diff options
Diffstat (limited to 'target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch')
-rw-r--r-- | target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch | 6360 |
1 files changed, 0 insertions, 6360 deletions
diff --git a/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch b/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch deleted file mode 100644 index 1a1b32409..000000000 --- a/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch +++ /dev/null @@ -1,6360 +0,0 @@ -diff --git a/Documentation/dvb/get_dvb_firmware b/Documentation/dvb/get_dvb_firmware -index 75c28a1..948f502 100644 ---- a/Documentation/dvb/get_dvb_firmware -+++ b/Documentation/dvb/get_dvb_firmware -@@ -240,9 +240,9 @@ sub dibusb { - } - - sub nxt2002 { -- my $sourcefile = "Broadband4PC_4_2_11.zip"; -+ my $sourcefile = "Technisat_DVB-PC_4_4_COMPACT.zip"; - my $url = "http://www.bbti.us/download/windows/$sourcefile"; -- my $hash = "c6d2ea47a8f456d887ada0cfb718ff2a"; -+ my $hash = "476befae8c7c1bb9648954060b1eec1f"; - my $outfile = "dvb-fe-nxt2002.fw"; - my $tmpdir = tempdir(DIR => "/tmp", CLEANUP => 1); - -@@ -250,8 +250,8 @@ sub nxt2002 { - - wgetfile($sourcefile, $url); - unzip($sourcefile, $tmpdir); -- verify("$tmpdir/SkyNETU.sys", $hash); -- extract("$tmpdir/SkyNETU.sys", 375832, 5908, $outfile); -+ verify("$tmpdir/SkyNET.sys", $hash); -+ extract("$tmpdir/SkyNET.sys", 331624, 5908, $outfile); - - $outfile; - } -diff --git a/Makefile b/Makefile -index cb57905..600c769 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,7 +1,7 @@ - VERSION = 2 - PATCHLEVEL = 6 - SUBLEVEL = 16 --EXTRAVERSION = -+EXTRAVERSION = .20 - NAME=Sliding Snow Leopard - - # *DOCUMENTATION* -diff --git a/arch/alpha/kernel/setup.c b/arch/alpha/kernel/setup.c -index b4e5f8f..45308bd 100644 ---- a/arch/alpha/kernel/setup.c -+++ b/arch/alpha/kernel/setup.c -@@ -24,6 +24,7 @@ #include <linux/delay.h> - #include <linux/config.h> /* CONFIG_ALPHA_LCA etc */ - #include <linux/mc146818rtc.h> - #include <linux/console.h> -+#include <linux/cpu.h> - #include <linux/errno.h> - #include <linux/init.h> - #include <linux/string.h> -@@ -477,6 +478,22 @@ #undef PFN_DOWN - #undef PFN_PHYS - #undef PFN_MAX - -+static int __init -+register_cpus(void) -+{ -+ int i; -+ -+ for_each_possible_cpu(i) { -+ struct cpu *p = kzalloc(sizeof(*p), GFP_KERNEL); -+ if (!p) -+ return -ENOMEM; -+ register_cpu(p, i, NULL); -+ } -+ return 0; -+} -+ -+arch_initcall(register_cpus); -+ - void __init - setup_arch(char **cmdline_p) - { -diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c -index 02c2db0..1852554 100644 ---- a/arch/alpha/kernel/smp.c -+++ b/arch/alpha/kernel/smp.c -@@ -439,7 +439,7 @@ setup_smp(void) - if ((cpu->flags & 0x1cc) == 0x1cc) { - smp_num_probed++; - /* Assume here that "whami" == index */ -- cpu_set(i, cpu_possible_map); -+ cpu_set(i, cpu_present_mask); - cpu->pal_revision = boot_cpu_palrev; - } - -@@ -450,9 +450,8 @@ setup_smp(void) - } - } else { - smp_num_probed = 1; -- cpu_set(boot_cpuid, cpu_possible_map); -+ cpu_set(boot_cpuid, cpu_present_mask); - } -- cpu_present_mask = cpumask_of_cpu(boot_cpuid); - - printk(KERN_INFO "SMP: %d CPUs probed -- cpu_present_mask = %lx\n", - smp_num_probed, cpu_possible_map.bits[0]); -@@ -488,9 +487,8 @@ void __devinit - smp_prepare_boot_cpu(void) - { - /* -- * Mark the boot cpu (current cpu) as both present and online -+ * Mark the boot cpu (current cpu) as online - */ -- cpu_set(smp_processor_id(), cpu_present_mask); - cpu_set(smp_processor_id(), cpu_online_map); - } - -diff --git a/arch/alpha/lib/strncpy.S b/arch/alpha/lib/strncpy.S -index 338551c..bbdef1b 100644 ---- a/arch/alpha/lib/strncpy.S -+++ b/arch/alpha/lib/strncpy.S -@@ -43,8 +43,8 @@ strncpy: - - .align 4 - $multiword: -- subq $24, 1, $2 # clear the final bits in the prev word -- or $2, $24, $2 -+ subq $27, 1, $2 # clear the final bits in the prev word -+ or $2, $27, $2 - zapnot $1, $2, $1 - subq $18, 1, $18 - -@@ -70,8 +70,8 @@ strncpy: - bne $18, 0b - - 1: ldq_u $1, 0($16) # clear the leading bits in the final word -- subq $27, 1, $2 -- or $2, $27, $2 -+ subq $24, 1, $2 -+ or $2, $24, $2 - - zap $1, $2, $1 - stq_u $1, 0($16) -diff --git a/arch/i386/kernel/apm.c b/arch/i386/kernel/apm.c -index 05312a8..558d2d2 100644 ---- a/arch/i386/kernel/apm.c -+++ b/arch/i386/kernel/apm.c -@@ -1081,7 +1081,7 @@ static int apm_console_blank(int blank) - break; - } - -- if (error == APM_NOT_ENGAGED && state != APM_STATE_READY) { -+ if (error == APM_NOT_ENGAGED) { - static int tried; - int eng_error; - if (tried++ == 0) { -diff --git a/arch/i386/kernel/cpu/amd.c b/arch/i386/kernel/cpu/amd.c -index 0810f81..d2d50cb 100644 ---- a/arch/i386/kernel/cpu/amd.c -+++ b/arch/i386/kernel/cpu/amd.c -@@ -207,6 +207,8 @@ #define CBAR_KEY (0X000000CB) - set_bit(X86_FEATURE_K7, c->x86_capability); - break; - } -+ if (c->x86 >= 6) -+ set_bit(X86_FEATURE_FXSAVE_LEAK, c->x86_capability); - - display_cacheinfo(c); - -diff --git a/arch/i386/kernel/cpu/cpufreq/Kconfig b/arch/i386/kernel/cpu/cpufreq/Kconfig -index 26892d2..16f2e35 100644 ---- a/arch/i386/kernel/cpu/cpufreq/Kconfig -+++ b/arch/i386/kernel/cpu/cpufreq/Kconfig -@@ -203,6 +203,7 @@ config X86_LONGRUN - config X86_LONGHAUL - tristate "VIA Cyrix III Longhaul" - select CPU_FREQ_TABLE -+ depends on BROKEN - help - This adds the CPUFreq driver for VIA Samuel/CyrixIII, - VIA Cyrix Samuel/C3, VIA Cyrix Ezra and VIA Cyrix Ezra-T -diff --git a/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c b/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c -index cc73a7a..ebe1848 100644 ---- a/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c -+++ b/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c -@@ -244,7 +244,7 @@ #endif - for (i=1; (p4clockmod_table[i].frequency != CPUFREQ_TABLE_END); i++) { - if ((i<2) && (has_N44_O17_errata[policy->cpu])) - p4clockmod_table[i].frequency = CPUFREQ_ENTRY_INVALID; -- else if (has_N60_errata[policy->cpu] && p4clockmod_table[i].frequency < 2000000) -+ else if (has_N60_errata[policy->cpu] && ((stock_freq * i)/8) < 2000000) - p4clockmod_table[i].frequency = CPUFREQ_ENTRY_INVALID; - else - p4clockmod_table[i].frequency = (stock_freq * i)/8; -diff --git a/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c b/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c -index 28cc5d5..cfc4276 100644 ---- a/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c -+++ b/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c -@@ -75,7 +75,9 @@ static int speedstep_smi_ownership (void - __asm__ __volatile__( - "out %%al, (%%dx)\n" - : "=D" (result) -- : "a" (command), "b" (function), "c" (0), "d" (smi_port), "D" (0), "S" (magic) -+ : "a" (command), "b" (function), "c" (0), "d" (smi_port), -+ "D" (0), "S" (magic) -+ : "memory" - ); - - dprintk("result is %x\n", result); -diff --git a/arch/i386/kernel/dmi_scan.c b/arch/i386/kernel/dmi_scan.c -index 6a93d75..ca2a0cb 100644 ---- a/arch/i386/kernel/dmi_scan.c -+++ b/arch/i386/kernel/dmi_scan.c -@@ -106,7 +106,7 @@ static void __init dmi_save_devices(stru - struct dmi_device *dev; - - for (i = 0; i < count; i++) { -- char *d = ((char *) dm) + (i * 2); -+ char *d = (char *)(dm + 1) + (i * 2); - - /* Skip disabled device */ - if ((*d & 0x80) == 0) -diff --git a/arch/i386/kernel/vm86.c b/arch/i386/kernel/vm86.c -index f51c894..aee14fa 100644 ---- a/arch/i386/kernel/vm86.c -+++ b/arch/i386/kernel/vm86.c -@@ -43,6 +43,7 @@ #include <linux/smp.h> - #include <linux/smp_lock.h> - #include <linux/highmem.h> - #include <linux/ptrace.h> -+#include <linux/audit.h> - - #include <asm/uaccess.h> - #include <asm/io.h> -@@ -252,6 +253,7 @@ out: - static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk) - { - struct tss_struct *tss; -+ long eax; - /* - * make sure the vm86() system call doesn't try to do anything silly - */ -@@ -305,13 +307,19 @@ static void do_sys_vm86(struct kernel_vm - tsk->thread.screen_bitmap = info->screen_bitmap; - if (info->flags & VM86_SCREEN_BITMAP) - mark_screen_rdonly(tsk->mm); -+ __asm__ __volatile__("xorl %eax,%eax; movl %eax,%fs; movl %eax,%gs\n\t"); -+ __asm__ __volatile__("movl %%eax, %0\n" :"=r"(eax)); -+ -+ /*call audit_syscall_exit since we do not exit via the normal paths */ -+ if (unlikely(current->audit_context)) -+ audit_syscall_exit(current, AUDITSC_RESULT(eax), eax); -+ - __asm__ __volatile__( -- "xorl %%eax,%%eax; movl %%eax,%%fs; movl %%eax,%%gs\n\t" - "movl %0,%%esp\n\t" - "movl %1,%%ebp\n\t" - "jmp resume_userspace" - : /* no outputs */ -- :"r" (&info->regs), "r" (task_thread_info(tsk)) : "ax"); -+ :"r" (&info->regs), "r" (task_thread_info(tsk))); - /* we never return here */ - } - -diff --git a/arch/m32r/kernel/m32r_ksyms.c b/arch/m32r/kernel/m32r_ksyms.c -index be8b711..6000950 100644 ---- a/arch/m32r/kernel/m32r_ksyms.c -+++ b/arch/m32r/kernel/m32r_ksyms.c -@@ -38,10 +38,6 @@ EXPORT_SYMBOL(__udelay); - EXPORT_SYMBOL(__delay); - EXPORT_SYMBOL(__const_udelay); - --EXPORT_SYMBOL(__get_user_1); --EXPORT_SYMBOL(__get_user_2); --EXPORT_SYMBOL(__get_user_4); -- - EXPORT_SYMBOL(strpbrk); - EXPORT_SYMBOL(strstr); - -diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c -index d742037..542ed93 100644 ---- a/arch/m32r/kernel/setup.c -+++ b/arch/m32r/kernel/setup.c -@@ -9,6 +9,7 @@ - - #include <linux/config.h> - #include <linux/init.h> -+#include <linux/kernel.h> - #include <linux/stddef.h> - #include <linux/fs.h> - #include <linux/sched.h> -@@ -218,8 +219,6 @@ #else /* CONFIG_DISCONTIGMEM */ - extern unsigned long setup_memory(void); - #endif /* CONFIG_DISCONTIGMEM */ - --#define M32R_PCC_PCATCR 0x00ef7014 /* will move to m32r.h */ -- - void __init setup_arch(char **cmdline_p) - { - ROOT_DEV = old_decode_dev(ORIG_ROOT_DEV); -@@ -268,15 +267,14 @@ #endif /* CONFIG_DISCONTIGMEM */ - paging_init(); - } - --static struct cpu cpu[NR_CPUS]; -+static struct cpu cpu_devices[NR_CPUS]; - - static int __init topology_init(void) - { -- int cpu_id; -+ int i; - -- for (cpu_id = 0; cpu_id < NR_CPUS; cpu_id++) -- if (cpu_possible(cpu_id)) -- register_cpu(&cpu[cpu_id], cpu_id, NULL); -+ for_each_present_cpu(i) -+ register_cpu(&cpu_devices[i], i, NULL); - - return 0; - } -diff --git a/arch/m32r/kernel/smpboot.c b/arch/m32r/kernel/smpboot.c -index d7ec16e..840b434 100644 ---- a/arch/m32r/kernel/smpboot.c -+++ b/arch/m32r/kernel/smpboot.c -@@ -39,8 +39,10 @@ - * Martin J. Bligh : Added support for multi-quad systems - */ - -+#include <linux/module.h> - #include <linux/config.h> - #include <linux/init.h> -+#include <linux/kernel.h> - #include <linux/mm.h> - #include <linux/smp_lock.h> - #include <linux/irq.h> -@@ -72,11 +74,15 @@ physid_mask_t phys_cpu_present_map; - - /* Bitmask of currently online CPUs */ - cpumask_t cpu_online_map; -+EXPORT_SYMBOL(cpu_online_map); - - cpumask_t cpu_bootout_map; - cpumask_t cpu_bootin_map; --cpumask_t cpu_callout_map; - static cpumask_t cpu_callin_map; -+cpumask_t cpu_callout_map; -+EXPORT_SYMBOL(cpu_callout_map); -+cpumask_t cpu_possible_map = CPU_MASK_ALL; -+EXPORT_SYMBOL(cpu_possible_map); - - /* Per CPU bogomips and other parameters */ - struct cpuinfo_m32r cpu_data[NR_CPUS] __cacheline_aligned; -@@ -110,7 +116,6 @@ static unsigned int calibration_result; - - void smp_prepare_boot_cpu(void); - void smp_prepare_cpus(unsigned int); --static void smp_tune_scheduling(void); - static void init_ipi_lock(void); - static void do_boot_cpu(int); - int __cpu_up(unsigned int); -@@ -177,6 +182,9 @@ void __init smp_prepare_cpus(unsigned in - } - for (phys_id = 0 ; phys_id < nr_cpu ; phys_id++) - physid_set(phys_id, phys_cpu_present_map); -+#ifndef CONFIG_HOTPLUG_CPU -+ cpu_present_map = cpu_possible_map; -+#endif - - show_mp_info(nr_cpu); - -@@ -186,7 +194,6 @@ void __init smp_prepare_cpus(unsigned in - * Setup boot CPU information - */ - smp_store_cpu_info(0); /* Final full version of the data */ -- smp_tune_scheduling(); - - /* - * If SMP should be disabled, then really disable it! -@@ -230,11 +237,6 @@ smp_done: - Dprintk("Boot done.\n"); - } - --static void __init smp_tune_scheduling(void) --{ -- /* Nothing to do. */ --} -- - /* - * init_ipi_lock : Initialize IPI locks. - */ -@@ -629,4 +631,3 @@ static void __init unmap_cpu_to_physid(i - physid_2_cpu[phys_id] = -1; - cpu_2_physid[cpu_id] = -1; - } -- -diff --git a/arch/m32r/lib/Makefile b/arch/m32r/lib/Makefile -index e632d10..d16b4e4 100644 ---- a/arch/m32r/lib/Makefile -+++ b/arch/m32r/lib/Makefile -@@ -2,6 +2,6 @@ # - # Makefile for M32R-specific library files.. - # - --lib-y := checksum.o ashxdi3.o memset.o memcpy.o getuser.o \ -- putuser.o delay.o strlen.o usercopy.o csum_partial_copy.o -+lib-y := checksum.o ashxdi3.o memset.o memcpy.o \ -+ delay.o strlen.o usercopy.o csum_partial_copy.o - -diff --git a/arch/m32r/lib/getuser.S b/arch/m32r/lib/getuser.S -deleted file mode 100644 -index 58a0db0..0000000 ---- a/arch/m32r/lib/getuser.S -+++ /dev/null -@@ -1,88 +0,0 @@ --/* -- * __get_user functions. -- * -- * (C) Copyright 2001 Hirokazu Takata -- * -- * These functions have a non-standard call interface -- * to make them more efficient, especially as they -- * return an error value in addition to the "real" -- * return value. -- */ -- --#include <linux/config.h> -- --/* -- * __get_user_X -- * -- * Inputs: r0 contains the address -- * -- * Outputs: r0 is error code (0 or -EFAULT) -- * r1 contains zero-extended value -- * -- * These functions should not modify any other registers, -- * as they get called from within inline assembly. -- */ -- --#ifdef CONFIG_ISA_DUAL_ISSUE -- -- .text -- .balign 4 -- .globl __get_user_1 --__get_user_1: --1: ldub r1, @r0 || ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __get_user_2 --__get_user_2: --2: lduh r1, @r0 || ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __get_user_4 --__get_user_4: --3: ld r1, @r0 || ldi r0, #0 -- jmp r14 -- --bad_get_user: -- ldi r1, #0 || ldi r0, #-14 -- jmp r14 -- --#else /* not CONFIG_ISA_DUAL_ISSUE */ -- -- .text -- .balign 4 -- .globl __get_user_1 --__get_user_1: --1: ldub r1, @r0 -- ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __get_user_2 --__get_user_2: --2: lduh r1, @r0 -- ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __get_user_4 --__get_user_4: --3: ld r1, @r0 -- ldi r0, #0 -- jmp r14 -- --bad_get_user: -- ldi r1, #0 -- ldi r0, #-14 -- jmp r14 -- --#endif /* not CONFIG_ISA_DUAL_ISSUE */ -- --.section __ex_table,"a" -- .long 1b,bad_get_user -- .long 2b,bad_get_user -- .long 3b,bad_get_user --.previous -- -- .end -diff --git a/arch/m32r/lib/putuser.S b/arch/m32r/lib/putuser.S -deleted file mode 100644 -index 218154c..0000000 ---- a/arch/m32r/lib/putuser.S -+++ /dev/null -@@ -1,84 +0,0 @@ --/* -- * __put_user functions. -- * -- * (C) Copyright 1998 Linus Torvalds -- * (C) Copyright 2001 Hirokazu Takata -- * -- * These functions have a non-standard call interface -- * to make them more efficient. -- */ -- --#include <linux/config.h> -- --/* -- * __put_user_X -- * -- * Inputs: r0 contains the address -- * r1 contains the value -- * -- * Outputs: r0 is error code (0 or -EFAULT) -- * r1 is corrupted (will contain "current_task"). -- * -- * These functions should not modify any other registers, -- * as they get called from within inline assembly. -- */ -- --#ifdef CONFIG_ISA_DUAL_ISSUE -- -- .text -- .balign 4 -- .globl __put_user_1 --__put_user_1: --1: stb r1, @r0 || ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __put_user_2 --__put_user_2: --2: sth r1, @r0 || ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __put_user_4 --__put_user_4: --3: st r1, @r0 || ldi r0, #0 -- jmp r14 -- --bad_put_user: -- ldi r0, #-14 || jmp r14 -- --#else /* not CONFIG_ISA_DUAL_ISSUE */ -- -- .text -- .balign 4 -- .globl __put_user_1 --__put_user_1: --1: stb r1, @r0 -- ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __put_user_2 --__put_user_2: --2: sth r1, @r0 -- ldi r0, #0 -- jmp r14 -- -- .balign 4 -- .globl __put_user_4 --__put_user_4: --3: st r1, @r0 -- ldi r0, #0 -- jmp r14 -- --bad_put_user: -- ldi r0, #-14 -- jmp r14 -- --#endif /* not CONFIG_ISA_DUAL_ISSUE */ -- --.section __ex_table,"a" -- .long 1b,bad_put_user -- .long 2b,bad_put_user -- .long 3b,bad_put_user --.previous -diff --git a/arch/mips/kernel/branch.c b/arch/mips/kernel/branch.c -index 374de83..b6232d9 100644 ---- a/arch/mips/kernel/branch.c -+++ b/arch/mips/kernel/branch.c -@@ -184,7 +184,7 @@ int __compute_return_epc(struct pt_regs - bit = (insn.i_format.rt >> 2); - bit += (bit != 0); - bit += 23; -- switch (insn.i_format.rt) { -+ switch (insn.i_format.rt & 3) { - case 0: /* bc1f */ - case 2: /* bc1fl */ - if (~fcr31 & (1 << bit)) -diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c -index 9572ed4..a761f99 100644 ---- a/arch/mips/mm/c-r4k.c -+++ b/arch/mips/mm/c-r4k.c -@@ -154,7 +154,8 @@ static inline void blast_icache32_r4600_ - - static inline void tx49_blast_icache32_page_indexed(unsigned long page) - { -- unsigned long start = page; -+ unsigned long indexmask = current_cpu_data.icache.waysize - 1; -+ unsigned long start = INDEX_BASE + (page & indexmask); - unsigned long end = start + PAGE_SIZE; - unsigned long ws_inc = 1UL << current_cpu_data.icache.waybit; - unsigned long ws_end = current_cpu_data.icache.ways << -diff --git a/arch/powerpc/kernel/pci_64.c b/arch/powerpc/kernel/pci_64.c -index ba92bab..4c4449b 100644 ---- a/arch/powerpc/kernel/pci_64.c -+++ b/arch/powerpc/kernel/pci_64.c -@@ -78,6 +78,7 @@ int global_phb_number; /* Global phb co - - /* Cached ISA bridge dev. */ - struct pci_dev *ppc64_isabridge_dev = NULL; -+EXPORT_SYMBOL_GPL(ppc64_isabridge_dev); - - static void fixup_broken_pcnet32(struct pci_dev* dev) - { -diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c -index f96c49b..abd758f 100644 ---- a/arch/powerpc/kernel/setup_64.c -+++ b/arch/powerpc/kernel/setup_64.c -@@ -256,12 +256,10 @@ #endif - /* - * Initialize stab / SLB management except on iSeries - */ -- if (!firmware_has_feature(FW_FEATURE_ISERIES)) { -- if (cpu_has_feature(CPU_FTR_SLB)) -- slb_initialize(); -- else -- stab_initialize(lpaca->stab_real); -- } -+ if (cpu_has_feature(CPU_FTR_SLB)) -+ slb_initialize(); -+ else if (!firmware_has_feature(FW_FEATURE_ISERIES)) -+ stab_initialize(lpaca->stab_real); - - DBG(" <- early_setup()\n"); - } -diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index 4324f8a..096dfdc 100644 ---- a/arch/powerpc/kernel/signal_64.c -+++ b/arch/powerpc/kernel/signal_64.c -@@ -213,7 +213,7 @@ static inline void __user * get_sigframe - /* Default to using normal stack */ - newsp = regs->gpr[1]; - -- if (ka->sa.sa_flags & SA_ONSTACK) { -+ if ((ka->sa.sa_flags & SA_ONSTACK) && current->sas_ss_size) { - if (! on_sig_stack(regs->gpr[1])) - newsp = (current->sas_ss_sp + current->sas_ss_size); - } -diff --git a/arch/powerpc/platforms/powermac/setup.c b/arch/powerpc/platforms/powermac/setup.c -index 29c2946..f649750 100644 ---- a/arch/powerpc/platforms/powermac/setup.c -+++ b/arch/powerpc/platforms/powermac/setup.c -@@ -456,11 +456,23 @@ static int pmac_pm_finish(suspend_state_ - return 0; - } - -+static int pmac_pm_valid(suspend_state_t state) -+{ -+ switch (state) { -+ case PM_SUSPEND_DISK: -+ return 1; -+ /* can't do any other states via generic mechanism yet */ -+ default: -+ return 0; -+ } -+} -+ - static struct pm_ops pmac_pm_ops = { - .pm_disk_mode = PM_DISK_SHUTDOWN, - .prepare = pmac_pm_prepare, - .enter = pmac_pm_enter, - .finish = pmac_pm_finish, -+ .valid = pmac_pm_valid, - }; - - #endif /* CONFIG_SOFTWARE_SUSPEND */ -diff --git a/arch/x86_64/ia32/Makefile b/arch/x86_64/ia32/Makefile -index 929e6b0..e9263b4 100644 ---- a/arch/x86_64/ia32/Makefile -+++ b/arch/x86_64/ia32/Makefile -@@ -27,5 +27,5 @@ quiet_cmd_syscall = SYSCALL $@ - $(obj)/vsyscall-%.so: $(src)/vsyscall.lds $(obj)/vsyscall-%.o FORCE - $(call if_changed,syscall) - --AFLAGS_vsyscall-sysenter.o = -m32 --AFLAGS_vsyscall-syscall.o = -m32 -+AFLAGS_vsyscall-sysenter.o = -m32 -Wa,-32 -+AFLAGS_vsyscall-syscall.o = -m32 -Wa,-32 -diff --git a/arch/x86_64/kernel/entry.S b/arch/x86_64/kernel/entry.S -index 7c10e90..97583bb 100644 ---- a/arch/x86_64/kernel/entry.S -+++ b/arch/x86_64/kernel/entry.S -@@ -180,6 +180,10 @@ rff_trace: - * - * XXX if we had a free scratch register we could save the RSP into the stack frame - * and report it properly in ps. Unfortunately we haven't. -+ * -+ * When user can change the frames always force IRET. That is because -+ * it deals with uncanonical addresses better. SYSRET has trouble -+ * with them due to bugs in both AMD and Intel CPUs. - */ - - ENTRY(system_call) -@@ -254,7 +258,10 @@ sysret_signal: - xorl %esi,%esi # oldset -> arg2 - call ptregscall_common - 1: movl $_TIF_NEED_RESCHED,%edi -- jmp sysret_check -+ /* Use IRET because user could have changed frame. This -+ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */ -+ cli -+ jmp int_with_check - - badsys: - movq $-ENOSYS,RAX-ARGOFFSET(%rsp) -@@ -274,13 +281,9 @@ tracesys: - ja 1f - movq %r10,%rcx /* fixup for C */ - call *sys_call_table(,%rax,8) -- movq %rax,RAX-ARGOFFSET(%rsp) --1: SAVE_REST -- movq %rsp,%rdi -- call syscall_trace_leave -- RESTORE_TOP_OF_STACK %rbx -- RESTORE_REST -- jmp ret_from_sys_call -+1: movq %rax,RAX-ARGOFFSET(%rsp) -+ /* Use IRET because user could have changed frame */ -+ jmp int_ret_from_sys_call - CFI_ENDPROC - - /* -@@ -408,25 +411,9 @@ ENTRY(stub_execve) - CFI_ADJUST_CFA_OFFSET -8 - CFI_REGISTER rip, r11 - SAVE_REST -- movq %r11, %r15 -- CFI_REGISTER rip, r15 - FIXUP_TOP_OF_STACK %r11 - call sys_execve -- GET_THREAD_INFO(%rcx) -- bt $TIF_IA32,threadinfo_flags(%rcx) -- CFI_REMEMBER_STATE -- jc exec_32bit - RESTORE_TOP_OF_STACK %r11 -- movq %r15, %r11 -- CFI_REGISTER rip, r11 -- RESTORE_REST -- pushq %r11 -- CFI_ADJUST_CFA_OFFSET 8 -- CFI_REL_OFFSET rip, 0 -- ret -- --exec_32bit: -- CFI_RESTORE_STATE - movq %rax,RAX(%rsp) - RESTORE_REST - jmp int_ret_from_sys_call -diff --git a/arch/x86_64/kernel/pci-gart.c b/arch/x86_64/kernel/pci-gart.c -index 0c3f052..b9dbe3c 100644 ---- a/arch/x86_64/kernel/pci-gart.c -+++ b/arch/x86_64/kernel/pci-gart.c -@@ -114,10 +114,6 @@ static unsigned long alloc_iommu(int siz - static void free_iommu(unsigned long offset, int size) - { - unsigned long flags; -- if (size == 1) { -- clear_bit(offset, iommu_gart_bitmap); -- return; -- } - spin_lock_irqsave(&iommu_bitmap_lock, flags); - __clear_bit_string(iommu_gart_bitmap, offset, size); - spin_unlock_irqrestore(&iommu_bitmap_lock, flags); -diff --git a/arch/x86_64/kernel/process.c b/arch/x86_64/kernel/process.c -index 22a05de..818ab9e 100644 ---- a/arch/x86_64/kernel/process.c -+++ b/arch/x86_64/kernel/process.c -@@ -527,8 +527,6 @@ __switch_to(struct task_struct *prev_p, - int cpu = smp_processor_id(); - struct tss_struct *tss = &per_cpu(init_tss, cpu); - -- unlazy_fpu(prev_p); -- - /* - * Reload esp0, LDT and the page table pointer: - */ -@@ -591,6 +589,12 @@ __switch_to(struct task_struct *prev_p, - prev->userrsp = read_pda(oldrsp); - write_pda(oldrsp, next->userrsp); - write_pda(pcurrent, next_p); -+ -+ /* This must be here to ensure both math_state_restore() and -+ kernel_fpu_begin() work consistently. -+ And the AMD workaround requires it to be after DS reload. */ -+ unlazy_fpu(prev_p); -+ - write_pda(kernelstack, - task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET); - -diff --git a/arch/x86_64/kernel/setup.c b/arch/x86_64/kernel/setup.c -index aa55e3c..a4a0bb5 100644 ---- a/arch/x86_64/kernel/setup.c -+++ b/arch/x86_64/kernel/setup.c -@@ -909,6 +909,10 @@ #endif - if (c->x86 == 15 && ((level >= 0x0f48 && level < 0x0f50) || level >= 0x0f58)) - set_bit(X86_FEATURE_REP_GOOD, &c->x86_capability); - -+ /* Enable workaround for FXSAVE leak */ -+ if (c->x86 >= 6) -+ set_bit(X86_FEATURE_FXSAVE_LEAK, &c->x86_capability); -+ - r = get_model_name(c); - if (!r) { - switch (c->x86) { -diff --git a/arch/x86_64/kernel/traps.c b/arch/x86_64/kernel/traps.c -index 28d50dc..a5209fd 100644 ---- a/arch/x86_64/kernel/traps.c -+++ b/arch/x86_64/kernel/traps.c -@@ -30,6 +30,7 @@ #include <linux/module.h> - #include <linux/moduleparam.h> - #include <linux/nmi.h> - #include <linux/kprobes.h> -+#include <linux/kexec.h> - - #include <asm/system.h> - #include <asm/uaccess.h> -@@ -434,6 +435,8 @@ #endif - printk(KERN_ALERT "RIP "); - printk_address(regs->rip); - printk(" RSP <%016lx>\n", regs->rsp); -+ if (kexec_should_crash(current)) -+ crash_kexec(regs); - } - - void die(const char * str, struct pt_regs * regs, long err) -@@ -456,6 +459,8 @@ void __kprobes die_nmi(char *str, struct - */ - printk(str, safe_smp_processor_id()); - show_registers(regs); -+ if (kexec_should_crash(current)) -+ crash_kexec(regs); - if (panic_on_timeout || panic_on_oops) - panic("nmi watchdog"); - printk("console shuts up ...