Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Mike Pagano (mpagano)" <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r1573 - genpatches-2.6/trunk/2.6.30
Date: Fri, 05 Jun 2009 16:29:14
Message-Id: E1MCcHi-0008U0-Eu@stork.gentoo.org
1 Author: mpagano
2 Date: 2009-06-05 16:28:49 +0000 (Fri, 05 Jun 2009)
3 New Revision: 1573
4
5 Removed:
6 genpatches-2.6/trunk/2.6.30/1000_linux-2.6.29.1.patch
7 genpatches-2.6/trunk/2.6.30/1001_linux-2.6.29.2.patch
8 genpatches-2.6/trunk/2.6.30/1002_linux-2.6.29.3.patch
9 genpatches-2.6/trunk/2.6.30/1003_linux-2.6.29.4.patch
10 genpatches-2.6/trunk/2.6.30/1915_ext4-automatically-allocate-delay-allocated-blocks-on-rename.patch
11 genpatches-2.6/trunk/2.6.30/1916_ext4-automatically-allocate-delay-allocated-blocks-on-close.patch
12 genpatches-2.6/trunk/2.6.30/1917_ext4-add-EXT4_IOC_ALLOC_DA_BLKS-ioctl.patch
13 genpatches-2.6/trunk/2.6.30/1918_ext4-fix-discard-of-inode-prealloc-space-with-delayed-allocation.patch
14 genpatches-2.6/trunk/2.6.30/2300_alpha-add-pci-resources.patch
15 genpatches-2.6/trunk/2.6.30/2700_usblp-poll-for-status.patch
16 Modified:
17 genpatches-2.6/trunk/2.6.30/0000_README
18 Log:
19 Preparing for 2.6.30 kernel
20
21 Modified: genpatches-2.6/trunk/2.6.30/0000_README
22 ===================================================================
23 --- genpatches-2.6/trunk/2.6.30/0000_README 2009-06-05 16:26:11 UTC (rev 1572)
24 +++ genpatches-2.6/trunk/2.6.30/0000_README 2009-06-05 16:28:49 UTC (rev 1573)
25 @@ -39,46 +39,6 @@
26 Individual Patch Descriptions:
27 --------------------------------------------------------------------------
28
29 -Patch: 1000_linux-2.6.29.1.patch
30 -From: http://www.kernel.org
31 -Desc: Linux 2.6.29.1
32 -
33 -Patch: 1001_linux-2.6.29.2.patch
34 -From: http://www.kernel.org
35 -Desc: Linux 2.6.29.2
36 -
37 -Patch: 1002_linux-2.6.29.3.patch
38 -From: http://www.kernel.org
39 -Desc: Linux 2.6.29.3
40 -
41 -Patch: 1003_linux-2.6.29.4.patch
42 -From: http://www.kernel.org
43 -Desc: Linux 2.6.29.4
44 -
45 -Patch: 1915_ext4-automatically-allocate-delay-allocated-blocks-on-rename.patch
46 -From: Theodore Ts'o <tytso@×××.edu>
47 -Desc: ext4: Automatically allocate delay allocated blocks on rename
48 -
49 -Patch: 1916_ext4-automatically-allocate-delay-allocated-blocks-on-close.patch
50 -From: Theodore Ts'o <tytso@×××.edu>
51 -Desc: ext4: Automatically allocate delay allocated blocks on close
52 -
53 -Patch: 1917_ext4-add-EXT4_IOC_ALLOC_DA_BLKS-ioctl.patch
54 -From: Theodore Ts'o <tytso@×××.edu>
55 -Desc: ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl
56 -
57 -Patch: 1918_ext4-fix-discard-of-inode-prealloc-space-with-delayed-allocation.patch
58 -From: Aneesh Kumar K.V <aneesh.kumar@××××××××××××××.com>
59 -Desc: ext4: Fix discard of inode prealloc space with delayed allocation
60 -
61 -Patch: 2300_alpha-add-pci-resources.patch
62 -From: http://bugs.gentoo.org/show_bug.cgi?id=270069
63 -Desc: PCI/alpha: make PCI resources available
64 -
65 -Patch: 2700_usblp-poll-for-status.patch
66 -From: http://bugs.gentoo.org/show_bug.cgi?id=251237
67 -Desc: usblp: continuously poll for status
68 -
69 Patch: 4100_dm-bbr.patch
70 From: EVMS 2.5.2
71 Desc: Bad block relocation support for LiveCD users
72
73 Deleted: genpatches-2.6/trunk/2.6.30/1000_linux-2.6.29.1.patch
74 ===================================================================
75 --- genpatches-2.6/trunk/2.6.30/1000_linux-2.6.29.1.patch 2009-06-05 16:26:11 UTC (rev 1572)
76 +++ genpatches-2.6/trunk/2.6.30/1000_linux-2.6.29.1.patch 2009-06-05 16:28:49 UTC (rev 1573)
77 @@ -1,1243 +0,0 @@
78 -diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
79 -index a58378c..ce3b36e 100644
80 ---- a/arch/arm/include/asm/elf.h
81 -+++ b/arch/arm/include/asm/elf.h
82 -@@ -50,6 +50,7 @@ typedef struct user_fp elf_fpregset_t;
83 - #define R_ARM_ABS32 2
84 - #define R_ARM_CALL 28
85 - #define R_ARM_JUMP24 29
86 -+#define R_ARM_V4BX 40
87 -
88 - /*
89 - * These are used to set parameters in the core dumps.
90 -diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
91 -index dab48f2..9f509fd 100644
92 ---- a/arch/arm/kernel/module.c
93 -+++ b/arch/arm/kernel/module.c
94 -@@ -132,6 +132,15 @@ apply_relocate(Elf32_Shdr *sechdrs, const char *strtab, unsigned int symindex,
95 - *(u32 *)loc |= offset & 0x00ffffff;
96 - break;
97 -
98 -+ case R_ARM_V4BX:
99 -+ /* Preserve Rm and the condition code. Alter
100 -+ * other bits to re-code instruction as
101 -+ * MOV PC,Rm.
102 -+ */
103 -+ *(u32 *)loc &= 0xf000000f;
104 -+ *(u32 *)loc |= 0x01a0f000;
105 -+ break;
106 -+
107 - default:
108 - printk(KERN_ERR "%s: unknown relocation: %u\n",
109 - module->name, ELF32_R_TYPE(rel->r_info));
110 -diff --git a/arch/arm/mach-iop13xx/pci.c b/arch/arm/mach-iop13xx/pci.c
111 -index 673b0db..4873f26 100644
112 ---- a/arch/arm/mach-iop13xx/pci.c
113 -+++ b/arch/arm/mach-iop13xx/pci.c
114 -@@ -1026,8 +1026,10 @@ int iop13xx_pci_setup(int nr, struct pci_sys_data *sys)
115 - which_atu = 0;
116 - }
117 -
118 -- if (!which_atu)
119 -+ if (!which_atu) {
120 -+ kfree(res);
121 - return 0;
122 -+ }
123 -
124 - switch(which_atu) {
125 - case IOP13XX_INIT_ATU_ATUX:
126 -@@ -1074,6 +1076,7 @@ int iop13xx_pci_setup(int nr, struct pci_sys_data *sys)
127 - sys->map_irq = iop13xx_pcie_map_irq;
128 - break;
129 - default:
130 -+ kfree(res);
131 - return 0;
132 - }
133 -
134 -diff --git a/arch/arm/mach-omap2/mmc-twl4030.c b/arch/arm/mach-omap2/mmc-twl4030.c
135 -index 437f520..e1dadf7 100644
136 ---- a/arch/arm/mach-omap2/mmc-twl4030.c
137 -+++ b/arch/arm/mach-omap2/mmc-twl4030.c
138 -@@ -397,6 +397,7 @@ void __init twl4030_mmc_init(struct twl4030_hsmmc_info *controllers)
139 - break;
140 - default:
141 - pr_err("MMC%d configuration not supported!\n", c->mmc);
142 -+ kfree(mmc);
143 - continue;
144 - }
145 - hsmmc_data[c->mmc - 1] = mmc;
146 -diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
147 -index d4d082c..5a89e57 100644
148 ---- a/arch/arm/mm/mmu.c
149 -+++ b/arch/arm/mm/mmu.c
150 -@@ -694,7 +694,7 @@ static void __init sanity_check_meminfo(void)
151 - * the vmalloc area.
152 - */
153 - if (__va(bank->start) >= VMALLOC_MIN ||
154 -- __va(bank->start) < PAGE_OFFSET) {
155 -+ __va(bank->start) < (void *)PAGE_OFFSET) {
156 - printk(KERN_NOTICE "Ignoring RAM at %.8lx-%.8lx "
157 - "(vmalloc region overlap).\n",
158 - bank->start, bank->start + bank->size - 1);
159 -diff --git a/arch/sparc/include/asm/tlb_64.h b/arch/sparc/include/asm/tlb_64.h
160 -index ec81cde..0aaa086 100644
161 ---- a/arch/sparc/include/asm/tlb_64.h
162 -+++ b/arch/sparc/include/asm/tlb_64.h
163 -@@ -58,6 +58,8 @@ static inline struct mmu_gather *tlb_gather_mmu(struct mm_struct *mm, unsigned i
164 - static inline void tlb_flush_mmu(struct mmu_gather *mp)
165 - {
166 - if (mp->need_flush) {
167 -+ if (!mp->fullmm)
168 -+ flush_tlb_pending();
169 - free_pages_and_swap_cache(mp->pages, mp->pages_nr);
170 - mp->pages_nr = 0;
171 - mp->need_flush = 0;
172 -@@ -78,8 +80,6 @@ static inline void tlb_finish_mmu(struct mmu_gather *mp, unsigned long start, un
173 -
174 - if (mp->fullmm)
175 - mp->fullmm = 0;
176 -- else
177 -- flush_tlb_pending();
178 -
179 - /* keep the page table cache within bounds */
180 - check_pgt_cache();
181 -diff --git a/arch/sparc/kernel/nmi.c b/arch/sparc/kernel/nmi.c
182 -index f357722..2c0cc72 100644
183 ---- a/arch/sparc/kernel/nmi.c
184 -+++ b/arch/sparc/kernel/nmi.c
185 -@@ -13,6 +13,7 @@
186 - #include <linux/module.h>
187 - #include <linux/kprobes.h>
188 - #include <linux/kernel_stat.h>
189 -+#include <linux/reboot.h>
190 - #include <linux/slab.h>
191 - #include <linux/kdebug.h>
192 - #include <linux/delay.h>
193 -@@ -206,13 +207,33 @@ void nmi_adjust_hz(unsigned int new_hz)
194 - }
195 - EXPORT_SYMBOL_GPL(nmi_adjust_hz);
196 -
197 -+static int nmi_shutdown(struct notifier_block *nb, unsigned long cmd, void *p)
198 -+{
199 -+ on_each_cpu(stop_watchdog, NULL, 1);
200 -+ return 0;
201 -+}
202 -+
203 -+static struct notifier_block nmi_reboot_notifier = {
204 -+ .notifier_call = nmi_shutdown,
205 -+};
206 -+
207 - int __init nmi_init(void)
208 - {
209 -+ int err;
210 -+
211 - nmi_usable = 1;
212 -
213 - on_each_cpu(start_watchdog, NULL, 1);
214 -
215 -- return check_nmi_watchdog();
216 -+ err = check_nmi_watchdog();
217 -+ if (!err) {
218 -+ err = register_reboot_notifier(&nmi_reboot_notifier);
219 -+ if (err) {
220 -+ nmi_usable = 0;
221 -+ on_each_cpu(stop_watchdog, NULL, 1);
222 -+ }
223 -+ }
224 -+ return err;
225 - }
226 -
227 - static int __init setup_nmi_watchdog(char *str)
228 -diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
229 -index 6cd1a5b..79457f6 100644
230 ---- a/arch/sparc/kernel/smp_64.c
231 -+++ b/arch/sparc/kernel/smp_64.c
232 -@@ -1031,7 +1031,7 @@ void smp_fetch_global_regs(void)
233 - * If the address space is non-shared (ie. mm->count == 1) we avoid
234 - * cross calls when we want to flush the currently running process's
235 - * tlb state. This is done by clearing all cpu bits except the current
236 -- * processor's in current->active_mm->cpu_vm_mask and performing the
237 -+ * processor's in current->mm->cpu_vm_mask and performing the
238 - * flush locally only. This will force any subsequent cpus which run
239 - * this task to flush the context from the local tlb if the process
240 - * migrates to another cpu (again).
241 -@@ -1074,7 +1074,7 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long
242 - u32 ctx = CTX_HWBITS(mm->context);
243 - int cpu = get_cpu();
244 -
245 -- if (mm == current->active_mm && atomic_read(&mm->mm_users) == 1)
246 -+ if (mm == current->mm && atomic_read(&mm->mm_users) == 1)
247 - mm->cpu_vm_mask = cpumask_of_cpu(cpu);
248 - else
249 - smp_cross_call_masked(&xcall_flush_tlb_pending,
250 -diff --git a/arch/x86/kernel/check.c b/arch/x86/kernel/check.c
251 -index 2ac0ab7..a7a50b2 100644
252 ---- a/arch/x86/kernel/check.c
253 -+++ b/arch/x86/kernel/check.c
254 -@@ -86,12 +86,12 @@ void __init setup_bios_corruption_check(void)
255 - if (addr == 0)
256 - break;
257 -
258 -+ if (addr >= corruption_check_size)
259 -+ break;
260 -+
261 - if ((addr + size) > corruption_check_size)
262 - size = corruption_check_size - addr;
263 -
264 -- if (size == 0)
265 -- break;
266 --
267 - e820_update_range(addr, size, E820_RAM, E820_RESERVED);
268 - scan_areas[num_scan_areas].addr = addr;
269 - scan_areas[num_scan_areas].size = size;
270 -diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
271 -index 0c0a455..6f557e0 100644
272 ---- a/arch/x86/kernel/cpu/mtrr/generic.c
273 -+++ b/arch/x86/kernel/cpu/mtrr/generic.c
274 -@@ -41,6 +41,32 @@ static int __init mtrr_debug(char *opt)
275 - }
276 - early_param("mtrr.show", mtrr_debug);
277 -
278 -+/**
279 -+ * BIOS is expected to clear MtrrFixDramModEn bit, see for example
280 -+ * "BIOS and Kernel Developer's Guide for the AMD Athlon 64 and AMD
281 -+ * Opteron Processors" (26094 Rev. 3.30 February 2006), section
282 -+ * "13.2.1.2 SYSCFG Register": "The MtrrFixDramModEn bit should be set
283 -+ * to 1 during BIOS initalization of the fixed MTRRs, then cleared to
284 -+ * 0 for operation."
285 -+ */
286 -+static inline void k8_check_syscfg_dram_mod_en(void)
287 -+{
288 -+ u32 lo, hi;
289 -+
290 -+ if (!((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) &&
291 -+ (boot_cpu_data.x86 >= 0x0f)))
292 -+ return;
293 -+
294 -+ rdmsr(MSR_K8_SYSCFG, lo, hi);
295 -+ if (lo & K8_MTRRFIXRANGE_DRAM_MODIFY) {
296 -+ printk(KERN_ERR FW_WARN "MTRR: CPU %u: SYSCFG[MtrrFixDramModEn]"
297 -+ " not cleared by BIOS, clearing this bit\n",
298 -+ smp_processor_id());
299 -+ lo &= ~K8_MTRRFIXRANGE_DRAM_MODIFY;
300 -+ mtrr_wrmsr(MSR_K8_SYSCFG, lo, hi);
301 -+ }
302 -+}
303 -+
304 - /*
305 - * Returns the effective MTRR type for the region
306 - * Error returns:
307 -@@ -174,6 +200,8 @@ get_fixed_ranges(mtrr_type * frs)
308 - unsigned int *p = (unsigned int *) frs;
309 - int i;
310 -
311 -+ k8_check_syscfg_dram_mod_en();
312 -+
313 - rdmsr(MTRRfix64K_00000_MSR, p[0], p[1]);
314 -
315 - for (i = 0; i < 2; i++)
316 -@@ -308,27 +336,10 @@ void mtrr_wrmsr(unsigned msr, unsigned a, unsigned b)
317 - }
318 -
319 - /**
320 -- * Enable and allow read/write of extended fixed-range MTRR bits on K8 CPUs
321 -- * see AMD publication no. 24593, chapter 3.2.1 for more information
322 -- */
323 --static inline void k8_enable_fixed_iorrs(void)
324 --{
325 -- unsigned lo, hi;
326 --
327 -- rdmsr(MSR_K8_SYSCFG, lo, hi);
328 -- mtrr_wrmsr(MSR_K8_SYSCFG, lo
329 -- | K8_MTRRFIXRANGE_DRAM_ENABLE
330 -- | K8_MTRRFIXRANGE_DRAM_MODIFY, hi);
331 --}
332 --
333 --/**
334 - * set_fixed_range - checks & updates a fixed-range MTRR if it differs from the value it should have
335 - * @msr: MSR address of the MTTR which should be checked and updated
336 - * @changed: pointer which indicates whether the MTRR needed to be changed
337 - * @msrwords: pointer to the MSR values which the MSR should have
338 -- *
339 -- * If K8 extentions are wanted, update the K8 SYSCFG MSR also.
340 -- * See AMD publication no. 24593, chapter 7.8.1, page 233 for more information.
341 - */
342 - static void set_fixed_range(int msr, bool *changed, unsigned int *msrwords)
343 - {
344 -@@ -337,10 +348,6 @@ static void set_fixed_range(int msr, bool *changed, unsigned int *msrwords)
345 - rdmsr(msr, lo, hi);
346 -
347 - if (lo != msrwords[0] || hi != msrwords[1]) {
348 -- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
349 -- (boot_cpu_data.x86 >= 0x0f && boot_cpu_data.x86 <= 0x11) &&
350 -- ((msrwords[0] | msrwords[1]) & K8_MTRR_RDMEM_WRMEM_MASK))
351 -- k8_enable_fixed_iorrs();
352 - mtrr_wrmsr(msr, msrwords[0], msrwords[1]);
353 - *changed = true;
354 - }
355 -@@ -419,6 +426,8 @@ static int set_fixed_ranges(mtrr_type * frs)
356 - bool changed = false;
357 - int block=-1, range;
358 -
359 -+ k8_check_syscfg_dram_mod_en();
360 -+
361 - while (fixed_range_blocks[++block].ranges)
362 - for (range=0; range < fixed_range_blocks[block].ranges; range++)
363 - set_fixed_range(fixed_range_blocks[block].base_msr + range,
364 -diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
365 -index 06ca07f..f7d38d6 100644
366 ---- a/arch/x86/kernel/ptrace.c
367 -+++ b/arch/x86/kernel/ptrace.c
368 -@@ -690,9 +690,8 @@ static int ptrace_bts_config(struct task_struct *child,
369 - if (!cfg.signal)
370 - return -EINVAL;
371 -
372 -- return -EOPNOTSUPP;
373 --
374 - child->thread.bts_ovfl_signal = cfg.signal;
375 -+ return -EOPNOTSUPP;
376 - }
377 -
378 - if ((cfg.flags & PTRACE_BTS_O_ALLOC) &&
379 -diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c
380 -index 6812b82..16e505a 100644
381 ---- a/arch/x86/kernel/tlb_uv.c
382 -+++ b/arch/x86/kernel/tlb_uv.c
383 -@@ -742,7 +742,7 @@ static int __init uv_bau_init(void)
384 - int node;
385 - int nblades;
386 - int last_blade;
387 -- int cur_cpu = 0;
388 -+ int cur_cpu;
389 -
390 - if (!is_uv_system())
391 - return 0;
392 -@@ -752,6 +752,7 @@ static int __init uv_bau_init(void)
393 - uv_mmask = (1UL << uv_hub_info->n_val) - 1;
394 - nblades = 0;
395 - last_blade = -1;
396 -+ cur_cpu = 0;
397 - for_each_online_node(node) {
398 - blade = uv_node_to_blade_id(node);
399 - if (blade == last_blade)
400 -diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
401 -index 9fd78b6..c95a67d 100644
402 ---- a/arch/x86/kvm/paging_tmpl.h
403 -+++ b/arch/x86/kvm/paging_tmpl.h
404 -@@ -314,9 +314,9 @@ static int FNAME(shadow_walk_entry)(struct kvm_shadow_walk *_sw,
405 - return 0;
406 -
407 - if (is_large_pte(*sptep)) {
408 -+ rmap_remove(vcpu->kvm, sptep);
409 - set_shadow_pte(sptep, shadow_trap_nonpresent_pte);
410 - kvm_flush_remote_tlbs(vcpu->kvm);
411 -- rmap_remove(vcpu->kvm, sptep);
412 - }
413 -
414 - if (level == PT_DIRECTORY_LEVEL && gw->level == PT_DIRECTORY_LEVEL) {
415 -diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
416 -index a9e769e..da56821 100644
417 ---- a/arch/x86/kvm/svm.c
418 -+++ b/arch/x86/kvm/svm.c
419 -@@ -760,20 +760,37 @@ static void svm_get_segment(struct kvm_vcpu *vcpu,
420 - var->db = (s->attrib >> SVM_SELECTOR_DB_SHIFT) & 1;
421 - var->g = (s->attrib >> SVM_SELECTOR_G_SHIFT) & 1;
422 -
423 -- /*
424 -- * SVM always stores 0 for the 'G' bit in the CS selector in
425 -- * the VMCB on a VMEXIT. This hurts cross-vendor migration:
426 -- * Intel's VMENTRY has a check on the 'G' bit.
427 -- */
428 -- if (seg == VCPU_SREG_CS)
429 -+ switch (seg) {
430 -+ case VCPU_SREG_CS:
431 -+ /*
432 -+ * SVM always stores 0 for the 'G' bit in the CS selector in
433 -+ * the VMCB on a VMEXIT. This hurts cross-vendor migration:
434 -+ * Intel's VMENTRY has a check on the 'G' bit.
435 -+ */
436 - var->g = s->limit > 0xfffff;
437 --
438 -- /*
439 -- * Work around a bug where the busy flag in the tr selector
440 -- * isn't exposed
441 -- */
442 -- if (seg == VCPU_SREG_TR)
443 -+ break;
444 -+ case VCPU_SREG_TR:
445 -+ /*
446 -+ * Work around a bug where the busy flag in the tr selector
447 -+ * isn't exposed
448 -+ */
449 - var->type |= 0x2;
450 -+ break;
451 -+ case VCPU_SREG_DS:
452 -+ case VCPU_SREG_ES:
453 -+ case VCPU_SREG_FS:
454 -+ case VCPU_SREG_GS:
455 -+ /*
456 -+ * The accessed bit must always be set in the segment
457 -+ * descriptor cache, although it can be cleared in the
458 -+ * descriptor, the cached bit always remains at 1. Since
459 -+ * Intel has a check on this, set it here to support
460 -+ * cross-vendor migration.
461 -+ */
462 -+ if (!var->unusable)
463 -+ var->type |= 0x1;
464 -+ break;
465 -+ }
466 -
467 - var->unusable = !var->present;
468 - }
469 -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
470 -index 7611af5..90de444 100644
471 ---- a/arch/x86/kvm/vmx.c
472 -+++ b/arch/x86/kvm/vmx.c
473 -@@ -928,11 +928,11 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
474 - int ret = 0;
475 -
476 - switch (msr_index) {
477 --#ifdef CONFIG_X86_64
478 - case MSR_EFER:
479 - vmx_load_host_state(vmx);
480 - ret = kvm_set_msr_common(vcpu, msr_index, data);
481 - break;
482 -+#ifdef CONFIG_X86_64
483 - case MSR_FS_BASE:
484 - vmcs_writel(GUEST_FS_BASE, data);
485 - break;
486 -diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
487 -index 960a8d9..4175cb4 100644
488 ---- a/arch/x86/lguest/boot.c
489 -+++ b/arch/x86/lguest/boot.c
490 -@@ -485,11 +485,17 @@ static void lguest_write_cr4(unsigned long val)
491 - * into a process' address space. We set the entry then tell the Host the
492 - * toplevel and address this corresponds to. The Guest uses one pagetable per
493 - * process, so we need to tell the Host which one we're changing (mm->pgd). */
494 -+static void lguest_pte_update(struct mm_struct *mm, unsigned long addr,
495 -+ pte_t *ptep)
496 -+{
497 -+ lazy_hcall(LHCALL_SET_PTE, __pa(mm->pgd), addr, ptep->pte_low);
498 -+}
499 -+
500 - static void lguest_set_pte_at(struct mm_struct *mm, unsigned long addr,
501 - pte_t *ptep, pte_t pteval)
502 - {
503 - *ptep = pteval;
504 -- lazy_hcall(LHCALL_SET_PTE, __pa(mm->pgd), addr, pteval.pte_low);
505 -+ lguest_pte_update(mm, addr, ptep);
506 - }
507 -
508 - /* The Guest calls this to set a top-level entry. Again, we set the entry then
509 -@@ -1034,6 +1040,8 @@ __init void lguest_init(void)
510 - pv_mmu_ops.read_cr3 = lguest_read_cr3;
511 - pv_mmu_ops.lazy_mode.enter = paravirt_enter_lazy_mmu;
512 - pv_mmu_ops.lazy_mode.leave = lguest_leave_lazy_mode;
513 -+ pv_mmu_ops.pte_update = lguest_pte_update;
514 -+ pv_mmu_ops.pte_update_defer = lguest_pte_update;
515 -
516 - #ifdef CONFIG_X86_LOCAL_APIC
517 - /* apic read/write intercepts */
518 -diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
519 -index e0ab173..21bc1f7 100644
520 ---- a/arch/x86/mm/pat.c
521 -+++ b/arch/x86/mm/pat.c
522 -@@ -641,10 +641,11 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
523 - is_ram = pat_pagerange_is_ram(paddr, paddr + size);
524 -
525 - /*
526 -- * reserve_pfn_range() doesn't support RAM pages.
527 -+ * reserve_pfn_range() doesn't support RAM pages. Maintain the current
528 -+ * behavior with RAM pages by returning success.
529 - */
530 - if (is_ram != 0)
531 -- return -EINVAL;
532 -+ return 0;
533 -
534 - ret = reserve_memtype(paddr, paddr + size, want_flags, &flags);
535 - if (ret)
536 -diff --git a/arch/x86/pci/i386.c b/arch/x86/pci/i386.c
537 -index 5ead808..f234a37 100644
538 ---- a/arch/x86/pci/i386.c
539 -+++ b/arch/x86/pci/i386.c
540 -@@ -319,6 +319,9 @@ int pci_mmap_page_range(struct pci_dev *dev, struct vm_area_struct *vma,
541 - return -EINVAL;
542 - }
543 - flags = new_flags;
544 -+ vma->vm_page_prot = __pgprot(
545 -+ (pgprot_val(vma->vm_page_prot) & ~_PAGE_CACHE_MASK) |
546 -+ flags);
547 - }
548 -
549 - if (((vma->vm_pgoff < max_low_pfn_mapped) ||
550 -diff --git a/drivers/char/raw.c b/drivers/char/raw.c
551 -index 96adf28..20d90e6 100644
552 ---- a/drivers/char/raw.c
553 -+++ b/drivers/char/raw.c
554 -@@ -90,6 +90,7 @@ out1:
555 - blkdev_put(bdev, filp->f_mode);
556 - out:
557 - mutex_unlock(&raw_mutex);
558 -+ unlock_kernel();
559 - return err;
560 - }
561 -
562 -diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
563 -index 576a831..82ff484 100644
564 ---- a/drivers/lguest/page_tables.c
565 -+++ b/drivers/lguest/page_tables.c
566 -@@ -373,8 +373,10 @@ unsigned long guest_pa(struct lg_cpu *cpu, unsigned long vaddr)
567 - /* First step: get the top-level Guest page table entry. */
568 - gpgd = lgread(cpu, gpgd_addr(cpu, vaddr), pgd_t);
569 - /* Toplevel not present? We can't map it in. */
570 -- if (!(pgd_flags(gpgd) & _PAGE_PRESENT))
571 -+ if (!(pgd_flags(gpgd) & _PAGE_PRESENT)) {
572 - kill_guest(cpu, "Bad address %#lx", vaddr);
573 -+ return -1UL;
574 -+ }
575 -
576 - gpte = lgread(cpu, gpte_addr(gpgd, vaddr), pte_t);
577 - if (!(pte_flags(gpte) & _PAGE_PRESENT))
578 -diff --git a/drivers/media/dvb/firewire/firedtv-avc.c b/drivers/media/dvb/firewire/firedtv-avc.c
579 -index b55d9cc..adc2ce9 100644
580 ---- a/drivers/media/dvb/firewire/firedtv-avc.c
581 -+++ b/drivers/media/dvb/firewire/firedtv-avc.c
582 -@@ -135,6 +135,7 @@ static const char *debug_fcp_opcode(unsigned int opcode,
583 - case SFE_VENDOR_OPCODE_REGISTER_REMOTE_CONTROL: return "RegisterRC";
584 - case SFE_VENDOR_OPCODE_LNB_CONTROL: return "LNBControl";
585 - case SFE_VENDOR_OPCODE_TUNE_QPSK: return "TuneQPSK";
586 -+ case SFE_VENDOR_OPCODE_TUNE_QPSK2: return "TuneQPSK2";
587 - case SFE_VENDOR_OPCODE_HOST2CA: return "Host2CA";
588 - case SFE_VENDOR_OPCODE_CA2HOST: return "CA2Host";
589 - }
590 -@@ -266,7 +267,10 @@ static void avc_tuner_tuneqpsk(struct firedtv *fdtv,
591 - c->operand[0] = SFE_VENDOR_DE_COMPANYID_0;
592 - c->operand[1] = SFE_VENDOR_DE_COMPANYID_1;
593 - c->operand[2] = SFE_VENDOR_DE_COMPANYID_2;
594 -- c->operand[3] = SFE_VENDOR_OPCODE_TUNE_QPSK;
595 -+ if (fdtv->type == FIREDTV_DVB_S2)
596 -+ c->operand[3] = SFE_VENDOR_OPCODE_TUNE_QPSK2;
597 -+ else
598 -+ c->operand[3] = SFE_VENDOR_OPCODE_TUNE_QPSK;
599 -
600 - c->operand[4] = (params->frequency >> 24) & 0xff;
601 - c->operand[5] = (params->frequency >> 16) & 0xff;
602 -diff --git a/drivers/media/video/v4l2-common.c b/drivers/media/video/v4l2-common.c
603 -index b8f2be8..907cd02 100644
604 ---- a/drivers/media/video/v4l2-common.c
605 -+++ b/drivers/media/video/v4l2-common.c
606 -@@ -910,10 +910,10 @@ struct v4l2_subdev *v4l2_i2c_new_subdev(struct i2c_adapter *adapter,
607 - struct i2c_board_info info;
608 -
609 - BUG_ON(!dev);
610 --#ifdef MODULE
611 -+
612 - if (module_name)
613 - request_module(module_name);
614 --#endif
615 -+
616 - /* Setup the i2c board info with the device type and
617 - the device address. */
618 - memset(&info, 0, sizeof(info));
619 -@@ -958,10 +958,10 @@ struct v4l2_subdev *v4l2_i2c_new_probed_subdev(struct i2c_adapter *adapter,
620 - struct i2c_board_info info;
621 -
622 - BUG_ON(!dev);
623 --#ifdef MODULE
624 -+
625 - if (module_name)
626 - request_module(module_name);
627 --#endif
628 -+
629 - /* Setup the i2c board info with the device type and
630 - the device address. */
631 - memset(&info, 0, sizeof(info));
632 -diff --git a/drivers/net/dnet.c b/drivers/net/dnet.c
633 -index 1b40632..edf23c9 100644
634 ---- a/drivers/net/dnet.c
635 -+++ b/drivers/net/dnet.c
636 -@@ -9,6 +9,7 @@
637 - * published by the Free Software Foundation.
638 - */
639 - #include <linux/version.h>
640 -+#include <linux/io.h>
641 - #include <linux/module.h>
642 - #include <linux/moduleparam.h>
643 - #include <linux/kernel.h>
644 -diff --git a/drivers/net/wireless/ath5k/base.c b/drivers/net/wireless/ath5k/base.c
645 -index 1d77ee9..6cf69d3 100644
646 ---- a/drivers/net/wireless/ath5k/base.c
647 -+++ b/drivers/net/wireless/ath5k/base.c
648 -@@ -1090,8 +1090,18 @@ ath5k_mode_setup(struct ath5k_softc *sc)
649 - static inline int
650 - ath5k_hw_to_driver_rix(struct ath5k_softc *sc, int hw_rix)
651 - {
652 -- WARN_ON(hw_rix < 0 || hw_rix > AR5K_MAX_RATES);
653 -- return sc->rate_idx[sc->curband->band][hw_rix];
654 -+ int rix;
655 -+
656 -+ /* return base rate on errors */
657 -+ if (WARN(hw_rix < 0 || hw_rix >= AR5K_MAX_RATES,
658 -+ "hw_rix out of bounds: %x\n", hw_rix))
659 -+ return 0;
660 -+
661 -+ rix = sc->rate_idx[sc->curband->band][hw_rix];
662 -+ if (WARN(rix < 0, "invalid hw_rix: %x\n", hw_rix))
663 -+ rix = 0;
664 -+
665 -+ return rix;
666 - }
667 -
668 - /***************\
669 -@@ -1668,7 +1678,6 @@ ath5k_check_ibss_tsf(struct ath5k_softc *sc, struct sk_buff *skb,
670 - }
671 - }
672 -
673 --
674 - static void
675 - ath5k_tasklet_rx(unsigned long data)
676 - {
677 -@@ -2188,6 +2197,7 @@ static void
678 - ath5k_beacon_config(struct ath5k_softc *sc)
679 - {
680 - struct ath5k_hw *ah = sc->ah;
681 -+ unsigned long flags;
682 -
683 - ath5k_hw_set_imr(ah, 0);
684 - sc->bmisscount = 0;
685 -@@ -2211,9 +2221,9 @@ ath5k_beacon_config(struct ath5k_softc *sc)
686 -
687 - if (sc->opmode == NL80211_IFTYPE_ADHOC) {
688 - if (ath5k_hw_hasveol(ah)) {
689 -- spin_lock(&sc->block);
690 -+ spin_lock_irqsave(&sc->block, flags);
691 - ath5k_beacon_send(sc);
692 -- spin_unlock(&sc->block);
693 -+ spin_unlock_irqrestore(&sc->block, flags);
694 - }
695 - } else
696 - ath5k_beacon_update_timers(sc, -1);
697 -@@ -2259,7 +2269,7 @@ ath5k_init(struct ath5k_softc *sc, bool is_resume)
698 - sc->curband = &sc->sbands[sc->curchan->band];
699 - sc->imask = AR5K_INT_RXOK | AR5K_INT_RXERR | AR5K_INT_RXEOL |
700 - AR5K_INT_RXORN | AR5K_INT_TXDESC | AR5K_INT_TXEOL |
701 -- AR5K_INT_FATAL | AR5K_INT_GLOBAL | AR5K_INT_MIB;
702 -+ AR5K_INT_FATAL | AR5K_INT_GLOBAL;
703 - ret = ath5k_reset(sc, false, false);
704 - if (ret)
705 - goto done;
706 -diff --git a/drivers/net/wireless/ath5k/base.h b/drivers/net/wireless/ath5k/base.h
707 -index facc60d..d86ab39 100644
708 ---- a/drivers/net/wireless/ath5k/base.h
709 -+++ b/drivers/net/wireless/ath5k/base.h
710 -@@ -112,7 +112,7 @@ struct ath5k_softc {
711 - struct ieee80211_supported_band sbands[IEEE80211_NUM_BANDS];
712 - struct ieee80211_channel channels[ATH_CHAN_MAX];
713 - struct ieee80211_rate rates[IEEE80211_NUM_BANDS][AR5K_MAX_RATES];
714 -- u8 rate_idx[IEEE80211_NUM_BANDS][AR5K_MAX_RATES];
715 -+ s8 rate_idx[IEEE80211_NUM_BANDS][AR5K_MAX_RATES];
716 - enum nl80211_iftype opmode;
717 - struct ath5k_hw *ah; /* Atheros HW */
718 -
719 -diff --git a/drivers/net/wireless/ath9k/recv.c b/drivers/net/wireless/ath9k/recv.c
720 -index 462e08c..c114cb7 100644
721 ---- a/drivers/net/wireless/ath9k/recv.c
722 -+++ b/drivers/net/wireless/ath9k/recv.c
723 -@@ -322,8 +322,13 @@ void ath_rx_cleanup(struct ath_softc *sc)
724 -
725 - list_for_each_entry(bf, &sc->rx.rxbuf, list) {
726 - skb = bf->bf_mpdu;
727 -- if (skb)
728 -+ if (skb) {
729 -+ pci_unmap_single(sc->pdev,
730 -+ bf->bf_buf_addr,
731 -+ sc->rx.bufsize,
732 -+ DMA_FROM_DEVICE);
733 - dev_kfree_skb(skb);
734 -+ }
735 - }
736 -
737 - if (sc->rx.rxdma.dd_desc_len != 0)
738 -diff --git a/drivers/net/wireless/ath9k/xmit.c b/drivers/net/wireless/ath9k/xmit.c
739 -index c92f0c6..80af54e 100644
740 ---- a/drivers/net/wireless/ath9k/xmit.c
741 -+++ b/drivers/net/wireless/ath9k/xmit.c
742 -@@ -2035,7 +2035,7 @@ struct ath_txq *ath_test_get_txq(struct ath_softc *sc, struct sk_buff *skb)
743 -
744 - /* Try to avoid running out of descriptors */
745 - if (txq->axq_depth >= (ATH_TXBUF - 20)) {
746 -- DPRINTF(sc, ATH_DBG_FATAL,
747 -+ DPRINTF(sc, ATH_DBG_XMIT,
748 - "TX queue: %d is full, depth: %d\n",
749 - qnum, txq->axq_depth);
750 - ieee80211_stop_queue(sc->hw, skb_get_queue_mapping(skb));
751 -diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c
752 -index eae9b80..12069e5 100644
753 ---- a/drivers/net/wireless/b43/xmit.c
754 -+++ b/drivers/net/wireless/b43/xmit.c
755 -@@ -50,7 +50,7 @@ static int b43_plcp_get_bitrate_idx_cck(struct b43_plcp_hdr6 *plcp)
756 - }
757 -
758 - /* Extract the bitrate index out of an OFDM PLCP header. */
759 --static u8 b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy)
760 -+static int b43_plcp_get_bitrate_idx_ofdm(struct b43_plcp_hdr6 *plcp, bool aphy)
761 - {
762 - int base = aphy ? 0 : 4;
763 -
764 -diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c
765 -index 68a6412..ed502b7 100644
766 ---- a/drivers/scsi/arm/cumana_2.c
767 -+++ b/drivers/scsi/arm/cumana_2.c
768 -@@ -318,7 +318,7 @@ cumanascsi_2_set_proc_info(struct Scsi_Host *host, char *buffer, int length)
769 - {
770 - int ret = length;
771 -
772 -- if (length >= 11 && strcmp(buffer, "CUMANASCSI2") == 0) {
773 -+ if (length >= 11 && strncmp(buffer, "CUMANASCSI2", 11) == 0) {
774 - buffer += 11;
775 - length -= 11;
776 -
777 -diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
778 -index 49e7f56..3922fa9 100644
779 ---- a/drivers/usb/core/message.c
780 -+++ b/drivers/usb/core/message.c
781 -@@ -1719,7 +1719,8 @@ free_interfaces:
782 - }
783 - kfree(new_interfaces);
784 -
785 -- if (cp->string == NULL)
786 -+ if (cp->string == NULL &&
787 -+ !(dev->quirks & USB_QUIRK_CONFIG_INTF_STRINGS))
788 - cp->string = usb_cache_string(dev, cp->desc.iConfiguration);
789 -
790 - /* Now that all the interfaces are set up, register them
791 -diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
792 -index c070b34..ab93918 100644
793 ---- a/drivers/usb/core/quirks.c
794 -+++ b/drivers/usb/core/quirks.c
795 -@@ -54,6 +54,10 @@ static const struct usb_device_id usb_quirk_list[] = {
796 - { USB_DEVICE(0x0638, 0x0a13), .driver_info =
797 - USB_QUIRK_STRING_FETCH_255 },
798 -
799 -+ /* Saitek Cyborg Gold Joystick */
800 -+ { USB_DEVICE(0x06a3, 0x0006), .driver_info =
801 -+ USB_QUIRK_CONFIG_INTF_STRINGS },
802 -+
803 - /* M-Systems Flash Disk Pioneers */
804 - { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
805 -
806 -diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
807 -index 4cc2456..c667891 100644
808 ---- a/drivers/usb/core/sysfs.c
809 -+++ b/drivers/usb/core/sysfs.c
810 -@@ -13,6 +13,7 @@
811 - #include <linux/kernel.h>
812 - #include <linux/string.h>
813 - #include <linux/usb.h>
814 -+#include <linux/usb/quirks.h>
815 - #include "usb.h"
816 -
817 - /* Active configuration fields */
818 -@@ -813,7 +814,8 @@ int usb_create_sysfs_intf_files(struct usb_interface *intf)
819 - if (intf->sysfs_files_created || intf->unregistering)
820 - return 0;
821 -
822 -- if (alt->string == NULL)
823 -+ if (alt->string == NULL &&
824 -+ !(udev->quirks & USB_QUIRK_CONFIG_INTF_STRINGS))
825 - alt->string = usb_cache_string(udev, alt->desc.iInterface);
826 - if (alt->string)
827 - retval = device_create_file(&intf->dev, &dev_attr_interface);
828 -diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
829 -index 3a8bb53..fd7b356 100644
830 ---- a/drivers/usb/gadget/f_rndis.c
831 -+++ b/drivers/usb/gadget/f_rndis.c
832 -@@ -437,7 +437,7 @@ invalid:
833 - DBG(cdev, "rndis req%02x.%02x v%04x i%04x l%d\n",
834 - ctrl->bRequestType, ctrl->bRequest,
835 - w_value, w_index, w_length);
836 -- req->zero = 0;
837 -+ req->zero = (value < w_length);
838 - req->length = value;
839 - value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
840 - if (value < 0)
841 -diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
842 -index ecc9b66..01132ac 100644
843 ---- a/drivers/usb/host/ehci-q.c
844 -+++ b/drivers/usb/host/ehci-q.c
845 -@@ -333,12 +333,40 @@ qh_completions (struct ehci_hcd *ehci, struct ehci_qh *qh)
846 - token = hc32_to_cpu(ehci, qtd->hw_token);
847 -
848 - /* always clean up qtds the hc de-activated */
849 -+ retry_xacterr:
850 - if ((token & QTD_STS_ACTIVE) == 0) {
851 -
852 - /* on STALL, error, and short reads this urb must
853 - * complete and all its qtds must be recycled.
854 - */
855 - if ((token & QTD_STS_HALT) != 0) {
856 -+
857 -+ /* retry transaction errors until we
858 -+ * reach the software xacterr limit
859 -+ */
860 -+ if ((token & QTD_STS_XACT) &&
861 -+ QTD_CERR(token) == 0 &&
862 -+ --qh->xacterrs > 0 &&
863 -+ !urb->unlinked) {
864 -+ ehci_dbg(ehci,
865 -+ "detected XactErr len %d/%d retry %d\n",
866 -+ qtd->length - QTD_LENGTH(token), qtd->length,
867 -+ QH_XACTERR_MAX - qh->xacterrs);
868 -+
869 -+ /* reset the token in the qtd and the
870 -+ * qh overlay (which still contains
871 -+ * the qtd) so that we pick up from
872 -+ * where we left off
873 -+ */
874 -+ token &= ~QTD_STS_HALT;
875 -+ token |= QTD_STS_ACTIVE |
876 -+ (EHCI_TUNE_CERR << 10);
877 -+ qtd->hw_token = cpu_to_hc32(ehci,
878 -+ token);
879 -+ wmb();
880 -+ qh->hw_token = cpu_to_hc32(ehci, token);
881 -+ goto retry_xacterr;
882 -+ }
883 - stopped = 1;
884 -
885 - /* magic dummy for some short reads; qh won't advance.
886 -@@ -421,6 +449,9 @@ halt:
887 - /* remove qtd; it's recycled after possible urb completion */
888 - list_del (&qtd->qtd_list);
889 - last = qtd;
890 -+
891 -+ /* reinit the xacterr counter for the next qtd */
892 -+ qh->xacterrs = QH_XACTERR_MAX;
893 - }
894 -
895 - /* last urb's completion might still need calling */
896 -@@ -862,6 +893,7 @@ static void qh_link_async (struct ehci_hcd *ehci, struct ehci_qh *qh)
897 - head->qh_next.qh = qh;
898 - head->hw_next = dma;
899 -
900 -+ qh->xacterrs = QH_XACTERR_MAX;
901 - qh->qh_state = QH_STATE_LINKED;
902 - /* qtd completions reported later by interrupt */
903 - }
904 -diff --git a/drivers/usb/host/ehci.h b/drivers/usb/host/ehci.h
905 -index 262b00c..c7385f2 100644
906 ---- a/drivers/usb/host/ehci.h
907 -+++ b/drivers/usb/host/ehci.h
908 -@@ -376,6 +376,9 @@ struct ehci_qh {
909 - #define QH_STATE_UNLINK_WAIT 4 /* LINKED and on reclaim q */
910 - #define QH_STATE_COMPLETING 5 /* don't touch token.HALT */
911 -
912 -+ u8 xacterrs; /* XactErr retry counter */
913 -+#define QH_XACTERR_MAX 32 /* XactErr retry limit */
914 -+
915 - /* periodic schedule info */
916 - u8 usecs; /* intr bandwidth */
917 - u8 gap_uf; /* uframes split/csplit gap */
918 -diff --git a/drivers/usb/storage/cypress_atacb.c b/drivers/usb/storage/cypress_atacb.c
919 -index 898e67d..9466a99 100644
920 ---- a/drivers/usb/storage/cypress_atacb.c
921 -+++ b/drivers/usb/storage/cypress_atacb.c
922 -@@ -133,19 +133,18 @@ void cypress_atacb_passthrough(struct scsi_cmnd *srb, struct us_data *us)
923 -
924 - /* build the command for
925 - * reading the ATA registers */
926 -- scsi_eh_prep_cmnd(srb, &ses, NULL, 0, 0);
927 -- srb->sdb.length = sizeof(regs);
928 -- sg_init_one(&ses.sense_sgl, regs, srb->sdb.length);
929 -- srb->sdb.table.sgl = &ses.sense_sgl;
930 -- srb->sc_data_direction = DMA_FROM_DEVICE;
931 -- srb->sdb.table.nents = 1;
932 -+ scsi_eh_prep_cmnd(srb, &ses, NULL, 0, sizeof(regs));
933 -+
934 - /* we use the same command as before, but we set
935 - * the read taskfile bit, for not executing atacb command,
936 - * but reading register selected in srb->cmnd[4]
937 - */
938 -+ srb->cmd_len = 16;
939 -+ srb->cmnd = ses.cmnd;
940 - srb->cmnd[2] = 1;
941 -
942 - usb_stor_transparent_scsi_command(srb, us);
943 -+ memcpy(regs, srb->sense_buffer, sizeof(regs));
944 - tmp_result = srb->result;
945 - scsi_eh_restore_cmnd(srb, &ses);
946 - /* we fail to get registers, report invalid command */
947 -@@ -162,8 +161,8 @@ void cypress_atacb_passthrough(struct scsi_cmnd *srb, struct us_data *us)
948 -
949 - /* XXX we should generate sk, asc, ascq from status and error
950 - * regs
951 -- * (see 11.1 Error translation ­ ATA device error to SCSI error map)
952 -- * and ata_to_sense_error from libata.
953 -+ * (see 11.1 Error translation ATA device error to SCSI error
954 -+ * map, and ata_to_sense_error from libata.)
955 - */
956 -
957 - /* Sense data is current and format is descriptor. */
958 -diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
959 -index 727c506..ed710bc 100644
960 ---- a/drivers/usb/storage/scsiglue.c
961 -+++ b/drivers/usb/storage/scsiglue.c
962 -@@ -135,6 +135,12 @@ static int slave_configure(struct scsi_device *sdev)
963 - if (sdev->request_queue->max_sectors > max_sectors)
964 - blk_queue_max_sectors(sdev->request_queue,
965 - max_sectors);
966 -+ } else if (sdev->type == TYPE_TAPE) {
967 -+ /* Tapes need much higher max_sector limits, so just
968 -+ * raise it to the maximum possible (4 GB / 512) and
969 -+ * let the queue segment size sort out the real limit.
970 -+ */
971 -+ blk_queue_max_sectors(sdev->request_queue, 0x7FFFFF);
972 - }
973 -
974 - /* Some USB host controllers can't do DMA; they have to use PIO.
975 -diff --git a/drivers/video/pxafb.c b/drivers/video/pxafb.c
976 -index 2552b9f..642c1d4 100644
977 ---- a/drivers/video/pxafb.c
978 -+++ b/drivers/video/pxafb.c
979 -@@ -883,10 +883,21 @@ static void __devinit init_pxafb_overlay(struct pxafb_info *fbi,
980 - init_completion(&ofb->branch_done);
981 - }
982 -
983 -+static inline int pxafb_overlay_supported(void)
984 -+{
985 -+ if (cpu_is_pxa27x() || cpu_is_pxa3xx())
986 -+ return 1;
987 -+
988 -+ return 0;
989 -+}
990 -+
991 - static int __devinit pxafb_overlay_init(struct pxafb_info *fbi)
992 - {
993 - int i, ret;
994 -
995 -+ if (!pxafb_overlay_supported())
996 -+ return 0;
997 -+
998 - for (i = 0; i < 2; i++) {
999 - init_pxafb_overlay(fbi, &fbi->overlay[i], i);
1000 - ret = register_framebuffer(&fbi->overlay[i].fb);
1001 -@@ -909,6 +920,9 @@ static void __devexit pxafb_overlay_exit(struct pxafb_info *fbi)
1002 - {
1003 - int i;
1004 -
1005 -+ if (!pxafb_overlay_supported())
1006 -+ return;
1007 -+
1008 - for (i = 0; i < 2; i++)
1009 - unregister_framebuffer(&fbi->overlay[i].fb);
1010 - }
1011 -diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES
1012 -index 851388f..6562eb0 100644
1013 ---- a/fs/cifs/CHANGES
1014 -+++ b/fs/cifs/CHANGES
1015 -@@ -7,6 +7,9 @@ are authenticated as guest, as reconnections, invalidating the earlier
1016 - user's smb session. This fix allows cifs to mount multiple times to the
1017 - same server with different userids without risking invalidating earlier
1018 - established security contexts.
1019 -+Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too
1020 -+little memory for the "nativeFileSystem" field returned by the server
1021 -+during mount).
1022 -
1023 - Version 1.56
1024 - ------------
1025 -diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
1026 -index 939e2f7..71ae000 100644
1027 ---- a/fs/cifs/cifssmb.c
1028 -+++ b/fs/cifs/cifssmb.c
1029 -@@ -2356,8 +2356,10 @@ winCreateHardLinkRetry:
1030 - PATH_MAX, nls_codepage, remap);
1031 - name_len++; /* trailing null */
1032 - name_len *= 2;
1033 -- pSMB->OldFileName[name_len] = 0; /* pad */
1034 -- pSMB->OldFileName[name_len + 1] = 0x04;
1035 -+
1036 -+ /* protocol specifies ASCII buffer format (0x04) for unicode */
1037 -+ pSMB->OldFileName[name_len] = 0x04;
1038 -+ pSMB->OldFileName[name_len + 1] = 0x00; /* pad */
1039 - name_len2 =
1040 - cifsConvertToUCS((__le16 *)&pSMB->OldFileName[name_len + 2],
1041 - toName, PATH_MAX, nls_codepage, remap);
1042 -diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
1043 -index da0f4ff..4b64f39 100644
1044 ---- a/fs/cifs/connect.c
1045 -+++ b/fs/cifs/connect.c
1046 -@@ -3667,7 +3667,7 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
1047 - BCC(smb_buffer_response)) {
1048 - kfree(tcon->nativeFileSystem);
1049 - tcon->nativeFileSystem =
1050 -- kzalloc(length + 2, GFP_KERNEL);
1051 -+ kzalloc(2*(length + 1), GFP_KERNEL);
1052 - if (tcon->nativeFileSystem)
1053 - cifs_strfromUCS_le(
1054 - tcon->nativeFileSystem,
1055 -diff --git a/fs/fuse/file.c b/fs/fuse/file.c
1056 -index d9fdb7c..821d10f 100644
1057 ---- a/fs/fuse/file.c
1058 -+++ b/fs/fuse/file.c
1059 -@@ -1465,7 +1465,7 @@ static loff_t fuse_file_llseek(struct file *file, loff_t offset, int origin)
1060 - case SEEK_END:
1061 - retval = fuse_update_attributes(inode, NULL, file, NULL);
1062 - if (retval)
1063 -- return retval;
1064 -+ goto exit;
1065 - offset += i_size_read(inode);
1066 - break;
1067 - case SEEK_CUR:
1068 -@@ -1479,6 +1479,7 @@ static loff_t fuse_file_llseek(struct file *file, loff_t offset, int origin)
1069 - }
1070 - retval = offset;
1071 - }
1072 -+exit:
1073 - mutex_unlock(&inode->i_mutex);
1074 - return retval;
1075 - }
1076 -diff --git a/include/linux/mm.h b/include/linux/mm.h
1077 -index 065cdf8..3daa05f 100644
1078 ---- a/include/linux/mm.h
1079 -+++ b/include/linux/mm.h
1080 -@@ -98,7 +98,7 @@ extern unsigned int kobjsize(const void *objp);
1081 - #define VM_HUGETLB 0x00400000 /* Huge TLB Page VM */
1082 - #define VM_NONLINEAR 0x00800000 /* Is non-linear (remap_file_pages) */
1083 - #define VM_MAPPED_COPY 0x01000000 /* T if mapped copy of data (nommu mmap) */
1084 --#define VM_INSERTPAGE 0x02000000 /* The vma has had "vm_insert_page()" done on it */
1085 -+#define VM_INSERTPAGE 0x02000000 /* The vma has had "vm_insert_page()" done on it. Refer note in VM_PFNMAP_AT_MMAP below */
1086 - #define VM_ALWAYSDUMP 0x04000000 /* Always include in core dumps */
1087 -
1088 - #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
1089 -@@ -127,6 +127,17 @@ extern unsigned int kobjsize(const void *objp);
1090 - #define VM_SPECIAL (VM_IO | VM_DONTEXPAND | VM_RESERVED | VM_PFNMAP)
1091 -
1092 - /*
1093 -+ * pfnmap vmas that are fully mapped at mmap time (not mapped on fault).
1094 -+ * Used by x86 PAT to identify such PFNMAP mappings and optimize their handling.
1095 -+ * Note VM_INSERTPAGE flag is overloaded here. i.e,
1096 -+ * VM_INSERTPAGE && !VM_PFNMAP implies
1097 -+ * The vma has had "vm_insert_page()" done on it
1098 -+ * VM_INSERTPAGE && VM_PFNMAP implies
1099 -+ * The vma is PFNMAP with full mapping at mmap time
1100 -+ */
1101 -+#define VM_PFNMAP_AT_MMAP (VM_INSERTPAGE | VM_PFNMAP)
1102 -+
1103 -+/*
1104 - * mapping from the currently active vm_flags protection bits (the
1105 - * low four bits) to a page protection mask..
1106 - */
1107 -@@ -145,7 +156,7 @@ extern pgprot_t protection_map[16];
1108 - */
1109 - static inline int is_linear_pfn_mapping(struct vm_area_struct *vma)
1110 - {
1111 -- return ((vma->vm_flags & VM_PFNMAP) && vma->vm_pgoff);
1112 -+ return ((vma->vm_flags & VM_PFNMAP_AT_MMAP) == VM_PFNMAP_AT_MMAP);
1113 - }
1114 -
1115 - static inline int is_pfn_mapping(struct vm_area_struct *vma)
1116 -diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
1117 -index 7f6c603..2526f3b 100644
1118 ---- a/include/linux/usb/quirks.h
1119 -+++ b/include/linux/usb/quirks.h
1120 -@@ -16,4 +16,7 @@
1121 - /* device can't handle Set-Interface requests */
1122 - #define USB_QUIRK_NO_SET_INTF 0x00000004
1123 -
1124 -+/* device can't handle its Configuration or Interface strings */
1125 -+#define USB_QUIRK_CONFIG_INTF_STRINGS 0x00000008
1126 -+
1127 - #endif /* __LINUX_USB_QUIRKS_H */
1128 -diff --git a/mm/memory.c b/mm/memory.c
1129 -index baa999e..d7df5ba 100644
1130 ---- a/mm/memory.c
1131 -+++ b/mm/memory.c
1132 -@@ -1665,9 +1665,10 @@ int remap_pfn_range(struct vm_area_struct *vma, unsigned long addr,
1133 - * behaviour that some programs depend on. We mark the "original"
1134 - * un-COW'ed pages by matching them up with "vma->vm_pgoff".
1135 - */
1136 -- if (addr == vma->vm_start && end == vma->vm_end)
1137 -+ if (addr == vma->vm_start && end == vma->vm_end) {
1138 - vma->vm_pgoff = pfn;
1139 -- else if (is_cow_mapping(vma->vm_flags))
1140 -+ vma->vm_flags |= VM_PFNMAP_AT_MMAP;
1141 -+ } else if (is_cow_mapping(vma->vm_flags))
1142 - return -EINVAL;
1143 -
1144 - vma->vm_flags |= VM_IO | VM_RESERVED | VM_PFNMAP;
1145 -@@ -1679,6 +1680,7 @@ int remap_pfn_range(struct vm_area_struct *vma, unsigned long addr,
1146 - * needed from higher level routine calling unmap_vmas
1147 - */
1148 - vma->vm_flags &= ~(VM_IO | VM_RESERVED | VM_PFNMAP);
1149 -+ vma->vm_flags &= ~VM_PFNMAP_AT_MMAP;
1150 - return -EINVAL;
1151 - }
1152 -
1153 -diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
1154 -index 727c5c5..8a96672 100644
1155 ---- a/net/bridge/br_if.c
1156 -+++ b/net/bridge/br_if.c
1157 -@@ -426,7 +426,6 @@ err2:
1158 - err1:
1159 - kobject_del(&p->kobj);
1160 - err0:
1161 -- kobject_put(&p->kobj);
1162 - dev_set_promiscuity(dev, -1);
1163 - put_back:
1164 - dev_put(dev);
1165 -diff --git a/net/core/dev.c b/net/core/dev.c
1166 -index e3fe5c7..e438f54 100644
1167 ---- a/net/core/dev.c
1168 -+++ b/net/core/dev.c
1169 -@@ -2588,18 +2588,15 @@ static int process_backlog(struct napi_struct *napi, int quota)
1170 - local_irq_disable();
1171 - skb = __skb_dequeue(&queue->input_pkt_queue);
1172 - if (!skb) {
1173 -+ __napi_complete(napi);
1174 - local_irq_enable();
1175 -- napi_complete(napi);
1176 -- goto out;
1177 -+ break;
1178 - }
1179 - local_irq_enable();
1180 -
1181 -- napi_gro_receive(napi, skb);
1182 -+ netif_receive_skb(skb);
1183 - } while (++work < quota && jiffies == start_time);
1184 -
1185 -- napi_gro_flush(napi);
1186 --
1187 --out:
1188 - return work;
1189 - }
1190 -
1191 -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
1192 -index c47c989..c8bee18 100644
1193 ---- a/net/ipv4/udp.c
1194 -+++ b/net/ipv4/udp.c
1195 -@@ -1614,7 +1614,8 @@ static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
1196 - } while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family));
1197 -
1198 - if (!sk) {
1199 -- spin_unlock_bh(&state->udp_table->hash[state->bucket].lock);
1200 -+ if (state->bucket < UDP_HTABLE_SIZE)
1201 -+ spin_unlock_bh(&state->udp_table->hash[state->bucket].lock);
1202 - return udp_get_first(seq, state->bucket + 1);
1203 - }
1204 - return sk;
1205 -@@ -1632,6 +1633,9 @@ static struct sock *udp_get_idx(struct seq_file *seq, loff_t pos)
1206 -
1207 - static void *udp_seq_start(struct seq_file *seq, loff_t *pos)
1208 - {
1209 -+ struct udp_iter_state *state = seq->private;
1210 -+ state->bucket = UDP_HTABLE_SIZE;
1211 -+
1212 - return *pos ? udp_get_idx(seq, *pos-1) : SEQ_START_TOKEN;
1213 - }
1214 -
1215 -diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
1216 -index f171e8d..8f04bd9 100644
1217 ---- a/net/ipv6/ip6_input.c
1218 -+++ b/net/ipv6/ip6_input.c
1219 -@@ -75,8 +75,7 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
1220 - if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL ||
1221 - !idev || unlikely(idev->cnf.disable_ipv6)) {
1222 - IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INDISCARDS);
1223 -- rcu_read_unlock();
1224 -- goto out;
1225 -+ goto drop;
1226 - }
1227 -
1228 - memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
1229 -@@ -147,7 +146,6 @@ err:
1230 - drop:
1231 - rcu_read_unlock();
1232 - kfree_skb(skb);
1233 --out:
1234 - return 0;
1235 - }
1236 -
1237 -diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
1238 -index f3fd154..56ac4ee 100644
1239 ---- a/net/netfilter/nf_conntrack_proto_tcp.c
1240 -+++ b/net/netfilter/nf_conntrack_proto_tcp.c
1241 -@@ -15,6 +15,7 @@
1242 - #include <linux/skbuff.h>
1243 - #include <linux/ipv6.h>
1244 - #include <net/ip6_checksum.h>
1245 -+#include <asm/unaligned.h>
1246 -
1247 - #include <net/tcp.h>
1248 -
1249 -@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
1250 - for (i = 0;
1251 - i < (opsize - TCPOLEN_SACK_BASE);
1252 - i += TCPOLEN_SACK_PERBLOCK) {
1253 -- tmp = ntohl(*((__be32 *)(ptr+i)+1));
1254 -+ tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
1255 -
1256 - if (after(tmp, *sack))
1257 - *sack = tmp;
1258 -diff --git a/net/wireless/reg.c b/net/wireless/reg.c
1259 -index bd0a16c..4f9ff2a 100644
1260 ---- a/net/wireless/reg.c
1261 -+++ b/net/wireless/reg.c
1262 -@@ -1083,6 +1083,8 @@ EXPORT_SYMBOL(regulatory_hint);
1263 - static bool reg_same_country_ie_hint(struct wiphy *wiphy,
1264 - u32 country_ie_checksum)
1265 - {
1266 -+ if (unlikely(last_request->initiator != REGDOM_SET_BY_COUNTRY_IE))
1267 -+ return false;
1268 - if (!last_request->wiphy)
1269 - return false;
1270 - if (likely(last_request->wiphy != wiphy))
1271 -@@ -1133,7 +1135,9 @@ void regulatory_hint_11d(struct wiphy *wiphy,
1272 - /* We will run this for *every* beacon processed for the BSSID, so
1273 - * we optimize an early check to exit out early if we don't have to
1274 - * do anything */
1275 -- if (likely(last_request->wiphy)) {
1276 -+ if (likely(last_request->initiator ==
1277 -+ REGDOM_SET_BY_COUNTRY_IE &&
1278 -+ likely(last_request->wiphy))) {
1279 - struct cfg80211_registered_device *drv_last_ie;
1280 -
1281 - drv_last_ie = wiphy_to_dev(last_request->wiphy);
1282 -@@ -1469,13 +1473,20 @@ int regulatory_init(void)
1283 -
1284 - printk(KERN_INFO "cfg80211: Using static regulatory domain info\n");
1285 - print_regdomain_info(cfg80211_regdomain);
1286 -- /* The old code still requests for a new regdomain and if
1287 -+ /*
1288 -+ * The old code still requests for a new regdomain and if
1289 - * you have CRDA you get it updated, otherwise you get
1290 - * stuck with the static values. We ignore "EU" code as
1291 -- * that is not a valid ISO / IEC 3166 alpha2 */
1292 -- if (ieee80211_regdom[0] != 'E' || ieee80211_regdom[1] != 'U')
1293 -- err = __regulatory_hint(NULL, REGDOM_SET_BY_CORE,
1294 -- ieee80211_regdom, 0, ENVIRON_ANY);
1295 -+ * that is not a valid ISO / IEC 3166 alpha2
1296 -+ * stuck with the static values. Since "EU" is not a valid
1297 -+ * ISO / IEC 3166 alpha2 code we can't expect userpace to
1298 -+ * give us a regulatory domain for it. We need last_request
1299 -+ * iniitalized though so lets just send a request which we
1300 -+ * know will be ignored... this crap will be removed once
1301 -+ * OLD_REG dies.
