Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Mike Pagano (mpagano)" <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r1817 - genpatches-2.6/trunk/2.6.32
Date: Sun, 31 Oct 2010 22:37:01
Message-Id: 20101031223653.F126120051@flycatcher.gentoo.org
1 Author: mpagano
2 Date: 2010-10-31 22:36:53 +0000 (Sun, 31 Oct 2010)
3 New Revision: 1817
4
5 Added:
6 genpatches-2.6/trunk/2.6.32/1024_linux-2.6.32.25.patch
7 Removed:
8 genpatches-2.6/trunk/2.6.32/1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch
9 Modified:
10 genpatches-2.6/trunk/2.6.32/0000_README
11 Log:
12 Linux patch 2.6.32.25 and removal of redundant patch.
13
14 Modified: genpatches-2.6/trunk/2.6.32/0000_README
15 ===================================================================
16 --- genpatches-2.6/trunk/2.6.32/0000_README 2010-10-21 20:47:49 UTC (rev 1816)
17 +++ genpatches-2.6/trunk/2.6.32/0000_README 2010-10-31 22:36:53 UTC (rev 1817)
18 @@ -135,9 +135,9 @@
19 From: http://www.kernel.org
20 Desc: Linux 2.6.32.24
21
22 -Patch: 1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch
23 +Patch: 1024_linux-2.6.32.25.patch
24 From: http://www.kernel.org
25 -Desc: CVE-2010-3904 RDS Protocol priviledge escalation
26 +Desc: Linux 2.6.32.25
27
28 Patch: 2500_libata-fix-truncated-LBA48-ret-vals.patch
29 From: http://bugs.gentoo.org/show_bug.cgi?id=303313
30
31 Added: genpatches-2.6/trunk/2.6.32/1024_linux-2.6.32.25.patch
32 ===================================================================
33 --- genpatches-2.6/trunk/2.6.32/1024_linux-2.6.32.25.patch (rev 0)
34 +++ genpatches-2.6/trunk/2.6.32/1024_linux-2.6.32.25.patch 2010-10-31 22:36:53 UTC (rev 1817)
35 @@ -0,0 +1,2018 @@
36 +diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S
37 +index c38afdb..0a3cf9e 100644
38 +--- a/arch/powerpc/kernel/head_64.S
39 ++++ b/arch/powerpc/kernel/head_64.S
40 +@@ -563,15 +563,21 @@ __secondary_start:
41 + /* Set thread priority to MEDIUM */
42 + HMT_MEDIUM
43 +
44 +- /* Do early setup for that CPU (stab, slb, hash table pointer) */
45 +- bl .early_setup_secondary
46 +-
47 + /* Initialize the kernel stack. Just a repeat for iSeries. */
48 + LOAD_REG_ADDR(r3, current_set)
49 + sldi r28,r24,3 /* get current_set[cpu#] */
50 +- ldx r1,r3,r28
51 +- addi r1,r1,THREAD_SIZE-STACK_FRAME_OVERHEAD
52 +- std r1,PACAKSAVE(r13)
53 ++ ldx r14,r3,r28
54 ++ addi r14,r14,THREAD_SIZE-STACK_FRAME_OVERHEAD
55 ++ std r14,PACAKSAVE(r13)
56 ++
57 ++ /* Do early setup for that CPU (stab, slb, hash table pointer) */
58 ++ bl .early_setup_secondary
59 ++
60 ++ /*
61 ++ * setup the new stack pointer, but *don't* use this until
62 ++ * translation is on.
63 ++ */
64 ++ mr r1, r14
65 +
66 + /* Clear backchain so we get nice backtraces */
67 + li r7,0
68 +diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
69 +index 635d16d..9fcf26c 100644
70 +--- a/arch/um/drivers/ubd_kern.c
71 ++++ b/arch/um/drivers/ubd_kern.c
72 +@@ -160,6 +160,7 @@ struct ubd {
73 + struct scatterlist sg[MAX_SG];
74 + struct request *request;
75 + int start_sg, end_sg;
76 ++ sector_t rq_pos;
77 + };
78 +
79 + #define DEFAULT_COW { \
80 +@@ -184,6 +185,7 @@ struct ubd {
81 + .request = NULL, \
82 + .start_sg = 0, \
83 + .end_sg = 0, \
84 ++ .rq_pos = 0, \
85 + }
86 +
87 + /* Protected by ubd_lock */
88 +@@ -1222,7 +1224,6 @@ static void do_ubd_request(struct request_queue *q)
89 + {
90 + struct io_thread_req *io_req;
91 + struct request *req;
92 +- sector_t sector;
93 + int n;
94 +
95 + while(1){
96 +@@ -1233,12 +1234,12 @@ static void do_ubd_request(struct request_queue *q)
97 + return;
98 +
99 + dev->request = req;
100 ++ dev->rq_pos = blk_rq_pos(req);
101 + dev->start_sg = 0;
102 + dev->end_sg = blk_rq_map_sg(q, req, dev->sg);
103 + }
104 +
105 + req = dev->request;
106 +- sector = blk_rq_pos(req);
107 + while(dev->start_sg < dev->end_sg){
108 + struct scatterlist *sg = &dev->sg[dev->start_sg];
109 +
110 +@@ -1250,10 +1251,9 @@ static void do_ubd_request(struct request_queue *q)
111 + return;
112 + }
113 + prepare_request(req, io_req,
114 +- (unsigned long long)sector << 9,
115 ++ (unsigned long long)dev->rq_pos << 9,
116 + sg->offset, sg->length, sg_page(sg));
117 +
118 +- sector += sg->length >> 9;
119 + n = os_write_file(thread_fd, &io_req,
120 + sizeof(struct io_thread_req *));
121 + if(n != sizeof(struct io_thread_req *)){
122 +@@ -1266,6 +1266,7 @@ static void do_ubd_request(struct request_queue *q)
123 + return;
124 + }
125 +
126 ++ dev->rq_pos += sg->length >> 9;
127 + dev->start_sg++;
128 + }
129 + dev->end_sg = 0;
130 +diff --git a/arch/x86/include/asm/amd_iommu_types.h b/arch/x86/include/asm/amd_iommu_types.h
131 +index 2a2cc7a..7beb491 100644
132 +--- a/arch/x86/include/asm/amd_iommu_types.h
133 ++++ b/arch/x86/include/asm/amd_iommu_types.h
134 +@@ -305,6 +305,9 @@ struct amd_iommu {
135 + /* capabilities of that IOMMU read from ACPI */
136 + u32 cap;
137 +
138 ++ /* flags read from acpi table */
139 ++ u8 acpi_flags;
140 ++
141 + /*
142 + * Capability pointer. There could be more than one IOMMU per PCI
143 + * device function if there are more than one AMD IOMMU capability
144 +@@ -348,6 +351,15 @@ struct amd_iommu {
145 +
146 + /* default dma_ops domain for that IOMMU */
147 + struct dma_ops_domain *default_dom;
148 ++
149 ++ /*
150 ++ * This array is required to work around a potential BIOS bug.
151 ++ * The BIOS may miss to restore parts of the PCI configuration
152 ++ * space when the system resumes from S3. The result is that the
153 ++ * IOMMU does not execute commands anymore which leads to system
154 ++ * failure.
155 ++ */
156 ++ u32 cache_cfg[4];
157 + };
158 +
159 + /*
160 +@@ -469,4 +481,10 @@ static inline void amd_iommu_stats_init(void) { }
161 + /* some function prototypes */
162 + extern void amd_iommu_reset_cmd_buffer(struct amd_iommu *iommu);
163 +
164 ++static inline bool is_rd890_iommu(struct pci_dev *pdev)
165 ++{
166 ++ return (pdev->vendor == PCI_VENDOR_ID_ATI) &&
167 ++ (pdev->device == PCI_DEVICE_ID_RD890_IOMMU);
168 ++}
169 ++
170 + #endif /* _ASM_X86_AMD_IOMMU_TYPES_H */
171 +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
172 +index d8e5d0c..d1911ab 100644
173 +--- a/arch/x86/kernel/Makefile
174 ++++ b/arch/x86/kernel/Makefile
175 +@@ -11,6 +11,8 @@ ifdef CONFIG_FUNCTION_TRACER
176 + CFLAGS_REMOVE_tsc.o = -pg
177 + CFLAGS_REMOVE_rtc.o = -pg
178 + CFLAGS_REMOVE_paravirt-spinlocks.o = -pg
179 ++CFLAGS_REMOVE_pvclock.o = -pg
180 ++CFLAGS_REMOVE_kvmclock.o = -pg
181 + CFLAGS_REMOVE_ftrace.o = -pg
182 + CFLAGS_REMOVE_early_printk.o = -pg
183 + endif
184 +diff --git a/arch/x86/kernel/amd_iommu.c b/arch/x86/kernel/amd_iommu.c
185 +index f0fa7a1..7cd33f7 100644
186 +--- a/arch/x86/kernel/amd_iommu.c
187 ++++ b/arch/x86/kernel/amd_iommu.c
188 +@@ -1688,6 +1688,7 @@ static void __unmap_single(struct amd_iommu *iommu,
189 + size_t size,
190 + int dir)
191 + {
192 ++ dma_addr_t flush_addr;
193 + dma_addr_t i, start;
194 + unsigned int pages;
195 +
196 +@@ -1695,6 +1696,7 @@ static void __unmap_single(struct amd_iommu *iommu,
197 + (dma_addr + size > dma_dom->aperture_size))
198 + return;
199 +
200 ++ flush_addr = dma_addr;
201 + pages = iommu_num_pages(dma_addr, size, PAGE_SIZE);
202 + dma_addr &= PAGE_MASK;
203 + start = dma_addr;
204 +@@ -1709,7 +1711,7 @@ static void __unmap_single(struct amd_iommu *iommu,
205 + dma_ops_free_addresses(dma_dom, dma_addr, pages);
206 +
207 + if (amd_iommu_unmap_flush || dma_dom->need_flush) {
208 +- iommu_flush_pages(iommu, dma_dom->domain.id, dma_addr, size);
209 ++ iommu_flush_pages(iommu, dma_dom->domain.id, flush_addr, size);
210 + dma_dom->need_flush = false;
211 + }
212 + }
213 +diff --git a/arch/x86/kernel/amd_iommu_init.c b/arch/x86/kernel/amd_iommu_init.c
214 +index 3925adf..400be99 100644
215 +--- a/arch/x86/kernel/amd_iommu_init.c
216 ++++ b/arch/x86/kernel/amd_iommu_init.c
217 +@@ -622,6 +622,13 @@ static void __init init_iommu_from_pci(struct amd_iommu *iommu)
218 + iommu->last_device = calc_devid(MMIO_GET_BUS(range),
219 + MMIO_GET_LD(range));
220 + iommu->evt_msi_num = MMIO_MSI_NUM(misc);
221 ++
222 ++ if (is_rd890_iommu(iommu->dev)) {
223 ++ pci_read_config_dword(iommu->dev, 0xf0, &iommu->cache_cfg[0]);
224 ++ pci_read_config_dword(iommu->dev, 0xf4, &iommu->cache_cfg[1]);
225 ++ pci_read_config_dword(iommu->dev, 0xf8, &iommu->cache_cfg[2]);
226 ++ pci_read_config_dword(iommu->dev, 0xfc, &iommu->cache_cfg[3]);
227 ++ }
228 + }
229 +
230 + /*
231 +@@ -639,29 +646,9 @@ static void __init init_iommu_from_acpi(struct amd_iommu *iommu,
232 + struct ivhd_entry *e;
233 +
234 + /*
235 +- * First set the recommended feature enable bits from ACPI
236 +- * into the IOMMU control registers
237 ++ * First save the recommended feature enable bits from ACPI
238 + */
239 +- h->flags & IVHD_FLAG_HT_TUN_EN_MASK ?
