From 179d9671c0aeb407cc272cb9dfeeedd9fc056d3e Mon Sep 17 00:00:00 2001 From: Eric Andersen Date: Fri, 23 Jun 2006 07:06:48 +0000 Subject: version bump --- .../kernel-patches/001-patch-2.6.16.20.patch | 6360 ++++++++++++++++++++ .../AMD/DBAu1500/kernel-patches/001-patch-2.6.16.4 | 1089 ---- .../AMD/DBAu1500/kernel-patches/100_VERSION.patch | 4 +- target/device/AMD/DBAu1500/linux.config | 136 +- 4 files changed, 6388 insertions(+), 1201 deletions(-) create mode 100644 target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch delete mode 100644 target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.4 (limited to 'target/device/AMD') diff --git a/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch b/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch new file mode 100644 index 000000000..1a1b32409 --- /dev/null +++ b/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.20.patch @@ -0,0 +1,6360 @@ +diff --git a/Documentation/dvb/get_dvb_firmware b/Documentation/dvb/get_dvb_firmware +index 75c28a1..948f502 100644 +--- a/Documentation/dvb/get_dvb_firmware ++++ b/Documentation/dvb/get_dvb_firmware +@@ -240,9 +240,9 @@ sub dibusb { + } + + sub nxt2002 { +- my $sourcefile = "Broadband4PC_4_2_11.zip"; ++ my $sourcefile = "Technisat_DVB-PC_4_4_COMPACT.zip"; + my $url = "http://www.bbti.us/download/windows/$sourcefile"; +- my $hash = "c6d2ea47a8f456d887ada0cfb718ff2a"; ++ my $hash = "476befae8c7c1bb9648954060b1eec1f"; + my $outfile = "dvb-fe-nxt2002.fw"; + my $tmpdir = tempdir(DIR => "/tmp", CLEANUP => 1); + +@@ -250,8 +250,8 @@ sub nxt2002 { + + wgetfile($sourcefile, $url); + unzip($sourcefile, $tmpdir); +- verify("$tmpdir/SkyNETU.sys", $hash); +- extract("$tmpdir/SkyNETU.sys", 375832, 5908, $outfile); ++ verify("$tmpdir/SkyNET.sys", $hash); ++ extract("$tmpdir/SkyNET.sys", 331624, 5908, $outfile); + + $outfile; + } +diff --git a/Makefile b/Makefile +index cb57905..600c769 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + VERSION = 2 + PATCHLEVEL = 6 + SUBLEVEL = 16 +-EXTRAVERSION = ++EXTRAVERSION = .20 + NAME=Sliding Snow Leopard + + # *DOCUMENTATION* +diff --git a/arch/alpha/kernel/setup.c b/arch/alpha/kernel/setup.c +index b4e5f8f..45308bd 100644 +--- a/arch/alpha/kernel/setup.c ++++ b/arch/alpha/kernel/setup.c +@@ -24,6 +24,7 @@ #include + #include /* CONFIG_ALPHA_LCA etc */ + #include + #include ++#include + #include + #include + #include +@@ -477,6 +478,22 @@ #undef PFN_DOWN + #undef PFN_PHYS + #undef PFN_MAX + ++static int __init ++register_cpus(void) ++{ ++ int i; ++ ++ for_each_possible_cpu(i) { ++ struct cpu *p = kzalloc(sizeof(*p), GFP_KERNEL); ++ if (!p) ++ return -ENOMEM; ++ register_cpu(p, i, NULL); ++ } ++ return 0; ++} ++ ++arch_initcall(register_cpus); ++ + void __init + setup_arch(char **cmdline_p) + { +diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c +index 02c2db0..1852554 100644 +--- a/arch/alpha/kernel/smp.c ++++ b/arch/alpha/kernel/smp.c +@@ -439,7 +439,7 @@ setup_smp(void) + if ((cpu->flags & 0x1cc) == 0x1cc) { + smp_num_probed++; + /* Assume here that "whami" == index */ +- cpu_set(i, cpu_possible_map); ++ cpu_set(i, cpu_present_mask); + cpu->pal_revision = boot_cpu_palrev; + } + +@@ -450,9 +450,8 @@ setup_smp(void) + } + } else { + smp_num_probed = 1; +- cpu_set(boot_cpuid, cpu_possible_map); ++ cpu_set(boot_cpuid, cpu_present_mask); + } +- cpu_present_mask = cpumask_of_cpu(boot_cpuid); + + printk(KERN_INFO "SMP: %d CPUs probed -- cpu_present_mask = %lx\n", + smp_num_probed, cpu_possible_map.bits[0]); +@@ -488,9 +487,8 @@ void __devinit + smp_prepare_boot_cpu(void) + { + /* +- * Mark the boot cpu (current cpu) as both present and online ++ * Mark the boot cpu (current cpu) as online + */ +- cpu_set(smp_processor_id(), cpu_present_mask); + cpu_set(smp_processor_id(), cpu_online_map); + } + +diff --git a/arch/alpha/lib/strncpy.S b/arch/alpha/lib/strncpy.S +index 338551c..bbdef1b 100644 +--- a/arch/alpha/lib/strncpy.S ++++ b/arch/alpha/lib/strncpy.S +@@ -43,8 +43,8 @@ strncpy: + + .align 4 + $multiword: +- subq $24, 1, $2 # clear the final bits in the prev word +- or $2, $24, $2 ++ subq $27, 1, $2 # clear the final bits in the prev word ++ or $2, $27, $2 + zapnot $1, $2, $1 + subq $18, 1, $18 + +@@ -70,8 +70,8 @@ strncpy: + bne $18, 0b + + 1: ldq_u $1, 0($16) # clear the leading bits in the final word +- subq $27, 1, $2 +- or $2, $27, $2 ++ subq $24, 1, $2 ++ or $2, $24, $2 + + zap $1, $2, $1 + stq_u $1, 0($16) +diff --git a/arch/i386/kernel/apm.c b/arch/i386/kernel/apm.c +index 05312a8..558d2d2 100644 +--- a/arch/i386/kernel/apm.c ++++ b/arch/i386/kernel/apm.c +@@ -1081,7 +1081,7 @@ static int apm_console_blank(int blank) + break; + } + +- if (error == APM_NOT_ENGAGED && state != APM_STATE_READY) { ++ if (error == APM_NOT_ENGAGED) { + static int tried; + int eng_error; + if (tried++ == 0) { +diff --git a/arch/i386/kernel/cpu/amd.c b/arch/i386/kernel/cpu/amd.c +index 0810f81..d2d50cb 100644 +--- a/arch/i386/kernel/cpu/amd.c ++++ b/arch/i386/kernel/cpu/amd.c +@@ -207,6 +207,8 @@ #define CBAR_KEY (0X000000CB) + set_bit(X86_FEATURE_K7, c->x86_capability); + break; + } ++ if (c->x86 >= 6) ++ set_bit(X86_FEATURE_FXSAVE_LEAK, c->x86_capability); + + display_cacheinfo(c); + +diff --git a/arch/i386/kernel/cpu/cpufreq/Kconfig b/arch/i386/kernel/cpu/cpufreq/Kconfig +index 26892d2..16f2e35 100644 +--- a/arch/i386/kernel/cpu/cpufreq/Kconfig ++++ b/arch/i386/kernel/cpu/cpufreq/Kconfig +@@ -203,6 +203,7 @@ config X86_LONGRUN + config X86_LONGHAUL + tristate "VIA Cyrix III Longhaul" + select CPU_FREQ_TABLE ++ depends on BROKEN + help + This adds the CPUFreq driver for VIA Samuel/CyrixIII, + VIA Cyrix Samuel/C3, VIA Cyrix Ezra and VIA Cyrix Ezra-T +diff --git a/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c b/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c +index cc73a7a..ebe1848 100644 +--- a/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c ++++ b/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c +@@ -244,7 +244,7 @@ #endif + for (i=1; (p4clockmod_table[i].frequency != CPUFREQ_TABLE_END); i++) { + if ((i<2) && (has_N44_O17_errata[policy->cpu])) + p4clockmod_table[i].frequency = CPUFREQ_ENTRY_INVALID; +- else if (has_N60_errata[policy->cpu] && p4clockmod_table[i].frequency < 2000000) ++ else if (has_N60_errata[policy->cpu] && ((stock_freq * i)/8) < 2000000) + p4clockmod_table[i].frequency = CPUFREQ_ENTRY_INVALID; + else + p4clockmod_table[i].frequency = (stock_freq * i)/8; +diff --git a/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c b/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c +index 28cc5d5..cfc4276 100644 +--- a/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c ++++ b/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c +@@ -75,7 +75,9 @@ static int speedstep_smi_ownership (void + __asm__ __volatile__( + "out %%al, (%%dx)\n" + : "=D" (result) +- : "a" (command), "b" (function), "c" (0), "d" (smi_port), "D" (0), "S" (magic) ++ : "a" (command), "b" (function), "c" (0), "d" (smi_port), ++ "D" (0), "S" (magic) ++ : "memory" + ); + + dprintk("result is %x\n", result); +diff --git a/arch/i386/kernel/dmi_scan.c b/arch/i386/kernel/dmi_scan.c +index 6a93d75..ca2a0cb 100644 +--- a/arch/i386/kernel/dmi_scan.c ++++ b/arch/i386/kernel/dmi_scan.c +@@ -106,7 +106,7 @@ static void __init dmi_save_devices(stru + struct dmi_device *dev; + + for (i = 0; i < count; i++) { +- char *d = ((char *) dm) + (i * 2); ++ char *d = (char *)(dm + 1) + (i * 2); + + /* Skip disabled device */ + if ((*d & 0x80) == 0) +diff --git a/arch/i386/kernel/vm86.c b/arch/i386/kernel/vm86.c +index f51c894..aee14fa 100644 +--- a/arch/i386/kernel/vm86.c ++++ b/arch/i386/kernel/vm86.c +@@ -43,6 +43,7 @@ #include + #include + #include + #include ++#include + + #include + #include +@@ -252,6 +253,7 @@ out: + static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk) + { + struct tss_struct *tss; ++ long eax; + /* + * make sure the vm86() system call doesn't try to do anything silly + */ +@@ -305,13 +307,19 @@ static void do_sys_vm86(struct kernel_vm + tsk->thread.screen_bitmap = info->screen_bitmap; + if (info->flags & VM86_SCREEN_BITMAP) + mark_screen_rdonly(tsk->mm); ++ __asm__ __volatile__("xorl %eax,%eax; movl %eax,%fs; movl %eax,%gs\n\t"); ++ __asm__ __volatile__("movl %%eax, %0\n" :"=r"(eax)); ++ ++ /*call audit_syscall_exit since we do not exit via the normal paths */ ++ if (unlikely(current->audit_context)) ++ audit_syscall_exit(current, AUDITSC_RESULT(eax), eax); ++ + __asm__ __volatile__( +- "xorl %%eax,%%eax; movl %%eax,%%fs; movl %%eax,%%gs\n\t" + "movl %0,%%esp\n\t" + "movl %1,%%ebp\n\t" + "jmp resume_userspace" + : /* no outputs */ +- :"r" (&info->regs), "r" (task_thread_info(tsk)) : "ax"); ++ :"r" (&info->regs), "r" (task_thread_info(tsk))); + /* we never return here */ + } + +diff --git a/arch/m32r/kernel/m32r_ksyms.c b/arch/m32r/kernel/m32r_ksyms.c +index be8b711..6000950 100644 +--- a/arch/m32r/kernel/m32r_ksyms.c ++++ b/arch/m32r/kernel/m32r_ksyms.c +@@ -38,10 +38,6 @@ EXPORT_SYMBOL(__udelay); + EXPORT_SYMBOL(__delay); + EXPORT_SYMBOL(__const_udelay); + +-EXPORT_SYMBOL(__get_user_1); +-EXPORT_SYMBOL(__get_user_2); +-EXPORT_SYMBOL(__get_user_4); +- + EXPORT_SYMBOL(strpbrk); + EXPORT_SYMBOL(strstr); + +diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c +index d742037..542ed93 100644 +--- a/arch/m32r/kernel/setup.c ++++ b/arch/m32r/kernel/setup.c +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -218,8 +219,6 @@ #else /* CONFIG_DISCONTIGMEM */ + extern unsigned long setup_memory(void); + #endif /* CONFIG_DISCONTIGMEM */ + +-#define M32R_PCC_PCATCR 0x00ef7014 /* will move to m32r.h */ +- + void __init setup_arch(char **cmdline_p) + { + ROOT_DEV = old_decode_dev(ORIG_ROOT_DEV); +@@ -268,15 +267,14 @@ #endif /* CONFIG_DISCONTIGMEM */ + paging_init(); + } + +-static struct cpu cpu[NR_CPUS]; ++static struct cpu cpu_devices[NR_CPUS]; + + static int __init topology_init(void) + { +- int cpu_id; ++ int i; + +- for (cpu_id = 0; cpu_id < NR_CPUS; cpu_id++) +- if (cpu_possible(cpu_id)) +- register_cpu(&cpu[cpu_id], cpu_id, NULL); ++ for_each_present_cpu(i) ++ register_cpu(&cpu_devices[i], i, NULL); + + return 0; + } +diff --git a/arch/m32r/kernel/smpboot.c b/arch/m32r/kernel/smpboot.c +index d7ec16e..840b434 100644 +--- a/arch/m32r/kernel/smpboot.c ++++ b/arch/m32r/kernel/smpboot.c +@@ -39,8 +39,10 @@ + * Martin J. Bligh : Added support for multi-quad systems + */ + ++#include + #include + #include ++#include + #include + #include + #include +@@ -72,11 +74,15 @@ physid_mask_t phys_cpu_present_map; + + /* Bitmask of currently online CPUs */ + cpumask_t cpu_online_map; ++EXPORT_SYMBOL(cpu_online_map); + + cpumask_t cpu_bootout_map; + cpumask_t cpu_bootin_map; +-cpumask_t cpu_callout_map; + static cpumask_t cpu_callin_map; ++cpumask_t cpu_callout_map; ++EXPORT_SYMBOL(cpu_callout_map); ++cpumask_t cpu_possible_map = CPU_MASK_ALL; ++EXPORT_SYMBOL(cpu_possible_map); + + /* Per CPU bogomips and other parameters */ + struct cpuinfo_m32r cpu_data[NR_CPUS] __cacheline_aligned; +@@ -110,7 +116,6 @@ static unsigned int calibration_result; + + void smp_prepare_boot_cpu(void); + void smp_prepare_cpus(unsigned int); +-static void smp_tune_scheduling(void); + static void init_ipi_lock(void); + static void do_boot_cpu(int); + int __cpu_up(unsigned int); +@@ -177,6 +182,9 @@ void __init smp_prepare_cpus(unsigned in + } + for (phys_id = 0 ; phys_id < nr_cpu ; phys_id++) + physid_set(phys_id, phys_cpu_present_map); ++#ifndef CONFIG_HOTPLUG_CPU ++ cpu_present_map = cpu_possible_map; ++#endif + + show_mp_info(nr_cpu); + +@@ -186,7 +194,6 @@ void __init smp_prepare_cpus(unsigned in + * Setup boot CPU information + */ + smp_store_cpu_info(0); /* Final full version of the data */ +- smp_tune_scheduling(); + + /* + * If SMP should be disabled, then really disable it! +@@ -230,11 +237,6 @@ smp_done: + Dprintk("Boot done.\n"); + } + +-static void __init smp_tune_scheduling(void) +-{ +- /* Nothing to do. */ +-} +- + /* + * init_ipi_lock : Initialize IPI locks. + */ +@@ -629,4 +631,3 @@ static void __init unmap_cpu_to_physid(i + physid_2_cpu[phys_id] = -1; + cpu_2_physid[cpu_id] = -1; + } +- +diff --git a/arch/m32r/lib/Makefile b/arch/m32r/lib/Makefile +index e632d10..d16b4e4 100644 +--- a/arch/m32r/lib/Makefile ++++ b/arch/m32r/lib/Makefile +@@ -2,6 +2,6 @@ # + # Makefile for M32R-specific library files.. + # + +-lib-y := checksum.o ashxdi3.o memset.o memcpy.o getuser.o \ +- putuser.o delay.o strlen.o usercopy.o csum_partial_copy.o ++lib-y := checksum.o ashxdi3.o memset.o memcpy.o \ ++ delay.o strlen.o usercopy.o csum_partial_copy.o + +diff --git a/arch/m32r/lib/getuser.S b/arch/m32r/lib/getuser.S +deleted file mode 100644 +index 58a0db0..0000000 +--- a/arch/m32r/lib/getuser.S ++++ /dev/null +@@ -1,88 +0,0 @@ +-/* +- * __get_user functions. +- * +- * (C) Copyright 2001 Hirokazu Takata +- * +- * These functions have a non-standard call interface +- * to make them more efficient, especially as they +- * return an error value in addition to the "real" +- * return value. +- */ +- +-#include +- +-/* +- * __get_user_X +- * +- * Inputs: r0 contains the address +- * +- * Outputs: r0 is error code (0 or -EFAULT) +- * r1 contains zero-extended value +- * +- * These functions should not modify any other registers, +- * as they get called from within inline assembly. +- */ +- +-#ifdef CONFIG_ISA_DUAL_ISSUE +- +- .text +- .balign 4 +- .globl __get_user_1 +-__get_user_1: +-1: ldub r1, @r0 || ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __get_user_2 +-__get_user_2: +-2: lduh r1, @r0 || ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __get_user_4 +-__get_user_4: +-3: ld r1, @r0 || ldi r0, #0 +- jmp r14 +- +-bad_get_user: +- ldi r1, #0 || ldi r0, #-14 +- jmp r14 +- +-#else /* not CONFIG_ISA_DUAL_ISSUE */ +- +- .text +- .balign 4 +- .globl __get_user_1 +-__get_user_1: +-1: ldub r1, @r0 +- ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __get_user_2 +-__get_user_2: +-2: lduh r1, @r0 +- ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __get_user_4 +-__get_user_4: +-3: ld r1, @r0 +- ldi r0, #0 +- jmp r14 +- +-bad_get_user: +- ldi r1, #0 +- ldi r0, #-14 +- jmp r14 +- +-#endif /* not CONFIG_ISA_DUAL_ISSUE */ +- +-.section __ex_table,"a" +- .long 1b,bad_get_user +- .long 2b,bad_get_user +- .long 3b,bad_get_user +-.previous +- +- .end +diff --git a/arch/m32r/lib/putuser.S b/arch/m32r/lib/putuser.S +deleted file mode 100644 +index 218154c..0000000 +--- a/arch/m32r/lib/putuser.S ++++ /dev/null +@@ -1,84 +0,0 @@ +-/* +- * __put_user functions. +- * +- * (C) Copyright 1998 Linus Torvalds +- * (C) Copyright 2001 Hirokazu Takata +- * +- * These functions have a non-standard call interface +- * to make them more efficient. +- */ +- +-#include +- +-/* +- * __put_user_X +- * +- * Inputs: r0 contains the address +- * r1 contains the value +- * +- * Outputs: r0 is error code (0 or -EFAULT) +- * r1 is corrupted (will contain "current_task"). +- * +- * These functions should not modify any other registers, +- * as they get called from within inline assembly. +- */ +- +-#ifdef CONFIG_ISA_DUAL_ISSUE +- +- .text +- .balign 4 +- .globl __put_user_1 +-__put_user_1: +-1: stb r1, @r0 || ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __put_user_2 +-__put_user_2: +-2: sth r1, @r0 || ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __put_user_4 +-__put_user_4: +-3: st r1, @r0 || ldi r0, #0 +- jmp r14 +- +-bad_put_user: +- ldi r0, #-14 || jmp r14 +- +-#else /* not CONFIG_ISA_DUAL_ISSUE */ +- +- .text +- .balign 4 +- .globl __put_user_1 +-__put_user_1: +-1: stb r1, @r0 +- ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __put_user_2 +-__put_user_2: +-2: sth r1, @r0 +- ldi r0, #0 +- jmp r14 +- +- .balign 4 +- .globl __put_user_4 +-__put_user_4: +-3: st r1, @r0 +- ldi r0, #0 +- jmp r14 +- +-bad_put_user: +- ldi r0, #-14 +- jmp r14 +- +-#endif /* not CONFIG_ISA_DUAL_ISSUE */ +- +-.section __ex_table,"a" +- .long 1b,bad_put_user +- .long 2b,bad_put_user +- .long 3b,bad_put_user +-.previous +diff --git a/arch/mips/kernel/branch.c b/arch/mips/kernel/branch.c +index 374de83..b6232d9 100644 +--- a/arch/mips/kernel/branch.c ++++ b/arch/mips/kernel/branch.c +@@ -184,7 +184,7 @@ int __compute_return_epc(struct pt_regs + bit = (insn.i_format.rt >> 2); + bit += (bit != 0); + bit += 23; +- switch (insn.i_format.rt) { ++ switch (insn.i_format.rt & 3) { + case 0: /* bc1f */ + case 2: /* bc1fl */ + if (~fcr31 & (1 << bit)) +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index 9572ed4..a761f99 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -154,7 +154,8 @@ static inline void blast_icache32_r4600_ + + static inline void tx49_blast_icache32_page_indexed(unsigned long page) + { +- unsigned long start = page; ++ unsigned long indexmask = current_cpu_data.icache.waysize - 1; ++ unsigned long start = INDEX_BASE + (page & indexmask); + unsigned long end = start + PAGE_SIZE; + unsigned long ws_inc = 1UL << current_cpu_data.icache.waybit; + unsigned long ws_end = current_cpu_data.icache.ways << +diff --git a/arch/powerpc/kernel/pci_64.c b/arch/powerpc/kernel/pci_64.c +index ba92bab..4c4449b 100644 +--- a/arch/powerpc/kernel/pci_64.c ++++ b/arch/powerpc/kernel/pci_64.c +@@ -78,6 +78,7 @@ int global_phb_number; /* Global phb co + + /* Cached ISA bridge dev. */ + struct pci_dev *ppc64_isabridge_dev = NULL; ++EXPORT_SYMBOL_GPL(ppc64_isabridge_dev); + + static void fixup_broken_pcnet32(struct pci_dev* dev) + { +diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c +index f96c49b..abd758f 100644 +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -256,12 +256,10 @@ #endif + /* + * Initialize stab / SLB management except on iSeries + */ +- if (!firmware_has_feature(FW_FEATURE_ISERIES)) { +- if (cpu_has_feature(CPU_FTR_SLB)) +- slb_initialize(); +- else +- stab_initialize(lpaca->stab_real); +- } ++ if (cpu_has_feature(CPU_FTR_SLB)) ++ slb_initialize(); ++ else if (!firmware_has_feature(FW_FEATURE_ISERIES)) ++ stab_initialize(lpaca->stab_real); + + DBG(" <- early_setup()\n"); + } +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index 4324f8a..096dfdc 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -213,7 +213,7 @@ static inline void __user * get_sigframe + /* Default to using normal stack */ + newsp = regs->gpr[1]; + +- if (ka->sa.sa_flags & SA_ONSTACK) { ++ if ((ka->sa.sa_flags & SA_ONSTACK) && current->sas_ss_size) { + if (! on_sig_stack(regs->gpr[1])) + newsp = (current->sas_ss_sp + current->sas_ss_size); + } +diff --git a/arch/powerpc/platforms/powermac/setup.c b/arch/powerpc/platforms/powermac/setup.c +index 29c2946..f649750 100644 +--- a/arch/powerpc/platforms/powermac/setup.c ++++ b/arch/powerpc/platforms/powermac/setup.c +@@ -456,11 +456,23 @@ static int pmac_pm_finish(suspend_state_ + return 0; + } + ++static int pmac_pm_valid(suspend_state_t state) ++{ ++ switch (state) { ++ case PM_SUSPEND_DISK: ++ return 1; ++ /* can't do any other states via generic mechanism yet */ ++ default: ++ return 0; ++ } ++} ++ + static struct pm_ops pmac_pm_ops = { + .pm_disk_mode = PM_DISK_SHUTDOWN, + .prepare = pmac_pm_prepare, + .enter = pmac_pm_enter, + .finish = pmac_pm_finish, ++ .valid = pmac_pm_valid, + }; + + #endif /* CONFIG_SOFTWARE_SUSPEND */ +diff --git a/arch/x86_64/ia32/Makefile b/arch/x86_64/ia32/Makefile +index 929e6b0..e9263b4 100644 +--- a/arch/x86_64/ia32/Makefile ++++ b/arch/x86_64/ia32/Makefile +@@ -27,5 +27,5 @@ quiet_cmd_syscall = SYSCALL $@ + $(obj)/vsyscall-%.so: $(src)/vsyscall.lds $(obj)/vsyscall-%.o FORCE + $(call if_changed,syscall) + +-AFLAGS_vsyscall-sysenter.o = -m32 +-AFLAGS_vsyscall-syscall.o = -m32 ++AFLAGS_vsyscall-sysenter.o = -m32 -Wa,-32 ++AFLAGS_vsyscall-syscall.o = -m32 -Wa,-32 +diff --git a/arch/x86_64/kernel/entry.S b/arch/x86_64/kernel/entry.S +index 7c10e90..97583bb 100644 +--- a/arch/x86_64/kernel/entry.S ++++ b/arch/x86_64/kernel/entry.S +@@ -180,6 +180,10 @@ rff_trace: + * + * XXX if we had a free scratch register we could save the RSP into the stack frame + * and report it properly in ps. Unfortunately we haven't. ++ * ++ * When user can change the frames always force IRET. That is because ++ * it deals with uncanonical addresses better. SYSRET has trouble ++ * with them due to bugs in both AMD and Intel CPUs. + */ + + ENTRY(system_call) +@@ -254,7 +258,10 @@ sysret_signal: + xorl %esi,%esi # oldset -> arg2 + call ptregscall_common + 1: movl $_TIF_NEED_RESCHED,%edi +- jmp sysret_check ++ /* Use IRET because user could have changed frame. This ++ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */ ++ cli ++ jmp int_with_check + + badsys: + movq $-ENOSYS,RAX-ARGOFFSET(%rsp) +@@ -274,13 +281,9 @@ tracesys: + ja 1f + movq %r10,%rcx /* fixup for C */ + call *sys_call_table(,%rax,8) +- movq %rax,RAX-ARGOFFSET(%rsp) +-1: SAVE_REST +- movq %rsp,%rdi +- call syscall_trace_leave +- RESTORE_TOP_OF_STACK %rbx +- RESTORE_REST +- jmp ret_from_sys_call ++1: movq %rax,RAX-ARGOFFSET(%rsp) ++ /* Use IRET because user could have changed frame */ ++ jmp int_ret_from_sys_call + CFI_ENDPROC + + /* +@@ -408,25 +411,9 @@ ENTRY(stub_execve) + CFI_ADJUST_CFA_OFFSET -8 + CFI_REGISTER rip, r11 + SAVE_REST +- movq %r11, %r15 +- CFI_REGISTER rip, r15 + FIXUP_TOP_OF_STACK %r11 + call sys_execve +- GET_THREAD_INFO(%rcx) +- bt $TIF_IA32,threadinfo_flags(%rcx) +- CFI_REMEMBER_STATE +- jc exec_32bit + RESTORE_TOP_OF_STACK %r11 +- movq %r15, %r11 +- CFI_REGISTER rip, r11 +- RESTORE_REST +- pushq %r11 +- CFI_ADJUST_CFA_OFFSET 8 +- CFI_REL_OFFSET rip, 0 +- ret +- +-exec_32bit: +- CFI_RESTORE_STATE + movq %rax,RAX(%rsp) + RESTORE_REST + jmp int_ret_from_sys_call +diff --git a/arch/x86_64/kernel/pci-gart.c b/arch/x86_64/kernel/pci-gart.c +index 0c3f052..b9dbe3c 100644 +--- a/arch/x86_64/kernel/pci-gart.c ++++ b/arch/x86_64/kernel/pci-gart.c +@@ -114,10 +114,6 @@ static unsigned long alloc_iommu(int siz + static void free_iommu(unsigned long offset, int size) + { + unsigned long flags; +- if (size == 1) { +- clear_bit(offset, iommu_gart_bitmap); +- return; +- } + spin_lock_irqsave(&iommu_bitmap_lock, flags); + __clear_bit_string(iommu_gart_bitmap, offset, size); + spin_unlock_irqrestore(&iommu_bitmap_lock, flags); +diff --git a/arch/x86_64/kernel/process.c b/arch/x86_64/kernel/process.c +index 22a05de..818ab9e 100644 +--- a/arch/x86_64/kernel/process.c ++++ b/arch/x86_64/kernel/process.c +@@ -527,8 +527,6 @@ __switch_to(struct task_struct *prev_p, + int cpu = smp_processor_id(); + struct tss_struct *tss = &per_cpu(init_tss, cpu); + +- unlazy_fpu(prev_p); +- + /* + * Reload esp0, LDT and the page table pointer: + */ +@@ -591,6 +589,12 @@ __switch_to(struct task_struct *prev_p, + prev->userrsp = read_pda(oldrsp); + write_pda(oldrsp, next->userrsp); + write_pda(pcurrent, next_p); ++ ++ /* This must be here to ensure both math_state_restore() and ++ kernel_fpu_begin() work consistently. ++ And the AMD workaround requires it to be after DS reload. */ ++ unlazy_fpu(prev_p); ++ + write_pda(kernelstack, + task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET); + +diff --git a/arch/x86_64/kernel/setup.c b/arch/x86_64/kernel/setup.c +index aa55e3c..a4a0bb5 100644 +--- a/arch/x86_64/kernel/setup.c ++++ b/arch/x86_64/kernel/setup.c +@@ -909,6 +909,10 @@ #endif + if (c->x86 == 15 && ((level >= 0x0f48 && level < 0x0f50) || level >= 0x0f58)) + set_bit(X86_FEATURE_REP_GOOD, &c->x86_capability); + ++ /* Enable workaround for FXSAVE leak */ ++ if (c->x86 >= 6) ++ set_bit(X86_FEATURE_FXSAVE_LEAK, &c->x86_capability); ++ + r = get_model_name(c); + if (!r) { + switch (c->x86) { +diff --git a/arch/x86_64/kernel/traps.c b/arch/x86_64/kernel/traps.c +index 28d50dc..a5209fd 100644 +--- a/arch/x86_64/kernel/traps.c ++++ b/arch/x86_64/kernel/traps.c +@@ -30,6 +30,7 @@ #include + #include + #include + #include ++#include + + #include + #include +@@ -434,6 +435,8 @@ #endif + printk(KERN_ALERT "RIP "); + printk_address(regs->rip); + printk(" RSP <%016lx>\n", regs->rsp); ++ if (kexec_should_crash(current)) ++ crash_kexec(regs); + } + + void die(const char * str, struct pt_regs * regs, long err) +@@ -456,6 +459,8 @@ void __kprobes die_nmi(char *str, struct + */ + printk(str, safe_smp_processor_id()); + show_registers(regs); ++ if (kexec_should_crash(current)) ++ crash_kexec(regs); + if (panic_on_timeout || panic_on_oops) + panic("nmi watchdog"); + printk("console shuts up ...\n"); +diff --git a/block/elevator.c b/block/elevator.c +index 24b702d..ef1e606 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -314,6 +314,7 @@ void elv_insert(request_queue_t *q, stru + { + struct list_head *pos; + unsigned ordseq; ++ int unplug_it = 1; + + rq->q = q; + +@@ -378,6 +379,11 @@ void elv_insert(request_queue_t *q, stru + } + + list_add_tail(&rq->queuelist, pos); ++ /* ++ * most requeues happen because of a busy condition, don't ++ * force unplug of the queue for that case. ++ */ ++ unplug_it = 0; + break; + + default: +@@ -386,7 +392,7 @@ void elv_insert(request_queue_t *q, stru + BUG(); + } + +- if (blk_queue_plugged(q)) { ++ if (unplug_it && blk_queue_plugged(q)) { + int nrq = q->rq.count[READ] + q->rq.count[WRITE] + - q->in_flight; + +diff --git a/block/genhd.c b/block/genhd.c +index db57546..7f406f9 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -16,8 +16,6 @@ #include + #include + #include + +-#define MAX_PROBE_HASH 255 /* random */ +- + static struct subsystem block_subsys; + + static DECLARE_MUTEX(block_subsys_sem); +@@ -30,108 +28,29 @@ static struct blk_major_name { + struct blk_major_name *next; + int major; + char name[16]; +-} *major_names[MAX_PROBE_HASH]; ++} *major_names[BLKDEV_MAJOR_HASH_SIZE]; + + /* index in the above - for now: assume no multimajor ranges */ + static inline int major_to_index(int major) + { +- return major % MAX_PROBE_HASH; +-} +- +-struct blkdev_info { +- int index; +- struct blk_major_name *bd; +-}; +- +-/* +- * iterate over a list of blkdev_info structures. allows +- * the major_names array to be iterated over from outside this file +- * must be called with the block_subsys_sem held +- */ +-void *get_next_blkdev(void *dev) +-{ +- struct blkdev_info *info; +- +- if (dev == NULL) { +- info = kmalloc(sizeof(*info), GFP_KERNEL); +- if (!info) +- goto out; +- info->index=0; +- info->bd = major_names[info->index]; +- if (info->bd) +- goto out; +- } else { +- info = dev; +- } +- +- while (info->index < ARRAY_SIZE(major_names)) { +- if (info->bd) +- info->bd = info->bd->next; +- if (info->bd) +- goto out; +- /* +- * No devices on this chain, move to the next +- */ +- info->index++; +- info->bd = (info->index < ARRAY_SIZE(major_names)) ? +- major_names[info->index] : NULL; +- if (info->bd) +- goto out; +- } +- +-out: +- return info; +-} +- +-void *acquire_blkdev_list(void) +-{ +- down(&block_subsys_sem); +- return get_next_blkdev(NULL); +-} +- +-void release_blkdev_list(void *dev) +-{ +- up(&block_subsys_sem); +- kfree(dev); ++ return major % BLKDEV_MAJOR_HASH_SIZE; + } + ++#ifdef CONFIG_PROC_FS + +-/* +- * Count the number of records in the blkdev_list. +- * must be called with the block_subsys_sem held +- */ +-int count_blkdev_list(void) ++void blkdev_show(struct seq_file *f, off_t offset) + { +- struct blk_major_name *n; +- int i, count; ++ struct blk_major_name *dp; + +- count = 0; +- +- for (i = 0; i < ARRAY_SIZE(major_names); i++) { +- for (n = major_names[i]; n; n = n->next) +- count++; ++ if (offset < BLKDEV_MAJOR_HASH_SIZE) { ++ down(&block_subsys_sem); ++ for (dp = major_names[offset]; dp; dp = dp->next) ++ seq_printf(f, "%3d %s\n", dp->major, dp->name); ++ up(&block_subsys_sem); + } +- +- return count; +-} +- +-/* +- * extract the major and name values from a blkdev_info struct +- * passed in as a void to *dev. Must be called with +- * block_subsys_sem held +- */ +-int get_blkdev_info(void *dev, int *major, char **name) +-{ +- struct blkdev_info *info = dev; +- +- if (info->bd == NULL) +- return 1; +- +- *major = info->bd->major; +- *name = info->bd->name; +- return 0; + } + ++#endif /* CONFIG_PROC_FS */ + + int register_blkdev(unsigned int major, const char *name) + { +diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c +index 0ef2971..cd995c3 100644 +--- a/block/ll_rw_blk.c ++++ b/block/ll_rw_blk.c +@@ -1719,8 +1719,21 @@ void blk_run_queue(struct request_queue + + spin_lock_irqsave(q->queue_lock, flags); + blk_remove_plug(q); +- if (!elv_queue_empty(q)) +- q->request_fn(q); ++ ++ /* ++ * Only recurse once to avoid overrunning the stack, let the unplug ++ * handling reinvoke the handler shortly if we already got there. ++ */ ++ if (!elv_queue_empty(q)) { ++ if (!test_and_set_bit(QUEUE_FLAG_REENTER, &q->queue_flags)) { ++ q->request_fn(q); ++ clear_bit(QUEUE_FLAG_REENTER, &q->queue_flags); ++ } else { ++ blk_plug_device(q); ++ kblockd_schedule_work(&q->unplug_work); ++ } ++ } ++ + spin_unlock_irqrestore(q->queue_lock, flags); + } + EXPORT_SYMBOL(blk_run_queue); +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 07a7f97..29f3d75 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -141,7 +141,7 @@ #endif + return error; + } + +-struct sys_device *get_cpu_sysdev(int cpu) ++struct sys_device *get_cpu_sysdev(unsigned cpu) + { + if (cpu < NR_CPUS) + return cpu_sys_devices[cpu]; +diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c +index e97e911..4723182 100644 +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -211,18 +211,20 @@ static int + fw_realloc_buffer(struct firmware_priv *fw_priv, int min_size) + { + u8 *new_data; ++ int new_size = fw_priv->alloc_size; + + if (min_size <= fw_priv->alloc_size) + return 0; + +- new_data = vmalloc(fw_priv->alloc_size + PAGE_SIZE); ++ new_size = ALIGN(min_size, PAGE_SIZE); ++ new_data = vmalloc(new_size); + if (!new_data) { + printk(KERN_ERR "%s: unable to alloc buffer\n", __FUNCTION__); + /* Make sure that we don't keep incomplete data */ + fw_load_abort(fw_priv); + return -ENOMEM; + } +- fw_priv->alloc_size += PAGE_SIZE; ++ fw_priv->alloc_size = new_size; + if (fw_priv->fw->data) { + memcpy(new_data, fw_priv->fw->data, fw_priv->fw->size); + vfree(fw_priv->fw->data); +diff --git a/drivers/base/node.c b/drivers/base/node.c +index 16c513a..c80c3ae 100644 +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -106,7 +106,7 @@ static ssize_t node_read_numastat(struct + other_node = 0; + for (i = 0; i < MAX_NR_ZONES; i++) { + struct zone *z = &pg->node_zones[i]; +- for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for_each_online_cpu(cpu) { + struct per_cpu_pageset *ps = zone_pcp(z,cpu); + numa_hit += ps->numa_hit; + numa_miss += ps->numa_miss; +diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c +index 0d65394..71552e1 100644 +--- a/drivers/block/cciss.c ++++ b/drivers/block/cciss.c +@@ -1181,6 +1181,53 @@ static int revalidate_allvol(ctlr_info_t + return 0; + } + ++static inline void complete_buffers(struct bio *bio, int status) ++{ ++ while (bio) { ++ struct bio *xbh = bio->bi_next; ++ int nr_sectors = bio_sectors(bio); ++ ++ bio->bi_next = NULL; ++ blk_finished_io(len); ++ bio_endio(bio, nr_sectors << 9, status ? 