1302 -+ */
1303 -+ err = __regulatory_hint(NULL, REGDOM_SET_BY_CORE,
1304 -+ ieee80211_regdom, 0, ENVIRON_ANY);
1305 - #else
1306 - cfg80211_regdomain = cfg80211_world_regdom;
1307 -
1308 -diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
1309 -index 62a5425..8227172 100644
1310 ---- a/net/xfrm/xfrm_state.c
1311 -+++ b/net/xfrm/xfrm_state.c
1312 -@@ -1615,7 +1615,7 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1313 -
1314 - spin_lock_bh(&xfrm_state_lock);
1315 - list_del(&walk->all);
1316 -- spin_lock_bh(&xfrm_state_lock);
1317 -+ spin_unlock_bh(&xfrm_state_lock);
1318 - }
1319 - EXPORT_SYMBOL(xfrm_state_walk_done);
1320 -
1321
1322 Deleted: genpatches-2.6/trunk/2.6.30/1001_linux-2.6.29.2.patch
1323 ===================================================================
1324 --- genpatches-2.6/trunk/2.6.30/1001_linux-2.6.29.2.patch 2009-06-05 16:26:11 UTC (rev 1572)
1325 +++ genpatches-2.6/trunk/2.6.30/1001_linux-2.6.29.2.patch 2009-06-05 16:28:49 UTC (rev 1573)
1326 @@ -1,4591 +0,0 @@
1327 -diff --git a/Documentation/networking/bonding.txt b/Documentation/networking/bonding.txt
1328 -index 5ede747..0876275 100644
1329 ---- a/Documentation/networking/bonding.txt
1330 -+++ b/Documentation/networking/bonding.txt
1331 -@@ -1242,7 +1242,7 @@ monitoring is enabled, and vice-versa.
1332 - To add ARP targets:
1333 - # echo +192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target
1334 - # echo +192.168.0.101 > /sys/class/net/bond0/bonding/arp_ip_target
1335 -- NOTE: up to 10 target addresses may be specified.
1336 -+ NOTE: up to 16 target addresses may be specified.
1337 -
1338 - To remove an ARP target:
1339 - # echo -192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target
1340 -diff --git a/arch/ia64/kvm/Kconfig b/arch/ia64/kvm/Kconfig
1341 -index f833a0b..0a2d6b8 100644
1342 ---- a/arch/ia64/kvm/Kconfig
1343 -+++ b/arch/ia64/kvm/Kconfig
1344 -@@ -4,6 +4,10 @@
1345 - config HAVE_KVM
1346 - bool
1347 -
1348 -+config HAVE_KVM_IRQCHIP
1349 -+ bool
1350 -+ default y
1351 -+
1352 - menuconfig VIRTUALIZATION
1353 - bool "Virtualization"
1354 - depends on HAVE_KVM || IA64
1355 -diff --git a/arch/mips/kernel/linux32.c b/arch/mips/kernel/linux32.c
1356 -index 1a86f84..5abcc7f 100644
1357 ---- a/arch/mips/kernel/linux32.c
1358 -+++ b/arch/mips/kernel/linux32.c
1359 -@@ -134,9 +134,9 @@ SYSCALL_DEFINE4(32_ftruncate64, unsigned long, fd, unsigned long, __dummy,
1360 - return sys_ftruncate(fd, merge_64(a2, a3));
1361 - }
1362 -
1363 --SYSCALL_DEFINE5(32_llseek, unsigned long, fd, unsigned long, offset_high,
1364 -- unsigned long, offset_low, loff_t __user *, result,
1365 -- unsigned long, origin)
1366 -+SYSCALL_DEFINE5(32_llseek, unsigned int, fd, unsigned int, offset_high,
1367 -+ unsigned int, offset_low, loff_t __user *, result,
1368 -+ unsigned int, origin)
1369 - {
1370 - return sys_llseek(fd, offset_high, offset_low, result, origin);
1371 - }
1372 -diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h
1373 -index 6d406c5..9696cc3 100644
1374 ---- a/arch/powerpc/include/asm/futex.h
1375 -+++ b/arch/powerpc/include/asm/futex.h
1376 -@@ -27,7 +27,7 @@
1377 - PPC_LONG "1b,4b,2b,4b\n" \
1378 - ".previous" \
1379 - : "=&r" (oldval), "=&r" (ret) \
1380 -- : "b" (uaddr), "i" (-EFAULT), "1" (oparg) \
1381 -+ : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \
1382 - : "cr0", "memory")
1383 -
1384 - static inline int futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
1385 -@@ -47,19 +47,19 @@ static inline int futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
1386 -
1387 - switch (op) {
1388 - case FUTEX_OP_SET:
1389 -- __futex_atomic_op("", ret, oldval, uaddr, oparg);
1390 -+ __futex_atomic_op("mr %1,%4\n", ret, oldval, uaddr, oparg);
1391 - break;
1392 - case FUTEX_OP_ADD:
1393 -- __futex_atomic_op("add %1,%0,%1\n", ret, oldval, uaddr, oparg);
1394 -+ __futex_atomic_op("add %1,%0,%4\n", ret, oldval, uaddr, oparg);
1395 - break;
1396 - case FUTEX_OP_OR:
1397 -- __futex_atomic_op("or %1,%0,%1\n", ret, oldval, uaddr, oparg);
1398 -+ __futex_atomic_op("or %1,%0,%4\n", ret, oldval, uaddr, oparg);
1399 - break;
1400 - case FUTEX_OP_ANDN:
1401 -- __futex_atomic_op("andc %1,%0,%1\n", ret, oldval, uaddr, oparg);
1402 -+ __futex_atomic_op("andc %1,%0,%4\n", ret, oldval, uaddr, oparg);
1403 - break;
1404 - case FUTEX_OP_XOR:
1405 -- __futex_atomic_op("xor %1,%0,%1\n", ret, oldval, uaddr, oparg);
1406 -+ __futex_atomic_op("xor %1,%0,%4\n", ret, oldval, uaddr, oparg);
1407 - break;
1408 - default:
1409 - ret = -ENOSYS;
1410 -diff --git a/arch/powerpc/kvm/Kconfig b/arch/powerpc/kvm/Kconfig
1411 -index 6dbdc48..03becdf 100644
1412 ---- a/arch/powerpc/kvm/Kconfig
1413 -+++ b/arch/powerpc/kvm/Kconfig
1414 -@@ -2,6 +2,9 @@
1415 - # KVM configuration
1416 - #
1417 -
1418 -+config HAVE_KVM_IRQCHIP
1419 -+ bool
1420 -+
1421 - menuconfig VIRTUALIZATION
1422 - bool "Virtualization"
1423 - ---help---
1424 -diff --git a/arch/s390/kvm/Kconfig b/arch/s390/kvm/Kconfig
1425 -index e051cad..3e260b7 100644
1426 ---- a/arch/s390/kvm/Kconfig
1427 -+++ b/arch/s390/kvm/Kconfig
1428 -@@ -4,6 +4,9 @@
1429 - config HAVE_KVM
1430 - bool
1431 -
1432 -+config HAVE_KVM_IRQCHIP
1433 -+ bool
1434 -+
1435 - menuconfig VIRTUALIZATION
1436 - bool "Virtualization"
1437 - default y
1438 -diff --git a/arch/sparc/include/asm/tlb_64.h b/arch/sparc/include/asm/tlb_64.h
1439 -index 0aaa086..ee38e73 100644
1440 ---- a/arch/sparc/include/asm/tlb_64.h
1441 -+++ b/arch/sparc/include/asm/tlb_64.h
1442 -@@ -57,9 +57,9 @@ static inline struct mmu_gather *tlb_gather_mmu(struct mm_struct *mm, unsigned i
1443 -
1444 - static inline void tlb_flush_mmu(struct mmu_gather *mp)
1445 - {
1446 -+ if (!mp->fullmm)
1447 -+ flush_tlb_pending();
1448 - if (mp->need_flush) {
1449 -- if (!mp->fullmm)
1450 -- flush_tlb_pending();
1451 - free_pages_and_swap_cache(mp->pages, mp->pages_nr);
1452 - mp->pages_nr = 0;
1453 - mp->need_flush = 0;
1454 -diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
1455 -index c98d52e..6ed3aca 100644
1456 ---- a/arch/x86/Kconfig.cpu
1457 -+++ b/arch/x86/Kconfig.cpu
1458 -@@ -523,6 +523,7 @@ config X86_PTRACE_BTS
1459 - bool "Branch Trace Store"
1460 - default y
1461 - depends on X86_DEBUGCTLMSR
1462 -+ depends on BROKEN
1463 - help
1464 - This adds a ptrace interface to the hardware's branch trace store.
1465 -
1466 -diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c
1467 -index 8c3c25f..a99dbbe 100644
1468 ---- a/arch/x86/boot/memory.c
1469 -+++ b/arch/x86/boot/memory.c
1470 -@@ -27,13 +27,14 @@ static int detect_memory_e820(void)
1471 - do {
1472 - size = sizeof(struct e820entry);
1473 -
1474 -- /* Important: %edx is clobbered by some BIOSes,
1475 -- so it must be either used for the error output
1476 -+ /* Important: %edx and %esi are clobbered by some BIOSes,
1477 -+ so they must be either used for the error output
1478 - or explicitly marked clobbered. */
1479 - asm("int $0x15; setc %0"
1480 - : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
1481 - "=m" (*desc)
1482 -- : "D" (desc), "d" (SMAP), "a" (0xe820));
1483 -+ : "D" (desc), "d" (SMAP), "a" (0xe820)
1484 -+ : "esi");
1485 -
1486 - /* BIOSes which terminate the chain with CF = 1 as opposed
1487 - to %ebx = 0 don't always report the SMAP signature on
1488 -diff --git a/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c b/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
1489 -index 4b1c319..89c676d 100644
1490 ---- a/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
1491 -+++ b/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
1492 -@@ -680,6 +680,18 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
1493 - perf->states[i].transition_latency * 1000;
1494 - }
1495 -
1496 -+ /* Check for high latency (>20uS) from buggy BIOSes, like on T42 */
1497 -+ if (perf->control_register.space_id == ACPI_ADR_SPACE_FIXED_HARDWARE &&
1498 -+ policy->cpuinfo.transition_latency > 20 * 1000) {
1499 -+ static int print_once;
1500 -+ policy->cpuinfo.transition_latency = 20 * 1000;
1501 -+ if (!print_once) {
1502 -+ print_once = 1;
1503 -+ printk(KERN_INFO "Capping off P-state tranision latency"
1504 -+ " at 20 uS\n");
1505 -+ }
1506 -+ }
1507 -+
1508 - data->max_freq = perf->states[0].core_frequency * 1000;
1509 - /* table init */
1510 - for (i=0; i<perf->state_count; i++) {
1511 -diff --git a/arch/x86/kernel/io_apic.c b/arch/x86/kernel/io_apic.c
1512 -index bc7ac4d..7086b24 100644
1513 ---- a/arch/x86/kernel/io_apic.c
1514 -+++ b/arch/x86/kernel/io_apic.c
1515 -@@ -2475,6 +2475,7 @@ asmlinkage void smp_irq_move_cleanup_interrupt(void)
1516 - me = smp_processor_id();
1517 - for (vector = FIRST_EXTERNAL_VECTOR; vector < NR_VECTORS; vector++) {
1518 - unsigned int irq;
1519 -+ unsigned int irr;
1520 - struct irq_desc *desc;
1521 - struct irq_cfg *cfg;
1522 - irq = __get_cpu_var(vector_irq)[vector];
1523 -@@ -2494,6 +2495,18 @@ asmlinkage void smp_irq_move_cleanup_interrupt(void)
1524 - if (vector == cfg->vector && cpumask_test_cpu(me, cfg->domain))
1525 - goto unlock;
1526 -
1527 -+ irr = apic_read(APIC_IRR + (vector / 32 * 0x10));
1528 -+ /*
1529 -+ * Check if the vector that needs to be cleanedup is
1530 -+ * registered at the cpu's IRR. If so, then this is not
1531 -+ * the best time to clean it up. Lets clean it up in the
1532 -+ * next attempt by sending another IRQ_MOVE_CLEANUP_VECTOR
1533 -+ * to myself.
1534 -+ */
1535 -+ if (irr & (1 << (vector % 32))) {
1536 -+ send_IPI_self(IRQ_MOVE_CLEANUP_VECTOR);
1537 -+ goto unlock;
1538 -+ }
1539 - __get_cpu_var(vector_irq)[vector] = -1;
1540 - cfg->move_cleanup_count--;
1541 - unlock:
1542 -diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
1543 -index b81125f..0a303c3 100644
1544 ---- a/arch/x86/kvm/Kconfig
1545 -+++ b/arch/x86/kvm/Kconfig
1546 -@@ -4,6 +4,10 @@
1547 - config HAVE_KVM
1548 - bool
1549 -
1550 -+config HAVE_KVM_IRQCHIP
1551 -+ bool
1552 -+ default y
1553 -+
1554 - menuconfig VIRTUALIZATION
1555 - bool "Virtualization"
1556 - depends on HAVE_KVM || X86
1557 -diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
1558 -index 72bd275..3dceaef 100644
1559 ---- a/arch/x86/kvm/i8254.c
1560 -+++ b/arch/x86/kvm/i8254.c
1561 -@@ -536,6 +536,16 @@ void kvm_pit_reset(struct kvm_pit *pit)
1562 - pit->pit_state.irq_ack = 1;
1563 - }
1564 -
1565 -+static void pit_mask_notifer(struct kvm_irq_mask_notifier *kimn, bool mask)
1566 -+{
1567 -+ struct kvm_pit *pit = container_of(kimn, struct kvm_pit, mask_notifier);
1568 -+
1569 -+ if (!mask) {
1570 -+ atomic_set(&pit->pit_state.pit_timer.pending, 0);
1571 -+ pit->pit_state.irq_ack = 1;
1572 -+ }
1573 -+}
1574 -+
1575 - struct kvm_pit *kvm_create_pit(struct kvm *kvm)
1576 - {
1577 - struct kvm_pit *pit;
1578 -@@ -584,6 +594,9 @@ struct kvm_pit *kvm_create_pit(struct kvm *kvm)
1579 -
1580 - kvm_pit_reset(pit);
1581 -
1582 -+ pit->mask_notifier.func = pit_mask_notifer;
1583 -+ kvm_register_irq_mask_notifier(kvm, 0, &pit->mask_notifier);
1584 -+
1585 - return pit;
1586 - }
1587 -
1588 -@@ -592,6 +605,8 @@ void kvm_free_pit(struct kvm *kvm)
1589 - struct hrtimer *timer;
1590 -
1591 - if (kvm->arch.vpit) {
1592 -+ kvm_unregister_irq_mask_notifier(kvm, 0,
1593 -+ &kvm->arch.vpit->mask_notifier);
1594 - mutex_lock(&kvm->arch.vpit->pit_state.lock);
1595 - timer = &kvm->arch.vpit->pit_state.pit_timer.timer;
1596 - hrtimer_cancel(timer);
1597 -diff --git a/arch/x86/kvm/i8254.h b/arch/x86/kvm/i8254.h
1598 -index 4178022..0dfb936 100644
1599 ---- a/arch/x86/kvm/i8254.h
1600 -+++ b/arch/x86/kvm/i8254.h
1601 -@@ -45,6 +45,7 @@ struct kvm_pit {
1602 - struct kvm *kvm;
1603 - struct kvm_kpit_state pit_state;
1604 - int irq_source_id;
1605 -+ struct kvm_irq_mask_notifier mask_notifier;
1606 - };
1607 -
1608 - #define KVM_PIT_BASE_ADDRESS 0x40
1609 -diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
1610 -index 258e5d5..eaab214 100644
1611 ---- a/arch/x86/kvm/mmu.h
1612 -+++ b/arch/x86/kvm/mmu.h
1613 -@@ -54,7 +54,7 @@ static inline int kvm_mmu_reload(struct kvm_vcpu *vcpu)
1614 - static inline int is_long_mode(struct kvm_vcpu *vcpu)
1615 - {
1616 - #ifdef CONFIG_X86_64
1617 -- return vcpu->arch.shadow_efer & EFER_LME;
1618 -+ return vcpu->arch.shadow_efer & EFER_LMA;
1619 - #else
1620 - return 0;
1621 - #endif
1622 -diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
1623 -index c95a67d..89addbd 100644
1624 ---- a/arch/x86/kvm/paging_tmpl.h
1625 -+++ b/arch/x86/kvm/paging_tmpl.h
1626 -@@ -476,16 +476,20 @@ static int FNAME(shadow_invlpg_entry)(struct kvm_shadow_walk *_sw,
1627 - if (level == PT_PAGE_TABLE_LEVEL ||
1628 - ((level == PT_DIRECTORY_LEVEL) && is_large_pte(*sptep))) {
1629 - struct kvm_mmu_page *sp = page_header(__pa(sptep));
1630 -+ int need_flush = 0;
1631 -
1632 - sw->pte_gpa = (sp->gfn << PAGE_SHIFT);
1633 - sw->pte_gpa += (sptep - sp->spt) * sizeof(pt_element_t);
1634 -
1635 - if (is_shadow_present_pte(*sptep)) {
1636 -+ need_flush = 1;
1637 - rmap_remove(vcpu->kvm, sptep);
1638 - if (is_large_pte(*sptep))
1639 - --vcpu->kvm->stat.lpages;
1640 - }
1641 - set_shadow_pte(sptep, shadow_trap_nonpresent_pte);
1642 -+ if (need_flush)
1643 -+ kvm_flush_remote_tlbs(vcpu->kvm);
1644 - return 1;
1645 - }
1646 - if (!is_shadow_present_pte(*sptep))
1647 -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1648 -index 90de444..898910c 100644
1649 ---- a/arch/x86/kvm/vmx.c
1650 -+++ b/arch/x86/kvm/vmx.c
1651 -@@ -1433,6 +1433,29 @@ continue_rmode:
1652 - init_rmode(vcpu->kvm);
1653 - }
1654 -
1655 -+static void vmx_set_efer(struct kvm_vcpu *vcpu, u64 efer)
1656 -+{
1657 -+ struct vcpu_vmx *vmx = to_vmx(vcpu);
1658 -+ struct kvm_msr_entry *msr = find_msr_entry(vmx, MSR_EFER);
1659 -+
1660 -+ vcpu->arch.shadow_efer = efer;
1661 -+ if (!msr)
1662 -+ return;
1663 -+ if (efer & EFER_LMA) {
1664 -+ vmcs_write32(VM_ENTRY_CONTROLS,
1665 -+ vmcs_read32(VM_ENTRY_CONTROLS) |
1666 -+ VM_ENTRY_IA32E_MODE);
1667 -+ msr->data = efer;
1668 -+ } else {
1669 -+ vmcs_write32(VM_ENTRY_CONTROLS,
1670 -+ vmcs_read32(VM_ENTRY_CONTROLS) &
1671 -+ ~VM_ENTRY_IA32E_MODE);
1672 -+
1673 -+ msr->data = efer & ~EFER_LME;
1674 -+ }
1675 -+ setup_msrs(vmx);
1676 -+}
1677 -+
1678 - #ifdef CONFIG_X86_64
1679 -
1680 - static void enter_lmode(struct kvm_vcpu *vcpu)
1681 -@@ -1447,13 +1470,8 @@ static void enter_lmode(struct kvm_vcpu *vcpu)
1682 - (guest_tr_ar & ~AR_TYPE_MASK)
1683 - | AR_TYPE_BUSY_64_TSS);
1684 - }
1685 --
1686 - vcpu->arch.shadow_efer |= EFER_LMA;
1687 --
1688 -- find_msr_entry(to_vmx(vcpu), MSR_EFER)->data |= EFER_LMA | EFER_LME;
1689 -- vmcs_write32(VM_ENTRY_CONTROLS,
1690 -- vmcs_read32(VM_ENTRY_CONTROLS)
1691 -- | VM_ENTRY_IA32E_MODE);
1692 -+ vmx_set_efer(vcpu, vcpu->arch.shadow_efer);
1693 - }
1694 -
1695 - static void exit_lmode(struct kvm_vcpu *vcpu)
1696 -@@ -1612,30 +1630,6 @@ static void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
1697 - vmcs_writel(GUEST_CR4, hw_cr4);
1698 - }
1699 -
1700 --static void vmx_set_efer(struct kvm_vcpu *vcpu, u64 efer)
1701 --{
1702 -- struct vcpu_vmx *vmx = to_vmx(vcpu);
1703 -- struct kvm_msr_entry *msr = find_msr_entry(vmx, MSR_EFER);
1704 --
1705 -- vcpu->arch.shadow_efer = efer;
1706 -- if (!msr)
1707 -- return;
1708 -- if (efer & EFER_LMA) {
1709 -- vmcs_write32(VM_ENTRY_CONTROLS,
1710 -- vmcs_read32(VM_ENTRY_CONTROLS) |
1711 -- VM_ENTRY_IA32E_MODE);
1712 -- msr->data = efer;
1713 --
1714 -- } else {
1715 -- vmcs_write32(VM_ENTRY_CONTROLS,
1716 -- vmcs_read32(VM_ENTRY_CONTROLS) &
1717 -- ~VM_ENTRY_IA32E_MODE);
1718 --
1719 -- msr->data = efer & ~EFER_LME;
1720 -- }
1721 -- setup_msrs(vmx);
1722 --}
1723 --
1724 - static u64 vmx_get_segment_base(struct kvm_vcpu *vcpu, int seg)
1725 - {
1726 - struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
1727 -diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
1728 -index 21bc1f7..441489c 100644
1729 ---- a/arch/x86/mm/pat.c
1730 -+++ b/arch/x86/mm/pat.c
1731 -@@ -713,29 +713,28 @@ static void free_pfn_range(u64 paddr, unsigned long size)
1732 - *
1733 - * If the vma has a linear pfn mapping for the entire range, we get the prot
1734 - * from pte and reserve the entire vma range with single reserve_pfn_range call.
1735 -- * Otherwise, we reserve the entire vma range, my ging through the PTEs page
1736 -- * by page to get physical address and protection.
1737 - */
1738 - int track_pfn_vma_copy(struct vm_area_struct *vma)
1739 - {
1740 -- int retval = 0;
1741 -- unsigned long i, j;
1742 - resource_size_t paddr;
1743 - unsigned long prot;
1744 -- unsigned long vma_start = vma->vm_start;
1745 -- unsigned long vma_end = vma->vm_end;
1746 -- unsigned long vma_size = vma_end - vma_start;
1747 -+ unsigned long vma_size = vma->vm_end - vma->vm_start;
1748 - pgprot_t pgprot;
1749 -
1750 - if (!pat_enabled)
1751 - return 0;
1752 -
1753 -+ /*
1754 -+ * For now, only handle remap_pfn_range() vmas where
1755 -+ * is_linear_pfn_mapping() == TRUE. Handling of
1756 -+ * vm_insert_pfn() is TBD.
1757 -+ */
1758 - if (is_linear_pfn_mapping(vma)) {
1759 - /*
1760 - * reserve the whole chunk covered by vma. We need the
1761 - * starting address and protection from pte.
1762 - */
1763 -- if (follow_phys(vma, vma_start, 0, &prot, &paddr)) {
1764 -+ if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
1765 - WARN_ON_ONCE(1);
1766 - return -EINVAL;
1767 - }
1768 -@@ -743,28 +742,7 @@ int track_pfn_vma_copy(struct vm_area_struct *vma)
1769 - return reserve_pfn_range(paddr, vma_size, &pgprot, 1);
1770 - }
1771 -
1772 -- /* reserve entire vma page by page, using pfn and prot from pte */
1773 -- for (i = 0; i < vma_size; i += PAGE_SIZE) {
1774 -- if (follow_phys(vma, vma_start + i, 0, &prot, &paddr))
1775 -- continue;
1776 --
1777 -- pgprot = __pgprot(prot);
1778 -- retval = reserve_pfn_range(paddr, PAGE_SIZE, &pgprot, 1);
1779 -- if (retval)
1780 -- goto cleanup_ret;
1781 -- }
1782 - return 0;
1783 --
1784 --cleanup_ret:
1785 -- /* Reserve error: Cleanup partial reservation and return error */
1786 -- for (j = 0; j < i; j += PAGE_SIZE) {
1787 -- if (follow_phys(vma, vma_start + j, 0, &prot, &paddr))
1788 -- continue;
1789 --
1790 -- free_pfn_range(paddr, PAGE_SIZE);
1791 -- }
1792 --
1793 -- return retval;
1794 - }
1795 -
1796 - /*
1797 -@@ -774,50 +752,28 @@ cleanup_ret:
1798 - * prot is passed in as a parameter for the new mapping. If the vma has a
1799 - * linear pfn mapping for the entire range reserve the entire vma range with
1800 - * single reserve_pfn_range call.
1801 -- * Otherwise, we look t the pfn and size and reserve only the specified range
1802 -- * page by page.
1803 -- *
1804 -- * Note that this function can be called with caller trying to map only a
1805 -- * subrange/page inside the vma.
1806 - */
1807 - int track_pfn_vma_new(struct vm_area_struct *vma, pgprot_t *prot,
1808 - unsigned long pfn, unsigned long size)
1809 - {
1810 -- int retval = 0;
1811 -- unsigned long i, j;
1812 -- resource_size_t base_paddr;
1813 - resource_size_t paddr;
1814 -- unsigned long vma_start = vma->vm_start;
1815 -- unsigned long vma_end = vma->vm_end;
1816 -- unsigned long vma_size = vma_end - vma_start;
1817 -+ unsigned long vma_size = vma->vm_end - vma->vm_start;
1818 -
1819 - if (!pat_enabled)
1820 - return 0;
1821 -
1822 -+ /*
1823 -+ * For now, only handle remap_pfn_range() vmas where
1824 -+ * is_linear_pfn_mapping() == TRUE. Handling of
1825 -+ * vm_insert_pfn() is TBD.
1826 -+ */
1827 - if (is_linear_pfn_mapping(vma)) {
1828 - /* reserve the whole chunk starting from vm_pgoff */
1829 - paddr = (resource_size_t)vma->vm_pgoff << PAGE_SHIFT;
1830 - return reserve_pfn_range(paddr, vma_size, prot, 0);
1831 - }
1832 -
1833 -- /* reserve page by page using pfn and size */
1834 -- base_paddr = (resource_size_t)pfn << PAGE_SHIFT;
1835 -- for (i = 0; i < size; i += PAGE_SIZE) {
1836 -- paddr = base_paddr + i;
1837 -- retval = reserve_pfn_range(paddr, PAGE_SIZE, prot, 0);
1838 -- if (retval)
1839 -- goto cleanup_ret;
1840 -- }
1841 - return 0;
1842 --
1843 --cleanup_ret:
1844 -- /* Reserve error: Cleanup partial reservation and return error */
1845 -- for (j = 0; j < i; j += PAGE_SIZE) {
1846 -- paddr = base_paddr + j;
1847 -- free_pfn_range(paddr, PAGE_SIZE);
1848 -- }
1849 --
1850 -- return retval;
1851 - }
1852 -
1853 - /*
1854 -@@ -828,39 +784,23 @@ cleanup_ret:
1855 - void untrack_pfn_vma(struct vm_area_struct *vma, unsigned long pfn,
1856 - unsigned long size)
1857 - {
1858 -- unsigned long i;
1859 - resource_size_t paddr;
1860 -- unsigned long prot;
1861 -- unsigned long vma_start = vma->vm_start;
1862 -- unsigned long vma_end = vma->vm_end;
1863 -- unsigned long vma_size = vma_end - vma_start;
1864 -+ unsigned long vma_size = vma->vm_end - vma->vm_start;
1865 -
1866 - if (!pat_enabled)
1867 - return;
1868 -
1869 -+ /*
1870 -+ * For now, only handle remap_pfn_range() vmas where
1871 -+ * is_linear_pfn_mapping() == TRUE. Handling of
1872 -+ * vm_insert_pfn() is TBD.
1873 -+ */
1874 - if (is_linear_pfn_mapping(vma)) {
1875 - /* free the whole chunk starting from vm_pgoff */
1876 - paddr = (resource_size_t)vma->vm_pgoff << PAGE_SHIFT;
1877 - free_pfn_range(paddr, vma_size);
1878 - return;
1879 - }
1880 --
1881 -- if (size != 0 && size != vma_size) {
1882 -- /* free page by page, using pfn and size */
1883 -- paddr = (resource_size_t)pfn << PAGE_SHIFT;
1884 -- for (i = 0; i < size; i += PAGE_SIZE) {
1885 -- paddr = paddr + i;
1886 -- free_pfn_range(paddr, PAGE_SIZE);
1887 -- }
1888 -- } else {
1889 -- /* free entire vma, page by page, using the pfn from pte */
1890 -- for (i = 0; i < vma_size; i += PAGE_SIZE) {
1891 -- if (follow_phys(vma, vma_start + i, 0, &prot, &paddr))
1892 -- continue;
1893 --
1894 -- free_pfn_range(paddr, PAGE_SIZE);
1895 -- }
1896 -- }
1897 - }
1898 -
1899 - pgprot_t pgprot_writecombine(pgprot_t prot)
1900 -diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
1901 -index 7d388d5..096b0ed 100644
1902 ---- a/arch/x86/pci/fixup.c
1903 -+++ b/arch/x86/pci/fixup.c
1904 -@@ -495,26 +495,6 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_SIEMENS, 0x0015,
1905 - pci_siemens_interrupt_controller);
1906 -
1907 - /*
1908 -- * Regular PCI devices have 256 bytes, but AMD Family 10h/11h CPUs have
1909 -- * 4096 bytes configuration space for each function of their processor
1910 -- * configuration space.
1911 -- */
1912 --static void amd_cpu_pci_cfg_space_size(struct pci_dev *dev)
1913 --{
1914 -- dev->cfg_size = pci_cfg_space_size_ext(dev);
1915 --}
1916 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1200, amd_cpu_pci_cfg_space_size);
1917 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1201, amd_cpu_pci_cfg_space_size);
1918 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1202, amd_cpu_pci_cfg_space_size);
1919 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1203, amd_cpu_pci_cfg_space_size);
1920 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1204, amd_cpu_pci_cfg_space_size);
1921 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1300, amd_cpu_pci_cfg_space_size);
1922 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1301, amd_cpu_pci_cfg_space_size);
1923 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1302, amd_cpu_pci_cfg_space_size);
1924 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1303, amd_cpu_pci_cfg_space_size);
1925 --DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, 0x1304, amd_cpu_pci_cfg_space_size);
1926 --
1927 --/*
1928 - * SB600: Disable BAR1 on device 14.0 to avoid HPET resources from
1929 - * confusing the PCI engine:
1930 - */
1931 -diff --git a/crypto/shash.c b/crypto/shash.c
1932 -index d5a2b61..6792a67 100644
1933 ---- a/crypto/shash.c
1934 -+++ b/crypto/shash.c
1935 -@@ -82,6 +82,9 @@ static int shash_update_unaligned(struct shash_desc *desc, const u8 *data,
1936 - u8 buf[shash_align_buffer_size(unaligned_len, alignmask)]
1937 - __attribute__ ((aligned));
1938 -
1939 -+ if (unaligned_len > len)
1940 -+ unaligned_len = len;
1941 -+
1942 - memcpy(buf, data, unaligned_len);
1943 -
1944 - return shash->update(desc, buf, unaligned_len) ?:
1945 -diff --git a/drivers/acpi/dock.c b/drivers/acpi/dock.c
1946 -index 35094f2..8f62fa0 100644
1947 ---- a/drivers/acpi/dock.c
1948 -+++ b/drivers/acpi/dock.c
1949 -@@ -1146,9 +1146,10 @@ static int __init dock_init(void)
1950 - static void __exit dock_exit(void)
1951 - {
1952 - struct dock_station *dock_station;
1953 -+ struct dock_station *tmp;
1954 -
1955 - unregister_acpi_bus_notifier(&dock_acpi_notifier);
1956 -- list_for_each_entry(dock_station, &dock_stations, sibiling)
1957 -+ list_for_each_entry_safe(dock_station, tmp, &dock_stations, sibiling)
1958 - dock_remove(dock_station);
1959 - }
1960 -
1961 -diff --git a/drivers/ata/pata_hpt37x.c b/drivers/ata/pata_hpt37x.c
1962 -index 4216399..233a5fd 100644
1963 ---- a/drivers/ata/pata_hpt37x.c
1964 -+++ b/drivers/ata/pata_hpt37x.c
1965 -@@ -8,7 +8,7 @@
1966 - * Copyright (C) 1999-2003 Andre Hedrick <andre@×××××××××.org>
1967 - * Portions Copyright (C) 2001 Sun Microsystems, Inc.
1968 - * Portions Copyright (C) 2003 Red Hat Inc
1969 -- * Portions Copyright (C) 2005-2007 MontaVista Software, Inc.
1970 -+ * Portions Copyright (C) 2005-2009 MontaVista Software, Inc.
1971 - *
1972 - * TODO
1973 - * Look into engine reset on timeout errors. Should not be required.
1974 -@@ -24,7 +24,7 @@
1975 - #include <linux/libata.h>
1976 -
1977 - #define DRV_NAME "pata_hpt37x"
1978 --#define DRV_VERSION "0.6.11"
1979 -+#define DRV_VERSION "0.6.12"
1980 -
1981 - struct hpt_clock {
1982 - u8 xfer_speed;
1983 -@@ -445,23 +445,6 @@ static void hpt370_set_dmamode(struct ata_port *ap, struct ata_device *adev)
1984 - }
1985 -
1986 - /**
1987 -- * hpt370_bmdma_start - DMA engine begin
1988 -- * @qc: ATA command
1989 -- *
1990 -- * The 370 and 370A want us to reset the DMA engine each time we
1991 -- * use it. The 372 and later are fine.
1992 -- */
1993 --
1994 --static void hpt370_bmdma_start(struct ata_queued_cmd *qc)
1995 --{
1996 -- struct ata_port *ap = qc->ap;
1997 -- struct pci_dev *pdev = to_pci_dev(ap->host->dev);
1998 -- pci_write_config_byte(pdev, 0x50 + 4 * ap->port_no, 0x37);
1999 -- udelay(10);
2000 -- ata_bmdma_start(qc);
2001 --}
2002 --
2003 --/**
2004 - * hpt370_bmdma_end - DMA engine stop
2005 - * @qc: ATA command
2006 - *
2007 -@@ -598,7 +581,6 @@ static struct scsi_host_template hpt37x_sht = {
2008 - static struct ata_port_operations hpt370_port_ops = {
2009 - .inherits = &ata_bmdma_port_ops,
2010 -
2011 -- .bmdma_start = hpt370_bmdma_start,
2012 - .bmdma_stop = hpt370_bmdma_stop,
2013 -
2014 - .mode_filter = hpt370_filter,
2015 -diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
2016 -index 10d6cbd..2224b76 100644
2017 ---- a/drivers/char/agp/generic.c
2018 -+++ b/drivers/char/agp/generic.c
2019 -@@ -1226,7 +1226,7 @@ int agp_generic_alloc_pages(struct agp_bridge_data *bridge, struct agp_memory *m
2020 - int i, ret = -ENOMEM;
2021 -
2022 - for (i = 0; i < num_pages; i++) {
2023 -- page = alloc_page(GFP_KERNEL | GFP_DMA32);
2024 -+ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
2025 - /* agp_free_memory() needs gart address */
2026 - if (page == NULL)
2027 - goto out;
2028 -@@ -1257,7 +1257,7 @@ void *agp_generic_alloc_page(struct agp_bridge_data *bridge)
2029 - {
2030 - struct page * page;
2031 -
2032 -- page = alloc_page(GFP_KERNEL | GFP_DMA32);
2033 -+ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
2034 - if (page == NULL)
2035 - return NULL;
2036 -
2037 -diff --git a/drivers/char/vt.c b/drivers/char/vt.c
2038 -index 7900bd6..60453ab 100644
2039 ---- a/drivers/char/vt.c
2040 -+++ b/drivers/char/vt.c
2041 -@@ -2271,7 +2271,7 @@ rescan_last_byte:
2042 - continue; /* nothing to display */
2043 - }
2044 - /* Glyph not found */
2045 -- if ((!(vc->vc_utf && !vc->vc_disp_ctrl) && c < 128) && !(c & ~charmask)) {
2046 -+ if ((!(vc->vc_utf && !vc->vc_disp_ctrl) || c < 128) && !(c & ~charmask)) {
2047 - /* In legacy mode use the glyph we get by a 1:1 mapping.
2048 - This would make absolutely no sense with Unicode in mind,
2049 - but do this for ASCII characters since a font may lack
2050 -diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
2051 -index 88d3368..7ee1ce1 100644
2052 ---- a/drivers/gpu/drm/drm_gem.c
2053 -+++ b/drivers/gpu/drm/drm_gem.c
2054 -@@ -505,7 +505,6 @@ int drm_gem_mmap(struct file *filp, struct vm_area_struct *vma)
2055 - struct drm_map *map = NULL;
2056 - struct drm_gem_object *obj;
2057 - struct drm_hash_item *hash;
2058 -- unsigned long prot;
2059 - int ret = 0;
2060 -
2061 - mutex_lock(&dev->struct_mutex);
2062 -@@ -538,11 +537,7 @@ int drm_gem_mmap(struct file *filp, struct vm_area_struct *vma)
2063 - vma->vm_ops = obj->dev->driver->gem_vm_ops;
2064 - vma->vm_private_data = map->handle;
2065 - /* FIXME: use pgprot_writecombine when available */
2066 -- prot = pgprot_val(vma->vm_page_prot);
2067 --#ifdef CONFIG_X86
2068 -- prot |= _PAGE_CACHE_WC;
2069 --#endif
2070 -- vma->vm_page_prot = __pgprot(prot);
2071 -+ vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
2072 -
2073 - /* Take a ref for this mapping of the object, so that the fault
2074 - * handler can dereference the mmap offset's pointer to the object.
2075 -diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
2076 -index 6d21b9e..908d24e 100644
2077 ---- a/drivers/gpu/drm/i915/i915_dma.c
2078 -+++ b/drivers/gpu/drm/i915/i915_dma.c
2079 -@@ -41,7 +41,6 @@
2080 - int i915_wait_ring(struct drm_device * dev, int n, const char *caller)
2081 - {
2082 - drm_i915_private_t *dev_priv = dev->dev_private;
2083 -- struct drm_i915_master_private *master_priv = dev->primary->master->driver_priv;
2084 - drm_i915_ring_buffer_t *ring = &(dev_priv->ring);
2085 - u32 acthd_reg = IS_I965G(dev) ? ACTHD_I965 : ACTHD;
2086 - u32 last_acthd = I915_READ(acthd_reg);
2087 -@@ -58,8 +57,12 @@ int i915_wait_ring(struct drm_device * dev, int n, const char *caller)
2088 - if (ring->space >= n)
2089 - return 0;
2090 -
2091 -- if (master_priv->sarea_priv)
2092 -- master_priv->sarea_priv->perf_boxes |= I915_BOX_WAIT;
2093 -+ if (dev->primary->master) {
2094 -+ struct drm_i915_master_private *master_priv = dev->primary->master->driver_priv;
2095 -+ if (master_priv->sarea_priv)
2096 -+ master_priv->sarea_priv->perf_boxes |= I915_BOX_WAIT;
2097 -+ }
2098 -+
2099 -
2100 - if (ring->head != last_head)
2101 - i = 0;
2102 -diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
2103 -index 37427e4..fb6390a 100644
2104 ---- a/drivers/gpu/drm/i915/i915_gem.c
2105 -+++ b/drivers/gpu/drm/i915/i915_gem.c
2106 -@@ -603,6 +603,7 @@ int i915_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
2107 - case -EAGAIN:
2108 - return VM_FAULT_OOM;
2109 - case -EFAULT:
2110 -+ case -EINVAL:
2111 - return VM_FAULT_SIGBUS;
2112 - default:
2113 - return VM_FAULT_NOPAGE;
2114 -diff --git a/drivers/gpu/drm/i915/i915_gem_tiling.c b/drivers/gpu/drm/i915/i915_gem_tiling.c
2115 -index 7fb4191..4cce1ae 100644
2116 ---- a/drivers/gpu/drm/i915/i915_gem_tiling.c
2117 -+++ b/drivers/gpu/drm/i915/i915_gem_tiling.c
2118 -@@ -96,16 +96,16 @@ i915_gem_detect_bit_6_swizzle(struct drm_device *dev)
2119 - */
2120 - swizzle_x = I915_BIT_6_SWIZZLE_NONE;
2121 - swizzle_y = I915_BIT_6_SWIZZLE_NONE;
2122 -- } else if ((!IS_I965G(dev) && !IS_G33(dev)) || IS_I965GM(dev) ||
2123 -- IS_GM45(dev)) {
2124 -+ } else if (IS_MOBILE(dev)) {
2125 - uint32_t dcc;
2126 -
2127 -- /* On 915-945 and GM965, channel interleave by the CPU is
2128 -- * determined by DCC. The CPU will alternate based on bit 6
2129 -- * in interleaved mode, and the GPU will then also alternate
2130 -- * on bit 6, 9, and 10 for X, but the CPU may also optionally
2131 -- * alternate based on bit 17 (XOR not disabled and XOR
2132 -- * bit == 17).
2133 -+ /* On mobile 9xx chipsets, channel interleave by the CPU is
2134 -+ * determined by DCC. For single-channel, neither the CPU
2135 -+ * nor the GPU do swizzling. For dual channel interleaved,
2136 -+ * the GPU's interleave is bit 9 and 10 for X tiled, and bit
2137 -+ * 9 for Y tiled. The CPU's interleave is independent, and
2138 -+ * can be based on either bit 11 (haven't seen this yet) or
2139 -+ * bit 17 (common).
2140 - */
2141 - dcc = I915_READ(DCC);
2142 - switch (dcc & DCC_ADDRESSING_MODE_MASK) {
2143 -@@ -115,19 +115,18 @@ i915_gem_detect_bit_6_swizzle(struct drm_device *dev)
2144 - swizzle_y = I915_BIT_6_SWIZZLE_NONE;
2145 - break;
2146 - case DCC_ADDRESSING_MODE_DUAL_CHANNEL_INTERLEAVED:
2147 -- if (IS_I915G(dev) || IS_I915GM(dev) ||
2148 -- dcc & DCC_CHANNEL_XOR_DISABLE) {
2149 -+ if (dcc & DCC_CHANNEL_XOR_DISABLE) {
2150 -+ /* This is the base swizzling by the GPU for
2151 -+ * tiled buffers.
2152 -+ */
2153 - swizzle_x = I915_BIT_6_SWIZZLE_9_10;
2154 - swizzle_y = I915_BIT_6_SWIZZLE_9;
2155 -- } else if ((IS_I965GM(dev) || IS_GM45(dev)) &&
2156 -- (dcc & DCC_CHANNEL_XOR_BIT_17) == 0) {
2157 -- /* GM965/GM45 does either bit 11 or bit 17
2158 -- * swizzling.
2159 -- */
2160 -+ } else if ((dcc & DCC_CHANNEL_XOR_BIT_17) == 0) {
2161 -+ /* Bit 11 swizzling by the CPU in addition. */
2162 - swizzle_x = I915_BIT_6_SWIZZLE_9_10_11;
2163 - swizzle_y = I915_BIT_6_SWIZZLE_9_11;
2164 - } else {
2165 -- /* Bit 17 or perhaps other swizzling */
2166 -+ /* Bit 17 swizzling by the CPU in addition. */
2167 - swizzle_x = I915_BIT_6_SWIZZLE_UNKNOWN;
2168 - swizzle_y = I915_BIT_6_SWIZZLE_UNKNOWN;
2169 - }
2170 -diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
2171 -index 90600d8..cc2938d 100644
2172 ---- a/drivers/gpu/drm/i915/i915_reg.h
2173 -+++ b/drivers/gpu/drm/i915/i915_reg.h
2174 -@@ -629,6 +629,22 @@
2175 - #define TV_HOTPLUG_INT_EN (1 << 18)
2176 - #define CRT_HOTPLUG_INT_EN (1 << 9)
2177 - #define CRT_HOTPLUG_FORCE_DETECT (1 << 3)
2178 -+#define CRT_HOTPLUG_ACTIVATION_PERIOD_32 (0 << 8)
2179 -+/* must use period 64 on GM45 according to docs */
2180 -+#define CRT_HOTPLUG_ACTIVATION_PERIOD_64 (1 << 8)
2181 -+#define CRT_HOTPLUG_DAC_ON_TIME_2M (0 << 7)
2182 -+#define CRT_HOTPLUG_DAC_ON_TIME_4M (1 << 7)
2183 -+#define CRT_HOTPLUG_VOLTAGE_COMPARE_40 (0 << 5)
2184 -+#define CRT_HOTPLUG_VOLTAGE_COMPARE_50 (1 << 5)
2185 -+#define CRT_HOTPLUG_VOLTAGE_COMPARE_60 (2 << 5)
2186 -+#define CRT_HOTPLUG_VOLTAGE_COMPARE_70 (3 << 5)
2187 -+#define CRT_HOTPLUG_VOLTAGE_COMPARE_MASK (3 << 5)
2188 -+#define CRT_HOTPLUG_DETECT_DELAY_1G (0 << 4)
2189 -+#define CRT_HOTPLUG_DETECT_DELAY_2G (1 << 4)
2190 -+#define CRT_HOTPLUG_DETECT_VOLTAGE_325MV (0 << 2)
2191 -+#define CRT_HOTPLUG_DETECT_VOLTAGE_475MV (1 << 2)
2192 -+#define CRT_HOTPLUG_MASK (0x3fc) /* Bits 9-2 */
2193 -+
2194 -
2195 - #define PORT_HOTPLUG_STAT 0x61114
2196 - #define HDMIB_HOTPLUG_INT_STATUS (1 << 29)
2197 -diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c
2198 -index dcaed34..61c108e 100644
2199 ---- a/drivers/gpu/drm/i915/intel_crt.c
2200 -+++ b/drivers/gpu/drm/i915/intel_crt.c
2201 -@@ -133,20 +133,39 @@ static bool intel_crt_detect_hotplug(struct drm_connector *connector)
2202 - {
2203 - struct drm_device *dev = connector->dev;
2204 - struct drm_i915_private *dev_priv = dev->dev_private;
2205 -- u32 temp;
2206 --
2207 -- unsigned long timeout = jiffies + msecs_to_jiffies(1000);
2208 --
2209 -- temp = I915_READ(PORT_HOTPLUG_EN);
2210 --
2211 -- I915_WRITE(PORT_HOTPLUG_EN,
2212 -- temp | CRT_HOTPLUG_FORCE_DETECT | (1 << 5));
2213 -+ u32 hotplug_en;
2214 -+ int i, tries = 0;
2215 -+ /*
2216 -+ * On 4 series desktop, CRT detect sequence need to be done twice
2217 -+ * to get a reliable result.
2218 -+ */
2219 -
2220 -- do {
2221 -- if (!(I915_READ(PORT_HOTPLUG_EN) & CRT_HOTPLUG_FORCE_DETECT))
2222 -- break;
2223 -- msleep(1);
2224 -- } while (time_after(timeout, jiffies));
2225 -+ if (IS_G4X(dev) && !IS_GM45(dev))
2226 -+ tries = 2;
2227 -+ else
2228 -+ tries = 1;
2229 -+ hotplug_en = I915_READ(PORT_HOTPLUG_EN);
2230 -+ hotplug_en &= ~(CRT_HOTPLUG_MASK);
2231 -+ hotplug_en |= CRT_HOTPLUG_FORCE_DETECT;
2232 -+
2233 -+ if (IS_GM45(dev))
2234 -+ hotplug_en |= CRT_HOTPLUG_ACTIVATION_PERIOD_64;
2235 -+
2236 -+ hotplug_en |= CRT_HOTPLUG_VOLTAGE_COMPARE_50;
2237 -+
2238 -+ for (i = 0; i < tries ; i++) {
2239 -+ unsigned long timeout;
2240 -+ /* turn on the FORCE_DETECT */
2241 -+ I915_WRITE(PORT_HOTPLUG_EN, hotplug_en);
2242 -+ timeout = jiffies + msecs_to_jiffies(1000);
2243 -+ /* wait for FORCE_DETECT to go off */
2244 -+ do {
2245 -+ if (!(I915_READ(PORT_HOTPLUG_EN) &
2246 -+ CRT_HOTPLUG_FORCE_DETECT))
2247 -+ break;
2248 -+ msleep(1);
2249 -+ } while (time_after(timeout, jiffies));
2250 -+ }
2251 -
2252 - if ((I915_READ(PORT_HOTPLUG_STAT) & CRT_HOTPLUG_MONITOR_MASK) ==
2253 - CRT_HOTPLUG_MONITOR_COLOR)
2254 -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
2255 -index a283427..601a76f 100644
2256 ---- a/drivers/gpu/drm/i915/intel_display.c
2257 -+++ b/drivers/gpu/drm/i915/intel_display.c
2258 -@@ -1474,13 +1474,21 @@ static void intel_setup_outputs(struct drm_device *dev)
2259 -
2260 - if (IS_I9XX(dev)) {
2261 - int found;
2262 -+ u32 reg;
2263 -
2264 - if (I915_READ(SDVOB) & SDVO_DETECTED) {
2265 - found = intel_sdvo_init(dev, SDVOB);
2266 - if (!found && SUPPORTS_INTEGRATED_HDMI(dev))
2267 - intel_hdmi_init(dev, SDVOB);
2268 - }
2269 -- if (!IS_G4X(dev) || (I915_READ(SDVOB) & SDVO_DETECTED)) {
2270 -+
2271 -+ /* Before G4X SDVOC doesn't have its own detect register */
2272 -+ if (IS_G4X(dev))
2273 -+ reg = SDVOC;
2274 -+ else
2275 -+ reg = SDVOB;
2276 -+
2277 -+ if (I915_READ(reg) & SDVO_DETECTED) {
2278 - found = intel_sdvo_init(dev, SDVOC);
2279 - if (!found && SUPPORTS_INTEGRATED_HDMI(dev))
2280 - intel_hdmi_init(dev, SDVOC);
2281 -diff --git a/drivers/gpu/drm/i915/intel_tv.c b/drivers/gpu/drm/i915/intel_tv.c
2282 -index 56485d6..b05cb67 100644
2283 ---- a/drivers/gpu/drm/i915/intel_tv.c
2284 -+++ b/drivers/gpu/drm/i915/intel_tv.c
2285 -@@ -1558,33 +1558,49 @@ intel_tv_set_property(struct drm_connector *connector, struct drm_property *prop
2286 - struct drm_device *dev = connector->dev;
2287 - struct intel_output *intel_output = to_intel_output(connector);
2288 - struct intel_tv_priv *tv_priv = intel_output->dev_priv;
2289 -+ struct drm_encoder *encoder = &intel_output->enc;
2290 -+ struct drm_crtc *crtc = encoder->crtc;
2291 - int ret = 0;
2292 -+ bool changed = false;
2293 -
2294 - ret = drm_connector_property_set_value(connector, property, val);
2295 - if (ret < 0)
2296 - goto out;
2297 -
2298 -- if (property == dev->mode_config.tv_left_margin_property)
2299 -+ if (property == dev->mode_config.tv_left_margin_property &&
2300 -+ tv_priv->margin[TV_MARGIN_LEFT] != val) {
2301 - tv_priv->margin[TV_MARGIN_LEFT] = val;
2302 -- else if (property == dev->mode_config.tv_right_margin_property)
2303 -+ changed = true;
2304 -+ } else if (property == dev->mode_config.tv_right_margin_property &&
2305 -+ tv_priv->margin[TV_MARGIN_RIGHT] != val) {
2306 - tv_priv->margin[TV_MARGIN_RIGHT] = val;
2307 -- else if (property == dev->mode_config.tv_top_margin_property)
2308 -+ changed = true;
2309 -+ } else if (property == dev->mode_config.tv_top_margin_property &&
2310 -+ tv_priv->margin[TV_MARGIN_TOP] != val) {
2311 - tv_priv->margin[TV_MARGIN_TOP] = val;
2312 -- else if (property == dev->mode_config.tv_bottom_margin_property)
2313 -+ changed = true;
2314 -+ } else if (property == dev->mode_config.tv_bottom_margin_property &&
2315 -+ tv_priv->margin[TV_MARGIN_BOTTOM] != val) {
2316 - tv_priv->margin[TV_MARGIN_BOTTOM] = val;
2317 -- else if (property == dev->mode_config.tv_mode_property) {
2318 -+ changed = true;
2319 -+ } else if (property == dev->mode_config.tv_mode_property) {
2320 - if (val >= NUM_TV_MODES) {
2321 - ret = -EINVAL;
2322 - goto out;
2323 - }
2324 -+ if (!strcmp(tv_priv->tv_format, tv_modes[val].name))
2325 -+ goto out;
2326 -+
2327 - tv_priv->tv_format = tv_modes[val].name;
2328 -- intel_tv_mode_set(&intel_output->enc, NULL, NULL);
2329 -+ changed = true;
2330 - } else {
2331 - ret = -EINVAL;
2332 - goto out;
2333 - }
2334 -
2335 -- intel_tv_mode_set(&intel_output->enc, NULL, NULL);
2336 -+ if (changed && crtc)
2337 -+ drm_crtc_helper_set_mode(crtc, &crtc->mode, crtc->x,
2338 -+ crtc->y, crtc->fb);
2339 - out:
2340 - return ret;
2341 - }
2342 -diff --git a/drivers/ide/hpt366.c b/drivers/ide/hpt366.c
2343 -index 3eb9b5c..5ff6962 100644
2344 ---- a/drivers/ide/hpt366.c
2345 -+++ b/drivers/ide/hpt366.c
2346 -@@ -114,6 +114,8 @@
2347 - * the register setting lists into the table indexed by the clock selected
2348 - * - set the correct hwif->ultra_mask for each individual chip
2349 - * - add Ultra and MW DMA mode filtering for the HPT37[24] based SATA cards
2350 -+ * - stop resetting HPT370's state machine before each DMA transfer as that has
2351 -+ * caused more harm than good
2352 - * Sergei Shtylyov, <sshtylyov@×××××××××.com> or <source@××××××.com>
2353 - */
2354 -
2355 -@@ -133,7 +135,7 @@
2356 - #define DRV_NAME "hpt366"
2357 -
2358 - /* various tuning parameters */
2359 --#define HPT_RESET_STATE_ENGINE
2360 -+#undef HPT_RESET_STATE_ENGINE
2361 - #undef HPT_DELAY_INTERRUPT
2362 -
2363 - static const char *quirk_drives[] = {
2364 -diff --git a/drivers/ide/ide-atapi.c b/drivers/ide/ide-atapi.c
2365 -index e9d042d..53a9e8d 100644
2366 ---- a/drivers/ide/ide-atapi.c
2367 -+++ b/drivers/ide/ide-atapi.c
2368 -@@ -6,6 +6,8 @@
2369 - #include <linux/cdrom.h>
2370 - #include <linux/delay.h>
2371 - #include <linux/ide.h>
2372 -+#include <linux/scatterlist.h>
2373 -+
2374 - #include <scsi/scsi.h>
2375 -
2376 - #ifdef DEBUG
2377 -@@ -566,6 +568,10 @@ static ide_startstop_t ide_transfer_pc(ide_drive_t *drive)
2378 - : ide_pc_intr),
2379 - timeout, expiry);
2380 -
2381 -+ /* Send the actual packet */
2382 -+ if ((drive->atapi_flags & IDE_AFLAG_ZIP_DRIVE) == 0)
2383 -+ hwif->tp_ops->output_data(drive, NULL, rq->cmd, cmd_len);
2384 -+
2385 - /* Begin DMA, if necessary */
2386 - if (dev_is_idecd(drive)) {
2387 - if (drive->dma)
2388 -@@ -577,10 +583,6 @@ static ide_startstop_t ide_transfer_pc(ide_drive_t *drive)
2389 - }
2390 - }
2391 -
2392 -- /* Send the actual packet */
2393 -- if ((drive->atapi_flags & IDE_AFLAG_ZIP_DRIVE) == 0)
2394 -- hwif->tp_ops->output_data(drive, NULL, rq->cmd, cmd_len);
2395 --
2396 - return ide_started;
2397 - }
2398 -
2399 -diff --git a/drivers/ide/ide-io.c b/drivers/ide/ide-io.c
2400 -index a9a6c20..af70777 100644
2401 ---- a/drivers/ide/ide-io.c
2402 -+++ b/drivers/ide/ide-io.c
2403 -@@ -736,11 +736,10 @@ repeat:
2404 - prev_port = hwif->host->cur_port;
2405 - hwif->rq = NULL;
2406 -
2407 -- if (drive->dev_flags & IDE_DFLAG_SLEEPING) {
2408 -- if (time_before(drive->sleep, jiffies)) {
2409 -- ide_unlock_port(hwif);
2410 -- goto plug_device;
2411 -- }
2412 -+ if (drive->dev_flags & IDE_DFLAG_SLEEPING &&
2413 -+ time_after(drive->sleep, jiffies)) {
2414 -+ ide_unlock_port(hwif);
2415 -+ goto plug_device;
2416 - }
2417 -
2418 - if ((hwif->host->host_flags & IDE_HFLAG_SERIALIZE) &&
2419 -diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
2420 -index ebf4be5..2d175b5 100644
2421 ---- a/drivers/input/gameport/gameport.c
2422 -+++ b/drivers/input/gameport/gameport.c
2423 -@@ -50,9 +50,8 @@ static LIST_HEAD(gameport_list);
2424 -
2425 - static struct bus_type gameport_bus;
2426 -
2427 --static void gameport_add_driver(struct gameport_driver *drv);
2428 - static void gameport_add_port(struct gameport *gameport);
2429 --static void gameport_destroy_port(struct gameport *gameport);
2430 -+static void gameport_attach_driver(struct gameport_driver *drv);
2431 - static void gameport_reconnect_port(struct gameport *gameport);
2432 - static void gameport_disconnect_port(struct gameport *gameport);
2433 -
2434 -@@ -230,7 +229,6 @@ static void gameport_find_driver(struct gameport *gameport)
2435 -
2436 - enum gameport_event_type {
2437 - GAMEPORT_REGISTER_PORT,
2438 -- GAMEPORT_REGISTER_DRIVER,
2439 - GAMEPORT_ATTACH_DRIVER,
2440 - };
2441 -
2442 -@@ -374,8 +372,8 @@ static void gameport_handle_event(void)
2443 - gameport_add_port(event->object);
2444 - break;
2445 -
2446 -- case GAMEPORT_REGISTER_DRIVER:
2447 -- gameport_add_driver(event->object);
2448 -+ case GAMEPORT_ATTACH_DRIVER:
2449 -+ gameport_attach_driver(event->object);
2450 - break;
2451 -
2452 - default:
2453 -@@ -706,14 +704,14 @@ static int gameport_driver_remove(struct device *dev)
2454 - return 0;
2455 - }
2456 -
2457 --static void gameport_add_driver(struct gameport_driver *drv)
2458 -+static void gameport_attach_driver(struct gameport_driver *drv)
2459 - {
2460 - int error;
2461 -
2462 -- error = driver_register(&drv->driver);
2463 -+ error = driver_attach(&drv->driver);
2464 - if (error)
2465 - printk(KERN_ERR
2466 -- "gameport: driver_register() failed for %s, error: %d\n",
2467 -+ "gameport: driver_attach() failed for %s, error: %d\n",
2468 - drv->driver.name, error);
2469 - }
2470 -
2471 -diff --git a/drivers/md/dm-bio-record.h b/drivers/md/dm-bio-record.h
2472 -index d3ec217..3a8cfa2 100644
2473 ---- a/drivers/md/dm-bio-record.h
2474 -+++ b/drivers/md/dm-bio-record.h
2475 -@@ -16,30 +16,56 @@
2476 - * functions in this file help the target record and restore the
2477 - * original bio state.
2478 - */
2479 -+
2480 -+struct dm_bio_vec_details {
2481 -+#if PAGE_SIZE < 65536
2482 -+ __u16 bv_len;
2483 -+ __u16 bv_offset;
2484 -+#else
2485 -+ unsigned bv_len;
2486 -+ unsigned bv_offset;
2487 -+#endif
2488 -+};
2489 -+
2490 - struct dm_bio_details {
2491 - sector_t bi_sector;
2492 - struct block_device *bi_bdev;
2493 - unsigned int bi_size;
2494 - unsigned short bi_idx;
2495 - unsigned long bi_flags;
2496 -+ struct dm_bio_vec_details bi_io_vec[BIO_MAX_PAGES];
2497 - };
2498 -
2499 - static inline void dm_bio_record(struct dm_bio_details *bd, struct bio *bio)
2500 - {
2501 -+ unsigned i;
2502 -+
2503 - bd->bi_sector = bio->bi_sector;
2504 - bd->bi_bdev = bio->bi_bdev;
2505 - bd->bi_size = bio->bi_size;
2506 - bd->bi_idx = bio->bi_idx;
2507 - bd->bi_flags = bio->bi_flags;
2508 -+
2509 -+ for (i = 0; i < bio->bi_vcnt; i++) {
2510 -+ bd->bi_io_vec[i].bv_len = bio->bi_io_vec[i].bv_len;
2511 -+ bd->bi_io_vec[i].bv_offset = bio->bi_io_vec[i].bv_offset;
2512 -+ }
2513 - }
2514 -
2515 - static inline void dm_bio_restore(struct dm_bio_details *bd, struct bio *bio)
2516 - {
2517 -+ unsigned i;
2518 -+
2519 - bio->bi_sector = bd->bi_sector;
2520 - bio->bi_bdev = bd->bi_bdev;
2521 - bio->bi_size = bd->bi_size;
2522 - bio->bi_idx = bd->bi_idx;
2523 - bio->bi_flags = bd->bi_flags;
2524 -+
2525 -+ for (i = 0; i < bio->bi_vcnt; i++) {
2526 -+ bio->bi_io_vec[i].bv_len = bd->bi_io_vec[i].bv_len;
2527 -+ bio->bi_io_vec[i].bv_offset = bd->bi_io_vec[i].bv_offset;
2528 -+ }
2529 - }
2530 -
2531 - #endif
2532 -diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
2533 -index 36e2b5e..e73aabd 100644
2534 ---- a/drivers/md/dm-io.c
2535 -+++ b/drivers/md/dm-io.c
2536 -@@ -370,16 +370,13 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions,
2537 - while (1) {
2538 - set_current_state(TASK_UNINTERRUPTIBLE);
2539 -
2540 -- if (!atomic_read(&io.count) || signal_pending(current))
2541 -+ if (!atomic_read(&io.count))
2542 - break;
2543 -
2544 - io_schedule();
2545 - }
2546 - set_current_state(TASK_RUNNING);
2547 -
2548 -- if (atomic_read(&io.count))
2549 -- return -EINTR;
2550 --
2551 - if (error_bits)
2552 - *error_bits = io.error_bits;
2553 -
2554 -diff --git a/drivers/md/dm-kcopyd.c b/drivers/md/dm-kcopyd.c
2555 -index 0a225da..3e3fc06 100644
2556 ---- a/drivers/md/dm-kcopyd.c
2557 -+++ b/drivers/md/dm-kcopyd.c
2558 -@@ -297,7 +297,8 @@ static int run_complete_job(struct kcopyd_job *job)
2559 - dm_kcopyd_notify_fn fn = job->fn;
2560 - struct dm_kcopyd_client *kc = job->kc;
2561 -
2562 -- kcopyd_put_pages(kc, job->pages);
2563 -+ if (job->pages)
2564 -+ kcopyd_put_pages(kc, job->pages);
2565 - mempool_free(job, kc->job_pool);
2566 - fn(read_err, write_err, context);
2567 -
2568 -@@ -461,6 +462,7 @@ static void segment_complete(int read_err, unsigned long write_err,
2569 - sector_t progress = 0;
2570 - sector_t count = 0;
2571 - struct kcopyd_job *job = (struct kcopyd_job *) context;
2572 -+ struct dm_kcopyd_client *kc = job->kc;
2573 -
2574 - mutex_lock(&job->lock);
2575 -
2576 -@@ -490,7 +492,7 @@ static void segment_complete(int read_err, unsigned long write_err,
2577 -
2578 - if (count) {
2579 - int i;
2580 -- struct kcopyd_job *sub_job = mempool_alloc(job->kc->job_pool,
2581 -+ struct kcopyd_job *sub_job = mempool_alloc(kc->job_pool,
2582 - GFP_NOIO);
2583 -
2584 - *sub_job = *job;
2585 -@@ -509,13 +511,16 @@ static void segment_complete(int read_err, unsigned long write_err,
2586 - } else if (atomic_dec_and_test(&job->sub_jobs)) {
2587 -
2588 - /*
2589 -- * To avoid a race we must keep the job around
2590 -- * until after the notify function has completed.