\n"); -diff --git a/block/elevator.c b/block/elevator.c -index 24b702d..ef1e606 100644 ---- a/block/elevator.c -+++ b/block/elevator.c -@@ -314,6 +314,7 @@ void elv_insert(request_queue_t *q, stru - { - struct list_head *pos; - unsigned ordseq; -+ int unplug_it = 1; - - rq->q = q; - -@@ -378,6 +379,11 @@ void elv_insert(request_queue_t *q, stru - } - - list_add_tail(&rq->queuelist, pos); -+ /* -+ * most requeues happen because of a busy condition, don't -+ * force unplug of the queue for that case. -+ */ -+ unplug_it = 0; - break; - - default: -@@ -386,7 +392,7 @@ void elv_insert(request_queue_t *q, stru - BUG(); - } - -- if (blk_queue_plugged(q)) { -+ if (unplug_it && blk_queue_plugged(q)) { - int nrq = q->rq.count[READ] + q->rq.count[WRITE] - - q->in_flight; - -diff --git a/block/genhd.c b/block/genhd.c -index db57546..7f406f9 100644 ---- a/block/genhd.c -+++ b/block/genhd.c -@@ -16,8 +16,6 @@ #include <linux/kmod.h> - #include <linux/kobj_map.h> - #include <linux/buffer_head.h> - --#define MAX_PROBE_HASH 255 /* random */ -- - static struct subsystem block_subsys; - - static DECLARE_MUTEX(block_subsys_sem); -@@ -30,108 +28,29 @@ static struct blk_major_name { - struct blk_major_name *next; - int major; - char name[16]; --} *major_names[MAX_PROBE_HASH]; -+} *major_names[BLKDEV_MAJOR_HASH_SIZE]; - - /* index in the above - for now: assume no multimajor ranges */ - static inline int major_to_index(int major) - { -- return major % MAX_PROBE_HASH; --} -- --struct blkdev_info { -- int index; -- struct blk_major_name *bd; --}; -- --/* -- * iterate over a list of blkdev_info structures. allows -- * the major_names array to be iterated over from outside this file -- * must be called with the block_subsys_sem held -- */ --void *get_next_blkdev(void *dev) --{ -- struct blkdev_info *info; -- -- if (dev == NULL) { -- info = kmalloc(sizeof(*info), GFP_KERNEL); -- if (!info) -- goto out; -- info->index=0; -- info->bd = major_names[info->index]; -- if (info->bd) -- goto out; -- } else { -- info = dev; -- } -- -- while (info->index < ARRAY_SIZE(major_names)) { -- if (info->bd) -- info->bd = info->bd->next; -- if (info->bd) -- goto out; -- /* -- * No devices on this chain, move to the next -- */ -- info->index++; -- info->bd = (info->index < ARRAY_SIZE(major_names)) ? -- major_names[info->index] : NULL; -- if (info->bd) -- goto out; -- } -- --out: -- return info; --} -- --void *acquire_blkdev_list(void) --{ -- down(&block_subsys_sem); -- return get_next_blkdev(NULL); --} -- --void release_blkdev_list(void *dev) --{ -- up(&block_subsys_sem); -- kfree(dev); -+ return major % BLKDEV_MAJOR_HASH_SIZE; - } - -+#ifdef CONFIG_PROC_FS - --/* -- * Count the number of records in the blkdev_list. -- * must be called with the block_subsys_sem held -- */ --int count_blkdev_list(void) -+void blkdev_show(struct seq_file *f, off_t offset) - { -- struct blk_major_name *n; -- int i, count; -+ struct blk_major_name *dp; - -- count = 0; -- -- for (i = 0; i < ARRAY_SIZE(major_names); i++) { -- for (n = major_names[i]; n; n = n->next) -- count++; -+ if (offset < BLKDEV_MAJOR_HASH_SIZE) { -+ down(&block_subsys_sem); -+ for (dp = major_names[offset]; dp; dp = dp->next) -+ seq_printf(f, "%3d %s\n", dp->major, dp->name); -+ up(&block_subsys_sem); - } -- -- return count; --} -- --/* -- * extract the major and name values from a blkdev_info struct -- * passed in as a void to *dev. Must be called with -- * block_subsys_sem held -- */ --int get_blkdev_info(void *dev, int *major, char **name) --{ -- struct blkdev_info *info = dev; -- -- if (info->bd == NULL) -- return 1; -- -- *major = info->bd->major; -- *name = info->bd->name; -- return 0; - } - -+#endif /* CONFIG_PROC_FS */ - - int register_blkdev(unsigned int major, const char *name) - { -diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c -index 0ef2971..cd995c3 100644 ---- a/block/ll_rw_blk.c -+++ b/block/ll_rw_blk.c -@@ -1719,8 +1719,21 @@ void blk_run_queue(struct request_queue - - spin_lock_irqsave(q->queue_lock, flags); - blk_remove_plug(q); -- if (!elv_queue_empty(q)) -- q->request_fn(q); -+ -+ /* -+ * Only recurse once to avoid overrunning the stack, let the unplug -+ * handling reinvoke the handler shortly if we already got there. -+ */ -+ if (!elv_queue_empty(q)) { -+ if (!test_and_set_bit(QUEUE_FLAG_REENTER, &q->queue_flags)) { -+ q->request_fn(q); -+ clear_bit(QUEUE_FLAG_REENTER, &q->queue_flags); -+ } else { -+ blk_plug_device(q); -+ kblockd_schedule_work(&q->unplug_work); -+ } -+ } -+ - spin_unlock_irqrestore(q->queue_lock, flags); - } - EXPORT_SYMBOL(blk_run_queue); -diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c -index 07a7f97..29f3d75 100644 ---- a/drivers/base/cpu.c -+++ b/drivers/base/cpu.c -@@ -141,7 +141,7 @@ #endif - return error; - } - --struct sys_device *get_cpu_sysdev(int cpu) -+struct sys_device *get_cpu_sysdev(unsigned cpu) - { - if (cpu < NR_CPUS) - return cpu_sys_devices[cpu]; -diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c -index e97e911..4723182 100644 ---- a/drivers/base/firmware_class.c -+++ b/drivers/base/firmware_class.c -@@ -211,18 +211,20 @@ static int - fw_realloc_buffer(struct firmware_priv *fw_priv, int min_size) - { - u8 *new_data; -+ int new_size = fw_priv->alloc_size; - - if (min_size <= fw_priv->alloc_size) - return 0; - -- new_data = vmalloc(fw_priv->alloc_size + PAGE_SIZE); -+ new_size = ALIGN(min_size, PAGE_SIZE); -+ new_data = vmalloc(new_size); - if (!new_data) { - printk(KERN_ERR "%s: unable to alloc buffer\n", __FUNCTION__); - /* Make sure that we don't keep incomplete data */ - fw_load_abort(fw_priv); - return -ENOMEM; - } -- fw_priv->alloc_size += PAGE_SIZE; -+ fw_priv->alloc_size = new_size; - if (fw_priv->fw->data) { - memcpy(new_data, fw_priv->fw->data, fw_priv->fw->size); - vfree(fw_priv->fw->data); -diff --git a/drivers/base/node.c b/drivers/base/node.c -index 16c513a..c80c3ae 100644 ---- a/drivers/base/node.c -+++ b/drivers/base/node.c -@@ -106,7 +106,7 @@ static ssize_t node_read_numastat(struct - other_node = 0; - for (i = 0; i < MAX_NR_ZONES; i++) { - struct zone *z = &pg->node_zones[i]; -- for (cpu = 0; cpu < NR_CPUS; cpu++) { -+ for_each_online_cpu(cpu) { - struct per_cpu_pageset *ps = zone_pcp(z,cpu); - numa_hit += ps->numa_hit; - numa_miss += ps->numa_miss; -diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c -index 0d65394..71552e1 100644 ---- a/drivers/block/cciss.c -+++ b/drivers/block/cciss.c -@@ -1181,6 +1181,53 @@ static int revalidate_allvol(ctlr_info_t - return 0; - } - -+static inline void complete_buffers(struct bio *bio, int status) -+{ -+ while (bio) { -+ struct bio *xbh = bio->bi_next; -+ int nr_sectors = bio_sectors(bio); -+ -+ bio->bi_next = NULL; -+ blk_finished_io(len); -+ bio_endio(bio, nr_sectors << 9, status ? 0 : -EIO); -+ bio = xbh; -+ } -+ -+} -+ -+static void cciss_softirq_done(struct request *rq) -+{ -+ CommandList_struct *cmd = rq->completion_data; -+ ctlr_info_t *h = hba[cmd->ctlr]; -+ unsigned long flags; -+ u64bit temp64; -+ int i, ddir; -+ -+ if (cmd->Request.Type.Direction == XFER_READ) -+ ddir = PCI_DMA_FROMDEVICE; -+ else -+ ddir = PCI_DMA_TODEVICE; -+ -+ /* command did not need to be retried */ -+ /* unmap the DMA mapping for all the scatter gather elements */ -+ for(i=0; i<cmd->Header.SGList; i++) { -+ temp64.val32.lower = cmd->SG[i].Addr.lower; -+ temp64.val32.upper = cmd->SG[i].Addr.upper; -+ pci_unmap_page(h->pdev, temp64.val, cmd->SG[i].Len, ddir); -+ } -+ -+ complete_buffers(rq->bio, rq->errors); -+ -+#ifdef CCISS_DEBUG -+ printk("Done with %p\n", rq); -+#endif /* CCISS_DEBUG */ -+ -+ spin_lock_irqsave(&h->lock, flags); -+ end_that_request_last(rq, rq->errors); -+ cmd_free(h, cmd,1); -+ spin_unlock_irqrestore(&h->lock, flags); -+} -+ - /* This function will check the usage_count of the drive to be updated/added. - * If the usage_count is zero then the drive information will be updated and - * the disk will be re-registered with the kernel. If not then it will be -@@ -1249,6 +1296,8 @@ static void cciss_update_drive_info(int - - blk_queue_max_sectors(disk->queue, 512); - -+ blk_queue_softirq_done(disk->queue, cciss_softirq_done); -+ - disk->queue->queuedata = hba[ctlr]; - - blk_queue_hardsect_size(disk->queue, -@@ -2148,20 +2197,6 @@ static void start_io( ctlr_info_t *h) - addQ (&(h->cmpQ), c); - } - } -- --static inline void complete_buffers(struct bio *bio, int status) --{ -- while (bio) { -- struct bio *xbh = bio->bi_next; -- int nr_sectors = bio_sectors(bio); -- -- bio->bi_next = NULL; -- blk_finished_io(len); -- bio_endio(bio, nr_sectors << 9, status ? 0 : -EIO); -- bio = xbh; -- } -- --} - /* Assumes that CCISS_LOCK(h->ctlr) is held. */ - /* Zeros out the error record and then resends the command back */ - /* to the controller */ -@@ -2179,39 +2214,6 @@ static inline void resend_cciss_cmd( ctl - start_io(h); - } - --static void cciss_softirq_done(struct request *rq) --{ -- CommandList_struct *cmd = rq->completion_data; -- ctlr_info_t *h = hba[cmd->ctlr]; -- unsigned long flags; -- u64bit temp64; -- int i, ddir; -- -- if (cmd->Request.Type.Direction == XFER_READ) -- ddir = PCI_DMA_FROMDEVICE; -- else -- ddir = PCI_DMA_TODEVICE; -- -- /* command did not need to be retried */ -- /* unmap the DMA mapping for all the scatter gather elements */ -- for(i=0; i<cmd->Header.SGList; i++) { -- temp64.val32.lower = cmd->SG[i].Addr.lower; -- temp64.val32.upper = cmd->SG[i].Addr.upper; -- pci_unmap_page(h->pdev, temp64.val, cmd->SG[i].Len, ddir); -- } -- -- complete_buffers(rq->bio, rq->errors); -- --#ifdef CCISS_DEBUG -- printk("Done with %p\n", rq); --#endif /* CCISS_DEBUG */ -- -- spin_lock_irqsave(&h->lock, flags); -- end_that_request_last(rq, rq->errors); -- cmd_free(h, cmd,1); -- spin_unlock_irqrestore(&h->lock, flags); --} -- - /* checks the status of the job and calls complete buffers to mark all - * buffers for the completed job. Note that this function does not need - * to hold the hba/queue lock. -@@ -3269,8 +3271,8 @@ clean2: - unregister_blkdev(hba[i]->major, hba[i]->devname); - clean1: - release_io_mem(hba[i]); -- free_hba(i); - hba[i]->busy_initializing = 0; -+ free_hba(i); - return(-1); - } - -diff --git a/drivers/block/ub.c b/drivers/block/ub.c -index f04d864..a9485e5 100644 ---- a/drivers/block/ub.c -+++ b/drivers/block/ub.c -@@ -704,6 +704,9 @@ static void ub_cleanup(struct ub_dev *sc - kfree(lun); - } - -+ usb_set_intfdata(sc->intf, NULL); -+ usb_put_intf(sc->intf); -+ usb_put_dev(sc->dev); - kfree(sc); - } - -@@ -2428,7 +2431,12 @@ static int ub_probe(struct usb_interface - // sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; - usb_set_intfdata(intf, sc); - usb_get_dev(sc->dev); -- // usb_get_intf(sc->intf); /* Do we need this? */ -+ /* -+ * Since we give the interface struct to the block level through -+ * disk->driverfs_dev, we have to pin it. Otherwise, block_uevent -+ * oopses on close after a disconnect (kernels 2.6.16 and up). -+ */ -+ usb_get_intf(sc->intf); - - snprintf(sc->name, 12, DRV_NAME "(%d.%d)", - sc->dev->bus->busnum, sc->dev->devnum); -@@ -2509,7 +2517,7 @@ #endif - err_diag: - err_dev_desc: - usb_set_intfdata(intf, NULL); -- // usb_put_intf(sc->intf); -+ usb_put_intf(sc->intf); - usb_put_dev(sc->dev); - kfree(sc); - err_core: -@@ -2688,12 +2696,6 @@ static void ub_disconnect(struct usb_int - */ - - device_remove_file(&sc->intf->dev, &dev_attr_diag); -- usb_set_intfdata(intf, NULL); -- // usb_put_intf(sc->intf); -- sc->intf = NULL; -- usb_put_dev(sc->dev); -- sc->dev = NULL; -- - ub_put(sc); - } - -diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig -index 05ba410..8b72a61 100644 ---- a/drivers/char/Kconfig -+++ b/drivers/char/Kconfig -@@ -187,6 +187,7 @@ config MOXA_SMARTIO - config ISI - tristate "Multi-Tech multiport card support (EXPERIMENTAL)" - depends on SERIAL_NONSTANDARD -+ select FW_LOADER - help - This is a driver for the Multi-Tech cards which provide several - serial ports. The driver is experimental and can currently only be -diff --git a/drivers/char/agp/efficeon-agp.c b/drivers/char/agp/efficeon-agp.c -index e7aea77..40dfc29 100644 ---- a/drivers/char/agp/efficeon-agp.c -+++ b/drivers/char/agp/efficeon-agp.c -@@ -64,6 +64,12 @@ static struct gatt_mask efficeon_generic - {.mask = 0x00000001, .type = 0} - }; - -+/* This function does the same thing as mask_memory() for this chipset... */ -+static inline unsigned long efficeon_mask_memory(unsigned long addr) -+{ -+ return addr | 0x00000001; -+} -+ - static struct aper_size_info_lvl2 efficeon_generic_sizes[4] = - { - {256, 65536, 0}, -@@ -251,7 +257,7 @@ static int efficeon_insert_memory(struct - last_page = NULL; - for (i = 0; i < count; i++) { - int index = pg_start + i; -- unsigned long insert = mem->memory[i]; -+ unsigned long insert = efficeon_mask_memory(mem->memory[i]); - - page = (unsigned int *) efficeon_private.l1_table[index >> 10]; - -diff --git a/drivers/char/cs5535_gpio.c b/drivers/char/cs5535_gpio.c -index 5d72f50..46d6603 100644 ---- a/drivers/char/cs5535_gpio.c -+++ b/drivers/char/cs5535_gpio.c -@@ -241,9 +241,10 @@ static int __init cs5535_gpio_init(void) - static void __exit cs5535_gpio_cleanup(void) - { - dev_t dev_id = MKDEV(major, 0); -+ -+ cdev_del(&cs5535_gpio_cdev); - unregister_chrdev_region(dev_id, CS5535_GPIO_COUNT); -- if (gpio_base != 0) -- release_region(gpio_base, CS5535_GPIO_SIZE); -+ release_region(gpio_base, CS5535_GPIO_SIZE); - } - - module_init(cs5535_gpio_init); -diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c -index 58dcdee..0030cd8 100644 ---- a/drivers/char/ipmi/ipmi_bt_sm.c -+++ b/drivers/char/ipmi/ipmi_bt_sm.c -@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s - { - unsigned int i; - -- if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) -+ if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) - return -1; - - if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) -diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c -index 5fdf185..b61354a 100644 ---- a/drivers/char/pcmcia/cm4000_cs.c -+++ b/drivers/char/pcmcia/cm4000_cs.c -@@ -2010,10 +2010,6 @@ static int __init cmm_init(void) - if (!cmm_class) - return -1; - -- rc = pcmcia_register_driver(&cm4000_driver); -- if (rc < 0) -- return rc; -- - major = register_chrdev(0, DEVICE_NAME, &cm4000_fops); - if (major < 0) { - printk(KERN_WARNING MODULE_NAME -@@ -2021,6 +2017,12 @@ static int __init cmm_init(void) - return -1; - } - -+ rc = pcmcia_register_driver(&cm4000_driver); -+ if (rc < 0) { -+ unregister_chrdev(major, DEVICE_NAME); -+ return rc; -+ } -+ - return 0; - } - -diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c -index 466e33b..744b57d 100644 ---- a/drivers/char/pcmcia/cm4040_cs.c -+++ b/drivers/char/pcmcia/cm4040_cs.c -@@ -769,16 +769,19 @@ static int __init cm4040_init(void) - if (!cmx_class) - return -1; - -- rc = pcmcia_register_driver(&reader_driver); -- if (rc < 0) -- return rc; -- - major = register_chrdev(0, DEVICE_NAME, &reader_fops); - if (major < 0) { - printk(KERN_WARNING MODULE_NAME - ": could not get major number\n"); - return -1; - } -+ -+ rc = pcmcia_register_driver(&reader_driver); -+ if (rc < 0) { -+ unregister_chrdev(major, DEVICE_NAME); -+ return rc; -+ } -+ - return 0; - } - -diff --git a/drivers/char/snsc.c b/drivers/char/snsc.c -index 0e7d216..d22da98 100644 ---- a/drivers/char/snsc.c -+++ b/drivers/char/snsc.c -@@ -391,7 +391,8 @@ scdrv_init(void) - format_module_id(devnamep, geo_module(geoid), - MODULE_FORMAT_BRIEF); - devnamep = devname + strlen(devname); -- sprintf(devnamep, "#%d", geo_slab(geoid)); -+ sprintf(devnamep, "^%d#%d", geo_slot(geoid), -+ geo_slab(geoid)); - - /* allocate sysctl device data */ - scd = kmalloc(sizeof (struct sysctl_data_s), -diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c -index f8dd852..a90f5d9 100644 ---- a/drivers/char/sonypi.c -+++ b/drivers/char/sonypi.c -@@ -1341,6 +1341,9 @@ static int __devinit sonypi_probe(struct - else if ((pcidev = pci_get_device(PCI_VENDOR_ID_INTEL, - PCI_DEVICE_ID_INTEL_ICH6_1, NULL))) - sonypi_device.model = SONYPI_DEVICE_MODEL_TYPE3; -+ else if ((pcidev = pci_get_device(PCI_VENDOR_ID_INTEL, -+ PCI_DEVICE_ID_INTEL_ICH7_1, NULL))) -+ sonypi_device.model = SONYPI_DEVICE_MODEL_TYPE3; - else - sonypi_device.model = SONYPI_DEVICE_MODEL_TYPE2; - -diff --git a/drivers/char/tipar.c b/drivers/char/tipar.c -index eb2eb3e..079db5a 100644 ---- a/drivers/char/tipar.c -+++ b/drivers/char/tipar.c -@@ -515,7 +515,7 @@ tipar_init_module(void) - err = PTR_ERR(tipar_class); - goto out_chrdev; - } -- if (parport_register_driver(&tipar_driver) || tp_count == 0) { -+ if (parport_register_driver(&tipar_driver)) { - printk(KERN_ERR "tipar: unable to register with parport\n"); - err = -EIO; - goto out_class; -diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c -index 4c27218..f58ad7f 100644 ---- a/drivers/char/tlclk.c -+++ b/drivers/char/tlclk.c -@@ -327,7 +327,7 @@ static ssize_t store_received_ref_clk3a( - return strnlen(buf, count); - } - --static DEVICE_ATTR(received_ref_clk3a, S_IWUGO, NULL, -+static DEVICE_ATTR(received_ref_clk3a, (S_IWUSR|S_IWGRP), NULL, - store_received_ref_clk3a); - - -@@ -349,7 +349,7 @@ static ssize_t store_received_ref_clk3b( - return strnlen(buf, count); - } - --static DEVICE_ATTR(received_ref_clk3b, S_IWUGO, NULL, -+static DEVICE_ATTR(received_ref_clk3b, (S_IWUSR|S_IWGRP), NULL, - store_received_ref_clk3b); - - -@@ -371,7 +371,7 @@ static ssize_t store_enable_clk3b_output - return strnlen(buf, count); - } - --static DEVICE_ATTR(enable_clk3b_output, S_IWUGO, NULL, -+static DEVICE_ATTR(enable_clk3b_output, (S_IWUSR|S_IWGRP), NULL, - store_enable_clk3b_output); - - static ssize_t store_enable_clk3a_output(struct device *d, -@@ -392,7 +392,7 @@ static ssize_t store_enable_clk3a_output - return strnlen(buf, count); - } - --static DEVICE_ATTR(enable_clk3a_output, S_IWUGO, NULL, -+static DEVICE_ATTR(enable_clk3a_output, (S_IWUSR|S_IWGRP), NULL, - store_enable_clk3a_output); - - static ssize_t store_enable_clkb1_output(struct device *d, -@@ -413,7 +413,7 @@ static ssize_t store_enable_clkb1_output - return strnlen(buf, count); - } - --static DEVICE_ATTR(enable_clkb1_output, S_IWUGO, NULL, -+static DEVICE_ATTR(enable_clkb1_output, (S_IWUSR|S_IWGRP), NULL, - store_enable_clkb1_output); - - -@@ -435,7 +435,7 @@ static ssize_t store_enable_clka1_output - return strnlen(buf, count); - } - --static DEVICE_ATTR(enable_clka1_output, S_IWUGO, NULL, -+static DEVICE_ATTR(enable_clka1_output, (S_IWUSR|S_IWGRP), NULL, - store_enable_clka1_output); - - static ssize_t store_enable_clkb0_output(struct device *d, -@@ -456,7 +456,7 @@ static ssize_t store_enable_clkb0_output - return strnlen(buf, count); - } - --static DEVICE_ATTR(enable_clkb0_output, S_IWUGO, NULL, -+static DEVICE_ATTR(enable_clkb0_output, (S_IWUSR|S_IWGRP), NULL, - store_enable_clkb0_output); - - static ssize_t store_enable_clka0_output(struct device *d, -@@ -477,7 +477,7 @@ static ssize_t store_enable_clka0_output - return strnlen(buf, count); - } - --static DEVICE_ATTR(enable_clka0_output, S_IWUGO, NULL, -+static DEVICE_ATTR(enable_clka0_output, (S_IWUSR|S_IWGRP), NULL, - store_enable_clka0_output); - - static ssize_t store_select_amcb2_transmit_clock(struct device *d, -@@ -519,7 +519,7 @@ static ssize_t store_select_amcb2_transm - return strnlen(buf, count); - } - --static DEVICE_ATTR(select_amcb2_transmit_clock, S_IWUGO, NULL, -+static DEVICE_ATTR(select_amcb2_transmit_clock, (S_IWUSR|S_IWGRP), NULL, - store_select_amcb2_transmit_clock); - - static ssize_t store_select_amcb1_transmit_clock(struct device *d, -@@ -560,7 +560,7 @@ static ssize_t store_select_amcb1_transm - return strnlen(buf, count); - } - --static DEVICE_ATTR(select_amcb1_transmit_clock, S_IWUGO, NULL, -+static DEVICE_ATTR(select_amcb1_transmit_clock, (S_IWUSR|S_IWGRP), NULL, - store_select_amcb1_transmit_clock); - - static ssize_t store_select_redundant_clock(struct device *d, -@@ -581,7 +581,7 @@ static ssize_t store_select_redundant_cl - return strnlen(buf, count); - } - --static DEVICE_ATTR(select_redundant_clock, S_IWUGO, NULL, -+static DEVICE_ATTR(select_redundant_clock, (S_IWUSR|S_IWGRP), NULL, - store_select_redundant_clock); - - static ssize_t store_select_ref_frequency(struct device *d, -@@ -602,7 +602,7 @@ static ssize_t store_select_ref_frequenc - return strnlen(buf, count); - } - --static DEVICE_ATTR(select_ref_frequency, S_IWUGO, NULL, -+static DEVICE_ATTR(select_ref_frequency, (S_IWUSR|S_IWGRP), NULL, - store_select_ref_frequency); - - static ssize_t store_filter_select(struct device *d, -@@ -623,7 +623,7 @@ static ssize_t store_filter_select(struc - return strnlen(buf, count); - } - --static DEVICE_ATTR(filter_select, S_IWUGO, NULL, store_filter_select); -+static DEVICE_ATTR(filter_select, (S_IWUSR|S_IWGRP), NULL, store_filter_select); - - static ssize_t store_hardware_switching_mode(struct device *d, - struct device_attribute *attr, const char *buf, size_t count) -@@ -643,7 +643,7 @@ static ssize_t store_hardware_switching_ - return strnlen(buf, count); - } - --static DEVICE_ATTR(hardware_switching_mode, S_IWUGO, NULL, -+static DEVICE_ATTR(hardware_switching_mode, (S_IWUSR|S_IWGRP), NULL, - store_hardware_switching_mode); - - static ssize_t store_hardware_switching(struct device *d, -@@ -664,7 +664,7 @@ static ssize_t store_hardware_switching( - return strnlen(buf, count); - } - --static DEVICE_ATTR(hardware_switching, S_IWUGO, NULL, -+static DEVICE_ATTR(hardware_switching, (S_IWUSR|S_IWGRP), NULL, - store_hardware_switching); - - static ssize_t store_refalign (struct device *d, -@@ -684,7 +684,7 @@ static ssize_t store_refalign (struct de - return strnlen(buf, count); - } - --static DEVICE_ATTR(refalign, S_IWUGO, NULL, store_refalign); -+static DEVICE_ATTR(refalign, (S_IWUSR|S_IWGRP), NULL, store_refalign); - - static ssize_t store_mode_select (struct device *d, - struct device_attribute *attr, const char *buf, size_t count) -@@ -704,7 +704,7 @@ static ssize_t store_mode_select (struct - return strnlen(buf, count); - } - --static DEVICE_ATTR(mode_select, S_IWUGO, NULL, store_mode_select); -+static DEVICE_ATTR(mode_select, (S_IWUSR|S_IWGRP), NULL, store_mode_select); - - static ssize_t store_reset (struct device *d, - struct device_attribute *attr, const char *buf, size_t count) -@@ -724,7 +724,7 @@ static ssize_t store_reset (struct devic - return strnlen(buf, count); - } - --static DEVICE_ATTR(reset, S_IWUGO, NULL, store_reset); -+static DEVICE_ATTR(reset, (S_IWUSR|S_IWGRP), NULL, store_reset); - - static struct attribute *tlclk_sysfs_entries[] = { - &dev_attr_current_ref.attr, -@@ -767,6 +767,7 @@ static int __init tlclk_init(void) - printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); - return ret; - } -+ tlclk_major = ret; - alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); - if (!alarm_events) - goto out1; -diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c -index 53d3d06..edaee70 100644 ---- a/drivers/char/tty_io.c -+++ b/drivers/char/tty_io.c -@@ -2706,7 +2706,11 @@ #else - } - task_lock(p); - if (p->files) { -- rcu_read_lock(); -+ /* -+ * We don't take a ref to the file, so we must -+ * hold ->file_lock instead. -+ */ -+ spin_lock(&p->files->file_lock); - fdt = files_fdtable(p->files); - for (i=0; i < fdt->max_fds; i++) { - filp = fcheck_files(p->files, i); -@@ -2721,7 +2725,7 @@ #else - break; - } - } -- rcu_read_unlock(); -+ spin_unlock(&p->files->file_lock); - } - task_unlock(p); - } while_each_task_pid(session, PIDTYPE_SID, p); -diff --git a/drivers/edac/Kconfig b/drivers/edac/Kconfig -index 52f3eb4..7ecdb1e 100644 ---- a/drivers/edac/Kconfig -+++ b/drivers/edac/Kconfig -@@ -71,7 +71,7 @@ config EDAC_E7XXX - - config EDAC_E752X - tristate "Intel e752x (e7520, e7525, e7320)" -- depends on EDAC_MM_EDAC && PCI -+ depends on EDAC_MM_EDAC && PCI && HOTPLUG - help - Support for error detection and correction on the Intel - E7520, E7525, E7320 server chipsets. -diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c -index 8e0f315..dfca749 100644 ---- a/drivers/i2c/busses/i2c-i801.c -+++ b/drivers/i2c/busses/i2c-i801.c -@@ -478,6 +478,11 @@ static s32 i801_access(struct i2c_adapte - ret = i801_transaction(); - } - -+ /* Some BIOSes don't like it when PEC is enabled at reboot or resume -+ time, so we forcibly disable it after every transaction. */ -+ if (hwpec) -+ outb_p(0, SMBAUXCTL); -+ - if(block) - return ret; - if(ret) -diff --git a/drivers/i2c/busses/scx200_acb.c b/drivers/i2c/busses/scx200_acb.c -index d3478e0..ad44dd5 100644 ---- a/drivers/i2c/busses/scx200_acb.c -+++ b/drivers/i2c/busses/scx200_acb.c -@@ -440,7 +440,6 @@ static int __init scx200_acb_create(int - struct scx200_acb_iface *iface; - struct i2c_adapter *adapter; - int rc = 0; -- char description[64]; - - iface = kzalloc(sizeof(*iface), GFP_KERNEL); - if (!iface) { -@@ -459,8 +458,7 @@ static int __init scx200_acb_create(int - - init_MUTEX(&iface->sem); - -- snprintf(description, sizeof(description), "NatSemi SCx200 ACCESS.bus [%s]", adapter->name); -- if (request_region(base, 8, description) == 0) { -+ if (!request_region(base, 8, adapter->name)) { - dev_err(&adapter->dev, "can't allocate io 0x%x-0x%x\n", - base, base + 8-1); - rc = -EBUSY; -diff --git a/drivers/i2c/chips/m41t00.c b/drivers/i2c/chips/m41t00.c -index 2dc3d48..2836fb3 100644 ---- a/drivers/i2c/chips/m41t00.c -+++ b/drivers/i2c/chips/m41t00.c -@@ -129,13 +129,13 @@ m41t00_set_tlet(ulong arg) - if ((i2c_smbus_write_byte_data(save_client, 0, tm.tm_sec & 0x7f) < 0) - || (i2c_smbus_write_byte_data(save_client, 1, tm.tm_min & 0x7f) - < 0) -- || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x7f) -+ || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x3f) - < 0) -- || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x7f) -+ || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x3f) - < 0) -- || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x7f) -+ || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x1f) - < 0) -- || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0x7f) -+ || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0xff) - < 0)) - - dev_warn(&save_client->dev,"m41t00: can't write to rtc chip\n"); -diff --git a/drivers/ide/pci/alim15x3.c b/drivers/ide/pci/alim15x3.c -index cf84350..8b24b4f 100644 ---- a/drivers/ide/pci/alim15x3.c -+++ b/drivers/ide/pci/alim15x3.c -@@ -731,6 +731,8 @@ static unsigned int __devinit ata66_ali1 - - if(m5229_revision <= 0x20) - tmpbyte = (tmpbyte & (~0x02)) | 0x01; -+ else if (m5229_revision == 0xc7) -+ tmpbyte |= 0x03; - else - tmpbyte |= 0x01; - -diff --git a/drivers/ieee1394/ohci1394.c b/drivers/ieee1394/ohci1394.c -index b6b96fa..a9a73f7 100644 ---- a/drivers/ieee1394/ohci1394.c -+++ b/drivers/ieee1394/ohci1394.c -@@ -2525,7 +2525,7 @@ static irqreturn_t ohci_irq_handler(int - if (phys_dma) { - reg_write(ohci,OHCI1394_PhyReqFilterHiSet, 0xffffffff); - reg_write(ohci,OHCI1394_PhyReqFilterLoSet, 0xffffffff); -- reg_write(ohci,OHCI1394_PhyUpperBound, 0xffff0000); -+ reg_write(ohci,OHCI1394_PhyUpperBound, 0x01000000); - } else { - reg_write(ohci,OHCI1394_PhyReqFilterHiSet, 0x00000000); - reg_write(ohci,OHCI1394_PhyReqFilterLoSet, 0x00000000); -diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c -index eca92eb..d02be4a 100644 ---- a/drivers/ieee1394/sbp2.c -+++ b/drivers/ieee1394/sbp2.c -@@ -495,22 +495,17 @@ static struct sbp2_command_info *sbp2uti - /* - * This function finds the sbp2_command for a given outstanding SCpnt. - * Only looks at the inuse list. -+ * Must be called with scsi_id->sbp2_command_orb_lock held. - */ --static struct sbp2_command_info *sbp2util_find_command_for_SCpnt(struct scsi_id_instance_data *scsi_id, void *SCpnt) -+static struct sbp2_command_info *sbp2util_find_command_for_SCpnt( -+ struct scsi_id_instance_data *scsi_id, void *SCpnt) - { - struct sbp2_command_info *command; -- unsigned long flags; - -- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); -- if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) { -- list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) { -- if (command->Current_SCpnt == SCpnt) { -- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); -+ if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) -+ list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) -+ if (command->Current_SCpnt == SCpnt) - return command; -- } -- } -- } -- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - return NULL; - } - -@@ -579,17 +574,15 @@ static void sbp2util_free_command_dma(st - - /* - * This function moves a command to the completed orb list. -+ * Must be called with scsi_id->sbp2_command_orb_lock held. - */ --static void sbp2util_mark_command_completed(struct scsi_id_instance_data *scsi_id, -- struct sbp2_command_info *command) -+static void sbp2util_mark_command_completed( -+ struct scsi_id_instance_data *scsi_id, -+ struct sbp2_command_info *command) - { -- unsigned long flags; -- -- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); - list_del(&command->list); - sbp2util_free_command_dma(command); - list_add_tail(&command->list, &scsi_id->sbp2_command_orb_completed); -- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - } - - /* -@@ -761,12 +754,17 @@ #endif - - /* Register the status FIFO address range. We could use the same FIFO - * for targets at different nodes. However we need different FIFOs per -- * target in order to support multi-unit devices. */ -+ * target in order to support multi-unit devices. -+ * The FIFO is located out of the local host controller's physical range -+ * but, if possible, within the posted write area. Status writes will -+ * then be performed as unified transactions. This slightly reduces -+ * bandwidth usage, and some Prolific based devices seem to require it. -+ */ - scsi_id->status_fifo_addr = hpsb_allocate_and_register_addrspace( - &sbp2_highlevel, ud->ne->host, &sbp2_ops, - sizeof(struct sbp2_status_block), sizeof(quadlet_t), -- ~0ULL, ~0ULL); -- if (!scsi_id->status_fifo_addr) { -+ 0x010000000000ULL, CSR1212_ALL_SPACE_END); -+ if (scsi_id->status_fifo_addr == ~0ULL) { - SBP2_ERR("failed to allocate status FIFO address range"); - goto failed_alloc; - } -@@ -2177,7 +2175,9 @@ static int sbp2_handle_status_write(stru - * Matched status with command, now grab scsi command pointers and check status - */ - SCpnt = command->Current_SCpnt; -+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); - sbp2util_mark_command_completed(scsi_id, command); -+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - - if (SCpnt) { - -@@ -2491,9 +2491,20 @@ static int sbp2scsi_slave_alloc(struct s - - static int sbp2scsi_slave_configure(struct scsi_device *sdev) - { -+ struct scsi_id_instance_data *scsi_id = -+ (struct scsi_id_instance_data *)sdev->host->hostdata[0]; -+ - blk_queue_dma_alignment(sdev->request_queue, (512 - 1)); - sdev->use_10_for_rw = 1; - sdev->use_10_for_ms = 1; -+ -+ if ((scsi_id->sbp2_firmware_revision & 0xffff00) == 0x0a2700 && -+ (scsi_id->ud->model_id == 0x000021 /* gen.4 iPod */ || -+ scsi_id->ud->model_id == 0x000023 /* iPod mini */ || -+ scsi_id->ud->model_id == 0x00007e /* iPod Photo */ )) { -+ SBP2_INFO("enabling iPod workaround: decrement disk capacity"); -+ sdev->fix_capacity = 1; -+ } - return 0; - } - -@@ -2513,6 +2524,7 @@ static int sbp2scsi_abort(struct scsi_cm - (struct scsi_id_instance_data *)SCpnt->device->host->hostdata[0]; - struct sbp2scsi_host_info *hi = scsi_id->hi; - struct sbp2_command_info *command; -+ unsigned long flags; - - SBP2_ERR("aborting sbp2 command"); - scsi_print_command(SCpnt); -@@ -2523,6 +2535,7 @@ static int sbp2scsi_abort(struct scsi_cm - * Right now, just return any matching command structures - * to the free pool. - */ -+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); - command = sbp2util_find_command_for_SCpnt(scsi_id, SCpnt); - if (command) { - SBP2_DEBUG("Found command to abort"); -@@ -2540,6 +2553,7 @@ static int sbp2scsi_abort(struct scsi_cm - command->Current_done(command->Current_SCpnt); - } - } -+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - - /* - * Initiate a fetch agent reset. -diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c -index ad62174..b2bed1a 100644 ---- a/drivers/input/mouse/psmouse-base.c -+++ b/drivers/input/mouse/psmouse-base.c -@@ -300,8 +300,10 @@ static irqreturn_t psmouse_interrupt(str - * Check if this is a new device announcement (0xAA 0x00) - */ - if (unlikely(psmouse->packet[0] == PSMOUSE_RET_BAT && psmouse->pktcnt <= 2)) { -- if (psmouse->pktcnt == 1) -+ if (psmouse->pktcnt == 1) { -+ psmouse->last = jiffies; - goto out; -+ } - - if (psmouse->packet[1] == PSMOUSE_RET_ID) { - __psmouse_set_state(psmouse, PSMOUSE_IGNORE); -diff --git a/drivers/macintosh/therm_adt746x.c b/drivers/macintosh/therm_adt746x.c -index 5ebfd1d..5282fec 100644 ---- a/drivers/macintosh/therm_adt746x.c -+++ b/drivers/macintosh/therm_adt746x.c -@@ -627,8 +627,8 @@ thermostat_init(void) - if(therm_type == ADT7460) - device_create_file(&of_dev->dev, &dev_attr_sensor2_fan_speed); - --#ifndef CONFIG_I2C_KEYWEST -- request_module("i2c-keywest"); -+#ifndef CONFIG_I2C_POWERMAC -+ request_module("i2c-powermac"); - #endif - - return i2c_add_driver(&thermostat_driver); -diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c -index f3759dd..1ed241d 100644 ---- a/drivers/md/dm-snap.c -+++ b/drivers/md/dm-snap.c -@@ -542,8 +542,12 @@ static void snapshot_dtr(struct dm_targe - { - struct dm_snapshot *s = (struct dm_snapshot *) ti->private; - -+ /* Prevent further origin writes from using this snapshot. */ -+ /* After this returns there can be no new kcopyd jobs. */ - unregister_snapshot(s); - -+ kcopyd_client_destroy(s->kcopyd_client); -+ - exit_exception_table(&s->pending, pending_cache); - exit_exception_table(&s->complete, exception_cache); - -@@ -552,7 +556,7 @@ static void snapshot_dtr(struct dm_targe - - dm_put_device(ti, s->origin); - dm_put_device(ti, s->cow); -- kcopyd_client_destroy(s->kcopyd_client); -+ - kfree(s); - } - -diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 745ca1f..f6c8e8e 100644 ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -533,30 +533,35 @@ static void __clone_and_map(struct clone - - } else { - /* -- * Create two copy bios to deal with io that has -- * been split across a target. -+ * Handle a bvec that must be split between two or more targets. - */ - struct bio_vec *bv = bio->bi_io_vec + ci->idx; -+ sector_t remaining = to_sector(bv->bv_len); -+ unsigned int offset = 0; - -- clone = split_bvec(bio, ci->sector, ci->idx, -- bv->bv_offset, max); -- __map_bio(ti, clone, tio); -+ do { -+ if (offset) { -+ ti = dm_table_find_target(ci->map, ci->sector); -+ max = max_io_len(ci->md, ci->sector, ti); - -- ci->sector += max; -- ci->sector_count -= max; -- ti = dm_table_find_target(ci->map, ci->sector); -- -- len = to_sector(bv->bv_len) - max; -- clone = split_bvec(bio, ci->sector, ci->idx, -- bv->bv_offset + to_bytes(max), len); -- tio = alloc_tio(ci->md); -- tio->io = ci->io; -- tio->ti = ti; -- memset(&tio->info, 0, sizeof(tio->info)); -- __map_bio(ti, clone, tio); -+ tio = alloc_tio(ci->md); -+ tio->io = ci->io; -+ tio->ti = ti; -+ memset(&tio->info, 0, sizeof(tio->info)); -+ } -+ -+ len = min(remaining, max); -+ -+ clone = split_bvec(bio, ci->sector, ci->idx, -+ bv->bv_offset + offset, len); -+ -+ __map_bio(ti, clone, tio); -+ -+ ci->sector += len; -+ ci->sector_count -= len; -+ offset += to_bytes(len); -+ } while (remaining -= len); - -- ci->sector += len; -- ci->sector_count -= len; - ci->idx++; - } - } -@@ -1093,6 +1098,7 @@ int dm_suspend(struct mapped_device *md, - { - struct dm_table *map = NULL; - DECLARE_WAITQUEUE(wait, current); -+ struct bio *def; - int r = -EINVAL; - - down(&md->suspend_lock); -@@ -1152,9 +1158,11 @@ int dm_suspend(struct mapped_device *md, - /* were we interrupted ? */ - r = -EINTR; - if (atomic_read(&md->pending)) { -+ clear_bit(DMF_BLOCK_IO, &md->flags); -+ def = bio_list_get(&md->deferred); -+ __flush_deferred_io(md, def); - up_write(&md->io_lock); - unlock_fs(md); -- clear_bit(DMF_BLOCK_IO, &md->flags); - goto out; - } - up_write(&md->io_lock); -diff --git a/drivers/md/kcopyd.c b/drivers/md/kcopyd.c -index 8b3515f..fc009cb 100644 ---- a/drivers/md/kcopyd.c -+++ b/drivers/md/kcopyd.c -@@ -44,6 +44,9 @@ struct kcopyd_client { - struct page_list *pages; - unsigned int nr_pages; - unsigned int nr_free_pages; -+ -+ wait_queue_head_t destroyq; -+ atomic_t nr_jobs; - }; - - static struct page_list *alloc_pl(void) -@@ -293,10 +296,15 @@ static int run_complete_job(struct kcopy - int read_err = job->read_err; - unsigned int write_err = job->write_err; - kcopyd_notify_fn fn = job->fn; -+ struct kcopyd_client *kc = job->kc; - -- kcopyd_put_pages(job->kc, job->pages); -+ kcopyd_put_pages(kc, job->pages); - mempool_free(job, _job_pool); - fn(read_err, write_err, context); -+ -+ if (atomic_dec_and_test(&kc->nr_jobs)) -+ wake_up(&kc->destroyq); -+ - return 0; - } - -@@ -431,6 +439,7 @@ static void do_work(void *ignored) - */ - static void dispatch_job(struct kcopyd_job *job) - { -+ atomic_inc(&job->kc->nr_jobs); - push(&_pages_jobs, job); - wake(); - } -@@ -670,6 +679,9 @@ int kcopyd_client_create(unsigned int nr - return r; - } - -+ init_waitqueue_head(&kc->destroyq); -+ atomic_set(&kc->nr_jobs, 0); -+ - client_add(kc); - *result = kc; - return 0; -@@ -677,6 +689,9 @@ int kcopyd_client_create(unsigned int nr - - void kcopyd_client_destroy(struct kcopyd_client *kc) - { -+ /* Wait for completion of all jobs submitted by this client. */ -+ wait_event(kc->destroyq, !atomic_read(&kc->nr_jobs)); -+ - dm_io_put(kc->nr_pages); - client_free_pages(kc); - client_del(kc); -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index ab90a6d..039ed49 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1436,9 +1436,9 @@ static void raid10d(mddev_t *mddev) - sl--; - d = r10_bio->devs[sl].devnum; - rdev = conf->mirrors[d].rdev; -- atomic_add(s, &rdev->corrected_errors); - if (rdev && - test_bit(In_sync, &rdev->flags)) { -+ atomic_add(s, &rdev->corrected_errors); - if (sync_page_io(rdev->bdev, - r10_bio->devs[sl].addr + - sect + rdev->data_offset, -diff --git a/drivers/media/dvb/dvb-usb/cxusb.c b/drivers/media/dvb/dvb-usb/cxusb.c -index 162f979..356a09a 100644 ---- a/drivers/media/dvb/dvb-usb/cxusb.c -+++ b/drivers/media/dvb/dvb-usb/cxusb.c -@@ -149,6 +149,15 @@ static int cxusb_power_ctrl(struct dvb_u - return cxusb_ctrl_msg(d, CMD_POWER_OFF, &b, 1, NULL, 0); - } - -+static int cxusb_bluebird_power_ctrl(struct dvb_usb_device *d, int onoff) -+{ -+ u8 b = 0; -+ if (onoff) -+ return cxusb_ctrl_msg(d, CMD_POWER_ON, &b, 1, NULL, 0); -+ else -+ return 0; -+} -+ - static int cxusb_streaming_ctrl(struct dvb_usb_device *d, int onoff) - { - u8 buf[2] = { 0x03, 0x00 }; -@@ -505,7 +514,7 @@ static struct dvb_usb_properties cxusb_b - .size_of_priv = sizeof(struct cxusb_state), - - .streaming_ctrl = cxusb_streaming_ctrl, -- .power_ctrl = cxusb_power_ctrl, -+ .power_ctrl = cxusb_bluebird_power_ctrl, - .frontend_attach = cxusb_lgdt3303_frontend_attach, - .tuner_attach = cxusb_lgh064f_tuner_attach, - -@@ -545,7 +554,7 @@ static struct dvb_usb_properties cxusb_b - .size_of_priv = sizeof(struct cxusb_state), - - .streaming_ctrl = cxusb_streaming_ctrl, -- .power_ctrl = cxusb_power_ctrl, -+ .power_ctrl = cxusb_bluebird_power_ctrl, - .frontend_attach = cxusb_dee1601_frontend_attach, - .tuner_attach = cxusb_dee1601_tuner_attach, - -@@ -594,7 +603,7 @@ static struct dvb_usb_properties cxusb_b - .size_of_priv = sizeof(struct cxusb_state), - - .streaming_ctrl = cxusb_streaming_ctrl, -- .power_ctrl = cxusb_power_ctrl, -+ .power_ctrl = cxusb_bluebird_power_ctrl, - .frontend_attach = cxusb_mt352_frontend_attach, - .tuner_attach = cxusb_lgz201_tuner_attach, - -@@ -634,7 +643,7 @@ static struct dvb_usb_properties cxusb_b - .size_of_priv = sizeof(struct cxusb_state), - - .streaming_ctrl = cxusb_streaming_ctrl, -- .power_ctrl = cxusb_power_ctrl, -+ .power_ctrl = cxusb_bluebird_power_ctrl, - .frontend_attach = cxusb_mt352_frontend_attach, - .tuner_attach = cxusb_dtt7579_tuner_attach, - -diff --git a/drivers/media/video/Kconfig b/drivers/media/video/Kconfig -index d82c8a3..ef42a26 100644 ---- a/drivers/media/video/Kconfig -+++ b/drivers/media/video/Kconfig -@@ -349,6 +349,7 @@ config VIDEO_AUDIO_DECODER - config VIDEO_DECODER - tristate "Add support for additional video chipsets" - depends on VIDEO_DEV && I2C && EXPERIMENTAL -+ select FW_LOADER - ---help--- - Say Y here to compile drivers for SAA7115, SAA7127 and CX25840 - video decoders. -diff --git a/drivers/media/video/saa7127.c b/drivers/media/video/saa7127.c -index 992c717..9e4c178 100644 ---- a/drivers/media/video/saa7127.c -+++ b/drivers/media/video/saa7127.c -@@ -141,6 +141,7 @@ struct i2c_reg_value { - static const struct i2c_reg_value saa7129_init_config_extra[] = { - { SAA7127_REG_OUTPUT_PORT_CONTROL, 0x38 }, - { SAA7127_REG_VTRIG, 0xfa }, -+ { 0, 0 } - }; - - static const struct i2c_reg_value saa7127_init_config_common[] = { -diff --git a/drivers/media/video/tuner-types.c b/drivers/media/video/tuner-types.c -index 6fe7817..5f3d46d 100644 ---- a/drivers/media/video/tuner-types.c -+++ b/drivers/media/video/tuner-types.c -@@ -1087,8 +1087,8 @@ static struct tuner_params tuner_tnf_533 - /* ------------ TUNER_SAMSUNG_TCPN_2121P30A - Samsung NTSC ------------ */ - - static struct tuner_range tuner_samsung_tcpn_2121p30a_ntsc_ranges[] = { -- { 16 * 175.75 /*MHz*/, 0x01, }, -- { 16 * 410.25 /*MHz*/, 0x02, }, -+ { 16 * 130.00 /*MHz*/, 0x01, }, -+ { 16 * 364.50 /*MHz*/, 0x02, }, - { 16 * 999.99 , 0x08, }, - }; - -diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig -index 1fc4c13..cfe288a 100644 ---- a/drivers/mtd/nand/Kconfig -+++ b/drivers/mtd/nand/Kconfig -@@ -178,17 +178,16 @@ config MTD_NAND_DISKONCHIP_BBTWRITE - Even if you leave this disabled, you can enable BBT writes at module - load time (assuming you build diskonchip as a module) with the module - parameter "inftl_bbt_write=1". -- -- config MTD_NAND_SHARPSL -- bool "Support for NAND Flash on Sharp SL Series (C7xx + others)" -- depends on MTD_NAND && ARCH_PXA -- -- config MTD_NAND_NANDSIM -- bool "Support for NAND Flash Simulator" -- depends on MTD_NAND && MTD_PARTITIONS - -+config MTD_NAND_SHARPSL -+ tristate "Support for NAND Flash on Sharp SL Series (C7xx + others)" -+ depends on MTD_NAND && ARCH_PXA -+ -+config MTD_NAND_NANDSIM -+ tristate "Support for NAND Flash Simulator" -+ depends on MTD_NAND && MTD_PARTITIONS - help - The simulator may simulate verious NAND flash chips for the - MTD nand layer. -- -+ - endmenu -diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c -index 84dcca3..fa29402 100644 ---- a/drivers/net/e1000/e1000_main.c -+++ b/drivers/net/e1000/e1000_main.c -@@ -3851,6 +3851,7 @@ #endif - skb_shinfo(skb)->nr_frags++; - skb->len += length; - skb->data_len += length; -+ skb->truesize += length; - } - - e1000_rx_checksum(adapter, staterr, -diff --git a/drivers/net/irda/irda-usb.c b/drivers/net/irda/irda-usb.c -index 8936058..6e2ec56 100644 ---- a/drivers/net/irda/irda-usb.c -+++ b/drivers/net/irda/irda-usb.c -@@ -740,7 +740,7 @@ static void irda_usb_receive(struct urb - struct sk_buff *newskb; - struct sk_buff *dataskb; - struct urb *next_urb; -- int docopy; -+ unsigned int len, docopy; - - IRDA_DEBUG(2, "%s(), len=%d\n", __FUNCTION__, urb->actual_length); - -@@ -851,10 +851,11 @@ static void irda_usb_receive(struct urb - dataskb->dev = self->netdev; - dataskb->mac.raw = dataskb->data; - dataskb->protocol = htons(ETH_P_IRDA); -+ len = dataskb->len; - netif_rx(dataskb); - - /* Keep stats up to date */ -- self->stats.rx_bytes += dataskb->len; -+ self->stats.rx_bytes += len; - self->stats.rx_packets++; - self->netdev->last_rx = jiffies; - -diff --git a/drivers/net/sky2.c b/drivers/net/sky2.c -index 7326036..0618cd5 100644 ---- a/drivers/net/sky2.c -+++ b/drivers/net/sky2.c -@@ -579,8 +579,8 @@ static void sky2_mac_init(struct sky2_hw - reg = gma_read16(hw, port, GM_PHY_ADDR); - gma_write16(hw, port, GM_PHY_ADDR, reg | GM_PAR_MIB_CLR); - -- for (i = 0; i < GM_MIB_CNT_SIZE; i++) -- gma_read16(hw, port, GM_MIB_CNT_BASE + 8 * i); -+ for (i = GM_MIB_CNT_BASE; i <= GM_MIB_CNT_END; i += 4) -+ gma_read16(hw, port, i); - gma_write16(hw, port, GM_PHY_ADDR, reg); - - /* transmit control */ -diff --git a/drivers/net/sky2.h b/drivers/net/sky2.h -index dce955c..c91e0a4 100644 ---- a/drivers/net/sky2.h -+++ b/drivers/net/sky2.h -@@ -1380,6 +1380,7 @@ enum { - /* MIB Counters */ - #define GM_MIB_CNT_BASE 0x0100 /* Base Address of MIB Counters */ - #define GM_MIB_CNT_SIZE 44 /* Number of MIB Counters */ -+#define GM_MIB_CNT_END 0x025C /* Last MIB counter */ - - /* - * MIB Counters base address definitions (low word) - -diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c -index caf4102..7d00722 100644 ---- a/drivers/net/tg3.c -+++ b/drivers/net/tg3.c -@@ -7368,21 +7368,23 @@ static int tg3_get_settings(struct net_d - cmd->supported |= (SUPPORTED_1000baseT_Half | - SUPPORTED_1000baseT_Full); - -- if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) -+ if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) { - cmd->supported |= (SUPPORTED_100baseT_Half | - SUPPORTED_100baseT_Full | - SUPPORTED_10baseT_Half | - SUPPORTED_10baseT_Full | - SUPPORTED_MII); -- else -+ cmd->port = PORT_TP; -+ } else { - cmd->supported |= SUPPORTED_FIBRE; -+ cmd->port = PORT_FIBRE; -+ } - - cmd->advertising = tp->link_config.advertising; - if (netif_running(dev)) { - cmd->speed = tp->link_config.active_speed; - cmd->duplex = tp->link_config.active_duplex; - } -- cmd->port = 0; - cmd->phy_address = PHY_ADDR; - cmd->transceiver = 0; - cmd->autoneg = tp->link_config.autoneg; -diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c -index 2418715..56864ff 100644 ---- a/drivers/net/via-rhine.c -+++ b/drivers/net/via-rhine.c -@@ -129,6 +129,7 @@ - - Massive clean-up - - Rewrite PHY, media handling (remove options, full_duplex, backoff) - - Fix Tx engine race for good -+ - Craig Brind: Zero padded aligned buffers for short packets. - - */ - -@@ -1306,7 +1307,12 @@ static int rhine_start_tx(struct sk_buff - rp->stats.tx_dropped++; - return 0; - } -+ -+ /* Padding is not copied and so must be redone. */ - skb_copy_and_csum_dev(skb, rp->tx_buf[entry]); -+ if (skb->len < ETH_ZLEN) -+ memset(rp->tx_buf[entry] + skb->len, 0, -+ ETH_ZLEN - skb->len); - rp->tx_skbuff_dma[entry] = 0; - rp->tx_ring[entry].addr = cpu_to_le32(rp->tx_bufs_dma + - (rp->tx_buf[entry] - -diff --git a/drivers/net/wireless/Kconfig b/drivers/net/wireless/Kconfig -index ef85d76..8101657 100644 ---- a/drivers/net/wireless/Kconfig -+++ b/drivers/net/wireless/Kconfig -@@ -239,7 +239,8 @@ config IPW2200_DEBUG - - config AIRO - tristate "Cisco/Aironet 34X/35X/4500/4800 ISA and PCI cards" -- depends on NET_RADIO && ISA_DMA_API && CRYPTO && (PCI || BROKEN) -+ depends on NET_RADIO && ISA_DMA_API && (PCI || BROKEN) -+ select CRYPTO - ---help--- - This is the standard Linux driver to support Cisco/Aironet ISA and - PCI 802.11 wireless cards. -@@ -374,6 +375,7 @@ config PCMCIA_HERMES - config PCMCIA_SPECTRUM - tristate "Symbol Spectrum24 Trilogy PCMCIA card support" - depends on NET_RADIO && PCMCIA && HERMES -+ select FW_LOADER - ---help--- - - This is a driver for 802.11b cards using RAM-loadable Symbol -@@ -387,6 +389,7 @@ config PCMCIA_SPECTRUM - config AIRO_CS - tristate "Cisco/Aironet 34X/35X/4500/4800 PCMCIA cards" - depends on NET_RADIO && PCMCIA && (BROKEN || !M32R) -+ select CRYPTO - ---help--- - This is the standard Linux driver to support Cisco/Aironet PCMCIA - 802.11 wireless cards. This driver is the same as the Aironet -diff --git a/drivers/net/wireless/hostap/hostap_80211_tx.c b/drivers/net/wireless/hostap/hostap_80211_tx.c -index 4a85e63..5f398bd 100644 ---- a/drivers/net/wireless/hostap/hostap_80211_tx.c -+++ b/drivers/net/wireless/hostap/hostap_80211_tx.c -@@ -469,7 +469,7 @@ int hostap_master_start_xmit(struct sk_b - } - - if (local->ieee_802_1x && meta->ethertype == ETH_P_PAE && tx.crypt && -- !