
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.51/, 2.6.32/, 3.2.52/, 3.11.6/
Date: Tue, 29 Oct 2013 17:29:42
Message-Id: 1383067771.73961b305f24ed999e4af414afb420f14ca0252b.blueness@gentoo
1 commit: 73961b305f24ed999e4af414afb420f14ca0252b
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Tue Oct 29 17:29:31 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Tue Oct 29 17:29:31 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=73961b30
7
8 Grsec/PaX: 2.9.1-{2.6.32.61,3.2.52,3.11.6}-201310271552
9
10 ---
11 2.6.32/0000_README | 2 +-
12 ..._grsecurity-2.9.1-2.6.32.61-201310271545.patch} | 22 +-
13 3.11.6/0000_README | 2 +-
14 ...420_grsecurity-2.9.1-3.11.6-201310271552.patch} | 258 +-
15 {3.2.51 => 3.2.52}/0000_README | 6 +-
16 {3.2.51 => 3.2.52}/1021_linux-3.2.22.patch | 0
17 {3.2.51 => 3.2.52}/1022_linux-3.2.23.patch | 0
18 {3.2.51 => 3.2.52}/1023_linux-3.2.24.patch | 0
19 {3.2.51 => 3.2.52}/1024_linux-3.2.25.patch | 0
20 {3.2.51 => 3.2.52}/1025_linux-3.2.26.patch | 0
21 {3.2.51 => 3.2.52}/1026_linux-3.2.27.patch | 0
22 {3.2.51 => 3.2.52}/1027_linux-3.2.28.patch | 0
23 {3.2.51 => 3.2.52}/1028_linux-3.2.29.patch | 0
24 {3.2.51 => 3.2.52}/1029_linux-3.2.30.patch | 0
25 {3.2.51 => 3.2.52}/1030_linux-3.2.31.patch | 0
26 {3.2.51 => 3.2.52}/1031_linux-3.2.32.patch | 0
27 {3.2.51 => 3.2.52}/1032_linux-3.2.33.patch | 0
28 {3.2.51 => 3.2.52}/1033_linux-3.2.34.patch | 0
29 {3.2.51 => 3.2.52}/1034_linux-3.2.35.patch | 0
30 {3.2.51 => 3.2.52}/1035_linux-3.2.36.patch | 0
31 {3.2.51 => 3.2.52}/1036_linux-3.2.37.patch | 0
32 {3.2.51 => 3.2.52}/1037_linux-3.2.38.patch | 0
33 {3.2.51 => 3.2.52}/1038_linux-3.2.39.patch | 0
34 {3.2.51 => 3.2.52}/1039_linux-3.2.40.patch | 0
35 {3.2.51 => 3.2.52}/1040_linux-3.2.41.patch | 0
36 {3.2.51 => 3.2.52}/1041_linux-3.2.42.patch | 0
37 {3.2.51 => 3.2.52}/1042_linux-3.2.43.patch | 0
38 {3.2.51 => 3.2.52}/1043_linux-3.2.44.patch | 0
39 {3.2.51 => 3.2.52}/1044_linux-3.2.45.patch | 0
40 {3.2.51 => 3.2.52}/1045_linux-3.2.46.patch | 0
41 {3.2.51 => 3.2.52}/1046_linux-3.2.47.patch | 0
42 {3.2.51 => 3.2.52}/1047_linux-3.2.48.patch | 0
43 {3.2.51 => 3.2.52}/1048_linux-3.2.49.patch | 0
44 {3.2.51 => 3.2.52}/1049_linux-3.2.50.patch | 0
45 {3.2.51 => 3.2.52}/1050_linux-3.2.51.patch | 0
46 3.2.52/1051_linux-3.2.52.patch | 5221 ++++++++++++++++++++
47 ...4420_grsecurity-2.9.1-3.2.52-201310271550.patch | 1135 ++---
48 {3.2.51 => 3.2.52}/4425_grsec_remove_EI_PAX.patch | 0
49 .../4427_force_XATTR_PAX_tmpfs.patch | 0
50 .../4430_grsec-remove-localversion-grsec.patch | 0
51 {3.2.51 => 3.2.52}/4435_grsec-mute-warnings.patch | 0
52 .../4440_grsec-remove-protected-paths.patch | 0
53 .../4450_grsec-kconfig-default-gids.patch | 0
54 .../4465_selinux-avc_audit-log-curr_ip.patch | 0
55 {3.2.51 => 3.2.52}/4470_disable-compat_vdso.patch | 0
56 {3.2.51 => 3.2.52}/4475_emutramp_default_on.patch | 0
57 46 files changed, 5774 insertions(+), 872 deletions(-)
58
59 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
60 index 381f8d3..3fdf601 100644
61 --- a/2.6.32/0000_README
62 +++ b/2.6.32/0000_README
63 @@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
64 From: http://www.kernel.org
65 Desc: Linux 2.6.32.61
66
67 -Patch: 4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
68 +Patch: 4420_grsecurity-2.9.1-2.6.32.61-201310271545.patch
69 From: http://www.grsecurity.net
70 Desc: hardened-sources base patch from upstream grsecurity
71
72
73 diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201310271545.patch
74 similarity index 99%
75 rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
76 rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201310271545.patch
77 index 80f4104..995d206 100644
78 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
79 +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201310271545.patch
80 @@ -115800,7 +115800,7 @@ index dba56d2..acee5d6 100644
81 tmo = req->expires - jiffies;
82 if (tmo < 0)
83 diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
84 -index d717267..56de7e7 100644
85 +index d717267..f9707ae 100644
86 --- a/net/ipv4/inet_hashtables.c
87 +++ b/net/ipv4/inet_hashtables.c
88 @@ -18,12 +18,15 @@
89 @@ -115819,6 +115819,15 @@ index d717267..56de7e7 100644
90 /*
91 * Allocate and initialize a new local port bind bucket.
92 * The bindhash mutex for snum's hash chain must be held here.
93 +@@ -247,7 +250,7 @@ begintw:
94 + }
95 + if (unlikely(!INET_TW_MATCH(sk, net, hash, acookie,
96 + saddr, daddr, ports, dif))) {
97 +- sock_put(sk);
98 ++ inet_twsk_put(inet_twsk(sk));
99 + goto begintw;
100 + }
101 + goto out;
102 @@ -491,6 +494,8 @@ ok:
103 }
104 spin_unlock(&head->lock);
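Review bot: The `inet_twsk_put(inet_twsk(sk))` call that replaces `sock_put(sk)` in the `begintw:` mismatch path carries no comment saying why the generic put is wrong here, and the same silent swap recurs in the `net/ipv6/inet6_hashtables.c` hunk below and in both 3.11.6 hashtable hunks. Presumably the entries walked after `begintw:` are timewait sockets, which are not full `struct sock` objects, so dropping the last reference through `sock_put()` would tear them down as the wrong type; that should be confirmed against the lookup loop, which lies outside the hunk. I would add above the call `/* sk is a timewait socket here: release it with inet_twsk_put(), never sock_put() */`. Any other `sock_put()` reachable from a timewait chain walk deserves the same check.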
105 @@ -116814,9 +116823,18 @@ index cc4797d..7cfdfcc 100644
106 dst_release(dst);
107 dst = NULL;
108 diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
109 -index 093e9b2..f72cddb 100644
110 +index 093e9b2..d6dbc3f 100644
111 --- a/net/ipv6/inet6_hashtables.c
112 +++ b/net/ipv6/inet6_hashtables.c
113 +@@ -104,7 +104,7 @@ begintw:
114 + goto out;
115 + }
116 + if (!INET6_TW_MATCH(sk, net, hash, saddr, daddr, ports, dif)) {
117 +- sock_put(sk);
118 ++ inet_twsk_put(inet_twsk(sk));
119 + goto begintw;
120 + }
121 + goto out;
122 @@ -119,7 +119,7 @@ out:
123 }
124 EXPORT_SYMBOL(__inet6_lookup_established);
125
126 diff --git a/3.11.6/0000_README b/3.11.6/0000_README
127 index 2d9249d..5611acb 100644
128 --- a/3.11.6/0000_README
129 +++ b/3.11.6/0000_README
130 @@ -2,7 +2,7 @@ README
131 -----------------------------------------------------------------------------
132 Individual Patch Descriptions:
133 -----------------------------------------------------------------------------
134 -Patch: 4420_grsecurity-2.9.1-3.11.6-201310260850.patch
135 +Patch: 4420_grsecurity-2.9.1-3.11.6-201310271552.patch
136 From: http://www.grsecurity.net
137 Desc: hardened-sources base patch from upstream grsecurity
138
139
140 diff --git a/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310260850.patch b/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310271552.patch
141 similarity index 99%
142 rename from 3.11.6/4420_grsecurity-2.9.1-3.11.6-201310260850.patch
143 rename to 3.11.6/4420_grsecurity-2.9.1-3.11.6-201310271552.patch
144 index 584d2ee..e291fc5 100644
145 --- a/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310260850.patch
146 +++ b/3.11.6/4420_grsecurity-2.9.1-3.11.6-201310271552.patch
147 @@ -44037,6 +44037,19 @@ index 4658f4c..407d155 100644
148
149 #include "ftmac100.h"
150
151 +diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
152 +index 85fe7b5..e2da180 100644
153 +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
154 ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
155 +@@ -2637,6 +2637,8 @@ static int igb_set_eee(struct net_device *netdev,
156 + (hw->phy.media_type != e1000_media_type_copper))
157 + return -EOPNOTSUPP;
158 +
159 ++ memset(&eee_curr, 0, sizeof(struct ethtool_eee));
160 ++
161 + ret_val = igb_get_eee(netdev, &eee_curr);
162 + if (ret_val)
163 + return ret_val;
164 diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
165 index 331987d..3be1135 100644
166 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
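Review bot: The added `memset(&eee_curr, 0, sizeof(struct ethtool_eee));` in `igb_set_eee` names the type rather than the object, unlike the `memset(&line, 0, sizeof(line));` added to `wanxl_ioctl` later in this patch; `sizeof(eee_curr)` keeps the length tied to the variable if its declaration ever changes. Neither memset says what it protects, so a one-line comment such as `/* clear padding and any field igb_get_eee() leaves unset */` would record the intent, assuming that is the reason (the declaration and later use of `eee_curr` are outside the hunk). In the wanxl hunk the context lines `line.clock_rate = 0;` and `line.loopback = 0;` become redundant after the memset, which is harmless.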
167 @@ -44498,6 +44511,18 @@ index 3f0c4f2..bcfff0d 100644
168 sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed);
169 /* Lucky card and linux use same encoding here */
170 sync.clock_type = FST_RDB(card, portConfig[i].internalClock) ==
171 +diff --git a/drivers/net/wan/wanxl.c b/drivers/net/wan/wanxl.c
172 +index 6a24a5a..4c0a697 100644
173 +--- a/drivers/net/wan/wanxl.c
174 ++++ b/drivers/net/wan/wanxl.c
175 +@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
176 + ifr->ifr_settings.size = size; /* data size wanted */
177 + return -ENOBUFS;
178 + }
179 ++ memset(&line, 0, sizeof(line));
180 + line.clock_type = get_status(port)->clocking;
181 + line.clock_rate = 0;
182 + line.loopback = 0;
183 diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c
184 index 0b60295..b8bfa5b 100644
185 --- a/drivers/net/wimax/i2400m/rx.c
186 @@ -54449,6 +54474,19 @@ index c7c83ff..bda9461 100644
187 parent, NULL, NULL);
188 }
189 EXPORT_SYMBOL_GPL(debugfs_create_dir);
190 +diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
191 +index d107576..40db688 100644
192 +--- a/fs/ecryptfs/crypto.c
193 ++++ b/fs/ecryptfs/crypto.c
194 +@@ -408,7 +408,7 @@ static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat,
195 + struct page *page)
196 + {
197 + return ecryptfs_lower_header_size(crypt_stat) +
198 +- (page->index << PAGE_CACHE_SHIFT);
199 ++ ((loff_t)page->index << PAGE_CACHE_SHIFT);
200 + }
201 +
202 + /**
203 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
204 index 67e9b63..a9adb68 100644
205 --- a/fs/ecryptfs/inode.c
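Review bot: The cast in `((loff_t)page->index << PAGE_CACHE_SHIFT)` is load-bearing but unexplained in `lower_offset_for_page`. Without it the shift is evaluated in the width of `page->index`, which on 32-bit builds is presumably narrower than `loff_t`, so lower-file offsets past 4 GiB would wrap before the header size is added. A short comment, `/* widen before shifting so large page indexes do not wrap on 32-bit */`, would stop a later cleanup from dropping the cast.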
206 @@ -54471,6 +54509,27 @@ index 67e9b63..a9adb68 100644
207 if (!IS_ERR(buf)) {
208 /* Free the char* */
209 kfree(buf);
210 +diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
211 +index 7d52806..4725a07 100644
212 +--- a/fs/ecryptfs/keystore.c
213 ++++ b/fs/ecryptfs/keystore.c
214 +@@ -1149,7 +1149,7 @@ decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
215 + struct ecryptfs_msg_ctx *msg_ctx;
216 + struct ecryptfs_message *msg = NULL;
217 + char *auth_tok_sig;
218 +- char *payload;
219 ++ char *payload = NULL;
220 + size_t payload_len = 0;
221 + int rc;
222 +
223 +@@ -1203,6 +1203,7 @@ decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
224 + }
225 + out:
226 + kfree(msg);
227 ++ kfree(payload);
228 + return rc;
229 + }
230 +
231 diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
232 index e4141f2..d8263e8 100644
233 --- a/fs/ecryptfs/miscdev.c
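Review bot: With `kfree(payload);` now at the shared `out:` label, every path through `decrypt_pki_encrypted_session_key` that reaches `out:` must leave `payload` either NULL or pointing at a live allocation, and the lines between the two inner hunks that would show this are not on the page. The `= NULL` initialiser covers exits taken before the buffer is produced. What needs checking is that no earlier branch, or a helper on its failure path, frees `payload` without resetting the pointer, since that would turn the leak fix into a double free. A comment at the declaration, `/* owned by this function; released at out: */`, would make the ownership rule explicit.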
234 @@ -76402,7 +76461,7 @@ index 429c199..4d42e38 100644
235
236 /* shm_mode upper byte flags */
237 diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
238 -index 3b71a4e..5c9f309 100644
239 +index 3b71a4e..4823435 100644
240 --- a/include/linux/skbuff.h
241 +++ b/include/linux/skbuff.h
242 @@ -648,7 +648,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
243 @@ -76441,7 +76500,19 @@ index 3b71a4e..5c9f309 100644
244 }
245
246 /**
247 -@@ -1750,7 +1750,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
248 +@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const struct sk_buff *skb)
249 + return len + skb_headlen(skb);
250 + }
251 +
252 ++static inline bool skb_has_frags(const struct sk_buff *skb)
253 ++{
254 ++ return skb_shinfo(skb)->nr_frags;
255 ++}
256 ++
257 + /**
258 + * __skb_fill_page_desc - initialise a paged fragment in an skb
259 + * @skb: buffer containing fragment to be initialised
260 +@@ -1750,7 +1755,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
261 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
262 */
263 #ifndef NET_SKB_PAD
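Review bot: The new `skb_has_frags()` helper has no kernel-doc comment, although the `__skb_fill_page_desc` definition right after it does, and it returns the `nr_frags` count through a `bool` return type by implicit conversion. I would write the return as `return skb_shinfo(skb)->nr_frags != 0;` and add a short kernel-doc block stating that it reports whether the skb holds paged fragments. The `__ip_append_data` and `ip6_append_data` hunks later in this patch switch to this helper in place of `skb_is_gso(skb)`, so the doc should say that it tests page fragments, not the frag list.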
264 @@ -76450,7 +76521,7 @@ index 3b71a4e..5c9f309 100644
265 #endif
266
267 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
268 -@@ -2345,7 +2345,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
269 +@@ -2345,7 +2350,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
270 int noblock, int *err);
271 extern unsigned int datagram_poll(struct file *file, struct socket *sock,
272 struct poll_table_struct *wait);
273 @@ -76459,7 +76530,7 @@ index 3b71a4e..5c9f309 100644
274 int offset, struct iovec *to,
275 int size);
276 extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
277 -@@ -2636,6 +2636,9 @@ static inline void nf_reset(struct sk_buff *skb)
278 +@@ -2636,6 +2641,9 @@ static inline void nf_reset(struct sk_buff *skb)
279 nf_bridge_put(skb->nf_bridge);
280 skb->nf_bridge = NULL;
281 #endif
282 @@ -88631,30 +88702,10 @@ index 94722a4..e661e29 100644
283
284 if (nstart < prev->vm_end)
285 diff --git a/mm/mremap.c b/mm/mremap.c
286 -index 0843feb..5607f47 100644
287 +index 0843feb..4f5b2e6 100644
288 --- a/mm/mremap.c
289 +++ b/mm/mremap.c
290 -@@ -25,6 +25,7 @@
291 - #include <asm/uaccess.h>
292 - #include <asm/cacheflush.h>
293 - #include <asm/tlbflush.h>
294 -+#include <asm/pgalloc.h>
295 -
296 - #include "internal.h"
297 -
298 -@@ -62,8 +63,10 @@ static pmd_t *alloc_new_pmd(struct mm_struct *mm, struct vm_area_struct *vma,
299 - return NULL;
300 -
301 - pmd = pmd_alloc(mm, pud, addr);
302 -- if (!pmd)
303 -+ if (!pmd) {
304 -+ pud_free(mm, pud);
305 - return NULL;
306 -+ }
307 -
308 - VM_BUG_ON(pmd_trans_huge(*pmd));
309 -
310 -@@ -144,6 +147,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
311 +@@ -144,6 +144,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
312 continue;
313 pte = ptep_get_and_clear(mm, old_addr, old_pte);
314 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
315 @@ -88667,7 +88718,7 @@ index 0843feb..5607f47 100644
316 pte = move_soft_dirty_pte(pte);
317 set_pte_at(mm, new_addr, new_pte, pte);
318 }
319 -@@ -337,6 +346,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
320 +@@ -337,6 +343,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
321 if (is_vm_hugetlb_page(vma))
322 goto Einval;
323
324 @@ -88679,7 +88730,7 @@ index 0843feb..5607f47 100644
325 /* We can't remap across vm area boundaries */
326 if (old_len > vma->vm_end - addr)
327 goto Efault;
328 -@@ -392,20 +406,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
329 +@@ -392,20 +403,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
330 unsigned long ret = -EINVAL;
331 unsigned long charged = 0;
332 unsigned long map_flags;
333 @@ -88710,7 +88761,7 @@ index 0843feb..5607f47 100644
334 goto out;
335
336 ret = do_munmap(mm, new_addr, new_len);
337 -@@ -474,6 +493,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
338 +@@ -474,6 +490,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
339 unsigned long ret = -EINVAL;
340 unsigned long charged = 0;
341 bool locked = false;
342 @@ -88718,7 +88769,7 @@ index 0843feb..5607f47 100644
343
344 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
345 return ret;
346 -@@ -495,6 +515,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
347 +@@ -495,6 +512,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
348 if (!new_len)
349 return ret;
350
351 @@ -88736,7 +88787,7 @@ index 0843feb..5607f47 100644
352 down_write(&current->mm->mmap_sem);
353
354 if (flags & MREMAP_FIXED) {
355 -@@ -545,6 +576,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
356 +@@ -545,6 +573,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
357 new_addr = addr;
358 }
359 ret = addr;
360 @@ -88744,7 +88795,7 @@ index 0843feb..5607f47 100644
361 goto out;
362 }
363 }
364 -@@ -568,7 +600,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
365 +@@ -568,7 +597,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
366 goto out;
367 }
368
369 @@ -91150,23 +91201,25 @@ index eb0a46a..5f3bae8 100644
370
371 switch (ss->ss_family) {
372 diff --git a/net/compat.c b/net/compat.c
373 -index f0a1ba6..0541331 100644
374 +index f0a1ba6..24e30e5 100644
375 --- a/net/compat.c
376 +++ b/net/compat.c
377 -@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
378 +@@ -71,9 +71,11 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
379 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
380 __get_user(kmsg->msg_flags, &umsg->msg_flags))
381 return -EFAULT;
382 - kmsg->msg_name = compat_ptr(tmp1);
383 - kmsg->msg_iov = compat_ptr(tmp2);
384 - kmsg->msg_control = compat_ptr(tmp3);
385 ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
386 ++ return -EINVAL;
387 + kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
388 + kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
389 + kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
390 return 0;
391 }
392
393 -@@ -85,7 +85,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
394 +@@ -85,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
395
396 if (kern_msg->msg_namelen) {
397 if (mode == VERIFY_READ) {
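Review bot: The new guard `if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))` in `get_compat_msghdr` relies on an implicit signed-to-unsigned conversion to reject negative lengths, assuming `msg_namelen` is a signed `int` as in mainline kernels of this period; the declaration is not on the page. That works, but a later cast or a rewritten comparison could break it without anyone noticing. A comment such as `/* a negative msg_namelen converts to a huge unsigned value and is rejected too */` would document the dependency. The opening lines of `get_compat_msghdr` are outside the hunk.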
398 @@ -91175,7 +91228,7 @@ index f0a1ba6..0541331 100644
399 kern_msg->msg_namelen,
400 kern_address);
401 if (err < 0)
402 -@@ -96,7 +96,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
403 +@@ -96,7 +98,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
404 kern_msg->msg_name = NULL;
405
406 tot_len = iov_from_user_compat_to_kern(kern_iov,
407 @@ -91184,7 +91237,7 @@ index f0a1ba6..0541331 100644
408 kern_msg->msg_iovlen);
409 if (tot_len >= 0)
410 kern_msg->msg_iov = kern_iov;
411 -@@ -116,20 +116,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
412 +@@ -116,20 +118,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
413
414 #define CMSG_COMPAT_FIRSTHDR(msg) \
415 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
416 @@ -91208,7 +91261,7 @@ index f0a1ba6..0541331 100644
417 msg->msg_controllen)
418 return NULL;
419 return (struct compat_cmsghdr __user *)ptr;
420 -@@ -219,7 +219,7 @@ Efault:
421 +@@ -219,7 +221,7 @@ Efault:
422
423 int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
424 {
425 @@ -91217,7 +91270,7 @@ index f0a1ba6..0541331 100644
426 struct compat_cmsghdr cmhdr;
427 struct compat_timeval ctv;
428 struct compat_timespec cts[3];
429 -@@ -275,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
430 +@@ -275,7 +277,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
431
432 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
433 {
434 @@ -91226,7 +91279,7 @@ index f0a1ba6..0541331 100644
435 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
436 int fdnum = scm->fp->count;
437 struct file **fp = scm->fp->fp;
438 -@@ -363,7 +363,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
439 +@@ -363,7 +365,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
440 return -EFAULT;
441 old_fs = get_fs();
442 set_fs(KERNEL_DS);
443 @@ -91235,7 +91288,7 @@ index f0a1ba6..0541331 100644
444 set_fs(old_fs);
445
446 return err;
447 -@@ -424,7 +424,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
448 +@@ -424,7 +426,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
449 len = sizeof(ktime);
450 old_fs = get_fs();
451 set_fs(KERNEL_DS);
452 @@ -91244,7 +91297,7 @@ index f0a1ba6..0541331 100644
453 set_fs(old_fs);
454
455 if (!err) {
456 -@@ -567,7 +567,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
457 +@@ -567,7 +569,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
458 case MCAST_JOIN_GROUP:
459 case MCAST_LEAVE_GROUP:
460 {
461 @@ -91253,7 +91306,7 @@ index f0a1ba6..0541331 100644
462 struct group_req __user *kgr =
463 compat_alloc_user_space(sizeof(struct group_req));
464 u32 interface;
465 -@@ -588,7 +588,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
466 +@@ -588,7 +590,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
467 case MCAST_BLOCK_SOURCE:
468 case MCAST_UNBLOCK_SOURCE:
469 {
470 @@ -91262,7 +91315,7 @@ index f0a1ba6..0541331 100644
471 struct group_source_req __user *kgsr = compat_alloc_user_space(
472 sizeof(struct group_source_req));
473 u32 interface;
474 -@@ -609,7 +609,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
475 +@@ -609,7 +611,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
476 }
477 case MCAST_MSFILTER:
478 {
479 @@ -91271,7 +91324,7 @@ index f0a1ba6..0541331 100644
480 struct group_filter __user *kgf;
481 u32 interface, fmode, numsrc;
482
483 -@@ -647,7 +647,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
484 +@@ -647,7 +649,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
485 char __user *optval, int __user *optlen,
486 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
487 {
488 @@ -91280,7 +91333,7 @@ index f0a1ba6..0541331 100644
489 struct group_filter __user *kgf;
490 int __user *koptlen;
491 u32 interface, fmode, numsrc;
492 -@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
493 +@@ -805,7 +807,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
494
495 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
496 return -EINVAL;
497 @@ -92084,7 +92137,7 @@ index 6acb541..9ea617d 100644
498
499 void inet_get_local_port_range(int *low, int *high)
500 diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
501 -index 7bd8983..3abdcf6 100644
502 +index 7bd8983..b956690 100644
503 --- a/net/ipv4/inet_hashtables.c
504 +++ b/net/ipv4/inet_hashtables.c
505 @@ -18,12 +18,15 @@
506 @@ -92103,6 +92156,15 @@ index 7bd8983..3abdcf6 100644
507 /*
508 * Allocate and initialize a new local port bind bucket.
509 * The bindhash mutex for snum's hash chain must be held here.
510 +@@ -287,7 +290,7 @@ begintw:
511 + if (unlikely(!INET_TW_MATCH(sk, net, acookie,
512 + saddr, daddr, ports,
513 + dif))) {
514 +- sock_put(sk);
515 ++ inet_twsk_put(inet_twsk(sk));
516 + goto begintw;
517 + }
518 + goto out;
519 @@ -554,6 +557,8 @@ ok:
520 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
521 spin_unlock(&head->lock);
522 @@ -92209,6 +92271,19 @@ index 8d6939e..19d0a95 100644
523 .kind = "gretap",
524 .maxtype = IFLA_GRE_MAX,
525 .policy = ipgre_policy,
526 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
527 +index a04d872..7f4ab5d 100644
528 +--- a/net/ipv4/ip_output.c
529 ++++ b/net/ipv4/ip_output.c
530 +@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock *sk,
531 + csummode = CHECKSUM_PARTIAL;
532 +
533 + cork->length += length;
534 +- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
535 ++ if (((length > mtu) || (skb && skb_has_frags(skb))) &&
536 + (sk->sk_protocol == IPPROTO_UDP) &&
537 + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
538 + err = ip_ufo_append_data(sk, queue, getfrag, from, length,
539 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
540 index d9c4f11..02b82dbc 100644
541 --- a/net/ipv4/ip_sockglue.c
542 @@ -93213,6 +93288,19 @@ index 7cfc8d2..c5394b6 100644
543
544 table = kmemdup(ipv6_icmp_table_template,
545 sizeof(ipv6_icmp_table_template),
546 +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
547 +index 32b4a16..066640e 100644
548 +--- a/net/ipv6/inet6_hashtables.c
549 ++++ b/net/ipv6/inet6_hashtables.c
550 +@@ -116,7 +116,7 @@ begintw:
551 + }
552 + if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr,
553 + ports, dif))) {
554 +- sock_put(sk);
555 ++ inet_twsk_put(inet_twsk(sk));
556 + goto begintw;
557 + }
558 + goto out;
559 diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
560 index 8bc717b..76fbb5d 100644
561 --- a/net/ipv6/ip6_gre.c
562 @@ -93253,6 +93341,19 @@ index 8bc717b..76fbb5d 100644
563 .kind = "ip6gretap",
564 .maxtype = IFLA_GRE_MAX,
565 .policy = ip6gre_policy,
566 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
567 +index 44df1c9..2e542d0 100644
568 +--- a/net/ipv6/ip6_output.c
569 ++++ b/net/ipv6/ip6_output.c
570 +@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
571 + skb = skb_peek_tail(&sk->sk_write_queue);
572 + cork->length += length;
573 + if (((length > mtu) ||
574 +- (skb && skb_is_gso(skb))) &&
575 ++ (skb && skb_has_frags(skb))) &&
576 + (sk->sk_protocol == IPPROTO_UDP) &&
577 + (rt->dst.dev->features & NETIF_F_UFO)) {
578 + err = ip6_ufo_append_data(sk, getfrag, from, length,
579 diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
580 index cf5d490..30946f0 100644
581 --- a/net/ipv6/ip6_tunnel.c
582 @@ -95644,7 +95745,7 @@ index 9a5c4c9..46e4b29 100644
583
584 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
585 diff --git a/net/socket.c b/net/socket.c
586 -index b2d7c62..441a7ef 100644
587 +index b2d7c62..f703b02 100644
588 --- a/net/socket.c
589 +++ b/net/socket.c
590 @@ -88,6 +88,7 @@
591 @@ -95828,7 +95929,38 @@ index b2d7c62..441a7ef 100644
592 int err, err2;
593 int fput_needed;
594
595 -@@ -2040,7 +2106,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
596 +@@ -1973,6 +2039,16 @@ struct used_address {
597 + unsigned int name_len;
598 + };
599 +
600 ++static int copy_msghdr_from_user(struct msghdr *kmsg,
601 ++ struct msghdr __user *umsg)
602 ++{
603 ++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
604 ++ return -EFAULT;
605 ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
606 ++ return -EINVAL;
607 ++ return 0;
608 ++}
609 ++
610 + static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
611 + struct msghdr *msg_sys, unsigned int flags,
612 + struct used_address *used_address)
613 +@@ -1991,8 +2067,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
614 + if (MSG_CMSG_COMPAT & flags) {
615 + if (get_compat_msghdr(msg_sys, msg_compat))
616 + return -EFAULT;
617 +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
618 +- return -EFAULT;
619 ++ } else {
620 ++ err = copy_msghdr_from_user(msg_sys, msg);
621 ++ if (err)
622 ++ return err;
623 ++ }
624 +
625 + if (msg_sys->msg_iovlen > UIO_FASTIOV) {
626 + err = -EMSGSIZE;
627 +@@ -2040,7 +2119,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
628 * checking falls down on this.
629 */
630 if (copy_from_user(ctl_buf,
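Review bot: In `___sys_sendmsg` the native branch now returns the code from `copy_msghdr_from_user()`, so an oversized `msg_namelen` yields `-EINVAL`, but the compat branch still reads `if (get_compat_msghdr(msg_sys, msg_compat)) return -EFAULT;` and so turns the `-EINVAL` this patch adds to `get_compat_msghdr` into `-EFAULT`. The `___sys_recvmsg` hunk below has the same asymmetry. Propagating the value, `err = get_compat_msghdr(msg_sys, msg_compat); if (err) return err;`, would give compat and native callers the same error for the same input. Both function bodies continue past their hunks.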
631 @@ -95837,7 +95969,7 @@ index b2d7c62..441a7ef 100644
632 ctl_len))
633 goto out_freectl;
634 msg_sys->msg_control = ctl_buf;
635 -@@ -2191,7 +2257,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
636 +@@ -2191,7 +2270,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
637 int err, total_len, len;
638
639 /* kernel mode address */
640 @@ -95846,7 +95978,21 @@ index b2d7c62..441a7ef 100644
641
642 /* user mode address pointers */
643 struct sockaddr __user *uaddr;
644 -@@ -2219,7 +2285,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
645 +@@ -2200,8 +2279,11 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
646 + if (MSG_CMSG_COMPAT & flags) {
647 + if (get_compat_msghdr(msg_sys, msg_compat))
648 + return -EFAULT;
649 +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
650 +- return -EFAULT;
651 ++ } else {
652 ++ err = copy_msghdr_from_user(msg_sys, msg);
653 ++ if (err)
654 ++ return err;
655 ++ }
656 +
657 + if (msg_sys->msg_iovlen > UIO_FASTIOV) {
658 + err = -EMSGSIZE;
659 +@@ -2219,7 +2301,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
660 * kernel msghdr to use the kernel address space)
661 */
662
663 @@ -95855,7 +96001,7 @@ index b2d7c62..441a7ef 100644
664 uaddr_len = COMPAT_NAMELEN(msg);
665 if (MSG_CMSG_COMPAT & flags) {
666 err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
667 -@@ -2974,7 +3040,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
668 +@@ -2974,7 +3056,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
669 old_fs = get_fs();
670 set_fs(KERNEL_DS);
671 err = dev_ioctl(net, cmd,
672 @@ -95864,7 +96010,7 @@ index b2d7c62..441a7ef 100644
673 set_fs(old_fs);
674
675 return err;
676 -@@ -3083,7 +3149,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
677 +@@ -3083,7 +3165,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
678
679 old_fs = get_fs();
680 set_fs(KERNEL_DS);
681 @@ -95873,7 +96019,7 @@ index b2d7c62..441a7ef 100644
682 set_fs(old_fs);
683
684 if (cmd == SIOCGIFMAP && !err) {
685 -@@ -3188,7 +3254,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
686 +@@ -3188,7 +3270,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
687 ret |= __get_user(rtdev, &(ur4->rt_dev));
688 if (rtdev) {
689 ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
690 @@ -95882,7 +96028,7 @@ index b2d7c62..441a7ef 100644
691 devname[15] = 0;
692 } else
693 r4.rt_dev = NULL;
694 -@@ -3414,8 +3480,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
695 +@@ -3414,8 +3496,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
696 int __user *uoptlen;
697 int err;
698
699 @@ -95893,7 +96039,7 @@ index b2d7c62..441a7ef 100644
700
701 set_fs(KERNEL_DS);
702 if (level == SOL_SOCKET)
703 -@@ -3435,7 +3501,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
704 +@@ -3435,7 +3517,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
705 char __user *uoptval;
706 int err;
707
708
709 diff --git a/3.2.51/0000_README b/3.2.52/0000_README
710 similarity index 96%
711 rename from 3.2.51/0000_README
712 rename to 3.2.52/0000_README
713 index 8ba65d1..ec68a31 100644
714 --- a/3.2.51/0000_README
715 +++ b/3.2.52/0000_README
716 @@ -122,7 +122,11 @@ Patch: 1050_linux-3.2.51.patch
717 From: http://www.kernel.org
718 Desc: Linux 3.2.51
719
720 -Patch: 4420_grsecurity-2.9.1-3.2.51-201310260849.patch
721 +Patch: 1051_linux-3.2.52.patch
722 +From: http://www.kernel.org
723 +Desc: Linux 3.2.52
724 +
725 +Patch: 4420_grsecurity-2.9.1-3.2.52-201310271550.patch
726 From: http://www.grsecurity.net
727 Desc: hardened-sources base patch from upstream grsecurity
728
729
730 diff --git a/3.2.51/1021_linux-3.2.22.patch b/3.2.52/1021_linux-3.2.22.patch
731 similarity index 100%
732 rename from 3.2.51/1021_linux-3.2.22.patch
733 rename to 3.2.52/1021_linux-3.2.22.patch
734
735 diff --git a/3.2.51/1022_linux-3.2.23.patch b/3.2.52/1022_linux-3.2.23.patch
736 similarity index 100%
737 rename from 3.2.51/1022_linux-3.2.23.patch
738 rename to 3.2.52/1022_linux-3.2.23.patch
739
740 diff --git a/3.2.51/1023_linux-3.2.24.patch b/3.2.52/1023_linux-3.2.24.patch
741 similarity index 100%
742 rename from 3.2.51/1023_linux-3.2.24.patch
743 rename to 3.2.52/1023_linux-3.2.24.patch
744
745 diff --git a/3.2.51/1024_linux-3.2.25.patch b/3.2.52/1024_linux-3.2.25.patch
746 similarity index 100%
747 rename from 3.2.51/1024_linux-3.2.25.patch
748 rename to 3.2.52/1024_linux-3.2.25.patch
749
750 diff --git a/3.2.51/1025_linux-3.2.26.patch b/3.2.52/1025_linux-3.2.26.patch
751 similarity index 100%
752 rename from 3.2.51/1025_linux-3.2.26.patch
753 rename to 3.2.52/1025_linux-3.2.26.patch
754
755 diff --git a/3.2.51/1026_linux-3.2.27.patch b/3.2.52/1026_linux-3.2.27.patch
756 similarity index 100%
757 rename from 3.2.51/1026_linux-3.2.27.patch
758 rename to 3.2.52/1026_linux-3.2.27.patch
759
760 diff --git a/3.2.51/1027_linux-3.2.28.patch b/3.2.52/1027_linux-3.2.28.patch
761 similarity index 100%
762 rename from 3.2.51/1027_linux-3.2.28.patch
763 rename to 3.2.52/1027_linux-3.2.28.patch
764
765 diff --git a/3.2.51/1028_linux-3.2.29.patch b/3.2.52/1028_linux-3.2.29.patch
766 similarity index 100%
767 rename from 3.2.51/1028_linux-3.2.29.patch
768 rename to 3.2.52/1028_linux-3.2.29.patch
769
770 diff --git a/3.2.51/1029_linux-3.2.30.patch b/3.2.52/1029_linux-3.2.30.patch
771 similarity index 100%
772 rename from 3.2.51/1029_linux-3.2.30.patch
773 rename to 3.2.52/1029_linux-3.2.30.patch
774
775 diff --git a/3.2.51/1030_linux-3.2.31.patch b/3.2.52/1030_linux-3.2.31.patch
776 similarity index 100%
777 rename from 3.2.51/1030_linux-3.2.31.patch
778 rename to 3.2.52/1030_linux-3.2.31.patch
779
780 diff --git a/3.2.51/1031_linux-3.2.32.patch b/3.2.52/1031_linux-3.2.32.patch
781 similarity index 100%
782 rename from 3.2.51/1031_linux-3.2.32.patch
783 rename to 3.2.52/1031_linux-3.2.32.patch
784
785 diff --git a/3.2.51/1032_linux-3.2.33.patch b/3.2.52/1032_linux-3.2.33.patch
786 similarity index 100%
787 rename from 3.2.51/1032_linux-3.2.33.patch
788 rename to 3.2.52/1032_linux-3.2.33.patch
789
790 diff --git a/3.2.51/1033_linux-3.2.34.patch b/3.2.52/1033_linux-3.2.34.patch
791 similarity index 100%
792 rename from 3.2.51/1033_linux-3.2.34.patch
793 rename to 3.2.52/1033_linux-3.2.34.patch
794
795 diff --git a/3.2.51/1034_linux-3.2.35.patch b/3.2.52/1034_linux-3.2.35.patch
796 similarity index 100%
797 rename from 3.2.51/1034_linux-3.2.35.patch
798 rename to 3.2.52/1034_linux-3.2.35.patch
799
800 diff --git a/3.2.51/1035_linux-3.2.36.patch b/3.2.52/1035_linux-3.2.36.patch
801 similarity index 100%
802 rename from 3.2.51/1035_linux-3.2.36.patch
803 rename to 3.2.52/1035_linux-3.2.36.patch
804
805 diff --git a/3.2.51/1036_linux-3.2.37.patch b/3.2.52/1036_linux-3.2.37.patch
806 similarity index 100%
807 rename from 3.2.51/1036_linux-3.2.37.patch
808 rename to 3.2.52/1036_linux-3.2.37.patch
809
810 diff --git a/3.2.51/1037_linux-3.2.38.patch b/3.2.52/1037_linux-3.2.38.patch
811 similarity index 100%
812 rename from 3.2.51/1037_linux-3.2.38.patch
813 rename to 3.2.52/1037_linux-3.2.38.patch
814
815 diff --git a/3.2.51/1038_linux-3.2.39.patch b/3.2.52/1038_linux-3.2.39.patch
816 similarity index 100%
817 rename from 3.2.51/1038_linux-3.2.39.patch
818 rename to 3.2.52/1038_linux-3.2.39.patch
819
820 diff --git a/3.2.51/1039_linux-3.2.40.patch b/3.2.52/1039_linux-3.2.40.patch
821 similarity index 100%
822 rename from 3.2.51/1039_linux-3.2.40.patch
823 rename to 3.2.52/1039_linux-3.2.40.patch
824
825 diff --git a/3.2.51/1040_linux-3.2.41.patch b/3.2.52/1040_linux-3.2.41.patch
826 similarity index 100%
827 rename from 3.2.51/1040_linux-3.2.41.patch
828 rename to 3.2.52/1040_linux-3.2.41.patch
829
830 diff --git a/3.2.51/1041_linux-3.2.42.patch b/3.2.52/1041_linux-3.2.42.patch
831 similarity index 100%
832 rename from 3.2.51/1041_linux-3.2.42.patch
833 rename to 3.2.52/1041_linux-3.2.42.patch
834
835 diff --git a/3.2.51/1042_linux-3.2.43.patch b/3.2.52/1042_linux-3.2.43.patch
836 similarity index 100%
837 rename from 3.2.51/1042_linux-3.2.43.patch
838 rename to 3.2.52/1042_linux-3.2.43.patch
839
840 diff --git a/3.2.51/1043_linux-3.2.44.patch b/3.2.52/1043_linux-3.2.44.patch
841 similarity index 100%
842 rename from 3.2.51/1043_linux-3.2.44.patch
843 rename to 3.2.52/1043_linux-3.2.44.patch
844
845 diff --git a/3.2.51/1044_linux-3.2.45.patch b/3.2.52/1044_linux-3.2.45.patch
846 similarity index 100%
847 rename from 3.2.51/1044_linux-3.2.45.patch
848 rename to 3.2.52/1044_linux-3.2.45.patch
849
850 diff --git a/3.2.51/1045_linux-3.2.46.patch b/3.2.52/1045_linux-3.2.46.patch
851 similarity index 100%
852 rename from 3.2.51/1045_linux-3.2.46.patch
853 rename to 3.2.52/1045_linux-3.2.46.patch
854
855 diff --git a/3.2.51/1046_linux-3.2.47.patch b/3.2.52/1046_linux-3.2.47.patch
856 similarity index 100%
857 rename from 3.2.51/1046_linux-3.2.47.patch
858 rename to 3.2.52/1046_linux-3.2.47.patch
859
860 diff --git a/3.2.51/1047_linux-3.2.48.patch b/3.2.52/1047_linux-3.2.48.patch
861 similarity index 100%
862 rename from 3.2.51/1047_linux-3.2.48.patch
863 rename to 3.2.52/1047_linux-3.2.48.patch
864
865 diff --git a/3.2.51/1048_linux-3.2.49.patch b/3.2.52/1048_linux-3.2.49.patch
866 similarity index 100%
867 rename from 3.2.51/1048_linux-3.2.49.patch
868 rename to 3.2.52/1048_linux-3.2.49.patch
869
870 diff --git a/3.2.51/1049_linux-3.2.50.patch b/3.2.52/1049_linux-3.2.50.patch
871 similarity index 100%
872 rename from 3.2.51/1049_linux-3.2.50.patch
873 rename to 3.2.52/1049_linux-3.2.50.patch
874
875 diff --git a/3.2.51/1050_linux-3.2.51.patch b/3.2.52/1050_linux-3.2.51.patch
876 similarity index 100%
877 rename from 3.2.51/1050_linux-3.2.51.patch
878 rename to 3.2.52/1050_linux-3.2.51.patch
879
880 diff --git a/3.2.52/1051_linux-3.2.52.patch b/3.2.52/1051_linux-3.2.52.patch
881 new file mode 100644
882 index 0000000..94b9359
883 --- /dev/null
884 +++ b/3.2.52/1051_linux-3.2.52.patch
885 @@ -0,0 +1,5221 @@
886 +diff --git a/Makefile b/Makefile
887 +index 0f11936..1dd2c09 100644
888 +--- a/Makefile
889 ++++ b/Makefile
890 +@@ -1,6 +1,6 @@
891 + VERSION = 3
892 + PATCHLEVEL = 2
893 +-SUBLEVEL = 51
894 ++SUBLEVEL = 52
895 + EXTRAVERSION =
896 + NAME = Saber-toothed Squirrel
897 +
898 +diff --git a/arch/arm/mach-versatile/pci.c b/arch/arm/mach-versatile/pci.c
899 +index c898deb..189ed00 100644
900 +--- a/arch/arm/mach-versatile/pci.c
901 ++++ b/arch/arm/mach-versatile/pci.c
902 +@@ -43,9 +43,9 @@
903 + #define PCI_IMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x0)
904 + #define PCI_IMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x4)
905 + #define PCI_IMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x8)
906 +-#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x10)
907 +-#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14)
908 +-#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18)
909 ++#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14)
910 ++#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18)
911 ++#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x1c)
912 + #define PCI_SELFID __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0xc)
913 +
914 + #define DEVICE_ID_OFFSET 0x00
915 +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
916 +index fbdd12e..cc3f35d 100644
917 +--- a/arch/arm/mm/init.c
918 ++++ b/arch/arm/mm/init.c
919 +@@ -98,6 +98,9 @@ void show_mem(unsigned int filter)
920 + printk("Mem-info:\n");
921 + show_free_areas(filter);
922 +
923 ++ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
924 ++ return;
925 ++
926 + for_each_bank (i, mi) {
927 + struct membank *bank = &mi->bank[i];
928 + unsigned int pfn1, pfn2;
929 +diff --git a/arch/ia64/mm/contig.c b/arch/ia64/mm/contig.c
930 +index f114a3b..ce6e7a8 100644
931 +--- a/arch/ia64/mm/contig.c
932 ++++ b/arch/ia64/mm/contig.c
933 +@@ -46,6 +46,8 @@ void show_mem(unsigned int filter)
934 + printk(KERN_INFO "Mem-info:\n");
935 + show_free_areas(filter);
936 + printk(KERN_INFO "Node memory in pages:\n");
937 ++ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
938 ++ return;
939 + for_each_online_pgdat(pgdat) {
940 + unsigned long present;
941 + unsigned long flags;
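Review bot: In this `show_mem()` hunk the new `SHOW_MEM_FILTER_PAGE_COUNT` check sits after `printk(KERN_INFO "Node memory in pages:\n");`, so a filtered call still prints that heading and then returns with nothing under it. The matching hunk for `arch/ia64/mm/discontig.c` places the check before the heading. Moving the two added lines up by one, directly after `show_free_areas(filter);`, would make both files behave the same. The rest of `show_mem()` lies outside the hunk.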
942 +diff --git a/arch/ia64/mm/discontig.c b/arch/ia64/mm/discontig.c
943 +index c641333..2230817 100644
944 +--- a/arch/ia64/mm/discontig.c
945 ++++ b/arch/ia64/mm/discontig.c
946 +@@ -623,6 +623,8 @@ void show_mem(unsigned int filter)
947 +
948 + printk(KERN_INFO "Mem-info:\n");
949 + show_free_areas(filter);
950 ++ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
951 ++ return;
952 + printk(KERN_INFO "Node memory in pages:\n");
953 + for_each_online_pgdat(pgdat) {
954 + unsigned long present;
955 +diff --git a/arch/m68k/kernel/vmlinux-nommu.lds b/arch/m68k/kernel/vmlinux-nommu.lds
956 +new file mode 100644
957 +index 0000000..40e02d9
958 +--- /dev/null
959 ++++ b/arch/m68k/kernel/vmlinux-nommu.lds
960 +@@ -0,0 +1,93 @@
961 ++/*
962 ++ * vmlinux.lds.S -- master linker script for m68knommu arch
963 ++ *
964 ++ * (C) Copyright 2002-2012, Greg Ungerer <gerg@××××××××.com>
965 ++ *
966 ++ * This linker script is equipped to build either ROM loaded or RAM
967 ++ * run kernels.
968 ++ */
969 ++
970 ++#if defined(CONFIG_RAMKERNEL)
971 ++#define KTEXT_ADDR CONFIG_KERNELBASE
972 ++#endif
973 ++#if defined(CONFIG_ROMKERNEL)
974 ++#define KTEXT_ADDR CONFIG_ROMSTART
975 ++#define KDATA_ADDR CONFIG_KERNELBASE
976 ++#define LOAD_OFFSET KDATA_ADDR + (ADDR(.text) + SIZEOF(.text))
977 ++#endif
978 ++
979 ++#include <asm/page.h>
980 ++#include <asm/thread_info.h>
981 ++#include <asm-generic/vmlinux.lds.h>
982 ++
983 ++OUTPUT_ARCH(m68k)
984 ++ENTRY(_start)
985 ++
986 ++jiffies = jiffies_64 + 4;
987 ++
988 ++SECTIONS {
989 ++
990 ++#ifdef CONFIG_ROMVEC
991 ++ . = CONFIG_ROMVEC;
992 ++ .romvec : {
993 ++ __rom_start = .;
994 ++ _romvec = .;
995 ++ *(.romvec)
996 ++ *(.data..initvect)
997 ++ }
998 ++#endif
999 ++
1000 ++ . = KTEXT_ADDR;
1001 ++
1002 ++ _text = .;
1003 ++ _stext = .;
1004 ++ .text : {
1005 ++ HEAD_TEXT
1006 ++ TEXT_TEXT
1007 ++ SCHED_TEXT
1008 ++ LOCK_TEXT
1009 ++ *(.fixup)
1010 ++ . = ALIGN(16);
1011 ++ }
1012 ++ _etext = .;
1013 ++
1014 ++#ifdef KDATA_ADDR
1015 ++ . = KDATA_ADDR;
1016 ++#endif
1017 ++
1018 ++ _sdata = .;
1019 ++ RO_DATA_SECTION(PAGE_SIZE)
1020 ++ RW_DATA_SECTION(16, PAGE_SIZE, THREAD_SIZE)
1021 ++ _edata = .;
1022 ++
1023 ++ EXCEPTION_TABLE(16)
1024 ++ NOTES
1025 ++
1026 ++ . = ALIGN(PAGE_SIZE);
1027 ++ __init_begin = .;
1028 ++ INIT_TEXT_SECTION(PAGE_SIZE)
1029 ++ INIT_DATA_SECTION(16)
1030 ++ PERCPU_SECTION(16)
1031 ++ .m68k_fixup : {
1032 ++ __start_fixup = .;
1033 ++ *(.m68k_fixup)
1034 ++ __stop_fixup = .;
1035 ++ }
1036 ++ .init.data : {
1037 ++ . = ALIGN(PAGE_SIZE);
1038 ++ __init_end = .;
1039 ++ }
1040 ++
1041 ++ _sbss = .;
1042 ++ BSS_SECTION(0, 0, 0)
1043 ++ _ebss = .;
1044 ++
1045 ++ _end = .;
1046 ++
1047 ++ STABS_DEBUG
1048 ++ .comment 0 : { *(.comment) }
1049 ++
1050 ++ /* Sections to be discarded */
1051 ++ DISCARDS
1052 ++}
1053 ++
1054 +diff --git a/arch/m68k/kernel/vmlinux.lds.S b/arch/m68k/kernel/vmlinux.lds.S
1055 +index 030dabf..69ec796 100644
1056 +--- a/arch/m68k/kernel/vmlinux.lds.S
1057 ++++ b/arch/m68k/kernel/vmlinux.lds.S
1058 +@@ -1,5 +1,14 @@
1059 +-#ifdef CONFIG_MMU
1060 +-#include "vmlinux.lds_mm.S"
1061 ++#if defined(CONFIG_MMU) && !defined(CONFIG_COLDFIRE)
1062 ++PHDRS
1063 ++{
1064 ++ text PT_LOAD FILEHDR PHDRS FLAGS (7);
1065 ++ data PT_LOAD FLAGS (7);
1066 ++}
1067 ++#ifdef CONFIG_SUN3
1068 ++#include "vmlinux-sun3.lds"
1069 + #else
1070 +-#include "vmlinux.lds_no.S"
1071 ++#include "vmlinux-std.lds"
1072 ++#endif
1073 ++#else
1074 ++#include "vmlinux-nommu.lds"
1075 + #endif
1076 +diff --git a/arch/m68k/kernel/vmlinux.lds_mm.S b/arch/m68k/kernel/vmlinux.lds_mm.S
1077 +deleted file mode 100644
1078 +index 99ba315..0000000
1079 +--- a/arch/m68k/kernel/vmlinux.lds_mm.S
1080 ++++ /dev/null
1081 +@@ -1,10 +0,0 @@
1082 +-PHDRS
1083 +-{
1084 +- text PT_LOAD FILEHDR PHDRS FLAGS (7);
1085 +- data PT_LOAD FLAGS (7);
1086 +-}
1087 +-#ifdef CONFIG_SUN3
1088 +-#include "vmlinux-sun3.lds"
1089 +-#else
1090 +-#include "vmlinux-std.lds"
1091 +-#endif
1092 +diff --git a/arch/m68k/kernel/vmlinux.lds_no.S b/arch/m68k/kernel/vmlinux.lds_no.S
1093 +deleted file mode 100644
1094 +index 4e23893..0000000
1095 +--- a/arch/m68k/kernel/vmlinux.lds_no.S
1096 ++++ /dev/null
1097 +@@ -1,187 +0,0 @@
1098 +-/*
1099 +- * vmlinux.lds.S -- master linker script for m68knommu arch
1100 +- *
1101 +- * (C) Copyright 2002-2006, Greg Ungerer <gerg@××××××××.com>
1102 +- *
1103 +- * This linker script is equipped to build either ROM loaded or RAM
1104 +- * run kernels.
1105 +- */
1106 +-
1107 +-#include <asm-generic/vmlinux.lds.h>
1108 +-#include <asm/page.h>
1109 +-#include <asm/thread_info.h>
1110 +-
1111 +-#if defined(CONFIG_RAMKERNEL)
1112 +-#define RAM_START CONFIG_KERNELBASE
1113 +-#define RAM_LENGTH (CONFIG_RAMBASE + CONFIG_RAMSIZE - CONFIG_KERNELBASE)
1114 +-#define TEXT ram
1115 +-#define DATA ram
1116 +-#define INIT ram
1117 +-#define BSSS ram
1118 +-#endif
1119 +-#if defined(CONFIG_ROMKERNEL) || defined(CONFIG_HIMEMKERNEL)
1120 +-#define RAM_START CONFIG_RAMBASE
1121 +-#define RAM_LENGTH CONFIG_RAMSIZE
1122 +-#define ROMVEC_START CONFIG_ROMVEC
1123 +-#define ROMVEC_LENGTH CONFIG_ROMVECSIZE
1124 +-#define ROM_START CONFIG_ROMSTART
1125 +-#define ROM_LENGTH CONFIG_ROMSIZE
1126 +-#define TEXT rom
1127 +-#define DATA ram
1128 +-#define INIT ram
1129 +-#define BSSS ram
1130 +-#endif
1131 +-
1132 +-#ifndef DATA_ADDR
1133 +-#define DATA_ADDR
1134 +-#endif
1135 +-
1136 +-
1137 +-OUTPUT_ARCH(m68k)
1138 +-ENTRY(_start)
1139 +-
1140 +-MEMORY {
1141 +- ram : ORIGIN = RAM_START, LENGTH = RAM_LENGTH
1142 +-#ifdef ROM_START
1143 +- romvec : ORIGIN = ROMVEC_START, LENGTH = ROMVEC_LENGTH
1144 +- rom : ORIGIN = ROM_START, LENGTH = ROM_LENGTH
1145 +-#endif
1146 +-}
1147 +-
1148 +-jiffies = jiffies_64 + 4;
1149 +-
1150 +-SECTIONS {
1151 +-
1152 +-#ifdef ROMVEC_START
1153 +- . = ROMVEC_START ;
1154 +- .romvec : {
1155 +- __rom_start = . ;
1156 +- _romvec = .;
1157 +- *(.data..initvect)
1158 +- } > romvec
1159 +-#endif
1160 +-
1161 +- .text : {
1162 +- _text = .;
1163 +- _stext = . ;
1164 +- HEAD_TEXT
1165 +- TEXT_TEXT
1166 +- SCHED_TEXT
1167 +- LOCK_TEXT
1168 +- *(.text..lock)
1169 +-
1170 +- . = ALIGN(16); /* Exception table */
1171 +- __start___ex_table = .;
1172 +- *(__ex_table)
1173 +- __stop___ex_table = .;
1174 +-
1175 +- *(.rodata) *(.rodata.*)
1176 +- *(__vermagic) /* Kernel version magic */
1177 +- *(.rodata1)
1178 +- *(.rodata.str1.1)
1179 +-
1180 +- /* Kernel symbol table: Normal symbols */
1181 +- . = ALIGN(4);
1182 +- __start___ksymtab = .;
1183 +- *(SORT(___ksymtab+*))
1184 +- __stop___ksymtab = .;
1185 +-
1186 +- /* Kernel symbol table: GPL-only symbols */
1187 +- __start___ksymtab_gpl = .;
1188 +- *(SORT(___ksymtab_gpl+*))
1189 +- __stop___ksymtab_gpl = .;
1190 +-
1191 +- /* Kernel symbol table: Normal unused symbols */
1192 +- __start___ksymtab_unused = .;
1193 +- *(SORT(___ksymtab_unused+*))
1194 +- __stop___ksymtab_unused = .;
1195 +-
1196 +- /* Kernel symbol table: GPL-only unused symbols */
1197 +- __start___ksymtab_unused_gpl = .;
1198 +- *(SORT(___ksymtab_unused_gpl+*))
1199 +- __stop___ksymtab_unused_gpl = .;
1200 +-
1201 +- /* Kernel symbol table: GPL-future symbols */
1202 +- __start___ksymtab_gpl_future = .;
1203 +- *(SORT(___ksymtab_gpl_future+*))
1204 +- __stop___ksymtab_gpl_future = .;
1205 +-
1206 +- /* Kernel symbol table: Normal symbols */
1207 +- __start___kcrctab = .;
1208 +- *(SORT(___kcrctab+*))
1209 +- __stop___kcrctab = .;
1210 +-
1211 +- /* Kernel symbol table: GPL-only symbols */
1212 +- __start___kcrctab_gpl = .;
1213 +- *(SORT(___kcrctab_gpl+*))
1214 +- __stop___kcrctab_gpl = .;
1215 +-
1216 +- /* Kernel symbol table: Normal unused symbols */
1217 +- __start___kcrctab_unused = .;
1218 +- *(SORT(___kcrctab_unused+*))
1219 +- __stop___kcrctab_unused = .;
1220 +-
1221 +- /* Kernel symbol table: GPL-only unused symbols */
1222 +- __start___kcrctab_unused_gpl = .;
1223 +- *(SORT(___kcrctab_unused_gpl+*))
1224 +- __stop___kcrctab_unused_gpl = .;
1225 +-
1226 +- /* Kernel symbol table: GPL-future symbols */
1227 +- __start___kcrctab_gpl_future = .;
1228 +- *(SORT(___kcrctab_gpl_future+*))
1229 +- __stop___kcrctab_gpl_future = .;
1230 +-
1231 +- /* Kernel symbol table: strings */
1232 +- *(__ksymtab_strings)
1233 +-
1234 +- /* Built-in module parameters */
1235 +- . = ALIGN(4) ;
1236 +- __start___param = .;
1237 +- *(__param)
1238 +- __stop___param = .;
1239 +-
1240 +- /* Built-in module versions */
1241 +- . = ALIGN(4) ;
1242 +- __start___modver = .;
1243 +- *(__modver)
1244 +- __stop___modver = .;
1245 +-
1246 +- . = ALIGN(4) ;
1247 +- _etext = . ;
1248 +- } > TEXT
1249 +-
1250 +- .data DATA_ADDR : {
1251 +- . = ALIGN(4);
1252 +- _sdata = . ;
1253 +- DATA_DATA
1254 +- CACHELINE_ALIGNED_DATA(32)
1255 +- PAGE_ALIGNED_DATA(PAGE_SIZE)
1256 +- *(.data..shared_aligned)
1257 +- INIT_TASK_DATA(THREAD_SIZE)
1258 +- _edata = . ;
1259 +- } > DATA
1260 +-
1261 +- .init.text : {
1262 +- . = ALIGN(PAGE_SIZE);
1263 +- __init_begin = .;
1264 +- } > INIT
1265 +- INIT_TEXT_SECTION(PAGE_SIZE) > INIT
1266 +- INIT_DATA_SECTION(16) > INIT
1267 +- .init.data : {
1268 +- . = ALIGN(PAGE_SIZE);
1269 +- __init_end = .;
1270 +- } > INIT
1271 +-
1272 +- .bss : {
1273 +- . = ALIGN(4);
1274 +- _sbss = . ;
1275 +- *(.bss)
1276 +- *(COMMON)
1277 +- . = ALIGN(4) ;
1278 +- _ebss = . ;
1279 +- _end = . ;
1280 +- } > BSSS
1281 +-
1282 +- DISCARDS
1283 +-}
1284 +-
1285 +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
1286 +index 82f364e..0b62162 100644
1287 +--- a/arch/parisc/mm/init.c
1288 ++++ b/arch/parisc/mm/init.c
1289 +@@ -685,6 +685,8 @@ void show_mem(unsigned int filter)
1290 +
1291 + printk(KERN_INFO "Mem-info:\n");
1292 + show_free_areas(filter);
1293 ++ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
1294 ++ return;
1295 + #ifndef CONFIG_DISCONTIGMEM
1296 + i = max_mapnr;
1297 + while (i-- > 0) {
1298 +diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c
1299 +index 8184ee9..3fcbae0 100644
1300 +--- a/arch/powerpc/kernel/align.c
1301 ++++ b/arch/powerpc/kernel/align.c
1302 +@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs)
1303 + nb = aligninfo[instr].len;
1304 + flags = aligninfo[instr].flags;
1305 +
1306 ++ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
1307 ++ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
1308 ++ nb = 8;
1309 ++ flags = LD+SW;
1310 ++ } else if (IS_XFORM(instruction) &&
1311 ++ ((instruction >> 1) & 0x3ff) == 660) {
1312 ++ nb = 8;
1313 ++ flags = ST+SW;
1314 ++ }
1315 ++
1316 + /* Byteswap little endian loads and stores */
1317 + swiz = 0;
1318 + if (regs->msr & MSR_LE) {
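Review bot: The extended-opcode values `532` and `660` in the added `IS_XFORM` tests are bare magic numbers, and the extraction `((instruction >> 1) & 0x3ff)` is spelled out twice. Naming them, for example `#define XO_LDBRX 532` and `#define XO_STDBRX 660`, would let the comment about the DSISR overlap be checked against the code at a glance. A one-line note that this override must run after `nb`/`flags` are read from `aligninfo[]` and before the byteswap handling would also help, since the ordering is what makes it work. `fix_alignment()` starts and ends outside the hunk.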
1319 +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
1320 +index 0cfcf98..d0b205c 100644
1321 +--- a/arch/powerpc/kernel/iommu.c
1322 ++++ b/arch/powerpc/kernel/iommu.c
1323 +@@ -495,7 +495,7 @@ struct iommu_table *iommu_init_table(struct iommu_table *tbl, int nid)
1324 + /* number of bytes needed for the bitmap */
1325 + sz = (tbl->it_size + 7) >> 3;
1326 +
1327 +- page = alloc_pages_node(nid, GFP_ATOMIC, get_order(sz));
1328 ++ page = alloc_pages_node(nid, GFP_KERNEL, get_order(sz));
1329 + if (!page)
1330 + panic("iommu_init_table: Can't allocate %ld bytes\n", sz);
1331 + tbl->it_map = page_address(page);
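Review bot: Switching the bitmap allocation to `GFP_KERNEL` means `iommu_init_table()` may now sleep, and nothing in the hunk records that requirement. A comment above the call such as `/* may sleep: callers must not hold a spinlock or run in atomic context */` would stop a later caller from breaking the assumption from the other side. The failure path is still `panic()`, which is presumably acceptable only because this runs during initialisation; the callers are not visible here.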
1332 +diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
1333 +index 826681d..26af24b 100644
1334 +--- a/arch/powerpc/kernel/lparcfg.c
1335 ++++ b/arch/powerpc/kernel/lparcfg.c
1336 +@@ -375,6 +375,7 @@ static void parse_system_parameter_string(struct seq_file *m)
1337 + __pa(rtas_data_buf),
1338 + RTAS_DATA_BUF_SIZE);
1339 + memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
1340 ++ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
1341 + spin_unlock(&rtas_data_buf_lock);
1342 +
1343 + if (call_status != 0) {
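Review bot: The added `local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';` has no comment saying why it is needed. `rtas_data_buf` appears to be filled by the RTAS call above and is copied with a fixed-length `memcpy`, so nothing else guarantees a terminator before the data is handled as a string. I would add `/* firmware data may not be NUL-terminated; bound later string handling */` above it. The terminator overwrites the last byte rather than being appended, so a response that uses all `SPLPAR_MAXLENGTH` bytes is silently shortened by one character. The declaration of `local_buffer` and the parsing code are outside the hunk, so its size and later use are assumed.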
1344 +diff --git a/arch/powerpc/kernel/sysfs.c b/arch/powerpc/kernel/sysfs.c
1345 +index 55be64d..ca683a1 100644
1346 +--- a/arch/powerpc/kernel/sysfs.c
1347 ++++ b/arch/powerpc/kernel/sysfs.c
1348 +@@ -18,6 +18,7 @@
1349 + #include <asm/machdep.h>
1350 + #include <asm/smp.h>
1351 + #include <asm/pmc.h>
1352 ++#include <asm/firmware.h>
1353 +
1354 + #include "cacheinfo.h"
1355 +
1356 +@@ -178,14 +179,24 @@ SYSFS_PMCSETUP(purr, SPRN_PURR);
1357 + SYSFS_PMCSETUP(spurr, SPRN_SPURR);
1358 + SYSFS_PMCSETUP(dscr, SPRN_DSCR);
1359 +
1360 ++/*
1361 ++ Lets only enable read for phyp resources and
1362 ++ enable write when needed with a separate function.
1363 ++ Lets be conservative and default to pseries.
1364 ++*/
1365 + static SYSDEV_ATTR(mmcra, 0600, show_mmcra, store_mmcra);
1366 + static SYSDEV_ATTR(spurr, 0600, show_spurr, NULL);
1367 + static SYSDEV_ATTR(dscr, 0600, show_dscr, store_dscr);
1368 +-static SYSDEV_ATTR(purr, 0600, show_purr, store_purr);
1369 ++static SYSDEV_ATTR(purr, 0400, show_purr, store_purr);
1370 +
1371 + unsigned long dscr_default = 0;
1372 + EXPORT_SYMBOL(dscr_default);
1373 +
1374 ++static void add_write_permission_dev_attr(struct sysdev_attribute *attr)
1375 ++{
1376 ++ attr->attr.mode |= 0200;
1377 ++}
1378 ++
1379 + static ssize_t show_dscr_default(struct sysdev_class *class,
1380 + struct sysdev_class_attribute *attr, char *buf)
1381 + {
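Review bot: The block comment added above the `SYSDEV_ATTR` lines is vague about which attribute it covers and is not in kernel comment style. Only `purr` changes, to mode `0400`, and the write bit is added back in `register_cpu_online()` when `firmware_has_feature(FW_FEATURE_LPAR)` is false. Something like `/* purr is read-only by default; register_cpu_online() adds write permission when not running as an LPAR guest */` placed directly above the `purr` line would say that. `store_purr` stays wired to the attribute even at `0400`, so refusing writes relies entirely on the file mode. `add_write_permission_dev_attr()` also modifies the single static `attr_purr` shared by every CPU, which deserves a short comment.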
1382 +@@ -394,8 +405,11 @@ static void __cpuinit register_cpu_online(unsigned int cpu)
1383 + if (cpu_has_feature(CPU_FTR_MMCRA))
1384 + sysdev_create_file(s, &attr_mmcra);
1385 +
1386 +- if (cpu_has_feature(CPU_FTR_PURR))
1387 ++ if (cpu_has_feature(CPU_FTR_PURR)) {
1388 ++ if (!firmware_has_feature(FW_FEATURE_LPAR))
1389 ++ add_write_permission_dev_attr(&attr_purr);
1390 + sysdev_create_file(s, &attr_purr);
1391 ++ }
1392 +
1393 + if (cpu_has_feature(CPU_FTR_SPURR))
1394 + sysdev_create_file(s, &attr_spurr);
1395 +diff --git a/arch/powerpc/lib/checksum_64.S b/arch/powerpc/lib/checksum_64.S
1396 +index 18245af..3cdbc64 100644
1397 +--- a/arch/powerpc/lib/checksum_64.S
1398 ++++ b/arch/powerpc/lib/checksum_64.S
1399 +@@ -229,19 +229,35 @@ _GLOBAL(csum_partial)
1400 + blr
1401 +
1402 +
1403 +- .macro source
1404 ++ .macro srcnr
1405 + 100:
1406 + .section __ex_table,"a"
1407 + .align 3
1408 +- .llong 100b,.Lsrc_error
1409 ++ .llong 100b,.Lsrc_error_nr
1410 + .previous
1411 + .endm
1412 +
1413 +- .macro dest
1414 ++ .macro source
1415 ++150:
1416 ++ .section __ex_table,"a"
1417 ++ .align 3
1418 ++ .llong 150b,.Lsrc_error
1419 ++ .previous
1420 ++ .endm
1421 ++
1422 ++ .macro dstnr
1423 + 200:
1424 + .section __ex_table,"a"
1425 + .align 3
1426 +- .llong 200b,.Ldest_error
1427 ++ .llong 200b,.Ldest_error_nr
1428 ++ .previous
1429 ++ .endm
1430 ++
1431 ++ .macro dest
1432 ++250:
1433 ++ .section __ex_table,"a"
1434 ++ .align 3
1435 ++ .llong 250b,.Ldest_error
1436 + .previous
1437 + .endm
1438 +
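Review bot: The four exception-table macros now differ only in their fixup target, and nothing says when `srcnr`/`dstnr` must be used instead of `source`/`dest`. From the later hunk, `.Lsrc_error` and `.Ldest_error` reload r14-r16 and pop `STACKFRAMESIZE` before falling through to the `_nr` labels, so the `nr` variants read as "no restore" and belong on accesses made while the stack frame is not set up. A comment above the macros, e.g. `/* srcnr/dstnr: fixups for accesses made without the stack frame; source/dest: with it */`, would prevent a wrong pick. Choosing the wrong variant would leave r1 or r14-r16 in the wrong state on a fault.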
1439 +@@ -272,16 +288,16 @@ _GLOBAL(csum_partial_copy_generic)
1440 + rldicl. r6,r3,64-1,64-2 /* r6 = (r3 & 0x3) >> 1 */
1441 + beq .Lcopy_aligned
1442 +
1443 +- li r7,4
1444 +- sub r6,r7,r6
1445 ++ li r9,4
1446 ++ sub r6,r9,r6
1447 + mtctr r6
1448 +
1449 + 1:
1450 +-source; lhz r6,0(r3) /* align to doubleword */
1451 ++srcnr; lhz r6,0(r3) /* align to doubleword */
1452 + subi r5,r5,2
1453 + addi r3,r3,2
1454 + adde r0,r0,r6
1455 +-dest; sth r6,0(r4)
1456 ++dstnr; sth r6,0(r4)
1457 + addi r4,r4,2
1458 + bdnz 1b
1459 +
1460 +@@ -395,10 +411,10 @@ dest; std r16,56(r4)
1461 +
1462 + mtctr r6
1463 + 3:
1464 +-source; ld r6,0(r3)
1465 ++srcnr; ld r6,0(r3)
1466 + addi r3,r3,8
1467 + adde r0,r0,r6
1468 +-dest; std r6,0(r4)
1469 ++dstnr; std r6,0(r4)
1470 + addi r4,r4,8
1471 + bdnz 3b
1472 +
1473 +@@ -408,10 +424,10 @@ dest; std r6,0(r4)
1474 + srdi. r6,r5,2
1475 + beq .Lcopy_tail_halfword
1476 +
1477 +-source; lwz r6,0(r3)
1478 ++srcnr; lwz r6,0(r3)
1479 + addi r3,r3,4
1480 + adde r0,r0,r6
1481 +-dest; stw r6,0(r4)
1482 ++dstnr; stw r6,0(r4)
1483 + addi r4,r4,4
1484 + subi r5,r5,4
1485 +
1486 +@@ -419,10 +435,10 @@ dest; stw r6,0(r4)
1487 + srdi. r6,r5,1
1488 + beq .Lcopy_tail_byte
1489 +
1490 +-source; lhz r6,0(r3)
1491 ++srcnr; lhz r6,0(r3)
1492 + addi r3,r3,2
1493 + adde r0,r0,r6
1494 +-dest; sth r6,0(r4)
1495 ++dstnr; sth r6,0(r4)
1496 + addi r4,r4,2
1497 + subi r5,r5,2
1498 +
1499 +@@ -430,10 +446,10 @@ dest; sth r6,0(r4)
1500 + andi. r6,r5,1
1501 + beq .Lcopy_finish
1502 +
1503 +-source; lbz r6,0(r3)
1504 ++srcnr; lbz r6,0(r3)
1505 + sldi r9,r6,8 /* Pad the byte out to 16 bits */
1506 + adde r0,r0,r9
1507 +-dest; stb r6,0(r4)
1508 ++dstnr; stb r6,0(r4)
1509 +
1510 + .Lcopy_finish:
1511 + addze r0,r0 /* add in final carry */
1512 +@@ -443,6 +459,11 @@ dest; stb r6,0(r4)
1513 + blr
1514 +
1515 + .Lsrc_error:
1516 ++ ld r14,STK_REG(r14)(r1)
1517 ++ ld r15,STK_REG(r15)(r1)
1518 ++ ld r16,STK_REG(r16)(r1)
1519 ++ addi r1,r1,STACKFRAMESIZE
1520 ++.Lsrc_error_nr:
1521 + cmpdi 0,r7,0
1522 + beqlr
1523 + li r6,-EFAULT
1524 +@@ -450,6 +471,11 @@ dest; stb r6,0(r4)
1525 + blr
1526 +
1527 + .Ldest_error:
1528 ++ ld r14,STK_REG(r14)(r1)
1529 ++ ld r15,STK_REG(r15)(r1)
1530 ++ ld r16,STK_REG(r16)(r1)
1531 ++ addi r1,r1,STACKFRAMESIZE
1532 ++.Ldest_error_nr:
1533 + cmpdi 0,r8,0
1534 + beqlr
1535 + li r6,-EFAULT
1536 +diff --git a/arch/sparc/kernel/entry.S b/arch/sparc/kernel/entry.S
1537 +index f445e98..cfabc3d 100644
1538 +--- a/arch/sparc/kernel/entry.S
1539 ++++ b/arch/sparc/kernel/entry.S
1540 +@@ -1177,7 +1177,7 @@ sys_sigreturn:
1541 + nop
1542 +
1543 + call syscall_trace
1544 +- nop
1545 ++ mov 1, %o1
1546 +
1547 + 1:
1548 + /* We don't want to muck with user registers like a
1549 +diff --git a/arch/sparc/kernel/ktlb.S b/arch/sparc/kernel/ktlb.S
1550 +index 79f3103..7c00735 100644
1551 +--- a/arch/sparc/kernel/ktlb.S
1552 ++++ b/arch/sparc/kernel/ktlb.S
1553 +@@ -25,11 +25,10 @@ kvmap_itlb:
1554 + */
1555 + kvmap_itlb_4v:
1556 +
1557 +-kvmap_itlb_nonlinear:
1558 + /* Catch kernel NULL pointer calls. */
1559 + sethi %hi(PAGE_SIZE), %g5
1560 + cmp %g4, %g5
1561 +- bleu,pn %xcc, kvmap_dtlb_longpath
1562 ++ blu,pn %xcc, kvmap_itlb_longpath
1563 + nop
1564 +
1565 + KERN_TSB_LOOKUP_TL1(%g4, %g6, %g5, %g1, %g2, %g3, kvmap_itlb_load)
1566 +diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
1567 +index 7f5f65d..817187d 100644
1568 +--- a/arch/sparc/kernel/syscalls.S
1569 ++++ b/arch/sparc/kernel/syscalls.S
1570 +@@ -147,7 +147,7 @@ linux_syscall_trace32:
1571 + srl %i4, 0, %o4
1572 + srl %i1, 0, %o1
1573 + srl %i2, 0, %o2
1574 +- ba,pt %xcc, 2f
1575 ++ ba,pt %xcc, 5f
1576 + srl %i3, 0, %o3
1577 +
1578 + linux_syscall_trace:
1579 +@@ -177,13 +177,13 @@ linux_sparc_syscall32:
1580 + srl %i1, 0, %o1 ! IEU0 Group
1581 + ldx [%g6 + TI_FLAGS], %l0 ! Load
1582 +
1583 +- srl %i5, 0, %o5 ! IEU1
1584 ++ srl %i3, 0, %o3 ! IEU0
1585 + srl %i2, 0, %o2 ! IEU0 Group
1586 + andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
1587 + bne,pn %icc, linux_syscall_trace32 ! CTI
1588 + mov %i0, %l5 ! IEU1
1589 +- call %l7 ! CTI Group brk forced
1590 +- srl %i3, 0, %o3 ! IEU0
1591 ++5: call %l7 ! CTI Group brk forced
1592 ++ srl %i5, 0, %o5 ! IEU1
1593 + ba,a,pt %xcc, 3f
1594 +
1595 + /* Linux native system calls enter here... */
1596 +diff --git a/arch/sparc/kernel/trampoline_64.S b/arch/sparc/kernel/trampoline_64.S
1597 +index da1b781..8fa84a3 100644
1598 +--- a/arch/sparc/kernel/trampoline_64.S
1599 ++++ b/arch/sparc/kernel/trampoline_64.S
1600 +@@ -131,7 +131,6 @@ startup_continue:
1601 + clr %l5
1602 + sethi %hi(num_kernel_image_mappings), %l6
1603 + lduw [%l6 + %lo(num_kernel_image_mappings)], %l6
1604 +- add %l6, 1, %l6
1605 +
1606 + mov 15, %l7
1607 + BRANCH_IF_ANY_CHEETAH(g1,g5,2f)
1608 +@@ -224,7 +223,6 @@ niagara_lock_tlb:
1609 + clr %l5
1610 + sethi %hi(num_kernel_image_mappings), %l6
1611 + lduw [%l6 + %lo(num_kernel_image_mappings)], %l6
1612 +- add %l6, 1, %l6
1613 +
1614 + 1:
1615 + mov HV_FAST_MMU_MAP_PERM_ADDR, %o5
1616 +diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
1617 +index 1b30bb3..fbb8005 100644
1618 +--- a/arch/sparc/lib/ksyms.c
1619 ++++ b/arch/sparc/lib/ksyms.c
1620 +@@ -131,15 +131,6 @@ EXPORT_SYMBOL(___copy_from_user);
1621 + EXPORT_SYMBOL(___copy_in_user);
1622 + EXPORT_SYMBOL(__clear_user);
1623 +
1624 +-/* RW semaphores */
1625 +-EXPORT_SYMBOL(__down_read);
1626 +-EXPORT_SYMBOL(__down_read_trylock);
1627 +-EXPORT_SYMBOL(__down_write);
1628 +-EXPORT_SYMBOL(__down_write_trylock);
1629 +-EXPORT_SYMBOL(__up_read);
1630 +-EXPORT_SYMBOL(__up_write);
1631 +-EXPORT_SYMBOL(__downgrade_write);
1632 +-
1633 + /* Atomic counter implementation. */
1634 + EXPORT_SYMBOL(atomic_add);
1635 + EXPORT_SYMBOL(atomic_add_ret);
1636 +diff --git a/arch/unicore32/mm/init.c b/arch/unicore32/mm/init.c
1637 +index 3b379cd..d1af4ed 100644
1638 +--- a/arch/unicore32/mm/init.c
1639 ++++ b/arch/unicore32/mm/init.c
1640 +@@ -65,6 +65,9 @@ void show_mem(unsigned int filter)
1641 + printk(KERN_DEFAULT "Mem-info:\n");
1642 + show_free_areas(filter);
1643 +
1644 ++ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
1645 ++ return;
1646 ++
1647 + for_each_bank(i, mi) {
1648 + struct membank *bank = &mi->bank[i];
1649 + unsigned int pfn1, pfn2;
1650 +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
1651 +index 47f4e5f..a4e1b4b 100644
1652 +--- a/arch/x86/kernel/reboot.c
1653 ++++ b/arch/x86/kernel/reboot.c
1654 +@@ -468,6 +468,22 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = {
1655 + DMI_MATCH(DMI_PRODUCT_NAME, "Precision M6600"),
1656 + },
1657 + },
1658 ++ { /* Handle problems with rebooting on the Dell PowerEdge C6100. */
1659 ++ .callback = set_pci_reboot,
1660 ++ .ident = "Dell PowerEdge C6100",
1661 ++ .matches = {
1662 ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
1663 ++ DMI_MATCH(DMI_PRODUCT_NAME, "C6100"),
1664 ++ },
1665 ++ },
1666 ++ { /* Some C6100 machines were shipped with vendor being 'Dell'. */
1667 ++ .callback = set_pci_reboot,
1668 ++ .ident = "Dell PowerEdge C6100",
1669 ++ .matches = {
1670 ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
1671 ++ DMI_MATCH(DMI_PRODUCT_NAME, "C6100"),
1672 ++ },
1673 ++ },
1674 + { }
1675 + };
1676 +
1677 +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
1678 +index f9537e3..a18d20d 100644
1679 +--- a/arch/x86/platform/efi/efi.c
1680 ++++ b/arch/x86/platform/efi/efi.c
1681 +@@ -703,10 +703,13 @@ void __init efi_enter_virtual_mode(void)
1682 +
1683 + for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) {
1684 + md = p;
1685 +- if (!(md->attribute & EFI_MEMORY_RUNTIME) &&
1686 +- md->type != EFI_BOOT_SERVICES_CODE &&
1687 +- md->type != EFI_BOOT_SERVICES_DATA)
1688 +- continue;
1689 ++ if (!(md->attribute & EFI_MEMORY_RUNTIME)) {
1690 ++#ifdef CONFIG_X86_64
1691 ++ if (md->type != EFI_BOOT_SERVICES_CODE &&
1692 ++ md->type != EFI_BOOT_SERVICES_DATA)
1693 ++#endif
1694 ++ continue;
1695 ++ }
1696 +
1697 + size = md->num_pages << EFI_PAGE_SHIFT;
1698 + end = md->phys_addr + size;
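Review bot: The `#ifdef CONFIG_X86_64` now guards an `if` whose only body is the unbraced `continue` after the `#endif`, so which statement the `continue` hangs off changes with the configuration. That shape is easy to break when a statement is added next to it. At minimum I would add a comment above the block such as `/* 32-bit: skip every non-runtime region; 64-bit: also keep boot services code/data */`, and brace the inner `if`. The rest of the loop in `efi_enter_virtual_mode()` is outside the hunk.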
1699 +diff --git a/crypto/api.c b/crypto/api.c
1700 +index 033a714..cea3cf6 100644
1701 +--- a/crypto/api.c
1702 ++++ b/crypto/api.c
1703 +@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
1704 + BLOCKING_NOTIFIER_HEAD(crypto_chain);
1705 + EXPORT_SYMBOL_GPL(crypto_chain);
1706 +
1707 ++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
1708 ++
1709 + static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
1710 + {
1711 + atomic_inc(&alg->cra_refcnt);
1712 +@@ -150,8 +152,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
1713 + }
1714 + up_write(&crypto_alg_sem);
1715 +
1716 +- if (alg != &larval->alg)
1717 ++ if (alg != &larval->alg) {
1718 + kfree(larval);
1719 ++ if (crypto_is_larval(alg))
1720 ++ alg = crypto_larval_wait(alg);
1721 ++ }
1722 +
1723 + return alg;
1724 + }
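Review bot: The new call to `crypto_larval_wait(alg)` has no comment explaining the case it handles. When `alg != &larval->alg` an existing entry was found instead of the one just allocated, and the added test catches the case where that entry is itself still a larval. A comment such as `/* an earlier larval for this name is still pending: wait for it instead of returning it */` would make that clear. `crypto_larval_add()` can now block here, and whatever `crypto_larval_wait()` returns, presumably including an error value, is passed straight to the caller. Neither the callers nor the body of `crypto_larval_wait()` is visible, so that should be checked against them.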
1725 +diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
1726 +index f40acef..a6977e1 100644
1727 +--- a/drivers/acpi/acpi_ipmi.c
1728 ++++ b/drivers/acpi/acpi_ipmi.c
1729 +@@ -39,6 +39,7 @@
1730 + #include <linux/ipmi.h>
1731 + #include <linux/device.h>
1732 + #include <linux/pnp.h>
1733 ++#include <linux/spinlock.h>
1734 +
1735 + MODULE_AUTHOR("Zhao Yakui");
1736 + MODULE_DESCRIPTION("ACPI IPMI Opregion driver");
1737 +@@ -57,7 +58,7 @@ struct acpi_ipmi_device {
1738 + struct list_head head;
1739 + /* the IPMI request message list */
1740 + struct list_head tx_msg_list;
1741 +- struct mutex tx_msg_lock;
1742 ++ spinlock_t tx_msg_lock;
1743 + acpi_handle handle;
1744 + struct pnp_dev *pnp_dev;
1745 + ipmi_user_t user_interface;
1746 +@@ -147,6 +148,7 @@ static void acpi_format_ipmi_msg(struct acpi_ipmi_msg *tx_msg,
1747 + struct kernel_ipmi_msg *msg;
1748 + struct acpi_ipmi_buffer *buffer;
1749 + struct acpi_ipmi_device *device;
1750 ++ unsigned long flags;
1751 +
1752 + msg = &tx_msg->tx_message;
1753 + /*
1754 +@@ -177,10 +179,10 @@ static void acpi_format_ipmi_msg(struct acpi_ipmi_msg *tx_msg,
1755 +
1756 + /* Get the msgid */
1757 + device = tx_msg->device;
1758 +- mutex_lock(&device->tx_msg_lock);
1759 ++ spin_lock_irqsave(&device->tx_msg_lock, flags);
1760 + device->curr_msgid++;
1761 + tx_msg->tx_msgid = device->curr_msgid;
1762 +- mutex_unlock(&device->tx_msg_lock);
1763 ++ spin_unlock_irqrestore(&device->tx_msg_lock, flags);
1764 + }
1765 +
1766 + static void acpi_format_ipmi_response(struct acpi_ipmi_msg *msg,
1767 +@@ -242,6 +244,7 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
1768 + int msg_found = 0;
1769 + struct acpi_ipmi_msg *tx_msg;
1770 + struct pnp_dev *pnp_dev = ipmi_device->pnp_dev;
1771 ++ unsigned long flags;
1772 +
1773 + if (msg->user != ipmi_device->user_interface) {
1774 + dev_warn(&pnp_dev->dev, "Unexpected response is returned. "
1775 +@@ -250,7 +253,7 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
1776 + ipmi_free_recv_msg(msg);
1777 + return;
1778 + }
1779 +- mutex_lock(&ipmi_device->tx_msg_lock);
1780 ++ spin_lock_irqsave(&ipmi_device->tx_msg_lock, flags);
1781 + list_for_each_entry(tx_msg, &ipmi_device->tx_msg_list, head) {
1782 + if (msg->msgid == tx_msg->tx_msgid) {
1783 + msg_found = 1;
1784 +@@ -258,7 +261,7 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
1785 + }
1786 + }
1787 +
1788 +- mutex_unlock(&ipmi_device->tx_msg_lock);
1789 ++ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
1790 + if (!msg_found) {
1791 + dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is "
1792 + "returned.\n", msg->msgid);
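Review bot: After the `spin_unlock_irqrestore()` added in `ipmi_msg_handler()`, the `tx_msg` found by the list walk is no longer protected, while the `end_label` path of `acpi_ipmi_space_handler()` in this same patch does `list_del()` followed by `kfree(tx_msg)`. The rest of `ipmi_msg_handler()` is outside the hunk, so this is inferred, but if it goes on to write into `tx_msg` after the unlock, a request whose waiter returns at that moment leaves it writing to freed memory. The lock covers list membership only, so either the response copy should finish before the unlock or the message needs a reference count. At minimum I would add `/* tx_msg_lock protects tx_msg_list only; tx_msg is freed by acpi_ipmi_space_handler() */` above the unlock.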
1793 +@@ -378,6 +381,7 @@ acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
1794 + struct acpi_ipmi_device *ipmi_device = handler_context;
1795 + int err, rem_time;
1796 + acpi_status status;
1797 ++ unsigned long flags;
1798 + /*
1799 + * IPMI opregion message.
1800 + * IPMI message is firstly written to the BMC and system software
1801 +@@ -395,9 +399,9 @@ acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
1802 + return AE_NO_MEMORY;
1803 +
1804 + acpi_format_ipmi_msg(tx_msg, address, value);
1805 +- mutex_lock(&ipmi_device->tx_msg_lock);
1806 ++ spin_lock_irqsave(&ipmi_device->tx_msg_lock, flags);
1807 + list_add_tail(&tx_msg->head, &ipmi_device->tx_msg_list);
1808 +- mutex_unlock(&ipmi_device->tx_msg_lock);
1809 ++ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
1810 + err = ipmi_request_settime(ipmi_device->user_interface,
1811 + &tx_msg->addr,
1812 + tx_msg->tx_msgid,
1813 +@@ -413,9 +417,9 @@ acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
1814 + status = AE_OK;
1815 +
1816 + end_label:
1817 +- mutex_lock(&ipmi_device->tx_msg_lock);
1818 ++ spin_lock_irqsave(&ipmi_device->tx_msg_lock, flags);
1819 + list_del(&tx_msg->head);
1820 +- mutex_unlock(&ipmi_device->tx_msg_lock);
1821 ++ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
1822 + kfree(tx_msg);
1823 + return status;
1824 + }
1825 +@@ -457,7 +461,7 @@ static void acpi_add_ipmi_device(struct acpi_ipmi_device *ipmi_device)
1826 +
1827 + INIT_LIST_HEAD(&ipmi_device->head);
1828 +
1829 +- mutex_init(&ipmi_device->tx_msg_lock);
1830 ++ spin_lock_init(&ipmi_device->tx_msg_lock);
1831 + INIT_LIST_HEAD(&ipmi_device->tx_msg_list);
1832 + ipmi_install_space_handler(ipmi_device);
1833 +
1834 +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
1835 +index 51de186..8176b82 100644
1836 +--- a/drivers/acpi/ec.c
1837 ++++ b/drivers/acpi/ec.c
1838 +@@ -964,6 +964,10 @@ static struct dmi_system_id __initdata ec_dmi_table[] = {
1839 + ec_enlarge_storm_threshold, "CLEVO hardware", {
1840 + DMI_MATCH(DMI_SYS_VENDOR, "CLEVO Co."),
1841 + DMI_MATCH(DMI_PRODUCT_NAME, "M720T/M730T"),}, NULL},
1842 ++ {
1843 ++ ec_validate_ecdt, "ASUS hardware", {
1844 ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer Inc."),
1845 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L4R"),}, NULL},
1846 + {},
1847 + };
1848 +
1849 +diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
1850 +index d3446f6..d7ad865 100644
1851 +--- a/drivers/block/cciss.c
1852 ++++ b/drivers/block/cciss.c
1853 +@@ -1186,6 +1186,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
1854 + int err;
1855 + u32 cp;
1856 +
1857 ++ memset(&arg64, 0, sizeof(arg64));
1858 + err = 0;
1859 + err |=
1860 + copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
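Review bot: The added `memset(&arg64, 0, sizeof(arg64));` carries no comment saying why it is needed, and the same goes for `memset(&pciinfo, 0, sizeof(pciinfo));` in the cpqarray.c hunk that follows. In both places the struct is then filled member by member, so padding and any member not assigned would otherwise keep whatever was in that memory before. The copy back to user space is outside both hunks, so that part is presumed. A one-line comment such as `/* zero the whole struct so padding and unset members never carry stale kernel memory to user space */` would stop a later cleanup from dropping the call as redundant. `cciss_ioctl32_passthru()` continues outside the hunk.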
1861 +diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
1862 +index 9125bbe..504bc16 100644
1863 +--- a/drivers/block/cpqarray.c
1864 ++++ b/drivers/block/cpqarray.c
1865 +@@ -1195,6 +1195,7 @@ out_passthru:
1866 + ida_pci_info_struct pciinfo;
1867 +
1868 + if (!arg) return -EINVAL;
1869 ++ memset(&pciinfo, 0, sizeof(pciinfo));
1870 + pciinfo.bus = host->pci_dev->bus->number;
1871 + pciinfo.dev_fn = host->pci_dev->devfn;
1872 + pciinfo.board_id = host->board_id;
1873 +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
1874 +index bde72f7..3539f9b 100644
1875 +--- a/drivers/bluetooth/ath3k.c
1876 ++++ b/drivers/bluetooth/ath3k.c
1877 +@@ -84,6 +84,7 @@ static struct usb_device_id ath3k_table[] = {
1878 + { USB_DEVICE(0x04CA, 0x3008) },
1879 + { USB_DEVICE(0x13d3, 0x3362) },
1880 + { USB_DEVICE(0x0CF3, 0xE004) },
1881 ++ { USB_DEVICE(0x0CF3, 0xE005) },
1882 + { USB_DEVICE(0x0930, 0x0219) },
1883 + { USB_DEVICE(0x0489, 0xe057) },
1884 + { USB_DEVICE(0x13d3, 0x3393) },
1885 +@@ -125,6 +126,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
1886 + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
1887 + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
1888 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
1889 ++ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
1890 + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
1891 + { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
1892 + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
1893 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
1894 +index 1bd3924..f18b5a2 100644
1895 +--- a/drivers/bluetooth/btusb.c
1896 ++++ b/drivers/bluetooth/btusb.c
1897 +@@ -108,6 +108,7 @@ static struct usb_device_id btusb_table[] = {
1898 +
1899 + /* Broadcom BCM20702A0 */
1900 + { USB_DEVICE(0x0b05, 0x17b5) },
1901 ++ { USB_DEVICE(0x0b05, 0x17cb) },
1902 + { USB_DEVICE(0x04ca, 0x2003) },
1903 + { USB_DEVICE(0x0489, 0xe042) },
1904 + { USB_DEVICE(0x413c, 0x8197) },
1905 +@@ -154,6 +155,7 @@ static struct usb_device_id blacklist_table[] = {
1906 + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
1907 + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
1908 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
1909 ++ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
1910 + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
1911 + { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
1912 + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
1913 +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
1914 +index 7211f67..72f460e 100644
1915 +--- a/drivers/gpu/drm/drm_edid.c
1916 ++++ b/drivers/gpu/drm/drm_edid.c
1917 +@@ -125,6 +125,9 @@ static struct edid_quirk {
1918 +
1919 + /* ViewSonic VA2026w */
1920 + { "VSC", 5020, EDID_QUIRK_FORCE_REDUCED_BLANKING },
1921 ++
1922 ++ /* Medion MD 30217 PG */
1923 ++ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
1924 + };
1925 +
1926 + /*** DDC fetch and block validation ***/
1927 +diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
1928 +index a07ccab..72163e8 100644
1929 +--- a/drivers/gpu/drm/i915/intel_dp.c
1930 ++++ b/drivers/gpu/drm/i915/intel_dp.c
1931 +@@ -621,7 +621,18 @@ intel_dp_i2c_aux_ch(struct i2c_adapter *adapter, int mode,
1932 + DRM_DEBUG_KMS("aux_ch native nack\n");
1933 + return -EREMOTEIO;
1934 + case AUX_NATIVE_REPLY_DEFER:
1935 +- udelay(100);
1936 ++ /*
1937 ++ * For now, just give more slack to branch devices. We
1938 ++ * could check the DPCD for I2C bit rate capabilities,
1939 ++ * and if available, adjust the interval. We could also
1940 ++ * be more careful with DP-to-Legacy adapters where a
1941 ++ * long legacy cable may force very low I2C bit rates.
1942 ++ */
1943 ++ if (intel_dp->dpcd[DP_DOWNSTREAMPORT_PRESENT] &
1944 ++ DP_DWN_STRM_PORT_PRESENT)
1945 ++ usleep_range(500, 600);
1946 ++ else
1947 ++ usleep_range(300, 400);
1948 + continue;
1949 + default:
1950 + DRM_ERROR("aux_ch invalid native reply 0x%02x\n",
1951 +diff --git a/drivers/gpu/drm/i915/intel_opregion.c b/drivers/gpu/drm/i915/intel_opregion.c
1952 +index cffb007..356a252 100644
1953 +--- a/drivers/gpu/drm/i915/intel_opregion.c
1954 ++++ b/drivers/gpu/drm/i915/intel_opregion.c
1955 +@@ -161,7 +161,7 @@ static u32 asle_set_backlight(struct drm_device *dev, u32 bclp)
1956 +
1957 + max = intel_panel_get_max_backlight(dev);
1958 + intel_panel_set_backlight(dev, bclp * max / 255);
1959 +- asle->cblv = (bclp*0x64)/0xff | ASLE_CBLV_VALID;
1960 ++ asle->cblv = DIV_ROUND_UP(bclp * 100, 255) | ASLE_CBLV_VALID;
1961 +
1962 + return 0;
1963 + }
1964 +diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
1965 +index f0dc04b..3171294 100644
1966 +--- a/drivers/gpu/drm/radeon/atombios_encoders.c
1967 ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
1968 +@@ -1385,8 +1385,12 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
1969 + atombios_dig_encoder_setup(encoder, ATOM_ENABLE, 0);
1970 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_SETUP, 0, 0);
1971 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE, 0, 0);
1972 +- /* some early dce3.2 boards have a bug in their transmitter control table */
1973 +- if ((rdev->family != CHIP_RV710) && (rdev->family != CHIP_RV730))
1974 ++ /* some dce3.x boards have a bug in their transmitter control table.
1975 ++ * ACTION_ENABLE_OUTPUT can probably be dropped since ACTION_ENABLE
1976 ++ * does the same thing and more.
1977 ++ */
1978 ++ if ((rdev->family != CHIP_RV710) && (rdev->family != CHIP_RV730) &&
1979 ++ (rdev->family != CHIP_RS880))
1980 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE_OUTPUT, 0, 0);
1981 + }
1982 + if (ENCODER_MODE_IS_DP(atombios_get_encoder_mode(encoder)) && connector) {
1983 +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
1984 +index f5962a0..a68057a 100644
1985 +--- a/drivers/gpu/drm/radeon/evergreen.c
1986 ++++ b/drivers/gpu/drm/radeon/evergreen.c
1987 +@@ -501,7 +501,8 @@ static u32 evergreen_line_buffer_adjust(struct radeon_device *rdev,
1988 + struct drm_display_mode *mode,
1989 + struct drm_display_mode *other_mode)
1990 + {
1991 +- u32 tmp;
1992 ++ u32 tmp, buffer_alloc, i;
1993 ++ u32 pipe_offset = radeon_crtc->crtc_id * 0x20;
1994 + /*
1995 + * Line Buffer Setup
1996 + * There are 3 line buffers, each one shared by 2 display controllers.
1997 +@@ -524,18 +525,34 @@ static u32 evergreen_line_buffer_adjust(struct radeon_device *rdev,
1998 + * non-linked crtcs for maximum line buffer allocation.
1999 + */
2000 + if (radeon_crtc->base.enabled && mode) {
2001 +- if (other_mode)
2002 ++ if (other_mode) {
2003 + tmp = 0; /* 1/2 */
2004 +- else
2005 ++ buffer_alloc = 1;
2006 ++ } else {
2007 + tmp = 2; /* whole */
2008 +- } else
2009 ++ buffer_alloc = 2;
2010 ++ }
2011 ++ } else {
2012 + tmp = 0;
2013 ++ buffer_alloc = 0;
2014 ++ }
2015 +
2016 + /* second controller of the pair uses second half of the lb */
2017 + if (radeon_crtc->crtc_id % 2)
2018 + tmp += 4;
2019 + WREG32(DC_LB_MEMORY_SPLIT + radeon_crtc->crtc_offset, tmp);
2020 +
2021 ++ if (ASIC_IS_DCE41(rdev) || ASIC_IS_DCE5(rdev)) {
2022 ++ WREG32(PIPE0_DMIF_BUFFER_CONTROL + pipe_offset,
2023 ++ DMIF_BUFFERS_ALLOCATED(buffer_alloc));
2024 ++ for (i = 0; i < rdev->usec_timeout; i++) {
2025 ++ if (RREG32(PIPE0_DMIF_BUFFER_CONTROL + pipe_offset) &
2026 ++ DMIF_BUFFERS_ALLOCATED_COMPLETED)
2027 ++ break;
2028 ++ udelay(1);
2029 ++ }
2030 ++ }
2031 ++
2032 + if (radeon_crtc->base.enabled && mode) {
2033 + switch (tmp) {
2034 + case 0:
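Review bot: The new poll on `PIPE0_DMIF_BUFFER_CONTROL` gives up silently. When `DMIF_BUFFERS_ALLOCATED_COMPLETED` never appears, the loop simply runs out after `rdev->usec_timeout` iterations and the function carries on as if the allocation had finished. A check after the loop, `if (i == rdev->usec_timeout) DRM_ERROR("DMIF buffer allocation timed out\n");`, would make that visible in the log. The `buffer_alloc` values 0/1/2 would also read better with a short comment tying them to the none/half/whole split already noted next to `tmp`. `evergreen_line_buffer_adjust()` continues outside the hunk.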
2035 +diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h
2036 +index fe44a95..47f3bd2 100644
2037 +--- a/drivers/gpu/drm/radeon/evergreend.h
2038 ++++ b/drivers/gpu/drm/radeon/evergreend.h
2039 +@@ -459,6 +459,10 @@
2040 + # define LATENCY_LOW_WATERMARK(x) ((x) << 0)
2041 + # define LATENCY_HIGH_WATERMARK(x) ((x) << 16)
2042 +
2043 ++#define PIPE0_DMIF_BUFFER_CONTROL 0x0ca0
2044 ++# define DMIF_BUFFERS_ALLOCATED(x) ((x) << 0)
2045 ++# define DMIF_BUFFERS_ALLOCATED_COMPLETED (1 << 4)
2046 ++
2047 + #define IH_RB_CNTL 0x3e00
2048 + # define IH_RB_ENABLE (1 << 0)
2049 + # define IH_IB_SIZE(x) ((x) << 1) /* log2 */
2050 +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
2051 +index 383b38e..cda89c6b 100644
2052 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c
2053 ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
2054 +@@ -709,13 +709,16 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
2055 + (ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT *)
2056 + (ctx->bios + data_offset +
2057 + le16_to_cpu(router_obj->asObjects[k].usSrcDstTableOffset));
2058 ++ u8 *num_dst_objs = (u8 *)
2059 ++ ((u8 *)router_src_dst_table + 1 +
2060 ++ (router_src_dst_table->ucNumberOfSrc * 2));
2061 ++ u16 *dst_objs = (u16 *)(num_dst_objs + 1);
2062 + int enum_id;
2063 +
2064 + router.router_id = router_obj_id;
2065 +- for (enum_id = 0; enum_id < router_src_dst_table->ucNumberOfDst;
2066 +- enum_id++) {
2067 ++ for (enum_id = 0; enum_id < (*num_dst_objs); enum_id++) {
2068 + if (le16_to_cpu(path->usConnObjectId) ==
2069 +- le16_to_cpu(router_src_dst_table->usDstObjectID[enum_id]))
2070 ++ le16_to_cpu(dst_objs[enum_id]))
2071 + break;
2072 + }
2073 +
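Review bot: The pointer arithmetic that locates `num_dst_objs` and `dst_objs` is undocumented and, as far as the hunk shows, unchecked. `1 + ucNumberOfSrc * 2` encodes a table layout that the reader has to reconstruct, and both `ucNumberOfSrc` and `*num_dst_objs` are read straight from the video BIOS image. A comment above the declaration would help, for example `/* layout: u8 nsrc, u16 src[nsrc], u8 ndst, u16 dst[ndst] */`. Nothing visible verifies that `dst_objs + *num_dst_objs` stays inside the image, so a malformed table would be read past its end; a bound against the image size is worth adding if the context tracks one. The enclosing function starts and ends outside the hunk.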
2074 +@@ -1616,7 +1619,9 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct
2075 + kfree(edid);
2076 + }
2077 + }
2078 +- record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD);
2079 ++ record += fake_edid_record->ucFakeEDIDLength ?
2080 ++ fake_edid_record->ucFakeEDIDLength + 2 :
2081 ++ sizeof(ATOM_FAKE_EDID_PATCH_RECORD);
2082 + break;
2083 + case LCD_PANEL_RESOLUTION_RECORD_TYPE:
2084 + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
2085 +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
2086 +index 6fd53b6..b101843 100644
2087 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c
2088 ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
2089 +@@ -1387,6 +1387,24 @@ struct drm_connector_funcs radeon_dp_connector_funcs = {
2090 + .force = radeon_dvi_force,
2091 + };
2092 +
2093 ++static const struct drm_connector_funcs radeon_edp_connector_funcs = {
2094 ++ .dpms = drm_helper_connector_dpms,
2095 ++ .detect = radeon_dp_detect,
2096 ++ .fill_modes = drm_helper_probe_single_connector_modes,
2097 ++ .set_property = radeon_lvds_set_property,
2098 ++ .destroy = radeon_dp_connector_destroy,
2099 ++ .force = radeon_dvi_force,
2100 ++};
2101 ++
2102 ++static const struct drm_connector_funcs radeon_lvds_bridge_connector_funcs = {
2103 ++ .dpms = drm_helper_connector_dpms,
2104 ++ .detect = radeon_dp_detect,
2105 ++ .fill_modes = drm_helper_probe_single_connector_modes,
2106 ++ .set_property = radeon_lvds_set_property,
2107 ++ .destroy = radeon_dp_connector_destroy,
2108 ++ .force = radeon_dvi_force,
2109 ++};
2110 ++
2111 + void
2112 + radeon_add_atom_connector(struct drm_device *dev,
2113 + uint32_t connector_id,
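Review bot: `radeon_edp_connector_funcs` and `radeon_lvds_bridge_connector_funcs` are initialised with exactly the same six callbacks, so this hunk adds two identical tables. If they are expected to diverge, a comment on each saying which connector path it serves would explain the duplication; otherwise one table used at both `drm_connector_init()` call sites is enough. Both new tables are `static const` while the neighbouring `radeon_dp_connector_funcs` is neither, a minor inconsistency worth a follow-up.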
2114 +@@ -1478,8 +1496,6 @@ radeon_add_atom_connector(struct drm_device *dev,
2115 + goto failed;
2116 + radeon_dig_connector->igp_lane_info = igp_lane_info;
2117 + radeon_connector->con_priv = radeon_dig_connector;
2118 +- drm_connector_init(dev, &radeon_connector->base, &radeon_dp_connector_funcs, connector_type);
2119 +- drm_connector_helper_add(&radeon_connector->base, &radeon_dp_connector_helper_funcs);
2120 + if (i2c_bus->valid) {
2121 + /* add DP i2c bus */
2122 + if (connector_type == DRM_MODE_CONNECTOR_eDP)
2123 +@@ -1496,6 +1512,10 @@ radeon_add_atom_connector(struct drm_device *dev,
2124 + case DRM_MODE_CONNECTOR_VGA:
2125 + case DRM_MODE_CONNECTOR_DVIA:
2126 + default:
2127 ++ drm_connector_init(dev, &radeon_connector->base,
2128 ++ &radeon_dp_connector_funcs, connector_type);
2129 ++ drm_connector_helper_add(&radeon_connector->base,
2130 ++ &radeon_dp_connector_helper_funcs);
2131 + connector->interlace_allowed = true;
2132 + connector->doublescan_allowed = true;
2133 + radeon_connector->dac_load_detect = true;
2134 +@@ -1508,6 +1528,10 @@ radeon_add_atom_connector(struct drm_device *dev,
2135 + case DRM_MODE_CONNECTOR_HDMIA:
2136 + case DRM_MODE_CONNECTOR_HDMIB:
2137 + case DRM_MODE_CONNECTOR_DisplayPort:
2138 ++ drm_connector_init(dev, &radeon_connector->base,
2139 ++ &radeon_dp_connector_funcs, connector_type);
2140 ++ drm_connector_helper_add(&radeon_connector->base,
2141 ++ &radeon_dp_connector_helper_funcs);
2142 + drm_connector_attach_property(&radeon_connector->base,
2143 + rdev->mode_info.underscan_property,
2144 + UNDERSCAN_OFF);
2145 +@@ -1532,6 +1556,10 @@ radeon_add_atom_connector(struct drm_device *dev,
2146 + break;
2147 + case DRM_MODE_CONNECTOR_LVDS:
2148 + case DRM_MODE_CONNECTOR_eDP:
2149 ++ drm_connector_init(dev, &radeon_connector->base,
2150 ++ &radeon_lvds_bridge_connector_funcs, connector_type);
2151 ++ drm_connector_helper_add(&radeon_connector->base,
2152 ++ &radeon_dp_connector_helper_funcs);
2153 + drm_connector_attach_property(&radeon_connector->base,
2154 + dev->mode_config.scaling_mode_property,
2155 + DRM_MODE_SCALE_FULLSCREEN);
2156 +@@ -1695,7 +1723,7 @@ radeon_add_atom_connector(struct drm_device *dev,
2157 + goto failed;
2158 + radeon_dig_connector->igp_lane_info = igp_lane_info;
2159 + radeon_connector->con_priv = radeon_dig_connector;
2160 +- drm_connector_init(dev, &radeon_connector->base, &radeon_dp_connector_funcs, connector_type);
2161 ++ drm_connector_init(dev, &radeon_connector->base, &radeon_edp_connector_funcs, connector_type);
2162 + drm_connector_helper_add(&radeon_connector->base, &radeon_dp_connector_helper_funcs);
2163 + if (i2c_bus->valid) {
2164 + /* add DP i2c bus */
2165 +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
2166 +index cd94abb..8cde84b 100644
2167 +--- a/drivers/gpu/drm/radeon/radeon_device.c
2168 ++++ b/drivers/gpu/drm/radeon/radeon_device.c
2169 +@@ -818,10 +818,16 @@ int radeon_device_init(struct radeon_device *rdev,
2170 + return r;
2171 + }
2172 + if (radeon_testing) {
2173 +- radeon_test_moves(rdev);
2174 ++ if (rdev->accel_working)
2175 ++ radeon_test_moves(rdev);
2176 ++ else
2177 ++ DRM_INFO("radeon: acceleration disabled, skipping move tests\n");
2178 + }
2179 + if (radeon_benchmarking) {
2180 +- radeon_benchmark(rdev, radeon_benchmarking);
2181 ++ if (rdev->accel_working)
2182 ++ radeon_benchmark(rdev, radeon_benchmarking);
2183 ++ else
2184 ++ DRM_INFO("radeon: acceleration disabled, skipping benchmarks\n");
2185 + }
2186 + return 0;
2187 + }
2188 +diff --git a/drivers/gpu/drm/radeon/rs400.c b/drivers/gpu/drm/radeon/rs400.c
2189 +index 4dd9512..c087434 100644
2190 +--- a/drivers/gpu/drm/radeon/rs400.c
2191 ++++ b/drivers/gpu/drm/radeon/rs400.c
2192 +@@ -174,10 +174,13 @@ int rs400_gart_enable(struct radeon_device *rdev)
2193 + /* FIXME: according to doc we should set HIDE_MMCFG_BAR=0,
2194 + * AGPMODE30=0 & AGP30ENHANCED=0 in NB_CNTL */
2195 + if ((rdev->family == CHIP_RS690) || (rdev->family == CHIP_RS740)) {
2196 +- WREG32_MC(RS480_MC_MISC_CNTL,
2197 +- (RS480_GART_INDEX_REG_EN | RS690_BLOCK_GFX_D3_EN));
2198 ++ tmp = RREG32_MC(RS480_MC_MISC_CNTL);
2199 ++ tmp |= RS480_GART_INDEX_REG_EN | RS690_BLOCK_GFX_D3_EN;
2200 ++ WREG32_MC(RS480_MC_MISC_CNTL, tmp);
2201 + } else {
2202 +- WREG32_MC(RS480_MC_MISC_CNTL, RS480_GART_INDEX_REG_EN);
2203 ++ tmp = RREG32_MC(RS480_MC_MISC_CNTL);
2204 ++ tmp |= RS480_GART_INDEX_REG_EN;
2205 ++ WREG32_MC(RS480_MC_MISC_CNTL, tmp);
2206 + }
2207 + /* Enable gart */
2208 + WREG32_MC(RS480_AGP_ADDRESS_SPACE_SIZE, (RS480_GART_EN | size_reg));
2209 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
2210 +index 611aafc..9ac4389 100644
2211 +--- a/drivers/hid/hid-core.c
2212 ++++ b/drivers/hid/hid-core.c
2213 +@@ -59,6 +59,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
2214 + struct hid_report_enum *report_enum = device->report_enum + type;
2215 + struct hid_report *report;
2216 +
2217 ++ if (id >= HID_MAX_IDS)
2218 ++ return NULL;
2219 + if (report_enum->report_id_hash[id])
2220 + return report_enum->report_id_hash[id];
2221 +
2222 +@@ -216,9 +218,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
2223 + {
2224 + struct hid_report *report;
2225 + struct hid_field *field;
2226 +- int usages;
2227 ++ unsigned usages;
2228 + unsigned offset;
2229 +- int i;
2230 ++ unsigned i;
2231 +
2232 + report = hid_register_report(parser->device, report_type, parser->global.report_id);
2233 + if (!report) {
2234 +@@ -237,7 +239,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
2235 + if (!parser->local.usage_index) /* Ignore padding fields */
2236 + return 0;
2237 +
2238 +- usages = max_t(int, parser->local.usage_index, parser->global.report_count);
2239 ++ usages = max_t(unsigned, parser->local.usage_index,
2240 ++ parser->global.report_count);
2241 +
2242 + field = hid_register_field(report, usages, parser->global.report_count);
2243 + if (!field)
2244 +@@ -248,7 +251,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
2245 + field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION);
2246 +
2247 + for (i = 0; i < usages; i++) {
2248 +- int j = i;
2249 ++ unsigned j = i;
2250 + /* Duplicate the last usage we parsed if we have excess values */
2251 + if (i >= parser->local.usage_index)
2252 + j = parser->local.usage_index - 1;
2253 +@@ -380,8 +383,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
2254 +
2255 + case HID_GLOBAL_ITEM_TAG_REPORT_ID:
2256 + parser->global.report_id = item_udata(item);
2257 +- if (parser->global.report_id == 0) {
2258 +- dbg_hid("report_id 0 is invalid\n");
2259 ++ if (parser->global.report_id == 0 ||
2260 ++ parser->global.report_id >= HID_MAX_IDS) {
2261 ++ dbg_hid("report_id %u is invalid\n",
2262 ++ parser->global.report_id);
2263 + return -1;
2264 + }
2265 + return 0;
2266 +@@ -552,7 +557,7 @@ static void hid_device_release(struct device *dev)
2267 + for (i = 0; i < HID_REPORT_TYPES; i++) {
2268 + struct hid_report_enum *report_enum = device->report_enum + i;
2269 +
2270 +- for (j = 0; j < 256; j++) {
2271 ++ for (j = 0; j < HID_MAX_IDS; j++) {
2272 + struct hid_report *report = report_enum->report_id_hash[j];
2273 + if (report)
2274 + hid_free_report(report);
2275 +@@ -710,6 +715,64 @@ err:
2276 + }
2277 + EXPORT_SYMBOL_GPL(hid_parse_report);
2278 +
2279 ++static const char * const hid_report_names[] = {
2280 ++ "HID_INPUT_REPORT",
2281 ++ "HID_OUTPUT_REPORT",
2282 ++ "HID_FEATURE_REPORT",
2283 ++};
2284 ++/**
2285 ++ * hid_validate_values - validate existing device report's value indexes
2286 ++ *
2287 ++ * @device: hid device
2288 ++ * @type: which report type to examine
2289 ++ * @id: which report ID to examine (0 for first)
2290 ++ * @field_index: which report field to examine
2291 ++ * @report_counts: expected number of values
2292 ++ *
2293 ++ * Validate the number of values in a given field of a given report, after
2294 ++ * parsing.
2295 ++ */
2296 ++struct hid_report *hid_validate_values(struct hid_device *hid,
2297 ++ unsigned int type, unsigned int id,
2298 ++ unsigned int field_index,
2299 ++ unsigned int report_counts)
2300 ++{
2301 ++ struct hid_report *report;
2302 ++
2303 ++ if (type > HID_FEATURE_REPORT) {
2304 ++ hid_err(hid, "invalid HID report type %u\n", type);
2305 ++ return NULL;
2306 ++ }
2307 ++
2308 ++ if (id >= HID_MAX_IDS) {
2309 ++ hid_err(hid, "invalid HID report id %u\n", id);
2310 ++ return NULL;
2311 ++ }
2312 ++
2313 ++ /*
2314 ++ * Explicitly not using hid_get_report() here since it depends on
2315 ++ * ->numbered being checked, which may not always be the case when
2316 ++ * drivers go to access report values.
2317 ++ */
2318 ++ report = hid->report_enum[type].report_id_hash[id];
2319 ++ if (!report) {
2320 ++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
2321 ++ return NULL;
2322 ++ }
2323 ++ if (report->maxfield <= field_index) {
2324 ++ hid_err(hid, "not enough fields in %s %u\n",
2325 ++ hid_report_names[type], id);
2326 ++ return NULL;
2327 ++ }
2328 ++ if (report->field[field_index]->report_count < report_counts) {
2329 ++ hid_err(hid, "not enough values in %s %u field %u\n",
2330 ++ hid_report_names[type], id, field_index);
2331 ++ return NULL;
2332 ++ }
2333 ++ return report;
2334 ++}
2335 ++EXPORT_SYMBOL_GPL(hid_validate_values);
2336 ++
2337 + /*
2338 + * Convert a signed n-bit integer to signed 32-bit integer. Common
2339 + * cases are done through the compiler, the screwed things has to be
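Review bot: The kernel-doc for `hid_validate_values()` promises `@id: ... (0 for first)`, but the lookup is `hid->report_enum[type].report_id_hash[id]`, which for id 0 finds a report only when the device uses unnumbered reports. The drivers converted later in this patch (`lg2ff_init`, `lg3ff_init`, `lg4ff_init`, `lgff_init`) previously took the first entry of `report_list` and now pass id 0. A device whose single output report carries a non-zero id would therefore fail validation and lose force feedback. Treating id 0 as "first report in the list" restores the old behaviour while keeping the new bounds checks. The kernel-doc also names the first parameter `@device` while the argument is called `hid`.

```c
	if (id == 0) {
		/* id 0 means "first known report", whatever its number */
		struct list_head *reports = &hid->report_enum[type].report_list;

		report = list_empty(reports) ? NULL :
			list_entry(reports->next, struct hid_report, list);
	} else {
		report = hid->report_enum[type].report_id_hash[id];
	}
	/* … unchanged: NULL, maxfield and report_count checks … */
```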
2340 +@@ -990,7 +1053,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
2341 +
2342 + int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
2343 + {
2344 +- unsigned size = field->report_size;
2345 ++ unsigned size;
2346 ++
2347 ++ if (!field)
2348 ++ return -1;
2349 ++
2350 ++ size = field->report_size;
2351 +
2352 + hid_dump_input(field->report->device, field->usage + offset, value);
2353 +
2354 +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
2355 +index 08075f2..ca2b3e6 100644
2356 +--- a/drivers/hid/hid-ids.h
2357 ++++ b/drivers/hid/hid-ids.h
2358 +@@ -581,6 +581,7 @@
2359 + #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_16 0x0012
2360 + #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_17 0x0013
2361 + #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_18 0x0014
2362 ++#define USB_DEVICE_ID_NTRIG_DUOSENSE 0x1500
2363 +
2364 + #define USB_VENDOR_ID_ONTRAK 0x0a07
2365 + #define USB_DEVICE_ID_ONTRAK_ADU100 0x0064
2366 +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
2367 +index f333139..95c79a3 100644
2368 +--- a/drivers/hid/hid-input.c
2369 ++++ b/drivers/hid/hid-input.c
2370 +@@ -284,6 +284,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
2371 + if (field->flags & HID_MAIN_ITEM_CONSTANT)
2372 + goto ignore;
2373 +
2374 ++ /* Ignore if report count is out of bounds. */
2375 ++ if (field->report_count < 1)
2376 ++ goto ignore;
2377 ++
2378 + /* only LED usages are supported in output fields */
2379 + if (field->report_type == HID_OUTPUT_REPORT &&
2380 + (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) {
2381 +@@ -887,10 +891,15 @@ static void report_features(struct hid_device *hid)
2382 +
2383 + rep_enum = &hid->report_enum[HID_FEATURE_REPORT];
2384 + list_for_each_entry(rep, &rep_enum->report_list, list)
2385 +- for (i = 0; i < rep->maxfield; i++)
2386 ++ for (i = 0; i < rep->maxfield; i++) {
2387 ++ /* Ignore if report count is out of bounds. */
2388 ++ if (rep->field[i]->report_count < 1)
2389 ++ continue;
2390 ++
2391 + for (j = 0; j < rep->field[i]->maxusage; j++)
2392 + drv->feature_mapping(hid, rep->field[i],
2393 + rep->field[i]->usage + j);
2394 ++ }
2395 + }
2396 +
2397 + /*
2398 +diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
2399 +index 3c31bc6..128f011 100644
2400 +--- a/drivers/hid/hid-lg2ff.c
2401 ++++ b/drivers/hid/hid-lg2ff.c
2402 +@@ -66,26 +66,13 @@ int lg2ff_init(struct hid_device *hid)
2403 + struct hid_report *report;
2404 + struct hid_input *hidinput = list_entry(hid->inputs.next,
2405 + struct hid_input, list);
2406 +- struct list_head *report_list =
2407 +- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
2408 + struct input_dev *dev = hidinput->input;
2409 + int error;
2410 +
2411 +- if (list_empty(report_list)) {
2412 +- hid_err(hid, "no output report found\n");
2413 ++ /* Check that the report looks ok */
2414 ++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7);
2415 ++ if (!report)
2416 + return -ENODEV;
2417 +- }
2418 +-
2419 +- report = list_entry(report_list->next, struct hid_report, list);
2420 +-
2421 +- if (report->maxfield < 1) {
2422 +- hid_err(hid, "output report is empty\n");
2423 +- return -ENODEV;
2424 +- }
2425 +- if (report->field[0]->report_count < 7) {
2426 +- hid_err(hid, "not enough values in the field\n");
2427 +- return -ENODEV;
2428 +- }
2429 +
2430 + lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
2431 + if (!lg2ff)
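Review bot: In `lg2ff_init()`, `hidinput` is still taken from `hid->inputs.next` and dereferenced for `dev` in the declarations, before anything checks that `hid->inputs` is non-empty. The new `hid_validate_values()` call covers the output report but not this. If a device's descriptor results in no input being registered (not verifiable from the hunk), `list_entry()` yields a pointer computed from the list head inside `hid` rather than a real `hid_input`. The same pattern sits in the context lines of `lg3ff_init`, `lg4ff_init` and `lgff_init` below. Guarding with `list_empty()` first closes the gap; `lg2ff_init` begins before and continues after this hunk.

```c
	struct hid_input *hidinput;
	struct input_dev *dev;
	int error;

	if (list_empty(&hid->inputs)) {
		hid_err(hid, "no inputs found\n");
		return -ENODEV;
	}
	hidinput = list_entry(hid->inputs.next, struct hid_input, list);
	dev = hidinput->input;

	/* … unchanged: hid_validate_values() check and lg2ff allocation … */
```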
2432 +diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
2433 +index f98644c..91f981f 100644
2434 +--- a/drivers/hid/hid-lg3ff.c
2435 ++++ b/drivers/hid/hid-lg3ff.c
2436 +@@ -68,10 +68,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
2437 + int x, y;
2438 +
2439 + /*
2440 +- * Maxusage should always be 63 (maximum fields)
2441 +- * likely a better way to ensure this data is clean
2442 ++ * Available values in the field should always be 63, but we only use up to
2443 ++ * 35. Instead, clear the entire area, however big it is.
2444 + */
2445 +- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
2446 ++ memset(report->field[0]->value, 0,
2447 ++ sizeof(__s32) * report->field[0]->report_count);
2448 +
2449 + switch (effect->type) {
2450 + case FF_CONSTANT:
2451 +@@ -131,32 +132,14 @@ static const signed short ff3_joystick_ac[] = {
2452 + int lg3ff_init(struct hid_device *hid)
2453 + {
2454 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
2455 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
2456 + struct input_dev *dev = hidinput->input;
2457 +- struct hid_report *report;
2458 +- struct hid_field *field;
2459 + const signed short *ff_bits = ff3_joystick_ac;
2460 + int error;
2461 + int i;
2462 +
2463 +- /* Find the report to use */
2464 +- if (list_empty(report_list)) {
2465 +- hid_err(hid, "No output report found\n");
2466 +- return -1;
2467 +- }
2468 +-
2469 + /* Check that the report looks ok */
2470 +- report = list_entry(report_list->next, struct hid_report, list);
2471 +- if (!report) {
2472 +- hid_err(hid, "NULL output report\n");
2473 +- return -1;
2474 +- }
2475 +-
2476 +- field = report->field[0];
2477 +- if (!field) {
2478 +- hid_err(hid, "NULL field\n");
2479 +- return -1;
2480 +- }
2481 ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35))
2482 ++ return -ENODEV;
2483 +
2484 + /* Assume single fixed device G940 */
2485 + for (i = 0; ff_bits[i] >= 0; i++)
2486 +diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
2487 +index 103f30d..5c6bf4b 100644
2488 +--- a/drivers/hid/hid-lg4ff.c
2489 ++++ b/drivers/hid/hid-lg4ff.c
2490 +@@ -339,33 +339,15 @@ static ssize_t lg4ff_range_store(struct device *dev, struct device_attribute *at
2491 + int lg4ff_init(struct hid_device *hid)
2492 + {
2493 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
2494 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
2495 + struct input_dev *dev = hidinput->input;
2496 +- struct hid_report *report;
2497 +- struct hid_field *field;
2498 + struct lg4ff_device_entry *entry;
2499 + struct usb_device_descriptor *udesc;
2500 + int error, i, j;
2501 + __u16 bcdDevice, rev_maj, rev_min;
2502 +
2503 +- /* Find the report to use */
2504 +- if (list_empty(report_list)) {
2505 +- hid_err(hid, "No output report found\n");
2506 +- return -1;
2507 +- }
2508 +-
2509 + /* Check that the report looks ok */
2510 +- report = list_entry(report_list->next, struct hid_report, list);
2511 +- if (!report) {
2512 +- hid_err(hid, "NULL output report\n");
2513 ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
2514 + return -1;
2515 +- }
2516 +-
2517 +- field = report->field[0];
2518 +- if (!field) {
2519 +- hid_err(hid, "NULL field\n");
2520 +- return -1;
2521 +- }
2522 +
2523 + /* Check what wheel has been connected */
2524 + for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
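Review bot: `lg4ff_init()` returns `-1` when `hid_validate_values()` fails, whereas the sibling conversions in `lg2ff_init`, `lg3ff_init` and `lgff_init` return `-ENODEV`. A bare `-1` reads as `-EPERM` to any caller that propagates the value, which would misreport a malformed report descriptor as a permission problem. `return -ENODEV;` keeps the four drivers consistent. The function continues outside the hunk.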
2525 +diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
2526 +index 27bc54f..1d978daa 100644
2527 +--- a/drivers/hid/hid-lgff.c
2528 ++++ b/drivers/hid/hid-lgff.c
2529 +@@ -130,27 +130,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
2530 + int lgff_init(struct hid_device* hid)
2531 + {
2532 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
2533 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
2534 + struct input_dev *dev = hidinput->input;
2535 +- struct hid_report *report;
2536 +- struct hid_field *field;
2537 + const signed short *ff_bits = ff_joystick;
2538 + int error;
2539 + int i;
2540 +
2541 +- /* Find the report to use */
2542 +- if (list_empty(report_list)) {
2543 +- hid_err(hid, "No output report found\n");
2544 +- return -1;
2545 +- }
2546 +-
2547 + /* Check that the report looks ok */
2548 +- report = list_entry(report_list->next, struct hid_report, list);
2549 +- field = report->field[0];
2550 +- if (!field) {
2551 +- hid_err(hid, "NULL field\n");
2552 +- return -1;
2553 +- }
2554 ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
2555 ++ return -ENODEV;
2556 +
2557 + for (i = 0; i < ARRAY_SIZE(devices); i++) {
2558 + if (dev->id.vendor == devices[i].idVendor &&
2559 +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
2560 +index 8821ecc..828a0dd 100644
2561 +--- a/drivers/hid/hid-logitech-dj.c
2562 ++++ b/drivers/hid/hid-logitech-dj.c
2563 +@@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev,
2564 + goto hid_parse_fail;
2565 + }
2566 +
2567 ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
2568 ++ 0, DJREPORT_SHORT_LENGTH - 1)) {
2569 ++ retval = -ENODEV;
2570 ++ goto hid_parse_fail;
2571 ++ }
2572 ++
2573 + /* Starts the usb device and connects to upper interfaces hiddev and
2574 + * hidraw */
2575 + retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
2576 +diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
2577 +index 9fae2eb..48cba85 100644
2578 +--- a/drivers/hid/hid-ntrig.c
2579 ++++ b/drivers/hid/hid-ntrig.c
2580 +@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
2581 + struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
2582 + report_id_hash[0x0d];
2583 +
2584 +- if (!report)
2585 ++ if (!report || report->maxfield < 1 ||
2586 ++ report->field[0]->report_count < 1)
2587 + return -EINVAL;
2588 +
2589 + usbhid_submit_report(hdev, report, USB_DIR_IN);
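Review bot: The open-coded test `report->maxfield < 1 || report->field[0]->report_count < 1` repeats by hand what hid_validate_values() does for the other drivers touched by this patch. If the helper can look up a feature report by id, `hid_validate_values(hdev, HID_FEATURE_REPORT, 0x0d, 0, 1)` would keep the validation and its error reporting in one place. If the local check stays, a one-line comment naming the field and value that are read once the report comes back would justify the bound. That read is outside the hunk, so it is inferred here.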
2590 +diff --git a/drivers/hid/hid-picolcd.c b/drivers/hid/hid-picolcd.c
2591 +index 01e7d2c..1daeaca 100644
2592 +--- a/drivers/hid/hid-picolcd.c
2593 ++++ b/drivers/hid/hid-picolcd.c
2594 +@@ -1424,7 +1424,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
2595 + buf += 10;
2596 + cnt -= 10;
2597 + }
2598 +- if (!report)
2599 ++ if (!report || report->maxfield != 1)
2600 + return -EINVAL;
2601 +
2602 + while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
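Review bot: `report->maxfield != 1` bounds the number of fields, but nothing in this check bounds how many values field 0 holds. If the code after the hunk stores into `report->field[0]` directly rather than through a bounds-checking setter, the test should also cover the count, e.g. `if (!report || report->maxfield != 1 || report->field[0]->report_count < N)` with N set to the number of values actually written. Those writes are outside the hunk, so both the need for the check and the value of N have to be confirmed there.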
2603 +diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
2604 +index 070f93a..12786cd 100644
2605 +--- a/drivers/hid/hid-pl.c
2606 ++++ b/drivers/hid/hid-pl.c
2607 +@@ -129,8 +129,14 @@ static int plff_init(struct hid_device *hid)
2608 + strong = &report->field[0]->value[2];
2609 + weak = &report->field[0]->value[3];
2610 + debug("detected single-field device");
2611 +- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
2612 +- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
2613 ++ } else if (report->field[0]->maxusage == 1 &&
2614 ++ report->field[0]->usage[0].hid ==
2615 ++ (HID_UP_LED | 0x43) &&
2616 ++ report->maxfield >= 4 &&
2617 ++ report->field[0]->report_count >= 1 &&
2618 ++ report->field[1]->report_count >= 1 &&
2619 ++ report->field[2]->report_count >= 1 &&
2620 ++ report->field[3]->report_count >= 1) {
2621 + report->field[0]->value[0] = 0x00;
2622 + report->field[1]->value[0] = 0x00;
2623 + strong = &report->field[2]->value[0];
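Review bot: The reordered condition dereferences `report->field[0]` before it tests `report->maxfield >= 4`, whereas the old code tested the field count first. That is only safe if an earlier check outside this hunk already guarantees at least one field; moving `report->maxfield >= 4 &&` back to the front keeps the branch safe on its own. The single-field branch above writes `value[2]` and `value[3]` of field 0, and its report_count test is not visible in the hunk, so it is worth confirming that it requires at least four values.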
2624 +diff --git a/drivers/hid/hid-speedlink.c b/drivers/hid/hid-speedlink.c
2625 +index 6020137..2b03c9b 100644
2626 +--- a/drivers/hid/hid-speedlink.c
2627 ++++ b/drivers/hid/hid-speedlink.c
2628 +@@ -3,7 +3,7 @@
2629 + * Fixes "jumpy" cursor and removes nonexistent keyboard LEDS from
2630 + * the HID descriptor.
2631 + *
2632 +- * Copyright (c) 2011 Stefan Kriwanek <mail@××××××××××××××.de>
2633 ++ * Copyright (c) 2011, 2013 Stefan Kriwanek <dev@××××××××××××××.de>
2634 + */
2635 +
2636 + /*
2637 +@@ -48,8 +48,13 @@ static int speedlink_event(struct hid_device *hdev, struct hid_field *field,
2638 + struct hid_usage *usage, __s32 value)
2639 + {
2640 + /* No other conditions due to usage_table. */
2641 +- /* Fix "jumpy" cursor (invalid events sent by device). */
2642 +- if (value == 256)
2643 ++
2644 ++ /* This fixes the "jumpy" cursor occuring due to invalid events sent
2645 ++ * by the device. Some devices only send them with value==+256, others
2646 ++ * don't. However, catching abs(value)>=256 is restrictive enough not
2647 ++ * to interfere with devices that were bug-free (has been tested).
2648 ++ */
2649 ++ if (abs(value) >= 256)
2650 + return 1;
2651 + /* Drop useless distance 0 events (on button clicks etc.) as well */
2652 + if (value == 0)
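Review bot: `abs(value) >= 256` misses one input: the absolute value of the most negative `__s32` is not representable, so the result stays negative and that event is passed on. Since the value comes from the device, I would write the range test directly, `if (value >= 256 || value <= -256)`, which has no such corner case. The new comment also misspells "occurring".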
2653 +diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
2654 +index f6ba81d..f348f7f 100644
2655 +--- a/drivers/hid/hid-zpff.c
2656 ++++ b/drivers/hid/hid-zpff.c
2657 +@@ -70,21 +70,13 @@ static int zpff_init(struct hid_device *hid)
2658 + struct hid_report *report;
2659 + struct hid_input *hidinput = list_entry(hid->inputs.next,
2660 + struct hid_input, list);
2661 +- struct list_head *report_list =
2662 +- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
2663 + struct input_dev *dev = hidinput->input;
2664 +- int error;
2665 ++ int i, error;
2666 +
2667 +- if (list_empty(report_list)) {
2668 +- hid_err(hid, "no output report found\n");
2669 +- return -ENODEV;
2670 +- }
2671 +-
2672 +- report = list_entry(report_list->next, struct hid_report, list);
2673 +-
2674 +- if (report->maxfield < 4) {
2675 +- hid_err(hid, "not enough fields in report\n");
2676 +- return -ENODEV;
2677 ++ for (i = 0; i < 4; i++) {
2678 ++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
2679 ++ if (!report)
2680 ++ return -ENODEV;
2681 + }
2682 +
2683 + zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
2684 +diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
2685 +index 17d15bb..9e50f61 100644
2686 +--- a/drivers/hid/hidraw.c
2687 ++++ b/drivers/hid/hidraw.c
2688 +@@ -42,7 +42,6 @@ static struct cdev hidraw_cdev;
2689 + static struct class *hidraw_class;
2690 + static struct hidraw *hidraw_table[HIDRAW_MAX_DEVICES];
2691 + static DEFINE_MUTEX(minors_lock);
2692 +-static void drop_ref(struct hidraw *hid, int exists_bit);
2693 +
2694 + static ssize_t hidraw_read(struct file *file, char __user *buffer, size_t count, loff_t *ppos)
2695 + {
2696 +@@ -296,14 +295,37 @@ out:
2697 +
2698 + }
2699 +
2700 ++static void drop_ref(struct hidraw *hidraw, int exists_bit)
2701 ++{
2702 ++ if (exists_bit) {
2703 ++ hid_hw_close(hidraw->hid);
2704 ++ hidraw->exist = 0;
2705 ++ if (hidraw->open)
2706 ++ wake_up_interruptible(&hidraw->wait);
2707 ++ } else {
2708 ++ --hidraw->open;
2709 ++ }
2710 ++
2711 ++ if (!hidraw->open && !hidraw->exist) {
2712 ++ device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));
2713 ++ hidraw_table[hidraw->minor] = NULL;
2714 ++ kfree(hidraw);
2715 ++ }
2716 ++}
2717 ++
2718 + static int hidraw_release(struct inode * inode, struct file * file)
2719 + {
2720 + unsigned int minor = iminor(inode);
2721 + struct hidraw_list *list = file->private_data;
2722 +
2723 +- drop_ref(hidraw_table[minor], 0);
2724 ++ mutex_lock(&minors_lock);
2725 ++
2726 + list_del(&list->node);
2727 + kfree(list);
2728 ++
2729 ++ drop_ref(hidraw_table[minor], 0);
2730 ++
2731 ++ mutex_unlock(&minors_lock);
2732 + return 0;
2733 + }
2734 +
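Review bot: drop_ref() now depends on its caller holding `minors_lock`, but nothing in the function states or enforces that. It clears `hidraw_table[]` entries and may `kfree(hidraw)`, so a future caller that forgets the lock would bring back the race this change appears to close. Adding `lockdep_assert_held(&minors_lock);` as the first statement, plus a one-line comment above the function, would make the contract checkable. The same contract covers the call wrapped in hidraw_disconnect() in the next hunk.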
2735 +@@ -506,7 +528,12 @@ EXPORT_SYMBOL_GPL(hidraw_connect);
2736 + void hidraw_disconnect(struct hid_device *hid)
2737 + {
2738 + struct hidraw *hidraw = hid->hidraw;
2739 ++
2740 ++ mutex_lock(&minors_lock);
2741 ++
2742 + drop_ref(hidraw, 1);
2743 ++
2744 ++ mutex_unlock(&minors_lock);
2745 + }
2746 + EXPORT_SYMBOL_GPL(hidraw_disconnect);
2747 +
2748 +@@ -555,23 +582,3 @@ void hidraw_exit(void)
2749 + unregister_chrdev_region(dev_id, HIDRAW_MAX_DEVICES);
2750 +
2751 + }
2752 +-
2753 +-static void drop_ref(struct hidraw *hidraw, int exists_bit)
2754 +-{
2755 +- mutex_lock(&minors_lock);
2756 +- if (exists_bit) {
2757 +- hid_hw_close(hidraw->hid);
2758 +- hidraw->exist = 0;
2759 +- if (hidraw->open)
2760 +- wake_up_interruptible(&hidraw->wait);
2761 +- } else {
2762 +- --hidraw->open;
2763 +- }
2764 +-
2765 +- if (!hidraw->open && !hidraw->exist) {
2766 +- device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));
2767 +- hidraw_table[hidraw->minor] = NULL;
2768 +- kfree(hidraw);
2769 +- }
2770 +- mutex_unlock(&minors_lock);
2771 +-}
2772 +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
2773 +index 96a1e0f..f98fbad 100644
2774 +--- a/drivers/hid/usbhid/hid-quirks.c
2775 ++++ b/drivers/hid/usbhid/hid-quirks.c
2776 +@@ -99,6 +99,8 @@ static const struct hid_blacklist {
2777 + { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_MULTI_TOUCH, HID_QUIRK_MULTI_INPUT },
2778 + { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS, HID_QUIRK_MULTI_INPUT },
2779 + { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS },
2780 ++ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
2781 ++
2782 + { 0, 0 }
2783 + };
2784 +
2785 +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
2786 +index d99aa84..30cac58 100644
2787 +--- a/drivers/hwmon/applesmc.c
2788 ++++ b/drivers/hwmon/applesmc.c
2789 +@@ -344,8 +344,10 @@ static int applesmc_get_lower_bound(unsigned int *lo, const char *key)
2790 + while (begin != end) {
2791 + int middle = begin + (end - begin) / 2;
2792 + entry = applesmc_get_entry_by_index(middle);
2793 +- if (IS_ERR(entry))
2794 ++ if (IS_ERR(entry)) {
2795 ++ *lo = 0;
2796 + return PTR_ERR(entry);
2797 ++ }
2798 + if (strcmp(entry->key, key) < 0)
2799 + begin = middle + 1;
2800 + else
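Review bot: The error path now stores `*lo = 0` before returning, and applesmc_get_upper_bound() in the next hunk stores `*hi = smcreg.key_count`, but neither says why an out-parameter is written on failure. Presumably this leaves callers that ignore the return value with an in-range bound; if so, a comment such as `/* leave a defined bound for callers that ignore the error */` belongs on both assignments. Checking the return value at the call sites, which are outside these hunks, would be the stronger fix.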
2801 +@@ -364,8 +366,10 @@ static int applesmc_get_upper_bound(unsigned int *hi, const char *key)
2802 + while (begin != end) {
2803 + int middle = begin + (end - begin) / 2;
2804 + entry = applesmc_get_entry_by_index(middle);
2805 +- if (IS_ERR(entry))
2806 ++ if (IS_ERR(entry)) {
2807 ++ *hi = smcreg.key_count;
2808 + return PTR_ERR(entry);
2809 ++ }
2810 + if (strcmp(key, entry->key) < 0)
2811 + end = middle;
2812 + else
2813 +@@ -485,16 +489,25 @@ static int applesmc_init_smcreg_try(void)
2814 + {
2815 + struct applesmc_registers *s = &smcreg;
2816 + bool left_light_sensor, right_light_sensor;
2817 ++ unsigned int count;
2818 + u8 tmp[1];
2819 + int ret;
2820 +
2821 + if (s->init_complete)
2822 + return 0;
2823 +
2824 +- ret = read_register_count(&s->key_count);
2825 ++ ret = read_register_count(&count);
2826 + if (ret)
2827 + return ret;
2828 +
2829 ++ if (s->cache && s->key_count != count) {
2830 ++ pr_warn("key count changed from %d to %d\n",
2831 ++ s->key_count, count);
2832 ++ kfree(s->cache);
2833 ++ s->cache = NULL;
2834 ++ }
2835 ++ s->key_count = count;
2836 ++
2837 + if (!s->cache)
2838 + s->cache = kcalloc(s->key_count, sizeof(*s->cache), GFP_KERNEL);
2839 + if (!s->cache)
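Review bot: The new `pr_warn("key count changed from %d to %d\n", ...)` prints `count`, declared `unsigned int` in this hunk, with `%d`; `%u` matches the type. The same applies to `s->key_count` if it is unsigned, as the old `read_register_count(&s->key_count)` call suggests. Separately, the cache is freed and reallocated here, so any pointer into the old `s->cache` held elsewhere would dangle; whether such pointers can exist is not visible from this hunk. applesmc_init_smcreg_try() continues past the hunk.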
2840 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
2841 +index f44a067..b4a4aaf 100644
2842 +--- a/drivers/iommu/intel-iommu.c
2843 ++++ b/drivers/iommu/intel-iommu.c
2844 +@@ -861,56 +861,54 @@ static int dma_pte_clear_range(struct dmar_domain *domain,
2845 + return order;
2846 + }
2847 +
2848 ++static void dma_pte_free_level(struct dmar_domain *domain, int level,
2849 ++ struct dma_pte *pte, unsigned long pfn,
2850 ++ unsigned long start_pfn, unsigned long last_pfn)
2851 ++{
2852 ++ pfn = max(start_pfn, pfn);
2853 ++ pte = &pte[pfn_level_offset(pfn, level)];
2854 ++
2855 ++ do {
2856 ++ unsigned long level_pfn;
2857 ++ struct dma_pte *level_pte;
2858 ++
2859 ++ if (!dma_pte_present(pte) || dma_pte_superpage(pte))
2860 ++ goto next;
2861 ++
2862 ++ level_pfn = pfn & level_mask(level - 1);
2863 ++ level_pte = phys_to_virt(dma_pte_addr(pte));
2864 ++
2865 ++ if (level > 2)
2866 ++ dma_pte_free_level(domain, level - 1, level_pte,
2867 ++ level_pfn, start_pfn, last_pfn);
2868 ++
2869 ++ /* If range covers entire pagetable, free it */
2870 ++ if (!(start_pfn > level_pfn ||
2871 ++ last_pfn < level_pfn + level_size(level))) {
2872 ++ dma_clear_pte(pte);
2873 ++ domain_flush_cache(domain, pte, sizeof(*pte));
2874 ++ free_pgtable_page(level_pte);
2875 ++ }
2876 ++next:
2877 ++ pfn += level_size(level);
2878 ++ } while (!first_pte_in_page(++pte) && pfn <= last_pfn);
2879 ++}
2880 ++
2881 + /* free page table pages. last level pte should already be cleared */
2882 + static void dma_pte_free_pagetable(struct dmar_domain *domain,
2883 + unsigned long start_pfn,
2884 + unsigned long last_pfn)
2885 + {
2886 + int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT;
2887 +- struct dma_pte *first_pte, *pte;
2888 +- int total = agaw_to_level(domain->agaw);
2889 +- int level;
2890 +- unsigned long tmp;
2891 +- int large_page = 2;
2892 +
2893 + BUG_ON(addr_width < BITS_PER_LONG && start_pfn >> addr_width);
2894 + BUG_ON(addr_width < BITS_PER_LONG && last_pfn >> addr_width);
2895 + BUG_ON(start_pfn > last_pfn);
2896 +
2897 + /* We don't need lock here; nobody else touches the iova range */
2898 +- level = 2;
2899 +- while (level <= total) {
2900 +- tmp = align_to_level(start_pfn, level);
2901 +-
2902 +- /* If we can't even clear one PTE at this level, we're done */
2903 +- if (tmp + level_size(level) - 1 > last_pfn)
2904 +- return;
2905 +-
2906 +- do {
2907 +- large_page = level;
2908 +- first_pte = pte = dma_pfn_level_pte(domain, tmp, level, &large_page);
2909 +- if (large_page > level)
2910 +- level = large_page + 1;
2911 +- if (!pte) {
2912 +- tmp = align_to_level(tmp + 1, level + 1);
2913 +- continue;
2914 +- }
2915 +- do {
2916 +- if (dma_pte_present(pte)) {
2917 +- free_pgtable_page(phys_to_virt(dma_pte_addr(pte)));
2918 +- dma_clear_pte(pte);
2919 +- }
2920 +- pte++;
2921 +- tmp += level_size(level);
2922 +- } while (!first_pte_in_page(pte) &&
2923 +- tmp + level_size(level) - 1 <= last_pfn);
2924 ++ dma_pte_free_level(domain, agaw_to_level(domain->agaw),
2925 ++ domain->pgd, 0, start_pfn, last_pfn);
2926 +
2927 +- domain_flush_cache(domain, first_pte,
2928 +- (void *)pte - (void *)first_pte);
2929 +-
2930 +- } while (tmp && tmp + level_size(level) - 1 <= last_pfn);
2931 +- level++;
2932 +- }
2933 + /* free pgd */
2934 + if (start_pfn == 0 && last_pfn == DOMAIN_MAX_PFN(domain->gaw)) {
2935 + free_pgtable_page(domain->pgd);
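Review bot: The "range covers entire pagetable" test in dma_pte_free_level() looks off by one. `last_pfn` is inclusive (the loop runs while `pfn <= last_pfn`), and the table behind this entry spans `level_pfn` through `level_pfn + level_size(level) - 1`. A range that ends exactly on the table's last pfn therefore fails `last_pfn < level_pfn + level_size(level)` and the page is not freed. I would compare against the last covered pfn, `last_pfn < level_pfn + level_size(level) - 1`. The effect is a leaked page-table page rather than a premature free.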
2936 +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
2937 +index b4aaa7b..5c30316 100644
2938 +--- a/drivers/md/dm-snap.c
2939 ++++ b/drivers/md/dm-snap.c
2940 +@@ -721,17 +721,16 @@ static int calc_max_buckets(void)
2941 + */
2942 + static int init_hash_tables(struct dm_snapshot *s)
2943 + {
2944 +- sector_t hash_size, cow_dev_size, origin_dev_size, max_buckets;
2945 ++ sector_t hash_size, cow_dev_size, max_buckets;
2946 +
2947 + /*
2948 + * Calculate based on the size of the original volume or
2949 + * the COW volume...
2950 + */
2951 + cow_dev_size = get_dev_size(s->cow->bdev);
2952 +- origin_dev_size = get_dev_size(s->origin->bdev);
2953 + max_buckets = calc_max_buckets();
2954 +
2955 +- hash_size = min(origin_dev_size, cow_dev_size) >> s->store->chunk_shift;
2956 ++ hash_size = cow_dev_size >> s->store->chunk_shift;
2957 + hash_size = min(hash_size, max_buckets);
2958 +
2959 + if (hash_size < 64)
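Review bot: The comment kept above the calculation still says the size is based on "the size of the original volume or the COW volume", but after this change only `cow_dev_size` is used. I would update it to `/* Calculate based on the size of the COW volume */` so the next reader does not look for the origin-size term. init_hash_tables() continues past the hunk.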
2960 +diff --git a/drivers/media/video/hdpvr/hdpvr-core.c b/drivers/media/video/hdpvr/hdpvr-core.c
2961 +index 441dacf..060353e 100644
2962 +--- a/drivers/media/video/hdpvr/hdpvr-core.c
2963 ++++ b/drivers/media/video/hdpvr/hdpvr-core.c
2964 +@@ -297,6 +297,11 @@ static int hdpvr_probe(struct usb_interface *interface,
2965 +
2966 + dev->workqueue = 0;
2967 +
2968 ++ /* init video transfer queues first of all */
2969 ++ /* to prevent oops in hdpvr_delete() on error paths */
2970 ++ INIT_LIST_HEAD(&dev->free_buff_list);
2971 ++ INIT_LIST_HEAD(&dev->rec_buff_list);
2972 ++
2973 + /* register v4l2_device early so it can be used for printks */
2974 + if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
2975 + err("v4l2_device_register failed");
2976 +@@ -319,10 +324,6 @@ static int hdpvr_probe(struct usb_interface *interface,
2977 + if (!dev->workqueue)
2978 + goto error;
2979 +
2980 +- /* init video transfer queues */
2981 +- INIT_LIST_HEAD(&dev->free_buff_list);
2982 +- INIT_LIST_HEAD(&dev->rec_buff_list);
2983 +-
2984 + dev->options = hdpvr_default_options;
2985 +
2986 + if (default_video_input < HDPVR_VIDEO_INPUTS)
2987 +@@ -373,12 +374,6 @@ static int hdpvr_probe(struct usb_interface *interface,
2988 + }
2989 + mutex_unlock(&dev->io_mutex);
2990 +
2991 +- if (hdpvr_register_videodev(dev, &interface->dev,
2992 +- video_nr[atomic_inc_return(&dev_nr)])) {
2993 +- v4l2_err(&dev->v4l2_dev, "registering videodev failed\n");
2994 +- goto error;
2995 +- }
2996 +-
2997 + #if defined(CONFIG_I2C) || defined(CONFIG_I2C_MODULE)
2998 + retval = hdpvr_register_i2c_adapter(dev);
2999 + if (retval < 0) {
3000 +@@ -399,6 +394,13 @@ static int hdpvr_probe(struct usb_interface *interface,
3001 + }
3002 + #endif
3003 +
3004 ++ retval = hdpvr_register_videodev(dev, &interface->dev,
3005 ++ video_nr[atomic_inc_return(&dev_nr)]);
3006 ++ if (retval < 0) {
3007 ++ v4l2_err(&dev->v4l2_dev, "registering videodev failed\n");
3008 ++ goto reg_fail;
3009 ++ }
3010 ++
3011 + /* let the user know what node this device is now attached to */
3012 + v4l2_info(&dev->v4l2_dev, "device now attached to %s\n",
3013 + video_device_node_name(dev->video_dev));
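Review bot: The relocated call still indexes `video_nr[atomic_inc_return(&dev_nr)]` with a counter that has no bound visible in this hunk. If `dev_nr` can reach the size of `video_nr` (many devices attached, or failed probes that never decrement it), this reads past the array; the array size and the decrement are outside the hunk, so this needs confirming. Reading the counter into a local and rejecting an out-of-range value before the call would make the probe path safe on its own. The new failure path also jumps to `reg_fail`, whose cleanup is not shown here.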
3014 +diff --git a/drivers/mmc/host/tmio_mmc_dma.c b/drivers/mmc/host/tmio_mmc_dma.c
3015 +index 86f259c..be9e74d 100644
3016 +--- a/drivers/mmc/host/tmio_mmc_dma.c
3017 ++++ b/drivers/mmc/host/tmio_mmc_dma.c
3018 +@@ -92,6 +92,7 @@ static void tmio_mmc_start_dma_rx(struct tmio_mmc_host *host)
3019 + pio:
3020 + if (!desc) {
3021 + /* DMA failed, fall back to PIO */
3022 ++ tmio_mmc_enable_dma(host, false);
3023 + if (ret >= 0)
3024 + ret = -EIO;
3025 + host->chan_rx = NULL;
3026 +@@ -104,7 +105,6 @@ pio:
3027 + }
3028 + dev_warn(&host->pdev->dev,
3029 + "DMA failed: %d, falling back to PIO\n", ret);
3030 +- tmio_mmc_enable_dma(host, false);
3031 + }
3032 +
3033 + dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d, sg[%d]\n", __func__,
3034 +@@ -173,6 +173,7 @@ static void tmio_mmc_start_dma_tx(struct tmio_mmc_host *host)
3035 + pio:
3036 + if (!desc) {
3037 + /* DMA failed, fall back to PIO */
3038 ++ tmio_mmc_enable_dma(host, false);
3039 + if (ret >= 0)
3040 + ret = -EIO;
3041 + host->chan_tx = NULL;
3042 +@@ -185,7 +186,6 @@ pio:
3043 + }
3044 + dev_warn(&host->pdev->dev,
3045 + "DMA failed: %d, falling back to PIO\n", ret);
3046 +- tmio_mmc_enable_dma(host, false);
3047 + }
3048 +
3049 + dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d\n", __func__,
3050 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
3051 +index b436b84..1bf36ac 100644
3052 +--- a/drivers/net/bonding/bond_main.c
3053 ++++ b/drivers/net/bonding/bond_main.c
3054 +@@ -1911,6 +1911,7 @@ int bond_release(struct net_device *bond_dev, struct net_device *slave_dev)
3055 + struct bonding *bond = netdev_priv(bond_dev);
3056 + struct slave *slave, *oldcurrent;
3057 + struct sockaddr addr;
3058 ++ int old_flags = bond_dev->flags;
3059 + u32 old_features = bond_dev->features;
3060 +
3061 + /* slave is not a slave or master is not master of this slave */
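Review bot: `int old_flags = bond_dev->flags;` caches a flag word in a signed int, while the flags field of a net_device is unsigned. `unsigned int old_flags = bond_dev->flags;` avoids the sign conversion and sits better next to the `u32 old_features` snapshot on the following line. The value is consumed by the promiscuity and allmulti teardown in the next hunk.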
3062 +@@ -2041,12 +2042,18 @@ int bond_release(struct net_device *bond_dev, struct net_device *slave_dev)
3063 + * already taken care of above when we detached the slave
3064 + */
3065 + if (!USES_PRIMARY(bond->params.mode)) {
3066 +- /* unset promiscuity level from slave */
3067 +- if (bond_dev->flags & IFF_PROMISC)
3068 ++ /* unset promiscuity level from slave
3069 ++ * NOTE: The NETDEV_CHANGEADDR call above may change the value
3070 ++ * of the IFF_PROMISC flag in the bond_dev, but we need the
3071 ++ * value of that flag before that change, as that was the value
3072 ++ * when this slave was attached, so we cache at the start of the
3073 ++ * function and use it here. Same goes for ALLMULTI below
3074 ++ */
3075 ++ if (old_flags & IFF_PROMISC)
3076 + dev_set_promiscuity(slave_dev, -1);
3077 +
3078 + /* unset allmulti level from slave */
3079 +- if (bond_dev->flags & IFF_ALLMULTI)
3080 ++ if (old_flags & IFF_ALLMULTI)
3081 + dev_set_allmulti(slave_dev, -1);
3082 +
3083 + /* flush master's mc_list from slave */
3084 +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
3085 +index e59d006..bb828c2 100644
3086 +--- a/drivers/net/can/flexcan.c
3087 ++++ b/drivers/net/can/flexcan.c
3088 +@@ -60,7 +60,7 @@
3089 + #define FLEXCAN_MCR_BCC BIT(16)
3090 + #define FLEXCAN_MCR_LPRIO_EN BIT(13)
3091 + #define FLEXCAN_MCR_AEN BIT(12)
3092 +-#define FLEXCAN_MCR_MAXMB(x) ((x) & 0xf)
3093 ++#define FLEXCAN_MCR_MAXMB(x) ((x) & 0x1f)
3094 + #define FLEXCAN_MCR_IDAM_A (0 << 8)
3095 + #define FLEXCAN_MCR_IDAM_B (1 << 8)
3096 + #define FLEXCAN_MCR_IDAM_C (2 << 8)
3097 +@@ -666,7 +666,6 @@ static int flexcan_chip_start(struct net_device *dev)
3098 + {
3099 + struct flexcan_priv *priv = netdev_priv(dev);
3100 + struct flexcan_regs __iomem *regs = priv->base;
3101 +- unsigned int i;
3102 + int err;
3103 + u32 reg_mcr, reg_ctrl;
3104 +
3105 +@@ -700,9 +699,11 @@ static int flexcan_chip_start(struct net_device *dev)
3106 + *
3107 + */
3108 + reg_mcr = flexcan_read(&regs->mcr);
3109 ++ reg_mcr &= ~FLEXCAN_MCR_MAXMB(0xff);
3110 + reg_mcr |= FLEXCAN_MCR_FRZ | FLEXCAN_MCR_FEN | FLEXCAN_MCR_HALT |
3111 + FLEXCAN_MCR_SUPV | FLEXCAN_MCR_WRN_EN |
3112 +- FLEXCAN_MCR_IDAM_C;
3113 ++ FLEXCAN_MCR_IDAM_C |
3114 ++ FLEXCAN_MCR_MAXMB(FLEXCAN_TX_BUF_ID);
3115 + dev_dbg(dev->dev.parent, "%s: writing mcr=0x%08x", __func__, reg_mcr);
3116 + flexcan_write(reg_mcr, &regs->mcr);
3117 +
3118 +@@ -732,16 +733,9 @@ static int flexcan_chip_start(struct net_device *dev)
3119 + dev_dbg(dev->dev.parent, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
3120 + flexcan_write(reg_ctrl, &regs->ctrl);
3121 +
3122 +- for (i = 0; i < ARRAY_SIZE(regs->cantxfg); i++) {
3123 +- flexcan_write(0, &regs->cantxfg[i].can_ctrl);
3124 +- flexcan_write(0, &regs->cantxfg[i].can_id);
3125 +- flexcan_write(0, &regs->cantxfg[i].data[0]);
3126 +- flexcan_write(0, &regs->cantxfg[i].data[1]);
3127 +-
3128 +- /* put MB into rx queue */
3129 +- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
3130 +- &regs->cantxfg[i].can_ctrl);
3131 +- }
3132 ++ /* Abort any pending TX, mark Mailbox as INACTIVE */
3133 ++ flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
3134 ++ &regs->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
3135 +
3136 + /* acceptance mask/acceptance code (accept everything) */
3137 + flexcan_write(0x0, &regs->rxgmask);
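Review bot: The new comment says the TX mailbox is marked INACTIVE, but the value written, `FLEXCAN_MB_CNT_CODE(0x4)`, is the same code the removed loop documented as "put MB into rx queue". Either the comment or the code is wrong for a transmit mailbox. To my knowledge the TX-inactive code on this controller is 0x8; that should be confirmed against the reference manual before changing the write to `FLEXCAN_MB_CNT_CODE(0x8)`. Named constants for the mailbox codes would keep the RX and TX meanings from being confused again. flexcan_chip_start() continues outside the hunk.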
3138 +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
3139 +index d0722a7..fb9e7d3 100644
3140 +--- a/drivers/net/ethernet/freescale/gianfar.c
3141 ++++ b/drivers/net/ethernet/freescale/gianfar.c
3142 +@@ -397,7 +397,13 @@ static void gfar_init_mac(struct net_device *ndev)
3143 + if (ndev->features & NETIF_F_IP_CSUM)
3144 + tctrl |= TCTRL_INIT_CSUM;
3145 +
3146 +- tctrl |= TCTRL_TXSCHED_PRIO;
3147 ++ if (priv->prio_sched_en)
3148 ++ tctrl |= TCTRL_TXSCHED_PRIO;
3149 ++ else {
3150 ++ tctrl |= TCTRL_TXSCHED_WRRS;
3151 ++ gfar_write(&regs->tr03wt, DEFAULT_WRRS_WEIGHT);
3152 ++ gfar_write(&regs->tr47wt, DEFAULT_WRRS_WEIGHT);
3153 ++ }
3154 +
3155 + gfar_write(&regs->tctrl, tctrl);
3156 +
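Review bot: The new `if (priv->prio_sched_en)` has an unbraced branch followed by a braced `else`; kernel style asks for braces on both branches once either needs them, i.e. `if (priv->prio_sched_en) {` and `} else {`. The comments added with this change also misspell "priority" twice, as "pritority" in the gfar_probe() hunk and "priorty" on the new bitfield in gianfar.h. gfar_init_mac() starts and ends outside the hunk.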
3157 +@@ -1157,6 +1163,9 @@ static int gfar_probe(struct platform_device *ofdev)
3158 + priv->rx_filer_enable = 1;
3159 + /* Enable most messages by default */
3160 + priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1;
3161 ++ /* use pritority h/w tx queue scheduling for single queue devices */
3162 ++ if (priv->num_tx_queues == 1)
3163 ++ priv->prio_sched_en = 1;
3164 +
3165 + /* Carrier starts down, phylib will bring it up */
3166 + netif_carrier_off(dev);
3167 +diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h
3168 +index 9aa4377..abeb79a 100644
3169 +--- a/drivers/net/ethernet/freescale/gianfar.h
3170 ++++ b/drivers/net/ethernet/freescale/gianfar.h
3171 +@@ -304,8 +304,16 @@ extern const char gfar_driver_version[];
3172 + #define TCTRL_TFCPAUSE 0x00000008
3173 + #define TCTRL_TXSCHED_MASK 0x00000006
3174 + #define TCTRL_TXSCHED_INIT 0x00000000
3175 ++/* priority scheduling */
3176 + #define TCTRL_TXSCHED_PRIO 0x00000002
3177 ++/* weighted round-robin scheduling (WRRS) */
3178 + #define TCTRL_TXSCHED_WRRS 0x00000004
3179 ++/* default WRRS weight and policy setting,
3180 ++ * tailored to the tr03wt and tr47wt registers:
3181 ++ * equal weight for all Tx Qs, measured in 64byte units
3182 ++ */
3183 ++#define DEFAULT_WRRS_WEIGHT 0x18181818
3184 ++
3185 + #define TCTRL_INIT_CSUM (TCTRL_TUCSEN | TCTRL_IPCSEN)
3186 +
3187 + #define IEVENT_INIT_CLEAR 0xffffffff
3188 +@@ -1101,7 +1109,8 @@ struct gfar_private {
3189 + extended_hash:1,
3190 + bd_stash_en:1,
3191 + rx_filer_enable:1,
3192 +- wol_en:1; /* Wake-on-LAN enabled */
3193 ++ wol_en:1, /* Wake-on-LAN enabled */
3194 ++ prio_sched_en:1; /* Enable priorty based Tx scheduling in Hw */
3195 + unsigned short padding;
3196 +
3197 + /* PHY stuff */
3198 +diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
3199 +index 8f47907..4236b82 100644
3200 +--- a/drivers/net/ethernet/realtek/8139cp.c
3201 ++++ b/drivers/net/ethernet/realtek/8139cp.c
3202 +@@ -478,7 +478,7 @@ rx_status_loop:
3203 +
3204 + while (1) {
3205 + u32 status, len;
3206 +- dma_addr_t mapping;
3207 ++ dma_addr_t mapping, new_mapping;
3208 + struct sk_buff *skb, *new_skb;
3209 + struct cp_desc *desc;
3210 + const unsigned buflen = cp->rx_buf_sz;
3211 +@@ -520,6 +520,14 @@ rx_status_loop:
3212 + goto rx_next;
3213 + }
3214 +
3215 ++ new_mapping = dma_map_single(&cp->pdev->dev, new_skb->data, buflen,
3216 ++ PCI_DMA_FROMDEVICE);
3217 ++ if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
3218 ++ dev->stats.rx_dropped++;
3219 ++ kfree_skb(new_skb);
3220 ++ goto rx_next;
3221 ++ }
3222 ++
3223 + dma_unmap_single(&cp->pdev->dev, mapping,
3224 + buflen, PCI_DMA_FROMDEVICE);
3225 +
3226 +@@ -531,12 +539,11 @@ rx_status_loop:
3227 +
3228 + skb_put(skb, len);
3229 +
3230 +- mapping = dma_map_single(&cp->pdev->dev, new_skb->data, buflen,
3231 +- PCI_DMA_FROMDEVICE);
3232 + cp->rx_skb[rx_tail] = new_skb;
3233 +
3234 + cp_rx_skb(cp, skb, desc);
3235 + rx++;
3236 ++ mapping = new_mapping;
3237 +
3238 + rx_next:
3239 + cp->rx_ring[rx_tail].opts2 = 0;
3240 +@@ -704,6 +711,22 @@ static inline u32 cp_tx_vlan_tag(struct sk_buff *skb)
3241 + TxVlanTag | swab16(vlan_tx_tag_get(skb)) : 0x00;
3242 + }
3243 +
3244 ++static void unwind_tx_frag_mapping(struct cp_private *cp, struct sk_buff *skb,
3245 ++ int first, int entry_last)
3246 ++{
3247 ++ int frag, index;
3248 ++ struct cp_desc *txd;
3249 ++ skb_frag_t *this_frag;
3250 ++ for (frag = 0; frag+first < entry_last; frag++) {
3251 ++ index = first+frag;
3252 ++ cp->tx_skb[index] = NULL;
3253 ++ txd = &cp->tx_ring[index];
3254 ++ this_frag = &skb_shinfo(skb)->frags[frag];
3255 ++ dma_unmap_single(&cp->pdev->dev, le64_to_cpu(txd->addr),
3256 ++ skb_frag_size(this_frag), PCI_DMA_TODEVICE);
3257 ++ }
3258 ++}
3259 ++
3260 + static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
3261 + struct net_device *dev)
3262 + {
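Review bot: unwind_tx_frag_mapping() pairs ring slot `first + frag` with `frags[frag]`, but the caller passes `first_entry`, and a later hunk shows that slot holding the skb head (`cp->tx_skb[entry] = skb; entry = NEXT_TX(entry);` runs before the fragment loop). So the head slot is unmapped with the first fragment's size and each fragment slot with the following fragment's size, and the plain `first + frag < entry_last` comparison does nothing if the ring index has wrapped. Whether the head descriptor's `addr` has been written by then is outside the hunk; if it has not, `first_mapping` is never released. I would walk the fragment slots with NEXT_TX() starting after `first`, and unmap `first_mapping` at the call site, roughly as below.
```c
static void unwind_tx_frag_mapping(struct cp_private *cp, struct sk_buff *skb,
				   int first, int entry_last)
{
	int frag = 0;
	int index;

	/* slot 'first' holds the skb head; fragment slots start after it */
	for (index = NEXT_TX(first); index != entry_last;
	     index = NEXT_TX(index), frag++) {
		struct cp_desc *txd = &cp->tx_ring[index];
		skb_frag_t *this_frag = &skb_shinfo(skb)->frags[frag];

		cp->tx_skb[index] = NULL;
		dma_unmap_single(&cp->pdev->dev, le64_to_cpu(txd->addr),
				 skb_frag_size(this_frag), PCI_DMA_TODEVICE);
	}
	/* head mapping (first_mapping) is released by the caller */
	cp->tx_skb[first] = NULL;
}
```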
3263 +@@ -737,6 +760,9 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
3264 +
3265 + len = skb->len;
3266 + mapping = dma_map_single(&cp->pdev->dev, skb->data, len, PCI_DMA_TODEVICE);
3267 ++ if (dma_mapping_error(&cp->pdev->dev, mapping))
3268 ++ goto out_dma_error;
3269 ++
3270 + txd->opts2 = opts2;
3271 + txd->addr = cpu_to_le64(mapping);
3272 + wmb();
3273 +@@ -774,6 +800,9 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
3274 + first_len = skb_headlen(skb);
3275 + first_mapping = dma_map_single(&cp->pdev->dev, skb->data,
3276 + first_len, PCI_DMA_TODEVICE);
3277 ++ if (dma_mapping_error(&cp->pdev->dev, first_mapping))
3278 ++ goto out_dma_error;
3279 ++
3280 + cp->tx_skb[entry] = skb;
3281 + entry = NEXT_TX(entry);
3282 +
3283 +@@ -787,6 +816,11 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
3284 + mapping = dma_map_single(&cp->pdev->dev,
3285 + skb_frag_address(this_frag),
3286 + len, PCI_DMA_TODEVICE);
3287 ++ if (dma_mapping_error(&cp->pdev->dev, mapping)) {
3288 ++ unwind_tx_frag_mapping(cp, skb, first_entry, entry);
3289 ++ goto out_dma_error;
3290 ++ }
3291 ++
3292 + eor = (entry == (CP_TX_RING_SIZE - 1)) ? RingEnd : 0;
3293 +
3294 + ctrl = eor | len | DescOwn;
3295 +@@ -845,11 +879,16 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
3296 + if (TX_BUFFS_AVAIL(cp) <= (MAX_SKB_FRAGS + 1))
3297 + netif_stop_queue(dev);
3298 +
3299 ++out_unlock:
3300 + spin_unlock_irqrestore(&cp->lock, intr_flags);
3301 +
3302 + cpw8(TxPoll, NormalTxPoll);
3303 +
3304 + return NETDEV_TX_OK;
3305 ++out_dma_error:
3306 ++ kfree_skb(skb);
3307 ++ cp->dev->stats.tx_dropped++;
3308 ++ goto out_unlock;
3309 + }
3310 +
3311 + /* Set or clear the multicast filter for this adaptor.
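Review bot: The `out_dma_error` path calls `kfree_skb(skb)` and only then jumps to `out_unlock`, so the skb is freed while `cp->lock` is still held with interrupts disabled (`spin_unlock_irqrestore` comes after the label). `dev_kfree_skb_any()` is the helper meant for freeing in that context, so I would use `dev_kfree_skb_any(skb);` here. The path also falls through to `cpw8(TxPoll, NormalTxPoll)` after a drop, which looks harmless but deserves a comment if it is intended. cp_start_xmit() starts outside this hunk.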
3312 +@@ -1023,6 +1062,10 @@ static int cp_refill_rx(struct cp_private *cp)
3313 +
3314 + mapping = dma_map_single(&cp->pdev->dev, skb->data,
3315 + cp->rx_buf_sz, PCI_DMA_FROMDEVICE);
3316 ++ if (dma_mapping_error(&cp->pdev->dev, mapping)) {
3317 ++ kfree_skb(skb);
3318 ++ goto err_out;
3319 ++ }
3320 + cp->rx_skb[i] = skb;
3321 +
3322 + cp->rx_ring[i].opts2 = 0;
3323 +diff --git a/drivers/net/ethernet/sfc/rx.c b/drivers/net/ethernet/sfc/rx.c
3324 +index 9ce8665..c231b3f 100644
3325 +--- a/drivers/net/ethernet/sfc/rx.c
3326 ++++ b/drivers/net/ethernet/sfc/rx.c
3327 +@@ -312,8 +312,9 @@ static void efx_resurrect_rx_buffer(struct efx_rx_queue *rx_queue,
3328 +
3329 + index = rx_queue->added_count & rx_queue->ptr_mask;
3330 + new_buf = efx_rx_buffer(rx_queue, index);
3331 +- new_buf->dma_addr = rx_buf->dma_addr ^ (PAGE_SIZE >> 1);
3332 + new_buf->u.page = rx_buf->u.page;
3333 ++ new_buf->page_offset = rx_buf->page_offset ^ (PAGE_SIZE >> 1);
3334 ++ new_buf->dma_addr = state->dma_addr + new_buf->page_offset;
3335 + new_buf->len = rx_buf->len;
3336 + new_buf->is_page = true;
3337 + ++rx_queue->added_count;
3338 +diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c
3339 +index f34dd99..f37e0ae 100644
3340 +--- a/drivers/net/ethernet/via/via-rhine.c
3341 ++++ b/drivers/net/ethernet/via/via-rhine.c
3342 +@@ -32,7 +32,7 @@
3343 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
3344 +
3345 + #define DRV_NAME "via-rhine"
3346 +-#define DRV_VERSION "1.5.0"
3347 ++#define DRV_VERSION "1.5.1"
3348 + #define DRV_RELDATE "2010-10-09"
3349 +
3350 +
3351 +@@ -1518,7 +1518,12 @@ static netdev_tx_t rhine_start_tx(struct sk_buff *skb,
3352 + cpu_to_le32(TXDESC | (skb->len >= ETH_ZLEN ? skb->len : ETH_ZLEN));
3353 +
3354 + if (unlikely(vlan_tx_tag_present(skb))) {
3355 +- rp->tx_ring[entry].tx_status = cpu_to_le32((vlan_tx_tag_get(skb)) << 16);
3356 ++ u16 vid_pcp = vlan_tx_tag_get(skb);
3357 ++
3358 ++ /* drop CFI/DEI bit, register needs VID and PCP */
3359 ++ vid_pcp = (vid_pcp & VLAN_VID_MASK) |
3360 ++ ((vid_pcp & VLAN_PRIO_MASK) >> 1);
3361 ++ rp->tx_ring[entry].tx_status = cpu_to_le32((vid_pcp) << 16);
3362 + /* request tagging */
3363 + rp->tx_ring[entry].desc_length |= cpu_to_le32(0x020000);
3364 + }
3365 +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
3366 +index 2681b53..e26945d 100644
3367 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
3368 ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
3369 +@@ -308,6 +308,12 @@ static int temac_dma_bd_init(struct net_device *ndev)
3370 + lp->rx_bd_p + (sizeof(*lp->rx_bd_v) * (RX_BD_NUM - 1)));
3371 + lp->dma_out(lp, TX_CURDESC_PTR, lp->tx_bd_p);
3372 +
3373 ++ /* Init descriptor indexes */
3374 ++ lp->tx_bd_ci = 0;
3375 ++ lp->tx_bd_next = 0;
3376 ++ lp->tx_bd_tail = 0;
3377 ++ lp->rx_bd_ci = 0;
3378 ++
3379 + return 0;
3380 +
3381 + out:
3382 +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
3383 +index 96b9e3c..b0f9015 100644
3384 +--- a/drivers/net/macvtap.c
3385 ++++ b/drivers/net/macvtap.c
3386 +@@ -641,6 +641,28 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
3387 + return 0;
3388 + }
3389 +
3390 ++static unsigned long iov_pages(const struct iovec *iv, int offset,
3391 ++ unsigned long nr_segs)
3392 ++{
3393 ++ unsigned long seg, base;
3394 ++ int pages = 0, len, size;
3395 ++
3396 ++ while (nr_segs && (offset >= iv->iov_len)) {
3397 ++ offset -= iv->iov_len;
3398 ++ ++iv;
3399 ++ --nr_segs;
3400 ++ }
3401 ++
3402 ++ for (seg = 0; seg < nr_segs; seg++) {
3403 ++ base = (unsigned long)iv[seg].iov_base + offset;
3404 ++ len = iv[seg].iov_len - offset;
3405 ++ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
3406 ++ pages += size;
3407 ++ offset = 0;
3408 ++ }
3409 ++
3410 ++ return pages;
3411 ++}
3412 +
3413 + /* Get packet from user space buffer */
3414 + static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
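Review bot: `iov_pages()` keeps `len`, `size` and `pages` as `int`, while `iov_len` is a `size_t` taken from the iovec and the function returns `unsigned long`. A segment length above `INT_MAX` would therefore be truncated before the page count is compared with `MAX_SKB_FRAGS` in the next hunk. Declaring them as `unsigned long pages = 0, len, size;` keeps the arithmetic in one width. The `offset >= iv->iov_len` comparison also mixes `int` with `size_t` and relies on `offset` never being negative. Whether the caller already bounds the total iovec length is outside this hunk, so this is a hardening point rather than a confirmed overflow.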
3415 +@@ -687,31 +709,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
3416 + if (unlikely(count > UIO_MAXIOV))
3417 + goto err;
3418 +
3419 +- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY))
3420 +- zerocopy = true;
3421 +-
3422 +- if (zerocopy) {
3423 +- /* Userspace may produce vectors with count greater than
3424 +- * MAX_SKB_FRAGS, so we need to linearize parts of the skb
3425 +- * to let the rest of data to be fit in the frags.
3426 +- */
3427 +- if (count > MAX_SKB_FRAGS) {
3428 +- copylen = iov_length(iv, count - MAX_SKB_FRAGS);
3429 +- if (copylen < vnet_hdr_len)
3430 +- copylen = 0;
3431 +- else
3432 +- copylen -= vnet_hdr_len;
3433 +- }
3434 +- /* There are 256 bytes to be copied in skb, so there is enough
3435 +- * room for skb expand head in case it is used.
3436 +- * The rest buffer is mapped from userspace.
3437 +- */
3438 +- if (copylen < vnet_hdr.hdr_len)
3439 +- copylen = vnet_hdr.hdr_len;
3440 +- if (!copylen)
3441 +- copylen = GOODCOPY_LEN;
3442 ++ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) {
3443 ++ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
3444 + linear = copylen;
3445 +- } else {
3446 ++ if (iov_pages(iv, vnet_hdr_len + copylen, count)
3447 ++ <= MAX_SKB_FRAGS)
3448 ++ zerocopy = true;
3449 ++ }
3450 ++
3451 ++ if (!zerocopy) {
3452 + copylen = len;
3453 + linear = vnet_hdr.hdr_len;
3454 + }
3455 +@@ -723,9 +729,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
3456 +
3457 + if (zerocopy)
3458 + err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count);
3459 +- else
3460 ++ else {
3461 + err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len,
3462 + len);
3463 ++ if (!err && m && m->msg_control) {
3464 ++ struct ubuf_info *uarg = m->msg_control;
3465 ++ uarg->callback(uarg);
3466 ++ }
3467 ++ }
3468 ++
3469 + if (err)
3470 + goto err_kfree;
3471 +
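Review bot: On the copy path the added block treats `m->msg_control` as a `struct ubuf_info` and calls `uarg->callback` without testing `sock_flag(&q->sk, SOCK_ZEROCOPY)`, although the previous hunk only considers zerocopy when that flag is set. There is also no check that `callback` is non-NULL. If every sender that sets `msg_control` is expected to pass a valid `ubuf_info`, a comment such as `/* msg_control is the sender's ubuf_info; data was copied, so signal completion now */` would record that assumption. Otherwise the condition could repeat the flag test. Who fills in `msg_control` is not visible in this hunk.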
3472 +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
3473 +index ad6a9d9..2b349d3 100644
3474 +--- a/drivers/net/ppp/pptp.c
3475 ++++ b/drivers/net/ppp/pptp.c
3476 +@@ -281,7 +281,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
3477 + nf_reset(skb);
3478 +
3479 + skb->ip_summed = CHECKSUM_NONE;
3480 +- ip_select_ident(iph, &rt->dst, NULL);
3481 ++ ip_select_ident(skb, &rt->dst, NULL);
3482 + ip_send_check(iph);
3483 +
3484 + ip_local_out(skb);
3485 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
3486 +index f4c5de6..ee1aab0 100644
3487 +--- a/drivers/net/tun.c
3488 ++++ b/drivers/net/tun.c
3489 +@@ -614,8 +614,9 @@ static ssize_t tun_get_user(struct tun_struct *tun,
3490 + int offset = 0;
3491 +
3492 + if (!(tun->flags & TUN_NO_PI)) {
3493 +- if ((len -= sizeof(pi)) > count)
3494 ++ if (len < sizeof(pi))
3495 + return -EINVAL;
3496 ++ len -= sizeof(pi);
3497 +
3498 + if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
3499 + return -EFAULT;
3500 +@@ -623,8 +624,9 @@ static ssize_t tun_get_user(struct tun_struct *tun,
3501 + }
3502 +
3503 + if (tun->flags & TUN_VNET_HDR) {
3504 +- if ((len -= tun->vnet_hdr_sz) > count)
3505 ++ if (len < tun->vnet_hdr_sz)
3506 + return -EINVAL;
3507 ++ len -= tun->vnet_hdr_sz;
3508 +
3509 + if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
3510 + return -EFAULT;
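Review bot: The new guard in this hunk compares `len` with `tun->vnet_hdr_sz`, but the copy that follows reads `sizeof(gso)` bytes, so the check only protects that read if `vnet_hdr_sz` can never be smaller than `sizeof(gso)`. That invariant is presumably enforced where `vnet_hdr_sz` is set, which is outside the hunk; a comment like `/* relies on vnet_hdr_sz >= sizeof(gso) - confirm at the setter */` would make the dependency explicit. The previous hunk is self-consistent, because both its check and its copy use `sizeof(pi)`. The declaration of `len` is also outside both hunks, and the `len < ...` comparisons are only sound underflow guards if it is unsigned or known to be non-negative.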
3511 +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
3512 +index 2ba40cf..43aa06b 100644
3513 +--- a/drivers/net/usb/cdc_ether.c
3514 ++++ b/drivers/net/usb/cdc_ether.c
3515 +@@ -615,6 +615,11 @@ static const struct usb_device_id products [] = {
3516 + .bInterfaceProtocol = USB_CDC_PROTO_NONE,
3517 + .driver_info = (unsigned long)&wwan_info,
3518 + }, {
3519 ++ /* Telit modules */
3520 ++ USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM,
3521 ++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
3522 ++ .driver_info = (kernel_ulong_t) &wwan_info,
3523 ++}, {
3524 + USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ETHERNET,
3525 + USB_CDC_PROTO_NONE),
3526 + .driver_info = (unsigned long) &cdc_info,
3527 +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
3528 +index fbc0e4d..136ecf3 100644
3529 +--- a/drivers/net/usb/dm9601.c
3530 ++++ b/drivers/net/usb/dm9601.c
3531 +@@ -384,7 +384,7 @@ static void dm9601_set_multicast(struct net_device *net)
3532 + rx_ctl |= 0x02;
3533 + } else if (net->flags & IFF_ALLMULTI ||
3534 + netdev_mc_count(net) > DM_MAX_MCAST) {
3535 +- rx_ctl |= 0x04;
3536 ++ rx_ctl |= 0x08;
3537 + } else if (!netdev_mc_empty(net)) {
3538 + struct netdev_hw_addr *ha;
3539 +
3540 +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
3541 +index 73be7ff..f146824 100644
3542 +--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
3543 ++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
3544 +@@ -1016,6 +1016,10 @@ static bool ar9003_hw_ani_control(struct ath_hw *ah,
3545 + * is_on == 0 means MRC CCK is OFF (more noise imm)
3546 + */
3547 + bool is_on = param ? 1 : 0;
3548 ++
3549 ++ if (ah->caps.rx_chainmask == 1)
3550 ++ break;
3551 ++
3552 + REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL,
3553 + AR_PHY_MRC_CCK_ENABLE, is_on);
3554 + REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL,
3555 +diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
3556 +index 1c269f5..7c70cf2 100644
3557 +--- a/drivers/net/wireless/ath/ath9k/ath9k.h
3558 ++++ b/drivers/net/wireless/ath/ath9k/ath9k.h
3559 +@@ -77,10 +77,6 @@ struct ath_config {
3560 + sizeof(struct ath_buf_state)); \
3561 + } while (0)
3562 +
3563 +-#define ATH_RXBUF_RESET(_bf) do { \
3564 +- (_bf)->bf_stale = false; \
3565 +- } while (0)
3566 +-
3567 + /**
3568 + * enum buffer_type - Buffer type flags
3569 + *
3570 +@@ -308,6 +304,7 @@ struct ath_rx {
3571 + struct ath_buf *rx_bufptr;
3572 + struct ath_rx_edma rx_edma[ATH9K_RX_QUEUE_MAX];
3573 +
3574 ++ struct ath_buf *buf_hold;
3575 + struct sk_buff *frag;
3576 + };
3577 +
3578 +diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
3579 +index d171a72..8326c14 100644
3580 +--- a/drivers/net/wireless/ath/ath9k/recv.c
3581 ++++ b/drivers/net/wireless/ath/ath9k/recv.c
3582 +@@ -78,8 +78,6 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf)
3583 + struct ath_desc *ds;
3584 + struct sk_buff *skb;
3585 +
3586 +- ATH_RXBUF_RESET(bf);
3587 +-
3588 + ds = bf->bf_desc;
3589 + ds->ds_link = 0; /* link to null */
3590 + ds->ds_data = bf->bf_buf_addr;
3591 +@@ -106,6 +104,14 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf)
3592 + sc->rx.rxlink = &ds->ds_link;
3593 + }
3594 +
3595 ++static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_buf *bf)
3596 ++{
3597 ++ if (sc->rx.buf_hold)
3598 ++ ath_rx_buf_link(sc, sc->rx.buf_hold);
3599 ++
3600 ++ sc->rx.buf_hold = bf;
3601 ++}
3602 ++
3603 + static void ath_setdefantenna(struct ath_softc *sc, u32 antenna)
3604 + {
3605 + /* XXX block beacon interrupts */
3606 +@@ -153,7 +159,6 @@ static bool ath_rx_edma_buf_link(struct ath_softc *sc,
3607 +
3608 + skb = bf->bf_mpdu;
3609 +
3610 +- ATH_RXBUF_RESET(bf);
3611 + memset(skb->data, 0, ah->caps.rx_status_len);
3612 + dma_sync_single_for_device(sc->dev, bf->bf_buf_addr,
3613 + ah->caps.rx_status_len, DMA_TO_DEVICE);
3614 +@@ -492,6 +497,7 @@ int ath_startrecv(struct ath_softc *sc)
3615 + if (list_empty(&sc->rx.rxbuf))
3616 + goto start_recv;
3617 +
3618 ++ sc->rx.buf_hold = NULL;
3619 + sc->rx.rxlink = NULL;
3620 + list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) {
3621 + ath_rx_buf_link(sc, bf);
3622 +@@ -742,6 +748,9 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc,
3623 + }
3624 +
3625 + bf = list_first_entry(&sc->rx.rxbuf, struct ath_buf, list);
3626 ++ if (bf == sc->rx.buf_hold)
3627 ++ return NULL;
3628 ++
3629 + ds = bf->bf_desc;
3630 +
3631 + /*
3632 +@@ -1974,7 +1983,7 @@ requeue:
3633 + if (edma) {
3634 + ath_rx_edma_buf_link(sc, qtype);
3635 + } else {
3636 +- ath_rx_buf_link(sc, bf);
3637 ++ ath_rx_buf_relink(sc, bf);
3638 + ath9k_hw_rxena(ah);
3639 + }
3640 + } while (1);
3641 +diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
3642 +index 18da100..126ed31 100644
3643 +--- a/drivers/net/wireless/ath/ath9k/xmit.c
3644 ++++ b/drivers/net/wireless/ath/ath9k/xmit.c
3645 +@@ -2423,6 +2423,7 @@ void ath_tx_node_init(struct ath_softc *sc, struct ath_node *an)
3646 + for (acno = 0, ac = &an->ac[acno];
3647 + acno < WME_NUM_AC; acno++, ac++) {
3648 + ac->sched = false;
3649 ++ ac->clear_ps_filter = true;
3650 + ac->txq = sc->tx.txq_map[acno];
3651 + INIT_LIST_HEAD(&ac->tid_q);
3652 + }
3653 +diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
3654 +index 564218c..0784493 100644
3655 +--- a/drivers/net/wireless/p54/p54usb.c
3656 ++++ b/drivers/net/wireless/p54/p54usb.c
3657 +@@ -83,6 +83,7 @@ static struct usb_device_id p54u_table[] = {
3658 + {USB_DEVICE(0x06a9, 0x000e)}, /* Westell 802.11g USB (A90-211WG-01) */
3659 + {USB_DEVICE(0x06b9, 0x0121)}, /* Thomson SpeedTouch 121g */
3660 + {USB_DEVICE(0x0707, 0xee13)}, /* SMC 2862W-G version 2 */
3661 ++ {USB_DEVICE(0x07aa, 0x0020)}, /* Corega WLUSB2GTST USB */
3662 + {USB_DEVICE(0x0803, 0x4310)}, /* Zoom 4410a */
3663 + {USB_DEVICE(0x083a, 0x4521)}, /* Siemens Gigaset USB Adapter 54 version 2 */
3664 + {USB_DEVICE(0x083a, 0x4531)}, /* T-Com Sinus 154 data II */
3665 +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
3666 +index 67cbe5a..8fb8c9e 100644
3667 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c
3668 ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
3669 +@@ -2067,6 +2067,13 @@ static int rt2800_get_gain_calibration_delta(struct rt2x00_dev *rt2x00dev)
3670 + int i;
3671 +
3672 + /*
3673 ++ * First check if temperature compensation is supported.
3674 ++ */
3675 ++ rt2x00_eeprom_read(rt2x00dev, EEPROM_NIC_CONF1, &eeprom);
3676 ++ if (!rt2x00_get_field16(eeprom, EEPROM_NIC_CONF1_EXTERNAL_TX_ALC))
3677 ++ return 0;
3678 ++
3679 ++ /*
3680 + * Read TSSI boundaries for temperature compensation from
3681 + * the EEPROM.
3682 + *
3683 +diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h
3684 +index deb87e9..82baaa2 100644
3685 +--- a/drivers/net/wireless/rtlwifi/wifi.h
3686 ++++ b/drivers/net/wireless/rtlwifi/wifi.h
3687 +@@ -1630,7 +1630,7 @@ struct rtl_priv {
3688 + that it points to the data allocated
3689 + beyond this structure like:
3690 + rtl_pci_priv or rtl_usb_priv */
3691 +- u8 priv[0];
3692 ++ u8 priv[0] __aligned(sizeof(void *));
3693 + };
3694 +
3695 + #define rtl_priv(hw) (((struct rtl_priv *)(hw)->priv))
3696 +diff --git a/drivers/of/base.c b/drivers/of/base.c
3697 +index 9b6588e..37639a6 100644
3698 +--- a/drivers/of/base.c
3699 ++++ b/drivers/of/base.c
3700 +@@ -1189,6 +1189,7 @@ void of_alias_scan(void * (*dt_alloc)(u64 size, u64 align))
3701 + ap = dt_alloc(sizeof(*ap) + len + 1, 4);
3702 + if (!ap)
3703 + continue;
3704 ++ memset(ap, 0, sizeof(*ap) + len + 1);
3705 + ap->alias = start;
3706 + of_alias_add(ap, np, id, start, len);
3707 + }
3708 +diff --git a/drivers/scsi/esp_scsi.c b/drivers/scsi/esp_scsi.c
3709 +index 394ed9e..4aa30d8 100644
3710 +--- a/drivers/scsi/esp_scsi.c
3711 ++++ b/drivers/scsi/esp_scsi.c
3712 +@@ -530,7 +530,7 @@ static int esp_need_to_nego_sync(struct esp_target_data *tp)
3713 + static int esp_alloc_lun_tag(struct esp_cmd_entry *ent,
3714 + struct esp_lun_data *lp)
3715 + {
3716 +- if (!ent->tag[0]) {
3717 ++ if (!ent->orig_tag[0]) {
3718 + /* Non-tagged, slot already taken? */
3719 + if (lp->non_tagged_cmd)
3720 + return -EBUSY;
3721 +@@ -564,9 +564,9 @@ static int esp_alloc_lun_tag(struct esp_cmd_entry *ent,
3722 + return -EBUSY;
3723 + }
3724 +
3725 +- BUG_ON(lp->tagged_cmds[ent->tag[1]]);
3726 ++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]]);
3727 +
3728 +- lp->tagged_cmds[ent->tag[1]] = ent;
3729 ++ lp->tagged_cmds[ent->orig_tag[1]] = ent;
3730 + lp->num_tagged++;
3731 +
3732 + return 0;
3733 +@@ -575,9 +575,9 @@ static int esp_alloc_lun_tag(struct esp_cmd_entry *ent,
3734 + static void esp_free_lun_tag(struct esp_cmd_entry *ent,
3735 + struct esp_lun_data *lp)
3736 + {
3737 +- if (ent->tag[0]) {
3738 +- BUG_ON(lp->tagged_cmds[ent->tag[1]] != ent);
3739 +- lp->tagged_cmds[ent->tag[1]] = NULL;
3740 ++ if (ent->orig_tag[0]) {
3741 ++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]] != ent);
3742 ++ lp->tagged_cmds[ent->orig_tag[1]] = NULL;
3743 + lp->num_tagged--;
3744 + } else {
3745 + BUG_ON(lp->non_tagged_cmd != ent);
3746 +@@ -667,6 +667,8 @@ static struct esp_cmd_entry *find_and_prep_issuable_command(struct esp *esp)
3747 + ent->tag[0] = 0;
3748 + ent->tag[1] = 0;
3749 + }
3750 ++ ent->orig_tag[0] = ent->tag[0];
3751 ++ ent->orig_tag[1] = ent->tag[1];
3752 +
3753 + if (esp_alloc_lun_tag(ent, lp) < 0)
3754 + continue;
3755 +diff --git a/drivers/scsi/esp_scsi.h b/drivers/scsi/esp_scsi.h
3756 +index 28e22ac..cd68805 100644
3757 +--- a/drivers/scsi/esp_scsi.h
3758 ++++ b/drivers/scsi/esp_scsi.h
3759 +@@ -271,6 +271,7 @@ struct esp_cmd_entry {
3760 + #define ESP_CMD_FLAG_AUTOSENSE 0x04 /* Doing automatic REQUEST_SENSE */
3761 +
3762 + u8 tag[2];
3763 ++ u8 orig_tag[2];
3764 +
3765 + u8 status;
3766 + u8 message;
3767 +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
3768 +index 96029e6..c874458 100644
3769 +--- a/drivers/scsi/scsi_transport_iscsi.c
3770 ++++ b/drivers/scsi/scsi_transport_iscsi.c
3771 +@@ -2105,7 +2105,7 @@ iscsi_if_rx(struct sk_buff *skb)
3772 + break;
3773 + err = iscsi_if_send_reply(group, nlh->nlmsg_seq,
3774 + nlh->nlmsg_type, 0, 0, ev, sizeof(*ev));
3775 +- } while (err < 0 && err != -ECONNREFUSED);
3776 ++ } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
3777 + skb_pull(skb, rlen);
3778 + }
3779 + mutex_unlock(&rx_queue_mutex);
3780 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
3781 +index 17603da..f6d2b62 100644
3782 +--- a/drivers/scsi/sd.c
3783 ++++ b/drivers/scsi/sd.c
3784 +@@ -2136,14 +2136,9 @@ sd_read_cache_type(struct scsi_disk *sdkp, unsigned char *buffer)
3785 + }
3786 + }
3787 +
3788 +- if (modepage == 0x3F) {
3789 +- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
3790 +- "present\n");
3791 +- goto defaults;
3792 +- } else if ((buffer[offset] & 0x3f) != modepage) {
3793 +- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
3794 +- goto defaults;
3795 +- }
3796 ++ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
3797 ++ goto defaults;
3798 ++
3799 + Page_found:
3800 + if (modepage == 8) {
3801 + sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
3802 +diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c
3803 +index 95ebc26..e3adb38 100644
3804 +--- a/drivers/staging/comedi/drivers/dt282x.c
3805 ++++ b/drivers/staging/comedi/drivers/dt282x.c
3806 +@@ -407,8 +407,9 @@ struct dt282x_private {
3807 + } \
3808 + udelay(5); \
3809 + } \
3810 +- if (_i) \
3811 ++ if (_i) { \
3812 + b \
3813 ++ } \
3814 + } while (0)
3815 +
3816 + static int dt282x_attach(struct comedi_device *dev,
3817 +diff --git a/drivers/staging/comedi/drivers/ni_65xx.c b/drivers/staging/comedi/drivers/ni_65xx.c
3818 +index 403fc09..8b564ad 100644
3819 +--- a/drivers/staging/comedi/drivers/ni_65xx.c
3820 ++++ b/drivers/staging/comedi/drivers/ni_65xx.c
3821 +@@ -411,29 +411,25 @@ static int ni_65xx_dio_insn_bits(struct comedi_device *dev,
3822 + struct comedi_subdevice *s,
3823 + struct comedi_insn *insn, unsigned int *data)
3824 + {
3825 +- unsigned base_bitfield_channel;
3826 +- const unsigned max_ports_per_bitfield = 5;
3827 ++ int base_bitfield_channel;
3828 + unsigned read_bits = 0;
3829 +- unsigned j;
3830 ++ int last_port_offset = ni_65xx_port_by_channel(s->n_chan - 1);
3831 ++ int port_offset;
3832 ++
3833 + if (insn->n != 2)
3834 + return -EINVAL;
3835 + base_bitfield_channel = CR_CHAN(insn->chanspec);
3836 +- for (j = 0; j < max_ports_per_bitfield; ++j) {
3837 +- const unsigned port_offset =
3838 +- ni_65xx_port_by_channel(base_bitfield_channel) + j;
3839 +- const unsigned port =
3840 +- sprivate(s)->base_port + port_offset;
3841 +- unsigned base_port_channel;
3842 ++ for (port_offset = ni_65xx_port_by_channel(base_bitfield_channel);
3843 ++ port_offset <= last_port_offset; port_offset++) {
3844 ++ unsigned port = sprivate(s)->base_port + port_offset;
3845 ++ int base_port_channel = port_offset * ni_65xx_channels_per_port;
3846 + unsigned port_mask, port_data, port_read_bits;
3847 +- int bitshift;
3848 +- if (port >= ni_65xx_total_num_ports(board(dev)))
3849 ++ int bitshift = base_port_channel - base_bitfield_channel;
3850 ++
3851 ++ if (bitshift >= 32)
3852 + break;
3853 +- base_port_channel = port_offset * ni_65xx_channels_per_port;
3854 + port_mask = data[0];
3855 + port_data = data[1];
3856 +- bitshift = base_port_channel - base_bitfield_channel;
3857 +- if (bitshift >= 32 || bitshift <= -32)
3858 +- break;
3859 + if (bitshift > 0) {
3860 + port_mask >>= bitshift;
3861 + port_data >>= bitshift;
3862 +diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c
3863 +index 754d54e..f680766 100644
3864 +--- a/drivers/staging/vt6656/main_usb.c
3865 ++++ b/drivers/staging/vt6656/main_usb.c
3866 +@@ -1221,6 +1221,8 @@ device_release_WPADEV(pDevice);
3867 + memset(pMgmt->abyCurrBSSID, 0, 6);
3868 + pMgmt->eCurrState = WMAC_STATE_IDLE;
3869 +
3870 ++ pDevice->flags &= ~DEVICE_FLAGS_OPENED;
3871 ++
3872 + device_free_tx_bufs(pDevice);
3873 + device_free_rx_bufs(pDevice);
3874 + device_free_int_bufs(pDevice);
3875 +@@ -1232,7 +1234,6 @@ device_release_WPADEV(pDevice);
3876 + usb_free_urb(pDevice->pInterruptURB);
3877 +
3878 + BSSvClearNodeDBTable(pDevice, 0);
3879 +- pDevice->flags &=(~DEVICE_FLAGS_OPENED);
3880 +
3881 + DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "device_close2 \n");
3882 +
3883 +diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
3884 +index 926d483..d197b3e 100644
3885 +--- a/drivers/staging/zram/zram_drv.c
3886 ++++ b/drivers/staging/zram/zram_drv.c
3887 +@@ -709,9 +709,7 @@ static void zram_slot_free_notify(struct block_device *bdev,
3888 + struct zram *zram;
3889 +
3890 + zram = bdev->bd_disk->private_data;
3891 +- down_write(&zram->lock);
3892 + zram_free_page(zram, index);
3893 +- up_write(&zram->lock);
3894 + zram_stat64_inc(zram, &zram->stats.notify_free);
3895 + }
3896 +
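Review bot: `zram_free_page()` is now called from `zram_slot_free_notify()` with no lock held, and nothing in the hunk says what serialises it against the read and write paths. The companion change in zram_drv.h narrows the lock comment to reads and writes of the compression buffers and table, which suggests (the body of `zram_free_page()` is not shown) that the free path still touches the table. If the semaphore was dropped because this callback must not sleep, say so at the call, e.g. `/* may be called in atomic context: cannot take zram->lock */`, and state what keeps a concurrent write from racing with the free. An unsynchronised update of table entries could be a memory-safety problem rather than a statistics glitch, so it deserves an explicit justification.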
3897 +diff --git a/drivers/staging/zram/zram_drv.h b/drivers/staging/zram/zram_drv.h
3898 +index 87f2fec..e5cd246 100644
3899 +--- a/drivers/staging/zram/zram_drv.h
3900 ++++ b/drivers/staging/zram/zram_drv.h
3901 +@@ -107,9 +107,8 @@ struct zram {
3902 + void *compress_buffer;
3903 + struct table *table;
3904 + spinlock_t stat64_lock; /* protect 64-bit stats */
3905 +- struct rw_semaphore lock; /* protect compression buffers, table,
3906 +- * 32bit stat counters against concurrent
3907 +- * notifications, reads and writes */
3908 ++ struct rw_semaphore lock; /* protect compression buffers and table
3909 ++ * against concurrent read and writes */
3910 + struct request_queue *queue;
3911 + struct gendisk *disk;
3912 + int init_done;
3913 +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
3914 +index c0b4872..f5440a7 100644
3915 +--- a/drivers/tty/serial/pch_uart.c
3916 ++++ b/drivers/tty/serial/pch_uart.c
3917 +@@ -552,11 +552,12 @@ static int dma_push_rx(struct eg20t_port *priv, int size)
3918 + dev_warn(port->dev, "Rx overrun: dropping %u bytes\n",
3919 + size - room);
3920 + if (!room)
3921 +- return room;
3922 ++ goto out;
3923 +
3924 + tty_insert_flip_string(tty, sg_virt(&priv->sg_rx), size);
3925 +
3926 + port->icount.rx += room;
3927 ++out:
3928 + tty_kref_put(tty);
3929 +
3930 + return room;
3931 +@@ -970,6 +971,8 @@ static void pch_uart_err_ir(struct eg20t_port *priv, unsigned int lsr)
3932 + if (tty == NULL) {
3933 + for (i = 0; error_msg[i] != NULL; i++)
3934 + dev_err(&priv->pdev->dev, error_msg[i]);
3935 ++ } else {
3936 ++ tty_kref_put(tty);
3937 + }
3938 + }
3939 +
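Review bot: `dev_err(&priv->pdev->dev, error_msg[i]);` passes a table entry as the format string; it should be `dev_err(&priv->pdev->dev, "%s", error_msg[i]);`. The strings in `error_msg` are filled in outside the hunk and are presumably driver constants, so this is a robustness point, but any `%` in a message would be interpreted as a conversion. The function starts outside the hunk.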
3940 +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
3941 +index fe8c04b..06dfb4f 100644
3942 +--- a/drivers/usb/class/cdc-wdm.c
3943 ++++ b/drivers/usb/class/cdc-wdm.c
3944 +@@ -187,6 +187,7 @@ skip_error:
3945 + static void wdm_int_callback(struct urb *urb)
3946 + {
3947 + int rv = 0;
3948 ++ int responding;
3949 + int status = urb->status;
3950 + struct wdm_device *desc;
3951 + struct usb_ctrlrequest *req;
3952 +@@ -260,8 +261,8 @@ static void wdm_int_callback(struct urb *urb)
3953 + desc->response->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
3954 + spin_lock(&desc->iuspin);
3955 + clear_bit(WDM_READ, &desc->flags);
3956 +- set_bit(WDM_RESPONDING, &desc->flags);
3957 +- if (!test_bit(WDM_DISCONNECTING, &desc->flags)
3958 ++ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
3959 ++ if (!responding && !test_bit(WDM_DISCONNECTING, &desc->flags)
3960 + && !test_bit(WDM_SUSPENDING, &desc->flags)) {
3961 + rv = usb_submit_urb(desc->response, GFP_ATOMIC);
3962 + dev_dbg(&desc->intf->dev, "%s: usb_submit_urb %d",
3963 +@@ -658,16 +659,20 @@ static void wdm_rxwork(struct work_struct *work)
3964 + {
3965 + struct wdm_device *desc = container_of(work, struct wdm_device, rxwork);
3966 + unsigned long flags;
3967 +- int rv;
3968 ++ int rv = 0;
3969 ++ int responding;
3970 +
3971 + spin_lock_irqsave(&desc->iuspin, flags);
3972 + if (test_bit(WDM_DISCONNECTING, &desc->flags)) {
3973 + spin_unlock_irqrestore(&desc->iuspin, flags);
3974 + } else {
3975 ++ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
3976 + spin_unlock_irqrestore(&desc->iuspin, flags);
3977 +- rv = usb_submit_urb(desc->response, GFP_KERNEL);
3978 ++ if (!responding)
3979 ++ rv = usb_submit_urb(desc->response, GFP_KERNEL);
3980 + if (rv < 0 && rv != -EPERM) {
3981 + spin_lock_irqsave(&desc->iuspin, flags);
3982 ++ clear_bit(WDM_RESPONDING, &desc->flags);
3983 + if (!test_bit(WDM_DISCONNECTING, &desc->flags))
3984 + schedule_work(&desc->rxwork);
3985 + spin_unlock_irqrestore(&desc->iuspin, flags);
3986 +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
3987 +index f4bdd0c..78609d3 100644
3988 +--- a/drivers/usb/core/config.c
3989 ++++ b/drivers/usb/core/config.c
3990 +@@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
3991 +
3992 + memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
3993 + if (config->desc.bDescriptorType != USB_DT_CONFIG ||
3994 +- config->desc.bLength < USB_DT_CONFIG_SIZE) {
3995 ++ config->desc.bLength < USB_DT_CONFIG_SIZE ||
3996 ++ config->desc.bLength > size) {
3997 + dev_err(ddev, "invalid descriptor for config index %d: "
3998 + "type = 0x%X, length = %d\n", cfgidx,
3999 + config->desc.bDescriptorType, config->desc.bLength);
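Review bot: The `memcpy()` of `USB_DT_CONFIG_SIZE` bytes from `buffer` runs before any length check in this hunk, so it depends on the caller having supplied at least that many bytes. The added `bLength > size` test only rejects the descriptor afterwards. The caller's guarantee is outside the hunk; once confirmed, a short comment above the copy such as `/* caller guarantees size >= USB_DT_CONFIG_SIZE */` would document it. Printing `size` in the `dev_err()` message would also help triage, since the new failure mode is a mismatch between the device-reported `bLength` and `size`.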
4000 +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
4001 +index 22f770a..49257b3 100644
4002 +--- a/drivers/usb/core/devio.c
4003 ++++ b/drivers/usb/core/devio.c
4004 +@@ -646,6 +646,22 @@ static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype,
4005 + if ((index & ~USB_DIR_IN) == 0)
4006 + return 0;
4007 + ret = findintfep(ps->dev, index);
4008 ++ if (ret < 0) {
4009 ++ /*
4010 ++ * Some not fully compliant Win apps seem to get
4011 ++ * index wrong and have the endpoint number here
4012 ++ * rather than the endpoint address (with the
4013 ++ * correct direction). Win does let this through,
4014 ++ * so we'll not reject it here but leave it to
4015 ++ * the device to not break KVM. But we warn.
4016 ++ */
4017 ++ ret = findintfep(ps->dev, index ^ 0x80);
4018 ++ if (ret >= 0)
4019 ++ dev_info(&ps->dev->dev,
4020 ++ "%s: process %i (%s) requesting ep %02x but needs %02x\n",
4021 ++ __func__, task_pid_nr(current),
4022 ++ current->comm, index, index ^ 0x80);
4023 ++ }
4024 + if (ret >= 0)
4025 + ret = checkintf(ps, ret);
4026 + break;
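Review bot: The added `dev_info()` is reachable from any process that can issue control requests through usbfs with the direction bit wrong, and it is not rate limited, so repeated requests can fill the kernel log. Guarding it, for example with `if (ret >= 0 && printk_ratelimit())`, keeps the diagnostic without that side effect. The fallback also relaxes the recipient check to accept either direction of the endpoint address. The existing comment explains why, but it should also say that `checkintf()` still runs on the result, so interface ownership is still enforced. `check_ctrlrecip()` starts outside the hunk.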
4027 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
4028 +index 2768a7e..a5ea85f 100644
4029 +--- a/drivers/usb/core/hub.c
4030 ++++ b/drivers/usb/core/hub.c
4031 +@@ -3749,7 +3749,8 @@ static void hub_events(void)
4032 + hub->hdev->children[i - 1];
4033 +
4034 + dev_dbg(hub_dev, "warm reset port %d\n", i);
4035 +- if (!udev) {
4036 ++ if (!udev || !(portstatus &
4037 ++ USB_PORT_STAT_CONNECTION)) {
4038 + status = hub_port_reset(hub, i,
4039 + NULL, HUB_BH_RESET_TIME,
4040 + true);
4041 +@@ -3759,8 +3760,8 @@ static void hub_events(void)
4042 + usb_lock_device(udev);
4043 + status = usb_reset_device(udev);
4044 + usb_unlock_device(udev);
4045 ++ connect_change = 0;
4046 + }
4047 +- connect_change = 0;
4048 + }
4049 +
4050 + if (connect_change)
4051 +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
4052 +index f77c000..9edc582 100644
4053 +--- a/drivers/usb/dwc3/dwc3-pci.c
4054 ++++ b/drivers/usb/dwc3/dwc3-pci.c
4055 +@@ -45,6 +45,8 @@
4056 + /* FIXME define these in <linux/pci_ids.h> */
4057 + #define PCI_VENDOR_ID_SYNOPSYS 0x16c3
4058 + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd
4059 ++#define PCI_DEVICE_ID_INTEL_BYT 0x0f37
4060 ++#define PCI_DEVICE_ID_INTEL_MRFLD 0x119e
4061 +
4062 + #define DWC3_PCI_DEVS_POSSIBLE 32
4063 +
4064 +@@ -191,6 +193,8 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
4065 + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
4066 + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3),
4067 + },
4068 ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
4069 ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
4070 + { } /* Terminating Entry */
4071 + };
4072 + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
4073 +diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c
4074 +index 55978fc..0874473 100644
4075 +--- a/drivers/usb/host/ehci-mxc.c
4076 ++++ b/drivers/usb/host/ehci-mxc.c
4077 +@@ -296,7 +296,7 @@ static int __exit ehci_mxc_drv_remove(struct platform_device *pdev)
4078 + if (pdata && pdata->exit)
4079 + pdata->exit(pdev);
4080 +
4081 +- if (pdata->otg)
4082 ++ if (pdata && pdata->otg)
4083 + otg_shutdown(pdata->otg);
4084 +
4085 + usb_remove_hcd(hcd);
4086 +diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/ehci-pci.c
4087 +index b71e22e..29c0421 100644
4088 +--- a/drivers/usb/host/ehci-pci.c
4089 ++++ b/drivers/usb/host/ehci-pci.c
4090 +@@ -543,7 +543,7 @@ static struct pci_driver ehci_pci_driver = {
4091 + .remove = usb_hcd_pci_remove,
4092 + .shutdown = usb_hcd_pci_shutdown,
4093 +
4094 +-#ifdef CONFIG_PM_SLEEP
4095 ++#ifdef CONFIG_PM
4096 + .driver = {
4097 + .pm = &usb_hcd_pci_pm_ops
4098 + },
4099 +diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c
4100 +index bc01b06..839cb64 100644
4101 +--- a/drivers/usb/host/ohci-pci.c
4102 ++++ b/drivers/usb/host/ohci-pci.c
4103 +@@ -413,7 +413,7 @@ static struct pci_driver ohci_pci_driver = {
4104 + .remove = usb_hcd_pci_remove,
4105 + .shutdown = usb_hcd_pci_shutdown,
4106 +
4107 +-#ifdef CONFIG_PM_SLEEP
4108 ++#ifdef CONFIG_PM
4109 + .driver = {
4110 + .pm = &usb_hcd_pci_pm_ops
4111 + },
4112 +diff --git a/drivers/usb/host/uhci-pci.c b/drivers/usb/host/uhci-pci.c
4113 +index c300bd2f7..0f228c4 100644
4114 +--- a/drivers/usb/host/uhci-pci.c
4115 ++++ b/drivers/usb/host/uhci-pci.c
4116 +@@ -293,7 +293,7 @@ static struct pci_driver uhci_pci_driver = {
4117 + .remove = usb_hcd_pci_remove,
4118 + .shutdown = uhci_shutdown,
4119 +
4120 +-#ifdef CONFIG_PM_SLEEP
4121 ++#ifdef CONFIG_PM
4122 + .driver = {
4123 + .pm = &usb_hcd_pci_pm_ops
4124 + },
4125 +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
4126 +index 79d2720..61b0668 100644
4127 +--- a/drivers/usb/host/xhci-pci.c
4128 ++++ b/drivers/usb/host/xhci-pci.c
4129 +@@ -330,7 +330,7 @@ static struct pci_driver xhci_pci_driver = {
4130 + /* suspend and resume implemented later */
4131 +
4132 + .shutdown = usb_hcd_pci_shutdown,
4133 +-#ifdef CONFIG_PM_SLEEP
4134 ++#ifdef CONFIG_PM
4135 + .driver = {
4136 + .pm = &usb_hcd_pci_pm_ops
4137 + },
4138 +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
4139 +index 633476e..2b4f42b 100644
4140 +--- a/drivers/usb/host/xhci-ring.c
4141 ++++ b/drivers/usb/host/xhci-ring.c
4142 +@@ -879,8 +879,12 @@ remove_finished_td:
4143 + /* Otherwise ring the doorbell(s) to restart queued transfers */
4144 + ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
4145 + }
4146 +- ep->stopped_td = NULL;
4147 +- ep->stopped_trb = NULL;
4148 ++
4149 ++ /* Clear stopped_td and stopped_trb if endpoint is not halted */
4150 ++ if (!(ep->ep_state & EP_HALTED)) {
4151 ++ ep->stopped_td = NULL;
4152 ++ ep->stopped_trb = NULL;
4153 ++ }
4154 +
4155 + /*
4156 + * Drop the lock and complete the URBs in the cancelled TD list.
4157 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
4158 +index 6e1c92a..629aa74 100644
4159 +--- a/drivers/usb/host/xhci.c
4160 ++++ b/drivers/usb/host/xhci.c
4161 +@@ -3484,10 +3484,21 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
4162 + {
4163 + struct xhci_hcd *xhci = hcd_to_xhci(hcd);
4164 + struct xhci_virt_device *virt_dev;
4165 ++ struct device *dev = hcd->self.controller;
4166 + unsigned long flags;
4167 + u32 state;
4168 + int i, ret;
4169 +
4170 ++#ifndef CONFIG_USB_DEFAULT_PERSIST
4171 ++ /*
4172 ++ * We called pm_runtime_get_noresume when the device was attached.
4173 ++ * Decrement the counter here to allow controller to runtime suspend
4174 ++ * if no devices remain.
4175 ++ */
4176 ++ if (xhci->quirks & XHCI_RESET_ON_RESUME)
4177 ++ pm_runtime_put_noidle(dev);
4178 ++#endif
4179 ++
4180 + ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__);
4181 + /* If the host is halted due to driver unload, we still need to free the
4182 + * device.
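Review bot: `pm_runtime_put_noidle(dev)` is placed ahead of `xhci_check_args()`, so the usage count is dropped even when argument validation fails and the function returns early. The matching `pm_runtime_get_noresume()` in `xhci_alloc_dev()` is only reached after a slot has been assigned. If `xhci_free_dev()` can run for a device that never got that far, the counter would go out of balance; whether that can happen is not visible in these hunks. Moving the put after the validation, or noting in the comment why every call is paired with a successful alloc, would settle it. The rest of the function body is outside the hunk.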
4183 +@@ -3559,6 +3570,7 @@ static int xhci_reserve_host_control_ep_resources(struct xhci_hcd *xhci)
4184 + int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
4185 + {
4186 + struct xhci_hcd *xhci = hcd_to_xhci(hcd);
4187 ++ struct device *dev = hcd->self.controller;
4188 + unsigned long flags;
4189 + int timeleft;
4190 + int ret;
4191 +@@ -3611,6 +3623,16 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
4192 + goto disable_slot;
4193 + }
4194 + udev->slot_id = xhci->slot_id;
4195 ++
4196 ++#ifndef CONFIG_USB_DEFAULT_PERSIST
4197 ++ /*
4198 ++ * If resetting upon resume, we can't put the controller into runtime
4199 ++ * suspend if there is a device attached.
4200 ++ */
4201 ++ if (xhci->quirks & XHCI_RESET_ON_RESUME)
4202 ++ pm_runtime_get_noresume(dev);
4203 ++#endif
4204 ++
4205 + /* Is this a LS or FS device under a HS hub? */
4206 + /* Hub or peripherial? */
4207 + return 1;
4208 +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
4209 +index 9270d5c..8e02ff2 100644
4210 +--- a/drivers/usb/serial/mos7720.c
4211 ++++ b/drivers/usb/serial/mos7720.c
4212 +@@ -383,7 +383,7 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
4213 + kfree(urbtrack);
4214 + return -ENOMEM;
4215 + }
4216 +- urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL);
4217 ++ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_ATOMIC);
4218 + if (!urbtrack->setup) {
4219 + usb_free_urb(urbtrack->urb);
4220 + kfree(urbtrack);
4221 +@@ -391,8 +391,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
4222 + }
4223 + urbtrack->setup->bRequestType = (__u8)0x40;
4224 + urbtrack->setup->bRequest = (__u8)0x0e;
4225 +- urbtrack->setup->wValue = get_reg_value(reg, dummy);
4226 +- urbtrack->setup->wIndex = get_reg_index(reg);
4227 ++ urbtrack->setup->wValue = cpu_to_le16(get_reg_value(reg, dummy));
4228 ++ urbtrack->setup->wIndex = cpu_to_le16(get_reg_index(reg));
4229 + urbtrack->setup->wLength = 0;
4230 + usb_fill_control_urb(urbtrack->urb, usbdev,
4231 + usb_sndctrlpipe(usbdev, 0),
4232 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
4233 +index c2103f4..536c4ad 100644
4234 +--- a/drivers/usb/serial/option.c
4235 ++++ b/drivers/usb/serial/option.c
4236 +@@ -81,6 +81,7 @@ static void option_instat_callback(struct urb *urb);
4237 +
4238 + #define HUAWEI_VENDOR_ID 0x12D1
4239 + #define HUAWEI_PRODUCT_E173 0x140C
4240 ++#define HUAWEI_PRODUCT_E1750 0x1406
4241 + #define HUAWEI_PRODUCT_K4505 0x1464
4242 + #define HUAWEI_PRODUCT_K3765 0x1465
4243 + #define HUAWEI_PRODUCT_K4605 0x14C6
4244 +@@ -581,6 +582,8 @@ static const struct usb_device_id option_ids[] = {
4245 + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
4246 + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
4247 + .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
4248 ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff),
4249 ++ .driver_info = (kernel_ulong_t) &net_intf2_blacklist },
4250 + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
4251 + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) },
4252 + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
4253 +diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
4254 +index bf1c094..b657de6 100644
4255 +--- a/drivers/xen/grant-table.c
4256 ++++ b/drivers/xen/grant-table.c
4257 +@@ -355,9 +355,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback,
4258 + void (*fn)(void *), void *arg, u16 count)
4259 + {
4260 + unsigned long flags;
4261 ++ struct gnttab_free_callback *cb;
4262 ++
4263 + spin_lock_irqsave(&gnttab_list_lock, flags);
4264 +- if (callback->next)
4265 +- goto out;
4266 ++
4267 ++ /* Check if the callback is already on the list */
4268 ++ cb = gnttab_free_callback_list;
4269 ++ while (cb) {
4270 ++ if (cb == callback)
4271 ++ goto out;
4272 ++ cb = cb->next;
4273 ++ }
4274 ++
4275 + callback->fn = fn;
4276 + callback->arg = arg;
4277 + callback->count = count;
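Review bot: The new comment above the `while (cb)` walk in gnttab_request_free_callback says what is checked but not why the removed `callback->next` test was insufficient. The walk stops on a NULL `cb`, so the list appears to be NULL-terminated; the tail entry then has `next == NULL` and the old test would have let it be queued a second time. Suggest `/* ->next is NULL for the tail entry too, so walk the list instead of testing callback->next */`. The walk runs with gnttab_list_lock held and interrupts disabled, so its cost grows with the number of queued callbacks. The function body continues past the end of the hunk.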
4278 +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
4279 +index f3a257d..fb001cd 100644
4280 +--- a/fs/debugfs/inode.c
4281 ++++ b/fs/debugfs/inode.c
4282 +@@ -380,8 +380,7 @@ EXPORT_SYMBOL_GPL(debugfs_remove);
4283 + */
4284 + void debugfs_remove_recursive(struct dentry *dentry)
4285 + {
4286 +- struct dentry *child;
4287 +- struct dentry *parent;
4288 ++ struct dentry *child, *next, *parent;
4289 +
4290 + if (!dentry)
4291 + return;
4292 +@@ -391,61 +390,37 @@ void debugfs_remove_recursive(struct dentry *dentry)
4293 + return;
4294 +
4295 + parent = dentry;
4296 ++ down:
4297 + mutex_lock(&parent->d_inode->i_mutex);
4298 ++ list_for_each_entry_safe(child, next, &parent->d_subdirs, d_u.d_child) {
4299 ++ if (!debugfs_positive(child))
4300 ++ continue;
4301 +
4302 +- while (1) {
4303 +- /*
4304 +- * When all dentries under "parent" has been removed,
4305 +- * walk up the tree until we reach our starting point.
4306 +- */
4307 +- if (list_empty(&parent->d_subdirs)) {
4308 +- mutex_unlock(&parent->d_inode->i_mutex);
4309 +- if (parent == dentry)
4310 +- break;
4311 +- parent = parent->d_parent;
4312 +- mutex_lock(&parent->d_inode->i_mutex);
4313 +- }
4314 +- child = list_entry(parent->d_subdirs.next, struct dentry,
4315 +- d_u.d_child);
4316 +- next_sibling:
4317 +-
4318 +- /*
4319 +- * If "child" isn't empty, walk down the tree and
4320 +- * remove all its descendants first.
4321 +- */
4322 ++ /* perhaps simple_empty(child) makes more sense */
4323 + if (!list_empty(&child->d_subdirs)) {
4324 + mutex_unlock(&parent->d_inode->i_mutex);
4325 + parent = child;
4326 +- mutex_lock(&parent->d_inode->i_mutex);
4327 +- continue;
4328 +- }
4329 +- __debugfs_remove(child, parent);
4330 +- if (parent->d_subdirs.next == &child->d_u.d_child) {
4331 +- /*
4332 +- * Try the next sibling.
4333 +- */
4334 +- if (child->d_u.d_child.next != &parent->d_subdirs) {
4335 +- child = list_entry(child->d_u.d_child.next,
4336 +- struct dentry,
4337 +- d_u.d_child);
4338 +- goto next_sibling;
4339 +- }
4340 +-
4341 +- /*
4342 +- * Avoid infinite loop if we fail to remove
4343 +- * one dentry.
4344 +- */
4345 +- mutex_unlock(&parent->d_inode->i_mutex);
4346 +- break;
4347 ++ goto down;
4348 + }
4349 +- simple_release_fs(&debugfs_mount, &debugfs_mount_count);
4350 ++ up:
4351 ++ if (!__debugfs_remove(child, parent))
4352 ++ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
4353 + }
4354 +
4355 +- parent = dentry->d_parent;
4356 ++ mutex_unlock(&parent->d_inode->i_mutex);
4357 ++ child = parent;
4358 ++ parent = parent->d_parent;
4359 + mutex_lock(&parent->d_inode->i_mutex);
4360 +- __debugfs_remove(dentry, parent);
4361 ++
4362 ++ if (child != dentry) {
4363 ++ next = list_entry(child->d_u.d_child.next, struct dentry,
4364 ++ d_u.d_child);
4365 ++ goto up;
4366 ++ }
4367 ++
4368 ++ if (!__debugfs_remove(child, parent))
4369 ++ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
4370 + mutex_unlock(&parent->d_inode->i_mutex);
4371 +- simple_release_fs(&debugfs_mount, &debugfs_mount_count);
4372 + }
4373 + EXPORT_SYMBOL_GPL(debugfs_remove_recursive);
4374 +
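Review bot: `goto up` at the bottom of debugfs_remove_recursive jumps back into the body of the `list_for_each_entry_safe()` loop, and the loop only continues correctly because `next` was assigned by hand just before the jump; nothing in the new code says so. A comment at the `up:` label would help, e.g. `/* re-entered from below with child = the directory just emptied and next = its following sibling */`. The unchanged comment `/* perhaps simple_empty(child) makes more sense */` reads as an open question and would be better resolved or turned into a TODO that gives the reason. Between `mutex_unlock(&parent->d_inode->i_mutex)` and the `mutex_lock()` at `down:` no i_mutex is held; whether `child` stays pinned across that window is not visible in this hunk and should be confirmed.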
4375 +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
4376 +index 3ca3b7f..2e0e34f 100644
4377 +--- a/fs/ext4/namei.c
4378 ++++ b/fs/ext4/namei.c
4379 +@@ -2054,7 +2054,8 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
4380 + int err = 0;
4381 +
4382 + /* ext4_handle_valid() assumes a valid handle_t pointer */
4383 +- if (handle && !ext4_handle_valid(handle))
4384 ++ if (handle && !ext4_handle_valid(handle) &&
4385 ++ !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
4386 + return 0;
4387 +
4388 + mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
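Review bot: The comment kept above the test in ext4_orphan_del no longer describes the whole condition: with the added `EXT4_ORPHAN_FS` clause the early `return 0` is skipped for a handle that fails ext4_handle_valid() while that mount-state bit is set. A line such as `/* ...but while EXT4_ORPHAN_FS is set the inode must still be taken off the orphan list */` would record the intent (presumably orphan processing; confirm against the upstream commit message). The rest of the function, outside this hunk, now runs with such a handle, so every later use of `handle` should be checked to tolerate it.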
4389 +diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
4390 +index 5ef7afb..06e2f73 100644
4391 +--- a/fs/fuse/dir.c
4392 ++++ b/fs/fuse/dir.c
4393 +@@ -1063,6 +1063,8 @@ static int parse_dirfile(char *buf, size_t nbytes, struct file *file,
4394 + return -EIO;
4395 + if (reclen > nbytes)
4396 + break;
4397 ++ if (memchr(dirent->name, '/', dirent->namelen) != NULL)
4398 ++ return -EIO;
4399 +
4400 + over = filldir(dstbuf, dirent->name, dirent->namelen,
4401 + file->f_pos, dirent->ino, dirent->type);
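Review bot: The added `memchr(dirent->name, '/', dirent->namelen)` check in parse_dirfile has no comment explaining why a `/` must be rejected here: the entry names are parsed out of `buf`, which as far as the hunk shows is filled from the userspace filesystem's reply, and are handed to `filldir()` unchanged. Suggest `/* names are supplied by the userspace filesystem; a '/' would be read as a path separator by consumers */`. The scan length is `dirent->namelen`, so it relies on the preceding `reclen > nbytes` test, and on how `reclen` is derived outside the hunk, to keep the name inside `buf`; it is worth confirming that `reclen` covers `namelen`. The loop this check sits in starts before the hunk.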
4402 +@@ -1282,6 +1284,7 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
4403 + {
4404 + struct inode *inode = entry->d_inode;
4405 + struct fuse_conn *fc = get_fuse_conn(inode);
4406 ++ struct fuse_inode *fi = get_fuse_inode(inode);
4407 + struct fuse_req *req;
4408 + struct fuse_setattr_in inarg;
4409 + struct fuse_attr_out outarg;
4410 +@@ -1312,8 +1315,10 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
4411 + if (IS_ERR(req))
4412 + return PTR_ERR(req);
4413 +
4414 +- if (is_truncate)
4415 ++ if (is_truncate) {
4416 + fuse_set_nowrite(inode);
4417 ++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
4418 ++ }
4419 +
4420 + memset(&inarg, 0, sizeof(inarg));
4421 + memset(&outarg, 0, sizeof(outarg));
4422 +@@ -1375,12 +1380,14 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
4423 + invalidate_inode_pages2(inode->i_mapping);
4424 + }
4425 +
4426 ++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
4427 + return 0;
4428 +
4429 + error:
4430 + if (is_truncate)
4431 + fuse_release_nowrite(inode);
4432 +
4433 ++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
4434 + return err;
4435 + }
4436 +
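Review bot: `clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)` runs on both exits of fuse_do_setattr even when `is_truncate` was false and this call never set the bit; fuse_perform_write in fs/fuse/file.c has the same shape, with a conditional `set_bit()` and an unconditional `clear_bit()`. A single bit cannot count holders, so if two of these operations can overlap, the first to finish clears the flag while the other is still in flight, and fuse_read_update_size / fuse_change_attributes would again accept a stale size. Whether such overlap is excluded by locking is not visible here; if it is not, make the clear conditional, `if (is_truncate) clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);`, or document the lock that serialises the holders. Any other return between the `set_bit()` and these two exits, outside the hunk, would also leave the bit set.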
4437 +@@ -1439,6 +1446,8 @@ static int fuse_setxattr(struct dentry *entry, const char *name,
4438 + fc->no_setxattr = 1;
4439 + err = -EOPNOTSUPP;
4440 + }
4441 ++ if (!err)
4442 ++ fuse_invalidate_attr(inode);
4443 + return err;
4444 + }
4445 +
4446 +@@ -1568,6 +1577,8 @@ static int fuse_removexattr(struct dentry *entry, const char *name)
4447 + fc->no_removexattr = 1;
4448 + err = -EOPNOTSUPP;
4449 + }
4450 ++ if (!err)
4451 ++ fuse_invalidate_attr(inode);
4452 + return err;
4453 + }
4454 +
4455 +diff --git a/fs/fuse/file.c b/fs/fuse/file.c
4456 +index 5242006..510d4aa 100644
4457 +--- a/fs/fuse/file.c
4458 ++++ b/fs/fuse/file.c
4459 +@@ -519,7 +519,8 @@ static void fuse_read_update_size(struct inode *inode, loff_t size,
4460 + struct fuse_inode *fi = get_fuse_inode(inode);
4461 +
4462 + spin_lock(&fc->lock);
4463 +- if (attr_ver == fi->attr_version && size < inode->i_size) {
4464 ++ if (attr_ver == fi->attr_version && size < inode->i_size &&
4465 ++ !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
4466 + fi->attr_version = ++fc->attr_version;
4467 + i_size_write(inode, size);
4468 + }
4469 +@@ -881,12 +882,16 @@ static ssize_t fuse_perform_write(struct file *file,
4470 + {
4471 + struct inode *inode = mapping->host;
4472 + struct fuse_conn *fc = get_fuse_conn(inode);
4473 ++ struct fuse_inode *fi = get_fuse_inode(inode);
4474 + int err = 0;
4475 + ssize_t res = 0;
4476 +
4477 + if (is_bad_inode(inode))
4478 + return -EIO;
4479 +
4480 ++ if (inode->i_size < pos + iov_iter_count(ii))
4481 ++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
4482 ++
4483 + do {
4484 + struct fuse_req *req;
4485 + ssize_t count;
4486 +@@ -921,6 +926,7 @@ static ssize_t fuse_perform_write(struct file *file,
4487 + if (res > 0)
4488 + fuse_write_update_size(inode, pos);
4489 +
4490 ++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
4491 + fuse_invalidate_attr(inode);
4492 +
4493 + return res > 0 ? res : err;
4494 +@@ -1251,7 +1257,6 @@ static int fuse_writepage_locked(struct page *page)
4495 +
4496 + inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK);
4497 + inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP);
4498 +- end_page_writeback(page);
4499 +
4500 + spin_lock(&fc->lock);
4501 + list_add(&req->writepages_entry, &fi->writepages);
4502 +@@ -1259,6 +1264,8 @@ static int fuse_writepage_locked(struct page *page)
4503 + fuse_flush_writepages(inode);
4504 + spin_unlock(&fc->lock);
4505 +
4506 ++ end_page_writeback(page);
4507 ++
4508 + return 0;
4509 +
4510 + err_free:
4511 +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
4512 +index 89c4a58..52ffd24 100644
4513 +--- a/fs/fuse/fuse_i.h
4514 ++++ b/fs/fuse/fuse_i.h
4515 +@@ -103,6 +103,15 @@ struct fuse_inode {
4516 +
4517 + /** List of writepage requestst (pending or sent) */
4518 + struct list_head writepages;
4519 ++
4520 ++ /** Miscellaneous bits describing inode state */
4521 ++ unsigned long state;
4522 ++};
4523 ++
4524 ++/** FUSE inode state bits */
4525 ++enum {
4526 ++ /** An operation changing file size is in progress */
4527 ++ FUSE_I_SIZE_UNSTABLE,
4528 + };
4529 +
4530 + struct fuse_conn;
4531 +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
4532 +index 1f82d95..912c250 100644
4533 +--- a/fs/fuse/inode.c
4534 ++++ b/fs/fuse/inode.c
4535 +@@ -92,6 +92,7 @@ static struct inode *fuse_alloc_inode(struct super_block *sb)
4536 + fi->attr_version = 0;
4537 + fi->writectr = 0;
4538 + fi->orig_ino = 0;
4539 ++ fi->state = 0;
4540 + INIT_LIST_HEAD(&fi->write_files);
4541 + INIT_LIST_HEAD(&fi->queued_writes);
4542 + INIT_LIST_HEAD(&fi->writepages);
4543 +@@ -200,7 +201,8 @@ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
4544 + loff_t oldsize;
4545 +
4546 + spin_lock(&fc->lock);
4547 +- if (attr_version != 0 && fi->attr_version > attr_version) {
4548 ++ if ((attr_version != 0 && fi->attr_version > attr_version) ||
4549 ++ test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
4550 + spin_unlock(&fc->lock);
4551 + return;
4552 + }
4553 +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
4554 +index f950059..a5f25a7 100644
4555 +--- a/fs/isofs/inode.c
4556 ++++ b/fs/isofs/inode.c
4557 +@@ -120,8 +120,8 @@ static void destroy_inodecache(void)
4558 +
4559 + static int isofs_remount(struct super_block *sb, int *flags, char *data)
4560 + {
4561 +- /* we probably want a lot more here */
4562 +- *flags |= MS_RDONLY;
4563 ++ if (!(*flags & MS_RDONLY))
4564 ++ return -EROFS;
4565 + return 0;
4566 + }
4567 +
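Review bot: isofs_remount loses its only comment here and gets no replacement, although read-only enforcement now rests entirely on this check and the one added to isofs_mount, because the next hunk removes `s->s_flags |= MS_RDONLY` from the code under `root_found:`. Suggest `/* isofs has no write support: refuse a remount that drops MS_RDONLY */` above the test. The two checks also return different errors (`-EROFS` here, `-EACCES` in isofs_mount); if that difference is deliberate, a short comment in isofs_mount saying why would keep it from being "fixed" later.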
4568 +@@ -770,15 +770,6 @@ root_found:
4569 + */
4570 + s->s_maxbytes = 0x80000000000LL;
4571 +
4572 +- /*
4573 +- * The CDROM is read-only, has no nodes (devices) on it, and since
4574 +- * all of the files appear to be owned by root, we really do not want
4575 +- * to allow suid. (suid or devices will not show up unless we have
4576 +- * Rock Ridge extensions)
4577 +- */
4578 +-
4579 +- s->s_flags |= MS_RDONLY /* | MS_NODEV | MS_NOSUID */;
4580 +-
4581 + /* Set this for reference. Its not currently used except on write
4582 + which we don't have .. */
4583 +
4584 +@@ -1535,6 +1526,9 @@ struct inode *isofs_iget(struct super_block *sb,
4585 + static struct dentry *isofs_mount(struct file_system_type *fs_type,
4586 + int flags, const char *dev_name, void *data)
4587 + {
4588 ++ /* We don't support read-write mounts */
4589 ++ if (!(flags & MS_RDONLY))
4590 ++ return ERR_PTR(-EACCES);
4591 + return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super);
4592 + }
4593 +
4594 +diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
4595 +index 65221a0..16eacec 100644
4596 +--- a/fs/nilfs2/page.c
4597 ++++ b/fs/nilfs2/page.c
4598 +@@ -94,6 +94,7 @@ void nilfs_forget_buffer(struct buffer_head *bh)
4599 + clear_buffer_nilfs_volatile(bh);
4600 + clear_buffer_nilfs_checked(bh);
4601 + clear_buffer_nilfs_redirected(bh);
4602 ++ clear_buffer_async_write(bh);
4603 + clear_buffer_dirty(bh);
4604 + if (nilfs_page_buffers_clean(page))
4605 + __nilfs_clear_page_dirty(page);
4606 +@@ -390,6 +391,7 @@ void nilfs_clear_dirty_pages(struct address_space *mapping)
4607 + bh = head = page_buffers(page);
4608 + do {
4609 + lock_buffer(bh);
4610 ++ clear_buffer_async_write(bh);
4611 + clear_buffer_dirty(bh);
4612 + clear_buffer_nilfs_volatile(bh);
4613 + clear_buffer_nilfs_checked(bh);
4614 +diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
4615 +index 6f24e67..233d3ed 100644
4616 +--- a/fs/nilfs2/segment.c
4617 ++++ b/fs/nilfs2/segment.c
4618 +@@ -662,7 +662,7 @@ static size_t nilfs_lookup_dirty_data_buffers(struct inode *inode,
4619 +
4620 + bh = head = page_buffers(page);
4621 + do {
4622 +- if (!buffer_dirty(bh))
4623 ++ if (!buffer_dirty(bh) || buffer_async_write(bh))
4624 + continue;
4625 + get_bh(bh);
4626 + list_add_tail(&bh->b_assoc_buffers, listp);
4627 +@@ -696,7 +696,8 @@ static void nilfs_lookup_dirty_node_buffers(struct inode *inode,
4628 + for (i = 0; i < pagevec_count(&pvec); i++) {
4629 + bh = head = page_buffers(pvec.pages[i]);
4630 + do {
4631 +- if (buffer_dirty(bh)) {
4632 ++ if (buffer_dirty(bh) &&
4633 ++ !buffer_async_write(bh)) {
4634 + get_bh(bh);
4635 + list_add_tail(&bh->b_assoc_buffers,
4636 + listp);
4637 +@@ -1576,6 +1577,7 @@ static void nilfs_segctor_prepare_write(struct nilfs_sc_info *sci)
4638 +
4639 + list_for_each_entry(bh, &segbuf->sb_segsum_buffers,
4640 + b_assoc_buffers) {
4641 ++ set_buffer_async_write(bh);
4642 + if (bh->b_page != bd_page) {
4643 + if (bd_page) {
4644 + lock_page(bd_page);
4645 +@@ -1589,6 +1591,7 @@ static void nilfs_segctor_prepare_write(struct nilfs_sc_info *sci)
4646 +
4647 + list_for_each_entry(bh, &segbuf->sb_payload_buffers,
4648 + b_assoc_buffers) {
4649 ++ set_buffer_async_write(bh);
4650 + if (bh == segbuf->sb_super_root) {
4651 + if (bh->b_page != bd_page) {
4652 + lock_page(bd_page);
4653 +@@ -1674,6 +1677,7 @@ static void nilfs_abort_logs(struct list_head *logs, int err)
4654 + list_for_each_entry(segbuf, logs, sb_list) {
4655 + list_for_each_entry(bh, &segbuf->sb_segsum_buffers,
4656 + b_assoc_buffers) {
4657 ++ clear_buffer_async_write(bh);
4658 + if (bh->b_page != bd_page) {
4659 + if (bd_page)
4660 + end_page_writeback(bd_page);
4661 +@@ -1683,6 +1687,7 @@ static void nilfs_abort_logs(struct list_head *logs, int err)
4662 +
4663 + list_for_each_entry(bh, &segbuf->sb_payload_buffers,
4664 + b_assoc_buffers) {
4665 ++ clear_buffer_async_write(bh);
4666 + if (bh == segbuf->sb_super_root) {
4667 + if (bh->b_page != bd_page) {
4668 + end_page_writeback(bd_page);
4669 +@@ -1752,6 +1757,7 @@ static void nilfs_segctor_complete_write(struct nilfs_sc_info *sci)
4670 + b_assoc_buffers) {
4671 + set_buffer_uptodate(bh);
4672 + clear_buffer_dirty(bh);
4673 ++ clear_buffer_async_write(bh);
4674 + if (bh->b_page != bd_page) {
4675 + if (bd_page)
4676 + end_page_writeback(bd_page);
4677 +@@ -1773,6 +1779,7 @@ static void nilfs_segctor_complete_write(struct nilfs_sc_info *sci)
4678 + b_assoc_buffers) {
4679 + set_buffer_uptodate(bh);
4680 + clear_buffer_dirty(bh);
4681 ++ clear_buffer_async_write(bh);
4682 + clear_buffer_delay(bh);
4683 + clear_buffer_nilfs_volatile(bh);
4684 + clear_buffer_nilfs_redirected(bh);
4685 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
4686 +index a506360..0c2f912 100644
4687 +--- a/fs/notify/fanotify/fanotify.c
4688 ++++ b/fs/notify/fanotify/fanotify.c
4689 +@@ -18,6 +18,12 @@ static bool should_merge(struct fsnotify_event *old, struct fsnotify_event *new)
4690 + old->tgid == new->tgid) {
4691 + switch (old->data_type) {
4692 + case (FSNOTIFY_EVENT_PATH):
4693 ++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
4694 ++ /* dont merge two permission events */
4695 ++ if ((old->mask & FAN_ALL_PERM_EVENTS) &&
4696 ++ (new->mask & FAN_ALL_PERM_EVENTS))
4697 ++ return false;
4698 ++#endif
4699 + if ((old->path.mnt == new->path.mnt) &&
4700 + (old->path.dentry == new->path.dentry))
4701 + return true;
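Review bot: The new test in should_merge only refuses a merge when both `old->mask` and `new->mask` carry a bit from `FAN_ALL_PERM_EVENTS`; a permission event and a non-permission event for the same path still fall through to `return true`. If each permission event needs its own queued entry so that the listener's response reaches the right waiter, the condition probably wants `||` instead of `&&`: `if ((old->mask & FAN_ALL_PERM_EVENTS) || (new->mask & FAN_ALL_PERM_EVENTS)) return false;`. Whether the mixed case can reach this point depends on the condition that opens above the hunk, so confirm before changing. The comment would then read `/* never merge a permission event with anything */`.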
4702 +diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
4703 +index 7eb1c0c..cf22847 100644
4704 +--- a/fs/ocfs2/extent_map.c
4705 ++++ b/fs/ocfs2/extent_map.c
4706 +@@ -782,7 +782,6 @@ int ocfs2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
4707 + cpos = map_start >> osb->s_clustersize_bits;
4708 + mapping_end = ocfs2_clusters_for_bytes(inode->i_sb,
4709 + map_start + map_len);
4710 +- mapping_end -= cpos;
4711 + is_last = 0;
4712 + while (cpos < mapping_end && !is_last) {
4713 + u32 fe_flags;
4714 +diff --git a/include/linux/hid.h b/include/linux/hid.h
4715 +index 331e2ef..19fe719 100644
4716 +--- a/include/linux/hid.h
4717 ++++ b/include/linux/hid.h
4718 +@@ -416,10 +416,12 @@ struct hid_report {
4719 + struct hid_device *device; /* associated device */
4720 + };
4721 +
4722 ++#define HID_MAX_IDS 256
4723 ++
4724 + struct hid_report_enum {
4725 + unsigned numbered;
4726 + struct list_head report_list;
4727 +- struct hid_report *report_id_hash[256];
4728 ++ struct hid_report *report_id_hash[HID_MAX_IDS];
4729 + };
4730 +
4731 + #define HID_REPORT_TYPES 3
4732 +@@ -716,6 +718,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
4733 + struct hid_device *hid_allocate_device(void);
4734 + struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
4735 + int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
4736 ++struct hid_report *hid_validate_values(struct hid_device *hid,
4737 ++ unsigned int type, unsigned int id,
4738 ++ unsigned int field_index,
4739 ++ unsigned int report_counts);
4740 + int hid_check_keys_pressed(struct hid_device *hid);
4741 + int hid_connect(struct hid_device *hid, unsigned int connect_mask);
4742 + void hid_disconnect(struct hid_device *hid);
4743 +diff --git a/include/linux/icmpv6.h b/include/linux/icmpv6.h
4744 +index ba45e6b..f5a21d0 100644
4745 +--- a/include/linux/icmpv6.h
4746 ++++ b/include/linux/icmpv6.h
4747 +@@ -123,6 +123,8 @@ static inline struct icmp6hdr *icmp6_hdr(const struct sk_buff *skb)
4748 + #define ICMPV6_NOT_NEIGHBOUR 2
4749 + #define ICMPV6_ADDR_UNREACH 3
4750 + #define ICMPV6_PORT_UNREACH 4
4751 ++#define ICMPV6_POLICY_FAIL 5
4752 ++#define ICMPV6_REJECT_ROUTE 6
4753 +
4754 + /*
4755 + * Codes for Time Exceeded
4756 +diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
4757 +index 0c99776..84b1447 100644
4758 +--- a/include/linux/ipv6.h
4759 ++++ b/include/linux/ipv6.h
4760 +@@ -255,6 +255,7 @@ struct inet6_skb_parm {
4761 + #define IP6SKB_XFRM_TRANSFORMED 1
4762 + #define IP6SKB_FORWARDED 2
4763 + #define IP6SKB_REROUTED 4
4764 ++#define IP6SKB_FRAGMENTED 16
4765 + };
4766 +
4767 + #define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb))
4768 +diff --git a/include/linux/mm.h b/include/linux/mm.h
4769 +index d0493f6..305fd75 100644
4770 +--- a/include/linux/mm.h
4771 ++++ b/include/linux/mm.h
4772 +@@ -865,7 +865,8 @@ extern void pagefault_out_of_memory(void);
4773 + * Flags passed to show_mem() and show_free_areas() to suppress output in
4774 + * various contexts.
4775 + */
4776 +-#define SHOW_MEM_FILTER_NODES (0x0001u) /* filter disallowed nodes */
4777 ++#define SHOW_MEM_FILTER_NODES (0x0001u) /* disallowed nodes */
4778 ++#define SHOW_MEM_FILTER_PAGE_COUNT (0x0002u) /* page type count */
4779 +
4780 + extern void show_free_areas(unsigned int flags);
4781 + extern bool skip_free_areas_node(unsigned int flags, int nid);
4782 +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
4783 +index 3cfcfea..eeb6a29 100644
4784 +--- a/include/linux/perf_event.h
4785 ++++ b/include/linux/perf_event.h
4786 +@@ -927,7 +927,7 @@ struct perf_cpu_context {
4787 + int exclusive;
4788 + struct list_head rotation_list;
4789 + int jiffies_interval;
4790 +- struct pmu *active_pmu;
4791 ++ struct pmu *unique_pmu;
4792 + struct perf_cgroup *cgrp;
4793 + };
4794 +
4795 +diff --git a/include/linux/rculist.h b/include/linux/rculist.h
4796 +index 6f95e24..3863352 100644
4797 +--- a/include/linux/rculist.h
4798 ++++ b/include/linux/rculist.h
4799 +@@ -254,8 +254,9 @@ static inline void list_splice_init_rcu(struct list_head *list,
4800 + */
4801 + #define list_first_or_null_rcu(ptr, type, member) \
4802 + ({struct list_head *__ptr = (ptr); \
4803 +- struct list_head __rcu *__next = list_next_rcu(__ptr); \
4804 +- likely(__ptr != __next) ? container_of(__next, type, member) : NULL; \
4805 ++ struct list_head *__next = ACCESS_ONCE(__ptr->next); \
4806 ++ likely(__ptr != __next) ? \
4807 ++ list_entry_rcu(__next, type, member) : NULL; \
4808 + })
4809 +
4810 + /**
4811 +diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
4812 +index 03354d5..0daa46b 100644
4813 +--- a/include/linux/usb/hcd.h
4814 ++++ b/include/linux/usb/hcd.h
4815 +@@ -395,7 +395,7 @@ extern int usb_hcd_pci_probe(struct pci_dev *dev,
4816 + extern void usb_hcd_pci_remove(struct pci_dev *dev);
4817 + extern void usb_hcd_pci_shutdown(struct pci_dev *dev);
4818 +
4819 +-#ifdef CONFIG_PM_SLEEP
4820 ++#ifdef CONFIG_PM
4821 + extern const struct dev_pm_ops usb_hcd_pci_pm_ops;
4822 + #endif
4823 + #endif /* CONFIG_PCI */
4824 +diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
4825 +index e9ff3fc..34b06da 100644
4826 +--- a/include/net/inetpeer.h
4827 ++++ b/include/net/inetpeer.h
4828 +@@ -41,6 +41,10 @@ struct inet_peer {
4829 + u32 pmtu_orig;
4830 + u32 pmtu_learned;
4831 + struct inetpeer_addr_base redirect_learned;
4832 ++ union {
4833 ++ struct list_head gc_list;
4834 ++ struct rcu_head gc_rcu;
4835 ++ };
4836 + /*
4837 + * Once inet_peer is queued for deletion (refcnt == -1), following fields
4838 + * are not available: rid, ip_id_count, tcp_ts, tcp_ts_stamp
4839 +@@ -96,6 +100,8 @@ static inline struct inet_peer *inet_getpeer_v6(const struct in6_addr *v6daddr,
4840 + extern void inet_putpeer(struct inet_peer *p);
4841 + extern bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout);
4842 +
4843 ++extern void inetpeer_invalidate_tree(int family);
4844 ++
4845 + /*
4846 + * temporary check to make sure we dont access rid, ip_id_count, tcp_ts,
4847 + * tcp_ts_stamp if no refcount is taken on inet_peer
4848 +diff --git a/include/net/ip.h b/include/net/ip.h
4849 +index eca0ef7..06aed72 100644
4850 +--- a/include/net/ip.h
4851 ++++ b/include/net/ip.h
4852 +@@ -266,9 +266,11 @@ int ip_dont_fragment(struct sock *sk, struct dst_entry *dst)
4853 +
4854 + extern void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more);
4855 +
4856 +-static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst, struct sock *sk)
4857 ++static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk)
4858 + {
4859 +- if (iph->frag_off & htons(IP_DF)) {
4860 ++ struct iphdr *iph = ip_hdr(skb);
4861 ++
4862 ++ if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) {
4863 + /* This is only to work around buggy Windows95/2000
4864 + * VJ compression implementations. If the ID field
4865 + * does not change, they drop every other packet in
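Review bot: ip_select_ident, and ip_select_ident_more in the next hunk, now derive `iph` from `ip_hdr(skb)` instead of taking it from the caller, so they write the ID to wherever the skb's network-header offset points. A caller that fills in the header through a local pointer before that offset is set worked with the old signature and would not with the new one; the IPTUNNEL_XMIT macro in include/net/ipip.h is one converted caller where this should be checked. A one-line contract above each helper would help, e.g. `/* skb's network header must already point at the IPv4 header being filled in */`. The new `!skb->local_df` clause is also not mentioned in the existing comment inside the branch; a few words on why packets that may be fragmented locally must skip the DF shortcut would complete it.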
4866 +@@ -280,9 +282,11 @@ static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst, str
4867 + __ip_select_ident(iph, dst, 0);
4868 + }
4869 +
4870 +-static inline void ip_select_ident_more(struct iphdr *iph, struct dst_entry *dst, struct sock *sk, int more)
4871 ++static inline void ip_select_ident_more(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk, int more)
4872 + {
4873 +- if (iph->frag_off & htons(IP_DF)) {
4874 ++ struct iphdr *iph = ip_hdr(skb);
4875 ++
4876 ++ if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) {
4877 + if (sk && inet_sk(sk)->inet_daddr) {
4878 + iph->id = htons(inet_sk(sk)->inet_id);
4879 + inet_sk(sk)->inet_id += 1 + more;
4880 +diff --git a/include/net/ipip.h b/include/net/ipip.h
4881 +index a32654d..4dccfe3 100644
4882 +--- a/include/net/ipip.h
4883 ++++ b/include/net/ipip.h
4884 +@@ -50,7 +50,7 @@ struct ip_tunnel_prl_entry {
4885 + int pkt_len = skb->len - skb_transport_offset(skb); \
4886 + \
4887 + skb->ip_summed = CHECKSUM_NONE; \
4888 +- ip_select_ident(iph, &rt->dst, NULL); \
4889 ++ ip_select_ident(skb, &rt->dst, NULL); \
4890 + \
4891 + err = ip_local_out(skb); \
4892 + if (likely(net_xmit_eval(err) == 0)) { \
4893 +diff --git a/kernel/cgroup.c b/kernel/cgroup.c
4894 +index d2a01fe..2a1ffb7 100644
4895 +--- a/kernel/cgroup.c
4896 ++++ b/kernel/cgroup.c
4897 +@@ -3504,6 +3504,7 @@ static int cgroup_write_event_control(struct cgroup *cgrp, struct cftype *cft,
4898 + const char *buffer)
4899 + {
4900 + struct cgroup_event *event = NULL;
4901 ++ struct cgroup *cgrp_cfile;
4902 + unsigned int efd, cfd;
4903 + struct file *efile = NULL;
4904 + struct file *cfile = NULL;
4905 +@@ -3559,6 +3560,16 @@ static int cgroup_write_event_control(struct cgroup *cgrp, struct cftype *cft,
4906 + goto fail;
4907 + }
4908 +
4909 ++ /*
4910 ++ * The file to be monitored must be in the same cgroup as
4911 ++ * cgroup.event_control is.
4912 ++ */
4913 ++ cgrp_cfile = __d_cgrp(cfile->f_dentry->d_parent);
4914 ++ if (cgrp_cfile != cgrp) {
4915 ++ ret = -EINVAL;
4916 ++ goto fail;
4917 ++ }
4918 ++
4919 + if (!event->cft->register_event || !event->cft->unregister_event) {
4920 + ret = -EINVAL;
4921 + goto fail;
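Review bot: The new check in cgroup_write_event_control treats `cfile->f_dentry->d_parent` as a cgroup directory via `__d_cgrp()` without anything in the hunk showing that `cfile` is a cgroup control file; it depends on the validation that ends just above (`goto fail; }`), outside the visible lines. Since `cfd` appears to be parsed from the buffer written by userspace, the comment should state that dependency, e.g. `/* cfile was verified above to be a cgroup control file, so its parent dentry is a cgroup directory */`. The parent is read without a visible lock or reference on the dentry; please confirm that a concurrent rename or rmdir cannot change `d_parent` between this test and event registration.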
4922 +diff --git a/kernel/events/core.c b/kernel/events/core.c
4923 +index 5bbe443..83d5621 100644
4924 +--- a/kernel/events/core.c
4925 ++++ b/kernel/events/core.c
4926 +@@ -242,9 +242,9 @@ perf_cgroup_match(struct perf_event *event)
4927 + return !event->cgrp || event->cgrp == cpuctx->cgrp;
4928 + }
4929 +
4930 +-static inline void perf_get_cgroup(struct perf_event *event)
4931 ++static inline bool perf_tryget_cgroup(struct perf_event *event)
4932 + {
4933 +- css_get(&event->cgrp->css);
4934 ++ return css_tryget(&event->cgrp->css);
4935 + }
4936 +
4937 + static inline void perf_put_cgroup(struct perf_event *event)
4938 +@@ -360,6 +360,8 @@ void perf_cgroup_switch(struct task_struct *task, int mode)
4939 +
4940 + list_for_each_entry_rcu(pmu, &pmus, entry) {
4941 + cpuctx = this_cpu_ptr(pmu->pmu_cpu_context);
4942 ++ if (cpuctx->unique_pmu != pmu)
4943 ++ continue; /* ensure we process each cpuctx once */
4944 +
4945 + /*
4946 + * perf_cgroup_events says at least one
4947 +@@ -383,9 +385,10 @@ void perf_cgroup_switch(struct task_struct *task, int mode)
4948 +
4949 + if (mode & PERF_CGROUP_SWIN) {
4950 + WARN_ON_ONCE(cpuctx->cgrp);
4951 +- /* set cgrp before ctxsw in to
4952 +- * allow event_filter_match() to not
4953 +- * have to pass task around
4954 ++ /*
4955 ++ * set cgrp before ctxsw in to allow
4956 ++ * event_filter_match() to not have to pass
4957 ++ * task around
4958 + */
4959 + cpuctx->cgrp = perf_cgroup_from_task(task);
4960 + cpu_ctx_sched_in(cpuctx, EVENT_ALL, task);
4961 +@@ -473,7 +476,11 @@ static inline int perf_cgroup_connect(int fd, struct perf_event *event,
4962 + event->cgrp = cgrp;
4963 +
4964 + /* must be done before we fput() the file */
4965 +- perf_get_cgroup(event);
4966 ++ if (!perf_tryget_cgroup(event)) {
4967 ++ event->cgrp = NULL;
4968 ++ ret = -ENOENT;
4969 ++ goto out;
4970 ++ }
4971 +
4972 + /*
4973 + * all events in a group must monitor
4974 +@@ -4377,7 +4384,7 @@ static void perf_event_task_event(struct perf_task_event *task_event)
4975 + rcu_read_lock();
4976 + list_for_each_entry_rcu(pmu, &pmus, entry) {
4977 + cpuctx = get_cpu_ptr(pmu->pmu_cpu_context);
4978 +- if (cpuctx->active_pmu != pmu)
4979 ++ if (cpuctx->unique_pmu != pmu)
4980 + goto next;
4981 + perf_event_task_ctx(&cpuctx->ctx, task_event);
4982 +
4983 +@@ -4523,7 +4530,7 @@ static void perf_event_comm_event(struct perf_comm_event *comm_event)
4984 + rcu_read_lock();
4985 + list_for_each_entry_rcu(pmu, &pmus, entry) {
4986 + cpuctx = get_cpu_ptr(pmu->pmu_cpu_context);
4987 +- if (cpuctx->active_pmu != pmu)
4988 ++ if (cpuctx->unique_pmu != pmu)
4989 + goto next;
4990 + perf_event_comm_ctx(&cpuctx->ctx, comm_event);
4991 +
4992 +@@ -4719,7 +4726,7 @@ got_name:
4993 + rcu_read_lock();
4994 + list_for_each_entry_rcu(pmu, &pmus, entry) {
4995 + cpuctx = get_cpu_ptr(pmu->pmu_cpu_context);
4996 +- if (cpuctx->active_pmu != pmu)
4997 ++ if (cpuctx->unique_pmu != pmu)
4998 + goto next;
4999 + perf_event_mmap_ctx(&cpuctx->ctx, mmap_event,
5000 + vma->vm_flags & VM_EXEC);
5001 +@@ -5741,8 +5748,8 @@ static void update_pmu_context(struct pmu *pmu, struct pmu *old_pmu)
5002 +
5003 + cpuctx = per_cpu_ptr(pmu->pmu_cpu_context, cpu);
5004 +
5005 +- if (cpuctx->active_pmu == old_pmu)
5006 +- cpuctx->active_pmu = pmu;
5007 ++ if (cpuctx->unique_pmu == old_pmu)
5008 ++ cpuctx->unique_pmu = pmu;
5009 + }
5010 + }
5011 +
5012 +@@ -5877,7 +5884,7 @@ skip_type:
5013 + cpuctx->ctx.pmu = pmu;
5014 + cpuctx->jiffies_interval = 1;
5015 + INIT_LIST_HEAD(&cpuctx->rotation_list);
5016 +- cpuctx->active_pmu = pmu;
5017 ++ cpuctx->unique_pmu = pmu;
5018 + }
5019 +
5020 + got_cpu_context:
5021 +diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
5022 +index 59474c5..c261da7 100644
5023 +--- a/kernel/sched_fair.c
5024 ++++ b/kernel/sched_fair.c
5025 +@@ -4890,11 +4890,15 @@ static void task_fork_fair(struct task_struct *p)
5026 +
5027 + update_rq_clock(rq);
5028 +
5029 +- if (unlikely(task_cpu(p) != this_cpu)) {
5030 +- rcu_read_lock();
5031 +- __set_task_cpu(p, this_cpu);
5032 +- rcu_read_unlock();
5033 +- }
5034 ++ /*
5035 ++ * Not only the cpu but also the task_group of the parent might have
5036 ++ * been changed after parent->se.parent,cfs_rq were copied to
5037 ++ * child->se.parent,cfs_rq. So call __set_task_cpu() to make those
5038 ++ * of child point to valid ones.
5039 ++ */
5040 ++ rcu_read_lock();
5041 ++ __set_task_cpu(p, this_cpu);
5042 ++ rcu_read_unlock();
5043 +
5044 + update_curr(cfs_rq);
5045 +
5046 +diff --git a/lib/show_mem.c b/lib/show_mem.c
5047 +index 4407f8c..b7c7231 100644
5048 +--- a/lib/show_mem.c
5049 ++++ b/lib/show_mem.c
5050 +@@ -18,6 +18,9 @@ void show_mem(unsigned int filter)
5051 + printk("Mem-Info:\n");
5052 + show_free_areas(filter);
5053 +
5054 ++ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
5055 ++ return;
5056 ++
5057 + for_each_online_pgdat(pgdat) {
5058 + unsigned long i, flags;
5059 +
5060 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
5061 +index d80ac4b..ed0ed8a 100644
5062 +--- a/mm/huge_memory.c
5063 ++++ b/mm/huge_memory.c
5064 +@@ -1882,6 +1882,8 @@ static void collapse_huge_page(struct mm_struct *mm,
5065 + goto out;
5066 +
5067 + vma = find_vma(mm, address);
5068 ++ if (!vma)
5069 ++ goto out;
5070 + hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
5071 + hend = vma->vm_end & HPAGE_PMD_MASK;
5072 + if (address < hstart || address + HPAGE_PMD_SIZE > hend)
5073 +diff --git a/mm/memcontrol.c b/mm/memcontrol.c
5074 +index d027a24..204de6a 100644
5075 +--- a/mm/memcontrol.c
5076 ++++ b/mm/memcontrol.c
5077 +@@ -4385,7 +4385,13 @@ static int compare_thresholds(const void *a, const void *b)
5078 + const struct mem_cgroup_threshold *_a = a;
5079 + const struct mem_cgroup_threshold *_b = b;
5080 +
5081 +- return _a->threshold - _b->threshold;
5082 ++ if (_a->threshold > _b->threshold)
5083 ++ return 1;
5084 ++
5085 ++ if (_a->threshold < _b->threshold)
5086 ++ return -1;
5087 ++
5088 ++ return 0;
5089 + }
5090 +
5091 + static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
5092 +diff --git a/mm/page_alloc.c b/mm/page_alloc.c
5093 +index b5afea2..d8762b2 100644
5094 +--- a/mm/page_alloc.c
5095 ++++ b/mm/page_alloc.c
5096 +@@ -1760,6 +1760,13 @@ void warn_alloc_failed(gfp_t gfp_mask, int order, const char *fmt, ...)
5097 + return;
5098 +
5099 + /*
5100 ++ * Walking all memory to count page types is very expensive and should
5101 ++ * be inhibited in non-blockable contexts.
5102 ++ */
5103 ++ if (!(gfp_mask & __GFP_WAIT))
5104 ++ filter |= SHOW_MEM_FILTER_PAGE_COUNT;
5105 ++
5106 ++ /*
5107 + * This documents exceptions given to allocations in certain
5108 + * contexts that are allowed to allocate outside current's set
5109 + * of allowed nodes.
5110 +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
5111 +index b81500c..a06deca 100644
5112 +--- a/net/bridge/br_multicast.c
5113 ++++ b/net/bridge/br_multicast.c
5114 +@@ -1155,7 +1155,8 @@ static int br_ip6_multicast_query(struct net_bridge *br,
5115 + mld2q = (struct mld2_query *)icmp6_hdr(skb);
5116 + if (!mld2q->mld2q_nsrcs)
5117 + group = &mld2q->mld2q_mca;
5118 +- max_delay = mld2q->mld2q_mrc ? MLDV2_MRC(mld2q->mld2q_mrc) : 1;
5119 ++
5120 ++ max_delay = max(msecs_to_jiffies(MLDV2_MRC(ntohs(mld2q->mld2q_mrc))), 1UL);
5121 + }
5122 +
5123 + if (!group)
5124 +diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
5125 +index dd147d7..8ac946f 100644
5126 +--- a/net/bridge/br_stp.c
5127 ++++ b/net/bridge/br_stp.c
5128 +@@ -189,7 +189,7 @@ static void br_record_config_information(struct net_bridge_port *p,
5129 + p->designated_age = jiffies + bpdu->message_age;
5130 +
5131 + mod_timer(&p->message_age_timer, jiffies
5132 +- + (p->br->max_age - bpdu->message_age));
5133 ++ + (bpdu->max_age - bpdu->message_age));
5134 + }
5135 +
5136 + /* called under bridge lock */
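Review bot: The re-armed timeout `bpdu->max_age - bpdu->message_age` is now built from two fields of the received BPDU, and nothing in this hunk bounds the result before it reaches `mod_timer()`. If a frame whose `message_age` exceeds its `max_age` can get this far, the difference is not a sensible timeout. Whether the receive path already drops such BPDUs is not visible here, and the function starts outside the hunk. I would record the precondition next to the call, for example `/* caller must have rejected BPDUs with message_age > max_age */`, and confirm that the check exists before the BPDU is recorded.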
5137 +diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
5138 +index 5cf5222..84efbe4 100644
5139 +--- a/net/caif/cfctrl.c
5140 ++++ b/net/caif/cfctrl.c
5141 +@@ -288,9 +288,10 @@ int cfctrl_linkup_request(struct cflayer *layer,
5142 +
5143 + count = cfctrl_cancel_req(&cfctrl->serv.layer,
5144 + user_layer);
5145 +- if (count != 1)
5146 ++ if (count != 1) {
5147 + pr_err("Could not remove request (%d)", count);
5148 + return -ENODEV;
5149 ++ }
5150 + }
5151 + return 0;
5152 + }
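Review bot: The `pr_err()` call that now sits inside the braced error path has no trailing newline in its format string, so the message may run together with the next log line. `pr_err("Could not remove request (%d)\n", count);` fixes that. The function begins outside the hunk, so the type of `count` is assumed to match `%d`.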
5153 +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
5154 +index f4f3f58..a70f426 100644
5155 +--- a/net/ceph/osd_client.c
5156 ++++ b/net/ceph/osd_client.c
5157 +@@ -1719,6 +1719,8 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc,
5158 + dout("osdc_start_request failed map, "
5159 + " will retry %lld\n", req->r_tid);
5160 + rc = 0;
5161 ++ } else {
5162 ++ __unregister_request(osdc, req);
5163 + }
5164 + goto out_unlock;
5165 + }
5166 +diff --git a/net/core/netpoll.c b/net/core/netpoll.c
5167 +index db4bb7a..9649cea 100644
5168 +--- a/net/core/netpoll.c
5169 ++++ b/net/core/netpoll.c
5170 +@@ -923,15 +923,14 @@ EXPORT_SYMBOL_GPL(__netpoll_cleanup);
5171 +
5172 + void netpoll_cleanup(struct netpoll *np)
5173 + {
5174 +- if (!np->dev)
5175 +- return;
5176 +-
5177 + rtnl_lock();
5178 ++ if (!np->dev)
5179 ++ goto out;
5180 + __netpoll_cleanup(np);
5181 +- rtnl_unlock();
5182 +-
5183 + dev_put(np->dev);
5184 + np->dev = NULL;
5185 ++out:
5186 ++ rtnl_unlock();
5187 + }
5188 + EXPORT_SYMBOL(netpoll_cleanup);
5189 +
5190 +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
5191 +index 77a65f0..f0bdd36 100644
5192 +--- a/net/core/sysctl_net_core.c
5193 ++++ b/net/core/sysctl_net_core.c
5194 +@@ -19,6 +19,9 @@
5195 + #include <net/sock.h>
5196 + #include <net/net_ratelimit.h>
5197 +
5198 ++static int zero = 0;
5199 ++static int ushort_max = USHRT_MAX;
5200 ++
5201 + #ifdef CONFIG_RPS
5202 + static int rps_sock_flow_sysctl(ctl_table *table, int write,
5203 + void __user *buffer, size_t *lenp, loff_t *ppos)
5204 +@@ -192,7 +195,9 @@ static struct ctl_table netns_core_table[] = {
5205 + .data = &init_net.core.sysctl_somaxconn,
5206 + .maxlen = sizeof(int),
5207 + .mode = 0644,
5208 +- .proc_handler = proc_dointvec
5209 ++ .extra1 = &zero,
5210 ++ .extra2 = &ushort_max,
5211 ++ .proc_handler = proc_dointvec_minmax
5212 + },
5213 + { }
5214 + };
5215 +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
5216 +index cd2d639..c7c6724 100644
5217 +--- a/net/ipv4/fib_trie.c
5218 ++++ b/net/ipv4/fib_trie.c
5219 +@@ -72,7 +72,6 @@
5220 + #include <linux/init.h>
5221 + #include <linux/list.h>
5222 + #include <linux/slab.h>
5223 +-#include <linux/prefetch.h>
5224 + #include <linux/export.h>
5225 + #include <net/net_namespace.h>
5226 + #include <net/ip.h>
5227 +@@ -1773,10 +1772,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
5228 + if (!c)
5229 + continue;
5230 +
5231 +- if (IS_LEAF(c)) {
5232 +- prefetch(rcu_dereference_rtnl(p->child[idx]));
5233 ++ if (IS_LEAF(c))
5234 + return (struct leaf *) c;
5235 +- }
5236 +
5237 + /* Rescan start scanning in new node */
5238 + p = (struct tnode *) c;
5239 +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
5240 +index c8989a7..75b0860 100644
5241 +--- a/net/ipv4/igmp.c
5242 ++++ b/net/ipv4/igmp.c
5243 +@@ -342,7 +342,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
5244 + pip->saddr = fl4.saddr;
5245 + pip->protocol = IPPROTO_IGMP;
5246 + pip->tot_len = 0; /* filled in later */
5247 +- ip_select_ident(pip, &rt->dst, NULL);
5248 ++ ip_select_ident(skb, &rt->dst, NULL);
5249 + ((u8*)&pip[1])[0] = IPOPT_RA;
5250 + ((u8*)&pip[1])[1] = 4;
5251 + ((u8*)&pip[1])[2] = 0;
5252 +@@ -683,7 +683,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
5253 + iph->daddr = dst;
5254 + iph->saddr = fl4.saddr;
5255 + iph->protocol = IPPROTO_IGMP;
5256 +- ip_select_ident(iph, &rt->dst, NULL);
5257 ++ ip_select_ident(skb, &rt->dst, NULL);
5258 + ((u8*)&iph[1])[0] = IPOPT_RA;
5259 + ((u8*)&iph[1])[1] = 4;
5260 + ((u8*)&iph[1])[2] = 0;
5261 +@@ -705,7 +705,7 @@ static void igmp_gq_timer_expire(unsigned long data)
5262 +
5263 + in_dev->mr_gq_running = 0;
5264 + igmpv3_send_report(in_dev, NULL);
5265 +- __in_dev_put(in_dev);
5266 ++ in_dev_put(in_dev);
5267 + }
5268 +
5269 + static void igmp_ifc_timer_expire(unsigned long data)
5270 +@@ -717,7 +717,7 @@ static void igmp_ifc_timer_expire(unsigned long data)
5271 + in_dev->mr_ifc_count--;
5272 + igmp_ifc_start_timer(in_dev, IGMP_Unsolicited_Report_Interval);
5273 + }
5274 +- __in_dev_put(in_dev);
5275 ++ in_dev_put(in_dev);
5276 + }
5277 +
5278 + static void igmp_ifc_event(struct in_device *in_dev)
5279 +diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
5280 +index 86f13c67..58c4e696 100644
5281 +--- a/net/ipv4/inetpeer.c
5282 ++++ b/net/ipv4/inetpeer.c
5283 +@@ -17,6 +17,7 @@
5284 + #include <linux/kernel.h>
5285 + #include <linux/mm.h>
5286 + #include <linux/net.h>
5287 ++#include <linux/workqueue.h>
5288 + #include <net/ip.h>
5289 + #include <net/inetpeer.h>
5290 + #include <net/secure_seq.h>
5291 +@@ -31,8 +32,8 @@
5292 + * At the moment of writing this notes identifier of IP packets is generated
5293 + * to be unpredictable using this code only for packets subjected
5294 + * (actually or potentially) to defragmentation. I.e. DF packets less than
5295 +- * PMTU in size uses a constant ID and do not use this code (see
5296 +- * ip_select_ident() in include/net/ip.h).
5297 ++ * PMTU in size when local fragmentation is disabled use a constant ID and do
5298 ++ * not use this code (see ip_select_ident() in include/net/ip.h).
5299 + *
5300 + * Route cache entries hold references to our nodes.
5301 + * New cache entries get references via lookup by destination IP address in
5302 +@@ -66,6 +67,11 @@
5303 +
5304 + static struct kmem_cache *peer_cachep __read_mostly;
5305 +
5306 ++static LIST_HEAD(gc_list);
5307 ++static const int gc_delay = 60 * HZ;
5308 ++static struct delayed_work gc_work;
5309 ++static DEFINE_SPINLOCK(gc_lock);
5310 ++
5311 + #define node_height(x) x->avl_height
5312 +
5313 + #define peer_avl_empty ((struct inet_peer *)&peer_fake_node)
5314 +@@ -102,6 +108,50 @@ int inet_peer_threshold __read_mostly = 65536 + 128; /* start to throw entries m
5315 + int inet_peer_minttl __read_mostly = 120 * HZ; /* TTL under high load: 120 sec */
5316 + int inet_peer_maxttl __read_mostly = 10 * 60 * HZ; /* usual time to live: 10 min */
5317 +
5318 ++static void inetpeer_gc_worker(struct work_struct *work)
5319 ++{
5320 ++ struct inet_peer *p, *n;
5321 ++ LIST_HEAD(list);
5322 ++
5323 ++ spin_lock_bh(&gc_lock);
5324 ++ list_replace_init(&gc_list, &list);
5325 ++ spin_unlock_bh(&gc_lock);
5326 ++
5327 ++ if (list_empty(&list))
5328 ++ return;
5329 ++
5330 ++ list_for_each_entry_safe(p, n, &list, gc_list) {
5331 ++
5332 ++ if(need_resched())
5333 ++ cond_resched();
5334 ++
5335 ++ if (p->avl_left != peer_avl_empty) {
5336 ++ list_add_tail(&p->avl_left->gc_list, &list);
5337 ++ p->avl_left = peer_avl_empty;
5338 ++ }
5339 ++
5340 ++ if (p->avl_right != peer_avl_empty) {
5341 ++ list_add_tail(&p->avl_right->gc_list, &list);
5342 ++ p->avl_right = peer_avl_empty;
5343 ++ }
5344 ++
5345 ++ n = list_entry(p->gc_list.next, struct inet_peer, gc_list);
5346 ++
5347 ++ if (!atomic_read(&p->refcnt)) {
5348 ++ list_del(&p->gc_list);
5349 ++ kmem_cache_free(peer_cachep, p);
5350 ++ }
5351 ++ }
5352 ++
5353 ++ if (list_empty(&list))
5354 ++ return;
5355 ++
5356 ++ spin_lock_bh(&gc_lock);
5357 ++ list_splice(&list, &gc_list);
5358 ++ spin_unlock_bh(&gc_lock);
5359 ++
5360 ++ schedule_delayed_work(&gc_work, gc_delay);
5361 ++}
5362 +
5363 + /* Called from ip_output.c:ip_init */
5364 + void __init inet_initpeers(void)
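Review bot: In `inetpeer_gc_worker()` the free is gated on a plain `atomic_read(&p->refcnt)` with no lock held, and no comment says why a new reference cannot be taken between that read and `kmem_cache_free()`. Presumably the argument is that the tree was already unlinked from the base and the worker is only scheduled from an RCU callback (added in a later hunk of this file), so the count can only fall. If that is the intent, state it at the check, for example `/* tree is unlinked and a grace period has passed: refcnt can only drop */`. Separately, `if(need_resched()) cond_resched();` can be just `cond_resched();`, since that call already tests whether a reschedule is needed.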
5365 +@@ -126,6 +176,7 @@ void __init inet_initpeers(void)
5366 + 0, SLAB_HWCACHE_ALIGN | SLAB_PANIC,
5367 + NULL);
5368 +
5369 ++ INIT_DELAYED_WORK_DEFERRABLE(&gc_work, inetpeer_gc_worker);
5370 + }
5371 +
5372 + static int addr_compare(const struct inetpeer_addr *a,
5373 +@@ -448,7 +499,7 @@ relookup:
5374 + p->pmtu_expires = 0;
5375 + p->pmtu_orig = 0;
5376 + memset(&p->redirect_learned, 0, sizeof(p->redirect_learned));
5377 +-
5378 ++ INIT_LIST_HEAD(&p->gc_list);
5379 +
5380 + /* Link the node. */
5381 + link_to_pool(p, base);
5382 +@@ -508,3 +559,38 @@ bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout)
5383 + return rc;
5384 + }
5385 + EXPORT_SYMBOL(inet_peer_xrlim_allow);
5386 ++
5387 ++static void inetpeer_inval_rcu(struct rcu_head *head)
5388 ++{
5389 ++ struct inet_peer *p = container_of(head, struct inet_peer, gc_rcu);
5390 ++
5391 ++ spin_lock_bh(&gc_lock);
5392 ++ list_add_tail(&p->gc_list, &gc_list);
5393 ++ spin_unlock_bh(&gc_lock);
5394 ++
5395 ++ schedule_delayed_work(&gc_work, gc_delay);
5396 ++}
5397 ++
5398 ++void inetpeer_invalidate_tree(int family)
5399 ++{
5400 ++ struct inet_peer *old, *new, *prev;
5401 ++ struct inet_peer_base *base = family_to_base(family);
5402 ++
5403 ++ write_seqlock_bh(&base->lock);
5404 ++
5405 ++ old = base->root;
5406 ++ if (old == peer_avl_empty_rcu)
5407 ++ goto out;
5408 ++
5409 ++ new = peer_avl_empty_rcu;
5410 ++
5411 ++ prev = cmpxchg(&base->root, old, new);
5412 ++ if (prev == old) {
5413 ++ base->total = 0;
5414 ++ call_rcu(&prev->gc_rcu, inetpeer_inval_rcu);
5415 ++ }
5416 ++
5417 ++out:
5418 ++ write_sequnlock_bh(&base->lock);
5419 ++}
5420 ++EXPORT_SYMBOL(inetpeer_invalidate_tree);
5421 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
5422 +index 0bc95f3..daf408e 100644
5423 +--- a/net/ipv4/ip_output.c
5424 ++++ b/net/ipv4/ip_output.c
5425 +@@ -162,7 +162,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
5426 + iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
5427 + iph->saddr = saddr;
5428 + iph->protocol = sk->sk_protocol;
5429 +- ip_select_ident(iph, &rt->dst, sk);
5430 ++ ip_select_ident(skb, &rt->dst, sk);
5431 +
5432 + if (opt && opt->opt.optlen) {
5433 + iph->ihl += opt->opt.optlen>>2;
5434 +@@ -390,7 +390,7 @@ packet_routed:
5435 + ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
5436 + }
5437 +
5438 +- ip_select_ident_more(iph, &rt->dst, sk,
5439 ++ ip_select_ident_more(skb, &rt->dst, sk,
5440 + (skb_shinfo(skb)->gso_segs ?: 1) - 1);
5441 +
5442 + skb->priority = sk->sk_priority;
5443 +@@ -1334,7 +1334,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
5444 + iph->ihl = 5;
5445 + iph->tos = inet->tos;
5446 + iph->frag_off = df;
5447 +- ip_select_ident(iph, &rt->dst, sk);
5448 ++ ip_select_ident(skb, &rt->dst, sk);
5449 + iph->ttl = ttl;
5450 + iph->protocol = sk->sk_protocol;
5451 + iph->saddr = fl4->saddr;
5452 +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
5453 +index 0064394..b5e64e4 100644
5454 +--- a/net/ipv4/ipmr.c
5455 ++++ b/net/ipv4/ipmr.c
5456 +@@ -1576,7 +1576,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
5457 + iph->protocol = IPPROTO_IPIP;
5458 + iph->ihl = 5;
5459 + iph->tot_len = htons(skb->len);
5460 +- ip_select_ident(iph, skb_dst(skb), NULL);
5461 ++ ip_select_ident(skb, skb_dst(skb), NULL);
5462 + ip_send_check(iph);
5463 +
5464 + memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
5465 +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
5466 +index e1d4f30..2815014 100644
5467 +--- a/net/ipv4/raw.c
5468 ++++ b/net/ipv4/raw.c
5469 +@@ -380,7 +380,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
5470 + iph->check = 0;
5471 + iph->tot_len = htons(length);
5472 + if (!iph->id)
5473 +- ip_select_ident(iph, &rt->dst, NULL);
5474 ++ ip_select_ident(skb, &rt->dst, NULL);
5475 +
5476 + iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
5477 + }
5478 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
5479 +index 94cdbc5..c45a155a3 100644
5480 +--- a/net/ipv4/route.c
5481 ++++ b/net/ipv4/route.c
5482 +@@ -939,6 +939,7 @@ static void rt_cache_invalidate(struct net *net)
5483 + get_random_bytes(&shuffle, sizeof(shuffle));
5484 + atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
5485 + redirect_genid++;
5486 ++ inetpeer_invalidate_tree(AF_INET);
5487 + }
5488 +
5489 + /*
5490 +diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
5491 +index f376b05..b78eac2 100644
5492 +--- a/net/ipv4/tcp_cubic.c
5493 ++++ b/net/ipv4/tcp_cubic.c
5494 +@@ -204,8 +204,8 @@ static u32 cubic_root(u64 a)
5495 + */
5496 + static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
5497 + {
5498 +- u64 offs;
5499 +- u32 delta, t, bic_target, max_cnt;
5500 ++ u32 delta, bic_target, max_cnt;
5501 ++ u64 offs, t;
5502 +
5503 + ca->ack_cnt++; /* count the number of ACKs */
5504 +
5505 +@@ -248,9 +248,11 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
5506 + * if the cwnd < 1 million packets !!!
5507 + */
5508 +
5509 ++ t = (s32)(tcp_time_stamp - ca->epoch_start);
5510 ++ t += msecs_to_jiffies(ca->delay_min >> 3);
5511 + /* change the unit from HZ to bictcp_HZ */
5512 +- t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3)
5513 +- - ca->epoch_start) << BICTCP_HZ) / HZ;
5514 ++ t <<= BICTCP_HZ;
5515 ++ do_div(t, HZ);
5516 +
5517 + if (t < ca->bic_K) /* t - K */
5518 + offs = ca->bic_K - t;
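Review bot: `t` is now a `u64`, so the `(s32)` difference assigned to it on the first added line is sign-extended, and a sum that is still negative after the `delay_min` term becomes a very large unsigned time rather than a small one. The comparison `t < ca->bic_K` and the `offs` computation below would then work on that huge value. Where `epoch_start` is set lies outside this hunk, so presumably it never runs ahead of `tcp_time_stamp`. A comment such as `/* epoch_start <= tcp_time_stamp here, so the s32 difference is non-negative */` would record that, if it holds.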
5519 +@@ -412,7 +414,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
5520 + return;
5521 +
5522 + /* Discard delay samples right after fast recovery */
5523 +- if ((s32)(tcp_time_stamp - ca->epoch_start) < HZ)
5524 ++ if (ca->epoch_start && (s32)(tcp_time_stamp - ca->epoch_start) < HZ)
5525 + return;
5526 +
5527 + delay = (rtt_us << 3) / USEC_PER_MSEC;
5528 +diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
5529 +index ed4bf11..938553e 100644
5530 +--- a/net/ipv4/xfrm4_mode_tunnel.c
5531 ++++ b/net/ipv4/xfrm4_mode_tunnel.c
5532 +@@ -54,7 +54,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
5533 +
5534 + top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
5535 + 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
5536 +- ip_select_ident(top_iph, dst->child, NULL);
5537 ++ ip_select_ident(skb, dst->child, NULL);
5538 +
5539 + top_iph->ttl = ip4_dst_hoplimit(dst->child);
5540 +
5541 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
5542 +index 314bda2..5d41293 100644
5543 +--- a/net/ipv6/addrconf.c
5544 ++++ b/net/ipv6/addrconf.c
5545 +@@ -913,12 +913,10 @@ retry:
5546 + if (ifp->flags & IFA_F_OPTIMISTIC)
5547 + addr_flags |= IFA_F_OPTIMISTIC;
5548 +
5549 +- ift = !max_addresses ||
5550 +- ipv6_count_addresses(idev) < max_addresses ?
5551 +- ipv6_add_addr(idev, &addr, tmp_plen,
5552 +- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
5553 +- addr_flags) : NULL;
5554 +- if (!ift || IS_ERR(ift)) {
5555 ++ ift = ipv6_add_addr(idev, &addr, tmp_plen,
5556 ++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
5557 ++ addr_flags);
5558 ++ if (IS_ERR(ift)) {
5559 + in6_ifa_put(ifp);
5560 + in6_dev_put(idev);
5561 + printk(KERN_INFO
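Review bot: The error test after `ipv6_add_addr()` drops the `!ift` half and keeps only `IS_ERR(ift)`, which is correct only if that function can never return NULL. Its definition is not in this hunk; if any path still returns NULL, the code after this block would use a null `ift`. Either confirm that every failure path returns an `ERR_PTR()` value or keep the defensive form, `if (IS_ERR_OR_NULL(ift)) {`. The surrounding function starts and ends outside the hunk.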
5562 +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
5563 +index 90868fb..d505453 100644
5564 +--- a/net/ipv6/icmp.c
5565 ++++ b/net/ipv6/icmp.c
5566 +@@ -911,6 +911,14 @@ static const struct icmp6_err {
5567 + .err = ECONNREFUSED,
5568 + .fatal = 1,
5569 + },
5570 ++ { /* POLICY_FAIL */
5571 ++ .err = EACCES,
5572 ++ .fatal = 1,
5573 ++ },
5574 ++ { /* REJECT_ROUTE */
5575 ++ .err = EACCES,
5576 ++ .fatal = 1,
5577 ++ },
5578 + };
5579 +
5580 + int icmpv6_err_convert(u8 type, u8 code, int *err)
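Review bot: The two new `tab_unreach` entries are matched to their ICMPv6 codes only by position, with the code name in a comment, while the bound in `icmpv6_err_convert()` (next hunk) now follows the array size. An entry added out of order later would pass the bound check and map a code to the wrong errno. Designated initializers keyed by the code constant, in the style `[ICMPV6_PORT_UNREACH] = { .err = ECONNREFUSED, .fatal = 1 },`, would tie each entry to its code. The start of the table is outside the hunk, so the earlier entries would need the same treatment.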
5581 +@@ -922,7 +930,7 @@ int icmpv6_err_convert(u8 type, u8 code, int *err)
5582 + switch (type) {
5583 + case ICMPV6_DEST_UNREACH:
5584 + fatal = 1;
5585 +- if (code <= ICMPV6_PORT_UNREACH) {
5586 ++ if (code < ARRAY_SIZE(tab_unreach)) {
5587 + *err = tab_unreach[code].err;
5588 + fatal = tab_unreach[code].fatal;
5589 + }
5590 +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
5591 +index 93718f3..443724f 100644
5592 +--- a/net/ipv6/ip6_fib.c
5593 ++++ b/net/ipv6/ip6_fib.c
5594 +@@ -862,14 +862,22 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
5595 +
5596 + if (ipv6_prefix_equal(&key->addr, args->addr, key->plen)) {
5597 + #ifdef CONFIG_IPV6_SUBTREES
5598 +- if (fn->subtree)
5599 +- fn = fib6_lookup_1(fn->subtree, args + 1);
5600 ++ if (fn->subtree) {
5601 ++ struct fib6_node *sfn;
5602 ++ sfn = fib6_lookup_1(fn->subtree,
5603 ++ args + 1);
5604 ++ if (!sfn)
5605 ++ goto backtrack;
5606 ++ fn = sfn;
5607 ++ }
5608 + #endif
5609 +- if (!fn || fn->fn_flags & RTN_RTINFO)
5610 ++ if (fn->fn_flags & RTN_RTINFO)
5611 + return fn;
5612 + }
5613 + }
5614 +-
5615 ++#ifdef CONFIG_IPV6_SUBTREES
5616 ++backtrack:
5617 ++#endif
5618 + if (fn->fn_flags & RTN_ROOT)
5619 + break;
5620 +
5621 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
5622 +index db60043..91d0711 100644
5623 +--- a/net/ipv6/ip6_output.c
5624 ++++ b/net/ipv6/ip6_output.c
5625 +@@ -1125,6 +1125,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
5626 + * udp datagram
5627 + */
5628 + if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
5629 ++ struct frag_hdr fhdr;
5630 ++
5631 + skb = sock_alloc_send_skb(sk,
5632 + hh_len + fragheaderlen + transhdrlen + 20,
5633 + (flags & MSG_DONTWAIT), &err);
5634 +@@ -1145,12 +1147,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
5635 +
5636 + skb->ip_summed = CHECKSUM_PARTIAL;
5637 + skb->csum = 0;
5638 +- }
5639 +-
5640 +- err = skb_append_datato_frags(sk,skb, getfrag, from,
5641 +- (length - transhdrlen));
5642 +- if (!err) {
5643 +- struct frag_hdr fhdr;
5644 +
5645 + /* Specify the length of each IPv6 datagram fragment.
5646 + * It has to be a multiple of 8.
5647 +@@ -1161,15 +1157,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
5648 + ipv6_select_ident(&fhdr, rt);
5649 + skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
5650 + __skb_queue_tail(&sk->sk_write_queue, skb);
5651 +-
5652 +- return 0;
5653 + }
5654 +- /* There is not enough support do UPD LSO,
5655 +- * so follow normal path
5656 +- */
5657 +- kfree_skb(skb);
5658 +
5659 +- return err;
5660 ++ return skb_append_datato_frags(sk, skb, getfrag, from,
5661 ++ (length - transhdrlen));
5662 + }
5663 +
5664 + static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
5665 +@@ -1342,27 +1333,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
5666 + * --yoshfuji
5667 + */
5668 +
5669 +- cork->length += length;
5670 +- if (length > mtu) {
5671 +- int proto = sk->sk_protocol;
5672 +- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
5673 +- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
5674 +- return -EMSGSIZE;
5675 +- }
5676 +-
5677 +- if (proto == IPPROTO_UDP &&
5678 +- (rt->dst.dev->features & NETIF_F_UFO)) {
5679 ++ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
5680 ++ sk->sk_protocol == IPPROTO_RAW)) {
5681 ++ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
5682 ++ return -EMSGSIZE;
5683 ++ }
5684 +
5685 +- err = ip6_ufo_append_data(sk, getfrag, from, length,
5686 +- hh_len, fragheaderlen,
5687 +- transhdrlen, mtu, flags, rt);
5688 +- if (err)
5689 +- goto error;
5690 +- return 0;
5691 +- }
5692 ++ skb = skb_peek_tail(&sk->sk_write_queue);
5693 ++ cork->length += length;
5694 ++ if (((length > mtu) ||
5695 ++ (skb && skb_is_gso(skb))) &&
5696 ++ (sk->sk_protocol == IPPROTO_UDP) &&
5697 ++ (rt->dst.dev->features & NETIF_F_UFO)) {
5698 ++ err = ip6_ufo_append_data(sk, getfrag, from, length,
5699 ++ hh_len, fragheaderlen,
5700 ++ transhdrlen, mtu, flags, rt);
5701 ++ if (err)
5702 ++ goto error;
5703 ++ return 0;
5704 + }
5705 +
5706 +- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
5707 ++ if (!skb)
5708 + goto alloc_new_skb;
5709 +
5710 + while (length > 0) {
5711 +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
5712 +index c7ec4bb..d20a9be 100644
5713 +--- a/net/ipv6/mcast.c
5714 ++++ b/net/ipv6/mcast.c
5715 +@@ -2159,7 +2159,7 @@ static void mld_gq_timer_expire(unsigned long data)
5716 +
5717 + idev->mc_gq_running = 0;
5718 + mld_send_report(idev, NULL);
5719 +- __in6_dev_put(idev);
5720 ++ in6_dev_put(idev);
5721 + }
5722 +
5723 + static void mld_ifc_timer_expire(unsigned long data)
5724 +@@ -2172,7 +2172,7 @@ static void mld_ifc_timer_expire(unsigned long data)
5725 + if (idev->mc_ifc_count)
5726 + mld_ifc_start_timer(idev, idev->mc_maxdelay);
5727 + }
5728 +- __in6_dev_put(idev);
5729 ++ in6_dev_put(idev);
5730 + }
5731 +
5732 + static void mld_ifc_event(struct inet6_dev *idev)
5733 +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
5734 +index 9ffc37f..bc55358 100644
5735 +--- a/net/ipv6/ndisc.c
5736 ++++ b/net/ipv6/ndisc.c
5737 +@@ -447,7 +447,6 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
5738 + struct sk_buff *skb;
5739 + struct icmp6hdr *hdr;
5740 + int len;
5741 +- int err;
5742 + u8 *opt;
5743 +
5744 + if (!dev->addr_len)
5745 +@@ -457,14 +456,12 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
5746 + if (llinfo)
5747 + len += ndisc_opt_addr_space(dev);
5748 +
5749 +- skb = sock_alloc_send_skb(sk,
5750 +- (MAX_HEADER + sizeof(struct ipv6hdr) +
5751 +- len + LL_ALLOCATED_SPACE(dev)),
5752 +- 1, &err);
5753 ++ skb = alloc_skb((MAX_HEADER + sizeof(struct ipv6hdr) +
5754 ++ len + LL_ALLOCATED_SPACE(dev)), GFP_ATOMIC);
5755 + if (!skb) {
5756 + ND_PRINTK0(KERN_ERR
5757 +- "ICMPv6 ND: %s() failed to allocate an skb, err=%d.\n",
5758 +- __func__, err);
5759 ++ "ICMPv6 ND: %s() failed to allocate an skb.\n",
5760 ++ __func__);
5761 + return NULL;
5762 + }
5763 +
5764 +@@ -492,6 +489,11 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
5765 + csum_partial(hdr,
5766 + len, 0));
5767 +
5768 ++ /* Manually assign socket ownership as we avoid calling
5769 ++ * sock_alloc_send_pskb() to bypass wmem buffer limits
5770 ++ */
5771 ++ skb_set_owner_w(skb, sk);
5772 ++
5773 + return skb;
5774 + }
5775 +
5776 +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
5777 +index 411fe2c..eba5deb 100644
5778 +--- a/net/ipv6/reassembly.c
5779 ++++ b/net/ipv6/reassembly.c
5780 +@@ -517,6 +517,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
5781 + head->tstamp = fq->q.stamp;
5782 + ipv6_hdr(head)->payload_len = htons(payload_len);
5783 + IP6CB(head)->nhoff = nhoff;
5784 ++ IP6CB(head)->flags |= IP6SKB_FRAGMENTED;
5785 +
5786 + /* Yes, and fold redundant checksum back. 8) */
5787 + if (head->ip_summed == CHECKSUM_COMPLETE)
5788 +@@ -552,6 +553,9 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
5789 + const struct ipv6hdr *hdr = ipv6_hdr(skb);
5790 + struct net *net = dev_net(skb_dst(skb)->dev);
5791 +
5792 ++ if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
5793 ++ goto fail_hdr;
5794 ++
5795 + IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
5796 +
5797 + /* Jumbo payload inhibits frag. header */
5798 +@@ -572,6 +576,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
5799 + ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);
5800 +
5801 + IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
5802 ++ IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
5803 + return 1;
5804 + }
5805 +
5806 +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
5807 +index aa2d720..38c0813 100644
5808 +--- a/net/netfilter/ipvs/ip_vs_xmit.c
5809 ++++ b/net/netfilter/ipvs/ip_vs_xmit.c
5810 +@@ -853,7 +853,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
5811 + iph->daddr = cp->daddr.ip;
5812 + iph->saddr = saddr;
5813 + iph->ttl = old_iph->ttl;
5814 +- ip_select_ident(iph, &rt->dst, NULL);
5815 ++ ip_select_ident(skb, &rt->dst, NULL);
5816 +
5817 + /* Another hack: avoid icmp_send in ip_fragment */
5818 + skb->local_df = 1;
5819 +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
5820 +index f08b9166..caa5aff 100644
5821 +--- a/net/sched/sch_htb.c
5822 ++++ b/net/sched/sch_htb.c
5823 +@@ -86,7 +86,7 @@ struct htb_class {
5824 + unsigned int children;
5825 + struct htb_class *parent; /* parent class */
5826 +
5827 +- int prio; /* these two are used only by leaves... */
5828 ++ u32 prio; /* these two are used only by leaves... */
5829 + int quantum; /* but stored for parent-to-leaf return */
5830 +
5831 + union {
5832 +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
5833 +index 8104278..0b6a391 100644
5834 +--- a/net/sctp/ipv6.c
5835 ++++ b/net/sctp/ipv6.c
5836 +@@ -205,45 +205,24 @@ out:
5837 + in6_dev_put(idev);
5838 + }
5839 +
5840 +-/* Based on tcp_v6_xmit() in tcp_ipv6.c. */
5841 + static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
5842 + {
5843 + struct sock *sk = skb->sk;
5844 + struct ipv6_pinfo *np = inet6_sk(sk);
5845 +- struct flowi6 fl6;
5846 +-
5847 +- memset(&fl6, 0, sizeof(fl6));
5848 +-
5849 +- fl6.flowi6_proto = sk->sk_protocol;
5850 +-
5851 +- /* Fill in the dest address from the route entry passed with the skb
5852 +- * and the source address from the transport.
5853 +- */
5854 +- ipv6_addr_copy(&fl6.daddr, &transport->ipaddr.v6.sin6_addr);
5855 +- ipv6_addr_copy(&fl6.saddr, &transport->saddr.v6.sin6_addr);
5856 +-
5857 +- fl6.flowlabel = np->flow_label;
5858 +- IP6_ECN_flow_xmit(sk, fl6.flowlabel);
5859 +- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL)
5860 +- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id;
5861 +- else
5862 +- fl6.flowi6_oif = sk->sk_bound_dev_if;
5863 +-
5864 +- if (np->opt && np->opt->srcrt) {
5865 +- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
5866 +- ipv6_addr_copy(&fl6.daddr, rt0->addr);
5867 +- }
5868 ++ struct flowi6 *fl6 = &transport->fl.u.ip6;
5869 +
5870 + SCTP_DEBUG_PRINTK("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n",
5871 + __func__, skb, skb->len,
5872 +- &fl6.saddr, &fl6.daddr);
5873 ++ &fl6->saddr, &fl6->daddr);
5874 +
5875 +- SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
5876 ++ IP6_ECN_flow_xmit(sk, fl6->flowlabel);
5877 +
5878 + if (!(transport->param_flags & SPP_PMTUD_ENABLE))
5879 + skb->local_df = 1;
5880 +
5881 +- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
5882 ++ SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
5883 ++
5884 ++ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
5885 + }
5886 +
5887 + /* Returns the dst cache entry for the given source and destination ip
5888 +@@ -256,10 +235,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
5889 + struct dst_entry *dst = NULL;
5890 + struct flowi6 *fl6 = &fl->u.ip6;
5891 + struct sctp_bind_addr *bp;
5892 ++ struct ipv6_pinfo *np = inet6_sk(sk);
5893 + struct sctp_sockaddr_entry *laddr;
5894 + union sctp_addr *baddr = NULL;
5895 + union sctp_addr *daddr = &t->ipaddr;
5896 + union sctp_addr dst_saddr;
5897 ++ struct in6_addr *final_p, final;
5898 + __u8 matchlen = 0;
5899 + __u8 bmatchlen;
5900 + sctp_scope_t scope;
5901 +@@ -282,7 +263,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
5902 + SCTP_DEBUG_PRINTK("SRC=%pI6 - ", &fl6->saddr);
5903 + }
5904 +
5905 +- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
5906 ++ final_p = fl6_update_dst(fl6, np->opt, &final);
5907 ++ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
5908 + if (!asoc || saddr)
5909 + goto out;
5910 +
5911 +@@ -333,10 +315,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
5912 + }
5913 + }
5914 + rcu_read_unlock();
5915 ++
5916 + if (baddr) {
5917 + ipv6_addr_copy(&fl6->saddr, &baddr->v6.sin6_addr);
5918 + fl6->fl6_sport = baddr->v6.sin6_port;
5919 +- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
5920 ++ final_p = fl6_update_dst(fl6, np->opt, &final);
5921 ++ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
5922 + }
5923 +
5924 + out:
5925 +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
5926 +index 9032d50..76388b0 100644
5927 +--- a/net/sctp/sm_sideeffect.c
5928 ++++ b/net/sctp/sm_sideeffect.c
5929 +@@ -1604,9 +1604,8 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
5930 + asoc->outqueue.outstanding_bytes;
5931 + sackh.num_gap_ack_blocks = 0;
5932 + sackh.num_dup_tsns = 0;
5933 +- chunk->subh.sack_hdr = &sackh;
5934 + sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
5935 +- SCTP_CHUNK(chunk));
5936 ++ SCTP_SACKH(&sackh));
5937 + break;
5938 +
5939 + case SCTP_CMD_DISCARD_PACKET:
5940 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
5941 +index ba0108f..c53d01e 100644
5942 +--- a/net/sctp/socket.c
5943 ++++ b/net/sctp/socket.c
5944 +@@ -814,6 +814,9 @@ static int sctp_send_asconf_del_ip(struct sock *sk,
5945 + goto skip_mkasconf;
5946 + }
5947 +
5948 ++ if (laddr == NULL)
5949 ++ return -EINVAL;
5950 ++
5951 + /* We do not need RCU protection throughout this loop
5952 + * because this is done under a socket lock from the
5953 + * setsockopt call.
5954 +diff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c
5955 +index e728d4c..a224a38 100644
5956 +--- a/net/tipc/eth_media.c
5957 ++++ b/net/tipc/eth_media.c
5958 +@@ -53,6 +53,7 @@ struct eth_bearer {
5959 + struct tipc_bearer *bearer;
5960 + struct net_device *dev;
5961 + struct packet_type tipc_packet_type;
5962 ++ struct work_struct setup;
5963 + };
5964 +
5965 + static struct eth_bearer eth_bearers[MAX_ETH_BEARERS];
5966 +@@ -121,6 +122,17 @@ static int recv_msg(struct sk_buff *buf, struct net_device *dev,
5967 + }
5968 +
5969 + /**
5970 ++ * setup_bearer - setup association between Ethernet bearer and interface
5971 ++ */
5972 ++static void setup_bearer(struct work_struct *work)
5973 ++{
5974 ++ struct eth_bearer *eb_ptr =
5975 ++ container_of(work, struct eth_bearer, setup);
5976 ++
5977 ++ dev_add_pack(&eb_ptr->tipc_packet_type);
5978 ++}
5979 ++
5980 ++/**
5981 + * enable_bearer - attach TIPC bearer to an Ethernet interface
5982 + */
5983 +
5984 +@@ -164,7 +176,8 @@ static int enable_bearer(struct tipc_bearer *tb_ptr)
5985 + eb_ptr->tipc_packet_type.func = recv_msg;
5986 + eb_ptr->tipc_packet_type.af_packet_priv = eb_ptr;
5987 + INIT_LIST_HEAD(&(eb_ptr->tipc_packet_type.list));
5988 +- dev_add_pack(&eb_ptr->tipc_packet_type);
5989 ++ INIT_WORK(&eb_ptr->setup, setup_bearer);
5990 ++ schedule_work(&eb_ptr->setup);
5991 +
5992 + /* Associate TIPC bearer with Ethernet bearer */
5993 +
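Review bot: enable_bearer now only queues `setup`, so `dev_add_pack()` runs later on the workqueue, and none of the three eth_media.c hunks waits for or cancels that work on the disable path. If the bearer is disabled, or its eth_bearers[] slot reused, before setup_bearer runs, the packet handler could be registered after teardown and recv_msg would be called for a bearer that is no longer attached. Unless disable_bearer, which is outside these hunks, already covers this, the teardown path should cancel or flush the pending work before the packet type is removed, for example `cancel_work_sync(&eb_ptr->setup);` in a context where sleeping is allowed. The new kernel-doc block for setup_bearer also lacks an `@work:` line.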
5994 +diff --git a/scripts/kernel-doc b/scripts/kernel-doc
5995 +index d793001..ba3d9df 100755
5996 +--- a/scripts/kernel-doc
5997 ++++ b/scripts/kernel-doc
5998 +@@ -2044,6 +2044,9 @@ sub process_file($) {
5999 +
6000 + $section_counter = 0;
6001 + while (<IN>) {
6002 ++ while (s/\\\s*$//) {
6003 ++ $_ .= <IN>;
6004 ++ }
6005 + if ($state == 0) {
6006 + if (/$doc_start/o) {
6007 + $state = 1; # next line is always the function name
6008 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
6009 +index a166a85..7ebe4b7 100644
6010 +--- a/sound/pci/hda/hda_intel.c
6011 ++++ b/sound/pci/hda/hda_intel.c
6012 +@@ -2621,6 +2621,7 @@ static struct snd_pci_quirk msi_black_list[] __devinitdata = {
6013 + SND_PCI_QUIRK(0x1043, 0x81f2, "ASUS", 0), /* Athlon64 X2 + nvidia */
6014 + SND_PCI_QUIRK(0x1043, 0x81f6, "ASUS", 0), /* nvidia */
6015 + SND_PCI_QUIRK(0x1043, 0x822d, "ASUS", 0), /* Athlon64 X2 + nvidia MCP55 */
6016 ++ SND_PCI_QUIRK(0x1179, 0xfb44, "Toshiba Satellite C870", 0), /* AMD Hudson */
6017 + SND_PCI_QUIRK(0x1849, 0x0888, "ASRock", 0), /* Athlon64 X2 + nvidia */
6018 + SND_PCI_QUIRK(0xa0a0, 0x0575, "Aopen MZ915-M", 0), /* ICH6 */
6019 + {}
6020 +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
6021 +index 55d9b30..05f097a 100644
6022 +--- a/sound/pci/hda/patch_hdmi.c
6023 ++++ b/sound/pci/hda/patch_hdmi.c
6024 +@@ -512,6 +512,17 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
6025 + }
6026 + }
6027 +
6028 ++ if (!ca) {
6029 ++ /* if there was no match, select the regular ALSA channel
6030 ++ * allocation with the matching number of channels */
6031 ++ for (i = 0; i < ARRAY_SIZE(channel_allocations); i++) {
6032 ++ if (channels == channel_allocations[i].channels) {
6033 ++ ca = channel_allocations[i].ca_index;
6034 ++ break;
6035 ++ }
6036 ++ }
6037 ++ }
6038 ++
6039 + snd_print_channel_allocation(eld->spk_alloc, buf, sizeof(buf));
6040 + snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n",
6041 + ca, channels, buf);
6042 +diff --git a/sound/soc/codecs/88pm860x-codec.c b/sound/soc/codecs/88pm860x-codec.c
6043 +index 5ca122e..290f4d3 100644
6044 +--- a/sound/soc/codecs/88pm860x-codec.c
6045 ++++ b/sound/soc/codecs/88pm860x-codec.c
6046 +@@ -351,6 +351,9 @@ static int snd_soc_put_volsw_2r_st(struct snd_kcontrol *kcontrol,
6047 + val = ucontrol->value.integer.value[0];
6048 + val2 = ucontrol->value.integer.value[1];
6049 +
6050 ++ if (val >= ARRAY_SIZE(st_table) || val2 >= ARRAY_SIZE(st_table))
6051 ++ return -EINVAL;
6052 ++
6053 + err = snd_soc_update_bits(codec, reg, 0x3f, st_table[val].m);
6054 + if (err < 0)
6055 + return err;
6056 +diff --git a/sound/soc/codecs/max98095.c b/sound/soc/codecs/max98095.c
6057 +index 26d7b08..a52c15b 100644
6058 +--- a/sound/soc/codecs/max98095.c
6059 ++++ b/sound/soc/codecs/max98095.c
6060 +@@ -1861,7 +1861,7 @@ static int max98095_put_eq_enum(struct snd_kcontrol *kcontrol,
6061 + struct max98095_pdata *pdata = max98095->pdata;
6062 + int channel = max98095_get_eq_channel(kcontrol->id.name);
6063 + struct max98095_cdata *cdata;
6064 +- int sel = ucontrol->value.integer.value[0];
6065 ++ unsigned int sel = ucontrol->value.integer.value[0];
6066 + struct max98095_eq_cfg *coef_set;
6067 + int fs, best, best_val, i;
6068 + int regmask, regsave;
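Review bot: Switching `sel` to `unsigned int` is the whole fix here and in the max98095_put_bq_enum hunk that follows, yet nothing at either declaration says why, and the range check it is meant to strengthen is outside both hunks. Presumably a negative control value from userspace used to pass an upper-bound-only comparison and index the coefficient table out of range; with the unsigned type it converts to a large value and is rejected. I would document that at the declaration, e.g. `/* unsigned so a negative control value fails the upper-bound check */`. Alternatively the check itself could reject `sel < 0` explicitly, so the bound does not rest on an implicit conversion.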
6069 +@@ -2014,7 +2014,7 @@ static int max98095_put_bq_enum(struct snd_kcontrol *kcontrol,
6070 + struct max98095_pdata *pdata = max98095->pdata;
6071 + int channel = max98095_get_bq_channel(codec, kcontrol->id.name);
6072 + struct max98095_cdata *cdata;
6073 +- int sel = ucontrol->value.integer.value[0];
6074 ++ unsigned int sel = ucontrol->value.integer.value[0];
6075 + struct max98095_biquad_cfg *coef_set;
6076 + int fs, best, best_val, i;
6077 + int regmask, regsave;
6078 +diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c
6079 +index 2df253c..ef96ca6 100644
6080 +--- a/sound/soc/codecs/wm8960.c
6081 ++++ b/sound/soc/codecs/wm8960.c
6082 +@@ -805,9 +805,9 @@ static int wm8960_set_dai_pll(struct snd_soc_dai *codec_dai, int pll_id,
6083 + if (pll_div.k) {
6084 + reg |= 0x20;
6085 +
6086 +- snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 18) & 0x3f);
6087 +- snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 9) & 0x1ff);
6088 +- snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0x1ff);
6089 ++ snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 16) & 0xff);
6090 ++ snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 8) & 0xff);
6091 ++ snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0xff);
6092 + }
6093 + snd_soc_write(codec, WM8960_PLL1, reg);
6094 +
6095 +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
6096 +index 42dffa0..f7a7b9d 100644
6097 +--- a/tools/perf/util/map.c
6098 ++++ b/tools/perf/util/map.c
6099 +@@ -16,6 +16,7 @@ const char *map_type__name[MAP__NR_TYPES] = {
6100 + static inline int is_anon_memory(const char *filename)
6101 + {
6102 + return !strcmp(filename, "//anon") ||
6103 ++ !strcmp(filename, "/dev/zero (deleted)") ||
6104 + !strcmp(filename, "/anon_hugepage (deleted)");
6105 + }
6106 +
6107
6108 diff --git a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201310260849.patch b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201310271550.patch
6109 similarity index 99%
6110 rename from 3.2.51/4420_grsecurity-2.9.1-3.2.51-201310260849.patch
6111 rename to 3.2.52/4420_grsecurity-2.9.1-3.2.52-201310271550.patch
6112 index 0ea9ee0..82cc38f 100644
6113 --- a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201310260849.patch
6114 +++ b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201310271550.patch
6115 @@ -270,7 +270,7 @@ index 88fd7f5..b318a78 100644
6116 ==============================================================
6117
6118 diff --git a/Makefile b/Makefile
6119 -index 0f11936..8f1b567 100644
6120 +index 1dd2c09..6f850c4 100644
6121 --- a/Makefile
6122 +++ b/Makefile
6123 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
6124 @@ -4997,10 +4997,10 @@ index f2496f2..4e3cc47 100644
6125 }
6126 #endif
6127 diff --git a/arch/powerpc/kernel/sysfs.c b/arch/powerpc/kernel/sysfs.c
6128 -index 55be64d..94d8783 100644
6129 +index ca683a1..ab912dd 100644
6130 --- a/arch/powerpc/kernel/sysfs.c
6131 +++ b/arch/powerpc/kernel/sysfs.c
6132 -@@ -517,7 +517,7 @@ static int __cpuinit sysfs_cpu_notify(struct notifier_block *self,
6133 +@@ -531,7 +531,7 @@ static int __cpuinit sysfs_cpu_notify(struct notifier_block *self,
6134 return NOTIFY_OK;
6135 }
6136
6137 @@ -6979,7 +6979,7 @@ index 5e4252b..379f84f 100644
6138 mm->unmap_area = arch_unmap_area_topdown;
6139 }
6140 diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
6141 -index 7f5f65d..3308382 100644
6142 +index 817187d..1d4541e 100644
6143 --- a/arch/sparc/kernel/syscalls.S
6144 +++ b/arch/sparc/kernel/syscalls.S
6145 @@ -62,7 +62,7 @@ sys32_rt_sigreturn:
6146 @@ -6993,13 +6993,13 @@ index 7f5f65d..3308382 100644
6147 call syscall_trace_leave
6148 @@ -179,7 +179,7 @@ linux_sparc_syscall32:
6149
6150 - srl %i5, 0, %o5 ! IEU1
6151 + srl %i3, 0, %o3 ! IEU0
6152 srl %i2, 0, %o2 ! IEU0 Group
6153 - andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
6154 + andcc %l0, _TIF_WORK_SYSCALL, %g0
6155 bne,pn %icc, linux_syscall_trace32 ! CTI
6156 mov %i0, %l5 ! IEU1
6157 - call %l7 ! CTI Group brk forced
6158 + 5: call %l7 ! CTI Group brk forced
6159 @@ -202,7 +202,7 @@ linux_sparc_syscall:
6160
6161 mov %i3, %o3 ! IEU1
6162 @@ -7628,10 +7628,10 @@ index 59186e0..f747d7a 100644
6163 cmp %g1, %g7
6164 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6165 diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
6166 -index 1b30bb3..b4a16c7 100644
6167 +index fbb8005..984a269 100644
6168 --- a/arch/sparc/lib/ksyms.c
6169 +++ b/arch/sparc/lib/ksyms.c
6170 -@@ -142,12 +142,18 @@ EXPORT_SYMBOL(__downgrade_write);
6171 +@@ -133,12 +133,18 @@ EXPORT_SYMBOL(__clear_user);
6172
6173 /* Atomic counter implementation. */
6174 EXPORT_SYMBOL(atomic_add);
6175 @@ -20837,7 +20837,7 @@ index 42eb330..139955c 100644
6176
6177 return ret;
6178 diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
6179 -index 47f4e5f..849a8a6 100644
6180 +index a4e1b4b..0460044 100644
6181 --- a/arch/x86/kernel/reboot.c
6182 +++ b/arch/x86/kernel/reboot.c
6183 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
6184 @@ -20922,7 +20922,7 @@ index 47f4e5f..849a8a6 100644
6185 }
6186 #ifdef CONFIG_APM_MODULE
6187 EXPORT_SYMBOL(machine_real_restart);
6188 -@@ -548,7 +580,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
6189 +@@ -564,7 +596,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
6190 * try to force a triple fault and then cycle between hitting the keyboard
6191 * controller and doing that
6192 */
6193 @@ -20931,7 +20931,7 @@ index 47f4e5f..849a8a6 100644
6194 {
6195 int i;
6196 int attempt = 0;
6197 -@@ -672,13 +704,13 @@ void native_machine_shutdown(void)
6198 +@@ -688,13 +720,13 @@ void native_machine_shutdown(void)
6199 #endif
6200 }
6201
6202 @@ -20947,7 +20947,7 @@ index 47f4e5f..849a8a6 100644
6203 {
6204 printk("machine restart\n");
6205
6206 -@@ -687,7 +719,7 @@ static void native_machine_restart(char *__unused)
6207 +@@ -703,7 +735,7 @@ static void native_machine_restart(char *__unused)
6208 __machine_emergency_restart(0);
6209 }
6210
6211 @@ -20956,7 +20956,7 @@ index 47f4e5f..849a8a6 100644
6212 {
6213 /* stop other cpus and apics */
6214 machine_shutdown();
6215 -@@ -698,7 +730,7 @@ static void native_machine_halt(void)
6216 +@@ -714,7 +746,7 @@ static void native_machine_halt(void)
6217 stop_this_cpu(NULL);
6218 }
6219
6220 @@ -20965,7 +20965,7 @@ index 47f4e5f..849a8a6 100644
6221 {
6222 if (pm_power_off) {
6223 if (!reboot_force)
6224 -@@ -707,9 +739,10 @@ static void native_machine_power_off(void)
6225 +@@ -723,9 +755,10 @@ static void native_machine_power_off(void)
6226 }
6227 /* a fallback in case there is no PM info available */
6228 tboot_shutdown(TB_SHUTDOWN_HALT);
6229 @@ -30374,10 +30374,10 @@ index 9e76a32..48d7145 100644
6230 goto error;
6231
6232 diff --git a/crypto/api.c b/crypto/api.c
6233 -index 033a714..4f98dd5 100644
6234 +index cea3cf6..86a0f6f 100644
6235 --- a/crypto/api.c
6236 +++ b/crypto/api.c
6237 -@@ -40,6 +40,8 @@ static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
6238 +@@ -42,6 +42,8 @@ static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
6239 return alg;
6240 }
6241
6242 @@ -30386,19 +30386,6 @@ index 033a714..4f98dd5 100644
6243 struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
6244 {
6245 return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
6246 -@@ -150,8 +152,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
6247 - }
6248 - up_write(&crypto_alg_sem);
6249 -
6250 -- if (alg != &larval->alg)
6251 -+ if (alg != &larval->alg) {
6252 - kfree(larval);
6253 -+ if (crypto_is_larval(alg))
6254 -+ alg = crypto_larval_wait(alg);
6255 -+ }
6256 -
6257 - return alg;
6258 - }
6259 diff --git a/crypto/cryptd.c b/crypto/cryptd.c
6260 index 7bdd61b..afec999 100644
6261 --- a/crypto/cryptd.c
6262 @@ -31884,18 +31871,10 @@ index e8d11b6..7b1b36f 100644
6263 }
6264 EXPORT_SYMBOL_GPL(unregister_syscore_ops);
6265 diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
6266 -index d3446f6..61ddf2c 100644
6267 +index d7ad865..61ddf2c 100644
6268 --- a/drivers/block/cciss.c
6269 +++ b/drivers/block/cciss.c
6270 -@@ -1186,6 +1186,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
6271 - int err;
6272 - u32 cp;
6273 -
6274 -+ memset(&arg64, 0, sizeof(arg64));
6275 - err = 0;
6276 - err |=
6277 - copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
6278 -@@ -3007,7 +3008,7 @@ static void start_io(ctlr_info_t *h)
6279 +@@ -3008,7 +3008,7 @@ static void start_io(ctlr_info_t *h)
6280 while (!list_empty(&h->reqQ)) {
6281 c = list_entry(h->reqQ.next, CommandList_struct, list);
6282 /* can't do anything if fifo is full */
6283 @@ -31904,7 +31883,7 @@ index d3446f6..61ddf2c 100644
6284 dev_warn(&h->pdev->dev, "fifo full\n");
6285 break;
6286 }
6287 -@@ -3017,7 +3018,7 @@ static void start_io(ctlr_info_t *h)
6288 +@@ -3018,7 +3018,7 @@ static void start_io(ctlr_info_t *h)
6289 h->Qdepth--;
6290
6291 /* Tell the controller execute command */
6292 @@ -31913,7 +31892,7 @@ index d3446f6..61ddf2c 100644
6293
6294 /* Put job onto the completed Q */
6295 addQ(&h->cmpQ, c);
6296 -@@ -3443,17 +3444,17 @@ startio:
6297 +@@ -3444,17 +3444,17 @@ startio:
6298
6299 static inline unsigned long get_next_completion(ctlr_info_t *h)
6300 {
6301 @@ -31934,7 +31913,7 @@ index d3446f6..61ddf2c 100644
6302 (h->interrupts_enabled == 0));
6303 }
6304
6305 -@@ -3486,7 +3487,7 @@ static inline u32 next_command(ctlr_info_t *h)
6306 +@@ -3487,7 +3487,7 @@ static inline u32 next_command(ctlr_info_t *h)
6307 u32 a;
6308
6309 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
6310 @@ -31943,7 +31922,7 @@ index d3446f6..61ddf2c 100644
6311
6312 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
6313 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
6314 -@@ -4044,7 +4045,7 @@ static void __devinit cciss_put_controller_into_performant_mode(ctlr_info_t *h)
6315 +@@ -4045,7 +4045,7 @@ static void __devinit cciss_put_controller_into_performant_mode(ctlr_info_t *h)
6316 trans_support & CFGTBL_Trans_use_short_tags);
6317
6318 /* Change the access methods to the performant access methods */
6319 @@ -31952,7 +31931,7 @@ index d3446f6..61ddf2c 100644
6320 h->transMethod = CFGTBL_Trans_Performant;
6321
6322 return;
6323 -@@ -4316,7 +4317,7 @@ static int __devinit cciss_pci_init(ctlr_info_t *h)
6324 +@@ -4317,7 +4317,7 @@ static int __devinit cciss_pci_init(ctlr_info_t *h)
6325 if (prod_index < 0)
6326 return -ENODEV;
6327 h->product_name = products[prod_index].product_name;
6328 @@ -31961,7 +31940,7 @@ index d3446f6..61ddf2c 100644
6329
6330 if (cciss_board_disabled(h)) {
6331 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
6332 -@@ -5041,7 +5042,7 @@ reinit_after_soft_reset:
6333 +@@ -5042,7 +5042,7 @@ reinit_after_soft_reset:
6334 }
6335
6336 /* make sure the board interrupts are off */
6337 @@ -31970,7 +31949,7 @@ index d3446f6..61ddf2c 100644
6338 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
6339 if (rc)
6340 goto clean2;
6341 -@@ -5093,7 +5094,7 @@ reinit_after_soft_reset:
6342 +@@ -5094,7 +5094,7 @@ reinit_after_soft_reset:
6343 * fake ones to scoop up any residual completions.
6344 */
6345 spin_lock_irqsave(&h->lock, flags);
6346 @@ -31979,7 +31958,7 @@ index d3446f6..61ddf2c 100644
6347 spin_unlock_irqrestore(&h->lock, flags);
6348 free_irq(h->intr[h->intr_mode], h);
6349 rc = cciss_request_irq(h, cciss_msix_discard_completions,
6350 -@@ -5113,9 +5114,9 @@ reinit_after_soft_reset:
6351 +@@ -5114,9 +5114,9 @@ reinit_after_soft_reset:
6352 dev_info(&h->pdev->dev, "Board READY.\n");
6353 dev_info(&h->pdev->dev,
6354 "Waiting for stale completions to drain.\n");
6355 @@ -31991,7 +31970,7 @@ index d3446f6..61ddf2c 100644
6356
6357 rc = controller_reset_failed(h->cfgtable);
6358 if (rc)
6359 -@@ -5138,7 +5139,7 @@ reinit_after_soft_reset:
6360 +@@ -5139,7 +5139,7 @@ reinit_after_soft_reset:
6361 cciss_scsi_setup(h);
6362
6363 /* Turn the interrupts on so we can service requests */
6364 @@ -32000,7 +31979,7 @@ index d3446f6..61ddf2c 100644
6365
6366 /* Get the firmware version */
6367 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
6368 -@@ -5211,7 +5212,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
6369 +@@ -5212,7 +5212,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
6370 kfree(flush_buf);
6371 if (return_code != IO_OK)
6372 dev_warn(&h->pdev->dev, "Error flushing cache\n");
6373 @@ -32023,7 +32002,7 @@ index 7fda30e..eb5dfe0 100644
6374 /* queue and queue Info */
6375 struct list_head reqQ;
6376 diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
6377 -index 9125bbe..eede5c8 100644
6378 +index 504bc16..e13b631 100644
6379 --- a/drivers/block/cpqarray.c
6380 +++ b/drivers/block/cpqarray.c
6381 @@ -404,7 +404,7 @@ static int __devinit cpqarray_register_ctlr( int i, struct pci_dev *pdev)
6382 @@ -32098,7 +32077,7 @@ index 9125bbe..eede5c8 100644
6383 a1 = a; a &= ~3;
6384 if ((c = h->cmpQ) == NULL)
6385 {
6386 -@@ -1449,11 +1449,11 @@ static int sendcmd(
6387 +@@ -1450,11 +1450,11 @@ static int sendcmd(
6388 /*
6389 * Disable interrupt
6390 */
6391 @@ -32112,7 +32091,7 @@ index 9125bbe..eede5c8 100644
6392 if (temp != 0) {
6393 break;
6394 }
6395 -@@ -1466,7 +1466,7 @@ DBG(
6396 +@@ -1467,7 +1467,7 @@ DBG(
6397 /*
6398 * Send the cmd
6399 */
6400 @@ -32121,7 +32100,7 @@ index 9125bbe..eede5c8 100644
6401 complete = pollcomplete(ctlr);
6402
6403 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
6404 -@@ -1549,9 +1549,9 @@ static int revalidate_allvol(ctlr_info_t *host)
6405 +@@ -1550,9 +1550,9 @@ static int revalidate_allvol(ctlr_info_t *host)
6406 * we check the new geometry. Then turn interrupts back on when
6407 * we're done.
6408 */
6409 @@ -32133,7 +32112,7 @@ index 9125bbe..eede5c8 100644
6410
6411 for(i=0; i<NWD; i++) {
6412 struct gendisk *disk = ida_gendisk[ctlr][i];
6413 -@@ -1591,7 +1591,7 @@ static int pollcomplete(int ctlr)
6414 +@@ -1592,7 +1592,7 @@ static int pollcomplete(int ctlr)
6415 /* Wait (up to 2 seconds) for a command to complete */
6416
6417 for (i = 200000; i > 0; i--) {
6418 @@ -35263,10 +35242,10 @@ index a9e33ce..09edd4b 100644
6419
6420 #endif
6421 diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
6422 -index f5962a0..a542c90 100644
6423 +index a68057a..f3e26dd 100644
6424 --- a/drivers/gpu/drm/radeon/evergreen.c
6425 +++ b/drivers/gpu/drm/radeon/evergreen.c
6426 -@@ -3077,7 +3077,9 @@ static int evergreen_startup(struct radeon_device *rdev)
6427 +@@ -3094,7 +3094,9 @@ static int evergreen_startup(struct radeon_device *rdev)
6428 r = evergreen_blit_init(rdev);
6429 if (r) {
6430 r600_blit_fini(rdev);
6431 @@ -35444,7 +35423,7 @@ index a2e1eae..8e4a0ec 100644
6432
6433 return 0;
6434 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
6435 -index cd94abb..5a6052d 100644
6436 +index 8cde84b..0d3f11f 100644
6437 --- a/drivers/gpu/drm/radeon/radeon_device.c
6438 +++ b/drivers/gpu/drm/radeon/radeon_device.c
6439 @@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
6440 @@ -35961,112 +35940,10 @@ index 8a8725c2..afed796 100644
6441 marker = list_first_entry(&queue->head,
6442 struct vmw_marker, head);
6443 diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
6444 -index 611aafc..3f9bbc0 100644
6445 +index 9ac4389..5c05af3 100644
6446 --- a/drivers/hid/hid-core.c
6447 +++ b/drivers/hid/hid-core.c
6448 -@@ -59,6 +59,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
6449 - struct hid_report_enum *report_enum = device->report_enum + type;
6450 - struct hid_report *report;
6451 -
6452 -+ if (id >= HID_MAX_IDS)
6453 -+ return NULL;
6454 - if (report_enum->report_id_hash[id])
6455 - return report_enum->report_id_hash[id];
6456 -
6457 -@@ -380,8 +382,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
6458 -
6459 - case HID_GLOBAL_ITEM_TAG_REPORT_ID:
6460 - parser->global.report_id = item_udata(item);
6461 -- if (parser->global.report_id == 0) {
6462 -- dbg_hid("report_id 0 is invalid\n");
6463 -+ if (parser->global.report_id == 0 ||
6464 -+ parser->global.report_id >= HID_MAX_IDS) {
6465 -+ dbg_hid("report_id %u is invalid\n",
6466 -+ parser->global.report_id);
6467 - return -1;
6468 - }
6469 - return 0;
6470 -@@ -552,7 +556,7 @@ static void hid_device_release(struct device *dev)
6471 - for (i = 0; i < HID_REPORT_TYPES; i++) {
6472 - struct hid_report_enum *report_enum = device->report_enum + i;
6473 -
6474 -- for (j = 0; j < 256; j++) {
6475 -+ for (j = 0; j < HID_MAX_IDS; j++) {
6476 - struct hid_report *report = report_enum->report_id_hash[j];
6477 - if (report)
6478 - hid_free_report(report);
6479 -@@ -710,6 +714,56 @@ err:
6480 - }
6481 - EXPORT_SYMBOL_GPL(hid_parse_report);
6482 -
6483 -+static const char * const hid_report_names[] = {
6484 -+ "HID_INPUT_REPORT",
6485 -+ "HID_OUTPUT_REPORT",
6486 -+ "HID_FEATURE_REPORT",
6487 -+};
6488 -+/**
6489 -+ * hid_validate_report - validate existing device report
6490 -+ *
6491 -+ * @device: hid device
6492 -+ * @type: which report type to examine
6493 -+ * @id: which report ID to examine (0 for first)
6494 -+ * @fields: expected number of fields
6495 -+ * @report_counts: expected number of values per field
6496 -+ *
6497 -+ * Validate the report details after parsing.
6498 -+ */
6499 -+struct hid_report *hid_validate_report(struct hid_device *hid,
6500 -+ unsigned int type, unsigned int id,
6501 -+ unsigned int fields,
6502 -+ unsigned int report_counts)
6503 -+{
6504 -+ struct hid_report *report;
6505 -+ unsigned int i;
6506 -+
6507 -+ if (type > HID_FEATURE_REPORT) {
6508 -+ hid_err(hid, "invalid HID report %u\n", type);
6509 -+ return NULL;
6510 -+ }
6511 -+
6512 -+ report = hid->report_enum[type].report_id_hash[id];
6513 -+ if (!report) {
6514 -+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
6515 -+ return NULL;
6516 -+ }
6517 -+ if (report->maxfield < fields) {
6518 -+ hid_err(hid, "not enough fields in %s %u\n",
6519 -+ hid_report_names[type], id);
6520 -+ return NULL;
6521 -+ }
6522 -+ for (i = 0; i < fields; i++) {
6523 -+ if (report->field[i]->report_count < report_counts) {
6524 -+ hid_err(hid, "not enough values in %s %u fields\n",
6525 -+ hid_report_names[type], id);
6526 -+ return NULL;
6527 -+ }
6528 -+ }
6529 -+ return report;
6530 -+}
6531 -+EXPORT_SYMBOL_GPL(hid_validate_report);
6532 -+
6533 - /*
6534 - * Convert a signed n-bit integer to signed 32-bit integer. Common
6535 - * cases are done through the compiler, the screwed things has to be
6536 -@@ -990,7 +1044,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
6537 -
6538 - int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
6539 - {
6540 -- unsigned size = field->report_size;
6541 -+ unsigned size;
6542 -+
6543 -+ if (!field)
6544 -+ return -1;
6545 -+
6546 -+ size = field->report_size;
6547 -
6548 - hid_dump_input(field->report->device, field->usage + offset, value);
6549 -
6550 -@@ -2034,7 +2093,7 @@ static bool hid_ignore(struct hid_device *hdev)
6551 +@@ -2102,7 +2102,7 @@ static bool hid_ignore(struct hid_device *hdev)
6552
6553 int hid_add_device(struct hid_device *hdev)
6554 {
6555 @@ -36075,7 +35952,7 @@ index 611aafc..3f9bbc0 100644
6556 int ret;
6557
6558 if (WARN_ON(hdev->status & HID_STAT_ADDED))
6559 -@@ -2049,7 +2108,7 @@ int hid_add_device(struct hid_device *hdev)
6560 +@@ -2117,7 +2117,7 @@ int hid_add_device(struct hid_device *hdev)
6561 /* XXX hack, any other cleaner solution after the driver core
6562 * is converted to allow more than 20 bytes as the device name? */
6563 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
6564 @@ -36084,167 +35961,6 @@ index 611aafc..3f9bbc0 100644
6565
6566 hid_debug_register(hdev, dev_name(&hdev->dev));
6567 ret = device_add(&hdev->dev);
6568 -diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
6569 -index 3c31bc6..f7b432a 100644
6570 ---- a/drivers/hid/hid-lg2ff.c
6571 -+++ b/drivers/hid/hid-lg2ff.c
6572 -@@ -66,26 +66,13 @@ int lg2ff_init(struct hid_device *hid)
6573 - struct hid_report *report;
6574 - struct hid_input *hidinput = list_entry(hid->inputs.next,
6575 - struct hid_input, list);
6576 -- struct list_head *report_list =
6577 -- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
6578 - struct input_dev *dev = hidinput->input;
6579 - int error;
6580 -
6581 -- if (list_empty(report_list)) {
6582 -- hid_err(hid, "no output report found\n");
6583 -+ /* Check that the report looks ok */
6584 -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
6585 -+ if (!report)
6586 - return -ENODEV;
6587 -- }
6588 --
6589 -- report = list_entry(report_list->next, struct hid_report, list);
6590 --
6591 -- if (report->maxfield < 1) {
6592 -- hid_err(hid, "output report is empty\n");
6593 -- return -ENODEV;
6594 -- }
6595 -- if (report->field[0]->report_count < 7) {
6596 -- hid_err(hid, "not enough values in the field\n");
6597 -- return -ENODEV;
6598 -- }
6599 -
6600 - lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
6601 - if (!lg2ff)
6602 -diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
6603 -index f98644c..8590851 100644
6604 ---- a/drivers/hid/hid-lg3ff.c
6605 -+++ b/drivers/hid/hid-lg3ff.c
6606 -@@ -68,10 +68,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
6607 - int x, y;
6608 -
6609 - /*
6610 -- * Maxusage should always be 63 (maximum fields)
6611 -- * likely a better way to ensure this data is clean
6612 -+ * Available values in the field should always be 63, but we only use up to
6613 -+ * 35. Instead, clear the entire area, however big it is.
6614 - */
6615 -- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
6616 -+ memset(report->field[0]->value, 0,
6617 -+ sizeof(__s32) * report->field[0]->report_count);
6618 -
6619 - switch (effect->type) {
6620 - case FF_CONSTANT:
6621 -@@ -131,32 +132,14 @@ static const signed short ff3_joystick_ac[] = {
6622 - int lg3ff_init(struct hid_device *hid)
6623 - {
6624 - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
6625 -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
6626 - struct input_dev *dev = hidinput->input;
6627 -- struct hid_report *report;
6628 -- struct hid_field *field;
6629 - const signed short *ff_bits = ff3_joystick_ac;
6630 - int error;
6631 - int i;
6632 -
6633 -- /* Find the report to use */
6634 -- if (list_empty(report_list)) {
6635 -- hid_err(hid, "No output report found\n");
6636 -- return -1;
6637 -- }
6638 --
6639 - /* Check that the report looks ok */
6640 -- report = list_entry(report_list->next, struct hid_report, list);
6641 -- if (!report) {
6642 -- hid_err(hid, "NULL output report\n");
6643 -- return -1;
6644 -- }
6645 --
6646 -- field = report->field[0];
6647 -- if (!field) {
6648 -- hid_err(hid, "NULL field\n");
6649 -- return -1;
6650 -- }
6651 -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
6652 -+ return -ENODEV;
6653 -
6654 - /* Assume single fixed device G940 */
6655 - for (i = 0; ff_bits[i] >= 0; i++)
6656 -diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
6657 -index 103f30d..b9a39e5 100644
6658 ---- a/drivers/hid/hid-lg4ff.c
6659 -+++ b/drivers/hid/hid-lg4ff.c
6660 -@@ -339,33 +339,15 @@ static ssize_t lg4ff_range_store(struct device *dev, struct device_attribute *at
6661 - int lg4ff_init(struct hid_device *hid)
6662 - {
6663 - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
6664 -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
6665 - struct input_dev *dev = hidinput->input;
6666 -- struct hid_report *report;
6667 -- struct hid_field *field;
6668 - struct lg4ff_device_entry *entry;
6669 - struct usb_device_descriptor *udesc;
6670 - int error, i, j;
6671 - __u16 bcdDevice, rev_maj, rev_min;
6672 -
6673 -- /* Find the report to use */
6674 -- if (list_empty(report_list)) {
6675 -- hid_err(hid, "No output report found\n");
6676 -- return -1;
6677 -- }
6678 --
6679 - /* Check that the report looks ok */
6680 -- report = list_entry(report_list->next, struct hid_report, list);
6681 -- if (!report) {
6682 -- hid_err(hid, "NULL output report\n");
6683 -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
6684 - return -1;
6685 -- }
6686 --
6687 -- field = report->field[0];
6688 -- if (!field) {
6689 -- hid_err(hid, "NULL field\n");
6690 -- return -1;
6691 -- }
6692 -
6693 - /* Check what wheel has been connected */
6694 - for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
6695 -diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
6696 -index 27bc54f..6d25789 100644
6697 ---- a/drivers/hid/hid-lgff.c
6698 -+++ b/drivers/hid/hid-lgff.c
6699 -@@ -130,27 +130,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
6700 - int lgff_init(struct hid_device* hid)
6701 - {
6702 - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
6703 -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
6704 - struct input_dev *dev = hidinput->input;
6705 -- struct hid_report *report;
6706 -- struct hid_field *field;
6707 - const signed short *ff_bits = ff_joystick;
6708 - int error;
6709 - int i;
6710 -
6711 -- /* Find the report to use */
6712 -- if (list_empty(report_list)) {
6713 -- hid_err(hid, "No output report found\n");
6714 -- return -1;
6715 -- }
6716 --
6717 - /* Check that the report looks ok */
6718 -- report = list_entry(report_list->next, struct hid_report, list);
6719 -- field = report->field[0];
6720 -- if (!field) {
6721 -- hid_err(hid, "NULL field\n");
6722 -- return -1;
6723 -- }
6724 -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
6725 -+ return -ENODEV;
6726 -
6727 - for (i = 0; i < ARRAY_SIZE(devices); i++) {
6728 - if (dev->id.vendor == devices[i].idVendor &&
6729 diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
6730 index 13af0f1..dc797c9 100644
6731 --- a/drivers/hid/hid-multitouch.c
6732 @@ -36267,70 +35983,6 @@ index 13af0f1..dc797c9 100644
6733 }
6734
6735 /* we have handled the hidinput part, now remains hiddev */
6736 -diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
6737 -index 9fae2eb..48cba85 100644
6738 ---- a/drivers/hid/hid-ntrig.c
6739 -+++ b/drivers/hid/hid-ntrig.c
6740 -@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
6741 - struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
6742 - report_id_hash[0x0d];
6743 -
6744 -- if (!report)
6745 -+ if (!report || report->maxfield < 1 ||
6746 -+ report->field[0]->report_count < 1)
6747 - return -EINVAL;
6748 -
6749 - usbhid_submit_report(hdev, report, USB_DIR_IN);
6750 -diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
6751 -index 070f93a..12786cd 100644
6752 ---- a/drivers/hid/hid-pl.c
6753 -+++ b/drivers/hid/hid-pl.c
6754 -@@ -129,8 +129,14 @@ static int plff_init(struct hid_device *hid)
6755 - strong = &report->field[0]->value[2];
6756 - weak = &report->field[0]->value[3];
6757 - debug("detected single-field device");
6758 -- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
6759 -- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
6760 -+ } else if (report->field[0]->maxusage == 1 &&
6761 -+ report->field[0]->usage[0].hid ==
6762 -+ (HID_UP_LED | 0x43) &&
6763 -+ report->maxfield >= 4 &&
6764 -+ report->field[0]->report_count >= 1 &&
6765 -+ report->field[1]->report_count >= 1 &&
6766 -+ report->field[2]->report_count >= 1 &&
6767 -+ report->field[3]->report_count >= 1) {
6768 - report->field[0]->value[0] = 0x00;
6769 - report->field[1]->value[0] = 0x00;
6770 - strong = &report->field[2]->value[0];
6771 -diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
6772 -index f6ba81d..f7e37f7 100644
6773 ---- a/drivers/hid/hid-zpff.c
6774 -+++ b/drivers/hid/hid-zpff.c
6775 -@@ -70,22 +70,12 @@ static int zpff_init(struct hid_device *hid)
6776 - struct hid_report *report;
6777 - struct hid_input *hidinput = list_entry(hid->inputs.next,
6778 - struct hid_input, list);
6779 -- struct list_head *report_list =
6780 -- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
6781 - struct input_dev *dev = hidinput->input;
6782 - int error;
6783 -
6784 -- if (list_empty(report_list)) {
6785 -- hid_err(hid, "no output report found\n");
6786 -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
6787 -+ if (!report)
6788 - return -ENODEV;
6789 -- }
6790 --
6791 -- report = list_entry(report_list->next, struct hid_report, list);
6792 --
6793 -- if (report->maxfield < 4) {
6794 -- hid_err(hid, "not enough fields in report\n");
6795 -- return -ENODEV;
6796 -- }
6797 -
6798 - zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
6799 - if (!zpff)
6800 diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
6801 index 4ef02b2..8a96831 100644
6802 --- a/drivers/hid/usbhid/hiddev.c
6803 @@ -36443,10 +36095,10 @@ index 66f6729..4de8c4a 100644
6804 int res = 0;
6805
6806 diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
6807 -index d99aa84..c977790 100644
6808 +index 30cac58..f6406b3 100644
6809 --- a/drivers/hwmon/applesmc.c
6810 +++ b/drivers/hwmon/applesmc.c
6811 -@@ -1056,7 +1056,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
6812 +@@ -1069,7 +1069,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
6813 {
6814 struct applesmc_node_group *grp;
6815 struct applesmc_dev_attr *node;
6816 @@ -40263,10 +39915,10 @@ index a9ff89ff..461d313 100644
6817 struct sm_sysfs_attribute *vendor_attribute;
6818
6819 diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
6820 -index b436b84..d3cecc5 100644
6821 +index 1bf36ac..55c534e 100644
6822 --- a/drivers/net/bonding/bond_main.c
6823 +++ b/drivers/net/bonding/bond_main.c
6824 -@@ -4796,7 +4796,7 @@ static int bond_get_tx_queues(struct net *net, struct nlattr *tb[],
6825 +@@ -4803,7 +4803,7 @@ static int bond_get_tx_queues(struct net *net, struct nlattr *tb[],
6826 return 0;
6827 }
6828
6829 @@ -40275,7 +39927,7 @@ index b436b84..d3cecc5 100644
6830 .kind = "bond",
6831 .priv_size = sizeof(struct bonding),
6832 .setup = bond_setup,
6833 -@@ -4921,8 +4921,8 @@ static void __exit bonding_exit(void)
6834 +@@ -4928,8 +4928,8 @@ static void __exit bonding_exit(void)
6835
6836 bond_destroy_debugfs();
6837
6838 @@ -40958,10 +40610,10 @@ index 301b39e..345c414 100644
6839 };
6840
6841 diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
6842 -index 96b9e3c..d9cfb75 100644
6843 +index b0f9015..93da3cf 100644
6844 --- a/drivers/net/macvtap.c
6845 +++ b/drivers/net/macvtap.c
6846 -@@ -1073,7 +1073,7 @@ static int macvtap_device_event(struct notifier_block *unused,
6847 +@@ -1085,7 +1085,7 @@ static int macvtap_device_event(struct notifier_block *unused,
6848 return NOTIFY_DONE;
6849 }
6850
6851 @@ -41095,7 +40747,7 @@ index 46db5c5..37c1536 100644
6852 err = platform_driver_register(&sk_isa_driver);
6853 if (err)
6854 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
6855 -index f4c5de6..31aa71c 100644
6856 +index ee1aab0..31aa71c 100644
6857 --- a/drivers/net/tun.c
6858 +++ b/drivers/net/tun.c
6859 @@ -359,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev)
6860 @@ -41107,29 +40759,7 @@ index f4c5de6..31aa71c 100644
6861 }
6862
6863 /* Net device open. */
6864 -@@ -614,8 +614,9 @@ static ssize_t tun_get_user(struct tun_struct *tun,
6865 - int offset = 0;
6866 -
6867 - if (!(tun->flags & TUN_NO_PI)) {
6868 -- if ((len -= sizeof(pi)) > count)
6869 -+ if (len < sizeof(pi))
6870 - return -EINVAL;
6871 -+ len -= sizeof(pi);
6872 -
6873 - if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
6874 - return -EFAULT;
6875 -@@ -623,8 +624,9 @@ static ssize_t tun_get_user(struct tun_struct *tun,
6876 - }
6877 -
6878 - if (tun->flags & TUN_VNET_HDR) {
6879 -- if ((len -= tun->vnet_hdr_sz) > count)
6880 -+ if (len < tun->vnet_hdr_sz)
6881 - return -EINVAL;
6882 -+ len -= tun->vnet_hdr_sz;
6883 -
6884 - if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
6885 - return -EFAULT;
6886 -@@ -981,10 +983,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
6887 +@@ -983,10 +983,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
6888 return ret;
6889 }
6890
6891 @@ -41148,7 +40778,7 @@ index f4c5de6..31aa71c 100644
6892 };
6893
6894 static struct proto tun_proto = {
6895 -@@ -1111,10 +1121,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
6896 +@@ -1113,10 +1121,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
6897 tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr);
6898
6899 err = -ENOMEM;
6900 @@ -41161,7 +40791,7 @@ index f4c5de6..31aa71c 100644
6901 tun->socket.wq = &tun->wq;
6902 init_waitqueue_head(&tun->wq.wait);
6903 tun->socket.ops = &tun_socket_ops;
6904 -@@ -1175,7 +1186,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
6905 +@@ -1177,7 +1186,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
6906 return 0;
6907
6908 err_free_sk:
6909 @@ -41170,7 +40800,7 @@ index f4c5de6..31aa71c 100644
6910 err_free_dev:
6911 free_netdev(dev);
6912 failed:
6913 -@@ -1234,7 +1245,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
6914 +@@ -1236,7 +1245,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
6915 }
6916
6917 static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
6918 @@ -41179,7 +40809,7 @@ index f4c5de6..31aa71c 100644
6919 {
6920 struct tun_file *tfile = file->private_data;
6921 struct tun_struct *tun;
6922 -@@ -1245,6 +1256,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
6923 +@@ -1247,6 +1256,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
6924 int vnet_hdr_sz;
6925 int ret;
6926
6927 @@ -41394,6 +41024,18 @@ index ebb9f24..7a4c491 100644
6928 sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed);
6929 /* Lucky card and linux use same encoding here */
6930 sync.clock_type = FST_RDB(card, portConfig[i].internalClock) ==
6931 +diff --git a/drivers/net/wan/wanxl.c b/drivers/net/wan/wanxl.c
6932 +index 44b7071..c643d77 100644
6933 +--- a/drivers/net/wan/wanxl.c
6934 ++++ b/drivers/net/wan/wanxl.c
6935 +@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
6936 + ifr->ifr_settings.size = size; /* data size wanted */
6937 + return -ENOBUFS;
6938 + }
6939 ++ memset(&line, 0, sizeof(line));
6940 + line.clock_type = get_status(port)->clocking;
6941 + line.clock_rate = 0;
6942 + line.loopback = 0;
6943 diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
6944 index 4045e5a..506f1cf 100644
6945 --- a/drivers/net/wireless/at76c50x-usb.c
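Review bot: The added `memset(&line, 0, sizeof(line));` in wanxl_ioctl has no comment explaining why the whole struct is cleared when its fields are assigned right after. The likely reason is that `line` is later copied out to the caller, so padding and unassigned members would otherwise expose uninitialised stack bytes. That copy is outside the hunk, so this should be confirmed against the full function. I would add `/* clear padding and unset members before line is copied out */` above the memset. The following `line.clock_rate = 0;` and `line.loopback = 0;` are then redundant and can be dropped, or kept as a statement of intent.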
6946 @@ -43674,7 +43316,7 @@ index 1b21491..1b7f60e 100644
6947 /*
6948 * Check for overflow; dev_loss_tmo is u32
6949 diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
6950 -index 96029e6..4d77fa0 100644
6951 +index c874458..568a977 100644
6952 --- a/drivers/scsi/scsi_transport_iscsi.c
6953 +++ b/drivers/scsi/scsi_transport_iscsi.c
6954 @@ -79,7 +79,7 @@ struct iscsi_internal {
6955 @@ -43736,10 +43378,10 @@ index 21a045e..ec89e03 100644
6956
6957 transport_setup_device(&rport->dev);
6958 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
6959 -index 17603da..332e23a 100644
6960 +index f6d2b62..d9aa1a4 100644
6961 --- a/drivers/scsi/sd.c
6962 +++ b/drivers/scsi/sd.c
6963 -@@ -2637,7 +2637,7 @@ static int sd_probe(struct device *dev)
6964 +@@ -2632,7 +2632,7 @@ static int sd_probe(struct device *dev)
6965 device_initialize(&sdkp->dev);
6966 sdkp->dev.parent = dev;
6967 sdkp->dev.class = &sd_disk_class;
6968 @@ -45276,7 +44918,7 @@ index 032e5a6..bc422e4 100644
6969 wake_up(&usb_kill_urb_queue);
6970 usb_put_urb(urb);
6971 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
6972 -index 2768a7e..7b5c7a9 100644
6973 +index a5ea85f..6530989 100644
6974 --- a/drivers/usb/core/hub.c
6975 +++ b/drivers/usb/core/hub.c
6976 @@ -25,6 +25,7 @@
6977 @@ -51444,7 +51086,7 @@ index d322929..9f4b816 100644
6978 dcache_init();
6979 inode_init();
6980 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
6981 -index f3a257d..9235188 100644
6982 +index fb001cd..95129c3 100644
6983 --- a/fs/debugfs/inode.c
6984 +++ b/fs/debugfs/inode.c
6985 @@ -145,6 +145,7 @@ static struct file_system_type debug_fs_type = {
6986 @@ -51498,6 +51140,32 @@ index a9be90d..3cf866c 100644
6987 if (!IS_ERR(buf)) {
6988 /* Free the char* */
6989 kfree(buf);
6990 +diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
6991 +index ac1ad48..d80e1db 100644
6992 +--- a/fs/ecryptfs/keystore.c
6993 ++++ b/fs/ecryptfs/keystore.c
6994 +@@ -1151,8 +1151,8 @@ decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
6995 + struct ecryptfs_msg_ctx *msg_ctx;
6996 + struct ecryptfs_message *msg = NULL;
6997 + char *auth_tok_sig;
6998 +- char *payload;
6999 +- size_t payload_len;
7000 ++ char *payload = NULL;
7001 ++ size_t payload_len = 0;
7002 + int rc;
7003 +
7004 + rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok);
7005 +@@ -1204,8 +1204,8 @@ decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
7006 + crypt_stat->key_size);
7007 + }
7008 + out:
7009 +- if (msg)
7010 +- kfree(msg);
7011 ++ kfree(msg);
7012 ++ kfree(payload);
7013 + return rc;
7014 + }
7015 +
7016 diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
7017 index 94afdfd..bdb8854 100644
7018 --- a/fs/ecryptfs/main.c
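Review bot: The `out:` path of decrypt_pki_encrypted_session_key releases `msg` and `payload` with plain `kfree()`, which leaves their contents readable in freed slab memory. Judging by the function name, these buffers may carry session-key material; if so, `kzfree(msg);` and `kzfree(payload);` would be the safer choice. The code that fills both buffers is outside the hunk, so this needs checking against the full function. Separately, the new `payload = NULL` and `payload_len = 0` initialisers are what make the unconditional free safe on an early `goto out`, and a short comment such as `/* NULL so the out: path can free unconditionally */` would record that.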
7019 @@ -54577,10 +54245,10 @@ index 5c029fb..96e676c 100644
7020 if (!ret)
7021 ret = -EPIPE;
7022 diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
7023 -index 5ef7afb..5fc7f4f 100644
7024 +index 06e2f73..e6c5fc8 100644
7025 --- a/fs/fuse/dir.c
7026 +++ b/fs/fuse/dir.c
7027 -@@ -1148,7 +1148,7 @@ static char *read_link(struct dentry *dentry)
7028 +@@ -1150,7 +1150,7 @@ static char *read_link(struct dentry *dentry)
7029 return link;
7030 }
7031
7032 @@ -54590,10 +54258,10 @@ index 5ef7afb..5fc7f4f 100644
7033 if (!IS_ERR(link))
7034 free_page((unsigned long) link);
7035 diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
7036 -index 1f82d95..763ac54 100644
7037 +index 912c250..f0aee59 100644
7038 --- a/fs/fuse/inode.c
7039 +++ b/fs/fuse/inode.c
7040 -@@ -1092,6 +1092,7 @@ static struct file_system_type fuse_fs_type = {
7041 +@@ -1094,6 +1094,7 @@ static struct file_system_type fuse_fs_type = {
7042 .mount = fuse_mount,
7043 .kill_sb = fuse_kill_sb_anon,
7044 };
7045 @@ -54601,7 +54269,7 @@ index 1f82d95..763ac54 100644
7046
7047 #ifdef CONFIG_BLOCK
7048 static struct dentry *fuse_mount_blk(struct file_system_type *fs_type,
7049 -@@ -1121,6 +1122,7 @@ static struct file_system_type fuseblk_fs_type = {
7050 +@@ -1123,6 +1124,7 @@ static struct file_system_type fuseblk_fs_type = {
7051 .kill_sb = fuse_kill_sb_blk,
7052 .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
7053 };
7054 @@ -54811,10 +54479,10 @@ index e2d3633..e6f3833 100644
7055 spin_unlock(&inode->i_lock);
7056 }
7057 diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
7058 -index f950059..78748e8 100644
7059 +index a5f25a7..8ac9cc8 100644
7060 --- a/fs/isofs/inode.c
7061 +++ b/fs/isofs/inode.c
7062 -@@ -1545,6 +1545,8 @@ static struct file_system_type iso9660_fs_type = {
7063 +@@ -1539,6 +1539,8 @@ static struct file_system_type iso9660_fs_type = {
7064 .kill_sb = kill_block_super,
7065 .fs_flags = FS_REQUIRES_DEV,
7066 };
7067 @@ -54823,7 +54491,7 @@ index f950059..78748e8 100644
7068
7069 static int __init init_iso9660_fs(void)
7070 {
7071 -@@ -1582,5 +1584,3 @@ static void __exit exit_iso9660_fs(void)
7072 +@@ -1576,5 +1578,3 @@ static void __exit exit_iso9660_fs(void)
7073 module_init(init_iso9660_fs)
7074 module_exit(exit_iso9660_fs)
7075 MODULE_LICENSE("GPL");
7076 @@ -72735,35 +72403,6 @@ index 0000000..e7ffaaf
7077 + const int protocol);
7078 +
7079 +#endif
7080 -diff --git a/include/linux/hid.h b/include/linux/hid.h
7081 -index 331e2ef..37c06bd 100644
7082 ---- a/include/linux/hid.h
7083 -+++ b/include/linux/hid.h
7084 -@@ -416,10 +416,12 @@ struct hid_report {
7085 - struct hid_device *device; /* associated device */
7086 - };
7087 -
7088 -+#define HID_MAX_IDS 256
7089 -+
7090 - struct hid_report_enum {
7091 - unsigned numbered;
7092 - struct list_head report_list;
7093 -- struct hid_report *report_id_hash[256];
7094 -+ struct hid_report *report_id_hash[HID_MAX_IDS];
7095 - };
7096 -
7097 - #define HID_REPORT_TYPES 3
7098 -@@ -716,6 +718,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
7099 - struct hid_device *hid_allocate_device(void);
7100 - struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
7101 - int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
7102 -+struct hid_report *hid_validate_report(struct hid_device *hid,
7103 -+ unsigned int type, unsigned int id,
7104 -+ unsigned int fields,
7105 -+ unsigned int report_counts);
7106 - int hid_check_keys_pressed(struct hid_device *hid);
7107 - int hid_connect(struct hid_device *hid, unsigned int connect_mask);
7108 - void hid_disconnect(struct hid_device *hid);
7109 diff --git a/include/linux/highmem.h b/include/linux/highmem.h
7110 index 52e9620..26c34b1 100644
7111 --- a/include/linux/highmem.h
7112 @@ -73308,7 +72947,7 @@ index 3797270..7765ede 100644
7113 struct mca_bus {
7114 u64 default_dma_mask;
7115 diff --git a/include/linux/mm.h b/include/linux/mm.h
7116 -index d0493f6..ce3ea0b 100644
7117 +index 305fd75..f0db13d 100644
7118 --- a/include/linux/mm.h
7119 +++ b/include/linux/mm.h
7120 @@ -115,7 +115,14 @@ extern unsigned int kobjsize(const void *objp);
7121 @@ -73345,7 +72984,7 @@ index d0493f6..ce3ea0b 100644
7122
7123 struct mmu_gather;
7124 struct inode;
7125 -@@ -940,8 +948,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
7126 +@@ -941,8 +949,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
7127 unsigned long *pfn);
7128 int follow_phys(struct vm_area_struct *vma, unsigned long address,
7129 unsigned int flags, unsigned long *prot, resource_size_t *phys);
7130 @@ -73356,7 +72995,7 @@ index d0493f6..ce3ea0b 100644
7131
7132 static inline void unmap_shared_mapping_range(struct address_space *mapping,
7133 loff_t const holebegin, loff_t const holelen)
7134 -@@ -983,10 +991,10 @@ static inline int fixup_user_fault(struct task_struct *tsk,
7135 +@@ -984,10 +992,10 @@ static inline int fixup_user_fault(struct task_struct *tsk,
7136 }
7137 #endif
7138
7139 @@ -73371,7 +73010,7 @@ index d0493f6..ce3ea0b 100644
7140
7141 int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
7142 unsigned long start, int len, unsigned int foll_flags,
7143 -@@ -1012,34 +1020,6 @@ int set_page_dirty(struct page *page);
7144 +@@ -1013,34 +1021,6 @@ int set_page_dirty(struct page *page);
7145 int set_page_dirty_lock(struct page *page);
7146 int clear_page_dirty_for_io(struct page *page);
7147
7148 @@ -73406,7 +73045,7 @@ index d0493f6..ce3ea0b 100644
7149 extern unsigned long move_page_tables(struct vm_area_struct *vma,
7150 unsigned long old_addr, struct vm_area_struct *new_vma,
7151 unsigned long new_addr, unsigned long len);
7152 -@@ -1134,6 +1114,15 @@ static inline void sync_mm_rss(struct task_struct *task, struct mm_struct *mm)
7153 +@@ -1135,6 +1115,15 @@ static inline void sync_mm_rss(struct task_struct *task, struct mm_struct *mm)
7154 }
7155 #endif
7156
7157 @@ -73422,7 +73061,7 @@ index d0493f6..ce3ea0b 100644
7158 int vma_wants_writenotify(struct vm_area_struct *vma);
7159
7160 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
7161 -@@ -1152,8 +1141,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
7162 +@@ -1153,8 +1142,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
7163 {
7164 return 0;
7165 }
7166 @@ -73438,7 +73077,7 @@ index d0493f6..ce3ea0b 100644
7167 #endif
7168
7169 #ifdef __PAGETABLE_PMD_FOLDED
7170 -@@ -1162,8 +1158,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
7171 +@@ -1163,8 +1159,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
7172 {
7173 return 0;
7174 }
7175 @@ -73454,7 +73093,7 @@ index d0493f6..ce3ea0b 100644
7176 #endif
7177
7178 int __pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
7179 -@@ -1181,11 +1184,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
7180 +@@ -1182,11 +1185,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
7181 NULL: pud_offset(pgd, address);
7182 }
7183
7184 @@ -73478,7 +73117,7 @@ index d0493f6..ce3ea0b 100644
7185 #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
7186
7187 #if USE_SPLIT_PTLOCKS
7188 -@@ -1419,6 +1434,7 @@ out:
7189 +@@ -1420,6 +1435,7 @@ out:
7190 }
7191
7192 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
7193 @@ -73486,7 +73125,7 @@ index d0493f6..ce3ea0b 100644
7194
7195 extern unsigned long do_brk(unsigned long, unsigned long);
7196
7197 -@@ -1476,6 +1492,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
7198 +@@ -1477,6 +1493,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
7199 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
7200 struct vm_area_struct **pprev);
7201
7202 @@ -73497,7 +73136,7 @@ index d0493f6..ce3ea0b 100644
7203 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
7204 NULL if none. Assume start_addr < end_addr. */
7205 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
7206 -@@ -1492,15 +1512,6 @@ static inline unsigned long vma_pages(struct vm_area_struct *vma)
7207 +@@ -1493,15 +1513,6 @@ static inline unsigned long vma_pages(struct vm_area_struct *vma)
7208 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
7209 }
7210
7211 @@ -73513,7 +73152,7 @@ index d0493f6..ce3ea0b 100644
7212 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
7213 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
7214 unsigned long pfn, unsigned long size, pgprot_t);
7215 -@@ -1536,6 +1547,12 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
7216 +@@ -1537,6 +1548,12 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
7217 static inline void vm_stat_account(struct mm_struct *mm,
7218 unsigned long flags, struct file *file, long pages)
7219 {
7220 @@ -73526,7 +73165,7 @@ index d0493f6..ce3ea0b 100644
7221 }
7222 #endif /* CONFIG_PROC_FS */
7223
7224 -@@ -1616,7 +1633,7 @@ extern int unpoison_memory(unsigned long pfn);
7225 +@@ -1617,7 +1634,7 @@ extern int unpoison_memory(unsigned long pfn);
7226 extern int sysctl_memory_failure_early_kill;
7227 extern int sysctl_memory_failure_recovery;
7228 extern void shake_page(struct page *p, int access);
7229 @@ -73535,7 +73174,7 @@ index d0493f6..ce3ea0b 100644
7230 extern int soft_offline_page(struct page *page, int flags);
7231
7232 extern void dump_page(struct page *page);
7233 -@@ -1630,5 +1647,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
7234 +@@ -1631,5 +1648,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
7235 unsigned int pages_per_huge_page);
7236 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
7237
7238 @@ -74041,7 +73680,7 @@ index 45fc162..01a4068 100644
7239 /**
7240 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
7241 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
7242 -index 3cfcfea..0227030 100644
7243 +index eeb6a29..6eb2b52 100644
7244 --- a/include/linux/perf_event.h
7245 +++ b/include/linux/perf_event.h
7246 @@ -748,8 +748,8 @@ struct perf_event {
7247 @@ -74327,7 +73966,7 @@ index 29e217a..a76bcd0 100644
7248
7249 /**
7250 diff --git a/include/linux/rculist.h b/include/linux/rculist.h
7251 -index 6f95e24..68fe817 100644
7252 +index 3863352..4ec4bfb 100644
7253 --- a/include/linux/rculist.h
7254 +++ b/include/linux/rculist.h
7255 @@ -39,6 +39,9 @@ static inline void __list_add_rcu(struct list_head *new,
7256 @@ -74876,7 +74515,7 @@ index 92808b8..c28cac4 100644
7257
7258 /* shm_mode upper byte flags */
7259 diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
7260 -index efe50af..0d0b145 100644
7261 +index efe50af..9a039e5 100644
7262 --- a/include/linux/skbuff.h
7263 +++ b/include/linux/skbuff.h
7264 @@ -538,7 +538,7 @@ extern void consume_skb(struct sk_buff *skb);
7265 @@ -74915,7 +74554,19 @@ index efe50af..0d0b145 100644
7266 }
7267
7268 /**
7269 -@@ -1546,7 +1546,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
7270 +@@ -1157,6 +1157,11 @@ static inline int skb_pagelen(const struct sk_buff *skb)
7271 + return len + skb_headlen(skb);
7272 + }
7273 +
7274 ++static inline bool skb_has_frags(const struct sk_buff *skb)
7275 ++{
7276 ++ return skb_shinfo(skb)->nr_frags;
7277 ++}
7278 ++
7279 + /**
7280 + * __skb_fill_page_desc - initialise a paged fragment in an skb
7281 + * @skb: buffer containing fragment to be initialised
7282 +@@ -1546,7 +1551,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
7283 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
7284 */
7285 #ifndef NET_SKB_PAD
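Review bot: The new `skb_has_frags()` helper has no kernel-doc block, although `__skb_fill_page_desc` directly below it in the same hunk does. A short block stating that it returns true when the skb carries paged fragments would match the surrounding header. The `bool` return also relies on implicit conversion of `nr_frags`; writing `return skb_shinfo(skb)->nr_frags != 0;` makes the intent explicit.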
7286 @@ -74924,7 +74575,7 @@ index efe50af..0d0b145 100644
7287 #endif
7288
7289 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
7290 -@@ -2085,7 +2085,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
7291 +@@ -2085,7 +2090,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
7292 int noblock, int *err);
7293 extern unsigned int datagram_poll(struct file *file, struct socket *sock,
7294 struct poll_table_struct *wait);
7295 @@ -74933,7 +74584,7 @@ index efe50af..0d0b145 100644
7296 int offset, struct iovec *to,
7297 int size);
7298 extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
7299 -@@ -2365,6 +2365,9 @@ static inline void nf_reset(struct sk_buff *skb)
7300 +@@ -2365,6 +2370,9 @@ static inline void nf_reset(struct sk_buff *skb)
7301 nf_bridge_put(skb->nf_bridge);
7302 skb->nf_bridge = NULL;
7303 #endif
7304 @@ -76139,10 +75790,10 @@ index ca2755f..85ec88c 100644
7305 /** inet_connection_sock - INET connection oriented sock
7306 *
7307 diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
7308 -index e9ff3fc..c19998a 100644
7309 +index 34b06da..03b1d34 100644
7310 --- a/include/net/inetpeer.h
7311 +++ b/include/net/inetpeer.h
7312 -@@ -48,8 +48,8 @@ struct inet_peer {
7313 +@@ -52,8 +52,8 @@ struct inet_peer {
7314 */
7315 union {
7316 struct {
7317 @@ -76153,7 +75804,7 @@ index e9ff3fc..c19998a 100644
7318 __u32 tcp_ts;
7319 __u32 tcp_ts_stamp;
7320 };
7321 -@@ -109,16 +109,13 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
7322 +@@ -115,16 +115,13 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
7323 /* can be called with or without local BH being disabled */
7324 static inline int inet_getid(struct inet_peer *p, int more)
7325 {
7326 @@ -76176,7 +75827,7 @@ index e9ff3fc..c19998a 100644
7327
7328 #endif /* _NET_INETPEER_H */
7329 diff --git a/include/net/ip.h b/include/net/ip.h
7330 -index eca0ef7..88118cb 100644
7331 +index 06aed72..54fbf5b 100644
7332 --- a/include/net/ip.h
7333 +++ b/include/net/ip.h
7334 @@ -214,7 +214,7 @@ extern struct local_ports {
7335 @@ -77808,10 +77459,10 @@ index b463871..59495fd 100644
7336 * nsown_capable - Check superior capability to one's own user_ns
7337 * @cap: The capability in question
7338 diff --git a/kernel/cgroup.c b/kernel/cgroup.c
7339 -index d2a01fe..493cba0 100644
7340 +index 2a1ffb7..b99a595 100644
7341 --- a/kernel/cgroup.c
7342 +++ b/kernel/cgroup.c
7343 -@@ -5153,7 +5153,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
7344 +@@ -5164,7 +5164,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
7345 struct css_set *cg = link->cg;
7346 struct task_struct *task;
7347 int count = 0;
7348 @@ -78229,7 +77880,7 @@ index 63786e7..0780cac 100644
7349 #ifdef CONFIG_MODULE_UNLOAD
7350 {
7351 diff --git a/kernel/events/core.c b/kernel/events/core.c
7352 -index 5bbe443..c8b6b81 100644
7353 +index 83d5621..8c6738d 100644
7354 --- a/kernel/events/core.c
7355 +++ b/kernel/events/core.c
7356 @@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu;
7357 @@ -78258,7 +77909,7 @@ index 5bbe443..c8b6b81 100644
7358
7359 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
7360 enum event_type_t event_type);
7361 -@@ -2568,7 +2575,7 @@ static void __perf_event_read(void *info)
7362 +@@ -2575,7 +2582,7 @@ static void __perf_event_read(void *info)
7363
7364 static inline u64 perf_event_count(struct perf_event *event)
7365 {
7366 @@ -78267,7 +77918,7 @@ index 5bbe443..c8b6b81 100644
7367 }
7368
7369 static u64 perf_event_read(struct perf_event *event)
7370 -@@ -3114,9 +3121,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
7371 +@@ -3121,9 +3128,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
7372 mutex_lock(&event->child_mutex);
7373 total += perf_event_read(event);
7374 *enabled += event->total_time_enabled +
7375 @@ -78279,7 +77930,7 @@ index 5bbe443..c8b6b81 100644
7376
7377 list_for_each_entry(child, &event->child_list, child_list) {
7378 total += perf_event_read(child);
7379 -@@ -3508,10 +3515,10 @@ void perf_event_update_userpage(struct perf_event *event)
7380 +@@ -3515,10 +3522,10 @@ void perf_event_update_userpage(struct perf_event *event)
7381 userpg->offset -= local64_read(&event->hw.prev_count);
7382
7383 userpg->time_enabled = enabled +
7384 @@ -78292,7 +77943,7 @@ index 5bbe443..c8b6b81 100644
7385
7386 barrier();
7387 ++userpg->lock;
7388 -@@ -4019,11 +4026,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
7389 +@@ -4026,11 +4033,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
7390 values[n++] = perf_event_count(event);
7391 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
7392 values[n++] = enabled +
7393 @@ -78306,7 +77957,7 @@ index 5bbe443..c8b6b81 100644
7394 }
7395 if (read_format & PERF_FORMAT_ID)
7396 values[n++] = primary_event_id(event);
7397 -@@ -4674,12 +4681,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
7398 +@@ -4681,12 +4688,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
7399 * need to add enough zero bytes after the string to handle
7400 * the 64bit alignment we do later.
7401 */
7402 @@ -78321,7 +77972,7 @@ index 5bbe443..c8b6b81 100644
7403 if (IS_ERR(name)) {
7404 name = strncpy(tmp, "//toolong", sizeof(tmp));
7405 goto got_name;
7406 -@@ -6036,7 +6043,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
7407 +@@ -6043,7 +6050,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
7408 event->parent = parent_event;
7409
7410 event->ns = get_pid_ns(current->nsproxy->pid_ns);
7411 @@ -78330,7 +77981,7 @@ index 5bbe443..c8b6b81 100644
7412
7413 event->state = PERF_EVENT_STATE_INACTIVE;
7414
7415 -@@ -6282,6 +6289,11 @@ SYSCALL_DEFINE5(perf_event_open,
7416 +@@ -6289,6 +6296,11 @@ SYSCALL_DEFINE5(perf_event_open,
7417 if (flags & ~PERF_FLAG_ALL)
7418 return -EINVAL;
7419
7420 @@ -78342,7 +77993,7 @@ index 5bbe443..c8b6b81 100644
7421 err = perf_copy_attr(attr_uptr, &attr);
7422 if (err)
7423 return err;
7424 -@@ -6577,10 +6589,10 @@ static void sync_child_event(struct perf_event *child_event,
7425 +@@ -6584,10 +6596,10 @@ static void sync_child_event(struct perf_event *child_event,
7426 /*
7427 * Add back the child's count to the parent's count:
7428 */
7429 @@ -81632,7 +81283,7 @@ index f280df1..da1281d 100644
7430 #ifdef CONFIG_RT_GROUP_SCHED
7431 /*
7432 diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
7433 -index 59474c5..efcae8d 100644
7434 +index c261da7..4e5221ad 100644
7435 --- a/kernel/sched_fair.c
7436 +++ b/kernel/sched_fair.c
7437 @@ -4801,7 +4801,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
7438 @@ -84248,7 +83899,7 @@ index 2a07f97..2cdc054 100644
7439 set_page_address(page, (void *)vaddr);
7440
7441 diff --git a/mm/huge_memory.c b/mm/huge_memory.c
7442 -index d80ac4b..9fd73bc 100644
7443 +index ed0ed8a..cc835b9 100644
7444 --- a/mm/huge_memory.c
7445 +++ b/mm/huge_memory.c
7446 @@ -704,7 +704,7 @@ out:
7447 @@ -87238,7 +86889,7 @@ index 5a688a2..fffb9f6 100644
7448
7449 if (nstart < prev->vm_end)
7450 diff --git a/mm/mremap.c b/mm/mremap.c
7451 -index d6959cb..51051b9 100644
7452 +index d6959cb..7bc76da 100644
7453 --- a/mm/mremap.c
7454 +++ b/mm/mremap.c
7455 @@ -23,6 +23,7 @@
7456 @@ -87249,19 +86900,7 @@ index d6959cb..51051b9 100644
7457
7458 #include "internal.h"
7459
7460 -@@ -60,8 +61,10 @@ static pmd_t *alloc_new_pmd(struct mm_struct *mm, struct vm_area_struct *vma,
7461 - return NULL;
7462 -
7463 - pmd = pmd_alloc(mm, pud, addr);
7464 -- if (!pmd)
7465 -+ if (!pmd) {
7466 -+ pud_free(mm, pud);
7467 - return NULL;
7468 -+ }
7469 -
7470 - VM_BUG_ON(pmd_trans_huge(*pmd));
7471 -
7472 -@@ -106,6 +109,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
7473 +@@ -106,6 +107,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
7474 continue;
7475 pte = ptep_get_and_clear(mm, old_addr, old_pte);
7476 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
7477 @@ -87274,7 +86913,7 @@ index d6959cb..51051b9 100644
7478 set_pte_at(mm, new_addr, new_pte, pte);
7479 }
7480
7481 -@@ -251,7 +260,6 @@ static unsigned long move_vma(struct vm_area_struct *vma,
7482 +@@ -251,7 +258,6 @@ static unsigned long move_vma(struct vm_area_struct *vma,
7483 * If this were a serious issue, we'd add a flag to do_munmap().
7484 */
7485 hiwater_vm = mm->hiwater_vm;
7486 @@ -87282,7 +86921,7 @@ index d6959cb..51051b9 100644
7487 vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT);
7488
7489 if (do_munmap(mm, old_addr, old_len) < 0) {
7490 -@@ -290,6 +298,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
7491 +@@ -290,6 +296,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
7492 if (is_vm_hugetlb_page(vma))
7493 goto Einval;
7494
7495 @@ -87294,7 +86933,7 @@ index d6959cb..51051b9 100644
7496 /* We can't remap across vm area boundaries */
7497 if (old_len > vma->vm_end - addr)
7498 goto Efault;
7499 -@@ -346,20 +359,25 @@ static unsigned long mremap_to(unsigned long addr,
7500 +@@ -346,20 +357,25 @@ static unsigned long mremap_to(unsigned long addr,
7501 unsigned long ret = -EINVAL;
7502 unsigned long charged = 0;
7503 unsigned long map_flags;
7504 @@ -87325,7 +86964,7 @@ index d6959cb..51051b9 100644
7505 goto out;
7506
7507 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
7508 -@@ -431,6 +449,7 @@ unsigned long do_mremap(unsigned long addr,
7509 +@@ -431,6 +447,7 @@ unsigned long do_mremap(unsigned long addr,
7510 struct vm_area_struct *vma;
7511 unsigned long ret = -EINVAL;
7512 unsigned long charged = 0;
7513 @@ -87333,7 +86972,7 @@ index d6959cb..51051b9 100644
7514
7515 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
7516 goto out;
7517 -@@ -449,6 +468,17 @@ unsigned long do_mremap(unsigned long addr,
7518 +@@ -449,6 +466,17 @@ unsigned long do_mremap(unsigned long addr,
7519 if (!new_len)
7520 goto out;
7521
7522 @@ -87351,7 +86990,7 @@ index d6959cb..51051b9 100644
7523 if (flags & MREMAP_FIXED) {
7524 if (flags & MREMAP_MAYMOVE)
7525 ret = mremap_to(addr, old_len, new_addr, new_len);
7526 -@@ -490,7 +520,6 @@ unsigned long do_mremap(unsigned long addr,
7527 +@@ -490,7 +518,6 @@ unsigned long do_mremap(unsigned long addr,
7528 goto out;
7529 }
7530
7531 @@ -87359,7 +86998,7 @@ index d6959cb..51051b9 100644
7532 vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages);
7533 if (vma->vm_flags & VM_LOCKED) {
7534 mm->locked_vm += pages;
7535 -@@ -498,6 +527,7 @@ unsigned long do_mremap(unsigned long addr,
7536 +@@ -498,6 +525,7 @@ unsigned long do_mremap(unsigned long addr,
7537 addr + new_len);
7538 }
7539 ret = addr;
7540 @@ -87367,7 +87006,7 @@ index d6959cb..51051b9 100644
7541 goto out;
7542 }
7543 }
7544 -@@ -524,7 +554,13 @@ unsigned long do_mremap(unsigned long addr,
7545 +@@ -524,7 +552,13 @@ unsigned long do_mremap(unsigned long addr,
7546 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
7547 if (ret)
7548 goto out;
7549 @@ -87508,7 +87147,7 @@ index ea3f83b..001a216 100644
7550 .next = NULL,
7551 };
7552 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
7553 -index b5afea2..762ffa1 100644
7554 +index d8762b2..8a25d14 100644
7555 --- a/mm/page_alloc.c
7556 +++ b/mm/page_alloc.c
7557 @@ -57,6 +57,7 @@
7558 @@ -89659,10 +89298,10 @@ index 82ce164..00bd057 100644
7559 err = -EFAULT;
7560 break;
7561 diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
7562 -index b81500c..92fc8ec 100644
7563 +index a06deca..2269299 100644
7564 --- a/net/bridge/br_multicast.c
7565 +++ b/net/bridge/br_multicast.c
7566 -@@ -1409,7 +1409,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
7567 +@@ -1410,7 +1410,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
7568 nexthdr = ip6h->nexthdr;
7569 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
7570
7571 @@ -89876,7 +89515,7 @@ index 53a8e37..45c033e 100644
7572 if (!IS_ERR(debugfsdir)) {
7573
7574 diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
7575 -index 5cf5222..6f704ad 100644
7576 +index 84efbe4..51d47bc 100644
7577 --- a/net/caif/cfctrl.c
7578 +++ b/net/caif/cfctrl.c
7579 @@ -9,6 +9,7 @@
7580 @@ -90037,23 +89676,25 @@ index f78f898..d7aa843 100644
7581
7582 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
7583 diff --git a/net/compat.c b/net/compat.c
7584 -index 8c979cc..5800e81 100644
7585 +index 8c979cc..2b1960c 100644
7586 --- a/net/compat.c
7587 +++ b/net/compat.c
7588 -@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
7589 +@@ -71,9 +71,11 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
7590 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
7591 __get_user(kmsg->msg_flags, &umsg->msg_flags))
7592 return -EFAULT;
7593 - kmsg->msg_name = compat_ptr(tmp1);
7594 - kmsg->msg_iov = compat_ptr(tmp2);
7595 - kmsg->msg_control = compat_ptr(tmp3);
7596 ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
7597 ++ return -EINVAL;
7598 + kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
7599 + kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
7600 + kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
7601 return 0;
7602 }
7603
7604 -@@ -85,7 +85,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
7605 +@@ -85,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
7606
7607 if (kern_msg->msg_namelen) {
7608 if (mode == VERIFY_READ) {
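Review bot: The new bound in get_compat_msghdr(), `if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))`, rejects negative lengths only through the implicit conversion to an unsigned type in the comparison, and nothing in the code says so. msg_namelen appears to be a signed field (its declaration is outside this hunk), so a later cleanup that casts or rewrites the comparison could silently let negative values through again. I would add a comment above the check: `/* compared as unsigned against sizeof: rejects negative msg_namelen as well as oversized ones */`. The same check is repeated in copy_msghdr_from_user() in the net/socket.c hunk and would take the same comment.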
7609 @@ -90062,7 +89703,7 @@ index 8c979cc..5800e81 100644
7610 kern_msg->msg_namelen,
7611 kern_address);
7612 if (err < 0)
7613 -@@ -96,7 +96,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
7614 +@@ -96,7 +98,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
7615 kern_msg->msg_name = NULL;
7616
7617 tot_len = iov_from_user_compat_to_kern(kern_iov,
7618 @@ -90071,7 +89712,7 @@ index 8c979cc..5800e81 100644
7619 kern_msg->msg_iovlen);
7620 if (tot_len >= 0)
7621 kern_msg->msg_iov = kern_iov;
7622 -@@ -116,20 +116,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
7623 +@@ -116,20 +118,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
7624
7625 #define CMSG_COMPAT_FIRSTHDR(msg) \
7626 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
7627 @@ -90095,7 +89736,7 @@ index 8c979cc..5800e81 100644
7628 msg->msg_controllen)
7629 return NULL;
7630 return (struct compat_cmsghdr __user *)ptr;
7631 -@@ -221,7 +221,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
7632 +@@ -221,7 +223,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
7633 {
7634 struct compat_timeval ctv;
7635 struct compat_timespec cts[3];
7636 @@ -90104,7 +89745,7 @@ index 8c979cc..5800e81 100644
7637 struct compat_cmsghdr cmhdr;
7638 int cmlen;
7639
7640 -@@ -273,7 +273,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
7641 +@@ -273,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
7642
7643 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
7644 {
7645 @@ -90113,7 +89754,7 @@ index 8c979cc..5800e81 100644
7646 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
7647 int fdnum = scm->fp->count;
7648 struct file **fp = scm->fp->fp;
7649 -@@ -370,7 +370,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
7650 +@@ -370,7 +372,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
7651 return -EFAULT;
7652 old_fs = get_fs();
7653 set_fs(KERNEL_DS);
7654 @@ -90122,7 +89763,7 @@ index 8c979cc..5800e81 100644
7655 set_fs(old_fs);
7656
7657 return err;
7658 -@@ -431,7 +431,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
7659 +@@ -431,7 +433,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
7660 len = sizeof(ktime);
7661 old_fs = get_fs();
7662 set_fs(KERNEL_DS);
7663 @@ -90131,7 +89772,7 @@ index 8c979cc..5800e81 100644
7664 set_fs(old_fs);
7665
7666 if (!err) {
7667 -@@ -566,7 +566,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
7668 +@@ -566,7 +568,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
7669 case MCAST_JOIN_GROUP:
7670 case MCAST_LEAVE_GROUP:
7671 {
7672 @@ -90140,7 +89781,7 @@ index 8c979cc..5800e81 100644
7673 struct group_req __user *kgr =
7674 compat_alloc_user_space(sizeof(struct group_req));
7675 u32 interface;
7676 -@@ -587,7 +587,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
7677 +@@ -587,7 +589,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
7678 case MCAST_BLOCK_SOURCE:
7679 case MCAST_UNBLOCK_SOURCE:
7680 {
7681 @@ -90149,7 +89790,7 @@ index 8c979cc..5800e81 100644
7682 struct group_source_req __user *kgsr = compat_alloc_user_space(
7683 sizeof(struct group_source_req));
7684 u32 interface;
7685 -@@ -608,7 +608,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
7686 +@@ -608,7 +610,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
7687 }
7688 case MCAST_MSFILTER:
7689 {
7690 @@ -90158,7 +89799,7 @@ index 8c979cc..5800e81 100644
7691 struct group_filter __user *kgf;
7692 u32 interface, fmode, numsrc;
7693
7694 -@@ -646,7 +646,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
7695 +@@ -646,7 +648,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
7696 char __user *optval, int __user *optlen,
7697 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
7698 {
7699 @@ -90167,7 +89808,7 @@ index 8c979cc..5800e81 100644
7700 struct group_filter __user *kgf;
7701 int __user *koptlen;
7702 u32 interface, fmode, numsrc;
7703 -@@ -799,7 +799,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
7704 +@@ -799,7 +801,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
7705
7706 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
7707 return -EINVAL;
7708 @@ -90743,10 +90384,10 @@ index 8a2c2dd..3ba3cf1 100644
7709 .exit = proto_exit_net,
7710 };
7711 diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
7712 -index 77a65f0..ebd69a8 100644
7713 +index f0bdd36..957fc06 100644
7714 --- a/net/core/sysctl_net_core.c
7715 +++ b/net/core/sysctl_net_core.c
7716 -@@ -25,7 +25,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write,
7717 +@@ -28,7 +28,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write,
7718 {
7719 unsigned int orig_size, size;
7720 int ret, i;
7721 @@ -90755,7 +90396,7 @@ index 77a65f0..ebd69a8 100644
7722 .data = &size,
7723 .maxlen = sizeof(size),
7724 .mode = table->mode
7725 -@@ -205,29 +205,27 @@ __net_initdata struct ctl_path net_core_path[] = {
7726 +@@ -210,29 +210,27 @@ __net_initdata struct ctl_path net_core_path[] = {
7727
7728 static __net_init int sysctl_core_net_init(struct net *net)
7729 {
7730 @@ -90791,7 +90432,7 @@ index 77a65f0..ebd69a8 100644
7731 err_dup:
7732 return -ENOMEM;
7733 }
7734 -@@ -242,7 +240,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
7735 +@@ -247,7 +245,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
7736 kfree(tbl);
7737 }
7738
7739 @@ -91086,30 +90727,6 @@ index d01f9c6..284c56c 100644
7740
7741 return nh->nh_saddr;
7742 }
7743 -diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
7744 -index cd2d639..c7c6724 100644
7745 ---- a/net/ipv4/fib_trie.c
7746 -+++ b/net/ipv4/fib_trie.c
7747 -@@ -72,7 +72,6 @@
7748 - #include <linux/init.h>
7749 - #include <linux/list.h>
7750 - #include <linux/slab.h>
7751 --#include <linux/prefetch.h>
7752 - #include <linux/export.h>
7753 - #include <net/net_namespace.h>
7754 - #include <net/ip.h>
7755 -@@ -1773,10 +1772,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
7756 - if (!c)
7757 - continue;
7758 -
7759 -- if (IS_LEAF(c)) {
7760 -- prefetch(rcu_dereference_rtnl(p->child[idx]));
7761 -+ if (IS_LEAF(c))
7762 - return (struct leaf *) c;
7763 -- }
7764 -
7765 - /* Rescan start scanning in new node */
7766 - p = (struct tnode *) c;
7767 diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
7768 index ab188ae..662585c 100644
7769 --- a/net/ipv4/icmp.c
7770 @@ -91202,7 +90819,7 @@ index ccee270..db23c3c 100644
7771 tmo = req->expires - jiffies;
7772 if (tmo < 0)
7773 diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
7774 -index 984ec65..97ac518 100644
7775 +index 984ec65..392d206 100644
7776 --- a/net/ipv4/inet_hashtables.c
7777 +++ b/net/ipv4/inet_hashtables.c
7778 @@ -18,12 +18,15 @@
7779 @@ -91221,6 +90838,15 @@ index 984ec65..97ac518 100644
7780 /*
7781 * Allocate and initialize a new local port bind bucket.
7782 * The bindhash mutex for snum's hash chain must be held here.
7783 +@@ -268,7 +271,7 @@ begintw:
7784 + }
7785 + if (unlikely(!INET_TW_MATCH(sk, net, hash, acookie,
7786 + saddr, daddr, ports, dif))) {
7787 +- sock_put(sk);
7788 ++ inet_twsk_put(inet_twsk(sk));
7789 + goto begintw;
7790 + }
7791 + goto out;
7792 @@ -530,6 +533,8 @@ ok:
7793 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
7794 spin_unlock(&head->lock);
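Review bot: The mismatch path under begintw now drops the reference with `inet_twsk_put(inet_twsk(sk))` instead of `sock_put(sk)`, but no comment says why the generic put is wrong here, which makes the change easy to undo in a later refactor. Presumably sk on this chain is a timewait entry rather than a full socket and has to be released through the timewait-specific put. A short comment such as `/* sk is a timewait sock on this chain: release with inet_twsk_put(), never sock_put() */` would pin that down. The net/ipv6/inet6_hashtables.c hunk makes the same substitution and would take the same comment. The lookup function itself starts outside the hunk.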
7795 @@ -91231,10 +90857,10 @@ index 984ec65..97ac518 100644
7796 inet_twsk_deschedule(tw, death_row);
7797 while (twrefcnt) {
7798 diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
7799 -index 86f13c67..59a35b5 100644
7800 +index 58c4e696..4f025f0 100644
7801 --- a/net/ipv4/inetpeer.c
7802 +++ b/net/ipv4/inetpeer.c
7803 -@@ -436,8 +436,8 @@ relookup:
7804 +@@ -487,8 +487,8 @@ relookup:
7805 if (p) {
7806 p->daddr = *daddr;
7807 atomic_set(&p->refcnt, 1);
7808 @@ -91326,6 +90952,19 @@ index 5f28fab..ebd7a97 100644
7809 .kind = "gretap",
7810 .maxtype = IFLA_GRE_MAX,
7811 .policy = ipgre_policy,
7812 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
7813 +index daf408e..16191f0 100644
7814 +--- a/net/ipv4/ip_output.c
7815 ++++ b/net/ipv4/ip_output.c
7816 +@@ -833,7 +833,7 @@ static int __ip_append_data(struct sock *sk,
7817 + csummode = CHECKSUM_PARTIAL;
7818 +
7819 + cork->length += length;
7820 +- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
7821 ++ if (((length > mtu) || (skb && skb_has_frags(skb))) &&
7822 + (sk->sk_protocol == IPPROTO_UDP) &&
7823 + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
7824 + err = ip_ufo_append_data(sk, queue, getfrag, from, length,
7825 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
7826 index 3b36002..27e6634 100644
7827 --- a/net/ipv4/ip_sockglue.c
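Review bot: The second clause of the UFO condition in __ip_append_data() changes from `skb_is_gso(skb)` to `skb_has_frags(skb)` with no comment, and skb_has_frags() is not defined in any visible line, so a reader cannot tell which queued-skb state is meant to force the ip_ufo_append_data() path. I would add a comment above the condition, for example `/* take the UFO path too when the queued skb already has frags, even if length <= mtu */`, adjusted to whatever the helper actually tests. ip6_append_data() in the net/ipv6/ip6_output.c hunk gets the same substitution and should be documented the same way. The function body continues outside the hunk.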
7828 @@ -91381,7 +91020,7 @@ index 99ec116..c5628fe 100644
7829 return res;
7830 }
7831 diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
7832 -index 0064394..2d993a0 100644
7833 +index b5e64e4..4a9a5c4 100644
7834 --- a/net/ipv4/ipmr.c
7835 +++ b/net/ipv4/ipmr.c
7836 @@ -1320,6 +1320,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
7837 @@ -91555,7 +91194,7 @@ index f7fdbe9..63740b7 100644
7838 .exit = ip_proc_exit_net,
7839 };
7840 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
7841 -index e1d4f30..5e8918e 100644
7842 +index 2815014..1d39ae6 100644
7843 --- a/net/ipv4/raw.c
7844 +++ b/net/ipv4/raw.c
7845 @@ -305,7 +305,7 @@ static int raw_rcv_skb(struct sock * sk, struct sk_buff * skb)
7846 @@ -91625,7 +91264,7 @@ index e1d4f30..5e8918e 100644
7847 .exit = raw_exit_net,
7848 };
7849 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
7850 -index 94cdbc5..01d3a77 100644
7851 +index c45a155a3..dadea8d 100644
7852 --- a/net/ipv4/route.c
7853 +++ b/net/ipv4/route.c
7854 @@ -313,7 +313,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx,
7855 @@ -91653,9 +91292,9 @@ index 94cdbc5..01d3a77 100644
7856 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
7857 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
7858 redirect_genid++;
7859 + inetpeer_invalidate_tree(AF_INET);
7860 }
7861 -
7862 -@@ -3022,7 +3022,7 @@ static int rt_fill_info(struct net *net,
7863 +@@ -3023,7 +3023,7 @@ static int rt_fill_info(struct net *net,
7864 error = rt->dst.error;
7865 if (peer) {
7866 inet_peer_refcheck(rt->peer);
7867 @@ -91664,7 +91303,7 @@ index 94cdbc5..01d3a77 100644
7868 if (peer->tcp_ts_stamp) {
7869 ts = peer->tcp_ts;
7870 tsage = get_seconds() - peer->tcp_ts_stamp;
7871 -@@ -3221,7 +3221,7 @@ static int ipv4_sysctl_rtcache_flush(ctl_table *__ctl, int write,
7872 +@@ -3222,7 +3222,7 @@ static int ipv4_sysctl_rtcache_flush(ctl_table *__ctl, int write,
7873 {
7874 if (write) {
7875 int flush_delay;
7876 @@ -91673,7 +91312,7 @@ index 94cdbc5..01d3a77 100644
7877 struct net *net;
7878
7879 memcpy(&ctl, __ctl, sizeof(ctl));
7880 -@@ -3370,6 +3370,7 @@ static struct ctl_table ipv4_route_flush_table[] = {
7881 +@@ -3371,6 +3371,7 @@ static struct ctl_table ipv4_route_flush_table[] = {
7882 .maxlen = sizeof(int),
7883 .mode = 0200,
7884 .proc_handler = ipv4_sysctl_rtcache_flush,
7885 @@ -91681,7 +91320,7 @@ index 94cdbc5..01d3a77 100644
7886 },
7887 { },
7888 };
7889 -@@ -3383,25 +3384,23 @@ static __net_initdata struct ctl_path ipv4_route_path[] = {
7890 +@@ -3384,25 +3385,23 @@ static __net_initdata struct ctl_path ipv4_route_path[] = {
7891
7892 static __net_init int sysctl_route_net_init(struct net *net)
7893 {
7894 @@ -91714,7 +91353,7 @@ index 94cdbc5..01d3a77 100644
7895 err_dup:
7896 return -ENOMEM;
7897 }
7898 -@@ -3416,7 +3415,7 @@ static __net_exit void sysctl_route_net_exit(struct net *net)
7899 +@@ -3417,7 +3416,7 @@ static __net_exit void sysctl_route_net_exit(struct net *net)
7900 kfree(tbl);
7901 }
7902
7903 @@ -91723,7 +91362,7 @@ index 94cdbc5..01d3a77 100644
7904 .init = sysctl_route_net_init,
7905 .exit = sysctl_route_net_exit,
7906 };
7907 -@@ -3431,7 +3430,7 @@ static __net_init int rt_genid_init(struct net *net)
7908 +@@ -3432,7 +3431,7 @@ static __net_init int rt_genid_init(struct net *net)
7909 return 0;
7910 }
7911
7912 @@ -92259,27 +91898,10 @@ index a0b4c5d..a5818a1 100644
7913 }
7914
7915 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
7916 -index 314bda2..19a815f 100644
7917 +index 5d41293..19a815f 100644
7918 --- a/net/ipv6/addrconf.c
7919 +++ b/net/ipv6/addrconf.c
7920 -@@ -913,12 +913,10 @@ retry:
7921 - if (ifp->flags & IFA_F_OPTIMISTIC)
7922 - addr_flags |= IFA_F_OPTIMISTIC;
7923 -
7924 -- ift = !max_addresses ||
7925 -- ipv6_count_addresses(idev) < max_addresses ?
7926 -- ipv6_add_addr(idev, &addr, tmp_plen,
7927 -- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
7928 -- addr_flags) : NULL;
7929 -- if (!ift || IS_ERR(ift)) {
7930 -+ ift = ipv6_add_addr(idev, &addr, tmp_plen,
7931 -+ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
7932 -+ addr_flags);
7933 -+ if (IS_ERR(ift)) {
7934 - in6_ifa_put(ifp);
7935 - in6_dev_put(idev);
7936 - printk(KERN_INFO
7937 -@@ -2159,7 +2157,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
7938 +@@ -2157,7 +2157,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
7939 p.iph.ihl = 5;
7940 p.iph.protocol = IPPROTO_IPV6;
7941 p.iph.ttl = 64;
7942 @@ -92323,10 +91945,10 @@ index 65dd543..e6c6e6d 100644
7943
7944 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
7945 diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
7946 -index 90868fb..7aeff1e 100644
7947 +index d505453..ff99535 100644
7948 --- a/net/ipv6/icmp.c
7949 +++ b/net/ipv6/icmp.c
7950 -@@ -961,7 +961,7 @@ ctl_table ipv6_icmp_table_template[] = {
7951 +@@ -969,7 +969,7 @@ ctl_table ipv6_icmp_table_template[] = {
7952
7953 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
7954 {
7955 @@ -92357,8 +91979,21 @@ index 1567fb1..29af910 100644
7956 __sk_dst_reset(sk);
7957 dst = NULL;
7958 }
7959 +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
7960 +index 73f1a00..e38290b 100644
7961 +--- a/net/ipv6/inet6_hashtables.c
7962 ++++ b/net/ipv6/inet6_hashtables.c
7963 +@@ -110,7 +110,7 @@ begintw:
7964 + goto out;
7965 + }
7966 + if (!INET6_TW_MATCH(sk, net, hash, saddr, daddr, ports, dif)) {
7967 +- sock_put(sk);
7968 ++ inet_twsk_put(inet_twsk(sk));
7969 + goto begintw;
7970 + }
7971 + goto out;
7972 diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
7973 -index db60043..7f8a2c1 100644
7974 +index 91d0711..7dc5e62 100644
7975 --- a/net/ipv6/ip6_output.c
7976 +++ b/net/ipv6/ip6_output.c
7977 @@ -600,8 +600,8 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
7978 @@ -92390,92 +92025,15 @@ index db60043..7f8a2c1 100644
7979 }
7980
7981 int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
7982 -@@ -1125,6 +1122,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
7983 - * udp datagram
7984 - */
7985 - if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
7986 -+ struct frag_hdr fhdr;
7987 -+
7988 - skb = sock_alloc_send_skb(sk,
7989 - hh_len + fragheaderlen + transhdrlen + 20,
7990 - (flags & MSG_DONTWAIT), &err);
7991 -@@ -1145,12 +1144,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
7992 -
7993 - skb->ip_summed = CHECKSUM_PARTIAL;
7994 - skb->csum = 0;
7995 -- }
7996 --
7997 -- err = skb_append_datato_frags(sk,skb, getfrag, from,
7998 -- (length - transhdrlen));
7999 -- if (!err) {
8000 -- struct frag_hdr fhdr;
8001 -
8002 - /* Specify the length of each IPv6 datagram fragment.
8003 - * It has to be a multiple of 8.
8004 -@@ -1161,15 +1154,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
8005 - ipv6_select_ident(&fhdr, rt);
8006 - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
8007 - __skb_queue_tail(&sk->sk_write_queue, skb);
8008 --
8009 -- return 0;
8010 - }
8011 -- /* There is not enough support do UPD LSO,
8012 -- * so follow normal path
8013 -- */
8014 -- kfree_skb(skb);
8015 -
8016 -- return err;
8017 -+ return skb_append_datato_frags(sk, skb, getfrag, from,
8018 -+ (length - transhdrlen));
8019 - }
8020 -
8021 - static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
8022 -@@ -1342,27 +1330,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
8023 - * --yoshfuji
8024 - */
8025 -
8026 -+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
8027 -+ sk->sk_protocol == IPPROTO_RAW)) {
8028 -+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
8029 -+ return -EMSGSIZE;
8030 -+ }
8031 -+
8032 -+ skb = skb_peek_tail(&sk->sk_write_queue);
8033 +@@ -1342,7 +1339,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
8034 + skb = skb_peek_tail(&sk->sk_write_queue);
8035 cork->length += length;
8036 -- if (length > mtu) {
8037 -- int proto = sk->sk_protocol;
8038 -- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
8039 -- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
8040 -- return -EMSGSIZE;
8041 -- }
8042 --
8043 -- if (proto == IPPROTO_UDP &&
8044 -- (rt->dst.dev->features & NETIF_F_UFO)) {
8045 --
8046 -- err = ip6_ufo_append_data(sk, getfrag, from, length,
8047 -- hh_len, fragheaderlen,
8048 -- transhdrlen, mtu, flags, rt);
8049 -- if (err)
8050 -- goto error;
8051 -- return 0;
8052 -- }
8053 -+ if (((length > mtu) ||
8054 -+ (skb && skb_is_gso(skb))) &&
8055 -+ (sk->sk_protocol == IPPROTO_UDP) &&
8056 -+ (rt->dst.dev->features & NETIF_F_UFO)) {
8057 -+ err = ip6_ufo_append_data(sk, getfrag, from, length,
8058 -+ hh_len, fragheaderlen,
8059 -+ transhdrlen, mtu, flags, rt);
8060 -+ if (err)
8061 -+ goto error;
8062 -+ return 0;
8063 - }
8064 -
8065 -- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
8066 -+ if (!skb)
8067 - goto alloc_new_skb;
8068 -
8069 - while (length > 0) {
8070 + if (((length > mtu) ||
8071 +- (skb && skb_is_gso(skb))) &&
8072 ++ (skb && skb_has_frags(skb))) &&
8073 + (sk->sk_protocol == IPPROTO_UDP) &&
8074 + (rt->dst.dev->features & NETIF_F_UFO)) {
8075 + err = ip6_ufo_append_data(sk, getfrag, from, length,
8076 diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
8077 index b204df8..8f274f4 100644
8078 --- a/net/ipv6/ipv6_sockglue.c
8079 @@ -92638,10 +92196,10 @@ index 6e6c2c4..c97891e 100644
8080
8081 static int raw6_seq_show(struct seq_file *seq, void *v)
8082 diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
8083 -index 411fe2c..cdea3e4 100644
8084 +index eba5deb..61e026f 100644
8085 --- a/net/ipv6/reassembly.c
8086 +++ b/net/ipv6/reassembly.c
8087 -@@ -646,21 +646,21 @@ static struct ctl_table ip6_frags_ctl_table[] = {
8088 +@@ -651,21 +651,21 @@ static struct ctl_table ip6_frags_ctl_table[] = {
8089
8090 static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
8091 {
8092 @@ -92668,7 +92226,7 @@ index 411fe2c..cdea3e4 100644
8093 if (hdr == NULL)
8094 goto err_reg;
8095
8096 -@@ -668,8 +668,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
8097 +@@ -673,8 +673,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
8098 return 0;
8099
8100 err_reg:
8101 @@ -93563,7 +93121,7 @@ index 2b6678c0..aaa41fc 100644
8102 cp->old_state = cp->state;
8103 /*
8104 diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
8105 -index aa2d720..d8aa111 100644
8106 +index 38c0813..a29519d 100644
8107 --- a/net/netfilter/ipvs/ip_vs_xmit.c
8108 +++ b/net/netfilter/ipvs/ip_vs_xmit.c
8109 @@ -1151,7 +1151,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
8110 @@ -94721,100 +94279,10 @@ index 7635107..4670276 100644
8111
8112 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
8113 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
8114 -index 8104278..c969717 100644
8115 +index 0b6a391..febcef2 100644
8116 --- a/net/sctp/ipv6.c
8117 +++ b/net/sctp/ipv6.c
8118 -@@ -205,45 +205,23 @@ out:
8119 - in6_dev_put(idev);
8120 - }
8121 -
8122 --/* Based on tcp_v6_xmit() in tcp_ipv6.c. */
8123 - static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
8124 - {
8125 - struct sock *sk = skb->sk;
8126 - struct ipv6_pinfo *np = inet6_sk(sk);
8127 -- struct flowi6 fl6;
8128 -+ struct flowi6 *fl6 = &transport->fl.u.ip6;
8129 -
8130 -- memset(&fl6, 0, sizeof(fl6));
8131 -+ pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb,
8132 -+ skb->len, &fl6->saddr, &fl6->daddr);
8133 -
8134 -- fl6.flowi6_proto = sk->sk_protocol;
8135 --
8136 -- /* Fill in the dest address from the route entry passed with the skb
8137 -- * and the source address from the transport.
8138 -- */
8139 -- ipv6_addr_copy(&fl6.daddr, &transport->ipaddr.v6.sin6_addr);
8140 -- ipv6_addr_copy(&fl6.saddr, &transport->saddr.v6.sin6_addr);
8141 --
8142 -- fl6.flowlabel = np->flow_label;
8143 -- IP6_ECN_flow_xmit(sk, fl6.flowlabel);
8144 -- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL)
8145 -- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id;
8146 -- else
8147 -- fl6.flowi6_oif = sk->sk_bound_dev_if;
8148 --
8149 -- if (np->opt && np->opt->srcrt) {
8150 -- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
8151 -- ipv6_addr_copy(&fl6.daddr, rt0->addr);
8152 -- }
8153 --
8154 -- SCTP_DEBUG_PRINTK("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n",
8155 -- __func__, skb, skb->len,
8156 -- &fl6.saddr, &fl6.daddr);
8157 --
8158 -- SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
8159 -+ IP6_ECN_flow_xmit(sk, fl6->flowlabel);
8160 -
8161 - if (!(transport->param_flags & SPP_PMTUD_ENABLE))
8162 - skb->local_df = 1;
8163 -
8164 -- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
8165 -+ SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
8166 -+
8167 -+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
8168 - }
8169 -
8170 - /* Returns the dst cache entry for the given source and destination ip
8171 -@@ -256,10 +234,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
8172 - struct dst_entry *dst = NULL;
8173 - struct flowi6 *fl6 = &fl->u.ip6;
8174 - struct sctp_bind_addr *bp;
8175 -+ struct ipv6_pinfo *np = inet6_sk(sk);
8176 - struct sctp_sockaddr_entry *laddr;
8177 - union sctp_addr *baddr = NULL;
8178 - union sctp_addr *daddr = &t->ipaddr;
8179 - union sctp_addr dst_saddr;
8180 -+ struct in6_addr *final_p, final;
8181 - __u8 matchlen = 0;
8182 - __u8 bmatchlen;
8183 - sctp_scope_t scope;
8184 -@@ -282,7 +262,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
8185 - SCTP_DEBUG_PRINTK("SRC=%pI6 - ", &fl6->saddr);
8186 - }
8187 -
8188 -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
8189 -+ final_p = fl6_update_dst(fl6, np->opt, &final);
8190 -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
8191 - if (!asoc || saddr)
8192 - goto out;
8193 -
8194 -@@ -333,10 +314,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
8195 - }
8196 - }
8197 - rcu_read_unlock();
8198 -+
8199 - if (baddr) {
8200 - ipv6_addr_copy(&fl6->saddr, &baddr->v6.sin6_addr);
8201 - fl6->fl6_sport = baddr->v6.sin6_port;
8202 -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
8203 -+ final_p = fl6_update_dst(fl6, np->opt, &final);
8204 -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
8205 - }
8206 -
8207 - out:
8208 -@@ -977,7 +960,7 @@ static const struct inet6_protocol sctpv6_protocol = {
8209 +@@ -961,7 +961,7 @@ static const struct inet6_protocol sctpv6_protocol = {
8210 .flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL,
8211 };
8212
8213 @@ -94823,7 +94291,7 @@ index 8104278..c969717 100644
8214 .sa_family = AF_INET6,
8215 .sctp_xmit = sctp_v6_xmit,
8216 .setsockopt = ipv6_setsockopt,
8217 -@@ -1009,7 +992,7 @@ static struct sctp_af sctp_af_inet6 = {
8218 +@@ -993,7 +993,7 @@ static struct sctp_af sctp_af_inet6 = {
8219 #endif
8220 };
8221
8222 @@ -94832,7 +94300,7 @@ index 8104278..c969717 100644
8223 .event_msgname = sctp_inet6_event_msgname,
8224 .skb_msgname = sctp_inet6_skb_msgname,
8225 .af_supported = sctp_inet6_af_supported,
8226 -@@ -1034,7 +1017,7 @@ void sctp_v6_pf_init(void)
8227 +@@ -1018,7 +1018,7 @@ void sctp_v6_pf_init(void)
8228
8229 void sctp_v6_pf_exit(void)
8230 {
8231 @@ -94912,7 +94380,7 @@ index 6f6ad86..d52dc47 100644
8232
8233 static int sctp_v4_protosw_init(void)
8234 diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
8235 -index 9032d50..49eb875 100644
8236 +index 76388b0..a967f68 100644
8237 --- a/net/sctp/sm_sideeffect.c
8238 +++ b/net/sctp/sm_sideeffect.c
8239 @@ -441,7 +441,7 @@ static void sctp_generate_sack_event(unsigned long data)
8240 @@ -94925,10 +94393,10 @@ index 9032d50..49eb875 100644
8241 sctp_generate_t1_cookie_event,
8242 sctp_generate_t1_init_event,
8243 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
8244 -index ba0108f..f09fd13 100644
8245 +index c53d01e..9659111 100644
8246 --- a/net/sctp/socket.c
8247 +++ b/net/sctp/socket.c
8248 -@@ -2157,11 +2157,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
8249 +@@ -2160,11 +2160,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
8250 {
8251 struct sctp_association *asoc;
8252 struct sctp_ulpevent *event;
8253 @@ -94943,7 +94411,7 @@ index ba0108f..f09fd13 100644
8254
8255 /*
8256 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
8257 -@@ -4147,13 +4149,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
8258 +@@ -4150,13 +4152,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
8259 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
8260 int __user *optlen)
8261 {
8262 @@ -94961,7 +94429,7 @@ index ba0108f..f09fd13 100644
8263 return -EFAULT;
8264 return 0;
8265 }
8266 -@@ -4171,6 +4176,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
8267 +@@ -4174,6 +4179,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
8268 */
8269 static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
8270 {
8271 @@ -94970,7 +94438,7 @@ index ba0108f..f09fd13 100644
8272 /* Applicable to UDP-style socket only */
8273 if (sctp_style(sk, TCP))
8274 return -EOPNOTSUPP;
8275 -@@ -4179,7 +4186,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
8276 +@@ -4182,7 +4189,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
8277 len = sizeof(int);
8278 if (put_user(len, optlen))
8279 return -EFAULT;
8280 @@ -94980,7 +94448,7 @@ index ba0108f..f09fd13 100644
8281 return -EFAULT;
8282 return 0;
8283 }
8284 -@@ -4543,12 +4551,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
8285 +@@ -4546,12 +4554,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
8286 */
8287 static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
8288 {
8289 @@ -94997,7 +94465,7 @@ index ba0108f..f09fd13 100644
8290 return -EFAULT;
8291 return 0;
8292 }
8293 -@@ -4589,6 +4600,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
8294 +@@ -4592,6 +4603,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
8295 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
8296 if (space_left < addrlen)
8297 return -ENOMEM;
8298 @@ -95060,7 +94528,7 @@ index 8da4481..d02565e 100644
8299 + (rtt >> sctp_rto_alpha);
8300 } else {
8301 diff --git a/net/socket.c b/net/socket.c
8302 -index cf546a3..a9b550f 100644
8303 +index cf546a3..3cb0fca 100644
8304 --- a/net/socket.c
8305 +++ b/net/socket.c
8306 @@ -88,6 +88,7 @@
8307 @@ -95244,7 +94712,38 @@ index cf546a3..a9b550f 100644
8308 int err, err2;
8309 int fput_needed;
8310
8311 -@@ -1950,7 +2016,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
8312 +@@ -1876,6 +1942,16 @@ struct used_address {
8313 + unsigned int name_len;
8314 + };
8315 +
8316 ++static int copy_msghdr_from_user(struct msghdr *kmsg,
8317 ++ struct msghdr __user *umsg)
8318 ++{
8319 ++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
8320 ++ return -EFAULT;
8321 ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
8322 ++ return -EINVAL;
8323 ++ return 0;
8324 ++}
8325 ++
8326 + static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
8327 + struct msghdr *msg_sys, unsigned flags,
8328 + struct used_address *used_address)
8329 +@@ -1894,8 +1970,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
8330 + if (MSG_CMSG_COMPAT & flags) {
8331 + if (get_compat_msghdr(msg_sys, msg_compat))
8332 + return -EFAULT;
8333 +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
8334 +- return -EFAULT;
8335 ++ } else {
8336 ++ err = copy_msghdr_from_user(msg_sys, msg);
8337 ++ if (err)
8338 ++ return err;
8339 ++ }
8340 +
8341 + /* do not move before msg_sys is valid */
8342 + err = -EMSGSIZE;
8343 +@@ -1950,7 +2029,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
8344 * checking falls down on this.
8345 */
8346 if (copy_from_user(ctl_buf,
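Review bot: The MSG_CMSG_COMPAT arm of ___sys_sendmsg does not get the new msg_namelen bound: only the `else` arm calls copy_msghdr_from_user(), while the compat arm still calls get_compat_msghdr() and maps any failure to -EFAULT. Unless get_compat_msghdr() gains the same `kmsg->msg_namelen > sizeof(struct sockaddr_storage)` test elsewhere in the patch (not visible in this hunk), compat callers can still pass an oversized length to code that presumably assumes a sockaddr_storage-sized name; the ___sys_recvmsg hunk further down has the same shape. If that test is added there, the compat arm should propagate its result, `err = get_compat_msghdr(msg_sys, msg_compat); if (err) return err;`, so both ABIs return -EINVAL for the same input. A comment on the helper would also help: `/* msg_namelen is a signed int; comparing against size_t rejects negative values too */`. ___sys_sendmsg's body continues outside the hunk.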
8347 @@ -95253,7 +94752,7 @@ index cf546a3..a9b550f 100644
8348 ctl_len))
8349 goto out_freectl;
8350 msg_sys->msg_control = ctl_buf;
8351 -@@ -2101,7 +2167,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
8352 +@@ -2101,7 +2180,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
8353 int err, iov_size, total_len, len;
8354
8355 /* kernel mode address */
8356 @@ -95262,7 +94761,21 @@ index cf546a3..a9b550f 100644
8357
8358 /* user mode address pointers */
8359 struct sockaddr __user *uaddr;
8360 -@@ -2131,7 +2197,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
8361 +@@ -2110,8 +2189,11 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
8362 + if (MSG_CMSG_COMPAT & flags) {
8363 + if (get_compat_msghdr(msg_sys, msg_compat))
8364 + return -EFAULT;
8365 +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
8366 +- return -EFAULT;
8367 ++ } else {
8368 ++ err = copy_msghdr_from_user(msg_sys, msg);
8369 ++ if (err)
8370 ++ return err;
8371 ++ }
8372 +
8373 + err = -EMSGSIZE;
8374 + if (msg_sys->msg_iovlen > UIO_MAXIOV)
8375 +@@ -2131,7 +2213,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
8376 * kernel msghdr to use the kernel address space)
8377 */
8378
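Review bot: On the receive path the shared helper turns an over-large msg_namelen into a hard -EINVAL, which may be stricter than needed: here the field appears to be the caller's buffer capacity for the returned address (it feeds `uaddr_len` just below), so a value above sizeof(struct sockaddr_storage) is harmless once capped. Programs that pass a generously sized name buffer to recvmsg() would start failing; clamping keeps the bound without changing the return value: `if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) kmsg->msg_namelen = sizeof(struct sockaddr_storage);`. Because copy_msghdr_from_user() is also used by ___sys_sendmsg, the choice affects both paths and deserves a comment in the helper stating which behaviour is intended. ___sys_recvmsg's body continues outside the hunk.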
8379 @@ -95271,7 +94784,7 @@ index cf546a3..a9b550f 100644
8380 uaddr_len = COMPAT_NAMELEN(msg);
8381 if (MSG_CMSG_COMPAT & flags) {
8382 err = verify_compat_iovec(msg_sys, iov,
8383 -@@ -2772,7 +2838,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
8384 +@@ -2772,7 +2854,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
8385 }
8386
8387 ifr = compat_alloc_user_space(buf_size);
8388 @@ -95280,7 +94793,7 @@ index cf546a3..a9b550f 100644
8389
8390 if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
8391 return -EFAULT;
8392 -@@ -2796,12 +2862,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
8393 +@@ -2796,12 +2878,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
8394 offsetof(struct ethtool_rxnfc, fs.ring_cookie));
8395
8396 if (copy_in_user(rxnfc, compat_rxnfc,
8397 @@ -95297,7 +94810,7 @@ index cf546a3..a9b550f 100644
8398 copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
8399 sizeof(rxnfc->rule_cnt)))
8400 return -EFAULT;
8401 -@@ -2813,12 +2879,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
8402 +@@ -2813,12 +2895,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
8403
8404 if (convert_out) {
8405 if (copy_in_user(compat_rxnfc, rxnfc,
8406 @@ -95314,7 +94827,7 @@ index cf546a3..a9b550f 100644
8407 copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
8408 sizeof(rxnfc->rule_cnt)))
8409 return -EFAULT;
8410 -@@ -2888,7 +2954,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
8411 +@@ -2888,7 +2970,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
8412 old_fs = get_fs();
8413 set_fs(KERNEL_DS);
8414 err = dev_ioctl(net, cmd,
8415 @@ -95323,7 +94836,7 @@ index cf546a3..a9b550f 100644
8416 set_fs(old_fs);
8417
8418 return err;
8419 -@@ -2997,7 +3063,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
8420 +@@ -2997,7 +3079,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
8421
8422 old_fs = get_fs();
8423 set_fs(KERNEL_DS);
8424 @@ -95332,7 +94845,7 @@ index cf546a3..a9b550f 100644
8425 set_fs(old_fs);
8426
8427 if (cmd == SIOCGIFMAP && !err) {
8428 -@@ -3102,7 +3168,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
8429 +@@ -3102,7 +3184,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
8430 ret |= __get_user(rtdev, &(ur4->rt_dev));
8431 if (rtdev) {
8432 ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
8433 @@ -95341,7 +94854,7 @@ index cf546a3..a9b550f 100644
8434 devname[15] = 0;
8435 } else
8436 r4.rt_dev = NULL;
8437 -@@ -3342,8 +3408,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
8438 +@@ -3342,8 +3424,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
8439 int __user *uoptlen;
8440 int err;
8441
8442 @@ -95352,7 +94865,7 @@ index cf546a3..a9b550f 100644
8443
8444 set_fs(KERNEL_DS);
8445 if (level == SOL_SOCKET)
8446 -@@ -3363,7 +3429,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
8447 +@@ -3363,7 +3445,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
8448 char __user *uoptval;
8449 int err;
8450
8451 @@ -96032,10 +95545,10 @@ index e758139..d29ea47 100644
8452 return (mode << 6) | (mode << 3) | mode;
8453 }
8454 diff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c
8455 -index e728d4c..dffdddf 100644
8456 +index a224a38..c31d40a 100644
8457 --- a/net/tipc/eth_media.c
8458 +++ b/net/tipc/eth_media.c
8459 -@@ -57,7 +57,6 @@ struct eth_bearer {
8460 +@@ -58,7 +58,6 @@ struct eth_bearer {
8461
8462 static struct eth_bearer eth_bearers[MAX_ETH_BEARERS];
8463 static int eth_started;
8464 @@ -96043,7 +95556,7 @@ index e728d4c..dffdddf 100644
8465
8466 /**
8467 * send_msg - send a TIPC message out over an Ethernet interface
8468 -@@ -264,6 +263,11 @@ static char *eth_addr2str(struct tipc_media_addr *a, char *str_buf, int str_size
8469 +@@ -277,6 +276,11 @@ static char *eth_addr2str(struct tipc_media_addr *a, char *str_buf, int str_size
8470 * with OS for notifications about device state changes.
8471 */
8472
8473 @@ -96055,7 +95568,7 @@ index e728d4c..dffdddf 100644
8474 int tipc_eth_media_start(void)
8475 {
8476 struct tipc_media_addr bcast_addr;
8477 -@@ -284,8 +288,6 @@ int tipc_eth_media_start(void)
8478 +@@ -297,8 +301,6 @@ int tipc_eth_media_start(void)
8479 if (res)
8480 return res;
8481
8482
8483 diff --git a/3.2.51/4425_grsec_remove_EI_PAX.patch b/3.2.52/4425_grsec_remove_EI_PAX.patch
8484 similarity index 100%
8485 rename from 3.2.51/4425_grsec_remove_EI_PAX.patch
8486 rename to 3.2.52/4425_grsec_remove_EI_PAX.patch
8487
8488 diff --git a/3.2.51/4427_force_XATTR_PAX_tmpfs.patch b/3.2.52/4427_force_XATTR_PAX_tmpfs.patch
8489 similarity index 100%
8490 rename from 3.2.51/4427_force_XATTR_PAX_tmpfs.patch
8491 rename to 3.2.52/4427_force_XATTR_PAX_tmpfs.patch
8492
8493 diff --git a/3.2.51/4430_grsec-remove-localversion-grsec.patch b/3.2.52/4430_grsec-remove-localversion-grsec.patch
8494 similarity index 100%
8495 rename from 3.2.51/4430_grsec-remove-localversion-grsec.patch
8496 rename to 3.2.52/4430_grsec-remove-localversion-grsec.patch
8497
8498 diff --git a/3.2.51/4435_grsec-mute-warnings.patch b/3.2.52/4435_grsec-mute-warnings.patch
8499 similarity index 100%
8500 rename from 3.2.51/4435_grsec-mute-warnings.patch
8501 rename to 3.2.52/4435_grsec-mute-warnings.patch
8502
8503 diff --git a/3.2.51/4440_grsec-remove-protected-paths.patch b/3.2.52/4440_grsec-remove-protected-paths.patch
8504 similarity index 100%
8505 rename from 3.2.51/4440_grsec-remove-protected-paths.patch
8506 rename to 3.2.52/4440_grsec-remove-protected-paths.patch
8507
8508 diff --git a/3.2.51/4450_grsec-kconfig-default-gids.patch b/3.2.52/4450_grsec-kconfig-default-gids.patch
8509 similarity index 100%
8510 rename from 3.2.51/4450_grsec-kconfig-default-gids.patch
8511 rename to 3.2.52/4450_grsec-kconfig-default-gids.patch
8512
8513 diff --git a/3.2.51/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.52/4465_selinux-avc_audit-log-curr_ip.patch
8514 similarity index 100%
8515 rename from 3.2.51/4465_selinux-avc_audit-log-curr_ip.patch
8516 rename to 3.2.52/4465_selinux-avc_audit-log-curr_ip.patch
8517
8518 diff --git a/3.2.51/4470_disable-compat_vdso.patch b/3.2.52/4470_disable-compat_vdso.patch
8519 similarity index 100%
8520 rename from 3.2.51/4470_disable-compat_vdso.patch
8521 rename to 3.2.52/4470_disable-compat_vdso.patch
8522
8523 diff --git a/3.2.51/4475_emutramp_default_on.patch b/3.2.52/4475_emutramp_default_on.patch
8524 similarity index 100%
8525 rename from 3.2.51/4475_emutramp_default_on.patch
8526 rename to 3.2.52/4475_emutramp_default_on.patch