2591 -- * Otherwise the client may try and stop the job
2592 -- * after we've completed.
2593 -+ * Queue the completion callback to the kcopyd thread.
2594 -+ *
2595 -+ * Some callers assume that all the completions are called
2596 -+ * from a single thread and don't race with each other.
2597 -+ *
2598 -+ * We must not call the callback directly here because this
2599 -+ * code may not be executing in the thread.
2600 - */
2601 -- job->fn(read_err, write_err, job->context);
2602 -- mempool_free(job, job->kc->job_pool);
2603 -+ push(&kc->complete_jobs, job);
2604 -+ wake(kc);
2605 - }
2606 - }
2607 -
2608 -@@ -528,6 +533,8 @@ static void split_job(struct kcopyd_job *job)
2609 - {
2610 - int i;
2611 -
2612 -+ atomic_inc(&job->kc->nr_jobs);
2613 -+
2614 - atomic_set(&job->sub_jobs, SPLIT_COUNT);
2615 - for (i = 0; i < SPLIT_COUNT; i++)
2616 - segment_complete(0, 0u, job);
2617 -diff --git a/drivers/md/dm-path-selector.c b/drivers/md/dm-path-selector.c
2618 -index 96ea226..42c04f0 100644
2619 ---- a/drivers/md/dm-path-selector.c
2620 -+++ b/drivers/md/dm-path-selector.c
2621 -@@ -17,9 +17,7 @@
2622 -
2623 - struct ps_internal {
2624 - struct path_selector_type pst;
2625 --
2626 - struct list_head list;
2627 -- long use;
2628 - };
2629 -
2630 - #define pst_to_psi(__pst) container_of((__pst), struct ps_internal, pst)
2631 -@@ -45,12 +43,8 @@ static struct ps_internal *get_path_selector(const char *name)
2632 -
2633 - down_read(&_ps_lock);
2634 - psi = __find_path_selector_type(name);
2635 -- if (psi) {
2636 -- if ((psi->use == 0) && !try_module_get(psi->pst.module))
2637 -- psi = NULL;
2638 -- else
2639 -- psi->use++;
2640 -- }
2641 -+ if (psi && !try_module_get(psi->pst.module))
2642 -+ psi = NULL;
2643 - up_read(&_ps_lock);
2644 -
2645 - return psi;
2646 -@@ -84,11 +78,7 @@ void dm_put_path_selector(struct path_selector_type *pst)
2647 - if (!psi)
2648 - goto out;
2649 -
2650 -- if (--psi->use == 0)
2651 -- module_put(psi->pst.module);
2652 --
2653 -- BUG_ON(psi->use < 0);
2654 --
2655 -+ module_put(psi->pst.module);
2656 - out:
2657 - up_read(&_ps_lock);
2658 - }
2659 -@@ -136,11 +126,6 @@ int dm_unregister_path_selector(struct path_selector_type *pst)
2660 - return -EINVAL;
2661 - }
2662 -
2663 -- if (psi->use) {
2664 -- up_write(&_ps_lock);
2665 -- return -ETXTBSY;
2666 -- }
2667 --
2668 - list_del(&psi->list);
2669 -
2670 - up_write(&_ps_lock);
2671 -diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
2672 -index 4d6bc10..62d5948 100644
2673 ---- a/drivers/md/dm-raid1.c
2674 -+++ b/drivers/md/dm-raid1.c
2675 -@@ -145,6 +145,8 @@ struct dm_raid1_read_record {
2676 - struct dm_bio_details details;
2677 - };
2678 -
2679 -+static struct kmem_cache *_dm_raid1_read_record_cache;
2680 -+
2681 - /*
2682 - * Every mirror should look like this one.
2683 - */
2684 -@@ -764,9 +766,9 @@ static struct mirror_set *alloc_context(unsigned int nr_mirrors,
2685 - atomic_set(&ms->suspend, 0);
2686 - atomic_set(&ms->default_mirror, DEFAULT_MIRROR);
2687 -
2688 -- len = sizeof(struct dm_raid1_read_record);
2689 -- ms->read_record_pool = mempool_create_kmalloc_pool(MIN_READ_RECORDS,
2690 -- len);
2691 -+ ms->read_record_pool = mempool_create_slab_pool(MIN_READ_RECORDS,
2692 -+ _dm_raid1_read_record_cache);
2693 -+
2694 - if (!ms->read_record_pool) {
2695 - ti->error = "Error creating mirror read_record_pool";
2696 - kfree(ms);
2697 -@@ -1279,16 +1281,31 @@ static int __init dm_mirror_init(void)
2698 - {
2699 - int r;
2700 -
2701 -+ _dm_raid1_read_record_cache = KMEM_CACHE(dm_raid1_read_record, 0);
2702 -+ if (!_dm_raid1_read_record_cache) {
2703 -+ DMERR("Can't allocate dm_raid1_read_record cache");
2704 -+ r = -ENOMEM;
2705 -+ goto bad_cache;
2706 -+ }
2707 -+
2708 - r = dm_register_target(&mirror_target);
2709 -- if (r < 0)
2710 -+ if (r < 0) {
2711 - DMERR("Failed to register mirror target");
2712 -+ goto bad_target;
2713 -+ }
2714 -+
2715 -+ return 0;
2716 -
2717 -+bad_target:
2718 -+ kmem_cache_destroy(_dm_raid1_read_record_cache);
2719 -+bad_cache:
2720 - return r;
2721 - }
2722 -
2723 - static void __exit dm_mirror_exit(void)
2724 - {
2725 - dm_unregister_target(&mirror_target);
2726 -+ kmem_cache_destroy(_dm_raid1_read_record_cache);
2727 - }
2728 -
2729 - /* Module hooks */
2730 -diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
2731 -index 65ff82f..462750c 100644
2732 ---- a/drivers/md/dm-snap.c
2733 -+++ b/drivers/md/dm-snap.c
2734 -@@ -972,6 +972,17 @@ static void start_copy(struct dm_snap_pending_exception *pe)
2735 - &src, 1, &dest, 0, copy_callback, pe);
2736 - }
2737 -
2738 -+static struct dm_snap_pending_exception *
2739 -+__lookup_pending_exception(struct dm_snapshot *s, chunk_t chunk)
2740 -+{
2741 -+ struct dm_snap_exception *e = lookup_exception(&s->pending, chunk);
2742 -+
2743 -+ if (!e)
2744 -+ return NULL;
2745 -+
2746 -+ return container_of(e, struct dm_snap_pending_exception, e);
2747 -+}
2748 -+
2749 - /*
2750 - * Looks to see if this snapshot already has a pending exception
2751 - * for this chunk, otherwise it allocates a new one and inserts
2752 -@@ -981,40 +992,15 @@ static void start_copy(struct dm_snap_pending_exception *pe)
2753 - * this.
2754 - */
2755 - static struct dm_snap_pending_exception *
2756 --__find_pending_exception(struct dm_snapshot *s, struct bio *bio)
2757 -+__find_pending_exception(struct dm_snapshot *s,
2758 -+ struct dm_snap_pending_exception *pe, chunk_t chunk)
2759 - {
2760 -- struct dm_snap_exception *e;
2761 -- struct dm_snap_pending_exception *pe;
2762 -- chunk_t chunk = sector_to_chunk(s, bio->bi_sector);
2763 --
2764 -- /*
2765 -- * Is there a pending exception for this already ?
2766 -- */
2767 -- e = lookup_exception(&s->pending, chunk);
2768 -- if (e) {
2769 -- /* cast the exception to a pending exception */
2770 -- pe = container_of(e, struct dm_snap_pending_exception, e);
2771 -- goto out;
2772 -- }
2773 --
2774 -- /*
2775 -- * Create a new pending exception, we don't want
2776 -- * to hold the lock while we do this.
2777 -- */
2778 -- up_write(&s->lock);
2779 -- pe = alloc_pending_exception(s);
2780 -- down_write(&s->lock);
2781 --
2782 -- if (!s->valid) {
2783 -- free_pending_exception(pe);
2784 -- return NULL;
2785 -- }
2786 -+ struct dm_snap_pending_exception *pe2;
2787 -
2788 -- e = lookup_exception(&s->pending, chunk);
2789 -- if (e) {
2790 -+ pe2 = __lookup_pending_exception(s, chunk);
2791 -+ if (pe2) {
2792 - free_pending_exception(pe);
2793 -- pe = container_of(e, struct dm_snap_pending_exception, e);
2794 -- goto out;
2795 -+ return pe2;
2796 - }
2797 -
2798 - pe->e.old_chunk = chunk;
2799 -@@ -1032,7 +1018,6 @@ __find_pending_exception(struct dm_snapshot *s, struct bio *bio)
2800 - get_pending_exception(pe);
2801 - insert_exception(&s->pending, &pe->e);
2802 -
2803 -- out:
2804 - return pe;
2805 - }
2806 -
2807 -@@ -1083,11 +1068,31 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio,
2808 - * writeable.
2809 - */
2810 - if (bio_rw(bio) == WRITE) {
2811 -- pe = __find_pending_exception(s, bio);
2812 -+ pe = __lookup_pending_exception(s, chunk);
2813 - if (!pe) {
2814 -- __invalidate_snapshot(s, -ENOMEM);
2815 -- r = -EIO;
2816 -- goto out_unlock;
2817 -+ up_write(&s->lock);
2818 -+ pe = alloc_pending_exception(s);
2819 -+ down_write(&s->lock);
2820 -+
2821 -+ if (!s->valid) {
2822 -+ free_pending_exception(pe);
2823 -+ r = -EIO;
2824 -+ goto out_unlock;
2825 -+ }
2826 -+
2827 -+ e = lookup_exception(&s->complete, chunk);
2828 -+ if (e) {
2829 -+ free_pending_exception(pe);
2830 -+ remap_exception(s, e, bio, chunk);
2831 -+ goto out_unlock;
2832 -+ }
2833 -+
2834 -+ pe = __find_pending_exception(s, pe, chunk);
2835 -+ if (!pe) {
2836 -+ __invalidate_snapshot(s, -ENOMEM);
2837 -+ r = -EIO;
2838 -+ goto out_unlock;
2839 -+ }
2840 - }
2841 -
2842 - remap_exception(s, &pe->e, bio, chunk);
2843 -@@ -1217,10 +1222,28 @@ static int __origin_write(struct list_head *snapshots, struct bio *bio)
2844 - if (e)
2845 - goto next_snapshot;
2846 -
2847 -- pe = __find_pending_exception(snap, bio);
2848 -+ pe = __lookup_pending_exception(snap, chunk);
2849 - if (!pe) {
2850 -- __invalidate_snapshot(snap, -ENOMEM);
2851 -- goto next_snapshot;
2852 -+ up_write(&snap->lock);
2853 -+ pe = alloc_pending_exception(snap);
2854 -+ down_write(&snap->lock);
2855 -+
2856 -+ if (!snap->valid) {
2857 -+ free_pending_exception(pe);
2858 -+ goto next_snapshot;
2859 -+ }
2860 -+
2861 -+ e = lookup_exception(&snap->complete, chunk);
2862 -+ if (e) {
2863 -+ free_pending_exception(pe);
2864 -+ goto next_snapshot;
2865 -+ }
2866 -+
2867 -+ pe = __find_pending_exception(snap, pe, chunk);
2868 -+ if (!pe) {
2869 -+ __invalidate_snapshot(snap, -ENOMEM);
2870 -+ goto next_snapshot;
2871 -+ }
2872 - }
2873 -
2874 - if (!primary_pe) {
2875 -diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
2876 -index 2fd66c3..e8361b1 100644
2877 ---- a/drivers/md/dm-table.c
2878 -+++ b/drivers/md/dm-table.c
2879 -@@ -399,28 +399,30 @@ static int check_device_area(struct dm_dev_internal *dd, sector_t start,
2880 - }
2881 -
2882 - /*
2883 -- * This upgrades the mode on an already open dm_dev. Being
2884 -+ * This upgrades the mode on an already open dm_dev, being
2885 - * careful to leave things as they were if we fail to reopen the
2886 -- * device.
2887 -+ * device and not to touch the existing bdev field in case
2888 -+ * it is accessed concurrently inside dm_table_any_congested().
2889 - */
2890 - static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode,
2891 - struct mapped_device *md)
2892 - {
2893 - int r;
2894 -- struct dm_dev_internal dd_copy;
2895 -- dev_t dev = dd->dm_dev.bdev->bd_dev;
2896 -+ struct dm_dev_internal dd_new, dd_old;
2897 -
2898 -- dd_copy = *dd;
2899 -+ dd_new = dd_old = *dd;
2900 -+
2901 -+ dd_new.dm_dev.mode |= new_mode;
2902 -+ dd_new.dm_dev.bdev = NULL;
2903 -+
2904 -+ r = open_dev(&dd_new, dd->dm_dev.bdev->bd_dev, md);
2905 -+ if (r)
2906 -+ return r;
2907 -
2908 - dd->dm_dev.mode |= new_mode;
2909 -- dd->dm_dev.bdev = NULL;
2910 -- r = open_dev(dd, dev, md);
2911 -- if (!r)
2912 -- close_dev(&dd_copy, md);
2913 -- else
2914 -- *dd = dd_copy;
2915 -+ close_dev(&dd_old, md);
2916 -
2917 -- return r;
2918 -+ return 0;
2919 - }
2920 -
2921 - /*
2922 -diff --git a/drivers/md/dm-target.c b/drivers/md/dm-target.c
2923 -index 7decf10..db72c94 100644
2924 ---- a/drivers/md/dm-target.c
2925 -+++ b/drivers/md/dm-target.c
2926 -@@ -18,7 +18,6 @@ struct tt_internal {
2927 - struct target_type tt;
2928 -
2929 - struct list_head list;
2930 -- long use;
2931 - };
2932 -
2933 - static LIST_HEAD(_targets);
2934 -@@ -44,12 +43,8 @@ static struct tt_internal *get_target_type(const char *name)
2935 - down_read(&_lock);
2936 -
2937 - ti = __find_target_type(name);
2938 -- if (ti) {
2939 -- if ((ti->use == 0) && !try_module_get(ti->tt.module))
2940 -- ti = NULL;
2941 -- else
2942 -- ti->use++;
2943 -- }
2944 -+ if (ti && !try_module_get(ti->tt.module))
2945 -+ ti = NULL;
2946 -
2947 - up_read(&_lock);
2948 - return ti;
2949 -@@ -77,10 +72,7 @@ void dm_put_target_type(struct target_type *t)
2950 - struct tt_internal *ti = (struct tt_internal *) t;
2951 -
2952 - down_read(&_lock);
2953 -- if (--ti->use == 0)
2954 -- module_put(ti->tt.module);
2955 --
2956 -- BUG_ON(ti->use < 0);
2957 -+ module_put(ti->tt.module);
2958 - up_read(&_lock);
2959 -
2960 - return;
2961 -@@ -140,12 +132,6 @@ void dm_unregister_target(struct target_type *t)
2962 - BUG();
2963 - }
2964 -
2965 -- if (ti->use) {
2966 -- DMCRIT("Attempt to unregister target still in use: %s",
2967 -- t->name);
2968 -- BUG();
2969 -- }
2970 --
2971 - list_del(&ti->list);
2972 - kfree(ti);
2973 -
2974 -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
2975 -index e246642..4a25fa9 100644
2976 ---- a/drivers/md/raid1.c
2977 -+++ b/drivers/md/raid1.c
2978 -@@ -120,6 +120,7 @@ static void * r1buf_pool_alloc(gfp_t gfp_flags, void *data)
2979 - goto out_free_pages;
2980 -
2981 - bio->bi_io_vec[i].bv_page = page;
2982 -+ bio->bi_vcnt = i+1;
2983 - }
2984 - }
2985 - /* If not user-requests, copy the page pointers to all bios */
2986 -@@ -135,9 +136,9 @@ static void * r1buf_pool_alloc(gfp_t gfp_flags, void *data)
2987 - return r1_bio;
2988 -
2989 - out_free_pages:
2990 -- for (i=0; i < RESYNC_PAGES ; i++)
2991 -- for (j=0 ; j < pi->raid_disks; j++)
2992 -- safe_put_page(r1_bio->bios[j]->bi_io_vec[i].bv_page);
2993 -+ for (j=0 ; j < pi->raid_disks; j++)
2994 -+ for (i=0; i < r1_bio->bios[j]->bi_vcnt ; i++)
2995 -+ put_page(r1_bio->bios[j]->bi_io_vec[i].bv_page);
2996 - j = -1;
2997 - out_free_bio:
2998 - while ( ++j < pi->raid_disks )
2999 -diff --git a/drivers/media/video/cx88/cx88-input.c b/drivers/media/video/cx88/cx88-input.c
3000 -index 8683d10..5b107fa 100644
3001 ---- a/drivers/media/video/cx88/cx88-input.c
3002 -+++ b/drivers/media/video/cx88/cx88-input.c
3003 -@@ -48,8 +48,7 @@ struct cx88_IR {
3004 -
3005 - /* poll external decoder */
3006 - int polling;
3007 -- struct work_struct work;
3008 -- struct timer_list timer;
3009 -+ struct delayed_work work;
3010 - u32 gpio_addr;
3011 - u32 last_gpio;
3012 - u32 mask_keycode;
3013 -@@ -143,27 +142,19 @@ static void cx88_ir_handle_key(struct cx88_IR *ir)
3014 - }
3015 - }
3016 -
3017 --static void ir_timer(unsigned long data)
3018 --{
3019 -- struct cx88_IR *ir = (struct cx88_IR *)data;
3020 --
3021 -- schedule_work(&ir->work);
3022 --}
3023 --
3024 - static void cx88_ir_work(struct work_struct *work)
3025 - {
3026 -- struct cx88_IR *ir = container_of(work, struct cx88_IR, work);
3027 -+ struct cx88_IR *ir = container_of(work, struct cx88_IR, work.work);
3028 -
3029 - cx88_ir_handle_key(ir);
3030 -- mod_timer(&ir->timer, jiffies + msecs_to_jiffies(ir->polling));
3031 -+ schedule_delayed_work(&ir->work, msecs_to_jiffies(ir->polling));
3032 - }
3033 -
3034 - void cx88_ir_start(struct cx88_core *core, struct cx88_IR *ir)
3035 - {
3036 - if (ir->polling) {
3037 -- setup_timer(&ir->timer, ir_timer, (unsigned long)ir);
3038 -- INIT_WORK(&ir->work, cx88_ir_work);
3039 -- schedule_work(&ir->work);
3040 -+ INIT_DELAYED_WORK(&ir->work, cx88_ir_work);
3041 -+ schedule_delayed_work(&ir->work, 0);
3042 - }
3043 - if (ir->sampling) {
3044 - core->pci_irqmask |= PCI_INT_IR_SMPINT;
3045 -@@ -179,10 +170,8 @@ void cx88_ir_stop(struct cx88_core *core, struct cx88_IR *ir)
3046 - core->pci_irqmask &= ~PCI_INT_IR_SMPINT;
3047 - }
3048 -
3049 -- if (ir->polling) {
3050 -- del_timer_sync(&ir->timer);
3051 -- flush_scheduled_work();
3052 -- }
3053 -+ if (ir->polling)
3054 -+ cancel_delayed_work_sync(&ir->work);
3055 - }
3056 -
3057 - /* ---------------------------------------------------------------------- */
3058 -diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
3059 -index ea3aafb..6fc789e 100644
3060 ---- a/drivers/message/fusion/mptbase.c
3061 -+++ b/drivers/message/fusion/mptbase.c
3062 -@@ -5934,7 +5934,7 @@ mpt_config(MPT_ADAPTER *ioc, CONFIGPARMS *pCfg)
3063 -
3064 - /* Initalize the timer
3065 - */
3066 -- init_timer(&pCfg->timer);
3067 -+ init_timer_on_stack(&pCfg->timer);
3068 - pCfg->timer.data = (unsigned long) ioc;
3069 - pCfg->timer.function = mpt_timer_expired;
3070 - pCfg->wait_done = 0;
3071 -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
3072 -index 3d76686..87045f8 100644
3073 ---- a/drivers/net/bonding/bond_main.c
3074 -+++ b/drivers/net/bonding/bond_main.c
3075 -@@ -2565,7 +2565,7 @@ static void bond_arp_send_all(struct bonding *bond, struct slave *slave)
3076 -
3077 - for (i = 0; (i < BOND_MAX_ARP_TARGETS); i++) {
3078 - if (!targets[i])
3079 -- continue;
3080 -+ break;
3081 - pr_debug("basa: target %x\n", targets[i]);
3082 - if (list_empty(&bond->vlan_list)) {
3083 - pr_debug("basa: empty vlan: arp_send\n");
3084 -@@ -2672,7 +2672,6 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32
3085 - int i;
3086 - __be32 *targets = bond->params.arp_targets;
3087 -
3088 -- targets = bond->params.arp_targets;
3089 - for (i = 0; (i < BOND_MAX_ARP_TARGETS) && targets[i]; i++) {
3090 - pr_debug("bva: sip %pI4 tip %pI4 t[%d] %pI4 bhti(tip) %d\n",
3091 - &sip, &tip, i, &targets[i], bond_has_this_ip(bond, tip));
3092 -@@ -3294,7 +3293,7 @@ static void bond_info_show_master(struct seq_file *seq)
3093 -
3094 - for(i = 0; (i < BOND_MAX_ARP_TARGETS) ;i++) {
3095 - if (!bond->params.arp_targets[i])
3096 -- continue;
3097 -+ break;
3098 - if (printed)
3099 - seq_printf(seq, ",");
3100 - seq_printf(seq, " %pI4", &bond->params.arp_targets[i]);
3101 -diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
3102 -index 18cf478..d287315 100644
3103 ---- a/drivers/net/bonding/bond_sysfs.c
3104 -+++ b/drivers/net/bonding/bond_sysfs.c
3105 -@@ -684,17 +684,15 @@ static ssize_t bonding_store_arp_targets(struct device *d,
3106 - goto out;
3107 - }
3108 - /* look for an empty slot to put the target in, and check for dupes */
3109 -- for (i = 0; (i < BOND_MAX_ARP_TARGETS); i++) {
3110 -+ for (i = 0; (i < BOND_MAX_ARP_TARGETS) && !done; i++) {
3111 - if (targets[i] == newtarget) { /* duplicate */
3112 - printk(KERN_ERR DRV_NAME
3113 - ": %s: ARP target %pI4 is already present\n",
3114 - bond->dev->name, &newtarget);
3115 -- if (done)
3116 -- targets[i] = 0;
3117 - ret = -EINVAL;
3118 - goto out;
3119 - }
3120 -- if (targets[i] == 0 && !done) {
3121 -+ if (targets[i] == 0) {
3122 - printk(KERN_INFO DRV_NAME
3123 - ": %s: adding ARP target %pI4.\n",
3124 - bond->dev->name, &newtarget);
3125 -@@ -720,12 +718,16 @@ static ssize_t bonding_store_arp_targets(struct device *d,
3126 - goto out;
3127 - }
3128 -
3129 -- for (i = 0; (i < BOND_MAX_ARP_TARGETS); i++) {
3130 -+ for (i = 0; (i < BOND_MAX_ARP_TARGETS) && !done; i++) {
3131 - if (targets[i] == newtarget) {
3132 -+ int j;
3133 - printk(KERN_INFO DRV_NAME
3134 - ": %s: removing ARP target %pI4.\n",
3135 - bond->dev->name, &newtarget);
3136 -- targets[i] = 0;
3137 -+ for (j = i; (j < (BOND_MAX_ARP_TARGETS-1)) && targets[j+1]; j++)
3138 -+ targets[j] = targets[j+1];
3139 -+
3140 -+ targets[j] = 0;
3141 - done = 1;
3142 - }
3143 - }
3144 -diff --git a/drivers/net/ixgbe/ixgbe_ethtool.c b/drivers/net/ixgbe/ixgbe_ethtool.c
3145 -index 67f87a7..090ada6 100644
3146 ---- a/drivers/net/ixgbe/ixgbe_ethtool.c
3147 -+++ b/drivers/net/ixgbe/ixgbe_ethtool.c
3148 -@@ -691,9 +691,10 @@ static int ixgbe_set_ringparam(struct net_device *netdev,
3149 - struct ethtool_ringparam *ring)
3150 - {
3151 - struct ixgbe_adapter *adapter = netdev_priv(netdev);
3152 -- struct ixgbe_ring *temp_ring;
3153 -+ struct ixgbe_ring *temp_tx_ring, *temp_rx_ring;
3154 - int i, err;
3155 - u32 new_rx_count, new_tx_count;
3156 -+ bool need_update = false;
3157 -
3158 - if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending))
3159 - return -EINVAL;
3160 -@@ -712,80 +713,94 @@ static int ixgbe_set_ringparam(struct net_device *netdev,
3161 - return 0;
3162 - }
3163 -
3164 -- temp_ring = kcalloc(adapter->num_tx_queues,
3165 -- sizeof(struct ixgbe_ring), GFP_KERNEL);
3166 -- if (!temp_ring)
3167 -- return -ENOMEM;
3168 --
3169 - while (test_and_set_bit(__IXGBE_RESETTING, &adapter->state))
3170 - msleep(1);
3171 -
3172 -- if (new_tx_count != adapter->tx_ring->count) {
3173 -+ temp_tx_ring = kcalloc(adapter->num_tx_queues,
3174 -+ sizeof(struct ixgbe_ring), GFP_KERNEL);
3175 -+ if (!temp_tx_ring) {
3176 -+ err = -ENOMEM;
3177 -+ goto err_setup;
3178 -+ }
3179 -+
3180 -+ if (new_tx_count != adapter->tx_ring_count) {
3181 -+ memcpy(temp_tx_ring, adapter->tx_ring,
3182 -+ adapter->num_tx_queues * sizeof(struct ixgbe_ring));
3183 - for (i = 0; i < adapter->num_tx_queues; i++) {
3184 -- temp_ring[i].count = new_tx_count;
3185 -- err = ixgbe_setup_tx_resources(adapter, &temp_ring[i]);
3186 -+ temp_tx_ring[i].count = new_tx_count;
3187 -+ err = ixgbe_setup_tx_resources(adapter,
3188 -+ &temp_tx_ring[i]);
3189 - if (err) {
3190 - while (i) {
3191 - i--;
3192 - ixgbe_free_tx_resources(adapter,
3193 -- &temp_ring[i]);
3194 -+ &temp_tx_ring[i]);
3195 - }
3196 - goto err_setup;
3197 - }
3198 -- temp_ring[i].v_idx = adapter->tx_ring[i].v_idx;
3199 -+ temp_tx_ring[i].v_idx = adapter->tx_ring[i].v_idx;
3200 - }
3201 -- if (netif_running(netdev))
3202 -- netdev->netdev_ops->ndo_stop(netdev);
3203 -- ixgbe_reset_interrupt_capability(adapter);
3204 -- ixgbe_napi_del_all(adapter);
3205 -- INIT_LIST_HEAD(&netdev->napi_list);
3206 -- kfree(adapter->tx_ring);
3207 -- adapter->tx_ring = temp_ring;
3208 -- temp_ring = NULL;
3209 -- adapter->tx_ring_count = new_tx_count;
3210 -+ need_update = true;
3211 - }
3212 -
3213 -- temp_ring = kcalloc(adapter->num_rx_queues,
3214 -- sizeof(struct ixgbe_ring), GFP_KERNEL);
3215 -- if (!temp_ring) {
3216 -- if (netif_running(netdev))
3217 -- netdev->netdev_ops->ndo_open(netdev);
3218 -- return -ENOMEM;
3219 -+ temp_rx_ring = kcalloc(adapter->num_rx_queues,
3220 -+ sizeof(struct ixgbe_ring), GFP_KERNEL);
3221 -+ if ((!temp_rx_ring) && (need_update)) {
3222 -+ for (i = 0; i < adapter->num_tx_queues; i++)
3223 -+ ixgbe_free_tx_resources(adapter, &temp_tx_ring[i]);
3224 -+ kfree(temp_tx_ring);
3225 -+ err = -ENOMEM;
3226 -+ goto err_setup;
3227 - }
3228 -
3229 -- if (new_rx_count != adapter->rx_ring->count) {
3230 -+ if (new_rx_count != adapter->rx_ring_count) {
3231 -+ memcpy(temp_rx_ring, adapter->rx_ring,
3232 -+ adapter->num_rx_queues * sizeof(struct ixgbe_ring));
3233 - for (i = 0; i < adapter->num_rx_queues; i++) {
3234 -- temp_ring[i].count = new_rx_count;
3235 -- err = ixgbe_setup_rx_resources(adapter, &temp_ring[i]);
3236 -+ temp_rx_ring[i].count = new_rx_count;
3237 -+ err = ixgbe_setup_rx_resources(adapter,
3238 -+ &temp_rx_ring[i]);
3239 - if (err) {
3240 - while (i) {
3241 - i--;
3242 - ixgbe_free_rx_resources(adapter,
3243 -- &temp_ring[i]);
3244 -+ &temp_rx_ring[i]);
3245 - }
3246 - goto err_setup;
3247 - }
3248 -- temp_ring[i].v_idx = adapter->rx_ring[i].v_idx;
3249 -+ temp_rx_ring[i].v_idx = adapter->rx_ring[i].v_idx;
3250 - }
3251 -+ need_update = true;
3252 -+ }
3253 -+
3254 -+ /* if rings need to be updated, here's the place to do it in one shot */
3255 -+ if (need_update) {
3256 - if (netif_running(netdev))
3257 -- netdev->netdev_ops->ndo_stop(netdev);
3258 -- ixgbe_reset_interrupt_capability(adapter);
3259 -- ixgbe_napi_del_all(adapter);
3260 -- INIT_LIST_HEAD(&netdev->napi_list);
3261 -- kfree(adapter->rx_ring);
3262 -- adapter->rx_ring = temp_ring;
3263 -- temp_ring = NULL;
3264 --
3265 -- adapter->rx_ring_count = new_rx_count;
3266 -+ ixgbe_down(adapter);
3267 -+
3268 -+ /* tx */
3269 -+ if (new_tx_count != adapter->tx_ring_count) {
3270 -+ kfree(adapter->tx_ring);
3271 -+ adapter->tx_ring = temp_tx_ring;
3272 -+ temp_tx_ring = NULL;
3273 -+ adapter->tx_ring_count = new_tx_count;
3274 -+ }
3275 -+
3276 -+ /* rx */
3277 -+ if (new_rx_count != adapter->rx_ring_count) {
3278 -+ kfree(adapter->rx_ring);
3279 -+ adapter->rx_ring = temp_rx_ring;
3280 -+ temp_rx_ring = NULL;
3281 -+ adapter->rx_ring_count = new_rx_count;
3282 -+ }
3283 - }
3284 -
3285 - /* success! */
3286 - err = 0;
3287 --err_setup:
3288 -- ixgbe_init_interrupt_scheme(adapter);
3289 - if (netif_running(netdev))
3290 -- netdev->netdev_ops->ndo_open(netdev);
3291 -+ ixgbe_up(adapter);
3292 -
3293 -+err_setup:
3294 - clear_bit(__IXGBE_RESETTING, &adapter->state);
3295 - return err;
3296 - }
3297 -diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
3298 -index 43fedb9..9201e5a 100644
3299 ---- a/drivers/net/r8169.c
3300 -+++ b/drivers/net/r8169.c
3301 -@@ -2075,8 +2075,7 @@ rtl8169_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
3302 - if (!tp->pcie_cap && netif_msg_probe(tp))
3303 - dev_info(&pdev->dev, "no PCI Express capability\n");
3304 -
3305 -- /* Unneeded ? Don't mess with Mrs. Murphy. */
3306 -- rtl8169_irq_mask_and_ack(ioaddr);
3307 -+ RTL_W16(IntrMask, 0x0000);
3308 -
3309 - /* Soft reset the chip. */
3310 - RTL_W8(ChipCmd, CmdReset);
3311 -@@ -2088,6 +2087,8 @@ rtl8169_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
3312 - msleep_interruptible(1);
3313 - }
3314 -
3315 -+ RTL_W16(IntrStatus, 0xffff);
3316 -+
3317 - /* Identify chip attached to board */
3318 - rtl8169_get_mac_version(tp, ioaddr);
3319 -
3320 -diff --git a/drivers/net/sfc/efx.c b/drivers/net/sfc/efx.c
3321 -index ab0e09b..655e9b2 100644
3322 ---- a/drivers/net/sfc/efx.c
3323 -+++ b/drivers/net/sfc/efx.c
3324 -@@ -424,10 +424,6 @@ static void efx_start_channel(struct efx_channel *channel)
3325 -
3326 - EFX_LOG(channel->efx, "starting chan %d\n", channel->channel);
3327 -
3328 -- if (!(channel->efx->net_dev->flags & IFF_UP))
3329 -- netif_napi_add(channel->napi_dev, &channel->napi_str,
3330 -- efx_poll, napi_weight);
3331 --
3332 - /* The interrupt handler for this channel may set work_pending
3333 - * as soon as we enable it. Make sure it's cleared before
3334 - * then. Similarly, make sure it sees the enabled flag set. */
3335 -@@ -1273,6 +1269,8 @@ static int efx_init_napi(struct efx_nic *efx)
3336 -
3337 - efx_for_each_channel(channel, efx) {
3338 - channel->napi_dev = efx->net_dev;
3339 -+ netif_napi_add(channel->napi_dev, &channel->napi_str,
3340 -+ efx_poll, napi_weight);
3341 - rc = efx_lro_init(&channel->lro_mgr, efx);
3342 - if (rc)
3343 - goto err;
3344 -@@ -1289,6 +1287,8 @@ static void efx_fini_napi(struct efx_nic *efx)
3345 -
3346 - efx_for_each_channel(channel, efx) {
3347 - efx_lro_fini(&channel->lro_mgr);
3348 -+ if (channel->napi_dev)
3349 -+ netif_napi_del(&channel->napi_str);
3350 - channel->napi_dev = NULL;
3351 - }
3352 - }
3353 -diff --git a/drivers/net/skge.c b/drivers/net/skge.c
3354 -index c9dbb06..2bbb44b 100644
3355 ---- a/drivers/net/skge.c
3356 -+++ b/drivers/net/skge.c
3357 -@@ -2674,7 +2674,7 @@ static int skge_down(struct net_device *dev)
3358 - if (netif_msg_ifdown(skge))
3359 - printk(KERN_INFO PFX "%s: disabling interface\n", dev->name);
3360 -
3361 -- netif_stop_queue(dev);
3362 -+ netif_tx_disable(dev);
3363 -
3364 - if (hw->chip_id == CHIP_ID_GENESIS && hw->phy_type == SK_PHY_XMAC)
3365 - del_timer_sync(&skge->link_timer);
3366 -@@ -2881,7 +2881,6 @@ static void skge_tx_clean(struct net_device *dev)
3367 - }
3368 -
3369 - skge->tx_ring.to_clean = e;
3370 -- netif_wake_queue(dev);
3371 - }
3372 -
3373 - static void skge_tx_timeout(struct net_device *dev)
3374 -@@ -2893,6 +2892,7 @@ static void skge_tx_timeout(struct net_device *dev)
3375 -
3376 - skge_write8(skge->hw, Q_ADDR(txqaddr[skge->port], Q_CSR), CSR_STOP);
3377 - skge_tx_clean(dev);
3378 -+ netif_wake_queue(dev);
3379 - }
3380 -
3381 - static int skge_change_mtu(struct net_device *dev, int new_mtu)
3382 -diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
3383 -index 39ecf3b..820fdb2 100644
3384 ---- a/drivers/net/wireless/rt2x00/rt2x00.h
3385 -+++ b/drivers/net/wireless/rt2x00/rt2x00.h
3386 -@@ -687,8 +687,7 @@ struct rt2x00_dev {
3387 - */
3388 - #ifdef CONFIG_RT2X00_LIB_RFKILL
3389 - unsigned long rfkill_state;
3390 --#define RFKILL_STATE_ALLOCATED 1
3391 --#define RFKILL_STATE_REGISTERED 2
3392 -+#define RFKILL_STATE_REGISTERED 1
3393 - struct rfkill *rfkill;
3394 - struct delayed_work rfkill_work;
3395 - #endif /* CONFIG_RT2X00_LIB_RFKILL */
3396 -diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
3397 -index 87c0f2c..e694bb7 100644
3398 ---- a/drivers/net/wireless/rt2x00/rt2x00dev.c
3399 -+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
3400 -@@ -1105,7 +1105,6 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev)
3401 - * Register extra components.
3402 - */
3403 - rt2x00leds_register(rt2x00dev);
3404 -- rt2x00rfkill_allocate(rt2x00dev);
3405 - rt2x00debug_register(rt2x00dev);
3406 -
3407 - set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
3408 -@@ -1137,7 +1136,6 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
3409 - * Free extra components
3410 - */
3411 - rt2x00debug_deregister(rt2x00dev);
3412 -- rt2x00rfkill_free(rt2x00dev);
3413 - rt2x00leds_unregister(rt2x00dev);
3414 -
3415 - /*
3416 -diff --git a/drivers/net/wireless/rt2x00/rt2x00lib.h b/drivers/net/wireless/rt2x00/rt2x00lib.h
3417 -index 86cd26f..49309d4 100644
3418 ---- a/drivers/net/wireless/rt2x00/rt2x00lib.h
3419 -+++ b/drivers/net/wireless/rt2x00/rt2x00lib.h
3420 -@@ -260,8 +260,6 @@ static inline void rt2x00crypto_rx_insert_iv(struct sk_buff *skb,
3421 - #ifdef CONFIG_RT2X00_LIB_RFKILL
3422 - void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev);
3423 - void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev);
3424 --void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev);
3425 --void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev);
3426 - #else
3427 - static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
3428 - {
3429 -@@ -270,14 +268,6 @@ static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
3430 - static inline void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
3431 - {
3432 - }
3433 --
3434 --static inline void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
3435 --{
3436 --}
3437 --
3438 --static inline void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
3439 --{
3440 --}
3441 - #endif /* CONFIG_RT2X00_LIB_RFKILL */
3442 -
3443 - /*
3444 -diff --git a/drivers/net/wireless/rt2x00/rt2x00rfkill.c b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
3445 -index 3298cae..08ffc6d 100644
3446 ---- a/drivers/net/wireless/rt2x00/rt2x00rfkill.c
3447 -+++ b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
3448 -@@ -94,14 +94,50 @@ static void rt2x00rfkill_poll(struct work_struct *work)
3449 - &rt2x00dev->rfkill_work, RFKILL_POLL_INTERVAL);
3450 - }
3451 -
3452 -+static int rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
3453 -+{
3454 -+ struct device *dev = wiphy_dev(rt2x00dev->hw->wiphy);
3455 -+
3456 -+ rt2x00dev->rfkill = rfkill_allocate(dev, RFKILL_TYPE_WLAN);
3457 -+ if (!rt2x00dev->rfkill)
3458 -+ return -ENOMEM;
3459 -+
3460 -+ rt2x00dev->rfkill->name = rt2x00dev->ops->name;
3461 -+ rt2x00dev->rfkill->data = rt2x00dev;
3462 -+ rt2x00dev->rfkill->toggle_radio = rt2x00rfkill_toggle_radio;
3463 -+ if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
3464 -+ rt2x00dev->rfkill->get_state = rt2x00rfkill_get_state;
3465 -+ rt2x00dev->rfkill->state =
3466 -+ rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
3467 -+ RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
3468 -+ } else {
3469 -+ rt2x00dev->rfkill->state = RFKILL_STATE_UNBLOCKED;
3470 -+ }
3471 -+
3472 -+ INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
3473 -+
3474 -+ return 0;
3475 -+}
3476 -+
3477 -+static void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
3478 -+{
3479 -+ rfkill_free(rt2x00dev->rfkill);
3480 -+ rt2x00dev->rfkill = NULL;
3481 -+}
3482 -+
3483 - void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
3484 - {
3485 -- if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
3486 -- test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
3487 -+ if (test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
3488 -+ return;
3489 -+
3490 -+ if (rt2x00rfkill_allocate(rt2x00dev)) {
3491 -+ ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
3492 - return;
3493 -+ }
3494 -
3495 - if (rfkill_register(rt2x00dev->rfkill)) {
3496 - ERROR(rt2x00dev, "Failed to register rfkill handler.\n");
3497 -+ rt2x00rfkill_free(rt2x00dev);
3498 - return;
3499 - }
3500 -
3501 -@@ -117,8 +153,7 @@ void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
3502 -
3503 - void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
3504 - {
3505 -- if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
3506 -- !test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
3507 -+ if (!test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
3508 - return;
3509 -
3510 - cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
3511 -@@ -127,46 +162,3 @@ void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
3512 -
3513 - __clear_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state);
3514 - }
3515 --
3516 --void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
3517 --{
3518 -- struct device *dev = wiphy_dev(rt2x00dev->hw->wiphy);
3519 --
3520 -- if (test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
3521 -- return;
3522 --
3523 -- rt2x00dev->rfkill = rfkill_allocate(dev, RFKILL_TYPE_WLAN);
3524 -- if (!rt2x00dev->rfkill) {
3525 -- ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
3526 -- return;
3527 -- }
3528 --
3529 -- __set_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state);
3530 --
3531 -- rt2x00dev->rfkill->name = rt2x00dev->ops->name;
3532 -- rt2x00dev->rfkill->data = rt2x00dev;
3533 -- rt2x00dev->rfkill->toggle_radio = rt2x00rfkill_toggle_radio;
3534 -- if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
3535 -- rt2x00dev->rfkill->get_state = rt2x00rfkill_get_state;
3536 -- rt2x00dev->rfkill->state =
3537 -- rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
3538 -- RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
3539 -- } else {
3540 -- rt2x00dev->rfkill->state = RFKILL_STATE_UNBLOCKED;
3541 -- }
3542 --
3543 -- INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
3544 --
3545 -- return;
3546 --}
3547 --
3548 --void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
3549 --{
3550 -- if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
3551 -- return;
3552 --
3553 -- cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
3554 --
3555 -- rfkill_free(rt2x00dev->rfkill);
3556 -- rt2x00dev->rfkill = NULL;
3557 --}
3558 -diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
3559 -index 55ec44a..31cfd86 100644
3560 ---- a/drivers/pci/probe.c
3561 -+++ b/drivers/pci/probe.c
3562 -@@ -847,6 +847,11 @@ int pci_cfg_space_size(struct pci_dev *dev)
3563 - {
3564 - int pos;
3565 - u32 status;
3566 -+ u16 class;
3567 -+
3568 -+ class = dev->class >> 8;
3569 -+ if (class == PCI_CLASS_BRIDGE_HOST)
3570 -+ return pci_cfg_space_size_ext(dev);
3571 -
3572 - pos = pci_find_capability(dev, PCI_CAP_ID_EXP);
3573 - if (!pos) {
3574 -@@ -936,7 +941,6 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
3575 - dev->multifunction = !!(hdr_type & 0x80);
3576 - dev->vendor = l & 0xffff;
3577 - dev->device = (l >> 16) & 0xffff;
3578 -- dev->cfg_size = pci_cfg_space_size(dev);
3579 - dev->error_state = pci_channel_io_normal;
3580 - set_pcie_port_type(dev);
3581 -
3582 -@@ -952,6 +956,9 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
3583 - return NULL;
3584 - }
3585 -
3586 -+ /* need to have dev->class ready */
3587 -+ dev->cfg_size = pci_cfg_space_size(dev);
3588 -+
3589 - return dev;
3590 - }
3591 -
3592 -diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
3593 -index a6a42e8..60fbef2 100644
3594 ---- a/drivers/platform/x86/acer-wmi.c
3595 -+++ b/drivers/platform/x86/acer-wmi.c
3596 -@@ -225,6 +225,25 @@ static struct quirk_entry quirk_fujitsu_amilo_li_1718 = {
3597 - .wireless = 2,
3598 - };
3599 -
3600 -+/* The Aspire One has a dummy ACPI-WMI interface - disable it */
3601 -+static struct dmi_system_id __devinitdata acer_blacklist[] = {
3602 -+ {
3603 -+ .ident = "Acer Aspire One (SSD)",
3604 -+ .matches = {
3605 -+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
3606 -+ DMI_MATCH(DMI_PRODUCT_NAME, "AOA110"),
3607 -+ },
3608 -+ },
3609 -+ {
3610 -+ .ident = "Acer Aspire One (HDD)",
3611 -+ .matches = {
3612 -+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
3613 -+ DMI_MATCH(DMI_PRODUCT_NAME, "AOA150"),
3614 -+ },
3615 -+ },
3616 -+ {}
3617 -+};
3618 -+
3619 - static struct dmi_system_id acer_quirks[] = {
3620 - {
3621 - .callback = dmi_matched,
3622 -@@ -1254,6 +1273,12 @@ static int __init acer_wmi_init(void)
3623 -
3624 - printk(ACER_INFO "Acer Laptop ACPI-WMI Extras\n");
3625 -
3626 -+ if (dmi_check_system(acer_blacklist)) {
3627 -+ printk(ACER_INFO "Blacklisted hardware detected - "
3628 -+ "not loading\n");
3629 -+ return -ENODEV;
3630 -+ }
3631 -+
3632 - find_quirks();
3633 -
3634 - /*
3635 -diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
3636 -index 809d32d..ca4467c 100644
3637 ---- a/drivers/scsi/libiscsi.c
3638 -+++ b/drivers/scsi/libiscsi.c
3639 -@@ -1944,12 +1944,14 @@ iscsi_pool_init(struct iscsi_pool *q, int max, void ***items, int item_size)
3640 - num_arrays++;
3641 - q->pool = kzalloc(num_arrays * max * sizeof(void*), GFP_KERNEL);
3642 - if (q->pool == NULL)
3643 -- goto enomem;
3644 -+ return -ENOMEM;
3645 -
3646 - q->queue = kfifo_init((void*)q->pool, max * sizeof(void*),
3647 - GFP_KERNEL, NULL);
3648 -- if (q->queue == ERR_PTR(-ENOMEM))
3649 -+ if (IS_ERR(q->queue)) {
3650 -+ q->queue = NULL;
3651 - goto enomem;
3652 -+ }
3653 -
3654 - for (i = 0; i < max; i++) {
3655 - q->pool[i] = kzalloc(item_size, GFP_KERNEL);
3656 -@@ -1979,8 +1981,7 @@ void iscsi_pool_free(struct iscsi_pool *q)
3657 -
3658 - for (i = 0; i < q->max; i++)
3659 - kfree(q->pool[i]);
3660 -- if (q->pool)
3661 -- kfree(q->pool);
3662 -+ kfree(q->pool);
3663 - kfree(q->queue);
3664 - }
3665 - EXPORT_SYMBOL_GPL(iscsi_pool_free);
3666 -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
3667 -index 516925d..5e390d2 100644
3668 ---- a/drivers/scsi/sg.c
3669 -+++ b/drivers/scsi/sg.c
3670 -@@ -101,6 +101,7 @@ static int scatter_elem_sz_prev = SG_SCATTER_SZ;
3671 - #define SG_SECTOR_MSK (SG_SECTOR_SZ - 1)
3672 -
3673 - static int sg_add(struct device *, struct class_interface *);
3674 -+static void sg_device_destroy(struct kref *kref);
3675 - static void sg_remove(struct device *, struct class_interface *);
3676 -
3677 - static DEFINE_IDR(sg_index_idr);
3678 -@@ -137,6 +138,7 @@ typedef struct sg_request { /* SG_MAX_QUEUE requests outstanding per file */
3679 - volatile char done; /* 0->before bh, 1->before read, 2->read */
3680 - struct request *rq;
3681 - struct bio *bio;
3682 -+ struct execute_work ew;
3683 - } Sg_request;
3684 -
3685 - typedef struct sg_fd { /* holds the state of a file descriptor */
3686 -@@ -158,6 +160,8 @@ typedef struct sg_fd { /* holds the state of a file descriptor */
3687 - char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */
3688 - char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
3689 - char mmap_called; /* 0 -> mmap() never called on this fd */
3690 -+ struct kref f_ref;
3691 -+ struct execute_work ew;
3692 - } Sg_fd;
3693 -
3694 - typedef struct sg_device { /* holds the state of each scsi generic device */
3695 -@@ -171,6 +175,7 @@ typedef struct sg_device { /* holds the state of each scsi generic device */
3696 - char sgdebug; /* 0->off, 1->sense, 9->dump dev, 10-> all devs */
3697 - struct gendisk *disk;
3698 - struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg<n>] */
3699 -+ struct kref d_ref;
3700 - } Sg_device;
3701 -
3702 - static int sg_fasync(int fd, struct file *filp, int mode);
3703 -@@ -185,7 +190,7 @@ static ssize_t sg_new_read(Sg_fd * sfp, char __user *buf, size_t count,
3704 - Sg_request * srp);
3705 - static ssize_t sg_new_write(Sg_fd *sfp, struct file *file,
3706 - const char __user *buf, size_t count, int blocking,
3707 -- int read_only, Sg_request **o_srp);
3708 -+ int read_only, int sg_io_owned, Sg_request **o_srp);
3709 - static int sg_common_write(Sg_fd * sfp, Sg_request * srp,
3710 - unsigned char *cmnd, int timeout, int blocking);
3711 - static int sg_read_oxfer(Sg_request * srp, char __user *outp, int num_read_xfer);
3712 -@@ -194,13 +199,14 @@ static void sg_build_reserve(Sg_fd * sfp, int req_size);
3713 - static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size);
3714 - static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp);
3715 - static Sg_fd *sg_add_sfp(Sg_device * sdp, int dev);
3716 --static int sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp);
3717 --static void __sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp);
3718 -+static void sg_remove_sfp(struct kref *);
3719 - static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
3720 - static Sg_request *sg_add_request(Sg_fd * sfp);
3721 - static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
3722 - static int sg_res_in_use(Sg_fd * sfp);
3723 -+static Sg_device *sg_lookup_dev(int dev);
3724 - static Sg_device *sg_get_dev(int dev);
3725 -+static void sg_put_dev(Sg_device *sdp);
3726 - #ifdef CONFIG_SCSI_PROC_FS
3727 - static int sg_last_dev(void);
3728 - #endif
3729 -@@ -237,22 +243,17 @@ sg_open(struct inode *inode, struct file *filp)
3730 - nonseekable_open(inode, filp);
3731 - SCSI_LOG_TIMEOUT(3, printk("sg_open: dev=%d, flags=0x%x\n", dev, flags));
3732 - sdp = sg_get_dev(dev);
3733 -- if ((!sdp) || (!sdp->device)) {
3734 -- unlock_kernel();
3735 -- return -ENXIO;
3736 -- }
3737 -- if (sdp->detached) {
3738 -- unlock_kernel();
3739 -- return -ENODEV;
3740 -+ if (IS_ERR(sdp)) {
3741 -+ retval = PTR_ERR(sdp);
3742 -+ sdp = NULL;
3743 -+ goto sg_put;
3744 - }
3745 -
3746 - /* This driver's module count bumped by fops_get in <linux/fs.h> */
3747 - /* Prevent the device driver from vanishing while we sleep */
3748 - retval = scsi_device_get(sdp->device);
3749 -- if (retval) {
3750 -- unlock_kernel();
3751 -- return retval;
3752 -- }
3753 -+ if (retval)
3754 -+ goto sg_put;
3755 -
3756 - if (!((flags & O_NONBLOCK) ||
3757 - scsi_block_when_processing_errors(sdp->device))) {
3758 -@@ -303,16 +304,20 @@ sg_open(struct inode *inode, struct file *filp)
3759 - if ((sfp = sg_add_sfp(sdp, dev)))
3760 - filp->private_data = sfp;
3761 - else {
3762 -- if (flags & O_EXCL)
3763 -+ if (flags & O_EXCL) {
3764 - sdp->exclude = 0; /* undo if error */
3765 -+ wake_up_interruptible(&sdp->o_excl_wait);
3766 -+ }
3767 - retval = -ENOMEM;
3768 - goto error_out;
3769 - }
3770 -- unlock_kernel();
3771 -- return 0;
3772 --
3773 -- error_out:
3774 -- scsi_device_put(sdp->device);
3775 -+ retval = 0;
3776 -+error_out:
3777 -+ if (retval)
3778 -+ scsi_device_put(sdp->device);
3779 -+sg_put:
3780 -+ if (sdp)
3781 -+ sg_put_dev(sdp);
3782 - unlock_kernel();
3783 - return retval;
3784 - }
3785 -@@ -327,13 +332,13 @@ sg_release(struct inode *inode, struct file *filp)
3786 - if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
3787 - return -ENXIO;
3788 - SCSI_LOG_TIMEOUT(3, printk("sg_release: %s\n", sdp->disk->disk_name));
3789 -- if (0 == sg_remove_sfp(sdp, sfp)) { /* Returns 1 when sdp gone */
3790 -- if (!sdp->detached) {
3791 -- scsi_device_put(sdp->device);
3792 -- }
3793 -- sdp->exclude = 0;
3794 -- wake_up_interruptible(&sdp->o_excl_wait);
3795 -- }
3796 -+
3797 -+ sfp->closed = 1;
3798 -+
3799 -+ sdp->exclude = 0;
3800 -+ wake_up_interruptible(&sdp->o_excl_wait);
3801 -+
3802 -+ kref_put(&sfp->f_ref, sg_remove_sfp);
3803 - return 0;
3804 - }
3805 -
3806 -@@ -557,7 +562,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
3807 - return -EFAULT;
3808 - blocking = !(filp->f_flags & O_NONBLOCK);
3809 - if (old_hdr.reply_len < 0)
3810 -- return sg_new_write(sfp, filp, buf, count, blocking, 0, NULL);
3811 -+ return sg_new_write(sfp, filp, buf, count,
3812 -+ blocking, 0, 0, NULL);
3813 - if (count < (SZ_SG_HEADER + 6))
3814 - return -EIO; /* The minimum scsi command length is 6 bytes. */
3815 -
3816 -@@ -638,7 +644,7 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
3817 -
3818 - static ssize_t
3819 - sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
3820 -- size_t count, int blocking, int read_only,
3821 -+ size_t count, int blocking, int read_only, int sg_io_owned,
3822 - Sg_request **o_srp)
3823 - {
3824 - int k;
3825 -@@ -658,6 +664,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
3826 - SCSI_LOG_TIMEOUT(1, printk("sg_new_write: queue full\n"));
3827 - return -EDOM;
3828 - }
3829 -+ srp->sg_io_owned = sg_io_owned;
3830 - hp = &srp->header;
3831 - if (__copy_from_user(hp, buf, SZ_SG_IO_HDR)) {
3832 - sg_remove_request(sfp, srp);
3833 -@@ -755,24 +762,13 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
3834 - hp->duration = jiffies_to_msecs(jiffies);
3835 -
3836 - srp->rq->timeout = timeout;
3837 -+ kref_get(&sfp->f_ref); /* sg_rq_end_io() does kref_put(). */
3838 - blk_execute_rq_nowait(sdp->device->request_queue, sdp->disk,
3839 - srp->rq, 1, sg_rq_end_io);
3840 - return 0;
3841 - }
3842 -
3843 - static int
3844 --sg_srp_done(Sg_request *srp, Sg_fd *sfp)
3845 --{
3846 -- unsigned long iflags;
3847 -- int done;
3848 --
3849 -- read_lock_irqsave(&sfp->rq_list_lock, iflags);
3850 -- done = srp->done;
3851 -- read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
3852 -- return done;
3853 --}
3854 --
3855 --static int
3856 - sg_ioctl(struct inode *inode, struct file *filp,
3857 - unsigned int cmd_in, unsigned long arg)
3858 - {
3859 -@@ -804,27 +800,26 @@ sg_ioctl(struct inode *inode, struct file *filp,
3860 - return -EFAULT;
3861 - result =
3862 - sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
3863 -- blocking, read_only, &srp);
3864 -+ blocking, read_only, 1, &srp);
3865 - if (result < 0)
3866 - return result;
3867 -- srp->sg_io_owned = 1;
3868 - while (1) {
3869 - result = 0; /* following macro to beat race condition */
3870 - __wait_event_interruptible(sfp->read_wait,
3871 -- (sdp->detached || sfp->closed || sg_srp_done(srp, sfp)),
3872 -- result);
3873 -+ (srp->done || sdp->detached),
3874 -+ result);
3875 - if (sdp->detached)
3876 - return -ENODEV;
3877 -- if (sfp->closed)
3878 -- return 0; /* request packet dropped already */
3879 -- if (0 == result)
3880 -+ write_lock_irq(&sfp->rq_list_lock);
3881 -+ if (srp->done) {
3882 -+ srp->done = 2;
3883 -+ write_unlock_irq(&sfp->rq_list_lock);
3884 - break;
3885 -+ }
3886 - srp->orphan = 1;
3887 -+ write_unlock_irq(&sfp->rq_list_lock);
3888 - return result; /* -ERESTARTSYS because signal hit process */
3889 - }
3890 -- write_lock_irqsave(&sfp->rq_list_lock, iflags);
3891 -- srp->done = 2;
3892 -- write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
3893 - result = sg_new_read(sfp, p, SZ_SG_IO_HDR, srp);
3894 - return (result < 0) ? result : 0;
3895 - }
3896 -@@ -1240,6 +1235,15 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
3897 - return 0;
3898 - }
3899 -
3900 -+static void sg_rq_end_io_usercontext(struct work_struct *work)
3901 -+{
3902 -+ struct sg_request *srp = container_of(work, struct sg_request, ew.work);
3903 -+ struct sg_fd *sfp = srp->parentfp;
3904 -+
3905 -+ sg_finish_rem_req(srp);
3906 -+ kref_put(&sfp->f_ref, sg_remove_sfp);
3907 -+}
3908 -+
3909 - /*
3910 - * This function is a "bottom half" handler that is called by the mid
3911 - * level when a command is completed (or has failed).
3912 -@@ -1247,24 +1251,23 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
3913 - static void sg_rq_end_io(struct request *rq, int uptodate)
3914 - {
3915 - struct sg_request *srp = rq->end_io_data;
3916 -- Sg_device *sdp = NULL;
3917 -+ Sg_device *sdp;
3918 - Sg_fd *sfp;
3919 - unsigned long iflags;
3920 - unsigned int ms;
3921 - char *sense;
3922 -- int result, resid;
3923 -+ int result, resid, done = 1;
3924 -
3925 -- if (NULL == srp) {
3926 -- printk(KERN_ERR "sg_cmd_done: NULL request\n");
3927 -+ if (WARN_ON(srp->done != 0))
3928 - return;
3929 -- }
3930 -+
3931 - sfp = srp->parentfp;
3932 -- if (sfp)
3933 -- sdp = sfp->parentdp;
3934 -- if ((NULL == sdp) || sdp->detached) {
3935 -- printk(KERN_INFO "sg_cmd_done: device detached\n");
3936 -+ if (WARN_ON(sfp == NULL))
3937 - return;
3938 -- }
3939 -+
3940 -+ sdp = sfp->parentdp;
3941 -+ if (unlikely(sdp->detached))
3942 -+ printk(KERN_INFO "sg_rq_end_io: device detached\n");
3943 -
3944 - sense = rq->sense;
3945 - result = rq->errors;
3946 -@@ -1303,32 +1306,26 @@ static void sg_rq_end_io(struct request *rq, int uptodate)
3947 - }
3948 - /* Rely on write phase to clean out srp status values, so no "else" */
3949 -
3950 -- if (sfp->closed) { /* whoops this fd already released, cleanup */
3951 -- SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, freeing ...\n"));
3952 -- sg_finish_rem_req(srp);
3953 -- srp = NULL;
3954 -- if (NULL == sfp->headrp) {
3955 -- SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, final cleanup\n"));
3956 -- if (0 == sg_remove_sfp(sdp, sfp)) { /* device still present */
3957 -- scsi_device_put(sdp->device);
3958 -- }
3959 -- sfp = NULL;
3960 -- }
3961 -- } else if (srp && srp->orphan) {
3962 -+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
3963 -+ if (unlikely(srp->orphan)) {
3964 - if (sfp->keep_orphan)
3965 - srp->sg_io_owned = 0;
3966 -- else {
3967 -- sg_finish_rem_req(srp);
3968 -- srp = NULL;
3969 -- }
3970 -+ else
3971 -+ done = 0;
3972 - }
3973 -- if (sfp && srp) {
3974 -- /* Now wake up any sg_read() that is waiting for this packet. */
3975 -- kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
3976 -- write_lock_irqsave(&sfp->rq_list_lock, iflags);
3977 -- srp->done = 1;
3978 -+ srp->done = done;
3979 -+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
3980 -+
3981 -+ if (likely(done)) {
3982 -+ /* Now wake up any sg_read() that is waiting for this
3983 -+ * packet.
3984 -+ */
3985 - wake_up_interruptible(&sfp->read_wait);
3986 -- write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
3987 -+ kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
3988 -+ kref_put(&sfp->f_ref, sg_remove_sfp);
3989 -+ } else {
3990 -+ INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
3991 -+ schedule_work(&srp->ew.work);
3992 - }
3993 - }
3994 -
3995 -@@ -1364,17 +1361,18 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
3996 - printk(KERN_WARNING "kmalloc Sg_device failure\n");
3997 - return ERR_PTR(-ENOMEM);
3998 - }
3999 -- error = -ENOMEM;
4000 -+
4001 - if (!idr_pre_get(&sg_index_idr, GFP_KERNEL)) {
4002 - printk(KERN_WARNING "idr expansion Sg_device failure\n");
4003 -+ error = -ENOMEM;
4004 - goto out;
4005 - }
4006 -
4007 - write_lock_irqsave(&sg_index_lock, iflags);
4008 -- error = idr_get_new(&sg_index_idr, sdp, &k);
4009 -- write_unlock_irqrestore(&sg_index_lock, iflags);
4010 -
4011 -+ error = idr_get_new(&sg_index_idr, sdp, &k);
4012 - if (error) {
4013 -+ write_unlock_irqrestore(&sg_index_lock, iflags);
4014 - printk(KERN_WARNING "idr allocation Sg_device failure: %d\n",
4015 - error);
4016 - goto out;
4017 -@@ -1391,6 +1389,9 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
4018 - init_waitqueue_head(&sdp->o_excl_wait);
4019 - sdp->sg_tablesize = min(q->max_hw_segments, q->max_phys_segments);
4020 - sdp->index = k;
4021 -+ kref_init(&sdp->d_ref);
4022 -+
4023 -+ write_unlock_irqrestore(&sg_index_lock, iflags);
4024 -
4025 - error = 0;
4026 - out:
4027 -@@ -1401,6 +1402,8 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
4028 - return sdp;
4029 -
4030 - overflow:
4031 -+ idr_remove(&sg_index_idr, k);
4032 -+ write_unlock_irqrestore(&sg_index_lock, iflags);
4033 - sdev_printk(KERN_WARNING, scsidp,
4034 - "Unable to attach sg device type=%d, minor "
4035 - "number exceeds %d\n", scsidp->type, SG_MAX_DEVS - 1);
4036 -@@ -1488,49 +1491,46 @@ out:
4037 - return error;
4038 - }
4039 -
4040 --static void
4041 --sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
4042 -+static void sg_device_destroy(struct kref *kref)
4043 -+{
4044 -+ struct sg_device *sdp = container_of(kref, struct sg_device, d_ref);
4045 -+ unsigned long flags;
4046 -+
4047 -+ /* CAUTION! Note that the device can still be found via idr_find()
4048 -+ * even though the refcount is 0. Therefore, do idr_remove() BEFORE
4049 -+ * any other cleanup.