240 +- iommu_feature_enable(iommu, CONTROL_HT_TUN_EN) :
241 +- iommu_feature_disable(iommu, CONTROL_HT_TUN_EN);
242 +-
243 +- h->flags & IVHD_FLAG_PASSPW_EN_MASK ?
244 +- iommu_feature_enable(iommu, CONTROL_PASSPW_EN) :
245 +- iommu_feature_disable(iommu, CONTROL_PASSPW_EN);
246 +-
247 +- h->flags & IVHD_FLAG_RESPASSPW_EN_MASK ?
248 +- iommu_feature_enable(iommu, CONTROL_RESPASSPW_EN) :
249 +- iommu_feature_disable(iommu, CONTROL_RESPASSPW_EN);
250 +-
251 +- h->flags & IVHD_FLAG_ISOC_EN_MASK ?
252 +- iommu_feature_enable(iommu, CONTROL_ISOC_EN) :
253 +- iommu_feature_disable(iommu, CONTROL_ISOC_EN);
254 +-
255 +- /*
256 +- * make IOMMU memory accesses cache coherent
257 +- */
258 +- iommu_feature_enable(iommu, CONTROL_COHERENT_EN);
259 ++ iommu->acpi_flags = h->flags;
260 +
261 + /*
262 + * Done. Now parse the device entries
263 +@@ -1089,6 +1076,40 @@ static void init_device_table(void)
264 + }
265 + }
266 +
267 ++static void iommu_init_flags(struct amd_iommu *iommu)
268 ++{
269 ++ iommu->acpi_flags & IVHD_FLAG_HT_TUN_EN_MASK ?
270 ++ iommu_feature_enable(iommu, CONTROL_HT_TUN_EN) :
271 ++ iommu_feature_disable(iommu, CONTROL_HT_TUN_EN);
272 ++
273 ++ iommu->acpi_flags & IVHD_FLAG_PASSPW_EN_MASK ?
274 ++ iommu_feature_enable(iommu, CONTROL_PASSPW_EN) :
275 ++ iommu_feature_disable(iommu, CONTROL_PASSPW_EN);
276 ++
277 ++ iommu->acpi_flags & IVHD_FLAG_RESPASSPW_EN_MASK ?
278 ++ iommu_feature_enable(iommu, CONTROL_RESPASSPW_EN) :
279 ++ iommu_feature_disable(iommu, CONTROL_RESPASSPW_EN);
280 ++
281 ++ iommu->acpi_flags & IVHD_FLAG_ISOC_EN_MASK ?
282 ++ iommu_feature_enable(iommu, CONTROL_ISOC_EN) :
283 ++ iommu_feature_disable(iommu, CONTROL_ISOC_EN);
284 ++
285 ++ /*
286 ++ * make IOMMU memory accesses cache coherent
287 ++ */
288 ++ iommu_feature_enable(iommu, CONTROL_COHERENT_EN);
289 ++}
290 ++
291 ++static void iommu_apply_quirks(struct amd_iommu *iommu)
292 ++{
293 ++ if (is_rd890_iommu(iommu->dev)) {
294 ++ pci_write_config_dword(iommu->dev, 0xf0, iommu->cache_cfg[0]);
295 ++ pci_write_config_dword(iommu->dev, 0xf4, iommu->cache_cfg[1]);
296 ++ pci_write_config_dword(iommu->dev, 0xf8, iommu->cache_cfg[2]);
297 ++ pci_write_config_dword(iommu->dev, 0xfc, iommu->cache_cfg[3]);
298 ++ }
299 ++}
300 ++
301 + /*
302 + * This function finally enables all IOMMUs found in the system after
303 + * they have been initialized
304 +@@ -1099,6 +1120,8 @@ static void enable_iommus(void)
305 +
306 + for_each_iommu(iommu) {
307 + iommu_disable(iommu);
308 ++ iommu_apply_quirks(iommu);
309 ++ iommu_init_flags(iommu);
310 + iommu_set_device_table(iommu);
311 + iommu_enable_command_buffer(iommu);
312 + iommu_enable_event_buffer(iommu);
313 +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
314 +index 0da6495..420e43e 100644
315 +--- a/arch/x86/kernel/apic/io_apic.c
316 ++++ b/arch/x86/kernel/apic/io_apic.c
317 +@@ -332,14 +332,19 @@ void arch_init_copy_chip_data(struct irq_desc *old_desc,
318 +
319 + old_cfg = old_desc->chip_data;
320 +
321 +- memcpy(cfg, old_cfg, sizeof(struct irq_cfg));
322 ++ cfg->vector = old_cfg->vector;
323 ++ cfg->move_in_progress = old_cfg->move_in_progress;
324 ++ cpumask_copy(cfg->domain, old_cfg->domain);
325 ++ cpumask_copy(cfg->old_domain, old_cfg->old_domain);
326 +
327 + init_copy_irq_2_pin(old_cfg, cfg, node);
328 + }
329 +
330 +-static void free_irq_cfg(struct irq_cfg *old_cfg)
331 ++static void free_irq_cfg(struct irq_cfg *cfg)
332 + {
333 +- kfree(old_cfg);
334 ++ free_cpumask_var(cfg->domain);
335 ++ free_cpumask_var(cfg->old_domain);
336 ++ kfree(cfg);
337 + }
338 +
339 + void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)
340 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
341 +index cc25c2b..4e34d10 100644
342 +--- a/arch/x86/kernel/cpu/common.c
343 ++++ b/arch/x86/kernel/cpu/common.c
344 +@@ -540,7 +540,7 @@ void __cpuinit cpu_detect(struct cpuinfo_x86 *c)
345 + }
346 + }
347 +
348 +-static void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
349 ++void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
350 + {
351 + u32 tfms, xlvl;
352 + u32 ebx;
353 +@@ -579,6 +579,7 @@ static void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
354 + if (c->extended_cpuid_level >= 0x80000007)
355 + c->x86_power = cpuid_edx(0x80000007);
356 +
357 ++ init_scattered_cpuid_features(c);
358 + }
359 +
360 + static void __cpuinit identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
361 +@@ -727,7 +728,6 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
362 +
363 + get_model_name(c); /* Default name */
364 +
365 +- init_scattered_cpuid_features(c);
366 + detect_nopl(c);
367 + }
368 +
369 +diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
370 +index 6de9a90..eb19c08 100644
371 +--- a/arch/x86/kernel/cpu/cpu.h
372 ++++ b/arch/x86/kernel/cpu/cpu.h
373 +@@ -33,5 +33,6 @@ extern const struct cpu_dev *const __x86_cpu_dev_start[],
374 + *const __x86_cpu_dev_end[];
375 +
376 + extern void display_cacheinfo(struct cpuinfo_x86 *c);
377 ++extern void get_cpu_cap(struct cpuinfo_x86 *c);
378 +
379 + #endif
380 +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
381 +index 2f12d6d..6a77cca 100644
382 +--- a/arch/x86/kernel/cpu/intel.c
383 ++++ b/arch/x86/kernel/cpu/intel.c
384 +@@ -40,6 +40,7 @@ static void __cpuinit early_init_intel(struct cpuinfo_x86 *c)
385 + misc_enable &= ~MSR_IA32_MISC_ENABLE_LIMIT_CPUID;
386 + wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable);
387 + c->cpuid_level = cpuid_eax(0);
388 ++ get_cpu_cap(c);
389 + }
390 + }
391 +
392 +diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c
393 +index 83a3d1f..8387792 100644
394 +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
395 ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
396 +@@ -140,6 +140,7 @@ void mce_amd_feature_init(struct cpuinfo_x86 *c)
397 + address = (low & MASK_BLKPTR_LO) >> 21;
398 + if (!address)
399 + break;
400 ++
401 + address += MCG_XBLK_ADDR;
402 + } else
403 + ++address;
404 +@@ -147,12 +148,8 @@ void mce_amd_feature_init(struct cpuinfo_x86 *c)
405 + if (rdmsr_safe(address, &low, &high))
406 + break;
407 +
408 +- if (!(high & MASK_VALID_HI)) {
409 +- if (block)
410 +- continue;
411 +- else
412 +- break;
413 +- }
414 ++ if (!(high & MASK_VALID_HI))
415 ++ continue;
416 +
417 + if (!(high & MASK_CNTP_HI) ||
418 + (high & MASK_LOCKED_HI))
419 +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
420 +index 19528ef..c771e1a 100644
421 +--- a/arch/x86/kernel/hpet.c
422 ++++ b/arch/x86/kernel/hpet.c
423 +@@ -497,7 +497,7 @@ static int hpet_assign_irq(struct hpet_dev *dev)
424 + {
425 + unsigned int irq;
426 +
427 +- irq = create_irq();
428 ++ irq = create_irq_nr(0, -1);
429 + if (!irq)
430 + return -EINVAL;
431 +
432 +diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
433 +index 238526b..ca6b336 100644
434 +--- a/arch/x86/oprofile/nmi_int.c
435 ++++ b/arch/x86/oprofile/nmi_int.c
436 +@@ -624,6 +624,7 @@ static int __init ppro_init(char **cpu_type)
437 + case 0x0f:
438 + case 0x16:
439 + case 0x17:
440 ++ case 0x1d:
441 + *cpu_type = "i386/core_2";
442 + break;
443 + case 0x1a:
444 +diff --git a/block/bsg.c b/block/bsg.c
445 +index 0676301..7154a7a 100644
446 +--- a/block/bsg.c
447 ++++ b/block/bsg.c
448 +@@ -424,7 +424,7 @@ static int blk_complete_sgv4_hdr_rq(struct request *rq, struct sg_io_v4 *hdr,
449 + /*
450 + * fill in all the output members
451 + */
452 +- hdr->device_status = status_byte(rq->errors);
453 ++ hdr->device_status = rq->errors & 0xff;
454 + hdr->transport_status = host_byte(rq->errors);
455 + hdr->driver_status = driver_byte(rq->errors);
456 + hdr->info = 0;
457 +diff --git a/drivers/acpi/acpica/aclocal.h b/drivers/acpi/acpica/aclocal.h
458 +index 81e64f4..d46e256 100644
459 +--- a/drivers/acpi/acpica/aclocal.h
460 ++++ b/drivers/acpi/acpica/aclocal.h
461 +@@ -846,6 +846,7 @@ struct acpi_bit_register_info {
462 + ACPI_BITMASK_POWER_BUTTON_STATUS | \
463 + ACPI_BITMASK_SLEEP_BUTTON_STATUS | \
464 + ACPI_BITMASK_RT_CLOCK_STATUS | \
465 ++ ACPI_BITMASK_PCIEXP_WAKE_DISABLE | \
466 + ACPI_BITMASK_WAKE_STATUS)
467 +
468 + #define ACPI_BITMASK_TIMER_ENABLE 0x0001
469 +diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
470 +index 2815df6..ab645bb 100644
471 +--- a/drivers/acpi/blacklist.c
472 ++++ b/drivers/acpi/blacklist.c
473 +@@ -218,6 +218,14 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
474 + },
475 + },
476 + {
477 ++ .callback = dmi_disable_osi_vista,
478 ++ .ident = "Toshiba Satellite L355",
479 ++ .matches = {
480 ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
481 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Satellite L355"),
482 ++ },
483 ++ },
484 ++ {
485 + .callback = dmi_disable_osi_win7,
486 + .ident = "ASUS K50IJ",
487 + .matches = {
488 +@@ -225,6 +233,14 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
489 + DMI_MATCH(DMI_PRODUCT_NAME, "K50IJ"),
490 + },
491 + },
492 ++ {
493 ++ .callback = dmi_disable_osi_vista,
494 ++ .ident = "Toshiba P305D",
495 ++ .matches = {
496 ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
497 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Satellite P305D"),
498 ++ },
499 ++ },
500 +
501 + /*
502 + * BIOS invocation of _OSI(Linux) is almost always a BIOS bug.
