bitkeeper revision 1.1159.258.167 (42ad874eIWwyPd8tmJO5tkGQ2JoYXQ)
authoriap10@freefall.cl.cam.ac.uk <iap10@freefall.cl.cam.ac.uk>
Mon, 13 Jun 2005 13:17:02 +0000 (13:17 +0000)
committeriap10@freefall.cl.cam.ac.uk <iap10@freefall.cl.cam.ac.uk>
Mon, 13 Jun 2005 13:17:02 +0000 (13:17 +0000)
Upgrade to linux patch 2.6.11.12
Signed-off-by: ian@xensource.com
.rootkeys
patches/linux-2.6.11/linux-2.6.11.11.patch [deleted file]
patches/linux-2.6.11/linux-2.6.11.12.patch [new file with mode: 0644]

index 491ce0e05b0bdd9bb85ae60961e72f5be2d6c0dc..4f6f54f6577e5de1fa070f632889bac297b12566 100644 (file)
--- a/.rootkeys
+++ b/.rootkeys
 413cb3b53nyOv1OIeDSsCXhBFDXvJA netbsd-2.0-xen-sparse/sys/nfs/files.nfs
 413aa1d0oNP8HXLvfPuMe6cSroUfSA patches/linux-2.6.11/agpgart.patch
 42372652KCUP-IOH9RN19YQmGhs4aA patches/linux-2.6.11/iomap.patch
-428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.11.patch
+428359d4b3fDYtazwXi4UUmSWaOUew patches/linux-2.6.11/linux-2.6.11.12.patch
 418abc69J3F638vPO9MYoDGeYilxoQ patches/linux-2.6.11/nettel.patch
 429ae875I9ZrqrRDjGD34IC2kzDREw patches/linux-2.6.11/rcu-nohz.patch
 429ba3007184K-y6WHQ6KgY65-lEIQ patches/linux-2.6.11/udp-frag.patch
diff --git a/patches/linux-2.6.11/linux-2.6.11.11.patch b/patches/linux-2.6.11/linux-2.6.11.11.patch
deleted file mode 100644 (file)
index 5720fd2..0000000
+++ /dev/null
@@ -1,2304 +0,0 @@
-diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs
-new file mode 100644
---- /dev/null
-+++ b/Documentation/SecurityBugs
-@@ -0,0 +1,38 @@
-+Linux kernel developers take security very seriously.  As such, we'd
-+like to know when a security bug is found so that it can be fixed and
-+disclosed as quickly as possible.  Please report security bugs to the
-+Linux kernel security team.
-+
-+1) Contact
-+
-+The Linux kernel security team can be contacted by email at
-+<security@kernel.org>.  This is a private list of security officers
-+who will help verify the bug report and develop and release a fix.
-+It is possible that the security team will bring in extra help from
-+area maintainers to understand and fix the security vulnerability.
-+
-+As it is with any bug, the more information provided the easier it
-+will be to diagnose and fix.  Please review the procedure outlined in
-+REPORTING-BUGS if you are unclear about what information is helpful.
-+Any exploit code is very helpful and will not be released without
-+consent from the reporter unless it has already been made public.
-+
-+2) Disclosure
-+
-+The goal of the Linux kernel security team is to work with the
-+bug submitter to bug resolution as well as disclosure.  We prefer
-+to fully disclose the bug as soon as possible.  It is reasonable to
-+delay disclosure when the bug or the fix is not yet fully understood,
-+the solution is not well-tested or for vendor coordination.  However, we
-+expect these delays to be short, measurable in days, not weeks or months.
-+A disclosure date is negotiated by the security team working with the
-+bug submitter as well as vendors.  However, the kernel security team
-+holds the final say when setting a disclosure date.  The timeframe for
-+disclosure is from immediate (esp. if it's already publically known)
-+to a few weeks.  As a basic default policy, we expect report date to
-+disclosure date to be on the order of 7 days.
-+
-+3) Non-disclosure agreements
-+
-+The Linux kernel security team is not a formal body and therefore unable
-+to enter any non-disclosure agreements.
-diff --git a/MAINTAINERS b/MAINTAINERS
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -1966,6 +1966,11 @@ M:      christer@weinigel.se
- W:    http://www.weinigel.se
- S:    Supported
-+SECURITY CONTACT
-+P:    Security Officers
-+M:    security@kernel.org
-+S:    Supported
-+
- SELINUX SECURITY MODULE
- P:    Stephen Smalley
- M:    sds@epoch.ncsc.mil
-diff --git a/Makefile b/Makefile
---- a/Makefile
-+++ b/Makefile
-@@ -1,8 +1,8 @@
- VERSION = 2
- PATCHLEVEL = 6
- SUBLEVEL = 11
--EXTRAVERSION =
--NAME=Woozy Numbat
-+EXTRAVERSION = .11
-+NAME=Woozy Beaver
- # *DOCUMENTATION*
- # To see a list of typical targets execute "make help"
-diff --git a/REPORTING-BUGS b/REPORTING-BUGS
---- a/REPORTING-BUGS
-+++ b/REPORTING-BUGS
-@@ -16,6 +16,10 @@ code relevant to what you were doing. If
- describe how to recreate it. That is worth even more than the oops itself.
- The list of maintainers is in the MAINTAINERS file in this directory.
-+      If it is a security bug, please copy the Security Contact listed
-+in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
-+See Documentation/SecurityBugs for more infomation.
-+
-       If you are totally stumped as to whom to send the report, send it to
- linux-kernel@vger.kernel.org. (For more information on the linux-kernel
- mailing list see http://www.tux.org/lkml/).
-diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
---- a/arch/ia64/kernel/fsys.S
-+++ b/arch/ia64/kernel/fsys.S
-@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down)
-       movl r2=ia64_ret_from_syscall
-       ;;
-       mov rp=r2                               // set the real return addr
--      tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
-+      and r3=_TIF_SYSCALL_TRACEAUDIT,r3
-       ;;
-+      cmp.eq p8,p0=r3,r0
-+
- (p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8
- (p8)  br.call.sptk.many b6=b6         // ignore this return addr
-       br.cond.sptk ia64_trace_syscall
-diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
---- a/arch/ia64/kernel/signal.c
-+++ b/arch/ia64/kernel/signal.c
-@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc
-        * could be corrupted.
-        */
-       retval = (long) &ia64_leave_kernel;
--      if (test_thread_flag(TIF_SYSCALL_TRACE))
-+      if (test_thread_flag(TIF_SYSCALL_TRACE)
-+          || test_thread_flag(TIF_SYSCALL_AUDIT))
-               /*
-                * strace expects to be notified after sigreturn returns even though the
-                * context to which we return may not be in the middle of a syscall.
-diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
---- a/arch/ppc/oprofile/op_model_fsl_booke.c
-+++ b/arch/ppc/oprofile/op_model_fsl_booke.c
-@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s
-       int is_kernel;
-       int val;
-       int i;
--      unsigned int cpu = smp_processor_id();
-       /* set the PMM bit (see comment below) */
-       mtmsr(mfmsr() | MSR_PMM);
-@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s
-               val = ctr_read(i);
-               if (val < 0) {
-                       if (oprofile_running && ctr[i].enabled) {
--                              oprofile_add_sample(pc, is_kernel, i, cpu);
-+                              oprofile_add_pc(pc, is_kernel, i);
-                               ctr_write(i, reset_value[i]);
-                       } else {
-                               ctr_write(i, 0);
-diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
---- a/arch/ppc/platforms/4xx/ebony.h
-+++ b/arch/ppc/platforms/4xx/ebony.h
-@@ -61,8 +61,8 @@
-  */
- /* OpenBIOS defined UART mappings, used before early_serial_setup */
--#define UART0_IO_BASE (u8 *) 0xE0000200
--#define UART1_IO_BASE (u8 *) 0xE0000300
-+#define UART0_IO_BASE 0xE0000200
-+#define UART1_IO_BASE 0xE0000300
- /* external Epson SG-615P */
- #define BASE_BAUD     691200
-diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
---- a/arch/ppc/platforms/4xx/luan.h
-+++ b/arch/ppc/platforms/4xx/luan.h
-@@ -47,9 +47,9 @@
- #define RS_TABLE_SIZE 3
- /* PIBS defined UART mappings, used before early_serial_setup */
--#define UART0_IO_BASE (u8 *) 0xa0000200
--#define UART1_IO_BASE (u8 *) 0xa0000300
--#define UART2_IO_BASE (u8 *) 0xa0000600
-+#define UART0_IO_BASE 0xa0000200
-+#define UART1_IO_BASE 0xa0000300
-+#define UART2_IO_BASE 0xa0000600
- #define BASE_BAUD     11059200
- #define STD_UART_OP(num)                                      \
-diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
---- a/arch/ppc/platforms/4xx/ocotea.h
-+++ b/arch/ppc/platforms/4xx/ocotea.h
-@@ -56,8 +56,8 @@
- #define RS_TABLE_SIZE 2
- /* OpenBIOS defined UART mappings, used before early_serial_setup */
--#define UART0_IO_BASE (u8 *) 0xE0000200
--#define UART1_IO_BASE (u8 *) 0xE0000300
-+#define UART0_IO_BASE 0xE0000200
-+#define UART1_IO_BASE 0xE0000300
- #define BASE_BAUD     11059200/16
- #define STD_UART_OP(num)                                      \
-diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c
---- a/arch/ppc64/kernel/pSeries_iommu.c
-+++ b/arch/ppc64/kernel/pSeries_iommu.c
-@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st
-       struct device_node *dn, *pdn;
-       unsigned int *dma_window = NULL;
-+      DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self);
-+
-       dn = pci_bus_to_OF_node(bus);
-       /* Find nearest ibm,dma-window, walking up the device tree */
-@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru
-       }
- }
-+static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev)
-+{
-+      struct device_node *pdn, *dn;
-+      struct iommu_table *tbl;
-+      int *dma_window = NULL;
-+
-+      DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name);
-+
-+      /* dev setup for LPAR is a little tricky, since the device tree might
-+       * contain the dma-window properties per-device and not neccesarily
-+       * for the bus. So we need to search upwards in the tree until we
-+       * either hit a dma-window property, OR find a parent with a table
-+       * already allocated.
-+       */
-+      dn = pci_device_to_OF_node(dev);
-+
-+      for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) {
-+              dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL);
-+              if (dma_window)
-+                      break;
-+      }
-+
-+      /* Check for parent == NULL so we don't try to setup the empty EADS
-+       * slots on POWER4 machines.
-+       */
-+      if (dma_window == NULL || pdn->parent == NULL) {
-+              /* Fall back to regular (non-LPAR) dev setup */
-+              DBG("No dma window for device, falling back to regular setup\n");
-+              iommu_dev_setup_pSeries(dev);
-+              return;
-+      } else {
-+              DBG("Found DMA window, allocating table\n");
-+      }
-+
-+      if (!pdn->iommu_table) {
-+              /* iommu_table_setparms_lpar needs bussubno. */
-+              pdn->bussubno = pdn->phb->bus->number;
-+
-+              tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table),
-+                                                  GFP_KERNEL);
-+
-+              iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window);
-+
-+              pdn->iommu_table = iommu_init_table(tbl);
-+      }
-+
-+      if (pdn != dn)
-+              dn->iommu_table = pdn->iommu_table;
-+}
-+
- static void iommu_bus_setup_null(struct pci_bus *b) { }
- static void iommu_dev_setup_null(struct pci_dev *d) { }
-@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void)
-                       ppc_md.tce_free  = tce_free_pSeriesLP;
-               }
-               ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP;
-+              ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP;
-       } else {
-               ppc_md.tce_build = tce_build_pSeries;
-               ppc_md.tce_free  = tce_free_pSeries;
-               ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries;
-+              ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
-       }
--      ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
-       pci_iommu_init();
- }
-diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
---- a/arch/sparc/kernel/ptrace.c
-+++ b/arch/sparc/kernel/ptrace.c
-@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs
-                       pt_error_return(regs, EIO);
-                       goto out_tsk;
-               }
--              if (addr != 1) {
--                      if (addr & 3) {
--                              pt_error_return(regs, EINVAL);
--                              goto out_tsk;
--                      }
--#ifdef DEBUG_PTRACE
--                      printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
--                      printk ("Continuing with %08lx %08lx\n", addr, addr+4);
--#endif
--                      child->thread.kregs->pc = addr;
--                      child->thread.kregs->npc = addr + 4;
--              }
-               if (request == PTRACE_SYSCALL)
-                       set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
-diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
---- a/arch/sparc64/kernel/ptrace.c
-+++ b/arch/sparc64/kernel/ptrace.c
-@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs
-                       pt_error_return(regs, EIO);
-                       goto out_tsk;
-               }
--              if (addr != 1) {
--                      unsigned long pc_mask = ~0UL;
--
--                      if ((child->thread_info->flags & _TIF_32BIT) != 0)
--                              pc_mask = 0xffffffff;
--
--                      if (addr & 3) {
--                              pt_error_return(regs, EINVAL);
--                              goto out_tsk;
--                      }
--#ifdef DEBUG_PTRACE
--                      printk ("Original: %016lx %016lx\n",
--                              child->thread_info->kregs->tpc,
--                              child->thread_info->kregs->tnpc);
--                      printk ("Continuing with %016lx %016lx\n", addr, addr+4);
--#endif
--                      child->thread_info->kregs->tpc = (addr & pc_mask);
--                      child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
--              }
-               if (request == PTRACE_SYSCALL) {
-                       set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
-diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
---- a/arch/sparc64/kernel/signal32.c
-+++ b/arch/sparc64/kernel/signal32.c
-@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf
-                       err |= __put_user(from->si_uid, &to->si_uid);
-                       break;
-               case __SI_FAULT >> 16:
--              case __SI_POLL >> 16:
-                       err |= __put_user(from->si_trapno, &to->si_trapno);
-                       err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
-                       break;
-+              case __SI_POLL >> 16:
-+                      err |= __put_user(from->si_band, &to->si_band);
-+                      err |= __put_user(from->si_fd, &to->si_fd);
-+                      break;
-               case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
-               case __SI_MESGQ >> 16:
-                       err |= __put_user(from->si_pid, &to->si_pid);
-diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
---- a/arch/sparc64/kernel/systbls.S
-+++ b/arch/sparc64/kernel/systbls.S
-@@ -75,7 +75,7 @@ sys_call_table32:
- /*260*/       .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
-       .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
- /*270*/       .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
--      .word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
-+      .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
- /*280*/       .word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
- #endif /* CONFIG_COMPAT */
-diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
---- a/arch/um/include/sysdep-i386/syscalls.h
-+++ b/arch/um/include/sysdep-i386/syscalls.h
-@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr
-                     unsigned long prot, unsigned long flags,
-                     unsigned long fd, unsigned long pgoff);
-+/* On i386 they choose a meaningless naming.*/
-+#define __NR_kexec_load __NR_sys_kexec_load
-+
- #define ARCH_SYSCALLS \
-       [ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
-       [ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
-@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr
-       [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
-       [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
-       [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
--      [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
-       [ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
--        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
--      [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
--      [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
--        
-+      [ 285 ] = (syscall_handler_t *) sys_ni_syscall,
-+
- /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
--#define LAST_ARCH_SYSCALL __NR_vserver
-+#define LAST_ARCH_SYSCALL 285
- /*
-  * Overrides for Emacs so that we follow Linus's tabbing style.
-diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
---- a/arch/um/include/sysdep-x86_64/syscalls.h
-+++ b/arch/um/include/sysdep-x86_64/syscalls.h
-@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl;
-       [ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
-       [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
-       [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
--        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
-       [ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
--      [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
--      [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
--      [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
--      [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
-       [ 251 ] = (syscall_handler_t *) sys_ni_syscall,
- #define LAST_ARCH_SYSCALL 251
-diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
---- a/arch/um/kernel/skas/uaccess.c
-+++ b/arch/um/kernel/skas/uaccess.c
-@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v
-       void *arg;
-       int *res;
--      va_copy(args, *(va_list *)arg_ptr);
-+      /* Some old gccs recognize __va_copy, but not va_copy */
-+      __va_copy(args, *(va_list *)arg_ptr);
-       addr = va_arg(args, unsigned long);
-       len = va_arg(args, int);
-       is_write = va_arg(args, int);
-diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
---- a/arch/um/kernel/sys_call_table.c
-+++ b/arch/um/kernel/sys_call_table.c
-@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork;
- extern syscall_handler_t old_select;
- extern syscall_handler_t sys_modify_ldt;
- extern syscall_handler_t sys_rt_sigsuspend;
--extern syscall_handler_t sys_vserver;
- extern syscall_handler_t sys_mbind;
- extern syscall_handler_t sys_get_mempolicy;
- extern syscall_handler_t sys_set_mempolicy;
-@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = {
-       [ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
-       [ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
-       [ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
-+      [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
-         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
-       [ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
-       [ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
-@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = {
-       [ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
-       [ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
-       [ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
--      [ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
--      [ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
-       [ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
-       [ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
--      [ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
--      [ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
-+      [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
-+      [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
-       [ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
-       [ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
-       [ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
-@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = {
-       [ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
-       [ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
-       [ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
--      [ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
-+      [ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
-       [ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
--      [ 285 ] = (syscall_handler_t *) sys_ni_syscall,
-       [ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
-       [ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
-       [ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
-diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
---- a/arch/x86_64/kernel/ptrace.c
-+++ b/arch/x86_64/kernel/ptrace.c
-@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
-                       value &= 0xffff;
-                       return 0;
-               case offsetof(struct user_regs_struct,fs_base):
--                      if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
--                              return -EIO; 
-+                      if (value >= TASK_SIZE)
-+                              return -EIO;
-                       child->thread.fs = value;
-                       return 0;
-               case offsetof(struct user_regs_struct,gs_base):
--                      if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
--                              return -EIO; 
-+                      if (value >= TASK_SIZE)
-+                              return -EIO;
-                       child->thread.gs = value;
-                       return 0;
-               case offsetof(struct user_regs_struct, eflags):
-@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
-                               return -EIO;
-                       value &= 0xffff;
-                       break;
-+              case offsetof(struct user_regs_struct, rip):
-+                      /* Check if the new RIP address is canonical */
-+                      if (value >= TASK_SIZE)
-+                              return -EIO;
-+                      break;
-       }
-       put_stack_long(child, regno - sizeof(struct pt_regs), value);
-       return 0;
-diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c
---- a/arch/x86_64/mm/fault.c
-+++ b/arch/x86_64/mm/fault.c
-@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne
- /*
-  * Handle a fault on the vmalloc or module mapping area
-+ *
-+ * This assumes no large pages in there.
-  */
- static int vmalloc_fault(unsigned long address)
- {
-@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a
-       if (!pte_present(*pte_ref))
-               return -1;
-       pte = pte_offset_kernel(pmd, address);
--      if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref))
-+      /* Don't use pte_page here, because the mappings can point
-+         outside mem_map, and the NUMA hash lookup cannot handle
-+         that. */
-+      if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
-               BUG();
-       __flush_tlb_all();
-       return 0;
-@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_
-        * protection error (error_code & 1) == 0.
-        */
-       if (unlikely(address >= TASK_SIZE)) {
--              if (!(error_code & 5)) {
-+              if (!(error_code & 5) &&
-+                    ((address >= VMALLOC_START && address < VMALLOC_END) ||
-+                     (address >= MODULES_VADDR && address < MODULES_END))) {
-                       if (vmalloc_fault(address) < 0)
-                               goto bad_area_nosemaphore;
-                       return;
-diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c
---- a/arch/x86_64/mm/ioremap.c
-+++ b/arch/x86_64/mm/ioremap.c
-@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr
-       if ((p->flags >> 20) &&
-               p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) {
-               /* p->size includes the guard page, but cpa doesn't like that */
--              change_page_attr(virt_to_page(__va(p->phys_addr)),
-+              change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
-                                (p->size - PAGE_SIZE) >> PAGE_SHIFT,
-                                PAGE_KERNEL);                           
-               global_flush_tlb();
-diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c
---- a/drivers/block/ioctl.c
-+++ b/drivers/block/ioctl.c
-@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi
-       }
-       return ret;
- }
-+
-+EXPORT_SYMBOL_GPL(blkdev_ioctl);
-diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
---- a/drivers/block/pktcdvd.c
-+++ b/drivers/block/pktcdvd.c
-@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode
-       case CDROM_LAST_WRITTEN:
-       case CDROM_SEND_PACKET:
-       case SCSI_IOCTL_SEND_COMMAND:
--              return ioctl_by_bdev(pd->bdev, cmd, arg);
-+              return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
-       case CDROMEJECT:
-               /*
-@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode
-                * have to unlock it or else the eject command fails.
-                */
-               pkt_lock_door(pd, 0);
--              return ioctl_by_bdev(pd->bdev, cmd, arg);
-+              return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
-       default:
-               printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
-diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
---- a/drivers/char/drm/drm_ioctl.c
-+++ b/drivers/char/drm/drm_ioctl.c
-@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS)
-       DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
-+      memset(&version, 0, sizeof(version));
-+
-       dev->driver->version(&version);
-       retv.drm_di_major = DRM_IF_MAJOR;
-       retv.drm_di_minor = DRM_IF_MINOR;
-diff --git a/drivers/char/raw.c b/drivers/char/raw.c
---- a/drivers/char/raw.c
-+++ b/drivers/char/raw.c
-@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi
- {
-       struct block_device *bdev = filp->private_data;
--      return ioctl_by_bdev(bdev, command, arg);
-+      return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
- }
- static void bind_device(struct raw_config_request *rq)
-diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
---- a/drivers/i2c/chips/eeprom.c
-+++ b/drivers/i2c/chips/eeprom.c
-@@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec
-       /* Hide Vaio security settings to regular users (16 first bytes) */
-       if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
--              int in_row1 = 16 - off;
-+              size_t in_row1 = 16 - off;
-+              in_row1 = min(in_row1, count);
-               memset(buf, 0, in_row1);
-               if (count - in_row1 > 0)
-                       memcpy(buf + in_row1, &data->data[16], count - in_row1);
-diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
---- a/drivers/i2c/chips/it87.c
-+++ b/drivers/i2c/chips/it87.c
-@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device
-       struct it87_data *data = it87_update_device(dev);
-       return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
- }
--static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
-+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
- static ssize_t
- show_vrm_reg(struct device *dev, char *buf)
-diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
---- a/drivers/i2c/chips/via686a.c
-+++ b/drivers/i2c/chips/via686a.c
-@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device
-       struct via686a_data *data = via686a_update_device(dev);
-       return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
- }
--static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
-+static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
- /* The driver. I choose to use type i2c_driver, as at is identical to both
-    smbus_driver and isa_driver, and clients could be of either kind */
-diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
---- a/drivers/ide/ide-disk.c
-+++ b/drivers/ide/ide-disk.c
-@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(
-       if (hwif->no_lba48_dma && lba48 && dma) {
-               if (block + rq->nr_sectors > 1ULL << 28)
-                       dma = 0;
-+              else
-+                      lba48 = 0;
-       }
-       if (!dma) {
-@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(
-       /* FIXME: SELECT_MASK(drive, 0) ? */
-       if (drive->select.b.lba) {
--              if (drive->addressing == 1) {
-+              if (lba48) {
-                       task_ioreg_t tasklets[10];
-                       pr_debug("%s: LBA=0x%012llx\n", drive->name, block);
-diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
---- a/drivers/input/serio/i8042-x86ia64io.h
-+++ b/drivers/input/serio/i8042-x86ia64io.h
-@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i
- };
- #endif
--#ifdef CONFIG_ACPI
-+#if defined(__ia64__) && defined(CONFIG_ACPI)
- #include <linux/acpi.h>
- #include <acpi/acpi_bus.h>
-@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo
-       i8042_kbd_irq = I8042_MAP_IRQ(1);
-       i8042_aux_irq = I8042_MAP_IRQ(12);
--#ifdef CONFIG_ACPI
-+#if defined(__ia64__) && defined(CONFIG_ACPI)
-       if (i8042_acpi_init())
-               return -1;
- #endif
-@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo
- static inline void i8042_platform_exit(void)
- {
--#ifdef CONFIG_ACPI
-+#if defined(__ia64__) && defined(CONFIG_ACPI)
-       i8042_acpi_exit();
- #endif
- }
-diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
---- a/drivers/md/raid6altivec.uc
-+++ b/drivers/md/raid6altivec.uc
-@@ -108,7 +108,11 @@ int raid6_have_altivec(void);
- int raid6_have_altivec(void)
- {
-       /* This assumes either all CPUs have Altivec or none does */
-+#ifdef CONFIG_PPC64
-       return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
-+#else
-+      return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
-+#endif
- }
- #endif
-diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
---- a/drivers/media/video/adv7170.c
-+++ b/drivers/media/video/adv7170.c
-@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client *
-               u8 block_data[32];
-               msg.addr = client->addr;
--              msg.flags = client->flags;
-+              msg.flags = 0;
-               while (len >= 2) {
-                       msg.buf = (char *) block_data;
-                       msg.len = 0;
-diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
---- a/drivers/media/video/adv7175.c
-+++ b/drivers/media/video/adv7175.c
-@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client *
-               u8 block_data[32];
-               msg.addr = client->addr;
--              msg.flags = client->flags;
-+              msg.flags = 0;
-               while (len >= 2) {
-                       msg.buf = (char *) block_data;
-                       msg.len = 0;
-diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
---- a/drivers/media/video/bt819.c
-+++ b/drivers/media/video/bt819.c
-@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl
-               u8 block_data[32];
-               msg.addr = client->addr;
--              msg.flags = client->flags;
-+              msg.flags = 0;
-               while (len >= 2) {
-                       msg.buf = (char *) block_data;
-                       msg.len = 0;
-diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
---- a/drivers/media/video/bttv-cards.c
-+++ b/drivers/media/video/bttv-cards.c
-@@ -2718,8 +2718,6 @@ void __devinit bttv_init_card2(struct bt
-         }
-       btv->pll.pll_current = -1;
--      bttv_reset_audio(btv);
--
-       /* tuner configuration (from card list / autodetect / insmod option) */
-       if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
-               if(UNSET == btv->tuner_type)
-diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
---- a/drivers/media/video/saa7110.c
-+++ b/drivers/media/video/saa7110.c
-@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
- #define       I2C_SAA7110             0x9C    /* or 0x9E */
-+#define SAA7110_NR_REG                0x35
-+
- struct saa7110 {
--      unsigned char reg[54];
-+      u8 reg[SAA7110_NR_REG];
-       int norm;
-       int input;
-@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client *
-                    unsigned int       len)
- {
-       int ret = -1;
--      u8 reg = *data++;
-+      u8 reg = *data;         /* first register to write to */
--      len--;
-+      /* Sanity check */
-+      if (reg + (len - 1) > SAA7110_NR_REG)
-+              return ret;
-       /* the saa7110 has an autoincrement function, use it if
-        * the adapter understands raw I2C */
-       if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
-               struct saa7110 *decoder = i2c_get_clientdata(client);
-               struct i2c_msg msg;
--              u8 block_data[54];
--              msg.len = 0;
--              msg.buf = (char *) block_data;
-+              msg.len = len;
-+              msg.buf = (char *) data;
-               msg.addr = client->addr;
--              msg.flags = client->flags;
--              while (len >= 1) {
--                      msg.len = 0;
--                      block_data[msg.len++] = reg;
--                      while (len-- >= 1 && msg.len < 54)
--                              block_data[msg.len++] =
--                                  decoder->reg[reg++] = *data++;
--                      ret = i2c_transfer(client->adapter, &msg, 1);
--              }
-+              msg.flags = 0;
-+              ret = i2c_transfer(client->adapter, &msg, 1);
-+
-+              /* Cache the written data */
-+              memcpy(decoder->reg + reg, data + 1, len - 1);
-       } else {
--              while (len-- >= 1) {
-+              for (++data, --len; len; len--) {
-                       if ((ret = saa7110_write(client, reg++,
-                                                *data++)) < 0)
-                               break;
-@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien
-       return 0;
- }
--static const unsigned char initseq[] = {
-+static const unsigned char initseq[1 + SAA7110_NR_REG] = {
-       0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
-       /* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
-       /* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
-diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
---- a/drivers/media/video/saa7114.c
-+++ b/drivers/media/video/saa7114.c
-@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client *
-               u8 block_data[32];
-               msg.addr = client->addr;
--              msg.flags = client->flags;
-+              msg.flags = 0;
-               while (len >= 2) {
-                       msg.buf = (char *) block_data;
-                       msg.len = 0;
-diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
---- a/drivers/media/video/saa7185.c
-+++ b/drivers/media/video/saa7185.c
-@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client *
-               u8 block_data[32];
-               msg.addr = client->addr;
--              msg.flags = client->flags;
-+              msg.flags = 0;
-               while (len >= 2) {
-                       msg.buf = (char *) block_data;
-                       msg.len = 0;
-diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
---- a/drivers/net/3c59x.c
-+++ b/drivers/net/3c59x.c
-@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev)
-       if (VORTEX_PCI(vp)) {
-               pci_set_power_state(VORTEX_PCI(vp), PCI_D0);    /* Go active */
--              pci_restore_state(VORTEX_PCI(vp));
-+              if (vp->pm_state_valid)
-+                      pci_restore_state(VORTEX_PCI(vp));
-               pci_enable_device(VORTEX_PCI(vp));
-       }
-@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 
-               outl(0, ioaddr + DownListPtr);
-       if (final_down && VORTEX_PCI(vp)) {
-+              vp->pm_state_valid = 1;
-               pci_save_state(VORTEX_PCI(vp));
-               acpi_set_WOL(dev);
-       }
-@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi
-               outw(RxEnable, ioaddr + EL3_CMD);
-               pci_enable_wake(VORTEX_PCI(vp), 0, 1);
-+
-+              /* Change the power state to D3; RxEnable doesn't take effect. */
-+              pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
-       }
--      /* Change the power state to D3; RxEnable doesn't take effect. */
--      pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
- }
-diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
---- a/drivers/net/amd8111e.c
-+++ b/drivers/net/amd8111e.c
-@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi
-       if(amd8111e_restart(dev)){
-               spin_unlock_irq(&lp->lock);
-+              if (dev->irq)
-+                      free_irq(dev->irq, dev);
-               return -ENOMEM;
-       }
-       /* Start ipg timer */
-diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
---- a/drivers/net/ppp_async.c
-+++ b/drivers/net/ppp_async.c
-@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp
-       data += 4;
-       dlen -= 4;
-       /* data[0] is code, data[1] is length */
--      while (dlen >= 2 && dlen >= data[1]) {
-+      while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
-               switch (data[0]) {
-               case LCP_MRU:
-                       val = (data[2] << 8) + data[3];
-diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
---- a/drivers/net/r8169.c
-+++ b/drivers/net/r8169.c
-@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r
-       rtl8169_make_unusable_by_asic(desc);
- }
--static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
-+static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
- {
--      desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
-+      u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
-+
-+      desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
- }
--static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
--                                      int rx_buf_sz)
-+static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
-+                                     u32 rx_buf_sz)
- {
-       desc->addr = cpu_to_le64(mapping);
--      desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
-+      wmb();
-+      rtl8169_mark_to_asic(desc, rx_buf_sz);
- }
- static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
-@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p
-       mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
-                                PCI_DMA_FROMDEVICE);
--      rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
-+      rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
- out:
-       return ret;
-@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st
-                       skb_reserve(skb, NET_IP_ALIGN);
-                       eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
-                       *sk_buff = skb;
--                      rtl8169_return_to_asic(desc, rx_buf_sz);
-+                      rtl8169_mark_to_asic(desc, rx_buf_sz);
-                       ret = 0;
-               }
-       }
-diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
---- a/drivers/net/sis900.c
-+++ b/drivers/net/sis900.c
-@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr
-       signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
-       if (signature == 0xffff || signature == 0x0000) {
-               printk (KERN_INFO "%s: Error EERPOM read %x\n", 
--                      net_dev->name, signature);
-+                      pci_name(pci_dev), signature);
-               return 0;
-       }
-@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add
-       if (!isa_bridge)
-               isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
-       if (!isa_bridge) {
--              printk("%s: Can not find ISA bridge\n", net_dev->name);
-+              printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
-               return 0;
-       }
-       pci_read_config_byte(isa_bridge, 0x48, &reg);
-@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct
-       net_dev->tx_timeout = sis900_tx_timeout;
-       net_dev->watchdog_timeo = TX_TIMEOUT;
-       net_dev->ethtool_ops = &sis900_ethtool_ops;
--      
--      ret = register_netdev(net_dev);
--      if (ret)
--              goto err_unmap_rx;
-               
-       /* Get Mac address according to the chip revision */
-       pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
-@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct
-       if (ret == 0) {
-               ret = -ENODEV;
--              goto err_out_unregister;
-+              goto err_unmap_rx;
-       }
-       
-       /* 630ET : set the mii access mode as software-mode */
-@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct
-       /* probe for mii transceiver */
-       if (sis900_mii_probe(net_dev) == 0) {
-               ret = -ENODEV;
--              goto err_out_unregister;
-+              goto err_unmap_rx;
-       }
-       /* save our host bridge revision */
-@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct
-               pci_dev_put(dev);
-       }
-+      ret = register_netdev(net_dev);
-+      if (ret)
-+              goto err_unmap_rx;
-+
-       /* print some information about our NIC */
-       printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
-              card_name, ioaddr, net_dev->irq);
-@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct
-       return 0;
-- err_out_unregister:
--      unregister_netdev(net_dev);
-  err_unmap_rx:
-       pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
-               sis_priv->rx_ring_dma);
-@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct
- static int __init sis900_mii_probe(struct net_device * net_dev)
- {
-       struct sis900_private * sis_priv = net_dev->priv;
-+      const char *dev_name = pci_name(sis_priv->pci_dev);
-       u16 poll_bit = MII_STAT_LINK, status = 0;
-       unsigned long timeout = jiffies + 5 * HZ;
-       int phy_addr;
-@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc
-                                       mii_phy->phy_types =
-                                           (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
-                               printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
--                                     net_dev->name, mii_chip_table[i].name,
-+                                     dev_name, mii_chip_table[i].name,
-                                      phy_addr);
-                               break;
-                       }
-                       
-               if( !mii_chip_table[i].phy_id1 ) {
-                       printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
--                             net_dev->name, phy_addr);
-+                             dev_name, phy_addr);
-                       mii_phy->phy_types = UNKNOWN;
-               }
-       }
-       
-       if (sis_priv->mii == NULL) {
--              printk(KERN_INFO "%s: No MII transceivers found!\n",
--                      net_dev->name);
-+              printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
-               return 0;
-       }
-@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc
-                       poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
-                       if (time_after_eq(jiffies, timeout)) {
-                               printk(KERN_WARNING "%s: reset phy and link down now\n",
--                                      net_dev->name);
-+                                     dev_name);
-                               return -ETIME;
-                       }
-               }
-@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net
-               sis_priv->mii = default_phy;
-               sis_priv->cur_phy = default_phy->phy_addr;
-               printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
--                                      net_dev->name,sis_priv->cur_phy);
-+                     pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
-       }
-       
-       status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s
-       size_t len = count;
-       if (!(tun->flags & TUN_NO_PI)) {
--              if ((len -= sizeof(pi)) > len)
-+              if ((len -= sizeof(pi)) > count)
-                       return -EINVAL;
-               if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
-diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
---- a/drivers/net/via-rhine.c
-+++ b/drivers/net/via-rhine.c
-@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 
-                      dev->name, rp->pdev->irq);
-       rc = alloc_ring(dev);
--      if (rc)
-+      if (rc) {
-+              free_irq(rp->pdev->irq, dev);
-               return rc;
-+      }
-       alloc_rbufs(dev);
-       alloc_tbufs(dev);
-       rhine_chip_reset(dev);
-@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic
-       struct rhine_private *rp = netdev_priv(dev);
-       void __iomem *ioaddr = rp->base;
-+      if (!(rp->quirks & rqWOL))
-+              return; /* Nothing to do for non-WOL adapters */
-+
-       rhine_power_init(dev);
-       /* Make sure we use pattern 0, 1 and not 4, 5 */
-diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
---- a/drivers/net/wan/hd6457x.c
-+++ b/drivers/net/wan/hd6457x.c
-@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 
- #endif
-       stats->rx_packets++;
-       stats->rx_bytes += skb->len;
--      skb->dev->last_rx = jiffies;
-+      dev->last_rx = jiffies;
-       skb->protocol = hdlc_type_trans(skb, dev);
-       netif_rx(skb);
- }
-diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
---- a/drivers/pci/hotplug/pciehp_ctrl.c
-+++ b/drivers/pci/hotplug/pciehp_ctrl.c
-@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 
-                               dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
-                                       ctrl->seg, func->bus, func->device, func->function);
-                               bridge_slot_remove(func);
--                      } else
-+                      } else {
-                               dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
-                                       ctrl->seg, func->bus, func->device, func->function);
-                               slot_remove(func);
-+                      }
-                       func = pciehp_slot_find(ctrl->slot_bus, device, 0);
-               }
-diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
---- a/drivers/usb/serial/visor.c
-+++ b/drivers/usb/serial/visor.c
-@@ -386,6 +386,7 @@ struct visor_private {
-       int bytes_in;
-       int bytes_out;
-       int outstanding_urbs;
-+      int throttled;
- };
- /* number of outstanding urbs to prevent userspace DoS from happening */
-@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial
-       priv->bytes_in = 0;
-       priv->bytes_out = 0;
-       priv->outstanding_urbs = 0;
-+      priv->throttled = 0;
-       spin_unlock_irqrestore(&priv->lock, flags);
-       /*
-@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st
-       struct tty_struct *tty;
-       unsigned long flags;
-       int i;
-+      int throttled;
-       int result;
-       dbg("%s - port %d", __FUNCTION__, port->number);
-@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st
-       }
-       spin_lock_irqsave(&priv->lock, flags);
-       priv->bytes_in += urb->actual_length;
-+      throttled = priv->throttled;
-       spin_unlock_irqrestore(&priv->lock, flags);
--      /* Continue trying to always read  */
--      usb_fill_bulk_urb (port->read_urb, port->serial->dev,
--                         usb_rcvbulkpipe(port->serial->dev,
--                                         port->bulk_in_endpointAddress),
--                         port->read_urb->transfer_buffer,
--                         port->read_urb->transfer_buffer_length,
--                         visor_read_bulk_callback, port);
--      result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
--      if (result)
--              dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
-+      /* Continue trying to always read if we should */
-+      if (!throttled) {
-+              usb_fill_bulk_urb (port->read_urb, port->serial->dev,
-+                                 usb_rcvbulkpipe(port->serial->dev,
-+                                                 port->bulk_in_endpointAddress),
-+                                 port->read_urb->transfer_buffer,
-+                                 port->read_urb->transfer_buffer_length,
-+                                 visor_read_bulk_callback, port);
-+              result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
-+              if (result)
-+                      dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
-+      }
-       return;
- }
-@@ -683,16 +689,26 @@ exit:
- static void visor_throttle (struct usb_serial_port *port)
- {
-+      struct visor_private *priv = usb_get_serial_port_data(port);
-+      unsigned long flags;
-+
-       dbg("%s - port %d", __FUNCTION__, port->number);
--      usb_kill_urb(port->read_urb);
-+      spin_lock_irqsave(&priv->lock, flags);
-+      priv->throttled = 1;
-+      spin_unlock_irqrestore(&priv->lock, flags);
- }
- static void visor_unthrottle (struct usb_serial_port *port)
- {
-+      struct visor_private *priv = usb_get_serial_port_data(port);
-+      unsigned long flags;
-       int result;
-       dbg("%s - port %d", __FUNCTION__, port->number);
-+      spin_lock_irqsave(&priv->lock, flags);
-+      priv->throttled = 0;
-+      spin_unlock_irqrestore(&priv->lock, flags);
-       port->read_urb->dev = port->serial->dev;
-       result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
-diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c
---- a/drivers/video/matrox/matroxfb_accel.c
-+++ b/drivers/video/matrox/matroxfb_accel.c
-@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI
-               } else if (step == 1) {
-                       /* Special case for 1..8bit widths */
-                       while (height--) {
--                              mga_writel(mmio, 0, *chardata);
-+#if defined(__BIG_ENDIAN)
-+                              fb_writel((*chardata) << 24, mmio.vaddr);
-+#else
-+                              fb_writel(*chardata, mmio.vaddr);
-+#endif
-                               chardata++;
-                       }
-               } else if (step == 2) {
-                       /* Special case for 9..15bit widths */
-                       while (height--) {
--                              mga_writel(mmio, 0, *(u_int16_t*)chardata);
-+#if defined(__BIG_ENDIAN)
-+                              fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr);
-+#else
-+                              fb_writel(*(u_int16_t*)chardata, mmio.vaddr);
-+#endif
-                               chardata += 2;
-                       }
-               } else {
-@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI
-                               
-                               for (i = 0; i < step; i += 4) {
-                                       /* Hope that there are at least three readable bytes beyond the end of bitmap */
--                                      mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i)));
-+                                      fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr);
-                               }
-                               chardata += step;
-                       }
-diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h
---- a/drivers/video/matrox/matroxfb_base.h
-+++ b/drivers/video/matrox/matroxfb_base.h
-@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr
-       if ((unsigned long)src & 3) {
-               while (len >= 4) {
--                      writel(get_unaligned((u32 *)src), addr);
-+                      fb_writel(get_unaligned((u32 *)src), addr);
-                       addr++;
-                       len -= 4;
-                       src += 4;
-               }
-       } else {
-               while (len >= 4) {
--                      writel(*(u32 *)src, addr);
-+                      fb_writel(*(u32 *)src, addr);
-                       addr++;
-                       len -= 4;
-                       src += 4;
-diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b
-       }
-       /* Populate argv and envp */
--      p = current->mm->arg_start;
-+      p = current->mm->arg_end = current->mm->arg_start;
-       while (argc-- > 0) {
-               size_t len;
-               __put_user((elf_addr_t)p, argv++);
-@@ -1008,6 +1008,7 @@ out_free_ph:
- static int load_elf_library(struct file *file)
- {
-       struct elf_phdr *elf_phdata;
-+      struct elf_phdr *eppnt;
-       unsigned long elf_bss, bss, len;
-       int retval, error, i, j;
-       struct elfhdr elf_ex;
-@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 
-       /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
-       error = -ENOMEM;
--      elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
-+      elf_phdata = kmalloc(j, GFP_KERNEL);
-       if (!elf_phdata)
-               goto out;
-+      eppnt = elf_phdata;
-       error = -ENOEXEC;
--      retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
-+      retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
-       if (retval != j)
-               goto out_free_ph;
-       for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
--              if ((elf_phdata + i)->p_type == PT_LOAD) j++;
-+              if ((eppnt + i)->p_type == PT_LOAD)
-+                      j++;
-       if (j != 1)
-               goto out_free_ph;
--      while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
-+      while (eppnt->p_type != PT_LOAD)
-+              eppnt++;
-       /* Now use mmap to map the library into memory. */
-       down_write(&current->mm->mmap_sem);
-       error = do_mmap(file,
--                      ELF_PAGESTART(elf_phdata->p_vaddr),
--                      (elf_phdata->p_filesz +
--                       ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
-+                      ELF_PAGESTART(eppnt->p_vaddr),
-+                      (eppnt->p_filesz +
-+                       ELF_PAGEOFFSET(eppnt->p_vaddr)),
-                       PROT_READ | PROT_WRITE | PROT_EXEC,
-                       MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
--                      (elf_phdata->p_offset -
--                       ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
-+                      (eppnt->p_offset -
-+                       ELF_PAGEOFFSET(eppnt->p_vaddr)));
-       up_write(&current->mm->mmap_sem);
--      if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
-+      if (error != ELF_PAGESTART(eppnt->p_vaddr))
-               goto out_free_ph;
--      elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
-+      elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
-       if (padzero(elf_bss)) {
-               error = -EFAULT;
-               goto out_free_ph;
-       }
--      len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
--      bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
-+      len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
-+      bss = eppnt->p_memsz + eppnt->p_vaddr;
-       if (bss > len) {
-               down_write(&current->mm->mmap_sem);
-               do_brk(len, bss - len);
-@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs
- static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
-                      struct mm_struct *mm)
- {
--      int i, len;
-+      unsigned int i, len;
-       
-       /* first copy the parameters from user space */
-       memset(psinfo, 0, sizeof(struct elf_prpsinfo));
-diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
---- a/fs/cramfs/inode.c
-+++ b/fs/cramfs/inode.c
-@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st
-                       inode->i_data.a_ops = &cramfs_aops;
-               } else {
-                       inode->i_size = 0;
-+                      inode->i_blocks = 0;
-                       init_special_inode(inode, inode->i_mode,
-                               old_decode_dev(cramfs_inode->size));
-               }
-diff --git a/fs/eventpoll.c b/fs/eventpoll.c
---- a/fs/eventpoll.c
-+++ b/fs/eventpoll.c
-@@ -619,6 +619,7 @@ eexit_1:
-       return error;
- }
-+#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
- /*
-  * Implement the event wait interface for the eventpoll file. It is the kernel
-@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd,
-                    current, epfd, events, maxevents, timeout));
-       /* The maximum number of event must be greater than zero */
--      if (maxevents <= 0)
-+      if (maxevents <= 0 || maxevents > MAX_EVENTS)
-               return -EINVAL;
-       /* Verify that the area passed by the user is writeable */
-diff --git a/fs/exec.c b/fs/exec.c
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas
- {
-       /* buf must be at least sizeof(tsk->comm) in size */
-       task_lock(tsk);
--      memcpy(buf, tsk->comm, sizeof(tsk->comm));
-+      strncpy(buf, tsk->comm, sizeof(tsk->comm));
-       task_unlock(tsk);
- }
-diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
---- a/fs/ext2/dir.c
-+++ b/fs/ext2/dir.c
-@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
-               goto fail;
-       }
-       kaddr = kmap_atomic(page, KM_USER0);
-+       memset(kaddr, 0, chunk_size);
-       de = (struct ext2_dir_entry_2 *)kaddr;
-       de->name_len = 1;
-       de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
-diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
---- a/fs/ext3/balloc.c
-+++ b/fs/ext3/balloc.c
-@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino
-       if (!rsv_is_empty(&rsv->rsv_window)) {
-               spin_lock(rsv_lock);
--              rsv_window_remove(inode->i_sb, rsv);
-+              if (!rsv_is_empty(&rsv->rsv_window))
-+                      rsv_window_remove(inode->i_sb, rsv);
-               spin_unlock(rsv_lock);
-       }
- }
-diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
---- a/fs/isofs/inode.c
-+++ b/fs/isofs/inode.c
-@@ -685,6 +685,8 @@ root_found:
-         sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
-         sbi->s_max_size = isonum_733(h_pri->volume_space_size);
-       } else {
-+        if (!pri)
-+          goto out_freebh;
-         rootp = (struct iso_directory_record *) pri->root_directory_record;
-         sbi->s_nzones = isonum_733 (pri->volume_space_size);
-         sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
-@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl
-       struct inode *inode;
-       struct isofs_iget5_callback_data data;
-+      if (offset >= 1ul << sb->s_blocksize_bits)
-+              return NULL;
-+
-       data.block = block;
-       data.offset = offset;
-diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
---- a/fs/isofs/rock.c
-+++ b/fs/isofs/rock.c
-@@ -53,6 +53,7 @@
-   if(LEN & 1) LEN++;                                          \
-   CHR = ((unsigned char *) DE) + LEN;                         \
-   LEN = *((unsigned char *) DE) - LEN;                          \
-+  if (LEN<0) LEN=0;                                             \
-   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
-   {                                                             \
-      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
-@@ -73,6 +74,10 @@
-     offset1 = 0; \
-     pbh = sb_bread(DEV->i_sb, block); \
-     if(pbh){       \
-+      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){  \
-+      brelse(pbh); \
-+      goto out; \
-+      } \
-       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
-       brelse(pbh); \
-       chr = (unsigned char *) buffer; \
-@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d
-     struct rock_ridge * rr;
-     int sig;
-     
--    while (len > 1){ /* There may be one byte for padding somewhere */
-+    while (len > 2){ /* There may be one byte for padding somewhere */
-       rr = (struct rock_ridge *) chr;
--      if (rr->len == 0) goto out; /* Something got screwed up here */
-+      if (rr->len < 3) goto out; /* Something got screwed up here */
-       sig = isonum_721(chr);
-       chr += rr->len; 
-       len -= rr->len;
-+      if (len < 0) goto out;  /* corrupted isofs */
-       switch(sig){
-       case SIG('R','R'):
-@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d
-       break;
-       case SIG('N','M'):
-       if (truncate) break;
-+      if (rr->len < 5) break;
-         /*
-        * If the flags are 2 or 4, this indicates '.' or '..'.
-        * We don't want to do anything with this, because it
-@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i
-     struct rock_ridge * rr;
-     int rootflag;
-     
--    while (len > 1){ /* There may be one byte for padding somewhere */
-+    while (len > 2){ /* There may be one byte for padding somewhere */
-       rr = (struct rock_ridge *) chr;
--      if (rr->len == 0) goto out; /* Something got screwed up here */
-+      if (rr->len < 3) goto out; /* Something got screwed up here */
-       sig = isonum_721(chr);
-       chr += rr->len; 
-       len -= rr->len;
-+      if (len < 0) goto out;  /* corrupted isofs */
-       
-       switch(sig){
- #ifndef CONFIG_ZISOFS         /* No flag for SF or ZF */
-@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s
-       struct rock_ridge *rr;
-       if (!ISOFS_SB(inode->i_sb)->s_rock)
--              panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
-+              goto error;
-       block = ei->i_iget5_block;
-       lock_kernel();
-@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s
-       SETUP_ROCK_RIDGE(raw_inode, chr, len);
-       repeat:
--      while (len > 1) { /* There may be one byte for padding somewhere */
-+      while (len > 2) { /* There may be one byte for padding somewhere */
-               rr = (struct rock_ridge *) chr;
--              if (rr->len == 0)
-+              if (rr->len < 3)
-                       goto out;       /* Something got screwed up here */
-               sig = isonum_721(chr);
-               chr += rr->len;
-               len -= rr->len;
-+              if (len < 0)
-+                      goto out;       /* corrupted isofs */
-               switch (sig) {
-               case SIG('R', 'R'):
-@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s
-       fail:
-       brelse(bh);
-       unlock_kernel();
-+      error:
-       SetPageError(page);
-       kunmap(page);
-       unlock_page(page);
-diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
---- a/fs/jbd/transaction.c
-+++ b/fs/jbd/transaction.c
-@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
-                       JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
-                       ret = __dispose_buffer(jh,
-                                       journal->j_running_transaction);
-+                      journal_put_journal_head(jh);
-                       spin_unlock(&journal->j_list_lock);
-                       jbd_unlock_bh_state(bh);
-                       spin_unlock(&journal->j_state_lock);
--                      journal_put_journal_head(jh);
-                       return ret;
-               } else {
-                       /* There is no currently-running transaction. So the
-@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
-                               JBUFFER_TRACE(jh, "give to committing trans");
-                               ret = __dispose_buffer(jh,
-                                       journal->j_committing_transaction);
-+                              journal_put_journal_head(jh);
-                               spin_unlock(&journal->j_list_lock);
-                               jbd_unlock_bh_state(bh);
-                               spin_unlock(&journal->j_state_lock);
--                              journal_put_journal_head(jh);
-                               return ret;
-                       } else {
-                               /* The orphan record's transaction has
-@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
-                                       journal->j_running_transaction);
-                       jh->b_next_transaction = NULL;
-               }
-+              journal_put_journal_head(jh);
-               spin_unlock(&journal->j_list_lock);
-               jbd_unlock_bh_state(bh);
-               spin_unlock(&journal->j_state_lock);
--              journal_put_journal_head(jh);
-               return 0;
-       } else {
-               /* Good, the buffer belongs to the running transaction.
-diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h
---- a/include/asm-x86_64/processor.h
-+++ b/include/asm-x86_64/processor.h
-@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne
- /*
-- * User space process size. 47bits.
-+ * User space process size. 47bits minus one guard page.
-  */
--#define TASK_SIZE     (0x800000000000UL)
-+#define TASK_SIZE     (0x800000000000UL - 4096)
- /* This decides where the kernel will search for a free chunk of vm
-  * space during mmap's.
-diff --git a/include/linux/err.h b/include/linux/err.h
---- a/include/linux/err.h
-+++ b/include/linux/err.h
-@@ -13,6 +13,8 @@
-  * This should be a per-architecture thing, to allow different
-  * error and pointer decisions.
-  */
-+#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
-+
- static inline void *ERR_PTR(long error)
- {
-       return (void *) error;
-@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p
- static inline long IS_ERR(const void *ptr)
- {
--      return unlikely((unsigned long)ptr > (unsigned long)-1000L);
-+      return IS_ERR_VALUE((unsigned long)ptr);
- }
- #endif /* _LINUX_ERR_H */
-diff --git a/kernel/exit.c b/kernel/exit.c
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas
-        */
-       BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
-       p->real_parent = reaper;
--      if (p->parent == p->real_parent)
--              BUG();
- }
- static inline void reparent_thread(task_t *p, task_t *father, int traced)
-diff --git a/kernel/signal.c b/kernel/signal.c
---- a/kernel/signal.c
-+++ b/kernel/signal.c
-@@ -1728,6 +1728,7 @@ do_signal_stop(int signr)
-                        * with another processor delivering a stop signal,
-                        * then the SIGCONT that wakes us up should clear it.
-                        */
-+                      read_unlock(&tasklist_lock);
-                       return 0;
-               }
-diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
---- a/lib/rwsem-spinlock.c
-+++ b/lib/rwsem-spinlock.c
-@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
-       rwsemtrace(sem, "Entering __down_read");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irq(&sem->wait_lock);
-       if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
-               /* granted */
-               sem->activity++;
--              spin_unlock(&sem->wait_lock);
-+              spin_unlock_irq(&sem->wait_lock);
-               goto out;
-       }
-@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
-       list_add_tail(&waiter.list, &sem->wait_list);
-       /* we don't need to touch the semaphore struct anymore */
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irq(&sem->wait_lock);
-       /* wait to be given the lock */
-       for (;;) {
-@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
-  */
- int fastcall __down_read_trylock(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-       int ret = 0;
-+
-       rwsemtrace(sem, "Entering __down_read_trylock");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
-               /* granted */
-@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct 
-               ret = 1;
-       }
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving __down_read_trylock");
-       return ret;
-@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
-       rwsemtrace(sem, "Entering __down_write");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irq(&sem->wait_lock);
-       if (sem->activity == 0 && list_empty(&sem->wait_list)) {
-               /* granted */
-               sem->activity = -1;
--              spin_unlock(&sem->wait_lock);
-+              spin_unlock_irq(&sem->wait_lock);
-               goto out;
-       }
-@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
-       list_add_tail(&waiter.list, &sem->wait_list);
-       /* we don't need to touch the semaphore struct anymore */
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irq(&sem->wait_lock);
-       /* wait to be given the lock */
-       for (;;) {
-@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
-  */
- int fastcall __down_write_trylock(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-       int ret = 0;
-+
-       rwsemtrace(sem, "Entering __down_write_trylock");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       if (sem->activity == 0 && list_empty(&sem->wait_list)) {
-               /* granted */
-@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
-               ret = 1;
-       }
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving __down_write_trylock");
-       return ret;
-@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
-  */
- void fastcall __up_read(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-+
-       rwsemtrace(sem, "Entering __up_read");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       if (--sem->activity == 0 && !list_empty(&sem->wait_list))
-               sem = __rwsem_wake_one_writer(sem);
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving __up_read");
- }
-@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
-  */
- void fastcall __up_write(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-+
-       rwsemtrace(sem, "Entering __up_write");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       sem->activity = 0;
-       if (!list_empty(&sem->wait_list))
-               sem = __rwsem_do_wake(sem, 1);
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving __up_write");
- }
-@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
-  */
- void fastcall __downgrade_write(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-+
-       rwsemtrace(sem, "Entering __downgrade_write");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       sem->activity = 1;
-       if (!list_empty(&sem->wait_list))
-               sem = __rwsem_do_wake(sem, 0);
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving __downgrade_write");
- }
-diff --git a/lib/rwsem.c b/lib/rwsem.c
---- a/lib/rwsem.c
-+++ b/lib/rwsem.c
-@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
-       set_task_state(tsk, TASK_UNINTERRUPTIBLE);
-       /* set up my own style of waitqueue */
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irq(&sem->wait_lock);
-       waiter->task = tsk;
-       get_task_struct(tsk);
-@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
-       if (!(count & RWSEM_ACTIVE_MASK))
-               sem = __rwsem_do_wake(sem, 0);
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irq(&sem->wait_lock);
-       /* wait to be given the lock */
-       for (;;) {
-@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
-  */
- struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-+
-       rwsemtrace(sem, "Entering rwsem_wake");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       /* do nothing if list empty */
-       if (!list_empty(&sem->wait_list))
-               sem = __rwsem_do_wake(sem, 0);
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving rwsem_wake");
-@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
-  */
- struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
- {
-+      unsigned long flags;
-+
-       rwsemtrace(sem, "Entering rwsem_downgrade_wake");
--      spin_lock(&sem->wait_lock);
-+      spin_lock_irqsave(&sem->wait_lock, flags);
-       /* do nothing if list empty */
-       if (!list_empty(&sem->wait_list))
-               sem = __rwsem_do_wake(sem, 1);
--      spin_unlock(&sem->wait_lock);
-+      spin_unlock_irqrestore(&sem->wait_lock, flags);
-       rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
-       return sem;
-diff --git a/mm/mmap.c b/mm/mmap.c
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -1315,37 +1315,40 @@ unsigned long
- get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
-               unsigned long pgoff, unsigned long flags)
- {
--      if (flags & MAP_FIXED) {
--              unsigned long ret;
-+      unsigned long ret;
--              if (addr > TASK_SIZE - len)
--                      return -ENOMEM;
--              if (addr & ~PAGE_MASK)
--                      return -EINVAL;
--              if (file && is_file_hugepages(file))  {
--                      /*
--                       * Check if the given range is hugepage aligned, and
--                       * can be made suitable for hugepages.
--                       */
--                      ret = prepare_hugepage_range(addr, len);
--              } else {
--                      /*
--                       * Ensure that a normal request is not falling in a
--                       * reserved hugepage range.  For some archs like IA-64,
--                       * there is a separate region for hugepages.
--                       */
--                      ret = is_hugepage_only_range(addr, len);
--              }
--              if (ret)
--                      return -EINVAL;
--              return addr;
--      }
-+      if (!(flags & MAP_FIXED)) {
-+              unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
--      if (file && file->f_op && file->f_op->get_unmapped_area)
--              return file->f_op->get_unmapped_area(file, addr, len,
--                                              pgoff, flags);
-+              get_area = current->mm->get_unmapped_area;
-+              if (file && file->f_op && file->f_op->get_unmapped_area)
-+                      get_area = file->f_op->get_unmapped_area;
-+              addr = get_area(file, addr, len, pgoff, flags);
-+              if (IS_ERR_VALUE(addr))
-+                      return addr;
-+      }
--      return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
-+      if (addr > TASK_SIZE - len)
-+              return -ENOMEM;
-+      if (addr & ~PAGE_MASK)
-+              return -EINVAL;
-+      if (file && is_file_hugepages(file))  {
-+              /*
-+               * Check if the given range is hugepage aligned, and
-+               * can be made suitable for hugepages.
-+               */
-+              ret = prepare_hugepage_range(addr, len);
-+      } else {
-+              /*
-+               * Ensure that a normal request is not falling in a
-+               * reserved hugepage range.  For some archs like IA-64,
-+               * there is a separate region for hugepages.
-+               */
-+              ret = is_hugepage_only_range(addr, len);
-+      }
-+      if (ret)
-+              return -EINVAL;
-+      return addr;
- }
- EXPORT_SYMBOL(get_unmapped_area);
-diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
---- a/net/bluetooth/af_bluetooth.c
-+++ b/net/bluetooth/af_bluetooth.c
-@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
- int bt_sock_register(int proto, struct net_proto_family *ops)
- {
--      if (proto >= BT_MAX_PROTO)
-+      if (proto < 0 || proto >= BT_MAX_PROTO)
-               return -EINVAL;
-       if (bt_proto[proto])
-@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
- int bt_sock_unregister(int proto)
- {
--      if (proto >= BT_MAX_PROTO)
-+      if (proto < 0 || proto >= BT_MAX_PROTO)
-               return -EINVAL;
-       if (!bt_proto[proto])
-@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket 
- {
-       int err = 0;
--      if (proto >= BT_MAX_PROTO)
-+      if (proto < 0 || proto >= BT_MAX_PROTO)
-               return -EINVAL;
- #if defined(CONFIG_KMOD)
-diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
---- a/net/bridge/netfilter/ebtables.c
-+++ b/net/bridge/netfilter/ebtables.c
-@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 
-       struct ebt_chainstack *cs;
-       struct ebt_entries *chaininfo;
-       char *base;
--      struct ebt_table_info *private = table->private;
-+      struct ebt_table_info *private;
-       read_lock_bh(&table->lock);
-+      private = table->private;
-       cb_base = COUNTER_BASE(private->counters, private->nentries,
-          smp_processor_id());
-       if (private->chainstack)
-diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
---- a/net/ipv4/fib_hash.c
-+++ b/net/ipv4/fib_hash.c
-@@ -919,13 +919,23 @@ out:
-       return fa;
- }
-+static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
-+{
-+      struct fib_alias *fa = fib_get_first(seq);
-+
-+      if (fa)
-+              while (pos && (fa = fib_get_next(seq)))
-+                      --pos;
-+      return pos ? NULL : fa;
-+}
-+
- static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
- {
-       void *v = NULL;
-       read_lock(&fib_hash_lock);
-       if (ip_fib_main_table)
--              v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
-+              v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
-       return v;
- }
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
- static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
- {
-       if (tp->prior_ssthresh) {
--              tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
-+              if (tcp_is_bic(tp))
-+                      tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
-+              else
-+                      tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
-               if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
-                       tp->snd_ssthresh = tp->prior_ssthresh;
-diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
---- a/net/ipv4/tcp_timer.c
-+++ b/net/ipv4/tcp_timer.c
-@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
- #ifdef TCP_DEBUG
- const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
-+EXPORT_SYMBOL(tcp_timer_bug_msg);
- #endif
- /*
-diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
---- a/net/ipv4/xfrm4_output.c
-+++ b/net/ipv4/xfrm4_output.c
-@@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
-                       goto error_nolock;
-       }
--      spin_lock_bh(&x->lock);
--      err = xfrm_state_check(x, skb);
--      if (err)
--              goto error;
--
-       if (x->props.mode) {
-               err = xfrm4_tunnel_check_size(skb);
-               if (err)
--                      goto error;
-+                      goto error_nolock;
-       }
-+      spin_lock_bh(&x->lock);
-+      err = xfrm_state_check(x, skb);
-+      if (err)
-+              goto error;
-+
-       xfrm4_encap(skb);
-       err = x->type->output(skb);
-diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
---- a/net/ipv6/xfrm6_output.c
-+++ b/net/ipv6/xfrm6_output.c
-@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
-                       goto error_nolock;
-       }
--      spin_lock_bh(&x->lock);
--      err = xfrm_state_check(x, skb);
--      if (err)
--              goto error;
--
-       if (x->props.mode) {
-               err = xfrm6_tunnel_check_size(skb);
-               if (err)
--                      goto error;
-+                      goto error_nolock;
-       }
-+      spin_lock_bh(&x->lock);
-+      err = xfrm_state_check(x, skb);
-+      if (err)
-+              goto error;
-+
-       xfrm6_encap(skb);
-       err = x->type->output(skb);
-diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
---- a/net/netrom/nr_in.c
-+++ b/net/netrom/nr_in.c
-@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
- static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
-       int frametype)
- {
--      bh_lock_sock(sk);
-       switch (frametype) {
-       case NR_CONNACK: {
-               nr_cb *nr = nr_sk(sk);
-@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
-       default:
-               break;
-       }
--      bh_unlock_sock(sk);
--
-       return 0;
- }
-@@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
- static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
-       int frametype)
- {
--      bh_lock_sock(sk);
-       switch (frametype) {
-       case NR_CONNACK | NR_CHOKE_FLAG:
-               nr_disconnect(sk, ECONNRESET);
-@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
-       default:
-               break;
-       }
--      bh_unlock_sock(sk);
--
-       return 0;
- }
-@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
-       nr = skb->data[18];
-       ns = skb->data[17];
--      bh_lock_sock(sk);
-       switch (frametype) {
-       case NR_CONNREQ:
-               nr_write_internal(sk, NR_CONNACK);
-@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
-       default:
-               break;
-       }
--      bh_unlock_sock(sk);
--
-       return queued;
- }
-diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
---- a/net/rose/rose_route.c
-+++ b/net/rose/rose_route.c
-@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
-               }
-               if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
-                       return -EINVAL;
--
-+              if (rose_route.ndigis > 8) /* No more than 8 digipeats */
-+                      return -EINVAL;
-               err = rose_add_node(&rose_route, dev);
-               dev_put(dev);
-               return err;
-diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
---- a/net/xfrm/xfrm_state.c
-+++ b/net/xfrm/xfrm_state.c
-@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
-       for (i = 0; i < XFRM_DST_HSIZE; i++) {
-               list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
--                      if (x->km.seq == seq) {
-+                      if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
-                               xfrm_state_hold(x);
-                               return x;
-                       }
-diff --git a/security/keys/key.c b/security/keys/key.c
---- a/security/keys/key.c
-+++ b/security/keys/key.c
-@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
- {
-       struct key_user *candidate = NULL, *user;
-       struct rb_node *parent = NULL;
--      struct rb_node **p = &key_user_tree.rb_node;
-+      struct rb_node **p;
-  try_again:
-+      p = &key_user_tree.rb_node;
-       spin_lock(&key_user_lock);
-       /* search the tree for a user record with a matching UID */
-diff --git a/sound/core/timer.c b/sound/core/timer.c
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
-       if (tu->qused >= tu->queue_size) {
-               tu->overrun++;
-       } else {
--              memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
-+              memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
-+              tu->qtail %= tu->queue_size;
-               tu->qused++;
-       }
- }
-@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
-       spin_lock(&tu->qlock);
-       snd_timer_user_append_to_tqueue(tu, &r1);
-       spin_unlock(&tu->qlock);
-+      kill_fasync(&tu->fasync, SIGIO, POLL_IN);
-+      wake_up(&tu->qchange_sleep);
- }
- static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
-diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
---- a/sound/pci/ac97/ac97_codec.c
-+++ b/sound/pci/ac97/ac97_codec.c
-@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
- /*
-  * create mute switch(es) for normal stereo controls
-  */
--static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
-+static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
- {
-       snd_kcontrol_t *kctl;
-       int err;
-@@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
-       mute_mask = 0x8000;
-       val = snd_ac97_read(ac97, reg);
--      if (ac97->flags & AC97_STEREO_MUTES) {
-+      if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
-               /* check whether both mute bits work */
-               val1 = val | 0x8080;
-               snd_ac97_write(ac97, reg, val1);
-@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t 
- /*
-  * create a mute-switch and a volume for normal stereo/mono controls
-  */
--static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
-+static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
- {
-       int err;
-       char name[44];
-@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t 
-       if (snd_ac97_try_bit(ac97, reg, 15)) {
-               sprintf(name, "%s Switch", pfx);
--              if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
-+              if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
-                       return err;
-       }
-       check_volume_resolution(ac97, reg, &lo_max, &hi_max);
-@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t 
-       return 0;
- }
-+#define snd_ac97_cmix_new(card, pfx, reg, ac97)       snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
-+#define snd_ac97_cmute_new(card, name, reg, ac97)     snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
- static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
-@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
-       /* build surround controls */
-       if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
--              if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
-+              /* Surround Master (0x38) is with stereo mutes */
-+              if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
-                       return err;
-       }
-diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
---- a/sound/usb/usbaudio.c
-+++ b/sound/usb/usbaudio.c
-@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
-               }
-               usb_chip[chip->index] = NULL;
-               up(&register_mutex);
--              snd_card_free_in_thread(card);
-+              snd_card_free(card);
-       } else {
-               up(&register_mutex);
-       }
-diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
---- a/sound/usb/usx2y/usbusx2y.c
-+++ b/sound/usb/usx2y/usbusx2y.c
-@@ -1,6 +1,11 @@
- /*
-  * usbusy2y.c - ALSA USB US-428 Driver
-  *
-+2005-04-14 Karsten Wiese
-+      Version 0.8.7.2:
-+      Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
-+      Tested ok with kernel 2.6.12-rc2.
-+
- 2004-12-14 Karsten Wiese
-       Version 0.8.7.1:
-       snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
-@@ -143,7 +148,7 @@
- MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
--MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
-+MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
- MODULE_LICENSE("GPL");
- MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
-@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct 
-       if (ptr) {
-               usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
-               struct list_head* p;
--              if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP)  // on 2.6.1 kernel snd_usbmidi_disconnect()
--                      return;                                 // calls us back. better leave :-) .
-               usX2Y->chip.shutdown = 1;
-               usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
-               usX2Y_unlinkSeq(&usX2Y->AS04);
-@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct 
-               }
-               if (usX2Y->us428ctls_sharedmem) 
-                       wake_up(&usX2Y->us428ctls_wait_queue_head);
--              snd_card_free_in_thread((snd_card_t*)ptr);
-+              snd_card_free((snd_card_t*)ptr);
-       }
- }
diff --git a/patches/linux-2.6.11/linux-2.6.11.12.patch b/patches/linux-2.6.11/linux-2.6.11.12.patch
new file mode 100644 (file)
index 0000000..592ea13
--- /dev/null
@@ -0,0 +1,2579 @@
+diff --git a/Documentation/SecurityBugs b/Documentation/SecurityBugs
+new file mode 100644
+--- /dev/null
++++ b/Documentation/SecurityBugs
+@@ -0,0 +1,38 @@
++Linux kernel developers take security very seriously.  As such, we'd
++like to know when a security bug is found so that it can be fixed and
++disclosed as quickly as possible.  Please report security bugs to the
++Linux kernel security team.
++
++1) Contact
++
++The Linux kernel security team can be contacted by email at
++<security@kernel.org>.  This is a private list of security officers
++who will help verify the bug report and develop and release a fix.
++It is possible that the security team will bring in extra help from
++area maintainers to understand and fix the security vulnerability.
++
++As it is with any bug, the more information provided the easier it
++will be to diagnose and fix.  Please review the procedure outlined in
++REPORTING-BUGS if you are unclear about what information is helpful.
++Any exploit code is very helpful and will not be released without
++consent from the reporter unless it has already been made public.
++
++2) Disclosure
++
++The goal of the Linux kernel security team is to work with the
++bug submitter to bug resolution as well as disclosure.  We prefer
++to fully disclose the bug as soon as possible.  It is reasonable to
++delay disclosure when the bug or the fix is not yet fully understood,
++the solution is not well-tested or for vendor coordination.  However, we
++expect these delays to be short, measurable in days, not weeks or months.
++A disclosure date is negotiated by the security team working with the
++bug submitter as well as vendors.  However, the kernel security team
++holds the final say when setting a disclosure date.  The timeframe for
++disclosure is from immediate (esp. if it's already publically known)
++to a few weeks.  As a basic default policy, we expect report date to
++disclosure date to be on the order of 7 days.
++
++3) Non-disclosure agreements
++
++The Linux kernel security team is not a formal body and therefore unable
++to enter any non-disclosure agreements.
+diff --git a/MAINTAINERS b/MAINTAINERS
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1966,6 +1966,11 @@ M:      christer@weinigel.se
+ W:    http://www.weinigel.se
+ S:    Supported
++SECURITY CONTACT
++P:    Security Officers
++M:    security@kernel.org
++S:    Supported
++
+ SELINUX SECURITY MODULE
+ P:    Stephen Smalley
+ M:    sds@epoch.ncsc.mil
+diff --git a/Makefile b/Makefile
+--- a/Makefile
++++ b/Makefile
+@@ -1,8 +1,8 @@
+ VERSION = 2
+ PATCHLEVEL = 6
+ SUBLEVEL = 11
+-EXTRAVERSION =
+-NAME=Woozy Numbat
++EXTRAVERSION = .12
++NAME=Woozy Beaver
+ # *DOCUMENTATION*
+ # To see a list of typical targets execute "make help"
+diff --git a/REPORTING-BUGS b/REPORTING-BUGS
+--- a/REPORTING-BUGS
++++ b/REPORTING-BUGS
+@@ -16,6 +16,10 @@ code relevant to what you were doing. If
+ describe how to recreate it. That is worth even more than the oops itself.
+ The list of maintainers is in the MAINTAINERS file in this directory.
++      If it is a security bug, please copy the Security Contact listed
++in the MAINTAINERS file.  They can help coordinate bugfix and disclosure.
++See Documentation/SecurityBugs for more infomation.
++
+       If you are totally stumped as to whom to send the report, send it to
+ linux-kernel@vger.kernel.org. (For more information on the linux-kernel
+ mailing list see http://www.tux.org/lkml/).
+diff --git a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
+--- a/arch/ia64/kernel/fsys.S
++++ b/arch/ia64/kernel/fsys.S
+@@ -611,8 +611,10 @@ GLOBAL_ENTRY(fsys_bubble_down)
+       movl r2=ia64_ret_from_syscall
+       ;;
+       mov rp=r2                               // set the real return addr
+-      tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
++      and r3=_TIF_SYSCALL_TRACEAUDIT,r3
+       ;;
++      cmp.eq p8,p0=r3,r0
++
+ (p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8
+ (p8)  br.call.sptk.many b6=b6         // ignore this return addr
+       br.cond.sptk ia64_trace_syscall
+diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
+--- a/arch/ia64/kernel/signal.c
++++ b/arch/ia64/kernel/signal.c
+@@ -224,7 +224,8 @@ ia64_rt_sigreturn (struct sigscratch *sc
+        * could be corrupted.
+        */
+       retval = (long) &ia64_leave_kernel;
+-      if (test_thread_flag(TIF_SYSCALL_TRACE))
++      if (test_thread_flag(TIF_SYSCALL_TRACE)
++          || test_thread_flag(TIF_SYSCALL_AUDIT))
+               /*
+                * strace expects to be notified after sigreturn returns even though the
+                * context to which we return may not be in the middle of a syscall.
+diff --git a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
+--- a/arch/ppc/oprofile/op_model_fsl_booke.c
++++ b/arch/ppc/oprofile/op_model_fsl_booke.c
+@@ -150,7 +150,6 @@ static void fsl_booke_handle_interrupt(s
+       int is_kernel;
+       int val;
+       int i;
+-      unsigned int cpu = smp_processor_id();
+       /* set the PMM bit (see comment below) */
+       mtmsr(mfmsr() | MSR_PMM);
+@@ -162,7 +161,7 @@ static void fsl_booke_handle_interrupt(s
+               val = ctr_read(i);
+               if (val < 0) {
+                       if (oprofile_running && ctr[i].enabled) {
+-                              oprofile_add_sample(pc, is_kernel, i, cpu);
++                              oprofile_add_pc(pc, is_kernel, i);
+                               ctr_write(i, reset_value[i]);
+                       } else {
+                               ctr_write(i, 0);
+diff --git a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
+--- a/arch/ppc/platforms/4xx/ebony.h
++++ b/arch/ppc/platforms/4xx/ebony.h
+@@ -61,8 +61,8 @@
+  */
+ /* OpenBIOS defined UART mappings, used before early_serial_setup */
+-#define UART0_IO_BASE (u8 *) 0xE0000200
+-#define UART1_IO_BASE (u8 *) 0xE0000300
++#define UART0_IO_BASE 0xE0000200
++#define UART1_IO_BASE 0xE0000300
+ /* external Epson SG-615P */
+ #define BASE_BAUD     691200
+diff --git a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
+--- a/arch/ppc/platforms/4xx/luan.h
++++ b/arch/ppc/platforms/4xx/luan.h
+@@ -47,9 +47,9 @@
+ #define RS_TABLE_SIZE 3
+ /* PIBS defined UART mappings, used before early_serial_setup */
+-#define UART0_IO_BASE (u8 *) 0xa0000200
+-#define UART1_IO_BASE (u8 *) 0xa0000300
+-#define UART2_IO_BASE (u8 *) 0xa0000600
++#define UART0_IO_BASE 0xa0000200
++#define UART1_IO_BASE 0xa0000300
++#define UART2_IO_BASE 0xa0000600
+ #define BASE_BAUD     11059200
+ #define STD_UART_OP(num)                                      \
+diff --git a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
+--- a/arch/ppc/platforms/4xx/ocotea.h
++++ b/arch/ppc/platforms/4xx/ocotea.h
+@@ -56,8 +56,8 @@
+ #define RS_TABLE_SIZE 2
+ /* OpenBIOS defined UART mappings, used before early_serial_setup */
+-#define UART0_IO_BASE (u8 *) 0xE0000200
+-#define UART1_IO_BASE (u8 *) 0xE0000300
++#define UART0_IO_BASE 0xE0000200
++#define UART1_IO_BASE 0xE0000300
+ #define BASE_BAUD     11059200/16
+ #define STD_UART_OP(num)                                      \
+diff --git a/arch/ppc64/kernel/pSeries_iommu.c b/arch/ppc64/kernel/pSeries_iommu.c
+--- a/arch/ppc64/kernel/pSeries_iommu.c
++++ b/arch/ppc64/kernel/pSeries_iommu.c
+@@ -401,6 +401,8 @@ static void iommu_bus_setup_pSeriesLP(st
+       struct device_node *dn, *pdn;
+       unsigned int *dma_window = NULL;
++      DBG("iommu_bus_setup_pSeriesLP, bus %p, bus->self %p\n", bus, bus->self);
++
+       dn = pci_bus_to_OF_node(bus);
+       /* Find nearest ibm,dma-window, walking up the device tree */
+@@ -455,6 +457,56 @@ static void iommu_dev_setup_pSeries(stru
+       }
+ }
++static void iommu_dev_setup_pSeriesLP(struct pci_dev *dev)
++{
++      struct device_node *pdn, *dn;
++      struct iommu_table *tbl;
++      int *dma_window = NULL;
++
++      DBG("iommu_dev_setup_pSeriesLP, dev %p (%s)\n", dev, dev->pretty_name);
++
++      /* dev setup for LPAR is a little tricky, since the device tree might
++       * contain the dma-window properties per-device and not neccesarily
++       * for the bus. So we need to search upwards in the tree until we
++       * either hit a dma-window property, OR find a parent with a table
++       * already allocated.
++       */
++      dn = pci_device_to_OF_node(dev);
++
++      for (pdn = dn; pdn && !pdn->iommu_table; pdn = pdn->parent) {
++              dma_window = (unsigned int *)get_property(pdn, "ibm,dma-window", NULL);
++              if (dma_window)
++                      break;
++      }
++
++      /* Check for parent == NULL so we don't try to setup the empty EADS
++       * slots on POWER4 machines.
++       */
++      if (dma_window == NULL || pdn->parent == NULL) {
++              /* Fall back to regular (non-LPAR) dev setup */
++              DBG("No dma window for device, falling back to regular setup\n");
++              iommu_dev_setup_pSeries(dev);
++              return;
++      } else {
++              DBG("Found DMA window, allocating table\n");
++      }
++
++      if (!pdn->iommu_table) {
++              /* iommu_table_setparms_lpar needs bussubno. */
++              pdn->bussubno = pdn->phb->bus->number;
++
++              tbl = (struct iommu_table *)kmalloc(sizeof(struct iommu_table),
++                                                  GFP_KERNEL);
++
++              iommu_table_setparms_lpar(pdn->phb, pdn, tbl, dma_window);
++
++              pdn->iommu_table = iommu_init_table(tbl);
++      }
++
++      if (pdn != dn)
++              dn->iommu_table = pdn->iommu_table;
++}
++
+ static void iommu_bus_setup_null(struct pci_bus *b) { }
+ static void iommu_dev_setup_null(struct pci_dev *d) { }
+@@ -479,13 +531,14 @@ void iommu_init_early_pSeries(void)
+                       ppc_md.tce_free  = tce_free_pSeriesLP;
+               }
+               ppc_md.iommu_bus_setup = iommu_bus_setup_pSeriesLP;
++              ppc_md.iommu_dev_setup = iommu_dev_setup_pSeriesLP;
+       } else {
+               ppc_md.tce_build = tce_build_pSeries;
+               ppc_md.tce_free  = tce_free_pSeries;
+               ppc_md.iommu_bus_setup = iommu_bus_setup_pSeries;
++              ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
+       }
+-      ppc_md.iommu_dev_setup = iommu_dev_setup_pSeries;
+       pci_iommu_init();
+ }
+diff --git a/arch/sparc/kernel/ptrace.c b/arch/sparc/kernel/ptrace.c
+--- a/arch/sparc/kernel/ptrace.c
++++ b/arch/sparc/kernel/ptrace.c
+@@ -531,18 +531,6 @@ asmlinkage void do_ptrace(struct pt_regs
+                       pt_error_return(regs, EIO);
+                       goto out_tsk;
+               }
+-              if (addr != 1) {
+-                      if (addr & 3) {
+-                              pt_error_return(regs, EINVAL);
+-                              goto out_tsk;
+-                      }
+-#ifdef DEBUG_PTRACE
+-                      printk ("Original: %08lx %08lx\n", child->thread.kregs->pc, child->thread.kregs->npc);
+-                      printk ("Continuing with %08lx %08lx\n", addr, addr+4);
+-#endif
+-                      child->thread.kregs->pc = addr;
+-                      child->thread.kregs->npc = addr + 4;
+-              }
+               if (request == PTRACE_SYSCALL)
+                       set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
+diff --git a/arch/sparc64/kernel/ptrace.c b/arch/sparc64/kernel/ptrace.c
+--- a/arch/sparc64/kernel/ptrace.c
++++ b/arch/sparc64/kernel/ptrace.c
+@@ -514,25 +514,6 @@ asmlinkage void do_ptrace(struct pt_regs
+                       pt_error_return(regs, EIO);
+                       goto out_tsk;
+               }
+-              if (addr != 1) {
+-                      unsigned long pc_mask = ~0UL;
+-
+-                      if ((child->thread_info->flags & _TIF_32BIT) != 0)
+-                              pc_mask = 0xffffffff;
+-
+-                      if (addr & 3) {
+-                              pt_error_return(regs, EINVAL);
+-                              goto out_tsk;
+-                      }
+-#ifdef DEBUG_PTRACE
+-                      printk ("Original: %016lx %016lx\n",
+-                              child->thread_info->kregs->tpc,
+-                              child->thread_info->kregs->tnpc);
+-                      printk ("Continuing with %016lx %016lx\n", addr, addr+4);
+-#endif
+-                      child->thread_info->kregs->tpc = (addr & pc_mask);
+-                      child->thread_info->kregs->tnpc = ((addr + 4) & pc_mask);
+-              }
+               if (request == PTRACE_SYSCALL) {
+                       set_tsk_thread_flag(child, TIF_SYSCALL_TRACE);
+diff --git a/arch/sparc64/kernel/signal32.c b/arch/sparc64/kernel/signal32.c
+--- a/arch/sparc64/kernel/signal32.c
++++ b/arch/sparc64/kernel/signal32.c
+@@ -192,10 +192,13 @@ int copy_siginfo_to_user32(compat_siginf
+                       err |= __put_user(from->si_uid, &to->si_uid);
+                       break;
+               case __SI_FAULT >> 16:
+-              case __SI_POLL >> 16:
+                       err |= __put_user(from->si_trapno, &to->si_trapno);
+                       err |= __put_user((unsigned long)from->si_addr, &to->si_addr);
+                       break;
++              case __SI_POLL >> 16:
++                      err |= __put_user(from->si_band, &to->si_band);
++                      err |= __put_user(from->si_fd, &to->si_fd);
++                      break;
+               case __SI_RT >> 16: /* This is not generated by the kernel as of now.  */
+               case __SI_MESGQ >> 16:
+                       err |= __put_user(from->si_pid, &to->si_pid);
+diff --git a/arch/sparc64/kernel/systbls.S b/arch/sparc64/kernel/systbls.S
+--- a/arch/sparc64/kernel/systbls.S
++++ b/arch/sparc64/kernel/systbls.S
+@@ -75,7 +75,7 @@ sys_call_table32:
+ /*260*/       .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
+       .word sys_timer_delete, sys32_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
+ /*270*/       .word sys32_io_submit, sys_io_cancel, compat_sys_io_getevents, sys32_mq_open, sys_mq_unlink
+-      .word sys_mq_timedsend, sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
++      .word compat_sys_mq_timedsend, compat_sys_mq_timedreceive, compat_sys_mq_notify, compat_sys_mq_getsetattr, compat_sys_waitid
+ /*280*/       .word sys_ni_syscall, sys_add_key, sys_request_key, sys_keyctl
+ #endif /* CONFIG_COMPAT */
+diff --git a/arch/um/include/sysdep-i386/syscalls.h b/arch/um/include/sysdep-i386/syscalls.h
+--- a/arch/um/include/sysdep-i386/syscalls.h
++++ b/arch/um/include/sysdep-i386/syscalls.h
+@@ -23,6 +23,9 @@ extern long sys_mmap2(unsigned long addr
+                     unsigned long prot, unsigned long flags,
+                     unsigned long fd, unsigned long pgoff);
++/* On i386 they choose a meaningless naming.*/
++#define __NR_kexec_load __NR_sys_kexec_load
++
+ #define ARCH_SYSCALLS \
+       [ __NR_waitpid ] = (syscall_handler_t *) sys_waitpid, \
+       [ __NR_break ] = (syscall_handler_t *) sys_ni_syscall, \
+@@ -101,15 +104,12 @@ extern long sys_mmap2(unsigned long addr
+       [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
+       [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
+       [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
+-      [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
+       [ 251 ] = (syscall_handler_t *) sys_ni_syscall, \
+-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
+-      [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
+-      [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
+-        
++      [ 285 ] = (syscall_handler_t *) sys_ni_syscall,
++
+ /* 222 doesn't yet have a name in include/asm-i386/unistd.h */
+-#define LAST_ARCH_SYSCALL __NR_vserver
++#define LAST_ARCH_SYSCALL 285
+ /*
+  * Overrides for Emacs so that we follow Linus's tabbing style.
+diff --git a/arch/um/include/sysdep-x86_64/syscalls.h b/arch/um/include/sysdep-x86_64/syscalls.h
+--- a/arch/um/include/sysdep-x86_64/syscalls.h
++++ b/arch/um/include/sysdep-x86_64/syscalls.h
+@@ -71,12 +71,7 @@ extern syscall_handler_t sys_arch_prctl;
+       [ __NR_iopl ] = (syscall_handler_t *) sys_ni_syscall, \
+       [ __NR_set_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
+       [ __NR_get_thread_area ] = (syscall_handler_t *) sys_ni_syscall, \
+-        [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages, \
+       [ __NR_semtimedop ] = (syscall_handler_t *) sys_semtimedop, \
+-      [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64, \
+-      [ 223 ] = (syscall_handler_t *) sys_ni_syscall, \
+-      [ __NR_utimes ] = (syscall_handler_t *) sys_utimes, \
+-      [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall, \
+       [ 251 ] = (syscall_handler_t *) sys_ni_syscall,
+ #define LAST_ARCH_SYSCALL 251
+diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c
+--- a/arch/um/kernel/skas/uaccess.c
++++ b/arch/um/kernel/skas/uaccess.c
+@@ -61,7 +61,8 @@ static void do_buffer_op(void *jmpbuf, v
+       void *arg;
+       int *res;
+-      va_copy(args, *(va_list *)arg_ptr);
++      /* Some old gccs recognize __va_copy, but not va_copy */
++      __va_copy(args, *(va_list *)arg_ptr);
+       addr = va_arg(args, unsigned long);
+       len = va_arg(args, int);
+       is_write = va_arg(args, int);
+diff --git a/arch/um/kernel/sys_call_table.c b/arch/um/kernel/sys_call_table.c
+--- a/arch/um/kernel/sys_call_table.c
++++ b/arch/um/kernel/sys_call_table.c
+@@ -48,7 +48,6 @@ extern syscall_handler_t sys_vfork;
+ extern syscall_handler_t old_select;
+ extern syscall_handler_t sys_modify_ldt;
+ extern syscall_handler_t sys_rt_sigsuspend;
+-extern syscall_handler_t sys_vserver;
+ extern syscall_handler_t sys_mbind;
+ extern syscall_handler_t sys_get_mempolicy;
+ extern syscall_handler_t sys_set_mempolicy;
+@@ -242,6 +241,7 @@ syscall_handler_t *sys_call_table[] = {
+       [ __NR_epoll_create ] = (syscall_handler_t *) sys_epoll_create,
+       [ __NR_epoll_ctl ] = (syscall_handler_t *) sys_epoll_ctl,
+       [ __NR_epoll_wait ] = (syscall_handler_t *) sys_epoll_wait,
++      [ __NR_remap_file_pages ] = (syscall_handler_t *) sys_remap_file_pages,
+         [ __NR_set_tid_address ] = (syscall_handler_t *) sys_set_tid_address,
+       [ __NR_timer_create ] = (syscall_handler_t *) sys_timer_create,
+       [ __NR_timer_settime ] = (syscall_handler_t *) sys_timer_settime,
+@@ -252,12 +252,10 @@ syscall_handler_t *sys_call_table[] = {
+       [ __NR_clock_gettime ] = (syscall_handler_t *) sys_clock_gettime,
+       [ __NR_clock_getres ] = (syscall_handler_t *) sys_clock_getres,
+       [ __NR_clock_nanosleep ] = (syscall_handler_t *) sys_clock_nanosleep,
+-      [ __NR_statfs64 ] = (syscall_handler_t *) sys_statfs64,
+-      [ __NR_fstatfs64 ] = (syscall_handler_t *) sys_fstatfs64,
+       [ __NR_tgkill ] = (syscall_handler_t *) sys_tgkill,
+       [ __NR_utimes ] = (syscall_handler_t *) sys_utimes,
+-      [ __NR_fadvise64_64 ] = (syscall_handler_t *) sys_fadvise64_64,
+-      [ __NR_vserver ] = (syscall_handler_t *) sys_vserver,
++      [ __NR_fadvise64 ] = (syscall_handler_t *) sys_fadvise64,
++      [ __NR_vserver ] = (syscall_handler_t *) sys_ni_syscall,
+       [ __NR_mbind ] = (syscall_handler_t *) sys_mbind,
+       [ __NR_get_mempolicy ] = (syscall_handler_t *) sys_get_mempolicy,
+       [ __NR_set_mempolicy ] = (syscall_handler_t *) sys_set_mempolicy,
+@@ -267,9 +265,8 @@ syscall_handler_t *sys_call_table[] = {
+       [ __NR_mq_timedreceive ] = (syscall_handler_t *) sys_mq_timedreceive,
+       [ __NR_mq_notify ] = (syscall_handler_t *) sys_mq_notify,
+       [ __NR_mq_getsetattr ] = (syscall_handler_t *) sys_mq_getsetattr,
+-      [ __NR_sys_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
++      [ __NR_kexec_load ] = (syscall_handler_t *) sys_ni_syscall,
+       [ __NR_waitid ] = (syscall_handler_t *) sys_waitid,
+-      [ 285 ] = (syscall_handler_t *) sys_ni_syscall,
+       [ __NR_add_key ] = (syscall_handler_t *) sys_add_key,
+       [ __NR_request_key ] = (syscall_handler_t *) sys_request_key,
+       [ __NR_keyctl ] = (syscall_handler_t *) sys_keyctl,
+diff --git a/arch/x86_64/kernel/apic.c b/arch/x86_64/kernel/apic.c
+--- a/arch/x86_64/kernel/apic.c
++++ b/arch/x86_64/kernel/apic.c
+@@ -775,9 +775,7 @@ void __init setup_boot_APIC_clock (void)
+ void __init setup_secondary_APIC_clock(void)
+ {
+-      local_irq_disable(); /* FIXME: Do we need this? --RR */
+       setup_APIC_timer(calibration_result);
+-      local_irq_enable();
+ }
+ void __init disable_APIC_timer(void)
+diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
+--- a/arch/x86_64/kernel/ptrace.c
++++ b/arch/x86_64/kernel/ptrace.c
+@@ -129,13 +129,13 @@ static int putreg(struct task_struct *ch
+                       value &= 0xffff;
+                       return 0;
+               case offsetof(struct user_regs_struct,fs_base):
+-                      if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
+-                              return -EIO; 
++                      if (value >= TASK_SIZE)
++                              return -EIO;
+                       child->thread.fs = value;
+                       return 0;
+               case offsetof(struct user_regs_struct,gs_base):
+-                      if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
+-                              return -EIO; 
++                      if (value >= TASK_SIZE)
++                              return -EIO;
+                       child->thread.gs = value;
+                       return 0;
+               case offsetof(struct user_regs_struct, eflags):
+@@ -149,6 +149,11 @@ static int putreg(struct task_struct *ch
+                               return -EIO;
+                       value &= 0xffff;
+                       break;
++              case offsetof(struct user_regs_struct, rip):
++                      /* Check if the new RIP address is canonical */
++                      if (value >= TASK_SIZE)
++                              return -EIO;
++                      break;
+       }
+       put_stack_long(child, regno - sizeof(struct pt_regs), value);
+       return 0;
+@@ -247,7 +252,7 @@ asmlinkage long sys_ptrace(long request,
+                       break;
+               switch (addr) { 
+-              case 0 ... sizeof(struct user_regs_struct):
++              case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
+                       tmp = getreg(child, addr);
+                       break;
+               case offsetof(struct user, u_debugreg[0]):
+@@ -292,7 +297,7 @@ asmlinkage long sys_ptrace(long request,
+                       break;
+               switch (addr) { 
+-              case 0 ... sizeof(struct user_regs_struct): 
++              case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
+                       ret = putreg(child, addr, data);
+                       break;
+               /* Disallows to set a breakpoint into the vsyscall */
+diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c
+--- a/arch/x86_64/kernel/smpboot.c
++++ b/arch/x86_64/kernel/smpboot.c
+@@ -309,8 +309,6 @@ void __init smp_callin(void)
+       Dprintk("CALLIN, before setup_local_APIC().\n");
+       setup_local_APIC();
+-      local_irq_enable();
+-
+       /*
+        * Get our bogomips.
+        */
+@@ -324,8 +322,6 @@ void __init smp_callin(void)
+        */
+       smp_store_cpu_info(cpuid);
+-      local_irq_disable();
+-
+       /*
+        * Allow the master to continue.
+        */
+diff --git a/arch/x86_64/mm/fault.c b/arch/x86_64/mm/fault.c
+--- a/arch/x86_64/mm/fault.c
++++ b/arch/x86_64/mm/fault.c
+@@ -236,6 +236,8 @@ static noinline void pgtable_bad(unsigne
+ /*
+  * Handle a fault on the vmalloc or module mapping area
++ *
++ * This assumes no large pages in there.
+  */
+ static int vmalloc_fault(unsigned long address)
+ {
+@@ -274,7 +276,10 @@ static int vmalloc_fault(unsigned long a
+       if (!pte_present(*pte_ref))
+               return -1;
+       pte = pte_offset_kernel(pmd, address);
+-      if (!pte_present(*pte) || pte_page(*pte) != pte_page(*pte_ref))
++      /* Don't use pte_page here, because the mappings can point
++         outside mem_map, and the NUMA hash lookup cannot handle
++         that. */
++      if (!pte_present(*pte) || pte_pfn(*pte) != pte_pfn(*pte_ref))
+               BUG();
+       __flush_tlb_all();
+       return 0;
+@@ -348,7 +353,9 @@ asmlinkage void do_page_fault(struct pt_
+        * protection error (error_code & 1) == 0.
+        */
+       if (unlikely(address >= TASK_SIZE)) {
+-              if (!(error_code & 5)) {
++              if (!(error_code & 5) &&
++                    ((address >= VMALLOC_START && address < VMALLOC_END) ||
++                     (address >= MODULES_VADDR && address < MODULES_END))) {
+                       if (vmalloc_fault(address) < 0)
+                               goto bad_area_nosemaphore;
+                       return;
+diff --git a/arch/x86_64/mm/ioremap.c b/arch/x86_64/mm/ioremap.c
+--- a/arch/x86_64/mm/ioremap.c
++++ b/arch/x86_64/mm/ioremap.c
+@@ -266,7 +266,7 @@ void iounmap(volatile void __iomem *addr
+       if ((p->flags >> 20) &&
+               p->phys_addr + p->size - 1 < virt_to_phys(high_memory)) {
+               /* p->size includes the guard page, but cpa doesn't like that */
+-              change_page_attr(virt_to_page(__va(p->phys_addr)),
++              change_page_attr_addr((unsigned long)(__va(p->phys_addr)),
+                                (p->size - PAGE_SIZE) >> PAGE_SHIFT,
+                                PAGE_KERNEL);                           
+               global_flush_tlb();
+diff --git a/drivers/block/ioctl.c b/drivers/block/ioctl.c
+--- a/drivers/block/ioctl.c
++++ b/drivers/block/ioctl.c
+@@ -237,3 +237,5 @@ long compat_blkdev_ioctl(struct file *fi
+       }
+       return ret;
+ }
++
++EXPORT_SYMBOL_GPL(blkdev_ioctl);
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2400,7 +2400,7 @@ static int pkt_ioctl(struct inode *inode
+       case CDROM_LAST_WRITTEN:
+       case CDROM_SEND_PACKET:
+       case SCSI_IOCTL_SEND_COMMAND:
+-              return ioctl_by_bdev(pd->bdev, cmd, arg);
++              return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
+       case CDROMEJECT:
+               /*
+@@ -2408,7 +2408,7 @@ static int pkt_ioctl(struct inode *inode
+                * have to unlock it or else the eject command fails.
+                */
+               pkt_lock_door(pd, 0);
+-              return ioctl_by_bdev(pd->bdev, cmd, arg);
++              return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
+       default:
+               printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
+diff --git a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
+--- a/drivers/char/drm/drm_ioctl.c
++++ b/drivers/char/drm/drm_ioctl.c
+@@ -326,6 +326,8 @@ int drm_setversion(DRM_IOCTL_ARGS)
+       DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
++      memset(&version, 0, sizeof(version));
++
+       dev->driver->version(&version);
+       retv.drm_di_major = DRM_IF_MAJOR;
+       retv.drm_di_minor = DRM_IF_MINOR;
+diff --git a/drivers/char/raw.c b/drivers/char/raw.c
+--- a/drivers/char/raw.c
++++ b/drivers/char/raw.c
+@@ -122,7 +122,7 @@ raw_ioctl(struct inode *inode, struct fi
+ {
+       struct block_device *bdev = filp->private_data;
+-      return ioctl_by_bdev(bdev, command, arg);
++      return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
+ }
+ static void bind_device(struct raw_config_request *rq)
+diff --git a/drivers/i2c/chips/eeprom.c b/drivers/i2c/chips/eeprom.c
+--- a/drivers/i2c/chips/eeprom.c
++++ b/drivers/i2c/chips/eeprom.c
+@@ -130,7 +130,8 @@ static ssize_t eeprom_read(struct kobjec
+       /* Hide Vaio security settings to regular users (16 first bytes) */
+       if (data->nature == VAIO && off < 16 && !capable(CAP_SYS_ADMIN)) {
+-              int in_row1 = 16 - off;
++              size_t in_row1 = 16 - off;
++              in_row1 = min(in_row1, count);
+               memset(buf, 0, in_row1);
+               if (count - in_row1 > 0)
+                       memcpy(buf + in_row1, &data->data[16], count - in_row1);
+diff --git a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
+--- a/drivers/i2c/chips/it87.c
++++ b/drivers/i2c/chips/it87.c
+@@ -631,7 +631,7 @@ static ssize_t show_alarms(struct device
+       struct it87_data *data = it87_update_device(dev);
+       return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
+ }
+-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
+ static ssize_t
+ show_vrm_reg(struct device *dev, char *buf)
+diff --git a/drivers/i2c/chips/via686a.c b/drivers/i2c/chips/via686a.c
+--- a/drivers/i2c/chips/via686a.c
++++ b/drivers/i2c/chips/via686a.c
+@@ -554,7 +554,7 @@ static ssize_t show_alarms(struct device
+       struct via686a_data *data = via686a_update_device(dev);
+       return sprintf(buf,"%d\n", ALARMS_FROM_REG(data->alarms));
+ }
+-static DEVICE_ATTR(alarms, S_IRUGO | S_IWUSR, show_alarms, NULL);
++static DEVICE_ATTR(alarms, S_IRUGO, show_alarms, NULL);
+ /* The driver. I choose to use type i2c_driver, as at is identical to both
+    smbus_driver and isa_driver, and clients could be of either kind */
+diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
+--- a/drivers/ide/ide-disk.c
++++ b/drivers/ide/ide-disk.c
+@@ -133,6 +133,8 @@ static ide_startstop_t __ide_do_rw_disk(
+       if (hwif->no_lba48_dma && lba48 && dma) {
+               if (block + rq->nr_sectors > 1ULL << 28)
+                       dma = 0;
++              else
++                      lba48 = 0;
+       }
+       if (!dma) {
+@@ -146,7 +148,7 @@ static ide_startstop_t __ide_do_rw_disk(
+       /* FIXME: SELECT_MASK(drive, 0) ? */
+       if (drive->select.b.lba) {
+-              if (drive->addressing == 1) {
++              if (lba48) {
+                       task_ioreg_t tasklets[10];
+                       pr_debug("%s: LBA=0x%012llx\n", drive->name, block);
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -88,7 +88,7 @@ static struct dmi_system_id __initdata i
+ };
+ #endif
+-#ifdef CONFIG_ACPI
++#if defined(__ia64__) && defined(CONFIG_ACPI)
+ #include <linux/acpi.h>
+ #include <acpi/acpi_bus.h>
+@@ -281,7 +281,7 @@ static inline int i8042_platform_init(vo
+       i8042_kbd_irq = I8042_MAP_IRQ(1);
+       i8042_aux_irq = I8042_MAP_IRQ(12);
+-#ifdef CONFIG_ACPI
++#if defined(__ia64__) && defined(CONFIG_ACPI)
+       if (i8042_acpi_init())
+               return -1;
+ #endif
+@@ -300,7 +300,7 @@ static inline int i8042_platform_init(vo
+ static inline void i8042_platform_exit(void)
+ {
+-#ifdef CONFIG_ACPI
++#if defined(__ia64__) && defined(CONFIG_ACPI)
+       i8042_acpi_exit();
+ #endif
+ }
+diff --git a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
+--- a/drivers/md/raid6altivec.uc
++++ b/drivers/md/raid6altivec.uc
+@@ -108,7 +108,11 @@ int raid6_have_altivec(void);
+ int raid6_have_altivec(void)
+ {
+       /* This assumes either all CPUs have Altivec or none does */
++#ifdef CONFIG_PPC64
+       return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
++#else
++      return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
++#endif
+ }
+ #endif
+diff --git a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
+--- a/drivers/media/video/adv7170.c
++++ b/drivers/media/video/adv7170.c
+@@ -130,7 +130,7 @@ adv7170_write_block (struct i2c_client *
+               u8 block_data[32];
+               msg.addr = client->addr;
+-              msg.flags = client->flags;
++              msg.flags = 0;
+               while (len >= 2) {
+                       msg.buf = (char *) block_data;
+                       msg.len = 0;
+diff --git a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
+--- a/drivers/media/video/adv7175.c
++++ b/drivers/media/video/adv7175.c
+@@ -126,7 +126,7 @@ adv7175_write_block (struct i2c_client *
+               u8 block_data[32];
+               msg.addr = client->addr;
+-              msg.flags = client->flags;
++              msg.flags = 0;
+               while (len >= 2) {
+                       msg.buf = (char *) block_data;
+                       msg.len = 0;
+diff --git a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
+--- a/drivers/media/video/bt819.c
++++ b/drivers/media/video/bt819.c
+@@ -146,7 +146,7 @@ bt819_write_block (struct i2c_client *cl
+               u8 block_data[32];
+               msg.addr = client->addr;
+-              msg.flags = client->flags;
++              msg.flags = 0;
+               while (len >= 2) {
+                       msg.buf = (char *) block_data;
+                       msg.len = 0;
+diff --git a/drivers/media/video/bttv-cards.c b/drivers/media/video/bttv-cards.c
+--- a/drivers/media/video/bttv-cards.c
++++ b/drivers/media/video/bttv-cards.c
+@@ -1939,7 +1939,6 @@ struct tvcard bttv_tvcards[] = {
+         .no_tda9875     = 1,
+         .no_tda7432     = 1,
+         .tuner_type     = TUNER_ABSENT,
+-        .no_video       = 1,
+       .pll            = PLL_28,
+ },{
+       .name           = "Teppro TEV-560/InterVision IV-560",
+@@ -2718,8 +2717,6 @@ void __devinit bttv_init_card2(struct bt
+         }
+       btv->pll.pll_current = -1;
+-      bttv_reset_audio(btv);
+-
+       /* tuner configuration (from card list / autodetect / insmod option) */
+       if (UNSET != bttv_tvcards[btv->c.type].tuner_type)
+               if(UNSET == btv->tuner_type)
+diff --git a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
+--- a/drivers/media/video/saa7110.c
++++ b/drivers/media/video/saa7110.c
+@@ -60,8 +60,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
+ #define       I2C_SAA7110             0x9C    /* or 0x9E */
++#define SAA7110_NR_REG                0x35
++
+ struct saa7110 {
+-      unsigned char reg[54];
++      u8 reg[SAA7110_NR_REG];
+       int norm;
+       int input;
+@@ -95,31 +97,28 @@ saa7110_write_block (struct i2c_client *
+                    unsigned int       len)
+ {
+       int ret = -1;
+-      u8 reg = *data++;
++      u8 reg = *data;         /* first register to write to */
+-      len--;
++      /* Sanity check */
++      if (reg + (len - 1) > SAA7110_NR_REG)
++              return ret;
+       /* the saa7110 has an autoincrement function, use it if
+        * the adapter understands raw I2C */
+       if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
+               struct saa7110 *decoder = i2c_get_clientdata(client);
+               struct i2c_msg msg;
+-              u8 block_data[54];
+-              msg.len = 0;
+-              msg.buf = (char *) block_data;
++              msg.len = len;
++              msg.buf = (char *) data;
+               msg.addr = client->addr;
+-              msg.flags = client->flags;
+-              while (len >= 1) {
+-                      msg.len = 0;
+-                      block_data[msg.len++] = reg;
+-                      while (len-- >= 1 && msg.len < 54)
+-                              block_data[msg.len++] =
+-                                  decoder->reg[reg++] = *data++;
+-                      ret = i2c_transfer(client->adapter, &msg, 1);
+-              }
++              msg.flags = 0;
++              ret = i2c_transfer(client->adapter, &msg, 1);
++
++              /* Cache the written data */
++              memcpy(decoder->reg + reg, data + 1, len - 1);
+       } else {
+-              while (len-- >= 1) {
++              for (++data, --len; len; len--) {
+                       if ((ret = saa7110_write(client, reg++,
+                                                *data++)) < 0)
+                               break;
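Review bot: The new sanity check `reg + (len - 1) > SAA7110_NR_REG` does not reject `len == 0`: `len` is `unsigned int`, so `len - 1` wraps, and for a small non-zero `reg` the sum wraps back to a value that passes the test. After that, `memcpy(decoder->reg + reg, data + 1, len - 1)` and the fallback `for (++data, --len; len; len--)` both run with a wrapped length. The callers are outside the hunk, so this may not be reachable today, but the guard is cheap: `if (len == 0 || reg + (len - 1) > SAA7110_NR_REG)`. Separately, the register cache is filled even when `i2c_transfer` returns an error; copying only on success would keep `decoder->reg` in step with the chip. saa7110_write_block starts before and continues past the hunk.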
+@@ -192,7 +191,7 @@ saa7110_selmux (struct i2c_client *clien
+       return 0;
+ }
+-static const unsigned char initseq[] = {
++static const unsigned char initseq[1 + SAA7110_NR_REG] = {
+       0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
+       /* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
+       /* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
+diff --git a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
+--- a/drivers/media/video/saa7114.c
++++ b/drivers/media/video/saa7114.c
+@@ -163,7 +163,7 @@ saa7114_write_block (struct i2c_client *
+               u8 block_data[32];
+               msg.addr = client->addr;
+-              msg.flags = client->flags;
++              msg.flags = 0;
+               while (len >= 2) {
+                       msg.buf = (char *) block_data;
+                       msg.len = 0;
+diff --git a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
+--- a/drivers/media/video/saa7185.c
++++ b/drivers/media/video/saa7185.c
+@@ -118,7 +118,7 @@ saa7185_write_block (struct i2c_client *
+               u8 block_data[32];
+               msg.addr = client->addr;
+-              msg.flags = client->flags;
++              msg.flags = 0;
+               while (len >= 2) {
+                       msg.buf = (char *) block_data;
+                       msg.len = 0;
+diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
+--- a/drivers/net/3c59x.c
++++ b/drivers/net/3c59x.c
+@@ -1581,7 +1581,8 @@ vortex_up(struct net_device *dev)
+       if (VORTEX_PCI(vp)) {
+               pci_set_power_state(VORTEX_PCI(vp), PCI_D0);    /* Go active */
+-              pci_restore_state(VORTEX_PCI(vp));
++              if (vp->pm_state_valid)
++                      pci_restore_state(VORTEX_PCI(vp));
+               pci_enable_device(VORTEX_PCI(vp));
+       }
+@@ -2741,6 +2742,7 @@ vortex_down(struct net_device *dev, int 
+               outl(0, ioaddr + DownListPtr);
+       if (final_down && VORTEX_PCI(vp)) {
++              vp->pm_state_valid = 1;
+               pci_save_state(VORTEX_PCI(vp));
+               acpi_set_WOL(dev);
+       }
+@@ -3243,9 +3245,10 @@ static void acpi_set_WOL(struct net_devi
+               outw(RxEnable, ioaddr + EL3_CMD);
+               pci_enable_wake(VORTEX_PCI(vp), 0, 1);
++
++              /* Change the power state to D3; RxEnable doesn't take effect. */
++              pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
+       }
+-      /* Change the power state to D3; RxEnable doesn't take effect. */
+-      pci_set_power_state(VORTEX_PCI(vp), PCI_D3hot);
+ }
+diff --git a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
+--- a/drivers/net/amd8111e.c
++++ b/drivers/net/amd8111e.c
+@@ -1381,6 +1381,8 @@ static int amd8111e_open(struct net_devi
+       if(amd8111e_restart(dev)){
+               spin_unlock_irq(&lp->lock);
++              if (dev->irq)
++                      free_irq(dev->irq, dev);
+               return -ENOMEM;
+       }
+       /* Start ipg timer */
+diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
+--- a/drivers/net/ppp_async.c
++++ b/drivers/net/ppp_async.c
+@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncp
+       data += 4;
+       dlen -= 4;
+       /* data[0] is code, data[1] is length */
+-      while (dlen >= 2 && dlen >= data[1]) {
++      while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
+               switch (data[0]) {
+               case LCP_MRU:
+                       val = (data[2] << 8) + data[3];
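Review bot: The `LCP_MRU` case still reads `data[2]` and `data[3]` when the option's length byte is 2 or 3, because the loop condition only guarantees `dlen >= data[1] >= 2`. The added `data[1] >= 2` term does stop a zero- or one-length option from keeping the loop from advancing, but it does not bound this read. Whether those two bytes are still inside the received frame depends on code outside the hunk, so it is worth confirming; a per-option test such as `data[1] >= 4` before the read would make it visibly bounded. The rest of the switch and the loop advance are outside the hunk.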
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -1683,16 +1683,19 @@ static void rtl8169_free_rx_skb(struct r
+       rtl8169_make_unusable_by_asic(desc);
+ }
+-static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
++static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
+ {
+-      desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
++      u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
++
++      desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
+ }
+-static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
+-                                      int rx_buf_sz)
++static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
++                                     u32 rx_buf_sz)
+ {
+       desc->addr = cpu_to_le64(mapping);
+-      desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
++      wmb();
++      rtl8169_mark_to_asic(desc, rx_buf_sz);
+ }
+ static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
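Review bot: The `wmb()` added in `rtl8169_map_to_asic` carries no comment saying what it orders, and barriers without a stated reason tend to get moved or dropped in later clean-ups. From the visible lines it separates the `desc->addr` store from the `opts1` store that sets `DescOwn`, so I would add `/* the buffer address must be visible before DescOwn hands the descriptor to the chip */`. `rtl8169_mark_to_asic` also deserves a one-line comment that it now rewrites `opts1` completely and keeps only `RingEnd` from the old value, since the previous helpers OR-ed into it.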
+@@ -1712,7 +1715,7 @@ static int rtl8169_alloc_rx_skb(struct p
+       mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
+                                PCI_DMA_FROMDEVICE);
+-      rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
++      rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
+ out:
+       return ret;
+@@ -2150,7 +2153,7 @@ static inline int rtl8169_try_rx_copy(st
+                       skb_reserve(skb, NET_IP_ALIGN);
+                       eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
+                       *sk_buff = skb;
+-                      rtl8169_return_to_asic(desc, rx_buf_sz);
++                      rtl8169_mark_to_asic(desc, rx_buf_sz);
+                       ret = 0;
+               }
+       }
+diff --git a/drivers/net/sis900.c b/drivers/net/sis900.c
+--- a/drivers/net/sis900.c
++++ b/drivers/net/sis900.c
+@@ -236,7 +236,7 @@ static int __devinit sis900_get_mac_addr
+       signature = (u16) read_eeprom(ioaddr, EEPROMSignature);    
+       if (signature == 0xffff || signature == 0x0000) {
+               printk (KERN_INFO "%s: Error EERPOM read %x\n", 
+-                      net_dev->name, signature);
++                      pci_name(pci_dev), signature);
+               return 0;
+       }
+@@ -268,7 +268,7 @@ static int __devinit sis630e_get_mac_add
+       if (!isa_bridge)
+               isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
+       if (!isa_bridge) {
+-              printk("%s: Can not find ISA bridge\n", net_dev->name);
++              printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
+               return 0;
+       }
+       pci_read_config_byte(isa_bridge, 0x48, &reg);
+@@ -456,10 +456,6 @@ static int __devinit sis900_probe(struct
+       net_dev->tx_timeout = sis900_tx_timeout;
+       net_dev->watchdog_timeo = TX_TIMEOUT;
+       net_dev->ethtool_ops = &sis900_ethtool_ops;
+-      
+-      ret = register_netdev(net_dev);
+-      if (ret)
+-              goto err_unmap_rx;
+               
+       /* Get Mac address according to the chip revision */
+       pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
+@@ -476,7 +472,7 @@ static int __devinit sis900_probe(struct
+       if (ret == 0) {
+               ret = -ENODEV;
+-              goto err_out_unregister;
++              goto err_unmap_rx;
+       }
+       
+       /* 630ET : set the mii access mode as software-mode */
+@@ -486,7 +482,7 @@ static int __devinit sis900_probe(struct
+       /* probe for mii transceiver */
+       if (sis900_mii_probe(net_dev) == 0) {
+               ret = -ENODEV;
+-              goto err_out_unregister;
++              goto err_unmap_rx;
+       }
+       /* save our host bridge revision */
+@@ -496,6 +492,10 @@ static int __devinit sis900_probe(struct
+               pci_dev_put(dev);
+       }
++      ret = register_netdev(net_dev);
++      if (ret)
++              goto err_unmap_rx;
++
+       /* print some information about our NIC */
+       printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
+              card_name, ioaddr, net_dev->irq);
+@@ -505,8 +505,6 @@ static int __devinit sis900_probe(struct
+       return 0;
+- err_out_unregister:
+-      unregister_netdev(net_dev);
+  err_unmap_rx:
+       pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
+               sis_priv->rx_ring_dma);
+@@ -533,6 +531,7 @@ static int __devinit sis900_probe(struct
+ static int __init sis900_mii_probe(struct net_device * net_dev)
+ {
+       struct sis900_private * sis_priv = net_dev->priv;
++      const char *dev_name = pci_name(sis_priv->pci_dev);
+       u16 poll_bit = MII_STAT_LINK, status = 0;
+       unsigned long timeout = jiffies + 5 * HZ;
+       int phy_addr;
+@@ -582,21 +581,20 @@ static int __init sis900_mii_probe(struc
+                                       mii_phy->phy_types =
+                                           (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
+                               printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
+-                                     net_dev->name, mii_chip_table[i].name,
++                                     dev_name, mii_chip_table[i].name,
+                                      phy_addr);
+                               break;
+                       }
+                       
+               if( !mii_chip_table[i].phy_id1 ) {
+                       printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
+-                             net_dev->name, phy_addr);
++                             dev_name, phy_addr);
+                       mii_phy->phy_types = UNKNOWN;
+               }
+       }
+       
+       if (sis_priv->mii == NULL) {
+-              printk(KERN_INFO "%s: No MII transceivers found!\n",
+-                      net_dev->name);
++              printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
+               return 0;
+       }
+@@ -621,7 +619,7 @@ static int __init sis900_mii_probe(struc
+                       poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
+                       if (time_after_eq(jiffies, timeout)) {
+                               printk(KERN_WARNING "%s: reset phy and link down now\n",
+-                                      net_dev->name);
++                                     dev_name);
+                               return -ETIME;
+                       }
+               }
+@@ -691,7 +689,7 @@ static u16 sis900_default_phy(struct net
+               sis_priv->mii = default_phy;
+               sis_priv->cur_phy = default_phy->phy_addr;
+               printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
+-                                      net_dev->name,sis_priv->cur_phy);
++                     pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
+       }
+       
+       status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(s
+       size_t len = count;
+       if (!(tun->flags & TUN_NO_PI)) {
+-              if ((len -= sizeof(pi)) > len)
++              if ((len -= sizeof(pi)) > count)
+                       return -EINVAL;
+               if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
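Review bot: The length check `(len -= sizeof(pi)) > count` is correct only through unsigned wraparound and modifies `len` inside the condition, which is the style the broken `> len` form it replaces came from. Testing before subtracting states the intent directly: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. `len` is declared `size_t` in the hunk; the type of `count` comes from the signature of tun_get_user, which is outside the hunk.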
+diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
+--- a/drivers/net/via-rhine.c
++++ b/drivers/net/via-rhine.c
+@@ -1197,8 +1197,10 @@ static int rhine_open(struct net_device 
+                      dev->name, rp->pdev->irq);
+       rc = alloc_ring(dev);
+-      if (rc)
++      if (rc) {
++              free_irq(rp->pdev->irq, dev);
+               return rc;
++      }
+       alloc_rbufs(dev);
+       alloc_tbufs(dev);
+       rhine_chip_reset(dev);
+@@ -1899,6 +1901,9 @@ static void rhine_shutdown (struct devic
+       struct rhine_private *rp = netdev_priv(dev);
+       void __iomem *ioaddr = rp->base;
++      if (!(rp->quirks & rqWOL))
++              return; /* Nothing to do for non-WOL adapters */
++
+       rhine_power_init(dev);
+       /* Make sure we use pattern 0, 1 and not 4, 5 */
+diff --git a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
+--- a/drivers/net/wan/hd6457x.c
++++ b/drivers/net/wan/hd6457x.c
+@@ -315,7 +315,7 @@ static inline void sca_rx(card_t *card, 
+ #endif
+       stats->rx_packets++;
+       stats->rx_bytes += skb->len;
+-      skb->dev->last_rx = jiffies;
++      dev->last_rx = jiffies;
+       skb->protocol = hdlc_type_trans(skb, dev);
+       netif_rx(skb);
+ }
+diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
+--- a/drivers/pci/hotplug/pciehp_ctrl.c
++++ b/drivers/pci/hotplug/pciehp_ctrl.c
+@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func 
+                               dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
+                                       ctrl->seg, func->bus, func->device, func->function);
+                               bridge_slot_remove(func);
+-                      } else
++                      } else {
+                               dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n", 
+                                       ctrl->seg, func->bus, func->device, func->function);
+                               slot_remove(func);
++                      }
+                       func = pciehp_slot_find(ctrl->slot_bus, device, 0);
+               }
+diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -386,6 +386,7 @@ struct visor_private {
+       int bytes_in;
+       int bytes_out;
+       int outstanding_urbs;
++      int throttled;
+ };
+ /* number of outstanding urbs to prevent userspace DoS from happening */
+@@ -415,6 +416,7 @@ static int visor_open (struct usb_serial
+       priv->bytes_in = 0;
+       priv->bytes_out = 0;
+       priv->outstanding_urbs = 0;
++      priv->throttled = 0;
+       spin_unlock_irqrestore(&priv->lock, flags);
+       /*
+@@ -602,6 +604,7 @@ static void visor_read_bulk_callback (st
+       struct tty_struct *tty;
+       unsigned long flags;
+       int i;
++      int throttled;
+       int result;
+       dbg("%s - port %d", __FUNCTION__, port->number);
+@@ -627,18 +630,21 @@ static void visor_read_bulk_callback (st
+       }
+       spin_lock_irqsave(&priv->lock, flags);
+       priv->bytes_in += urb->actual_length;
++      throttled = priv->throttled;
+       spin_unlock_irqrestore(&priv->lock, flags);
+-      /* Continue trying to always read  */
+-      usb_fill_bulk_urb (port->read_urb, port->serial->dev,
+-                         usb_rcvbulkpipe(port->serial->dev,
+-                                         port->bulk_in_endpointAddress),
+-                         port->read_urb->transfer_buffer,
+-                         port->read_urb->transfer_buffer_length,
+-                         visor_read_bulk_callback, port);
+-      result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
+-      if (result)
+-              dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
++      /* Continue trying to always read if we should */
++      if (!throttled) {
++              usb_fill_bulk_urb (port->read_urb, port->serial->dev,
++                                 usb_rcvbulkpipe(port->serial->dev,
++                                                 port->bulk_in_endpointAddress),
++                                 port->read_urb->transfer_buffer,
++                                 port->read_urb->transfer_buffer_length,
++                                 visor_read_bulk_callback, port);
++              result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
++              if (result)
++                      dev_err(&port->dev, "%s - failed resubmitting read urb, error %d\n", __FUNCTION__, result);
++      }
+       return;
+ }
+@@ -683,16 +689,26 @@ exit:
+ static void visor_throttle (struct usb_serial_port *port)
+ {
++      struct visor_private *priv = usb_get_serial_port_data(port);
++      unsigned long flags;
++
+       dbg("%s - port %d", __FUNCTION__, port->number);
+-      usb_kill_urb(port->read_urb);
++      spin_lock_irqsave(&priv->lock, flags);
++      priv->throttled = 1;
++      spin_unlock_irqrestore(&priv->lock, flags);
+ }
+ static void visor_unthrottle (struct usb_serial_port *port)
+ {
++      struct visor_private *priv = usb_get_serial_port_data(port);
++      unsigned long flags;
+       int result;
+       dbg("%s - port %d", __FUNCTION__, port->number);
++      spin_lock_irqsave(&priv->lock, flags);
++      priv->throttled = 0;
++      spin_unlock_irqrestore(&priv->lock, flags);
+       port->read_urb->dev = port->serial->dev;
+       result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
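Review bot: `visor_unthrottle` still submits `port->read_urb` unconditionally, but `visor_throttle` no longer cancels that URB, so a read can still be in flight when unthrottle runs. `visor_read_bulk_callback` also samples `priv->throttled` under the lock and resubmits after dropping it, which leaves a second window. In either case the same URB would be submitted twice, and the second submit would be expected to fail and log an error. Tracking under `priv->lock` whether the callback actually skipped its resubmit, and submitting from unthrottle only then, closes the window; the field name below is a suggestion and it would also need to be set in the callback and cleared in `visor_open`. visor_unthrottle continues past the hunk.

```c
static void visor_unthrottle (struct usb_serial_port *port)
{
	/* … unchanged: priv, flags, result declarations and dbg() … */
	int resubmit;

	spin_lock_irqsave(&priv->lock, flags);
	priv->throttled = 0;
	/* read_stopped (suggested new field): set by the read callback
	 * when it skips the resubmit because the port was throttled */
	resubmit = priv->read_stopped;
	priv->read_stopped = 0;
	spin_unlock_irqrestore(&priv->lock, flags);

	if (!resubmit)
		return;	/* a read is still in flight; its callback resubmits */

	port->read_urb->dev = port->serial->dev;
	result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
```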
+diff --git a/drivers/video/matrox/matroxfb_accel.c b/drivers/video/matrox/matroxfb_accel.c
+--- a/drivers/video/matrox/matroxfb_accel.c
++++ b/drivers/video/matrox/matroxfb_accel.c
+@@ -438,13 +438,21 @@ static void matroxfb_1bpp_imageblit(WPMI
+               } else if (step == 1) {
+                       /* Special case for 1..8bit widths */
+                       while (height--) {
+-                              mga_writel(mmio, 0, *chardata);
++#if defined(__BIG_ENDIAN)
++                              fb_writel((*chardata) << 24, mmio.vaddr);
++#else
++                              fb_writel(*chardata, mmio.vaddr);
++#endif
+                               chardata++;
+                       }
+               } else if (step == 2) {
+                       /* Special case for 9..15bit widths */
+                       while (height--) {
+-                              mga_writel(mmio, 0, *(u_int16_t*)chardata);
++#if defined(__BIG_ENDIAN)
++                              fb_writel((*(u_int16_t*)chardata) << 16, mmio.vaddr);
++#else
++                              fb_writel(*(u_int16_t*)chardata, mmio.vaddr);
++#endif
+                               chardata += 2;
+                       }
+               } else {
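Review bot: In the `__BIG_ENDIAN` branches the shifts `(*chardata) << 24` and `(*(u_int16_t*)chardata) << 16` are evaluated in `int` after integer promotion, so a value with its top bit set is shifted into the sign bit, which is undefined for a signed type. This assumes `chardata` points to an 8-bit type; its declaration is outside the hunk. Casting before the shift keeps the arithmetic unsigned: `fb_writel((u32)*chardata << 24, mmio.vaddr);` and `fb_writel((u32)*(u_int16_t*)chardata << 16, mmio.vaddr);`. matroxfb_1bpp_imageblit starts before and ends after the hunk.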
+@@ -454,7 +462,7 @@ static void matroxfb_1bpp_imageblit(WPMI
+                               
+                               for (i = 0; i < step; i += 4) {
+                                       /* Hope that there are at least three readable bytes beyond the end of bitmap */
+-                                      mga_writel(mmio, 0, get_unaligned((u_int32_t*)(chardata + i)));
++                                      fb_writel(get_unaligned((u_int32_t*)(chardata + i)),mmio.vaddr);
+                               }
+                               chardata += step;
+                       }
+diff --git a/drivers/video/matrox/matroxfb_base.h b/drivers/video/matrox/matroxfb_base.h
+--- a/drivers/video/matrox/matroxfb_base.h
++++ b/drivers/video/matrox/matroxfb_base.h
+@@ -170,14 +170,14 @@ static inline void mga_memcpy_toio(vaddr
+       if ((unsigned long)src & 3) {
+               while (len >= 4) {
+-                      writel(get_unaligned((u32 *)src), addr);
++                      fb_writel(get_unaligned((u32 *)src), addr);
+                       addr++;
+                       len -= 4;
+                       src += 4;
+               }
+       } else {
+               while (len >= 4) {
+-                      writel(*(u32 *)src, addr);
++                      fb_writel(*(u32 *)src, addr);
+                       addr++;
+                       len -= 4;
+                       src += 4;
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -257,7 +257,7 @@ create_elf_tables(struct linux_binprm *b
+       }
+       /* Populate argv and envp */
+-      p = current->mm->arg_start;
++      p = current->mm->arg_end = current->mm->arg_start;
+       while (argc-- > 0) {
+               size_t len;
+               __put_user((elf_addr_t)p, argv++);
+@@ -1008,6 +1008,7 @@ out_free_ph:
+ static int load_elf_library(struct file *file)
+ {
+       struct elf_phdr *elf_phdata;
++      struct elf_phdr *eppnt;
+       unsigned long elf_bss, bss, len;
+       int retval, error, i, j;
+       struct elfhdr elf_ex;
+@@ -1031,44 +1032,47 @@ static int load_elf_library(struct file 
+       /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
+       error = -ENOMEM;
+-      elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
++      elf_phdata = kmalloc(j, GFP_KERNEL);
+       if (!elf_phdata)
+               goto out;
++      eppnt = elf_phdata;
+       error = -ENOEXEC;
+-      retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
++      retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
+       if (retval != j)
+               goto out_free_ph;
+       for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
+-              if ((elf_phdata + i)->p_type == PT_LOAD) j++;
++              if ((eppnt + i)->p_type == PT_LOAD)
++                      j++;
+       if (j != 1)
+               goto out_free_ph;
+-      while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
++      while (eppnt->p_type != PT_LOAD)
++              eppnt++;
+       /* Now use mmap to map the library into memory. */
+       down_write(&current->mm->mmap_sem);
+       error = do_mmap(file,
+-                      ELF_PAGESTART(elf_phdata->p_vaddr),
+-                      (elf_phdata->p_filesz +
+-                       ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
++                      ELF_PAGESTART(eppnt->p_vaddr),
++                      (eppnt->p_filesz +
++                       ELF_PAGEOFFSET(eppnt->p_vaddr)),
+                       PROT_READ | PROT_WRITE | PROT_EXEC,
+                       MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
+-                      (elf_phdata->p_offset -
+-                       ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
++                      (eppnt->p_offset -
++                       ELF_PAGEOFFSET(eppnt->p_vaddr)));
+       up_write(&current->mm->mmap_sem);
+-      if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
++      if (error != ELF_PAGESTART(eppnt->p_vaddr))
+               goto out_free_ph;
+-      elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
++      elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
+       if (padzero(elf_bss)) {
+               error = -EFAULT;
+               goto out_free_ph;
+       }
+-      len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+-      bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
++      len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
++      bss = eppnt->p_memsz + eppnt->p_vaddr;
+       if (bss > len) {
+               down_write(&current->mm->mmap_sem);
+               do_brk(len, bss - len);
+@@ -1275,7 +1279,7 @@ static void fill_prstatus(struct elf_prs
+ static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
+                      struct mm_struct *mm)
+ {
+-      int i, len;
++      unsigned int i, len;
+       
+       /* first copy the parameters from user space */
+       memset(psinfo, 0, sizeof(struct elf_prpsinfo));
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -70,6 +70,7 @@ static struct inode *get_cramfs_inode(st
+                       inode->i_data.a_ops = &cramfs_aops;
+               } else {
+                       inode->i_size = 0;
++                      inode->i_blocks = 0;
+                       init_special_inode(inode, inode->i_mode,
+                               old_decode_dev(cramfs_inode->size));
+               }
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -619,6 +619,7 @@ eexit_1:
+       return error;
+ }
++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
+ /*
+  * Implement the event wait interface for the eventpoll file. It is the kernel
+@@ -635,7 +636,7 @@ asmlinkage long sys_epoll_wait(int epfd,
+                    current, epfd, events, maxevents, timeout));
+       /* The maximum number of event must be greater than zero */
+-      if (maxevents <= 0)
++      if (maxevents <= 0 || maxevents > MAX_EVENTS)
+               return -EINVAL;
+       /* Verify that the area passed by the user is writeable */
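Review bot: `MAX_EVENTS`, defined in the previous hunk and used in the new `maxevents > MAX_EVENTS` test, has no comment explaining where the bound comes from, and the name is very generic for a file-scope macro. The definition suggests it caps `maxevents` so that `maxevents * sizeof(struct epoll_event)` stays within `INT_MAX` for the user-buffer check that follows, but that multiplication is outside the hunk. I would add `/* largest maxevents for which maxevents * sizeof(struct epoll_event) fits in an int */` above the define. The comparison mixes `maxevents` with a `size_t`-typed expression; it is safe only because `maxevents <= 0` is tested first, which is worth keeping in that order.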
+diff --git a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -814,7 +814,7 @@ void get_task_comm(char *buf, struct tas
+ {
+       /* buf must be at least sizeof(tsk->comm) in size */
+       task_lock(tsk);
+-      memcpy(buf, tsk->comm, sizeof(tsk->comm));
++      strncpy(buf, tsk->comm, sizeof(tsk->comm));
+       task_unlock(tsk);
+ }
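Review bot: The switch from `memcpy` to `strncpy` is not explained at the call site, and the existing comment only covers the buffer size. Two properties of `strncpy` matter here: it pads `buf` with NULs after the first terminator, so bytes of `tsk->comm` beyond the name are no longer copied to the caller, and it leaves `buf` unterminated if `tsk->comm` contains no NUL within `sizeof(tsk->comm)`. I would extend the comment, for example `/* strncpy, not memcpy: pad with NULs instead of copying bytes past the terminator */`, and note that `tsk->comm` is expected to be NUL-terminated. The motive is inferred from the change itself; the signature of get_task_comm is outside the hunk.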
+diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -592,6 +592,7 @@ int ext2_make_empty(struct inode *inode,
+               goto fail;
+       }
+       kaddr = kmap_atomic(page, KM_USER0);
++       memset(kaddr, 0, chunk_size);
+       de = (struct ext2_dir_entry_2 *)kaddr;
+       de->name_len = 1;
+       de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
+diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
+--- a/fs/ext3/balloc.c
++++ b/fs/ext3/balloc.c
+@@ -268,7 +268,8 @@ void ext3_discard_reservation(struct ino
+       if (!rsv_is_empty(&rsv->rsv_window)) {
+               spin_lock(rsv_lock);
+-              rsv_window_remove(inode->i_sb, rsv);
++              if (!rsv_is_empty(&rsv->rsv_window))
++                      rsv_window_remove(inode->i_sb, rsv);
+               spin_unlock(rsv_lock);
+       }
+ }
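Review bot: The second `rsv_is_empty()` test, taken under `rsv_lock`, reads like a duplicate of the unlocked one two lines above and is the kind of line a later clean-up removes. A short comment would protect it: `/* re-check under the lock: the window may have been removed since the unlocked test */`. That reading is inferred from the lock placement; the code that could remove the window concurrently is outside the hunk.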
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -333,6 +333,8 @@ void hfs_mdb_close(struct super_block *s
+  * Release the resources associated with the in-core MDB.  */
+ void hfs_mdb_put(struct super_block *sb)
+ {
++      if (!HFS_SB(sb))
++              return;
+       /* free the B-trees */
+       hfs_btree_close(HFS_SB(sb)->ext_tree);
+       hfs_btree_close(HFS_SB(sb)->cat_tree);
+@@ -340,4 +342,7 @@ void hfs_mdb_put(struct super_block *sb)
+       /* free the buffers holding the primary and alternate MDBs */
+       brelse(HFS_SB(sb)->mdb_bh);
+       brelse(HFS_SB(sb)->alt_mdb_bh);
++
++      kfree(HFS_SB(sb));
++      sb->s_fs_info = NULL;
+ }
+diff --git a/fs/hfs/super.c b/fs/hfs/super.c
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -263,7 +263,7 @@ static int hfs_fill_super(struct super_b
+       res = -EINVAL;
+       if (!parse_options((char *)data, sbi)) {
+               hfs_warn("hfs_fs: unable to parse mount options.\n");
+-              goto bail3;
++              goto bail;
+       }
+       sb->s_op = &hfs_super_operations;
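Review bot: The early failure paths in this hunk and the next one now jump to `bail`, which calls `hfs_mdb_put(sb)` before the MDB has been read, and the `kfree(sbi)` that used to cover them is removed in the last hunk of this file. That is only correct if `sb->s_fs_info` already points at `sbi` at these points, since otherwise the new `if (!HFS_SB(sb)) return;` guard in `hfs_mdb_put` returns early and `sbi` leaks. It also needs `sbi` to be zero-initialised and `hfs_btree_close()` to accept a NULL tree. None of that is visible here, because the allocation is outside the hunk. I would add `/* hfs_mdb_put() frees sbi and tolerates a partially set-up superblock */` at the `bail:` label so the dependency is stated.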
+@@ -276,7 +276,7 @@ static int hfs_fill_super(struct super_b
+                       hfs_warn("VFS: Can't find a HFS filesystem on dev %s.\n",
+                               hfs_mdb_name(sb));
+               res = -EINVAL;
+-              goto bail2;
++              goto bail;
+       }
+       /* try to get the root inode */
+@@ -306,10 +306,8 @@ bail_iput:
+       iput(root_inode);
+ bail_no_root:
+       hfs_warn("hfs_fs: get root inode failed.\n");
++bail:
+       hfs_mdb_put(sb);
+-bail2:
+-bail3:
+-      kfree(sbi);
+       return res;
+ }
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -207,7 +207,9 @@ static void hfsplus_write_super(struct s
+ static void hfsplus_put_super(struct super_block *sb)
+ {
+       dprint(DBG_SUPER, "hfsplus_put_super\n");
+-      if (!(sb->s_flags & MS_RDONLY)) {
++      if (!sb->s_fs_info)
++              return;
++      if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) {
+               struct hfsplus_vh *vhdr = HFSPLUS_SB(sb).s_vhdr;
+               vhdr->modify_date = hfsp_now2mt();
+@@ -223,6 +225,8 @@ static void hfsplus_put_super(struct sup
+       iput(HFSPLUS_SB(sb).alloc_file);
+       iput(HFSPLUS_SB(sb).hidden_dir);
+       brelse(HFSPLUS_SB(sb).s_vhbh);
++      kfree(sb->s_fs_info);
++      sb->s_fs_info = NULL;
+ }
+ static int hfsplus_statfs(struct super_block *sb, struct kstatfs *buf)
+diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -685,6 +685,8 @@ root_found:
+         sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
+         sbi->s_max_size = isonum_733(h_pri->volume_space_size);
+       } else {
++        if (!pri)
++          goto out_freebh;
+         rootp = (struct iso_directory_record *) pri->root_directory_record;
+         sbi->s_nzones = isonum_733 (pri->volume_space_size);
+         sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
+@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_bl
+       struct inode *inode;
+       struct isofs_iget5_callback_data data;
++      if (offset >= 1ul << sb->s_blocksize_bits)
++              return NULL;
++
+       data.block = block;
+       data.offset = offset;
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -53,6 +53,7 @@
+   if(LEN & 1) LEN++;                                          \
+   CHR = ((unsigned char *) DE) + LEN;                         \
+   LEN = *((unsigned char *) DE) - LEN;                          \
++  if (LEN<0) LEN=0;                                             \
+   if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1)                \
+   {                                                             \
+      LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;                \
+@@ -73,6 +74,10 @@
+     offset1 = 0; \
+     pbh = sb_bread(DEV->i_sb, block); \
+     if(pbh){       \
++      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){  \
++      brelse(pbh); \
++      goto out; \
++      } \
+       memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
+       brelse(pbh); \
+       chr = (unsigned char *) buffer; \
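Review bot: The added bound `offset + cont_size > pbh->b_size` in this macro is computed as a sum, so it can wrap. If `offset` and `cont_size` are signed (their declarations are outside the hunk), a negative `cont_size` could also satisfy it, and the `memcpy` below would then copy `cont_size - offset1` bytes. Comparing against the remaining space avoids the addition: `if (offset > pbh->b_size || cont_size > pbh->b_size - offset){ \`. Both values appear to come from the on-disk continuation record, so they should be treated as untrusted, and an explicit rejection of negative values before the buffer read would make that intent visible.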
+@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_d
+     struct rock_ridge * rr;
+     int sig;
+     
+-    while (len > 1){ /* There may be one byte for padding somewhere */
++    while (len > 2){ /* There may be one byte for padding somewhere */
+       rr = (struct rock_ridge *) chr;
+-      if (rr->len == 0) goto out; /* Something got screwed up here */
++      if (rr->len < 3) goto out; /* Something got screwed up here */
+       sig = isonum_721(chr);
+       chr += rr->len; 
+       len -= rr->len;
++      if (len < 0) goto out;  /* corrupted isofs */
+       switch(sig){
+       case SIG('R','R'):
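Review bot: The loop bound moves to `len > 2` and the record check to `rr->len < 3`, but the retained comment still mentions only a padding byte and neither constant is explained. A short comment such as `/* need signature (2 bytes) plus the length byte before reading rr->len */` would tie both numbers to the record layout, presumably the start of `struct rock_ridge`, which is declared outside this file section. The same pair of constants is repeated in the loops of parse_rock_ridge_inode_internal and rock_ridge_symlink_readpage further down, and `rr->len < 5` in the NM case is likewise unexplained. The function body continues outside the hunk, so whether the other `case` arms check `rr->len` before reading their payload cannot be confirmed from here.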
+@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_d
+       break;
+       case SIG('N','M'):
+       if (truncate) break;
++      if (rr->len < 5) break;
+         /*
+        * If the flags are 2 or 4, this indicates '.' or '..'.
+        * We don't want to do anything with this, because it
+@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct i
+     struct rock_ridge * rr;
+     int rootflag;
+     
+-    while (len > 1){ /* There may be one byte for padding somewhere */
++    while (len > 2){ /* There may be one byte for padding somewhere */
+       rr = (struct rock_ridge *) chr;
+-      if (rr->len == 0) goto out; /* Something got screwed up here */
++      if (rr->len < 3) goto out; /* Something got screwed up here */
+       sig = isonum_721(chr);
+       chr += rr->len; 
+       len -= rr->len;
++      if (len < 0) goto out;  /* corrupted isofs */
+       
+       switch(sig){
+ #ifndef CONFIG_ZISOFS         /* No flag for SF or ZF */
+@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(s
+       struct rock_ridge *rr;
+       if (!ISOFS_SB(inode->i_sb)->s_rock)
+-              panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
++              goto error;
+       block = ei->i_iget5_block;
+       lock_kernel();
+@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(s
+       SETUP_ROCK_RIDGE(raw_inode, chr, len);
+       repeat:
+-      while (len > 1) { /* There may be one byte for padding somewhere */
++      while (len > 2) { /* There may be one byte for padding somewhere */
+               rr = (struct rock_ridge *) chr;
+-              if (rr->len == 0)
++              if (rr->len < 3)
+                       goto out;       /* Something got screwed up here */
+               sig = isonum_721(chr);
+               chr += rr->len;
+               len -= rr->len;
++              if (len < 0)
++                      goto out;       /* corrupted isofs */
+               switch (sig) {
+               case SIG('R', 'R'):
+@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(s
+       fail:
+       brelse(bh);
+       unlock_kernel();
++      error:
+       SetPageError(page);
+       kunmap(page);
+       unlock_page(page);
+diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
+--- a/fs/jbd/checkpoint.c
++++ b/fs/jbd/checkpoint.c
+@@ -339,8 +339,10 @@ int log_do_checkpoint(journal_t *journal
+                       }
+               } while (jh != last_jh && !retry);
+-              if (batch_count)
++              if (batch_count) {
+                       __flush_batch(journal, bhs, &batch_count);
++                      retry = 1;
++              }
+               /*
+                * If someone cleaned up this transaction while we slept, we're
+diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
+--- a/fs/jbd/transaction.c
++++ b/fs/jbd/transaction.c
+@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
+                       JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
+                       ret = __dispose_buffer(jh,
+                                       journal->j_running_transaction);
++                      journal_put_journal_head(jh);
+                       spin_unlock(&journal->j_list_lock);
+                       jbd_unlock_bh_state(bh);
+                       spin_unlock(&journal->j_state_lock);
+-                      journal_put_journal_head(jh);
+                       return ret;
+               } else {
+                       /* There is no currently-running transaction. So the
+@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
+                               JBUFFER_TRACE(jh, "give to committing trans");
+                               ret = __dispose_buffer(jh,
+                                       journal->j_committing_transaction);
++                              journal_put_journal_head(jh);
+                               spin_unlock(&journal->j_list_lock);
+                               jbd_unlock_bh_state(bh);
+                               spin_unlock(&journal->j_state_lock);
+-                              journal_put_journal_head(jh);
+                               return ret;
+                       } else {
+                               /* The orphan record's transaction has
+@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
+                                       journal->j_running_transaction);
+                       jh->b_next_transaction = NULL;
+               }
++              journal_put_journal_head(jh);
+               spin_unlock(&journal->j_list_lock);
+               jbd_unlock_bh_state(bh);
+               spin_unlock(&journal->j_state_lock);
+-              journal_put_journal_head(jh);
+               return 0;
+       } else {
+               /* Good, the buffer belongs to the running transaction.
+diff --git a/include/asm-x86_64/processor.h b/include/asm-x86_64/processor.h
+--- a/include/asm-x86_64/processor.h
++++ b/include/asm-x86_64/processor.h
+@@ -160,9 +160,9 @@ static inline void clear_in_cr4 (unsigne
+ /*
+- * User space process size. 47bits.
++ * User space process size. 47bits minus one guard page.
+  */
+-#define TASK_SIZE     (0x800000000000UL)
++#define TASK_SIZE     (0x800000000000UL - 4096)
+ /* This decides where the kernel will search for a free chunk of vm
+  * space during mmap's.
+diff --git a/include/linux/err.h b/include/linux/err.h
+--- a/include/linux/err.h
++++ b/include/linux/err.h
+@@ -13,6 +13,8 @@
+  * This should be a per-architecture thing, to allow different
+  * error and pointer decisions.
+  */
++#define IS_ERR_VALUE(x) unlikely((x) > (unsigned long)-1000L)
++
+ static inline void *ERR_PTR(long error)
+ {
+       return (void *) error;
+@@ -25,7 +27,7 @@ static inline long PTR_ERR(const void *p
+ static inline long IS_ERR(const void *ptr)
+ {
+-      return unlikely((unsigned long)ptr > (unsigned long)-1000L);
++      return IS_ERR_VALUE((unsigned long)ptr);
+ }
+ #endif /* _LINUX_ERR_H */
+diff --git a/kernel/exit.c b/kernel/exit.c
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -516,8 +516,6 @@ static inline void choose_new_parent(tas
+        */
+       BUG_ON(p == reaper || reaper->exit_state >= EXIT_ZOMBIE);
+       p->real_parent = reaper;
+-      if (p->parent == p->real_parent)
+-              BUG();
+ }
+ static inline void reparent_thread(task_t *p, task_t *father, int traced)
+diff --git a/kernel/signal.c b/kernel/signal.c
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1728,6 +1728,7 @@ do_signal_stop(int signr)
+                        * with another processor delivering a stop signal,
+                        * then the SIGCONT that wakes us up should clear it.
+                        */
++                      read_unlock(&tasklist_lock);
+                       return 0;
+               }
+diff --git a/lib/rwsem-spinlock.c b/lib/rwsem-spinlock.c
+--- a/lib/rwsem-spinlock.c
++++ b/lib/rwsem-spinlock.c
+@@ -140,12 +140,12 @@ void fastcall __sched __down_read(struct
+       rwsemtrace(sem, "Entering __down_read");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irq(&sem->wait_lock);
+       if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
+               /* granted */
+               sem->activity++;
+-              spin_unlock(&sem->wait_lock);
++              spin_unlock_irq(&sem->wait_lock);
+               goto out;
+       }
+@@ -160,7 +160,7 @@ void fastcall __sched __down_read(struct
+       list_add_tail(&waiter.list, &sem->wait_list);
+       /* we don't need to touch the semaphore struct anymore */
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irq(&sem->wait_lock);
+       /* wait to be given the lock */
+       for (;;) {
+@@ -181,10 +181,12 @@ void fastcall __sched __down_read(struct
+  */
+ int fastcall __down_read_trylock(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
+       int ret = 0;
++
+       rwsemtrace(sem, "Entering __down_read_trylock");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       if (sem->activity >= 0 && list_empty(&sem->wait_list)) {
+               /* granted */
+@@ -192,7 +194,7 @@ int fastcall __down_read_trylock(struct 
+               ret = 1;
+       }
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving __down_read_trylock");
+       return ret;
+@@ -209,12 +211,12 @@ void fastcall __sched __down_write(struc
+       rwsemtrace(sem, "Entering __down_write");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irq(&sem->wait_lock);
+       if (sem->activity == 0 && list_empty(&sem->wait_list)) {
+               /* granted */
+               sem->activity = -1;
+-              spin_unlock(&sem->wait_lock);
++              spin_unlock_irq(&sem->wait_lock);
+               goto out;
+       }
+@@ -229,7 +231,7 @@ void fastcall __sched __down_write(struc
+       list_add_tail(&waiter.list, &sem->wait_list);
+       /* we don't need to touch the semaphore struct anymore */
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irq(&sem->wait_lock);
+       /* wait to be given the lock */
+       for (;;) {
+@@ -250,10 +252,12 @@ void fastcall __sched __down_write(struc
+  */
+ int fastcall __down_write_trylock(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
+       int ret = 0;
++
+       rwsemtrace(sem, "Entering __down_write_trylock");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       if (sem->activity == 0 && list_empty(&sem->wait_list)) {
+               /* granted */
+@@ -261,7 +265,7 @@ int fastcall __down_write_trylock(struct
+               ret = 1;
+       }
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving __down_write_trylock");
+       return ret;
+@@ -272,14 +276,16 @@ int fastcall __down_write_trylock(struct
+  */
+ void fastcall __up_read(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
++
+       rwsemtrace(sem, "Entering __up_read");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       if (--sem->activity == 0 && !list_empty(&sem->wait_list))
+               sem = __rwsem_wake_one_writer(sem);
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving __up_read");
+ }
+@@ -289,15 +295,17 @@ void fastcall __up_read(struct rw_semaph
+  */
+ void fastcall __up_write(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
++
+       rwsemtrace(sem, "Entering __up_write");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       sem->activity = 0;
+       if (!list_empty(&sem->wait_list))
+               sem = __rwsem_do_wake(sem, 1);
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving __up_write");
+ }
+@@ -308,15 +316,17 @@ void fastcall __up_write(struct rw_semap
+  */
+ void fastcall __downgrade_write(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
++
+       rwsemtrace(sem, "Entering __downgrade_write");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       sem->activity = 1;
+       if (!list_empty(&sem->wait_list))
+               sem = __rwsem_do_wake(sem, 0);
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving __downgrade_write");
+ }
+diff --git a/lib/rwsem.c b/lib/rwsem.c
+--- a/lib/rwsem.c
++++ b/lib/rwsem.c
+@@ -150,7 +150,7 @@ rwsem_down_failed_common(struct rw_semap
+       set_task_state(tsk, TASK_UNINTERRUPTIBLE);
+       /* set up my own style of waitqueue */
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irq(&sem->wait_lock);
+       waiter->task = tsk;
+       get_task_struct(tsk);
+@@ -163,7 +163,7 @@ rwsem_down_failed_common(struct rw_semap
+       if (!(count & RWSEM_ACTIVE_MASK))
+               sem = __rwsem_do_wake(sem, 0);
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irq(&sem->wait_lock);
+       /* wait to be given the lock */
+       for (;;) {
+@@ -219,15 +219,17 @@ rwsem_down_write_failed(struct rw_semaph
+  */
+ struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
++
+       rwsemtrace(sem, "Entering rwsem_wake");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       /* do nothing if list empty */
+       if (!list_empty(&sem->wait_list))
+               sem = __rwsem_do_wake(sem, 0);
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving rwsem_wake");
+@@ -241,15 +243,17 @@ struct rw_semaphore fastcall *rwsem_wake
+  */
+ struct rw_semaphore fastcall *rwsem_downgrade_wake(struct rw_semaphore *sem)
+ {
++      unsigned long flags;
++
+       rwsemtrace(sem, "Entering rwsem_downgrade_wake");
+-      spin_lock(&sem->wait_lock);
++      spin_lock_irqsave(&sem->wait_lock, flags);
+       /* do nothing if list empty */
+       if (!list_empty(&sem->wait_list))
+               sem = __rwsem_do_wake(sem, 1);
+-      spin_unlock(&sem->wait_lock);
++      spin_unlock_irqrestore(&sem->wait_lock, flags);
+       rwsemtrace(sem, "Leaving rwsem_downgrade_wake");
+       return sem;
+diff --git a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1315,37 +1315,40 @@ unsigned long
+ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
+               unsigned long pgoff, unsigned long flags)
+ {
+-      if (flags & MAP_FIXED) {
+-              unsigned long ret;
++      unsigned long ret;
+-              if (addr > TASK_SIZE - len)
+-                      return -ENOMEM;
+-              if (addr & ~PAGE_MASK)
+-                      return -EINVAL;
+-              if (file && is_file_hugepages(file))  {
+-                      /*
+-                       * Check if the given range is hugepage aligned, and
+-                       * can be made suitable for hugepages.
+-                       */
+-                      ret = prepare_hugepage_range(addr, len);
+-              } else {
+-                      /*
+-                       * Ensure that a normal request is not falling in a
+-                       * reserved hugepage range.  For some archs like IA-64,
+-                       * there is a separate region for hugepages.
+-                       */
+-                      ret = is_hugepage_only_range(addr, len);
+-              }
+-              if (ret)
+-                      return -EINVAL;
+-              return addr;
+-      }
++      if (!(flags & MAP_FIXED)) {
++              unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
+-      if (file && file->f_op && file->f_op->get_unmapped_area)
+-              return file->f_op->get_unmapped_area(file, addr, len,
+-                                              pgoff, flags);
++              get_area = current->mm->get_unmapped_area;
++              if (file && file->f_op && file->f_op->get_unmapped_area)
++                      get_area = file->f_op->get_unmapped_area;
++              addr = get_area(file, addr, len, pgoff, flags);
++              if (IS_ERR_VALUE(addr))
++                      return addr;
++      }
+-      return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
++      if (addr > TASK_SIZE - len)
++              return -ENOMEM;
++      if (addr & ~PAGE_MASK)
++              return -EINVAL;
++      if (file && is_file_hugepages(file))  {
++              /*
++               * Check if the given range is hugepage aligned, and
++               * can be made suitable for hugepages.
++               */
++              ret = prepare_hugepage_range(addr, len);
++      } else {
++              /*
++               * Ensure that a normal request is not falling in a
++               * reserved hugepage range.  For some archs like IA-64,
++               * there is a separate region for hugepages.
++               */
++              ret = is_hugepage_only_range(addr, len);
++      }
++      if (ret)
++              return -EINVAL;
++      return addr;
+ }
+ EXPORT_SYMBOL(get_unmapped_area);
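Review bot: The shared tail check `addr > TASK_SIZE - len` wraps when `len` is larger than `TASK_SIZE`, so it only holds if every caller has already bounded `len`. The function is exported (see the `EXPORT_SYMBOL` line), and the check now also vets addresses returned by the `get_area` callbacks, so it is worth making self-contained with `if (len > TASK_SIZE) return -ENOMEM;` ahead of the subtraction. Whether existing callers already enforce this cannot be seen from the hunk.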
+diff --git a/mm/rmap.c b/mm/rmap.c
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -641,7 +641,7 @@ static void try_to_unmap_cluster(unsigne
+       pgd_t *pgd;
+       pud_t *pud;
+       pmd_t *pmd;
+-      pte_t *pte;
++      pte_t *pte, *original_pte;
+       pte_t pteval;
+       struct page *page;
+       unsigned long address;
+@@ -673,7 +673,7 @@ static void try_to_unmap_cluster(unsigne
+       if (!pmd_present(*pmd))
+               goto out_unlock;
+-      for (pte = pte_offset_map(pmd, address);
++      for (original_pte = pte = pte_offset_map(pmd, address);
+                       address < end; pte++, address += PAGE_SIZE) {
+               if (!pte_present(*pte))
+@@ -710,7 +710,7 @@ static void try_to_unmap_cluster(unsigne
+               (*mapcount)--;
+       }
+-      pte_unmap(pte);
++      pte_unmap(original_pte);
+ out_unlock:
+       spin_unlock(&mm->page_table_lock);
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
+ int bt_sock_register(int proto, struct net_proto_family *ops)
+ {
+-      if (proto >= BT_MAX_PROTO)
++      if (proto < 0 || proto >= BT_MAX_PROTO)
+               return -EINVAL;
+       if (bt_proto[proto])
+@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
+ int bt_sock_unregister(int proto)
+ {
+-      if (proto >= BT_MAX_PROTO)
++      if (proto < 0 || proto >= BT_MAX_PROTO)
+               return -EINVAL;
+       if (!bt_proto[proto])
+@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket 
+ {
+       int err = 0;
+-      if (proto >= BT_MAX_PROTO)
++      if (proto < 0 || proto >= BT_MAX_PROTO)
+               return -EINVAL;
+ #if defined(CONFIG_KMOD)
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -54,6 +54,9 @@ int br_handle_frame_finish(struct sk_buf
+       struct net_bridge_fdb_entry *dst;
+       int passedup = 0;
++      /* insert into forwarding database after filtering to avoid spoofing */
++      br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
++
+       if (br->dev->flags & IFF_PROMISC) {
+               struct sk_buff *skb2;
+@@ -108,8 +111,7 @@ int br_handle_frame(struct net_bridge_po
+       if (eth_hdr(skb)->h_source[0] & 1)
+               goto err;
+-      if (p->state == BR_STATE_LEARNING ||
+-          p->state == BR_STATE_FORWARDING)
++      if (p->state == BR_STATE_LEARNING)
+               br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
+       if (p->br->stp_enabled &&
+diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -140,6 +140,9 @@ int br_stp_handle_bpdu(struct sk_buff *s
+       struct net_bridge *br = p->br;
+       unsigned char *buf;
++      /* insert into forwarding database after filtering to avoid spoofing */
++      br_fdb_insert(p->br, p, eth_hdr(skb)->h_source, 0);
++
+       /* need at least the 802 and STP headers */
+       if (!pskb_may_pull(skb, sizeof(header)+1) ||
+           memcmp(skb->data, header, sizeof(header)))
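Review bot: The new `br_fdb_insert()` call runs before the `pskb_may_pull`/`memcmp` header check visible just below it, so a frame that fails that check has already taught the bridge its source address. The comment says the insert is meant to happen after filtering. Either move the call below the header validation or extend the comment to say which filtering is meant and why learning from a frame that is then rejected is acceptable. The port-state condition that guarded the old call in br_handle_frame is not visible at this call site either, and the function body continues outside the hunk.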
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -179,9 +179,10 @@ unsigned int ebt_do_table (unsigned int 
+       struct ebt_chainstack *cs;
+       struct ebt_entries *chaininfo;
+       char *base;
+-      struct ebt_table_info *private = table->private;
++      struct ebt_table_info *private;
+       read_lock_bh(&table->lock);
++      private = table->private;
+       cb_base = COUNTER_BASE(private->counters, private->nentries,
+          smp_processor_id());
+       if (private->chainstack)
+diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
+--- a/net/ipv4/fib_hash.c
++++ b/net/ipv4/fib_hash.c
+@@ -919,13 +919,23 @@ out:
+       return fa;
+ }
++static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
++{
++      struct fib_alias *fa = fib_get_first(seq);
++
++      if (fa)
++              while (pos && (fa = fib_get_next(seq)))
++                      --pos;
++      return pos ? NULL : fa;
++}
++
+ static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+       void *v = NULL;
+       read_lock(&fib_hash_lock);
+       if (ip_fib_main_table)
+-              v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
++              v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
+       return v;
+ }
+diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
+--- a/net/ipv4/netfilter/ip_queue.c
++++ b/net/ipv4/netfilter/ip_queue.c
+@@ -3,6 +3,7 @@
+  * communicating with userspace via netlink.
+  *
+  * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
++ * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -14,6 +15,7 @@
+  *             Zander).
+  * 2000-08-01: Added Nick Williams' MAC support.
+  * 2002-06-25: Code cleanup.
++ * 2005-05-26: local_bh_{disable,enable} around nf_reinject (Harald Welte)
+  *
+  */
+ #include <linux/module.h>
+@@ -66,7 +68,15 @@ static DECLARE_MUTEX(ipqnl_sem);
+ static void
+ ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
+ {
++      /* TCP input path (and probably other bits) assume to be called
++       * from softirq context, not from syscall, like ipq_issue_verdict is
++       * called.  TCP input path deadlocks with locks taken from timer
++       * softirq, e.g.  We therefore emulate this by local_bh_disable() */
++
++      local_bh_disable();
+       nf_reinject(entry->skb, entry->info, verdict);
++      local_bh_enable();
++
+       kfree(entry);
+ }
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1653,7 +1653,10 @@ static void DBGUNDO(struct sock *sk, str
+ static void tcp_undo_cwr(struct tcp_sock *tp, int undo)
+ {
+       if (tp->prior_ssthresh) {
+-              tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
++              if (tcp_is_bic(tp))
++                      tp->snd_cwnd = max(tp->snd_cwnd, tp->bictcp.last_max_cwnd);
++              else
++                      tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh<<1);
+               if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
+                       tp->snd_ssthresh = tp->prior_ssthresh;
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -38,6 +38,7 @@ static void tcp_keepalive_timer (unsigne
+ #ifdef TCP_DEBUG
+ const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
++EXPORT_SYMBOL(tcp_timer_bug_msg);
+ #endif
+ /*
+diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
+--- a/net/ipv4/xfrm4_output.c
++++ b/net/ipv4/xfrm4_output.c
+@@ -103,17 +103,17 @@ int xfrm4_output(struct sk_buff *skb)
+                       goto error_nolock;
+       }
+-      spin_lock_bh(&x->lock);
+-      err = xfrm_state_check(x, skb);
+-      if (err)
+-              goto error;
+-
+       if (x->props.mode) {
+               err = xfrm4_tunnel_check_size(skb);
+               if (err)
+-                      goto error;
++                      goto error_nolock;
+       }
++      spin_lock_bh(&x->lock);
++      err = xfrm_state_check(x, skb);
++      if (err)
++              goto error;
++
+       xfrm4_encap(skb);
+       err = x->type->output(skb);
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -103,17 +103,17 @@ int xfrm6_output(struct sk_buff *skb)
+                       goto error_nolock;
+       }
+-      spin_lock_bh(&x->lock);
+-      err = xfrm_state_check(x, skb);
+-      if (err)
+-              goto error;
+-
+       if (x->props.mode) {
+               err = xfrm6_tunnel_check_size(skb);
+               if (err)
+-                      goto error;
++                      goto error_nolock;
+       }
++      spin_lock_bh(&x->lock);
++      err = xfrm_state_check(x, skb);
++      if (err)
++              goto error;
++
+       xfrm6_encap(skb);
+       err = x->type->output(skb);
+diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
+--- a/net/netrom/nr_in.c
++++ b/net/netrom/nr_in.c
+@@ -74,7 +74,6 @@ static int nr_queue_rx_frame(struct sock
+ static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
+       int frametype)
+ {
+-      bh_lock_sock(sk);
+       switch (frametype) {
+       case NR_CONNACK: {
+               nr_cb *nr = nr_sk(sk);
+@@ -103,8 +102,6 @@ static int nr_state1_machine(struct sock
+       default:
+               break;
+       }
+-      bh_unlock_sock(sk);
+-
+       return 0;
+ }
+@@ -116,7 +113,6 @@ static int nr_state1_machine(struct sock
+ static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
+       int frametype)
+ {
+-      bh_lock_sock(sk);
+       switch (frametype) {
+       case NR_CONNACK | NR_CHOKE_FLAG:
+               nr_disconnect(sk, ECONNRESET);
+@@ -132,8 +128,6 @@ static int nr_state2_machine(struct sock
+       default:
+               break;
+       }
+-      bh_unlock_sock(sk);
+-
+       return 0;
+ }
+@@ -154,7 +148,6 @@ static int nr_state3_machine(struct sock
+       nr = skb->data[18];
+       ns = skb->data[17];
+-      bh_lock_sock(sk);
+       switch (frametype) {
+       case NR_CONNREQ:
+               nr_write_internal(sk, NR_CONNACK);
+@@ -265,8 +258,6 @@ static int nr_state3_machine(struct sock
+       default:
+               break;
+       }
+-      bh_unlock_sock(sk);
+-
+       return queued;
+ }
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -727,7 +727,8 @@ int rose_rt_ioctl(unsigned int cmd, void
+               }
+               if (rose_route.mask > 10) /* Mask can't be more than 10 digits */
+                       return -EINVAL;
+-
++              if (rose_route.ndigis > 8) /* No more than 8 digipeats */
++                      return -EINVAL;
+               err = rose_add_node(&rose_route, dev);
+               dev_put(dev);
+               return err;
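Review bot: The new `ndigis > 8` rejection returns without calling `dev_put(dev)`, while the success path directly below releases `dev` after `rose_add_node()`. If `dev` holds a reference taken earlier in this ioctl case (outside the hunk), each rejected request leaks it, and the existing `mask > 10` return just above has the same shape. Suggested form: `if (rose_route.ndigis > 8) { dev_put(dev); return -EINVAL; }`, with the same treatment for the mask check. The literal 8 would also read better as a named limit if the protocol headers define one.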
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -184,10 +184,15 @@ static int netem_enqueue(struct sk_buff 
+       /* Random duplication */
+       if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor)) {
+               struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+-
+-              pr_debug("netem_enqueue: dup %p\n", skb2);
+-              if (skb2)
+-                      delay_skb(sch, skb2);
++              if (skb2) {
++                      struct Qdisc *rootq = sch->dev->qdisc;
++                      u32 dupsave = q->duplicate;
++
++                      /* prevent duplicating a dup... */
++                      q->duplicate = 0;
++                      rootq->enqueue(skb2, rootq);
++                      q->duplicate = dupsave;
++              }
+       }
+       /* If doing simple delay then gap == 0 so all packets
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -609,7 +609,7 @@ static struct xfrm_state *__xfrm_find_ac
+       for (i = 0; i < XFRM_DST_HSIZE; i++) {
+               list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
+-                      if (x->km.seq == seq) {
++                      if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
+                               xfrm_state_hold(x);
+                               return x;
+                       }
+diff --git a/security/keys/key.c b/security/keys/key.c
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -57,9 +57,10 @@ struct key_user *key_user_lookup(uid_t u
+ {
+       struct key_user *candidate = NULL, *user;
+       struct rb_node *parent = NULL;
+-      struct rb_node **p = &key_user_tree.rb_node;
++      struct rb_node **p;
+  try_again:
++      p = &key_user_tree.rb_node;
+       spin_lock(&key_user_lock);
+       /* search the tree for a user record with a matching UID */
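Review bot: Re-initialising `p` after `try_again:` fixes the stale link pointer, but `parent` is still set only at its declaration, so a retry starts with whatever node the previous search left in it. If the search loop (outside the hunk) assigns `parent` only while descending, a retry against a tree that has since become empty would link the new node under a stale parent. Adding `parent = NULL;` next to `p = &key_user_tree.rb_node;` would make each pass start from a clean state.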
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1117,7 +1117,8 @@ static void snd_timer_user_append_to_tqu
+       if (tu->qused >= tu->queue_size) {
+               tu->overrun++;
+       } else {
+-              memcpy(&tu->queue[tu->qtail++], tread, sizeof(*tread));
++              memcpy(&tu->tqueue[tu->qtail++], tread, sizeof(*tread));
++              tu->qtail %= tu->queue_size;
+               tu->qused++;
+       }
+ }
+@@ -1140,6 +1141,8 @@ static void snd_timer_user_ccallback(snd
+       spin_lock(&tu->qlock);
+       snd_timer_user_append_to_tqueue(tu, &r1);
+       spin_unlock(&tu->qlock);
++      kill_fasync(&tu->fasync, SIGIO, POLL_IN);
++      wake_up(&tu->qchange_sleep);
+ }
+ static void snd_timer_user_tinterrupt(snd_timer_instance_t *timeri,
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -1185,7 +1185,7 @@ snd_kcontrol_t *snd_ac97_cnew(const snd_
+ /*
+  * create mute switch(es) for normal stereo controls
+  */
+-static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
++static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
+ {
+       snd_kcontrol_t *kctl;
+       int err;
+@@ -1196,7 +1196,7 @@ static int snd_ac97_cmute_new(snd_card_t
+       mute_mask = 0x8000;
+       val = snd_ac97_read(ac97, reg);
+-      if (ac97->flags & AC97_STEREO_MUTES) {
++      if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
+               /* check whether both mute bits work */
+               val1 = val | 0x8080;
+               snd_ac97_write(ac97, reg, val1);
+@@ -1254,7 +1254,7 @@ static int snd_ac97_cvol_new(snd_card_t 
+ /*
+  * create a mute-switch and a volume for normal stereo/mono controls
+  */
+-static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
++static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
+ {
+       int err;
+       char name[44];
+@@ -1265,7 +1265,7 @@ static int snd_ac97_cmix_new(snd_card_t 
+       if (snd_ac97_try_bit(ac97, reg, 15)) {
+               sprintf(name, "%s Switch", pfx);
+-              if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
++              if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
+                       return err;
+       }
+       check_volume_resolution(ac97, reg, &lo_max, &hi_max);
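Review bot: `sprintf(name, "%s Switch", pfx)` writes into `char name[44]` (declared in the previous hunk) with no bound, and the renamed function still takes `pfx` straight from its callers. The one call visible on this page passes a short literal, so this is hardening rather than a known overflow: `snprintf(name, sizeof(name), "%s Switch", pfx);` keeps the write inside the buffer whatever prefix a later caller supplies. The function continues outside the hunk; if the volume control name further down is built the same way, it would want the same change.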
+@@ -1277,6 +1277,8 @@ static int snd_ac97_cmix_new(snd_card_t 
+       return 0;
+ }
++#define snd_ac97_cmix_new(card, pfx, reg, ac97)       snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
++#define snd_ac97_cmute_new(card, name, reg, ac97)     snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
+ static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
+@@ -1327,7 +1329,8 @@ static int snd_ac97_mixer_build(ac97_t *
+       /* build surround controls */
+       if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
+-              if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
++              /* Surround Master (0x38) is with stereo mutes */
++              if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
+                       return err;
+       }
+diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c
+--- a/sound/usb/usbaudio.c
++++ b/sound/usb/usbaudio.c
+@@ -3276,7 +3276,7 @@ static void snd_usb_audio_disconnect(str
+               }
+               usb_chip[chip->index] = NULL;
+               up(&register_mutex);
+-              snd_card_free_in_thread(card);
++              snd_card_free(card);
+       } else {
+               up(&register_mutex);
+       }
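Review bot: The call site gives no reason for freeing the card synchronously, so a later reader cannot tell that `snd_card_free_in_thread()` was dropped on purpose. The only rationale on this page is the changelog entry in usbusx2y.c ("to prevent oops with dead keyboard symptom"), and whether the same reason applies here is an assumption. A comment such as `/* free synchronously; the deferred free oopsed on disconnect */` above the call would help, and the same goes for `snd_card_free((snd_card_t*)ptr);` in usX2Y_usb_disconnect. If snd_card_free() waits for open device files to be released, which is not visible here, disconnect now blocks on userspace, so it is worth confirming that no lock is still held at this point (`register_mutex` is released on the line before). The return value is also discarded.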
+diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
+--- a/sound/usb/usx2y/usbusx2y.c
++++ b/sound/usb/usx2y/usbusx2y.c
+@@ -1,6 +1,11 @@
+ /*
+  * usbusy2y.c - ALSA USB US-428 Driver
+  *
++2005-04-14 Karsten Wiese
++      Version 0.8.7.2:
++      Call snd_card_free() instead of snd_card_free_in_thread() to prevent oops with dead keyboard symptom.
++      Tested ok with kernel 2.6.12-rc2.
++
+ 2004-12-14 Karsten Wiese
+       Version 0.8.7.1:
+       snd_pcm_open for rawusb pcm-devices now returns -EBUSY if called without rawusb's hwdep device being open.
+@@ -143,7 +148,7 @@
+ MODULE_AUTHOR("Karsten Wiese <annabellesgarden@yahoo.de>");
+-MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.1");
++MODULE_DESCRIPTION("TASCAM "NAME_ALLCAPS" Version 0.8.7.2");
+ MODULE_LICENSE("GPL");
+ MODULE_SUPPORTED_DEVICE("{{TASCAM(0x1604), "NAME_ALLCAPS"(0x8001)(0x8005)(0x8007) }}");
+@@ -430,8 +435,6 @@ static void usX2Y_usb_disconnect(struct 
+       if (ptr) {
+               usX2Ydev_t* usX2Y = usX2Y((snd_card_t*)ptr);
+               struct list_head* p;
+-              if (usX2Y->chip_status == USX2Y_STAT_CHIP_HUP)  // on 2.6.1 kernel snd_usbmidi_disconnect()
+-                      return;                                 // calls us back. better leave :-) .
+               usX2Y->chip.shutdown = 1;
+               usX2Y->chip_status = USX2Y_STAT_CHIP_HUP;
+               usX2Y_unlinkSeq(&usX2Y->AS04);
+@@ -443,7 +446,7 @@ static void usX2Y_usb_disconnect(struct 
+               }
+               if (usX2Y->us428ctls_sharedmem) 
+                       wake_up(&usX2Y->us428ctls_wait_queue_head);
+-              snd_card_free_in_thread((snd_card_t*)ptr);
++              snd_card_free((snd_card_t*)ptr);
+       }
+ }