4050 -+ */
4051 -+
4052 -+ write_lock_irqsave(&sg_index_lock, flags);
4053 -+ idr_remove(&sg_index_idr, sdp->index);
4054 -+ write_unlock_irqrestore(&sg_index_lock, flags);
4055 -+
4056 -+ SCSI_LOG_TIMEOUT(3,
4057 -+ printk("sg_device_destroy: %s\n",
4058 -+ sdp->disk->disk_name));
4059 -+
4060 -+ put_disk(sdp->disk);
4061 -+ kfree(sdp);
4062 -+}
4063 -+
4064 -+static void sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
4065 - {
4066 - struct scsi_device *scsidp = to_scsi_device(cl_dev->parent);
4067 - Sg_device *sdp = dev_get_drvdata(cl_dev);
4068 - unsigned long iflags;
4069 - Sg_fd *sfp;
4070 -- Sg_fd *tsfp;
4071 -- Sg_request *srp;
4072 -- Sg_request *tsrp;
4073 -- int delay;
4074 -
4075 -- if (!sdp)
4076 -+ if (!sdp || sdp->detached)
4077 - return;
4078 -
4079 -- delay = 0;
4080 -+ SCSI_LOG_TIMEOUT(3, printk("sg_remove: %s\n", sdp->disk->disk_name));
4081 -+
4082 -+ /* Need a write lock to set sdp->detached. */
4083 - write_lock_irqsave(&sg_index_lock, iflags);
4084 -- if (sdp->headfp) {
4085 -- sdp->detached = 1;
4086 -- for (sfp = sdp->headfp; sfp; sfp = tsfp) {
4087 -- tsfp = sfp->nextfp;
4088 -- for (srp = sfp->headrp; srp; srp = tsrp) {
4089 -- tsrp = srp->nextrp;
4090 -- if (sfp->closed || (0 == sg_srp_done(srp, sfp)))
4091 -- sg_finish_rem_req(srp);
4092 -- }
4093 -- if (sfp->closed) {
4094 -- scsi_device_put(sdp->device);
4095 -- __sg_remove_sfp(sdp, sfp);
4096 -- } else {
4097 -- delay = 1;
4098 -- wake_up_interruptible(&sfp->read_wait);
4099 -- kill_fasync(&sfp->async_qp, SIGPOLL,
4100 -- POLL_HUP);
4101 -- }
4102 -- }
4103 -- SCSI_LOG_TIMEOUT(3, printk("sg_remove: dev=%d, dirty\n", sdp->index));
4104 -- if (NULL == sdp->headfp) {
4105 -- idr_remove(&sg_index_idr, sdp->index);
4106 -- }
4107 -- } else { /* nothing active, simple case */
4108 -- SCSI_LOG_TIMEOUT(3, printk("sg_remove: dev=%d\n", sdp->index));
4109 -- idr_remove(&sg_index_idr, sdp->index);
4110 -+ sdp->detached = 1;
4111 -+ for (sfp = sdp->headfp; sfp; sfp = sfp->nextfp) {
4112 -+ wake_up_interruptible(&sfp->read_wait);
4113 -+ kill_fasync(&sfp->async_qp, SIGPOLL, POLL_HUP);
4114 - }
4115 - write_unlock_irqrestore(&sg_index_lock, iflags);
4116 -
4117 -@@ -1538,13 +1538,8 @@ sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
4118 - device_destroy(sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index));
4119 - cdev_del(sdp->cdev);
4120 - sdp->cdev = NULL;
4121 -- put_disk(sdp->disk);
4122 -- sdp->disk = NULL;
4123 -- if (NULL == sdp->headfp)
4124 -- kfree(sdp);
4125 -
4126 -- if (delay)
4127 -- msleep(10); /* dirty detach so delay device destruction */
4128 -+ sg_put_dev(sdp);
4129 - }
4130 -
4131 - module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
4132 -@@ -1673,10 +1668,30 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
4133 - md->null_mapped = hp->dxferp ? 0 : 1;
4134 - }
4135 -
4136 -- if (iov_count)
4137 -- res = blk_rq_map_user_iov(q, rq, md, hp->dxferp, iov_count,
4138 -- hp->dxfer_len, GFP_ATOMIC);
4139 -- else
4140 -+ if (iov_count) {
4141 -+ int len, size = sizeof(struct sg_iovec) * iov_count;
4142 -+ struct iovec *iov;
4143 -+
4144 -+ iov = kmalloc(size, GFP_ATOMIC);
4145 -+ if (!iov)
4146 -+ return -ENOMEM;
4147 -+
4148 -+ if (copy_from_user(iov, hp->dxferp, size)) {
4149 -+ kfree(iov);
4150 -+ return -EFAULT;
4151 -+ }
4152 -+
4153 -+ len = iov_length(iov, iov_count);
4154 -+ if (hp->dxfer_len < len) {
4155 -+ iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
4156 -+ len = hp->dxfer_len;
4157 -+ }
4158 -+
4159 -+ res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
4160 -+ iov_count,
4161 -+ len, GFP_ATOMIC);
4162 -+ kfree(iov);
4163 -+ } else
4164 - res = blk_rq_map_user(q, rq, md, hp->dxferp,
4165 - hp->dxfer_len, GFP_ATOMIC);
4166 -
4167 -@@ -1941,22 +1956,6 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
4168 - return resp;
4169 - }
4170 -
4171 --#ifdef CONFIG_SCSI_PROC_FS
4172 --static Sg_request *
4173 --sg_get_nth_request(Sg_fd * sfp, int nth)
4174 --{
4175 -- Sg_request *resp;
4176 -- unsigned long iflags;
4177 -- int k;
4178 --
4179 -- read_lock_irqsave(&sfp->rq_list_lock, iflags);
4180 -- for (k = 0, resp = sfp->headrp; resp && (k < nth);
4181 -- ++k, resp = resp->nextrp) ;
4182 -- read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
4183 -- return resp;
4184 --}
4185 --#endif
4186 --
4187 - /* always adds to end of list */
4188 - static Sg_request *
4189 - sg_add_request(Sg_fd * sfp)
4190 -@@ -2032,22 +2031,6 @@ sg_remove_request(Sg_fd * sfp, Sg_request * srp)
4191 - return res;
4192 - }
4193 -
4194 --#ifdef CONFIG_SCSI_PROC_FS
4195 --static Sg_fd *
4196 --sg_get_nth_sfp(Sg_device * sdp, int nth)
4197 --{
4198 -- Sg_fd *resp;
4199 -- unsigned long iflags;
4200 -- int k;
4201 --
4202 -- read_lock_irqsave(&sg_index_lock, iflags);
4203 -- for (k = 0, resp = sdp->headfp; resp && (k < nth);
4204 -- ++k, resp = resp->nextfp) ;
4205 -- read_unlock_irqrestore(&sg_index_lock, iflags);
4206 -- return resp;
4207 --}
4208 --#endif
4209 --
4210 - static Sg_fd *
4211 - sg_add_sfp(Sg_device * sdp, int dev)
4212 - {
4213 -@@ -2062,6 +2045,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
4214 - init_waitqueue_head(&sfp->read_wait);
4215 - rwlock_init(&sfp->rq_list_lock);
4216 -
4217 -+ kref_init(&sfp->f_ref);
4218 - sfp->timeout = SG_DEFAULT_TIMEOUT;
4219 - sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
4220 - sfp->force_packid = SG_DEF_FORCE_PACK_ID;
4221 -@@ -2089,15 +2073,54 @@ sg_add_sfp(Sg_device * sdp, int dev)
4222 - sg_build_reserve(sfp, bufflen);
4223 - SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: bufflen=%d, k_use_sg=%d\n",
4224 - sfp->reserve.bufflen, sfp->reserve.k_use_sg));
4225 -+
4226 -+ kref_get(&sdp->d_ref);
4227 -+ __module_get(THIS_MODULE);
4228 - return sfp;
4229 - }
4230 -
4231 --static void
4232 --__sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
4233 -+static void sg_remove_sfp_usercontext(struct work_struct *work)
4234 -+{
4235 -+ struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
4236 -+ struct sg_device *sdp = sfp->parentdp;
4237 -+
4238 -+ /* Cleanup any responses which were never read(). */
4239 -+ while (sfp->headrp)
4240 -+ sg_finish_rem_req(sfp->headrp);
4241 -+
4242 -+ if (sfp->reserve.bufflen > 0) {
4243 -+ SCSI_LOG_TIMEOUT(6,
4244 -+ printk("sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
4245 -+ (int) sfp->reserve.bufflen,
4246 -+ (int) sfp->reserve.k_use_sg));
4247 -+ sg_remove_scat(&sfp->reserve);
4248 -+ }
4249 -+
4250 -+ SCSI_LOG_TIMEOUT(6,
4251 -+ printk("sg_remove_sfp: %s, sfp=0x%p\n",
4252 -+ sdp->disk->disk_name,
4253 -+ sfp));
4254 -+ kfree(sfp);
4255 -+
4256 -+ scsi_device_put(sdp->device);
4257 -+ sg_put_dev(sdp);
4258 -+ module_put(THIS_MODULE);
4259 -+}
4260 -+
4261 -+static void sg_remove_sfp(struct kref *kref)
4262 - {
4263 -+ struct sg_fd *sfp = container_of(kref, struct sg_fd, f_ref);
4264 -+ struct sg_device *sdp = sfp->parentdp;
4265 - Sg_fd *fp;
4266 - Sg_fd *prev_fp;
4267 -+ unsigned long iflags;
4268 -
4269 -+ /* CAUTION! Note that sfp can still be found by walking sdp->headfp
4270 -+ * even though the refcount is now 0. Therefore, unlink sfp from
4271 -+ * sdp->headfp BEFORE doing any other cleanup.
4272 -+ */
4273 -+
4274 -+ write_lock_irqsave(&sg_index_lock, iflags);
4275 - prev_fp = sdp->headfp;
4276 - if (sfp == prev_fp)
4277 - sdp->headfp = prev_fp->nextfp;
4278 -@@ -2110,54 +2133,11 @@ __sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
4279 - prev_fp = fp;
4280 - }
4281 - }
4282 -- if (sfp->reserve.bufflen > 0) {
4283 -- SCSI_LOG_TIMEOUT(6,
4284 -- printk("__sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
4285 -- (int) sfp->reserve.bufflen, (int) sfp->reserve.k_use_sg));
4286 -- sg_remove_scat(&sfp->reserve);
4287 -- }
4288 -- sfp->parentdp = NULL;
4289 -- SCSI_LOG_TIMEOUT(6, printk("__sg_remove_sfp: sfp=0x%p\n", sfp));
4290 -- kfree(sfp);
4291 --}
4292 --
4293 --/* Returns 0 in normal case, 1 when detached and sdp object removed */
4294 --static int
4295 --sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
4296 --{
4297 -- Sg_request *srp;
4298 -- Sg_request *tsrp;
4299 -- int dirty = 0;
4300 -- int res = 0;
4301 --
4302 -- for (srp = sfp->headrp; srp; srp = tsrp) {
4303 -- tsrp = srp->nextrp;
4304 -- if (sg_srp_done(srp, sfp))
4305 -- sg_finish_rem_req(srp);
4306 -- else
4307 -- ++dirty;
4308 -- }
4309 -- if (0 == dirty) {
4310 -- unsigned long iflags;
4311 -+ write_unlock_irqrestore(&sg_index_lock, iflags);
4312 -+ wake_up_interruptible(&sdp->o_excl_wait);
4313 -
4314 -- write_lock_irqsave(&sg_index_lock, iflags);
4315 -- __sg_remove_sfp(sdp, sfp);
4316 -- if (sdp->detached && (NULL == sdp->headfp)) {
4317 -- idr_remove(&sg_index_idr, sdp->index);
4318 -- kfree(sdp);
4319 -- res = 1;
4320 -- }
4321 -- write_unlock_irqrestore(&sg_index_lock, iflags);
4322 -- } else {
4323 -- /* MOD_INC's to inhibit unloading sg and associated adapter driver */
4324 -- /* only bump the access_count if we actually succeeded in
4325 -- * throwing another counter on the host module */
4326 -- scsi_device_get(sdp->device); /* XXX: retval ignored? */
4327 -- sfp->closed = 1; /* flag dirty state on this fd */
4328 -- SCSI_LOG_TIMEOUT(1, printk("sg_remove_sfp: worrisome, %d writes pending\n",
4329 -- dirty));
4330 -- }
4331 -- return res;
4332 -+ INIT_WORK(&sfp->ew.work, sg_remove_sfp_usercontext);
4333 -+ schedule_work(&sfp->ew.work);
4334 - }
4335 -
4336 - static int
4337 -@@ -2199,19 +2179,38 @@ sg_last_dev(void)
4338 - }
4339 - #endif
4340 -
4341 --static Sg_device *
4342 --sg_get_dev(int dev)
4343 -+/* must be called with sg_index_lock held */
4344 -+static Sg_device *sg_lookup_dev(int dev)
4345 - {
4346 -- Sg_device *sdp;
4347 -- unsigned long iflags;
4348 -+ return idr_find(&sg_index_idr, dev);
4349 -+}
4350 -
4351 -- read_lock_irqsave(&sg_index_lock, iflags);
4352 -- sdp = idr_find(&sg_index_idr, dev);
4353 -- read_unlock_irqrestore(&sg_index_lock, iflags);
4354 -+static Sg_device *sg_get_dev(int dev)
4355 -+{
4356 -+ struct sg_device *sdp;
4357 -+ unsigned long flags;
4358 -+
4359 -+ read_lock_irqsave(&sg_index_lock, flags);
4360 -+ sdp = sg_lookup_dev(dev);
4361 -+ if (!sdp)
4362 -+ sdp = ERR_PTR(-ENXIO);
4363 -+ else if (sdp->detached) {
4364 -+ /* If sdp->detached, then the refcount may already be 0, in
4365 -+ * which case it would be a bug to do kref_get().
4366 -+ */
4367 -+ sdp = ERR_PTR(-ENODEV);
4368 -+ } else
4369 -+ kref_get(&sdp->d_ref);
4370 -+ read_unlock_irqrestore(&sg_index_lock, flags);
4371 -
4372 - return sdp;
4373 - }
4374 -
4375 -+static void sg_put_dev(struct sg_device *sdp)
4376 -+{
4377 -+ kref_put(&sdp->d_ref, sg_device_destroy);
4378 -+}
4379 -+
4380 - #ifdef CONFIG_SCSI_PROC_FS
4381 -
4382 - static struct proc_dir_entry *sg_proc_sgp = NULL;
4383 -@@ -2468,8 +2467,10 @@ static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
4384 - struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
4385 - Sg_device *sdp;
4386 - struct scsi_device *scsidp;
4387 -+ unsigned long iflags;
4388 -
4389 -- sdp = it ? sg_get_dev(it->index) : NULL;
4390 -+ read_lock_irqsave(&sg_index_lock, iflags);
4391 -+ sdp = it ? sg_lookup_dev(it->index) : NULL;
4392 - if (sdp && (scsidp = sdp->device) && (!sdp->detached))
4393 - seq_printf(s, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n",
4394 - scsidp->host->host_no, scsidp->channel,
4395 -@@ -2480,6 +2481,7 @@ static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
4396 - (int) scsi_device_online(scsidp));
4397 - else
4398 - seq_printf(s, "-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\n");
4399 -+ read_unlock_irqrestore(&sg_index_lock, iflags);
4400 - return 0;
4401 - }
4402 -
4403 -@@ -2493,16 +2495,20 @@ static int sg_proc_seq_show_devstrs(struct seq_file *s, void *v)
4404 - struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
4405 - Sg_device *sdp;
4406 - struct scsi_device *scsidp;
4407 -+ unsigned long iflags;
4408 -
4409 -- sdp = it ? sg_get_dev(it->index) : NULL;
4410 -+ read_lock_irqsave(&sg_index_lock, iflags);
4411 -+ sdp = it ? sg_lookup_dev(it->index) : NULL;
4412 - if (sdp && (scsidp = sdp->device) && (!sdp->detached))
4413 - seq_printf(s, "%8.8s\t%16.16s\t%4.4s\n",
4414 - scsidp->vendor, scsidp->model, scsidp->rev);
4415 - else
4416 - seq_printf(s, "<no active device>\n");
4417 -+ read_unlock_irqrestore(&sg_index_lock, iflags);
4418 - return 0;
4419 - }
4420 -
4421 -+/* must be called while holding sg_index_lock */
4422 - static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
4423 - {
4424 - int k, m, new_interface, blen, usg;
4425 -@@ -2512,7 +2518,8 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
4426 - const char * cp;
4427 - unsigned int ms;
4428 -
4429 -- for (k = 0; (fp = sg_get_nth_sfp(sdp, k)); ++k) {
4430 -+ for (k = 0, fp = sdp->headfp; fp != NULL; ++k, fp = fp->nextfp) {
4431 -+ read_lock(&fp->rq_list_lock); /* irqs already disabled */
4432 - seq_printf(s, " FD(%d): timeout=%dms bufflen=%d "
4433 - "(res)sgat=%d low_dma=%d\n", k + 1,
4434 - jiffies_to_msecs(fp->timeout),
4435 -@@ -2522,7 +2529,9 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
4436 - seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=%d\n",
4437 - (int) fp->cmd_q, (int) fp->force_packid,
4438 - (int) fp->keep_orphan, (int) fp->closed);
4439 -- for (m = 0; (srp = sg_get_nth_request(fp, m)); ++m) {
4440 -+ for (m = 0, srp = fp->headrp;
4441 -+ srp != NULL;
4442 -+ ++m, srp = srp->nextrp) {
4443 - hp = &srp->header;
4444 - new_interface = (hp->interface_id == '\0') ? 0 : 1;
4445 - if (srp->res_used) {
4446 -@@ -2559,6 +2568,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
4447 - }
4448 - if (0 == m)
4449 - seq_printf(s, " No requests active\n");
4450 -+ read_unlock(&fp->rq_list_lock);
4451 - }
4452 - }
4453 -
4454 -@@ -2571,39 +2581,34 @@ static int sg_proc_seq_show_debug(struct seq_file *s, void *v)
4455 - {
4456 - struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
4457 - Sg_device *sdp;
4458 -+ unsigned long iflags;
4459 -
4460 - if (it && (0 == it->index)) {
4461 - seq_printf(s, "max_active_device=%d(origin 1)\n",
4462 - (int)it->max);
4463 - seq_printf(s, " def_reserved_size=%d\n", sg_big_buff);
4464 - }
4465 -- sdp = it ? sg_get_dev(it->index) : NULL;
4466 -- if (sdp) {
4467 -- struct scsi_device *scsidp = sdp->device;
4468 -
4469 -- if (NULL == scsidp) {
4470 -- seq_printf(s, "device %d detached ??\n",
4471 -- (int)it->index);
4472 -- return 0;
4473 -- }
4474 -+ read_lock_irqsave(&sg_index_lock, iflags);
4475 -+ sdp = it ? sg_lookup_dev(it->index) : NULL;
4476 -+ if (sdp && sdp->headfp) {
4477 -+ struct scsi_device *scsidp = sdp->device;
4478 -
4479 -- if (sg_get_nth_sfp(sdp, 0)) {
4480 -- seq_printf(s, " >>> device=%s ",
4481 -- sdp->disk->disk_name);
4482 -- if (sdp->detached)
4483 -- seq_printf(s, "detached pending close ");
4484 -- else
4485 -- seq_printf
4486 -- (s, "scsi%d chan=%d id=%d lun=%d em=%d",
4487 -- scsidp->host->host_no,
4488 -- scsidp->channel, scsidp->id,
4489 -- scsidp->lun,
4490 -- scsidp->host->hostt->emulated);
4491 -- seq_printf(s, " sg_tablesize=%d excl=%d\n",
4492 -- sdp->sg_tablesize, sdp->exclude);
4493 -- }
4494 -+ seq_printf(s, " >>> device=%s ", sdp->disk->disk_name);
4495 -+ if (sdp->detached)
4496 -+ seq_printf(s, "detached pending close ");
4497 -+ else
4498 -+ seq_printf
4499 -+ (s, "scsi%d chan=%d id=%d lun=%d em=%d",
4500 -+ scsidp->host->host_no,
4501 -+ scsidp->channel, scsidp->id,
4502 -+ scsidp->lun,
4503 -+ scsidp->host->hostt->emulated);
4504 -+ seq_printf(s, " sg_tablesize=%d excl=%d\n",
4505 -+ sdp->sg_tablesize, sdp->exclude);
4506 - sg_proc_debug_helper(s, sdp);
4507 - }
4508 -+ read_unlock_irqrestore(&sg_index_lock, iflags);
4509 - return 0;
4510 - }
4511 -
4512 -diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
4513 -index 643908b..8eba98c 100644
4514 ---- a/drivers/spi/spi.c
4515 -+++ b/drivers/spi/spi.c
4516 -@@ -658,7 +658,7 @@ int spi_write_then_read(struct spi_device *spi,
4517 -
4518 - int status;
4519 - struct spi_message message;
4520 -- struct spi_transfer x;
4521 -+ struct spi_transfer x[2];
4522 - u8 *local_buf;
4523 -
4524 - /* Use preallocated DMA-safe buffer. We can't avoid copying here,
4525 -@@ -669,9 +669,15 @@ int spi_write_then_read(struct spi_device *spi,
4526 - return -EINVAL;
4527 -
4528 - spi_message_init(&message);
4529 -- memset(&x, 0, sizeof x);
4530 -- x.len = n_tx + n_rx;
4531 -- spi_message_add_tail(&x, &message);
4532 -+ memset(x, 0, sizeof x);
4533 -+ if (n_tx) {
4534 -+ x[0].len = n_tx;
4535 -+ spi_message_add_tail(&x[0], &message);
4536 -+ }
4537 -+ if (n_rx) {
4538 -+ x[1].len = n_rx;
4539 -+ spi_message_add_tail(&x[1], &message);
4540 -+ }
4541 -
4542 - /* ... unless someone else is using the pre-allocated buffer */
4543 - if (!mutex_trylock(&lock)) {
4544 -@@ -682,15 +688,15 @@ int spi_write_then_read(struct spi_device *spi,
4545 - local_buf = buf;
4546 -
4547 - memcpy(local_buf, txbuf, n_tx);
4548 -- x.tx_buf = local_buf;
4549 -- x.rx_buf = local_buf;
4550 -+ x[0].tx_buf = local_buf;
4551 -+ x[1].rx_buf = local_buf + n_tx;
4552 -
4553 - /* do the i/o */
4554 - status = spi_sync(spi, &message);
4555 - if (status == 0)
4556 -- memcpy(rxbuf, x.rx_buf + n_tx, n_rx);
4557 -+ memcpy(rxbuf, x[1].rx_buf, n_rx);
4558 -
4559 -- if (x.tx_buf == buf)
4560 -+ if (x[0].tx_buf == buf)
4561 - mutex_unlock(&lock);
4562 - else
4563 - kfree(local_buf);
4564 -diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
4565 -index 3771d6e..34e6108 100644
4566 ---- a/drivers/usb/class/cdc-wdm.c
4567 -+++ b/drivers/usb/class/cdc-wdm.c
4568 -@@ -652,7 +652,7 @@ next_desc:
4569 -
4570 - iface = &intf->altsetting[0];
4571 - ep = &iface->endpoint[0].desc;
4572 -- if (!usb_endpoint_is_int_in(ep)) {
4573 -+ if (!ep || !usb_endpoint_is_int_in(ep)) {
4574 - rv = -EINVAL;
4575 - goto err;
4576 - }
4577 -diff --git a/drivers/usb/gadget/u_ether.c b/drivers/usb/gadget/u_ether.c
4578 -index 96d65ca..4007770 100644
4579 ---- a/drivers/usb/gadget/u_ether.c
4580 -+++ b/drivers/usb/gadget/u_ether.c
4581 -@@ -175,12 +175,6 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
4582 - strlcpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof p->bus_info);
4583 - }
4584 -
4585 --static u32 eth_get_link(struct net_device *net)
4586 --{
4587 -- struct eth_dev *dev = netdev_priv(net);
4588 -- return dev->gadget->speed != USB_SPEED_UNKNOWN;
4589 --}
4590 --
4591 - /* REVISIT can also support:
4592 - * - WOL (by tracking suspends and issuing remote wakeup)
4593 - * - msglevel (implies updated messaging)
4594 -@@ -189,7 +183,7 @@ static u32 eth_get_link(struct net_device *net)
4595 -
4596 - static struct ethtool_ops ops = {
4597 - .get_drvinfo = eth_get_drvinfo,
4598 -- .get_link = eth_get_link
4599 -+ .get_link = ethtool_op_get_link,
4600 - };
4601 -
4602 - static void defer_kevent(struct eth_dev *dev, int flag)
4603 -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
4604 -index ae84c32..bb3143e 100644
4605 ---- a/drivers/usb/serial/ftdi_sio.c
4606 -+++ b/drivers/usb/serial/ftdi_sio.c
4607 -@@ -668,6 +668,7 @@ static struct usb_device_id id_table_combined [] = {
4608 - { USB_DEVICE(DE_VID, WHT_PID) },
4609 - { USB_DEVICE(ADI_VID, ADI_GNICE_PID),
4610 - .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
4611 -+ { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
4612 - { }, /* Optional parameter entry */
4613 - { } /* Terminating entry */
4614 - };
4615 -diff --git a/drivers/usb/serial/ftdi_sio.h b/drivers/usb/serial/ftdi_sio.h
4616 -index daaf63d..c09f658 100644
4617 ---- a/drivers/usb/serial/ftdi_sio.h
4618 -+++ b/drivers/usb/serial/ftdi_sio.h
4619 -@@ -913,6 +913,13 @@
4620 - #define ADI_GNICE_PID 0xF000
4621 -
4622 - /*
4623 -+ * JETI SPECTROMETER SPECBOS 1201
4624 -+ * http://www.jeti.com/products/sys/scb/scb1201.php
4625 -+ */
4626 -+#define JETI_VID 0x0c6c
4627 -+#define JETI_SPC1201_PID 0x04b2
4628 -+
4629 -+/*
4630 - * BmRequestType: 1100 0000b
4631 - * bRequest: FTDI_E2_READ
4632 - * wValue: 0
4633 -diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
4634 -index 2620bf6..9c4c700 100644
4635 ---- a/drivers/usb/serial/ti_usb_3410_5052.c
4636 -+++ b/drivers/usb/serial/ti_usb_3410_5052.c
4637 -@@ -1215,20 +1215,22 @@ static void ti_bulk_in_callback(struct urb *urb)
4638 - }
4639 -
4640 - tty = tty_port_tty_get(&port->port);
4641 -- if (tty && urb->actual_length) {
4642 -- usb_serial_debug_data(debug, dev, __func__,
4643 -- urb->actual_length, urb->transfer_buffer);
4644 --
4645 -- if (!tport->tp_is_open)
4646 -- dbg("%s - port closed, dropping data", __func__);
4647 -- else
4648 -- ti_recv(&urb->dev->dev, tty,
4649 -+ if (tty) {
4650 -+ if (urb->actual_length) {
4651 -+ usb_serial_debug_data(debug, dev, __func__,
4652 -+ urb->actual_length, urb->transfer_buffer);
4653 -+
4654 -+ if (!tport->tp_is_open)
4655 -+ dbg("%s - port closed, dropping data",
4656 -+ __func__);
4657 -+ else
4658 -+ ti_recv(&urb->dev->dev, tty,
4659 - urb->transfer_buffer,
4660 - urb->actual_length);
4661 --
4662 -- spin_lock(&tport->tp_lock);
4663 -- tport->tp_icount.rx += urb->actual_length;
4664 -- spin_unlock(&tport->tp_lock);
4665 -+ spin_lock(&tport->tp_lock);
4666 -+ tport->tp_icount.rx += urb->actual_length;
4667 -+ spin_unlock(&tport->tp_lock);
4668 -+ }
4669 - tty_kref_put(tty);
4670 - }
4671 -
4672 -diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
4673 -index cfde74a..0f54399 100644
4674 ---- a/drivers/usb/storage/unusual_devs.h
4675 -+++ b/drivers/usb/storage/unusual_devs.h
4676 -@@ -1218,12 +1218,14 @@ UNUSUAL_DEV( 0x07c4, 0xa400, 0x0000, 0xffff,
4677 - US_SC_DEVICE, US_PR_DEVICE, NULL,
4678 - US_FL_FIX_INQUIRY | US_FL_FIX_CAPACITY ),
4679 -
4680 --/* Reported by Rauch Wolke <rauchwolke@×××.net> */
4681 -+/* Reported by Rauch Wolke <rauchwolke@×××.net>
4682 -+ * and augmented by binbin <binbinsh@×××××.com> (Bugzilla #12882)
4683 -+ */
4684 - UNUSUAL_DEV( 0x07c4, 0xa4a5, 0x0000, 0xffff,
4685 - "Simple Tech/Datafab",
4686 - "CF+SM Reader",
4687 - US_SC_DEVICE, US_PR_DEVICE, NULL,
4688 -- US_FL_IGNORE_RESIDUE ),
4689 -+ US_FL_IGNORE_RESIDUE | US_FL_MAX_SECTORS_64 ),
4690 -
4691 - /* Casio QV 2x00/3x00/4000/8000 digital still cameras are not conformant
4692 - * to the USB storage specification in two ways:
4693 -diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
4694 -index 1657b96..471a9a6 100644
4695 ---- a/drivers/video/console/fbcon.c
4696 -+++ b/drivers/video/console/fbcon.c
4697 -@@ -2263,9 +2263,12 @@ static void fbcon_generic_blank(struct vc_data *vc, struct fb_info *info,
4698 - }
4699 -
4700 -
4701 -+ if (!lock_fb_info(info))
4702 -+ return;
4703 - event.info = info;
4704 - event.data = &blank;
4705 - fb_notifier_call_chain(FB_EVENT_CONBLANK, &event);
4706 -+ unlock_fb_info(info);
4707 - }
4708 -
4709 - static int fbcon_blank(struct vc_data *vc, int blank, int mode_switch)
4710 -@@ -2954,8 +2957,9 @@ static int fbcon_fb_unbind(int idx)
4711 -
4712 - static int fbcon_fb_unregistered(struct fb_info *info)
4713 - {
4714 -- int i, idx = info->node;
4715 -+ int i, idx;
4716 -
4717 -+ idx = info->node;
4718 - for (i = first_fb_vc; i <= last_fb_vc; i++) {
4719 - if (con2fb_map[i] == idx)
4720 - con2fb_map[i] = -1;
4721 -@@ -2979,13 +2983,12 @@ static int fbcon_fb_unregistered(struct fb_info *info)
4722 - }
4723 - }
4724 -
4725 -- if (!num_registered_fb)
4726 -- unregister_con_driver(&fb_con);
4727 --
4728 --
4729 - if (primary_device == idx)
4730 - primary_device = -1;
4731 -
4732 -+ if (!num_registered_fb)
4733 -+ unregister_con_driver(&fb_con);
4734 -+
4735 - return 0;
4736 - }
4737 -
4738 -@@ -3021,8 +3024,9 @@ static inline void fbcon_select_primary(struct fb_info *info)
4739 -
4740 - static int fbcon_fb_registered(struct fb_info *info)
4741 - {
4742 -- int ret = 0, i, idx = info->node;
4743 -+ int ret = 0, i, idx;
4744 -
4745 -+ idx = info->node;
4746 - fbcon_select_primary(info);
4747 -
4748 - if (info_idx == -1) {
4749 -@@ -3124,7 +3128,7 @@ static void fbcon_get_requirement(struct fb_info *info,
4750 - }
4751 - }
4752 -
4753 --static int fbcon_event_notify(struct notifier_block *self,
4754 -+static int fbcon_event_notify(struct notifier_block *self,
4755 - unsigned long action, void *data)
4756 - {
4757 - struct fb_event *event = data;
4758 -@@ -3132,7 +3136,7 @@ static int fbcon_event_notify(struct notifier_block *self,
4759 - struct fb_videomode *mode;
4760 - struct fb_con2fbmap *con2fb;
4761 - struct fb_blit_caps *caps;
4762 -- int ret = 0;
4763 -+ int idx, ret = 0;
4764 -
4765 - /*
4766 - * ignore all events except driver registration and deregistration
4767 -@@ -3160,7 +3164,8 @@ static int fbcon_event_notify(struct notifier_block *self,
4768 - ret = fbcon_mode_deleted(info, mode);
4769 - break;
4770 - case FB_EVENT_FB_UNBIND:
4771 -- ret = fbcon_fb_unbind(info->node);
4772 -+ idx = info->node;
4773 -+ ret = fbcon_fb_unbind(idx);
4774 - break;
4775 - case FB_EVENT_FB_REGISTERED:
4776 - ret = fbcon_fb_registered(info);
4777 -@@ -3188,7 +3193,6 @@ static int fbcon_event_notify(struct notifier_block *self,
4778 - fbcon_get_requirement(info, caps);
4779 - break;
4780 - }
4781 --
4782 - done:
4783 - return ret;
4784 - }
4785 -diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
4786 -index cfd9dce..1d6fb41 100644
4787 ---- a/drivers/video/fbmem.c
4788 -+++ b/drivers/video/fbmem.c
4789 -@@ -1086,13 +1086,11 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
4790 - return -EINVAL;
4791 - con2fb.framebuffer = -1;
4792 - event.data = &con2fb;
4793 --
4794 - if (!lock_fb_info(info))
4795 - return -ENODEV;
4796 - event.info = info;
4797 - fb_notifier_call_chain(FB_EVENT_GET_CONSOLE_MAP, &event);
4798 - unlock_fb_info(info);
4799 --
4800 - ret = copy_to_user(argp, &con2fb, sizeof(con2fb)) ? -EFAULT : 0;
4801 - break;
4802 - case FBIOPUT_CON2FBMAP:
4803 -@@ -1112,8 +1110,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
4804 - if (!lock_fb_info(info))
4805 - return -ENODEV;
4806 - event.info = info;
4807 -- ret = fb_notifier_call_chain(FB_EVENT_SET_CONSOLE_MAP,
4808 -- &event);
4809 -+ ret = fb_notifier_call_chain(FB_EVENT_SET_CONSOLE_MAP, &event);
4810 - unlock_fb_info(info);
4811 - break;
4812 - case FBIOBLANK:
4813 -@@ -1519,7 +1516,10 @@ register_framebuffer(struct fb_info *fb_info)
4814 - registered_fb[i] = fb_info;
4815 -
4816 - event.info = fb_info;
4817 -+ if (!lock_fb_info(fb_info))
4818 -+ return -ENODEV;
4819 - fb_notifier_call_chain(FB_EVENT_FB_REGISTERED, &event);
4820 -+ unlock_fb_info(fb_info);
4821 - return 0;
4822 - }
4823 -
4824 -@@ -1553,8 +1553,12 @@ unregister_framebuffer(struct fb_info *fb_info)
4825 - goto done;
4826 - }
4827 -
4828 -+
4829 -+ if (!lock_fb_info(fb_info))
4830 -+ return -ENODEV;
4831 - event.info = fb_info;
4832 - ret = fb_notifier_call_chain(FB_EVENT_FB_UNBIND, &event);
4833 -+ unlock_fb_info(fb_info);
4834 -
4835 - if (ret) {
4836 - ret = -EINVAL;
4837 -@@ -1588,6 +1592,8 @@ void fb_set_suspend(struct fb_info *info, int state)
4838 - {
4839 - struct fb_event event;
4840 -
4841 -+ if (!lock_fb_info(info))
4842 -+ return;
4843 - event.info = info;
4844 - if (state) {
4845 - fb_notifier_call_chain(FB_EVENT_SUSPEND, &event);
4846 -@@ -1596,6 +1602,7 @@ void fb_set_suspend(struct fb_info *info, int state)
4847 - info->state = FBINFO_STATE_RUNNING;
4848 - fb_notifier_call_chain(FB_EVENT_RESUME, &event);
4849 - }
4850 -+ unlock_fb_info(info);
4851 - }
4852 -
4853 - /**
4854 -@@ -1665,8 +1672,11 @@ int fb_new_modelist(struct fb_info *info)
4855 - err = 1;
4856 -
4857 - if (!list_empty(&info->modelist)) {
4858 -+ if (!lock_fb_info(info))
4859 -+ return -ENODEV;
4860 - event.info = info;
4861 - err = fb_notifier_call_chain(FB_EVENT_NEW_MODELIST, &event);
4862 -+ unlock_fb_info(info);
4863 - }
4864 -
4865 - return err;
4866 -diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
4867 -index 5926826..9c76a06 100644
4868 ---- a/drivers/virtio/virtio_balloon.c
4869 -+++ b/drivers/virtio/virtio_balloon.c
4870 -@@ -190,7 +190,8 @@ static int balloon(void *_vballoon)
4871 - try_to_freeze();
4872 - wait_event_interruptible(vb->config_change,
4873 - (diff = towards_target(vb)) != 0
4874 -- || kthread_should_stop());
4875 -+ || kthread_should_stop()
4876 -+ || freezing(current));
4877 - if (diff > 0)
4878 - fill_balloon(vb, diff);
4879 - else if (diff < 0)
4880 -diff --git a/fs/dquot.c b/fs/dquot.c
4881 -index bca3cac..5a0059d 100644
4882 ---- a/fs/dquot.c
4883 -+++ b/fs/dquot.c
4884 -@@ -793,7 +793,7 @@ static void add_dquot_ref(struct super_block *sb, int type)
4885 - continue;
4886 - if (!dqinit_needed(inode, type))
4887 - continue;
4888 -- if (inode->i_state & (I_FREEING|I_WILL_FREE))
4889 -+ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE))
4890 - continue;
4891 -
4892 - __iget(inode);
4893 -diff --git a/fs/drop_caches.c b/fs/drop_caches.c
4894 -index 3e5637f..f7e66c0 100644
4895 ---- a/fs/drop_caches.c
4896 -+++ b/fs/drop_caches.c
4897 -@@ -18,7 +18,7 @@ static void drop_pagecache_sb(struct super_block *sb)
4898 -
4899 - spin_lock(&inode_lock);
4900 - list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
4901 -- if (inode->i_state & (I_FREEING|I_WILL_FREE))
4902 -+ if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE))
4903 - continue;
4904 - if (inode->i_mapping->nrpages == 0)
4905 - continue;
4906 -diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
4907 -index 9f61e62..27b3741 100644
4908 ---- a/fs/ext4/mballoc.c
4909 -+++ b/fs/ext4/mballoc.c
4910 -@@ -2693,7 +2693,7 @@ int ext4_mb_init(struct super_block *sb, int needs_recovery)
4911 - i = (sb->s_blocksize_bits + 2) * sizeof(unsigned int);
4912 - sbi->s_mb_maxs = kmalloc(i, GFP_KERNEL);
4913 - if (sbi->s_mb_maxs == NULL) {
4914 -- kfree(sbi->s_mb_maxs);
4915 -+ kfree(sbi->s_mb_offsets);
4916 - return -ENOMEM;
4917 - }
4918 -
4919 -@@ -4439,7 +4439,7 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac)
4920 - pa_inode_list) {
4921 - spin_lock(&tmp_pa->pa_lock);
4922 - if (tmp_pa->pa_deleted) {
4923 -- spin_unlock(&pa->pa_lock);
4924 -+ spin_unlock(&tmp_pa->pa_lock);
4925 - continue;
4926 - }
4927 - if (!added && pa->pa_free < tmp_pa->pa_free) {
4928 -diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
4929 -index e3fe991..f81f9e7 100644
4930 ---- a/fs/fs-writeback.c
4931 -+++ b/fs/fs-writeback.c
4932 -@@ -538,7 +538,8 @@ void generic_sync_sb_inodes(struct super_block *sb,
4933 - list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
4934 - struct address_space *mapping;
4935 -
4936 -- if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW))
4937 -+ if (inode->i_state &
4938 -+ (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW))
4939 - continue;
4940 - mapping = inode->i_mapping;
4941 - if (mapping->nrpages == 0)
4942 -diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
4943 -index 9b800d9..c91a818 100644
4944 ---- a/fs/hugetlbfs/inode.c
4945 -+++ b/fs/hugetlbfs/inode.c
4946 -@@ -26,7 +26,6 @@
4947 - #include <linux/pagevec.h>
4948 - #include <linux/parser.h>
4949 - #include <linux/mman.h>
4950 --#include <linux/quotaops.h>
4951 - #include <linux/slab.h>
4952 - #include <linux/dnotify.h>
4953 - #include <linux/statfs.h>
4954 -@@ -842,7 +841,7 @@ hugetlbfs_parse_options(char *options, struct hugetlbfs_config *pconfig)
4955 - bad_val:
4956 - printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n",
4957 - args[0].from, p);
4958 -- return 1;
4959 -+ return -EINVAL;
4960 - }
4961 -
4962 - static int
4963 -diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
4964 -index 6cdeacf..4bd49c1 100644
4965 ---- a/fs/nfs/nfs3xdr.c
4966 -+++ b/fs/nfs/nfs3xdr.c
4967 -@@ -716,7 +716,8 @@ nfs3_xdr_setaclargs(struct rpc_rqst *req, __be32 *p,
4968 - if (args->npages != 0)
4969 - xdr_encode_pages(buf, args->pages, 0, args->len);
4970 - else
4971 -- req->rq_slen += args->len;
4972 -+ req->rq_slen = xdr_adjust_iovec(req->rq_svec,
4973 -+ p + XDR_QUADLEN(args->len));
4974 -
4975 - err = nfsacl_encode(buf, base, args->inode,
4976 - (args->mask & NFS_ACL) ?
4977 -diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
4978 -index a5887df..8672b95 100644
4979 ---- a/fs/ocfs2/file.c
4980 -+++ b/fs/ocfs2/file.c
4981 -@@ -1926,7 +1926,7 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
4982 - out->f_path.dentry->d_name.len,
4983 - out->f_path.dentry->d_name.name);
4984 -
4985 -- inode_double_lock(inode, pipe->inode);
4986 -+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
4987 -
4988 - ret = ocfs2_rw_lock(inode, 1);
4989 - if (ret < 0) {
4990 -@@ -1941,12 +1941,16 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
4991 - goto out_unlock;
4992 - }
4993 -
4994 -+ if (pipe->inode)
4995 -+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
4996 - ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
4997 -+ if (pipe->inode)
4998 -+ mutex_unlock(&pipe->inode->i_mutex);
4999 -
5000 - out_unlock:
5001 - ocfs2_rw_unlock(inode, 1);
5002 - out:
5003 -- inode_double_unlock(inode, pipe->inode);
5004 -+ mutex_unlock(&inode->i_mutex);
5005 -
5006 - mlog_exit(ret);
5007 - return ret;
5008 -diff --git a/fs/splice.c b/fs/splice.c
5009 -index 4ed0ba4..4c1029a 100644
5010 ---- a/fs/splice.c
5011 -+++ b/fs/splice.c
5012 -@@ -736,10 +736,19 @@ ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
5013 - * ->write_end. Most of the time, these expect i_mutex to
5014 - * be held. Since this may result in an ABBA deadlock with
5015 - * pipe->inode, we have to order lock acquiry here.
5016 -+ *
5017 -+ * Outer lock must be inode->i_mutex, as pipe_wait() will
5018 -+ * release and reacquire pipe->inode->i_mutex, AND inode must
5019 -+ * never be a pipe.
5020 - */
5021 -- inode_double_lock(inode, pipe->inode);
5022 -+ WARN_ON(S_ISFIFO(inode->i_mode));
5023 -+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
5024 -+ if (pipe->inode)
5025 -+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
5026 - ret = __splice_from_pipe(pipe, &sd, actor);
5027 -- inode_double_unlock(inode, pipe->inode);
5028 -+ if (pipe->inode)
5029 -+ mutex_unlock(&pipe->inode->i_mutex);
5030 -+ mutex_unlock(&inode->i_mutex);
5031 -
5032 - return ret;
5033 - }
5034 -@@ -830,11 +839,17 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
5035 - };
5036 - ssize_t ret;
5037 -
5038 -- inode_double_lock(inode, pipe->inode);
5039 -+ WARN_ON(S_ISFIFO(inode->i_mode));
5040 -+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
5041 - ret = file_remove_suid(out);
5042 -- if (likely(!ret))
5043 -+ if (likely(!ret)) {
5044 -+ if (pipe->inode)
5045 -+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
5046 - ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
5047 -- inode_double_unlock(inode, pipe->inode);
5048 -+ if (pipe->inode)
5049 -+ mutex_unlock(&pipe->inode->i_mutex);
5050 -+ }
5051 -+ mutex_unlock(&inode->i_mutex);
5052 - if (ret > 0) {
5053 - unsigned long nr_pages;
5054 -
5055 -diff --git a/include/linux/capability.h b/include/linux/capability.h
5056 -index 4864a43..c302110 100644
5057 ---- a/include/linux/capability.h
5058 -+++ b/include/linux/capability.h
5059 -@@ -377,7 +377,21 @@ struct cpu_vfs_cap_data {
5060 - #define CAP_FOR_EACH_U32(__capi) \
5061 - for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
5062 -
5063 -+/*
5064 -+ * CAP_FS_MASK and CAP_NFSD_MASKS:
5065 -+ *
5066 -+ * The fs mask is all the privileges that fsuid==0 historically meant.
5067 -+ * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
5068 -+ *
5069 -+ * It has never meant setting security.* and trusted.* xattrs.
5070 -+ *
5071 -+ * We could also define fsmask as follows:
5072 -+ * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
5073 -+ * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
5074 -+ */
5075 -+
5076 - # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
5077 -+ | CAP_TO_MASK(CAP_MKNOD) \
5078 - | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
5079 - | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
5080 - | CAP_TO_MASK(CAP_FOWNER) \
5081 -@@ -392,11 +406,12 @@ struct cpu_vfs_cap_data {
5082 - # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
5083 - # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
5084 - # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
5085 --# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
5086 -+# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
5087 -+ | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
5088 -+ CAP_FS_MASK_B1 } })
5089 - # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
5090 -- | CAP_TO_MASK(CAP_SYS_RESOURCE) \
5091 -- | CAP_TO_MASK(CAP_MKNOD), \
5092 -- CAP_FS_MASK_B1 } })
5093 -+ | CAP_TO_MASK(CAP_SYS_RESOURCE), \
5094 -+ CAP_FS_MASK_B1 } })
5095 -
5096 - #endif /* _KERNEL_CAPABILITY_U32S != 2 */
5097 -
5098 -diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
5099 -index bd37078..0d2f7c8 100644
5100 ---- a/include/linux/hrtimer.h
5101 -+++ b/include/linux/hrtimer.h
5102 -@@ -336,6 +336,11 @@ extern int hrtimer_start(struct hrtimer *timer, ktime_t tim,
5103 - const enum hrtimer_mode mode);
5104 - extern int hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
5105 - unsigned long range_ns, const enum hrtimer_mode mode);
5106 -+extern int
5107 -+__hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
5108 -+ unsigned long delta_ns,
5109 -+ const enum hrtimer_mode mode, int wakeup);
5110 -+
5111 - extern int hrtimer_cancel(struct hrtimer *timer);
5112 - extern int hrtimer_try_to_cancel(struct hrtimer *timer);
5113 -
5114 -diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
5115 -index 9127f6b..564d1c0 100644
5116 ---- a/include/linux/interrupt.h
5117 -+++ b/include/linux/interrupt.h
5118 -@@ -274,6 +274,7 @@ extern void softirq_init(void);
5119 - #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
5120 - extern void raise_softirq_irqoff(unsigned int nr);
5121 - extern void raise_softirq(unsigned int nr);
5122 -+extern void wakeup_softirqd(void);
5123 -
5124 - /* This is the worklist that queues up per-cpu softirq work.
5125 - *
5126 -diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
5127 -index bf6f703..552ef4f 100644
5128 ---- a/include/linux/kvm_host.h
5129 -+++ b/include/linux/kvm_host.h
5130 -@@ -127,6 +127,10 @@ struct kvm {
5131 - struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
5132 - #endif
5133 -
5134 -+#ifdef CONFIG_HAVE_KVM_IRQCHIP
5135 -+ struct hlist_head mask_notifier_list;
5136 -+#endif
5137 -+
5138 - #ifdef KVM_ARCH_WANT_MMU_NOTIFIER
5139 - struct mmu_notifier mmu_notifier;
5140 - unsigned long mmu_notifier_seq;
5141 -@@ -321,6 +325,19 @@ struct kvm_assigned_dev_kernel {
5142 - struct pci_dev *dev;
5143 - struct kvm *kvm;
5144 - };
5145 -+
5146 -+struct kvm_irq_mask_notifier {
5147 -+ void (*func)(struct kvm_irq_mask_notifier *kimn, bool masked);
5148 -+ int irq;
5149 -+ struct hlist_node link;
5150 -+};
5151 -+
5152 -+void kvm_register_irq_mask_notifier(struct kvm *kvm, int irq,
5153 -+ struct kvm_irq_mask_notifier *kimn);
5154 -+void kvm_unregister_irq_mask_notifier(struct kvm *kvm, int irq,
5155 -+ struct kvm_irq_mask_notifier *kimn);
5156 -+void kvm_fire_mask_notifiers(struct kvm *kvm, int irq, bool mask);
5157 -+
5158 - void kvm_set_irq(struct kvm *kvm, int irq_source_id, int irq, int level);
5159 - void kvm_notify_acked_irq(struct kvm *kvm, unsigned gsi);
5160 - void kvm_register_irq_ack_notifier(struct kvm *kvm,
5161 -diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
5162 -index 01ca085..076a7dc 100644
5163 ---- a/include/linux/pagemap.h
5164 -+++ b/include/linux/pagemap.h
5165 -@@ -18,9 +18,14 @@
5166 - * Bits in mapping->flags. The lower __GFP_BITS_SHIFT bits are the page
5167 - * allocation mode flags.
5168 - */
5169 --#define AS_EIO (__GFP_BITS_SHIFT + 0) /* IO error on async write */
5170 --#define AS_ENOSPC (__GFP_BITS_SHIFT + 1) /* ENOSPC on async write */
5171 --#define AS_MM_ALL_LOCKS (__GFP_BITS_SHIFT + 2) /* under mm_take_all_locks() */
5172 -+enum mapping_flags {
5173 -+ AS_EIO = __GFP_BITS_SHIFT + 0, /* IO error on async write */
5174 -+ AS_ENOSPC = __GFP_BITS_SHIFT + 1, /* ENOSPC on async write */
5175 -+ AS_MM_ALL_LOCKS = __GFP_BITS_SHIFT + 2, /* under mm_take_all_locks() */
5176 -+#ifdef CONFIG_UNEVICTABLE_LRU
5177 -+ AS_UNEVICTABLE = __GFP_BITS_SHIFT + 3, /* e.g., ramdisk, SHM_LOCK */
5178 -+#endif
5179 -+};
5180 -
5181 - static inline void mapping_set_error(struct address_space *mapping, int error)
5182 - {
5183 -@@ -33,7 +38,6 @@ static inline void mapping_set_error(struct address_space *mapping, int error)
5184 - }
5185 -
5186 - #ifdef CONFIG_UNEVICTABLE_LRU
5187 --#define AS_UNEVICTABLE (__GFP_BITS_SHIFT + 2) /* e.g., ramdisk, SHM_LOCK */
5188 -
5189 - static inline void mapping_set_unevictable(struct address_space *mapping)
5190 - {
5191 -diff --git a/include/linux/sched.h b/include/linux/sched.h
5192 -index 011db2f..f8af167 100644
5193 ---- a/include/linux/sched.h
5194 -+++ b/include/linux/sched.h
5195 -@@ -202,7 +202,8 @@ extern unsigned long long time_sync_thresh;
5196 - #define task_is_stopped_or_traced(task) \
5197 - ((task->state & (__TASK_STOPPED | __TASK_TRACED)) != 0)
5198 - #define task_contributes_to_load(task) \
5199 -- ((task->state & TASK_UNINTERRUPTIBLE) != 0)
5200 -+ ((task->state & TASK_UNINTERRUPTIBLE) != 0 && \
5201 -+ (task->flags & PF_FROZEN) == 0)
5202 -
5203 - #define __set_task_state(tsk, state_value) \
5204 - do { (tsk)->state = (state_value); } while (0)
5205 -diff --git a/kernel/fork.c b/kernel/fork.c
5206 -index 4854c2c..9b51a1b 100644
5207 ---- a/kernel/fork.c
5208 -+++ b/kernel/fork.c
5209 -@@ -808,6 +808,12 @@ static void posix_cpu_timers_init_group(struct signal_struct *sig)
5210 - sig->cputime_expires.virt_exp = cputime_zero;
5211 - sig->cputime_expires.sched_exp = 0;
5212 -
5213 -+ if (sig->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
5214 -+ sig->cputime_expires.prof_exp =
5215 -+ secs_to_cputime(sig->rlim[RLIMIT_CPU].rlim_cur);
5216 -+ sig->cputimer.running = 1;
5217 -+ }
5218 -+
5219 - /* The timer lists. */
5220 - INIT_LIST_HEAD(&sig->cpu_timers[0]);
5221 - INIT_LIST_HEAD(&sig->cpu_timers[1]);
5222 -@@ -823,11 +829,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
5223 - atomic_inc(&current->signal->live);
5224 - return 0;
5225 - }
5226 -- sig = kmem_cache_alloc(signal_cachep, GFP_KERNEL);
5227 --
5228 -- if (sig)
5229 -- posix_cpu_timers_init_group(sig);
5230 -
5231 -+ sig = kmem_cache_alloc(signal_cachep, GFP_KERNEL);
5232 - tsk->signal = sig;
5233 - if (!sig)
5234 - return -ENOMEM;
5235 -@@ -865,6 +868,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
5236 - memcpy(sig->rlim, current->signal->rlim, sizeof sig->rlim);
5237 - task_unlock(current->group_leader);
5238 -
5239 -+ posix_cpu_timers_init_group(sig);
5240 -+
5241 - acct_init_pacct(&sig->pacct);
5242 -
5243 - tty_audit_fork(sig);
5244 -diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
5245 -index f394d2a..cb8a15c 100644
5246 ---- a/kernel/hrtimer.c
5247 -+++ b/kernel/hrtimer.c
5248 -@@ -651,14 +651,20 @@ static inline void hrtimer_init_timer_hres(struct hrtimer *timer)
5249 - * and expiry check is done in the hrtimer_interrupt or in the softirq.
5250 - */
5251 - static inline int hrtimer_enqueue_reprogram(struct hrtimer *timer,
5252 -- struct hrtimer_clock_base *base)
5253 -+ struct hrtimer_clock_base *base,
5254 -+ int wakeup)
5255 - {
5256 - if (base->cpu_base->hres_active && hrtimer_reprogram(timer, base)) {
5257 -- spin_unlock(&base->cpu_base->lock);
5258 -- raise_softirq_irqoff(HRTIMER_SOFTIRQ);
5259 -- spin_lock(&base->cpu_base->lock);
5260 -+ if (wakeup) {
5261 -+ spin_unlock(&base->cpu_base->lock);
5262 -+ raise_softirq_irqoff(HRTIMER_SOFTIRQ);
5263 -+ spin_lock(&base->cpu_base->lock);
5264 -+ } else
5265 -+ __raise_softirq_irqoff(HRTIMER_SOFTIRQ);
5266 -+
5267 - return 1;
5268 - }
5269 -+
5270 - return 0;
5271 - }
5272 -
5273 -@@ -703,7 +709,8 @@ static inline int hrtimer_is_hres_enabled(void) { return 0; }
5274 - static inline int hrtimer_switch_to_hres(void) { return 0; }
5275 - static inline void hrtimer_force_reprogram(struct hrtimer_cpu_base *base) { }
5276 - static inline int hrtimer_enqueue_reprogram(struct hrtimer *timer,
5277 -- struct hrtimer_clock_base *base)
5278 -+ struct hrtimer_clock_base *base,
5279 -+ int wakeup)
5280 - {
5281 - return 0;
5282 - }
5283 -@@ -886,20 +893,9 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base)
5284 - return 0;
5285 - }
5286 -
5287 --/**
5288 -- * hrtimer_start_range_ns - (re)start an hrtimer on the current CPU
5289 -- * @timer: the timer to be added
5290 -- * @tim: expiry time
5291 -- * @delta_ns: "slack" range for the timer
5292 -- * @mode: expiry mode: absolute (HRTIMER_ABS) or relative (HRTIMER_REL)
5293 -- *
5294 -- * Returns:
5295 -- * 0 on success
5296 -- * 1 when the timer was active
5297 -- */
5298 --int
5299 --hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, unsigned long delta_ns,
5300 -- const enum hrtimer_mode mode)
5301 -+int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
5302 -+ unsigned long delta_ns, const enum hrtimer_mode mode,
5303 -+ int wakeup)
5304 - {
5305 - struct hrtimer_clock_base *base, *new_base;
5306 - unsigned long flags;
5307 -@@ -940,12 +936,29 @@ hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, unsigned long delta_n
5308 - * XXX send_remote_softirq() ?
5309 - */
5310 - if (leftmost && new_base->cpu_base == &__get_cpu_var(hrtimer_bases))
5311 -- hrtimer_enqueue_reprogram(timer, new_base);
5312 -+ hrtimer_enqueue_reprogram(timer, new_base, wakeup);
5313 -
5314 - unlock_hrtimer_base(timer, &flags);
5315 -
5316 - return ret;
5317 - }
5318 -+
5319 -+/**
5320 -+ * hrtimer_start_range_ns - (re)start an hrtimer on the current CPU
5321 -+ * @timer: the timer to be added
5322 -+ * @tim: expiry time
5323 -+ * @delta_ns: "slack" range for the timer
5324 -+ * @mode: expiry mode: absolute (HRTIMER_ABS) or relative (HRTIMER_REL)
5325 -+ *
5326 -+ * Returns:
5327 -+ * 0 on success
5328 -+ * 1 when the timer was active
5329 -+ */
5330 -+int hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
5331 -+ unsigned long delta_ns, const enum hrtimer_mode mode)
5332 -+{
5333 -+ return __hrtimer_start_range_ns(timer, tim, delta_ns, mode, 1);
5334 -+}
5335 - EXPORT_SYMBOL_GPL(hrtimer_start_range_ns);
5336 -
5337 - /**
5338 -@@ -961,7 +974,7 @@ EXPORT_SYMBOL_GPL(hrtimer_start_range_ns);
5339 - int
5340 - hrtimer_start(struct hrtimer *timer, ktime_t tim, const enum hrtimer_mode mode)
5341 - {
5342 -- return hrtimer_start_range_ns(timer, tim, 0, mode);
5343 -+ return __hrtimer_start_range_ns(timer, tim, 0, mode, 1);
5344 - }
5345 - EXPORT_SYMBOL_GPL(hrtimer_start);
5346 -
5347 -diff --git a/kernel/kprobes.c b/kernel/kprobes.c
5348 -index 7ba8cd9..6589776 100644
5349 ---- a/kernel/kprobes.c
5350 -+++ b/kernel/kprobes.c
5351 -@@ -912,10 +912,8 @@ static int __kprobes pre_handler_kretprobe(struct kprobe *p,
5352 - ri->rp = rp;
5353 - ri->task = current;
5354 -
5355 -- if (rp->entry_handler && rp->entry_handler(ri, regs)) {
5356 -- spin_unlock_irqrestore(&rp->lock, flags);
5357 -+ if (rp->entry_handler && rp->entry_handler(ri, regs))
5358 - return 0;
5359 -- }
5360 -
5361 - arch_prepare_kretprobe(ri, regs);
5362 -
5363 -diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
5364 -index e976e50..68647c1 100644
5365 ---- a/kernel/posix-cpu-timers.c
5366 -+++ b/kernel/posix-cpu-timers.c
5367 -@@ -18,7 +18,7 @@ void update_rlimit_cpu(unsigned long rlim_new)
5368 -
5369 - cputime = secs_to_cputime(rlim_new);
5370 - if (cputime_eq(current->signal->it_prof_expires, cputime_zero) ||
5371 -- cputime_lt(current->signal->it_prof_expires, cputime)) {
5372 -+ cputime_gt(current->signal->it_prof_expires, cputime)) {
5373 - spin_lock_irq(&current->sighand->siglock);
5374 - set_process_cpu_timer(current, CPUCLOCK_PROF, &cputime, NULL);
5375 - spin_unlock_irq(&current->sighand->siglock);
5376 -@@ -224,7 +224,7 @@ static int cpu_clock_sample(const clockid_t which_clock, struct task_struct *p,
5377 - cpu->cpu = virt_ticks(p);
5378 - break;
5379 - case CPUCLOCK_SCHED:
5380 -- cpu->sched = p->se.sum_exec_runtime + task_delta_exec(p);
5381 -+ cpu->sched = task_sched_runtime(p);
5382 - break;
5383 - }
5384 - return 0;
5385 -@@ -305,18 +305,19 @@ static int cpu_clock_sample_group(const clockid_t which_clock,
5386 - {
5387 - struct task_cputime cputime;
5388 -
5389 -- thread_group_cputime(p, &cputime);
5390 - switch (CPUCLOCK_WHICH(which_clock)) {
5391 - default:
5392 - return -EINVAL;
5393 - case CPUCLOCK_PROF:
5394 -+ thread_group_cputime(p, &cputime);
5395 - cpu->cpu = cputime_add(cputime.utime, cputime.stime);
5396 - break;
5397 - case CPUCLOCK_VIRT:
5398 -+ thread_group_cputime(p, &cputime);
5399 - cpu->cpu = cputime.utime;
5400 - break;
5401 - case CPUCLOCK_SCHED:
5402 -- cpu->sched = cputime.sum_exec_runtime + task_delta_exec(p);
5403 -+ cpu->sched = thread_group_sched_runtime(p);
5404 - break;
5405 - }
5406 - return 0;
5407 -diff --git a/kernel/sched.c b/kernel/sched.c
5408 -index 8e2558c..5e80629 100644
5409 ---- a/kernel/sched.c
5410 -+++ b/kernel/sched.c
5411 -@@ -231,13 +231,20 @@ static void start_rt_bandwidth(struct rt_bandwidth *rt_b)
5412 -
5413 - spin_lock(&rt_b->rt_runtime_lock);
5414 - for (;;) {
5415 -+ unsigned long delta;
5416 -+ ktime_t soft, hard;
5417 -+
5418 - if (hrtimer_active(&rt_b->rt_period_timer))
5419 - break;
5420 -
5421 - now = hrtimer_cb_get_time(&rt_b->rt_period_timer);
5422 - hrtimer_forward(&rt_b->rt_period_timer, now, rt_b->rt_period);
5423 -- hrtimer_start_expires(&rt_b->rt_period_timer,
5424 -- HRTIMER_MODE_ABS);
5425 -+
5426 -+ soft = hrtimer_get_softexpires(&rt_b->rt_period_timer);
5427 -+ hard = hrtimer_get_expires(&rt_b->rt_period_timer);
5428 -+ delta = ktime_to_ns(ktime_sub(hard, soft));
5429 -+ __hrtimer_start_range_ns(&rt_b->rt_period_timer, soft, delta,
5430 -+ HRTIMER_MODE_ABS, 0);
5431 - }
5432 - spin_unlock(&rt_b->rt_runtime_lock);
5433 - }
5434 -@@ -1129,7 +1136,8 @@ static __init void init_hrtick(void)
5435 - */
5436 - static void hrtick_start(struct rq *rq, u64 delay)
5437 - {
5438 -- hrtimer_start(&rq->hrtick_timer, ns_to_ktime(delay), HRTIMER_MODE_REL);
5439 -+ __hrtimer_start_range_ns(&rq->hrtick_timer, ns_to_ktime(delay), 0,
5440 -+ HRTIMER_MODE_REL, 0);
5441 - }
5442 -
5443 - static inline void init_hrtick(void)
5444 -@@ -4134,9 +4142,25 @@ DEFINE_PER_CPU(struct kernel_stat, kstat);
5445 - EXPORT_PER_CPU_SYMBOL(kstat);
5446 -
5447 - /*
5448 -- * Return any ns on the sched_clock that have not yet been banked in
5449 -+ * Return any ns on the sched_clock that have not yet been accounted in
5450 - * @p in case that task is currently running.
5451 -+ *
5452 -+ * Called with task_rq_lock() held on @rq.
5453 - */
5454 -+static u64 do_task_delta_exec(struct task_struct *p, struct rq *rq)
5455 -+{
5456 -+ u64 ns = 0;
5457 -+
5458 -+ if (task_current(rq, p)) {
5459 -+ update_rq_clock(rq);
5460 -+ ns = rq->clock - p->se.exec_start;
5461 -+ if ((s64)ns < 0)
5462 -+ ns = 0;
5463 -+ }
5464 -+
5465 -+ return ns;
5466 -+}
5467 -+
5468 - unsigned long long task_delta_exec(struct task_struct *p)
5469 - {
5470 - unsigned long flags;
5471 -@@ -4144,16 +4168,49 @@ unsigned long long task_delta_exec(struct task_struct *p)
5472 - u64 ns = 0;
5473 -
5474 - rq = task_rq_lock(p, &flags);
5475 -+ ns = do_task_delta_exec(p, rq);
5476 -+ task_rq_unlock(rq, &flags);
5477 -
5478 -- if (task_current(rq, p)) {
5479 -- u64 delta_exec;
5480 -+ return ns;
5481 -+}
5482 -
5483 -- update_rq_clock(rq);
5484 -- delta_exec = rq->clock - p->se.exec_start;
5485 -- if ((s64)delta_exec > 0)
5486 -- ns = delta_exec;
5487 -- }
5488 -+/*
5489 -+ * Return accounted runtime for the task.