503 +diff --git a/drivers/acpi/processor_core.c b/drivers/acpi/processor_core.c
504 +index ec742a4..7102474 100644
505 +--- a/drivers/acpi/processor_core.c
506 ++++ b/drivers/acpi/processor_core.c
507 +@@ -134,12 +134,6 @@ static int set_no_mwait(const struct dmi_system_id *id)
508 +
509 + static struct dmi_system_id __cpuinitdata processor_idle_dmi_table[] = {
510 + {
511 +- set_no_mwait, "IFL91 board", {
512 +- DMI_MATCH(DMI_BIOS_VENDOR, "COMPAL"),
513 +- DMI_MATCH(DMI_SYS_VENDOR, "ZEPTO"),
514 +- DMI_MATCH(DMI_PRODUCT_VERSION, "3215W"),
515 +- DMI_MATCH(DMI_BOARD_NAME, "IFL91") }, NULL},
516 +- {
517 + set_no_mwait, "Extensa 5220", {
518 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
519 + DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
520 +diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
521 +index 466ab10..f2b44d5 100644
522 +--- a/drivers/dma/mv_xor.c
523 ++++ b/drivers/dma/mv_xor.c
524 +@@ -161,7 +161,7 @@ static int mv_is_err_intr(u32 intr_cause)
525 +
526 + static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan)
527 + {
528 +- u32 val = (1 << (1 + (chan->idx * 16)));
529 ++ u32 val = ~(1 << (chan->idx * 16));
530 + dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val);
531 + __raw_writel(val, XOR_INTR_CAUSE(chan));
532 + }
533 +diff --git a/drivers/i2c/busses/i2c-pca-isa.c b/drivers/i2c/busses/i2c-pca-isa.c
534 +index f7346a9..62a5ce5 100644
535 +--- a/drivers/i2c/busses/i2c-pca-isa.c
536 ++++ b/drivers/i2c/busses/i2c-pca-isa.c
537 +@@ -71,8 +71,8 @@ static int pca_isa_readbyte(void *pd, int reg)
538 +
539 + static int pca_isa_waitforcompletion(void *pd)
540 + {
541 +- long ret = ~0;
542 + unsigned long timeout;
543 ++ long ret;
544 +
545 + if (irq > -1) {
546 + ret = wait_event_timeout(pca_wait,
547 +@@ -81,11 +81,15 @@ static int pca_isa_waitforcompletion(void *pd)
548 + } else {
549 + /* Do polling */
550 + timeout = jiffies + pca_isa_ops.timeout;
551 +- while (((pca_isa_readbyte(pd, I2C_PCA_CON)
552 +- & I2C_PCA_CON_SI) == 0)
553 +- && (ret = time_before(jiffies, timeout)))
554 ++ do {
555 ++ ret = time_before(jiffies, timeout);
556 ++ if (pca_isa_readbyte(pd, I2C_PCA_CON)
557 ++ & I2C_PCA_CON_SI)
558 ++ break;
559 + udelay(100);
560 ++ } while (ret);
561 + }
562 ++
563 + return ret > 0;
564 + }
565 +
566 +diff --git a/drivers/i2c/busses/i2c-pca-platform.c b/drivers/i2c/busses/i2c-pca-platform.c
567 +index 5b2213d..1d8c208 100644
568 +--- a/drivers/i2c/busses/i2c-pca-platform.c
569 ++++ b/drivers/i2c/busses/i2c-pca-platform.c
570 +@@ -80,8 +80,8 @@ static void i2c_pca_pf_writebyte32(void *pd, int reg, int val)
571 + static int i2c_pca_pf_waitforcompletion(void *pd)
572 + {
573 + struct i2c_pca_pf_data *i2c = pd;
574 +- long ret = ~0;
575 + unsigned long timeout;
576 ++ long ret;
577 +
578 + if (i2c->irq) {
579 + ret = wait_event_timeout(i2c->wait,
580 +@@ -90,10 +90,13 @@ static int i2c_pca_pf_waitforcompletion(void *pd)
581 + } else {
582 + /* Do polling */
583 + timeout = jiffies + i2c->adap.timeout;
584 +- while (((i2c->algo_data.read_byte(i2c, I2C_PCA_CON)
585 +- & I2C_PCA_CON_SI) == 0)
586 +- && (ret = time_before(jiffies, timeout)))
587 ++ do {
588 ++ ret = time_before(jiffies, timeout);
589 ++ if (i2c->algo_data.read_byte(i2c, I2C_PCA_CON)
590 ++ & I2C_PCA_CON_SI)
591 ++ break;
592 + udelay(100);
593 ++ } while (ret);
594 + }
595 +
596 + return ret > 0;
597 +diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
598 +index 66b4135..675fc04 100644
599 +--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
600 ++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
601 +@@ -486,7 +486,8 @@ static int send_connect(struct iwch_ep *ep)
602 + V_MSS_IDX(mtu_idx) |
603 + V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
604 + opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
605 +- opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
606 ++ opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
607 ++ V_CONG_CONTROL_FLAVOR(cong_flavor);
608 + skb->priority = CPL_PRIORITY_SETUP;
609 + set_arp_failure_handler(skb, act_open_req_arp_failure);
610 +
611 +@@ -1303,7 +1304,8 @@ static void accept_cr(struct iwch_ep *ep, __be32 peer_ip, struct sk_buff *skb)
612 + V_MSS_IDX(mtu_idx) |
613 + V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
614 + opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
615 +- opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
616 ++ opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
617 ++ V_CONG_CONTROL_FLAVOR(cong_flavor);
618 +
619 + rpl = cplhdr(skb);
620 + rpl->wr.wr_hi = htonl(V_WR_OP(FW_WROPCODE_FORWARD));
621 +diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
622 +index b1bd6dd..93c60e0 100644
623 +--- a/drivers/input/joydev.c
624 ++++ b/drivers/input/joydev.c
625 +@@ -481,6 +481,9 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,
626 +
627 + memcpy(joydev->abspam, abspam, len);
628 +
629 ++ for (i = 0; i < joydev->nabs; i++)
630 ++ joydev->absmap[joydev->abspam[i]] = i;
631 ++
632 + out:
633 + kfree(abspam);
634 + return retval;
635 +diff --git a/drivers/media/video/cx231xx/cx231xx-cards.c b/drivers/media/video/cx231xx/cx231xx-cards.c
636 +index 319c459..dd30b9d 100644
637 +--- a/drivers/media/video/cx231xx/cx231xx-cards.c
638 ++++ b/drivers/media/video/cx231xx/cx231xx-cards.c
639 +@@ -225,14 +225,16 @@ void cx231xx_pre_card_setup(struct cx231xx *dev)
640 + dev->board.name, dev->model);
641 +
642 + /* set the direction for GPIO pins */
643 +- cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
644 +- cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
645 +- cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
646 ++ if (dev->board.tuner_gpio) {
647 ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1);
648 ++ cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1);
649 ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1);
650 +
651 +- /* request some modules if any required */
652 ++ /* request some modules if any required */
653 +
654 +- /* reset the Tuner */
655 +- cx231xx_gpio_set(dev, dev->board.tuner_gpio);
656 ++ /* reset the Tuner */
657 ++ cx231xx_gpio_set(dev, dev->board.tuner_gpio);
658 ++ }
659 +
660 + /* set the mode to Analog mode initially */
661 + cx231xx_set_mode(dev, CX231XX_ANALOG_MODE);
662 +diff --git a/drivers/media/video/saa7134/saa7134-core.c b/drivers/media/video/saa7134/saa7134-core.c
663 +index f87757f..09d4223 100644
664 +--- a/drivers/media/video/saa7134/saa7134-core.c
665 ++++ b/drivers/media/video/saa7134/saa7134-core.c
666 +@@ -420,19 +420,6 @@ int saa7134_set_dmabits(struct saa7134_dev *dev)
667 + ctrl |= SAA7134_MAIN_CTRL_TE5;
668 + irq |= SAA7134_IRQ1_INTE_RA2_1 |
669 + SAA7134_IRQ1_INTE_RA2_0;
670 +-
671 +- /* dma: setup channel 5 (= TS) */
672 +-
673 +- saa_writeb(SAA7134_TS_DMA0, (dev->ts.nr_packets - 1) & 0xff);
674 +- saa_writeb(SAA7134_TS_DMA1,
675 +- ((dev->ts.nr_packets - 1) >> 8) & 0xff);
676 +- /* TSNOPIT=0, TSCOLAP=0 */
677 +- saa_writeb(SAA7134_TS_DMA2,
678 +- (((dev->ts.nr_packets - 1) >> 16) & 0x3f) | 0x00);
679 +- saa_writel(SAA7134_RS_PITCH(5), TS_PACKET_SIZE);
680 +- saa_writel(SAA7134_RS_CONTROL(5), SAA7134_RS_CONTROL_BURST_16 |
681 +- SAA7134_RS_CONTROL_ME |
682 +- (dev->ts.pt_ts.dma >> 12));
683 + }
684 +
685 + /* set task conditions + field handling */
686 +diff --git a/drivers/media/video/saa7134/saa7134-ts.c b/drivers/media/video/saa7134/saa7134-ts.c
687 +index 03488ba..b9817d7 100644
688 +--- a/drivers/media/video/saa7134/saa7134-ts.c
689 ++++ b/drivers/media/video/saa7134/saa7134-ts.c
690 +@@ -250,6 +250,19 @@ int saa7134_ts_start(struct saa7134_dev *dev)
691 +
692 + BUG_ON(dev->ts_started);
693 +
694 ++ /* dma: setup channel 5 (= TS) */
695 ++ saa_writeb(SAA7134_TS_DMA0, (dev->ts.nr_packets - 1) & 0xff);
696 ++ saa_writeb(SAA7134_TS_DMA1,
697 ++ ((dev->ts.nr_packets - 1) >> 8) & 0xff);
698 ++ /* TSNOPIT=0, TSCOLAP=0 */
699 ++ saa_writeb(SAA7134_TS_DMA2,
700 ++ (((dev->ts.nr_packets - 1) >> 16) & 0x3f) | 0x00);
701 ++ saa_writel(SAA7134_RS_PITCH(5), TS_PACKET_SIZE);
702 ++ saa_writel(SAA7134_RS_CONTROL(5), SAA7134_RS_CONTROL_BURST_16 |
703 ++ SAA7134_RS_CONTROL_ME |
704 ++ (dev->ts.pt_ts.dma >> 12));
705 ++
706 ++ /* reset hardware TS buffers */
707 + saa_writeb(SAA7134_TS_SERIAL1, 0x00);
708 + saa_writeb(SAA7134_TS_SERIAL1, 0x03);
709 + saa_writeb(SAA7134_TS_SERIAL1, 0x00);
710 +diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c
711 +index 997975d..64076ff 100644
712 +--- a/drivers/media/video/v4l2-compat-ioctl32.c
713 ++++ b/drivers/media/video/v4l2-compat-ioctl32.c
714 +@@ -193,17 +193,24 @@ static int put_video_window32(struct video_window *kp, struct video_window32 __u
715 + struct video_code32 {
716 + char loadwhat[16]; /* name or tag of file being passed */
717 + compat_int_t datasize;
718 +- unsigned char *data;
719 ++ compat_uptr_t data;
720 + };
721 +
722 +-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
723 ++static struct video_code __user *get_microcode32(struct video_code32 *kp)
724 + {
725 +- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
726 +- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
727 +- get_user(kp->datasize, &up->datasize) ||
728 +- copy_from_user(kp->data, up->data, up->datasize))
729 +- return -EFAULT;
730 +- return 0;
731 ++ struct video_code __user *up;
732 ++
733 ++ up = compat_alloc_user_space(sizeof(*up));
734 ++
735 ++ /*
736 ++ * NOTE! We don't actually care if these fail. If the
737 ++ * user address is invalid, the native ioctl will do
738 ++ * the error handling for us
739 ++ */
740 ++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
741 ++ (void) put_user(kp->datasize, &up->datasize);
742 ++ (void) put_user(compat_ptr(kp->data), &up->data);
743 ++ return up;
744 + }
745 +
746 + #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
747 +@@ -741,7 +748,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
748 + struct video_tuner vt;