(fc & IEEE80211_FCTL_VERS)) { -+ !(fc & IEEE80211_FCTL_PROTECTED)) { - no_encrypt = 1; - PDEBUG(DEBUG_EXTRA2, "%s: TX: IEEE 802.1X - passing " - "unencrypted EAPOL frame\n", dev->name); -diff --git a/drivers/net/wireless/ipw2200.c b/drivers/net/wireless/ipw2200.c -index 287676a..f42e51a 100644 ---- a/drivers/net/wireless/ipw2200.c -+++ b/drivers/net/wireless/ipw2200.c -@@ -8391,20 +8391,28 @@ static int ipw_wx_get_range(struct net_d - - i = 0; - if (priv->ieee->mode & (IEEE_B | IEEE_G)) { -- for (j = 0; j < geo->bg_channels && i < IW_MAX_FREQUENCIES; -- i++, j++) { -+ for (j = 0; j < geo->bg_channels && i < IW_MAX_FREQUENCIES; j++) { -+ if ((priv->ieee->iw_mode == IW_MODE_ADHOC) && -+ (geo->bg[j].flags & IEEE80211_CH_PASSIVE_ONLY)) -+ continue; -+ - range->freq[i].i = geo->bg[j].channel; - range->freq[i].m = geo->bg[j].freq * 100000; - range->freq[i].e = 1; -+ i++; - } - } - - if (priv->ieee->mode & IEEE_A) { -- for (j = 0; j < geo->a_channels && i < IW_MAX_FREQUENCIES; -- i++, j++) { -+ for (j = 0; j < geo->a_channels && i < IW_MAX_FREQUENCIES; j++) { -+ if ((priv->ieee->iw_mode == IW_MODE_ADHOC) && -+ (geo->a[j].flags & IEEE80211_CH_PASSIVE_ONLY)) -+ continue; -+ - range->freq[i].i = geo->a[j].channel; - range->freq[i].m = geo->a[j].freq * 100000; - range->freq[i].e = 1; -+ i++; - } - } - -@@ -9956,9 +9964,8 @@ static int ipw_ethtool_set_eeprom(struct - return -EINVAL; - down(&p->sem); - memcpy(&p->eeprom[eeprom->offset], bytes, eeprom->len); -- for (i = IPW_EEPROM_DATA; -- i < IPW_EEPROM_DATA + IPW_EEPROM_IMAGE_SIZE; i++) -- ipw_write8(p, i, p->eeprom[i]); -+ for (i = 0; i < IPW_EEPROM_IMAGE_SIZE; i++) -+ ipw_write8(p, i + IPW_EEPROM_DATA, p->eeprom[i]); - up(&p->sem); - return 0; - } -diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c -index 6917c6c..c2ecae5 100644 ---- a/drivers/pci/pci-acpi.c -+++ b/drivers/pci/pci-acpi.c -@@ -33,13 +33,10 @@ acpi_query_osc ( - acpi_status status; - struct acpi_object_list input; - union acpi_object in_params[4]; -- struct acpi_buffer output; -- union acpi_object out_obj; -+ struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL}; -+ union acpi_object *out_obj; - u32 osc_dw0; - -- /* Setting up output buffer */ -- output.length = sizeof(out_obj) + 3*sizeof(u32); -- output.pointer = &out_obj; - - /* Setting up input parameters */ - input.count = 4; -@@ -61,12 +58,15 @@ acpi_query_osc ( - "Evaluate _OSC Set fails. Status = 0x%04x\n", status); - return status; - } -- if (out_obj.type != ACPI_TYPE_BUFFER) { -+ out_obj = output.pointer; -+ -+ if (out_obj->type != ACPI_TYPE_BUFFER) { - printk(KERN_DEBUG - "Evaluate _OSC returns wrong type\n"); -- return AE_TYPE; -+ status = AE_TYPE; -+ goto query_osc_out; - } -- osc_dw0 = *((u32 *) out_obj.buffer.pointer); -+ osc_dw0 = *((u32 *) out_obj->buffer.pointer); - if (osc_dw0) { - if (osc_dw0 & OSC_REQUEST_ERROR) - printk(KERN_DEBUG "_OSC request fails\n"); -@@ -76,15 +76,21 @@ acpi_query_osc ( - printk(KERN_DEBUG "_OSC invalid revision\n"); - if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) { - /* Update Global Control Set */ -- global_ctrlsets = *((u32 *)(out_obj.buffer.pointer+8)); -- return AE_OK; -+ global_ctrlsets = *((u32 *)(out_obj->buffer.pointer+8)); -+ status = AE_OK; -+ goto query_osc_out; - } -- return AE_ERROR; -+ status = AE_ERROR; -+ goto query_osc_out; - } - - /* Update Global Control Set */ -- global_ctrlsets = *((u32 *)(out_obj.buffer.pointer + 8)); -- return AE_OK; -+ global_ctrlsets = *((u32 *)(out_obj->buffer.pointer + 8)); -+ status = AE_OK; -+ -+query_osc_out: -+ kfree(output.pointer); -+ return status; - } - - -@@ -96,14 +102,10 @@ acpi_run_osc ( - acpi_status status; - struct acpi_object_list input; - union acpi_object in_params[4]; -- struct acpi_buffer output; -- union acpi_object out_obj; -+ struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL}; -+ union acpi_object *out_obj; - u32 osc_dw0; - -- /* Setting up output buffer */ -- output.length = sizeof(out_obj) + 3*sizeof(u32); -- output.pointer = &out_obj; -- - /* Setting up input parameters */ - input.count = 4; - input.pointer = in_params; -@@ -124,12 +126,14 @@ acpi_run_osc ( - "Evaluate _OSC Set fails. Status = 0x%04x\n", status); - return status; - } -- if (out_obj.type != ACPI_TYPE_BUFFER) { -+ out_obj = output.pointer; -+ if (out_obj->type != ACPI_TYPE_BUFFER) { - printk(KERN_DEBUG - "Evaluate _OSC returns wrong type\n"); -- return AE_TYPE; -+ status = AE_TYPE; -+ goto run_osc_out; - } -- osc_dw0 = *((u32 *) out_obj.buffer.pointer); -+ osc_dw0 = *((u32 *) out_obj->buffer.pointer); - if (osc_dw0) { - if (osc_dw0 & OSC_REQUEST_ERROR) - printk(KERN_DEBUG "_OSC request fails\n"); -@@ -139,11 +143,17 @@ acpi_run_osc ( - printk(KERN_DEBUG "_OSC invalid revision\n"); - if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) { - printk(KERN_DEBUG "_OSC FW not grant req. control\n"); -- return AE_SUPPORT; -+ status = AE_SUPPORT; -+ goto run_osc_out; - } -- return AE_ERROR; -+ status = AE_ERROR; -+ goto run_osc_out; - } -- return AE_OK; -+ status = AE_OK; -+ -+run_osc_out: -+ kfree(output.pointer); -+ return status; - } - - /** -diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index dda6099..381f36b 100644 ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -631,6 +631,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_V - * non-x86 architectures (yes Via exists on PPC among other places), - * we must mask the PCI_INTERRUPT_LINE value versus 0xf to get - * interrupts delivered properly. -+ * -+ * Some of the on-chip devices are actually '586 devices' so they are -+ * listed here. - */ - static void quirk_via_irq(struct pci_dev *dev) - { -@@ -639,13 +642,19 @@ static void quirk_via_irq(struct pci_dev - new_irq = dev->irq & 0xf; - pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &irq); - if (new_irq != irq) { -- printk(KERN_INFO "PCI: Via IRQ fixup for %s, from %d to %d\n", -+ printk(KERN_INFO "PCI: VIA IRQ fixup for %s, from %d to %d\n", - pci_name(dev), irq, new_irq); - udelay(15); /* unknown if delay really needed */ - pci_write_config_byte(dev, PCI_INTERRUPT_LINE, new_irq); - } - } --DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_ANY_ID, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_0, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_2, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_3, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4, quirk_via_irq); -+DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_5, quirk_via_irq); - - /* - * VIA VT82C598 has its device ID settable and many BIOSes -@@ -861,6 +870,7 @@ static void __init quirk_eisa_bridge(str - } - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82375, quirk_eisa_bridge ); - -+#ifndef CONFIG_ACPI_SLEEP - /* - * On ASUS P4B boards, the SMBus PCI Device within the ICH2/4 southbridge - * is not activated. The myth is that Asus said that they do not want the -@@ -872,8 +882,12 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I - * bridge. Unfortunately, this device has no subvendor/subdevice ID. So it - * becomes necessary to do this tweak in two steps -- I've chosen the Host - * bridge as trigger. -+ * -+ * Actually, leaving it unhidden and not redoing the quirk over suspend2ram -+ * will cause thermal management to break down, and causing machine to -+ * overheat. - */ --static int __initdata asus_hides_smbus = 0; -+static int __initdata asus_hides_smbus; - - static void __init asus_hides_smbus_hostbridge(struct pci_dev *dev) - { -@@ -1008,6 +1022,8 @@ static void __init asus_hides_smbus_lpc_ - } - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, asus_hides_smbus_lpc_ich6 ); - -+#endif -+ - /* - * SiS 96x south bridge: BIOS typically hides SMBus device... - */ -diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c -index bb96ce1..a4333a8 100644 ---- a/drivers/pcmcia/ds.c -+++ b/drivers/pcmcia/ds.c -@@ -546,7 +546,7 @@ static int pcmcia_device_query(struct pc - tmp = vers1->str + vers1->ofs[i]; - - length = strlen(tmp) + 1; -- if ((length < 3) || (length > 255)) -+ if ((length < 2) || (length > 255)) - continue; - - p_dev->prod_id[i] = kmalloc(sizeof(char) * length, -diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c -index d9152d0..9132549 100644 ---- a/drivers/scsi/3w-9xxx.c -+++ b/drivers/scsi/3w-9xxx.c -@@ -85,7 +85,7 @@ #include <scsi/scsi_cmnd.h> - #include "3w-9xxx.h" - - /* Globals */ --#define TW_DRIVER_VERSION "2.26.02.005" -+#define TW_DRIVER_VERSION "2.26.02.007" - static TW_Device_Extension *twa_device_extension_list[TW_MAX_SLOT]; - static unsigned int twa_device_extension_count; - static int twa_major = -1; -@@ -1944,9 +1944,13 @@ static void twa_scsiop_execute_scsi_comp - } - if (tw_dev->srb[request_id]->use_sg == 1) { - struct scatterlist *sg = (struct scatterlist *)tw_dev->srb[request_id]->request_buffer; -- char *buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset; -+ char *buf; -+ unsigned long flags = 0; -+ local_irq_save(flags); -+ buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset; - memcpy(buf, tw_dev->generic_buffer_virt[request_id], sg->length); - kunmap_atomic(buf - sg->offset, KM_IRQ0); -+ local_irq_restore(flags); - } - } - } /* End twa_scsiop_execute_scsi_complete() */ -diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c -index 25f678d..e8e41e6 100644 ---- a/drivers/scsi/3w-xxxx.c -+++ b/drivers/scsi/3w-xxxx.c -@@ -1508,10 +1508,12 @@ static void tw_transfer_internal(TW_Devi - struct scsi_cmnd *cmd = tw_dev->srb[request_id]; - void *buf; - unsigned int transfer_len; -+ unsigned long flags = 0; - - if (cmd->use_sg) { - struct scatterlist *sg = - (struct scatterlist *)cmd->request_buffer; -+ local_irq_save(flags); - buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset; - transfer_len = min(sg->length, len); - } else { -@@ -1526,6 +1528,7 @@ static void tw_transfer_internal(TW_Devi - - sg = (struct scatterlist *)cmd->request_buffer; - kunmap_atomic(buf - sg->offset, KM_IRQ0); -+ local_irq_restore(flags); - } - } - -diff --git a/drivers/scsi/libata-core.c b/drivers/scsi/libata-core.c -index 4f91b0d..400e9d7 100644 ---- a/drivers/scsi/libata-core.c -+++ b/drivers/scsi/libata-core.c -@@ -4293,6 +4293,7 @@ static int ata_start_drive(struct ata_po - int ata_device_resume(struct ata_port *ap, struct ata_device *dev) - { - if (ap->flags & ATA_FLAG_SUSPENDED) { -+ ata_busy_wait(ap, ATA_BUSY | ATA_DRQ, 200000); - ap->flags &= ~ATA_FLAG_SUSPENDED; - ata_set_mode(ap); - } -diff --git a/drivers/scsi/sata_mv.c b/drivers/scsi/sata_mv.c -index 2770005..b00af08 100644 ---- a/drivers/scsi/sata_mv.c -+++ b/drivers/scsi/sata_mv.c -@@ -1102,6 +1102,7 @@ static u8 mv_get_crpb_status(struct ata_ - void __iomem *port_mmio = mv_ap_base(ap); - struct mv_port_priv *pp = ap->private_data; - u32 out_ptr; -+ u8 ata_status; - - out_ptr = readl(port_mmio + EDMA_RSP_Q_OUT_PTR_OFS); - -@@ -1109,6 +1110,8 @@ static u8 mv_get_crpb_status(struct ata_ - assert(((out_ptr >> EDMA_RSP_Q_PTR_SHIFT) & MV_MAX_Q_DEPTH_MASK) == - pp->rsp_consumer); - -+ ata_status = pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT; -+ - /* increment our consumer index... */ - pp->rsp_consumer = mv_inc_q_index(&pp->rsp_consumer); - -@@ -1123,7 +1126,7 @@ static u8 mv_get_crpb_status(struct ata_ - writelfl(out_ptr, port_mmio + EDMA_RSP_Q_OUT_PTR_OFS); - - /* Return ATA status register for completed CRPB */ -- return (pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT); -+ return ata_status; - } - - /** -@@ -1192,7 +1195,6 @@ static void mv_host_intr(struct ata_host - u32 hc_irq_cause; - int shift, port, port0, hard_port, handled; - unsigned int err_mask; -- u8 ata_status = 0; - - if (hc == 0) { - port0 = 0; -@@ -1210,6 +1212,7 @@ static void mv_host_intr(struct ata_host - hc,relevant,hc_irq_cause); - - for (port = port0; port < port0 + MV_PORTS_PER_HC; port++) { -+ u8 ata_status = 0; - ap = host_set->ports[port]; - hard_port = port & MV_PORT_MASK; /* range 0-3 */ - handled = 0; /* ensure ata_status is set if handled++ */ -diff --git a/drivers/sn/ioc3.c b/drivers/sn/ioc3.c -index 93449a1..4bd05a0 100644 ---- a/drivers/sn/ioc3.c -+++ b/drivers/sn/ioc3.c -@@ -677,7 +677,7 @@ #endif - /* Track PCI-device specific data */ - pci_set_drvdata(pdev, idd); - down_write(&ioc3_devices_rwsem); -- list_add(&idd->list, &ioc3_devices); -+ list_add_tail(&idd->list, &ioc3_devices); - idd->id = ioc3_counter++; - up_write(&ioc3_devices_rwsem); - -diff --git a/drivers/sn/ioc4.c b/drivers/sn/ioc4.c -index ea75b3d..771e868 100644 ---- a/drivers/sn/ioc4.c -+++ b/drivers/sn/ioc4.c -@@ -313,7 +313,7 @@ ioc4_probe(struct pci_dev *pdev, const s - idd->idd_serial_data = NULL; - pci_set_drvdata(idd->idd_pdev, idd); - down_write(&ioc4_devices_rwsem); -- list_add(&idd->idd_list, &ioc4_devices); -+ list_add_tail(&idd->idd_list, &ioc4_devices); - up_write(&ioc4_devices_rwsem); - - /* Add this IOC4 to all submodules */ -diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c -index 7135e54..96cabeb 100644 ---- a/drivers/usb/core/message.c -+++ b/drivers/usb/core/message.c -@@ -1388,11 +1388,13 @@ free_interfaces: - if (dev->state != USB_STATE_ADDRESS) - usb_disable_device (dev, 1); // Skip ep0 - -- i = dev->bus_mA - cp->desc.bMaxPower * 2; -- if (i < 0) -- dev_warn(&dev->dev, "new config #%d exceeds power " -- "limit by %dmA\n", -- configuration, -i); -+ if (cp) { -+ i = dev->bus_mA - cp->desc.bMaxPower * 2; -+ if (i < 0) -+ dev_warn(&dev->dev, "new config #%d exceeds power " -+ "limit by %dmA\n", -+ configuration, -i); -+ } - - if ((ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), - USB_REQ_SET_CONFIGURATION, 0, configuration, 0, -diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c -index ebcca97..88419c6 100644 ---- a/drivers/usb/host/ehci-sched.c -+++ b/drivers/usb/host/ehci-sched.c -@@ -707,6 +707,7 @@ iso_stream_init ( - } else { - u32 addr; - int think_time; -+ int hs_transfers; - - addr = dev->ttport << 24; - if (!ehci_is_TDI(ehci) -@@ -719,6 +720,7 @@ iso_stream_init ( - think_time = dev->tt ? dev->tt->think_time : 0; - stream->tt_usecs = NS_TO_US (think_time + usb_calc_bus_time ( - dev->speed, is_input, 1, maxp)); -+ hs_transfers = max (1u, (maxp + 187) / 188); - if (is_input) { - u32 tmp; - -@@ -727,12 +729,11 @@ iso_stream_init ( - stream->usecs = HS_USECS_ISO (1); - stream->raw_mask = 1; - -- /* pessimistic c-mask */ -- tmp = usb_calc_bus_time (USB_SPEED_FULL, 1, 0, maxp) -- / (125 * 1000); -- stream->raw_mask |= 3 << (tmp + 9); -+ /* c-mask as specified in USB 2.0 11.18.4 3.c */ -+ tmp = (1 << (hs_transfers + 2)) - 1; -+ stream->raw_mask |= tmp << (8 + 2); - } else -- stream->raw_mask = smask_out [maxp / 188]; -+ stream->raw_mask = smask_out [hs_transfers - 1]; - bandwidth = stream->usecs + stream->c_usecs; - bandwidth /= 1 << (interval + 2); - -diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c -index 167f8ec..8023bb7 100644 ---- a/drivers/usb/serial/console.c -+++ b/drivers/usb/serial/console.c -@@ -54,7 +54,7 @@ static struct console usbcons; - * serial.c code, except that the specifier is "ttyUSB" instead - * of "ttyS". - */ --static int __init usb_console_setup(struct console *co, char *options) -+static int usb_console_setup(struct console *co, char *options) - { - struct usbcons_info *info = &usbcons_info; - int baud = 9600; -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 52bdf6f..fd8a50e 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -582,14 +582,14 @@ static void option_setup_urbs(struct usb - portdata = usb_get_serial_port_data(port); - - /* Do indat endpoints first */ -- for (j = 0; j <= N_IN_URB; ++j) { -+ for (j = 0; j < N_IN_URB; ++j) { - portdata->in_urbs[j] = option_setup_urb (serial, - port->bulk_in_endpointAddress, USB_DIR_IN, port, - portdata->in_buffer[j], IN_BUFLEN, option_indat_callback); - } - - /* outdat endpoints */ -- for (j = 0; j <= N_OUT_URB; ++j) { -+ for (j = 0; j < N_OUT_URB; ++j) { - portdata->out_urbs[j] = option_setup_urb (serial, - port->bulk_out_endpointAddress, USB_DIR_OUT, port, - portdata->out_buffer[j], OUT_BUFLEN, option_outdat_callback); -diff --git a/drivers/usb/storage/Kconfig b/drivers/usb/storage/Kconfig -index 92be101..be9eec2 100644 ---- a/drivers/usb/storage/Kconfig -+++ b/drivers/usb/storage/Kconfig -@@ -48,7 +48,8 @@ config USB_STORAGE_FREECOM - - config USB_STORAGE_ISD200 - bool "ISD-200 USB/ATA Bridge support" -- depends on USB_STORAGE && BLK_DEV_IDE -+ depends on USB_STORAGE -+ depends on BLK_DEV_IDE=y || BLK_DEV_IDE=USB_STORAGE - ---help--- - Say Y here if you want to use USB Mass Store devices based - on the In-Systems Design ISD-200 USB/ATA bridge. -diff --git a/drivers/video/cfbimgblt.c b/drivers/video/cfbimgblt.c -index 910e233..8ba6152 100644 ---- a/drivers/video/cfbimgblt.c -+++ b/drivers/video/cfbimgblt.c -@@ -169,7 +169,7 @@ static inline void slow_imageblit(const - - while (j--) { - l--; -- color = (*s & 1 << (FB_BIT_NR(l))) ? fgcolor : bgcolor; -+ color = (*s & (1 << l)) ? fgcolor : bgcolor; - val |= FB_SHIFT_HIGH(color, shift); - - /* Did the bitshift spill bits to the next long? */ -diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c -index 996c7b5..b3094ae 100644 ---- a/drivers/video/fbmem.c -+++ b/drivers/video/fbmem.c -@@ -669,13 +669,19 @@ fb_write(struct file *file, const char _ - total_size = info->fix.smem_len; - - if (p > total_size) -- return 0; -+ return -EFBIG; - -- if (count >= total_size) -+ if (count > total_size) { -+ err = -EFBIG; - count = total_size; -+ } -+ -+ if (count + p > total_size) { -+ if (!err) -+ err = -ENOSPC; - -- if (count + p > total_size) - count = total_size - p; -+ } - - buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, - GFP_KERNEL); -@@ -717,7 +723,7 @@ fb_write(struct file *file, const char _ - - kfree(buffer); - -- return (err) ? err : cnt; -+ return (cnt) ? cnt : err; - } - - #ifdef CONFIG_KMOD -diff --git a/drivers/video/i810/i810_main.c b/drivers/video/i810/i810_main.c -index d8467c0..788297e 100644 ---- a/drivers/video/i810/i810_main.c -+++ b/drivers/video/i810/i810_main.c -@@ -1508,7 +1508,7 @@ static int i810fb_cursor(struct fb_info - int size = ((cursor->image.width + 7) >> 3) * - cursor->image.height; - int i; -- u8 *data = kmalloc(64 * 8, GFP_KERNEL); -+ u8 *data = kmalloc(64 * 8, GFP_ATOMIC); - - if (data == NULL) - return -ENOMEM; -diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c -index 3ad8455..651a9e1 100644 ---- a/fs/9p/vfs_inode.c -+++ b/fs/9p/vfs_inode.c -@@ -614,6 +614,7 @@ static struct dentry *v9fs_vfs_lookup(st - - sb = dir->i_sb; - v9ses = v9fs_inode2v9ses(dir); -+ dentry->d_op = &v9fs_dentry_operations; - dirfid = v9fs_fid_lookup(dentry->d_parent); - - if (!dirfid) { -@@ -681,8 +682,6 @@ static struct dentry *v9fs_vfs_lookup(st - goto FreeFcall; - - fid->qid = fcall->params.rstat.stat.qid; -- -- dentry->d_op = &v9fs_dentry_operations; - v9fs_stat2inode(&fcall->params.rstat.stat, inode, inode->i_sb); - - d_add(dentry, inode); -diff --git a/fs/char_dev.c b/fs/char_dev.c -index 21195c4..4e163af 100644 ---- a/fs/char_dev.c -+++ b/fs/char_dev.c -@@ -15,6 +15,7 @@ #include <linux/errno.h> - #include <linux/module.h> - #include <linux/smp_lock.h> - #include <linux/devfs_fs_kernel.h> -+#include <linux/seq_file.h> - - #include <linux/kobject.h> - #include <linux/kobj_map.h> -@@ -26,8 +27,6 @@ #endif - - static struct kobj_map *cdev_map; - --#define MAX_PROBE_HASH 255 /* random */ -- - static DECLARE_MUTEX(chrdevs_lock); - - static struct char_device_struct { -@@ -38,93 +37,29 @@ static struct char_device_struct { - char name[64]; - struct file_operations *fops; - struct cdev *cdev; /* will die */ --} *chrdevs[MAX_PROBE_HASH]; -+} *chrdevs[CHRDEV_MAJOR_HASH_SIZE]; - - /* index in the above */ - static inline int major_to_index(int major) - { -- return major % MAX_PROBE_HASH; --} -- --struct chrdev_info { -- int index; -- struct char_device_struct *cd; --}; -- --void *get_next_chrdev(void *dev) --{ -- struct chrdev_info *info; -- -- if (dev == NULL) { -- info = kmalloc(sizeof(*info), GFP_KERNEL); -- if (!info) -- goto out; -- info->index=0; -- info->cd = chrdevs[info->index]; -- if (info->cd) -- goto out; -- } else { -- info = dev; -- } -- -- while (info->index < ARRAY_SIZE(chrdevs)) { -- if (info->cd) -- info->cd = info->cd->next; -- if (info->cd) -- goto out; -- /* -- * No devices on this chain, move to the next -- */ -- info->index++; -- info->cd = (info->index < ARRAY_SIZE(chrdevs)) ? -- chrdevs[info->index] : NULL; -- if (info->cd) -- goto out; -- } -- --out: -- return info; --} -- --void *acquire_chrdev_list(void) --{ -- down(&chrdevs_lock); -- return get_next_chrdev(NULL); --} -- --void release_chrdev_list(void *dev) --{ -- up(&chrdevs_lock); -- kfree(dev); -+ return major % CHRDEV_MAJOR_HASH_SIZE; - } - -+#ifdef CONFIG_PROC_FS - --int count_chrdev_list(void) -+void chrdev_show(struct seq_file *f, off_t offset) - { - struct char_device_struct *cd; -- int i, count; -- -- count = 0; - -- for (i = 0; i < ARRAY_SIZE(chrdevs) ; i++) { -- for (cd = chrdevs[i]; cd; cd = cd->next) -- count++; -+ if (offset < CHRDEV_MAJOR_HASH_SIZE) { -+ down(&chrdevs_lock); -+ for (cd = chrdevs[offset]; cd; cd = cd->next) -+ seq_printf(f, "%3d %s\n", cd->major, cd->name); -+ up(&chrdevs_lock); - } -- -- return count; - } - --int get_chrdev_info(void *dev, int *major, char **name) --{ -- struct chrdev_info *info = dev; -- -- if (info->cd == NULL) -- return 1; -- -- *major = info->cd->major; -- *name = info->cd->name; -- return 0; --} -+#endif /* CONFIG_PROC_FS */ - - /* - * Register a single major with a specified minor range. -diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c -index a2c2485..3f5e38c 100644 ---- a/fs/cifs/cifsencrypt.c -+++ b/fs/cifs/cifsencrypt.c -@@ -56,9 +56,6 @@ int cifs_sign_smb(struct smb_hdr * cifs_ - int rc = 0; - char smb_signature[20]; - -- /* BB remember to initialize sequence number elsewhere and initialize mac_signing key elsewhere BB */ -- /* BB remember to add code to save expected sequence number in midQ entry BB */ -- - if((cifs_pdu == NULL) || (server == NULL)) - return -EINVAL; - -@@ -85,20 +82,33 @@ int cifs_sign_smb(struct smb_hdr * cifs_ - static int cifs_calc_signature2(const struct kvec * iov, int n_vec, - const char * key, char * signature) - { -- struct MD5Context context; -- -- if((iov == NULL) || (signature == NULL)) -- return -EINVAL; -+ struct MD5Context context; -+ int i; - -- MD5Init(&context); -- MD5Update(&context,key,CIFS_SESSION_KEY_SIZE+16); -+ if((iov == NULL) || (signature == NULL)) -+ return -EINVAL; - --/* MD5Update(&context,cifs_pdu->Protocol,cifs_pdu->smb_buf_length); */ /* BB FIXME BB */ -+ MD5Init(&context); -+ MD5Update(&context,key,CIFS_SESSION_KEY_SIZE+16); -+ for(i=0;i<n_vec;i++) { -+ if(iov[i].iov_base == NULL) { -+ cERROR(1,("null iovec entry")); -+ return -EIO; -+ } else if(iov[i].iov_len == 0) -+ break; /* bail out if we are sent nothing to sign */ -+ /* The first entry includes a length field (which does not get -+ signed that occupies the first 4 bytes before the header */ -+ if(i==0) { -+ if (iov[0].iov_len <= 8 ) /* cmd field at offset 9 */ -+ break; /* nothing to sign or corrupt header */ -+ MD5Update(&context,iov[0].iov_base+4, iov[0].iov_len-4); -+ } else -+ MD5Update(&context,iov[i].iov_base, iov[i].iov_len); -+ } - -- MD5Final(signature,&context); -+ MD5Final(signature,&context); - -- return -EOPNOTSUPP; --/* return 0; */ -+ return 0; - } - - -diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c -index fed55e3..5e562bc 100644 ---- a/fs/cifs/dir.c -+++ b/fs/cifs/dir.c -@@ -441,6 +441,20 @@ cifs_lookup(struct inode *parent_dir_ino - cifs_sb = CIFS_SB(parent_dir_inode->i_sb); - pTcon = cifs_sb->tcon; - -+ /* -+ * Don't allow the separator character in a path component. -+ * The VFS will not allow "/", but "\" is allowed by posix. -+ */ -+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) { -+ int i; -+ for (i = 0; i < direntry->d_name.len; i++) -+ if (direntry->d_name.name[i] == '\\') { -+ cFYI(1, ("Invalid file name")); -+ FreeXid(xid); -+ return ERR_PTR(-EINVAL); -+ } -+ } -+ - /* can not grab the rename sem here since it would - deadlock in the cases (beginning of sys_rename itself) - in which we already have the sb rename sem */ -diff --git a/fs/compat.c b/fs/compat.c -index 5333c7d..8491bb8 100644 ---- a/fs/compat.c -+++ b/fs/compat.c -@@ -1215,6 +1215,10 @@ static ssize_t compat_do_readv_writev(in - if (ret < 0) - goto out; - -+ ret = security_file_permission(file, type == READ ? MAY_READ:MAY_WRITE); -+ if (ret) -+ goto out; -+ - fnv = NULL; - if (type == READ) { - fn = file->f_op->read; -@@ -1897,7 +1901,7 @@ asmlinkage long compat_sys_ppoll(struct - } - - if (sigmask) { -- if (sigsetsize |= sizeof(compat_sigset_t)) -+ if (sigsetsize != sizeof(compat_sigset_t)) - return -EINVAL; - if (copy_from_user(&ss32, sigmask, sizeof(ss32))) - return -EFAULT; -diff --git a/fs/ext3/resize.c b/fs/ext3/resize.c -index 1041dab..14f5f6e 100644 ---- a/fs/ext3/resize.c -+++ b/fs/ext3/resize.c -@@ -974,6 +974,7 @@ int ext3_group_extend(struct super_block - if (o_blocks_count != le32_to_cpu(es->s_blocks_count)) { - ext3_warning(sb, __FUNCTION__, - "multiple resizers run on filesystem!"); -+ unlock_super(sb); - err = -EBUSY; - goto exit_put; - } -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 6f05379..ce93cf9 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -397,8 +397,12 @@ static int fuse_readpages(struct file *f - return -EINTR; - - err = read_cache_pages(mapping, pages, fuse_readpages_fill, &data); -- if (!err) -- fuse_send_readpages(data.req, file, inode); -+ if (!err) { -+ if (data.req->num_pages) -+ fuse_send_readpages(data.req, file, inode); -+ else -+ fuse_put_request(fc, data.req); -+ } - return err; - } - -diff --git a/fs/locks.c b/fs/locks.c -index 909eab8..39b038b 100644 ---- a/fs/locks.c -+++ b/fs/locks.c -@@ -432,15 +432,14 @@ static struct lock_manager_operations le - */ - static int lease_init(struct file *filp, int type, struct file_lock *fl) - { -+ if (assign_type(fl, type) != 0) -+ return -EINVAL; -+ - fl->fl_owner = current->files; - fl->fl_pid = current->tgid; - - fl->fl_file = filp; - fl->fl_flags = FL_LEASE; -- if (assign_type(fl, type) != 0) { -- locks_free_lock(fl); -- return -EINVAL; -- } - fl->fl_start = 0; - fl->fl_end = OFFSET_MAX; - fl->fl_ops = NULL; -@@ -452,16 +451,19 @@ static int lease_init(struct file *filp, - static int lease_alloc(struct file *filp, int type, struct file_lock **flp) - { - struct file_lock *fl = locks_alloc_lock(); -- int error; -+ int error = -ENOMEM; - - if (fl == NULL) -- return -ENOMEM; -+ goto out; - - error = lease_init(filp, type, fl); -- if (error) -- return error; -+ if (error) { -+ locks_free_lock(fl); -+ fl = NULL; -+ } -+out: - *flp = fl; -- return 0; -+ return error; - } - - /* Check if two locks overlap each other. -@@ -712,8 +714,9 @@ EXPORT_SYMBOL(posix_locks_deadlock); - * at the head of the list, but that's secret knowledge known only to - * flock_lock_file and posix_lock_file. - */ --static int flock_lock_file(struct file *filp, struct file_lock *new_fl) -+static int flock_lock_file(struct file *filp, struct file_lock *request) - { -+ struct file_lock *new_fl = NULL; - struct file_lock **before; - struct inode * inode = filp->f_dentry->d_inode; - int error = 0; -@@ -728,17 +731,19 @@ static int flock_lock_file(struct file * - continue; - if (filp != fl->fl_file) - continue; -- if (new_fl->fl_type == fl->fl_type) -+ if (request->fl_type == fl->fl_type) - goto out; - found = 1; - locks_delete_lock(before); - break; - } -- unlock_kernel(); - -- if (new_fl->fl_type == F_UNLCK) -- return 0; -+ if (request->fl_type == F_UNLCK) -+ goto out; - -+ new_fl = locks_alloc_lock(); -+ if (new_fl == NULL) -+ goto out; - /* - * If a higher-priority process was blocked on the old file lock, - * give it the opportunity to lock the file. -@@ -746,26 +751,27 @@ static int flock_lock_file(struct file * - if (found) - cond_resched(); - -- lock_kernel(); - for_each_lock(inode, before) { - struct file_lock *fl = *before; - if (IS_POSIX(fl)) - break; - if (IS_LEASE(fl)) - continue; -- if (!flock_locks_conflict(new_fl, fl)) -+ if (!flock_locks_conflict(request, fl)) - continue; - error = -EAGAIN; -- if (new_fl->fl_flags & FL_SLEEP) { -- locks_insert_block(fl, new_fl); -- } -+ if (request->fl_flags & FL_SLEEP) -+ locks_insert_block(fl, request); - goto out; - } -+ locks_copy_lock(new_fl, request); - locks_insert_lock(&inode->i_flock, new_fl); -- error = 0; -+ new_fl = NULL; - - out: - unlock_kernel(); -+ if (new_fl) -+ locks_free_lock(new_fl); - return error; - } - -@@ -1337,6 +1343,7 @@ static int __setlease(struct file *filp, - goto out; - - if (my_before != NULL) { -+ *flp = *my_before; - error = lease->fl_lmops->fl_change(my_before, arg); - goto out; - } -@@ -1529,9 +1536,7 @@ asmlinkage long sys_flock(unsigned int f - error = flock_lock_file_wait(filp, lock); - - out_free: -- if (list_empty(&lock->fl_link)) { -- locks_free_lock(lock); -- } -+ locks_free_lock(lock); - - out_putf: - fput(filp); -@@ -2212,7 +2217,12 @@ void steal_locks(fl_owner_t from) - - lock_kernel(); - j = 0; -- rcu_read_lock(); -+ -+ /* -+ * We are not taking a ref to the file structures, so -+ * we need to acquire ->file_lock. -+ */ -+ spin_lock(&files->file_lock); - fdt = files_fdtable(files); - for (;;) { - unsigned long set; -@@ -2230,7 +2240,7 @@ void steal_locks(fl_owner_t from) - set >>= 1; - } - } -- rcu_read_unlock(); -+ spin_unlock(&files->file_lock); - unlock_kernel(); - } - EXPORT_SYMBOL(steal_locks); -diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c -index 6d2dfed..f61142a 100644 ---- a/fs/nfsd/nfs3proc.c -+++ b/fs/nfsd/nfs3proc.c -@@ -682,7 +682,7 @@ static struct svc_procedure nfsd_proced - PROC(lookup, dirop, dirop, fhandle2, RC_NOCACHE, ST+FH+pAT+pAT), - PROC(access, access, access, fhandle, RC_NOCACHE, ST+pAT+1), - PROC(readlink, readlink, readlink, fhandle, RC_NOCACHE, ST+pAT+1+NFS3_MAXPATHLEN/4), -- PROC(read, read, read, fhandle, RC_NOCACHE, ST+pAT+4+NFSSVC_MAXBLKSIZE), -+ PROC(read, read, read, fhandle, RC_NOCACHE, ST+pAT+4+NFSSVC_MAXBLKSIZE/4), - PROC(write, write, write, fhandle, RC_REPLBUFF, ST+WC+4), - PROC(create, create, create, fhandle2, RC_REPLBUFF, ST+(1+FH+pAT)+WC), - PROC(mkdir, mkdir, create, fhandle2, RC_REPLBUFF, ST+(1+FH+pAT)+WC), -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 6d63f1d..ca8a4c4 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -975,7 +975,7 @@ #define PROC(name, argt, rest, relt, cac - */ - static struct svc_procedure nfsd_procedures4[2] = { - PROC(null, void, void, void, RC_NOCACHE, 1), -- PROC(compound, compound, compound, compound, RC_NOCACHE, NFSD_BUFSIZE) -+ PROC(compound, compound, compound, compound, RC_NOCACHE, NFSD_BUFSIZE/4) - }; - - struct svc_version nfsd_version4 = { -diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c -index 3e6b75c..06cd0db 100644 ---- a/fs/nfsd/nfsproc.c -+++ b/fs/nfsd/nfsproc.c -@@ -553,7 +553,7 @@ static struct svc_procedure nfsd_proced - PROC(none, void, void, none, RC_NOCACHE, ST), - PROC(lookup, diropargs, diropres, fhandle, RC_NOCACHE, ST+FH+AT), - PROC(readlink, readlinkargs, readlinkres, none, RC_NOCACHE, ST+1+NFS_MAXPATHLEN/4), -- PROC(read, readargs, readres, fhandle, RC_NOCACHE, ST+AT+1+NFSSVC_MAXBLKSIZE), -+ PROC(read, readargs, readres, fhandle, RC_NOCACHE, ST+AT+1+NFSSVC_MAXBLKSIZE/4), - PROC(none, void, void, none, RC_NOCACHE, ST), - PROC(write, writeargs, attrstat, fhandle, RC_REPLBUFF, ST+AT), - PROC(create, createargs, diropres, fhandle, RC_REPLBUFF, ST+FH+AT), -diff --git a/fs/open.c b/fs/open.c -index 70e0230..f697914 100644 ---- a/fs/open.c -+++ b/fs/open.c -@@ -330,7 +330,10 @@ out: - - asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length) - { -- return do_sys_ftruncate(fd, length, 1); -+ long ret = do_sys_ftruncate(fd, length, 1); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - /* LFS versions of truncate are only needed on 32 bit machines */ -@@ -342,7 +345,10 @@ asmlinkage long sys_truncate64(const cha - - asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length) - { -- return do_sys_ftruncate(fd, length, 0); -+ long ret = do_sys_ftruncate(fd, length, 0); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - #endif - -@@ -1083,20 +1089,30 @@ long do_sys_open(int dfd, const char __u - - asmlinkage long sys_open(const char __user *filename, int flags, int mode) - { -+ long ret; -+ - if (force_o_largefile()) - flags |= O_LARGEFILE; - -- return do_sys_open(AT_FDCWD, filename, flags, mode); -+ ret = do_sys_open(AT_FDCWD, filename, flags, mode); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - EXPORT_SYMBOL_GPL(sys_open); - - asmlinkage long sys_openat(int dfd, const char __user *filename, int flags, - int mode) - { -+ long ret; -+ - if (force_o_largefile()) - flags |= O_LARGEFILE; - -- return do_sys_open(dfd, filename, flags, mode); -+ ret = do_sys_open(dfd, filename, flags, mode); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - EXPORT_SYMBOL_GPL(sys_openat); - -diff --git a/fs/partitions/check.c b/fs/partitions/check.c -index f924f45..2ef03aa 100644 ---- a/fs/partitions/check.c -+++ b/fs/partitions/check.c -@@ -345,6 +345,7 @@ static char *make_block_name(struct gend - char *name; - static char *block_str = "block:"; - int size; -+ char *s; - - size = strlen(block_str) + strlen(disk->disk_name) + 1; - name = kmalloc(size, GFP_KERNEL); -@@ -352,6 +353,10 @@ static char *make_block_name(struct gend - return NULL; - strcpy(name, block_str); - strcat(name, disk->disk_name); -+ /* ewww... some of these buggers have / in name... */ -+ s = strchr(name, '/'); -+ if (s) -+ *s = '!'; - return name; - } - -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 20feb75..c192cb2 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -294,16 +294,20 @@ static int proc_fd_link(struct inode *in - - files = get_files_struct(task); - if (files) { -- rcu_read_lock(); -+ /* -+ * We are not taking a ref to the file structure, so we must -+ * hold ->file_lock. -+ */ -+ spin_lock(&files->file_lock); - file = fcheck_files(files, fd); - if (file) { - *mnt = mntget(file->f_vfsmnt); - *dentry = dget(file->f_dentry); -- rcu_read_unlock(); -+ spin_unlock(&files->file_lock); - put_files_struct(files); - return 0; - } -- rcu_read_unlock(); -+ spin_unlock(&files->file_lock); - put_files_struct(files); - } - return -ENOENT; -@@ -1485,7 +1489,12 @@ static struct dentry *proc_lookupfd(stru - if (!files) - goto out_unlock; - inode->i_mode = S_IFLNK; -- rcu_read_lock(); -+ -+ /* -+ * We are not taking a ref to the file structure, so we must -+ * hold ->file_lock. -+ */ -+ spin_lock(&files->file_lock); - file = fcheck_files(files, fd); - if (!file) - goto out_unlock2; -@@ -1493,7 +1502,7 @@ static struct dentry *proc_lookupfd(stru - inode->i_mode |= S_IRUSR | S_IXUSR; - if (file->f_mode & 2) - inode->i_mode |= S_IWUSR | S_IXUSR; -- rcu_read_unlock(); -+ spin_unlock(&files->file_lock); - put_files_struct(files); - inode->i_op = &proc_pid_link_inode_operations; - inode->i_size = 64; -@@ -1503,7 +1512,7 @@ static struct dentry *proc_lookupfd(stru - return NULL; - - out_unlock2: -- rcu_read_unlock(); -+ spin_unlock(&files->file_lock); - put_files_struct(files); - out_unlock: - iput(inode); -diff --git a/fs/proc/proc_misc.c b/fs/proc/proc_misc.c -index 1d24fea..0c78312 100644 ---- a/fs/proc/proc_misc.c -+++ b/fs/proc/proc_misc.c -@@ -249,144 +249,60 @@ static int cpuinfo_open(struct inode *in - return seq_open(file, &cpuinfo_op); - } - --enum devinfo_states { -- CHR_HDR, -- CHR_LIST, -- BLK_HDR, -- BLK_LIST, -- DEVINFO_DONE --}; -- --struct devinfo_state { -- void *chrdev; -- void *blkdev; -- unsigned int num_records; -- unsigned int cur_record; -- enum devinfo_states state; -+static struct file_operations proc_cpuinfo_operations = { -+ .open = cpuinfo_open, -+ .read = seq_read, -+ .llseek = seq_lseek, -+ .release = seq_release, - }; - --static void *devinfo_start(struct seq_file *f, loff_t *pos) -+static int devinfo_show(struct seq_file *f, void *v) - { -- struct devinfo_state *info = f->private; -+ int i = *(loff_t *) v; - -- if (*pos) { -- if ((info) && (*pos <= info->num_records)) -- return info; -- return NULL; -+ if (i < CHRDEV_MAJOR_HASH_SIZE) { -+ if (i == 0) -+ seq_printf(f, "Character devices:\n"); -+ chrdev_show(f, i); -+ } else { -+ i -= CHRDEV_MAJOR_HASH_SIZE; -+ if (i == 0) -+ seq_printf(f, "\nBlock devices:\n"); -+ blkdev_show(f, i); - } -- info = kmalloc(sizeof(*info), GFP_KERNEL); -- f->private = info; -- info->chrdev = acquire_chrdev_list(); -- info->blkdev = acquire_blkdev_list(); -- info->state = CHR_HDR; -- info->num_records = count_chrdev_list(); -- info->num_records += count_blkdev_list(); -- info->num_records += 2; /* Character and Block headers */ -- *pos = 1; -- info->cur_record = *pos; -- return info; -+ return 0; - } - --static void *devinfo_next(struct seq_file *f, void *v, loff_t *pos) -+static void *devinfo_start(struct seq_file *f, loff_t *pos) - { -- int idummy; -- char *ndummy; -- struct devinfo_state *info = f->private; -- -- switch (info->state) { -- case CHR_HDR: -- info->state = CHR_LIST; -- (*pos)++; -- /*fallthrough*/ -- case CHR_LIST: -- if (get_chrdev_info(info->chrdev,&idummy,&ndummy)) { -- /* -- * The character dev list is complete -- */ -- info->state = BLK_HDR; -- } else { -- info->chrdev = get_next_chrdev(info->chrdev); -- } -- (*pos)++; -- break; -- case BLK_HDR: -- info->state = BLK_LIST; -- (*pos)++; -- break; -- case BLK_LIST: -- if (get_blkdev_info(info->blkdev,&idummy,&ndummy)) { -- /* -- * The block dev list is complete -- */ -- info->state = DEVINFO_DONE; -- } else { -- info->blkdev = get_next_blkdev(info->blkdev); -- } -- (*pos)++; -- break; -- case DEVINFO_DONE: -- (*pos)++; -- info->cur_record = *pos; -- info = NULL; -- break; -- default: -- break; -- } -- if (info) -- info->cur_record = *pos; -- return info; -+ if (*pos < (BLKDEV_MAJOR_HASH_SIZE + CHRDEV_MAJOR_HASH_SIZE)) -+ return pos; -+ return NULL; - } - --static void devinfo_stop(struct seq_file *f, void *v) -+static void *devinfo_next(struct seq_file *f, void *v, loff_t *pos) - { -- struct devinfo_state *info = f->private; -- -- if (info) { -- release_chrdev_list(info->chrdev); -- release_blkdev_list(info->blkdev); -- f->private = NULL; -- kfree(info); -- } -+ (*pos)++; -+ if (*pos >= (BLKDEV_MAJOR_HASH_SIZE + CHRDEV_MAJOR_HASH_SIZE)) -+ return NULL; -+ return pos; - } - --static int devinfo_show(struct seq_file *f, void *arg) --{ -- int major; -- char *name; -- struct devinfo_state *info = f->private; -- -- switch(info->state) { -- case CHR_HDR: -- seq_printf(f,"Character devices:\n"); -- /* fallthrough */ -- case CHR_LIST: -- if (!get_chrdev_info(info->chrdev,&major,&name)) -- seq_printf(f,"%3d %s\n",major,name); -- break; -- case BLK_HDR: -- seq_printf(f,"\nBlock devices:\n"); -- /* fallthrough */ -- case BLK_LIST: -- if (!get_blkdev_info(info->blkdev,&major,&name)) -- seq_printf(f,"%3d %s\n",major,name); -- break; -- default: -- break; -- } -- -- return 0; -+static void devinfo_stop(struct seq_file *f, void *v) -+{ -+ /* Nothing to do */ - } - --static struct seq_operations devinfo_op = { -- .start = devinfo_start, -- .next = devinfo_next, -- .stop = devinfo_stop, -- .show = devinfo_show, -+static struct seq_operations devinfo_ops = { -+ .start = devinfo_start, -+ .next = devinfo_next, -+ .stop = devinfo_stop, -+ .show = devinfo_show - }; - --static int devinfo_open(struct inode *inode, struct file *file) -+static int devinfo_open(struct inode *inode, struct file *filp) - { -- return seq_open(file, &devinfo_op); -+ return seq_open(filp, &devinfo_ops); - } - - static struct file_operations proc_devinfo_operations = { -@@ -396,13 +312,6 @@ static struct file_operations proc_devin - .release = seq_release, - }; - --static struct file_operations proc_cpuinfo_operations = { -- .open = cpuinfo_open, -- .read = seq_read, -- .llseek = seq_lseek, -- .release = seq_release, --}; -- - extern struct seq_operations vmstat_op; - static int vmstat_open(struct inode *inode, struct file *file) - { -diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c -index 4063fb3..164a7d0 100644 ---- a/fs/proc/vmcore.c -+++ b/fs/proc/vmcore.c -@@ -103,8 +103,8 @@ static ssize_t read_vmcore(struct file * - size_t buflen, loff_t *fpos) - { - ssize_t acc = 0, tmp; -- size_t tsz, nr_bytes; -- u64 start; -+ size_t tsz; -+ u64 start, nr_bytes; - struct vmcore *curr_m = NULL; - - if (buflen == 0 || *fpos >= vmcore_size) -diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c -index ab8894c..9df778a 100644 ---- a/fs/reiserfs/xattr_acl.c -+++ b/fs/reiserfs/xattr_acl.c -@@ -408,8 +408,9 @@ int reiserfs_cache_default_acl(struct in - acl = reiserfs_get_acl(inode, ACL_TYPE_DEFAULT); - reiserfs_read_unlock_xattrs(inode->i_sb); - reiserfs_read_unlock_xattr_i(inode); -- ret = acl ? 1 : 0; -- posix_acl_release(acl); -+ ret = (acl && !IS_ERR(acl)); -+ if (ret) -+ posix_acl_release(acl); - } - - return ret; -diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c -index 0424d06..45862ec 100644 ---- a/fs/smbfs/dir.c -+++ b/fs/smbfs/dir.c -@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den - if (dentry->d_name.len > SMB_MAXNAMELEN) - goto out; - -+ /* Do not allow lookup of names with backslashes in */ -+ error = -EINVAL; -+ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) -+ goto out; -+ - lock_kernel(); - error = smb_proc_getattr(dentry, &finfo); - #ifdef SMBFS_PARANOIA -diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c -index c71c375..c71dd27 100644 ---- a/fs/smbfs/request.c -+++ b/fs/smbfs/request.c -@@ -339,9 +339,11 @@ #endif - /* - * On timeout or on interrupt we want to try and remove the - * request from the recvq/xmitq. -+ * First check if the request is still part of a queue. (May -+ * have been removed by some error condition) - */ - smb_lock_server(server); -- if (!(req->rq_flags & SMB_REQ_RECEIVED)) { -+ if (!list_empty(&req->rq_queue)) { - list_del_init(&req->rq_queue); - smb_rput(req); - } -diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c -index 49bd219..cfd290d 100644 ---- a/fs/sysfs/dir.c -+++ b/fs/sysfs/dir.c -@@ -302,6 +302,7 @@ void sysfs_remove_dir(struct kobject * k - * Drop reference from dget() on entrance. - */ - dput(dentry); -+ kobj->dentry = NULL; - } - - int sysfs_rename_dir(struct kobject * kobj, const char *new_name) -diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c -index d0e3d84..2ecc58c 100644 ---- a/fs/sysfs/file.c -+++ b/fs/sysfs/file.c -@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * - return -ENOMEM; - - if (count >= PAGE_SIZE) -- count = PAGE_SIZE; -+ count = PAGE_SIZE - 1; - error = copy_from_user(buffer->page,buf,count); - buffer->needs_read_fill = 1; - return error ? -EFAULT : count; -diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c -index 689f7bc..6beee6f 100644 ---- a/fs/sysfs/inode.c -+++ b/fs/sysfs/inode.c -@@ -227,12 +227,16 @@ void sysfs_drop_dentry(struct sysfs_dire - void sysfs_hash_and_remove(struct dentry * dir, const char * name) - { - struct sysfs_dirent * sd; -- struct sysfs_dirent * parent_sd = dir->d_fsdata; -+ struct sysfs_dirent * parent_sd; -+ -+ if (!dir) -+ return; - - if (dir->d_inode == NULL) - /* no inode means this hasn't been made visible yet */ - return; - -+ parent_sd = dir->d_fsdata; - mutex_lock(&dir->d_inode->i_mutex); - list_for_each_entry(sd, &parent_sd->s_children, s_sibling) { - if (!sd->s_element) -diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c -index e38d633..e5ce6e7 100644 ---- a/fs/sysfs/symlink.c -+++ b/fs/sysfs/symlink.c -@@ -66,6 +66,7 @@ static int sysfs_add_link(struct dentry - if (!error) - return 0; - -+ kobject_put(target); - kfree(sl->link_name); - exit2: - kfree(sl); -diff --git a/fs/xfs/linux-2.6/xfs_aops.c b/fs/xfs/linux-2.6/xfs_aops.c -index 74d8be8..a980736 100644 ---- a/fs/xfs/linux-2.6/xfs_aops.c -+++ b/fs/xfs/linux-2.6/xfs_aops.c -@@ -616,7 +616,7 @@ xfs_is_delayed_page( - acceptable = (type == IOMAP_UNWRITTEN); - else if (buffer_delay(bh)) - acceptable = (type == IOMAP_DELAY); -- else if (buffer_mapped(bh)) -+ else if (buffer_dirty(bh) && buffer_mapped(bh)) - acceptable = (type == 0); - else - break; -diff --git a/fs/xfs/linux-2.6/xfs_iops.c b/fs/xfs/linux-2.6/xfs_iops.c -index d7f6f2d..43808e2 100644 ---- a/fs/xfs/linux-2.6/xfs_iops.c -+++ b/fs/xfs/linux-2.6/xfs_iops.c -@@ -673,8 +673,7 @@ linvfs_setattr( - if (ia_valid & ATTR_ATIME) { - vattr.va_mask |= XFS_AT_ATIME; - vattr.va_atime = attr->ia_atime; -- if (ia_valid & ATTR_ATIME_SET) -- inode->i_atime = attr->ia_atime; -+ inode->i_atime = attr->ia_atime; - } - if (ia_valid & ATTR_MTIME) { - vattr.va_mask |= XFS_AT_MTIME; -diff --git a/include/asm-i386/cpufeature.h b/include/asm-i386/cpufeature.h -index c4ec2a4..9d15eec 100644 ---- a/include/asm-i386/cpufeature.h -+++ b/include/asm-i386/cpufeature.h -@@ -70,6 +70,7 @@ #define X86_FEATURE_K7 (3*32+ 5) /* Ath - #define X86_FEATURE_P3 (3*32+ 6) /* P3 */ - #define X86_FEATURE_P4 (3*32+ 7) /* P4 */ - #define X86_FEATURE_CONSTANT_TSC (3*32+ 8) /* TSC ticks at a constant rate */ -+#define X86_FEATURE_FXSAVE_LEAK (3*32+10) /* FXSAVE leaks FOP/FIP/FOP */ - - /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ - #define X86_FEATURE_XMM3 (4*32+ 0) /* Streaming SIMD Extensions-3 */ -diff --git a/include/asm-i386/i387.h b/include/asm-i386/i387.h -index 152d0ba..bc1d6ed 100644 ---- a/include/asm-i386/i387.h -+++ b/include/asm-i386/i387.h -@@ -13,6 +13,7 @@ #define __ASM_I386_I387_H - - #include <linux/sched.h> - #include <linux/init.h> -+#include <linux/kernel_stat.h> - #include <asm/processor.h> - #include <asm/sigcontext.h> - #include <asm/user.h> -@@ -38,17 +39,38 @@ #define restore_fpu(tsk) \ - extern void kernel_fpu_begin(void); - #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0) - -+/* We need a safe address that is cheap to find and that is already -+ in L1 during context switch. The best choices are unfortunately -+ different for UP and SMP */ -+#ifdef CONFIG_SMP -+#define safe_address (__per_cpu_offset[0]) -+#else -+#define safe_address (kstat_cpu(0).cpustat.user) -+#endif -+ - /* - * These must be called with preempt disabled - */ - static inline void __save_init_fpu( struct task_struct *tsk ) - { -+ /* Use more nops than strictly needed in case the compiler -+ varies code */ - alternative_input( -- "fnsave %1 ; fwait ;" GENERIC_NOP2, -- "fxsave %1 ; fnclex", -+ "fnsave %[fx] ;fwait;" GENERIC_NOP8 GENERIC_NOP4, -+ "fxsave %[fx]\n" -+ "bt $7,%[fsw] ; jnc 1f ; fnclex\n1:", - X86_FEATURE_FXSR, -- "m" (tsk->thread.i387.fxsave) -- :"memory"); -+ [fx] "m" (tsk->thread.i387.fxsave), -+ [fsw] "m" (tsk->thread.i387.fxsave.swd) : "memory"); -+ /* AMD K7/K8 CPUs don't save/restore FDP/FIP/FOP unless an exception -+ is pending. Clear the x87 state here by setting it to fixed -+ values. safe_address is a random variable that should be in L1 */ -+ alternative_input( -+ GENERIC_NOP8 GENERIC_NOP2, -+ "emms\n\t" /* clear stack tags */ -+ "fildl %[addr]", /* set F?P to defined value */ -+ X86_FEATURE_FXSAVE_LEAK, -+ [addr] "m" (safe_address)); - task_thread_info(tsk)->status &= ~TS_USEDFPU; - } - -diff --git a/include/asm-i386/pgtable-2level.h b/include/asm-i386/pgtable-2level.h -index 74ef721..d76c61d 100644 ---- a/include/asm-i386/pgtable-2level.h -+++ b/include/asm-i386/pgtable-2level.h -@@ -18,6 +18,9 @@ #define set_pte_at(mm,addr,ptep,pteval) - #define set_pte_atomic(pteptr, pteval) set_pte(pteptr,pteval) - #define set_pmd(pmdptr, pmdval) (*(pmdptr) = (pmdval)) - -+#define pte_clear(mm,addr,xp) do { set_pte_at(mm, addr, xp, __pte(0)); } while (0) -+#define pmd_clear(xp) do { set_pmd(xp, __pmd(0)); } while (0) -+ - #define ptep_get_and_clear(mm,addr,xp) __pte(xchg(&(xp)->pte_low, 0)) - #define pte_same(a, b) ((a).pte_low == (b).pte_low) - #define pte_page(x) pfn_to_page(pte_pfn(x)) -diff --git a/include/asm-i386/pgtable-3level.h b/include/asm-i386/pgtable-3level.h -index f1a8b45..3dda0f6 100644 ---- a/include/asm-i386/pgtable-3level.h -+++ b/include/asm-i386/pgtable-3level.h -@@ -85,6 +85,26 @@ ((unsigned long) __va(pud_val(pud) & PAG - #define pmd_offset(pud, address) ((pmd_t *) pud_page(*(pud)) + \ - pmd_index(address)) - -+/* -+ * For PTEs and PDEs, we must clear the P-bit first when clearing a page table -+ * entry, so clear the bottom half first and enforce ordering with a compiler -+ * barrier. -+ */ -+static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep) -+{ -+ ptep->pte_low = 0; -+ smp_wmb(); -+ ptep->pte_high = 0; -+} -+ -+static inline void pmd_clear(pmd_t *pmd) -+{ -+ u32 *tmp = (u32 *)pmd; -+ *tmp = 0; -+ smp_wmb(); -+ *(tmp + 1) = 0; -+} -+ - static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep) - { - pte_t res; -diff --git a/include/asm-i386/pgtable.h b/include/asm-i386/pgtable.h -index 088a945..6313403 100644 ---- a/include/asm-i386/pgtable.h -+++ b/include/asm-i386/pgtable.h -@@ -204,12 +204,10 @@ #undef TEST_ACCESS_OK - extern unsigned long pg0[]; - - #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE)) --#define pte_clear(mm,addr,xp) do { set_pte_at(mm, addr, xp, __pte(0)); } while (0) - - /* To avoid harmful races, pmd_none(x) should check only the lower when PAE */ - #define pmd_none(x) (!