5490 -+ * In case the task is currently running, return the runtime plus current's
5491 -+ * pending runtime that have not been accounted yet.
5492 -+ */
5493 -+unsigned long long task_sched_runtime(struct task_struct *p)
5494 -+{
5495 -+ unsigned long flags;
5496 -+ struct rq *rq;
5497 -+ u64 ns = 0;
5498 -
5499 -+ rq = task_rq_lock(p, &flags);
5500 -+ ns = p->se.sum_exec_runtime + do_task_delta_exec(p, rq);
5501 -+ task_rq_unlock(rq, &flags);
5502 -+
5503 -+ return ns;
5504 -+}
5505 -+
5506 -+/*
5507 -+ * Return sum_exec_runtime for the thread group.
5508 -+ * In case the task is currently running, return the sum plus current's
5509 -+ * pending runtime that have not been accounted yet.
5510 -+ *
5511 -+ * Note that the thread group might have other running tasks as well,
5512 -+ * so the return value not includes other pending runtime that other
5513 -+ * running tasks might have.
5514 -+ */
5515 -+unsigned long long thread_group_sched_runtime(struct task_struct *p)
5516 -+{
5517 -+ struct task_cputime totals;
5518 -+ unsigned long flags;
5519 -+ struct rq *rq;
5520 -+ u64 ns;
5521 -+
5522 -+ rq = task_rq_lock(p, &flags);
5523 -+ thread_group_cputime(p, &totals);
5524 -+ ns = totals.sum_exec_runtime + do_task_delta_exec(p, rq);
5525 - task_rq_unlock(rq, &flags);
5526 -
5527 - return ns;
5528 -diff --git a/kernel/softirq.c b/kernel/softirq.c
5529 -index 9041ea7..d2b183e 100644
5530 ---- a/kernel/softirq.c
5531 -+++ b/kernel/softirq.c
5532 -@@ -58,7 +58,7 @@ static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
5533 - * to the pending events, so lets the scheduler to balance
5534 - * the softirq load for us.
5535 - */
5536 --static inline void wakeup_softirqd(void)
5537 -+void wakeup_softirqd(void)
5538 - {
5539 - /* Interrupts are disabled: no need to stop preemption */
5540 - struct task_struct *tsk = __get_cpu_var(ksoftirqd);
5541 -diff --git a/kernel/sysctl.c b/kernel/sysctl.c
5542 -index c5ef44f..7755ae7 100644
5543 ---- a/kernel/sysctl.c
5544 -+++ b/kernel/sysctl.c
5545 -@@ -95,12 +95,9 @@ static int sixty = 60;
5546 - static int neg_one = -1;
5547 - #endif
5548 -
5549 --#if defined(CONFIG_MMU) && defined(CONFIG_FILE_LOCKING)
5550 --static int two = 2;
5551 --#endif
5552 --
5553 - static int zero;
5554 - static int one = 1;
5555 -+static int two = 2;
5556 - static unsigned long one_ul = 1;
5557 - static int one_hundred = 100;
5558 -
5559 -@@ -1373,10 +1370,7 @@ static struct ctl_table fs_table[] = {
5560 - .data = &lease_break_time,
5561 - .maxlen = sizeof(int),
5562 - .mode = 0644,
5563 -- .proc_handler = &proc_dointvec_minmax,
5564 -- .strategy = &sysctl_intvec,
5565 -- .extra1 = &zero,
5566 -- .extra2 = &two,
5567 -+ .proc_handler = &proc_dointvec,
5568 - },
5569 - #endif
5570 - #ifdef CONFIG_AIO
5571 -@@ -1417,7 +1411,10 @@ static struct ctl_table fs_table[] = {
5572 - .data = &suid_dumpable,
5573 - .maxlen = sizeof(int),
5574 - .mode = 0644,
5575 -- .proc_handler = &proc_dointvec,
5576 -+ .proc_handler = &proc_dointvec_minmax,
5577 -+ .strategy = &sysctl_intvec,
5578 -+ .extra1 = &zero,
5579 -+ .extra2 = &two,
5580 - },
5581 - #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
5582 - {
5583 -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
5584 -index 17bb88d..b2387c0 100644
5585 ---- a/kernel/trace/trace.c
5586 -+++ b/kernel/trace/trace.c
5587 -@@ -3886,7 +3886,8 @@ __init static int tracer_alloc_buffers(void)
5588 - &trace_panic_notifier);
5589 -
5590 - register_die_notifier(&trace_die_notifier);
5591 -- ret = 0;
5592 -+
5593 -+ return 0;
5594 -
5595 - out_free_cpumask:
5596 - free_cpumask_var(tracing_cpumask);
5597 -diff --git a/lib/cpumask.c b/lib/cpumask.c
5598 -index 3389e24..1f71b97 100644
5599 ---- a/lib/cpumask.c
5600 -+++ b/lib/cpumask.c
5601 -@@ -109,10 +109,10 @@ bool alloc_cpumask_var_node(cpumask_var_t *mask, gfp_t flags, int node)
5602 - #endif
5603 - /* FIXME: Bandaid to save us from old primitives which go to NR_CPUS. */
5604 - if (*mask) {
5605 -+ unsigned char *ptr = (unsigned char *)cpumask_bits(*mask);
5606 - unsigned int tail;
5607 - tail = BITS_TO_LONGS(NR_CPUS - nr_cpumask_bits) * sizeof(long);
5608 -- memset(cpumask_bits(*mask) + cpumask_size() - tail,
5609 -- 0, tail);
5610 -+ memset(ptr + cpumask_size() - tail, 0, tail);
5611 - }
5612 -
5613 - return *mask != NULL;
5614 -diff --git a/mm/filemap_xip.c b/mm/filemap_xip.c
5615 -index 0c04615..427dfe3 100644
5616 ---- a/mm/filemap_xip.c
5617 -+++ b/mm/filemap_xip.c
5618 -@@ -89,8 +89,8 @@ do_xip_mapping_read(struct address_space *mapping,
5619 - }
5620 - }
5621 - nr = nr - offset;
5622 -- if (nr > len)
5623 -- nr = len;
5624 -+ if (nr > len - copied)
5625 -+ nr = len - copied;
5626 -
5627 - error = mapping->a_ops->get_xip_mem(mapping, index, 0,
5628 - &xip_mem, &xip_pfn);
5629 -diff --git a/mm/mmap.c b/mm/mmap.c
5630 -index 00ced3e..f1aa6f9 100644
5631 ---- a/mm/mmap.c
5632 -+++ b/mm/mmap.c
5633 -@@ -1571,7 +1571,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
5634 - * Overcommit.. This must be the final test, as it will
5635 - * update security statistics.
5636 - */
5637 -- if (security_vm_enough_memory(grow))
5638 -+ if (security_vm_enough_memory_mm(mm, grow))
5639 - return -ENOMEM;
5640 -
5641 - /* Ok, everything looks good - let it rip */
5642 -diff --git a/net/core/skbuff.c b/net/core/skbuff.c
5643 -index c6a6b16..eae6954 100644
5644 ---- a/net/core/skbuff.c
5645 -+++ b/net/core/skbuff.c
5646 -@@ -2496,7 +2496,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
5647 - skb_network_header_len(skb));
5648 - skb_copy_from_linear_data(skb, nskb->data, doffset);
5649 -
5650 -- if (pos >= offset + len)
5651 -+ if (fskb != skb_shinfo(skb)->frag_list)
5652 - continue;
5653 -
5654 - if (!sg) {
5655 -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
5656 -index 7ea88b6..39879ae 100644
5657 ---- a/net/ipv4/netfilter/arp_tables.c
5658 -+++ b/net/ipv4/netfilter/arp_tables.c
5659 -@@ -374,7 +374,9 @@ static int mark_source_chains(struct xt_table_info *newinfo,
5660 - && unconditional(&e->arp)) || visited) {
5661 - unsigned int oldpos, size;
5662 -
5663 -- if (t->verdict < -NF_MAX_VERDICT - 1) {
5664 -+ if ((strcmp(t->target.u.user.name,
5665 -+ ARPT_STANDARD_TARGET) == 0) &&
5666 -+ t->verdict < -NF_MAX_VERDICT - 1) {
5667 - duprintf("mark_source_chains: bad "
5668 - "negative verdict (%i)\n",
5669 - t->verdict);
5670 -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
5671 -index ef8b6ca..ec362a3 100644
5672 ---- a/net/ipv4/netfilter/ip_tables.c
5673 -+++ b/net/ipv4/netfilter/ip_tables.c
5674 -@@ -496,7 +496,9 @@ mark_source_chains(struct xt_table_info *newinfo,
5675 - && unconditional(&e->ip)) || visited) {
5676 - unsigned int oldpos, size;
5677 -
5678 -- if (t->verdict < -NF_MAX_VERDICT - 1) {
5679 -+ if ((strcmp(t->target.u.user.name,
5680 -+ IPT_STANDARD_TARGET) == 0) &&
5681 -+ t->verdict < -NF_MAX_VERDICT - 1) {
5682 - duprintf("mark_source_chains: bad "
5683 - "negative verdict (%i)\n",
5684 - t->verdict);
5685 -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
5686 -index a33485d..def375b 100644
5687 ---- a/net/ipv6/netfilter/ip6_tables.c
5688 -+++ b/net/ipv6/netfilter/ip6_tables.c
5689 -@@ -525,7 +525,9 @@ mark_source_chains(struct xt_table_info *newinfo,
5690 - && unconditional(&e->ipv6)) || visited) {
5691 - unsigned int oldpos, size;
5692 -
5693 -- if (t->verdict < -NF_MAX_VERDICT - 1) {
5694 -+ if ((strcmp(t->target.u.user.name,
5695 -+ IP6T_STANDARD_TARGET) == 0) &&
5696 -+ t->verdict < -NF_MAX_VERDICT - 1) {
5697 - duprintf("mark_source_chains: bad "
5698 - "negative verdict (%i)\n",
5699 - t->verdict);
5700 -diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
5701 -index e9c05b8..dcce778 100644
5702 ---- a/net/netrom/af_netrom.c
5703 -+++ b/net/netrom/af_netrom.c
5704 -@@ -1082,7 +1082,13 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
5705 -
5706 - SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
5707 -
5708 -- /* Build a packet */
5709 -+ /* Build a packet - the conventional user limit is 236 bytes. We can
5710 -+ do ludicrously large NetROM frames but must not overflow */
5711 -+ if (len > 65536) {
5712 -+ err = -EMSGSIZE;
5713 -+ goto out;
5714 -+ }
5715 -+
5716 - SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
5717 - size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
5718 -
5719 -diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
5720 -index 0139264..5e75bbf 100644
5721 ---- a/net/rose/af_rose.c
5722 -+++ b/net/rose/af_rose.c
5723 -@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
5724 -
5725 - /* Build a packet */
5726 - SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
5727 -+ /* Sanity check the packet size */
5728 -+ if (len > 65535)
5729 -+ return -EMSGSIZE;
5730 -+
5731 - size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
5732 -
5733 - if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
5734 -diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
5735 -index 9fc5b02..88d80f5 100644
5736 ---- a/net/x25/af_x25.c
5737 -+++ b/net/x25/af_x25.c
5738 -@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
5739 - sx25.sx25_addr = x25->dest_addr;
5740 - }
5741 -
5742 -+ /* Sanity check the packet size */
5743 -+ if (len > 65535) {
5744 -+ rc = -EMSGSIZE;
5745 -+ goto out;
5746 -+ }
5747 -+
5748 - SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
5749 -
5750 - /* Build a packet */
5751 -diff --git a/security/commoncap.c b/security/commoncap.c
5752 -index 7cd61a5..beac025 100644
5753 ---- a/security/commoncap.c
5754 -+++ b/security/commoncap.c
5755 -@@ -916,7 +916,6 @@ changed:
5756 - return commit_creds(new);
5757 -
5758 - no_change:
5759 -- error = 0;
5760 - error:
5761 - abort_creds(new);
5762 - return error;
5763 -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
5764 -index e7ded13..c1c5f36 100644
5765 ---- a/security/smack/smack_lsm.c
5766 -+++ b/security/smack/smack_lsm.c
5767 -@@ -607,6 +607,8 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
5768 - strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
5769 - if (!capable(CAP_MAC_ADMIN))
5770 - rc = -EPERM;
5771 -+ if (size == 0)
5772 -+ rc = -EINVAL;
5773 - } else
5774 - rc = cap_inode_setxattr(dentry, name, value, size, flags);
5775 -
5776 -@@ -1430,7 +1432,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
5777 - struct socket *sock;
5778 - int rc = 0;
5779 -
5780 -- if (value == NULL || size > SMK_LABELLEN)
5781 -+ if (value == NULL || size > SMK_LABELLEN || size == 0)
5782 - return -EACCES;
5783 -
5784 - sp = smk_import(value, size);
5785 -diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
5786 -index d03f992..cef1ce0 100644
5787 ---- a/sound/pci/hda/hda_codec.c
5788 -+++ b/sound/pci/hda/hda_codec.c
5789 -@@ -2003,7 +2003,11 @@ int snd_hda_codec_write_cache(struct hda_codec *codec, hda_nid_t nid,
5790 - err = bus->ops.command(bus, res);
5791 - if (!err) {
5792 - struct hda_cache_head *c;
5793 -- u32 key = build_cmd_cache_key(nid, verb);
5794 -+ u32 key;
5795 -+ /* parm may contain the verb stuff for get/set amp */
5796 -+ verb = verb | (parm >> 8);
5797 -+ parm &= 0xff;
5798 -+ key = build_cmd_cache_key(nid, verb);
5799 - c = get_alloc_hash(&codec->cmd_cache, key);
5800 - if (c)
5801 - c->val = parm;
5802 -diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c
5803 -index e486123..5a6d6d8 100644
5804 ---- a/sound/pci/hda/patch_analog.c
5805 -+++ b/sound/pci/hda/patch_analog.c
5806 -@@ -3239,7 +3239,7 @@ static const char *ad1884_slave_vols[] = {
5807 - "Mic Playback Volume",
5808 - "CD Playback Volume",
5809 - "Internal Mic Playback Volume",
5810 -- "Docking Mic Playback Volume"
5811 -+ "Docking Mic Playback Volume",
5812 - "Beep Playback Volume",
5813 - "IEC958 Playback Volume",
5814 - NULL
5815 -diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
5816 -index 23b81cf..e85a2bc 100644
5817 ---- a/virt/kvm/ioapic.c
5818 -+++ b/virt/kvm/ioapic.c
5819 -@@ -101,6 +101,7 @@ static void ioapic_service(struct kvm_ioapic *ioapic, unsigned int idx)
5820 - static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
5821 - {
5822 - unsigned index;
5823 -+ bool mask_before, mask_after;
5824 -
5825 - switch (ioapic->ioregsel) {
5826 - case IOAPIC_REG_VERSION:
5827 -@@ -120,6 +121,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
5828 - ioapic_debug("change redir index %x val %x\n", index, val);
5829 - if (index >= IOAPIC_NUM_PINS)
5830 - return;
5831 -+ mask_before = ioapic->redirtbl[index].fields.mask;
5832 - if (ioapic->ioregsel & 1) {
5833 - ioapic->redirtbl[index].bits &= 0xffffffff;
5834 - ioapic->redirtbl[index].bits |= (u64) val << 32;
5835 -@@ -128,6 +130,9 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
5836 - ioapic->redirtbl[index].bits |= (u32) val;
5837 - ioapic->redirtbl[index].fields.remote_irr = 0;
5838 - }
5839 -+ mask_after = ioapic->redirtbl[index].fields.mask;
5840 -+ if (mask_before != mask_after)
5841 -+ kvm_fire_mask_notifiers(ioapic->kvm, index, mask_after);
5842 - if (ioapic->irr & (1 << index))
5843 - ioapic_service(ioapic, index);
5844 - break;
5845 -@@ -426,3 +431,4 @@ int kvm_ioapic_init(struct kvm *kvm)
5846 - kvm_io_bus_register_dev(&kvm->mmio_bus, &ioapic->dev);
5847 - return 0;
5848 - }
5849 -+
5850 -diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
5851 -index aa5d1e5..5162a41 100644
5852 ---- a/virt/kvm/irq_comm.c
5853 -+++ b/virt/kvm/irq_comm.c
5854 -@@ -99,3 +99,27 @@ void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id)
5855 - clear_bit(irq_source_id, &kvm->arch.irq_states[i]);
5856 - clear_bit(irq_source_id, &kvm->arch.irq_sources_bitmap);
5857 - }
5858 -+
5859 -+void kvm_register_irq_mask_notifier(struct kvm *kvm, int irq,
5860 -+ struct kvm_irq_mask_notifier *kimn)
5861 -+{
5862 -+ kimn->irq = irq;
5863 -+ hlist_add_head(&kimn->link, &kvm->mask_notifier_list);
5864 -+}
5865 -+
5866 -+void kvm_unregister_irq_mask_notifier(struct kvm *kvm, int irq,
5867 -+ struct kvm_irq_mask_notifier *kimn)
5868 -+{
5869 -+ hlist_del(&kimn->link);
5870 -+}
5871 -+
5872 -+void kvm_fire_mask_notifiers(struct kvm *kvm, int irq, bool mask)
5873 -+{
5874 -+ struct kvm_irq_mask_notifier *kimn;
5875 -+ struct hlist_node *n;
5876 -+
5877 -+ hlist_for_each_entry(kimn, n, &kvm->mask_notifier_list, link)
5878 -+ if (kimn->irq == irq)
5879 -+ kimn->func(kimn, mask);
5880 -+}
5881 -+
5882 -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
5883 -index 29a667c..6723411 100644
5884 ---- a/virt/kvm/kvm_main.c
5885 -+++ b/virt/kvm/kvm_main.c
5886 -@@ -563,7 +563,7 @@ static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
5887 - goto out;
5888 - }
5889 -
5890 -- if (assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
5891 -+ if (match->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
5892 - kvm_deassign_device(kvm, match);
5893 -
5894 - kvm_free_assigned_device(kvm, match);
5895 -@@ -581,8 +581,10 @@ static inline int valid_vcpu(int n)
5896 -
5897 - inline int kvm_is_mmio_pfn(pfn_t pfn)
5898 - {
5899 -- if (pfn_valid(pfn))
5900 -- return PageReserved(pfn_to_page(pfn));
5901 -+ if (pfn_valid(pfn)) {
5902 -+ struct page *page = compound_head(pfn_to_page(pfn));
5903 -+ return PageReserved(page);
5904 -+ }
5905 -
5906 - return true;
5907 - }
5908 -@@ -828,6 +830,9 @@ static struct kvm *kvm_create_vm(void)
5909 -
5910 - if (IS_ERR(kvm))
5911 - goto out;
5912 -+#ifdef CONFIG_HAVE_KVM_IRQCHIP
5913 -+ INIT_HLIST_HEAD(&kvm->mask_notifier_list);
5914 -+#endif
5915 -
5916 - #ifdef KVM_COALESCED_MMIO_PAGE_OFFSET
5917 - page = alloc_page(GFP_KERNEL | __GFP_ZERO);
5918
5919 Deleted: genpatches-2.6/trunk/2.6.30/1002_linux-2.6.29.3.patch
5920 ===================================================================
5921 --- genpatches-2.6/trunk/2.6.30/1002_linux-2.6.29.3.patch 2009-06-05 16:26:11 UTC (rev 1572)
5922 +++ genpatches-2.6/trunk/2.6.30/1002_linux-2.6.29.3.patch 2009-06-05 16:28:49 UTC (rev 1573)
5923 @@ -1,2934 +0,0 @@
5924 -diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
5925 -index d346649..9eed29e 100644
5926 ---- a/arch/powerpc/include/asm/processor.h
5927 -+++ b/arch/powerpc/include/asm/processor.h
5928 -@@ -313,6 +313,25 @@ static inline void prefetchw(const void *x)
5929 - #define HAVE_ARCH_PICK_MMAP_LAYOUT
5930 - #endif
5931 -
5932 -+#ifdef CONFIG_PPC64
5933 -+static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
5934 -+{
5935 -+ unsigned long sp;
5936 -+
5937 -+ if (is_32)
5938 -+ sp = regs->gpr[1] & 0x0ffffffffUL;
5939 -+ else
5940 -+ sp = regs->gpr[1];
5941 -+
5942 -+ return sp;
5943 -+}
5944 -+#else
5945 -+static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
5946 -+{
5947 -+ return regs->gpr[1];
5948 -+}
5949 -+#endif
5950 -+
5951 - #endif /* __KERNEL__ */
5952 - #endif /* __ASSEMBLY__ */
5953 - #endif /* _ASM_POWERPC_PROCESSOR_H */
5954 -diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c
5955 -index a54405e..00b5078 100644
5956 ---- a/arch/powerpc/kernel/signal.c
5957 -+++ b/arch/powerpc/kernel/signal.c
5958 -@@ -26,12 +26,12 @@ int show_unhandled_signals = 0;
5959 - * Allocate space for the signal frame
5960 - */
5961 - void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
5962 -- size_t frame_size)
5963 -+ size_t frame_size, int is_32)
5964 - {
5965 - unsigned long oldsp, newsp;
5966 -
5967 - /* Default to using normal stack */
5968 -- oldsp = regs->gpr[1];
5969 -+ oldsp = get_clean_sp(regs, is_32);
5970 -
5971 - /* Check for alt stack */
5972 - if ((ka->sa.sa_flags & SA_ONSTACK) &&
5973 -diff --git a/arch/powerpc/kernel/signal.h b/arch/powerpc/kernel/signal.h
5974 -index b427bf8..95e1b14 100644
5975 ---- a/arch/powerpc/kernel/signal.h
5976 -+++ b/arch/powerpc/kernel/signal.h
5977 -@@ -15,7 +15,7 @@
5978 - extern void do_signal(struct pt_regs *regs, unsigned long thread_info_flags);
5979 -
5980 - extern void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
5981 -- size_t frame_size);
5982 -+ size_t frame_size, int is_32);
5983 - extern void restore_sigmask(sigset_t *set);
5984 -
5985 - extern int handle_signal32(unsigned long sig, struct k_sigaction *ka,
5986 -diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
5987 -index b13abf3..d670429 100644
5988 ---- a/arch/powerpc/kernel/signal_32.c
5989 -+++ b/arch/powerpc/kernel/signal_32.c
5990 -@@ -836,7 +836,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
5991 -
5992 - /* Set up Signal Frame */
5993 - /* Put a Real Time Context onto stack */
5994 -- rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf));
5995 -+ rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1);
5996 - addr = rt_sf;
5997 - if (unlikely(rt_sf == NULL))
5998 - goto badframe;
5999 -@@ -1182,7 +1182,7 @@ int handle_signal32(unsigned long sig, struct k_sigaction *ka,
6000 - unsigned long newsp = 0;
6001 -
6002 - /* Set up Signal Frame */
6003 -- frame = get_sigframe(ka, regs, sizeof(*frame));
6004 -+ frame = get_sigframe(ka, regs, sizeof(*frame), 1);
6005 - if (unlikely(frame == NULL))
6006 - goto badframe;
6007 - sc = (struct sigcontext __user *) &frame->sctx;
6008 -diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
6009 -index e132891..2fe6fc6 100644
6010 ---- a/arch/powerpc/kernel/signal_64.c
6011 -+++ b/arch/powerpc/kernel/signal_64.c
6012 -@@ -402,7 +402,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
6013 - unsigned long newsp = 0;
6014 - long err = 0;
6015 -
6016 -- frame = get_sigframe(ka, regs, sizeof(*frame));
6017 -+ frame = get_sigframe(ka, regs, sizeof(*frame), 0);
6018 - if (unlikely(frame == NULL))
6019 - goto badframe;
6020 -
6021 -diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
6022 -index 2b54fe0..aa8bc45 100644
6023 ---- a/arch/x86/kernel/xsave.c
6024 -+++ b/arch/x86/kernel/xsave.c
6025 -@@ -89,7 +89,7 @@ int save_i387_xstate(void __user *buf)
6026 -
6027 - if (!used_math())
6028 - return 0;
6029 -- clear_used_math(); /* trigger finit */
6030 -+
6031 - if (task_thread_info(tsk)->status & TS_USEDFPU) {
6032 - /*
6033 - * Start with clearing the user buffer. This will present a
6034 -@@ -114,6 +114,8 @@ int save_i387_xstate(void __user *buf)
6035 - return -1;
6036 - }
6037 -
6038 -+ clear_used_math(); /* trigger finit */
6039 -+
6040 - if (task_thread_info(tsk)->status & TS_XSAVE) {
6041 - struct _fpstate __user *fx = buf;
6042 - struct _xstate __user *x = buf;
6043 -diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
6044 -index 2d4477c..8005da2 100644
6045 ---- a/arch/x86/kvm/mmu.c
6046 -+++ b/arch/x86/kvm/mmu.c
6047 -@@ -797,7 +797,7 @@ static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu,
6048 - ASSERT(is_empty_shadow_page(sp->spt));
6049 - bitmap_zero(sp->slot_bitmap, KVM_MEMORY_SLOTS + KVM_PRIVATE_MEM_SLOTS);
6050 - sp->multimapped = 0;
6051 -- sp->global = 1;
6052 -+ sp->global = 0;
6053 - sp->parent_pte = parent_pte;
6054 - --vcpu->kvm->arch.n_free_mmu_pages;
6055 - return sp;
6056 -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
6057 -index 758b7a1..425423e 100644
6058 ---- a/arch/x86/kvm/x86.c
6059 -+++ b/arch/x86/kvm/x86.c
6060 -@@ -3962,6 +3962,11 @@ EXPORT_SYMBOL_GPL(kvm_put_guest_fpu);
6061 -
6062 - void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
6063 - {
6064 -+ if (vcpu->arch.time_page) {
6065 -+ kvm_release_page_dirty(vcpu->arch.time_page);
6066 -+ vcpu->arch.time_page = NULL;
6067 -+ }
6068 -+
6069 - kvm_x86_ops->vcpu_free(vcpu);
6070 - }
6071 -
6072 -diff --git a/arch/x86/mm/kmmio.c b/arch/x86/mm/kmmio.c
6073 -index 6a518dd..4a68571 100644
6074 ---- a/arch/x86/mm/kmmio.c
6075 -+++ b/arch/x86/mm/kmmio.c
6076 -@@ -87,7 +87,7 @@ static struct kmmio_probe *get_kmmio_probe(unsigned long addr)
6077 - {
6078 - struct kmmio_probe *p;
6079 - list_for_each_entry_rcu(p, &kmmio_probes, list) {
6080 -- if (addr >= p->addr && addr <= (p->addr + p->len))
6081 -+ if (addr >= p->addr && addr < (p->addr + p->len))
6082 - return p;
6083 - }
6084 - return NULL;
6085 -diff --git a/arch/x86/pci/mmconfig-shared.c b/arch/x86/pci/mmconfig-shared.c
6086 -index 89bf924..9136946 100644
6087 ---- a/arch/x86/pci/mmconfig-shared.c
6088 -+++ b/arch/x86/pci/mmconfig-shared.c
6089 -@@ -254,7 +254,7 @@ static acpi_status __init check_mcfg_resource(struct acpi_resource *res,
6090 - if (!fixmem32)
6091 - return AE_OK;
6092 - if ((mcfg_res->start >= fixmem32->address) &&
6093 -- (mcfg_res->end < (fixmem32->address +
6094 -+ (mcfg_res->end <= (fixmem32->address +
6095 - fixmem32->address_length))) {
6096 - mcfg_res->flags = 1;
6097 - return AE_CTRL_TERMINATE;
6098 -@@ -271,7 +271,7 @@ static acpi_status __init check_mcfg_resource(struct acpi_resource *res,
6099 - return AE_OK;
6100 -
6101 - if ((mcfg_res->start >= address.minimum) &&
6102 -- (mcfg_res->end < (address.minimum + address.address_length))) {
6103 -+ (mcfg_res->end <= (address.minimum + address.address_length))) {
6104 - mcfg_res->flags = 1;
6105 - return AE_CTRL_TERMINATE;
6106 - }
6107 -@@ -318,7 +318,7 @@ static int __init is_mmconf_reserved(check_reserved_t is_reserved,
6108 - u64 old_size = size;
6109 - int valid = 0;
6110 -
6111 -- while (!is_reserved(addr, addr + size - 1, E820_RESERVED)) {
6112 -+ while (!is_reserved(addr, addr + size, E820_RESERVED)) {
6113 - size >>= 1;
6114 - if (size < (16UL<<20))
6115 - break;
6116 -diff --git a/block/genhd.c b/block/genhd.c
6117 -index a9ec910..1a4916e 100644
6118 ---- a/block/genhd.c
6119 -+++ b/block/genhd.c
6120 -@@ -98,7 +98,7 @@ void disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
6121 -
6122 - if (flags & DISK_PITER_REVERSE)
6123 - piter->idx = ptbl->len - 1;
6124 -- else if (flags & DISK_PITER_INCL_PART0)
6125 -+ else if (flags & (DISK_PITER_INCL_PART0 | DISK_PITER_INCL_EMPTY_PART0))
6126 - piter->idx = 0;
6127 - else
6128 - piter->idx = 1;
6129 -@@ -134,7 +134,8 @@ struct hd_struct *disk_part_iter_next(struct disk_part_iter *piter)
6130 - /* determine iteration parameters */
6131 - if (piter->flags & DISK_PITER_REVERSE) {
6132 - inc = -1;
6133 -- if (piter->flags & DISK_PITER_INCL_PART0)
6134 -+ if (piter->flags & (DISK_PITER_INCL_PART0 |
6135 -+ DISK_PITER_INCL_EMPTY_PART0))
6136 - end = -1;
6137 - else
6138 - end = 0;
6139 -@@ -150,7 +151,10 @@ struct hd_struct *disk_part_iter_next(struct disk_part_iter *piter)
6140 - part = rcu_dereference(ptbl->part[piter->idx]);
6141 - if (!part)
6142 - continue;
6143 -- if (!(piter->flags & DISK_PITER_INCL_EMPTY) && !part->nr_sects)
6144 -+ if (!part->nr_sects &&
6145 -+ !(piter->flags & DISK_PITER_INCL_EMPTY) &&
6146 -+ !(piter->flags & DISK_PITER_INCL_EMPTY_PART0 &&
6147 -+ piter->idx == 0))
6148 - continue;
6149 -
6150 - get_device(part_to_dev(part));
6151 -@@ -1011,7 +1015,7 @@ static int diskstats_show(struct seq_file *seqf, void *v)
6152 - "\n\n");
6153 - */
6154 -
6155 -- disk_part_iter_init(&piter, gp, DISK_PITER_INCL_PART0);
6156 -+ disk_part_iter_init(&piter, gp, DISK_PITER_INCL_EMPTY_PART0);
6157 - while ((hd = disk_part_iter_next(&piter))) {
6158 - cpu = part_stat_lock();
6159 - part_round_stats(cpu, hd);
6160 -diff --git a/drivers/acpi/acpica/rscreate.c b/drivers/acpi/acpica/rscreate.c
6161 -index 61566b1..2b60413 100644
6162 ---- a/drivers/acpi/acpica/rscreate.c
6163 -+++ b/drivers/acpi/acpica/rscreate.c
6164 -@@ -191,8 +191,6 @@ acpi_rs_create_pci_routing_table(union acpi_operand_object *package_object,
6165 - user_prt = ACPI_CAST_PTR(struct acpi_pci_routing_table, buffer);
6166 -
6167 - for (index = 0; index < number_of_elements; index++) {
6168 -- int source_name_index = 2;
6169 -- int source_index_index = 3;
6170 -
6171 - /*
6172 - * Point user_prt past this current structure
6173 -@@ -261,27 +259,6 @@ acpi_rs_create_pci_routing_table(union acpi_operand_object *package_object,
6174 - return_ACPI_STATUS(AE_BAD_DATA);
6175 - }
6176 -
6177 -- /*
6178 -- * If BIOS erroneously reversed the _PRT source_name and source_index,
6179 -- * then reverse them back.
6180 -- */
6181 -- if (ACPI_GET_OBJECT_TYPE(sub_object_list[3]) !=
6182 -- ACPI_TYPE_INTEGER) {
6183 -- if (acpi_gbl_enable_interpreter_slack) {
6184 -- source_name_index = 3;
6185 -- source_index_index = 2;
6186 -- printk(KERN_WARNING
6187 -- "ACPI: Handling Garbled _PRT entry\n");
6188 -- } else {
6189 -- ACPI_ERROR((AE_INFO,
6190 -- "(PRT[%X].source_index) Need Integer, found %s",
6191 -- index,
6192 -- acpi_ut_get_object_type_name
6193 -- (sub_object_list[3])));
6194 -- return_ACPI_STATUS(AE_BAD_DATA);
6195 -- }
6196 -- }
6197 --
6198 - user_prt->pin = (u32) obj_desc->integer.value;
6199 -
6200 - /*
6201 -@@ -305,7 +282,7 @@ acpi_rs_create_pci_routing_table(union acpi_operand_object *package_object,
6202 - * 3) Third subobject: Dereference the PRT.source_name
6203 - * The name may be unresolved (slack mode), so allow a null object
6204 - */
6205 -- obj_desc = sub_object_list[source_name_index];
6206 -+ obj_desc = sub_object_list[2];
6207 - if (obj_desc) {
6208 - switch (ACPI_GET_OBJECT_TYPE(obj_desc)) {
6209 - case ACPI_TYPE_LOCAL_REFERENCE:
6210 -@@ -379,7 +356,7 @@ acpi_rs_create_pci_routing_table(union acpi_operand_object *package_object,
6211 -
6212 - /* 4) Fourth subobject: Dereference the PRT.source_index */
6213 -
6214 -- obj_desc = sub_object_list[source_index_index];
6215 -+ obj_desc = sub_object_list[3];
6216 - if (ACPI_GET_OBJECT_TYPE(obj_desc) != ACPI_TYPE_INTEGER) {
6217 - ACPI_ERROR((AE_INFO,
6218 - "(PRT[%X].SourceIndex) Need Integer, found %s",
6219 -diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
6220 -index d0e563e..86e83f8 100644
6221 ---- a/drivers/char/hw_random/virtio-rng.c
6222 -+++ b/drivers/char/hw_random/virtio-rng.c
6223 -@@ -37,9 +37,9 @@ static void random_recv_done(struct virtqueue *vq)
6224 - {
6225 - int len;
6226 -
6227 -- /* We never get spurious callbacks. */
6228 -+ /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */
6229 - if (!vq->vq_ops->get_buf(vq, &len))
6230 -- BUG();
6231 -+ return;
6232 -
6233 - data_left = len / sizeof(random_data[0]);
6234 - complete(&have_data);
6235 -diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
6236 -index d9e751b..af9761c 100644
6237 ---- a/drivers/crypto/ixp4xx_crypto.c
6238 -+++ b/drivers/crypto/ixp4xx_crypto.c
6239 -@@ -101,6 +101,7 @@ struct buffer_desc {
6240 - u32 phys_addr;
6241 - u32 __reserved[4];
6242 - struct buffer_desc *next;
6243 -+ enum dma_data_direction dir;
6244 - };
6245 -
6246 - struct crypt_ctl {
6247 -@@ -132,14 +133,10 @@ struct crypt_ctl {
6248 - struct ablk_ctx {
6249 - struct buffer_desc *src;
6250 - struct buffer_desc *dst;
6251 -- unsigned src_nents;
6252 -- unsigned dst_nents;
6253 - };
6254 -
6255 - struct aead_ctx {
6256 - struct buffer_desc *buffer;
6257 -- unsigned short assoc_nents;
6258 -- unsigned short src_nents;
6259 - struct scatterlist ivlist;
6260 - /* used when the hmac is not on one sg entry */
6261 - u8 *hmac_virt;
6262 -@@ -312,7 +309,7 @@ static struct crypt_ctl *get_crypt_desc_emerg(void)
6263 - }
6264 - }
6265 -
6266 --static void free_buf_chain(struct buffer_desc *buf, u32 phys)
6267 -+static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys)
6268 - {
6269 - while (buf) {
6270 - struct buffer_desc *buf1;
6271 -@@ -320,6 +317,7 @@ static void free_buf_chain(struct buffer_desc *buf, u32 phys)
6272 -
6273 - buf1 = buf->next;
6274 - phys1 = buf->phys_next;
6275 -+ dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir);
6276 - dma_pool_free(buffer_pool, buf, phys);
6277 - buf = buf1;
6278 - phys = phys1;
6279 -@@ -348,7 +346,6 @@ static void one_packet(dma_addr_t phys)
6280 - struct crypt_ctl *crypt;
6281 - struct ixp_ctx *ctx;
6282 - int failed;
6283 -- enum dma_data_direction src_direction = DMA_BIDIRECTIONAL;
6284 -
6285 - failed = phys & 0x1 ? -EBADMSG : 0;
6286 - phys &= ~0x3;
6287 -@@ -358,13 +355,8 @@ static void one_packet(dma_addr_t phys)
6288 - case CTL_FLAG_PERFORM_AEAD: {
6289 - struct aead_request *req = crypt->data.aead_req;
6290 - struct aead_ctx *req_ctx = aead_request_ctx(req);
6291 -- dma_unmap_sg(dev, req->assoc, req_ctx->assoc_nents,
6292 -- DMA_TO_DEVICE);
6293 -- dma_unmap_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL);
6294 -- dma_unmap_sg(dev, req->src, req_ctx->src_nents,
6295 -- DMA_BIDIRECTIONAL);
6296 -
6297 -- free_buf_chain(req_ctx->buffer, crypt->src_buf);
6298 -+ free_buf_chain(dev, req_ctx->buffer, crypt->src_buf);
6299 - if (req_ctx->hmac_virt) {
6300 - finish_scattered_hmac(crypt);
6301 - }
6302 -@@ -374,16 +366,11 @@ static void one_packet(dma_addr_t phys)
6303 - case CTL_FLAG_PERFORM_ABLK: {
6304 - struct ablkcipher_request *req = crypt->data.ablk_req;
6305 - struct ablk_ctx *req_ctx = ablkcipher_request_ctx(req);
6306 -- int nents;
6307 -+
6308 - if (req_ctx->dst) {
6309 -- nents = req_ctx->dst_nents;
6310 -- dma_unmap_sg(dev, req->dst, nents, DMA_FROM_DEVICE);
6311 -- free_buf_chain(req_ctx->dst, crypt->dst_buf);
6312 -- src_direction = DMA_TO_DEVICE;
6313 -+ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
6314 - }
6315 -- nents = req_ctx->src_nents;
6316 -- dma_unmap_sg(dev, req->src, nents, src_direction);
6317 -- free_buf_chain(req_ctx->src, crypt->src_buf);
6318 -+ free_buf_chain(dev, req_ctx->src, crypt->src_buf);
6319 - req->base.complete(&req->base, failed);
6320 - break;
6321 - }
6322 -@@ -750,56 +737,35 @@ static int setup_cipher(struct crypto_tfm *tfm, int encrypt,
6323 - return 0;
6324 - }
6325 -
6326 --static int count_sg(struct scatterlist *sg, int nbytes)
6327 -+static struct buffer_desc *chainup_buffers(struct device *dev,
6328 -+ struct scatterlist *sg, unsigned nbytes,
6329 -+ struct buffer_desc *buf, gfp_t flags,
6330 -+ enum dma_data_direction dir)
6331 - {
6332 -- int i;
6333 -- for (i = 0; nbytes > 0; i++, sg = sg_next(sg))
6334 -- nbytes -= sg->length;
6335 -- return i;
6336 --}
6337 --
6338 --static struct buffer_desc *chainup_buffers(struct scatterlist *sg,
6339 -- unsigned nbytes, struct buffer_desc *buf, gfp_t flags)
6340 --{
6341 -- int nents = 0;
6342 --
6343 -- while (nbytes > 0) {
6344 -+ for (;nbytes > 0; sg = scatterwalk_sg_next(sg)) {
6345 -+ unsigned len = min(nbytes, sg->length);
6346 - struct buffer_desc *next_buf;
6347 - u32 next_buf_phys;
6348 -- unsigned len = min(nbytes, sg_dma_len(sg));
6349 -+ void *ptr;
6350 -
6351 -- nents++;
6352 - nbytes -= len;
6353 -- if (!buf->phys_addr) {
6354 -- buf->phys_addr = sg_dma_address(sg);
6355 -- buf->buf_len = len;
6356 -- buf->next = NULL;
6357 -- buf->phys_next = 0;
6358 -- goto next;
6359 -- }
6360 -- /* Two consecutive chunks on one page may be handled by the old
6361 -- * buffer descriptor, increased by the length of the new one
6362 -- */
6363 -- if (sg_dma_address(sg) == buf->phys_addr + buf->buf_len) {
6364 -- buf->buf_len += len;
6365 -- goto next;
6366 -- }
6367 -+ ptr = page_address(sg_page(sg)) + sg->offset;
6368 - next_buf = dma_pool_alloc(buffer_pool, flags, &next_buf_phys);
6369 -- if (!next_buf)
6370 -- return NULL;
6371 -+ if (!next_buf) {
6372 -+ buf = NULL;
6373 -+ break;
6374 -+ }
6375 -+ sg_dma_address(sg) = dma_map_single(dev, ptr, len, dir);
6376 - buf->next = next_buf;
6377 - buf->phys_next = next_buf_phys;
6378 --
6379 - buf = next_buf;
6380 -- buf->next = NULL;
6381 -- buf->phys_next = 0;
6382 -+
6383 - buf->phys_addr = sg_dma_address(sg);
6384 - buf->buf_len = len;
6385 --next:
6386 -- if (nbytes > 0) {
6387 -- sg = sg_next(sg);
6388 -- }
6389 -+ buf->dir = dir;
6390 - }
6391 -+ buf->next = NULL;
6392 -+ buf->phys_next = 0;
6393 - return buf;
6394 - }
6395 -
6396 -@@ -860,12 +826,12 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt)
6397 - struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
6398 - struct ixp_ctx *ctx = crypto_ablkcipher_ctx(tfm);
6399 - unsigned ivsize = crypto_ablkcipher_ivsize(tfm);
6400 -- int ret = -ENOMEM;
6401 - struct ix_sa_dir *dir;
6402 - struct crypt_ctl *crypt;
6403 -- unsigned int nbytes = req->nbytes, nents;
6404 -+ unsigned int nbytes = req->nbytes;
6405 - enum dma_data_direction src_direction = DMA_BIDIRECTIONAL;
6406 - struct ablk_ctx *req_ctx = ablkcipher_request_ctx(req);
6407 -+ struct buffer_desc src_hook;
6408 - gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
6409 - GFP_KERNEL : GFP_ATOMIC;
6410 -
6411 -@@ -878,7 +844,7 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt)
6412 -
6413 - crypt = get_crypt_desc();
6414 - if (!crypt)
6415 -- return ret;
6416 -+ return -ENOMEM;
6417 -
6418 - crypt->data.ablk_req = req;
6419 - crypt->crypto_ctx = dir->npe_ctx_phys;
6420 -@@ -891,53 +857,41 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt)
6421 - BUG_ON(ivsize && !req->info);
6422 - memcpy(crypt->iv, req->info, ivsize);
6423 - if (req->src != req->dst) {
6424 -+ struct buffer_desc dst_hook;
6425 - crypt->mode |= NPE_OP_NOT_IN_PLACE;
6426 -- nents = count_sg(req->dst, nbytes);
6427 - /* This was never tested by Intel
6428 - * for more than one dst buffer, I think. */
6429 -- BUG_ON(nents != 1);
6430 -- req_ctx->dst_nents = nents;
6431 -- dma_map_sg(dev, req->dst, nents, DMA_FROM_DEVICE);
6432 -- req_ctx->dst = dma_pool_alloc(buffer_pool, flags,&crypt->dst_buf);
6433 -- if (!req_ctx->dst)
6434 -- goto unmap_sg_dest;
6435 -- req_ctx->dst->phys_addr = 0;
6436 -- if (!chainup_buffers(req->dst, nbytes, req_ctx->dst, flags))
6437 -+ BUG_ON(req->dst->length < nbytes);
6438 -+ req_ctx->dst = NULL;
6439 -+ if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook,
6440 -+ flags, DMA_FROM_DEVICE))
6441 - goto free_buf_dest;
6442 - src_direction = DMA_TO_DEVICE;
6443 -+ req_ctx->dst = dst_hook.next;
6444 -+ crypt->dst_buf = dst_hook.phys_next;
6445 - } else {
6446 - req_ctx->dst = NULL;
6447 -- req_ctx->dst_nents = 0;
6448 - }
6449 -- nents = count_sg(req->src, nbytes);
6450 -- req_ctx->src_nents = nents;
6451 -- dma_map_sg(dev, req->src, nents, src_direction);
6452 --
6453 -- req_ctx->src = dma_pool_alloc(buffer_pool, flags, &crypt->src_buf);
6454 -- if (!req_ctx->src)
6455 -- goto unmap_sg_src;
6456 -- req_ctx->src->phys_addr = 0;
6457 -- if (!chainup_buffers(req->src, nbytes, req_ctx->src, flags))
6458 -+ req_ctx->src = NULL;
6459 -+ if (!chainup_buffers(dev, req->src, nbytes, &src_hook,
6460 -+ flags, src_direction))
6461 - goto free_buf_src;
6462 -
6463 -+ req_ctx->src = src_hook.next;
6464 -+ crypt->src_buf = src_hook.phys_next;
6465 - crypt->ctl_flags |= CTL_FLAG_PERFORM_ABLK;
6466 - qmgr_put_entry(SEND_QID, crypt_virt2phys(crypt));
6467 - BUG_ON(qmgr_stat_overflow(SEND_QID));
6468 - return -EINPROGRESS;
6469 -
6470 - free_buf_src:
6471 -- free_buf_chain(req_ctx->src, crypt->src_buf);
6472 --unmap_sg_src:
6473 -- dma_unmap_sg(dev, req->src, req_ctx->src_nents, src_direction);
6474 -+ free_buf_chain(dev, req_ctx->src, crypt->src_buf);
6475 - free_buf_dest:
6476 - if (req->src != req->dst) {
6477 -- free_buf_chain(req_ctx->dst, crypt->dst_buf);
6478 --unmap_sg_dest:
6479 -- dma_unmap_sg(dev, req->src, req_ctx->dst_nents,
6480 -- DMA_FROM_DEVICE);
6481 -+ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
6482 - }
6483 - crypt->ctl_flags = CTL_FLAG_UNUSED;
6484 -- return ret;
6485 -+ return -ENOMEM;
6486 - }
6487 -
6488 - static int ablk_encrypt(struct ablkcipher_request *req)
6489 -@@ -985,7 +939,7 @@ static int hmac_inconsistent(struct scatterlist *sg, unsigned start,
6490 - break;
6491 -
6492 - offset += sg->length;
6493 -- sg = sg_next(sg);
6494 -+ sg = scatterwalk_sg_next(sg);
6495 - }
6496 - return (start + nbytes > offset + sg->length);
6497 - }
6498 -@@ -997,11 +951,10 @@ static int aead_perform(struct aead_request *req, int encrypt,
6499 - struct ixp_ctx *ctx = crypto_aead_ctx(tfm);
6500 - unsigned ivsize = crypto_aead_ivsize(tfm);
6501 - unsigned authsize = crypto_aead_authsize(tfm);
6502 -- int ret = -ENOMEM;
6503 - struct ix_sa_dir *dir;
6504 - struct crypt_ctl *crypt;
6505 -- unsigned int cryptlen, nents;
6506 -- struct buffer_desc *buf;
6507 -+ unsigned int cryptlen;
6508 -+ struct buffer_desc *buf, src_hook;
6509 - struct aead_ctx *req_ctx = aead_request_ctx(req);
6510 - gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
6511 - GFP_KERNEL : GFP_ATOMIC;
6512 -@@ -1022,7 +975,7 @@ static int aead_perform(struct aead_request *req, int encrypt,
6513 - }
6514 - crypt = get_crypt_desc();
6515 - if (!crypt)
6516 -- return ret;
6517 -+ return -ENOMEM;
6518 -
6519 - crypt->data.aead_req = req;
6520 - crypt->crypto_ctx = dir->npe_ctx_phys;
6521 -@@ -1041,31 +994,27 @@ static int aead_perform(struct aead_request *req, int encrypt,
6522 - BUG(); /* -ENOTSUP because of my lazyness */
6523 - }
6524 -
6525 -- req_ctx->buffer = dma_pool_alloc(buffer_pool, flags, &crypt->src_buf);
6526 -- if (!req_ctx->buffer)
6527 -- goto out;
6528 -- req_ctx->buffer->phys_addr = 0;
6529 - /* ASSOC data */
6530 -- nents = count_sg(req->assoc, req->assoclen);
6531 -- req_ctx->assoc_nents = nents;
6532 -- dma_map_sg(dev, req->assoc, nents, DMA_TO_DEVICE);
6533 -- buf = chainup_buffers(req->assoc, req->assoclen, req_ctx->buffer,flags);
6534 -+ buf = chainup_buffers(dev, req->assoc, req->assoclen, &src_hook,
6535 -+ flags, DMA_TO_DEVICE);
6536 -+ req_ctx->buffer = src_hook.next;
6537 -+ crypt->src_buf = src_hook.phys_next;
6538 - if (!buf)
6539 -- goto unmap_sg_assoc;
6540 -+ goto out;
6541 - /* IV */
6542 - sg_init_table(&req_ctx->ivlist, 1);
6543 - sg_set_buf(&req_ctx->ivlist, iv, ivsize);
6544 -- dma_map_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL);
6545 -- buf = chainup_buffers(&req_ctx->ivlist, ivsize, buf, flags);
6546 -+ buf = chainup_buffers(dev, &req_ctx->ivlist, ivsize, buf, flags,
6547 -+ DMA_BIDIRECTIONAL);
6548 - if (!buf)
6549 -- goto unmap_sg_iv;
6550 -+ goto free_chain;
6551 - if (unlikely(hmac_inconsistent(req->src, cryptlen, authsize))) {
6552 - /* The 12 hmac bytes are scattered,
6553 - * we need to copy them into a safe buffer */
6554 - req_ctx->hmac_virt = dma_pool_alloc(buffer_pool, flags,
6555 - &crypt->icv_rev_aes);
6556 - if (unlikely(!req_ctx->hmac_virt))
6557 -- goto unmap_sg_iv;
6558 -+ goto free_chain;
6559 - if (!encrypt) {
6560 - scatterwalk_map_and_copy(req_ctx->hmac_virt,
6561 - req->src, cryptlen, authsize, 0);
6562 -@@ -1075,33 +1024,28 @@ static int aead_perform(struct aead_request *req, int encrypt,
6563 - req_ctx->hmac_virt = NULL;
6564 - }
6565 - /* Crypt */
6566 -- nents = count_sg(req->src, cryptlen + authsize);
6567 -- req_ctx->src_nents = nents;
6568 -- dma_map_sg(dev, req->src, nents, DMA_BIDIRECTIONAL);
6569 -- buf = chainup_buffers(req->src, cryptlen + authsize, buf, flags);
6570 -+ buf = chainup_buffers(dev, req->src, cryptlen + authsize, buf, flags,
6571 -+ DMA_BIDIRECTIONAL);
6572 - if (!buf)
6573 -- goto unmap_sg_src;
6574 -+ goto free_hmac_virt;
6575 - if (!req_ctx->hmac_virt) {
6576 - crypt->icv_rev_aes = buf->phys_addr + buf->buf_len - authsize;
6577 - }
6578 -+
6579 - crypt->ctl_flags |= CTL_FLAG_PERFORM_AEAD;
6580 - qmgr_put_entry(SEND_QID, crypt_virt2phys(crypt));
6581 - BUG_ON(qmgr_stat_overflow(SEND_QID));
6582 - return -EINPROGRESS;
6583 --unmap_sg_src:
6584 -- dma_unmap_sg(dev, req->src, req_ctx->src_nents, DMA_BIDIRECTIONAL);
6585 -+free_hmac_virt:
6586 - if (req_ctx->hmac_virt) {
6587 - dma_pool_free(buffer_pool, req_ctx->hmac_virt,
6588 - crypt->icv_rev_aes);
6589 - }
6590 --unmap_sg_iv:
6591 -- dma_unmap_sg(dev, &req_ctx->ivlist, 1, DMA_BIDIRECTIONAL);
6592 --unmap_sg_assoc:
6593 -- dma_unmap_sg(dev, req->assoc, req_ctx->assoc_nents, DMA_TO_DEVICE);
6594 -- free_buf_chain(req_ctx->buffer, crypt->src_buf);
6595 -+free_chain:
6596 -+ free_buf_chain(dev, req_ctx->buffer, crypt->src_buf);
6597 - out:
6598 - crypt->ctl_flags = CTL_FLAG_UNUSED;
6599 -- return ret;
6600 -+ return -ENOMEM;
6601 - }
6602 -
6603 - static int aead_setup(struct crypto_aead *tfm, unsigned int authsize)
6604 -diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
6605 -index d6cc986..9239747 100644
6606 ---- a/drivers/gpu/drm/i915/i915_drv.h
6607 -+++ b/drivers/gpu/drm/i915/i915_drv.h
6608 -@@ -773,7 +773,8 @@ extern int i915_wait_ring(struct drm_device * dev, int n, const char *caller);
6609 - (dev)->pci_device == 0x2A42 || \
6610 - (dev)->pci_device == 0x2E02 || \
6611 - (dev)->pci_device == 0x2E12 || \
6612 -- (dev)->pci_device == 0x2E22)
6613 -+ (dev)->pci_device == 0x2E22 || \
6614 -+ (dev)->pci_device == 0x2E32)
6615 -
6616 - #define IS_I965GM(dev) ((dev)->pci_device == 0x2A02)
6617 -
6618 -@@ -782,6 +783,7 @@ extern int i915_wait_ring(struct drm_device * dev, int n, const char *caller);
6619 - #define IS_G4X(dev) ((dev)->pci_device == 0x2E02 || \
6620 - (dev)->pci_device == 0x2E12 || \
6621 - (dev)->pci_device == 0x2E22 || \
6622 -+ (dev)->pci_device == 0x2E32 || \
6623 - IS_GM45(dev))
6624 -
6625 - #define IS_G33(dev) ((dev)->pci_device == 0x29C2 || \
6626 -diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
6627 -index cc2938d..a787fb8 100644
6628 ---- a/drivers/gpu/drm/i915/i915_reg.h
6629 -+++ b/drivers/gpu/drm/i915/i915_reg.h
6630 -@@ -1431,6 +1431,7 @@
6631 - #define DISPPLANE_NO_LINE_DOUBLE 0
6632 - #define DISPPLANE_STEREO_POLARITY_FIRST 0
6633 - #define DISPPLANE_STEREO_POLARITY_SECOND (1<<18)
6634 -+#define DISPPLANE_TILED (1<<10)
6635 - #define DSPAADDR 0x70184
6636 - #define DSPASTRIDE 0x70188
6637 - #define DSPAPOS 0x7018C /* reserved */
6638 -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
6639 -index 601a76f..254c5ca 100644
6640 ---- a/drivers/gpu/drm/i915/intel_display.c
6641 -+++ b/drivers/gpu/drm/i915/intel_display.c
6642 -@@ -338,6 +338,7 @@ intel_pipe_set_base(struct drm_crtc *crtc, int x, int y,
6643 - int dspbase = (pipe == 0 ? DSPAADDR : DSPBADDR);
6644 - int dspsurf = (pipe == 0 ? DSPASURF : DSPBSURF);
6645 - int dspstride = (pipe == 0) ? DSPASTRIDE : DSPBSTRIDE;
6646 -+ int dsptileoff = (pipe == 0 ? DSPATILEOFF : DSPBTILEOFF);
6647 - int dspcntr_reg = (pipe == 0) ? DSPACNTR : DSPBCNTR;
6648 - u32 dspcntr, alignment;
6649 - int ret;
6650 -@@ -414,6 +415,13 @@ intel_pipe_set_base(struct drm_crtc *crtc, int x, int y,
6651 - mutex_unlock(&dev->struct_mutex);
6652 - return -EINVAL;
6653 - }
6654 -+ if (IS_I965G(dev)) {
6655 -+ if (obj_priv->tiling_mode != I915_TILING_NONE)
6656 -+ dspcntr |= DISPPLANE_TILED;
6657 -+ else
6658 -+ dspcntr &= ~DISPPLANE_TILED;
6659 -+ }
6660 -+
6661 - I915_WRITE(dspcntr_reg, dspcntr);
6662 -
6663 - Start = obj_priv->gtt_offset;
6664 -@@ -426,6 +434,7 @@ intel_pipe_set_base(struct drm_crtc *crtc, int x, int y,
6665 - I915_READ(dspbase);
6666 - I915_WRITE(dspsurf, Start);
6667 - I915_READ(dspsurf);
6668 -+ I915_WRITE(dsptileoff, (y << 16) | x);
6669 - } else {
6670 - I915_WRITE(dspbase, Start + Offset);
6671 - I915_READ(dspbase);
6672 -diff --git a/drivers/ide/cs5536.c b/drivers/ide/cs5536.c
6673 -index 7a62db7..dc89bc2 100644
6674 ---- a/drivers/ide/cs5536.c
6675 -+++ b/drivers/ide/cs5536.c
6676 -@@ -237,6 +237,7 @@ static const struct ide_dma_ops cs5536_dma_ops = {
6677 - .dma_test_irq = ide_dma_test_irq,
6678 - .dma_lost_irq = ide_dma_lost_irq,
6679 - .dma_timeout = ide_dma_timeout,
6680 -+ .dma_sff_read_status = ide_dma_sff_read_status,
6681 - };
6682 -
6683 - static const struct ide_port_info cs5536_info = {
6684 -diff --git a/drivers/net/b44.c b/drivers/net/b44.c
6685 -index dc5f051..c2ffa8c 100644
6686 ---- a/drivers/net/b44.c
6687 -+++ b/drivers/net/b44.c
6688 -@@ -750,7 +750,7 @@ static void b44_recycle_rx(struct b44 *bp, int src_idx, u32 dest_idx_unmasked)
6689 - dest_idx * sizeof(dest_desc),
6690 - DMA_BIDIRECTIONAL);
6691 -
6692 -- ssb_dma_sync_single_for_device(bp->sdev, le32_to_cpu(src_desc->addr),
6693 -+ ssb_dma_sync_single_for_device(bp->sdev, dest_map->mapping,
6694 - RX_PKT_BUF_SZ,
6695 - DMA_FROM_DEVICE);
6696 - }
6697 -diff --git a/drivers/net/forcedeth.c b/drivers/net/forcedeth.c
6698 -index b8251e8..df0794e 100644
6699 ---- a/drivers/net/forcedeth.c
6700 -+++ b/drivers/net/forcedeth.c
6701 -@@ -5995,6 +5995,9 @@ static int nv_resume(struct pci_dev *pdev)
6702 - for (i = 0;i <= np->register_size/sizeof(u32); i++)
6703 - writel(np->saved_config_space[i], base+i*sizeof(u32));
6704 -
6705 -+ /* restore phy state, including autoneg */
6706 -+ phy_init(dev);
6707 -+
6708 - netif_device_attach(dev);
6709 - if (netif_running(dev)) {
6710 - rc = nv_open(dev);
6711 -diff --git a/drivers/net/mv643xx_eth.c b/drivers/net/mv643xx_eth.c
6712 -index b0bc3bc..67bb769 100644
6713 ---- a/drivers/net/mv643xx_eth.c
6714 -+++ b/drivers/net/mv643xx_eth.c
6715 -@@ -372,12 +372,12 @@ struct mv643xx_eth_private {
6716 - struct work_struct tx_timeout_task;
6717 -
6718 - struct napi_struct napi;
6719 -+ u8 oom;
6720 - u8 work_link;
6721 - u8 work_tx;
6722 - u8 work_tx_end;
6723 - u8 work_rx;
6724 - u8 work_rx_refill;
6725 -- u8 work_rx_oom;
6726 -
6727 - int skb_size;
6728 - struct sk_buff_head rx_recycle;
6729 -@@ -603,7 +603,7 @@ static int rxq_refill(struct rx_queue *rxq, int budget)
6730 - dma_get_cache_alignment() - 1);
6731 -
6732 - if (skb == NULL) {
6733 -- mp->work_rx_oom |= 1 << rxq->index;
6734 -+ mp->oom = 1;
6735 - goto oom;
6736 - }
6737 -
6738 -@@ -1177,7 +1177,6 @@ static void mib_counters_update(struct mv643xx_eth_private *mp)
6739 -
6740 - spin_lock_bh(&mp->mib_counters_lock);
6741 - p->good_octets_received += mib_read(mp, 0x00);
6742 -- p->good_octets_received += (u64)mib_read(mp, 0x04) << 32;
6743 - p->bad_octets_received += mib_read(mp, 0x08);
6744 - p->internal_mac_transmit_err += mib_read(mp, 0x0c);
6745 - p->good_frames_received += mib_read(mp, 0x10);
6746 -@@ -1191,7 +1190,6 @@ static void mib_counters_update(struct mv643xx_eth_private *mp)
6747 - p->frames_512_to_1023_octets += mib_read(mp, 0x30);
6748 - p->frames_1024_to_max_octets += mib_read(mp, 0x34);
6749 - p->good_octets_sent += mib_read(mp, 0x38);
6750 -- p->good_octets_sent += (u64)mib_read(mp, 0x3c) << 32;
6751 - p->good_frames_sent += mib_read(mp, 0x40);
6752 - p->excessive_collision += mib_read(mp, 0x44);
6753 - p->multicast_frames_sent += mib_read(mp, 0x48);
6754 -@@ -1908,8 +1906,10 @@ static int mv643xx_eth_poll(struct napi_struct *napi, int budget)
6755 -
6756 - mp = container_of(napi, struct mv643xx_eth_private, napi);
6757 -
6758 -- mp->work_rx_refill |= mp->work_rx_oom;
6759 -- mp->work_rx_oom = 0;
6760 -+ if (unlikely(mp->oom)) {
6761 -+ mp->oom = 0;
6762 -+ del_timer(&mp->rx_oom);
6763 -+ }
6764 -
6765 - work_done = 0;
6766 - while (work_done < budget) {
6767 -@@ -1923,8 +1923,10 @@ static int mv643xx_eth_poll(struct napi_struct *napi, int budget)
6768 - continue;
6769 - }
6770 -
6771 -- queue_mask = mp->work_tx | mp->work_tx_end |
6772 -- mp->work_rx | mp->work_rx_refill;
6773 -+ queue_mask = mp->work_tx | mp->work_tx_end | mp->work_rx;
6774 -+ if (likely(!mp->oom))
6775 -+ queue_mask |= mp->work_rx_refill;
6776 -+
6777 - if (!queue_mask) {
6778 - if (mv643xx_eth_collect_events(mp))
6779 - continue;
6780 -@@ -1945,7 +1947,7 @@ static int mv643xx_eth_poll(struct napi_struct *napi, int budget)
6781 - txq_maybe_wake(mp->txq + queue);
6782 - } else if (mp->work_rx & queue_mask) {
6783 - work_done += rxq_process(mp->rxq + queue, work_tbd);
6784 -- } else if (mp->work_rx_refill & queue_mask) {
6785 -+ } else if (!mp->oom && (mp->work_rx_refill & queue_mask)) {
6786 - work_done += rxq_refill(mp->rxq + queue, work_tbd);
6787 - } else {
6788 - BUG();
6789 -@@ -1953,7 +1955,7 @@ static int mv643xx_eth_poll(struct napi_struct *napi, int budget)
6790 - }
6791 -
6792 - if (work_done < budget) {
6793 -- if (mp->work_rx_oom)
6794 -+ if (mp->oom)
6795 - mod_timer(&mp->rx_oom, jiffies + (HZ / 10));
6796 - napi_complete(napi);
6797 - wrlp(mp, INT_MASK, INT_TX_END | INT_RX | INT_EXT);
6798 -@@ -2145,7 +2147,7 @@ static int mv643xx_eth_open(struct net_device *dev)
6799 - rxq_refill(mp->rxq + i, INT_MAX);
6800 - }
6801 -
6802 -- if (mp->work_rx_oom) {
6803 -+ if (mp->oom) {
6804 - mp->rx_oom.expires = jiffies + (HZ / 10);
6805 - add_timer(&mp->rx_oom);
6806 - }
6807 -diff --git a/drivers/net/wireless/ath5k/debug.c b/drivers/net/wireless/ath5k/debug.c
6808 -index ccaeb5c..9347a3c 100644
6809 ---- a/drivers/net/wireless/ath5k/debug.c
6810 -+++ b/drivers/net/wireless/ath5k/debug.c
6811 -@@ -465,7 +465,7 @@ ath5k_debug_dump_bands(struct ath5k_softc *sc)
6812 -
6813 - for (b = 0; b < IEEE80211_NUM_BANDS; b++) {
6814 - struct ieee80211_supported_band *band = &sc->sbands[b];
6815 -- char bname[5];
6816 -+ char bname[6];
6817 - switch (band->band) {
6818 - case IEEE80211_BAND_2GHZ:
6819 - strcpy(bname, "2 GHz");
6820 -diff --git a/drivers/net/wireless/ath9k/main.c b/drivers/net/wireless/ath9k/main.c
6821 -index 3c04044..1cc826b 100644
6822 ---- a/drivers/net/wireless/ath9k/main.c
6823 -+++ b/drivers/net/wireless/ath9k/main.c
6824 -@@ -2300,11 +2300,6 @@ static void ath9k_configure_filter(struct ieee80211_hw *hw,
6825 - rfilt = ath_calcrxfilter(sc);
6826 - ath9k_hw_setrxfilter(sc->sc_ah, rfilt);
6827 -
6828 -- if (changed_flags & FIF_BCN_PRBRESP_PROMISC) {
6829 -- if (*total_flags & FIF_BCN_PRBRESP_PROMISC)
6830 -- ath9k_hw_write_associd(sc->sc_ah, ath_bcast_mac, 0);
6831 -- }
6832 --
6833 - DPRINTF(sc, ATH_DBG_CONFIG, "Set HW RX filter: 0x%x\n", sc->rx.rxfilter);
6834 - }
6835 -
6836 -diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c
6837 -index 6d65a02..dbae617 100644
6838 ---- a/drivers/net/wireless/b43/dma.c
6839 -+++ b/drivers/net/wireless/b43/dma.c
6840 -@@ -551,11 +551,32 @@ address_error:
6841 - return 1;
6842 - }
6843 -
6844 -+static bool b43_rx_buffer_is_poisoned(struct b43_dmaring *ring, struct sk_buff *skb)
6845 -+{
6846 -+ unsigned char *f = skb->data + ring->frameoffset;
6847 -+
6848 -+ return ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5] & f[6] & f[7]) == 0xFF);
6849 -+}
6850 -+
6851 -+static void b43_poison_rx_buffer(struct b43_dmaring *ring, struct sk_buff *skb)
6852 -+{
6853 -+ struct b43_rxhdr_fw4 *rxhdr;
6854 -+ unsigned char *frame;
6855 -+
6856 -+ /* This poisons the RX buffer to detect DMA failures. */
6857 -+
6858 -+ rxhdr = (struct b43_rxhdr_fw4 *)(skb->data);
6859 -+ rxhdr->frame_len = 0;
6860 -+
6861 -+ B43_WARN_ON(ring->rx_buffersize < ring->frameoffset + sizeof(struct b43_plcp_hdr6) + 2);
6862 -+ frame = skb->data + ring->frameoffset;
6863 -+ memset(frame, 0xFF, sizeof(struct b43_plcp_hdr6) + 2 /* padding */);
6864 -+}
6865 -+
6866 - static int setup_rx_descbuffer(struct b43_dmaring *ring,
6867 - struct b43_dmadesc_generic *desc,
6868 - struct b43_dmadesc_meta *meta, gfp_t gfp_flags)
6869 - {
6870 -- struct b43_rxhdr_fw4 *rxhdr;
6871 - dma_addr_t dmaaddr;
6872 - struct sk_buff *skb;
6873 -
6874 -@@ -564,6 +585,7 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring,
6875 - skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags);
6876 - if (unlikely(!skb))
6877 - return -ENOMEM;
6878 -+ b43_poison_rx_buffer(ring, skb);
6879 - dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0);
6880 - if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) {
6881 - /* ugh. try to realloc in zone_dma */
6882 -@@ -574,6 +596,7 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring,
6883 - skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags);
6884 - if (unlikely(!skb))
6885 - return -ENOMEM;
6886 -+ b43_poison_rx_buffer(ring, skb);
6887 - dmaaddr = map_descbuffer(ring, skb->data,
6888 - ring->rx_buffersize, 0);
6889 - }
6890 -@@ -589,9 +612,6 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring,
6891 - ring->ops->fill_descriptor(ring, desc, dmaaddr,
6892 - ring->rx_buffersize, 0, 0, 0);
6893 -
6894 -- rxhdr = (struct b43_rxhdr_fw4 *)(skb->data);
6895 -- rxhdr->frame_len = 0;
6896 --
6897 - return 0;
6898 - }
6899 -
6900 -@@ -1476,12 +1496,17 @@ static void dma_rx(struct b43_dmaring *ring, int *slot)
6901 - len = le16_to_cpu(rxhdr->frame_len);
6902 - } while (len == 0 && i++ < 5);
6903 - if (unlikely(len == 0)) {
6904 -- /* recycle the descriptor buffer. */
6905 -- sync_descbuffer_for_device(ring, meta->dmaaddr,
6906 -- ring->rx_buffersize);
6907 -- goto drop;
6908 -+ dmaaddr = meta->dmaaddr;
6909 -+ goto drop_recycle_buffer;
6910 - }
6911 - }
6912 -+ if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) {
6913 -+ /* Something went wrong with the DMA.
