ia64/xen-unstable

changeset 5441:aa643d3d2742

bitkeeper revision 1.1713.1.2 (42ad8793XA-gObRPsPuWlI4gxZ7j5Q)

Merge freefall.cl.cam.ac.uk:/auto/groups/xeno-xenod/BK/xen-2.0-testing.bk
into freefall.cl.cam.ac.uk:/auto/groups/xeno-xenod/BK/xen-unstable.bk
author iap10@freefall.cl.cam.ac.uk
date Mon Jun 13 13:18:11 2005 +0000 (2005-06-13)
parents 61da956d43da 5a5f81b0e950
children c45207396f75 085461ee5cd6
files .rootkeys patches/linux-2.6.11/linux-2.6.11.11.patch patches/linux-2.6.11/linux-2.6.11.12.patch
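--- a/.rootkeys	Mon Jun 13 11:22:00 2005 +0000
+++ b/.rootkeys	Mon Jun 13 13:18:11 2005 +0000
@@ -468,7 +468,7 @@ 413cb3b53nyOv1OIeDSsCXhBFDXvJA netbsd-2.
 413aa1d0oNP8HXLvfPuMe6cSroUfSA patches/linux-2.6.11/agpgart.patch
 427261074Iy1MkbbqIV6zdZDWWx_Jg patches/linux-2.6.11/i386-cpu-hotplug-updated-for-mm.patch
 42372652KCUP-IOH9RN19YQmGhs4aA patches/linux-2.6.11/iomap.patch
-428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.11.patch
+428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.12.patch
 4296fb998LGSWCcljGKbOCUv3h9uRQ patches/linux-2.6.11/net-csum.patch
 429ae875I9ZrqrRDjGD34IC2kzDREw patches/linux-2.6.11/rcu-nohz.patch
 429ba3007184K-y6WHQ6KgY65-lEIQ patches/linux-2.6.11/udp-frag.patch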
     2.1 --- a/patches/linux-2.6.11/linux-2.6.11.11.patch	Mon Jun 13 11:22:00 2005 +0000
     2.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.3 @@ -1,2304 +0,0 @@
     2.4 -diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs
     2.5 -new file mode 100644
     2.6 ---- /dev/null
     2.7 -+++ b/Documentation/SecurityBugs
     2.8 -@@ -0,0 +1,38 @@
     2.9 -+Linux kernel developers take security very seriously.  As such, we'd
    2.10 -+like to know when a security bug is found so that it can be fixed and
    2.11 -+disclosed as quickly as possible.  Please report security bugs to the
    2.12 -+Linux kernel security team.
    2.13 -+
    2.14 -+1) Contact
    2.15 -+
    2.16 -+The Linux kernel security team can be contacted by email at
    2.17 -+<security@kernel.org>.  This is a private list of security officers
    2.18 -+who will help verify the bug report and develop and release a fix.
    2.19 -+It is possible that the security team will bring in extra help from
    2.20 -+area maintainers to understand and fix the security vulnerability.
    2.21 -+
    2.22 -+As it is with any bug, the more information provided the easier it
    2.23 -+will be to diagnose and fix.  Please review the procedure outlined in
    2.24 -+REPORTING-BUGS if you are unclear about what information is helpful.
    2.25 -+Any exploit code is very helpful and will not be released without
    2.26 -+consent from the reporter unless it has already been made public.
    2.27 -+
    2.28 -+2) Disclosure
    2.29 -+
    2.30 -+The goal of the Linux kernel security team is to work with the
    2.31 -+bug submitter to bug resolution as well as disclosure.  We prefer
    2.32 -+to fully disclose the bug as soon as possible.  It is reasonable to
    2.33 -+delay disclosure when the bug or the fix is not yet fully understood,
    2.34 -+the solution is not well-tested or for vendor coordination.  However, we
    2.35 -+expect these delays to be short, measurable in days, not weeks or months.
    2.36 -+A disclosure date is negotiated by the security team working with the
    2.37 -+bug submitter as well as vendors.  However, the kernel security team
    2.38 -+holds the final say when setting a disclosure date.  The timeframe for
    2.39 -+disclosure is from immediate (esp. if it's already publically known)
    2.40 -+to a few weeks.  As a basic default policy, we expect report date to
    2.41 -+disclosure date to be on the order of 7 days.
    2.42 -+
    2.43 -+3) Non-disclosure agreements
    2.44 -+
    2.45 -+The Linux kernel security team is not a formal body and therefore unable
    2.46 -+to enter any non-disclosure agreements.
    2.47 -diff --git a/MAINTAINERS b/MAINTAINERS
    2.48 ---- a/MAINTAINERS
    2.49 -+++ b/MAINTAINERS
    2.50 -@@ -1966,6 +1966,11 @@ M:	christer@weinigel.se
    2.51 - W:	http://www.weinigel.se
    2.52 - S:	Supported
    2.53 - 
    2.54 -+SECURITY CONTACT
    2.55 -+P:	Security Officers
    2.56 -+M:	security@kernel.org
    2.57 -+S:	Supported
    2.58 -+
    2.59 - SELINUX SECURITY MODULE
    2.60 - P:	Stephen Smalley
    2.61 - M:	sds@epoch.ncsc.mil
    2.62 -diff --git a/Makefile b/Makefile
    2.63 ---- a/Makefile
    2.64 -+++ b/Makefile
    2.65 -@@ -1,8 +1,8 @@
    2.66 - VERSION = 2
    2.67 - PATCHLEVEL = 6
    2.68 - SUBLEVEL = 11
    2.69 --EXTRAVERSION =
    2.70 --NAME=Woozy Numbat
    2.71 -+EXTRAVERSION = .11
    2.72 -+NAME=Woozy Beaver
    2.73 - 
    2.74 - # *DOCUMENTATION*
    2.75 - # To see a list of typical targets execute "make help"
    2.76 -diff --git a/REPORTING-BUGS b/REPORTING-BUGS
    2.77 ---- a/REPORTING-BUGS
    2.78 -+++ b/REPORTING-BUGS
    2.79 -@@ -16,6 +16,10 @@ code relevant to what you were doing. If
    2.80 - describe how to recreate it. That is worth even more than the oops itself.
    2.81 - The list of maintainers is in the MAINTAINERS file in this directory.
    2.82 - 
    2.83 -+      If it is a security bug, please copy the Security Contact listed
    2.84 -+in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
    2.85 -+See Documentation/SecurityBugs for more infomation.
    2.86 -+
    2.87 -       If you are totally stumped as to whom to send the report, send it to
    2.88 - linux-kernel@vger.kernel.org. (For more information on the linux-kernel
    2.89 - mailing list see http://www.tux.org/lkml/).
    2.90 -diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
    2.91 ---- a/arch/ia64/kernel/fsys.S
    2.92 -+++ b/arch/ia64/kernel/fsys.S
    2.93 -@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down)
    2.94 - 	movl r2=ia64_ret_from_syscall
    2.95 - 	;;
    2.96 - 	mov rp=r2				// set the real return addr
    2.97 --	tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
    2.98 -+	and r3=_TIF_SYSCALL_TRACEAUDIT,r3
    2.99 - 	;;
   2.100 -+	cmp.eq p8,p0=r3,r0
   2.101 -+
   2.102 - (p10)	br.cond.spnt.many ia64_ret_from_syscall	// p10==true means out registers are more than 8
   2.103 - (p8)	br.call.sptk.many b6=b6		// ignore this return addr
   2.104 - 	br.cond.sptk ia64_trace_syscall
   2.105 -diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
   2.106 ---- a/arch/ia64/kernel/signal.c
   2.107 -+++ b/arch/ia64/kernel/signal.c
   2.108 -@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc
   2.109 - 	 * could be corrupted.
   2.110 - 	 */
   2.111 - 	retval = (long) &ia64_leave_kernel;
   2.112 --	if (test_thread_flag(TIF_SYSCALL_TRACE))
   2.113 -+	if (test_thread_flag(TIF_SYSCALL_TRACE)
   2.114 -+	    || test_thread_flag(TIF_SYSCALL_AUDIT))
   2.115 - 		/*
   2.116 - 		 * strace expects to be notified after sigreturn returns even though the
   2.117 - 		 * context to which we return may not be in the middle of a syscall.
   2.118 -diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
   2.119 ---- a/arch/ppc/oprofile/op_model_fsl_booke.c
   2.120 -+++ b/arch/ppc/oprofile/op_model_fsl_booke.c
   2.121 -@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s
   2.122 - 	int is_kernel;
   2.123 - 	int val;
   2.124 - 	int i;
   2.125 --	unsigned int cpu = smp_processor_id();
   2.126 - 
   2.127 - 	/* set the PMM bit (see comment below) */
   2.128 - 	mtmsr(mfmsr() | MSR_PMM);
   2.129 -@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s
   2.130 - 		val = ctr_read(i);
   2.131 - 		if (val < 0) {
   2.132 - 			if (oprofile_running && ctr[i].enabled) {
   2.133 --				oprofile_add_sample(pc, is_kernel, i, cpu);
   2.134 -+				oprofile_add_pc(pc, is_kernel, i);
   2.135 - 				ctr_write(i, reset_value[i]);
   2.136 - 			} else {
   2.137 - 				ctr_write(i, 0);
   2.138 -diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
   2.139 ---- a/arch/ppc/platforms/4xx/ebony.h
   2.140 -+++ b/arch/ppc/platforms/4xx/ebony.h
   2.141 -@@ -61,8 +61,8 @@
   2.142 -  */
   2.143 - 
   2.144 - /* OpenBIOS defined UART mappings, used before early_serial_setup */
   2.145 --#define UART0_IO_BASE	(u8 *) 0xE0000200
   2.146 --#define UART1_IO_BASE	(u8 *) 0xE0000300
   2.147 -+#define UART0_IO_BASE	0xE0000200
   2.148 -+#define UART1_IO_BASE	0xE0000300
   2.149 - 
   2.150 - /* external Epson SG-615P */
   2.151 - #define BASE_BAUD	691200
   2.152 -diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
   2.153 ---- a/arch/ppc/platforms/4xx/luan.h
   2.154 -+++ b/arch/ppc/platforms/4xx/luan.h
   2.155 -@@ -47,9 +47,9 @@
   2.156 - #define RS_TABLE_SIZE	3
   2.157 - 
   2.158 - /* PIBS defined UART mappings, used before early_serial_setup */
   2.159 --#define UART0_IO_BASE	(u8 *) 0xa0000200
   2.160 --#define UART1_IO_BASE	(u8 *) 0xa0000300
   2.161 --#define UART2_IO_BASE	(u8 *) 0xa0000600
   2.162 -+#define UART0_IO_BASE	0xa0000200
   2.163 -+#define UART1_IO_BASE	0xa0000300
   2.164 -+#define UART2_IO_BASE	0xa0000600
   2.165 - 
   2.166 - #define BASE_BAUD	11059200
   2.167 - #define STD_UART_OP(num)					\
   2.168 -diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
   2.169 ---- a/arch/ppc/platforms/4xx/ocotea.h
   2.170 -+++ b/arch/ppc/platforms/4xx/ocotea.h
   2.171 -@@ -56,8 +56,8 @@
   2.172 - #define RS_TABLE_SIZE	2
   2.173 - 
   2.174 - /* OpenBIOS defined UART mappings, used before early_serial_setup */
   2.175 --#define UART0_IO_BASE	(u8 *) 0xE0000200
   2.176 --#define UART1_IO_BASE	(u8 *) 0xE0000300
   2.177 -+#define UART0_IO_BASE	0xE0000200
   2.178 -+#define UART1_IO_BASE	0xE0000300
   2.179 - 
   2.180 - #define BASE_BAUD	11059200/16
   2.181 - #define STD_UART_OP(num)					\
   2.182 -diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c
   2.183 ---- a/arch/ppc64/kernel/pSeries_iommu.c
   2.184 -+++ b/arch/ppc64/kernel/pSeries_iommu.c
   2.185 -@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st
   2.186 - 	struct device_node *dn, *pdn;
   2.187 - 	unsigned int *dma_window = NULL;
   2.188 - 
   2.189 -+	DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self);
   2.190 -+
   2.191 - 	dn = pci_bus_to_OF_node(bus);
   2.192 - 
   2.193 - 	/* Find nearest ibm,dma-window, walking up the device tree */
   2.194 -@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru
   2.195 - 	}
   2.196 - }
   2.197 - 
   2.198 -+static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev)
   2.199 -+{
   2.200 -+	struct device_node *pdn, *dn;
   2.201 -+	struct iommu_table *tbl;
   2.202 -+	int *dma_window = NULL;
   2.203 -+
   2.204 -+	DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name);
   2.205 -+
   2.206 -+	/* dev setup for LPAR is a little tricky, since the device tree might
   2.207 -+	 * contain the dma-window properties per-device and not neccesarily
   2.208 -+	 * for the bus. So we need to search upwards in the tree until we
   2.209 -+	 * either hit a dma-window property, OR find a parent with a table
   2.210 -+	 * already allocated.
   2.211 -+	 */
   2.212 -+	dn = pci_device_to_OF_node(dev);
   2.213 -+
   2.214 -+	for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) {
   2.215 -+		dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL);
   2.216 -+		if (dma_window)
   2.217 -+			break;
   2.218 -+	}
   2.219 -+
   2.220 -+	/* Check for parent == NULL so we don't try to setup the empty EADS
   2.221 -+	 * slots on POWER4 machines.
   2.222 -+	 */
   2.223 -+	if (dma_window == NULL || pdn->parent == NULL) {
   2.224 -+		/* Fall back to regular (non-LPAR) dev setup */
   2.225 -+		DBG("No dma window for device, falling back to regular setup\n");
   2.226 -+		iommu_dev_setup_pSeries(dev);
   2.227 -+		return;
   2.228 -+	} else {
   2.229 -+		DBG("Found DMA window, allocating table\n");
   2.230 -+	}
   2.231 -+
   2.232 -+	if (!pdn->iommu_table) {
   2.233 -+		/* iommu_table_setparms_lpar needs bussubno. */
   2.234 -+		pdn->bussubno = pdn->phb->bus->number;
   2.235 -+
   2.236 -+		tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table),
   2.237 -+						    GFP_KERNEL);
   2.238 -+
   2.239 -+		iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window);
   2.240 -+
   2.241 -+		pdn->iommu_table = iommu_init_table(tbl);
   2.242 -+	}
   2.243 -+
   2.244 -+	if (pdn != dn)
   2.245 -+		dn->iommu_table = pdn->iommu_table;
   2.246 -+}
   2.247 -+
   2.248 - static void iommu_bus_setup_null(struct pci_bus *b) { }
   2.249 - static void iommu_dev_setup_null(struct pci_dev *d) { }
   2.250 - 
   2.251 -@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void)
   2.252 - 			ppc_md.tce_free	 = tce_free_pSeriesLP;
   2.253 - 		}
   2.254 - 		ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP;
   2.255 -+		ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP;
   2.256 - 	} else {
   2.257 - 		ppc_md.tce_build = tce_build_pSeries;
   2.258 - 		ppc_md.tce_free  = tce_free_pSeries;
   2.259 - 		ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries;
   2.260 -+		ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
   2.261 - 	}
   2.262 - 
   2.263 --	ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
   2.264 - 
   2.265 - 	pci_iommu_init();
   2.266 - }
   2.267 -diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
   2.268 ---- a/arch/sparc/kernel/ptrace.c
   2.269 -+++ b/arch/sparc/kernel/ptrace.c
   2.270 -@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs
   2.271 - 			pt_error_return(regs, EIO);
   2.272 - 			goto out_tsk;
   2.273 - 		}
   2.274 --		if (addr != 1) {
   2.275 --			if (addr & 3) {
   2.276 --				pt_error_return(regs, EINVAL);
   2.277 --				goto out_tsk;
   2.278 --			}
   2.279 --#ifdef DEBUG_PTRACE
   2.280 --			printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
   2.281 --			printk ("Continuing with %08lx %08lx\n", addr, addr+4);
   2.282 --#endif
   2.283 --			child->thread.kregs->pc = addr;
   2.284 --			child->thread.kregs->npc = addr + 4;
   2.285 --		}
   2.286 - 
   2.287 - 		if (request == PTRACE_SYSCALL)
   2.288 - 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   2.289 -diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
   2.290 ---- a/arch/sparc64/kernel/ptrace.c
   2.291 -+++ b/arch/sparc64/kernel/ptrace.c
   2.292 -@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs
   2.293 - 			pt_error_return(regs, EIO);
   2.294 - 			goto out_tsk;
   2.295 - 		}
   2.296 --		if (addr != 1) {
   2.297 --			unsigned long pc_mask = ~0UL;
   2.298 --
   2.299 --			if ((child->thread_info->flags & _TIF_32BIT) != 0)
   2.300 --				pc_mask = 0xffffffff;
   2.301 --
   2.302 --			if (addr & 3) {
   2.303 --				pt_error_return(regs, EINVAL);
   2.304 --				goto out_tsk;
   2.305 --			}
   2.306 --#ifdef DEBUG_PTRACE
   2.307 --			printk ("Original: %016lx %016lx\n",
   2.308 --				child->thread_info->kregs->tpc,
   2.309 --				child->thread_info->kregs->tnpc);
   2.310 --			printk ("Continuing with %016lx %016lx\n", addr, addr+4);
   2.311 --#endif
   2.312 --			child->thread_info->kregs->tpc = (addr & pc_mask);
   2.313 --			child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
   2.314 --		}
   2.315 - 
   2.316 - 		if (request == PTRACE_SYSCALL) {
   2.317 - 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   2.318 -diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
   2.319 ---- a/arch/sparc64/kernel/signal32.c
   2.320 -+++ b/arch/sparc64/kernel/signal32.c
   2.321 -@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf
   2.322 - 			err |= __put_user(from->si_uid, &to->si_uid);
   2.323 - 			break;
   2.324 - 		case __SI_FAULT >> 16:
   2.325 --		case __SI_POLL >> 16:
   2.326 - 			err |= __put_user(from->si_trapno, &to->si_trapno);
   2.327 - 			err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
   2.328 - 			break;
   2.329 -+		case __SI_POLL >> 16:
   2.330 -+			err |= __put_user(from->si_band, &to->si_band);
   2.331 -+			err |= __put_user(from->si_fd, &to->si_fd);
   2.332 -+			break;
   2.333 - 		case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
   2.334 - 		case __SI_MESGQ >> 16:
   2.335 - 			err |= __put_user(from->si_pid, &to->si_pid);
   2.336 -diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
   2.337 ---- a/arch/sparc64/kernel/systbls.S
   2.338 -+++ b/arch/sparc64/kernel/systbls.S
   2.339 -@@ -75,7 +75,7 @@ sys_call_table32:
   2.340 - /*260*/	.word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
   2.341 - 	.word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
   2.342 - /*270*/	.word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
   2.343 --	.word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   2.344 -+	.word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   2.345 - /*280*/	.word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
   2.346 - 
   2.347 - #endif /* CONFIG_COMPAT */
   2.348 -diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
   2.349 ---- a/arch/um/include/sysdep-i386/syscalls.h
   2.350 -+++ b/arch/um/include/sysdep-i386/syscalls.h
   2.351 -@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr
   2.352 - 		      unsigned long prot, unsigned long flags,
   2.353 - 		      unsigned long fd, unsigned long pgoff);
   2.354 - 
   2.355 -+/* On i386 they choose a meaningless naming.*/
   2.356 -+#define __NR_kexec_load __NR_sys_kexec_load
   2.357 -+
   2.358 - #define ARCH_SYSCALLS \
   2.359 - 	[ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
   2.360 - 	[ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
   2.361 -@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr
   2.362 - 	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.363 - 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.364 - 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.365 --	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   2.366 - 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.367 --        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   2.368 --	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   2.369 --	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   2.370 --        
   2.371 -+	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   2.372 -+
   2.373 - /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
   2.374 - 
   2.375 --#define LAST_ARCH_SYSCALL __NR_vserver
   2.376 -+#define LAST_ARCH_SYSCALL 285
   2.377 - 
   2.378 - /*
   2.379 -  * Overrides for Emacs so that we follow Linus's tabbing style.
   2.380 -diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
   2.381 ---- a/arch/um/include/sysdep-x86_64/syscalls.h
   2.382 -+++ b/arch/um/include/sysdep-x86_64/syscalls.h
   2.383 -@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl;
   2.384 - 	[ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
   2.385 - 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.386 - 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   2.387 --        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   2.388 - 	[ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
   2.389 --	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   2.390 --	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   2.391 --	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   2.392 --	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
   2.393 - 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall,
   2.394 - 
   2.395 - #define LAST_ARCH_SYSCALL 251
   2.396 -diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
   2.397 ---- a/arch/um/kernel/skas/uaccess.c
   2.398 -+++ b/arch/um/kernel/skas/uaccess.c
   2.399 -@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v
   2.400 - 	void *arg;
   2.401 - 	int *res;
   2.402 - 
   2.403 --	va_copy(args, *(va_list *)arg_ptr);
   2.404 -+	/* Some old gccs recognize __va_copy, but not va_copy */
   2.405 -+	__va_copy(args, *(va_list *)arg_ptr);
   2.406 - 	addr = va_arg(args, unsigned long);
   2.407 - 	len = va_arg(args, int);
   2.408 - 	is_write = va_arg(args, int);
   2.409 -diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
   2.410 ---- a/arch/um/kernel/sys_call_table.c
   2.411 -+++ b/arch/um/kernel/sys_call_table.c
   2.412 -@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork;
   2.413 - extern syscall_handler_t old_select;
   2.414 - extern syscall_handler_t sys_modify_ldt;
   2.415 - extern syscall_handler_t sys_rt_sigsuspend;
   2.416 --extern syscall_handler_t sys_vserver;
   2.417 - extern syscall_handler_t sys_mbind;
   2.418 - extern syscall_handler_t sys_get_mempolicy;
   2.419 - extern syscall_handler_t sys_set_mempolicy;
   2.420 -@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = {
   2.421 - 	[ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
   2.422 - 	[ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
   2.423 - 	[ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
   2.424 -+	[ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
   2.425 -         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
   2.426 - 	[ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
   2.427 - 	[ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
   2.428 -@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = {
   2.429 - 	[ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
   2.430 - 	[ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
   2.431 - 	[ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
   2.432 --	[ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
   2.433 --	[ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
   2.434 - 	[ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
   2.435 - 	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
   2.436 --	[ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
   2.437 --	[ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
   2.438 -+	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
   2.439 -+	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   2.440 - 	[ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
   2.441 - 	[ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
   2.442 - 	[ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
   2.443 -@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = {
   2.444 - 	[ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
   2.445 - 	[ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
   2.446 - 	[ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
   2.447 --	[ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   2.448 -+	[ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   2.449 - 	[ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
   2.450 --	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   2.451 - 	[ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
   2.452 - 	[ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
   2.453 - 	[ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
   2.454 -diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
   2.455 ---- a/arch/x86_64/kernel/ptrace.c
   2.456 -+++ b/arch/x86_64/kernel/ptrace.c
   2.457 -@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
   2.458 - 			value &= 0xffff;
   2.459 - 			return 0;
   2.460 - 		case offsetof(struct user_regs_struct,fs_base):
   2.461 --			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
   2.462 --				return -EIO; 
   2.463 -+			if (value >= TASK_SIZE)
   2.464 -+				return -EIO;
   2.465 - 			child->thread.fs = value;
   2.466 - 			return 0;
   2.467 - 		case offsetof(struct user_regs_struct,gs_base):
   2.468 --			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
   2.469 --				return -EIO; 
   2.470 -+			if (value >= TASK_SIZE)
   2.471 -+				return -EIO;
   2.472 - 			child->thread.gs = value;
   2.473 - 			return 0;
   2.474 - 		case offsetof(struct user_regs_struct, eflags):
   2.475 -@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
   2.476 - 				return -EIO;
   2.477 - 			value &= 0xffff;
   2.478 - 			break;
   2.479 -+		case offsetof(struct user_regs_struct, rip):
   2.480 -+			/* Check if the new RIP address is canonical */
   2.481 -+			if (value >= TASK_SIZE)
   2.482 -+				return -EIO;
   2.483 -+			break;
   2.484 - 	}
   2.485 - 	put_stack_long(child, regno - sizeof(struct pt_regs), value);
   2.486 - 	return 0;
   2.487 -diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c
   2.488 ---- a/arch/x86_64/mm/fault.c
   2.489 -+++ b/arch/x86_64/mm/fault.c
   2.490 -@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne
   2.491 - 
   2.492 - /*
   2.493 -  * Handle a fault on the vmalloc or module mapping area
   2.494 -+ *
   2.495 -+ * This assumes no large pages in there.
   2.496 -  */
   2.497 - static int vmalloc_fault(unsigned long address)
   2.498 - {
   2.499 -@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a
   2.500 - 	if (!pte_present(*pte_ref))
   2.501 - 		return -1;
   2.502 - 	pte = pte_offset_kernel(pmd, address);
   2.503 --	if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref))
   2.504 -+	/* Don't use pte_page here, because the mappings can point
   2.505 -+	   outside mem_map, and the NUMA hash lookup cannot handle
   2.506 -+	   that. */
   2.507 -+	if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
   2.508 - 		BUG();
   2.509 - 	__flush_tlb_all();
   2.510 - 	return 0;
   2.511 -@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_
   2.512 - 	 * protection error (error_code & 1) == 0.
   2.513 - 	 */
   2.514 - 	if (unlikely(address >= TASK_SIZE)) {
   2.515 --		if (!(error_code & 5)) {
   2.516 -+		if (!(error_code & 5) &&
   2.517 -+		      ((address >= VMALLOC_START && address < VMALLOC_END) ||
   2.518 -+		       (address >= MODULES_VADDR && address < MODULES_END))) {
   2.519 - 			if (vmalloc_fault(address) < 0)
   2.520 - 				goto bad_area_nosemaphore;
   2.521 - 			return;
   2.522 -diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c
   2.523 ---- a/arch/x86_64/mm/ioremap.c
   2.524 -+++ b/arch/x86_64/mm/ioremap.c
   2.525 -@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr
   2.526 - 	if ((p->flags >> 20) &&
   2.527 - 		p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) {
   2.528 - 		/* p->size includes the guard page, but cpa doesn't like that */
   2.529 --		change_page_attr(virt_to_page(__va(p->phys_addr)),
   2.530 -+		change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
   2.531 - 				 (p->size - PAGE_SIZE) >> PAGE_SHIFT,
   2.532 - 				 PAGE_KERNEL); 				 
   2.533 - 		global_flush_tlb();
   2.534 -diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c
   2.535 ---- a/drivers/block/ioctl.c
   2.536 -+++ b/drivers/block/ioctl.c
   2.537 -@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi
   2.538 - 	}
   2.539 - 	return ret;
   2.540 - }
   2.541 -+
   2.542 -+EXPORT_SYMBOL_GPL(blkdev_ioctl);
   2.543 -diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
   2.544 ---- a/drivers/block/pktcdvd.c
   2.545 -+++ b/drivers/block/pktcdvd.c
   2.546 -@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode
   2.547 - 	case CDROM_LAST_WRITTEN:
   2.548 - 	case CDROM_SEND_PACKET:
   2.549 - 	case SCSI_IOCTL_SEND_COMMAND:
   2.550 --		return ioctl_by_bdev(pd->bdev, cmd, arg);
   2.551 -+		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   2.552 - 
   2.553 - 	case CDROMEJECT:
   2.554 - 		/*
   2.555 -@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode
   2.556 - 		 * have to unlock it or else the eject command fails.
   2.557 - 		 */
   2.558 - 		pkt_lock_door(pd, 0);
   2.559 --		return ioctl_by_bdev(pd->bdev, cmd, arg);
   2.560 -+		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   2.561 - 
   2.562 - 	default:
   2.563 - 		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
   2.564 -diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
   2.565 ---- a/drivers/char/drm/drm_ioctl.c
   2.566 -+++ b/drivers/char/drm/drm_ioctl.c
   2.567 -@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS)
   2.568 - 
   2.569 - 	DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
   2.570 - 
   2.571 -+	memset(&version, 0, sizeof(version));
   2.572 -+
   2.573 - 	dev->driver->version(&version);
   2.574 - 	retv.drm_di_major = DRM_IF_MAJOR;
   2.575 - 	retv.drm_di_minor = DRM_IF_MINOR;
   2.576 -diff --git a/drivers/char/raw.c b/drivers/char/raw.c
   2.577 ---- a/drivers/char/raw.c
   2.578 -+++ b/drivers/char/raw.c
   2.579 -@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi
   2.580 - {
   2.581 - 	struct block_device *bdev = filp->private_data;
   2.582 - 
   2.583 --	return ioctl_by_bdev(bdev, command, arg);
   2.584 -+	return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
   2.585 - }
   2.586 - 
   2.587 - static void bind_device(struct raw_config_request *rq)
   2.588 -diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
   2.589 ---- a/drivers/i2c/chips/eeprom.c
   2.590 -+++ b/drivers/i2c/chips/eeprom.c
   2.591 -@@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec
   2.592 - 
   2.593 - 	/* Hide Vaio security settings to regular users (16 first bytes) */
   2.594 - 	if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
   2.595 --		int in_row1 = 16 - off;
   2.596 -+		size_t in_row1 = 16 - off;
   2.597 -+		in_row1 = min(in_row1, count);
   2.598 - 		memset(buf, 0, in_row1);
   2.599 - 		if (count - in_row1 > 0)
   2.600 - 			memcpy(buf + in_row1, &data->data[16], count - in_row1);
   2.601 -diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
   2.602 ---- a/drivers/i2c/chips/it87.c
   2.603 -+++ b/drivers/i2c/chips/it87.c
   2.604 -@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device
   2.605 - 	struct it87_data *data = it87_update_device(dev);
   2.606 - 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   2.607 - }
   2.608 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   2.609 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   2.610 - 
   2.611 - static ssize_t
   2.612 - show_vrm_reg(struct device *dev, char *buf)
   2.613 -diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
   2.614 ---- a/drivers/i2c/chips/via686a.c
   2.615 -+++ b/drivers/i2c/chips/via686a.c
   2.616 -@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device
   2.617 - 	struct via686a_data *data = via686a_update_device(dev);
   2.618 - 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   2.619 - }
   2.620 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   2.621 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   2.622 - 
   2.623 - /* The driver. I choose to use type i2c_driver, as at is identical to both
   2.624 -    smbus_driver and isa_driver, and clients could be of either kind */
   2.625 -diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
   2.626 ---- a/drivers/ide/ide-disk.c
   2.627 -+++ b/drivers/ide/ide-disk.c
   2.628 -@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(
   2.629 - 	if (hwif->no_lba48_dma && lba48 && dma) {
   2.630 - 		if (block + rq->nr_sectors > 1ULL << 28)
   2.631 - 			dma = 0;
   2.632 -+		else
   2.633 -+			lba48 = 0;
   2.634 - 	}
   2.635 - 
   2.636 - 	if (!dma) {
   2.637 -@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(
   2.638 - 	/* FIXME: SELECT_MASK(drive, 0) ? */
   2.639 - 
   2.640 - 	if (drive->select.b.lba) {
   2.641 --		if (drive->addressing == 1) {
   2.642 -+		if (lba48) {
   2.643 - 			task_ioreg_t tasklets[10];
   2.644 - 
   2.645 - 			pr_debug("%s: LBA=0x%012llx\n", drive->name, block);
   2.646 -diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
   2.647 ---- a/drivers/input/serio/i8042-x86ia64io.h
   2.648 -+++ b/drivers/input/serio/i8042-x86ia64io.h
   2.649 -@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i
   2.650 - };
   2.651 - #endif
   2.652 - 
   2.653 --#ifdef CONFIG_ACPI
   2.654 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.655 - #include <linux/acpi.h>
   2.656 - #include <acpi/acpi_bus.h>
   2.657 - 
   2.658 -@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo
   2.659 - 	i8042_kbd_irq = I8042_MAP_IRQ(1);
   2.660 - 	i8042_aux_irq = I8042_MAP_IRQ(12);
   2.661 - 
   2.662 --#ifdef CONFIG_ACPI
   2.663 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.664 - 	if (i8042_acpi_init())
   2.665 - 		return -1;
   2.666 - #endif
   2.667 -@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo
   2.668 - 
   2.669 - static inline void i8042_platform_exit(void)
   2.670 - {
   2.671 --#ifdef CONFIG_ACPI
   2.672 -+#if defined(__ia64__) && defined(CONFIG_ACPI)
   2.673 - 	i8042_acpi_exit();
   2.674 - #endif
   2.675 - }
   2.676 -diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
   2.677 ---- a/drivers/md/raid6altivec.uc
   2.678 -+++ b/drivers/md/raid6altivec.uc
   2.679 -@@ -108,7 +108,11 @@ int raid6_have_altivec(void);
   2.680 - int raid6_have_altivec(void)
   2.681 - {
   2.682 - 	/* This assumes either all CPUs have Altivec or none does */
   2.683 -+#ifdef CONFIG_PPC64
   2.684 - 	return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
   2.685 -+#else
   2.686 -+	return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
   2.687 -+#endif
   2.688 - }
   2.689 - #endif
   2.690 - 
   2.691 -diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
   2.692 ---- a/drivers/media/video/adv7170.c
   2.693 -+++ b/drivers/media/video/adv7170.c
   2.694 -@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client *
   2.695 - 		u8 block_data[32];
   2.696 - 
   2.697 - 		msg.addr = client->addr;
   2.698 --		msg.flags = client->flags;
   2.699 -+		msg.flags = 0;
   2.700 - 		while (len >= 2) {
   2.701 - 			msg.buf = (char *) block_data;
   2.702 - 			msg.len = 0;
   2.703 -diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
   2.704 ---- a/drivers/media/video/adv7175.c
   2.705 -+++ b/drivers/media/video/adv7175.c
   2.706 -@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client *
   2.707 - 		u8 block_data[32];
   2.708 - 
   2.709 - 		msg.addr = client->addr;
   2.710 --		msg.flags = client->flags;
   2.711 -+		msg.flags = 0;
   2.712 - 		while (len >= 2) {
   2.713 - 			msg.buf = (char *) block_data;
   2.714 - 			msg.len = 0;
   2.715 -diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
   2.716 ---- a/drivers/media/video/bt819.c
   2.717 -+++ b/drivers/media/video/bt819.c
   2.718 -@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl
   2.719 - 		u8 block_data[32];
   2.720 - 
   2.721 - 		msg.addr = client->addr;
   2.722 --		msg.flags = client->flags;
   2.723 -+		msg.flags = 0;
   2.724 - 		while (len >= 2) {
   2.725 - 			msg.buf = (char *) block_data;
   2.726 - 			msg.len = 0;
   2.727 -diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
   2.728 ---- a/drivers/media/video/bttv-cards.c
   2.729 -+++ b/drivers/media/video/bttv-cards.c
   2.730 -@@ -2718,8 +2718,6 @@ void __devinit bttv_init_card2(struct bt
   2.731 -         }
   2.732 - 	btv->pll.pll_current = -1;
   2.733 - 
   2.734 --	bttv_reset_audio(btv);
   2.735 --
   2.736 - 	/* tuner configuration (from card list / autodetect / insmod option) */
   2.737 -  	if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
   2.738 - 		if(UNSET == btv->tuner_type)
   2.739 -diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
   2.740 ---- a/drivers/media/video/saa7110.c
   2.741 -+++ b/drivers/media/video/saa7110.c
   2.742 -@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
   2.743 - 
   2.744 - #define	I2C_SAA7110		0x9C	/* or 0x9E */
   2.745 - 
   2.746 -+#define SAA7110_NR_REG		0x35
   2.747 -+
   2.748 - struct saa7110 {
   2.749 --	unsigned char reg[54];
   2.750 -+	u8 reg[SAA7110_NR_REG];
   2.751 - 
   2.752 - 	int norm;
   2.753 - 	int input;
   2.754 -@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client *
   2.755 - 		     unsigned int       len)
   2.756 - {
   2.757 - 	int ret = -1;
   2.758 --	u8 reg = *data++;
   2.759 -+	u8 reg = *data;		/* first register to write to */
   2.760 - 
   2.761 --	len--;
   2.762 -+	/* Sanity check */
   2.763 -+	if (reg + (len - 1) > SAA7110_NR_REG)
   2.764 -+		return ret;
   2.765 - 
   2.766 - 	/* the saa7110 has an autoincrement function, use it if
   2.767 - 	 * the adapter understands raw I2C */
   2.768 - 	if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
   2.769 - 		struct saa7110 *decoder = i2c_get_clientdata(client);
   2.770 - 		struct i2c_msg msg;
   2.771 --		u8 block_data[54];
   2.772 - 
   2.773 --		msg.len = 0;
   2.774 --		msg.buf = (char *) block_data;
   2.775 -+		msg.len = len;
   2.776 -+		msg.buf = (char *) data;
   2.777 - 		msg.addr = client->addr;
   2.778 --		msg.flags = client->flags;
   2.779 --		while (len >= 1) {
   2.780 --			msg.len = 0;
   2.781 --			block_data[msg.len++] = reg;
   2.782 --			while (len-- >= 1 && msg.len < 54)
   2.783 --				block_data[msg.len++] =
   2.784 --				    decoder->reg[reg++] = *data++;
   2.785 --			ret = i2c_transfer(client->adapter, &msg, 1);
   2.786 --		}
   2.787 -+		msg.flags = 0;
   2.788 -+		ret = i2c_transfer(client->adapter, &msg, 1);
   2.789 -+
   2.790 -+		/* Cache the written data */
   2.791 -+		memcpy(decoder->reg + reg, data + 1, len - 1);
   2.792 - 	} else {
   2.793 --		while (len-- >= 1) {
   2.794 -+		for (++data, --len; len; len--) {
   2.795 - 			if ((ret = saa7110_write(client, reg++,
   2.796 - 						 *data++)) < 0)
   2.797 - 				break;
   2.798 -@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien
   2.799 - 	return 0;
   2.800 - }
   2.801 - 
   2.802 --static const unsigned char initseq[] = {
   2.803 -+static const unsigned char initseq[1 + SAA7110_NR_REG] = {
   2.804 - 	0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
   2.805 - 	/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
   2.806 - 	/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
   2.807 -diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
   2.808 ---- a/drivers/media/video/saa7114.c
   2.809 -+++ b/drivers/media/video/saa7114.c
   2.810 -@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client *
   2.811 - 		u8 block_data[32];
   2.812 - 
   2.813 - 		msg.addr = client->addr;
   2.814 --		msg.flags = client->flags;
   2.815 -+		msg.flags = 0;
   2.816 - 		while (len >= 2) {
   2.817 - 			msg.buf = (char *) block_data;
   2.818 - 			msg.len = 0;
   2.819 -diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
   2.820 ---- a/drivers/media/video/saa7185.c
   2.821 -+++ b/drivers/media/video/saa7185.c
   2.822 -@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client *
   2.823 - 		u8 block_data[32];
   2.824 - 
   2.825 - 		msg.addr = client->addr;
   2.826 --		msg.flags = client->flags;
   2.827 -+		msg.flags = 0;
   2.828 - 		while (len >= 2) {
   2.829 - 			msg.buf = (char *) block_data;
   2.830 - 			msg.len = 0;
   2.831 -diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
   2.832 ---- a/drivers/net/3c59x.c
   2.833 -+++ b/drivers/net/3c59x.c
   2.834 -@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev)
   2.835 - 
   2.836 - 	if (VORTEX_PCI(vp)) {
   2.837 - 		pci_set_power_state(VORTEX_PCI(vp), PCI_D0);	/* Go active */
   2.838 --		pci_restore_state(VORTEX_PCI(vp));
   2.839 -+		if (vp->pm_state_valid)
   2.840 -+			pci_restore_state(VORTEX_PCI(vp));
   2.841 - 		pci_enable_device(VORTEX_PCI(vp));
   2.842 - 	}
   2.843 - 
   2.844 -@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 
   2.845 - 		outl(0, ioaddr + DownListPtr);
   2.846 - 
   2.847 - 	if (final_down && VORTEX_PCI(vp)) {
   2.848 -+		vp->pm_state_valid = 1;
   2.849 - 		pci_save_state(VORTEX_PCI(vp));
   2.850 - 		acpi_set_WOL(dev);
   2.851 - 	}
   2.852 -@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi
   2.853 - 		outw(RxEnable, ioaddr + EL3_CMD);
   2.854 - 
   2.855 - 		pci_enable_wake(VORTEX_PCI(vp), 0, 1);
   2.856 -+
   2.857 -+		/* Change the power state to D3; RxEnable doesn't take effect. */
   2.858 -+		pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
   2.859 - 	}
   2.860 --	/* Change the power state to D3; RxEnable doesn't take effect. */
   2.861 --	pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
   2.862 - }
   2.863 - 
   2.864 - 
   2.865 -diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
   2.866 ---- a/drivers/net/amd8111e.c
   2.867 -+++ b/drivers/net/amd8111e.c
   2.868 -@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi
   2.869 - 
   2.870 - 	if(amd8111e_restart(dev)){
   2.871 - 		spin_unlock_irq(&lp->lock);
   2.872 -+		if (dev->irq)
   2.873 -+			free_irq(dev->irq, dev);
   2.874 - 		return -ENOMEM;
   2.875 - 	}
   2.876 - 	/* Start ipg timer */
   2.877 -diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
   2.878 ---- a/drivers/net/ppp_async.c
   2.879 -+++ b/drivers/net/ppp_async.c
   2.880 -@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp
   2.881 - 	data += 4;
   2.882 - 	dlen -= 4;
   2.883 - 	/* data[0] is code, data[1] is length */
   2.884 --	while (dlen >= 2 && dlen >= data[1]) {
   2.885 -+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
   2.886 - 		switch (data[0]) {
   2.887 - 		case LCP_MRU:
   2.888 - 			val = (data[2] << 8) + data[3];
   2.889 -diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
   2.890 ---- a/drivers/net/r8169.c
   2.891 -+++ b/drivers/net/r8169.c
   2.892 -@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r
   2.893 - 	rtl8169_make_unusable_by_asic(desc);
   2.894 - }
   2.895 - 
   2.896 --static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
   2.897 -+static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
   2.898 - {
   2.899 --	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   2.900 -+	u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
   2.901 -+
   2.902 -+	desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
   2.903 - }
   2.904 - 
   2.905 --static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   2.906 --					int rx_buf_sz)
   2.907 -+static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   2.908 -+				       u32 rx_buf_sz)
   2.909 - {
   2.910 - 	desc->addr = cpu_to_le64(mapping);
   2.911 --	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   2.912 -+	wmb();
   2.913 -+	rtl8169_mark_to_asic(desc, rx_buf_sz);
   2.914 - }
   2.915 - 
   2.916 - static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
   2.917 -@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p
   2.918 - 	mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
   2.919 - 				 PCI_DMA_FROMDEVICE);
   2.920 - 
   2.921 --	rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
   2.922 -+	rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
   2.923 - 
   2.924 - out:
   2.925 - 	return ret;
   2.926 -@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st
   2.927 - 			skb_reserve(skb, NET_IP_ALIGN);
   2.928 - 			eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
   2.929 - 			*sk_buff = skb;
   2.930 --			rtl8169_return_to_asic(desc, rx_buf_sz);
   2.931 -+			rtl8169_mark_to_asic(desc, rx_buf_sz);
   2.932 - 			ret = 0;
   2.933 - 		}
   2.934 - 	}
   2.935 -diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
   2.936 ---- a/drivers/net/sis900.c
   2.937 -+++ b/drivers/net/sis900.c
   2.938 -@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr
   2.939 - 	signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
   2.940 - 	if (signature == 0xffff || signature == 0x0000) {
   2.941 - 		printk (KERN_INFO "%s: Error EERPOM read %x\n", 
   2.942 --			net_dev->name, signature);
   2.943 -+			pci_name(pci_dev), signature);
   2.944 - 		return 0;
   2.945 - 	}
   2.946 - 
   2.947 -@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add
   2.948 - 	if (!isa_bridge)
   2.949 - 		isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
   2.950 - 	if (!isa_bridge) {
   2.951 --		printk("%s: Can not find ISA bridge\n", net_dev->name);
   2.952 -+		printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
   2.953 - 		return 0;
   2.954 - 	}
   2.955 - 	pci_read_config_byte(isa_bridge, 0x48, &reg);
   2.956 -@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct
   2.957 - 	net_dev->tx_timeout = sis900_tx_timeout;
   2.958 - 	net_dev->watchdog_timeo = TX_TIMEOUT;
   2.959 - 	net_dev->ethtool_ops = &sis900_ethtool_ops;
   2.960 --	
   2.961 --	ret = register_netdev(net_dev);
   2.962 --	if (ret)
   2.963 --		goto err_unmap_rx;
   2.964 - 		
   2.965 - 	/* Get Mac address according to the chip revision */
   2.966 - 	pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
   2.967 -@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct
   2.968 - 
   2.969 - 	if (ret == 0) {
   2.970 - 		ret = -ENODEV;
   2.971 --		goto err_out_unregister;
   2.972 -+		goto err_unmap_rx;
   2.973 - 	}
   2.974 - 	
   2.975 - 	/* 630ET : set the mii access mode as software-mode */
   2.976 -@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct
   2.977 - 	/* probe for mii transceiver */
   2.978 - 	if (sis900_mii_probe(net_dev) == 0) {
   2.979 - 		ret = -ENODEV;
   2.980 --		goto err_out_unregister;
   2.981 -+		goto err_unmap_rx;
   2.982 - 	}
   2.983 - 
   2.984 - 	/* save our host bridge revision */
   2.985 -@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct
   2.986 - 		pci_dev_put(dev);
   2.987 - 	}
   2.988 - 
   2.989 -+	ret = register_netdev(net_dev);
   2.990 -+	if (ret)
   2.991 -+		goto err_unmap_rx;
   2.992 -+
   2.993 - 	/* print some information about our NIC */
   2.994 - 	printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
   2.995 - 	       card_name, ioaddr, net_dev->irq);
   2.996 -@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct
   2.997 - 
   2.998 - 	return 0;
   2.999 - 
  2.1000 -- err_out_unregister:
  2.1001 -- 	unregister_netdev(net_dev);
  2.1002 -  err_unmap_rx:
  2.1003 - 	pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
  2.1004 - 		sis_priv->rx_ring_dma);
  2.1005 -@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct
  2.1006 - static int __init sis900_mii_probe(struct net_device * net_dev)
  2.1007 - {
  2.1008 - 	struct sis900_private * sis_priv = net_dev->priv;
  2.1009 -+	const char *dev_name = pci_name(sis_priv->pci_dev);
  2.1010 - 	u16 poll_bit = MII_STAT_LINK, status = 0;
  2.1011 - 	unsigned long timeout = jiffies + 5 * HZ;
  2.1012 - 	int phy_addr;
  2.1013 -@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc
  2.1014 - 					mii_phy->phy_types =
  2.1015 - 					    (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
  2.1016 - 				printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
  2.1017 --				       net_dev->name, mii_chip_table[i].name,
  2.1018 -+				       dev_name, mii_chip_table[i].name,
  2.1019 - 				       phy_addr);
  2.1020 - 				break;
  2.1021 - 			}
  2.1022 - 			
  2.1023 - 		if( !mii_chip_table[i].phy_id1 ) {
  2.1024 - 			printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
  2.1025 --			       net_dev->name, phy_addr);
  2.1026 -+			       dev_name, phy_addr);
  2.1027 - 			mii_phy->phy_types = UNKNOWN;
  2.1028 - 		}
  2.1029 - 	}
  2.1030 - 	
  2.1031 - 	if (sis_priv->mii == NULL) {
  2.1032 --		printk(KERN_INFO "%s: No MII transceivers found!\n",
  2.1033 --			net_dev->name);
  2.1034 -+		printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
  2.1035 - 		return 0;
  2.1036 - 	}
  2.1037 - 
  2.1038 -@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc
  2.1039 - 			poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
  2.1040 - 			if (time_after_eq(jiffies, timeout)) {
  2.1041 - 				printk(KERN_WARNING "%s: reset phy and link down now\n",
  2.1042 --					net_dev->name);
  2.1043 -+				       dev_name);
  2.1044 - 				return -ETIME;
  2.1045 - 			}
  2.1046 - 		}
  2.1047 -@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net
  2.1048 - 		sis_priv->mii = default_phy;
  2.1049 - 		sis_priv->cur_phy = default_phy->phy_addr;
  2.1050 - 		printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
  2.1051 --					net_dev->name,sis_priv->cur_phy);
  2.1052 -+		       pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
  2.1053 - 	}
  2.1054 - 	
  2.1055 - 	status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
  2.1056 -diff --git a/drivers/net/tun.c b/drivers/net/tun.c
  2.1057 ---- a/drivers/net/tun.c
  2.1058 -+++ b/drivers/net/tun.c
  2.1059 -@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s
  2.1060 - 	size_t len = count;
  2.1061 - 
  2.1062 - 	if (!(tun->flags & TUN_NO_PI)) {
  2.1063 --		if ((len -= sizeof(pi)) > len)
  2.1064 -+		if ((len -= sizeof(pi)) > count)
  2.1065 - 			return -EINVAL;
  2.1066 - 
  2.1067 - 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
  2.1068 -diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
  2.1069 ---- a/drivers/net/via-rhine.c
  2.1070 -+++ b/drivers/net/via-rhine.c
  2.1071 -@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 
  2.1072 - 		       dev->name, rp->pdev->irq);
  2.1073 - 
  2.1074 - 	rc = alloc_ring(dev);
  2.1075 --	if (rc)
  2.1076 -+	if (rc) {
  2.1077 -+		free_irq(rp->pdev->irq, dev);
  2.1078 - 		return rc;
  2.1079 -+	}
  2.1080 - 	alloc_rbufs(dev);
  2.1081 - 	alloc_tbufs(dev);
  2.1082 - 	rhine_chip_reset(dev);
  2.1083 -@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic
  2.1084 - 	struct rhine_private *rp = netdev_priv(dev);
  2.1085 - 	void __iomem *ioaddr = rp->base;
  2.1086 - 
  2.1087 -+	if (!(rp->quirks & rqWOL))
  2.1088 -+		return; /* Nothing to do for non-WOL adapters */
  2.1089 -+
  2.1090 - 	rhine_power_init(dev);
  2.1091 - 
  2.1092 - 	/* Make sure we use pattern 0, 1 and not 4, 5 */
  2.1093 -diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
  2.1094 ---- a/drivers/net/wan/hd6457x.c
  2.1095 -+++ b/drivers/net/wan/hd6457x.c
  2.1096 -@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 
  2.1097 - #endif
  2.1098 - 	stats->rx_packets++;
  2.1099 - 	stats->rx_bytes += skb->len;
  2.1100 --	skb->dev->last_rx = jiffies;
  2.1101 -+	dev->last_rx = jiffies;
  2.1102 - 	skb->protocol = hdlc_type_trans(skb, dev);
  2.1103 - 	netif_rx(skb);
  2.1104 - }
  2.1105 -diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
  2.1106 ---- a/drivers/pci/hotplug/pciehp_ctrl.c
  2.1107 -+++ b/drivers/pci/hotplug/pciehp_ctrl.c
  2.1108 -@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 
  2.1109 - 				dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
  2.1110 - 					ctrl->seg, func->bus, func->device, func->function);
  2.1111 - 				bridge_slot_remove(func);
  2.1112 --			} else
  2.1113 -+			} else {
  2.1114 - 				dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
  2.1115 - 					ctrl->seg, func->bus, func->device, func->function);
  2.1116 - 				slot_remove(func);
  2.1117 -+			}
  2.1118 - 
  2.1119 - 			func = pciehp_slot_find(ctrl->slot_bus, device, 0);
  2.1120 - 		}
  2.1121 -diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
  2.1122 ---- a/drivers/usb/serial/visor.c
  2.1123 -+++ b/drivers/usb/serial/visor.c
  2.1124 -@@ -386,6 +386,7 @@ struct visor_private {
  2.1125 - 	int bytes_in;
  2.1126 - 	int bytes_out;
  2.1127 - 	int outstanding_urbs;
  2.1128 -+	int throttled;
  2.1129 - };
  2.1130 - 
  2.1131 - /* number of outstanding urbs to prevent userspace DoS from happening */
  2.1132 -@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial
  2.1133 - 	priv->bytes_in = 0;
  2.1134 - 	priv->bytes_out = 0;
  2.1135 - 	priv->outstanding_urbs = 0;
  2.1136 -+	priv->throttled = 0;
  2.1137 - 	spin_unlock_irqrestore(&priv->lock, flags);
  2.1138 - 
  2.1139 - 	/*
  2.1140 -@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st
  2.1141 - 	struct tty_struct *tty;
  2.1142 - 	unsigned long flags;
  2.1143 - 	int i;
  2.1144 -+	int throttled;
  2.1145 - 	int result;
  2.1146 - 
  2.1147 - 	dbg("%s - port %d", __FUNCTION__, port->number);
  2.1148 -@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st
  2.1149 - 	}
  2.1150 - 	spin_lock_irqsave(&priv->lock, flags);
  2.1151 - 	priv->bytes_in += urb->actual_length;
  2.1152 -+	throttled = priv->throttled;
  2.1153 - 	spin_unlock_irqrestore(&priv->lock, flags);
  2.1154 - 
  2.1155 --	/* Continue trying to always read  */
  2.1156 --	usb_fill_bulk_urb (port->read_urb, port->serial->dev,
  2.1157 --			   usb_rcvbulkpipe(port->serial->dev,
  2.1158 --					   port->bulk_in_endpointAddress),
  2.1159 --			   port->read_urb->transfer_buffer,
  2.1160 --			   port->read_urb->transfer_buffer_length,
  2.1161 --			   visor_read_bulk_callback, port);
  2.1162 --	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  2.1163 --	if (result)
  2.1164 --		dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
  2.1165 -+	/* Continue trying to always read if we should */
  2.1166 -+	if (!throttled) {
  2.1167 -+		usb_fill_bulk_urb (port->read_urb, port->serial->dev,
  2.1168 -+				   usb_rcvbulkpipe(port->serial->dev,
  2.1169 -+						   port->bulk_in_endpointAddress),
  2.1170 -+				   port->read_urb->transfer_buffer,
  2.1171 -+				   port->read_urb->transfer_buffer_length,
  2.1172 -+				   visor_read_bulk_callback, port);
  2.1173 -+		result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  2.1174 -+		if (result)
  2.1175 -+			dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
  2.1176 -+	}
  2.1177 - 	return;
  2.1178 - }
  2.1179 - 
  2.1180 -@@ -683,16 +689,26 @@ exit:
  2.1181 - 
  2.1182 - static void visor_throttle (struct usb_serial_port *port)
  2.1183 - {
  2.1184 -+	struct visor_private *priv = usb_get_serial_port_data(port);
  2.1185 -+	unsigned long flags;
  2.1186 -+
  2.1187 - 	dbg("%s - port %d", __FUNCTION__, port->number);
  2.1188 --	usb_kill_urb(port->read_urb);
  2.1189 -+	spin_lock_irqsave(&priv->lock, flags);
  2.1190 -+	priv->throttled = 1;
  2.1191 -+	spin_unlock_irqrestore(&priv->lock, flags);
  2.1192 - }
  2.1193 - 
  2.1194 - 
  2.1195 - static void visor_unthrottle (struct usb_serial_port *port)
  2.1196 - {
  2.1197 -+	struct visor_private *priv = usb_get_serial_port_data(port);
  2.1198 -+	unsigned long flags;
  2.1199 - 	int result;
  2.1200 - 
  2.1201 - 	dbg("%s - port %d", __FUNCTION__, port->number);
  2.1202 -+	spin_lock_irqsave(&priv->lock, flags);
  2.1203 -+	priv->throttled = 0;
  2.1204 -+	spin_unlock_irqrestore(&priv->lock, flags);
  2.1205 - 
  2.1206 - 	port->read_urb->dev = port->serial->dev;
  2.1207 - 	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  2.1208 -diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c
  2.1209 ---- a/drivers/video/matrox/matroxfb_accel.c
  2.1210 -+++ b/drivers/video/matrox/matroxfb_accel.c
  2.1211 -@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI
  2.1212 - 		} else if (step == 1) {
  2.1213 - 			/* Special case for 1..8bit widths */
  2.1214 - 			while (height--) {
  2.1215 --				mga_writel(mmio, 0, *chardata);
  2.1216 -+#if defined(__BIG_ENDIAN)
  2.1217 -+				fb_writel((*chardata) << 24, mmio.vaddr);
  2.1218 -+#else
  2.1219 -+				fb_writel(*chardata, mmio.vaddr);
  2.1220 -+#endif
  2.1221 - 				chardata++;
  2.1222 - 			}
  2.1223 - 		} else if (step == 2) {
  2.1224 - 			/* Special case for 9..15bit widths */
  2.1225 - 			while (height--) {
  2.1226 --				mga_writel(mmio, 0, *(u_int16_t*)chardata);
  2.1227 -+#if defined(__BIG_ENDIAN)
  2.1228 -+				fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr);
  2.1229 -+#else
  2.1230 -+				fb_writel(*(u_int16_t*)chardata, mmio.vaddr);
  2.1231 -+#endif
  2.1232 - 				chardata += 2;
  2.1233 - 			}
  2.1234 - 		} else {
  2.1235 -@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI
  2.1236 - 				
  2.1237 - 				for (i = 0; i < step; i += 4) {
  2.1238 - 					/* Hope that there are at least three readable bytes beyond the end of bitmap */
  2.1239 --					mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i)));
  2.1240 -+					fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr);
  2.1241 - 				}
  2.1242 - 				chardata += step;
  2.1243 - 			}
  2.1244 -diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h
  2.1245 ---- a/drivers/video/matrox/matroxfb_base.h
  2.1246 -+++ b/drivers/video/matrox/matroxfb_base.h
  2.1247 -@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr
  2.1248 - 
  2.1249 - 	if ((unsigned long)src & 3) {
  2.1250 - 		while (len >= 4) {
  2.1251 --			writel(get_unaligned((u32 *)src), addr);
  2.1252 -+			fb_writel(get_unaligned((u32 *)src), addr);
  2.1253 - 			addr++;
  2.1254 - 			len -= 4;
  2.1255 - 			src += 4;
  2.1256 - 		}
  2.1257 - 	} else {
  2.1258 - 		while (len >= 4) {
  2.1259 --			writel(*(u32 *)src, addr);
  2.1260 -+			fb_writel(*(u32 *)src, addr);
  2.1261 - 			addr++;
  2.1262 - 			len -= 4;
  2.1263 - 			src += 4;
  2.1264 -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
  2.1265 ---- a/fs/binfmt_elf.c
  2.1266 -+++ b/fs/binfmt_elf.c
  2.1267 -@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b
  2.1268 - 	}
  2.1269 - 
  2.1270 - 	/* Populate argv and envp */
  2.1271 --	p = current->mm->arg_start;
  2.1272 -+	p = current->mm->arg_end = current->mm->arg_start;
  2.1273 - 	while (argc-- > 0) {
  2.1274 - 		size_t len;
  2.1275 - 		__put_user((elf_addr_t)p, argv++);
  2.1276 -@@ -1008,6 +1008,7 @@ out_free_ph:
  2.1277 - static int load_elf_library(struct file *file)
  2.1278 - {
  2.1279 - 	struct elf_phdr *elf_phdata;
  2.1280 -+	struct elf_phdr *eppnt;
  2.1281 - 	unsigned long elf_bss, bss, len;
  2.1282 - 	int retval, error, i, j;
  2.1283 - 	struct elfhdr elf_ex;
  2.1284 -@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 
  2.1285 - 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
  2.1286 - 
  2.1287 - 	error = -ENOMEM;
  2.1288 --	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
  2.1289 -+	elf_phdata = kmalloc(j, GFP_KERNEL);
  2.1290 - 	if (!elf_phdata)
  2.1291 - 		goto out;
  2.1292 - 
  2.1293 -+	eppnt = elf_phdata;
  2.1294 - 	error = -ENOEXEC;
  2.1295 --	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
  2.1296 -+	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
  2.1297 - 	if (retval != j)
  2.1298 - 		goto out_free_ph;
  2.1299 - 
  2.1300 - 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
  2.1301 --		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
  2.1302 -+		if ((eppnt + i)->p_type == PT_LOAD)
  2.1303 -+			j++;
  2.1304 - 	if (j != 1)
  2.1305 - 		goto out_free_ph;
  2.1306 - 
  2.1307 --	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
  2.1308 -+	while (eppnt->p_type != PT_LOAD)
  2.1309 -+		eppnt++;
  2.1310 - 
  2.1311 - 	/* Now use mmap to map the library into memory. */
  2.1312 - 	down_write(&current->mm->mmap_sem);
  2.1313 - 	error = do_mmap(file,
  2.1314 --			ELF_PAGESTART(elf_phdata->p_vaddr),
  2.1315 --			(elf_phdata->p_filesz +
  2.1316 --			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
  2.1317 -+			ELF_PAGESTART(eppnt->p_vaddr),
  2.1318 -+			(eppnt->p_filesz +
  2.1319 -+			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
  2.1320 - 			PROT_READ | PROT_WRITE | PROT_EXEC,
  2.1321 - 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
  2.1322 --			(elf_phdata->p_offset -
  2.1323 --			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
  2.1324 -+			(eppnt->p_offset -
  2.1325 -+			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
  2.1326 - 	up_write(&current->mm->mmap_sem);
  2.1327 --	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
  2.1328 -+	if (error != ELF_PAGESTART(eppnt->p_vaddr))
  2.1329 - 		goto out_free_ph;
  2.1330 - 
  2.1331 --	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
  2.1332 -+	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
  2.1333 - 	if (padzero(elf_bss)) {
  2.1334 - 		error = -EFAULT;
  2.1335 - 		goto out_free_ph;
  2.1336 - 	}
  2.1337 - 
  2.1338 --	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
  2.1339 --	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
  2.1340 -+	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
  2.1341 -+	bss = eppnt->p_memsz + eppnt->p_vaddr;
  2.1342 - 	if (bss > len) {
  2.1343 - 		down_write(&current->mm->mmap_sem);
  2.1344 - 		do_brk(len, bss - len);
  2.1345 -@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs
  2.1346 - static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
  2.1347 - 		       struct mm_struct *mm)
  2.1348 - {
  2.1349 --	int i, len;
  2.1350 -+	unsigned int i, len;
  2.1351 - 	
  2.1352 - 	/* first copy the parameters from user space */
  2.1353 - 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
  2.1354 -diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
  2.1355 ---- a/fs/cramfs/inode.c
  2.1356 -+++ b/fs/cramfs/inode.c
  2.1357 -@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st
  2.1358 - 			inode->i_data.a_ops = &cramfs_aops;
  2.1359 - 		} else {
  2.1360 - 			inode->i_size = 0;
  2.1361 -+			inode->i_blocks = 0;
  2.1362 - 			init_special_inode(inode, inode->i_mode,
  2.1363 - 				old_decode_dev(cramfs_inode->size));
  2.1364 - 		}
  2.1365 -diff --git a/fs/eventpoll.c b/fs/eventpoll.c
  2.1366 ---- a/fs/eventpoll.c
  2.1367 -+++ b/fs/eventpoll.c
  2.1368 -@@ -619,6 +619,7 @@ eexit_1:
  2.1369 - 	return error;
  2.1370 - }
  2.1371 - 
  2.1372 -+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
  2.1373 - 
  2.1374 - /*
  2.1375 -  * Implement the event wait interface for the eventpoll file. It is the kernel
  2.1376 -@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd,
  2.1377 - 		     current, epfd, events, maxevents, timeout));
  2.1378 - 
  2.1379 - 	/* The maximum number of event must be greater than zero */
  2.1380 --	if (maxevents <= 0)
  2.1381 -+	if (maxevents <= 0 || maxevents > MAX_EVENTS)
  2.1382 - 		return -EINVAL;
  2.1383 - 
  2.1384 - 	/* Verify that the area passed by the user is writeable */
  2.1385 -diff --git a/fs/exec.c b/fs/exec.c
  2.1386 ---- a/fs/exec.c
  2.1387 -+++ b/fs/exec.c
  2.1388 -@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas
  2.1389 - {
  2.1390 - 	/* buf must be at least sizeof(tsk->comm) in size */
  2.1391 - 	task_lock(tsk);
  2.1392 --	memcpy(buf, tsk->comm, sizeof(tsk->comm));
  2.1393 -+	strncpy(buf, tsk->comm, sizeof(tsk->comm));
  2.1394 - 	task_unlock(tsk);
  2.1395 - }
  2.1396 - 
  2.1397 -diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
  2.1398 ---- a/fs/ext2/dir.c
  2.1399 -+++ b/fs/ext2/dir.c
  2.1400 -@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
  2.1401 - 		goto fail;
  2.1402 - 	}
  2.1403 - 	kaddr = kmap_atomic(page, KM_USER0);
  2.1404 -+       memset(kaddr, 0, chunk_size);
  2.1405 - 	de = (struct ext2_dir_entry_2 *)kaddr;
  2.1406 - 	de->name_len = 1;
  2.1407 - 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
  2.1408 -diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
  2.1409 ---- a/fs/ext3/balloc.c
  2.1410 -+++ b/fs/ext3/balloc.c
  2.1411 -@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino
  2.1412 - 
  2.1413 - 	if (!rsv_is_empty(&rsv->rsv_window)) {
  2.1414 - 		spin_lock(rsv_lock);
  2.1415 --		rsv_window_remove(inode->i_sb, rsv);
  2.1416 -+		if (!rsv_is_empty(&rsv->rsv_window))
  2.1417 -+			rsv_window_remove(inode->i_sb, rsv);
  2.1418 - 		spin_unlock(rsv_lock);
  2.1419 - 	}
  2.1420 - }
  2.1421 -diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
  2.1422 ---- a/fs/isofs/inode.c
  2.1423 -+++ b/fs/isofs/inode.c
  2.1424 -@@ -685,6 +685,8 @@ root_found:
  2.1425 - 	  sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
  2.1426 - 	  sbi->s_max_size = isonum_733(h_pri->volume_space_size);
  2.1427 - 	} else {
  2.1428 -+	  if (!pri)
  2.1429 -+	    goto out_freebh;
  2.1430 - 	  rootp = (struct iso_directory_record *) pri->root_directory_record;
  2.1431 - 	  sbi->s_nzones = isonum_733 (pri->volume_space_size);
  2.1432 - 	  sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
  2.1433 -@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl
  2.1434 - 	struct inode *inode;
  2.1435 - 	struct isofs_iget5_callback_data data;
  2.1436 - 
  2.1437 -+	if (offset >= 1ul << sb->s_blocksize_bits)
  2.1438 -+		return NULL;
  2.1439 -+
  2.1440 - 	data.block = block;
  2.1441 - 	data.offset = offset;
  2.1442 - 
  2.1443 -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
  2.1444 ---- a/fs/isofs/rock.c
  2.1445 -+++ b/fs/isofs/rock.c
  2.1446 -@@ -53,6 +53,7 @@
  2.1447 -   if(LEN & 1) LEN++;						\
  2.1448 -   CHR = ((unsigned char *) DE) + LEN;				\
  2.1449 -   LEN = *((unsigned char *) DE) - LEN;                          \
  2.1450 -+  if (LEN<0) LEN=0;                                             \
  2.1451 -   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
  2.1452 -   {                                                             \
  2.1453 -      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
  2.1454 -@@ -73,6 +74,10 @@
  2.1455 -     offset1 = 0; \
  2.1456 -     pbh = sb_bread(DEV->i_sb, block); \
  2.1457 -     if(pbh){       \
  2.1458 -+      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
  2.1459 -+	brelse(pbh); \
  2.1460 -+	goto out; \
  2.1461 -+      } \
  2.1462 -       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
  2.1463 -       brelse(pbh); \
  2.1464 -       chr = (unsigned char *) buffer; \
  2.1465 -@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d
  2.1466 -     struct rock_ridge * rr;
  2.1467 -     int sig;
  2.1468 -     
  2.1469 --    while (len > 1){ /* There may be one byte for padding somewhere */
  2.1470 -+    while (len > 2){ /* There may be one byte for padding somewhere */
  2.1471 -       rr = (struct rock_ridge *) chr;
  2.1472 --      if (rr->len == 0) goto out; /* Something got screwed up here */
  2.1473 -+      if (rr->len < 3) goto out; /* Something got screwed up here */
  2.1474 -       sig = isonum_721(chr);
  2.1475 -       chr += rr->len; 
  2.1476 -       len -= rr->len;
  2.1477 -+      if (len < 0) goto out;	/* corrupted isofs */
  2.1478 - 
  2.1479 -       switch(sig){
  2.1480 -       case SIG('R','R'):
  2.1481 -@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d
  2.1482 - 	break;
  2.1483 -       case SIG('N','M'):
  2.1484 - 	if (truncate) break;
  2.1485 -+	if (rr->len < 5) break;
  2.1486 -         /*
  2.1487 - 	 * If the flags are 2 or 4, this indicates '.' or '..'.
  2.1488 - 	 * We don't want to do anything with this, because it
  2.1489 -@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i
  2.1490 -     struct rock_ridge * rr;
  2.1491 -     int rootflag;
  2.1492 -     
  2.1493 --    while (len > 1){ /* There may be one byte for padding somewhere */
  2.1494 -+    while (len > 2){ /* There may be one byte for padding somewhere */
  2.1495 -       rr = (struct rock_ridge *) chr;
  2.1496 --      if (rr->len == 0) goto out; /* Something got screwed up here */
  2.1497 -+      if (rr->len < 3) goto out; /* Something got screwed up here */
  2.1498 -       sig = isonum_721(chr);
  2.1499 -       chr += rr->len; 
  2.1500 -       len -= rr->len;
  2.1501 -+      if (len < 0) goto out;	/* corrupted isofs */
  2.1502 -       
  2.1503 -       switch(sig){
  2.1504 - #ifndef CONFIG_ZISOFS		/* No flag for SF or ZF */
  2.1505 -@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s
  2.1506 - 	struct rock_ridge *rr;
  2.1507 - 
  2.1508 - 	if (!ISOFS_SB(inode->i_sb)->s_rock)
  2.1509 --		panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
  2.1510 -+		goto error;
  2.1511 - 
  2.1512 - 	block = ei->i_iget5_block;
  2.1513 - 	lock_kernel();
  2.1514 -@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s
  2.1515 - 	SETUP_ROCK_RIDGE(raw_inode, chr, len);
  2.1516 - 
  2.1517 -       repeat:
  2.1518 --	while (len > 1) { /* There may be one byte for padding somewhere */
  2.1519 -+	while (len > 2) { /* There may be one byte for padding somewhere */
  2.1520 - 		rr = (struct rock_ridge *) chr;
  2.1521 --		if (rr->len == 0)
  2.1522 -+		if (rr->len < 3)
  2.1523 - 			goto out;	/* Something got screwed up here */
  2.1524 - 		sig = isonum_721(chr);
  2.1525 - 		chr += rr->len;
  2.1526 - 		len -= rr->len;
  2.1527 -+		if (len < 0)
  2.1528 -+			goto out;	/* corrupted isofs */
  2.1529 - 
  2.1530 - 		switch (sig) {
  2.1531 - 		case SIG('R', 'R'):
  2.1532 -@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s
  2.1533 -       fail:
  2.1534 - 	brelse(bh);
  2.1535 - 	unlock_kernel();
  2.1536 -+      error:
  2.1537 - 	SetPageError(page);
  2.1538 - 	kunmap(page);
  2.1539 - 	unlock_page(page);
  2.1540 -diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
  2.1541 ---- a/fs/jbd/transaction.c
  2.1542 -+++ b/fs/jbd/transaction.c
  2.1543 -@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
  2.1544 - 			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  2.1545 - 			ret = __dispose_buffer(jh,
  2.1546 - 					journal->j_running_transaction);
  2.1547 -+			journal_put_journal_head(jh);
  2.1548 - 			spin_unlock(&journal->j_list_lock);
  2.1549 - 			jbd_unlock_bh_state(bh);
  2.1550 - 			spin_unlock(&journal->j_state_lock);
  2.1551 --			journal_put_journal_head(jh);
  2.1552 - 			return ret;
  2.1553 - 		} else {
  2.1554 - 			/* There is no currently-running transaction. So the
  2.1555 -@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
  2.1556 - 				JBUFFER_TRACE(jh, "give to committing trans");
  2.1557 - 				ret = __dispose_buffer(jh,
  2.1558 - 					journal->j_committing_transaction);
  2.1559 -+				journal_put_journal_head(jh);
  2.1560 - 				spin_unlock(&journal->j_list_lock);
  2.1561 - 				jbd_unlock_bh_state(bh);
  2.1562 - 				spin_unlock(&journal->j_state_lock);
  2.1563 --				journal_put_journal_head(jh);
  2.1564 - 				return ret;
  2.1565 - 			} else {
  2.1566 - 				/* The orphan record's transaction has
  2.1567 -@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
  2.1568 - 					journal->j_running_transaction);
  2.1569 - 			jh->b_next_transaction = NULL;
  2.1570 - 		}
  2.1571 -+		journal_put_journal_head(jh);
  2.1572 - 		spin_unlock(&journal->j_list_lock);
  2.1573 - 		jbd_unlock_bh_state(bh);
  2.1574 - 		spin_unlock(&journal->j_state_lock);
  2.1575 --		journal_put_journal_head(jh);
  2.1576 - 		return 0;
  2.1577 - 	} else {
  2.1578 - 		/* Good, the buffer belongs to the running transaction.
  2.1579 -diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h
  2.1580 ---- a/include/asm-x86_64/processor.h
  2.1581 -+++ b/include/asm-x86_64/processor.h
  2.1582 -@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne
  2.1583 - 
  2.1584 - 
  2.1585 - /*
  2.1586 -- * User space process size. 47bits.
  2.1587 -+ * User space process size. 47bits minus one guard page.
  2.1588 -  */
  2.1589 --#define TASK_SIZE	(0x800000000000UL)
  2.1590 -+#define TASK_SIZE	(0x800000000000UL - 4096)
  2.1591 - 
  2.1592 - /* This decides where the kernel will search for a free chunk of vm
  2.1593 -  * space during mmap's.
  2.1594 -diff --git a/include/linux/err.h b/include/linux/err.h
  2.1595 ---- a/include/linux/err.h
  2.1596 -+++ b/include/linux/err.h
  2.1597 -@@ -13,6 +13,8 @@
  2.1598 -  * This should be a per-architecture thing, to allow different
  2.1599 -  * error and pointer decisions.
  2.1600 -  */
  2.1601 -+#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
  2.1602 -+
  2.1603 - static inline void *ERR_PTR(long error)
  2.1604 - {
  2.1605 - 	return (void *) error;
  2.1606 -@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p
  2.1607 - 
  2.1608 - static inline long IS_ERR(const void *ptr)
  2.1609 - {
  2.1610 --	return unlikely((unsigned long)ptr > (unsigned long)-1000L);
  2.1611 -+	return IS_ERR_VALUE((unsigned long)ptr);
  2.1612 - }
  2.1613 - 
  2.1614 - #endif /* _LINUX_ERR_H */
  2.1615 -diff --git a/kernel/exit.c b/kernel/exit.c
  2.1616 ---- a/kernel/exit.c
  2.1617 -+++ b/kernel/exit.c
  2.1618 -@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas
  2.1619 - 	 */
  2.1620 - 	BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
  2.1621 - 	p->real_parent = reaper;
  2.1622 --	if (p->parent == p->real_parent)
  2.1623 --		BUG();
  2.1624 - }
  2.1625 - 
  2.1626 - static inline void reparent_thread(task_t *p, task_t *father, int traced)
  2.1627 -diff --git a/kernel/signal.c b/kernel/signal.c
  2.1628 ---- a/kernel/signal.c
  2.1629 -+++ b/kernel/signal.c
  2.1630 -@@ -1728,6 +1728,7 @@ do_signal_stop(int signr)
  2.1631 - 			 * with another processor delivering a stop signal,
  2.1632 - 			 * then the SIGCONT that wakes us up should clear it.
  2.1633 - 			 */
  2.1634 -+			read_unlock(&tasklist_lock);
  2.1635 - 			return 0;
  2.1636 - 		}
  2.1637 - 
  2.1638 -diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
  2.1639 ---- a/lib/rwsem-spinlock.c
  2.1640 -+++ b/lib/rwsem-spinlock.c
  2.1641 -@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
  2.1642 - 
  2.1643 - 	rwsemtrace(sem, "Entering __down_read");
  2.1644 - 
  2.1645 --	spin_lock(&sem->wait_lock);
  2.1646 -+	spin_lock_irq(&sem->wait_lock);
  2.1647 - 
  2.1648 - 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  2.1649 - 		/* granted */
  2.1650 - 		sem->activity++;
  2.1651 --		spin_unlock(&sem->wait_lock);
  2.1652 -+		spin_unlock_irq(&sem->wait_lock);
  2.1653 - 		goto out;
  2.1654 - 	}
  2.1655 - 
  2.1656 -@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
  2.1657 - 	list_add_tail(&waiter.list, &sem->wait_list);
  2.1658 - 
  2.1659 - 	/* we don't need to touch the semaphore struct anymore */
  2.1660 --	spin_unlock(&sem->wait_lock);
  2.1661 -+	spin_unlock_irq(&sem->wait_lock);
  2.1662 - 
  2.1663 - 	/* wait to be given the lock */
  2.1664 - 	for (;;) {
  2.1665 -@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
  2.1666 -  */
  2.1667 - int fastcall __down_read_trylock(struct rw_semaphore *sem)
  2.1668 - {
  2.1669 -+	unsigned long flags;
  2.1670 - 	int ret = 0;
  2.1671 -+
  2.1672 - 	rwsemtrace(sem, "Entering __down_read_trylock");
  2.1673 - 
  2.1674 --	spin_lock(&sem->wait_lock);
  2.1675 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1676 - 
  2.1677 - 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  2.1678 - 		/* granted */
  2.1679 -@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct 
  2.1680 - 		ret = 1;
  2.1681 - 	}
  2.1682 - 
  2.1683 --	spin_unlock(&sem->wait_lock);
  2.1684 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1685 - 
  2.1686 - 	rwsemtrace(sem, "Leaving __down_read_trylock");
  2.1687 - 	return ret;
  2.1688 -@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
  2.1689 - 
  2.1690 - 	rwsemtrace(sem, "Entering __down_write");
  2.1691 - 
  2.1692 --	spin_lock(&sem->wait_lock);
  2.1693 -+	spin_lock_irq(&sem->wait_lock);
  2.1694 - 
  2.1695 - 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  2.1696 - 		/* granted */
  2.1697 - 		sem->activity = -1;
  2.1698 --		spin_unlock(&sem->wait_lock);
  2.1699 -+		spin_unlock_irq(&sem->wait_lock);
  2.1700 - 		goto out;
  2.1701 - 	}
  2.1702 - 
  2.1703 -@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
  2.1704 - 	list_add_tail(&waiter.list, &sem->wait_list);
  2.1705 - 
  2.1706 - 	/* we don't need to touch the semaphore struct anymore */
  2.1707 --	spin_unlock(&sem->wait_lock);
  2.1708 -+	spin_unlock_irq(&sem->wait_lock);
  2.1709 - 
  2.1710 - 	/* wait to be given the lock */
  2.1711 - 	for (;;) {
  2.1712 -@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
  2.1713 -  */
  2.1714 - int fastcall __down_write_trylock(struct rw_semaphore *sem)
  2.1715 - {
  2.1716 -+	unsigned long flags;
  2.1717 - 	int ret = 0;
  2.1718 -+
  2.1719 - 	rwsemtrace(sem, "Entering __down_write_trylock");
  2.1720 - 
  2.1721 --	spin_lock(&sem->wait_lock);
  2.1722 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1723 - 
  2.1724 - 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  2.1725 - 		/* granted */
  2.1726 -@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
  2.1727 - 		ret = 1;
  2.1728 - 	}
  2.1729 - 
  2.1730 --	spin_unlock(&sem->wait_lock);
  2.1731 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1732 - 
  2.1733 - 	rwsemtrace(sem, "Leaving __down_write_trylock");
  2.1734 - 	return ret;
  2.1735 -@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
  2.1736 -  */
  2.1737 - void fastcall __up_read(struct rw_semaphore *sem)
  2.1738 - {
  2.1739 -+	unsigned long flags;
  2.1740 -+
  2.1741 - 	rwsemtrace(sem, "Entering __up_read");
  2.1742 - 
  2.1743 --	spin_lock(&sem->wait_lock);
  2.1744 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1745 - 
  2.1746 - 	if (--sem->activity == 0 && !list_empty(&sem->wait_list))
  2.1747 - 		sem = __rwsem_wake_one_writer(sem);
  2.1748 - 
  2.1749 --	spin_unlock(&sem->wait_lock);
  2.1750 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1751 - 
  2.1752 - 	rwsemtrace(sem, "Leaving __up_read");
  2.1753 - }
  2.1754 -@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
  2.1755 -  */
  2.1756 - void fastcall __up_write(struct rw_semaphore *sem)
  2.1757 - {
  2.1758 -+	unsigned long flags;
  2.1759 -+
  2.1760 - 	rwsemtrace(sem, "Entering __up_write");
  2.1761 - 
  2.1762 --	spin_lock(&sem->wait_lock);
  2.1763 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1764 - 
  2.1765 - 	sem->activity = 0;
  2.1766 - 	if (!list_empty(&sem->wait_list))
  2.1767 - 		sem = __rwsem_do_wake(sem, 1);
  2.1768 - 
  2.1769 --	spin_unlock(&sem->wait_lock);
  2.1770 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1771 - 
  2.1772 - 	rwsemtrace(sem, "Leaving __up_write");
  2.1773 - }
  2.1774 -@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
  2.1775 -  */
  2.1776 - void fastcall __downgrade_write(struct rw_semaphore *sem)
  2.1777 - {
  2.1778 -+	unsigned long flags;
  2.1779 -+
  2.1780 - 	rwsemtrace(sem, "Entering __downgrade_write");
  2.1781 - 
  2.1782 --	spin_lock(&sem->wait_lock);
  2.1783 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1784 - 
  2.1785 - 	sem->activity = 1;
  2.1786 - 	if (!list_empty(&sem->wait_list))
  2.1787 - 		sem = __rwsem_do_wake(sem, 0);
  2.1788 - 
  2.1789 --	spin_unlock(&sem->wait_lock);
  2.1790 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1791 - 
  2.1792 - 	rwsemtrace(sem, "Leaving __downgrade_write");
  2.1793 - }
  2.1794 -diff --git a/lib/rwsem.c b/lib/rwsem.c
  2.1795 ---- a/lib/rwsem.c
  2.1796 -+++ b/lib/rwsem.c
  2.1797 -@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
  2.1798 - 	set_task_state(tsk, TASK_UNINTERRUPTIBLE);
  2.1799 - 
  2.1800 - 	/* set up my own style of waitqueue */
  2.1801 --	spin_lock(&sem->wait_lock);
  2.1802 -+	spin_lock_irq(&sem->wait_lock);
  2.1803 - 	waiter->task = tsk;
  2.1804 - 	get_task_struct(tsk);
  2.1805 - 
  2.1806 -@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
  2.1807 - 	if (!(count & RWSEM_ACTIVE_MASK))
  2.1808 - 		sem = __rwsem_do_wake(sem, 0);
  2.1809 - 
  2.1810 --	spin_unlock(&sem->wait_lock);
  2.1811 -+	spin_unlock_irq(&sem->wait_lock);
  2.1812 - 
  2.1813 - 	/* wait to be given the lock */
  2.1814 - 	for (;;) {
  2.1815 -@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
  2.1816 -  */
  2.1817 - struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
  2.1818 - {
  2.1819 -+	unsigned long flags;
  2.1820 -+
  2.1821 - 	rwsemtrace(sem, "Entering rwsem_wake");
  2.1822 - 
  2.1823 --	spin_lock(&sem->wait_lock);
  2.1824 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1825 - 
  2.1826 - 	/* do nothing if list empty */
  2.1827 - 	if (!list_empty(&sem->wait_list))
  2.1828 - 		sem = __rwsem_do_wake(sem, 0);
  2.1829 - 
  2.1830 --	spin_unlock(&sem->wait_lock);
  2.1831 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1832 - 
  2.1833 - 	rwsemtrace(sem, "Leaving rwsem_wake");
  2.1834 - 
  2.1835 -@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
  2.1836 -  */
  2.1837 - struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
  2.1838 - {
  2.1839 -+	unsigned long flags;
  2.1840 -+
  2.1841 - 	rwsemtrace(sem, "Entering rwsem_downgrade_wake");
  2.1842 - 
  2.1843 --	spin_lock(&sem->wait_lock);
  2.1844 -+	spin_lock_irqsave(&sem->wait_lock, flags);
  2.1845 - 
  2.1846 - 	/* do nothing if list empty */
  2.1847 - 	if (!list_empty(&sem->wait_list))
  2.1848 - 		sem = __rwsem_do_wake(sem, 1);
  2.1849 - 
  2.1850 --	spin_unlock(&sem->wait_lock);
  2.1851 -+	spin_unlock_irqrestore(&sem->wait_lock, flags);
  2.1852 - 
  2.1853 - 	rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
  2.1854 - 	return sem;
  2.1855 -diff --git a/mm/mmap.c b/mm/mmap.c
  2.1856 ---- a/mm/mmap.c
  2.1857 -+++ b/mm/mmap.c
  2.1858 -@@ -1315,37 +1315,40 @@ unsigned long
  2.1859 - get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
  2.1860 - 		unsigned long pgoff, unsigned long flags)
  2.1861 - {
  2.1862 --	if (flags & MAP_FIXED) {
  2.1863 --		unsigned long ret;
  2.1864 -+	unsigned long ret;
  2.1865 - 
  2.1866 --		if (addr > TASK_SIZE - len)
  2.1867 --			return -ENOMEM;
  2.1868 --		if (addr & ~PAGE_MASK)
  2.1869 --			return -EINVAL;
  2.1870 --		if (file && is_file_hugepages(file))  {
  2.1871 --			/*
  2.1872 --			 * Check if the given range is hugepage aligned, and
  2.1873 --			 * can be made suitable for hugepages.
  2.1874 --			 */
  2.1875 --			ret = prepare_hugepage_range(addr, len);
  2.1876 --		} else {
  2.1877 --			/*
  2.1878 --			 * Ensure that a normal request is not falling in a
  2.1879 --			 * reserved hugepage range.  For some archs like IA-64,
  2.1880 --			 * there is a separate region for hugepages.
  2.1881 --			 */
  2.1882 --			ret = is_hugepage_only_range(addr, len);
  2.1883 --		}
  2.1884 --		if (ret)
  2.1885 --			return -EINVAL;
  2.1886 --		return addr;
  2.1887 --	}
  2.1888 -+	if (!(flags & MAP_FIXED)) {
  2.1889 -+		unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
  2.1890 - 
  2.1891 --	if (file && file->f_op && file->f_op->get_unmapped_area)
  2.1892 --		return file->f_op->get_unmapped_area(file, addr, len,
  2.1893 --						pgoff, flags);
  2.1894 -+		get_area = current->mm->get_unmapped_area;
  2.1895 -+		if (file && file->f_op && file->f_op->get_unmapped_area)
  2.1896 -+			get_area = file->f_op->get_unmapped_area;
  2.1897 -+		addr = get_area(file, addr, len, pgoff, flags);
  2.1898 -+		if (IS_ERR_VALUE(addr))
  2.1899 -+			return addr;
  2.1900 -+	}
  2.1901 - 
  2.1902 --	return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
  2.1903 -+	if (addr > TASK_SIZE - len)
  2.1904 -+		return -ENOMEM;
  2.1905 -+	if (addr & ~PAGE_MASK)
  2.1906 -+		return -EINVAL;
  2.1907 -+	if (file && is_file_hugepages(file))  {
  2.1908 -+		/*
  2.1909 -+		 * Check if the given range is hugepage aligned, and
  2.1910 -+		 * can be made suitable for hugepages.
  2.1911 -+		 */
  2.1912 -+		ret = prepare_hugepage_range(addr, len);
  2.1913 -+	} else {
  2.1914 -+		/*
  2.1915 -+		 * Ensure that a normal request is not falling in a
  2.1916 -+		 * reserved hugepage range.  For some archs like IA-64,
  2.1917 -+		 * there is a separate region for hugepages.
  2.1918 -+		 */
  2.1919 -+		ret = is_hugepage_only_range(addr, len);
  2.1920 -+	}
  2.1921 -+	if (ret)
  2.1922 -+		return -EINVAL;
  2.1923 -+	return addr;
  2.1924 - }
  2.1925 - 
  2.1926 - EXPORT_SYMBOL(get_unmapped_area);
  2.1927 -diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
  2.1928 ---- a/net/bluetooth/af_bluetooth.c
  2.1929 -+++ b/net/bluetooth/af_bluetooth.c
  2.1930 -@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
  2.1931 - 
  2.1932 - int bt_sock_register(int proto, struct net_proto_family *ops)
  2.1933 - {
  2.1934 --	if (proto >= BT_MAX_PROTO)
  2.1935 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1936 - 		return -EINVAL;
  2.1937 - 
  2.1938 - 	if (bt_proto[proto])
  2.1939 -@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
  2.1940 - 
  2.1941 - int bt_sock_unregister(int proto)
  2.1942 - {
  2.1943 --	if (proto >= BT_MAX_PROTO)
  2.1944 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1945 - 		return -EINVAL;
  2.1946 - 
  2.1947 - 	if (!bt_proto[proto])
  2.1948 -@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket 
  2.1949 - {
  2.1950 - 	int err = 0;
  2.1951 - 
  2.1952 --	if (proto >= BT_MAX_PROTO)
  2.1953 -+	if (proto < 0 || proto >= BT_MAX_PROTO)
  2.1954 - 		return -EINVAL;
  2.1955 - 
  2.1956 - #if defined(CONFIG_KMOD)
  2.1957 -diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
  2.1958 ---- a/net/bridge/netfilter/ebtables.c
  2.1959 -+++ b/net/bridge/netfilter/ebtables.c
  2.1960 -@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 
  2.1961 - 	struct ebt_chainstack *cs;
  2.1962 - 	struct ebt_entries *chaininfo;
  2.1963 - 	char *base;
  2.1964 --	struct ebt_table_info *private = table->private;
  2.1965 -+	struct ebt_table_info *private;
  2.1966 - 
  2.1967 - 	read_lock_bh(&table->lock);
  2.1968 -+	private = table->private;
  2.1969 - 	cb_base = COUNTER_BASE(private->counters, private->nentries,
  2.1970 - 	   smp_processor_id());
  2.1971 - 	if (private->chainstack)
  2.1972 -diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
  2.1973 ---- a/net/ipv4/fib_hash.c
  2.1974 -+++ b/net/ipv4/fib_hash.c
  2.1975 -@@ -919,13 +919,23 @@ out:
  2.1976 - 	return fa;
  2.1977 - }
  2.1978 - 
  2.1979 -+static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
  2.1980 -+{
  2.1981 -+	struct fib_alias *fa = fib_get_first(seq);
  2.1982 -+
  2.1983 -+	if (fa)
  2.1984 -+		while (pos && (fa = fib_get_next(seq)))
  2.1985 -+			--pos;
  2.1986 -+	return pos ? NULL : fa;
  2.1987 -+}
  2.1988 -+
  2.1989 - static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
  2.1990 - {
  2.1991 - 	void *v = NULL;
  2.1992 - 
  2.1993 - 	read_lock(&fib_hash_lock);
  2.1994 - 	if (ip_fib_main_table)
  2.1995 --		v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
  2.1996 -+		v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
  2.1997 - 	return v;
  2.1998 - }
  2.1999 - 
  2.2000 -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
  2.2001 ---- a/net/ipv4/tcp_input.c
  2.2002 -+++ b/net/ipv4/tcp_input.c
  2.2003 -@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
  2.2004 - static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
  2.2005 - {
  2.2006 - 	if (tp->prior_ssthresh) {
  2.2007 --		tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  2.2008 -+		if (tcp_is_bic(tp))
  2.2009 -+			tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
  2.2010 -+		else
  2.2011 -+			tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  2.2012 - 
  2.2013 - 		if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
  2.2014 - 			tp->snd_ssthresh = tp->prior_ssthresh;
  2.2015 -diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
  2.2016 ---- a/net/ipv4/tcp_timer.c
  2.2017 -+++ b/net/ipv4/tcp_timer.c
  2.2018 -@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
  2.2019 - 
  2.2020 - #ifdef TCP_DEBUG
  2.2021 - const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
  2.2022 -+EXPORT_SYMBOL(tcp_timer_bug_msg);
  2.2023 - #endif
  2.2024 - 
  2.2025 - /*
  2.2026 -diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
  2.2027 ---- a/net/ipv4/xfrm4_output.c
  2.2028 -+++ b/net/ipv4/xfrm4_output.c
  2.2029 -@@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
  2.2030 - 			goto error_nolock;
  2.2031 - 	}
  2.2032 - 
  2.2033 --	spin_lock_bh(&x->lock);
  2.2034 --	err = xfrm_state_check(x, skb);
  2.2035 --	if (err)
  2.2036 --		goto error;
  2.2037 --
  2.2038 - 	if (x->props.mode) {
  2.2039 - 		err = xfrm4_tunnel_check_size(skb);
  2.2040 - 		if (err)
  2.2041 --			goto error;
  2.2042 -+			goto error_nolock;
  2.2043 - 	}
  2.2044 - 
  2.2045 -+	spin_lock_bh(&x->lock);
  2.2046 -+	err = xfrm_state_check(x, skb);
  2.2047 -+	if (err)
  2.2048 -+		goto error;
  2.2049 -+
  2.2050 - 	xfrm4_encap(skb);
  2.2051 - 
  2.2052 - 	err = x->type->output(skb);
  2.2053 -diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
  2.2054 ---- a/net/ipv6/xfrm6_output.c
  2.2055 -+++ b/net/ipv6/xfrm6_output.c
  2.2056 -@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
  2.2057 - 			goto error_nolock;
  2.2058 - 	}
  2.2059 - 
  2.2060 --	spin_lock_bh(&x->lock);
  2.2061 --	err = xfrm_state_check(x, skb);
  2.2062 --	if (err)
  2.2063 --		goto error;
  2.2064 --
  2.2065 - 	if (x->props.mode) {
  2.2066 - 		err = xfrm6_tunnel_check_size(skb);
  2.2067 - 		if (err)
  2.2068 --			goto error;
  2.2069 -+			goto error_nolock;
  2.2070 - 	}
  2.2071 - 
  2.2072 -+	spin_lock_bh(&x->lock);
  2.2073 -+	err = xfrm_state_check(x, skb);
  2.2074 -+	if (err)
  2.2075 -+		goto error;
  2.2076 -+
  2.2077 - 	xfrm6_encap(skb);
  2.2078 - 
  2.2079 - 	err = x->type->output(skb);
  2.2080 -diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
  2.2081 ---- a/net/netrom/nr_in.c
  2.2082 -+++ b/net/netrom/nr_in.c
  2.2083 -@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
  2.2084 - static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
  2.2085 - 	int frametype)
  2.2086 - {
  2.2087 --	bh_lock_sock(sk);
  2.2088 - 	switch (frametype) {
  2.2089 - 	case NR_CONNACK: {
  2.2090 - 		nr_cb *nr = nr_sk(sk);
  2.2091 -@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
  2.2092 - 	default:
  2.2093 - 		break;
  2.2094 - 	}
  2.2095 --	bh_unlock_sock(sk);
  2.2096 --
  2.2097 - 	return 0;
  2.2098 - }
  2.2099 - 
  2.2100 -@@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
  2.2101 - static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
  2.2102 - 	int frametype)
  2.2103 - {
  2.2104 --	bh_lock_sock(sk);
  2.2105 - 	switch (frametype) {
  2.2106 - 	case NR_CONNACK | NR_CHOKE_FLAG:
  2.2107 - 		nr_disconnect(sk, ECONNRESET);
  2.2108 -@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
  2.2109 - 	default:
  2.2110 - 		break;
  2.2111 - 	}
  2.2112 --	bh_unlock_sock(sk);
  2.2113 --
  2.2114 - 	return 0;
  2.2115 - }
  2.2116 - 
  2.2117 -@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
  2.2118 - 	nr = skb->data[18];
  2.2119 - 	ns = skb->data[17];
  2.2120 - 
  2.2121 --	bh_lock_sock(sk);
  2.2122 - 	switch (frametype) {
  2.2123 - 	case NR_CONNREQ:
  2.2124 - 		nr_write_internal(sk, NR_CONNACK);
  2.2125 -@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
  2.2126 - 	default:
  2.2127 - 		break;
  2.2128 - 	}
  2.2129 --	bh_unlock_sock(sk);
  2.2130 --
  2.2131 - 	return queued;
  2.2132 - }
  2.2133 - 
  2.2134 -diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
  2.2135 ---- a/net/rose/rose_route.c
  2.2136 -+++ b/net/rose/rose_route.c
  2.2137 -@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
  2.2138 - 		}
  2.2139 - 		if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
  2.2140 - 			return -EINVAL;
  2.2141 --
  2.2142 -+		if (rose_route.ndigis > 8) /* No more than 8 digipeats */
  2.2143 -+			return -EINVAL;
  2.2144 - 		err = rose_add_node(&rose_route, dev);
  2.2145 - 		dev_put(dev);
  2.2146 - 		return err;
  2.2147 -diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
  2.2148 ---- a/net/xfrm/xfrm_state.c
  2.2149 -+++ b/net/xfrm/xfrm_state.c
  2.2150 -@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
  2.2151 - 
  2.2152 - 	for (i = 0; i < XFRM_DST_HSIZE; i++) {
  2.2153 - 		list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
  2.2154 --			if (x->km.seq == seq) {
  2.2155 -+			if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
  2.2156 - 				xfrm_state_hold(x);
  2.2157 - 				return x;
  2.2158 - 			}
  2.2159 -diff --git a/security/keys/key.c b/security/keys/key.c
  2.2160 ---- a/security/keys/key.c
  2.2161 -+++ b/security/keys/key.c
  2.2162 -@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
  2.2163 - {
  2.2164 - 	struct key_user *candidate = NULL, *user;
  2.2165 - 	struct rb_node *parent = NULL;
  2.2166 --	struct rb_node **p = &key_user_tree.rb_node;
  2.2167 -+	struct rb_node **p;
  2.2168 - 
  2.2169 -  try_again:
  2.2170 -+	p = &key_user_tree.rb_node;
  2.2171 - 	spin_lock(&key_user_lock);
  2.2172 - 
  2.2173 - 	/* search the tree for a user record with a matching UID */
  2.2174 -diff --git a/sound/core/timer.c b/sound/core/timer.c
  2.2175 ---- a/sound/core/timer.c
  2.2176 -+++ b/sound/core/timer.c
  2.2177 -@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
  2.2178 - 	if (tu->qused >= tu->queue_size) {
  2.2179 - 		tu->overrun++;
  2.2180 - 	} else {
  2.2181 --		memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
  2.2182 -+		memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
  2.2183 -+		tu->qtail %= tu->queue_size;
  2.2184 - 		tu->qused++;
  2.2185 - 	}
  2.2186 - }
  2.2187 -@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
  2.2188 - 	spin_lock(&tu->qlock);
  2.2189 - 	snd_timer_user_append_to_tqueue(tu, &r1);
  2.2190 - 	spin_unlock(&tu->qlock);
  2.2191 -+	kill_fasync(&tu->fasync, SIGIO, POLL_IN);
  2.2192 -+	wake_up(&tu->qchange_sleep);
  2.2193 - }
  2.2194 - 
  2.2195 - static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
  2.2196 -diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
  2.2197 ---- a/sound/pci/ac97/ac97_codec.c
  2.2198 -+++ b/sound/pci/ac97/ac97_codec.c
  2.2199 -@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
  2.2200 - /*
  2.2201 -  * create mute switch(es) for normal stereo controls
  2.2202 -  */
  2.2203 --static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
  2.2204 -+static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
  2.2205 - {
  2.2206 - 	snd_kcontrol_t *kctl;
  2.2207 - 	int err;
  2.2208 -@@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
  2.2209 - 
  2.2210 - 	mute_mask = 0x8000;
  2.2211 - 	val = snd_ac97_read(ac97, reg);
  2.2212 --	if (ac97->flags & AC97_STEREO_MUTES) {
  2.2213 -+	if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
  2.2214 - 		/* check whether both mute bits work */
  2.2215 - 		val1 = val | 0x8080;
  2.2216 - 		snd_ac97_write(ac97, reg, val1);
  2.2217 -@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t 
  2.2218 - /*
  2.2219 -  * create a mute-switch and a volume for normal stereo/mono controls
  2.2220 -  */
  2.2221 --static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
  2.2222 -+static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
  2.2223 - {
  2.2224 - 	int err;
  2.2225 - 	char name[44];
  2.2226 -@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t 
  2.2227 - 
  2.2228 - 	if (snd_ac97_try_bit(ac97, reg, 15)) {
  2.2229 - 		sprintf(name, "%s Switch", pfx);
  2.2230 --		if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
  2.2231 -+		if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
  2.2232 - 			return err;
  2.2233 - 	}
  2.2234 - 	check_volume_resolution(ac97, reg, &lo_max, &hi_max);
  2.2235 -@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t 
  2.2236 - 	return 0;
  2.2237 - }
  2.2238 - 
  2.2239 -+#define snd_ac97_cmix_new(card, pfx, reg, ac97)	snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
  2.2240 -+#define snd_ac97_cmute_new(card, name, reg, ac97)	snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
  2.2241 - 
  2.2242 - static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
  2.2243 - 
  2.2244 -@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
  2.2245 - 
  2.2246 - 	/* build surround controls */
  2.2247 - 	if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
  2.2248 --		if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
  2.2249 -+		/* Surround Master (0x38) is with stereo mutes */
  2.2250 -+		if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
  2.2251 - 			return err;
  2.2252 - 	}
  2.2253 - 
  2.2254 -diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
  2.2255 ---- a/sound/usb/usbaudio.c
  2.2256 -+++ b/sound/usb/usbaudio.c
  2.2257 -@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
  2.2258 - 		}
  2.2259 - 		usb_chip[chip->index] = NULL;
  2.2260 - 		up(&register_mutex);
  2.2261 --		snd_card_free_in_thread(card);
  2.2262 -+		snd_card_free(card);
  2.2263 - 	} else {
  2.2264 - 		up(&register_mutex);
  2.2265 - 	}
  2.2266 -diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
  2.2267 ---- a/sound/usb/usx2y/usbusx2y.c
  2.2268 -+++ b/sound/usb/usx2y/usbusx2y.c
  2.2269 -@@ -1,6 +1,11 @@
  2.2270 - /*
  2.2271 -  * usbusy2y.c - ALSA USB US-428 Driver
  2.2272 -  *
  2.2273 -+2005-04-14 Karsten Wiese
  2.2274 -+	Version 0.8.7.2:
  2.2275 -+	Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
  2.2276 -+	Tested ok with kernel 2.6.12-rc2.
  2.2277 -+
  2.2278 - 2004-12-14 Karsten Wiese
  2.2279 - 	Version 0.8.7.1:
  2.2280 - 	snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
  2.2281 -@@ -143,7 +148,7 @@
  2.2282 - 
  2.2283 - 
  2.2284 - MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
  2.2285 --MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
  2.2286 -+MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
  2.2287 - MODULE_LICENSE("GPL");
  2.2288 - MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
  2.2289 - 
  2.2290 -@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct 
  2.2291 - 	if (ptr) {
  2.2292 - 		usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
  2.2293 - 		struct list_head* p;
  2.2294 --		if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP)	// on 2.6.1 kernel snd_usbmidi_disconnect()
  2.2295 --			return;					// calls us back. better leave :-) .
  2.2296 - 		usX2Y->chip.shutdown = 1;
  2.2297 - 		usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
  2.2298 - 		usX2Y_unlinkSeq(&usX2Y->AS04);
  2.2299 -@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct 
  2.2300 - 		}
  2.2301 - 		if (usX2Y->us428ctls_sharedmem) 
  2.2302 - 			wake_up(&usX2Y->us428ctls_wait_queue_head);
  2.2303 --		snd_card_free_in_thread((snd_card_t*)ptr);
  2.2304 -+		snd_card_free((snd_card_t*)ptr);
  2.2305 - 	}
  2.2306 - }
  2.2307 - 
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/patches/linux-2.6.11/linux-2.6.11.12.patch	Mon Jun 13 13:18:11 2005 +0000
     3.3 @@ -0,0 +1,2579 @@
     3.4 +diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs
     3.5 +new file mode 100644
     3.6 +--- /dev/null
     3.7 ++++ b/Documentation/SecurityBugs
     3.8 +@@ -0,0 +1,38 @@
     3.9 ++Linux kernel developers take security very seriously.  As such, we'd
    3.10 ++like to know when a security bug is found so that it can be fixed and
    3.11 ++disclosed as quickly as possible.  Please report security bugs to the
    3.12 ++Linux kernel security team.
    3.13 ++
    3.14 ++1) Contact
    3.15 ++
    3.16 ++The Linux kernel security team can be contacted by email at
    3.17 ++<security@kernel.org>.  This is a private list of security officers
    3.18 ++who will help verify the bug report and develop and release a fix.
    3.19 ++It is possible that the security team will bring in extra help from
    3.20 ++area maintainers to understand and fix the security vulnerability.
    3.21 ++
    3.22 ++As it is with any bug, the more information provided the easier it
    3.23 ++will be to diagnose and fix.  Please review the procedure outlined in
    3.24 ++REPORTING-BUGS if you are unclear about what information is helpful.
    3.25 ++Any exploit code is very helpful and will not be released without
    3.26 ++consent from the reporter unless it has already been made public.
    3.27 ++
    3.28 ++2) Disclosure
    3.29 ++
    3.30 ++The goal of the Linux kernel security team is to work with the
    3.31 ++bug submitter to bug resolution as well as disclosure.  We prefer
    3.32 ++to fully disclose the bug as soon as possible.  It is reasonable to
    3.33 ++delay disclosure when the bug or the fix is not yet fully understood,
    3.34 ++the solution is not well-tested or for vendor coordination.  However, we
    3.35 ++expect these delays to be short, measurable in days, not weeks or months.
    3.36 ++A disclosure date is negotiated by the security team working with the
    3.37 ++bug submitter as well as vendors.  However, the kernel security team
    3.38 ++holds the final say when setting a disclosure date.  The timeframe for
    3.39 ++disclosure is from immediate (esp. if it's already publically known)
    3.40 ++to a few weeks.  As a basic default policy, we expect report date to
    3.41 ++disclosure date to be on the order of 7 days.
    3.42 ++
    3.43 ++3) Non-disclosure agreements
    3.44 ++
    3.45 ++The Linux kernel security team is not a formal body and therefore unable
    3.46 ++to enter any non-disclosure agreements.
    3.47 +diff --git a/MAINTAINERS b/MAINTAINERS
    3.48 +--- a/MAINTAINERS
    3.49 ++++ b/MAINTAINERS
    3.50 +@@ -1966,6 +1966,11 @@ M:	christer@weinigel.se
    3.51 + W:	http://www.weinigel.se
    3.52 + S:	Supported
    3.53 + 
    3.54 ++SECURITY CONTACT
    3.55 ++P:	Security Officers
    3.56 ++M:	security@kernel.org
    3.57 ++S:	Supported
    3.58 ++
    3.59 + SELINUX SECURITY MODULE
    3.60 + P:	Stephen Smalley
    3.61 + M:	sds@epoch.ncsc.mil
    3.62 +diff --git a/Makefile b/Makefile
    3.63 +--- a/Makefile
    3.64 ++++ b/Makefile
    3.65 +@@ -1,8 +1,8 @@
    3.66 + VERSION = 2
    3.67 + PATCHLEVEL = 6
    3.68 + SUBLEVEL = 11
    3.69 +-EXTRAVERSION =
    3.70 +-NAME=Woozy Numbat
    3.71 ++EXTRAVERSION = .12
    3.72 ++NAME=Woozy Beaver
    3.73 + 
    3.74 + # *DOCUMENTATION*
    3.75 + # To see a list of typical targets execute "make help"
    3.76 +diff --git a/REPORTING-BUGS b/REPORTING-BUGS
    3.77 +--- a/REPORTING-BUGS
    3.78 ++++ b/REPORTING-BUGS
    3.79 +@@ -16,6 +16,10 @@ code relevant to what you were doing. If
    3.80 + describe how to recreate it. That is worth even more than the oops itself.
    3.81 + The list of maintainers is in the MAINTAINERS file in this directory.
    3.82 + 
    3.83 ++      If it is a security bug, please copy the Security Contact listed
    3.84 ++in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
    3.85 ++See Documentation/SecurityBugs for more infomation.
    3.86 ++
    3.87 +       If you are totally stumped as to whom to send the report, send it to
    3.88 + linux-kernel@vger.kernel.org. (For more information on the linux-kernel
    3.89 + mailing list see http://www.tux.org/lkml/).
    3.90 +diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
    3.91 +--- a/arch/ia64/kernel/fsys.S
    3.92 ++++ b/arch/ia64/kernel/fsys.S
    3.93 +@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down)
    3.94 + 	movl r2=ia64_ret_from_syscall
    3.95 + 	;;
    3.96 + 	mov rp=r2				// set the real return addr
    3.97 +-	tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
    3.98 ++	and r3=_TIF_SYSCALL_TRACEAUDIT,r3
    3.99 + 	;;
   3.100 ++	cmp.eq p8,p0=r3,r0
   3.101 ++
   3.102 + (p10)	br.cond.spnt.many ia64_ret_from_syscall	// p10==true means out registers are more than 8
   3.103 + (p8)	br.call.sptk.many b6=b6		// ignore this return addr
   3.104 + 	br.cond.sptk ia64_trace_syscall
   3.105 +diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
   3.106 +--- a/arch/ia64/kernel/signal.c
   3.107 ++++ b/arch/ia64/kernel/signal.c
   3.108 +@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc
   3.109 + 	 * could be corrupted.
   3.110 + 	 */
   3.111 + 	retval = (long) &ia64_leave_kernel;
   3.112 +-	if (test_thread_flag(TIF_SYSCALL_TRACE))
   3.113 ++	if (test_thread_flag(TIF_SYSCALL_TRACE)
   3.114 ++	    || test_thread_flag(TIF_SYSCALL_AUDIT))
   3.115 + 		/*
   3.116 + 		 * strace expects to be notified after sigreturn returns even though the
   3.117 + 		 * context to which we return may not be in the middle of a syscall.
   3.118 +diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
   3.119 +--- a/arch/ppc/oprofile/op_model_fsl_booke.c
   3.120 ++++ b/arch/ppc/oprofile/op_model_fsl_booke.c
   3.121 +@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s
   3.122 + 	int is_kernel;
   3.123 + 	int val;
   3.124 + 	int i;
   3.125 +-	unsigned int cpu = smp_processor_id();
   3.126 + 
   3.127 + 	/* set the PMM bit (see comment below) */
   3.128 + 	mtmsr(mfmsr() | MSR_PMM);
   3.129 +@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s
   3.130 + 		val = ctr_read(i);
   3.131 + 		if (val < 0) {
   3.132 + 			if (oprofile_running && ctr[i].enabled) {
   3.133 +-				oprofile_add_sample(pc, is_kernel, i, cpu);
   3.134 ++				oprofile_add_pc(pc, is_kernel, i);
   3.135 + 				ctr_write(i, reset_value[i]);
   3.136 + 			} else {
   3.137 + 				ctr_write(i, 0);
   3.138 +diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
   3.139 +--- a/arch/ppc/platforms/4xx/ebony.h
   3.140 ++++ b/arch/ppc/platforms/4xx/ebony.h
   3.141 +@@ -61,8 +61,8 @@
   3.142 +  */
   3.143 + 
   3.144 + /* OpenBIOS defined UART mappings, used before early_serial_setup */
   3.145 +-#define UART0_IO_BASE	(u8 *) 0xE0000200
   3.146 +-#define UART1_IO_BASE	(u8 *) 0xE0000300
   3.147 ++#define UART0_IO_BASE	0xE0000200
   3.148 ++#define UART1_IO_BASE	0xE0000300
   3.149 + 
   3.150 + /* external Epson SG-615P */
   3.151 + #define BASE_BAUD	691200
   3.152 +diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
   3.153 +--- a/arch/ppc/platforms/4xx/luan.h
   3.154 ++++ b/arch/ppc/platforms/4xx/luan.h
   3.155 +@@ -47,9 +47,9 @@
   3.156 + #define RS_TABLE_SIZE	3
   3.157 + 
   3.158 + /* PIBS defined UART mappings, used before early_serial_setup */
   3.159 +-#define UART0_IO_BASE	(u8 *) 0xa0000200
   3.160 +-#define UART1_IO_BASE	(u8 *) 0xa0000300
   3.161 +-#define UART2_IO_BASE	(u8 *) 0xa0000600
   3.162 ++#define UART0_IO_BASE	0xa0000200
   3.163 ++#define UART1_IO_BASE	0xa0000300
   3.164 ++#define UART2_IO_BASE	0xa0000600
   3.165 + 
   3.166 + #define BASE_BAUD	11059200
   3.167 + #define STD_UART_OP(num)					\
   3.168 +diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
   3.169 +--- a/arch/ppc/platforms/4xx/ocotea.h
   3.170 ++++ b/arch/ppc/platforms/4xx/ocotea.h
   3.171 +@@ -56,8 +56,8 @@
   3.172 + #define RS_TABLE_SIZE	2
   3.173 + 
   3.174 + /* OpenBIOS defined UART mappings, used before early_serial_setup */
   3.175 +-#define UART0_IO_BASE	(u8 *) 0xE0000200
   3.176 +-#define UART1_IO_BASE	(u8 *) 0xE0000300
   3.177 ++#define UART0_IO_BASE	0xE0000200
   3.178 ++#define UART1_IO_BASE	0xE0000300
   3.179 + 
   3.180 + #define BASE_BAUD	11059200/16
   3.181 + #define STD_UART_OP(num)					\
   3.182 +diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c
   3.183 +--- a/arch/ppc64/kernel/pSeries_iommu.c
   3.184 ++++ b/arch/ppc64/kernel/pSeries_iommu.c
   3.185 +@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st
   3.186 + 	struct device_node *dn, *pdn;
   3.187 + 	unsigned int *dma_window = NULL;
   3.188 + 
   3.189 ++	DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self);
   3.190 ++
   3.191 + 	dn = pci_bus_to_OF_node(bus);
   3.192 + 
   3.193 + 	/* Find nearest ibm,dma-window, walking up the device tree */
   3.194 +@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru
   3.195 + 	}
   3.196 + }
   3.197 + 
   3.198 ++static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev)
   3.199 ++{
   3.200 ++	struct device_node *pdn, *dn;
   3.201 ++	struct iommu_table *tbl;
   3.202 ++	int *dma_window = NULL;
   3.203 ++
   3.204 ++	DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name);
   3.205 ++
   3.206 ++	/* dev setup for LPAR is a little tricky, since the device tree might
   3.207 ++	 * contain the dma-window properties per-device and not neccesarily
   3.208 ++	 * for the bus. So we need to search upwards in the tree until we
   3.209 ++	 * either hit a dma-window property, OR find a parent with a table
   3.210 ++	 * already allocated.
   3.211 ++	 */
   3.212 ++	dn = pci_device_to_OF_node(dev);
   3.213 ++
   3.214 ++	for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) {
   3.215 ++		dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL);
   3.216 ++		if (dma_window)
   3.217 ++			break;
   3.218 ++	}
   3.219 ++
   3.220 ++	/* Check for parent == NULL so we don't try to setup the empty EADS
   3.221 ++	 * slots on POWER4 machines.
   3.222 ++	 */
   3.223 ++	if (dma_window == NULL || pdn->parent == NULL) {
   3.224 ++		/* Fall back to regular (non-LPAR) dev setup */
   3.225 ++		DBG("No dma window for device, falling back to regular setup\n");
   3.226 ++		iommu_dev_setup_pSeries(dev);
   3.227 ++		return;
   3.228 ++	} else {
   3.229 ++		DBG("Found DMA window, allocating table\n");
   3.230 ++	}
   3.231 ++
   3.232 ++	if (!pdn->iommu_table) {
   3.233 ++		/* iommu_table_setparms_lpar needs bussubno. */
   3.234 ++		pdn->bussubno = pdn->phb->bus->number;
   3.235 ++
   3.236 ++		tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table),
   3.237 ++						    GFP_KERNEL);
   3.238 ++
   3.239 ++		iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window);
   3.240 ++
   3.241 ++		pdn->iommu_table = iommu_init_table(tbl);
   3.242 ++	}
   3.243 ++
   3.244 ++	if (pdn != dn)
   3.245 ++		dn->iommu_table = pdn->iommu_table;
   3.246 ++}
   3.247 ++
   3.248 + static void iommu_bus_setup_null(struct pci_bus *b) { }
   3.249 + static void iommu_dev_setup_null(struct pci_dev *d) { }
   3.250 + 
   3.251 +@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void)
   3.252 + 			ppc_md.tce_free	 = tce_free_pSeriesLP;
   3.253 + 		}
   3.254 + 		ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP;
   3.255 ++		ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP;
   3.256 + 	} else {
   3.257 + 		ppc_md.tce_build = tce_build_pSeries;
   3.258 + 		ppc_md.tce_free  = tce_free_pSeries;
   3.259 + 		ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries;
   3.260 ++		ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
   3.261 + 	}
   3.262 + 
   3.263 +-	ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
   3.264 + 
   3.265 + 	pci_iommu_init();
   3.266 + }
   3.267 +diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
   3.268 +--- a/arch/sparc/kernel/ptrace.c
   3.269 ++++ b/arch/sparc/kernel/ptrace.c
   3.270 +@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs
   3.271 + 			pt_error_return(regs, EIO);
   3.272 + 			goto out_tsk;
   3.273 + 		}
   3.274 +-		if (addr != 1) {
   3.275 +-			if (addr & 3) {
   3.276 +-				pt_error_return(regs, EINVAL);
   3.277 +-				goto out_tsk;
   3.278 +-			}
   3.279 +-#ifdef DEBUG_PTRACE
   3.280 +-			printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
   3.281 +-			printk ("Continuing with %08lx %08lx\n", addr, addr+4);
   3.282 +-#endif
   3.283 +-			child->thread.kregs->pc = addr;
   3.284 +-			child->thread.kregs->npc = addr + 4;
   3.285 +-		}
   3.286 + 
   3.287 + 		if (request == PTRACE_SYSCALL)
   3.288 + 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   3.289 +diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
   3.290 +--- a/arch/sparc64/kernel/ptrace.c
   3.291 ++++ b/arch/sparc64/kernel/ptrace.c
   3.292 +@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs
   3.293 + 			pt_error_return(regs, EIO);
   3.294 + 			goto out_tsk;
   3.295 + 		}
   3.296 +-		if (addr != 1) {
   3.297 +-			unsigned long pc_mask = ~0UL;
   3.298 +-
   3.299 +-			if ((child->thread_info->flags & _TIF_32BIT) != 0)
   3.300 +-				pc_mask = 0xffffffff;
   3.301 +-
   3.302 +-			if (addr & 3) {
   3.303 +-				pt_error_return(regs, EINVAL);
   3.304 +-				goto out_tsk;
   3.305 +-			}
   3.306 +-#ifdef DEBUG_PTRACE
   3.307 +-			printk ("Original: %016lx %016lx\n",
   3.308 +-				child->thread_info->kregs->tpc,
   3.309 +-				child->thread_info->kregs->tnpc);
   3.310 +-			printk ("Continuing with %016lx %016lx\n", addr, addr+4);
   3.311 +-#endif
   3.312 +-			child->thread_info->kregs->tpc = (addr & pc_mask);
   3.313 +-			child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
   3.314 +-		}
   3.315 + 
   3.316 + 		if (request == PTRACE_SYSCALL) {
   3.317 + 			set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
   3.318 +diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
   3.319 +--- a/arch/sparc64/kernel/signal32.c
   3.320 ++++ b/arch/sparc64/kernel/signal32.c
   3.321 +@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf
   3.322 + 			err |= __put_user(from->si_uid, &to->si_uid);
   3.323 + 			break;
   3.324 + 		case __SI_FAULT >> 16:
   3.325 +-		case __SI_POLL >> 16:
   3.326 + 			err |= __put_user(from->si_trapno, &to->si_trapno);
   3.327 + 			err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
   3.328 + 			break;
   3.329 ++		case __SI_POLL >> 16:
   3.330 ++			err |= __put_user(from->si_band, &to->si_band);
   3.331 ++			err |= __put_user(from->si_fd, &to->si_fd);
   3.332 ++			break;
   3.333 + 		case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
   3.334 + 		case __SI_MESGQ >> 16:
   3.335 + 			err |= __put_user(from->si_pid, &to->si_pid);
   3.336 +diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
   3.337 +--- a/arch/sparc64/kernel/systbls.S
   3.338 ++++ b/arch/sparc64/kernel/systbls.S
   3.339 +@@ -75,7 +75,7 @@ sys_call_table32:
   3.340 + /*260*/	.word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
   3.341 + 	.word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
   3.342 + /*270*/	.word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
   3.343 +-	.word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   3.344 ++	.word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
   3.345 + /*280*/	.word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
   3.346 + 
   3.347 + #endif /* CONFIG_COMPAT */
   3.348 +diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
   3.349 +--- a/arch/um/include/sysdep-i386/syscalls.h
   3.350 ++++ b/arch/um/include/sysdep-i386/syscalls.h
   3.351 +@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr
   3.352 + 		      unsigned long prot, unsigned long flags,
   3.353 + 		      unsigned long fd, unsigned long pgoff);
   3.354 + 
   3.355 ++/* On i386 they choose a meaningless naming.*/
   3.356 ++#define __NR_kexec_load __NR_sys_kexec_load
   3.357 ++
   3.358 + #define ARCH_SYSCALLS \
   3.359 + 	[ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
   3.360 + 	[ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
   3.361 +@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr
   3.362 + 	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.363 + 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.364 + 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.365 +-	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   3.366 + 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.367 +-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   3.368 +-	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   3.369 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   3.370 +-        
   3.371 ++	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   3.372 ++
   3.373 + /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
   3.374 + 
   3.375 +-#define LAST_ARCH_SYSCALL __NR_vserver
   3.376 ++#define LAST_ARCH_SYSCALL 285
   3.377 + 
   3.378 + /*
   3.379 +  * Overrides for Emacs so that we follow Linus's tabbing style.
   3.380 +diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
   3.381 +--- a/arch/um/include/sysdep-x86_64/syscalls.h
   3.382 ++++ b/arch/um/include/sysdep-x86_64/syscalls.h
   3.383 +@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl;
   3.384 + 	[ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
   3.385 + 	[ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.386 + 	[ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
   3.387 +-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
   3.388 + 	[ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
   3.389 +-	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
   3.390 +-	[ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
   3.391 +-	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
   3.392 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
   3.393 + 	[ 251 ] = (syscall_handler_t *) sys_ni_syscall,
   3.394 + 
   3.395 + #define LAST_ARCH_SYSCALL 251
   3.396 +diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
   3.397 +--- a/arch/um/kernel/skas/uaccess.c
   3.398 ++++ b/arch/um/kernel/skas/uaccess.c
   3.399 +@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v
   3.400 + 	void *arg;
   3.401 + 	int *res;
   3.402 + 
   3.403 +-	va_copy(args, *(va_list *)arg_ptr);
   3.404 ++	/* Some old gccs recognize __va_copy, but not va_copy */
   3.405 ++	__va_copy(args, *(va_list *)arg_ptr);
   3.406 + 	addr = va_arg(args, unsigned long);
   3.407 + 	len = va_arg(args, int);
   3.408 + 	is_write = va_arg(args, int);
   3.409 +diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
   3.410 +--- a/arch/um/kernel/sys_call_table.c
   3.411 ++++ b/arch/um/kernel/sys_call_table.c
   3.412 +@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork;
   3.413 + extern syscall_handler_t old_select;
   3.414 + extern syscall_handler_t sys_modify_ldt;
   3.415 + extern syscall_handler_t sys_rt_sigsuspend;
   3.416 +-extern syscall_handler_t sys_vserver;
   3.417 + extern syscall_handler_t sys_mbind;
   3.418 + extern syscall_handler_t sys_get_mempolicy;
   3.419 + extern syscall_handler_t sys_set_mempolicy;
   3.420 +@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = {
   3.421 + 	[ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
   3.422 + 	[ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
   3.423 + 	[ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
   3.424 ++	[ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
   3.425 +         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
   3.426 + 	[ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
   3.427 + 	[ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
   3.428 +@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = {
   3.429 + 	[ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
   3.430 + 	[ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
   3.431 + 	[ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
   3.432 +-	[ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
   3.433 +-	[ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
   3.434 + 	[ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
   3.435 + 	[ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
   3.436 +-	[ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
   3.437 +-	[ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
   3.438 ++	[ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
   3.439 ++	[ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
   3.440 + 	[ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
   3.441 + 	[ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
   3.442 + 	[ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
   3.443 +@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = {
   3.444 + 	[ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
   3.445 + 	[ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
   3.446 + 	[ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
   3.447 +-	[ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   3.448 ++	[ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
   3.449 + 	[ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
   3.450 +-	[ 285 ] = (syscall_handler_t *) sys_ni_syscall,
   3.451 + 	[ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
   3.452 + 	[ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
   3.453 + 	[ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
   3.454 +diff --git a/arch/x86_64/kernel/apic.c b/arch/x86_64/kernel/apic.c
   3.455 +--- a/arch/x86_64/kernel/apic.c
   3.456 ++++ b/arch/x86_64/kernel/apic.c
   3.457 +@@ -775,9 +775,7 @@ void __init setup_boot_APIC_clock (void)
   3.458 + 
   3.459 + void __init setup_secondary_APIC_clock(void)
   3.460 + {
   3.461 +-	local_irq_disable(); /* FIXME: Do we need this? --RR */
   3.462 + 	setup_APIC_timer(calibration_result);
   3.463 +-	local_irq_enable();
   3.464 + }
   3.465 + 
   3.466 + void __init disable_APIC_timer(void)
   3.467 +diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
   3.468 +--- a/arch/x86_64/kernel/ptrace.c
   3.469 ++++ b/arch/x86_64/kernel/ptrace.c
   3.470 +@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
   3.471 + 			value &= 0xffff;
   3.472 + 			return 0;
   3.473 + 		case offsetof(struct user_regs_struct,fs_base):
   3.474 +-			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
   3.475 +-				return -EIO; 
   3.476 ++			if (value >= TASK_SIZE)
   3.477 ++				return -EIO;
   3.478 + 			child->thread.fs = value;
   3.479 + 			return 0;
   3.480 + 		case offsetof(struct user_regs_struct,gs_base):
   3.481 +-			if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
   3.482 +-				return -EIO; 
   3.483 ++			if (value >= TASK_SIZE)
   3.484 ++				return -EIO;
   3.485 + 			child->thread.gs = value;
   3.486 + 			return 0;
   3.487 + 		case offsetof(struct user_regs_struct, eflags):
   3.488 +@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
   3.489 + 				return -EIO;
   3.490 + 			value &= 0xffff;
   3.491 + 			break;
   3.492 ++		case offsetof(struct user_regs_struct, rip):
   3.493 ++			/* Check if the new RIP address is canonical */
   3.494 ++			if (value >= TASK_SIZE)
   3.495 ++				return -EIO;
   3.496 ++			break;
   3.497 + 	}
   3.498 + 	put_stack_long(child, regno - sizeof(struct pt_regs), value);
   3.499 + 	return 0;
   3.500 +@@ -247,7 +252,7 @@ asmlinkage long sys_ptrace(long request,
   3.501 + 			break;
   3.502 + 
   3.503 + 		switch (addr) { 
   3.504 +-		case 0 ... sizeof(struct user_regs_struct):
   3.505 ++		case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
   3.506 + 			tmp = getreg(child, addr);
   3.507 + 			break;
   3.508 + 		case offsetof(struct user, u_debugreg[0]):
   3.509 +@@ -292,7 +297,7 @@ asmlinkage long sys_ptrace(long request,
   3.510 + 			break;
   3.511 + 
   3.512 + 		switch (addr) { 
   3.513 +-		case 0 ... sizeof(struct user_regs_struct): 
   3.514 ++		case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
   3.515 + 			ret = putreg(child, addr, data);
   3.516 + 			break;
   3.517 + 		/* Disallows to set a breakpoint into the vsyscall */
   3.518 +diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c
   3.519 +--- a/arch/x86_64/kernel/smpboot.c
   3.520 ++++ b/arch/x86_64/kernel/smpboot.c
   3.521 +@@ -309,8 +309,6 @@ void __init smp_callin(void)
   3.522 + 	Dprintk("CALLIN, before setup_local_APIC().\n");
   3.523 + 	setup_local_APIC();
   3.524 + 
   3.525 +-	local_irq_enable();
   3.526 +-
   3.527 + 	/*
   3.528 + 	 * Get our bogomips.
   3.529 + 	 */
   3.530 +@@ -324,8 +322,6 @@ void __init smp_callin(void)
   3.531 + 	 */
   3.532 +  	smp_store_cpu_info(cpuid);
   3.533 + 
   3.534 +-	local_irq_disable();
   3.535 +-
   3.536 + 	/*
   3.537 + 	 * Allow the master to continue.
   3.538 + 	 */
   3.539 +diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c
   3.540 +--- a/arch/x86_64/mm/fault.c
   3.541 ++++ b/arch/x86_64/mm/fault.c
   3.542 +@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne
   3.543 + 
   3.544 + /*
   3.545 +  * Handle a fault on the vmalloc or module mapping area
   3.546 ++ *
   3.547 ++ * This assumes no large pages in there.
   3.548 +  */
   3.549 + static int vmalloc_fault(unsigned long address)
   3.550 + {
   3.551 +@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a
   3.552 + 	if (!pte_present(*pte_ref))
   3.553 + 		return -1;
   3.554 + 	pte = pte_offset_kernel(pmd, address);
   3.555 +-	if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref))
   3.556 ++	/* Don't use pte_page here, because the mappings can point
   3.557 ++	   outside mem_map, and the NUMA hash lookup cannot handle
   3.558 ++	   that. */
   3.559 ++	if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
   3.560 + 		BUG();
   3.561 + 	__flush_tlb_all();
   3.562 + 	return 0;
   3.563 +@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_
   3.564 + 	 * protection error (error_code & 1) == 0.
   3.565 + 	 */
   3.566 + 	if (unlikely(address >= TASK_SIZE)) {
   3.567 +-		if (!(error_code & 5)) {
   3.568 ++		if (!(error_code & 5) &&
   3.569 ++		      ((address >= VMALLOC_START && address < VMALLOC_END) ||
   3.570 ++		       (address >= MODULES_VADDR && address < MODULES_END))) {
   3.571 + 			if (vmalloc_fault(address) < 0)
   3.572 + 				goto bad_area_nosemaphore;
   3.573 + 			return;
   3.574 +diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c
   3.575 +--- a/arch/x86_64/mm/ioremap.c
   3.576 ++++ b/arch/x86_64/mm/ioremap.c
   3.577 +@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr
   3.578 + 	if ((p->flags >> 20) &&
   3.579 + 		p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) {
   3.580 + 		/* p->size includes the guard page, but cpa doesn't like that */
   3.581 +-		change_page_attr(virt_to_page(__va(p->phys_addr)),
   3.582 ++		change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
   3.583 + 				 (p->size - PAGE_SIZE) >> PAGE_SHIFT,
   3.584 + 				 PAGE_KERNEL); 				 
   3.585 + 		global_flush_tlb();
   3.586 +diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c
   3.587 +--- a/drivers/block/ioctl.c
   3.588 ++++ b/drivers/block/ioctl.c
   3.589 +@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi
   3.590 + 	}
   3.591 + 	return ret;
   3.592 + }
   3.593 ++
   3.594 ++EXPORT_SYMBOL_GPL(blkdev_ioctl);
   3.595 +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
   3.596 +--- a/drivers/block/pktcdvd.c
   3.597 ++++ b/drivers/block/pktcdvd.c
   3.598 +@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode
   3.599 + 	case CDROM_LAST_WRITTEN:
   3.600 + 	case CDROM_SEND_PACKET:
   3.601 + 	case SCSI_IOCTL_SEND_COMMAND:
   3.602 +-		return ioctl_by_bdev(pd->bdev, cmd, arg);
   3.603 ++		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   3.604 + 
   3.605 + 	case CDROMEJECT:
   3.606 + 		/*
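Review bot: Nothing at the call site records why `ioctl_by_bdev()` was replaced with `blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg)`, and the same applies to the `CDROMEJECT` case in the next hunk and to `raw_ioctl` in drivers/char/raw.c. These handlers pass `arg` through unchanged, and the new call forwards the caller's `file`, presumably so the lower layer sees the opener's mode and treats `arg` as a user pointer. A short comment such as `/* pass the caller's file down; arg is a user pointer */` would make it less likely that someone switches back to the shorter helper. `pkt_ioctl` starts and ends outside the hunk.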
   3.607 +@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode
   3.608 + 		 * have to unlock it or else the eject command fails.
   3.609 + 		 */
   3.610 + 		pkt_lock_door(pd, 0);
   3.611 +-		return ioctl_by_bdev(pd->bdev, cmd, arg);
   3.612 ++		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
   3.613 + 
   3.614 + 	default:
   3.615 + 		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
   3.616 +diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
   3.617 +--- a/drivers/char/drm/drm_ioctl.c
   3.618 ++++ b/drivers/char/drm/drm_ioctl.c
   3.619 +@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS)
   3.620 + 
   3.621 + 	DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
   3.622 + 
   3.623 ++	memset(&version, 0, sizeof(version));
   3.624 ++
   3.625 + 	dev->driver->version(&version);
   3.626 + 	retv.drm_di_major = DRM_IF_MAJOR;
   3.627 + 	retv.drm_di_minor = DRM_IF_MINOR;
   3.628 +diff --git a/drivers/char/raw.c b/drivers/char/raw.c
   3.629 +--- a/drivers/char/raw.c
   3.630 ++++ b/drivers/char/raw.c
   3.631 +@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi
   3.632 + {
   3.633 + 	struct block_device *bdev = filp->private_data;
   3.634 + 
   3.635 +-	return ioctl_by_bdev(bdev, command, arg);
   3.636 ++	return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
   3.637 + }
   3.638 + 
   3.639 + static void bind_device(struct raw_config_request *rq)
   3.640 +diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
   3.641 +--- a/drivers/i2c/chips/eeprom.c
   3.642 ++++ b/drivers/i2c/chips/eeprom.c
   3.643 +@@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec
   3.644 + 
   3.645 + 	/* Hide Vaio security settings to regular users (16 first bytes) */
   3.646 + 	if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
   3.647 +-		int in_row1 = 16 - off;
   3.648 ++		size_t in_row1 = 16 - off;
   3.649 ++		in_row1 = min(in_row1, count);
   3.650 + 		memset(buf, 0, in_row1);
   3.651 + 		if (count - in_row1 > 0)
   3.652 + 			memcpy(buf + in_row1, &data->data[16], count - in_row1);
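Review bot: The guard `if (count - in_row1 > 0)` just below the new clamp is an unsigned subtraction now that `in_row1` is `size_t`, so it only behaves as intended because `min(in_row1, count)` has already ensured `in_row1 <= count`. Writing it as `if (count > in_row1)` states the condition directly and stays correct if the clamp is ever moved or removed. The enclosing `eeprom_read` starts and ends outside the hunk, so how `off` and `count` are bounded against the EEPROM size cannot be checked from here.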
   3.653 +diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
   3.654 +--- a/drivers/i2c/chips/it87.c
   3.655 ++++ b/drivers/i2c/chips/it87.c
   3.656 +@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device
   3.657 + 	struct it87_data *data = it87_update_device(dev);
   3.658 + 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   3.659 + }
   3.660 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   3.661 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   3.662 + 
   3.663 + static ssize_t
   3.664 + show_vrm_reg(struct device *dev, char *buf)
   3.665 +diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
   3.666 +--- a/drivers/i2c/chips/via686a.c
   3.667 ++++ b/drivers/i2c/chips/via686a.c
   3.668 +@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device
   3.669 + 	struct via686a_data *data = via686a_update_device(dev);
   3.670 + 	return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
   3.671 + }
   3.672 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
   3.673 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
   3.674 + 
   3.675 + /* The driver. I choose to use type i2c_driver, as at is identical to both
   3.676 +    smbus_driver and isa_driver, and clients could be of either kind */
   3.677 +diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
   3.678 +--- a/drivers/ide/ide-disk.c
   3.679 ++++ b/drivers/ide/ide-disk.c
   3.680 +@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(
   3.681 + 	if (hwif->no_lba48_dma && lba48 && dma) {
   3.682 + 		if (block + rq->nr_sectors > 1ULL << 28)
   3.683 + 			dma = 0;
   3.684 ++		else
   3.685 ++			lba48 = 0;
   3.686 + 	}
   3.687 + 
   3.688 + 	if (!dma) {
   3.689 +@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(
   3.690 + 	/* FIXME: SELECT_MASK(drive, 0) ? */
   3.691 + 
   3.692 + 	if (drive->select.b.lba) {
   3.693 +-		if (drive->addressing == 1) {
   3.694 ++		if (lba48) {
   3.695 + 			task_ioreg_t tasklets[10];
   3.696 + 
   3.697 + 			pr_debug("%s: LBA=0x%012llx\n", drive->name, block);
   3.698 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
   3.699 +--- a/drivers/input/serio/i8042-x86ia64io.h
   3.700 ++++ b/drivers/input/serio/i8042-x86ia64io.h
   3.701 +@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i
   3.702 + };
   3.703 + #endif
   3.704 + 
   3.705 +-#ifdef CONFIG_ACPI
   3.706 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.707 + #include <linux/acpi.h>
   3.708 + #include <acpi/acpi_bus.h>
   3.709 + 
   3.710 +@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo
   3.711 + 	i8042_kbd_irq = I8042_MAP_IRQ(1);
   3.712 + 	i8042_aux_irq = I8042_MAP_IRQ(12);
   3.713 + 
   3.714 +-#ifdef CONFIG_ACPI
   3.715 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.716 + 	if (i8042_acpi_init())
   3.717 + 		return -1;
   3.718 + #endif
   3.719 +@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo
   3.720 + 
   3.721 + static inline void i8042_platform_exit(void)
   3.722 + {
   3.723 +-#ifdef CONFIG_ACPI
   3.724 ++#if defined(__ia64__) && defined(CONFIG_ACPI)
   3.725 + 	i8042_acpi_exit();
   3.726 + #endif
   3.727 + }
   3.728 +diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
   3.729 +--- a/drivers/md/raid6altivec.uc
   3.730 ++++ b/drivers/md/raid6altivec.uc
   3.731 +@@ -108,7 +108,11 @@ int raid6_have_altivec(void);
   3.732 + int raid6_have_altivec(void)
   3.733 + {
   3.734 + 	/* This assumes either all CPUs have Altivec or none does */
   3.735 ++#ifdef CONFIG_PPC64
   3.736 + 	return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
   3.737 ++#else
   3.738 ++	return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
   3.739 ++#endif
   3.740 + }
   3.741 + #endif
   3.742 + 
   3.743 +diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
   3.744 +--- a/drivers/media/video/adv7170.c
   3.745 ++++ b/drivers/media/video/adv7170.c
   3.746 +@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client *
   3.747 + 		u8 block_data[32];
   3.748 + 
   3.749 + 		msg.addr = client->addr;
   3.750 +-		msg.flags = client->flags;
   3.751 ++		msg.flags = 0;
   3.752 + 		while (len >= 2) {
   3.753 + 			msg.buf = (char *) block_data;
   3.754 + 			msg.len = 0;
   3.755 +diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
   3.756 +--- a/drivers/media/video/adv7175.c
   3.757 ++++ b/drivers/media/video/adv7175.c
   3.758 +@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client *
   3.759 + 		u8 block_data[32];
   3.760 + 
   3.761 + 		msg.addr = client->addr;
   3.762 +-		msg.flags = client->flags;
   3.763 ++		msg.flags = 0;
   3.764 + 		while (len >= 2) {
   3.765 + 			msg.buf = (char *) block_data;
   3.766 + 			msg.len = 0;
   3.767 +diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
   3.768 +--- a/drivers/media/video/bt819.c
   3.769 ++++ b/drivers/media/video/bt819.c
   3.770 +@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl
   3.771 + 		u8 block_data[32];
   3.772 + 
   3.773 + 		msg.addr = client->addr;
   3.774 +-		msg.flags = client->flags;
   3.775 ++		msg.flags = 0;
   3.776 + 		while (len >= 2) {
   3.777 + 			msg.buf = (char *) block_data;
   3.778 + 			msg.len = 0;
   3.779 +diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
   3.780 +--- a/drivers/media/video/bttv-cards.c
   3.781 ++++ b/drivers/media/video/bttv-cards.c
   3.782 +@@ -1939,7 +1939,6 @@ struct tvcard bttv_tvcards[] = {
   3.783 +         .no_tda9875     = 1,
   3.784 +         .no_tda7432     = 1,
   3.785 +         .tuner_type     = TUNER_ABSENT,
   3.786 +-        .no_video       = 1,
   3.787 + 	.pll            = PLL_28,
   3.788 + },{
   3.789 + 	.name           = "Teppro TEV-560/InterVision IV-560",
   3.790 +@@ -2718,8 +2717,6 @@ void __devinit bttv_init_card2(struct bt
   3.791 +         }
   3.792 + 	btv->pll.pll_current = -1;
   3.793 + 
   3.794 +-	bttv_reset_audio(btv);
   3.795 +-
   3.796 + 	/* tuner configuration (from card list / autodetect / insmod option) */
   3.797 +  	if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
   3.798 + 		if(UNSET == btv->tuner_type)
   3.799 +diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
   3.800 +--- a/drivers/media/video/saa7110.c
   3.801 ++++ b/drivers/media/video/saa7110.c
   3.802 +@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
   3.803 + 
   3.804 + #define	I2C_SAA7110		0x9C	/* or 0x9E */
   3.805 + 
   3.806 ++#define SAA7110_NR_REG		0x35
   3.807 ++
   3.808 + struct saa7110 {
   3.809 +-	unsigned char reg[54];
   3.810 ++	u8 reg[SAA7110_NR_REG];
   3.811 + 
   3.812 + 	int norm;
   3.813 + 	int input;
   3.814 +@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client *
   3.815 + 		     unsigned int       len)
   3.816 + {
   3.817 + 	int ret = -1;
   3.818 +-	u8 reg = *data++;
   3.819 ++	u8 reg = *data;		/* first register to write to */
   3.820 + 
   3.821 +-	len--;
   3.822 ++	/* Sanity check */
   3.823 ++	if (reg + (len - 1) > SAA7110_NR_REG)
   3.824 ++		return ret;
   3.825 + 
   3.826 + 	/* the saa7110 has an autoincrement function, use it if
   3.827 + 	 * the adapter understands raw I2C */
   3.828 + 	if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
   3.829 + 		struct saa7110 *decoder = i2c_get_clientdata(client);
   3.830 + 		struct i2c_msg msg;
   3.831 +-		u8 block_data[54];
   3.832 + 
   3.833 +-		msg.len = 0;
   3.834 +-		msg.buf = (char *) block_data;
   3.835 ++		msg.len = len;
   3.836 ++		msg.buf = (char *) data;
   3.837 + 		msg.addr = client->addr;
   3.838 +-		msg.flags = client->flags;
   3.839 +-		while (len >= 1) {
   3.840 +-			msg.len = 0;
   3.841 +-			block_data[msg.len++] = reg;
   3.842 +-			while (len-- >= 1 && msg.len < 54)
   3.843 +-				block_data[msg.len++] =
   3.844 +-				    decoder->reg[reg++] = *data++;
   3.845 +-			ret = i2c_transfer(client->adapter, &msg, 1);
   3.846 +-		}
   3.847 ++		msg.flags = 0;
   3.848 ++		ret = i2c_transfer(client->adapter, &msg, 1);
   3.849 ++
   3.850 ++		/* Cache the written data */
   3.851 ++		memcpy(decoder->reg + reg, data + 1, len - 1);
   3.852 + 	} else {
   3.853 +-		while (len-- >= 1) {
   3.854 ++		for (++data, --len; len; len--) {
   3.855 + 			if ((ret = saa7110_write(client, reg++,
   3.856 + 						 *data++)) < 0)
   3.857 + 				break;
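Review bot: The new sanity check in `saa7110_write_block` does not cover `len == 0`. `len` is `unsigned int`, so `len - 1` wraps, and for a non-zero `reg` the sum `reg + (len - 1)` can still be at most `SAA7110_NR_REG`; `memcpy(decoder->reg + reg, data + 1, len - 1)` and the `for (++data, --len; len; len--)` loop would then run with a wrapped length. `*data` is also read before any length test. Whether a caller can pass zero is not visible here, but rejecting it is cheap: declare `u8 reg;`, test `if (len < 1) return ret;`, then assign `reg = *data;` ahead of the existing range check. The function's signature and tail are outside the hunk.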
   3.858 +@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien
   3.859 + 	return 0;
   3.860 + }
   3.861 + 
   3.862 +-static const unsigned char initseq[] = {
   3.863 ++static const unsigned char initseq[1 + SAA7110_NR_REG] = {
   3.864 + 	0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
   3.865 + 	/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
   3.866 + 	/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
   3.867 +diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
   3.868 +--- a/drivers/media/video/saa7114.c
   3.869 ++++ b/drivers/media/video/saa7114.c
   3.870 +@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client *
   3.871 + 		u8 block_data[32];
   3.872 + 
   3.873 + 		msg.addr = client->addr;
   3.874 +-		msg.flags = client->flags;
   3.875 ++		msg.flags = 0;
   3.876 + 		while (len >= 2) {
   3.877 + 			msg.buf = (char *) block_data;
   3.878 + 			msg.len = 0;
   3.879 +diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
   3.880 +--- a/drivers/media/video/saa7185.c
   3.881 ++++ b/drivers/media/video/saa7185.c
   3.882 +@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client *
   3.883 + 		u8 block_data[32];
   3.884 + 
   3.885 + 		msg.addr = client->addr;
   3.886 +-		msg.flags = client->flags;
   3.887 ++		msg.flags = 0;
   3.888 + 		while (len >= 2) {
   3.889 + 			msg.buf = (char *) block_data;
   3.890 + 			msg.len = 0;
   3.891 +diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
   3.892 +--- a/drivers/net/3c59x.c
   3.893 ++++ b/drivers/net/3c59x.c
   3.894 +@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev)
   3.895 + 
   3.896 + 	if (VORTEX_PCI(vp)) {
   3.897 + 		pci_set_power_state(VORTEX_PCI(vp), PCI_D0);	/* Go active */
   3.898 +-		pci_restore_state(VORTEX_PCI(vp));
   3.899 ++		if (vp->pm_state_valid)
   3.900 ++			pci_restore_state(VORTEX_PCI(vp));
   3.901 + 		pci_enable_device(VORTEX_PCI(vp));
   3.902 + 	}
   3.903 + 
   3.904 +@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 
   3.905 + 		outl(0, ioaddr + DownListPtr);
   3.906 + 
   3.907 + 	if (final_down && VORTEX_PCI(vp)) {
   3.908 ++		vp->pm_state_valid = 1;
   3.909 + 		pci_save_state(VORTEX_PCI(vp));
   3.910 + 		acpi_set_WOL(dev);
   3.911 + 	}
   3.912 +@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi
   3.913 + 		outw(RxEnable, ioaddr + EL3_CMD);
   3.914 + 
   3.915 + 		pci_enable_wake(VORTEX_PCI(vp), 0, 1);
   3.916 ++
   3.917 ++		/* Change the power state to D3; RxEnable doesn't take effect. */
   3.918 ++		pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
   3.919 + 	}
   3.920 +-	/* Change the power state to D3; RxEnable doesn't take effect. */
   3.921 +-	pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
   3.922 + }
   3.923 + 
   3.924 + 
   3.925 +diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
   3.926 +--- a/drivers/net/amd8111e.c
   3.927 ++++ b/drivers/net/amd8111e.c
   3.928 +@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi
   3.929 + 
   3.930 + 	if(amd8111e_restart(dev)){
   3.931 + 		spin_unlock_irq(&lp->lock);
   3.932 ++		if (dev->irq)
   3.933 ++			free_irq(dev->irq, dev);
   3.934 + 		return -ENOMEM;
   3.935 + 	}
   3.936 + 	/* Start ipg timer */
   3.937 +diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
   3.938 +--- a/drivers/net/ppp_async.c
   3.939 ++++ b/drivers/net/ppp_async.c
   3.940 +@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp
   3.941 + 	data += 4;
   3.942 + 	dlen -= 4;
   3.943 + 	/* data[0] is code, data[1] is length */
   3.944 +-	while (dlen >= 2 && dlen >= data[1]) {
   3.945 ++	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
   3.946 + 		switch (data[0]) {
   3.947 + 		case LCP_MRU:
   3.948 + 			val = (data[2] << 8) + data[3];
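Review bot: The `LCP_MRU` case shown reads `data[2]` and `data[3]`, but the tightened loop condition only guarantees that the option is at least two bytes long and fits in `dlen`. An MRU option whose length field is 2 or 3 would therefore be decoded from bytes that belong to the next option or lie past the declared LCP payload. A per-case length test such as `if (data[1] < 4) break;` before the read would close that. The rest of the switch is outside the hunk and may need the same kind of check for its own field sizes.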
   3.949 +diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
   3.950 +--- a/drivers/net/r8169.c
   3.951 ++++ b/drivers/net/r8169.c
   3.952 +@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r
   3.953 + 	rtl8169_make_unusable_by_asic(desc);
   3.954 + }
   3.955 + 
   3.956 +-static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
   3.957 ++static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
   3.958 + {
   3.959 +-	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   3.960 ++	u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
   3.961 ++
   3.962 ++	desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
   3.963 + }
   3.964 + 
   3.965 +-static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   3.966 +-					int rx_buf_sz)
   3.967 ++static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
   3.968 ++				       u32 rx_buf_sz)
   3.969 + {
   3.970 + 	desc->addr = cpu_to_le64(mapping);
   3.971 +-	desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
   3.972 ++	wmb();
   3.973 ++	rtl8169_mark_to_asic(desc, rx_buf_sz);
   3.974 + }
   3.975 + 
   3.976 + static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
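Review bot: The `wmb()` added in `rtl8169_map_to_asic` has no comment saying which stores it orders. From the lines around it, the intent appears to be that `desc->addr` is visible before `opts1` is written with `DescOwn`. A one-line comment such as `/* publish addr before handing the descriptor to the NIC via DescOwn */` would keep a later cleanup from dropping the barrier. `rtl8169_mark_to_asic` also ORs `rx_buf_sz` into `opts1` unmasked, so it relies on callers passing a value that fits the size field; that cannot be confirmed from this hunk.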
   3.977 +@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p
   3.978 + 	mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
   3.979 + 				 PCI_DMA_FROMDEVICE);
   3.980 + 
   3.981 +-	rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
   3.982 ++	rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
   3.983 + 
   3.984 + out:
   3.985 + 	return ret;
   3.986 +@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st
   3.987 + 			skb_reserve(skb, NET_IP_ALIGN);
   3.988 + 			eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
   3.989 + 			*sk_buff = skb;
   3.990 +-			rtl8169_return_to_asic(desc, rx_buf_sz);
   3.991 ++			rtl8169_mark_to_asic(desc, rx_buf_sz);
   3.992 + 			ret = 0;
   3.993 + 		}
   3.994 + 	}
   3.995 +diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
   3.996 +--- a/drivers/net/sis900.c
   3.997 ++++ b/drivers/net/sis900.c
   3.998 +@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr
   3.999 + 	signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
  3.1000 + 	if (signature == 0xffff || signature == 0x0000) {
  3.1001 + 		printk (KERN_INFO "%s: Error EERPOM read %x\n", 
  3.1002 +-			net_dev->name, signature);
  3.1003 ++			pci_name(pci_dev), signature);
  3.1004 + 		return 0;
  3.1005 + 	}
  3.1006 + 
  3.1007 +@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add
  3.1008 + 	if (!isa_bridge)
  3.1009 + 		isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
  3.1010 + 	if (!isa_bridge) {
  3.1011 +-		printk("%s: Can not find ISA bridge\n", net_dev->name);
  3.1012 ++		printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
  3.1013 + 		return 0;
  3.1014 + 	}
  3.1015 + 	pci_read_config_byte(isa_bridge, 0x48, &reg);
  3.1016 +@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct
  3.1017 + 	net_dev->tx_timeout = sis900_tx_timeout;
  3.1018 + 	net_dev->watchdog_timeo = TX_TIMEOUT;
  3.1019 + 	net_dev->ethtool_ops = &sis900_ethtool_ops;
  3.1020 +-	
  3.1021 +-	ret = register_netdev(net_dev);
  3.1022 +-	if (ret)
  3.1023 +-		goto err_unmap_rx;
  3.1024 + 		
  3.1025 + 	/* Get Mac address according to the chip revision */
  3.1026 + 	pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
  3.1027 +@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct
  3.1028 + 
  3.1029 + 	if (ret == 0) {
  3.1030 + 		ret = -ENODEV;
  3.1031 +-		goto err_out_unregister;
  3.1032 ++		goto err_unmap_rx;
  3.1033 + 	}
  3.1034 + 	
  3.1035 + 	/* 630ET : set the mii access mode as software-mode */
  3.1036 +@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct
  3.1037 + 	/* probe for mii transceiver */
  3.1038 + 	if (sis900_mii_probe(net_dev) == 0) {
  3.1039 + 		ret = -ENODEV;
  3.1040 +-		goto err_out_unregister;
  3.1041 ++		goto err_unmap_rx;
  3.1042 + 	}
  3.1043 + 
  3.1044 + 	/* save our host bridge revision */
  3.1045 +@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct
  3.1046 + 		pci_dev_put(dev);
  3.1047 + 	}
  3.1048 + 
  3.1049 ++	ret = register_netdev(net_dev);
  3.1050 ++	if (ret)
  3.1051 ++		goto err_unmap_rx;
  3.1052 ++
  3.1053 + 	/* print some information about our NIC */
  3.1054 + 	printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
  3.1055 + 	       card_name, ioaddr, net_dev->irq);
  3.1056 +@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct
  3.1057 + 
  3.1058 + 	return 0;
  3.1059 + 
  3.1060 +- err_out_unregister:
  3.1061 +- 	unregister_netdev(net_dev);
  3.1062 +  err_unmap_rx:
  3.1063 + 	pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
  3.1064 + 		sis_priv->rx_ring_dma);
  3.1065 +@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct
  3.1066 + static int __init sis900_mii_probe(struct net_device * net_dev)
  3.1067 + {
  3.1068 + 	struct sis900_private * sis_priv = net_dev->priv;
  3.1069 ++	const char *dev_name = pci_name(sis_priv->pci_dev);
  3.1070 + 	u16 poll_bit = MII_STAT_LINK, status = 0;
  3.1071 + 	unsigned long timeout = jiffies + 5 * HZ;
  3.1072 + 	int phy_addr;
  3.1073 +@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc
  3.1074 + 					mii_phy->phy_types =
  3.1075 + 					    (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
  3.1076 + 				printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
  3.1077 +-				       net_dev->name, mii_chip_table[i].name,
  3.1078 ++				       dev_name, mii_chip_table[i].name,
  3.1079 + 				       phy_addr);
  3.1080 + 				break;
  3.1081 + 			}
  3.1082 + 			
  3.1083 + 		if( !mii_chip_table[i].phy_id1 ) {
  3.1084 + 			printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
  3.1085 +-			       net_dev->name, phy_addr);
  3.1086 ++			       dev_name, phy_addr);
  3.1087 + 			mii_phy->phy_types = UNKNOWN;
  3.1088 + 		}
  3.1089 + 	}
  3.1090 + 	
  3.1091 + 	if (sis_priv->mii == NULL) {
  3.1092 +-		printk(KERN_INFO "%s: No MII transceivers found!\n",
  3.1093 +-			net_dev->name);
  3.1094 ++		printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
  3.1095 + 		return 0;
  3.1096 + 	}
  3.1097 + 
  3.1098 +@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc
  3.1099 + 			poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
  3.1100 + 			if (time_after_eq(jiffies, timeout)) {
  3.1101 + 				printk(KERN_WARNING "%s: reset phy and link down now\n",
  3.1102 +-					net_dev->name);
  3.1103 ++				       dev_name);
  3.1104 + 				return -ETIME;
  3.1105 + 			}
  3.1106 + 		}
  3.1107 +@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net
  3.1108 + 		sis_priv->mii = default_phy;
  3.1109 + 		sis_priv->cur_phy = default_phy->phy_addr;
  3.1110 + 		printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
  3.1111 +-					net_dev->name,sis_priv->cur_phy);
  3.1112 ++		       pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
  3.1113 + 	}
  3.1114 + 	
  3.1115 + 	status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
  3.1116 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
  3.1117 +--- a/drivers/net/tun.c
  3.1118 ++++ b/drivers/net/tun.c
  3.1119 +@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s
  3.1120 + 	size_t len = count;
  3.1121 + 
  3.1122 + 	if (!(tun->flags & TUN_NO_PI)) {
  3.1123 +-		if ((len -= sizeof(pi)) > len)
  3.1124 ++		if ((len -= sizeof(pi)) > count)
  3.1125 + 			return -EINVAL;
  3.1126 + 
  3.1127 + 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
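Review bot: The length check in `tun_get_user` still detects a too-short write by letting `len -= sizeof(pi)` wrap and comparing the result with `count`. That is correct for `size_t`, but it is easy to break again, as the replaced `> len` comparison shows. Testing before subtracting reads more plainly: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. The function continues outside the hunk.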
  3.1128 +diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
  3.1129 +--- a/drivers/net/via-rhine.c
  3.1130 ++++ b/drivers/net/via-rhine.c
  3.1131 +@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 
  3.1132 + 		       dev->name, rp->pdev->irq);
  3.1133 + 
  3.1134 + 	rc = alloc_ring(dev);
  3.1135 +-	if (rc)
  3.1136 ++	if (rc) {
  3.1137 ++		free_irq(rp->pdev->irq, dev);
  3.1138 + 		return rc;
  3.1139 ++	}
  3.1140 + 	alloc_rbufs(dev);
  3.1141 + 	alloc_tbufs(dev);
  3.1142 + 	rhine_chip_reset(dev);
  3.1143 +@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic
  3.1144 + 	struct rhine_private *rp = netdev_priv(dev);
  3.1145 + 	void __iomem *ioaddr = rp->base;
  3.1146 + 
  3.1147 ++	if (!(rp->quirks & rqWOL))
  3.1148 ++		return; /* Nothing to do for non-WOL adapters */
  3.1149 ++
  3.1150 + 	rhine_power_init(dev);
  3.1151 + 
  3.1152 + 	/* Make sure we use pattern 0, 1 and not 4, 5 */
  3.1153 +diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
  3.1154 +--- a/drivers/net/wan/hd6457x.c
  3.1155 ++++ b/drivers/net/wan/hd6457x.c
  3.1156 +@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 
  3.1157 + #endif
  3.1158 + 	stats->rx_packets++;
  3.1159 + 	stats->rx_bytes += skb->len;
  3.1160 +-	skb->dev->last_rx = jiffies;
  3.1161 ++	dev->last_rx = jiffies;
  3.1162 + 	skb->protocol = hdlc_type_trans(skb, dev);
  3.1163 + 	netif_rx(skb);
  3.1164 + }
  3.1165 +diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
  3.1166 +--- a/drivers/pci/hotplug/pciehp_ctrl.c
  3.1167 ++++ b/drivers/pci/hotplug/pciehp_ctrl.c
  3.1168 +@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 
  3.1169 + 				dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
  3.1170 + 					ctrl->seg, func->bus, func->device, func->function);
  3.1171 + 				bridge_slot_remove(func);
  3.1172 +-			} else
  3.1173 ++			} else {
  3.1174 + 				dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
  3.1175 + 					ctrl->seg, func->bus, func->device, func->function);
  3.1176 + 				slot_remove(func);
  3.1177 ++			}
  3.1178 + 
  3.1179 + 			func = pciehp_slot_find(ctrl->slot_bus, device, 0);
  3.1180 + 		}
  3.1181 +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
  3.1182 +--- a/drivers/usb/serial/visor.c
  3.1183 ++++ b/drivers/usb/serial/visor.c
  3.1184 +@@ -386,6 +386,7 @@ struct visor_private {
  3.1185 + 	int bytes_in;
  3.1186 + 	int bytes_out;
  3.1187 + 	int outstanding_urbs;
  3.1188 ++	int throttled;
  3.1189 + };
  3.1190 + 
  3.1191 + /* number of outstanding urbs to prevent userspace DoS from happening */
  3.1192 +@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial
  3.1193 + 	priv->bytes_in = 0;
  3.1194 + 	priv->bytes_out = 0;
  3.1195 + 	priv->outstanding_urbs = 0;
  3.1196 ++	priv->throttled = 0;
  3.1197 + 	spin_unlock_irqrestore(&priv->lock, flags);
  3.1198 + 
  3.1199 + 	/*
  3.1200 +@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st
  3.1201 + 	struct tty_struct *tty;
  3.1202 + 	unsigned long flags;
  3.1203 + 	int i;
  3.1204 ++	int throttled;
  3.1205 + 	int result;
  3.1206 + 
  3.1207 + 	dbg("%s - port %d", __FUNCTION__, port->number);
  3.1208 +@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st
  3.1209 + 	}
  3.1210 + 	spin_lock_irqsave(&priv->lock, flags);
  3.1211 + 	priv->bytes_in += urb->actual_length;
  3.1212 ++	throttled = priv->throttled;
  3.1213 + 	spin_unlock_irqrestore(&priv->lock, flags);
  3.1214 + 
  3.1215 +-	/* Continue trying to always read  */
  3.1216 +-	usb_fill_bulk_urb (port->read_urb, port->serial->dev,
  3.1217 +-			   usb_rcvbulkpipe(port->serial->dev,
  3.1218 +-					   port->bulk_in_endpointAddress),
  3.1219 +-			   port->read_urb->transfer_buffer,
  3.1220 +-			   port->read_urb->transfer_buffer_length,
  3.1221 +-			   visor_read_bulk_callback, port);
  3.1222 +-	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  3.1223 +-	if (result)
  3.1224 +-		dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
  3.1225 ++	/* Continue trying to always read if we should */
  3.1226 ++	if (!throttled) {
  3.1227 ++		usb_fill_bulk_urb (port->read_urb, port->serial->dev,
  3.1228 ++				   usb_rcvbulkpipe(port->serial->dev,
  3.1229 ++						   port->bulk_in_endpointAddress),
  3.1230 ++				   port->read_urb->transfer_buffer,
  3.1231 ++				   port->read_urb->transfer_buffer_length,
  3.1232 ++				   visor_read_bulk_callback, port);
  3.1233 ++		result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  3.1234 ++		if (result)
  3.1235 ++			dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
  3.1236 ++	}
  3.1237 + 	return;
  3.1238 + }
  3.1239 + 
  3.1240 +@@ -683,16 +689,26 @@ exit:
  3.1241 + 
  3.1242 + static void visor_throttle (struct usb_serial_port *port)
  3.1243 + {
  3.1244 ++	struct visor_private *priv = usb_get_serial_port_data(port);
  3.1245 ++	unsigned long flags;
  3.1246 ++
  3.1247 + 	dbg("%s - port %d", __FUNCTION__, port->number);
  3.1248 +-	usb_kill_urb(port->read_urb);
  3.1249 ++	spin_lock_irqsave(&priv->lock, flags);
  3.1250 ++	priv->throttled = 1;
  3.1251 ++	spin_unlock_irqrestore(&priv->lock, flags);
  3.1252 + }
  3.1253 + 
  3.1254 + 
  3.1255 + static void visor_unthrottle (struct usb_serial_port *port)
  3.1256 + {
  3.1257 ++	struct visor_private *priv = usb_get_serial_port_data(port);
  3.1258 ++	unsigned long flags;
  3.1259 + 	int result;
  3.1260 + 
  3.1261 + 	dbg("%s - port %d", __FUNCTION__, port->number);
  3.1262 ++	spin_lock_irqsave(&priv->lock, flags);
  3.1263 ++	priv->throttled = 0;
  3.1264 ++	spin_unlock_irqrestore(&priv->lock, flags);
  3.1265 + 
  3.1266 + 	port->read_urb->dev = port->serial->dev;
  3.1267 + 	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
  3.1268 +diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c
  3.1269 +--- a/drivers/video/matrox/matroxfb_accel.c
  3.1270 ++++ b/drivers/video/matrox/matroxfb_accel.c
  3.1271 +@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI
  3.1272 + 		} else if (step == 1) {
  3.1273 + 			/* Special case for 1..8bit widths */
  3.1274 + 			while (height--) {
  3.1275 +-				mga_writel(mmio, 0, *chardata);
  3.1276 ++#if defined(__BIG_ENDIAN)
  3.1277 ++				fb_writel((*chardata) << 24, mmio.vaddr);
  3.1278 ++#else
  3.1279 ++				fb_writel(*chardata, mmio.vaddr);
  3.1280 ++#endif
  3.1281 + 				chardata++;
  3.1282 + 			}
  3.1283 + 		} else if (step == 2) {
  3.1284 + 			/* Special case for 9..15bit widths */
  3.1285 + 			while (height--) {
  3.1286 +-				mga_writel(mmio, 0, *(u_int16_t*)chardata);
  3.1287 ++#if defined(__BIG_ENDIAN)
  3.1288 ++				fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr);
  3.1289 ++#else
  3.1290 ++				fb_writel(*(u_int16_t*)chardata, mmio.vaddr);
  3.1291 ++#endif
  3.1292 + 				chardata += 2;
  3.1293 + 			}
  3.1294 + 		} else {
  3.1295 +@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI
  3.1296 + 				
  3.1297 + 				for (i = 0; i < step; i += 4) {
  3.1298 + 					/* Hope that there are at least three readable bytes beyond the end of bitmap */
  3.1299 +-					mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i)));
  3.1300 ++					fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr);
  3.1301 + 				}
  3.1302 + 				chardata += step;
  3.1303 + 			}
  3.1304 +diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h
  3.1305 +--- a/drivers/video/matrox/matroxfb_base.h
  3.1306 ++++ b/drivers/video/matrox/matroxfb_base.h
  3.1307 +@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr
  3.1308 + 
  3.1309 + 	if ((unsigned long)src & 3) {
  3.1310 + 		while (len >= 4) {
  3.1311 +-			writel(get_unaligned((u32 *)src), addr);
  3.1312 ++			fb_writel(get_unaligned((u32 *)src), addr);
  3.1313 + 			addr++;
  3.1314 + 			len -= 4;
  3.1315 + 			src += 4;
  3.1316 + 		}
  3.1317 + 	} else {
  3.1318 + 		while (len >= 4) {
  3.1319 +-			writel(*(u32 *)src, addr);
  3.1320 ++			fb_writel(*(u32 *)src, addr);
  3.1321 + 			addr++;
  3.1322 + 			len -= 4;
  3.1323 + 			src += 4;
  3.1324 +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
  3.1325 +--- a/fs/binfmt_elf.c
  3.1326 ++++ b/fs/binfmt_elf.c
  3.1327 +@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b
  3.1328 + 	}
  3.1329 + 
  3.1330 + 	/* Populate argv and envp */
  3.1331 +-	p = current->mm->arg_start;
  3.1332 ++	p = current->mm->arg_end = current->mm->arg_start;
  3.1333 + 	while (argc-- > 0) {
  3.1334 + 		size_t len;
  3.1335 + 		__put_user((elf_addr_t)p, argv++);
  3.1336 +@@ -1008,6 +1008,7 @@ out_free_ph:
  3.1337 + static int load_elf_library(struct file *file)
  3.1338 + {
  3.1339 + 	struct elf_phdr *elf_phdata;
  3.1340 ++	struct elf_phdr *eppnt;
  3.1341 + 	unsigned long elf_bss, bss, len;
  3.1342 + 	int retval, error, i, j;
  3.1343 + 	struct elfhdr elf_ex;
  3.1344 +@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 
  3.1345 + 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
  3.1346 + 
  3.1347 + 	error = -ENOMEM;
  3.1348 +-	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
  3.1349 ++	elf_phdata = kmalloc(j, GFP_KERNEL);
  3.1350 + 	if (!elf_phdata)
  3.1351 + 		goto out;
  3.1352 + 
  3.1353 ++	eppnt = elf_phdata;
  3.1354 + 	error = -ENOEXEC;
  3.1355 +-	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
  3.1356 ++	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
  3.1357 + 	if (retval != j)
  3.1358 + 		goto out_free_ph;
  3.1359 + 
  3.1360 + 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
  3.1361 +-		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
  3.1362 ++		if ((eppnt + i)->p_type == PT_LOAD)
  3.1363 ++			j++;
  3.1364 + 	if (j != 1)
  3.1365 + 		goto out_free_ph;
  3.1366 + 
  3.1367 +-	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
  3.1368 ++	while (eppnt->p_type != PT_LOAD)
  3.1369 ++		eppnt++;
  3.1370 + 
  3.1371 + 	/* Now use mmap to map the library into memory. */
  3.1372 + 	down_write(&current->mm->mmap_sem);
  3.1373 + 	error = do_mmap(file,
  3.1374 +-			ELF_PAGESTART(elf_phdata->p_vaddr),
  3.1375 +-			(elf_phdata->p_filesz +
  3.1376 +-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
  3.1377 ++			ELF_PAGESTART(eppnt->p_vaddr),
  3.1378 ++			(eppnt->p_filesz +
  3.1379 ++			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
  3.1380 + 			PROT_READ | PROT_WRITE | PROT_EXEC,
  3.1381 + 			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
  3.1382 +-			(elf_phdata->p_offset -
  3.1383 +-			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
  3.1384 ++			(eppnt->p_offset -
  3.1385 ++			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
  3.1386 + 	up_write(&current->mm->mmap_sem);
  3.1387 +-	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
  3.1388 ++	if (error != ELF_PAGESTART(eppnt->p_vaddr))
  3.1389 + 		goto out_free_ph;
  3.1390 + 
  3.1391 +-	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
  3.1392 ++	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
  3.1393 + 	if (padzero(elf_bss)) {
  3.1394 + 		error = -EFAULT;
  3.1395 + 		goto out_free_ph;
  3.1396 + 	}
  3.1397 + 
  3.1398 +-	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
  3.1399 +-	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
  3.1400 ++	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
  3.1401 ++	bss = eppnt->p_memsz + eppnt->p_vaddr;
  3.1402 + 	if (bss > len) {
  3.1403 + 		down_write(&current->mm->mmap_sem);
  3.1404 + 		do_brk(len, bss - len);
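Review bot: Nothing in load_elf_library says why the new cursor `eppnt` exists, so a later cleanup could fold it back into `elf_phdata`. The point appears to be that `elf_phdata` must still hold the address returned by kmalloc() when it is freed on the `out_free_ph` path (the free itself is outside this hunk). A comment at the assignment would record that: `/* walk with eppnt; elf_phdata must still point at the kmalloc'd buffer when it is freed */`. Separately, the context line `do_brk(len, bss - len);` discards its result, so a failure to extend the bss is not reported to the caller. The function starts and ends outside the hunk.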
  3.1405 +@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs
  3.1406 + static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
  3.1407 + 		       struct mm_struct *mm)
  3.1408 + {
  3.1409 +-	int i, len;
  3.1410 ++	unsigned int i, len;
  3.1411 + 	
  3.1412 + 	/* first copy the parameters from user space */
  3.1413 + 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
  3.1414 +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
  3.1415 +--- a/fs/cramfs/inode.c
  3.1416 ++++ b/fs/cramfs/inode.c
  3.1417 +@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st
  3.1418 + 			inode->i_data.a_ops = &cramfs_aops;
  3.1419 + 		} else {
  3.1420 + 			inode->i_size = 0;
  3.1421 ++			inode->i_blocks = 0;
  3.1422 + 			init_special_inode(inode, inode->i_mode,
  3.1423 + 				old_decode_dev(cramfs_inode->size));
  3.1424 + 		}
  3.1425 +diff --git a/fs/eventpoll.c b/fs/eventpoll.c
  3.1426 +--- a/fs/eventpoll.c
  3.1427 ++++ b/fs/eventpoll.c
  3.1428 +@@ -619,6 +619,7 @@ eexit_1:
  3.1429 + 	return error;
  3.1430 + }
  3.1431 + 
  3.1432 ++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
  3.1433 + 
  3.1434 + /*
  3.1435 +  * Implement the event wait interface for the eventpoll file. It is the kernel
  3.1436 +@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd,
  3.1437 + 		     current, epfd, events, maxevents, timeout));
  3.1438 + 
  3.1439 + 	/* The maximum number of event must be greater than zero */
  3.1440 +-	if (maxevents <= 0)
  3.1441 ++	if (maxevents <= 0 || maxevents > MAX_EVENTS)
  3.1442 + 		return -EINVAL;
  3.1443 + 
  3.1444 + 	/* Verify that the area passed by the user is writeable */
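Review bot: The comment above the `maxevents` test still says only that the count must be greater than zero, and `MAX_EVENTS` in the previous hunk is defined without saying what it protects. The bound presumably keeps `maxevents * sizeof(struct epoll_event)` within `INT_MAX` for the user-buffer check that follows. I would say so at the macro, `/* largest maxevents for which maxevents * sizeof(struct epoll_event) stays within INT_MAX */`, and change the check's comment to `/* maxevents must be positive and no larger than MAX_EVENTS */`. `MAX_EVENTS` has an unsigned type, so the comparison is only correct because `maxevents <= 0` is tested first; that ordering deserves a mention too. sys_epoll_wait starts and ends outside the hunk.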
  3.1445 +diff --git a/fs/exec.c b/fs/exec.c
  3.1446 +--- a/fs/exec.c
  3.1447 ++++ b/fs/exec.c
  3.1448 +@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas
  3.1449 + {
  3.1450 + 	/* buf must be at least sizeof(tsk->comm) in size */
  3.1451 + 	task_lock(tsk);
  3.1452 +-	memcpy(buf, tsk->comm, sizeof(tsk->comm));
  3.1453 ++	strncpy(buf, tsk->comm, sizeof(tsk->comm));
  3.1454 + 	task_unlock(tsk);
  3.1455 + }
  3.1456 + 
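Review bot: `strncpy(buf, tsk->comm, sizeof(tsk->comm))` leaves `buf` unterminated if `tsk->comm` ever lacks a NUL inside its array, so the result is a valid string only as long as every writer of `comm` terminates it. What the change presumably buys is that bytes after the terminator are zero-filled instead of being copied out to the caller, and nothing in the function says so. A comment such as `/* strncpy zero-pads, so stale bytes after the NUL in tsk->comm never reach the caller */` would stop someone from switching back to memcpy. If termination must hold regardless, `buf[sizeof(tsk->comm) - 1] = '\0';` after the copy guarantees it. The function's signature is only in the hunk header.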
  3.1457 +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
  3.1458 +--- a/fs/ext2/dir.c
  3.1459 ++++ b/fs/ext2/dir.c
  3.1460 +@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
  3.1461 + 		goto fail;
  3.1462 + 	}
  3.1463 + 	kaddr = kmap_atomic(page, KM_USER0);
  3.1464 ++       memset(kaddr, 0, chunk_size);
  3.1465 + 	de = (struct ext2_dir_entry_2 *)kaddr;
  3.1466 + 	de->name_len = 1;
  3.1467 + 	de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
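Review bot: The added `memset(kaddr, 0, chunk_size);` is indented with spaces where the neighbouring lines use a tab, and it carries no explanation. It presumably clears the chunk so that whatever the page held before is not written out as directory slack. If so, say it: `/* zero the whole chunk so stale page contents are never written to disk */`. ext2_make_empty starts and ends outside the hunk.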
  3.1468 +diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
  3.1469 +--- a/fs/ext3/balloc.c
  3.1470 ++++ b/fs/ext3/balloc.c
  3.1471 +@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino
  3.1472 + 
  3.1473 + 	if (!rsv_is_empty(&rsv->rsv_window)) {
  3.1474 + 		spin_lock(rsv_lock);
  3.1475 +-		rsv_window_remove(inode->i_sb, rsv);
  3.1476 ++		if (!rsv_is_empty(&rsv->rsv_window))
  3.1477 ++			rsv_window_remove(inode->i_sb, rsv);
  3.1478 + 		spin_unlock(rsv_lock);
  3.1479 + 	}
  3.1480 + }
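Review bot: The same `rsv_is_empty()` test now appears twice, once before `spin_lock(rsv_lock)` and once after, with nothing to say the second one is deliberate. It looks like a recheck under the lock, because the window can be removed between the unlocked test and taking the lock. A comment on the inner test would keep it from being cleaned up as a duplicate: `/* recheck under rsv_lock: the window may have been removed since the unlocked test */`. The function starts outside the hunk.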
  3.1481 +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
  3.1482 +--- a/fs/hfs/mdb.c
  3.1483 ++++ b/fs/hfs/mdb.c
  3.1484 +@@ -333,6 +333,8 @@ void hfs_mdb_close(struct super_block *s
  3.1485 +  * Release the resources associated with the in-core MDB.  */
  3.1486 + void hfs_mdb_put(struct super_block *sb)
  3.1487 + {
  3.1488 ++	if (!HFS_SB(sb))
  3.1489 ++		return;
  3.1490 + 	/* free the B-trees */
  3.1491 + 	hfs_btree_close(HFS_SB(sb)->ext_tree);
  3.1492 + 	hfs_btree_close(HFS_SB(sb)->cat_tree);
  3.1493 +@@ -340,4 +342,7 @@ void hfs_mdb_put(struct super_block *sb)
  3.1494 + 	/* free the buffers holding the primary and alternate MDBs */
  3.1495 + 	brelse(HFS_SB(sb)->mdb_bh);
  3.1496 + 	brelse(HFS_SB(sb)->alt_mdb_bh);
  3.1497 ++
  3.1498 ++	kfree(HFS_SB(sb));
  3.1499 ++	sb->s_fs_info = NULL;
  3.1500 + }
  3.1501 +diff --git a/fs/hfs/super.c b/fs/hfs/super.c
  3.1502 +--- a/fs/hfs/super.c
  3.1503 ++++ b/fs/hfs/super.c
  3.1504 +@@ -263,7 +263,7 @@ static int hfs_fill_super(struct super_b
  3.1505 + 	res = -EINVAL;
  3.1506 + 	if (!parse_options((char *)data, sbi)) {
  3.1507 + 		hfs_warn("hfs_fs: unable to parse mount options.\n");
  3.1508 +-		goto bail3;
  3.1509 ++		goto bail;
  3.1510 + 	}
  3.1511 + 
  3.1512 + 	sb->s_op = &hfs_super_operations;
  3.1513 +@@ -276,7 +276,7 @@ static int hfs_fill_super(struct super_b
  3.1514 + 			hfs_warn("VFS: Can't find a HFS filesystem on dev %s.\n",
  3.1515 + 				hfs_mdb_name(sb));
  3.1516 + 		res = -EINVAL;
  3.1517 +-		goto bail2;
  3.1518 ++		goto bail;
  3.1519 + 	}
  3.1520 + 
  3.1521 + 	/* try to get the root inode */
  3.1522 +@@ -306,10 +306,8 @@ bail_iput:
  3.1523 + 	iput(root_inode);
  3.1524 + bail_no_root:
  3.1525 + 	hfs_warn("hfs_fs: get root inode failed.\n");
  3.1526 ++bail:
  3.1527 + 	hfs_mdb_put(sb);
  3.1528 +-bail2:
  3.1529 +-bail3:
  3.1530 +-	kfree(sbi);
  3.1531 + 	return res;
  3.1532 + }
  3.1533 + 
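Review bot: Every early failure in hfs_fill_super now reaches `bail:` and calls hfs_mdb_put(), including the parse_options failure in the first hunk of this file. That failure happens before anything visible here has set up the B-trees or the MDB buffers. This is safe only if `sbi` is zero-filled when allocated and hfs_btree_close() accepts a NULL tree; neither is shown in these hunks. I would confirm both and state the contract at the label: `/* hfs_mdb_put() copes with a partially set-up sbi and frees it */`. The function starts outside the hunk.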
  3.1534 +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
  3.1535 +--- a/fs/hfsplus/super.c
  3.1536 ++++ b/fs/hfsplus/super.c
  3.1537 +@@ -207,7 +207,9 @@ static void hfsplus_write_super(struct s
  3.1538 + static void hfsplus_put_super(struct super_block *sb)
  3.1539 + {
  3.1540 + 	dprint(DBG_SUPER, "hfsplus_put_super\n");
  3.1541 +-	if (!(sb->s_flags & MS_RDONLY)) {
  3.1542 ++	if (!sb->s_fs_info)
  3.1543 ++		return;
  3.1544 ++	if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) {
  3.1545 + 		struct hfsplus_vh *vhdr = HFSPLUS_SB(sb).s_vhdr;
  3.1546 + 
  3.1547 + 		vhdr->modify_date = hfsp_now2mt();
  3.1548 +@@ -223,6 +225,8 @@ static void hfsplus_put_super(struct sup
  3.1549 + 	iput(HFSPLUS_SB(sb).alloc_file);
  3.1550 + 	iput(HFSPLUS_SB(sb).hidden_dir);
  3.1551 + 	brelse(HFSPLUS_SB(sb).s_vhbh);
  3.1552 ++	kfree(sb->s_fs_info);
  3.1553 ++	sb->s_fs_info = NULL;
  3.1554 + }
  3.1555 + 
  3.1556 + static int hfsplus_statfs(struct super_block *sb, struct kstatfs *buf)
  3.1557 +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
  3.1558 +--- a/fs/isofs/inode.c
  3.1559 ++++ b/fs/isofs/inode.c
  3.1560 +@@ -685,6 +685,8 @@ root_found:
  3.1561 + 	  sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
  3.1562 + 	  sbi->s_max_size = isonum_733(h_pri->volume_space_size);
  3.1563 + 	} else {
  3.1564 ++	  if (!pri)
  3.1565 ++	    goto out_freebh;
  3.1566 + 	  rootp = (struct iso_directory_record *) pri->root_directory_record;
  3.1567 + 	  sbi->s_nzones = isonum_733 (pri->volume_space_size);
  3.1568 + 	  sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
  3.1569 +@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl
  3.1570 + 	struct inode *inode;
  3.1571 + 	struct isofs_iget5_callback_data data;
  3.1572 + 
  3.1573 ++	if (offset >= 1ul << sb->s_blocksize_bits)
  3.1574 ++		return NULL;
  3.1575 ++
  3.1576 + 	data.block = block;
  3.1577 + 	data.offset = offset;
  3.1578 + 
  3.1579 +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
  3.1580 +--- a/fs/isofs/rock.c
  3.1581 ++++ b/fs/isofs/rock.c
  3.1582 +@@ -53,6 +53,7 @@
  3.1583 +   if(LEN & 1) LEN++;						\
  3.1584 +   CHR = ((unsigned char *) DE) + LEN;				\
  3.1585 +   LEN = *((unsigned char *) DE) - LEN;                          \
  3.1586 ++  if (LEN<0) LEN=0;                                             \
  3.1587 +   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
  3.1588 +   {                                                             \
  3.1589 +      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
  3.1590 +@@ -73,6 +74,10 @@
  3.1591 +     offset1 = 0; \
  3.1592 +     pbh = sb_bread(DEV->i_sb, block); \
  3.1593 +     if(pbh){       \
  3.1594 ++      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
  3.1595 ++	brelse(pbh); \
  3.1596 ++	goto out; \
  3.1597 ++      } \
  3.1598 +       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
  3.1599 +       brelse(pbh); \
  3.1600 +       chr = (unsigned char *) buffer; \
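Review bot: `offset + cont_size > pbh->b_size` adds the two values before comparing, so if they are signed ints taken from the disc image (their declarations are not in this hunk) a large pair can wrap and pass the test. Because `offset > pbh->b_size` is rejected first, the second test can avoid the addition: `cont_size > pbh->b_size - offset`. The `goto out` also means every function that expands this macro needs an `out` label that releases its own resources, which is worth a line in the macro's comment. The macro starts and ends outside the hunk.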
  3.1601 +@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d
  3.1602 +     struct rock_ridge * rr;
  3.1603 +     int sig;
  3.1604 +     
  3.1605 +-    while (len > 1){ /* There may be one byte for padding somewhere */
  3.1606 ++    while (len > 2){ /* There may be one byte for padding somewhere */
  3.1607 +       rr = (struct rock_ridge *) chr;
  3.1608 +-      if (rr->len == 0) goto out; /* Something got screwed up here */
  3.1609 ++      if (rr->len < 3) goto out; /* Something got screwed up here */
  3.1610 +       sig = isonum_721(chr);
  3.1611 +       chr += rr->len; 
  3.1612 +       len -= rr->len;
  3.1613 ++      if (len < 0) goto out;	/* corrupted isofs */
  3.1614 + 
  3.1615 +       switch(sig){
  3.1616 +       case SIG('R','R'):
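Review bot: The new bounds `len > 2` and `rr->len < 3` are bare numbers, and the loop comment still mentions only a padding byte. They appear to mean that an entry must hold at least its two signature bytes plus the length byte. A short comment on the `rr->len` test, `/* need signature (2 bytes) + length byte */`, would make that checkable. The same applies to the identical changes in parse_rock_ridge_inode_internal and rock_ridge_symlink_readpage, and to `rr->len < 5` in the NM case. Note that `chr` is advanced before `len < 0` is tested, which is harmless only because the code leaves the loop at once.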
  3.1617 +@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d
  3.1618 + 	break;
  3.1619 +       case SIG('N','M'):
  3.1620 + 	if (truncate) break;
  3.1621 ++	if (rr->len < 5) break;
  3.1622 +         /*
  3.1623 + 	 * If the flags are 2 or 4, this indicates '.' or '..'.
  3.1624 + 	 * We don't want to do anything with this, because it
  3.1625 +@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i
  3.1626 +     struct rock_ridge * rr;
  3.1627 +     int rootflag;
  3.1628 +     
  3.1629 +-    while (len > 1){ /* There may be one byte for padding somewhere */
  3.1630 ++    while (len > 2){ /* There may be one byte for padding somewhere */
  3.1631 +       rr = (struct rock_ridge *) chr;
  3.1632 +-      if (rr->len == 0) goto out; /* Something got screwed up here */
  3.1633 ++      if (rr->len < 3) goto out; /* Something got screwed up here */
  3.1634 +       sig = isonum_721(chr);
  3.1635 +       chr += rr->len; 
  3.1636 +       len -= rr->len;
  3.1637 ++      if (len < 0) goto out;	/* corrupted isofs */
  3.1638 +       
  3.1639 +       switch(sig){
  3.1640 + #ifndef CONFIG_ZISOFS		/* No flag for SF or ZF */
  3.1641 +@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s
  3.1642 + 	struct rock_ridge *rr;
  3.1643 + 
  3.1644 + 	if (!ISOFS_SB(inode->i_sb)->s_rock)
  3.1645 +-		panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
  3.1646 ++		goto error;
  3.1647 + 
  3.1648 + 	block = ei->i_iget5_block;
  3.1649 + 	lock_kernel();
  3.1650 +@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s
  3.1651 + 	SETUP_ROCK_RIDGE(raw_inode, chr, len);
  3.1652 + 
  3.1653 +       repeat:
  3.1654 +-	while (len > 1) { /* There may be one byte for padding somewhere */
  3.1655 ++	while (len > 2) { /* There may be one byte for padding somewhere */
  3.1656 + 		rr = (struct rock_ridge *) chr;
  3.1657 +-		if (rr->len == 0)
  3.1658 ++		if (rr->len < 3)
  3.1659 + 			goto out;	/* Something got screwed up here */
  3.1660 + 		sig = isonum_721(chr);
  3.1661 + 		chr += rr->len;
  3.1662 + 		len -= rr->len;
  3.1663 ++		if (len < 0)
  3.1664 ++			goto out;	/* corrupted isofs */
  3.1665 + 
  3.1666 + 		switch (sig) {
  3.1667 + 		case SIG('R', 'R'):
  3.1668 +@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s
  3.1669 +       fail:
  3.1670 + 	brelse(bh);
  3.1671 + 	unlock_kernel();
  3.1672 ++      error:
  3.1673 + 	SetPageError(page);
  3.1674 + 	kunmap(page);
  3.1675 + 	unlock_page(page);
  3.1676 +diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
  3.1677 +--- a/fs/jbd/checkpoint.c
  3.1678 ++++ b/fs/jbd/checkpoint.c
  3.1679 +@@ -339,8 +339,10 @@ int log_do_checkpoint(journal_t *journal
  3.1680 + 			}
  3.1681 + 		} while (jh != last_jh && !retry);
  3.1682 + 
  3.1683 +-		if (batch_count)
  3.1684 ++		if (batch_count) {
  3.1685 + 			__flush_batch(journal, bhs, &batch_count);
  3.1686 ++			retry = 1;
  3.1687 ++		}
  3.1688 + 
  3.1689 + 		/*
  3.1690 + 		 * If someone cleaned up this transaction while we slept, we're
  3.1691 +diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
  3.1692 +--- a/fs/jbd/transaction.c
  3.1693 ++++ b/fs/jbd/transaction.c
  3.1694 +@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
  3.1695 + 			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  3.1696 + 			ret = __dispose_buffer(jh,
  3.1697 + 					journal->j_running_transaction);
  3.1698 ++			journal_put_journal_head(jh);
  3.1699 + 			spin_unlock(&journal->j_list_lock);
  3.1700 + 			jbd_unlock_bh_state(bh);
  3.1701 + 			spin_unlock(&journal->j_state_lock);
  3.1702 +-			journal_put_journal_head(jh);
  3.1703 + 			return ret;
  3.1704 + 		} else {
  3.1705 + 			/* There is no currently-running transaction. So the
  3.1706 +@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
  3.1707 + 				JBUFFER_TRACE(jh, "give to committing trans");
  3.1708 + 				ret = __dispose_buffer(jh,
  3.1709 + 					journal->j_committing_transaction);
  3.1710 ++				journal_put_journal_head(jh);
  3.1711 + 				spin_unlock(&journal->j_list_lock);
  3.1712 + 				jbd_unlock_bh_state(bh);
  3.1713 + 				spin_unlock(&journal->j_state_lock);
  3.1714 +-				journal_put_journal_head(jh);
  3.1715 + 				return ret;
  3.1716 + 			} else {
  3.1717 + 				/* The orphan record's transaction has
  3.1718 +@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
  3.1719 + 					journal->j_running_transaction);
  3.1720 + 			jh->b_next_transaction = NULL;
  3.1721 + 		}
  3.1722 ++		journal_put_journal_head(jh);
  3.1723 + 		spin_unlock(&journal->j_list_lock);
  3.1724 + 		jbd_unlock_bh_state(bh);
  3.1725 + 		spin_unlock(&journal->j_state_lock);
  3.1726 +-		journal_put_journal_head(jh);
  3.1727 + 		return 0;
  3.1728 + 	} else {
  3.1729 + 		/* Good, the buffer belongs to the running transaction.
  3.1730 +diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h
  3.1731 +--- a/include/asm-x86_64/processor.h
  3.1732 ++++ b/include/asm-x86_64/processor.h
  3.1733 +@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne
  3.1734 + 
  3.1735 + 
  3.1736 + /*
  3.1737 +- * User space process size. 47bits.
  3.1738 ++ * User space process size. 47bits minus one guard page.
  3.1739 +  */
  3.1740 +-#define TASK_SIZE	(0x800000000000UL)
  3.1741 ++#define TASK_SIZE	(0x800000000000UL - 4096)
  3.1742 + 
  3.1743 + /* This decides where the kernel will search for a free chunk of vm
  3.1744 +  * space during mmap's.
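Review bot: The guard page is written as the literal `4096`, which silently ties `TASK_SIZE` to one page size. If `PAGE_SIZE` is in scope in this header (not visible here), `#define TASK_SIZE	(0x800000000000UL - PAGE_SIZE)` states the intent directly. The updated comment says a guard page is subtracted but not what it guards against; one more sentence giving the reason would help anyone auditing address-range checks that compare against `TASK_SIZE`.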
  3.1745 +diff --git a/include/linux/err.h b/include/linux/err.h
  3.1746 +--- a/include/linux/err.h
  3.1747 ++++ b/include/linux/err.h
  3.1748 +@@ -13,6 +13,8 @@
  3.1749 +  * This should be a per-architecture thing, to allow different
  3.1750 +  * error and pointer decisions.
  3.1751 +  */
  3.1752 ++#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
  3.1753 ++
  3.1754 + static inline void *ERR_PTR(long error)
  3.1755 + {
  3.1756 + 	return (void *) error;
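Review bot: `IS_ERR_VALUE(x)` compares `(x)` with whatever type the caller passes, so an `unsigned int` holding a negative errno is zero-extended on a 64-bit build and never exceeds `(unsigned long)-1000L`. The two uses on this page are fine: IS_ERR() casts to `unsigned long` first and get_unmapped_area() passes an `unsigned long`. A cast inside the macro would not rescue a 32-bit unsigned argument, so the requirement belongs in a comment: `/* x must be an unsigned long (or a signed type that sign-extends); 32-bit unsigned values are never seen as errors */`. The limit `1000` is also unnamed and duplicated from the old IS_ERR() body.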
  3.1757 +@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p
  3.1758 + 
  3.1759 + static inline long IS_ERR(const void *ptr)
  3.1760 + {
  3.1761 +-	return unlikely((unsigned long)ptr > (unsigned long)-1000L);
  3.1762 ++	return IS_ERR_VALUE((unsigned long)ptr);
  3.1763 + }
  3.1764 + 
  3.1765 + #endif /* _LINUX_ERR_H */
  3.1766 +diff --git a/kernel/exit.c b/kernel/exit.c
  3.1767 +--- a/kernel/exit.c
  3.1768 ++++ b/kernel/exit.c
  3.1769 +@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas
  3.1770 + 	 */
  3.1771 + 	BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
  3.1772 + 	p->real_parent = reaper;
  3.1773 +-	if (p->parent == p->real_parent)
  3.1774 +-		BUG();
  3.1775 + }
  3.1776 + 
  3.1777 + static inline void reparent_thread(task_t *p, task_t *father, int traced)
  3.1778 +diff --git a/kernel/signal.c b/kernel/signal.c
  3.1779 +--- a/kernel/signal.c
  3.1780 ++++ b/kernel/signal.c
  3.1781 +@@ -1728,6 +1728,7 @@ do_signal_stop(int signr)
  3.1782 + 			 * with another processor delivering a stop signal,
  3.1783 + 			 * then the SIGCONT that wakes us up should clear it.
  3.1784 + 			 */
  3.1785 ++			read_unlock(&tasklist_lock);
  3.1786 + 			return 0;
  3.1787 + 		}
  3.1788 + 
  3.1789 +diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
  3.1790 +--- a/lib/rwsem-spinlock.c
  3.1791 ++++ b/lib/rwsem-spinlock.c
  3.1792 +@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
  3.1793 + 
  3.1794 + 	rwsemtrace(sem, "Entering __down_read");
  3.1795 + 
  3.1796 +-	spin_lock(&sem->wait_lock);
  3.1797 ++	spin_lock_irq(&sem->wait_lock);
  3.1798 + 
  3.1799 + 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  3.1800 + 		/* granted */
  3.1801 + 		sem->activity++;
  3.1802 +-		spin_unlock(&sem->wait_lock);
  3.1803 ++		spin_unlock_irq(&sem->wait_lock);
  3.1804 + 		goto out;
  3.1805 + 	}
  3.1806 + 
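Review bot: __down_read and __down_write here, and rwsem_down_failed_common in lib/rwsem.c, take `wait_lock` with the plain `_irq` variants, so `spin_unlock_irq` enables interrupts unconditionally. The trylock, up and wake paths use `irqsave`/`irqrestore` instead. That split is correct only if the blocking entry points are never entered with interrupts disabled, which is the usual rule for functions that sleep but is not written down here. A comment at the lock would record the assumption: `/* may sleep, so callers have interrupts enabled; plain _irq is sufficient */`. The function starts and ends outside the hunk.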
  3.1807 +@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
  3.1808 + 	list_add_tail(&waiter.list, &sem->wait_list);
  3.1809 + 
  3.1810 + 	/* we don't need to touch the semaphore struct anymore */
  3.1811 +-	spin_unlock(&sem->wait_lock);
  3.1812 ++	spin_unlock_irq(&sem->wait_lock);
  3.1813 + 
  3.1814 + 	/* wait to be given the lock */
  3.1815 + 	for (;;) {
  3.1816 +@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
  3.1817 +  */
  3.1818 + int fastcall __down_read_trylock(struct rw_semaphore *sem)
  3.1819 + {
  3.1820 ++	unsigned long flags;
  3.1821 + 	int ret = 0;
  3.1822 ++
  3.1823 + 	rwsemtrace(sem, "Entering __down_read_trylock");
  3.1824 + 
  3.1825 +-	spin_lock(&sem->wait_lock);
  3.1826 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1827 + 
  3.1828 + 	if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
  3.1829 + 		/* granted */
  3.1830 +@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct 
  3.1831 + 		ret = 1;
  3.1832 + 	}
  3.1833 + 
  3.1834 +-	spin_unlock(&sem->wait_lock);
  3.1835 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1836 + 
  3.1837 + 	rwsemtrace(sem, "Leaving __down_read_trylock");
  3.1838 + 	return ret;
  3.1839 +@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
  3.1840 + 
  3.1841 + 	rwsemtrace(sem, "Entering __down_write");
  3.1842 + 
  3.1843 +-	spin_lock(&sem->wait_lock);
  3.1844 ++	spin_lock_irq(&sem->wait_lock);
  3.1845 + 
  3.1846 + 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  3.1847 + 		/* granted */
  3.1848 + 		sem->activity = -1;
  3.1849 +-		spin_unlock(&sem->wait_lock);
  3.1850 ++		spin_unlock_irq(&sem->wait_lock);
  3.1851 + 		goto out;
  3.1852 + 	}
  3.1853 + 
  3.1854 +@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
  3.1855 + 	list_add_tail(&waiter.list, &sem->wait_list);
  3.1856 + 
  3.1857 + 	/* we don't need to touch the semaphore struct anymore */
  3.1858 +-	spin_unlock(&sem->wait_lock);
  3.1859 ++	spin_unlock_irq(&sem->wait_lock);
  3.1860 + 
  3.1861 + 	/* wait to be given the lock */
  3.1862 + 	for (;;) {
  3.1863 +@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
  3.1864 +  */
  3.1865 + int fastcall __down_write_trylock(struct rw_semaphore *sem)
  3.1866 + {
  3.1867 ++	unsigned long flags;
  3.1868 + 	int ret = 0;
  3.1869 ++
  3.1870 + 	rwsemtrace(sem, "Entering __down_write_trylock");
  3.1871 + 
  3.1872 +-	spin_lock(&sem->wait_lock);
  3.1873 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1874 + 
  3.1875 + 	if (sem->activity == 0 && list_empty(&sem->wait_list)) {
  3.1876 + 		/* granted */
  3.1877 +@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
  3.1878 + 		ret = 1;
  3.1879 + 	}
  3.1880 + 
  3.1881 +-	spin_unlock(&sem->wait_lock);
  3.1882 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1883 + 
  3.1884 + 	rwsemtrace(sem, "Leaving __down_write_trylock");
  3.1885 + 	return ret;
  3.1886 +@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
  3.1887 +  */
  3.1888 + void fastcall __up_read(struct rw_semaphore *sem)
  3.1889 + {
  3.1890 ++	unsigned long flags;
  3.1891 ++
  3.1892 + 	rwsemtrace(sem, "Entering __up_read");
  3.1893 + 
  3.1894 +-	spin_lock(&sem->wait_lock);
  3.1895 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1896 + 
  3.1897 + 	if (--sem->activity == 0 && !list_empty(&sem->wait_list))
  3.1898 + 		sem = __rwsem_wake_one_writer(sem);
  3.1899 + 
  3.1900 +-	spin_unlock(&sem->wait_lock);
  3.1901 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1902 + 
  3.1903 + 	rwsemtrace(sem, "Leaving __up_read");
  3.1904 + }
  3.1905 +@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
  3.1906 +  */
  3.1907 + void fastcall __up_write(struct rw_semaphore *sem)
  3.1908 + {
  3.1909 ++	unsigned long flags;
  3.1910 ++
  3.1911 + 	rwsemtrace(sem, "Entering __up_write");
  3.1912 + 
  3.1913 +-	spin_lock(&sem->wait_lock);
  3.1914 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1915 + 
  3.1916 + 	sem->activity = 0;
  3.1917 + 	if (!list_empty(&sem->wait_list))
  3.1918 + 		sem = __rwsem_do_wake(sem, 1);
  3.1919 + 
  3.1920 +-	spin_unlock(&sem->wait_lock);
  3.1921 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1922 + 
  3.1923 + 	rwsemtrace(sem, "Leaving __up_write");
  3.1924 + }
  3.1925 +@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
  3.1926 +  */
  3.1927 + void fastcall __downgrade_write(struct rw_semaphore *sem)
  3.1928 + {
  3.1929 ++	unsigned long flags;
  3.1930 ++
  3.1931 + 	rwsemtrace(sem, "Entering __downgrade_write");
  3.1932 + 
  3.1933 +-	spin_lock(&sem->wait_lock);
  3.1934 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1935 + 
  3.1936 + 	sem->activity = 1;
  3.1937 + 	if (!list_empty(&sem->wait_list))
  3.1938 + 		sem = __rwsem_do_wake(sem, 0);
  3.1939 + 
  3.1940 +-	spin_unlock(&sem->wait_lock);
  3.1941 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1942 + 
  3.1943 + 	rwsemtrace(sem, "Leaving __downgrade_write");
  3.1944 + }
  3.1945 +diff --git a/lib/rwsem.c b/lib/rwsem.c
  3.1946 +--- a/lib/rwsem.c
  3.1947 ++++ b/lib/rwsem.c
  3.1948 +@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
  3.1949 + 	set_task_state(tsk, TASK_UNINTERRUPTIBLE);
  3.1950 + 
  3.1951 + 	/* set up my own style of waitqueue */
  3.1952 +-	spin_lock(&sem->wait_lock);
  3.1953 ++	spin_lock_irq(&sem->wait_lock);
  3.1954 + 	waiter->task = tsk;
  3.1955 + 	get_task_struct(tsk);
  3.1956 + 
  3.1957 +@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
  3.1958 + 	if (!(count & RWSEM_ACTIVE_MASK))
  3.1959 + 		sem = __rwsem_do_wake(sem, 0);
  3.1960 + 
  3.1961 +-	spin_unlock(&sem->wait_lock);
  3.1962 ++	spin_unlock_irq(&sem->wait_lock);
  3.1963 + 
  3.1964 + 	/* wait to be given the lock */
  3.1965 + 	for (;;) {
  3.1966 +@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
  3.1967 +  */
  3.1968 + struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
  3.1969 + {
  3.1970 ++	unsigned long flags;
  3.1971 ++
  3.1972 + 	rwsemtrace(sem, "Entering rwsem_wake");
  3.1973 + 
  3.1974 +-	spin_lock(&sem->wait_lock);
  3.1975 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1976 + 
  3.1977 + 	/* do nothing if list empty */
  3.1978 + 	if (!list_empty(&sem->wait_list))
  3.1979 + 		sem = __rwsem_do_wake(sem, 0);
  3.1980 + 
  3.1981 +-	spin_unlock(&sem->wait_lock);
  3.1982 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.1983 + 
  3.1984 + 	rwsemtrace(sem, "Leaving rwsem_wake");
  3.1985 + 
  3.1986 +@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
  3.1987 +  */
  3.1988 + struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
  3.1989 + {
  3.1990 ++	unsigned long flags;
  3.1991 ++
  3.1992 + 	rwsemtrace(sem, "Entering rwsem_downgrade_wake");
  3.1993 + 
  3.1994 +-	spin_lock(&sem->wait_lock);
  3.1995 ++	spin_lock_irqsave(&sem->wait_lock, flags);
  3.1996 + 
  3.1997 + 	/* do nothing if list empty */
  3.1998 + 	if (!list_empty(&sem->wait_list))
  3.1999 + 		sem = __rwsem_do_wake(sem, 1);
  3.2000 + 
  3.2001 +-	spin_unlock(&sem->wait_lock);
  3.2002 ++	spin_unlock_irqrestore(&sem->wait_lock, flags);
  3.2003 + 
  3.2004 + 	rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
  3.2005 + 	return sem;
  3.2006 +diff --git a/mm/mmap.c b/mm/mmap.c
  3.2007 +--- a/mm/mmap.c
  3.2008 ++++ b/mm/mmap.c
  3.2009 +@@ -1315,37 +1315,40 @@ unsigned long
  3.2010 + get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
  3.2011 + 		unsigned long pgoff, unsigned long flags)
  3.2012 + {
  3.2013 +-	if (flags & MAP_FIXED) {
  3.2014 +-		unsigned long ret;
  3.2015 ++	unsigned long ret;
  3.2016 + 
  3.2017 +-		if (addr > TASK_SIZE - len)
  3.2018 +-			return -ENOMEM;
  3.2019 +-		if (addr & ~PAGE_MASK)
  3.2020 +-			return -EINVAL;
  3.2021 +-		if (file && is_file_hugepages(file))  {
  3.2022 +-			/*
  3.2023 +-			 * Check if the given range is hugepage aligned, and
  3.2024 +-			 * can be made suitable for hugepages.
  3.2025 +-			 */
  3.2026 +-			ret = prepare_hugepage_range(addr, len);
  3.2027 +-		} else {
  3.2028 +-			/*
  3.2029 +-			 * Ensure that a normal request is not falling in a
  3.2030 +-			 * reserved hugepage range.  For some archs like IA-64,
  3.2031 +-			 * there is a separate region for hugepages.
  3.2032 +-			 */
  3.2033 +-			ret = is_hugepage_only_range(addr, len);
  3.2034 +-		}
  3.2035 +-		if (ret)
  3.2036 +-			return -EINVAL;
  3.2037 +-		return addr;
  3.2038 +-	}
  3.2039 ++	if (!(flags & MAP_FIXED)) {
  3.2040 ++		unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
  3.2041 + 
  3.2042 +-	if (file && file->f_op && file->f_op->get_unmapped_area)
  3.2043 +-		return file->f_op->get_unmapped_area(file, addr, len,
  3.2044 +-						pgoff, flags);
  3.2045 ++		get_area = current->mm->get_unmapped_area;
  3.2046 ++		if (file && file->f_op && file->f_op->get_unmapped_area)
  3.2047 ++			get_area = file->f_op->get_unmapped_area;
  3.2048 ++		addr = get_area(file, addr, len, pgoff, flags);
  3.2049 ++		if (IS_ERR_VALUE(addr))
  3.2050 ++			return addr;
  3.2051 ++	}
  3.2052 + 
  3.2053 +-	return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
  3.2054 ++	if (addr > TASK_SIZE - len)
  3.2055 ++		return -ENOMEM;
  3.2056 ++	if (addr & ~PAGE_MASK)
  3.2057 ++		return -EINVAL;
  3.2058 ++	if (file && is_file_hugepages(file))  {
  3.2059 ++		/*
  3.2060 ++		 * Check if the given range is hugepage aligned, and
  3.2061 ++		 * can be made suitable for hugepages.
  3.2062 ++		 */
  3.2063 ++		ret = prepare_hugepage_range(addr, len);
  3.2064 ++	} else {
  3.2065 ++		/*
  3.2066 ++		 * Ensure that a normal request is not falling in a
  3.2067 ++		 * reserved hugepage range.  For some archs like IA-64,
  3.2068 ++		 * there is a separate region for hugepages.
  3.2069 ++		 */
  3.2070 ++		ret = is_hugepage_only_range(addr, len);
  3.2071 ++	}
  3.2072 ++	if (ret)
  3.2073 ++		return -EINVAL;
  3.2074 ++	return addr;
  3.2075 + }
  3.2076 + 
  3.2077 + EXPORT_SYMBOL(get_unmapped_area);
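Review bot: `addr > TASK_SIZE - len` wraps when `len` exceeds `TASK_SIZE`, because both operands are `unsigned long`. After this change it is the only range check applied to addresses returned by `file->f_op->get_unmapped_area`. Unless every caller already rejects such a length (not visible in this hunk), add `if (len > TASK_SIZE) return -ENOMEM;` ahead of the comparison. The function also deserves a short header comment saying that results from both the mm-level and the file-level allocator are now validated here, since that is the behavioural change.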
  3.2078 +diff --git a/mm/rmap.c b/mm/rmap.c
  3.2079 +--- a/mm/rmap.c
  3.2080 ++++ b/mm/rmap.c
  3.2081 +@@ -641,7 +641,7 @@ static void try_to_unmap_cluster(unsigne
  3.2082 + 	pgd_t *pgd;
  3.2083 + 	pud_t *pud;
  3.2084 + 	pmd_t *pmd;
  3.2085 +-	pte_t *pte;
  3.2086 ++	pte_t *pte, *original_pte;
  3.2087 + 	pte_t pteval;
  3.2088 + 	struct page *page;
  3.2089 + 	unsigned long address;
  3.2090 +@@ -673,7 +673,7 @@ static void try_to_unmap_cluster(unsigne
  3.2091 + 	if (!pmd_present(*pmd))
  3.2092 + 		goto out_unlock;
  3.2093 + 
  3.2094 +-	for (pte = pte_offset_map(pmd, address);
  3.2095 ++	for (original_pte = pte = pte_offset_map(pmd, address);
  3.2096 + 			address < end; pte++, address += PAGE_SIZE) {
  3.2097 + 
  3.2098 + 		if (!pte_present(*pte))
  3.2099 +@@ -710,7 +710,7 @@ static void try_to_unmap_cluster(unsigne
  3.2100 + 		(*mapcount)--;
  3.2101 + 	}
  3.2102 + 
  3.2103 +-	pte_unmap(pte);
  3.2104 ++	pte_unmap(original_pte);
  3.2105 + 
  3.2106 + out_unlock:
  3.2107 + 	spin_unlock(&mm->page_table_lock);
  3.2108 +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
  3.2109 +--- a/net/bluetooth/af_bluetooth.c
  3.2110 ++++ b/net/bluetooth/af_bluetooth.c
  3.2111 +@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
  3.2112 + 
  3.2113 + int bt_sock_register(int proto, struct net_proto_family *ops)
  3.2114 + {
  3.2115 +-	if (proto >= BT_MAX_PROTO)
  3.2116 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.2117 + 		return -EINVAL;
  3.2118 + 
  3.2119 + 	if (bt_proto[proto])
  3.2120 +@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
  3.2121 + 
  3.2122 + int bt_sock_unregister(int proto)
  3.2123 + {
  3.2124 +-	if (proto >= BT_MAX_PROTO)
  3.2125 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.2126 + 		return -EINVAL;
  3.2127 + 
  3.2128 + 	if (!bt_proto[proto])
  3.2129 +@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket 
  3.2130 + {
  3.2131 + 	int err = 0;
  3.2132 + 
  3.2133 +-	if (proto >= BT_MAX_PROTO)
  3.2134 ++	if (proto < 0 || proto >= BT_MAX_PROTO)
  3.2135 + 		return -EINVAL;
  3.2136 + 
  3.2137 + #if defined(CONFIG_KMOD)
  3.2138 +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
  3.2139 +--- a/net/bridge/br_input.c
  3.2140 ++++ b/net/bridge/br_input.c
  3.2141 +@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
  3.2142 + 	struct net_bridge_fdb_entry *dst;
  3.2143 + 	int passedup = 0;
  3.2144 + 
  3.2145 ++	/* insert into forwarding database after filtering to avoid spoofing */
  3.2146 ++	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
  3.2147 ++
  3.2148 + 	if (br->dev->flags & IFF_PROMISC) {
  3.2149 + 		struct sk_buff *skb2;
  3.2150 + 
  3.2151 +@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
  3.2152 + 	if (eth_hdr(skb)->h_source[0] & 1)
  3.2153 + 		goto err;
  3.2154 + 
  3.2155 +-	if (p->state == BR_STATE_LEARNING ||
  3.2156 +-	    p->state == BR_STATE_FORWARDING)
  3.2157 ++	if (p->state == BR_STATE_LEARNING)
  3.2158 + 		br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
  3.2159 + 
  3.2160 + 	if (p->br->stp_enabled &&
  3.2161 +diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
  3.2162 +--- a/net/bridge/br_stp_bpdu.c
  3.2163 ++++ b/net/bridge/br_stp_bpdu.c
  3.2164 +@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
  3.2165 + 	struct net_bridge *br = p->br;
  3.2166 + 	unsigned char *buf;
  3.2167 + 
  3.2168 ++	/* insert into forwarding database after filtering to avoid spoofing */
  3.2169 ++	br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
  3.2170 ++
  3.2171 + 	/* need at least the 802 and STP headers */
  3.2172 + 	if (!pskb_may_pull(skb, sizeof(header)+1) ||
  3.2173 + 	    memcmp(skb->data, header, sizeof(header)))
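Review bot: The new `br_fdb_insert()` call at the top of br_stp_handle_bpdu has no port-state condition, whereas the call in br_handle_frame was guarded by `BR_STATE_LEARNING || BR_STATE_FORWARDING` before this patch narrowed it. Unless a caller outside this hunk already filters on state, a BPDU arriving on a port in any other state now teaches the bridge its source address, and it does so before the header check on the following lines has accepted the frame. If that is not intended, put `if (p->state == BR_STATE_LEARNING || p->state == BR_STATE_FORWARDING)` in front of the insert. The call can also use the local `br` declared a few lines above instead of `p->br`. The same unconditional insert is added to br_handle_frame_finish in the br_input.c hunk.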
  3.2174 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
  3.2175 +--- a/net/bridge/netfilter/ebtables.c
  3.2176 ++++ b/net/bridge/netfilter/ebtables.c
  3.2177 +@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 
  3.2178 + 	struct ebt_chainstack *cs;
  3.2179 + 	struct ebt_entries *chaininfo;
  3.2180 + 	char *base;
  3.2181 +-	struct ebt_table_info *private = table->private;
  3.2182 ++	struct ebt_table_info *private;
  3.2183 + 
  3.2184 + 	read_lock_bh(&table->lock);
  3.2185 ++	private = table->private;
  3.2186 + 	cb_base = COUNTER_BASE(private->counters, private->nentries,
  3.2187 + 	   smp_processor_id());
  3.2188 + 	if (private->chainstack)
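Review bot: The reason `private = table->private;` now sits below `read_lock_bh()` is not recorded anywhere in ebt_do_table, and a declaration with an initializer is the natural thing for a later cleanup to restore. A one-line comment on the assignment would pin it, for example `/* table->private must only be read with table->lock held */`. I am inferring that the pointer can be swapped by a table update, since the writer side is not in this hunk. The function body continues past the hunk.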
  3.2189 +diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
  3.2190 +--- a/net/ipv4/fib_hash.c
  3.2191 ++++ b/net/ipv4/fib_hash.c
  3.2192 +@@ -919,13 +919,23 @@ out:
  3.2193 + 	return fa;
  3.2194 + }
  3.2195 + 
  3.2196 ++static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
  3.2197 ++{
  3.2198 ++	struct fib_alias *fa = fib_get_first(seq);
  3.2199 ++
  3.2200 ++	if (fa)
  3.2201 ++		while (pos && (fa = fib_get_next(seq)))
  3.2202 ++			--pos;
  3.2203 ++	return pos ? NULL : fa;
  3.2204 ++}
  3.2205 ++
  3.2206 + static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
  3.2207 + {
  3.2208 + 	void *v = NULL;
  3.2209 + 
  3.2210 + 	read_lock(&fib_hash_lock);
  3.2211 + 	if (ip_fib_main_table)
  3.2212 +-		v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
  3.2213 ++		v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
  3.2214 + 	return v;
  3.2215 + }
  3.2216 + 
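Review bot: fib_get_idx is added without a comment and with an unbraced `if` wrapping an unbraced `while`, which makes its counting contract hard to check against the `*pos - 1` passed from fib_seq_start. I would document it as `/* Return the alias pos steps after the first one, or NULL if the table ends sooner. */` and brace both statements. It is also worth a line noting that every call walks from the first entry again, so reading a large table in many chunks costs time proportional to the offset on each restart.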
  3.2217 +diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
  3.2218 +--- a/net/ipv4/netfilter/ip_queue.c
  3.2219 ++++ b/net/ipv4/netfilter/ip_queue.c
  3.2220 +@@ -3,6 +3,7 @@
  3.2221 +  * communicating with userspace via netlink.
  3.2222 +  *
  3.2223 +  * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
  3.2224 ++ * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
  3.2225 +  *
  3.2226 +  * This program is free software; you can redistribute it and/or modify
  3.2227 +  * it under the terms of the GNU General Public License version 2 as
  3.2228 +@@ -14,6 +15,7 @@
  3.2229 +  *             Zander).
  3.2230 +  * 2000-08-01: Added Nick Williams' MAC support.
  3.2231 +  * 2002-06-25: Code cleanup.
  3.2232 ++ * 2005-05-26: local_bh_{disable,enable} around nf_reinject (Harald Welte)
  3.2233 +  *
  3.2234 +  */
  3.2235 + #include <linux/module.h>
  3.2236 +@@ -66,7 +68,15 @@ static DECLARE_MUTEX(ipqnl_sem);
  3.2237 + static void
  3.2238 + ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
  3.2239 + {
  3.2240 ++	/* TCP input path (and probably other bits) assume to be called
  3.2241 ++	 * from softirq context, not from syscall, like ipq_issue_verdict is
  3.2242 ++	 * called.  TCP input path deadlocks with locks taken from timer
  3.2243 ++	 * softirq, e.g.  We therefore emulate this by local_bh_disable() */
  3.2244 ++
  3.2245 ++	local_bh_disable();
  3.2246 + 	nf_reinject(entry->skb, entry->info, verdict);
  3.2247 ++	local_bh_enable();
  3.2248 ++
  3.2249 + 	kfree(entry);
  3.2250 + }
  3.2251 + 
  3.2252 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
  3.2253 +--- a/net/ipv4/tcp_input.c
  3.2254 ++++ b/net/ipv4/tcp_input.c
  3.2255 +@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
  3.2256 + static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
  3.2257 + {
  3.2258 + 	if (tp->prior_ssthresh) {
  3.2259 +-		tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  3.2260 ++		if (tcp_is_bic(tp))
  3.2261 ++			tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
  3.2262 ++		else
  3.2263 ++			tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
  3.2264 + 
  3.2265 + 		if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
  3.2266 + 			tp->snd_ssthresh = tp->prior_ssthresh;
  3.2267 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
  3.2268 +--- a/net/ipv4/tcp_timer.c
  3.2269 ++++ b/net/ipv4/tcp_timer.c
  3.2270 +@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
  3.2271 + 
  3.2272 + #ifdef TCP_DEBUG
  3.2273 + const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
  3.2274 ++EXPORT_SYMBOL(tcp_timer_bug_msg);
  3.2275 + #endif
  3.2276 + 
  3.2277 + /*
  3.2278 +diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
  3.2279 +--- a/net/ipv4/xfrm4_output.c
  3.2280 ++++ b/net/ipv4/xfrm4_output.c
  3.2281 +@@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
  3.2282 + 			goto error_nolock;
  3.2283 + 	}
  3.2284 + 
  3.2285 +-	spin_lock_bh(&x->lock);
  3.2286 +-	err = xfrm_state_check(x, skb);
  3.2287 +-	if (err)
  3.2288 +-		goto error;
  3.2289 +-
  3.2290 + 	if (x->props.mode) {
  3.2291 + 		err = xfrm4_tunnel_check_size(skb);
  3.2292 + 		if (err)
  3.2293 +-			goto error;
  3.2294 ++			goto error_nolock;
  3.2295 + 	}
  3.2296 + 
  3.2297 ++	spin_lock_bh(&x->lock);
  3.2298 ++	err = xfrm_state_check(x, skb);
  3.2299 ++	if (err)
  3.2300 ++		goto error;
  3.2301 ++
  3.2302 + 	xfrm4_encap(skb);
  3.2303 + 
  3.2304 + 	err = x->type->output(skb);
  3.2305 +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
  3.2306 +--- a/net/ipv6/xfrm6_output.c
  3.2307 ++++ b/net/ipv6/xfrm6_output.c
  3.2308 +@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
  3.2309 + 			goto error_nolock;
  3.2310 + 	}
  3.2311 + 
  3.2312 +-	spin_lock_bh(&x->lock);
  3.2313 +-	err = xfrm_state_check(x, skb);
  3.2314 +-	if (err)
  3.2315 +-		goto error;
  3.2316 +-
  3.2317 + 	if (x->props.mode) {
  3.2318 + 		err = xfrm6_tunnel_check_size(skb);
  3.2319 + 		if (err)
  3.2320 +-			goto error;
  3.2321 ++			goto error_nolock;
  3.2322 + 	}
  3.2323 + 
  3.2324 ++	spin_lock_bh(&x->lock);
  3.2325 ++	err = xfrm_state_check(x, skb);
  3.2326 ++	if (err)
  3.2327 ++		goto error;
  3.2328 ++
  3.2329 + 	xfrm6_encap(skb);
  3.2330 + 
  3.2331 + 	err = x->type->output(skb);
  3.2332 +diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
  3.2333 +--- a/net/netrom/nr_in.c
  3.2334 ++++ b/net/netrom/nr_in.c
  3.2335 +@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
  3.2336 + static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
  3.2337 + 	int frametype)
  3.2338 + {
  3.2339 +-	bh_lock_sock(sk);
  3.2340 + 	switch (frametype) {
  3.2341 + 	case NR_CONNACK: {
  3.2342 + 		nr_cb *nr = nr_sk(sk);
  3.2343 +@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
  3.2344 + 	default:
  3.2345 + 		break;
  3.2346 + 	}
  3.2347 +-	bh_unlock_sock(sk);
  3.2348 +-
  3.2349 + 	return 0;
  3.2350 + }
  3.2351 + 
  3.2352 +@@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
  3.2353 + static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
  3.2354 + 	int frametype)
  3.2355 + {
  3.2356 +-	bh_lock_sock(sk);
  3.2357 + 	switch (frametype) {
  3.2358 + 	case NR_CONNACK | NR_CHOKE_FLAG:
  3.2359 + 		nr_disconnect(sk, ECONNRESET);
  3.2360 +@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
  3.2361 + 	default:
  3.2362 + 		break;
  3.2363 + 	}
  3.2364 +-	bh_unlock_sock(sk);
  3.2365 +-
  3.2366 + 	return 0;
  3.2367 + }
  3.2368 + 
  3.2369 +@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
  3.2370 + 	nr = skb->data[18];
  3.2371 + 	ns = skb->data[17];
  3.2372 + 
  3.2373 +-	bh_lock_sock(sk);
  3.2374 + 	switch (frametype) {
  3.2375 + 	case NR_CONNREQ:
  3.2376 + 		nr_write_internal(sk, NR_CONNACK);
  3.2377 +@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
  3.2378 + 	default:
  3.2379 + 		break;
  3.2380 + 	}
  3.2381 +-	bh_unlock_sock(sk);
  3.2382 +-
  3.2383 + 	return queued;
  3.2384 + }
  3.2385 + 
  3.2386 +diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
  3.2387 +--- a/net/rose/rose_route.c
  3.2388 ++++ b/net/rose/rose_route.c
  3.2389 +@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
  3.2390 + 		}
  3.2391 + 		if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
  3.2392 + 			return -EINVAL;
  3.2393 +-
  3.2394 ++		if (rose_route.ndigis > 8) /* No more than 8 digipeats */
  3.2395 ++			return -EINVAL;
  3.2396 + 		err = rose_add_node(&rose_route, dev);
  3.2397 + 		dev_put(dev);
  3.2398 + 		return err;
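Review bot: The added `return -EINVAL;` for `rose_route.ndigis > 8` leaves the function without the `dev_put(dev)` that the success path performs two lines later, and the existing mask check just above has the same shape. `dev` is obtained outside this hunk (rose_rt_ioctl starts and ends beyond it), so I am assuming it holds a device reference at this point; if it does, each rejected request leaks one. The check should release it first: `if (rose_route.ndigis > 8) { dev_put(dev); return -EINVAL; }`, and likewise for the mask test. A named constant in place of the literal 8 would also make clear which buffer the bound belongs to.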
  3.2399 +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
  3.2400 +--- a/net/sched/sch_netem.c
  3.2401 ++++ b/net/sched/sch_netem.c
  3.2402 +@@ -184,10 +184,15 @@ static int netem_enqueue(struct sk_buff 
  3.2403 + 	/* Random duplication */
  3.2404 + 	if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor)) {
  3.2405 + 		struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
  3.2406 +-
  3.2407 +-		pr_debug("netem_enqueue: dup %p\n", skb2);
  3.2408 +-		if (skb2)
  3.2409 +-			delay_skb(sch, skb2);
  3.2410 ++		if (skb2) {
  3.2411 ++			struct Qdisc *rootq = sch->dev->qdisc;
  3.2412 ++			u32 dupsave = q->duplicate;
  3.2413 ++
  3.2414 ++			/* prevent duplicating a dup... */
  3.2415 ++			q->duplicate = 0;
  3.2416 ++			rootq->enqueue(skb2, rootq);
  3.2417 ++			q->duplicate = dupsave;
  3.2418 ++		}
  3.2419 + 	}
  3.2420 + 
  3.2421 + 	/* If doing simple delay then gap == 0 so all packets
  3.2422 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
  3.2423 +--- a/net/xfrm/xfrm_state.c
  3.2424 ++++ b/net/xfrm/xfrm_state.c
  3.2425 +@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
  3.2426 + 
  3.2427 + 	for (i = 0; i < XFRM_DST_HSIZE; i++) {
  3.2428 + 		list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
  3.2429 +-			if (x->km.seq == seq) {
  3.2430 ++			if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
  3.2431 + 				xfrm_state_hold(x);
  3.2432 + 				return x;
  3.2433 + 			}
  3.2434 +diff --git a/security/keys/key.c b/security/keys/key.c
  3.2435 +--- a/security/keys/key.c
  3.2436 ++++ b/security/keys/key.c
  3.2437 +@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
  3.2438 + {
  3.2439 + 	struct key_user *candidate = NULL, *user;
  3.2440 + 	struct rb_node *parent = NULL;
  3.2441 +-	struct rb_node **p = &key_user_tree.rb_node;
  3.2442 ++	struct rb_node **p;
  3.2443 + 
  3.2444 +  try_again:
  3.2445 ++	p = &key_user_tree.rb_node;
  3.2446 + 	spin_lock(&key_user_lock);
  3.2447 + 
  3.2448 + 	/* search the tree for a user record with a matching UID */
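Review bot: The assignment `p = &key_user_tree.rb_node;` was moved below the `try_again:` label without a comment, so the reason it must not be folded back into the declaration is invisible. Something like `/* restart the search from the root on every pass through try_again */` on that line would record it. key_user_lookup continues outside the hunk, so the jump back to the label is not visible here.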
  3.2449 +diff --git a/sound/core/timer.c b/sound/core/timer.c
  3.2450 +--- a/sound/core/timer.c
  3.2451 ++++ b/sound/core/timer.c
  3.2452 +@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
  3.2453 + 	if (tu->qused >= tu->queue_size) {
  3.2454 + 		tu->overrun++;
  3.2455 + 	} else {
  3.2456 +-		memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
  3.2457 ++		memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
  3.2458 ++		tu->qtail %= tu->queue_size;
  3.2459 + 		tu->qused++;
  3.2460 + 	}
  3.2461 + }
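Review bot: In the new `else` branch the index is post-incremented inside the `memcpy()` argument and only brought back into range on the following line, so for one statement `tu->qtail` can equal `tu->queue_size`. That is harmless only as long as nothing else reads `qtail` in between; the lock that would guarantee this is taken by the caller in the next hunk rather than here. Writing it as `memcpy(&tu->tqueue[tu->qtail], tread, sizeof(*tread));` followed by `tu->qtail = (tu->qtail + 1) % tu->queue_size;` keeps the index in range at every step. A comment on the function stating that `tu->qlock` must be held would document the dependency.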
  3.2462 +@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
  3.2463 + 	spin_lock(&tu->qlock);
  3.2464 + 	snd_timer_user_append_to_tqueue(tu, &r1);
  3.2465 + 	spin_unlock(&tu->qlock);
  3.2466 ++	kill_fasync(&tu->fasync, SIGIO, POLL_IN);
  3.2467 ++	wake_up(&tu->qchange_sleep);
  3.2468 + }
  3.2469 + 
  3.2470 + static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
  3.2471 +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
  3.2472 +--- a/sound/pci/ac97/ac97_codec.c
  3.2473 ++++ b/sound/pci/ac97/ac97_codec.c
  3.2474 +@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
  3.2475 + /*
  3.2476 +  * create mute switch(es) for normal stereo controls
  3.2477 +  */
  3.2478 +-static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
  3.2479 ++static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
  3.2480 + {
  3.2481 + 	snd_kcontrol_t *kctl;
  3.2482 + 	int err;
  3.2483 +@@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
  3.2484 + 
  3.2485 + 	mute_mask = 0x8000;
  3.2486 + 	val = snd_ac97_read(ac97, reg);
  3.2487 +-	if (ac97->flags & AC97_STEREO_MUTES) {
  3.2488 ++	if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
  3.2489 + 		/* check whether both mute bits work */
  3.2490 + 		val1 = val | 0x8080;
  3.2491 + 		snd_ac97_write(ac97, reg, val1);
  3.2492 +@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t 
  3.2493 + /*
  3.2494 +  * create a mute-switch and a volume for normal stereo/mono controls
  3.2495 +  */
  3.2496 +-static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
  3.2497 ++static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
  3.2498 + {
  3.2499 + 	int err;
  3.2500 + 	char name[44];
  3.2501 +@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t 
  3.2502 + 
  3.2503 + 	if (snd_ac97_try_bit(ac97, reg, 15)) {
  3.2504 + 		sprintf(name, "%s Switch", pfx);
  3.2505 +-		if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
  3.2506 ++		if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
  3.2507 + 			return err;
  3.2508 + 	}
  3.2509 + 	check_volume_resolution(ac97, reg, &lo_max, &hi_max);
  3.2510 +@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t 
  3.2511 + 	return 0;
  3.2512 + }
  3.2513 + 
  3.2514 ++#define snd_ac97_cmix_new(card, pfx, reg, ac97)	snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
  3.2515 ++#define snd_ac97_cmute_new(card, name, reg, ac97)	snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
  3.2516 + 
  3.2517 + static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
  3.2518 + 
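Review bot: The two compatibility wrappers added here are function-like macros that paste their arguments unparenthesised and bypass type checking for every existing caller of snd_ac97_cmix_new and snd_ac97_cmute_new. Since both only forward to the new `_stereo` functions with `check_stereo` fixed at 0, `static inline` functions do the same job and keep the old prototypes checked by the compiler. A short comment on what 0 means would also explain the extra parameter, which is otherwise undocumented.

```c
/* check_stereo == 0: probe both mute bits only when AC97_STEREO_MUTES is set */
static inline int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
{
	return snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97);
}

static inline int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
{
	return snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97);
}
```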
  3.2519 +@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
  3.2520 + 
  3.2521 + 	/* build surround controls */
  3.2522 + 	if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
  3.2523 +-		if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
  3.2524 ++		/* Surround Master (0x38) is with stereo mutes */
  3.2525 ++		if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
  3.2526 + 			return err;
  3.2527 + 	}
  3.2528 + 
  3.2529 +diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
  3.2530 +--- a/sound/usb/usbaudio.c
  3.2531 ++++ b/sound/usb/usbaudio.c
  3.2532 +@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
  3.2533 + 		}
  3.2534 + 		usb_chip[chip->index] = NULL;
  3.2535 + 		up(&register_mutex);
  3.2536 +-		snd_card_free_in_thread(card);
  3.2537 ++		snd_card_free(card);
  3.2538 + 	} else {
  3.2539 + 		up(&register_mutex);
  3.2540 + 	}
  3.2541 +diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
  3.2542 +--- a/sound/usb/usx2y/usbusx2y.c
  3.2543 ++++ b/sound/usb/usx2y/usbusx2y.c
  3.2544 +@@ -1,6 +1,11 @@
  3.2545 + /*
  3.2546 +  * usbusy2y.c - ALSA USB US-428 Driver
  3.2547 +  *
  3.2548 ++2005-04-14 Karsten Wiese
  3.2549 ++	Version 0.8.7.2:
  3.2550 ++	Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
  3.2551 ++	Tested ok with kernel 2.6.12-rc2.
  3.2552 ++
  3.2553 + 2004-12-14 Karsten Wiese
  3.2554 + 	Version 0.8.7.1:
  3.2555 + 	snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
  3.2556 +@@ -143,7 +148,7 @@
  3.2557 + 
  3.2558 + 
  3.2559 + MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
  3.2560 +-MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
  3.2561 ++MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
  3.2562 + MODULE_LICENSE("GPL");
  3.2563 + MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
  3.2564 + 
  3.2565 +@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct 
  3.2566 + 	if (ptr) {
  3.2567 + 		usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
  3.2568 + 		struct list_head* p;
  3.2569 +-		if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP)	// on 2.6.1 kernel snd_usbmidi_disconnect()
  3.2570 +-			return;					// calls us back. better leave :-) .
  3.2571 + 		usX2Y->chip.shutdown = 1;
  3.2572 + 		usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
  3.2573 + 		usX2Y_unlinkSeq(&usX2Y->AS04);
  3.2574 +@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct 
  3.2575 + 		}
  3.2576 + 		if (usX2Y->us428ctls_sharedmem) 
  3.2577 + 			wake_up(&usX2Y->us428ctls_wait_queue_head);
  3.2578 +-		snd_card_free_in_thread((snd_card_t*)ptr);
  3.2579 ++		snd_card_free((snd_card_t*)ptr);
  3.2580 + 	}
  3.2581 + }
  3.2582 +