(unsigned long)pmd_val(x)) - #define pmd_present(x) (pmd_val(x) & _PAGE_PRESENT) --#define pmd_clear(xp) do { set_pmd(xp, __pmd(0)); } while (0) - #define pmd_bad(x) ((pmd_val(x) & (~PAGE_MASK & ~_PAGE_USER)) != _KERNPG_TABLE) - - -@@ -269,7 +267,7 @@ static inline pte_t ptep_get_and_clear_f - pte_t pte; - if (full) { - pte = *ptep; -- *ptep = __pte(0); -+ pte_clear(mm, addr, ptep); - } else { - pte = ptep_get_and_clear(mm, addr, ptep); - } -diff --git a/include/asm-m32r/smp.h b/include/asm-m32r/smp.h -index 7885b7d..1184293 100644 ---- a/include/asm-m32r/smp.h -+++ b/include/asm-m32r/smp.h -@@ -67,7 +67,8 @@ #define cpu_to_physid(cpu_id) cpu_2_phys - #define raw_smp_processor_id() (current_thread_info()->cpu) - - extern cpumask_t cpu_callout_map; --#define cpu_possible_map cpu_callout_map -+extern cpumask_t cpu_possible_map; -+extern cpumask_t cpu_present_map; - - static __inline__ int hard_smp_processor_id(void) - { -diff --git a/include/asm-m32r/uaccess.h b/include/asm-m32r/uaccess.h -index e8ae619..819cc28 100644 ---- a/include/asm-m32r/uaccess.h -+++ b/include/asm-m32r/uaccess.h -@@ -5,17 +5,9 @@ #define _ASM_M32R_UACCESS_H - * linux/include/asm-m32r/uaccess.h - * - * M32R version. -- * Copyright (C) 2004 Hirokazu Takata <takata at linux-m32r.org> -+ * Copyright (C) 2004, 2006 Hirokazu Takata <takata at linux-m32r.org> - */ - --#undef UACCESS_DEBUG -- --#ifdef UACCESS_DEBUG --#define UAPRINTK(args...) printk(args) --#else --#define UAPRINTK(args...) --#endif /* UACCESS_DEBUG */ -- - /* - * User space memory access functions - */ -@@ -38,27 +30,29 @@ #define VERIFY_WRITE 1 - #define MAKE_MM_SEG(s) ((mm_segment_t) { (s) }) - - #ifdef CONFIG_MMU -+ - #define KERNEL_DS MAKE_MM_SEG(0xFFFFFFFF) - #define USER_DS MAKE_MM_SEG(PAGE_OFFSET) --#else --#define KERNEL_DS MAKE_MM_SEG(0xFFFFFFFF) --#define USER_DS MAKE_MM_SEG(0xFFFFFFFF) --#endif /* CONFIG_MMU */ -- - #define get_ds() (KERNEL_DS) --#ifdef CONFIG_MMU - #define get_fs() (current_thread_info()->addr_limit) - #define set_fs(x) (current_thread_info()->addr_limit = (x)) --#else -+ -+#else /* not CONFIG_MMU */ -+ -+#define KERNEL_DS MAKE_MM_SEG(0xFFFFFFFF) -+#define USER_DS MAKE_MM_SEG(0xFFFFFFFF) -+#define get_ds() (KERNEL_DS) -+ - static inline mm_segment_t get_fs(void) - { -- return USER_DS; -+ return USER_DS; - } - - static inline void set_fs(mm_segment_t s) - { - } --#endif /* CONFIG_MMU */ -+ -+#endif /* not CONFIG_MMU */ - - #define segment_eq(a,b) ((a).seg == (b).seg) - -@@ -83,9 +77,9 @@ #define __range_ok(addr,size) ({ \ - " subx %0, %0\n" \ - " cmpu %4, %1\n" \ - " subx %0, %5\n" \ -- : "=&r"(flag), "=r"(sum) \ -- : "1"(addr), "r"((int)(size)), \ -- "r"(current_thread_info()->addr_limit.seg), "r"(0) \ -+ : "=&r" (flag), "=r" (sum) \ -+ : "1" (addr), "r" ((int)(size)), \ -+ "r" (current_thread_info()->addr_limit.seg), "r" (0) \ - : "cbit" ); \ - flag; }) - -@@ -113,10 +107,10 @@ #define access_ok(type,addr,size) (likel - #else - static inline int access_ok(int type, const void *addr, unsigned long size) - { -- extern unsigned long memory_start, memory_end; -- unsigned long val = (unsigned long)addr; -+ extern unsigned long memory_start, memory_end; -+ unsigned long val = (unsigned long)addr; - -- return ((val >= memory_start) && ((val + size) < memory_end)); -+ return ((val >= memory_start) && ((val + size) < memory_end)); - } - #endif /* CONFIG_MMU */ - -@@ -155,39 +149,6 @@ extern int fixup_exception(struct pt_reg - * accesses to the same area of user memory). - */ - --extern void __get_user_1(void); --extern void __get_user_2(void); --extern void __get_user_4(void); -- --#ifndef MODULE --#define __get_user_x(size,ret,x,ptr) \ -- __asm__ __volatile__( \ -- " mv r0, %0\n" \ -- " mv r1, %1\n" \ -- " bl __get_user_" #size "\n" \ -- " mv %0, r0\n" \ -- " mv %1, r1\n" \ -- : "=r"(ret), "=r"(x) \ -- : "0"(ptr) \ -- : "r0", "r1", "r14" ) --#else /* MODULE */ --/* -- * Use "jl" instead of "bl" for MODULE -- */ --#define __get_user_x(size,ret,x,ptr) \ -- __asm__ __volatile__( \ -- " mv r0, %0\n" \ -- " mv r1, %1\n" \ -- " seth lr, #high(__get_user_" #size ")\n" \ -- " or3 lr, lr, #low(__get_user_" #size ")\n" \ -- " jl lr\n" \ -- " mv %0, r0\n" \ -- " mv %1, r1\n" \ -- : "=r"(ret), "=r"(x) \ -- : "0"(ptr) \ -- : "r0", "r1", "r14" ) --#endif -- - /* Careful: we have to cast the result to the type of the pointer for sign - reasons */ - /** -@@ -208,20 +169,7 @@ #endif - * On error, the variable @x is set to zero. - */ - #define get_user(x,ptr) \ --({ int __ret_gu; \ -- unsigned long __val_gu; \ -- __chk_user_ptr(ptr); \ -- switch(sizeof (*(ptr))) { \ -- case 1: __get_user_x(1,__ret_gu,__val_gu,ptr); break; \ -- case 2: __get_user_x(2,__ret_gu,__val_gu,ptr); break; \ -- case 4: __get_user_x(4,__ret_gu,__val_gu,ptr); break; \ -- default: __get_user_x(X,__ret_gu,__val_gu,ptr); break; \ -- } \ -- (x) = (__typeof__(*(ptr)))__val_gu; \ -- __ret_gu; \ --}) -- --extern void __put_user_bad(void); -+ __get_user_check((x),(ptr),sizeof(*(ptr))) - - /** - * put_user: - Write a simple value into user space. -@@ -240,8 +188,7 @@ extern void __put_user_bad(void); - * Returns zero on success, or -EFAULT on error. - */ - #define put_user(x,ptr) \ -- __put_user_check((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) -- -+ __put_user_check((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) - - /** - * __get_user: - Get a simple variable from user space, with less checking. -@@ -264,8 +211,64 @@ #define put_user(x,ptr) \ - * On error, the variable @x is set to zero. - */ - #define __get_user(x,ptr) \ -- __get_user_nocheck((x),(ptr),sizeof(*(ptr))) -+ __get_user_nocheck((x),(ptr),sizeof(*(ptr))) - -+#define __get_user_nocheck(x,ptr,size) \ -+({ \ -+ long __gu_err = 0; \ -+ unsigned long __gu_val; \ -+ might_sleep(); \ -+ __get_user_size(__gu_val,(ptr),(size),__gu_err); \ -+ (x) = (__typeof__(*(ptr)))__gu_val; \ -+ __gu_err; \ -+}) -+ -+#define __get_user_check(x,ptr,size) \ -+({ \ -+ long __gu_err = -EFAULT; \ -+ unsigned long __gu_val = 0; \ -+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ -+ might_sleep(); \ -+ if (access_ok(VERIFY_READ,__gu_addr,size)) \ -+ __get_user_size(__gu_val,__gu_addr,(size),__gu_err); \ -+ (x) = (__typeof__(*(ptr)))__gu_val; \ -+ __gu_err; \ -+}) -+ -+extern long __get_user_bad(void); -+ -+#define __get_user_size(x,ptr,size,retval) \ -+do { \ -+ retval = 0; \ -+ __chk_user_ptr(ptr); \ -+ switch (size) { \ -+ case 1: __get_user_asm(x,ptr,retval,"ub"); break; \ -+ case 2: __get_user_asm(x,ptr,retval,"uh"); break; \ -+ case 4: __get_user_asm(x,ptr,retval,""); break; \ -+ default: (x) = __get_user_bad(); \ -+ } \ -+} while (0) -+ -+#define __get_user_asm(x, addr, err, itype) \ -+ __asm__ __volatile__( \ -+ " .fillinsn\n" \ -+ "1: ld"itype" %1,@%2\n" \ -+ " .fillinsn\n" \ -+ "2:\n" \ -+ ".section .fixup,\"ax\"\n" \ -+ " .balign 4\n" \ -+ "3: ldi %0,%3\n" \ -+ " seth r14,#high(2b)\n" \ -+ " or3 r14,r14,#low(2b)\n" \ -+ " jmp r14\n" \ -+ ".previous\n" \ -+ ".section __ex_table,\"a\"\n" \ -+ " .balign 4\n" \ -+ " .long 1b,3b\n" \ -+ ".previous" \ -+ : "=&r" (err), "=&r" (x) \ -+ : "r" (addr), "i" (-EFAULT), "0" (err) \ -+ : "r14", "memory") - - /** - * __put_user: - Write a simple value into user space, with less checking. -@@ -287,11 +290,13 @@ #define __get_user(x,ptr) \ - * Returns zero on success, or -EFAULT on error. - */ - #define __put_user(x,ptr) \ -- __put_user_nocheck((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) -+ __put_user_nocheck((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) -+ - - #define __put_user_nocheck(x,ptr,size) \ - ({ \ - long __pu_err; \ -+ might_sleep(); \ - __put_user_size((x),(ptr),(size),__pu_err); \ - __pu_err; \ - }) -@@ -308,28 +313,28 @@ ({ \ - }) - - #if defined(__LITTLE_ENDIAN__) --#define __put_user_u64(x, addr, err) \ -- __asm__ __volatile__( \ -- " .fillinsn\n" \ -- "1: st %L1,@%2\n" \ -- " .fillinsn\n" \ -- "2: st %H1,@(4,%2)\n" \ -- " .fillinsn\n" \ -- "3:\n" \ -- ".section .fixup,\"ax\"\n" \ -- " .balign 4\n" \ -- "4: ldi %0,%3\n" \ -- " seth r14,#high(3b)\n" \ -- " or3 r14,r14,#low(3b)\n" \ -- " jmp r14\n" \ -- ".previous\n" \ -- ".section __ex_table,\"a\"\n" \ -- " .balign 4\n" \ -- " .long 1b,4b\n" \ -- " .long 2b,4b\n" \ -- ".previous" \ -- : "=&r"(err) \ -- : "r"(x), "r"(addr), "i"(-EFAULT), "0"(err) \ -+#define __put_user_u64(x, addr, err) \ -+ __asm__ __volatile__( \ -+ " .fillinsn\n" \ -+ "1: st %L1,@%2\n" \ -+ " .fillinsn\n" \ -+ "2: st %H1,@(4,%2)\n" \ -+ " .fillinsn\n" \ -+ "3:\n" \ -+ ".section .fixup,\"ax\"\n" \ -+ " .balign 4\n" \ -+ "4: ldi %0,%3\n" \ -+ " seth r14,#high(3b)\n" \ -+ " or3 r14,r14,#low(3b)\n" \ -+ " jmp r14\n" \ -+ ".previous\n" \ -+ ".section __ex_table,\"a\"\n" \ -+ " .balign 4\n" \ -+ " .long 1b,4b\n" \ -+ " .long 2b,4b\n" \ -+ ".previous" \ -+ : "=&r" (err) \ -+ : "r" (x), "r" (addr), "i" (-EFAULT), "0" (err) \ - : "r14", "memory") - - #elif defined(__BIG_ENDIAN__) -@@ -353,13 +358,15 @@ #define __put_user_u64(x, addr, err) - " .long 1b,4b\n" \ - " .long 2b,4b\n" \ - ".previous" \ -- : "=&r"(err) \ -- : "r"(x), "r"(addr), "i"(-EFAULT), "0"(err) \ -+ : "=&r" (err) \ -+ : "r" (x), "r" (addr), "i" (-EFAULT), "0" (err) \ - : "r14", "memory") - #else - #error no endian defined - #endif - -+extern void __put_user_bad(void); -+ - #define __put_user_size(x,ptr,size,retval) \ - do { \ - retval = 0; \ -@@ -398,52 +405,8 @@ #define __put_user_asm(x, addr, err, ity - " .balign 4\n" \ - " .long 1b,3b\n" \ - ".previous" \ -- : "=&r"(err) \ -- : "r"(x), "r"(addr), "i"(-EFAULT), "0"(err) \ -- : "r14", "memory") -- --#define __get_user_nocheck(x,ptr,size) \ --({ \ -- long __gu_err; \ -- unsigned long __gu_val; \ -- __get_user_size(__gu_val,(ptr),(size),__gu_err); \ -- (x) = (__typeof__(*(ptr)))__gu_val; \ -- __gu_err; \ --}) -- --extern long __get_user_bad(void); -- --#define __get_user_size(x,ptr,size,retval) \ --do { \ -- retval = 0; \ -- __chk_user_ptr(ptr); \ -- switch (size) { \ -- case 1: __get_user_asm(x,ptr,retval,"ub"); break; \ -- case 2: __get_user_asm(x,ptr,retval,"uh"); break; \ -- case 4: __get_user_asm(x,ptr,retval,""); break; \ -- default: (x) = __get_user_bad(); \ -- } \ --} while (0) -- --#define __get_user_asm(x, addr, err, itype) \ -- __asm__ __volatile__( \ -- " .fillinsn\n" \ -- "1: ld"itype" %1,@%2\n" \ -- " .fillinsn\n" \ -- "2:\n" \ -- ".section .fixup,\"ax\"\n" \ -- " .balign 4\n" \ -- "3: ldi %0,%3\n" \ -- " seth r14,#high(2b)\n" \ -- " or3 r14,r14,#low(2b)\n" \ -- " jmp r14\n" \ -- ".previous\n" \ -- ".section __ex_table,\"a\"\n" \ -- " .balign 4\n" \ -- " .long 1b,3b\n" \ -- ".previous" \ -- : "=&r"(err), "=&r"(x) \ -- : "r"(addr), "i"(-EFAULT), "0"(err) \ -+ : "=&r" (err) \ -+ : "r" (x), "r" (addr), "i" (-EFAULT), "0" (err) \ - : "r14", "memory") - - /* -@@ -453,7 +416,6 @@ #define __get_user_asm(x, addr, err, ity - * anything, so this is accurate. - */ - -- - /* - * Copy To/From Userspace - */ -@@ -511,8 +473,9 @@ do { \ - " .long 2b,9b\n" \ - " .long 3b,9b\n" \ - ".previous\n" \ -- : "=&r"(__dst), "=&r"(__src), "=&r"(size), "=&r"(__c) \ -- : "0"(to), "1"(from), "2"(size), "3"(size / 4) \ -+ : "=&r" (__dst), "=&r" (__src), "=&r" (size), \ -+ "=&r" (__c) \ -+ : "0" (to), "1" (from), "2" (size), "3" (size / 4) \ - : "r14", "memory"); \ - } while (0) - -@@ -573,8 +536,9 @@ do { \ - " .long 2b,7b\n" \ - " .long 3b,7b\n" \ - ".previous\n" \ -- : "=&r"(__dst), "=&r"(__src), "=&r"(size), "=&r"(__c) \ -- : "0"(to), "1"(from), "2"(size), "3"(size / 4) \ -+ : "=&r" (__dst), "=&r" (__src), "=&r" (size), \ -+ "=&r" (__c) \ -+ : "0" (to), "1" (from), "2" (size), "3" (size / 4) \ - : "r14", "memory"); \ - } while (0) - -@@ -676,7 +640,7 @@ #define __copy_from_user(to,from,n) \ - #define copy_from_user(to,from,n) \ - ({ \ - might_sleep(); \ --__generic_copy_from_user((to),(from),(n)); \ -+ __generic_copy_from_user((to),(from),(n)); \ - }) - - long __must_check strncpy_from_user(char *dst, const char __user *src, -diff --git a/include/asm-mips/bitops.h b/include/asm-mips/bitops.h -index 8e80205..849155a 100644 ---- a/include/asm-mips/bitops.h -+++ b/include/asm-mips/bitops.h -@@ -654,7 +654,12 @@ static inline unsigned long fls(unsigned - { - #ifdef CONFIG_32BIT - #ifdef CONFIG_CPU_MIPS32 -- __asm__ ("clz %0, %1" : "=r" (word) : "r" (word)); -+ __asm__ ( -+ " .set mips32 \n" -+ " clz %0, %1 \n" -+ " .set mips0 \n" -+ : "=r" (word) -+ : "r" (word)); - - return 32 - word; - #else -@@ -678,7 +683,12 @@ #endif /* CONFIG_32BIT */ - #ifdef CONFIG_64BIT - #ifdef CONFIG_CPU_MIPS64 - -- __asm__ ("dclz %0, %1" : "=r" (word) : "r" (word)); -+ __asm__ ( -+ " .set mips64 \n" -+ " dclz %0, %1 \n" -+ " .set mips0 \n" -+ : "=r" (word) -+ : "r" (word)); - - return 64 - word; - #else -diff --git a/include/asm-mips/byteorder.h b/include/asm-mips/byteorder.h -index 584f812..4ce5bc3 100644 ---- a/include/asm-mips/byteorder.h -+++ b/include/asm-mips/byteorder.h -@@ -19,7 +19,9 @@ #ifdef CONFIG_CPU_MIPSR2 - static __inline__ __attribute_const__ __u16 ___arch__swab16(__u16 x) - { - __asm__( -+ " .set mips32r2 \n" - " wsbh %0, %1 \n" -+ " .set mips0 \n" - : "=r" (x) - : "r" (x)); - -@@ -30,8 +32,10 @@ #define __arch__swab16(x) ___arch__swab1 - static __inline__ __attribute_const__ __u32 ___arch__swab32(__u32 x) - { - __asm__( -+ " .set mips32r2 \n" - " wsbh %0, %1 \n" - " rotr %0, %0, 16 \n" -+ " .set mips0 \n" - : "=r" (x) - : "r" (x)); - -diff --git a/include/asm-mips/interrupt.h b/include/asm-mips/interrupt.h -index 7743487..50baf6b 100644 ---- a/include/asm-mips/interrupt.h -+++ b/include/asm-mips/interrupt.h -@@ -20,7 +20,9 @@ __asm__ ( - " .set reorder \n" - " .set noat \n" - #ifdef CONFIG_CPU_MIPSR2 -+ " .set mips32r2 \n" - " ei \n" -+ " .set mips0 \n" - #else - " mfc0 $1,$12 \n" - " ori $1,0x1f \n" -@@ -63,7 +65,9 @@ __asm__ ( - " .set push \n" - " .set noat \n" - #ifdef CONFIG_CPU_MIPSR2 -+ " .set mips32r2 \n" - " di \n" -+ " .set mips0 \n" - #else - " mfc0 $1,$12 \n" - " ori $1,0x1f \n" -@@ -103,8 +107,10 @@ __asm__ ( - " .set reorder \n" - " .set noat \n" - #ifdef CONFIG_CPU_MIPSR2 -+ " .set mips32r2 \n" - " di \\result \n" - " andi \\result, 1 \n" -+ " .set mips0 \n" - #else - " mfc0 \\result, $12 \n" - " ori $1, \\result, 0x1f \n" -@@ -133,9 +139,11 @@ #if defined(CONFIG_CPU_MIPSR2) && define - * Slow, but doesn't suffer from a relativly unlikely race - * condition we're having since days 1. - */ -+ " .set mips32r2 \n" - " beqz \\flags, 1f \n" - " di \n" - " ei \n" -+ " .set mips0 \n" - "1: \n" - #elif defined(CONFIG_CPU_MIPSR2) - /* -diff --git a/include/asm-mips/r4kcache.h b/include/asm-mips/r4kcache.h -index 0bcb79a..d9ee097 100644 ---- a/include/asm-mips/r4kcache.h -+++ b/include/asm-mips/r4kcache.h -@@ -37,7 +37,7 @@ #define cache_op(op,addr) \ - " cache %0, %1 \n" \ - " .set pop \n" \ - : \ -- : "i" (op), "m" (*(unsigned char *)(addr))) -+ : "i" (op), "R" (*(unsigned char *)(addr))) - - static inline void flush_icache_line_indexed(unsigned long addr) - { -diff --git a/include/asm-powerpc/floppy.h b/include/asm-powerpc/floppy.h -index e258778..608164c 100644 ---- a/include/asm-powerpc/floppy.h -+++ b/include/asm-powerpc/floppy.h -@@ -35,6 +35,7 @@ #define fd_free_irq() free_irq - #ifdef CONFIG_PCI - - #include <linux/pci.h> -+#include <asm/ppc-pci.h> /* for ppc64_isabridge_dev */ - - #define fd_dma_setup(addr,size,mode,io) powerpc_fd_dma_setup(addr,size,mode,io) - -@@ -52,12 +53,12 @@ static __inline__ int powerpc_fd_dma_set - if (bus_addr - && (addr != prev_addr || size != prev_size || dir != prev_dir)) { - /* different from last time -- unmap prev */ -- pci_unmap_single(NULL, bus_addr, prev_size, prev_dir); -+ pci_unmap_single(ppc64_isabridge_dev, bus_addr, prev_size, prev_dir); - bus_addr = 0; - } - - if (!bus_addr) /* need to map it */ -- bus_addr = pci_map_single(NULL, addr, size, dir); -+ bus_addr = pci_map_single(ppc64_isabridge_dev, addr, size, dir); - - /* remember this one as prev */ - prev_addr = addr; -diff --git a/include/asm-x86_64/cpufeature.h b/include/asm-x86_64/cpufeature.h -index 76bb619..662964b 100644 ---- a/include/asm-x86_64/cpufeature.h -+++ b/include/asm-x86_64/cpufeature.h -@@ -64,6 +64,7 @@ #define X86_FEATURE_CENTAUR_MCR (3*32+ 3 - #define X86_FEATURE_REP_GOOD (3*32+ 4) /* rep microcode works well on this CPU */ - #define X86_FEATURE_CONSTANT_TSC (3*32+5) /* TSC runs at constant rate */ - #define X86_FEATURE_SYNC_RDTSC (3*32+6) /* RDTSC syncs CPU core */ -+#define X86_FEATURE_FXSAVE_LEAK (3*32+7) /* FIP/FOP/FDP leaks through FXSAVE */ - - /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ - #define X86_FEATURE_XMM3 (4*32+ 0) /* Streaming SIMD Extensions-3 */ -diff --git a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h -index 876eb9a..cba8a3b 100644 ---- a/include/asm-x86_64/i387.h -+++ b/include/asm-x86_64/i387.h -@@ -72,6 +72,23 @@ #define set_fpu_cwd(t,val) ((t)->thread. - #define set_fpu_swd(t,val) ((t)->thread.i387.fxsave.swd = (val)) - #define set_fpu_fxsr_twd(t,val) ((t)->thread.i387.fxsave.twd = (val)) - -+#define X87_FSW_ES (1 << 7) /* Exception Summary */ -+ -+/* AMD CPUs don't save/restore FDP/FIP/FOP unless an exception -+ is pending. Clear the x87 state here by setting it to fixed -+ values. The kernel data segment can be sometimes 0 and sometimes -+ new user value. Both should be ok. -+ Use the PDA as safe address because it should be already in L1. */ -+static inline void clear_fpu_state(struct i387_fxsave_struct *fx) -+{ -+ if (unlikely(fx->swd & X87_FSW_ES)) -+ asm volatile("fnclex"); -+ alternative_input(ASM_NOP8 ASM_NOP2, -+ " emms\n" /* clear stack tags */ -+ " fildl %%gs:0", /* load to clear state */ -+ X86_FEATURE_FXSAVE_LEAK); -+} -+ - static inline int restore_fpu_checking(struct i387_fxsave_struct *fx) - { - int err; -@@ -119,6 +136,7 @@ #else - #endif - if (unlikely(err)) - __clear_user(fx, sizeof(struct i387_fxsave_struct)); -+ /* No need to clear here because the caller clears USED_MATH */ - return err; - } - -@@ -149,7 +167,7 @@ #else - "i" (offsetof(__typeof__(*tsk), - thread.i387.fxsave))); - #endif -- __asm__ __volatile__("fnclex"); -+ clear_fpu_state(&tsk->thread.i387.fxsave); - } - - static inline void kernel_fpu_begin(void) -diff --git a/include/linux/cpu.h b/include/linux/cpu.h -index 0ed1d48..d612b89 100644 ---- a/include/linux/cpu.h -+++ b/include/linux/cpu.h -@@ -32,7 +32,7 @@ struct cpu { - }; - - extern int register_cpu(struct cpu *, int, struct node *); --extern struct sys_device *get_cpu_sysdev(int cpu); -+extern struct sys_device *get_cpu_sysdev(unsigned cpu); - #ifdef CONFIG_HOTPLUG_CPU - extern void unregister_cpu(struct cpu *, struct node *); - #endif -diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h -index 60e56c6..a47ad70 100644 ---- a/include/linux/cpumask.h -+++ b/include/linux/cpumask.h -@@ -408,6 +408,7 @@ ({ \ - }) - - #define for_each_cpu(cpu) for_each_cpu_mask((cpu), cpu_possible_map) -+#define for_each_possible_cpu(cpu) for_each_cpu_mask((cpu), cpu_possible_map) - #define for_each_online_cpu(cpu) for_each_cpu_mask((cpu), cpu_online_map) - #define for_each_present_cpu(cpu) for_each_cpu_mask((cpu), cpu_present_map) - -diff --git a/include/linux/fb.h b/include/linux/fb.h -index 2cb19e6..2fdd8ae 100644 ---- a/include/linux/fb.h -+++ b/include/linux/fb.h -@@ -839,12 +839,10 @@ #if defined (__BIG_ENDIAN) - #define FB_LEFT_POS(bpp) (32 - bpp) - #define FB_SHIFT_HIGH(val, bits) ((val) >> (bits)) - #define FB_SHIFT_LOW(val, bits) ((val) << (bits)) --#define FB_BIT_NR(b) (7 - (b)) - #else - #define FB_LEFT_POS(bpp) (0) - #define FB_SHIFT_HIGH(val, bits) ((val) << (bits)) - #define FB_SHIFT_LOW(val, bits) ((val) >> (bits)) --#define FB_BIT_NR(b) (b) - #endif - - /* -diff --git a/include/linux/fs.h b/include/linux/fs.h -index 128d008..872042f 100644 ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -1383,6 +1383,7 @@ extern int bd_claim(struct block_device - extern void bd_release(struct block_device *); - - /* fs/char_dev.c */ -+#define CHRDEV_MAJOR_HASH_SIZE 255 - extern int alloc_chrdev_region(dev_t *, unsigned, unsigned, const char *); - extern int register_chrdev_region(dev_t, unsigned, const char *); - extern int register_chrdev(unsigned int, const char *, -@@ -1390,25 +1391,17 @@ extern int register_chrdev(unsigned int, - extern int unregister_chrdev(unsigned int, const char *); - extern void unregister_chrdev_region(dev_t, unsigned); - extern int chrdev_open(struct inode *, struct file *); --extern int get_chrdev_list(char *); --extern void *acquire_chrdev_list(void); --extern int count_chrdev_list(void); --extern void *get_next_chrdev(void *); --extern int get_chrdev_info(void *, int *, char **); --extern void release_chrdev_list(void *); -+extern void chrdev_show(struct seq_file *,off_t); - - /* fs/block_dev.c */ -+#define BLKDEV_MAJOR_HASH_SIZE 255 - #define BDEVNAME_SIZE 32 /* Largest string for a blockdev identifier */ - extern const char *__bdevname(dev_t, char *buffer); - extern const char *bdevname(struct block_device *bdev, char *buffer); - extern struct block_device *lookup_bdev(const char *); - extern struct block_device *open_bdev_excl(const char *, int, void *); - extern void close_bdev_excl(struct block_device *); --extern void *acquire_blkdev_list(void); --extern int count_blkdev_list(void); --extern void *get_next_blkdev(void *); --extern int get_blkdev_info(void *, int *, char **); --extern void release_blkdev_list(void *); -+extern void blkdev_show(struct seq_file *,off_t); - - extern void init_special_inode(struct inode *, umode_t, dev_t); - -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 498ff87..279446e 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -229,10 +229,9 @@ struct page { - unsigned long private; /* Mapping-private opaque data: - * usually used for buffer_heads - * if PagePrivate set; used for -- * swp_entry_t if PageSwapCache. -- * When page is free, this -+ * swp_entry_t if PageSwapCache; - * indicates order in the buddy -- * system. -+ * system if PG_buddy is set. - */ - struct address_space *mapping; /* If low bit clear, points to - * inode address_space, or NULL. -diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h -index d52999c..d7ce72e 100644 ---- a/include/linux/page-flags.h -+++ b/include/linux/page-flags.h -@@ -74,7 +74,9 @@ #define PG_swapcache 15 /* Swap page: s - #define PG_mappedtodisk 16 /* Has blocks allocated on-disk */ - #define PG_reclaim 17 /* To be reclaimed asap */ - #define PG_nosave_free 18 /* Free, should not be written */ --#define PG_uncached 19 /* Page has been mapped as uncached */ -+#define PG_buddy 19 /* Page is free, on buddy lists */ -+ -+#define PG_uncached 20 /* Page has been mapped as uncached */ - - /* - * Global page accounting. One instance per CPU. Only unsigned longs are -@@ -319,6 +321,10 @@ #define PageNosaveFree(page) test_bit(PG - #define SetPageNosaveFree(page) set_bit(PG_nosave_free, &(page)->flags) - #define ClearPageNosaveFree(page) clear_bit(PG_nosave_free, &(page)->flags) - -+#define PageBuddy(page) test_bit(PG_buddy, &(page)->flags) -+#define __SetPageBuddy(page) __set_bit(PG_buddy, &(page)->flags) -+#define __ClearPageBuddy(page) __clear_bit(PG_buddy, &(page)->flags) -+ - #define PageMappedToDisk(page) test_bit(PG_mappedtodisk, &(page)->flags) - #define SetPageMappedToDisk(page) set_bit(PG_mappedtodisk, &(page)->flags) - #define ClearPageMappedToDisk(page) clear_bit(PG_mappedtodisk, &(page)->flags) -diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h -index aa6322d..6c1e347 100644 ---- a/include/linux/proc_fs.h -+++ b/include/linux/proc_fs.h -@@ -78,7 +78,7 @@ struct kcore_list { - struct vmcore { - struct list_head list; - unsigned long long paddr; -- unsigned long size; -+ unsigned long long size; - loff_t offset; - }; - -diff --git a/include/linux/raid/raid1.h b/include/linux/raid/raid1.h -index 9d5494a..3009c81 100644 ---- a/include/linux/raid/raid1.h -+++ b/include/linux/raid/raid1.h -@@ -130,6 +130,6 @@ #define R1BIO_BarrierRetry 5 - * with failure when last write completes (and all failed). - * Record that bi_end_io was called with this flag... - */ --#define R1BIO_Returned 4 -+#define R1BIO_Returned 6 - - #endif -diff --git a/include/linux/rtc.h b/include/linux/rtc.h -index 0b2ba67..b739ac1 100644 ---- a/include/linux/rtc.h -+++ b/include/linux/rtc.h -@@ -11,8 +11,6 @@ - #ifndef _LINUX_RTC_H_ - #define _LINUX_RTC_H_ - --#include <linux/interrupt.h> -- - /* - * The struct used to pass data via the following ioctl. Similar to the - * struct tm in <time.h>, but it needs to be here so that the kernel -@@ -95,6 +93,8 @@ #define RTC_PLL_SET _IOW('p', 0x12, stru - - #ifdef __KERNEL__ - -+#include <linux/interrupt.h> -+ - typedef struct rtc_task { - void (*func)(void *private_data); - void *private_data; -diff --git a/include/net/ip.h b/include/net/ip.h -index fab3d5b..ed84d04 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -95,6 +95,7 @@ extern int ip_local_deliver(struct sk_b - extern int ip_mr_input(struct sk_buff *skb); - extern int ip_output(struct sk_buff *skb); - extern int ip_mc_output(struct sk_buff *skb); -+extern int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)); - extern int ip_do_nat(struct sk_buff *skb); - extern void ip_send_check(struct iphdr *ip); - extern int ip_queue_xmit(struct sk_buff *skb, int ipfragok); -diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h -index e673b2c..aa6033c 100644 ---- a/include/net/sctp/sctp.h -+++ b/include/net/sctp/sctp.h -@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const - * there is room for a param header too. - */ - #define sctp_walk_params(pos, chunk, member)\ --_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member) -+_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) - - #define _sctp_walk_params(pos, chunk, end, member)\ - for (pos.v = chunk->member;\ - pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\ -- pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\ -+ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ - ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\ - pos.v += WORD_ROUND(ntohs(pos.p->length))) - -@@ -477,7 +477,7 @@ #define _sctp_walk_errors(err, chunk_hdr - for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ - sizeof(sctp_chunkhdr_t));\ - (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\ -- (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\ -+ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ - ntohs(err->length) >= sizeof(sctp_errhdr_t); \ - err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length)))) - -diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h -index 072f407..acb2ce1 100644 ---- a/include/net/sctp/structs.h -+++ b/include/net/sctp/structs.h -@@ -702,6 +702,7 @@ struct sctp_chunk { - __u8 tsn_gap_acked; /* Is this chunk acked by a GAP ACK? */ - __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ - __u8 tsn_missing_report; /* Data chunk missing counter. */ -+ __u8 data_accepted; /* At least 1 chunk in this packet accepted */ - }; - - void sctp_chunk_hold(struct sctp_chunk *); -diff --git a/ipc/shm.c b/ipc/shm.c -index 9162123..f409726 100644 ---- a/ipc/shm.c -+++ b/ipc/shm.c -@@ -161,6 +161,8 @@ static int shm_mmap(struct file * file, - ret = shmem_mmap(file, vma); - if (ret == 0) { - vma->vm_ops = &shm_vm_ops; -+ if (!(vma->vm_flags & VM_WRITE)) -+ vma->vm_flags &= ~VM_MAYWRITE; - shm_inc(file->f_dentry->d_inode->i_ino); - } - -diff --git a/ipc/util.c b/ipc/util.c -index 8626219..303b058 100644 ---- a/ipc/util.c -+++ b/ipc/util.c -@@ -182,8 +182,7 @@ static int grow_ary(struct ipc_ids* ids, - if(new == NULL) - return size; - new->size = newsize; -- memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size + -- sizeof(struct ipc_id_ary)); -+ memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size); - for(i=size;i<newsize;i++) { - new->p[i] = NULL; - } -diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index d7e7e63..cfaa4a2 100644 ---- a/kernel/auditsc.c -+++ b/kernel/auditsc.c -@@ -966,11 +966,6 @@ void audit_syscall_entry(struct task_str - if (context->in_syscall) { - struct audit_context *newctx; - --#if defined(__NR_vm86) && defined(__NR_vm86old) -- /* vm86 mode should only be entered once */ -- if (major == __NR_vm86 || major == __NR_vm86old) -- return; --#endif - #if AUDIT_DEBUG - printk(KERN_ERR - "audit(:%d) pid=%d in syscall=%d;" -diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c -index 867d6db..c01cead 100644 ---- a/kernel/exec_domain.c -+++ b/kernel/exec_domain.c -@@ -140,6 +140,7 @@ __set_personality(u_long personality) - ep = lookup_exec_domain(personality); - if (ep == current_thread_info()->exec_domain) { - current->personality = personality; -+ module_put(ep->module); - return 0; - } - -diff --git a/kernel/fork.c b/kernel/fork.c -index b373322..9d4e0d8 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -720,7 +720,7 @@ out_release: - free_fdset (new_fdt->open_fds, new_fdt->max_fdset); - free_fd_array(new_fdt->fd, new_fdt->max_fds); - kmem_cache_free(files_cachep, newf); -- goto out; -+ return NULL; - } - - static int copy_files(unsigned long clone_flags, struct task_struct * tsk) -diff --git a/kernel/power/process.c b/kernel/power/process.c -index 28de118..67b2cdd 100644 ---- a/kernel/power/process.c -+++ b/kernel/power/process.c -@@ -25,8 +25,7 @@ static inline int freezeable(struct task - (p->flags & PF_NOFREEZE) || - (p->exit_state == EXIT_ZOMBIE) || - (p->exit_state == EXIT_DEAD) || -- (p->state == TASK_STOPPED) || -- (p->state == TASK_TRACED)) -+ (p->state == TASK_STOPPED)) - return 0; - return 1; - } -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index d95a72c..48453c3 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -57,10 +57,6 @@ void ptrace_untrace(task_t *child) - signal_wake_up(child, 1); - } - } -- if (child->signal->flags & SIGNAL_GROUP_EXIT) { -- sigaddset(&child->pending.signal, SIGKILL); -- signal_wake_up(child, 1); -- } - spin_unlock(&child->sighand->siglock); - } - -@@ -82,7 +78,8 @@ void __ptrace_unlink(task_t *child) - SET_LINKS(child); - } - -- ptrace_untrace(child); -+ if (child->state == TASK_TRACED) -+ ptrace_untrace(child); - } - - /* -@@ -152,12 +149,34 @@ int ptrace_may_attach(struct task_struct - int ptrace_attach(struct task_struct *task) - { - int retval; -- task_lock(task); -+ - retval = -EPERM; - if (task->pid <= 1) -- goto bad; -+ goto out; - if (task->tgid == current->tgid) -- goto bad; -+ goto out; -+ -+repeat: -+ /* -+ * Nasty, nasty. -+ * -+ * We want to hold both the task-lock and the -+ * tasklist_lock for writing at the same time. -+ * But that's against the rules (tasklist_lock -+ * is taken for reading by interrupts on other -+ * cpu's that may have task_lock). -+ */ -+ task_lock(task); -+ local_irq_disable(); -+ if (!write_trylock(&tasklist_lock)) { -+ local_irq_enable(); -+ task_unlock(task); -+ do { -+ cpu_relax(); -+ } while (!write_can_lock(&tasklist_lock)); -+ goto repeat; -+ } -+ - /* the same process cannot be attached many times */ - if (task->ptrace & PT_PTRACED) - goto bad; -@@ -170,17 +189,15 @@ int ptrace_attach(struct task_struct *ta - ? PT_ATTACHED : 0); - if (capable(CAP_SYS_PTRACE)) - task->ptrace |= PT_PTRACE_CAP; -- task_unlock(task); - -- write_lock_irq(&tasklist_lock); - __ptrace_link(task, current); -- write_unlock_irq(&tasklist_lock); - - force_sig_specific(SIGSTOP, task); -- return 0; - - bad: -+ write_unlock_irq(&tasklist_lock); - task_unlock(task); -+out: - return retval; - } - -@@ -421,21 +438,22 @@ #endif - */ - int ptrace_traceme(void) - { -- int ret; -+ int ret = -EPERM; - - /* - * Are we already being traced? - */ -- if (current->ptrace & PT_PTRACED) -- return -EPERM; -- ret = security_ptrace(current->parent, current); -- if (ret) -- return -EPERM; -- /* -- * Set the ptrace bit in the process ptrace flags. -- */ -- current->ptrace |= PT_PTRACED; -- return 0; -+ task_lock(current); -+ if (!(current->ptrace & PT_PTRACED)) { -+ ret = security_ptrace(current->parent, current); -+ /* -+ * Set the ptrace bit in the process ptrace flags. -+ */ -+ if (!ret) -+ current->ptrace |= PT_PTRACED; -+ } -+ task_unlock(current); -+ return ret; - } - - /** -diff --git a/kernel/sched.c b/kernel/sched.c -index 4d46e90..4e7efac 100644 ---- a/kernel/sched.c -+++ b/kernel/sched.c -@@ -237,6 +237,7 @@ #ifdef CONFIG_SMP - - task_t *migration_thread; - struct list_head migration_queue; -+ int cpu; - #endif - - #ifdef CONFIG_SCHEDSTATS -@@ -1660,6 +1661,9 @@ #ifdef CONFIG_SMP - /* - * double_rq_lock - safely lock two runqueues - * -+ * We must take them in cpu order to match code in -+ * dependent_sleeper and wake_dependent_sleeper. -+ * - * Note this does not disable interrupts like task_rq_lock, - * you need to do so manually before calling. - */ -@@ -1671,7 +1675,7 @@ static void double_rq_lock(runqueue_t *r - spin_lock(&rq1->lock); - __acquire(rq2->lock); /* Fake it out ;) */ - } else { -- if (rq1 < rq2) { -+ if (rq1->cpu < rq2->cpu) { - spin_lock(&rq1->lock); - spin_lock(&rq2->lock); - } else { -@@ -1707,7 +1711,7 @@ static void double_lock_balance(runqueue - __acquires(this_rq->lock) - { - if (unlikely(!spin_trylock(&busiest->lock))) { -- if (busiest < this_rq) { -+ if (busiest->cpu < this_rq->cpu) { - spin_unlock(&this_rq->lock); - spin_lock(&busiest->lock); - spin_lock(&this_rq->lock); -@@ -6035,6 +6039,7 @@ #ifdef CONFIG_SMP - rq->push_cpu = 0; - rq->migration_thread = NULL; - INIT_LIST_HEAD(&rq->migration_queue); -+ rq->cpu = i; - #endif - atomic_set(&rq->nr_iowait, 0); - -diff --git a/kernel/signal.c b/kernel/signal.c -index ea15410..acbccf7 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -975,7 +975,6 @@ __group_complete_signal(int sig, struct - if (t == NULL) - /* restart balancing at this thread */ - t = p->signal->curr_target = p; -- BUG_ON(t->tgid != p->tgid); - - while (!wants_signal(sig, t)) { - t = next_thread(t); -@@ -1689,6 +1688,7 @@ static void ptrace_stop(int exit_code, i - /* Let the debugger run. */ - set_current_state(TASK_TRACED); - spin_unlock_irq(¤t->sighand->siglock); -+ try_to_freeze(); - read_lock(&tasklist_lock); - if (likely(current->ptrace & PT_PTRACED) && - likely(current->parent != current->real_parent || -@@ -1942,9 +1942,9 @@ relock: - /* Let the debugger run. */ - ptrace_stop(signr, signr, info); - -- /* We're back. Did the debugger cancel the sig or group_exit? */ -+ /* We're back. Did the debugger cancel the sig? */ - signr = current->exit_code; -- if (signr == 0 || current->signal->flags & SIGNAL_GROUP_EXIT) -+ if (signr == 0) - continue; - - current->exit_code = 0; -diff --git a/kernel/sys.c b/kernel/sys.c -index f91218a..105e102 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -1657,7 +1657,19 @@ asmlinkage long sys_setrlimit(unsigned i - (cputime_eq(current->signal->it_prof_expires, cputime_zero) || - new_rlim.rlim_cur <= cputime_to_secs( - current->signal->it_prof_expires))) { -- cputime_t cputime = secs_to_cputime(new_rlim.rlim_cur); -+ unsigned long rlim_cur = new_rlim.rlim_cur; -+ cputime_t cputime; -+ -+ if (rlim_cur == 0) { -+ /* -+ * The caller is asking for an immediate RLIMIT_CPU -+ * expiry. But we use the zero value to mean "it was -+ * never set". So let's cheat and make it one second -+ * instead -+ */ -+ rlim_cur = 1; -+ } -+ cputime = secs_to_cputime(rlim_cur); - read_lock(&tasklist_lock); - spin_lock_irq(¤t->sighand->siglock); - set_process_cpu_timer(current, CPUCLOCK_PROF, -diff --git a/kernel/uid16.c b/kernel/uid16.c -index aa25605..187e2a4 100644 ---- a/kernel/uid16.c -+++ b/kernel/uid16.c -@@ -20,43 +20,67 @@ #include <asm/uaccess.h> - - asmlinkage long sys_chown16(const char __user * filename, old_uid_t user, old_gid_t group) - { -- return sys_chown(filename, low2highuid(user), low2highgid(group)); -+ long ret = sys_chown(filename, low2highuid(user), low2highgid(group)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_lchown16(const char __user * filename, old_uid_t user, old_gid_t group) - { -- return sys_lchown(filename, low2highuid(user), low2highgid(group)); -+ long ret = sys_lchown(filename, low2highuid(user), low2highgid(group)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group) - { -- return sys_fchown(fd, low2highuid(user), low2highgid(group)); -+ long ret = sys_fchown(fd, low2highuid(user), low2highgid(group)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid) - { -- return sys_setregid(low2highgid(rgid), low2highgid(egid)); -+ long ret = sys_setregid(low2highgid(rgid), low2highgid(egid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_setgid16(old_gid_t gid) - { -- return sys_setgid(low2highgid(gid)); -+ long ret = sys_setgid(low2highgid(gid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid) - { -- return sys_setreuid(low2highuid(ruid), low2highuid(euid)); -+ long ret = sys_setreuid(low2highuid(ruid), low2highuid(euid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_setuid16(old_uid_t uid) - { -- return sys_setuid(low2highuid(uid)); -+ long ret = sys_setuid(low2highuid(uid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid) - { -- return sys_setresuid(low2highuid(ruid), low2highuid(euid), -- low2highuid(suid)); -+ long ret = sys_setresuid(low2highuid(ruid), low2highuid(euid), -+ low2highuid(suid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, old_uid_t __user *suid) -@@ -72,8 +96,11 @@ asmlinkage long sys_getresuid16(old_uid_ - - asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid) - { -- return sys_setresgid(low2highgid(rgid), low2highgid(egid), -- low2highgid(sgid)); -+ long ret = sys_setresgid(low2highgid(rgid), low2highgid(egid), -+ low2highgid(sgid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, old_gid_t __user *sgid) -@@ -89,12 +116,18 @@ asmlinkage long sys_getresgid16(old_gid_ - - asmlinkage long sys_setfsuid16(old_uid_t uid) - { -- return sys_setfsuid(low2highuid(uid)); -+ long ret = sys_setfsuid(low2highuid(uid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - asmlinkage long sys_setfsgid16(old_gid_t gid) - { -- return sys_setfsgid(low2highgid(gid)); -+ long ret = sys_setfsgid(low2highgid(gid)); -+ /* avoid REGPARM breakage on x86: */ -+ prevent_tail_call(ret); -+ return ret; - } - - static int groups16_to_user(old_gid_t __user *grouplist, -diff --git a/mm/madvise.c b/mm/madvise.c -index af3d573..4e19615 100644 ---- a/mm/madvise.c -+++ b/mm/madvise.c -@@ -168,6 +168,9 @@ static long madvise_remove(struct vm_are - return -EINVAL; - } - -+ if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE)) -+ return -EACCES; -+ - mapping = vma->vm_file->f_mapping; - - offset = (loff_t)(start - vma->vm_start) -diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index b21869a..8d7ddf0 100644 ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -1796,7 +1796,6 @@ static void gather_stats(struct page *pa - md->mapcount_max = count; - - md->node[page_to_nid(page)]++; -- cond_resched(); - } - - #ifdef CONFIG_HUGETLB_PAGE -diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 234bd48..8b3cde1 100644 ---- a/mm/page_alloc.c -+++ b/mm/page_alloc.c -@@ -153,7 +153,8 @@ static void bad_page(struct page *page) - 1 << PG_reclaim | - 1 << PG_slab | - 1 << PG_swapcache | -- 1 << PG_writeback ); -+ 1 << PG_writeback | -+ 1 << PG_buddy ); - set_page_count(page, 0); - reset_page_mapcount(page); - page->mapping = NULL; -@@ -224,12 +225,12 @@ static inline unsigned long page_order(s - - static inline void set_page_order(struct page *page, int order) { - set_page_private(page, order); -- __SetPagePrivate(page); -+ __SetPageBuddy(page); - } - - static inline void rmv_page_order(struct page *page) - { -- __ClearPagePrivate(page); -+ __ClearPageBuddy(page); - set_page_private(page, 0); - } - -@@ -268,11 +269,13 @@ __find_combined_index(unsigned long page - * This function checks whether a page is free && is the buddy - * we can do coalesce a page and its buddy if - * (a) the buddy is not in a hole && -- * (b) the buddy is free && -- * (c) the buddy is on the buddy system && -- * (d) a page and its buddy have the same order. -- * for recording page's order, we use page_private(page) and PG_private. -+ * (b) the buddy is in the buddy system && -+ * (c) a page and its buddy have the same order. -+ * -+ * For recording whether a page is in the buddy system, we use PG_buddy. -+ * Setting, clearing, and testing PG_buddy is serialized by zone->lock. - * -+ * For recording page's order, we use page_private(page). - */ - static inline int page_is_buddy(struct page *page, int order) - { -@@ -281,10 +284,10 @@ #ifdef CONFIG_HOLES_IN_ZONE - return 0; - #endif - -- if (PagePrivate(page) && -- (page_order(page) == order) && -- page_count(page) == 0) -+ if (PageBuddy(page) && page_order(page) == order) { -+ BUG_ON(page_count(page) != 0); - return 1; -+ } - return 0; - } - -@@ -301,7 +304,7 @@ #endif - * as necessary, plus some accounting needed to play nicely with other - * parts of the VM system. - * At each level, we keep a list of pages, which are heads of continuous -- * free pages of length of (1 << order) and marked with PG_Private.Page's -+ * free pages of length of (1 << order) and marked with PG_buddy. Page's - * order is recorded in page_private(page) field. - * So when we are allocating or freeing one, we can derive the state of the - * other. That is, if we allocate a small block, and both were -@@ -364,7 +367,8 @@ static inline int free_pages_check(struc - 1 << PG_slab | - 1 << PG_swapcache | - 1 << PG_writeback | -- 1 << PG_reserved )))) -+ 1 << PG_reserved | -+ 1 << PG_buddy )))) - bad_page(page); - if (PageDirty(page)) - __ClearPageDirty(page); -@@ -522,7 +526,8 @@ static int prep_new_page(struct page *pa - 1 << PG_slab | - 1 << PG_swapcache | - 1 << PG_writeback | -- 1 << PG_reserved )))) -+ 1 << PG_reserved | -+ 1 << PG_buddy )))) - bad_page(page); - - /* -@@ -944,7 +949,8 @@ restart: - alloc_flags |= ALLOC_HARDER; - if (gfp_mask & __GFP_HIGH) - alloc_flags |= ALLOC_HIGH; -- alloc_flags |= ALLOC_CPUSET; -+ if (wait) -+ alloc_flags |= ALLOC_CPUSET; - - /* - * Go through the zonelist again. Let __GFP_HIGH and allocations -diff --git a/mm/shmem.c b/mm/shmem.c -index 7c455fb..f0eb2f2 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -2172,6 +2172,7 @@ #ifdef CONFIG_TMPFS - .prepare_write = shmem_prepare_write, - .commit_write = simple_commit_write, - #endif -+ .migratepage = migrate_page, - }; - - static struct file_operations shmem_file_operations = { -diff --git a/mm/vmscan.c b/mm/vmscan.c -index 4fe7e3a..1d64dc1 100644 ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -949,6 +949,17 @@ redo: - goto unlock_both; - } - -+ /* Make sure the dirty bit is up to date */ -+ if (try_to_unmap(page, 1) == SWAP_FAIL) { -+ rc = -EPERM; -+ goto unlock_both; -+ } -+ -+ if (page_mapcount(page)) { -+ rc = -EAGAIN; -+ goto unlock_both; -+ } -+ - /* - * Default handling if a filesystem does not provide - * a migration function. We can only migrate clean -diff --git a/net/atm/clip.c b/net/atm/clip.c -index 73370de..1842a4e 100644 ---- a/net/atm/clip.c -+++ b/net/atm/clip.c -@@ -613,12 +613,19 @@ static int clip_create(int number) - - - static int clip_device_event(struct notifier_block *this,unsigned long event, -- void *dev) -+ void *arg) - { -+ struct net_device *dev = arg; -+ -+ if (event == NETDEV_UNREGISTER) { -+ neigh_ifdown(&clip_tbl, dev); -+ return NOTIFY_DONE; -+ } -+ - /* ignore non-CLIP devices */ -- if (((struct net_device *) dev)->type != ARPHRD_ATM || -- ((struct net_device *) dev)->hard_start_xmit != clip_start_xmit) -+ if (dev->type != ARPHRD_ATM || dev->hard_start_xmit != clip_start_xmit) - return NOTIFY_DONE; -+ - switch (event) { - case NETDEV_UP: - DPRINTK("clip_device_event NETDEV_UP\n"); -@@ -686,14 +693,12 @@ static struct notifier_block clip_inet_n - static void atmarpd_close(struct atm_vcc *vcc) - { - DPRINTK("atmarpd_close\n"); -- atmarpd = NULL; /* assumed to be atomic */ -- barrier(); -- unregister_inetaddr_notifier(&clip_inet_notifier); -- unregister_netdevice_notifier(&clip_dev_notifier); -- if (skb_peek(&sk_atm(vcc)->sk_receive_queue)) -- printk(KERN_ERR "atmarpd_close: closing with requests " -- "pending\n"); -+ -+ rtnl_lock(); -+ atmarpd = NULL; - skb_queue_purge(&sk_atm(vcc)->sk_receive_queue); -+ rtnl_unlock(); -+ - DPRINTK("(done)\n"); - module_put(THIS_MODULE); - } -@@ -714,7 +719,12 @@ static struct atm_dev atmarpd_dev = { - - static int atm_init_atmarp(struct atm_vcc *vcc) - { -- if (atmarpd) return -EADDRINUSE; -+ rtnl_lock(); -+ if (atmarpd) { -+ rtnl_unlock(); -+ return -EADDRINUSE; -+ } -+ - if (start_timer) { - start_timer = 0; - init_timer(&idle_timer); -@@ -731,10 +741,7 @@ static int atm_init_atmarp(struct atm_vc - vcc->push = NULL; - vcc->pop = NULL; /* crash */ - vcc->push_oam = NULL; /* crash */ -- if (register_netdevice_notifier(&clip_dev_notifier)) -- printk(KERN_ERR "register_netdevice_notifier failed\n"); -- if (register_inetaddr_notifier(&clip_inet_notifier)) -- printk(KERN_ERR "register_inetaddr_notifier failed\n"); -+ rtnl_unlock(); - return 0; - } - -@@ -992,6 +999,8 @@ static int __init atm_clip_init(void) - - clip_tbl_hook = &clip_tbl; - register_atm_ioctl(&clip_ioctl_ops); -+ register_netdevice_notifier(&clip_dev_notifier); -+ register_inetaddr_notifier(&clip_inet_notifier); - - #ifdef CONFIG_PROC_FS - { -@@ -1012,6 +1021,9 @@ static void __exit atm_clip_exit(void) - - remove_proc_entry("arp", atm_proc_root); - -+ unregister_inetaddr_notifier(&clip_inet_notifier); -+ unregister_netdevice_notifier(&clip_dev_notifier); -+ - deregister_atm_ioctl(&clip_ioctl_ops); - - /* First, stop the idle timer, so it stops banging -diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c -index e060aad..9e27373 100644 ---- a/net/bridge/br_netfilter.c -+++ b/net/bridge/br_netfilter.c -@@ -739,6 +739,15 @@ out: - return NF_STOLEN; - } - -+static int br_nf_dev_queue_xmit(struct sk_buff *skb) -+{ -+ if (skb->protocol == htons(ETH_P_IP) && -+ skb->len > skb->dev->mtu && -+ !