Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.2/, 2.6.32/, 3.2.4/
Date: Sun, 05 Feb 2012 16:22:05
Message-Id: cb29449ba86b1b7d605c9b24417178739547505b.blueness@gentoo
1 commit: cb29449ba86b1b7d605c9b24417178739547505b
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sun Feb 5 16:21:29 2012 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 5 16:21:29 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=cb29449b
7
8 Grsec/PaX: 2.2.2-2.6.32.56-201202032051 + 2.2.2-3.2.4-201202032052
9
10 ---
11 2.6.32/0000_README | 6 +-
12 2.6.32/1055_linux-2.6.32.56.patch | 716 +++
13 ..._grsecurity-2.2.2-2.6.32.56-201202032051.patch} | 620 +--
14 2.6.32/4425_grsec-pax-without-grsec.patch | 6 +-
15 2.6.32/4430_grsec-kconfig-default-gids.patch | 14 +-
16 2.6.32/4435_grsec-kconfig-gentoo.patch | 4 +-
17 2.6.32/4437-grsec-kconfig-proc-user.patch | 4 +-
18 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 2 +-
19 3.2.2/1001_linux-3.2.2.patch | 6552 --------------------
20 {3.2.2 => 3.2.4}/0000_README | 10 +-
21 3.2.4/1002_linux-3.2.3.patch | 3760 +++++++++++
22 3.2.4/1003_linux-3.2.4.patch | 40 +
23 .../4420_grsecurity-2.2.2-3.2.4-201202032052.patch | 996 ++--
24 .../4421_grsec-remove-localversion-grsec.patch | 0
25 {3.2.2 => 3.2.4}/4422_grsec-mute-warnings.patch | 0
26 .../4423_grsec-remove-protected-paths.patch | 0
27 .../4425_grsec-pax-without-grsec.patch | 0
28 .../4430_grsec-kconfig-default-gids.patch | 12 +-
29 {3.2.2 => 3.2.4}/4435_grsec-kconfig-gentoo.patch | 2 +-
30 .../4437-grsec-kconfig-proc-user.patch | 0
31 .../4440_selinux-avc_audit-log-curr_ip.patch | 2 +-
32 {3.2.2 => 3.2.4}/4445_disable-compat_vdso.patch | 0
33 22 files changed, 5254 insertions(+), 7492 deletions(-)
34
35 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
36 index c4e9b3d..f0c7190 100644
37 --- a/2.6.32/0000_README
38 +++ b/2.6.32/0000_README
39 @@ -14,7 +14,11 @@ Patch: 1054_linux-2.6.32.55.patch
40 From: http://www.kernel.org
41 Desc: Linux 2.6.32.55
42
43 -Patch: 4420_grsecurity-2.2.2-2.6.32.55-201201272054.patch
44 +Patch: 1055_linux-2.6.32.56.patch
45 +From: http://www.kernel.org
46 +Desc: Linux 2.6.32.56
47 +
48 +Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
49 From: http://www.grsecurity.net
50 Desc: hardened-sources base patch from upstream grsecurity
51
52
53 diff --git a/2.6.32/1055_linux-2.6.32.56.patch b/2.6.32/1055_linux-2.6.32.56.patch
54 new file mode 100644
55 index 0000000..53aba88
56 --- /dev/null
57 +++ b/2.6.32/1055_linux-2.6.32.56.patch
58 @@ -0,0 +1,716 @@
59 +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
60 +index 114ee29..2be0a97 100644
61 +--- a/block/scsi_ioctl.c
62 ++++ b/block/scsi_ioctl.c
63 +@@ -24,6 +24,7 @@
64 + #include <linux/capability.h>
65 + #include <linux/completion.h>
66 + #include <linux/cdrom.h>
67 ++#include <linux/ratelimit.h>
68 + #include <linux/slab.h>
69 + #include <linux/times.h>
70 + #include <asm/uaccess.h>
71 +@@ -689,9 +690,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
72 + }
73 + EXPORT_SYMBOL(scsi_cmd_ioctl);
74 +
75 ++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
76 ++{
77 ++ if (bd && bd == bd->bd_contains)
78 ++ return 0;
79 ++
80 ++ /* Actually none of these is particularly useful on a partition,
81 ++ * but they are safe.
82 ++ */
83 ++ switch (cmd) {
84 ++ case SCSI_IOCTL_GET_IDLUN:
85 ++ case SCSI_IOCTL_GET_BUS_NUMBER:
86 ++ case SCSI_IOCTL_GET_PCI:
87 ++ case SCSI_IOCTL_PROBE_HOST:
88 ++ case SG_GET_VERSION_NUM:
89 ++ case SG_SET_TIMEOUT:
90 ++ case SG_GET_TIMEOUT:
91 ++ case SG_GET_RESERVED_SIZE:
92 ++ case SG_SET_RESERVED_SIZE:
93 ++ case SG_EMULATED_HOST:
94 ++ return 0;
95 ++ case CDROM_GET_CAPABILITY:
96 ++ /* Keep this until we remove the printk below. udev sends it
97 ++ * and we do not want to spam dmesg about it. CD-ROMs do
98 ++ * not have partitions, so we get here only for disks.
99 ++ */
100 ++ return -ENOTTY;
101 ++ default:
102 ++ break;
103 ++ }
104 ++
105 ++ /* In particular, rule out all resets and host-specific ioctls. */
106 ++ printk_ratelimited(KERN_WARNING
107 ++ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
108 ++
109 ++ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
110 ++}
111 ++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
112 ++
113 + int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
114 + unsigned int cmd, void __user *arg)
115 + {
116 ++ int ret;
117 ++
118 ++ ret = scsi_verify_blk_ioctl(bd, cmd);
119 ++ if (ret < 0)
120 ++ return ret;
121 ++
122 + return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
123 + }
124 + EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
125 +diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
126 +index 9ed9f60..88f160b 100644
127 +--- a/crypto/sha512_generic.c
128 ++++ b/crypto/sha512_generic.c
129 +@@ -21,8 +21,6 @@
130 + #include <linux/percpu.h>
131 + #include <asm/byteorder.h>
132 +
133 +-static DEFINE_PER_CPU(u64[80], msg_schedule);
134 +-
135 + static inline u64 Ch(u64 x, u64 y, u64 z)
136 + {
137 + return z ^ (x & (y ^ z));
138 +@@ -80,7 +78,7 @@ static inline void LOAD_OP(int I, u64 *W, const u8 *input)
139 +
140 + static inline void BLEND_OP(int I, u64 *W)
141 + {
142 +- W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
143 ++ W[I % 16] += s1(W[(I-2) % 16]) + W[(I-7) % 16] + s0(W[(I-15) % 16]);
144 + }
145 +
146 + static void
147 +@@ -89,38 +87,48 @@ sha512_transform(u64 *state, const u8 *input)
148 + u64 a, b, c, d, e, f, g, h, t1, t2;
149 +
150 + int i;
151 +- u64 *W = get_cpu_var(msg_schedule);
152 ++ u64 W[16];
153 +
154 + /* load the input */
155 + for (i = 0; i < 16; i++)
156 + LOAD_OP(i, W, input);
157 +
158 +- for (i = 16; i < 80; i++) {
159 +- BLEND_OP(i, W);
160 +- }
161 +-
162 + /* load the state into our registers */
163 + a=state[0]; b=state[1]; c=state[2]; d=state[3];
164 + e=state[4]; f=state[5]; g=state[6]; h=state[7];
165 +
166 +- /* now iterate */
167 +- for (i=0; i<80; i+=8) {
168 +- t1 = h + e1(e) + Ch(e,f,g) + sha512_K[i ] + W[i ];
169 +- t2 = e0(a) + Maj(a,b,c); d+=t1; h=t1+t2;
170 +- t1 = g + e1(d) + Ch(d,e,f) + sha512_K[i+1] + W[i+1];
171 +- t2 = e0(h) + Maj(h,a,b); c+=t1; g=t1+t2;
172 +- t1 = f + e1(c) + Ch(c,d,e) + sha512_K[i+2] + W[i+2];
173 +- t2 = e0(g) + Maj(g,h,a); b+=t1; f=t1+t2;
174 +- t1 = e + e1(b) + Ch(b,c,d) + sha512_K[i+3] + W[i+3];
175 +- t2 = e0(f) + Maj(f,g,h); a+=t1; e=t1+t2;
176 +- t1 = d + e1(a) + Ch(a,b,c) + sha512_K[i+4] + W[i+4];
177 +- t2 = e0(e) + Maj(e,f,g); h+=t1; d=t1+t2;
178 +- t1 = c + e1(h) + Ch(h,a,b) + sha512_K[i+5] + W[i+5];
179 +- t2 = e0(d) + Maj(d,e,f); g+=t1; c=t1+t2;
180 +- t1 = b + e1(g) + Ch(g,h,a) + sha512_K[i+6] + W[i+6];
181 +- t2 = e0(c) + Maj(c,d,e); f+=t1; b=t1+t2;
182 +- t1 = a + e1(f) + Ch(f,g,h) + sha512_K[i+7] + W[i+7];
183 +- t2 = e0(b) + Maj(b,c,d); e+=t1; a=t1+t2;
184 ++#define SHA512_0_15(i, a, b, c, d, e, f, g, h) \
185 ++ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[i]; \
186 ++ t2 = e0(a) + Maj(a, b, c); \
187 ++ d += t1; \
188 ++ h = t1 + t2
189 ++
190 ++#define SHA512_16_79(i, a, b, c, d, e, f, g, h) \
191 ++ BLEND_OP(i, W); \
192 ++ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[(i)%16]; \
193 ++ t2 = e0(a) + Maj(a, b, c); \
194 ++ d += t1; \
195 ++ h = t1 + t2
196 ++
197 ++ for (i = 0; i < 16; i += 8) {
198 ++ SHA512_0_15(i, a, b, c, d, e, f, g, h);
199 ++ SHA512_0_15(i + 1, h, a, b, c, d, e, f, g);
200 ++ SHA512_0_15(i + 2, g, h, a, b, c, d, e, f);
201 ++ SHA512_0_15(i + 3, f, g, h, a, b, c, d, e);
202 ++ SHA512_0_15(i + 4, e, f, g, h, a, b, c, d);
203 ++ SHA512_0_15(i + 5, d, e, f, g, h, a, b, c);
204 ++ SHA512_0_15(i + 6, c, d, e, f, g, h, a, b);
205 ++ SHA512_0_15(i + 7, b, c, d, e, f, g, h, a);
206 ++ }
207 ++ for (i = 16; i < 80; i += 8) {
208 ++ SHA512_16_79(i, a, b, c, d, e, f, g, h);
209 ++ SHA512_16_79(i + 1, h, a, b, c, d, e, f, g);
210 ++ SHA512_16_79(i + 2, g, h, a, b, c, d, e, f);
211 ++ SHA512_16_79(i + 3, f, g, h, a, b, c, d, e);
212 ++ SHA512_16_79(i + 4, e, f, g, h, a, b, c, d);
213 ++ SHA512_16_79(i + 5, d, e, f, g, h, a, b, c);
214 ++ SHA512_16_79(i + 6, c, d, e, f, g, h, a, b);
215 ++ SHA512_16_79(i + 7, b, c, d, e, f, g, h, a);
216 + }
217 +
218 + state[0] += a; state[1] += b; state[2] += c; state[3] += d;
219 +@@ -128,8 +136,6 @@ sha512_transform(u64 *state, const u8 *input)
220 +
221 + /* erase our data */
222 + a = b = c = d = e = f = g = h = t1 = t2 = 0;
223 +- memset(W, 0, sizeof(__get_cpu_var(msg_schedule)));
224 +- put_cpu_var(msg_schedule);
225 + }
226 +
227 + static int
228 +diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
229 +index 932b5aa..d676d49 100644
230 +--- a/drivers/gpu/drm/drm_auth.c
231 ++++ b/drivers/gpu/drm/drm_auth.c
232 +@@ -102,7 +102,7 @@ static int drm_add_magic(struct drm_master *master, struct drm_file *priv,
233 + * Searches and unlinks the entry in drm_device::magiclist with the magic
234 + * number hash key, while holding the drm_device::struct_mutex lock.
235 + */
236 +-static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
237 ++int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
238 + {
239 + struct drm_magic_entry *pt;
240 + struct drm_hash_item *hash;
241 +@@ -137,6 +137,8 @@ static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
242 + * If there is a magic number in drm_file::magic then use it, otherwise
243 + * searches an unique non-zero magic number and add it associating it with \p
244 + * file_priv.
245 ++ * This ioctl needs protection by the drm_global_mutex, which protects
246 ++ * struct drm_file::magic and struct drm_magic_entry::priv.
247 + */
248 + int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
249 + {
250 +@@ -174,6 +176,8 @@ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
251 + * \return zero if authentication successed, or a negative number otherwise.
252 + *
253 + * Checks if \p file_priv is associated with the magic number passed in \arg.
254 ++ * This ioctl needs protection by the drm_global_mutex, which protects
255 ++ * struct drm_file::magic and struct drm_magic_entry::priv.
256 + */
257 + int drm_authmagic(struct drm_device *dev, void *data,
258 + struct drm_file *file_priv)
259 +diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
260 +index ba14553..519161e 100644
261 +--- a/drivers/gpu/drm/drm_fops.c
262 ++++ b/drivers/gpu/drm/drm_fops.c
263 +@@ -449,6 +449,11 @@ int drm_release(struct inode *inode, struct file *filp)
264 + (long)old_encode_dev(file_priv->minor->device),
265 + dev->open_count);
266 +
267 ++ /* Release any auth tokens that might point to this file_priv,
268 ++ (do that under the drm_global_mutex) */
269 ++ if (file_priv->magic)
270 ++ (void) drm_remove_magic(file_priv->master, file_priv->magic);
271 ++
272 + /* if the master has gone away we can't do anything with the lock */
273 + if (file_priv->minor->master)
274 + drm_master_release(dev, filp);
275 +diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c
276 +index 525a00b..15645ab 100644
277 +--- a/drivers/hwmon/f71805f.c
278 ++++ b/drivers/hwmon/f71805f.c
279 +@@ -281,11 +281,11 @@ static inline long temp_from_reg(u8 reg)
280 +
281 + static inline u8 temp_to_reg(long val)
282 + {
283 +- if (val < 0)
284 +- val = 0;
285 +- else if (val > 1000 * 0xff)
286 +- val = 0xff;
287 +- return ((val + 500) / 1000);
288 ++ if (val <= 0)
289 ++ return 0;
290 ++ if (val >= 1000 * 0xff)
291 ++ return 0xff;
292 ++ return (val + 500) / 1000;
293 + }
294 +
295 + /*
296 +diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
297 +index 2040507..740785e 100644
298 +--- a/drivers/hwmon/sht15.c
299 ++++ b/drivers/hwmon/sht15.c
300 +@@ -515,7 +515,7 @@ static int sht15_invalidate_voltage(struct notifier_block *nb,
301 +
302 + static int __devinit sht15_probe(struct platform_device *pdev)
303 + {
304 +- int ret = 0;
305 ++ int ret;
306 + struct sht15_data *data = kzalloc(sizeof(*data), GFP_KERNEL);
307 +
308 + if (!data) {
309 +@@ -532,6 +532,7 @@ static int __devinit sht15_probe(struct platform_device *pdev)
310 + init_waitqueue_head(&data->wait_queue);
311 +
312 + if (pdev->dev.platform_data == NULL) {
313 ++ ret = -EINVAL;
314 + dev_err(&pdev->dev, "no platform data supplied");
315 + goto err_free_data;
316 + }
317 +diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
318 +index 82f7d6e..7ab302d 100644
319 +--- a/drivers/md/dm-linear.c
320 ++++ b/drivers/md/dm-linear.c
321 +@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
322 + unsigned long arg)
323 + {
324 + struct linear_c *lc = (struct linear_c *) ti->private;
325 +- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
326 ++ struct dm_dev *dev = lc->dev;
327 ++ int r = 0;
328 ++
329 ++ /*
330 ++ * Only pass ioctls through if the device sizes match exactly.
331 ++ */
332 ++ if (lc->start ||
333 ++ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
334 ++ r = scsi_verify_blk_ioctl(NULL, cmd);
335 ++
336 ++ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
337 + }
338 +
339 + static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
340 +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
341 +index b03cd39..4ec5fe2 100644
342 +--- a/drivers/md/dm-mpath.c
343 ++++ b/drivers/md/dm-mpath.c
344 +@@ -1464,6 +1464,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
345 +
346 + spin_unlock_irqrestore(&m->lock, flags);
347 +
348 ++ /*
349 ++ * Only pass ioctls through if the device sizes match exactly.
350 ++ */
351 ++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
352 ++ r = scsi_verify_blk_ioctl(NULL, cmd);
353 ++
354 + return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
355 + }
356 +
357 +diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
358 +index 68d800f..705a589 100644
359 +--- a/drivers/mmc/host/mmci.c
360 ++++ b/drivers/mmc/host/mmci.c
361 +@@ -232,12 +232,8 @@ mmci_cmd_irq(struct mmci_host *host, struct mmc_command *cmd,
362 + }
363 +
364 + if (!cmd->data || cmd->error) {
365 +- if (host->data) {
366 +- /* Terminate the DMA transfer */
367 +- if (dma_inprogress(host))
368 +- mmci_dma_data_error(host);
369 ++ if (host->data)
370 + mmci_stop_data(host);
371 +- }
372 + mmci_request_end(host, cmd->mrq);
373 + } else if (!(cmd->data->flags & MMC_DATA_READ)) {
374 + mmci_start_data(host, cmd->data);
375 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
376 +index 2dd1b73..a5b55fe 100644
377 +--- a/drivers/scsi/sd.c
378 ++++ b/drivers/scsi/sd.c
379 +@@ -817,6 +817,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
380 + SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
381 + disk->disk_name, cmd));
382 +
383 ++ error = scsi_verify_blk_ioctl(bdev, cmd);
384 ++ if (error < 0)
385 ++ return error;
386 ++
387 + /*
388 + * If we are in the middle of error recovery, don't let anyone
389 + * else try and use this device. Also, if error recovery fails, it
390 +@@ -996,6 +1000,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
391 + unsigned int cmd, unsigned long arg)
392 + {
393 + struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
394 ++ int ret;
395 ++
396 ++ ret = scsi_verify_blk_ioctl(bdev, cmd);
397 ++ if (ret < 0)
398 ++ return -ENOIOCTLCMD;
399 +
400 + /*
401 + * If we are in the middle of error recovery, don't let anyone
402 +@@ -1007,8 +1016,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
403 + return -ENODEV;
404 +
405 + if (sdev->host->hostt->compat_ioctl) {
406 +- int ret;
407 +-
408 + ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
409 +
410 + return ret;
411 +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
412 +index 696ca75f..d71514b 100644
413 +--- a/drivers/usb/class/cdc-wdm.c
414 ++++ b/drivers/usb/class/cdc-wdm.c
415 +@@ -458,7 +458,9 @@ retry:
416 + for (i = 0; i < desc->length - cntr; i++)
417 + desc->ubuf[i] = desc->ubuf[i + cntr];
418 +
419 ++ spin_lock_irq(&desc->iuspin);
420 + desc->length -= cntr;
421 ++ spin_unlock_irq(&desc->iuspin);
422 + /* in case we had outstanding data */
423 + if (!desc->length)
424 + clear_bit(WDM_READ, &desc->flags);
425 +diff --git a/drivers/usb/misc/usbsevseg.c b/drivers/usb/misc/usbsevseg.c
426 +index cd8726c..6bc0bf3 100644
427 +--- a/drivers/usb/misc/usbsevseg.c
428 ++++ b/drivers/usb/misc/usbsevseg.c
429 +@@ -24,7 +24,7 @@
430 +
431 + #define VENDOR_ID 0x0fc5
432 + #define PRODUCT_ID 0x1227
433 +-#define MAXLEN 6
434 ++#define MAXLEN 8
435 +
436 + /* table of devices that work with this driver */
437 + static struct usb_device_id id_table[] = {
438 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
439 +index 8dcaf42..bb16725 100644
440 +--- a/drivers/usb/serial/cp210x.c
441 ++++ b/drivers/usb/serial/cp210x.c
442 +@@ -140,6 +140,7 @@ static struct usb_device_id id_table [] = {
443 + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
444 + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
445 + { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
446 ++ { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
447 + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
448 + { } /* Terminating Entry */
449 + };
450 +@@ -360,8 +361,8 @@ static inline int cp210x_set_config_single(struct usb_serial_port *port,
451 + * Quantises the baud rate as per AN205 Table 1
452 + */
453 + static unsigned int cp210x_quantise_baudrate(unsigned int baud) {
454 +- if (baud <= 56) baud = 0;
455 +- else if (baud <= 300) baud = 300;
456 ++ if (baud <= 300)
457 ++ baud = 300;
458 + else if (baud <= 600) baud = 600;
459 + else if (baud <= 1200) baud = 1200;
460 + else if (baud <= 1800) baud = 1800;
461 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
462 +index 5ce2cb9..85d630e 100644
463 +--- a/drivers/usb/serial/ftdi_sio.c
464 ++++ b/drivers/usb/serial/ftdi_sio.c
465 +@@ -798,6 +798,7 @@ static struct usb_device_id id_table_combined [] = {
466 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
467 + { USB_DEVICE(ADI_VID, ADI_GNICEPLUS_PID),
468 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
469 ++ { USB_DEVICE(HORNBY_VID, HORNBY_ELITE_PID) },
470 + { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
471 + { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
472 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
473 +@@ -806,6 +807,8 @@ static struct usb_device_id id_table_combined [] = {
474 + { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
475 + { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
476 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
477 ++ { USB_DEVICE(FTDI_VID, TI_XDS100V2_PID),
478 ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
479 + { USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) },
480 + { USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) },
481 + { USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) },
482 +@@ -842,6 +845,7 @@ static struct usb_device_id id_table_combined [] = {
483 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
484 + { USB_DEVICE(ST_VID, ST_STMCLT1030_PID),
485 + .driver_info = (kernel_ulong_t)&ftdi_stmclite_quirk },
486 ++ { USB_DEVICE(FTDI_VID, FTDI_RF_R106) },
487 + { }, /* Optional parameter entry */
488 + { } /* Terminating entry */
489 + };
490 +@@ -1351,8 +1355,7 @@ static int set_serial_info(struct tty_struct *tty,
491 + goto check_and_exit;
492 + }
493 +
494 +- if ((new_serial.baud_base != priv->baud_base) &&
495 +- (new_serial.baud_base < 9600)) {
496 ++ if (new_serial.baud_base != priv->baud_base) {
497 + unlock_kernel();
498 + return -EINVAL;
499 + }
500 +@@ -1865,6 +1868,7 @@ static int ftdi_submit_read_urb(struct usb_serial_port *port, gfp_t mem_flags)
501 +
502 + static int ftdi_open(struct tty_struct *tty, struct usb_serial_port *port)
503 + { /* ftdi_open */
504 ++ struct ktermios dummy;
505 + struct usb_device *dev = port->serial->dev;
506 + struct ftdi_private *priv = usb_get_serial_port_data(port);
507 + unsigned long flags;
508 +@@ -1892,8 +1896,10 @@ static int ftdi_open(struct tty_struct *tty, struct usb_serial_port *port)
509 + This is same behaviour as serial.c/rs_open() - Kuba */
510 +
511 + /* ftdi_set_termios will send usb control messages */
512 +- if (tty)
513 +- ftdi_set_termios(tty, port, tty->termios);
514 ++ if (tty) {
515 ++ memset(&dummy, 0, sizeof(dummy));
516 ++ ftdi_set_termios(tty, port, &dummy);
517 ++ }
518 +
519 + /* Not throttled */
520 + spin_lock_irqsave(&port->lock, flags);
521 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
522 +index 8ce1bcb..212fc41 100644
523 +--- a/drivers/usb/serial/ftdi_sio_ids.h
524 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
525 +@@ -38,6 +38,13 @@
526 + /* www.candapter.com Ewert Energy Systems CANdapter device */
527 + #define FTDI_CANDAPTER_PID 0x9F80 /* Product Id */
528 +
529 ++/*
530 ++ * Texas Instruments XDS100v2 JTAG / BeagleBone A3
531 ++ * http://processors.wiki.ti.com/index.php/XDS100
532 ++ * http://beagleboard.org/bone
533 ++ */
534 ++#define TI_XDS100V2_PID 0xa6d0
535 ++
536 + #define FTDI_NXTCAM_PID 0xABB8 /* NXTCam for Mindstorms NXT */
537 +
538 + /* US Interface Navigator (http://www.usinterface.com/) */
539 +@@ -524,6 +531,12 @@
540 + #define ADI_GNICEPLUS_PID 0xF001
541 +
542 + /*
543 ++ * Hornby Elite
544 ++ */
545 ++#define HORNBY_VID 0x04D8
546 ++#define HORNBY_ELITE_PID 0x000A
547 ++
548 ++/*
549 + * RATOC REX-USB60F
550 + */
551 + #define RATOC_VENDOR_ID 0x0584
552 +@@ -1173,3 +1186,9 @@
553 + */
554 + /* TagTracer MIFARE*/
555 + #define FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID 0xF7C0
556 ++
557 ++/*
558 ++ * Rainforest Automation
559 ++ */
560 ++/* ZigBee controller */
561 ++#define FTDI_RF_R106 0x8A28
562 +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
563 +index fbdbac5..14d51e6 100644
564 +--- a/drivers/usb/serial/io_ti.c
565 ++++ b/drivers/usb/serial/io_ti.c
566 +@@ -2664,15 +2664,7 @@ cleanup:
567 +
568 + static void edge_disconnect(struct usb_serial *serial)
569 + {
570 +- int i;
571 +- struct edgeport_port *edge_port;
572 +-
573 + dbg("%s", __func__);
574 +-
575 +- for (i = 0; i < serial->num_ports; ++i) {
576 +- edge_port = usb_get_serial_port_data(serial->port[i]);
577 +- edge_remove_sysfs_attrs(edge_port->port);
578 +- }
579 + }
580 +
581 + static void edge_release(struct usb_serial *serial)
582 +@@ -2927,6 +2919,7 @@ static struct usb_serial_driver edgeport_1port_device = {
583 + .disconnect = edge_disconnect,
584 + .release = edge_release,
585 + .port_probe = edge_create_sysfs_attrs,
586 ++ .port_remove = edge_remove_sysfs_attrs,
587 + .ioctl = edge_ioctl,
588 + .set_termios = edge_set_termios,
589 + .tiocmget = edge_tiocmget,
590 +@@ -2957,6 +2950,7 @@ static struct usb_serial_driver edgeport_2port_device = {
591 + .disconnect = edge_disconnect,
592 + .release = edge_release,
593 + .port_probe = edge_create_sysfs_attrs,
594 ++ .port_remove = edge_remove_sysfs_attrs,
595 + .ioctl = edge_ioctl,
596 + .set_termios = edge_set_termios,
597 + .tiocmget = edge_tiocmget,
598 +diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
599 +index 443947f..7a5f1ac 100644
600 +--- a/fs/ecryptfs/crypto.c
601 ++++ b/fs/ecryptfs/crypto.c
602 +@@ -1609,7 +1609,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
603 + rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
604 + if (rc) {
605 + printk(KERN_DEBUG "Valid eCryptfs headers not found in "
606 +- "file header region or xattr region\n");
607 ++ "file header region or xattr region, inode %lu\n",
608 ++ ecryptfs_inode->i_ino);
609 + rc = -EINVAL;
610 + goto out;
611 + }
612 +@@ -1618,7 +1619,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
613 + ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
614 + if (rc) {
615 + printk(KERN_DEBUG "Valid eCryptfs headers not found in "
616 +- "file xattr region either\n");
617 ++ "file xattr region either, inode %lu\n",
618 ++ ecryptfs_inode->i_ino);
619 + rc = -EINVAL;
620 + }
621 + if (crypt_stat->mount_crypt_stat->flags
622 +@@ -1629,7 +1631,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
623 + "crypto metadata only in the extended attribute "
624 + "region, but eCryptfs was mounted without "
625 + "xattr support enabled. eCryptfs will not treat "
626 +- "this like an encrypted file.\n");
627 ++ "this like an encrypted file, inode %lu\n",
628 ++ ecryptfs_inode->i_ino);
629 + rc = -EINVAL;
630 + }
631 + }
632 +diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
633 +index 4ec8f61..c4b0bc5 100644
634 +--- a/fs/ecryptfs/miscdev.c
635 ++++ b/fs/ecryptfs/miscdev.c
636 +@@ -408,11 +408,47 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
637 + ssize_t sz = 0;
638 + char *data;
639 + uid_t euid = current_euid();
640 ++ unsigned char packet_size_peek[3];
641 + int rc;
642 +
643 +- if (count == 0)
644 ++ if (count == 0) {
645 + goto out;
646 ++ } else if (count == (1 + 4)) {
647 ++ /* Likely a harmless MSG_HELO or MSG_QUIT - no packet length */
648 ++ goto memdup;
649 ++ } else if (count < (1 + 4 + 1)
650 ++ || count > (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
651 ++ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)) {
652 ++ printk(KERN_WARNING "%s: Acceptable packet size range is "
653 ++ "[%d-%lu], but amount of data written is [%zu].",
654 ++ __func__, (1 + 4 + 1),
655 ++ (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
656 ++ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES), count);
657 ++ return -EINVAL;
658 ++ }
659 ++
660 ++ if (copy_from_user(packet_size_peek, (buf + 1 + 4),
661 ++ sizeof(packet_size_peek))) {
662 ++ printk(KERN_WARNING "%s: Error while inspecting packet size\n",
663 ++ __func__);
664 ++ return -EFAULT;
665 ++ }
666 ++
667 ++ rc = ecryptfs_parse_packet_length(packet_size_peek, &packet_size,
668 ++ &packet_size_length);
669 ++ if (rc) {
670 ++ printk(KERN_WARNING "%s: Error parsing packet length; "
671 ++ "rc = [%d]\n", __func__, rc);
672 ++ return rc;
673 ++ }
674 ++
675 ++ if ((1 + 4 + packet_size_length + packet_size) != count) {
676 ++ printk(KERN_WARNING "%s: Invalid packet size [%zu]\n", __func__,
677 ++ packet_size);
678 ++ return -EINVAL;
679 ++ }
680 +
681 ++memdup:
682 + data = memdup_user(buf, count);
683 + if (IS_ERR(data)) {
684 + printk(KERN_ERR "%s: memdup_user returned error [%ld]\n",
685 +@@ -434,23 +470,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
686 + }
687 + memcpy(&counter_nbo, &data[i], 4);
688 + seq = be32_to_cpu(counter_nbo);
689 +- i += 4;
690 +- rc = ecryptfs_parse_packet_length(&data[i], &packet_size,
691 +- &packet_size_length);
692 +- if (rc) {
693 +- printk(KERN_WARNING "%s: Error parsing packet length; "
694 +- "rc = [%d]\n", __func__, rc);
695 +- goto out_free;
696 +- }
697 +- i += packet_size_length;
698 +- if ((1 + 4 + packet_size_length + packet_size) != count) {
699 +- printk(KERN_WARNING "%s: (1 + packet_size_length([%zd])"
700 +- " + packet_size([%zd]))([%zd]) != "
701 +- "count([%zd]). Invalid packet format.\n",
702 +- __func__, packet_size_length, packet_size,
703 +- (1 + packet_size_length + packet_size), count);
704 +- goto out_free;
705 +- }
706 ++ i += 4 + packet_size_length;
707 + rc = ecryptfs_miscdev_response(&data[i], packet_size,
708 + euid, current_user_ns(),
709 + task_pid(current), seq);
710 +diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
711 +index 0cc4faf..6b78546 100644
712 +--- a/fs/ecryptfs/read_write.c
713 ++++ b/fs/ecryptfs/read_write.c
714 +@@ -136,6 +136,11 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
715 + size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
716 + size_t total_remaining_bytes = ((offset + size) - pos);
717 +
718 ++ if (fatal_signal_pending(current)) {
719 ++ rc = -EINTR;
720 ++ break;
721 ++ }
722 ++
723 + if (num_bytes > total_remaining_bytes)
724 + num_bytes = total_remaining_bytes;
725 + if (pos < offset) {
726 +@@ -197,15 +202,19 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
727 + }
728 + pos += num_bytes;
729 + }
730 +- if ((offset + size) > ecryptfs_file_size) {
731 +- i_size_write(ecryptfs_inode, (offset + size));
732 ++ if (pos > ecryptfs_file_size) {
733 ++ i_size_write(ecryptfs_inode, pos);
734 + if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
735 +- rc = ecryptfs_write_inode_size_to_metadata(
736 ++ int rc2;
737 ++
738 ++ rc2 = ecryptfs_write_inode_size_to_metadata(
739 + ecryptfs_inode);
740 +- if (rc) {
741 ++ if (rc2) {
742 + printk(KERN_ERR "Problem with "
743 + "ecryptfs_write_inode_size_to_metadata; "
744 +- "rc = [%d]\n", rc);
745 ++ "rc = [%d]\n", rc2);
746 ++ if (!rc)
747 ++ rc = rc2;
748 + goto out;
749 + }
750 + }
751 +diff --git a/include/drm/drmP.h b/include/drm/drmP.h
752 +index 66713c6..ebab6a6 100644
753 +--- a/include/drm/drmP.h
754 ++++ b/include/drm/drmP.h
755 +@@ -1221,6 +1221,7 @@ extern int drm_getmagic(struct drm_device *dev, void *data,
756 + struct drm_file *file_priv);
757 + extern int drm_authmagic(struct drm_device *dev, void *data,
758 + struct drm_file *file_priv);
759 ++extern int drm_remove_magic(struct drm_master *master, drm_magic_t magic);
760 +
761 + /* Cache management (drm_cache.c) */
762 + void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
763 +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
764 +index 63070ad..5eb6cb0 100644
765 +--- a/include/linux/blkdev.h
766 ++++ b/include/linux/blkdev.h
767 +@@ -777,6 +777,7 @@ extern void blk_plug_device(struct request_queue *);
768 + extern void blk_plug_device_unlocked(struct request_queue *);
769 + extern int blk_remove_plug(struct request_queue *);
770 + extern void blk_recount_segments(struct request_queue *, struct bio *);
771 ++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
772 + extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
773 + unsigned int, void __user *);
774 + extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
775
776 diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.55-201201272054.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
777 similarity index 99%
778 rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.55-201201272054.patch
779 rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
780 index 4b8b2b0..c0e9b3a 100644
781 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.55-201201272054.patch
782 +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
783 @@ -185,7 +185,7 @@ index c840e7d..f4c451c 100644
784
785 pcd. [PARIDE]
786 diff --git a/Makefile b/Makefile
787 -index 64d4fc6..3b32f7f 100644
788 +index 81ad738..cbdaeb0 100644
789 --- a/Makefile
790 +++ b/Makefile
791 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
792 @@ -13949,10 +13949,18 @@ index ef3cd31..9d2f6ab 100644
793 .store = store,
794 };
795 diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
796 -index 5c0e653..1e82c7c 100644
797 +index 5c0e653..0882b0a 100644
798 --- a/arch/x86/kernel/cpu/mcheck/p5.c
799 +++ b/arch/x86/kernel/cpu/mcheck/p5.c
800 -@@ -50,7 +50,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
801 +@@ -12,6 +12,7 @@
802 + #include <asm/system.h>
803 + #include <asm/mce.h>
804 + #include <asm/msr.h>
805 ++#include <asm/pgtable.h>
806 +
807 + /* By default disabled */
808 + int mce_p5_enabled __read_mostly;
809 +@@ -50,7 +51,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
810 if (!cpu_has(c, X86_FEATURE_MCE))
811 return;
812
813 @@ -13963,10 +13971,18 @@ index 5c0e653..1e82c7c 100644
814 wmb();
815
816 diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c
817 -index 54060f5..e6ba93d 100644
818 +index 54060f5..c1a7577 100644
819 --- a/arch/x86/kernel/cpu/mcheck/winchip.c
820 +++ b/arch/x86/kernel/cpu/mcheck/winchip.c
821 -@@ -24,7 +24,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
822 +@@ -11,6 +11,7 @@
823 + #include <asm/system.h>
824 + #include <asm/mce.h>
825 + #include <asm/msr.h>
826 ++#include <asm/pgtable.h>
827 +
828 + /* Machine check handler for WinChip C6: */
829 + static void winchip_machine_check(struct pt_regs *regs, long error_code)
830 +@@ -24,7 +25,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
831 {
832 u32 lo, hi;
833
834 @@ -25343,7 +25359,7 @@ index 84e236c..69bd3f6 100644
835
836 return (void *)vaddr;
837 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
838 -index 2feb9bd..3646202 100644
839 +index 2feb9bd..ab91e7b 100644
840 --- a/arch/x86/mm/ioremap.c
841 +++ b/arch/x86/mm/ioremap.c
842 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
843 @@ -25373,7 +25389,17 @@ index 2feb9bd..3646202 100644
844 return NULL;
845 WARN_ON_ONCE(is_ram);
846 }
847 -@@ -407,7 +404,7 @@ static int __init early_ioremap_debug_setup(char *str)
848 +@@ -378,6 +375,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
849 +
850 + /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
851 + if (page_is_ram(start >> PAGE_SHIFT))
852 ++#ifdef CONFIG_HIGHMEM
853 ++ if ((start >> PAGE_SHIFT) < max_low_pfn)
854 ++#endif
855 + return __va(phys);
856 +
857 + addr = (void __force *)ioremap_default(start, PAGE_SIZE);
858 +@@ -407,7 +407,7 @@ static int __init early_ioremap_debug_setup(char *str)
859 early_param("early_ioremap_debug", early_ioremap_debug_setup);
860
861 static __initdata int after_paging_init;
862 @@ -25382,7 +25408,7 @@ index 2feb9bd..3646202 100644
863
864 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
865 {
866 -@@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
867 +@@ -439,8 +439,7 @@ void __init early_ioremap_init(void)
868 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
869
870 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
871 @@ -27300,18 +27326,10 @@ index a847046..75a1746 100644
872 .store = elv_attr_store,
873 };
874 diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
875 -index 114ee29..d0efa50 100644
876 +index 2be0a97..bded3fd 100644
877 --- a/block/scsi_ioctl.c
878 +++ b/block/scsi_ioctl.c
879 -@@ -24,6 +24,7 @@
880 - #include <linux/capability.h>
881 - #include <linux/completion.h>
882 - #include <linux/cdrom.h>
883 -+#include <linux/ratelimit.h>
884 - #include <linux/slab.h>
885 - #include <linux/times.h>
886 - #include <asm/uaccess.h>
887 -@@ -220,8 +221,20 @@ EXPORT_SYMBOL(blk_verify_command);
888 +@@ -221,8 +221,20 @@ EXPORT_SYMBOL(blk_verify_command);
889 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
890 struct sg_io_hdr *hdr, fmode_t mode)
891 {
892 @@ -27333,7 +27351,7 @@ index 114ee29..d0efa50 100644
893 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
894 return -EPERM;
895
896 -@@ -430,6 +443,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
897 +@@ -431,6 +443,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
898 int err;
899 unsigned int in_len, out_len, bytes, opcode, cmdlen;
900 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
901 @@ -27342,7 +27360,7 @@ index 114ee29..d0efa50 100644
902
903 if (!sic)
904 return -EINVAL;
905 -@@ -463,9 +478,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
906 +@@ -464,9 +478,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
907 */
908 err = -EFAULT;
909 rq->cmd_len = cmdlen;
910 @@ -27362,61 +27380,6 @@ index 114ee29..d0efa50 100644
911 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
912 goto error;
913
914 -@@ -689,9 +713,54 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
915 - }
916 - EXPORT_SYMBOL(scsi_cmd_ioctl);
917 -
918 -+int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
919 -+{
920 -+ if (bd && bd == bd->bd_contains)
921 -+ return 0;
922 -+
923 -+ /* Actually none of these is particularly useful on a partition,
924 -+ * but they are safe.
925 -+ */
926 -+ switch (cmd) {
927 -+ case SCSI_IOCTL_GET_IDLUN:
928 -+ case SCSI_IOCTL_GET_BUS_NUMBER:
929 -+ case SCSI_IOCTL_GET_PCI:
930 -+ case SCSI_IOCTL_PROBE_HOST:
931 -+ case SG_GET_VERSION_NUM:
932 -+ case SG_SET_TIMEOUT:
933 -+ case SG_GET_TIMEOUT:
934 -+ case SG_GET_RESERVED_SIZE:
935 -+ case SG_SET_RESERVED_SIZE:
936 -+ case SG_EMULATED_HOST:
937 -+ return 0;
938 -+ case CDROM_GET_CAPABILITY:
939 -+ /* Keep this until we remove the printk below. udev sends it
940 -+ * and we do not want to spam dmesg about it. CD-ROMs do
941 -+ * not have partitions, so we get here only for disks.
942 -+ */
943 -+ return -ENOIOCTLCMD;
944 -+ default:
945 -+ break;
946 -+ }
947 -+
948 -+ /* In particular, rule out all resets and host-specific ioctls. */
949 -+ if (printk_ratelimit())
950 -+ printk(KERN_WARNING "%s: sending ioctl %x to a partition!\n",
951 -+ current->comm, cmd);
952 -+
953 -+ return capable(CAP_SYS_RAWIO) ? 0 : -ENOIOCTLCMD;
954 -+}
955 -+EXPORT_SYMBOL(scsi_verify_blk_ioctl);
956 -+
957 - int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
958 - unsigned int cmd, void __user *arg)
959 - {
960 -+ int ret;
961 -+
962 -+ ret = scsi_verify_blk_ioctl(bd, cmd);
963 -+ if (ret < 0)
964 -+ return ret;
965 -+
966 - return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
967 - }
968 - EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
969 diff --git a/crypto/cryptd.c b/crypto/cryptd.c
970 index 3533582..f143117 100644
971 --- a/crypto/cryptd.c
972 @@ -27473,109 +27436,6 @@ index b651a55..023297d 100644
973 /* Copy key, add padding */
974
975 for (i = 0; i < keylen; ++i)
976 -diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
977 -index 9ed9f60..88f160b 100644
978 ---- a/crypto/sha512_generic.c
979 -+++ b/crypto/sha512_generic.c
980 -@@ -21,8 +21,6 @@
981 - #include <linux/percpu.h>
982 - #include <asm/byteorder.h>
983 -
984 --static DEFINE_PER_CPU(u64[80], msg_schedule);
985 --
986 - static inline u64 Ch(u64 x, u64 y, u64 z)
987 - {
988 - return z ^ (x & (y ^ z));
989 -@@ -80,7 +78,7 @@ static inline void LOAD_OP(int I, u64 *W, const u8 *input)
990 -
991 - static inline void BLEND_OP(int I, u64 *W)
992 - {
993 -- W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
994 -+ W[I % 16] += s1(W[(I-2) % 16]) + W[(I-7) % 16] + s0(W[(I-15) % 16]);
995 - }
996 -
997 - static void
998 -@@ -89,38 +87,48 @@ sha512_transform(u64 *state, const u8 *input)
999 - u64 a, b, c, d, e, f, g, h, t1, t2;
1000 -
1001 - int i;
1002 -- u64 *W = get_cpu_var(msg_schedule);
1003 -+ u64 W[16];
1004 -
1005 - /* load the input */
1006 - for (i = 0; i < 16; i++)
1007 - LOAD_OP(i, W, input);
1008 -
1009 -- for (i = 16; i < 80; i++) {
1010 -- BLEND_OP(i, W);
1011 -- }
1012 --
1013 - /* load the state into our registers */
1014 - a=state[0]; b=state[1]; c=state[2]; d=state[3];
1015 - e=state[4]; f=state[5]; g=state[6]; h=state[7];
1016 -
1017 -- /* now iterate */
1018 -- for (i=0; i<80; i+=8) {
1019 -- t1 = h + e1(e) + Ch(e,f,g) + sha512_K[i ] + W[i ];
1020 -- t2 = e0(a) + Maj(a,b,c); d+=t1; h=t1+t2;
1021 -- t1 = g + e1(d) + Ch(d,e,f) + sha512_K[i+1] + W[i+1];
1022 -- t2 = e0(h) + Maj(h,a,b); c+=t1; g=t1+t2;
1023 -- t1 = f + e1(c) + Ch(c,d,e) + sha512_K[i+2] + W[i+2];
1024 -- t2 = e0(g) + Maj(g,h,a); b+=t1; f=t1+t2;
1025 -- t1 = e + e1(b) + Ch(b,c,d) + sha512_K[i+3] + W[i+3];
1026 -- t2 = e0(f) + Maj(f,g,h); a+=t1; e=t1+t2;
1027 -- t1 = d + e1(a) + Ch(a,b,c) + sha512_K[i+4] + W[i+4];
1028 -- t2 = e0(e) + Maj(e,f,g); h+=t1; d=t1+t2;
1029 -- t1 = c + e1(h) + Ch(h,a,b) + sha512_K[i+5] + W[i+5];
1030 -- t2 = e0(d) + Maj(d,e,f); g+=t1; c=t1+t2;
1031 -- t1 = b + e1(g) + Ch(g,h,a) + sha512_K[i+6] + W[i+6];
1032 -- t2 = e0(c) + Maj(c,d,e); f+=t1; b=t1+t2;
1033 -- t1 = a + e1(f) + Ch(f,g,h) + sha512_K[i+7] + W[i+7];
1034 -- t2 = e0(b) + Maj(b,c,d); e+=t1; a=t1+t2;
1035 -+#define SHA512_0_15(i, a, b, c, d, e, f, g, h) \
1036 -+ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[i]; \
1037 -+ t2 = e0(a) + Maj(a, b, c); \
1038 -+ d += t1; \
1039 -+ h = t1 + t2
1040 -+
1041 -+#define SHA512_16_79(i, a, b, c, d, e, f, g, h) \
1042 -+ BLEND_OP(i, W); \
1043 -+ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[(i)%16]; \
1044 -+ t2 = e0(a) + Maj(a, b, c); \
1045 -+ d += t1; \
1046 -+ h = t1 + t2
1047 -+
1048 -+ for (i = 0; i < 16; i += 8) {
1049 -+ SHA512_0_15(i, a, b, c, d, e, f, g, h);
1050 -+ SHA512_0_15(i + 1, h, a, b, c, d, e, f, g);
1051 -+ SHA512_0_15(i + 2, g, h, a, b, c, d, e, f);
1052 -+ SHA512_0_15(i + 3, f, g, h, a, b, c, d, e);
1053 -+ SHA512_0_15(i + 4, e, f, g, h, a, b, c, d);
1054 -+ SHA512_0_15(i + 5, d, e, f, g, h, a, b, c);
1055 -+ SHA512_0_15(i + 6, c, d, e, f, g, h, a, b);
1056 -+ SHA512_0_15(i + 7, b, c, d, e, f, g, h, a);
1057 -+ }
1058 -+ for (i = 16; i < 80; i += 8) {
1059 -+ SHA512_16_79(i, a, b, c, d, e, f, g, h);
1060 -+ SHA512_16_79(i + 1, h, a, b, c, d, e, f, g);
1061 -+ SHA512_16_79(i + 2, g, h, a, b, c, d, e, f);
1062 -+ SHA512_16_79(i + 3, f, g, h, a, b, c, d, e);
1063 -+ SHA512_16_79(i + 4, e, f, g, h, a, b, c, d);
1064 -+ SHA512_16_79(i + 5, d, e, f, g, h, a, b, c);
1065 -+ SHA512_16_79(i + 6, c, d, e, f, g, h, a, b);
1066 -+ SHA512_16_79(i + 7, b, c, d, e, f, g, h, a);
1067 - }
1068 -
1069 - state[0] += a; state[1] += b; state[2] += c; state[3] += d;
1070 -@@ -128,8 +136,6 @@ sha512_transform(u64 *state, const u8 *input)
1071 -
1072 - /* erase our data */
1073 - a = b = c = d = e = f = g = h = t1 = t2 = 0;
1074 -- memset(W, 0, sizeof(__get_cpu_var(msg_schedule)));
1075 -- put_cpu_var(msg_schedule);
1076 - }
1077 -
1078 - static int
1079 diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c
1080 index 0d2cdb8..d8de48d 100644
1081 --- a/drivers/acpi/acpi_pad.c
1082 @@ -31876,9 +31736,18 @@ index bf2170f..ce8cab9 100644
1083 acpi_os_unmap_memory(virt, len);
1084 return 0;
1085 diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
1086 -index 123cedf..137edef 100644
1087 +index 123cedf..6664cb4 100644
1088 --- a/drivers/char/tty_io.c
1089 +++ b/drivers/char/tty_io.c
1090 +@@ -146,7 +146,7 @@ static int tty_open(struct inode *, struct file *);
1091 + static int tty_release(struct inode *, struct file *);
1092 + long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
1093 + #ifdef CONFIG_COMPAT
1094 +-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
1095 ++long tty_compat_ioctl(struct file *file, unsigned int cmd,
1096 + unsigned long arg);
1097 + #else
1098 + #define tty_compat_ioctl NULL
1099 @@ -1774,6 +1774,7 @@ got_driver:
1100
1101 if (IS_ERR(tty)) {
1102 @@ -32792,7 +32661,7 @@ index 0e27d98..dec8768 100644
1103
1104 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
1105 diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
1106 -index ba14553..182d0bb 100644
1107 +index 519161e..98c840c 100644
1108 --- a/drivers/gpu/drm/drm_fops.c
1109 +++ b/drivers/gpu/drm/drm_fops.c
1110 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device * dev)
1111 @@ -32832,9 +32701,9 @@ index ba14553..182d0bb 100644
1112 - dev->open_count);
1113 + local_read(&dev->open_count));
1114
1115 - /* if the master has gone away we can't do anything with the lock */
1116 - if (file_priv->minor->master)
1117 -@@ -524,9 +524,9 @@ int drm_release(struct inode *inode, struct file *filp)
1118 + /* Release any auth tokens that might point to this file_priv,
1119 + (do that under the drm_global_mutex) */
1120 +@@ -529,9 +529,9 @@ int drm_release(struct inode *inode, struct file *filp)
1121 * End inline drm_release
1122 */
1123
1124 @@ -34105,7 +33974,7 @@ index 7cdd76f..fe0efdf 100644
1125 int ycalib; /* calibrated null value for y */
1126 int zcalib; /* calibrated null value for z */
1127 diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
1128 -index 2040507..706ec1e 100644
1129 +index 740785e..5a5c6c6 100644
1130 --- a/drivers/hwmon/sht15.c
1131 +++ b/drivers/hwmon/sht15.c
1132 @@ -112,7 +112,7 @@ struct sht15_data {
1133 @@ -41626,42 +41495,6 @@ index 21a045e..ec89e03 100644
1134 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
1135
1136 transport_setup_device(&rport->dev);
1137 -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
1138 -index 2dd1b73..fd8145f 100644
1139 ---- a/drivers/scsi/sd.c
1140 -+++ b/drivers/scsi/sd.c
1141 -@@ -817,6 +817,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
1142 - SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
1143 - disk->disk_name, cmd));
1144 -
1145 -+ error = scsi_verify_blk_ioctl(bdev, cmd);
1146 -+ if (error < 0)
1147 -+ return error;
1148 -+
1149 - /*
1150 - * If we are in the middle of error recovery, don't let anyone
1151 - * else try and use this device. Also, if error recovery fails, it
1152 -@@ -996,6 +1000,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
1153 - unsigned int cmd, unsigned long arg)
1154 - {
1155 - struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
1156 -+ int ret;
1157 -+
1158 -+ ret = scsi_verify_blk_ioctl(bdev, cmd);
1159 -+ if (ret < 0)
1160 -+ return ret;
1161 -
1162 - /*
1163 - * If we are in the middle of error recovery, don't let anyone
1164 -@@ -1007,8 +1016,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
1165 - return -ENODEV;
1166 -
1167 - if (sdev->host->hostt->compat_ioctl) {
1168 -- int ret;
1169 --
1170 - ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
1171 -
1172 - return ret;
1173 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
1174 index 040f751..98a5ed2 100644
1175 --- a/drivers/scsi/sg.c
1176 @@ -48429,6 +48262,22 @@ index 44c0aea..2529092 100644
1177
1178 dcache_init();
1179 inode_init();
1180 +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
1181 +index 39c6ee8..dcee0f1 100644
1182 +--- a/fs/debugfs/inode.c
1183 ++++ b/fs/debugfs/inode.c
1184 +@@ -269,7 +269,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
1185 + struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
1186 + {
1187 + return debugfs_create_file(name,
1188 ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
1189 ++ S_IFDIR | S_IRWXU,
1190 ++#else
1191 + S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
1192 ++#endif
1193 + parent, NULL, NULL);
1194 + }
1195 + EXPORT_SYMBOL_GPL(debugfs_create_dir);
1196 diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
1197 index c010ecf..a8d8c59 100644
1198 --- a/fs/dlm/lockspace.c
1199 @@ -48443,7 +48292,7 @@ index c010ecf..a8d8c59 100644
1200 .store = dlm_attr_store,
1201 };
1202 diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
1203 -index 443947f..a871402 100644
1204 +index 7a5f1ac..205b034 100644
1205 --- a/fs/ecryptfs/crypto.c
1206 +++ b/fs/ecryptfs/crypto.c
1207 @@ -418,17 +418,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
1208 @@ -48497,20 +48346,20 @@ index 443947f..a871402 100644
1209 rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
1210 (extent_offset
1211 * crypt_stat->extent_size),
1212 -@@ -569,6 +539,7 @@ static int ecryptfs_decrypt_extent(struct page *page,
1213 +@@ -569,16 +539,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
1214 goto out;
1215 }
1216 rc = 0;
1217 -+<<<<<<< HEAD
1218 - if (unlikely(ecryptfs_verbosity > 0)) {
1219 - ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16x]; "
1220 - "rc = [%d]\n", (extent_base + extent_offset),
1221 -@@ -579,6 +550,8 @@ static int ecryptfs_decrypt_extent(struct page *page,
1222 - + (extent_offset
1223 - * crypt_stat->extent_size)), 8);
1224 - }
1225 -+=======
1226 -+>>>>>>> 58ded24... eCryptfs: Fix oops when printing debug info in extent crypto functions
1227 +- if (unlikely(ecryptfs_verbosity > 0)) {
1228 +- ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16x]; "
1229 +- "rc = [%d]\n", (extent_base + extent_offset),
1230 +- rc);
1231 +- ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
1232 +- "decryption:\n");
1233 +- ecryptfs_dump_hex((char *)(page_address(page)
1234 +- + (extent_offset
1235 +- * crypt_stat->extent_size)), 8);
1236 +- }
1237 out:
1238 return rc;
1239 }
1240 @@ -48536,89 +48385,11 @@ index 88ba4d4..073f003 100644
1241 set_fs(old_fs);
1242 if (rc < 0)
1243 goto out_free;
1244 -diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
1245 -index 4ec8f61..c4b0bc5 100644
1246 ---- a/fs/ecryptfs/miscdev.c
1247 -+++ b/fs/ecryptfs/miscdev.c
1248 -@@ -408,11 +408,47 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
1249 - ssize_t sz = 0;
1250 - char *data;
1251 - uid_t euid = current_euid();
1252 -+ unsigned char packet_size_peek[3];
1253 - int rc;
1254 -
1255 -- if (count == 0)
1256 -+ if (count == 0) {
1257 - goto out;
1258 -+ } else if (count == (1 + 4)) {
1259 -+ /* Likely a harmless MSG_HELO or MSG_QUIT - no packet length */
1260 -+ goto memdup;
1261 -+ } else if (count < (1 + 4 + 1)
1262 -+ || count > (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
1263 -+ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)) {
1264 -+ printk(KERN_WARNING "%s: Acceptable packet size range is "
1265 -+ "[%d-%lu], but amount of data written is [%zu].",
1266 -+ __func__, (1 + 4 + 1),
1267 -+ (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
1268 -+ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES), count);
1269 -+ return -EINVAL;
1270 -+ }
1271 -
1272 -+ if (copy_from_user(packet_size_peek, (buf + 1 + 4),
1273 -+ sizeof(packet_size_peek))) {
1274 -+ printk(KERN_WARNING "%s: Error while inspecting packet size\n",
1275 -+ __func__);
1276 -+ return -EFAULT;
1277 -+ }
1278 -+
1279 -+ rc = ecryptfs_parse_packet_length(packet_size_peek, &packet_size,
1280 -+ &packet_size_length);
1281 -+ if (rc) {
1282 -+ printk(KERN_WARNING "%s: Error parsing packet length; "
1283 -+ "rc = [%d]\n", __func__, rc);
1284 -+ return rc;
1285 -+ }
1286 -+
1287 -+ if ((1 + 4 + packet_size_length + packet_size) != count) {
1288 -+ printk(KERN_WARNING "%s: Invalid packet size [%zu]\n", __func__,
1289 -+ packet_size);
1290 -+ return -EINVAL;
1291 -+ }
1292 -+
1293 -+memdup:
1294 - data = memdup_user(buf, count);
1295 - if (IS_ERR(data)) {
1296 - printk(KERN_ERR "%s: memdup_user returned error [%ld]\n",
1297 -@@ -434,23 +470,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
1298 - }
1299 - memcpy(&counter_nbo, &data[i], 4);
1300 - seq = be32_to_cpu(counter_nbo);
1301 -- i += 4;
1302 -- rc = ecryptfs_parse_packet_length(&data[i], &packet_size,
1303 -- &packet_size_length);
1304 -- if (rc) {
1305 -- printk(KERN_WARNING "%s: Error parsing packet length; "
1306 -- "rc = [%d]\n", __func__, rc);
1307 -- goto out_free;
1308 -- }
1309 -- i += packet_size_length;
1310 -- if ((1 + 4 + packet_size_length + packet_size) != count) {
1311 -- printk(KERN_WARNING "%s: (1 + packet_size_length([%zd])"
1312 -- " + packet_size([%zd]))([%zd]) != "
1313 -- "count([%zd]). Invalid packet format.\n",
1314 -- __func__, packet_size_length, packet_size,
1315 -- (1 + packet_size_length + packet_size), count);
1316 -- goto out_free;
1317 -- }
1318 -+ i += 4 + packet_size_length;
1319 - rc = ecryptfs_miscdev_response(&data[i], packet_size,
1320 - euid, current_user_ns(),
1321 - task_pid(current), seq);
1322 diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
1323 -index 0cc4faf..0404659 100644
1324 +index 6b78546..7ba3260 100644
1325 --- a/fs/ecryptfs/read_write.c
1326 +++ b/fs/ecryptfs/read_write.c
1327 -@@ -134,13 +134,18 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
1328 +@@ -134,7 +134,12 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
1329 pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
1330 size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
1331 size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
1332 @@ -48630,7 +48401,9 @@ index 0cc4faf..0404659 100644
1333 + break;
1334 + }
1335
1336 - if (num_bytes > total_remaining_bytes)
1337 + if (fatal_signal_pending(current)) {
1338 + rc = -EINTR;
1339 +@@ -145,7 +150,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
1340 num_bytes = total_remaining_bytes;
1341 if (pos < offset) {
1342 /* remaining zeros to write, up to destination offset */
1343 @@ -48639,31 +48412,6 @@ index 0cc4faf..0404659 100644
1344
1345 if (num_bytes > total_remaining_zeros)
1346 num_bytes = total_remaining_zeros;
1347 -@@ -197,15 +202,19 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
1348 - }
1349 - pos += num_bytes;
1350 - }
1351 -- if ((offset + size) > ecryptfs_file_size) {
1352 -- i_size_write(ecryptfs_inode, (offset + size));
1353 -+ if (pos > ecryptfs_file_size) {
1354 -+ i_size_write(ecryptfs_inode, pos);
1355 - if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
1356 -- rc = ecryptfs_write_inode_size_to_metadata(
1357 -+ int rc2;
1358 -+
1359 -+ rc2 = ecryptfs_write_inode_size_to_metadata(
1360 - ecryptfs_inode);
1361 -- if (rc) {
1362 -+ if (rc2) {
1363 - printk(KERN_ERR "Problem with "
1364 - "ecryptfs_write_inode_size_to_metadata; "
1365 -- "rc = [%d]\n", rc);
1366 -+ "rc = [%d]\n", rc2);
1367 -+ if (!rc)
1368 -+ rc = rc2;
1369 - goto out;
1370 - }
1371 - }
1372 diff --git a/fs/exec.c b/fs/exec.c
1373 index 86fafc6..5033350 100644
1374 --- a/fs/exec.c
1375 @@ -54633,6 +54381,29 @@ index bb92b7c..5aa72b0 100644
1376 ret = -EAGAIN;
1377
1378 pipe_unlock(ipipe);
1379 +diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
1380 +index e020183..18d64b4 100644
1381 +--- a/fs/sysfs/dir.c
1382 ++++ b/fs/sysfs/dir.c
1383 +@@ -678,6 +678,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
1384 + struct sysfs_dirent *sd;
1385 + int rc;
1386 +
1387 ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
1388 ++ const char *parent_name = parent_sd->s_name;
1389 ++
1390 ++ mode = S_IFDIR | S_IRWXU;
1391 ++
1392 ++ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
1393 ++ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
1394 ++ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse"))) ||
1395 ++ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
1396 ++ mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
1397 ++#endif
1398 ++
1399 + /* allocate */
1400 + sd = sysfs_new_dirent(name, mode, SYSFS_DIR);
1401 + if (!sd)
1402 diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
1403 index 7118a38..70af853 100644
1404 --- a/fs/sysfs/file.c
1405 @@ -54718,22 +54489,6 @@ index 7118a38..70af853 100644
1406 wake_up_interruptible(&od->poll);
1407 }
1408
1409 -diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
1410 -index 4974995..c26609c 100644
1411 ---- a/fs/sysfs/mount.c
1412 -+++ b/fs/sysfs/mount.c
1413 -@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
1414 - .s_name = "",
1415 - .s_count = ATOMIC_INIT(1),
1416 - .s_flags = SYSFS_DIR,
1417 -+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
1418 -+ .s_mode = S_IFDIR | S_IRWXU,
1419 -+#else
1420 - .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
1421 -+#endif
1422 - .s_ino = 1,
1423 - };
1424 -
1425 diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c
1426 index c5081ad..342ea86 100644
1427 --- a/fs/sysfs/symlink.c
1428 @@ -55023,10 +54778,10 @@ index 8f32f50..b6a41e8 100644
1429 link[pathlen] = '\0';
1430 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
1431 new file mode 100644
1432 -index 0000000..883b00b
1433 +index 0000000..8cac8cb
1434 --- /dev/null
1435 +++ b/grsecurity/Kconfig
1436 -@@ -0,0 +1,1064 @@
1437 +@@ -0,0 +1,1068 @@
1438 +#
1439 +# grecurity configuration
1440 +#
1441 @@ -55496,15 +55251,19 @@ index 0000000..883b00b
1442 + depends on SYSFS
1443 + help
1444 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
1445 -+ any filesystem normally mounted under it (e.g. debugfs) will only
1446 -+ be accessible by root. These filesystems generally provide access
1447 ++ any filesystem normally mounted under it (e.g. debugfs) will be
1448 ++ mostly accessible only by root. These filesystems generally provide access
1449 + to hardware and debug information that isn't appropriate for unprivileged
1450 + users of the system. Sysfs and debugfs have also become a large source
1451 + of new vulnerabilities, ranging from infoleaks to local compromise.
1452 + There has been very little oversight with an eye toward security involved
1453 + in adding new exporters of information to these filesystems, so their
1454 + use is discouraged.
1455 -+ This option is equivalent to a chmod 0700 of the mount paths.
1456 ++ For reasons of compatibility, a few directories have been whitelisted
1457 ++ for access by non-root users:
1458 ++ /sys/fs/selinux
1459 ++ /sys/fs/fuse
1460 ++ /sys/devices/system/cpu
1461 +
1462 +config GRKERNSEC_ROFS
1463 + bool "Runtime read-only mount protection"
1464 @@ -64946,10 +64705,10 @@ index 0000000..0dc13c3
1465 +EXPORT_SYMBOL(gr_log_timechange);
1466 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
1467 new file mode 100644
1468 -index 0000000..4a78774
1469 +index 0000000..a35ba33
1470 --- /dev/null
1471 +++ b/grsecurity/grsec_tpe.c
1472 -@@ -0,0 +1,39 @@
1473 +@@ -0,0 +1,73 @@
1474 +#include <linux/kernel.h>
1475 +#include <linux/sched.h>
1476 +#include <linux/file.h>
1477 @@ -64964,25 +64723,59 @@ index 0000000..4a78774
1478 +#ifdef CONFIG_GRKERNSEC
1479 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
1480 + const struct cred *cred = current_cred();
1481 ++ char *msg = NULL;
1482 ++ char *msg2 = NULL;
1483 ++
1484 ++ // never restrict root
1485 ++ if (!cred->uid)
1486 ++ return 1;
1487 +
1488 -+ if (cred->uid && ((grsec_enable_tpe &&
1489 ++ if (grsec_enable_tpe) {
1490 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
1491 -+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
1492 -+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
1493 ++ if (grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid))
1494 ++ msg = "not being in trusted group";
1495 ++ else if (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid))
1496 ++ msg = "being in untrusted group";
1497 +#else
1498 -+ in_group_p(grsec_tpe_gid)
1499 ++ if (in_group_p(grsec_tpe_gid))
1500 ++ msg = "being in untrusted group";
1501 +#endif
1502 -+ ) || gr_acl_tpe_check()) &&
1503 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
1504 -+ (inode->i_mode & S_IWOTH))))) {
1505 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
1506 ++ }
1507 ++ if (!msg && gr_acl_tpe_check())
1508 ++ msg = "being in untrusted role";
1509 ++
1510 ++ // not in any affected group/role
1511 ++ if (!msg)
1512 ++ goto next_check;
1513 ++
1514 ++ if (inode->i_uid)
1515 ++ msg2 = "file in non-root-owned directory";
1516 ++ else if (inode->i_mode & S_IWOTH)
1517 ++ msg2 = "file in world-writable directory";
1518 ++ else if (inode->i_mode & S_IWGRP)
1519 ++ msg2 = "file in group-writable directory";
1520 ++
1521 ++ if (msg && msg2) {
1522 ++ char fullmsg[64] = {0};
1523 ++ snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
1524 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
1525 + return 0;
1526 + }
1527 ++ msg = NULL;
1528 ++next_check:
1529 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
1530 -+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
1531 -+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
1532 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
1533 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
1534 ++ if (!grsec_enable_tpe || !grsec_enable_tpe_all)
1535 ++ return 1;
1536 ++
1537 ++ if (inode->i_uid && (inode->i_uid != cred->uid))
1538 ++ msg = "directory not owned by user";
1539 ++ else if (inode->i_mode & S_IWOTH)
1540 ++ msg = "file in world-writable directory";
1541 ++ else if (inode->i_mode & S_IWGRP)
1542 ++ msg = "file in group-writable directory";
1543 ++
1544 ++ if (msg) {
1545 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
1546 + return 0;
1547 + }
1548 +#endif
1549 @@ -65755,7 +65548,7 @@ index b6e818f..21aa58a 100644
1550 /**
1551 * PERCPU - define output section for percpu area, simple version
1552 diff --git a/include/drm/drmP.h b/include/drm/drmP.h
1553 -index 66713c6..98c0460 100644
1554 +index ebab6a6..351dba1 100644
1555 --- a/include/drm/drmP.h
1556 +++ b/include/drm/drmP.h
1557 @@ -71,6 +71,7 @@
1558 @@ -65942,18 +65735,10 @@ index a3d802e..482f69c 100644
1559 int hasvdso;
1560 };
1561 diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
1562 -index 63070ad..a2906d2 100644
1563 +index 5eb6cb0..a2906d2 100644
1564 --- a/include/linux/blkdev.h
1565 +++ b/include/linux/blkdev.h
1566 -@@ -777,6 +777,7 @@ extern void blk_plug_device(struct request_queue *);
1567 - extern void blk_plug_device_unlocked(struct request_queue *);
1568 - extern int blk_remove_plug(struct request_queue *);
1569 - extern void blk_recount_segments(struct request_queue *, struct bio *);
1570 -+extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
1571 - extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
1572 - unsigned int, void __user *);
1573 - extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
1574 -@@ -1280,7 +1281,7 @@ struct block_device_operations {
1575 +@@ -1281,7 +1281,7 @@ struct block_device_operations {
1576 int (*revalidate_disk) (struct gendisk *);
1577 int (*getgeo)(struct block_device *, struct hd_geometry *);
1578 struct module *owner;
1579 @@ -67354,7 +67139,7 @@ index 0000000..3826b91
1580 +#endif
1581 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
1582 new file mode 100644
1583 -index 0000000..dfb15ef
1584 +index 0000000..b3347e2
1585 --- /dev/null
1586 +++ b/include/linux/grmsg.h
1587 @@ -0,0 +1,109 @@
1588 @@ -67392,7 +67177,7 @@ index 0000000..dfb15ef
1589 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
1590 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
1591 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
1592 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
1593 ++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
1594 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
1595 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
1596 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
1597 @@ -75211,7 +74996,7 @@ index 04a0252..580c512 100644
1598 struct tasklet_struct *list;
1599
1600 diff --git a/kernel/sys.c b/kernel/sys.c
1601 -index e9512b1..f07185f 100644
1602 +index e9512b1..8a10cb3 100644
1603 --- a/kernel/sys.c
1604 +++ b/kernel/sys.c
1605 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
1606 @@ -75333,7 +75118,29 @@ index e9512b1..f07185f 100644
1607 if (capable(CAP_SETUID)) {
1608 new->suid = new->uid = uid;
1609 if (uid != old->uid) {
1610 -@@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
1611 +@@ -721,9 +750,18 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
1612 +
1613 + retval = -EPERM;
1614 + if (!capable(CAP_SETUID)) {
1615 +- if (ruid != (uid_t) -1 && ruid != old->uid &&
1616 +- ruid != old->euid && ruid != old->suid)
1617 +- goto error;
1618 ++ // if RBAC is enabled, require CAP_SETUID to change
1619 ++ // uid to euid (from a suid binary, for instance)
1620 ++ // this is a hardening of normal permissions, not
1621 ++ // weakening
1622 ++ if (gr_acl_is_enabled()) {
1623 ++ if (ruid != (uid_t) -1 && ruid != old->uid)
1624 ++ goto error;
1625 ++ } else {
1626 ++ if (ruid != (uid_t) -1 && ruid != old->uid &&
1627 ++ ruid != old->euid && ruid != old->suid)
1628 ++ goto error;
1629 ++ }
1630 + if (euid != (uid_t) -1 && euid != old->uid &&
1631 + euid != old->euid && euid != old->suid)
1632 + goto error;
1633 +@@ -732,6 +770,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
1634 goto error;
1635 }
1636
1637 @@ -75343,7 +75150,29 @@ index e9512b1..f07185f 100644
1638 if (ruid != (uid_t) -1) {
1639 new->uid = ruid;
1640 if (ruid != old->uid) {
1641 -@@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
1642 +@@ -789,9 +830,18 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
1643 +
1644 + retval = -EPERM;
1645 + if (!capable(CAP_SETGID)) {
1646 +- if (rgid != (gid_t) -1 && rgid != old->gid &&
1647 +- rgid != old->egid && rgid != old->sgid)
1648 +- goto error;
1649 ++ // if RBAC is enabled, require CAP_SETGID to change
1650 ++ // gid to egid (from a sgid binary, for instance)
1651 ++ // this is a hardening of normal permissions, not
1652 ++ // weakening
1653 ++ if (gr_acl_is_enabled()) {
1654 ++ if (rgid != (gid_t) -1 && rgid != old->gid)
1655 ++ goto error;
1656 ++ } else {
1657 ++ if (rgid != (gid_t) -1 && rgid != old->gid &&
1658 ++ rgid != old->egid && rgid != old->sgid)
1659 ++ goto error;
1660 ++ }
1661 + if (egid != (gid_t) -1 && egid != old->gid &&
1662 + egid != old->egid && egid != old->sgid)
1663 + goto error;
1664 +@@ -800,6 +850,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
1665 goto error;
1666 }
1667
1668 @@ -75353,7 +75182,7 @@ index e9512b1..f07185f 100644
1669 if (rgid != (gid_t) -1)
1670 new->gid = rgid;
1671 if (egid != (gid_t) -1)
1672 -@@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
1673 +@@ -849,6 +902,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
1674 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
1675 goto error;
1676
1677 @@ -75363,7 +75192,7 @@ index e9512b1..f07185f 100644
1678 if (uid == old->uid || uid == old->euid ||
1679 uid == old->suid || uid == old->fsuid ||
1680 capable(CAP_SETUID)) {
1681 -@@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
1682 +@@ -889,6 +945,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
1683 if (gid == old->gid || gid == old->egid ||
1684 gid == old->sgid || gid == old->fsgid ||
1685 capable(CAP_SETGID)) {
1686 @@ -75373,7 +75202,7 @@ index e9512b1..f07185f 100644
1687 if (gid != old_fsgid) {
1688 new->fsgid = gid;
1689 goto change_okay;
1690 -@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
1691 +@@ -1454,7 +1513,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
1692 error = get_dumpable(me->mm);
1693 break;
1694 case PR_SET_DUMPABLE:
1695 @@ -84589,10 +84418,10 @@ index d52f7a0..269eb1b 100755
1696 rm -f tags
1697 xtags ctags
1698 diff --git a/security/Kconfig b/security/Kconfig
1699 -index fb363cd..0524cf3 100644
1700 +index fb363cd..886ace4 100644
1701 --- a/security/Kconfig
1702 +++ b/security/Kconfig
1703 -@@ -4,6 +4,625 @@
1704 +@@ -4,6 +4,626 @@
1705
1706 menu "Security options"
1707
1708 @@ -85100,6 +84929,7 @@ index fb363cd..0524cf3 100644
1709 +
1710 +config PAX_MEMORY_SANITIZE
1711 + bool "Sanitize all freed memory"
1712 ++ depends on !HIBERNATION
1713 + help
1714 + By saying Y here the kernel will erase memory pages as soon as they
1715 + are freed. This in turn reduces the lifetime of data stored in the
1716 @@ -85218,7 +85048,7 @@ index fb363cd..0524cf3 100644
1717 config KEYS
1718 bool "Enable access key retention support"
1719 help
1720 -@@ -146,7 +765,7 @@ config INTEL_TXT
1721 +@@ -146,7 +766,7 @@ config INTEL_TXT
1722 config LSM_MMAP_MIN_ADDR
1723 int "Low address space for LSM to protect from user allocation"
1724 depends on SECURITY && SECURITY_SELINUX
1725
1726 diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4425_grsec-pax-without-grsec.patch
1727 index bbb8671..0f87dc1 100644
1728 --- a/2.6.32/4425_grsec-pax-without-grsec.patch
1729 +++ b/2.6.32/4425_grsec-pax-without-grsec.patch
1730 @@ -36,7 +36,7 @@ diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
1731 diff -Naur a/fs/exec.c b/fs/exec.c
1732 --- a/fs/exec.c 2011-04-17 18:15:55.000000000 -0400
1733 +++ b/fs/exec.c 2011-04-17 18:29:40.000000000 -0400
1734 -@@ -1807,9 +1807,11 @@
1735 +@@ -1812,9 +1812,11 @@
1736 }
1737 up_read(&mm->mmap_sem);
1738 }
1739 @@ -48,7 +48,7 @@ diff -Naur a/fs/exec.c b/fs/exec.c
1740 printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
1741 printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
1742 "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
1743 -@@ -1824,10 +1826,12 @@
1744 +@@ -1829,10 +1831,12 @@
1745 #ifdef CONFIG_PAX_REFCOUNT
1746 void pax_report_refcount_overflow(struct pt_regs *regs)
1747 {
1748 @@ -61,7 +61,7 @@ diff -Naur a/fs/exec.c b/fs/exec.c
1749 printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
1750 current->comm, task_pid_nr(current), current_uid(), current_euid());
1751 print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
1752 -@@ -1887,10 +1891,12 @@
1753 +@@ -1892,10 +1896,12 @@
1754
1755 NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
1756 {
1757
1758 diff --git a/2.6.32/4430_grsec-kconfig-default-gids.patch b/2.6.32/4430_grsec-kconfig-default-gids.patch
1759 index 2cd1c5a..763d845 100644
1760 --- a/2.6.32/4430_grsec-kconfig-default-gids.patch
1761 +++ b/2.6.32/4430_grsec-kconfig-default-gids.patch
1762 @@ -12,7 +12,7 @@ from shooting themselves in the foot.
1763 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1764 --- a/grsecurity/Kconfig 2011-12-12 15:11:47.000000000 -0500
1765 +++ b/grsecurity/Kconfig 2011-12-12 15:13:17.000000000 -0500
1766 -@@ -431,7 +431,7 @@
1767 +@@ -433,7 +433,7 @@
1768 config GRKERNSEC_PROC_GID
1769 int "GID for special group"
1770 depends on GRKERNSEC_PROC_USERGROUP
1771 @@ -21,7 +21,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1772
1773 config GRKERNSEC_PROC_ADD
1774 bool "Additional restrictions"
1775 -@@ -655,7 +655,7 @@
1776 +@@ -661,7 +661,7 @@
1777 config GRKERNSEC_AUDIT_GID
1778 int "GID for auditing"
1779 depends on GRKERNSEC_AUDIT_GROUP
1780 @@ -30,7 +30,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1781
1782 config GRKERNSEC_EXECLOG
1783 bool "Exec logging"
1784 -@@ -833,7 +833,7 @@
1785 +@@ -865,7 +865,7 @@
1786 config GRKERNSEC_TPE_GID
1787 int "GID for untrusted users"
1788 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
1789 @@ -39,7 +39,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1790 help
1791 Setting this GID determines what group TPE restrictions will be
1792 *enabled* for. If the sysctl option is enabled, a sysctl option
1793 -@@ -842,7 +842,7 @@
1794 +@@ -874,7 +874,7 @@
1795 config GRKERNSEC_TPE_GID
1796 int "GID for trusted users"
1797 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
1798 @@ -48,7 +48,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1799 help
1800 Setting this GID determines what group TPE restrictions will be
1801 *disabled* for. If the sysctl option is enabled, a sysctl option
1802 -@@ -915,7 +915,7 @@
1803 +@@ -947,7 +947,7 @@
1804 config GRKERNSEC_SOCKET_ALL_GID
1805 int "GID to deny all sockets for"
1806 depends on GRKERNSEC_SOCKET_ALL
1807 @@ -57,7 +57,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1808 help
1809 Here you can choose the GID to disable socket access for. Remember to
1810 add the users you want socket access disabled for to the GID
1811 -@@ -936,7 +936,7 @@
1812 +@@ -968,7 +968,7 @@
1813 config GRKERNSEC_SOCKET_CLIENT_GID
1814 int "GID to deny client sockets for"
1815 depends on GRKERNSEC_SOCKET_CLIENT
1816 @@ -66,7 +66,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1817 help
1818 Here you can choose the GID to disable client socket access for.
1819 Remember to add the users you want client socket access disabled for to
1820 -@@ -954,7 +954,7 @@
1821 +@@ -986,7 +986,7 @@
1822 config GRKERNSEC_SOCKET_SERVER_GID
1823 int "GID to deny server sockets for"
1824 depends on GRKERNSEC_SOCKET_SERVER
1825
1826 diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
1827 index 7c9be0d..b7e7322 100644
1828 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch
1829 +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
1830 @@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1831
1832 config GRKERNSEC_LOW
1833 bool "Low"
1834 -@@ -190,6 +190,259 @@
1835 +@@ -192,6 +192,259 @@
1836 - Restricted sysfs/debugfs
1837 - Active kernel exploit response
1838
1839 @@ -341,7 +341,7 @@ diff -Naur a/security/Kconfig b/security/Kconfig
1840 default ""
1841
1842 config PAX_KERNEXEC_MODULE_TEXT
1843 -@@ -553,8 +554,9 @@
1844 +@@ -554,8 +555,9 @@
1845
1846 config PAX_MEMORY_UDEREF
1847 bool "Prevent invalid userland pointer dereference"
1848
1849 diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
1850 index d84eb57..ca88ef7 100644
1851 --- a/2.6.32/4437-grsec-kconfig-proc-user.patch
1852 +++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
1853 @@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre
1854 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1855 --- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
1856 +++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
1857 -@@ -665,7 +665,7 @@
1858 +@@ -667,7 +667,7 @@
1859
1860 config GRKERNSEC_PROC_USER
1861 bool "Restrict /proc to user only"
1862 @@ -15,7 +15,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1863 help
1864 If you say Y here, non-root users will only be able to view their own
1865 processes, and restricts them from viewing network-related information,
1866 -@@ -673,7 +673,7 @@
1867 +@@ -675,7 +675,7 @@
1868
1869 config GRKERNSEC_PROC_USERGROUP
1870 bool "Allow special group"
1871
1872 diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
1873 index 5bbfa24..0873c15 100644
1874 --- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
1875 +++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
1876 @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
1877 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1878 --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
1879 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
1880 -@@ -1264,6 +1264,27 @@
1881 +@@ -1296,6 +1296,27 @@
1882 menu "Logging Options"
1883 depends on GRKERNSEC
1884
1885
1886 diff --git a/3.2.2/1001_linux-3.2.2.patch b/3.2.2/1001_linux-3.2.2.patch
1887 deleted file mode 100644
1888 index ec16cce..0000000
1889 --- a/3.2.2/1001_linux-3.2.2.patch
1890 +++ /dev/null
1891 @@ -1,6552 +0,0 @@
1892 -diff --git a/Makefile b/Makefile
1893 -index c5edffa..2f684da 100644
1894 ---- a/Makefile
1895 -+++ b/Makefile
1896 -@@ -1,6 +1,6 @@
1897 - VERSION = 3
1898 - PATCHLEVEL = 2
1899 --SUBLEVEL = 1
1900 -+SUBLEVEL = 2
1901 - EXTRAVERSION =
1902 - NAME = Saber-toothed Squirrel
1903 -
1904 -diff --git a/arch/ia64/kernel/acpi.c b/arch/ia64/kernel/acpi.c
1905 -index bfb4d01..5207035 100644
1906 ---- a/arch/ia64/kernel/acpi.c
1907 -+++ b/arch/ia64/kernel/acpi.c
1908 -@@ -429,22 +429,24 @@ static u32 __devinitdata pxm_flag[PXM_FLAG_LEN];
1909 - static struct acpi_table_slit __initdata *slit_table;
1910 - cpumask_t early_cpu_possible_map = CPU_MASK_NONE;
1911 -
1912 --static int get_processor_proximity_domain(struct acpi_srat_cpu_affinity *pa)
1913 -+static int __init
1914 -+get_processor_proximity_domain(struct acpi_srat_cpu_affinity *pa)
1915 - {
1916 - int pxm;
1917 -
1918 - pxm = pa->proximity_domain_lo;
1919 -- if (ia64_platform_is("sn2"))
1920 -+ if (ia64_platform_is("sn2") || acpi_srat_revision >= 2)
1921 - pxm += pa->proximity_domain_hi[0] << 8;
1922 - return pxm;
1923 - }
1924 -
1925 --static int get_memory_proximity_domain(struct acpi_srat_mem_affinity *ma)
1926 -+static int __init
1927 -+get_memory_proximity_domain(struct acpi_srat_mem_affinity *ma)
1928 - {
1929 - int pxm;
1930 -
1931 - pxm = ma->proximity_domain;
1932 -- if (!ia64_platform_is("sn2"))
1933 -+ if (!ia64_platform_is("sn2") && acpi_srat_revision <= 1)
1934 - pxm &= 0xff;
1935 -
1936 - return pxm;
1937 -diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
1938 -index 577abba..83bb960 100644
1939 ---- a/arch/score/kernel/entry.S
1940 -+++ b/arch/score/kernel/entry.S
1941 -@@ -408,7 +408,7 @@ ENTRY(handle_sys)
1942 - sw r9, [r0, PT_EPC]
1943 -
1944 - cmpi.c r27, __NR_syscalls # check syscall number
1945 -- bgtu illegal_syscall
1946 -+ bgeu illegal_syscall
1947 -
1948 - slli r8, r27, 2 # get syscall routine
1949 - la r11, sys_call_table
1950 -diff --git a/arch/x86/include/asm/amd_nb.h b/arch/x86/include/asm/amd_nb.h
1951 -index 8e41071..49ad773 100644
1952 ---- a/arch/x86/include/asm/amd_nb.h
1953 -+++ b/arch/x86/include/asm/amd_nb.h
1954 -@@ -1,6 +1,7 @@
1955 - #ifndef _ASM_X86_AMD_NB_H
1956 - #define _ASM_X86_AMD_NB_H
1957 -
1958 -+#include <linux/ioport.h>
1959 - #include <linux/pci.h>
1960 -
1961 - struct amd_nb_bus_dev_range {
1962 -@@ -13,6 +14,7 @@ extern const struct pci_device_id amd_nb_misc_ids[];
1963 - extern const struct amd_nb_bus_dev_range amd_nb_bus_dev_ranges[];
1964 -
1965 - extern bool early_is_amd_nb(u32 value);
1966 -+extern struct resource *amd_get_mmconfig_range(struct resource *res);
1967 - extern int amd_cache_northbridges(void);
1968 - extern void amd_flush_garts(void);
1969 - extern int amd_numa_init(void);
1970 -diff --git a/arch/x86/include/asm/uv/uv_bau.h b/arch/x86/include/asm/uv/uv_bau.h
1971 -index 8e862aa..1b82f7e 100644
1972 ---- a/arch/x86/include/asm/uv/uv_bau.h
1973 -+++ b/arch/x86/include/asm/uv/uv_bau.h
1974 -@@ -65,7 +65,7 @@
1975 - * UV2: Bit 19 selects between
1976 - * (0): 10 microsecond timebase and
1977 - * (1): 80 microseconds
1978 -- * we're using 655us, similar to UV1: 65 units of 10us
1979 -+ * we're using 560us, similar to UV1: 65 units of 10us
1980 - */
1981 - #define UV1_INTD_SOFT_ACK_TIMEOUT_PERIOD (9UL)
1982 - #define UV2_INTD_SOFT_ACK_TIMEOUT_PERIOD (15UL)
1983 -@@ -167,6 +167,7 @@
1984 - #define FLUSH_RETRY_TIMEOUT 2
1985 - #define FLUSH_GIVEUP 3
1986 - #define FLUSH_COMPLETE 4
1987 -+#define FLUSH_RETRY_BUSYBUG 5
1988 -
1989 - /*
1990 - * tuning the action when the numalink network is extremely delayed
1991 -@@ -235,10 +236,10 @@ struct bau_msg_payload {
1992 -
1993 -
1994 - /*
1995 -- * Message header: 16 bytes (128 bits) (bytes 0x30-0x3f of descriptor)
1996 -+ * UV1 Message header: 16 bytes (128 bits) (bytes 0x30-0x3f of descriptor)
1997 - * see table 4.2.3.0.1 in broacast_assist spec.