0 : -EIO); ++ bio = xbh; ++ } ++ ++} ++ ++static void cciss_softirq_done(struct request *rq) ++{ ++ CommandList_struct *cmd = rq->completion_data; ++ ctlr_info_t *h = hba[cmd->ctlr]; ++ unsigned long flags; ++ u64bit temp64; ++ int i, ddir; ++ ++ if (cmd->Request.Type.Direction == XFER_READ) ++ ddir = PCI_DMA_FROMDEVICE; ++ else ++ ddir = PCI_DMA_TODEVICE; ++ ++ /* command did not need to be retried */ ++ /* unmap the DMA mapping for all the scatter gather elements */ ++ for(i=0; iHeader.SGList; i++) { ++ temp64.val32.lower = cmd->SG[i].Addr.lower; ++ temp64.val32.upper = cmd->SG[i].Addr.upper; ++ pci_unmap_page(h->pdev, temp64.val, cmd->SG[i].Len, ddir); ++ } ++ ++ complete_buffers(rq->bio, rq->errors); ++ ++#ifdef CCISS_DEBUG ++ printk("Done with %p\n", rq); ++#endif /* CCISS_DEBUG */ ++ ++ spin_lock_irqsave(&h->lock, flags); ++ end_that_request_last(rq, rq->errors); ++ cmd_free(h, cmd,1); ++ spin_unlock_irqrestore(&h->lock, flags); ++} ++ + /* This function will check the usage_count of the drive to be updated/added. + * If the usage_count is zero then the drive information will be updated and + * the disk will be re-registered with the kernel. If not then it will be +@@ -1249,6 +1296,8 @@ static void cciss_update_drive_info(int + + blk_queue_max_sectors(disk->queue, 512); + ++ blk_queue_softirq_done(disk->queue, cciss_softirq_done); ++ + disk->queue->queuedata = hba[ctlr]; + + blk_queue_hardsect_size(disk->queue, +@@ -2148,20 +2197,6 @@ static void start_io( ctlr_info_t *h) + addQ (&(h->cmpQ), c); + } + } +- +-static inline void complete_buffers(struct bio *bio, int status) +-{ +- while (bio) { +- struct bio *xbh = bio->bi_next; +- int nr_sectors = bio_sectors(bio); +- +- bio->bi_next = NULL; +- blk_finished_io(len); +- bio_endio(bio, nr_sectors << 9, status ? 0 : -EIO); +- bio = xbh; +- } +- +-} + /* Assumes that CCISS_LOCK(h->ctlr) is held. */ + /* Zeros out the error record and then resends the command back */ + /* to the controller */ +@@ -2179,39 +2214,6 @@ static inline void resend_cciss_cmd( ctl + start_io(h); + } + +-static void cciss_softirq_done(struct request *rq) +-{ +- CommandList_struct *cmd = rq->completion_data; +- ctlr_info_t *h = hba[cmd->ctlr]; +- unsigned long flags; +- u64bit temp64; +- int i, ddir; +- +- if (cmd->Request.Type.Direction == XFER_READ) +- ddir = PCI_DMA_FROMDEVICE; +- else +- ddir = PCI_DMA_TODEVICE; +- +- /* command did not need to be retried */ +- /* unmap the DMA mapping for all the scatter gather elements */ +- for(i=0; iHeader.SGList; i++) { +- temp64.val32.lower = cmd->SG[i].Addr.lower; +- temp64.val32.upper = cmd->SG[i].Addr.upper; +- pci_unmap_page(h->pdev, temp64.val, cmd->SG[i].Len, ddir); +- } +- +- complete_buffers(rq->bio, rq->errors); +- +-#ifdef CCISS_DEBUG +- printk("Done with %p\n", rq); +-#endif /* CCISS_DEBUG */ +- +- spin_lock_irqsave(&h->lock, flags); +- end_that_request_last(rq, rq->errors); +- cmd_free(h, cmd,1); +- spin_unlock_irqrestore(&h->lock, flags); +-} +- + /* checks the status of the job and calls complete buffers to mark all + * buffers for the completed job. Note that this function does not need + * to hold the hba/queue lock. +@@ -3269,8 +3271,8 @@ clean2: + unregister_blkdev(hba[i]->major, hba[i]->devname); + clean1: + release_io_mem(hba[i]); +- free_hba(i); + hba[i]->busy_initializing = 0; ++ free_hba(i); + return(-1); + } + +diff --git a/drivers/block/ub.c b/drivers/block/ub.c +index f04d864..a9485e5 100644 +--- a/drivers/block/ub.c ++++ b/drivers/block/ub.c +@@ -704,6 +704,9 @@ static void ub_cleanup(struct ub_dev *sc + kfree(lun); + } + ++ usb_set_intfdata(sc->intf, NULL); ++ usb_put_intf(sc->intf); ++ usb_put_dev(sc->dev); + kfree(sc); + } + +@@ -2428,7 +2431,12 @@ static int ub_probe(struct usb_interface + // sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; + usb_set_intfdata(intf, sc); + usb_get_dev(sc->dev); +- // usb_get_intf(sc->intf); /* Do we need this? */ ++ /* ++ * Since we give the interface struct to the block level through ++ * disk->driverfs_dev, we have to pin it. Otherwise, block_uevent ++ * oopses on close after a disconnect (kernels 2.6.16 and up). ++ */ ++ usb_get_intf(sc->intf); + + snprintf(sc->name, 12, DRV_NAME "(%d.%d)", + sc->dev->bus->busnum, sc->dev->devnum); +@@ -2509,7 +2517,7 @@ #endif + err_diag: + err_dev_desc: + usb_set_intfdata(intf, NULL); +- // usb_put_intf(sc->intf); ++ usb_put_intf(sc->intf); + usb_put_dev(sc->dev); + kfree(sc); + err_core: +@@ -2688,12 +2696,6 @@ static void ub_disconnect(struct usb_int + */ + + device_remove_file(&sc->intf->dev, &dev_attr_diag); +- usb_set_intfdata(intf, NULL); +- // usb_put_intf(sc->intf); +- sc->intf = NULL; +- usb_put_dev(sc->dev); +- sc->dev = NULL; +- + ub_put(sc); + } + +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig +index 05ba410..8b72a61 100644 +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -187,6 +187,7 @@ config MOXA_SMARTIO + config ISI + tristate "Multi-Tech multiport card support (EXPERIMENTAL)" + depends on SERIAL_NONSTANDARD ++ select FW_LOADER + help + This is a driver for the Multi-Tech cards which provide several + serial ports. The driver is experimental and can currently only be +diff --git a/drivers/char/agp/efficeon-agp.c b/drivers/char/agp/efficeon-agp.c +index e7aea77..40dfc29 100644 +--- a/drivers/char/agp/efficeon-agp.c ++++ b/drivers/char/agp/efficeon-agp.c +@@ -64,6 +64,12 @@ static struct gatt_mask efficeon_generic + {.mask = 0x00000001, .type = 0} + }; + ++/* This function does the same thing as mask_memory() for this chipset... */ ++static inline unsigned long efficeon_mask_memory(unsigned long addr) ++{ ++ return addr | 0x00000001; ++} ++ + static struct aper_size_info_lvl2 efficeon_generic_sizes[4] = + { + {256, 65536, 0}, +@@ -251,7 +257,7 @@ static int efficeon_insert_memory(struct + last_page = NULL; + for (i = 0; i < count; i++) { + int index = pg_start + i; +- unsigned long insert = mem->memory[i]; ++ unsigned long insert = efficeon_mask_memory(mem->memory[i]); + + page = (unsigned int *) efficeon_private.l1_table[index >> 10]; + +diff --git a/drivers/char/cs5535_gpio.c b/drivers/char/cs5535_gpio.c +index 5d72f50..46d6603 100644 +--- a/drivers/char/cs5535_gpio.c ++++ b/drivers/char/cs5535_gpio.c +@@ -241,9 +241,10 @@ static int __init cs5535_gpio_init(void) + static void __exit cs5535_gpio_cleanup(void) + { + dev_t dev_id = MKDEV(major, 0); ++ ++ cdev_del(&cs5535_gpio_cdev); + unregister_chrdev_region(dev_id, CS5535_GPIO_COUNT); +- if (gpio_base != 0) +- release_region(gpio_base, CS5535_GPIO_SIZE); ++ release_region(gpio_base, CS5535_GPIO_SIZE); + } + + module_init(cs5535_gpio_init); +diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c +index 58dcdee..0030cd8 100644 +--- a/drivers/char/ipmi/ipmi_bt_sm.c ++++ b/drivers/char/ipmi/ipmi_bt_sm.c +@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s + { + unsigned int i; + +- if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) ++ if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) + return -1; + + if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) +diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c +index 5fdf185..b61354a 100644 +--- a/drivers/char/pcmcia/cm4000_cs.c ++++ b/drivers/char/pcmcia/cm4000_cs.c +@@ -2010,10 +2010,6 @@ static int __init cmm_init(void) + if (!cmm_class) + return -1; + +- rc = pcmcia_register_driver(&cm4000_driver); +- if (rc < 0) +- return rc; +- + major = register_chrdev(0, DEVICE_NAME, &cm4000_fops); + if (major < 0) { + printk(KERN_WARNING MODULE_NAME +@@ -2021,6 +2017,12 @@ static int __init cmm_init(void) + return -1; + } + ++ rc = pcmcia_register_driver(&cm4000_driver); ++ if (rc < 0) { ++ unregister_chrdev(major, DEVICE_NAME); ++ return rc; ++ } ++ + return 0; + } + +diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c +index 466e33b..744b57d 100644 +--- a/drivers/char/pcmcia/cm4040_cs.c ++++ b/drivers/char/pcmcia/cm4040_cs.c +@@ -769,16 +769,19 @@ static int __init cm4040_init(void) + if (!cmx_class) + return -1; + +- rc = pcmcia_register_driver(&reader_driver); +- if (rc < 0) +- return rc; +- + major = register_chrdev(0, DEVICE_NAME, &reader_fops); + if (major < 0) { + printk(KERN_WARNING MODULE_NAME + ": could not get major number\n"); + return -1; + } ++ ++ rc = pcmcia_register_driver(&reader_driver); ++ if (rc < 0) { ++ unregister_chrdev(major, DEVICE_NAME); ++ return rc; ++ } ++ + return 0; + } + +diff --git a/drivers/char/snsc.c b/drivers/char/snsc.c +index 0e7d216..d22da98 100644 +--- a/drivers/char/snsc.c ++++ b/drivers/char/snsc.c +@@ -391,7 +391,8 @@ scdrv_init(void) + format_module_id(devnamep, geo_module(geoid), + MODULE_FORMAT_BRIEF); + devnamep = devname + strlen(devname); +- sprintf(devnamep, "#%d", geo_slab(geoid)); ++ sprintf(devnamep, "^%d#%d", geo_slot(geoid), ++ geo_slab(geoid)); + + /* allocate sysctl device data */ + scd = kmalloc(sizeof (struct sysctl_data_s), +diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c +index f8dd852..a90f5d9 100644 +--- a/drivers/char/sonypi.c ++++ b/drivers/char/sonypi.c +@@ -1341,6 +1341,9 @@ static int __devinit sonypi_probe(struct + else if ((pcidev = pci_get_device(PCI_VENDOR_ID_INTEL, + PCI_DEVICE_ID_INTEL_ICH6_1, NULL))) + sonypi_device.model = SONYPI_DEVICE_MODEL_TYPE3; ++ else if ((pcidev = pci_get_device(PCI_VENDOR_ID_INTEL, ++ PCI_DEVICE_ID_INTEL_ICH7_1, NULL))) ++ sonypi_device.model = SONYPI_DEVICE_MODEL_TYPE3; + else + sonypi_device.model = SONYPI_DEVICE_MODEL_TYPE2; + +diff --git a/drivers/char/tipar.c b/drivers/char/tipar.c +index eb2eb3e..079db5a 100644 +--- a/drivers/char/tipar.c ++++ b/drivers/char/tipar.c +@@ -515,7 +515,7 @@ tipar_init_module(void) + err = PTR_ERR(tipar_class); + goto out_chrdev; + } +- if (parport_register_driver(&tipar_driver) || tp_count == 0) { ++ if (parport_register_driver(&tipar_driver)) { + printk(KERN_ERR "tipar: unable to register with parport\n"); + err = -EIO; + goto out_class; +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c +index 4c27218..f58ad7f 100644 +--- a/drivers/char/tlclk.c ++++ b/drivers/char/tlclk.c +@@ -327,7 +327,7 @@ static ssize_t store_received_ref_clk3a( + return strnlen(buf, count); + } + +-static DEVICE_ATTR(received_ref_clk3a, S_IWUGO, NULL, ++static DEVICE_ATTR(received_ref_clk3a, (S_IWUSR|S_IWGRP), NULL, + store_received_ref_clk3a); + + +@@ -349,7 +349,7 @@ static ssize_t store_received_ref_clk3b( + return strnlen(buf, count); + } + +-static DEVICE_ATTR(received_ref_clk3b, S_IWUGO, NULL, ++static DEVICE_ATTR(received_ref_clk3b, (S_IWUSR|S_IWGRP), NULL, + store_received_ref_clk3b); + + +@@ -371,7 +371,7 @@ static ssize_t store_enable_clk3b_output + return strnlen(buf, count); + } + +-static DEVICE_ATTR(enable_clk3b_output, S_IWUGO, NULL, ++static DEVICE_ATTR(enable_clk3b_output, (S_IWUSR|S_IWGRP), NULL, + store_enable_clk3b_output); + + static ssize_t store_enable_clk3a_output(struct device *d, +@@ -392,7 +392,7 @@ static ssize_t store_enable_clk3a_output + return strnlen(buf, count); + } + +-static DEVICE_ATTR(enable_clk3a_output, S_IWUGO, NULL, ++static DEVICE_ATTR(enable_clk3a_output, (S_IWUSR|S_IWGRP), NULL, + store_enable_clk3a_output); + + static ssize_t store_enable_clkb1_output(struct device *d, +@@ -413,7 +413,7 @@ static ssize_t store_enable_clkb1_output + return strnlen(buf, count); + } + +-static DEVICE_ATTR(enable_clkb1_output, S_IWUGO, NULL, ++static DEVICE_ATTR(enable_clkb1_output, (S_IWUSR|S_IWGRP), NULL, + store_enable_clkb1_output); + + +@@ -435,7 +435,7 @@ static ssize_t store_enable_clka1_output + return strnlen(buf, count); + } + +-static DEVICE_ATTR(enable_clka1_output, S_IWUGO, NULL, ++static DEVICE_ATTR(enable_clka1_output, (S_IWUSR|S_IWGRP), NULL, + store_enable_clka1_output); + + static ssize_t store_enable_clkb0_output(struct device *d, +@@ -456,7 +456,7 @@ static ssize_t store_enable_clkb0_output + return strnlen(buf, count); + } + +-static DEVICE_ATTR(enable_clkb0_output, S_IWUGO, NULL, ++static DEVICE_ATTR(enable_clkb0_output, (S_IWUSR|S_IWGRP), NULL, + store_enable_clkb0_output); + + static ssize_t store_enable_clka0_output(struct device *d, +@@ -477,7 +477,7 @@ static ssize_t store_enable_clka0_output + return strnlen(buf, count); + } + +-static DEVICE_ATTR(enable_clka0_output, S_IWUGO, NULL, ++static DEVICE_ATTR(enable_clka0_output, (S_IWUSR|S_IWGRP), NULL, + store_enable_clka0_output); + + static ssize_t store_select_amcb2_transmit_clock(struct device *d, +@@ -519,7 +519,7 @@ static ssize_t store_select_amcb2_transm + return strnlen(buf, count); + } + +-static DEVICE_ATTR(select_amcb2_transmit_clock, S_IWUGO, NULL, ++static DEVICE_ATTR(select_amcb2_transmit_clock, (S_IWUSR|S_IWGRP), NULL, + store_select_amcb2_transmit_clock); + + static ssize_t store_select_amcb1_transmit_clock(struct device *d, +@@ -560,7 +560,7 @@ static ssize_t store_select_amcb1_transm + return strnlen(buf, count); + } + +-static DEVICE_ATTR(select_amcb1_transmit_clock, S_IWUGO, NULL, ++static DEVICE_ATTR(select_amcb1_transmit_clock, (S_IWUSR|S_IWGRP), NULL, + store_select_amcb1_transmit_clock); + + static ssize_t store_select_redundant_clock(struct device *d, +@@ -581,7 +581,7 @@ static ssize_t store_select_redundant_cl + return strnlen(buf, count); + } + +-static DEVICE_ATTR(select_redundant_clock, S_IWUGO, NULL, ++static DEVICE_ATTR(select_redundant_clock, (S_IWUSR|S_IWGRP), NULL, + store_select_redundant_clock); + + static ssize_t store_select_ref_frequency(struct device *d, +@@ -602,7 +602,7 @@ static ssize_t store_select_ref_frequenc + return strnlen(buf, count); + } + +-static DEVICE_ATTR(select_ref_frequency, S_IWUGO, NULL, ++static DEVICE_ATTR(select_ref_frequency, (S_IWUSR|S_IWGRP), NULL, + store_select_ref_frequency); + + static ssize_t store_filter_select(struct device *d, +@@ -623,7 +623,7 @@ static ssize_t store_filter_select(struc + return strnlen(buf, count); + } + +-static DEVICE_ATTR(filter_select, S_IWUGO, NULL, store_filter_select); ++static DEVICE_ATTR(filter_select, (S_IWUSR|S_IWGRP), NULL, store_filter_select); + + static ssize_t store_hardware_switching_mode(struct device *d, + struct device_attribute *attr, const char *buf, size_t count) +@@ -643,7 +643,7 @@ static ssize_t store_hardware_switching_ + return strnlen(buf, count); + } + +-static DEVICE_ATTR(hardware_switching_mode, S_IWUGO, NULL, ++static DEVICE_ATTR(hardware_switching_mode, (S_IWUSR|S_IWGRP), NULL, + store_hardware_switching_mode); + + static ssize_t store_hardware_switching(struct device *d, +@@ -664,7 +664,7 @@ static ssize_t store_hardware_switching( + return strnlen(buf, count); + } + +-static DEVICE_ATTR(hardware_switching, S_IWUGO, NULL, ++static DEVICE_ATTR(hardware_switching, (S_IWUSR|S_IWGRP), NULL, + store_hardware_switching); + + static ssize_t store_refalign (struct device *d, +@@ -684,7 +684,7 @@ static ssize_t store_refalign (struct de + return strnlen(buf, count); + } + +-static DEVICE_ATTR(refalign, S_IWUGO, NULL, store_refalign); ++static DEVICE_ATTR(refalign, (S_IWUSR|S_IWGRP), NULL, store_refalign); + + static ssize_t store_mode_select (struct device *d, + struct device_attribute *attr, const char *buf, size_t count) +@@ -704,7 +704,7 @@ static ssize_t store_mode_select (struct + return strnlen(buf, count); + } + +-static DEVICE_ATTR(mode_select, S_IWUGO, NULL, store_mode_select); ++static DEVICE_ATTR(mode_select, (S_IWUSR|S_IWGRP), NULL, store_mode_select); + + static ssize_t store_reset (struct device *d, + struct device_attribute *attr, const char *buf, size_t count) +@@ -724,7 +724,7 @@ static ssize_t store_reset (struct devic + return strnlen(buf, count); + } + +-static DEVICE_ATTR(reset, S_IWUGO, NULL, store_reset); ++static DEVICE_ATTR(reset, (S_IWUSR|S_IWGRP), NULL, store_reset); + + static struct attribute *tlclk_sysfs_entries[] = { + &dev_attr_current_ref.attr, +@@ -767,6 +767,7 @@ static int __init tlclk_init(void) + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); + return ret; + } ++ tlclk_major = ret; + alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); + if (!alarm_events) + goto out1; +diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c +index 53d3d06..edaee70 100644 +--- a/drivers/char/tty_io.c ++++ b/drivers/char/tty_io.c +@@ -2706,7 +2706,11 @@ #else + } + task_lock(p); + if (p->files) { +- rcu_read_lock(); ++ /* ++ * We don't take a ref to the file, so we must ++ * hold ->file_lock instead. ++ */ ++ spin_lock(&p->files->file_lock); + fdt = files_fdtable(p->files); + for (i=0; i < fdt->max_fds; i++) { + filp = fcheck_files(p->files, i); +@@ -2721,7 +2725,7 @@ #else + break; + } + } +- rcu_read_unlock(); ++ spin_unlock(&p->files->file_lock); + } + task_unlock(p); + } while_each_task_pid(session, PIDTYPE_SID, p); +diff --git a/drivers/edac/Kconfig b/drivers/edac/Kconfig +index 52f3eb4..7ecdb1e 100644 +--- a/drivers/edac/Kconfig ++++ b/drivers/edac/Kconfig +@@ -71,7 +71,7 @@ config EDAC_E7XXX + + config EDAC_E752X + tristate "Intel e752x (e7520, e7525, e7320)" +- depends on EDAC_MM_EDAC && PCI ++ depends on EDAC_MM_EDAC && PCI && HOTPLUG + help + Support for error detection and correction on the Intel + E7520, E7525, E7320 server chipsets. +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index 8e0f315..dfca749 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -478,6 +478,11 @@ static s32 i801_access(struct i2c_adapte + ret = i801_transaction(); + } + ++ /* Some BIOSes don't like it when PEC is enabled at reboot or resume ++ time, so we forcibly disable it after every transaction. */ ++ if (hwpec) ++ outb_p(0, SMBAUXCTL); ++ + if(block) + return ret; + if(ret) +diff --git a/drivers/i2c/busses/scx200_acb.c b/drivers/i2c/busses/scx200_acb.c +index d3478e0..ad44dd5 100644 +--- a/drivers/i2c/busses/scx200_acb.c ++++ b/drivers/i2c/busses/scx200_acb.c +@@ -440,7 +440,6 @@ static int __init scx200_acb_create(int + struct scx200_acb_iface *iface; + struct i2c_adapter *adapter; + int rc = 0; +- char description[64]; + + iface = kzalloc(sizeof(*iface), GFP_KERNEL); + if (!iface) { +@@ -459,8 +458,7 @@ static int __init scx200_acb_create(int + + init_MUTEX(&iface->sem); + +- snprintf(description, sizeof(description), "NatSemi SCx200 ACCESS.bus [%s]", adapter->name); +- if (request_region(base, 8, description) == 0) { ++ if (!request_region(base, 8, adapter->name)) { + dev_err(&adapter->dev, "can't allocate io 0x%x-0x%x\n", + base, base + 8-1); + rc = -EBUSY; +diff --git a/drivers/i2c/chips/m41t00.c b/drivers/i2c/chips/m41t00.c +index 2dc3d48..2836fb3 100644 +--- a/drivers/i2c/chips/m41t00.c ++++ b/drivers/i2c/chips/m41t00.c +@@ -129,13 +129,13 @@ m41t00_set_tlet(ulong arg) + if ((i2c_smbus_write_byte_data(save_client, 0, tm.tm_sec & 0x7f) < 0) + || (i2c_smbus_write_byte_data(save_client, 1, tm.tm_min & 0x7f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 2, tm.tm_hour & 0x3f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 4, tm.tm_mday & 0x3f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 5, tm.tm_mon & 0x1f) + < 0) +- || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0x7f) ++ || (i2c_smbus_write_byte_data(save_client, 6, tm.tm_year & 0xff) + < 0)) + + dev_warn(&save_client->dev,"m41t00: can't write to rtc chip\n"); +diff --git a/drivers/ide/pci/alim15x3.c b/drivers/ide/pci/alim15x3.c +index cf84350..8b24b4f 100644 +--- a/drivers/ide/pci/alim15x3.c ++++ b/drivers/ide/pci/alim15x3.c +@@ -731,6 +731,8 @@ static unsigned int __devinit ata66_ali1 + + if(m5229_revision <= 0x20) + tmpbyte = (tmpbyte & (~0x02)) | 0x01; ++ else if (m5229_revision == 0xc7) ++ tmpbyte |= 0x03; + else + tmpbyte |= 0x01; + +diff --git a/drivers/ieee1394/ohci1394.c b/drivers/ieee1394/ohci1394.c +index b6b96fa..a9a73f7 100644 +--- a/drivers/ieee1394/ohci1394.c ++++ b/drivers/ieee1394/ohci1394.c +@@ -2525,7 +2525,7 @@ static irqreturn_t ohci_irq_handler(int + if (phys_dma) { + reg_write(ohci,OHCI1394_PhyReqFilterHiSet, 0xffffffff); + reg_write(ohci,OHCI1394_PhyReqFilterLoSet, 0xffffffff); +- reg_write(ohci,OHCI1394_PhyUpperBound, 0xffff0000); ++ reg_write(ohci,OHCI1394_PhyUpperBound, 0x01000000); + } else { + reg_write(ohci,OHCI1394_PhyReqFilterHiSet, 0x00000000); + reg_write(ohci,OHCI1394_PhyReqFilterLoSet, 0x00000000); +diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c +index eca92eb..d02be4a 100644 +--- a/drivers/ieee1394/sbp2.c ++++ b/drivers/ieee1394/sbp2.c +@@ -495,22 +495,17 @@ static struct sbp2_command_info *sbp2uti + /* + * This function finds the sbp2_command for a given outstanding SCpnt. + * Only looks at the inuse list. ++ * Must be called with scsi_id->sbp2_command_orb_lock held. + */ +-static struct sbp2_command_info *sbp2util_find_command_for_SCpnt(struct scsi_id_instance_data *scsi_id, void *SCpnt) ++static struct sbp2_command_info *sbp2util_find_command_for_SCpnt( ++ struct scsi_id_instance_data *scsi_id, void *SCpnt) + { + struct sbp2_command_info *command; +- unsigned long flags; + +- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); +- if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) { +- list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) { +- if (command->Current_SCpnt == SCpnt) { +- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); ++ if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) ++ list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) ++ if (command->Current_SCpnt == SCpnt) + return command; +- } +- } +- } +- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); + return NULL; + } + +@@ -579,17 +574,15 @@ static void sbp2util_free_command_dma(st + + /* + * This function moves a command to the completed orb list. ++ * Must be called with scsi_id->sbp2_command_orb_lock held. + */ +-static void sbp2util_mark_command_completed(struct scsi_id_instance_data *scsi_id, +- struct sbp2_command_info *command) ++static void sbp2util_mark_command_completed( ++ struct scsi_id_instance_data *scsi_id, ++ struct sbp2_command_info *command) + { +- unsigned long flags; +- +- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); + list_del(&command->list); + sbp2util_free_command_dma(command); + list_add_tail(&command->list, &scsi_id->sbp2_command_orb_completed); +- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); + } + + /* +@@ -761,12 +754,17 @@ #endif + + /* Register the status FIFO address range. We could use the same FIFO + * for targets at different nodes. However we need different FIFOs per +- * target in order to support multi-unit devices. */ ++ * target in order to support multi-unit devices. ++ * The FIFO is located out of the local host controller's physical range ++ * but, if possible, within the posted write area. Status writes will ++ * then be performed as unified transactions. This slightly reduces ++ * bandwidth usage, and some Prolific based devices seem to require it. ++ */ + scsi_id->status_fifo_addr = hpsb_allocate_and_register_addrspace( + &sbp2_highlevel, ud->ne->host, &sbp2_ops, + sizeof(struct sbp2_status_block), sizeof(quadlet_t), +- ~0ULL, ~0ULL); +- if (!scsi_id->status_fifo_addr) { ++ 0x010000000000ULL, CSR1212_ALL_SPACE_END); ++ if (scsi_id->status_fifo_addr == ~0ULL) { + SBP2_ERR("failed to allocate status FIFO address range"); + goto failed_alloc; + } +@@ -2177,7 +2175,9 @@ static int sbp2_handle_status_write(stru + * Matched status with command, now grab scsi command pointers and check status + */ + SCpnt = command->Current_SCpnt; ++ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); + sbp2util_mark_command_completed(scsi_id, command); ++ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); + + if (SCpnt) { + +@@ -2491,9 +2491,20 @@ static int sbp2scsi_slave_alloc(struct s + + static int sbp2scsi_slave_configure(struct scsi_device *sdev) + { ++ struct scsi_id_instance_data *scsi_id = ++ (struct scsi_id_instance_data *)sdev->host->hostdata[0]; ++ + blk_queue_dma_alignment(sdev->request_queue, (512 - 1)); + sdev->use_10_for_rw = 1; + sdev->use_10_for_ms = 1; ++ ++ if ((scsi_id->sbp2_firmware_revision & 0xffff00) == 0x0a2700 && ++ (scsi_id->ud->model_id == 0x000021 /* gen.4 iPod */ || ++ scsi_id->ud->model_id == 0x000023 /* iPod mini */ || ++ scsi_id->ud->model_id == 0x00007e /* iPod Photo */ )) { ++ SBP2_INFO("enabling iPod workaround: decrement disk capacity"); ++ sdev->fix_capacity = 1; ++ } + return 0; + } + +@@ -2513,6 +2524,7 @@ static int sbp2scsi_abort(struct scsi_cm + (struct scsi_id_instance_data *)SCpnt->device->host->hostdata[0]; + struct sbp2scsi_host_info *hi = scsi_id->hi; + struct sbp2_command_info *command; ++ unsigned long flags; + + SBP2_ERR("aborting sbp2 command"); + scsi_print_command(SCpnt); +@@ -2523,6 +2535,7 @@ static int sbp2scsi_abort(struct scsi_cm + * Right now, just return any matching command structures + * to the free pool. + */ ++ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); + command = sbp2util_find_command_for_SCpnt(scsi_id, SCpnt); + if (command) { + SBP2_DEBUG("Found command to abort"); +@@ -2540,6 +2553,7 @@ static int sbp2scsi_abort(struct scsi_cm + command->Current_done(command->Current_SCpnt); + } + } ++ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); + + /* + * Initiate a fetch agent reset. +diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c +index ad62174..b2bed1a 100644 +--- a/drivers/input/mouse/psmouse-base.c ++++ b/drivers/input/mouse/psmouse-base.c +@@ -300,8 +300,10 @@ static irqreturn_t psmouse_interrupt(str + * Check if this is a new device announcement (0xAA 0x00) + */ + if (unlikely(psmouse->packet[0] == PSMOUSE_RET_BAT && psmouse->pktcnt <= 2)) { +- if (psmouse->pktcnt == 1) ++ if (psmouse->pktcnt == 1) { ++ psmouse->last = jiffies; + goto out; ++ } + + if (psmouse->packet[1] == PSMOUSE_RET_ID) { + __psmouse_set_state(psmouse, PSMOUSE_IGNORE); +diff --git a/drivers/macintosh/therm_adt746x.c b/drivers/macintosh/therm_adt746x.c +index 5ebfd1d..5282fec 100644 +--- a/drivers/macintosh/therm_adt746x.c ++++ b/drivers/macintosh/therm_adt746x.c +@@ -627,8 +627,8 @@ thermostat_init(void) + if(therm_type == ADT7460) + device_create_file(&of_dev->dev, &dev_attr_sensor2_fan_speed); + +-#ifndef CONFIG_I2C_KEYWEST +- request_module("i2c-keywest"); ++#ifndef CONFIG_I2C_POWERMAC ++ request_module("i2c-powermac"); + #endif + + return i2c_add_driver(&thermostat_driver); +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index f3759dd..1ed241d 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -542,8 +542,12 @@ static void snapshot_dtr(struct dm_targe + { + struct dm_snapshot *s = (struct dm_snapshot *) ti->private; + ++ /* Prevent further origin writes from using this snapshot. */ ++ /* After this returns there can be no new kcopyd jobs. */ + unregister_snapshot(s); + ++ kcopyd_client_destroy(s->kcopyd_client); ++ + exit_exception_table(&s->pending, pending_cache); + exit_exception_table(&s->complete, exception_cache); + +@@ -552,7 +556,7 @@ static void snapshot_dtr(struct dm_targe + + dm_put_device(ti, s->origin); + dm_put_device(ti, s->cow); +- kcopyd_client_destroy(s->kcopyd_client); ++ + kfree(s); + } + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 745ca1f..f6c8e8e 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -533,30 +533,35 @@ static void __clone_and_map(struct clone + + } else { + /* +- * Create two copy bios to deal with io that has +- * been split across a target. ++ * Handle a bvec that must be split between two or more targets. + */ + struct bio_vec *bv = bio->bi_io_vec + ci->idx; ++ sector_t remaining = to_sector(bv->bv_len); ++ unsigned int offset = 0; + +- clone = split_bvec(bio, ci->sector, ci->idx, +- bv->bv_offset, max); +- __map_bio(ti, clone, tio); ++ do { ++ if (offset) { ++ ti = dm_table_find_target(ci->map, ci->sector); ++ max = max_io_len(ci->md, ci->sector, ti); + +- ci->sector += max; +- ci->sector_count -= max; +- ti = dm_table_find_target(ci->map, ci->sector); +- +- len = to_sector(bv->bv_len) - max; +- clone = split_bvec(bio, ci->sector, ci->idx, +- bv->bv_offset + to_bytes(max), len); +- tio = alloc_tio(ci->md); +- tio->io = ci->io; +- tio->ti = ti; +- memset(&tio->info, 0, sizeof(tio->info)); +- __map_bio(ti, clone, tio); ++ tio = alloc_tio(ci->md); ++ tio->io = ci->io; ++ tio->ti = ti; ++ memset(&tio->info, 0, sizeof(tio->info)); ++ } ++ ++ len = min(remaining, max); ++ ++ clone = split_bvec(bio, ci->sector, ci->idx, ++ bv->bv_offset + offset, len); ++ ++ __map_bio(ti, clone, tio); ++ ++ ci->sector += len; ++ ci->sector_count -= len; ++ offset += to_bytes(len); ++ } while (remaining -= len); + +- ci->sector += len; +- ci->sector_count -= len; + ci->idx++; + } + } +@@ -1093,6 +1098,7 @@ int dm_suspend(struct mapped_device *md, + { + struct dm_table *map = NULL; + DECLARE_WAITQUEUE(wait, current); ++ struct bio *def; + int r = -EINVAL; + + down(&md->suspend_lock); +@@ -1152,9 +1158,11 @@ int dm_suspend(struct mapped_device *md, + /* were we interrupted ? */ + r = -EINTR; + if (atomic_read(&md->pending)) { ++ clear_bit(DMF_BLOCK_IO, &md->flags); ++ def = bio_list_get(&md->deferred); ++ __flush_deferred_io(md, def); + up_write(&md->io_lock); + unlock_fs(md); +- clear_bit(DMF_BLOCK_IO, &md->flags); + goto out; + } + up_write(&md->io_lock); +diff --git a/drivers/md/kcopyd.c b/drivers/md/kcopyd.c +index 8b3515f..fc009cb 100644 +--- a/drivers/md/kcopyd.c ++++ b/drivers/md/kcopyd.c +@@ -44,6 +44,9 @@ struct kcopyd_client { + struct page_list *pages; + unsigned int nr_pages; + unsigned int nr_free_pages; ++ ++ wait_queue_head_t destroyq; ++ atomic_t nr_jobs; + }; + + static struct page_list *alloc_pl(void) +@@ -293,10 +296,15 @@ static int run_complete_job(struct kcopy + int read_err = job->read_err; + unsigned int write_err = job->write_err; + kcopyd_notify_fn fn = job->fn; ++ struct kcopyd_client *kc = job->kc; + +- kcopyd_put_pages(job->kc, job->pages); ++ kcopyd_put_pages(kc, job->pages); + mempool_free(job, _job_pool); + fn(read_err, write_err, context); ++ ++ if (atomic_dec_and_test(&kc->nr_jobs)) ++ wake_up(&kc->destroyq); ++ + return 0; + } + +@@ -431,6 +439,7 @@ static void do_work(void *ignored) + */ + static void dispatch_job(struct kcopyd_job *job) + { ++ atomic_inc(&job->kc->nr_jobs); + push(&_pages_jobs, job); + wake(); + } +@@ -670,6 +679,9 @@ int kcopyd_client_create(unsigned int nr + return r; + } + ++ init_waitqueue_head(&kc->destroyq); ++ atomic_set(&kc->nr_jobs, 0); ++ + client_add(kc); + *result = kc; + return 0; +@@ -677,6 +689,9 @@ int kcopyd_client_create(unsigned int nr + + void kcopyd_client_destroy(struct kcopyd_client *kc) + { ++ /* Wait for completion of all jobs submitted by this client. */ ++ wait_event(kc->destroyq, !atomic_read(&kc->nr_jobs)); ++ + dm_io_put(kc->nr_pages); + client_free_pages(kc); + client_del(kc); +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index ab90a6d..039ed49 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1436,9 +1436,9 @@ static void raid10d(mddev_t *mddev) + sl--; + d = r10_bio->devs[sl].devnum; + rdev = conf->mirrors[d].rdev; +- atomic_add(s, &rdev->corrected_errors); + if (rdev && + test_bit(In_sync, &rdev->flags)) { ++ atomic_add(s, &rdev->corrected_errors); + if (sync_page_io(rdev->bdev, + r10_bio->devs[sl].addr + + sect + rdev->data_offset, +diff --git a/drivers/media/dvb/dvb-usb/cxusb.c b/drivers/media/dvb/dvb-usb/cxusb.c +index 162f979..356a09a 100644 +--- a/drivers/media/dvb/dvb-usb/cxusb.c ++++ b/drivers/media/dvb/dvb-usb/cxusb.c +@@ -149,6 +149,15 @@ static int cxusb_power_ctrl(struct dvb_u + return cxusb_ctrl_msg(d, CMD_POWER_OFF, &b, 1, NULL, 0); + } + ++static int cxusb_bluebird_power_ctrl(struct dvb_usb_device *d, int onoff) ++{ ++ u8 b = 0; ++ if (onoff) ++ return cxusb_ctrl_msg(d, CMD_POWER_ON, &b, 1, NULL, 0); ++ else ++ return 0; ++} ++ + static int cxusb_streaming_ctrl(struct dvb_usb_device *d, int onoff) + { + u8 buf[2] = { 0x03, 0x00 }; +@@ -505,7 +514,7 @@ static struct dvb_usb_properties cxusb_b + .size_of_priv = sizeof(struct cxusb_state), + + .streaming_ctrl = cxusb_streaming_ctrl, +- .power_ctrl = cxusb_power_ctrl, ++ .power_ctrl = cxusb_bluebird_power_ctrl, + .frontend_attach = cxusb_lgdt3303_frontend_attach, + .tuner_attach = cxusb_lgh064f_tuner_attach, + +@@ -545,7 +554,7 @@ static struct dvb_usb_properties cxusb_b + .size_of_priv = sizeof(struct cxusb_state), + + .streaming_ctrl = cxusb_streaming_ctrl, +- .power_ctrl = cxusb_power_ctrl, ++ .power_ctrl = cxusb_bluebird_power_ctrl, + .frontend_attach = cxusb_dee1601_frontend_attach, + .tuner_attach = cxusb_dee1601_tuner_attach, + +@@ -594,7 +603,7 @@ static struct dvb_usb_properties cxusb_b + .size_of_priv = sizeof(struct cxusb_state), + + .streaming_ctrl = cxusb_streaming_ctrl, +- .power_ctrl = cxusb_power_ctrl, ++ .power_ctrl = cxusb_bluebird_power_ctrl, + .frontend_attach = cxusb_mt352_frontend_attach, + .tuner_attach = cxusb_lgz201_tuner_attach, + +@@ -634,7 +643,7 @@ static struct dvb_usb_properties cxusb_b + .size_of_priv = sizeof(struct cxusb_state), + + .streaming_ctrl = cxusb_streaming_ctrl, +- .power_ctrl = cxusb_power_ctrl, ++ .power_ctrl = cxusb_bluebird_power_ctrl, + .frontend_attach = cxusb_mt352_frontend_attach, + .tuner_attach = cxusb_dtt7579_tuner_attach, + +diff --git a/drivers/media/video/Kconfig b/drivers/media/video/Kconfig +index d82c8a3..ef42a26 100644 +--- a/drivers/media/video/Kconfig ++++ b/drivers/media/video/Kconfig +@@ -349,6 +349,7 @@ config VIDEO_AUDIO_DECODER + config VIDEO_DECODER + tristate "Add support for additional video chipsets" + depends on VIDEO_DEV && I2C && EXPERIMENTAL ++ select FW_LOADER + ---help--- + Say Y here to compile drivers for SAA7115, SAA7127 and CX25840 + video decoders. +diff --git a/drivers/media/video/saa7127.c b/drivers/media/video/saa7127.c +index 992c717..9e4c178 100644 +--- a/drivers/media/video/saa7127.c ++++ b/drivers/media/video/saa7127.c +@@ -141,6 +141,7 @@ struct i2c_reg_value { + static const struct i2c_reg_value saa7129_init_config_extra[] = { + { SAA7127_REG_OUTPUT_PORT_CONTROL, 0x38 }, + { SAA7127_REG_VTRIG, 0xfa }, ++ { 0, 0 } + }; + + static const struct i2c_reg_value saa7127_init_config_common[] = { +diff --git a/drivers/media/video/tuner-types.c b/drivers/media/video/tuner-types.c +index 6fe7817..5f3d46d 100644 +--- a/drivers/media/video/tuner-types.c ++++ b/drivers/media/video/tuner-types.c +@@ -1087,8 +1087,8 @@ static struct tuner_params tuner_tnf_533 + /* ------------ TUNER_SAMSUNG_TCPN_2121P30A - Samsung NTSC ------------ */ + + static struct tuner_range tuner_samsung_tcpn_2121p30a_ntsc_ranges[] = { +- { 16 * 175.75 /*MHz*/, 0x01, }, +- { 16 * 410.25 /*MHz*/, 0x02, }, ++ { 16 * 130.00 /*MHz*/, 0x01, }, ++ { 16 * 364.50 /*MHz*/, 0x02, }, + { 16 * 999.99 , 0x08, }, + }; + +diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig +index 1fc4c13..cfe288a 100644 +--- a/drivers/mtd/nand/Kconfig ++++ b/drivers/mtd/nand/Kconfig +@@ -178,17 +178,16 @@ config MTD_NAND_DISKONCHIP_BBTWRITE + Even if you leave this disabled, you can enable BBT writes at module + load time (assuming you build diskonchip as a module) with the module + parameter "inftl_bbt_write=1". +- +- config MTD_NAND_SHARPSL +- bool "Support for NAND Flash on Sharp SL Series (C7xx + others)" +- depends on MTD_NAND && ARCH_PXA +- +- config MTD_NAND_NANDSIM +- bool "Support for NAND Flash Simulator" +- depends on MTD_NAND && MTD_PARTITIONS + ++config MTD_NAND_SHARPSL ++ tristate "Support for NAND Flash on Sharp SL Series (C7xx + others)" ++ depends on MTD_NAND && ARCH_PXA ++ ++config MTD_NAND_NANDSIM ++ tristate "Support for NAND Flash Simulator" ++ depends on MTD_NAND && MTD_PARTITIONS + help + The simulator may simulate verious NAND flash chips for the + MTD nand layer. +- ++ + endmenu +diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c +index 84dcca3..fa29402 100644 +--- a/drivers/net/e1000/e1000_main.c ++++ b/drivers/net/e1000/e1000_main.c +@@ -3851,6 +3851,7 @@ #endif + skb_shinfo(skb)->nr_frags++; + skb->len += length; + skb->data_len += length; ++ skb->truesize += length; + } + + e1000_rx_checksum(adapter, staterr, +diff --git a/drivers/net/irda/irda-usb.c b/drivers/net/irda/irda-usb.c +index 8936058..6e2ec56 100644 +--- a/drivers/net/irda/irda-usb.c ++++ b/drivers/net/irda/irda-usb.c +@@ -740,7 +740,7 @@ static void irda_usb_receive(struct urb + struct sk_buff *newskb; + struct sk_buff *dataskb; + struct urb *next_urb; +- int docopy; ++ unsigned int len, docopy; + + IRDA_DEBUG(2, "%s(), len=%d\n", __FUNCTION__, urb->actual_length); + +@@ -851,10 +851,11 @@ static void irda_usb_receive(struct urb + dataskb->dev = self->netdev; + dataskb->mac.raw = dataskb->data; + dataskb->protocol = htons(ETH_P_IRDA); ++ len = dataskb->len; + netif_rx(dataskb); + + /* Keep stats up to date */ +- self->stats.rx_bytes += dataskb->len; ++ self->stats.rx_bytes += len; + self->stats.rx_packets++; + self->netdev->last_rx = jiffies; + +diff --git a/drivers/net/sky2.c b/drivers/net/sky2.c +index 7326036..0618cd5 100644 +--- a/drivers/net/sky2.c ++++ b/drivers/net/sky2.c +@@ -579,8 +579,8 @@ static void sky2_mac_init(struct sky2_hw + reg = gma_read16(hw, port, GM_PHY_ADDR); + gma_write16(hw, port, GM_PHY_ADDR, reg | GM_PAR_MIB_CLR); + +- for (i = 0; i < GM_MIB_CNT_SIZE; i++) +- gma_read16(hw, port, GM_MIB_CNT_BASE + 8 * i); ++ for (i = GM_MIB_CNT_BASE; i <= GM_MIB_CNT_END; i += 4) ++ gma_read16(hw, port, i); + gma_write16(hw, port, GM_PHY_ADDR, reg); + + /* transmit control */ +diff --git a/drivers/net/sky2.h b/drivers/net/sky2.h +index dce955c..c91e0a4 100644 +--- a/drivers/net/sky2.h ++++ b/drivers/net/sky2.h +@@ -1380,6 +1380,7 @@ enum { + /* MIB Counters */ + #define GM_MIB_CNT_BASE 0x0100 /* Base Address of MIB Counters */ + #define GM_MIB_CNT_SIZE 44 /* Number of MIB Counters */ ++#define GM_MIB_CNT_END 0x025C /* Last MIB counter */ + + /* + * MIB Counters base address definitions (low word) - +diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c +index caf4102..7d00722 100644 +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -7368,21 +7368,23 @@ static int tg3_get_settings(struct net_d + cmd->supported |= (SUPPORTED_1000baseT_Half | + SUPPORTED_1000baseT_Full); + +- if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) ++ if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) { + cmd->supported |= (SUPPORTED_100baseT_Half | + SUPPORTED_100baseT_Full | + SUPPORTED_10baseT_Half | + SUPPORTED_10baseT_Full | + SUPPORTED_MII); +- else ++ cmd->port = PORT_TP; ++ } else { + cmd->supported |= SUPPORTED_FIBRE; ++ cmd->port = PORT_FIBRE; ++ } + + cmd->advertising = tp->link_config.advertising; + if (netif_running(dev)) { + cmd->speed = tp->link_config.active_speed; + cmd->duplex = tp->link_config.active_duplex; + } +- cmd->port = 0; + cmd->phy_address = PHY_ADDR; + cmd->transceiver = 0; + cmd->autoneg = tp->link_config.autoneg; +diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c +index 2418715..56864ff 100644 +--- a/drivers/net/via-rhine.c ++++ b/drivers/net/via-rhine.c +@@ -129,6 +129,7 @@ + - Massive clean-up + - Rewrite PHY, media handling (remove options, full_duplex, backoff) + - Fix Tx engine race for good ++ - Craig Brind: Zero padded aligned buffers for short packets. + + */ + +@@ -1306,7 +1307,12 @@ static int rhine_start_tx(struct sk_buff + rp->stats.tx_dropped++; + return 0; + } ++ ++ /* Padding is not copied and so must be redone. */ + skb_copy_and_csum_dev(skb, rp->tx_buf[entry]); ++ if (skb->len < ETH_ZLEN) ++ memset(rp->tx_buf[entry] + skb->len, 0, ++ ETH_ZLEN - skb->len); + rp->tx_skbuff_dma[entry] = 0; + rp->tx_ring[entry].addr = cpu_to_le32(rp->tx_bufs_dma + + (rp->tx_buf[entry] - +diff --git a/drivers/net/wireless/Kconfig b/drivers/net/wireless/Kconfig +index ef85d76..8101657 100644 +--- a/drivers/net/wireless/Kconfig ++++ b/drivers/net/wireless/Kconfig +@@ -239,7 +239,8 @@ config IPW2200_DEBUG + + config AIRO + tristate "Cisco/Aironet 34X/35X/4500/4800 ISA and PCI cards" +- depends on NET_RADIO && ISA_DMA_API && CRYPTO && (PCI || BROKEN) ++ depends on NET_RADIO && ISA_DMA_API && (PCI || BROKEN) ++ select CRYPTO + ---help--- + This is the standard Linux driver to support Cisco/Aironet ISA and + PCI 802.11 wireless cards. +@@ -374,6 +375,7 @@ config PCMCIA_HERMES + config PCMCIA_SPECTRUM + tristate "Symbol Spectrum24 Trilogy PCMCIA card support" + depends on NET_RADIO && PCMCIA && HERMES ++ select FW_LOADER + ---help--- + + This is a driver for 802.11b cards using RAM-loadable Symbol +@@ -387,6 +389,7 @@ config PCMCIA_SPECTRUM + config AIRO_CS + tristate "Cisco/Aironet 34X/35X/4500/4800 PCMCIA cards" + depends on NET_RADIO && PCMCIA && (BROKEN || !M32R) ++ select CRYPTO + ---help--- + This is the standard Linux driver to support Cisco/Aironet PCMCIA + 802.11 wireless cards. This driver is the same as the Aironet +diff --git a/drivers/net/wireless/hostap/hostap_80211_tx.c b/drivers/net/wireless/hostap/hostap_80211_tx.c +index 4a85e63..5f398bd 100644 +--- a/drivers/net/wireless/hostap/hostap_80211_tx.c ++++ b/drivers/net/wireless/hostap/hostap_80211_tx.c +@@ -469,7 +469,7 @@ int hostap_master_start_xmit(struct sk_b + } + + if (local->ieee_802_1x && meta->ethertype == ETH_P_PAE && tx.crypt && +- !(fc & IEEE80211_FCTL_VERS)) { ++ !(fc & IEEE80211_FCTL_PROTECTED)) { + no_encrypt = 1; + PDEBUG(DEBUG_EXTRA2, "%s: TX: IEEE 802.1X - passing " + "unencrypted EAPOL frame\n", dev->name); +diff --git a/drivers/net/wireless/ipw2200.c b/drivers/net/wireless/ipw2200.c +index 287676a..f42e51a 100644 +--- a/drivers/net/wireless/ipw2200.c ++++ b/drivers/net/wireless/ipw2200.c +@@ -8391,20 +8391,28 @@ static int ipw_wx_get_range(struct net_d + + i = 0; + if (priv->ieee->mode & (IEEE_B | IEEE_G)) { +- for (j = 0; j < geo->bg_channels && i < IW_MAX_FREQUENCIES; +- i++, j++) { ++ for (j = 0; j < geo->bg_channels && i < IW_MAX_FREQUENCIES; j++) { ++ if ((priv->ieee->iw_mode == IW_MODE_ADHOC) && ++ (geo->bg[j].flags & IEEE80211_CH_PASSIVE_ONLY)) ++ continue; ++ + range->freq[i].i = geo->bg[j].channel; + range->freq[i].m = geo->bg[j].freq * 100000; + range->freq[i].e = 1; ++ i++; + } + } + + if (priv->ieee->mode & IEEE_A) { +- for (j = 0; j < geo->a_channels && i < IW_MAX_FREQUENCIES; +- i++, j++) { ++ for (j = 0; j < geo->a_channels && i < IW_MAX_FREQUENCIES; j++) { ++ if ((priv->ieee->iw_mode == IW_MODE_ADHOC) && ++ (geo->a[j].flags & IEEE80211_CH_PASSIVE_ONLY)) ++ continue; ++ + range->freq[i].i = geo->a[j].channel; + range->freq[i].m = geo->a[j].freq * 100000; + range->freq[i].e = 1; ++ i++; + } + } + +@@ -9956,9 +9964,8 @@ static int ipw_ethtool_set_eeprom(struct + return -EINVAL; + down(&p->sem); + memcpy(&p->eeprom[eeprom->offset], bytes, eeprom->len); +- for (i = IPW_EEPROM_DATA; +- i < IPW_EEPROM_DATA + IPW_EEPROM_IMAGE_SIZE; i++) +- ipw_write8(p, i, p->eeprom[i]); ++ for (i = 0; i < IPW_EEPROM_IMAGE_SIZE; i++) ++ ipw_write8(p, i + IPW_EEPROM_DATA, p->eeprom[i]); + up(&p->sem); + return 0; + } +diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c +index 6917c6c..c2ecae5 100644 +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -33,13 +33,10 @@ acpi_query_osc ( + acpi_status status; + struct acpi_object_list input; + union acpi_object in_params[4]; +- struct acpi_buffer output; +- union acpi_object out_obj; ++ struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL}; ++ union acpi_object *out_obj; + u32 osc_dw0; + +- /* Setting up output buffer */ +- output.length = sizeof(out_obj) + 3*sizeof(u32); +- output.pointer = &out_obj; + + /* Setting up input parameters */ + input.count = 4; +@@ -61,12 +58,15 @@ acpi_query_osc ( + "Evaluate _OSC Set fails. Status = 0x%04x\n", status); + return status; + } +- if (out_obj.type != ACPI_TYPE_BUFFER) { ++ out_obj = output.pointer; ++ ++ if (out_obj->type != ACPI_TYPE_BUFFER) { + printk(KERN_DEBUG + "Evaluate _OSC returns wrong type\n"); +- return AE_TYPE; ++ status = AE_TYPE; ++ goto query_osc_out; + } +- osc_dw0 = *((u32 *) out_obj.buffer.pointer); ++ osc_dw0 = *((u32 *) out_obj->buffer.pointer); + if (osc_dw0) { + if (osc_dw0 & OSC_REQUEST_ERROR) + printk(KERN_DEBUG "_OSC request fails\n"); +@@ -76,15 +76,21 @@ acpi_query_osc ( + printk(KERN_DEBUG "_OSC invalid revision\n"); + if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) { + /* Update Global Control Set */ +- global_ctrlsets = *((u32 *)(out_obj.buffer.pointer+8)); +- return AE_OK; ++ global_ctrlsets = *((u32 *)(out_obj->buffer.pointer+8)); ++ status = AE_OK; ++ goto query_osc_out; + } +- return AE_ERROR; ++ status = AE_ERROR; ++ goto query_osc_out; + } + + /* Update Global Control Set */ +- global_ctrlsets = *((u32 *)(out_obj.buffer.pointer + 8)); +- return AE_OK; ++ global_ctrlsets = *((u32 *)(out_obj->buffer.pointer + 8)); ++ status = AE_OK; ++ ++query_osc_out: ++ kfree(output.pointer); ++ return status; + } + + +@@ -96,14 +102,10 @@ acpi_run_osc ( + acpi_status status; + struct acpi_object_list input; + union acpi_object in_params[4]; +- struct acpi_buffer output; +- union acpi_object out_obj; ++ struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL}; ++ union acpi_object *out_obj; + u32 osc_dw0; + +- /* Setting up output buffer */ +- output.length = sizeof(out_obj) + 3*sizeof(u32); +- output.pointer = &out_obj; +- + /* Setting up input parameters */ + input.count = 4; + input.pointer = in_params; +@@ -124,12 +126,14 @@ acpi_run_osc ( + "Evaluate _OSC Set fails. Status = 0x%04x\n", status); + return status; + } +- if (out_obj.type != ACPI_TYPE_BUFFER) { ++ out_obj = output.pointer; ++ if (out_obj->type != ACPI_TYPE_BUFFER) { + printk(KERN_DEBUG + "Evaluate _OSC returns wrong type\n"); +- return AE_TYPE; ++ status = AE_TYPE; ++ goto run_osc_out; + } +- osc_dw0 = *((u32 *) out_obj.buffer.pointer); ++ osc_dw0 = *((u32 *) out_obj->buffer.pointer); + if (osc_dw0) { + if (osc_dw0 & OSC_REQUEST_ERROR) + printk(KERN_DEBUG "_OSC request fails\n"); +@@ -139,11 +143,17 @@ acpi_run_osc ( + printk(KERN_DEBUG "_OSC invalid revision\n"); + if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) { + printk(KERN_DEBUG "_OSC FW not grant req. control\n"); +- return AE_SUPPORT; ++ status = AE_SUPPORT; ++ goto run_osc_out; + } +- return AE_ERROR; ++ status = AE_ERROR; ++ goto run_osc_out; + } +- return AE_OK; ++ status = AE_OK; ++ ++run_osc_out: ++ kfree(output.pointer); ++ return status; + } + + /** +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index dda6099..381f36b 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -631,6 +631,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_V + * non-x86 architectures (yes Via exists on PPC among other places), + * we must mask the PCI_INTERRUPT_LINE value versus 0xf to get + * interrupts delivered properly. ++ * ++ * Some of the on-chip devices are actually '586 devices' so they are ++ * listed here. + */ + static void quirk_via_irq(struct pci_dev *dev) + { +@@ -639,13 +642,19 @@ static void quirk_via_irq(struct pci_dev + new_irq = dev->irq & 0xf; + pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &irq); + if (new_irq != irq) { +- printk(KERN_INFO "PCI: Via IRQ fixup for %s, from %d to %d\n", ++ printk(KERN_INFO "PCI: VIA IRQ fixup for %s, from %d to %d\n", + pci_name(dev), irq, new_irq); + udelay(15); /* unknown if delay really needed */ + pci_write_config_byte(dev, PCI_INTERRUPT_LINE, new_irq); + } + } +-DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_ANY_ID, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_0, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_2, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_3, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4, quirk_via_irq); ++DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_5, quirk_via_irq); + + /* + * VIA VT82C598 has its device ID settable and many BIOSes +@@ -861,6 +870,7 @@ static void __init quirk_eisa_bridge(str + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82375, quirk_eisa_bridge ); + ++#ifndef CONFIG_ACPI_SLEEP + /* + * On ASUS P4B boards, the SMBus PCI Device within the ICH2/4 southbridge + * is not activated. The myth is that Asus said that they do not want the +@@ -872,8 +882,12 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I + * bridge. Unfortunately, this device has no subvendor/subdevice ID. So it + * becomes necessary to do this tweak in two steps -- I've chosen the Host + * bridge as trigger. ++ * ++ * Actually, leaving it unhidden and not redoing the quirk over suspend2ram ++ * will cause thermal management to break down, and causing machine to ++ * overheat. + */ +-static int __initdata asus_hides_smbus = 0; ++static int __initdata asus_hides_smbus; + + static void __init asus_hides_smbus_hostbridge(struct pci_dev *dev) + { +@@ -1008,6 +1022,8 @@ static void __init asus_hides_smbus_lpc_ + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, asus_hides_smbus_lpc_ich6 ); + ++#endif ++ + /* + * SiS 96x south bridge: BIOS typically hides SMBus device... + */ +diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c +index bb96ce1..a4333a8 100644 +--- a/drivers/pcmcia/ds.c ++++ b/drivers/pcmcia/ds.c +@@ -546,7 +546,7 @@ static int pcmcia_device_query(struct pc + tmp = vers1->str + vers1->ofs[i]; + + length = strlen(tmp) + 1; +- if ((length < 3) || (length > 255)) ++ if ((length < 2) || (length > 255)) + continue; + + p_dev->prod_id[i] = kmalloc(sizeof(char) * length, +diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c +index d9152d0..9132549 100644 +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -85,7 +85,7 @@ #include + #include "3w-9xxx.h" + + /* Globals */ +-#define TW_DRIVER_VERSION "2.26.02.005" ++#define TW_DRIVER_VERSION "2.26.02.007" + static TW_Device_Extension *twa_device_extension_list[TW_MAX_SLOT]; + static unsigned int twa_device_extension_count; + static int twa_major = -1; +@@ -1944,9 +1944,13 @@ static void twa_scsiop_execute_scsi_comp + } + if (tw_dev->srb[request_id]->use_sg == 1) { + struct scatterlist *sg = (struct scatterlist *)tw_dev->srb[request_id]->request_buffer; +- char *buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset; ++ char *buf; ++ unsigned long flags = 0; ++ local_irq_save(flags); ++ buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset; + memcpy(buf, tw_dev->generic_buffer_virt[request_id], sg->length); + kunmap_atomic(buf - sg->offset, KM_IRQ0); ++ local_irq_restore(flags); + } + } + } /* End twa_scsiop_execute_scsi_complete() */ +diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c +index 25f678d..e8e41e6 100644 +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -1508,10 +1508,12 @@ static void tw_transfer_internal(TW_Devi + struct scsi_cmnd *cmd = tw_dev->srb[request_id]; + void *buf; + unsigned int transfer_len; ++ unsigned long flags = 0; + + if (cmd->use_sg) { + struct scatterlist *sg = + (struct scatterlist *)cmd->request_buffer; ++ local_irq_save(flags); + buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset; + transfer_len = min(sg->length, len); + } else { +@@ -1526,6 +1528,7 @@ static void tw_transfer_internal(TW_Devi + + sg = (struct scatterlist *)cmd->request_buffer; + kunmap_atomic(buf - sg->offset, KM_IRQ0); ++ local_irq_restore(flags); + } + } + +diff --git a/drivers/scsi/libata-core.c b/drivers/scsi/libata-core.c +index 4f91b0d..400e9d7 100644 +--- a/drivers/scsi/libata-core.c ++++ b/drivers/scsi/libata-core.c +@@ -4293,6 +4293,7 @@ static int ata_start_drive(struct ata_po + int ata_device_resume(struct ata_port *ap, struct ata_device *dev) + { + if (ap->flags & ATA_FLAG_SUSPENDED) { ++ ata_busy_wait(ap, ATA_BUSY | ATA_DRQ, 200000); + ap->flags &= ~ATA_FLAG_SUSPENDED; + ata_set_mode(ap); + } +diff --git a/drivers/scsi/sata_mv.c b/drivers/scsi/sata_mv.c +index 2770005..b00af08 100644 +--- a/drivers/scsi/sata_mv.c ++++ b/drivers/scsi/sata_mv.c +@@ -1102,6 +1102,7 @@ static u8 mv_get_crpb_status(struct ata_ + void __iomem *port_mmio = mv_ap_base(ap); + struct mv_port_priv *pp = ap->private_data; + u32 out_ptr; ++ u8 ata_status; + + out_ptr = readl(port_mmio + EDMA_RSP_Q_OUT_PTR_OFS); + +@@ -1109,6 +1110,8 @@ static u8 mv_get_crpb_status(struct ata_ + assert(((out_ptr >> EDMA_RSP_Q_PTR_SHIFT) & MV_MAX_Q_DEPTH_MASK) == + pp->rsp_consumer); + ++ ata_status = pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT; ++ + /* increment our consumer index... */ + pp->rsp_consumer = mv_inc_q_index(&pp->rsp_consumer); + +@@ -1123,7 +1126,7 @@ static u8 mv_get_crpb_status(struct ata_ + writelfl(out_ptr, port_mmio + EDMA_RSP_Q_OUT_PTR_OFS); + + /* Return ATA status register for completed CRPB */ +- return (pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT); ++ return ata_status; + } + + /** +@@ -1192,7 +1195,6 @@ static void mv_host_intr(struct ata_host + u32 hc_irq_cause; + int shift, port, port0, hard_port, handled; + unsigned int err_mask; +- u8 ata_status = 0; + + if (hc == 0) { + port0 = 0; +@@ -1210,6 +1212,7 @@ static void mv_host_intr(struct ata_host + hc,relevant,hc_irq_cause); + + for (port = port0; port < port0 + MV_PORTS_PER_HC; port++) { ++ u8 ata_status = 0; + ap = host_set->ports[port]; + hard_port = port & MV_PORT_MASK; /* range 0-3 */ + handled = 0; /* ensure ata_status is set if handled++ */ +diff --git a/drivers/sn/ioc3.c b/drivers/sn/ioc3.c +index 93449a1..4bd05a0 100644 +--- a/drivers/sn/ioc3.c ++++ b/drivers/sn/ioc3.c +@@ -677,7 +677,7 @@ #endif + /* Track PCI-device specific data */ + pci_set_drvdata(pdev, idd); + down_write(&ioc3_devices_rwsem); +- list_add(&idd->list, &ioc3_devices); ++ list_add_tail(&idd->list, &ioc3_devices); + idd->id = ioc3_counter++; + up_write(&ioc3_devices_rwsem); + +diff --git a/drivers/sn/ioc4.c b/drivers/sn/ioc4.c +index ea75b3d..771e868 100644 +--- a/drivers/sn/ioc4.c ++++ b/drivers/sn/ioc4.c +@@ -313,7 +313,7 @@ ioc4_probe(struct pci_dev *pdev, const s + idd->idd_serial_data = NULL; + pci_set_drvdata(idd->idd_pdev, idd); + down_write(&ioc4_devices_rwsem); +- list_add(&idd->idd_list, &ioc4_devices); ++ list_add_tail(&idd->idd_list, &ioc4_devices); + up_write(&ioc4_devices_rwsem); + + /* Add this IOC4 to all submodules */ +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 7135e54..96cabeb 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1388,11 +1388,13 @@ free_interfaces: + if (dev->state != USB_STATE_ADDRESS) + usb_disable_device (dev, 1); // Skip ep0 + +- i = dev->bus_mA - cp->desc.bMaxPower * 2; +- if (i < 0) +- dev_warn(&dev->dev, "new config #%d exceeds power " +- "limit by %dmA\n", +- configuration, -i); ++ if (cp) { ++ i = dev->bus_mA - cp->desc.bMaxPower * 2; ++ if (i < 0) ++ dev_warn(&dev->dev, "new config #%d exceeds power " ++ "limit by %dmA\n", ++ configuration, -i); ++ } + + if ((ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), + USB_REQ_SET_CONFIGURATION, 0, configuration, 0, +diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c +index ebcca97..88419c6 100644 +--- a/drivers/usb/host/ehci-sched.c ++++ b/drivers/usb/host/ehci-sched.c +@@ -707,6 +707,7 @@ iso_stream_init ( + } else { + u32 addr; + int think_time; ++ int hs_transfers; + + addr = dev->ttport << 24; + if (!ehci_is_TDI(ehci) +@@ -719,6 +720,7 @@ iso_stream_init ( + think_time = dev->tt ? dev->tt->think_time : 0; + stream->tt_usecs = NS_TO_US (think_time + usb_calc_bus_time ( + dev->speed, is_input, 1, maxp)); ++ hs_transfers = max (1u, (maxp + 187) / 188); + if (is_input) { + u32 tmp; + +@@ -727,12 +729,11 @@ iso_stream_init ( + stream->usecs = HS_USECS_ISO (1); + stream->raw_mask = 1; + +- /* pessimistic c-mask */ +- tmp = usb_calc_bus_time (USB_SPEED_FULL, 1, 0, maxp) +- / (125 * 1000); +- stream->raw_mask |= 3 << (tmp + 9); ++ /* c-mask as specified in USB 2.0 11.18.4 3.c */ ++ tmp = (1 << (hs_transfers + 2)) - 1; ++ stream->raw_mask |= tmp << (8 + 2); + } else +- stream->raw_mask = smask_out [maxp / 188]; ++ stream->raw_mask = smask_out [hs_transfers - 1]; + bandwidth = stream->usecs + stream->c_usecs; + bandwidth /= 1 << (interval + 2); + +diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c +index 167f8ec..8023bb7 100644 +--- a/drivers/usb/serial/console.c ++++ b/drivers/usb/serial/console.c +@@ -54,7 +54,7 @@ static struct console usbcons; + * serial.c code, except that the specifier is "ttyUSB" instead + * of "ttyS". + */ +-static int __init usb_console_setup(struct console *co, char *options) ++static int usb_console_setup(struct console *co, char *options) + { + struct usbcons_info *info = &usbcons_info; + int baud = 9600; +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 52bdf6f..fd8a50e 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -582,14 +582,14 @@ static void option_setup_urbs(struct usb + portdata = usb_get_serial_port_data(port); + + /* Do indat endpoints first */ +- for (j = 0; j <= N_IN_URB; ++j) { ++ for (j = 0; j < N_IN_URB; ++j) { + portdata->in_urbs[j] = option_setup_urb (serial, + port->bulk_in_endpointAddress, USB_DIR_IN, port, + portdata->in_buffer[j], IN_BUFLEN, option_indat_callback); + } + + /* outdat endpoints */ +- for (j = 0; j <= N_OUT_URB; ++j) { ++ for (j = 0; j < N_OUT_URB; ++j) { + portdata->out_urbs[j] = option_setup_urb (serial, + port->bulk_out_endpointAddress, USB_DIR_OUT, port, + portdata->out_buffer[j], OUT_BUFLEN, option_outdat_callback); +diff --git a/drivers/usb/storage/Kconfig b/drivers/usb/storage/Kconfig +index 92be101..be9eec2 100644 +--- a/drivers/usb/storage/Kconfig ++++ b/drivers/usb/storage/Kconfig +@@ -48,7 +48,8 @@ config USB_STORAGE_FREECOM + + config USB_STORAGE_ISD200 + bool "ISD-200 USB/ATA Bridge support" +- depends on USB_STORAGE && BLK_DEV_IDE ++ depends on USB_STORAGE ++ depends on BLK_DEV_IDE=y || BLK_DEV_IDE=USB_STORAGE + ---help--- + Say Y here if you want to use USB Mass Store devices based + on the In-Systems Design ISD-200 USB/ATA bridge. +diff --git a/drivers/video/cfbimgblt.c b/drivers/video/cfbimgblt.c +index 910e233..8ba6152 100644 +--- a/drivers/video/cfbimgblt.c ++++ b/drivers/video/cfbimgblt.c +@@ -169,7 +169,7 @@ static inline void slow_imageblit(const + + while (j--) { + l--; +- color = (*s & 1 << (FB_BIT_NR(l))) ? fgcolor : bgcolor; ++ color = (*s & (1 << l)) ? fgcolor : bgcolor; + val |= FB_SHIFT_HIGH(color, shift); + + /* Did the bitshift spill bits to the next long? */ +diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c +index 996c7b5..b3094ae 100644 +--- a/drivers/video/fbmem.c ++++ b/drivers/video/fbmem.c +@@ -669,13 +669,19 @@ fb_write(struct file *file, const char _ + total_size = info->fix.smem_len; + + if (p > total_size) +- return 0; ++ return -EFBIG; + +- if (count >= total_size) ++ if (count > total_size) { ++ err = -EFBIG; + count = total_size; ++ } ++ ++ if (count + p > total_size) { ++ if (!err) ++ err = -ENOSPC; + +- if (count + p > total_size) + count = total_size - p; ++ } + + buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, + GFP_KERNEL); +@@ -717,7 +723,7 @@ fb_write(struct file *file, const char _ + + kfree(buffer); + +- return (err) ? err : cnt; ++ return (cnt) ? cnt : err; + } + + #ifdef CONFIG_KMOD +diff --git a/drivers/video/i810/i810_main.c b/drivers/video/i810/i810_main.c +index d8467c0..788297e 100644 +--- a/drivers/video/i810/i810_main.c ++++ b/drivers/video/i810/i810_main.c +@@ -1508,7 +1508,7 @@ static int i810fb_cursor(struct fb_info + int size = ((cursor->image.width + 7) >> 3) * + cursor->image.height; + int i; +- u8 *data = kmalloc(64 * 8, GFP_KERNEL); ++ u8 *data = kmalloc(64 * 8, GFP_ATOMIC); + + if (data == NULL) + return -ENOMEM; +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index 3ad8455..651a9e1 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -614,6 +614,7 @@ static struct dentry *v9fs_vfs_lookup(st + + sb = dir->i_sb; + v9ses = v9fs_inode2v9ses(dir); ++ dentry->d_op = &v9fs_dentry_operations; + dirfid = v9fs_fid_lookup(dentry->d_parent); + + if (!dirfid) { +@@ -681,8 +682,6 @@ static struct dentry *v9fs_vfs_lookup(st + goto FreeFcall; + + fid->qid = fcall->params.rstat.stat.qid; +- +- dentry->d_op = &v9fs_dentry_operations; + v9fs_stat2inode(&fcall->params.rstat.stat, inode, inode->i_sb); + + d_add(dentry, inode); +diff --git a/fs/char_dev.c b/fs/char_dev.c +index 21195c4..4e163af 100644 +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -15,6 +15,7 @@ #include + #include + #include + #include ++#include + + #include + #include +@@ -26,8 +27,6 @@ #endif + + static struct kobj_map *cdev_map; + +-#define MAX_PROBE_HASH 255 /* random */ +- + static DECLARE_MUTEX(chrdevs_lock); + + static struct char_device_struct { +@@ -38,93 +37,29 @@ static struct char_device_struct { + char name[64]; + struct file_operations *fops; + struct cdev *cdev; /* will die */ +-} *chrdevs[MAX_PROBE_HASH]; ++} *chrdevs[CHRDEV_MAJOR_HASH_SIZE]; + + /* index in the above */ + static inline int major_to_index(int major) + { +- return major % MAX_PROBE_HASH; +-} +- +-struct chrdev_info { +- int index; +- struct char_device_struct *cd; +-}; +- +-void *get_next_chrdev(void *dev) +-{ +- struct chrdev_info *info; +- +- if (dev == NULL) { +- info = kmalloc(sizeof(*info), GFP_KERNEL); +- if (!info) +- goto out; +- info->index=0; +- info->cd = chrdevs[info->index]; +- if (info->cd) +- goto out; +- } else { +- info = dev; +- } +- +- while (info->index < ARRAY_SIZE(chrdevs)) { +- if (info->cd) +- info->cd = info->cd->next; +- if (info->cd) +- goto out; +- /* +- * No devices on this chain, move to the next +- */ +- info->index++; +- info->cd = (info->index < ARRAY_SIZE(chrdevs)) ? +- chrdevs[info->index] : NULL; +- if (info->cd) +- goto out; +- } +- +-out: +- return info; +-} +- +-void *acquire_chrdev_list(void) +-{ +- down(&chrdevs_lock); +- return get_next_chrdev(NULL); +-} +- +-void release_chrdev_list(void *dev) +-{ +- up(&chrdevs_lock); +- kfree(dev); ++ return major % CHRDEV_MAJOR_HASH_SIZE; + } + ++#ifdef CONFIG_PROC_FS + +-int count_chrdev_list(void) ++void chrdev_show(struct seq_file *f, off_t offset) + { + struct char_device_struct *cd; +- int i, count; +- +- count = 0; + +- for (i = 0; i < ARRAY_SIZE(chrdevs) ; i++) { +- for (cd = chrdevs[i]; cd; cd = cd->next) +- count++; ++ if (offset < CHRDEV_MAJOR_HASH_SIZE) { ++ down(&chrdevs_lock); ++ for (cd = chrdevs[offset]; cd; cd = cd->next) ++ seq_printf(f, "%3d %s\n", cd->major, cd->name); ++ up(&chrdevs_lock); + } +- +- return count; + } + +-int get_chrdev_info(void *dev, int *major, char **name) +-{ +- struct chrdev_info *info = dev; +- +- if (info->cd == NULL) +- return 1; +- +- *major = info->cd->major; +- *name = info->cd->name; +- return 0; +-} ++#endif /* CONFIG_PROC_FS */ + + /* + * Register a single major with a specified minor range. +diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c +index a2c2485..3f5e38c 100644 +--- a/fs/cifs/cifsencrypt.c ++++ b/fs/cifs/cifsencrypt.c +@@ -56,9 +56,6 @@ int cifs_sign_smb(struct smb_hdr * cifs_ + int rc = 0; + char smb_signature[20]; + +- /* BB remember to initialize sequence number elsewhere and initialize mac_signing key elsewhere BB */ +- /* BB remember to add code to save expected sequence number in midQ entry BB */ +- + if((cifs_pdu == NULL) || (server == NULL)) + return -EINVAL; + +@@ -85,20 +82,33 @@ int cifs_sign_smb(struct smb_hdr * cifs_ + static int cifs_calc_signature2(const struct kvec * iov, int n_vec, + const char * key, char * signature) + { +- struct MD5Context context; +- +- if((iov == NULL) || (signature == NULL)) +- return -EINVAL; ++ struct MD5Context context; ++ int i; + +- MD5Init(&context); +- MD5Update(&context,key,CIFS_SESSION_KEY_SIZE+16); ++ if((iov == NULL) || (signature == NULL)) ++ return -EINVAL; + +-/* MD5Update(&context,cifs_pdu->Protocol,cifs_pdu->smb_buf_length); */ /* BB FIXME BB */ ++ MD5Init(&context); ++ MD5Update(&context,key,CIFS_SESSION_KEY_SIZE+16); ++ for(i=0;ii_sb); + pTcon = cifs_sb->tcon; + ++ /* ++ * Don't allow the separator character in a path component. ++ * The VFS will not allow "/", but "\" is allowed by posix. ++ */ ++ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) { ++ int i; ++ for (i = 0; i < direntry->d_name.len; i++) ++ if (direntry->d_name.name[i] == '\\') { ++ cFYI(1, ("Invalid file name")); ++ FreeXid(xid); ++ return ERR_PTR(-EINVAL); ++ } ++ } ++ + /* can not grab the rename sem here since it would + deadlock in the cases (beginning of sys_rename itself) + in which we already have the sb rename sem */ +diff --git a/fs/compat.c b/fs/compat.c +index 5333c7d..8491bb8 100644 +--- a/fs/compat.c ++++ b/fs/compat.c +@@ -1215,6 +1215,10 @@ static ssize_t compat_do_readv_writev(in + if (ret < 0) + goto out; + ++ ret = security_file_permission(file, type == READ ? MAY_READ:MAY_WRITE); ++ if (ret) ++ goto out; ++ + fnv = NULL; + if (type == READ) { + fn = file->f_op->read; +@@ -1897,7 +1901,7 @@ asmlinkage long compat_sys_ppoll(struct + } + + if (sigmask) { +- if (sigsetsize |= sizeof(compat_sigset_t)) ++ if (sigsetsize != sizeof(compat_sigset_t)) + return -EINVAL; + if (copy_from_user(&ss32, sigmask, sizeof(ss32))) + return -EFAULT; +diff --git a/fs/ext3/resize.c b/fs/ext3/resize.c +index 1041dab..14f5f6e 100644 +--- a/fs/ext3/resize.c ++++ b/fs/ext3/resize.c +@@ -974,6 +974,7 @@ int ext3_group_extend(struct super_block + if (o_blocks_count != le32_to_cpu(es->s_blocks_count)) { + ext3_warning(sb, __FUNCTION__, + "multiple resizers run on filesystem!"); ++ unlock_super(sb); + err = -EBUSY; + goto exit_put; + } +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 6f05379..ce93cf9 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -397,8 +397,12 @@ static int fuse_readpages(struct file *f + return -EINTR; + + err = read_cache_pages(mapping, pages, fuse_readpages_fill, &data); +- if (!err) +- fuse_send_readpages(data.req, file, inode); ++ if (!err) { ++ if (data.req->num_pages) ++ fuse_send_readpages(data.req, file, inode); ++ else ++ fuse_put_request(fc, data.req); ++ } + return err; + } + +diff --git a/fs/locks.c b/fs/locks.c +index 909eab8..39b038b 100644 +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -432,15 +432,14 @@ static struct lock_manager_operations le + */ + static int lease_init(struct file *filp, int type, struct file_lock *fl) + { ++ if (assign_type(fl, type) != 0) ++ return -EINVAL; ++ + fl->fl_owner = current->files; + fl->fl_pid = current->tgid; + + fl->fl_file = filp; + fl->fl_flags = FL_LEASE; +- if (assign_type(fl, type) != 0) { +- locks_free_lock(fl); +- return -EINVAL; +- } + fl->fl_start = 0; + fl->fl_end = OFFSET_MAX; + fl->fl_ops = NULL; +@@ -452,16 +451,19 @@ static int lease_init(struct file *filp, + static int lease_alloc(struct file *filp, int type, struct file_lock **flp) + { + struct file_lock *fl = locks_alloc_lock(); +- int error; ++ int error = -ENOMEM; + + if (fl == NULL) +- return -ENOMEM; ++ goto out; + + error = lease_init(filp, type, fl); +- if (error) +- return error; ++ if (error) { ++ locks_free_lock(fl); ++ fl = NULL; ++ } ++out: + *flp = fl; +- return 0; ++ return error; + } + + /* Check if two locks overlap each other. +@@ -712,8 +714,9 @@ EXPORT_SYMBOL(posix_locks_deadlock); + * at the head of the list, but that's secret knowledge known only to + * flock_lock_file and posix_lock_file. + */ +-static int flock_lock_file(struct file *filp, struct file_lock *new_fl) ++static int flock_lock_file(struct file *filp, struct file_lock *request) + { ++ struct file_lock *new_fl = NULL; + struct file_lock **before; + struct inode * inode = filp->f_dentry->d_inode; + int error = 0; +@@ -728,17 +731,19 @@ static int flock_lock_file(struct file * + continue; + if (filp != fl->fl_file) + continue; +- if (new_fl->fl_type == fl->fl_type) ++ if (request->fl_type == fl->fl_type) + goto out; + found = 1; + locks_delete_lock(before); + break; + } +- unlock_kernel(); + +- if (new_fl->fl_type == F_UNLCK) +- return 0; ++ if (request->fl_type == F_UNLCK) ++ goto out; + ++ new_fl = locks_alloc_lock(); ++ if (new_fl == NULL) ++ goto out; + /* + * If a higher-priority process was blocked on the old file lock, + * give it the opportunity to lock the file. +@@ -746,26 +751,27 @@ static int flock_lock_file(struct file * + if (found) + cond_resched(); + +- lock_kernel(); + for_each_lock(inode, before) { + struct file_lock *fl = *before; + if (IS_POSIX(fl)) + break; + if (IS_LEASE(fl)) + continue; +- if (!flock_locks_conflict(new_fl, fl)) ++ if (!flock_locks_conflict(request, fl)) + continue; + error = -EAGAIN; +- if (new_fl->fl_flags & FL_SLEEP) { +- locks_insert_block(fl, new_fl); +- } ++ if (request->fl_flags & FL_SLEEP) ++ locks_insert_block(fl, request); + goto out; + } ++ locks_copy_lock(new_fl, request); + locks_insert_lock(&inode->i_flock, new_fl); +- error = 0; ++ new_fl = NULL; + + out: + unlock_kernel(); ++ if (new_fl) ++ locks_free_lock(new_fl); + return error; + } + +@@ -1337,6 +1343,7 @@ static int __setlease(struct file *filp, + goto out; + + if (my_before != NULL) { ++ *flp = *my_before; + error = lease->fl_lmops->fl_change(my_before, arg); + goto out; + } +@@ -1529,9 +1536,7 @@ asmlinkage long sys_flock(unsigned int f + error = flock_lock_file_wait(filp, lock); + + out_free: +- if (list_empty(&lock->fl_link)) { +- locks_free_lock(lock); +- } ++ locks_free_lock(lock); + + out_putf: + fput(filp); +@@ -2212,7 +2217,12 @@ void steal_locks(fl_owner_t from) + + lock_kernel(); + j = 0; +- rcu_read_lock(); ++ ++ /* ++ * We are not taking a ref to the file structures, so ++ * we need to acquire ->file_lock. ++ */ ++ spin_lock(&files->file_lock); + fdt = files_fdtable(files); + for (;;) { + unsigned long set; +@@ -2230,7 +2240,7 @@ void steal_locks(fl_owner_t from) + set >>= 1; + } + } +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + unlock_kernel(); + } + EXPORT_SYMBOL(steal_locks); +diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c +index 6d2dfed..f61142a 100644 +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -682,7 +682,7 @@ static struct svc_procedure nfsd_proced + PROC(lookup, dirop, dirop, fhandle2, RC_NOCACHE, ST+FH+pAT+pAT), + PROC(access, access, access, fhandle, RC_NOCACHE, ST+pAT+1), + PROC(readlink, readlink, readlink, fhandle, RC_NOCACHE, ST+pAT+1+NFS3_MAXPATHLEN/4), +- PROC(read, read, read, fhandle, RC_NOCACHE, ST+pAT+4+NFSSVC_MAXBLKSIZE), ++ PROC(read, read, read, fhandle, RC_NOCACHE, ST+pAT+4+NFSSVC_MAXBLKSIZE/4), + PROC(write, write, write, fhandle, RC_REPLBUFF, ST+WC+4), + PROC(create, create, create, fhandle2, RC_REPLBUFF, ST+(1+FH+pAT)+WC), + PROC(mkdir, mkdir, create, fhandle2, RC_REPLBUFF, ST+(1+FH+pAT)+WC), +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 6d63f1d..ca8a4c4 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -975,7 +975,7 @@ #define PROC(name, argt, rest, relt, cac + */ + static struct svc_procedure nfsd_procedures4[2] = { + PROC(null, void, void, void, RC_NOCACHE, 1), +- PROC(compound, compound, compound, compound, RC_NOCACHE, NFSD_BUFSIZE) ++ PROC(compound, compound, compound, compound, RC_NOCACHE, NFSD_BUFSIZE/4) + }; + + struct svc_version nfsd_version4 = { +diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c +index 3e6b75c..06cd0db 100644 +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -553,7 +553,7 @@ static struct svc_procedure nfsd_proced + PROC(none, void, void, none, RC_NOCACHE, ST), + PROC(lookup, diropargs, diropres, fhandle, RC_NOCACHE, ST+FH+AT), + PROC(readlink, readlinkargs, readlinkres, none, RC_NOCACHE, ST+1+NFS_MAXPATHLEN/4), +- PROC(read, readargs, readres, fhandle, RC_NOCACHE, ST+AT+1+NFSSVC_MAXBLKSIZE), ++ PROC(read, readargs, readres, fhandle, RC_NOCACHE, ST+AT+1+NFSSVC_MAXBLKSIZE/4), + PROC(none, void, void, none, RC_NOCACHE, ST), + PROC(write, writeargs, attrstat, fhandle, RC_REPLBUFF, ST+AT), + PROC(create, createargs, diropres, fhandle, RC_REPLBUFF, ST+FH+AT), +diff --git a/fs/open.c b/fs/open.c +index 70e0230..f697914 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -330,7 +330,10 @@ out: + + asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length) + { +- return do_sys_ftruncate(fd, length, 1); ++ long ret = do_sys_ftruncate(fd, length, 1); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + /* LFS versions of truncate are only needed on 32 bit machines */ +@@ -342,7 +345,10 @@ asmlinkage long sys_truncate64(const cha + + asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length) + { +- return do_sys_ftruncate(fd, length, 0); ++ long ret = do_sys_ftruncate(fd, length, 0); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + #endif + +@@ -1083,20 +1089,30 @@ long do_sys_open(int dfd, const char __u + + asmlinkage long sys_open(const char __user *filename, int flags, int mode) + { ++ long ret; ++ + if (force_o_largefile()) + flags |= O_LARGEFILE; + +- return do_sys_open(AT_FDCWD, filename, flags, mode); ++ ret = do_sys_open(AT_FDCWD, filename, flags, mode); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + EXPORT_SYMBOL_GPL(sys_open); + + asmlinkage long sys_openat(int dfd, const char __user *filename, int flags, + int mode) + { ++ long ret; ++ + if (force_o_largefile()) + flags |= O_LARGEFILE; + +- return do_sys_open(dfd, filename, flags, mode); ++ ret = do_sys_open(dfd, filename, flags, mode); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + EXPORT_SYMBOL_GPL(sys_openat); + +diff --git a/fs/partitions/check.c b/fs/partitions/check.c +index f924f45..2ef03aa 100644 +--- a/fs/partitions/check.c ++++ b/fs/partitions/check.c +@@ -345,6 +345,7 @@ static char *make_block_name(struct gend + char *name; + static char *block_str = "block:"; + int size; ++ char *s; + + size = strlen(block_str) + strlen(disk->disk_name) + 1; + name = kmalloc(size, GFP_KERNEL); +@@ -352,6 +353,10 @@ static char *make_block_name(struct gend + return NULL; + strcpy(name, block_str); + strcat(name, disk->disk_name); ++ /* ewww... some of these buggers have / in name... */ ++ s = strchr(name, '/'); ++ if (s) ++ *s = '!'; + return name; + } + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 20feb75..c192cb2 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -294,16 +294,20 @@ static int proc_fd_link(struct inode *in + + files = get_files_struct(task); + if (files) { +- rcu_read_lock(); ++ /* ++ * We are not taking a ref to the file structure, so we must ++ * hold ->file_lock. ++ */ ++ spin_lock(&files->file_lock); + file = fcheck_files(files, fd); + if (file) { + *mnt = mntget(file->f_vfsmnt); + *dentry = dget(file->f_dentry); +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + return 0; + } +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + } + return -ENOENT; +@@ -1485,7 +1489,12 @@ static struct dentry *proc_lookupfd(stru + if (!files) + goto out_unlock; + inode->i_mode = S_IFLNK; +- rcu_read_lock(); ++ ++ /* ++ * We are not taking a ref to the file structure, so we must ++ * hold ->file_lock. ++ */ ++ spin_lock(&files->file_lock); + file = fcheck_files(files, fd); + if (!file) + goto out_unlock2; +@@ -1493,7 +1502,7 @@ static struct dentry *proc_lookupfd(stru + inode->i_mode |= S_IRUSR | S_IXUSR; + if (file->f_mode & 2) + inode->i_mode |= S_IWUSR | S_IXUSR; +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + inode->i_op = &proc_pid_link_inode_operations; + inode->i_size = 64; +@@ -1503,7 +1512,7 @@ static struct dentry *proc_lookupfd(stru + return NULL; + + out_unlock2: +- rcu_read_unlock(); ++ spin_unlock(&files->file_lock); + put_files_struct(files); + out_unlock: + iput(inode); +diff --git a/fs/proc/proc_misc.c b/fs/proc/proc_misc.c +index 1d24fea..0c78312 100644 +--- a/fs/proc/proc_misc.c ++++ b/fs/proc/proc_misc.c +@@ -249,144 +249,60 @@ static int cpuinfo_open(struct inode *in + return seq_open(file, &cpuinfo_op); + } + +-enum devinfo_states { +- CHR_HDR, +- CHR_LIST, +- BLK_HDR, +- BLK_LIST, +- DEVINFO_DONE +-}; +- +-struct devinfo_state { +- void *chrdev; +- void *blkdev; +- unsigned int num_records; +- unsigned int cur_record; +- enum devinfo_states state; ++static struct file_operations proc_cpuinfo_operations = { ++ .open = cpuinfo_open, ++ .read = seq_read, ++ .llseek = seq_lseek, ++ .release = seq_release, + }; + +-static void *devinfo_start(struct seq_file *f, loff_t *pos) ++static int devinfo_show(struct seq_file *f, void *v) + { +- struct devinfo_state *info = f->private; ++ int i = *(loff_t *) v; + +- if (*pos) { +- if ((info) && (*pos <= info->num_records)) +- return info; +- return NULL; ++ if (i < CHRDEV_MAJOR_HASH_SIZE) { ++ if (i == 0) ++ seq_printf(f, "Character devices:\n"); ++ chrdev_show(f, i); ++ } else { ++ i -= CHRDEV_MAJOR_HASH_SIZE; ++ if (i == 0) ++ seq_printf(f, "\nBlock devices:\n"); ++ blkdev_show(f, i); + } +- info = kmalloc(sizeof(*info), GFP_KERNEL); +- f->private = info; +- info->chrdev = acquire_chrdev_list(); +- info->blkdev = acquire_blkdev_list(); +- info->state = CHR_HDR; +- info->num_records = count_chrdev_list(); +- info->num_records += count_blkdev_list(); +- info->num_records += 2; /* Character and Block headers */ +- *pos = 1; +- info->cur_record = *pos; +- return info; ++ return 0; + } + +-static void *devinfo_next(struct seq_file *f, void *v, loff_t *pos) ++static void *devinfo_start(struct seq_file *f, loff_t *pos) + { +- int idummy; +- char *ndummy; +- struct devinfo_state *info = f->private; +- +- switch (info->state) { +- case CHR_HDR: +- info->state = CHR_LIST; +- (*pos)++; +- /*fallthrough*/ +- case CHR_LIST: +- if (get_chrdev_info(info->chrdev,&idummy,&ndummy)) { +- /* +- * The character dev list is complete +- */ +- info->state = BLK_HDR; +- } else { +- info->chrdev = get_next_chrdev(info->chrdev); +- } +- (*pos)++; +- break; +- case BLK_HDR: +- info->state = BLK_LIST; +- (*pos)++; +- break; +- case BLK_LIST: +- if (get_blkdev_info(info->blkdev,&idummy,&ndummy)) { +- /* +- * The block dev list is complete +- */ +- info->state = DEVINFO_DONE; +- } else { +- info->blkdev = get_next_blkdev(info->blkdev); +- } +- (*pos)++; +- break; +- case DEVINFO_DONE: +- (*pos)++; +- info->cur_record = *pos; +- info = NULL; +- break; +- default: +- break; +- } +- if (info) +- info->cur_record = *pos; +- return info; ++ if (*pos < (BLKDEV_MAJOR_HASH_SIZE + CHRDEV_MAJOR_HASH_SIZE)) ++ return pos; ++ return NULL; + } + +-static void devinfo_stop(struct seq_file *f, void *v) ++static void *devinfo_next(struct seq_file *f, void *v, loff_t *pos) + { +- struct devinfo_state *info = f->private; +- +- if (info) { +- release_chrdev_list(info->chrdev); +- release_blkdev_list(info->blkdev); +- f->private = NULL; +- kfree(info); +- } ++ (*pos)++; ++ if (*pos >= (BLKDEV_MAJOR_HASH_SIZE + CHRDEV_MAJOR_HASH_SIZE)) ++ return NULL; ++ return pos; + } + +-static int devinfo_show(struct seq_file *f, void *arg) +-{ +- int major; +- char *name; +- struct devinfo_state *info = f->private; +- +- switch(info->state) { +- case CHR_HDR: +- seq_printf(f,"Character devices:\n"); +- /* fallthrough */ +- case CHR_LIST: +- if (!get_chrdev_info(info->chrdev,&major,&name)) +- seq_printf(f,"%3d %s\n",major,name); +- break; +- case BLK_HDR: +- seq_printf(f,"\nBlock devices:\n"); +- /* fallthrough */ +- case BLK_LIST: +- if (!get_blkdev_info(info->blkdev,&major,&name)) +- seq_printf(f,"%3d %s\n",major,name); +- break; +- default: +- break; +- } +- +- return 0; ++static void devinfo_stop(struct seq_file *f, void *v) ++{ ++ /* Nothing to do */ + } + +-static struct seq_operations devinfo_op = { +- .start = devinfo_start, +- .next = devinfo_next, +- .stop = devinfo_stop, +- .show = devinfo_show, ++static struct seq_operations devinfo_ops = { ++ .start = devinfo_start, ++ .next = devinfo_next, ++ .stop = devinfo_stop, ++ .show = devinfo_show + }; + +-static int devinfo_open(struct inode *inode, struct file *file) ++static int devinfo_open(struct inode *inode, struct file *filp) + { +- return seq_open(file, &devinfo_op); ++ return seq_open(filp, &devinfo_ops); + } + + static struct file_operations proc_devinfo_operations = { +@@ -396,13 +312,6 @@ static struct file_operations proc_devin + .release = seq_release, + }; + +-static struct file_operations proc_cpuinfo_operations = { +- .open = cpuinfo_open, +- .read = seq_read, +- .llseek = seq_lseek, +- .release = seq_release, +-}; +- + extern struct seq_operations vmstat_op; + static int vmstat_open(struct inode *inode, struct file *file) + { +diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c +index 4063fb3..164a7d0 100644 +--- a/fs/proc/vmcore.c ++++ b/fs/proc/vmcore.c +@@ -103,8 +103,8 @@ static ssize_t read_vmcore(struct file * + size_t buflen, loff_t *fpos) + { + ssize_t acc = 0, tmp; +- size_t tsz, nr_bytes; +- u64 start; ++ size_t tsz; ++ u64 start, nr_bytes; + struct vmcore *curr_m = NULL; + + if (buflen == 0 || *fpos >= vmcore_size) +diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c +index ab8894c..9df778a 100644 +--- a/fs/reiserfs/xattr_acl.c ++++ b/fs/reiserfs/xattr_acl.c +@@ -408,8 +408,9 @@ int reiserfs_cache_default_acl(struct in + acl = reiserfs_get_acl(inode, ACL_TYPE_DEFAULT); + reiserfs_read_unlock_xattrs(inode->i_sb); + reiserfs_read_unlock_xattr_i(inode); +- ret = acl ? 1 : 0; +- posix_acl_release(acl); ++ ret = (acl && !IS_ERR(acl)); ++ if (ret) ++ posix_acl_release(acl); + } + + return ret; +diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c +index 0424d06..45862ec 100644 +--- a/fs/smbfs/dir.c ++++ b/fs/smbfs/dir.c +@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den + if (dentry->d_name.len > SMB_MAXNAMELEN) + goto out; + ++ /* Do not allow lookup of names with backslashes in */ ++ error = -EINVAL; ++ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) ++ goto out; ++ + lock_kernel(); + error = smb_proc_getattr(dentry, &finfo); + #ifdef SMBFS_PARANOIA +diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c +index c71c375..c71dd27 100644 +--- a/fs/smbfs/request.c ++++ b/fs/smbfs/request.c +@@ -339,9 +339,11 @@ #endif + /* + * On timeout or on interrupt we want to try and remove the + * request from the recvq/xmitq. ++ * First check if the request is still part of a queue. (May ++ * have been removed by some error condition) + */ + smb_lock_server(server); +- if (!(req->rq_flags & SMB_REQ_RECEIVED)) { ++ if (!list_empty(&req->rq_queue)) { + list_del_init(&req->rq_queue); + smb_rput(req); + } +diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c +index 49bd219..cfd290d 100644 +--- a/fs/sysfs/dir.c ++++ b/fs/sysfs/dir.c +@@ -302,6 +302,7 @@ void sysfs_remove_dir(struct kobject * k + * Drop reference from dget() on entrance. + */ + dput(dentry); ++ kobj->dentry = NULL; + } + + int sysfs_rename_dir(struct kobject * kobj, const char *new_name) +diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c +index d0e3d84..2ecc58c 100644 +--- a/fs/sysfs/file.c ++++ b/fs/sysfs/file.c +@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * + return -ENOMEM; + + if (count >= PAGE_SIZE) +- count = PAGE_SIZE; ++ count = PAGE_SIZE - 1; + error = copy_from_user(buffer->page,buf,count); + buffer->needs_read_fill = 1; + return error ? -EFAULT : count; +diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c +index 689f7bc..6beee6f 100644 +--- a/fs/sysfs/inode.c ++++ b/fs/sysfs/inode.c +@@ -227,12 +227,16 @@ void sysfs_drop_dentry(struct sysfs_dire + void sysfs_hash_and_remove(struct dentry * dir, const char * name) + { + struct sysfs_dirent * sd; +- struct sysfs_dirent * parent_sd = dir->d_fsdata; ++ struct sysfs_dirent * parent_sd; ++ ++ if (!dir) ++ return; + + if (dir->d_inode == NULL) + /* no inode means this hasn't been made visible yet */ + return; + ++ parent_sd = dir->d_fsdata; + mutex_lock(&dir->d_inode->i_mutex); + list_for_each_entry(sd, &parent_sd->s_children, s_sibling) { + if (!sd->s_element) +diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c +index e38d633..e5ce6e7 100644 +--- a/fs/sysfs/symlink.c ++++ b/fs/sysfs/symlink.c +@@ -66,6 +66,7 @@ static int sysfs_add_link(struct dentry + if (!error) + return 0; + ++ kobject_put(target); + kfree(sl->link_name); + exit2: + kfree(sl); +diff --git a/fs/xfs/linux-2.6/xfs_aops.c b/fs/xfs/linux-2.6/xfs_aops.c +index 74d8be8..a980736 100644 +--- a/fs/xfs/linux-2.6/xfs_aops.c ++++ b/fs/xfs/linux-2.6/xfs_aops.c +@@ -616,7 +616,7 @@ xfs_is_delayed_page( + acceptable = (type == IOMAP_UNWRITTEN); + else if (buffer_delay(bh)) + acceptable = (type == IOMAP_DELAY); +- else if (buffer_mapped(bh)) ++ else if (buffer_dirty(bh) && buffer_mapped(bh)) + acceptable = (type == 0); + else + break; +diff --git a/fs/xfs/linux-2.6/xfs_iops.c b/fs/xfs/linux-2.6/xfs_iops.c +index d7f6f2d..43808e2 100644 +--- a/fs/xfs/linux-2.6/xfs_iops.c ++++ b/fs/xfs/linux-2.6/xfs_iops.c +@@ -673,8 +673,7 @@ linvfs_setattr( + if (ia_valid & ATTR_ATIME) { + vattr.va_mask |= XFS_AT_ATIME; + vattr.va_atime = attr->ia_atime; +- if (ia_valid & ATTR_ATIME_SET) +- inode->i_atime = attr->ia_atime; ++ inode->i_atime = attr->ia_atime; + } + if (ia_valid & ATTR_MTIME) { + vattr.va_mask |= XFS_AT_MTIME; +diff --git a/include/asm-i386/cpufeature.h b/include/asm-i386/cpufeature.h +index c4ec2a4..9d15eec 100644 +--- a/include/asm-i386/cpufeature.h ++++ b/include/asm-i386/cpufeature.h +@@ -70,6 +70,7 @@ #define X86_FEATURE_K7 (3*32+ 5) /* Ath + #define X86_FEATURE_P3 (3*32+ 6) /* P3 */ + #define X86_FEATURE_P4 (3*32+ 7) /* P4 */ + #define X86_FEATURE_CONSTANT_TSC (3*32+ 8) /* TSC ticks at a constant rate */ ++#define X86_FEATURE_FXSAVE_LEAK (3*32+10) /* FXSAVE leaks FOP/FIP/FOP */ + + /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ + #define X86_FEATURE_XMM3 (4*32+ 0) /* Streaming SIMD Extensions-3 */ +diff --git a/include/asm-i386/i387.h b/include/asm-i386/i387.h +index 152d0ba..bc1d6ed 100644 +--- a/include/asm-i386/i387.h ++++ b/include/asm-i386/i387.h +@@ -13,6 +13,7 @@ #define __ASM_I386_I387_H + + #include + #include ++#include + #include + #include + #include +@@ -38,17 +39,38 @@ #define restore_fpu(tsk) \ + extern void kernel_fpu_begin(void); + #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0) + ++/* We need a safe address that is cheap to find and that is already ++ in L1 during context switch. The best choices are unfortunately ++ different for UP and SMP */ ++#ifdef CONFIG_SMP ++#define safe_address (__per_cpu_offset[0]) ++#else ++#define safe_address (kstat_cpu(0).cpustat.user) ++#endif ++ + /* + * These must be called with preempt disabled + */ + static inline void __save_init_fpu( struct task_struct *tsk ) + { ++ /* Use more nops than strictly needed in case the compiler ++ varies code */ + alternative_input( +- "fnsave %1 ; fwait ;" GENERIC_NOP2, +- "fxsave %1 ; fnclex", ++ "fnsave %[fx] ;fwait;" GENERIC_NOP8 GENERIC_NOP4, ++ "fxsave %[fx]\n" ++ "bt $7,%[fsw] ; jnc 1f ; fnclex\n1:", + X86_FEATURE_FXSR, +- "m" (tsk->thread.i387.fxsave) +- :"memory"); ++ [fx] "m" (tsk->thread.i387.fxsave), ++ [fsw] "m" (tsk->thread.i387.fxsave.swd) : "memory"); ++ /* AMD K7/K8 CPUs don't save/restore FDP/FIP/FOP unless an exception ++ is pending. Clear the x87 state here by setting it to fixed ++ values. safe_address is a random variable that should be in L1 */ ++ alternative_input( ++ GENERIC_NOP8 GENERIC_NOP2, ++ "emms\n\t" /* clear stack tags */ ++ "fildl %[addr]", /* set F?P to defined value */ ++ X86_FEATURE_FXSAVE_LEAK, ++ [addr] "m" (safe_address)); + task_thread_info(tsk)->status &= ~TS_USEDFPU; + } + +diff --git a/include/asm-i386/pgtable-2level.h b/include/asm-i386/pgtable-2level.h +index 74ef721..d76c61d 100644 +--- a/include/asm-i386/pgtable-2level.h ++++ b/include/asm-i386/pgtable-2level.h +@@ -18,6 +18,9 @@ #define set_pte_at(mm,addr,ptep,pteval) + #define set_pte_atomic(pteptr, pteval) set_pte(pteptr,pteval) + #define set_pmd(pmdptr, pmdval) (*(pmdptr) = (pmdval)) + ++#define pte_clear(mm,addr,xp) do { set_pte_at(mm, addr, xp, __pte(0)); } while (0) ++#define pmd_clear(xp) do { set_pmd(xp, __pmd(0)); } while (0) ++ + #define ptep_get_and_clear(mm,addr,xp) __pte(xchg(&(xp)->pte_low, 0)) + #define pte_same(a, b) ((a).pte_low == (b).pte_low) + #define pte_page(x) pfn_to_page(pte_pfn(x)) +diff --git a/include/asm-i386/pgtable-3level.h b/include/asm-i386/pgtable-3level.h +index f1a8b45..3dda0f6 100644 +--- a/include/asm-i386/pgtable-3level.h ++++ b/include/asm-i386/pgtable-3level.h +@@ -85,6 +85,26 @@ ((unsigned long) __va(pud_val(pud) & PAG + #define pmd_offset(pud, address) ((pmd_t *) pud_page(*(pud)) + \ + pmd_index(address)) + ++/* ++ * For PTEs and PDEs, we must clear the P-bit first when clearing a page table ++ * entry, so clear the bottom half first and enforce ordering with a compiler ++ * barrier. ++ */ ++static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep) ++{ ++ ptep->pte_low = 0; ++ smp_wmb(); ++ ptep->pte_high = 0; ++} ++ ++static inline void pmd_clear(pmd_t *pmd) ++{ ++ u32 *tmp = (u32 *)pmd; ++ *tmp = 0; ++ smp_wmb(); ++ *(tmp + 1) = 0; ++} ++ + static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep) + { + pte_t res; +diff --git a/include/asm-i386/pgtable.h b/include/asm-i386/pgtable.h +index 088a945..6313403 100644 +--- a/include/asm-i386/pgtable.h ++++ b/include/asm-i386/pgtable.h +@@ -204,12 +204,10 @@ #undef TEST_ACCESS_OK + extern unsigned long pg0[]; + + #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE)) +-#define pte_clear(mm,addr,xp) do { set_pte_at(mm, addr, xp, __pte(0)); } while (0) + + /* To avoid harmful races, pmd_none(x) should check only the lower when PAE */ + #define pmd_none(x) (!