6914 -+ * The device did not touch the buffer and did not overwrite the poison. */
6915 -+ b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n");
6916 -+ dmaaddr = meta->dmaaddr;
6917 -+ goto drop_recycle_buffer;
6918 -+ }
6919 - if (unlikely(len > ring->rx_buffersize)) {
6920 - /* The data did not fit into one descriptor buffer
6921 - * and is split over multiple buffers.
6922 -@@ -1494,6 +1519,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot)
6923 - while (1) {
6924 - desc = ops->idx2desc(ring, *slot, &meta);
6925 - /* recycle the descriptor buffer. */
6926 -+ b43_poison_rx_buffer(ring, meta->skb);
6927 - sync_descbuffer_for_device(ring, meta->dmaaddr,
6928 - ring->rx_buffersize);
6929 - *slot = next_slot(ring, *slot);
6930 -@@ -1512,8 +1538,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot)
6931 - err = setup_rx_descbuffer(ring, desc, meta, GFP_ATOMIC);
6932 - if (unlikely(err)) {
6933 - b43dbg(ring->dev->wl, "DMA RX: setup_rx_descbuffer() failed\n");
6934 -- sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize);
6935 -- goto drop;
6936 -+ goto drop_recycle_buffer;
6937 - }
6938 -
6939 - unmap_descbuffer(ring, dmaaddr, ring->rx_buffersize, 0);
6940 -@@ -1523,6 +1548,11 @@ static void dma_rx(struct b43_dmaring *ring, int *slot)
6941 - b43_rx(ring->dev, skb, rxhdr);
6942 - drop:
6943 - return;
6944 -+
6945 -+drop_recycle_buffer:
6946 -+ /* Poison and recycle the RX buffer. */
6947 -+ b43_poison_rx_buffer(ring, skb);
6948 -+ sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize);
6949 - }
6950 -
6951 - void b43_dma_rx(struct b43_dmaring *ring)
6952 -diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
6953 -index ed93ac4..f6a9388 100644
6954 ---- a/drivers/net/wireless/rndis_wlan.c
6955 -+++ b/drivers/net/wireless/rndis_wlan.c
6956 -@@ -2550,6 +2550,11 @@ static int rndis_wext_bind(struct usbnet *usbdev, struct usb_interface *intf)
6957 - mutex_init(&priv->command_lock);
6958 - spin_lock_init(&priv->stats_lock);
6959 -
6960 -+ /* because rndis_command() sleeps we need to use workqueue */
6961 -+ priv->workqueue = create_singlethread_workqueue("rndis_wlan");
6962 -+ INIT_WORK(&priv->work, rndis_wext_worker);
6963 -+ INIT_DELAYED_WORK(&priv->stats_work, rndis_update_wireless_stats);
6964 -+
6965 - /* try bind rndis_host */
6966 - retval = generic_rndis_bind(usbdev, intf, FLAG_RNDIS_PHYM_WIRELESS);
6967 - if (retval < 0)
6968 -@@ -2594,16 +2599,17 @@ static int rndis_wext_bind(struct usbnet *usbdev, struct usb_interface *intf)
6969 - disassociate(usbdev, 1);
6970 - netif_carrier_off(usbdev->net);
6971 -
6972 -- /* because rndis_command() sleeps we need to use workqueue */
6973 -- priv->workqueue = create_singlethread_workqueue("rndis_wlan");
6974 -- INIT_DELAYED_WORK(&priv->stats_work, rndis_update_wireless_stats);
6975 - queue_delayed_work(priv->workqueue, &priv->stats_work,
6976 - round_jiffies_relative(STATS_UPDATE_JIFFIES));
6977 -- INIT_WORK(&priv->work, rndis_wext_worker);
6978 -
6979 - return 0;
6980 -
6981 - fail:
6982 -+ cancel_delayed_work_sync(&priv->stats_work);
6983 -+ cancel_work_sync(&priv->work);
6984 -+ flush_workqueue(priv->workqueue);
6985 -+ destroy_workqueue(priv->workqueue);
6986 -+
6987 - kfree(priv);
6988 - return retval;
6989 - }
6990 -diff --git a/drivers/pci/dmar.c b/drivers/pci/dmar.c
6991 -index 26c536b..8a01120 100644
6992 ---- a/drivers/pci/dmar.c
6993 -+++ b/drivers/pci/dmar.c
6994 -@@ -170,12 +170,21 @@ dmar_parse_one_drhd(struct acpi_dmar_header *header)
6995 - struct dmar_drhd_unit *dmaru;
6996 - int ret = 0;
6997 -
6998 -+ drhd = (struct acpi_dmar_hardware_unit *)header;
6999 -+ if (!drhd->address) {
7000 -+ /* Promote an attitude of violence to a BIOS engineer today */
7001 -+ WARN(1, "Your BIOS is broken; DMAR reported at address zero!\n"
7002 -+ "BIOS vendor: %s; Ver: %s; Product Version: %s\n",
7003 -+ dmi_get_system_info(DMI_BIOS_VENDOR),
7004 -+ dmi_get_system_info(DMI_BIOS_VERSION),
7005 -+ dmi_get_system_info(DMI_PRODUCT_VERSION));
7006 -+ return -ENODEV;
7007 -+ }
7008 - dmaru = kzalloc(sizeof(*dmaru), GFP_KERNEL);
7009 - if (!dmaru)
7010 - return -ENOMEM;
7011 -
7012 - dmaru->hdr = header;
7013 -- drhd = (struct acpi_dmar_hardware_unit *)header;
7014 - dmaru->reg_base_addr = drhd->address;
7015 - dmaru->include_all = drhd->flags & 0x1; /* BIT0: INCLUDE_ALL */
7016 -
7017 -diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
7018 -index f3f6865..7e4f9e6 100644
7019 ---- a/drivers/pci/intel-iommu.c
7020 -+++ b/drivers/pci/intel-iommu.c
7021 -@@ -447,11 +447,17 @@ static struct intel_iommu *device_to_iommu(u8 bus, u8 devfn)
7022 - if (drhd->ignored)
7023 - continue;
7024 -
7025 -- for (i = 0; i < drhd->devices_cnt; i++)
7026 -+ for (i = 0; i < drhd->devices_cnt; i++) {
7027 - if (drhd->devices[i] &&
7028 - drhd->devices[i]->bus->number == bus &&
7029 - drhd->devices[i]->devfn == devfn)
7030 - return drhd->iommu;
7031 -+ if (drhd->devices[i] &&
7032 -+ drhd->devices[i]->subordinate &&
7033 -+ drhd->devices[i]->subordinate->number <= bus &&
7034 -+ drhd->devices[i]->subordinate->subordinate >= bus)
7035 -+ return drhd->iommu;
7036 -+ }
7037 -
7038 - if (drhd->include_all)
7039 - return drhd->iommu;
7040 -diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
7041 -index 92b9efe..c65c2f4 100644
7042 ---- a/drivers/pci/quirks.c
7043 -+++ b/drivers/pci/quirks.c
7044 -@@ -1960,6 +1960,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS400_200, quirk_di
7045 - DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi);
7046 - DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3336, quirk_disable_all_msi);
7047 - DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi);
7048 -+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3364, quirk_disable_all_msi);
7049 -
7050 - /* Disable MSI on chipsets that are known to not support it */
7051 - static void __devinit quirk_disable_msi(struct pci_dev *dev)
7052 -diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
7053 -index d243320..99d32f7 100644
7054 ---- a/drivers/platform/x86/thinkpad_acpi.c
7055 -+++ b/drivers/platform/x86/thinkpad_acpi.c
7056 -@@ -306,11 +306,17 @@ static u32 dbg_level;
7057 -
7058 - static struct workqueue_struct *tpacpi_wq;
7059 -
7060 -+enum led_status_t {
7061 -+ TPACPI_LED_OFF = 0,
7062 -+ TPACPI_LED_ON,
7063 -+ TPACPI_LED_BLINK,
7064 -+};
7065 -+
7066 - /* Special LED class that can defer work */
7067 - struct tpacpi_led_classdev {
7068 - struct led_classdev led_classdev;
7069 - struct work_struct work;
7070 -- enum led_brightness new_brightness;
7071 -+ enum led_status_t new_state;
7072 - unsigned int led;
7073 - };
7074 -
7075 -@@ -4057,7 +4063,7 @@ static void light_set_status_worker(struct work_struct *work)
7076 - container_of(work, struct tpacpi_led_classdev, work);
7077 -
7078 - if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING))
7079 -- light_set_status((data->new_brightness != LED_OFF));
7080 -+ light_set_status((data->new_state != TPACPI_LED_OFF));
7081 - }
7082 -
7083 - static void light_sysfs_set(struct led_classdev *led_cdev,
7084 -@@ -4067,7 +4073,8 @@ static void light_sysfs_set(struct led_classdev *led_cdev,
7085 - container_of(led_cdev,
7086 - struct tpacpi_led_classdev,
7087 - led_classdev);
7088 -- data->new_brightness = brightness;
7089 -+ data->new_state = (brightness != LED_OFF) ?
7090 -+ TPACPI_LED_ON : TPACPI_LED_OFF;
7091 - queue_work(tpacpi_wq, &data->work);
7092 - }
7093 -
7094 -@@ -4574,12 +4581,6 @@ enum { /* For TPACPI_LED_OLD */
7095 - TPACPI_LED_EC_HLMS = 0x0e, /* EC reg to select led to command */
7096 - };
7097 -
7098 --enum led_status_t {
7099 -- TPACPI_LED_OFF = 0,
7100 -- TPACPI_LED_ON,
7101 -- TPACPI_LED_BLINK,
7102 --};
7103 --
7104 - static enum led_access_mode led_supported;
7105 -
7106 - TPACPI_HANDLE(led, ec, "SLED", /* 570 */
7107 -@@ -4673,23 +4674,13 @@ static int led_set_status(const unsigned int led,
7108 - return rc;
7109 - }
7110 -
7111 --static void led_sysfs_set_status(unsigned int led,
7112 -- enum led_brightness brightness)
7113 --{
7114 -- led_set_status(led,
7115 -- (brightness == LED_OFF) ?
7116 -- TPACPI_LED_OFF :
7117 -- (tpacpi_led_state_cache[led] == TPACPI_LED_BLINK) ?
7118 -- TPACPI_LED_BLINK : TPACPI_LED_ON);
7119 --}
7120 --
7121 - static void led_set_status_worker(struct work_struct *work)
7122 - {
7123 - struct tpacpi_led_classdev *data =
7124 - container_of(work, struct tpacpi_led_classdev, work);
7125 -
7126 - if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING))
7127 -- led_sysfs_set_status(data->led, data->new_brightness);
7128 -+ led_set_status(data->led, data->new_state);
7129 - }
7130 -
7131 - static void led_sysfs_set(struct led_classdev *led_cdev,
7132 -@@ -4698,7 +4689,13 @@ static void led_sysfs_set(struct led_classdev *led_cdev,
7133 - struct tpacpi_led_classdev *data = container_of(led_cdev,
7134 - struct tpacpi_led_classdev, led_classdev);
7135 -
7136 -- data->new_brightness = brightness;
7137 -+ if (brightness == LED_OFF)
7138 -+ data->new_state = TPACPI_LED_OFF;
7139 -+ else if (tpacpi_led_state_cache[data->led] != TPACPI_LED_BLINK)
7140 -+ data->new_state = TPACPI_LED_ON;
7141 -+ else
7142 -+ data->new_state = TPACPI_LED_BLINK;
7143 -+
7144 - queue_work(tpacpi_wq, &data->work);
7145 - }
7146 -
7147 -@@ -4716,7 +4713,7 @@ static int led_sysfs_blink_set(struct led_classdev *led_cdev,
7148 - } else if ((*delay_on != 500) || (*delay_off != 500))
7149 - return -EINVAL;
7150 -
7151 -- data->new_brightness = TPACPI_LED_BLINK;
7152 -+ data->new_state = TPACPI_LED_BLINK;
7153 - queue_work(tpacpi_wq, &data->work);
7154 -
7155 - return 0;
7156 -diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
7157 -index cfcfd5a..4b36d88 100644
7158 ---- a/drivers/usb/serial/usb-serial.c
7159 -+++ b/drivers/usb/serial/usb-serial.c
7160 -@@ -136,22 +136,10 @@ static void destroy_serial(struct kref *kref)
7161 -
7162 - dbg("%s - %s", __func__, serial->type->description);
7163 -
7164 -- serial->type->shutdown(serial);
7165 --
7166 - /* return the minor range that this device had */
7167 - if (serial->minor != SERIAL_TTY_NO_MINOR)
7168 - return_serial(serial);
7169 -
7170 -- for (i = 0; i < serial->num_ports; ++i)
7171 -- serial->port[i]->port.count = 0;
7172 --
7173 -- /* the ports are cleaned up and released in port_release() */
7174 -- for (i = 0; i < serial->num_ports; ++i)
7175 -- if (serial->port[i]->dev.parent != NULL) {
7176 -- device_unregister(&serial->port[i]->dev);
7177 -- serial->port[i] = NULL;
7178 -- }
7179 --
7180 - /* If this is a "fake" port, we have to clean it up here, as it will
7181 - * not get cleaned up in port_release() as it was never registered with
7182 - * the driver core */
7183 -@@ -186,7 +174,7 @@ static int serial_open (struct tty_struct *tty, struct file *filp)
7184 - struct usb_serial *serial;
7185 - struct usb_serial_port *port;
7186 - unsigned int portNumber;
7187 -- int retval;
7188 -+ int retval = 0;
7189 -
7190 - dbg("%s", __func__);
7191 -
7192 -@@ -197,16 +185,24 @@ static int serial_open (struct tty_struct *tty, struct file *filp)
7193 - return -ENODEV;
7194 - }
7195 -
7196 -+ mutex_lock(&serial->disc_mutex);
7197 - portNumber = tty->index - serial->minor;
7198 - port = serial->port[portNumber];
7199 -- if (!port) {
7200 -+ if (!port || serial->disconnected)
7201 - retval = -ENODEV;
7202 -- goto bailout_kref_put;
7203 -- }
7204 -+ else
7205 -+ get_device(&port->dev);
7206 -+ /*
7207 -+ * Note: Our locking order requirement does not allow port->mutex
7208 -+ * to be acquired while serial->disc_mutex is held.
7209 -+ */
7210 -+ mutex_unlock(&serial->disc_mutex);
7211 -+ if (retval)
7212 -+ goto bailout_serial_put;
7213 -
7214 - if (mutex_lock_interruptible(&port->mutex)) {
7215 - retval = -ERESTARTSYS;
7216 -- goto bailout_kref_put;
7217 -+ goto bailout_port_put;
7218 - }
7219 -
7220 - ++port->port.count;
7221 -@@ -226,14 +222,20 @@ static int serial_open (struct tty_struct *tty, struct file *filp)
7222 - goto bailout_mutex_unlock;
7223 - }
7224 -
7225 -- retval = usb_autopm_get_interface(serial->interface);
7226 -+ mutex_lock(&serial->disc_mutex);
7227 -+ if (serial->disconnected)
7228 -+ retval = -ENODEV;
7229 -+ else
7230 -+ retval = usb_autopm_get_interface(serial->interface);
7231 - if (retval)
7232 - goto bailout_module_put;
7233 -+
7234 - /* only call the device specific open if this
7235 - * is the first time the port is opened */
7236 - retval = serial->type->open(tty, port, filp);
7237 - if (retval)
7238 - goto bailout_interface_put;
7239 -+ mutex_unlock(&serial->disc_mutex);
7240 - }
7241 -
7242 - mutex_unlock(&port->mutex);
7243 -@@ -242,13 +244,16 @@ static int serial_open (struct tty_struct *tty, struct file *filp)
7244 - bailout_interface_put:
7245 - usb_autopm_put_interface(serial->interface);
7246 - bailout_module_put:
7247 -+ mutex_unlock(&serial->disc_mutex);
7248 - module_put(serial->type->driver.owner);
7249 - bailout_mutex_unlock:
7250 - port->port.count = 0;
7251 - tty->driver_data = NULL;
7252 - tty_port_tty_set(&port->port, NULL);
7253 - mutex_unlock(&port->mutex);
7254 --bailout_kref_put:
7255 -+bailout_port_put:
7256 -+ put_device(&port->dev);
7257 -+bailout_serial_put:
7258 - usb_serial_put(serial);
7259 - return retval;
7260 - }
7261 -@@ -256,6 +261,9 @@ bailout_kref_put:
7262 - static void serial_close(struct tty_struct *tty, struct file *filp)
7263 - {
7264 - struct usb_serial_port *port = tty->driver_data;
7265 -+ struct usb_serial *serial;
7266 -+ struct module *owner;
7267 -+ int count;
7268 -
7269 - if (!port)
7270 - return;
7271 -@@ -263,6 +271,8 @@ static void serial_close(struct tty_struct *tty, struct file *filp)
7272 - dbg("%s - port %d", __func__, port->number);
7273 -
7274 - mutex_lock(&port->mutex);
7275 -+ serial = port->serial;
7276 -+ owner = serial->type->driver.owner;
7277 -
7278 - if (port->port.count == 0) {
7279 - mutex_unlock(&port->mutex);
7280 -@@ -275,7 +285,7 @@ static void serial_close(struct tty_struct *tty, struct file *filp)
7281 - * this before we drop the port count. The call is protected
7282 - * by the port mutex
7283 - */
7284 -- port->serial->type->close(tty, port, filp);
7285 -+ serial->type->close(tty, port, filp);
7286 -
7287 - if (port->port.count == (port->console ? 2 : 1)) {
7288 - struct tty_struct *tty = tty_port_tty_get(&port->port);
7289 -@@ -289,17 +299,23 @@ static void serial_close(struct tty_struct *tty, struct file *filp)
7290 - }
7291 - }
7292 -
7293 -- if (port->port.count == 1) {
7294 -- mutex_lock(&port->serial->disc_mutex);
7295 -- if (!port->serial->disconnected)
7296 -- usb_autopm_put_interface(port->serial->interface);
7297 -- mutex_unlock(&port->serial->disc_mutex);
7298 -- module_put(port->serial->type->driver.owner);
7299 -- }
7300 - --port->port.count;
7301 --
7302 -+ count = port->port.count;
7303 - mutex_unlock(&port->mutex);
7304 -- usb_serial_put(port->serial);
7305 -+ put_device(&port->dev);
7306 -+
7307 -+ /* Mustn't dereference port any more */
7308 -+ if (count == 0) {
7309 -+ mutex_lock(&serial->disc_mutex);
7310 -+ if (!serial->disconnected)
7311 -+ usb_autopm_put_interface(serial->interface);
7312 -+ mutex_unlock(&serial->disc_mutex);
7313 -+ }
7314 -+ usb_serial_put(serial);
7315 -+
7316 -+ /* Mustn't dereference serial any more */
7317 -+ if (count == 0)
7318 -+ module_put(owner);
7319 - }
7320 -
7321 - static int serial_write(struct tty_struct *tty, const unsigned char *buf,
7322 -@@ -548,7 +564,13 @@ static void kill_traffic(struct usb_serial_port *port)
7323 -
7324 - static void port_free(struct usb_serial_port *port)
7325 - {
7326 -+ /*
7327 -+ * Stop all the traffic before cancelling the work, so that
7328 -+ * nobody will restart it by calling usb_serial_port_softint.
7329 -+ */
7330 - kill_traffic(port);
7331 -+ cancel_work_sync(&port->work);
7332 -+
7333 - usb_free_urb(port->read_urb);
7334 - usb_free_urb(port->write_urb);
7335 - usb_free_urb(port->interrupt_in_urb);
7336 -@@ -557,7 +579,6 @@ static void port_free(struct usb_serial_port *port)
7337 - kfree(port->bulk_out_buffer);
7338 - kfree(port->interrupt_in_buffer);
7339 - kfree(port->interrupt_out_buffer);
7340 -- flush_scheduled_work(); /* port->work */
7341 - kfree(port);
7342 - }
7343 -
7344 -@@ -1042,6 +1063,12 @@ void usb_serial_disconnect(struct usb_interface *interface)
7345 - usb_set_intfdata(interface, NULL);
7346 - /* must set a flag, to signal subdrivers */
7347 - serial->disconnected = 1;
7348 -+ mutex_unlock(&serial->disc_mutex);
7349 -+
7350 -+ /* Unfortunately, many of the sub-drivers expect the port structures
7351 -+ * to exist when their shutdown method is called, so we have to go
7352 -+ * through this awkward two-step unregistration procedure.
7353 -+ */
7354 - for (i = 0; i < serial->num_ports; ++i) {
7355 - port = serial->port[i];
7356 - if (port) {
7357 -@@ -1051,11 +1078,21 @@ void usb_serial_disconnect(struct usb_interface *interface)
7358 - tty_kref_put(tty);
7359 - }
7360 - kill_traffic(port);
7361 -+ cancel_work_sync(&port->work);
7362 -+ device_del(&port->dev);
7363 -+ }
7364 -+ }
7365 -+ serial->type->shutdown(serial);
7366 -+ for (i = 0; i < serial->num_ports; ++i) {
7367 -+ port = serial->port[i];
7368 -+ if (port) {
7369 -+ put_device(&port->dev);
7370 -+ serial->port[i] = NULL;
7371 - }
7372 - }
7373 -+
7374 - /* let the last holder of this object
7375 - * cause it to be cleaned up */
7376 -- mutex_unlock(&serial->disc_mutex);
7377 - usb_serial_put(serial);
7378 - dev_info(dev, "device disconnected\n");
7379 - }
7380 -diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
7381 -index 0f54399..af39dec 100644
7382 ---- a/drivers/usb/storage/unusual_devs.h
7383 -+++ b/drivers/usb/storage/unusual_devs.h
7384 -@@ -2134,6 +2134,12 @@ UNUSUAL_DEV( 0xed06, 0x4500, 0x0001, 0x0001,
7385 - US_SC_DEVICE, US_PR_DEVICE, NULL,
7386 - US_FL_CAPACITY_HEURISTICS),
7387 -
7388 -+/* Reported by Alessio Treglia <quadrispro@××××××.com> */
7389 -+UNUSUAL_DEV( 0xed10, 0x7636, 0x0001, 0x0001,
7390 -+ "TGE",
7391 -+ "Digital MP3 Audio Player",
7392 -+ US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_NOT_LOCKABLE ),
7393 -+
7394 - /* Control/Bulk transport for all SubClass values */
7395 - USUAL_DEV(US_SC_RBC, US_PR_CB, USB_US_TYPE_STOR),
7396 - USUAL_DEV(US_SC_8020, US_PR_CB, USB_US_TYPE_STOR),
7397 -diff --git a/fs/Makefile b/fs/Makefile
7398 -index dc20db3..0cd7097 100644
7399 ---- a/fs/Makefile
7400 -+++ b/fs/Makefile
7401 -@@ -11,7 +11,7 @@ obj-y := open.o read_write.o file_table.o super.o \
7402 - attr.o bad_inode.o file.o filesystems.o namespace.o \
7403 - seq_file.o xattr.o libfs.o fs-writeback.o \
7404 - pnode.o drop_caches.o splice.o sync.o utimes.o \
7405 -- stack.o
7406 -+ stack.o fs_struct.o
7407 -
7408 - ifeq ($(CONFIG_BLOCK),y)
7409 - obj-y += buffer.o bio.o block_dev.o direct-io.o mpage.o ioprio.o
7410 -diff --git a/fs/bio.c b/fs/bio.c
7411 -index d4f0632..bfdfe57 100644
7412 ---- a/fs/bio.c
7413 -+++ b/fs/bio.c
7414 -@@ -806,6 +806,9 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
7415 - len += iov[i].iov_len;
7416 - }
7417 -
7418 -+ if (offset)
7419 -+ nr_pages++;
7420 -+
7421 - bmd = bio_alloc_map_data(nr_pages, iov_count, gfp_mask);
7422 - if (!bmd)
7423 - return ERR_PTR(-ENOMEM);
7424 -diff --git a/fs/compat.c b/fs/compat.c
7425 -index d0145ca..1df8926 100644
7426 ---- a/fs/compat.c
7427 -+++ b/fs/compat.c
7428 -@@ -51,6 +51,7 @@
7429 - #include <linux/poll.h>
7430 - #include <linux/mm.h>
7431 - #include <linux/eventpoll.h>
7432 -+#include <linux/fs_struct.h>
7433 -
7434 - #include <asm/uaccess.h>
7435 - #include <asm/mmu_context.h>
7436 -@@ -1392,12 +1393,18 @@ int compat_do_execve(char * filename,
7437 - {
7438 - struct linux_binprm *bprm;
7439 - struct file *file;
7440 -+ struct files_struct *displaced;
7441 -+ bool clear_in_exec;
7442 - int retval;
7443 -
7444 -+ retval = unshare_files(&displaced);
7445 -+ if (retval)
7446 -+ goto out_ret;
7447 -+
7448 - retval = -ENOMEM;
7449 - bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
7450 - if (!bprm)
7451 -- goto out_ret;
7452 -+ goto out_files;
7453 -
7454 - retval = mutex_lock_interruptible(&current->cred_exec_mutex);
7455 - if (retval < 0)
7456 -@@ -1407,12 +1414,16 @@ int compat_do_execve(char * filename,
7457 - bprm->cred = prepare_exec_creds();
7458 - if (!bprm->cred)
7459 - goto out_unlock;
7460 -- check_unsafe_exec(bprm, current->files);
7461 -+
7462 -+ retval = check_unsafe_exec(bprm);
7463 -+ if (retval < 0)
7464 -+ goto out_unlock;
7465 -+ clear_in_exec = retval;
7466 -
7467 - file = open_exec(filename);
7468 - retval = PTR_ERR(file);
7469 - if (IS_ERR(file))
7470 -- goto out_unlock;
7471 -+ goto out_unmark;
7472 -
7473 - sched_exec();
7474 -
7475 -@@ -1454,9 +1465,12 @@ int compat_do_execve(char * filename,
7476 - goto out;
7477 -
7478 - /* execve succeeded */
7479 -+ current->fs->in_exec = 0;
7480 - mutex_unlock(&current->cred_exec_mutex);
7481 - acct_update_integrals(current);
7482 - free_bprm(bprm);
7483 -+ if (displaced)
7484 -+ put_files_struct(displaced);
7485 - return retval;
7486 -
7487 - out:
7488 -@@ -1469,12 +1483,19 @@ out_file:
7489 - fput(bprm->file);
7490 - }
7491 -
7492 -+out_unmark:
7493 -+ if (clear_in_exec)
7494 -+ current->fs->in_exec = 0;
7495 -+
7496 - out_unlock:
7497 - mutex_unlock(&current->cred_exec_mutex);
7498 -
7499 - out_free:
7500 - free_bprm(bprm);
7501 -
7502 -+out_files:
7503 -+ if (displaced)
7504 -+ reset_files_struct(displaced);
7505 - out_ret:
7506 - return retval;
7507 - }
7508 -diff --git a/fs/exec.c b/fs/exec.c
7509 -index 929b580..3b36c69 100644
7510 ---- a/fs/exec.c
7511 -+++ b/fs/exec.c
7512 -@@ -1049,32 +1049,35 @@ EXPORT_SYMBOL(install_exec_creds);
7513 - * - the caller must hold current->cred_exec_mutex to protect against
7514 - * PTRACE_ATTACH
7515 - */
7516 --void check_unsafe_exec(struct linux_binprm *bprm, struct files_struct *files)
7517 -+int check_unsafe_exec(struct linux_binprm *bprm)
7518 - {
7519 - struct task_struct *p = current, *t;
7520 -- unsigned long flags;
7521 -- unsigned n_fs, n_files, n_sighand;
7522 -+ unsigned n_fs;
7523 -+ int res = 0;
7524 -
7525 - bprm->unsafe = tracehook_unsafe_exec(p);
7526 -
7527 - n_fs = 1;
7528 -- n_files = 1;
7529 -- n_sighand = 1;
7530 -- lock_task_sighand(p, &flags);
7531 -+ write_lock(&p->fs->lock);
7532 -+ rcu_read_lock();
7533 - for (t = next_thread(p); t != p; t = next_thread(t)) {
7534 - if (t->fs == p->fs)
7535 - n_fs++;
7536 -- if (t->files == files)
7537 -- n_files++;
7538 -- n_sighand++;
7539 - }
7540 -+ rcu_read_unlock();
7541 -
7542 -- if (atomic_read(&p->fs->count) > n_fs ||
7543 -- atomic_read(&p->files->count) > n_files ||
7544 -- atomic_read(&p->sighand->count) > n_sighand)
7545 -+ if (p->fs->users > n_fs) {
7546 - bprm->unsafe |= LSM_UNSAFE_SHARE;
7547 -+ } else {
7548 -+ res = -EAGAIN;
7549 -+ if (!p->fs->in_exec) {
7550 -+ p->fs->in_exec = 1;
7551 -+ res = 1;
7552 -+ }
7553 -+ }
7554 -+ write_unlock(&p->fs->lock);
7555 -
7556 -- unlock_task_sighand(p, &flags);
7557 -+ return res;
7558 - }
7559 -
7560 - /*
7561 -@@ -1270,6 +1273,7 @@ int do_execve(char * filename,
7562 - struct linux_binprm *bprm;
7563 - struct file *file;
7564 - struct files_struct *displaced;
7565 -+ bool clear_in_exec;
7566 - int retval;
7567 -
7568 - retval = unshare_files(&displaced);
7569 -@@ -1289,12 +1293,16 @@ int do_execve(char * filename,
7570 - bprm->cred = prepare_exec_creds();
7571 - if (!bprm->cred)
7572 - goto out_unlock;
7573 -- check_unsafe_exec(bprm, displaced);
7574 -+
7575 -+ retval = check_unsafe_exec(bprm);
7576 -+ if (retval < 0)
7577 -+ goto out_unlock;
7578 -+ clear_in_exec = retval;
7579 -
7580 - file = open_exec(filename);
7581 - retval = PTR_ERR(file);
7582 - if (IS_ERR(file))
7583 -- goto out_unlock;
7584 -+ goto out_unmark;
7585 -
7586 - sched_exec();
7587 -
7588 -@@ -1337,6 +1345,7 @@ int do_execve(char * filename,
7589 - goto out;
7590 -
7591 - /* execve succeeded */
7592 -+ current->fs->in_exec = 0;
7593 - mutex_unlock(&current->cred_exec_mutex);
7594 - acct_update_integrals(current);
7595 - free_bprm(bprm);
7596 -@@ -1354,6 +1363,10 @@ out_file:
7597 - fput(bprm->file);
7598 - }
7599 -
7600 -+out_unmark:
7601 -+ if (clear_in_exec)
7602 -+ current->fs->in_exec = 0;
7603 -+
7604 - out_unlock:
7605 - mutex_unlock(&current->cred_exec_mutex);
7606 -
7607 -diff --git a/fs/fs_struct.c b/fs/fs_struct.c
7608 -new file mode 100644
7609 -index 0000000..41cff72
7610 ---- /dev/null
7611 -+++ b/fs/fs_struct.c
7612 -@@ -0,0 +1,170 @@
7613 -+#include <linux/module.h>
7614 -+#include <linux/sched.h>
7615 -+#include <linux/fs.h>
7616 -+#include <linux/path.h>
7617 -+#include <linux/slab.h>
7618 -+
7619 -+/*
7620 -+ * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
7621 -+ * It can block.
7622 -+ */
7623 -+void set_fs_root(struct fs_struct *fs, struct path *path)
7624 -+{
7625 -+ struct path old_root;
7626 -+
7627 -+ write_lock(&fs->lock);
7628 -+ old_root = fs->root;
7629 -+ fs->root = *path;
7630 -+ path_get(path);
7631 -+ write_unlock(&fs->lock);
7632 -+ if (old_root.dentry)
7633 -+ path_put(&old_root);
7634 -+}
7635 -+
7636 -+/*
7637 -+ * Replace the fs->{pwdmnt,pwd} with {mnt,dentry}. Put the old values.
7638 -+ * It can block.
7639 -+ */
7640 -+void set_fs_pwd(struct fs_struct *fs, struct path *path)
7641 -+{
7642 -+ struct path old_pwd;
7643 -+
7644 -+ write_lock(&fs->lock);
7645 -+ old_pwd = fs->pwd;
7646 -+ fs->pwd = *path;
7647 -+ path_get(path);
7648 -+ write_unlock(&fs->lock);
7649 -+
7650 -+ if (old_pwd.dentry)
7651 -+ path_put(&old_pwd);
7652 -+}
7653 -+
7654 -+void chroot_fs_refs(struct path *old_root, struct path *new_root)
7655 -+{
7656 -+ struct task_struct *g, *p;
7657 -+ struct fs_struct *fs;
7658 -+ int count = 0;
7659 -+
7660 -+ read_lock(&tasklist_lock);
7661 -+ do_each_thread(g, p) {
7662 -+ task_lock(p);
7663 -+ fs = p->fs;
7664 -+ if (fs) {
7665 -+ write_lock(&fs->lock);
7666 -+ if (fs->root.dentry == old_root->dentry
7667 -+ && fs->root.mnt == old_root->mnt) {
7668 -+ path_get(new_root);
7669 -+ fs->root = *new_root;
7670 -+ count++;
7671 -+ }
7672 -+ if (fs->pwd.dentry == old_root->dentry
7673 -+ && fs->pwd.mnt == old_root->mnt) {
7674 -+ path_get(new_root);
7675 -+ fs->pwd = *new_root;
7676 -+ count++;
7677 -+ }
7678 -+ write_unlock(&fs->lock);
7679 -+ }
7680 -+ task_unlock(p);
7681 -+ } while_each_thread(g, p);
7682 -+ read_unlock(&tasklist_lock);
7683 -+ while (count--)
7684 -+ path_put(old_root);
7685 -+}
7686 -+
7687 -+void free_fs_struct(struct fs_struct *fs)
7688 -+{
7689 -+ path_put(&fs->root);
7690 -+ path_put(&fs->pwd);
7691 -+ kmem_cache_free(fs_cachep, fs);
7692 -+}
7693 -+
7694 -+void exit_fs(struct task_struct *tsk)
7695 -+{
7696 -+ struct fs_struct *fs = tsk->fs;
7697 -+
7698 -+ if (fs) {
7699 -+ int kill;
7700 -+ task_lock(tsk);
7701 -+ write_lock(&fs->lock);
7702 -+ tsk->fs = NULL;
7703 -+ kill = !--fs->users;
7704 -+ write_unlock(&fs->lock);
7705 -+ task_unlock(tsk);
7706 -+ if (kill)
7707 -+ free_fs_struct(fs);
7708 -+ }
7709 -+}
7710 -+
7711 -+struct fs_struct *copy_fs_struct(struct fs_struct *old)
7712 -+{
7713 -+ struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
7714 -+ /* We don't need to lock fs - think why ;-) */
7715 -+ if (fs) {
7716 -+ fs->users = 1;
7717 -+ fs->in_exec = 0;
7718 -+ rwlock_init(&fs->lock);
7719 -+ fs->umask = old->umask;
7720 -+ read_lock(&old->lock);
7721 -+ fs->root = old->root;
7722 -+ path_get(&old->root);
7723 -+ fs->pwd = old->pwd;
7724 -+ path_get(&old->pwd);
7725 -+ read_unlock(&old->lock);
7726 -+ }
7727 -+ return fs;
7728 -+}
7729 -+
7730 -+int unshare_fs_struct(void)
7731 -+{
7732 -+ struct fs_struct *fs = current->fs;
7733 -+ struct fs_struct *new_fs = copy_fs_struct(fs);
7734 -+ int kill;
7735 -+
7736 -+ if (!new_fs)
7737 -+ return -ENOMEM;
7738 -+
7739 -+ task_lock(current);
7740 -+ write_lock(&fs->lock);
7741 -+ kill = !--fs->users;
7742 -+ current->fs = new_fs;
7743 -+ write_unlock(&fs->lock);
7744 -+ task_unlock(current);
7745 -+
7746 -+ if (kill)
7747 -+ free_fs_struct(fs);
7748 -+
7749 -+ return 0;
7750 -+}
7751 -+EXPORT_SYMBOL_GPL(unshare_fs_struct);
7752 -+
7753 -+/* to be mentioned only in INIT_TASK */
7754 -+struct fs_struct init_fs = {
7755 -+ .users = 1,
7756 -+ .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
7757 -+ .umask = 0022,
7758 -+};
7759 -+
7760 -+void daemonize_fs_struct(void)
7761 -+{
7762 -+ struct fs_struct *fs = current->fs;
7763 -+
7764 -+ if (fs) {
7765 -+ int kill;
7766 -+
7767 -+ task_lock(current);
7768 -+
7769 -+ write_lock(&init_fs.lock);
7770 -+ init_fs.users++;
7771 -+ write_unlock(&init_fs.lock);
7772 -+
7773 -+ write_lock(&fs->lock);
7774 -+ current->fs = &init_fs;
7775 -+ kill = !--fs->users;
7776 -+ write_unlock(&fs->lock);
7777 -+
7778 -+ task_unlock(current);
7779 -+ if (kill)
7780 -+ free_fs_struct(fs);
7781 -+ }
7782 -+}
7783 -diff --git a/fs/internal.h b/fs/internal.h
7784 -index 0d8ac49..b4dac4f 100644
7785 ---- a/fs/internal.h
7786 -+++ b/fs/internal.h
7787 -@@ -11,6 +11,7 @@
7788 -
7789 - struct super_block;
7790 - struct linux_binprm;
7791 -+struct path;
7792 -
7793 - /*
7794 - * block_dev.c
7795 -@@ -43,7 +44,7 @@ extern void __init chrdev_init(void);
7796 - /*
7797 - * exec.c
7798 - */
7799 --extern void check_unsafe_exec(struct linux_binprm *, struct files_struct *);
7800 -+extern int check_unsafe_exec(struct linux_binprm *);
7801 -
7802 - /*
7803 - * namespace.c
7804 -@@ -60,3 +61,8 @@ extern void umount_tree(struct vfsmount *, int, struct list_head *);
7805 - extern struct vfsmount *copy_tree(struct vfsmount *, struct dentry *, int);
7806 -
7807 - extern void __init mnt_init(void);
7808 -+
7809 -+/*
7810 -+ * fs_struct.c
7811 -+ */
7812 -+extern void chroot_fs_refs(struct path *, struct path *);
7813 -diff --git a/fs/namei.c b/fs/namei.c
7814 -index bbc15c2..2389dda 100644
7815 ---- a/fs/namei.c
7816 -+++ b/fs/namei.c
7817 -@@ -2891,10 +2891,3 @@ EXPORT_SYMBOL(vfs_symlink);
7818 - EXPORT_SYMBOL(vfs_unlink);
7819 - EXPORT_SYMBOL(dentry_unhash);
7820 - EXPORT_SYMBOL(generic_readlink);
7821 --
7822 --/* to be mentioned only in INIT_TASK */
7823 --struct fs_struct init_fs = {
7824 -- .count = ATOMIC_INIT(1),
7825 -- .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
7826 -- .umask = 0022,
7827 --};
7828 -diff --git a/fs/namespace.c b/fs/namespace.c
7829 -index 06f8e63..685e354 100644
7830 ---- a/fs/namespace.c
7831 -+++ b/fs/namespace.c
7832 -@@ -2089,66 +2089,6 @@ out1:
7833 - }
7834 -
7835 - /*
7836 -- * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
7837 -- * It can block. Requires the big lock held.
7838 -- */
7839 --void set_fs_root(struct fs_struct *fs, struct path *path)
7840 --{
7841 -- struct path old_root;
7842 --
7843 -- write_lock(&fs->lock);
7844 -- old_root = fs->root;
7845 -- fs->root = *path;
7846 -- path_get(path);
7847 -- write_unlock(&fs->lock);
7848 -- if (old_root.dentry)
7849 -- path_put(&old_root);
7850 --}
7851 --
7852 --/*
7853 -- * Replace the fs->{pwdmnt,pwd} with {mnt,dentry}. Put the old values.
7854 -- * It can block. Requires the big lock held.
7855 -- */
7856 --void set_fs_pwd(struct fs_struct *fs, struct path *path)
7857 --{
7858 -- struct path old_pwd;
7859 --
7860 -- write_lock(&fs->lock);
7861 -- old_pwd = fs->pwd;
7862 -- fs->pwd = *path;
7863 -- path_get(path);
7864 -- write_unlock(&fs->lock);
7865 --
7866 -- if (old_pwd.dentry)
7867 -- path_put(&old_pwd);
7868 --}
7869 --
7870 --static void chroot_fs_refs(struct path *old_root, struct path *new_root)
7871 --{
7872 -- struct task_struct *g, *p;
7873 -- struct fs_struct *fs;
7874 --
7875 -- read_lock(&tasklist_lock);
7876 -- do_each_thread(g, p) {
7877 -- task_lock(p);
7878 -- fs = p->fs;
7879 -- if (fs) {
7880 -- atomic_inc(&fs->count);
7881 -- task_unlock(p);
7882 -- if (fs->root.dentry == old_root->dentry
7883 -- && fs->root.mnt == old_root->mnt)
7884 -- set_fs_root(fs, new_root);
7885 -- if (fs->pwd.dentry == old_root->dentry
7886 -- && fs->pwd.mnt == old_root->mnt)
7887 -- set_fs_pwd(fs, new_root);
7888 -- put_fs_struct(fs);
7889 -- } else
7890 -- task_unlock(p);
7891 -- } while_each_thread(g, p);
7892 -- read_unlock(&tasklist_lock);
7893 --}
7894 --
7895 --/*
7896 - * pivot_root Semantics:
7897 - * Moves the root file system of the current process to the directory put_old,
7898 - * makes new_root as the new root file system of the current process, and sets
7899 -diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
7900 -index 07e4f5d..144d699 100644
7901 ---- a/fs/nfsd/nfssvc.c
7902 -+++ b/fs/nfsd/nfssvc.c
7903 -@@ -404,7 +404,6 @@ static int
7904 - nfsd(void *vrqstp)
7905 - {
7906 - struct svc_rqst *rqstp = (struct svc_rqst *) vrqstp;
7907 -- struct fs_struct *fsp;
7908 - int err, preverr = 0;
7909 -
7910 - /* Lock module and set up kernel thread */
7911 -@@ -413,13 +412,11 @@ nfsd(void *vrqstp)
7912 - /* At this point, the thread shares current->fs
7913 - * with the init process. We need to create files with a
7914 - * umask of 0 instead of init's umask. */
7915 -- fsp = copy_fs_struct(current->fs);
7916 -- if (!fsp) {
7917 -+ if (unshare_fs_struct() < 0) {
7918 - printk("Unable to start nfsd thread: out of memory\n");
7919 - goto out;
7920 - }
7921 -- exit_fs(current);
7922 -- current->fs = fsp;
7923 -+
7924 - current->fs->umask = 0;
7925 -
7926 - /*
7927 -diff --git a/fs/proc/array.c b/fs/proc/array.c
7928 -index 7e4877d..725a650 100644
7929 ---- a/fs/proc/array.c
7930 -+++ b/fs/proc/array.c
7931 -@@ -80,6 +80,7 @@
7932 - #include <linux/delayacct.h>
7933 - #include <linux/seq_file.h>
7934 - #include <linux/pid_namespace.h>
7935 -+#include <linux/ptrace.h>
7936 - #include <linux/tracehook.h>
7937 -
7938 - #include <asm/pgtable.h>
7939 -@@ -352,6 +353,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
7940 - char state;
7941 - pid_t ppid = 0, pgid = -1, sid = -1;
7942 - int num_threads = 0;
7943 -+ int permitted;
7944 - struct mm_struct *mm;
7945 - unsigned long long start_time;
7946 - unsigned long cmin_flt = 0, cmaj_flt = 0;
7947 -@@ -364,11 +366,14 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
7948 -
7949 - state = *get_task_state(task);
7950 - vsize = eip = esp = 0;
7951 -+ permitted = ptrace_may_access(task, PTRACE_MODE_READ);
7952 - mm = get_task_mm(task);
7953 - if (mm) {
7954 - vsize = task_vsize(mm);
7955 -- eip = KSTK_EIP(task);
7956 -- esp = KSTK_ESP(task);
7957 -+ if (permitted) {
7958 -+ eip = KSTK_EIP(task);
7959 -+ esp = KSTK_ESP(task);
7960 -+ }
7961 - }
7962 -
7963 - get_task_comm(tcomm, task);
7964 -@@ -424,7 +429,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
7965 - unlock_task_sighand(task, &flags);
7966 - }
7967 -
7968 -- if (!whole || num_threads < 2)
7969 -+ if (permitted && (!whole || num_threads < 2))
7970 - wchan = get_wchan(task);
7971 - if (!whole) {
7972 - min_flt = task->min_flt;
7973 -@@ -476,7 +481,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
7974 - rsslim,
7975 - mm ? mm->start_code : 0,
7976 - mm ? mm->end_code : 0,
7977 -- mm ? mm->start_stack : 0,
7978 -+ (permitted && mm) ? mm->start_stack : 0,
7979 - esp,
7980 - eip,
7981 - /* The signal information here is obsolete.
7982 -diff --git a/fs/proc/base.c b/fs/proc/base.c
7983 -index beaa0ce..74e83e7 100644
7984 ---- a/fs/proc/base.c
7985 -+++ b/fs/proc/base.c
7986 -@@ -146,15 +146,22 @@ static unsigned int pid_entry_count_dirs(const struct pid_entry *entries,
7987 - return count;
7988 - }
7989 -
7990 --static struct fs_struct *get_fs_struct(struct task_struct *task)
7991 -+static int get_fs_path(struct task_struct *task, struct path *path, bool root)
7992 - {
7993 - struct fs_struct *fs;
7994 -+ int result = -ENOENT;
7995 -+
7996 - task_lock(task);
7997 - fs = task->fs;
7998 -- if(fs)
7999 -- atomic_inc(&fs->count);
8000 -+ if (fs) {
8001 -+ read_lock(&fs->lock);
8002 -+ *path = root ? fs->root : fs->pwd;
8003 -+ path_get(path);
8004 -+ read_unlock(&fs->lock);
8005 -+ result = 0;
8006 -+ }
8007 - task_unlock(task);
8008 -- return fs;
8009 -+ return result;
8010 - }
8011 -
8012 - static int get_nr_threads(struct task_struct *tsk)
8013 -@@ -172,42 +179,24 @@ static int get_nr_threads(struct task_struct *tsk)
8014 - static int proc_cwd_link(struct inode *inode, struct path *path)
8015 - {
8016 - struct task_struct *task = get_proc_task(inode);
8017 -- struct fs_struct *fs = NULL;
8018 - int result = -ENOENT;
8019 -
8020 - if (task) {
8021 -- fs = get_fs_struct(task);
8022 -+ result = get_fs_path(task, path, 0);
8023 - put_task_struct(task);
8024 - }
8025 -- if (fs) {
8026 -- read_lock(&fs->lock);
8027 -- *path = fs->pwd;
8028 -- path_get(&fs->pwd);
8029 -- read_unlock(&fs->lock);
8030 -- result = 0;
8031 -- put_fs_struct(fs);
8032 -- }
8033 - return result;
8034 - }
8035 -
8036 - static int proc_root_link(struct inode *inode, struct path *path)
8037 - {
8038 - struct task_struct *task = get_proc_task(inode);
8039 -- struct fs_struct *fs = NULL;
8040 - int result = -ENOENT;
8041 -
8042 - if (task) {
8043 -- fs = get_fs_struct(task);
8044 -+ result = get_fs_path(task, path, 1);
8045 - put_task_struct(task);
8046 - }
8047 -- if (fs) {
8048 -- read_lock(&fs->lock);
8049 -- *path = fs->root;
8050 -- path_get(&fs->root);
8051 -- read_unlock(&fs->lock);
8052 -- result = 0;
8053 -- put_fs_struct(fs);
8054 -- }
8055 - return result;
8056 - }
8057 -
8058 -@@ -332,7 +321,10 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
8059 - wchan = get_wchan(task);
8060 -
8061 - if (lookup_symbol_name(wchan, symname) < 0)
8062 -- return sprintf(buffer, "%lu", wchan);
8063 -+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
8064 -+ return 0;
8065 -+ else
8066 -+ return sprintf(buffer, "%lu", wchan);
8067 - else
8068 - return sprintf(buffer, "%s", symname);
8069 - }
8070 -@@ -596,7 +588,6 @@ static int mounts_open_common(struct inode *inode, struct file *file,
8071 - struct task_struct *task = get_proc_task(inode);
8072 - struct nsproxy *nsp;
8073 - struct mnt_namespace *ns = NULL;
8074 -- struct fs_struct *fs = NULL;
8075 - struct path root;
8076 - struct proc_mounts *p;
8077 - int ret = -EINVAL;
8078 -@@ -610,22 +601,16 @@ static int mounts_open_common(struct inode *inode, struct file *file,
8079 - get_mnt_ns(ns);
8080 - }
8081 - rcu_read_unlock();
8082 -- if (ns)
8083 -- fs = get_fs_struct(task);
8084 -+ if (ns && get_fs_path(task, &root, 1) == 0)
8085 -+ ret = 0;
8086 - put_task_struct(task);
8087 - }
8088 -
8089 - if (!ns)
8090 - goto err;
8091 -- if (!fs)
8092 -+ if (ret)
8093 - goto err_put_ns;
8094 -
8095 -- read_lock(&fs->lock);
8096 -- root = fs->root;
8097 -- path_get(&root);
8098 -- read_unlock(&fs->lock);
8099 -- put_fs_struct(fs);
8100 --
8101 - ret = -ENOMEM;
8102 - p = kmalloc(sizeof(struct proc_mounts), GFP_KERNEL);
8103 - if (!p)
8104 -diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
8105 -index 43d2394..52981cd 100644
8106 ---- a/fs/proc/meminfo.c
8107 -+++ b/fs/proc/meminfo.c
8108 -@@ -35,7 +35,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
8109 - #define K(x) ((x) << (PAGE_SHIFT - 10))
8110 - si_meminfo(&i);
8111 - si_swapinfo(&i);
8112 -- committed = atomic_long_read(&vm_committed_space);
8113 -+ committed = percpu_counter_read_positive(&vm_committed_as);
8114 - allowed = ((totalram_pages - hugetlb_total_pages())
8115 - * sysctl_overcommit_ratio / 100) + total_swap_pages;
8116 -
8117 -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
8118 -index 9406384..c93ed2d 100644
8119 ---- a/fs/proc/task_mmu.c
8120 -+++ b/fs/proc/task_mmu.c
8121 -@@ -663,6 +663,10 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
8122 - goto out_task;
8123 -
8124 - ret = 0;
8125 -+
8126 -+ if (!count)
8127 -+ goto out_task;
8128 -+
8129 - mm = get_task_mm(task);
8130 - if (!mm)
8131 - goto out_task;
8132 -diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
8133 -index 343ea12..6ca0105 100644
8134 ---- a/fs/proc/task_nommu.c
8135 -+++ b/fs/proc/task_nommu.c
8136 -@@ -49,7 +49,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
8137 - else
8138 - bytes += kobjsize(mm);
8139 -
8140 -- if (current->fs && atomic_read(&current->fs->count) > 1)
8141 -+ if (current->fs && current->fs->users > 1)
8142 - sbytes += kobjsize(current->fs);
8143 - else
8144 - bytes += kobjsize(current->fs);
8145 -diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h
8146 -index 5165f24..671fab3 100644
8147 ---- a/include/drm/drm_pciids.h
8148 -+++ b/include/drm/drm_pciids.h
8149 -@@ -418,4 +418,5 @@
8150 - {0x8086, 0x2e02, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
8151 - {0x8086, 0x2e12, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
8152 - {0x8086, 0x2e22, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
8153 -+ {0x8086, 0x2e32, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
8154 - {0, 0, 0}
8155 -diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h
8156 -index a97c053..78a05bf 100644
8157 ---- a/include/linux/fs_struct.h
8158 -+++ b/include/linux/fs_struct.h
8159 -@@ -4,9 +4,10 @@
8160 - #include <linux/path.h>
8161 -
8162 - struct fs_struct {
8163 -- atomic_t count;
8164 -+ int users;
8165 - rwlock_t lock;
8166 - int umask;
8167 -+ int in_exec;
8168 - struct path root, pwd;
8169 - };
8170 -
8171 -@@ -16,6 +17,8 @@ extern void exit_fs(struct task_struct *);
8172 - extern void set_fs_root(struct fs_struct *, struct path *);
8173 - extern void set_fs_pwd(struct fs_struct *, struct path *);
8174 - extern struct fs_struct *copy_fs_struct(struct fs_struct *);
8175 --extern void put_fs_struct(struct fs_struct *);
8176 -+extern void free_fs_struct(struct fs_struct *);
8177 -+extern void daemonize_fs_struct(void);
8178 -+extern int unshare_fs_struct(void);
8179 -
8180 - #endif /* _LINUX_FS_STRUCT_H */
8181 -diff --git a/include/linux/genhd.h b/include/linux/genhd.h
8182 -index 16948ea..102d9e9 100644
8183 ---- a/include/linux/genhd.h
8184 -+++ b/include/linux/genhd.h
8185 -@@ -214,6 +214,7 @@ static inline void disk_put_part(struct hd_struct *part)
8186 - #define DISK_PITER_REVERSE (1 << 0) /* iterate in the reverse direction */
8187 - #define DISK_PITER_INCL_EMPTY (1 << 1) /* include 0-sized parts */
8188 - #define DISK_PITER_INCL_PART0 (1 << 2) /* include partition 0 */
8189 -+#define DISK_PITER_INCL_EMPTY_PART0 (1 << 3) /* include empty partition 0 */
8190 -
8191 - struct disk_part_iter {
8192 - struct gendisk *disk;
8193 -diff --git a/include/linux/kvm.h b/include/linux/kvm.h
8194 -index 0424326..c344599 100644
8195 ---- a/include/linux/kvm.h
8196 -+++ b/include/linux/kvm.h
8197 -@@ -396,6 +396,8 @@ struct kvm_trace_rec {
8198 - #ifdef __KVM_HAVE_USER_NMI
8199 - #define KVM_CAP_USER_NMI 22
8200 - #endif
8201 -+/* Another bug in KVM_SET_USER_MEMORY_REGION fixed: */
8202 -+#define KVM_CAP_JOIN_MEMORY_REGIONS_WORKS 30
8203 -
8204 - /*
8205 - * ioctls for VM fds
8206 -diff --git a/include/linux/mman.h b/include/linux/mman.h
8207 -index 30d1073..9872d6c 100644
8208 ---- a/include/linux/mman.h
8209 -+++ b/include/linux/mman.h
8210 -@@ -12,21 +12,18 @@
8211 -
8212 - #ifdef __KERNEL__
8213 - #include <linux/mm.h>
8214 -+#include <linux/percpu_counter.h>
8215 -
8216 - #include <asm/atomic.h>
8217 -
8218 - extern int sysctl_overcommit_memory;
8219 - extern int sysctl_overcommit_ratio;
8220 --extern atomic_long_t vm_committed_space;
8221 -+extern struct percpu_counter vm_committed_as;
8222 -
8223 --#ifdef CONFIG_SMP
8224 --extern void vm_acct_memory(long pages);
8225 --#else
8226 - static inline void vm_acct_memory(long pages)
8227 - {
8228 -- atomic_long_add(pages, &vm_committed_space);
8229 -+ percpu_counter_add(&vm_committed_as, pages);
8230 - }
8231 --#endif
8232 -
8233 - static inline void vm_unacct_memory(long pages)
8234 - {
8235 -diff --git a/include/linux/pci_regs.h b/include/linux/pci_regs.h
8236 -index 027815b..b647a4d 100644
8237 ---- a/include/linux/pci_regs.h
8238 -+++ b/include/linux/pci_regs.h
8239 -@@ -235,7 +235,7 @@
8240 - #define PCI_PM_CAP_PME_SHIFT 11 /* Start of the PME Mask in PMC */
8241 - #define PCI_PM_CTRL 4 /* PM control and status register */
8242 - #define PCI_PM_CTRL_STATE_MASK 0x0003 /* Current power state (D0 to D3) */
8243 --#define PCI_PM_CTRL_NO_SOFT_RESET 0x0004 /* No reset for D3hot->D0 */
8244 -+#define PCI_PM_CTRL_NO_SOFT_RESET 0x0008 /* No reset for D3hot->D0 */
8245 - #define PCI_PM_CTRL_PME_ENABLE 0x0100 /* PME pin enable */
8246 - #define PCI_PM_CTRL_DATA_SEL_MASK 0x1e00 /* Data select (??) */
8247 - #define PCI_PM_CTRL_DATA_SCALE_MASK 0x6000 /* Data scale (??) */
8248 -diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c
8249 -index 667c841..cb8e962 100644
8250 ---- a/kernel/exec_domain.c
8251 -+++ b/kernel/exec_domain.c
8252 -@@ -145,28 +145,6 @@ __set_personality(u_long personality)
8253 - return 0;
8254 - }
8255 -
8256 -- if (atomic_read(&current->fs->count) != 1) {
8257 -- struct fs_struct *fsp, *ofsp;
8258 --
8259 -- fsp = copy_fs_struct(current->fs);
8260 -- if (fsp == NULL) {
8261 -- module_put(ep->module);
8262 -- return -ENOMEM;
8263 -- }
8264 --
8265 -- task_lock(current);
8266 -- ofsp = current->fs;
8267 -- current->fs = fsp;
8268 -- task_unlock(current);
8269 --
8270 -- put_fs_struct(ofsp);
8271 -- }
8272 --
8273 -- /*
8274 -- * At that point we are guaranteed to be the sole owner of
8275 -- * current->fs.
8276 -- */
8277 --
8278 - current->personality = personality;
8279 - oep = current_thread_info()->exec_domain;
8280 - current_thread_info()->exec_domain = ep;
8281 -diff --git a/kernel/exit.c b/kernel/exit.c
8282 -index efd30cc..467ffcd 100644
8283 ---- a/kernel/exit.c
8284 -+++ b/kernel/exit.c
8285 -@@ -429,7 +429,6 @@ EXPORT_SYMBOL(disallow_signal);
8286 - void daemonize(const char *name, ...)
8287 - {
8288 - va_list args;
8289 -- struct fs_struct *fs;
8290 - sigset_t blocked;
8291 -
8292 - va_start(args, name);
8293 -@@ -462,11 +461,7 @@ void daemonize(const char *name, ...)