1998 - */
1999 --struct bau_msg_header {
2000 -+struct uv1_bau_msg_header {
2001 - unsigned int dest_subnodeid:6; /* must be 0x10, for the LB */
2002 - /* bits 5:0 */
2003 - unsigned int base_dest_nasid:15; /* nasid of the first bit */
2004 -@@ -318,19 +319,87 @@ struct bau_msg_header {
2005 - };
2006 -
2007 - /*
2008 -+ * UV2 Message header: 16 bytes (128 bits) (bytes 0x30-0x3f of descriptor)
2009 -+ * see figure 9-2 of harp_sys.pdf
2010 -+ */
2011 -+struct uv2_bau_msg_header {
2012 -+ unsigned int base_dest_nasid:15; /* nasid of the first bit */
2013 -+ /* bits 14:0 */ /* in uvhub map */
2014 -+ unsigned int dest_subnodeid:5; /* must be 0x10, for the LB */
2015 -+ /* bits 19:15 */
2016 -+ unsigned int rsvd_1:1; /* must be zero */
2017 -+ /* bit 20 */
2018 -+ /* Address bits 59:21 */
2019 -+ /* bits 25:2 of address (44:21) are payload */
2020 -+ /* these next 24 bits become bytes 12-14 of msg */
2021 -+ /* bits 28:21 land in byte 12 */
2022 -+ unsigned int replied_to:1; /* sent as 0 by the source to
2023 -+ byte 12 */
2024 -+ /* bit 21 */
2025 -+ unsigned int msg_type:3; /* software type of the
2026 -+ message */
2027 -+ /* bits 24:22 */
2028 -+ unsigned int canceled:1; /* message canceled, resource
2029 -+ is to be freed*/
2030 -+ /* bit 25 */
2031 -+ unsigned int payload_1:3; /* not currently used */
2032 -+ /* bits 28:26 */
2033 -+
2034 -+ /* bits 36:29 land in byte 13 */
2035 -+ unsigned int payload_2a:3; /* not currently used */
2036 -+ unsigned int payload_2b:5; /* not currently used */
2037 -+ /* bits 36:29 */
2038 -+
2039 -+ /* bits 44:37 land in byte 14 */
2040 -+ unsigned int payload_3:8; /* not currently used */
2041 -+ /* bits 44:37 */
2042 -+
2043 -+ unsigned int rsvd_2:7; /* reserved */
2044 -+ /* bits 51:45 */
2045 -+ unsigned int swack_flag:1; /* software acknowledge flag */
2046 -+ /* bit 52 */
2047 -+ unsigned int rsvd_3a:3; /* must be zero */
2048 -+ unsigned int rsvd_3b:8; /* must be zero */
2049 -+ unsigned int rsvd_3c:8; /* must be zero */
2050 -+ unsigned int rsvd_3d:3; /* must be zero */
2051 -+ /* bits 74:53 */
2052 -+ unsigned int fairness:3; /* usually zero */
2053 -+ /* bits 77:75 */
2054 -+
2055 -+ unsigned int sequence:16; /* message sequence number */
2056 -+ /* bits 93:78 Suppl_A */
2057 -+ unsigned int chaining:1; /* next descriptor is part of
2058 -+ this activation*/
2059 -+ /* bit 94 */
2060 -+ unsigned int multilevel:1; /* multi-level multicast
2061 -+ format */
2062 -+ /* bit 95 */
2063 -+ unsigned int rsvd_4:24; /* ordered / source node /
2064 -+ source subnode / aging
2065 -+ must be zero */
2066 -+ /* bits 119:96 */
2067 -+ unsigned int command:8; /* message type */
2068 -+ /* bits 127:120 */
2069 -+};
2070 -+
2071 -+/*
2072 - * The activation descriptor:
2073 - * The format of the message to send, plus all accompanying control
2074 - * Should be 64 bytes
2075 - */
2076 - struct bau_desc {
2077 -- struct pnmask distribution;
2078 -+ struct pnmask distribution;
2079 - /*
2080 - * message template, consisting of header and payload:
2081 - */
2082 -- struct bau_msg_header header;
2083 -- struct bau_msg_payload payload;
2084 -+ union bau_msg_header {
2085 -+ struct uv1_bau_msg_header uv1_hdr;
2086 -+ struct uv2_bau_msg_header uv2_hdr;
2087 -+ } header;
2088 -+
2089 -+ struct bau_msg_payload payload;
2090 - };
2091 --/*
2092 -+/* UV1:
2093 - * -payload-- ---------header------
2094 - * bytes 0-11 bits 41-56 bits 58-81
2095 - * A B (2) C (3)
2096 -@@ -340,6 +409,16 @@ struct bau_desc {
2097 - * bytes 0-11 bytes 12-14 bytes 16-17 (byte 15 filled in by hw as vector)
2098 - * ------------payload queue-----------
2099 - */
2100 -+/* UV2:
2101 -+ * -payload-- ---------header------
2102 -+ * bytes 0-11 bits 70-78 bits 21-44
2103 -+ * A B (2) C (3)
2104 -+ *
2105 -+ * A/B/C are moved to:
2106 -+ * A C B
2107 -+ * bytes 0-11 bytes 12-14 bytes 16-17 (byte 15 filled in by hw as vector)
2108 -+ * ------------payload queue-----------
2109 -+ */
2110 -
2111 - /*
2112 - * The payload queue on the destination side is an array of these.
2113 -@@ -385,7 +464,6 @@ struct bau_pq_entry {
2114 - struct msg_desc {
2115 - struct bau_pq_entry *msg;
2116 - int msg_slot;
2117 -- int swack_slot;
2118 - struct bau_pq_entry *queue_first;
2119 - struct bau_pq_entry *queue_last;
2120 - };
2121 -@@ -439,6 +517,9 @@ struct ptc_stats {
2122 - unsigned long s_retry_messages; /* retry broadcasts */
2123 - unsigned long s_bau_reenabled; /* for bau enable/disable */
2124 - unsigned long s_bau_disabled; /* for bau enable/disable */
2125 -+ unsigned long s_uv2_wars; /* uv2 workaround, perm. busy */
2126 -+ unsigned long s_uv2_wars_hw; /* uv2 workaround, hiwater */
2127 -+ unsigned long s_uv2_war_waits; /* uv2 workaround, long waits */
2128 - /* destination statistics */
2129 - unsigned long d_alltlb; /* times all tlb's on this
2130 - cpu were flushed */
2131 -@@ -511,9 +592,12 @@ struct bau_control {
2132 - short osnode;
2133 - short uvhub_cpu;
2134 - short uvhub;
2135 -+ short uvhub_version;
2136 - short cpus_in_socket;
2137 - short cpus_in_uvhub;
2138 - short partition_base_pnode;
2139 -+ short using_desc; /* an index, like uvhub_cpu */
2140 -+ unsigned int inuse_map;
2141 - unsigned short message_number;
2142 - unsigned short uvhub_quiesce;
2143 - short socket_acknowledge_count[DEST_Q_SIZE];
2144 -@@ -531,6 +615,7 @@ struct bau_control {
2145 - int cong_response_us;
2146 - int cong_reps;
2147 - int cong_period;
2148 -+ unsigned long clocks_per_100_usec;
2149 - cycles_t period_time;
2150 - long period_requests;
2151 - struct hub_and_pnode *thp;
2152 -@@ -591,6 +676,11 @@ static inline void write_mmr_sw_ack(unsigned long mr)
2153 - uv_write_local_mmr(UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE_ALIAS, mr);
2154 - }
2155 -
2156 -+static inline void write_gmmr_sw_ack(int pnode, unsigned long mr)
2157 -+{
2158 -+ write_gmmr(pnode, UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE_ALIAS, mr);
2159 -+}
2160 -+
2161 - static inline unsigned long read_mmr_sw_ack(void)
2162 - {
2163 - return read_lmmr(UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE);
2164 -diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
2165 -index 4c39baa..bae1efe 100644
2166 ---- a/arch/x86/kernel/amd_nb.c
2167 -+++ b/arch/x86/kernel/amd_nb.c
2168 -@@ -119,6 +119,37 @@ bool __init early_is_amd_nb(u32 device)
2169 - return false;
2170 - }
2171 -
2172 -+struct resource *amd_get_mmconfig_range(struct resource *res)
2173 -+{
2174 -+ u32 address;
2175 -+ u64 base, msr;
2176 -+ unsigned segn_busn_bits;
2177 -+
2178 -+ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
2179 -+ return NULL;
2180 -+
2181 -+ /* assume all cpus from fam10h have mmconfig */
2182 -+ if (boot_cpu_data.x86 < 0x10)
2183 -+ return NULL;
2184 -+
2185 -+ address = MSR_FAM10H_MMIO_CONF_BASE;
2186 -+ rdmsrl(address, msr);
2187 -+
2188 -+ /* mmconfig is not enabled */
2189 -+ if (!(msr & FAM10H_MMIO_CONF_ENABLE))
2190 -+ return NULL;
2191 -+
2192 -+ base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
2193 -+
2194 -+ segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
2195 -+ FAM10H_MMIO_CONF_BUSRANGE_MASK;
2196 -+
2197 -+ res->flags = IORESOURCE_MEM;
2198 -+ res->start = base;
2199 -+ res->end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
2200 -+ return res;
2201 -+}
2202 -+
2203 - int amd_get_subcaches(int cpu)
2204 - {
2205 - struct pci_dev *link = node_to_amd_nb(amd_get_nb_id(cpu))->link;
2206 -diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c
2207 -index 9d59bba..79b05b8 100644
2208 ---- a/arch/x86/kernel/apic/x2apic_uv_x.c
2209 -+++ b/arch/x86/kernel/apic/x2apic_uv_x.c
2210 -@@ -769,7 +769,12 @@ void __init uv_system_init(void)
2211 - for(i = 0; i < UVH_NODE_PRESENT_TABLE_DEPTH; i++)
2212 - uv_possible_blades +=
2213 - hweight64(uv_read_local_mmr( UVH_NODE_PRESENT_TABLE + i * 8));
2214 -- printk(KERN_DEBUG "UV: Found %d blades\n", uv_num_possible_blades());
2215 -+
2216 -+ /* uv_num_possible_blades() is really the hub count */
2217 -+ printk(KERN_INFO "UV: Found %d blades, %d hubs\n",
2218 -+ is_uv1_hub() ? uv_num_possible_blades() :
2219 -+ (uv_num_possible_blades() + 1) / 2,
2220 -+ uv_num_possible_blades());
2221 -
2222 - bytes = sizeof(struct uv_blade_info) * uv_num_possible_blades();
2223 - uv_blade_info = kzalloc(bytes, GFP_KERNEL);
2224 -diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
2225 -index 4b5ba85..845df68 100644
2226 ---- a/arch/x86/mm/mmap.c
2227 -+++ b/arch/x86/mm/mmap.c
2228 -@@ -75,9 +75,9 @@ static unsigned long mmap_rnd(void)
2229 - */
2230 - if (current->flags & PF_RANDOMIZE) {
2231 - if (mmap_is_ia32())
2232 -- rnd = (long)get_random_int() % (1<<8);
2233 -+ rnd = get_random_int() % (1<<8);
2234 - else
2235 -- rnd = (long)(get_random_int() % (1<<28));
2236 -+ rnd = get_random_int() % (1<<28);
2237 - }
2238 - return rnd << PAGE_SHIFT;
2239 - }
2240 -diff --git a/arch/x86/mm/srat.c b/arch/x86/mm/srat.c
2241 -index 81dbfde..7efd0c6 100644
2242 ---- a/arch/x86/mm/srat.c
2243 -+++ b/arch/x86/mm/srat.c
2244 -@@ -104,6 +104,8 @@ acpi_numa_processor_affinity_init(struct acpi_srat_cpu_affinity *pa)
2245 - if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
2246 - return;
2247 - pxm = pa->proximity_domain_lo;
2248 -+ if (acpi_srat_revision >= 2)
2249 -+ pxm |= *((unsigned int*)pa->proximity_domain_hi) << 8;
2250 - node = setup_node(pxm);
2251 - if (node < 0) {
2252 - printk(KERN_ERR "SRAT: Too many proximity domains %x\n", pxm);
2253 -@@ -155,6 +157,8 @@ acpi_numa_memory_affinity_init(struct acpi_srat_mem_affinity *ma)
2254 - start = ma->base_address;
2255 - end = start + ma->length;
2256 - pxm = ma->proximity_domain;
2257 -+ if (acpi_srat_revision <= 1)
2258 -+ pxm &= 0xff;
2259 - node = setup_node(pxm);
2260 - if (node < 0) {
2261 - printk(KERN_ERR "SRAT: Too many proximity domains.\n");
2262 -diff --git a/arch/x86/pci/Makefile b/arch/x86/pci/Makefile
2263 -index 6b8759f..d24d3da 100644
2264 ---- a/arch/x86/pci/Makefile
2265 -+++ b/arch/x86/pci/Makefile
2266 -@@ -18,8 +18,9 @@ obj-$(CONFIG_X86_NUMAQ) += numaq_32.o
2267 - obj-$(CONFIG_X86_MRST) += mrst.o
2268 -
2269 - obj-y += common.o early.o
2270 --obj-y += amd_bus.o bus_numa.o
2271 -+obj-y += bus_numa.o
2272 -
2273 -+obj-$(CONFIG_AMD_NB) += amd_bus.o
2274 - obj-$(CONFIG_PCI_CNB20LE_QUIRK) += broadcom_bus.o
2275 -
2276 - ifeq ($(CONFIG_PCI_DEBUG),y)
2277 -diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
2278 -index 404f21a..f8348ab 100644
2279 ---- a/arch/x86/pci/acpi.c
2280 -+++ b/arch/x86/pci/acpi.c
2281 -@@ -149,7 +149,7 @@ setup_resource(struct acpi_resource *acpi_res, void *data)
2282 - struct acpi_resource_address64 addr;
2283 - acpi_status status;
2284 - unsigned long flags;
2285 -- u64 start, end;
2286 -+ u64 start, orig_end, end;
2287 -
2288 - status = resource_to_addr(acpi_res, &addr);
2289 - if (!ACPI_SUCCESS(status))
2290 -@@ -165,7 +165,21 @@ setup_resource(struct acpi_resource *acpi_res, void *data)
2291 - return AE_OK;
2292 -
2293 - start = addr.minimum + addr.translation_offset;
2294 -- end = addr.maximum + addr.translation_offset;
2295 -+ orig_end = end = addr.maximum + addr.translation_offset;
2296 -+
2297 -+ /* Exclude non-addressable range or non-addressable portion of range */
2298 -+ end = min(end, (u64)iomem_resource.end);
2299 -+ if (end <= start) {
2300 -+ dev_info(&info->bridge->dev,
2301 -+ "host bridge window [%#llx-%#llx] "
2302 -+ "(ignored, not CPU addressable)\n", start, orig_end);
2303 -+ return AE_OK;
2304 -+ } else if (orig_end != end) {
2305 -+ dev_info(&info->bridge->dev,
2306 -+ "host bridge window [%#llx-%#llx] "
2307 -+ "([%#llx-%#llx] ignored, not CPU addressable)\n",
2308 -+ start, orig_end, end + 1, orig_end);
2309 -+ }
2310 -
2311 - res = &info->res[info->res_num];
2312 - res->name = info->name;
2313 -diff --git a/arch/x86/pci/amd_bus.c b/arch/x86/pci/amd_bus.c
2314 -index 026e493..385a940 100644
2315 ---- a/arch/x86/pci/amd_bus.c
2316 -+++ b/arch/x86/pci/amd_bus.c
2317 -@@ -30,34 +30,6 @@ static struct pci_hostbridge_probe pci_probes[] __initdata = {
2318 - { 0, 0x18, PCI_VENDOR_ID_AMD, 0x1300 },
2319 - };
2320 -
2321 --static u64 __initdata fam10h_mmconf_start;
2322 --static u64 __initdata fam10h_mmconf_end;
2323 --static void __init get_pci_mmcfg_amd_fam10h_range(void)
2324 --{
2325 -- u32 address;
2326 -- u64 base, msr;
2327 -- unsigned segn_busn_bits;
2328 --
2329 -- /* assume all cpus from fam10h have mmconf */
2330 -- if (boot_cpu_data.x86 < 0x10)
2331 -- return;
2332 --
2333 -- address = MSR_FAM10H_MMIO_CONF_BASE;
2334 -- rdmsrl(address, msr);
2335 --
2336 -- /* mmconfig is not enable */
2337 -- if (!(msr & FAM10H_MMIO_CONF_ENABLE))
2338 -- return;
2339 --
2340 -- base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
2341 --
2342 -- segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
2343 -- FAM10H_MMIO_CONF_BUSRANGE_MASK;
2344 --
2345 -- fam10h_mmconf_start = base;
2346 -- fam10h_mmconf_end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
2347 --}
2348 --
2349 - #define RANGE_NUM 16
2350 -
2351 - /**
2352 -@@ -85,6 +57,9 @@ static int __init early_fill_mp_bus_info(void)
2353 - u64 val;
2354 - u32 address;
2355 - bool found;
2356 -+ struct resource fam10h_mmconf_res, *fam10h_mmconf;
2357 -+ u64 fam10h_mmconf_start;
2358 -+ u64 fam10h_mmconf_end;
2359 -
2360 - if (!early_pci_allowed())
2361 - return -1;
2362 -@@ -211,12 +186,17 @@ static int __init early_fill_mp_bus_info(void)
2363 - subtract_range(range, RANGE_NUM, 0, end);
2364 -
2365 - /* get mmconfig */
2366 -- get_pci_mmcfg_amd_fam10h_range();
2367 -+ fam10h_mmconf = amd_get_mmconfig_range(&fam10h_mmconf_res);
2368 - /* need to take out mmconf range */
2369 -- if (fam10h_mmconf_end) {
2370 -- printk(KERN_DEBUG "Fam 10h mmconf [%llx, %llx]\n", fam10h_mmconf_start, fam10h_mmconf_end);
2371 -+ if (fam10h_mmconf) {
2372 -+ printk(KERN_DEBUG "Fam 10h mmconf %pR\n", fam10h_mmconf);
2373 -+ fam10h_mmconf_start = fam10h_mmconf->start;
2374 -+ fam10h_mmconf_end = fam10h_mmconf->end;
2375 - subtract_range(range, RANGE_NUM, fam10h_mmconf_start,
2376 - fam10h_mmconf_end + 1);
2377 -+ } else {
2378 -+ fam10h_mmconf_start = 0;
2379 -+ fam10h_mmconf_end = 0;
2380 - }
2381 -
2382 - /* mmio resource */
2383 -diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
2384 -index 5b55219..9010ca7 100644
2385 ---- a/arch/x86/platform/uv/tlb_uv.c
2386 -+++ b/arch/x86/platform/uv/tlb_uv.c
2387 -@@ -157,13 +157,14 @@ static int __init uvhub_to_first_apicid(int uvhub)
2388 - * clear of the Timeout bit (as well) will free the resource. No reply will
2389 - * be sent (the hardware will only do one reply per message).
2390 - */
2391 --static void reply_to_message(struct msg_desc *mdp, struct bau_control *bcp)
2392 -+static void reply_to_message(struct msg_desc *mdp, struct bau_control *bcp,
2393 -+ int do_acknowledge)
2394 - {
2395 - unsigned long dw;
2396 - struct bau_pq_entry *msg;
2397 -
2398 - msg = mdp->msg;
2399 -- if (!msg->canceled) {
2400 -+ if (!msg->canceled && do_acknowledge) {
2401 - dw = (msg->swack_vec << UV_SW_ACK_NPENDING) | msg->swack_vec;
2402 - write_mmr_sw_ack(dw);
2403 - }
2404 -@@ -212,8 +213,8 @@ static void bau_process_retry_msg(struct msg_desc *mdp,
2405 - if (mmr & (msg_res << UV_SW_ACK_NPENDING)) {
2406 - unsigned long mr;
2407 - /*
2408 -- * is the resource timed out?
2409 -- * make everyone ignore the cancelled message.
2410 -+ * Is the resource timed out?
2411 -+ * Make everyone ignore the cancelled message.
2412 - */
2413 - msg2->canceled = 1;
2414 - stat->d_canceled++;
2415 -@@ -231,8 +232,8 @@ static void bau_process_retry_msg(struct msg_desc *mdp,
2416 - * Do all the things a cpu should do for a TLB shootdown message.
2417 - * Other cpu's may come here at the same time for this message.
2418 - */
2419 --static void bau_process_message(struct msg_desc *mdp,
2420 -- struct bau_control *bcp)
2421 -+static void bau_process_message(struct msg_desc *mdp, struct bau_control *bcp,
2422 -+ int do_acknowledge)
2423 - {
2424 - short socket_ack_count = 0;
2425 - short *sp;
2426 -@@ -284,8 +285,9 @@ static void bau_process_message(struct msg_desc *mdp,
2427 - if (msg_ack_count == bcp->cpus_in_uvhub) {
2428 - /*
2429 - * All cpus in uvhub saw it; reply
2430 -+ * (unless we are in the UV2 workaround)
2431 - */
2432 -- reply_to_message(mdp, bcp);
2433 -+ reply_to_message(mdp, bcp, do_acknowledge);
2434 - }
2435 - }
2436 -
2437 -@@ -491,27 +493,138 @@ static int uv1_wait_completion(struct bau_desc *bau_desc,
2438 - /*
2439 - * UV2 has an extra bit of status in the ACTIVATION_STATUS_2 register.
2440 - */
2441 --static unsigned long uv2_read_status(unsigned long offset, int rshft, int cpu)
2442 -+static unsigned long uv2_read_status(unsigned long offset, int rshft, int desc)
2443 - {
2444 - unsigned long descriptor_status;
2445 - unsigned long descriptor_status2;
2446 -
2447 - descriptor_status = ((read_lmmr(offset) >> rshft) & UV_ACT_STATUS_MASK);
2448 -- descriptor_status2 = (read_mmr_uv2_status() >> cpu) & 0x1UL;
2449 -+ descriptor_status2 = (read_mmr_uv2_status() >> desc) & 0x1UL;
2450 - descriptor_status = (descriptor_status << 1) | descriptor_status2;
2451 - return descriptor_status;
2452 - }
2453 -
2454 -+/*
2455 -+ * Return whether the status of the descriptor that is normally used for this
2456 -+ * cpu (the one indexed by its hub-relative cpu number) is busy.
2457 -+ * The status of the original 32 descriptors is always reflected in the 64
2458 -+ * bits of UVH_LB_BAU_SB_ACTIVATION_STATUS_0.
2459 -+ * The bit provided by the activation_status_2 register is irrelevant to
2460 -+ * the status if it is only being tested for busy or not busy.
2461 -+ */
2462 -+int normal_busy(struct bau_control *bcp)
2463 -+{
2464 -+ int cpu = bcp->uvhub_cpu;
2465 -+ int mmr_offset;
2466 -+ int right_shift;
2467 -+
2468 -+ mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_0;
2469 -+ right_shift = cpu * UV_ACT_STATUS_SIZE;
2470 -+ return (((((read_lmmr(mmr_offset) >> right_shift) &
2471 -+ UV_ACT_STATUS_MASK)) << 1) == UV2H_DESC_BUSY);
2472 -+}
2473 -+
2474 -+/*
2475 -+ * Entered when a bau descriptor has gone into a permanent busy wait because
2476 -+ * of a hardware bug.
2477 -+ * Workaround the bug.
2478 -+ */
2479 -+int handle_uv2_busy(struct bau_control *bcp)
2480 -+{
2481 -+ int busy_one = bcp->using_desc;
2482 -+ int normal = bcp->uvhub_cpu;
2483 -+ int selected = -1;
2484 -+ int i;
2485 -+ unsigned long descriptor_status;
2486 -+ unsigned long status;
2487 -+ int mmr_offset;
2488 -+ struct bau_desc *bau_desc_old;
2489 -+ struct bau_desc *bau_desc_new;
2490 -+ struct bau_control *hmaster = bcp->uvhub_master;
2491 -+ struct ptc_stats *stat = bcp->statp;
2492 -+ cycles_t ttm;
2493 -+
2494 -+ stat->s_uv2_wars++;
2495 -+ spin_lock(&hmaster->uvhub_lock);
2496 -+ /* try for the original first */
2497 -+ if (busy_one != normal) {
2498 -+ if (!normal_busy(bcp))
2499 -+ selected = normal;
2500 -+ }
2501 -+ if (selected < 0) {
2502 -+ /* can't use the normal, select an alternate */
2503 -+ mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_1;
2504 -+ descriptor_status = read_lmmr(mmr_offset);
2505 -+
2506 -+ /* scan available descriptors 32-63 */
2507 -+ for (i = 0; i < UV_CPUS_PER_AS; i++) {
2508 -+ if ((hmaster->inuse_map & (1 << i)) == 0) {
2509 -+ status = ((descriptor_status >>
2510 -+ (i * UV_ACT_STATUS_SIZE)) &
2511 -+ UV_ACT_STATUS_MASK) << 1;
2512 -+ if (status != UV2H_DESC_BUSY) {
2513 -+ selected = i + UV_CPUS_PER_AS;
2514 -+ break;
2515 -+ }
2516 -+ }
2517 -+ }
2518 -+ }
2519 -+
2520 -+ if (busy_one != normal)
2521 -+ /* mark the busy alternate as not in-use */
2522 -+ hmaster->inuse_map &= ~(1 << (busy_one - UV_CPUS_PER_AS));
2523 -+
2524 -+ if (selected >= 0) {
2525 -+ /* switch to the selected descriptor */
2526 -+ if (selected != normal) {
2527 -+ /* set the selected alternate as in-use */
2528 -+ hmaster->inuse_map |=
2529 -+ (1 << (selected - UV_CPUS_PER_AS));
2530 -+ if (selected > stat->s_uv2_wars_hw)
2531 -+ stat->s_uv2_wars_hw = selected;
2532 -+ }
2533 -+ bau_desc_old = bcp->descriptor_base;
2534 -+ bau_desc_old += (ITEMS_PER_DESC * busy_one);
2535 -+ bcp->using_desc = selected;
2536 -+ bau_desc_new = bcp->descriptor_base;
2537 -+ bau_desc_new += (ITEMS_PER_DESC * selected);
2538 -+ *bau_desc_new = *bau_desc_old;
2539 -+ } else {
2540 -+ /*
2541 -+ * All are busy. Wait for the normal one for this cpu to
2542 -+ * free up.
2543 -+ */
2544 -+ stat->s_uv2_war_waits++;
2545 -+ spin_unlock(&hmaster->uvhub_lock);
2546 -+ ttm = get_cycles();
2547 -+ do {
2548 -+ cpu_relax();
2549 -+ } while (normal_busy(bcp));
2550 -+ spin_lock(&hmaster->uvhub_lock);
2551 -+ /* switch to the original descriptor */
2552 -+ bcp->using_desc = normal;
2553 -+ bau_desc_old = bcp->descriptor_base;
2554 -+ bau_desc_old += (ITEMS_PER_DESC * bcp->using_desc);
2555 -+ bcp->using_desc = (ITEMS_PER_DESC * normal);
2556 -+ bau_desc_new = bcp->descriptor_base;
2557 -+ bau_desc_new += (ITEMS_PER_DESC * normal);
2558 -+ *bau_desc_new = *bau_desc_old; /* copy the entire descriptor */
2559 -+ }
2560 -+ spin_unlock(&hmaster->uvhub_lock);
2561 -+ return FLUSH_RETRY_BUSYBUG;
2562 -+}
2563 -+
2564 - static int uv2_wait_completion(struct bau_desc *bau_desc,
2565 - unsigned long mmr_offset, int right_shift,
2566 - struct bau_control *bcp, long try)
2567 - {
2568 - unsigned long descriptor_stat;
2569 - cycles_t ttm;
2570 -- int cpu = bcp->uvhub_cpu;
2571 -+ int desc = bcp->using_desc;
2572 -+ long busy_reps = 0;
2573 - struct ptc_stats *stat = bcp->statp;
2574 -
2575 -- descriptor_stat = uv2_read_status(mmr_offset, right_shift, cpu);
2576 -+ descriptor_stat = uv2_read_status(mmr_offset, right_shift, desc);
2577 -
2578 - /* spin on the status MMR, waiting for it to go idle */
2579 - while (descriptor_stat != UV2H_DESC_IDLE) {
2580 -@@ -542,12 +655,23 @@ static int uv2_wait_completion(struct bau_desc *bau_desc,
2581 - bcp->conseccompletes = 0;
2582 - return FLUSH_RETRY_TIMEOUT;
2583 - } else {
2584 -+ busy_reps++;
2585 -+ if (busy_reps > 1000000) {
2586 -+ /* not to hammer on the clock */
2587 -+ busy_reps = 0;
2588 -+ ttm = get_cycles();
2589 -+ if ((ttm - bcp->send_message) >
2590 -+ (bcp->clocks_per_100_usec)) {
2591 -+ return handle_uv2_busy(bcp);
2592 -+ }
2593 -+ }
2594 - /*
2595 - * descriptor_stat is still BUSY
2596 - */
2597 - cpu_relax();
2598 - }
2599 -- descriptor_stat = uv2_read_status(mmr_offset, right_shift, cpu);
2600 -+ descriptor_stat = uv2_read_status(mmr_offset, right_shift,
2601 -+ desc);
2602 - }
2603 - bcp->conseccompletes++;
2604 - return FLUSH_COMPLETE;
2605 -@@ -563,17 +687,17 @@ static int wait_completion(struct bau_desc *bau_desc,
2606 - {
2607 - int right_shift;
2608 - unsigned long mmr_offset;
2609 -- int cpu = bcp->uvhub_cpu;
2610 -+ int desc = bcp->using_desc;
2611 -
2612 -- if (cpu < UV_CPUS_PER_AS) {
2613 -+ if (desc < UV_CPUS_PER_AS) {
2614 - mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_0;
2615 -- right_shift = cpu * UV_ACT_STATUS_SIZE;
2616 -+ right_shift = desc * UV_ACT_STATUS_SIZE;
2617 - } else {
2618 - mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_1;
2619 -- right_shift = ((cpu - UV_CPUS_PER_AS) * UV_ACT_STATUS_SIZE);
2620 -+ right_shift = ((desc - UV_CPUS_PER_AS) * UV_ACT_STATUS_SIZE);
2621 - }
2622 -
2623 -- if (is_uv1_hub())
2624 -+ if (bcp->uvhub_version == 1)
2625 - return uv1_wait_completion(bau_desc, mmr_offset, right_shift,
2626 - bcp, try);
2627 - else
2628 -@@ -752,19 +876,22 @@ static void handle_cmplt(int completion_status, struct bau_desc *bau_desc,
2629 - * Returns 1 if it gives up entirely and the original cpu mask is to be
2630 - * returned to the kernel.
2631 - */
2632 --int uv_flush_send_and_wait(struct bau_desc *bau_desc,
2633 -- struct cpumask *flush_mask, struct bau_control *bcp)
2634 -+int uv_flush_send_and_wait(struct cpumask *flush_mask, struct bau_control *bcp)
2635 - {
2636 - int seq_number = 0;
2637 - int completion_stat = 0;
2638 -+ int uv1 = 0;
2639 - long try = 0;
2640 - unsigned long index;
2641 - cycles_t time1;
2642 - cycles_t time2;
2643 - struct ptc_stats *stat = bcp->statp;
2644 - struct bau_control *hmaster = bcp->uvhub_master;
2645 -+ struct uv1_bau_msg_header *uv1_hdr = NULL;
2646 -+ struct uv2_bau_msg_header *uv2_hdr = NULL;
2647 -+ struct bau_desc *bau_desc;
2648 -
2649 -- if (is_uv1_hub())
2650 -+ if (bcp->uvhub_version == 1)
2651 - uv1_throttle(hmaster, stat);
2652 -
2653 - while (hmaster->uvhub_quiesce)
2654 -@@ -772,22 +899,39 @@ int uv_flush_send_and_wait(struct bau_desc *bau_desc,
2655 -
2656 - time1 = get_cycles();
2657 - do {
2658 -- if (try == 0) {
2659 -- bau_desc->header.msg_type = MSG_REGULAR;
2660 -+ bau_desc = bcp->descriptor_base;
2661 -+ bau_desc += (ITEMS_PER_DESC * bcp->using_desc);
2662 -+ if (bcp->uvhub_version == 1) {
2663 -+ uv1 = 1;
2664 -+ uv1_hdr = &bau_desc->header.uv1_hdr;
2665 -+ } else
2666 -+ uv2_hdr = &bau_desc->header.uv2_hdr;
2667 -+ if ((try == 0) || (completion_stat == FLUSH_RETRY_BUSYBUG)) {
2668 -+ if (uv1)
2669 -+ uv1_hdr->msg_type = MSG_REGULAR;
2670 -+ else
2671 -+ uv2_hdr->msg_type = MSG_REGULAR;
2672 - seq_number = bcp->message_number++;
2673 - } else {
2674 -- bau_desc->header.msg_type = MSG_RETRY;
2675 -+ if (uv1)
2676 -+ uv1_hdr->msg_type = MSG_RETRY;
2677 -+ else
2678 -+ uv2_hdr->msg_type = MSG_RETRY;
2679 - stat->s_retry_messages++;
2680 - }
2681 -
2682 -- bau_desc->header.sequence = seq_number;
2683 -- index = (1UL << AS_PUSH_SHIFT) | bcp->uvhub_cpu;
2684 -+ if (uv1)
2685 -+ uv1_hdr->sequence = seq_number;
2686 -+ else
2687 -+ uv2_hdr->sequence = seq_number;
2688 -+ index = (1UL << AS_PUSH_SHIFT) | bcp->using_desc;
2689 - bcp->send_message = get_cycles();
2690 -
2691 - write_mmr_activation(index);
2692 -
2693 - try++;
2694 - completion_stat = wait_completion(bau_desc, bcp, try);
2695 -+ /* UV2: wait_completion() may change the bcp->using_desc */
2696 -
2697 - handle_cmplt(completion_stat, bau_desc, bcp, hmaster, stat);
2698 -
2699 -@@ -798,6 +942,7 @@ int uv_flush_send_and_wait(struct bau_desc *bau_desc,
2700 - }
2701 - cpu_relax();
2702 - } while ((completion_stat == FLUSH_RETRY_PLUGGED) ||
2703 -+ (completion_stat == FLUSH_RETRY_BUSYBUG) ||
2704 - (completion_stat == FLUSH_RETRY_TIMEOUT));
2705 -
2706 - time2 = get_cycles();
2707 -@@ -812,6 +957,7 @@ int uv_flush_send_and_wait(struct bau_desc *bau_desc,
2708 - record_send_stats(time1, time2, bcp, stat, completion_stat, try);
2709 -
2710 - if (completion_stat == FLUSH_GIVEUP)
2711 -+ /* FLUSH_GIVEUP will fall back to using IPI's for tlb flush */
2712 - return 1;
2713 - return 0;
2714 - }
2715 -@@ -967,7 +1113,7 @@ const struct cpumask *uv_flush_tlb_others(const struct cpumask *cpumask,
2716 - stat->s_ntargself++;
2717 -
2718 - bau_desc = bcp->descriptor_base;
2719 -- bau_desc += ITEMS_PER_DESC * bcp->uvhub_cpu;
2720 -+ bau_desc += (ITEMS_PER_DESC * bcp->using_desc);
2721 - bau_uvhubs_clear(&bau_desc->distribution, UV_DISTRIBUTION_SIZE);
2722 - if (set_distrib_bits(flush_mask, bcp, bau_desc, &locals, &remotes))
2723 - return NULL;
2724 -@@ -980,13 +1126,86 @@ const struct cpumask *uv_flush_tlb_others(const struct cpumask *cpumask,
2725 - * uv_flush_send_and_wait returns 0 if all cpu's were messaged,
2726 - * or 1 if it gave up and the original cpumask should be returned.
2727 - */
2728 -- if (!uv_flush_send_and_wait(bau_desc, flush_mask, bcp))
2729 -+ if (!uv_flush_send_and_wait(flush_mask, bcp))
2730 - return NULL;
2731 - else
2732 - return cpumask;
2733 - }
2734 -
2735 - /*
2736 -+ * Search the message queue for any 'other' message with the same software
2737 -+ * acknowledge resource bit vector.
2738 -+ */
2739 -+struct bau_pq_entry *find_another_by_swack(struct bau_pq_entry *msg,
2740 -+ struct bau_control *bcp, unsigned char swack_vec)
2741 -+{
2742 -+ struct bau_pq_entry *msg_next = msg + 1;
2743 -+
2744 -+ if (msg_next > bcp->queue_last)
2745 -+ msg_next = bcp->queue_first;
2746 -+ while ((msg_next->swack_vec != 0) && (msg_next != msg)) {
2747 -+ if (msg_next->swack_vec == swack_vec)
2748 -+ return msg_next;
2749 -+ msg_next++;
2750 -+ if (msg_next > bcp->queue_last)
2751 -+ msg_next = bcp->queue_first;
2752 -+ }
2753 -+ return NULL;
2754 -+}
2755 -+
2756 -+/*
2757 -+ * UV2 needs to work around a bug in which an arriving message has not
2758 -+ * set a bit in the UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE register.
2759 -+ * Such a message must be ignored.
2760 -+ */
2761 -+void process_uv2_message(struct msg_desc *mdp, struct bau_control *bcp)
2762 -+{
2763 -+ unsigned long mmr_image;
2764 -+ unsigned char swack_vec;
2765 -+ struct bau_pq_entry *msg = mdp->msg;
2766 -+ struct bau_pq_entry *other_msg;
2767 -+
2768 -+ mmr_image = read_mmr_sw_ack();
2769 -+ swack_vec = msg->swack_vec;
2770 -+
2771 -+ if ((swack_vec & mmr_image) == 0) {
2772 -+ /*
2773 -+ * This message was assigned a swack resource, but no
2774 -+ * reserved acknowlegment is pending.
2775 -+ * The bug has prevented this message from setting the MMR.
2776 -+ * And no other message has used the same sw_ack resource.
2777 -+ * Do the requested shootdown but do not reply to the msg.
2778 -+ * (the 0 means make no acknowledge)
2779 -+ */
2780 -+ bau_process_message(mdp, bcp, 0);
2781 -+ return;
2782 -+ }
2783 -+
2784 -+ /*
2785 -+ * Some message has set the MMR 'pending' bit; it might have been
2786 -+ * another message. Look for that message.
2787 -+ */
2788 -+ other_msg = find_another_by_swack(msg, bcp, msg->swack_vec);
2789 -+ if (other_msg) {
2790 -+ /* There is another. Do not ack the current one. */
2791 -+ bau_process_message(mdp, bcp, 0);
2792 -+ /*
2793 -+ * Let the natural processing of that message acknowledge
2794 -+ * it. Don't get the processing of sw_ack's out of order.
2795 -+ */
2796 -+ return;
2797 -+ }
2798 -+
2799 -+ /*
2800 -+ * There is no other message using this sw_ack, so it is safe to
2801 -+ * acknowledge it.
2802 -+ */
2803 -+ bau_process_message(mdp, bcp, 1);
2804 -+
2805 -+ return;
2806 -+}
2807 -+
2808 -+/*
2809 - * The BAU message interrupt comes here. (registered by set_intr_gate)
2810 - * See entry_64.S
2811 - *
2812 -@@ -1022,9 +1241,11 @@ void uv_bau_message_interrupt(struct pt_regs *regs)
2813 - count++;
2814 -
2815 - msgdesc.msg_slot = msg - msgdesc.queue_first;
2816 -- msgdesc.swack_slot = ffs(msg->swack_vec) - 1;
2817 - msgdesc.msg = msg;
2818 -- bau_process_message(&msgdesc, bcp);
2819 -+ if (bcp->uvhub_version == 2)
2820 -+ process_uv2_message(&msgdesc, bcp);
2821 -+ else
2822 -+ bau_process_message(&msgdesc, bcp, 1);
2823 -
2824 - msg++;
2825 - if (msg > msgdesc.queue_last)
2826 -@@ -1083,7 +1304,7 @@ static void __init enable_timeouts(void)
2827 - */
2828 - mmr_image |= (1L << SOFTACK_MSHIFT);
2829 - if (is_uv2_hub()) {
2830 -- mmr_image |= (1L << UV2_LEG_SHFT);
2831 -+ mmr_image &= ~(1L << UV2_LEG_SHFT);
2832 - mmr_image |= (1L << UV2_EXT_SHFT);
2833 - }
2834 - write_mmr_misc_control(pnode, mmr_image);
2835 -@@ -1142,7 +1363,7 @@ static int ptc_seq_show(struct seq_file *file, void *data)
2836 - seq_printf(file,
2837 - "all one mult none retry canc nocan reset rcan ");
2838 - seq_printf(file,
2839 -- "disable enable\n");
2840 -+ "disable enable wars warshw warwaits\n");
2841 - }
2842 - if (cpu < num_possible_cpus() && cpu_online(cpu)) {
2843 - stat = &per_cpu(ptcstats, cpu);
2844 -@@ -1173,8 +1394,10 @@ static int ptc_seq_show(struct seq_file *file, void *data)
2845 - stat->d_nomsg, stat->d_retries, stat->d_canceled,
2846 - stat->d_nocanceled, stat->d_resets,
2847 - stat->d_rcanceled);
2848 -- seq_printf(file, "%ld %ld\n",
2849 -- stat->s_bau_disabled, stat->s_bau_reenabled);
2850 -+ seq_printf(file, "%ld %ld %ld %ld %ld\n",
2851 -+ stat->s_bau_disabled, stat->s_bau_reenabled,
2852 -+ stat->s_uv2_wars, stat->s_uv2_wars_hw,
2853 -+ stat->s_uv2_war_waits);
2854 - }
2855 - return 0;
2856 - }
2857 -@@ -1432,12 +1655,15 @@ static void activation_descriptor_init(int node, int pnode, int base_pnode)
2858 - {
2859 - int i;
2860 - int cpu;
2861 -+ int uv1 = 0;
2862 - unsigned long gpa;
2863 - unsigned long m;
2864 - unsigned long n;
2865 - size_t dsize;
2866 - struct bau_desc *bau_desc;
2867 - struct bau_desc *bd2;
2868 -+ struct uv1_bau_msg_header *uv1_hdr;
2869 -+ struct uv2_bau_msg_header *uv2_hdr;
2870 - struct bau_control *bcp;
2871 -
2872 - /*
2873 -@@ -1451,6 +1677,8 @@ static void activation_descriptor_init(int node, int pnode, int base_pnode)
2874 - gpa = uv_gpa(bau_desc);
2875 - n = uv_gpa_to_gnode(gpa);
2876 - m = uv_gpa_to_offset(gpa);
2877 -+ if (is_uv1_hub())
2878 -+ uv1 = 1;
2879 -
2880 - /* the 14-bit pnode */
2881 - write_mmr_descriptor_base(pnode, (n << UV_DESC_PSHIFT | m));
2882 -@@ -1461,21 +1689,33 @@ static void activation_descriptor_init(int node, int pnode, int base_pnode)
2883 - */
2884 - for (i = 0, bd2 = bau_desc; i < (ADP_SZ * ITEMS_PER_DESC); i++, bd2++) {
2885 - memset(bd2, 0, sizeof(struct bau_desc));
2886 -- bd2->header.swack_flag = 1;
2887 -- /*
2888 -- * The base_dest_nasid set in the message header is the nasid
2889 -- * of the first uvhub in the partition. The bit map will
2890 -- * indicate destination pnode numbers relative to that base.
2891 -- * They may not be consecutive if nasid striding is being used.
2892 -- */
2893 -- bd2->header.base_dest_nasid = UV_PNODE_TO_NASID(base_pnode);
2894 -- bd2->header.dest_subnodeid = UV_LB_SUBNODEID;
2895 -- bd2->header.command = UV_NET_ENDPOINT_INTD;
2896 -- bd2->header.int_both = 1;
2897 -- /*
2898 -- * all others need to be set to zero:
2899 -- * fairness chaining multilevel count replied_to
2900 -- */
2901 -+ if (uv1) {
2902 -+ uv1_hdr = &bd2->header.uv1_hdr;
2903 -+ uv1_hdr->swack_flag = 1;
2904 -+ /*
2905 -+ * The base_dest_nasid set in the message header
2906 -+ * is the nasid of the first uvhub in the partition.
2907 -+ * The bit map will indicate destination pnode numbers
2908 -+ * relative to that base. They may not be consecutive
2909 -+ * if nasid striding is being used.
2910 -+ */
2911 -+ uv1_hdr->base_dest_nasid =
2912 -+ UV_PNODE_TO_NASID(base_pnode);
2913 -+ uv1_hdr->dest_subnodeid = UV_LB_SUBNODEID;
2914 -+ uv1_hdr->command = UV_NET_ENDPOINT_INTD;
2915 -+ uv1_hdr->int_both = 1;
2916 -+ /*
2917 -+ * all others need to be set to zero:
2918 -+ * fairness chaining multilevel count replied_to
2919 -+ */
2920 -+ } else {
2921 -+ uv2_hdr = &bd2->header.uv2_hdr;
2922 -+ uv2_hdr->swack_flag = 1;
2923 -+ uv2_hdr->base_dest_nasid =
2924 -+ UV_PNODE_TO_NASID(base_pnode);
2925 -+ uv2_hdr->dest_subnodeid = UV_LB_SUBNODEID;
2926 -+ uv2_hdr->command = UV_NET_ENDPOINT_INTD;
2927 -+ }
2928 - }
2929 - for_each_present_cpu(cpu) {
2930 - if (pnode != uv_blade_to_pnode(uv_cpu_to_blade_id(cpu)))
2931 -@@ -1531,6 +1771,7 @@ static void pq_init(int node, int pnode)
2932 - write_mmr_payload_first(pnode, pn_first);
2933 - write_mmr_payload_tail(pnode, first);
2934 - write_mmr_payload_last(pnode, last);
2935 -+ write_gmmr_sw_ack(pnode, 0xffffUL);
2936 -
2937 - /* in effect, all msg_type's are set to MSG_NOOP */
2938 - memset(pqp, 0, sizeof(struct bau_pq_entry) * DEST_Q_SIZE);
2939 -@@ -1584,14 +1825,14 @@ static int calculate_destination_timeout(void)
2940 - ts_ns = base * mult1 * mult2;
2941 - ret = ts_ns / 1000;
2942 - } else {
2943 -- /* 4 bits 0/1 for 10/80us, 3 bits of multiplier */
2944 -- mmr_image = uv_read_local_mmr(UVH_AGING_PRESCALE_SEL);
2945 -+ /* 4 bits 0/1 for 10/80us base, 3 bits of multiplier */
2946 -+ mmr_image = uv_read_local_mmr(UVH_LB_BAU_MISC_CONTROL);
2947 - mmr_image = (mmr_image & UV_SA_MASK) >> UV_SA_SHFT;
2948 - if (mmr_image & (1L << UV2_ACK_UNITS_SHFT))
2949 -- mult1 = 80;
2950 -+ base = 80;
2951 - else
2952 -- mult1 = 10;
2953 -- base = mmr_image & UV2_ACK_MASK;
2954 -+ base = 10;
2955 -+ mult1 = mmr_image & UV2_ACK_MASK;
2956 - ret = mult1 * base;
2957 - }
2958 - return ret;
2959 -@@ -1618,6 +1859,7 @@ static void __init init_per_cpu_tunables(void)
2960 - bcp->cong_response_us = congested_respns_us;
2961 - bcp->cong_reps = congested_reps;
2962 - bcp->cong_period = congested_period;
2963 -+ bcp->clocks_per_100_usec = usec_2_cycles(100);
2964 - }
2965 - }
2966 -
2967 -@@ -1728,8 +1970,17 @@ static int scan_sock(struct socket_desc *sdp, struct uvhub_desc *bdp,
2968 - bcp->cpus_in_socket = sdp->num_cpus;
2969 - bcp->socket_master = *smasterp;
2970 - bcp->uvhub = bdp->uvhub;
2971 -+ if (is_uv1_hub())
2972 -+ bcp->uvhub_version = 1;
2973 -+ else if (is_uv2_hub())
2974 -+ bcp->uvhub_version = 2;
2975 -+ else {
2976 -+ printk(KERN_EMERG "uvhub version not 1 or 2\n");
2977 -+ return 1;
2978 -+ }
2979 - bcp->uvhub_master = *hmasterp;
2980 - bcp->uvhub_cpu = uv_cpu_hub_info(cpu)->blade_processor_id;
2981 -+ bcp->using_desc = bcp->uvhub_cpu;
2982 - if (bcp->uvhub_cpu >= MAX_CPUS_PER_UVHUB) {
2983 - printk(KERN_EMERG "%d cpus per uvhub invalid\n",
2984 - bcp->uvhub_cpu);
2985 -@@ -1845,6 +2096,8 @@ static int __init uv_bau_init(void)
2986 - uv_base_pnode = uv_blade_to_pnode(uvhub);
2987 - }
2988 -
2989 -+ enable_timeouts();
2990 -+
2991 - if (init_per_cpu(nuvhubs, uv_base_pnode)) {
2992 - nobau = 1;
2993 - return 0;
2994 -@@ -1855,7 +2108,6 @@ static int __init uv_bau_init(void)
2995 - if (uv_blade_nr_possible_cpus(uvhub))
2996 - init_uvhub(uvhub, vector, uv_base_pnode);
2997 -
2998 -- enable_timeouts();
2999 - alloc_intr_gate(vector, uv_bau_message_intr1);
3000 -
3001 - for_each_possible_blade(uvhub) {
3002 -@@ -1867,7 +2119,8 @@ static int __init uv_bau_init(void)
3003 - val = 1L << 63;
3004 - write_gmmr_activation(pnode, val);
3005 - mmr = 1; /* should be 1 to broadcast to both sockets */
3006 -- write_mmr_data_broadcast(pnode, mmr);
3007 -+ if (!is_uv1_hub())
3008 -+ write_mmr_data_broadcast(pnode, mmr);
3009 - }
3010 - }
3011 -
3012 -diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
3013 -index fbdf0d8..688be8a 100644
3014 ---- a/block/scsi_ioctl.c
3015 -+++ b/block/scsi_ioctl.c
3016 -@@ -24,6 +24,7 @@
3017 - #include <linux/capability.h>
3018 - #include <linux/completion.h>
3019 - #include <linux/cdrom.h>
3020 -+#include <linux/ratelimit.h>
3021 - #include <linux/slab.h>
3022 - #include <linux/times.h>
3023 - #include <asm/uaccess.h>
3024 -@@ -690,6 +691,57 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
3025 - }
3026 - EXPORT_SYMBOL(scsi_cmd_ioctl);
3027 -
3028 -+int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
3029 -+{
3030 -+ if (bd && bd == bd->bd_contains)
3031 -+ return 0;
3032 -+
3033 -+ /* Actually none of these is particularly useful on a partition,
3034 -+ * but they are safe.
3035 -+ */
3036 -+ switch (cmd) {
3037 -+ case SCSI_IOCTL_GET_IDLUN:
3038 -+ case SCSI_IOCTL_GET_BUS_NUMBER:
3039 -+ case SCSI_IOCTL_GET_PCI:
3040 -+ case SCSI_IOCTL_PROBE_HOST:
3041 -+ case SG_GET_VERSION_NUM:
3042 -+ case SG_SET_TIMEOUT:
3043 -+ case SG_GET_TIMEOUT:
3044 -+ case SG_GET_RESERVED_SIZE:
3045 -+ case SG_SET_RESERVED_SIZE:
3046 -+ case SG_EMULATED_HOST:
3047 -+ return 0;
3048 -+ case CDROM_GET_CAPABILITY:
3049 -+ /* Keep this until we remove the printk below. udev sends it
3050 -+ * and we do not want to spam dmesg about it. CD-ROMs do
3051 -+ * not have partitions, so we get here only for disks.
3052 -+ */
3053 -+ return -ENOTTY;
3054 -+ default:
3055 -+ break;
3056 -+ }
3057 -+
3058 -+ /* In particular, rule out all resets and host-specific ioctls. */
3059 -+ printk_ratelimited(KERN_WARNING
3060 -+ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
3061 -+
3062 -+ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
3063 -+}
3064 -+EXPORT_SYMBOL(scsi_verify_blk_ioctl);
3065 -+
3066 -+int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
3067 -+ unsigned int cmd, void __user *arg)
3068 -+{
3069 -+ int ret;
3070 -+
3071 -+ ret = scsi_verify_blk_ioctl(bd, cmd);
3072 -+ if (ret < 0)
3073 -+ return ret;
3074 -+
3075 -+ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
3076 -+}
3077 -+EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
3078 -+
3079 - static int __init blk_scsi_ioctl_init(void)
3080 - {
3081 - blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
3082 -diff --git a/drivers/acpi/acpica/dsargs.c b/drivers/acpi/acpica/dsargs.c
3083 -index 8c7b997..42163d8 100644
3084 ---- a/drivers/acpi/acpica/dsargs.c
3085 -+++ b/drivers/acpi/acpica/dsargs.c
3086 -@@ -387,5 +387,29 @@ acpi_status acpi_ds_get_region_arguments(union acpi_operand_object *obj_desc)
3087 - status = acpi_ds_execute_arguments(node, node->parent,
3088 - extra_desc->extra.aml_length,
3089 - extra_desc->extra.aml_start);
3090 -+ if (ACPI_FAILURE(status)) {
3091 -+ return_ACPI_STATUS(status);
3092 -+ }
3093 -+
3094 -+ /* Validate the region address/length via the host OS */
3095 -+
3096 -+ status = acpi_os_validate_address(obj_desc->region.space_id,
3097 -+ obj_desc->region.address,
3098 -+ (acpi_size) obj_desc->region.length,
3099 -+ acpi_ut_get_node_name(node));
3100 -+
3101 -+ if (ACPI_FAILURE(status)) {
3102 -+ /*
3103 -+ * Invalid address/length. We will emit an error message and mark
3104 -+ * the region as invalid, so that it will cause an additional error if
3105 -+ * it is ever used. Then return AE_OK.
3106 -+ */
3107 -+ ACPI_EXCEPTION((AE_INFO, status,
3108 -+ "During address validation of OpRegion [%4.4s]",
3109 -+ node->name.ascii));
3110 -+ obj_desc->common.flags |= AOPOBJ_INVALID;
3111 -+ status = AE_OK;
3112 -+ }
3113 -+
3114 - return_ACPI_STATUS(status);
3115 - }
3116 -diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
3117 -index 3b5c318..e56f3be 100644
3118 ---- a/drivers/acpi/numa.c
3119 -+++ b/drivers/acpi/numa.c
3120 -@@ -45,6 +45,8 @@ static int pxm_to_node_map[MAX_PXM_DOMAINS]
3121 - static int node_to_pxm_map[MAX_NUMNODES]
3122 - = { [0 ... MAX_NUMNODES - 1] = PXM_INVAL };
3123 -
3124 -+unsigned char acpi_srat_revision __initdata;
3125 -+
3126 - int pxm_to_node(int pxm)
3127 - {
3128 - if (pxm < 0)
3129 -@@ -255,9 +257,13 @@ acpi_parse_memory_affinity(struct acpi_subtable_header * header,
3130 -
3131 - static int __init acpi_parse_srat(struct acpi_table_header *table)
3132 - {
3133 -+ struct acpi_table_srat *srat;
3134 - if (!table)
3135 - return -EINVAL;
3136 -
3137 -+ srat = (struct acpi_table_srat *)table;
3138 -+ acpi_srat_revision = srat->header.revision;
3139 -+
3140 - /* Real work done in acpi_table_parse_srat below. */
3141 -
3142 - return 0;
3143 -diff --git a/drivers/acpi/processor_core.c b/drivers/acpi/processor_core.c
3144 -index 3a0428e..c850de4 100644
3145 ---- a/drivers/acpi/processor_core.c
3146 -+++ b/drivers/acpi/processor_core.c
3147 -@@ -173,8 +173,30 @@ int acpi_get_cpuid(acpi_handle handle, int type, u32 acpi_id)
3148 - apic_id = map_mat_entry(handle, type, acpi_id);
3149 - if (apic_id == -1)
3150 - apic_id = map_madt_entry(type, acpi_id);
3151 -- if (apic_id == -1)
3152 -- return apic_id;
3153 -+ if (apic_id == -1) {
3154 -+ /*
3155 -+ * On UP processor, there is no _MAT or MADT table.
3156 -+ * So above apic_id is always set to -1.
3157 -+ *
3158 -+ * BIOS may define multiple CPU handles even for UP processor.
3159 -+ * For example,
3160 -+ *
3161 -+ * Scope (_PR)
3162 -+ * {
3163 -+ * Processor (CPU0, 0x00, 0x00000410, 0x06) {}
3164 -+ * Processor (CPU1, 0x01, 0x00000410, 0x06) {}
3165 -+ * Processor (CPU2, 0x02, 0x00000410, 0x06) {}
3166 -+ * Processor (CPU3, 0x03, 0x00000410, 0x06) {}
3167 -+ * }
3168 -+ *
3169 -+ * Ignores apic_id and always return 0 for CPU0's handle.
3170 -+ * Return -1 for other CPU's handle.
3171 -+ */
3172 -+ if (acpi_id == 0)
3173 -+ return acpi_id;
3174 -+ else
3175 -+ return apic_id;
3176 -+ }
3177 -
3178 - #ifdef CONFIG_SMP
3179 - for_each_possible_cpu(i) {
3180 -diff --git a/drivers/bcma/host_pci.c b/drivers/bcma/host_pci.c
3181 -index 990f5a8..48e06be 100644
3182 ---- a/drivers/bcma/host_pci.c
3183 -+++ b/drivers/bcma/host_pci.c
3184 -@@ -227,11 +227,14 @@ static void bcma_host_pci_remove(struct pci_dev *dev)
3185 - #ifdef CONFIG_PM
3186 - static int bcma_host_pci_suspend(struct pci_dev *dev, pm_message_t state)
3187 - {
3188 -+ struct bcma_bus *bus = pci_get_drvdata(dev);
3189 -+
3190 - /* Host specific */
3191 - pci_save_state(dev);
3192 - pci_disable_device(dev);
3193 - pci_set_power_state(dev, pci_choose_state(dev, state));
3194 -
3195 -+ bus->mapped_core = NULL;
3196 - return 0;
3197 - }
3198 -
3199 -diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
3200 -index 587cce5..b0f553b 100644
3201 ---- a/drivers/block/cciss.c
3202 -+++ b/drivers/block/cciss.c
3203 -@@ -1735,7 +1735,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
3204 - case CCISS_BIG_PASSTHRU:
3205 - return cciss_bigpassthru(h, argp);
3206 -
3207 -- /* scsi_cmd_ioctl handles these, below, though some are not */
3208 -+ /* scsi_cmd_blk_ioctl handles these, below, though some are not */
3209 - /* very meaningful for cciss. SG_IO is the main one people want. */
3210 -
3211 - case SG_GET_VERSION_NUM:
3212 -@@ -1746,9 +1746,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
3213 - case SG_EMULATED_HOST:
3214 - case SG_IO:
3215 - case SCSI_IOCTL_SEND_COMMAND:
3216 -- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
3217 -+ return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
3218 -
3219 -- /* scsi_cmd_ioctl would normally handle these, below, but */
3220 -+ /* scsi_cmd_blk_ioctl would normally handle these, below, but */
3221 - /* they aren't a good fit for cciss, as CD-ROMs are */
3222 - /* not supported, and we don't have any bus/target/lun */
3223 - /* which we present to the kernel. */
3224 -diff --git a/drivers/block/ub.c b/drivers/block/ub.c
3225 -index 0e376d4..7333b9e 100644
3226 ---- a/drivers/block/ub.c
3227 -+++ b/drivers/block/ub.c
3228 -@@ -1744,12 +1744,11 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
3229 - static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
3230 - unsigned int cmd, unsigned long arg)
3231 - {
3232 -- struct gendisk *disk = bdev->bd_disk;
3233 - void __user *usermem = (void __user *) arg;
3234 - int ret;
3235 -
3236 - mutex_lock(&ub_mutex);
3237 -- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
3238 -+ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);
3239 - mutex_unlock(&ub_mutex);
3240 -
3241 - return ret;
3242 -diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
3243 -index 4d0b70a..e46f2f7 100644
3244 ---- a/drivers/block/virtio_blk.c
3245 -+++ b/drivers/block/virtio_blk.c
3246 -@@ -243,8 +243,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
3247 - if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
3248 - return -ENOTTY;
3249 -
3250 -- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
3251 -- (void __user *)data);
3252 -+ return scsi_cmd_blk_ioctl(bdev, mode, cmd,
3253 -+ (void __user *)data);
3254 - }
3255 -
3256 - /* We provide getgeo only to please some old bootloader/partitioning tools */
3257 -diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
3258 -index f997c27..cedb231 100644
3259 ---- a/drivers/cdrom/cdrom.c
3260 -+++ b/drivers/cdrom/cdrom.c
3261 -@@ -2747,12 +2747,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
3262 - {
3263 - void __user *argp = (void __user *)arg;
3264 - int ret;
3265 -- struct gendisk *disk = bdev->bd_disk;
3266 -
3267 - /*
3268 - * Try the generic SCSI command ioctl's first.
3269 - */
3270 -- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
3271 -+ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
3272 - if (ret != -ENOTTY)
3273 - return ret;
3274 -
3275 -diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
3276 -index bfc08f6..31b0d1a 100644
3277 ---- a/drivers/gpu/drm/radeon/r100.c
3278 -+++ b/drivers/gpu/drm/radeon/r100.c
3279 -@@ -2177,6 +2177,7 @@ bool r100_gpu_is_lockup(struct radeon_device *rdev)
3280 - void r100_bm_disable(struct radeon_device *rdev)
3281 - {
3282 - u32 tmp;
3283 -+ u16 tmp16;
3284 -
3285 - /* disable bus mastering */
3286 - tmp = RREG32(R_000030_BUS_CNTL);
3287 -@@ -2187,8 +2188,8 @@ void r100_bm_disable(struct radeon_device *rdev)
3288 - WREG32(R_000030_BUS_CNTL, (tmp & 0xFFFFFFFF) | 0x00000040);
3289 - tmp = RREG32(RADEON_BUS_CNTL);
3290 - mdelay(1);
3291 -- pci_read_config_word(rdev->pdev, 0x4, (u16*)&tmp);
3292 -- pci_write_config_word(rdev->pdev, 0x4, tmp & 0xFFFB);
3293 -+ pci_read_config_word(rdev->pdev, 0x4, &tmp16);
3294 -+ pci_write_config_word(rdev->pdev, 0x4, tmp16 & 0xFFFB);
3295 - mdelay(1);
3296 - }
3297 -
3298 -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c
3299 -index f5ac7e7..c45d921 100644
3300 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c
3301 -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c
3302 -@@ -196,6 +196,13 @@ static void r600_hdmi_videoinfoframe(
3303 - frame[0xD] = (right_bar >> 8);
3304 -
3305 - r600_hdmi_infoframe_checksum(0x82, 0x02, 0x0D, frame);
3306 -+ /* Our header values (type, version, length) should be alright, Intel
3307 -+ * is using the same. Checksum function also seems to be OK, it works
3308 -+ * fine for audio infoframe. However calculated value is always lower
3309 -+ * by 2 in comparison to fglrx. It breaks displaying anything in case
3310 -+ * of TVs that strictly check the checksum. Hack it manually here to
3311 -+ * workaround this issue. */
3312 -+ frame[0x0] += 2;
3313 -
3314 - WREG32(offset+R600_HDMI_VIDEOINFOFRAME_0,
3315 - frame[0x0] | (frame[0x1] << 8) | (frame[0x2] << 16) | (frame[0x3] << 24));
3316 -diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
3317 -index c4d00a1..9b39145 100644
3318 ---- a/drivers/gpu/drm/radeon/radeon_device.c
3319 -+++ b/drivers/gpu/drm/radeon/radeon_device.c
3320 -@@ -224,8 +224,11 @@ int radeon_wb_init(struct radeon_device *rdev)
3321 - if (radeon_no_wb == 1)
3322 - rdev->wb.enabled = false;
3323 - else {
3324 -- /* often unreliable on AGP */
3325 - if (rdev->flags & RADEON_IS_AGP) {
3326 -+ /* often unreliable on AGP */
3327 -+ rdev->wb.enabled = false;
3328 -+ } else if (rdev->family < CHIP_R300) {
3329 -+ /* often unreliable on pre-r300 */
3330 - rdev->wb.enabled = false;
3331 - } else {
3332 - rdev->wb.enabled = true;
3333 -diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
3334 -index b1053d6..c259e21 100644
3335 ---- a/drivers/gpu/drm/radeon/rs600.c
3336 -+++ b/drivers/gpu/drm/radeon/rs600.c
3337 -@@ -324,10 +324,10 @@ void rs600_hpd_fini(struct radeon_device *rdev)
3338 -
3339 - void rs600_bm_disable(struct radeon_device *rdev)
3340 - {
3341 -- u32 tmp;
3342 -+ u16 tmp;
3343 -
3344 - /* disable bus mastering */
3345 -- pci_read_config_word(rdev->pdev, 0x4, (u16*)&tmp);
3346 -+ pci_read_config_word(rdev->pdev, 0x4, &tmp);
3347 - pci_write_config_word(rdev->pdev, 0x4, tmp & 0xFFFB);
3348 - mdelay(1);
3349 - }
3350 -diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
3351 -index 22a4a05..d21f6d0 100644
3352 ---- a/drivers/hid/Kconfig
3353 -+++ b/drivers/hid/Kconfig
3354 -@@ -335,6 +335,7 @@ config HID_MULTITOUCH
3355 - Say Y here if you have one of the following devices:
3356 - - 3M PCT touch screens
3357 - - ActionStar dual touch panels
3358 -+ - Atmel panels
3359 - - Cando dual touch panels
3360 - - Chunghwa panels
3361 - - CVTouch panels
3362 -@@ -355,6 +356,7 @@ config HID_MULTITOUCH
3363 - - Touch International Panels
3364 - - Unitec Panels
3365 - - XAT optical touch panels
3366 -+ - Xiroku optical touch panels
3367 -
3368 - If unsure, say N.
3369 -
3370 -@@ -620,6 +622,7 @@ config HID_WIIMOTE
3371 - depends on BT_HIDP
3372 - depends on LEDS_CLASS
3373 - select POWER_SUPPLY
3374 -+ select INPUT_FF_MEMLESS
3375 - ---help---
3376 - Support for the Nintendo Wii Remote bluetooth device.