(unsigned long)pmd_val(x)) + #define pmd_present(x) (pmd_val(x) & _PAGE_PRESENT) +-#define pmd_clear(xp) do { set_pmd(xp, __pmd(0)); } while (0) + #define pmd_bad(x) ((pmd_val(x) & (~PAGE_MASK & ~_PAGE_USER)) != _KERNPG_TABLE) + + +@@ -269,7 +267,7 @@ static inline pte_t ptep_get_and_clear_f + pte_t pte; + if (full) { + pte = *ptep; +- *ptep = __pte(0); ++ pte_clear(mm, addr, ptep); + } else { + pte = ptep_get_and_clear(mm, addr, ptep); + } +diff --git a/include/asm-m32r/smp.h b/include/asm-m32r/smp.h +index 7885b7d..1184293 100644 +--- a/include/asm-m32r/smp.h ++++ b/include/asm-m32r/smp.h +@@ -67,7 +67,8 @@ #define cpu_to_physid(cpu_id) cpu_2_phys + #define raw_smp_processor_id() (current_thread_info()->cpu) + + extern cpumask_t cpu_callout_map; +-#define cpu_possible_map cpu_callout_map ++extern cpumask_t cpu_possible_map; ++extern cpumask_t cpu_present_map; + + static __inline__ int hard_smp_processor_id(void) + { +diff --git a/include/asm-m32r/uaccess.h b/include/asm-m32r/uaccess.h +index e8ae619..819cc28 100644 +--- a/include/asm-m32r/uaccess.h ++++ b/include/asm-m32r/uaccess.h +@@ -5,17 +5,9 @@ #define _ASM_M32R_UACCESS_H + * linux/include/asm-m32r/uaccess.h + * + * M32R version. +- * Copyright (C) 2004 Hirokazu Takata ++ * Copyright (C) 2004, 2006 Hirokazu Takata + */ + +-#undef UACCESS_DEBUG +- +-#ifdef UACCESS_DEBUG +-#define UAPRINTK(args...) printk(args) +-#else +-#define UAPRINTK(args...) +-#endif /* UACCESS_DEBUG */ +- + /* + * User space memory access functions + */ +@@ -38,27 +30,29 @@ #define VERIFY_WRITE 1 + #define MAKE_MM_SEG(s) ((mm_segment_t) { (s) }) + + #ifdef CONFIG_MMU ++ + #define KERNEL_DS MAKE_MM_SEG(0xFFFFFFFF) + #define USER_DS MAKE_MM_SEG(PAGE_OFFSET) +-#else +-#define KERNEL_DS MAKE_MM_SEG(0xFFFFFFFF) +-#define USER_DS MAKE_MM_SEG(0xFFFFFFFF) +-#endif /* CONFIG_MMU */ +- + #define get_ds() (KERNEL_DS) +-#ifdef CONFIG_MMU + #define get_fs() (current_thread_info()->addr_limit) + #define set_fs(x) (current_thread_info()->addr_limit = (x)) +-#else ++ ++#else /* not CONFIG_MMU */ ++ ++#define KERNEL_DS MAKE_MM_SEG(0xFFFFFFFF) ++#define USER_DS MAKE_MM_SEG(0xFFFFFFFF) ++#define get_ds() (KERNEL_DS) ++ + static inline mm_segment_t get_fs(void) + { +- return USER_DS; ++ return USER_DS; + } + + static inline void set_fs(mm_segment_t s) + { + } +-#endif /* CONFIG_MMU */ ++ ++#endif /* not CONFIG_MMU */ + + #define segment_eq(a,b) ((a).seg == (b).seg) + +@@ -83,9 +77,9 @@ #define __range_ok(addr,size) ({ \ + " subx %0, %0\n" \ + " cmpu %4, %1\n" \ + " subx %0, %5\n" \ +- : "=&r"(flag), "=r"(sum) \ +- : "1"(addr), "r"((int)(size)), \ +- "r"(current_thread_info()->addr_limit.seg), "r"(0) \ ++ : "=&r" (flag), "=r" (sum) \ ++ : "1" (addr), "r" ((int)(size)), \ ++ "r" (current_thread_info()->addr_limit.seg), "r" (0) \ + : "cbit" ); \ + flag; }) + +@@ -113,10 +107,10 @@ #define access_ok(type,addr,size) (likel + #else + static inline int access_ok(int type, const void *addr, unsigned long size) + { +- extern unsigned long memory_start, memory_end; +- unsigned long val = (unsigned long)addr; ++ extern unsigned long memory_start, memory_end; ++ unsigned long val = (unsigned long)addr; + +- return ((val >= memory_start) && ((val + size) < memory_end)); ++ return ((val >= memory_start) && ((val + size) < memory_end)); + } + #endif /* CONFIG_MMU */ + +@@ -155,39 +149,6 @@ extern int fixup_exception(struct pt_reg + * accesses to the same area of user memory). + */ + +-extern void __get_user_1(void); +-extern void __get_user_2(void); +-extern void __get_user_4(void); +- +-#ifndef MODULE +-#define __get_user_x(size,ret,x,ptr) \ +- __asm__ __volatile__( \ +- " mv r0, %0\n" \ +- " mv r1, %1\n" \ +- " bl __get_user_" #size "\n" \ +- " mv %0, r0\n" \ +- " mv %1, r1\n" \ +- : "=r"(ret), "=r"(x) \ +- : "0"(ptr) \ +- : "r0", "r1", "r14" ) +-#else /* MODULE */ +-/* +- * Use "jl" instead of "bl" for MODULE +- */ +-#define __get_user_x(size,ret,x,ptr) \ +- __asm__ __volatile__( \ +- " mv r0, %0\n" \ +- " mv r1, %1\n" \ +- " seth lr, #high(__get_user_" #size ")\n" \ +- " or3 lr, lr, #low(__get_user_" #size ")\n" \ +- " jl lr\n" \ +- " mv %0, r0\n" \ +- " mv %1, r1\n" \ +- : "=r"(ret), "=r"(x) \ +- : "0"(ptr) \ +- : "r0", "r1", "r14" ) +-#endif +- + /* Careful: we have to cast the result to the type of the pointer for sign + reasons */ + /** +@@ -208,20 +169,7 @@ #endif + * On error, the variable @x is set to zero. + */ + #define get_user(x,ptr) \ +-({ int __ret_gu; \ +- unsigned long __val_gu; \ +- __chk_user_ptr(ptr); \ +- switch(sizeof (*(ptr))) { \ +- case 1: __get_user_x(1,__ret_gu,__val_gu,ptr); break; \ +- case 2: __get_user_x(2,__ret_gu,__val_gu,ptr); break; \ +- case 4: __get_user_x(4,__ret_gu,__val_gu,ptr); break; \ +- default: __get_user_x(X,__ret_gu,__val_gu,ptr); break; \ +- } \ +- (x) = (__typeof__(*(ptr)))__val_gu; \ +- __ret_gu; \ +-}) +- +-extern void __put_user_bad(void); ++ __get_user_check((x),(ptr),sizeof(*(ptr))) + + /** + * put_user: - Write a simple value into user space. +@@ -240,8 +188,7 @@ extern void __put_user_bad(void); + * Returns zero on success, or -EFAULT on error. + */ + #define put_user(x,ptr) \ +- __put_user_check((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) +- ++ __put_user_check((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) + + /** + * __get_user: - Get a simple variable from user space, with less checking. +@@ -264,8 +211,64 @@ #define put_user(x,ptr) \ + * On error, the variable @x is set to zero. + */ + #define __get_user(x,ptr) \ +- __get_user_nocheck((x),(ptr),sizeof(*(ptr))) ++ __get_user_nocheck((x),(ptr),sizeof(*(ptr))) + ++#define __get_user_nocheck(x,ptr,size) \ ++({ \ ++ long __gu_err = 0; \ ++ unsigned long __gu_val; \ ++ might_sleep(); \ ++ __get_user_size(__gu_val,(ptr),(size),__gu_err); \ ++ (x) = (__typeof__(*(ptr)))__gu_val; \ ++ __gu_err; \ ++}) ++ ++#define __get_user_check(x,ptr,size) \ ++({ \ ++ long __gu_err = -EFAULT; \ ++ unsigned long __gu_val = 0; \ ++ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ ++ might_sleep(); \ ++ if (access_ok(VERIFY_READ,__gu_addr,size)) \ ++ __get_user_size(__gu_val,__gu_addr,(size),__gu_err); \ ++ (x) = (__typeof__(*(ptr)))__gu_val; \ ++ __gu_err; \ ++}) ++ ++extern long __get_user_bad(void); ++ ++#define __get_user_size(x,ptr,size,retval) \ ++do { \ ++ retval = 0; \ ++ __chk_user_ptr(ptr); \ ++ switch (size) { \ ++ case 1: __get_user_asm(x,ptr,retval,"ub"); break; \ ++ case 2: __get_user_asm(x,ptr,retval,"uh"); break; \ ++ case 4: __get_user_asm(x,ptr,retval,""); break; \ ++ default: (x) = __get_user_bad(); \ ++ } \ ++} while (0) ++ ++#define __get_user_asm(x, addr, err, itype) \ ++ __asm__ __volatile__( \ ++ " .fillinsn\n" \ ++ "1: ld"itype" %1,@%2\n" \ ++ " .fillinsn\n" \ ++ "2:\n" \ ++ ".section .fixup,\"ax\"\n" \ ++ " .balign 4\n" \ ++ "3: ldi %0,%3\n" \ ++ " seth r14,#high(2b)\n" \ ++ " or3 r14,r14,#low(2b)\n" \ ++ " jmp r14\n" \ ++ ".previous\n" \ ++ ".section __ex_table,\"a\"\n" \ ++ " .balign 4\n" \ ++ " .long 1b,3b\n" \ ++ ".previous" \ ++ : "=&r" (err), "=&r" (x) \ ++ : "r" (addr), "i" (-EFAULT), "0" (err) \ ++ : "r14", "memory") + + /** + * __put_user: - Write a simple value into user space, with less checking. +@@ -287,11 +290,13 @@ #define __get_user(x,ptr) \ + * Returns zero on success, or -EFAULT on error. + */ + #define __put_user(x,ptr) \ +- __put_user_nocheck((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) ++ __put_user_nocheck((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr))) ++ + + #define __put_user_nocheck(x,ptr,size) \ + ({ \ + long __pu_err; \ ++ might_sleep(); \ + __put_user_size((x),(ptr),(size),__pu_err); \ + __pu_err; \ + }) +@@ -308,28 +313,28 @@ ({ \ + }) + + #if defined(__LITTLE_ENDIAN__) +-#define __put_user_u64(x, addr, err) \ +- __asm__ __volatile__( \ +- " .fillinsn\n" \ +- "1: st %L1,@%2\n" \ +- " .fillinsn\n" \ +- "2: st %H1,@(4,%2)\n" \ +- " .fillinsn\n" \ +- "3:\n" \ +- ".section .fixup,\"ax\"\n" \ +- " .balign 4\n" \ +- "4: ldi %0,%3\n" \ +- " seth r14,#high(3b)\n" \ +- " or3 r14,r14,#low(3b)\n" \ +- " jmp r14\n" \ +- ".previous\n" \ +- ".section __ex_table,\"a\"\n" \ +- " .balign 4\n" \ +- " .long 1b,4b\n" \ +- " .long 2b,4b\n" \ +- ".previous" \ +- : "=&r"(err) \ +- : "r"(x), "r"(addr), "i"(-EFAULT), "0"(err) \ ++#define __put_user_u64(x, addr, err) \ ++ __asm__ __volatile__( \ ++ " .fillinsn\n" \ ++ "1: st %L1,@%2\n" \ ++ " .fillinsn\n" \ ++ "2: st %H1,@(4,%2)\n" \ ++ " .fillinsn\n" \ ++ "3:\n" \ ++ ".section .fixup,\"ax\"\n" \ ++ " .balign 4\n" \ ++ "4: ldi %0,%3\n" \ ++ " seth r14,#high(3b)\n" \ ++ " or3 r14,r14,#low(3b)\n" \ ++ " jmp r14\n" \ ++ ".previous\n" \ ++ ".section __ex_table,\"a\"\n" \ ++ " .balign 4\n" \ ++ " .long 1b,4b\n" \ ++ " .long 2b,4b\n" \ ++ ".previous" \ ++ : "=&r" (err) \ ++ : "r" (x), "r" (addr), "i" (-EFAULT), "0" (err) \ + : "r14", "memory") + + #elif defined(__BIG_ENDIAN__) +@@ -353,13 +358,15 @@ #define __put_user_u64(x, addr, err) + " .long 1b,4b\n" \ + " .long 2b,4b\n" \ + ".previous" \ +- : "=&r"(err) \ +- : "r"(x), "r"(addr), "i"(-EFAULT), "0"(err) \ ++ : "=&r" (err) \ ++ : "r" (x), "r" (addr), "i" (-EFAULT), "0" (err) \ + : "r14", "memory") + #else + #error no endian defined + #endif + ++extern void __put_user_bad(void); ++ + #define __put_user_size(x,ptr,size,retval) \ + do { \ + retval = 0; \ +@@ -398,52 +405,8 @@ #define __put_user_asm(x, addr, err, ity + " .balign 4\n" \ + " .long 1b,3b\n" \ + ".previous" \ +- : "=&r"(err) \ +- : "r"(x), "r"(addr), "i"(-EFAULT), "0"(err) \ +- : "r14", "memory") +- +-#define __get_user_nocheck(x,ptr,size) \ +-({ \ +- long __gu_err; \ +- unsigned long __gu_val; \ +- __get_user_size(__gu_val,(ptr),(size),__gu_err); \ +- (x) = (__typeof__(*(ptr)))__gu_val; \ +- __gu_err; \ +-}) +- +-extern long __get_user_bad(void); +- +-#define __get_user_size(x,ptr,size,retval) \ +-do { \ +- retval = 0; \ +- __chk_user_ptr(ptr); \ +- switch (size) { \ +- case 1: __get_user_asm(x,ptr,retval,"ub"); break; \ +- case 2: __get_user_asm(x,ptr,retval,"uh"); break; \ +- case 4: __get_user_asm(x,ptr,retval,""); break; \ +- default: (x) = __get_user_bad(); \ +- } \ +-} while (0) +- +-#define __get_user_asm(x, addr, err, itype) \ +- __asm__ __volatile__( \ +- " .fillinsn\n" \ +- "1: ld"itype" %1,@%2\n" \ +- " .fillinsn\n" \ +- "2:\n" \ +- ".section .fixup,\"ax\"\n" \ +- " .balign 4\n" \ +- "3: ldi %0,%3\n" \ +- " seth r14,#high(2b)\n" \ +- " or3 r14,r14,#low(2b)\n" \ +- " jmp r14\n" \ +- ".previous\n" \ +- ".section __ex_table,\"a\"\n" \ +- " .balign 4\n" \ +- " .long 1b,3b\n" \ +- ".previous" \ +- : "=&r"(err), "=&r"(x) \ +- : "r"(addr), "i"(-EFAULT), "0"(err) \ ++ : "=&r" (err) \ ++ : "r" (x), "r" (addr), "i" (-EFAULT), "0" (err) \ + : "r14", "memory") + + /* +@@ -453,7 +416,6 @@ #define __get_user_asm(x, addr, err, ity + * anything, so this is accurate. + */ + +- + /* + * Copy To/From Userspace + */ +@@ -511,8 +473,9 @@ do { \ + " .long 2b,9b\n" \ + " .long 3b,9b\n" \ + ".previous\n" \ +- : "=&r"(__dst), "=&r"(__src), "=&r"(size), "=&r"(__c) \ +- : "0"(to), "1"(from), "2"(size), "3"(size / 4) \ ++ : "=&r" (__dst), "=&r" (__src), "=&r" (size), \ ++ "=&r" (__c) \ ++ : "0" (to), "1" (from), "2" (size), "3" (size / 4) \ + : "r14", "memory"); \ + } while (0) + +@@ -573,8 +536,9 @@ do { \ + " .long 2b,7b\n" \ + " .long 3b,7b\n" \ + ".previous\n" \ +- : "=&r"(__dst), "=&r"(__src), "=&r"(size), "=&r"(__c) \ +- : "0"(to), "1"(from), "2"(size), "3"(size / 4) \ ++ : "=&r" (__dst), "=&r" (__src), "=&r" (size), \ ++ "=&r" (__c) \ ++ : "0" (to), "1" (from), "2" (size), "3" (size / 4) \ + : "r14", "memory"); \ + } while (0) + +@@ -676,7 +640,7 @@ #define __copy_from_user(to,from,n) \ + #define copy_from_user(to,from,n) \ + ({ \ + might_sleep(); \ +-__generic_copy_from_user((to),(from),(n)); \ ++ __generic_copy_from_user((to),(from),(n)); \ + }) + + long __must_check strncpy_from_user(char *dst, const char __user *src, +diff --git a/include/asm-mips/bitops.h b/include/asm-mips/bitops.h +index 8e80205..849155a 100644 +--- a/include/asm-mips/bitops.h ++++ b/include/asm-mips/bitops.h +@@ -654,7 +654,12 @@ static inline unsigned long fls(unsigned + { + #ifdef CONFIG_32BIT + #ifdef CONFIG_CPU_MIPS32 +- __asm__ ("clz %0, %1" : "=r" (word) : "r" (word)); ++ __asm__ ( ++ " .set mips32 \n" ++ " clz %0, %1 \n" ++ " .set mips0 \n" ++ : "=r" (word) ++ : "r" (word)); + + return 32 - word; + #else +@@ -678,7 +683,12 @@ #endif /* CONFIG_32BIT */ + #ifdef CONFIG_64BIT + #ifdef CONFIG_CPU_MIPS64 + +- __asm__ ("dclz %0, %1" : "=r" (word) : "r" (word)); ++ __asm__ ( ++ " .set mips64 \n" ++ " dclz %0, %1 \n" ++ " .set mips0 \n" ++ : "=r" (word) ++ : "r" (word)); + + return 64 - word; + #else +diff --git a/include/asm-mips/byteorder.h b/include/asm-mips/byteorder.h +index 584f812..4ce5bc3 100644 +--- a/include/asm-mips/byteorder.h ++++ b/include/asm-mips/byteorder.h +@@ -19,7 +19,9 @@ #ifdef CONFIG_CPU_MIPSR2 + static __inline__ __attribute_const__ __u16 ___arch__swab16(__u16 x) + { + __asm__( ++ " .set mips32r2 \n" + " wsbh %0, %1 \n" ++ " .set mips0 \n" + : "=r" (x) + : "r" (x)); + +@@ -30,8 +32,10 @@ #define __arch__swab16(x) ___arch__swab1 + static __inline__ __attribute_const__ __u32 ___arch__swab32(__u32 x) + { + __asm__( ++ " .set mips32r2 \n" + " wsbh %0, %1 \n" + " rotr %0, %0, 16 \n" ++ " .set mips0 \n" + : "=r" (x) + : "r" (x)); + +diff --git a/include/asm-mips/interrupt.h b/include/asm-mips/interrupt.h +index 7743487..50baf6b 100644 +--- a/include/asm-mips/interrupt.h ++++ b/include/asm-mips/interrupt.h +@@ -20,7 +20,9 @@ __asm__ ( + " .set reorder \n" + " .set noat \n" + #ifdef CONFIG_CPU_MIPSR2 ++ " .set mips32r2 \n" + " ei \n" ++ " .set mips0 \n" + #else + " mfc0 $1,$12 \n" + " ori $1,0x1f \n" +@@ -63,7 +65,9 @@ __asm__ ( + " .set push \n" + " .set noat \n" + #ifdef CONFIG_CPU_MIPSR2 ++ " .set mips32r2 \n" + " di \n" ++ " .set mips0 \n" + #else + " mfc0 $1,$12 \n" + " ori $1,0x1f \n" +@@ -103,8 +107,10 @@ __asm__ ( + " .set reorder \n" + " .set noat \n" + #ifdef CONFIG_CPU_MIPSR2 ++ " .set mips32r2 \n" + " di \\result \n" + " andi \\result, 1 \n" ++ " .set mips0 \n" + #else + " mfc0 \\result, $12 \n" + " ori $1, \\result, 0x1f \n" +@@ -133,9 +139,11 @@ #if defined(CONFIG_CPU_MIPSR2) && define + * Slow, but doesn't suffer from a relativly unlikely race + * condition we're having since days 1. + */ ++ " .set mips32r2 \n" + " beqz \\flags, 1f \n" + " di \n" + " ei \n" ++ " .set mips0 \n" + "1: \n" + #elif defined(CONFIG_CPU_MIPSR2) + /* +diff --git a/include/asm-mips/r4kcache.h b/include/asm-mips/r4kcache.h +index 0bcb79a..d9ee097 100644 +--- a/include/asm-mips/r4kcache.h ++++ b/include/asm-mips/r4kcache.h +@@ -37,7 +37,7 @@ #define cache_op(op,addr) \ + " cache %0, %1 \n" \ + " .set pop \n" \ + : \ +- : "i" (op), "m" (*(unsigned char *)(addr))) ++ : "i" (op), "R" (*(unsigned char *)(addr))) + + static inline void flush_icache_line_indexed(unsigned long addr) + { +diff --git a/include/asm-powerpc/floppy.h b/include/asm-powerpc/floppy.h +index e258778..608164c 100644 +--- a/include/asm-powerpc/floppy.h ++++ b/include/asm-powerpc/floppy.h +@@ -35,6 +35,7 @@ #define fd_free_irq() free_irq + #ifdef CONFIG_PCI + + #include ++#include /* for ppc64_isabridge_dev */ + + #define fd_dma_setup(addr,size,mode,io) powerpc_fd_dma_setup(addr,size,mode,io) + +@@ -52,12 +53,12 @@ static __inline__ int powerpc_fd_dma_set + if (bus_addr + && (addr != prev_addr || size != prev_size || dir != prev_dir)) { + /* different from last time -- unmap prev */ +- pci_unmap_single(NULL, bus_addr, prev_size, prev_dir); ++ pci_unmap_single(ppc64_isabridge_dev, bus_addr, prev_size, prev_dir); + bus_addr = 0; + } + + if (!bus_addr) /* need to map it */ +- bus_addr = pci_map_single(NULL, addr, size, dir); ++ bus_addr = pci_map_single(ppc64_isabridge_dev, addr, size, dir); + + /* remember this one as prev */ + prev_addr = addr; +diff --git a/include/asm-x86_64/cpufeature.h b/include/asm-x86_64/cpufeature.h +index 76bb619..662964b 100644 +--- a/include/asm-x86_64/cpufeature.h ++++ b/include/asm-x86_64/cpufeature.h +@@ -64,6 +64,7 @@ #define X86_FEATURE_CENTAUR_MCR (3*32+ 3 + #define X86_FEATURE_REP_GOOD (3*32+ 4) /* rep microcode works well on this CPU */ + #define X86_FEATURE_CONSTANT_TSC (3*32+5) /* TSC runs at constant rate */ + #define X86_FEATURE_SYNC_RDTSC (3*32+6) /* RDTSC syncs CPU core */ ++#define X86_FEATURE_FXSAVE_LEAK (3*32+7) /* FIP/FOP/FDP leaks through FXSAVE */ + + /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ + #define X86_FEATURE_XMM3 (4*32+ 0) /* Streaming SIMD Extensions-3 */ +diff --git a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h +index 876eb9a..cba8a3b 100644 +--- a/include/asm-x86_64/i387.h ++++ b/include/asm-x86_64/i387.h +@@ -72,6 +72,23 @@ #define set_fpu_cwd(t,val) ((t)->thread. + #define set_fpu_swd(t,val) ((t)->thread.i387.fxsave.swd = (val)) + #define set_fpu_fxsr_twd(t,val) ((t)->thread.i387.fxsave.twd = (val)) + ++#define X87_FSW_ES (1 << 7) /* Exception Summary */ ++ ++/* AMD CPUs don't save/restore FDP/FIP/FOP unless an exception ++ is pending. Clear the x87 state here by setting it to fixed ++ values. The kernel data segment can be sometimes 0 and sometimes ++ new user value. Both should be ok. ++ Use the PDA as safe address because it should be already in L1. */ ++static inline void clear_fpu_state(struct i387_fxsave_struct *fx) ++{ ++ if (unlikely(fx->swd & X87_FSW_ES)) ++ asm volatile("fnclex"); ++ alternative_input(ASM_NOP8 ASM_NOP2, ++ " emms\n" /* clear stack tags */ ++ " fildl %%gs:0", /* load to clear state */ ++ X86_FEATURE_FXSAVE_LEAK); ++} ++ + static inline int restore_fpu_checking(struct i387_fxsave_struct *fx) + { + int err; +@@ -119,6 +136,7 @@ #else + #endif + if (unlikely(err)) + __clear_user(fx, sizeof(struct i387_fxsave_struct)); ++ /* No need to clear here because the caller clears USED_MATH */ + return err; + } + +@@ -149,7 +167,7 @@ #else + "i" (offsetof(__typeof__(*tsk), + thread.i387.fxsave))); + #endif +- __asm__ __volatile__("fnclex"); ++ clear_fpu_state(&tsk->thread.i387.fxsave); + } + + static inline void kernel_fpu_begin(void) +diff --git a/include/linux/cpu.h b/include/linux/cpu.h +index 0ed1d48..d612b89 100644 +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -32,7 +32,7 @@ struct cpu { + }; + + extern int register_cpu(struct cpu *, int, struct node *); +-extern struct sys_device *get_cpu_sysdev(int cpu); ++extern struct sys_device *get_cpu_sysdev(unsigned cpu); + #ifdef CONFIG_HOTPLUG_CPU + extern void unregister_cpu(struct cpu *, struct node *); + #endif +diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h +index 60e56c6..a47ad70 100644 +--- a/include/linux/cpumask.h ++++ b/include/linux/cpumask.h +@@ -408,6 +408,7 @@ ({ \ + }) + + #define for_each_cpu(cpu) for_each_cpu_mask((cpu), cpu_possible_map) ++#define for_each_possible_cpu(cpu) for_each_cpu_mask((cpu), cpu_possible_map) + #define for_each_online_cpu(cpu) for_each_cpu_mask((cpu), cpu_online_map) + #define for_each_present_cpu(cpu) for_each_cpu_mask((cpu), cpu_present_map) + +diff --git a/include/linux/fb.h b/include/linux/fb.h +index 2cb19e6..2fdd8ae 100644 +--- a/include/linux/fb.h ++++ b/include/linux/fb.h +@@ -839,12 +839,10 @@ #if defined (__BIG_ENDIAN) + #define FB_LEFT_POS(bpp) (32 - bpp) + #define FB_SHIFT_HIGH(val, bits) ((val) >> (bits)) + #define FB_SHIFT_LOW(val, bits) ((val) << (bits)) +-#define FB_BIT_NR(b) (7 - (b)) + #else + #define FB_LEFT_POS(bpp) (0) + #define FB_SHIFT_HIGH(val, bits) ((val) << (bits)) + #define FB_SHIFT_LOW(val, bits) ((val) >> (bits)) +-#define FB_BIT_NR(b) (b) + #endif + + /* +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 128d008..872042f 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1383,6 +1383,7 @@ extern int bd_claim(struct block_device + extern void bd_release(struct block_device *); + + /* fs/char_dev.c */ ++#define CHRDEV_MAJOR_HASH_SIZE 255 + extern int alloc_chrdev_region(dev_t *, unsigned, unsigned, const char *); + extern int register_chrdev_region(dev_t, unsigned, const char *); + extern int register_chrdev(unsigned int, const char *, +@@ -1390,25 +1391,17 @@ extern int register_chrdev(unsigned int, + extern int unregister_chrdev(unsigned int, const char *); + extern void unregister_chrdev_region(dev_t, unsigned); + extern int chrdev_open(struct inode *, struct file *); +-extern int get_chrdev_list(char *); +-extern void *acquire_chrdev_list(void); +-extern int count_chrdev_list(void); +-extern void *get_next_chrdev(void *); +-extern int get_chrdev_info(void *, int *, char **); +-extern void release_chrdev_list(void *); ++extern void chrdev_show(struct seq_file *,off_t); + + /* fs/block_dev.c */ ++#define BLKDEV_MAJOR_HASH_SIZE 255 + #define BDEVNAME_SIZE 32 /* Largest string for a blockdev identifier */ + extern const char *__bdevname(dev_t, char *buffer); + extern const char *bdevname(struct block_device *bdev, char *buffer); + extern struct block_device *lookup_bdev(const char *); + extern struct block_device *open_bdev_excl(const char *, int, void *); + extern void close_bdev_excl(struct block_device *); +-extern void *acquire_blkdev_list(void); +-extern int count_blkdev_list(void); +-extern void *get_next_blkdev(void *); +-extern int get_blkdev_info(void *, int *, char **); +-extern void release_blkdev_list(void *); ++extern void blkdev_show(struct seq_file *,off_t); + + extern void init_special_inode(struct inode *, umode_t, dev_t); + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 498ff87..279446e 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -229,10 +229,9 @@ struct page { + unsigned long private; /* Mapping-private opaque data: + * usually used for buffer_heads + * if PagePrivate set; used for +- * swp_entry_t if PageSwapCache. +- * When page is free, this ++ * swp_entry_t if PageSwapCache; + * indicates order in the buddy +- * system. ++ * system if PG_buddy is set. + */ + struct address_space *mapping; /* If low bit clear, points to + * inode address_space, or NULL. +diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h +index d52999c..d7ce72e 100644 +--- a/include/linux/page-flags.h ++++ b/include/linux/page-flags.h +@@ -74,7 +74,9 @@ #define PG_swapcache 15 /* Swap page: s + #define PG_mappedtodisk 16 /* Has blocks allocated on-disk */ + #define PG_reclaim 17 /* To be reclaimed asap */ + #define PG_nosave_free 18 /* Free, should not be written */ +-#define PG_uncached 19 /* Page has been mapped as uncached */ ++#define PG_buddy 19 /* Page is free, on buddy lists */ ++ ++#define PG_uncached 20 /* Page has been mapped as uncached */ + + /* + * Global page accounting. One instance per CPU. Only unsigned longs are +@@ -319,6 +321,10 @@ #define PageNosaveFree(page) test_bit(PG + #define SetPageNosaveFree(page) set_bit(PG_nosave_free, &(page)->flags) + #define ClearPageNosaveFree(page) clear_bit(PG_nosave_free, &(page)->flags) + ++#define PageBuddy(page) test_bit(PG_buddy, &(page)->flags) ++#define __SetPageBuddy(page) __set_bit(PG_buddy, &(page)->flags) ++#define __ClearPageBuddy(page) __clear_bit(PG_buddy, &(page)->flags) ++ + #define PageMappedToDisk(page) test_bit(PG_mappedtodisk, &(page)->flags) + #define SetPageMappedToDisk(page) set_bit(PG_mappedtodisk, &(page)->flags) + #define ClearPageMappedToDisk(page) clear_bit(PG_mappedtodisk, &(page)->flags) +diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h +index aa6322d..6c1e347 100644 +--- a/include/linux/proc_fs.h ++++ b/include/linux/proc_fs.h +@@ -78,7 +78,7 @@ struct kcore_list { + struct vmcore { + struct list_head list; + unsigned long long paddr; +- unsigned long size; ++ unsigned long long size; + loff_t offset; + }; + +diff --git a/include/linux/raid/raid1.h b/include/linux/raid/raid1.h +index 9d5494a..3009c81 100644 +--- a/include/linux/raid/raid1.h ++++ b/include/linux/raid/raid1.h +@@ -130,6 +130,6 @@ #define R1BIO_BarrierRetry 5 + * with failure when last write completes (and all failed). + * Record that bi_end_io was called with this flag... + */ +-#define R1BIO_Returned 4 ++#define R1BIO_Returned 6 + + #endif +diff --git a/include/linux/rtc.h b/include/linux/rtc.h +index 0b2ba67..b739ac1 100644 +--- a/include/linux/rtc.h ++++ b/include/linux/rtc.h +@@ -11,8 +11,6 @@ + #ifndef _LINUX_RTC_H_ + #define _LINUX_RTC_H_ + +-#include +- + /* + * The struct used to pass data via the following ioctl. Similar to the + * struct tm in , but it needs to be here so that the kernel +@@ -95,6 +93,8 @@ #define RTC_PLL_SET _IOW('p', 0x12, stru + + #ifdef __KERNEL__ + ++#include ++ + typedef struct rtc_task { + void (*func)(void *private_data); + void *private_data; +diff --git a/include/net/ip.h b/include/net/ip.h +index fab3d5b..ed84d04 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -95,6 +95,7 @@ extern int ip_local_deliver(struct sk_b + extern int ip_mr_input(struct sk_buff *skb); + extern int ip_output(struct sk_buff *skb); + extern int ip_mc_output(struct sk_buff *skb); ++extern int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)); + extern int ip_do_nat(struct sk_buff *skb); + extern void ip_send_check(struct iphdr *ip); + extern int ip_queue_xmit(struct sk_buff *skb, int ipfragok); +diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h +index e673b2c..aa6033c 100644 +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -461,12 +461,12 @@ static inline int sctp_frag_point(const + * there is room for a param header too. + */ + #define sctp_walk_params(pos, chunk, member)\ +-_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member) ++_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) + + #define _sctp_walk_params(pos, chunk, end, member)\ + for (pos.v = chunk->member;\ + pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\ +- pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\ ++ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\ + ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\ + pos.v += WORD_ROUND(ntohs(pos.p->length))) + +@@ -477,7 +477,7 @@ #define _sctp_walk_errors(err, chunk_hdr + for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \ + sizeof(sctp_chunkhdr_t));\ + (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\ +- (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\ ++ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\ + ntohs(err->length) >= sizeof(sctp_errhdr_t); \ + err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length)))) + +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h +index 072f407..acb2ce1 100644 +--- a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -702,6 +702,7 @@ struct sctp_chunk { + __u8 tsn_gap_acked; /* Is this chunk acked by a GAP ACK? */ + __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ + __u8 tsn_missing_report; /* Data chunk missing counter. */ ++ __u8 data_accepted; /* At least 1 chunk in this packet accepted */ + }; + + void sctp_chunk_hold(struct sctp_chunk *); +diff --git a/ipc/shm.c b/ipc/shm.c +index 9162123..f409726 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -161,6 +161,8 @@ static int shm_mmap(struct file * file, + ret = shmem_mmap(file, vma); + if (ret == 0) { + vma->vm_ops = &shm_vm_ops; ++ if (!