == 0x0000) {
   2.720 + 		printk (KERN_INFO "%s: Error EERPOM read %x\n", 
   2.721 +-			net_dev->name, signature);
   2.722 ++			pci_name(pci_dev), signature);
   2.723 + 		return 0;
   2.724 + 	}
   2.725 + 
   2.726 +@@ -268,7 +268,7 @@
   2.727 + 	if (!isa_bridge)
   2.728 + 		isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
   2.729 + 	if (!isa_bridge) {
   2.730 +-		printk("%s: Can not find ISA bridge\n", net_dev->name);
   2.731 ++		printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
   2.732 + 		return 0;
   2.733 + 	}
   2.734 + 	pci_read_config_byte(isa_bridge, 0x48, &reg);
   2.735 +@@ -456,10 +456,6 @@
   2.736 + 	net_dev->tx_timeout = sis900_tx_timeout;
   2.737 + 	net_dev->watchdog_timeo = TX_TIMEOUT;
   2.738 + 	net_dev->ethtool_ops = &sis900_ethtool_ops;
   2.739 +-	
   2.740 +-	ret = register_netdev(net_dev);
   2.741 +-	if (ret)
   2.742 +-		goto err_unmap_rx;
   2.743 + 		
   2.744 + 	/* Get Mac address according to the chip revision */
   2.745 + 	pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
   2.746 +@@ -476,7 +472,7 @@
   2.747 + 
   2.748 + 	if (ret == 0) {
   2.749 + 		ret = -ENODEV;
   2.750 +-		goto err_out_unregister;
   2.751 ++		goto err_unmap_rx;
   2.752 + 	}
   2.753 + 	
   2.754 + 	/* 630ET : set the mii access mode as software-mode */
   2.755 +@@ -486,7 +482,7 @@
   2.756 + 	/* probe for mii transceiver */
   2.757 + 	if (sis900_mii_probe(net_dev) == 0) {
   2.758 + 		ret = -ENODEV;
   2.759 +-		goto err_out_unregister;
   2.760 ++		goto err_unmap_rx;
   2.761 + 	}
   2.762 + 
   2.763 + 	/* save our host bridge revision */
   2.764 +@@ -496,6 +492,10 @@
   2.765 + 		pci_dev_put(dev);
   2.766 + 	}
   2.767 + 
   2.768 ++	ret = register_netdev(net_dev);
   2.769 ++	if (ret)
   2.770 ++		goto err_unmap_rx;
   2.771 ++
   2.772 + 	/* print some information about our NIC */
   2.773 + 	printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
   2.774 + 	       card_name, ioaddr, net_dev->irq);
   2.775 +@@ -505,8 +505,6 @@
   2.776 + 
   2.777 + 	return 0;
   2.778 + 
   2.779 +- err_out_unregister:
   2.780 +- 	unregister_netdev(net_dev);
   2.781 +  err_unmap_rx:
   2.782 + 	pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
   2.783 + 		sis_priv->rx_ring_dma);
   2.784 +@@ -533,6 +531,7 @@
   2.785 + static int __init sis900_mii_probe(struct net_device * net_dev)
   2.786 + {
   2.787 + 	struct sis900_private * sis_priv = net_dev->priv;
   2.788 ++	const char *dev_name = pci_name(sis_priv->pci_dev);
   2.789 + 	u16 poll_bit = MII_STAT_LINK, status = 0;
   2.790 + 	unsigned long timeout = jiffies + 5 * HZ;
   2.791 + 	int phy_addr;
   2.792 +@@ -582,21 +581,20 @@
   2.793 + 					mii_phy->phy_types =
   2.794 + 					    (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
   2.795 + 				printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
   2.796 +-				       net_dev->name, mii_chip_table[i].name,
   2.797 ++				       dev_name, mii_chip_table[i].name,
   2.798 + 				       phy_addr);
   2.799 + 				break;
   2.800 + 			}
   2.801 + 			
   2.802 + 		if( !mii_chip_table[i].phy_id1 ) {
   2.803 + 			printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
   2.804 +-			       net_dev->name, phy_addr);
   2.805 ++			       dev_name, phy_addr);
   2.806 + 			mii_phy->phy_types = UNKNOWN;
   2.807 + 		}
   2.808 + 	}
   2.809 + 	
   2.810 + 	if (sis_priv->mii == NULL) {
   2.811 +-		printk(KERN_INFO "%s: No MII transceivers found!\n",
   2.812 +-			net_dev->name);
   2.813 ++		printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
   2.814 + 		return 0;
   2.815 + 	}
   2.816 + 
   2.817 +@@ -621,7 +619,7 @@
   2.818 + 			poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
   2.819 + 			if (time_after_eq(jiffies, timeout)) {
   2.820 + 				printk(KERN_WARNING "%s: reset phy and link down now\n",
   2.821 +-					net_dev->name);
   2.822 ++				       dev_name);
   2.823 + 				return -ETIME;
   2.824 + 			}
   2.825 + 		}
   2.826 +@@ -691,7 +689,7 @@
   2.827 + 		sis_priv->mii = default_phy;
   2.828 + 		sis_priv->cur_phy = default_phy->phy_addr;
   2.829 + 		printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
   2.830 +-					net_dev->name,sis_priv->cur_phy);
   2.831 ++		       pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
   2.832 + 	}
   2.833 + 	
   2.834 + 	status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
   2.835 +diff -Naur linux-2.6.11/drivers/net/tun.c linux-2.6.11.10/drivers/net/tun.c
   2.836 +--- linux-2.6.11/drivers/net/tun.c	2005-03-01 23:38:08.000000000 -0800
   2.837 ++++ linux-2.6.11.10/drivers/net/tun.c	2005-05-16 10:50:32.000000000 -0700
   2.838 +@@ -229,7 +229,7 @@
   2.839 + 	size_t len = count;
   2.840 + 
   2.841 + 	if (!(tun->flags & TUN_NO_PI)) {
   2.842 +-		if ((len -= sizeof(pi)) > len)
   2.843 ++		if ((len -= sizeof(pi)) > count)
   2.844 + 			return -EINVAL;
   2.845 + 
   2.846 + 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
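Review bot: The length check `if ((len -= sizeof(pi)) > count)` is correct now, but it still depends on unsigned wrap-around and an assignment inside the condition, the same construction in which the old `> len` comparison could never be true. Testing before subtracting reads more plainly: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. The enclosing function starts and ends outside the hunk.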
   2.847 +diff -Naur linux-2.6.11/drivers/net/via-rhine.c linux-2.6.11.10/drivers/net/via-rhine.c
   2.848 +--- linux-2.6.11/drivers/net/via-rhine.c	2005-03-01 23:38:32.000000000 -0800
   2.849 ++++ linux-2.6.11.10/drivers/net/via-rhine.c	2005-05-16 10:50:32.000000000 -0700
   2.850 +@@ -1197,8 +1197,10 @@
   2.851 + 		       dev->name, rp->pdev->irq);
   2.852 + 
   2.853 + 	rc = alloc_ring(dev);
   2.854 +-	if (rc)
   2.855 ++	if (rc) {
   2.856 ++		free_irq(rp->pdev->irq, dev);
   2.857 + 		return rc;
   2.858 ++	}
   2.859 + 	alloc_rbufs(dev);
   2.860 + 	alloc_tbufs(dev);
   2.861 + 	rhine_chip_reset(dev);
   2.862 +@@ -1899,6 +1901,9 @@
   2.863 + 	struct rhine_private *rp = netdev_priv(dev);
   2.864 + 	void __iomem *ioaddr = rp->base;
   2.865 + 
   2.866 ++	if (!(rp->quirks & rqWOL))
   2.867 ++		return; /* Nothing to do for non-WOL adapters */
   2.868 ++
   2.869 + 	rhine_power_init(dev);
   2.870 + 
   2.871 + 	/* Make sure we use pattern 0, 1 and not 4, 5 */
   2.872 +diff -Naur linux-2.6.11/drivers/net/wan/hd6457x.c linux-2.6.11.10/drivers/net/wan/hd6457x.c
   2.873 +--- linux-2.6.11/drivers/net/wan/hd6457x.c	2005-03-01 23:37:50.000000000 -0800
   2.874 ++++ linux-2.6.11.10/drivers/net/wan/hd6457x.c	2005-05-16 10:50:32.000000000 -0700
   2.875 +@@ -315,7 +315,7 @@
   2.876 + #endif
   2.877 + 	stats->rx_packets++;
   2.878 + 	stats->rx_bytes += skb->len;
   2.879 +-	skb->dev->last_rx = jiffies;
   2.880 ++	dev->last_rx = jiffies;
   2.881 + 	skb->protocol = hdlc_type_trans(skb, dev);
   2.882 + 	netif_rx(skb);
   2.883 + }
   2.884 +diff -Naur linux-2.6.11/drivers/pci/hotplug/pciehp_ctrl.c linux-2.6.11.10/drivers/pci/hotplug/pciehp_ctrl.c
   2.885 +--- linux-2.6.11/drivers/pci/hotplug/pciehp_ctrl.c	2005-03-01 23:37:49.000000000 -0800
   2.886 ++++ linux-2.6.11.10/drivers/pci/hotplug/pciehp_ctrl.c	2005-05-16 10:50:33.000000000 -0700
   2.887 +@@ -1354,10 +1354,11 @@
   2.888 + 				dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
   2.889 + 					ctrl->seg, func->bus, func->device, func->function);
   2.890 + 				bridge_slot_remove(func);
   2.891 +-			} else
   2.892 ++			} else {
   2.893 + 				dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
   2.894 + 					ctrl->seg, func->bus, func->device, func->function);
   2.895 + 				slot_remove(func);
   2.896 ++			}
   2.897 + 
   2.898 + 			func = pciehp_slot_find(ctrl->slot_bus, device, 0);
   2.899 + 		}
   2.900 +diff -Naur linux-2.6.11/fs/binfmt_elf.c linux-2.6.11.10/fs/binfmt_elf.c
   2.901 +--- linux-2.6.11/fs/binfmt_elf.c	2005-03-01 23:38:08.000000000 -0800
   2.902 ++++ linux-2.6.11.10/fs/binfmt_elf.c	2005-05-16 10:50:44.000000000 -0700
   2.903 +@@ -257,7 +257,7 @@
   2.904 + 	}
   2.905 + 
   2.906 + 	/* Populate argv and envp */
   2.907 +-	p = current->mm->arg_start;
   2.908 ++	p = current->mm->arg_end = current->mm->arg_start;
   2.909 + 	while (argc-- > 0) {
   2.910 + 		size_t len;
   2.911 + 		__put_user((elf_addr_t)p, argv++);
   2.912 +@@ -1008,6 +1008,7 @@
   2.913 + static int load_elf_library(struct file *file)
   2.914 + {
   2.915 + 	struct elf_phdr *elf_phdata;
   2.916 ++	struct elf_phdr *eppnt;
   2.917 + 	unsigned long elf_bss, bss, len;
   2.918 + 	int retval, error, i, j;
   2.919 + 	struct elfhdr elf_ex;
   2.920 +@@ -1031,44 +1032,47 @@
   2.921 + 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
   2.922 + 
   2.923 + 	error = -ENOMEM;
   2.924 +-	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
   2.925 ++	elf_phdata = kmalloc(j, GFP_KERNEL);
   2.926 + 	if (!elf_phdata)
   2.927 + 		goto out;
   2.928 + 
   2.929 ++	eppnt = elf_phdata;
   2.930 + 	error = -ENOEXEC;
   2.931 +-	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
   2.932 ++	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
   2.933 + 	if (retval != j)
   2.934 + 		goto out_free_ph;
   2.935 + 
   2.936 + 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
   2.937 +-		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
   2.938 ++		if ((eppnt + i)->p_type == PT_LOAD)
   2.939 ++			j++;
   2.940 + 	if (j != 1)
   2.941 + 		goto out_free_ph;
   2.942 + 
   2.943 +-	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
   2.944 ++	while (eppnt->p_type != PT_LOAD)
   2.945 ++		eppnt++;
   2.946 + 
   2.947 + 	/* Now use mmap to map the library into memory. */
   2.948 + 	down_write(&current->mm->mmap_sem);
   2.949 + 	error = do_mmap(file,
   2.950 +-			ELF_PAGESTART(elf_phdata->p_vaddr),
   2.951 +-			(elf_phdata->p_filesz +
   2.952 +-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
   2.953 ++			ELF_PAGESTART(eppnt->p_vaddr),
   2.954 ++			(eppnt->p_filesz +
   2.955 ++			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
   2.956 + 			PROT_READ | PROT_WRITE | PROT_EXEC,
   2.957 + 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
   2.958 +-			(elf_phdata->p_offset -
   2.959 +-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
   2.960 ++			(eppnt->p_offset -
   2.961 ++			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
   2.962 + 	up_write(&current->mm->mmap_sem);
   2.963 +-	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
   2.964 ++	if (error != ELF_PAGESTART(eppnt->p_vaddr))
   2.965 + 		goto out_free_ph;
   2.966 + 
   2.967 +-	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
   2.968 ++	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
   2.969 + 	if (padzero(elf_bss)) {
   2.970 + 		error = -EFAULT;
   2.971 + 		goto out_free_ph;
   2.972 + 	}
   2.973 + 
   2.974 +-	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
   2.975 +-	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
   2.976 ++	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
   2.977 ++	bss = eppnt->p_memsz + eppnt->p_vaddr;
   2.978 + 	if (bss > len) {
   2.979 + 		down_write(&current->mm->mmap_sem);
   2.980 + 		do_brk(len, bss - len);
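Review bot: The new cursor `eppnt` is introduced without a comment, so the reason `elf_phdata` must no longer be advanced is easy to lose in a later edit. Presumably the `out_free_ph` path, which is outside the hunk, releases `elf_phdata` and therefore needs the address `kmalloc()` returned. A comment at `eppnt = elf_phdata;` such as `/* scan with eppnt; elf_phdata stays at the kmalloc() address for out_free_ph */` would record that. The `while (eppnt->p_type != PT_LOAD)` walk has no explicit bound and relies on the `j != 1` test just above it, which deserves a brief note too.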
   2.981 +@@ -1275,7 +1279,7 @@
   2.982 + static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
   2.983 + 		       struct mm_struct *mm)
   2.984 + {
   2.985 +-	int i, len;
   2.986 ++	unsigned int i, len;
   2.987 + 	
   2.988 + 	/* first copy the parameters from user space */
   2.989 + 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
   2.990 +diff -Naur linux-2.6.11/fs/cramfs/inode.c linux-2.6.11.10/fs/cramfs/inode.c
   2.991 +--- linux-2.6.11/fs/cramfs/inode.c	2005-03-01 23:37:47.000000000 -0800
   2.992 ++++ linux-2.6.11.10/fs/cramfs/inode.c	2005-05-16 10:50:45.000000000 -0700
   2.993 +@@ -70,6 +70,7 @@
   2.994 + 			inode->i_data.a_ops = &cramfs_aops;
   2.995 + 		} else {
   2.996 + 			inode->i_size = 0;
   2.997 ++			inode->i_blocks = 0;
   2.998 + 			init_special_inode(inode, inode->i_mode,
   2.999 + 				old_decode_dev(cramfs_inode->size));
  2.1000 + 		}
  2.1001 +diff -Naur linux-2.6.11/fs/eventpoll.c linux-2.6.11.10/fs/eventpoll.c
  2.1002 +--- linux-2.6.11/fs/eventpoll.c	2005-03-01 23:38:07.000000000 -0800
  2.1003 ++++ linux-2.6.11.10/fs/eventpoll.c	2005-05-16 10:50:45.000000000 -0700
  2.1004 +@@ -619,6 +619,7 @@
  2.1005 + 	return error;
  2.1006 + }
  2.1007 + 
  2.1008 ++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
  2.1009 + 
  2.1010 + /*
  2.1011 +  * Implement the event wait interface for the eventpoll file. It is the kernel
  2.1012 +@@ -635,7 +636,7 @@
  2.1013 + 		     current, epfd, events, maxevents, timeout));
  2.1014 + 
  2.1015 + 	/* The maximum number of event must be greater than zero */
  2.1016 +-	if (maxevents <= 0)
  2.1017 ++	if (maxevents <= 0 || maxevents > MAX_EVENTS)
  2.1018 + 		return -EINVAL;
  2.1019 + 
  2.1020 + 	/* Verify that the area passed by the user is writeable */
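Review bot: The comment `/* The maximum number of event must be greater than zero */` no longer matches the condition, which now also rejects `maxevents > MAX_EVENTS`. Suggested wording: `/* maxevents must be positive and small enough that maxevents * sizeof(struct epoll_event) stays within INT_MAX */`, with a matching one-line comment on the `MAX_EVENTS` define added in the previous hunk. The upper bound is an unsigned quotient, so if `maxevents` is a signed int, as the `<= 0` test suggests, the comparison relies on that test being evaluated first. Keeping the two tests in this order is worth a note.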
  2.1021 +diff -Naur linux-2.6.11/fs/exec.c linux-2.6.11.10/fs/exec.c
  2.1022 +--- linux-2.6.11/fs/exec.c	2005-03-01 23:38:06.000000000 -0800
  2.1023 ++++ linux-2.6.11.10/fs/exec.c	2005-05-16 10:50:45.000000000 -0700
  2.1024 +@@ -814,7 +814,7 @@
  2.1025 + {
  2.1026 + 	/* buf must be at least sizeof(tsk->comm) in size */
  2.1027 + 	task_lock(tsk);
  2.1028 +-	memcpy(buf, tsk->comm, sizeof(tsk->comm));
  2.1029 ++	strncpy(buf, tsk->comm, sizeof(tsk->comm));
  2.1030 + 	task_unlock(tsk);
  2.1031 + }
  2.1032 + 
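Review bot: `strncpy(buf, tsk->comm, sizeof(tsk->comm))` NUL-terminates `buf` only if `tsk->comm` already holds a terminator within its size, and nothing in the hunk shows that guarantee. The switch from `memcpy` presumably exists so that bytes after the terminator are zero-filled in `buf` rather than copied out of the task structure. A comment saying so, plus an explicit `buf[sizeof(tsk->comm) - 1] = '\0';` after the copy, would make both properties hold locally. The function signature is outside the hunk.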
  2.1033 +diff -Naur linux-2.6.11/fs/ext2/dir.c linux-2.6.11.10/fs/ext2/dir.c
  2.1034 +--- linux-2.6.11/fs/ext2/dir.c	2005-03-01 23:38:10.000000000 -0800
  2.1035 ++++ linux-2.6.11.10/fs/ext2/dir.c	2005-05-16 10:50:45.000000000 -0700
  2.1036 +@@ -592,6 +592,7 @@
  2.1037 + 		goto fail;
  2.1038 + 	}
  2.1039 + 	kaddr = kmap_atomic(page, KM_USER0);
  2.1040 ++       memset(kaddr, 0, chunk_size);
  2.1041 + 	de = (struct ext2_dir_entry_2 *)kaddr;
  2.1042 + 	de->name_len = 1;
  2.1043 + 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
  2.1044 +diff -Naur linux-2.6.11/fs/isofs/inode.c linux-2.6.11.10/fs/isofs/inode.c
  2.1045 +--- linux-2.6.11/fs/isofs/inode.c	2005-03-01 23:38:26.000000000 -0800
  2.1046 ++++ linux-2.6.11.10/fs/isofs/inode.c	2005-05-16 10:50:47.000000000 -0700
  2.1047 +@@ -685,6 +685,8 @@
  2.1048 + 	  sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
  2.1049 + 	  sbi->s_max_size = isonum_733(h_pri->volume_space_size);
  2.1050 + 	} else {
  2.1051 ++	  if (!pri)
  2.1052 ++	    goto out_freebh;
  2.1053 + 	  rootp = (struct iso_directory_record *) pri->root_directory_record;
  2.1054 + 	  sbi->s_nzones = isonum_733 (pri->volume_space_size);
  2.1055 + 	  sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
  2.1056 +@@ -1395,6 +1397,9 @@
  2.1057 + 	struct inode *inode;
  2.1058 + 	struct isofs_iget5_callback_data data;
  2.1059 + 
  2.1060 ++	if (offset >= 1ul << sb->s_blocksize_bits)
  2.1061 ++		return NULL;
  2.1062 ++
  2.1063 + 	data.block = block;
  2.1064 + 	data.offset = offset;
  2.1065 + 
  2.1066 +diff -Naur linux-2.6.11/fs/isofs/rock.c linux-2.6.11.10/fs/isofs/rock.c
  2.1067 +--- linux-2.6.11/fs/isofs/rock.c	2005-03-01 23:38:10.000000000 -0800
  2.1068 ++++ linux-2.6.11.10/fs/isofs/rock.c	2005-05-16 10:50:47.000000000 -0700
  2.1069 +@@ -53,6 +53,7 @@
  2.1070 +   if(LEN & 1) LEN++;						\
  2.1071 +   CHR = ((unsigned char *) DE) + LEN;				\
  2.1072 +   LEN = *((unsigned char *) DE) - LEN;                          \
  2.1073 ++  if (LEN<0) LEN=0;                                             \
  2.1074 +   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
  2.1075 +   {                                                             \
  2.1076 +      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
  2.1077 +@@ -73,6 +74,10 @@
  2.1078 +     offset1 = 0; \
  2.1079 +     pbh = sb_bread(DEV->i_sb, block); \
  2.1080 +     if(pbh){       \
  2.1081 ++      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
  2.1082 ++	brelse(pbh); \
  2.1083 ++	goto out; \
  2.1084 ++      } \
  2.1085 +       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
  2.1086 +       brelse(pbh); \
  2.1087 +       chr = (unsigned char *) buffer; \
  2.1088 +@@ -103,12 +108,13 @@
  2.1089 +     struct rock_ridge * rr;
  2.1090 +     int sig;
  2.1091 +     
  2.1092 +-    while (len > 1){ /* There may be one byte for padding somewhere */
  2.1093 ++    while (len > 2){ /* There may be one byte for padding somewhere */
  2.1094 +       rr = (struct rock_ridge *) chr;
  2.1095 +-      if (rr->len == 0) goto out; /* Something got screwed up here */
  2.1096 ++      if (rr->len < 3) goto out; /* Something got screwed up here */
  2.1097 +       sig = isonum_721(chr);
  2.1098 +       chr += rr->len; 
  2.1099 +       len -= rr->len;
  2.1100 ++      if (len < 0) goto out;	/* corrupted isofs */
  2.1101 + 
  2.1102 +       switch(sig){
  2.1103 +       case SIG('R','R'):
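Review bot: The new bounds `len > 2` and `rr->len < 3` are bare numbers, and the comments beside them (`There may be one byte for padding somewhere`, `Something got screwed up here`) were written for the old `len > 1` and `rr->len == 0` tests. The same three checks are repeated in the loops at `@@ -186,12 +193,13 @@` and `@@ -487,13 +495,15 @@`. A named constant for the minimum entry size, or a comment stating which header fields it accounts for, would make the three copies easier to keep in step. Only the `NM` case visibly gets its own `rr->len < 5` test; the other cases lie outside these hunks.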
  2.1104 +@@ -122,6 +128,7 @@
  2.1105 + 	break;
  2.1106 +       case SIG('N','M'):
  2.1107 + 	if (truncate) break;
  2.1108 ++	if (rr->len < 5) break;
  2.1109 +         /*
  2.1110 + 	 * If the flags are 2 or 4, this indicates '.' or '..'.
  2.1111 + 	 * We don't want to do anything with this, because it
  2.1112 +@@ -186,12 +193,13 @@
  2.1113 +     struct rock_ridge * rr;
  2.1114 +     int rootflag;
  2.1115 +     
  2.1116 +-    while (len > 1){ /* There may be one byte for padding somewhere */
  2.1117 ++    while (len > 2){ /* There may be one byte for padding somewhere */
  2.1118 +       rr = (struct rock_ridge *) chr;
  2.1119 +-      if (rr->len == 0) goto out; /* Something got screwed up here */
  2.1120 ++      if (rr->len < 3) goto out; /* Something got screwed up here */
  2.1121 +       sig = isonum_721(chr);
  2.1122 +       chr += rr->len; 
  2.1123 +       len -= rr->len;
  2.1124 ++      if (len < 0) goto out;	/* corrupted isofs */
  2.1125 +       
  2.1126 +       switch(sig){
  2.1127 + #ifndef CONFIG_ZISOFS		/* No flag for SF or ZF */
  2.1128 +@@ -462,7 +470,7 @@
  2.1129 + 	struct rock_ridge *rr;
  2.1130 + 
  2.1131 + 	if (!ISOFS_SB(inode->i_sb)->s_rock)
  2.1132 +-		panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
  2.1133 ++		goto error;
  2.1134 + 
  2.1135 + 	block = ei->i_iget5_block;
  2.1136 + 	lock_kernel();
  2.1137 +@@ -487,13 +495,15 @@
  2.1138 + 	SETUP_ROCK_RIDGE(raw_inode, chr, len);
  2.1139 + 
  2.1140 +       repeat:
  2.1141 +-	while (len > 1) { /* There may be one byte for padding somewhere */
  2.1142 ++	while (len > 2) { /* There may be one byte for padding somewhere */
  2.1143 + 		rr = (struct rock_ridge *) chr;
  2.1144 +-		if (rr->len == 0)
  2.1145 ++		if (rr->len < 3)
  2.1146 + 			goto out;	/* Something got screwed up here */
  2.1147 + 		sig = isonum_721(chr);
  2.1148 + 		chr += rr->len;
  2.1149 + 		len -= rr->len;
  2.1150 ++		if (len < 0)
  2.1151 ++			goto out;	/* corrupted isofs */
  2.1152 + 
  2.1153 + 		switch (sig) {
  2.1154 + 		case SIG('R', 'R'):
  2.1155 +@@ -543,6 +553,7 @@
  2.1156 +       fail:
  2.1157 + 	brelse(bh);
  2.1158 + 	unlock_kernel();
  2.1159 ++      error:
  2.1160 + 	SetPageError(page);
  2.1161 + 	kunmap(page);
  2.1162 + 	unlock_page(page);
  2.1163 +diff -Naur linux-2.6.11/fs/jbd/transaction.c linux-2.6.11.10/fs/jbd/transaction.c
  2.1164 +--- linux-2.6.11/fs/jbd/transaction.c	2005-03-01 23:37:53.000000000 -0800
  2.1165 ++++ linux-2.6.11.10/fs/jbd/transaction.c	2005-05-16 10:50:47.000000000 -0700
  2.1166 +@@ -1775,10 +1775,10 @@
  2.1167 + 			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  2.1168 + 			ret = __dispose_buffer(jh,
  2.1169 + 					journal->j_running_transaction);
  2.1170 ++			journal_put_journal_head(jh);
  2.1171 + 			spin_unlock(&journal->j_list_lock);
  2.1172 + 			jbd_unlock_bh_state(bh);
  2.1173 + 			spin_unlock(&journal->j_state_lock);
  2.1174 +-			journal_put_journal_head(jh);
  2.1175 + 			return ret;
  2.1176 + 		} else {
  2.1177 + 			/* There is no currently-running transaction. So the
  2.1178 +@@ -1789,10 +1789,10 @@
  2.1179 + 				JBUFFER_TRACE(jh, "give to committing trans");
  2.1180 + 				ret = __dispose_buffer(jh,
  2.1181 + 					journal->j_committing_transaction);
  2.1182 ++				journal_put_journal_head(jh);
  2.1183 + 				spin_unlock(&journal->j_list_lock);
  2.1184 + 				jbd_unlock_bh_state(bh);
  2.1185 + 				spin_unlock(&journal->j_state_lock);
  2.1186 +-				journal_put_journal_head(jh);
  2.1187 + 				return ret;
  2.1188 + 			} else {
  2.1189 + 				/* The orphan record's transaction has
  2.1190 +@@ -1813,10 +1813,10 @@
  2.1191 + 					journal->j_running_transaction);
  2.1192 + 			jh->b_next_transaction = NULL;
  2.1193 + 		}
  2.1194 ++		journal_put_journal_head(jh);
  2.1195 + 		spin_unlock(&journal->j_list_lock);
  2.1196 + 		jbd_unlock_bh_state(bh);
  2.1197 + 		spin_unlock(&journal->j_state_lock);
  2.1198 +-		journal_put_journal_head(jh);
  2.1199 + 		return 0;
  2.1200 + 	} else {
  2.1201 + 		/* Good, the buffer belongs to the running transaction.
  2.1202 +diff -Naur linux-2.6.11/kernel/exit.c linux-2.6.11.10/kernel/exit.c
  2.1203 +--- linux-2.6.11/kernel/exit.c	2005-03-01 23:38:25.000000000 -0800
  2.1204 ++++ linux-2.6.11.10/kernel/exit.c	2005-05-16 10:51:53.000000000 -0700
  2.1205 +@@ -516,8 +516,6 @@
  2.1206 + 	 */
  2.1207 + 	BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
  2.1208 + 	p->real_parent = reaper;
  2.1209 +-	if (p->parent == p->real_parent)
  2.1210 +-		BUG();
  2.1211 + }
  2.1212 + 
  2.1213 + static inline void reparent_thread(task_t *p, task_t *father, int traced)
  2.1214 +diff -Naur linux-2.6.11/kernel/signal.c linux-2.6.11.10/kernel/signal.c
  2.1215 +--- linux-2.6.11/kernel/signal.c	2005-03-01 23:38:07.000000000 -0800
  2.1216 ++++ linux-2.6.11.10/kernel/signal.c	2005-05-16 10:51:53.000000000 -0700
  2.1217 +@@ -1728,6 +1728,7 @@
  2.1218 + 			 * with another processor delivering a stop signal,
  2.1219 + 			 * then the SIGCONT that wakes us up should clear it.
  2.1220 + 			 */
  2.1221 ++			read_unlock(&tasklist_lock);
  2.1222 + 			return 0;
  2.1223 + 		}
  2.1224 + 
  2.1225 +diff -Naur linux-2.6.11/lib/rwsem-spinlock.c linux-2.6.11.10/lib/rwsem-spinlock.c
  2.1226 +--- linux-2.6.11/lib/rwsem-spinlock.c	2005-03-01 23:38:34.000000000 -0800
  2.1227 ++++ linux-2.6.11.10/lib/rwsem-spinlock.c	2005-05-16 10:51:54.000000000 -0700
  2.1228 +@@ -140,12 +140,12 @@
  2.1229 + 
  2.1230 + 	rwsemtrace(sem, "Entering __down_read");
  2.1231 + 
  2.1232 +-	spin_lock(&sem->wait_lock);
  2.1233 ++	spin_lock_irq(&sem->wait_lock);
  2.1234 + 
  2.1235 + 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  2.1236 + 		/* granted */
  2.1237 + 		sem->activity++;
  2.1238 +-		spin_unlock(&sem->wait_lock);
  2.1239 ++		spin_unlock_irq(&sem->wait_lock);
  2.1240 + 		goto out;
  2.1241 + 	}
  2.1242 + 
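Review bot: `__down_read()` here and `__down_write()` further down take the lock with `spin_lock_irq()`/`spin_unlock_irq()`, while the trylock, up and downgrade paths use the `irqsave`/`irqrestore` pair, and nothing in the patch says why. `spin_unlock_irq()` re-enables interrupts unconditionally, so these two functions are only correct when entered with interrupts enabled, presumably because they may sleep. A short comment at the lock site, for example `/* may sleep, so callers have IRQs enabled; the non-blocking paths use irqsave */`, would keep a later edit from copying the wrong variant.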
  2.1243 +@@ -160,7 +160,7 @@
  2.1244 + 	list_add_tail(&waiter.list, &sem->wait_list);
  2.1245 + 
  2.1246 + 	/* we don't need to touch the semaphore struct anymore */
  2.1247 +-	spin_unlock(&sem->wait_lock);
  2.1248 ++	spin_unlock_irq(&sem->wait_lock);
  2.1249 + 
  2.1250 + 	/* wait to be given the lock */
  2.1251 + 	for (;;) {
  2.1252 +@@ -181,10 +181,12 @@
  2.1253 +  */
  2.1254 + int fastcall __down_read_trylock(struct rw_semaphore *sem)
  2.1255 + {
  2.1256 ++	unsigned long flags;
  2.1257 + 	int ret = 0;
  2.1258 ++
  2.1259 + 	rwsemtrace(sem, "Entering __down_read_trylock");
  2.1260 + 
  2.1261 +-	spin_lock(&sem->wait_lock);
  2.1262 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1263 + 
  2.1264 + 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  2.1265 + 		/* granted */
  2.1266 +@@ -192,7 +194,7 @@
  2.1267 + 		ret = 1;
  2.1268 + 	}
  2.1269 + 
  2.1270 +-	spin_unlock(&sem->wait_lock);
  2.1271 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1272 + 
  2.1273 + 	rwsemtrace(sem, "Leaving __down_read_trylock");
  2.1274 + 	return ret;
  2.1275 +@@ -209,12 +211,12 @@
  2.1276 + 
  2.1277 + 	rwsemtrace(sem, "Entering __down_write");
  2.1278 + 
  2.1279 +-	spin_lock(&sem->wait_lock);
  2.1280 ++	spin_lock_irq(&sem->wait_lock);
  2.1281 + 
  2.1282 + 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  2.1283 + 		/* granted */
  2.1284 + 		sem->activity = -1;
  2.1285 +-		spin_unlock(&sem->wait_lock);
  2.1286 ++		spin_unlock_irq(&sem->wait_lock);
  2.1287 + 		goto out;
  2.1288 + 	}
  2.1289 + 
  2.1290 +@@ -229,7 +231,7 @@
  2.1291 + 	list_add_tail(&waiter.list, &sem->wait_list);
  2.1292 + 
  2.1293 + 	/* we don't need to touch the semaphore struct anymore */
  2.1294 +-	spin_unlock(&sem->wait_lock);
  2.1295 ++	spin_unlock_irq(&sem->wait_lock);
  2.1296 + 
  2.1297 + 	/* wait to be given the lock */
  2.1298 + 	for (;;) {
  2.1299 +@@ -250,10 +252,12 @@
  2.1300 +  */
  2.1301 + int fastcall __down_write_trylock(struct rw_semaphore *sem)
  2.1302 + {
  2.1303 ++	unsigned long flags;
  2.1304 + 	int ret = 0;
  2.1305 ++
  2.1306 + 	rwsemtrace(sem, "Entering __down_write_trylock");
  2.1307 + 
  2.1308 +-	spin_lock(&sem->wait_lock);
  2.1309 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1310 + 
  2.1311 + 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  2.1312 + 		/* granted */
  2.1313 +@@ -261,7 +265,7 @@
  2.1314 + 		ret = 1;
  2.1315 + 	}
  2.1316 + 
  2.1317 +-	spin_unlock(&sem->wait_lock);
  2.1318 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1319 + 
  2.1320 + 	rwsemtrace(sem, "Leaving __down_write_trylock");
  2.1321 + 	return ret;
  2.1322 +@@ -272,14 +276,16 @@
  2.1323 +  */
  2.1324 + void fastcall __up_read(struct rw_semaphore *sem)
  2.1325 + {
  2.1326 ++	unsigned long flags;
  2.1327 ++
  2.1328 + 	rwsemtrace(sem, "Entering __up_read");
  2.1329 + 
  2.1330 +-	spin_lock(&sem->wait_lock);
  2.1331 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1332 + 
  2.1333 + 	if (--sem->activity == 0 && !list_empty(&sem->wait_list))
  2.1334 + 		sem = __rwsem_wake_one_writer(sem);
  2.1335 + 
  2.1336 +-	spin_unlock(&sem->wait_lock);
  2.1337 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1338 + 
  2.1339 + 	rwsemtrace(sem, "Leaving __up_read");
  2.1340 + }
  2.1341 +@@ -289,15 +295,17 @@
  2.1342 +  */
  2.1343 + void fastcall __up_write(struct rw_semaphore *sem)
  2.1344 + {
  2.1345 ++	unsigned long flags;
  2.1346 ++
  2.1347 + 	rwsemtrace(sem, "Entering __up_write");
  2.1348 + 
  2.1349 +-	spin_lock(&sem->wait_lock);
  2.1350 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1351 + 
  2.1352 + 	sem->activity = 0;
  2.1353 + 	if (!list_empty(&sem->wait_list))
  2.1354 + 		sem = __rwsem_do_wake(sem, 1);
  2.1355 + 
  2.1356 +-	spin_unlock(&sem->wait_lock);
  2.1357 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1358 + 
  2.1359 + 	rwsemtrace(sem, "Leaving __up_write");
  2.1360 + }
  2.1361 +@@ -308,15 +316,17 @@
  2.1362 +  */
  2.1363 + void fastcall __downgrade_write(struct rw_semaphore *sem)
  2.1364 + {
  2.1365 ++	unsigned long flags;
  2.1366 ++
  2.1367 + 	rwsemtrace(sem, "Entering __downgrade_write");
  2.1368 + 
  2.1369 +-	spin_lock(&sem->wait_lock);
  2.1370 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1371 + 
  2.1372 + 	sem->activity = 1;
  2.1373 + 	if (!list_empty(&sem->wait_list))
  2.1374 + 		sem = __rwsem_do_wake(sem, 0);
  2.1375 + 
  2.1376 +-	spin_unlock(&sem->wait_lock);
  2.1377 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1378 + 
  2.1379 + 	rwsemtrace(sem, "Leaving __downgrade_write");
  2.1380 + }
  2.1381 +diff -Naur linux-2.6.11/lib/rwsem.c linux-2.6.11.10/lib/rwsem.c
  2.1382 +--- linux-2.6.11/lib/rwsem.c	2005-03-01 23:38:34.000000000 -0800
  2.1383 ++++ linux-2.6.11.10/lib/rwsem.c	2005-05-16 10:51:54.000000000 -0700
  2.1384 +@@ -150,7 +150,7 @@
  2.1385 + 	set_task_state(tsk, TASK_UNINTERRUPTIBLE);
  2.1386 + 
  2.1387 + 	/* set up my own style of waitqueue */
  2.1388 +-	spin_lock(&sem->wait_lock);
  2.1389 ++	spin_lock_irq(&sem->wait_lock);
  2.1390 + 	waiter->task = tsk;
  2.1391 + 	get_task_struct(tsk);
  2.1392 + 
  2.1393 +@@ -163,7 +163,7 @@
  2.1394 + 	if (!(count & RWSEM_ACTIVE_MASK))
  2.1395 + 		sem = __rwsem_do_wake(sem, 0);
  2.1396 + 
  2.1397 +-	spin_unlock(&sem->wait_lock);
  2.1398 ++	spin_unlock_irq(&sem->wait_lock);
  2.1399 + 
  2.1400 + 	/* wait to be given the lock */
  2.1401 + 	for (;;) {
  2.1402 +@@ -219,15 +219,17 @@
  2.1403 +  */
  2.1404 + struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
  2.1405 + {
  2.1406 ++	unsigned long flags;
  2.1407 ++
  2.1408 + 	rwsemtrace(sem, "Entering rwsem_wake");
  2.1409 + 
  2.1410 +-	spin_lock(&sem->wait_lock);
  2.1411 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1412 + 
  2.1413 + 	/* do nothing if list empty */
  2.1414 + 	if (!list_empty(&sem->wait_list))
  2.1415 + 		sem = __rwsem_do_wake(sem, 0);
  2.1416 + 
  2.1417 +-	spin_unlock(&sem->wait_lock);
  2.1418 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1419 + 
  2.1420 + 	rwsemtrace(sem, "Leaving rwsem_wake");
  2.1421 + 
  2.1422 +@@ -241,15 +243,17 @@
  2.1423 +  */
  2.1424 + struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
  2.1425 + {
  2.1426 ++	unsigned long flags;
  2.1427 ++
  2.1428 + 	rwsemtrace(sem, "Entering rwsem_downgrade_wake");
  2.1429 + 
  2.1430 +-	spin_lock(&sem->wait_lock);
  2.1431 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1432 + 
  2.1433 + 	/* do nothing if list empty */
  2.1434 + 	if (!list_empty(&sem->wait_list))
  2.1435 + 		sem = __rwsem_do_wake(sem, 1);
  2.1436 + 
  2.1437 +-	spin_unlock(&sem->wait_lock);
  2.1438 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1439 + 
  2.1440 + 	rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
  2.1441 + 	return sem;
  2.1442 +diff -Naur linux-2.6.11/net/bluetooth/af_bluetooth.c linux-2.6.11.10/net/bluetooth/af_bluetooth.c
  2.1443 +--- linux-2.6.11/net/bluetooth/af_bluetooth.c	2005-03-01 23:37:49.000000000 -0800
  2.1444 ++++ linux-2.6.11.10/net/bluetooth/af_bluetooth.c	2005-05-16 10:51:56.000000000 -0700
  2.1445 +@@ -64,7 +64,7 @@
  2.1446 + 
  2.1447 + int bt_sock_register(int proto, struct net_proto_family *ops)
  2.1448 + {
  2.1449 +-	if (proto >= BT_MAX_PROTO)
  2.1450 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1451 + 		return -EINVAL;
  2.1452 + 
  2.1453 + 	if (bt_proto[proto])
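Review bot: The lower-bound guard on `proto` is now written out by hand in three places (here, in `bt_sock_unregister`, and in the hunk at -92), so the next function that indexes `bt_proto[]` can omit the `proto < 0` half again, as the old code did. A single unsigned comparison, `if ((unsigned int)proto >= BT_MAX_PROTO)`, rejects negative and too-large values in one test, and a small static helper shared by the three callers would keep the checks in step. Either way a short comment such as `/* proto is a signed int used as an index into bt_proto[] */` would explain why the lower bound matters. The function bodies continue outside the hunks.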
  2.1454 +@@ -77,7 +77,7 @@
  2.1455 + 
  2.1456 + int bt_sock_unregister(int proto)
  2.1457 + {
  2.1458 +-	if (proto >= BT_MAX_PROTO)
  2.1459 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1460 + 		return -EINVAL;
  2.1461 + 
  2.1462 + 	if (!bt_proto[proto])
  2.1463 +@@ -92,7 +92,7 @@
  2.1464 + {
  2.1465 + 	int err = 0;
  2.1466 + 
  2.1467 +-	if (proto >= BT_MAX_PROTO)
  2.1468 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1469 + 		return -EINVAL;
  2.1470 + 
  2.1471 + #if defined(CONFIG_KMOD)
  2.1472 +diff -Naur linux-2.6.11/net/ipv4/fib_hash.c linux-2.6.11.10/net/ipv4/fib_hash.c
  2.1473 +--- linux-2.6.11/net/ipv4/fib_hash.c	2005-03-01 23:38:09.000000000 -0800
  2.1474 ++++ linux-2.6.11.10/net/ipv4/fib_hash.c	2005-05-16 10:51:57.000000000 -0700
  2.1475 +@@ -919,13 +919,23 @@
  2.1476 + 	return fa;
  2.1477 + }
  2.1478 + 
  2.1479 ++static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
  2.1480 ++{
  2.1481 ++	struct fib_alias *fa = fib_get_first(seq);
  2.1482 ++
  2.1483 ++	if (fa)
  2.1484 ++		while (pos && (fa = fib_get_next(seq)))
  2.1485 ++			--pos;
  2.1486 ++	return pos ? NULL : fa;
  2.1487 ++}
  2.1488 ++
  2.1489 + static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
  2.1490 + {
  2.1491 + 	void *v = NULL;
  2.1492 + 
  2.1493 + 	read_lock(&fib_hash_lock);
  2.1494 + 	if (ip_fib_main_table)
  2.1495 +-		v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
  2.1496 ++		v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
  2.1497 + 	return v;
  2.1498 + }
  2.1499 + 
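Review bot: `fib_get_idx()` is added without a comment and with an unbraced `if` wrapping an unbraced `while`, which makes the `pos ? NULL : fa` return harder to check than it needs to be. A header such as `/* Return the alias at 0-based index pos, walking from the first entry; NULL if there are fewer. */` plus braces around both bodies would make the contract explicit. Note also that `fib_seq_start()` now walks from the first entry on every call while holding `fib_hash_lock` for reading, so resuming a read at a large `*pos` costs time proportional to `*pos`. That looks like an acceptable price for returning the right entry, but it is worth stating in the comment. `fib_get_first()` and `fib_get_next()` are defined outside the hunk.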
  2.1500 +diff -Naur linux-2.6.11/net/ipv4/tcp_input.c linux-2.6.11.10/net/ipv4/tcp_input.c
  2.1501 +--- linux-2.6.11/net/ipv4/tcp_input.c	2005-03-01 23:38:17.000000000 -0800
  2.1502 ++++ linux-2.6.11.10/net/ipv4/tcp_input.c	2005-05-16 10:52:00.000000000 -0700
  2.1503 +@@ -1653,7 +1653,10 @@
  2.1504 + static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
  2.1505 + {
  2.1506 + 	if (tp->prior_ssthresh) {
  2.1507 +-		tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  2.1508 ++		if (tcp_is_bic(tp))
  2.1509 ++			tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
  2.1510 ++		else
  2.1511 ++			tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  2.1512 + 
  2.1513 + 		if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
  2.1514 + 			tp->snd_ssthresh = tp->prior_ssthresh;
  2.1515 +diff -Naur linux-2.6.11/net/ipv4/tcp_timer.c linux-2.6.11.10/net/ipv4/tcp_timer.c
  2.1516 +--- linux-2.6.11/net/ipv4/tcp_timer.c	2005-03-01 23:38:26.000000000 -0800
  2.1517 ++++ linux-2.6.11.10/net/ipv4/tcp_timer.c	2005-05-16 10:52:00.000000000 -0700
  2.1518 +@@ -38,6 +38,7 @@
  2.1519 + 
  2.1520 + #ifdef TCP_DEBUG
  2.1521 + const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
  2.1522 ++EXPORT_SYMBOL(tcp_timer_bug_msg);
  2.1523 + #endif
  2.1524 + 
  2.1525 + /*
  2.1526 +diff -Naur linux-2.6.11/net/ipv4/xfrm4_output.c linux-2.6.11.10/net/ipv4/xfrm4_output.c
  2.1527 +--- linux-2.6.11/net/ipv4/xfrm4_output.c	2005-03-01 23:37:50.000000000 -0800
  2.1528 ++++ linux-2.6.11.10/net/ipv4/xfrm4_output.c	2005-05-16 10:52:00.000000000 -0700
  2.1529 +@@ -103,17 +103,17 @@
  2.1530 + 			goto error_nolock;
  2.1531 + 	}
  2.1532 + 
  2.1533 +-	spin_lock_bh(&x->lock);
  2.1534 +-	err = xfrm_state_check(x, skb);
  2.1535 +-	if (err)
  2.1536 +-		goto error;
  2.1537 +-
  2.1538 + 	if (x->props.mode) {
  2.1539 + 		err = xfrm4_tunnel_check_size(skb);
  2.1540 + 		if (err)
  2.1541 +-			goto error;
  2.1542 ++			goto error_nolock;
  2.1543 + 	}
  2.1544 + 
  2.1545 ++	spin_lock_bh(&x->lock);
  2.1546 ++	err = xfrm_state_check(x, skb);
  2.1547 ++	if (err)
  2.1548 ++		goto error;
  2.1549 ++
  2.1550 + 	xfrm4_encap(skb);
  2.1551 + 
  2.1552 + 	err = x->type->output(skb);
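Review bot: Nothing in the new ordering records why the tunnel size check has to run before `spin_lock_bh(&x->lock)`, so a later clean-up of the error paths could fold it back under the lock. A comment above the `if (x->props.mode)` block, e.g. `/* must run before x->lock is taken; failure exits via error_nolock */`, would pin that down. The check also now reads `x->props.mode` without the state lock, which is fine only if that field cannot change once the state is in use; neither that nor the body of `xfrm4_tunnel_check_size()` is visible here. The identical reordering in net/ipv6/xfrm6_output.c needs the same comment. The enclosing function starts and ends outside the hunk.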
  2.1553 +diff -Naur linux-2.6.11/net/ipv6/xfrm6_output.c linux-2.6.11.10/net/ipv6/xfrm6_output.c
  2.1554 +--- linux-2.6.11/net/ipv6/xfrm6_output.c	2005-03-01 23:38:25.000000000 -0800
  2.1555 ++++ linux-2.6.11.10/net/ipv6/xfrm6_output.c	2005-05-16 10:52:00.000000000 -0700
  2.1556 +@@ -103,17 +103,17 @@
  2.1557 + 			goto error_nolock;
  2.1558 + 	}
  2.1559 + 
  2.1560 +-	spin_lock_bh(&x->lock);
  2.1561 +-	err = xfrm_state_check(x, skb);
  2.1562 +-	if (err)
  2.1563 +-		goto error;
  2.1564 +-
  2.1565 + 	if (x->props.mode) {
  2.1566 + 		err = xfrm6_tunnel_check_size(skb);
  2.1567 + 		if (err)
  2.1568 +-			goto error;
  2.1569 ++			goto error_nolock;
  2.1570 + 	}
  2.1571 + 
  2.1572 ++	spin_lock_bh(&x->lock);
  2.1573 ++	err = xfrm_state_check(x, skb);
  2.1574 ++	if (err)
  2.1575 ++		goto error;
  2.1576 ++
  2.1577 + 	xfrm6_encap(skb);
  2.1578 + 
  2.1579 + 	err = x->type->output(skb);
  2.1580 +diff -Naur linux-2.6.11/net/netrom/nr_in.c linux-2.6.11.10/net/netrom/nr_in.c
  2.1581 +--- linux-2.6.11/net/netrom/nr_in.c	2005-03-01 23:38:01.000000000 -0800
  2.1582 ++++ linux-2.6.11.10/net/netrom/nr_in.c	2005-05-16 10:52:02.000000000 -0700
  2.1583 +@@ -74,7 +74,6 @@
  2.1584 + static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
  2.1585 + 	int frametype)
  2.1586 + {
  2.1587 +-	bh_lock_sock(sk);
  2.1588 + 	switch (frametype) {
  2.1589 + 	case NR_CONNACK: {
  2.1590 + 		nr_cb *nr = nr_sk(sk);
  2.1591 +@@ -103,8 +102,6 @@
  2.1592 + 	default:
  2.1593 + 		break;
  2.1594 + 	}
  2.1595 +-	bh_unlock_sock(sk);
  2.1596 +-
  2.1597 + 	return 0;
  2.1598 + }
  2.1599 + 
  2.1600 +@@ -116,7 +113,6 @@
  2.1601 + static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
  2.1602 + 	int frametype)
  2.1603 + {
  2.1604 +-	bh_lock_sock(sk);
  2.1605 + 	switch (frametype) {
  2.1606 + 	case NR_CONNACK | NR_CHOKE_FLAG:
  2.1607 + 		nr_disconnect(sk, ECONNRESET);
  2.1608 +@@ -132,8 +128,6 @@
  2.1609 + 	default:
  2.1610 + 		break;
  2.1611 + 	}
  2.1612 +-	bh_unlock_sock(sk);
  2.1613 +-
  2.1614 + 	return 0;
  2.1615 + }
  2.1616 + 
  2.1617 +@@ -154,7 +148,6 @@
  2.1618 + 	nr = skb->data[18];
  2.1619 + 	ns = skb->data[17];
  2.1620 + 
  2.1621 +-	bh_lock_sock(sk);
  2.1622 + 	switch (frametype) {
  2.1623 + 	case NR_CONNREQ:
  2.1624 + 		nr_write_internal(sk, NR_CONNACK);
  2.1625 +@@ -265,8 +258,6 @@
  2.1626 + 	default:
  2.1627 + 		break;
  2.1628 + 	}
  2.1629 +-	bh_unlock_sock(sk);
  2.1630 +-
  2.1631 + 	return queued;
  2.1632 + }
  2.1633 + 
  2.1634 +diff -Naur linux-2.6.11/net/xfrm/xfrm_state.c linux-2.6.11.10/net/xfrm/xfrm_state.c
  2.1635 +--- linux-2.6.11/net/xfrm/xfrm_state.c	2005-03-01 23:38:17.000000000 -0800
  2.1636 ++++ linux-2.6.11.10/net/xfrm/xfrm_state.c	2005-05-16 10:52:04.000000000 -0700
  2.1637 +@@ -609,7 +609,7 @@
  2.1638 + 
  2.1639 + 	for (i = 0; i < XFRM_DST_HSIZE; i++) {
  2.1640 + 		list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
  2.1641 +-			if (x->km.seq == seq) {
  2.1642 ++			if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
  2.1643 + 				xfrm_state_hold(x);
  2.1644 + 				return x;
  2.1645 + 			}
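Review bot: The added `x->km.state == XFRM_STATE_ACQ` test narrows what this sequence-number lookup may return, but the loop carries no comment saying so. Something like `/* a matching km.seq is not enough: only return states still in XFRM_STATE_ACQ */` above the `if` would stop the second condition from being dropped as redundant later. The function header and its callers are outside the hunk, so whether callers should re-check the state after `xfrm_state_hold()` cannot be judged from here.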
  2.1646 +diff -Naur linux-2.6.11/security/keys/key.c linux-2.6.11.10/security/keys/key.c
  2.1647 +--- linux-2.6.11/security/keys/key.c	2005-03-01 23:38:25.000000000 -0800
  2.1648 ++++ linux-2.6.11.10/security/keys/key.c	2005-05-16 10:52:06.000000000 -0700
  2.1649 +@@ -57,9 +57,10 @@
  2.1650 + {
  2.1651 + 	struct key_user *candidate = NULL, *user;
  2.1652 + 	struct rb_node *parent = NULL;
  2.1653 +-	struct rb_node **p = &key_user_tree.rb_node;
  2.1654 ++	struct rb_node **p;
  2.1655 + 
  2.1656 +  try_again:
  2.1657 ++	p = &key_user_tree.rb_node;
  2.1658 + 	spin_lock(&key_user_lock);
  2.1659 + 
  2.1660 + 	/* search the tree for a user record with a matching UID */
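Review bot: `parent` is still initialised only at its declaration, so a pass that restarts at `try_again` begins with whatever node the previous walk left in it, while `p` is now correctly reset. If the search below assigns `parent` only inside its loop (the loop body is outside the hunk) and records can be removed while `key_user_lock` is dropped, a retry that finds the tree empty would link the new record using a stale parent pointer. Resetting it beside `p` closes that gap: add `parent = NULL;` on the line after the `try_again:` label and reduce the declaration to `struct rb_node *parent, **p;`.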
  2.1661 +diff -Naur linux-2.6.11/sound/core/timer.c linux-2.6.11.10/sound/core/timer.c
  2.1662 +--- linux-2.6.11/sound/core/timer.c	2005-03-01 23:38:12.000000000 -0800
  2.1663 ++++ linux-2.6.11.10/sound/core/timer.c	2005-05-16 10:52:08.000000000 -0700
  2.1664 +@@ -1117,7 +1117,8 @@
  2.1665 + 	if (tu->qused >= tu->queue_size) {
  2.1666 + 		tu->overrun++;
  2.1667 + 	} else {
  2.1668 +-		memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
  2.1669 ++		memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
  2.1670 ++		tu->qtail %= tu->queue_size;
  2.1671 + 		tu->qused++;
  2.1672 + 	}
  2.1673 + }
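Review bot: The post-increment inside the `memcpy()` followed by a separate `%=` leaves `tu->qtail` equal to `tu->queue_size` for one statement, which is safe only while every reader of `qtail` holds `tu->qlock`. Keeping the index in range at every point is just as short: `memcpy(&tu->tqueue[tu->qtail], tread, sizeof(*tread));` followed by `tu->qtail = (tu->qtail + 1) % tu->queue_size;`. The function also has no comment stating that the caller must hold `tu->qlock`, although the caller in the next hunk does take it. Something like `/* caller holds tu->qlock */` above the function would make that requirement visible. The function header is outside this hunk.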
  2.1674 +@@ -1140,6 +1141,8 @@
  2.1675 + 	spin_lock(&tu->qlock);
  2.1676 + 	snd_timer_user_append_to_tqueue(tu, &r1);
  2.1677 + 	spin_unlock(&tu->qlock);
  2.1678 ++	kill_fasync(&tu->fasync, SIGIO, POLL_IN);
  2.1679 ++	wake_up(&tu->qchange_sleep);
  2.1680 + }
  2.1681 + 
  2.1682 + static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
  2.1683 +diff -Naur linux-2.6.11/sound/pci/ac97/ac97_codec.c linux-2.6.11.10/sound/pci/ac97/ac97_codec.c
  2.1684 +--- linux-2.6.11/sound/pci/ac97/ac97_codec.c	2005-03-01 23:38:37.000000000 -0800
  2.1685 ++++ linux-2.6.11.10/sound/pci/ac97/ac97_codec.c	2005-05-16 10:52:15.000000000 -0700
  2.1686 +@@ -1185,7 +1185,7 @@
  2.1687 + /*
  2.1688 +  * create mute switch(es) for normal stereo controls
  2.1689 +  */
  2.1690 +-static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
  2.1691 ++static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
  2.1692 + {
  2.1693 + 	snd_kcontrol_t *kctl;
  2.1694 + 	int err;
  2.1695 +@@ -1196,7 +1196,7 @@
  2.1696 + 
  2.1697 + 	mute_mask = 0x8000;
  2.1698 + 	val = snd_ac97_read(ac97, reg);
  2.1699 +-	if (ac97->flags & AC97_STEREO_MUTES) {
  2.1700 ++	if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
  2.1701 + 		/* check whether both mute bits work */
  2.1702 + 		val1 = val | 0x8080;
  2.1703 + 		snd_ac97_write(ac97, reg, val1);
  2.1704 +@@ -1254,7 +1254,7 @@
  2.1705 + /*
  2.1706 +  * create a mute-switch and a volume for normal stereo/mono controls
  2.1707 +  */
  2.1708 +-static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
  2.1709 ++static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
  2.1710 + {
  2.1711 + 	int err;
  2.1712 + 	char name[44];
  2.1713 +@@ -1265,7 +1265,7 @@
  2.1714 + 
  2.1715 + 	if (snd_ac97_try_bit(ac97, reg, 15)) {
  2.1716 + 		sprintf(name, "%s Switch", pfx);
  2.1717 +-		if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
  2.1718 ++		if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
  2.1719 + 			return err;
  2.1720 + 	}
  2.1721 + 	check_volume_resolution(ac97, reg, &lo_max, &hi_max);
  2.1722 +@@ -1277,6 +1277,8 @@
  2.1723 + 	return 0;
  2.1724 + }
  2.1725 + 
  2.1726 ++#define snd_ac97_cmix_new(card, pfx, reg, ac97)	snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
  2.1727 ++#define snd_ac97_cmute_new(card, name, reg, ac97)	snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
  2.1728 + 
  2.1729 + static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
  2.1730 + 
  2.1731 +@@ -1327,7 +1329,8 @@
  2.1732 + 
  2.1733 + 	/* build surround controls */
  2.1734 + 	if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
  2.1735 +-		if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
  2.1736 ++		/* Surround Master (0x38) is with stereo mutes */
  2.1737 ++		if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
  2.1738 + 			return err;
  2.1739 + 	}
  2.1740 + 
     3.1 --- a/patches/linux-2.6.11/linux-2.6.11.9.patch	Mon May 16 20:21:34 2005 +0000
     3.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.3 @@ -1,1692 +0,0 @@
     3.4 -diff -Nru a/Documentation/SecurityBugs b/Documentation/SecurityBugs
     3.5 ---- /dev/null	Wed Dec 31 16:00:00 196900
     3.6 -+++ b/Documentation/SecurityBugs	2005-05-11 15:43:53 -07:00
     3.7 -@@ -0,0 +1,38 @@
     3.8 -+Linux kernel developers take security very seriously.  As such, we'd
     3.9 -+like to know when a security bug is found so that it can be fixed and
    3.10 -+disclosed as quickly as possible.  Please report security bugs to the
    3.11 -+Linux kernel security team.
    3.12 -+
    3.13 -+1) Contact
    3.14 -+
    3.15 -+The Linux kernel security team can be contacted by email at
    3.16 -+<security@kernel.org>.  This is a private list of security officers
    3.17 -+who will help verify the bug report and develop and release a fix.
    3.18 -+It is possible that the security team will bring in extra help from
    3.19 -+area maintainers to understand and fix the security vulnerability.
    3.20 -+
    3.21 -+As it is with any bug, the more information provided the easier it
    3.22 -+will be to diagnose and fix.  Please review the procedure outlined in
    3.23 -+REPORTING-BUGS if you are unclear about what information is helpful.
    3.24 -+Any exploit code is very helpful and will not be released without
    3.25 -+consent from the reporter unless it has already been made public.
    3.26 -+
    3.27 -+2) Disclosure
    3.28 -+
    3.29 -+The goal of the Linux kernel security team is to work with the
    3.30 -+bug submitter to bug resolution as well as disclosure.  We prefer
    3.31 -+to fully disclose the bug as soon as possible.  It is reasonable to
    3.32 -+delay disclosure when the bug or the fix is not yet fully understood,
    3.33 -+the solution is not well-tested or for vendor coordination.  However, we
    3.34 -+expect these delays to be short, measurable in days, not weeks or months.
    3.35 -+A disclosure date is negotiated by the security team working with the
    3.36 -+bug submitter as well as vendors.  However, the kernel security team
    3.37 -+holds the final say when setting a disclosure date.  The timeframe for
    3.38 -+disclosure is from immediate (esp. if it's already publically known)
    3.39 -+to a few weeks.  As a basic default policy, we expect report date to
    3.40 -+disclosure date to be on the order of 7 days.
    3.41 -+
    3.42 -+3) Non-disclosure agreements
    3.43 -+
    3.44 -+The Linux kernel security team is not a formal body and therefore unable
    3.45 -+to enter any non-disclosure agreements.
    3.46 -diff -Nru a/MAINTAINERS b/MAINTAINERS
    3.47 ---- a/MAINTAINERS	2005-05-11 15:43:53 -07:00
    3.48 -+++ b/MAINTAINERS	2005-05-11 15:43:53 -07:00
    3.49 -@@ -1966,6 +1966,11 @@
    3.50 - W:	http://www.weinigel.se
    3.51 - S:	Supported
    3.52 - 
    3.53 -+SECURITY CONTACT
    3.54 -+P:	Security Officers
    3.55 -+M:	security@kernel.org
    3.56 -+S:	Supported
    3.57 -+
    3.58 - SELINUX SECURITY MODULE
    3.59 - P:	Stephen Smalley
    3.60 - M:	sds@epoch.ncsc.mil
    3.61 -diff -Nru a/Makefile b/Makefile
    3.62 ---- a/Makefile	2005-05-11 15:43:53 -07:00
    3.63 -+++ b/Makefile	2005-05-11 15:43:53 -07:00
    3.64 -@@ -1,8 +1,8 @@
    3.65 - VERSION = 2
    3.66 - PATCHLEVEL = 6
    3.67 - SUBLEVEL = 11
    3.68 --EXTRAVERSION =
    3.69 --NAME=Woozy Numbat
    3.70 -+EXTRAVERSION = .9
    3.71 -+NAME=Woozy Beaver
    3.72 - 
    3.73 - # *DOCUMENTATION*
    3.74 - # To see a list of typical targets execute "make help"
    3.75 -diff -Nru a/REPORTING-BUGS b/REPORTING-BUGS
    3.76 ---- a/REPORTING-BUGS	2005-05-11 15:43:53 -07:00
    3.77 -+++ b/REPORTING-BUGS	2005-05-11 15:43:53 -07:00
    3.78 -@@ -16,6 +16,10 @@
    3.79 - describe how to recreate it. That is worth even more than the oops itself.
    3.80 - The list of maintainers is in the MAINTAINERS file in this directory.
    3.81 - 
    3.82 -+      If it is a security bug, please copy the Security Contact listed
    3.83 -+in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
    3.84 -+See Documentation/SecurityBugs for more infomation.
    3.85 -+
    3.86 -       If you are totally stumped as to whom to send the report, send it to
    3.87 - linux-kernel@vger.kernel.org. (For more information on the linux-kernel
    3.88 - mailing list see http://www.tux.org/lkml/).
    3.89 -diff -Nru a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
    3.90 ---- a/arch/ia64/kernel/fsys.S	2005-05-11 15:43:53 -07:00
    3.91 -+++ b/arch/ia64/kernel/fsys.S	2005-05-11 15:43:53 -07:00
    3.92 -@@ -611,8 +611,10 @@
    3.93 - 	movl r2=ia64_ret_from_syscall
    3.94 - 	;;
    3.95 - 	mov rp=r2				// set the real return addr
    3.96 --	tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
    3.97 -+	and r3=_TIF_SYSCALL_TRACEAUDIT,r3
    3.98 - 	;;
    3.99 -+	cmp.eq p8,p0=r3,r0
   3.100 -+
   3.101 - (p10)	br.cond.spnt.many ia64_ret_from_syscall	// p10==true means out registers are more than 8
   3.102 - (p8)	br.call.sptk.many b6=b6		// ignore this return addr
   3.103 - 	br.cond.sptk ia64_trace_syscall
   3.104 -diff -Nru a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
   3.105 ---- a/arch/ia64/kernel/signal.c	2005-05-11 15:43:53 -07:00
   3.106 -+++ b/arch/ia64/kernel/signal.c	2005-05-11 15:43:53 -07:00
   3.107 -@@ -224,7 +224,8 @@
   3.108 - 	 * could be corrupted.
   3.109 - 	 */
   3.110 - 	retval = (long) &ia64_leave_kernel;
   3.111 --	if (test_thread_flag(TIF_SYSCALL_TRACE))
   3.112 -+	if (test_thread_flag(TIF_SYSCALL_TRACE)
   3.113 -+	    || test_thread_flag(TIF_SYSCALL_AUDIT))
   3.114 - 		/*
   3.115 - 		 * strace expects to be notified after sigreturn returns even though the
   3.116 - 		 * context to which we return may not be in the middle of a syscall.
   3.117 -diff -Nru a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
   3.118 ---- a/arch/ppc/oprofile/op_model_fsl_booke.c	2005-05-11 15:43:53 -07:00
   3.119 -+++ b/arch/ppc/oprofile/op_model_fsl_booke.c	2005-05-11 15:43:53 -07:00
   3.120 -@@ -150,7 +150,6 @@
   3.121 - 	int is_kernel;
   3.122 - 	int val;
   3.123 - 	int i;
   3.124 --	unsigned int cpu = smp_processor_id();
   3.125 - 
   3.126 - 	/* set the PMM bit (see comment below) */
   3.127 - 	mtmsr(mfmsr() | MSR_PMM);
   3.128 -@@ -162,7 +161,7 @@
   3.129 - 		val = ctr_read(i);
   3.130 - 		if (val < 0) {
   3.131 - 			if (oprofile_running && ctr[i].enabled) {
   3.132 --				oprofile_add_sample(pc, is_kernel, i, cpu);
   3.133 -+				oprofile_add_pc(pc, is_kernel, i);
   3.134 - 				ctr_write(i, reset_value[i]);
   3.135 - 			} else {
   3.136 - 				ctr_write(i, 0);
   3.137 -diff -Nru a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
   3.138 ---- a/arch/ppc/platforms/4xx/ebony.h	2005-05-11 15:43:53 -07:00
   3.139 -+++ b/arch/ppc/platforms/4xx/ebony.h	2005-05-11 15:43:53 -07:00
   3.140 -@@ -61,8 +61,8 @@
   3.141 -  */
   3.142 - 
   3.143 - /* OpenBIOS defined UART mappings, used before early_serial_setup */
   3.144 --#define UART0_IO_BASE	(u8 *) 0xE0000200
   3.145 --#define UART1_IO_BASE	(u8 *) 0xE0000300
   3.146 -+#define UART0_IO_BASE	0xE0000200
   3.147 -+#define UART1_IO_BASE	0xE0000300
   3.148 - 
   3.149 - /* external Epson SG-615P */
   3.150 - #define BASE_BAUD	691200
   3.151 -diff -Nru a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
   3.152 ---- a/arch/ppc/platforms/4xx/luan.h	2005-05-11 15:43:53 -07:00
   3.153 -+++ b/arch/ppc/platforms/4xx/luan.h	2005-05-11 15:43:53 -07:00
   3.154 -@@ -47,9 +47,9 @@
   3.155 - #define RS_TABLE_SIZE	3
   3.156 - 
   3.157 - /* PIBS defined UART mappings, used before early_serial_setup */
   3.158 --#define UART0_IO_BASE	(u8 *) 0xa0000200
   3.159 --#define UART1_IO_BASE	(u8 *) 0xa0000300
   3.160 --#define UART2_IO_BASE	(u8 *) 0xa0000600
   3.161 -+#define UART0_IO_BASE	0xa0000200
   3.162 -+#define UART1_IO_BASE	0xa0000300
   3.163 -+#define UART2_IO_BASE	0xa0000600
   3.164 - 
   3.165 - #define BASE_BAUD	11059200
   3.166 - #define STD_UART_OP(num)					\
   3.167 -diff -Nru a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
   3.168 ---- a/arch/ppc/platforms/4xx/ocotea.h	2005-05-11 15:43:53 -07:00
   3.169 -+++ b/arch/ppc/platforms/4xx/ocotea.h	2005-05-11 15:43:53 -07:00
   3.170 -@@ -56,8 +56,8 @@
   3.171 - #define RS_TABLE_SIZE	2
   3.172 - 
   3.173 - /* OpenBIOS defined UART mappings, used before early_serial_setup */
   3.174 --#define UART0_IO_BASE	(u8 *) 0xE0000200
   3.175 --#define UART1_IO_BASE	(u8 *) 0xE0000300
   3.176 -+#define UART0_IO_BASE	0xE0000200
   3.177 -+#define UART1_IO_BASE	0xE0000300
   3.178 - 
   3.179 - #define BASE_BAUD	11059200/16
   3.180 - #define STD_UART_OP(num)					\
   3.181 -diff -Nru a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
   3.182 ---- a/arch/sparc/kernel/ptrace.c	2005-05-11 15:43:53 -07:00
   3.183 -+++ b/arch/sparc/kernel/ptrace.c	2005-05-11 15:43:53 -07:00
   3.184 -@@ -531,18 +531,6 @@
   3.185 - 			pt_error_return(regs, EIO);
   3.186 - 			goto out_tsk;
   3.187 - 		}
   3.188 --		if (addr != 1) {
   3.189 --			if (addr & 3) {
   3.190 --				pt_error_return(regs, EINVAL);
   3.191 --				goto out_tsk;
   3.192 --			}
   3.193 --#ifdef DEBUG_PTRACE
   3.194 --			printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
   3.195 --			printk ("Continuing with %08lx %08lx\n", addr, addr+4);
   3.196 --#endif
   3.197 --			child->thread.kregs->pc = addr;
   3.198 --			child->thread.kregs->npc = addr + 4;
   3.199 --		}
   3.200 - 
   3.201 - 		if (request == PTRACE_SYSCALL)
   3.202 - 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   3.203 -diff -Nru a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
   3.204 ---- a/arch/sparc64/kernel/ptrace.c	2005-05-11 15:43:53 -07:00
   3.205 -+++ b/arch/sparc64/kernel/ptrace.c	2005-05-11 15:43:53 -07:00
   3.206 -@@ -514,25 +514,6 @@
   3.207 - 			pt_error_return(regs, EIO);
   3.208 - 			goto out_tsk;
   3.209 - 		}
   3.210 --		if (addr != 1) {
   3.211 --			unsigned long pc_mask = ~0UL;
   3.212 --
   3.213 --			if ((child->thread_info->flags & _TIF_32BIT) != 0)
   3.214 --				pc_mask = 0xffffffff;
   3.215 --
   3.216 --			if (addr & 3) {
   3.217 --				pt_error_return(regs, EINVAL);
   3.218 --				goto out_tsk;
   3.219 --			}
   3.220 --#ifdef DEBUG_PTRACE
   3.221 --			printk ("Original: %016lx %016lx\n",
   3.222 --				child->thread_info->kregs->tpc,
   3.223 --				child->thread_info->kregs->tnpc);
   3.224 --			printk ("Continuing with %016lx %016lx\n", addr, addr+4);
   3.225 --#endif
   3.226 --			child->thread_info->kregs->tpc = (addr & pc_mask);
   3.227 --			child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
   3.228 --		}
   3.229 - 
   3.230 - 		if (request == PTRACE_SYSCALL) {
   3.231 - 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   3.232 -diff -Nru a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
   3.233 ---- a/arch/sparc64/kernel/signal32.c	2005-05-11 15:43:53 -07:00
   3.234 -+++ b/arch/sparc64/kernel/signal32.c	2005-05-11 15:43:53 -07:00
   3.235 -@@ -192,9 +192,12 @@
   3.236 - 			err |= __put_user(from->si_uid, &to->si_uid);
   3.237 - 			break;
   3.238 - 		case __SI_FAULT >> 16:
   3.239 --		case __SI_POLL >> 16:
   3.240 - 			err |= __put_user(from->si_trapno, &to->si_trapno);
   3.241 - 			err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
   3.242 -+			break;
   3.243 -+		case __SI_POLL >> 16:
   3.244 -+			err |= __put_user(from->si_band, &to->si_band);
   3.245 -+			err |= __put_user(from->si_fd, &to->si_fd);
   3.246 - 			break;
   3.247 - 		case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
   3.248 - 		case __SI_MESGQ >> 16:
   3.249 -diff -Nru a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
   3.250 ---- a/arch/sparc64/kernel/systbls.S	2005-05-11 15:43:53 -07:00
   3.251 -+++ b/arch/sparc64/kernel/systbls.S	2005-05-11 15:43:53 -07:00
   3.252 -@@ -75,7 +75,7 @@
   3.253 - /*260*/	.word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
   3.254 - 	.word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
   3.255 - /*270*/	.word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
   3.256 --	.word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   3.257 -+	.word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   3.258 - /*280*/	.word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
   3.259 - 
   3.260 - #endif /* CONFIG_COMPAT */
   3.261 -diff -Nru a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
   3.262 ---- a/arch/um/include/sysdep-i386/syscalls.h	2005-05-11 15:43:53 -07:00
   3.263 -+++ b/arch/um/include/sysdep-i386/syscalls.h	2005-05-11 15:43:53 -07:00
   3.264 -@@ -23,6 +23,9 @@
   3.265 - 		      unsigned long prot, unsigned long flags,
   3.266 - 		      unsigned long fd, unsigned long pgoff);
   3.267 - 
   3.268 -+/* On i386 they choose a meaningless naming.*/
   3.269 -+#define __NR_kexec_load __NR_sys_kexec_load
   3.270 -+
   3.271 - #define ARCH_SYSCALLS \
   3.272 - 	[ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
   3.273 - 	[ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
   3.274 -@@ -101,15 +104,12 @@
   3.275 - 	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.276 - 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.277 - 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.278 --	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   3.279 - 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.280 --        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   3.281 --	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   3.282 --	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   3.283 --        
   3.284 -+	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   3.285 -+
   3.286 - /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
   3.287 - 
   3.288 --#define LAST_ARCH_SYSCALL __NR_vserver
   3.289 -+#define LAST_ARCH_SYSCALL 285
   3.290 - 
   3.291 - /*
   3.292 -  * Overrides for Emacs so that we follow Linus's tabbing style.
   3.293 -diff -Nru a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
   3.294 ---- a/arch/um/include/sysdep-x86_64/syscalls.h	2005-05-11 15:43:53 -07:00
   3.295 -+++ b/arch/um/include/sysdep-x86_64/syscalls.h	2005-05-11 15:43:53 -07:00
   3.296 -@@ -71,12 +71,7 @@
   3.297 - 	[ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
   3.298 - 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.299 - 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.300 --        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   3.301 - 	[ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
   3.302 --	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   3.303 --	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.304 --	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   3.305 --	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
   3.306 - 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall,
   3.307 - 
   3.308 - #define LAST_ARCH_SYSCALL 251
   3.309 -diff -Nru a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
   3.310 ---- a/arch/um/kernel/skas/uaccess.c	2005-05-11 15:43:53 -07:00
   3.311 -+++ b/arch/um/kernel/skas/uaccess.c	2005-05-11 15:43:53 -07:00
   3.312 -@@ -61,7 +61,8 @@
   3.313 - 	void *arg;
   3.314 - 	int *res;
   3.315 - 
   3.316 --	va_copy(args, *(va_list *)arg_ptr);
   3.317 -+	/* Some old gccs recognize __va_copy, but not va_copy */
   3.318 -+	__va_copy(args, *(va_list *)arg_ptr);
   3.319 - 	addr = va_arg(args, unsigned long);
   3.320 - 	len = va_arg(args, int);
   3.321 - 	is_write = va_arg(args, int);
   3.322 -diff -Nru a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
   3.323 ---- a/arch/um/kernel/sys_call_table.c	2005-05-11 15:43:53 -07:00
   3.324 -+++ b/arch/um/kernel/sys_call_table.c	2005-05-11 15:43:53 -07:00
   3.325 -@@ -48,7 +48,6 @@
   3.326 - extern syscall_handler_t old_select;
   3.327 - extern syscall_handler_t sys_modify_ldt;
   3.328 - extern syscall_handler_t sys_rt_sigsuspend;
   3.329 --extern syscall_handler_t sys_vserver;
   3.330 - extern syscall_handler_t sys_mbind;
   3.331 - extern syscall_handler_t sys_get_mempolicy;
   3.332 - extern syscall_handler_t sys_set_mempolicy;
   3.333 -@@ -242,6 +241,7 @@
   3.334 - 	[ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
   3.335 - 	[ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
   3.336 - 	[ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
   3.337 -+	[ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
   3.338 -         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
   3.339 - 	[ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
   3.340 - 	[ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
   3.341 -@@ -252,12 +252,10 @@
   3.342 - 	[ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
   3.343 - 	[ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
   3.344 - 	[ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
   3.345 --	[ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
   3.346 --	[ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
   3.347 - 	[ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
   3.348 - 	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
   3.349 --	[ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
   3.350 --	[ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
   3.351 -+	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
   3.352 -+	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   3.353 - 	[ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
   3.354 - 	[ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
   3.355 - 	[ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
   3.356 -@@ -267,9 +265,8 @@
   3.357 - 	[ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
   3.358 - 	[ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
   3.359 - 	[ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
   3.360 --	[ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   3.361 -+	[ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   3.362 - 	[ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
   3.363 --	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   3.364 - 	[ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
   3.365 - 	[ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
   3.366 - 	[ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
   3.367 -diff -Nru a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
   3.368 ---- a/drivers/char/drm/drm_ioctl.c	2005-05-11 15:43:53 -07:00
   3.369 -+++ b/drivers/char/drm/drm_ioctl.c	2005-05-11 15:43:53 -07:00
   3.370 -@@ -326,6 +326,8 @@
   3.371 - 
   3.372 - 	DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
   3.373 - 
   3.374 -+	memset(&version, 0, sizeof(version));
   3.375 -+
   3.376 - 	dev->driver->version(&version);
   3.377 - 	retv.drm_di_major = DRM_IF_MAJOR;
   3.378 - 	retv.drm_di_minor = DRM_IF_MINOR;
   3.379 -diff -Nru a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
   3.380 ---- a/drivers/i2c/chips/eeprom.c	2005-05-11 15:43:53 -07:00
   3.381 -+++ b/drivers/i2c/chips/eeprom.c	2005-05-11 15:43:53 -07:00
   3.382 -@@ -130,7 +130,8 @@
   3.383 - 
   3.384 - 	/* Hide Vaio security settings to regular users (16 first bytes) */
   3.385 - 	if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
   3.386 --		int in_row1 = 16 - off;
   3.387 -+		size_t in_row1 = 16 - off;
   3.388 -+		in_row1 = min(in_row1, count);
   3.389 - 		memset(buf, 0, in_row1);
   3.390 - 		if (count - in_row1 > 0)
   3.391 - 			memcpy(buf + in_row1, &data->data[16], count - in_row1);
   3.392 -diff -Nru a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
   3.393 ---- a/drivers/i2c/chips/it87.c	2005-05-11 15:43:53 -07:00
   3.394 -+++ b/drivers/i2c/chips/it87.c	2005-05-11 15:43:53 -07:00
   3.395 -@@ -631,7 +631,7 @@
   3.396 - 	struct it87_data *data = it87_update_device(dev);
   3.397 - 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   3.398 - }
   3.399 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   3.400 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   3.401 - 
   3.402 - static ssize_t
   3.403 - show_vrm_reg(struct device *dev, char *buf)
   3.404 -diff -Nru a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
   3.405 ---- a/drivers/i2c/chips/via686a.c	2005-05-11 15:43:53 -07:00
   3.406 -+++ b/drivers/i2c/chips/via686a.c	2005-05-11 15:43:53 -07:00
   3.407 -@@ -554,7 +554,7 @@
   3.408 - 	struct via686a_data *data = via686a_update_device(dev);
   3.409 - 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   3.410 - }
   3.411 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   3.412 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   3.413 - 
   3.414 - /* The driver. I choose to use type i2c_driver, as at is identical to both
   3.415 -    smbus_driver and isa_driver, and clients could be of either kind */
   3.416 -diff -Nru a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
   3.417 ---- a/drivers/input/serio/i8042-x86ia64io.h	2005-05-11 15:43:53 -07:00
   3.418 -+++ b/drivers/input/serio/i8042-x86ia64io.h	2005-05-11 15:43:53 -07:00
   3.419 -@@ -88,7 +88,7 @@
   3.420 - };
   3.421 - #endif
   3.422 - 
   3.423 --#ifdef CONFIG_ACPI
   3.424 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.425 - #include <linux/acpi.h>
   3.426 - #include <acpi/acpi_bus.h>
   3.427 - 
   3.428 -@@ -281,7 +281,7 @@
   3.429 - 	i8042_kbd_irq = I8042_MAP_IRQ(1);
   3.430 - 	i8042_aux_irq = I8042_MAP_IRQ(12);
   3.431 - 
   3.432 --#ifdef CONFIG_ACPI
   3.433 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.434 - 	if (i8042_acpi_init())
   3.435 - 		return -1;
   3.436 - #endif
   3.437 -@@ -300,7 +300,7 @@
   3.438 - 
   3.439 - static inline void i8042_platform_exit(void)
   3.440 - {
   3.441 --#ifdef CONFIG_ACPI
   3.442 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.443 - 	i8042_acpi_exit();
   3.444 - #endif
   3.445 - }
   3.446 -diff -Nru a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
   3.447 ---- a/drivers/md/raid6altivec.uc	2005-05-11 15:43:53 -07:00
   3.448 -+++ b/drivers/md/raid6altivec.uc	2005-05-11 15:43:53 -07:00
   3.449 -@@ -108,7 +108,11 @@
   3.450 - int raid6_have_altivec(void)
   3.451 - {
   3.452 - 	/* This assumes either all CPUs have Altivec or none does */
   3.453 -+#ifdef CONFIG_PPC64
   3.454 - 	return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
   3.455 -+#else
   3.456 -+	return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
   3.457 -+#endif
   3.458 - }
   3.459 - #endif
   3.460 - 
   3.461 -diff -Nru a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
   3.462 ---- a/drivers/media/video/adv7170.c	2005-05-11 15:43:53 -07:00
   3.463 -+++ b/drivers/media/video/adv7170.c	2005-05-11 15:43:53 -07:00
   3.464 -@@ -130,7 +130,7 @@
   3.465 - 		u8 block_data[32];
   3.466 - 
   3.467 - 		msg.addr = client->addr;
   3.468 --		msg.flags = client->flags;
   3.469 -+		msg.flags = 0;
   3.470 - 		while (len >= 2) {
   3.471 - 			msg.buf = (char *) block_data;
   3.472 - 			msg.len = 0;
   3.473 -diff -Nru a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
   3.474 ---- a/drivers/media/video/adv7175.c	2005-05-11 15:43:53 -07:00
   3.475 -+++ b/drivers/media/video/adv7175.c	2005-05-11 15:43:53 -07:00
   3.476 -@@ -126,7 +126,7 @@
   3.477 - 		u8 block_data[32];
   3.478 - 
   3.479 - 		msg.addr = client->addr;
   3.480 --		msg.flags = client->flags;
   3.481 -+		msg.flags = 0;
   3.482 - 		while (len >= 2) {
   3.483 - 			msg.buf = (char *) block_data;
   3.484 - 			msg.len = 0;
   3.485 -diff -Nru a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
   3.486 ---- a/drivers/media/video/bt819.c	2005-05-11 15:43:53 -07:00
   3.487 -+++ b/drivers/media/video/bt819.c	2005-05-11 15:43:53 -07:00
   3.488 -@@ -146,7 +146,7 @@
   3.489 - 		u8 block_data[32];
   3.490 - 
   3.491 - 		msg.addr = client->addr;
   3.492 --		msg.flags = client->flags;
   3.493 -+		msg.flags = 0;
   3.494 - 		while (len >= 2) {
   3.495 - 			msg.buf = (char *) block_data;
   3.496 - 			msg.len = 0;
   3.497 -diff -Nru a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
   3.498 ---- a/drivers/media/video/bttv-cards.c	2005-05-11 15:43:53 -07:00
   3.499 -+++ b/drivers/media/video/bttv-cards.c	2005-05-11 15:43:53 -07:00
   3.500 -@@ -2718,8 +2718,6 @@
   3.501 -         }
   3.502 - 	btv->pll.pll_current = -1;
   3.503 - 
   3.504 --	bttv_reset_audio(btv);
   3.505 --
   3.506 - 	/* tuner configuration (from card list / autodetect / insmod option) */
   3.507 -  	if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
   3.508 - 		if(UNSET == btv->tuner_type)
   3.509 -diff -Nru a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
   3.510 ---- a/drivers/media/video/saa7110.c	2005-05-11 15:43:53 -07:00
   3.511 -+++ b/drivers/media/video/saa7110.c	2005-05-11 15:43:53 -07:00
   3.512 -@@ -60,8 +60,10 @@
   3.513 - 
   3.514 - #define	I2C_SAA7110		0x9C	/* or 0x9E */
   3.515 - 
   3.516 -+#define SAA7110_NR_REG		0x35
   3.517 -+
   3.518 - struct saa7110 {
   3.519 --	unsigned char reg[54];
   3.520 -+	u8 reg[SAA7110_NR_REG];
   3.521 - 
   3.522 - 	int norm;
   3.523 - 	int input;
   3.524 -@@ -95,31 +97,28 @@
   3.525 - 		     unsigned int       len)
   3.526 - {
   3.527 - 	int ret = -1;
   3.528 --	u8 reg = *data++;
   3.529 -+	u8 reg = *data;		/* first register to write to */
   3.530 - 
   3.531 --	len--;
   3.532 -+	/* Sanity check */
   3.533 -+	if (reg + (len - 1) > SAA7110_NR_REG)
   3.534 -+		return ret;
   3.535 - 
   3.536 - 	/* the saa7110 has an autoincrement function, use it if
   3.537 - 	 * the adapter understands raw I2C */
   3.538 - 	if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
   3.539 - 		struct saa7110 *decoder = i2c_get_clientdata(client);
   3.540 - 		struct i2c_msg msg;
   3.541 --		u8 block_data[54];
   3.542 - 
   3.543 --		msg.len = 0;
   3.544 --		msg.buf = (char *) block_data;
   3.545 -+		msg.len = len;
   3.546 -+		msg.buf = (char *) data;
   3.547 - 		msg.addr = client->addr;
   3.548 --		msg.flags = client->flags;
   3.549 --		while (len >= 1) {
   3.550 --			msg.len = 0;
   3.551 --			block_data[msg.len++] = reg;
   3.552 --			while (len-- >= 1 && msg.len < 54)
   3.553 --				block_data[msg.len++] =
   3.554 --				    decoder->reg[reg++] = *data++;
   3.555 --			ret = i2c_transfer(client->adapter, &msg, 1);
   3.556 --		}
   3.557 -+		msg.flags = 0;
   3.558 -+		ret = i2c_transfer(client->adapter, &msg, 1);
   3.559 -+
   3.560 -+		/* Cache the written data */
   3.561 -+		memcpy(decoder->reg + reg, data + 1, len - 1);
   3.562 - 	} else {
   3.563 --		while (len-- >= 1) {
   3.564 -+		for (++data, --len; len; len--) {
   3.565 - 			if ((ret = saa7110_write(client, reg++,
   3.566 - 						 *data++)) < 0)
   3.567 - 				break;
   3.568 -@@ -192,7 +191,7 @@
   3.569 - 	return 0;
   3.570 - }
   3.571 - 
   3.572 --static const unsigned char initseq[] = {
   3.573 -+static const unsigned char initseq[1 + SAA7110_NR_REG] = {
   3.574 - 	0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
   3.575 - 	/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
   3.576 - 	/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
   3.577 -diff -Nru a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
   3.578 ---- a/drivers/media/video/saa7114.c	2005-05-11 15:43:53 -07:00
   3.579 -+++ b/drivers/media/video/saa7114.c	2005-05-11 15:43:53 -07:00
   3.580 -@@ -163,7 +163,7 @@
   3.581 - 		u8 block_data[32];
   3.582 - 
   3.583 - 		msg.addr = client->addr;
   3.584 --		msg.flags = client->flags;
   3.585 -+		msg.flags = 0;
   3.586 - 		while (len >= 2) {
   3.587 - 			msg.buf = (char *) block_data;
   3.588 - 			msg.len = 0;
   3.589 -diff -Nru a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
   3.590 ---- a/drivers/media/video/saa7185.c	2005-05-11 15:43:53 -07:00
   3.591 -+++ b/drivers/media/video/saa7185.c	2005-05-11 15:43:53 -07:00
   3.592 -@@ -118,7 +118,7 @@
   3.593 - 		u8 block_data[32];
   3.594 - 
   3.595 - 		msg.addr = client->addr;
   3.596 --		msg.flags = client->flags;
   3.597 -+		msg.flags = 0;
   3.598 - 		while (len >= 2) {
   3.599 - 			msg.buf = (char *) block_data;
   3.600 - 			msg.len = 0;
   3.601 -diff -Nru a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
   3.602 ---- a/drivers/net/amd8111e.c	2005-05-11 15:43:53 -07:00
   3.603 -+++ b/drivers/net/amd8111e.c	2005-05-11 15:43:53 -07:00
   3.604 -@@ -1381,6 +1381,8 @@
   3.605 - 
   3.606 - 	if(amd8111e_restart(dev)){
   3.607 - 		spin_unlock_irq(&lp->lock);
   3.608 -+		if (dev->irq)
   3.609 -+			free_irq(dev->irq, dev);
   3.610 - 		return -ENOMEM;
   3.611 - 	}
   3.612 - 	/* Start ipg timer */
   3.613 -diff -Nru a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
   3.614 ---- a/drivers/net/ppp_async.c	2005-05-11 15:43:53 -07:00
   3.615 -+++ b/drivers/net/ppp_async.c	2005-05-11 15:43:53 -07:00
   3.616 -@@ -1000,7 +1000,7 @@
   3.617 - 	data += 4;
   3.618 - 	dlen -= 4;
   3.619 - 	/* data[0] is code, data[1] is length */
   3.620 --	while (dlen >= 2 && dlen >= data[1]) {
   3.621 -+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
   3.622 - 		switch (data[0]) {
   3.623 - 		case LCP_MRU:
   3.624 - 			val = (data[2] << 8) + data[3];
   3.625 -diff -Nru a/drivers/net/r8169.c b/drivers/net/r8169.c
   3.626 ---- a/drivers/net/r8169.c	2005-05-11 15:43:53 -07:00
   3.627 -+++ b/drivers/net/r8169.c	2005-05-11 15:43:53 -07:00
   3.628 -@@ -1683,16 +1683,19 @@
   3.629 - 	rtl8169_make_unusable_by_asic(desc);
   3.630 - }
   3.631 - 
   3.632 --static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
   3.633 -+static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
   3.634 - {
   3.635 --	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   3.636 -+	u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
   3.637 -+
   3.638 -+	desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
   3.639 - }
   3.640 - 
   3.641 --static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   3.642 --					int rx_buf_sz)
   3.643 -+static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   3.644 -+				       u32 rx_buf_sz)
   3.645 - {
   3.646 - 	desc->addr = cpu_to_le64(mapping);
   3.647 --	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   3.648 -+	wmb();
   3.649 -+	rtl8169_mark_to_asic(desc, rx_buf_sz);
   3.650 - }
   3.651 - 
   3.652 - static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
   3.653 -@@ -1712,7 +1715,7 @@
   3.654 - 	mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
   3.655 - 				 PCI_DMA_FROMDEVICE);
   3.656 - 
   3.657 --	rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
   3.658 -+	rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
   3.659 - 
   3.660 - out:
   3.661 - 	return ret;
   3.662 -@@ -2150,7 +2153,7 @@
   3.663 - 			skb_reserve(skb, NET_IP_ALIGN);
   3.664 - 			eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
   3.665 - 			*sk_buff = skb;
   3.666 --			rtl8169_return_to_asic(desc, rx_buf_sz);
   3.667 -+			rtl8169_mark_to_asic(desc, rx_buf_sz);
   3.668 - 			ret = 0;
   3.669 - 		}
   3.670 - 	}
   3.671 -diff -Nru a/drivers/net/sis900.c b/drivers/net/sis900.c
   3.672 ---- a/drivers/net/sis900.c	2005-05-11 15:43:53 -07:00
   3.673 -+++ b/drivers/net/sis900.c	2005-05-11 15:43:53 -07:00
   3.674 -@@ -236,7 +236,7 @@
   3.675 - 	signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
   3.676 - 	if (signature == 0xffff || signature == 0x0000) {
   3.677 - 		printk (KERN_INFO "%s: Error EERPOM read %x\n", 
   3.678 --			net_dev->name, signature);
   3.679 -+			pci_name(pci_dev), signature);
   3.680 - 		return 0;
   3.681 - 	}
   3.682 - 
   3.683 -@@ -268,7 +268,7 @@
   3.684 - 	if (!isa_bridge)
   3.685 - 		isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
   3.686 - 	if (!isa_bridge) {
   3.687 --		printk("%s: Can not find ISA bridge\n", net_dev->name);
   3.688 -+		printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
   3.689 - 		return 0;
   3.690 - 	}
   3.691 - 	pci_read_config_byte(isa_bridge, 0x48, &reg);
   3.692 -@@ -456,10 +456,6 @@
   3.693 - 	net_dev->tx_timeout = sis900_tx_timeout;
   3.694 - 	net_dev->watchdog_timeo = TX_TIMEOUT;
   3.695 - 	net_dev->ethtool_ops = &sis900_ethtool_ops;
   3.696 --	
   3.697 --	ret = register_netdev(net_dev);
   3.698 --	if (ret)
   3.699 --		goto err_unmap_rx;
   3.700 - 		
   3.701 - 	/* Get Mac address according to the chip revision */
   3.702 - 	pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
   3.703 -@@ -476,7 +472,7 @@
   3.704 - 
   3.705 - 	if (ret == 0) {
   3.706 - 		ret = -ENODEV;
   3.707 --		goto err_out_unregister;
   3.708 -+		goto err_unmap_rx;
   3.709 - 	}
   3.710 - 	
   3.711 - 	/* 630ET : set the mii access mode as software-mode */
   3.712 -@@ -486,7 +482,7 @@
   3.713 - 	/* probe for mii transceiver */
   3.714 - 	if (sis900_mii_probe(net_dev) == 0) {
   3.715 - 		ret = -ENODEV;
   3.716 --		goto err_out_unregister;
   3.717 -+		goto err_unmap_rx;
   3.718 - 	}
   3.719 - 
   3.720 - 	/* save our host bridge revision */
   3.721 -@@ -496,6 +492,10 @@
   3.722 - 		pci_dev_put(dev);
   3.723 - 	}
   3.724 - 
   3.725 -+	ret = register_netdev(net_dev);
   3.726 -+	if (ret)
   3.727 -+		goto err_unmap_rx;
   3.728 -+
   3.729 - 	/* print some information about our NIC */
   3.730 - 	printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
   3.731 - 	       card_name, ioaddr, net_dev->irq);
   3.732 -@@ -505,8 +505,6 @@
   3.733 - 
   3.734 - 	return 0;
   3.735 - 
   3.736 -- err_out_unregister:
   3.737 -- 	unregister_netdev(net_dev);
   3.738 -  err_unmap_rx:
   3.739 - 	pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
   3.740 - 		sis_priv->rx_ring_dma);
   3.741 -@@ -533,6 +531,7 @@
   3.742 - static int __init sis900_mii_probe(struct net_device * net_dev)
   3.743 - {
   3.744 - 	struct sis900_private * sis_priv = net_dev->priv;
   3.745 -+	const char *dev_name = pci_name(sis_priv->pci_dev);
   3.746 - 	u16 poll_bit = MII_STAT_LINK, status = 0;
   3.747 - 	unsigned long timeout = jiffies + 5 * HZ;
   3.748 - 	int phy_addr;
   3.749 -@@ -582,21 +581,20 @@
   3.750 - 					mii_phy->phy_types =
   3.751 - 					    (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
   3.752 - 				printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
   3.753 --				       net_dev->name, mii_chip_table[i].name,
   3.754 -+				       dev_name, mii_chip_table[i].name,
   3.755 - 				       phy_addr);
   3.756 - 				break;
   3.757 - 			}
   3.758 - 			
   3.759 - 		if( !mii_chip_table[i].phy_id1 ) {
   3.760 - 			printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
   3.761 --			       net_dev->name, phy_addr);
   3.762 -+			       dev_name, phy_addr);
   3.763 - 			mii_phy->phy_types = UNKNOWN;
   3.764 - 		}
   3.765 - 	}
   3.766 - 	
   3.767 - 	if (sis_priv->mii == NULL) {
   3.768 --		printk(KERN_INFO "%s: No MII transceivers found!\n",
   3.769 --			net_dev->name);
   3.770 -+		printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
   3.771 - 		return 0;
   3.772 - 	}
   3.773 - 
   3.774 -@@ -621,7 +619,7 @@
   3.775 - 			poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
   3.776 - 			if (time_after_eq(jiffies, timeout)) {
   3.777 - 				printk(KERN_WARNING "%s: reset phy and link down now\n",
   3.778 --					net_dev->name);
   3.779 -+				       dev_name);
   3.780 - 				return -ETIME;
   3.781 - 			}
   3.782 - 		}
   3.783 -@@ -691,7 +689,7 @@
   3.784 - 		sis_priv->mii = default_phy;
   3.785 - 		sis_priv->cur_phy = default_phy->phy_addr;
   3.786 - 		printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
   3.787 --					net_dev->name,sis_priv->cur_phy);
   3.788 -+		       pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
   3.789 - 	}
   3.790 - 	
   3.791 - 	status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
   3.792 -diff -Nru a/drivers/net/tun.c b/drivers/net/tun.c
   3.793 ---- a/drivers/net/tun.c	2005-05-11 15:43:53 -07:00
   3.794 -+++ b/drivers/net/tun.c	2005-05-11 15:43:53 -07:00
   3.795 -@@ -229,7 +229,7 @@
   3.796 - 	size_t len = count;
   3.797 - 
   3.798 - 	if (!(tun->flags & TUN_NO_PI)) {
   3.799 --		if ((len -= sizeof(pi)) > len)
   3.800 -+		if ((len -= sizeof(pi)) > count)
   3.801 - 			return -EINVAL;
   3.802 - 
   3.803 - 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
   3.804 -diff -Nru a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
   3.805 ---- a/drivers/net/via-rhine.c	2005-05-11 15:43:53 -07:00
   3.806 -+++ b/drivers/net/via-rhine.c	2005-05-11 15:43:53 -07:00
   3.807 -@@ -1197,8 +1197,10 @@
   3.808 - 		       dev->name, rp->pdev->irq);
   3.809 - 
   3.810 - 	rc = alloc_ring(dev);
   3.811 --	if (rc)
   3.812 -+	if (rc) {
   3.813 -+		free_irq(rp->pdev->irq, dev);
   3.814 - 		return rc;
   3.815 -+	}
   3.816 - 	alloc_rbufs(dev);
   3.817 - 	alloc_tbufs(dev);
   3.818 - 	rhine_chip_reset(dev);
   3.819 -@@ -1898,6 +1900,9 @@
   3.820 - 	struct net_device *dev = pci_get_drvdata(pdev);
   3.821 - 	struct rhine_private *rp = netdev_priv(dev);
   3.822 - 	void __iomem *ioaddr = rp->base;
   3.823 -+
   3.824 -+	if (!(rp->quirks & rqWOL))
   3.825 -+		return; /* Nothing to do for non-WOL adapters */
   3.826 - 
   3.827 - 	rhine_power_init(dev);
   3.828 - 
   3.829 -diff -Nru a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
   3.830 ---- a/drivers/net/wan/hd6457x.c	2005-05-11 15:43:53 -07:00
   3.831 -+++ b/drivers/net/wan/hd6457x.c	2005-05-11 15:43:53 -07:00
   3.832 -@@ -315,7 +315,7 @@
   3.833 - #endif
   3.834 - 	stats->rx_packets++;
   3.835 - 	stats->rx_bytes += skb->len;
   3.836 --	skb->dev->last_rx = jiffies;
   3.837 -+	dev->last_rx = jiffies;
   3.838 - 	skb->protocol = hdlc_type_trans(skb, dev);
   3.839 - 	netif_rx(skb);
   3.840 - }
   3.841 -diff -Nru a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
   3.842 ---- a/drivers/pci/hotplug/pciehp_ctrl.c	2005-05-11 15:43:53 -07:00
   3.843 -+++ b/drivers/pci/hotplug/pciehp_ctrl.c	2005-05-11 15:43:53 -07:00
   3.844 -@@ -1354,10 +1354,11 @@
   3.845 - 				dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
   3.846 - 					ctrl->seg, func->bus, func->device, func->function);
   3.847 - 				bridge_slot_remove(func);
   3.848 --			} else
   3.849 -+			} else {
   3.850 - 				dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
   3.851 - 					ctrl->seg, func->bus, func->device, func->function);
   3.852 - 				slot_remove(func);
   3.853 -+			}
   3.854 - 
   3.855 - 			func = pciehp_slot_find(ctrl->slot_bus, device, 0);
   3.856 - 		}
   3.857 -diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
   3.858 ---- a/fs/binfmt_elf.c	2005-05-11 15:43:53 -07:00
   3.859 -+++ b/fs/binfmt_elf.c	2005-05-11 15:43:53 -07:00
   3.860 -@@ -257,7 +257,7 @@
   3.861 - 	}
   3.862 - 
   3.863 - 	/* Populate argv and envp */
   3.864 --	p = current->mm->arg_start;
   3.865 -+	p = current->mm->arg_end = current->mm->arg_start;
   3.866 - 	while (argc-- > 0) {
   3.867 - 		size_t len;
   3.868 - 		__put_user((elf_addr_t)p, argv++);
   3.869 -@@ -1008,6 +1008,7 @@
   3.870 - static int load_elf_library(struct file *file)
   3.871 - {
   3.872 - 	struct elf_phdr *elf_phdata;
   3.873 -+	struct elf_phdr *eppnt;
   3.874 - 	unsigned long elf_bss, bss, len;
   3.875 - 	int retval, error, i, j;
   3.876 - 	struct elfhdr elf_ex;
   3.877 -@@ -1031,44 +1032,47 @@
   3.878 - 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
   3.879 - 
   3.880 - 	error = -ENOMEM;
   3.881 --	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
   3.882 -+	elf_phdata = kmalloc(j, GFP_KERNEL);
   3.883 - 	if (!elf_phdata)
   3.884 - 		goto out;
   3.885 - 
   3.886 -+	eppnt = elf_phdata;
   3.887 - 	error = -ENOEXEC;
   3.888 --	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
   3.889 -+	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
   3.890 - 	if (retval != j)
   3.891 - 		goto out_free_ph;
   3.892 - 
   3.893 - 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
   3.894 --		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
   3.895 -+		if ((eppnt + i)->p_type == PT_LOAD)
   3.896 -+			j++;
   3.897 - 	if (j != 1)
   3.898 - 		goto out_free_ph;
   3.899 - 
   3.900 --	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
   3.901 -+	while (eppnt->p_type != PT_LOAD)
   3.902 -+		eppnt++;
   3.903 - 
   3.904 - 	/* Now use mmap to map the library into memory. */
   3.905 - 	down_write(&current->mm->mmap_sem);
   3.906 - 	error = do_mmap(file,
   3.907 --			ELF_PAGESTART(elf_phdata->p_vaddr),
   3.908 --			(elf_phdata->p_filesz +
   3.909 --			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
   3.910 -+			ELF_PAGESTART(eppnt->p_vaddr),
   3.911 -+			(eppnt->p_filesz +
   3.912 -+			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
   3.913 - 			PROT_READ | PROT_WRITE | PROT_EXEC,
   3.914 - 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
   3.915 --			(elf_phdata->p_offset -
   3.916 --			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
   3.917 -+			(eppnt->p_offset -
   3.918 -+			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
   3.919 - 	up_write(&current->mm->mmap_sem);
   3.920 --	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
   3.921 -+	if (error != ELF_PAGESTART(eppnt->p_vaddr))
   3.922 - 		goto out_free_ph;
   3.923 - 
   3.924 --	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
   3.925 -+	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
   3.926 - 	if (padzero(elf_bss)) {
   3.927 - 		error = -EFAULT;
   3.928 - 		goto out_free_ph;
   3.929 - 	}
   3.930 - 
   3.931 --	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
   3.932 --	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
   3.933 -+	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
   3.934 -+	bss = eppnt->p_memsz + eppnt->p_vaddr;
   3.935 - 	if (bss > len) {
   3.936 - 		down_write(&current->mm->mmap_sem);
   3.937 - 		do_brk(len, bss - len);
   3.938 -@@ -1275,7 +1279,7 @@
   3.939 - static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
   3.940 - 		       struct mm_struct *mm)
   3.941 - {
   3.942 --	int i, len;
   3.943 -+	unsigned int i, len;
   3.944 - 	
   3.945 - 	/* first copy the parameters from user space */
   3.946 - 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
   3.947 -diff -Nru a/fs/cramfs/inode.c b/fs/cramfs/inode.c
   3.948 ---- a/fs/cramfs/inode.c	2005-05-11 15:43:53 -07:00
   3.949 -+++ b/fs/cramfs/inode.c	2005-05-11 15:43:53 -07:00
   3.950 -@@ -70,6 +70,7 @@
   3.951 - 			inode->i_data.a_ops = &cramfs_aops;
   3.952 - 		} else {
   3.953 - 			inode->i_size = 0;
   3.954 -+			inode->i_blocks = 0;
   3.955 - 			init_special_inode(inode, inode->i_mode,
   3.956 - 				old_decode_dev(cramfs_inode->size));
   3.957 - 		}
   3.958 -diff -Nru a/fs/eventpoll.c b/fs/eventpoll.c
   3.959 ---- a/fs/eventpoll.c	2005-05-11 15:43:53 -07:00
   3.960 -+++ b/fs/eventpoll.c	2005-05-11 15:43:53 -07:00
   3.961 -@@ -619,6 +619,7 @@
   3.962 - 	return error;
   3.963 - }
   3.964 - 
   3.965 -+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
   3.966 - 
   3.967 - /*
   3.968 -  * Implement the event wait interface for the eventpoll file. It is the kernel
   3.969 -@@ -635,7 +636,7 @@
   3.970 - 		     current, epfd, events, maxevents, timeout));
   3.971 - 
   3.972 - 	/* The maximum number of event must be greater than zero */
   3.973 --	if (maxevents <= 0)
   3.974 -+	if (maxevents <= 0 || maxevents > MAX_EVENTS)
   3.975 - 		return -EINVAL;
   3.976 - 
   3.977 - 	/* Verify that the area passed by the user is writeable */
   3.978 -diff -Nru a/fs/exec.c b/fs/exec.c
   3.979 ---- a/fs/exec.c	2005-05-11 15:43:53 -07:00
   3.980 -+++ b/fs/exec.c	2005-05-11 15:43:53 -07:00
   3.981 -@@ -814,7 +814,7 @@
   3.982 - {
   3.983 - 	/* buf must be at least sizeof(tsk->comm) in size */
   3.984 - 	task_lock(tsk);
   3.985 --	memcpy(buf, tsk->comm, sizeof(tsk->comm));
   3.986 -+	strncpy(buf, tsk->comm, sizeof(tsk->comm));
   3.987 - 	task_unlock(tsk);
   3.988 - }
   3.989 - 
   3.990 -diff -Nru a/fs/ext2/dir.c b/fs/ext2/dir.c
   3.991 ---- a/fs/ext2/dir.c	2005-05-11 15:43:53 -07:00
   3.992 -+++ b/fs/ext2/dir.c	2005-05-11 15:43:53 -07:00
   3.993 -@@ -592,6 +592,7 @@
   3.994 - 		goto fail;
   3.995 - 	}
   3.996 - 	kaddr = kmap_atomic(page, KM_USER0);
   3.997 -+       memset(kaddr, 0, chunk_size);
   3.998 - 	de = (struct ext2_dir_entry_2 *)kaddr;
   3.999 - 	de->name_len = 1;
  3.1000 - 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
  3.1001 -diff -Nru a/fs/isofs/inode.c b/fs/isofs/inode.c
  3.1002 ---- a/fs/isofs/inode.c	2005-05-11 15:43:53 -07:00
  3.1003 -+++ b/fs/isofs/inode.c	2005-05-11 15:43:53 -07:00
  3.1004 -@@ -685,6 +685,8 @@
  3.1005 - 	  sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
  3.1006 - 	  sbi->s_max_size = isonum_733(h_pri->volume_space_size);
  3.1007 - 	} else {
  3.1008 -+	  if (!pri)
  3.1009 -+	    goto out_freebh;
  3.1010 - 	  rootp = (struct iso_directory_record *) pri->root_directory_record;
  3.1011 - 	  sbi->s_nzones = isonum_733 (pri->volume_space_size);
  3.1012 - 	  sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
  3.1013 -@@ -1394,6 +1396,9 @@
  3.1014 - 	unsigned long hashval;
  3.1015 - 	struct inode *inode;
  3.1016 - 	struct isofs_iget5_callback_data data;
  3.1017 -+
  3.1018 -+	if (offset >= 1ul << sb->s_blocksize_bits)
  3.1019 -+		return NULL;
  3.1020 - 
  3.1021 - 	data.block = block;
  3.1022 - 	data.offset = offset;
  3.1023 -diff -Nru a/fs/isofs/rock.c b/fs/isofs/rock.c
  3.1024 ---- a/fs/isofs/rock.c	2005-05-11 15:43:53 -07:00
  3.1025 -+++ b/fs/isofs/rock.c	2005-05-11 15:43:53 -07:00
  3.1026 -@@ -53,6 +53,7 @@
  3.1027 -   if(LEN & 1) LEN++;						\
  3.1028 -   CHR = ((unsigned char *) DE) + LEN;				\
  3.1029 -   LEN = *((unsigned char *) DE) - LEN;                          \
  3.1030 -+  if (LEN<0) LEN=0;                                             \
  3.1031 -   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
  3.1032 -   {                                                             \
  3.1033 -      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
  3.1034 -@@ -73,6 +74,10 @@
  3.1035 -     offset1 = 0; \
  3.1036 -     pbh = sb_bread(DEV->i_sb, block); \
  3.1037 -     if(pbh){       \
  3.1038 -+      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
  3.1039 -+	brelse(pbh); \
  3.1040 -+	goto out; \
  3.1041 -+      } \
  3.1042 -       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
  3.1043 -       brelse(pbh); \
  3.1044 -       chr = (unsigned char *) buffer; \
  3.1045 -@@ -103,12 +108,13 @@
  3.1046 -     struct rock_ridge * rr;
  3.1047 -     int sig;
  3.1048 -     
  3.1049 --    while (len > 1){ /* There may be one byte for padding somewhere */
  3.1050 -+    while (len > 2){ /* There may be one byte for padding somewhere */
  3.1051 -       rr = (struct rock_ridge *) chr;
  3.1052 --      if (rr->len == 0) goto out; /* Something got screwed up here */
  3.1053 -+      if (rr->len < 3) goto out; /* Something got screwed up here */
  3.1054 -       sig = isonum_721(chr);
  3.1055 -       chr += rr->len; 
  3.1056 -       len -= rr->len;
  3.1057 -+      if (len < 0) goto out;	/* corrupted isofs */
  3.1058 - 
  3.1059 -       switch(sig){
  3.1060 -       case SIG('R','R'):
  3.1061 -@@ -122,6 +128,7 @@
  3.1062 - 	break;
  3.1063 -       case SIG('N','M'):
  3.1064 - 	if (truncate) break;
  3.1065 -+	if (rr->len < 5) break;
  3.1066 -         /*
  3.1067 - 	 * If the flags are 2 or 4, this indicates '.' or '..'.
  3.1068 - 	 * We don't want to do anything with this, because it
  3.1069 -@@ -186,12 +193,13 @@
  3.1070 -     struct rock_ridge * rr;
  3.1071 -     int rootflag;
  3.1072 -     
  3.1073 --    while (len > 1){ /* There may be one byte for padding somewhere */
  3.1074 -+    while (len > 2){ /* There may be one byte for padding somewhere */
  3.1075 -       rr = (struct rock_ridge *) chr;
  3.1076 --      if (rr->len == 0) goto out; /* Something got screwed up here */
  3.1077 -+      if (rr->len < 3) goto out; /* Something got screwed up here */
  3.1078 -       sig = isonum_721(chr);
  3.1079 -       chr += rr->len; 
  3.1080 -       len -= rr->len;
  3.1081 -+      if (len < 0) goto out;	/* corrupted isofs */
  3.1082 -       
  3.1083 -       switch(sig){
  3.1084 - #ifndef CONFIG_ZISOFS		/* No flag for SF or ZF */
  3.1085 -@@ -462,7 +470,7 @@
  3.1086 - 	struct rock_ridge *rr;
  3.1087 - 
  3.1088 - 	if (!ISOFS_SB(inode->i_sb)->s_rock)
  3.1089 --		panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
  3.1090 -+		goto error;
  3.1091 - 
  3.1092 - 	block = ei->i_iget5_block;
  3.1093 - 	lock_kernel();
  3.1094 -@@ -487,13 +495,15 @@
  3.1095 - 	SETUP_ROCK_RIDGE(raw_inode, chr, len);
  3.1096 - 
  3.1097 -       repeat:
  3.1098 --	while (len > 1) { /* There may be one byte for padding somewhere */
  3.1099 -+	while (len > 2) { /* There may be one byte for padding somewhere */
  3.1100 - 		rr = (struct rock_ridge *) chr;
  3.1101 --		if (rr->len == 0)
  3.1102 -+		if (rr->len < 3)
  3.1103 - 			goto out;	/* Something got screwed up here */
  3.1104 - 		sig = isonum_721(chr);
  3.1105 - 		chr += rr->len;
  3.1106 - 		len -= rr->len;
  3.1107 -+		if (len < 0)
  3.1108 -+			goto out;	/* corrupted isofs */
  3.1109 - 
  3.1110 - 		switch (sig) {
  3.1111 - 		case SIG('R', 'R'):
  3.1112 -@@ -543,6 +553,7 @@
  3.1113 -       fail:
  3.1114 - 	brelse(bh);
  3.1115 - 	unlock_kernel();
  3.1116 -+      error:
  3.1117 - 	SetPageError(page);
  3.1118 - 	kunmap(page);
  3.1119 - 	unlock_page(page);
  3.1120 -diff -Nru a/fs/jbd/transaction.c b/fs/jbd/transaction.c
  3.1121 ---- a/fs/jbd/transaction.c	2005-05-11 15:43:53 -07:00
  3.1122 -+++ b/fs/jbd/transaction.c	2005-05-11 15:43:53 -07:00
  3.1123 -@@ -1775,10 +1775,10 @@
  3.1124 - 			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  3.1125 - 			ret = __dispose_buffer(jh,
  3.1126 - 					journal->j_running_transaction);
  3.1127 -+			journal_put_journal_head(jh);
  3.1128 - 			spin_unlock(&journal->j_list_lock);
  3.1129 - 			jbd_unlock_bh_state(bh);
  3.1130 - 			spin_unlock(&journal->j_state_lock);
  3.1131 --			journal_put_journal_head(jh);
  3.1132 - 			return ret;
  3.1133 - 		} else {
  3.1134 - 			/* There is no currently-running transaction. So the
  3.1135 -@@ -1789,10 +1789,10 @@
  3.1136 - 				JBUFFER_TRACE(jh, "give to committing trans");
  3.1137 - 				ret = __dispose_buffer(jh,
  3.1138 - 					journal->j_committing_transaction);
  3.1139 -+				journal_put_journal_head(jh);
  3.1140 - 				spin_unlock(&journal->j_list_lock);
  3.1141 - 				jbd_unlock_bh_state(bh);
  3.1142 - 				spin_unlock(&journal->j_state_lock);
  3.1143 --				journal_put_journal_head(jh);
  3.1144 - 				return ret;
  3.1145 - 			} else {
  3.1146 - 				/* The orphan record's transaction has
  3.1147 -@@ -1813,10 +1813,10 @@
  3.1148 - 					journal->j_running_transaction);
  3.1149 - 			jh->b_next_transaction = NULL;
  3.1150 - 		}
  3.1151 -+		journal_put_journal_head(jh);
  3.1152 - 		spin_unlock(&journal->j_list_lock);
  3.1153 - 		jbd_unlock_bh_state(bh);
  3.1154 - 		spin_unlock(&journal->j_state_lock);
  3.1155 --		journal_put_journal_head(jh);
  3.1156 - 		return 0;
  3.1157 - 	} else {
  3.1158 - 		/* Good, the buffer belongs to the running transaction.
  3.1159 -diff -Nru a/kernel/exit.c b/kernel/exit.c
  3.1160 ---- a/kernel/exit.c	2005-05-11 15:43:53 -07:00
  3.1161 -+++ b/kernel/exit.c	2005-05-11 15:43:53 -07:00
  3.1162 -@@ -516,8 +516,6 @@
  3.1163 - 	 */
  3.1164 - 	BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
  3.1165 - 	p->real_parent = reaper;
  3.1166 --	if (p->parent == p->real_parent)
  3.1167 --		BUG();
  3.1168 - }
  3.1169 - 
  3.1170 - static inline void reparent_thread(task_t *p, task_t *father, int traced)
  3.1171 -diff -Nru a/kernel/signal.c b/kernel/signal.c
  3.1172 ---- a/kernel/signal.c	2005-05-11 15:43:53 -07:00
  3.1173 -+++ b/kernel/signal.c	2005-05-11 15:43:53 -07:00
  3.1174 -@@ -1728,6 +1728,7 @@
  3.1175 - 			 * with another processor delivering a stop signal,
  3.1176 - 			 * then the SIGCONT that wakes us up should clear it.
  3.1177 - 			 */
  3.1178 -+			read_unlock(&tasklist_lock);
  3.1179 - 			return 0;
  3.1180 - 		}
  3.1181 - 
  3.1182 -diff -Nru a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
  3.1183 ---- a/lib/rwsem-spinlock.c	2005-05-11 15:43:53 -07:00
  3.1184 -+++ b/lib/rwsem-spinlock.c	2005-05-11 15:43:53 -07:00
  3.1185 -@@ -140,12 +140,12 @@
  3.1186 - 
  3.1187 - 	rwsemtrace(sem, "Entering __down_read");
  3.1188 - 
  3.1189 --	spin_lock(&sem->wait_lock);
  3.1190 -+	spin_lock_irq(&sem->wait_lock);
  3.1191 - 
  3.1192 - 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  3.1193 - 		/* granted */
  3.1194 - 		sem->activity++;
  3.1195 --		spin_unlock(&sem->wait_lock);
  3.1196 -+		spin_unlock_irq(&sem->wait_lock);
  3.1197 - 		goto out;
  3.1198 - 	}
  3.1199 - 
  3.1200 -@@ -160,7 +160,7 @@
  3.1201 - 	list_add_tail(&waiter.list, &sem->wait_list);
  3.1202 - 
  3.1203 - 	/* we don't need to touch the semaphore struct anymore */
  3.1204 --	spin_unlock(&sem->wait_lock);
  3.1205 -+	spin_unlock_irq(&sem->wait_lock);
  3.1206 - 
  3.1207 - 	/* wait to be given the lock */
  3.1208 - 	for (;;) {
  3.1209 -@@ -181,10 +181,12 @@
  3.1210 -  */
  3.1211 - int fastcall __down_read_trylock(struct rw_semaphore *sem)
  3.1212 - {
  3.1213 -+	unsigned long flags;
  3.1214 - 	int ret = 0;
  3.1215 -+
  3.1216 - 	rwsemtrace(sem, "Entering __down_read_trylock");
  3.1217 - 
  3.1218 --	spin_lock(&sem->wait_lock);
  3.1219 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1220 - 
  3.1221 - 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  3.1222 - 		/* granted */
  3.1223 -@@ -192,7 +194,7 @@
  3.1224 - 		ret = 1;
  3.1225 - 	}
  3.1226 - 
  3.1227 --	spin_unlock(&sem->wait_lock);
  3.1228 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1229 - 
  3.1230 - 	rwsemtrace(sem, "Leaving __down_read_trylock");
  3.1231 - 	return ret;
  3.1232 -@@ -209,12 +211,12 @@
  3.1233 - 
  3.1234 - 	rwsemtrace(sem, "Entering __down_write");
  3.1235 - 
  3.1236 --	spin_lock(&sem->wait_lock);
  3.1237 -+	spin_lock_irq(&sem->wait_lock);
  3.1238 - 
  3.1239 - 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  3.1240 - 		/* granted */
  3.1241 - 		sem->activity = -1;
  3.1242 --		spin_unlock(&sem->wait_lock);
  3.1243 -+		spin_unlock_irq(&sem->wait_lock);
  3.1244 - 		goto out;
  3.1245 - 	}
  3.1246 - 
  3.1247 -@@ -229,7 +231,7 @@
  3.1248 - 	list_add_tail(&waiter.list, &sem->wait_list);
  3.1249 - 
  3.1250 - 	/* we don't need to touch the semaphore struct anymore */
  3.1251 --	spin_unlock(&sem->wait_lock);
  3.1252 -+	spin_unlock_irq(&sem->wait_lock);
  3.1253 - 
  3.1254 - 	/* wait to be given the lock */
  3.1255 - 	for (;;) {
  3.1256 -@@ -250,10 +252,12 @@
  3.1257 -  */
  3.1258 - int fastcall __down_write_trylock(struct rw_semaphore *sem)
  3.1259 - {
  3.1260 -+	unsigned long flags;
  3.1261 - 	int ret = 0;
  3.1262 -+
  3.1263 - 	rwsemtrace(sem, "Entering __down_write_trylock");
  3.1264 - 
  3.1265 --	spin_lock(&sem->wait_lock);
  3.1266 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1267 - 
  3.1268 - 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  3.1269 - 		/* granted */
  3.1270 -@@ -261,7 +265,7 @@
  3.1271 - 		ret = 1;
  3.1272 - 	}
  3.1273 - 
  3.1274 --	spin_unlock(&sem->wait_lock);
  3.1275 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1276 - 
  3.1277 - 	rwsemtrace(sem, "Leaving __down_write_trylock");
  3.1278 - 	return ret;
  3.1279 -@@ -272,14 +276,16 @@
  3.1280 -  */
  3.1281 - void fastcall __up_read(struct rw_semaphore *sem)
  3.1282 - {
  3.1283 -+	unsigned long flags;
  3.1284 -+
  3.1285 - 	rwsemtrace(sem, "Entering __up_read");
  3.1286 - 
  3.1287 --	spin_lock(&sem->wait_lock);
  3.1288 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1289 - 
  3.1290 - 	if (--sem->activity == 0 && !list_empty(&sem->wait_list))
  3.1291 - 		sem = __rwsem_wake_one_writer(sem);
  3.1292 - 
  3.1293 --	spin_unlock(&sem->wait_lock);
  3.1294 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1295 - 
  3.1296 - 	rwsemtrace(sem, "Leaving __up_read");
  3.1297 - }
  3.1298 -@@ -289,15 +295,17 @@
  3.1299 -  */
  3.1300 - void fastcall __up_write(struct rw_semaphore *sem)
  3.1301 - {
  3.1302 -+	unsigned long flags;
  3.1303 -+
  3.1304 - 	rwsemtrace(sem, "Entering __up_write");
  3.1305 - 
  3.1306 --	spin_lock(&sem->wait_lock);
  3.1307 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1308 - 
  3.1309 - 	sem->activity = 0;
  3.1310 - 	if (!list_empty(&sem->wait_list))
  3.1311 - 		sem = __rwsem_do_wake(sem, 1);
  3.1312 - 
  3.1313 --	spin_unlock(&sem->wait_lock);
  3.1314 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1315 - 
  3.1316 - 	rwsemtrace(sem, "Leaving __up_write");
  3.1317 - }
  3.1318 -@@ -308,15 +316,17 @@
  3.1319 -  */
  3.1320 - void fastcall __downgrade_write(struct rw_semaphore *sem)
  3.1321 - {
  3.1322 -+	unsigned long flags;
  3.1323 -+
  3.1324 - 	rwsemtrace(sem, "Entering __downgrade_write");
  3.1325 - 
  3.1326 --	spin_lock(&sem->wait_lock);
  3.1327 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1328 - 
  3.1329 - 	sem->activity = 1;
  3.1330 - 	if (!list_empty(&sem->wait_list))
  3.1331 - 		sem = __rwsem_do_wake(sem, 0);
  3.1332 - 
  3.1333 --	spin_unlock(&sem->wait_lock);
  3.1334 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1335 - 
  3.1336 - 	rwsemtrace(sem, "Leaving __downgrade_write");
  3.1337 - }
  3.1338 -diff -Nru a/lib/rwsem.c b/lib/rwsem.c
  3.1339 ---- a/lib/rwsem.c	2005-05-11 15:43:53 -07:00
  3.1340 -+++ b/lib/rwsem.c	2005-05-11 15:43:53 -07:00
  3.1341 -@@ -150,7 +150,7 @@
  3.1342 - 	set_task_state(tsk, TASK_UNINTERRUPTIBLE);
  3.1343 - 
  3.1344 - 	/* set up my own style of waitqueue */
  3.1345 --	spin_lock(&sem->wait_lock);
  3.1346 -+	spin_lock_irq(&sem->wait_lock);
  3.1347 - 	waiter->task = tsk;
  3.1348 - 	get_task_struct(tsk);
  3.1349 - 
  3.1350 -@@ -163,7 +163,7 @@
  3.1351 - 	if (!(count & RWSEM_ACTIVE_MASK))
  3.1352 - 		sem = __rwsem_do_wake(sem, 0);
  3.1353 - 
  3.1354 --	spin_unlock(&sem->wait_lock);
  3.1355 -+	spin_unlock_irq(&sem->wait_lock);
  3.1356 - 
  3.1357 - 	/* wait to be given the lock */
  3.1358 - 	for (;;) {
  3.1359 -@@ -219,15 +219,17 @@
  3.1360 -  */
  3.1361 - struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
  3.1362 - {
  3.1363 -+	unsigned long flags;
  3.1364 -+
  3.1365 - 	rwsemtrace(sem, "Entering rwsem_wake");
  3.1366 - 
  3.1367 --	spin_lock(&sem->wait_lock);
  3.1368 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1369 - 
  3.1370 - 	/* do nothing if list empty */
  3.1371 - 	if (!list_empty(&sem->wait_list))
  3.1372 - 		sem = __rwsem_do_wake(sem, 0);
  3.1373 - 
  3.1374 --	spin_unlock(&sem->wait_lock);
  3.1375 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1376 - 
  3.1377 - 	rwsemtrace(sem, "Leaving rwsem_wake");
  3.1378 - 
  3.1379 -@@ -241,15 +243,17 @@
  3.1380 -  */
  3.1381 - struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
  3.1382 - {
  3.1383 -+	unsigned long flags;
  3.1384 -+
  3.1385 - 	rwsemtrace(sem, "Entering rwsem_downgrade_wake");
  3.1386 - 
  3.1387 --	spin_lock(&sem->wait_lock);
  3.1388 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1389 - 
  3.1390 - 	/* do nothing if list empty */
  3.1391 - 	if (!list_empty(&sem->wait_list))
  3.1392 - 		sem = __rwsem_do_wake(sem, 1);
  3.1393 - 
  3.1394 --	spin_unlock(&sem->wait_lock);
  3.1395 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1396 - 
  3.1397 - 	rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
  3.1398 - 	return sem;
  3.1399 -diff -Nru a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
  3.1400 ---- a/net/bluetooth/af_bluetooth.c	2005-05-11 15:43:53 -07:00
  3.1401 -+++ b/net/bluetooth/af_bluetooth.c	2005-05-11 15:43:53 -07:00
  3.1402 -@@ -64,7 +64,7 @@
  3.1403 - 
  3.1404 - int bt_sock_register(int proto, struct net_proto_family *ops)
  3.1405 - {
  3.1406 --	if (proto >= BT_MAX_PROTO)
  3.1407 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.1408 - 		return -EINVAL;
  3.1409 - 
  3.1410 - 	if (bt_proto[proto])
  3.1411 -@@ -77,7 +77,7 @@
  3.1412 - 
  3.1413 - int bt_sock_unregister(int proto)
  3.1414 - {
  3.1415 --	if (proto >= BT_MAX_PROTO)
  3.1416 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.1417 - 		return -EINVAL;
  3.1418 - 
  3.1419 - 	if (!bt_proto[proto])
  3.1420 -@@ -92,7 +92,7 @@
  3.1421 - {
  3.1422 - 	int err = 0;
  3.1423 - 
  3.1424 --	if (proto >= BT_MAX_PROTO)
  3.1425 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.1426 - 		return -EINVAL;
  3.1427 - 
  3.1428 - #if defined(CONFIG_KMOD)
  3.1429 -diff -Nru a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
  3.1430 ---- a/net/ipv4/fib_hash.c	2005-05-11 15:43:53 -07:00
  3.1431 -+++ b/net/ipv4/fib_hash.c	2005-05-11 15:43:53 -07:00
  3.1432 -@@ -919,13 +919,23 @@
  3.1433 - 	return fa;
  3.1434 - }
  3.1435 - 
  3.1436 -+static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
  3.1437 -+{
  3.1438 -+	struct fib_alias *fa = fib_get_first(seq);
  3.1439 -+
  3.1440 -+	if (fa)
  3.1441 -+		while (pos && (fa = fib_get_next(seq)))
  3.1442 -+			--pos;
  3.1443 -+	return pos ? NULL : fa;
  3.1444 -+}
  3.1445 -+
  3.1446 - static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
  3.1447 - {
  3.1448 - 	void *v = NULL;
  3.1449 - 
  3.1450 - 	read_lock(&fib_hash_lock);
  3.1451 - 	if (ip_fib_main_table)
  3.1452 --		v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
  3.1453 -+		v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
  3.1454 - 	return v;
  3.1455 - }
  3.1456 - 
  3.1457 -diff -Nru a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
  3.1458 ---- a/net/ipv4/tcp_input.c	2005-05-11 15:43:53 -07:00
  3.1459 -+++ b/net/ipv4/tcp_input.c	2005-05-11 15:43:53 -07:00
  3.1460 -@@ -1653,7 +1653,10 @@
  3.1461 - static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
  3.1462 - {
  3.1463 - 	if (tp->prior_ssthresh) {
  3.1464 --		tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  3.1465 -+		if (tcp_is_bic(tp))
  3.1466 -+			tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
  3.1467 -+		else
  3.1468 -+			tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  3.1469 - 
  3.1470 - 		if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
  3.1471 - 			tp->snd_ssthresh = tp->prior_ssthresh;
  3.1472 -diff -Nru a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
  3.1473 ---- a/net/ipv4/tcp_timer.c	2005-05-11 15:43:53 -07:00
  3.1474 -+++ b/net/ipv4/tcp_timer.c	2005-05-11 15:43:53 -07:00
  3.1475 -@@ -38,6 +38,7 @@
  3.1476 - 
  3.1477 - #ifdef TCP_DEBUG
  3.1478 - const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
  3.1479 -+EXPORT_SYMBOL(tcp_timer_bug_msg);
  3.1480 - #endif
  3.1481 - 
  3.1482 - /*
  3.1483 -diff -Nru a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
  3.1484 ---- a/net/ipv4/xfrm4_output.c	2005-05-11 15:43:53 -07:00
  3.1485 -+++ b/net/ipv4/xfrm4_output.c	2005-05-11 15:43:53 -07:00
  3.1486 -@@ -103,16 +103,16 @@
  3.1487 - 			goto error_nolock;
  3.1488 - 	}
  3.1489 - 
  3.1490 --	spin_lock_bh(&x->lock);
  3.1491 --	err = xfrm_state_check(x, skb);
  3.1492 --	if (err)
  3.1493 --		goto error;
  3.1494 --
  3.1495 - 	if (x->props.mode) {
  3.1496 - 		err = xfrm4_tunnel_check_size(skb);
  3.1497 - 		if (err)
  3.1498 --			goto error;
  3.1499 -+			goto error_nolock;
  3.1500 - 	}
  3.1501 -+
  3.1502 -+	spin_lock_bh(&x->lock);
  3.1503 -+	err = xfrm_state_check(x, skb);
  3.1504 -+	if (err)
  3.1505 -+		goto error;
  3.1506 - 
  3.1507 - 	xfrm4_encap(skb);
  3.1508 - 
  3.1509 -diff -Nru a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
  3.1510 ---- a/net/ipv6/xfrm6_output.c	2005-05-11 15:43:53 -07:00
  3.1511 -+++ b/net/ipv6/xfrm6_output.c	2005-05-11 15:43:53 -07:00
  3.1512 -@@ -103,16 +103,16 @@
  3.1513 - 			goto error_nolock;
  3.1514 - 	}
  3.1515 - 
  3.1516 --	spin_lock_bh(&x->lock);
  3.1517 --	err = xfrm_state_check(x, skb);
  3.1518 --	if (err)
  3.1519 --		goto error;
  3.1520 --
  3.1521 - 	if (x->props.mode) {
  3.1522 - 		err = xfrm6_tunnel_check_size(skb);
  3.1523 - 		if (err)
  3.1524 --			goto error;
  3.1525 -+			goto error_nolock;
  3.1526 - 	}
  3.1527 -+
  3.1528 -+	spin_lock_bh(&x->lock);
  3.1529 -+	err = xfrm_state_check(x, skb);
  3.1530 -+	if (err)
  3.1531 -+		goto error;
  3.1532 - 
  3.1533 - 	xfrm6_encap(skb);
  3.1534 - 
  3.1535 -diff -Nru a/net/netrom/nr_in.c b/net/netrom/nr_in.c
  3.1536 ---- a/net/netrom/nr_in.c	2005-05-11 15:43:53 -07:00
  3.1537 -+++ b/net/netrom/nr_in.c	2005-05-11 15:43:53 -07:00
  3.1538 -@@ -74,7 +74,6 @@
  3.1539 - static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
  3.1540 - 	int frametype)
  3.1541 - {
  3.1542 --	bh_lock_sock(sk);
  3.1543 - 	switch (frametype) {
  3.1544 - 	case NR_CONNACK: {
  3.1545 - 		nr_cb *nr = nr_sk(sk);
  3.1546 -@@ -103,8 +102,6 @@
  3.1547 - 	default:
  3.1548 - 		break;
  3.1549 - 	}
  3.1550 --	bh_unlock_sock(sk);
  3.1551 --
  3.1552 - 	return 0;
  3.1553 - }
  3.1554 - 
  3.1555 -@@ -116,7 +113,6 @@
  3.1556 - static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
  3.1557 - 	int frametype)
  3.1558 - {
  3.1559 --	bh_lock_sock(sk);
  3.1560 - 	switch (frametype) {
  3.1561 - 	case NR_CONNACK | NR_CHOKE_FLAG:
  3.1562 - 		nr_disconnect(sk, ECONNRESET);
  3.1563 -@@ -132,8 +128,6 @@
  3.1564 - 	default:
  3.1565 - 		break;
  3.1566 - 	}
  3.1567 --	bh_unlock_sock(sk);
  3.1568 --
  3.1569 - 	return 0;
  3.1570 - }
  3.1571 - 
  3.1572 -@@ -154,7 +148,6 @@
  3.1573 - 	nr = skb->data[18];
  3.1574 - 	ns = skb->data[17];
  3.1575 - 
  3.1576 --	bh_lock_sock(sk);
  3.1577 - 	switch (frametype) {
  3.1578 - 	case NR_CONNREQ:
  3.1579 - 		nr_write_internal(sk, NR_CONNACK);
  3.1580 -@@ -265,8 +258,6 @@
  3.1581 - 	default:
  3.1582 - 		break;
  3.1583 - 	}
  3.1584 --	bh_unlock_sock(sk);
  3.1585 --
  3.1586 - 	return queued;
  3.1587 - }
  3.1588 - 
  3.1589 -diff -Nru a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
  3.1590 ---- a/net/xfrm/xfrm_state.c	2005-05-11 15:43:53 -07:00
  3.1591 -+++ b/net/xfrm/xfrm_state.c	2005-05-11 15:43:53 -07:00
  3.1592 -@@ -609,7 +609,7 @@
  3.1593 - 
  3.1594 - 	for (i = 0; i < XFRM_DST_HSIZE; i++) {
  3.1595 - 		list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
  3.1596 --			if (x->km.seq == seq) {
  3.1597 -+			if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
  3.1598 - 				xfrm_state_hold(x);
  3.1599 - 				return x;
  3.1600 - 			}
  3.1601 -diff -Nru a/security/keys/key.c b/security/keys/key.c
  3.1602 ---- a/security/keys/key.c	2005-05-11 15:43:53 -07:00
  3.1603 -+++ b/security/keys/key.c	2005-05-11 15:43:53 -07:00
  3.1604 -@@ -57,9 +57,10 @@
  3.1605 - {
  3.1606 - 	struct key_user *candidate = NULL, *user;
  3.1607 - 	struct rb_node *parent = NULL;
  3.1608 --	struct rb_node **p = &key_user_tree.rb_node;
  3.1609 -+	struct rb_node **p;
  3.1610 - 
  3.1611 -  try_again:
  3.1612 -+	p = &key_user_tree.rb_node;
  3.1613 - 	spin_lock(&key_user_lock);
  3.1614 - 
  3.1615 - 	/* search the tree for a user record with a matching UID */
  3.1616 -diff -Nru a/sound/core/timer.c b/sound/core/timer.c
  3.1617 ---- a/sound/core/timer.c	2005-05-11 15:43:53 -07:00
  3.1618 -+++ b/sound/core/timer.c	2005-05-11 15:43:53 -07:00
  3.1619 -@@ -1117,7 +1117,8 @@
  3.1620 - 	if (tu->qused >= tu->queue_size) {
  3.1621 - 		tu->overrun++;
  3.1622 - 	} else {
  3.1623 --		memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
  3.1624 -+		memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
  3.1625 -+		tu->qtail %= tu->queue_size;
  3.1626 - 		tu->qused++;
  3.1627 - 	}
  3.1628 - }
  3.1629 -@@ -1140,6 +1141,8 @@
  3.1630 - 	spin_lock(&tu->qlock);
  3.1631 - 	snd_timer_user_append_to_tqueue(tu, &r1);
  3.1632 - 	spin_unlock(&tu->qlock);
  3.1633 -+	kill_fasync(&tu->fasync, SIGIO, POLL_IN);
  3.1634 -+	wake_up(&tu->qchange_sleep);
  3.1635 - }
  3.1636 - 
  3.1637 - static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
  3.1638 -diff -Nru a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
  3.1639 ---- a/sound/pci/ac97/ac97_codec.c	2005-05-11 15:43:53 -07:00
  3.1640 -+++ b/sound/pci/ac97/ac97_codec.c	2005-05-11 15:43:53 -07:00
  3.1641 -@@ -1185,7 +1185,7 @@
  3.1642 - /*
  3.1643 -  * create mute switch(es) for normal stereo controls
  3.1644 -  */
  3.1645 --static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
  3.1646 -+static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
  3.1647 - {
  3.1648 - 	snd_kcontrol_t *kctl;
  3.1649 - 	int err;
  3.1650 -@@ -1196,7 +1196,7 @@
  3.1651 - 
  3.1652 - 	mute_mask = 0x8000;
  3.1653 - 	val = snd_ac97_read(ac97, reg);
  3.1654 --	if (ac97->flags & AC97_STEREO_MUTES) {
  3.1655 -+	if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
  3.1656 - 		/* check whether both mute bits work */
  3.1657 - 		val1 = val | 0x8080;
  3.1658 - 		snd_ac97_write(ac97, reg, val1);
  3.1659 -@@ -1254,7 +1254,7 @@
  3.1660 - /*
  3.1661 -  * create a mute-switch and a volume for normal stereo/mono controls
  3.1662 -  */
  3.1663 --static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
  3.1664 -+static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
  3.1665 - {
  3.1666 - 	int err;
  3.1667 - 	char name[44];
  3.1668 -@@ -1265,7 +1265,7 @@
  3.1669 - 
  3.1670 - 	if (snd_ac97_try_bit(ac97, reg, 15)) {
  3.1671 - 		sprintf(name, "%s Switch", pfx);
  3.1672 --		if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
  3.1673 -+		if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
  3.1674 - 			return err;
  3.1675 - 	}
  3.1676 - 	check_volume_resolution(ac97, reg, &lo_max, &hi_max);
  3.1677 -@@ -1277,6 +1277,8 @@
  3.1678 - 	return 0;
  3.1679 - }
  3.1680 - 
  3.1681 -+#define snd_ac97_cmix_new(card, pfx, reg, ac97)	snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
  3.1682 -+#define snd_ac97_cmute_new(card, name, reg, ac97)	snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
  3.1683 - 
  3.1684 - static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
  3.1685 - 
  3.1686 -@@ -1327,7 +1329,8 @@
  3.1687 - 
  3.1688 - 	/* build surround controls */
  3.1689 - 	if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
  3.1690 --		if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
  3.1691 -+		/* Surround Master (0x38) is with stereo mutes */
  3.1692 -+		if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
  3.1693 - 			return err;
  3.1694 - 	}
  3.1695 -