3377 -
3378 -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
3379 -index af35384..bb656d8 100644
3380 ---- a/drivers/hid/hid-core.c
3381 -+++ b/drivers/hid/hid-core.c
3382 -@@ -362,7 +362,7 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
3383 -
3384 - case HID_GLOBAL_ITEM_TAG_REPORT_SIZE:
3385 - parser->global.report_size = item_udata(item);
3386 -- if (parser->global.report_size > 32) {
3387 -+ if (parser->global.report_size > 96) {
3388 - dbg_hid("invalid report_size %d\n",
3389 - parser->global.report_size);
3390 - return -1;
3391 -@@ -1404,11 +1404,13 @@ static const struct hid_device_id hid_have_special_driver[] = {
3392 - { HID_USB_DEVICE(USB_VENDOR_ID_CYPRESS, USB_DEVICE_ID_CYPRESS_TRUETOUCH) },
3393 - { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 0x0006) },
3394 - { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 0x0011) },
3395 -- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH) },
3396 -- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH1) },
3397 -- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH2) },
3398 -- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH3) },
3399 -- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH4) },
3400 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480D) },
3401 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480E) },
3402 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_720C) },
3403 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_726B) },
3404 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72A1) },
3405 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7302) },
3406 -+ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) },
3407 - { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) },
3408 - { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2515) },
3409 - { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II) },
3410 -@@ -1423,6 +1425,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
3411 - { HID_USB_DEVICE(USB_VENDOR_ID_GYRATION, USB_DEVICE_ID_GYRATION_REMOTE_2) },
3412 - { HID_USB_DEVICE(USB_VENDOR_ID_GYRATION, USB_DEVICE_ID_GYRATION_REMOTE_3) },
3413 - { HID_USB_DEVICE(USB_VENDOR_ID_HANVON, USB_DEVICE_ID_HANVON_MULTITOUCH) },
3414 -+ { HID_USB_DEVICE(USB_VENDOR_ID_HANVON_ALT, USB_DEVICE_ID_HANVON_ALT_MULTITOUCH) },
3415 - { HID_USB_DEVICE(USB_VENDOR_ID_IDEACOM, USB_DEVICE_ID_IDEACOM_IDC6650) },
3416 - { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK, USB_DEVICE_ID_HOLTEK_ON_LINE_GRIP) },
3417 - { HID_USB_DEVICE(USB_VENDOR_ID_ILITEK, USB_DEVICE_ID_ILITEK_MULTITOUCH) },
3418 -@@ -1549,6 +1552,15 @@ static const struct hid_device_id hid_have_special_driver[] = {
3419 - { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_MEDIA_TABLET_10_6_INCH) },
3420 - { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_MEDIA_TABLET_14_1_INCH) },
3421 - { HID_USB_DEVICE(USB_VENDOR_ID_XAT, USB_DEVICE_ID_XAT_CSR) },
3422 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_SPX) },
3423 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_MPX) },
3424 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_CSR) },
3425 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_SPX1) },
3426 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_MPX1) },
3427 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_CSR1) },
3428 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_SPX2) },
3429 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_MPX2) },
3430 -+ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_CSR2) },
3431 - { HID_USB_DEVICE(USB_VENDOR_ID_X_TENSIONS, USB_DEVICE_ID_SPEEDLINK_VAD_CEZANNE) },
3432 - { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0005) },
3433 - { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0030) },
3434 -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
3435 -index 4a441a6..00cabb3 100644
3436 ---- a/drivers/hid/hid-ids.h
3437 -+++ b/drivers/hid/hid-ids.h
3438 -@@ -21,6 +21,7 @@
3439 - #define USB_VENDOR_ID_3M 0x0596
3440 - #define USB_DEVICE_ID_3M1968 0x0500
3441 - #define USB_DEVICE_ID_3M2256 0x0502
3442 -+#define USB_DEVICE_ID_3M3266 0x0506
3443 -
3444 - #define USB_VENDOR_ID_A4TECH 0x09da
3445 - #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
3446 -@@ -145,6 +146,9 @@
3447 - #define USB_DEVICE_ID_ATEN_4PORTKVM 0x2205
3448 - #define USB_DEVICE_ID_ATEN_4PORTKVMC 0x2208
3449 -
3450 -+#define USB_VENDOR_ID_ATMEL 0x03eb
3451 -+#define USB_DEVICE_ID_ATMEL_MULTITOUCH 0x211c
3452 -+
3453 - #define USB_VENDOR_ID_AVERMEDIA 0x07ca
3454 - #define USB_DEVICE_ID_AVER_FM_MR800 0xb800
3455 -
3456 -@@ -230,11 +234,14 @@
3457 -
3458 - #define USB_VENDOR_ID_DWAV 0x0eef
3459 - #define USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER 0x0001
3460 --#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH 0x480d
3461 --#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH1 0x720c
3462 --#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH2 0x72a1
3463 --#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH3 0x480e
3464 --#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH4 0x726b
3465 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480D 0x480d
3466 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480E 0x480e
3467 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_720C 0x720c
3468 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_726B 0x726b
3469 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72A1 0x72a1
3470 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72FA 0x72fa
3471 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7302 0x7302
3472 -+#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001
3473 -
3474 - #define USB_VENDOR_ID_ELECOM 0x056e
3475 - #define USB_DEVICE_ID_ELECOM_BM084 0x0061
3476 -@@ -356,6 +363,9 @@
3477 - #define USB_VENDOR_ID_HANVON 0x20b3
3478 - #define USB_DEVICE_ID_HANVON_MULTITOUCH 0x0a18
3479 -
3480 -+#define USB_VENDOR_ID_HANVON_ALT 0x22ed
3481 -+#define USB_DEVICE_ID_HANVON_ALT_MULTITOUCH 0x1010
3482 -+
3483 - #define USB_VENDOR_ID_HAPP 0x078b
3484 - #define USB_DEVICE_ID_UGCI_DRIVING 0x0010
3485 - #define USB_DEVICE_ID_UGCI_FLYING 0x0020
3486 -@@ -707,6 +717,17 @@
3487 - #define USB_VENDOR_ID_XAT 0x2505
3488 - #define USB_DEVICE_ID_XAT_CSR 0x0220
3489 -
3490 -+#define USB_VENDOR_ID_XIROKU 0x1477
3491 -+#define USB_DEVICE_ID_XIROKU_SPX 0x1006
3492 -+#define USB_DEVICE_ID_XIROKU_MPX 0x1007
3493 -+#define USB_DEVICE_ID_XIROKU_CSR 0x100e
3494 -+#define USB_DEVICE_ID_XIROKU_SPX1 0x1021
3495 -+#define USB_DEVICE_ID_XIROKU_CSR1 0x1022
3496 -+#define USB_DEVICE_ID_XIROKU_MPX1 0x1023
3497 -+#define USB_DEVICE_ID_XIROKU_SPX2 0x1024
3498 -+#define USB_DEVICE_ID_XIROKU_CSR2 0x1025
3499 -+#define USB_DEVICE_ID_XIROKU_MPX2 0x1026
3500 -+
3501 - #define USB_VENDOR_ID_YEALINK 0x6993
3502 - #define USB_DEVICE_ID_YEALINK_P1K_P4K_B2K 0xb001
3503 -
3504 -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
3505 -index f1c909f..995fc4c 100644
3506 ---- a/drivers/hid/hid-multitouch.c
3507 -+++ b/drivers/hid/hid-multitouch.c
3508 -@@ -609,12 +609,20 @@ static const struct hid_device_id mt_devices[] = {
3509 - { .driver_data = MT_CLS_3M,
3510 - HID_USB_DEVICE(USB_VENDOR_ID_3M,
3511 - USB_DEVICE_ID_3M2256) },
3512 -+ { .driver_data = MT_CLS_3M,
3513 -+ HID_USB_DEVICE(USB_VENDOR_ID_3M,
3514 -+ USB_DEVICE_ID_3M3266) },
3515 -
3516 - /* ActionStar panels */
3517 - { .driver_data = MT_CLS_DEFAULT,
3518 - HID_USB_DEVICE(USB_VENDOR_ID_ACTIONSTAR,
3519 - USB_DEVICE_ID_ACTIONSTAR_1011) },
3520 -
3521 -+ /* Atmel panels */
3522 -+ { .driver_data = MT_CLS_SERIAL,
3523 -+ HID_USB_DEVICE(USB_VENDOR_ID_ATMEL,
3524 -+ USB_DEVICE_ID_ATMEL_MULTITOUCH) },
3525 -+
3526 - /* Cando panels */
3527 - { .driver_data = MT_CLS_DUAL_INRANGE_CONTACTNUMBER,
3528 - HID_USB_DEVICE(USB_VENDOR_ID_CANDO,
3529 -@@ -645,23 +653,32 @@ static const struct hid_device_id mt_devices[] = {
3530 - USB_DEVICE_ID_CYPRESS_TRUETOUCH) },
3531 -
3532 - /* eGalax devices (resistive) */
3533 -- { .driver_data = MT_CLS_EGALAX,
3534 -+ { .driver_data = MT_CLS_EGALAX,
3535 - HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3536 -- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH) },
3537 -- { .driver_data = MT_CLS_EGALAX,
3538 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480D) },
3539 -+ { .driver_data = MT_CLS_EGALAX,
3540 - HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3541 -- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH3) },
3542 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480E) },
3543 -
3544 - /* eGalax devices (capacitive) */
3545 -- { .driver_data = MT_CLS_EGALAX,
3546 -+ { .driver_data = MT_CLS_EGALAX,
3547 -+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3548 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_720C) },
3549 -+ { .driver_data = MT_CLS_EGALAX,
3550 - HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3551 -- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH1) },
3552 -- { .driver_data = MT_CLS_EGALAX,
3553 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_726B) },
3554 -+ { .driver_data = MT_CLS_EGALAX,
3555 - HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3556 -- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH2) },
3557 -- { .driver_data = MT_CLS_EGALAX,
3558 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72A1) },
3559 -+ { .driver_data = MT_CLS_EGALAX,
3560 - HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3561 -- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH4) },
3562 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72FA) },
3563 -+ { .driver_data = MT_CLS_EGALAX,
3564 -+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3565 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7302) },
3566 -+ { .driver_data = MT_CLS_EGALAX,
3567 -+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
3568 -+ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) },
3569 -
3570 - /* Elo TouchSystems IntelliTouch Plus panel */
3571 - { .driver_data = MT_CLS_DUAL_NSMU_CONTACTID,
3572 -@@ -678,6 +695,11 @@ static const struct hid_device_id mt_devices[] = {
3573 - HID_USB_DEVICE(USB_VENDOR_ID_GOODTOUCH,
3574 - USB_DEVICE_ID_GOODTOUCH_000f) },
3575 -
3576 -+ /* Hanvon panels */
3577 -+ { .driver_data = MT_CLS_DUAL_INRANGE_CONTACTID,
3578 -+ HID_USB_DEVICE(USB_VENDOR_ID_HANVON_ALT,
3579 -+ USB_DEVICE_ID_HANVON_ALT_MULTITOUCH) },
3580 -+
3581 - /* Ideacom panel */
3582 - { .driver_data = MT_CLS_SERIAL,
3583 - HID_USB_DEVICE(USB_VENDOR_ID_IDEACOM,
3584 -@@ -758,6 +780,35 @@ static const struct hid_device_id mt_devices[] = {
3585 - HID_USB_DEVICE(USB_VENDOR_ID_XAT,
3586 - USB_DEVICE_ID_XAT_CSR) },
3587 -
3588 -+ /* Xiroku */
3589 -+ { .driver_data = MT_CLS_DEFAULT,
3590 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3591 -+ USB_DEVICE_ID_XIROKU_SPX) },
3592 -+ { .driver_data = MT_CLS_DEFAULT,
3593 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3594 -+ USB_DEVICE_ID_XIROKU_MPX) },
3595 -+ { .driver_data = MT_CLS_DEFAULT,
3596 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3597 -+ USB_DEVICE_ID_XIROKU_CSR) },
3598 -+ { .driver_data = MT_CLS_DEFAULT,
3599 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3600 -+ USB_DEVICE_ID_XIROKU_SPX1) },
3601 -+ { .driver_data = MT_CLS_DEFAULT,
3602 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3603 -+ USB_DEVICE_ID_XIROKU_MPX1) },
3604 -+ { .driver_data = MT_CLS_DEFAULT,
3605 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3606 -+ USB_DEVICE_ID_XIROKU_CSR1) },
3607 -+ { .driver_data = MT_CLS_DEFAULT,
3608 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3609 -+ USB_DEVICE_ID_XIROKU_SPX2) },
3610 -+ { .driver_data = MT_CLS_DEFAULT,
3611 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3612 -+ USB_DEVICE_ID_XIROKU_MPX2) },
3613 -+ { .driver_data = MT_CLS_DEFAULT,
3614 -+ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
3615 -+ USB_DEVICE_ID_XIROKU_CSR2) },
3616 -+
3617 - { }
3618 - };
3619 - MODULE_DEVICE_TABLE(hid, mt_devices);
3620 -diff --git a/drivers/i2c/busses/i2c-ali1535.c b/drivers/i2c/busses/i2c-ali1535.c
3621 -index b6807db..5b667e5 100644
3622 ---- a/drivers/i2c/busses/i2c-ali1535.c
3623 -+++ b/drivers/i2c/busses/i2c-ali1535.c
3624 -@@ -140,7 +140,7 @@ static unsigned short ali1535_smba;
3625 - defined to make the transition easier. */
3626 - static int __devinit ali1535_setup(struct pci_dev *dev)
3627 - {
3628 -- int retval = -ENODEV;
3629 -+ int retval;
3630 - unsigned char temp;
3631 -
3632 - /* Check the following things:
3633 -@@ -155,6 +155,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
3634 - if (ali1535_smba == 0) {
3635 - dev_warn(&dev->dev,
3636 - "ALI1535_smb region uninitialized - upgrade BIOS?\n");
3637 -+ retval = -ENODEV;
3638 - goto exit;
3639 - }
3640 -
3641 -@@ -167,6 +168,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
3642 - ali1535_driver.name)) {
3643 - dev_err(&dev->dev, "ALI1535_smb region 0x%x already in use!\n",
3644 - ali1535_smba);
3645 -+ retval = -EBUSY;
3646 - goto exit;
3647 - }
3648 -
3649 -@@ -174,6 +176,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
3650 - pci_read_config_byte(dev, SMBCFG, &temp);
3651 - if ((temp & ALI1535_SMBIO_EN) == 0) {
3652 - dev_err(&dev->dev, "SMB device not enabled - upgrade BIOS?\n");
3653 -+ retval = -ENODEV;
3654 - goto exit_free;
3655 - }
3656 -
3657 -@@ -181,6 +184,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
3658 - pci_read_config_byte(dev, SMBHSTCFG, &temp);
3659 - if ((temp & 1) == 0) {
3660 - dev_err(&dev->dev, "SMBus controller not enabled - upgrade BIOS?\n");
3661 -+ retval = -ENODEV;
3662 - goto exit_free;
3663 - }
3664 -
3665 -@@ -198,12 +202,11 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
3666 - dev_dbg(&dev->dev, "SMBREV = 0x%X\n", temp);
3667 - dev_dbg(&dev->dev, "ALI1535_smba = 0x%X\n", ali1535_smba);
3668 -
3669 -- retval = 0;
3670 --exit:
3671 -- return retval;
3672 -+ return 0;
3673 -
3674 - exit_free:
3675 - release_region(ali1535_smba, ALI1535_SMB_IOSIZE);
3676 -+exit:
3677 - return retval;
3678 - }
3679 -
3680 -diff --git a/drivers/i2c/busses/i2c-eg20t.c b/drivers/i2c/busses/i2c-eg20t.c
3681 -index 18936ac..730215e 100644
3682 ---- a/drivers/i2c/busses/i2c-eg20t.c
3683 -+++ b/drivers/i2c/busses/i2c-eg20t.c
3684 -@@ -243,7 +243,7 @@ static void pch_i2c_init(struct i2c_algo_pch_data *adap)
3685 - if (pch_clk > PCH_MAX_CLK)
3686 - pch_clk = 62500;
3687 -
3688 -- pch_i2cbc = (pch_clk + (pch_i2c_speed * 4)) / pch_i2c_speed * 8;
3689 -+ pch_i2cbc = (pch_clk + (pch_i2c_speed * 4)) / (pch_i2c_speed * 8);
3690 - /* Set transfer speed in I2CBC */
3691 - iowrite32(pch_i2cbc, p + PCH_I2CBC);
3692 -
3693 -diff --git a/drivers/i2c/busses/i2c-nforce2.c b/drivers/i2c/busses/i2c-nforce2.c
3694 -index ff1e127..4853b52 100644
3695 ---- a/drivers/i2c/busses/i2c-nforce2.c
3696 -+++ b/drivers/i2c/busses/i2c-nforce2.c
3697 -@@ -356,7 +356,7 @@ static int __devinit nforce2_probe_smb (struct pci_dev *dev, int bar,
3698 - error = acpi_check_region(smbus->base, smbus->size,
3699 - nforce2_driver.name);
3700 - if (error)
3701 -- return -1;
3702 -+ return error;
3703 -
3704 - if (!request_region(smbus->base, smbus->size, nforce2_driver.name)) {
3705 - dev_err(&smbus->adapter.dev, "Error requesting region %02x .. %02X for %s\n",
3706 -diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c
3707 -index fa23faa..257c1a5 100644
3708 ---- a/drivers/i2c/busses/i2c-omap.c
3709 -+++ b/drivers/i2c/busses/i2c-omap.c
3710 -@@ -235,7 +235,7 @@ static const u8 reg_map_ip_v2[] = {
3711 - [OMAP_I2C_BUF_REG] = 0x94,
3712 - [OMAP_I2C_CNT_REG] = 0x98,
3713 - [OMAP_I2C_DATA_REG] = 0x9c,
3714 -- [OMAP_I2C_SYSC_REG] = 0x20,
3715 -+ [OMAP_I2C_SYSC_REG] = 0x10,
3716 - [OMAP_I2C_CON_REG] = 0xa4,
3717 - [OMAP_I2C_OA_REG] = 0xa8,
3718 - [OMAP_I2C_SA_REG] = 0xac,
3719 -diff --git a/drivers/i2c/busses/i2c-sis5595.c b/drivers/i2c/busses/i2c-sis5595.c
3720 -index 4375866..6d60284 100644
3721 ---- a/drivers/i2c/busses/i2c-sis5595.c
3722 -+++ b/drivers/i2c/busses/i2c-sis5595.c
3723 -@@ -147,7 +147,7 @@ static int __devinit sis5595_setup(struct pci_dev *SIS5595_dev)
3724 - u16 a;
3725 - u8 val;
3726 - int *i;
3727 -- int retval = -ENODEV;
3728 -+ int retval;
3729 -
3730 - /* Look for imposters */
3731 - for (i = blacklist; *i != 0; i++) {
3732 -@@ -223,7 +223,7 @@ static int __devinit sis5595_setup(struct pci_dev *SIS5595_dev)
3733 -
3734 - error:
3735 - release_region(sis5595_base + SMB_INDEX, 2);
3736 -- return retval;
3737 -+ return -ENODEV;
3738 - }
3739 -
3740 - static int sis5595_transaction(struct i2c_adapter *adap)
3741 -diff --git a/drivers/i2c/busses/i2c-sis630.c b/drivers/i2c/busses/i2c-sis630.c
3742 -index e6f539e..b617fd0 100644
3743 ---- a/drivers/i2c/busses/i2c-sis630.c
3744 -+++ b/drivers/i2c/busses/i2c-sis630.c
3745 -@@ -393,7 +393,7 @@ static int __devinit sis630_setup(struct pci_dev *sis630_dev)
3746 - {
3747 - unsigned char b;
3748 - struct pci_dev *dummy = NULL;
3749 -- int retval = -ENODEV, i;
3750 -+ int retval, i;
3751 -
3752 - /* check for supported SiS devices */
3753 - for (i=0; supported[i] > 0 ; i++) {
3754 -@@ -418,18 +418,21 @@ static int __devinit sis630_setup(struct pci_dev *sis630_dev)
3755 - */
3756 - if (pci_read_config_byte(sis630_dev, SIS630_BIOS_CTL_REG,&b)) {
3757 - dev_err(&sis630_dev->dev, "Error: Can't read bios ctl reg\n");
3758 -+ retval = -ENODEV;
3759 - goto exit;
3760 - }
3761 - /* if ACPI already enabled , do nothing */
3762 - if (!(b & 0x80) &&
3763 - pci_write_config_byte(sis630_dev, SIS630_BIOS_CTL_REG, b | 0x80)) {
3764 - dev_err(&sis630_dev->dev, "Error: Can't enable ACPI\n");
3765 -+ retval = -ENODEV;
3766 - goto exit;
3767 - }
3768 -
3769 - /* Determine the ACPI base address */
3770 - if (pci_read_config_word(sis630_dev,SIS630_ACPI_BASE_REG,&acpi_base)) {
3771 - dev_err(&sis630_dev->dev, "Error: Can't determine ACPI base address\n");
3772 -+ retval = -ENODEV;
3773 - goto exit;
3774 - }
3775 -
3776 -@@ -445,6 +448,7 @@ static int __devinit sis630_setup(struct pci_dev *sis630_dev)
3777 - sis630_driver.name)) {
3778 - dev_err(&sis630_dev->dev, "SMBus registers 0x%04x-0x%04x already "
3779 - "in use!\n", acpi_base + SMB_STS, acpi_base + SMB_SAA);
3780 -+ retval = -EBUSY;
3781 - goto exit;
3782 - }
3783 -
3784 -diff --git a/drivers/i2c/busses/i2c-viapro.c b/drivers/i2c/busses/i2c-viapro.c
3785 -index 0b012f1..58261d4 100644
3786 ---- a/drivers/i2c/busses/i2c-viapro.c
3787 -+++ b/drivers/i2c/busses/i2c-viapro.c
3788 -@@ -324,7 +324,7 @@ static int __devinit vt596_probe(struct pci_dev *pdev,
3789 - const struct pci_device_id *id)
3790 - {
3791 - unsigned char temp;
3792 -- int error = -ENODEV;
3793 -+ int error;
3794 -
3795 - /* Determine the address of the SMBus areas */
3796 - if (force_addr) {
3797 -@@ -390,6 +390,7 @@ found:
3798 - dev_err(&pdev->dev, "SMBUS: Error: Host SMBus "
3799 - "controller not enabled! - upgrade BIOS or "
3800 - "use force=1\n");
3801 -+ error = -ENODEV;
3802 - goto release_region;
3803 - }
3804 - }
3805 -@@ -422,9 +423,11 @@ found:
3806 - "SMBus Via Pro adapter at %04x", vt596_smba);
3807 -
3808 - vt596_pdev = pci_dev_get(pdev);
3809 -- if (i2c_add_adapter(&vt596_adapter)) {
3810 -+ error = i2c_add_adapter(&vt596_adapter);
3811 -+ if (error) {
3812 - pci_dev_put(vt596_pdev);
3813 - vt596_pdev = NULL;
3814 -+ goto release_region;
3815 - }
3816 -
3817 - /* Always return failure here. This is to allow other drivers to bind
3818 -diff --git a/drivers/ide/ide-floppy_ioctl.c b/drivers/ide/ide-floppy_ioctl.c
3819 -index d267b7a..a22ca84 100644
3820 ---- a/drivers/ide/ide-floppy_ioctl.c
3821 -+++ b/drivers/ide/ide-floppy_ioctl.c
3822 -@@ -292,8 +292,7 @@ int ide_floppy_ioctl(ide_drive_t *drive, struct block_device *bdev,
3823 - * and CDROM_SEND_PACKET (legacy) ioctls
3824 - */
3825 - if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
3826 -- err = scsi_cmd_ioctl(bdev->bd_disk->queue, bdev->bd_disk,
3827 -- mode, cmd, argp);
3828 -+ err = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
3829 -
3830 - if (err == -ENOTTY)
3831 - err = generic_ide_ioctl(drive, bdev, cmd, arg);
3832 -diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c
3833 -index 5d2f8e1..5b39216 100644
3834 ---- a/drivers/idle/intel_idle.c
3835 -+++ b/drivers/idle/intel_idle.c
3836 -@@ -348,7 +348,8 @@ static int intel_idle_probe(void)
3837 - cpuid(CPUID_MWAIT_LEAF, &eax, &ebx, &ecx, &mwait_substates);
3838 -
3839 - if (!(ecx & CPUID5_ECX_EXTENSIONS_SUPPORTED) ||
3840 -- !(ecx & CPUID5_ECX_INTERRUPT_BREAK))
3841 -+ !(ecx & CPUID5_ECX_INTERRUPT_BREAK) ||
3842 -+ !mwait_substates)
3843 - return -ENODEV;
3844 -
3845 - pr_debug(PREFIX "MWAIT substates: 0x%x\n", mwait_substates);
3846 -@@ -394,7 +395,7 @@ static int intel_idle_probe(void)
3847 - if (boot_cpu_has(X86_FEATURE_ARAT)) /* Always Reliable APIC Timer */
3848 - lapic_timer_reliable_states = LAPIC_TIMER_ALWAYS_RELIABLE;
3849 - else {
3850 -- smp_call_function(__setup_broadcast_timer, (void *)true, 1);
3851 -+ on_each_cpu(__setup_broadcast_timer, (void *)true, 1);
3852 - register_cpu_notifier(&setup_broadcast_notifier);
3853 - }
3854 -
3855 -@@ -471,7 +472,7 @@ static int intel_idle_cpuidle_driver_init(void)
3856 - }
3857 -
3858 - if (auto_demotion_disable_flags)
3859 -- smp_call_function(auto_demotion_disable, NULL, 1);
3860 -+ on_each_cpu(auto_demotion_disable, NULL, 1);
3861 -
3862 - return 0;
3863 - }
3864 -@@ -568,7 +569,7 @@ static void __exit intel_idle_exit(void)
3865 - cpuidle_unregister_driver(&intel_idle_driver);
3866 -
3867 - if (lapic_timer_reliable_states != LAPIC_TIMER_ALWAYS_RELIABLE) {
3868 -- smp_call_function(__setup_broadcast_timer, (void *)false, 1);
3869 -+ on_each_cpu(__setup_broadcast_timer, (void *)false, 1);
3870 - unregister_cpu_notifier(&setup_broadcast_notifier);
3871 - }
3872 -
3873 -diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
3874 -index f84c080..9fb18c1 100644
3875 ---- a/drivers/md/dm-flakey.c
3876 -+++ b/drivers/md/dm-flakey.c
3877 -@@ -368,8 +368,17 @@ static int flakey_status(struct dm_target *ti, status_type_t type,
3878 - static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg)
3879 - {
3880 - struct flakey_c *fc = ti->private;
3881 -+ struct dm_dev *dev = fc->dev;
3882 -+ int r = 0;
3883 -
3884 -- return __blkdev_driver_ioctl(fc->dev->bdev, fc->dev->mode, cmd, arg);
3885 -+ /*
3886 -+ * Only pass ioctls through if the device sizes match exactly.
3887 -+ */
3888 -+ if (fc->start ||
3889 -+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
3890 -+ r = scsi_verify_blk_ioctl(NULL, cmd);
3891 -+
3892 -+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
3893 - }
3894 -
3895 - static int flakey_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
3896 -diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
3897 -index 3921e3b..9728839 100644
3898 ---- a/drivers/md/dm-linear.c
3899 -+++ b/drivers/md/dm-linear.c
3900 -@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
3901 - unsigned long arg)
3902 - {
3903 - struct linear_c *lc = (struct linear_c *) ti->private;
3904 -- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
3905 -+ struct dm_dev *dev = lc->dev;
3906 -+ int r = 0;
3907 -+
3908 -+ /*
3909 -+ * Only pass ioctls through if the device sizes match exactly.
3910 -+ */
3911 -+ if (lc->start ||
3912 -+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
3913 -+ r = scsi_verify_blk_ioctl(NULL, cmd);
3914 -+
3915 -+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
3916 - }
3917 -
3918 - static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
3919 -diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
3920 -index 5e0090e..801d92d 100644
3921 ---- a/drivers/md/dm-mpath.c
3922 -+++ b/drivers/md/dm-mpath.c
3923 -@@ -1520,6 +1520,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
3924 -
3925 - spin_unlock_irqrestore(&m->lock, flags);
3926 -
3927 -+ /*
3928 -+ * Only pass ioctls through if the device sizes match exactly.
3929 -+ */
3930 -+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
3931 -+ r = scsi_verify_blk_ioctl(NULL, cmd);
3932 -+
3933 - return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
3934 - }
3935 -
3936 -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
3937 -index ede2461..7d9e071 100644
3938 ---- a/drivers/md/raid1.c
3939 -+++ b/drivers/md/raid1.c
3940 -@@ -525,8 +525,17 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect
3941 - if (test_bit(WriteMostly, &rdev->flags)) {
3942 - /* Don't balance among write-mostly, just
3943 - * use the first as a last resort */
3944 -- if (best_disk < 0)
3945 -+ if (best_disk < 0) {
3946 -+ if (is_badblock(rdev, this_sector, sectors,
3947 -+ &first_bad, &bad_sectors)) {
3948 -+ if (first_bad < this_sector)
3949 -+ /* Cannot use this */
3950 -+ continue;
3951 -+ best_good_sectors = first_bad - this_sector;
3952 -+ } else
3953 -+ best_good_sectors = sectors;
3954 - best_disk = disk;
3955 -+ }
3956 - continue;
3957 - }
3958 - /* This is a reasonable device to use. It might
3959 -diff --git a/drivers/media/video/cx23885/cx23885-dvb.c b/drivers/media/video/cx23885/cx23885-dvb.c
3960 -index bcb45be..f0482b2 100644
3961 ---- a/drivers/media/video/cx23885/cx23885-dvb.c
3962 -+++ b/drivers/media/video/cx23885/cx23885-dvb.c
3963 -@@ -940,6 +940,11 @@ static int dvb_register(struct cx23885_tsport *port)
3964 -
3965 - fe = dvb_attach(xc4000_attach, fe0->dvb.frontend,
3966 - &dev->i2c_bus[1].i2c_adap, &cfg);
3967 -+ if (!fe) {
3968 -+ printk(KERN_ERR "%s/2: xc4000 attach failed\n",
3969 -+ dev->name);
3970 -+ goto frontend_detach;
3971 -+ }
3972 - }
3973 - break;
3974 - case CX23885_BOARD_TBS_6920:
3975 -diff --git a/drivers/media/video/cx88/cx88-cards.c b/drivers/media/video/cx88/cx88-cards.c
3976 -index 0d719fa..3929d93 100644
3977 ---- a/drivers/media/video/cx88/cx88-cards.c
3978 -+++ b/drivers/media/video/cx88/cx88-cards.c
3979 -@@ -1573,8 +1573,8 @@ static const struct cx88_board cx88_boards[] = {
3980 - .name = "Pinnacle Hybrid PCTV",
3981 - .tuner_type = TUNER_XC2028,
3982 - .tuner_addr = 0x61,
3983 -- .radio_type = TUNER_XC2028,
3984 -- .radio_addr = 0x61,
3985 -+ .radio_type = UNSET,
3986 -+ .radio_addr = ADDR_UNSET,
3987 - .input = { {
3988 - .type = CX88_VMUX_TELEVISION,
3989 - .vmux = 0,
3990 -@@ -1611,8 +1611,8 @@ static const struct cx88_board cx88_boards[] = {
3991 - .name = "Leadtek TV2000 XP Global",
3992 - .tuner_type = TUNER_XC2028,
3993 - .tuner_addr = 0x61,
3994 -- .radio_type = TUNER_XC2028,
3995 -- .radio_addr = 0x61,
3996 -+ .radio_type = UNSET,
3997 -+ .radio_addr = ADDR_UNSET,
3998 - .input = { {
3999 - .type = CX88_VMUX_TELEVISION,
4000 - .vmux = 0,
4001 -@@ -2043,8 +2043,8 @@ static const struct cx88_board cx88_boards[] = {
4002 - .name = "Terratec Cinergy HT PCI MKII",
4003 - .tuner_type = TUNER_XC2028,
4004 - .tuner_addr = 0x61,
4005 -- .radio_type = TUNER_XC2028,
4006 -- .radio_addr = 0x61,
4007 -+ .radio_type = UNSET,
4008 -+ .radio_addr = ADDR_UNSET,
4009 - .input = { {
4010 - .type = CX88_VMUX_TELEVISION,
4011 - .vmux = 0,
4012 -@@ -2082,9 +2082,9 @@ static const struct cx88_board cx88_boards[] = {
4013 - [CX88_BOARD_WINFAST_DTV1800H] = {
4014 - .name = "Leadtek WinFast DTV1800 Hybrid",
4015 - .tuner_type = TUNER_XC2028,
4016 -- .radio_type = TUNER_XC2028,
4017 -+ .radio_type = UNSET,
4018 - .tuner_addr = 0x61,
4019 -- .radio_addr = 0x61,
4020 -+ .radio_addr = ADDR_UNSET,
4021 - /*
4022 - * GPIO setting
4023 - *
4024 -@@ -2123,9 +2123,9 @@ static const struct cx88_board cx88_boards[] = {
4025 - [CX88_BOARD_WINFAST_DTV1800H_XC4000] = {
4026 - .name = "Leadtek WinFast DTV1800 H (XC4000)",
4027 - .tuner_type = TUNER_XC4000,
4028 -- .radio_type = TUNER_XC4000,
4029 -+ .radio_type = UNSET,
4030 - .tuner_addr = 0x61,
4031 -- .radio_addr = 0x61,
4032 -+ .radio_addr = ADDR_UNSET,
4033 - /*
4034 - * GPIO setting
4035 - *
4036 -@@ -2164,9 +2164,9 @@ static const struct cx88_board cx88_boards[] = {
4037 - [CX88_BOARD_WINFAST_DTV2000H_PLUS] = {
4038 - .name = "Leadtek WinFast DTV2000 H PLUS",
4039 - .tuner_type = TUNER_XC4000,
4040 -- .radio_type = TUNER_XC4000,
4041 -+ .radio_type = UNSET,
4042 - .tuner_addr = 0x61,
4043 -- .radio_addr = 0x61,
4044 -+ .radio_addr = ADDR_UNSET,
4045 - /*
4046 - * GPIO
4047 - * 2: 1: mute audio
4048 -diff --git a/drivers/media/video/uvc/uvc_v4l2.c b/drivers/media/video/uvc/uvc_v4l2.c
4049 -index dadf11f..cf7788f 100644
4050 ---- a/drivers/media/video/uvc/uvc_v4l2.c
4051 -+++ b/drivers/media/video/uvc/uvc_v4l2.c
4052 -@@ -58,6 +58,15 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain,
4053 - break;
4054 -
4055 - case V4L2_CTRL_TYPE_MENU:
4056 -+ /* Prevent excessive memory consumption, as well as integer
4057 -+ * overflows.
4058 -+ */
4059 -+ if (xmap->menu_count == 0 ||
4060 -+ xmap->menu_count > UVC_MAX_CONTROL_MENU_ENTRIES) {
4061 -+ ret = -EINVAL;
4062 -+ goto done;
4063 -+ }
4064 -+
4065 - size = xmap->menu_count * sizeof(*map->menu_info);
4066 - map->menu_info = kmalloc(size, GFP_KERNEL);
4067 - if (map->menu_info == NULL) {
4068 -diff --git a/drivers/media/video/uvc/uvcvideo.h b/drivers/media/video/uvc/uvcvideo.h
4069 -index 4c1392e..bc446ba 100644
4070 ---- a/drivers/media/video/uvc/uvcvideo.h
4071 -+++ b/drivers/media/video/uvc/uvcvideo.h
4072 -@@ -113,6 +113,7 @@
4073 -
4074 - /* Maximum allowed number of control mappings per device */
4075 - #define UVC_MAX_CONTROL_MAPPINGS 1024
4076 -+#define UVC_MAX_CONTROL_MENU_ENTRIES 32
4077 -
4078 - /* Devices quirks */
4079 - #define UVC_QUIRK_STATUS_INTERVAL 0x00000001
4080 -diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
4081 -index e1da8fc..639abee 100644
4082 ---- a/drivers/media/video/v4l2-ioctl.c
4083 -+++ b/drivers/media/video/v4l2-ioctl.c
4084 -@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
4085 - struct v4l2_ext_controls *ctrls = parg;
4086 -
4087 - if (ctrls->count != 0) {
4088 -+ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
4089 -+ ret = -EINVAL;
4090 -+ break;
4091 -+ }
4092 - *user_ptr = (void __user *)ctrls->controls;
4093 - *kernel_ptr = (void *)&ctrls->controls;
4094 - *array_size = sizeof(struct v4l2_ext_control)
4095 -diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
4096 -index d240427..fb7c27f 100644
4097 ---- a/drivers/mmc/core/mmc.c
4098 -+++ b/drivers/mmc/core/mmc.c
4099 -@@ -1048,7 +1048,7 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr,
4100 - *
4101 - * WARNING: eMMC rules are NOT the same as SD DDR
4102 - */
4103 -- if (ddr == EXT_CSD_CARD_TYPE_DDR_1_2V) {
4104 -+ if (ddr == MMC_1_2V_DDR_MODE) {
4105 - err = mmc_set_signal_voltage(host,
4106 - MMC_SIGNAL_VOLTAGE_120, 0);
4107 - if (err)
4108 -diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
4109 -index 19ed580..6ce32a7 100644
4110 ---- a/drivers/mmc/host/sdhci.c
4111 -+++ b/drivers/mmc/host/sdhci.c
4112 -@@ -1364,8 +1364,7 @@ static void sdhci_do_set_ios(struct sdhci_host *host, struct mmc_ios *ios)
4113 - if ((ios->timing == MMC_TIMING_UHS_SDR50) ||
4114 - (ios->timing == MMC_TIMING_UHS_SDR104) ||
4115 - (ios->timing == MMC_TIMING_UHS_DDR50) ||
4116 -- (ios->timing == MMC_TIMING_UHS_SDR25) ||
4117 -- (ios->timing == MMC_TIMING_UHS_SDR12))
4118 -+ (ios->timing == MMC_TIMING_UHS_SDR25))
4119 - ctrl |= SDHCI_CTRL_HISPD;
4120 -
4121 - ctrl_2 = sdhci_readw(host, SDHCI_HOST_CONTROL2);
4122 -@@ -2336,9 +2335,8 @@ int sdhci_suspend_host(struct sdhci_host *host)
4123 - /* Disable tuning since we are suspending */
4124 - if (host->version >= SDHCI_SPEC_300 && host->tuning_count &&
4125 - host->tuning_mode == SDHCI_TUNING_MODE_1) {
4126 -+ del_timer_sync(&host->tuning_timer);
4127 - host->flags &= ~SDHCI_NEEDS_RETUNING;
4128 -- mod_timer(&host->tuning_timer, jiffies +
4129 -- host->tuning_count * HZ);
4130 - }
4131 -
4132 - ret = mmc_suspend_host(host->mmc);
4133 -diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
4134 -index ed8b5e7..424ca5f 100644
4135 ---- a/drivers/mtd/mtd_blkdevs.c
4136 -+++ b/drivers/mtd/mtd_blkdevs.c
4137 -@@ -215,7 +215,7 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
4138 -
4139 - mutex_lock(&dev->lock);
4140 -
4141 -- if (dev->open++)
4142 -+ if (dev->open)
4143 - goto unlock;
4144 -
4145 - kref_get(&dev->ref);
4146 -@@ -235,6 +235,7 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
4147 - goto error_release;
4148 -
4149 - unlock:
4150 -+ dev->open++;
4151 - mutex_unlock(&dev->lock);
4152 - blktrans_dev_put(dev);
4153 - return ret;
4154 -diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
4155 -index 1e2fa62..f3cdce9 100644
4156 ---- a/drivers/mtd/mtdoops.c
4157 -+++ b/drivers/mtd/mtdoops.c
4158 -@@ -253,6 +253,9 @@ static void find_next_position(struct mtdoops_context *cxt)
4159 - size_t retlen;
4160 -
4161 - for (page = 0; page < cxt->oops_pages; page++) {
4162 -+ if (mtd->block_isbad &&
4163 -+ mtd->block_isbad(mtd, page * record_size))
4164 -+ continue;
4165 - /* Assume the page is used */
4166 - mark_page_used(cxt, page);
4167 - ret = mtd->read(mtd, page * record_size, MTDOOPS_HEADER_SIZE,
4168 -@@ -369,7 +372,7 @@ static void mtdoops_notify_add(struct mtd_info *mtd)
4169 -
4170 - /* oops_page_used is a bit field */
4171 - cxt->oops_page_used = vmalloc(DIV_ROUND_UP(mtdoops_pages,
4172 -- BITS_PER_LONG));
4173 -+ BITS_PER_LONG) * sizeof(unsigned long));
4174 - if (!cxt->oops_page_used) {
4175 - printk(KERN_ERR "mtdoops: could not allocate page array\n");
4176 - return;
4177 -diff --git a/drivers/mtd/tests/mtd_stresstest.c b/drivers/mtd/tests/mtd_stresstest.c
4178 -index 52ffd91..811642f 100644
4179 ---- a/drivers/mtd/tests/mtd_stresstest.c
4180 -+++ b/drivers/mtd/tests/mtd_stresstest.c
4181 -@@ -284,6 +284,12 @@ static int __init mtd_stresstest_init(void)
4182 - (unsigned long long)mtd->size, mtd->erasesize,
4183 - pgsize, ebcnt, pgcnt, mtd->oobsize);
4184 -
4185 -+ if (ebcnt < 2) {
4186 -+ printk(PRINT_PREF "error: need at least 2 eraseblocks\n");
4187 -+ err = -ENOSPC;
4188 -+ goto out_put_mtd;
4189 -+ }
4190 -+
4191 - /* Read or write up 2 eraseblocks at a time */
4192 - bufsize = mtd->erasesize * 2;
4193 -
4194 -@@ -322,6 +328,7 @@ out:
4195 - kfree(bbt);
4196 - vfree(writebuf);
4197 - vfree(readbuf);
4198 -+out_put_mtd:
4199 - put_mtd_device(mtd);
4200 - if (err)
4201 - printk(PRINT_PREF "error %d occurred\n", err);
4202 -diff --git a/drivers/mtd/ubi/cdev.c b/drivers/mtd/ubi/cdev.c
4203 -index 3320a50..ad76592 100644
4204 ---- a/drivers/mtd/ubi/cdev.c
4205 -+++ b/drivers/mtd/ubi/cdev.c
4206 -@@ -632,6 +632,9 @@ static int verify_mkvol_req(const struct ubi_device *ubi,
4207 - if (req->alignment != 1 && n)
4208 - goto bad;
4209 -
4210 -+ if (!req->name[0] || !req->name_len)
4211 -+ goto bad;
4212 -+
4213 - if (req->name_len > UBI_VOL_NAME_MAX) {
4214 - err = -ENAMETOOLONG;
4215 - goto bad;
4216 -diff --git a/drivers/mtd/ubi/debug.h b/drivers/mtd/ubi/debug.h
4217 -index 64fbb00..ead2cd1 100644
4218 ---- a/drivers/mtd/ubi/debug.h
4219 -+++ b/drivers/mtd/ubi/debug.h
4220 -@@ -43,7 +43,10 @@
4221 - pr_debug("UBI DBG " type ": " fmt "\n", ##__VA_ARGS__)
4222 -
4223 - /* Just a debugging messages not related to any specific UBI subsystem */
4224 --#define dbg_msg(fmt, ...) ubi_dbg_msg("msg", fmt, ##__VA_ARGS__)
4225 -+#define dbg_msg(fmt, ...) \
4226 -+ printk(KERN_DEBUG "UBI DBG (pid %d): %s: " fmt "\n", \
4227 -+ current->pid, __func__, ##__VA_ARGS__)
4228 -+
4229 - /* General debugging messages */
4230 - #define dbg_gen(fmt, ...) ubi_dbg_msg("gen", fmt, ##__VA_ARGS__)
4231 - /* Messages from the eraseblock association sub-system */
4232 -diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
4233 -index fb7f19b..cd26da8 100644
4234 ---- a/drivers/mtd/ubi/eba.c
4235 -+++ b/drivers/mtd/ubi/eba.c
4236 -@@ -1028,12 +1028,14 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to,
4237 - * 'ubi_wl_put_peb()' function on the @ubi->move_mutex. In turn, we are
4238 - * holding @ubi->move_mutex and go sleep on the LEB lock. So, if the
4239 - * LEB is already locked, we just do not move it and return
4240 -- * %MOVE_CANCEL_RACE, which means that UBI will re-try, but later.
4241 -+ * %MOVE_RETRY. Note, we do not return %MOVE_CANCEL_RACE here because
4242 -+ * we do not know the reasons of the contention - it may be just a
4243 -+ * normal I/O on this LEB, so we want to re-try.
4244 - */
4245 - err = leb_write_trylock(ubi, vol_id, lnum);
4246 - if (err) {
4247 - dbg_wl("contention on LEB %d:%d, cancel", vol_id, lnum);
4248 -- return MOVE_CANCEL_RACE;
4249 -+ return MOVE_RETRY;
4250 - }
4251 -
4252 - /*
4253 -diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h
4254 -index dc64c76..d51d75d 100644
4255 ---- a/drivers/mtd/ubi/ubi.h
4256 -+++ b/drivers/mtd/ubi/ubi.h
4257 -@@ -120,6 +120,7 @@ enum {
4258 - * PEB
4259 - * MOVE_CANCEL_BITFLIPS: canceled because a bit-flip was detected in the
4260 - * target PEB
4261 -+ * MOVE_RETRY: retry scrubbing the PEB
4262 - */
4263 - enum {
4264 - MOVE_CANCEL_RACE = 1,
4265 -@@ -127,6 +128,7 @@ enum {
4266 - MOVE_TARGET_RD_ERR,
4267 - MOVE_TARGET_WR_ERR,
4268 - MOVE_CANCEL_BITFLIPS,
4269 -+ MOVE_RETRY,
4270 - };
4271 -
4272 - /**
4273 -diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c
4274 -index 9ad18da..890754c 100644
4275 ---- a/drivers/mtd/ubi/vtbl.c
4276 -+++ b/drivers/mtd/ubi/vtbl.c
4277 -@@ -306,7 +306,7 @@ static int create_vtbl(struct ubi_device *ubi, struct ubi_scan_info *si,
4278 - int copy, void *vtbl)
4279 - {
4280 - int err, tries = 0;
4281 -- static struct ubi_vid_hdr *vid_hdr;
4282 -+ struct ubi_vid_hdr *vid_hdr;
4283 - struct ubi_scan_leb *new_seb;
4284 -
4285 - ubi_msg("create volume table (copy #%d)", copy + 1);
4286 -diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
4287 -index 42c684c..0696e36 100644
4288 ---- a/drivers/mtd/ubi/wl.c
4289 -+++ b/drivers/mtd/ubi/wl.c
4290 -@@ -795,7 +795,10 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
4291 - protect = 1;
4292 - goto out_not_moved;
4293 - }
4294 --
4295 -+ if (err == MOVE_RETRY) {
4296 -+ scrubbing = 1;
4297 -+ goto out_not_moved;
4298 -+ }
4299 - if (err == MOVE_CANCEL_BITFLIPS || err == MOVE_TARGET_WR_ERR ||
4300 - err == MOVE_TARGET_RD_ERR) {
4301 - /*
4302 -@@ -1049,7 +1052,6 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
4303 -
4304 - ubi_err("failed to erase PEB %d, error %d", pnum, err);
4305 - kfree(wl_wrk);
4306 -- kmem_cache_free(ubi_wl_entry_slab, e);
4307 -
4308 - if (err == -EINTR || err == -ENOMEM || err == -EAGAIN ||
4309 - err == -EBUSY) {
4310 -@@ -1062,14 +1064,16 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
4311 - goto out_ro;
4312 - }
4313 - return err;
4314 -- } else if (err != -EIO) {
4315 -+ }
4316 -+
4317 -+ kmem_cache_free(ubi_wl_entry_slab, e);
4318 -+ if (err != -EIO)
4319 - /*
4320 - * If this is not %-EIO, we have no idea what to do. Scheduling
4321 - * this physical eraseblock for erasure again would cause
4322 - * errors again and again. Well, lets switch to R/O mode.
4323 - */
4324 - goto out_ro;
4325 -- }
4326 -
4327 - /* It is %-EIO, the PEB went bad */
4328 -
4329 -diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c
4330 -index dd2625a..f5e063a 100644
4331 ---- a/drivers/net/usb/asix.c
4332 -+++ b/drivers/net/usb/asix.c
4333 -@@ -974,6 +974,7 @@ static int ax88772_link_reset(struct usbnet *dev)
4334 -
4335 - static int ax88772_reset(struct usbnet *dev)
4336 - {
4337 -+ struct asix_data *data = (struct asix_data *)&dev->data;
4338 - int ret, embd_phy;
4339 - u16 rx_ctl;
4340 -
4341 -@@ -1051,6 +1052,13 @@ static int ax88772_reset(struct usbnet *dev)
4342 - goto out;
4343 - }
4344 -
4345 -+ /* Rewrite MAC address */
4346 -+ memcpy(data->mac_addr, dev->net->dev_addr, ETH_ALEN);
4347 -+ ret = asix_write_cmd(dev, AX_CMD_WRITE_NODE_ID, 0, 0, ETH_ALEN,
4348 -+ data->mac_addr);
4349 -+ if (ret < 0)
4350 -+ goto out;
4351 -+
4352 - /* Set RX_CTL to default values with 2k buffer, and enable cactus */
4353 - ret = asix_write_rx_ctl(dev, AX_DEFAULT_RX_CTL);
4354 - if (ret < 0)
4355 -@@ -1316,6 +1324,13 @@ static int ax88178_reset(struct usbnet *dev)
4356 - if (ret < 0)
4357 - return ret;
4358 -
4359 -+ /* Rewrite MAC address */
4360 -+ memcpy(data->mac_addr, dev->net->dev_addr, ETH_ALEN);
4361 -+ ret = asix_write_cmd(dev, AX_CMD_WRITE_NODE_ID, 0, 0, ETH_ALEN,
4362 -+ data->mac_addr);
4363 -+ if (ret < 0)
4364 -+ return ret;
4365 -+
4366 - ret = asix_write_rx_ctl(dev, AX_DEFAULT_RX_CTL);
4367 - if (ret < 0)
4368 - return ret;
4369 -diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
4370 -index ccde784..f5ae3c6 100644
4371 ---- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
4372 -+++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
4373 -@@ -526,10 +526,11 @@ int ath9k_hw_process_rxdesc_edma(struct ath_hw *ah, struct ath_rx_status *rxs,
4374 - rxs->rs_status |= ATH9K_RXERR_DECRYPT;
4375 - else if (rxsp->status11 & AR_MichaelErr)
4376 - rxs->rs_status |= ATH9K_RXERR_MIC;
4377 -- if (rxsp->status11 & AR_KeyMiss)
4378 -- rxs->rs_status |= ATH9K_RXERR_KEYMISS;
4379 - }
4380 -
4381 -+ if (rxsp->status11 & AR_KeyMiss)
4382 -+ rxs->rs_status |= ATH9K_RXERR_KEYMISS;
4383 -+
4384 - return 0;
4385 - }
4386 - EXPORT_SYMBOL(ath9k_hw_process_rxdesc_edma);
4387 -diff --git a/drivers/net/wireless/ath/ath9k/calib.c b/drivers/net/wireless/ath/ath9k/calib.c
4388 -index 9953881..8ddef3e 100644
4389 ---- a/drivers/net/wireless/ath/ath9k/calib.c
4390 -+++ b/drivers/net/wireless/ath/ath9k/calib.c
4391 -@@ -402,6 +402,7 @@ bool ath9k_hw_getnf(struct ath_hw *ah, struct ath9k_channel *chan)
4392 - ah->noise = ath9k_hw_getchan_noise(ah, chan);
4393 - return true;
4394 - }
4395 -+EXPORT_SYMBOL(ath9k_hw_getnf);
4396 -
4397 - void ath9k_init_nfcal_hist_buffer(struct ath_hw *ah,
4398 - struct ath9k_channel *chan)
4399 -diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c
4400 -index ecdb6fd..bbcb777 100644
4401 ---- a/drivers/net/wireless/ath/ath9k/mac.c
4402 -+++ b/drivers/net/wireless/ath/ath9k/mac.c
4403 -@@ -621,10 +621,11 @@ int ath9k_hw_rxprocdesc(struct ath_hw *ah, struct ath_desc *ds,
4404 - rs->rs_status |= ATH9K_RXERR_DECRYPT;
4405 - else if (ads.ds_rxstatus8 & AR_MichaelErr)
4406 - rs->rs_status |= ATH9K_RXERR_MIC;
4407 -- if (ads.ds_rxstatus8 & AR_KeyMiss)
4408 -- rs->rs_status |= ATH9K_RXERR_KEYMISS;
4409 - }
4410 -
4411 -+ if (ads.ds_rxstatus8 & AR_KeyMiss)
4412 -+ rs->rs_status |= ATH9K_RXERR_KEYMISS;
4413 -+
4414 - return 0;
4415 - }
4416 - EXPORT_SYMBOL(ath9k_hw_rxprocdesc);
4417 -diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
4418 -index a9c5ae7..f76a814 100644
4419 ---- a/drivers/net/wireless/ath/ath9k/main.c
4420 -+++ b/drivers/net/wireless/ath/ath9k/main.c
4421 -@@ -1667,7 +1667,6 @@ static int ath9k_config(struct ieee80211_hw *hw, u32 changed)
4422 -
4423 - if (changed & IEEE80211_CONF_CHANGE_CHANNEL) {
4424 - struct ieee80211_channel *curchan = hw->conf.channel;
4425 -- struct ath9k_channel old_chan;
4426 - int pos = curchan->hw_value;
4427 - int old_pos = -1;
4428 - unsigned long flags;
4429 -@@ -1693,11 +1692,8 @@ static int ath9k_config(struct ieee80211_hw *hw, u32 changed)
4430 - * Preserve the current channel values, before updating
4431 - * the same channel
4432 - */
4433 -- if (old_pos == pos) {
4434 -- memcpy(&old_chan, &sc->sc_ah->channels[pos],
4435 -- sizeof(struct ath9k_channel));
4436 -- ah->curchan = &old_chan;
4437 -- }
4438 -+ if (ah->curchan && (old_pos == pos))
4439 -+ ath9k_hw_getnf(ah, ah->curchan);
4440 -
4441 - ath9k_cmn_update_ichannel(&sc->sc_ah->channels[pos],
4442 - curchan, conf->channel_type);
4443 -diff --git a/drivers/net/wireless/iwlegacy/iwl3945-base.c b/drivers/net/wireless/iwlegacy/iwl3945-base.c
4444 -index b282d86..05f2ad1 100644
4445 ---- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
4446 -+++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c
4447 -@@ -2656,14 +2656,13 @@ int iwl3945_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
4448 - IWL_WARN(priv, "Invalid scan band\n");
4449 - return -EIO;
4450 - }
4451 --
4452 - /*
4453 -- * If active scaning is requested but a certain channel
4454 -- * is marked passive, we can do active scanning if we
4455 -- * detect transmissions.
4456 -+ * If active scaning is requested but a certain channel is marked
4457 -+ * passive, we can do active scanning if we detect transmissions. For
4458 -+ * passive only scanning disable switching to active on any channel.
4459 - */
4460 - scan->good_CRC_th = is_active ? IWL_GOOD_CRC_TH_DEFAULT :
4461 -- IWL_GOOD_CRC_TH_DISABLED;
4462 -+ IWL_GOOD_CRC_TH_NEVER;
4463 -
4464 - len = iwl_legacy_fill_probe_req(priv, (struct ieee80211_mgmt *)scan->data,
4465 - vif->addr, priv->scan_request->ie,
4466 -diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
4467 -index 1a52ed2..6465983 100644
4468 ---- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
4469 -+++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
4470 -@@ -827,6 +827,7 @@ static int iwl_get_idle_rx_chain_count(struct iwl_priv *priv, int active_cnt)
4471 - case IEEE80211_SMPS_STATIC:
4472 - case IEEE80211_SMPS_DYNAMIC:
4473 - return IWL_NUM_IDLE_CHAINS_SINGLE;
4474 -+ case IEEE80211_SMPS_AUTOMATIC:
4475 - case IEEE80211_SMPS_OFF:
4476 - return active_cnt;
4477 - default:
4478 -diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
4479 -index 5c7c17c..d552fa3 100644
4480 ---- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
4481 -+++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
4482 -@@ -559,6 +559,9 @@ int iwlagn_mac_config(struct ieee80211_hw *hw, u32 changed)
4483 -
4484 - mutex_lock(&priv->shrd->mutex);
4485 -
4486 -+ if (test_bit(STATUS_EXIT_PENDING, &priv->shrd->status))
4487 -+ goto out;
4488 -+
4489 - if (unlikely(test_bit(STATUS_SCANNING, &priv->shrd->status))) {
4490 - IWL_DEBUG_MAC80211(priv, "leave - scanning\n");
4491 - goto out;
4492 -diff --git a/drivers/net/wireless/rt2x00/rt2800pci.c b/drivers/net/wireless/rt2x00/rt2800pci.c
4493 -index da48c8a..837b460 100644
4494 ---- a/drivers/net/wireless/rt2x00/rt2800pci.c
4495 -+++ b/drivers/net/wireless/rt2x00/rt2800pci.c
4496 -@@ -422,7 +422,6 @@ static int rt2800pci_init_queues(struct rt2x00_dev *rt2x00dev)
4497 - static void rt2800pci_toggle_irq(struct rt2x00_dev *rt2x00dev,
4498 - enum dev_state state)
4499 - {
4500 -- int mask = (state == STATE_RADIO_IRQ_ON);
4501 - u32 reg;
4502 - unsigned long flags;
4503 -
4504 -@@ -436,25 +435,14 @@ static void rt2800pci_toggle_irq(struct rt2x00_dev *rt2x00dev,
4505 - }
4506 -
4507 - spin_lock_irqsave(&rt2x00dev->irqmask_lock, flags);
4508 -- rt2x00pci_register_read(rt2x00dev, INT_MASK_CSR, &reg);
4509 -- rt2x00_set_field32(&reg, INT_MASK_CSR_RXDELAYINT, 0);
4510 -- rt2x00_set_field32(&reg, INT_MASK_CSR_TXDELAYINT, 0);
4511 -- rt2x00_set_field32(&reg, INT_MASK_CSR_RX_DONE, mask);
4512 -- rt2x00_set_field32(&reg, INT_MASK_CSR_AC0_DMA_DONE, 0);
4513 -- rt2x00_set_field32(&reg, INT_MASK_CSR_AC1_DMA_DONE, 0);
4514 -- rt2x00_set_field32(&reg, INT_MASK_CSR_AC2_DMA_DONE, 0);
4515 -- rt2x00_set_field32(&reg, INT_MASK_CSR_AC3_DMA_DONE, 0);
4516 -- rt2x00_set_field32(&reg, INT_MASK_CSR_HCCA_DMA_DONE, 0);
4517 -- rt2x00_set_field32(&reg, INT_MASK_CSR_MGMT_DMA_DONE, 0);
4518 -- rt2x00_set_field32(&reg, INT_MASK_CSR_MCU_COMMAND, 0);
4519 -- rt2x00_set_field32(&reg, INT_MASK_CSR_RXTX_COHERENT, 0);
4520 -- rt2x00_set_field32(&reg, INT_MASK_CSR_TBTT, mask);
4521 -- rt2x00_set_field32(&reg, INT_MASK_CSR_PRE_TBTT, mask);
4522 -- rt2x00_set_field32(&reg, INT_MASK_CSR_TX_FIFO_STATUS, mask);
4523 -- rt2x00_set_field32(&reg, INT_MASK_CSR_AUTO_WAKEUP, mask);
4524 -- rt2x00_set_field32(&reg, INT_MASK_CSR_GPTIMER, 0);
4525 -- rt2x00_set_field32(&reg, INT_MASK_CSR_RX_COHERENT, 0);
4526 -- rt2x00_set_field32(&reg, INT_MASK_CSR_TX_COHERENT, 0);
4527 -+ reg = 0;
4528 -+ if (state == STATE_RADIO_IRQ_ON) {
4529 -+ rt2x00_set_field32(&reg, INT_MASK_CSR_RX_DONE, 1);
4530 -+ rt2x00_set_field32(&reg, INT_MASK_CSR_TBTT, 1);
4531 -+ rt2x00_set_field32(&reg, INT_MASK_CSR_PRE_TBTT, 1);
4532 -+ rt2x00_set_field32(&reg, INT_MASK_CSR_TX_FIFO_STATUS, 1);
4533 -+ rt2x00_set_field32(&reg, INT_MASK_CSR_AUTO_WAKEUP, 1);
4534 -+ }
4535 - rt2x00pci_register_write(rt2x00dev, INT_MASK_CSR, reg);
4536 - spin_unlock_irqrestore(&rt2x00dev->irqmask_lock, flags);
4537 -
4538 -diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/fw.c b/drivers/net/wireless/rtlwifi/rtl8192se/fw.c
4539 -index 6f91a14..3fda6b1 100644
4540 ---- a/drivers/net/wireless/rtlwifi/rtl8192se/fw.c
4541 -+++ b/drivers/net/wireless/rtlwifi/rtl8192se/fw.c
4542 -@@ -196,6 +196,8 @@ static bool _rtl92s_firmware_downloadcode(struct ieee80211_hw *hw,
4543 - /* Allocate skb buffer to contain firmware */
4544 - /* info and tx descriptor info. */
4545 - skb = dev_alloc_skb(frag_length);
4546 -+ if (!skb)
4547 -+ return false;
4548 - skb_reserve(skb, extra_descoffset);
4549 - seg_ptr = (u8 *)skb_put(skb, (u32)(frag_length -
4550 - extra_descoffset));
4551 -@@ -573,6 +575,8 @@ static bool _rtl92s_firmware_set_h2c_cmd(struct ieee80211_hw *hw, u8 h2c_cmd,
4552 -
4553 - len = _rtl92s_get_h2c_cmdlen(MAX_TRANSMIT_BUFFER_SIZE, 1, &cmd_len);
4554 - skb = dev_alloc_skb(len);
4555 -+ if (!skb)
4556 -+ return false;
4557 - cb_desc = (struct rtl_tcb_desc *)(skb->cb);
4558 - cb_desc->queue_index = TXCMD_QUEUE;
4559 - cb_desc->cmd_or_init = DESC_PACKET_TYPE_NORMAL;
4560 -diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
4561 -index 0e6d04d..e3efb43 100644
4562 ---- a/drivers/pci/msi.c
4563 -+++ b/drivers/pci/msi.c
4564 -@@ -870,5 +870,15 @@ EXPORT_SYMBOL(pci_msi_enabled);
4565 -
4566 - void pci_msi_init_pci_dev(struct pci_dev *dev)
4567 - {
4568 -+ int pos;
4569 - INIT_LIST_HEAD(&dev->msi_list);
4570 -+
4571 -+ /* Disable the msi hardware to avoid screaming interrupts
4572 -+ * during boot. This is the power on reset default so
4573 -+ * usually this should be a noop.
4574 -+ */
4575 -+ pos = pci_find_capability(dev, PCI_CAP_ID_MSI);
4576 -+ if (pos)
4577 -+ msi_set_enable(dev, pos, 0);
4578 -+ msix_set_enable(dev, 0);
4579 - }
4580 -diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c
4581 -index dfbd5a6..258fef2 100644
4582 ---- a/drivers/pnp/quirks.c
4583 -+++ b/drivers/pnp/quirks.c
4584 -@@ -295,6 +295,45 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
4585 - }
4586 - }
4587 -
4588 -+#ifdef CONFIG_AMD_NB
4589 -+
4590 -+#include <asm/amd_nb.h>
4591 -+
4592 -+static void quirk_amd_mmconfig_area(struct pnp_dev *dev)
4593 -+{
4594 -+ resource_size_t start, end;
4595 -+ struct pnp_resource *pnp_res;
4596 -+ struct resource *res;
4597 -+ struct resource mmconfig_res, *mmconfig;
4598 -+
4599 -+ mmconfig = amd_get_mmconfig_range(&mmconfig_res);
4600 -+ if (!mmconfig)
4601 -+ return;
4602 -+
4603 -+ list_for_each_entry(pnp_res, &dev->resources, list) {
4604 -+ res = &pnp_res->res;
4605 -+ if (res->end < mmconfig->start || res->start > mmconfig->end ||
4606 -+ (res->start == mmconfig->start && res->end == mmconfig->end))
4607 -+ continue;
4608 -+
4609 -+ dev_info(&dev->dev, FW_BUG
4610 -+ "%pR covers only part of AMD MMCONFIG area %pR; adding more reservations\n",
4611 -+ res, mmconfig);
4612 -+ if (mmconfig->start < res->start) {
4613 -+ start = mmconfig->start;
4614 -+ end = res->start - 1;
4615 -+ pnp_add_mem_resource(dev, start, end, 0);
4616 -+ }
4617 -+ if (mmconfig->end > res->end) {
4618 -+ start = res->end + 1;
4619 -+ end = mmconfig->end;
4620 -+ pnp_add_mem_resource(dev, start, end, 0);
4621 -+ }
4622 -+ break;
4623 -+ }
4624 -+}
4625 -+#endif
4626 -+
4627 - /*
4628 - * PnP Quirks
4629 - * Cards or devices that need some tweaking due to incomplete resource info
4630 -@@ -322,6 +361,9 @@ static struct pnp_fixup pnp_fixups[] = {
4631 - /* PnP resources that might overlap PCI BARs */
4632 - {"PNP0c01", quirk_system_pci_resources},
4633 - {"PNP0c02", quirk_system_pci_resources},
4634 -+#ifdef CONFIG_AMD_NB
4635 -+ {"PNP0c01", quirk_amd_mmconfig_area},
4636 -+#endif
4637 - {""}
4638 - };
4639 -
4640 -diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
4641 -index 8e28625..8a1c031 100644
4642 ---- a/drivers/rtc/interface.c
4643 -+++ b/drivers/rtc/interface.c
4644 -@@ -228,11 +228,11 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
4645 - alarm->time.tm_hour = now.tm_hour;
4646 -
4647 - /* For simplicity, only support date rollover for now */
4648 -- if (alarm->time.tm_mday == -1) {
4649 -+ if (alarm->time.tm_mday < 1 || alarm->time.tm_mday > 31) {
4650 - alarm->time.tm_mday = now.tm_mday;
4651 - missing = day;
4652 - }
4653 -- if (alarm->time.tm_mon == -1) {
4654 -+ if ((unsigned)alarm->time.tm_mon >= 12) {
4655 - alarm->time.tm_mon = now.tm_mon;
4656 - if (missing == none)
4657 - missing = month;
4658 -diff --git a/drivers/scsi/mpt2sas/mpt2sas_base.c b/drivers/scsi/mpt2sas/mpt2sas_base.c
4659 -index beda04a..0794c72 100644
4660 ---- a/drivers/scsi/mpt2sas/mpt2sas_base.c
4661 -+++ b/drivers/scsi/mpt2sas/mpt2sas_base.c
4662 -@@ -65,6 +65,8 @@ static MPT_CALLBACK mpt_callbacks[MPT_MAX_CALLBACKS];
4663 -
4664 - #define FAULT_POLLING_INTERVAL 1000 /* in milliseconds */
4665 -
4666 -+#define MAX_HBA_QUEUE_DEPTH 30000
4667 -+#define MAX_CHAIN_DEPTH 100000
4668 - static int max_queue_depth = -1;
4669 - module_param(max_queue_depth, int, 0);
4670 - MODULE_PARM_DESC(max_queue_depth, " max controller queue depth ");
4671 -@@ -2311,8 +2313,6 @@ _base_release_memory_pools(struct MPT2SAS_ADAPTER *ioc)
4672 - }
4673 - if (ioc->chain_dma_pool)
4674 - pci_pool_destroy(ioc->chain_dma_pool);
4675 -- }
4676 -- if (ioc->chain_lookup) {
4677 - free_pages((ulong)ioc->chain_lookup, ioc->chain_pages);
4678 - ioc->chain_lookup = NULL;
4679 - }
4680 -@@ -2330,9 +2330,7 @@ static int
4681 - _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
4682 - {
4683 - struct mpt2sas_facts *facts;
4684 -- u32 queue_size, queue_diff;
4685 - u16 max_sge_elements;
4686 -- u16 num_of_reply_frames;
4687 - u16 chains_needed_per_io;
4688 - u32 sz, total_sz, reply_post_free_sz;
4689 - u32 retry_sz;
4690 -@@ -2359,7 +2357,8 @@ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
4691 - max_request_credit = (max_queue_depth < facts->RequestCredit)
4692 - ? max_queue_depth : facts->RequestCredit;
4693 - else
4694 -- max_request_credit = facts->RequestCredit;
4695 -+ max_request_credit = min_t(u16, facts->RequestCredit,
4696 -+ MAX_HBA_QUEUE_DEPTH);
4697 -
4698 - ioc->hba_queue_depth = max_request_credit;
4699 - ioc->hi_priority_depth = facts->HighPriorityCredit;
4700 -@@ -2400,50 +2399,25 @@ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
4701 - }
4702 - ioc->chains_needed_per_io = chains_needed_per_io;
4703 -
4704 -- /* reply free queue sizing - taking into account for events */
4705 -- num_of_reply_frames = ioc->hba_queue_depth + 32;
4706 --
4707 -- /* number of replies frames can't be a multiple of 16 */
4708 -- /* decrease number of reply frames by 1 */
4709 -- if (!(num_of_reply_frames % 16))
4710 -- num_of_reply_frames--;
4711 --
4712 -- /* calculate number of reply free queue entries
4713 -- * (must be multiple of 16)
4714 -- */
4715 --
4716 -- /* (we know reply_free_queue_depth is not a multiple of 16) */
4717 -- queue_size = num_of_reply_frames;
4718 -- queue_size += 16 - (queue_size % 16);
4719 -- ioc->reply_free_queue_depth = queue_size;
4720 --
4721 -- /* reply descriptor post queue sizing */
4722 -- /* this size should be the number of request frames + number of reply
4723 -- * frames
4724 -- */
4725 --
4726 -- queue_size = ioc->hba_queue_depth + num_of_reply_frames + 1;
4727 -- /* round up to 16 byte boundary */
4728 -- if (queue_size % 16)
4729 -- queue_size += 16 - (queue_size % 16);
4730 --
4731 -- /* check against IOC maximum reply post queue depth */
4732 -- if (queue_size > facts->MaxReplyDescriptorPostQueueDepth) {
4733 -- queue_diff = queue_size -
4734 -- facts->MaxReplyDescriptorPostQueueDepth;
4735 -+ /* reply free queue sizing - taking into account for 64 FW events */
4736 -+ ioc->reply_free_queue_depth = ioc->hba_queue_depth + 64;
4737 -
4738 -- /* round queue_diff up to multiple of 16 */
4739 -- if (queue_diff % 16)
4740 -- queue_diff += 16 - (queue_diff % 16);
4741 --
4742 -- /* adjust hba_queue_depth, reply_free_queue_depth,
4743 -- * and queue_size
4744 -- */
4745 -- ioc->hba_queue_depth -= (queue_diff / 2);
4746 -- ioc->reply_free_queue_depth -= (queue_diff / 2);
4747 -- queue_size = facts->MaxReplyDescriptorPostQueueDepth;
4748 -+ /* align the reply post queue on the next 16 count boundary */
4749 -+ if (!ioc->reply_free_queue_depth % 16)
4750 -+ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth + 16;
4751 -+ else
4752 -+ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth +
4753 -+ 32 - (ioc->reply_free_queue_depth % 16);
4754 -+ if (ioc->reply_post_queue_depth >
4755 -+ facts->MaxReplyDescriptorPostQueueDepth) {
4756 -+ ioc->reply_post_queue_depth = min_t(u16,
4757 -+ (facts->MaxReplyDescriptorPostQueueDepth -
4758 -+ (facts->MaxReplyDescriptorPostQueueDepth % 16)),
4759 -+ (ioc->hba_queue_depth - (ioc->hba_queue_depth % 16)));
4760 -+ ioc->reply_free_queue_depth = ioc->reply_post_queue_depth - 16;
4761 -+ ioc->hba_queue_depth = ioc->reply_free_queue_depth - 64;
4762 - }
4763 -- ioc->reply_post_queue_depth = queue_size;
4764 -+
4765 -
4766 - dinitprintk(ioc, printk(MPT2SAS_INFO_FMT "scatter gather: "
4767 - "sge_in_main_msg(%d), sge_per_chain(%d), sge_per_io(%d), "
4768 -@@ -2529,15 +2503,12 @@ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
4769 - "depth(%d)\n", ioc->name, ioc->request,
4770 - ioc->scsiio_depth));
4771 -
4772 -- /* loop till the allocation succeeds */
4773 -- do {
4774 -- sz = ioc->chain_depth * sizeof(struct chain_tracker);
4775 -- ioc->chain_pages = get_order(sz);
4776 -- ioc->chain_lookup = (struct chain_tracker *)__get_free_pages(
4777 -- GFP_KERNEL, ioc->chain_pages);
4778 -- if (ioc->chain_lookup == NULL)
4779 -- ioc->chain_depth -= 100;
4780 -- } while (ioc->chain_lookup == NULL);
4781 -+ ioc->chain_depth = min_t(u32, ioc->chain_depth, MAX_CHAIN_DEPTH);
4782 -+ sz = ioc->chain_depth * sizeof(struct chain_tracker);
4783 -+ ioc->chain_pages = get_order(sz);
4784 -+
4785 -+ ioc->chain_lookup = (struct chain_tracker *)__get_free_pages(
4786 -+ GFP_KERNEL, ioc->chain_pages);
4787 - ioc->chain_dma_pool = pci_pool_create("chain pool", ioc->pdev,
4788 - ioc->request_sz, 16, 0);
4789 - if (!ioc->chain_dma_pool) {
4790 -diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
4791 -index d570573..9bc6fb2 100644
4792 ---- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
4793 -+++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
4794 -@@ -1007,8 +1007,8 @@ _scsih_get_chain_buffer_tracker(struct MPT2SAS_ADAPTER *ioc, u16 smid)
4795 - spin_lock_irqsave(&ioc->scsi_lookup_lock, flags);
4796 - if (list_empty(&ioc->free_chain_list)) {
4797 - spin_unlock_irqrestore(&ioc->scsi_lookup_lock, flags);
4798 -- printk(MPT2SAS_WARN_FMT "chain buffers not available\n",
4799 -- ioc->name);
4800 -+ dfailprintk(ioc, printk(MPT2SAS_WARN_FMT "chain buffers not "
4801 -+ "available\n", ioc->name));
4802 - return NULL;
4803 - }
4804 - chain_req = list_entry(ioc->free_chain_list.next,
4805 -@@ -6714,6 +6714,7 @@ _scsih_mark_responding_raid_device(struct MPT2SAS_ADAPTER *ioc, u64 wwid,
4806 - } else
4807 - sas_target_priv_data = NULL;
4808 - raid_device->responding = 1;
4809 -+ spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
4810 - starget_printk(KERN_INFO, raid_device->starget,
4811 - "handle(0x%04x), wwid(0x%016llx)\n", handle,
4812 - (unsigned long long)raid_device->wwid);
4813 -@@ -6724,16 +6725,16 @@ _scsih_mark_responding_raid_device(struct MPT2SAS_ADAPTER *ioc, u64 wwid,
4814 - */
4815 - _scsih_init_warpdrive_properties(ioc, raid_device);
4816 - if (raid_device->handle == handle)
4817 -- goto out;
4818 -+ return;
4819 - printk(KERN_INFO "\thandle changed from(0x%04x)!!!\n",
4820 - raid_device->handle);
4821 - raid_device->handle = handle;
4822 - if (sas_target_priv_data)
4823 - sas_target_priv_data->handle = handle;
4824 -- goto out;
4825 -+ return;
4826 - }
4827 - }
4828 -- out:
4829 -+
4830 - spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
4831 - }
4832 -
4833 -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
4834 -index fa3a591..4b63c73 100644
4835 ---- a/drivers/scsi/sd.c
4836 -+++ b/drivers/scsi/sd.c
4837 -@@ -1074,6 +1074,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
4838 - SCSI_LOG_IOCTL(1, sd_printk(KERN_INFO, sdkp, "sd_ioctl: disk=%s, "
4839 - "cmd=0x%x\n", disk->disk_name, cmd));
4840 -
4841 -+ error = scsi_verify_blk_ioctl(bdev, cmd);
4842 -+ if (error < 0)
4843 -+ return error;
4844 -+
4845 - /*
4846 - * If we are in the middle of error recovery, don't let anyone
4847 - * else try and use this device. Also, if error recovery fails, it
4848 -@@ -1096,7 +1100,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
4849 - error = scsi_ioctl(sdp, cmd, p);
4850 - break;
4851 - default:
4852 -- error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
4853 -+ error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
4854 - if (error != -ENOTTY)
4855 - break;
4856 - error = scsi_ioctl(sdp, cmd, p);
4857 -@@ -1266,6 +1270,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
4858 - unsigned int cmd, unsigned long arg)
4859 - {
4860 - struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
4861 -+ int ret;
4862 -+
4863 -+ ret = scsi_verify_blk_ioctl(bdev, cmd);
4864 -+ if (ret < 0)
4865 -+ return -ENOIOCTLCMD;
4866 -
4867 - /*
4868 - * If we are in the middle of error recovery, don't let anyone
4869 -@@ -1277,8 +1286,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
4870 - return -ENODEV;
4871 -
4872 - if (sdev->host->hostt->compat_ioctl) {
4873 -- int ret;
4874 --
4875 - ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
4876 -
4877 - return ret;
4878 -diff --git a/drivers/scsi/sym53c8xx_2/sym_glue.c b/drivers/scsi/sym53c8xx_2/sym_glue.c
4879 -index b4543f5..36d1ed7 100644
4880 ---- a/drivers/scsi/sym53c8xx_2/sym_glue.c
4881 -+++ b/drivers/scsi/sym53c8xx_2/sym_glue.c
4882 -@@ -839,6 +839,10 @@ static void sym53c8xx_slave_destroy(struct scsi_device *sdev)
4883 - struct sym_lcb *lp = sym_lp(tp, sdev->lun);
4884 - unsigned long flags;
4885 -
4886 -+ /* if slave_alloc returned before allocating a sym_lcb, return */
4887 -+ if (!lp)
4888 -+ return;
4889 -+
4890 - spin_lock_irqsave(np->s.host->host_lock, flags);
4891 -
4892 - if (lp->busy_itlq || lp->busy_itl) {
4893 -diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c
4894 -index 831468b..2e8c1be 100644
4895 ---- a/drivers/target/target_core_cdb.c
4896 -+++ b/drivers/target/target_core_cdb.c
4897 -@@ -94,6 +94,18 @@ target_emulate_inquiry_std(struct se_cmd *cmd)
4898 - buf[2] = dev->transport->get_device_rev(dev);
4899 -
4900 - /*
4901 -+ * NORMACA and HISUP = 0, RESPONSE DATA FORMAT = 2
4902 -+ *
4903 -+ * SPC4 says:
4904 -+ * A RESPONSE DATA FORMAT field set to 2h indicates that the
4905 -+ * standard INQUIRY data is in the format defined in this
4906 -+ * standard. Response data format values less than 2h are
4907 -+ * obsolete. Response data format values greater than 2h are
4908 -+ * reserved.
4909 -+ */
4910 -+ buf[3] = 2;
4911 -+
4912 -+ /*
4913 - * Enable SCCS and TPGS fields for Emulated ALUA
4914 - */
4915 - if (dev->se_sub_dev->t10_alua.alua_type == SPC3_ALUA_EMULATED)
4916 -diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
4917 -index 0257658..e87d0eb 100644
4918 ---- a/drivers/target/target_core_transport.c
4919 -+++ b/drivers/target/target_core_transport.c
4920 -@@ -4353,6 +4353,7 @@ int transport_send_check_condition_and_sense(
4921 - case TCM_NON_EXISTENT_LUN:
4922 - /* CURRENT ERROR */
4923 - buffer[offset] = 0x70;
4924 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4925 - /* ILLEGAL REQUEST */
4926 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
4927 - /* LOGICAL UNIT NOT SUPPORTED */
4928 -@@ -4362,6 +4363,7 @@ int transport_send_check_condition_and_sense(
4929 - case TCM_SECTOR_COUNT_TOO_MANY:
4930 - /* CURRENT ERROR */
4931 - buffer[offset] = 0x70;
4932 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4933 - /* ILLEGAL REQUEST */
4934 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
4935 - /* INVALID COMMAND OPERATION CODE */
4936 -@@ -4370,6 +4372,7 @@ int transport_send_check_condition_and_sense(
4937 - case TCM_UNKNOWN_MODE_PAGE:
4938 - /* CURRENT ERROR */
4939 - buffer[offset] = 0x70;
4940 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4941 - /* ILLEGAL REQUEST */
4942 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
4943 - /* INVALID FIELD IN CDB */
4944 -@@ -4378,6 +4381,7 @@ int transport_send_check_condition_and_sense(
4945 - case TCM_CHECK_CONDITION_ABORT_CMD:
4946 - /* CURRENT ERROR */
4947 - buffer[offset] = 0x70;
4948 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4949 - /* ABORTED COMMAND */
4950 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4951 - /* BUS DEVICE RESET FUNCTION OCCURRED */
4952 -@@ -4387,6 +4391,7 @@ int transport_send_check_condition_and_sense(
4953 - case TCM_INCORRECT_AMOUNT_OF_DATA:
4954 - /* CURRENT ERROR */
4955 - buffer[offset] = 0x70;
4956 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4957 - /* ABORTED COMMAND */
4958 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4959 - /* WRITE ERROR */
4960 -@@ -4397,6 +4402,7 @@ int transport_send_check_condition_and_sense(
4961 - case TCM_INVALID_CDB_FIELD:
4962 - /* CURRENT ERROR */
4963 - buffer[offset] = 0x70;
4964 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4965 - /* ABORTED COMMAND */
4966 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4967 - /* INVALID FIELD IN CDB */
4968 -@@ -4405,6 +4411,7 @@ int transport_send_check_condition_and_sense(
4969 - case TCM_INVALID_PARAMETER_LIST:
4970 - /* CURRENT ERROR */
4971 - buffer[offset] = 0x70;
4972 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4973 - /* ABORTED COMMAND */
4974 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4975 - /* INVALID FIELD IN PARAMETER LIST */
4976 -@@ -4413,6 +4420,7 @@ int transport_send_check_condition_and_sense(
4977 - case TCM_UNEXPECTED_UNSOLICITED_DATA:
4978 - /* CURRENT ERROR */
4979 - buffer[offset] = 0x70;
4980 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4981 - /* ABORTED COMMAND */
4982 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4983 - /* WRITE ERROR */
4984 -@@ -4423,6 +4431,7 @@ int transport_send_check_condition_and_sense(
4985 - case TCM_SERVICE_CRC_ERROR:
4986 - /* CURRENT ERROR */
4987 - buffer[offset] = 0x70;
4988 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4989 - /* ABORTED COMMAND */
4990 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4991 - /* PROTOCOL SERVICE CRC ERROR */
4992 -@@ -4433,6 +4442,7 @@ int transport_send_check_condition_and_sense(
4993 - case TCM_SNACK_REJECTED:
4994 - /* CURRENT ERROR */
4995 - buffer[offset] = 0x70;
4996 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
4997 - /* ABORTED COMMAND */
4998 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
4999 - /* READ ERROR */
5000 -@@ -4443,6 +4453,7 @@ int transport_send_check_condition_and_sense(
5001 - case TCM_WRITE_PROTECTED:
5002 - /* CURRENT ERROR */
5003 - buffer[offset] = 0x70;
5004 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
5005 - /* DATA PROTECT */
5006 - buffer[offset+SPC_SENSE_KEY_OFFSET] = DATA_PROTECT;
5007 - /* WRITE PROTECTED */
5008 -@@ -4451,6 +4462,7 @@ int transport_send_check_condition_and_sense(
5009 - case TCM_CHECK_CONDITION_UNIT_ATTENTION:
5010 - /* CURRENT ERROR */
5011 - buffer[offset] = 0x70;
5012 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
5013 - /* UNIT ATTENTION */
5014 - buffer[offset+SPC_SENSE_KEY_OFFSET] = UNIT_ATTENTION;
5015 - core_scsi3_ua_for_check_condition(cmd, &asc, &ascq);
5016 -@@ -4460,6 +4472,7 @@ int transport_send_check_condition_and_sense(
5017 - case TCM_CHECK_CONDITION_NOT_READY:
5018 - /* CURRENT ERROR */
5019 - buffer[offset] = 0x70;
5020 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
5021 - /* Not Ready */
5022 - buffer[offset+SPC_SENSE_KEY_OFFSET] = NOT_READY;
5023 - transport_get_sense_codes(cmd, &asc, &ascq);
5024 -@@ -4470,6 +4483,7 @@ int transport_send_check_condition_and_sense(
5025 - default:
5026 - /* CURRENT ERROR */
5027 - buffer[offset] = 0x70;
5028 -+ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
5029 - /* ILLEGAL REQUEST */
5030 - buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
5031 - /* LOGICAL UNIT COMMUNICATION FAILURE */
5032 -diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
5033 -index ede860f..a580b17 100644
5034 ---- a/drivers/xen/xenbus/xenbus_xs.c
5035 -+++ b/drivers/xen/xenbus/xenbus_xs.c
5036 -@@ -801,6 +801,12 @@ static int process_msg(void)
5037 - goto out;
5038 - }
5039 -
5040 -+ if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
5041 -+ kfree(msg);
5042 -+ err = -EINVAL;
5043 -+ goto out;
5044 -+ }
5045 -+
5046 - body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
5047 - if (body == NULL) {
5048 - kfree(msg);
5049 -diff --git a/fs/aio.c b/fs/aio.c
5050 -index 78c514c..969beb0 100644
5051 ---- a/fs/aio.c
5052 -+++ b/fs/aio.c
5053 -@@ -476,14 +476,21 @@ static void kiocb_batch_init(struct kiocb_batch *batch, long total)
5054 - batch->count = total;
5055 - }
5056 -
5057 --static void kiocb_batch_free(struct kiocb_batch *batch)
5058 -+static void kiocb_batch_free(struct kioctx *ctx, struct kiocb_batch *batch)
5059 - {
5060 - struct kiocb *req, *n;
5061 -
5062 -+ if (list_empty(&batch->head))
5063 -+ return;
5064 -+
5065 -+ spin_lock_irq(&ctx->ctx_lock);
5066 - list_for_each_entry_safe(req, n, &batch->head, ki_batch) {
5067 - list_del(&req->ki_batch);
5068 -+ list_del(&req->ki_list);
5069 - kmem_cache_free(kiocb_cachep, req);
5070 -+ ctx->reqs_active--;
5071 - }
5072 -+ spin_unlock_irq(&ctx->ctx_lock);
5073 - }
5074 -
5075 - /*
5076 -@@ -1742,7 +1749,7 @@ long do_io_submit(aio_context_t ctx_id, long nr,
5077 - }
5078 - blk_finish_plug(&plug);
5079 -
5080 -- kiocb_batch_free(&batch);
5081 -+ kiocb_batch_free(ctx, &batch);
5082 - put_ioctx(ctx);
5083 - return i ? i : ret;
5084 - }
5085 -diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
5086 -index f3670cf..63e4be4 100644
5087 ---- a/fs/cifs/connect.c
5088 -+++ b/fs/cifs/connect.c
5089 -@@ -2914,18 +2914,33 @@ void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
5090 - #define CIFS_DEFAULT_IOSIZE (1024 * 1024)
5091 -
5092 - /*
5093 -- * Windows only supports a max of 60k reads. Default to that when posix
5094 -- * extensions aren't in force.
5095 -+ * Windows only supports a max of 60kb reads and 65535 byte writes. Default to
5096 -+ * those values when posix extensions aren't in force. In actuality here, we
5097 -+ * use 65536 to allow for a write that is a multiple of 4k. Most servers seem
5098 -+ * to be ok with the extra byte even though Windows doesn't send writes that
5099 -+ * are that large.
5100 -+ *
5101 -+ * Citation:
5102 -+ *
5103 -+ * http://blogs.msdn.com/b/openspecification/archive/2009/04/10/smb-maximum-transmit-buffer-size-and-performance-tuning.aspx
5104 - */
5105 - #define CIFS_DEFAULT_NON_POSIX_RSIZE (60 * 1024)
5106 -+#define CIFS_DEFAULT_NON_POSIX_WSIZE (65536)
5107 -
5108 - static unsigned int
5109 - cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *pvolume_info)
5110 - {
5111 - __u64 unix_cap = le64_to_cpu(tcon->fsUnixInfo.Capability);
5112 - struct TCP_Server_Info *server = tcon->ses->server;
5113 -- unsigned int wsize = pvolume_info->wsize ? pvolume_info->wsize :
5114 -- CIFS_DEFAULT_IOSIZE;
5115 -+ unsigned int wsize;
5116 -+
5117 -+ /* start with specified wsize, or default */
5118 -+ if (pvolume_info->wsize)
5119 -+ wsize = pvolume_info->wsize;
5120 -+ else if (tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
5121 -+ wsize = CIFS_DEFAULT_IOSIZE;
5122 -+ else
5123 -+ wsize = CIFS_DEFAULT_NON_POSIX_WSIZE;
5124 -
5125 - /* can server support 24-bit write sizes? (via UNIX extensions) */
5126 - if (!tcon->unix_ext || !(unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
5127 -diff --git a/fs/dcache.c b/fs/dcache.c
5128 -index 89509b5..f7908ae 100644
5129 ---- a/fs/dcache.c
5130 -+++ b/fs/dcache.c
5131 -@@ -242,6 +242,7 @@ static void dentry_lru_add(struct dentry *dentry)
5132 - static void __dentry_lru_del(struct dentry *dentry)
5133 - {
5134 - list_del_init(&dentry->d_lru);
5135 -+ dentry->d_flags &= ~DCACHE_SHRINK_LIST;
5136 - dentry->d_sb->s_nr_dentry_unused--;
5137 - dentry_stat.nr_unused--;
5138 - }
5139 -@@ -275,15 +276,15 @@ static void dentry_lru_prune(struct dentry *dentry)
5140 - }
5141 - }
5142 -
5143 --static void dentry_lru_move_tail(struct dentry *dentry)
5144 -+static void dentry_lru_move_list(struct dentry *dentry, struct list_head *list)
5145 - {
5146 - spin_lock(&dcache_lru_lock);
5147 - if (list_empty(&dentry->d_lru)) {
5148 -- list_add_tail(&dentry->d_lru, &dentry->d_sb->s_dentry_lru);
5149 -+ list_add_tail(&dentry->d_lru, list);
5150 - dentry->d_sb->s_nr_dentry_unused++;
5151 - dentry_stat.nr_unused++;
5152 - } else {
5153 -- list_move_tail(&dentry->d_lru, &dentry->d_sb->s_dentry_lru);
5154 -+ list_move_tail(&dentry->d_lru, list);
5155 - }
5156 - spin_unlock(&dcache_lru_lock);
5157 - }
5158 -@@ -769,14 +770,18 @@ static void shrink_dentry_list(struct list_head *list)
5159 - }
5160 -
5161 - /**
5162 -- * __shrink_dcache_sb - shrink the dentry LRU on a given superblock
5163 -- * @sb: superblock to shrink dentry LRU.
5164 -- * @count: number of entries to prune
5165 -- * @flags: flags to control the dentry processing
5166 -+ * prune_dcache_sb - shrink the dcache
5167 -+ * @sb: superblock
5168 -+ * @count: number of entries to try to free
5169 -+ *
5170 -+ * Attempt to shrink the superblock dcache LRU by @count entries. This is
5171 -+ * done when we need more memory an called from the superblock shrinker
5172 -+ * function.
5173 - *
5174 -- * If flags contains DCACHE_REFERENCED reference dentries will not be pruned.
5175 -+ * This function may fail to free any resources if all the dentries are in
5176 -+ * use.
5177 - */
5178 --static void __shrink_dcache_sb(struct super_block *sb, int count, int flags)
5179 -+void prune_dcache_sb(struct super_block *sb, int count)
5180 - {
5181 - struct dentry *dentry;
5182 - LIST_HEAD(referenced);
5183 -@@ -795,18 +800,13 @@ relock:
5184 - goto relock;
5185 - }
5186 -
5187 -- /*
5188 -- * If we are honouring the DCACHE_REFERENCED flag and the
5189 -- * dentry has this flag set, don't free it. Clear the flag
5190 -- * and put it back on the LRU.
5191 -- */
5192 -- if (flags & DCACHE_REFERENCED &&
5193 -- dentry->d_flags & DCACHE_REFERENCED) {
5194 -+ if (dentry->d_flags & DCACHE_REFERENCED) {
5195 - dentry->d_flags &= ~DCACHE_REFERENCED;
5196 - list_move(&dentry->d_lru, &referenced);
5197 - spin_unlock(&dentry->d_lock);
5198 - } else {
5199 - list_move_tail(&dentry->d_lru, &tmp);
5200 -+ dentry->d_flags |= DCACHE_SHRINK_LIST;
5201 - spin_unlock(&dentry->d_lock);
5202 - if (!--count)
5203 - break;
5204 -@@ -821,23 +821,6 @@ relock:
5205 - }
5206 -
5207 - /**
5208 -- * prune_dcache_sb - shrink the dcache
5209 -- * @sb: superblock
5210 -- * @nr_to_scan: number of entries to try to free
5211 -- *
5212 -- * Attempt to shrink the superblock dcache LRU by @nr_to_scan entries. This is
5213 -- * done when we need more memory an called from the superblock shrinker
5214 -- * function.
5215 -- *
5216 -- * This function may fail to free any resources if all the dentries are in
5217 -- * use.
5218 -- */
5219 --void prune_dcache_sb(struct super_block *sb, int nr_to_scan)
5220 --{
5221 -- __shrink_dcache_sb(sb, nr_to_scan, DCACHE_REFERENCED);
5222 --}
5223 --
5224 --/**
5225 - * shrink_dcache_sb - shrink dcache for a superblock
5226 - * @sb: superblock
5227 - *
5228 -@@ -1091,7 +1074,7 @@ EXPORT_SYMBOL(have_submounts);
5229 - * drop the lock and return early due to latency
5230 - * constraints.
5231 - */
5232 --static int select_parent(struct dentry * parent)
5233 -+static int select_parent(struct dentry *parent, struct list_head *dispose)
5234 - {
5235 - struct dentry *this_parent;
5236 - struct list_head *next;
5237 -@@ -1113,17 +1096,21 @@ resume:
5238 -
5239 - spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
5240 -
5241 -- /*
5242 -- * move only zero ref count dentries to the end
5243 -- * of the unused list for prune_dcache
5244 -+ /*
5245 -+ * move only zero ref count dentries to the dispose list.
5246 -+ *
5247 -+ * Those which are presently on the shrink list, being processed
5248 -+ * by shrink_dentry_list(), shouldn't be moved. Otherwise the
5249 -+ * loop in shrink_dcache_parent() might not make any progress
5250 -+ * and loop forever.
5251 - */
5252 -- if (!dentry->d_count) {
5253 -- dentry_lru_move_tail(dentry);
5254 -- found++;
5255 -- } else {
5256 -+ if (dentry->d_count) {
5257 - dentry_lru_del(dentry);
5258 -+ } else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) {
5259 -+ dentry_lru_move_list(dentry, dispose);
5260 -+ dentry->d_flags |= DCACHE_SHRINK_LIST;
5261 -+ found++;
5262 - }
5263 --
5264 - /*
5265 - * We can return to the caller if we have found some (this
5266 - * ensures forward progress). We'll be coming back to find
5267 -@@ -1180,14 +1167,13 @@ rename_retry:
5268 - *
5269 - * Prune the dcache to remove unused children of the parent dentry.