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size)) -+ return ip_fragment(skb, br_dev_queue_push_xmit); -+ else -+ return br_dev_queue_push_xmit(skb); -+} - - /* PF_BRIDGE/POST_ROUTING ********************************************/ - static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb, -@@ -798,7 +807,7 @@ #if defined(CONFIG_VLAN_8021Q) || define - realoutdev = nf_bridge->netoutdev; - #endif - NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev, -- br_dev_queue_push_xmit); -+ br_nf_dev_queue_xmit); - - return NF_STOLEN; - -@@ -843,7 +852,7 @@ static unsigned int ip_sabotage_out(unsi - if ((out->hard_start_xmit == br_dev_xmit && - okfn != br_nf_forward_finish && - okfn != br_nf_local_out_finish && -- okfn != br_dev_queue_push_xmit) -+ okfn != br_nf_dev_queue_xmit) - #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) - || ((out->priv_flags & IFF_802_1Q_VLAN) && - VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit) -diff --git a/net/core/dev.c b/net/core/dev.c -index 2afb0de..12a214c 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -2932,11 +2932,11 @@ void netdev_run_todo(void) - - switch(dev->reg_state) { - case NETREG_REGISTERING: -+ dev->reg_state = NETREG_REGISTERED; - err = netdev_register_sysfs(dev); - if (err) - printk(KERN_ERR "%s: failed sysfs registration (%d)\n", - dev->name, err); -- dev->reg_state = NETREG_REGISTERED; - break; - - case NETREG_UNREGISTERING: -diff --git a/net/core/sock.c b/net/core/sock.c -index 6e00811..5621198 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -404,8 +404,9 @@ #ifdef CONFIG_NETDEVICES - if (!valbool) { - sk->sk_bound_dev_if = 0; - } else { -- if (optlen > IFNAMSIZ) -- optlen = IFNAMSIZ; -+ if (optlen > IFNAMSIZ - 1) -+ optlen = IFNAMSIZ - 1; -+ memset(devname, 0, sizeof(devname)); - if (copy_from_user(devname, optval, optlen)) { - ret = -EFAULT; - break; -diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c -index e320b32..24009be 100644 ---- a/net/ipv4/fib_trie.c -+++ b/net/ipv4/fib_trie.c -@@ -314,11 +314,6 @@ static void __leaf_free_rcu(struct rcu_h - kfree(container_of(head, struct leaf, rcu)); - } - --static inline void free_leaf(struct leaf *leaf) --{ -- call_rcu(&leaf->rcu, __leaf_free_rcu); --} -- - static void __leaf_info_free_rcu(struct rcu_head *head) - { - kfree(container_of(head, struct leaf_info, rcu)); -@@ -357,7 +352,12 @@ static void __tnode_free_rcu(struct rcu_ - - static inline void tnode_free(struct tnode *tn) - { -- call_rcu(&tn->rcu, __tnode_free_rcu); -+ if(IS_LEAF(tn)) { -+ struct leaf *l = (struct leaf *) tn; -+ call_rcu_bh(&l->rcu, __leaf_free_rcu); -+ } -+ else -+ call_rcu(&tn->rcu, __tnode_free_rcu); - } - - static struct leaf *leaf_new(void) -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 8ee4d01..8dcba38 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -86,8 +86,6 @@ #include <linux/tcp.h> - - int sysctl_ip_default_ttl = IPDEFTTL; - --static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*)); -- - /* Generate a checksum for an outgoing IP datagram. */ - __inline__ void ip_send_check(struct iphdr *iph) - { -@@ -421,7 +419,7 @@ #endif - * single device frame, and queue such a frame for sending. - */ - --static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*)) -+int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*)) - { - struct iphdr *iph; - int raw = 0; -@@ -673,6 +671,8 @@ fail: - return err; - } - -+EXPORT_SYMBOL(ip_fragment); -+ - int - ip_generic_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb) - { -@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock * - iph->tos = inet->tos; - iph->tot_len = htons(skb->len); - iph->frag_off = df; -- if (!df) { -- __ip_select_ident(iph, &rt->u.dst, 0); -- } else { -- iph->id = htons(inet->id++); -- } -+ ip_select_ident(iph, &rt->u.dst, sk); - iph->ttl = ttl; - iph->protocol = sk->sk_protocol; - iph->saddr = rt->rt_src; -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index 7d7ab94..12bfc25 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -941,7 +941,7 @@ static int do_add_counters(void __user * - - write_lock_bh(&t->lock); - private = t->private; -- if (private->number != paddc->num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } -diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c -index 84c66db..43f6b45 100644 ---- a/net/ipv4/netfilter/ip_conntrack_core.c -+++ b/net/ipv4/netfilter/ip_conntrack_core.c -@@ -1318,6 +1318,7 @@ getorigdst(struct sock *sk, int optval, - .tuple.dst.u.tcp.port; - sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL] - .tuple.dst.ip; -+ memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); - - DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n", - NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port)); -diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c -index e0b5926..d4e6d0a 100644 ---- a/net/ipv4/netfilter/ip_conntrack_netlink.c -+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c -@@ -1619,7 +1619,7 @@ static void __exit ctnetlink_exit(void) - printk("ctnetlink: unregistering from nfnetlink.\n"); - - #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS -- ip_conntrack_unregister_notifier(&ctnl_notifier_exp); -+ ip_conntrack_expect_unregister_notifier(&ctnl_notifier_exp); - ip_conntrack_unregister_notifier(&ctnl_notifier); - #endif - -diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c -index be602e8..df67679 100644 ---- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c -+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c -@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con - flag = 1; - } - -- /* Cookie Ack/Echo chunks not the first OR -- Init / Init Ack / Shutdown compl chunks not the only chunks */ -- if ((sch->type == SCTP_CID_COOKIE_ACK -+ /* -+ * Cookie Ack/Echo chunks not the first OR -+ * Init / Init Ack / Shutdown compl chunks not the only chunks -+ * OR zero-length. -+ */ -+ if (((sch->type == SCTP_CID_COOKIE_ACK - || sch->type == SCTP_CID_COOKIE_ECHO - || flag) -- && count !=0 ) { -+ && count !=0) || !sch->length) { - DEBUGP("Basic checks failed\n"); - return 1; - } -diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c -index 4f95d47..df57e7a 100644 ---- a/net/ipv4/netfilter/ip_nat_snmp_basic.c -+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c -@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st - - return 1; - -+err_addr_free: -+ kfree((unsigned long *)trap->ip_address); -+ - err_id_free: - kfree(trap->id); - --err_addr_free: -- kfree((unsigned long *)trap->ip_address); -- - return 0; - } - -@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch - struct snmp_v1_trap trap; - unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check); - -- /* Discard trap allocations regardless */ -- kfree(trap.id); -- kfree((unsigned long *)trap.ip_address); -- -- if (!ret) -+ if (ret) { -+ kfree(trap.id); -+ kfree((unsigned long *)trap.ip_address); -+ } else - return ret; - - } else { -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index 16f47c6..735d5ff 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -1063,7 +1063,7 @@ do_add_counters(void __user *user, unsig - - write_lock_bh(&t->lock); - private = t->private; -- if (private->number != paddc->num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } -diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c -index 6c8624a..62a0f52 100644 ---- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c -+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c -@@ -354,6 +354,7 @@ getorigdst(struct sock *sk, int optval, - .tuple.dst.u.tcp.port; - sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL] - .tuple.dst.u3.ip; -+ memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); - - DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n", - NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port)); -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index fca5fe0..a67955e 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in - /* Reserve room for dummy headers, this skb can pass - through good chunk of routing engine. - */ -- skb->mac.raw = skb->data; -+ skb->mac.raw = skb->nh.raw = skb->data; -+ -+ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ -+ skb->nh.iph->protocol = IPPROTO_ICMP; - skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); - - if (rta[RTA_SRC - 1]) -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 9f498a6..310f2e6 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -537,7 +537,9 @@ int tcp_fragment(struct sock *sk, struct - buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC); - if (buff == NULL) - return -ENOMEM; /* We'll just try again later. */ -- sk_charge_skb(sk, buff); -+ -+ buff->truesize = skb->len - len; -+ skb->truesize -= buff->truesize; - - /* Correct the sequence numbers. */ - TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len; -diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c -index 2a1e7e4..d88cab7 100644 ---- a/net/ipv6/exthdrs.c -+++ b/net/ipv6/exthdrs.c -@@ -489,6 +489,18 @@ int ipv6_parse_hopopts(struct sk_buff *s - { - struct inet6_skb_parm *opt = IP6CB(skb); - -+ /* -+ * skb->nh.raw is equal to skb->data, and -+ * skb->h.raw - skb->nh.raw is always equal to -+ * sizeof(struct ipv6hdr) by definition of -+ * hop-by-hop options. -+ */ -+ if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) || -+ !pskb_may_pull(skb, sizeof(struct ipv6hdr) + ((skb->h.raw[1] + 1) << 3))) { -+ kfree_skb(skb); -+ return -1; -+ } -+ - opt->hop = sizeof(struct ipv6hdr); - if (ip6_parse_tlv(tlvprochopopt_lst, skb)) { - skb->h.raw += (skb->h.raw[1]+1)<<3; -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index 74ff56c..dd6ad42 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig - - write_lock_bh(&t->lock); - private = t->private; -- if (private->number != paddc->num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } -diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c -index 91cce8b..88c840f 100644 ---- a/net/ipv6/xfrm6_policy.c -+++ b/net/ipv6/xfrm6_policy.c -@@ -191,16 +191,18 @@ error: - static inline void - _decode_session6(struct sk_buff *skb, struct flowi *fl) - { -- u16 offset = sizeof(struct ipv6hdr); -+ u16 offset = skb->h.raw - skb->nh.raw; - struct ipv6hdr *hdr = skb->nh.ipv6h; -- struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset); -- u8 nexthdr = skb->nh.ipv6h->nexthdr; -+ struct ipv6_opt_hdr *exthdr; -+ u8 nexthdr = skb->nh.raw[IP6CB(skb)->nhoff]; - - memset(fl, 0, sizeof(struct flowi)); - ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr); - ipv6_addr_copy(&fl->fl6_src, &hdr->saddr); - - while (pskb_may_pull(skb, skb->nh.raw + offset + 1 - skb->data)) { -+ exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset); -+ - switch (nexthdr) { - case NEXTHDR_ROUTING: - case NEXTHDR_HOP: -diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c -index 9ff3463..40edeef 100644 ---- a/net/netfilter/nf_conntrack_netlink.c -+++ b/net/netfilter/nf_conntrack_netlink.c -@@ -1641,7 +1641,7 @@ static void __exit ctnetlink_exit(void) - printk("ctnetlink: unregistering from nfnetlink.\n"); - - #ifdef CONFIG_NF_CONNTRACK_EVENTS -- nf_conntrack_unregister_notifier(&ctnl_notifier_exp); -+ nf_conntrack_expect_unregister_notifier(&ctnl_notifier_exp); - nf_conntrack_unregister_notifier(&ctnl_notifier); - #endif - -diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c -index cf798e6..cd2326d 100644 ---- a/net/netfilter/nf_conntrack_proto_sctp.c -+++ b/net/netfilter/nf_conntrack_proto_sctp.c -@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con - flag = 1; - } - -- /* Cookie Ack/Echo chunks not the first OR -- Init / Init Ack / Shutdown compl chunks not the only chunks */ -- if ((sch->type == SCTP_CID_COOKIE_ACK -+ /* -+ * Cookie Ack/Echo chunks not the first OR -+ * Init / Init Ack / Shutdown compl chunks not the only chunks -+ * OR zero-length. -+ */ -+ if (((sch->type == SCTP_CID_COOKIE_ACK - || sch->type == SCTP_CID_COOKIE_ECHO - || flag) -- && count !=0 ) { -+ && count !=0) || !sch->length) { - DEBUGP("Basic checks failed\n"); - return 1; - } -diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c -index 297b895..cf0c767 100644 ---- a/net/sctp/inqueue.c -+++ b/net/sctp/inqueue.c -@@ -149,6 +149,7 @@ struct sctp_chunk *sctp_inq_pop(struct s - /* This is the first chunk in the packet. */ - chunk->singleton = 1; - ch = (sctp_chunkhdr_t *) chunk->skb->data; -+ chunk->data_accepted = 0; - } - - chunk->chunk_hdr = ch; -diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index 2b9a832..9395e09 100644 ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co - */ - chunk->subh.cookie_hdr = - (struct sctp_signed_cookie *)chunk->skb->data; -- skb_pull(chunk->skb, -- ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)); -+ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - -+ sizeof(sctp_chunkhdr_t))) -+ goto nomem; - - /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint - * "Z" will reply with a COOKIE ACK chunk after building a TCB -@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(cons - */ - chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; - paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); -- skb_pull(chunk->skb, paylen); -+ if (!pskb_pull(chunk->skb, paylen)) -+ goto nomem; - - reply = sctp_make_heartbeat_ack(asoc, chunk, - chunk->subh.hb_hdr, paylen); -@@ -1028,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3( - commands); - - hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; -+ /* Make sure that the length of the parameter is what we expect */ -+ if (ntohs(hbinfo->param_hdr.length) != -+ sizeof(sctp_sender_hb_info_t)) { -+ return SCTP_DISPOSITION_DISCARD; -+ } -+ - from_addr = hbinfo->daddr; - link = sctp_assoc_lookup_paddr(asoc, &from_addr); - -@@ -1860,8 +1868,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupc - * are in good shape. - */ - chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; -- skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - -- sizeof(sctp_chunkhdr_t)); -+ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - -+ sizeof(sctp_chunkhdr_t))) -+ goto nomem; - - /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie - * of a duplicate COOKIE ECHO match the Verification Tags of the -@@ -5151,7 +5160,9 @@ static int sctp_eat_data(const struct sc - int tmp; - __u32 tsn; - int account_value; -+ struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; - struct sock *sk = asoc->base.sk; -+ int rcvbuf_over = 0; - - data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; - skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); -@@ -5162,10 +5173,16 @@ static int sctp_eat_data(const struct sc - /* ASSERT: Now skb->data is really the user data. */ - - /* -- * if we are established, and we have used up our receive -- * buffer memory, drop the frame -- */ -- if (asoc->state == SCTP_STATE_ESTABLISHED) { -+ * If we are established, and we have used up our receive buffer -+ * memory, think about droping the frame. -+ * Note that we have an opportunity to improve performance here. -+ * If we accept one chunk from an skbuff, we have to keep all the -+ * memory of that skbuff around until the chunk is read into user -+ * space. Therefore, once we accept 1 chunk we may as well accept all -+ * remaining chunks in the skbuff. The data_accepted flag helps us do -+ * that. -+ */ -+ if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) { - /* - * If the receive buffer policy is 1, then each - * association can allocate up to sk_rcvbuf bytes -@@ -5176,9 +5193,25 @@ static int sctp_eat_data(const struct sc - account_value = atomic_read(&asoc->rmem_alloc); - else - account_value = atomic_read(&sk->sk_rmem_alloc); -- -- if (account_value > sk->sk_rcvbuf) -- return SCTP_IERROR_IGNORE_TSN; -+ if (account_value > sk->sk_rcvbuf) { -+ /* -+ * We need to make forward progress, even when we are -+ * under memory pressure, so we always allow the -+ * next tsn after the ctsn ack point to be accepted. -+ * This lets us avoid deadlocks in which we have to -+ * drop frames that would otherwise let us drain the -+ * receive queue. -+ */ -+ if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn) -+ return SCTP_IERROR_IGNORE_TSN; -+ -+ /* -+ * We're going to accept the frame but we should renege -+ * to make space for it. This will send us down that -+ * path later in this function. -+ */ -+ rcvbuf_over = 1; -+ } - } - - /* Process ECN based congestion. -@@ -5226,6 +5259,7 @@ static int sctp_eat_data(const struct sc - datalen -= sizeof(sctp_data_chunk_t); - - deliver = SCTP_CMD_CHUNK_ULP; -+ chunk->data_accepted = 1; - - /* Think about partial delivery. */ - if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { -@@ -5242,7 +5276,8 @@ static int sctp_eat_data(const struct sc - * large spill over. - */ - if (!asoc->rwnd || asoc->rwnd_over || -- (datalen > asoc->rwnd + asoc->frag_point)) { -+ (datalen > asoc->rwnd + asoc->frag_point) || -+ rcvbuf_over) { - - /* If this is the next TSN, consider reneging to make - * room. Note: Playing nice with a confused sender. A -@@ -5250,8 +5285,8 @@ static int sctp_eat_data(const struct sc - * space and in the future we may want to detect and - * do more drastic reneging. - */ -- if (sctp_tsnmap_has_gap(&asoc->peer.tsn_map) && -- (sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + 1) == tsn) { -+ if (sctp_tsnmap_has_gap(map) && -+ (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { - SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); - deliver = SCTP_CMD_RENEGE; - } else { -diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c -index 75ef104..8bcca56 100644 ---- a/net/sctp/sm_statetable.c -+++ b/net/sctp/sm_statetable.c -@@ -366,9 +366,9 @@ #define TYPE_SCTP_ECN_ECNE { \ - /* SCTP_STATE_EMPTY */ \ - {.fn = sctp_sf_ootb, .name = "sctp_sf_ootb"}, \ - /* SCTP_STATE_CLOSED */ \ -- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ -+ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ - /* SCTP_STATE_COOKIE_WAIT */ \ -- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ -+ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ - /* SCTP_STATE_COOKIE_ECHOED */ \ - {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \ - /* SCTP_STATE_ESTABLISHED */ \ -@@ -380,7 +380,7 @@ #define TYPE_SCTP_ECN_ECNE { \ - /* SCTP_STATE_SHUTDOWN_RECEIVED */ \ - {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \ - /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \ -- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ -+ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ - } /* TYPE_SCTP_ECN_ECNE */ - - #define TYPE_SCTP_ECN_CWR { \ -@@ -401,7 +401,7 @@ #define TYPE_SCTP_ECN_CWR { \ - /* SCTP_STATE_SHUTDOWN_RECEIVED */ \ - {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ - /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \ -- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ -+ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ - } /* TYPE_SCTP_ECN_CWR */ - - #define TYPE_SCTP_SHUTDOWN_COMPLETE { \ -@@ -647,7 +647,7 @@ #define TYPE_SCTP_PRIMITIVE_REQUESTHEART - /* SCTP_STATE_EMPTY */ \ - {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ - /* SCTP_STATE_CLOSED */ \ -- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ -+ {.fn = sctp_sf_error_closed, .name = "sctp_sf_error_closed"}, \ - /* SCTP_STATE_COOKIE_WAIT */ \ - {.fn = sctp_sf_do_prm_requestheartbeat, \ - .name = "sctp_sf_do_prm_requestheartbeat"}, \ -diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c -index 2080b2d..575e556 100644 ---- a/net/sctp/ulpqueue.c -+++ b/net/sctp/ulpqueue.c -@@ -279,6 +279,7 @@ static inline void sctp_ulpq_store_reasm - static struct sctp_ulpevent *sctp_make_reassembled_event(struct sk_buff_head *queue, struct sk_buff *f_frag, struct sk_buff *l_frag) - { - struct sk_buff *pos; -+ struct sk_buff *new = NULL; - struct sctp_ulpevent *event; - struct sk_buff *pnext, *last; - struct sk_buff *list = skb_shinfo(f_frag)->frag_list; -@@ -297,11 +298,33 @@ static struct sctp_ulpevent *sctp_make_r - */ - if (last) - last->next = pos; -- else -- skb_shinfo(f_frag)->frag_list = pos; -+ else { -+ if (skb_cloned(f_frag)) { -+ /* This is a cloned skb, we can't just modify -+ * the frag_list. We need a new skb to do that. -+ * Instead of calling skb_unshare(), we'll do it -+ * ourselves since we need to delay the free. -+ */ -+ new = skb_copy(f_frag, GFP_ATOMIC); -+ if (!new) -+ return NULL; /* try again later */ -+ -+ new->sk = f_frag->sk; -+ -+ skb_shinfo(new)->frag_list = pos; -+ } else -+ skb_shinfo(f_frag)->frag_list = pos; -+ } - - /* Remove the first fragment from the reassembly queue. */ - __skb_unlink(f_frag, queue); -+ -+ /* if we did unshare, then free the old skb and re-assign */ -+ if (new) { -+ kfree_skb(f_frag); -+ f_frag = new; -+ } -+ - while (pos) { - - pnext = pos->next; -diff --git a/security/keys/key.c b/security/keys/key.c -index 99781b7..0e2584e 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t - - key_check(keyring); - -+ key_ref = ERR_PTR(-ENOTDIR); -+ if (keyring->type != &key_type_keyring) -+ goto error_2; -+ - down_write(&keyring->sem); - - /* if we're going to allocate a new key, we're going to have -diff --git a/security/keys/keyring.c b/security/keys/keyring.c -index d65a180..bffa924 100644 ---- a/security/keys/keyring.c -+++ b/security/keys/keyring.c -@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); - /* - * search the given keyring only (no recursion) - * - keyring must be locked by caller -+ * - caller must guarantee that the keyring is a keyring - */ - key_ref_t __keyring_search_one(key_ref_t keyring_ref, - const struct key_type *ktype, -diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c -index 640d0bf..84047f6 100644 ---- a/security/selinux/ss/mls.c -+++ b/security/selinux/ss/mls.c -@@ -264,7 +264,7 @@ int mls_context_to_sid(char oldc, - - if (!selinux_mls_enabled) { - if (def_sid != SECSID_NULL && oldc) -- *scontext += strlen(*scontext); -+ *scontext += strlen(*scontext)+1; - return 0; - } - -diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c -index 8a76492..6375dd5 100644 ---- a/security/selinux/ss/services.c -+++ b/security/selinux/ss/services.c -@@ -592,6 +592,10 @@ int security_sid_to_context(u32 sid, cha - - *scontext_len = strlen(initial_sid_to_string[sid]) + 1; - scontextp = kmalloc(*scontext_len,GFP_ATOMIC); -+ if (!scontextp) { -+ rc = -ENOMEM; -+ goto out; -+ } - strcpy(scontextp, initial_sid_to_string[sid]); - *scontext = scontextp; - goto out; -diff --git a/sound/isa/opti9xx/opti92x-ad1848.c b/sound/isa/opti9xx/opti92x-ad1848.c -index 63d96be..65b28cb 100644 ---- a/sound/isa/opti9xx/opti92x-ad1848.c -+++ b/sound/isa/opti9xx/opti92x-ad1848.c -@@ -2088,9 +2088,11 @@ static int __init alsa_card_opti9xx_init - int error; - struct platform_device *device; - -+#ifdef CONFIG_PNP - pnp_register_card_driver(&opti9xx_pnpc_driver); - if (snd_opti9xx_pnp_is_probed) - return 0; -+#endif - if (! is_isapnp_selected()) { - error = platform_driver_register(&snd_opti9xx_driver); - if (error < 0) -@@ -2102,7 +2104,9 @@ static int __init alsa_card_opti9xx_init - } - platform_driver_unregister(&snd_opti9xx_driver); - } -+#ifdef CONFIG_PNP - pnp_unregister_card_driver(&opti9xx_pnpc_driver); -+#endif - #ifdef MODULE - printk(KERN_ERR "no OPTi " CHIP_NAME " soundcard found\n"); - #endif -@@ -2115,7 +2119,9 @@ static void __exit alsa_card_opti9xx_exi - platform_device_unregister(snd_opti9xx_platform_device); - platform_driver_unregister(&snd_opti9xx_driver); - } -+#ifdef CONFIG_PNP - pnp_unregister_card_driver(&opti9xx_pnpc_driver); -+#endif - } - - module_init(alsa_card_opti9xx_init) -diff --git a/sound/oss/dmasound/tas_common.c b/sound/oss/dmasound/tas_common.c -index 8131599..882ae98 100644 ---- a/sound/oss/dmasound/tas_common.c -+++ b/sound/oss/dmasound/tas_common.c -@@ -195,8 +195,8 @@ tas_init(int driver_id, const char *driv - - printk(KERN_INFO "tas driver [%s])\n", driver_name); - --#ifndef CONFIG_I2C_KEYWEST -- request_module("i2c-keywest"); -+#ifndef CONFIG_I2C_POWERMAC -+ request_module("i2c-powermac"); - #endif - tas_node = find_devices("deq"); - if (tas_node == NULL) -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index b767552..d5cd3a1 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2948,6 +2948,8 @@ static struct hda_board_config alc260_cf - { .modelname = "basic", .config = ALC260_BASIC }, - { .pci_subvendor = 0x104d, .pci_subdevice = 0x81bb, - .config = ALC260_BASIC }, /* Sony VAIO */ -+ { .pci_subvendor = 0x152d, .pci_subdevice = 0x0729, -+ .config = ALC260_BASIC }, /* CTL Travel Master U553W */ - { .modelname = "hp", .config = ALC260_HP }, - { .pci_subvendor = 0x103c, .pci_subdevice = 0x3010, .config = ALC260_HP }, - { .pci_subvendor = 0x103c, .pci_subdevice = 0x3011, .config = ALC260_HP }, -diff --git a/sound/ppc/daca.c b/sound/ppc/daca.c -index 08cde51..b96cd94 100644 ---- a/sound/ppc/daca.c -+++ b/sound/ppc/daca.c -@@ -256,7 +256,7 @@ int __init snd_pmac_daca_init(struct snd - - #ifdef CONFIG_KMOD - if (current->fs->root) -- request_module("i2c-keywest"); -+ request_module("i2c-powermac"); - #endif /* CONFIG_KMOD */ - - mix = kmalloc(sizeof(*mix), GFP_KERNEL); -diff --git a/sound/ppc/tumbler.c b/sound/ppc/tumbler.c -index 838fc11..39d4cde 100644 ---- a/sound/ppc/tumbler.c -+++ b/sound/ppc/tumbler.c -@@ -1314,7 +1314,7 @@ int __init snd_pmac_tumbler_init(struct - - #ifdef CONFIG_KMOD - if (current->fs->root) -- request_module("i2c-keywest"); -+ request_module("i2c-powermac"); - #endif /* CONFIG_KMOD */ - - mix = kmalloc(sizeof(*mix), GFP_KERNEL); |