749 + struct video_buffer vb;
750 + struct video_window vw;
751 +- struct video_code vc;
752 ++ struct video_code32 vc;
753 + struct video_audio va;
754 + #endif
755 + struct v4l2_format v2f;
756 +@@ -820,8 +827,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
757 + break;
758 +
759 + case VIDIOCSMICROCODE:
760 +- err = get_microcode32(&karg.vc, up);
761 +- compatible_arg = 0;
762 ++ /* Copy the 32-bit "video_code32" to kernel space */
763 ++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
764 ++ return -EFAULT;
765 ++ /* Convert the 32-bit version to a 64-bit version in user space */
766 ++ up = get_microcode32(&karg.vc);
767 + break;
768 +
769 + case VIDIOCSFREQ:
770 +diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
771 +index 676cd0c..14c5480 100644
772 +--- a/drivers/mmc/host/sdhci-s3c.c
773 ++++ b/drivers/mmc/host/sdhci-s3c.c
774 +@@ -379,8 +379,10 @@ static int __devexit sdhci_s3c_remove(struct platform_device *pdev)
775 + sdhci_remove_host(host, 1);
776 +
777 + for (ptr = 0; ptr < 3; ptr++) {
778 +- clk_disable(sc->clk_bus[ptr]);
779 +- clk_put(sc->clk_bus[ptr]);
780 ++ if (sc->clk_bus[ptr]) {
781 ++ clk_disable(sc->clk_bus[ptr]);
782 ++ clk_put(sc->clk_bus[ptr]);
783 ++ }
784 + }
785 + clk_disable(sc->clk_io);
786 + clk_put(sc->clk_io);
787 +diff --git a/drivers/net/atlx/atl1.c b/drivers/net/atlx/atl1.c
788 +index 00569dc..403bfb6 100644
789 +--- a/drivers/net/atlx/atl1.c
790 ++++ b/drivers/net/atlx/atl1.c
791 +@@ -2856,10 +2856,11 @@ static int atl1_resume(struct pci_dev *pdev)
792 + pci_enable_wake(pdev, PCI_D3cold, 0);
793 +
794 + atl1_reset_hw(&adapter->hw);
795 +- adapter->cmb.cmb->int_stats = 0;
796 +
797 +- if (netif_running(netdev))
798 ++ if (netif_running(netdev)) {
799 ++ adapter->cmb.cmb->int_stats = 0;
800 + atl1_up(adapter);
801 ++ }
802 + netif_device_attach(netdev);
803 +
804 + return 0;
805 +diff --git a/drivers/net/b44.c b/drivers/net/b44.c
806 +index 4869adb..137cb03 100644
807 +--- a/drivers/net/b44.c
808 ++++ b/drivers/net/b44.c
809 +@@ -2175,8 +2175,6 @@ static int __devinit b44_init_one(struct ssb_device *sdev,
810 + dev->irq = sdev->irq;
811 + SET_ETHTOOL_OPS(dev, &b44_ethtool_ops);
812 +
813 +- netif_carrier_off(dev);
814 +-
815 + err = ssb_bus_powerup(sdev->bus, 0);
816 + if (err) {
817 + dev_err(sdev->dev,
818 +@@ -2216,6 +2214,8 @@ static int __devinit b44_init_one(struct ssb_device *sdev,
819 + goto err_out_powerdown;
820 + }
821 +
822 ++ netif_carrier_off(dev);
823 ++
824 + ssb_set_drvdata(sdev, dev);
825 +
826 + /* Chip reset provides power to the b44 MAC & PCI cores, which
827 +diff --git a/drivers/net/netxen/netxen_nic_init.c b/drivers/net/netxen/netxen_nic_init.c
828 +index 8a09043..0f3ae46 100644
829 +--- a/drivers/net/netxen/netxen_nic_init.c
830 ++++ b/drivers/net/netxen/netxen_nic_init.c
831 +@@ -1199,7 +1199,6 @@ netxen_process_rcv(struct netxen_adapter *adapter,
832 + if (pkt_offset)
833 + skb_pull(skb, pkt_offset);
834 +
835 +- skb->truesize = skb->len + sizeof(struct sk_buff);
836 + skb->protocol = eth_type_trans(skb, netdev);
837 +
838 + napi_gro_receive(&sds_ring->napi, skb);
839 +@@ -1261,8 +1260,6 @@ netxen_process_lro(struct netxen_adapter *adapter,
840 +
841 + skb_put(skb, lro_length + data_offset);
842 +
843 +- skb->truesize = skb->len + sizeof(struct sk_buff) + skb_headroom(skb);
844 +-
845 + skb_pull(skb, l2_hdr_offset);
846 + skb->protocol = eth_type_trans(skb, netdev);
847 +
848 +diff --git a/drivers/net/r6040.c b/drivers/net/r6040.c
849 +index 8b14c6e..9ee9f01 100644
850 +--- a/drivers/net/r6040.c
851 ++++ b/drivers/net/r6040.c
852 +@@ -135,7 +135,7 @@
853 + #define RX_DESC_SIZE (RX_DCNT * sizeof(struct r6040_descriptor))
854 + #define TX_DESC_SIZE (TX_DCNT * sizeof(struct r6040_descriptor))
855 + #define MBCR_DEFAULT 0x012A /* MAC Bus Control Register */
856 +-#define MCAST_MAX 4 /* Max number multicast addresses to filter */
857 ++#define MCAST_MAX 3 /* Max number multicast addresses to filter */
858 +
859 + /* Descriptor status */
860 + #define DSC_OWNER_MAC 0x8000 /* MAC is the owner of this descriptor */
861 +@@ -985,9 +985,6 @@ static void r6040_multicast_list(struct net_device *dev)
862 + crc >>= 26;
863 + hash_table[crc >> 4] |= 1 << (15 - (crc & 0xf));
864 + }
865 +- /* Write the index of the hash table */
866 +- for (i = 0; i < 4; i++)
867 +- iowrite16(hash_table[i] << 14, ioaddr + MCR1);
868 + /* Fill the MAC hash tables with their values */
869 + iowrite16(hash_table[0], ioaddr + MAR0);
870 + iowrite16(hash_table[1], ioaddr + MAR1);
871 +@@ -995,6 +992,7 @@ static void r6040_multicast_list(struct net_device *dev)
872 + iowrite16(hash_table[3], ioaddr + MAR3);
873 + }
874 + /* Multicast Address 1~4 case */
875 ++ dmi = dev->mc_list;
876 + for (i = 0, dmi; (i < dev->mc_count) && (i < MCAST_MAX); i++) {
877 + adrp = (u16 *)dmi->dmi_addr;
878 + iowrite16(adrp[0], ioaddr + MID_1L + 8*i);
879 +@@ -1003,9 +1001,9 @@ static void r6040_multicast_list(struct net_device *dev)
880 + dmi = dmi->next;
881 + }
882 + for (i = dev->mc_count; i < MCAST_MAX; i++) {
883 +- iowrite16(0xffff, ioaddr + MID_0L + 8*i);
884 +- iowrite16(0xffff, ioaddr + MID_0M + 8*i);
885 +- iowrite16(0xffff, ioaddr + MID_0H + 8*i);
886 ++ iowrite16(0xffff, ioaddr + MID_1L + 8*i);
887 ++ iowrite16(0xffff, ioaddr + MID_1M + 8*i);
888 ++ iowrite16(0xffff, ioaddr + MID_1H + 8*i);
889 + }
890 + }
891 +
892 +diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
893 +index 62e784a..7dd2132 100644
894 +--- a/drivers/net/r8169.c
895 ++++ b/drivers/net/r8169.c
896 +@@ -3999,7 +3999,7 @@ static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
897 + static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev,
898 + struct net_device *dev,
899 + struct RxDesc *desc, int rx_buf_sz,
900 +- unsigned int align)
901 ++ unsigned int align, gfp_t gfp)
902 + {
903 + struct sk_buff *skb;
904 + dma_addr_t mapping;
905 +@@ -4007,7 +4007,7 @@ static struct sk_buff *rtl8169_alloc_rx_skb(struct pci_dev *pdev,
906 +
907 + pad = align ? align : NET_IP_ALIGN;
908 +
909 +- skb = netdev_alloc_skb(dev, rx_buf_sz + pad);
910 ++ skb = __netdev_alloc_skb(dev, rx_buf_sz + pad, gfp);
911 + if (!skb)
912 + goto err_out;
913 +
914 +@@ -4038,7 +4038,7 @@ static void rtl8169_rx_clear(struct rtl8169_private *tp)
915 + }
916 +
917 + static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev,
918 +- u32 start, u32 end)
919 ++ u32 start, u32 end, gfp_t gfp)
920 + {
921 + u32 cur;
922 +
923 +@@ -4053,7 +4053,7 @@ static u32 rtl8169_rx_fill(struct rtl8169_private *tp, struct net_device *dev,
924 +
925 + skb = rtl8169_alloc_rx_skb(tp->pci_dev, dev,
926 + tp->RxDescArray + i,
927 +- tp->rx_buf_sz, tp->align);
928 ++ tp->rx_buf_sz, tp->align, gfp);
929 + if (!skb)
930 + break;
931 +
932 +@@ -4081,7 +4081,7 @@ static int rtl8169_init_ring(struct net_device *dev)
933 + memset(tp->tx_skb, 0x0, NUM_TX_DESC * sizeof(struct ring_info));
934 + memset(tp->Rx_skbuff, 0x0, NUM_RX_DESC * sizeof(struct sk_buff *));
935 +
936 +- if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC) != NUM_RX_DESC)
937 ++ if (rtl8169_rx_fill(tp, dev, 0, NUM_RX_DESC, GFP_KERNEL) != NUM_RX_DESC)
938 + goto err_out;
939 +
940 + rtl8169_mark_as_last_descriptor(tp->RxDescArray + NUM_RX_DESC - 1);
941 +@@ -4584,7 +4584,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
942 + count = cur_rx - tp->cur_rx;
943 + tp->cur_rx = cur_rx;
944 +
945 +- delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx);
946 ++ delta = rtl8169_rx_fill(tp, dev, tp->dirty_rx, tp->cur_rx, GFP_ATOMIC);
947 + if (!delta && count && netif_msg_intr(tp))
948 + printk(KERN_INFO "%s: no Rx buffer allocated\n", dev->name);
949 + tp->dirty_rx += delta;
950 +diff --git a/drivers/net/skge.c b/drivers/net/skge.c
951 +index 8f54143..5b07e00 100644
952 +--- a/drivers/net/skge.c
953 ++++ b/drivers/net/skge.c
954 +@@ -40,6 +40,7 @@
955 + #include <linux/sched.h>
956 + #include <linux/seq_file.h>
957 + #include <linux/mii.h>
958 ++#include <linux/dmi.h>
959 + #include <asm/irq.h>
960 +
961 + #include "skge.h"
962 +@@ -3890,6 +3891,8 @@ static void __devinit skge_show_addr(struct net_device *dev)
963 + dev->name, dev->dev_addr);
964 + }
965 +
966 ++static int only_32bit_dma;
967 ++
968 + static int __devinit skge_probe(struct pci_dev *pdev,
969 + const struct pci_device_id *ent)
970 + {
971 +@@ -3911,7 +3914,7 @@ static int __devinit skge_probe(struct pci_dev *pdev,
972 +
973 + pci_set_master(pdev);
974 +
975 +- if (!pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
976 ++ if (!only_32bit_dma && !pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
977 + using_dac = 1;
978 + err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
979 + } else if (!(err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) {
980 +@@ -4168,8 +4171,21 @@ static struct pci_driver skge_driver = {
981 + .shutdown = skge_shutdown,
982 + };
983 +
984 ++static struct dmi_system_id skge_32bit_dma_boards[] = {
985 ++ {
986 ++ .ident = "Gigabyte nForce boards",
987 ++ .matches = {
988 ++ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co"),
989 ++ DMI_MATCH(DMI_BOARD_NAME, "nForce"),
990 ++ },
991 ++ },
992 ++ {}
993 ++};
994 ++
995 + static int __init skge_init_module(void)
996 + {
997 ++ if (dmi_check_system(skge_32bit_dma_boards))
998 ++ only_32bit_dma = 1;
999 + skge_debug_init();
1000 + return pci_register_driver(&skge_driver);
1001 + }
1002 +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
1003 +index bf6bd67..4633fc2 100644
1004 +--- a/drivers/pci/quirks.c
1005 ++++ b/drivers/pci/quirks.c
1006 +@@ -155,6 +155,26 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC, PCI_DEVICE_ID_NEC_CBUS_2, quirk_isa_d
1007 + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC, PCI_DEVICE_ID_NEC_CBUS_3, quirk_isa_dma_hangs);
1008 +
1009 + /*
1010 ++ * Intel NM10 "TigerPoint" LPC PM1a_STS.BM_STS must be clear
1011 ++ * for some HT machines to use C4 w/o hanging.