5270 - */
5271 --
5272 - void shrink_dcache_parent(struct dentry * parent)
5273 - {
5274 -- struct super_block *sb = parent->d_sb;
5275 -+ LIST_HEAD(dispose);
5276 - int found;
5277 -
5278 -- while ((found = select_parent(parent)) != 0)
5279 -- __shrink_dcache_sb(sb, found, 0);
5280 -+ while ((found = select_parent(parent, &dispose)) != 0)
5281 -+ shrink_dentry_list(&dispose);
5282 - }
5283 - EXPORT_SYMBOL(shrink_dcache_parent);
5284 -
5285 -diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
5286 -index a567968..ab25f57 100644
5287 ---- a/fs/ext4/ioctl.c
5288 -+++ b/fs/ext4/ioctl.c
5289 -@@ -182,19 +182,22 @@ setversion_out:
5290 - if (err)
5291 - return err;
5292 -
5293 -- if (get_user(n_blocks_count, (__u32 __user *)arg))
5294 -- return -EFAULT;
5295 -+ if (get_user(n_blocks_count, (__u32 __user *)arg)) {
5296 -+ err = -EFAULT;
5297 -+ goto group_extend_out;
5298 -+ }
5299 -
5300 - if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
5301 - EXT4_FEATURE_RO_COMPAT_BIGALLOC)) {
5302 - ext4_msg(sb, KERN_ERR,
5303 - "Online resizing not supported with bigalloc");
5304 -- return -EOPNOTSUPP;
5305 -+ err = -EOPNOTSUPP;
5306 -+ goto group_extend_out;
5307 - }
5308 -
5309 - err = mnt_want_write(filp->f_path.mnt);
5310 - if (err)
5311 -- return err;
5312 -+ goto group_extend_out;
5313 -
5314 - err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);
5315 - if (EXT4_SB(sb)->s_journal) {
5316 -@@ -204,9 +207,10 @@ setversion_out:
5317 - }
5318 - if (err == 0)
5319 - err = err2;
5320 -+
5321 - mnt_drop_write(filp->f_path.mnt);
5322 -+group_extend_out:
5323 - ext4_resize_end(sb);
5324 --
5325 - return err;
5326 - }
5327 -
5328 -@@ -267,19 +271,22 @@ mext_out:
5329 - return err;
5330 -
5331 - if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,
5332 -- sizeof(input)))
5333 -- return -EFAULT;
5334 -+ sizeof(input))) {
5335 -+ err = -EFAULT;
5336 -+ goto group_add_out;
5337 -+ }
5338 -
5339 - if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
5340 - EXT4_FEATURE_RO_COMPAT_BIGALLOC)) {
5341 - ext4_msg(sb, KERN_ERR,
5342 - "Online resizing not supported with bigalloc");
5343 -- return -EOPNOTSUPP;
5344 -+ err = -EOPNOTSUPP;
5345 -+ goto group_add_out;
5346 - }
5347 -
5348 - err = mnt_want_write(filp->f_path.mnt);
5349 - if (err)
5350 -- return err;
5351 -+ goto group_add_out;
5352 -
5353 - err = ext4_group_add(sb, &input);
5354 - if (EXT4_SB(sb)->s_journal) {
5355 -@@ -289,9 +296,10 @@ mext_out:
5356 - }
5357 - if (err == 0)
5358 - err = err2;
5359 -+
5360 - mnt_drop_write(filp->f_path.mnt);
5361 -+group_add_out:
5362 - ext4_resize_end(sb);
5363 --
5364 - return err;
5365 - }
5366 -
5367 -diff --git a/fs/ext4/super.c b/fs/ext4/super.c
5368 -index 3e1329e..9281dbe 100644
5369 ---- a/fs/ext4/super.c
5370 -+++ b/fs/ext4/super.c
5371 -@@ -2006,17 +2006,16 @@ static int ext4_fill_flex_info(struct super_block *sb)
5372 - struct ext4_group_desc *gdp = NULL;
5373 - ext4_group_t flex_group_count;
5374 - ext4_group_t flex_group;
5375 -- int groups_per_flex = 0;
5376 -+ unsigned int groups_per_flex = 0;
5377 - size_t size;
5378 - int i;
5379 -
5380 - sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
5381 -- groups_per_flex = 1 << sbi->s_log_groups_per_flex;
5382 --
5383 -- if (groups_per_flex < 2) {
5384 -+ if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
5385 - sbi->s_log_groups_per_flex = 0;
5386 - return 1;
5387 - }
5388 -+ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
5389 -
5390 - /* We allocate both existing and potentially added groups */
5391 - flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
5392 -diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
5393 -index 281ae95..3db6b82 100644
5394 ---- a/fs/nfs/blocklayout/blocklayout.c
5395 -+++ b/fs/nfs/blocklayout/blocklayout.c
5396 -@@ -146,14 +146,19 @@ static struct bio *bl_alloc_init_bio(int npg, sector_t isect,
5397 - {
5398 - struct bio *bio;
5399 -
5400 -+ npg = min(npg, BIO_MAX_PAGES);
5401 - bio = bio_alloc(GFP_NOIO, npg);
5402 -- if (!bio)
5403 -- return NULL;
5404 -+ if (!bio && (current->flags & PF_MEMALLOC)) {
5405 -+ while (!bio && (npg /= 2))
5406 -+ bio = bio_alloc(GFP_NOIO, npg);
5407 -+ }
5408 -
5409 -- bio->bi_sector = isect - be->be_f_offset + be->be_v_offset;
5410 -- bio->bi_bdev = be->be_mdev;
5411 -- bio->bi_end_io = end_io;
5412 -- bio->bi_private = par;
5413 -+ if (bio) {
5414 -+ bio->bi_sector = isect - be->be_f_offset + be->be_v_offset;
5415 -+ bio->bi_bdev = be->be_mdev;
5416 -+ bio->bi_end_io = end_io;
5417 -+ bio->bi_private = par;
5418 -+ }
5419 - return bio;
5420 - }
5421 -
5422 -@@ -779,16 +784,13 @@ bl_cleanup_layoutcommit(struct nfs4_layoutcommit_data *lcdata)
5423 - static void free_blk_mountid(struct block_mount_id *mid)
5424 - {
5425 - if (mid) {
5426 -- struct pnfs_block_dev *dev;
5427 -- spin_lock(&mid->bm_lock);
5428 -- while (!list_empty(&mid->bm_devlist)) {
5429 -- dev = list_first_entry(&mid->bm_devlist,
5430 -- struct pnfs_block_dev,
5431 -- bm_node);
5432 -+ struct pnfs_block_dev *dev, *tmp;
5433 -+
5434 -+ /* No need to take bm_lock as we are last user freeing bm_devlist */
5435 -+ list_for_each_entry_safe(dev, tmp, &mid->bm_devlist, bm_node) {
5436 - list_del(&dev->bm_node);
5437 - bl_free_block_dev(dev);
5438 - }
5439 -- spin_unlock(&mid->bm_lock);
5440 - kfree(mid);
5441 - }
5442 - }
5443 -diff --git a/fs/nfs/blocklayout/extents.c b/fs/nfs/blocklayout/extents.c
5444 -index 19fa7b0..c69682a 100644
5445 ---- a/fs/nfs/blocklayout/extents.c
5446 -+++ b/fs/nfs/blocklayout/extents.c
5447 -@@ -139,11 +139,13 @@ static int _set_range(struct my_tree *tree, int32_t tag, u64 s, u64 length)
5448 - }
5449 -
5450 - /* Ensure that future operations on given range of tree will not malloc */
5451 --static int _preload_range(struct my_tree *tree, u64 offset, u64 length)
5452 -+static int _preload_range(struct pnfs_inval_markings *marks,
5453 -+ u64 offset, u64 length)
5454 - {
5455 - u64 start, end, s;
5456 - int count, i, used = 0, status = -ENOMEM;
5457 - struct pnfs_inval_tracking **storage;
5458 -+ struct my_tree *tree = &marks->im_tree;
5459 -
5460 - dprintk("%s(%llu, %llu) enter\n", __func__, offset, length);
5461 - start = normalize(offset, tree->mtt_step_size);
5462 -@@ -161,12 +163,11 @@ static int _preload_range(struct my_tree *tree, u64 offset, u64 length)
5463 - goto out_cleanup;
5464 - }
5465 -
5466 -- /* Now need lock - HOW??? */
5467 --
5468 -+ spin_lock(&marks->im_lock);
5469 - for (s = start; s < end; s += tree->mtt_step_size)
5470 - used += _add_entry(tree, s, INTERNAL_EXISTS, storage[used]);
5471 -+ spin_unlock(&marks->im_lock);
5472 -
5473 -- /* Unlock - HOW??? */
5474 - status = 0;
5475 -
5476 - out_cleanup:
5477 -@@ -286,7 +287,7 @@ int bl_mark_sectors_init(struct pnfs_inval_markings *marks,
5478 -
5479 - start = normalize(offset, marks->im_block_size);
5480 - end = normalize_up(offset + length, marks->im_block_size);
5481 -- if (_preload_range(&marks->im_tree, start, end - start))
5482 -+ if (_preload_range(marks, start, end - start))
5483 - goto outerr;
5484 -
5485 - spin_lock(&marks->im_lock);
5486 -diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c
5487 -index 43926ad..54cea8a 100644
5488 ---- a/fs/nfs/callback_proc.c
5489 -+++ b/fs/nfs/callback_proc.c
5490 -@@ -339,7 +339,7 @@ validate_seqid(struct nfs4_slot_table *tbl, struct cb_sequenceargs * args)
5491 - dprintk("%s enter. slotid %d seqid %d\n",
5492 - __func__, args->csa_slotid, args->csa_sequenceid);
5493 -
5494 -- if (args->csa_slotid > NFS41_BC_MAX_CALLBACKS)
5495 -+ if (args->csa_slotid >= NFS41_BC_MAX_CALLBACKS)
5496 - return htonl(NFS4ERR_BADSLOT);
5497 -
5498 - slot = tbl->slots + args->csa_slotid;
5499 -diff --git a/fs/nfs/file.c b/fs/nfs/file.c
5500 -index 606ef0f..c43a452 100644
5501 ---- a/fs/nfs/file.c
5502 -+++ b/fs/nfs/file.c
5503 -@@ -272,13 +272,13 @@ nfs_file_fsync(struct file *file, loff_t start, loff_t end, int datasync)
5504 - datasync);
5505 -
5506 - ret = filemap_write_and_wait_range(inode->i_mapping, start, end);
5507 -- if (ret)
5508 -- return ret;
5509 - mutex_lock(&inode->i_mutex);
5510 -
5511 - nfs_inc_stats(inode, NFSIOS_VFSFSYNC);
5512 - have_error = test_and_clear_bit(NFS_CONTEXT_ERROR_WRITE, &ctx->flags);
5513 - status = nfs_commit_inode(inode, FLUSH_SYNC);
5514 -+ if (status >= 0 && ret < 0)
5515 -+ status = ret;
5516 - have_error |= test_bit(NFS_CONTEXT_ERROR_WRITE, &ctx->flags);
5517 - if (have_error)
5518 - ret = xchg(&ctx->error, 0);
5519 -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
5520 -index d9f4d78..055d702 100644
5521 ---- a/fs/nfs/nfs4proc.c
5522 -+++ b/fs/nfs/nfs4proc.c
5523 -@@ -3430,19 +3430,6 @@ static inline int nfs4_server_supports_acls(struct nfs_server *server)
5524 - */
5525 - #define NFS4ACL_MAXPAGES (XATTR_SIZE_MAX >> PAGE_CACHE_SHIFT)
5526 -
5527 --static void buf_to_pages(const void *buf, size_t buflen,
5528 -- struct page **pages, unsigned int *pgbase)
5529 --{
5530 -- const void *p = buf;
5531 --
5532 -- *pgbase = offset_in_page(buf);
5533 -- p -= *pgbase;
5534 -- while (p < buf + buflen) {
5535 -- *(pages++) = virt_to_page(p);
5536 -- p += PAGE_CACHE_SIZE;
5537 -- }
5538 --}
5539 --
5540 - static int buf_to_pages_noslab(const void *buf, size_t buflen,
5541 - struct page **pages, unsigned int *pgbase)
5542 - {
5543 -@@ -3539,9 +3526,19 @@ out:
5544 - nfs4_set_cached_acl(inode, acl);
5545 - }
5546 -
5547 -+/*
5548 -+ * The getxattr API returns the required buffer length when called with a
5549 -+ * NULL buf. The NFSv4 acl tool then calls getxattr again after allocating
5550 -+ * the required buf. On a NULL buf, we send a page of data to the server
5551 -+ * guessing that the ACL request can be serviced by a page. If so, we cache
5552 -+ * up to the page of ACL data, and the 2nd call to getxattr is serviced by
5553 -+ * the cache. If not so, we throw away the page, and cache the required
5554 -+ * length. The next getxattr call will then produce another round trip to
5555 -+ * the server, this time with the input buf of the required size.
5556 -+ */
5557 - static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
5558 - {
5559 -- struct page *pages[NFS4ACL_MAXPAGES];
5560 -+ struct page *pages[NFS4ACL_MAXPAGES] = {NULL, };
5561 - struct nfs_getaclargs args = {
5562 - .fh = NFS_FH(inode),
5563 - .acl_pages = pages,
5564 -@@ -3556,41 +3553,60 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
5565 - .rpc_argp = &args,
5566 - .rpc_resp = &res,
5567 - };
5568 -- struct page *localpage = NULL;
5569 -- int ret;
5570 -+ int ret = -ENOMEM, npages, i, acl_len = 0;
5571 -
5572 -- if (buflen < PAGE_SIZE) {
5573 -- /* As long as we're doing a round trip to the server anyway,
5574 -- * let's be prepared for a page of acl data. */
5575 -- localpage = alloc_page(GFP_KERNEL);
5576 -- resp_buf = page_address(localpage);
5577 -- if (localpage == NULL)
5578 -- return -ENOMEM;
5579 -- args.acl_pages[0] = localpage;
5580 -- args.acl_pgbase = 0;
5581 -- args.acl_len = PAGE_SIZE;
5582 -- } else {
5583 -- resp_buf = buf;
5584 -- buf_to_pages(buf, buflen, args.acl_pages, &args.acl_pgbase);
5585 -+ npages = (buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
5586 -+ /* As long as we're doing a round trip to the server anyway,
5587 -+ * let's be prepared for a page of acl data. */
5588 -+ if (npages == 0)
5589 -+ npages = 1;
5590 -+
5591 -+ for (i = 0; i < npages; i++) {
5592 -+ pages[i] = alloc_page(GFP_KERNEL);
5593 -+ if (!pages[i])
5594 -+ goto out_free;
5595 -+ }
5596 -+ if (npages > 1) {
5597 -+ /* for decoding across pages */
5598 -+ args.acl_scratch = alloc_page(GFP_KERNEL);
5599 -+ if (!args.acl_scratch)
5600 -+ goto out_free;
5601 - }
5602 -- ret = nfs4_call_sync(NFS_SERVER(inode)->client, NFS_SERVER(inode), &msg, &args.seq_args, &res.seq_res, 0);
5603 -+ args.acl_len = npages * PAGE_SIZE;
5604 -+ args.acl_pgbase = 0;
5605 -+ /* Let decode_getfacl know not to fail if the ACL data is larger than
5606 -+ * the page we send as a guess */
5607 -+ if (buf == NULL)
5608 -+ res.acl_flags |= NFS4_ACL_LEN_REQUEST;
5609 -+ resp_buf = page_address(pages[0]);
5610 -+
5611 -+ dprintk("%s buf %p buflen %ld npages %d args.acl_len %ld\n",
5612 -+ __func__, buf, buflen, npages, args.acl_len);
5613 -+ ret = nfs4_call_sync(NFS_SERVER(inode)->client, NFS_SERVER(inode),
5614 -+ &msg, &args.seq_args, &res.seq_res, 0);
5615 - if (ret)
5616 - goto out_free;
5617 -- if (res.acl_len > args.acl_len)
5618 -- nfs4_write_cached_acl(inode, NULL, res.acl_len);
5619 -+
5620 -+ acl_len = res.acl_len - res.acl_data_offset;
5621 -+ if (acl_len > args.acl_len)
5622 -+ nfs4_write_cached_acl(inode, NULL, acl_len);
5623 - else
5624 -- nfs4_write_cached_acl(inode, resp_buf, res.acl_len);
5625 -+ nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset,
5626 -+ acl_len);
5627 - if (buf) {
5628 - ret = -ERANGE;
5629 -- if (res.acl_len > buflen)
5630 -+ if (acl_len > buflen)
5631 - goto out_free;
5632 -- if (localpage)
5633 -- memcpy(buf, resp_buf, res.acl_len);
5634 -+ _copy_from_pages(buf, pages, res.acl_data_offset,
5635 -+ res.acl_len);
5636 - }
5637 -- ret = res.acl_len;
5638 -+ ret = acl_len;
5639 - out_free:
5640 -- if (localpage)
5641 -- __free_page(localpage);
5642 -+ for (i = 0; i < npages; i++)
5643 -+ if (pages[i])
5644 -+ __free_page(pages[i]);
5645 -+ if (args.acl_scratch)
5646 -+ __free_page(args.acl_scratch);
5647 - return ret;
5648 - }
5649 -
5650 -@@ -3621,6 +3637,8 @@ static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen)
5651 - nfs_zap_acl_cache(inode);
5652 - ret = nfs4_read_cached_acl(inode, buf, buflen);
5653 - if (ret != -ENOENT)
5654 -+ /* -ENOENT is returned if there is no ACL or if there is an ACL
5655 -+ * but no cached acl data, just the acl length */
5656 - return ret;
5657 - return nfs4_get_acl_uncached(inode, buf, buflen);
5658 - }
5659 -diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
5660 -index e6161b2..dcaf693 100644
5661 ---- a/fs/nfs/nfs4xdr.c
5662 -+++ b/fs/nfs/nfs4xdr.c
5663 -@@ -2517,11 +2517,13 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,
5664 - encode_compound_hdr(xdr, req, &hdr);
5665 - encode_sequence(xdr, &args->seq_args, &hdr);
5666 - encode_putfh(xdr, args->fh, &hdr);
5667 -- replen = hdr.replen + op_decode_hdr_maxsz + nfs4_fattr_bitmap_maxsz + 1;
5668 -+ replen = hdr.replen + op_decode_hdr_maxsz + 1;
5669 - encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);
5670 -
5671 - xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
5672 - args->acl_pages, args->acl_pgbase, args->acl_len);
5673 -+ xdr_set_scratch_buffer(xdr, page_address(args->acl_scratch), PAGE_SIZE);
5674 -+
5675 - encode_nops(&hdr);
5676 - }
5677 -
5678 -@@ -4957,17 +4959,18 @@ decode_restorefh(struct xdr_stream *xdr)
5679 - }
5680 -
5681 - static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
5682 -- size_t *acl_len)
5683 -+ struct nfs_getaclres *res)
5684 - {
5685 -- __be32 *savep;
5686 -+ __be32 *savep, *bm_p;
5687 - uint32_t attrlen,
5688 - bitmap[3] = {0};
5689 - struct kvec *iov = req->rq_rcv_buf.head;
5690 - int status;
5691 -
5692 -- *acl_len = 0;
5693 -+ res->acl_len = 0;
5694 - if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
5695 - goto out;
5696 -+ bm_p = xdr->p;
5697 - if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
5698 - goto out;
5699 - if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
5700 -@@ -4979,18 +4982,30 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
5701 - size_t hdrlen;
5702 - u32 recvd;
5703 -
5704 -+ /* The bitmap (xdr len + bitmaps) and the attr xdr len words
5705 -+ * are stored with the acl data to handle the problem of
5706 -+ * variable length bitmaps.*/
5707 -+ xdr->p = bm_p;
5708 -+ res->acl_data_offset = be32_to_cpup(bm_p) + 2;
5709 -+ res->acl_data_offset <<= 2;
5710 -+
5711 - /* We ignore &savep and don't do consistency checks on
5712 - * the attr length. Let userspace figure it out.... */
5713 - hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
5714 -+ attrlen += res->acl_data_offset;
5715 - recvd = req->rq_rcv_buf.len - hdrlen;
5716 - if (attrlen > recvd) {
5717 -- dprintk("NFS: server cheating in getattr"
5718 -- " acl reply: attrlen %u > recvd %u\n",
5719 -+ if (res->acl_flags & NFS4_ACL_LEN_REQUEST) {
5720 -+ /* getxattr interface called with a NULL buf */
5721 -+ res->acl_len = attrlen;
5722 -+ goto out;
5723 -+ }
5724 -+ dprintk("NFS: acl reply: attrlen %u > recvd %u\n",
5725 - attrlen, recvd);
5726 - return -EINVAL;
5727 - }
5728 - xdr_read_pages(xdr, attrlen);
5729 -- *acl_len = attrlen;
5730 -+ res->acl_len = attrlen;
5731 - } else
5732 - status = -EOPNOTSUPP;
5733 -
5734 -@@ -6028,7 +6043,7 @@ nfs4_xdr_dec_getacl(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
5735 - status = decode_putfh(xdr);
5736 - if (status)
5737 - goto out;
5738 -- status = decode_getacl(xdr, rqstp, &res->acl_len);
5739 -+ status = decode_getacl(xdr, rqstp, res);
5740 -
5741 - out:
5742 - return status;
5743 -diff --git a/fs/nfs/objlayout/objio_osd.c b/fs/nfs/objlayout/objio_osd.c
5744 -index c807ab9..55d0128 100644
5745 ---- a/fs/nfs/objlayout/objio_osd.c
5746 -+++ b/fs/nfs/objlayout/objio_osd.c
5747 -@@ -551,7 +551,8 @@ static const struct nfs_pageio_ops objio_pg_write_ops = {
5748 - static struct pnfs_layoutdriver_type objlayout_type = {
5749 - .id = LAYOUT_OSD2_OBJECTS,
5750 - .name = "LAYOUT_OSD2_OBJECTS",
5751 -- .flags = PNFS_LAYOUTRET_ON_SETATTR,
5752 -+ .flags = PNFS_LAYOUTRET_ON_SETATTR |
5753 -+ PNFS_LAYOUTRET_ON_ERROR,
5754 -
5755 - .alloc_layout_hdr = objlayout_alloc_layout_hdr,
5756 - .free_layout_hdr = objlayout_free_layout_hdr,
5757 -diff --git a/fs/nfs/objlayout/objlayout.c b/fs/nfs/objlayout/objlayout.c
5758 -index 72074e3..b3c2903 100644
5759 ---- a/fs/nfs/objlayout/objlayout.c
5760 -+++ b/fs/nfs/objlayout/objlayout.c
5761 -@@ -254,6 +254,8 @@ objlayout_read_done(struct objlayout_io_res *oir, ssize_t status, bool sync)
5762 - oir->status = rdata->task.tk_status = status;
5763 - if (status >= 0)
5764 - rdata->res.count = status;
5765 -+ else
5766 -+ rdata->pnfs_error = status;
5767 - objlayout_iodone(oir);
5768 - /* must not use oir after this point */
5769 -
5770 -@@ -334,6 +336,8 @@ objlayout_write_done(struct objlayout_io_res *oir, ssize_t status, bool sync)
5771 - if (status >= 0) {
5772 - wdata->res.count = status;
5773 - wdata->verf.committed = oir->committed;
5774 -+ } else {
5775 -+ wdata->pnfs_error = status;
5776 - }
5777 - objlayout_iodone(oir);
5778 - /* must not use oir after this point */
5779 -diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
5780 -index 8e672a2..f881a63 100644
5781 ---- a/fs/nfs/pnfs.c
5782 -+++ b/fs/nfs/pnfs.c
5783 -@@ -1178,6 +1178,15 @@ void pnfs_ld_write_done(struct nfs_write_data *data)
5784 - put_lseg(data->lseg);
5785 - data->lseg = NULL;
5786 - dprintk("pnfs write error = %d\n", data->pnfs_error);
5787 -+ if (NFS_SERVER(data->inode)->pnfs_curr_ld->flags &
5788 -+ PNFS_LAYOUTRET_ON_ERROR) {
5789 -+ /* Don't lo_commit on error, Server will needs to
5790 -+ * preform a file recovery.
5791 -+ */
5792 -+ clear_bit(NFS_INO_LAYOUTCOMMIT,
5793 -+ &NFS_I(data->inode)->flags);
5794 -+ pnfs_return_layout(data->inode);
5795 -+ }
5796 - }
5797 - data->mds_ops->rpc_release(data);
5798 - }
5799 -@@ -1267,6 +1276,9 @@ static void pnfs_ld_handle_read_error(struct nfs_read_data *data)
5800 - put_lseg(data->lseg);
5801 - data->lseg = NULL;
5802 - dprintk("pnfs write error = %d\n", data->pnfs_error);
5803 -+ if (NFS_SERVER(data->inode)->pnfs_curr_ld->flags &
5804 -+ PNFS_LAYOUTRET_ON_ERROR)
5805 -+ pnfs_return_layout(data->inode);
5806 -
5807 - nfs_pageio_init_read_mds(&pgio, data->inode);
5808 -
5809 -diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
5810 -index 1509530..53d593a 100644
5811 ---- a/fs/nfs/pnfs.h
5812 -+++ b/fs/nfs/pnfs.h
5813 -@@ -68,6 +68,7 @@ enum {
5814 - enum layoutdriver_policy_flags {
5815 - /* Should the pNFS client commit and return the layout upon a setattr */
5816 - PNFS_LAYOUTRET_ON_SETATTR = 1 << 0,
5817 -+ PNFS_LAYOUTRET_ON_ERROR = 1 << 1,
5818 - };
5819 -
5820 - struct nfs4_deviceid_node;
5821 -diff --git a/fs/nfs/super.c b/fs/nfs/super.c
5822 -index 1347774..3ada13c 100644
5823 ---- a/fs/nfs/super.c
5824 -+++ b/fs/nfs/super.c
5825 -@@ -909,10 +909,24 @@ static struct nfs_parsed_mount_data *nfs_alloc_parsed_mount_data(unsigned int ve
5826 - data->auth_flavor_len = 1;
5827 - data->version = version;
5828 - data->minorversion = 0;
5829 -+ security_init_mnt_opts(&data->lsm_opts);
5830 - }
5831 - return data;
5832 - }
5833 -
5834 -+static void nfs_free_parsed_mount_data(struct nfs_parsed_mount_data *data)
5835 -+{
5836 -+ if (data) {
5837 -+ kfree(data->client_address);
5838 -+ kfree(data->mount_server.hostname);
5839 -+ kfree(data->nfs_server.export_path);
5840 -+ kfree(data->nfs_server.hostname);
5841 -+ kfree(data->fscache_uniq);
5842 -+ security_free_mnt_opts(&data->lsm_opts);
5843 -+ kfree(data);
5844 -+ }
5845 -+}
5846 -+
5847 - /*
5848 - * Sanity-check a server address provided by the mount command.
5849 - *
5850 -@@ -2220,9 +2234,7 @@ static struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
5851 - data = nfs_alloc_parsed_mount_data(NFS_DEFAULT_VERSION);
5852 - mntfh = nfs_alloc_fhandle();
5853 - if (data == NULL || mntfh == NULL)
5854 -- goto out_free_fh;
5855 --
5856 -- security_init_mnt_opts(&data->lsm_opts);
5857 -+ goto out;
5858 -
5859 - /* Validate the mount data */
5860 - error = nfs_validate_mount_data(raw_data, data, mntfh, dev_name);
5861 -@@ -2234,8 +2246,6 @@ static struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
5862 - #ifdef CONFIG_NFS_V4
5863 - if (data->version == 4) {
5864 - mntroot = nfs4_try_mount(flags, dev_name, data);
5865 -- kfree(data->client_address);
5866 -- kfree(data->nfs_server.export_path);
5867 - goto out;
5868 - }
5869 - #endif /* CONFIG_NFS_V4 */
5870 -@@ -2290,13 +2300,8 @@ static struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
5871 - s->s_flags |= MS_ACTIVE;
5872 -
5873 - out:
5874 -- kfree(data->nfs_server.hostname);
5875 -- kfree(data->mount_server.hostname);
5876 -- kfree(data->fscache_uniq);
5877 -- security_free_mnt_opts(&data->lsm_opts);
5878 --out_free_fh:
5879 -+ nfs_free_parsed_mount_data(data);
5880 - nfs_free_fhandle(mntfh);
5881 -- kfree(data);
5882 - return mntroot;
5883 -
5884 - out_err_nosb:
5885 -@@ -2623,9 +2628,7 @@ nfs4_remote_mount(struct file_system_type *fs_type, int flags,
5886 -
5887 - mntfh = nfs_alloc_fhandle();
5888 - if (data == NULL || mntfh == NULL)
5889 -- goto out_free_fh;
5890 --
5891 -- security_init_mnt_opts(&data->lsm_opts);
5892 -+ goto out;
5893 -
5894 - /* Get a volume representation */
5895 - server = nfs4_create_server(data, mntfh);
5896 -@@ -2677,13 +2680,10 @@ nfs4_remote_mount(struct file_system_type *fs_type, int flags,
5897 -
5898 - s->s_flags |= MS_ACTIVE;
5899 -
5900 -- security_free_mnt_opts(&data->lsm_opts);
5901 - nfs_free_fhandle(mntfh);
5902 - return mntroot;
5903 -
5904 - out:
5905 -- security_free_mnt_opts(&data->lsm_opts);
5906 --out_free_fh:
5907 - nfs_free_fhandle(mntfh);
5908 - return ERR_PTR(error);
5909 -
5910 -@@ -2838,7 +2838,7 @@ static struct dentry *nfs4_mount(struct file_system_type *fs_type,
5911 -
5912 - data = nfs_alloc_parsed_mount_data(4);
5913 - if (data == NULL)
5914 -- goto out_free_data;
5915 -+ goto out;
5916 -
5917 - /* Validate the mount data */
5918 - error = nfs4_validate_mount_data(raw_data, data, dev_name);
5919 -@@ -2852,12 +2852,7 @@ static struct dentry *nfs4_mount(struct file_system_type *fs_type,
5920 - error = PTR_ERR(res);
5921 -
5922 - out:
5923 -- kfree(data->client_address);
5924 -- kfree(data->nfs_server.export_path);
5925 -- kfree(data->nfs_server.hostname);
5926 -- kfree(data->fscache_uniq);
5927 --out_free_data:
5928 -- kfree(data);
5929 -+ nfs_free_parsed_mount_data(data);
5930 - dprintk("<-- nfs4_mount() = %d%s\n", error,
5931 - error != 0 ? " [error]" : "");
5932 - return res;
5933 -diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
5934 -index 62f3b90..5f312ab 100644
5935 ---- a/fs/nfsd/export.c
5936 -+++ b/fs/nfsd/export.c
5937 -@@ -87,7 +87,7 @@ static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen)
5938 - struct svc_expkey key;
5939 - struct svc_expkey *ek = NULL;
5940 -
5941 -- if (mesg[mlen-1] != '\n')
5942 -+ if (mlen < 1 || mesg[mlen-1] != '\n')
5943 - return -EINVAL;
5944 - mesg[mlen-1] = 0;
5945 -
5946 -diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
5947 -index 47e94e3..5abced7 100644
5948 ---- a/fs/nfsd/nfs4state.c
5949 -+++ b/fs/nfsd/nfs4state.c
5950 -@@ -3809,16 +3809,29 @@ nevermind:
5951 - deny->ld_type = NFS4_WRITE_LT;
5952 - }
5953 -
5954 -+static bool same_lockowner_ino(struct nfs4_lockowner *lo, struct inode *inode, clientid_t *clid, struct xdr_netobj *owner)
5955 -+{
5956 -+ struct nfs4_ol_stateid *lst;
5957 -+
5958 -+ if (!same_owner_str(&lo->lo_owner, owner, clid))
5959 -+ return false;
5960 -+ lst = list_first_entry(&lo->lo_owner.so_stateids,
5961 -+ struct nfs4_ol_stateid, st_perstateowner);
5962 -+ return lst->st_file->fi_inode == inode;
5963 -+}
5964 -+
5965 - static struct nfs4_lockowner *
5966 - find_lockowner_str(struct inode *inode, clientid_t *clid,
5967 - struct xdr_netobj *owner)
5968 - {
5969 - unsigned int hashval = lock_ownerstr_hashval(inode, clid->cl_id, owner);
5970 -+ struct nfs4_lockowner *lo;
5971 - struct nfs4_stateowner *op;
5972 -
5973 - list_for_each_entry(op, &lock_ownerstr_hashtbl[hashval], so_strhash) {
5974 -- if (same_owner_str(op, owner, clid))
5975 -- return lockowner(op);
5976 -+ lo = lockowner(op);
5977 -+ if (same_lockowner_ino(lo, inode, clid, owner))
5978 -+ return lo;
5979 - }
5980 - return NULL;
5981 - }
5982 -diff --git a/fs/notify/mark.c b/fs/notify/mark.c
5983 -index e14587d..f104d56 100644
5984 ---- a/fs/notify/mark.c
5985 -+++ b/fs/notify/mark.c
5986 -@@ -135,9 +135,6 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark)
5987 -
5988 - mark->flags &= ~FSNOTIFY_MARK_FLAG_ALIVE;
5989 -
5990 -- /* 1 from caller and 1 for being on i_list/g_list */
5991 -- BUG_ON(atomic_read(&mark->refcnt) < 2);
5992 --
5993 - spin_lock(&group->mark_lock);
5994 -
5995 - if (mark->flags & FSNOTIFY_MARK_FLAG_INODE) {
5996 -@@ -182,6 +179,11 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark)
5997 - iput(inode);
5998 -
5999 - /*
6000 -+ * We don't necessarily have a ref on mark from caller so the above iput
6001 -+ * may have already destroyed it. Don't touch from now on.
6002 -+ */
6003 -+
6004 -+ /*
6005 - * it's possible that this group tried to destroy itself, but this
6006 - * this mark was simultaneously being freed by inode. If that's the
6007 - * case, we finish freeing the group here.
6008 -diff --git a/fs/proc/base.c b/fs/proc/base.c
6009 -index 851ba3d..1fc1dca 100644
6010 ---- a/fs/proc/base.c
6011 -+++ b/fs/proc/base.c
6012 -@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *inode, struct path *path)
6013 - return result;
6014 - }
6015 -
6016 --static struct mm_struct *__check_mem_permission(struct task_struct *task)
6017 --{
6018 -- struct mm_struct *mm;
6019 --
6020 -- mm = get_task_mm(task);
6021 -- if (!mm)
6022 -- return ERR_PTR(-EINVAL);
6023 --
6024 -- /*
6025 -- * A task can always look at itself, in case it chooses
6026 -- * to use system calls instead of load instructions.
6027 -- */
6028 -- if (task == current)
6029 -- return mm;
6030 --
6031 -- /*
6032 -- * If current is actively ptrace'ing, and would also be
6033 -- * permitted to freshly attach with ptrace now, permit it.
6034 -- */
6035 -- if (task_is_stopped_or_traced(task)) {
6036 -- int match;
6037 -- rcu_read_lock();
6038 -- match = (ptrace_parent(task) == current);
6039 -- rcu_read_unlock();
6040 -- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
6041 -- return mm;
6042 -- }
6043 --
6044 -- /*
6045 -- * No one else is allowed.
6046 -- */
6047 -- mmput(mm);
6048 -- return ERR_PTR(-EPERM);
6049 --}
6050 --
6051 --/*
6052 -- * If current may access user memory in @task return a reference to the
6053 -- * corresponding mm, otherwise ERR_PTR.
6054 -- */
6055 --static struct mm_struct *check_mem_permission(struct task_struct *task)
6056 --{
6057 -- struct mm_struct *mm;
6058 -- int err;
6059 --
6060 -- /*
6061 -- * Avoid racing if task exec's as we might get a new mm but validate
6062 -- * against old credentials.
6063 -- */
6064 -- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
6065 -- if (err)
6066 -- return ERR_PTR(err);
6067 --
6068 -- mm = __check_mem_permission(task);
6069 -- mutex_unlock(&task->signal->cred_guard_mutex);
6070 --
6071 -- return mm;
6072 --}
6073 --
6074 --struct mm_struct *mm_for_maps(struct task_struct *task)
6075 -+static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
6076 - {
6077 - struct mm_struct *mm;
6078 - int err;
6079 -@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
6080 -
6081 - mm = get_task_mm(task);
6082 - if (mm && mm != current->mm &&
6083 -- !ptrace_may_access(task, PTRACE_MODE_READ)) {
6084 -+ !ptrace_may_access(task, mode)) {
6085 - mmput(mm);
6086 - mm = ERR_PTR(-EACCES);
6087 - }
6088 -@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
6089 - return mm;
6090 - }
6091 -
6092 -+struct mm_struct *mm_for_maps(struct task_struct *task)
6093 -+{
6094 -+ return mm_access(task, PTRACE_MODE_READ);
6095 -+}
6096 -+
6097 - static int proc_pid_cmdline(struct task_struct *task, char * buffer)
6098 - {
6099 - int res = 0;
6100 -@@ -816,38 +763,39 @@ static const struct file_operations proc_single_file_operations = {
6101 -
6102 - static int mem_open(struct inode* inode, struct file* file)
6103 - {
6104 -- file->private_data = (void*)((long)current->self_exec_id);
6105 -+ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
6106 -+ struct mm_struct *mm;
6107 -+
6108 -+ if (!task)
6109 -+ return -ESRCH;
6110 -+
6111 -+ mm = mm_access(task, PTRACE_MODE_ATTACH);
6112 -+ put_task_struct(task);
6113 -+
6114 -+ if (IS_ERR(mm))
6115 -+ return PTR_ERR(mm);
6116 -+
6117 - /* OK to pass negative loff_t, we can catch out-of-range */
6118 - file->f_mode |= FMODE_UNSIGNED_OFFSET;
6119 -+ file->private_data = mm;
6120 -+
6121 - return 0;
6122 - }
6123 -
6124 - static ssize_t mem_read(struct file * file, char __user * buf,
6125 - size_t count, loff_t *ppos)
6126 - {
6127 -- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
6128 -+ int ret;
6129 - char *page;
6130 - unsigned long src = *ppos;
6131 -- int ret = -ESRCH;
6132 -- struct mm_struct *mm;
6133 -+ struct mm_struct *mm = file->private_data;
6134 -
6135 -- if (!task)
6136 -- goto out_no_task;
6137 -+ if (!mm)
6138 -+ return 0;
6139 -
6140 -- ret = -ENOMEM;
6141 - page = (char *)__get_free_page(GFP_TEMPORARY);
6142 - if (!page)
6143 -- goto out;
6144 --
6145 -- mm = check_mem_permission(task);
6146 -- ret = PTR_ERR(mm);
6147 -- if (IS_ERR(mm))
6148 -- goto out_free;
6149 --
6150 -- ret = -EIO;
6151 --
6152 -- if (file->private_data != (void*)((long)current->self_exec_id))
6153 -- goto out_put;
6154 -+ return -ENOMEM;
6155 -
6156 - ret = 0;
6157 -
6158 -@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * file, char __user * buf,
6159 - }
6160 - *ppos = src;
6161 -
6162 --out_put:
6163 -- mmput(mm);
6164 --out_free:
6165 - free_page((unsigned long) page);
6166 --out:
6167 -- put_task_struct(task);
6168 --out_no_task:
6169 - return ret;
6170 - }
6171 -
6172 -@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
6173 - {
6174 - int copied;
6175 - char *page;
6176 -- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
6177 - unsigned long dst = *ppos;
6178 -- struct mm_struct *mm;
6179 -+ struct mm_struct *mm = file->private_data;
6180 -
6181 -- copied = -ESRCH;
6182 -- if (!task)
6183 -- goto out_no_task;
6184 -+ if (!mm)
6185 -+ return 0;
6186 -
6187 -- copied = -ENOMEM;
6188 - page = (char *)__get_free_page(GFP_TEMPORARY);
6189 - if (!page)
6190 -- goto out_task;
6191 --
6192 -- mm = check_mem_permission(task);
6193 -- copied = PTR_ERR(mm);
6194 -- if (IS_ERR(mm))
6195 -- goto out_free;
6196 --
6197 -- copied = -EIO;
6198 -- if (file->private_data != (void *)((long)current->self_exec_id))
6199 -- goto out_mm;
6200 -+ return -ENOMEM;
6201 -
6202 - copied = 0;
6203 - while (count > 0) {
6204 -@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
6205 - }
6206 - *ppos = dst;
6207 -
6208 --out_mm:
6209 -- mmput(mm);
6210 --out_free:
6211 - free_page((unsigned long) page);
6212 --out_task:
6213 -- put_task_struct(task);
6214 --out_no_task:
6215 - return copied;
6216 - }
6217 -
6218 -@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig)
6219 - return file->f_pos;
6220 - }
6221 -
6222 -+static int mem_release(struct inode *inode, struct file *file)
6223 -+{
6224 -+ struct mm_struct *mm = file->private_data;
6225 -+
6226 -+ mmput(mm);
6227 -+ return 0;
6228 -+}
6229 -+
6230 - static const struct file_operations proc_mem_operations = {
6231 - .llseek = mem_lseek,
6232 - .read = mem_read,
6233 - .write = mem_write,
6234 - .open = mem_open,
6235 -+ .release = mem_release,
6236 - };
6237 -
6238 - static ssize_t environ_read(struct file *file, char __user *buf,
6239 -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
6240 -index e418c5a..7dcd2a2 100644
6241 ---- a/fs/proc/task_mmu.c
6242 -+++ b/fs/proc/task_mmu.c
6243 -@@ -518,6 +518,9 @@ static int clear_refs_pte_range(pmd_t *pmd, unsigned long addr,
6244 - if (!page)
6245 - continue;
6246 -
6247 -+ if (PageReserved(page))
6248 -+ continue;
6249 -+
6250 - /* Clear accessed and referenced bits. */
6251 - ptep_test_and_clear_young(vma, addr, pte);
6252 - ClearPageReferenced(page);
6253 -diff --git a/fs/proc/uptime.c b/fs/proc/uptime.c
6254 -index 766b1d4..29166ec 100644
6255 ---- a/fs/proc/uptime.c
6256 -+++ b/fs/proc/uptime.c
6257 -@@ -11,15 +11,20 @@ static int uptime_proc_show(struct seq_file *m, void *v)
6258 - {
6259 - struct timespec uptime;
6260 - struct timespec idle;
6261 -+ cputime64_t idletime;
6262 -+ u64 nsec;
6263 -+ u32 rem;
6264 - int i;
6265 -- cputime_t idletime = cputime_zero;
6266 -
6267 -+ idletime = 0;
6268 - for_each_possible_cpu(i)
6269 - idletime = cputime64_add(idletime, kstat_cpu(i).cpustat.idle);
6270 -
6271 - do_posix_clock_monotonic_gettime(&uptime);
6272 - monotonic_to_bootbased(&uptime);
6273 -- cputime_to_timespec(idletime, &idle);
6274 -+ nsec = cputime64_to_jiffies64(idletime) * TICK_NSEC;
6275 -+ idle.tv_sec = div_u64_rem(nsec, NSEC_PER_SEC, &rem);
6276 -+ idle.tv_nsec = rem;
6277 - seq_printf(m, "%lu.%02lu %lu.%02lu\n",
6278 - (unsigned long) uptime.tv_sec,
6279 - (uptime.tv_nsec / (NSEC_PER_SEC / 100)),
6280 -diff --git a/fs/ubifs/debug.h b/fs/ubifs/debug.h
6281 -index 8d9c468..c9d2941 100644
6282 ---- a/fs/ubifs/debug.h
6283 -+++ b/fs/ubifs/debug.h
6284 -@@ -175,22 +175,23 @@ const char *dbg_key_str1(const struct ubifs_info *c,
6285 - const union ubifs_key *key);
6286 -
6287 - /*
6288 -- * DBGKEY macros require @dbg_lock to be held, which it is in the dbg message
6289 -- * macros.
6290 -+ * TODO: these macros are now broken because there is no locking around them
6291 -+ * and we use a global buffer for the key string. This means that in case of
6292 -+ * concurrent execution we will end up with incorrect and messy key strings.
6293 - */
6294 - #define DBGKEY(key) dbg_key_str0(c, (key))
6295 - #define DBGKEY1(key) dbg_key_str1(c, (key))
6296 -
6297 - extern spinlock_t dbg_lock;
6298 -
6299 --#define ubifs_dbg_msg(type, fmt, ...) do { \
6300 -- spin_lock(&dbg_lock); \
6301 -- pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__); \
6302 -- spin_unlock(&dbg_lock); \
6303 --} while (0)
6304 -+#define ubifs_dbg_msg(type, fmt, ...) \
6305 -+ pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__)
6306 -
6307 - /* Just a debugging messages not related to any specific UBIFS subsystem */
6308 --#define dbg_msg(fmt, ...) ubifs_dbg_msg("msg", fmt, ##__VA_ARGS__)
6309 -+#define dbg_msg(fmt, ...) \
6310 -+ printk(KERN_DEBUG "UBIFS DBG (pid %d): %s: " fmt "\n", current->pid, \
6311 -+ __func__, ##__VA_ARGS__)
6312 -+
6313 - /* General messages */
6314 - #define dbg_gen(fmt, ...) ubifs_dbg_msg("gen", fmt, ##__VA_ARGS__)
6315 - /* Additional journal messages */
6316 -diff --git a/fs/xfs/xfs_discard.c b/fs/xfs/xfs_discard.c
6317 -index 8a24f0c..286a051 100644
6318 ---- a/fs/xfs/xfs_discard.c
6319 -+++ b/fs/xfs/xfs_discard.c
6320 -@@ -68,7 +68,7 @@ xfs_trim_extents(
6321 - * Look up the longest btree in the AGF and start with it.
6322 - */
6323 - error = xfs_alloc_lookup_le(cur, 0,
6324 -- XFS_BUF_TO_AGF(agbp)->agf_longest, &i);
6325 -+ be32_to_cpu(XFS_BUF_TO_AGF(agbp)->agf_longest), &i);
6326 - if (error)
6327 - goto out_del_cursor;
6328 -
6329 -@@ -84,7 +84,7 @@ xfs_trim_extents(
6330 - if (error)
6331 - goto out_del_cursor;
6332 - XFS_WANT_CORRUPTED_GOTO(i == 1, out_del_cursor);
6333 -- ASSERT(flen <= XFS_BUF_TO_AGF(agbp)->agf_longest);
6334 -+ ASSERT(flen <= be32_to_cpu(XFS_BUF_TO_AGF(agbp)->agf_longest));
6335 -
6336 - /*
6337 - * Too small? Give up.
6338 -diff --git a/include/acpi/acpi_numa.h b/include/acpi/acpi_numa.h
6339 -index 1739726..451823c 100644
6340 ---- a/include/acpi/acpi_numa.h
6341 -+++ b/include/acpi/acpi_numa.h
6342 -@@ -15,6 +15,7 @@ extern int pxm_to_node(int);
6343 - extern int node_to_pxm(int);
6344 - extern void __acpi_map_pxm_to_node(int, int);
6345 - extern int acpi_map_pxm_to_node(int);
6346 -+extern unsigned char acpi_srat_revision;
6347 -
6348 - #endif /* CONFIG_ACPI_NUMA */
6349 - #endif /* __ACP_NUMA_H */
6350 -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
6351 -index 94acd81..0ed1eb0 100644
6352 ---- a/include/linux/blkdev.h
6353 -+++ b/include/linux/blkdev.h
6354 -@@ -675,6 +675,9 @@ extern int blk_insert_cloned_request(struct request_queue *q,
6355 - struct request *rq);
6356 - extern void blk_delay_queue(struct request_queue *, unsigned long);
6357 - extern void blk_recount_segments(struct request_queue *, struct bio *);
6358 -+extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
6359 -+extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
6360 -+ unsigned int, void __user *);
6361 - extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
6362 - unsigned int, void __user *);
6363 - extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
6364 -diff --git a/include/linux/crash_dump.h b/include/linux/crash_dump.h
6365 -index 5c4abce..b936763 100644
6366 ---- a/include/linux/crash_dump.h
6367 -+++ b/include/linux/crash_dump.h
6368 -@@ -5,6 +5,7 @@
6369 - #include <linux/kexec.h>
6370 - #include <linux/device.h>
6371 - #include <linux/proc_fs.h>
6372 -+#include <linux/elf.h>
6373 -
6374 - #define ELFCORE_ADDR_MAX (-1ULL)
6375 - #define ELFCORE_ADDR_ERR (-2ULL)
6376 -diff --git a/include/linux/dcache.h b/include/linux/dcache.h
6377 -index ed9f74f..4eb8c80 100644
6378 ---- a/include/linux/dcache.h
6379 -+++ b/include/linux/dcache.h
6380 -@@ -203,6 +203,7 @@ struct dentry_operations {
6381 -
6382 - #define DCACHE_CANT_MOUNT 0x0100
6383 - #define DCACHE_GENOCIDE 0x0200
6384 -+#define DCACHE_SHRINK_LIST 0x0400
6385 -
6386 - #define DCACHE_NFSFS_RENAMED 0x1000
6387 - /* this dentry has been "silly renamed" and has to be deleted on the last
6388 -diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
6389 -index b87068a..81572af 100644
6390 ---- a/include/linux/memcontrol.h
6391 -+++ b/include/linux/memcontrol.h
6392 -@@ -119,6 +119,8 @@ struct zone_reclaim_stat*
6393 - mem_cgroup_get_reclaim_stat_from_page(struct page *page);
6394 - extern void mem_cgroup_print_oom_info(struct mem_cgroup *memcg,
6395 - struct task_struct *p);
6396 -+extern void mem_cgroup_replace_page_cache(struct page *oldpage,
6397 -+ struct page *newpage);
6398 -
6399 - #ifdef CONFIG_CGROUP_MEM_RES_CTLR_SWAP
6400 - extern int do_swap_account;
6401 -@@ -366,6 +368,10 @@ static inline
6402 - void mem_cgroup_count_vm_event(struct mm_struct *mm, enum vm_event_item idx)
6403 - {
6404 - }
6405 -+static inline void mem_cgroup_replace_page_cache(struct page *oldpage,
6406 -+ struct page *newpage)
6407 -+{
6408 -+}
6409 - #endif /* CONFIG_CGROUP_MEM_CONT */
6410 -
6411 - #if !defined(CONFIG_CGROUP_MEM_RES_CTLR) || !defined(CONFIG_DEBUG_VM)
6412 -diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
6413 -index 2a7c533..6c898af 100644
6414 ---- a/include/linux/nfs_xdr.h
6415 -+++ b/include/linux/nfs_xdr.h
6416 -@@ -602,11 +602,16 @@ struct nfs_getaclargs {
6417 - size_t acl_len;
6418 - unsigned int acl_pgbase;
6419 - struct page ** acl_pages;
6420 -+ struct page * acl_scratch;
6421 - struct nfs4_sequence_args seq_args;
6422 - };
6423 -
6424 -+/* getxattr ACL interface flags */
6425 -+#define NFS4_ACL_LEN_REQUEST 0x0001 /* zero length getxattr buffer */
6426 - struct nfs_getaclres {
6427 - size_t acl_len;
6428 -+ size_t acl_data_offset;
6429 -+ int acl_flags;
6430 - struct nfs4_sequence_res seq_res;
6431 - };
6432 -
6433 -diff --git a/include/linux/pci_regs.h b/include/linux/pci_regs.h
6434 -index b5d9657..411c412 100644
6435 ---- a/include/linux/pci_regs.h
6436 -+++ b/include/linux/pci_regs.h
6437 -@@ -392,7 +392,7 @@
6438 - #define PCI_EXP_TYPE_DOWNSTREAM 0x6 /* Downstream Port */
6439 - #define PCI_EXP_TYPE_PCI_BRIDGE 0x7 /* PCI/PCI-X Bridge */
6440 - #define PCI_EXP_TYPE_RC_END 0x9 /* Root Complex Integrated Endpoint */
6441 --#define PCI_EXP_TYPE_RC_EC 0x10 /* Root Complex Event Collector */
6442 -+#define PCI_EXP_TYPE_RC_EC 0xa /* Root Complex Event Collector */
6443 - #define PCI_EXP_FLAGS_SLOT 0x0100 /* Slot implemented */
6444 - #define PCI_EXP_FLAGS_IRQ 0x3e00 /* Interrupt message number */
6445 - #define PCI_EXP_DEVCAP 4 /* Device capabilities */
6446 -diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
6447 -index 9291ac3..6f10c9c 100644
6448 ---- a/include/linux/shmem_fs.h
6449 -+++ b/include/linux/shmem_fs.h
6450 -@@ -48,6 +48,7 @@ extern struct file *shmem_file_setup(const char *name,
6451 - loff_t size, unsigned long flags);
6452 - extern int shmem_zero_setup(struct vm_area_struct *);
6453 - extern int shmem_lock(struct file *file, int lock, struct user_struct *user);
6454 -+extern void shmem_unlock_mapping(struct address_space *mapping);
6455 - extern struct page *shmem_read_mapping_page_gfp(struct address_space *mapping,
6456 - pgoff_t index, gfp_t gfp_mask);
6457 - extern void shmem_truncate_range(struct inode *inode, loff_t start, loff_t end);
6458 -diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h
6459 -index 85c50b4..c84e974 100644
6460 ---- a/include/linux/sunrpc/svcsock.h
6461 -+++ b/include/linux/sunrpc/svcsock.h
6462 -@@ -34,7 +34,7 @@ struct svc_sock {
6463 - /*
6464 - * Function prototypes.
6465 - */
6466 --void svc_close_all(struct list_head *);
6467 -+void svc_close_all(struct svc_serv *);
6468 - int svc_recv(struct svc_rqst *, long);
6469 - int svc_send(struct svc_rqst *);
6470 - void svc_drop(struct svc_rqst *);
6471 -diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
6472 -index a20970e..af70af3 100644
6473 ---- a/include/linux/sunrpc/xdr.h
6474 -+++ b/include/linux/sunrpc/xdr.h
6475 -@@ -191,6 +191,8 @@ extern int xdr_decode_array2(struct xdr_buf *buf, unsigned int base,
6476 - struct xdr_array2_desc *desc);
6477 - extern int xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
6478 - struct xdr_array2_desc *desc);
6479 -+extern void _copy_from_pages(char *p, struct page **pages, size_t pgbase,
6480 -+ size_t len);
6481 -
6482 - /*
6483 - * Provide some simple tools for XDR buffer overflow-checking etc.
6484 -diff --git a/include/linux/swap.h b/include/linux/swap.h
6485 -index 1e22e12..67b3fa3 100644
6486 ---- a/include/linux/swap.h
6487 -+++ b/include/linux/swap.h
6488 -@@ -272,7 +272,7 @@ static inline int zone_reclaim(struct zone *z, gfp_t mask, unsigned int order)
6489 - #endif
6490 -
6491 - extern int page_evictable(struct page *page, struct vm_area_struct *vma);
6492 --extern void scan_mapping_unevictable_pages(struct address_space *);
6493 -+extern void check_move_unevictable_pages(struct page **, int nr_pages);
6494 -
6495 - extern unsigned long scan_unevictable_pages;
6496 - extern int scan_unevictable_handler(struct ctl_table *, int,
6497 -diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
6498 -index 4b752d5..45a7698 100644
6499 ---- a/include/linux/videodev2.h
6500 -+++ b/include/linux/videodev2.h
6501 -@@ -1131,6 +1131,7 @@ struct v4l2_querymenu {
6502 - #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
6503 -
6504 - /* User-class control IDs defined by V4L2 */
6505 -+#define V4L2_CID_MAX_CTRLS 1024
6506 - #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
6507 - #define V4L2_CID_USER_BASE V4L2_CID_BASE
6508 - /* IDs reserved for driver specific controls */
6509 -diff --git a/include/media/tuner.h b/include/media/tuner.h
6510 -index 89c290b..29e1920 100644
6511 ---- a/include/media/tuner.h
6512 -+++ b/include/media/tuner.h
6513 -@@ -127,7 +127,6 @@
6514 - #define TUNER_PHILIPS_FMD1216MEX_MK3 78
6515 - #define TUNER_PHILIPS_FM1216MK5 79
6516 - #define TUNER_PHILIPS_FQ1216LME_MK3 80 /* Active loopthrough, no FM */
6517 --#define TUNER_XC4000 81 /* Xceive Silicon Tuner */
6518 -
6519 - #define TUNER_PARTSNIC_PTI_5NF05 81
6520 - #define TUNER_PHILIPS_CU1216L 82
6521 -@@ -136,6 +135,8 @@
6522 - #define TUNER_PHILIPS_FQ1236_MK5 85 /* NTSC, TDA9885, no FM radio */
6523 - #define TUNER_TENA_TNF_5337 86
6524 -
6525 -+#define TUNER_XC4000 87 /* Xceive Silicon Tuner */
6526 -+
6527 - /* tv card specific */
6528 - #define TDA9887_PRESENT (1<<0)
6529 - #define TDA9887_PORT1_INACTIVE (1<<1)
6530 -diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
6531 -index 6873c7d..a79886c 100644
6532 ---- a/include/target/target_core_base.h
6533 -+++ b/include/target/target_core_base.h
6534 -@@ -34,6 +34,7 @@
6535 - #define TRANSPORT_SENSE_BUFFER SCSI_SENSE_BUFFERSIZE
6536 - /* Used by transport_send_check_condition_and_sense() */
6537 - #define SPC_SENSE_KEY_OFFSET 2
6538 -+#define SPC_ADD_SENSE_LEN_OFFSET 7
6539 - #define SPC_ASC_KEY_OFFSET 12
6540 - #define SPC_ASCQ_KEY_OFFSET 13
6541 - #define TRANSPORT_IQN_LEN 224
6542 -diff --git a/include/xen/interface/io/xs_wire.h b/include/xen/interface/io/xs_wire.h
6543 -index f6f07aa..7cdfca2 100644
6544 ---- a/include/xen/interface/io/xs_wire.h
6545 -+++ b/include/xen/interface/io/xs_wire.h
6546 -@@ -87,4 +87,7 @@ struct xenstore_domain_interface {
6547 - XENSTORE_RING_IDX rsp_cons, rsp_prod;
6548 - };
6549 -
6550 -+/* Violating this is very bad. See docs/misc/xenstore.txt. */
6551 -+#define XENSTORE_PAYLOAD_MAX 4096
6552 -+
6553 - #endif /* _XS_WIRE_H */
6554 -diff --git a/init/do_mounts.c b/init/do_mounts.c
6555 -index 0f6e1d9..db6e5ee 100644
6556 ---- a/init/do_mounts.c
6557 -+++ b/init/do_mounts.c
6558 -@@ -398,15 +398,42 @@ out:
6559 - }
6560 -
6561 - #ifdef CONFIG_ROOT_NFS
6562 -+
6563 -+#define NFSROOT_TIMEOUT_MIN 5
6564 -+#define NFSROOT_TIMEOUT_MAX 30
6565 -+#define NFSROOT_RETRY_MAX 5
6566 -+
6567 - static int __init mount_nfs_root(void)
6568 - {
6569 - char *root_dev, *root_data;
6570 -+ unsigned int timeout;
6571 -+ int try, err;
6572 -
6573 -- if (nfs_root_data(&root_dev, &root_data) != 0)
6574 -- return 0;
6575 -- if (do_mount_root(root_dev, "nfs", root_mountflags, root_data) != 0)
6576 -+ err = nfs_root_data(&root_dev, &root_data);
6577 -+ if (err != 0)
6578 - return 0;
6579 -- return 1;
6580 -+
6581 -+ /*
6582 -+ * The server or network may not be ready, so try several
6583 -+ * times. Stop after a few tries in case the client wants
6584 -+ * to fall back to other boot methods.
6585 -+ */
6586 -+ timeout = NFSROOT_TIMEOUT_MIN;
6587 -+ for (try = 1; ; try++) {
6588 -+ err = do_mount_root(root_dev, "nfs",
6589 -+ root_mountflags, root_data);
6590 -+ if (err == 0)
6591 -+ return 1;
6592 -+ if (try > NFSROOT_RETRY_MAX)
6593 -+ break;
6594 -+
6595 -+ /* Wait, in case the server refused us immediately */
6596 -+ ssleep(timeout);
6597 -+ timeout <<= 1;
6598 -+ if (timeout > NFSROOT_TIMEOUT_MAX)
6599 -+ timeout = NFSROOT_TIMEOUT_MAX;
6600 -+ }
6601 -+ return 0;
6602 - }
6603 - #endif
6604 -
6605 -diff --git a/ipc/shm.c b/ipc/shm.c
6606 -index 02ecf2c..b76be5b 100644
6607 ---- a/ipc/shm.c
6608 -+++ b/ipc/shm.c
6609 -@@ -870,9 +870,7 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
6610 - case SHM_LOCK:
6611 - case SHM_UNLOCK:
6612 - {
6613 -- struct file *uninitialized_var(shm_file);
6614 --
6615 -- lru_add_drain_all(); /* drain pagevecs to lru lists */
6616 -+ struct file *shm_file;
6617 -
6618 - shp = shm_lock_check(ns, shmid);
6619 - if (IS_ERR(shp)) {
6620 -@@ -895,22 +893,31 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
6621 - err = security_shm_shmctl(shp, cmd);
6622 - if (err)
6623 - goto out_unlock;
6624 --
6625 -- if(cmd==SHM_LOCK) {
6626 -+
6627 -+ shm_file = shp->shm_file;
6628 -+ if (is_file_hugepages(shm_file))
6629 -+ goto out_unlock;
6630 -+
6631 -+ if (cmd == SHM_LOCK) {
6632 - struct user_struct *user = current_user();
6633 -- if (!is_file_hugepages(shp->shm_file)) {
6634 -- err = shmem_lock(shp->shm_file, 1, user);
6635 -- if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){
6636 -- shp->shm_perm.mode |= SHM_LOCKED;
6637 -- shp->mlock_user = user;
6638 -- }
6639 -+ err = shmem_lock(shm_file, 1, user);
6640 -+ if (!err && !(shp->shm_perm.mode & SHM_LOCKED)) {
6641 -+ shp->shm_perm.mode |= SHM_LOCKED;
6642 -+ shp->mlock_user = user;
6643 - }
6644 -- } else if (!is_file_hugepages(shp->shm_file)) {
6645 -- shmem_lock(shp->shm_file, 0, shp->mlock_user);
6646 -- shp->shm_perm.mode &= ~SHM_LOCKED;
6647 -- shp->mlock_user = NULL;
6648 -+ goto out_unlock;
6649 - }
6650 -+
6651 -+ /* SHM_UNLOCK */
6652 -+ if (!(shp->shm_perm.mode & SHM_LOCKED))
6653 -+ goto out_unlock;
6654 -+ shmem_lock(shm_file, 0, shp->mlock_user);
6655 -+ shp->shm_perm.mode &= ~SHM_LOCKED;
6656 -+ shp->mlock_user = NULL;
6657 -+ get_file(shm_file);
6658 - shm_unlock(shp);
6659 -+ shmem_unlock_mapping(shm_file->f_mapping);
6660 -+ fput(shm_file);
6661 - goto out;
6662 - }
6663 - case IPC_RMID:
6664 -diff --git a/kernel/kprobes.c b/kernel/kprobes.c
6665 -index e5d8464..52fd049 100644
6666 ---- a/kernel/kprobes.c
6667 -+++ b/kernel/kprobes.c
6668 -@@ -1077,6 +1077,7 @@ void __kprobes kprobe_flush_task(struct task_struct *tk)
6669 - /* Early boot. kretprobe_table_locks not yet initialized. */
6670 - return;
6671 -
6672 -+ INIT_HLIST_HEAD(&empty_rp);
6673 - hash = hash_ptr(tk, KPROBE_HASH_BITS);
6674 - head = &kretprobe_inst_table[hash];
6675 - kretprobe_table_lock(hash, &flags);
6676 -@@ -1085,7 +1086,6 @@ void __kprobes kprobe_flush_task(struct task_struct *tk)
6677 - recycle_rp_inst(ri, &empty_rp);
6678 - }
6679 - kretprobe_table_unlock(hash, &flags);
6680 -- INIT_HLIST_HEAD(&empty_rp);
6681 - hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
6682 - hlist_del(&ri->hlist);
6683 - kfree(ri);
6684 -diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
6685 -index b1e8943..25b4f4d 100644
6686 ---- a/kernel/trace/ftrace.c
6687 -+++ b/kernel/trace/ftrace.c
6688 -@@ -948,7 +948,7 @@ struct ftrace_func_probe {
6689 - };
6690 -
6691 - enum {
6692 -- FTRACE_ENABLE_CALLS = (1 << 0),
6693 -+ FTRACE_UPDATE_CALLS = (1 << 0),
6694 - FTRACE_DISABLE_CALLS = (1 << 1),
6695 - FTRACE_UPDATE_TRACE_FUNC = (1 << 2),
6696 - FTRACE_START_FUNC_RET = (1 << 3),
6697 -@@ -1519,7 +1519,7 @@ int ftrace_text_reserved(void *start, void *end)
6698 -
6699 -
6700 - static int
6701 --__ftrace_replace_code(struct dyn_ftrace *rec, int enable)
6702 -+__ftrace_replace_code(struct dyn_ftrace *rec, int update)
6703 - {
6704 - unsigned long ftrace_addr;
6705 - unsigned long flag = 0UL;
6706 -@@ -1527,17 +1527,17 @@ __ftrace_replace_code(struct dyn_ftrace *rec, int enable)
6707 - ftrace_addr = (unsigned long)FTRACE_ADDR;
6708 -
6709 - /*
6710 -- * If we are enabling tracing:
6711 -+ * If we are updating calls:
6712 - *
6713 - * If the record has a ref count, then we need to enable it
6714 - * because someone is using it.
6715 - *
6716 - * Otherwise we make sure its disabled.
6717 - *
6718 -- * If we are disabling tracing, then disable all records that
6719 -+ * If we are disabling calls, then disable all records that
6720 - * are enabled.
6721 - */
6722 -- if (enable && (rec->flags & ~FTRACE_FL_MASK))
6723 -+ if (update && (rec->flags & ~FTRACE_FL_MASK))
6724 - flag = FTRACE_FL_ENABLED;
6725 -
6726 - /* If the state of this record hasn't changed, then do nothing */
6727 -@@ -1553,7 +1553,7 @@ __ftrace_replace_code(struct dyn_ftrace *rec, int enable)
6728 - return ftrace_make_nop(NULL, rec, ftrace_addr);
6729 - }
6730 -
6731 --static void ftrace_replace_code(int enable)
6732 -+static void ftrace_replace_code(int update)
6733 - {
6734 - struct dyn_ftrace *rec;
6735 - struct ftrace_page *pg;
6736 -@@ -1567,7 +1567,7 @@ static void ftrace_replace_code(int enable)
6737 - if (rec->flags & FTRACE_FL_FREE)
6738 - continue;
6739 -
6740 -- failed = __ftrace_replace_code(rec, enable);
6741 -+ failed = __ftrace_replace_code(rec, update);
6742 - if (failed) {
6743 - ftrace_bug(failed, rec->ip);
6744 - /* Stop processing */
6745 -@@ -1623,7 +1623,7 @@ static int __ftrace_modify_code(void *data)
6746 - */
6747 - function_trace_stop++;
6748 -
6749 -- if (*command & FTRACE_ENABLE_CALLS)
6750 -+ if (*command & FTRACE_UPDATE_CALLS)
6751 - ftrace_replace_code(1);
6752 - else if (*command & FTRACE_DISABLE_CALLS)
6753 - ftrace_replace_code(0);
6754 -@@ -1691,7 +1691,7 @@ static int ftrace_startup(struct ftrace_ops *ops, int command)
6755 - return -ENODEV;
6756 -
6757 - ftrace_start_up++;
6758 -- command |= FTRACE_ENABLE_CALLS;
6759 -+ command |= FTRACE_UPDATE_CALLS;
6760 -
6761 - /* ops marked global share the filter hashes */
6762 - if (ops->flags & FTRACE_OPS_FL_GLOBAL) {
6763 -@@ -1743,8 +1743,7 @@ static void ftrace_shutdown(struct ftrace_ops *ops, int command)
6764 - if (ops != &global_ops || !global_start_up)
6765 - ops->flags &= ~FTRACE_OPS_FL_ENABLED;
6766 -
6767 -- if (!ftrace_start_up)
6768 -- command |= FTRACE_DISABLE_CALLS;
6769 -+ command |= FTRACE_UPDATE_CALLS;
6770 -
6771 - if (saved_ftrace_func != ftrace_trace_function) {
6772 - saved_ftrace_func = ftrace_trace_function;
6773 -@@ -1766,7 +1765,7 @@ static void ftrace_startup_sysctl(void)
6774 - saved_ftrace_func = NULL;
6775 - /* ftrace_start_up is true if we want ftrace running */
6776 - if (ftrace_start_up)
6777 -- ftrace_run_update_code(FTRACE_ENABLE_CALLS);
6778 -+ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
6779 - }
6780 -
6781 - static void ftrace_shutdown_sysctl(void)
6782 -@@ -2919,7 +2918,7 @@ ftrace_set_regex(struct ftrace_ops *ops, unsigned char *buf, int len,
6783 - ret = ftrace_hash_move(ops, enable, orig_hash, hash);
6784 - if (!ret && ops->flags & FTRACE_OPS_FL_ENABLED
6785 - && ftrace_enabled)
6786 -- ftrace_run_update_code(FTRACE_ENABLE_CALLS);
6787 -+ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
6788 -
6789 - mutex_unlock(&ftrace_lock);
6790 -
6791 -@@ -3107,7 +3106,7 @@ ftrace_regex_release(struct inode *inode, struct file *file)
6792 - orig_hash, iter->hash);
6793 - if (!ret && (iter->ops->flags & FTRACE_OPS_FL_ENABLED)
6794 - && ftrace_enabled)
6795 -- ftrace_run_update_code(FTRACE_ENABLE_CALLS);
6796 -+ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
6797 -
6798 - mutex_unlock(&ftrace_lock);
6799 - }
6800 -diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
6801 -index db110b8..f1539de 100644
6802 ---- a/kernel/tracepoint.c
6803 -+++ b/kernel/tracepoint.c
6804 -@@ -634,10 +634,11 @@ static int tracepoint_module_coming(struct module *mod)
6805 - int ret = 0;
6806 -
6807 - /*
6808 -- * We skip modules that tain the kernel, especially those with different
6809 -- * module header (for forced load), to make sure we don't cause a crash.
6810 -+ * We skip modules that taint the kernel, especially those with different
6811 -+ * module headers (for forced load), to make sure we don't cause a crash.
6812 -+ * Staging and out-of-tree GPL modules are fine.
6813 - */
6814 -- if (mod->taints)
6815 -+ if (mod->taints & ~((1 << TAINT_OOT_MODULE) | (1 << TAINT_CRAP)))
6816 - return 0;
6817 - mutex_lock(&tracepoints_mutex);
6818 - tp_mod = kmalloc(sizeof(struct tp_module), GFP_KERNEL);
6819 -diff --git a/mm/filemap.c b/mm/filemap.c
6820 -index 5f0a3c9..90286a4 100644
6821 ---- a/mm/filemap.c
6822 -+++ b/mm/filemap.c
6823 -@@ -393,24 +393,11 @@ EXPORT_SYMBOL(filemap_write_and_wait_range);
6824 - int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
6825 - {
6826 - int error;
6827 -- struct mem_cgroup *memcg = NULL;
6828 -
6829 - VM_BUG_ON(!PageLocked(old));
6830 - VM_BUG_ON(!PageLocked(new));
6831 - VM_BUG_ON(new->mapping);
6832 -
6833 -- /*
6834 -- * This is not page migration, but prepare_migration and
6835 -- * end_migration does enough work for charge replacement.
6836 -- *
6837 -- * In the longer term we probably want a specialized function
6838 -- * for moving the charge from old to new in a more efficient
6839 -- * manner.
6840 -- */
6841 -- error = mem_cgroup_prepare_migration(old, new, &memcg, gfp_mask);
6842 -- if (error)
6843 -- return error;
6844 --
6845 - error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM);
6846 - if (!error) {
6847 - struct address_space *mapping = old->mapping;
6848 -@@ -432,13 +419,12 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
6849 - if (PageSwapBacked(new))
6850 - __inc_zone_page_state(new, NR_SHMEM);
6851 - spin_unlock_irq(&mapping->tree_lock);
6852 -+ /* mem_cgroup codes must not be called under tree_lock */
6853 -+ mem_cgroup_replace_page_cache(old, new);
6854 - radix_tree_preload_end();
6855 - if (freepage)
6856 - freepage(old);
6857 - page_cache_release(old);
6858 -- mem_cgroup_end_migration(memcg, old, new, true);
6859 -- } else {
6860 -- mem_cgroup_end_migration(memcg, old, new, false);
6861 - }
6862 -
6863 - return error;
6864 -diff --git a/mm/memcontrol.c b/mm/memcontrol.c
6865 -index b63f5f7..f538e9b 100644
6866 ---- a/mm/memcontrol.c
6867 -+++ b/mm/memcontrol.c
6868 -@@ -3366,6 +3366,50 @@ void mem_cgroup_end_migration(struct mem_cgroup *memcg,
6869 - cgroup_release_and_wakeup_rmdir(&memcg->css);
6870 - }
6871 -
6872 -+/*
6873 -+ * At replace page cache, newpage is not under any memcg but it's on
6874 -+ * LRU. So, this function doesn't touch res_counter but handles LRU
6875 -+ * in correct way. Both pages are locked so we cannot race with uncharge.
6876 -+ */
6877 -+void mem_cgroup_replace_page_cache(struct page *oldpage,
6878 -+ struct page *newpage)
6879 -+{
6880 -+ struct mem_cgroup *memcg;
6881 -+ struct page_cgroup *pc;
6882 -+ struct zone *zone;
6883 -+ enum charge_type type = MEM_CGROUP_CHARGE_TYPE_CACHE;
6884 -+ unsigned long flags;
6885 -+
6886 -+ if (mem_cgroup_disabled())
6887 -+ return;
6888 -+
6889 -+ pc = lookup_page_cgroup(oldpage);
6890 -+ /* fix accounting on old pages */
6891 -+ lock_page_cgroup(pc);
6892 -+ memcg = pc->mem_cgroup;
6893 -+ mem_cgroup_charge_statistics(memcg, PageCgroupCache(pc), -1);
6894 -+ ClearPageCgroupUsed(pc);
6895 -+ unlock_page_cgroup(pc);
6896 -+
6897 -+ if (PageSwapBacked(oldpage))
6898 -+ type = MEM_CGROUP_CHARGE_TYPE_SHMEM;
6899 -+
6900 -+ zone = page_zone(newpage);
6901 -+ pc = lookup_page_cgroup(newpage);
6902 -+ /*
6903 -+ * Even if newpage->mapping was NULL before starting replacement,
6904 -+ * the newpage may be on LRU(or pagevec for LRU) already. We lock
6905 -+ * LRU while we overwrite pc->mem_cgroup.
6906 -+ */
6907 -+ spin_lock_irqsave(&zone->lru_lock, flags);
6908 -+ if (PageLRU(newpage))
6909 -+ del_page_from_lru_list(zone, newpage, page_lru(newpage));
6910 -+ __mem_cgroup_commit_charge(memcg, newpage, 1, pc, type);
6911 -+ if (PageLRU(newpage))
6912 -+ add_page_to_lru_list(zone, newpage, page_lru(newpage));
6913 -+ spin_unlock_irqrestore(&zone->lru_lock, flags);
6914 -+}
6915 -+
6916 - #ifdef CONFIG_DEBUG_VM
6917 - static struct page_cgroup *lookup_page_cgroup_used(struct page *page)
6918 - {
6919 -diff --git a/mm/page_alloc.c b/mm/page_alloc.c
6920 -index 2b8ba3a..485be89 100644
6921 ---- a/mm/page_alloc.c
6922 -+++ b/mm/page_alloc.c
6923 -@@ -5608,6 +5608,17 @@ __count_immobile_pages(struct zone *zone, struct page *page, int count)
6924 - bool is_pageblock_removable_nolock(struct page *page)
6925 - {
6926 - struct zone *zone = page_zone(page);
6927 -+ unsigned long pfn = page_to_pfn(page);
6928 -+
6929 -+ /*
6930 -+ * We have to be careful here because we are iterating over memory
6931 -+ * sections which are not zone aware so we might end up outside of
6932 -+ * the zone but still within the section.
6933 -+ */
6934 -+ if (!zone || zone->zone_start_pfn > pfn ||
6935 -+ zone->zone_start_pfn + zone->spanned_pages <= pfn)
6936 -+ return false;
6937 -+
6938 - return __count_immobile_pages(zone, page, 0);
6939 - }
6940 -
6941 -diff --git a/mm/shmem.c b/mm/shmem.c
6942 -index d672250..6c253f7 100644
6943 ---- a/mm/shmem.c
6944 -+++ b/mm/shmem.c
6945 -@@ -379,7 +379,7 @@ static int shmem_free_swap(struct address_space *mapping,
6946 - /*
6947 - * Pagevec may contain swap entries, so shuffle up pages before releasing.
6948 - */
6949 --static void shmem_pagevec_release(struct pagevec *pvec)
6950 -+static void shmem_deswap_pagevec(struct pagevec *pvec)
6951 - {
6952 - int i, j;
6953 -
6954 -@@ -389,7 +389,36 @@ static void shmem_pagevec_release(struct pagevec *pvec)
6955 - pvec->pages[j++] = page;
6956 - }
6957 - pvec->nr = j;
6958 -- pagevec_release(pvec);
6959 -+}
6960 -+
6961 -+/*
6962 -+ * SysV IPC SHM_UNLOCK restore Unevictable pages to their evictable lists.
6963 -+ */
6964 -+void shmem_unlock_mapping(struct address_space *mapping)
6965 -+{
6966 -+ struct pagevec pvec;
6967 -+ pgoff_t indices[PAGEVEC_SIZE];
6968 -+ pgoff_t index = 0;
6969 -+
6970 -+ pagevec_init(&pvec, 0);
6971 -+ /*
6972 -+ * Minor point, but we might as well stop if someone else SHM_LOCKs it.
6973 -+ */
6974 -+ while (!mapping_unevictable(mapping)) {
6975 -+ /*
6976 -+ * Avoid pagevec_lookup(): find_get_pages() returns 0 as if it
6977 -+ * has finished, if it hits a row of PAGEVEC_SIZE swap entries.
6978 -+ */
6979 -+ pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
6980 -+ PAGEVEC_SIZE, pvec.pages, indices);
6981 -+ if (!pvec.nr)
6982 -+ break;
6983 -+ index = indices[pvec.nr - 1] + 1;
6984 -+ shmem_deswap_pagevec(&pvec);
6985 -+ check_move_unevictable_pages(pvec.pages, pvec.nr);
6986 -+ pagevec_release(&pvec);
6987 -+ cond_resched();
6988 -+ }
6989 - }
6990 -
6991 - /*
6992 -@@ -440,7 +469,8 @@ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
6993 - }
6994 - unlock_page(page);
6995 - }
6996 -- shmem_pagevec_release(&pvec);
6997 -+ shmem_deswap_pagevec(&pvec);
6998 -+ pagevec_release(&pvec);
6999 - mem_cgroup_uncharge_end();
7000 - cond_resched();
7001 - index++;
7002 -@@ -470,7 +500,8 @@ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
7003 - continue;
7004 - }
7005 - if (index == start && indices[0] > end) {
7006 -- shmem_pagevec_release(&pvec);
7007 -+ shmem_deswap_pagevec(&pvec);
7008 -+ pagevec_release(&pvec);
7009 - break;
7010 - }
7011 - mem_cgroup_uncharge_start();
7012 -@@ -494,7 +525,8 @@ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
7013 - }
7014 - unlock_page(page);
7015 - }
7016 -- shmem_pagevec_release(&pvec);
7017 -+ shmem_deswap_pagevec(&pvec);
7018 -+ pagevec_release(&pvec);
7019 - mem_cgroup_uncharge_end();
7020 - index++;
7021 - }
7022 -@@ -1068,13 +1100,6 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
7023 - user_shm_unlock(inode->i_size, user);
7024 - info->flags &= ~VM_LOCKED;
7025 - mapping_clear_unevictable(file->f_mapping);
7026 -- /*
7027 -- * Ensure that a racing putback_lru_page() can see
7028 -- * the pages of this mapping are evictable when we
7029 -- * skip them due to !PageLRU during the scan.
7030 -- */
7031 -- smp_mb__after_clear_bit();
7032 -- scan_mapping_unevictable_pages(file->f_mapping);
7033 - }
7034 - retval = 0;
7035 -
7036 -@@ -2446,6 +2471,10 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
7037 - return 0;
7038 - }
7039 -
7040 -+void shmem_unlock_mapping(struct address_space *mapping)
7041 -+{
7042 -+}
7043 -+
7044 - void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
7045 - {
7046 - truncate_inode_pages_range(inode->i_mapping, lstart, lend);
7047 -diff --git a/mm/slub.c b/mm/slub.c
7048 -index ed3334d..1a919f0 100644
7049 ---- a/mm/slub.c
7050 -+++ b/mm/slub.c
7051 -@@ -2166,6 +2166,11 @@ redo:
7052 - goto new_slab;
7053 - }
7054 -
7055 -+ /* must check again c->freelist in case of cpu migration or IRQ */
7056 -+ object = c->freelist;
7057 -+ if (object)
7058 -+ goto load_freelist;
7059 -+
7060 - stat(s, ALLOC_SLOWPATH);
7061 -
7062 - do {
7063 -diff --git a/mm/vmscan.c b/mm/vmscan.c
7064 -index f54a05b..cb33d9c 100644
7065 ---- a/mm/vmscan.c
7066 -+++ b/mm/vmscan.c
7067 -@@ -636,7 +636,7 @@ redo:
7068 - * When racing with an mlock or AS_UNEVICTABLE clearing
7069 - * (page is unlocked) make sure that if the other thread
7070 - * does not observe our setting of PG_lru and fails
7071 -- * isolation/check_move_unevictable_page,
7072 -+ * isolation/check_move_unevictable_pages,
7073 - * we see PG_mlocked/AS_UNEVICTABLE cleared below and move
7074 - * the page back to the evictable list.
7075 - *
7076 -@@ -3353,97 +3353,59 @@ int page_evictable(struct page *page, struct vm_area_struct *vma)
7077 - return 1;
7078 - }
7079 -
7080 -+#ifdef CONFIG_SHMEM
7081 - /**
7082 -- * check_move_unevictable_page - check page for evictability and move to appropriate zone lru list
7083 -- * @page: page to check evictability and move to appropriate lru list
7084 -- * @zone: zone page is in
7085 -+ * check_move_unevictable_pages - check pages for evictability and move to appropriate zone lru list
7086 -+ * @pages: array of pages to check
7087 -+ * @nr_pages: number of pages to check
7088 - *
7089 -- * Checks a page for evictability and moves the page to the appropriate
7090 -- * zone lru list.
7091 -+ * Checks pages for evictability and moves them to the appropriate lru list.
7092 - *
7093 -- * Restrictions: zone->lru_lock must be held, page must be on LRU and must
7094 -- * have PageUnevictable set.