(vma->vm_flags & VM_WRITE)) ++ vma->vm_flags &= ~VM_MAYWRITE; + shm_inc(file->f_dentry->d_inode->i_ino); + } + +diff --git a/ipc/util.c b/ipc/util.c +index 8626219..303b058 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -182,8 +182,7 @@ static int grow_ary(struct ipc_ids* ids, + if(new == NULL) + return size; + new->size = newsize; +- memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size + +- sizeof(struct ipc_id_ary)); ++ memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size); + for(i=size;ip[i] = NULL; + } +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index d7e7e63..cfaa4a2 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -966,11 +966,6 @@ void audit_syscall_entry(struct task_str + if (context->in_syscall) { + struct audit_context *newctx; + +-#if defined(__NR_vm86) && defined(__NR_vm86old) +- /* vm86 mode should only be entered once */ +- if (major == __NR_vm86 || major == __NR_vm86old) +- return; +-#endif + #if AUDIT_DEBUG + printk(KERN_ERR + "audit(:%d) pid=%d in syscall=%d;" +diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c +index 867d6db..c01cead 100644 +--- a/kernel/exec_domain.c ++++ b/kernel/exec_domain.c +@@ -140,6 +140,7 @@ __set_personality(u_long personality) + ep = lookup_exec_domain(personality); + if (ep == current_thread_info()->exec_domain) { + current->personality = personality; ++ module_put(ep->module); + return 0; + } + +diff --git a/kernel/fork.c b/kernel/fork.c +index b373322..9d4e0d8 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -720,7 +720,7 @@ out_release: + free_fdset (new_fdt->open_fds, new_fdt->max_fdset); + free_fd_array(new_fdt->fd, new_fdt->max_fds); + kmem_cache_free(files_cachep, newf); +- goto out; ++ return NULL; + } + + static int copy_files(unsigned long clone_flags, struct task_struct * tsk) +diff --git a/kernel/power/process.c b/kernel/power/process.c +index 28de118..67b2cdd 100644 +--- a/kernel/power/process.c ++++ b/kernel/power/process.c +@@ -25,8 +25,7 @@ static inline int freezeable(struct task + (p->flags & PF_NOFREEZE) || + (p->exit_state == EXIT_ZOMBIE) || + (p->exit_state == EXIT_DEAD) || +- (p->state == TASK_STOPPED) || +- (p->state == TASK_TRACED)) ++ (p->state == TASK_STOPPED)) + return 0; + return 1; + } +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index d95a72c..48453c3 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -57,10 +57,6 @@ void ptrace_untrace(task_t *child) + signal_wake_up(child, 1); + } + } +- if (child->signal->flags & SIGNAL_GROUP_EXIT) { +- sigaddset(&child->pending.signal, SIGKILL); +- signal_wake_up(child, 1); +- } + spin_unlock(&child->sighand->siglock); + } + +@@ -82,7 +78,8 @@ void __ptrace_unlink(task_t *child) + SET_LINKS(child); + } + +- ptrace_untrace(child); ++ if (child->state == TASK_TRACED) ++ ptrace_untrace(child); + } + + /* +@@ -152,12 +149,34 @@ int ptrace_may_attach(struct task_struct + int ptrace_attach(struct task_struct *task) + { + int retval; +- task_lock(task); ++ + retval = -EPERM; + if (task->pid <= 1) +- goto bad; ++ goto out; + if (task->tgid == current->tgid) +- goto bad; ++ goto out; ++ ++repeat: ++ /* ++ * Nasty, nasty. ++ * ++ * We want to hold both the task-lock and the ++ * tasklist_lock for writing at the same time. ++ * But that's against the rules (tasklist_lock ++ * is taken for reading by interrupts on other ++ * cpu's that may have task_lock). ++ */ ++ task_lock(task); ++ local_irq_disable(); ++ if (!write_trylock(&tasklist_lock)) { ++ local_irq_enable(); ++ task_unlock(task); ++ do { ++ cpu_relax(); ++ } while (!write_can_lock(&tasklist_lock)); ++ goto repeat; ++ } ++ + /* the same process cannot be attached many times */ + if (task->ptrace & PT_PTRACED) + goto bad; +@@ -170,17 +189,15 @@ int ptrace_attach(struct task_struct *ta + ? PT_ATTACHED : 0); + if (capable(CAP_SYS_PTRACE)) + task->ptrace |= PT_PTRACE_CAP; +- task_unlock(task); + +- write_lock_irq(&tasklist_lock); + __ptrace_link(task, current); +- write_unlock_irq(&tasklist_lock); + + force_sig_specific(SIGSTOP, task); +- return 0; + + bad: ++ write_unlock_irq(&tasklist_lock); + task_unlock(task); ++out: + return retval; + } + +@@ -421,21 +438,22 @@ #endif + */ + int ptrace_traceme(void) + { +- int ret; ++ int ret = -EPERM; + + /* + * Are we already being traced? + */ +- if (current->ptrace & PT_PTRACED) +- return -EPERM; +- ret = security_ptrace(current->parent, current); +- if (ret) +- return -EPERM; +- /* +- * Set the ptrace bit in the process ptrace flags. +- */ +- current->ptrace |= PT_PTRACED; +- return 0; ++ task_lock(current); ++ if (!(current->ptrace & PT_PTRACED)) { ++ ret = security_ptrace(current->parent, current); ++ /* ++ * Set the ptrace bit in the process ptrace flags. ++ */ ++ if (!ret) ++ current->ptrace |= PT_PTRACED; ++ } ++ task_unlock(current); ++ return ret; + } + + /** +diff --git a/kernel/sched.c b/kernel/sched.c +index 4d46e90..4e7efac 100644 +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -237,6 +237,7 @@ #ifdef CONFIG_SMP + + task_t *migration_thread; + struct list_head migration_queue; ++ int cpu; + #endif + + #ifdef CONFIG_SCHEDSTATS +@@ -1660,6 +1661,9 @@ #ifdef CONFIG_SMP + /* + * double_rq_lock - safely lock two runqueues + * ++ * We must take them in cpu order to match code in ++ * dependent_sleeper and wake_dependent_sleeper. ++ * + * Note this does not disable interrupts like task_rq_lock, + * you need to do so manually before calling. + */ +@@ -1671,7 +1675,7 @@ static void double_rq_lock(runqueue_t *r + spin_lock(&rq1->lock); + __acquire(rq2->lock); /* Fake it out ;) */ + } else { +- if (rq1 < rq2) { ++ if (rq1->cpu < rq2->cpu) { + spin_lock(&rq1->lock); + spin_lock(&rq2->lock); + } else { +@@ -1707,7 +1711,7 @@ static void double_lock_balance(runqueue + __acquires(this_rq->lock) + { + if (unlikely(!spin_trylock(&busiest->lock))) { +- if (busiest < this_rq) { ++ if (busiest->cpu < this_rq->cpu) { + spin_unlock(&this_rq->lock); + spin_lock(&busiest->lock); + spin_lock(&this_rq->lock); +@@ -6035,6 +6039,7 @@ #ifdef CONFIG_SMP + rq->push_cpu = 0; + rq->migration_thread = NULL; + INIT_LIST_HEAD(&rq->migration_queue); ++ rq->cpu = i; + #endif + atomic_set(&rq->nr_iowait, 0); + +diff --git a/kernel/signal.c b/kernel/signal.c +index ea15410..acbccf7 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -975,7 +975,6 @@ __group_complete_signal(int sig, struct + if (t == NULL) + /* restart balancing at this thread */ + t = p->signal->curr_target = p; +- BUG_ON(t->tgid != p->tgid); + + while (!wants_signal(sig, t)) { + t = next_thread(t); +@@ -1689,6 +1688,7 @@ static void ptrace_stop(int exit_code, i + /* Let the debugger run. */ + set_current_state(TASK_TRACED); + spin_unlock_irq(¤t->sighand->siglock); ++ try_to_freeze(); + read_lock(&tasklist_lock); + if (likely(current->ptrace & PT_PTRACED) && + likely(current->parent != current->real_parent || +@@ -1942,9 +1942,9 @@ relock: + /* Let the debugger run. */ + ptrace_stop(signr, signr, info); + +- /* We're back. Did the debugger cancel the sig or group_exit? */ ++ /* We're back. Did the debugger cancel the sig? */ + signr = current->exit_code; +- if (signr == 0 || current->signal->flags & SIGNAL_GROUP_EXIT) ++ if (signr == 0) + continue; + + current->exit_code = 0; +diff --git a/kernel/sys.c b/kernel/sys.c +index f91218a..105e102 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1657,7 +1657,19 @@ asmlinkage long sys_setrlimit(unsigned i + (cputime_eq(current->signal->it_prof_expires, cputime_zero) || + new_rlim.rlim_cur <= cputime_to_secs( + current->signal->it_prof_expires))) { +- cputime_t cputime = secs_to_cputime(new_rlim.rlim_cur); ++ unsigned long rlim_cur = new_rlim.rlim_cur; ++ cputime_t cputime; ++ ++ if (rlim_cur == 0) { ++ /* ++ * The caller is asking for an immediate RLIMIT_CPU ++ * expiry. But we use the zero value to mean "it was ++ * never set". So let's cheat and make it one second ++ * instead ++ */ ++ rlim_cur = 1; ++ } ++ cputime = secs_to_cputime(rlim_cur); + read_lock(&tasklist_lock); + spin_lock_irq(¤t->sighand->siglock); + set_process_cpu_timer(current, CPUCLOCK_PROF, +diff --git a/kernel/uid16.c b/kernel/uid16.c +index aa25605..187e2a4 100644 +--- a/kernel/uid16.c ++++ b/kernel/uid16.c +@@ -20,43 +20,67 @@ #include + + asmlinkage long sys_chown16(const char __user * filename, old_uid_t user, old_gid_t group) + { +- return sys_chown(filename, low2highuid(user), low2highgid(group)); ++ long ret = sys_chown(filename, low2highuid(user), low2highgid(group)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_lchown16(const char __user * filename, old_uid_t user, old_gid_t group) + { +- return sys_lchown(filename, low2highuid(user), low2highgid(group)); ++ long ret = sys_lchown(filename, low2highuid(user), low2highgid(group)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group) + { +- return sys_fchown(fd, low2highuid(user), low2highgid(group)); ++ long ret = sys_fchown(fd, low2highuid(user), low2highgid(group)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid) + { +- return sys_setregid(low2highgid(rgid), low2highgid(egid)); ++ long ret = sys_setregid(low2highgid(rgid), low2highgid(egid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setgid16(old_gid_t gid) + { +- return sys_setgid(low2highgid(gid)); ++ long ret = sys_setgid(low2highgid(gid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid) + { +- return sys_setreuid(low2highuid(ruid), low2highuid(euid)); ++ long ret = sys_setreuid(low2highuid(ruid), low2highuid(euid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setuid16(old_uid_t uid) + { +- return sys_setuid(low2highuid(uid)); ++ long ret = sys_setuid(low2highuid(uid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid) + { +- return sys_setresuid(low2highuid(ruid), low2highuid(euid), +- low2highuid(suid)); ++ long ret = sys_setresuid(low2highuid(ruid), low2highuid(euid), ++ low2highuid(suid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, old_uid_t __user *suid) +@@ -72,8 +96,11 @@ asmlinkage long sys_getresuid16(old_uid_ + + asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid) + { +- return sys_setresgid(low2highgid(rgid), low2highgid(egid), +- low2highgid(sgid)); ++ long ret = sys_setresgid(low2highgid(rgid), low2highgid(egid), ++ low2highgid(sgid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, old_gid_t __user *sgid) +@@ -89,12 +116,18 @@ asmlinkage long sys_getresgid16(old_gid_ + + asmlinkage long sys_setfsuid16(old_uid_t uid) + { +- return sys_setfsuid(low2highuid(uid)); ++ long ret = sys_setfsuid(low2highuid(uid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + asmlinkage long sys_setfsgid16(old_gid_t gid) + { +- return sys_setfsgid(low2highgid(gid)); ++ long ret = sys_setfsgid(low2highgid(gid)); ++ /* avoid REGPARM breakage on x86: */ ++ prevent_tail_call(ret); ++ return ret; + } + + static int groups16_to_user(old_gid_t __user *grouplist, +diff --git a/mm/madvise.c b/mm/madvise.c +index af3d573..4e19615 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -168,6 +168,9 @@ static long madvise_remove(struct vm_are + return -EINVAL; + } + ++ if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE)) ++ return -EACCES; ++ + mapping = vma->vm_file->f_mapping; + + offset = (loff_t)(start - vma->vm_start) +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index b21869a..8d7ddf0 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1796,7 +1796,6 @@ static void gather_stats(struct page *pa + md->mapcount_max = count; + + md->node[page_to_nid(page)]++; +- cond_resched(); + } + + #ifdef CONFIG_HUGETLB_PAGE +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 234bd48..8b3cde1 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -153,7 +153,8 @@ static void bad_page(struct page *page) + 1 << PG_reclaim | + 1 << PG_slab | + 1 << PG_swapcache | +- 1 << PG_writeback ); ++ 1 << PG_writeback | ++ 1 << PG_buddy ); + set_page_count(page, 0); + reset_page_mapcount(page); + page->mapping = NULL; +@@ -224,12 +225,12 @@ static inline unsigned long page_order(s + + static inline void set_page_order(struct page *page, int order) { + set_page_private(page, order); +- __SetPagePrivate(page); ++ __SetPageBuddy(page); + } + + static inline void rmv_page_order(struct page *page) + { +- __ClearPagePrivate(page); ++ __ClearPageBuddy(page); + set_page_private(page, 0); + } + +@@ -268,11 +269,13 @@ __find_combined_index(unsigned long page + * This function checks whether a page is free && is the buddy + * we can do coalesce a page and its buddy if + * (a) the buddy is not in a hole && +- * (b) the buddy is free && +- * (c) the buddy is on the buddy system && +- * (d) a page and its buddy have the same order. +- * for recording page's order, we use page_private(page) and PG_private. ++ * (b) the buddy is in the buddy system && ++ * (c) a page and its buddy have the same order. ++ * ++ * For recording whether a page is in the buddy system, we use PG_buddy. ++ * Setting, clearing, and testing PG_buddy is serialized by zone->lock. + * ++ * For recording page's order, we use page_private(page). + */ + static inline int page_is_buddy(struct page *page, int order) + { +@@ -281,10 +284,10 @@ #ifdef CONFIG_HOLES_IN_ZONE + return 0; + #endif + +- if (PagePrivate(page) && +- (page_order(page) == order) && +- page_count(page) == 0) ++ if (PageBuddy(page) && page_order(page) == order) { ++ BUG_ON(page_count(page) != 0); + return 1; ++ } + return 0; + } + +@@ -301,7 +304,7 @@ #endif + * as necessary, plus some accounting needed to play nicely with other + * parts of the VM system. + * At each level, we keep a list of pages, which are heads of continuous +- * free pages of length of (1 << order) and marked with PG_Private.Page's ++ * free pages of length of (1 << order) and marked with PG_buddy. Page's + * order is recorded in page_private(page) field. + * So when we are allocating or freeing one, we can derive the state of the + * other. That is, if we allocate a small block, and both were +@@ -364,7 +367,8 @@ static inline int free_pages_check(struc + 1 << PG_slab | + 1 << PG_swapcache | + 1 << PG_writeback | +- 1 << PG_reserved )))) ++ 1 << PG_reserved | ++ 1 << PG_buddy )))) + bad_page(page); + if (PageDirty(page)) + __ClearPageDirty(page); +@@ -522,7 +526,8 @@ static int prep_new_page(struct page *pa + 1 << PG_slab | + 1 << PG_swapcache | + 1 << PG_writeback | +- 1 << PG_reserved )))) ++ 1 << PG_reserved | ++ 1 << PG_buddy )))) + bad_page(page); + + /* +@@ -944,7 +949,8 @@ restart: + alloc_flags |= ALLOC_HARDER; + if (gfp_mask & __GFP_HIGH) + alloc_flags |= ALLOC_HIGH; +- alloc_flags |= ALLOC_CPUSET; ++ if (wait) ++ alloc_flags |= ALLOC_CPUSET; + + /* + * Go through the zonelist again. Let __GFP_HIGH and allocations +diff --git a/mm/shmem.c b/mm/shmem.c +index 7c455fb..f0eb2f2 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2172,6 +2172,7 @@ #ifdef CONFIG_TMPFS + .prepare_write = shmem_prepare_write, + .commit_write = simple_commit_write, + #endif ++ .migratepage = migrate_page, + }; + + static struct file_operations shmem_file_operations = { +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 4fe7e3a..1d64dc1 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -949,6 +949,17 @@ redo: + goto unlock_both; + } + ++ /* Make sure the dirty bit is up to date */ ++ if (try_to_unmap(page, 1) == SWAP_FAIL) { ++ rc = -EPERM; ++ goto unlock_both; ++ } ++ ++ if (page_mapcount(page)) { ++ rc = -EAGAIN; ++ goto unlock_both; ++ } ++ + /* + * Default handling if a filesystem does not provide + * a migration function. We can only migrate clean +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 73370de..1842a4e 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -613,12 +613,19 @@ static int clip_create(int number) + + + static int clip_device_event(struct notifier_block *this,unsigned long event, +- void *dev) ++ void *arg) + { ++ struct net_device *dev = arg; ++ ++ if (event == NETDEV_UNREGISTER) { ++ neigh_ifdown(&clip_tbl, dev); ++ return NOTIFY_DONE; ++ } ++ + /* ignore non-CLIP devices */ +- if (((struct net_device *) dev)->type != ARPHRD_ATM || +- ((struct net_device *) dev)->hard_start_xmit != clip_start_xmit) ++ if (dev->type != ARPHRD_ATM || dev->hard_start_xmit != clip_start_xmit) + return NOTIFY_DONE; ++ + switch (event) { + case NETDEV_UP: + DPRINTK("clip_device_event NETDEV_UP\n"); +@@ -686,14 +693,12 @@ static struct notifier_block clip_inet_n + static void atmarpd_close(struct atm_vcc *vcc) + { + DPRINTK("atmarpd_close\n"); +- atmarpd = NULL; /* assumed to be atomic */ +- barrier(); +- unregister_inetaddr_notifier(&clip_inet_notifier); +- unregister_netdevice_notifier(&clip_dev_notifier); +- if (skb_peek(&sk_atm(vcc)->sk_receive_queue)) +- printk(KERN_ERR "atmarpd_close: closing with requests " +- "pending\n"); ++ ++ rtnl_lock(); ++ atmarpd = NULL; + skb_queue_purge(&sk_atm(vcc)->sk_receive_queue); ++ rtnl_unlock(); ++ + DPRINTK("(done)\n"); + module_put(THIS_MODULE); + } +@@ -714,7 +719,12 @@ static struct atm_dev atmarpd_dev = { + + static int atm_init_atmarp(struct atm_vcc *vcc) + { +- if (atmarpd) return -EADDRINUSE; ++ rtnl_lock(); ++ if (atmarpd) { ++ rtnl_unlock(); ++ return -EADDRINUSE; ++ } ++ + if (start_timer) { + start_timer = 0; + init_timer(&idle_timer); +@@ -731,10 +741,7 @@ static int atm_init_atmarp(struct atm_vc + vcc->push = NULL; + vcc->pop = NULL; /* crash */ + vcc->push_oam = NULL; /* crash */ +- if (register_netdevice_notifier(&clip_dev_notifier)) +- printk(KERN_ERR "register_netdevice_notifier failed\n"); +- if (register_inetaddr_notifier(&clip_inet_notifier)) +- printk(KERN_ERR "register_inetaddr_notifier failed\n"); ++ rtnl_unlock(); + return 0; + } + +@@ -992,6 +999,8 @@ static int __init atm_clip_init(void) + + clip_tbl_hook = &clip_tbl; + register_atm_ioctl(&clip_ioctl_ops); ++ register_netdevice_notifier(&clip_dev_notifier); ++ register_inetaddr_notifier(&clip_inet_notifier); + + #ifdef CONFIG_PROC_FS + { +@@ -1012,6 +1021,9 @@ static void __exit atm_clip_exit(void) + + remove_proc_entry("arp", atm_proc_root); + ++ unregister_inetaddr_notifier(&clip_inet_notifier); ++ unregister_netdevice_notifier(&clip_dev_notifier); ++ + deregister_atm_ioctl(&clip_ioctl_ops); + + /* First, stop the idle timer, so it stops banging +diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c +index e060aad..9e27373 100644 +--- a/net/bridge/br_netfilter.c ++++ b/net/bridge/br_netfilter.c +@@ -739,6 +739,15 @@ out: + return NF_STOLEN; + } + ++static int br_nf_dev_queue_xmit(struct sk_buff *skb) ++{ ++ if (skb->protocol == htons(ETH_P_IP) && ++ skb->len > skb->dev->mtu && ++ !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size)) ++ return ip_fragment(skb, br_dev_queue_push_xmit); ++ else ++ return br_dev_queue_push_xmit(skb); ++} + + /* PF_BRIDGE/POST_ROUTING ********************************************/ + static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb, +@@ -798,7 +807,7 @@ #if defined(CONFIG_VLAN_8021Q) || define + realoutdev = nf_bridge->netoutdev; + #endif + NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev, +- br_dev_queue_push_xmit); ++ br_nf_dev_queue_xmit); + + return NF_STOLEN; + +@@ -843,7 +852,7 @@ static unsigned int ip_sabotage_out(unsi + if ((out->hard_start_xmit == br_dev_xmit && + okfn != br_nf_forward_finish && + okfn != br_nf_local_out_finish && +- okfn != br_dev_queue_push_xmit) ++ okfn != br_nf_dev_queue_xmit) + #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) + || ((out->priv_flags & IFF_802_1Q_VLAN) && + VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit) +diff --git a/net/core/dev.c b/net/core/dev.c +index 2afb0de..12a214c 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2932,11 +2932,11 @@ void netdev_run_todo(void) + + switch(dev->reg_state) { + case NETREG_REGISTERING: ++ dev->reg_state = NETREG_REGISTERED; + err = netdev_register_sysfs(dev); + if (err) + printk(KERN_ERR "%s: failed sysfs registration (%d)\n", + dev->name, err); +- dev->reg_state = NETREG_REGISTERED; + break; + + case NETREG_UNREGISTERING: +diff --git a/net/core/sock.c b/net/core/sock.c +index 6e00811..5621198 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -404,8 +404,9 @@ #ifdef CONFIG_NETDEVICES + if (!valbool) { + sk->sk_bound_dev_if = 0; + } else { +- if (optlen > IFNAMSIZ) +- optlen = IFNAMSIZ; ++ if (optlen > IFNAMSIZ - 1) ++ optlen = IFNAMSIZ - 1; ++ memset(devname, 0, sizeof(devname)); + if (copy_from_user(devname, optval, optlen)) { + ret = -EFAULT; + break; +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index e320b32..24009be 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -314,11 +314,6 @@ static void __leaf_free_rcu(struct rcu_h + kfree(container_of(head, struct leaf, rcu)); + } + +-static inline void free_leaf(struct leaf *leaf) +-{ +- call_rcu(&leaf->rcu, __leaf_free_rcu); +-} +- + static void __leaf_info_free_rcu(struct rcu_head *head) + { + kfree(container_of(head, struct leaf_info, rcu)); +@@ -357,7 +352,12 @@ static void __tnode_free_rcu(struct rcu_ + + static inline void tnode_free(struct tnode *tn) + { +- call_rcu(&tn->rcu, __tnode_free_rcu); ++ if(IS_LEAF(tn)) { ++ struct leaf *l = (struct leaf *) tn; ++ call_rcu_bh(&l->rcu, __leaf_free_rcu); ++ } ++ else ++ call_rcu(&tn->rcu, __tnode_free_rcu); + } + + static struct leaf *leaf_new(void) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 8ee4d01..8dcba38 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -86,8 +86,6 @@ #include + + int sysctl_ip_default_ttl = IPDEFTTL; + +-static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*)); +- + /* Generate a checksum for an outgoing IP datagram. */ + __inline__ void ip_send_check(struct iphdr *iph) + { +@@ -421,7 +419,7 @@ #endif + * single device frame, and queue such a frame for sending. + */ + +-static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*)) ++int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*)) + { + struct iphdr *iph; + int raw = 0; +@@ -673,6 +671,8 @@ fail: + return err; + } + ++EXPORT_SYMBOL(ip_fragment); ++ + int + ip_generic_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb) + { +@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock * + iph->tos = inet->tos; + iph->tot_len = htons(skb->len); + iph->frag_off = df; +- if (!df) { +- __ip_select_ident(iph, &rt->u.dst, 0); +- } else { +- iph->id = htons(inet->id++); +- } ++ ip_select_ident(iph, &rt->u.dst, sk); + iph->ttl = ttl; + iph->protocol = sk->sk_protocol; + iph->saddr = rt->rt_src; +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 7d7ab94..12bfc25 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -941,7 +941,7 @@ static int do_add_counters(void __user * + + write_lock_bh(&t->lock); + private = t->private; +- if (private->number != paddc->num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c +index 84c66db..43f6b45 100644 +--- a/net/ipv4/netfilter/ip_conntrack_core.c ++++ b/net/ipv4/netfilter/ip_conntrack_core.c +@@ -1318,6 +1318,7 @@ getorigdst(struct sock *sk, int optval, + .tuple.dst.u.tcp.port; + sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL] + .tuple.dst.ip; ++ memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); + + DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n", + NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port)); +diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c +index e0b5926..d4e6d0a 100644 +--- a/net/ipv4/netfilter/ip_conntrack_netlink.c ++++ b/net/ipv4/netfilter/ip_conntrack_netlink.c +@@ -1619,7 +1619,7 @@ static void __exit ctnetlink_exit(void) + printk("ctnetlink: unregistering from nfnetlink.\n"); + + #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS +- ip_conntrack_unregister_notifier(&ctnl_notifier_exp); ++ ip_conntrack_expect_unregister_notifier(&ctnl_notifier_exp); + ip_conntrack_unregister_notifier(&ctnl_notifier); + #endif + +diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c +index be602e8..df67679 100644 +--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c ++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c +@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con + flag = 1; + } + +- /* Cookie Ack/Echo chunks not the first OR +- Init / Init Ack / Shutdown compl chunks not the only chunks */ +- if ((sch->type == SCTP_CID_COOKIE_ACK ++ /* ++ * Cookie Ack/Echo chunks not the first OR ++ * Init / Init Ack / Shutdown compl chunks not the only chunks ++ * OR zero-length. ++ */ ++ if (((sch->type == SCTP_CID_COOKIE_ACK + || sch->type == SCTP_CID_COOKIE_ECHO + || flag) +- && count !=0 ) { ++ && count !=0) || !sch->length) { + DEBUGP("Basic checks failed\n"); + return 1; + } +diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c +index 4f95d47..df57e7a 100644 +--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c ++++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c +@@ -1000,12 +1000,12 @@ static unsigned char snmp_trap_decode(st + + return 1; + ++err_addr_free: ++ kfree((unsigned long *)trap->ip_address); ++ + err_id_free: + kfree(trap->id); + +-err_addr_free: +- kfree((unsigned long *)trap->ip_address); +- + return 0; + } + +@@ -1123,11 +1123,10 @@ static int snmp_parse_mangle(unsigned ch + struct snmp_v1_trap trap; + unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check); + +- /* Discard trap allocations regardless */ +- kfree(trap.id); +- kfree((unsigned long *)trap.ip_address); +- +- if (!ret) ++ if (ret) { ++ kfree(trap.id); ++ kfree((unsigned long *)trap.ip_address); ++ } else + return ret; + + } else { +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 16f47c6..735d5ff 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1063,7 +1063,7 @@ do_add_counters(void __user *user, unsig + + write_lock_bh(&t->lock); + private = t->private; +- if (private->number != paddc->num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +index 6c8624a..62a0f52 100644 +--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c ++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +@@ -354,6 +354,7 @@ getorigdst(struct sock *sk, int optval, + .tuple.dst.u.tcp.port; + sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL] + .tuple.dst.u3.ip; ++ memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); + + DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n", + NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port)); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index fca5fe0..a67955e 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in + /* Reserve room for dummy headers, this skb can pass + through good chunk of routing engine. + */ +- skb->mac.raw = skb->data; ++ skb->mac.raw = skb->nh.raw = skb->data; ++ ++ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ ++ skb->nh.iph->protocol = IPPROTO_ICMP; + skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); + + if (rta[RTA_SRC - 1]) +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 9f498a6..310f2e6 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -537,7 +537,9 @@ int tcp_fragment(struct sock *sk, struct + buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC); + if (buff == NULL) + return -ENOMEM; /* We'll just try again later. */ +- sk_charge_skb(sk, buff); ++ ++ buff->truesize = skb->len - len; ++ skb->truesize -= buff->truesize; + + /* Correct the sequence numbers. */ + TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len; +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index 2a1e7e4..d88cab7 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -489,6 +489,18 @@ int ipv6_parse_hopopts(struct sk_buff *s + { + struct inet6_skb_parm *opt = IP6CB(skb); + ++ /* ++ * skb->nh.raw is equal to skb->data, and ++ * skb->h.raw - skb->nh.raw is always equal to ++ * sizeof(struct ipv6hdr) by definition of ++ * hop-by-hop options. ++ */ ++ if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) || ++ !pskb_may_pull(skb, sizeof(struct ipv6hdr) + ((skb->h.raw[1] + 1) << 3))) { ++ kfree_skb(skb); ++ return -1; ++ } ++ + opt->hop = sizeof(struct ipv6hdr); + if (ip6_parse_tlv(tlvprochopopt_lst, skb)) { + skb->h.raw += (skb->h.raw[1]+1)<<3; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 74ff56c..dd6ad42 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig + + write_lock_bh(&t->lock); + private = t->private; +- if (private->number != paddc->num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index 91cce8b..88c840f 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -191,16 +191,18 @@ error: + static inline void + _decode_session6(struct sk_buff *skb, struct flowi *fl) + { +- u16 offset = sizeof(struct ipv6hdr); ++ u16 offset = skb->h.raw - skb->nh.raw; + struct ipv6hdr *hdr = skb->nh.ipv6h; +- struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset); +- u8 nexthdr = skb->nh.ipv6h->nexthdr; ++ struct ipv6_opt_hdr *exthdr; ++ u8 nexthdr = skb->nh.raw[IP6CB(skb)->nhoff]; + + memset(fl, 0, sizeof(struct flowi)); + ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr); + ipv6_addr_copy(&fl->fl6_src, &hdr->saddr); + + while (pskb_may_pull(skb, skb->nh.raw + offset + 1 - skb->data)) { ++ exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset); ++ + switch (nexthdr) { + case NEXTHDR_ROUTING: + case NEXTHDR_HOP: +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 9ff3463..40edeef 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -1641,7 +1641,7 @@ static void __exit ctnetlink_exit(void) + printk("ctnetlink: unregistering from nfnetlink.