8294 -
8295 - /* Become as one with the init task */
8296 -
8297 -- exit_fs(current); /* current->fs->count--; */
8298 -- fs = init_task.fs;
8299 -- current->fs = fs;
8300 -- atomic_inc(&fs->count);
8301 --
8302 -+ daemonize_fs_struct();
8303 - exit_files(current);
8304 - current->files = init_task.files;
8305 - atomic_inc(&current->files->count);
8306 -@@ -565,30 +560,6 @@ void exit_files(struct task_struct *tsk)
8307 - }
8308 - }
8309 -
8310 --void put_fs_struct(struct fs_struct *fs)
8311 --{
8312 -- /* No need to hold fs->lock if we are killing it */
8313 -- if (atomic_dec_and_test(&fs->count)) {
8314 -- path_put(&fs->root);
8315 -- path_put(&fs->pwd);
8316 -- kmem_cache_free(fs_cachep, fs);
8317 -- }
8318 --}
8319 --
8320 --void exit_fs(struct task_struct *tsk)
8321 --{
8322 -- struct fs_struct * fs = tsk->fs;
8323 --
8324 -- if (fs) {
8325 -- task_lock(tsk);
8326 -- tsk->fs = NULL;
8327 -- task_unlock(tsk);
8328 -- put_fs_struct(fs);
8329 -- }
8330 --}
8331 --
8332 --EXPORT_SYMBOL_GPL(exit_fs);
8333 --
8334 - #ifdef CONFIG_MM_OWNER
8335 - /*
8336 - * Task p is exiting and it owned mm, lets find a new owner for it
8337 -@@ -950,8 +921,7 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
8338 - */
8339 - if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
8340 - (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
8341 -- tsk->self_exec_id != tsk->parent_exec_id) &&
8342 -- !capable(CAP_KILL))
8343 -+ tsk->self_exec_id != tsk->parent_exec_id))
8344 - tsk->exit_signal = SIGCHLD;
8345 -
8346 - signal = tracehook_notify_death(tsk, &cookie, group_dead);
8347 -diff --git a/kernel/fork.c b/kernel/fork.c
8348 -index 9b51a1b..8727a5a 100644
8349 ---- a/kernel/fork.c
8350 -+++ b/kernel/fork.c
8351 -@@ -676,38 +676,21 @@ fail_nomem:
8352 - return retval;
8353 - }
8354 -
8355 --static struct fs_struct *__copy_fs_struct(struct fs_struct *old)
8356 --{
8357 -- struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
8358 -- /* We don't need to lock fs - think why ;-) */
8359 -- if (fs) {
8360 -- atomic_set(&fs->count, 1);
8361 -- rwlock_init(&fs->lock);
8362 -- fs->umask = old->umask;
8363 -- read_lock(&old->lock);
8364 -- fs->root = old->root;
8365 -- path_get(&old->root);
8366 -- fs->pwd = old->pwd;
8367 -- path_get(&old->pwd);
8368 -- read_unlock(&old->lock);
8369 -- }
8370 -- return fs;
8371 --}
8372 --
8373 --struct fs_struct *copy_fs_struct(struct fs_struct *old)
8374 --{
8375 -- return __copy_fs_struct(old);
8376 --}
8377 --
8378 --EXPORT_SYMBOL_GPL(copy_fs_struct);
8379 --
8380 - static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
8381 - {
8382 -+ struct fs_struct *fs = current->fs;
8383 - if (clone_flags & CLONE_FS) {
8384 -- atomic_inc(&current->fs->count);
8385 -+ /* tsk->fs is already what we want */
8386 -+ write_lock(&fs->lock);
8387 -+ if (fs->in_exec) {
8388 -+ write_unlock(&fs->lock);
8389 -+ return -EAGAIN;
8390 -+ }
8391 -+ fs->users++;
8392 -+ write_unlock(&fs->lock);
8393 - return 0;
8394 - }
8395 -- tsk->fs = __copy_fs_struct(current->fs);
8396 -+ tsk->fs = copy_fs_struct(fs);
8397 - if (!tsk->fs)
8398 - return -ENOMEM;
8399 - return 0;
8400 -@@ -1543,12 +1526,16 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
8401 - {
8402 - struct fs_struct *fs = current->fs;
8403 -
8404 -- if ((unshare_flags & CLONE_FS) &&
8405 -- (fs && atomic_read(&fs->count) > 1)) {
8406 -- *new_fsp = __copy_fs_struct(current->fs);
8407 -- if (!*new_fsp)
8408 -- return -ENOMEM;
8409 -- }
8410 -+ if (!(unshare_flags & CLONE_FS) || !fs)
8411 -+ return 0;
8412 -+
8413 -+ /* don't need lock here; in the worst case we'll do useless copy */
8414 -+ if (fs->users == 1)
8415 -+ return 0;
8416 -+
8417 -+ *new_fsp = copy_fs_struct(fs);
8418 -+ if (!*new_fsp)
8419 -+ return -ENOMEM;
8420 -
8421 - return 0;
8422 - }
8423 -@@ -1664,8 +1651,13 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
8424 -
8425 - if (new_fs) {
8426 - fs = current->fs;
8427 -+ write_lock(&fs->lock);
8428 - current->fs = new_fs;
8429 -- new_fs = fs;
8430 -+ if (--fs->users)
8431 -+ new_fs = NULL;
8432 -+ else
8433 -+ new_fs = fs;
8434 -+ write_unlock(&fs->lock);
8435 - }
8436 -
8437 - if (new_mm) {
8438 -@@ -1704,7 +1696,7 @@ bad_unshare_cleanup_sigh:
8439 -
8440 - bad_unshare_cleanup_fs:
8441 - if (new_fs)
8442 -- put_fs_struct(new_fs);
8443 -+ free_fs_struct(new_fs);
8444 -
8445 - bad_unshare_cleanup_thread:
8446 - bad_unshare_out:
8447 -diff --git a/kernel/ptrace.c b/kernel/ptrace.c
8448 -index c9cf48b..dc3b98e 100644
8449 ---- a/kernel/ptrace.c
8450 -+++ b/kernel/ptrace.c
8451 -@@ -186,7 +186,7 @@ int ptrace_attach(struct task_struct *task)
8452 - /* Protect exec's credential calculations against our interference;
8453 - * SUID, SGID and LSM creds get determined differently under ptrace.
8454 - */
8455 -- retval = mutex_lock_interruptible(&current->cred_exec_mutex);
8456 -+ retval = mutex_lock_interruptible(&task->cred_exec_mutex);
8457 - if (retval < 0)
8458 - goto out;
8459 -
8460 -@@ -230,7 +230,7 @@ repeat:
8461 - bad:
8462 - write_unlock_irqrestore(&tasklist_lock, flags);
8463 - task_unlock(task);
8464 -- mutex_unlock(&current->cred_exec_mutex);
8465 -+ mutex_unlock(&task->cred_exec_mutex);
8466 - out:
8467 - return retval;
8468 - }
8469 -diff --git a/kernel/sched.c b/kernel/sched.c
8470 -index 5e80629..7d13deb 100644
8471 ---- a/kernel/sched.c
8472 -+++ b/kernel/sched.c
8473 -@@ -4347,7 +4347,7 @@ void account_process_tick(struct task_struct *p, int user_tick)
8474 -
8475 - if (user_tick)
8476 - account_user_time(p, one_jiffy, one_jiffy_scaled);
8477 -- else if (p != rq->idle)
8478 -+ else if ((p != rq->idle) || (irq_count() != HARDIRQ_OFFSET))
8479 - account_system_time(p, HARDIRQ_OFFSET, one_jiffy,
8480 - one_jiffy_scaled);
8481 - else
8482 -diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
8483 -index 21a5ca8..83c4417 100644
8484 ---- a/kernel/time/tick-common.c
8485 -+++ b/kernel/time/tick-common.c
8486 -@@ -93,7 +93,17 @@ void tick_handle_periodic(struct clock_event_device *dev)
8487 - for (;;) {
8488 - if (!clockevents_program_event(dev, next, ktime_get()))
8489 - return;
8490 -- tick_periodic(cpu);
8491 -+ /*
8492 -+ * Have to be careful here. If we're in oneshot mode,
8493 -+ * before we call tick_periodic() in a loop, we need
8494 -+ * to be sure we're using a real hardware clocksource.
8495 -+ * Otherwise we could get trapped in an infinite
8496 -+ * loop, as the tick_periodic() increments jiffies,
8497 -+ * when then will increment time, posibly causing
8498 -+ * the loop to trigger again and again.
8499 -+ */
8500 -+ if (timekeeping_valid_for_hres())
8501 -+ tick_periodic(cpu);
8502 - next = ktime_add(next, tick_period);
8503 - }
8504 - }
8505 -diff --git a/mm/madvise.c b/mm/madvise.c
8506 -index b9ce574..36d6ea2 100644
8507 ---- a/mm/madvise.c
8508 -+++ b/mm/madvise.c
8509 -@@ -112,6 +112,14 @@ static long madvise_willneed(struct vm_area_struct * vma,
8510 - if (!file)
8511 - return -EBADF;
8512 -
8513 -+ /*
8514 -+ * Page cache readahead assumes page cache pages are order-0 which
8515 -+ * is not the case for hugetlbfs. Do not give a bad return value
8516 -+ * but ignore the advice.
8517 -+ */
8518 -+ if (vma->vm_flags & VM_HUGETLB)
8519 -+ return 0;
8520 -+
8521 - if (file->f_mapping->a_ops->get_xip_mem) {
8522 - /* no bad return value, but ignore advice */
8523 - return 0;
8524 -diff --git a/mm/mmap.c b/mm/mmap.c
8525 -index f1aa6f9..efff81b 100644
8526 ---- a/mm/mmap.c
8527 -+++ b/mm/mmap.c
8528 -@@ -84,7 +84,7 @@ EXPORT_SYMBOL(vm_get_page_prot);
8529 - int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
8530 - int sysctl_overcommit_ratio = 50; /* default is 50% */
8531 - int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
8532 --atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
8533 -+struct percpu_counter vm_committed_as;
8534 -
8535 - /*
8536 - * Check that a process has enough memory to allocate a new virtual
8537 -@@ -178,11 +178,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
8538 - if (mm)
8539 - allowed -= mm->total_vm / 32;
8540 -
8541 -- /*
8542 -- * cast `allowed' as a signed long because vm_committed_space
8543 -- * sometimes has a negative value
8544 -- */
8545 -- if (atomic_long_read(&vm_committed_space) < (long)allowed)
8546 -+ if (percpu_counter_read_positive(&vm_committed_as) < allowed)
8547 - return 0;
8548 - error:
8549 - vm_unacct_memory(pages);
8550 -@@ -2477,6 +2473,10 @@ void mm_drop_all_locks(struct mm_struct *mm)
8551 - */
8552 - void __init mmap_init(void)
8553 - {
8554 -+ int ret;
8555 -+
8556 -+ ret = percpu_counter_init(&vm_committed_as, 0);
8557 -+ VM_BUG_ON(ret);
8558 - vm_area_cachep = kmem_cache_create("vm_area_struct",
8559 - sizeof(struct vm_area_struct), 0,
8560 - SLAB_PANIC, NULL);
8561 -diff --git a/mm/nommu.c b/mm/nommu.c
8562 -index 2fcf47d..ee955bc 100644
8563 ---- a/mm/nommu.c
8564 -+++ b/mm/nommu.c
8565 -@@ -62,7 +62,7 @@ void *high_memory;
8566 - struct page *mem_map;
8567 - unsigned long max_mapnr;
8568 - unsigned long num_physpages;
8569 --atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
8570 -+struct percpu_counter vm_committed_as;
8571 - int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
8572 - int sysctl_overcommit_ratio = 50; /* default is 50% */
8573 - int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
8574 -@@ -463,6 +463,10 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
8575 - */
8576 - void __init mmap_init(void)
8577 - {
8578 -+ int ret;
8579 -+
8580 -+ ret = percpu_counter_init(&vm_committed_as, 0);
8581 -+ VM_BUG_ON(ret);
8582 - vm_region_jar = kmem_cache_create("vm_region_jar",
8583 - sizeof(struct vm_region), 0,
8584 - SLAB_PANIC, NULL);
8585 -@@ -1849,12 +1853,9 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
8586 - if (mm)
8587 - allowed -= mm->total_vm / 32;
8588 -
8589 -- /*
8590 -- * cast `allowed' as a signed long because vm_committed_space
8591 -- * sometimes has a negative value
8592 -- */
8593 -- if (atomic_long_read(&vm_committed_space) < (long)allowed)
8594 -+ if (percpu_counter_read_positive(&vm_committed_as) < allowed)
8595 - return 0;
8596 -+
8597 - error:
8598 - vm_unacct_memory(pages);
8599 -
8600 -diff --git a/mm/swap.c b/mm/swap.c
8601 -index 8adb9fe..2460f7d 100644
8602 ---- a/mm/swap.c
8603 -+++ b/mm/swap.c
8604 -@@ -514,49 +514,6 @@ unsigned pagevec_lookup_tag(struct pagevec *pvec, struct address_space *mapping,
8605 -
8606 - EXPORT_SYMBOL(pagevec_lookup_tag);
8607 -
8608 --#ifdef CONFIG_SMP
8609 --/*
8610 -- * We tolerate a little inaccuracy to avoid ping-ponging the counter between
8611 -- * CPUs
8612 -- */
8613 --#define ACCT_THRESHOLD max(16, NR_CPUS * 2)
8614 --
8615 --static DEFINE_PER_CPU(long, committed_space);
8616 --
8617 --void vm_acct_memory(long pages)
8618 --{
8619 -- long *local;
8620 --
8621 -- preempt_disable();
8622 -- local = &__get_cpu_var(committed_space);
8623 -- *local += pages;
8624 -- if (*local > ACCT_THRESHOLD || *local < -ACCT_THRESHOLD) {
8625 -- atomic_long_add(*local, &vm_committed_space);
8626 -- *local = 0;
8627 -- }
8628 -- preempt_enable();
8629 --}
8630 --
8631 --#ifdef CONFIG_HOTPLUG_CPU
8632 --
8633 --/* Drop the CPU's cached committed space back into the central pool. */
8634 --static int cpu_swap_callback(struct notifier_block *nfb,
8635 -- unsigned long action,
8636 -- void *hcpu)
8637 --{
8638 -- long *committed;
8639 --
8640 -- committed = &per_cpu(committed_space, (long)hcpu);
8641 -- if (action == CPU_DEAD || action == CPU_DEAD_FROZEN) {
8642 -- atomic_long_add(*committed, &vm_committed_space);
8643 -- *committed = 0;
8644 -- drain_cpu_pagevecs((long)hcpu);
8645 -- }
8646 -- return NOTIFY_OK;
8647 --}
8648 --#endif /* CONFIG_HOTPLUG_CPU */
8649 --#endif /* CONFIG_SMP */
8650 --
8651 - /*
8652 - * Perform any setup for the swap system
8653 - */
8654 -@@ -577,7 +534,4 @@ void __init swap_setup(void)
8655 - * Right now other parts of the system means that we
8656 - * _really_ don't want to cluster much more
8657 - */
8658 --#ifdef CONFIG_HOTPLUG_CPU
8659 -- hotcpu_notifier(cpu_swap_callback, 0);
8660 --#endif
8661 - }
8662 -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
8663 -index 2b890af..4a78c17 100644
8664 ---- a/net/mac80211/mlme.c
8665 -+++ b/net/mac80211/mlme.c
8666 -@@ -1342,7 +1342,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
8667 -
8668 - for (i = 0; i < elems.ext_supp_rates_len; i++) {
8669 - int rate = (elems.ext_supp_rates[i] & 0x7f) * 5;
8670 -- bool is_basic = !!(elems.supp_rates[i] & 0x80);
8671 -+ bool is_basic = !!(elems.ext_supp_rates[i] & 0x80);
8672 -
8673 - if (rate > 110)
8674 - have_higher_than_11mbit = true;
8675 -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
8676 -index 7175ae8..75837ca 100644
8677 ---- a/net/mac80211/rx.c
8678 -+++ b/net/mac80211/rx.c
8679 -@@ -29,6 +29,7 @@
8680 - static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
8681 - struct tid_ampdu_rx *tid_agg_rx,
8682 - struct sk_buff *skb,
8683 -+ struct ieee80211_rx_status *status,
8684 - u16 mpdu_seq_num,
8685 - int bar_req);
8686 - /*
8687 -@@ -1538,7 +1539,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx)
8688 - /* manage reordering buffer according to requested */
8689 - /* sequence number */
8690 - rcu_read_lock();
8691 -- ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL,
8692 -+ ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, NULL,
8693 - start_seq_num, 1);
8694 - rcu_read_unlock();
8695 - return RX_DROP_UNUSABLE;
8696 -@@ -2034,6 +2035,7 @@ static inline u16 seq_sub(u16 sq1, u16 sq2)
8697 - static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
8698 - struct tid_ampdu_rx *tid_agg_rx,
8699 - struct sk_buff *skb,
8700 -+ struct ieee80211_rx_status *rxstatus,
8701 - u16 mpdu_seq_num,
8702 - int bar_req)
8703 - {
8704 -@@ -2115,6 +2117,8 @@ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
8705 -
8706 - /* put the frame in the reordering buffer */
8707 - tid_agg_rx->reorder_buf[index] = skb;
8708 -+ memcpy(tid_agg_rx->reorder_buf[index]->cb, rxstatus,
8709 -+ sizeof(*rxstatus));
8710 - tid_agg_rx->stored_mpdu_num++;
8711 - /* release the buffer until next missing frame */
8712 - index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn)
8713 -@@ -2140,7 +2144,8 @@ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
8714 - }
8715 -
8716 - static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
8717 -- struct sk_buff *skb)
8718 -+ struct sk_buff *skb,
8719 -+ struct ieee80211_rx_status *status)
8720 - {
8721 - struct ieee80211_hw *hw = &local->hw;
8722 - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
8723 -@@ -2191,7 +2196,7 @@ static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
8724 -
8725 - /* according to mpdu sequence number deal with reordering buffer */
8726 - mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
8727 -- ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb,
8728 -+ ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, status,
8729 - mpdu_seq_num, 0);
8730 - end_reorder:
8731 - return ret;
8732 -@@ -2255,7 +2260,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
8733 - return;
8734 - }
8735 -
8736 -- if (!ieee80211_rx_reorder_ampdu(local, skb))
8737 -+ if (!ieee80211_rx_reorder_ampdu(local, skb, status))
8738 - __ieee80211_rx_handle_packet(hw, skb, status, rate);
8739 -
8740 - rcu_read_unlock();
8741 -diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
8742 -index 8892161..723b647 100644
8743 ---- a/scripts/mod/modpost.c
8744 -+++ b/scripts/mod/modpost.c
8745 -@@ -2005,6 +2005,7 @@ static void read_markers(const char *fname)
8746 - if (!mod->skip)
8747 - add_marker(mod, marker, fmt);
8748 - }
8749 -+ release_file(file, size);
8750 - return;
8751 - fail:
8752 - fatal("parse error in markers list file\n");
8753 -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
8754 -index 0081597..e210b21 100644
8755 ---- a/security/selinux/hooks.c
8756 -+++ b/security/selinux/hooks.c
8757 -@@ -4661,6 +4661,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
8758 - if (err)
8759 - return err;
8760 - err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
8761 -+ if (err)
8762 - return err;
8763 -
8764 - err = sel_netnode_sid(addrp, family, &node_sid);
8765 -diff --git a/sound/soc/codecs/wm8580.c b/sound/soc/codecs/wm8580.c
8766 -index d004e58..f3d15d5 100644
8767 ---- a/sound/soc/codecs/wm8580.c
8768 -+++ b/sound/soc/codecs/wm8580.c
8769 -@@ -533,7 +533,7 @@ static int wm8580_set_dai_pll(struct snd_soc_dai *codec_dai,
8770 - reg = wm8580_read(codec, WM8580_PLLA4 + offset);
8771 - reg &= ~0x3f;
8772 - reg |= pll_div.prescale | pll_div.postscale << 1 |
8773 -- pll_div.freqmode << 4;
8774 -+ pll_div.freqmode << 3;
8775 -
8776 - wm8580_write(codec, WM8580_PLLA4 + offset, reg);
8777 -
8778 -diff --git a/sound/usb/usx2y/us122l.c b/sound/usb/usx2y/us122l.c
8779 -index 73e59f4..9ce1c59 100644
8780 ---- a/sound/usb/usx2y/us122l.c
8781 -+++ b/sound/usb/usx2y/us122l.c
8782 -@@ -478,6 +478,14 @@ static bool us122l_create_card(struct snd_card *card)
8783 - return true;
8784 - }
8785 -
8786 -+static void snd_us122l_free(struct snd_card *card)
8787 -+{
8788 -+ struct us122l *us122l = US122L(card);
8789 -+ int index = us122l->chip.index;
8790 -+ if (index >= 0 && index < SNDRV_CARDS)
8791 -+ snd_us122l_card_used[index] = 0;
8792 -+}
8793 -+
8794 - static struct snd_card *usx2y_create_card(struct usb_device *device)
8795 - {
8796 - int dev;
8797 -@@ -492,7 +500,7 @@ static struct snd_card *usx2y_create_card(struct usb_device *device)
8798 - if (!card)
8799 - return NULL;
8800 - snd_us122l_card_used[US122L(card)->chip.index = dev] = 1;
8801 --
8802 -+ card->private_free = snd_us122l_free;
8803 - US122L(card)->chip.dev = device;
8804 - US122L(card)->chip.card = card;
8805 - mutex_init(&US122L(card)->mutex);
8806 -@@ -575,7 +583,7 @@ static void snd_us122l_disconnect(struct usb_interface *intf)
8807 - }
8808 -
8809 - usb_put_intf(intf);
8810 -- usb_put_dev(US122L(card)->chip.dev);
8811 -+ usb_put_dev(us122l->chip.dev);
8812 -
8813 - while (atomic_read(&us122l->mmap_count))
8814 - msleep(500);
8815 -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
8816 -index 6723411..d85642e 100644
8817 ---- a/virt/kvm/kvm_main.c
8818 -+++ b/virt/kvm/kvm_main.c
8819 -@@ -964,6 +964,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
8820 - int r;
8821 - gfn_t base_gfn;
8822 - unsigned long npages;
8823 -+ int largepages;
8824 - unsigned long i;
8825 - struct kvm_memory_slot *memslot;
8826 - struct kvm_memory_slot old, new;
8827 -@@ -1004,7 +1005,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
8828 - for (i = 0; i < KVM_MEMORY_SLOTS; ++i) {
8829 - struct kvm_memory_slot *s = &kvm->memslots[i];
8830 -
8831 -- if (s == memslot)
8832 -+ if (s == memslot || !s->npages)
8833 - continue;
8834 - if (!((base_gfn + npages <= s->base_gfn) ||
8835 - (base_gfn >= s->base_gfn + s->npages)))
8836 -@@ -1039,11 +1040,8 @@ int __kvm_set_memory_region(struct kvm *kvm,
8837 - new.userspace_addr = 0;
8838 - }
8839 - if (npages && !new.lpage_info) {
8840 -- int largepages = npages / KVM_PAGES_PER_HPAGE;
8841 -- if (npages % KVM_PAGES_PER_HPAGE)
8842 -- largepages++;
8843 -- if (base_gfn % KVM_PAGES_PER_HPAGE)
8844 -- largepages++;
8845 -+ largepages = 1 + (base_gfn + npages - 1) / KVM_PAGES_PER_HPAGE;
8846 -+ largepages -= base_gfn / KVM_PAGES_PER_HPAGE;
8847 -
8848 - new.lpage_info = vmalloc(largepages * sizeof(*new.lpage_info));
8849 -
8850 -@@ -1999,6 +1997,7 @@ static long kvm_dev_ioctl_check_extension_generic(long arg)
8851 - switch (arg) {
8852 - case KVM_CAP_USER_MEMORY:
8853 - case KVM_CAP_DESTROY_MEMORY_REGION_WORKS:
8854 -+ case KVM_CAP_JOIN_MEMORY_REGIONS_WORKS:
8855 - return 1;
8856 - default:
8857 - break;
8858
8859 Deleted: genpatches-2.6/trunk/2.6.30/1003_linux-2.6.29.4.patch
8860 ===================================================================
8861 --- genpatches-2.6/trunk/2.6.30/1003_linux-2.6.29.4.patch 2009-06-05 16:26:11 UTC (rev 1572)
8862 +++ genpatches-2.6/trunk/2.6.30/1003_linux-2.6.29.4.patch 2009-06-05 16:28:49 UTC (rev 1573)
8863 @@ -1,3211 +0,0 @@
8864 -diff --git a/Documentation/filesystems/Locking b/Documentation/filesystems/Locking
8865 -index ec6a939..eea7102 100644
8866 ---- a/Documentation/filesystems/Locking
8867 -+++ b/Documentation/filesystems/Locking
8868 -@@ -502,23 +502,31 @@ prototypes:
8869 - void (*open)(struct vm_area_struct*);
8870 - void (*close)(struct vm_area_struct*);
8871 - int (*fault)(struct vm_area_struct*, struct vm_fault *);
8872 -- int (*page_mkwrite)(struct vm_area_struct *, struct page *);
8873 -+ int (*page_mkwrite)(struct vm_area_struct *, struct vm_fault *);
8874 - int (*access)(struct vm_area_struct *, unsigned long, void*, int, int);
8875 -
8876 - locking rules:
8877 - BKL mmap_sem PageLocked(page)
8878 - open: no yes
8879 - close: no yes
8880 --fault: no yes
8881 --page_mkwrite: no yes no
8882 -+fault: no yes can return with page locked
8883 -+page_mkwrite: no yes can return with page locked
8884 - access: no yes
8885 -
8886 -- ->page_mkwrite() is called when a previously read-only page is
8887 --about to become writeable. The file system is responsible for
8888 --protecting against truncate races. Once appropriate action has been
8889 --taking to lock out truncate, the page range should be verified to be
8890 --within i_size. The page mapping should also be checked that it is not
8891 --NULL.
8892 -+ ->fault() is called when a previously not present pte is about
8893 -+to be faulted in. The filesystem must find and return the page associated
8894 -+with the passed in "pgoff" in the vm_fault structure. If it is possible that
8895 -+the page may be truncated and/or invalidated, then the filesystem must lock
8896 -+the page, then ensure it is not already truncated (the page lock will block
8897 -+subsequent truncate), and then return with VM_FAULT_LOCKED, and the page
8898 -+locked. The VM will unlock the page.
8899 -+
8900 -+ ->page_mkwrite() is called when a previously read-only pte is
8901 -+about to become writeable. The filesystem again must ensure that there are
8902 -+no truncate/invalidate races, and then return with the page locked. If
8903 -+the page has been truncated, the filesystem should not look up a new page
8904 -+like the ->fault() handler, but simply return with VM_FAULT_NOPAGE, which
8905 -+will cause the VM to retry the fault.
8906 -
8907 - ->access() is called when get_user_pages() fails in
8908 - acces_process_vm(), typically used to debug a process through
8909 -diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
8910 -index da56821..dd8eeea 100644
8911 ---- a/arch/x86/kvm/svm.c
8912 -+++ b/arch/x86/kvm/svm.c
8913 -@@ -411,7 +411,6 @@ static __init int svm_hardware_setup(void)
8914 -
8915 - iopm_va = page_address(iopm_pages);
8916 - memset(iopm_va, 0xff, PAGE_SIZE * (1 << IOPM_ALLOC_ORDER));
8917 -- clear_bit(0x80, iopm_va); /* allow direct access to PC debug port */
8918 - iopm_base = page_to_pfn(iopm_pages) << PAGE_SHIFT;
8919 -
8920 - if (boot_cpu_has(X86_FEATURE_NX))
8921 -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
8922 -index 425423e..92f0457 100644
8923 ---- a/arch/x86/kvm/x86.c
8924 -+++ b/arch/x86/kvm/x86.c
8925 -@@ -1075,9 +1075,9 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
8926 -
8927 - static int is_efer_nx(void)
8928 - {
8929 -- u64 efer;
8930 -+ unsigned long long efer = 0;
8931 -
8932 -- rdmsrl(MSR_EFER, efer);
8933 -+ rdmsrl_safe(MSR_EFER, &efer);
8934 - return efer & EFER_NX;
8935 - }
8936 -
8937 -diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
8938 -index e190d8b..7ffc5ac 100644
8939 ---- a/drivers/dma/dmatest.c
8940 -+++ b/drivers/dma/dmatest.c
8941 -@@ -410,9 +410,7 @@ static int __init dmatest_init(void)
8942 - chan = dma_request_channel(mask, filter, NULL);
8943 - if (chan) {
8944 - err = dmatest_add_channel(chan);
8945 -- if (err == 0)
8946 -- continue;
8947 -- else {
8948 -+ if (err) {
8949 - dma_release_channel(chan);
8950 - break; /* add_channel failed, punt */
8951 - }
8952 -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
8953 -index 8851197..700ebec 100644
8954 ---- a/drivers/hid/hid-ids.h
8955 -+++ b/drivers/hid/hid-ids.h
8956 -@@ -110,6 +110,11 @@
8957 - #define USB_VENDOR_ID_BERKSHIRE 0x0c98
8958 - #define USB_DEVICE_ID_BERKSHIRE_PCWD 0x1140
8959 -
8960 -+#define USB_VENDOR_ID_CH 0x068e
8961 -+#define USB_DEVICE_ID_CH_PRO_PEDALS 0x00f2
8962 -+#define USB_DEVICE_ID_CH_COMBATSTICK 0x00f4
8963 -+#define USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE 0x00ff
8964 -+
8965 - #define USB_VENDOR_ID_CHERRY 0x046a
8966 - #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023
8967 -
8968 -diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
8969 -index 4391717..d8f7423 100644
8970 ---- a/drivers/hid/usbhid/hid-quirks.c
8971 -+++ b/drivers/hid/usbhid/hid-quirks.c
8972 -@@ -50,6 +50,9 @@ static const struct hid_blacklist {
8973 - { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_2PORTKVM, HID_QUIRK_NOGET },
8974 - { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVM, HID_QUIRK_NOGET },
8975 - { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVMC, HID_QUIRK_NOGET },
8976 -+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_COMBATSTICK, HID_QUIRK_NOGET },
8977 -+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE, HID_QUIRK_NOGET },
8978 -+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS, HID_QUIRK_NOGET },
8979 - { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
8980 - { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
8981 - { USB_VENDOR_ID_SUN, USB_DEVICE_ID_RARITAN_KVM_DONGLE, HID_QUIRK_NOGET },
8982 -diff --git a/drivers/hwmon/w83781d.c b/drivers/hwmon/w83781d.c
8983 -index dbfb30c..0bdab95 100644
8984 ---- a/drivers/hwmon/w83781d.c
8985 -+++ b/drivers/hwmon/w83781d.c
8986 -@@ -1462,7 +1462,8 @@ static struct w83781d_data *w83781d_update_device(struct device *dev)
8987 - data->pwm[i] =
8988 - w83781d_read_value(data,
8989 - W83781D_REG_PWM[i]);
8990 -- if ((data->type != w83782d || !client->driver)
8991 -+ /* Only W83782D on SMBus has PWM3 and PWM4 */
8992 -+ if ((data->type != w83782d || !client)
8993 - && i == 1)
8994 - break;
8995 - }
8996 -diff --git a/drivers/i2c/algos/i2c-algo-bit.c b/drivers/i2c/algos/i2c-algo-bit.c
8997 -index eb8f72c..0e034a4 100644
8998 ---- a/drivers/i2c/algos/i2c-algo-bit.c
8999 -+++ b/drivers/i2c/algos/i2c-algo-bit.c
9000 -@@ -104,7 +104,7 @@ static int sclhi(struct i2c_algo_bit_data *adap)
9001 - * chips may hold it low ("clock stretching") while they
9002 - * are processing data internally.
9003 - */
9004 -- if (time_after_eq(jiffies, start + adap->timeout))
9005 -+ if (time_after(jiffies, start + adap->timeout))
9006 - return -ETIMEDOUT;
9007 - cond_resched();
9008 - }
9009 -diff --git a/drivers/i2c/algos/i2c-algo-pca.c b/drivers/i2c/algos/i2c-algo-pca.c
9010 -index d50b329..2346a89 100644
9011 ---- a/drivers/i2c/algos/i2c-algo-pca.c
9012 -+++ b/drivers/i2c/algos/i2c-algo-pca.c
9013 -@@ -270,10 +270,21 @@ static int pca_xfer(struct i2c_adapter *i2c_adap,
9014 -
9015 - case 0x30: /* Data byte in I2CDAT has been transmitted; NOT ACK has been received */
9016 - DEB2("NOT ACK received after data byte\n");
9017 -+ pca_stop(adap);
9018 - goto out;
9019 -
9020 - case 0x38: /* Arbitration lost during SLA+W, SLA+R or data bytes */
9021 - DEB2("Arbitration lost\n");
9022 -+ /*
9023 -+ * The PCA9564 data sheet (2006-09-01) says "A
9024 -+ * START condition will be transmitted when the
9025 -+ * bus becomes free (STOP or SCL and SDA high)"
9026 -+ * when the STA bit is set (p. 11).
9027 -+ *
9028 -+ * In case this won't work, try pca_reset()
9029 -+ * instead.
9030 -+ */
9031 -+ pca_start(adap);
9032 - goto out;
9033 -
9034 - case 0x58: /* Data byte has been received; NOT ACK has been returned */
9035 -diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
9036 -index 7199437..b411249 100644
9037 ---- a/drivers/md/bitmap.c
9038 -+++ b/drivers/md/bitmap.c
9039 -@@ -985,6 +985,9 @@ static int bitmap_init_from_disk(struct bitmap *bitmap, sector_t start)
9040 - oldindex = index;
9041 - oldpage = page;
9042 -
9043 -+ bitmap->filemap[bitmap->file_pages++] = page;
9044 -+ bitmap->last_page_size = count;
9045 -+
9046 - if (outofdate) {
9047 - /*
9048 - * if bitmap is out of date, dirty the
9049 -@@ -997,15 +1000,9 @@ static int bitmap_init_from_disk(struct bitmap *bitmap, sector_t start)
9050 - write_page(bitmap, page, 1);
9051 -
9052 - ret = -EIO;
9053 -- if (bitmap->flags & BITMAP_WRITE_ERROR) {
9054 -- /* release, page not in filemap yet */
9055 -- put_page(page);
9056 -+ if (bitmap->flags & BITMAP_WRITE_ERROR)
9057 - goto err;
9058 -- }
9059 - }
9060 --
9061 -- bitmap->filemap[bitmap->file_pages++] = page;
9062 -- bitmap->last_page_size = count;
9063 - }
9064 - paddr = kmap_atomic(page, KM_USER0);
9065 - if (bitmap->flags & BITMAP_HOSTENDIAN)
9066 -@@ -1015,9 +1012,11 @@ static int bitmap_init_from_disk(struct bitmap *bitmap, sector_t start)
9067 - kunmap_atomic(paddr, KM_USER0);
9068 - if (b) {
9069 - /* if the disk bit is set, set the memory bit */
9070 -- bitmap_set_memory_bits(bitmap, i << CHUNK_BLOCK_SHIFT(bitmap),
9071 -- ((i+1) << (CHUNK_BLOCK_SHIFT(bitmap)) >= start)
9072 -- );
9073 -+ int needed = ((sector_t)(i+1) << (CHUNK_BLOCK_SHIFT(bitmap))
9074 -+ >= start);
9075 -+ bitmap_set_memory_bits(bitmap,
9076 -+ (sector_t)i << CHUNK_BLOCK_SHIFT(bitmap),
9077 -+ needed);
9078 - bit_cnt++;
9079 - set_page_attr(bitmap, page, BITMAP_PAGE_CLEAN);
9080 - }
9081 -@@ -1153,8 +1152,9 @@ void bitmap_daemon_work(struct bitmap *bitmap)
9082 - spin_lock_irqsave(&bitmap->lock, flags);
9083 - clear_page_attr(bitmap, page, BITMAP_PAGE_CLEAN);
9084 - }
9085 -- bmc = bitmap_get_counter(bitmap, j << CHUNK_BLOCK_SHIFT(bitmap),
9086 -- &blocks, 0);
9087 -+ bmc = bitmap_get_counter(bitmap,
9088 -+ (sector_t)j << CHUNK_BLOCK_SHIFT(bitmap),
9089 -+ &blocks, 0);
9090 - if (bmc) {
9091 - /*
9092 - if (j < 100) printk("bitmap: j=%lu, *bmc = 0x%x\n", j, *bmc);
9093 -@@ -1168,7 +1168,8 @@ void bitmap_daemon_work(struct bitmap *bitmap)
9094 - } else if (*bmc == 1) {
9095 - /* we can clear the bit */
9096 - *bmc = 0;
9097 -- bitmap_count_page(bitmap, j << CHUNK_BLOCK_SHIFT(bitmap),
9098 -+ bitmap_count_page(bitmap,
9099 -+ (sector_t)j << CHUNK_BLOCK_SHIFT(bitmap),
9100 - -1);
9101 -
9102 - /* clear the bit */
9103 -@@ -1484,7 +1485,7 @@ void bitmap_dirty_bits(struct bitmap *bitmap, unsigned long s, unsigned long e)
9104 - unsigned long chunk;
9105 -
9106 - for (chunk = s; chunk <= e; chunk++) {
9107 -- sector_t sec = chunk << CHUNK_BLOCK_SHIFT(bitmap);
9108 -+ sector_t sec = (sector_t)chunk << CHUNK_BLOCK_SHIFT(bitmap);
9109 - bitmap_set_memory_bits(bitmap, sec, 1);
9110 - bitmap_file_set_bit(bitmap, sec);
9111 - }
9112 -diff --git a/drivers/md/md.c b/drivers/md/md.c
9113 -index a307f87..dc85211 100644
9114 ---- a/drivers/md/md.c
9115 -+++ b/drivers/md/md.c
9116 -@@ -2844,11 +2844,8 @@ array_state_store(mddev_t *mddev, const char *buf, size_t len)
9117 - } else
9118 - err = -EBUSY;
9119 - spin_unlock_irq(&mddev->write_lock);
9120 -- } else {
9121 -- mddev->ro = 0;
9122 -- mddev->recovery_cp = MaxSector;
9123 -- err = do_md_run(mddev);
9124 -- }
9125 -+ } else
9126 -+ err = -EINVAL;
9127 - break;
9128 - case active:
9129 - if (mddev->pers) {
9130 -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
9131 -index 7301631..d849533 100644
9132 ---- a/drivers/md/raid10.c
9133 -+++ b/drivers/md/raid10.c
9134 -@@ -1807,17 +1807,17 @@ static sector_t sync_request(mddev_t *mddev, sector_t sector_nr, int *skipped, i
9135 - r10_bio->sector = sect;
9136 -
9137 - raid10_find_phys(conf, r10_bio);
9138 -- /* Need to check if this section will still be
9139 -+
9140 -+ /* Need to check if the array will still be
9141 - * degraded
9142 - */
9143 -- for (j=0; j<conf->copies;j++) {
9144 -- int d = r10_bio->devs[j].devnum;
9145 -- if (conf->mirrors[d].rdev == NULL ||
9146 -- test_bit(Faulty, &conf->mirrors[d].rdev->flags)) {
9147 -+ for (j=0; j<conf->raid_disks; j++)
9148 -+ if (conf->mirrors[j].rdev == NULL ||
9149 -+ test_bit(Faulty, &conf->mirrors[j].rdev->flags)) {
9150 - still_degraded = 1;
9151 - break;
9152 - }
9153 -- }
9154 -+
9155 - must_sync = bitmap_start_sync(mddev->bitmap, sect,
9156 - &sync_blocks, still_degraded);
9157 -
9158 -diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c
9159 -index 6bd63cc..d436e27 100644
9160 ---- a/drivers/net/e1000/e1000_main.c
9161 -+++ b/drivers/net/e1000/e1000_main.c
9162 -@@ -3712,7 +3712,7 @@ static irqreturn_t e1000_intr(int irq, void *data)
9163 - struct e1000_hw *hw = &adapter->hw;
9164 - u32 rctl, icr = er32(ICR);
9165 -
9166 -- if (unlikely((!icr) || test_bit(__E1000_RESETTING, &adapter->flags)))
9167 -+ if (unlikely((!icr) || test_bit(__E1000_DOWN, &adapter->flags)))
9168 - return IRQ_NONE; /* Not our interrupt */
9169 -
9170 - /* IMS will not auto-mask if INT_ASSERTED is not set, and if it is
9171 -diff --git a/drivers/net/ehea/ehea_main.c b/drivers/net/ehea/ehea_main.c
9172 -index dfe9226..9a59414 100644
9173 ---- a/drivers/net/ehea/ehea_main.c
9174 -+++ b/drivers/net/ehea/ehea_main.c
9175 -@@ -529,14 +529,17 @@ static inline struct sk_buff *get_skb_by_index(struct sk_buff **skb_array,
9176 - x &= (arr_len - 1);
9177 -
9178 - pref = skb_array[x];
9179 -- prefetchw(pref);
9180 -- prefetchw(pref + EHEA_CACHE_LINE);
9181 --
9182 -- pref = (skb_array[x]->data);
9183 -- prefetch(pref);
9184 -- prefetch(pref + EHEA_CACHE_LINE);
9185 -- prefetch(pref + EHEA_CACHE_LINE * 2);
9186 -- prefetch(pref + EHEA_CACHE_LINE * 3);
9187 -+ if (pref) {
9188 -+ prefetchw(pref);
9189 -+ prefetchw(pref + EHEA_CACHE_LINE);
9190 -+
9191 -+ pref = (skb_array[x]->data);
9192 -+ prefetch(pref);
9193 -+ prefetch(pref + EHEA_CACHE_LINE);
9194 -+ prefetch(pref + EHEA_CACHE_LINE * 2);
9195 -+ prefetch(pref + EHEA_CACHE_LINE * 3);
9196 -+ }
9197 -+
9198 - skb = skb_array[skb_index];
9199 - skb_array[skb_index] = NULL;
9200 - return skb;
9201 -@@ -553,12 +556,14 @@ static inline struct sk_buff *get_skb_by_index_ll(struct sk_buff **skb_array,
9202 - x &= (arr_len - 1);
9203 -
9204 - pref = skb_array[x];
9205 -- prefetchw(pref);
9206 -- prefetchw(pref + EHEA_CACHE_LINE);
9207 -+ if (pref) {
9208 -+ prefetchw(pref);
9209 -+ prefetchw(pref + EHEA_CACHE_LINE);
9210 -
9211 -- pref = (skb_array[x]->data);
9212 -- prefetchw(pref);
9213 -- prefetchw(pref + EHEA_CACHE_LINE);
9214 -+ pref = (skb_array[x]->data);
9215 -+ prefetchw(pref);
9216 -+ prefetchw(pref + EHEA_CACHE_LINE);
9217 -+ }
9218 -
9219 - skb = skb_array[wqe_index];
9220 - skb_array[wqe_index] = NULL;
9221 -diff --git a/drivers/net/ne2k-pci.c b/drivers/net/ne2k-pci.c
9222 -index f090d3b..453d6bb 100644
9223 ---- a/drivers/net/ne2k-pci.c
9224 -+++ b/drivers/net/ne2k-pci.c
9225 -@@ -373,18 +373,17 @@ static int __devinit ne2k_pci_init_one (struct pci_dev *pdev,
9226 - dev->ethtool_ops = &ne2k_pci_ethtool_ops;
9227 - NS8390_init(dev, 0);
9228 -
9229 -+ memcpy(dev->dev_addr, SA_prom, 6);
9230 -+ memcpy(dev->perm_addr, dev->dev_addr, dev->addr_len);
9231 -+
9232 - i = register_netdev(dev);
9233 - if (i)
9234 - goto err_out_free_netdev;
9235 -
9236 -- for(i = 0; i < 6; i++)
9237 -- dev->dev_addr[i] = SA_prom[i];
9238 - printk("%s: %s found at %#lx, IRQ %d, %pM.\n",
9239 - dev->name, pci_clone_list[chip_idx].name, ioaddr, dev->irq,
9240 - dev->dev_addr);
9241 -
9242 -- memcpy(dev->perm_addr, dev->dev_addr, dev->addr_len);
9243 --
9244 - return 0;
9245 -
9246 - err_out_free_netdev:
9247 -diff --git a/drivers/serial/mpc52xx_uart.c b/drivers/serial/mpc52xx_uart.c
9248 -index 0c3a2ab..28d2c8d 100644
9249 ---- a/drivers/serial/mpc52xx_uart.c
9250 -+++ b/drivers/serial/mpc52xx_uart.c
9251 -@@ -522,7 +522,7 @@ mpc52xx_uart_startup(struct uart_port *port)
9252 -
9253 - /* Request IRQ */
9254 - ret = request_irq(port->irq, mpc52xx_uart_int,
9255 -- IRQF_DISABLED | IRQF_SAMPLE_RANDOM | IRQF_SHARED,
9256 -+ IRQF_DISABLED | IRQF_SAMPLE_RANDOM,
9257 - "mpc52xx_psc_uart", port);
9258 - if (ret)
9259 - return ret;
9260 -diff --git a/drivers/usb/gadget/usbstring.c b/drivers/usb/gadget/usbstring.c
9261 -index 4154be3..58c4d37 100644
9262 ---- a/drivers/usb/gadget/usbstring.c
9263 -+++ b/drivers/usb/gadget/usbstring.c
9264 -@@ -38,7 +38,7 @@ static int utf8_to_utf16le(const char *s, __le16 *cp, unsigned len)
9265 - uchar = (c & 0x1f) << 6;
9266 -
9267 - c = (u8) *s++;
9268 -- if ((c & 0xc0) != 0xc0)
9269 -+ if ((c & 0xc0) != 0x80)
9270 - goto fail;
9271 - c &= 0x3f;
9272 - uchar |= c;
9273 -@@ -49,13 +49,13 @@ static int utf8_to_utf16le(const char *s, __le16 *cp, unsigned len)
9274 - uchar = (c & 0x0f) << 12;
9275 -
9276 - c = (u8) *s++;
9277 -- if ((c & 0xc0) != 0xc0)
9278 -+ if ((c & 0xc0) != 0x80)
9279 - goto fail;
9280 - c &= 0x3f;
9281 - uchar |= c << 6;
9282 -
9283 - c = (u8) *s++;
9284 -- if ((c & 0xc0) != 0xc0)
9285 -+ if ((c & 0xc0) != 0x80)
9286 - goto fail;
9287 - c &= 0x3f;
9288 - uchar |= c;
9289 -diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
9290 -index bb3143e..5daa517 100644
9291 ---- a/drivers/usb/serial/ftdi_sio.c
9292 -+++ b/drivers/usb/serial/ftdi_sio.c
9293 -@@ -56,6 +56,7 @@ static __u16 vendor = FTDI_VID;
9294 - static __u16 product;
9295 -
9296 - struct ftdi_private {
9297 -+ struct kref kref;
9298 - ftdi_chip_type_t chip_type;
9299 - /* type of device, either SIO or FT8U232AM */
9300 - int baud_base; /* baud base clock for divisor setting */
9301 -@@ -1352,6 +1353,7 @@ static int ftdi_sio_port_probe(struct usb_serial_port *port)
9302 - return -ENOMEM;
9303 - }
9304 -
9305 -+ kref_init(&priv->kref);
9306 - spin_lock_init(&priv->rx_lock);
9307 - spin_lock_init(&priv->tx_lock);
9308 - init_waitqueue_head(&priv->delta_msr_wait);
9309 -@@ -1468,6 +1470,13 @@ static void ftdi_shutdown(struct usb_serial *serial)
9310 - dbg("%s", __func__);
9311 - }
9312 -
9313 -+static void ftdi_sio_priv_release(struct kref *k)
9314 -+{
9315 -+ struct ftdi_private *priv = container_of(k, struct ftdi_private, kref);
9316 -+
9317 -+ kfree(priv);
9318 -+}
9319 -+
9320 - static int ftdi_sio_port_remove(struct usb_serial_port *port)
9321 - {
9322 - struct ftdi_private *priv = usb_get_serial_port_data(port);
9323 -@@ -1482,7 +1491,7 @@ static int ftdi_sio_port_remove(struct usb_serial_port *port)
9324 -
9325 - if (priv) {
9326 - usb_set_serial_port_data(port, NULL);
9327 -- kfree(priv);
9328 -+ kref_put(&priv->kref, ftdi_sio_priv_release);
9329 - }
9330 -
9331 - return 0;
9332 -@@ -1547,7 +1556,8 @@ static int ftdi_open(struct tty_struct *tty,
9333 - dev_err(&port->dev,
9334 - "%s - failed submitting read urb, error %d\n",
9335 - __func__, result);
9336 --
9337 -+ else
9338 -+ kref_get(&priv->kref);
9339 -
9340 - return result;
9341 - } /* ftdi_open */
9342 -@@ -1589,11 +1599,11 @@ static void ftdi_close(struct tty_struct *tty,
9343 - mutex_unlock(&port->serial->disc_mutex);
9344 -
9345 - /* cancel any scheduled reading */
9346 -- cancel_delayed_work(&priv->rx_work);
9347 -- flush_scheduled_work();
9348 -+ cancel_delayed_work_sync(&priv->rx_work);
9349 -
9350 - /* shutdown our bulk read */
9351 - usb_kill_urb(port->read_urb);
9352 -+ kref_put(&priv->kref, ftdi_sio_priv_release);
9353 - } /* ftdi_close */
9354 -
9355 -
9356 -diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c
9357 -index 0820265..0a7a667 100644
9358 ---- a/drivers/video/fb_defio.c
9359 -+++ b/drivers/video/fb_defio.c
9360 -@@ -85,8 +85,9 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_fsync);
9361 -
9362 - /* vm_ops->page_mkwrite handler */
9363 - static int fb_deferred_io_mkwrite(struct vm_area_struct *vma,
9364 -- struct page *page)
9365 -+ struct vm_fault *vmf)
9366 - {
9367 -+ struct page *page = vmf->page;
9368 - struct fb_info *info = vma->vm_private_data;
9369 - struct fb_deferred_io *fbdefio = info->fbdefio;
9370 - struct page *cur;
9371 -diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
9372 -index 5e1d4e3..7dd1b6d 100644
9373 ---- a/fs/btrfs/ctree.h
9374 -+++ b/fs/btrfs/ctree.h
9375 -@@ -2060,7 +2060,7 @@ int btrfs_merge_bio_hook(struct page *page, unsigned long offset,
9376 - unsigned long btrfs_force_ra(struct address_space *mapping,
9377 - struct file_ra_state *ra, struct file *file,
9378 - pgoff_t offset, pgoff_t last_index);
9379 --int btrfs_page_mkwrite(struct vm_area_struct *vma, struct page *page);
9380 -+int btrfs_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf);
9381 - int btrfs_readpage(struct file *file, struct page *page);
9382 - void btrfs_delete_inode(struct inode *inode);
9383 - void btrfs_put_inode(struct inode *inode);
9384 -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
9385 -index 7d4f948..17e608c 100644
9386 ---- a/fs/btrfs/inode.c
9387 -+++ b/fs/btrfs/inode.c
9388 -@@ -4292,8 +4292,9 @@ static void btrfs_invalidatepage(struct page *page, unsigned long offset)
9389 - * beyond EOF, then the page is guaranteed safe against truncation until we
9390 - * unlock the page.
9391 - */
9392 --int btrfs_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9393 -+int btrfs_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
9394 - {
9395 -+ struct page *page = vmf->page;
9396 - struct inode *inode = fdentry(vma->vm_file)->d_inode;
9397 - struct btrfs_root *root = BTRFS_I(inode)->root;
9398 - struct extent_io_tree *io_tree = &BTRFS_I(inode)->io_tree;
9399 -@@ -4306,10 +4307,15 @@ int btrfs_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9400 - u64 page_end;
9401 -
9402 - ret = btrfs_check_data_free_space(root, inode, PAGE_CACHE_SIZE);
9403 -- if (ret)
9404 -+ if (ret) {
9405 -+ if (ret == -ENOMEM)
9406 -+ ret = VM_FAULT_OOM;
9407 -+ else /* -ENOSPC, -EIO, etc */
9408 -+ ret = VM_FAULT_SIGBUS;
9409 - goto out;
9410 -+ }
9411 -
9412 -- ret = -EINVAL;
9413 -+ ret = VM_FAULT_NOPAGE; /* make the VM retry the fault */
9414 - again:
9415 - lock_page(page);
9416 - size = i_size_read(inode);
9417 -diff --git a/fs/buffer.c b/fs/buffer.c
9418 -index 891e1c7..4eb8992 100644
9419 ---- a/fs/buffer.c
9420 -+++ b/fs/buffer.c
9421 -@@ -2465,20 +2465,22 @@ int block_commit_write(struct page *page, unsigned from, unsigned to)
9422 - * unlock the page.
9423 - */
9424 - int
9425 --block_page_mkwrite(struct vm_area_struct *vma, struct page *page,
9426 -+block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
9427 - get_block_t get_block)
9428 - {
9429 -+ struct page *page = vmf->page;
9430 - struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
9431 - unsigned long end;
9432 - loff_t size;
9433 -- int ret = -EINVAL;
9434 -+ int ret = VM_FAULT_NOPAGE; /* make the VM retry the fault */
9435 -
9436 - lock_page(page);
9437 - size = i_size_read(inode);
9438 - if ((page->mapping != inode->i_mapping) ||
9439 - (page_offset(page) > size)) {
9440 - /* page got truncated out from underneath us */
9441 -- goto out_unlock;
9442 -+ unlock_page(page);
9443 -+ goto out;
9444 - }
9445 -
9446 - /* page is wholly or partially inside EOF */
9447 -@@ -2491,8 +2493,16 @@ block_page_mkwrite(struct vm_area_struct *vma, struct page *page,
9448 - if (!ret)
9449 - ret = block_commit_write(page, 0, end);
9450 -
9451 --out_unlock:
9452 -- unlock_page(page);
9453 -+ if (unlikely(ret)) {
9454 -+ unlock_page(page);
9455 -+ if (ret == -ENOMEM)
9456 -+ ret = VM_FAULT_OOM;
9457 -+ else /* -ENOSPC, -EIO, etc */
9458 -+ ret = VM_FAULT_SIGBUS;
9459 -+ } else
9460 -+ ret = VM_FAULT_LOCKED;
9461 -+
9462 -+out:
9463 - return ret;
9464 - }
9465 -
9466 -diff --git a/fs/cifs/cifs_unicode.h b/fs/cifs/cifs_unicode.h
9467 -index 14eb9a2..604ce8a 100644
9468 ---- a/fs/cifs/cifs_unicode.h
9469 -+++ b/fs/cifs/cifs_unicode.h
9470 -@@ -64,6 +64,13 @@ int cifs_strtoUCS(__le16 *, const char *, int, const struct nls_table *);
9471 - #endif
9472 -
9473 - /*
9474 -+ * To be safe - for UCS to UTF-8 with strings loaded with the rare long
9475 -+ * characters alloc more to account for such multibyte target UTF-8
9476 -+ * characters.
9477 -+ */
9478 -+#define UNICODE_NAME_MAX ((4 * NAME_MAX) + 2)
9479 -+
9480 -+/*
9481 - * UniStrcat: Concatenate the second string to the first
9482 - *
9483 - * Returns:
9484 -diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
9485 -index 71ae000..4fbb6b5 100644
9486 ---- a/fs/cifs/cifssmb.c
9487 -+++ b/fs/cifs/cifssmb.c
9488 -@@ -91,23 +91,22 @@ static int
9489 - cifs_strncpy_to_host(char **dst, const char *src, const int maxlen,
9490 - const bool is_unicode, const struct nls_table *nls_codepage)
9491 - {
9492 -- int plen;
9493 -+ int src_len, dst_len;
9494 -
9495 - if (is_unicode) {
9496 -- plen = UniStrnlen((wchar_t *)src, maxlen);
9497 -- *dst = kmalloc(plen + 2, GFP_KERNEL);
9498 -+ src_len = UniStrnlen((wchar_t *)src, maxlen);
9499 -+ *dst = kmalloc((4 * src_len) + 2, GFP_KERNEL);
9500 - if (!*dst)
9501 - goto cifs_strncpy_to_host_ErrExit;
9502 -- cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
9503 -+ dst_len = cifs_strfromUCS_le(*dst, (__le16 *)src, src_len, nls_codepage);
9504 -+ (*dst)[dst_len + 1] = 0;
9505 - } else {
9506 -- plen = strnlen(src, maxlen);
9507 -- *dst = kmalloc(plen + 2, GFP_KERNEL);
9508 -+ src_len = strnlen(src, maxlen);
9509 -+ *dst = kmalloc(src_len + 1, GFP_KERNEL);
9510 - if (!*dst)
9511 - goto cifs_strncpy_to_host_ErrExit;
9512 -- strncpy(*dst, src, plen);
9513 -+ strlcpy(*dst, src, src_len + 1);
9514 - }
9515 -- (*dst)[plen] = 0;
9516 -- (*dst)[plen+1] = 0; /* harmless for ASCII case, needed for Unicode */
9517 - return 0;
9518 -
9519 - cifs_strncpy_to_host_ErrExit:
9520 -diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
9521 -index 4b64f39..0344b26 100644
9522 ---- a/fs/cifs/connect.c
9523 -+++ b/fs/cifs/connect.c
9524 -@@ -3667,16 +3667,12 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
9525 - BCC(smb_buffer_response)) {
9526 - kfree(tcon->nativeFileSystem);
9527 - tcon->nativeFileSystem =
9528 -- kzalloc(2*(length + 1), GFP_KERNEL);
9529 -+ kzalloc((4 * length) + 2, GFP_KERNEL);
9530 - if (tcon->nativeFileSystem)
9531 - cifs_strfromUCS_le(
9532 - tcon->nativeFileSystem,
9533 - (__le16 *) bcc_ptr,
9534 - length, nls_codepage);
9535 -- bcc_ptr += 2 * length;
9536 -- bcc_ptr[0] = 0; /* null terminate the string */
9537 -- bcc_ptr[1] = 0;
9538 -- bcc_ptr += 2;
9539 - }
9540 - /* else do not bother copying these information fields*/
9541 - } else {
9542 -diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
9543 -index 4c89c57..b2990b1 100644
9544 ---- a/fs/cifs/misc.c
9545 -+++ b/fs/cifs/misc.c
9546 -@@ -691,14 +691,15 @@ cifs_convertUCSpath(char *target, const __le16 *source, int maxlen,
9547 - NLS_MAX_CHARSET_SIZE);
9548 - if (len > 0) {
9549 - j += len;
9550 -- continue;
9551 -+ goto overrun_chk;
9552 - } else {
9553 - target[j] = '?';
9554 - }
9555 - }
9556 - j++;
9557 - /* make sure we do not overrun callers allocated temp buffer */
9558 -- if (j >= (2 * NAME_MAX))
9559 -+overrun_chk:
9560 -+ if (j >= UNICODE_NAME_MAX)
9561 - break;
9562 - }
9563 - cUCS_out:
9564 -diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
9565 -index c2c01ff..0bdd5a6 100644
9566 ---- a/fs/cifs/readdir.c
9567 -+++ b/fs/cifs/readdir.c
9568 -@@ -1072,7 +1072,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
9569 - with the rare long characters alloc more to account for
9570 - such multibyte target UTF-8 characters. cifs_unicode.c,
9571 - which actually does the conversion, has the same limit */
9572 -- tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
9573 -+ tmp_buf = kmalloc(UNICODE_NAME_MAX, GFP_KERNEL);
9574 - for (i = 0; (i < num_to_fill) && (rc == 0); i++) {
9575 - if (current_entry == NULL) {
9576 - /* evaluate whether this case is an error */
9577 -diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
9578 -index 5c68b42..23e8f99 100644
9579 ---- a/fs/cifs/sess.c
9580 -+++ b/fs/cifs/sess.c
9581 -@@ -111,7 +111,7 @@ static __le16 get_next_vcnum(struct cifsSesInfo *ses)
9582 - get_vc_num_exit:
9583 - write_unlock(&cifs_tcp_ses_lock);
9584 -
9585 -- return le16_to_cpu(vcnum);
9586 -+ return cpu_to_le16(vcnum);
9587 - }
9588 -
9589 - static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
9590 -@@ -285,27 +285,26 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
9591 - int words_left, len;
9592 - char *data = *pbcc_area;
9593 -
9594 --
9595 --
9596 - cFYI(1, ("bleft %d", bleft));
9597 -
9598 --
9599 -- /* SMB header is unaligned, so cifs servers word align start of
9600 -- Unicode strings */
9601 -- data++;
9602 -- bleft--; /* Windows servers do not always double null terminate
9603 -- their final Unicode string - in which case we
9604 -- now will not attempt to decode the byte of junk
9605 -- which follows it */
9606 -+ /*
9607 -+ * Windows servers do not always double null terminate their final
9608 -+ * Unicode string. Check to see if there are an uneven number of bytes
9609 -+ * left. If so, then add an extra NULL pad byte to the end of the
9610 -+ * response.
9611 -+ *
9612 -+ * See section 2.7.2 in "Implementing CIFS" for details
9613 -+ */
9614 -+ if (bleft % 2) {
9615 -+ data[bleft] = 0;
9616 -+ ++bleft;
9617 -+ }
9618 -
9619 - words_left = bleft / 2;
9620 -
9621 - /* save off server operating system */
9622 - len = UniStrnlen((wchar_t *) data, words_left);
9623 -
9624 --/* We look for obvious messed up bcc or strings in response so we do not go off
9625 -- the end since (at least) WIN2K and Windows XP have a major bug in not null
9626 -- terminating last Unicode string in response */
9627 - if (len >= words_left)
9628 - return rc;
9629 -
9630 -@@ -343,13 +342,10 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
9631 - return rc;
9632 -
9633 - kfree(ses->serverDomain);
9634 -- ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
9635 -- if (ses->serverDomain != NULL) {
9636 -+ ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
9637 -+ if (ses->serverDomain != NULL)
9638 - cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
9639 - nls_cp);
9640 -- ses->serverDomain[2*len] = 0;
9641 -- ses->serverDomain[(2*len) + 1] = 0;
9642 -- }
9643 - data += 2 * (len + 1);
9644 - words_left -= len + 1;
9645 -
9646 -@@ -702,12 +698,18 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
9647 - }
9648 -
9649 - /* BB check if Unicode and decode strings */
9650 -- if (smb_buf->Flags2 & SMBFLG2_UNICODE)
9651 -+ if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
9652 -+ /* unicode string area must be word-aligned */
9653 -+ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
9654 -+ ++bcc_ptr;
9655 -+ --bytes_remaining;
9656 -+ }
9657 - rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
9658 -- ses, nls_cp);
9659 -- else
9660 -+ ses, nls_cp);
9661 -+ } else {
9662 - rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
9663 - ses, nls_cp);
9664 -+ }
9665 -
9666 - ssetup_exit:
9667 - if (spnego_key) {
9668 -diff --git a/fs/eventpoll.c b/fs/eventpoll.c
9669 -index 011b9b8..e323e47 100644
9670 ---- a/fs/eventpoll.c
9671 -+++ b/fs/eventpoll.c
9672 -@@ -1136,7 +1136,7 @@ error_return:
9673 -
9674 - SYSCALL_DEFINE1(epoll_create, int, size)
9675 - {
9676 -- if (size < 0)
9677 -+ if (size <= 0)
9678 - return -EINVAL;
9679 -
9680 - return sys_epoll_create1(0);
9681 -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
9682 -index b0c87dc..90909f9 100644
9683 ---- a/fs/ext4/ext4.h
9684 -+++ b/fs/ext4/ext4.h
9685 -@@ -1097,7 +1097,7 @@ extern int ext4_meta_trans_blocks(struct inode *, int nrblocks, int idxblocks);
9686 - extern int ext4_chunk_trans_blocks(struct inode *, int nrblocks);
9687 - extern int ext4_block_truncate_page(handle_t *handle,
9688 - struct address_space *mapping, loff_t from);
9689 --extern int ext4_page_mkwrite(struct vm_area_struct *vma, struct page *page);
9690 -+extern int ext4_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf);
9691 -
9692 - /* ioctl.c */
9693 - extern long ext4_ioctl(struct file *, unsigned int, unsigned long);
9694 -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
9695 -index c7fed5b..2c0439d 100644
9696 ---- a/fs/ext4/inode.c
9697 -+++ b/fs/ext4/inode.c
9698 -@@ -5116,8 +5116,9 @@ static int ext4_bh_unmapped(handle_t *handle, struct buffer_head *bh)
9699 - return !buffer_mapped(bh);
9700 - }
9701 -
9702 --int ext4_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9703 -+int ext4_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
9704 - {
9705 -+ struct page *page = vmf->page;
9706 - loff_t size;
9707 - unsigned long len;
9708 - int ret = -EINVAL;
9709 -@@ -5169,6 +5170,8 @@ int ext4_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9710 - goto out_unlock;
9711 - ret = 0;
9712 - out_unlock:
9713 -+ if (ret)
9714 -+ ret = VM_FAULT_SIGBUS;
9715 - up_read(&inode->i_alloc_sem);
9716 - return ret;
9717 - }
9718 -diff --git a/fs/fcntl.c b/fs/fcntl.c
9719 -index bd215cc..fc2aaa6 100644
9720 ---- a/fs/fcntl.c
9721 -+++ b/fs/fcntl.c
9722 -@@ -117,11 +117,13 @@ SYSCALL_DEFINE2(dup2, unsigned int, oldfd, unsigned int, newfd)
9723 - {
9724 - if (unlikely(newfd == oldfd)) { /* corner case */
9725 - struct files_struct *files = current->files;
9726 -+ int retval = oldfd;
9727 -+
9728 - rcu_read_lock();
9729 - if (!fcheck_files(files, oldfd))
9730 -- oldfd = -EBADF;
9731 -+ retval = -EBADF;
9732 - rcu_read_unlock();
9733 -- return oldfd;
9734 -+ return retval;
9735 - }
9736 - return sys_dup3(oldfd, newfd, 0);
9737 - }
9738 -diff --git a/fs/fuse/file.c b/fs/fuse/file.c
9739 -index 821d10f..4e340fe 100644
9740 ---- a/fs/fuse/file.c
9741 -+++ b/fs/fuse/file.c
9742 -@@ -1234,8 +1234,9 @@ static void fuse_vma_close(struct vm_area_struct *vma)
9743 - * - sync(2)
9744 - * - try_to_free_pages() with order > PAGE_ALLOC_COSTLY_ORDER
9745 - */
9746 --static int fuse_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9747 -+static int fuse_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
9748 - {
9749 -+ struct page *page = vmf->page;
9750 - /*
9751 - * Don't use page->mapping as it may become NULL from a
9752 - * concurrent truncate.