7095 -+ * This function is only used for SysV IPC SHM_UNLOCK.
7096 - */
7097 --static void check_move_unevictable_page(struct page *page, struct zone *zone)
7098 -+void check_move_unevictable_pages(struct page **pages, int nr_pages)
7099 - {
7100 -- VM_BUG_ON(PageActive(page));
7101 --
7102 --retry:
7103 -- ClearPageUnevictable(page);
7104 -- if (page_evictable(page, NULL)) {
7105 -- enum lru_list l = page_lru_base_type(page);
7106 -+ struct zone *zone = NULL;
7107 -+ int pgscanned = 0;
7108 -+ int pgrescued = 0;
7109 -+ int i;
7110 -
7111 -- __dec_zone_state(zone, NR_UNEVICTABLE);
7112 -- list_move(&page->lru, &zone->lru[l].list);
7113 -- mem_cgroup_move_lists(page, LRU_UNEVICTABLE, l);
7114 -- __inc_zone_state(zone, NR_INACTIVE_ANON + l);
7115 -- __count_vm_event(UNEVICTABLE_PGRESCUED);
7116 -- } else {
7117 -- /*
7118 -- * rotate unevictable list
7119 -- */
7120 -- SetPageUnevictable(page);
7121 -- list_move(&page->lru, &zone->lru[LRU_UNEVICTABLE].list);
7122 -- mem_cgroup_rotate_lru_list(page, LRU_UNEVICTABLE);
7123 -- if (page_evictable(page, NULL))
7124 -- goto retry;
7125 -- }
7126 --}
7127 -+ for (i = 0; i < nr_pages; i++) {
7128 -+ struct page *page = pages[i];
7129 -+ struct zone *pagezone;
7130 -
7131 --/**
7132 -- * scan_mapping_unevictable_pages - scan an address space for evictable pages
7133 -- * @mapping: struct address_space to scan for evictable pages
7134 -- *
7135 -- * Scan all pages in mapping. Check unevictable pages for
7136 -- * evictability and move them to the appropriate zone lru list.
7137 -- */
7138 --void scan_mapping_unevictable_pages(struct address_space *mapping)
7139 --{
7140 -- pgoff_t next = 0;
7141 -- pgoff_t end = (i_size_read(mapping->host) + PAGE_CACHE_SIZE - 1) >>
7142 -- PAGE_CACHE_SHIFT;
7143 -- struct zone *zone;
7144 -- struct pagevec pvec;
7145 -+ pgscanned++;
7146 -+ pagezone = page_zone(page);
7147 -+ if (pagezone != zone) {
7148 -+ if (zone)
7149 -+ spin_unlock_irq(&zone->lru_lock);
7150 -+ zone = pagezone;
7151 -+ spin_lock_irq(&zone->lru_lock);
7152 -+ }
7153 -
7154 -- if (mapping->nrpages == 0)
7155 -- return;
7156 -+ if (!PageLRU(page) || !PageUnevictable(page))
7157 -+ continue;
7158 -
7159 -- pagevec_init(&pvec, 0);
7160 -- while (next < end &&
7161 -- pagevec_lookup(&pvec, mapping, next, PAGEVEC_SIZE)) {
7162 -- int i;
7163 -- int pg_scanned = 0;
7164 --
7165 -- zone = NULL;
7166 --
7167 -- for (i = 0; i < pagevec_count(&pvec); i++) {
7168 -- struct page *page = pvec.pages[i];
7169 -- pgoff_t page_index = page->index;
7170 -- struct zone *pagezone = page_zone(page);
7171 --
7172 -- pg_scanned++;
7173 -- if (page_index > next)
7174 -- next = page_index;
7175 -- next++;
7176 --
7177 -- if (pagezone != zone) {
7178 -- if (zone)
7179 -- spin_unlock_irq(&zone->lru_lock);
7180 -- zone = pagezone;
7181 -- spin_lock_irq(&zone->lru_lock);
7182 -- }
7183 -+ if (page_evictable(page, NULL)) {
7184 -+ enum lru_list lru = page_lru_base_type(page);
7185 -
7186 -- if (PageLRU(page) && PageUnevictable(page))
7187 -- check_move_unevictable_page(page, zone);
7188 -+ VM_BUG_ON(PageActive(page));
7189 -+ ClearPageUnevictable(page);
7190 -+ __dec_zone_state(zone, NR_UNEVICTABLE);
7191 -+ list_move(&page->lru, &zone->lru[lru].list);
7192 -+ mem_cgroup_move_lists(page, LRU_UNEVICTABLE, lru);
7193 -+ __inc_zone_state(zone, NR_INACTIVE_ANON + lru);
7194 -+ pgrescued++;
7195 - }
7196 -- if (zone)
7197 -- spin_unlock_irq(&zone->lru_lock);
7198 -- pagevec_release(&pvec);
7199 --
7200 -- count_vm_events(UNEVICTABLE_PGSCANNED, pg_scanned);
7201 - }
7202 -
7203 -+ if (zone) {
7204 -+ __count_vm_events(UNEVICTABLE_PGRESCUED, pgrescued);
7205 -+ __count_vm_events(UNEVICTABLE_PGSCANNED, pgscanned);
7206 -+ spin_unlock_irq(&zone->lru_lock);
7207 -+ }
7208 - }
7209 -+#endif /* CONFIG_SHMEM */
7210 -
7211 - static void warn_scan_unevictable_pages(void)
7212 - {
7213 -diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
7214 -index ea10a51..73495f1 100644
7215 ---- a/net/mac80211/ieee80211_i.h
7216 -+++ b/net/mac80211/ieee80211_i.h
7217 -@@ -702,6 +702,8 @@ struct tpt_led_trigger {
7218 - * well be on the operating channel
7219 - * @SCAN_HW_SCANNING: The hardware is scanning for us, we have no way to
7220 - * determine if we are on the operating channel or not
7221 -+ * @SCAN_OFF_CHANNEL: We're off our operating channel for scanning,
7222 -+ * gets only set in conjunction with SCAN_SW_SCANNING
7223 - * @SCAN_COMPLETED: Set for our scan work function when the driver reported
7224 - * that the scan completed.
7225 - * @SCAN_ABORTED: Set for our scan work function when the driver reported
7226 -@@ -710,6 +712,7 @@ struct tpt_led_trigger {
7227 - enum {
7228 - SCAN_SW_SCANNING,
7229 - SCAN_HW_SCANNING,
7230 -+ SCAN_OFF_CHANNEL,
7231 - SCAN_COMPLETED,
7232 - SCAN_ABORTED,
7233 - };
7234 -@@ -1140,14 +1143,10 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
7235 - void ieee80211_sched_scan_stopped_work(struct work_struct *work);
7236 -
7237 - /* off-channel helpers */
7238 --bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local);
7239 --void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
7240 -- bool tell_ap);
7241 --void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
7242 -- bool offchannel_ps_enable);
7243 -+void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local);
7244 -+void ieee80211_offchannel_stop_station(struct ieee80211_local *local);
7245 - void ieee80211_offchannel_return(struct ieee80211_local *local,
7246 -- bool enable_beaconing,
7247 -- bool offchannel_ps_disable);
7248 -+ bool enable_beaconing);
7249 - void ieee80211_hw_roc_setup(struct ieee80211_local *local);
7250 -
7251 - /* interface handling */
7252 -diff --git a/net/mac80211/main.c b/net/mac80211/main.c
7253 -index cae4435..a7536fd 100644
7254 ---- a/net/mac80211/main.c
7255 -+++ b/net/mac80211/main.c
7256 -@@ -92,47 +92,6 @@ static void ieee80211_reconfig_filter(struct work_struct *work)
7257 - ieee80211_configure_filter(local);
7258 - }
7259 -
7260 --/*
7261 -- * Returns true if we are logically configured to be on
7262 -- * the operating channel AND the hardware-conf is currently
7263 -- * configured on the operating channel. Compares channel-type
7264 -- * as well.
7265 -- */
7266 --bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local)
7267 --{
7268 -- struct ieee80211_channel *chan, *scan_chan;
7269 -- enum nl80211_channel_type channel_type;
7270 --
7271 -- /* This logic needs to match logic in ieee80211_hw_config */
7272 -- if (local->scan_channel) {
7273 -- chan = local->scan_channel;
7274 -- /* If scanning on oper channel, use whatever channel-type
7275 -- * is currently in use.
7276 -- */
7277 -- if (chan == local->oper_channel)
7278 -- channel_type = local->_oper_channel_type;
7279 -- else
7280 -- channel_type = NL80211_CHAN_NO_HT;
7281 -- } else if (local->tmp_channel) {
7282 -- chan = scan_chan = local->tmp_channel;
7283 -- channel_type = local->tmp_channel_type;
7284 -- } else {
7285 -- chan = local->oper_channel;
7286 -- channel_type = local->_oper_channel_type;
7287 -- }
7288 --
7289 -- if (chan != local->oper_channel ||
7290 -- channel_type != local->_oper_channel_type)
7291 -- return false;
7292 --
7293 -- /* Check current hardware-config against oper_channel. */
7294 -- if ((local->oper_channel != local->hw.conf.channel) ||
7295 -- (local->_oper_channel_type != local->hw.conf.channel_type))
7296 -- return false;
7297 --
7298 -- return true;
7299 --}
7300 --
7301 - int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
7302 - {
7303 - struct ieee80211_channel *chan, *scan_chan;
7304 -@@ -145,9 +104,6 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
7305 -
7306 - scan_chan = local->scan_channel;
7307 -
7308 -- /* If this off-channel logic ever changes, ieee80211_on_oper_channel
7309 -- * may need to change as well.
7310 -- */
7311 - offchannel_flag = local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
7312 - if (scan_chan) {
7313 - chan = scan_chan;
7314 -@@ -158,19 +114,17 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
7315 - channel_type = local->_oper_channel_type;
7316 - else
7317 - channel_type = NL80211_CHAN_NO_HT;
7318 -- } else if (local->tmp_channel) {
7319 -+ local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
7320 -+ } else if (local->tmp_channel &&
7321 -+ local->oper_channel != local->tmp_channel) {
7322 - chan = scan_chan = local->tmp_channel;
7323 - channel_type = local->tmp_channel_type;
7324 -+ local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
7325 - } else {
7326 - chan = local->oper_channel;
7327 - channel_type = local->_oper_channel_type;
7328 -- }
7329 --
7330 -- if (chan != local->oper_channel ||
7331 -- channel_type != local->_oper_channel_type)
7332 -- local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
7333 -- else
7334 - local->hw.conf.flags &= ~IEEE80211_CONF_OFFCHANNEL;
7335 -+ }
7336 -
7337 - offchannel_flag ^= local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
7338 -
7339 -@@ -279,7 +233,7 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata,
7340 -
7341 - if (changed & BSS_CHANGED_BEACON_ENABLED) {
7342 - if (local->quiescing || !ieee80211_sdata_running(sdata) ||
7343 -- test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)) {
7344 -+ test_bit(SCAN_SW_SCANNING, &local->scanning)) {
7345 - sdata->vif.bss_conf.enable_beacon = false;
7346 - } else {
7347 - /*
7348 -diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
7349 -index 3d41441..1b239be 100644
7350 ---- a/net/mac80211/offchannel.c
7351 -+++ b/net/mac80211/offchannel.c
7352 -@@ -18,14 +18,10 @@
7353 - #include "driver-trace.h"
7354 -
7355 - /*
7356 -- * Tell our hardware to disable PS.
7357 -- * Optionally inform AP that we will go to sleep so that it will buffer
7358 -- * the frames while we are doing off-channel work. This is optional
7359 -- * because we *may* be doing work on-operating channel, and want our
7360 -- * hardware unconditionally awake, but still let the AP send us normal frames.
7361 -+ * inform AP that we will go to sleep so that it will buffer the frames
7362 -+ * while we scan
7363 - */
7364 --static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata,
7365 -- bool tell_ap)
7366 -+static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata)
7367 - {
7368 - struct ieee80211_local *local = sdata->local;
7369 - struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
7370 -@@ -46,8 +42,8 @@ static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata,
7371 - ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
7372 - }
7373 -
7374 -- if (tell_ap && (!local->offchannel_ps_enabled ||
7375 -- !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)))
7376 -+ if (!(local->offchannel_ps_enabled) ||
7377 -+ !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK))
7378 - /*
7379 - * If power save was enabled, no need to send a nullfunc
7380 - * frame because AP knows that we are sleeping. But if the
7381 -@@ -82,9 +78,6 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
7382 - * we are sleeping, let's just enable power save mode in
7383 - * hardware.
7384 - */
7385 -- /* TODO: Only set hardware if CONF_PS changed?
7386 -- * TODO: Should we set offchannel_ps_enabled to false?
7387 -- */
7388 - local->hw.conf.flags |= IEEE80211_CONF_PS;
7389 - ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
7390 - } else if (local->hw.conf.dynamic_ps_timeout > 0) {
7391 -@@ -103,61 +96,63 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
7392 - ieee80211_sta_reset_conn_monitor(sdata);
7393 - }
7394 -
7395 --void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
7396 -- bool offchannel_ps_enable)
7397 -+void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local)
7398 - {
7399 - struct ieee80211_sub_if_data *sdata;
7400 -
7401 -- /*
7402 -- * notify the AP about us leaving the channel and stop all
7403 -- * STA interfaces.
7404 -- */
7405 - mutex_lock(&local->iflist_mtx);
7406 - list_for_each_entry(sdata, &local->interfaces, list) {
7407 - if (!ieee80211_sdata_running(sdata))
7408 - continue;
7409 -
7410 -- if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
7411 -- set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
7412 --
7413 -- /* Check to see if we should disable beaconing. */
7414 -+ /* disable beaconing */
7415 - if (sdata->vif.type == NL80211_IFTYPE_AP ||
7416 - sdata->vif.type == NL80211_IFTYPE_ADHOC ||
7417 - sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
7418 - ieee80211_bss_info_change_notify(
7419 - sdata, BSS_CHANGED_BEACON_ENABLED);
7420 -
7421 -- if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
7422 -+ /*
7423 -+ * only handle non-STA interfaces here, STA interfaces
7424 -+ * are handled in ieee80211_offchannel_stop_station(),
7425 -+ * e.g., from the background scan state machine.
7426 -+ *
7427 -+ * In addition, do not stop monitor interface to allow it to be
7428 -+ * used from user space controlled off-channel operations.
7429 -+ */
7430 -+ if (sdata->vif.type != NL80211_IFTYPE_STATION &&
7431 -+ sdata->vif.type != NL80211_IFTYPE_MONITOR) {
7432 -+ set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
7433 - netif_tx_stop_all_queues(sdata->dev);
7434 -- if (offchannel_ps_enable &&
7435 -- (sdata->vif.type == NL80211_IFTYPE_STATION) &&
7436 -- sdata->u.mgd.associated)
7437 -- ieee80211_offchannel_ps_enable(sdata, true);
7438 - }
7439 - }
7440 - mutex_unlock(&local->iflist_mtx);
7441 - }
7442 -
7443 --void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
7444 -- bool tell_ap)
7445 -+void ieee80211_offchannel_stop_station(struct ieee80211_local *local)
7446 - {
7447 - struct ieee80211_sub_if_data *sdata;
7448 -
7449 -+ /*
7450 -+ * notify the AP about us leaving the channel and stop all STA interfaces
7451 -+ */
7452 - mutex_lock(&local->iflist_mtx);
7453 - list_for_each_entry(sdata, &local->interfaces, list) {
7454 - if (!ieee80211_sdata_running(sdata))
7455 - continue;
7456 -
7457 -- if (sdata->vif.type == NL80211_IFTYPE_STATION &&
7458 -- sdata->u.mgd.associated)
7459 -- ieee80211_offchannel_ps_enable(sdata, tell_ap);
7460 -+ if (sdata->vif.type == NL80211_IFTYPE_STATION) {
7461 -+ set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
7462 -+ netif_tx_stop_all_queues(sdata->dev);
7463 -+ if (sdata->u.mgd.associated)
7464 -+ ieee80211_offchannel_ps_enable(sdata);
7465 -+ }
7466 - }
7467 - mutex_unlock(&local->iflist_mtx);
7468 - }
7469 -
7470 - void ieee80211_offchannel_return(struct ieee80211_local *local,
7471 -- bool enable_beaconing,
7472 -- bool offchannel_ps_disable)
7473 -+ bool enable_beaconing)
7474 - {
7475 - struct ieee80211_sub_if_data *sdata;
7476 -
7477 -@@ -167,8 +162,7 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
7478 - continue;
7479 -
7480 - /* Tell AP we're back */
7481 -- if (offchannel_ps_disable &&
7482 -- sdata->vif.type == NL80211_IFTYPE_STATION) {
7483 -+ if (sdata->vif.type == NL80211_IFTYPE_STATION) {
7484 - if (sdata->u.mgd.associated)
7485 - ieee80211_offchannel_ps_disable(sdata);
7486 - }
7487 -@@ -188,7 +182,7 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
7488 - netif_tx_wake_all_queues(sdata->dev);
7489 - }
7490 -
7491 -- /* Check to see if we should re-enable beaconing */
7492 -+ /* re-enable beaconing */
7493 - if (enable_beaconing &&
7494 - (sdata->vif.type == NL80211_IFTYPE_AP ||
7495 - sdata->vif.type == NL80211_IFTYPE_ADHOC ||
7496 -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
7497 -index fb123e2..5c51607 100644
7498 ---- a/net/mac80211/rx.c
7499 -+++ b/net/mac80211/rx.c
7500 -@@ -421,10 +421,16 @@ ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
7501 - return RX_CONTINUE;
7502 -
7503 - if (test_bit(SCAN_HW_SCANNING, &local->scanning) ||
7504 -- test_bit(SCAN_SW_SCANNING, &local->scanning) ||
7505 - local->sched_scanning)
7506 - return ieee80211_scan_rx(rx->sdata, skb);
7507 -
7508 -+ if (test_bit(SCAN_SW_SCANNING, &local->scanning)) {
7509 -+ /* drop all the other packets during a software scan anyway */
7510 -+ if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED)
7511 -+ dev_kfree_skb(skb);
7512 -+ return RX_QUEUED;
7513 -+ }
7514 -+
7515 - /* scanning finished during invoking of handlers */
7516 - I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
7517 - return RX_DROP_UNUSABLE;
7518 -@@ -2858,7 +2864,7 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
7519 - local->dot11ReceivedFragmentCount++;
7520 -
7521 - if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
7522 -- test_bit(SCAN_SW_SCANNING, &local->scanning)))
7523 -+ test_bit(SCAN_OFF_CHANNEL, &local->scanning)))
7524 - status->rx_flags |= IEEE80211_RX_IN_SCAN;
7525 -
7526 - if (ieee80211_is_mgmt(fc))
7527 -diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
7528 -index 105436d..5279300 100644
7529 ---- a/net/mac80211/scan.c
7530 -+++ b/net/mac80211/scan.c
7531 -@@ -213,14 +213,6 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
7532 - if (bss)
7533 - ieee80211_rx_bss_put(sdata->local, bss);
7534 -
7535 -- /* If we are on-operating-channel, and this packet is for the
7536 -- * current channel, pass the pkt on up the stack so that
7537 -- * the rest of the stack can make use of it.
7538 -- */
7539 -- if (ieee80211_cfg_on_oper_channel(sdata->local)
7540 -- && (channel == sdata->local->oper_channel))
7541 -- return RX_CONTINUE;
7542 --
7543 - dev_kfree_skb(skb);
7544 - return RX_QUEUED;
7545 - }
7546 -@@ -264,8 +256,6 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
7547 - bool was_hw_scan)
7548 - {
7549 - struct ieee80211_local *local = hw_to_local(hw);
7550 -- bool on_oper_chan;
7551 -- bool enable_beacons = false;
7552 -
7553 - lockdep_assert_held(&local->mtx);
7554 -
7555 -@@ -298,25 +288,11 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
7556 - local->scanning = 0;
7557 - local->scan_channel = NULL;
7558 -
7559 -- on_oper_chan = ieee80211_cfg_on_oper_channel(local);
7560 --
7561 -- if (was_hw_scan || !on_oper_chan)
7562 -- ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
7563 -- else
7564 -- /* Set power back to normal operating levels. */
7565 -- ieee80211_hw_config(local, 0);
7566 --
7567 -+ ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
7568 - if (!was_hw_scan) {
7569 -- bool on_oper_chan2;
7570 - ieee80211_configure_filter(local);
7571 - drv_sw_scan_complete(local);
7572 -- on_oper_chan2 = ieee80211_cfg_on_oper_channel(local);
7573 -- /* We should always be on-channel at this point. */
7574 -- WARN_ON(!on_oper_chan2);
7575 -- if (on_oper_chan2 && (on_oper_chan != on_oper_chan2))
7576 -- enable_beacons = true;
7577 --
7578 -- ieee80211_offchannel_return(local, enable_beacons, true);
7579 -+ ieee80211_offchannel_return(local, true);
7580 - }
7581 -
7582 - ieee80211_recalc_idle(local);
7583 -@@ -357,15 +333,13 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
7584 - */
7585 - drv_sw_scan_start(local);
7586 -
7587 -+ ieee80211_offchannel_stop_beaconing(local);
7588 -+
7589 - local->leave_oper_channel_time = 0;
7590 - local->next_scan_state = SCAN_DECISION;
7591 - local->scan_channel_idx = 0;
7592 -
7593 -- /* We always want to use off-channel PS, even if we
7594 -- * are not really leaving oper-channel. Don't
7595 -- * tell the AP though, as long as we are on-channel.
7596 -- */
7597 -- ieee80211_offchannel_enable_all_ps(local, false);
7598 -+ drv_flush(local, false);
7599 -
7600 - ieee80211_configure_filter(local);
7601 -
7602 -@@ -508,20 +482,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
7603 - }
7604 - mutex_unlock(&local->iflist_mtx);
7605 -
7606 -- next_chan = local->scan_req->channels[local->scan_channel_idx];
7607 --
7608 -- if (ieee80211_cfg_on_oper_channel(local)) {
7609 -- /* We're currently on operating channel. */
7610 -- if (next_chan == local->oper_channel)
7611 -- /* We don't need to move off of operating channel. */
7612 -- local->next_scan_state = SCAN_SET_CHANNEL;
7613 -- else
7614 -- /*
7615 -- * We do need to leave operating channel, as next
7616 -- * scan is somewhere else.
7617 -- */
7618 -- local->next_scan_state = SCAN_LEAVE_OPER_CHANNEL;
7619 -- } else {
7620 -+ if (local->scan_channel) {
7621 - /*
7622 - * we're currently scanning a different channel, let's
7623 - * see if we can scan another channel without interfering
7624 -@@ -537,6 +498,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
7625 - *
7626 - * Otherwise switch back to the operating channel.
7627 - */
7628 -+ next_chan = local->scan_req->channels[local->scan_channel_idx];
7629 -
7630 - bad_latency = time_after(jiffies +
7631 - ieee80211_scan_get_channel_time(next_chan),
7632 -@@ -554,6 +516,12 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
7633 - local->next_scan_state = SCAN_ENTER_OPER_CHANNEL;
7634 - else
7635 - local->next_scan_state = SCAN_SET_CHANNEL;
7636 -+ } else {
7637 -+ /*
7638 -+ * we're on the operating channel currently, let's
7639 -+ * leave that channel now to scan another one
7640 -+ */
7641 -+ local->next_scan_state = SCAN_LEAVE_OPER_CHANNEL;
7642 - }
7643 -
7644 - *next_delay = 0;
7645 -@@ -562,10 +530,9 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
7646 - static void ieee80211_scan_state_leave_oper_channel(struct ieee80211_local *local,
7647 - unsigned long *next_delay)
7648 - {
7649 -- /* PS will already be in off-channel mode,
7650 -- * we do that once at the beginning of scanning.
7651 -- */
7652 -- ieee80211_offchannel_stop_vifs(local, false);
7653 -+ ieee80211_offchannel_stop_station(local);
7654 -+
7655 -+ __set_bit(SCAN_OFF_CHANNEL, &local->scanning);
7656 -
7657 - /*
7658 - * What if the nullfunc frames didn't arrive?
7659 -@@ -588,15 +555,15 @@ static void ieee80211_scan_state_enter_oper_channel(struct ieee80211_local *loca
7660 - {
7661 - /* switch back to the operating channel */
7662 - local->scan_channel = NULL;
7663 -- if (!ieee80211_cfg_on_oper_channel(local))
7664 -- ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
7665 -+ ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
7666 -
7667 - /*
7668 -- * Re-enable vifs and beaconing. Leave PS
7669 -- * in off-channel state..will put that back
7670 -- * on-channel at the end of scanning.
7671 -+ * Only re-enable station mode interface now; beaconing will be
7672 -+ * re-enabled once the full scan has been completed.
7673 - */
7674 -- ieee80211_offchannel_return(local, true, false);
7675 -+ ieee80211_offchannel_return(local, false);
7676 -+
7677 -+ __clear_bit(SCAN_OFF_CHANNEL, &local->scanning);
7678 -
7679 - *next_delay = HZ / 5;
7680 - local->next_scan_state = SCAN_DECISION;
7681 -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
7682 -index 1f8b120..eff1f4e 100644
7683 ---- a/net/mac80211/tx.c
7684 -+++ b/net/mac80211/tx.c
7685 -@@ -259,8 +259,7 @@ ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
7686 - if (unlikely(info->flags & IEEE80211_TX_CTL_INJECTED))
7687 - return TX_CONTINUE;
7688 -
7689 -- if (unlikely(test_bit(SCAN_SW_SCANNING, &tx->local->scanning)) &&
7690 -- test_bit(SDATA_STATE_OFFCHANNEL, &tx->sdata->state) &&
7691 -+ if (unlikely(test_bit(SCAN_OFF_CHANNEL, &tx->local->scanning)) &&
7692 - !ieee80211_is_probe_req(hdr->frame_control) &&
7693 - !ieee80211_is_nullfunc(hdr->frame_control))
7694 - /*
7695 -diff --git a/net/mac80211/work.c b/net/mac80211/work.c
7696 -index 6c53b6d..99165ef 100644
7697 ---- a/net/mac80211/work.c
7698 -+++ b/net/mac80211/work.c
7699 -@@ -899,26 +899,6 @@ static bool ieee80211_work_ct_coexists(enum nl80211_channel_type wk_ct,
7700 - return false;
7701 - }
7702 -
7703 --static enum nl80211_channel_type
7704 --ieee80211_calc_ct(enum nl80211_channel_type wk_ct,
7705 -- enum nl80211_channel_type oper_ct)
7706 --{
7707 -- switch (wk_ct) {
7708 -- case NL80211_CHAN_NO_HT:
7709 -- return oper_ct;
7710 -- case NL80211_CHAN_HT20:
7711 -- if (oper_ct != NL80211_CHAN_NO_HT)
7712 -- return oper_ct;
7713 -- return wk_ct;
7714 -- case NL80211_CHAN_HT40MINUS:
7715 -- case NL80211_CHAN_HT40PLUS:
7716 -- return wk_ct;
7717 -- }
7718 -- WARN_ON(1); /* shouldn't get here */
7719 -- return wk_ct;
7720 --}
7721 --
7722 --
7723 - static void ieee80211_work_timer(unsigned long data)
7724 - {
7725 - struct ieee80211_local *local = (void *) data;
7726 -@@ -969,52 +949,18 @@ static void ieee80211_work_work(struct work_struct *work)
7727 - }
7728 -
7729 - if (!started && !local->tmp_channel) {
7730 -- bool on_oper_chan;
7731 -- bool tmp_chan_changed = false;
7732 -- bool on_oper_chan2;
7733 -- enum nl80211_channel_type wk_ct;
7734 -- on_oper_chan = ieee80211_cfg_on_oper_channel(local);
7735 --
7736 -- /* Work with existing channel type if possible. */
7737 -- wk_ct = wk->chan_type;
7738 -- if (wk->chan == local->hw.conf.channel)
7739 -- wk_ct = ieee80211_calc_ct(wk->chan_type,
7740 -- local->hw.conf.channel_type);
7741 --
7742 -- if (local->tmp_channel)
7743 -- if ((local->tmp_channel != wk->chan) ||
7744 -- (local->tmp_channel_type != wk_ct))
7745 -- tmp_chan_changed = true;
7746 --
7747 -- local->tmp_channel = wk->chan;
7748 -- local->tmp_channel_type = wk_ct;
7749 - /*
7750 -- * Leave the station vifs in awake mode if they
7751 -- * happen to be on the same channel as
7752 -- * the requested channel.
7753 -+ * TODO: could optimize this by leaving the
7754 -+ * station vifs in awake mode if they
7755 -+ * happen to be on the same channel as
7756 -+ * the requested channel
7757 - */
7758 -- on_oper_chan2 = ieee80211_cfg_on_oper_channel(local);
7759 -- if (on_oper_chan != on_oper_chan2) {
7760 -- if (on_oper_chan2) {
7761 -- /* going off oper channel, PS too */
7762 -- ieee80211_offchannel_stop_vifs(local,
7763 -- true);
7764 -- ieee80211_hw_config(local, 0);
7765 -- } else {
7766 -- /* going on channel, but leave PS
7767 -- * off-channel. */
7768 -- ieee80211_hw_config(local, 0);
7769 -- ieee80211_offchannel_return(local,
7770 -- true,
7771 -- false);
7772 -- }
7773 -- } else if (tmp_chan_changed)
7774 -- /* Still off-channel, but on some other
7775 -- * channel, so update hardware.
7776 -- * PS should already be off-channel.
7777 -- */
7778 -- ieee80211_hw_config(local, 0);
7779 -+ ieee80211_offchannel_stop_beaconing(local);
7780 -+ ieee80211_offchannel_stop_station(local);
7781 -
7782 -+ local->tmp_channel = wk->chan;
7783 -+ local->tmp_channel_type = wk->chan_type;
7784 -+ ieee80211_hw_config(local, 0);
7785 - started = true;
7786 - wk->timeout = jiffies;
7787 - }
7788 -@@ -1100,8 +1046,7 @@ static void ieee80211_work_work(struct work_struct *work)
7789 - * we still need to do a hardware config. Currently,
7790 - * we cannot be here while scanning, however.
7791 - */
7792 -- if (!ieee80211_cfg_on_oper_channel(local))
7793 -- ieee80211_hw_config(local, 0);
7794 -+ ieee80211_hw_config(local, 0);
7795 -
7796 - /* At the least, we need to disable offchannel_ps,
7797 - * so just go ahead and run the entire offchannel
7798 -@@ -1109,7 +1054,7 @@ static void ieee80211_work_work(struct work_struct *work)
7799 - * beaconing if we were already on-oper-channel
7800 - * as a future optimization.
7801 - */
7802 -- ieee80211_offchannel_return(local, true, true);
7803 -+ ieee80211_offchannel_return(local, true);
7804 -
7805 - /* give connection some time to breathe */
7806 - run_again(local, jiffies + HZ/2);
7807 -diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
7808 -index f614ce7..28a39bb 100644
7809 ---- a/net/mac80211/wpa.c
7810 -+++ b/net/mac80211/wpa.c
7811 -@@ -106,7 +106,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
7812 - if (status->flag & RX_FLAG_MMIC_ERROR)
7813 - goto mic_fail;
7814 -
7815 -- if (!(status->flag & RX_FLAG_IV_STRIPPED))
7816 -+ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
7817 - goto update_iv;
7818 -
7819 - return RX_CONTINUE;
7820 -diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
7821 -index 6e03888..d4ad50e 100644
7822 ---- a/net/sunrpc/svc.c
7823 -+++ b/net/sunrpc/svc.c
7824 -@@ -167,6 +167,7 @@ svc_pool_map_alloc_arrays(struct svc_pool_map *m, unsigned int maxpools)
7825 -
7826 - fail_free:
7827 - kfree(m->to_pool);
7828 -+ m->to_pool = NULL;
7829 - fail:
7830 - return -ENOMEM;
7831 - }
7832 -@@ -287,7 +288,9 @@ svc_pool_map_put(void)
7833 - if (!--m->count) {
7834 - m->mode = SVC_POOL_DEFAULT;
7835 - kfree(m->to_pool);
7836 -+ m->to_pool = NULL;
7837 - kfree(m->pool_to);
7838 -+ m->pool_to = NULL;
7839 - m->npools = 0;
7840 - }
7841 -
7842 -@@ -527,17 +530,20 @@ svc_destroy(struct svc_serv *serv)
7843 - printk("svc_destroy: no threads for serv=%p!\n", serv);
7844 -
7845 - del_timer_sync(&serv->sv_temptimer);
7846 --
7847 -- svc_close_all(&serv->sv_tempsocks);
7848 -+ /*
7849 -+ * The set of xprts (contained in the sv_tempsocks and
7850 -+ * sv_permsocks lists) is now constant, since it is modified
7851 -+ * only by accepting new sockets (done by service threads in
7852 -+ * svc_recv) or aging old ones (done by sv_temptimer), or
7853 -+ * configuration changes (excluded by whatever locking the
7854 -+ * caller is using--nfsd_mutex in the case of nfsd). So it's
7855 -+ * safe to traverse those lists and shut everything down:
7856 -+ */
7857 -+ svc_close_all(serv);
7858 -
7859 - if (serv->sv_shutdown)
7860 - serv->sv_shutdown(serv);
7861 -
7862 -- svc_close_all(&serv->sv_permsocks);
7863 --
7864 -- BUG_ON(!list_empty(&serv->sv_permsocks));
7865 -- BUG_ON(!list_empty(&serv->sv_tempsocks));
7866 --
7867 - cache_clean_deferred(serv);
7868 -
7869 - if (svc_serv_is_pooled(serv))
7870 -diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
7871 -index 447cd0e..9ed2cd0 100644
7872 ---- a/net/sunrpc/svc_xprt.c
7873 -+++ b/net/sunrpc/svc_xprt.c
7874 -@@ -893,14 +893,7 @@ void svc_delete_xprt(struct svc_xprt *xprt)
7875 - spin_lock_bh(&serv->sv_lock);
7876 - if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
7877 - list_del_init(&xprt->xpt_list);
7878 -- /*
7879 -- * The only time we're called while xpt_ready is still on a list
7880 -- * is while the list itself is about to be destroyed (in
7881 -- * svc_destroy). BUT svc_xprt_enqueue could still be attempting
7882 -- * to add new entries to the sp_sockets list, so we can't leave
7883 -- * a freed xprt on it.
7884 -- */
7885 -- list_del_init(&xprt->xpt_ready);
7886 -+ BUG_ON(!list_empty(&xprt->xpt_ready));
7887 - if (test_bit(XPT_TEMP, &xprt->xpt_flags))
7888 - serv->sv_tmpcnt--;
7889 - spin_unlock_bh(&serv->sv_lock);
7890 -@@ -928,22 +921,48 @@ void svc_close_xprt(struct svc_xprt *xprt)
7891 - }
7892 - EXPORT_SYMBOL_GPL(svc_close_xprt);
7893 -
7894 --void svc_close_all(struct list_head *xprt_list)
7895 -+static void svc_close_list(struct list_head *xprt_list)
7896 -+{
7897 -+ struct svc_xprt *xprt;
7898 -+
7899 -+ list_for_each_entry(xprt, xprt_list, xpt_list) {
7900 -+ set_bit(XPT_CLOSE, &xprt->xpt_flags);
7901 -+ set_bit(XPT_BUSY, &xprt->xpt_flags);
7902 -+ }
7903 -+}
7904 -+
7905 -+void svc_close_all(struct svc_serv *serv)
7906 - {
7907 -+ struct svc_pool *pool;
7908 - struct svc_xprt *xprt;
7909 - struct svc_xprt *tmp;
7910 -+ int i;
7911 -+
7912 -+ svc_close_list(&serv->sv_tempsocks);
7913 -+ svc_close_list(&serv->sv_permsocks);
7914 -
7915 -+ for (i = 0; i < serv->sv_nrpools; i++) {
7916 -+ pool = &serv->sv_pools[i];
7917 -+
7918 -+ spin_lock_bh(&pool->sp_lock);
7919 -+ while (!list_empty(&pool->sp_sockets)) {
7920 -+ xprt = list_first_entry(&pool->sp_sockets, struct svc_xprt, xpt_ready);
7921 -+ list_del_init(&xprt->xpt_ready);
7922 -+ }
7923 -+ spin_unlock_bh(&pool->sp_lock);
7924 -+ }
7925 - /*
7926 -- * The server is shutting down, and no more threads are running.
7927 -- * svc_xprt_enqueue() might still be running, but at worst it
7928 -- * will re-add the xprt to sp_sockets, which will soon get
7929 -- * freed. So we don't bother with any more locking, and don't
7930 -- * leave the close to the (nonexistent) server threads:
7931 -+ * At this point the sp_sockets lists will stay empty, since
7932 -+ * svc_enqueue will not add new entries without taking the
7933 -+ * sp_lock and checking XPT_BUSY.
7934 - */
7935 -- list_for_each_entry_safe(xprt, tmp, xprt_list, xpt_list) {
7936 -- set_bit(XPT_CLOSE, &xprt->xpt_flags);
7937 -+ list_for_each_entry_safe(xprt, tmp, &serv->sv_tempsocks, xpt_list)
7938 - svc_delete_xprt(xprt);
7939 -- }
7940 -+ list_for_each_entry_safe(xprt, tmp, &serv->sv_permsocks, xpt_list)
7941 -+ svc_delete_xprt(xprt);
7942 -+
7943 -+ BUG_ON(!list_empty(&serv->sv_permsocks));
7944 -+ BUG_ON(!list_empty(&serv->sv_tempsocks));
7945 - }
7946 -
7947 - /*
7948 -diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
7949 -index 277ebd4..593f4c6 100644
7950 ---- a/net/sunrpc/xdr.c
7951 -+++ b/net/sunrpc/xdr.c
7952 -@@ -296,7 +296,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
7953 - * Copies data into an arbitrary memory location from an array of pages
7954 - * The copy is assumed to be non-overlapping.
7955 - */
7956 --static void
7957 -+void
7958 - _copy_from_pages(char *p, struct page **pages, size_t pgbase, size_t len)
7959 - {
7960 - struct page **pgfrom;
7961 -@@ -324,6 +324,7 @@ _copy_from_pages(char *p, struct page **pages, size_t pgbase, size_t len)
7962 -
7963 - } while ((len -= copy) != 0);
7964 - }
7965 -+EXPORT_SYMBOL_GPL(_copy_from_pages);
7966 -
7967 - /*
7968 - * xdr_shrink_bufhead
7969 -diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
7970 -index ec7afce..bccf07d 100644
7971 ---- a/scripts/kconfig/streamline_config.pl
7972 -+++ b/scripts/kconfig/streamline_config.pl
7973 -@@ -250,33 +250,61 @@ if ($kconfig) {
7974 - read_kconfig($kconfig);
7975 - }
7976 -
7977 -+sub convert_vars {
7978 -+ my ($line, %vars) = @_;
7979 -+
7980 -+ my $process = "";
7981 -+
7982 -+ while ($line =~ s/^(.*?)(\$\((.*?)\))//) {
7983 -+ my $start = $1;
7984 -+ my $variable = $2;
7985 -+ my $var = $3;
7986 -+
7987 -+ if (defined($vars{$var})) {
7988 -+ $process .= $start . $vars{$var};
7989 -+ } else {
7990 -+ $process .= $start . $variable;
7991 -+ }
7992 -+ }
7993 -+
7994 -+ $process .= $line;
7995 -+
7996 -+ return $process;
7997 -+}
7998 -+
7999 - # Read all Makefiles to map the configs to the objects
8000 - foreach my $makefile (@makefiles) {
8001 -
8002 -- my $cont = 0;
8003 -+ my $line = "";
8004 -+ my %make_vars;
8005 -
8006 - open(MIN,$makefile) || die "Can't open $makefile";
8007 - while (<MIN>) {
8008 -+ # if this line ends with a backslash, continue
8009 -+ chomp;
8010 -+ if (/^(.*)\\$/) {
8011 -+ $line .= $1;
8012 -+ next;
8013 -+ }
8014 -+
8015 -+ $line .= $_;
8016 -+ $_ = $line;
8017 -+ $line = "";
8018 -+
8019 - my $objs;
8020 -
8021 -- # is this a line after a line with a backslash?
8022 -- if ($cont && /(\S.*)$/) {
8023 -- $objs = $1;
8024 -- }
8025 -- $cont = 0;
8026 -+ $_ = convert_vars($_, %make_vars);
8027 -
8028 - # collect objects after obj-$(CONFIG_FOO_BAR)
8029 - if (/obj-\$\((CONFIG_[^\)]*)\)\s*[+:]?=\s*(.*)/) {
8030 - $var = $1;
8031 - $objs = $2;
8032 -+
8033 -+ # check if variables are set
8034 -+ } elsif (/^\s*(\S+)\s*[:]?=\s*(.*\S)/) {
8035 -+ $make_vars{$1} = $2;
8036 - }
8037 - if (defined($objs)) {
8038 -- # test if the line ends with a backslash
8039 -- if ($objs =~ m,(.*)\\$,) {
8040 -- $objs = $1;
8041 -- $cont = 1;
8042 -- }
8043 --
8044 - foreach my $obj (split /\s+/,$objs) {
8045 - $obj =~ s/-/_/g;
8046 - if ($obj =~ /(.*)\.o$/) {
8047 -diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
8048 -index f40a6af6..54e35c1 100644
8049 ---- a/scripts/recordmcount.h
8050 -+++ b/scripts/recordmcount.h
8051 -@@ -462,7 +462,7 @@ __has_rel_mcount(Elf_Shdr const *const relhdr, /* is SHT_REL or SHT_RELA */
8052 - succeed_file();
8053 - }
8054 - if (w(txthdr->sh_type) != SHT_PROGBITS ||
8055 -- !(w(txthdr->sh_flags) & SHF_EXECINSTR))
8056 -+ !(_w(txthdr->sh_flags) & SHF_EXECINSTR))
8057 - return NULL;
8058 - return txtname;
8059 - }
8060 -diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
8061 -index 0d50df0..88a2788 100644
8062 ---- a/security/integrity/ima/ima_api.c
8063 -+++ b/security/integrity/ima/ima_api.c
8064 -@@ -178,8 +178,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
8065 - strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
8066 -
8067 - result = ima_store_template(entry, violation, inode);
8068 -- if (!result)
8069 -+ if (!result || result == -EEXIST)
8070 - iint->flags |= IMA_MEASURED;
8071 -- else
8072 -+ if (result < 0)
8073 - kfree(entry);
8074 - }
8075 -diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
8076 -index 8e28f04..55a6271 100644
8077 ---- a/security/integrity/ima/ima_queue.c
8078 -+++ b/security/integrity/ima/ima_queue.c
8079 -@@ -23,6 +23,8 @@
8080 - #include <linux/slab.h>
8081 - #include "ima.h"
8082 -
8083 -+#define AUDIT_CAUSE_LEN_MAX 32
8084 -+
8085 - LIST_HEAD(ima_measurements); /* list of all measurements */
8086 -
8087 - /* key: inode (before secure-hashing a file) */
8088 -@@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash)
8089 -
8090 - result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
8091 - if (result != 0)
8092 -- pr_err("IMA: Error Communicating to TPM chip\n");
8093 -+ pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
8094 -+ result);
8095 - return result;
8096 - }
8097 -
8098 -@@ -106,14 +109,16 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
8099 - {
8100 - u8 digest[IMA_DIGEST_SIZE];
8101 - const char *audit_cause = "hash_added";
8102 -+ char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
8103 - int audit_info = 1;
8104 -- int result = 0;
8105 -+ int result = 0, tpmresult = 0;
8106 -
8107 - mutex_lock(&ima_extend_list_mutex);
8108 - if (!violation) {
8109 - memcpy(digest, entry->digest, sizeof digest);
8110 - if (ima_lookup_digest_entry(digest)) {
8111 - audit_cause = "hash_exists";
8112 -+ result = -EEXIST;
8113 - goto out;
8114 - }
8115 - }
8116 -@@ -128,9 +133,11 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
8117 - if (violation) /* invalidate pcr */
8118 - memset(digest, 0xff, sizeof digest);
8119 -
8120 -- result = ima_pcr_extend(digest);
8121 -- if (result != 0) {
8122 -- audit_cause = "TPM error";
8123 -+ tpmresult = ima_pcr_extend(digest);
8124 -+ if (tpmresult != 0) {
8125 -+ snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
8126 -+ tpmresult);
8127 -+ audit_cause = tpm_audit_cause;
8128 - audit_info = 0;
8129 - }
8130 - out:
8131 -diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
8132 -index 4a9b4b2..867558c 100644
8133 ---- a/security/tomoyo/util.c
8134 -+++ b/security/tomoyo/util.c
8135 -@@ -492,13 +492,13 @@ static bool tomoyo_correct_word2(const char *string, size_t len)
8136 - if (d < '0' || d > '7' || e < '0' || e > '7')
8137 - break;
8138 - c = tomoyo_make_byte(c, d, e);
8139 -- if (tomoyo_invalid(c))
8140 -- continue; /* pattern is not \000 */
8141 -+ if (c <= ' ' || c >= 127)
8142 -+ continue;
8143 - }
8144 - goto out;
8145 - } else if (in_repetition && c == '/') {
8146 - goto out;
8147 -- } else if (tomoyo_invalid(c)) {
8148 -+ } else if (c <= ' ' || c >= 127) {
8149 - goto out;
8150 - }
8151 - }
8152 -diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
8153 -index c2f79e6..5b2b75b 100644
8154 ---- a/sound/pci/hda/hda_intel.c
8155 -+++ b/sound/pci/hda/hda_intel.c
8156 -@@ -2509,6 +2509,7 @@ static struct snd_pci_quirk position_fix_list[] __devinitdata = {
8157 - SND_PCI_QUIRK(0x1043, 0x81e7, "ASUS M2V", POS_FIX_LPIB),
8158 - SND_PCI_QUIRK(0x1043, 0x83ce, "ASUS 1101HA", POS_FIX_LPIB),
8159 - SND_PCI_QUIRK(0x104d, 0x9069, "Sony VPCS11V9E", POS_FIX_LPIB),
8160 -+ SND_PCI_QUIRK(0x10de, 0xcb89, "Macbook Pro 7,1", POS_FIX_LPIB),
8161 - SND_PCI_QUIRK(0x1297, 0x3166, "Shuttle", POS_FIX_LPIB),
8162 - SND_PCI_QUIRK(0x1458, 0xa022, "ga-ma770-ud3", POS_FIX_LPIB),
8163 - SND_PCI_QUIRK(0x1462, 0x1002, "MSI Wind U115", POS_FIX_LPIB),
8164 -diff --git a/sound/pci/hda/hda_local.h b/sound/pci/hda/hda_local.h
8165 -index 618ddad..368f0c5 100644
8166 ---- a/sound/pci/hda/hda_local.h
8167 -+++ b/sound/pci/hda/hda_local.h
8168 -@@ -487,7 +487,12 @@ static inline u32 get_wcaps(struct hda_codec *codec, hda_nid_t nid)
8169 - }
8170 -
8171 - /* get the widget type from widget capability bits */
8172 --#define get_wcaps_type(wcaps) (((wcaps) & AC_WCAP_TYPE) >> AC_WCAP_TYPE_SHIFT)
8173 -+static inline int get_wcaps_type(unsigned int wcaps)
8174 -+{
8175 -+ if (!wcaps)
8176 -+ return -1; /* invalid type */
8177 -+ return (wcaps & AC_WCAP_TYPE) >> AC_WCAP_TYPE_SHIFT;
8178 -+}
8179 -
8180 - static inline unsigned int get_wcaps_channels(u32 wcaps)
8181 - {
8182 -diff --git a/sound/pci/hda/hda_proc.c b/sound/pci/hda/hda_proc.c
8183 -index 2c981b5..254ab52 100644
8184 ---- a/sound/pci/hda/hda_proc.c
8185 -+++ b/sound/pci/hda/hda_proc.c
8186 -@@ -54,6 +54,8 @@ static const char *get_wid_type_name(unsigned int wid_value)
8187 - [AC_WID_BEEP] = "Beep Generator Widget",
8188 - [AC_WID_VENDOR] = "Vendor Defined Widget",
8189 - };
8190 -+ if (wid_value == -1)
8191 -+ return "UNKNOWN Widget";
8192 - wid_value &= 0xf;
8193 - if (names[wid_value])
8194 - return names[wid_value];
8195 -diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
8196 -index 70a7abd..5b0a9bb 100644
8197 ---- a/sound/pci/hda/patch_cirrus.c
8198 -+++ b/sound/pci/hda/patch_cirrus.c
8199 -@@ -920,16 +920,14 @@ static void cs_automute(struct hda_codec *codec)
8200 -
8201 - /* mute speakers if spdif or hp jack is plugged in */
8202 - for (i = 0; i < cfg->speaker_outs; i++) {
8203 -+ int pin_ctl = hp_present ? 0 : PIN_OUT;
8204 -+ /* detect on spdif is specific to CS421x */
8205 -+ if (spdif_present && (spec->vendor_nid == CS421X_VENDOR_NID))
8206 -+ pin_ctl = 0;
8207 -+
8208 - nid = cfg->speaker_pins[i];
8209 - snd_hda_codec_write(codec, nid, 0,
8210 -- AC_VERB_SET_PIN_WIDGET_CONTROL,
8211 -- hp_present ? 0 : PIN_OUT);
8212 -- /* detect on spdif is specific to CS421x */
8213 -- if (spec->vendor_nid == CS421X_VENDOR_NID) {
8214 -- snd_hda_codec_write(codec, nid, 0,
8215 -- AC_VERB_SET_PIN_WIDGET_CONTROL,
8216 -- spdif_present ? 0 : PIN_OUT);
8217 -- }
8218 -+ AC_VERB_SET_PIN_WIDGET_CONTROL, pin_ctl);
8219 - }
8220 - if (spec->gpio_eapd_hp) {
8221 - unsigned int gpio = hp_present ?
8222 -@@ -1771,30 +1769,19 @@ static int build_cs421x_output(struct hda_codec *codec)
8223 - struct auto_pin_cfg *cfg = &spec->autocfg;
8224 - struct snd_kcontrol *kctl;
8225 - int err;
8226 -- char *name = "HP/Speakers";
8227 -+ char *name = "Master";
8228 -
8229 - fix_volume_caps(codec, dac);
8230 -- if (!spec->vmaster_sw) {
8231 -- err = add_vmaster(codec, dac);
8232 -- if (err < 0)
8233 -- return err;
8234 -- }
8235 -
8236 - err = add_mute(codec, name, 0,
8237 - HDA_COMPOSE_AMP_VAL(dac, 3, 0, HDA_OUTPUT), 0, &kctl);
8238 - if (err < 0)
8239 - return err;
8240 -- err = snd_ctl_add_slave(spec->vmaster_sw, kctl);
8241 -- if (err < 0)
8242 -- return err;
8243 -
8244 - err = add_volume(codec, name, 0,
8245 - HDA_COMPOSE_AMP_VAL(dac, 3, 0, HDA_OUTPUT), 0, &kctl);
8246 - if (err < 0)
8247 - return err;
8248 -- err = snd_ctl_add_slave(spec->vmaster_vol, kctl);
8249 -- if (err < 0)
8250 -- return err;
8251 -
8252 - if (cfg->speaker_outs) {
8253 - err = snd_hda_ctl_add(codec, 0,
8254 -diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
8255 -index 0de2119..7072251 100644
8256 ---- a/sound/pci/hda/patch_conexant.c
8257 -+++ b/sound/pci/hda/patch_conexant.c
8258 -@@ -1120,8 +1120,6 @@ static const char * const cxt5045_models[CXT5045_MODELS] = {
8259 -
8260 - static const struct snd_pci_quirk cxt5045_cfg_tbl[] = {
8261 - SND_PCI_QUIRK(0x103c, 0x30d5, "HP 530", CXT5045_LAPTOP_HP530),
8262 -- SND_PCI_QUIRK_MASK(0x103c, 0xff00, 0x3000, "HP DV Series",
8263 -- CXT5045_LAPTOP_HPSENSE),
8264 - SND_PCI_QUIRK(0x1179, 0xff31, "Toshiba P105", CXT5045_LAPTOP_MICSENSE),
8265 - SND_PCI_QUIRK(0x152d, 0x0753, "Benq R55E", CXT5045_BENQ),
8266 - SND_PCI_QUIRK(0x1734, 0x10ad, "Fujitsu Si1520", CXT5045_LAPTOP_MICSENSE),
8267 -diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
8268 -index 616678f..f3c73a9 100644
8269 ---- a/sound/pci/hda/patch_sigmatel.c
8270 -+++ b/sound/pci/hda/patch_sigmatel.c
8271 -@@ -1631,7 +1631,7 @@ static const struct snd_pci_quirk stac92hd73xx_cfg_tbl[] = {
8272 - SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02bd,
8273 - "Dell Studio 1557", STAC_DELL_M6_DMIC),
8274 - SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02fe,
8275 -- "Dell Studio XPS 1645", STAC_DELL_M6_BOTH),
8276 -+ "Dell Studio XPS 1645", STAC_DELL_M6_DMIC),
8277 - SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0413,
8278 - "Dell Studio 1558", STAC_DELL_M6_DMIC),
8279 - {} /* terminator */
8280 -@@ -4326,6 +4326,27 @@ static void stac_store_hints(struct hda_codec *codec)
8281 - }
8282 - }
8283 -
8284 -+static void stac_issue_unsol_events(struct hda_codec *codec, int num_pins,
8285 -+ const hda_nid_t *pins)
8286 -+{
8287 -+ while (num_pins--)
8288 -+ stac_issue_unsol_event(codec, *pins++);
8289 -+}
8290 -+
8291 -+/* fake event to set up pins */
8292 -+static void stac_fake_hp_events(struct hda_codec *codec)
8293 -+{
8294 -+ struct sigmatel_spec *spec = codec->spec;
8295 -+
8296 -+ if (spec->autocfg.hp_outs)
8297 -+ stac_issue_unsol_events(codec, spec->autocfg.hp_outs,
8298 -+ spec->autocfg.hp_pins);
8299 -+ if (spec->autocfg.line_outs &&
8300 -+ spec->autocfg.line_out_pins[0] != spec->autocfg.hp_pins[0])
8301 -+ stac_issue_unsol_events(codec, spec->autocfg.line_outs,
8302 -+ spec->autocfg.line_out_pins);
8303 -+}
8304 -+
8305 - static int stac92xx_init(struct hda_codec *codec)
8306 - {
8307 - struct sigmatel_spec *spec = codec->spec;
8308 -@@ -4376,10 +4397,7 @@ static int stac92xx_init(struct hda_codec *codec)
8309 - stac92xx_auto_set_pinctl(codec, spec->autocfg.line_out_pins[0],
8310 - AC_PINCTL_OUT_EN);
8311 - /* fake event to set up pins */
8312 -- if (cfg->hp_pins[0])
8313 -- stac_issue_unsol_event(codec, cfg->hp_pins[0]);
8314 -- else if (cfg->line_out_pins[0])
8315 -- stac_issue_unsol_event(codec, cfg->line_out_pins[0]);
8316 -+ stac_fake_hp_events(codec);
8317 - } else {
8318 - stac92xx_auto_init_multi_out(codec);
8319 - stac92xx_auto_init_hp_out(codec);
8320 -@@ -5028,19 +5046,11 @@ static void stac927x_proc_hook(struct snd_info_buffer *buffer,
8321 - #ifdef CONFIG_PM
8322 - static int stac92xx_resume(struct hda_codec *codec)
8323 - {
8324 -- struct sigmatel_spec *spec = codec->spec;
8325 --
8326 - stac92xx_init(codec);
8327 - snd_hda_codec_resume_amp(codec);
8328 - snd_hda_codec_resume_cache(codec);
8329 - /* fake event to set up pins again to override cached values */
8330 -- if (spec->hp_detect) {
8331 -- if (spec->autocfg.hp_pins[0])
8332 -- stac_issue_unsol_event(codec, spec->autocfg.hp_pins[0]);
8333 -- else if (spec->autocfg.line_out_pins[0])
8334 -- stac_issue_unsol_event(codec,
8335 -- spec->autocfg.line_out_pins[0]);
8336 -- }
8337 -+ stac_fake_hp_events(codec);
8338 - return 0;
8339 - }
8340 -
8341 -diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
8342 -index b513762..8d69e59 100644
8343 ---- a/sound/pci/hda/patch_via.c
8344 -+++ b/sound/pci/hda/patch_via.c
8345 -@@ -2200,7 +2200,10 @@ static int via_auto_create_loopback_switch(struct hda_codec *codec)
8346 - {
8347 - struct via_spec *spec = codec->spec;
8348 -
8349 -- if (!spec->aa_mix_nid || !spec->out_mix_path.depth)
8350 -+ if (!spec->aa_mix_nid)
8351 -+ return 0; /* no loopback switching available */
8352 -+ if (!(spec->out_mix_path.depth || spec->hp_mix_path.depth ||
8353 -+ spec->speaker_path.depth))
8354 - return 0; /* no loopback switching available */
8355 - if (!via_clone_control(spec, &via_aamix_ctl_enum))
8356 - return -ENOMEM;
8357 -diff --git a/sound/pci/ice1712/amp.c b/sound/pci/ice1712/amp.c
8358 -index e328cfb..e525da2 100644
8359 ---- a/sound/pci/ice1712/amp.c
8360 -+++ b/sound/pci/ice1712/amp.c
8361 -@@ -68,8 +68,11 @@ static int __devinit snd_vt1724_amp_init(struct snd_ice1712 *ice)
8362 -
8363 - static int __devinit snd_vt1724_amp_add_controls(struct snd_ice1712 *ice)
8364 - {
8365 -- /* we use pins 39 and 41 of the VT1616 for left and right read outputs */
8366 -- snd_ac97_write_cache(ice->ac97, 0x5a, snd_ac97_read(ice->ac97, 0x5a) & ~0x8000);
8367 -+ if (ice->ac97)
8368 -+ /* we use pins 39 and 41 of the VT1616 for left and right
8369 -+ read outputs */
8370 -+ snd_ac97_write_cache(ice->ac97, 0x5a,
8371 -+ snd_ac97_read(ice->ac97, 0x5a) & ~0x8000);
8372 - return 0;
8373 - }
8374 -
8375 -diff --git a/sound/pci/oxygen/xonar_wm87x6.c b/sound/pci/oxygen/xonar_wm87x6.c
8376 -index 42d1ab1..915546a 100644
8377 ---- a/sound/pci/oxygen/xonar_wm87x6.c
8378 -+++ b/sound/pci/oxygen/xonar_wm87x6.c
8379 -@@ -177,6 +177,7 @@ static void wm8776_registers_init(struct oxygen *chip)
8380 - struct xonar_wm87x6 *data = chip->model_data;
8381 -
8382 - wm8776_write(chip, WM8776_RESET, 0);
8383 -+ wm8776_write(chip, WM8776_PHASESWAP, WM8776_PH_MASK);
8384 - wm8776_write(chip, WM8776_DACCTRL1, WM8776_DZCEN |
8385 - WM8776_PL_LEFT_LEFT | WM8776_PL_RIGHT_RIGHT);
8386 - wm8776_write(chip, WM8776_DACMUTE, chip->dac_mute ? WM8776_DMUTE : 0);
8387 -diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
8388 -index 81c6ede..08dcce5 100644
8389 ---- a/sound/usb/endpoint.c
8390 -+++ b/sound/usb/endpoint.c
8391 -@@ -17,6 +17,7 @@
8392 -
8393 - #include <linux/gfp.h>
8394 - #include <linux/init.h>
8395 -+#include <linux/ratelimit.h>
8396 - #include <linux/usb.h>
8397 - #include <linux/usb/audio.h>
8398 -
8399 -@@ -458,8 +459,8 @@ static int retire_capture_urb(struct snd_usb_substream *subs,
8400 -
8401 - for (i = 0; i < urb->number_of_packets; i++) {
8402 - cp = (unsigned char *)urb->transfer_buffer + urb->iso_frame_desc[i].offset;
8403 -- if (urb->iso_frame_desc[i].status) {
8404 -- snd_printd(KERN_ERR "frame %d active: %d\n", i, urb->iso_frame_desc[i].status);
8405 -+ if (urb->iso_frame_desc[i].status && printk_ratelimit()) {
8406 -+ snd_printdd("frame %d active: %d\n", i, urb->iso_frame_desc[i].status);
8407 - // continue;
8408 - }
8409 - bytes = urb->iso_frame_desc[i].actual_length;
8410 -diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
8411 -index c400ade..1e7a47a 100644
8412 ---- a/sound/usb/usx2y/usb_stream.c
8413 -+++ b/sound/usb/usx2y/usb_stream.c
8414 -@@ -674,7 +674,7 @@ dotry:
8415 - inurb->transfer_buffer_length =
8416 - inurb->number_of_packets *
8417 - inurb->iso_frame_desc[0].length;
8418 -- preempt_disable();
8419 -+
8420 - if (u == 0) {
8421 - int now;
8422 - struct usb_device *dev = inurb->dev;
8423 -@@ -686,19 +686,17 @@ dotry:
8424 - }
8425 - err = usb_submit_urb(inurb, GFP_ATOMIC);
8426 - if (err < 0) {
8427 -- preempt_enable();
8428 - snd_printk(KERN_ERR"usb_submit_urb(sk->inurb[%i])"
8429 - " returned %i\n", u, err);
8430 - return err;
8431 - }
8432 - err = usb_submit_urb(outurb, GFP_ATOMIC);
8433 - if (err < 0) {
8434 -- preempt_enable();
8435 - snd_printk(KERN_ERR"usb_submit_urb(sk->outurb[%i])"
8436 - " returned %i\n", u, err);
8437 - return err;
8438 - }
8439 -- preempt_enable();
8440 -+
8441 - if (inurb->start_frame != outurb->start_frame) {
8442 - snd_printd(KERN_DEBUG
8443 - "u[%i] start_frames differ in:%u out:%u\n",
8444
8445 diff --git a/3.2.2/0000_README b/3.2.4/0000_README
8446 similarity index 90%
8447 rename from 3.2.2/0000_README
8448 rename to 3.2.4/0000_README
8449 index a38ba28..97fce67 100644
8450 --- a/3.2.2/0000_README
8451 +++ b/3.2.4/0000_README
8452 @@ -2,11 +2,15 @@ README
8453 -----------------------------------------------------------------------------
8454 Individual Patch Descriptions:
8455 -----------------------------------------------------------------------------
8456 -Patch: 1001_linux-3.2.2.patch
8457 +Patch: 1002_linux-3.2.3.patch
8458 From: http://www.kernel.org
8459 -Desc: Linux 3.2.2
8460 +Desc: Linux 3.2.3
8461
8462 -Patch: 4420_grsecurity-2.2.2-3.2.2-201201272014.patch
8463 +Patch: 1003_linux-3.2.4.patch
8464 +From: http://www.kernel.org
8465 +Desc: Linux 3.2.4
8466 +
8467 +Patch: 4420_grsecurity-2.2.2-3.2.4-201202032052.patch
8468 From: http://www.grsecurity.net
8469 Desc: hardened-sources base patch from upstream grsecurity
8470
8471
8472 diff --git a/3.2.4/1002_linux-3.2.3.patch b/3.2.4/1002_linux-3.2.3.patch
8473 new file mode 100644
8474 index 0000000..98925b0
8475 --- /dev/null
8476 +++ b/3.2.4/1002_linux-3.2.3.patch
8477 @@ -0,0 +1,3760 @@
8478 +diff --git a/Makefile b/Makefile
8479 +index 2f684da..d45e887 100644
8480 +--- a/Makefile
8481 ++++ b/Makefile
8482 +@@ -1,6 +1,6 @@
8483 + VERSION = 3
8484 + PATCHLEVEL = 2
8485 +-SUBLEVEL = 2
8486 ++SUBLEVEL = 3
8487 + EXTRAVERSION =
8488 + NAME = Saber-toothed Squirrel
8489 +
8490 +diff --git a/arch/arm/mach-at91/setup.c b/arch/arm/mach-at91/setup.c
8491 +index aa64294..f5bbe0ef 100644
8492 +--- a/arch/arm/mach-at91/setup.c
8493 ++++ b/arch/arm/mach-at91/setup.c
8494 +@@ -27,9 +27,12 @@ EXPORT_SYMBOL(at91_soc_initdata);
8495 + void __init at91rm9200_set_type(int type)
8496 + {
8497 + if (type == ARCH_REVISON_9200_PQFP)
8498 +- at91_soc_initdata.subtype = AT91_SOC_RM9200_BGA;
8499 +- else
8500 + at91_soc_initdata.subtype = AT91_SOC_RM9200_PQFP;
8501 ++ else
8502 ++ at91_soc_initdata.subtype = AT91_SOC_RM9200_BGA;
8503 ++
8504 ++ pr_info("AT91: filled in soc subtype: %s\n",
8505 ++ at91_get_soc_subtype(&at91_soc_initdata));
8506 + }
8507 +
8508 + void __init at91_init_irq_default(void)
8509 +diff --git a/arch/arm/mach-ux500/Kconfig b/arch/arm/mach-ux500/Kconfig
8510 +index a3e0c86..52af004 100644
8511 +--- a/arch/arm/mach-ux500/Kconfig
8512 ++++ b/arch/arm/mach-ux500/Kconfig
8513 +@@ -7,6 +7,7 @@ config UX500_SOC_COMMON
8514 + select HAS_MTU
8515 + select ARM_ERRATA_753970
8516 + select ARM_ERRATA_754322
8517 ++ select ARM_ERRATA_764369
8518 +
8519 + menu "Ux500 SoC"
8520 +
8521 +diff --git a/arch/arm/mach-ux500/board-mop500-sdi.c b/arch/arm/mach-ux500/board-mop500-sdi.c
8522 +index 6826fae..306cff0 100644
8523 +--- a/arch/arm/mach-ux500/board-mop500-sdi.c
8524 ++++ b/arch/arm/mach-ux500/board-mop500-sdi.c
8525 +@@ -233,6 +233,8 @@ void __init snowball_sdi_init(void)
8526 + {
8527 + u32 periphid = 0x10480180;
8528 +
8529 ++ /* On Snowball MMC_CAP_SD_HIGHSPEED isn't supported on sdi0 */
8530 ++ mop500_sdi0_data.capabilities &= ~MMC_CAP_SD_HIGHSPEED;
8531 + mop500_sdi2_data.capabilities |= MMC_CAP_MMC_HIGHSPEED;
8532 +
8533 + /* On-board eMMC */
8534 +diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S
8535 +index e70a737..40cc7aa 100644
8536 +--- a/arch/arm/mm/proc-v7.S
8537 ++++ b/arch/arm/mm/proc-v7.S
8538 +@@ -271,10 +271,6 @@ ENDPROC(cpu_v7_do_resume)
8539 + * Initialise TLB, Caches, and MMU state ready to switch the MMU
8540 + * on. Return in r0 the new CP15 C1 control register setting.
8541 + *
8542 +- * We automatically detect if we have a Harvard cache, and use the
8543 +- * Harvard cache control instructions insead of the unified cache
8544 +- * control instructions.
8545 +- *
8546 + * This should be able to cover all ARMv7 cores.
8547 + *
8548 + * It is assumed that:
8549 +@@ -373,9 +369,7 @@ __v7_setup:
8550 + #endif
8551 +
8552 + 3: mov r10, #0
8553 +-#ifdef HARVARD_CACHE
8554 + mcr p15, 0, r10, c7, c5, 0 @ I+BTB cache invalidate
8555 +-#endif
8556 + dsb
8557 + #ifdef CONFIG_MMU
8558 + mcr p15, 0, r10, c8, c7, 0 @ invalidate I + D TLBs
8559 +diff --git a/arch/m68k/atari/config.c b/arch/m68k/atari/config.c
8560 +index 4203d10..c4ac15c 100644
8561 +--- a/arch/m68k/atari/config.c
8562 ++++ b/arch/m68k/atari/config.c
8563 +@@ -414,9 +414,9 @@ void __init config_atari(void)
8564 + * FDC val = 4 -> Supervisor only */
8565 + asm volatile ("\n"
8566 + " .chip 68030\n"
8567 +- " pmove %0@,%/tt1\n"
8568 ++ " pmove %0,%/tt1\n"
8569 + " .chip 68k"
8570 +- : : "a" (&tt1_val));
8571 ++ : : "m" (tt1_val));
8572 + } else {
8573 + asm volatile ("\n"
8574 + " .chip 68040\n"
8575 +@@ -569,10 +569,10 @@ static void atari_reset(void)
8576 + : "d0");
8577 + } else
8578 + asm volatile ("\n"
8579 +- " pmove %0@,%%tc\n"
8580 ++ " pmove %0,%%tc\n"
8581 + " jmp %1@"
8582 + : /* no outputs */
8583 +- : "a" (&tc_val), "a" (reset_addr));
8584 ++ : "m" (tc_val), "a" (reset_addr));
8585 + }
8586 +
8587 +
8588 +diff --git a/arch/m68k/kernel/process_mm.c b/arch/m68k/kernel/process_mm.c
8589 +index 1bc223a..aa4ffb8 100644
8590 +--- a/arch/m68k/kernel/process_mm.c
8591 ++++ b/arch/m68k/kernel/process_mm.c
8592 +@@ -189,8 +189,8 @@ void flush_thread(void)
8593 + current->thread.fs = __USER_DS;
8594 + if (!FPU_IS_EMU)
8595 + asm volatile (".chip 68k/68881\n\t"
8596 +- "frestore %0@\n\t"
8597 +- ".chip 68k" : : "a" (&zero));
8598 ++ "frestore %0\n\t"
8599 ++ ".chip 68k" : : "m" (zero));
8600 + }
8601 +
8602 + /*
8603 +diff --git a/arch/m68k/kernel/process_no.c b/arch/m68k/kernel/process_no.c
8604 +index 69c1803..5e1078c 100644
8605 +--- a/arch/m68k/kernel/process_no.c
8606 ++++ b/arch/m68k/kernel/process_no.c
8607 +@@ -163,8 +163,8 @@ void flush_thread(void)
8608 + #ifdef CONFIG_FPU
8609 + if (!FPU_IS_EMU)
8610 + asm volatile (".chip 68k/68881\n\t"
8611 +- "frestore %0@\n\t"
8612 +- ".chip 68k" : : "a" (&zero));
8613 ++ "frestore %0\n\t"
8614 ++ ".chip 68k" : : "m" (zero));
8615 + #endif
8616 + }
8617 +
8618 +diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c
8619 +index 89362f2..eb67469 100644
8620 +--- a/arch/m68k/kernel/traps.c
8621 ++++ b/arch/m68k/kernel/traps.c
8622 +@@ -552,13 +552,13 @@ static inline void bus_error030 (struct frame *fp)
8623 +
8624 + #ifdef DEBUG
8625 + asm volatile ("ptestr %3,%2@,#7,%0\n\t"
8626 +- "pmove %%psr,%1@"
8627 +- : "=a&" (desc)
8628 +- : "a" (&temp), "a" (addr), "d" (ssw));
8629 ++ "pmove %%psr,%1"
8630 ++ : "=a&" (desc), "=m" (temp)
8631 ++ : "a" (addr), "d" (ssw));
8632 + #else
8633 + asm volatile ("ptestr %2,%1@,#7\n\t"
8634 +- "pmove %%psr,%0@"
8635 +- : : "a" (&temp), "a" (addr), "d" (ssw));
8636 ++ "pmove %%psr,%0"
8637 ++ : "=m" (temp) : "a" (addr), "d" (ssw));
8638 + #endif
8639 + mmusr = temp;
8640 +
8641 +@@ -605,20 +605,18 @@ static inline void bus_error030 (struct frame *fp)
8642 + !(ssw & RW) ? "write" : "read", addr,
8643 + fp->ptregs.pc, ssw);
8644 + asm volatile ("ptestr #1,%1@,#0\n\t"
8645 +- "pmove %%psr,%0@"
8646 +- : /* no outputs */
8647 +- : "a" (&temp), "a" (addr));
8648 ++ "pmove %%psr,%0"
8649 ++ : "=m" (temp)
8650 ++ : "a" (addr));
8651 + mmusr = temp;
8652 +
8653 + printk ("level 0 mmusr is %#x\n", mmusr);
8654 + #if 0
8655 +- asm volatile ("pmove %%tt0,%0@"
8656 +- : /* no outputs */
8657 +- : "a" (&tlong));
8658 ++ asm volatile ("pmove %%tt0,%0"
8659 ++ : "=m" (tlong));
8660 + printk("tt0 is %#lx, ", tlong);
8661 +- asm volatile ("pmove %%tt1,%0@"
8662 +- : /* no outputs */
8663 +- : "a" (&tlong));
8664 ++ asm volatile ("pmove %%tt1,%0"
8665 ++ : "=m" (tlong));
8666 + printk("tt1 is %#lx\n", tlong);
8667 + #endif
8668 + #ifdef DEBUG
8669 +@@ -668,13 +666,13 @@ static inline void bus_error030 (struct frame *fp)
8670 +
8671 + #ifdef DEBUG
8672 + asm volatile ("ptestr #1,%2@,#7,%0\n\t"
8673 +- "pmove %%psr,%1@"
8674 +- : "=a&" (desc)
8675 +- : "a" (&temp), "a" (addr));
8676 ++ "pmove %%psr,%1"
8677 ++ : "=a&" (desc), "=m" (temp)
8678 ++ : "a" (addr));
8679 + #else
8680 + asm volatile ("ptestr #1,%1@,#7\n\t"
8681 +- "pmove %%psr,%0@"
8682 +- : : "a" (&temp), "a" (addr));
8683 ++ "pmove %%psr,%0"
8684 ++ : "=m" (temp) : "a" (addr));
8685 + #endif
8686 + mmusr = temp;
8687 +
8688 +diff --git a/arch/m68k/mm/cache.c b/arch/m68k/mm/cache.c
8689 +index 5437fff..5550aa4 100644
8690 +--- a/arch/m68k/mm/cache.c
8691 ++++ b/arch/m68k/mm/cache.c
8692 +@@ -52,9 +52,9 @@ static unsigned long virt_to_phys_slow(unsigned long vaddr)
8693 + unsigned long *descaddr;
8694 +
8695 + asm volatile ("ptestr %3,%2@,#7,%0\n\t"
8696 +- "pmove %%psr,%1@"
8697 +- : "=a&" (descaddr)
8698 +- : "a" (&mmusr), "a" (vaddr), "d" (get_fs().seg));
8699 ++ "pmove %%psr,%1"
8700 ++ : "=a&" (descaddr), "=m" (mmusr)
8701 ++ : "a" (vaddr), "d" (get_fs().seg));
8702 + if (mmusr & (MMU_I|MMU_B|MMU_L))
8703 + return 0;
8704 + descaddr = phys_to_virt((unsigned long)descaddr);
8705 +diff --git a/arch/x86/include/asm/uv/uv_hub.h b/arch/x86/include/asm/uv/uv_hub.h
8706 +index 54a13aa..21f7385 100644
8707 +--- a/arch/x86/include/asm/uv/uv_hub.h
8708 ++++ b/arch/x86/include/asm/uv/uv_hub.h
8709 +@@ -318,13 +318,13 @@ uv_gpa_in_mmr_space(unsigned long gpa)
8710 + /* UV global physical address --> socket phys RAM */
8711 + static inline unsigned long uv_gpa_to_soc_phys_ram(unsigned long gpa)
8712 + {
8713 +- unsigned long paddr = gpa & uv_hub_info->gpa_mask;
8714 ++ unsigned long paddr;
8715 + unsigned long remap_base = uv_hub_info->lowmem_remap_base;
8716 + unsigned long remap_top = uv_hub_info->lowmem_remap_top;
8717 +
8718 + gpa = ((gpa << uv_hub_info->m_shift) >> uv_hub_info->m_shift) |
8719 + ((gpa >> uv_hub_info->n_lshift) << uv_hub_info->m_val);
8720 +- gpa = gpa & uv_hub_info->gpa_mask;
8721 ++ paddr = gpa & uv_hub_info->gpa_mask;
8722 + if (paddr >= remap_base && paddr < remap_base + remap_top)
8723 + paddr -= remap_base;
8724 + return paddr;
8725 +diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c
8726 +index d494799..ac52c15 100644
8727 +--- a/arch/x86/kernel/microcode_amd.c
8728 ++++ b/arch/x86/kernel/microcode_amd.c
8729 +@@ -300,13 +300,33 @@ free_table:
8730 + return state;
8731 + }
8732 +
8733 ++/*
8734 ++ * AMD microcode firmware naming convention, up to family 15h they are in
8735 ++ * the legacy file:
8736 ++ *
8737 ++ * amd-ucode/microcode_amd.bin
8738 ++ *
8739 ++ * This legacy file is always smaller than 2K in size.
8740 ++ *
8741 ++ * Starting at family 15h they are in family specific firmware files:
8742 ++ *
8743 ++ * amd-ucode/microcode_amd_fam15h.bin
8744 ++ * amd-ucode/microcode_amd_fam16h.bin
8745 ++ * ...
8746 ++ *
8747 ++ * These might be larger than 2K.
8748 ++ */
8749 + static enum ucode_state request_microcode_amd(int cpu, struct device *device)
8750 + {
8751 +- const char *fw_name = "amd-ucode/microcode_amd.bin";
8752 ++ char fw_name[36] = "amd-ucode/microcode_amd.bin";
8753 + const struct firmware *fw;
8754 + enum ucode_state ret = UCODE_NFOUND;
8755 ++ struct cpuinfo_x86 *c = &cpu_data(cpu);
8756 ++
8757 ++ if (c->x86 >= 0x15)
8758 ++ snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86);
8759 +
8760 +- if (request_firmware(&fw, fw_name, device)) {
8761 ++ if (request_firmware(&fw, (const char *)fw_name, device)) {
8762 + pr_err("failed to load file %s\n", fw_name);
8763 + goto out;
8764 + }
8765 +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
8766 +index 7b65f75..7c1b765 100644
8767 +--- a/arch/x86/net/bpf_jit_comp.c
8768 ++++ b/arch/x86/net/bpf_jit_comp.c
8769 +@@ -151,17 +151,18 @@ void bpf_jit_compile(struct sk_filter *fp)
8770 + cleanup_addr = proglen; /* epilogue address */
8771 +
8772 + for (pass = 0; pass < 10; pass++) {
8773 ++ u8 seen_or_pass0 = (pass == 0) ? (SEEN_XREG | SEEN_DATAREF | SEEN_MEM) : seen;
8774 + /* no prologue/epilogue for trivial filters (RET something) */
8775 + proglen = 0;
8776 + prog = temp;
8777 +
8778 +- if (seen) {
8779 ++ if (seen_or_pass0) {
8780 + EMIT4(0x55, 0x48, 0x89, 0xe5); /* push %rbp; mov %rsp,%rbp */
8781 + EMIT4(0x48, 0x83, 0xec, 96); /* subq $96,%rsp */
8782 + /* note : must save %rbx in case bpf_error is hit */
8783 +- if (seen & (SEEN_XREG | SEEN_DATAREF))
8784 ++ if (seen_or_pass0 & (SEEN_XREG | SEEN_DATAREF))
8785 + EMIT4(0x48, 0x89, 0x5d, 0xf8); /* mov %rbx, -8(%rbp) */
8786 +- if (seen & SEEN_XREG)
8787 ++ if (seen_or_pass0 & SEEN_XREG)
8788 + CLEAR_X(); /* make sure we dont leek kernel memory */
8789 +
8790 + /*
8791 +@@ -170,7 +171,7 @@ void bpf_jit_compile(struct sk_filter *fp)
8792 + * r9 = skb->len - skb->data_len
8793 + * r8 = skb->data
8794 + */
8795 +- if (seen & SEEN_DATAREF) {
8796 ++ if (seen_or_pass0 & SEEN_DATAREF) {
8797 + if (offsetof(struct sk_buff, len) <= 127)
8798 + /* mov off8(%rdi),%r9d */
8799 + EMIT4(0x44, 0x8b, 0x4f, offsetof(struct sk_buff, len));
8800 +@@ -260,9 +261,14 @@ void bpf_jit_compile(struct sk_filter *fp)
8801 + case BPF_S_ALU_DIV_X: /* A /= X; */
8802 + seen |= SEEN_XREG;
8803 + EMIT2(0x85, 0xdb); /* test %ebx,%ebx */
8804 +- if (pc_ret0 != -1)
8805 +- EMIT_COND_JMP(X86_JE, addrs[pc_ret0] - (addrs[i] - 4));
8806 +- else {
8807 ++ if (pc_ret0 > 0) {
8808 ++ /* addrs[pc_ret0 - 1] is start address of target
8809 ++ * (addrs[i] - 4) is the address following this jmp
8810 ++ * ("xor %edx,%edx; div %ebx" being 4 bytes long)
8811 ++ */
8812 ++ EMIT_COND_JMP(X86_JE, addrs[pc_ret0 - 1] -
8813 ++ (addrs[i] - 4));
8814 ++ } else {
8815 + EMIT_COND_JMP(X86_JNE, 2 + 5);
8816 + CLEAR_A();
8817 + EMIT1_off32(0xe9, cleanup_addr - (addrs[i] - 4)); /* jmp .+off32 */
8818 +@@ -335,12 +341,12 @@ void bpf_jit_compile(struct sk_filter *fp)
8819 + }
8820 + /* fallinto */
8821 + case BPF_S_RET_A:
8822 +- if (seen) {
8823 ++ if (seen_or_pass0) {
8824 + if (i != flen - 1) {
8825 + EMIT_JMP(cleanup_addr - addrs[i]);
8826 + break;
8827 + }
8828 +- if (seen & SEEN_XREG)
8829 ++ if (seen_or_pass0 & SEEN_XREG)
8830 + EMIT4(0x48, 0x8b, 0x5d, 0xf8); /* mov -8(%rbp),%rbx */
8831 + EMIT1(0xc9); /* leaveq */
8832 + }
8833 +@@ -483,8 +489,9 @@ common_load: seen |= SEEN_DATAREF;
8834 + goto common_load;
8835 + case BPF_S_LDX_B_MSH:
8836 + if ((int)K < 0) {
8837 +- if (pc_ret0 != -1) {
8838 +- EMIT_JMP(addrs[pc_ret0] - addrs[i]);
8839 ++ if (pc_ret0 > 0) {
8840 ++ /* addrs[pc_ret0 - 1] is the start address */
8841 ++ EMIT_JMP(addrs[pc_ret0 - 1] - addrs[i]);
8842 + break;
8843 + }
8844 + CLEAR_A();
8845 +@@ -599,13 +606,14 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
8846 + * use it to give the cleanup instruction(s) addr
8847 + */
8848 + cleanup_addr = proglen - 1; /* ret */
8849 +- if (seen)
8850 ++ if (seen_or_pass0)
8851 + cleanup_addr -= 1; /* leaveq */
8852 +- if (seen & SEEN_XREG)
8853 ++ if (seen_or_pass0 & SEEN_XREG)
8854 + cleanup_addr -= 4; /* mov -8(%rbp),%rbx */
8855 +
8856 + if (image) {
8857 +- WARN_ON(proglen != oldproglen);
8858 ++ if (proglen != oldproglen)
8859 ++ pr_err("bpb_jit_compile proglen=%u != oldproglen=%u\n", proglen, oldproglen);
8860 + break;
8861 + }
8862 + if (proglen == oldproglen) {
8863 +diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
8864 +index 9010ca7..81aee5a 100644
8865 +--- a/arch/x86/platform/uv/tlb_uv.c
8866 ++++ b/arch/x86/platform/uv/tlb_uv.c
8867 +@@ -1860,6 +1860,8 @@ static void __init init_per_cpu_tunables(void)
8868 + bcp->cong_reps = congested_reps;
8869 + bcp->cong_period = congested_period;
8870 + bcp->clocks_per_100_usec = usec_2_cycles(100);
8871 ++ spin_lock_init(&bcp->queue_lock);
8872 ++ spin_lock_init(&bcp->uvhub_lock);
8873 + }
8874 + }
8875 +
8876 +diff --git a/arch/x86/platform/uv/uv_irq.c b/arch/x86/platform/uv/uv_irq.c
8877 +index 374a05d..f25c276 100644
8878 +--- a/arch/x86/platform/uv/uv_irq.c
8879 ++++ b/arch/x86/platform/uv/uv_irq.c
8880 +@@ -25,7 +25,7 @@ struct uv_irq_2_mmr_pnode{
8881 + int irq;
8882 + };
8883 +
8884 +-static spinlock_t uv_irq_lock;
8885 ++static DEFINE_SPINLOCK(uv_irq_lock);
8886 + static struct rb_root uv_irq_root;
8887 +
8888 + static int uv_set_irq_affinity(struct irq_data *, const struct cpumask *, bool);
8889 +diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
8890 +index cc9b1e1..d69cc6c 100644
8891 +--- a/arch/x86/xen/spinlock.c
8892 ++++ b/arch/x86/xen/spinlock.c
8893 +@@ -116,9 +116,26 @@ static inline void spin_time_accum_blocked(u64 start)
8894 + }
8895 + #endif /* CONFIG_XEN_DEBUG_FS */
8896 +
8897 ++/*
8898 ++ * Size struct xen_spinlock so it's the same as arch_spinlock_t.