\n"); + + #ifdef CONFIG_NF_CONNTRACK_EVENTS +- nf_conntrack_unregister_notifier(&ctnl_notifier_exp); ++ nf_conntrack_expect_unregister_notifier(&ctnl_notifier_exp); + nf_conntrack_unregister_notifier(&ctnl_notifier); + #endif + +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index cf798e6..cd2326d 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con + flag = 1; + } + +- /* Cookie Ack/Echo chunks not the first OR +- Init / Init Ack / Shutdown compl chunks not the only chunks */ +- if ((sch->type == SCTP_CID_COOKIE_ACK ++ /* ++ * Cookie Ack/Echo chunks not the first OR ++ * Init / Init Ack / Shutdown compl chunks not the only chunks ++ * OR zero-length. ++ */ ++ if (((sch->type == SCTP_CID_COOKIE_ACK + || sch->type == SCTP_CID_COOKIE_ECHO + || flag) +- && count !=0 ) { ++ && count !=0) || !sch->length) { + DEBUGP("Basic checks failed\n"); + return 1; + } +diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c +index 297b895..cf0c767 100644 +--- a/net/sctp/inqueue.c ++++ b/net/sctp/inqueue.c +@@ -149,6 +149,7 @@ struct sctp_chunk *sctp_inq_pop(struct s + /* This is the first chunk in the packet. */ + chunk->singleton = 1; + ch = (sctp_chunkhdr_t *) chunk->skb->data; ++ chunk->data_accepted = 0; + } + + chunk->chunk_hdr = ch; +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 2b9a832..9395e09 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co + */ + chunk->subh.cookie_hdr = + (struct sctp_signed_cookie *)chunk->skb->data; +- skb_pull(chunk->skb, +- ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)); ++ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - ++ sizeof(sctp_chunkhdr_t))) ++ goto nomem; + + /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint + * "Z" will reply with a COOKIE ACK chunk after building a TCB +@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(cons + */ + chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; + paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); +- skb_pull(chunk->skb, paylen); ++ if (!pskb_pull(chunk->skb, paylen)) ++ goto nomem; + + reply = sctp_make_heartbeat_ack(asoc, chunk, + chunk->subh.hb_hdr, paylen); +@@ -1028,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3( + commands); + + hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; ++ /* Make sure that the length of the parameter is what we expect */ ++ if (ntohs(hbinfo->param_hdr.length) != ++ sizeof(sctp_sender_hb_info_t)) { ++ return SCTP_DISPOSITION_DISCARD; ++ } ++ + from_addr = hbinfo->daddr; + link = sctp_assoc_lookup_paddr(asoc, &from_addr); + +@@ -1860,8 +1868,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupc + * are in good shape. + */ + chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; +- skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - +- sizeof(sctp_chunkhdr_t)); ++ if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - ++ sizeof(sctp_chunkhdr_t))) ++ goto nomem; + + /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie + * of a duplicate COOKIE ECHO match the Verification Tags of the +@@ -5151,7 +5160,9 @@ static int sctp_eat_data(const struct sc + int tmp; + __u32 tsn; + int account_value; ++ struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map; + struct sock *sk = asoc->base.sk; ++ int rcvbuf_over = 0; + + data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data; + skb_pull(chunk->skb, sizeof(sctp_datahdr_t)); +@@ -5162,10 +5173,16 @@ static int sctp_eat_data(const struct sc + /* ASSERT: Now skb->data is really the user data. */ + + /* +- * if we are established, and we have used up our receive +- * buffer memory, drop the frame +- */ +- if (asoc->state == SCTP_STATE_ESTABLISHED) { ++ * If we are established, and we have used up our receive buffer ++ * memory, think about droping the frame. ++ * Note that we have an opportunity to improve performance here. ++ * If we accept one chunk from an skbuff, we have to keep all the ++ * memory of that skbuff around until the chunk is read into user ++ * space. Therefore, once we accept 1 chunk we may as well accept all ++ * remaining chunks in the skbuff. The data_accepted flag helps us do ++ * that. ++ */ ++ if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) { + /* + * If the receive buffer policy is 1, then each + * association can allocate up to sk_rcvbuf bytes +@@ -5176,9 +5193,25 @@ static int sctp_eat_data(const struct sc + account_value = atomic_read(&asoc->rmem_alloc); + else + account_value = atomic_read(&sk->sk_rmem_alloc); +- +- if (account_value > sk->sk_rcvbuf) +- return SCTP_IERROR_IGNORE_TSN; ++ if (account_value > sk->sk_rcvbuf) { ++ /* ++ * We need to make forward progress, even when we are ++ * under memory pressure, so we always allow the ++ * next tsn after the ctsn ack point to be accepted. ++ * This lets us avoid deadlocks in which we have to ++ * drop frames that would otherwise let us drain the ++ * receive queue. ++ */ ++ if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn) ++ return SCTP_IERROR_IGNORE_TSN; ++ ++ /* ++ * We're going to accept the frame but we should renege ++ * to make space for it. This will send us down that ++ * path later in this function. ++ */ ++ rcvbuf_over = 1; ++ } + } + + /* Process ECN based congestion. +@@ -5226,6 +5259,7 @@ static int sctp_eat_data(const struct sc + datalen -= sizeof(sctp_data_chunk_t); + + deliver = SCTP_CMD_CHUNK_ULP; ++ chunk->data_accepted = 1; + + /* Think about partial delivery. */ + if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) { +@@ -5242,7 +5276,8 @@ static int sctp_eat_data(const struct sc + * large spill over. + */ + if (!asoc->rwnd || asoc->rwnd_over || +- (datalen > asoc->rwnd + asoc->frag_point)) { ++ (datalen > asoc->rwnd + asoc->frag_point) || ++ rcvbuf_over) { + + /* If this is the next TSN, consider reneging to make + * room. Note: Playing nice with a confused sender. A +@@ -5250,8 +5285,8 @@ static int sctp_eat_data(const struct sc + * space and in the future we may want to detect and + * do more drastic reneging. + */ +- if (sctp_tsnmap_has_gap(&asoc->peer.tsn_map) && +- (sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + 1) == tsn) { ++ if (sctp_tsnmap_has_gap(map) && ++ (sctp_tsnmap_get_ctsn(map) + 1) == tsn) { + SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn); + deliver = SCTP_CMD_RENEGE; + } else { +diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c +index 75ef104..8bcca56 100644 +--- a/net/sctp/sm_statetable.c ++++ b/net/sctp/sm_statetable.c +@@ -366,9 +366,9 @@ #define TYPE_SCTP_ECN_ECNE { \ + /* SCTP_STATE_EMPTY */ \ + {.fn = sctp_sf_ootb, .name = "sctp_sf_ootb"}, \ + /* SCTP_STATE_CLOSED */ \ +- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ ++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ + /* SCTP_STATE_COOKIE_WAIT */ \ +- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ ++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ + /* SCTP_STATE_COOKIE_ECHOED */ \ + {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \ + /* SCTP_STATE_ESTABLISHED */ \ +@@ -380,7 +380,7 @@ #define TYPE_SCTP_ECN_ECNE { \ + /* SCTP_STATE_SHUTDOWN_RECEIVED */ \ + {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \ + /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \ +- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ ++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ + } /* TYPE_SCTP_ECN_ECNE */ + + #define TYPE_SCTP_ECN_CWR { \ +@@ -401,7 +401,7 @@ #define TYPE_SCTP_ECN_CWR { \ + /* SCTP_STATE_SHUTDOWN_RECEIVED */ \ + {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ + /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \ +- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ ++ {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \ + } /* TYPE_SCTP_ECN_CWR */ + + #define TYPE_SCTP_SHUTDOWN_COMPLETE { \ +@@ -647,7 +647,7 @@ #define TYPE_SCTP_PRIMITIVE_REQUESTHEART + /* SCTP_STATE_EMPTY */ \ + {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ + /* SCTP_STATE_CLOSED */ \ +- {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \ ++ {.fn = sctp_sf_error_closed, .name = "sctp_sf_error_closed"}, \ + /* SCTP_STATE_COOKIE_WAIT */ \ + {.fn = sctp_sf_do_prm_requestheartbeat, \ + .name = "sctp_sf_do_prm_requestheartbeat"}, \ +diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c +index 2080b2d..575e556 100644 +--- a/net/sctp/ulpqueue.c ++++ b/net/sctp/ulpqueue.c +@@ -279,6 +279,7 @@ static inline void sctp_ulpq_store_reasm + static struct sctp_ulpevent *sctp_make_reassembled_event(struct sk_buff_head *queue, struct sk_buff *f_frag, struct sk_buff *l_frag) + { + struct sk_buff *pos; ++ struct sk_buff *new = NULL; + struct sctp_ulpevent *event; + struct sk_buff *pnext, *last; + struct sk_buff *list = skb_shinfo(f_frag)->frag_list; +@@ -297,11 +298,33 @@ static struct sctp_ulpevent *sctp_make_r + */ + if (last) + last->next = pos; +- else +- skb_shinfo(f_frag)->frag_list = pos; ++ else { ++ if (skb_cloned(f_frag)) { ++ /* This is a cloned skb, we can't just modify ++ * the frag_list. We need a new skb to do that. ++ * Instead of calling skb_unshare(), we'll do it ++ * ourselves since we need to delay the free. ++ */ ++ new = skb_copy(f_frag, GFP_ATOMIC); ++ if (!new) ++ return NULL; /* try again later */ ++ ++ new->sk = f_frag->sk; ++ ++ skb_shinfo(new)->frag_list = pos; ++ } else ++ skb_shinfo(f_frag)->frag_list = pos; ++ } + + /* Remove the first fragment from the reassembly queue. */ + __skb_unlink(f_frag, queue); ++ ++ /* if we did unshare, then free the old skb and re-assign */ ++ if (new) { ++ kfree_skb(f_frag); ++ f_frag = new; ++ } ++ + while (pos) { + + pnext = pos->next; +diff --git a/security/keys/key.c b/security/keys/key.c +index 99781b7..0e2584e 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t + + key_check(keyring); + ++ key_ref = ERR_PTR(-ENOTDIR); ++ if (keyring->type != &key_type_keyring) ++ goto error_2; ++ + down_write(&keyring->sem); + + /* if we're going to allocate a new key, we're going to have +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index d65a180..bffa924 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); + /* + * search the given keyring only (no recursion) + * - keyring must be locked by caller ++ * - caller must guarantee that the keyring is a keyring + */ + key_ref_t __keyring_search_one(key_ref_t keyring_ref, + const struct key_type *ktype, +diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c +index 640d0bf..84047f6 100644 +--- a/security/selinux/ss/mls.c ++++ b/security/selinux/ss/mls.c +@@ -264,7 +264,7 @@ int mls_context_to_sid(char oldc, + + if (!selinux_mls_enabled) { + if (def_sid != SECSID_NULL && oldc) +- *scontext += strlen(*scontext); ++ *scontext += strlen(*scontext)+1; + return 0; + } + +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 8a76492..6375dd5 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -592,6 +592,10 @@ int security_sid_to_context(u32 sid, cha + + *scontext_len = strlen(initial_sid_to_string[sid]) + 1; + scontextp = kmalloc(*scontext_len,GFP_ATOMIC); ++ if (!scontextp) { ++ rc = -ENOMEM; ++ goto out; ++ } + strcpy(scontextp, initial_sid_to_string[sid]); + *scontext = scontextp; + goto out; +diff --git a/sound/isa/opti9xx/opti92x-ad1848.c b/sound/isa/opti9xx/opti92x-ad1848.c +index 63d96be..65b28cb 100644 +--- a/sound/isa/opti9xx/opti92x-ad1848.c ++++ b/sound/isa/opti9xx/opti92x-ad1848.c +@@ -2088,9 +2088,11 @@ static int __init alsa_card_opti9xx_init + int error; + struct platform_device *device; + ++#ifdef CONFIG_PNP + pnp_register_card_driver(&opti9xx_pnpc_driver); + if (snd_opti9xx_pnp_is_probed) + return 0; ++#endif + if (! is_isapnp_selected()) { + error = platform_driver_register(&snd_opti9xx_driver); + if (error < 0) +@@ -2102,7 +2104,9 @@ static int __init alsa_card_opti9xx_init + } + platform_driver_unregister(&snd_opti9xx_driver); + } ++#ifdef CONFIG_PNP + pnp_unregister_card_driver(&opti9xx_pnpc_driver); ++#endif + #ifdef MODULE + printk(KERN_ERR "no OPTi " CHIP_NAME " soundcard found\n"); + #endif +@@ -2115,7 +2119,9 @@ static void __exit alsa_card_opti9xx_exi + platform_device_unregister(snd_opti9xx_platform_device); + platform_driver_unregister(&snd_opti9xx_driver); + } ++#ifdef CONFIG_PNP + pnp_unregister_card_driver(&opti9xx_pnpc_driver); ++#endif + } + + module_init(alsa_card_opti9xx_init) +diff --git a/sound/oss/dmasound/tas_common.c b/sound/oss/dmasound/tas_common.c +index 8131599..882ae98 100644 +--- a/sound/oss/dmasound/tas_common.c ++++ b/sound/oss/dmasound/tas_common.c +@@ -195,8 +195,8 @@ tas_init(int driver_id, const char *driv + + printk(KERN_INFO "tas driver [%s])\n", driver_name); + +-#ifndef CONFIG_I2C_KEYWEST +- request_module("i2c-keywest"); ++#ifndef CONFIG_I2C_POWERMAC ++ request_module("i2c-powermac"); + #endif + tas_node = find_devices("deq"); + if (tas_node == NULL) +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b767552..d5cd3a1 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2948,6 +2948,8 @@ static struct hda_board_config alc260_cf + { .modelname = "basic", .config = ALC260_BASIC }, + { .pci_subvendor = 0x104d, .pci_subdevice = 0x81bb, + .config = ALC260_BASIC }, /* Sony VAIO */ ++ { .pci_subvendor = 0x152d, .pci_subdevice = 0x0729, ++ .config = ALC260_BASIC }, /* CTL Travel Master U553W */ + { .modelname = "hp", .config = ALC260_HP }, + { .pci_subvendor = 0x103c, .pci_subdevice = 0x3010, .config = ALC260_HP }, + { .pci_subvendor = 0x103c, .pci_subdevice = 0x3011, .config = ALC260_HP }, +diff --git a/sound/ppc/daca.c b/sound/ppc/daca.c +index 08cde51..b96cd94 100644 +--- a/sound/ppc/daca.c ++++ b/sound/ppc/daca.c +@@ -256,7 +256,7 @@ int __init snd_pmac_daca_init(struct snd + + #ifdef CONFIG_KMOD + if (current->fs->root) +- request_module("i2c-keywest"); ++ request_module("i2c-powermac"); + #endif /* CONFIG_KMOD */ + + mix = kmalloc(sizeof(*mix), GFP_KERNEL); +diff --git a/sound/ppc/tumbler.c b/sound/ppc/tumbler.c +index 838fc11..39d4cde 100644 +--- a/sound/ppc/tumbler.c ++++ b/sound/ppc/tumbler.c +@@ -1314,7 +1314,7 @@ int __init snd_pmac_tumbler_init(struct + + #ifdef CONFIG_KMOD + if (current->fs->root) +- request_module("i2c-keywest"); ++ request_module("i2c-powermac"); + #endif /* CONFIG_KMOD */ + + mix = kmalloc(sizeof(*mix), GFP_KERNEL); diff --git a/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.4 b/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.4 deleted file mode 100644 index e8881bd73..000000000 --- a/target/device/AMD/DBAu1500/kernel-patches/001-patch-2.6.16.4 +++ /dev/null @@ -1,1089 +0,0 @@ -diff --git a/Makefile b/Makefile -index cb57905..29efaa1 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,7 +1,7 @@ - VERSION = 2 - PATCHLEVEL = 6 - SUBLEVEL = 16 --EXTRAVERSION = -+EXTRAVERSION = .4 - NAME=Sliding Snow Leopard - - # *DOCUMENTATION* -diff --git a/arch/i386/kernel/cpu/cpufreq/Kconfig b/arch/i386/kernel/cpu/cpufreq/Kconfig -index 26892d2..16f2e35 100644 ---- a/arch/i386/kernel/cpu/cpufreq/Kconfig -+++ b/arch/i386/kernel/cpu/cpufreq/Kconfig -@@ -203,6 +203,7 @@ config X86_LONGRUN - config X86_LONGHAUL - tristate "VIA Cyrix III Longhaul" - select CPU_FREQ_TABLE -+ depends on BROKEN - help - This adds the CPUFreq driver for VIA Samuel/CyrixIII, - VIA Cyrix Samuel/C3, VIA Cyrix Ezra and VIA Cyrix Ezra-T -diff --git a/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c b/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c -index cc73a7a..ebe1848 100644 ---- a/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c -+++ b/arch/i386/kernel/cpu/cpufreq/p4-clockmod.c -@@ -244,7 +244,7 @@ static int cpufreq_p4_cpu_init(struct cp - for (i=1; (p4clockmod_table[i].frequency != CPUFREQ_TABLE_END); i++) { - if ((i<2) && (has_N44_O17_errata[policy->cpu])) - p4clockmod_table[i].frequency = CPUFREQ_ENTRY_INVALID; -- else if (has_N60_errata[policy->cpu] && p4clockmod_table[i].frequency < 2000000) -+ else if (has_N60_errata[policy->cpu] && ((stock_freq * i)/8) < 2000000) - p4clockmod_table[i].frequency = CPUFREQ_ENTRY_INVALID; - else - p4clockmod_table[i].frequency = (stock_freq * i)/8; -diff --git a/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c b/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c -index 28cc5d5..cfc4276 100644 ---- a/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c -+++ b/arch/i386/kernel/cpu/cpufreq/speedstep-smi.c -@@ -75,7 +75,9 @@ static int speedstep_smi_ownership (void - __asm__ __volatile__( - "out %%al, (%%dx)\n" - : "=D" (result) -- : "a" (command), "b" (function), "c" (0), "d" (smi_port), "D" (0), "S" (magic) -+ : "a" (command), "b" (function), "c" (0), "d" (smi_port), -+ "D" (0), "S" (magic) -+ : "memory" - ); - - dprintk("result is %x\n", result); -diff --git a/arch/i386/kernel/dmi_scan.c b/arch/i386/kernel/dmi_scan.c -index 6a93d75..ca2a0cb 100644 ---- a/arch/i386/kernel/dmi_scan.c -+++ b/arch/i386/kernel/dmi_scan.c -@@ -106,7 +106,7 @@ static void __init dmi_save_devices(stru - struct dmi_device *dev; - - for (i = 0; i < count; i++) { -- char *d = ((char *) dm) + (i * 2); -+ char *d = (char *)(dm + 1) + (i * 2); - - /* Skip disabled device */ - if ((*d & 0x80) == 0) -diff --git a/arch/powerpc/kernel/pci_64.c b/arch/powerpc/kernel/pci_64.c -index ba92bab..4c4449b 100644 ---- a/arch/powerpc/kernel/pci_64.c -+++ b/arch/powerpc/kernel/pci_64.c -@@ -78,6 +78,7 @@ int global_phb_number; /* Global phb co - - /* Cached ISA bridge dev. */ - struct pci_dev *ppc64_isabridge_dev = NULL; -+EXPORT_SYMBOL_GPL(ppc64_isabridge_dev); - - static void fixup_broken_pcnet32(struct pci_dev* dev) - { -diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c -index 07a7f97..29f3d75 100644 ---- a/drivers/base/cpu.c -+++ b/drivers/base/cpu.c -@@ -141,7 +141,7 @@ int __devinit register_cpu(struct cpu *c - return error; - } - --struct sys_device *get_cpu_sysdev(int cpu) -+struct sys_device *get_cpu_sysdev(unsigned cpu) - { - if (cpu < NR_CPUS) - return cpu_sys_devices[cpu]; -diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c -index e97e911..4723182 100644 ---- a/drivers/base/firmware_class.c -+++ b/drivers/base/firmware_class.c -@@ -211,18 +211,20 @@ static int - fw_realloc_buffer(struct firmware_priv *fw_priv, int min_size) - { - u8 *new_data; -+ int new_size = fw_priv->alloc_size; - - if (min_size <= fw_priv->alloc_size) - return 0; - -- new_data = vmalloc(fw_priv->alloc_size + PAGE_SIZE); -+ new_size = ALIGN(min_size, PAGE_SIZE); -+ new_data = vmalloc(new_size); - if (!new_data) { - printk(KERN_ERR "%s: unable to alloc buffer\n", __FUNCTION__); - /* Make sure that we don't keep incomplete data */ - fw_load_abort(fw_priv); - return -ENOMEM; - } -- fw_priv->alloc_size += PAGE_SIZE; -+ fw_priv->alloc_size = new_size; - if (fw_priv->fw->data) { - memcpy(new_data, fw_priv->fw->data, fw_priv->fw->size); - vfree(fw_priv->fw->data); -diff --git a/drivers/base/node.c b/drivers/base/node.c -index 16c513a..c80c3ae 100644 ---- a/drivers/base/node.c -+++ b/drivers/base/node.c -@@ -106,7 +106,7 @@ static ssize_t node_read_numastat(struct - other_node = 0; - for (i = 0; i < MAX_NR_ZONES; i++) { - struct zone *z = &pg->node_zones[i]; -- for (cpu = 0; cpu < NR_CPUS; cpu++) { -+ for_each_online_cpu(cpu) { - struct per_cpu_pageset *ps = zone_pcp(z,cpu); - numa_hit += ps->numa_hit; - numa_miss += ps->numa_miss; -diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c -index 0d65394..c149d57 100644 ---- a/drivers/block/cciss.c -+++ b/drivers/block/cciss.c -@@ -3269,8 +3269,8 @@ clean2: - unregister_blkdev(hba[i]->major, hba[i]->devname); - clean1: - release_io_mem(hba[i]); -- free_hba(i); - hba[i]->busy_initializing = 0; -+ free_hba(i); - return(-1); - } - -diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig -index 05ba410..8b72a61 100644 ---- a/drivers/char/Kconfig -+++ b/drivers/char/Kconfig -@@ -187,6 +187,7 @@ config MOXA_SMARTIO - config ISI - tristate "Multi-Tech multiport card support (EXPERIMENTAL)" - depends on SERIAL_NONSTANDARD -+ select FW_LOADER - help - This is a driver for the Multi-Tech cards which provide several - serial ports. The driver is experimental and can currently only be -diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c -index 4c27218..2546637 100644 ---- a/drivers/char/tlclk.c -+++ b/drivers/char/tlclk.c -@@ -767,6 +767,7 @@ static int __init tlclk_init(void) - printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); - return ret; - } -+ tlclk_major = ret; - alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); - if (!alarm_events) - goto out1; -diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c -index eca92eb..d83248e 100644 ---- a/drivers/ieee1394/sbp2.c -+++ b/drivers/ieee1394/sbp2.c -@@ -495,22 +495,17 @@ static struct sbp2_command_info *sbp2uti - /* - * This function finds the sbp2_command for a given outstanding SCpnt. - * Only looks at the inuse list. -+ * Must be called with scsi_id->sbp2_command_orb_lock held. - */ --static struct sbp2_command_info *sbp2util_find_command_for_SCpnt(struct scsi_id_instance_data *scsi_id, void *SCpnt) -+static struct sbp2_command_info *sbp2util_find_command_for_SCpnt( -+ struct scsi_id_instance_data *scsi_id, void *SCpnt) - { - struct sbp2_command_info *command; -- unsigned long flags; - -- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); -- if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) { -- list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) { -- if (command->Current_SCpnt == SCpnt) { -- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); -+ if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) -+ list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) -+ if (command->Current_SCpnt == SCpnt) - return command; -- } -- } -- } -- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - return NULL; - } - -@@ -579,17 +574,15 @@ static void sbp2util_free_command_dma(st - - /* - * This function moves a command to the completed orb list. -+ * Must be called with scsi_id->sbp2_command_orb_lock held. - */ --static void sbp2util_mark_command_completed(struct scsi_id_instance_data *scsi_id, -- struct sbp2_command_info *command) -+static void sbp2util_mark_command_completed( -+ struct scsi_id_instance_data *scsi_id, -+ struct sbp2_command_info *command) - { -- unsigned long flags; -- -- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); - list_del(&command->list); - sbp2util_free_command_dma(command); - list_add_tail(&command->list, &scsi_id->sbp2_command_orb_completed); -- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - } - - /* -@@ -2177,7 +2170,9 @@ static int sbp2_handle_status_write(stru - * Matched status with command, now grab scsi command pointers and check status - */ - SCpnt = command->Current_SCpnt; -+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); - sbp2util_mark_command_completed(scsi_id, command); -+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - - if (SCpnt) { - -@@ -2513,6 +2508,7 @@ static int sbp2scsi_abort(struct scsi_cm - (struct scsi_id_instance_data *)SCpnt->device->host->hostdata[0]; - struct sbp2scsi_host_info *hi = scsi_id->hi; - struct sbp2_command_info *command; -+ unsigned long flags; - - SBP2_ERR("aborting sbp2 command"); - scsi_print_command(SCpnt); -@@ -2523,6 +2519,7 @@ static int sbp2scsi_abort(struct scsi_cm - * Right now, just return any matching command structures - * to the free pool. - */ -+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags); - command = sbp2util_find_command_for_SCpnt(scsi_id, SCpnt); - if (command) { - SBP2_DEBUG("Found command to abort"); -@@ -2540,6 +2537,7 @@ static int sbp2scsi_abort(struct scsi_cm - command->Current_done(command->Current_SCpnt); - } - } -+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags); - - /* - * Initiate a fetch agent reset. -diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 745ca1f..d559569 100644 ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -533,30 +533,35 @@ static void __clone_and_map(struct clone - - } else { - /* -- * Create two copy bios to deal with io that has -- * been split across a target. -+ * Handle a bvec that must be split between two or more targets. - */ - struct bio_vec *bv = bio->bi_io_vec + ci->idx; -+ sector_t remaining = to_sector(bv->bv_len); -+ unsigned int offset = 0; - -- clone = split_bvec(bio, ci->sector, ci->idx, -- bv->bv_offset, max); -- __map_bio(ti, clone, tio); -- -- ci->sector += max; -- ci->sector_count -= max; -- ti = dm_table_find_target(ci->map, ci->sector); -- -- len = to_sector(bv->bv_len) - max; -- clone = split_bvec(bio, ci->sector, ci->idx, -- bv->bv_offset + to_bytes(max), len); -- tio = alloc_tio(ci->md); -- tio->io = ci->io; -- tio->ti = ti; -- memset(&tio->info, 0, sizeof(tio->info)); -- __map_bio(ti, clone, tio); -+ do { -+ if (offset) { -+ ti = dm_table_find_target(ci->map, ci->sector); -+ max = max_io_len(ci->md, ci->sector, ti); -+ -+ tio = alloc_tio(ci->md); -+ tio->io = ci->io; -+ tio->ti = ti; -+ memset(&tio->info, 0, sizeof(tio->info)); -+ } -+ -+ len = min(remaining, max); -+ -+ clone = split_bvec(bio, ci->sector, ci->idx, -+ bv->bv_offset + offset, len); -+ -+ __map_bio(ti, clone, tio); -+ -+ ci->sector += len; -+ ci->sector_count -= len; -+ offset += to_bytes(len); -+ } while (remaining -= len); - -- ci->sector += len; -- ci->sector_count -= len; - ci->idx++; - } - } -diff --git a/drivers/media/video/Kconfig b/drivers/media/video/Kconfig -index d82c8a3..ef42a26 100644 ---- a/drivers/media/video/Kconfig -+++ b/drivers/media/video/Kconfig -@@ -349,6 +349,7 @@ config VIDEO_AUDIO_DECODER - config VIDEO_DECODER - tristate "Add support for additional video chipsets" - depends on VIDEO_DEV && I2C && EXPERIMENTAL -+ select FW_LOADER - ---help--- - Say Y here to compile drivers for SAA7115, SAA7127 and CX25840 - video decoders. -diff --git a/drivers/media/video/tuner-types.c b/drivers/media/video/tuner-types.c -index 6fe7817..5f3d46d 100644 ---- a/drivers/media/video/tuner-types.c -+++ b/drivers/media/video/tuner-types.c -@@ -1087,8 +1087,8 @@ static struct tuner_params tuner_tnf_533 - /* ------------ TUNER_SAMSUNG_TCPN_2121P30A - Samsung NTSC ------------ */ - - static struct tuner_range tuner_samsung_tcpn_2121p30a_ntsc_ranges[] = { -- { 16 * 175.75 /*MHz*/, 0x01, }, -- { 16 * 410.25 /*MHz*/, 0x02, }, -+ { 16 * 130.00 /*MHz*/, 0x01, }, -+ { 16 * 364.50 /*MHz*/, 0x02, }, - { 16 * 999.99 , 0x08, }, - }; - -diff --git a/drivers/net/irda/irda-usb.c b/drivers/net/irda/irda-usb.c -index 8936058..6e2ec56 100644 ---- a/drivers/net/irda/irda-usb.c -+++ b/drivers/net/irda/irda-usb.c -@@ -740,7 +740,7 @@ static void irda_usb_receive(struct urb - struct sk_buff *newskb; - struct sk_buff *dataskb; - struct urb *next_urb; -- int docopy; -+ unsigned int len, docopy; - - IRDA_DEBUG(2, "%s(), len=%d\n", __FUNCTION__, urb->actual_length); - -@@ -851,10 +851,11 @@ static void irda_usb_receive(struct urb - dataskb->dev = self->netdev; - dataskb->mac.raw = dataskb->data; - dataskb->protocol = htons(ETH_P_IRDA); -+ len = dataskb->len; - netif_rx(dataskb); - - /* Keep stats up to date */ -- self->stats.rx_bytes += dataskb->len; -+ self->stats.rx_bytes += len; - self->stats.rx_packets++; - self->netdev->last_rx = jiffies; - -diff --git a/drivers/net/wireless/Kconfig b/drivers/net/wireless/Kconfig -index ef85d76..8101657 100644 ---- a/drivers/net/wireless/Kconfig -+++ b/drivers/net/wireless/Kconfig -@@ -239,7 +239,8 @@ config IPW2200_DEBUG - - config AIRO - tristate "Cisco/Aironet 34X/35X/4500/4800 ISA and PCI cards" -- depends on NET_RADIO && ISA_DMA_API && CRYPTO && (PCI || BROKEN) -+ depends on NET_RADIO && ISA_DMA_API && (PCI || BROKEN) -+ select CRYPTO - ---help--- - This is the standard Linux driver to support Cisco/Aironet ISA and - PCI 802.11 wireless cards. -@@ -374,6 +375,7 @@ config PCMCIA_HERMES - config PCMCIA_SPECTRUM - tristate "Symbol Spectrum24 Trilogy PCMCIA card support" - depends on NET_RADIO && PCMCIA && HERMES -+ select FW_LOADER - ---help--- - - This is a driver for 802.11b cards using RAM-loadable Symbol -@@ -387,6 +389,7 @@ config PCMCIA_SPECTRUM - config AIRO_CS - tristate "Cisco/Aironet 34X/35X/4500/4800 PCMCIA cards" - depends on NET_RADIO && PCMCIA && (BROKEN || !M32R) -+ select CRYPTO - ---help--- - This is the standard Linux driver to support Cisco/Aironet PCMCIA - 802.11 wireless cards. This driver is the same as the Aironet -diff --git a/drivers/net/wireless/hostap/hostap_80211_tx.c b/drivers/net/wireless/hostap/hostap_80211_tx.c -index 4a85e63..5f398bd 100644 ---- a/drivers/net/wireless/hostap/hostap_80211_tx.c -+++ b/drivers/net/wireless/hostap/hostap_80211_tx.c -@@ -469,7 +469,7 @@ int hostap_master_start_xmit(struct sk_b - } - - if (local->ieee_802_1x && meta->ethertype == ETH_P_PAE && tx.crypt && -- !(fc & IEEE80211_FCTL_VERS)) { -+ !