1012 ++ */
1013 ++static void __devinit quirk_tigerpoint_bm_sts(struct pci_dev *dev)
1014 ++{
1015 ++ u32 pmbase;
1016 ++ u16 pm1a;
1017 ++
1018 ++ pci_read_config_dword(dev, 0x40, &pmbase);
1019 ++ pmbase = pmbase & 0xff80;
1020 ++ pm1a = inw(pmbase);
1021 ++
1022 ++ if (pm1a & 0x10) {
1023 ++ dev_info(&dev->dev, FW_BUG "TigerPoint LPC.BM_STS cleared\n");
1024 ++ outw(0x10, pmbase);
1025 ++ }
1026 ++}
1027 ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGP_LPC, quirk_tigerpoint_bm_sts);
1028 ++
1029 ++/*
1030 + * Chipsets where PCI->PCI transfers vanish or hang
1031 + */
1032 + static void __devinit quirk_nopcipci(struct pci_dev *dev)
1033 +diff --git a/drivers/usb/core/file.c b/drivers/usb/core/file.c
1034 +index 222ee07..8164ba5 100644
1035 +--- a/drivers/usb/core/file.c
1036 ++++ b/drivers/usb/core/file.c
1037 +@@ -159,9 +159,9 @@ void usb_major_cleanup(void)
1038 + int usb_register_dev(struct usb_interface *intf,
1039 + struct usb_class_driver *class_driver)
1040 + {
1041 +- int retval = -EINVAL;
1042 ++ int retval;
1043 + int minor_base = class_driver->minor_base;
1044 +- int minor = 0;
1045 ++ int minor;
1046 + char name[20];
1047 + char *temp;
1048 +
1049 +@@ -173,12 +173,17 @@ int usb_register_dev(struct usb_interface *intf,
1050 + */
1051 + minor_base = 0;
1052 + #endif
1053 +- intf->minor = -1;
1054 +-
1055 +- dbg ("looking for a minor, starting at %d", minor_base);
1056 +
1057 + if (class_driver->fops == NULL)
1058 +- goto exit;
1059 ++ return -EINVAL;
1060 ++ if (intf->minor >= 0)
1061 ++ return -EADDRINUSE;
1062 ++
1063 ++ retval = init_usb_class();
1064 ++ if (retval)
1065 ++ return retval;
1066 ++
1067 ++ dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base);
1068 +
1069 + down_write(&minor_rwsem);
1070 + for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) {
1071 +@@ -186,20 +191,12 @@ int usb_register_dev(struct usb_interface *intf,
1072 + continue;
1073 +
1074 + usb_minors[minor] = class_driver->fops;
1075 +-
1076 +- retval = 0;
1077 ++ intf->minor = minor;
1078 + break;
1079 + }
1080 + up_write(&minor_rwsem);
1081 +-
1082 +- if (retval)
1083 +- goto exit;
1084 +-
1085 +- retval = init_usb_class();
1086 +- if (retval)
1087 +- goto exit;
1088 +-
1089 +- intf->minor = minor;
1090 ++ if (intf->minor < 0)
1091 ++ return -EXFULL;
1092 +
1093 + /* create a usb class device for this usb interface */
1094 + snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
1095 +@@ -213,11 +210,11 @@ int usb_register_dev(struct usb_interface *intf,
1096 + "%s", temp);
1097 + if (IS_ERR(intf->usb_dev)) {
1098 + down_write(&minor_rwsem);
1099 +- usb_minors[intf->minor] = NULL;
1100 ++ usb_minors[minor] = NULL;
1101 ++ intf->minor = -1;
1102 + up_write(&minor_rwsem);
1103 + retval = PTR_ERR(intf->usb_dev);
1104 + }
1105 +-exit:
1106 + return retval;
1107 + }
1108 + EXPORT_SYMBOL_GPL(usb_register_dev);
1109 +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
1110 +index 980a8d2..1ca6545 100644
1111 +--- a/drivers/usb/core/message.c
1112 ++++ b/drivers/usb/core/message.c
1113 +@@ -1792,6 +1792,7 @@ free_interfaces:
1114 + intf->dev.groups = usb_interface_groups;
1115 + intf->dev.dma_mask = dev->dev.dma_mask;
1116 + INIT_WORK(&intf->reset_ws, __usb_queue_reset_device);
1117 ++ intf->minor = -1;
1118 + device_initialize(&intf->dev);
1119 + mark_quiesced(intf);
1120 + dev_set_name(&intf->dev, "%d-%s:%d.%d",
1121 +diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
1122 +index 74073f9..c6f5ee4 100644
1123 +--- a/drivers/usb/musb/musb_gadget.c
1124 ++++ b/drivers/usb/musb/musb_gadget.c
1125 +@@ -577,11 +577,19 @@ static void rxstate(struct musb *musb, struct musb_request *req)
1126 + {
1127 + const u8 epnum = req->epnum;
1128 + struct usb_request *request = &req->request;
1129 +- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
1130 ++ struct musb_ep *musb_ep;
1131 + void __iomem *epio = musb->endpoints[epnum].regs;
1132 + unsigned fifo_count = 0;
1133 +- u16 len = musb_ep->packet_sz;
1134 ++ u16 len;
1135 + u16 csr = musb_readw(epio, MUSB_RXCSR);
1136 ++ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
1137 ++
1138 ++ if (hw_ep->is_shared_fifo)
1139 ++ musb_ep = &hw_ep->ep_in;
1140 ++ else
1141 ++ musb_ep = &hw_ep->ep_out;
1142 ++
1143 ++ len = musb_ep->packet_sz;
1144 +
1145 + /* We shouldn't get here while DMA is active, but we do... */
1146 + if (dma_channel_status(musb_ep->dma) == MUSB_DMA_STATUS_BUSY) {
1147 +@@ -749,9 +757,15 @@ void musb_g_rx(struct musb *musb, u8 epnum)
1148 + u16 csr;
1149 + struct usb_request *request;
1150 + void __iomem *mbase = musb->mregs;
1151 +- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
1152 ++ struct musb_ep *musb_ep;
1153 + void __iomem *epio = musb->endpoints[epnum].regs;
1154 + struct dma_channel *dma;
1155 ++ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
1156 ++
1157 ++ if (hw_ep->is_shared_fifo)
1158 ++ musb_ep = &hw_ep->ep_in;
1159 ++ else
1160 ++ musb_ep = &hw_ep->ep_out;
1161 +
1162 + musb_ep_select(mbase, epnum);
1163 +
1164 +@@ -1074,7 +1088,7 @@ struct free_record {
1165 + /*
1166 + * Context: controller locked, IRQs blocked.
1167 + */
1168 +-static void musb_ep_restart(struct musb *musb, struct musb_request *req)
1169 ++void musb_ep_restart(struct musb *musb, struct musb_request *req)
1170 + {
1171 + DBG(3, "<== %s request %p len %u on hw_ep%d\n",
1172 + req->tx ? "TX/IN" : "RX/OUT",
1173 +diff --git a/drivers/usb/musb/musb_gadget.h b/drivers/usb/musb/musb_gadget.h
1174 +index 59502da..76711f2 100644
1175 +--- a/drivers/usb/musb/musb_gadget.h
1176 ++++ b/drivers/usb/musb/musb_gadget.h
1177 +@@ -105,4 +105,6 @@ extern void musb_g_giveback(struct musb_ep *, struct usb_request *, int);
1178 +
1179 + extern int musb_gadget_set_halt(struct usb_ep *ep, int value);
1180 +
1181 ++extern void musb_ep_restart(struct musb *, struct musb_request *);
1182 ++
1183 + #endif /* __MUSB_GADGET_H */
1184 +diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
1185 +index 067e5a9..53c0444 100644
1186 +--- a/drivers/usb/musb/musb_gadget_ep0.c
1187 ++++ b/drivers/usb/musb/musb_gadget_ep0.c
1188 +@@ -369,6 +369,7 @@ stall:
1189 + ctrlrequest->wIndex & 0x0f;
1190 + struct musb_ep *musb_ep;
1191 + struct musb_hw_ep *ep;
1192 ++ struct musb_request *request;
1193 + void __iomem *regs;
1194 + int is_in;
1195 + u16 csr;
1196 +@@ -411,6 +412,14 @@ stall:
1197 + csr);
1198 + }
1199 +
1200 ++ /* Maybe start the first request in the queue */
1201 ++ request = to_musb_request(
1202 ++ next_request(musb_ep));
1203 ++ if (!musb_ep->busy && request) {
1204 ++ DBG(3, "restarting the request\n");
1205 ++ musb_ep_restart(musb, request);
1206 ++ }
1207 ++
1208 + /* select ep0 again */
1209 + musb_ep_select(mbase, 0);
1210 + handled = 1;
1211 +diff --git a/fs/exec.c b/fs/exec.c
1212 +index 56da15f..a0410eb 100644
1213 +--- a/fs/exec.c
1214 ++++ b/fs/exec.c
1215 +@@ -376,6 +376,9 @@ static int count(char __user * __user * argv, int max)
1216 + argv++;
1217 + if (i++ >= max)
1218 + return -E2BIG;
1219 ++
1220 ++ if (fatal_signal_pending(current))
1221 ++ return -ERESTARTNOHAND;
1222 + cond_resched();
1223 + }
1224 + }
1225 +@@ -419,6 +422,12 @@ static int copy_strings(int argc, char __user * __user * argv,
1226 + while (len > 0) {
1227 + int offset, bytes_to_copy;
1228 +
1229 ++ if (fatal_signal_pending(current)) {
1230 ++ ret = -ERESTARTNOHAND;
1231 ++ goto out;
1232 ++ }
1233 ++ cond_resched();
1234 ++
1235 + offset = pos % PAGE_SIZE;
1236 + if (offset == 0)
1237 + offset = PAGE_SIZE;
1238 +@@ -594,6 +603,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
1239 + #else
1240 + stack_top = arch_align_stack(stack_top);
1241 + stack_top = PAGE_ALIGN(stack_top);
1242 ++
1243 ++ if (unlikely(stack_top < mmap_min_addr) ||
1244 ++ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
1245 ++ return -ENOMEM;
1246 ++
1247 + stack_shift = vma->vm_end - stack_top;
1248 +
1249 + bprm->p -= stack_shift;
1250 +diff --git a/fs/ocfs2/symlink.c b/fs/ocfs2/symlink.c
1251 +index e342103..91e656f 100644
1252 +--- a/fs/ocfs2/symlink.c
1253 ++++ b/fs/ocfs2/symlink.c
1254 +@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(struct dentry *dentry,
1255 + }
1256 +
1257 + /* Fast symlinks can't be large */
1258 +- len = strlen(target);
1259 ++ len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
1260 + link = kzalloc(len + 1, GFP_NOFS);
1261 + if (!link) {
1262 + status = -ENOMEM;
1263 +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
1264 +index 899145d..e10ef04 100644
1265 +--- a/fs/proc/task_mmu.c
1266 ++++ b/fs/proc/task_mmu.c
1267 +@@ -220,7 +220,8 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
1268 + /* We don't show the stack guard page in /proc/maps */
1269 + start = vma->vm_start;
1270 + if (vma->vm_flags & VM_GROWSDOWN)
1271 +- start += PAGE_SIZE;
1272 ++ if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
1273 ++ start += PAGE_SIZE;
1274 +
1275 + seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
1276 + start,
1277 +diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h