8899 ++ */
8900 ++#if NR_CPUS < 256
8901 ++typedef u8 xen_spinners_t;
8902 ++# define inc_spinners(xl) \
8903 ++ asm(LOCK_PREFIX " incb %0" : "+m" ((xl)->spinners) : : "memory");
8904 ++# define dec_spinners(xl) \
8905 ++ asm(LOCK_PREFIX " decb %0" : "+m" ((xl)->spinners) : : "memory");
8906 ++#else
8907 ++typedef u16 xen_spinners_t;
8908 ++# define inc_spinners(xl) \
8909 ++ asm(LOCK_PREFIX " incw %0" : "+m" ((xl)->spinners) : : "memory");
8910 ++# define dec_spinners(xl) \
8911 ++ asm(LOCK_PREFIX " decw %0" : "+m" ((xl)->spinners) : : "memory");
8912 ++#endif
8913 ++
8914 + struct xen_spinlock {
8915 + unsigned char lock; /* 0 -> free; 1 -> locked */
8916 +- unsigned short spinners; /* count of waiting cpus */
8917 ++ xen_spinners_t spinners; /* count of waiting cpus */
8918 + };
8919 +
8920 + static int xen_spin_is_locked(struct arch_spinlock *lock)
8921 +@@ -164,8 +181,7 @@ static inline struct xen_spinlock *spinning_lock(struct xen_spinlock *xl)
8922 +
8923 + wmb(); /* set lock of interest before count */
8924 +
8925 +- asm(LOCK_PREFIX " incw %0"
8926 +- : "+m" (xl->spinners) : : "memory");
8927 ++ inc_spinners(xl);
8928 +
8929 + return prev;
8930 + }
8931 +@@ -176,8 +192,7 @@ static inline struct xen_spinlock *spinning_lock(struct xen_spinlock *xl)
8932 + */
8933 + static inline void unspinning_lock(struct xen_spinlock *xl, struct xen_spinlock *prev)
8934 + {
8935 +- asm(LOCK_PREFIX " decw %0"
8936 +- : "+m" (xl->spinners) : : "memory");
8937 ++ dec_spinners(xl);
8938 + wmb(); /* decrement count before restoring lock */
8939 + __this_cpu_write(lock_spinners, prev);
8940 + }
8941 +@@ -373,6 +388,8 @@ void xen_uninit_lock_cpu(int cpu)
8942 +
8943 + void __init xen_init_spinlocks(void)
8944 + {
8945 ++ BUILD_BUG_ON(sizeof(struct xen_spinlock) > sizeof(arch_spinlock_t));
8946 ++
8947 + pv_lock_ops.spin_is_locked = xen_spin_is_locked;
8948 + pv_lock_ops.spin_is_contended = xen_spin_is_contended;
8949 + pv_lock_ops.spin_lock = xen_spin_lock;
8950 +diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
8951 +index 9ed9f60..88f160b 100644
8952 +--- a/crypto/sha512_generic.c
8953 ++++ b/crypto/sha512_generic.c
8954 +@@ -21,8 +21,6 @@
8955 + #include <linux/percpu.h>
8956 + #include <asm/byteorder.h>
8957 +
8958 +-static DEFINE_PER_CPU(u64[80], msg_schedule);
8959 +-
8960 + static inline u64 Ch(u64 x, u64 y, u64 z)
8961 + {
8962 + return z ^ (x & (y ^ z));
8963 +@@ -80,7 +78,7 @@ static inline void LOAD_OP(int I, u64 *W, const u8 *input)
8964 +
8965 + static inline void BLEND_OP(int I, u64 *W)
8966 + {
8967 +- W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
8968 ++ W[I % 16] += s1(W[(I-2) % 16]) + W[(I-7) % 16] + s0(W[(I-15) % 16]);
8969 + }
8970 +
8971 + static void
8972 +@@ -89,38 +87,48 @@ sha512_transform(u64 *state, const u8 *input)
8973 + u64 a, b, c, d, e, f, g, h, t1, t2;
8974 +
8975 + int i;
8976 +- u64 *W = get_cpu_var(msg_schedule);
8977 ++ u64 W[16];
8978 +
8979 + /* load the input */
8980 + for (i = 0; i < 16; i++)
8981 + LOAD_OP(i, W, input);
8982 +
8983 +- for (i = 16; i < 80; i++) {
8984 +- BLEND_OP(i, W);
8985 +- }
8986 +-
8987 + /* load the state into our registers */
8988 + a=state[0]; b=state[1]; c=state[2]; d=state[3];
8989 + e=state[4]; f=state[5]; g=state[6]; h=state[7];
8990 +
8991 +- /* now iterate */
8992 +- for (i=0; i<80; i+=8) {
8993 +- t1 = h + e1(e) + Ch(e,f,g) + sha512_K[i ] + W[i ];
8994 +- t2 = e0(a) + Maj(a,b,c); d+=t1; h=t1+t2;
8995 +- t1 = g + e1(d) + Ch(d,e,f) + sha512_K[i+1] + W[i+1];
8996 +- t2 = e0(h) + Maj(h,a,b); c+=t1; g=t1+t2;
8997 +- t1 = f + e1(c) + Ch(c,d,e) + sha512_K[i+2] + W[i+2];
8998 +- t2 = e0(g) + Maj(g,h,a); b+=t1; f=t1+t2;
8999 +- t1 = e + e1(b) + Ch(b,c,d) + sha512_K[i+3] + W[i+3];
9000 +- t2 = e0(f) + Maj(f,g,h); a+=t1; e=t1+t2;
9001 +- t1 = d + e1(a) + Ch(a,b,c) + sha512_K[i+4] + W[i+4];
9002 +- t2 = e0(e) + Maj(e,f,g); h+=t1; d=t1+t2;
9003 +- t1 = c + e1(h) + Ch(h,a,b) + sha512_K[i+5] + W[i+5];
9004 +- t2 = e0(d) + Maj(d,e,f); g+=t1; c=t1+t2;
9005 +- t1 = b + e1(g) + Ch(g,h,a) + sha512_K[i+6] + W[i+6];
9006 +- t2 = e0(c) + Maj(c,d,e); f+=t1; b=t1+t2;
9007 +- t1 = a + e1(f) + Ch(f,g,h) + sha512_K[i+7] + W[i+7];
9008 +- t2 = e0(b) + Maj(b,c,d); e+=t1; a=t1+t2;
9009 ++#define SHA512_0_15(i, a, b, c, d, e, f, g, h) \
9010 ++ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[i]; \
9011 ++ t2 = e0(a) + Maj(a, b, c); \
9012 ++ d += t1; \
9013 ++ h = t1 + t2
9014 ++
9015 ++#define SHA512_16_79(i, a, b, c, d, e, f, g, h) \
9016 ++ BLEND_OP(i, W); \
9017 ++ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[(i)%16]; \
9018 ++ t2 = e0(a) + Maj(a, b, c); \
9019 ++ d += t1; \
9020 ++ h = t1 + t2
9021 ++
9022 ++ for (i = 0; i < 16; i += 8) {
9023 ++ SHA512_0_15(i, a, b, c, d, e, f, g, h);
9024 ++ SHA512_0_15(i + 1, h, a, b, c, d, e, f, g);
9025 ++ SHA512_0_15(i + 2, g, h, a, b, c, d, e, f);
9026 ++ SHA512_0_15(i + 3, f, g, h, a, b, c, d, e);
9027 ++ SHA512_0_15(i + 4, e, f, g, h, a, b, c, d);
9028 ++ SHA512_0_15(i + 5, d, e, f, g, h, a, b, c);
9029 ++ SHA512_0_15(i + 6, c, d, e, f, g, h, a, b);
9030 ++ SHA512_0_15(i + 7, b, c, d, e, f, g, h, a);
9031 ++ }
9032 ++ for (i = 16; i < 80; i += 8) {
9033 ++ SHA512_16_79(i, a, b, c, d, e, f, g, h);
9034 ++ SHA512_16_79(i + 1, h, a, b, c, d, e, f, g);
9035 ++ SHA512_16_79(i + 2, g, h, a, b, c, d, e, f);
9036 ++ SHA512_16_79(i + 3, f, g, h, a, b, c, d, e);
9037 ++ SHA512_16_79(i + 4, e, f, g, h, a, b, c, d);
9038 ++ SHA512_16_79(i + 5, d, e, f, g, h, a, b, c);
9039 ++ SHA512_16_79(i + 6, c, d, e, f, g, h, a, b);
9040 ++ SHA512_16_79(i + 7, b, c, d, e, f, g, h, a);
9041 + }
9042 +
9043 + state[0] += a; state[1] += b; state[2] += c; state[3] += d;
9044 +@@ -128,8 +136,6 @@ sha512_transform(u64 *state, const u8 *input)
9045 +
9046 + /* erase our data */
9047 + a = b = c = d = e = f = g = h = t1 = t2 = 0;
9048 +- memset(W, 0, sizeof(__get_cpu_var(msg_schedule)));
9049 +- put_cpu_var(msg_schedule);
9050 + }
9051 +
9052 + static int
9053 +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
9054 +index 3f4051a..c7e5282 100644
9055 +--- a/drivers/char/tpm/tpm_tis.c
9056 ++++ b/drivers/char/tpm/tpm_tis.c
9057 +@@ -432,6 +432,9 @@ static int probe_itpm(struct tpm_chip *chip)
9058 + out:
9059 + itpm = rem_itpm;
9060 + tpm_tis_ready(chip);
9061 ++ /* some TPMs need a break here otherwise they will not work
9062 ++ * correctly on the immediately subsequent command */
9063 ++ msleep(chip->vendor.timeout_b);
9064 + release_locality(chip, chip->vendor.locality, 0);
9065 +
9066 + return rc;
9067 +diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
9068 +index 3f46772..ba23790 100644
9069 +--- a/drivers/gpu/drm/drm_auth.c
9070 ++++ b/drivers/gpu/drm/drm_auth.c
9071 +@@ -101,7 +101,7 @@ static int drm_add_magic(struct drm_master *master, struct drm_file *priv,
9072 + * Searches and unlinks the entry in drm_device::magiclist with the magic
9073 + * number hash key, while holding the drm_device::struct_mutex lock.
9074 + */
9075 +-static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
9076 ++int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
9077 + {
9078 + struct drm_magic_entry *pt;
9079 + struct drm_hash_item *hash;
9080 +@@ -136,6 +136,8 @@ static int drm_remove_magic(struct drm_master *master, drm_magic_t magic)
9081 + * If there is a magic number in drm_file::magic then use it, otherwise
9082 + * searches an unique non-zero magic number and add it associating it with \p
9083 + * file_priv.
9084 ++ * This ioctl needs protection by the drm_global_mutex, which protects
9085 ++ * struct drm_file::magic and struct drm_magic_entry::priv.
9086 + */
9087 + int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
9088 + {
9089 +@@ -173,6 +175,8 @@ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv)
9090 + * \return zero if authentication successed, or a negative number otherwise.
9091 + *
9092 + * Checks if \p file_priv is associated with the magic number passed in \arg.
9093 ++ * This ioctl needs protection by the drm_global_mutex, which protects
9094 ++ * struct drm_file::magic and struct drm_magic_entry::priv.
9095 + */
9096 + int drm_authmagic(struct drm_device *dev, void *data,
9097 + struct drm_file *file_priv)
9098 +diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
9099 +index 4911e1d..828bf65 100644
9100 +--- a/drivers/gpu/drm/drm_fops.c
9101 ++++ b/drivers/gpu/drm/drm_fops.c
9102 +@@ -487,6 +487,11 @@ int drm_release(struct inode *inode, struct file *filp)
9103 + (long)old_encode_dev(file_priv->minor->device),
9104 + dev->open_count);
9105 +
9106 ++ /* Release any auth tokens that might point to this file_priv,
9107 ++ (do that under the drm_global_mutex) */
9108 ++ if (file_priv->magic)
9109 ++ (void) drm_remove_magic(file_priv->master, file_priv->magic);
9110 ++
9111 + /* if the master has gone away we can't do anything with the lock */
9112 + if (file_priv->minor->master)
9113 + drm_master_release(dev, filp);
9114 +diff --git a/drivers/gpu/drm/i915/i915_suspend.c b/drivers/gpu/drm/i915/i915_suspend.c
9115 +index 7886e4f..43cbafe 100644
9116 +--- a/drivers/gpu/drm/i915/i915_suspend.c
9117 ++++ b/drivers/gpu/drm/i915/i915_suspend.c
9118 +@@ -822,7 +822,7 @@ int i915_save_state(struct drm_device *dev)
9119 +
9120 + if (IS_IRONLAKE_M(dev))
9121 + ironlake_disable_drps(dev);
9122 +- if (IS_GEN6(dev))
9123 ++ if (INTEL_INFO(dev)->gen >= 6)
9124 + gen6_disable_rps(dev);
9125 +
9126 + /* Cache mode state */
9127 +@@ -881,7 +881,7 @@ int i915_restore_state(struct drm_device *dev)
9128 + intel_init_emon(dev);
9129 + }
9130 +
9131 +- if (IS_GEN6(dev)) {
9132 ++ if (INTEL_INFO(dev)->gen >= 6) {
9133 + gen6_enable_rps(dev_priv);
9134 + gen6_update_ring_freq(dev_priv);
9135 + }
9136 +diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
9137 +index ca70e2f..30a9af9 100644
9138 +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
9139 ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
9140 +@@ -631,6 +631,19 @@ render_ring_add_request(struct intel_ring_buffer *ring,
9141 + }
9142 +
9143 + static u32
9144 ++gen6_ring_get_seqno(struct intel_ring_buffer *ring)
9145 ++{
9146 ++ struct drm_device *dev = ring->dev;
9147 ++
9148 ++ /* Workaround to force correct ordering between irq and seqno writes on
9149 ++ * ivb (and maybe also on snb) by reading from a CS register (like
9150 ++ * ACTHD) before reading the status page. */
9151 ++ if (IS_GEN7(dev))
9152 ++ intel_ring_get_active_head(ring);
9153 ++ return intel_read_status_page(ring, I915_GEM_HWS_INDEX);
9154 ++}
9155 ++
9156 ++static u32
9157 + ring_get_seqno(struct intel_ring_buffer *ring)
9158 + {
9159 + return intel_read_status_page(ring, I915_GEM_HWS_INDEX);
9160 +@@ -795,6 +808,12 @@ gen6_ring_get_irq(struct intel_ring_buffer *ring, u32 gflag, u32 rflag)
9161 + if (!dev->irq_enabled)
9162 + return false;
9163 +
9164 ++ /* It looks like we need to prevent the gt from suspending while waiting
9165 ++ * for an notifiy irq, otherwise irqs seem to get lost on at least the
9166 ++ * blt/bsd rings on ivb. */
9167 ++ if (IS_GEN7(dev))
9168 ++ gen6_gt_force_wake_get(dev_priv);
9169 ++
9170 + spin_lock(&ring->irq_lock);
9171 + if (ring->irq_refcount++ == 0) {
9172 + ring->irq_mask &= ~rflag;
9173 +@@ -819,6 +838,9 @@ gen6_ring_put_irq(struct intel_ring_buffer *ring, u32 gflag, u32 rflag)
9174 + ironlake_disable_irq(dev_priv, gflag);
9175 + }
9176 + spin_unlock(&ring->irq_lock);
9177 ++
9178 ++ if (IS_GEN7(dev))
9179 ++ gen6_gt_force_wake_put(dev_priv);
9180 + }
9181 +
9182 + static bool
9183 +@@ -1316,7 +1338,7 @@ static const struct intel_ring_buffer gen6_bsd_ring = {
9184 + .write_tail = gen6_bsd_ring_write_tail,
9185 + .flush = gen6_ring_flush,
9186 + .add_request = gen6_add_request,
9187 +- .get_seqno = ring_get_seqno,
9188 ++ .get_seqno = gen6_ring_get_seqno,
9189 + .irq_get = gen6_bsd_ring_get_irq,
9190 + .irq_put = gen6_bsd_ring_put_irq,
9191 + .dispatch_execbuffer = gen6_ring_dispatch_execbuffer,
9192 +@@ -1451,7 +1473,7 @@ static const struct intel_ring_buffer gen6_blt_ring = {
9193 + .write_tail = ring_write_tail,
9194 + .flush = blt_ring_flush,
9195 + .add_request = gen6_add_request,
9196 +- .get_seqno = ring_get_seqno,
9197 ++ .get_seqno = gen6_ring_get_seqno,
9198 + .irq_get = blt_ring_get_irq,
9199 + .irq_put = blt_ring_put_irq,
9200 + .dispatch_execbuffer = gen6_ring_dispatch_execbuffer,
9201 +@@ -1474,6 +1496,7 @@ int intel_init_render_ring_buffer(struct drm_device *dev)
9202 + ring->flush = gen6_render_ring_flush;
9203 + ring->irq_get = gen6_render_ring_get_irq;
9204 + ring->irq_put = gen6_render_ring_put_irq;
9205 ++ ring->get_seqno = gen6_ring_get_seqno;
9206 + } else if (IS_GEN5(dev)) {
9207 + ring->add_request = pc_render_add_request;
9208 + ring->get_seqno = pc_render_get_seqno;
9209 +diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
9210 +index f7b9268..e334ec3 100644
9211 +--- a/drivers/gpu/drm/i915/intel_sdvo.c
9212 ++++ b/drivers/gpu/drm/i915/intel_sdvo.c
9213 +@@ -1066,15 +1066,13 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
9214 +
9215 + /* Set the SDVO control regs. */
9216 + if (INTEL_INFO(dev)->gen >= 4) {
9217 +- sdvox = 0;
9218 ++ /* The real mode polarity is set by the SDVO commands, using
9219 ++ * struct intel_sdvo_dtd. */
9220 ++ sdvox = SDVO_VSYNC_ACTIVE_HIGH | SDVO_HSYNC_ACTIVE_HIGH;
9221 + if (intel_sdvo->is_hdmi)
9222 + sdvox |= intel_sdvo->color_range;
9223 + if (INTEL_INFO(dev)->gen < 5)
9224 + sdvox |= SDVO_BORDER_ENABLE;
9225 +- if (adjusted_mode->flags & DRM_MODE_FLAG_PVSYNC)
9226 +- sdvox |= SDVO_VSYNC_ACTIVE_HIGH;
9227 +- if (adjusted_mode->flags & DRM_MODE_FLAG_PHSYNC)
9228 +- sdvox |= SDVO_HSYNC_ACTIVE_HIGH;
9229 + } else {
9230 + sdvox = I915_READ(intel_sdvo->sdvo_reg);
9231 + switch (intel_sdvo->sdvo_reg) {
9232 +diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c
9233 +index 6fb335a..a71557c 100644
9234 +--- a/drivers/gpu/drm/radeon/atombios_dp.c
9235 ++++ b/drivers/gpu/drm/radeon/atombios_dp.c
9236 +@@ -549,8 +549,8 @@ bool radeon_dp_getdpcd(struct radeon_connector *radeon_connector)
9237 + return false;
9238 + }
9239 +
9240 +-static void radeon_dp_set_panel_mode(struct drm_encoder *encoder,
9241 +- struct drm_connector *connector)
9242 ++int radeon_dp_get_panel_mode(struct drm_encoder *encoder,
9243 ++ struct drm_connector *connector)
9244 + {
9245 + struct drm_device *dev = encoder->dev;
9246 + struct radeon_device *rdev = dev->dev_private;
9247 +@@ -558,7 +558,7 @@ static void radeon_dp_set_panel_mode(struct drm_encoder *encoder,
9248 + int panel_mode = DP_PANEL_MODE_EXTERNAL_DP_MODE;
9249 +
9250 + if (!ASIC_IS_DCE4(rdev))
9251 +- return;
9252 ++ return panel_mode;
9253 +
9254 + if (radeon_connector_encoder_get_dp_bridge_encoder_id(connector) ==
9255 + ENCODER_OBJECT_ID_NUTMEG)
9256 +@@ -572,14 +572,7 @@ static void radeon_dp_set_panel_mode(struct drm_encoder *encoder,
9257 + panel_mode = DP_PANEL_MODE_INTERNAL_DP2_MODE;
9258 + }
9259 +
9260 +- atombios_dig_encoder_setup(encoder,
9261 +- ATOM_ENCODER_CMD_SETUP_PANEL_MODE,
9262 +- panel_mode);
9263 +-
9264 +- if ((connector->connector_type == DRM_MODE_CONNECTOR_eDP) &&
9265 +- (panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)) {
9266 +- radeon_write_dpcd_reg(radeon_connector, DP_EDP_CONFIGURATION_SET, 1);
9267 +- }
9268 ++ return panel_mode;
9269 + }
9270 +
9271 + void radeon_dp_set_link_config(struct drm_connector *connector,
9272 +@@ -717,6 +710,8 @@ static void radeon_dp_set_tp(struct radeon_dp_link_train_info *dp_info, int tp)
9273 +
9274 + static int radeon_dp_link_train_init(struct radeon_dp_link_train_info *dp_info)
9275 + {
9276 ++ struct radeon_encoder *radeon_encoder = to_radeon_encoder(dp_info->encoder);
9277 ++ struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
9278 + u8 tmp;
9279 +
9280 + /* power up the sink */
9281 +@@ -732,7 +727,10 @@ static int radeon_dp_link_train_init(struct radeon_dp_link_train_info *dp_info)
9282 + radeon_write_dpcd_reg(dp_info->radeon_connector,
9283 + DP_DOWNSPREAD_CTRL, 0);
9284 +
9285 +- radeon_dp_set_panel_mode(dp_info->encoder, dp_info->connector);
9286 ++ if ((dp_info->connector->connector_type == DRM_MODE_CONNECTOR_eDP) &&
9287 ++ (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)) {
9288 ++ radeon_write_dpcd_reg(dp_info->radeon_connector, DP_EDP_CONFIGURATION_SET, 1);
9289 ++ }
9290 +
9291 + /* set the lane count on the sink */
9292 + tmp = dp_info->dp_lane_count;
9293 +diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
9294 +index 39c04c1..0f8eb48 100644
9295 +--- a/drivers/gpu/drm/radeon/atombios_encoders.c
9296 ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
9297 +@@ -1352,7 +1352,8 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
9298 + switch (mode) {
9299 + case DRM_MODE_DPMS_ON:
9300 + /* some early dce3.2 boards have a bug in their transmitter control table */
9301 +- if ((rdev->family == CHIP_RV710) || (rdev->family == CHIP_RV730))
9302 ++ if ((rdev->family == CHIP_RV710) || (rdev->family == CHIP_RV730) ||
9303 ++ ASIC_IS_DCE41(rdev) || ASIC_IS_DCE5(rdev))
9304 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE, 0, 0);
9305 + else
9306 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE_OUTPUT, 0, 0);
9307 +@@ -1362,8 +1363,6 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
9308 + ATOM_TRANSMITTER_ACTION_POWER_ON);
9309 + radeon_dig_connector->edp_on = true;
9310 + }
9311 +- if (ASIC_IS_DCE4(rdev))
9312 +- atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_OFF, 0);
9313 + radeon_dp_link_train(encoder, connector);
9314 + if (ASIC_IS_DCE4(rdev))
9315 + atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_ON, 0);
9316 +@@ -1374,7 +1373,10 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
9317 + case DRM_MODE_DPMS_STANDBY:
9318 + case DRM_MODE_DPMS_SUSPEND:
9319 + case DRM_MODE_DPMS_OFF:
9320 +- atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_DISABLE_OUTPUT, 0, 0);
9321 ++ if (ASIC_IS_DCE41(rdev) || ASIC_IS_DCE5(rdev))
9322 ++ atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_DISABLE, 0, 0);
9323 ++ else
9324 ++ atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_DISABLE_OUTPUT, 0, 0);
9325 + if (ENCODER_MODE_IS_DP(atombios_get_encoder_mode(encoder)) && connector) {
9326 + if (ASIC_IS_DCE4(rdev))
9327 + atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_OFF, 0);
9328 +@@ -1821,7 +1823,21 @@ radeon_atom_encoder_mode_set(struct drm_encoder *encoder,
9329 + case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1:
9330 + case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2:
9331 + case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA:
9332 +- if (ASIC_IS_DCE4(rdev)) {
9333 ++ if (ASIC_IS_DCE41(rdev) || ASIC_IS_DCE5(rdev)) {
9334 ++ struct drm_connector *connector = radeon_get_connector_for_encoder(encoder);
9335 ++ struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
9336 ++
9337 ++ if (!connector)
9338 ++ dig->panel_mode = DP_PANEL_MODE_EXTERNAL_DP_MODE;
9339 ++ else
9340 ++ dig->panel_mode = radeon_dp_get_panel_mode(encoder, connector);
9341 ++
9342 ++ /* setup and enable the encoder */
9343 ++ atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_SETUP, 0);
9344 ++ atombios_dig_encoder_setup(encoder,
9345 ++ ATOM_ENCODER_CMD_SETUP_PANEL_MODE,
9346 ++ dig->panel_mode);
9347 ++ } else if (ASIC_IS_DCE4(rdev)) {
9348 + /* disable the transmitter */
9349 + atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_DISABLE, 0, 0);
9350 + /* setup and enable the encoder */
9351 +diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
9352 +index 8f86aeb..e7ddb49 100644
9353 +--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
9354 ++++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
9355 +@@ -134,6 +134,12 @@ static bool radeon_msi_ok(struct radeon_device *rdev)
9356 + /* Dell RS690 only seems to work with MSIs. */
9357 + if ((rdev->pdev->device == 0x791f) &&
9358 + (rdev->pdev->subsystem_vendor == 0x1028) &&
9359 ++ (rdev->pdev->subsystem_device == 0x01fc))
9360 ++ return true;
9361 ++
9362 ++ /* Dell RS690 only seems to work with MSIs. */
9363 ++ if ((rdev->pdev->device == 0x791f) &&
9364 ++ (rdev->pdev->subsystem_vendor == 0x1028) &&
9365 + (rdev->pdev->subsystem_device == 0x01fd))
9366 + return true;
9367 +
9368 +diff --git a/drivers/gpu/drm/radeon/radeon_mode.h b/drivers/gpu/drm/radeon/radeon_mode.h
9369 +index 2c2e75e..8254d5a 100644
9370 +--- a/drivers/gpu/drm/radeon/radeon_mode.h
9371 ++++ b/drivers/gpu/drm/radeon/radeon_mode.h
9372 +@@ -362,6 +362,7 @@ struct radeon_encoder_atom_dig {
9373 + struct backlight_device *bl_dev;
9374 + int dpms_mode;
9375 + uint8_t backlight_level;
9376 ++ int panel_mode;
9377 + };
9378 +
9379 + struct radeon_encoder_atom_dac {
9380 +@@ -482,6 +483,8 @@ extern void radeon_dp_link_train(struct drm_encoder *encoder,
9381 + extern bool radeon_dp_needs_link_train(struct radeon_connector *radeon_connector);
9382 + extern u8 radeon_dp_getsinktype(struct radeon_connector *radeon_connector);
9383 + extern bool radeon_dp_getdpcd(struct radeon_connector *radeon_connector);
9384 ++extern int radeon_dp_get_panel_mode(struct drm_encoder *encoder,
9385 ++ struct drm_connector *connector);
9386 + extern void atombios_dig_encoder_setup(struct drm_encoder *encoder, int action, int panel_mode);
9387 + extern void radeon_atom_encoder_init(struct radeon_device *rdev);
9388 + extern void atombios_dig_transmitter_setup(struct drm_encoder *encoder,
9389 +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
9390 +index f94b33a..7c88f1f 100644
9391 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
9392 ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
9393 +@@ -378,7 +378,7 @@ int vmw_framebuffer_create_handle(struct drm_framebuffer *fb,
9394 + unsigned int *handle)
9395 + {
9396 + if (handle)
9397 +- handle = 0;
9398 ++ *handle = 0;
9399 +
9400 + return 0;
9401 + }
9402 +diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c
9403 +index 92f9497..6dbfd3e 100644
9404 +--- a/drivers/hwmon/f71805f.c
9405 ++++ b/drivers/hwmon/f71805f.c
9406 +@@ -283,11 +283,11 @@ static inline long temp_from_reg(u8 reg)
9407 +
9408 + static inline u8 temp_to_reg(long val)
9409 + {
9410 +- if (val < 0)
9411 +- val = 0;
9412 +- else if (val > 1000 * 0xff)
9413 +- val = 0xff;
9414 +- return ((val + 500) / 1000);
9415 ++ if (val <= 0)
9416 ++ return 0;
9417 ++ if (val >= 1000 * 0xff)
9418 ++ return 0xff;
9419 ++ return (val + 500) / 1000;
9420 + }
9421 +
9422 + /*
9423 +diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
9424 +index fe4104c..5357925 100644
9425 +--- a/drivers/hwmon/sht15.c
9426 ++++ b/drivers/hwmon/sht15.c
9427 +@@ -883,7 +883,7 @@ static int sht15_invalidate_voltage(struct notifier_block *nb,
9428 +
9429 + static int __devinit sht15_probe(struct platform_device *pdev)
9430 + {
9431 +- int ret = 0;
9432 ++ int ret;
9433 + struct sht15_data *data = kzalloc(sizeof(*data), GFP_KERNEL);
9434 + u8 status = 0;
9435 +
9436 +@@ -901,6 +901,7 @@ static int __devinit sht15_probe(struct platform_device *pdev)
9437 + init_waitqueue_head(&data->wait_queue);
9438 +
9439 + if (pdev->dev.platform_data == NULL) {
9440 ++ ret = -EINVAL;
9441 + dev_err(&pdev->dev, "no platform data supplied\n");
9442 + goto err_free_data;
9443 + }
9444 +diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
9445 +index 93f5fc7..4b57ab6 100644
9446 +--- a/drivers/hwmon/w83627ehf.c
9447 ++++ b/drivers/hwmon/w83627ehf.c
9448 +@@ -1319,6 +1319,7 @@ store_pwm_mode(struct device *dev, struct device_attribute *attr,
9449 + {
9450 + struct w83627ehf_data *data = dev_get_drvdata(dev);
9451 + struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
9452 ++ struct w83627ehf_sio_data *sio_data = dev->platform_data;
9453 + int nr = sensor_attr->index;
9454 + unsigned long val;
9455 + int err;
9456 +@@ -1330,6 +1331,11 @@ store_pwm_mode(struct device *dev, struct device_attribute *attr,
9457 +
9458 + if (val > 1)
9459 + return -EINVAL;
9460 ++
9461 ++ /* On NCT67766F, DC mode is only supported for pwm1 */
9462 ++ if (sio_data->kind == nct6776 && nr && val != 1)
9463 ++ return -EINVAL;
9464 ++
9465 + mutex_lock(&data->update_lock);
9466 + reg = w83627ehf_read_value(data, W83627EHF_REG_PWM_ENABLE[nr]);
9467 + data->pwm_mode[nr] = val;
9468 +diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
9469 +index 106b88a..30431d8 100644
9470 +--- a/drivers/net/bonding/bond_alb.c
9471 ++++ b/drivers/net/bonding/bond_alb.c
9472 +@@ -871,16 +871,12 @@ static void alb_send_learning_packets(struct slave *slave, u8 mac_addr[])
9473 + }
9474 + }
9475 +
9476 +-/* hw is a boolean parameter that determines whether we should try and
9477 +- * set the hw address of the device as well as the hw address of the
9478 +- * net_device
9479 +- */
9480 +-static int alb_set_slave_mac_addr(struct slave *slave, u8 addr[], int hw)
9481 ++static int alb_set_slave_mac_addr(struct slave *slave, u8 addr[])
9482 + {
9483 + struct net_device *dev = slave->dev;
9484 + struct sockaddr s_addr;
9485 +
9486 +- if (!hw) {
9487 ++ if (slave->bond->params.mode == BOND_MODE_TLB) {
9488 + memcpy(dev->dev_addr, addr, dev->addr_len);
9489 + return 0;
9490 + }
9491 +@@ -910,8 +906,8 @@ static void alb_swap_mac_addr(struct bonding *bond, struct slave *slave1, struct
9492 + u8 tmp_mac_addr[ETH_ALEN];
9493 +
9494 + memcpy(tmp_mac_addr, slave1->dev->dev_addr, ETH_ALEN);
9495 +- alb_set_slave_mac_addr(slave1, slave2->dev->dev_addr, bond->alb_info.rlb_enabled);
9496 +- alb_set_slave_mac_addr(slave2, tmp_mac_addr, bond->alb_info.rlb_enabled);
9497 ++ alb_set_slave_mac_addr(slave1, slave2->dev->dev_addr);
9498 ++ alb_set_slave_mac_addr(slave2, tmp_mac_addr);
9499 +
9500 + }
9501 +
9502 +@@ -1058,8 +1054,7 @@ static int alb_handle_addr_collision_on_attach(struct bonding *bond, struct slav
9503 +
9504 + /* Try setting slave mac to bond address and fall-through
9505 + to code handling that situation below... */
9506 +- alb_set_slave_mac_addr(slave, bond->dev->dev_addr,
9507 +- bond->alb_info.rlb_enabled);
9508 ++ alb_set_slave_mac_addr(slave, bond->dev->dev_addr);
9509 + }
9510 +
9511 + /* The slave's address is equal to the address of the bond.
9512 +@@ -1095,8 +1090,7 @@ static int alb_handle_addr_collision_on_attach(struct bonding *bond, struct slav
9513 + }
9514 +
9515 + if (free_mac_slave) {
9516 +- alb_set_slave_mac_addr(slave, free_mac_slave->perm_hwaddr,
9517 +- bond->alb_info.rlb_enabled);
9518 ++ alb_set_slave_mac_addr(slave, free_mac_slave->perm_hwaddr);
9519 +
9520 + pr_warning("%s: Warning: the hw address of slave %s is in use by the bond; giving it the hw address of %s\n",
9521 + bond->dev->name, slave->dev->name,
9522 +@@ -1451,8 +1445,7 @@ int bond_alb_init_slave(struct bonding *bond, struct slave *slave)
9523 + {
9524 + int res;
9525 +
9526 +- res = alb_set_slave_mac_addr(slave, slave->perm_hwaddr,
9527 +- bond->alb_info.rlb_enabled);
9528 ++ res = alb_set_slave_mac_addr(slave, slave->perm_hwaddr);
9529 + if (res) {
9530 + return res;
9531 + }
9532 +@@ -1603,8 +1596,7 @@ void bond_alb_handle_active_change(struct bonding *bond, struct slave *new_slave
9533 + alb_swap_mac_addr(bond, swap_slave, new_slave);
9534 + } else {
9535 + /* set the new_slave to the bond mac address */
9536 +- alb_set_slave_mac_addr(new_slave, bond->dev->dev_addr,
9537 +- bond->alb_info.rlb_enabled);
9538 ++ alb_set_slave_mac_addr(new_slave, bond->dev->dev_addr);
9539 + }
9540 +
9541 + if (swap_slave) {
9542 +@@ -1664,8 +1656,7 @@ int bond_alb_set_mac_address(struct net_device *bond_dev, void *addr)
9543 + alb_swap_mac_addr(bond, swap_slave, bond->curr_active_slave);
9544 + alb_fasten_mac_swap(bond, swap_slave, bond->curr_active_slave);
9545 + } else {
9546 +- alb_set_slave_mac_addr(bond->curr_active_slave, bond_dev->dev_addr,
9547 +- bond->alb_info.rlb_enabled);
9548 ++ alb_set_slave_mac_addr(bond->curr_active_slave, bond_dev->dev_addr);
9549 +
9550 + read_lock(&bond->lock);
9551 + alb_send_learning_packets(bond->curr_active_slave, bond_dev->dev_addr);
9552 +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
9553 +index 7413497..959d448 100644
9554 +--- a/drivers/net/macvlan.c
9555 ++++ b/drivers/net/macvlan.c
9556 +@@ -172,6 +172,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
9557 + skb = ip_check_defrag(skb, IP_DEFRAG_MACVLAN);
9558 + if (!skb)
9559 + return RX_HANDLER_CONSUMED;
9560 ++ eth = eth_hdr(skb);
9561 + src = macvlan_hash_lookup(port, eth->h_source);
9562 + if (!src)
9563 + /* frame comes from an external address */
9564 +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c
9565 +index 510e9bb..453f58e 100644
9566 +--- a/drivers/net/wireless/brcm80211/brcmsmac/main.c
9567 ++++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c
9568 +@@ -8217,13 +8217,21 @@ int brcms_c_get_curband(struct brcms_c_info *wlc)
9569 +
9570 + void brcms_c_wait_for_tx_completion(struct brcms_c_info *wlc, bool drop)
9571 + {
9572 ++ int timeout = 20;
9573 ++
9574 + /* flush packet queue when requested */
9575 + if (drop)
9576 + brcmu_pktq_flush(&wlc->pkt_queue->q, false, NULL, NULL);
9577 +
9578 + /* wait for queue and DMA fifos to run dry */
9579 +- while (!pktq_empty(&wlc->pkt_queue->q) || brcms_txpktpendtot(wlc) > 0)
9580 ++ while (!pktq_empty(&wlc->pkt_queue->q) || brcms_txpktpendtot(wlc) > 0) {
9581 + brcms_msleep(wlc->wl, 1);
9582 ++
9583 ++ if (--timeout == 0)
9584 ++ break;
9585 ++ }
9586 ++
9587 ++ WARN_ON_ONCE(timeout == 0);
9588 + }
9589 +
9590 + void brcms_c_set_beacon_listen_interval(struct brcms_c_info *wlc, u8 interval)
9591 +diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
9592 +index 1920237..1daf01e 100644
9593 +--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
9594 ++++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
9595 +@@ -957,11 +957,11 @@ void iwl_irq_tasklet(struct iwl_trans *trans)
9596 + }
9597 + #endif
9598 +
9599 +- spin_unlock_irqrestore(&trans->shrd->lock, flags);
9600 +-
9601 + /* saved interrupt in inta variable now we can reset trans_pcie->inta */
9602 + trans_pcie->inta = 0;
9603 +
9604 ++ spin_unlock_irqrestore(&trans->shrd->lock, flags);
9605 ++
9606 + /* Now service all interrupt bits discovered above. */
9607 + if (inta & CSR_INT_BIT_HW_ERR) {
9608 + IWL_ERR(trans, "Hardware error detected. Restarting.\n");
9609 +diff --git a/drivers/scsi/mpt2sas/mpt2sas_base.c b/drivers/scsi/mpt2sas/mpt2sas_base.c
9610 +index 0794c72..b1ddfef 100644
9611 +--- a/drivers/scsi/mpt2sas/mpt2sas_base.c
9612 ++++ b/drivers/scsi/mpt2sas/mpt2sas_base.c
9613 +@@ -4033,7 +4033,8 @@ _base_make_ioc_operational(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
9614 + ioc->reply_free[i] = cpu_to_le32(reply_address);
9615 +
9616 + /* initialize reply queues */
9617 +- _base_assign_reply_queues(ioc);
9618 ++ if (ioc->is_driver_loading)
9619 ++ _base_assign_reply_queues(ioc);
9620 +
9621 + /* initialize Reply Post Free Queue */
9622 + reply_post_free = (long)ioc->reply_post_free;
9623 +@@ -4081,24 +4082,17 @@ _base_make_ioc_operational(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
9624 +
9625 +
9626 + if (ioc->is_driver_loading) {
9627 +-
9628 +-
9629 +-
9630 +- ioc->wait_for_discovery_to_complete =
9631 +- _base_determine_wait_on_discovery(ioc);
9632 +- return r; /* scan_start and scan_finished support */
9633 +- }
9634 +-
9635 +-
9636 +- if (ioc->wait_for_discovery_to_complete && ioc->is_warpdrive) {
9637 +- if (ioc->manu_pg10.OEMIdentifier == 0x80) {
9638 ++ if (ioc->is_warpdrive && ioc->manu_pg10.OEMIdentifier
9639 ++ == 0x80) {
9640 + hide_flag = (u8) (ioc->manu_pg10.OEMSpecificFlags0 &
9641 + MFG_PAGE10_HIDE_SSDS_MASK);
9642 + if (hide_flag != MFG_PAGE10_HIDE_SSDS_MASK)
9643 + ioc->mfg_pg10_hide_flag = hide_flag;
9644 + }
9645 ++ ioc->wait_for_discovery_to_complete =
9646 ++ _base_determine_wait_on_discovery(ioc);
9647 ++ return r; /* scan_start and scan_finished support */
9648 + }
9649 +-
9650 + r = _base_send_port_enable(ioc, sleep_flag);
9651 + if (r)
9652 + return r;
9653 +diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
9654 +index 9bc6fb2..2824a90 100644
9655 +--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
9656 ++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
9657 +@@ -8001,7 +8001,6 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id)
9658 + goto out_attach_fail;
9659 + }
9660 +
9661 +- scsi_scan_host(shost);
9662 + if (ioc->is_warpdrive) {
9663 + if (ioc->mfg_pg10_hide_flag == MFG_PAGE10_EXPOSE_ALL_DISKS)
9664 + ioc->hide_drives = 0;
9665 +@@ -8015,8 +8014,8 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id)
9666 + }
9667 + } else
9668 + ioc->hide_drives = 0;
9669 ++ scsi_scan_host(shost);
9670 +
9671 +- _scsih_probe_devices(ioc);
9672 + return 0;
9673 +
9674 + out_attach_fail:
9675 +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
9676 +index 00233af..8e00926 100644
9677 +--- a/drivers/tty/serial/amba-pl011.c
9678 ++++ b/drivers/tty/serial/amba-pl011.c
9679 +@@ -1740,9 +1740,19 @@ pl011_console_write(struct console *co, const char *s, unsigned int count)
9680 + {
9681 + struct uart_amba_port *uap = amba_ports[co->index];
9682 + unsigned int status, old_cr, new_cr;
9683 ++ unsigned long flags;
9684 ++ int locked = 1;
9685 +
9686 + clk_enable(uap->clk);
9687 +
9688 ++ local_irq_save(flags);
9689 ++ if (uap->port.sysrq)
9690 ++ locked = 0;
9691 ++ else if (oops_in_progress)
9692 ++ locked = spin_trylock(&uap->port.lock);
9693 ++ else
9694 ++ spin_lock(&uap->port.lock);
9695 ++
9696 + /*
9697 + * First save the CR then disable the interrupts
9698 + */
9699 +@@ -1762,6 +1772,10 @@ pl011_console_write(struct console *co, const char *s, unsigned int count)
9700 + } while (status & UART01x_FR_BUSY);
9701 + writew(old_cr, uap->port.membase + UART011_CR);
9702 +
9703 ++ if (locked)
9704 ++ spin_unlock(&uap->port.lock);
9705 ++ local_irq_restore(flags);
9706 ++
9707 + clk_disable(uap->clk);
9708 + }
9709 +
9710 +diff --git a/drivers/tty/serial/jsm/jsm_driver.c b/drivers/tty/serial/jsm/jsm_driver.c
9711 +index 7c867a0..7545fe1 100644
9712 +--- a/drivers/tty/serial/jsm/jsm_driver.c
9713 ++++ b/drivers/tty/serial/jsm/jsm_driver.c
9714 +@@ -251,6 +251,7 @@ static void jsm_io_resume(struct pci_dev *pdev)
9715 + struct jsm_board *brd = pci_get_drvdata(pdev);
9716 +
9717 + pci_restore_state(pdev);
9718 ++ pci_save_state(pdev);
9719 +
9720 + jsm_uart_port_init(brd);
9721 + }
9722 +diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
9723 +index ef9dd62..bf6e238 100644
9724 +--- a/drivers/tty/tty_port.c
9725 ++++ b/drivers/tty/tty_port.c
9726 +@@ -227,7 +227,6 @@ int tty_port_block_til_ready(struct tty_port *port,
9727 + int do_clocal = 0, retval;
9728 + unsigned long flags;
9729 + DEFINE_WAIT(wait);
9730 +- int cd;
9731 +
9732 + /* block if port is in the process of being closed */
9733 + if (tty_hung_up_p(filp) || port->flags & ASYNC_CLOSING) {
9734 +@@ -284,11 +283,14 @@ int tty_port_block_til_ready(struct tty_port *port,
9735 + retval = -ERESTARTSYS;
9736 + break;
9737 + }
9738 +- /* Probe the carrier. For devices with no carrier detect this
9739 +- will always return true */
9740 +- cd = tty_port_carrier_raised(port);
9741 ++ /*
9742 ++ * Probe the carrier. For devices with no carrier detect
9743 ++ * tty_port_carrier_raised will always return true.
9744 ++ * Never ask drivers if CLOCAL is set, this causes troubles
9745 ++ * on some hardware.
9746 ++ */
9747 + if (!(port->flags & ASYNC_CLOSING) &&
9748 +- (do_clocal || cd))
9749 ++ (do_clocal || tty_port_carrier_raised(port)))
9750 + break;
9751 + if (signal_pending(current)) {
9752 + retval = -ERESTARTSYS;
9753 +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
9754 +index efe6849..fd4aee1 100644
9755 +--- a/drivers/usb/class/cdc-wdm.c
9756 ++++ b/drivers/usb/class/cdc-wdm.c
9757 +@@ -57,6 +57,8 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
9758 +
9759 + #define WDM_MAX 16
9760 +
9761 ++/* CDC-WMC r1.1 requires wMaxCommand to be "at least 256 decimal (0x100)" */
9762 ++#define WDM_DEFAULT_BUFSIZE 256
9763 +
9764 + static DEFINE_MUTEX(wdm_mutex);
9765 +
9766 +@@ -88,7 +90,8 @@ struct wdm_device {
9767 + int count;
9768 + dma_addr_t shandle;
9769 + dma_addr_t ihandle;
9770 +- struct mutex lock;
9771 ++ struct mutex wlock;
9772 ++ struct mutex rlock;
9773 + wait_queue_head_t wait;
9774 + struct work_struct rxwork;
9775 + int werr;
9776 +@@ -323,7 +326,7 @@ static ssize_t wdm_write
9777 + }
9778 +
9779 + /* concurrent writes and disconnect */
9780 +- r = mutex_lock_interruptible(&desc->lock);
9781 ++ r = mutex_lock_interruptible(&desc->wlock);
9782 + rv = -ERESTARTSYS;
9783 + if (r) {
9784 + kfree(buf);
9785 +@@ -386,7 +389,7 @@ static ssize_t wdm_write
9786 + out:
9787 + usb_autopm_put_interface(desc->intf);
9788 + outnp:
9789 +- mutex_unlock(&desc->lock);
9790 ++ mutex_unlock(&desc->wlock);
9791 + outnl:
9792 + return rv < 0 ? rv : count;
9793 + }
9794 +@@ -399,7 +402,7 @@ static ssize_t wdm_read
9795 + struct wdm_device *desc = file->private_data;
9796 +
9797 +
9798 +- rv = mutex_lock_interruptible(&desc->lock); /*concurrent reads */
9799 ++ rv = mutex_lock_interruptible(&desc->rlock); /*concurrent reads */
9800 + if (rv < 0)
9801 + return -ERESTARTSYS;
9802 +
9803 +@@ -467,14 +470,16 @@ retry:
9804 + for (i = 0; i < desc->length - cntr; i++)
9805 + desc->ubuf[i] = desc->ubuf[i + cntr];
9806 +
9807 ++ spin_lock_irq(&desc->iuspin);
9808 + desc->length -= cntr;
9809 ++ spin_unlock_irq(&desc->iuspin);
9810 + /* in case we had outstanding data */
9811 + if (!desc->length)
9812 + clear_bit(WDM_READ, &desc->flags);
9813 + rv = cntr;
9814 +
9815 + err:
9816 +- mutex_unlock(&desc->lock);
9817 ++ mutex_unlock(&desc->rlock);
9818 + return rv;
9819 + }
9820 +
9821 +@@ -540,7 +545,8 @@ static int wdm_open(struct inode *inode, struct file *file)
9822 + }
9823 + intf->needs_remote_wakeup = 1;
9824 +
9825 +- mutex_lock(&desc->lock);
9826 ++ /* using write lock to protect desc->count */
9827 ++ mutex_lock(&desc->wlock);
9828 + if (!desc->count++) {
9829 + desc->werr = 0;
9830 + desc->rerr = 0;
9831 +@@ -553,7 +559,7 @@ static int wdm_open(struct inode *inode, struct file *file)
9832 + } else {
9833 + rv = 0;
9834 + }
9835 +- mutex_unlock(&desc->lock);
9836 ++ mutex_unlock(&desc->wlock);
9837 + usb_autopm_put_interface(desc->intf);
9838 + out:
9839 + mutex_unlock(&wdm_mutex);
9840 +@@ -565,9 +571,11 @@ static int wdm_release(struct inode *inode, struct file *file)
9841 + struct wdm_device *desc = file->private_data;
9842 +
9843 + mutex_lock(&wdm_mutex);
9844 +- mutex_lock(&desc->lock);
9845 ++
9846 ++ /* using write lock to protect desc->count */
9847 ++ mutex_lock(&desc->wlock);
9848 + desc->count--;
9849 +- mutex_unlock(&desc->lock);
9850 ++ mutex_unlock(&desc->wlock);
9851 +
9852 + if (!desc->count) {
9853 + dev_dbg(&desc->intf->dev, "wdm_release: cleanup");
9854 +@@ -630,7 +638,7 @@ static int wdm_probe(struct usb_interface *intf, const struct usb_device_id *id)
9855 + struct usb_cdc_dmm_desc *dmhd;
9856 + u8 *buffer = intf->altsetting->extra;
9857 + int buflen = intf->altsetting->extralen;
9858 +- u16 maxcom = 0;
9859 ++ u16 maxcom = WDM_DEFAULT_BUFSIZE;
9860 +
9861 + if (!buffer)
9862 + goto out;
9863 +@@ -665,7 +673,8 @@ next_desc:
9864 + desc = kzalloc(sizeof(struct wdm_device), GFP_KERNEL);
9865 + if (!desc)
9866 + goto out;
9867 +- mutex_init(&desc->lock);
9868 ++ mutex_init(&desc->rlock);
9869 ++ mutex_init(&desc->wlock);
9870 + spin_lock_init(&desc->iuspin);
9871 + init_waitqueue_head(&desc->wait);
9872 + desc->wMaxCommand = maxcom;
9873 +@@ -716,7 +725,7 @@ next_desc:
9874 + goto err;
9875 +
9876 + desc->inbuf = usb_alloc_coherent(interface_to_usbdev(intf),
9877 +- desc->bMaxPacketSize0,
9878 ++ desc->wMaxCommand,
9879 + GFP_KERNEL,
9880 + &desc->response->transfer_dma);
9881 + if (!desc->inbuf)
9882 +@@ -779,11 +788,13 @@ static void wdm_disconnect(struct usb_interface *intf)
9883 + /* to terminate pending flushes */
9884 + clear_bit(WDM_IN_USE, &desc->flags);
9885 + spin_unlock_irqrestore(&desc->iuspin, flags);
9886 +- mutex_lock(&desc->lock);
9887 ++ wake_up_all(&desc->wait);
9888 ++ mutex_lock(&desc->rlock);
9889 ++ mutex_lock(&desc->wlock);
9890 + kill_urbs(desc);
9891 + cancel_work_sync(&desc->rxwork);
9892 +- mutex_unlock(&desc->lock);
9893 +- wake_up_all(&desc->wait);
9894 ++ mutex_unlock(&desc->wlock);
9895 ++ mutex_unlock(&desc->rlock);
9896 + if (!desc->count)
9897 + cleanup(desc);
9898 + mutex_unlock(&wdm_mutex);
9899 +@@ -798,8 +809,10 @@ static int wdm_suspend(struct usb_interface *intf, pm_message_t message)
9900 + dev_dbg(&desc->intf->dev, "wdm%d_suspend\n", intf->minor);
9901 +
9902 + /* if this is an autosuspend the caller does the locking */
9903 +- if (!PMSG_IS_AUTO(message))
9904 +- mutex_lock(&desc->lock);
9905 ++ if (!PMSG_IS_AUTO(message)) {
9906 ++ mutex_lock(&desc->rlock);
9907 ++ mutex_lock(&desc->wlock);
9908 ++ }
9909 + spin_lock_irq(&desc->iuspin);
9910 +
9911 + if (PMSG_IS_AUTO(message) &&
9912 +@@ -815,8 +828,10 @@ static int wdm_suspend(struct usb_interface *intf, pm_message_t message)
9913 + kill_urbs(desc);
9914 + cancel_work_sync(&desc->rxwork);
9915 + }
9916 +- if (!PMSG_IS_AUTO(message))
9917 +- mutex_unlock(&desc->lock);
9918 ++ if (!PMSG_IS_AUTO(message)) {
9919 ++ mutex_unlock(&desc->wlock);
9920 ++ mutex_unlock(&desc->rlock);
9921 ++ }
9922 +
9923 + return rv;
9924 + }
9925 +@@ -854,7 +869,8 @@ static int wdm_pre_reset(struct usb_interface *intf)
9926 + {
9927 + struct wdm_device *desc = usb_get_intfdata(intf);
9928 +
9929 +- mutex_lock(&desc->lock);
9930 ++ mutex_lock(&desc->rlock);
9931 ++ mutex_lock(&desc->wlock);
9932 + kill_urbs(desc);
9933 +
9934 + /*
9935 +@@ -876,7 +892,8 @@ static int wdm_post_reset(struct usb_interface *intf)
9936 + int rv;
9937 +
9938 + rv = recover_from_urb_loss(desc);
9939 +- mutex_unlock(&desc->lock);
9940 ++ mutex_unlock(&desc->wlock);
9941 ++ mutex_unlock(&desc->rlock);
9942 + return 0;
9943 + }
9944 +
9945 +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
9946 +index 69a4e43..27bd50a 100644
9947 +--- a/drivers/usb/dwc3/ep0.c
9948 ++++ b/drivers/usb/dwc3/ep0.c
9949 +@@ -149,20 +149,14 @@ static int __dwc3_gadget_ep0_queue(struct dwc3_ep *dep,
9950 +
9951 + direction = !!(dep->flags & DWC3_EP0_DIR_IN);
9952 +
9953 +- if (dwc->ep0state == EP0_STATUS_PHASE) {
9954 +- type = dwc->three_stage_setup
9955 +- ? DWC3_TRBCTL_CONTROL_STATUS3
9956 +- : DWC3_TRBCTL_CONTROL_STATUS2;
9957 +- } else if (dwc->ep0state == EP0_DATA_PHASE) {
9958 +- type = DWC3_TRBCTL_CONTROL_DATA;
9959 +- } else {
9960 +- /* should never happen */
9961 +- WARN_ON(1);
9962 ++ if (dwc->ep0state != EP0_DATA_PHASE) {
9963 ++ dev_WARN(dwc->dev, "Unexpected pending request\n");
9964 + return 0;
9965 + }
9966 +
9967 + ret = dwc3_ep0_start_trans(dwc, direction,
9968 +- req->request.dma, req->request.length, type);
9969 ++ req->request.dma, req->request.length,
9970 ++ DWC3_TRBCTL_CONTROL_DATA);
9971 + dep->flags &= ~(DWC3_EP_PENDING_REQUEST |
9972 + DWC3_EP0_DIR_IN);
9973 + }
9974 +diff --git a/drivers/usb/gadget/langwell_udc.c b/drivers/usb/gadget/langwell_udc.c
9975 +index c9fa3bf..6ad0ad6 100644
9976 +--- a/drivers/usb/gadget/langwell_udc.c
9977 ++++ b/drivers/usb/gadget/langwell_udc.c
9978 +@@ -1522,8 +1522,7 @@ static void langwell_udc_stop(struct langwell_udc *dev)
9979 +
9980 +
9981 + /* stop all USB activities */
9982 +-static void stop_activity(struct langwell_udc *dev,
9983 +- struct usb_gadget_driver *driver)
9984 ++static void stop_activity(struct langwell_udc *dev)
9985 + {
9986 + struct langwell_ep *ep;
9987 + dev_dbg(&dev->pdev->dev, "---> %s()\n", __func__);
9988 +@@ -1535,9 +1534,9 @@ static void stop_activity(struct langwell_udc *dev,
9989 + }
9990 +
9991 + /* report disconnect; the driver is already quiesced */
9992 +- if (driver) {
9993 ++ if (dev->driver) {
9994 + spin_unlock(&dev->lock);
9995 +- driver->disconnect(&dev->gadget);
9996 ++ dev->driver->disconnect(&dev->gadget);
9997 + spin_lock(&dev->lock);
9998 + }
9999 +
10000 +@@ -1925,11 +1924,10 @@ static int langwell_stop(struct usb_gadget *g,
10001 +
10002 + /* stop all usb activities */
10003 + dev->gadget.speed = USB_SPEED_UNKNOWN;
10004 +- stop_activity(dev, driver);
10005 +- spin_unlock_irqrestore(&dev->lock, flags);
10006 +-
10007 + dev->gadget.dev.driver = NULL;
10008 + dev->driver = NULL;
10009 ++ stop_activity(dev);
10010 ++ spin_unlock_irqrestore(&dev->lock, flags);
10011 +
10012 + device_remove_file(&dev->pdev->dev, &dev_attr_function);
10013 +
10014 +@@ -2733,7 +2731,7 @@ static void handle_usb_reset(struct langwell_udc *dev)
10015 + dev->bus_reset = 1;
10016 +
10017 + /* reset all the queues, stop all USB activities */
10018 +- stop_activity(dev, dev->driver);
10019 ++ stop_activity(dev);
10020 + dev->usb_state = USB_STATE_DEFAULT;
10021 + } else {
10022 + dev_vdbg(&dev->pdev->dev, "device controller reset\n");
10023 +@@ -2741,7 +2739,7 @@ static void handle_usb_reset(struct langwell_udc *dev)
10024 + langwell_udc_reset(dev);
10025 +
10026 + /* reset all the queues, stop all USB activities */
10027 +- stop_activity(dev, dev->driver);
10028 ++ stop_activity(dev);
10029 +
10030 + /* reset ep0 dQH and endptctrl */
10031 + ep0_reset(dev);
10032 +@@ -3367,7 +3365,7 @@ static int langwell_udc_suspend(struct pci_dev *pdev, pm_message_t state)
10033 +
10034 + spin_lock_irq(&dev->lock);
10035 + /* stop all usb activities */
10036 +- stop_activity(dev, dev->driver);
10037 ++ stop_activity(dev);
10038 + spin_unlock_irq(&dev->lock);
10039 +
10040 + /* free dTD dma_pool and dQH */
10041 +diff --git a/drivers/usb/gadget/storage_common.c b/drivers/usb/gadget/storage_common.c
10042 +index c7f291a..85ea14e 100644
10043 +--- a/drivers/usb/gadget/storage_common.c
10044 ++++ b/drivers/usb/gadget/storage_common.c
10045 +@@ -598,16 +598,16 @@ static __maybe_unused struct usb_ss_cap_descriptor fsg_ss_cap_desc = {
10046 + | USB_5GBPS_OPERATION),
10047 + .bFunctionalitySupport = USB_LOW_SPEED_OPERATION,
10048 + .bU1devExitLat = USB_DEFAULT_U1_DEV_EXIT_LAT,
10049 +- .bU2DevExitLat = USB_DEFAULT_U2_DEV_EXIT_LAT,
10050 ++ .bU2DevExitLat = cpu_to_le16(USB_DEFAULT_U2_DEV_EXIT_LAT),
10051 + };
10052 +
10053 + static __maybe_unused struct usb_bos_descriptor fsg_bos_desc = {
10054 + .bLength = USB_DT_BOS_SIZE,
10055 + .bDescriptorType = USB_DT_BOS,
10056 +
10057 +- .wTotalLength = USB_DT_BOS_SIZE
10058 ++ .wTotalLength = cpu_to_le16(USB_DT_BOS_SIZE
10059 + + USB_DT_USB_EXT_CAP_SIZE
10060 +- + USB_DT_USB_SS_CAP_SIZE,
10061 ++ + USB_DT_USB_SS_CAP_SIZE),
10062 +
10063 + .bNumDeviceCaps = 2,
10064 + };
10065 +diff --git a/drivers/usb/host/ehci-fsl.c b/drivers/usb/host/ehci-fsl.c
10066 +index e90344a..b556a72 100644
10067 +--- a/drivers/usb/host/ehci-fsl.c
10068 ++++ b/drivers/usb/host/ehci-fsl.c
10069 +@@ -125,7 +125,7 @@ static int usb_hcd_fsl_probe(const struct hc_driver *driver,
10070 + */
10071 + if (pdata->init && pdata->init(pdev)) {
10072 + retval = -ENODEV;
10073 +- goto err3;
10074 ++ goto err4;
10075 + }
10076 +
10077 + /* Enable USB controller, 83xx or 8536 */
10078 +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
10079 +index d28c586..ae92dc4 100644
10080 +--- a/drivers/usb/host/xhci-ring.c
10081 ++++ b/drivers/usb/host/xhci-ring.c
10082 +@@ -1215,6 +1215,7 @@ static void handle_vendor_event(struct xhci_hcd *xhci,
10083 + *
10084 + * Returns a zero-based port number, which is suitable for indexing into each of
10085 + * the split roothubs' port arrays and bus state arrays.
10086 ++ * Add one to it in order to call xhci_find_slot_id_by_port.
10087 + */
10088 + static unsigned int find_faked_portnum_from_hw_portnum(struct usb_hcd *hcd,
10089 + struct xhci_hcd *xhci, u32 port_id)
10090 +@@ -1335,7 +1336,7 @@ static void handle_port_status(struct xhci_hcd *xhci,
10091 + xhci_set_link_state(xhci, port_array, faked_port_index,
10092 + XDEV_U0);
10093 + slot_id = xhci_find_slot_id_by_port(hcd, xhci,
10094 +- faked_port_index);
10095 ++ faked_port_index + 1);
10096 + if (!slot_id) {
10097 + xhci_dbg(xhci, "slot_id is zero\n");
10098 + goto cleanup;
10099 +@@ -3372,7 +3373,8 @@ static int xhci_queue_isoc_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
10100 + /* Check TD length */
10101 + if (running_total != td_len) {
10102 + xhci_err(xhci, "ISOC TD length unmatch\n");
10103 +- return -EINVAL;
10104 ++ ret = -EINVAL;
10105 ++ goto cleanup;
10106 + }
10107 + }
10108 +
10109 +diff --git a/drivers/usb/misc/usbsevseg.c b/drivers/usb/misc/usbsevseg.c
10110 +index 417b8f2..59689fa 100644
10111 +--- a/drivers/usb/misc/usbsevseg.c
10112 ++++ b/drivers/usb/misc/usbsevseg.c
10113 +@@ -24,7 +24,7 @@
10114 +
10115 + #define VENDOR_ID 0x0fc5
10116 + #define PRODUCT_ID 0x1227
10117 +-#define MAXLEN 6
10118 ++#define MAXLEN 8
10119 +
10120 + /* table of devices that work with this driver */
10121 + static const struct usb_device_id id_table[] = {
10122 +diff --git a/drivers/usb/musb/davinci.c b/drivers/usb/musb/davinci.c
10123 +index f9a3f62..7c569f5 100644
10124 +--- a/drivers/usb/musb/davinci.c
10125 ++++ b/drivers/usb/musb/davinci.c
10126 +@@ -33,9 +33,6 @@
10127 + #include <linux/platform_device.h>
10128 + #include <linux/dma-mapping.h>
10129 +
10130 +-#include <mach/hardware.h>
10131 +-#include <mach/memory.h>
10132 +-#include <asm/gpio.h>
10133 + #include <mach/cputype.h>
10134 +
10135 + #include <asm/mach-types.h>
10136 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
10137 +index a1a324b..a515237 100644
10138 +--- a/drivers/usb/serial/cp210x.c
10139 ++++ b/drivers/usb/serial/cp210x.c
10140 +@@ -39,6 +39,8 @@ static void cp210x_get_termios(struct tty_struct *,
10141 + struct usb_serial_port *port);
10142 + static void cp210x_get_termios_port(struct usb_serial_port *port,
10143 + unsigned int *cflagp, unsigned int *baudp);
10144 ++static void cp210x_change_speed(struct tty_struct *, struct usb_serial_port *,
10145 ++ struct ktermios *);
10146 + static void cp210x_set_termios(struct tty_struct *, struct usb_serial_port *,
10147 + struct ktermios*);
10148 + static int cp210x_tiocmget(struct tty_struct *);
10149 +@@ -138,6 +140,7 @@ static const struct usb_device_id id_table[] = {
10150 + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
10151 + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
10152 + { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
10153 ++ { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
10154 + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
10155 + { } /* Terminating Entry */
10156 + };
10157 +@@ -201,6 +204,8 @@ static struct usb_serial_driver cp210x_device = {
10158 + #define CP210X_EMBED_EVENTS 0x15
10159 + #define CP210X_GET_EVENTSTATE 0x16
10160 + #define CP210X_SET_CHARS 0x19
10161 ++#define CP210X_GET_BAUDRATE 0x1D
10162 ++#define CP210X_SET_BAUDRATE 0x1E
10163 +
10164 + /* CP210X_IFC_ENABLE */
10165 + #define UART_ENABLE 0x0001
10166 +@@ -354,8 +359,8 @@ static inline int cp210x_set_config_single(struct usb_serial_port *port,
10167 + * Quantises the baud rate as per AN205 Table 1
10168 + */
10169 + static unsigned int cp210x_quantise_baudrate(unsigned int baud) {
10170 +- if (baud <= 56) baud = 0;
10171 +- else if (baud <= 300) baud = 300;
10172 ++ if (baud <= 300)
10173 ++ baud = 300;
10174 + else if (baud <= 600) baud = 600;
10175 + else if (baud <= 1200) baud = 1200;
10176 + else if (baud <= 1800) baud = 1800;
10177 +@@ -383,17 +388,15 @@ static unsigned int cp210x_quantise_baudrate(unsigned int baud) {
10178 + else if (baud <= 491520) baud = 460800;
10179 + else if (baud <= 567138) baud = 500000;
10180 + else if (baud <= 670254) baud = 576000;
10181 +- else if (baud <= 1053257) baud = 921600;
10182 +- else if (baud <= 1474560) baud = 1228800;
10183 +- else if (baud <= 2457600) baud = 1843200;
10184 +- else baud = 3686400;
10185 ++ else if (baud < 1000000)
10186 ++ baud = 921600;
10187 ++ else if (baud > 2000000)
10188 ++ baud = 2000000;
10189 + return baud;
10190 + }
10191 +
10192 + static int cp210x_open(struct tty_struct *tty, struct usb_serial_port *port)
10193 + {
10194 +- int result;
10195 +-
10196 + dbg("%s - port %d", __func__, port->number);
10197 +
10198 + if (cp210x_set_config_single(port, CP210X_IFC_ENABLE, UART_ENABLE)) {
10199 +@@ -402,13 +405,14 @@ static int cp210x_open(struct tty_struct *tty, struct usb_serial_port *port)
10200 + return -EPROTO;
10201 + }
10202 +
10203 +- result = usb_serial_generic_open(tty, port);
10204 +- if (result)
10205 +- return result;
10206 +-
10207 + /* Configure the termios structure */
10208 + cp210x_get_termios(tty, port);
10209 +- return 0;
10210 ++
10211 ++ /* The baud rate must be initialised on cp2104 */
10212 ++ if (tty)
10213 ++ cp210x_change_speed(tty, port, NULL);
10214 ++
10215 ++ return usb_serial_generic_open(tty, port);
10216 + }
10217 +
10218 + static void cp210x_close(struct usb_serial_port *port)
10219 +@@ -460,10 +464,7 @@ static void cp210x_get_termios_port(struct usb_serial_port *port,
10220 +
10221 + dbg("%s - port %d", __func__, port->number);
10222 +
10223 +- cp210x_get_config(port, CP210X_GET_BAUDDIV, &baud, 2);
10224 +- /* Convert to baudrate */
10225 +- if (baud)
10226 +- baud = cp210x_quantise_baudrate((BAUD_RATE_GEN_FREQ + baud/2)/ baud);
10227 ++ cp210x_get_config(port, CP210X_GET_BAUDRATE, &baud, 4);
10228 +
10229 + dbg("%s - baud rate = %d", __func__, baud);
10230 + *baudp = baud;
10231 +@@ -577,11 +578,64 @@ static void cp210x_get_termios_port(struct usb_serial_port *port,
10232 + *cflagp = cflag;
10233 + }
10234 +
10235 ++/*
10236 ++ * CP2101 supports the following baud rates:
10237 ++ *
10238 ++ * 300, 600, 1200, 1800, 2400, 4800, 7200, 9600, 14400, 19200, 28800,
10239 ++ * 38400, 56000, 57600, 115200, 128000, 230400, 460800, 921600
10240 ++ *
10241 ++ * CP2102 and CP2103 support the following additional rates:
10242 ++ *
10243 ++ * 4000, 16000, 51200, 64000, 76800, 153600, 250000, 256000, 500000,
10244 ++ * 576000
10245 ++ *
10246 ++ * The device will map a requested rate to a supported one, but the result
10247 ++ * of requests for rates greater than 1053257 is undefined (see AN205).
10248 ++ *
10249 ++ * CP2104, CP2105 and CP2110 support most rates up to 2M, 921k and 1M baud,
10250 ++ * respectively, with an error less than 1%. The actual rates are determined
10251 ++ * by
10252 ++ *
10253 ++ * div = round(freq / (2 x prescale x request))
10254 ++ * actual = freq / (2 x prescale x div)
10255 ++ *
10256 ++ * For CP2104 and CP2105 freq is 48Mhz and prescale is 4 for request <= 365bps
10257 ++ * or 1 otherwise.
10258 ++ * For CP2110 freq is 24Mhz and prescale is 4 for request <= 300bps or 1
10259 ++ * otherwise.
10260 ++ */
10261 ++static void cp210x_change_speed(struct tty_struct *tty,
10262 ++ struct usb_serial_port *port, struct ktermios *old_termios)
10263 ++{
10264 ++ u32 baud;
10265 ++
10266 ++ baud = tty->termios->c_ospeed;
10267 ++
10268 ++ /* This maps the requested rate to a rate valid on cp2102 or cp2103,
10269 ++ * or to an arbitrary rate in [1M,2M].
10270 ++ *
10271 ++ * NOTE: B0 is not implemented.
10272 ++ */
10273 ++ baud = cp210x_quantise_baudrate(baud);
10274 ++
10275 ++ dbg("%s - setting baud rate to %u", __func__, baud);
10276 ++ if (cp210x_set_config(port, CP210X_SET_BAUDRATE, &baud,
10277 ++ sizeof(baud))) {
10278 ++ dev_warn(&port->dev, "failed to set baud rate to %u\n", baud);
10279 ++ if (old_termios)
10280 ++ baud = old_termios->c_ospeed;
10281 ++ else
10282 ++ baud = 9600;
10283 ++ }
10284 ++
10285 ++ tty_encode_baud_rate(tty, baud, baud);
10286 ++}
10287 ++
10288 + static void cp210x_set_termios(struct tty_struct *tty,
10289 + struct usb_serial_port *port, struct ktermios *old_termios)
10290 + {
10291 + unsigned int cflag, old_cflag;
10292 +- unsigned int baud = 0, bits;
10293 ++ unsigned int bits;
10294 + unsigned int modem_ctl[4];
10295 +
10296 + dbg("%s - port %d", __func__, port->number);
10297 +@@ -592,20 +646,9 @@ static void cp210x_set_termios(struct tty_struct *tty,
10298 + tty->termios->c_cflag &= ~CMSPAR;
10299 + cflag = tty->termios->c_cflag;
10300 + old_cflag = old_termios->c_cflag;
10301 +- baud = cp210x_quantise_baudrate(tty_get_baud_rate(tty));
10302 +-
10303 +- /* If the baud rate is to be updated*/
10304 +- if (baud != tty_termios_baud_rate(old_termios) && baud != 0) {
10305 +- dbg("%s - Setting baud rate to %d baud", __func__,
10306 +- baud);
10307 +- if (cp210x_set_config_single(port, CP210X_SET_BAUDDIV,
10308 +- ((BAUD_RATE_GEN_FREQ + baud/2) / baud))) {
10309 +- dbg("Baud rate requested not supported by device");
10310 +- baud = tty_termios_baud_rate(old_termios);
10311 +- }
10312 +- }
10313 +- /* Report back the resulting baud rate */
10314 +- tty_encode_baud_rate(tty, baud, baud);
10315 ++
10316 ++ if (tty->termios->c_ospeed != old_termios->c_ospeed)
10317 ++ cp210x_change_speed(tty, port, old_termios);
10318 +
10319 + /* If the number of data bits is to be updated */
10320 + if ((cflag & CSIZE) != (old_cflag & CSIZE)) {
10321 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
10322 +index ff3db5d..058b92c 100644
10323 +--- a/drivers/usb/serial/ftdi_sio.c
10324 ++++ b/drivers/usb/serial/ftdi_sio.c
10325 +@@ -797,6 +797,7 @@ static struct usb_device_id id_table_combined [] = {
10326 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
10327 + { USB_DEVICE(ADI_VID, ADI_GNICEPLUS_PID),
10328 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
10329 ++ { USB_DEVICE(HORNBY_VID, HORNBY_ELITE_PID) },
10330 + { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
10331 + { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
10332 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
10333 +@@ -805,6 +806,8 @@ static struct usb_device_id id_table_combined [] = {
10334 + { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
10335 + { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
10336 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
10337 ++ { USB_DEVICE(FTDI_VID, TI_XDS100V2_PID),
10338 ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
10339 + { USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) },
10340 + { USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) },
10341 + { USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) },
10342 +@@ -841,6 +844,7 @@ static struct usb_device_id id_table_combined [] = {
10343 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
10344 + { USB_DEVICE(ST_VID, ST_STMCLT1030_PID),
10345 + .driver_info = (kernel_ulong_t)&ftdi_stmclite_quirk },
10346 ++ { USB_DEVICE(FTDI_VID, FTDI_RF_R106) },
10347 + { }, /* Optional parameter entry */
10348 + { } /* Terminating entry */
10349 + };
10350 +@@ -1333,8 +1337,7 @@ static int set_serial_info(struct tty_struct *tty,
10351 + goto check_and_exit;
10352 + }
10353 +
10354 +- if ((new_serial.baud_base != priv->baud_base) &&
10355 +- (new_serial.baud_base < 9600)) {
10356 ++ if (new_serial.baud_base != priv->baud_base) {
10357 + mutex_unlock(&priv->cfg_lock);
10358 + return -EINVAL;
10359 + }
10360 +@@ -1824,6 +1827,7 @@ static int ftdi_sio_port_remove(struct usb_serial_port *port)
10361 +
10362 + static int ftdi_open(struct tty_struct *tty, struct usb_serial_port *port)
10363 + {
10364 ++ struct ktermios dummy;
10365 + struct usb_device *dev = port->serial->dev;
10366 + struct ftdi_private *priv = usb_get_serial_port_data(port);
10367 + int result;
10368 +@@ -1842,8 +1846,10 @@ static int ftdi_open(struct tty_struct *tty, struct usb_serial_port *port)
10369 + This is same behaviour as serial.c/rs_open() - Kuba */
10370 +
10371 + /* ftdi_set_termios will send usb control messages */
10372 +- if (tty)
10373 +- ftdi_set_termios(tty, port, tty->termios);
10374 ++ if (tty) {
10375 ++ memset(&dummy, 0, sizeof(dummy));
10376 ++ ftdi_set_termios(tty, port, &dummy);
10377 ++ }
10378 +
10379 + /* Start reading from the device */
10380 + result = usb_serial_generic_open(tty, port);
10381 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
10382 +index 055b64e..76d4f31 100644
10383 +--- a/drivers/usb/serial/ftdi_sio_ids.h
10384 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
10385 +@@ -39,6 +39,13 @@
10386 + /* www.candapter.com Ewert Energy Systems CANdapter device */
10387 + #define FTDI_CANDAPTER_PID 0x9F80 /* Product Id */
10388 +
10389 ++/*
10390 ++ * Texas Instruments XDS100v2 JTAG / BeagleBone A3
10391 ++ * http://processors.wiki.ti.com/index.php/XDS100
10392 ++ * http://beagleboard.org/bone
10393 ++ */
10394 ++#define TI_XDS100V2_PID 0xa6d0
10395 ++
10396 + #define FTDI_NXTCAM_PID 0xABB8 /* NXTCam for Mindstorms NXT */
10397 +
10398 + /* US Interface Navigator (http://www.usinterface.com/) */
10399 +@@ -525,6 +532,12 @@
10400 + #define ADI_GNICEPLUS_PID 0xF001
10401 +
10402 + /*
10403 ++ * Hornby Elite
10404 ++ */
10405 ++#define HORNBY_VID 0x04D8
10406 ++#define HORNBY_ELITE_PID 0x000A
10407 ++
10408 ++/*
10409 + * RATOC REX-USB60F
10410 + */
10411 + #define RATOC_VENDOR_ID 0x0584
10412 +@@ -1168,3 +1181,9 @@
10413 + */
10414 + /* TagTracer MIFARE*/
10415 + #define FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID 0xF7C0
10416 ++
10417 ++/*
10418 ++ * Rainforest Automation
10419 ++ */
10420 ++/* ZigBee controller */
10421 ++#define FTDI_RF_R106 0x8A28
10422 +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
10423 +index 0aac00a..8a90d58 100644
10424 +--- a/drivers/usb/serial/io_ti.c
10425 ++++ b/drivers/usb/serial/io_ti.c
10426 +@@ -2677,15 +2677,7 @@ cleanup:
10427 +
10428 + static void edge_disconnect(struct usb_serial *serial)
10429 + {
10430 +- int i;
10431 +- struct edgeport_port *edge_port;
10432 +-
10433 + dbg("%s", __func__);
10434 +-
10435 +- for (i = 0; i < serial->num_ports; ++i) {
10436 +- edge_port = usb_get_serial_port_data(serial->port[i]);
10437 +- edge_remove_sysfs_attrs(edge_port->port);
10438 +- }
10439 + }
10440 +
10441 + static void edge_release(struct usb_serial *serial)
10442 +@@ -2764,6 +2756,7 @@ static struct usb_serial_driver edgeport_1port_device = {
10443 + .disconnect = edge_disconnect,
10444 + .release = edge_release,
10445 + .port_probe = edge_create_sysfs_attrs,
10446 ++ .port_remove = edge_remove_sysfs_attrs,
10447 + .ioctl = edge_ioctl,
10448 + .set_termios = edge_set_termios,
10449 + .tiocmget = edge_tiocmget,
10450 +@@ -2795,6 +2788,7 @@ static struct usb_serial_driver edgeport_2port_device = {
10451 + .disconnect = edge_disconnect,
10452 + .release = edge_release,
10453 + .port_probe = edge_create_sysfs_attrs,
10454 ++ .port_remove = edge_remove_sysfs_attrs,
10455 + .ioctl = edge_ioctl,
10456 + .set_termios = edge_set_termios,
10457 + .tiocmget = edge_tiocmget,
10458 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
10459 +index c96b6b6..2a9ed6e 100644
10460 +--- a/drivers/usb/serial/option.c
10461 ++++ b/drivers/usb/serial/option.c
10462 +@@ -480,6 +480,10 @@ static void option_instat_callback(struct urb *urb);
10463 + #define ZD_VENDOR_ID 0x0685
10464 + #define ZD_PRODUCT_7000 0x7000
10465 +
10466 ++/* LG products */
10467 ++#define LG_VENDOR_ID 0x1004
10468 ++#define LG_PRODUCT_L02C 0x618f
10469 ++
10470 + /* some devices interfaces need special handling due to a number of reasons */
10471 + enum option_blacklist_reason {
10472 + OPTION_BLACKLIST_NONE = 0,
10473 +@@ -1183,6 +1187,7 @@ static const struct usb_device_id option_ids[] = {
10474 + { USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CLU526) },
10475 + { USB_DEVICE_AND_INTERFACE_INFO(VIETTEL_VENDOR_ID, VIETTEL_PRODUCT_VT1000, 0xff, 0xff, 0xff) },
10476 + { USB_DEVICE_AND_INTERFACE_INFO(ZD_VENDOR_ID, ZD_PRODUCT_7000, 0xff, 0xff, 0xff) },
10477 ++ { USB_DEVICE(LG_VENDOR_ID, LG_PRODUCT_L02C) }, /* docomo L-02C modem */
10478 + { } /* Terminating entry */
10479 + };
10480 + MODULE_DEVICE_TABLE(usb, option_ids);
10481 +diff --git a/drivers/usb/serial/qcaux.c b/drivers/usb/serial/qcaux.c
10482 +index 30b73e6..a348198 100644
10483 +--- a/drivers/usb/serial/qcaux.c
10484 ++++ b/drivers/usb/serial/qcaux.c
10485 +@@ -36,6 +36,7 @@
10486 + #define UTSTARCOM_PRODUCT_UM175_V1 0x3712
10487 + #define UTSTARCOM_PRODUCT_UM175_V2 0x3714
10488 + #define UTSTARCOM_PRODUCT_UM175_ALLTEL 0x3715
10489 ++#define PANTECH_PRODUCT_UML190_VZW 0x3716
10490 + #define PANTECH_PRODUCT_UML290_VZW 0x3718
10491 +
10492 + /* CMOTECH devices */
10493 +@@ -67,7 +68,11 @@ static struct usb_device_id id_table[] = {
10494 + { USB_DEVICE_AND_INTERFACE_INFO(LG_VENDOR_ID, LG_PRODUCT_VX4400_6000, 0xff, 0xff, 0x00) },
10495 + { USB_DEVICE_AND_INTERFACE_INFO(SANYO_VENDOR_ID, SANYO_PRODUCT_KATANA_LX, 0xff, 0xff, 0x00) },
10496 + { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_U520, 0xff, 0x00, 0x00) },
10497 +- { USB_DEVICE_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, PANTECH_PRODUCT_UML290_VZW, 0xff, 0xff, 0xff) },
10498 ++ { USB_DEVICE_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, PANTECH_PRODUCT_UML190_VZW, 0xff, 0xff, 0xff) },
10499 ++ { USB_DEVICE_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, PANTECH_PRODUCT_UML190_VZW, 0xff, 0xfe, 0xff) },
10500 ++ { USB_DEVICE_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, PANTECH_PRODUCT_UML290_VZW, 0xff, 0xfd, 0xff) }, /* NMEA */
10501 ++ { USB_DEVICE_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, PANTECH_PRODUCT_UML290_VZW, 0xff, 0xfe, 0xff) }, /* WMC */
10502 ++ { USB_DEVICE_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, PANTECH_PRODUCT_UML290_VZW, 0xff, 0xff, 0xff) }, /* DIAG */
10503 + { },
10504 + };
10505 + MODULE_DEVICE_TABLE(usb, id_table);
10506 +diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
10507 +index 0ce5f79..32c93d7 100644
10508 +--- a/drivers/usb/storage/realtek_cr.c
10509 ++++ b/drivers/usb/storage/realtek_cr.c
10510 +@@ -791,7 +791,7 @@ static void rts51x_suspend_timer_fn(unsigned long data)
10511 + rts51x_set_stat(chip, RTS51X_STAT_SS);
10512 + /* ignore mass storage interface's children */
10513 + pm_suspend_ignore_children(&us->pusb_intf->dev, true);
10514 +- usb_autopm_put_interface(us->pusb_intf);
10515 ++ usb_autopm_put_interface_async(us->pusb_intf);
10516 + US_DEBUGP("%s: RTS51X_STAT_SS 01,"
10517 + "intf->pm_usage_cnt:%d, power.usage:%d\n",
10518 + __func__,
10519 +diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
10520 +index 2a83425..68b19ab 100644
10521 +--- a/fs/ecryptfs/crypto.c
10522 ++++ b/fs/ecryptfs/crypto.c
10523 +@@ -417,17 +417,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
10524 + (unsigned long long)(extent_base + extent_offset), rc);
10525 + goto out;
10526 + }
10527 +- if (unlikely(ecryptfs_verbosity > 0)) {
10528 +- ecryptfs_printk(KERN_DEBUG, "Encrypting extent "
10529 +- "with iv:\n");
10530 +- ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
10531 +- ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
10532 +- "encryption:\n");
10533 +- ecryptfs_dump_hex((char *)
10534 +- (page_address(page)
10535 +- + (extent_offset * crypt_stat->extent_size)),
10536 +- 8);
10537 +- }
10538 + rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
10539 + page, (extent_offset
10540 + * crypt_stat->extent_size),
10541 +@@ -440,14 +429,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
10542 + goto out;
10543 + }
10544 + rc = 0;
10545 +- if (unlikely(ecryptfs_verbosity > 0)) {
10546 +- ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16llx]; "
10547 +- "rc = [%d]\n",
10548 +- (unsigned long long)(extent_base + extent_offset), rc);
10549 +- ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
10550 +- "encryption:\n");
10551 +- ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8);
10552 +- }
10553 + out:
10554 + return rc;
10555 + }
10556 +@@ -543,17 +524,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
10557 + (unsigned long long)(extent_base + extent_offset), rc);
10558 + goto out;
10559 + }
10560 +- if (unlikely(ecryptfs_verbosity > 0)) {
10561 +- ecryptfs_printk(KERN_DEBUG, "Decrypting extent "
10562 +- "with iv:\n");
10563 +- ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
10564 +- ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
10565 +- "decryption:\n");
10566 +- ecryptfs_dump_hex((char *)
10567 +- (page_address(enc_extent_page)
10568 +- + (extent_offset * crypt_stat->extent_size)),
10569 +- 8);
10570 +- }
10571 + rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
10572 + (extent_offset
10573 + * crypt_stat->extent_size),
10574 +@@ -567,16 +537,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
10575 + goto out;
10576 + }
10577 + rc = 0;
10578 +- if (unlikely(ecryptfs_verbosity > 0)) {
10579 +- ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16llx]; "
10580 +- "rc = [%d]\n",
10581 +- (unsigned long long)(extent_base + extent_offset), rc);
10582 +- ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
10583 +- "decryption:\n");
10584 +- ecryptfs_dump_hex((char *)(page_address(page)
10585 +- + (extent_offset
10586 +- * crypt_stat->extent_size)), 8);
10587 +- }
10588 + out:
10589 + return rc;
10590 + }
10591 +@@ -1620,7 +1580,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
10592 + rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
10593 + if (rc) {
10594 + printk(KERN_DEBUG "Valid eCryptfs headers not found in "
10595 +- "file header region or xattr region\n");
10596 ++ "file header region or xattr region, inode %lu\n",
10597 ++ ecryptfs_inode->i_ino);
10598 + rc = -EINVAL;
10599 + goto out;
10600 + }
10601 +@@ -1629,7 +1590,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
10602 + ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
10603 + if (rc) {
10604 + printk(KERN_DEBUG "Valid eCryptfs headers not found in "
10605 +- "file xattr region either\n");
10606 ++ "file xattr region either, inode %lu\n",
10607 ++ ecryptfs_inode->i_ino);
10608 + rc = -EINVAL;
10609 + }
10610 + if (crypt_stat->mount_crypt_stat->flags
10611 +@@ -1640,7 +1602,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
10612 + "crypto metadata only in the extended attribute "
10613 + "region, but eCryptfs was mounted without "
10614 + "xattr support enabled. eCryptfs will not treat "
10615 +- "this like an encrypted file.\n");
10616 ++ "this like an encrypted file, inode %lu\n",
10617 ++ ecryptfs_inode->i_ino);
10618 + rc = -EINVAL;
10619 + }
10620 + }
10621 +diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
10622 +index 32f90a3..d2039ca 100644
10623 +--- a/fs/ecryptfs/inode.c
10624 ++++ b/fs/ecryptfs/inode.c
10625 +@@ -841,18 +841,6 @@ static int truncate_upper(struct dentry *dentry, struct iattr *ia,
10626 + size_t num_zeros = (PAGE_CACHE_SIZE
10627 + - (ia->ia_size & ~PAGE_CACHE_MASK));
10628 +
10629 +-
10630 +- /*
10631 +- * XXX(truncate) this should really happen at the begginning
10632 +- * of ->setattr. But the code is too messy to that as part
10633 +- * of a larger patch. ecryptfs is also totally missing out
10634 +- * on the inode_change_ok check at the beginning of
10635 +- * ->setattr while would include this.