(fc & IEEE80211_FCTL_PROTECTED)) { - no_encrypt = 1; - PDEBUG(DEBUG_EXTRA2, "%s: TX: IEEE 802.1X - passing " - "unencrypted EAPOL frame\n", dev->name); -diff --git a/drivers/net/wireless/ipw2200.c b/drivers/net/wireless/ipw2200.c -index 287676a..aa6f3a4 100644 ---- a/drivers/net/wireless/ipw2200.c -+++ b/drivers/net/wireless/ipw2200.c -@@ -9956,9 +9956,8 @@ static int ipw_ethtool_set_eeprom(struct - return -EINVAL; - down(&p->sem); - memcpy(&p->eeprom[eeprom->offset], bytes, eeprom->len); -- for (i = IPW_EEPROM_DATA; -- i < IPW_EEPROM_DATA + IPW_EEPROM_IMAGE_SIZE; i++) -- ipw_write8(p, i, p->eeprom[i]); -+ for (i = 0; i < IPW_EEPROM_IMAGE_SIZE; i++) -+ ipw_write8(p, i + IPW_EEPROM_DATA, p->eeprom[i]); - up(&p->sem); - return 0; - } -diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c -index bb96ce1..a4333a8 100644 ---- a/drivers/pcmcia/ds.c -+++ b/drivers/pcmcia/ds.c -@@ -546,7 +546,7 @@ static int pcmcia_device_query(struct pc - tmp = vers1->str + vers1->ofs[i]; - - length = strlen(tmp) + 1; -- if ((length < 3) || (length > 255)) -+ if ((length < 2) || (length > 255)) - continue; - - p_dev->prod_id[i] = kmalloc(sizeof(char) * length, -diff --git a/drivers/scsi/sata_mv.c b/drivers/scsi/sata_mv.c -index 2770005..b00af08 100644 ---- a/drivers/scsi/sata_mv.c -+++ b/drivers/scsi/sata_mv.c -@@ -1102,6 +1102,7 @@ static u8 mv_get_crpb_status(struct ata_ - void __iomem *port_mmio = mv_ap_base(ap); - struct mv_port_priv *pp = ap->private_data; - u32 out_ptr; -+ u8 ata_status; - - out_ptr = readl(port_mmio + EDMA_RSP_Q_OUT_PTR_OFS); - -@@ -1109,6 +1110,8 @@ static u8 mv_get_crpb_status(struct ata_ - assert(((out_ptr >> EDMA_RSP_Q_PTR_SHIFT) & MV_MAX_Q_DEPTH_MASK) == - pp->rsp_consumer); - -+ ata_status = pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT; -+ - /* increment our consumer index... */ - pp->rsp_consumer = mv_inc_q_index(&pp->rsp_consumer); - -@@ -1123,7 +1126,7 @@ static u8 mv_get_crpb_status(struct ata_ - writelfl(out_ptr, port_mmio + EDMA_RSP_Q_OUT_PTR_OFS); - - /* Return ATA status register for completed CRPB */ -- return (pp->crpb[pp->rsp_consumer].flags >> CRPB_FLAG_STATUS_SHIFT); -+ return ata_status; - } - - /** -@@ -1192,7 +1195,6 @@ static void mv_host_intr(struct ata_host - u32 hc_irq_cause; - int shift, port, port0, hard_port, handled; - unsigned int err_mask; -- u8 ata_status = 0; - - if (hc == 0) { - port0 = 0; -@@ -1210,6 +1212,7 @@ static void mv_host_intr(struct ata_host - hc,relevant,hc_irq_cause); - - for (port = port0; port < port0 + MV_PORTS_PER_HC; port++) { -+ u8 ata_status = 0; - ap = host_set->ports[port]; - hard_port = port & MV_PORT_MASK; /* range 0-3 */ - handled = 0; /* ensure ata_status is set if handled++ */ -diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c -index 7135e54..96cabeb 100644 ---- a/drivers/usb/core/message.c -+++ b/drivers/usb/core/message.c -@@ -1388,11 +1388,13 @@ free_interfaces: - if (dev->state != USB_STATE_ADDRESS) - usb_disable_device (dev, 1); // Skip ep0 - -- i = dev->bus_mA - cp->desc.bMaxPower * 2; -- if (i < 0) -- dev_warn(&dev->dev, "new config #%d exceeds power " -- "limit by %dmA\n", -- configuration, -i); -+ if (cp) { -+ i = dev->bus_mA - cp->desc.bMaxPower * 2; -+ if (i < 0) -+ dev_warn(&dev->dev, "new config #%d exceeds power " -+ "limit by %dmA\n", -+ configuration, -i); -+ } - - if ((ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), - USB_REQ_SET_CONFIGURATION, 0, configuration, 0, -diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c -index ebcca97..88419c6 100644 ---- a/drivers/usb/host/ehci-sched.c -+++ b/drivers/usb/host/ehci-sched.c -@@ -707,6 +707,7 @@ iso_stream_init ( - } else { - u32 addr; - int think_time; -+ int hs_transfers; - - addr = dev->ttport << 24; - if (!ehci_is_TDI(ehci) -@@ -719,6 +720,7 @@ iso_stream_init ( - think_time = dev->tt ? dev->tt->think_time : 0; - stream->tt_usecs = NS_TO_US (think_time + usb_calc_bus_time ( - dev->speed, is_input, 1, maxp)); -+ hs_transfers = max (1u, (maxp + 187) / 188); - if (is_input) { - u32 tmp; - -@@ -727,12 +729,11 @@ iso_stream_init ( - stream->usecs = HS_USECS_ISO (1); - stream->raw_mask = 1; - -- /* pessimistic c-mask */ -- tmp = usb_calc_bus_time (USB_SPEED_FULL, 1, 0, maxp) -- / (125 * 1000); -- stream->raw_mask |= 3 << (tmp + 9); -+ /* c-mask as specified in USB 2.0 11.18.4 3.c */ -+ tmp = (1 << (hs_transfers + 2)) - 1; -+ stream->raw_mask |= tmp << (8 + 2); - } else -- stream->raw_mask = smask_out [maxp / 188]; -+ stream->raw_mask = smask_out [hs_transfers - 1]; - bandwidth = stream->usecs + stream->c_usecs; - bandwidth /= 1 << (interval + 2); - -diff --git a/drivers/video/cfbimgblt.c b/drivers/video/cfbimgblt.c -index 910e233..8ba6152 100644 ---- a/drivers/video/cfbimgblt.c -+++ b/drivers/video/cfbimgblt.c -@@ -169,7 +169,7 @@ static inline void slow_imageblit(const - - while (j--) { - l--; -- color = (*s & 1 << (FB_BIT_NR(l))) ? fgcolor : bgcolor; -+ color = (*s & (1 << l)) ? fgcolor : bgcolor; - val |= FB_SHIFT_HIGH(color, shift); - - /* Did the bitshift spill bits to the next long? */ -diff --git a/drivers/video/i810/i810_main.c b/drivers/video/i810/i810_main.c -index d8467c0..788297e 100644 ---- a/drivers/video/i810/i810_main.c -+++ b/drivers/video/i810/i810_main.c -@@ -1508,7 +1508,7 @@ static int i810fb_cursor(struct fb_info - int size = ((cursor->image.width + 7) >> 3) * - cursor->image.height; - int i; -- u8 *data = kmalloc(64 * 8, GFP_KERNEL); -+ u8 *data = kmalloc(64 * 8, GFP_ATOMIC); - - if (data == NULL) - return -ENOMEM; -diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c -index 3ad8455..651a9e1 100644 ---- a/fs/9p/vfs_inode.c -+++ b/fs/9p/vfs_inode.c -@@ -614,6 +614,7 @@ static struct dentry *v9fs_vfs_lookup(st - - sb = dir->i_sb; - v9ses = v9fs_inode2v9ses(dir); -+ dentry->d_op = &v9fs_dentry_operations; - dirfid = v9fs_fid_lookup(dentry->d_parent); - - if (!dirfid) { -@@ -681,8 +682,6 @@ static struct dentry *v9fs_vfs_lookup(st - goto FreeFcall; - - fid->qid = fcall->params.rstat.stat.qid; -- -- dentry->d_op = &v9fs_dentry_operations; - v9fs_stat2inode(&fcall->params.rstat.stat, inode, inode->i_sb); - - d_add(dentry, inode); -diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c -index 6d2dfed..f61142a 100644 ---- a/fs/nfsd/nfs3proc.c -+++ b/fs/nfsd/nfs3proc.c -@@ -682,7 +682,7 @@ static struct svc_procedure nfsd_proced - PROC(lookup, dirop, dirop, fhandle2, RC_NOCACHE, ST+FH+pAT+pAT), - PROC(access, access, access, fhandle, RC_NOCACHE, ST+pAT+1), - PROC(readlink, readlink, readlink, fhandle, RC_NOCACHE, ST+pAT+1+NFS3_MAXPATHLEN/4), -- PROC(read, read, read, fhandle, RC_NOCACHE, ST+pAT+4+NFSSVC_MAXBLKSIZE), -+ PROC(read, read, read, fhandle, RC_NOCACHE, ST+pAT+4+NFSSVC_MAXBLKSIZE/4), - PROC(write, write, write, fhandle, RC_REPLBUFF, ST+WC+4), - PROC(create, create, create, fhandle2, RC_REPLBUFF, ST+(1+FH+pAT)+WC), - PROC(mkdir, mkdir, create, fhandle2, RC_REPLBUFF, ST+(1+FH+pAT)+WC), -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 6d63f1d..ca8a4c4 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -975,7 +975,7 @@ struct nfsd4_voidargs { int dummy; }; - */ - static struct svc_procedure nfsd_procedures4[2] = { - PROC(null, void, void, void, RC_NOCACHE, 1), -- PROC(compound, compound, compound, compound, RC_NOCACHE, NFSD_BUFSIZE) -+ PROC(compound, compound, compound, compound, RC_NOCACHE, NFSD_BUFSIZE/4) - }; - - struct svc_version nfsd_version4 = { -diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c -index 3e6b75c..06cd0db 100644 ---- a/fs/nfsd/nfsproc.c -+++ b/fs/nfsd/nfsproc.c -@@ -553,7 +553,7 @@ static struct svc_procedure nfsd_proced - PROC(none, void, void, none, RC_NOCACHE, ST), - PROC(lookup, diropargs, diropres, fhandle, RC_NOCACHE, ST+FH+AT), - PROC(readlink, readlinkargs, readlinkres, none, RC_NOCACHE, ST+1+NFS_MAXPATHLEN/4), -- PROC(read, readargs, readres, fhandle, RC_NOCACHE, ST+AT+1+NFSSVC_MAXBLKSIZE), -+ PROC(read, readargs, readres, fhandle, RC_NOCACHE, ST+AT+1+NFSSVC_MAXBLKSIZE/4), - PROC(none, void, void, none, RC_NOCACHE, ST), - PROC(write, writeargs, attrstat, fhandle, RC_REPLBUFF, ST+AT), - PROC(create, createargs, diropres, fhandle, RC_REPLBUFF, ST+FH+AT), -diff --git a/fs/proc/proc_misc.c b/fs/proc/proc_misc.c -index 1d24fea..826c131 100644 ---- a/fs/proc/proc_misc.c -+++ b/fs/proc/proc_misc.c -@@ -312,7 +312,7 @@ static void *devinfo_next(struct seq_fil - case BLK_HDR: - info->state = BLK_LIST; - (*pos)++; -- break; -+ /*fallthrough*/ - case BLK_LIST: - if (get_blkdev_info(info->blkdev,&idummy,&ndummy)) { - /* -diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c -index 4063fb3..164a7d0 100644 ---- a/fs/proc/vmcore.c -+++ b/fs/proc/vmcore.c -@@ -103,8 +103,8 @@ static ssize_t read_vmcore(struct file * - size_t buflen, loff_t *fpos) - { - ssize_t acc = 0, tmp; -- size_t tsz, nr_bytes; -- u64 start; -+ size_t tsz; -+ u64 start, nr_bytes; - struct vmcore *curr_m = NULL; - - if (buflen == 0 || *fpos >= vmcore_size) -diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c -index 49bd219..cfd290d 100644 ---- a/fs/sysfs/dir.c -+++ b/fs/sysfs/dir.c -@@ -302,6 +302,7 @@ void sysfs_remove_dir(struct kobject * k - * Drop reference from dget() on entrance. - */ - dput(dentry); -+ kobj->dentry = NULL; - } - - int sysfs_rename_dir(struct kobject * kobj, const char *new_name) -diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c -index d0e3d84..2ecc58c 100644 ---- a/fs/sysfs/file.c -+++ b/fs/sysfs/file.c -@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * - return -ENOMEM; - - if (count >= PAGE_SIZE) -- count = PAGE_SIZE; -+ count = PAGE_SIZE - 1; - error = copy_from_user(buffer->page,buf,count); - buffer->needs_read_fill = 1; - return error ? -EFAULT : count; -diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c -index 689f7bc..6beee6f 100644 ---- a/fs/sysfs/inode.c -+++ b/fs/sysfs/inode.c -@@ -227,12 +227,16 @@ void sysfs_drop_dentry(struct sysfs_dire - void sysfs_hash_and_remove(struct dentry * dir, const char * name) - { - struct sysfs_dirent * sd; -- struct sysfs_dirent * parent_sd = dir->d_fsdata; -+ struct sysfs_dirent * parent_sd; -+ -+ if (!dir) -+ return; - - if (dir->d_inode == NULL) - /* no inode means this hasn't been made visible yet */ - return; - -+ parent_sd = dir->d_fsdata; - mutex_lock(&dir->d_inode->i_mutex); - list_for_each_entry(sd, &parent_sd->s_children, s_sibling) { - if (!sd->s_element) -diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c -index e38d633..e5ce6e7 100644 ---- a/fs/sysfs/symlink.c -+++ b/fs/sysfs/symlink.c -@@ -66,6 +66,7 @@ static int sysfs_add_link(struct dentry - if (!error) - return 0; - -+ kobject_put(target); - kfree(sl->link_name); - exit2: - kfree(sl); -diff --git a/fs/xfs/linux-2.6/xfs_aops.c b/fs/xfs/linux-2.6/xfs_aops.c -index 74d8be8..a980736 100644 ---- a/fs/xfs/linux-2.6/xfs_aops.c -+++ b/fs/xfs/linux-2.6/xfs_aops.c -@@ -616,7 +616,7 @@ xfs_is_delayed_page( - acceptable = (type == IOMAP_UNWRITTEN); - else if (buffer_delay(bh)) - acceptable = (type == IOMAP_DELAY); -- else if (buffer_mapped(bh)) -+ else if (buffer_dirty(bh) && buffer_mapped(bh)) - acceptable = (type == 0); - else - break; -diff --git a/include/asm-powerpc/floppy.h b/include/asm-powerpc/floppy.h -index e258778..608164c 100644 ---- a/include/asm-powerpc/floppy.h -+++ b/include/asm-powerpc/floppy.h -@@ -35,6 +35,7 @@ - #ifdef CONFIG_PCI - - #include -+#include /* for ppc64_isabridge_dev */ - - #define fd_dma_setup(addr,size,mode,io) powerpc_fd_dma_setup(addr,size,mode,io) - -@@ -52,12 +53,12 @@ static __inline__ int powerpc_fd_dma_set - if (bus_addr - && (addr != prev_addr || size != prev_size || dir != prev_dir)) { - /* different from last time -- unmap prev */ -- pci_unmap_single(NULL, bus_addr, prev_size, prev_dir); -+ pci_unmap_single(ppc64_isabridge_dev, bus_addr, prev_size, prev_dir); - bus_addr = 0; - } - - if (!bus_addr) /* need to map it */ -- bus_addr = pci_map_single(NULL, addr, size, dir); -+ bus_addr = pci_map_single(ppc64_isabridge_dev, addr, size, dir); - - /* remember this one as prev */ - prev_addr = addr; -diff --git a/include/linux/cpu.h b/include/linux/cpu.h -index 0ed1d48..d612b89 100644 ---- a/include/linux/cpu.h -+++ b/include/linux/cpu.h -@@ -32,7 +32,7 @@ struct cpu { - }; - - extern int register_cpu(struct cpu *, int, struct node *); --extern struct sys_device *get_cpu_sysdev(int cpu); -+extern struct sys_device *get_cpu_sysdev(unsigned cpu); - #ifdef CONFIG_HOTPLUG_CPU - extern void unregister_cpu(struct cpu *, struct node *); - #endif -diff --git a/include/linux/fb.h b/include/linux/fb.h -index 2cb19e6..2fdd8ae 100644 ---- a/include/linux/fb.h -+++ b/include/linux/fb.h -@@ -839,12 +839,10 @@ struct fb_info { - #define FB_LEFT_POS(bpp) (32 - bpp) - #define FB_SHIFT_HIGH(val, bits) ((val) >> (bits)) - #define FB_SHIFT_LOW(val, bits) ((val) << (bits)) --#define FB_BIT_NR(b) (7 - (b)) - #else - #define FB_LEFT_POS(bpp) (0) - #define FB_SHIFT_HIGH(val, bits) ((val) << (bits)) - #define FB_SHIFT_LOW(val, bits) ((val) >> (bits)) --#define FB_BIT_NR(b) (b) - #endif - - /* -diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h -index aa6322d..6c1e347 100644 ---- a/include/linux/proc_fs.h -+++ b/include/linux/proc_fs.h -@@ -78,7 +78,7 @@ struct kcore_list { - struct vmcore { - struct list_head list; - unsigned long long paddr; -- unsigned long size; -+ unsigned long long size; - loff_t offset; - }; - -diff --git a/include/linux/raid/raid1.h b/include/linux/raid/raid1.h -index 9d5494a..3009c81 100644 ---- a/include/linux/raid/raid1.h -+++ b/include/linux/raid/raid1.h -@@ -130,6 +130,6 @@ struct r1bio_s { - * with failure when last write completes (and all failed). - * Record that bi_end_io was called with this flag... - */ --#define R1BIO_Returned 4 -+#define R1BIO_Returned 6 - - #endif -diff --git a/include/linux/rtc.h b/include/linux/rtc.h -index 0b2ba67..b739ac1 100644 ---- a/include/linux/rtc.h -+++ b/include/linux/rtc.h -@@ -11,8 +11,6 @@ - #ifndef _LINUX_RTC_H_ - #define _LINUX_RTC_H_ - --#include -- - /* - * The struct used to pass data via the following ioctl. Similar to the - * struct tm in , but it needs to be here so that the kernel -@@ -95,6 +93,8 @@ struct rtc_pll_info { - - #ifdef __KERNEL__ - -+#include -+ - typedef struct rtc_task { - void (*func)(void *private_data); - void *private_data; -diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c -index 867d6db..c01cead 100644 ---- a/kernel/exec_domain.c -+++ b/kernel/exec_domain.c -@@ -140,6 +140,7 @@ __set_personality(u_long personality) - ep = lookup_exec_domain(personality); - if (ep == current_thread_info()->exec_domain) { - current->personality = personality; -+ module_put(ep->module); - return 0; - } - -diff --git a/kernel/fork.c b/kernel/fork.c -index b373322..9d4e0d8 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -720,7 +720,7 @@ out_release: - free_fdset (new_fdt->open_fds, new_fdt->max_fdset); - free_fd_array(new_fdt->fd, new_fdt->max_fds); - kmem_cache_free(files_cachep, newf); -- goto out; -+ return NULL; - } - - static int copy_files(unsigned long clone_flags, struct task_struct * tsk) -diff --git a/kernel/sched.c b/kernel/sched.c -index 4d46e90..4e7efac 100644 ---- a/kernel/sched.c -+++ b/kernel/sched.c -@@ -237,6 +237,7 @@ struct runqueue { - - task_t *migration_thread; - struct list_head migration_queue; -+ int cpu; - #endif - - #ifdef CONFIG_SCHEDSTATS -@@ -1660,6 +1661,9 @@ unsigned long nr_iowait(void) - /* - * double_rq_lock - safely lock two runqueues - * -+ * We must take them in cpu order to match code in -+ * dependent_sleeper and wake_dependent_sleeper. -+ * - * Note this does not disable interrupts like task_rq_lock, - * you need to do so manually before calling. - */ -@@ -1671,7 +1675,7 @@ static void double_rq_lock(runqueue_t *r - spin_lock(&rq1->lock); - __acquire(rq2->lock); /* Fake it out ;) */ - } else { -- if (rq1 < rq2) { -+ if (rq1->cpu < rq2->cpu) { - spin_lock(&rq1->lock); - spin_lock(&rq2->lock); - } else { -@@ -1707,7 +1711,7 @@ static void double_lock_balance(runqueue - __acquires(this_rq->lock) - { - if (unlikely(!spin_trylock(&busiest->lock))) { -- if (busiest < this_rq) { -+ if (busiest->cpu < this_rq->cpu) { - spin_unlock(&this_rq->lock); - spin_lock(&busiest->lock); - spin_lock(&this_rq->lock); -@@ -6035,6 +6039,7 @@ void __init sched_init(void) - rq->push_cpu = 0; - rq->migration_thread = NULL; - INIT_LIST_HEAD(&rq->migration_queue); -+ rq->cpu = i; - #endif - atomic_set(&rq->nr_iowait, 0); - -diff --git a/kernel/signal.c b/kernel/signal.c -index ea15410..bc8f80b 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -975,7 +975,6 @@ __group_complete_signal(int sig, struct - if (t == NULL) - /* restart balancing at this thread */ - t = p->signal->curr_target = p; -- BUG_ON(t->tgid != p->tgid); - - while (!wants_signal(sig, t)) { - t = next_thread(t); -diff --git a/net/core/sock.c b/net/core/sock.c -index 6e00811..5621198 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -404,8 +404,9 @@ set_rcvbuf: - if (!valbool) { - sk->sk_bound_dev_if = 0; - } else { -- if (optlen > IFNAMSIZ) -- optlen = IFNAMSIZ; -+ if (optlen > IFNAMSIZ - 1) -+ optlen = IFNAMSIZ - 1; -+ memset(devname, 0, sizeof(devname)); - if (copy_from_user(devname, optval, optlen)) { - ret = -EFAULT; - break; -diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c -index e320b32..24009be 100644 ---- a/net/ipv4/fib_trie.c -+++ b/net/ipv4/fib_trie.c -@@ -314,11 +314,6 @@ static void __leaf_free_rcu(struct rcu_h - kfree(container_of(head, struct leaf, rcu)); - } - --static inline void free_leaf(struct leaf *leaf) --{ -- call_rcu(&leaf->rcu, __leaf_free_rcu); --} -- - static void __leaf_info_free_rcu(struct rcu_head *head) - { - kfree(container_of(head, struct leaf_info, rcu)); -@@ -357,7 +352,12 @@ static void __tnode_free_rcu(struct rcu_ - - static inline void tnode_free(struct tnode *tn) - { -- call_rcu(&tn->rcu, __tnode_free_rcu); -+ if(IS_LEAF(tn)) { -+ struct leaf *l = (struct leaf *) tn; -+ call_rcu_bh(&l->rcu, __leaf_free_rcu); -+ } -+ else -+ call_rcu(&tn->rcu, __tnode_free_rcu); - } - - static struct leaf *leaf_new(void) -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 8ee4d01..f75ff1d 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock * - iph->tos = inet->tos; - iph->tot_len = htons(skb->len); - iph->frag_off = df; -- if (!df) { -- __ip_select_ident(iph, &rt->u.dst, 0); -- } else { -- iph->id = htons(inet->id++); -- } -+ ip_select_ident(iph, &rt->u.dst, sk); - iph->ttl = ttl; - iph->protocol = sk->sk_protocol; - iph->saddr = rt->rt_src; -diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c -index e0b5926..d4e6d0a 100644 ---- a/net/ipv4/netfilter/ip_conntrack_netlink.c -+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c -@@ -1619,7 +1619,7 @@ static void __exit ctnetlink_exit(void) - printk("ctnetlink: unregistering from nfnetlink.\n"); - - #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS -- ip_conntrack_unregister_notifier(&ctnl_notifier_exp); -+ ip_conntrack_expect_unregister_notifier(&ctnl_notifier_exp); - ip_conntrack_unregister_notifier(&ctnl_notifier); - #endif - -diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c -index 9ff3463..40edeef 100644 ---- a/net/netfilter/nf_conntrack_netlink.c -+++ b/net/netfilter/nf_conntrack_netlink.c -@@ -1641,7 +1641,7 @@ static void __exit ctnetlink_exit(void) - printk("ctnetlink: unregistering from nfnetlink.\n"); - - #ifdef CONFIG_NF_CONNTRACK_EVENTS -- nf_conntrack_unregister_notifier(&ctnl_notifier_exp); -+ nf_conntrack_expect_unregister_notifier(&ctnl_notifier_exp); - nf_conntrack_unregister_notifier(&ctnl_notifier); - #endif - -diff --git a/security/keys/key.c b/security/keys/key.c -index 99781b7..0e2584e 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t - - key_check(keyring); - -+ key_ref = ERR_PTR(-ENOTDIR); -+ if (keyring->type != &key_type_keyring) -+ goto error_2; -+ - down_write(&keyring->sem); - - /* if we're going to allocate a new key, we're going to have -diff --git a/security/keys/keyring.c b/security/keys/keyring.c -index d65a180..bffa924 100644 ---- a/security/keys/keyring.c -+++ b/security/keys/keyring.c -@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search); - /* - * search the given keyring only (no recursion) - * - keyring must be locked by caller -+ * - caller must guarantee that the keyring is a keyring - */ - key_ref_t __keyring_search_one(key_ref_t keyring_ref, - const struct key_type *ktype, -diff --git a/sound/isa/opti9xx/opti92x-ad1848.c b/sound/isa/opti9xx/opti92x-ad1848.c -index 63d96be..65b28cb 100644 ---- a/sound/isa/opti9xx/opti92x-ad1848.c -+++ b/sound/isa/opti9xx/opti92x-ad1848.c -@@ -2088,9 +2088,11 @@ static int __init alsa_card_opti9xx_init - int error; - struct platform_device *device; - -+#ifdef CONFIG_PNP - pnp_register_card_driver(&opti9xx_pnpc_driver); - if (snd_opti9xx_pnp_is_probed) - return 0; -+#endif - if (! is_isapnp_selected()) { - error = platform_driver_register(&snd_opti9xx_driver); - if (error < 0) -@@ -2102,7 +2104,9 @@ static int __init alsa_card_opti9xx_init - } - platform_driver_unregister(&snd_opti9xx_driver); - } -+#ifdef CONFIG_PNP - pnp_unregister_card_driver(&opti9xx_pnpc_driver); -+#endif - #ifdef MODULE - printk(KERN_ERR "no OPTi " CHIP_NAME " soundcard found\n"); - #endif -@@ -2115,7 +2119,9 @@ static void __exit alsa_card_opti9xx_exi - platform_device_unregister(snd_opti9xx_platform_device); - platform_driver_unregister(&snd_opti9xx_driver); - } -+#ifdef CONFIG_PNP - pnp_unregister_card_driver(&opti9xx_pnpc_driver); -+#endif - } - - module_init(alsa_card_opti9xx_init) -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index b767552..d5cd3a1 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2948,6 +2948,8 @@ static struct hda_board_config alc260_cf - { .modelname = "basic", .config = ALC260_BASIC }, - { .pci_subvendor = 0x104d, .pci_subdevice = 0x81bb, - .config = ALC260_BASIC }, /* Sony VAIO */ -+ { .pci_subvendor = 0x152d, .pci_subdevice = 0x0729, -+ .config = ALC260_BASIC }, /* CTL Travel Master U553W */ - { .modelname = "hp", .config = ALC260_HP }, - { .pci_subvendor = 0x103c, .pci_subdevice = 0x3010, .config = ALC260_HP }, - { .pci_subvendor = 0x103c, .pci_subdevice = 0x3011, .config = ALC260_HP }, diff --git a/target/device/AMD/DBAu1500/kernel-patches/100_VERSION.patch b/target/device/AMD/DBAu1500/kernel-patches/100_VERSION.patch index a28390d62..26ab03a48 100644 --- a/target/device/AMD/DBAu1500/kernel-patches/100_VERSION.patch +++ b/target/device/AMD/DBAu1500/kernel-patches/100_VERSION.patch @@ -4,9 +4,9 @@ VERSION = 2 PATCHLEVEL = 6 -SUBLEVEL = 16 --EXTRAVERSION = .4 +-EXTRAVERSION = .20 +SUBLEVEL = 16 -+EXTRAVERSION = .4-erik ++EXTRAVERSION = .20-erik NAME=Sliding Snow Leopard # *DOCUMENTATION* diff --git a/target/device/AMD/DBAu1500/linux.config b/target/device/AMD/DBAu1500/linux.config index e6afee886..c18739270 100644 --- a/target/device/AMD/DBAu1500/linux.config +++ b/target/device/AMD/DBAu1500/linux.config @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit -# Linux kernel version: 2.6.16-erik -# Sat Mar 25 11:26:00 2006 +# Linux kernel version: 2.6.16.4-erik +# Tue Apr 11 21:14:49 2006 # CONFIG_MIPS=y @@ -245,7 +245,7 @@ CONFIG_PACKET=y # CONFIG_PACKET_MMAP is not set CONFIG_UNIX=y CONFIG_XFRM=y -CONFIG_XFRM_USER=m +# CONFIG_XFRM_USER is not set CONFIG_NET_KEY=y CONFIG_INET=y CONFIG_IP_MULTICAST=y @@ -263,7 +263,7 @@ CONFIG_IP_PNP_BOOTP=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set -CONFIG_INET_TUNNEL=m +CONFIG_INET_TUNNEL=y # CONFIG_INET_DIAG is not set # CONFIG_TCP_CONG_ADVANCED is not set CONFIG_TCP_CONG_BIC=y @@ -454,10 +454,8 @@ CONFIG_BLK_DEV_LOOP=y # CONFIG_BLK_DEV_UB is not set # CONFIG_BLK_DEV_RAM is not set CONFIG_BLK_DEV_RAM_COUNT=16 -CONFIG_CDROM_PKTCDVD=m -CONFIG_CDROM_PKTCDVD_BUFFERS=8 -# CONFIG_CDROM_PKTCDVD_WCACHE is not set -CONFIG_ATA_OVER_ETH=m +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set # # ATA/ATAPI/MFM/RLL support @@ -591,15 +589,7 @@ CONFIG_MIPS_AU1X00_ENET=y # CONFIG_WAN is not set # CONFIG_FDDI is not set # CONFIG_HIPPI is not set -CONFIG_PPP=m -CONFIG_PPP_MULTILINK=y -# CONFIG_PPP_FILTER is not set -CONFIG_PPP_ASYNC=m -# CONFIG_PPP_SYNC_TTY is not set -CONFIG_PPP_DEFLATE=m -# CONFIG_PPP_BSDCOMP is not set -# CONFIG_PPP_MPPE is not set -CONFIG_PPPOE=m +# CONFIG_PPP is not set # CONFIG_SLIP is not set # CONFIG_SHAPER is not set # CONFIG_NETCONSOLE is not set @@ -650,7 +640,7 @@ CONFIG_SERIO=y CONFIG_SERIO_SERPORT=y # CONFIG_SERIO_PCIPS2 is not set # CONFIG_SERIO_LIBPS2 is not set -CONFIG_SERIO_RAW=m +# CONFIG_SERIO_RAW is not set # CONFIG_GAMEPORT is not set # @@ -915,11 +905,7 @@ CONFIG_USB_HIDINPUT=y # # File systems # -CONFIG_EXT2_FS=y -CONFIG_EXT2_FS_XATTR=y -CONFIG_EXT2_FS_POSIX_ACL=y -# CONFIG_EXT2_FS_SECURITY is not set -# CONFIG_EXT2_FS_XIP is not set +# CONFIG_EXT2_FS is not set CONFIG_EXT3_FS=y CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_POSIX_ACL=y @@ -927,12 +913,7 @@ CONFIG_EXT3_FS_SECURITY=y CONFIG_JBD=y # CONFIG_JBD_DEBUG is not set CONFIG_FS_MBCACHE=y -CONFIG_REISERFS_FS=m -# CONFIG_REISERFS_CHECK is not set -# CONFIG_REISERFS_PROC_INFO is not set -CONFIG_REISERFS_FS_XATTR=y -CONFIG_REISERFS_FS_POSIX_ACL=y -CONFIG_REISERFS_FS_SECURITY=y +# CONFIG_REISERFS_FS is not set # CONFIG_JFS_FS is not set CONFIG_FS_POSIX_ACL=y # CONFIG_XFS_FS is not set @@ -942,8 +923,8 @@ CONFIG_FS_POSIX_ACL=y CONFIG_INOTIFY=y # CONFIG_QUOTA is not set CONFIG_DNOTIFY=y -CONFIG_AUTOFS_FS=m -CONFIG_AUTOFS4_FS=m +# CONFIG_AUTOFS_FS is not set +# CONFIG_AUTOFS4_FS is not set # CONFIG_FUSE_FS is not set # @@ -983,7 +964,7 @@ CONFIG_RAMFS=y # CONFIG_EFS_FS is not set # CONFIG_JFFS_FS is not set # CONFIG_JFFS2_FS is not set -CONFIG_CRAMFS=m +CONFIG_CRAMFS=y # CONFIG_VXFS_FS is not set # CONFIG_HPFS_FS is not set # CONFIG_QNX4FS_FS is not set @@ -996,22 +977,22 @@ CONFIG_CRAMFS=m CONFIG_NFS_FS=y CONFIG_NFS_V3=y # CONFIG_NFS_V3_ACL is not set -CONFIG_NFS_V4=y +# CONFIG_NFS_V4 is not set # CONFIG_NFS_DIRECTIO is not set -CONFIG_NFSD=m -# CONFIG_NFSD_V3 is not set +CONFIG_NFSD=y +CONFIG_NFSD_V3=y +# CONFIG_NFSD_V3_ACL is not set +# CONFIG_NFSD_V4 is not set # CONFIG_NFSD_TCP is not set CONFIG_ROOT_NFS=y CONFIG_LOCKD=y CONFIG_LOCKD_V4=y -CONFIG_EXPORTFS=m +CONFIG_EXPORTFS=y CONFIG_NFS_COMMON=y CONFIG_SUNRPC=y -CONFIG_SUNRPC_GSS=y -CONFIG_RPCSEC_GSS_KRB5=y +# CONFIG_RPCSEC_GSS_KRB5 is not set # CONFIG_RPCSEC_GSS_SPKM3 is not set -CONFIG_SMB_FS=m -# CONFIG_SMB_NLS_DEFAULT is not set +# CONFIG_SMB_FS is not set # CONFIG_CIFS is not set # CONFIG_NCP_FS is not set # CONFIG_CODA_FS is not set @@ -1027,46 +1008,7 @@ CONFIG_MSDOS_PARTITION=y # # Native Language Support # -CONFIG_NLS=m -CONFIG_NLS_DEFAULT="iso8859-1" -# CONFIG_NLS_CODEPAGE_437 is not set -# CONFIG_NLS_CODEPAGE_737 is not set -# CONFIG_NLS_CODEPAGE_775 is not set -# CONFIG_NLS_CODEPAGE_850 is not set -# CONFIG_NLS_CODEPAGE_852 is not set -# CONFIG_NLS_CODEPAGE_855 is not set -# CONFIG_NLS_CODEPAGE_857 is not set -# CONFIG_NLS_CODEPAGE_860 is not set -# CONFIG_NLS_CODEPAGE_861 is not set -# CONFIG_NLS_CODEPAGE_862 is not set -# CONFIG_NLS_CODEPAGE_863 is not set -# CONFIG_NLS_CODEPAGE_864 is not set -# CONFIG_NLS_CODEPAGE_865 is not set -# CONFIG_NLS_CODEPAGE_866 is not set -# CONFIG_NLS_CODEPAGE_869 is not set -# CONFIG_NLS_CODEPAGE_936 is not set -# CONFIG_NLS_CODEPAGE_950 is not set -# CONFIG_NLS_CODEPAGE_932 is not set -# CONFIG_NLS_CODEPAGE_949 is not set -# CONFIG_NLS_CODEPAGE_874 is not set -# CONFIG_NLS_ISO8859_8 is not set -# CONFIG_NLS_CODEPAGE_1250 is not set -# CONFIG_NLS_CODEPAGE_1251 is not set -# CONFIG_NLS_ASCII is not set -# CONFIG_NLS_ISO8859_1 is not set -# CONFIG_NLS_ISO8859_2 is not set -# CONFIG_NLS_ISO8859_3 is not set -# CONFIG_NLS_ISO8859_4 is not set -# CONFIG_NLS_ISO8859_5 is not set -# CONFIG_NLS_ISO8859_6 is not set -# CONFIG_NLS_ISO8859_7 is not set -# CONFIG_NLS_ISO8859_9 is not set -# CONFIG_NLS_ISO8859_13 is not set -# CONFIG_NLS_ISO8859_14 is not set -# CONFIG_NLS_ISO8859_15 is not set -# CONFIG_NLS_KOI8_R is not set -# CONFIG_NLS_KOI8_U is not set -# CONFIG_NLS_UTF8 is not set +# CONFIG_NLS is not set # # Profiling support @@ -1086,38 +1028,13 @@ CONFIG_CMDLINE="root=/dev/nfs ip=bootp" # # Security options # -CONFIG_KEYS=y -CONFIG_KEYS_DEBUG_PROC_KEYS=y +# CONFIG_KEYS is not set # CONFIG_SECURITY is not set # # Cryptographic options # -CONFIG_CRYPTO=y -CONFIG_CRYPTO_HMAC=y -CONFIG_CRYPTO_NULL=y -# CONFIG_CRYPTO_MD4 is not set -CONFIG_CRYPTO_MD5=y -# CONFIG_CRYPTO_SHA1 is not set -# CONFIG_CRYPTO_SHA256 is not set -CONFIG_CRYPTO_SHA512=y -CONFIG_CRYPTO_WP512=m -CONFIG_CRYPTO_TGR192=m -CONFIG_CRYPTO_DES=y -# CONFIG_CRYPTO_BLOWFISH is not set -CONFIG_CRYPTO_TWOFISH=y -# CONFIG_CRYPTO_SERPENT is not set -CONFIG_CRYPTO_AES=m -# CONFIG_CRYPTO_CAST5 is not set -# CONFIG_CRYPTO_CAST6 is not set -CONFIG_CRYPTO_TEA=m -# CONFIG_CRYPTO_ARC4 is not set -CONFIG_CRYPTO_KHAZAD=m -CONFIG_CRYPTO_ANUBIS=m -CONFIG_CRYPTO_DEFLATE=y -CONFIG_CRYPTO_MICHAEL_MIC=y -CONFIG_CRYPTO_CRC32C=m -# CONFIG_CRYPTO_TEST is not set +# CONFIG_CRYPTO is not set # # Hardware crypto devices @@ -1126,9 +1043,8 @@ CONFIG_CRYPTO_CRC32C=m # # Library routines # -CONFIG_CRC_CCITT=m +CONFIG_CRC_CCITT=y CONFIG_CRC16=y CONFIG_CRC32=y -CONFIG_LIBCRC32C=m +CONFIG_LIBCRC32C=y CONFIG_ZLIB_INFLATE=y -CONFIG_ZLIB_DEFLATE=y -- cgit v1.2.3