1278 +index 0cbdccc..3d016e9 100644
1279 +--- a/include/drm/drm_pciids.h
1280 ++++ b/include/drm/drm_pciids.h
1281 +@@ -85,7 +85,6 @@
1282 + {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
1283 + {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
1284 + {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \
1285 +- {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \
1286 + {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
1287 + {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
1288 + {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \
1289 +@@ -103,6 +102,7 @@
1290 + {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
1291 + {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
1292 + {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
1293 ++ {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \
1294 + {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \
1295 + {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \
1296 + {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \
1297 +diff --git a/include/linux/mm.h b/include/linux/mm.h
1298 +index a8d25e4..11e5be6 100644
1299 +--- a/include/linux/mm.h
1300 ++++ b/include/linux/mm.h
1301 +@@ -841,6 +841,12 @@ int set_page_dirty(struct page *page);
1302 + int set_page_dirty_lock(struct page *page);
1303 + int clear_page_dirty_for_io(struct page *page);
1304 +
1305 ++/* Is the vma a continuation of the stack vma above it? */
1306 ++static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
1307 ++{
1308 ++ return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
1309 ++}
1310 ++
1311 + extern unsigned long move_page_tables(struct vm_area_struct *vma,
1312 + unsigned long old_addr, struct vm_area_struct *new_vma,
1313 + unsigned long new_addr, unsigned long len);
1314 +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
1315 +index 67325bf..07ed684 100644
1316 +--- a/include/linux/pci_ids.h
1317 ++++ b/include/linux/pci_ids.h
1318 +@@ -393,6 +393,9 @@
1319 + #define PCI_DEVICE_ID_VLSI_82C147 0x0105
1320 + #define PCI_DEVICE_ID_VLSI_VAS96011 0x0702
1321 +
1322 ++/* AMD RD890 Chipset */
1323 ++#define PCI_DEVICE_ID_RD890_IOMMU 0x5a23
1324 ++
1325 + #define PCI_VENDOR_ID_ADL 0x1005
1326 + #define PCI_DEVICE_ID_ADL_2301 0x2301
1327 +
1328 +diff --git a/include/linux/socket.h b/include/linux/socket.h
1329 +index 3273a0c..9464cfb 100644
1330 +--- a/include/linux/socket.h
1331 ++++ b/include/linux/socket.h
1332 +@@ -304,7 +304,7 @@ extern int csum_partial_copy_fromiovecend(unsigned char *kdata,
1333 + int offset,
1334 + unsigned int len, __wsum *csump);
1335 +
1336 +-extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
1337 ++extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
1338 + extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
1339 + extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
1340 + int offset, int len);
1341 +diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
1342 +index 931a4d9..a6e9d00 100644
1343 +--- a/kernel/hrtimer.c
1344 ++++ b/kernel/hrtimer.c
1345 +@@ -920,6 +920,7 @@ static inline int
1346 + remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
1347 + {
1348 + if (hrtimer_is_queued(timer)) {
1349 ++ unsigned long state;
1350 + int reprogram;
1351 +
1352 + /*
1353 +@@ -933,8 +934,13 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
1354 + debug_deactivate(timer);
1355 + timer_stats_hrtimer_clear_start_info(timer);
1356 + reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases);
1357 +- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE,
1358 +- reprogram);
1359 ++ /*
1360 ++ * We must preserve the CALLBACK state flag here,
1361 ++ * otherwise we could move the timer base in
1362 ++ * switch_hrtimer_base.
1363 ++ */
1364 ++ state = timer->state & HRTIMER_STATE_CALLBACK;
1365 ++ __remove_hrtimer(timer, base, state, reprogram);
1366 + return 1;
1367 + }
1368 + return 0;
1369 +@@ -1221,6 +1227,9 @@ static void __run_hrtimer(struct hrtimer *timer, ktime_t *now)
1370 + BUG_ON(timer->state != HRTIMER_STATE_CALLBACK);
1371 + enqueue_hrtimer(timer, base);
1372 + }
1373 ++
1374 ++ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK));
1375 ++
1376 + timer->state &= ~HRTIMER_STATE_CALLBACK;
1377 + }
1378 +
1379 +diff --git a/kernel/sched.c b/kernel/sched.c
1380 +index 3480822..a675fd6 100644
1381 +--- a/kernel/sched.c
1382 ++++ b/kernel/sched.c
1383 +@@ -7752,10 +7752,9 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
1384 + unsigned long flags;
1385 + struct rq *rq;
1386 +
1387 +- switch (action) {
1388 ++ switch (action & ~CPU_TASKS_FROZEN) {
1389 +
1390 + case CPU_UP_PREPARE:
1391 +- case CPU_UP_PREPARE_FROZEN:
1392 + p = kthread_create(migration_thread, hcpu, "migration/%d", cpu);
1393 + if (IS_ERR(p))
1394 + return NOTIFY_BAD;
1395 +@@ -7770,7 +7769,6 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
1396 + break;
1397 +
1398 + case CPU_ONLINE:
1399 +- case CPU_ONLINE_FROZEN:
1400 + /* Strictly unnecessary, as first user will wake it. */
1401 + wake_up_process(cpu_rq(cpu)->migration_thread);
1402 +
1403 +@@ -7787,7 +7785,6 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
1404 +
1405 + #ifdef CONFIG_HOTPLUG_CPU
1406 + case CPU_UP_CANCELED:
1407 +- case CPU_UP_CANCELED_FROZEN:
1408 + if (!cpu_rq(cpu)->migration_thread)
1409 + break;
1410 + /* Unbind it from offline cpu so it can run. Fall thru. */
1411 +@@ -7812,7 +7809,6 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
1412 + break;
1413 +
1414 + case CPU_DEAD:
1415 +- case CPU_DEAD_FROZEN:
1416 + migrate_live_tasks(cpu);
1417 + rq = cpu_rq(cpu);
1418 + /* Idle task back to normal (off runqueue, low prio) */
1419 +@@ -7846,7 +7842,6 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
1420 + break;
1421 +
1422 + case CPU_DYING:
1423 +- case CPU_DYING_FROZEN:
1424 + /* Update our root-domain */
1425 + rq = cpu_rq(cpu);
1426 + spin_lock_irqsave(&rq->lock, flags);
1427 +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
1428 +index c88b21c..e749a05 100644
1429 +--- a/kernel/trace/ring_buffer.c
1430 ++++ b/kernel/trace/ring_buffer.c
1431 +@@ -389,7 +389,7 @@ static inline int test_time_stamp(u64 delta)
1432 + #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2))
1433 +
1434 + /* Max number of timestamps that can fit on a page */
1435 +-#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP)
1436 ++#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND)
1437 +
1438 + int ring_buffer_print_page_header(struct trace_seq *s)
1439 + {
1440 +diff --git a/mm/mlock.c b/mm/mlock.c
1441 +index 380ea89..2d846cf 100644
1442 +--- a/mm/mlock.c
1443 ++++ b/mm/mlock.c
1444 +@@ -138,12 +138,6 @@ void munlock_vma_page(struct page *page)
1445 + }
1446 + }
1447 +
1448 +-/* Is the vma a continuation of the stack vma above it? */
1449 +-static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
1450 +-{
1451 +- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
1452 +-}
1453 +-
1454 + static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
1455 + {
1456 + return (vma->vm_flags & VM_GROWSDOWN) &&
1457 +diff --git a/net/core/ethtool.c b/net/core/ethtool.c
1458 +index 5aef51e..450862e 100644
1459 +--- a/net/core/ethtool.c
1460 ++++ b/net/core/ethtool.c
1461 +@@ -311,7 +311,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
1462 + if (regs.len > reglen)
1463 + regs.len = reglen;
1464 +
1465 +- regbuf = kmalloc(reglen, GFP_USER);
1466 ++ regbuf = kzalloc(reglen, GFP_USER);
1467 + if (!regbuf)
1468 + return -ENOMEM;
1469 +
1470 +diff --git a/net/core/iovec.c b/net/core/iovec.c
1471 +index 16ad45d..8cee101 100644
1472 +--- a/net/core/iovec.c
1473 ++++ b/net/core/iovec.c
1474 +@@ -36,9 +36,10 @@
1475 + * in any case.
1476 + */
1477 +
1478 +-int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
1479 ++long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
1480 + {
1481 +- int size, err, ct;
1482 ++ int size, ct;
1483 ++ long err;
1484 +
1485 + if (m->msg_namelen) {
1486 + if (mode == VERIFY_READ) {
1487 +diff --git a/net/core/stream.c b/net/core/stream.c
1488 +index a37debf..e48c85f 100644
1489 +--- a/net/core/stream.c
1490 ++++ b/net/core/stream.c
1491 +@@ -140,10 +140,10 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
1492 +
1493 + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
1494 + sk->sk_write_pending++;
1495 +- sk_wait_event(sk, &current_timeo, !sk->sk_err &&
1496 +- !(sk->sk_shutdown & SEND_SHUTDOWN) &&
1497 +- sk_stream_memory_free(sk) &&
1498 +- vm_wait);
1499 ++ sk_wait_event(sk, &current_timeo, sk->sk_err ||
1500 ++ (sk->sk_shutdown & SEND_SHUTDOWN) ||
1501 ++ (sk_stream_memory_free(sk) &&
1502 ++ !vm_wait));
1503 + sk->sk_write_pending--;
1504 +
1505 + if (vm_wait) {
1506 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
1507 +index 4d50daa..2ef9026 100644
1508 +--- a/net/ipv4/ip_output.c
1509 ++++ b/net/ipv4/ip_output.c
1510 +@@ -476,9 +476,8 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1511 + * we can switch to copy when see the first bad fragment.