10636 +- */
10637 +- rc = inode_newsize_ok(inode, ia->ia_size);
10638 +- if (rc)
10639 +- goto out;
10640 +-
10641 + if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
10642 + truncate_setsize(inode, ia->ia_size);
10643 + lower_ia->ia_size = ia->ia_size;
10644 +@@ -902,6 +890,28 @@ out:
10645 + return rc;
10646 + }
10647 +
10648 ++static int ecryptfs_inode_newsize_ok(struct inode *inode, loff_t offset)
10649 ++{
10650 ++ struct ecryptfs_crypt_stat *crypt_stat;
10651 ++ loff_t lower_oldsize, lower_newsize;
10652 ++
10653 ++ crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
10654 ++ lower_oldsize = upper_size_to_lower_size(crypt_stat,
10655 ++ i_size_read(inode));
10656 ++ lower_newsize = upper_size_to_lower_size(crypt_stat, offset);
10657 ++ if (lower_newsize > lower_oldsize) {
10658 ++ /*
10659 ++ * The eCryptfs inode and the new *lower* size are mixed here
10660 ++ * because we may not have the lower i_mutex held and/or it may
10661 ++ * not be appropriate to call inode_newsize_ok() with inodes
10662 ++ * from other filesystems.
10663 ++ */
10664 ++ return inode_newsize_ok(inode, lower_newsize);
10665 ++ }
10666 ++
10667 ++ return 0;
10668 ++}
10669 ++
10670 + /**
10671 + * ecryptfs_truncate
10672 + * @dentry: The ecryptfs layer dentry
10673 +@@ -918,6 +928,10 @@ int ecryptfs_truncate(struct dentry *dentry, loff_t new_length)
10674 + struct iattr lower_ia = { .ia_valid = 0 };
10675 + int rc;
10676 +
10677 ++ rc = ecryptfs_inode_newsize_ok(dentry->d_inode, new_length);
10678 ++ if (rc)
10679 ++ return rc;
10680 ++
10681 + rc = truncate_upper(dentry, &ia, &lower_ia);
10682 + if (!rc && lower_ia.ia_valid & ATTR_SIZE) {
10683 + struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
10684 +@@ -997,6 +1011,16 @@ static int ecryptfs_setattr(struct dentry *dentry, struct iattr *ia)
10685 + }
10686 + }
10687 + mutex_unlock(&crypt_stat->cs_mutex);
10688 ++
10689 ++ rc = inode_change_ok(inode, ia);
10690 ++ if (rc)
10691 ++ goto out;
10692 ++ if (ia->ia_valid & ATTR_SIZE) {
10693 ++ rc = ecryptfs_inode_newsize_ok(inode, ia->ia_size);
10694 ++ if (rc)
10695 ++ goto out;
10696 ++ }
10697 ++
10698 + if (S_ISREG(inode->i_mode)) {
10699 + rc = filemap_write_and_wait(inode->i_mapping);
10700 + if (rc)
10701 +diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
10702 +index 940a82e..0dc5a3d 100644
10703 +--- a/fs/ecryptfs/miscdev.c
10704 ++++ b/fs/ecryptfs/miscdev.c
10705 +@@ -409,11 +409,47 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
10706 + ssize_t sz = 0;
10707 + char *data;
10708 + uid_t euid = current_euid();
10709 ++ unsigned char packet_size_peek[3];
10710 + int rc;
10711 +
10712 +- if (count == 0)
10713 ++ if (count == 0) {
10714 + goto out;
10715 ++ } else if (count == (1 + 4)) {
10716 ++ /* Likely a harmless MSG_HELO or MSG_QUIT - no packet length */
10717 ++ goto memdup;
10718 ++ } else if (count < (1 + 4 + 1)
10719 ++ || count > (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
10720 ++ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)) {
10721 ++ printk(KERN_WARNING "%s: Acceptable packet size range is "
10722 ++ "[%d-%lu], but amount of data written is [%zu].",
10723 ++ __func__, (1 + 4 + 1),
10724 ++ (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
10725 ++ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES), count);
10726 ++ return -EINVAL;
10727 ++ }
10728 ++
10729 ++ if (copy_from_user(packet_size_peek, (buf + 1 + 4),
10730 ++ sizeof(packet_size_peek))) {
10731 ++ printk(KERN_WARNING "%s: Error while inspecting packet size\n",
10732 ++ __func__);
10733 ++ return -EFAULT;
10734 ++ }
10735 ++
10736 ++ rc = ecryptfs_parse_packet_length(packet_size_peek, &packet_size,
10737 ++ &packet_size_length);
10738 ++ if (rc) {
10739 ++ printk(KERN_WARNING "%s: Error parsing packet length; "
10740 ++ "rc = [%d]\n", __func__, rc);
10741 ++ return rc;
10742 ++ }
10743 ++
10744 ++ if ((1 + 4 + packet_size_length + packet_size) != count) {
10745 ++ printk(KERN_WARNING "%s: Invalid packet size [%zu]\n", __func__,
10746 ++ packet_size);
10747 ++ return -EINVAL;
10748 ++ }
10749 +
10750 ++memdup:
10751 + data = memdup_user(buf, count);
10752 + if (IS_ERR(data)) {
10753 + printk(KERN_ERR "%s: memdup_user returned error [%ld]\n",
10754 +@@ -435,23 +471,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
10755 + }
10756 + memcpy(&counter_nbo, &data[i], 4);
10757 + seq = be32_to_cpu(counter_nbo);
10758 +- i += 4;
10759 +- rc = ecryptfs_parse_packet_length(&data[i], &packet_size,
10760 +- &packet_size_length);
10761 +- if (rc) {
10762 +- printk(KERN_WARNING "%s: Error parsing packet length; "
10763 +- "rc = [%d]\n", __func__, rc);
10764 +- goto out_free;
10765 +- }
10766 +- i += packet_size_length;
10767 +- if ((1 + 4 + packet_size_length + packet_size) != count) {
10768 +- printk(KERN_WARNING "%s: (1 + packet_size_length([%zd])"
10769 +- " + packet_size([%zd]))([%zd]) != "
10770 +- "count([%zd]). Invalid packet format.\n",
10771 +- __func__, packet_size_length, packet_size,
10772 +- (1 + packet_size_length + packet_size), count);
10773 +- goto out_free;
10774 +- }
10775 ++ i += 4 + packet_size_length;
10776 + rc = ecryptfs_miscdev_response(&data[i], packet_size,
10777 + euid, current_user_ns(),
10778 + task_pid(current), seq);
10779 +diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
10780 +index 3745f7c..54eb14c 100644
10781 +--- a/fs/ecryptfs/read_write.c
10782 ++++ b/fs/ecryptfs/read_write.c
10783 +@@ -132,6 +132,11 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
10784 + size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
10785 + size_t total_remaining_bytes = ((offset + size) - pos);
10786 +
10787 ++ if (fatal_signal_pending(current)) {
10788 ++ rc = -EINTR;
10789 ++ break;
10790 ++ }
10791 ++
10792 + if (num_bytes > total_remaining_bytes)
10793 + num_bytes = total_remaining_bytes;
10794 + if (pos < offset) {
10795 +@@ -193,15 +198,19 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
10796 + }
10797 + pos += num_bytes;
10798 + }
10799 +- if ((offset + size) > ecryptfs_file_size) {
10800 +- i_size_write(ecryptfs_inode, (offset + size));
10801 ++ if (pos > ecryptfs_file_size) {
10802 ++ i_size_write(ecryptfs_inode, pos);
10803 + if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
10804 +- rc = ecryptfs_write_inode_size_to_metadata(
10805 ++ int rc2;
10806 ++
10807 ++ rc2 = ecryptfs_write_inode_size_to_metadata(
10808 + ecryptfs_inode);
10809 +- if (rc) {
10810 ++ if (rc2) {
10811 + printk(KERN_ERR "Problem with "
10812 + "ecryptfs_write_inode_size_to_metadata; "
10813 +- "rc = [%d]\n", rc);
10814 ++ "rc = [%d]\n", rc2);
10815 ++ if (!rc)
10816 ++ rc = rc2;
10817 + goto out;
10818 + }
10819 + }
10820 +diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
10821 +index f94fc48..5c93ffc 100644
10822 +--- a/fs/jbd/checkpoint.c
10823 ++++ b/fs/jbd/checkpoint.c
10824 +@@ -453,8 +453,6 @@ out:
10825 + *
10826 + * Return <0 on error, 0 on success, 1 if there was nothing to clean up.
10827 + *
10828 +- * Called with the journal lock held.
10829 +- *
10830 + * This is the only part of the journaling code which really needs to be
10831 + * aware of transaction aborts. Checkpointing involves writing to the
10832 + * main filesystem area rather than to the journal, so it can proceed
10833 +@@ -472,13 +470,14 @@ int cleanup_journal_tail(journal_t *journal)
10834 + if (is_journal_aborted(journal))
10835 + return 1;
10836 +
10837 +- /* OK, work out the oldest transaction remaining in the log, and
10838 ++ /*
10839 ++ * OK, work out the oldest transaction remaining in the log, and
10840 + * the log block it starts at.
10841 + *
10842 + * If the log is now empty, we need to work out which is the
10843 + * next transaction ID we will write, and where it will
10844 +- * start. */
10845 +-
10846 ++ * start.
10847 ++ */
10848 + spin_lock(&journal->j_state_lock);
10849 + spin_lock(&journal->j_list_lock);
10850 + transaction = journal->j_checkpoint_transactions;
10851 +@@ -504,7 +503,25 @@ int cleanup_journal_tail(journal_t *journal)
10852 + spin_unlock(&journal->j_state_lock);
10853 + return 1;
10854 + }
10855 ++ spin_unlock(&journal->j_state_lock);
10856 ++
10857 ++ /*
10858 ++ * We need to make sure that any blocks that were recently written out
10859 ++ * --- perhaps by log_do_checkpoint() --- are flushed out before we
10860 ++ * drop the transactions from the journal. It's unlikely this will be
10861 ++ * necessary, especially with an appropriately sized journal, but we
10862 ++ * need this to guarantee correctness. Fortunately
10863 ++ * cleanup_journal_tail() doesn't get called all that often.
10864 ++ */
10865 ++ if (journal->j_flags & JFS_BARRIER)
10866 ++ blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL);
10867 +
10868 ++ spin_lock(&journal->j_state_lock);
10869 ++ if (!tid_gt(first_tid, journal->j_tail_sequence)) {
10870 ++ spin_unlock(&journal->j_state_lock);
10871 ++ /* Someone else cleaned up journal so return 0 */
10872 ++ return 0;
10873 ++ }
10874 + /* OK, update the superblock to recover the freed space.
10875 + * Physical blocks come first: have we wrapped beyond the end of
10876 + * the log? */
10877 +diff --git a/fs/jbd/recovery.c b/fs/jbd/recovery.c
10878 +index 5b43e96..008bf06 100644
10879 +--- a/fs/jbd/recovery.c
10880 ++++ b/fs/jbd/recovery.c
10881 +@@ -20,6 +20,7 @@
10882 + #include <linux/fs.h>
10883 + #include <linux/jbd.h>
10884 + #include <linux/errno.h>
10885 ++#include <linux/blkdev.h>
10886 + #endif
10887 +
10888 + /*
10889 +@@ -263,6 +264,9 @@ int journal_recover(journal_t *journal)
10890 + err2 = sync_blockdev(journal->j_fs_dev);
10891 + if (!err)
10892 + err = err2;
10893 ++ /* Flush disk caches to get replayed data on the permanent storage */
10894 ++ if (journal->j_flags & JFS_BARRIER)
10895 ++ blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL);
10896 +
10897 + return err;
10898 + }
10899 +diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
10900 +index d4e6080b..779789a 100644
10901 +--- a/fs/sysfs/file.c
10902 ++++ b/fs/sysfs/file.c
10903 +@@ -493,6 +493,12 @@ int sysfs_attr_ns(struct kobject *kobj, const struct attribute *attr,
10904 + const void *ns = NULL;
10905 + int err;
10906 +
10907 ++ if (!dir_sd) {
10908 ++ WARN(1, KERN_ERR "sysfs: kobject %s without dirent\n",
10909 ++ kobject_name(kobj));
10910 ++ return -ENOENT;
10911 ++ }
10912 ++
10913 + err = 0;
10914 + if (!sysfs_ns_type(dir_sd))
10915 + goto out;
10916 +diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c
10917 +index c81b22f..deb804b 100644
10918 +--- a/fs/sysfs/inode.c
10919 ++++ b/fs/sysfs/inode.c
10920 +@@ -318,8 +318,11 @@ int sysfs_hash_and_remove(struct sysfs_dirent *dir_sd, const void *ns, const cha
10921 + struct sysfs_addrm_cxt acxt;
10922 + struct sysfs_dirent *sd;
10923 +
10924 +- if (!dir_sd)
10925 ++ if (!dir_sd) {
10926 ++ WARN(1, KERN_WARNING "sysfs: can not remove '%s', no directory\n",
10927 ++ name);
10928 + return -ENOENT;
10929 ++ }
10930 +
10931 + sysfs_addrm_start(&acxt, dir_sd);
10932 +
10933 +diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
10934 +index ce9268a..ee98d0b 100644
10935 +--- a/fs/xfs/xfs_vnodeops.c
10936 ++++ b/fs/xfs/xfs_vnodeops.c
10937 +@@ -131,7 +131,8 @@ xfs_readlink(
10938 + __func__, (unsigned long long) ip->i_ino,
10939 + (long long) pathlen);
10940 + ASSERT(0);
10941 +- return XFS_ERROR(EFSCORRUPTED);
10942 ++ error = XFS_ERROR(EFSCORRUPTED);
10943 ++ goto out;
10944 + }
10945 +
10946 +
10947 +diff --git a/include/drm/drmP.h b/include/drm/drmP.h
10948 +index 1f9e951..bf4b2dc 100644
10949 +--- a/include/drm/drmP.h
10950 ++++ b/include/drm/drmP.h
10951 +@@ -1328,6 +1328,7 @@ extern int drm_getmagic(struct drm_device *dev, void *data,
10952 + struct drm_file *file_priv);
10953 + extern int drm_authmagic(struct drm_device *dev, void *data,
10954 + struct drm_file *file_priv);
10955 ++extern int drm_remove_magic(struct drm_master *master, drm_magic_t magic);
10956 +
10957 + /* Cache management (drm_cache.c) */
10958 + void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
10959 +diff --git a/include/net/netns/generic.h b/include/net/netns/generic.h
10960 +index 3419bf5..d55f434 100644
10961 +--- a/include/net/netns/generic.h
10962 ++++ b/include/net/netns/generic.h
10963 +@@ -41,6 +41,7 @@ static inline void *net_generic(const struct net *net, int id)
10964 + ptr = ng->ptr[id - 1];
10965 + rcu_read_unlock();
10966 +
10967 ++ BUG_ON(!ptr);
10968 + return ptr;
10969 + }
10970 + #endif
10971 +diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
10972 +index f1fa1f6..68223e4 100644
10973 +--- a/net/caif/caif_dev.c
10974 ++++ b/net/caif/caif_dev.c
10975 +@@ -53,7 +53,6 @@ struct cfcnfg *get_cfcnfg(struct net *net)
10976 + struct caif_net *caifn;
10977 + BUG_ON(!net);
10978 + caifn = net_generic(net, caif_net_id);
10979 +- BUG_ON(!caifn);
10980 + return caifn->cfg;
10981 + }
10982 + EXPORT_SYMBOL(get_cfcnfg);
10983 +@@ -63,7 +62,6 @@ static struct caif_device_entry_list *caif_device_list(struct net *net)
10984 + struct caif_net *caifn;
10985 + BUG_ON(!net);
10986 + caifn = net_generic(net, caif_net_id);
10987 +- BUG_ON(!caifn);
10988 + return &caifn->caifdevs;
10989 + }
10990 +
10991 +@@ -92,7 +90,6 @@ static struct caif_device_entry *caif_device_alloc(struct net_device *dev)
10992 + struct caif_device_entry *caifd;
10993 +
10994 + caifdevs = caif_device_list(dev_net(dev));
10995 +- BUG_ON(!caifdevs);
10996 +
10997 + caifd = kzalloc(sizeof(*caifd), GFP_KERNEL);
10998 + if (!caifd)
10999 +@@ -112,7 +109,7 @@ static struct caif_device_entry *caif_get(struct net_device *dev)
11000 + struct caif_device_entry_list *caifdevs =
11001 + caif_device_list(dev_net(dev));
11002 + struct caif_device_entry *caifd;
11003 +- BUG_ON(!caifdevs);
11004 ++
11005 + list_for_each_entry_rcu(caifd, &caifdevs->list, list) {
11006 + if (caifd->netdev == dev)
11007 + return caifd;
11008 +@@ -353,7 +350,7 @@ static struct notifier_block caif_device_notifier = {
11009 + static int caif_init_net(struct net *net)
11010 + {
11011 + struct caif_net *caifn = net_generic(net, caif_net_id);
11012 +- BUG_ON(!caifn);
11013 ++
11014 + INIT_LIST_HEAD(&caifn->caifdevs.list);
11015 + mutex_init(&caifn->caifdevs.lock);
11016 +
11017 +@@ -418,7 +415,7 @@ static int __init caif_device_init(void)
11018 + {
11019 + int result;
11020 +
11021 +- result = register_pernet_device(&caif_net_ops);
11022 ++ result = register_pernet_subsys(&caif_net_ops);
11023 +
11024 + if (result)
11025 + return result;
11026 +@@ -431,7 +428,7 @@ static int __init caif_device_init(void)
11027 +
11028 + static void __exit caif_device_exit(void)
11029 + {
11030 +- unregister_pernet_device(&caif_net_ops);
11031 ++ unregister_pernet_subsys(&caif_net_ops);
11032 + unregister_netdevice_notifier(&caif_device_notifier);
11033 + dev_remove_pack(&caif_packet_type);
11034 + }
11035 +diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
11036 +index 00523ec..86ff37c 100644
11037 +--- a/net/caif/cfcnfg.c
11038 ++++ b/net/caif/cfcnfg.c
11039 +@@ -309,7 +309,6 @@ int caif_connect_client(struct net *net, struct caif_connect_request *conn_req,
11040 + int err;
11041 + struct cfctrl_link_param param;
11042 + struct cfcnfg *cfg = get_cfcnfg(net);
11043 +- caif_assert(cfg != NULL);
11044 +
11045 + rcu_read_lock();
11046 + err = caif_connect_req_to_link_param(cfg, conn_req, &param);
11047 +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
11048 +index 385aefe..0329404 100644
11049 +--- a/net/core/net-sysfs.c
11050 ++++ b/net/core/net-sysfs.c
11051 +@@ -990,9 +990,9 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
11052 + nonempty = 1;
11053 + }
11054 +
11055 +- if (nonempty)
11056 +- RCU_INIT_POINTER(dev->xps_maps, new_dev_maps);
11057 +- else {
11058 ++ if (nonempty) {
11059 ++ rcu_assign_pointer(dev->xps_maps, new_dev_maps);
11060 ++ } else {
11061 + kfree(new_dev_maps);
11062 + RCU_INIT_POINTER(dev->xps_maps, NULL);
11063 + }
11064 +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
11065 +index aefcd7a..0e950fd 100644
11066 +--- a/net/core/net_namespace.c
11067 ++++ b/net/core/net_namespace.c
11068 +@@ -30,6 +30,20 @@ EXPORT_SYMBOL(init_net);
11069 +
11070 + #define INITIAL_NET_GEN_PTRS 13 /* +1 for len +2 for rcu_head */
11071 +
11072 ++static unsigned int max_gen_ptrs = INITIAL_NET_GEN_PTRS;
11073 ++
11074 ++static struct net_generic *net_alloc_generic(void)
11075 ++{
11076 ++ struct net_generic *ng;
11077 ++ size_t generic_size = offsetof(struct net_generic, ptr[max_gen_ptrs]);
11078 ++
11079 ++ ng = kzalloc(generic_size, GFP_KERNEL);
11080 ++ if (ng)
11081 ++ ng->len = max_gen_ptrs;
11082 ++
11083 ++ return ng;
11084 ++}
11085 ++
11086 + static int net_assign_generic(struct net *net, int id, void *data)
11087 + {
11088 + struct net_generic *ng, *old_ng;
11089 +@@ -43,8 +57,7 @@ static int net_assign_generic(struct net *net, int id, void *data)
11090 + if (old_ng->len >= id)
11091 + goto assign;
11092 +
11093 +- ng = kzalloc(sizeof(struct net_generic) +
11094 +- id * sizeof(void *), GFP_KERNEL);
11095 ++ ng = net_alloc_generic();
11096 + if (ng == NULL)
11097 + return -ENOMEM;
11098 +
11099 +@@ -59,7 +72,6 @@ static int net_assign_generic(struct net *net, int id, void *data)
11100 + * the old copy for kfree after a grace period.
11101 + */
11102 +
11103 +- ng->len = id;
11104 + memcpy(&ng->ptr, &old_ng->ptr, old_ng->len * sizeof(void*));
11105 +
11106 + rcu_assign_pointer(net->gen, ng);
11107 +@@ -161,18 +173,6 @@ out_undo:
11108 + goto out;
11109 + }
11110 +
11111 +-static struct net_generic *net_alloc_generic(void)
11112 +-{
11113 +- struct net_generic *ng;
11114 +- size_t generic_size = sizeof(struct net_generic) +
11115 +- INITIAL_NET_GEN_PTRS * sizeof(void *);
11116 +-
11117 +- ng = kzalloc(generic_size, GFP_KERNEL);
11118 +- if (ng)
11119 +- ng->len = INITIAL_NET_GEN_PTRS;
11120 +-
11121 +- return ng;
11122 +-}
11123 +
11124 + #ifdef CONFIG_NET_NS
11125 + static struct kmem_cache *net_cachep;
11126 +@@ -483,6 +483,7 @@ again:
11127 + }
11128 + return error;
11129 + }
11130 ++ max_gen_ptrs = max_t(unsigned int, max_gen_ptrs, *ops->id);
11131 + }
11132 + error = __register_pernet_operations(list, ops);
11133 + if (error) {
11134 +diff --git a/net/core/netpoll.c b/net/core/netpoll.c
11135 +index cf64c1f..5d4d896 100644
11136 +--- a/net/core/netpoll.c
11137 ++++ b/net/core/netpoll.c
11138 +@@ -763,7 +763,7 @@ int __netpoll_setup(struct netpoll *np)
11139 + }
11140 +
11141 + /* last thing to do is link it to the net device structure */
11142 +- RCU_INIT_POINTER(ndev->npinfo, npinfo);
11143 ++ rcu_assign_pointer(ndev->npinfo, npinfo);
11144 +
11145 + return 0;
11146 +
11147 +diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
11148 +index 2ab16e1..74d321a 100644
11149 +--- a/net/decnet/dn_dev.c
11150 ++++ b/net/decnet/dn_dev.c
11151 +@@ -388,7 +388,7 @@ static int dn_dev_insert_ifa(struct dn_dev *dn_db, struct dn_ifaddr *ifa)
11152 + }
11153 +
11154 + ifa->ifa_next = dn_db->ifa_list;
11155 +- RCU_INIT_POINTER(dn_db->ifa_list, ifa);
11156 ++ rcu_assign_pointer(dn_db->ifa_list, ifa);
11157 +
11158 + dn_ifaddr_notify(RTM_NEWADDR, ifa);
11159 + blocking_notifier_call_chain(&dnaddr_chain, NETDEV_UP, ifa);
11160 +@@ -1093,7 +1093,7 @@ static struct dn_dev *dn_dev_create(struct net_device *dev, int *err)
11161 +
11162 + memcpy(&dn_db->parms, p, sizeof(struct dn_dev_parms));
11163 +
11164 +- RCU_INIT_POINTER(dev->dn_ptr, dn_db);
11165 ++ rcu_assign_pointer(dev->dn_ptr, dn_db);
11166 + dn_db->dev = dev;
11167 + init_timer(&dn_db->timer);
11168 +
11169 +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
11170 +index 65f01dc..e41c40f 100644
11171 +--- a/net/ipv4/devinet.c
11172 ++++ b/net/ipv4/devinet.c
11173 +@@ -258,7 +258,7 @@ static struct in_device *inetdev_init(struct net_device *dev)
11174 + ip_mc_up(in_dev);
11175 +
11176 + /* we can receive as soon as ip_ptr is set -- do this last */
11177 +- RCU_INIT_POINTER(dev->ip_ptr, in_dev);
11178 ++ rcu_assign_pointer(dev->ip_ptr, in_dev);
11179 + out:
11180 + return in_dev;
11181 + out_kfree:
11182 +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
11183 +index 37b6711..3ce23f9 100644
11184 +--- a/net/ipv4/fib_trie.c
11185 ++++ b/net/ipv4/fib_trie.c
11186 +@@ -205,7 +205,7 @@ static inline struct tnode *node_parent_rcu(const struct rt_trie_node *node)
11187 + return (struct tnode *)(parent & ~NODE_TYPE_MASK);
11188 + }
11189 +
11190 +-/* Same as RCU_INIT_POINTER
11191 ++/* Same as rcu_assign_pointer
11192 + * but that macro() assumes that value is a pointer.
11193 + */
11194 + static inline void node_set_parent(struct rt_trie_node *node, struct tnode *ptr)
11195 +@@ -529,7 +529,7 @@ static void tnode_put_child_reorg(struct tnode *tn, int i, struct rt_trie_node *
11196 + if (n)
11197 + node_set_parent(n, tn);
11198 +
11199 +- RCU_INIT_POINTER(tn->child[i], n);
11200 ++ rcu_assign_pointer(tn->child[i], n);
11201 + }
11202 +
11203 + #define MAX_WORK 10
11204 +@@ -1015,7 +1015,7 @@ static void trie_rebalance(struct trie *t, struct tnode *tn)
11205 +
11206 + tp = node_parent((struct rt_trie_node *) tn);
11207 + if (!tp)
11208 +- RCU_INIT_POINTER(t->trie, (struct rt_trie_node *)tn);
11209 ++ rcu_assign_pointer(t->trie, (struct rt_trie_node *)tn);
11210 +
11211 + tnode_free_flush();
11212 + if (!tp)
11213 +@@ -1027,7 +1027,7 @@ static void trie_rebalance(struct trie *t, struct tnode *tn)
11214 + if (IS_TNODE(tn))
11215 + tn = (struct tnode *)resize(t, (struct tnode *)tn);
11216 +
11217 +- RCU_INIT_POINTER(t->trie, (struct rt_trie_node *)tn);
11218 ++ rcu_assign_pointer(t->trie, (struct rt_trie_node *)tn);
11219 + tnode_free_flush();
11220 + }
11221 +
11222 +@@ -1164,7 +1164,7 @@ static struct list_head *fib_insert_node(struct trie *t, u32 key, int plen)
11223 + put_child(t, (struct tnode *)tp, cindex,
11224 + (struct rt_trie_node *)tn);
11225 + } else {
11226 +- RCU_INIT_POINTER(t->trie, (struct rt_trie_node *)tn);
11227 ++ rcu_assign_pointer(t->trie, (struct rt_trie_node *)tn);
11228 + tp = tn;
11229 + }
11230 + }
11231 +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
11232 +index c3cc64c..c8989a7 100644
11233 +--- a/net/ipv4/igmp.c
11234 ++++ b/net/ipv4/igmp.c
11235 +@@ -1244,7 +1244,7 @@ void ip_mc_inc_group(struct in_device *in_dev, __be32 addr)
11236 +
11237 + im->next_rcu = in_dev->mc_list;
11238 + in_dev->mc_count++;
11239 +- RCU_INIT_POINTER(in_dev->mc_list, im);
11240 ++ rcu_assign_pointer(in_dev->mc_list, im);
11241 +
11242 + #ifdef CONFIG_IP_MULTICAST
11243 + igmpv3_del_delrec(in_dev, im->multiaddr);
11244 +@@ -1816,7 +1816,7 @@ int ip_mc_join_group(struct sock *sk , struct ip_mreqn *imr)
11245 + iml->next_rcu = inet->mc_list;
11246 + iml->sflist = NULL;
11247 + iml->sfmode = MCAST_EXCLUDE;
11248 +- RCU_INIT_POINTER(inet->mc_list, iml);
11249 ++ rcu_assign_pointer(inet->mc_list, iml);
11250 + ip_mc_inc_group(in_dev, addr);
11251 + err = 0;
11252 + done:
11253 +@@ -2003,7 +2003,7 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct
11254 + atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
11255 + kfree_rcu(psl, rcu);
11256 + }
11257 +- RCU_INIT_POINTER(pmc->sflist, newpsl);
11258 ++ rcu_assign_pointer(pmc->sflist, newpsl);
11259 + psl = newpsl;
11260 + }
11261 + rv = 1; /* > 0 for insert logic below if sl_count is 0 */
11262 +@@ -2106,7 +2106,7 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex)
11263 + } else
11264 + (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
11265 + 0, NULL, 0);
11266 +- RCU_INIT_POINTER(pmc->sflist, newpsl);
11267 ++ rcu_assign_pointer(pmc->sflist, newpsl);
11268 + pmc->sfmode = msf->imsf_fmode;
11269 + err = 0;
11270 + done:
11271 +diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
11272 +index 0b2e732..17ad951 100644
11273 +--- a/net/ipv4/ipip.c
11274 ++++ b/net/ipv4/ipip.c
11275 +@@ -231,7 +231,7 @@ static void ipip_tunnel_unlink(struct ipip_net *ipn, struct ip_tunnel *t)
11276 + (iter = rtnl_dereference(*tp)) != NULL;
11277 + tp = &iter->next) {
11278 + if (t == iter) {
11279 +- RCU_INIT_POINTER(*tp, t->next);
11280 ++ rcu_assign_pointer(*tp, t->next);
11281 + break;
11282 + }
11283 + }
11284 +@@ -241,8 +241,8 @@ static void ipip_tunnel_link(struct ipip_net *ipn, struct ip_tunnel *t)
11285 + {
11286 + struct ip_tunnel __rcu **tp = ipip_bucket(ipn, t);
11287 +
11288 +- RCU_INIT_POINTER(t->next, rtnl_dereference(*tp));
11289 +- RCU_INIT_POINTER(*tp, t);
11290 ++ rcu_assign_pointer(t->next, rtnl_dereference(*tp));
11291 ++ rcu_assign_pointer(*tp, t);
11292 + }
11293 +
11294 + static struct ip_tunnel * ipip_tunnel_locate(struct net *net,
11295 +@@ -792,7 +792,7 @@ static int __net_init ipip_fb_tunnel_init(struct net_device *dev)
11296 + return -ENOMEM;
11297 +
11298 + dev_hold(dev);
11299 +- RCU_INIT_POINTER(ipn->tunnels_wc[0], tunnel);
11300 ++ rcu_assign_pointer(ipn->tunnels_wc[0], tunnel);
11301 + return 0;
11302 + }
11303 +
11304 +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
11305 +index 76a7f07..d2aae27 100644
11306 +--- a/net/ipv4/ipmr.c
11307 ++++ b/net/ipv4/ipmr.c
11308 +@@ -1225,7 +1225,7 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
11309 +
11310 + ret = ip_ra_control(sk, 1, mrtsock_destruct);
11311 + if (ret == 0) {
11312 +- RCU_INIT_POINTER(mrt->mroute_sk, sk);
11313 ++ rcu_assign_pointer(mrt->mroute_sk, sk);
11314 + IPV4_DEVCONF_ALL(net, MC_FORWARDING)++;
11315 + }
11316 + rtnl_unlock();
11317 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
11318 +index a9db4b1..c89e354 100644
11319 +--- a/net/ipv4/tcp_ipv4.c
11320 ++++ b/net/ipv4/tcp_ipv4.c
11321 +@@ -630,7 +630,7 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
11322 + arg.iov[0].iov_len = sizeof(rep.th);
11323 +
11324 + #ifdef CONFIG_TCP_MD5SIG
11325 +- key = sk ? tcp_v4_md5_do_lookup(sk, ip_hdr(skb)->daddr) : NULL;
11326 ++ key = sk ? tcp_v4_md5_do_lookup(sk, ip_hdr(skb)->saddr) : NULL;
11327 + if (key) {
11328 + rep.opt[0] = htonl((TCPOPT_NOP << 24) |
11329 + (TCPOPT_NOP << 16) |
11330 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
11331 +index 63170e2..097e0c7 100644
11332 +--- a/net/ipv4/tcp_output.c
11333 ++++ b/net/ipv4/tcp_output.c
11334 +@@ -1138,11 +1138,9 @@ int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)
11335 + sk_mem_uncharge(sk, len);
11336 + sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
11337 +
11338 +- /* Any change of skb->len requires recalculation of tso
11339 +- * factor and mss.
11340 +- */
11341 ++ /* Any change of skb->len requires recalculation of tso factor. */
11342 + if (tcp_skb_pcount(skb) > 1)
11343 +- tcp_set_skb_tso_segs(sk, skb, tcp_current_mss(sk));
11344 ++ tcp_set_skb_tso_segs(sk, skb, tcp_skb_mss(skb));
11345 +
11346 + return 0;
11347 + }
11348 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
11349 +index 36806de..836c4ea 100644
11350 +--- a/net/ipv6/addrconf.c
11351 ++++ b/net/ipv6/addrconf.c
11352 +@@ -429,7 +429,7 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
11353 + ndev->tstamp = jiffies;
11354 + addrconf_sysctl_register(ndev);
11355 + /* protected by rtnl_lock */
11356 +- RCU_INIT_POINTER(dev->ip6_ptr, ndev);
11357 ++ rcu_assign_pointer(dev->ip6_ptr, ndev);
11358 +
11359 + /* Join all-node multicast group */
11360 + ipv6_dev_mc_inc(dev, &in6addr_linklocal_allnodes);
11361 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
11362 +index 4e2e9ff..d19f499 100644
11363 +--- a/net/ipv6/ip6_tunnel.c
11364 ++++ b/net/ipv6/ip6_tunnel.c
11365 +@@ -218,8 +218,8 @@ ip6_tnl_link(struct ip6_tnl_net *ip6n, struct ip6_tnl *t)
11366 + {
11367 + struct ip6_tnl __rcu **tp = ip6_tnl_bucket(ip6n, &t->parms);
11368 +
11369 +- RCU_INIT_POINTER(t->next , rtnl_dereference(*tp));
11370 +- RCU_INIT_POINTER(*tp, t);
11371 ++ rcu_assign_pointer(t->next , rtnl_dereference(*tp));
11372 ++ rcu_assign_pointer(*tp, t);
11373 + }
11374 +
11375 + /**
11376 +@@ -237,7 +237,7 @@ ip6_tnl_unlink(struct ip6_tnl_net *ip6n, struct ip6_tnl *t)
11377 + (iter = rtnl_dereference(*tp)) != NULL;
11378 + tp = &iter->next) {
11379 + if (t == iter) {
11380 +- RCU_INIT_POINTER(*tp, t->next);
11381 ++ rcu_assign_pointer(*tp, t->next);
11382 + break;
11383 + }
11384 + }
11385 +@@ -1450,7 +1450,7 @@ static int __net_init ip6_fb_tnl_dev_init(struct net_device *dev)
11386 +
11387 + t->parms.proto = IPPROTO_IPV6;
11388 + dev_hold(dev);
11389 +- RCU_INIT_POINTER(ip6n->tnls_wc[0], t);
11390 ++ rcu_assign_pointer(ip6n->tnls_wc[0], t);
11391 + return 0;
11392 + }
11393 +
11394 +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
11395 +index 331af3b..361ebf3 100644
11396 +--- a/net/ipv6/raw.c
11397 ++++ b/net/ipv6/raw.c
11398 +@@ -131,7 +131,7 @@ static mh_filter_t __rcu *mh_filter __read_mostly;
11399 +
11400 + int rawv6_mh_filter_register(mh_filter_t filter)
11401 + {
11402 +- RCU_INIT_POINTER(mh_filter, filter);
11403 ++ rcu_assign_pointer(mh_filter, filter);
11404 + return 0;
11405 + }
11406 + EXPORT_SYMBOL(rawv6_mh_filter_register);
11407 +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
11408 +index 96f3623..72a939d 100644
11409 +--- a/net/ipv6/sit.c
11410 ++++ b/net/ipv6/sit.c
11411 +@@ -182,7 +182,7 @@ static void ipip6_tunnel_unlink(struct sit_net *sitn, struct ip_tunnel *t)
11412 + (iter = rtnl_dereference(*tp)) != NULL;
11413 + tp = &iter->next) {
11414 + if (t == iter) {
11415 +- RCU_INIT_POINTER(*tp, t->next);
11416 ++ rcu_assign_pointer(*tp, t->next);
11417 + break;
11418 + }
11419 + }
11420 +@@ -192,8 +192,8 @@ static void ipip6_tunnel_link(struct sit_net *sitn, struct ip_tunnel *t)
11421 + {
11422 + struct ip_tunnel __rcu **tp = ipip6_bucket(sitn, t);
11423 +
11424 +- RCU_INIT_POINTER(t->next, rtnl_dereference(*tp));
11425 +- RCU_INIT_POINTER(*tp, t);
11426 ++ rcu_assign_pointer(t->next, rtnl_dereference(*tp));
11427 ++ rcu_assign_pointer(*tp, t);
11428 + }
11429 +
11430 + static void ipip6_tunnel_clone_6rd(struct net_device *dev, struct sit_net *sitn)
11431 +@@ -393,7 +393,7 @@ ipip6_tunnel_add_prl(struct ip_tunnel *t, struct ip_tunnel_prl *a, int chg)
11432 + p->addr = a->addr;
11433 + p->flags = a->flags;
11434 + t->prl_count++;
11435 +- RCU_INIT_POINTER(t->prl, p);
11436 ++ rcu_assign_pointer(t->prl, p);
11437 + out:
11438 + return err;
11439 + }
11440 +@@ -1177,7 +1177,7 @@ static int __net_init ipip6_fb_tunnel_init(struct net_device *dev)
11441 + if (!dev->tstats)
11442 + return -ENOMEM;
11443 + dev_hold(dev);
11444 +- RCU_INIT_POINTER(sitn->tunnels_wc[0], tunnel);
11445 ++ rcu_assign_pointer(sitn->tunnels_wc[0], tunnel);
11446 + return 0;
11447 + }
11448 +
11449 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
11450 +index 2dea4bb..b859e4a 100644
11451 +--- a/net/ipv6/tcp_ipv6.c
11452 ++++ b/net/ipv6/tcp_ipv6.c
11453 +@@ -1084,7 +1084,7 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
11454 +
11455 + #ifdef CONFIG_TCP_MD5SIG
11456 + if (sk)
11457 +- key = tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr);
11458 ++ key = tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr);
11459 + #endif
11460 +
11461 + if (th->ack)
11462 +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
11463 +index d21e7eb..55670ec 100644
11464 +--- a/net/l2tp/l2tp_ip.c
11465 ++++ b/net/l2tp/l2tp_ip.c
11466 +@@ -393,11 +393,6 @@ static int l2tp_ip_backlog_recv(struct sock *sk, struct sk_buff *skb)
11467 + {
11468 + int rc;
11469 +
11470 +- if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
11471 +- goto drop;
11472 +-
11473 +- nf_reset(skb);
11474 +-
11475 + /* Charge it to the socket, dropping if the queue is full. */
11476 + rc = sock_queue_rcv_skb(sk, skb);
11477 + if (rc < 0)
11478 +diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
11479 +index 93b2434..41c2310 100644
11480 +--- a/net/mac80211/agg-rx.c
11481 ++++ b/net/mac80211/agg-rx.c
11482 +@@ -326,7 +326,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
11483 + status = WLAN_STATUS_SUCCESS;
11484 +
11485 + /* activate it for RX */
11486 +- RCU_INIT_POINTER(sta->ampdu_mlme.tid_rx[tid], tid_agg_rx);
11487 ++ rcu_assign_pointer(sta->ampdu_mlme.tid_rx[tid], tid_agg_rx);
11488 +
11489 + if (timeout)
11490 + mod_timer(&tid_agg_rx->session_timer, TU_TO_EXP_TIME(timeout));
11491 +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
11492 +index d06c65f..11cee76 100644
11493 +--- a/net/mac80211/cfg.c
11494 ++++ b/net/mac80211/cfg.c
11495 +@@ -575,7 +575,7 @@ static int ieee80211_config_beacon(struct ieee80211_sub_if_data *sdata,
11496 +
11497 + sdata->vif.bss_conf.dtim_period = new->dtim_period;
11498 +
11499 +- RCU_INIT_POINTER(sdata->u.ap.beacon, new);
11500 ++ rcu_assign_pointer(sdata->u.ap.beacon, new);
11501 +
11502 + synchronize_rcu();
11503 +
11504 +@@ -922,7 +922,7 @@ static int ieee80211_change_station(struct wiphy *wiphy,
11505 + return -EBUSY;
11506 + }
11507 +
11508 +- RCU_INIT_POINTER(vlansdata->u.vlan.sta, sta);
11509 ++ rcu_assign_pointer(vlansdata->u.vlan.sta, sta);
11510 + }
11511 +
11512 + sta->sdata = vlansdata;
11513 +diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
11514 +index ede9a8b..3ece106 100644
11515 +--- a/net/mac80211/ibss.c
11516 ++++ b/net/mac80211/ibss.c
11517 +@@ -184,7 +184,7 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
11518 + *pos++ = 0; /* U-APSD no in use */
11519 + }
11520 +
11521 +- RCU_INIT_POINTER(ifibss->presp, skb);
11522 ++ rcu_assign_pointer(ifibss->presp, skb);
11523 +
11524 + sdata->vif.bss_conf.beacon_int = beacon_int;
11525 + sdata->vif.bss_conf.basic_rates = basic_rates;
11526 +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
11527 +index b1b1bb3..9da8626 100644
11528 +--- a/net/mac80211/mlme.c
11529 ++++ b/net/mac80211/mlme.c
11530 +@@ -2719,7 +2719,6 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
11531 + {
11532 + struct ieee80211_local *local = sdata->local;
11533 + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
11534 +- struct ieee80211_work *wk;
11535 + u8 bssid[ETH_ALEN];
11536 + bool assoc_bss = false;
11537 +
11538 +@@ -2732,30 +2731,47 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
11539 + assoc_bss = true;
11540 + } else {
11541 + bool not_auth_yet = false;
11542 ++ struct ieee80211_work *tmp, *wk = NULL;
11543 +
11544 + mutex_unlock(&ifmgd->mtx);
11545 +
11546 + mutex_lock(&local->mtx);
11547 +- list_for_each_entry(wk, &local->work_list, list) {
11548 +- if (wk->sdata != sdata)
11549 ++ list_for_each_entry(tmp, &local->work_list, list) {
11550 ++ if (tmp->sdata != sdata)
11551 + continue;
11552 +
11553 +- if (wk->type != IEEE80211_WORK_DIRECT_PROBE &&
11554 +- wk->type != IEEE80211_WORK_AUTH &&
11555 +- wk->type != IEEE80211_WORK_ASSOC &&
11556 +- wk->type != IEEE80211_WORK_ASSOC_BEACON_WAIT)
11557 ++ if (tmp->type != IEEE80211_WORK_DIRECT_PROBE &&
11558 ++ tmp->type != IEEE80211_WORK_AUTH &&
11559 ++ tmp->type != IEEE80211_WORK_ASSOC &&
11560 ++ tmp->type != IEEE80211_WORK_ASSOC_BEACON_WAIT)
11561 + continue;
11562 +
11563 +- if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN))
11564 ++ if (memcmp(req->bss->bssid, tmp->filter_ta, ETH_ALEN))
11565 + continue;
11566 +
11567 +- not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE;
11568 +- list_del_rcu(&wk->list);
11569 +- free_work(wk);
11570 ++ not_auth_yet = tmp->type == IEEE80211_WORK_DIRECT_PROBE;
11571 ++ list_del_rcu(&tmp->list);
11572 ++ synchronize_rcu();
11573 ++ wk = tmp;
11574 + break;
11575 + }
11576 + mutex_unlock(&local->mtx);
11577 +
11578 ++ if (wk && wk->type == IEEE80211_WORK_ASSOC) {
11579 ++ /* clean up dummy sta & TX sync */
11580 ++ sta_info_destroy_addr(wk->sdata, wk->filter_ta);
11581 ++ if (wk->assoc.synced)
11582 ++ drv_finish_tx_sync(local, wk->sdata,
11583 ++ wk->filter_ta,
11584 ++ IEEE80211_TX_SYNC_ASSOC);
11585 ++ } else if (wk && wk->type == IEEE80211_WORK_AUTH) {
11586 ++ if (wk->probe_auth.synced)
11587 ++ drv_finish_tx_sync(local, wk->sdata,
11588 ++ wk->filter_ta,
11589 ++ IEEE80211_TX_SYNC_AUTH);
11590 ++ }
11591 ++ kfree(wk);
11592 ++
11593 + /*
11594 + * If somebody requests authentication and we haven't
11595 + * sent out an auth frame yet there's no need to send
11596 +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
11597 +index 8eaa746..1fdd8ff 100644
11598 +--- a/net/mac80211/sta_info.c
11599 ++++ b/net/mac80211/sta_info.c
11600 +@@ -73,7 +73,7 @@ static int sta_info_hash_del(struct ieee80211_local *local,
11601 + if (!s)
11602 + return -ENOENT;
11603 + if (s == sta) {
11604 +- RCU_INIT_POINTER(local->sta_hash[STA_HASH(sta->sta.addr)],
11605 ++ rcu_assign_pointer(local->sta_hash[STA_HASH(sta->sta.addr)],
11606 + s->hnext);
11607 + return 0;
11608 + }
11609 +@@ -83,7 +83,7 @@ static int sta_info_hash_del(struct ieee80211_local *local,
11610 + s = rcu_dereference_protected(s->hnext,
11611 + lockdep_is_held(&local->sta_lock));
11612 + if (rcu_access_pointer(s->hnext)) {
11613 +- RCU_INIT_POINTER(s->hnext, sta->hnext);
11614 ++ rcu_assign_pointer(s->hnext, sta->hnext);
11615 + return 0;
11616 + }
11617 +
11618 +@@ -232,7 +232,7 @@ static void sta_info_hash_add(struct ieee80211_local *local,
11619 + struct sta_info *sta)
11620 + {
11621 + sta->hnext = local->sta_hash[STA_HASH(sta->sta.addr)];
11622 +- RCU_INIT_POINTER(local->sta_hash[STA_HASH(sta->sta.addr)], sta);
11623 ++ rcu_assign_pointer(local->sta_hash[STA_HASH(sta->sta.addr)], sta);
11624 + }
11625 +
11626 + static void sta_unblock(struct work_struct *wk)
11627 +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
11628 +index 7202b06..1d15193 100644
11629 +--- a/net/netfilter/nf_conntrack_core.c
11630 ++++ b/net/netfilter/nf_conntrack_core.c
11631 +@@ -776,7 +776,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
11632 + if (exp->helper) {
11633 + help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
11634 + if (help)
11635 +- RCU_INIT_POINTER(help->helper, exp->helper);
11636 ++ rcu_assign_pointer(help->helper, exp->helper);
11637 + }
11638 +
11639 + #ifdef CONFIG_NF_CONNTRACK_MARK
11640 +diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
11641 +index b62c414..14af632 100644
11642 +--- a/net/netfilter/nf_conntrack_ecache.c
11643 ++++ b/net/netfilter/nf_conntrack_ecache.c
11644 +@@ -91,7 +91,7 @@ int nf_conntrack_register_notifier(struct net *net,
11645 + ret = -EBUSY;
11646 + goto out_unlock;
11647 + }
11648 +- RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, new);
11649 ++ rcu_assign_pointer(net->ct.nf_conntrack_event_cb, new);
11650 + mutex_unlock(&nf_ct_ecache_mutex);
11651 + return ret;
11652 +
11653 +@@ -128,7 +128,7 @@ int nf_ct_expect_register_notifier(struct net *net,
11654 + ret = -EBUSY;
11655 + goto out_unlock;
11656 + }
11657 +- RCU_INIT_POINTER(net->ct.nf_expect_event_cb, new);
11658 ++ rcu_assign_pointer(net->ct.nf_expect_event_cb, new);
11659 + mutex_unlock(&nf_ct_ecache_mutex);
11660 + return ret;
11661 +
11662 +diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
11663 +index 4605c94..641ff5f 100644
11664 +--- a/net/netfilter/nf_conntrack_extend.c
11665 ++++ b/net/netfilter/nf_conntrack_extend.c
11666 +@@ -169,7 +169,7 @@ int nf_ct_extend_register(struct nf_ct_ext_type *type)
11667 + before updating alloc_size */
11668 + type->alloc_size = ALIGN(sizeof(struct nf_ct_ext), type->align)
11669 + + type->len;
11670 +- RCU_INIT_POINTER(nf_ct_ext_types[type->id], type);
11671 ++ rcu_assign_pointer(nf_ct_ext_types[type->id], type);
11672 + update_alloc_size(type);
11673 + out:
11674 + mutex_unlock(&nf_ct_ext_type_mutex);
11675 +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
11676 +index 93c4bdb..bbe23ba 100644
11677 +--- a/net/netfilter/nf_conntrack_helper.c
11678 ++++ b/net/netfilter/nf_conntrack_helper.c
11679 +@@ -145,7 +145,7 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
11680 + memset(&help->help, 0, sizeof(help->help));
11681 + }
11682 +
11683 +- RCU_INIT_POINTER(help->helper, helper);
11684 ++ rcu_assign_pointer(help->helper, helper);
11685 + out:
11686 + return ret;
11687 + }
11688 +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
11689 +index 257e772..782cdcd 100644
11690 +--- a/net/netfilter/nf_conntrack_netlink.c
11691 ++++ b/net/netfilter/nf_conntrack_netlink.c
11692 +@@ -1163,7 +1163,7 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
11693 + return -EOPNOTSUPP;
11694 + }
11695 +
11696 +- RCU_INIT_POINTER(help->helper, helper);
11697 ++ rcu_assign_pointer(help->helper, helper);
11698 +
11699 + return 0;
11700 + }
11701 +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
11702 +index ce0c406..957374a 100644
11703 +--- a/net/netfilter/nf_log.c
11704 ++++ b/net/netfilter/nf_log.c
11705 +@@ -55,7 +55,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
11706 + llog = rcu_dereference_protected(nf_loggers[pf],
11707 + lockdep_is_held(&nf_log_mutex));
11708 + if (llog == NULL)
11709 +- RCU_INIT_POINTER(nf_loggers[pf], logger);
11710 ++ rcu_assign_pointer(nf_loggers[pf], logger);
11711 + }
11712 +
11713 + mutex_unlock(&nf_log_mutex);
11714 +@@ -92,7 +92,7 @@ int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger)
11715 + mutex_unlock(&nf_log_mutex);
11716 + return -ENOENT;
11717 + }
11718 +- RCU_INIT_POINTER(nf_loggers[pf], logger);
11719 ++ rcu_assign_pointer(nf_loggers[pf], logger);
11720 + mutex_unlock(&nf_log_mutex);
11721 + return 0;
11722 + }
11723 +@@ -250,7 +250,7 @@ static int nf_log_proc_dostring(ctl_table *table, int write,
11724 + mutex_unlock(&nf_log_mutex);
11725 + return -ENOENT;
11726 + }
11727 +- RCU_INIT_POINTER(nf_loggers[tindex], logger);
11728 ++ rcu_assign_pointer(nf_loggers[tindex], logger);
11729 + mutex_unlock(&nf_log_mutex);
11730 + } else {
11731 + mutex_lock(&nf_log_mutex);
11732 +diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
11733 +index 99ffd28..b3a7db6 100644
11734 +--- a/net/netfilter/nf_queue.c
11735 ++++ b/net/netfilter/nf_queue.c
11736 +@@ -40,7 +40,7 @@ int nf_register_queue_handler(u_int8_t pf, const struct nf_queue_handler *qh)
11737 + else if (old)
11738 + ret = -EBUSY;
11739 + else {
11740 +- RCU_INIT_POINTER(queue_handler[pf], qh);
11741 ++ rcu_assign_pointer(queue_handler[pf], qh);
11742 + ret = 0;
11743 + }
11744 + mutex_unlock(&queue_handler_mutex);
11745 +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
11746 +index c879c1a..b4f8d84 100644
11747 +--- a/net/netfilter/nfnetlink.c
11748 ++++ b/net/netfilter/nfnetlink.c
11749 +@@ -59,7 +59,7 @@ int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)
11750 + nfnl_unlock();
11751 + return -EBUSY;
11752 + }
11753 +- RCU_INIT_POINTER(subsys_table[n->subsys_id], n);
11754 ++ rcu_assign_pointer(subsys_table[n->subsys_id], n);
11755 + nfnl_unlock();
11756 +
11757 + return 0;
11758 +@@ -210,7 +210,7 @@ static int __net_init nfnetlink_net_init(struct net *net)
11759 + if (!nfnl)
11760 + return -ENOMEM;
11761 + net->nfnl_stash = nfnl;
11762 +- RCU_INIT_POINTER(net->nfnl, nfnl);
11763 ++ rcu_assign_pointer(net->nfnl, nfnl);
11764 + return 0;
11765 + }
11766 +
11767 +diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
11768 +index 3f905e5..e5330ed 100644
11769 +--- a/net/netlabel/netlabel_domainhash.c
11770 ++++ b/net/netlabel/netlabel_domainhash.c
11771 +@@ -282,7 +282,7 @@ int __init netlbl_domhsh_init(u32 size)
11772 + INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
11773 +
11774 + spin_lock(&netlbl_domhsh_lock);
11775 +- RCU_INIT_POINTER(netlbl_domhsh, hsh_tbl);
11776 ++ rcu_assign_pointer(netlbl_domhsh, hsh_tbl);
11777 + spin_unlock(&netlbl_domhsh_lock);
11778 +
11779 + return 0;
11780 +@@ -330,7 +330,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
11781 + &rcu_dereference(netlbl_domhsh)->tbl[bkt]);
11782 + } else {
11783 + INIT_LIST_HEAD(&entry->list);
11784 +- RCU_INIT_POINTER(netlbl_domhsh_def, entry);
11785 ++ rcu_assign_pointer(netlbl_domhsh_def, entry);
11786 + }
11787 +
11788 + if (entry->type == NETLBL_NLTYPE_ADDRSELECT) {
11789 +diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
11790 +index e251c2c..d463f5a 100644
11791 +--- a/net/netlabel/netlabel_unlabeled.c
11792 ++++ b/net/netlabel/netlabel_unlabeled.c
11793 +@@ -354,7 +354,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
11794 + INIT_LIST_HEAD(&iface->list);
11795 + if (netlbl_unlhsh_rcu_deref(netlbl_unlhsh_def) != NULL)
11796 + goto add_iface_failure;
11797 +- RCU_INIT_POINTER(netlbl_unlhsh_def, iface);
11798 ++ rcu_assign_pointer(netlbl_unlhsh_def, iface);
11799 + }
11800 + spin_unlock(&netlbl_unlhsh_lock);
11801 +
11802 +@@ -1447,11 +1447,9 @@ int __init netlbl_unlabel_init(u32 size)
11803 + for (iter = 0; iter < hsh_tbl->size; iter++)
11804 + INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
11805 +
11806 +- rcu_read_lock();
11807 + spin_lock(&netlbl_unlhsh_lock);
11808 +- RCU_INIT_POINTER(netlbl_unlhsh, hsh_tbl);
11809 ++ rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
11810 + spin_unlock(&netlbl_unlhsh_lock);
11811 +- rcu_read_unlock();
11812 +
11813 + register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
11814 +
11815 +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
11816 +index bf10ea8..d65f699 100644
11817 +--- a/net/phonet/af_phonet.c
11818 ++++ b/net/phonet/af_phonet.c
11819 +@@ -480,7 +480,7 @@ int __init_or_module phonet_proto_register(unsigned int protocol,
11820 + if (proto_tab[protocol])
11821 + err = -EBUSY;
11822 + else
11823 +- RCU_INIT_POINTER(proto_tab[protocol], pp);
11824 ++ rcu_assign_pointer(proto_tab[protocol], pp);
11825 + mutex_unlock(&proto_tab_lock);
11826 +
11827 + return err;
11828 +diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
11829 +index c582761..9b9a85e 100644
11830 +--- a/net/phonet/pn_dev.c
11831 ++++ b/net/phonet/pn_dev.c
11832 +@@ -390,7 +390,7 @@ int phonet_route_add(struct net_device *dev, u8 daddr)
11833 + daddr = daddr >> 2;
11834 + mutex_lock(&routes->lock);
11835 + if (routes->table[daddr] == NULL) {
11836 +- RCU_INIT_POINTER(routes->table[daddr], dev);
11837 ++ rcu_assign_pointer(routes->table[daddr], dev);
11838 + dev_hold(dev);
11839 + err = 0;
11840 + }
11841 +diff --git a/net/phonet/socket.c b/net/phonet/socket.c
11842 +index 3f8d0b1..4c7eff3 100644
11843 +--- a/net/phonet/socket.c
11844 ++++ b/net/phonet/socket.c
11845 +@@ -680,7 +680,7 @@ int pn_sock_bind_res(struct sock *sk, u8 res)
11846 + mutex_lock(&resource_mutex);
11847 + if (pnres.sk[res] == NULL) {
11848 + sock_hold(sk);
11849 +- RCU_INIT_POINTER(pnres.sk[res], sk);
11850 ++ rcu_assign_pointer(pnres.sk[res], sk);
11851 + ret = 0;
11852 + }
11853 + mutex_unlock(&resource_mutex);
11854 +diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
11855 +index bb6ad81..424ff62 100644
11856 +--- a/net/rds/af_rds.c
11857 ++++ b/net/rds/af_rds.c
11858 +@@ -68,7 +68,6 @@ static int rds_release(struct socket *sock)
11859 + {
11860 + struct sock *sk = sock->sk;
11861 + struct rds_sock *rs;
11862 +- unsigned long flags;
11863 +
11864 + if (!sk)
11865 + goto out;
11866 +@@ -94,10 +93,10 @@ static int rds_release(struct socket *sock)
11867 + rds_rdma_drop_keys(rs);
11868 + rds_notify_queue_get(rs, NULL);
11869 +
11870 +- spin_lock_irqsave(&rds_sock_lock, flags);
11871 ++ spin_lock_bh(&rds_sock_lock);
11872 + list_del_init(&rs->rs_item);
11873 + rds_sock_count--;
11874 +- spin_unlock_irqrestore(&rds_sock_lock, flags);
11875 ++ spin_unlock_bh(&rds_sock_lock);
11876 +
11877 + rds_trans_put(rs->rs_transport);
11878 +
11879 +@@ -409,7 +408,6 @@ static const struct proto_ops rds_proto_ops = {
11880 +
11881 + static int __rds_create(struct socket *sock, struct sock *sk, int protocol)
11882 + {
11883 +- unsigned long flags;
11884 + struct rds_sock *rs;
11885 +
11886 + sock_init_data(sock, sk);
11887 +@@ -426,10 +424,10 @@ static int __rds_create(struct socket *sock, struct sock *sk, int protocol)
11888 + spin_lock_init(&rs->rs_rdma_lock);
11889 + rs->rs_rdma_keys = RB_ROOT;
11890 +
11891 +- spin_lock_irqsave(&rds_sock_lock, flags);
11892 ++ spin_lock_bh(&rds_sock_lock);
11893 + list_add_tail(&rs->rs_item, &rds_sock_list);
11894 + rds_sock_count++;
11895 +- spin_unlock_irqrestore(&rds_sock_lock, flags);
11896 ++ spin_unlock_bh(&rds_sock_lock);
11897 +
11898 + return 0;
11899 + }
11900 +@@ -471,12 +469,11 @@ static void rds_sock_inc_info(struct socket *sock, unsigned int len,
11901 + {
11902 + struct rds_sock *rs;
11903 + struct rds_incoming *inc;
11904 +- unsigned long flags;
11905 + unsigned int total = 0;
11906 +
11907 + len /= sizeof(struct rds_info_message);
11908 +
11909 +- spin_lock_irqsave(&rds_sock_lock, flags);
11910 ++ spin_lock_bh(&rds_sock_lock);
11911 +
11912 + list_for_each_entry(rs, &rds_sock_list, rs_item) {
11913 + read_lock(&rs->rs_recv_lock);
11914 +@@ -492,7 +489,7 @@ static void rds_sock_inc_info(struct socket *sock, unsigned int len,
11915 + read_unlock(&rs->rs_recv_lock);
11916 + }
11917 +
11918 +- spin_unlock_irqrestore(&rds_sock_lock, flags);
11919 ++ spin_unlock_bh(&rds_sock_lock);
11920 +
11921 + lens->nr = total;
11922 + lens->each = sizeof(struct rds_info_message);
11923 +@@ -504,11 +501,10 @@ static void rds_sock_info(struct socket *sock, unsigned int len,
11924 + {
11925 + struct rds_info_socket sinfo;
11926 + struct rds_sock *rs;
11927 +- unsigned long flags;
11928 +
11929 + len /= sizeof(struct rds_info_socket);
11930 +
11931 +- spin_lock_irqsave(&rds_sock_lock, flags);
11932 ++ spin_lock_bh(&rds_sock_lock);
11933 +
11934 + if (len < rds_sock_count)
11935 + goto out;
11936 +@@ -529,7 +525,7 @@ out:
11937 + lens->nr = rds_sock_count;
11938 + lens->each = sizeof(struct rds_info_socket);
11939 +
11940 +- spin_unlock_irqrestore(&rds_sock_lock, flags);
11941 ++ spin_unlock_bh(&rds_sock_lock);
11942 + }
11943 +
11944 + static void rds_exit(void)
11945 +diff --git a/net/socket.c b/net/socket.c
11946 +index 2877647..2dce67a 100644
11947 +--- a/net/socket.c
11948 ++++ b/net/socket.c
11949 +@@ -2472,7 +2472,7 @@ int sock_register(const struct net_proto_family *ops)
11950 + lockdep_is_held(&net_family_lock)))
11951 + err = -EEXIST;
11952 + else {
11953 +- RCU_INIT_POINTER(net_families[ops->family], ops);
11954 ++ rcu_assign_pointer(net_families[ops->family], ops);
11955 + err = 0;
11956 + }
11957 + spin_unlock(&net_family_lock);
11958 +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
11959 +index afb5655..db0efde 100644
11960 +--- a/net/sunrpc/auth_gss/auth_gss.c
11961 ++++ b/net/sunrpc/auth_gss/auth_gss.c
11962 +@@ -122,7 +122,7 @@ gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx)
11963 + if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags))
11964 + return;
11965 + gss_get_ctx(ctx);
11966 +- RCU_INIT_POINTER(gss_cred->gc_ctx, ctx);
11967 ++ rcu_assign_pointer(gss_cred->gc_ctx, ctx);
11968 + set_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
11969 + smp_mb__before_clear_bit();
11970 + clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags);
11971 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
11972 +index b595a3d..d99678a 100644
11973 +--- a/net/unix/af_unix.c
11974 ++++ b/net/unix/af_unix.c
11975 +@@ -1915,7 +1915,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
11976 + struct sk_buff *skb;
11977 +
11978 + unix_state_lock(sk);
11979 +- skb = skb_dequeue(&sk->sk_receive_queue);
11980 ++ skb = skb_peek(&sk->sk_receive_queue);
11981 + if (skb == NULL) {
11982 + unix_sk(sk)->recursion_level = 0;
11983 + if (copied >= target)
11984 +@@ -1955,11 +1955,8 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
11985 + if (check_creds) {
11986 + /* Never glue messages from different writers */
11987 + if ((UNIXCB(skb).pid != siocb->scm->pid) ||
11988 +- (UNIXCB(skb).cred != siocb->scm->cred)) {
11989 +- skb_queue_head(&sk->sk_receive_queue, skb);
11990 +- sk->sk_data_ready(sk, skb->len);
11991 ++ (UNIXCB(skb).cred != siocb->scm->cred))
11992 + break;
11993 +- }
11994 + } else {
11995 + /* Copy credentials */
11996 + scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
11997 +@@ -1974,8 +1971,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
11998 +
11999 + chunk = min_t(unsigned int, skb->len, size);
12000 + if (memcpy_toiovec(msg->msg_iov, skb->data, chunk)) {
12001 +- skb_queue_head(&sk->sk_receive_queue, skb);
12002 +- sk->sk_data_ready(sk, skb->len);
12003 + if (copied == 0)
12004 + copied = -EFAULT;
12005 + break;
12006 +@@ -1990,13 +1985,10 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
12007 + if (UNIXCB(skb).fp)
12008 + unix_detach_fds(siocb->scm, skb);
12009 +
12010 +- /* put the skb back if we didn't use it up.. */
12011 +- if (skb->len) {
12012 +- skb_queue_head(&sk->sk_receive_queue, skb);
12013 +- sk->sk_data_ready(sk, skb->len);
12014 ++ if (skb->len)
12015 + break;
12016 +- }
12017 +
12018 ++ skb_unlink(skb, &sk->sk_receive_queue);
12019 + consume_skb(skb);
12020 +
12021 + if (siocb->scm->fp)
12022 +@@ -2007,9 +1999,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
12023 + if (UNIXCB(skb).fp)
12024 + siocb->scm->fp = scm_fp_dup(UNIXCB(skb).fp);
12025 +
12026 +- /* put message back and return */
12027 +- skb_queue_head(&sk->sk_receive_queue, skb);
12028 +- sk->sk_data_ready(sk, skb->len);
12029 + break;
12030 + }
12031 + } while (size);
12032 +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
12033 +index d0a42df..7cae73e 100644
12034 +--- a/net/xfrm/xfrm_user.c
12035 ++++ b/net/xfrm/xfrm_user.c
12036 +@@ -2927,7 +2927,7 @@ static int __net_init xfrm_user_net_init(struct net *net)
12037 + if (nlsk == NULL)
12038 + return -ENOMEM;
12039 + net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */
12040 +- RCU_INIT_POINTER(net->xfrm.nlsk, nlsk);
12041 ++ rcu_assign_pointer(net->xfrm.nlsk, nlsk);
12042 + return 0;
12043 + }
12044 +
12045 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
12046 +index 5b2b75b..192e6c0 100644
12047 +--- a/sound/pci/hda/hda_intel.c
12048 ++++ b/sound/pci/hda/hda_intel.c
12049 +@@ -461,6 +461,7 @@ struct azx {
12050 + unsigned int irq_pending_warned :1;
12051 + unsigned int probing :1; /* codec probing phase */
12052 + unsigned int snoop:1;
12053 ++ unsigned int align_buffer_size:1;
12054 +
12055 + /* for debugging */
12056 + unsigned int last_cmd[AZX_MAX_CODECS];
12057 +@@ -1697,7 +1698,7 @@ static int azx_pcm_open(struct snd_pcm_substream *substream)
12058 + runtime->hw.rates = hinfo->rates;
12059 + snd_pcm_limit_hw_rates(runtime);
12060 + snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);
12061 +- if (align_buffer_size)
12062 ++ if (chip->align_buffer_size)
12063 + /* constrain buffer sizes to be multiple of 128
12064 + bytes. This is more efficient in terms of memory
12065 + access but isn't required by the HDA spec and
12066 +@@ -2753,8 +2754,9 @@ static int __devinit azx_create(struct snd_card *card, struct pci_dev *pci,
12067 + }
12068 +
12069 + /* disable buffer size rounding to 128-byte multiples if supported */
12070 ++ chip->align_buffer_size = align_buffer_size;
12071 + if (chip->driver_caps & AZX_DCAPS_BUFSIZE)
12072 +- align_buffer_size = 0;
12073 ++ chip->align_buffer_size = 0;
12074 +
12075 + /* allow 64bit DMA address if supported by H/W */
12076 + if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64)))
12077 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
12078 +index 1d07e8f..5f03c40 100644
12079 +--- a/sound/pci/hda/patch_realtek.c
12080 ++++ b/sound/pci/hda/patch_realtek.c
12081 +@@ -5223,6 +5223,7 @@ static const struct hda_amp_list alc861_loopbacks[] = {
12082 + /* Pin config fixes */
12083 + enum {
12084 + PINFIX_FSC_AMILO_PI1505,
12085 ++ PINFIX_ASUS_A6RP,
12086 + };
12087 +
12088 + static const struct alc_fixup alc861_fixups[] = {
12089 +@@ -5234,9 +5235,19 @@ static const struct alc_fixup alc861_fixups[] = {
12090 + { }
12091 + }
12092 + },
12093 ++ [PINFIX_ASUS_A6RP] = {
12094 ++ .type = ALC_FIXUP_VERBS,
12095 ++ .v.verbs = (const struct hda_verb[]) {
12096 ++ /* node 0x0f VREF seems controlling the master output */
12097 ++ { 0x0f, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_VREF50 },
12098 ++ { }
12099 ++ },
12100 ++ },
12101 + };
12102 +
12103 + static const struct snd_pci_quirk alc861_fixup_tbl[] = {
12104 ++ SND_PCI_QUIRK(0x1043, 0x1393, "ASUS A6Rp", PINFIX_ASUS_A6RP),
12105 ++ SND_PCI_QUIRK(0x1584, 0x2b01, "Haier W18", PINFIX_ASUS_A6RP),
12106 + SND_PCI_QUIRK(0x1734, 0x10c7, "FSC Amilo Pi1505", PINFIX_FSC_AMILO_PI1505),
12107 + {}
12108 + };
12109 +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
12110 +index f3c73a9..ccdac27 100644
12111 +--- a/sound/pci/hda/patch_sigmatel.c
12112 ++++ b/sound/pci/hda/patch_sigmatel.c
12113 +@@ -4253,13 +4253,15 @@ static int enable_pin_detect(struct hda_codec *codec, hda_nid_t nid,
12114 + return 1;
12115 + }
12116 +
12117 +-static int is_nid_hp_pin(struct auto_pin_cfg *cfg, hda_nid_t nid)
12118 ++static int is_nid_out_jack_pin(struct auto_pin_cfg *cfg, hda_nid_t nid)
12119 + {
12120 + int i;
12121 + for (i = 0; i < cfg->hp_outs; i++)
12122 + if (cfg->hp_pins[i] == nid)
12123 + return 1; /* nid is a HP-Out */
12124 +-
12125 ++ for (i = 0; i < cfg->line_outs; i++)
12126 ++ if (cfg->line_out_pins[i] == nid)
12127 ++ return 1; /* nid is a line-Out */
12128 + return 0; /* nid is not a HP-Out */
12129 + };
12130 +
12131 +@@ -4465,7 +4467,7 @@ static int stac92xx_init(struct hda_codec *codec)
12132 + continue;
12133 + }
12134 +
12135 +- if (is_nid_hp_pin(cfg, nid))
12136 ++ if (is_nid_out_jack_pin(cfg, nid))
12137 + continue; /* already has an unsol event */
12138 +
12139 + pinctl = snd_hda_codec_read(codec, nid, 0,
12140 +@@ -4950,7 +4952,14 @@ static int find_mute_led_gpio(struct hda_codec *codec, int default_polarity)
12141 + /* BIOS bug: unfilled OEM string */
12142 + if (strstr(dev->name, "HP_Mute_LED_P_G")) {
12143 + set_hp_led_gpio(codec);
12144 +- spec->gpio_led_polarity = 1;
12145 ++ switch (codec->subsystem_id) {
12146 ++ case 0x103c148a:
12147 ++ spec->gpio_led_polarity = 0;
12148 ++ break;
12149 ++ default:
12150 ++ spec->gpio_led_polarity = 1;
12151 ++ break;
12152 ++ }
12153 + return 1;
12154 + }
12155 + }
12156 +diff --git a/sound/soc/codecs/wm5100.c b/sound/soc/codecs/wm5100.c
12157 +index 42d9039..d0beeec 100644
12158 +--- a/sound/soc/codecs/wm5100.c
12159 ++++ b/sound/soc/codecs/wm5100.c
12160 +@@ -1379,6 +1379,7 @@ static int wm5100_set_bias_level(struct snd_soc_codec *codec,
12161 +
12162 + switch (wm5100->rev) {
12163 + case 0:
12164 ++ regcache_cache_bypass(wm5100->regmap, true);
12165 + snd_soc_write(codec, 0x11, 0x3);
12166 + snd_soc_write(codec, 0x203, 0xc);
12167 + snd_soc_write(codec, 0x206, 0);
12168 +@@ -1394,6 +1395,7 @@ static int wm5100_set_bias_level(struct snd_soc_codec *codec,
12169 + snd_soc_write(codec,
12170 + wm5100_reva_patches[i].reg,
12171 + wm5100_reva_patches[i].val);
12172 ++ regcache_cache_bypass(wm5100->regmap, false);
12173 + break;
12174 + default:
12175 + break;
12176 +@@ -1404,6 +1406,7 @@ static int wm5100_set_bias_level(struct snd_soc_codec *codec,
12177 + break;
12178 +
12179 + case SND_SOC_BIAS_OFF:
12180 ++ regcache_cache_only(wm5100->regmap, true);
12181 + if (wm5100->pdata.ldo_ena)
12182 + gpio_set_value_cansleep(wm5100->pdata.ldo_ena, 0);
12183 + regulator_bulk_disable(ARRAY_SIZE(wm5100->core_supplies),
12184 +diff --git a/sound/soc/codecs/wm8996.c b/sound/soc/codecs/wm8996.c
12185 +index a33b04d..6d98a57 100644
12186 +--- a/sound/soc/codecs/wm8996.c
12187 ++++ b/sound/soc/codecs/wm8996.c
12188 +@@ -1049,7 +1049,8 @@ SND_SOC_DAPM_SUPPLY_S("SYSCLK", 1, WM8996_AIF_CLOCKING_1, 0, 0, NULL, 0),
12189 + SND_SOC_DAPM_SUPPLY_S("SYSDSPCLK", 2, WM8996_CLOCKING_1, 1, 0, NULL, 0),
12190 + SND_SOC_DAPM_SUPPLY_S("AIFCLK", 2, WM8996_CLOCKING_1, 2, 0, NULL, 0),
12191 + SND_SOC_DAPM_SUPPLY_S("Charge Pump", 2, WM8996_CHARGE_PUMP_1, 15, 0, cp_event,
12192 +- SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
12193 ++ SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMU |
12194 ++ SND_SOC_DAPM_POST_PMD),
12195 + SND_SOC_DAPM_SUPPLY("Bandgap", SND_SOC_NOPM, 0, 0, bg_event,
12196 + SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
12197 + SND_SOC_DAPM_SUPPLY("LDO2", WM8996_POWER_MANAGEMENT_2, 1, 0, NULL, 0),
12198 +@@ -1932,6 +1933,7 @@ static int wm8996_set_sysclk(struct snd_soc_dai *dai,
12199 + struct wm8996_priv *wm8996 = snd_soc_codec_get_drvdata(codec);
12200 + int lfclk = 0;
12201 + int ratediv = 0;
12202 ++ int sync = WM8996_REG_SYNC;
12203 + int src;
12204 + int old;
12205 +
12206 +@@ -1976,6 +1978,7 @@ static int wm8996_set_sysclk(struct snd_soc_dai *dai,
12207 + case 32000:
12208 + case 32768:
12209 + lfclk = WM8996_LFCLK_ENA;
12210 ++ sync = 0;
12211 + break;
12212 + default:
12213 + dev_warn(codec->dev, "Unsupported clock rate %dHz\n",
12214 +@@ -1989,6 +1992,8 @@ static int wm8996_set_sysclk(struct snd_soc_dai *dai,
12215 + WM8996_SYSCLK_SRC_MASK | WM8996_SYSCLK_DIV_MASK,
12216 + src << WM8996_SYSCLK_SRC_SHIFT | ratediv);
12217 + snd_soc_update_bits(codec, WM8996_CLOCKING_1, WM8996_LFCLK_ENA, lfclk);
12218 ++ snd_soc_update_bits(codec, WM8996_CONTROL_INTERFACE_1,
12219 ++ WM8996_REG_SYNC, sync);
12220 + snd_soc_update_bits(codec, WM8996_AIF_CLOCKING_1,
12221 + WM8996_SYSCLK_ENA, old);
12222 +
12223 +diff --git a/sound/soc/codecs/wm8996.h b/sound/soc/codecs/wm8996.h
12224 +index 0fde643..de9ac3e 100644
12225 +--- a/sound/soc/codecs/wm8996.h
12226 ++++ b/sound/soc/codecs/wm8996.h
12227 +@@ -1567,6 +1567,10 @@ int wm8996_detect(struct snd_soc_codec *codec, struct snd_soc_jack *jack,
12228 + /*
12229 + * R257 (0x101) - Control Interface (1)
12230 + */
12231 ++#define WM8996_REG_SYNC 0x8000 /* REG_SYNC */
12232 ++#define WM8996_REG_SYNC_MASK 0x8000 /* REG_SYNC */
12233 ++#define WM8996_REG_SYNC_SHIFT 15 /* REG_SYNC */
12234 ++#define WM8996_REG_SYNC_WIDTH 1 /* REG_SYNC */
12235 + #define WM8996_AUTO_INC 0x0004 /* AUTO_INC */
12236 + #define WM8996_AUTO_INC_MASK 0x0004 /* AUTO_INC */
12237 + #define WM8996_AUTO_INC_SHIFT 2 /* AUTO_INC */
12238
12239 diff --git a/3.2.4/1003_linux-3.2.4.patch b/3.2.4/1003_linux-3.2.4.patch
12240 new file mode 100644
12241 index 0000000..e49de55
12242 --- /dev/null
12243 +++ b/3.2.4/1003_linux-3.2.4.patch
12244 @@ -0,0 +1,40 @@
12245 +diff --git a/Makefile b/Makefile
12246 +index d45e887..c8e187e 100644
12247 +--- a/Makefile
12248 ++++ b/Makefile
12249 +@@ -1,6 +1,6 @@
12250 + VERSION = 3
12251 + PATCHLEVEL = 2
12252 +-SUBLEVEL = 3
12253 ++SUBLEVEL = 4
12254 + EXTRAVERSION =
12255 + NAME = Saber-toothed Squirrel
12256 +
12257 +diff --git a/sound/soc/codecs/wm5100.c b/sound/soc/codecs/wm5100.c
12258 +index d0beeec..42d9039 100644
12259 +--- a/sound/soc/codecs/wm5100.c
12260 ++++ b/sound/soc/codecs/wm5100.c
12261 +@@ -1379,7 +1379,6 @@ static int wm5100_set_bias_level(struct snd_soc_codec *codec,
12262 +
12263 + switch (wm5100->rev) {
12264 + case 0:
12265 +- regcache_cache_bypass(wm5100->regmap, true);
12266 + snd_soc_write(codec, 0x11, 0x3);
12267 + snd_soc_write(codec, 0x203, 0xc);
12268 + snd_soc_write(codec, 0x206, 0);
12269 +@@ -1395,7 +1394,6 @@ static int wm5100_set_bias_level(struct snd_soc_codec *codec,
12270 + snd_soc_write(codec,
12271 + wm5100_reva_patches[i].reg,
12272 + wm5100_reva_patches[i].val);
12273 +- regcache_cache_bypass(wm5100->regmap, false);
12274 + break;
12275 + default:
12276 + break;
12277 +@@ -1406,7 +1404,6 @@ static int wm5100_set_bias_level(struct snd_soc_codec *codec,
12278 + break;
12279 +
12280 + case SND_SOC_BIAS_OFF:
12281 +- regcache_cache_only(wm5100->regmap, true);
12282 + if (wm5100->pdata.ldo_ena)
12283 + gpio_set_value_cansleep(wm5100->pdata.ldo_ena, 0);
12284 + regulator_bulk_disable(ARRAY_SIZE(wm5100->core_supplies),
12285
12286 diff --git a/3.2.2/4420_grsecurity-2.2.2-3.2.2-201201272014.patch b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
12287 similarity index 99%
12288 rename from 3.2.2/4420_grsecurity-2.2.2-3.2.2-201201272014.patch
12289 rename to 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
12290 index 3f6029d..9b95205 100644
12291 --- a/3.2.2/4420_grsecurity-2.2.2-3.2.2-201201272014.patch
12292 +++ b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
12293 @@ -186,7 +186,7 @@ index 81c287f..d456d02 100644
12294
12295 pcd. [PARIDE]
12296 diff --git a/Makefile b/Makefile
12297 -index 2f684da..bf21f8d 100644
12298 +index c8e187e..c445af7 100644
12299 --- a/Makefile
12300 +++ b/Makefile
12301 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
12302 @@ -12223,19 +12223,18 @@ index 2af127d..8ff7ac0 100644
12303 atomic_set(&mce_callin, 0);
12304 atomic_set(&global_nwo, 0);
12305 diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
12306 -index 5c0e653..51ddf2c 100644
12307 +index 5c0e653..0882b0a 100644
12308 --- a/arch/x86/kernel/cpu/mcheck/p5.c
12309 +++ b/arch/x86/kernel/cpu/mcheck/p5.c
12310 -@@ -11,7 +11,7 @@
12311 - #include <asm/processor.h>
12312 +@@ -12,6 +12,7 @@
12313 #include <asm/system.h>
12314 #include <asm/mce.h>
12315 --#include <asm/msr.h>
12316 + #include <asm/msr.h>
12317 +#include <asm/pgtable.h>
12318
12319 /* By default disabled */
12320 int mce_p5_enabled __read_mostly;
12321 -@@ -50,7 +50,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
12322 +@@ -50,7 +51,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
12323 if (!cpu_has(c, X86_FEATURE_MCE))
12324 return;
12325
12326 @@ -22963,7 +22962,7 @@ index 7b179b4..6bd1777 100644
12327
12328 return (void *)vaddr;
12329 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
12330 -index be1ef57..9680edc 100644
12331 +index be1ef57..55f0160 100644
12332 --- a/arch/x86/mm/ioremap.c
12333 +++ b/arch/x86/mm/ioremap.c
12334 @@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr,
12335 @@ -22975,7 +22974,17 @@ index be1ef57..9680edc 100644
12336 return NULL;
12337 WARN_ON_ONCE(is_ram);
12338 }
12339 -@@ -344,7 +344,7 @@ static int __init early_ioremap_debug_setup(char *str)
12340 +@@ -315,6 +315,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
12341 +
12342 + /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
12343 + if (page_is_ram(start >> PAGE_SHIFT))
12344 ++#ifdef CONFIG_HIGHMEM
12345 ++ if ((start >> PAGE_SHIFT) < max_low_pfn)
12346 ++#endif
12347 + return __va(phys);
12348 +
12349 + addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
12350 +@@ -344,7 +347,7 @@ static int __init early_ioremap_debug_setup(char *str)
12351 early_param("early_ioremap_debug", early_ioremap_debug_setup);
12352
12353 static __initdata int after_paging_init;
12354 @@ -22984,7 +22993,7 @@ index be1ef57..9680edc 100644
12355
12356 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
12357 {
12358 -@@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
12359 +@@ -381,8 +384,7 @@ void __init early_ioremap_init(void)
12360 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
12361
12362 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
12363 @@ -23725,7 +23734,7 @@ index 6687022..ceabcfa 100644
12364 + pax_force_retaddr
12365 ret
12366 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
12367 -index 7b65f75..63097f6 100644
12368 +index 7c1b765..180e3b2 100644
12369 --- a/arch/x86/net/bpf_jit_comp.c
12370 +++ b/arch/x86/net/bpf_jit_comp.c
12371 @@ -117,6 +117,10 @@ static inline void bpf_flush_icache(void *start, void *end)
12372 @@ -23750,7 +23759,7 @@ index 7b65f75..63097f6 100644
12373 /* Before first pass, make a rough estimation of addrs[]
12374 * each bpf instruction is translated to less than 64 bytes
12375 */
12376 -@@ -585,11 +593,12 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
12377 +@@ -592,11 +600,12 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
12378 if (image) {
12379 if (unlikely(proglen + ilen > oldproglen)) {
12380 pr_err("bpb_jit_compile fatal error\n");
12381 @@ -23766,7 +23775,7 @@ index 7b65f75..63097f6 100644
12382 }
12383 proglen += ilen;
12384 addrs[i] = proglen;
12385 -@@ -609,7 +618,7 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
12386 +@@ -617,7 +626,7 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
12387 break;
12388 }
12389 if (proglen == oldproglen) {
12390 @@ -23775,7 +23784,7 @@ index 7b65f75..63097f6 100644
12391 proglen,
12392 sizeof(struct work_struct)));
12393 if (!image)
12394 -@@ -631,24 +640,27 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
12395 +@@ -639,24 +648,27 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
12396 fp->bpf_func = (void *)image;
12397 }
12398 out:
12399 @@ -24994,109 +25003,6 @@ index 671d4d6..5f24030 100644
12400
12401 static void cryptd_queue_worker(struct work_struct *work);
12402
12403 -diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
12404 -index 9ed9f60..88f160b 100644
12405 ---- a/crypto/sha512_generic.c
12406 -+++ b/crypto/sha512_generic.c
12407 -@@ -21,8 +21,6 @@
12408 - #include <linux/percpu.h>
12409 - #include <asm/byteorder.h>
12410 -
12411 --static DEFINE_PER_CPU(u64[80], msg_schedule);
12412 --
12413 - static inline u64 Ch(u64 x, u64 y, u64 z)
12414 - {
12415 - return z ^ (x & (y ^ z));
12416 -@@ -80,7 +78,7 @@ static inline void LOAD_OP(int I, u64 *W, const u8 *input)
12417 -
12418 - static inline void BLEND_OP(int I, u64 *W)
12419 - {
12420 -- W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
12421 -+ W[I % 16] += s1(W[(I-2) % 16]) + W[(I-7) % 16] + s0(W[(I-15) % 16]);
12422 - }
12423 -
12424 - static void
12425 -@@ -89,38 +87,48 @@ sha512_transform(u64 *state, const u8 *input)
12426 - u64 a, b, c, d, e, f, g, h, t1, t2;
12427 -
12428 - int i;
12429 -- u64 *W = get_cpu_var(msg_schedule);
12430 -+ u64 W[16];
12431 -
12432 - /* load the input */
12433 - for (i = 0; i < 16; i++)
12434 - LOAD_OP(i, W, input);
12435 -
12436 -- for (i = 16; i < 80; i++) {
12437 -- BLEND_OP(i, W);
12438 -- }
12439 --
12440 - /* load the state into our registers */
12441 - a=state[0]; b=state[1]; c=state[2]; d=state[3];
12442 - e=state[4]; f=state[5]; g=state[6]; h=state[7];
12443 -
12444 -- /* now iterate */
12445 -- for (i=0; i<80; i+=8) {
12446 -- t1 = h + e1(e) + Ch(e,f,g) + sha512_K[i ] + W[i ];
12447 -- t2 = e0(a) + Maj(a,b,c); d+=t1; h=t1+t2;
12448 -- t1 = g + e1(d) + Ch(d,e,f) + sha512_K[i+1] + W[i+1];
12449 -- t2 = e0(h) + Maj(h,a,b); c+=t1; g=t1+t2;
12450 -- t1 = f + e1(c) + Ch(c,d,e) + sha512_K[i+2] + W[i+2];
12451 -- t2 = e0(g) + Maj(g,h,a); b+=t1; f=t1+t2;
12452 -- t1 = e + e1(b) + Ch(b,c,d) + sha512_K[i+3] + W[i+3];
12453 -- t2 = e0(f) + Maj(f,g,h); a+=t1; e=t1+t2;
12454 -- t1 = d + e1(a) + Ch(a,b,c) + sha512_K[i+4] + W[i+4];
12455 -- t2 = e0(e) + Maj(e,f,g); h+=t1; d=t1+t2;
12456 -- t1 = c + e1(h) + Ch(h,a,b) + sha512_K[i+5] + W[i+5];
12457 -- t2 = e0(d) + Maj(d,e,f); g+=t1; c=t1+t2;
12458 -- t1 = b + e1(g) + Ch(g,h,a) + sha512_K[i+6] + W[i+6];
12459 -- t2 = e0(c) + Maj(c,d,e); f+=t1; b=t1+t2;
12460 -- t1 = a + e1(f) + Ch(f,g,h) + sha512_K[i+7] + W[i+7];
12461 -- t2 = e0(b) + Maj(b,c,d); e+=t1; a=t1+t2;
12462 -+#define SHA512_0_15(i, a, b, c, d, e, f, g, h) \
12463 -+ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[i]; \
12464 -+ t2 = e0(a) + Maj(a, b, c); \
12465 -+ d += t1; \
12466 -+ h = t1 + t2
12467 -+
12468 -+#define SHA512_16_79(i, a, b, c, d, e, f, g, h) \
12469 -+ BLEND_OP(i, W); \
12470 -+ t1 = h + e1(e) + Ch(e, f, g) + sha512_K[i] + W[(i)%16]; \
12471 -+ t2 = e0(a) + Maj(a, b, c); \
12472 -+ d += t1; \
12473 -+ h = t1 + t2
12474 -+
12475 -+ for (i = 0; i < 16; i += 8) {
12476 -+ SHA512_0_15(i, a, b, c, d, e, f, g, h);
12477 -+ SHA512_0_15(i + 1, h, a, b, c, d, e, f, g);
12478 -+ SHA512_0_15(i + 2, g, h, a, b, c, d, e, f);
12479 -+ SHA512_0_15(i + 3, f, g, h, a, b, c, d, e);
12480 -+ SHA512_0_15(i + 4, e, f, g, h, a, b, c, d);
12481 -+ SHA512_0_15(i + 5, d, e, f, g, h, a, b, c);
12482 -+ SHA512_0_15(i + 6, c, d, e, f, g, h, a, b);
12483 -+ SHA512_0_15(i + 7, b, c, d, e, f, g, h, a);
12484 -+ }
12485 -+ for (i = 16; i < 80; i += 8) {
12486 -+ SHA512_16_79(i, a, b, c, d, e, f, g, h);
12487 -+ SHA512_16_79(i + 1, h, a, b, c, d, e, f, g);
12488 -+ SHA512_16_79(i + 2, g, h, a, b, c, d, e, f);
12489 -+ SHA512_16_79(i + 3, f, g, h, a, b, c, d, e);
12490 -+ SHA512_16_79(i + 4, e, f, g, h, a, b, c, d);
12491 -+ SHA512_16_79(i + 5, d, e, f, g, h, a, b, c);
12492 -+ SHA512_16_79(i + 6, c, d, e, f, g, h, a, b);
12493 -+ SHA512_16_79(i + 7, b, c, d, e, f, g, h, a);
12494 - }
12495 -
12496 - state[0] += a; state[1] += b; state[2] += c; state[3] += d;
12497 -@@ -128,8 +136,6 @@ sha512_transform(u64 *state, const u8 *input)
12498 -
12499 - /* erase our data */
12500 - a = b = c = d = e = f = g = h = t1 = t2 = 0;
12501 -- memset(W, 0, sizeof(__get_cpu_var(msg_schedule)));
12502 -- put_cpu_var(msg_schedule);
12503 - }
12504 -
12505 - static int
12506 diff --git a/drivers/acpi/apei/cper.c b/drivers/acpi/apei/cper.c
12507 index 5d41894..22021e4 100644
12508 --- a/drivers/acpi/apei/cper.c
12509 @@ -27943,7 +27849,7 @@ index 40c187c..5746164 100644
12510
12511 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
12512 diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
12513 -index 4911e1d..484c8a3 100644
12514 +index 828bf65..cdaa0e9 100644
12515 --- a/drivers/gpu/drm/drm_fops.c
12516 +++ b/drivers/gpu/drm/drm_fops.c
12517 @@ -71,7 +71,7 @@ static int drm_setup(struct drm_device * dev)
12518 @@ -27982,9 +27888,9 @@ index 4911e1d..484c8a3 100644
12519 - dev->open_count);
12520 + local_read(&dev->open_count));
12521
12522 - /* if the master has gone away we can't do anything with the lock */
12523 - if (file_priv->minor->master)
12524 -@@ -566,8 +566,8 @@ int drm_release(struct inode *inode, struct file *filp)
12525 + /* Release any auth tokens that might point to this file_priv,
12526 + (do that under the drm_global_mutex) */
12527 +@@ -571,8 +571,8 @@ int drm_release(struct inode *inode, struct file *filp)
12528 * End inline drm_release
12529 */
12530
12531 @@ -29164,7 +29070,7 @@ index 66f6729..2d6de0a 100644
12532 mutex_lock(&resource->lock);
12533 resource->trip[attr->index - 7] = temp;
12534 diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
12535 -index fe4104c..346febb 100644
12536 +index 5357925..6cf0418 100644
12537 --- a/drivers/hwmon/sht15.c
12538 +++ b/drivers/hwmon/sht15.c
12539 @@ -166,7 +166,7 @@ struct sht15_data {
12540 @@ -41403,80 +41309,24 @@ index f7908ae..920a680 100644
12541
12542 dcache_init();
12543 inode_init();
12544 -diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
12545 -index 2a83425..b082cec 100644
12546 ---- a/fs/ecryptfs/crypto.c
12547 -+++ b/fs/ecryptfs/crypto.c
12548 -@@ -417,17 +417,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
12549 - (unsigned long long)(extent_base + extent_offset), rc);
12550 - goto out;
12551 - }
12552 -- if (unlikely(ecryptfs_verbosity > 0)) {
12553 -- ecryptfs_printk(KERN_DEBUG, "Encrypting extent "
12554 -- "with iv:\n");
12555 -- ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
12556 -- ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
12557 -- "encryption:\n");
12558 -- ecryptfs_dump_hex((char *)
12559 -- (page_address(page)
12560 -- + (extent_offset * crypt_stat->extent_size)),
12561 -- 8);
12562 -- }
12563 - rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
12564 - page, (extent_offset
12565 - * crypt_stat->extent_size),
12566 -@@ -440,14 +429,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
12567 - goto out;
12568 - }
12569 - rc = 0;
12570 -- if (unlikely(ecryptfs_verbosity > 0)) {
12571 -- ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16llx]; "
12572 -- "rc = [%d]\n",
12573 -- (unsigned long long)(extent_base + extent_offset), rc);
12574 -- ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
12575 -- "encryption:\n");
12576 -- ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8);
12577 -- }
12578 - out:
12579 - return rc;
12580 - }
12581 -@@ -543,17 +524,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
12582 - (unsigned long long)(extent_base + extent_offset), rc);
12583 - goto out;
12584 - }
12585 -- if (unlikely(ecryptfs_verbosity > 0)) {
12586 -- ecryptfs_printk(KERN_DEBUG, "Decrypting extent "
12587 -- "with iv:\n");
12588 -- ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
12589 -- ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
12590 -- "decryption:\n");
12591 -- ecryptfs_dump_hex((char *)
12592 -- (page_address(enc_extent_page)
12593 -- + (extent_offset * crypt_stat->extent_size)),
12594 -- 8);
12595 -- }
12596 - rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
12597 - (extent_offset
12598 - * crypt_stat->extent_size),
12599 -@@ -567,16 +537,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
12600 - goto out;
12601 - }
12602 - rc = 0;
12603 -- if (unlikely(ecryptfs_verbosity > 0)) {
12604 -- ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16llx]; "
12605 -- "rc = [%d]\n",
12606 -- (unsigned long long)(extent_base + extent_offset), rc);
12607 -- ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
12608 -- "decryption:\n");
12609 -- ecryptfs_dump_hex((char *)(page_address(page)
12610 -- + (extent_offset
12611 -- * crypt_stat->extent_size)), 8);
12612 -- }
12613 - out:
12614 - return rc;
12615 +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
12616 +index f3a257d..715ac0f 100644
12617 +--- a/fs/debugfs/inode.c
12618 ++++ b/fs/debugfs/inode.c
12619 +@@ -261,7 +261,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
12620 + struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
12621 + {
12622 + return debugfs_create_file(name,
12623 ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
12624 ++ S_IFDIR | S_IRWXU,
12625 ++#else
12626 + S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
12627 ++#endif
12628 + parent, NULL, NULL);
12629 }
12630 + EXPORT_SYMBOL_GPL(debugfs_create_dir);
12631 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
12632 -index 32f90a3..a766407 100644
12633 +index d2039ca..a766407 100644
12634 --- a/fs/ecryptfs/inode.c
12635 +++ b/fs/ecryptfs/inode.c
12636 @@ -691,7 +691,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
12637 @@ -41506,84 +41356,8 @@ index 32f90a3..a766407 100644
12638 if (!IS_ERR(buf)) {
12639 /* Free the char* */
12640 kfree(buf);
12641 -@@ -841,18 +841,6 @@ static int truncate_upper(struct dentry *dentry, struct iattr *ia,
12642 - size_t num_zeros = (PAGE_CACHE_SIZE
12643 - - (ia->ia_size & ~PAGE_CACHE_MASK));
12644 -
12645 --
12646 -- /*
12647 -- * XXX(truncate) this should really happen at the begginning
12648 -- * of ->setattr. But the code is too messy to that as part
12649 -- * of a larger patch. ecryptfs is also totally missing out
12650 -- * on the inode_change_ok check at the beginning of
12651 -- * ->setattr while would include this.
