ia64/xen-unstable
changeset 5440:5a5f81b0e950
bitkeeper revision 1.1159.258.167 (42ad874eIWwyPd8tmJO5tkGQ2JoYXQ)
Upgrade to linux patch 2.6.11.12
Signed-off-by: ian@xensource.com
Upgrade to linux patch 2.6.11.12
Signed-off-by: ian@xensource.com
author | iap10@freefall.cl.cam.ac.uk |
---|---|
date | Mon Jun 13 13:17:02 2005 +0000 (2005-06-13) |
parents | 58658b628754 |
children | aa643d3d2742 2f99f3e3c506 |
files | .rootkeys patches/linux-2.6.11/linux-2.6.11.11.patch patches/linux-2.6.11/linux-2.6.11.12.patch |
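--- a/.rootkeys
+++ b/.rootkeys
@@ -368,7 +368,7 @@ 422e4430-gOD358H8nGGnNWes08Nng netbsd-2.
 413cb3b53nyOv1OIeDSsCXhBFDXvJA netbsd-2.0-xen-sparse/sys/nfs/files.nfs
 413aa1d0oNP8HXLvfPuMe6cSroUfSA patches/linux-2.6.11/agpgart.patch
 42372652KCUP-IOH9RN19YQmGhs4aA patches/linux-2.6.11/iomap.patch
-428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.11.patch
+428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.12.patch
 418abc69J3F638vPO9MYoDGeYilxoQ patches/linux-2.6.11/nettel.patch
 429ae875I9ZrqrRDjGD34IC2kzDREw patches/linux-2.6.11/rcu-nohz.patch
 429ba3007184K-y6WHQ6KgY65-lEIQ patches/linux-2.6.11/udp-frag.patch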
2.1 --- a/patches/linux-2.6.11/linux-2.6.11.11.patch Fri Jun 10 16:15:35 2005 +0000 2.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 2.3 
@@ -1,2304 +0,0 @@ 2.4 -diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs 2.5 -new file mode 100644 2.6 ---- /dev/null 2.7 -+++ b/Documentation/SecurityBugs 2.8 -@@ -0,0 +1,38 @@ 2.9 -+Linux kernel developers take security very seriously. As such, we'd 2.10 -+like to know when a security bug is found so that it can be fixed and 2.11 -+disclosed as quickly as possible. Please report security bugs to the 2.12 -+Linux kernel security team. 2.13 -+ 2.14 -+1) Contact 2.15 -+ 2.16 -+The Linux kernel security team can be contacted by email at 2.17 -+<security@kernel.org>. This is a private list of security officers 2.18 -+who will help verify the bug report and develop and release a fix. 2.19 -+It is possible that the security team will bring in extra help from 2.20 -+area maintainers to understand and fix the security vulnerability. 2.21 -+ 2.22 -+As it is with any bug, the more information provided the easier it 2.23 -+will be to diagnose and fix. Please review the procedure outlined in 2.24 -+REPORTING-BUGS if you are unclear about what information is helpful. 2.25 -+Any exploit code is very helpful and will not be released without 2.26 -+consent from the reporter unless it has already been made public. 2.27 -+ 2.28 -+2) Disclosure 2.29 -+ 2.30 -+The goal of the Linux kernel security team is to work with the 2.31 -+bug submitter to bug resolution as well as disclosure. We prefer 2.32 -+to fully disclose the bug as soon as possible. It is reasonable to 2.33 -+delay disclosure when the bug or the fix is not yet fully understood, 2.34 -+the solution is not well-tested or for vendor coordination. However, we 2.35 -+expect these delays to be short, measurable in days, not weeks or months. 2.36 -+A disclosure date is negotiated by the security team working with the 2.37 -+bug submitter as well as vendors. However, the kernel security team 2.38 -+holds the final say when setting a disclosure date. The timeframe for 2.39 -+disclosure is from immediate (esp. 
if it's already publically known) 2.40 -+to a few weeks. As a basic default policy, we expect report date to 2.41 -+disclosure date to be on the order of 7 days. 2.42 -+ 2.43 -+3) Non-disclosure agreements 2.44 -+ 2.45 -+The Linux kernel security team is not a formal body and therefore unable 2.46 -+to enter any non-disclosure agreements. 2.47 -diff --git a/MAINTAINERS b/MAINTAINERS 2.48 ---- a/MAINTAINERS 2.49 -+++ b/MAINTAINERS 2.50 -@@ -1966,6 +1966,11 @@ M: christer@weinigel.se 2.51 - W: http://www.weinigel.se 2.52 - S: Supported 2.53 - 2.54 -+SECURITY CONTACT 2.55 -+P: Security Officers 2.56 -+M: security@kernel.org 2.57 -+S: Supported 2.58 -+ 2.59 - SELINUX SECURITY MODULE 2.60 - P: Stephen Smalley 2.61 - M: sds@epoch.ncsc.mil 2.62 -diff --git a/Makefile b/Makefile 2.63 ---- a/Makefile 2.64 -+++ b/Makefile 2.65 -@@ -1,8 +1,8 @@ 2.66 - VERSION = 2 2.67 - PATCHLEVEL = 6 2.68 - SUBLEVEL = 11 2.69 --EXTRAVERSION = 2.70 --NAME=Woozy Numbat 2.71 -+EXTRAVERSION = .11 2.72 -+NAME=Woozy Beaver 2.73 - 2.74 - # *DOCUMENTATION* 2.75 - # To see a list of typical targets execute "make help" 2.76 -diff --git a/REPORTING-BUGS b/REPORTING-BUGS 2.77 ---- a/REPORTING-BUGS 2.78 -+++ b/REPORTING-BUGS 2.79 -@@ -16,6 +16,10 @@ code relevant to what you were doing. If 2.80 - describe how to recreate it. That is worth even more than the oops itself. 2.81 - The list of maintainers is in the MAINTAINERS file in this directory. 2.82 - 2.83 -+ If it is a security bug, please copy the Security Contact listed 2.84 -+in the MAINTAINERS file. They can help coordinate bugfix and disclosure. 2.85 -+See Documentation/SecurityBugs for more infomation. 2.86 -+ 2.87 - If you are totally stumped as to whom to send the report, send it to 2.88 - linux-kernel@vger.kernel.org. (For more information on the linux-kernel 2.89 - mailing list see http://www.tux.org/lkml/). 
2.90 -diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S 2.91 ---- a/arch/ia64/kernel/fsys.S 2.92 -+++ b/arch/ia64/kernel/fsys.S 2.93 -@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down) 2.94 - movl r2=ia64_ret_from_syscall 2.95 - ;; 2.96 - mov rp=r2 // set the real return addr 2.97 -- tbit.z p8,p0=r3,TIF_SYSCALL_TRACE 2.98 -+ and r3=_TIF_SYSCALL_TRACEAUDIT,r3 2.99 - ;; 2.100 -+ cmp.eq p8,p0=r3,r0 2.101 -+ 2.102 - (p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8 2.103 - (p8) br.call.sptk.many b6=b6 // ignore this return addr 2.104 - br.cond.sptk ia64_trace_syscall 2.105 -diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c 2.106 ---- a/arch/ia64/kernel/signal.c 2.107 -+++ b/arch/ia64/kernel/signal.c 2.108 -@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc 2.109 - * could be corrupted. 2.110 - */ 2.111 - retval = (long) &ia64_leave_kernel; 2.112 -- if (test_thread_flag(TIF_SYSCALL_TRACE)) 2.113 -+ if (test_thread_flag(TIF_SYSCALL_TRACE) 2.114 -+ || test_thread_flag(TIF_SYSCALL_AUDIT)) 2.115 - /* 2.116 - * strace expects to be notified after sigreturn returns even though the 2.117 - * context to which we return may not be in the middle of a syscall. 
2.118 -diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c 2.119 ---- a/arch/ppc/oprofile/op_model_fsl_booke.c 2.120 -+++ b/arch/ppc/oprofile/op_model_fsl_booke.c 2.121 -@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s 2.122 - int is_kernel; 2.123 - int val; 2.124 - int i; 2.125 -- unsigned int cpu = smp_processor_id(); 2.126 - 2.127 - /* set the PMM bit (see comment below) */ 2.128 - mtmsr(mfmsr() | MSR_PMM); 2.129 -@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s 2.130 - val = ctr_read(i); 2.131 - if (val < 0) { 2.132 - if (oprofile_running && ctr[i].enabled) { 2.133 -- oprofile_add_sample(pc, is_kernel, i, cpu); 2.134 -+ oprofile_add_pc(pc, is_kernel, i); 2.135 - ctr_write(i, reset_value[i]); 2.136 - } else { 2.137 - ctr_write(i, 0); 2.138 -diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h 2.139 ---- a/arch/ppc/platforms/4xx/ebony.h 2.140 -+++ b/arch/ppc/platforms/4xx/ebony.h 2.141 -@@ -61,8 +61,8 @@ 2.142 - */ 2.143 - 2.144 - /* OpenBIOS defined UART mappings, used before early_serial_setup */ 2.145 --#define UART0_IO_BASE (u8 *) 0xE0000200 2.146 --#define UART1_IO_BASE (u8 *) 0xE0000300 2.147 -+#define UART0_IO_BASE 0xE0000200 2.148 -+#define UART1_IO_BASE 0xE0000300 2.149 - 2.150 - /* external Epson SG-615P */ 2.151 - #define BASE_BAUD 691200 2.152 -diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h 2.153 ---- a/arch/ppc/platforms/4xx/luan.h 2.154 -+++ b/arch/ppc/platforms/4xx/luan.h 2.155 -@@ -47,9 +47,9 @@ 2.156 - #define RS_TABLE_SIZE 3 2.157 - 2.158 - /* PIBS defined UART mappings, used before early_serial_setup */ 2.159 --#define UART0_IO_BASE (u8 *) 0xa0000200 2.160 --#define UART1_IO_BASE (u8 *) 0xa0000300 2.161 --#define UART2_IO_BASE (u8 *) 0xa0000600 2.162 -+#define UART0_IO_BASE 0xa0000200 2.163 -+#define UART1_IO_BASE 0xa0000300 2.164 -+#define UART2_IO_BASE 0xa0000600 2.165 - 2.166 - #define BASE_BAUD 11059200 2.167 - #define 
STD_UART_OP(num) \ 2.168 -diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h 2.169 ---- a/arch/ppc/platforms/4xx/ocotea.h 2.170 -+++ b/arch/ppc/platforms/4xx/ocotea.h 2.171 -@@ -56,8 +56,8 @@ 2.172 - #define RS_TABLE_SIZE 2 2.173 - 2.174 - /* OpenBIOS defined UART mappings, used before early_serial_setup */ 2.175 --#define UART0_IO_BASE (u8 *) 0xE0000200 2.176 --#define UART1_IO_BASE (u8 *) 0xE0000300 2.177 -+#define UART0_IO_BASE 0xE0000200 2.178 -+#define UART1_IO_BASE 0xE0000300 2.179 - 2.180 - #define BASE_BAUD 11059200/16 2.181 - #define STD_UART_OP(num) \ 2.182 -diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c 2.183 ---- a/arch/ppc64/kernel/pSeries_iommu.c 2.184 -+++ b/arch/ppc64/kernel/pSeries_iommu.c 2.185 -@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st 2.186 - struct device_node *dn, *pdn; 2.187 - unsigned int *dma_window = NULL; 2.188 - 2.189 -+ DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self); 2.190 -+ 2.191 - dn = pci_bus_to_OF_node(bus); 2.192 - 2.193 - /* Find nearest ibm,dma-window, walking up the device tree */ 2.194 -@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru 2.195 - } 2.196 - } 2.197 - 2.198 -+static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev) 2.199 -+{ 2.200 -+ struct device_node *pdn, *dn; 2.201 -+ struct iommu_table *tbl; 2.202 -+ int *dma_window = NULL; 2.203 -+ 2.204 -+ DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name); 2.205 -+ 2.206 -+ /* dev setup for LPAR is a little tricky, since the device tree might 2.207 -+ * contain the dma-window properties per-device and not neccesarily 2.208 -+ * for the bus. So we need to search upwards in the tree until we 2.209 -+ * either hit a dma-window property, OR find a parent with a table 2.210 -+ * already allocated. 
2.211 -+ */ 2.212 -+ dn = pci_device_to_OF_node(dev); 2.213 -+ 2.214 -+ for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) { 2.215 -+ dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL); 2.216 -+ if (dma_window) 2.217 -+ break; 2.218 -+ } 2.219 -+ 2.220 -+ /* Check for parent == NULL so we don't try to setup the empty EADS 2.221 -+ * slots on POWER4 machines. 2.222 -+ */ 2.223 -+ if (dma_window == NULL || pdn->parent == NULL) { 2.224 -+ /* Fall back to regular (non-LPAR) dev setup */ 2.225 -+ DBG("No dma window for device, falling back to regular setup\n"); 2.226 -+ iommu_dev_setup_pSeries(dev); 2.227 -+ return; 2.228 -+ } else { 2.229 -+ DBG("Found DMA window, allocating table\n"); 2.230 -+ } 2.231 -+ 2.232 -+ if (!pdn->iommu_table) { 2.233 -+ /* iommu_table_setparms_lpar needs bussubno. */ 2.234 -+ pdn->bussubno = pdn->phb->bus->number; 2.235 -+ 2.236 -+ tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table), 2.237 -+ GFP_KERNEL); 2.238 -+ 2.239 -+ iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window); 2.240 -+ 2.241 -+ pdn->iommu_table = iommu_init_table(tbl); 2.242 -+ } 2.243 -+ 2.244 -+ if (pdn != dn) 2.245 -+ dn->iommu_table = pdn->iommu_table; 2.246 -+} 2.247 -+ 2.248 - static void iommu_bus_setup_null(struct pci_bus *b) { } 2.249 - static void iommu_dev_setup_null(struct pci_dev *d) { } 2.250 - 2.251 -@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void) 2.252 - ppc_md.tce_free = tce_free_pSeriesLP; 2.253 - } 2.254 - ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP; 2.255 -+ ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP; 2.256 - } else { 2.257 - ppc_md.tce_build = tce_build_pSeries; 2.258 - ppc_md.tce_free = tce_free_pSeries; 2.259 - ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries; 2.260 -+ ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries; 2.261 - } 2.262 - 2.263 -- ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries; 2.264 - 2.265 - pci_iommu_init(); 2.266 - } 2.267 -diff --git a/arch/sparc/kernel/ptrace.c 
b/arch/sparc/kernel/ptrace.c 2.268 ---- a/arch/sparc/kernel/ptrace.c 2.269 -+++ b/arch/sparc/kernel/ptrace.c 2.270 -@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs 2.271 - pt_error_return(regs, EIO); 2.272 - goto out_tsk; 2.273 - } 2.274 -- if (addr != 1) { 2.275 -- if (addr & 3) { 2.276 -- pt_error_return(regs, EINVAL); 2.277 -- goto out_tsk; 2.278 -- } 2.279 --#ifdef DEBUG_PTRACE 2.280 -- printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc); 2.281 -- printk ("Continuing with %08lx %08lx\n", addr, addr+4); 2.282 --#endif 2.283 -- child->thread.kregs->pc = addr; 2.284 -- child->thread.kregs->npc = addr + 4; 2.285 -- } 2.286 - 2.287 - if (request == PTRACE_SYSCALL) 2.288 - set_tsk_thread_flag(child, TIF_SYSCALL_TRACE); 2.289 -diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c 2.290 ---- a/arch/sparc64/kernel/ptrace.c 2.291 -+++ b/arch/sparc64/kernel/ptrace.c 2.292 -@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs 2.293 - pt_error_return(regs, EIO); 2.294 - goto out_tsk; 2.295 - } 2.296 -- if (addr != 1) { 2.297 -- unsigned long pc_mask = ~0UL; 2.298 -- 2.299 -- if ((child->thread_info->flags & _TIF_32BIT) != 0) 2.300 -- pc_mask = 0xffffffff; 2.301 -- 2.302 -- if (addr & 3) { 2.303 -- pt_error_return(regs, EINVAL); 2.304 -- goto out_tsk; 2.305 -- } 2.306 --#ifdef DEBUG_PTRACE 2.307 -- printk ("Original: %016lx %016lx\n", 2.308 -- child->thread_info->kregs->tpc, 2.309 -- child->thread_info->kregs->tnpc); 2.310 -- printk ("Continuing with %016lx %016lx\n", addr, addr+4); 2.311 --#endif 2.312 -- child->thread_info->kregs->tpc = (addr & pc_mask); 2.313 -- child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask); 2.314 -- } 2.315 - 2.316 - if (request == PTRACE_SYSCALL) { 2.317 - set_tsk_thread_flag(child, TIF_SYSCALL_TRACE); 2.318 -diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c 2.319 ---- a/arch/sparc64/kernel/signal32.c 2.320 -+++ 
b/arch/sparc64/kernel/signal32.c 2.321 -@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf 2.322 - err |= __put_user(from->si_uid, &to->si_uid); 2.323 - break; 2.324 - case __SI_FAULT >> 16: 2.325 -- case __SI_POLL >> 16: 2.326 - err |= __put_user(from->si_trapno, &to->si_trapno); 2.327 - err |= __put_user((unsigned long)from->si_addr, &to->si_addr); 2.328 - break; 2.329 -+ case __SI_POLL >> 16: 2.330 -+ err |= __put_user(from->si_band, &to->si_band); 2.331 -+ err |= __put_user(from->si_fd, &to->si_fd); 2.332 -+ break; 2.333 - case __SI_RT >> 16: /* This is not generated by the kernel as of now. */ 2.334 - case __SI_MESGQ >> 16: 2.335 - err |= __put_user(from->si_pid, &to->si_pid); 2.336 -diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S 2.337 ---- a/arch/sparc64/kernel/systbls.S 2.338 -+++ b/arch/sparc64/kernel/systbls.S 2.339 -@@ -75,7 +75,7 @@ sys_call_table32: 2.340 - /*260*/ .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun 2.341 - .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy 2.342 - /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink 2.343 -- .word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid 2.344 -+ .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid 2.345 - /*280*/ .word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl 2.346 - 2.347 - #endif /* CONFIG_COMPAT */ 2.348 -diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h 2.349 ---- a/arch/um/include/sysdep-i386/syscalls.h 2.350 -+++ b/arch/um/include/sysdep-i386/syscalls.h 2.351 -@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr 2.352 - unsigned long prot, unsigned long flags, 2.353 - unsigned long fd, 
unsigned long pgoff); 2.354 - 2.355 -+/* On i386 they choose a meaningless naming.*/ 2.356 -+#define __NR_kexec_load __NR_sys_kexec_load 2.357 -+ 2.358 - #define ARCH_SYSCALLS \ 2.359 - [ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \ 2.360 - [ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \ 2.361 -@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr 2.362 - [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \ 2.363 - [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 2.364 - [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 2.365 -- [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \ 2.366 - [ 251 ] = (syscall_handler_t *) sys_ni_syscall, \ 2.367 -- [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \ 2.368 -- [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \ 2.369 -- [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, 2.370 -- 2.371 -+ [ 285 ] = (syscall_handler_t *) sys_ni_syscall, 2.372 -+ 2.373 - /* 222 doesn't yet have a name in include/asm-i386/unistd.h */ 2.374 - 2.375 --#define LAST_ARCH_SYSCALL __NR_vserver 2.376 -+#define LAST_ARCH_SYSCALL 285 2.377 - 2.378 - /* 2.379 - * Overrides for Emacs so that we follow Linus's tabbing style. 
2.380 -diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h 2.381 ---- a/arch/um/include/sysdep-x86_64/syscalls.h 2.382 -+++ b/arch/um/include/sysdep-x86_64/syscalls.h 2.383 -@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl; 2.384 - [ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \ 2.385 - [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 2.386 - [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 2.387 -- [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \ 2.388 - [ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \ 2.389 -- [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \ 2.390 -- [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \ 2.391 -- [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \ 2.392 -- [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \ 2.393 - [ 251 ] = (syscall_handler_t *) sys_ni_syscall, 2.394 - 2.395 - #define LAST_ARCH_SYSCALL 251 2.396 -diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c 2.397 ---- a/arch/um/kernel/skas/uaccess.c 2.398 -+++ b/arch/um/kernel/skas/uaccess.c 2.399 -@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v 2.400 - void *arg; 2.401 - int *res; 2.402 - 2.403 -- va_copy(args, *(va_list *)arg_ptr); 2.404 -+ /* Some old gccs recognize __va_copy, but not va_copy */ 2.405 -+ __va_copy(args, *(va_list *)arg_ptr); 2.406 - addr = va_arg(args, unsigned long); 2.407 - len = va_arg(args, int); 2.408 - is_write = va_arg(args, int); 2.409 -diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c 2.410 ---- a/arch/um/kernel/sys_call_table.c 2.411 -+++ b/arch/um/kernel/sys_call_table.c 2.412 -@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork; 2.413 - extern syscall_handler_t old_select; 2.414 - extern syscall_handler_t sys_modify_ldt; 2.415 - extern syscall_handler_t sys_rt_sigsuspend; 2.416 --extern syscall_handler_t sys_vserver; 2.417 - 
extern syscall_handler_t sys_mbind; 2.418 - extern syscall_handler_t sys_get_mempolicy; 2.419 - extern syscall_handler_t sys_set_mempolicy; 2.420 -@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = { 2.421 - [ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create, 2.422 - [ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl, 2.423 - [ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait, 2.424 -+ [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, 2.425 - [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address, 2.426 - [ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create, 2.427 - [ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime, 2.428 -@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = { 2.429 - [ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime, 2.430 - [ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres, 2.431 - [ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep, 2.432 -- [ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64, 2.433 -- [ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64, 2.434 - [ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill, 2.435 - [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, 2.436 -- [ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64, 2.437 -- [ __NR_vserver ] = (syscall_handler_t *) sys_vserver, 2.438 -+ [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, 2.439 -+ [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, 2.440 - [ __NR_mbind ] = (syscall_handler_t *) sys_mbind, 2.441 - [ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy, 2.442 - [ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy, 2.443 -@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = { 2.444 - [ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive, 2.445 - [ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify, 2.446 - [ __NR_mq_getsetattr ] = 
(syscall_handler_t *) sys_mq_getsetattr, 2.447 -- [ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall, 2.448 -+ [ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall, 2.449 - [ __NR_waitid ] = (syscall_handler_t *) sys_waitid, 2.450 -- [ 285 ] = (syscall_handler_t *) sys_ni_syscall, 2.451 - [ __NR_add_key ] = (syscall_handler_t *) sys_add_key, 2.452 - [ __NR_request_key ] = (syscall_handler_t *) sys_request_key, 2.453 - [ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl, 2.454 -diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c 2.455 ---- a/arch/x86_64/kernel/ptrace.c 2.456 -+++ b/arch/x86_64/kernel/ptrace.c 2.457 -@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch 2.458 - value &= 0xffff; 2.459 - return 0; 2.460 - case offsetof(struct user_regs_struct,fs_base): 2.461 -- if (!((value >> 48) == 0 || (value >> 48) == 0xffff)) 2.462 -- return -EIO; 2.463 -+ if (value >= TASK_SIZE) 2.464 -+ return -EIO; 2.465 - child->thread.fs = value; 2.466 - return 0; 2.467 - case offsetof(struct user_regs_struct,gs_base): 2.468 -- if (!((value >> 48) == 0 || (value >> 48) == 0xffff)) 2.469 -- return -EIO; 2.470 -+ if (value >= TASK_SIZE) 2.471 -+ return -EIO; 2.472 - child->thread.gs = value; 2.473 - return 0; 2.474 - case offsetof(struct user_regs_struct, eflags): 2.475 -@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch 2.476 - return -EIO; 2.477 - value &= 0xffff; 2.478 - break; 2.479 -+ case offsetof(struct user_regs_struct, rip): 2.480 -+ /* Check if the new RIP address is canonical */ 2.481 -+ if (value >= TASK_SIZE) 2.482 -+ return -EIO; 2.483 -+ break; 2.484 - } 2.485 - put_stack_long(child, regno - sizeof(struct pt_regs), value); 2.486 - return 0; 2.487 -diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c 2.488 ---- a/arch/x86_64/mm/fault.c 2.489 -+++ b/arch/x86_64/mm/fault.c 2.490 -@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne 2.491 - 2.492 - /* 2.493 - * Handle a fault on the vmalloc or 
module mapping area 2.494 -+ * 2.495 -+ * This assumes no large pages in there. 2.496 - */ 2.497 - static int vmalloc_fault(unsigned long address) 2.498 - { 2.499 -@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a 2.500 - if (!pte_present(*pte_ref)) 2.501 - return -1; 2.502 - pte = pte_offset_kernel(pmd, address); 2.503 -- if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref)) 2.504 -+ /* Don't use pte_page here, because the mappings can point 2.505 -+ outside mem_map, and the NUMA hash lookup cannot handle 2.506 -+ that. */ 2.507 -+ if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref)) 2.508 - BUG(); 2.509 - __flush_tlb_all(); 2.510 - return 0; 2.511 -@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_ 2.512 - * protection error (error_code & 1) == 0. 2.513 - */ 2.514 - if (unlikely(address >= TASK_SIZE)) { 2.515 -- if (!(error_code & 5)) { 2.516 -+ if (!(error_code & 5) && 2.517 -+ ((address >= VMALLOC_START && address < VMALLOC_END) || 2.518 -+ (address >= MODULES_VADDR && address < MODULES_END))) { 2.519 - if (vmalloc_fault(address) < 0) 2.520 - goto bad_area_nosemaphore; 2.521 - return; 2.522 -diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c 2.523 ---- a/arch/x86_64/mm/ioremap.c 2.524 -+++ b/arch/x86_64/mm/ioremap.c 2.525 -@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr 2.526 - if ((p->flags >> 20) && 2.527 - p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) { 2.528 - /* p->size includes the guard page, but cpa doesn't like that */ 2.529 -- change_page_attr(virt_to_page(__va(p->phys_addr)), 2.530 -+ change_page_attr_addr((unsigned long)(__va(p->phys_addr)), 2.531 - (p->size - PAGE_SIZE) >> PAGE_SHIFT, 2.532 - PAGE_KERNEL); 2.533 - global_flush_tlb(); 2.534 -diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c 2.535 ---- a/drivers/block/ioctl.c 2.536 -+++ b/drivers/block/ioctl.c 2.537 -@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi 2.538 - } 2.539 - return ret; 2.540 - 
} 2.541 -+ 2.542 -+EXPORT_SYMBOL_GPL(blkdev_ioctl); 2.543 -diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c 2.544 ---- a/drivers/block/pktcdvd.c 2.545 -+++ b/drivers/block/pktcdvd.c 2.546 -@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode 2.547 - case CDROM_LAST_WRITTEN: 2.548 - case CDROM_SEND_PACKET: 2.549 - case SCSI_IOCTL_SEND_COMMAND: 2.550 -- return ioctl_by_bdev(pd->bdev, cmd, arg); 2.551 -+ return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); 2.552 - 2.553 - case CDROMEJECT: 2.554 - /* 2.555 -@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode 2.556 - * have to unlock it or else the eject command fails. 2.557 - */ 2.558 - pkt_lock_door(pd, 0); 2.559 -- return ioctl_by_bdev(pd->bdev, cmd, arg); 2.560 -+ return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); 2.561 - 2.562 - default: 2.563 - printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd); 2.564 -diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c 2.565 ---- a/drivers/char/drm/drm_ioctl.c 2.566 -+++ b/drivers/char/drm/drm_ioctl.c 2.567 -@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS) 2.568 - 2.569 - DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv)); 2.570 - 2.571 -+ memset(&version, 0, sizeof(version)); 2.572 -+ 2.573 - dev->driver->version(&version); 2.574 - retv.drm_di_major = DRM_IF_MAJOR; 2.575 - retv.drm_di_minor = DRM_IF_MINOR; 2.576 -diff --git a/drivers/char/raw.c b/drivers/char/raw.c 2.577 ---- a/drivers/char/raw.c 2.578 -+++ b/drivers/char/raw.c 2.579 -@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi 2.580 - { 2.581 - struct block_device *bdev = filp->private_data; 2.582 - 2.583 -- return ioctl_by_bdev(bdev, command, arg); 2.584 -+ return blkdev_ioctl(bdev->bd_inode, filp, command, arg); 2.585 - } 2.586 - 2.587 - static void bind_device(struct raw_config_request *rq) 2.588 -diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c 2.589 ---- a/drivers/i2c/chips/eeprom.c 2.590 -+++ 
b/drivers/i2c/chips/eeprom.c 2.591 -@@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec 2.592 - 2.593 - /* Hide Vaio security settings to regular users (16 first bytes) */ 2.594 - if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) { 2.595 -- int in_row1 = 16 - off; 2.596 -+ size_t in_row1 = 16 - off; 2.597 -+ in_row1 = min(in_row1, count); 2.598 - memset(buf, 0, in_row1); 2.599 - if (count - in_row1 > 0) 2.600 - memcpy(buf + in_row1, &data->data[16], count - in_row1); 2.601 -diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c 2.602 ---- a/drivers/i2c/chips/it87.c 2.603 -+++ b/drivers/i2c/chips/it87.c 2.604 -@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device 2.605 - struct it87_data *data = it87_update_device(dev); 2.606 - return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms)); 2.607 - } 2.608 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL); 2.609 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL); 2.610 - 2.611 - static ssize_t 2.612 - show_vrm_reg(struct device *dev, char *buf) 2.613 -diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c 2.614 ---- a/drivers/i2c/chips/via686a.c 2.615 -+++ b/drivers/i2c/chips/via686a.c 2.616 -@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device 2.617 - struct via686a_data *data = via686a_update_device(dev); 2.618 - return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms)); 2.619 - } 2.620 --static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL); 2.621 -+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL); 2.622 - 2.623 - /* The driver. 
I choose to use type i2c_driver, as at is identical to both 2.624 - smbus_driver and isa_driver, and clients could be of either kind */ 2.625 -diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c 2.626 ---- a/drivers/ide/ide-disk.c 2.627 -+++ b/drivers/ide/ide-disk.c 2.628 -@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk( 2.629 - if (hwif->no_lba48_dma && lba48 && dma) { 2.630 - if (block + rq->nr_sectors > 1ULL << 28) 2.631 - dma = 0; 2.632 -+ else 2.633 -+ lba48 = 0; 2.634 - } 2.635 - 2.636 - if (!dma) { 2.637 -@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk( 2.638 - /* FIXME: SELECT_MASK(drive, 0) ? */ 2.639 - 2.640 - if (drive->select.b.lba) { 2.641 -- if (drive->addressing == 1) { 2.642 -+ if (lba48) { 2.643 - task_ioreg_t tasklets[10]; 2.644 - 2.645 - pr_debug("%s: LBA=0x%012llx\n", drive->name, block); 2.646 -diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h 2.647 ---- a/drivers/input/serio/i8042-x86ia64io.h 2.648 -+++ b/drivers/input/serio/i8042-x86ia64io.h 2.649 -@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i 2.650 - }; 2.651 - #endif 2.652 - 2.653 --#ifdef CONFIG_ACPI 2.654 -+#if defined(__ia64__) && defined(CONFIG_ACPI) 2.655 - #include <linux/acpi.h> 2.656 - #include <acpi/acpi_bus.h> 2.657 - 2.658 -@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo 2.659 - i8042_kbd_irq = I8042_MAP_IRQ(1); 2.660 - i8042_aux_irq = I8042_MAP_IRQ(12); 2.661 - 2.662 --#ifdef CONFIG_ACPI 2.663 -+#if defined(__ia64__) && defined(CONFIG_ACPI) 2.664 - if (i8042_acpi_init()) 2.665 - return -1; 2.666 - #endif 2.667 -@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo 2.668 - 2.669 - static inline void i8042_platform_exit(void) 2.670 - { 2.671 --#ifdef CONFIG_ACPI 2.672 -+#if defined(__ia64__) && defined(CONFIG_ACPI) 2.673 - i8042_acpi_exit(); 2.674 - #endif 2.675 - } 2.676 -diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc 2.677 ---- 
a/drivers/md/raid6altivec.uc 2.678 -+++ b/drivers/md/raid6altivec.uc 2.679 -@@ -108,7 +108,11 @@ int raid6_have_altivec(void); 2.680 - int raid6_have_altivec(void) 2.681 - { 2.682 - /* This assumes either all CPUs have Altivec or none does */ 2.683 -+#ifdef CONFIG_PPC64 2.684 - return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC; 2.685 -+#else 2.686 -+ return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC; 2.687 -+#endif 2.688 - } 2.689 - #endif 2.690 - 2.691 -diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c 2.692 ---- a/drivers/media/video/adv7170.c 2.693 -+++ b/drivers/media/video/adv7170.c 2.694 -@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client * 2.695 - u8 block_data[32]; 2.696 - 2.697 - msg.addr = client->addr; 2.698 -- msg.flags = client->flags; 2.699 -+ msg.flags = 0; 2.700 - while (len >= 2) { 2.701 - msg.buf = (char *) block_data; 2.702 - msg.len = 0; 2.703 -diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c 2.704 ---- a/drivers/media/video/adv7175.c 2.705 -+++ b/drivers/media/video/adv7175.c 2.706 -@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client * 2.707 - u8 block_data[32]; 2.708 - 2.709 - msg.addr = client->addr; 2.710 -- msg.flags = client->flags; 2.711 -+ msg.flags = 0; 2.712 - while (len >= 2) { 2.713 - msg.buf = (char *) block_data; 2.714 - msg.len = 0; 2.715 -diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c 2.716 ---- a/drivers/media/video/bt819.c 2.717 -+++ b/drivers/media/video/bt819.c 2.718 -@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl 2.719 - u8 block_data[32]; 2.720 - 2.721 - msg.addr = client->addr; 2.722 -- msg.flags = client->flags; 2.723 -+ msg.flags = 0; 2.724 - while (len >= 2) { 2.725 - msg.buf = (char *) block_data; 2.726 - msg.len = 0; 2.727 -diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c 2.728 ---- a/drivers/media/video/bttv-cards.c 2.729 -+++ b/drivers/media/video/bttv-cards.c 2.730 -@@ 
-2718,8 +2718,6 @@ void __devinit bttv_init_card2(struct bt 2.731 - } 2.732 - btv->pll.pll_current = -1; 2.733 - 2.734 -- bttv_reset_audio(btv); 2.735 -- 2.736 - /* tuner configuration (from card list / autodetect / insmod option) */ 2.737 - if (UNSET != bttv_tvcards[btv->c.type].tuner_type) 2.738 - if(UNSET == btv->tuner_type) 2.739 -diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c 2.740 ---- a/drivers/media/video/saa7110.c 2.741 -+++ b/drivers/media/video/saa7110.c 2.742 -@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0- 2.743 - 2.744 - #define I2C_SAA7110 0x9C /* or 0x9E */ 2.745 - 2.746 -+#define SAA7110_NR_REG 0x35 2.747 -+ 2.748 - struct saa7110 { 2.749 -- unsigned char reg[54]; 2.750 -+ u8 reg[SAA7110_NR_REG]; 2.751 - 2.752 - int norm; 2.753 - int input; 2.754 -@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client * 2.755 - unsigned int len) 2.756 - { 2.757 - int ret = -1; 2.758 -- u8 reg = *data++; 2.759 -+ u8 reg = *data; /* first register to write to */ 2.760 - 2.761 -- len--; 2.762 -+ /* Sanity check */ 2.763 -+ if (reg + (len - 1) > SAA7110_NR_REG) 2.764 -+ return ret; 2.765 - 2.766 - /* the saa7110 has an autoincrement function, use it if 2.767 - * the adapter understands raw I2C */ 2.768 - if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) { 2.769 - struct saa7110 *decoder = i2c_get_clientdata(client); 2.770 - struct i2c_msg msg; 2.771 -- u8 block_data[54]; 2.772 - 2.773 -- msg.len = 0; 2.774 -- msg.buf = (char *) block_data; 2.775 -+ msg.len = len; 2.776 -+ msg.buf = (char *) data; 2.777 - msg.addr = client->addr; 2.778 -- msg.flags = client->flags; 2.779 -- while (len >= 1) { 2.780 -- msg.len = 0; 2.781 -- block_data[msg.len++] = reg; 2.782 -- while (len-- >= 1 && msg.len < 54) 2.783 -- block_data[msg.len++] = 2.784 -- decoder->reg[reg++] = *data++; 2.785 -- ret = i2c_transfer(client->adapter, &msg, 1); 2.786 -- } 2.787 -+ msg.flags = 0; 2.788 -+ ret = i2c_transfer(client->adapter, &msg, 1); 2.789 -+ 
2.790 -+ /* Cache the written data */ 2.791 -+ memcpy(decoder->reg + reg, data + 1, len - 1); 2.792 - } else { 2.793 -- while (len-- >= 1) { 2.794 -+ for (++data, --len; len; len--) { 2.795 - if ((ret = saa7110_write(client, reg++, 2.796 - *data++)) < 0) 2.797 - break; 2.798 -@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien 2.799 - return 0; 2.800 - } 2.801 - 2.802 --static const unsigned char initseq[] = { 2.803 -+static const unsigned char initseq[1 + SAA7110_NR_REG] = { 2.804 - 0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00, 2.805 - /* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90, 2.806 - /* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA, 2.807 -diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c 2.808 ---- a/drivers/media/video/saa7114.c 2.809 -+++ b/drivers/media/video/saa7114.c 2.810 -@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client * 2.811 - u8 block_data[32]; 2.812 - 2.813 - msg.addr = client->addr; 2.814 -- msg.flags = client->flags; 2.815 -+ msg.flags = 0; 2.816 - while (len >= 2) { 2.817 - msg.buf = (char *) block_data; 2.818 - msg.len = 0; 2.819 -diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c 2.820 ---- a/drivers/media/video/saa7185.c 2.821 -+++ b/drivers/media/video/saa7185.c 2.822 -@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client * 2.823 - u8 block_data[32]; 2.824 - 2.825 - msg.addr = client->addr; 2.826 -- msg.flags = client->flags; 2.827 -+ msg.flags = 0; 2.828 - while (len >= 2) { 2.829 - msg.buf = (char *) block_data; 2.830 - msg.len = 0; 2.831 -diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c 2.832 ---- a/drivers/net/3c59x.c 2.833 -+++ b/drivers/net/3c59x.c 2.834 -@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev) 2.835 - 2.836 - if (VORTEX_PCI(vp)) { 2.837 - pci_set_power_state(VORTEX_PCI(vp), PCI_D0); /* Go active */ 2.838 -- pci_restore_state(VORTEX_PCI(vp)); 2.839 -+ if (vp->pm_state_valid) 2.840 -+ 
pci_restore_state(VORTEX_PCI(vp)); 2.841 - pci_enable_device(VORTEX_PCI(vp)); 2.842 - } 2.843 - 2.844 -@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 2.845 - outl(0, ioaddr + DownListPtr); 2.846 - 2.847 - if (final_down && VORTEX_PCI(vp)) { 2.848 -+ vp->pm_state_valid = 1; 2.849 - pci_save_state(VORTEX_PCI(vp)); 2.850 - acpi_set_WOL(dev); 2.851 - } 2.852 -@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi 2.853 - outw(RxEnable, ioaddr + EL3_CMD); 2.854 - 2.855 - pci_enable_wake(VORTEX_PCI(vp), 0, 1); 2.856 -+ 2.857 -+ /* Change the power state to D3; RxEnable doesn't take effect. */ 2.858 -+ pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot); 2.859 - } 2.860 -- /* Change the power state to D3; RxEnable doesn't take effect. */ 2.861 -- pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot); 2.862 - } 2.863 - 2.864 - 2.865 -diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c 2.866 ---- a/drivers/net/amd8111e.c 2.867 -+++ b/drivers/net/amd8111e.c 2.868 -@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi 2.869 - 2.870 - if(amd8111e_restart(dev)){ 2.871 - spin_unlock_irq(&lp->lock); 2.872 -+ if (dev->irq) 2.873 -+ free_irq(dev->irq, dev); 2.874 - return -ENOMEM; 2.875 - } 2.876 - /* Start ipg timer */ 2.877 -diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c 2.878 ---- a/drivers/net/ppp_async.c 2.879 -+++ b/drivers/net/ppp_async.c 2.880 -@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp 2.881 - data += 4; 2.882 - dlen -= 4; 2.883 - /* data[0] is code, data[1] is length */ 2.884 -- while (dlen >= 2 && dlen >= data[1]) { 2.885 -+ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { 2.886 - switch (data[0]) { 2.887 - case LCP_MRU: 2.888 - val = (data[2] << 8) + data[3]; 2.889 -diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c 2.890 ---- a/drivers/net/r8169.c 2.891 -+++ b/drivers/net/r8169.c 2.892 -@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r 2.893 - rtl8169_make_unusable_by_asic(desc); 
2.894 - } 2.895 - 2.896 --static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz) 2.897 -+static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz) 2.898 - { 2.899 -- desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz); 2.900 -+ u32 eor = le32_to_cpu(desc->opts1) & RingEnd; 2.901 -+ 2.902 -+ desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz); 2.903 - } 2.904 - 2.905 --static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping, 2.906 -- int rx_buf_sz) 2.907 -+static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping, 2.908 -+ u32 rx_buf_sz) 2.909 - { 2.910 - desc->addr = cpu_to_le64(mapping); 2.911 -- desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz); 2.912 -+ wmb(); 2.913 -+ rtl8169_mark_to_asic(desc, rx_buf_sz); 2.914 - } 2.915 - 2.916 - static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff, 2.917 -@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p 2.918 - mapping = pci_map_single(pdev, skb->tail, rx_buf_sz, 2.919 - PCI_DMA_FROMDEVICE); 2.920 - 2.921 -- rtl8169_give_to_asic(desc, mapping, rx_buf_sz); 2.922 -+ rtl8169_map_to_asic(desc, mapping, rx_buf_sz); 2.923 - 2.924 - out: 2.925 - return ret; 2.926 -@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st 2.927 - skb_reserve(skb, NET_IP_ALIGN); 2.928 - eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0); 2.929 - *sk_buff = skb; 2.930 -- rtl8169_return_to_asic(desc, rx_buf_sz); 2.931 -+ rtl8169_mark_to_asic(desc, rx_buf_sz); 2.932 - ret = 0; 2.933 - } 2.934 - } 2.935 -diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c 2.936 ---- a/drivers/net/sis900.c 2.937 -+++ b/drivers/net/sis900.c 2.938 -@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr 2.939 - signature = (u16) read_eeprom(ioaddr, EEPROMSignature); 2.940 - if (signature == 0xffff || signature == 0x0000) { 2.941 - printk (KERN_INFO "%s: Error EERPOM read %x\n", 2.942 -- net_dev->name, signature); 2.943 -+ 
pci_name(pci_dev), signature); 2.944 - return 0; 2.945 - } 2.946 - 2.947 -@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add 2.948 - if (!isa_bridge) 2.949 - isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge); 2.950 - if (!isa_bridge) { 2.951 -- printk("%s: Can not find ISA bridge\n", net_dev->name); 2.952 -+ printk("%s: Can not find ISA bridge\n", pci_name(pci_dev)); 2.953 - return 0; 2.954 - } 2.955 - pci_read_config_byte(isa_bridge, 0x48, ®); 2.956 -@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct 2.957 - net_dev->tx_timeout = sis900_tx_timeout; 2.958 - net_dev->watchdog_timeo = TX_TIMEOUT; 2.959 - net_dev->ethtool_ops = &sis900_ethtool_ops; 2.960 -- 2.961 -- ret = register_netdev(net_dev); 2.962 -- if (ret) 2.963 -- goto err_unmap_rx; 2.964 - 2.965 - /* Get Mac address according to the chip revision */ 2.966 - pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision); 2.967 -@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct 2.968 - 2.969 - if (ret == 0) { 2.970 - ret = -ENODEV; 2.971 -- goto err_out_unregister; 2.972 -+ goto err_unmap_rx; 2.973 - } 2.974 - 2.975 - /* 630ET : set the mii access mode as software-mode */ 2.976 -@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct 2.977 - /* probe for mii transceiver */ 2.978 - if (sis900_mii_probe(net_dev) == 0) { 2.979 - ret = -ENODEV; 2.980 -- goto err_out_unregister; 2.981 -+ goto err_unmap_rx; 2.982 - } 2.983 - 2.984 - /* save our host bridge revision */ 2.985 -@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct 2.986 - pci_dev_put(dev); 2.987 - } 2.988 - 2.989 -+ ret = register_netdev(net_dev); 2.990 -+ if (ret) 2.991 -+ goto err_unmap_rx; 2.992 -+ 2.993 - /* print some information about our NIC */ 2.994 - printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name, 2.995 - card_name, ioaddr, net_dev->irq); 2.996 -@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct 2.997 - 2.998 - return 0; 2.999 - 2.1000 -- err_out_unregister: 
2.1001 -- unregister_netdev(net_dev); 2.1002 - err_unmap_rx: 2.1003 - pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring, 2.1004 - sis_priv->rx_ring_dma); 2.1005 -@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct 2.1006 - static int __init sis900_mii_probe(struct net_device * net_dev) 2.1007 - { 2.1008 - struct sis900_private * sis_priv = net_dev->priv; 2.1009 -+ const char *dev_name = pci_name(sis_priv->pci_dev); 2.1010 - u16 poll_bit = MII_STAT_LINK, status = 0; 2.1011 - unsigned long timeout = jiffies + 5 * HZ; 2.1012 - int phy_addr; 2.1013 -@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc 2.1014 - mii_phy->phy_types = 2.1015 - (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME; 2.1016 - printk(KERN_INFO "%s: %s transceiver found at address %d.\n", 2.1017 -- net_dev->name, mii_chip_table[i].name, 2.1018 -+ dev_name, mii_chip_table[i].name, 2.1019 - phy_addr); 2.1020 - break; 2.1021 - } 2.1022 - 2.1023 - if( !mii_chip_table[i].phy_id1 ) { 2.1024 - printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n", 2.1025 -- net_dev->name, phy_addr); 2.1026 -+ dev_name, phy_addr); 2.1027 - mii_phy->phy_types = UNKNOWN; 2.1028 - } 2.1029 - } 2.1030 - 2.1031 - if (sis_priv->mii == NULL) { 2.1032 -- printk(KERN_INFO "%s: No MII transceivers found!\n", 2.1033 -- net_dev->name); 2.1034 -+ printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name); 2.1035 - return 0; 2.1036 - } 2.1037 - 2.1038 -@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc 2.1039 - poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit); 2.1040 - if (time_after_eq(jiffies, timeout)) { 2.1041 - printk(KERN_WARNING "%s: reset phy and link down now\n", 2.1042 -- net_dev->name); 2.1043 -+ dev_name); 2.1044 - return -ETIME; 2.1045 - } 2.1046 - } 2.1047 -@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net 2.1048 - sis_priv->mii = default_phy; 2.1049 - sis_priv->cur_phy = default_phy->phy_addr; 2.1050 - 
printk(KERN_INFO "%s: Using transceiver found at address %d as default\n", 2.1051 -- net_dev->name,sis_priv->cur_phy); 2.1052 -+ pci_name(sis_priv->pci_dev), sis_priv->cur_phy); 2.1053 - } 2.1054 - 2.1055 - status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL); 2.1056 -diff --git a/drivers/net/tun.c b/drivers/net/tun.c 2.1057 ---- a/drivers/net/tun.c 2.1058 -+++ b/drivers/net/tun.c 2.1059 -@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s 2.1060 - size_t len = count; 2.1061 - 2.1062 - if (!(tun->flags & TUN_NO_PI)) { 2.1063 -- if ((len -= sizeof(pi)) > len) 2.1064 -+ if ((len -= sizeof(pi)) > count) 2.1065 - return -EINVAL; 2.1066 - 2.1067 - if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi))) 2.1068 -diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c 2.1069 ---- a/drivers/net/via-rhine.c 2.1070 -+++ b/drivers/net/via-rhine.c 2.1071 -@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 2.1072 - dev->name, rp->pdev->irq); 2.1073 - 2.1074 - rc = alloc_ring(dev); 2.1075 -- if (rc) 2.1076 -+ if (rc) { 2.1077 -+ free_irq(rp->pdev->irq, dev); 2.1078 - return rc; 2.1079 -+ } 2.1080 - alloc_rbufs(dev); 2.1081 - alloc_tbufs(dev); 2.1082 - rhine_chip_reset(dev); 2.1083 -@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic 2.1084 - struct rhine_private *rp = netdev_priv(dev); 2.1085 - void __iomem *ioaddr = rp->base; 2.1086 - 2.1087 -+ if (!(rp->quirks & rqWOL)) 2.1088 -+ return; /* Nothing to do for non-WOL adapters */ 2.1089 -+ 2.1090 - rhine_power_init(dev); 2.1091 - 2.1092 - /* Make sure we use pattern 0, 1 and not 4, 5 */ 2.1093 -diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c 2.1094 ---- a/drivers/net/wan/hd6457x.c 2.1095 -+++ b/drivers/net/wan/hd6457x.c 2.1096 -@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 2.1097 - #endif 2.1098 - stats->rx_packets++; 2.1099 - stats->rx_bytes += skb->len; 2.1100 -- skb->dev->last_rx = jiffies; 2.1101 -+ dev->last_rx = jiffies; 2.1102 - skb->protocol = 
hdlc_type_trans(skb, dev); 2.1103 - netif_rx(skb); 2.1104 - } 2.1105 -diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c 2.1106 ---- a/drivers/pci/hotplug/pciehp_ctrl.c 2.1107 -+++ b/drivers/pci/hotplug/pciehp_ctrl.c 2.1108 -@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 2.1109 - dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 2.1110 - ctrl->seg, func->bus, func->device, func->function); 2.1111 - bridge_slot_remove(func); 2.1112 -- } else 2.1113 -+ } else { 2.1114 - dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 2.1115 - ctrl->seg, func->bus, func->device, func->function); 2.1116 - slot_remove(func); 2.1117 -+ } 2.1118 - 2.1119 - func = pciehp_slot_find(ctrl->slot_bus, device, 0); 2.1120 - } 2.1121 -diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c 2.1122 ---- a/drivers/usb/serial/visor.c 2.1123 -+++ b/drivers/usb/serial/visor.c 2.1124 -@@ -386,6 +386,7 @@ struct visor_private { 2.1125 - int bytes_in; 2.1126 - int bytes_out; 2.1127 - int outstanding_urbs; 2.1128 -+ int throttled; 2.1129 - }; 2.1130 - 2.1131 - /* number of outstanding urbs to prevent userspace DoS from happening */ 2.1132 -@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial 2.1133 - priv->bytes_in = 0; 2.1134 - priv->bytes_out = 0; 2.1135 - priv->outstanding_urbs = 0; 2.1136 -+ priv->throttled = 0; 2.1137 - spin_unlock_irqrestore(&priv->lock, flags); 2.1138 - 2.1139 - /* 2.1140 -@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st 2.1141 - struct tty_struct *tty; 2.1142 - unsigned long flags; 2.1143 - int i; 2.1144 -+ int throttled; 2.1145 - int result; 2.1146 - 2.1147 - dbg("%s - port %d", __FUNCTION__, port->number); 2.1148 -@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st 2.1149 - } 2.1150 - spin_lock_irqsave(&priv->lock, flags); 2.1151 - priv->bytes_in += urb->actual_length; 2.1152 -+ throttled = priv->throttled; 2.1153 - spin_unlock_irqrestore(&priv->lock, flags); 2.1154 
- 2.1155 -- /* Continue trying to always read */ 2.1156 -- usb_fill_bulk_urb (port->read_urb, port->serial->dev, 2.1157 -- usb_rcvbulkpipe(port->serial->dev, 2.1158 -- port->bulk_in_endpointAddress), 2.1159 -- port->read_urb->transfer_buffer, 2.1160 -- port->read_urb->transfer_buffer_length, 2.1161 -- visor_read_bulk_callback, port); 2.1162 -- result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 2.1163 -- if (result) 2.1164 -- dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result); 2.1165 -+ /* Continue trying to always read if we should */ 2.1166 -+ if (!throttled) { 2.1167 -+ usb_fill_bulk_urb (port->read_urb, port->serial->dev, 2.1168 -+ usb_rcvbulkpipe(port->serial->dev, 2.1169 -+ port->bulk_in_endpointAddress), 2.1170 -+ port->read_urb->transfer_buffer, 2.1171 -+ port->read_urb->transfer_buffer_length, 2.1172 -+ visor_read_bulk_callback, port); 2.1173 -+ result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 2.1174 -+ if (result) 2.1175 -+ dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result); 2.1176 -+ } 2.1177 - return; 2.1178 - } 2.1179 - 2.1180 -@@ -683,16 +689,26 @@ exit: 2.1181 - 2.1182 - static void visor_throttle (struct usb_serial_port *port) 2.1183 - { 2.1184 -+ struct visor_private *priv = usb_get_serial_port_data(port); 2.1185 -+ unsigned long flags; 2.1186 -+ 2.1187 - dbg("%s - port %d", __FUNCTION__, port->number); 2.1188 -- usb_kill_urb(port->read_urb); 2.1189 -+ spin_lock_irqsave(&priv->lock, flags); 2.1190 -+ priv->throttled = 1; 2.1191 -+ spin_unlock_irqrestore(&priv->lock, flags); 2.1192 - } 2.1193 - 2.1194 - 2.1195 - static void visor_unthrottle (struct usb_serial_port *port) 2.1196 - { 2.1197 -+ struct visor_private *priv = usb_get_serial_port_data(port); 2.1198 -+ unsigned long flags; 2.1199 - int result; 2.1200 - 2.1201 - dbg("%s - port %d", __FUNCTION__, port->number); 2.1202 -+ spin_lock_irqsave(&priv->lock, flags); 2.1203 -+ priv->throttled = 0; 2.1204 -+ 
spin_unlock_irqrestore(&priv->lock, flags); 2.1205 - 2.1206 - port->read_urb->dev = port->serial->dev; 2.1207 - result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 2.1208 -diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c 2.1209 ---- a/drivers/video/matrox/matroxfb_accel.c 2.1210 -+++ b/drivers/video/matrox/matroxfb_accel.c 2.1211 -@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI 2.1212 - } else if (step == 1) { 2.1213 - /* Special case for 1..8bit widths */ 2.1214 - while (height--) { 2.1215 -- mga_writel(mmio, 0, *chardata); 2.1216 -+#if defined(__BIG_ENDIAN) 2.1217 -+ fb_writel((*chardata) << 24, mmio.vaddr); 2.1218 -+#else 2.1219 -+ fb_writel(*chardata, mmio.vaddr); 2.1220 -+#endif 2.1221 - chardata++; 2.1222 - } 2.1223 - } else if (step == 2) { 2.1224 - /* Special case for 9..15bit widths */ 2.1225 - while (height--) { 2.1226 -- mga_writel(mmio, 0, *(u_int16_t*)chardata); 2.1227 -+#if defined(__BIG_ENDIAN) 2.1228 -+ fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr); 2.1229 -+#else 2.1230 -+ fb_writel(*(u_int16_t*)chardata, mmio.vaddr); 2.1231 -+#endif 2.1232 - chardata += 2; 2.1233 - } 2.1234 - } else { 2.1235 -@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI 2.1236 - 2.1237 - for (i = 0; i < step; i += 4) { 2.1238 - /* Hope that there are at least three readable bytes beyond the end of bitmap */ 2.1239 -- mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i))); 2.1240 -+ fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr); 2.1241 - } 2.1242 - chardata += step; 2.1243 - } 2.1244 -diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h 2.1245 ---- a/drivers/video/matrox/matroxfb_base.h 2.1246 -+++ b/drivers/video/matrox/matroxfb_base.h 2.1247 -@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr 2.1248 - 2.1249 - if ((unsigned long)src & 3) { 2.1250 - while (len >= 4) { 2.1251 -- writel(get_unaligned((u32 *)src), addr); 2.1252 -+ 
fb_writel(get_unaligned((u32 *)src), addr); 2.1253 - addr++; 2.1254 - len -= 4; 2.1255 - src += 4; 2.1256 - } 2.1257 - } else { 2.1258 - while (len >= 4) { 2.1259 -- writel(*(u32 *)src, addr); 2.1260 -+ fb_writel(*(u32 *)src, addr); 2.1261 - addr++; 2.1262 - len -= 4; 2.1263 - src += 4; 2.1264 -diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c 2.1265 ---- a/fs/binfmt_elf.c 2.1266 -+++ b/fs/binfmt_elf.c 2.1267 -@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b 2.1268 - } 2.1269 - 2.1270 - /* Populate argv and envp */ 2.1271 -- p = current->mm->arg_start; 2.1272 -+ p = current->mm->arg_end = current->mm->arg_start; 2.1273 - while (argc-- > 0) { 2.1274 - size_t len; 2.1275 - __put_user((elf_addr_t)p, argv++); 2.1276 -@@ -1008,6 +1008,7 @@ out_free_ph: 2.1277 - static int load_elf_library(struct file *file) 2.1278 - { 2.1279 - struct elf_phdr *elf_phdata; 2.1280 -+ struct elf_phdr *eppnt; 2.1281 - unsigned long elf_bss, bss, len; 2.1282 - int retval, error, i, j; 2.1283 - struct elfhdr elf_ex; 2.1284 -@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 2.1285 - /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */ 2.1286 - 2.1287 - error = -ENOMEM; 2.1288 -- elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL); 2.1289 -+ elf_phdata = kmalloc(j, GFP_KERNEL); 2.1290 - if (!elf_phdata) 2.1291 - goto out; 2.1292 - 2.1293 -+ eppnt = elf_phdata; 2.1294 - error = -ENOEXEC; 2.1295 -- retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j); 2.1296 -+ retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j); 2.1297 - if (retval != j) 2.1298 - goto out_free_ph; 2.1299 - 2.1300 - for (j = 0, i = 0; i<elf_ex.e_phnum; i++) 2.1301 -- if ((elf_phdata + i)->p_type == PT_LOAD) j++; 2.1302 -+ if ((eppnt + i)->p_type == PT_LOAD) 2.1303 -+ j++; 2.1304 - if (j != 1) 2.1305 - goto out_free_ph; 2.1306 - 2.1307 -- while (elf_phdata->p_type != PT_LOAD) elf_phdata++; 2.1308 -+ while (eppnt->p_type != PT_LOAD) 2.1309 -+ eppnt++; 2.1310 - 2.1311 - /* Now use 
mmap to map the library into memory. */ 2.1312 - down_write(¤t->mm->mmap_sem); 2.1313 - error = do_mmap(file, 2.1314 -- ELF_PAGESTART(elf_phdata->p_vaddr), 2.1315 -- (elf_phdata->p_filesz + 2.1316 -- ELF_PAGEOFFSET(elf_phdata->p_vaddr)), 2.1317 -+ ELF_PAGESTART(eppnt->p_vaddr), 2.1318 -+ (eppnt->p_filesz + 2.1319 -+ ELF_PAGEOFFSET(eppnt->p_vaddr)), 2.1320 - PROT_READ | PROT_WRITE | PROT_EXEC, 2.1321 - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, 2.1322 -- (elf_phdata->p_offset - 2.1323 -- ELF_PAGEOFFSET(elf_phdata->p_vaddr))); 2.1324 -+ (eppnt->p_offset - 2.1325 -+ ELF_PAGEOFFSET(eppnt->p_vaddr))); 2.1326 - up_write(¤t->mm->mmap_sem); 2.1327 -- if (error != ELF_PAGESTART(elf_phdata->p_vaddr)) 2.1328 -+ if (error != ELF_PAGESTART(eppnt->p_vaddr)) 2.1329 - goto out_free_ph; 2.1330 - 2.1331 -- elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz; 2.1332 -+ elf_bss = eppnt->p_vaddr + eppnt->p_filesz; 2.1333 - if (padzero(elf_bss)) { 2.1334 - error = -EFAULT; 2.1335 - goto out_free_ph; 2.1336 - } 2.1337 - 2.1338 -- len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1); 2.1339 -- bss = elf_phdata->p_memsz + elf_phdata->p_vaddr; 2.1340 -+ len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1); 2.1341 -+ bss = eppnt->p_memsz + eppnt->p_vaddr; 2.1342 - if (bss > len) { 2.1343 - down_write(¤t->mm->mmap_sem); 2.1344 - do_brk(len, bss - len); 2.1345 -@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs 2.1346 - static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, 2.1347 - struct mm_struct *mm) 2.1348 - { 2.1349 -- int i, len; 2.1350 -+ unsigned int i, len; 2.1351 - 2.1352 - /* first copy the parameters from user space */ 2.1353 - memset(psinfo, 0, sizeof(struct elf_prpsinfo)); 2.1354 -diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c 2.1355 ---- a/fs/cramfs/inode.c 2.1356 -+++ b/fs/cramfs/inode.c 2.1357 -@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st 2.1358 - inode->i_data.a_ops = 
&cramfs_aops; 2.1359 - } else { 2.1360 - inode->i_size = 0; 2.1361 -+ inode->i_blocks = 0; 2.1362 - init_special_inode(inode, inode->i_mode, 2.1363 - old_decode_dev(cramfs_inode->size)); 2.1364 - } 2.1365 -diff --git a/fs/eventpoll.c b/fs/eventpoll.c 2.1366 ---- a/fs/eventpoll.c 2.1367 -+++ b/fs/eventpoll.c 2.1368 -@@ -619,6 +619,7 @@ eexit_1: 2.1369 - return error; 2.1370 - } 2.1371 - 2.1372 -+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event)) 2.1373 - 2.1374 - /* 2.1375 - * Implement the event wait interface for the eventpoll file. It is the kernel 2.1376 -@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd, 2.1377 - current, epfd, events, maxevents, timeout)); 2.1378 - 2.1379 - /* The maximum number of event must be greater than zero */ 2.1380 -- if (maxevents <= 0) 2.1381 -+ if (maxevents <= 0 || maxevents > MAX_EVENTS) 2.1382 - return -EINVAL; 2.1383 - 2.1384 - /* Verify that the area passed by the user is writeable */ 2.1385 -diff --git a/fs/exec.c b/fs/exec.c 2.1386 ---- a/fs/exec.c 2.1387 -+++ b/fs/exec.c 2.1388 -@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas 2.1389 - { 2.1390 - /* buf must be at least sizeof(tsk->comm) in size */ 2.1391 - task_lock(tsk); 2.1392 -- memcpy(buf, tsk->comm, sizeof(tsk->comm)); 2.1393 -+ strncpy(buf, tsk->comm, sizeof(tsk->comm)); 2.1394 - task_unlock(tsk); 2.1395 - } 2.1396 - 2.1397 -diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c 2.1398 ---- a/fs/ext2/dir.c 2.1399 -+++ b/fs/ext2/dir.c 2.1400 -@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode, 2.1401 - goto fail; 2.1402 - } 2.1403 - kaddr = kmap_atomic(page, KM_USER0); 2.1404 -+ memset(kaddr, 0, chunk_size); 2.1405 - de = (struct ext2_dir_entry_2 *)kaddr; 2.1406 - de->name_len = 1; 2.1407 - de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1)); 2.1408 -diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c 2.1409 ---- a/fs/ext3/balloc.c 2.1410 -+++ b/fs/ext3/balloc.c 2.1411 -@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino 2.1412 - 2.1413 - if 
(!rsv_is_empty(&rsv->rsv_window)) { 2.1414 - spin_lock(rsv_lock); 2.1415 -- rsv_window_remove(inode->i_sb, rsv); 2.1416 -+ if (!rsv_is_empty(&rsv->rsv_window)) 2.1417 -+ rsv_window_remove(inode->i_sb, rsv); 2.1418 - spin_unlock(rsv_lock); 2.1419 - } 2.1420 - } 2.1421 -diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c 2.1422 ---- a/fs/isofs/inode.c 2.1423 -+++ b/fs/isofs/inode.c 2.1424 -@@ -685,6 +685,8 @@ root_found: 2.1425 - sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size); 2.1426 - sbi->s_max_size = isonum_733(h_pri->volume_space_size); 2.1427 - } else { 2.1428 -+ if (!pri) 2.1429 -+ goto out_freebh; 2.1430 - rootp = (struct iso_directory_record *) pri->root_directory_record; 2.1431 - sbi->s_nzones = isonum_733 (pri->volume_space_size); 2.1432 - sbi->s_log_zone_size = isonum_723 (pri->logical_block_size); 2.1433 -@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl 2.1434 - struct inode *inode; 2.1435 - struct isofs_iget5_callback_data data; 2.1436 - 2.1437 -+ if (offset >= 1ul << sb->s_blocksize_bits) 2.1438 -+ return NULL; 2.1439 -+ 2.1440 - data.block = block; 2.1441 - data.offset = offset; 2.1442 - 2.1443 -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c 2.1444 ---- a/fs/isofs/rock.c 2.1445 -+++ b/fs/isofs/rock.c 2.1446 -@@ -53,6 +53,7 @@ 2.1447 - if(LEN & 1) LEN++; \ 2.1448 - CHR = ((unsigned char *) DE) + LEN; \ 2.1449 - LEN = *((unsigned char *) DE) - LEN; \ 2.1450 -+ if (LEN<0) LEN=0; \ 2.1451 - if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \ 2.1452 - { \ 2.1453 - LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \ 2.1454 -@@ -73,6 +74,10 @@ 2.1455 - offset1 = 0; \ 2.1456 - pbh = sb_bread(DEV->i_sb, block); \ 2.1457 - if(pbh){ \ 2.1458 -+ if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \ 2.1459 -+ brelse(pbh); \ 2.1460 -+ goto out; \ 2.1461 -+ } \ 2.1462 - memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \ 2.1463 - brelse(pbh); \ 2.1464 - chr = (unsigned char *) buffer; \ 2.1465 -@@ -103,12 +108,13 @@ int 
get_rock_ridge_filename(struct iso_d 2.1466 - struct rock_ridge * rr; 2.1467 - int sig; 2.1468 - 2.1469 -- while (len > 1){ /* There may be one byte for padding somewhere */ 2.1470 -+ while (len > 2){ /* There may be one byte for padding somewhere */ 2.1471 - rr = (struct rock_ridge *) chr; 2.1472 -- if (rr->len == 0) goto out; /* Something got screwed up here */ 2.1473 -+ if (rr->len < 3) goto out; /* Something got screwed up here */ 2.1474 - sig = isonum_721(chr); 2.1475 - chr += rr->len; 2.1476 - len -= rr->len; 2.1477 -+ if (len < 0) goto out; /* corrupted isofs */ 2.1478 - 2.1479 - switch(sig){ 2.1480 - case SIG('R','R'): 2.1481 -@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d 2.1482 - break; 2.1483 - case SIG('N','M'): 2.1484 - if (truncate) break; 2.1485 -+ if (rr->len < 5) break; 2.1486 - /* 2.1487 - * If the flags are 2 or 4, this indicates '.' or '..'. 2.1488 - * We don't want to do anything with this, because it 2.1489 -@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i 2.1490 - struct rock_ridge * rr; 2.1491 - int rootflag; 2.1492 - 2.1493 -- while (len > 1){ /* There may be one byte for padding somewhere */ 2.1494 -+ while (len > 2){ /* There may be one byte for padding somewhere */ 2.1495 - rr = (struct rock_ridge *) chr; 2.1496 -- if (rr->len == 0) goto out; /* Something got screwed up here */ 2.1497 -+ if (rr->len < 3) goto out; /* Something got screwed up here */ 2.1498 - sig = isonum_721(chr); 2.1499 - chr += rr->len; 2.1500 - len -= rr->len; 2.1501 -+ if (len < 0) goto out; /* corrupted isofs */ 2.1502 - 2.1503 - switch(sig){ 2.1504 - #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */ 2.1505 -@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s 2.1506 - struct rock_ridge *rr; 2.1507 - 2.1508 - if (!ISOFS_SB(inode->i_sb)->s_rock) 2.1509 -- panic ("Cannot have symlink with high sierra variant of iso filesystem\n"); 2.1510 -+ goto error; 2.1511 - 2.1512 - block = ei->i_iget5_block; 2.1513 - lock_kernel(); 2.1514 -@@ 
-487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s 2.1515 - SETUP_ROCK_RIDGE(raw_inode, chr, len); 2.1516 - 2.1517 - repeat: 2.1518 -- while (len > 1) { /* There may be one byte for padding somewhere */ 2.1519 -+ while (len > 2) { /* There may be one byte for padding somewhere */ 2.1520 - rr = (struct rock_ridge *) chr; 2.1521 -- if (rr->len == 0) 2.1522 -+ if (rr->len < 3) 2.1523 - goto out; /* Something got screwed up here */ 2.1524 - sig = isonum_721(chr); 2.1525 - chr += rr->len; 2.1526 - len -= rr->len; 2.1527 -+ if (len < 0) 2.1528 -+ goto out; /* corrupted isofs */ 2.1529 - 2.1530 - switch (sig) { 2.1531 - case SIG('R', 'R'): 2.1532 -@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s 2.1533 - fail: 2.1534 - brelse(bh); 2.1535 - unlock_kernel(); 2.1536 -+ error: 2.1537 - SetPageError(page); 2.1538 - kunmap(page); 2.1539 - unlock_page(page); 2.1540 -diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c 2.1541 ---- a/fs/jbd/transaction.c 2.1542 -+++ b/fs/jbd/transaction.c 2.1543 -@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_ 2.1544 - JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget"); 2.1545 - ret = __dispose_buffer(jh, 2.1546 - journal->j_running_transaction); 2.1547 -+ journal_put_journal_head(jh); 2.1548 - spin_unlock(&journal->j_list_lock); 2.1549 - jbd_unlock_bh_state(bh); 2.1550 - spin_unlock(&journal->j_state_lock); 2.1551 -- journal_put_journal_head(jh); 2.1552 - return ret; 2.1553 - } else { 2.1554 - /* There is no currently-running transaction. 
So the 2.1555 -@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_ 2.1556 - JBUFFER_TRACE(jh, "give to committing trans"); 2.1557 - ret = __dispose_buffer(jh, 2.1558 - journal->j_committing_transaction); 2.1559 -+ journal_put_journal_head(jh); 2.1560 - spin_unlock(&journal->j_list_lock); 2.1561 - jbd_unlock_bh_state(bh); 2.1562 - spin_unlock(&journal->j_state_lock); 2.1563 -- journal_put_journal_head(jh); 2.1564 - return ret; 2.1565 - } else { 2.1566 - /* The orphan record's transaction has 2.1567 -@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_ 2.1568 - journal->j_running_transaction); 2.1569 - jh->b_next_transaction = NULL; 2.1570 - } 2.1571 -+ journal_put_journal_head(jh); 2.1572 - spin_unlock(&journal->j_list_lock); 2.1573 - jbd_unlock_bh_state(bh); 2.1574 - spin_unlock(&journal->j_state_lock); 2.1575 -- journal_put_journal_head(jh); 2.1576 - return 0; 2.1577 - } else { 2.1578 - /* Good, the buffer belongs to the running transaction. 2.1579 -diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h 2.1580 ---- a/include/asm-x86_64/processor.h 2.1581 -+++ b/include/asm-x86_64/processor.h 2.1582 -@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne 2.1583 - 2.1584 - 2.1585 - /* 2.1586 -- * User space process size. 47bits. 2.1587 -+ * User space process size. 47bits minus one guard page. 2.1588 - */ 2.1589 --#define TASK_SIZE (0x800000000000UL) 2.1590 -+#define TASK_SIZE (0x800000000000UL - 4096) 2.1591 - 2.1592 - /* This decides where the kernel will search for a free chunk of vm 2.1593 - * space during mmap's. 2.1594 -diff --git a/include/linux/err.h b/include/linux/err.h 2.1595 ---- a/include/linux/err.h 2.1596 -+++ b/include/linux/err.h 2.1597 -@@ -13,6 +13,8 @@ 2.1598 - * This should be a per-architecture thing, to allow different 2.1599 - * error and pointer decisions. 
2.1600 - */ 2.1601 -+#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L) 2.1602 -+ 2.1603 - static inline void *ERR_PTR(long error) 2.1604 - { 2.1605 - return (void *) error; 2.1606 -@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p 2.1607 - 2.1608 - static inline long IS_ERR(const void *ptr) 2.1609 - { 2.1610 -- return unlikely((unsigned long)ptr > (unsigned long)-1000L); 2.1611 -+ return IS_ERR_VALUE((unsigned long)ptr); 2.1612 - } 2.1613 - 2.1614 - #endif /* _LINUX_ERR_H */ 2.1615 -diff --git a/kernel/exit.c b/kernel/exit.c 2.1616 ---- a/kernel/exit.c 2.1617 -+++ b/kernel/exit.c 2.1618 -@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas 2.1619 - */ 2.1620 - BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE); 2.1621 - p->real_parent = reaper; 2.1622 -- if (p->parent == p->real_parent) 2.1623 -- BUG(); 2.1624 - } 2.1625 - 2.1626 - static inline void reparent_thread(task_t *p, task_t *father, int traced) 2.1627 -diff --git a/kernel/signal.c b/kernel/signal.c 2.1628 ---- a/kernel/signal.c 2.1629 -+++ b/kernel/signal.c 2.1630 -@@ -1728,6 +1728,7 @@ do_signal_stop(int signr) 2.1631 - * with another processor delivering a stop signal, 2.1632 - * then the SIGCONT that wakes us up should clear it. 
2.1633 - */ 2.1634 -+ read_unlock(&tasklist_lock); 2.1635 - return 0; 2.1636 - } 2.1637 - 2.1638 -diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c 2.1639 ---- a/lib/rwsem-spinlock.c 2.1640 -+++ b/lib/rwsem-spinlock.c 2.1641 -@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct 2.1642 - 2.1643 - rwsemtrace(sem, "Entering __down_read"); 2.1644 - 2.1645 -- spin_lock(&sem->wait_lock); 2.1646 -+ spin_lock_irq(&sem->wait_lock); 2.1647 - 2.1648 - if (sem->activity >= 0 && list_empty(&sem->wait_list)) { 2.1649 - /* granted */ 2.1650 - sem->activity++; 2.1651 -- spin_unlock(&sem->wait_lock); 2.1652 -+ spin_unlock_irq(&sem->wait_lock); 2.1653 - goto out; 2.1654 - } 2.1655 - 2.1656 -@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct 2.1657 - list_add_tail(&waiter.list, &sem->wait_list); 2.1658 - 2.1659 - /* we don't need to touch the semaphore struct anymore */ 2.1660 -- spin_unlock(&sem->wait_lock); 2.1661 -+ spin_unlock_irq(&sem->wait_lock); 2.1662 - 2.1663 - /* wait to be given the lock */ 2.1664 - for (;;) { 2.1665 -@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct 2.1666 - */ 2.1667 - int fastcall __down_read_trylock(struct rw_semaphore *sem) 2.1668 - { 2.1669 -+ unsigned long flags; 2.1670 - int ret = 0; 2.1671 -+ 2.1672 - rwsemtrace(sem, "Entering __down_read_trylock"); 2.1673 - 2.1674 -- spin_lock(&sem->wait_lock); 2.1675 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1676 - 2.1677 - if (sem->activity >= 0 && list_empty(&sem->wait_list)) { 2.1678 - /* granted */ 2.1679 -@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct 2.1680 - ret = 1; 2.1681 - } 2.1682 - 2.1683 -- spin_unlock(&sem->wait_lock); 2.1684 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1685 - 2.1686 - rwsemtrace(sem, "Leaving __down_read_trylock"); 2.1687 - return ret; 2.1688 -@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc 2.1689 - 2.1690 - rwsemtrace(sem, "Entering __down_write"); 2.1691 - 2.1692 -- spin_lock(&sem->wait_lock); 
2.1693 -+ spin_lock_irq(&sem->wait_lock); 2.1694 - 2.1695 - if (sem->activity == 0 && list_empty(&sem->wait_list)) { 2.1696 - /* granted */ 2.1697 - sem->activity = -1; 2.1698 -- spin_unlock(&sem->wait_lock); 2.1699 -+ spin_unlock_irq(&sem->wait_lock); 2.1700 - goto out; 2.1701 - } 2.1702 - 2.1703 -@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc 2.1704 - list_add_tail(&waiter.list, &sem->wait_list); 2.1705 - 2.1706 - /* we don't need to touch the semaphore struct anymore */ 2.1707 -- spin_unlock(&sem->wait_lock); 2.1708 -+ spin_unlock_irq(&sem->wait_lock); 2.1709 - 2.1710 - /* wait to be given the lock */ 2.1711 - for (;;) { 2.1712 -@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc 2.1713 - */ 2.1714 - int fastcall __down_write_trylock(struct rw_semaphore *sem) 2.1715 - { 2.1716 -+ unsigned long flags; 2.1717 - int ret = 0; 2.1718 -+ 2.1719 - rwsemtrace(sem, "Entering __down_write_trylock"); 2.1720 - 2.1721 -- spin_lock(&sem->wait_lock); 2.1722 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1723 - 2.1724 - if (sem->activity == 0 && list_empty(&sem->wait_list)) { 2.1725 - /* granted */ 2.1726 -@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct 2.1727 - ret = 1; 2.1728 - } 2.1729 - 2.1730 -- spin_unlock(&sem->wait_lock); 2.1731 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1732 - 2.1733 - rwsemtrace(sem, "Leaving __down_write_trylock"); 2.1734 - return ret; 2.1735 -@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct 2.1736 - */ 2.1737 - void fastcall __up_read(struct rw_semaphore *sem) 2.1738 - { 2.1739 -+ unsigned long flags; 2.1740 -+ 2.1741 - rwsemtrace(sem, "Entering __up_read"); 2.1742 - 2.1743 -- spin_lock(&sem->wait_lock); 2.1744 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1745 - 2.1746 - if (--sem->activity == 0 && !list_empty(&sem->wait_list)) 2.1747 - sem = __rwsem_wake_one_writer(sem); 2.1748 - 2.1749 -- spin_unlock(&sem->wait_lock); 2.1750 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1751 
- 2.1752 - rwsemtrace(sem, "Leaving __up_read"); 2.1753 - } 2.1754 -@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph 2.1755 - */ 2.1756 - void fastcall __up_write(struct rw_semaphore *sem) 2.1757 - { 2.1758 -+ unsigned long flags; 2.1759 -+ 2.1760 - rwsemtrace(sem, "Entering __up_write"); 2.1761 - 2.1762 -- spin_lock(&sem->wait_lock); 2.1763 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1764 - 2.1765 - sem->activity = 0; 2.1766 - if (!list_empty(&sem->wait_list)) 2.1767 - sem = __rwsem_do_wake(sem, 1); 2.1768 - 2.1769 -- spin_unlock(&sem->wait_lock); 2.1770 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1771 - 2.1772 - rwsemtrace(sem, "Leaving __up_write"); 2.1773 - } 2.1774 -@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap 2.1775 - */ 2.1776 - void fastcall __downgrade_write(struct rw_semaphore *sem) 2.1777 - { 2.1778 -+ unsigned long flags; 2.1779 -+ 2.1780 - rwsemtrace(sem, "Entering __downgrade_write"); 2.1781 - 2.1782 -- spin_lock(&sem->wait_lock); 2.1783 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1784 - 2.1785 - sem->activity = 1; 2.1786 - if (!list_empty(&sem->wait_list)) 2.1787 - sem = __rwsem_do_wake(sem, 0); 2.1788 - 2.1789 -- spin_unlock(&sem->wait_lock); 2.1790 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1791 - 2.1792 - rwsemtrace(sem, "Leaving __downgrade_write"); 2.1793 - } 2.1794 -diff --git a/lib/rwsem.c b/lib/rwsem.c 2.1795 ---- a/lib/rwsem.c 2.1796 -+++ b/lib/rwsem.c 2.1797 -@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap 2.1798 - set_task_state(tsk, TASK_UNINTERRUPTIBLE); 2.1799 - 2.1800 - /* set up my own style of waitqueue */ 2.1801 -- spin_lock(&sem->wait_lock); 2.1802 -+ spin_lock_irq(&sem->wait_lock); 2.1803 - waiter->task = tsk; 2.1804 - get_task_struct(tsk); 2.1805 - 2.1806 -@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap 2.1807 - if (!(count & RWSEM_ACTIVE_MASK)) 2.1808 - sem = __rwsem_do_wake(sem, 0); 2.1809 - 2.1810 -- spin_unlock(&sem->wait_lock); 2.1811 -+ 
spin_unlock_irq(&sem->wait_lock); 2.1812 - 2.1813 - /* wait to be given the lock */ 2.1814 - for (;;) { 2.1815 -@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph 2.1816 - */ 2.1817 - struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem) 2.1818 - { 2.1819 -+ unsigned long flags; 2.1820 -+ 2.1821 - rwsemtrace(sem, "Entering rwsem_wake"); 2.1822 - 2.1823 -- spin_lock(&sem->wait_lock); 2.1824 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1825 - 2.1826 - /* do nothing if list empty */ 2.1827 - if (!list_empty(&sem->wait_list)) 2.1828 - sem = __rwsem_do_wake(sem, 0); 2.1829 - 2.1830 -- spin_unlock(&sem->wait_lock); 2.1831 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1832 - 2.1833 - rwsemtrace(sem, "Leaving rwsem_wake"); 2.1834 - 2.1835 -@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake 2.1836 - */ 2.1837 - struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem) 2.1838 - { 2.1839 -+ unsigned long flags; 2.1840 -+ 2.1841 - rwsemtrace(sem, "Entering rwsem_downgrade_wake"); 2.1842 - 2.1843 -- spin_lock(&sem->wait_lock); 2.1844 -+ spin_lock_irqsave(&sem->wait_lock, flags); 2.1845 - 2.1846 - /* do nothing if list empty */ 2.1847 - if (!list_empty(&sem->wait_list)) 2.1848 - sem = __rwsem_do_wake(sem, 1); 2.1849 - 2.1850 -- spin_unlock(&sem->wait_lock); 2.1851 -+ spin_unlock_irqrestore(&sem->wait_lock, flags); 2.1852 - 2.1853 - rwsemtrace(sem, "Leaving rwsem_downgrade_wake"); 2.1854 - return sem; 2.1855 -diff --git a/mm/mmap.c b/mm/mmap.c 2.1856 ---- a/mm/mmap.c 2.1857 -+++ b/mm/mmap.c 2.1858 -@@ -1315,37 +1315,40 @@ unsigned long 2.1859 - get_unmapped_area(struct file *file, unsigned long addr, unsigned long len, 2.1860 - unsigned long pgoff, unsigned long flags) 2.1861 - { 2.1862 -- if (flags & MAP_FIXED) { 2.1863 -- unsigned long ret; 2.1864 -+ unsigned long ret; 2.1865 - 2.1866 -- if (addr > TASK_SIZE - len) 2.1867 -- return -ENOMEM; 2.1868 -- if (addr & ~PAGE_MASK) 2.1869 -- return -EINVAL; 2.1870 -- if 
(file && is_file_hugepages(file)) { 2.1871 -- /* 2.1872 -- * Check if the given range is hugepage aligned, and 2.1873 -- * can be made suitable for hugepages. 2.1874 -- */ 2.1875 -- ret = prepare_hugepage_range(addr, len); 2.1876 -- } else { 2.1877 -- /* 2.1878 -- * Ensure that a normal request is not falling in a 2.1879 -- * reserved hugepage range. For some archs like IA-64, 2.1880 -- * there is a separate region for hugepages. 2.1881 -- */ 2.1882 -- ret = is_hugepage_only_range(addr, len); 2.1883 -- } 2.1884 -- if (ret) 2.1885 -- return -EINVAL; 2.1886 -- return addr; 2.1887 -- } 2.1888 -+ if (!(flags & MAP_FIXED)) { 2.1889 -+ unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); 2.1890 - 2.1891 -- if (file && file->f_op && file->f_op->get_unmapped_area) 2.1892 -- return file->f_op->get_unmapped_area(file, addr, len, 2.1893 -- pgoff, flags); 2.1894 -+ get_area = current->mm->get_unmapped_area; 2.1895 -+ if (file && file->f_op && file->f_op->get_unmapped_area) 2.1896 -+ get_area = file->f_op->get_unmapped_area; 2.1897 -+ addr = get_area(file, addr, len, pgoff, flags); 2.1898 -+ if (IS_ERR_VALUE(addr)) 2.1899 -+ return addr; 2.1900 -+ } 2.1901 - 2.1902 -- return current->mm->get_unmapped_area(file, addr, len, pgoff, flags); 2.1903 -+ if (addr > TASK_SIZE - len) 2.1904 -+ return -ENOMEM; 2.1905 -+ if (addr & ~PAGE_MASK) 2.1906 -+ return -EINVAL; 2.1907 -+ if (file && is_file_hugepages(file)) { 2.1908 -+ /* 2.1909 -+ * Check if the given range is hugepage aligned, and 2.1910 -+ * can be made suitable for hugepages. 2.1911 -+ */ 2.1912 -+ ret = prepare_hugepage_range(addr, len); 2.1913 -+ } else { 2.1914 -+ /* 2.1915 -+ * Ensure that a normal request is not falling in a 2.1916 -+ * reserved hugepage range. For some archs like IA-64, 2.1917 -+ * there is a separate region for hugepages. 
2.1918 -+ */ 2.1919 -+ ret = is_hugepage_only_range(addr, len); 2.1920 -+ } 2.1921 -+ if (ret) 2.1922 -+ return -EINVAL; 2.1923 -+ return addr; 2.1924 - } 2.1925 - 2.1926 - EXPORT_SYMBOL(get_unmapped_area); 2.1927 -diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c 2.1928 ---- a/net/bluetooth/af_bluetooth.c 2.1929 -+++ b/net/bluetooth/af_bluetooth.c 2.1930 -@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache; 2.1931 - 2.1932 - int bt_sock_register(int proto, struct net_proto_family *ops) 2.1933 - { 2.1934 -- if (proto >= BT_MAX_PROTO) 2.1935 -+ if (proto < 0 || proto >= BT_MAX_PROTO) 2.1936 - return -EINVAL; 2.1937 - 2.1938 - if (bt_proto[proto]) 2.1939 -@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register); 2.1940 - 2.1941 - int bt_sock_unregister(int proto) 2.1942 - { 2.1943 -- if (proto >= BT_MAX_PROTO) 2.1944 -+ if (proto < 0 || proto >= BT_MAX_PROTO) 2.1945 - return -EINVAL; 2.1946 - 2.1947 - if (!bt_proto[proto]) 2.1948 -@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket 2.1949 - { 2.1950 - int err = 0; 2.1951 - 2.1952 -- if (proto >= BT_MAX_PROTO) 2.1953 -+ if (proto < 0 || proto >= BT_MAX_PROTO) 2.1954 - return -EINVAL; 2.1955 - 2.1956 - #if defined(CONFIG_KMOD) 2.1957 -diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c 2.1958 ---- a/net/bridge/netfilter/ebtables.c 2.1959 -+++ b/net/bridge/netfilter/ebtables.c 2.1960 -@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 2.1961 - struct ebt_chainstack *cs; 2.1962 - struct ebt_entries *chaininfo; 2.1963 - char *base; 2.1964 -- struct ebt_table_info *private = table->private; 2.1965 -+ struct ebt_table_info *private; 2.1966 - 2.1967 - read_lock_bh(&table->lock); 2.1968 -+ private = table->private; 2.1969 - cb_base = COUNTER_BASE(private->counters, private->nentries, 2.1970 - smp_processor_id()); 2.1971 - if (private->chainstack) 2.1972 -diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c 2.1973 ---- a/net/ipv4/fib_hash.c 2.1974 -+++ 
b/net/ipv4/fib_hash.c 2.1975 -@@ -919,13 +919,23 @@ out: 2.1976 - return fa; 2.1977 - } 2.1978 - 2.1979 -+static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos) 2.1980 -+{ 2.1981 -+ struct fib_alias *fa = fib_get_first(seq); 2.1982 -+ 2.1983 -+ if (fa) 2.1984 -+ while (pos && (fa = fib_get_next(seq))) 2.1985 -+ --pos; 2.1986 -+ return pos ? NULL : fa; 2.1987 -+} 2.1988 -+ 2.1989 - static void *fib_seq_start(struct seq_file *seq, loff_t *pos) 2.1990 - { 2.1991 - void *v = NULL; 2.1992 - 2.1993 - read_lock(&fib_hash_lock); 2.1994 - if (ip_fib_main_table) 2.1995 -- v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN; 2.1996 -+ v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; 2.1997 - return v; 2.1998 - } 2.1999 - 2.2000 -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c 2.2001 ---- a/net/ipv4/tcp_input.c 2.2002 -+++ b/net/ipv4/tcp_input.c 2.2003 -@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str 2.2004 - static void tcp_undo_cwr(struct tcp_sock *tp, int undo) 2.2005 - { 2.2006 - if (tp->prior_ssthresh) { 2.2007 -- tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1); 2.2008 -+ if (tcp_is_bic(tp)) 2.2009 -+ tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd); 2.2010 -+ else 2.2011 -+ tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1); 2.2012 - 2.2013 - if (undo && tp->prior_ssthresh > tp->snd_ssthresh) { 2.2014 - tp->snd_ssthresh = tp->prior_ssthresh; 2.2015 -diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c 2.2016 ---- a/net/ipv4/tcp_timer.c 2.2017 -+++ b/net/ipv4/tcp_timer.c 2.2018 -@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne 2.2019 - 2.2020 - #ifdef TCP_DEBUG 2.2021 - const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n"; 2.2022 -+EXPORT_SYMBOL(tcp_timer_bug_msg); 2.2023 - #endif 2.2024 - 2.2025 - /* 2.2026 -diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c 2.2027 ---- a/net/ipv4/xfrm4_output.c 2.2028 -+++ b/net/ipv4/xfrm4_output.c 2.2029 -@@ -103,17 +103,17 
@@ int xfrm4_output(struct sk_buff *skb) 2.2030 - goto error_nolock; 2.2031 - } 2.2032 - 2.2033 -- spin_lock_bh(&x->lock); 2.2034 -- err = xfrm_state_check(x, skb); 2.2035 -- if (err) 2.2036 -- goto error; 2.2037 -- 2.2038 - if (x->props.mode) { 2.2039 - err = xfrm4_tunnel_check_size(skb); 2.2040 - if (err) 2.2041 -- goto error; 2.2042 -+ goto error_nolock; 2.2043 - } 2.2044 - 2.2045 -+ spin_lock_bh(&x->lock); 2.2046 -+ err = xfrm_state_check(x, skb); 2.2047 -+ if (err) 2.2048 -+ goto error; 2.2049 -+ 2.2050 - xfrm4_encap(skb); 2.2051 - 2.2052 - err = x->type->output(skb); 2.2053 -diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c 2.2054 ---- a/net/ipv6/xfrm6_output.c 2.2055 -+++ b/net/ipv6/xfrm6_output.c 2.2056 -@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb) 2.2057 - goto error_nolock; 2.2058 - } 2.2059 - 2.2060 -- spin_lock_bh(&x->lock); 2.2061 -- err = xfrm_state_check(x, skb); 2.2062 -- if (err) 2.2063 -- goto error; 2.2064 -- 2.2065 - if (x->props.mode) { 2.2066 - err = xfrm6_tunnel_check_size(skb); 2.2067 - if (err) 2.2068 -- goto error; 2.2069 -+ goto error_nolock; 2.2070 - } 2.2071 - 2.2072 -+ spin_lock_bh(&x->lock); 2.2073 -+ err = xfrm_state_check(x, skb); 2.2074 -+ if (err) 2.2075 -+ goto error; 2.2076 -+ 2.2077 - xfrm6_encap(skb); 2.2078 - 2.2079 - err = x->type->output(skb); 2.2080 -diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c 2.2081 ---- a/net/netrom/nr_in.c 2.2082 -+++ b/net/netrom/nr_in.c 2.2083 -@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock 2.2084 - static int nr_state1_machine(struct sock *sk, struct sk_buff *skb, 2.2085 - int frametype) 2.2086 - { 2.2087 -- bh_lock_sock(sk); 2.2088 - switch (frametype) { 2.2089 - case NR_CONNACK: { 2.2090 - nr_cb *nr = nr_sk(sk); 2.2091 -@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock 2.2092 - default: 2.2093 - break; 2.2094 - } 2.2095 -- bh_unlock_sock(sk); 2.2096 -- 2.2097 - return 0; 2.2098 - } 2.2099 - 2.2100 -@@ -116,7 +113,6 @@ static int 
nr_state1_machine(struct sock 2.2101 - static int nr_state2_machine(struct sock *sk, struct sk_buff *skb, 2.2102 - int frametype) 2.2103 - { 2.2104 -- bh_lock_sock(sk); 2.2105 - switch (frametype) { 2.2106 - case NR_CONNACK | NR_CHOKE_FLAG: 2.2107 - nr_disconnect(sk, ECONNRESET); 2.2108 -@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock 2.2109 - default: 2.2110 - break; 2.2111 - } 2.2112 -- bh_unlock_sock(sk); 2.2113 -- 2.2114 - return 0; 2.2115 - } 2.2116 - 2.2117 -@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock 2.2118 - nr = skb->data[18]; 2.2119 - ns = skb->data[17]; 2.2120 - 2.2121 -- bh_lock_sock(sk); 2.2122 - switch (frametype) { 2.2123 - case NR_CONNREQ: 2.2124 - nr_write_internal(sk, NR_CONNACK); 2.2125 -@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock 2.2126 - default: 2.2127 - break; 2.2128 - } 2.2129 -- bh_unlock_sock(sk); 2.2130 -- 2.2131 - return queued; 2.2132 - } 2.2133 - 2.2134 -diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c 2.2135 ---- a/net/rose/rose_route.c 2.2136 -+++ b/net/rose/rose_route.c 2.2137 -@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void 2.2138 - } 2.2139 - if (rose_route.mask > 10) /* Mask can't be more than 10 digits */ 2.2140 - return -EINVAL; 2.2141 -- 2.2142 -+ if (rose_route.ndigis > 8) /* No more than 8 digipeats */ 2.2143 -+ return -EINVAL; 2.2144 - err = rose_add_node(&rose_route, dev); 2.2145 - dev_put(dev); 2.2146 - return err; 2.2147 -diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c 2.2148 ---- a/net/xfrm/xfrm_state.c 2.2149 -+++ b/net/xfrm/xfrm_state.c 2.2150 -@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac 2.2151 - 2.2152 - for (i = 0; i < XFRM_DST_HSIZE; i++) { 2.2153 - list_for_each_entry(x, xfrm_state_bydst+i, bydst) { 2.2154 -- if (x->km.seq == seq) { 2.2155 -+ if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) { 2.2156 - xfrm_state_hold(x); 2.2157 - return x; 2.2158 - } 2.2159 -diff --git a/security/keys/key.c b/security/keys/key.c 
2.2160 ---- a/security/keys/key.c 2.2161 -+++ b/security/keys/key.c 2.2162 -@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u 2.2163 - { 2.2164 - struct key_user *candidate = NULL, *user; 2.2165 - struct rb_node *parent = NULL; 2.2166 -- struct rb_node **p = &key_user_tree.rb_node; 2.2167 -+ struct rb_node **p; 2.2168 - 2.2169 - try_again: 2.2170 -+ p = &key_user_tree.rb_node; 2.2171 - spin_lock(&key_user_lock); 2.2172 - 2.2173 - /* search the tree for a user record with a matching UID */ 2.2174 -diff --git a/sound/core/timer.c b/sound/core/timer.c 2.2175 ---- a/sound/core/timer.c 2.2176 -+++ b/sound/core/timer.c 2.2177 -@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu 2.2178 - if (tu->qused >= tu->queue_size) { 2.2179 - tu->overrun++; 2.2180 - } else { 2.2181 -- memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread)); 2.2182 -+ memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread)); 2.2183 -+ tu->qtail %= tu->queue_size; 2.2184 - tu->qused++; 2.2185 - } 2.2186 - } 2.2187 -@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd 2.2188 - spin_lock(&tu->qlock); 2.2189 - snd_timer_user_append_to_tqueue(tu, &r1); 2.2190 - spin_unlock(&tu->qlock); 2.2191 -+ kill_fasync(&tu->fasync, SIGIO, POLL_IN); 2.2192 -+ wake_up(&tu->qchange_sleep); 2.2193 - } 2.2194 - 2.2195 - static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri, 2.2196 -diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c 2.2197 ---- a/sound/pci/ac97/ac97_codec.c 2.2198 -+++ b/sound/pci/ac97/ac97_codec.c 2.2199 -@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_ 2.2200 - /* 2.2201 - * create mute switch(es) for normal stereo controls 2.2202 - */ 2.2203 --static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97) 2.2204 -+static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97) 2.2205 - { 2.2206 - snd_kcontrol_t *kctl; 2.2207 - int err; 2.2208 -@@ -1196,7 +1196,7 @@ 
static int snd_ac97_cmute_new(snd_card_t 2.2209 - 2.2210 - mute_mask = 0x8000; 2.2211 - val = snd_ac97_read(ac97, reg); 2.2212 -- if (ac97->flags & AC97_STEREO_MUTES) { 2.2213 -+ if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) { 2.2214 - /* check whether both mute bits work */ 2.2215 - val1 = val | 0x8080; 2.2216 - snd_ac97_write(ac97, reg, val1); 2.2217 -@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t 2.2218 - /* 2.2219 - * create a mute-switch and a volume for normal stereo/mono controls 2.2220 - */ 2.2221 --static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97) 2.2222 -+static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97) 2.2223 - { 2.2224 - int err; 2.2225 - char name[44]; 2.2226 -@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t 2.2227 - 2.2228 - if (snd_ac97_try_bit(ac97, reg, 15)) { 2.2229 - sprintf(name, "%s Switch", pfx); 2.2230 -- if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0) 2.2231 -+ if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0) 2.2232 - return err; 2.2233 - } 2.2234 - check_volume_resolution(ac97, reg, &lo_max, &hi_max); 2.2235 -@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t 2.2236 - return 0; 2.2237 - } 2.2238 - 2.2239 -+#define snd_ac97_cmix_new(card, pfx, reg, ac97) snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97) 2.2240 -+#define snd_ac97_cmute_new(card, name, reg, ac97) snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97) 2.2241 - 2.2242 - static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97); 2.2243 - 2.2244 -@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t * 2.2245 - 2.2246 - /* build surround controls */ 2.2247 - if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) { 2.2248 -- if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0) 2.2249 -+ /* Surround Master (0x38) is with stereo mutes */ 2.2250 -+ 
if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0) 2.2251 - return err; 2.2252 - } 2.2253 - 2.2254 -diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c 2.2255 ---- a/sound/usb/usbaudio.c 2.2256 -+++ b/sound/usb/usbaudio.c 2.2257 -@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str 2.2258 - } 2.2259 - usb_chip[chip->index] = NULL; 2.2260 - up(®ister_mutex); 2.2261 -- snd_card_free_in_thread(card); 2.2262 -+ snd_card_free(card); 2.2263 - } else { 2.2264 - up(®ister_mutex); 2.2265 - } 2.2266 -diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c 2.2267 ---- a/sound/usb/usx2y/usbusx2y.c 2.2268 -+++ b/sound/usb/usx2y/usbusx2y.c 2.2269 -@@ -1,6 +1,11 @@ 2.2270 - /* 2.2271 - * usbusy2y.c - ALSA USB US-428 Driver 2.2272 - * 2.2273 -+2005-04-14 Karsten Wiese 2.2274 -+ Version 0.8.7.2: 2.2275 -+ Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom. 2.2276 -+ Tested ok with kernel 2.6.12-rc2. 2.2277 -+ 2.2278 - 2004-12-14 Karsten Wiese 2.2279 - Version 0.8.7.1: 2.2280 - snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open. 2.2281 -@@ -143,7 +148,7 @@ 2.2282 - 2.2283 - 2.2284 - MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>"); 2.2285 --MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1"); 2.2286 -+MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2"); 2.2287 - MODULE_LICENSE("GPL"); 2.2288 - MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}"); 2.2289 - 2.2290 -@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct 2.2291 - if (ptr) { 2.2292 - usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr); 2.2293 - struct list_head* p; 2.2294 -- if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP) // on 2.6.1 kernel snd_usbmidi_disconnect() 2.2295 -- return; // calls us back. better leave :-) . 
2.2296 - usX2Y->chip.shutdown = 1; 2.2297 - usX2Y->chip_status = USX2Y_STAT_CHIP_HUP; 2.2298 - usX2Y_unlinkSeq(&usX2Y->AS04); 2.2299 -@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct 2.2300 - } 2.2301 - if (usX2Y->us428ctls_sharedmem) 2.2302 - wake_up(&usX2Y->us428ctls_wait_queue_head); 2.2303 -- snd_card_free_in_thread((snd_card_t*)ptr); 2.2304 -+ snd_card_free((snd_card_t*)ptr); 2.2305 - } 2.2306 - } 2.2307 -
3.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 3.2 +++ b/patches/linux-2.6.11/linux-2.6.11.12.patch Mon Jun 13 13:17:02 2005 +0000 3.3 
@@ -0,0 +1,2579 @@ 3.4 +diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs 3.5 +new file mode 100644 3.6 +--- /dev/null 3.7 ++++ b/Documentation/SecurityBugs 3.8 +@@ -0,0 +1,38 @@ 3.9 ++Linux kernel developers take security very seriously. As such, we'd 3.10 ++like to know when a security bug is found so that it can be fixed and 3.11 ++disclosed as quickly as possible. Please report security bugs to the 3.12 ++Linux kernel security team. 3.13 ++ 3.14 ++1) Contact 3.15 ++ 3.16 ++The Linux kernel security team can be contacted by email at 3.17 ++<security@kernel.org>. This is a private list of security officers 3.18 ++who will help verify the bug report and develop and release a fix. 3.19 ++It is possible that the security team will bring in extra help from 3.20 ++area maintainers to understand and fix the security vulnerability. 3.21 ++ 3.22 ++As it is with any bug, the more information provided the easier it 3.23 ++will be to diagnose and fix. Please review the procedure outlined in 3.24 ++REPORTING-BUGS if you are unclear about what information is helpful. 3.25 ++Any exploit code is very helpful and will not be released without 3.26 ++consent from the reporter unless it has already been made public. 3.27 ++ 3.28 ++2) Disclosure 3.29 ++ 3.30 ++The goal of the Linux kernel security team is to work with the 3.31 ++bug submitter to bug resolution as well as disclosure. We prefer 3.32 ++to fully disclose the bug as soon as possible. It is reasonable to 3.33 ++delay disclosure when the bug or the fix is not yet fully understood, 3.34 ++the solution is not well-tested or for vendor coordination. However, we 3.35 ++expect these delays to be short, measurable in days, not weeks or months. 3.36 ++A disclosure date is negotiated by the security team working with the 3.37 ++bug submitter as well as vendors. However, the kernel security team 3.38 ++holds the final say when setting a disclosure date. The timeframe for 3.39 ++disclosure is from immediate (esp. 
if it's already publically known) 3.40 ++to a few weeks. As a basic default policy, we expect report date to 3.41 ++disclosure date to be on the order of 7 days. 3.42 ++ 3.43 ++3) Non-disclosure agreements 3.44 ++ 3.45 ++The Linux kernel security team is not a formal body and therefore unable 3.46 ++to enter any non-disclosure agreements. 3.47 +diff --git a/MAINTAINERS b/MAINTAINERS 3.48 +--- a/MAINTAINERS 3.49 ++++ b/MAINTAINERS 3.50 +@@ -1966,6 +1966,11 @@ M: christer@weinigel.se 3.51 + W: http://www.weinigel.se 3.52 + S: Supported 3.53 + 3.54 ++SECURITY CONTACT 3.55 ++P: Security Officers 3.56 ++M: security@kernel.org 3.57 ++S: Supported 3.58 ++ 3.59 + SELINUX SECURITY MODULE 3.60 + P: Stephen Smalley 3.61 + M: sds@epoch.ncsc.mil 3.62 +diff --git a/Makefile b/Makefile 3.63 +--- a/Makefile 3.64 ++++ b/Makefile 3.65 +@@ -1,8 +1,8 @@ 3.66 + VERSION = 2 3.67 + PATCHLEVEL = 6 3.68 + SUBLEVEL = 11 3.69 +-EXTRAVERSION = 3.70 +-NAME=Woozy Numbat 3.71 ++EXTRAVERSION = .12 3.72 ++NAME=Woozy Beaver 3.73 + 3.74 + # *DOCUMENTATION* 3.75 + # To see a list of typical targets execute "make help" 3.76 +diff --git a/REPORTING-BUGS b/REPORTING-BUGS 3.77 +--- a/REPORTING-BUGS 3.78 ++++ b/REPORTING-BUGS 3.79 +@@ -16,6 +16,10 @@ code relevant to what you were doing. If 3.80 + describe how to recreate it. That is worth even more than the oops itself. 3.81 + The list of maintainers is in the MAINTAINERS file in this directory. 3.82 + 3.83 ++ If it is a security bug, please copy the Security Contact listed 3.84 ++in the MAINTAINERS file. They can help coordinate bugfix and disclosure. 3.85 ++See Documentation/SecurityBugs for more infomation. 3.86 ++ 3.87 + If you are totally stumped as to whom to send the report, send it to 3.88 + linux-kernel@vger.kernel.org. (For more information on the linux-kernel 3.89 + mailing list see http://www.tux.org/lkml/). 
3.90 +diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S 3.91 +--- a/arch/ia64/kernel/fsys.S 3.92 ++++ b/arch/ia64/kernel/fsys.S 3.93 +@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down) 3.94 + movl r2=ia64_ret_from_syscall 3.95 + ;; 3.96 + mov rp=r2 // set the real return addr 3.97 +- tbit.z p8,p0=r3,TIF_SYSCALL_TRACE 3.98 ++ and r3=_TIF_SYSCALL_TRACEAUDIT,r3 3.99 + ;; 3.100 ++ cmp.eq p8,p0=r3,r0 3.101 ++ 3.102 + (p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8 3.103 + (p8) br.call.sptk.many b6=b6 // ignore this return addr 3.104 + br.cond.sptk ia64_trace_syscall 3.105 +diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c 3.106 +--- a/arch/ia64/kernel/signal.c 3.107 ++++ b/arch/ia64/kernel/signal.c 3.108 +@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc 3.109 + * could be corrupted. 3.110 + */ 3.111 + retval = (long) &ia64_leave_kernel; 3.112 +- if (test_thread_flag(TIF_SYSCALL_TRACE)) 3.113 ++ if (test_thread_flag(TIF_SYSCALL_TRACE) 3.114 ++ || test_thread_flag(TIF_SYSCALL_AUDIT)) 3.115 + /* 3.116 + * strace expects to be notified after sigreturn returns even though the 3.117 + * context to which we return may not be in the middle of a syscall. 
3.118 +diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c 3.119 +--- a/arch/ppc/oprofile/op_model_fsl_booke.c 3.120 ++++ b/arch/ppc/oprofile/op_model_fsl_booke.c 3.121 +@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s 3.122 + int is_kernel; 3.123 + int val; 3.124 + int i; 3.125 +- unsigned int cpu = smp_processor_id(); 3.126 + 3.127 + /* set the PMM bit (see comment below) */ 3.128 + mtmsr(mfmsr() | MSR_PMM); 3.129 +@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s 3.130 + val = ctr_read(i); 3.131 + if (val < 0) { 3.132 + if (oprofile_running && ctr[i].enabled) { 3.133 +- oprofile_add_sample(pc, is_kernel, i, cpu); 3.134 ++ oprofile_add_pc(pc, is_kernel, i); 3.135 + ctr_write(i, reset_value[i]); 3.136 + } else { 3.137 + ctr_write(i, 0); 3.138 +diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h 3.139 +--- a/arch/ppc/platforms/4xx/ebony.h 3.140 ++++ b/arch/ppc/platforms/4xx/ebony.h 3.141 +@@ -61,8 +61,8 @@ 3.142 + */ 3.143 + 3.144 + /* OpenBIOS defined UART mappings, used before early_serial_setup */ 3.145 +-#define UART0_IO_BASE (u8 *) 0xE0000200 3.146 +-#define UART1_IO_BASE (u8 *) 0xE0000300 3.147 ++#define UART0_IO_BASE 0xE0000200 3.148 ++#define UART1_IO_BASE 0xE0000300 3.149 + 3.150 + /* external Epson SG-615P */ 3.151 + #define BASE_BAUD 691200 3.152 +diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h 3.153 +--- a/arch/ppc/platforms/4xx/luan.h 3.154 ++++ b/arch/ppc/platforms/4xx/luan.h 3.155 +@@ -47,9 +47,9 @@ 3.156 + #define RS_TABLE_SIZE 3 3.157 + 3.158 + /* PIBS defined UART mappings, used before early_serial_setup */ 3.159 +-#define UART0_IO_BASE (u8 *) 0xa0000200 3.160 +-#define UART1_IO_BASE (u8 *) 0xa0000300 3.161 +-#define UART2_IO_BASE (u8 *) 0xa0000600 3.162 ++#define UART0_IO_BASE 0xa0000200 3.163 ++#define UART1_IO_BASE 0xa0000300 3.164 ++#define UART2_IO_BASE 0xa0000600 3.165 + 3.166 + #define BASE_BAUD 11059200 3.167 + #define 
STD_UART_OP(num) \ 3.168 +diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h 3.169 +--- a/arch/ppc/platforms/4xx/ocotea.h 3.170 ++++ b/arch/ppc/platforms/4xx/ocotea.h 3.171 +@@ -56,8 +56,8 @@ 3.172 + #define RS_TABLE_SIZE 2 3.173 + 3.174 + /* OpenBIOS defined UART mappings, used before early_serial_setup */ 3.175 +-#define UART0_IO_BASE (u8 *) 0xE0000200 3.176 +-#define UART1_IO_BASE (u8 *) 0xE0000300 3.177 ++#define UART0_IO_BASE 0xE0000200 3.178 ++#define UART1_IO_BASE 0xE0000300 3.179 + 3.180 + #define BASE_BAUD 11059200/16 3.181 + #define STD_UART_OP(num) \ 3.182 +diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c 3.183 +--- a/arch/ppc64/kernel/pSeries_iommu.c 3.184 ++++ b/arch/ppc64/kernel/pSeries_iommu.c 3.185 +@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st 3.186 + struct device_node *dn, *pdn; 3.187 + unsigned int *dma_window = NULL; 3.188 + 3.189 ++ DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self); 3.190 ++ 3.191 + dn = pci_bus_to_OF_node(bus); 3.192 + 3.193 + /* Find nearest ibm,dma-window, walking up the device tree */ 3.194 +@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru 3.195 + } 3.196 + } 3.197 + 3.198 ++static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev) 3.199 ++{ 3.200 ++ struct device_node *pdn, *dn; 3.201 ++ struct iommu_table *tbl; 3.202 ++ int *dma_window = NULL; 3.203 ++ 3.204 ++ DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name); 3.205 ++ 3.206 ++ /* dev setup for LPAR is a little tricky, since the device tree might 3.207 ++ * contain the dma-window properties per-device and not neccesarily 3.208 ++ * for the bus. So we need to search upwards in the tree until we 3.209 ++ * either hit a dma-window property, OR find a parent with a table 3.210 ++ * already allocated. 
3.211 ++ */ 3.212 ++ dn = pci_device_to_OF_node(dev); 3.213 ++ 3.214 ++ for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) { 3.215 ++ dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL); 3.216 ++ if (dma_window) 3.217 ++ break; 3.218 ++ } 3.219 ++ 3.220 ++ /* Check for parent == NULL so we don't try to setup the empty EADS 3.221 ++ * slots on POWER4 machines. 3.222 ++ */ 3.223 ++ if (dma_window == NULL || pdn->parent == NULL) { 3.224 ++ /* Fall back to regular (non-LPAR) dev setup */ 3.225 ++ DBG("No dma window for device, falling back to regular setup\n"); 3.226 ++ iommu_dev_setup_pSeries(dev); 3.227 ++ return; 3.228 ++ } else { 3.229 ++ DBG("Found DMA window, allocating table\n"); 3.230 ++ } 3.231 ++ 3.232 ++ if (!pdn->iommu_table) { 3.233 ++ /* iommu_table_setparms_lpar needs bussubno. */ 3.234 ++ pdn->bussubno = pdn->phb->bus->number; 3.235 ++ 3.236 ++ tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table), 3.237 ++ GFP_KERNEL); 3.238 ++ 3.239 ++ iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window); 3.240 ++ 3.241 ++ pdn->iommu_table = iommu_init_table(tbl); 3.242 ++ } 3.243 ++ 3.244 ++ if (pdn != dn) 3.245 ++ dn->iommu_table = pdn->iommu_table; 3.246 ++} 3.247 ++ 3.248 + static void iommu_bus_setup_null(struct pci_bus *b) { } 3.249 + static void iommu_dev_setup_null(struct pci_dev *d) { } 3.250 + 3.251 +@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void) 3.252 + ppc_md.tce_free = tce_free_pSeriesLP; 3.253 + } 3.254 + ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP; 3.255 ++ ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP; 3.256 + } else { 3.257 + ppc_md.tce_build = tce_build_pSeries; 3.258 + ppc_md.tce_free = tce_free_pSeries; 3.259 + ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries; 3.260 ++ ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries; 3.261 + } 3.262 + 3.263 +- ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries; 3.264 + 3.265 + pci_iommu_init(); 3.266 + } 3.267 +diff --git a/arch/sparc/kernel/ptrace.c 
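Review bot: In the new `iommu_dev_setup_pSeriesLP()` (arch/ppc64/kernel/pSeries_iommu.c, hunk at +457,56) the `kmalloc()` result is handed straight to `iommu_table_setparms_lpar()` with no NULL check, so an allocation failure during device setup would presumably end in a NULL dereference inside that helper. A guard such as `if (!tbl) return;` before the setparms call would make the failure explicit; whether to return or fall back to `iommu_dev_setup_pSeries(dev)` depends on callers that are not shown here. Separately, `dma_window` is declared `int *` but assigned from a cast to `unsigned int *`, while `iommu_bus_setup_pSeriesLP()` in the same file declares it `unsigned int *`. Declaring it `unsigned int *dma_window = NULL;` keeps the two consistent.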
b/arch/sparc/kernel/ptrace.c 3.268 +--- a/arch/sparc/kernel/ptrace.c 3.269 ++++ b/arch/sparc/kernel/ptrace.c 3.270 +@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs 3.271 + pt_error_return(regs, EIO); 3.272 + goto out_tsk; 3.273 + } 3.274 +- if (addr != 1) { 3.275 +- if (addr & 3) { 3.276 +- pt_error_return(regs, EINVAL); 3.277 +- goto out_tsk; 3.278 +- } 3.279 +-#ifdef DEBUG_PTRACE 3.280 +- printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc); 3.281 +- printk ("Continuing with %08lx %08lx\n", addr, addr+4); 3.282 +-#endif 3.283 +- child->thread.kregs->pc = addr; 3.284 +- child->thread.kregs->npc = addr + 4; 3.285 +- } 3.286 + 3.287 + if (request == PTRACE_SYSCALL) 3.288 + set_tsk_thread_flag(child, TIF_SYSCALL_TRACE); 3.289 +diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c 3.290 +--- a/arch/sparc64/kernel/ptrace.c 3.291 ++++ b/arch/sparc64/kernel/ptrace.c 3.292 +@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs 3.293 + pt_error_return(regs, EIO); 3.294 + goto out_tsk; 3.295 + } 3.296 +- if (addr != 1) { 3.297 +- unsigned long pc_mask = ~0UL; 3.298 +- 3.299 +- if ((child->thread_info->flags & _TIF_32BIT) != 0) 3.300 +- pc_mask = 0xffffffff; 3.301 +- 3.302 +- if (addr & 3) { 3.303 +- pt_error_return(regs, EINVAL); 3.304 +- goto out_tsk; 3.305 +- } 3.306 +-#ifdef DEBUG_PTRACE 3.307 +- printk ("Original: %016lx %016lx\n", 3.308 +- child->thread_info->kregs->tpc, 3.309 +- child->thread_info->kregs->tnpc); 3.310 +- printk ("Continuing with %016lx %016lx\n", addr, addr+4); 3.311 +-#endif 3.312 +- child->thread_info->kregs->tpc = (addr & pc_mask); 3.313 +- child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask); 3.314 +- } 3.315 + 3.316 + if (request == PTRACE_SYSCALL) { 3.317 + set_tsk_thread_flag(child, TIF_SYSCALL_TRACE); 3.318 +diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c 3.319 +--- a/arch/sparc64/kernel/signal32.c 3.320 ++++ 
b/arch/sparc64/kernel/signal32.c 3.321 +@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf 3.322 + err |= __put_user(from->si_uid, &to->si_uid); 3.323 + break; 3.324 + case __SI_FAULT >> 16: 3.325 +- case __SI_POLL >> 16: 3.326 + err |= __put_user(from->si_trapno, &to->si_trapno); 3.327 + err |= __put_user((unsigned long)from->si_addr, &to->si_addr); 3.328 + break; 3.329 ++ case __SI_POLL >> 16: 3.330 ++ err |= __put_user(from->si_band, &to->si_band); 3.331 ++ err |= __put_user(from->si_fd, &to->si_fd); 3.332 ++ break; 3.333 + case __SI_RT >> 16: /* This is not generated by the kernel as of now. */ 3.334 + case __SI_MESGQ >> 16: 3.335 + err |= __put_user(from->si_pid, &to->si_pid); 3.336 +diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S 3.337 +--- a/arch/sparc64/kernel/systbls.S 3.338 ++++ b/arch/sparc64/kernel/systbls.S 3.339 +@@ -75,7 +75,7 @@ sys_call_table32: 3.340 + /*260*/ .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun 3.341 + .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy 3.342 + /*270*/ .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink 3.343 +- .word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid 3.344 ++ .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid 3.345 + /*280*/ .word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl 3.346 + 3.347 + #endif /* CONFIG_COMPAT */ 3.348 +diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h 3.349 +--- a/arch/um/include/sysdep-i386/syscalls.h 3.350 ++++ b/arch/um/include/sysdep-i386/syscalls.h 3.351 +@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr 3.352 + unsigned long prot, unsigned long flags, 3.353 + unsigned long fd, 
unsigned long pgoff); 3.354 + 3.355 ++/* On i386 they choose a meaningless naming.*/ 3.356 ++#define __NR_kexec_load __NR_sys_kexec_load 3.357 ++ 3.358 + #define ARCH_SYSCALLS \ 3.359 + [ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \ 3.360 + [ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \ 3.361 +@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr 3.362 + [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \ 3.363 + [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 3.364 + [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 3.365 +- [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \ 3.366 + [ 251 ] = (syscall_handler_t *) sys_ni_syscall, \ 3.367 +- [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \ 3.368 +- [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \ 3.369 +- [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, 3.370 +- 3.371 ++ [ 285 ] = (syscall_handler_t *) sys_ni_syscall, 3.372 ++ 3.373 + /* 222 doesn't yet have a name in include/asm-i386/unistd.h */ 3.374 + 3.375 +-#define LAST_ARCH_SYSCALL __NR_vserver 3.376 ++#define LAST_ARCH_SYSCALL 285 3.377 + 3.378 + /* 3.379 + * Overrides for Emacs so that we follow Linus's tabbing style. 
3.380 +diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h 3.381 +--- a/arch/um/include/sysdep-x86_64/syscalls.h 3.382 ++++ b/arch/um/include/sysdep-x86_64/syscalls.h 3.383 +@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl; 3.384 + [ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \ 3.385 + [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 3.386 + [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \ 3.387 +- [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \ 3.388 + [ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \ 3.389 +- [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \ 3.390 +- [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \ 3.391 +- [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \ 3.392 +- [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \ 3.393 + [ 251 ] = (syscall_handler_t *) sys_ni_syscall, 3.394 + 3.395 + #define LAST_ARCH_SYSCALL 251 3.396 +diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c 3.397 +--- a/arch/um/kernel/skas/uaccess.c 3.398 ++++ b/arch/um/kernel/skas/uaccess.c 3.399 +@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v 3.400 + void *arg; 3.401 + int *res; 3.402 + 3.403 +- va_copy(args, *(va_list *)arg_ptr); 3.404 ++ /* Some old gccs recognize __va_copy, but not va_copy */ 3.405 ++ __va_copy(args, *(va_list *)arg_ptr); 3.406 + addr = va_arg(args, unsigned long); 3.407 + len = va_arg(args, int); 3.408 + is_write = va_arg(args, int); 3.409 +diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c 3.410 +--- a/arch/um/kernel/sys_call_table.c 3.411 ++++ b/arch/um/kernel/sys_call_table.c 3.412 +@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork; 3.413 + extern syscall_handler_t old_select; 3.414 + extern syscall_handler_t sys_modify_ldt; 3.415 + extern syscall_handler_t sys_rt_sigsuspend; 3.416 +-extern syscall_handler_t sys_vserver; 3.417 + 
extern syscall_handler_t sys_mbind; 3.418 + extern syscall_handler_t sys_get_mempolicy; 3.419 + extern syscall_handler_t sys_set_mempolicy; 3.420 +@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = { 3.421 + [ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create, 3.422 + [ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl, 3.423 + [ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait, 3.424 ++ [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, 3.425 + [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address, 3.426 + [ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create, 3.427 + [ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime, 3.428 +@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = { 3.429 + [ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime, 3.430 + [ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres, 3.431 + [ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep, 3.432 +- [ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64, 3.433 +- [ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64, 3.434 + [ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill, 3.435 + [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, 3.436 +- [ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64, 3.437 +- [ __NR_vserver ] = (syscall_handler_t *) sys_vserver, 3.438 ++ [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, 3.439 ++ [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, 3.440 + [ __NR_mbind ] = (syscall_handler_t *) sys_mbind, 3.441 + [ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy, 3.442 + [ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy, 3.443 +@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = { 3.444 + [ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive, 3.445 + [ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify, 3.446 + [ __NR_mq_getsetattr ] = 
(syscall_handler_t *) sys_mq_getsetattr, 3.447 +- [ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall, 3.448 ++ [ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall, 3.449 + [ __NR_waitid ] = (syscall_handler_t *) sys_waitid, 3.450 +- [ 285 ] = (syscall_handler_t *) sys_ni_syscall, 3.451 + [ __NR_add_key ] = (syscall_handler_t *) sys_add_key, 3.452 + [ __NR_request_key ] = (syscall_handler_t *) sys_request_key, 3.453 + [ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl, 3.454 +diff --git a/arch/x86_64/kernel/apic.c b/arch/x86_64/kernel/apic.c 3.455 +--- a/arch/x86_64/kernel/apic.c 3.456 ++++ b/arch/x86_64/kernel/apic.c 3.457 +@@ -775,9 +775,7 @@ void __init setup_boot_APIC_clock (void) 3.458 + 3.459 + void __init setup_secondary_APIC_clock(void) 3.460 + { 3.461 +- local_irq_disable(); /* FIXME: Do we need this? --RR */ 3.462 + setup_APIC_timer(calibration_result); 3.463 +- local_irq_enable(); 3.464 + } 3.465 + 3.466 + void __init disable_APIC_timer(void) 3.467 +diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c 3.468 +--- a/arch/x86_64/kernel/ptrace.c 3.469 ++++ b/arch/x86_64/kernel/ptrace.c 3.470 +@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch 3.471 + value &= 0xffff; 3.472 + return 0; 3.473 + case offsetof(struct user_regs_struct,fs_base): 3.474 +- if (!((value >> 48) == 0 || (value >> 48) == 0xffff)) 3.475 +- return -EIO; 3.476 ++ if (value >= TASK_SIZE) 3.477 ++ return -EIO; 3.478 + child->thread.fs = value; 3.479 + return 0; 3.480 + case offsetof(struct user_regs_struct,gs_base): 3.481 +- if (!((value >> 48) == 0 || (value >> 48) == 0xffff)) 3.482 +- return -EIO; 3.483 ++ if (value >= TASK_SIZE) 3.484 ++ return -EIO; 3.485 + child->thread.gs = value; 3.486 + return 0; 3.487 + case offsetof(struct user_regs_struct, eflags): 3.488 +@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch 3.489 + return -EIO; 3.490 + value &= 0xffff; 3.491 + break; 3.492 ++ case offsetof(struct user_regs_struct, rip): 
3.493 ++ /* Check if the new RIP address is canonical */ 3.494 ++ if (value >= TASK_SIZE) 3.495 ++ return -EIO; 3.496 ++ break; 3.497 + } 3.498 + put_stack_long(child, regno - sizeof(struct pt_regs), value); 3.499 + return 0; 3.500 +@@ -247,7 +252,7 @@ asmlinkage long sys_ptrace(long request, 3.501 + break; 3.502 + 3.503 + switch (addr) { 3.504 +- case 0 ... sizeof(struct user_regs_struct): 3.505 ++ case 0 ... sizeof(struct user_regs_struct) - sizeof(long): 3.506 + tmp = getreg(child, addr); 3.507 + break; 3.508 + case offsetof(struct user, u_debugreg[0]): 3.509 +@@ -292,7 +297,7 @@ asmlinkage long sys_ptrace(long request, 3.510 + break; 3.511 + 3.512 + switch (addr) { 3.513 +- case 0 ... sizeof(struct user_regs_struct): 3.514 ++ case 0 ... sizeof(struct user_regs_struct) - sizeof(long): 3.515 + ret = putreg(child, addr, data); 3.516 + break; 3.517 + /* Disallows to set a breakpoint into the vsyscall */ 3.518 +diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c 3.519 +--- a/arch/x86_64/kernel/smpboot.c 3.520 ++++ b/arch/x86_64/kernel/smpboot.c 3.521 +@@ -309,8 +309,6 @@ void __init smp_callin(void) 3.522 + Dprintk("CALLIN, before setup_local_APIC().\n"); 3.523 + setup_local_APIC(); 3.524 + 3.525 +- local_irq_enable(); 3.526 +- 3.527 + /* 3.528 + * Get our bogomips. 3.529 + */ 3.530 +@@ -324,8 +322,6 @@ void __init smp_callin(void) 3.531 + */ 3.532 + smp_store_cpu_info(cpuid); 3.533 + 3.534 +- local_irq_disable(); 3.535 +- 3.536 + /* 3.537 + * Allow the master to continue. 3.538 + */ 3.539 +diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c 3.540 +--- a/arch/x86_64/mm/fault.c 3.541 ++++ b/arch/x86_64/mm/fault.c 3.542 +@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne 3.543 + 3.544 + /* 3.545 + * Handle a fault on the vmalloc or module mapping area 3.546 ++ * 3.547 ++ * This assumes no large pages in there. 
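Review bot: The comment on the new `rip` case in `putreg()` (arch/x86_64/kernel/ptrace.c, hunk at +149,11) says the check is for a canonical address, but the code tests `value >= TASK_SIZE`, which is an upper bound on user addresses and is stricter than a canonical-form test. I would reword it to `/* RIP must lie in the user address range (below TASK_SIZE) */` and add a matching one-line comment to the `fs_base` and `gs_base` cases in the -129,13 hunk, which now use the same test with no explanation. The definition of `TASK_SIZE` is outside this page, so whether it reflects the traced child or the calling task (relevant for a 32-bit tracee) should be confirmed.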
3.548 + */ 3.549 + static int vmalloc_fault(unsigned long address) 3.550 + { 3.551 +@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a 3.552 + if (!pte_present(*pte_ref)) 3.553 + return -1; 3.554 + pte = pte_offset_kernel(pmd, address); 3.555 +- if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref)) 3.556 ++ /* Don't use pte_page here, because the mappings can point 3.557 ++ outside mem_map, and the NUMA hash lookup cannot handle 3.558 ++ that. */ 3.559 ++ if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref)) 3.560 + BUG(); 3.561 + __flush_tlb_all(); 3.562 + return 0; 3.563 +@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_ 3.564 + * protection error (error_code & 1) == 0. 3.565 + */ 3.566 + if (unlikely(address >= TASK_SIZE)) { 3.567 +- if (!(error_code & 5)) { 3.568 ++ if (!(error_code & 5) && 3.569 ++ ((address >= VMALLOC_START && address < VMALLOC_END) || 3.570 ++ (address >= MODULES_VADDR && address < MODULES_END))) { 3.571 + if (vmalloc_fault(address) < 0) 3.572 + goto bad_area_nosemaphore; 3.573 + return; 3.574 +diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c 3.575 +--- a/arch/x86_64/mm/ioremap.c 3.576 ++++ b/arch/x86_64/mm/ioremap.c 3.577 +@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr 3.578 + if ((p->flags >> 20) && 3.579 + p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) { 3.580 + /* p->size includes the guard page, but cpa doesn't like that */ 3.581 +- change_page_attr(virt_to_page(__va(p->phys_addr)), 3.582 ++ change_page_attr_addr((unsigned long)(__va(p->phys_addr)), 3.583 + (p->size - PAGE_SIZE) >> PAGE_SHIFT, 3.584 + PAGE_KERNEL); 3.585 + global_flush_tlb(); 3.586 +diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c 3.587 +--- a/drivers/block/ioctl.c 3.588 ++++ b/drivers/block/ioctl.c 3.589 +@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi 3.590 + } 3.591 + return ret; 3.592 + } 3.593 ++ 3.594 ++EXPORT_SYMBOL_GPL(blkdev_ioctl); 3.595 +diff --git 
a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c 3.596 +--- a/drivers/block/pktcdvd.c 3.597 ++++ b/drivers/block/pktcdvd.c 3.598 +@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode 3.599 + case CDROM_LAST_WRITTEN: 3.600 + case CDROM_SEND_PACKET: 3.601 + case SCSI_IOCTL_SEND_COMMAND: 3.602 +- return ioctl_by_bdev(pd->bdev, cmd, arg); 3.603 ++ return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); 3.604 + 3.605 + case CDROMEJECT: 3.606 + /* 3.607 +@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode 3.608 + * have to unlock it or else the eject command fails. 3.609 + */ 3.610 + pkt_lock_door(pd, 0); 3.611 +- return ioctl_by_bdev(pd->bdev, cmd, arg); 3.612 ++ return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); 3.613 + 3.614 + default: 3.615 + printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd); 3.616 +diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c 3.617 +--- a/drivers/char/drm/drm_ioctl.c 3.618 ++++ b/drivers/char/drm/drm_ioctl.c 3.619 +@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS) 3.620 + 3.621 + DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv)); 3.622 + 3.623 ++ memset(&version, 0, sizeof(version)); 3.624 ++ 3.625 + dev->driver->version(&version); 3.626 + retv.drm_di_major = DRM_IF_MAJOR; 3.627 + retv.drm_di_minor = DRM_IF_MINOR; 3.628 +diff --git a/drivers/char/raw.c b/drivers/char/raw.c 3.629 +--- a/drivers/char/raw.c 3.630 ++++ b/drivers/char/raw.c 3.631 +@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi 3.632 + { 3.633 + struct block_device *bdev = filp->private_data; 3.634 + 3.635 +- return ioctl_by_bdev(bdev, command, arg); 3.636 ++ return blkdev_ioctl(bdev->bd_inode, filp, command, arg); 3.637 + } 3.638 + 3.639 + static void bind_device(struct raw_config_request *rq) 3.640 +diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c 3.641 +--- a/drivers/i2c/chips/eeprom.c 3.642 ++++ b/drivers/i2c/chips/eeprom.c 3.643 +@@ -130,7 +130,8 @@ static ssize_t 
eeprom_read(struct kobjec 3.644 + 3.645 + /* Hide Vaio security settings to regular users (16 first bytes) */ 3.646 + if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) { 3.647 +- int in_row1 = 16 - off; 3.648 ++ size_t in_row1 = 16 - off; 3.649 ++ in_row1 = min(in_row1, count); 3.650 + memset(buf, 0, in_row1); 3.651 + if (count - in_row1 > 0) 3.652 + memcpy(buf + in_row1, &data->data[16], count - in_row1); 3.653 +diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c 3.654 +--- a/drivers/i2c/chips/it87.c 3.655 ++++ b/drivers/i2c/chips/it87.c 3.656 +@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device 3.657 + struct it87_data *data = it87_update_device(dev); 3.658 + return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms)); 3.659 + } 3.660 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL); 3.661 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL); 3.662 + 3.663 + static ssize_t 3.664 + show_vrm_reg(struct device *dev, char *buf) 3.665 +diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c 3.666 +--- a/drivers/i2c/chips/via686a.c 3.667 ++++ b/drivers/i2c/chips/via686a.c 3.668 +@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device 3.669 + struct via686a_data *data = via686a_update_device(dev); 3.670 + return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms)); 3.671 + } 3.672 +-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL); 3.673 ++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL); 3.674 + 3.675 + /* The driver. 
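Review bot: In the `eeprom_read()` hunk (drivers/i2c/chips/eeprom.c) `in_row1` is now `size_t`, so the unchanged test `if (count - in_row1 > 0)` is an unsigned comparison that holds whenever the two values differ. It is safe only because of the `min()` clamp added one line above it. Writing it as `if (count > in_row1)` states the intent directly and stays correct if the clamp is later moved. The declarations of `count` and `off` are outside the hunk, so this assumes `count` is unsigned, as the `min()` call suggests.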
I choose to use type i2c_driver, as at is identical to both 3.676 + smbus_driver and isa_driver, and clients could be of either kind */ 3.677 +diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c 3.678 +--- a/drivers/ide/ide-disk.c 3.679 ++++ b/drivers/ide/ide-disk.c 3.680 +@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk( 3.681 + if (hwif->no_lba48_dma && lba48 && dma) { 3.682 + if (block + rq->nr_sectors > 1ULL << 28) 3.683 + dma = 0; 3.684 ++ else 3.685 ++ lba48 = 0; 3.686 + } 3.687 + 3.688 + if (!dma) { 3.689 +@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk( 3.690 + /* FIXME: SELECT_MASK(drive, 0) ? */ 3.691 + 3.692 + if (drive->select.b.lba) { 3.693 +- if (drive->addressing == 1) { 3.694 ++ if (lba48) { 3.695 + task_ioreg_t tasklets[10]; 3.696 + 3.697 + pr_debug("%s: LBA=0x%012llx\n", drive->name, block); 3.698 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h 3.699 +--- a/drivers/input/serio/i8042-x86ia64io.h 3.700 ++++ b/drivers/input/serio/i8042-x86ia64io.h 3.701 +@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i 3.702 + }; 3.703 + #endif 3.704 + 3.705 +-#ifdef CONFIG_ACPI 3.706 ++#if defined(__ia64__) && defined(CONFIG_ACPI) 3.707 + #include <linux/acpi.h> 3.708 + #include <acpi/acpi_bus.h> 3.709 + 3.710 +@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo 3.711 + i8042_kbd_irq = I8042_MAP_IRQ(1); 3.712 + i8042_aux_irq = I8042_MAP_IRQ(12); 3.713 + 3.714 +-#ifdef CONFIG_ACPI 3.715 ++#if defined(__ia64__) && defined(CONFIG_ACPI) 3.716 + if (i8042_acpi_init()) 3.717 + return -1; 3.718 + #endif 3.719 +@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo 3.720 + 3.721 + static inline void i8042_platform_exit(void) 3.722 + { 3.723 +-#ifdef CONFIG_ACPI 3.724 ++#if defined(__ia64__) && defined(CONFIG_ACPI) 3.725 + i8042_acpi_exit(); 3.726 + #endif 3.727 + } 3.728 +diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc 3.729 +--- 
a/drivers/md/raid6altivec.uc 3.730 ++++ b/drivers/md/raid6altivec.uc 3.731 +@@ -108,7 +108,11 @@ int raid6_have_altivec(void); 3.732 + int raid6_have_altivec(void) 3.733 + { 3.734 + /* This assumes either all CPUs have Altivec or none does */ 3.735 ++#ifdef CONFIG_PPC64 3.736 + return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC; 3.737 ++#else 3.738 ++ return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC; 3.739 ++#endif 3.740 + } 3.741 + #endif 3.742 + 3.743 +diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c 3.744 +--- a/drivers/media/video/adv7170.c 3.745 ++++ b/drivers/media/video/adv7170.c 3.746 +@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client * 3.747 + u8 block_data[32]; 3.748 + 3.749 + msg.addr = client->addr; 3.750 +- msg.flags = client->flags; 3.751 ++ msg.flags = 0; 3.752 + while (len >= 2) { 3.753 + msg.buf = (char *) block_data; 3.754 + msg.len = 0; 3.755 +diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c 3.756 +--- a/drivers/media/video/adv7175.c 3.757 ++++ b/drivers/media/video/adv7175.c 3.758 +@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client * 3.759 + u8 block_data[32]; 3.760 + 3.761 + msg.addr = client->addr; 3.762 +- msg.flags = client->flags; 3.763 ++ msg.flags = 0; 3.764 + while (len >= 2) { 3.765 + msg.buf = (char *) block_data; 3.766 + msg.len = 0; 3.767 +diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c 3.768 +--- a/drivers/media/video/bt819.c 3.769 ++++ b/drivers/media/video/bt819.c 3.770 +@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl 3.771 + u8 block_data[32]; 3.772 + 3.773 + msg.addr = client->addr; 3.774 +- msg.flags = client->flags; 3.775 ++ msg.flags = 0; 3.776 + while (len >= 2) { 3.777 + msg.buf = (char *) block_data; 3.778 + msg.len = 0; 3.779 +diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c 3.780 +--- a/drivers/media/video/bttv-cards.c 3.781 ++++ b/drivers/media/video/bttv-cards.c 3.782 +@@ 
-1939,7 +1939,6 @@ struct tvcard bttv_tvcards[] = { 3.783 + .no_tda9875 = 1, 3.784 + .no_tda7432 = 1, 3.785 + .tuner_type = TUNER_ABSENT, 3.786 +- .no_video = 1, 3.787 + .pll = PLL_28, 3.788 + },{ 3.789 + .name = "Teppro TEV-560/InterVision IV-560", 3.790 +@@ -2718,8 +2717,6 @@ void __devinit bttv_init_card2(struct bt 3.791 + } 3.792 + btv->pll.pll_current = -1; 3.793 + 3.794 +- bttv_reset_audio(btv); 3.795 +- 3.796 + /* tuner configuration (from card list / autodetect / insmod option) */ 3.797 + if (UNSET != bttv_tvcards[btv->c.type].tuner_type) 3.798 + if(UNSET == btv->tuner_type) 3.799 +diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c 3.800 +--- a/drivers/media/video/saa7110.c 3.801 ++++ b/drivers/media/video/saa7110.c 3.802 +@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0- 3.803 + 3.804 + #define I2C_SAA7110 0x9C /* or 0x9E */ 3.805 + 3.806 ++#define SAA7110_NR_REG 0x35 3.807 ++ 3.808 + struct saa7110 { 3.809 +- unsigned char reg[54]; 3.810 ++ u8 reg[SAA7110_NR_REG]; 3.811 + 3.812 + int norm; 3.813 + int input; 3.814 +@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client * 3.815 + unsigned int len) 3.816 + { 3.817 + int ret = -1; 3.818 +- u8 reg = *data++; 3.819 ++ u8 reg = *data; /* first register to write to */ 3.820 + 3.821 +- len--; 3.822 ++ /* Sanity check */ 3.823 ++ if (reg + (len - 1) > SAA7110_NR_REG) 3.824 ++ return ret; 3.825 + 3.826 + /* the saa7110 has an autoincrement function, use it if 3.827 + * the adapter understands raw I2C */ 3.828 + if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) { 3.829 + struct saa7110 *decoder = i2c_get_clientdata(client); 3.830 + struct i2c_msg msg; 3.831 +- u8 block_data[54]; 3.832 + 3.833 +- msg.len = 0; 3.834 +- msg.buf = (char *) block_data; 3.835 ++ msg.len = len; 3.836 ++ msg.buf = (char *) data; 3.837 + msg.addr = client->addr; 3.838 +- msg.flags = client->flags; 3.839 +- while (len >= 1) { 3.840 +- msg.len = 0; 3.841 +- block_data[msg.len++] = reg; 3.842 +- 
while (len-- >= 1 && msg.len < 54) 3.843 +- block_data[msg.len++] = 3.844 +- decoder->reg[reg++] = *data++; 3.845 +- ret = i2c_transfer(client->adapter, &msg, 1); 3.846 +- } 3.847 ++ msg.flags = 0; 3.848 ++ ret = i2c_transfer(client->adapter, &msg, 1); 3.849 ++ 3.850 ++ /* Cache the written data */ 3.851 ++ memcpy(decoder->reg + reg, data + 1, len - 1); 3.852 + } else { 3.853 +- while (len-- >= 1) { 3.854 ++ for (++data, --len; len; len--) { 3.855 + if ((ret = saa7110_write(client, reg++, 3.856 + *data++)) < 0) 3.857 + break; 3.858 +@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien 3.859 + return 0; 3.860 + } 3.861 + 3.862 +-static const unsigned char initseq[] = { 3.863 ++static const unsigned char initseq[1 + SAA7110_NR_REG] = { 3.864 + 0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00, 3.865 + /* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90, 3.866 + /* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA, 3.867 +diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c 3.868 +--- a/drivers/media/video/saa7114.c 3.869 ++++ b/drivers/media/video/saa7114.c 3.870 +@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client * 3.871 + u8 block_data[32]; 3.872 + 3.873 + msg.addr = client->addr; 3.874 +- msg.flags = client->flags; 3.875 ++ msg.flags = 0; 3.876 + while (len >= 2) { 3.877 + msg.buf = (char *) block_data; 3.878 + msg.len = 0; 3.879 +diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c 3.880 +--- a/drivers/media/video/saa7185.c 3.881 ++++ b/drivers/media/video/saa7185.c 3.882 +@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client * 3.883 + u8 block_data[32]; 3.884 + 3.885 + msg.addr = client->addr; 3.886 +- msg.flags = client->flags; 3.887 ++ msg.flags = 0; 3.888 + while (len >= 2) { 3.889 + msg.buf = (char *) block_data; 3.890 + msg.len = 0; 3.891 +diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c 3.892 +--- a/drivers/net/3c59x.c 3.893 ++++ b/drivers/net/3c59x.c 3.894 +@@ -1581,7 
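Review bot: The new sanity check in `saa7110_write_block()` (drivers/media/video/saa7110.c, hunk at +97,28) does not cover `len == 0`, and `*data` is read before any length is tested. `len` is `unsigned int`, so `len - 1` wraps; with a non-zero `reg` the sum wraps back to a small value that passes the bound, and `memcpy(decoder->reg + reg, data + 1, len - 1)` or the fallback `for (++data, --len; len; len--)` loop then runs with a huge count. I would write the guard as `if (len == 0 || reg + (len - 1) > SAA7110_NR_REG)`. The callers are outside the hunk, so a zero length may never be passed today. A smaller point is that the register cache is updated by `memcpy` even when `i2c_transfer()` returned an error, so the cache can disagree with the chip after a failed write.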
+1581,8 @@ vortex_up(struct net_device *dev) 3.895 + 3.896 + if (VORTEX_PCI(vp)) { 3.897 + pci_set_power_state(VORTEX_PCI(vp), PCI_D0); /* Go active */ 3.898 +- pci_restore_state(VORTEX_PCI(vp)); 3.899 ++ if (vp->pm_state_valid) 3.900 ++ pci_restore_state(VORTEX_PCI(vp)); 3.901 + pci_enable_device(VORTEX_PCI(vp)); 3.902 + } 3.903 + 3.904 +@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 3.905 + outl(0, ioaddr + DownListPtr); 3.906 + 3.907 + if (final_down && VORTEX_PCI(vp)) { 3.908 ++ vp->pm_state_valid = 1; 3.909 + pci_save_state(VORTEX_PCI(vp)); 3.910 + acpi_set_WOL(dev); 3.911 + } 3.912 +@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi 3.913 + outw(RxEnable, ioaddr + EL3_CMD); 3.914 + 3.915 + pci_enable_wake(VORTEX_PCI(vp), 0, 1); 3.916 ++ 3.917 ++ /* Change the power state to D3; RxEnable doesn't take effect. */ 3.918 ++ pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot); 3.919 + } 3.920 +- /* Change the power state to D3; RxEnable doesn't take effect. */ 3.921 +- pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot); 3.922 + } 3.923 + 3.924 + 3.925 +diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c 3.926 +--- a/drivers/net/amd8111e.c 3.927 ++++ b/drivers/net/amd8111e.c 3.928 +@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi 3.929 + 3.930 + if(amd8111e_restart(dev)){ 3.931 + spin_unlock_irq(&lp->lock); 3.932 ++ if (dev->irq) 3.933 ++ free_irq(dev->irq, dev); 3.934 + return -ENOMEM; 3.935 + } 3.936 + /* Start ipg timer */ 3.937 +diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c 3.938 +--- a/drivers/net/ppp_async.c 3.939 ++++ b/drivers/net/ppp_async.c 3.940 +@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp 3.941 + data += 4; 3.942 + dlen -= 4; 3.943 + /* data[0] is code, data[1] is length */ 3.944 +- while (dlen >= 2 && dlen >= data[1]) { 3.945 ++ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { 3.946 + switch (data[0]) { 3.947 + case LCP_MRU: 3.948 + val = (data[2] << 8) + data[3]; 3.949 
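Review bot: The extended loop guard in `async_lcp_peek()` (drivers/net/ppp_async.c) guarantees only that each option is at least two bytes long, yet the `LCP_MRU` case visible in the hunk reads `data[2]` and `data[3]`. For an option whose length byte is 2 or 3, those reads come from the following option or from bytes past `dlen`. A per-case length test ahead of the `val` computation, for example `if (data[1] < 4) break;`, would tie the read to the option's declared size. The rest of the switch is outside the hunk, so other cases may need the same check.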
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c 3.950 +--- a/drivers/net/r8169.c 3.951 ++++ b/drivers/net/r8169.c 3.952 +@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r 3.953 + rtl8169_make_unusable_by_asic(desc); 3.954 + } 3.955 + 3.956 +-static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz) 3.957 ++static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz) 3.958 + { 3.959 +- desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz); 3.960 ++ u32 eor = le32_to_cpu(desc->opts1) & RingEnd; 3.961 ++ 3.962 ++ desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz); 3.963 + } 3.964 + 3.965 +-static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping, 3.966 +- int rx_buf_sz) 3.967 ++static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping, 3.968 ++ u32 rx_buf_sz) 3.969 + { 3.970 + desc->addr = cpu_to_le64(mapping); 3.971 +- desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz); 3.972 ++ wmb(); 3.973 ++ rtl8169_mark_to_asic(desc, rx_buf_sz); 3.974 + } 3.975 + 3.976 + static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff, 3.977 +@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p 3.978 + mapping = pci_map_single(pdev, skb->tail, rx_buf_sz, 3.979 + PCI_DMA_FROMDEVICE); 3.980 + 3.981 +- rtl8169_give_to_asic(desc, mapping, rx_buf_sz); 3.982 ++ rtl8169_map_to_asic(desc, mapping, rx_buf_sz); 3.983 + 3.984 + out: 3.985 + return ret; 3.986 +@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st 3.987 + skb_reserve(skb, NET_IP_ALIGN); 3.988 + eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0); 3.989 + *sk_buff = skb; 3.990 +- rtl8169_return_to_asic(desc, rx_buf_sz); 3.991 ++ rtl8169_mark_to_asic(desc, rx_buf_sz); 3.992 + ret = 0; 3.993 + } 3.994 + } 3.995 +diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c 3.996 +--- a/drivers/net/sis900.c 3.997 ++++ b/drivers/net/sis900.c 3.998 +@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr 
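Review bot: The `wmb()` added in rtl8169_map_to_asic has no comment saying which two stores it orders, and the barrier is the whole point of the change. A line such as `/* desc->addr must be visible before DescOwn hands the descriptor to the chip */` above it would keep a later cleanup from dropping or moving it. rtl8169_mark_to_asic also ORs `rx_buf_sz` into `opts1` unmasked, so it presumably relies on callers never passing a size that overlaps the `DescOwn` or `RingEnd` bits; that assumption deserves a one-line comment as well.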
3.999 + signature = (u16) read_eeprom(ioaddr, EEPROMSignature); 3.1000 + if (signature == 0xffff || signature == 0x0000) { 3.1001 + printk (KERN_INFO "%s: Error EERPOM read %x\n", 3.1002 +- net_dev->name, signature); 3.1003 ++ pci_name(pci_dev), signature); 3.1004 + return 0; 3.1005 + } 3.1006 + 3.1007 +@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add 3.1008 + if (!isa_bridge) 3.1009 + isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge); 3.1010 + if (!isa_bridge) { 3.1011 +- printk("%s: Can not find ISA bridge\n", net_dev->name); 3.1012 ++ printk("%s: Can not find ISA bridge\n", pci_name(pci_dev)); 3.1013 + return 0; 3.1014 + } 3.1015 + pci_read_config_byte(isa_bridge, 0x48, ®); 3.1016 +@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct 3.1017 + net_dev->tx_timeout = sis900_tx_timeout; 3.1018 + net_dev->watchdog_timeo = TX_TIMEOUT; 3.1019 + net_dev->ethtool_ops = &sis900_ethtool_ops; 3.1020 +- 3.1021 +- ret = register_netdev(net_dev); 3.1022 +- if (ret) 3.1023 +- goto err_unmap_rx; 3.1024 + 3.1025 + /* Get Mac address according to the chip revision */ 3.1026 + pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision); 3.1027 +@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct 3.1028 + 3.1029 + if (ret == 0) { 3.1030 + ret = -ENODEV; 3.1031 +- goto err_out_unregister; 3.1032 ++ goto err_unmap_rx; 3.1033 + } 3.1034 + 3.1035 + /* 630ET : set the mii access mode as software-mode */ 3.1036 +@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct 3.1037 + /* probe for mii transceiver */ 3.1038 + if (sis900_mii_probe(net_dev) == 0) { 3.1039 + ret = -ENODEV; 3.1040 +- goto err_out_unregister; 3.1041 ++ goto err_unmap_rx; 3.1042 + } 3.1043 + 3.1044 + /* save our host bridge revision */ 3.1045 +@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct 3.1046 + pci_dev_put(dev); 3.1047 + } 3.1048 + 3.1049 ++ ret = register_netdev(net_dev); 3.1050 ++ if (ret) 3.1051 ++ goto err_unmap_rx; 3.1052 ++ 3.1053 + /* print 
some information about our NIC */ 3.1054 + printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name, 3.1055 + card_name, ioaddr, net_dev->irq); 3.1056 +@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct 3.1057 + 3.1058 + return 0; 3.1059 + 3.1060 +- err_out_unregister: 3.1061 +- unregister_netdev(net_dev); 3.1062 + err_unmap_rx: 3.1063 + pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring, 3.1064 + sis_priv->rx_ring_dma); 3.1065 +@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct 3.1066 + static int __init sis900_mii_probe(struct net_device * net_dev) 3.1067 + { 3.1068 + struct sis900_private * sis_priv = net_dev->priv; 3.1069 ++ const char *dev_name = pci_name(sis_priv->pci_dev); 3.1070 + u16 poll_bit = MII_STAT_LINK, status = 0; 3.1071 + unsigned long timeout = jiffies + 5 * HZ; 3.1072 + int phy_addr; 3.1073 +@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc 3.1074 + mii_phy->phy_types = 3.1075 + (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? 
LAN : HOME; 3.1076 + printk(KERN_INFO "%s: %s transceiver found at address %d.\n", 3.1077 +- net_dev->name, mii_chip_table[i].name, 3.1078 ++ dev_name, mii_chip_table[i].name, 3.1079 + phy_addr); 3.1080 + break; 3.1081 + } 3.1082 + 3.1083 + if( !mii_chip_table[i].phy_id1 ) { 3.1084 + printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n", 3.1085 +- net_dev->name, phy_addr); 3.1086 ++ dev_name, phy_addr); 3.1087 + mii_phy->phy_types = UNKNOWN; 3.1088 + } 3.1089 + } 3.1090 + 3.1091 + if (sis_priv->mii == NULL) { 3.1092 +- printk(KERN_INFO "%s: No MII transceivers found!\n", 3.1093 +- net_dev->name); 3.1094 ++ printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name); 3.1095 + return 0; 3.1096 + } 3.1097 + 3.1098 +@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc 3.1099 + poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit); 3.1100 + if (time_after_eq(jiffies, timeout)) { 3.1101 + printk(KERN_WARNING "%s: reset phy and link down now\n", 3.1102 +- net_dev->name); 3.1103 ++ dev_name); 3.1104 + return -ETIME; 3.1105 + } 3.1106 + } 3.1107 +@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net 3.1108 + sis_priv->mii = default_phy; 3.1109 + sis_priv->cur_phy = default_phy->phy_addr; 3.1110 + printk(KERN_INFO "%s: Using transceiver found at address %d as default\n", 3.1111 +- net_dev->name,sis_priv->cur_phy); 3.1112 ++ pci_name(sis_priv->pci_dev), sis_priv->cur_phy); 3.1113 + } 3.1114 + 3.1115 + status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL); 3.1116 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c 3.1117 +--- a/drivers/net/tun.c 3.1118 ++++ b/drivers/net/tun.c 3.1119 +@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s 3.1120 + size_t len = count; 3.1121 + 3.1122 + if (!(tun->flags & TUN_NO_PI)) { 3.1123 +- if ((len -= sizeof(pi)) > len) 3.1124 ++ if ((len -= sizeof(pi)) > count) 3.1125 + return -EINVAL; 3.1126 + 3.1127 + if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi))) 3.1128 +diff --git 
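Review bot: The underflow test `(len -= sizeof(pi)) > count` in tun_get_user relies on size_t wraparound and modifies `len` inside the condition, which is the same shape as the removed line that compared `len` with itself. Checking before subtracting states the intent directly and is harder to get wrong: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. The function body continues outside the hunk.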
a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c 3.1129 +--- a/drivers/net/via-rhine.c 3.1130 ++++ b/drivers/net/via-rhine.c 3.1131 +@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 3.1132 + dev->name, rp->pdev->irq); 3.1133 + 3.1134 + rc = alloc_ring(dev); 3.1135 +- if (rc) 3.1136 ++ if (rc) { 3.1137 ++ free_irq(rp->pdev->irq, dev); 3.1138 + return rc; 3.1139 ++ } 3.1140 + alloc_rbufs(dev); 3.1141 + alloc_tbufs(dev); 3.1142 + rhine_chip_reset(dev); 3.1143 +@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic 3.1144 + struct rhine_private *rp = netdev_priv(dev); 3.1145 + void __iomem *ioaddr = rp->base; 3.1146 + 3.1147 ++ if (!(rp->quirks & rqWOL)) 3.1148 ++ return; /* Nothing to do for non-WOL adapters */ 3.1149 ++ 3.1150 + rhine_power_init(dev); 3.1151 + 3.1152 + /* Make sure we use pattern 0, 1 and not 4, 5 */ 3.1153 +diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c 3.1154 +--- a/drivers/net/wan/hd6457x.c 3.1155 ++++ b/drivers/net/wan/hd6457x.c 3.1156 +@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 3.1157 + #endif 3.1158 + stats->rx_packets++; 3.1159 + stats->rx_bytes += skb->len; 3.1160 +- skb->dev->last_rx = jiffies; 3.1161 ++ dev->last_rx = jiffies; 3.1162 + skb->protocol = hdlc_type_trans(skb, dev); 3.1163 + netif_rx(skb); 3.1164 + } 3.1165 +diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c 3.1166 +--- a/drivers/pci/hotplug/pciehp_ctrl.c 3.1167 ++++ b/drivers/pci/hotplug/pciehp_ctrl.c 3.1168 +@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 3.1169 + dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 3.1170 + ctrl->seg, func->bus, func->device, func->function); 3.1171 + bridge_slot_remove(func); 3.1172 +- } else 3.1173 ++ } else { 3.1174 + dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 3.1175 + ctrl->seg, func->bus, func->device, func->function); 3.1176 + slot_remove(func); 3.1177 ++ } 3.1178 + 3.1179 + func = 
pciehp_slot_find(ctrl->slot_bus, device, 0); 3.1180 + } 3.1181 +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c 3.1182 +--- a/drivers/usb/serial/visor.c 3.1183 ++++ b/drivers/usb/serial/visor.c 3.1184 +@@ -386,6 +386,7 @@ struct visor_private { 3.1185 + int bytes_in; 3.1186 + int bytes_out; 3.1187 + int outstanding_urbs; 3.1188 ++ int throttled; 3.1189 + }; 3.1190 + 3.1191 + /* number of outstanding urbs to prevent userspace DoS from happening */ 3.1192 +@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial 3.1193 + priv->bytes_in = 0; 3.1194 + priv->bytes_out = 0; 3.1195 + priv->outstanding_urbs = 0; 3.1196 ++ priv->throttled = 0; 3.1197 + spin_unlock_irqrestore(&priv->lock, flags); 3.1198 + 3.1199 + /* 3.1200 +@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st 3.1201 + struct tty_struct *tty; 3.1202 + unsigned long flags; 3.1203 + int i; 3.1204 ++ int throttled; 3.1205 + int result; 3.1206 + 3.1207 + dbg("%s - port %d", __FUNCTION__, port->number); 3.1208 +@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st 3.1209 + } 3.1210 + spin_lock_irqsave(&priv->lock, flags); 3.1211 + priv->bytes_in += urb->actual_length; 3.1212 ++ throttled = priv->throttled; 3.1213 + spin_unlock_irqrestore(&priv->lock, flags); 3.1214 + 3.1215 +- /* Continue trying to always read */ 3.1216 +- usb_fill_bulk_urb (port->read_urb, port->serial->dev, 3.1217 +- usb_rcvbulkpipe(port->serial->dev, 3.1218 +- port->bulk_in_endpointAddress), 3.1219 +- port->read_urb->transfer_buffer, 3.1220 +- port->read_urb->transfer_buffer_length, 3.1221 +- visor_read_bulk_callback, port); 3.1222 +- result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 3.1223 +- if (result) 3.1224 +- dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result); 3.1225 ++ /* Continue trying to always read if we should */ 3.1226 ++ if (!throttled) { 3.1227 ++ usb_fill_bulk_urb (port->read_urb, port->serial->dev, 3.1228 ++ usb_rcvbulkpipe(port->serial->dev, 
3.1229 ++ port->bulk_in_endpointAddress), 3.1230 ++ port->read_urb->transfer_buffer, 3.1231 ++ port->read_urb->transfer_buffer_length, 3.1232 ++ visor_read_bulk_callback, port); 3.1233 ++ result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 3.1234 ++ if (result) 3.1235 ++ dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result); 3.1236 ++ } 3.1237 + return; 3.1238 + } 3.1239 + 3.1240 +@@ -683,16 +689,26 @@ exit: 3.1241 + 3.1242 + static void visor_throttle (struct usb_serial_port *port) 3.1243 + { 3.1244 ++ struct visor_private *priv = usb_get_serial_port_data(port); 3.1245 ++ unsigned long flags; 3.1246 ++ 3.1247 + dbg("%s - port %d", __FUNCTION__, port->number); 3.1248 +- usb_kill_urb(port->read_urb); 3.1249 ++ spin_lock_irqsave(&priv->lock, flags); 3.1250 ++ priv->throttled = 1; 3.1251 ++ spin_unlock_irqrestore(&priv->lock, flags); 3.1252 + } 3.1253 + 3.1254 + 3.1255 + static void visor_unthrottle (struct usb_serial_port *port) 3.1256 + { 3.1257 ++ struct visor_private *priv = usb_get_serial_port_data(port); 3.1258 ++ unsigned long flags; 3.1259 + int result; 3.1260 + 3.1261 + dbg("%s - port %d", __FUNCTION__, port->number); 3.1262 ++ spin_lock_irqsave(&priv->lock, flags); 3.1263 ++ priv->throttled = 0; 3.1264 ++ spin_unlock_irqrestore(&priv->lock, flags); 3.1265 + 3.1266 + port->read_urb->dev = port->serial->dev; 3.1267 + result = usb_submit_urb(port->read_urb, GFP_ATOMIC); 3.1268 +diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c 3.1269 +--- a/drivers/video/matrox/matroxfb_accel.c 3.1270 ++++ b/drivers/video/matrox/matroxfb_accel.c 3.1271 +@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI 3.1272 + } else if (step == 1) { 3.1273 + /* Special case for 1..8bit widths */ 3.1274 + while (height--) { 3.1275 +- mga_writel(mmio, 0, *chardata); 3.1276 ++#if defined(__BIG_ENDIAN) 3.1277 ++ fb_writel((*chardata) << 24, mmio.vaddr); 3.1278 ++#else 3.1279 ++ fb_writel(*chardata, 
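Review bot: visor_unthrottle clears `priv->throttled` and then submits `port->read_urb` unconditionally, but visor_throttle no longer kills that URB. If unthrottle runs before the read callback has observed the flag, the URB is presumably still in flight and the `usb_submit_urb()` call would be made on an already-submitted URB and fail. Recording under `priv->lock` whether the callback actually skipped the resubmission, and submitting from visor_unthrottle only in that case, would avoid this. The error handling after the submit call is outside the hunk.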
mmio.vaddr); 3.1280 ++#endif 3.1281 + chardata++; 3.1282 + } 3.1283 + } else if (step == 2) { 3.1284 + /* Special case for 9..15bit widths */ 3.1285 + while (height--) { 3.1286 +- mga_writel(mmio, 0, *(u_int16_t*)chardata); 3.1287 ++#if defined(__BIG_ENDIAN) 3.1288 ++ fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr); 3.1289 ++#else 3.1290 ++ fb_writel(*(u_int16_t*)chardata, mmio.vaddr); 3.1291 ++#endif 3.1292 + chardata += 2; 3.1293 + } 3.1294 + } else { 3.1295 +@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI 3.1296 + 3.1297 + for (i = 0; i < step; i += 4) { 3.1298 + /* Hope that there are at least three readable bytes beyond the end of bitmap */ 3.1299 +- mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i))); 3.1300 ++ fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr); 3.1301 + } 3.1302 + chardata += step; 3.1303 + } 3.1304 +diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h 3.1305 +--- a/drivers/video/matrox/matroxfb_base.h 3.1306 ++++ b/drivers/video/matrox/matroxfb_base.h 3.1307 +@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr 3.1308 + 3.1309 + if ((unsigned long)src & 3) { 3.1310 + while (len >= 4) { 3.1311 +- writel(get_unaligned((u32 *)src), addr); 3.1312 ++ fb_writel(get_unaligned((u32 *)src), addr); 3.1313 + addr++; 3.1314 + len -= 4; 3.1315 + src += 4; 3.1316 + } 3.1317 + } else { 3.1318 + while (len >= 4) { 3.1319 +- writel(*(u32 *)src, addr); 3.1320 ++ fb_writel(*(u32 *)src, addr); 3.1321 + addr++; 3.1322 + len -= 4; 3.1323 + src += 4; 3.1324 +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c 3.1325 +--- a/fs/binfmt_elf.c 3.1326 ++++ b/fs/binfmt_elf.c 3.1327 +@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b 3.1328 + } 3.1329 + 3.1330 + /* Populate argv and envp */ 3.1331 +- p = current->mm->arg_start; 3.1332 ++ p = current->mm->arg_end = current->mm->arg_start; 3.1333 + while (argc-- > 0) { 3.1334 + size_t len; 3.1335 + __put_user((elf_addr_t)p, 
argv++); 3.1336 +@@ -1008,6 +1008,7 @@ out_free_ph: 3.1337 + static int load_elf_library(struct file *file) 3.1338 + { 3.1339 + struct elf_phdr *elf_phdata; 3.1340 ++ struct elf_phdr *eppnt; 3.1341 + unsigned long elf_bss, bss, len; 3.1342 + int retval, error, i, j; 3.1343 + struct elfhdr elf_ex; 3.1344 +@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 3.1345 + /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */ 3.1346 + 3.1347 + error = -ENOMEM; 3.1348 +- elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL); 3.1349 ++ elf_phdata = kmalloc(j, GFP_KERNEL); 3.1350 + if (!elf_phdata) 3.1351 + goto out; 3.1352 + 3.1353 ++ eppnt = elf_phdata; 3.1354 + error = -ENOEXEC; 3.1355 +- retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j); 3.1356 ++ retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j); 3.1357 + if (retval != j) 3.1358 + goto out_free_ph; 3.1359 + 3.1360 + for (j = 0, i = 0; i<elf_ex.e_phnum; i++) 3.1361 +- if ((elf_phdata + i)->p_type == PT_LOAD) j++; 3.1362 ++ if ((eppnt + i)->p_type == PT_LOAD) 3.1363 ++ j++; 3.1364 + if (j != 1) 3.1365 + goto out_free_ph; 3.1366 + 3.1367 +- while (elf_phdata->p_type != PT_LOAD) elf_phdata++; 3.1368 ++ while (eppnt->p_type != PT_LOAD) 3.1369 ++ eppnt++; 3.1370 + 3.1371 + /* Now use mmap to map the library into memory. 
*/ 3.1372 + down_write(¤t->mm->mmap_sem); 3.1373 + error = do_mmap(file, 3.1374 +- ELF_PAGESTART(elf_phdata->p_vaddr), 3.1375 +- (elf_phdata->p_filesz + 3.1376 +- ELF_PAGEOFFSET(elf_phdata->p_vaddr)), 3.1377 ++ ELF_PAGESTART(eppnt->p_vaddr), 3.1378 ++ (eppnt->p_filesz + 3.1379 ++ ELF_PAGEOFFSET(eppnt->p_vaddr)), 3.1380 + PROT_READ | PROT_WRITE | PROT_EXEC, 3.1381 + MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, 3.1382 +- (elf_phdata->p_offset - 3.1383 +- ELF_PAGEOFFSET(elf_phdata->p_vaddr))); 3.1384 ++ (eppnt->p_offset - 3.1385 ++ ELF_PAGEOFFSET(eppnt->p_vaddr))); 3.1386 + up_write(¤t->mm->mmap_sem); 3.1387 +- if (error != ELF_PAGESTART(elf_phdata->p_vaddr)) 3.1388 ++ if (error != ELF_PAGESTART(eppnt->p_vaddr)) 3.1389 + goto out_free_ph; 3.1390 + 3.1391 +- elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz; 3.1392 ++ elf_bss = eppnt->p_vaddr + eppnt->p_filesz; 3.1393 + if (padzero(elf_bss)) { 3.1394 + error = -EFAULT; 3.1395 + goto out_free_ph; 3.1396 + } 3.1397 + 3.1398 +- len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1); 3.1399 +- bss = elf_phdata->p_memsz + elf_phdata->p_vaddr; 3.1400 ++ len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1); 3.1401 ++ bss = eppnt->p_memsz + eppnt->p_vaddr; 3.1402 + if (bss > len) { 3.1403 + down_write(¤t->mm->mmap_sem); 3.1404 + do_brk(len, bss - len); 3.1405 +@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs 3.1406 + static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, 3.1407 + struct mm_struct *mm) 3.1408 + { 3.1409 +- int i, len; 3.1410 ++ unsigned int i, len; 3.1411 + 3.1412 + /* first copy the parameters from user space */ 3.1413 + memset(psinfo, 0, sizeof(struct elf_prpsinfo)); 3.1414 +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c 3.1415 +--- a/fs/cramfs/inode.c 3.1416 ++++ b/fs/cramfs/inode.c 3.1417 +@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st 3.1418 + inode->i_data.a_ops = &cramfs_aops; 3.1419 + } else { 3.1420 + 
inode->i_size = 0; 3.1421 ++ inode->i_blocks = 0; 3.1422 + init_special_inode(inode, inode->i_mode, 3.1423 + old_decode_dev(cramfs_inode->size)); 3.1424 + } 3.1425 +diff --git a/fs/eventpoll.c b/fs/eventpoll.c 3.1426 +--- a/fs/eventpoll.c 3.1427 ++++ b/fs/eventpoll.c 3.1428 +@@ -619,6 +619,7 @@ eexit_1: 3.1429 + return error; 3.1430 + } 3.1431 + 3.1432 ++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event)) 3.1433 + 3.1434 + /* 3.1435 + * Implement the event wait interface for the eventpoll file. It is the kernel 3.1436 +@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd, 3.1437 + current, epfd, events, maxevents, timeout)); 3.1438 + 3.1439 + /* The maximum number of event must be greater than zero */ 3.1440 +- if (maxevents <= 0) 3.1441 ++ if (maxevents <= 0 || maxevents > MAX_EVENTS) 3.1442 + return -EINVAL; 3.1443 + 3.1444 + /* Verify that the area passed by the user is writeable */ 3.1445 +diff --git a/fs/exec.c b/fs/exec.c 3.1446 +--- a/fs/exec.c 3.1447 ++++ b/fs/exec.c 3.1448 +@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas 3.1449 + { 3.1450 + /* buf must be at least sizeof(tsk->comm) in size */ 3.1451 + task_lock(tsk); 3.1452 +- memcpy(buf, tsk->comm, sizeof(tsk->comm)); 3.1453 ++ strncpy(buf, tsk->comm, sizeof(tsk->comm)); 3.1454 + task_unlock(tsk); 3.1455 + } 3.1456 + 3.1457 +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c 3.1458 +--- a/fs/ext2/dir.c 3.1459 ++++ b/fs/ext2/dir.c 3.1460 +@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode, 3.1461 + goto fail; 3.1462 + } 3.1463 + kaddr = kmap_atomic(page, KM_USER0); 3.1464 ++ memset(kaddr, 0, chunk_size); 3.1465 + de = (struct ext2_dir_entry_2 *)kaddr; 3.1466 + de->name_len = 1; 3.1467 + de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1)); 3.1468 +diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c 3.1469 +--- a/fs/ext3/balloc.c 3.1470 ++++ b/fs/ext3/balloc.c 3.1471 +@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino 3.1472 + 3.1473 + if (!rsv_is_empty(&rsv->rsv_window)) { 
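Review bot: The new `MAX_EVENTS` bound in sys_epoll_wait has no comment explaining what it protects, and `maxevents > MAX_EVENTS` compares an `int` against a `size_t` expression, which is only safe because `maxevents <= 0` is tested first. A comment on the define such as `/* keep maxevents * sizeof(struct epoll_event) from overflowing */` would record both the purpose and why the order of the two tests matters. The size computation this presumably guards sits just below the hunk and is not visible here.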
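Review bot: `strncpy(buf, tsk->comm, sizeof(tsk->comm))` in get_task_comm leaves `buf` unterminated if `tsk->comm` ever holds no NUL within its full size, so the function now relies on that invariant without saying so. The switch from `memcpy` does stop bytes after the terminator from being copied out, which is worth noting in the comment too. Either extend the existing comment to `/* buf must be at least sizeof(tsk->comm) in size; tsk->comm is always NUL-terminated */` or terminate explicitly with `buf[sizeof(tsk->comm) - 1] = '\0';` after the copy.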
3.1474 + spin_lock(rsv_lock); 3.1475 +- rsv_window_remove(inode->i_sb, rsv); 3.1476 ++ if (!rsv_is_empty(&rsv->rsv_window)) 3.1477 ++ rsv_window_remove(inode->i_sb, rsv); 3.1478 + spin_unlock(rsv_lock); 3.1479 + } 3.1480 + } 3.1481 +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c 3.1482 +--- a/fs/hfs/mdb.c 3.1483 ++++ b/fs/hfs/mdb.c 3.1484 +@@ -333,6 +333,8 @@ void hfs_mdb_close(struct super_block *s 3.1485 + * Release the resources associated with the in-core MDB. */ 3.1486 + void hfs_mdb_put(struct super_block *sb) 3.1487 + { 3.1488 ++ if (!HFS_SB(sb)) 3.1489 ++ return; 3.1490 + /* free the B-trees */ 3.1491 + hfs_btree_close(HFS_SB(sb)->ext_tree); 3.1492 + hfs_btree_close(HFS_SB(sb)->cat_tree); 3.1493 +@@ -340,4 +342,7 @@ void hfs_mdb_put(struct super_block *sb) 3.1494 + /* free the buffers holding the primary and alternate MDBs */ 3.1495 + brelse(HFS_SB(sb)->mdb_bh); 3.1496 + brelse(HFS_SB(sb)->alt_mdb_bh); 3.1497 ++ 3.1498 ++ kfree(HFS_SB(sb)); 3.1499 ++ sb->s_fs_info = NULL; 3.1500 + } 3.1501 +diff --git a/fs/hfs/super.c b/fs/hfs/super.c 3.1502 +--- a/fs/hfs/super.c 3.1503 ++++ b/fs/hfs/super.c 3.1504 +@@ -263,7 +263,7 @@ static int hfs_fill_super(struct super_b 3.1505 + res = -EINVAL; 3.1506 + if (!parse_options((char *)data, sbi)) { 3.1507 + hfs_warn("hfs_fs: unable to parse mount options.\n"); 3.1508 +- goto bail3; 3.1509 ++ goto bail; 3.1510 + } 3.1511 + 3.1512 + sb->s_op = &hfs_super_operations; 3.1513 +@@ -276,7 +276,7 @@ static int hfs_fill_super(struct super_b 3.1514 + hfs_warn("VFS: Can't find a HFS filesystem on dev %s.\n", 3.1515 + hfs_mdb_name(sb)); 3.1516 + res = -EINVAL; 3.1517 +- goto bail2; 3.1518 ++ goto bail; 3.1519 + } 3.1520 + 3.1521 + /* try to get the root inode */ 3.1522 +@@ -306,10 +306,8 @@ bail_iput: 3.1523 + iput(root_inode); 3.1524 + bail_no_root: 3.1525 + hfs_warn("hfs_fs: get root inode failed.\n"); 3.1526 ++bail: 3.1527 + hfs_mdb_put(sb); 3.1528 +-bail2: 3.1529 +-bail3: 3.1530 +- kfree(sbi); 3.1531 + return res; 3.1532 + } 3.1533 + 
3.1534 +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c 3.1535 +--- a/fs/hfsplus/super.c 3.1536 ++++ b/fs/hfsplus/super.c 3.1537 +@@ -207,7 +207,9 @@ static void hfsplus_write_super(struct s 3.1538 + static void hfsplus_put_super(struct super_block *sb) 3.1539 + { 3.1540 + dprint(DBG_SUPER, "hfsplus_put_super\n"); 3.1541 +- if (!(sb->s_flags & MS_RDONLY)) { 3.1542 ++ if (!sb->s_fs_info) 3.1543 ++ return; 3.1544 ++ if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) { 3.1545 + struct hfsplus_vh *vhdr = HFSPLUS_SB(sb).s_vhdr; 3.1546 + 3.1547 + vhdr->modify_date = hfsp_now2mt(); 3.1548 +@@ -223,6 +225,8 @@ static void hfsplus_put_super(struct sup 3.1549 + iput(HFSPLUS_SB(sb).alloc_file); 3.1550 + iput(HFSPLUS_SB(sb).hidden_dir); 3.1551 + brelse(HFSPLUS_SB(sb).s_vhbh); 3.1552 ++ kfree(sb->s_fs_info); 3.1553 ++ sb->s_fs_info = NULL; 3.1554 + } 3.1555 + 3.1556 + static int hfsplus_statfs(struct super_block *sb, struct kstatfs *buf) 3.1557 +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c 3.1558 +--- a/fs/isofs/inode.c 3.1559 ++++ b/fs/isofs/inode.c 3.1560 +@@ -685,6 +685,8 @@ root_found: 3.1561 + sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size); 3.1562 + sbi->s_max_size = isonum_733(h_pri->volume_space_size); 3.1563 + } else { 3.1564 ++ if (!pri) 3.1565 ++ goto out_freebh; 3.1566 + rootp = (struct iso_directory_record *) pri->root_directory_record; 3.1567 + sbi->s_nzones = isonum_733 (pri->volume_space_size); 3.1568 + sbi->s_log_zone_size = isonum_723 (pri->logical_block_size); 3.1569 +@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl 3.1570 + struct inode *inode; 3.1571 + struct isofs_iget5_callback_data data; 3.1572 + 3.1573 ++ if (offset >= 1ul << sb->s_blocksize_bits) 3.1574 ++ return NULL; 3.1575 ++ 3.1576 + data.block = block; 3.1577 + data.offset = offset; 3.1578 + 3.1579 +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c 3.1580 +--- a/fs/isofs/rock.c 3.1581 ++++ b/fs/isofs/rock.c 3.1582 +@@ -53,6 +53,7 @@ 3.1583 + if(LEN & 1) 
LEN++; \ 3.1584 + CHR = ((unsigned char *) DE) + LEN; \ 3.1585 + LEN = *((unsigned char *) DE) - LEN; \ 3.1586 ++ if (LEN<0) LEN=0; \ 3.1587 + if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \ 3.1588 + { \ 3.1589 + LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \ 3.1590 +@@ -73,6 +74,10 @@ 3.1591 + offset1 = 0; \ 3.1592 + pbh = sb_bread(DEV->i_sb, block); \ 3.1593 + if(pbh){ \ 3.1594 ++ if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \ 3.1595 ++ brelse(pbh); \ 3.1596 ++ goto out; \ 3.1597 ++ } \ 3.1598 + memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \ 3.1599 + brelse(pbh); \ 3.1600 + chr = (unsigned char *) buffer; \ 3.1601 +@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d 3.1602 + struct rock_ridge * rr; 3.1603 + int sig; 3.1604 + 3.1605 +- while (len > 1){ /* There may be one byte for padding somewhere */ 3.1606 ++ while (len > 2){ /* There may be one byte for padding somewhere */ 3.1607 + rr = (struct rock_ridge *) chr; 3.1608 +- if (rr->len == 0) goto out; /* Something got screwed up here */ 3.1609 ++ if (rr->len < 3) goto out; /* Something got screwed up here */ 3.1610 + sig = isonum_721(chr); 3.1611 + chr += rr->len; 3.1612 + len -= rr->len; 3.1613 ++ if (len < 0) goto out; /* corrupted isofs */ 3.1614 + 3.1615 + switch(sig){ 3.1616 + case SIG('R','R'): 3.1617 +@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d 3.1618 + break; 3.1619 + case SIG('N','M'): 3.1620 + if (truncate) break; 3.1621 ++ if (rr->len < 5) break; 3.1622 + /* 3.1623 + * If the flags are 2 or 4, this indicates '.' or '..'. 
3.1624 + * We don't want to do anything with this, because it 3.1625 +@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i 3.1626 + struct rock_ridge * rr; 3.1627 + int rootflag; 3.1628 + 3.1629 +- while (len > 1){ /* There may be one byte for padding somewhere */ 3.1630 ++ while (len > 2){ /* There may be one byte for padding somewhere */ 3.1631 + rr = (struct rock_ridge *) chr; 3.1632 +- if (rr->len == 0) goto out; /* Something got screwed up here */ 3.1633 ++ if (rr->len < 3) goto out; /* Something got screwed up here */ 3.1634 + sig = isonum_721(chr); 3.1635 + chr += rr->len; 3.1636 + len -= rr->len; 3.1637 ++ if (len < 0) goto out; /* corrupted isofs */ 3.1638 + 3.1639 + switch(sig){ 3.1640 + #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */ 3.1641 +@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s 3.1642 + struct rock_ridge *rr; 3.1643 + 3.1644 + if (!ISOFS_SB(inode->i_sb)->s_rock) 3.1645 +- panic ("Cannot have symlink with high sierra variant of iso filesystem\n"); 3.1646 ++ goto error; 3.1647 + 3.1648 + block = ei->i_iget5_block; 3.1649 + lock_kernel(); 3.1650 +@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s 3.1651 + SETUP_ROCK_RIDGE(raw_inode, chr, len); 3.1652 + 3.1653 + repeat: 3.1654 +- while (len > 1) { /* There may be one byte for padding somewhere */ 3.1655 ++ while (len > 2) { /* There may be one byte for padding somewhere */ 3.1656 + rr = (struct rock_ridge *) chr; 3.1657 +- if (rr->len == 0) 3.1658 ++ if (rr->len < 3) 3.1659 + goto out; /* Something got screwed up here */ 3.1660 + sig = isonum_721(chr); 3.1661 + chr += rr->len; 3.1662 + len -= rr->len; 3.1663 ++ if (len < 0) 3.1664 ++ goto out; /* corrupted isofs */ 3.1665 + 3.1666 + switch (sig) { 3.1667 + case SIG('R', 'R'): 3.1668 +@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s 3.1669 + fail: 3.1670 + brelse(bh); 3.1671 + unlock_kernel(); 3.1672 ++ error: 3.1673 + SetPageError(page); 3.1674 + kunmap(page); 3.1675 + unlock_page(page); 3.1676 +diff 
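Review bot: The three record loops in rock.c (get_rock_ridge_filename, parse_rock_ridge_inode_internal and rock_ridge_symlink_readpage) keep the old comments while their bounds change, so "There may be one byte for padding somewhere" no longer explains `len > 2`, and `rr->len < 3` is an unexplained constant. A comment such as `/* a record must cover at least its 2-byte signature and its length byte */` on the `rr->len < 3` test would document the minimum being enforced on untrusted on-disk data. The identical validation is also repeated three times; a small shared helper or macro would keep the copies from drifting apart.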
--git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c 3.1677 +--- a/fs/jbd/checkpoint.c 3.1678 ++++ b/fs/jbd/checkpoint.c 3.1679 +@@ -339,8 +339,10 @@ int log_do_checkpoint(journal_t *journal 3.1680 + } 3.1681 + } while (jh != last_jh && !retry); 3.1682 + 3.1683 +- if (batch_count) 3.1684 ++ if (batch_count) { 3.1685 + __flush_batch(journal, bhs, &batch_count); 3.1686 ++ retry = 1; 3.1687 ++ } 3.1688 + 3.1689 + /* 3.1690 + * If someone cleaned up this transaction while we slept, we're 3.1691 +diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c 3.1692 +--- a/fs/jbd/transaction.c 3.1693 ++++ b/fs/jbd/transaction.c 3.1694 +@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_ 3.1695 + JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget"); 3.1696 + ret = __dispose_buffer(jh, 3.1697 + journal->j_running_transaction); 3.1698 ++ journal_put_journal_head(jh); 3.1699 + spin_unlock(&journal->j_list_lock); 3.1700 + jbd_unlock_bh_state(bh); 3.1701 + spin_unlock(&journal->j_state_lock); 3.1702 +- journal_put_journal_head(jh); 3.1703 + return ret; 3.1704 + } else { 3.1705 + /* There is no currently-running transaction. 
So the 3.1706 +@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_ 3.1707 + JBUFFER_TRACE(jh, "give to committing trans"); 3.1708 + ret = __dispose_buffer(jh, 3.1709 + journal->j_committing_transaction); 3.1710 ++ journal_put_journal_head(jh); 3.1711 + spin_unlock(&journal->j_list_lock); 3.1712 + jbd_unlock_bh_state(bh); 3.1713 + spin_unlock(&journal->j_state_lock); 3.1714 +- journal_put_journal_head(jh); 3.1715 + return ret; 3.1716 + } else { 3.1717 + /* The orphan record's transaction has 3.1718 +@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_ 3.1719 + journal->j_running_transaction); 3.1720 + jh->b_next_transaction = NULL; 3.1721 + } 3.1722 ++ journal_put_journal_head(jh); 3.1723 + spin_unlock(&journal->j_list_lock); 3.1724 + jbd_unlock_bh_state(bh); 3.1725 + spin_unlock(&journal->j_state_lock); 3.1726 +- journal_put_journal_head(jh); 3.1727 + return 0; 3.1728 + } else { 3.1729 + /* Good, the buffer belongs to the running transaction. 3.1730 +diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h 3.1731 +--- a/include/asm-x86_64/processor.h 3.1732 ++++ b/include/asm-x86_64/processor.h 3.1733 +@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne 3.1734 + 3.1735 + 3.1736 + /* 3.1737 +- * User space process size. 47bits. 3.1738 ++ * User space process size. 47bits minus one guard page. 3.1739 + */ 3.1740 +-#define TASK_SIZE (0x800000000000UL) 3.1741 ++#define TASK_SIZE (0x800000000000UL - 4096) 3.1742 + 3.1743 + /* This decides where the kernel will search for a free chunk of vm 3.1744 + * space during mmap's. 3.1745 +diff --git a/include/linux/err.h b/include/linux/err.h 3.1746 +--- a/include/linux/err.h 3.1747 ++++ b/include/linux/err.h 3.1748 +@@ -13,6 +13,8 @@ 3.1749 + * This should be a per-architecture thing, to allow different 3.1750 + * error and pointer decisions. 
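Review bot: The guard page in the new `TASK_SIZE` is written as the literal `4096`, and the comment says only "minus one guard page" without giving the reason the top page of user space must stay unmapped. If `PAGE_SIZE` is usable at this point in processor.h, `#define TASK_SIZE (0x800000000000UL - PAGE_SIZE)` ties the value to the page size rather than a magic number. The comment should also name the condition the guard page defends against, so the subtraction is not later removed as an oddity.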
3.1751 + */ 3.1752 ++#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L) 3.1753 ++ 3.1754 + static inline void *ERR_PTR(long error) 3.1755 + { 3.1756 + return (void *) error; 3.1757 +@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p 3.1758 + 3.1759 + static inline long IS_ERR(const void *ptr) 3.1760 + { 3.1761 +- return unlikely((unsigned long)ptr > (unsigned long)-1000L); 3.1762 ++ return IS_ERR_VALUE((unsigned long)ptr); 3.1763 + } 3.1764 + 3.1765 + #endif /* _LINUX_ERR_H */ 3.1766 +diff --git a/kernel/exit.c b/kernel/exit.c 3.1767 +--- a/kernel/exit.c 3.1768 ++++ b/kernel/exit.c 3.1769 +@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas 3.1770 + */ 3.1771 + BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE); 3.1772 + p->real_parent = reaper; 3.1773 +- if (p->parent == p->real_parent) 3.1774 +- BUG(); 3.1775 + } 3.1776 + 3.1777 + static inline void reparent_thread(task_t *p, task_t *father, int traced) 3.1778 +diff --git a/kernel/signal.c b/kernel/signal.c 3.1779 +--- a/kernel/signal.c 3.1780 ++++ b/kernel/signal.c 3.1781 +@@ -1728,6 +1728,7 @@ do_signal_stop(int signr) 3.1782 + * with another processor delivering a stop signal, 3.1783 + * then the SIGCONT that wakes us up should clear it. 
3.1784 + */
3.1785 ++ read_unlock(&tasklist_lock);
3.1786 + return 0;
3.1787 + }
3.1788 +
3.1789 +diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
3.1790 +--- a/lib/rwsem-spinlock.c
3.1791 ++++ b/lib/rwsem-spinlock.c
3.1792 +@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
3.1793 +
3.1794 + rwsemtrace(sem, "Entering __down_read");
3.1795 +
3.1796 +- spin_lock(&sem->wait_lock);
3.1797 ++ spin_lock_irq(&sem->wait_lock);
3.1798 +
3.1799 + if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
3.1800 + /* granted */
3.1801 + sem->activity++;
3.1802 +- spin_unlock(&sem->wait_lock);
3.1803 ++ spin_unlock_irq(&sem->wait_lock);
3.1804 + goto out;
3.1805 + }
3.1806 +
3.1807 +@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
3.1808 + list_add_tail(&waiter.list, &sem->wait_list);
3.1809 +
3.1810 + /* we don't need to touch the semaphore struct anymore */
3.1811 +- spin_unlock(&sem->wait_lock);
3.1812 ++ spin_unlock_irq(&sem->wait_lock);
3.1813 +
3.1814 + /* wait to be given the lock */
3.1815 + for (;;) {
3.1816 +@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
3.1817 + */
3.1818 + int fastcall __down_read_trylock(struct rw_semaphore *sem)
3.1819 + {
3.1820 ++ unsigned long flags;
3.1821 + int ret = 0;
3.1822 ++
3.1823 + rwsemtrace(sem, "Entering __down_read_trylock");
3.1824 +
3.1825 +- spin_lock(&sem->wait_lock);
3.1826 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1827 +
3.1828 + if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
3.1829 + /* granted */
3.1830 +@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct
3.1831 + ret = 1;
3.1832 + }
3.1833 +
3.1834 +- spin_unlock(&sem->wait_lock);
3.1835 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.1836 +
3.1837 + rwsemtrace(sem, "Leaving __down_read_trylock");
3.1838 + return ret;
3.1839 +@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
3.1840 +
3.1841 + rwsemtrace(sem, "Entering __down_write");
3.1842 +
3.1843 +- spin_lock(&sem->wait_lock);
3.1844 ++ spin_lock_irq(&sem->wait_lock);
3.1845 +
3.1846 + if (sem->activity == 0 && list_empty(&sem->wait_list)) {
3.1847 + /* granted */
3.1848 + sem->activity = -1;
3.1849 +- spin_unlock(&sem->wait_lock);
3.1850 ++ spin_unlock_irq(&sem->wait_lock);
3.1851 + goto out;
3.1852 + }
3.1853 +
3.1854 +@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
3.1855 + list_add_tail(&waiter.list, &sem->wait_list);
3.1856 +
3.1857 + /* we don't need to touch the semaphore struct anymore */
3.1858 +- spin_unlock(&sem->wait_lock);
3.1859 ++ spin_unlock_irq(&sem->wait_lock);
3.1860 +
3.1861 + /* wait to be given the lock */
3.1862 + for (;;) {
3.1863 +@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
3.1864 + */
3.1865 + int fastcall __down_write_trylock(struct rw_semaphore *sem)
3.1866 + {
3.1867 ++ unsigned long flags;
3.1868 + int ret = 0;
3.1869 ++
3.1870 + rwsemtrace(sem, "Entering __down_write_trylock");
3.1871 +
3.1872 +- spin_lock(&sem->wait_lock);
3.1873 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1874 +
3.1875 + if (sem->activity == 0 && list_empty(&sem->wait_list)) {
3.1876 + /* granted */
3.1877 +@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
3.1878 + ret = 1;
3.1879 + }
3.1880 +
3.1881 +- spin_unlock(&sem->wait_lock);
3.1882 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.1883 +
3.1884 + rwsemtrace(sem, "Leaving __down_write_trylock");
3.1885 + return ret;
3.1886 +@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
3.1887 + */
3.1888 + void fastcall __up_read(struct rw_semaphore *sem)
3.1889 + {
3.1890 ++ unsigned long flags;
3.1891 ++
3.1892 + rwsemtrace(sem, "Entering __up_read");
3.1893 +
3.1894 +- spin_lock(&sem->wait_lock);
3.1895 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1896 +
3.1897 + if (--sem->activity == 0 && !list_empty(&sem->wait_list))
3.1898 + sem = __rwsem_wake_one_writer(sem);
3.1899 +
3.1900 +- spin_unlock(&sem->wait_lock);
3.1901 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.1902
+
3.1903 + rwsemtrace(sem, "Leaving __up_read");
3.1904 + }
3.1905 +@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
3.1906 + */
3.1907 + void fastcall __up_write(struct rw_semaphore *sem)
3.1908 + {
3.1909 ++ unsigned long flags;
3.1910 ++
3.1911 + rwsemtrace(sem, "Entering __up_write");
3.1912 +
3.1913 +- spin_lock(&sem->wait_lock);
3.1914 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1915 +
3.1916 + sem->activity = 0;
3.1917 + if (!list_empty(&sem->wait_list))
3.1918 + sem = __rwsem_do_wake(sem, 1);
3.1919 +
3.1920 +- spin_unlock(&sem->wait_lock);
3.1921 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.1922 +
3.1923 + rwsemtrace(sem, "Leaving __up_write");
3.1924 + }
3.1925 +@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
3.1926 + */
3.1927 + void fastcall __downgrade_write(struct rw_semaphore *sem)
3.1928 + {
3.1929 ++ unsigned long flags;
3.1930 ++
3.1931 + rwsemtrace(sem, "Entering __downgrade_write");
3.1932 +
3.1933 +- spin_lock(&sem->wait_lock);
3.1934 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1935 +
3.1936 + sem->activity = 1;
3.1937 + if (!list_empty(&sem->wait_list))
3.1938 + sem = __rwsem_do_wake(sem, 0);
3.1939 +
3.1940 +- spin_unlock(&sem->wait_lock);
3.1941 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.1942 +
3.1943 + rwsemtrace(sem, "Leaving __downgrade_write");
3.1944 + }
3.1945 +diff --git a/lib/rwsem.c b/lib/rwsem.c
3.1946 +--- a/lib/rwsem.c
3.1947 ++++ b/lib/rwsem.c
3.1948 +@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
3.1949 + set_task_state(tsk, TASK_UNINTERRUPTIBLE);
3.1950 +
3.1951 + /* set up my own style of waitqueue */
3.1952 +- spin_lock(&sem->wait_lock);
3.1953 ++ spin_lock_irq(&sem->wait_lock);
3.1954 + waiter->task = tsk;
3.1955 + get_task_struct(tsk);
3.1956 +
3.1957 +@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
3.1958 + if (!(count & RWSEM_ACTIVE_MASK))
3.1959 + sem = __rwsem_do_wake(sem, 0);
3.1960 +
3.1961 +- spin_unlock(&sem->wait_lock);
3.1962 ++
spin_unlock_irq(&sem->wait_lock);
3.1963 +
3.1964 + /* wait to be given the lock */
3.1965 + for (;;) {
3.1966 +@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
3.1967 + */
3.1968 + struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
3.1969 + {
3.1970 ++ unsigned long flags;
3.1971 ++
3.1972 + rwsemtrace(sem, "Entering rwsem_wake");
3.1973 +
3.1974 +- spin_lock(&sem->wait_lock);
3.1975 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1976 +
3.1977 + /* do nothing if list empty */
3.1978 + if (!list_empty(&sem->wait_list))
3.1979 + sem = __rwsem_do_wake(sem, 0);
3.1980 +
3.1981 +- spin_unlock(&sem->wait_lock);
3.1982 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.1983 +
3.1984 + rwsemtrace(sem, "Leaving rwsem_wake");
3.1985 +
3.1986 +@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
3.1987 + */
3.1988 + struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
3.1989 + {
3.1990 ++ unsigned long flags;
3.1991 ++
3.1992 + rwsemtrace(sem, "Entering rwsem_downgrade_wake");
3.1993 +
3.1994 +- spin_lock(&sem->wait_lock);
3.1995 ++ spin_lock_irqsave(&sem->wait_lock, flags);
3.1996 +
3.1997 + /* do nothing if list empty */
3.1998 + if (!list_empty(&sem->wait_list))
3.1999 + sem = __rwsem_do_wake(sem, 1);
3.2000 +
3.2001 +- spin_unlock(&sem->wait_lock);
3.2002 ++ spin_unlock_irqrestore(&sem->wait_lock, flags);
3.2003 +
3.2004 + rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
3.2005 + return sem;
3.2006 +diff --git a/mm/mmap.c b/mm/mmap.c
3.2007 +--- a/mm/mmap.c
3.2008 ++++ b/mm/mmap.c
3.2009 +@@ -1315,37 +1315,40 @@ unsigned long
3.2010 + get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
3.2011 + unsigned long pgoff, unsigned long flags)
3.2012 + {
3.2013 +- if (flags & MAP_FIXED) {
3.2014 +- unsigned long ret;
3.2015 ++ unsigned long ret;
3.2016 +
3.2017 +- if (addr > TASK_SIZE - len)
3.2018 +- return -ENOMEM;
3.2019 +- if (addr & ~PAGE_MASK)
3.2020 +- return -EINVAL;
3.2021 +- if
(file && is_file_hugepages(file)) {
3.2022 +- /*
3.2023 +- * Check if the given range is hugepage aligned, and
3.2024 +- * can be made suitable for hugepages.
3.2025 +- */
3.2026 +- ret = prepare_hugepage_range(addr, len);
3.2027 +- } else {
3.2028 +- /*
3.2029 +- * Ensure that a normal request is not falling in a
3.2030 +- * reserved hugepage range. For some archs like IA-64,
3.2031 +- * there is a separate region for hugepages.
3.2032 +- */
3.2033 +- ret = is_hugepage_only_range(addr, len);
3.2034 +- }
3.2035 +- if (ret)
3.2036 +- return -EINVAL;
3.2037 +- return addr;
3.2038 +- }
3.2039 ++ if (!(flags & MAP_FIXED)) {
3.2040 ++ unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
3.2041 +
3.2042 +- if (file && file->f_op && file->f_op->get_unmapped_area)
3.2043 +- return file->f_op->get_unmapped_area(file, addr, len,
3.2044 +- pgoff, flags);
3.2045 ++ get_area = current->mm->get_unmapped_area;
3.2046 ++ if (file && file->f_op && file->f_op->get_unmapped_area)
3.2047 ++ get_area = file->f_op->get_unmapped_area;
3.2048 ++ addr = get_area(file, addr, len, pgoff, flags);
3.2049 ++ if (IS_ERR_VALUE(addr))
3.2050 ++ return addr;
3.2051 ++ }
3.2052 +
3.2053 +- return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
3.2054 ++ if (addr > TASK_SIZE - len)
3.2055 ++ return -ENOMEM;
3.2056 ++ if (addr & ~PAGE_MASK)
3.2057 ++ return -EINVAL;
3.2058 ++ if (file && is_file_hugepages(file)) {
3.2059 ++ /*
3.2060 ++ * Check if the given range is hugepage aligned, and
3.2061 ++ * can be made suitable for hugepages.
3.2062 ++ */
3.2063 ++ ret = prepare_hugepage_range(addr, len);
3.2064 ++ } else {
3.2065 ++ /*
3.2066 ++ * Ensure that a normal request is not falling in a
3.2067 ++ * reserved hugepage range. For some archs like IA-64,
3.2068 ++ * there is a separate region for hugepages.
3.2069 ++ */
3.2070 ++ ret = is_hugepage_only_range(addr, len);
3.2071 ++ }
3.2072 ++ if (ret)
3.2073 ++ return -EINVAL;
3.2074 ++ return addr;
3.2075 + }
3.2076 +
3.2077 + EXPORT_SYMBOL(get_unmapped_area);
3.2078 +diff --git a/mm/rmap.c b/mm/rmap.c
3.2079 +--- a/mm/rmap.c
3.2080 ++++ b/mm/rmap.c
3.2081 +@@ -641,7 +641,7 @@ static void try_to_unmap_cluster(unsigne
3.2082 + pgd_t *pgd;
3.2083 + pud_t *pud;
3.2084 + pmd_t *pmd;
3.2085 +- pte_t *pte;
3.2086 ++ pte_t *pte, *original_pte;
3.2087 + pte_t pteval;
3.2088 + struct page *page;
3.2089 + unsigned long address;
3.2090 +@@ -673,7 +673,7 @@ static void try_to_unmap_cluster(unsigne
3.2091 + if (!pmd_present(*pmd))
3.2092 + goto out_unlock;
3.2093 +
3.2094 +- for (pte = pte_offset_map(pmd, address);
3.2095 ++ for (original_pte = pte = pte_offset_map(pmd, address);
3.2096 + address < end; pte++, address += PAGE_SIZE) {
3.2097 +
3.2098 + if (!pte_present(*pte))
3.2099 +@@ -710,7 +710,7 @@ static void try_to_unmap_cluster(unsigne
3.2100 + (*mapcount)--;
3.2101 + }
3.2102 +
3.2103 +- pte_unmap(pte);
3.2104 ++ pte_unmap(original_pte);
3.2105 +
3.2106 + out_unlock:
3.2107 + spin_unlock(&mm->page_table_lock);
3.2108 +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
3.2109 +--- a/net/bluetooth/af_bluetooth.c
3.2110 ++++ b/net/bluetooth/af_bluetooth.c
3.2111 +@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
3.2112 +
3.2113 + int bt_sock_register(int proto, struct net_proto_family *ops)
3.2114 + {
3.2115 +- if (proto >= BT_MAX_PROTO)
3.2116 ++ if (proto < 0 || proto >= BT_MAX_PROTO)
3.2117 + return -EINVAL;
3.2118 +
3.2119 + if (bt_proto[proto])
3.2120 +@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
3.2121 +
3.2122 + int bt_sock_unregister(int proto)
3.2123 + {
3.2124 +- if (proto >= BT_MAX_PROTO)
3.2125 ++ if (proto < 0 || proto >= BT_MAX_PROTO)
3.2126 + return -EINVAL;
3.2127 +
3.2128 + if (!bt_proto[proto])
3.2129 +@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket
3.2130 + {
3.2131
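Review bot: The range check `addr > TASK_SIZE - len` in get_unmapped_area() (mm/mmap.c) is an unsigned subtraction, so a `len` larger than `TASK_SIZE` wraps and lets an out-of-range request through. Nothing inside the function bounds `len` first; callers may already do so, but that cannot be seen from this hunk. Since the check now also covers addresses returned by the `get_area` callbacks, this is the natural place to make it self-contained. Adding `if (len > TASK_SIZE) return -ENOMEM;` ahead of the `MAP_FIXED` test would do that.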
+ int err = 0;
3.2132 +
3.2133 +- if (proto >= BT_MAX_PROTO)
3.2134 ++ if (proto < 0 || proto >= BT_MAX_PROTO)
3.2135 + return -EINVAL;
3.2136 +
3.2137 + #if defined(CONFIG_KMOD)
3.2138 +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
3.2139 +--- a/net/bridge/br_input.c
3.2140 ++++ b/net/bridge/br_input.c
3.2141 +@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
3.2142 + struct net_bridge_fdb_entry *dst;
3.2143 + int passedup = 0;
3.2144 +
3.2145 ++ /* insert into forwarding database after filtering to avoid spoofing */
3.2146 ++ br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
3.2147 ++
3.2148 + if (br->dev->flags & IFF_PROMISC) {
3.2149 + struct sk_buff *skb2;
3.2150 +
3.2151 +@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
3.2152 + if (eth_hdr(skb)->h_source[0] & 1)
3.2153 + goto err;
3.2154 +
3.2155 +- if (p->state == BR_STATE_LEARNING ||
3.2156 +- p->state == BR_STATE_FORWARDING)
3.2157 ++ if (p->state == BR_STATE_LEARNING)
3.2158 + br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
3.2159 +
3.2160 + if (p->br->stp_enabled &&
3.2161 +diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
3.2162 +--- a/net/bridge/br_stp_bpdu.c
3.2163 ++++ b/net/bridge/br_stp_bpdu.c
3.2164 +@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
3.2165 + struct net_bridge *br = p->br;
3.2166 + unsigned char *buf;
3.2167 +
3.2168 ++ /* insert into forwarding database after filtering to avoid spoofing */
3.2169 ++ br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
3.2170 ++
3.2171 + /* need at least the 802 and STP headers */
3.2172 + if (!pskb_may_pull(skb, sizeof(header)+1) ||
3.2173 + memcmp(skb->data, header, sizeof(header)))
3.2174 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
3.2175 +--- a/net/bridge/netfilter/ebtables.c
3.2176 ++++ b/net/bridge/netfilter/ebtables.c
3.2177 +@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int
3.2178 + struct ebt_chainstack *cs;
3.2179 + struct
ebt_entries *chaininfo;
3.2180 + char *base;
3.2181 +- struct ebt_table_info *private = table->private;
3.2182 ++ struct ebt_table_info *private;
3.2183 +
3.2184 + read_lock_bh(&table->lock);
3.2185 ++ private = table->private;
3.2186 + cb_base = COUNTER_BASE(private->counters, private->nentries,
3.2187 + smp_processor_id());
3.2188 + if (private->chainstack)
3.2189 +diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
3.2190 +--- a/net/ipv4/fib_hash.c
3.2191 ++++ b/net/ipv4/fib_hash.c
3.2192 +@@ -919,13 +919,23 @@ out:
3.2193 + return fa;
3.2194 + }
3.2195 +
3.2196 ++static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
3.2197 ++{
3.2198 ++ struct fib_alias *fa = fib_get_first(seq);
3.2199 ++
3.2200 ++ if (fa)
3.2201 ++ while (pos && (fa = fib_get_next(seq)))
3.2202 ++ --pos;
3.2203 ++ return pos ? NULL : fa;
3.2204 ++}
3.2205 ++
3.2206 + static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
3.2207 + {
3.2208 + void *v = NULL;
3.2209 +
3.2210 + read_lock(&fib_hash_lock);
3.2211 + if (ip_fib_main_table)
3.2212 +- v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
3.2213 ++ v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
3.2214 + return v;
3.2215 + }
3.2216 +
3.2217 +diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
3.2218 +--- a/net/ipv4/netfilter/ip_queue.c
3.2219 ++++ b/net/ipv4/netfilter/ip_queue.c
3.2220 +@@ -3,6 +3,7 @@
3.2221 + * communicating with userspace via netlink.
3.2222 + *
3.2223 + * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
3.2224 ++ * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
3.2225 + *
3.2226 + * This program is free software; you can redistribute it and/or modify
3.2227 + * it under the terms of the GNU General Public License version 2 as
3.2228 +@@ -14,6 +15,7 @@
3.2229 + * Zander).
3.2230 + * 2000-08-01: Added Nick Williams' MAC support.
3.2231 + * 2002-06-25: Code cleanup.
3.2232 ++ * 2005-05-26: local_bh_{disable,enable} around nf_reinject (Harald Welte)
3.2233 + *
3.2234 + */
3.2235 + #include <linux/module.h>
3.2236 +@@ -66,7 +68,15 @@ static DECLARE_MUTEX(ipqnl_sem);
3.2237 + static void
3.2238 + ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
3.2239 + {
3.2240 ++ /* TCP input path (and probably other bits) assume to be called
3.2241 ++ * from softirq context, not from syscall, like ipq_issue_verdict is
3.2242 ++ * called. TCP input path deadlocks with locks taken from timer
3.2243 ++ * softirq, e.g. We therefore emulate this by local_bh_disable() */
3.2244 ++
3.2245 ++ local_bh_disable();
3.2246 + nf_reinject(entry->skb, entry->info, verdict);
3.2247 ++ local_bh_enable();
3.2248 ++
3.2249 + kfree(entry);
3.2250 + }
3.2251 +
3.2252 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
3.2253 +--- a/net/ipv4/tcp_input.c
3.2254 ++++ b/net/ipv4/tcp_input.c
3.2255 +@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
3.2256 + static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
3.2257 + {
3.2258 + if (tp->prior_ssthresh) {
3.2259 +- tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
3.2260 ++ if (tcp_is_bic(tp))
3.2261 ++ tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
3.2262 ++ else
3.2263 ++ tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
3.2264 +
3.2265 + if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
3.2266 + tp->snd_ssthresh = tp->prior_ssthresh;
3.2267 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
3.2268 +--- a/net/ipv4/tcp_timer.c
3.2269 ++++ b/net/ipv4/tcp_timer.c
3.2270 +@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
3.2271 +
3.2272 + #ifdef TCP_DEBUG
3.2273 + const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
3.2274 ++EXPORT_SYMBOL(tcp_timer_bug_msg);
3.2275 + #endif
3.2276 +
3.2277 + /*
3.2278 +diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
3.2279 +--- a/net/ipv4/xfrm4_output.c
3.2280 ++++
b/net/ipv4/xfrm4_output.c
3.2281 +@@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
3.2282 + goto error_nolock;
3.2283 + }
3.2284 +
3.2285 +- spin_lock_bh(&x->lock);
3.2286 +- err = xfrm_state_check(x, skb);
3.2287 +- if (err)
3.2288 +- goto error;
3.2289 +-
3.2290 + if (x->props.mode) {
3.2291 + err = xfrm4_tunnel_check_size(skb);
3.2292 + if (err)
3.2293 +- goto error;
3.2294 ++ goto error_nolock;
3.2295 + }
3.2296 +
3.2297 ++ spin_lock_bh(&x->lock);
3.2298 ++ err = xfrm_state_check(x, skb);
3.2299 ++ if (err)
3.2300 ++ goto error;
3.2301 ++
3.2302 + xfrm4_encap(skb);
3.2303 +
3.2304 + err = x->type->output(skb);
3.2305 +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
3.2306 +--- a/net/ipv6/xfrm6_output.c
3.2307 ++++ b/net/ipv6/xfrm6_output.c
3.2308 +@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
3.2309 + goto error_nolock;
3.2310 + }
3.2311 +
3.2312 +- spin_lock_bh(&x->lock);
3.2313 +- err = xfrm_state_check(x, skb);
3.2314 +- if (err)
3.2315 +- goto error;
3.2316 +-
3.2317 + if (x->props.mode) {
3.2318 + err = xfrm6_tunnel_check_size(skb);
3.2319 + if (err)
3.2320 +- goto error;
3.2321 ++ goto error_nolock;
3.2322 + }
3.2323 +
3.2324 ++ spin_lock_bh(&x->lock);
3.2325 ++ err = xfrm_state_check(x, skb);
3.2326 ++ if (err)
3.2327 ++ goto error;
3.2328 ++
3.2329 + xfrm6_encap(skb);
3.2330 +
3.2331 + err = x->type->output(skb);
3.2332 +diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
3.2333 +--- a/net/netrom/nr_in.c
3.2334 ++++ b/net/netrom/nr_in.c
3.2335 +@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
3.2336 + static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
3.2337 + int frametype)
3.2338 + {
3.2339 +- bh_lock_sock(sk);
3.2340 + switch (frametype) {
3.2341 + case NR_CONNACK: {
3.2342 + nr_cb *nr = nr_sk(sk);
3.2343 +@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
3.2344 + default:
3.2345 + break;
3.2346 + }
3.2347 +- bh_unlock_sock(sk);
3.2348 +-
3.2349 + return 0;
3.2350 + }
3.2351 +
3.2352 +@@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
3.2353 + static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
3.2354 + int frametype)
3.2355 + {
3.2356 +- bh_lock_sock(sk);
3.2357 + switch (frametype) {
3.2358 + case NR_CONNACK | NR_CHOKE_FLAG:
3.2359 + nr_disconnect(sk, ECONNRESET);
3.2360 +@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
3.2361 + default:
3.2362 + break;
3.2363 + }
3.2364 +- bh_unlock_sock(sk);
3.2365 +-
3.2366 + return 0;
3.2367 + }
3.2368 +
3.2369 +@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
3.2370 + nr = skb->data[18];
3.2371 + ns = skb->data[17];
3.2372 +
3.2373 +- bh_lock_sock(sk);
3.2374 + switch (frametype) {
3.2375 + case NR_CONNREQ:
3.2376 + nr_write_internal(sk, NR_CONNACK);
3.2377 +@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
3.2378 + default:
3.2379 + break;
3.2380 + }
3.2381 +- bh_unlock_sock(sk);
3.2382 +-
3.2383 + return queued;
3.2384 + }
3.2385 +
3.2386 +diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
3.2387 +--- a/net/rose/rose_route.c
3.2388 ++++ b/net/rose/rose_route.c
3.2389 +@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
3.2390 + }
3.2391 + if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
3.2392 + return -EINVAL;
3.2393 +-
3.2394 ++ if (rose_route.ndigis > 8) /* No more than 8 digipeats */
3.2395 ++ return -EINVAL;
3.2396 + err = rose_add_node(&rose_route, dev);
3.2397 + dev_put(dev);
3.2398 + return err;
3.2399 +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
3.2400 +--- a/net/sched/sch_netem.c
3.2401 ++++ b/net/sched/sch_netem.c
3.2402 +@@ -184,10 +184,15 @@ static int netem_enqueue(struct sk_buff
3.2403 + /* Random duplication */
3.2404 + if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor)) {
3.2405 + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
3.2406 +-
3.2407 +- pr_debug("netem_enqueue: dup %p\n", skb2);
3.2408 +- if (skb2)
3.2409 +- delay_skb(sch, skb2);
3.2410 ++
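Review bot: The new `ndigis` check in rose_rt_ioctl() returns `-EINVAL` without the `dev_put(dev)` that the normal path calls two lines later. If `dev` already holds a reference at this point (it is acquired above the hunk, so this is inferred), every rejected request leaks that reference. The `mask > 10` return just above has the same shape. Suggested: `if (rose_route.ndigis > 8) { dev_put(dev); return -EINVAL; }`, with the literal 8 replaced by a named constant if the headers provide one for the digipeater limit.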
if (skb2) {
3.2411 ++ struct Qdisc *rootq = sch->dev->qdisc;
3.2412 ++ u32 dupsave = q->duplicate;
3.2413 ++
3.2414 ++ /* prevent duplicating a dup... */
3.2415 ++ q->duplicate = 0;
3.2416 ++ rootq->enqueue(skb2, rootq);
3.2417 ++ q->duplicate = dupsave;
3.2418 ++ }
3.2419 + }
3.2420 +
3.2421 + /* If doing simple delay then gap == 0 so all packets
3.2422 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
3.2423 +--- a/net/xfrm/xfrm_state.c
3.2424 ++++ b/net/xfrm/xfrm_state.c
3.2425 +@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
3.2426 +
3.2427 + for (i = 0; i < XFRM_DST_HSIZE; i++) {
3.2428 + list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
3.2429 +- if (x->km.seq == seq) {
3.2430 ++ if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
3.2431 + xfrm_state_hold(x);
3.2432 + return x;
3.2433 + }
3.2434 +diff --git a/security/keys/key.c b/security/keys/key.c
3.2435 +--- a/security/keys/key.c
3.2436 ++++ b/security/keys/key.c
3.2437 +@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
3.2438 + {
3.2439 + struct key_user *candidate = NULL, *user;
3.2440 + struct rb_node *parent = NULL;
3.2441 +- struct rb_node **p = &key_user_tree.rb_node;
3.2442 ++ struct rb_node **p;
3.2443 +
3.2444 + try_again:
3.2445 ++ p = &key_user_tree.rb_node;
3.2446 + spin_lock(&key_user_lock);
3.2447 +
3.2448 + /* search the tree for a user record with a matching UID */
3.2449 +diff --git a/sound/core/timer.c b/sound/core/timer.c
3.2450 +--- a/sound/core/timer.c
3.2451 ++++ b/sound/core/timer.c
3.2452 +@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
3.2453 + if (tu->qused >= tu->queue_size) {
3.2454 + tu->overrun++;
3.2455 + } else {
3.2456 +- memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
3.2457 ++ memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
3.2458 ++ tu->qtail %= tu->queue_size;
3.2459 + tu->qused++;
3.2460 + }
3.2461 + }
3.2462 +@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
3.2463 +
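Review bot: The result of `rootq->enqueue(skb2, rootq)` in netem_enqueue() is discarded, and the `pr_debug` that used to record the duplicate has been removed, so a clone the root qdisc refuses disappears without any trace. The comment `/* prevent duplicating a dup... */` should also say why clearing `q->duplicate` achieves that; presumably the clone re-enters this qdisc through the root, and the save/restore depends on the enqueue path being serialized. The rest of netem_enqueue() lies outside the hunk, so both assumptions need confirming against the full function.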
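Review bot: Only `p` is re-initialised after `try_again:` in key_user_lookup(); `parent` is still set once in its declaration, so on a retry it keeps whatever the previous tree walk left in it. If the tree can be empty on the second pass, the insertion code would link the new node under a stale parent. The walk and the insert are below the hunk, so this is inferred rather than visible. Resetting both together, `parent = NULL;` next to `p = &key_user_tree.rb_node;`, makes a retry equivalent to a first entry.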
spin_lock(&tu->qlock);
3.2464 + snd_timer_user_append_to_tqueue(tu, &r1);
3.2465 + spin_unlock(&tu->qlock);
3.2466 ++ kill_fasync(&tu->fasync, SIGIO, POLL_IN);
3.2467 ++ wake_up(&tu->qchange_sleep);
3.2468 + }
3.2469 +
3.2470 + static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
3.2471 +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
3.2472 +--- a/sound/pci/ac97/ac97_codec.c
3.2473 ++++ b/sound/pci/ac97/ac97_codec.c
3.2474 +@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
3.2475 + /*
3.2476 + * create mute switch(es) for normal stereo controls
3.2477 + */
3.2478 +-static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
3.2479 ++static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
3.2480 + {
3.2481 + snd_kcontrol_t *kctl;
3.2482 + int err;
3.2483 +@@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
3.2484 +
3.2485 + mute_mask = 0x8000;
3.2486 + val = snd_ac97_read(ac97, reg);
3.2487 +- if (ac97->flags & AC97_STEREO_MUTES) {
3.2488 ++ if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
3.2489 + /* check whether both mute bits work */
3.2490 + val1 = val | 0x8080;
3.2491 + snd_ac97_write(ac97, reg, val1);
3.2492 +@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t
3.2493 + /*
3.2494 + * create a mute-switch and a volume for normal stereo/mono controls
3.2495 + */
3.2496 +-static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
3.2497 ++static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
3.2498 + {
3.2499 + int err;
3.2500 + char name[44];
3.2501 +@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t
3.2502 +
3.2503 + if (snd_ac97_try_bit(ac97, reg, 15)) {
3.2504 + sprintf(name, "%s Switch", pfx);
3.2505 +- if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
3.2506 ++ if ((err =
snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
3.2507 + return err;
3.2508 + }
3.2509 + check_volume_resolution(ac97, reg, &lo_max, &hi_max);
3.2510 +@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t
3.2511 + return 0;
3.2512 + }
3.2513 +
3.2514 ++#define snd_ac97_cmix_new(card, pfx, reg, ac97) snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
3.2515 ++#define snd_ac97_cmute_new(card, name, reg, ac97) snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
3.2516 +
3.2517 + static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
3.2518 +
3.2519 +@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
3.2520 +
3.2521 + /* build surround controls */
3.2522 + if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
3.2523 +- if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
3.2524 ++ /* Surround Master (0x38) is with stereo mutes */
3.2525 ++ if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
3.2526 + return err;
3.2527 + }
3.2528 +
3.2529 +diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
3.2530 +--- a/sound/usb/usbaudio.c
3.2531 ++++ b/sound/usb/usbaudio.c
3.2532 +@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
3.2533 + }
3.2534 + usb_chip[chip->index] = NULL;
3.2535 + up(®ister_mutex);
3.2536 +- snd_card_free_in_thread(card);
3.2537 ++ snd_card_free(card);
3.2538 + } else {
3.2539 + up(®ister_mutex);
3.2540 + }
3.2541 +diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
3.2542 +--- a/sound/usb/usx2y/usbusx2y.c
3.2543 ++++ b/sound/usb/usx2y/usbusx2y.c
3.2544 +@@ -1,6 +1,11 @@
3.2545 + /*
3.2546 + * usbusy2y.c - ALSA USB US-428 Driver
3.2547 + *
3.2548 ++2005-04-14 Karsten Wiese
3.2549 ++ Version 0.8.7.2:
3.2550 ++ Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
3.2551 ++ Tested ok with kernel 2.6.12-rc2.
3.2552 ++
3.2553 + 2004-12-14 Karsten Wiese
3.2554 + Version 0.8.7.1:
3.2555 + snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
3.2556 +@@ -143,7 +148,7 @@
3.2557 +
3.2558 +
3.2559 + MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
3.2560 +-MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
3.2561 ++MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
3.2562 + MODULE_LICENSE("GPL");
3.2563 + MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
3.2564 +
3.2565 +@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct
3.2566 + if (ptr) {
3.2567 + usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
3.2568 + struct list_head* p;
3.2569 +- if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP) // on 2.6.1 kernel snd_usbmidi_disconnect()
3.2570 +- return; // calls us back. better leave :-) .
3.2571 + usX2Y->chip.shutdown = 1;
3.2572 + usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
3.2573 + usX2Y_unlinkSeq(&usX2Y->AS04);
3.2574 +@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct
3.2575 + }
3.2576 + if (usX2Y->us428ctls_sharedmem)
3.2577 + wake_up(&usX2Y->us428ctls_wait_queue_head);
3.2578 +- snd_card_free_in_thread((snd_card_t*)ptr);
3.2579 ++ snd_card_free((snd_card_t*)ptr);
3.2580 + }
3.2581 + }
3.2582 +