1512 + */
1513 + if (skb_has_frags(skb)) {
1514 +- struct sk_buff *frag;
1515 ++ struct sk_buff *frag, *frag2;
1516 + int first_len = skb_pagelen(skb);
1517 +- int truesizes = 0;
1518 +
1519 + if (first_len - hlen > mtu ||
1520 + ((first_len - hlen) & 7) ||
1521 +@@ -491,18 +490,18 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1522 + if (frag->len > mtu ||
1523 + ((frag->len & 7) && frag->next) ||
1524 + skb_headroom(frag) < hlen)
1525 +- goto slow_path;
1526 ++ goto slow_path_clean;
1527 +
1528 + /* Partially cloned skb? */
1529 + if (skb_shared(frag))
1530 +- goto slow_path;
1531 ++ goto slow_path_clean;
1532 +
1533 + BUG_ON(frag->sk);
1534 + if (skb->sk) {
1535 + frag->sk = skb->sk;
1536 + frag->destructor = sock_wfree;
1537 + }
1538 +- truesizes += frag->truesize;
1539 ++ skb->truesize -= frag->truesize;
1540 + }
1541 +
1542 + /* Everything is OK. Generate! */
1543 +@@ -512,7 +511,6 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1544 + frag = skb_shinfo(skb)->frag_list;
1545 + skb_frag_list_init(skb);
1546 + skb->data_len = first_len - skb_headlen(skb);
1547 +- skb->truesize -= truesizes;
1548 + skb->len = first_len;
1549 + iph->tot_len = htons(first_len);
1550 + iph->frag_off = htons(IP_MF);
1551 +@@ -564,6 +562,15 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1552 + }
1553 + IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
1554 + return err;
1555 ++
1556 ++slow_path_clean:
1557 ++ skb_walk_frags(skb, frag2) {
1558 ++ if (frag2 == frag)
1559 ++ break;
1560 ++ frag2->sk = NULL;
1561 ++ frag2->destructor = NULL;
1562 ++ skb->truesize += frag2->truesize;
1563 ++ }
1564 + }
1565 +
1566 + slow_path:
1567 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
1568 +index 5b1050a..6c8f6c9 100644
1569 +--- a/net/ipv4/route.c
1570 ++++ b/net/ipv4/route.c
1571 +@@ -2712,6 +2712,11 @@ slow_output:
1572 +
1573 + EXPORT_SYMBOL_GPL(__ip_route_output_key);
1574 +
1575 ++static struct dst_entry *ipv4_blackhole_dst_check(struct dst_entry *dst, u32 cookie)
1576 ++{
1577 ++ return NULL;
1578 ++}
1579 ++
1580 + static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
1581 + {
1582 + }
1583 +@@ -2720,7 +2725,7 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
1584 + .family = AF_INET,
1585 + .protocol = cpu_to_be16(ETH_P_IP),
1586 + .destroy = ipv4_dst_destroy,
1587 +- .check = ipv4_dst_check,
1588 ++ .check = ipv4_blackhole_dst_check,
1589 + .update_pmtu = ipv4_rt_blackhole_update_pmtu,
1590 + .entries = ATOMIC_INIT(0),
1591 + };
1592 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
1593 +index 108fad0..4678308 100644
1594 +--- a/net/ipv4/tcp.c
1595 ++++ b/net/ipv4/tcp.c
1596 +@@ -386,8 +386,6 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
1597 + */
1598 +
1599 + mask = 0;
1600 +- if (sk->sk_err)
1601 +- mask = POLLERR;
1602 +
1603 + /*
1604 + * POLLHUP is certainly not done right. But poll() doesn't
1605 +@@ -457,6 +455,11 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
1606 + if (tp->urg_data & TCP_URG_VALID)
1607 + mask |= POLLPRI;
1608 + }
1609 ++ /* This barrier is coupled with smp_wmb() in tcp_reset() */
1610 ++ smp_rmb();
1611 ++ if (sk->sk_err)
1612 ++ mask |= POLLERR;
1613 ++
1614 + return mask;
1615 + }
1616 +
1617 +@@ -935,7 +938,7 @@ int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
1618 + goto out_err;
1619 +
1620 + while (--iovlen >= 0) {
1621 +- int seglen = iov->iov_len;
1622 ++ size_t seglen = iov->iov_len;
1623 + unsigned char __user *from = iov->iov_base;
1624 +
1625 + iov++;
1626 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
1627 +index 2433bcd..ce1ce82 100644
1628 +--- a/net/ipv4/tcp_input.c
1629 ++++ b/net/ipv4/tcp_input.c
1630 +@@ -3969,6 +3969,8 @@ static void tcp_reset(struct sock *sk)
1631 + default:
1632 + sk->sk_err = ECONNRESET;
1633 + }
1634 ++ /* This barrier is coupled with smp_rmb() in tcp_poll() */
1635 ++ smp_wmb();
1636 +
1637 + if (!sock_flag(sk, SOCK_DEAD))
1638 + sk->sk_error_report(sk);
1639 +diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
1640 +index 74fb2eb..e3a9a65 100644
1641 +--- a/net/ipv4/xfrm4_policy.c
1642 ++++ b/net/ipv4/xfrm4_policy.c
1643 +@@ -71,7 +71,7 @@ __xfrm4_find_bundle(struct flowi *fl, struct xfrm_policy *policy)
1644 + if (xdst->u.rt.fl.oif == fl->oif && /*XXX*/
1645 + xdst->u.rt.fl.fl4_dst == fl->fl4_dst &&
1646 + xdst->u.rt.fl.fl4_src == fl->fl4_src &&
1647 +- xdst->u.rt.fl.fl4_tos == fl->fl4_tos &&
1648 ++ !((xdst->u.rt.fl.fl4_tos ^ fl->fl4_tos) & IPTOS_RT_MASK) &&
1649 + xfrm_bundle_ok(policy, xdst, fl, AF_INET, 0)) {
1650 + dst_clone(dst);
1651 + break;
1652 +@@ -83,7 +83,7 @@ __xfrm4_find_bundle(struct flowi *fl, struct xfrm_policy *policy)
1653 +
1654 + static int xfrm4_get_tos(struct flowi *fl)
1655 + {
1656 +- return fl->fl4_tos;
1657 ++ return IPTOS_RT_MASK & fl->fl4_tos; /* Strip ECN bits */
1658 + }
1659 +
1660 + static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1661 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
1662 +index cd48801..eca3ef7 100644
1663 +--- a/net/ipv6/ip6_output.c
1664 ++++ b/net/ipv6/ip6_output.c
1665 +@@ -643,7 +643,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1666 +
1667 + if (skb_has_frags(skb)) {
1668 + int first_len = skb_pagelen(skb);
1669 +- int truesizes = 0;
1670 ++ struct sk_buff *frag2;
1671 +
1672 + if (first_len - hlen > mtu ||
1673 + ((first_len - hlen) & 7) ||
1674 +@@ -655,18 +655,18 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1675 + if (frag->len > mtu ||
1676 + ((frag->len & 7) && frag->next) ||
1677 + skb_headroom(frag) < hlen)
1678 +- goto slow_path;
1679 ++ goto slow_path_clean;
1680 +
1681 + /* Partially cloned skb? */
1682 + if (skb_shared(frag))
1683 +- goto slow_path;
1684 ++ goto slow_path_clean;
1685 +
1686 + BUG_ON(frag->sk);
1687 + if (skb->sk) {
1688 + frag->sk = skb->sk;
1689 + frag->destructor = sock_wfree;
1690 +- truesizes += frag->truesize;
1691 + }
1692 ++ skb->truesize -= frag->truesize;
1693 + }
1694 +
1695 + err = 0;
1696 +@@ -697,7 +697,6 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1697 +
1698 + first_len = skb_pagelen(skb);
1699 + skb->data_len = first_len - skb_headlen(skb);
1700 +- skb->truesize -= truesizes;
1701 + skb->len = first_len;
1702 + ipv6_hdr(skb)->payload_len = htons(first_len -
1703 + sizeof(struct ipv6hdr));
1704 +@@ -760,6 +759,15 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
1705 + IPSTATS_MIB_FRAGFAILS);
1706 + dst_release(&rt->u.dst);
1707 + return err;
1708 ++
1709 ++slow_path_clean:
1710 ++ skb_walk_frags(skb, frag2) {
1711 ++ if (frag2 == frag)
1712 ++ break;
1713 ++ frag2->sk = NULL;
1714 ++ frag2->destructor = NULL;
1715 ++ skb->truesize += frag2->truesize;
1716 ++ }
1717 + }
1718 +
1719 + slow_path:
1720 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
1721 +index d6fe764..e307517 100644
1722 +--- a/net/ipv6/route.c
1723 ++++ b/net/ipv6/route.c
1724 +@@ -1561,14 +1561,13 @@ out:
1725 + * i.e. Path MTU discovery
1726 + */
1727 +
1728 +-void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
1729 +- struct net_device *dev, u32 pmtu)
1730 ++static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
1731 ++ struct net *net, u32 pmtu, int ifindex)
1732 + {
1733 + struct rt6_info *rt, *nrt;
1734 +- struct net *net = dev_net(dev);
1735 + int allfrag = 0;
1736 +
1737 +- rt = rt6_lookup(net, daddr, saddr, dev->ifindex, 0);
1738 ++ rt = rt6_lookup(net, daddr, saddr, ifindex, 0);
1739 + if (rt == NULL)
1740 + return;
1741 +
1742 +@@ -1636,6 +1635,27 @@ out:
1743 + dst_release(&rt->u.dst);
1744 + }
1745 +
1746 ++void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
1747 ++ struct net_device *dev, u32 pmtu)
1748 ++{
1749 ++ struct net *net = dev_net(dev);
1750 ++
1751 ++ /*
1752 ++ * RFC 1981 states that a node "MUST reduce the size of the packets it
1753 ++ * is sending along the path" that caused the Packet Too Big message.
1754 ++ * Since it's not possible in the general case to determine which
1755 ++ * interface was used to send the original packet, we update the MTU
1756 ++ * on the interface that will be used to send future packets. We also
1757 ++ * update the MTU on the interface that received the Packet Too Big in
1758 ++ * case the original packet was forced out that interface with
1759 ++ * SO_BINDTODEVICE or similar. This is the next best thing to the
1760 ++ * correct behaviour, which would be to update the MTU on all
1761 ++ * interfaces.