12652 -- */
12653 -- rc = inode_newsize_ok(inode, ia->ia_size);
12654 -- if (rc)
12655 -- goto out;
12656 --
12657 - if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
12658 - truncate_setsize(inode, ia->ia_size);
12659 - lower_ia->ia_size = ia->ia_size;
12660 -@@ -902,6 +890,28 @@ out:
12661 - return rc;
12662 - }
12663 -
12664 -+static int ecryptfs_inode_newsize_ok(struct inode *inode, loff_t offset)
12665 -+{
12666 -+ struct ecryptfs_crypt_stat *crypt_stat;
12667 -+ loff_t lower_oldsize, lower_newsize;
12668 -+
12669 -+ crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
12670 -+ lower_oldsize = upper_size_to_lower_size(crypt_stat,
12671 -+ i_size_read(inode));
12672 -+ lower_newsize = upper_size_to_lower_size(crypt_stat, offset);
12673 -+ if (lower_newsize > lower_oldsize) {
12674 -+ /*
12675 -+ * The eCryptfs inode and the new *lower* size are mixed here
12676 -+ * because we may not have the lower i_mutex held and/or it may
12677 -+ * not be appropriate to call inode_newsize_ok() with inodes
12678 -+ * from other filesystems.
12679 -+ */
12680 -+ return inode_newsize_ok(inode, lower_newsize);
12681 -+ }
12682 -+
12683 -+ return 0;
12684 -+}
12685 -+
12686 - /**
12687 - * ecryptfs_truncate
12688 - * @dentry: The ecryptfs layer dentry
12689 -@@ -918,6 +928,10 @@ int ecryptfs_truncate(struct dentry *dentry, loff_t new_length)
12690 - struct iattr lower_ia = { .ia_valid = 0 };
12691 - int rc;
12692 -
12693 -+ rc = ecryptfs_inode_newsize_ok(dentry->d_inode, new_length);
12694 -+ if (rc)
12695 -+ return rc;
12696 -+
12697 - rc = truncate_upper(dentry, &ia, &lower_ia);
12698 - if (!rc && lower_ia.ia_valid & ATTR_SIZE) {
12699 - struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
12700 -@@ -997,6 +1011,16 @@ static int ecryptfs_setattr(struct dentry *dentry, struct iattr *ia)
12701 - }
12702 - }
12703 - mutex_unlock(&crypt_stat->cs_mutex);
12704 -+
12705 -+ rc = inode_change_ok(inode, ia);
12706 -+ if (rc)
12707 -+ goto out;
12708 -+ if (ia->ia_valid & ATTR_SIZE) {
12709 -+ rc = ecryptfs_inode_newsize_ok(inode, ia->ia_size);
12710 -+ if (rc)
12711 -+ goto out;
12712 -+ }
12713 -+
12714 - if (S_ISREG(inode->i_mode)) {
12715 - rc = filemap_write_and_wait(inode->i_mapping);
12716 - if (rc)
12717 diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
12718 -index 940a82e..d3cdeea 100644
12719 +index 0dc5a3d..d3cdeea 100644
12720 --- a/fs/ecryptfs/miscdev.c
12721 +++ b/fs/ecryptfs/miscdev.c
12722 @@ -328,7 +328,7 @@ check_list:
12723 @@ -41595,82 +41369,8 @@ index 940a82e..d3cdeea 100644
12724 goto out_unlock_msg_ctx;
12725 i += packet_length_size;
12726 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
12727 -@@ -409,11 +409,47 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
12728 - ssize_t sz = 0;
12729 - char *data;
12730 - uid_t euid = current_euid();
12731 -+ unsigned char packet_size_peek[3];
12732 - int rc;
12733 -
12734 -- if (count == 0)
12735 -+ if (count == 0) {
12736 - goto out;
12737 -+ } else if (count == (1 + 4)) {
12738 -+ /* Likely a harmless MSG_HELO or MSG_QUIT - no packet length */
12739 -+ goto memdup;
12740 -+ } else if (count < (1 + 4 + 1)
12741 -+ || count > (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
12742 -+ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)) {
12743 -+ printk(KERN_WARNING "%s: Acceptable packet size range is "
12744 -+ "[%d-%lu], but amount of data written is [%zu].",
12745 -+ __func__, (1 + 4 + 1),
12746 -+ (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
12747 -+ + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES), count);
12748 -+ return -EINVAL;
12749 -+ }
12750 -
12751 -+ if (copy_from_user(packet_size_peek, (buf + 1 + 4),
12752 -+ sizeof(packet_size_peek))) {
12753 -+ printk(KERN_WARNING "%s: Error while inspecting packet size\n",
12754 -+ __func__);
12755 -+ return -EFAULT;
12756 -+ }
12757 -+
12758 -+ rc = ecryptfs_parse_packet_length(packet_size_peek, &packet_size,
12759 -+ &packet_size_length);
12760 -+ if (rc) {
12761 -+ printk(KERN_WARNING "%s: Error parsing packet length; "
12762 -+ "rc = [%d]\n", __func__, rc);
12763 -+ return rc;
12764 -+ }
12765 -+
12766 -+ if ((1 + 4 + packet_size_length + packet_size) != count) {
12767 -+ printk(KERN_WARNING "%s: Invalid packet size [%zu]\n", __func__,
12768 -+ packet_size);
12769 -+ return -EINVAL;
12770 -+ }
12771 -+
12772 -+memdup:
12773 - data = memdup_user(buf, count);
12774 - if (IS_ERR(data)) {
12775 - printk(KERN_ERR "%s: memdup_user returned error [%ld]\n",
12776 -@@ -435,23 +471,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
12777 - }
12778 - memcpy(&counter_nbo, &data[i], 4);
12779 - seq = be32_to_cpu(counter_nbo);
12780 -- i += 4;
12781 -- rc = ecryptfs_parse_packet_length(&data[i], &packet_size,
12782 -- &packet_size_length);
12783 -- if (rc) {
12784 -- printk(KERN_WARNING "%s: Error parsing packet length; "
12785 -- "rc = [%d]\n", __func__, rc);
12786 -- goto out_free;
12787 -- }
12788 -- i += packet_size_length;
12789 -- if ((1 + 4 + packet_size_length + packet_size) != count) {
12790 -- printk(KERN_WARNING "%s: (1 + packet_size_length([%zd])"
12791 -- " + packet_size([%zd]))([%zd]) != "
12792 -- "count([%zd]). Invalid packet format.\n",
12793 -- __func__, packet_size_length, packet_size,
12794 -- (1 + packet_size_length + packet_size), count);
12795 -- goto out_free;
12796 -- }
12797 -+ i += 4 + packet_size_length;
12798 - rc = ecryptfs_miscdev_response(&data[i], packet_size,
12799 - euid, current_user_ns(),
12800 - task_pid(current), seq);
12801 diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
12802 -index 3745f7c..7d040a8 100644
12803 +index 54eb14c..e51b453 100644
12804 --- a/fs/ecryptfs/read_write.c
12805 +++ b/fs/ecryptfs/read_write.c
12806 @@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data,
12807 @@ -41682,7 +41382,7 @@ index 3745f7c..7d040a8 100644
12808 set_fs(fs_save);
12809 mark_inode_dirty_sync(ecryptfs_inode);
12810 return rc;
12811 -@@ -130,13 +130,18 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
12812 +@@ -130,7 +130,12 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
12813 pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
12814 size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
12815 size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
12816 @@ -41694,7 +41394,9 @@ index 3745f7c..7d040a8 100644
12817 + break;
12818 + }
12819
12820 - if (num_bytes > total_remaining_bytes)
12821 + if (fatal_signal_pending(current)) {
12822 + rc = -EINTR;
12823 +@@ -141,7 +146,7 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
12824 num_bytes = total_remaining_bytes;
12825 if (pos < offset) {
12826 /* remaining zeros to write, up to destination offset */
12827 @@ -41703,32 +41405,7 @@ index 3745f7c..7d040a8 100644
12828
12829 if (num_bytes > total_remaining_zeros)
12830 num_bytes = total_remaining_zeros;
12831 -@@ -193,15 +198,19 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
12832 - }
12833 - pos += num_bytes;
12834 - }
12835 -- if ((offset + size) > ecryptfs_file_size) {
12836 -- i_size_write(ecryptfs_inode, (offset + size));
12837 -+ if (pos > ecryptfs_file_size) {
12838 -+ i_size_write(ecryptfs_inode, pos);
12839 - if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
12840 -- rc = ecryptfs_write_inode_size_to_metadata(
12841 -+ int rc2;
12842 -+
12843 -+ rc2 = ecryptfs_write_inode_size_to_metadata(
12844 - ecryptfs_inode);
12845 -- if (rc) {
12846 -+ if (rc2) {
12847 - printk(KERN_ERR "Problem with "
12848 - "ecryptfs_write_inode_size_to_metadata; "
12849 -- "rc = [%d]\n", rc);
12850 -+ "rc = [%d]\n", rc2);
12851 -+ if (!rc)
12852 -+ rc = rc2;
12853 - goto out;
12854 - }
12855 - }
12856 -@@ -235,7 +244,7 @@ int ecryptfs_read_lower(char *data, loff_t offset, size_t size,
12857 +@@ -244,7 +249,7 @@ int ecryptfs_read_lower(char *data, loff_t offset, size_t size,
12858 return -EIO;
12859 fs_save = get_fs();
12860 set_fs(get_ds());
12861 @@ -45585,7 +45262,7 @@ index 3a1dafd..d41fc37 100644
12862 +}
12863 +#endif
12864 diff --git a/fs/proc/base.c b/fs/proc/base.c
12865 -index 1fc1dca..813fd0b 100644
12866 +index 1fc1dca..357b933 100644
12867 --- a/fs/proc/base.c
12868 +++ b/fs/proc/base.c
12869 @@ -107,6 +107,22 @@ struct pid_entry {
12870 @@ -45611,24 +45288,34 @@ index 1fc1dca..813fd0b 100644
12871 #define NOD(NAME, MODE, IOP, FOP, OP) { \
12872 .name = (NAME), \
12873 .len = sizeof(NAME) - 1, \
12874 -@@ -204,10 +220,12 @@ static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
12875 - return ERR_PTR(err);
12876 +@@ -194,26 +210,6 @@ static int proc_root_link(struct inode *inode, struct path *path)
12877 + return result;
12878 + }
12879
12880 - mm = get_task_mm(task);
12881 +-static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
12882 +-{
12883 +- struct mm_struct *mm;
12884 +- int err;
12885 +-
12886 +- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
12887 +- if (err)
12888 +- return ERR_PTR(err);
12889 +-
12890 +- mm = get_task_mm(task);
12891 - if (mm && mm != current->mm &&
12892 - !ptrace_may_access(task, mode)) {
12893 - mmput(mm);
12894 - mm = ERR_PTR(-EACCES);
12895 -+ if (mm) {
12896 -+ if ((mm != current->mm && !ptrace_may_access(task, mode)) ||
12897 -+ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task)))) {
12898 -+ mmput(mm);
12899 -+ mm = ERR_PTR(-EACCES);
12900 -+ }
12901 - }
12902 - mutex_unlock(&task->signal->cred_guard_mutex);
12903 -
12904 -@@ -229,6 +247,9 @@ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
12905 +- }
12906 +- mutex_unlock(&task->signal->cred_guard_mutex);
12907 +-
12908 +- return mm;
12909 +-}
12910 +-
12911 + struct mm_struct *mm_for_maps(struct task_struct *task)
12912 + {
12913 + return mm_access(task, PTRACE_MODE_READ);
12914 +@@ -229,6 +225,9 @@ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
12915 if (!mm->arg_end)
12916 goto out_mm; /* Shh! No looking before we're done */
12917
12918 @@ -45638,7 +45325,7 @@ index 1fc1dca..813fd0b 100644
12919 len = mm->arg_end - mm->arg_start;
12920
12921 if (len > PAGE_SIZE)
12922 -@@ -256,12 +277,28 @@ out:
12923 +@@ -256,12 +255,28 @@ out:
12924 return res;
12925 }
12926
12927 @@ -45667,7 +45354,7 @@ index 1fc1dca..813fd0b 100644
12928 do {
12929 nwords += 2;
12930 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
12931 -@@ -275,7 +312,7 @@ static int proc_pid_auxv(struct task_struct *task, char *buffer)
12932 +@@ -275,7 +290,7 @@ static int proc_pid_auxv(struct task_struct *task, char *buffer)
12933 }
12934
12935
12936 @@ -45676,7 +45363,7 @@ index 1fc1dca..813fd0b 100644
12937 /*
12938 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
12939 * Returns the resolved symbol. If that fails, simply return the address.
12940 -@@ -314,7 +351,7 @@ static void unlock_trace(struct task_struct *task)
12941 +@@ -314,7 +329,7 @@ static void unlock_trace(struct task_struct *task)
12942 mutex_unlock(&task->signal->cred_guard_mutex);
12943 }
12944
12945 @@ -45685,7 +45372,7 @@ index 1fc1dca..813fd0b 100644
12946
12947 #define MAX_STACK_TRACE_DEPTH 64
12948
12949 -@@ -505,7 +542,7 @@ static int proc_pid_limits(struct task_struct *task, char *buffer)
12950 +@@ -505,7 +520,7 @@ static int proc_pid_limits(struct task_struct *task, char *buffer)
12951 return count;
12952 }
12953
12954 @@ -45694,7 +45381,7 @@ index 1fc1dca..813fd0b 100644
12955 static int proc_pid_syscall(struct task_struct *task, char *buffer)
12956 {
12957 long nr;
12958 -@@ -534,7 +571,7 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
12959 +@@ -534,7 +549,7 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
12960 /************************************************************************/
12961
12962 /* permission checks */
12963 @@ -45703,7 +45390,7 @@ index 1fc1dca..813fd0b 100644
12964 {
12965 struct task_struct *task;
12966 int allowed = 0;
12967 -@@ -544,7 +581,10 @@ static int proc_fd_access_allowed(struct inode *inode)
12968 +@@ -544,7 +559,10 @@ static int proc_fd_access_allowed(struct inode *inode)
12969 */
12970 task = get_proc_task(inode);
12971 if (task) {
12972 @@ -45715,26 +45402,164 @@ index 1fc1dca..813fd0b 100644
12973 put_task_struct(task);
12974 }
12975 return allowed;
12976 -@@ -826,6 +866,10 @@ static ssize_t mem_read(struct file * file, char __user * buf,
12977 - return ret;
12978 - }
12979 +@@ -775,6 +793,13 @@ static int mem_open(struct inode* inode, struct file* file)
12980 + if (IS_ERR(mm))
12981 + return PTR_ERR(mm);
12982
12983 -+#define mem_write NULL
12984 ++ if (mm) {
12985 ++ /* ensure this mm_struct can't be freed */
12986 ++ atomic_inc(&mm->mm_count);
12987 ++ /* but do not pin its memory */
12988 ++ mmput(mm);
12989 ++ }
12990 +
12991 -+#ifndef mem_write
12992 -+/* They were right the first time */
12993 - static ssize_t mem_write(struct file * file, const char __user *buf,
12994 - size_t count, loff_t *ppos)
12995 + /* OK to pass negative loff_t, we can catch out-of-range */
12996 + file->f_mode |= FMODE_UNSIGNED_OFFSET;
12997 + file->private_data = mm;
12998 +@@ -782,57 +807,18 @@ static int mem_open(struct inode* inode, struct file* file)
12999 + return 0;
13000 + }
13001 +
13002 +-static ssize_t mem_read(struct file * file, char __user * buf,
13003 +- size_t count, loff_t *ppos)
13004 ++static ssize_t mem_rw(struct file *file, char __user *buf,
13005 ++ size_t count, loff_t *ppos, int write)
13006 {
13007 -@@ -866,6 +910,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
13008 +- int ret;
13009 +- char *page;
13010 +- unsigned long src = *ppos;
13011 + struct mm_struct *mm = file->private_data;
13012 +-
13013 +- if (!mm)
13014 +- return 0;
13015 +-
13016 +- page = (char *)__get_free_page(GFP_TEMPORARY);
13017 +- if (!page)
13018 +- return -ENOMEM;
13019 +-
13020 +- ret = 0;
13021 +-
13022 +- while (count > 0) {
13023 +- int this_len, retval;
13024 +-
13025 +- this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;
13026 +- retval = access_remote_vm(mm, src, page, this_len, 0);
13027 +- if (!retval) {
13028 +- if (!ret)
13029 +- ret = -EIO;
13030 +- break;
13031 +- }
13032 +-
13033 +- if (copy_to_user(buf, page, retval)) {
13034 +- ret = -EFAULT;
13035 +- break;
13036 +- }
13037 +-
13038 +- ret += retval;
13039 +- src += retval;
13040 +- buf += retval;
13041 +- count -= retval;
13042 +- }
13043 +- *ppos = src;
13044 +-
13045 +- free_page((unsigned long) page);
13046 +- return ret;
13047 +-}
13048 +-
13049 +-static ssize_t mem_write(struct file * file, const char __user *buf,
13050 +- size_t count, loff_t *ppos)
13051 +-{
13052 +- int copied;
13053 ++ unsigned long addr = *ppos;
13054 ++ ssize_t copied;
13055 + char *page;
13056 +- unsigned long dst = *ppos;
13057 +- struct mm_struct *mm = file->private_data;
13058 ++
13059 ++#ifdef CONFIG_GRKERNSEC
13060 ++ if (write)
13061 ++ return -EPERM;
13062 ++#endif
13063 +
13064 + if (!mm)
13065 + return 0;
13066 +@@ -842,31 +828,54 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
13067 + return -ENOMEM;
13068 +
13069 + copied = 0;
13070 ++ if (!atomic_inc_not_zero(&mm->mm_users))
13071 ++ goto free;
13072 ++
13073 + while (count > 0) {
13074 +- int this_len, retval;
13075 ++ int this_len = min_t(int, count, PAGE_SIZE);
13076 +
13077 +- this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;
13078 +- if (copy_from_user(page, buf, this_len)) {
13079 ++ if (write && copy_from_user(page, buf, this_len)) {
13080 + copied = -EFAULT;
13081 + break;
13082 + }
13083 +- retval = access_remote_vm(mm, dst, page, this_len, 1);
13084 +- if (!retval) {
13085 ++
13086 ++ this_len = access_remote_vm(mm, addr, page, this_len, write);
13087 ++ if (!this_len) {
13088 + if (!copied)
13089 + copied = -EIO;
13090 + break;
13091 + }
13092 +- copied += retval;
13093 +- buf += retval;
13094 +- dst += retval;
13095 +- count -= retval;
13096 ++
13097 ++ if (!write && copy_to_user(buf, page, this_len)) {
13098 ++ copied = -EFAULT;
13099 ++ break;
13100 ++ }
13101 ++
13102 ++ buf += this_len;
13103 ++ addr += this_len;
13104 ++ copied += this_len;
13105 ++ count -= this_len;
13106 + }
13107 +- *ppos = dst;
13108 ++ *ppos = addr;
13109 +
13110 ++ mmput(mm);
13111 ++free:
13112 free_page((unsigned long) page);
13113 return copied;
13114 }
13115 -+#endif
13116
13117 ++static ssize_t mem_read(struct file *file, char __user *buf,
13118 ++ size_t count, loff_t *ppos)
13119 ++{
13120 ++ return mem_rw(file, buf, count, ppos, 0);
13121 ++}
13122 ++
13123 ++static ssize_t mem_write(struct file *file, const char __user *buf,
13124 ++ size_t count, loff_t *ppos)
13125 ++{
13126 ++ return mem_rw(file, (char __user*)buf, count, ppos, 1);
13127 ++}
13128 ++
13129 loff_t mem_lseek(struct file *file, loff_t offset, int orig)
13130 {
13131 -@@ -911,6 +956,9 @@ static ssize_t environ_read(struct file *file, char __user *buf,
13132 + switch (orig) {
13133 +@@ -886,8 +895,8 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig)
13134 + static int mem_release(struct inode *inode, struct file *file)
13135 + {
13136 + struct mm_struct *mm = file->private_data;
13137 +-
13138 +- mmput(mm);
13139 ++ if (mm)
13140 ++ mmdrop(mm);
13141 + return 0;
13142 + }
13143 +
13144 +@@ -911,6 +920,9 @@ static ssize_t environ_read(struct file *file, char __user *buf,
13145 if (!task)
13146 goto out_no_task;
13147
13148 @@ -45744,7 +45569,7 @@ index 1fc1dca..813fd0b 100644
13149 ret = -ENOMEM;
13150 page = (char *)__get_free_page(GFP_TEMPORARY);
13151 if (!page)
13152 -@@ -1533,7 +1581,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd)
13153 +@@ -1533,7 +1545,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd)
13154 path_put(&nd->path);
13155
13156 /* Are we allowed to snoop on the tasks file descriptors? */
13157 @@ -45753,7 +45578,7 @@ index 1fc1dca..813fd0b 100644
13158 goto out;
13159
13160 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
13161 -@@ -1572,8 +1620,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
13162 +@@ -1572,8 +1584,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
13163 struct path path;
13164
13165 /* Are we allowed to snoop on the tasks file descriptors? */
13166 @@ -45774,7 +45599,7 @@ index 1fc1dca..813fd0b 100644
13167
13168 error = PROC_I(inode)->op.proc_get_link(inode, &path);
13169 if (error)
13170 -@@ -1638,7 +1696,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
13171 +@@ -1638,7 +1660,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
13172 rcu_read_lock();
13173 cred = __task_cred(task);
13174 inode->i_uid = cred->euid;
13175 @@ -45786,7 +45611,7 @@ index 1fc1dca..813fd0b 100644
13176 rcu_read_unlock();
13177 }
13178 security_task_to_inode(task, inode);
13179 -@@ -1656,6 +1718,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
13180 +@@ -1656,6 +1682,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
13181 struct inode *inode = dentry->d_inode;
13182 struct task_struct *task;
13183 const struct cred *cred;
13184 @@ -45796,7 +45621,7 @@ index 1fc1dca..813fd0b 100644
13185
13186 generic_fillattr(inode, stat);
13187
13188 -@@ -1663,13 +1728,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
13189 +@@ -1663,13 +1692,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
13190 stat->uid = 0;
13191 stat->gid = 0;
13192 task = pid_task(proc_pid(inode), PIDTYPE_PID);
13193 @@ -45839,7 +45664,7 @@ index 1fc1dca..813fd0b 100644
13194 }
13195 rcu_read_unlock();
13196 return 0;
13197 -@@ -1706,11 +1799,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd)
13198 +@@ -1706,11 +1763,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd)
13199
13200 if (task) {
13201 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
13202 @@ -45860,7 +45685,7 @@ index 1fc1dca..813fd0b 100644
13203 rcu_read_unlock();
13204 } else {
13205 inode->i_uid = 0;
13206 -@@ -1828,7 +1930,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info)
13207 +@@ -1828,7 +1894,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info)
13208 int fd = proc_fd(inode);
13209
13210 if (task) {
13211 @@ -45870,7 +45695,7 @@ index 1fc1dca..813fd0b 100644
13212 put_task_struct(task);
13213 }
13214 if (files) {
13215 -@@ -2096,11 +2199,21 @@ static const struct file_operations proc_fd_operations = {
13216 +@@ -2096,11 +2163,21 @@ static const struct file_operations proc_fd_operations = {
13217 */
13218 static int proc_fd_permission(struct inode *inode, int mask)
13219 {
13220 @@ -45894,7 +45719,7 @@ index 1fc1dca..813fd0b 100644
13221 return rv;
13222 }
13223
13224 -@@ -2210,6 +2323,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
13225 +@@ -2210,6 +2287,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
13226 if (!task)
13227 goto out_no_task;
13228
13229 @@ -45904,7 +45729,7 @@ index 1fc1dca..813fd0b 100644
13230 /*
13231 * Yes, it does not scale. And it should not. Don't add
13232 * new entries into /proc/<tgid>/ without very good reasons.
13233 -@@ -2254,6 +2370,9 @@ static int proc_pident_readdir(struct file *filp,
13234 +@@ -2254,6 +2334,9 @@ static int proc_pident_readdir(struct file *filp,
13235 if (!task)
13236 goto out_no_task;
13237
13238 @@ -45914,7 +45739,7 @@ index 1fc1dca..813fd0b 100644
13239 ret = 0;
13240 i = filp->f_pos;
13241 switch (i) {
13242 -@@ -2524,7 +2643,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd)
13243 +@@ -2524,7 +2607,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd)
13244 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
13245 void *cookie)
13246 {
13247 @@ -45923,7 +45748,7 @@ index 1fc1dca..813fd0b 100644
13248 if (!IS_ERR(s))
13249 __putname(s);
13250 }
13251 -@@ -2722,7 +2841,7 @@ static const struct pid_entry tgid_base_stuff[] = {
13252 +@@ -2722,7 +2805,7 @@ static const struct pid_entry tgid_base_stuff[] = {
13253 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
13254 #endif
13255 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
13256 @@ -45932,7 +45757,7 @@ index 1fc1dca..813fd0b 100644
13257 INF("syscall", S_IRUGO, proc_pid_syscall),
13258 #endif
13259 INF("cmdline", S_IRUGO, proc_pid_cmdline),
13260 -@@ -2747,10 +2866,10 @@ static const struct pid_entry tgid_base_stuff[] = {
13261 +@@ -2747,10 +2830,10 @@ static const struct pid_entry tgid_base_stuff[] = {
13262 #ifdef CONFIG_SECURITY
13263 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
13264 #endif
13265 @@ -45945,7 +45770,7 @@ index 1fc1dca..813fd0b 100644
13266 ONE("stack", S_IRUGO, proc_pid_stack),
13267 #endif
13268 #ifdef CONFIG_SCHEDSTATS
13269 -@@ -2784,6 +2903,9 @@ static const struct pid_entry tgid_base_stuff[] = {
13270 +@@ -2784,6 +2867,9 @@ static const struct pid_entry tgid_base_stuff[] = {
13271 #ifdef CONFIG_HARDWALL
13272 INF("hardwall", S_IRUGO, proc_pid_hardwall),
13273 #endif
13274 @@ -45955,7 +45780,7 @@ index 1fc1dca..813fd0b 100644
13275 };
13276
13277 static int proc_tgid_base_readdir(struct file * filp,
13278 -@@ -2909,7 +3031,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
13279 +@@ -2909,7 +2995,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
13280 if (!inode)
13281 goto out;
13282
13283 @@ -45970,7 +45795,7 @@ index 1fc1dca..813fd0b 100644
13284 inode->i_op = &proc_tgid_base_inode_operations;
13285 inode->i_fop = &proc_tgid_base_operations;
13286 inode->i_flags|=S_IMMUTABLE;
13287 -@@ -2951,7 +3080,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct
13288 +@@ -2951,7 +3044,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct
13289 if (!task)
13290 goto out;
13291
13292 @@ -45982,7 +45807,7 @@ index 1fc1dca..813fd0b 100644
13293 put_task_struct(task);
13294 out:
13295 return result;
13296 -@@ -3016,6 +3149,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
13297 +@@ -3016,6 +3113,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
13298 {
13299 unsigned int nr;
13300 struct task_struct *reaper;
13301 @@ -45994,7 +45819,7 @@ index 1fc1dca..813fd0b 100644
13302 struct tgid_iter iter;
13303 struct pid_namespace *ns;
13304
13305 -@@ -3039,8 +3177,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
13306 +@@ -3039,8 +3141,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
13307 for (iter = next_tgid(ns, iter);
13308 iter.task;
13309 iter.tgid += 1, iter = next_tgid(ns, iter)) {
13310 @@ -46023,7 +45848,7 @@ index 1fc1dca..813fd0b 100644
13311 put_task_struct(iter.task);
13312 goto out;
13313 }
13314 -@@ -3068,7 +3225,7 @@ static const struct pid_entry tid_base_stuff[] = {
13315 +@@ -3068,7 +3189,7 @@ static const struct pid_entry tid_base_stuff[] = {
13316 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
13317 #endif
13318 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
13319 @@ -46032,7 +45857,7 @@ index 1fc1dca..813fd0b 100644
13320 INF("syscall", S_IRUGO, proc_pid_syscall),
13321 #endif
13322 INF("cmdline", S_IRUGO, proc_pid_cmdline),
13323 -@@ -3092,10 +3249,10 @@ static const struct pid_entry tid_base_stuff[] = {
13324 +@@ -3092,10 +3213,10 @@ static const struct pid_entry tid_base_stuff[] = {
13325 #ifdef CONFIG_SECURITY
13326 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
13327 #endif
13328 @@ -46894,8 +46719,31 @@ index fa2defa..8601650 100644
13329 ret = -EAGAIN;
13330
13331 pipe_unlock(ipipe);
13332 +diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
13333 +index 7fdf6a7..e6cd8ad 100644
13334 +--- a/fs/sysfs/dir.c
13335 ++++ b/fs/sysfs/dir.c
13336 +@@ -642,6 +642,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
13337 + struct sysfs_dirent *sd;
13338 + int rc;
13339 +
13340 ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
13341 ++ const char *parent_name = parent_sd->s_name;
13342 ++
13343 ++ mode = S_IFDIR | S_IRWXU;
13344 ++
13345 ++ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
13346 ++ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
13347 ++ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse"))) ||
13348 ++ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
13349 ++ mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
13350 ++#endif
13351 ++
13352 + /* allocate */
13353 + sd = sysfs_new_dirent(name, mode, SYSFS_DIR);
13354 + if (!sd)
13355 diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
13356 -index d4e6080b..0e58b99 100644
13357 +index 779789a..f58193c 100644
13358 --- a/fs/sysfs/file.c
13359 +++ b/fs/sysfs/file.c
13360 @@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent_lock);
13361 @@ -46943,22 +46791,6 @@ index d4e6080b..0e58b99 100644
13362 wake_up_interruptible(&od->poll);
13363 }
13364
13365 -diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
13366 -index e34f0d9..740ea7b 100644
13367 ---- a/fs/sysfs/mount.c
13368 -+++ b/fs/sysfs/mount.c
13369 -@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
13370 - .s_name = "",
13371 - .s_count = ATOMIC_INIT(1),
13372 - .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
13373 -+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
13374 -+ .s_mode = S_IFDIR | S_IRWXU,
13375 -+#else
13376 - .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
13377 -+#endif
13378 - .s_ino = 1,
13379 - };
13380 -
13381 diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c
13382 index a7ac78f..02158e1 100644
13383 --- a/fs/sysfs/symlink.c
13384 @@ -47151,26 +46983,12 @@ index 23ce927..e274cc1 100644
13385
13386 if (!IS_ERR(s))
13387 kfree(s);
13388 -diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
13389 -index ce9268a..ee98d0b 100644
13390 ---- a/fs/xfs/xfs_vnodeops.c
13391 -+++ b/fs/xfs/xfs_vnodeops.c
13392 -@@ -131,7 +131,8 @@ xfs_readlink(
13393 - __func__, (unsigned long long) ip->i_ino,
13394 - (long long) pathlen);
13395 - ASSERT(0);
13396 -- return XFS_ERROR(EFSCORRUPTED);
13397 -+ error = XFS_ERROR(EFSCORRUPTED);
13398 -+ goto out;
13399 - }
13400 -
13401 -
13402 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
13403 new file mode 100644
13404 -index 0000000..ab77366
13405 +index 0000000..dfd3d34
13406 --- /dev/null
13407 +++ b/grsecurity/Kconfig
13408 -@@ -0,0 +1,1065 @@
13409 +@@ -0,0 +1,1069 @@
13410 +#
13411 +# grecurity configuration
13412 +#
13413 @@ -47641,15 +47459,19 @@ index 0000000..ab77366
13414 + depends on SYSFS
13415 + help
13416 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
13417 -+ any filesystem normally mounted under it (e.g. debugfs) will only
13418 -+ be accessible by root. These filesystems generally provide access
13419 ++ any filesystem normally mounted under it (e.g. debugfs) will be
13420 ++ mostly accessible only by root. These filesystems generally provide access
13421 + to hardware and debug information that isn't appropriate for unprivileged
13422 + users of the system. Sysfs and debugfs have also become a large source
13423 + of new vulnerabilities, ranging from infoleaks to local compromise.
13424 + There has been very little oversight with an eye toward security involved
13425 + in adding new exporters of information to these filesystems, so their
13426 + use is discouraged.
13427 -+ This option is equivalent to a chmod 0700 of the mount paths.
13428 ++ For reasons of compatibility, a few directories have been whitelisted
13429 ++ for access by non-root users:
13430 ++ /sys/fs/selinux
13431 ++ /sys/fs/fuse
13432 ++ /sys/devices/system/cpu
13433 +
13434 +config GRKERNSEC_ROFS
13435 + bool "Runtime read-only mount protection"
13436 @@ -56948,10 +56770,10 @@ index 0000000..0dc13c3
13437 +EXPORT_SYMBOL(gr_log_timechange);
13438 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
13439 new file mode 100644
13440 -index 0000000..4a78774
13441 +index 0000000..a35ba33
13442 --- /dev/null
13443 +++ b/grsecurity/grsec_tpe.c
13444 -@@ -0,0 +1,39 @@
13445 +@@ -0,0 +1,73 @@
13446 +#include <linux/kernel.h>
13447 +#include <linux/sched.h>
13448 +#include <linux/file.h>
13449 @@ -56966,25 +56788,59 @@ index 0000000..4a78774
13450 +#ifdef CONFIG_GRKERNSEC
13451 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
13452 + const struct cred *cred = current_cred();
13453 ++ char *msg = NULL;
13454 ++ char *msg2 = NULL;
13455 ++
13456 ++ // never restrict root
13457 ++ if (!cred->uid)
13458 ++ return 1;
13459 +
13460 -+ if (cred->uid && ((grsec_enable_tpe &&
13461 ++ if (grsec_enable_tpe) {
13462 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
13463 -+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
13464 -+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
13465 ++ if (grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid))
13466 ++ msg = "not being in trusted group";
13467 ++ else if (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid))
13468 ++ msg = "being in untrusted group";
13469 +#else
13470 -+ in_group_p(grsec_tpe_gid)
13471 ++ if (in_group_p(grsec_tpe_gid))
13472 ++ msg = "being in untrusted group";
13473 +#endif
13474 -+ ) || gr_acl_tpe_check()) &&
13475 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
13476 -+ (inode->i_mode & S_IWOTH))))) {
13477 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
13478 ++ }
13479 ++ if (!msg && gr_acl_tpe_check())
13480 ++ msg = "being in untrusted role";
13481 ++
13482 ++ // not in any affected group/role
13483 ++ if (!msg)
13484 ++ goto next_check;
13485 ++
13486 ++ if (inode->i_uid)
13487 ++ msg2 = "file in non-root-owned directory";
13488 ++ else if (inode->i_mode & S_IWOTH)
13489 ++ msg2 = "file in world-writable directory";
13490 ++ else if (inode->i_mode & S_IWGRP)
13491 ++ msg2 = "file in group-writable directory";
13492 ++
13493 ++ if (msg && msg2) {
13494 ++ char fullmsg[64] = {0};
13495 ++ snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
13496 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
13497 + return 0;
13498 + }
13499 ++ msg = NULL;
13500 ++next_check:
13501 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
13502 -+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
13503 -+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
13504 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
13505 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
13506 ++ if (!grsec_enable_tpe || !grsec_enable_tpe_all)
13507 ++ return 1;
13508 ++
13509 ++ if (inode->i_uid && (inode->i_uid != cred->uid))
13510 ++ msg = "directory not owned by user";
13511 ++ else if (inode->i_mode & S_IWOTH)
13512 ++ msg = "file in world-writable directory";
13513 ++ else if (inode->i_mode & S_IWGRP)
13514 ++ msg = "file in group-writable directory";
13515 ++
13516 ++ if (msg) {
13517 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
13518 + return 0;
13519 + }
13520 +#endif
13521 @@ -57589,7 +57445,7 @@ index b5e2e4c..6a5373e 100644
13522 /**
13523 * PERCPU_SECTION - define output section for percpu area, simple version
13524 diff --git a/include/drm/drmP.h b/include/drm/drmP.h
13525 -index 1f9e951..14ef517 100644
13526 +index bf4b2dc..2d0762f 100644
13527 --- a/include/drm/drmP.h
13528 +++ b/include/drm/drmP.h
13529 @@ -72,6 +72,7 @@
13530 @@ -59014,7 +58870,7 @@ index 0000000..da390f1
13531 +#endif
13532 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
13533 new file mode 100644
13534 -index 0000000..dfb15ef
13535 +index 0000000..b3347e2
13536 --- /dev/null
13537 +++ b/include/linux/grmsg.h
13538 @@ -0,0 +1,109 @@
13539 @@ -59052,7 +58908,7 @@ index 0000000..dfb15ef
13540 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
13541 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
13542 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
13543 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
13544 ++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
13545 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
13546 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
13547 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
13548 @@ -60435,7 +60291,7 @@ index 2148b12..519b820 100644
13549
13550 static inline void anon_vma_merge(struct vm_area_struct *vma,
13551 diff --git a/include/linux/sched.h b/include/linux/sched.h
13552 -index 1c4f3e9..c5b241a 100644
13553 +index 1c4f3e9..f29cbeb 100644
13554 --- a/include/linux/sched.h
13555 +++ b/include/linux/sched.h
13556 @@ -101,6 +101,7 @@ struct bio_list;
13557 @@ -60639,7 +60495,20 @@ index 1c4f3e9..c5b241a 100644
13558 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
13559 struct pid_namespace *ns);
13560
13561 -@@ -2251,7 +2343,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
13562 +@@ -2235,6 +2327,12 @@ static inline void mmdrop(struct mm_struct * mm)
13563 + extern void mmput(struct mm_struct *);
13564 + /* Grab a reference to a task's mm, if it is not already going away */
13565 + extern struct mm_struct *get_task_mm(struct task_struct *task);
13566 ++/*
13567 ++ * Grab a reference to a task's mm, if it is not already going away
13568 ++ * and ptrace_may_access with the mode parameter passed to it
13569 ++ * succeeds.
13570 ++ */
13571 ++extern struct mm_struct *mm_access(struct task_struct *task, unsigned int mode);
13572 + /* Remove the current tasks stale references to the old mm_struct */
13573 + extern void mm_release(struct task_struct *, struct mm_struct *);
13574 + /* Allocate a new mm structure and copy contents from tsk->mm */
13575 +@@ -2251,7 +2349,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
13576 extern void exit_itimers(struct signal_struct *);
13577 extern void flush_itimer_signals(void);
13578
13579 @@ -60648,7 +60517,7 @@ index 1c4f3e9..c5b241a 100644
13580
13581 extern void daemonize(const char *, ...);
13582 extern int allow_signal(int);
13583 -@@ -2416,13 +2508,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
13584 +@@ -2416,13 +2514,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
13585
13586 #endif
13587
13588 @@ -63319,7 +63188,7 @@ index e6e01b9..619f837 100644
13589
13590 if (group_dead)
13591 diff --git a/kernel/fork.c b/kernel/fork.c
13592 -index da4a6a1..c04943c 100644
13593 +index da4a6a1..0973380 100644
13594 --- a/kernel/fork.c
13595 +++ b/kernel/fork.c
13596 @@ -280,7 +280,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
13597 @@ -63536,7 +63405,34 @@ index da4a6a1..c04943c 100644
13598 }
13599
13600 static inline int mm_alloc_pgd(struct mm_struct *mm)
13601 -@@ -829,13 +866,14 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
13602 +@@ -644,6 +681,26 @@ struct mm_struct *get_task_mm(struct task_struct *task)
13603 + }
13604 + EXPORT_SYMBOL_GPL(get_task_mm);
13605 +
13606 ++struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
13607 ++{
13608 ++ struct mm_struct *mm;
13609 ++ int err;
13610 ++
13611 ++ err = mutex_lock_killable(&task->signal->cred_guard_mutex);
13612 ++ if (err)
13613 ++ return ERR_PTR(err);
13614 ++
13615 ++ mm = get_task_mm(task);
13616 ++ if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) ||
13617 ++ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
13618 ++ mmput(mm);
13619 ++ mm = ERR_PTR(-EACCES);
13620 ++ }
13621 ++ mutex_unlock(&task->signal->cred_guard_mutex);
13622 ++
13623 ++ return mm;
13624 ++}
13625 ++
13626 + /* Please note the differences between mmput and mm_release.
13627 + * mmput is called whenever we stop holding onto a mm_struct,
13628 + * error success whatever.
13629 +@@ -829,13 +886,14 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
13630 spin_unlock(&fs->lock);
13631 return -EAGAIN;
13632 }
13633 @@ -63552,7 +63448,7 @@ index da4a6a1..c04943c 100644
13634 return 0;
13635 }
13636
13637 -@@ -1097,6 +1135,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
13638 +@@ -1097,6 +1155,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
13639 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
13640 #endif
13641 retval = -EAGAIN;
13642 @@ -63562,7 +63458,7 @@ index da4a6a1..c04943c 100644
13643 if (atomic_read(&p->real_cred->user->processes) >=
13644 task_rlimit(p, RLIMIT_NPROC)) {
13645 if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
13646 -@@ -1256,6 +1297,8 @@ static struct task_struct *copy_process(unsigned long clone_flags,
13647 +@@ -1256,6 +1317,8 @@ static struct task_struct *copy_process(unsigned long clone_flags,
13648 if (clone_flags & CLONE_THREAD)
13649 p->tgid = current->tgid;
13650
13651 @@ -63571,7 +63467,7 @@ index da4a6a1..c04943c 100644
13652 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
13653 /*
13654 * Clear TID on mm_release()?
13655 -@@ -1418,6 +1461,8 @@ bad_fork_cleanup_count:
13656 +@@ -1418,6 +1481,8 @@ bad_fork_cleanup_count:
13657 bad_fork_free:
13658 free_task(p);
13659 fork_out:
13660 @@ -63580,7 +63476,7 @@ index da4a6a1..c04943c 100644
13661 return ERR_PTR(retval);
13662 }
13663
13664 -@@ -1518,6 +1563,8 @@ long do_fork(unsigned long clone_flags,
13665 +@@ -1518,6 +1583,8 @@ long do_fork(unsigned long clone_flags,
13666 if (clone_flags & CLONE_PARENT_SETTID)
13667 put_user(nr, parent_tidptr);
13668
13669 @@ -63589,7 +63485,7 @@ index da4a6a1..c04943c 100644
13670 if (clone_flags & CLONE_VFORK) {
13671 p->vfork_done = &vfork;
13672 init_completion(&vfork);
13673 -@@ -1627,7 +1674,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
13674 +@@ -1627,7 +1694,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
13675 return 0;
13676
13677 /* don't need lock here; in the worst case we'll do useless copy */
13678 @@ -63598,7 +63494,7 @@ index da4a6a1..c04943c 100644
13679 return 0;
13680
13681 *new_fsp = copy_fs_struct(fs);
13682 -@@ -1716,7 +1763,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
13683 +@@ -1716,7 +1783,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
13684 fs = current->fs;
13685 spin_lock(&fs->lock);
13686 current->fs = new_fs;
13687 @@ -66227,7 +66123,7 @@ index 2c71d91..1021f81 100644
13688 struct tasklet_struct *list;
13689
13690 diff --git a/kernel/sys.c b/kernel/sys.c
13691 -index 481611f..0754d86 100644
13692 +index 481611f..4665125 100644
13693 --- a/kernel/sys.c
13694 +++ b/kernel/sys.c
13695 @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
13696 @@ -66296,7 +66192,29 @@ index 481611f..0754d86 100644
13697 if (nsown_capable(CAP_SETUID)) {
13698 new->suid = new->uid = uid;
13699 if (uid != old->uid) {
13700 -@@ -786,6 +808,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
13701 +@@ -775,9 +797,18 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
13702 +
13703 + retval = -EPERM;
13704 + if (!nsown_capable(CAP_SETUID)) {
13705 +- if (ruid != (uid_t) -1 && ruid != old->uid &&
13706 +- ruid != old->euid && ruid != old->suid)
13707 +- goto error;
13708 ++ // if RBAC is enabled, require CAP_SETUID to change
13709 ++ // uid to euid (from a suid binary, for instance)
13710 ++ // this is a hardening of normal permissions, not
13711 ++ // weakening
13712 ++ if (gr_acl_is_enabled()) {
13713 ++ if (ruid != (uid_t) -1 && ruid != old->uid)
13714 ++ goto error;
13715 ++ } else {
13716 ++ if (ruid != (uid_t) -1 && ruid != old->uid &&
13717 ++ ruid != old->euid && ruid != old->suid)
13718 ++ goto error;
13719 ++ }
13720 + if (euid != (uid_t) -1 && euid != old->uid &&
13721 + euid != old->euid && euid != old->suid)
13722 + goto error;
13723 +@@ -786,6 +817,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
13724 goto error;
13725 }
13726
13727 @@ -66306,7 +66224,29 @@ index 481611f..0754d86 100644
13728 if (ruid != (uid_t) -1) {
13729 new->uid = ruid;
13730 if (ruid != old->uid) {
13731 -@@ -850,6 +875,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
13732 +@@ -839,9 +873,18 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
13733 +
13734 + retval = -EPERM;
13735 + if (!nsown_capable(CAP_SETGID)) {
13736 +- if (rgid != (gid_t) -1 && rgid != old->gid &&
13737 +- rgid != old->egid && rgid != old->sgid)
13738 +- goto error;
13739 ++ // if RBAC is enabled, require CAP_SETGID to change
13740 ++ // gid to egid (from a sgid binary, for instance)
13741 ++ // this is a hardening of normal permissions, not
13742 ++ // weakening
13743 ++ if (gr_acl_is_enabled()) {
13744 ++ if (rgid != (gid_t) -1 && rgid != old->gid)
13745 ++ goto error;
13746 ++ } else {
13747 ++ if (rgid != (gid_t) -1 && rgid != old->gid &&
13748 ++ rgid != old->egid && rgid != old->sgid)
13749 ++ goto error;
13750 ++ }
13751 + if (egid != (gid_t) -1 && egid != old->gid &&
13752 + egid != old->egid && egid != old->sgid)
13753 + goto error;
13754 +@@ -850,6 +893,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
13755 goto error;
13756 }
13757
13758 @@ -66316,7 +66256,7 @@ index 481611f..0754d86 100644
13759 if (rgid != (gid_t) -1)
13760 new->gid = rgid;
13761 if (egid != (gid_t) -1)
13762 -@@ -896,6 +924,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
13763 +@@ -896,6 +942,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
13764 old = current_cred();
13765 old_fsuid = old->fsuid;
13766
13767 @@ -66326,7 +66266,7 @@ index 481611f..0754d86 100644
13768 if (uid == old->uid || uid == old->euid ||
13769 uid == old->suid || uid == old->fsuid ||
13770 nsown_capable(CAP_SETUID)) {
13771 -@@ -906,6 +937,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
13772 +@@ -906,6 +955,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
13773 }
13774 }
13775
13776 @@ -66334,7 +66274,7 @@ index 481611f..0754d86 100644
13777 abort_creds(new);
13778 return old_fsuid;
13779
13780 -@@ -932,12 +964,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
13781 +@@ -932,12 +982,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
13782 if (gid == old->gid || gid == old->egid ||
13783 gid == old->sgid || gid == old->fsgid ||
13784 nsown_capable(CAP_SETGID)) {
13785 @@ -66351,7 +66291,7 @@ index 481611f..0754d86 100644
13786 abort_creds(new);
13787 return old_fsgid;
13788
13789 -@@ -1189,7 +1225,10 @@ static int override_release(char __user *release, int len)
13790 +@@ -1189,7 +1243,10 @@ static int override_release(char __user *release, int len)
13791 }
13792 v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
13793 snprintf(buf, len, "2.6.%u%s", v, rest);
13794 @@ -66363,7 +66303,7 @@ index 481611f..0754d86 100644
13795 }
13796 return ret;
13797 }
13798 -@@ -1243,19 +1282,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
13799 +@@ -1243,19 +1300,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
13800 return -EFAULT;
13801
13802 down_read(&uts_sem);
13803 @@ -66388,7 +66328,7 @@ index 481611f..0754d86 100644
13804 __OLD_UTS_LEN);
13805 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
13806 up_read(&uts_sem);
13807 -@@ -1720,7 +1759,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
13808 +@@ -1720,7 +1777,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
13809 error = get_dumpable(me->mm);
13810 break;
13811 case PR_SET_DUMPABLE:
13812 @@ -70360,7 +70300,7 @@ index 716eb4a..8d10419 100644
13813
13814 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
13815 diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
13816 -index e920aa3..78fe584 100644
13817 +index e920aa3..137702a 100644
13818 --- a/mm/process_vm_access.c
13819 +++ b/mm/process_vm_access.c
13820 @@ -13,6 +13,7 @@
13821 @@ -70398,21 +70338,40 @@ index e920aa3..78fe584 100644
13822 }
13823
13824 if (nr_pages == 0)
13825 -@@ -298,8 +299,13 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec,
13826 +@@ -298,23 +299,23 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec,
13827 goto free_proc_pages;
13828 }
13829
13830 -+ if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
13831 -+ rc = -EPERM;
13832 -+ goto put_task_struct;
13833 -+ }
13834 -+
13835 - task_lock(task);
13836 +- task_lock(task);
13837 - if (__ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
13838 -+ if (ptrace_may_access_nolock(task, PTRACE_MODE_ATTACH)) {
13839 - task_unlock(task);
13840 +- task_unlock(task);
13841 ++ if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
13842 rc = -EPERM;
13843 goto put_task_struct;
13844 + }
13845 +- mm = task->mm;
13846 +
13847 +- if (!mm || (task->flags & PF_KTHREAD)) {
13848 +- task_unlock(task);
13849 +- rc = -EINVAL;
13850 ++ mm = mm_access(task, PTRACE_MODE_ATTACH);
13851 ++ if (!mm || IS_ERR(mm)) {
13852 ++ rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
13853 ++ /*
13854 ++ * Explicitly map EACCES to EPERM as EPERM is a more a
13855 ++ * appropriate error code for process_vw_readv/writev
13856 ++ */
13857 ++ if (rc == -EACCES)
13858 ++ rc = -EPERM;
13859 + goto put_task_struct;
13860 + }
13861 +
13862 +- atomic_inc(&mm->mm_users);
13863 +- task_unlock(task);
13864 +-
13865 + for (i = 0; i < riovcnt && iov_l_curr_idx < liovcnt; i++) {
13866 + rc = process_vm_rw_single_vec(
13867 + (unsigned long)rvec[i].iov_base, rvec[i].iov_len,
13868 diff --git a/mm/rmap.c b/mm/rmap.c
13869 index a4fd368..e0ffec7 100644
13870 --- a/mm/rmap.c
13871 @@ -72994,7 +72953,7 @@ index 94cdbc5..0cb0063 100644
13872 ts = peer->tcp_ts;
13873 tsage = get_seconds() - peer->tcp_ts_stamp;
13874 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
13875 -index a9db4b1..3c03301 100644
13876 +index c89e354..8bd55c8 100644
13877 --- a/net/ipv4/tcp_ipv4.c
13878 +++ b/net/ipv4/tcp_ipv4.c
13879 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
13880 @@ -73277,7 +73236,7 @@ index 5a65eea..bd913a1 100644
13881
13882 int udp4_seq_show(struct seq_file *seq, void *v)
13883 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
13884 -index 36806de..b86f74c 100644
13885 +index 836c4ea..cbb74dc 100644
13886 --- a/net/ipv6/addrconf.c
13887 +++ b/net/ipv6/addrconf.c
13888 @@ -2149,7 +2149,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
13889 @@ -73325,7 +73284,7 @@ index 26cb08c..8af9877 100644
13890 msg.msg_flags = flags;
13891
13892 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
13893 -index 331af3b..7789844 100644
13894 +index 361ebf3..d5628fb 100644
13895 --- a/net/ipv6/raw.c
13896 +++ b/net/ipv6/raw.c
13897 @@ -377,7 +377,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
13898 @@ -73415,7 +73374,7 @@ index 331af3b..7789844 100644
13899
13900 static int raw6_seq_show(struct seq_file *seq, void *v)
13901 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
13902 -index 2dea4bb..dca8ac5 100644
13903 +index b859e4a..f9d1589 100644
13904 --- a/net/ipv6/tcp_ipv6.c
13905 +++ b/net/ipv6/tcp_ipv6.c
13906 @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
13907 @@ -74282,7 +74241,7 @@ index d9d4970..d5a6a68 100644
13908 return 0;
13909 }
13910 diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
13911 -index bf10ea8..aeb4c3e 100644
13912 +index d65f699..05aa6ce 100644
13913 --- a/net/phonet/af_phonet.c
13914 +++ b/net/phonet/af_phonet.c
13915 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_proto_get(unsigned int protocol)
13916 @@ -74335,7 +74294,7 @@ index 2ba6e9f..409573f 100644
13917 break;
13918 }
13919 diff --git a/net/phonet/socket.c b/net/phonet/socket.c
13920 -index 3f8d0b1..74635e0 100644
13921 +index 4c7eff3..59c727f 100644
13922 --- a/net/phonet/socket.c
13923 +++ b/net/phonet/socket.c
13924 @@ -613,8 +613,13 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v)
13925 @@ -74795,7 +74754,7 @@ index 54a7cd2..944edae 100644
13926 to += addrlen;
13927 cnt++;
13928 diff --git a/net/socket.c b/net/socket.c
13929 -index 2877647..08e2fde 100644
13930 +index 2dce67a..1e91168 100644
13931 --- a/net/socket.c
13932 +++ b/net/socket.c
13933 @@ -88,6 +88,7 @@
13934 @@ -75360,7 +75319,7 @@ index 1983717..4d6102c 100644
13935
13936 sub->evt.event = htohl(event, sub->swap);
13937 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
13938 -index b595a3d..b1cd354 100644
13939 +index d99678a..3514a21 100644
13940 --- a/net/unix/af_unix.c
13941 +++ b/net/unix/af_unix.c
13942 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(struct net *net,
13943 @@ -75851,10 +75810,10 @@ index 5c11312..72742b5 100644
13944 write_hex_cnt = 0;
13945 for (i = 0; i < logo_clutsize; i++) {
13946 diff --git a/security/Kconfig b/security/Kconfig
13947 -index 51bd5a0..8465ae6 100644
13948 +index 51bd5a0..eeabc9f 100644
13949 --- a/security/Kconfig
13950 +++ b/security/Kconfig
13951 -@@ -4,6 +4,626 @@
13952 +@@ -4,6 +4,627 @@
13953
13954 menu "Security options"
13955
13956 @@ -76364,6 +76323,7 @@ index 51bd5a0..8465ae6 100644
13957 +
13958 +config PAX_MEMORY_SANITIZE
13959 + bool "Sanitize all freed memory"
13960 ++ depends on !HIBERNATION
13961 + help
13962 + By saying Y here the kernel will erase memory pages as soon as they
13963 + are freed. This in turn reduces the lifetime of data stored in the
13964 @@ -76481,7 +76441,7 @@ index 51bd5a0..8465ae6 100644
13965 config KEYS
13966 bool "Enable access key retention support"
13967 help
13968 -@@ -169,7 +789,7 @@ config INTEL_TXT
13969 +@@ -169,7 +790,7 @@ config INTEL_TXT
13970 config LSM_MMAP_MIN_ADDR
13971 int "Low address space for LSM to protect from user allocation"
13972 depends on SECURITY && SECURITY_SELINUX
13973
13974 diff --git a/3.2.2/4421_grsec-remove-localversion-grsec.patch b/3.2.4/4421_grsec-remove-localversion-grsec.patch
13975 similarity index 100%
13976 rename from 3.2.2/4421_grsec-remove-localversion-grsec.patch
13977 rename to 3.2.4/4421_grsec-remove-localversion-grsec.patch
13978
13979 diff --git a/3.2.2/4422_grsec-mute-warnings.patch b/3.2.4/4422_grsec-mute-warnings.patch
13980 similarity index 100%
13981 rename from 3.2.2/4422_grsec-mute-warnings.patch
13982 rename to 3.2.4/4422_grsec-mute-warnings.patch
13983
13984 diff --git a/3.2.2/4423_grsec-remove-protected-paths.patch b/3.2.4/4423_grsec-remove-protected-paths.patch
13985 similarity index 100%
13986 rename from 3.2.2/4423_grsec-remove-protected-paths.patch
13987 rename to 3.2.4/4423_grsec-remove-protected-paths.patch
13988
13989 diff --git a/3.2.2/4425_grsec-pax-without-grsec.patch b/3.2.4/4425_grsec-pax-without-grsec.patch
13990 similarity index 100%
13991 rename from 3.2.2/4425_grsec-pax-without-grsec.patch
13992 rename to 3.2.4/4425_grsec-pax-without-grsec.patch
13993
13994 diff --git a/3.2.2/4430_grsec-kconfig-default-gids.patch b/3.2.4/4430_grsec-kconfig-default-gids.patch
13995 similarity index 95%
13996 rename from 3.2.2/4430_grsec-kconfig-default-gids.patch
13997 rename to 3.2.4/4430_grsec-kconfig-default-gids.patch
13998 index 3c76d91..0807a4e 100644
13999 --- a/3.2.2/4430_grsec-kconfig-default-gids.patch
14000 +++ b/3.2.4/4430_grsec-kconfig-default-gids.patch
14001 @@ -21,7 +21,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14002
14003 config GRKERNSEC_PROC_ADD
14004 bool "Additional restrictions"
14005 -@@ -658,7 +658,7 @@
14006 +@@ -662,7 +662,7 @@
14007 config GRKERNSEC_AUDIT_GID
14008 int "GID for auditing"
14009 depends on GRKERNSEC_AUDIT_GROUP
14010 @@ -30,7 +30,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14011
14012 config GRKERNSEC_EXECLOG
14013 bool "Exec logging"
14014 -@@ -864,7 +864,7 @@
14015 +@@ -866,7 +866,7 @@
14016 config GRKERNSEC_TPE_GID
14017 int "GID for untrusted users"
14018 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
14019 @@ -39,7 +39,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14020 help
14021 Setting this GID determines what group TPE restrictions will be
14022 *enabled* for. If the sysctl option is enabled, a sysctl option
14023 -@@ -873,7 +873,7 @@
14024 +@@ -875,7 +875,7 @@
14025 config GRKERNSEC_TPE_GID
14026 int "GID for trusted users"
14027 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
14028 @@ -48,7 +48,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14029 help
14030 Setting this GID determines what group TPE restrictions will be
14031 *disabled* for. If the sysctl option is enabled, a sysctl option
14032 -@@ -946,7 +946,7 @@
14033 +@@ -948,7 +948,7 @@
14034 config GRKERNSEC_SOCKET_ALL_GID
14035 int "GID to deny all sockets for"
14036 depends on GRKERNSEC_SOCKET_ALL
14037 @@ -57,7 +57,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14038 help
14039 Here you can choose the GID to disable socket access for. Remember to
14040 add the users you want socket access disabled for to the GID
14041 -@@ -967,7 +967,7 @@
14042 +@@ -969,7 +969,7 @@
14043 config GRKERNSEC_SOCKET_CLIENT_GID
14044 int "GID to deny client sockets for"
14045 depends on GRKERNSEC_SOCKET_CLIENT
14046 @@ -66,7 +66,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14047 help
14048 Here you can choose the GID to disable client socket access for.
14049 Remember to add the users you want client socket access disabled for to
14050 -@@ -985,7 +985,7 @@
14051 +@@ -987,7 +987,7 @@
14052 config GRKERNSEC_SOCKET_SERVER_GID
14053 int "GID to deny server sockets for"
14054 depends on GRKERNSEC_SOCKET_SERVER
14055
14056 diff --git a/3.2.2/4435_grsec-kconfig-gentoo.patch b/3.2.4/4435_grsec-kconfig-gentoo.patch
14057 similarity index 99%
14058 rename from 3.2.2/4435_grsec-kconfig-gentoo.patch
14059 rename to 3.2.4/4435_grsec-kconfig-gentoo.patch
14060 index 1e145df..587b7d9 100644
14061 --- a/3.2.2/4435_grsec-kconfig-gentoo.patch
14062 +++ b/3.2.4/4435_grsec-kconfig-gentoo.patch
14063 @@ -341,7 +341,7 @@ diff -Naur a/security/Kconfig b/security/Kconfig
14064 default ""
14065
14066 config PAX_KERNEXEC_MODULE_TEXT
14067 -@@ -555,8 +556,9 @@
14068 +@@ -556,8 +557,9 @@
14069
14070 config PAX_MEMORY_UDEREF
14071 bool "Prevent invalid userland pointer dereference"
14072
14073 diff --git a/3.2.2/4437-grsec-kconfig-proc-user.patch b/3.2.4/4437-grsec-kconfig-proc-user.patch
14074 similarity index 100%
14075 rename from 3.2.2/4437-grsec-kconfig-proc-user.patch
14076 rename to 3.2.4/4437-grsec-kconfig-proc-user.patch
14077
14078 diff --git a/3.2.2/4440_selinux-avc_audit-log-curr_ip.patch b/3.2.4/4440_selinux-avc_audit-log-curr_ip.patch
14079 similarity index 99%
14080 rename from 3.2.2/4440_selinux-avc_audit-log-curr_ip.patch
14081 rename to 3.2.4/4440_selinux-avc_audit-log-curr_ip.patch
14082 index f9f62df..7c9894c 100644
14083 --- a/3.2.2/4440_selinux-avc_audit-log-curr_ip.patch
14084 +++ b/3.2.4/4440_selinux-avc_audit-log-curr_ip.patch
14085 @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
14086 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
14087 --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
14088 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
14089 -@@ -1295,6 +1295,27 @@
14090 +@@ -1297,6 +1297,27 @@
14091 menu "Logging Options"
14092 depends on GRKERNSEC
14093
14094
14095 diff --git a/3.2.2/4445_disable-compat_vdso.patch b/3.2.4/4445_disable-compat_vdso.patch
14096 similarity index 100%
14097 rename from 3.2.2/4445_disable-compat_vdso.patch
14098 rename to 3.2.4/4445_disable-compat_vdso.patch
Report Message
Find on MARC Find on Google Groups