1762 ++ */
1763 ++ rt6_do_pmtu_disc(daddr, saddr, net, pmtu, 0);
1764 ++ rt6_do_pmtu_disc(daddr, saddr, net, pmtu, dev->ifindex);
1765 ++}
1766 ++
1767 + /*
1768 + * Misc support functions
1769 + */
1770 +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
1771 +index f60c0c2..519ff9d 100644
1772 +--- a/net/phonet/af_phonet.c
1773 ++++ b/net/phonet/af_phonet.c
1774 +@@ -67,6 +67,8 @@ static int pn_socket_create(struct net *net, struct socket *sock, int protocol)
1775 + struct phonet_protocol *pnp;
1776 + int err;
1777 +
1778 ++ if (!net_eq(net, &init_net))
1779 ++ return -EAFNOSUPPORT;
1780 + if (!capable(CAP_SYS_ADMIN))
1781 + return -EPERM;
1782 +
1783 +@@ -353,6 +355,8 @@ static int phonet_rcv(struct sk_buff *skb, struct net_device *dev,
1784 + struct sockaddr_pn sa;
1785 + u16 len;
1786 +
1787 ++ if (!net_eq(net, &init_net))
1788 ++ goto out;
1789 + /* check we have at least a full Phonet header */
1790 + if (!pskb_pull(skb, sizeof(struct phonethdr)))
1791 + goto out;
1792 +diff --git a/net/phonet/pep.c b/net/phonet/pep.c
1793 +index 5f32d21..9cdd35e 100644
1794 +--- a/net/phonet/pep.c
1795 ++++ b/net/phonet/pep.c
1796 +@@ -224,12 +224,13 @@ static void pipe_grant_credits(struct sock *sk)
1797 + static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
1798 + {
1799 + struct pep_sock *pn = pep_sk(sk);
1800 +- struct pnpipehdr *hdr = pnp_hdr(skb);
1801 ++ struct pnpipehdr *hdr;
1802 + int wake = 0;
1803 +
1804 + if (!pskb_may_pull(skb, sizeof(*hdr) + 4))
1805 + return -EINVAL;
1806 +
1807 ++ hdr = pnp_hdr(skb);
1808 + if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
1809 + LIMIT_NETDEBUG(KERN_DEBUG"Phonet unknown PEP type: %u\n",
1810 + (unsigned)hdr->data[0]);
1811 +diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
1812 +index 5f42f30..5a2275c 100644
1813 +--- a/net/phonet/pn_dev.c
1814 ++++ b/net/phonet/pn_dev.c
1815 +@@ -246,7 +246,11 @@ static struct notifier_block phonet_device_notifier = {
1816 + /* Per-namespace Phonet devices handling */
1817 + static int phonet_init_net(struct net *net)
1818 + {
1819 +- struct phonet_net *pnn = kmalloc(sizeof(*pnn), GFP_KERNEL);
1820 ++ struct phonet_net *pnn;
1821 ++
1822 ++ if (!net_eq(net, &init_net))
1823 ++ return 0;
1824 ++ pnn = kmalloc(sizeof(*pnn), GFP_KERNEL);
1825 + if (!pnn)
1826 + return -ENOMEM;
1827 +
1828 +@@ -263,9 +267,13 @@ static int phonet_init_net(struct net *net)
1829 +
1830 + static void phonet_exit_net(struct net *net)
1831 + {
1832 +- struct phonet_net *pnn = net_generic(net, phonet_net_id);
1833 ++ struct phonet_net *pnn;
1834 + struct net_device *dev;
1835 +
1836 ++ if (!net_eq(net, &init_net))
1837 ++ return;
1838 ++ pnn = net_generic(net, phonet_net_id);
1839 ++
1840 + rtnl_lock();
1841 + for_each_netdev(net, dev)
1842 + phonet_device_destroy(dev);
1843 +diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
1844 +index d21fd35..7acab1e 100644
1845 +--- a/net/phonet/pn_netlink.c
1846 ++++ b/net/phonet/pn_netlink.c
1847 +@@ -68,6 +68,8 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr)
1848 + int err;
1849 + u8 pnaddr;
1850 +
1851 ++ if (!net_eq(net, &init_net))
1852 ++ return -EOPNOTSUPP;
1853 + if (!capable(CAP_SYS_ADMIN))
1854 + return -EPERM;
1855 +
1856 +@@ -124,12 +126,16 @@ nla_put_failure:
1857 +
1858 + static int getaddr_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
1859 + {
1860 ++ struct net *net = sock_net(skb->sk);
1861 + struct phonet_device_list *pndevs;
1862 + struct phonet_device *pnd;
1863 + int dev_idx = 0, dev_start_idx = cb->args[0];
1864 + int addr_idx = 0, addr_start_idx = cb->args[1];
1865 +
1866 +- pndevs = phonet_device_list(sock_net(skb->sk));
1867 ++ if (!net_eq(net, &init_net))
1868 ++ goto skip;
1869 ++
1870 ++ pndevs = phonet_device_list(net);
1871 + spin_lock_bh(&pndevs->lock);
1872 + list_for_each_entry(pnd, &pndevs->list, list) {
1873 + u8 addr;
1874 +@@ -154,6 +160,7 @@ static int getaddr_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
1875 +
1876 + out:
1877 + spin_unlock_bh(&pndevs->lock);
1878 ++skip:
1879 + cb->args[0] = dev_idx;
1880 + cb->args[1] = addr_idx;
1881 +
1882 +diff --git a/net/rds/page.c b/net/rds/page.c
1883 +index 3679012..b442a48 100644
1884 +--- a/net/rds/page.c
1885 ++++ b/net/rds/page.c
1886 +@@ -56,30 +56,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset,
1887 + unsigned long ret;
1888 + void *addr;
1889 +
1890 +- if (to_user)
1891 ++ addr = kmap(page);
1892 ++ if (to_user) {
1893 + rds_stats_add(s_copy_to_user, bytes);
1894 +- else
1895 ++ ret = copy_to_user(ptr, addr + offset, bytes);
1896 ++ } else {
1897 + rds_stats_add(s_copy_from_user, bytes);
1898 +-
1899 +- addr = kmap_atomic(page, KM_USER0);
1900 +- if (to_user)
1901 +- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
1902 +- else
1903 +- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
1904 +- kunmap_atomic(addr, KM_USER0);
1905 +-
1906 +- if (ret) {
1907 +- addr = kmap(page);
1908 +- if (to_user)
1909 +- ret = copy_to_user(ptr, addr + offset, bytes);
1910 +- else
1911 +- ret = copy_from_user(addr + offset, ptr, bytes);
1912 +- kunmap(page);
1913 +- if (ret)
1914 +- return -EFAULT;
1915 ++ ret = copy_from_user(addr + offset, ptr, bytes);
1916 + }
1917 ++ kunmap(page);
1918 +
1919 +- return 0;
1920 ++ return ret ? -EFAULT : 0;
1921 + }
1922 + EXPORT_SYMBOL_GPL(rds_page_copy_user);
1923 +
1924 +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
1925 +index 502cce7..7d188bc 100644
1926 +--- a/net/rose/af_rose.c
1927 ++++ b/net/rose/af_rose.c
1928 +@@ -677,7 +677,7 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
1929 + if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
1930 + return -EINVAL;
1931 +
1932 +- if (addr->srose_ndigis > ROSE_MAX_DIGIS)
1933 ++ if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
1934 + return -EINVAL;
1935 +
1936 + if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
1937 +@@ -737,7 +737,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
1938 + if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
1939 + return -EINVAL;
1940 +
1941 +- if (addr->srose_ndigis > ROSE_MAX_DIGIS)
1942 ++ if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
1943 + return -EINVAL;
1944 +
1945 + /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
1946 +diff --git a/net/wireless/wext.c b/net/wireless/wext.c
1947 +index fddcf9c..a2e4c60 100644
1948 +--- a/net/wireless/wext.c
1949 ++++ b/net/wireless/wext.c
1950 +@@ -1029,7 +1029,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd,
1951 + } else if (!iwp->pointer)
1952 + return -EFAULT;
1953 +
1954 +- extra = kmalloc(extra_size, GFP_KERNEL);
1955 ++ extra = kzalloc(extra_size, GFP_KERNEL);
1956 + if (!extra)
1957 + return -ENOMEM;
1958 +
1959 +diff --git a/sound/core/control.c b/sound/core/control.c
1960 +index a8b7fab..7834a54 100644
1961 +--- a/sound/core/control.c
1962 ++++ b/sound/core/control.c
1963 +@@ -31,6 +31,7 @@
1964 +
1965 + /* max number of user-defined controls */
1966 + #define MAX_USER_CONTROLS 32
1967 ++#define MAX_CONTROL_COUNT 1028
1968 +
1969 + struct snd_kctl_ioctl {
1970 + struct list_head list; /* list of all ioctls */
1971 +@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
1972 +
1973 + if (snd_BUG_ON(!control || !control->count))
1974 + return NULL;
1975 ++
1976 ++ if (control->count > MAX_CONTROL_COUNT)
1977 ++ return NULL;
1978 ++
1979 + kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
1980 + if (kctl == NULL) {
1981 + snd_printk(KERN_ERR "Cannot allocate control instance\n");
1982 +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
1983 +index 70d6f25..e4c12a1 100644
1984 +--- a/sound/core/rawmidi.c
1985 ++++ b/sound/core/rawmidi.c
1986 +@@ -530,13 +530,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file)
1987 + {
1988 + struct snd_rawmidi_file *rfile;
1989 + struct snd_rawmidi *rmidi;
1990 ++ struct module *module;
1991 +
1992 + rfile = file->private_data;
1993 + rmidi = rfile->rmidi;
1994 + rawmidi_release_priv(rfile);
1995 + kfree(rfile);
1996 ++ module = rmidi->card->module;
1997 + snd_card_file_remove(rmidi->card, file);
1998 +- module_put(rmidi->card->module);
1999 ++ module_put(module);
2000 + return 0;
2001 + }
2002 +
2003 +diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c
2004 +index bd0794e..3736bc4 100644
2005 +--- a/sound/pci/hda/patch_analog.c
2006 ++++ b/sound/pci/hda/patch_analog.c
2007 +@@ -3510,6 +3510,7 @@ static struct snd_pci_quirk ad1984_cfg_tbl[] = {
2008 + /* Lenovo Thinkpad T61/X61 */
2009 + SND_PCI_QUIRK_VENDOR(0x17aa, "Lenovo Thinkpad", AD1984_THINKPAD),
2010 + SND_PCI_QUIRK(0x1028, 0x0214, "Dell T3400", AD1984_DELL_DESKTOP),
2011 ++ SND_PCI_QUIRK(0x1028, 0x0233, "Dell Latitude E6400", AD1984_DELL_DESKTOP),
2012 + {}
2013 + };
2014 +
2015 +diff --git a/sound/pci/oxygen/oxygen.c b/sound/pci/oxygen/oxygen.c
2016 +index 72db4c3..6811433 100644
2017 +--- a/sound/pci/oxygen/oxygen.c
2018 ++++ b/sound/pci/oxygen/oxygen.c
2019 +@@ -393,6 +393,10 @@ static int __devinit get_oxygen_model(struct oxygen *chip,
2020 + chip->model.suspend = claro_suspend;
2021 + chip->model.resume = claro_resume;
2022 + chip->model.set_adc_params = set_ak5385_params;
2023 ++ chip->model.device_config = PLAYBACK_0_TO_I2S |
2024 ++ PLAYBACK_1_TO_SPDIF |
2025 ++ CAPTURE_0_FROM_I2S_2 |
2026 ++ CAPTURE_1_FROM_SPDIF;
2027 + break;
2028 + }
2029 + if (id->driver_data == MODEL_MERIDIAN ||
2030 +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
2031 +index 7bb827c..401518c 100644
2032 +--- a/sound/pci/rme9652/hdsp.c
2033 ++++ b/sound/pci/rme9652/hdsp.c
2034 +@@ -4610,6 +4610,7 @@ static int snd_hdsp_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigne
2035 + if (err < 0)
2036 + return err;
2037 +
2038 ++ memset(&info, 0, sizeof(info));
2039 + spin_lock_irqsave(&hdsp->lock, flags);
2040 + info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
2041 + info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
2042 +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
2043 +index 0dce331..ec2125c 100644
2044 +--- a/sound/pci/rme9652/hdspm.c
2045 ++++ b/sound/pci/rme9652/hdspm.c
2046 +@@ -4127,6 +4127,7 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep * hw, struct file *file,
2047 +
2048 + case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
2049 +
2050 ++ memset(&info, 0, sizeof(info));
2051 + spin_lock_irq(&hdspm->lock);
2052 + info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
2053 + info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
2054
2055 Deleted: genpatches-2.6/trunk/2.6.32/1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch
2056 ===================================================================
2057 --- genpatches-2.6/trunk/2.6.32/1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch 2010-10-21 20:47:49 UTC (rev 1816)
2058 +++ genpatches-2.6/trunk/2.6.32/1500_CVE-2010-3904-RDS-Priv-Escal-fix.patch 2010-10-31 22:36:53 UTC (rev 1817)
2059 @@ -1,41 +0,0 @@
2060 ---- a/net/rds/page.c 2010-10-19 16:40:45.060591205 -0400
2061 -+++ b/net/rds/page.c 2010-10-19 16:46:14.119044215 -0400
2062 -@@ -57,30 +57,18 @@ int rds_page_copy_user(struct page *page
2063 - unsigned long ret;
2064 - void *addr;
2065 -
2066 -- if (to_user)
2067 -+ addr = kmap(page);
2068 -+ if (to_user) {
2069 - rds_stats_add(s_copy_to_user, bytes);
2070 -- else
2071 -+ ret = copy_to_user(ptr, addr + offset, bytes);
2072 -+ } else {
2073 - rds_stats_add(s_copy_from_user, bytes);
2074 --
2075 -- addr = kmap_atomic(page, KM_USER0);
2076 -- if (to_user)
2077 -- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
2078 -- else
2079 -- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
2080 -- kunmap_atomic(addr, KM_USER0);
2081 --
2082 -- if (ret) {
2083 -- addr = kmap(page);
2084 -- if (to_user)
2085 -- ret = copy_to_user(ptr, addr + offset, bytes);
2086 -- else
2087 -- ret = copy_from_user(addr + offset, ptr, bytes);
2088 -- kunmap(page);
2089 -- if (ret)
2090 -- return -EFAULT;
2091 -+ ret = copy_from_user(addr + offset, ptr, bytes);
2092 - }
2093 -
2094 -- return 0;
2095 -+ kunmap(page);
2096 -+
2097 -+ return ret ? -EFAULT : 0;
2098 - }
2099 - EXPORT_SYMBOL_GPL(rds_page_copy_user);
2100 -
Report Message
Find on MARC Find on Google Groups