9753 -diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
9754 -index 459b73d..75ca5ac 100644
9755 ---- a/fs/fuse/inode.c
9756 -+++ b/fs/fuse/inode.c
9757 -@@ -908,6 +908,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
9758 - err_put_root:
9759 - dput(root_dentry);
9760 - err_put_conn:
9761 -+ bdi_destroy(&fc->bdi);
9762 - fuse_conn_put(fc);
9763 - err_fput:
9764 - fput(file);
9765 -diff --git a/fs/gfs2/ops_file.c b/fs/gfs2/ops_file.c
9766 -index 93fe41b..0093a33 100644
9767 ---- a/fs/gfs2/ops_file.c
9768 -+++ b/fs/gfs2/ops_file.c
9769 -@@ -336,8 +336,9 @@ static int gfs2_allocate_page_backing(struct page *page)
9770 - * blocks allocated on disk to back that page.
9771 - */
9772 -
9773 --static int gfs2_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9774 -+static int gfs2_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
9775 - {
9776 -+ struct page *page = vmf->page;
9777 - struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
9778 - struct gfs2_inode *ip = GFS2_I(inode);
9779 - struct gfs2_sbd *sdp = GFS2_SB(inode);
9780 -@@ -409,6 +410,10 @@ out_unlock:
9781 - gfs2_glock_dq(&gh);
9782 - out:
9783 - gfs2_holder_uninit(&gh);
9784 -+ if (ret == -ENOMEM)
9785 -+ ret = VM_FAULT_OOM;
9786 -+ else if (ret)
9787 -+ ret = VM_FAULT_SIGBUS;
9788 - return ret;
9789 - }
9790 -
9791 -diff --git a/fs/ioctl.c b/fs/ioctl.c
9792 -index 240ec63..344d9f3 100644
9793 ---- a/fs/ioctl.c
9794 -+++ b/fs/ioctl.c
9795 -@@ -258,7 +258,7 @@ int __generic_block_fiemap(struct inode *inode,
9796 - long long length = 0, map_len = 0;
9797 - u64 logical = 0, phys = 0, size = 0;
9798 - u32 flags = FIEMAP_EXTENT_MERGED;
9799 -- int ret = 0;
9800 -+ int ret = 0, past_eof = 0, whole_file = 0;
9801 -
9802 - if ((ret = fiemap_check_flags(fieinfo, FIEMAP_FLAG_SYNC)))
9803 - return ret;
9804 -@@ -266,6 +266,9 @@ int __generic_block_fiemap(struct inode *inode,
9805 - start_blk = logical_to_blk(inode, start);
9806 -
9807 - length = (long long)min_t(u64, len, i_size_read(inode));
9808 -+ if (length < len)
9809 -+ whole_file = 1;
9810 -+
9811 - map_len = length;
9812 -
9813 - do {
9814 -@@ -282,11 +285,26 @@ int __generic_block_fiemap(struct inode *inode,
9815 -
9816 - /* HOLE */
9817 - if (!buffer_mapped(&tmp)) {
9818 -+ length -= blk_to_logical(inode, 1);
9819 -+ start_blk++;
9820 -+
9821 -+ /*
9822 -+ * we want to handle the case where there is an
9823 -+ * allocated block at the front of the file, and then
9824 -+ * nothing but holes up to the end of the file properly,
9825 -+ * to make sure that extent at the front gets properly
9826 -+ * marked with FIEMAP_EXTENT_LAST
9827 -+ */
9828 -+ if (!past_eof &&
9829 -+ blk_to_logical(inode, start_blk) >=
9830 -+ blk_to_logical(inode, 0)+i_size_read(inode))
9831 -+ past_eof = 1;
9832 -+
9833 - /*
9834 - * first hole after going past the EOF, this is our
9835 - * last extent
9836 - */
9837 -- if (length <= 0) {
9838 -+ if (past_eof && size) {
9839 - flags = FIEMAP_EXTENT_MERGED|FIEMAP_EXTENT_LAST;
9840 - ret = fiemap_fill_next_extent(fieinfo, logical,
9841 - phys, size,
9842 -@@ -294,15 +312,37 @@ int __generic_block_fiemap(struct inode *inode,
9843 - break;
9844 - }
9845 -
9846 -- length -= blk_to_logical(inode, 1);
9847 --
9848 - /* if we have holes up to/past EOF then we're done */
9849 -- if (length <= 0)
9850 -+ if (length <= 0 || past_eof)
9851 - break;
9852 --
9853 -- start_blk++;
9854 - } else {
9855 -- if (length <= 0 && size) {
9856 -+ /*
9857 -+ * we have gone over the length of what we wanted to
9858 -+ * map, and it wasn't the entire file, so add the extent
9859 -+ * we got last time and exit.
9860 -+ *
9861 -+ * This is for the case where say we want to map all the
9862 -+ * way up to the second to the last block in a file, but
9863 -+ * the last block is a hole, making the second to last
9864 -+ * block FIEMAP_EXTENT_LAST. In this case we want to
9865 -+ * see if there is a hole after the second to last block
9866 -+ * so we can mark it properly. If we found data after
9867 -+ * we exceeded the length we were requesting, then we
9868 -+ * are good to go, just add the extent to the fieinfo
9869 -+ * and break
9870 -+ */
9871 -+ if (length <= 0 && !whole_file) {
9872 -+ ret = fiemap_fill_next_extent(fieinfo, logical,
9873 -+ phys, size,
9874 -+ flags);
9875 -+ break;
9876 -+ }
9877 -+
9878 -+ /*
9879 -+ * if size != 0 then we know we already have an extent
9880 -+ * to add, so add it.
9881 -+ */
9882 -+ if (size) {
9883 - ret = fiemap_fill_next_extent(fieinfo, logical,
9884 - phys, size,
9885 - flags);
9886 -@@ -319,19 +359,14 @@ int __generic_block_fiemap(struct inode *inode,
9887 - start_blk += logical_to_blk(inode, size);
9888 -
9889 - /*
9890 -- * if we are past the EOF we need to loop again to see
9891 -- * if there is a hole so we can mark this extent as the
9892 -- * last one, and if not keep mapping things until we
9893 -- * find a hole, or we run out of slots in the extent
9894 -- * array
9895 -+ * If we are past the EOF, then we need to make sure as
9896 -+ * soon as we find a hole that the last extent we found
9897 -+ * is marked with FIEMAP_EXTENT_LAST
9898 - */
9899 -- if (length <= 0)
9900 -- continue;
9901 --
9902 -- ret = fiemap_fill_next_extent(fieinfo, logical, phys,
9903 -- size, flags);
9904 -- if (ret)
9905 -- break;
9906 -+ if (!past_eof &&
9907 -+ logical+size >=
9908 -+ blk_to_logical(inode, 0)+i_size_read(inode))
9909 -+ past_eof = 1;
9910 - }
9911 - cond_resched();
9912 - } while (1);
9913 -diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
9914 -index 64f1c31..38af057 100644
9915 ---- a/fs/lockd/svc.c
9916 -+++ b/fs/lockd/svc.c
9917 -@@ -115,6 +115,16 @@ static void set_grace_period(void)
9918 - schedule_delayed_work(&grace_period_end, grace_period);
9919 - }
9920 -
9921 -+static void restart_grace(void)
9922 -+{
9923 -+ if (nlmsvc_ops) {
9924 -+ cancel_delayed_work_sync(&grace_period_end);
9925 -+ locks_end_grace(&lockd_manager);
9926 -+ nlmsvc_invalidate_all();
9927 -+ set_grace_period();
9928 -+ }
9929 -+}
9930 -+
9931 - /*
9932 - * This is the lockd kernel thread
9933 - */
9934 -@@ -160,10 +170,7 @@ lockd(void *vrqstp)
9935 -
9936 - if (signalled()) {
9937 - flush_signals(current);
9938 -- if (nlmsvc_ops) {
9939 -- nlmsvc_invalidate_all();
9940 -- set_grace_period();
9941 -- }
9942 -+ restart_grace();
9943 - continue;
9944 - }
9945 -
9946 -diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
9947 -index 672368f..3b2f697 100644
9948 ---- a/fs/nfs/dir.c
9949 -+++ b/fs/nfs/dir.c
9950 -@@ -1624,8 +1624,7 @@ static int nfs_rename(struct inode *old_dir, struct dentry *old_dentry,
9951 - } else if (atomic_read(&new_dentry->d_count) > 1)
9952 - /* dentry still busy? */
9953 - goto out;
9954 -- } else
9955 -- nfs_drop_nlink(new_inode);
9956 -+ }
9957 -
9958 - go_ahead:
9959 - /*
9960 -@@ -1638,10 +1637,8 @@ go_ahead:
9961 - }
9962 - nfs_inode_return_delegation(old_inode);
9963 -
9964 -- if (new_inode != NULL) {
9965 -+ if (new_inode != NULL)
9966 - nfs_inode_return_delegation(new_inode);
9967 -- d_delete(new_dentry);
9968 -- }
9969 -
9970 - error = NFS_PROTO(old_dir)->rename(old_dir, &old_dentry->d_name,
9971 - new_dir, &new_dentry->d_name);
9972 -@@ -1650,6 +1647,8 @@ out:
9973 - if (rehash)
9974 - d_rehash(rehash);
9975 - if (!error) {
9976 -+ if (new_inode != NULL)
9977 -+ nfs_drop_nlink(new_inode);
9978 - d_move(old_dentry, new_dentry);
9979 - nfs_set_verifier(new_dentry,
9980 - nfs_save_change_attribute(new_dir));
9981 -diff --git a/fs/nfs/file.c b/fs/nfs/file.c
9982 -index 90f292b..523e7e0 100644
9983 ---- a/fs/nfs/file.c
9984 -+++ b/fs/nfs/file.c
9985 -@@ -451,8 +451,9 @@ const struct address_space_operations nfs_file_aops = {
9986 - .launder_page = nfs_launder_page,
9987 - };
9988 -
9989 --static int nfs_vm_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9990 -+static int nfs_vm_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
9991 - {
9992 -+ struct page *page = vmf->page;
9993 - struct file *filp = vma->vm_file;
9994 - struct dentry *dentry = filp->f_path.dentry;
9995 - unsigned pagelen;
9996 -@@ -479,11 +480,11 @@ static int nfs_vm_page_mkwrite(struct vm_area_struct *vma, struct page *page)
9997 - goto out_unlock;
9998 -
9999 - ret = nfs_updatepage(filp, page, 0, pagelen);
10000 -- if (ret == 0)
10001 -- ret = pagelen;
10002 - out_unlock:
10003 -+ if (!ret)
10004 -+ return VM_FAULT_LOCKED;
10005 - unlock_page(page);
10006 -- return ret;
10007 -+ return VM_FAULT_SIGBUS;
10008 - }
10009 -
10010 - static struct vm_operations_struct nfs_file_vm_ops = {
10011 -diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
10012 -index 9250067..4c5fb99 100644
10013 ---- a/fs/nfsd/nfs4xdr.c
10014 -+++ b/fs/nfsd/nfs4xdr.c
10015 -@@ -1843,6 +1843,15 @@ nfsd4_encode_dirent_fattr(struct nfsd4_readdir *cd,
10016 - dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen);
10017 - if (IS_ERR(dentry))
10018 - return nfserrno(PTR_ERR(dentry));
10019 -+ if (!dentry->d_inode) {
10020 -+ /*
10021 -+ * nfsd_buffered_readdir drops the i_mutex between
10022 -+ * readdir and calling this callback, leaving a window
10023 -+ * where this directory entry could have gone away.
10024 -+ */
10025 -+ dput(dentry);
10026 -+ return nfserr_noent;
10027 -+ }
10028 -
10029 - exp_get(exp);
10030 - /*
10031 -@@ -1905,6 +1914,7 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
10032 - struct nfsd4_readdir *cd = container_of(ccd, struct nfsd4_readdir, common);
10033 - int buflen;
10034 - __be32 *p = cd->buffer;
10035 -+ __be32 *cookiep;
10036 - __be32 nfserr = nfserr_toosmall;
10037 -
10038 - /* In nfsv4, "." and ".." never make it onto the wire.. */
10039 -@@ -1921,7 +1931,7 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
10040 - goto fail;
10041 -
10042 - *p++ = xdr_one; /* mark entry present */
10043 -- cd->offset = p; /* remember pointer */
10044 -+ cookiep = p;
10045 - p = xdr_encode_hyper(p, NFS_OFFSET_MAX); /* offset of next entry */
10046 - p = xdr_encode_array(p, name, namlen); /* name length & name */
10047 -
10048 -@@ -1935,6 +1945,8 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
10049 - goto fail;
10050 - case nfserr_dropit:
10051 - goto fail;
10052 -+ case nfserr_noent:
10053 -+ goto skip_entry;
10054 - default:
10055 - /*
10056 - * If the client requested the RDATTR_ERROR attribute,
10057 -@@ -1953,6 +1965,8 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
10058 - }
10059 - cd->buflen -= (p - cd->buffer);
10060 - cd->buffer = p;
10061 -+ cd->offset = cookiep;
10062 -+skip_entry:
10063 - cd->common.err = nfs_ok;
10064 - return 0;
10065 - fail:
10066 -diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
10067 -index 8672b95..c2a87c8 100644
10068 ---- a/fs/ocfs2/file.c
10069 -+++ b/fs/ocfs2/file.c
10070 -@@ -1912,6 +1912,22 @@ out_sems:
10071 - return written ? written : ret;
10072 - }
10073 -
10074 -+static int ocfs2_splice_to_file(struct pipe_inode_info *pipe,
10075 -+ struct file *out,
10076 -+ struct splice_desc *sd)
10077 -+{
10078 -+ int ret;
10079 -+
10080 -+ ret = ocfs2_prepare_inode_for_write(out->f_path.dentry, &sd->pos,
10081 -+ sd->total_len, 0, NULL);
10082 -+ if (ret < 0) {
10083 -+ mlog_errno(ret);
10084 -+ return ret;
10085 -+ }
10086 -+
10087 -+ return splice_from_pipe_feed(pipe, sd, pipe_to_file);
10088 -+}
10089 -+
10090 - static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
10091 - struct file *out,
10092 - loff_t *ppos,
10093 -@@ -1919,38 +1935,76 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
10094 - unsigned int flags)
10095 - {
10096 - int ret;
10097 -- struct inode *inode = out->f_path.dentry->d_inode;
10098 -+ struct address_space *mapping = out->f_mapping;
10099 -+ struct inode *inode = mapping->host;
10100 -+ struct splice_desc sd = {
10101 -+ .total_len = len,
10102 -+ .flags = flags,
10103 -+ .pos = *ppos,
10104 -+ .u.file = out,
10105 -+ };
10106 -
10107 - mlog_entry("(0x%p, 0x%p, %u, '%.*s')\n", out, pipe,
10108 - (unsigned int)len,
10109 - out->f_path.dentry->d_name.len,
10110 - out->f_path.dentry->d_name.name);
10111 -
10112 -- mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
10113 -+ if (pipe->inode)
10114 -+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
10115 -
10116 -- ret = ocfs2_rw_lock(inode, 1);
10117 -- if (ret < 0) {
10118 -- mlog_errno(ret);
10119 -- goto out;
10120 -- }
10121 -+ splice_from_pipe_begin(&sd);
10122 -+ do {
10123 -+ ret = splice_from_pipe_next(pipe, &sd);
10124 -+ if (ret <= 0)
10125 -+ break;
10126 -
10127 -- ret = ocfs2_prepare_inode_for_write(out->f_path.dentry, ppos, len, 0,
10128 -- NULL);
10129 -- if (ret < 0) {
10130 -- mlog_errno(ret);
10131 -- goto out_unlock;
10132 -- }
10133 -+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_CHILD);
10134 -+ ret = ocfs2_rw_lock(inode, 1);
10135 -+ if (ret < 0)
10136 -+ mlog_errno(ret);
10137 -+ else {
10138 -+ ret = ocfs2_splice_to_file(pipe, out, &sd);
10139 -+ ocfs2_rw_unlock(inode, 1);
10140 -+ }
10141 -+ mutex_unlock(&inode->i_mutex);
10142 -+ } while (ret > 0);
10143 -+ splice_from_pipe_end(pipe, &sd);
10144 -
10145 - if (pipe->inode)
10146 -- mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
10147 -- ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
10148 -- if (pipe->inode)
10149 - mutex_unlock(&pipe->inode->i_mutex);
10150 -
10151 --out_unlock:
10152 -- ocfs2_rw_unlock(inode, 1);
10153 --out:
10154 -- mutex_unlock(&inode->i_mutex);
10155 -+ if (sd.num_spliced)
10156 -+ ret = sd.num_spliced;
10157 -+
10158 -+ if (ret > 0) {
10159 -+ unsigned long nr_pages;
10160 -+
10161 -+ *ppos += ret;
10162 -+ nr_pages = (ret + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
10163 -+
10164 -+ /*
10165 -+ * If file or inode is SYNC and we actually wrote some data,
10166 -+ * sync it.
10167 -+ */
10168 -+ if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) {
10169 -+ int err;
10170 -+
10171 -+ mutex_lock(&inode->i_mutex);
10172 -+ err = ocfs2_rw_lock(inode, 1);
10173 -+ if (err < 0) {
10174 -+ mlog_errno(err);
10175 -+ } else {
10176 -+ err = generic_osync_inode(inode, mapping,
10177 -+ OSYNC_METADATA|OSYNC_DATA);
10178 -+ ocfs2_rw_unlock(inode, 1);
10179 -+ }
10180 -+ mutex_unlock(&inode->i_mutex);
10181 -+
10182 -+ if (err)
10183 -+ ret = err;
10184 -+ }
10185 -+ balance_dirty_pages_ratelimited_nr(mapping, nr_pages);
10186 -+ }
10187 -
10188 - mlog_exit(ret);
10189 - return ret;
10190 -diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
10191 -index eea1d24..b606496 100644
10192 ---- a/fs/ocfs2/mmap.c
10193 -+++ b/fs/ocfs2/mmap.c
10194 -@@ -154,8 +154,9 @@ out:
10195 - return ret;
10196 - }
10197 -
10198 --static int ocfs2_page_mkwrite(struct vm_area_struct *vma, struct page *page)
10199 -+static int ocfs2_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
10200 - {
10201 -+ struct page *page = vmf->page;
10202 - struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
10203 - struct buffer_head *di_bh = NULL;
10204 - sigset_t blocked, oldset;
10205 -@@ -196,7 +197,8 @@ out:
10206 - ret2 = ocfs2_vm_op_unblock_sigs(&oldset);
10207 - if (ret2 < 0)
10208 - mlog_errno(ret2);
10209 --
10210 -+ if (ret)
10211 -+ ret = VM_FAULT_SIGBUS;
10212 - return ret;
10213 - }
10214 -
10215 -diff --git a/fs/splice.c b/fs/splice.c
10216 -index 4c1029a..caa79d2 100644
10217 ---- a/fs/splice.c
10218 -+++ b/fs/splice.c
10219 -@@ -554,8 +554,8 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe,
10220 - * SPLICE_F_MOVE isn't set, or we cannot move the page, we simply create
10221 - * a new page in the output file page cache and fill/dirty that.
10222 - */
10223 --static int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
10224 -- struct splice_desc *sd)
10225 -+int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
10226 -+ struct splice_desc *sd)
10227 - {
10228 - struct file *file = sd->u.file;
10229 - struct address_space *mapping = file->f_mapping;
10230 -@@ -599,108 +599,178 @@ static int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
10231 - out:
10232 - return ret;
10233 - }
10234 -+EXPORT_SYMBOL(pipe_to_file);
10235 -+
10236 -+static void wakeup_pipe_writers(struct pipe_inode_info *pipe)
10237 -+{
10238 -+ smp_mb();
10239 -+ if (waitqueue_active(&pipe->wait))
10240 -+ wake_up_interruptible(&pipe->wait);
10241 -+ kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
10242 -+}
10243 -
10244 - /**
10245 -- * __splice_from_pipe - splice data from a pipe to given actor
10246 -+ * splice_from_pipe_feed - feed available data from a pipe to a file
10247 - * @pipe: pipe to splice from
10248 - * @sd: information to @actor
10249 - * @actor: handler that splices the data
10250 - *
10251 - * Description:
10252 -- * This function does little more than loop over the pipe and call
10253 -- * @actor to do the actual moving of a single struct pipe_buffer to
10254 -- * the desired destination. See pipe_to_file, pipe_to_sendpage, or
10255 -- * pipe_to_user.
10256 -+
10257 -+ * This function loops over the pipe and calls @actor to do the
10258 -+ * actual moving of a single struct pipe_buffer to the desired
10259 -+ * destination. It returns when there's no more buffers left in
10260 -+ * the pipe or if the requested number of bytes (@sd->total_len)
10261 -+ * have been copied. It returns a positive number (one) if the
10262 -+ * pipe needs to be filled with more data, zero if the required
10263 -+ * number of bytes have been copied and -errno on error.
10264 - *
10265 -+ * This, together with splice_from_pipe_{begin,end,next}, may be
10266 -+ * used to implement the functionality of __splice_from_pipe() when
10267 -+ * locking is required around copying the pipe buffers to the
10268 -+ * destination.
10269 - */
10270 --ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
10271 -- splice_actor *actor)
10272 -+int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
10273 -+ splice_actor *actor)
10274 - {
10275 -- int ret, do_wakeup, err;
10276 --
10277 -- ret = 0;
10278 -- do_wakeup = 0;
10279 --
10280 -- for (;;) {
10281 -- if (pipe->nrbufs) {
10282 -- struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
10283 -- const struct pipe_buf_operations *ops = buf->ops;
10284 -+ int ret;
10285 -
10286 -- sd->len = buf->len;
10287 -- if (sd->len > sd->total_len)
10288 -- sd->len = sd->total_len;
10289 -+ while (pipe->nrbufs) {
10290 -+ struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
10291 -+ const struct pipe_buf_operations *ops = buf->ops;
10292 -
10293 -- err = actor(pipe, buf, sd);
10294 -- if (err <= 0) {
10295 -- if (!ret && err != -ENODATA)
10296 -- ret = err;
10297 -+ sd->len = buf->len;
10298 -+ if (sd->len > sd->total_len)
10299 -+ sd->len = sd->total_len;
10300 -
10301 -- break;
10302 -- }
10303 -+ ret = actor(pipe, buf, sd);
10304 -+ if (ret <= 0) {
10305 -+ if (ret == -ENODATA)
10306 -+ ret = 0;
10307 -+ return ret;
10308 -+ }
10309 -+ buf->offset += ret;
10310 -+ buf->len -= ret;
10311 -
10312 -- ret += err;
10313 -- buf->offset += err;
10314 -- buf->len -= err;
10315 -+ sd->num_spliced += ret;
10316 -+ sd->len -= ret;
10317 -+ sd->pos += ret;
10318 -+ sd->total_len -= ret;
10319 -
10320 -- sd->len -= err;
10321 -- sd->pos += err;
10322 -- sd->total_len -= err;
10323 -- if (sd->len)
10324 -- continue;
10325 -+ if (!buf->len) {
10326 -+ buf->ops = NULL;
10327 -+ ops->release(pipe, buf);
10328 -+ pipe->curbuf = (pipe->curbuf + 1) & (PIPE_BUFFERS - 1);
10329 -+ pipe->nrbufs--;
10330 -+ if (pipe->inode)
10331 -+ sd->need_wakeup = true;
10332 -+ }
10333 -
10334 -- if (!buf->len) {
10335 -- buf->ops = NULL;
10336 -- ops->release(pipe, buf);
10337 -- pipe->curbuf = (pipe->curbuf + 1) & (PIPE_BUFFERS - 1);
10338 -- pipe->nrbufs--;
10339 -- if (pipe->inode)
10340 -- do_wakeup = 1;
10341 -- }
10342 -+ if (!sd->total_len)
10343 -+ return 0;
10344 -+ }
10345 -
10346 -- if (!sd->total_len)
10347 -- break;
10348 -- }
10349 -+ return 1;
10350 -+}
10351 -+EXPORT_SYMBOL(splice_from_pipe_feed);
10352 -
10353 -- if (pipe->nrbufs)
10354 -- continue;
10355 -+/**
10356 -+ * splice_from_pipe_next - wait for some data to splice from
10357 -+ * @pipe: pipe to splice from
10358 -+ * @sd: information about the splice operation
10359 -+ *
10360 -+ * Description:
10361 -+ * This function will wait for some data and return a positive
10362 -+ * value (one) if pipe buffers are available. It will return zero
10363 -+ * or -errno if no more data needs to be spliced.
10364 -+ */
10365 -+int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
10366 -+{
10367 -+ while (!pipe->nrbufs) {
10368 - if (!pipe->writers)
10369 -- break;
10370 -- if (!pipe->waiting_writers) {
10371 -- if (ret)
10372 -- break;
10373 -- }
10374 -+ return 0;
10375 -
10376 -- if (sd->flags & SPLICE_F_NONBLOCK) {
10377 -- if (!ret)
10378 -- ret = -EAGAIN;
10379 -- break;
10380 -- }
10381 -+ if (!pipe->waiting_writers && sd->num_spliced)
10382 -+ return 0;
10383 -
10384 -- if (signal_pending(current)) {
10385 -- if (!ret)
10386 -- ret = -ERESTARTSYS;
10387 -- break;
10388 -- }
10389 -+ if (sd->flags & SPLICE_F_NONBLOCK)
10390 -+ return -EAGAIN;
10391 -
10392 -- if (do_wakeup) {
10393 -- smp_mb();
10394 -- if (waitqueue_active(&pipe->wait))
10395 -- wake_up_interruptible_sync(&pipe->wait);
10396 -- kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
10397 -- do_wakeup = 0;
10398 -+ if (signal_pending(current))
10399 -+ return -ERESTARTSYS;
10400 -+
10401 -+ if (sd->need_wakeup) {
10402 -+ wakeup_pipe_writers(pipe);
10403 -+ sd->need_wakeup = false;
10404 - }
10405 -
10406 - pipe_wait(pipe);
10407 - }
10408 -
10409 -- if (do_wakeup) {
10410 -- smp_mb();
10411 -- if (waitqueue_active(&pipe->wait))
10412 -- wake_up_interruptible(&pipe->wait);
10413 -- kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
10414 -- }
10415 -+ return 1;
10416 -+}
10417 -+EXPORT_SYMBOL(splice_from_pipe_next);
10418 -
10419 -- return ret;
10420 -+/**
10421 -+ * splice_from_pipe_begin - start splicing from pipe
10422 -+ * @pipe: pipe to splice from
10423 -+ *
10424 -+ * Description:
10425 -+ * This function should be called before a loop containing
10426 -+ * splice_from_pipe_next() and splice_from_pipe_feed() to
10427 -+ * initialize the necessary fields of @sd.
10428 -+ */
10429 -+void splice_from_pipe_begin(struct splice_desc *sd)
10430 -+{
10431 -+ sd->num_spliced = 0;
10432 -+ sd->need_wakeup = false;
10433 -+}
10434 -+EXPORT_SYMBOL(splice_from_pipe_begin);
10435 -+
10436 -+/**
10437 -+ * splice_from_pipe_end - finish splicing from pipe
10438 -+ * @pipe: pipe to splice from
10439 -+ * @sd: information about the splice operation
10440 -+ *
10441 -+ * Description:
10442 -+ * This function will wake up pipe writers if necessary. It should
10443 -+ * be called after a loop containing splice_from_pipe_next() and
10444 -+ * splice_from_pipe_feed().
10445 -+ */
10446 -+void splice_from_pipe_end(struct pipe_inode_info *pipe, struct splice_desc *sd)
10447 -+{
10448 -+ if (sd->need_wakeup)
10449 -+ wakeup_pipe_writers(pipe);
10450 -+}
10451 -+EXPORT_SYMBOL(splice_from_pipe_end);
10452 -+
10453 -+/**
10454 -+ * __splice_from_pipe - splice data from a pipe to given actor
10455 -+ * @pipe: pipe to splice from
10456 -+ * @sd: information to @actor
10457 -+ * @actor: handler that splices the data
10458 -+ *
10459 -+ * Description:
10460 -+ * This function does little more than loop over the pipe and call
10461 -+ * @actor to do the actual moving of a single struct pipe_buffer to
10462 -+ * the desired destination. See pipe_to_file, pipe_to_sendpage, or
10463 -+ * pipe_to_user.
10464 -+ *
10465 -+ */
10466 -+ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
10467 -+ splice_actor *actor)
10468 -+{
10469 -+ int ret;
10470 -+
10471 -+ splice_from_pipe_begin(sd);
10472 -+ do {
10473 -+ ret = splice_from_pipe_next(pipe, sd);
10474 -+ if (ret > 0)
10475 -+ ret = splice_from_pipe_feed(pipe, sd, actor);
10476 -+ } while (ret > 0);
10477 -+ splice_from_pipe_end(pipe, sd);
10478 -+
10479 -+ return sd->num_spliced ? sd->num_spliced : ret;
10480 - }
10481 - EXPORT_SYMBOL(__splice_from_pipe);
10482 -
10483 -@@ -714,7 +784,7 @@ EXPORT_SYMBOL(__splice_from_pipe);
10484 - * @actor: handler that splices the data
10485 - *
10486 - * Description:
10487 -- * See __splice_from_pipe. This function locks the input and output inodes,
10488 -+ * See __splice_from_pipe. This function locks the pipe inode,
10489 - * otherwise it's identical to __splice_from_pipe().
10490 - *
10491 - */
10492 -@@ -723,7 +793,6 @@ ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
10493 - splice_actor *actor)
10494 - {
10495 - ssize_t ret;
10496 -- struct inode *inode = out->f_mapping->host;
10497 - struct splice_desc sd = {
10498 - .total_len = len,
10499 - .flags = flags,
10500 -@@ -731,24 +800,11 @@ ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
10501 - .u.file = out,
10502 - };
10503 -
10504 -- /*
10505 -- * The actor worker might be calling ->write_begin and
10506 -- * ->write_end. Most of the time, these expect i_mutex to
10507 -- * be held. Since this may result in an ABBA deadlock with
10508 -- * pipe->inode, we have to order lock acquiry here.
10509 -- *
10510 -- * Outer lock must be inode->i_mutex, as pipe_wait() will
10511 -- * release and reacquire pipe->inode->i_mutex, AND inode must
10512 -- * never be a pipe.
10513 -- */
10514 -- WARN_ON(S_ISFIFO(inode->i_mode));
10515 -- mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
10516 - if (pipe->inode)
10517 -- mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
10518 -+ mutex_lock(&pipe->inode->i_mutex);
10519 - ret = __splice_from_pipe(pipe, &sd, actor);
10520 - if (pipe->inode)
10521 - mutex_unlock(&pipe->inode->i_mutex);
10522 -- mutex_unlock(&inode->i_mutex);
10523 -
10524 - return ret;
10525 - }
10526 -@@ -839,17 +895,29 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
10527 - };
10528 - ssize_t ret;
10529 -
10530 -- WARN_ON(S_ISFIFO(inode->i_mode));
10531 -- mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
10532 -- ret = file_remove_suid(out);
10533 -- if (likely(!ret)) {
10534 -- if (pipe->inode)
10535 -- mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
10536 -- ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
10537 -- if (pipe->inode)
10538 -- mutex_unlock(&pipe->inode->i_mutex);
10539 -- }
10540 -- mutex_unlock(&inode->i_mutex);
10541 -+ if (pipe->inode)
10542 -+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
10543 -+
10544 -+ splice_from_pipe_begin(&sd);
10545 -+ do {
10546 -+ ret = splice_from_pipe_next(pipe, &sd);
10547 -+ if (ret <= 0)
10548 -+ break;
10549 -+
10550 -+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_CHILD);
10551 -+ ret = file_remove_suid(out);
10552 -+ if (!ret)
10553 -+ ret = splice_from_pipe_feed(pipe, &sd, pipe_to_file);
10554 -+ mutex_unlock(&inode->i_mutex);
10555 -+ } while (ret > 0);
10556 -+ splice_from_pipe_end(pipe, &sd);
10557 -+
10558 -+ if (pipe->inode)
10559 -+ mutex_unlock(&pipe->inode->i_mutex);
10560 -+
10561 -+ if (sd.num_spliced)
10562 -+ ret = sd.num_spliced;
10563 -+
10564 - if (ret > 0) {
10565 - unsigned long nr_pages;
10566 -
10567 -diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
10568 -index 93b6de5..0ff89fe 100644
10569 ---- a/fs/ubifs/file.c
10570 -+++ b/fs/ubifs/file.c
10571 -@@ -1434,8 +1434,9 @@ static int ubifs_releasepage(struct page *page, gfp_t unused_gfp_flags)
10572 - * mmap()d file has taken write protection fault and is being made
10573 - * writable. UBIFS must ensure page is budgeted for.
10574 - */
10575 --static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma, struct page *page)
10576 -+static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
10577 - {
10578 -+ struct page *page = vmf->page;
10579 - struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
10580 - struct ubifs_info *c = inode->i_sb->s_fs_info;
10581 - struct timespec now = ubifs_current_time(inode);
10582 -@@ -1447,7 +1448,7 @@ static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma, struct page *page)
10583 - ubifs_assert(!(inode->i_sb->s_flags & MS_RDONLY));
10584 -
10585 - if (unlikely(c->ro_media))
10586 -- return -EROFS;
10587 -+ return VM_FAULT_SIGBUS; /* -EROFS */
10588 -
10589 - /*
10590 - * We have not locked @page so far so we may budget for changing the
10591 -@@ -1480,7 +1481,7 @@ static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma, struct page *page)
10592 - if (err == -ENOSPC)
10593 - ubifs_warn("out of space for mmapped file "
10594 - "(inode number %lu)", inode->i_ino);
10595 -- return err;
10596 -+ return VM_FAULT_SIGBUS;
10597 - }
10598 -
10599 - lock_page(page);
10600 -@@ -1520,6 +1521,8 @@ static int ubifs_vm_page_mkwrite(struct vm_area_struct *vma, struct page *page)
10601 - out_unlock:
10602 - unlock_page(page);
10603 - ubifs_release_budget(c, &req);
10604 -+ if (err)
10605 -+ err = VM_FAULT_SIGBUS;
10606 - return err;
10607 - }
10608 -
10609 -diff --git a/fs/xfs/linux-2.6/xfs_file.c b/fs/xfs/linux-2.6/xfs_file.c
10610 -index e14c4e3..f4e2554 100644
10611 ---- a/fs/xfs/linux-2.6/xfs_file.c
10612 -+++ b/fs/xfs/linux-2.6/xfs_file.c
10613 -@@ -234,9 +234,9 @@ xfs_file_mmap(
10614 - STATIC int
10615 - xfs_vm_page_mkwrite(
10616 - struct vm_area_struct *vma,
10617 -- struct page *page)
10618 -+ struct vm_fault *vmf)
10619 - {
10620 -- return block_page_mkwrite(vma, page, xfs_get_blocks);
10621 -+ return block_page_mkwrite(vma, vmf, xfs_get_blocks);
10622 - }
10623 -
10624 - const struct file_operations xfs_file_operations = {
10625 -diff --git a/include/linux/buffer_head.h b/include/linux/buffer_head.h
10626 -index bd7ac79..2c2d216 100644
10627 ---- a/include/linux/buffer_head.h
10628 -+++ b/include/linux/buffer_head.h
10629 -@@ -223,7 +223,7 @@ int cont_write_begin(struct file *, struct address_space *, loff_t,
10630 - get_block_t *, loff_t *);
10631 - int generic_cont_expand_simple(struct inode *inode, loff_t size);
10632 - int block_commit_write(struct page *page, unsigned from, unsigned to);
10633 --int block_page_mkwrite(struct vm_area_struct *vma, struct page *page,
10634 -+int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
10635 - get_block_t get_block);
10636 - void block_sync_page(struct page *);
10637 - sector_t generic_block_bmap(struct address_space *, sector_t, get_block_t *);
10638 -diff --git a/include/linux/compiler.h b/include/linux/compiler.h
10639 -index d95da10..0011cd7 100644
10640 ---- a/include/linux/compiler.h
10641 -+++ b/include/linux/compiler.h
10642 -@@ -75,7 +75,8 @@ struct ftrace_branch_data {
10643 - * Note: DISABLE_BRANCH_PROFILING can be used by special lowlevel code
10644 - * to disable branch tracing on a per file basis.
10645 - */
10646 --#if defined(CONFIG_TRACE_BRANCH_PROFILING) && !defined(DISABLE_BRANCH_PROFILING)
10647 -+#if defined(CONFIG_TRACE_BRANCH_PROFILING) \
10648 -+ && !defined(DISABLE_BRANCH_PROFILING) && !defined(__CHECKER__)
10649 - void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
10650 -
10651 - #define likely_notrace(x) __builtin_expect(!!(x), 1)
10652 -diff --git a/include/linux/mm.h b/include/linux/mm.h
10653 -index 3daa05f..93d0a69 100644
10654 ---- a/include/linux/mm.h
10655 -+++ b/include/linux/mm.h
10656 -@@ -145,6 +145,7 @@ extern pgprot_t protection_map[16];
10657 -
10658 - #define FAULT_FLAG_WRITE 0x01 /* Fault was a write access */
10659 - #define FAULT_FLAG_NONLINEAR 0x02 /* Fault was via a nonlinear mapping */
10660 -+#define FAULT_FLAG_MKWRITE 0x04 /* Fault was mkwrite of existing pte */
10661 -
10662 - /*
10663 - * This interface is used by x86 PAT code to identify a pfn mapping that is
10664 -@@ -197,7 +198,7 @@ struct vm_operations_struct {
10665 -
10666 - /* notification that a previously read-only page is about to become
10667 - * writable, if an error is returned it will cause a SIGBUS */
10668 -- int (*page_mkwrite)(struct vm_area_struct *vma, struct page *page);
10669 -+ int (*page_mkwrite)(struct vm_area_struct *vma, struct vm_fault *vmf);
10670 -
10671 - /* called by access_process_vm when get_user_pages() fails, typically
10672 - * for use by special VMAs that can switch between memory and hardware
10673 -diff --git a/include/linux/splice.h b/include/linux/splice.h
10674 -index 528dcb9..5f3faa9 100644
10675 ---- a/include/linux/splice.h
10676 -+++ b/include/linux/splice.h
10677 -@@ -36,6 +36,8 @@ struct splice_desc {
10678 - void *data; /* cookie */
10679 - } u;
10680 - loff_t pos; /* file position */
10681 -+ size_t num_spliced; /* number of bytes already spliced */
10682 -+ bool need_wakeup; /* need to wake up writer */
10683 - };
10684 -
10685 - struct partial_page {
10686 -@@ -66,6 +68,16 @@ extern ssize_t splice_from_pipe(struct pipe_inode_info *, struct file *,
10687 - splice_actor *);
10688 - extern ssize_t __splice_from_pipe(struct pipe_inode_info *,
10689 - struct splice_desc *, splice_actor *);
10690 -+extern int splice_from_pipe_feed(struct pipe_inode_info *, struct splice_desc *,
10691 -+ splice_actor *);
10692 -+extern int splice_from_pipe_next(struct pipe_inode_info *,
10693 -+ struct splice_desc *);
10694 -+extern void splice_from_pipe_begin(struct splice_desc *);
10695 -+extern void splice_from_pipe_end(struct pipe_inode_info *,
10696 -+ struct splice_desc *);
10697 -+extern int pipe_to_file(struct pipe_inode_info *, struct pipe_buffer *,
10698 -+ struct splice_desc *);
10699 -+
10700 - extern ssize_t splice_to_pipe(struct pipe_inode_info *,
10701 - struct splice_pipe_desc *);
10702 - extern ssize_t splice_direct_to_actor(struct file *, struct splice_desc *,
10703 -diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
10704 -index bedc7f6..abd4436 100644
10705 ---- a/include/net/cipso_ipv4.h
10706 -+++ b/include/net/cipso_ipv4.h
10707 -@@ -40,6 +40,7 @@
10708 - #include <linux/net.h>
10709 - #include <linux/skbuff.h>
10710 - #include <net/netlabel.h>
10711 -+#include <net/request_sock.h>
10712 - #include <asm/atomic.h>
10713 -
10714 - /* known doi values */
10715 -@@ -215,6 +216,10 @@ int cipso_v4_sock_setattr(struct sock *sk,
10716 - const struct netlbl_lsm_secattr *secattr);
10717 - void cipso_v4_sock_delattr(struct sock *sk);
10718 - int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
10719 -+int cipso_v4_req_setattr(struct request_sock *req,
10720 -+ const struct cipso_v4_doi *doi_def,
10721 -+ const struct netlbl_lsm_secattr *secattr);
10722 -+void cipso_v4_req_delattr(struct request_sock *req);
10723 - int cipso_v4_skbuff_setattr(struct sk_buff *skb,
10724 - const struct cipso_v4_doi *doi_def,
10725 - const struct netlbl_lsm_secattr *secattr);
10726 -@@ -247,6 +252,18 @@ static inline int cipso_v4_sock_getattr(struct sock *sk,
10727 - return -ENOSYS;
10728 - }
10729 -
10730 -+static inline int cipso_v4_req_setattr(struct request_sock *req,
10731 -+ const struct cipso_v4_doi *doi_def,
10732 -+ const struct netlbl_lsm_secattr *secattr)
10733 -+{
10734 -+ return -ENOSYS;
10735 -+}
10736 -+
10737 -+static inline void cipso_v4_req_delattr(struct request_sock *req)
10738 -+{
10739 -+ return;
10740 -+}
10741 -+
10742 - static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb,
10743 - const struct cipso_v4_doi *doi_def,
10744 - const struct netlbl_lsm_secattr *secattr)
10745 -diff --git a/include/net/netlabel.h b/include/net/netlabel.h
10746 -index 749011e..bf77b5c 100644
10747 ---- a/include/net/netlabel.h
10748 -+++ b/include/net/netlabel.h
10749 -@@ -36,6 +36,7 @@
10750 - #include <linux/in.h>
10751 - #include <linux/in6.h>
10752 - #include <net/netlink.h>
10753 -+#include <net/request_sock.h>
10754 - #include <asm/atomic.h>
10755 -
10756 - struct cipso_v4_doi;
10757 -@@ -413,6 +414,9 @@ int netlbl_sock_getattr(struct sock *sk,
10758 - int netlbl_conn_setattr(struct sock *sk,
10759 - struct sockaddr *addr,
10760 - const struct netlbl_lsm_secattr *secattr);
10761 -+int netlbl_req_setattr(struct request_sock *req,
10762 -+ const struct netlbl_lsm_secattr *secattr);
10763 -+void netlbl_req_delattr(struct request_sock *req);
10764 - int netlbl_skbuff_setattr(struct sk_buff *skb,
10765 - u16 family,
10766 - const struct netlbl_lsm_secattr *secattr);
10767 -@@ -519,7 +523,7 @@ static inline int netlbl_enabled(void)
10768 - return 0;
10769 - }
10770 - static inline int netlbl_sock_setattr(struct sock *sk,
10771 -- const struct netlbl_lsm_secattr *secattr)
10772 -+ const struct netlbl_lsm_secattr *secattr)
10773 - {
10774 - return -ENOSYS;
10775 - }
10776 -@@ -537,6 +541,15 @@ static inline int netlbl_conn_setattr(struct sock *sk,
10777 - {
10778 - return -ENOSYS;
10779 - }
10780 -+static inline int netlbl_req_setattr(struct request_sock *req,
10781 -+ const struct netlbl_lsm_secattr *secattr)
10782 -+{
10783 -+ return -ENOSYS;
10784 -+}
10785 -+static inline void netlbl_req_delattr(struct request_sock *req)
10786 -+{
10787 -+ return;
10788 -+}
10789 - static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
10790 - u16 family,
10791 - const struct netlbl_lsm_secattr *secattr)
10792 -diff --git a/mm/memory.c b/mm/memory.c
10793 -index d7df5ba..c304626 100644
10794 ---- a/mm/memory.c
10795 -+++ b/mm/memory.c
10796 -@@ -1940,6 +1940,15 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma,
10797 - * get_user_pages(.write=1, .force=1).
10798 - */
10799 - if (vma->vm_ops && vma->vm_ops->page_mkwrite) {
10800 -+ struct vm_fault vmf;
10801 -+ int tmp;
10802 -+
10803 -+ vmf.virtual_address = (void __user *)(address &
10804 -+ PAGE_MASK);
10805 -+ vmf.pgoff = old_page->index;
10806 -+ vmf.flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE;
10807 -+ vmf.page = old_page;
10808 -+
10809 - /*
10810 - * Notify the address space that the page is about to
10811 - * become writable so that it can prohibit this or wait
10812 -@@ -1951,8 +1960,21 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma,
10813 - page_cache_get(old_page);
10814 - pte_unmap_unlock(page_table, ptl);
10815 -
10816 -- if (vma->vm_ops->page_mkwrite(vma, old_page) < 0)
10817 -+ tmp = vma->vm_ops->page_mkwrite(vma, &vmf);
10818 -+ if (unlikely(tmp &
10819 -+ (VM_FAULT_ERROR | VM_FAULT_NOPAGE))) {
10820 -+ ret = tmp;
10821 - goto unwritable_page;
10822 -+ }
10823 -+ if (unlikely(!(tmp & VM_FAULT_LOCKED))) {
10824 -+ lock_page(old_page);
10825 -+ if (!old_page->mapping) {
10826 -+ ret = 0; /* retry the fault */
10827 -+ unlock_page(old_page);
10828 -+ goto unwritable_page;
10829 -+ }
10830 -+ } else
10831 -+ VM_BUG_ON(!PageLocked(old_page));
10832 -
10833 - /*
10834 - * Since we dropped the lock we need to revalidate
10835 -@@ -1962,9 +1984,11 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma,
10836 - */
10837 - page_table = pte_offset_map_lock(mm, pmd, address,
10838 - &ptl);
10839 -- page_cache_release(old_page);
10840 -- if (!pte_same(*page_table, orig_pte))
10841 -+ if (!pte_same(*page_table, orig_pte)) {
10842 -+ unlock_page(old_page);
10843 -+ page_cache_release(old_page);
10844 - goto unlock;
10845 -+ }
10846 -
10847 - page_mkwrite = 1;
10848 - }
10849 -@@ -2076,9 +2100,6 @@ gotten:
10850 - unlock:
10851 - pte_unmap_unlock(page_table, ptl);
10852 - if (dirty_page) {
10853 -- if (vma->vm_file)
10854 -- file_update_time(vma->vm_file);
10855 --
10856 - /*
10857 - * Yes, Virginia, this is actually required to prevent a race
10858 - * with clear_page_dirty_for_io() from clearing the page dirty
10859 -@@ -2087,21 +2108,46 @@ unlock:
10860 - *
10861 - * do_no_page is protected similarly.
10862 - */
10863 -- wait_on_page_locked(dirty_page);
10864 -- set_page_dirty_balance(dirty_page, page_mkwrite);
10865 -+ if (!page_mkwrite) {
10866 -+ wait_on_page_locked(dirty_page);
10867 -+ set_page_dirty_balance(dirty_page, page_mkwrite);
10868 -+ }
10869 - put_page(dirty_page);
10870 -+ if (page_mkwrite) {
10871 -+ struct address_space *mapping = dirty_page->mapping;
10872 -+
10873 -+ set_page_dirty(dirty_page);
10874 -+ unlock_page(dirty_page);
10875 -+ page_cache_release(dirty_page);
10876 -+ if (mapping) {
10877 -+ /*
10878 -+ * Some device drivers do not set page.mapping
10879 -+ * but still dirty their pages
10880 -+ */
10881 -+ balance_dirty_pages_ratelimited(mapping);
10882 -+ }
10883 -+ }
10884 -+
10885 -+ /* file_update_time outside page_lock */
10886 -+ if (vma->vm_file)
10887 -+ file_update_time(vma->vm_file);
10888 - }
10889 - return ret;
10890 - oom_free_new:
10891 - page_cache_release(new_page);
10892 - oom:
10893 -- if (old_page)
10894 -+ if (old_page) {
10895 -+ if (page_mkwrite) {
10896 -+ unlock_page(old_page);
10897 -+ page_cache_release(old_page);
10898 -+ }
10899 - page_cache_release(old_page);
10900 -+ }
10901 - return VM_FAULT_OOM;
10902 -
10903 - unwritable_page:
10904 - page_cache_release(old_page);
10905 -- return VM_FAULT_SIGBUS;
10906 -+ return ret;
10907 - }
10908 -
10909 - /*
10910 -@@ -2645,25 +2691,25 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
10911 - * to become writable
10912 - */
10913 - if (vma->vm_ops->page_mkwrite) {
10914 -+ int tmp;
10915 -+
10916 - unlock_page(page);
10917 -- if (vma->vm_ops->page_mkwrite(vma, page) < 0) {
10918 -- ret = VM_FAULT_SIGBUS;
10919 -- anon = 1; /* no anon but release vmf.page */
10920 -- goto out_unlocked;
10921 -- }
10922 -- lock_page(page);
10923 -- /*
10924 -- * XXX: this is not quite right (racy vs
10925 -- * invalidate) to unlock and relock the page
10926 -- * like this, however a better fix requires
10927 -- * reworking page_mkwrite locking API, which
10928 -- * is better done later.
10929 -- */
10930 -- if (!page->mapping) {
10931 -- ret = 0;
10932 -- anon = 1; /* no anon but release vmf.page */
10933 -- goto out;
10934 -+ vmf.flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE;
10935 -+ tmp = vma->vm_ops->page_mkwrite(vma, &vmf);
10936 -+ if (unlikely(tmp &
10937 -+ (VM_FAULT_ERROR | VM_FAULT_NOPAGE))) {
10938 -+ ret = tmp;
10939 -+ goto unwritable_page;
10940 - }
10941 -+ if (unlikely(!(tmp & VM_FAULT_LOCKED))) {
10942 -+ lock_page(page);
10943 -+ if (!page->mapping) {
10944 -+ ret = 0; /* retry the fault */
10945 -+ unlock_page(page);
10946 -+ goto unwritable_page;
10947 -+ }
10948 -+ } else
10949 -+ VM_BUG_ON(!PageLocked(page));
10950 - page_mkwrite = 1;
10951 - }
10952 - }
10953 -@@ -2715,19 +2761,35 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
10954 - pte_unmap_unlock(page_table, ptl);
10955 -
10956 - out:
10957 -- unlock_page(vmf.page);
10958 --out_unlocked:
10959 -- if (anon)
10960 -- page_cache_release(vmf.page);
10961 -- else if (dirty_page) {
10962 -- if (vma->vm_file)
10963 -- file_update_time(vma->vm_file);
10964 -+ if (dirty_page) {
10965 -+ struct address_space *mapping = page->mapping;
10966 -
10967 -- set_page_dirty_balance(dirty_page, page_mkwrite);
10968 -+ if (set_page_dirty(dirty_page))
10969 -+ page_mkwrite = 1;
10970 -+ unlock_page(dirty_page);
10971 - put_page(dirty_page);
10972 -+ if (page_mkwrite && mapping) {
10973 -+ /*
10974 -+ * Some device drivers do not set page.mapping but still
10975 -+ * dirty their pages
10976 -+ */
10977 -+ balance_dirty_pages_ratelimited(mapping);
10978 -+ }
10979 -+
10980 -+ /* file_update_time outside page_lock */
10981 -+ if (vma->vm_file)
10982 -+ file_update_time(vma->vm_file);
10983 -+ } else {
10984 -+ unlock_page(vmf.page);
10985 -+ if (anon)
10986 -+ page_cache_release(vmf.page);
10987 - }
10988 -
10989 - return ret;
10990 -+
10991 -+unwritable_page:
10992 -+ page_cache_release(page);
10993 -+ return ret;
10994 - }
10995 -
10996 - static int do_linear_fault(struct mm_struct *mm, struct vm_area_struct *vma,
10997 -diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
10998 -index 7bc9929..4ea2c38 100644
10999 ---- a/net/ipv4/cipso_ipv4.c
11000 -+++ b/net/ipv4/cipso_ipv4.c
11001 -@@ -1942,6 +1942,72 @@ socket_setattr_failure:
11002 - }
11003 -
11004 - /**
11005 -+ * cipso_v4_req_setattr - Add a CIPSO option to a connection request socket
11006 -+ * @req: the connection request socket
11007 -+ * @doi_def: the CIPSO DOI to use
11008 -+ * @secattr: the specific security attributes of the socket
11009 -+ *
11010 -+ * Description:
11011 -+ * Set the CIPSO option on the given socket using the DOI definition and
11012 -+ * security attributes passed to the function. Returns zero on success and
11013 -+ * negative values on failure.
11014 -+ *
11015 -+ */
11016 -+int cipso_v4_req_setattr(struct request_sock *req,
11017 -+ const struct cipso_v4_doi *doi_def,
11018 -+ const struct netlbl_lsm_secattr *secattr)
11019 -+{
11020 -+ int ret_val = -EPERM;
11021 -+ unsigned char *buf = NULL;
11022 -+ u32 buf_len;
11023 -+ u32 opt_len;
11024 -+ struct ip_options *opt = NULL;
11025 -+ struct inet_request_sock *req_inet;
11026 -+
11027 -+ /* We allocate the maximum CIPSO option size here so we are probably
11028 -+ * being a little wasteful, but it makes our life _much_ easier later
11029 -+ * on and after all we are only talking about 40 bytes. */
11030 -+ buf_len = CIPSO_V4_OPT_LEN_MAX;
11031 -+ buf = kmalloc(buf_len, GFP_ATOMIC);
11032 -+ if (buf == NULL) {
11033 -+ ret_val = -ENOMEM;
11034 -+ goto req_setattr_failure;
11035 -+ }
11036 -+
11037 -+ ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
11038 -+ if (ret_val < 0)
11039 -+ goto req_setattr_failure;
11040 -+ buf_len = ret_val;
11041 -+
11042 -+ /* We can't use ip_options_get() directly because it makes a call to
11043 -+ * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
11044 -+ * we won't always have CAP_NET_RAW even though we _always_ want to
11045 -+ * set the IPOPT_CIPSO option. */
11046 -+ opt_len = (buf_len + 3) & ~3;
11047 -+ opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
11048 -+ if (opt == NULL) {
11049 -+ ret_val = -ENOMEM;
11050 -+ goto req_setattr_failure;
11051 -+ }
11052 -+ memcpy(opt->__data, buf, buf_len);
11053 -+ opt->optlen = opt_len;
11054 -+ opt->cipso = sizeof(struct iphdr);
11055 -+ kfree(buf);
11056 -+ buf = NULL;
11057 -+
11058 -+ req_inet = inet_rsk(req);
11059 -+ opt = xchg(&req_inet->opt, opt);
11060 -+ kfree(opt);
11061 -+
11062 -+ return 0;
11063 -+
11064 -+req_setattr_failure:
11065 -+ kfree(buf);
11066 -+ kfree(opt);
11067 -+ return ret_val;
11068 -+}
11069 -+
11070 -+/**
11071 - * cipso_v4_sock_delattr - Delete the CIPSO option from a socket
11072 - * @sk: the socket
11073 - *
11074 -@@ -2016,6 +2082,70 @@ void cipso_v4_sock_delattr(struct sock *sk)
11075 - }
11076 -
11077 - /**
11078 -+ * cipso_v4_req_delattr - Delete the CIPSO option from a request socket
11079 -+ * @reg: the request socket
11080 -+ *
11081 -+ * Description:
11082 -+ * Removes the CIPSO option from a request socket, if present.
11083 -+ *
11084 -+ */
11085 -+void cipso_v4_req_delattr(struct request_sock *req)
11086 -+{
11087 -+ struct ip_options *opt;
11088 -+ struct inet_request_sock *req_inet;
11089 -+
11090 -+ req_inet = inet_rsk(req);
11091 -+ opt = req_inet->opt;
11092 -+ if (opt == NULL || opt->cipso == 0)
11093 -+ return;
11094 -+
11095 -+ if (opt->srr || opt->rr || opt->ts || opt->router_alert) {
11096 -+ u8 cipso_len;
11097 -+ u8 cipso_off;
11098 -+ unsigned char *cipso_ptr;
11099 -+ int iter;
11100 -+ int optlen_new;
11101 -+
11102 -+ cipso_off = opt->cipso - sizeof(struct iphdr);
11103 -+ cipso_ptr = &opt->__data[cipso_off];
11104 -+ cipso_len = cipso_ptr[1];
11105 -+
11106 -+ if (opt->srr > opt->cipso)
11107 -+ opt->srr -= cipso_len;
11108 -+ if (opt->rr > opt->cipso)
11109 -+ opt->rr -= cipso_len;
11110 -+ if (opt->ts > opt->cipso)
11111 -+ opt->ts -= cipso_len;
11112 -+ if (opt->router_alert > opt->cipso)
11113 -+ opt->router_alert -= cipso_len;
11114 -+ opt->cipso = 0;
11115 -+
11116 -+ memmove(cipso_ptr, cipso_ptr + cipso_len,
11117 -+ opt->optlen - cipso_off - cipso_len);
11118 -+
11119 -+ /* determining the new total option length is tricky because of
11120 -+ * the padding necessary, the only thing i can think to do at
11121 -+ * this point is walk the options one-by-one, skipping the
11122 -+ * padding at the end to determine the actual option size and
11123 -+ * from there we can determine the new total option length */
11124 -+ iter = 0;
11125 -+ optlen_new = 0;
11126 -+ while (iter < opt->optlen)
11127 -+ if (opt->__data[iter] != IPOPT_NOP) {
11128 -+ iter += opt->__data[iter + 1];
11129 -+ optlen_new = iter;
11130 -+ } else
11131 -+ iter++;
11132 -+ opt->optlen = (optlen_new + 3) & ~3;
11133 -+ } else {
11134 -+ /* only the cipso option was present on the socket so we can
11135 -+ * remove the entire option struct */
11136 -+ req_inet->opt = NULL;
11137 -+ kfree(opt);
11138 -+ }
11139 -+}
11140 -+
11141 -+/**
11142 - * cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions
11143 - * @cipso: the CIPSO v4 option
11144 - * @secattr: the security attributes
11145 -diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
11146 -index d346c22..b35a950 100644
11147 ---- a/net/ipv4/syncookies.c
11148 -+++ b/net/ipv4/syncookies.c
11149 -@@ -288,10 +288,6 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
11150 - if (!req)
11151 - goto out;
11152 -
11153 -- if (security_inet_conn_request(sk, skb, req)) {
11154 -- reqsk_free(req);
11155 -- goto out;
11156 -- }
11157 - ireq = inet_rsk(req);
11158 - treq = tcp_rsk(req);
11159 - treq->rcv_isn = ntohl(th->seq) - 1;
11160 -@@ -322,6 +318,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
11161 - }
11162 - }
11163 -
11164 -+ if (security_inet_conn_request(sk, skb, req)) {
11165 -+ reqsk_free(req);
11166 -+ goto out;
11167 -+ }
11168 -+
11169 - req->expires = 0UL;
11170 - req->retrans = 0;
11171 -
11172 -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
11173 -index cf74c41..5499c28 100644
11174 ---- a/net/ipv4/tcp_ipv4.c
11175 -+++ b/net/ipv4/tcp_ipv4.c
11176 -@@ -1239,14 +1239,15 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
11177 -
11178 - tcp_openreq_init(req, &tmp_opt, skb);
11179 -
11180 -- if (security_inet_conn_request(sk, skb, req))
11181 -- goto drop_and_free;
11182 --
11183 - ireq = inet_rsk(req);
11184 - ireq->loc_addr = daddr;
11185 - ireq->rmt_addr = saddr;
11186 - ireq->no_srccheck = inet_sk(sk)->transparent;
11187 - ireq->opt = tcp_v4_save_options(sk, skb);
11188 -+
11189 -+ if (security_inet_conn_request(sk, skb, req))
11190 -+ goto drop_and_free;
11191 -+
11192 - if (!want_cookie)
11193 - TCP_ECN_create_request(req, tcp_hdr(skb));
11194 -
11195 -diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
11196 -index fd9229d..a52ca1c 100644
11197 ---- a/net/netlabel/netlabel_kapi.c
11198 -+++ b/net/netlabel/netlabel_kapi.c
11199 -@@ -757,6 +757,90 @@ conn_setattr_return:
11200 - }
11201 -
11202 - /**
11203 -+ * netlbl_req_setattr - Label a request socket using the correct protocol
11204 -+ * @req: the request socket to label
11205 -+ * @secattr: the security attributes
11206 -+ *
11207 -+ * Description:
11208 -+ * Attach the correct label to the given socket using the security attributes
11209 -+ * specified in @secattr. Returns zero on success, negative values on failure.
11210 -+ *
11211 -+ */
11212 -+int netlbl_req_setattr(struct request_sock *req,
11213 -+ const struct netlbl_lsm_secattr *secattr)
11214 -+{
11215 -+ int ret_val;
11216 -+ struct netlbl_dom_map *dom_entry;
11217 -+ struct netlbl_domaddr4_map *af4_entry;
11218 -+ u32 proto_type;
11219 -+ struct cipso_v4_doi *proto_cv4;
11220 -+
11221 -+ rcu_read_lock();
11222 -+ dom_entry = netlbl_domhsh_getentry(secattr->domain);
11223 -+ if (dom_entry == NULL) {
11224 -+ ret_val = -ENOENT;
11225 -+ goto req_setattr_return;
11226 -+ }
11227 -+ switch (req->rsk_ops->family) {
11228 -+ case AF_INET:
11229 -+ if (dom_entry->type == NETLBL_NLTYPE_ADDRSELECT) {
11230 -+ struct inet_request_sock *req_inet = inet_rsk(req);
11231 -+ af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
11232 -+ req_inet->rmt_addr);
11233 -+ if (af4_entry == NULL) {
11234 -+ ret_val = -ENOENT;
11235 -+ goto req_setattr_return;
11236 -+ }
11237 -+ proto_type = af4_entry->type;
11238 -+ proto_cv4 = af4_entry->type_def.cipsov4;
11239 -+ } else {
11240 -+ proto_type = dom_entry->type;
11241 -+ proto_cv4 = dom_entry->type_def.cipsov4;
11242 -+ }
11243 -+ switch (proto_type) {
11244 -+ case NETLBL_NLTYPE_CIPSOV4:
11245 -+ ret_val = cipso_v4_req_setattr(req, proto_cv4, secattr);
11246 -+ break;
11247 -+ case NETLBL_NLTYPE_UNLABELED:
11248 -+ /* just delete the protocols we support for right now
11249 -+ * but we could remove other protocols if needed */
11250 -+ cipso_v4_req_delattr(req);
11251 -+ ret_val = 0;
11252 -+ break;
11253 -+ default:
11254 -+ ret_val = -ENOENT;
11255 -+ }
11256 -+ break;
11257 -+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
11258 -+ case AF_INET6:
11259 -+ /* since we don't support any IPv6 labeling protocols right
11260 -+ * now we can optimize everything away until we do */
11261 -+ ret_val = 0;
11262 -+ break;
11263 -+#endif /* IPv6 */
11264 -+ default:
11265 -+ ret_val = -EPROTONOSUPPORT;
11266 -+ }
11267 -+
11268 -+req_setattr_return:
11269 -+ rcu_read_unlock();
11270 -+ return ret_val;
11271 -+}
11272 -+
11273 -+/**
11274 -+* netlbl_req_delattr - Delete all the NetLabel labels on a socket
11275 -+* @req: the socket
11276 -+*
11277 -+* Description:
11278 -+* Remove all the NetLabel labeling from @req.
11279 -+*
11280 -+*/
11281 -+void netlbl_req_delattr(struct request_sock *req)
11282 -+{
11283 -+ cipso_v4_req_delattr(req);
11284 -+}
11285 -+
11286 -+/**
11287 - * netlbl_skbuff_setattr - Label a packet using the correct protocol
11288 - * @skb: the packet
11289 - * @family: protocol family
11290 -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
11291 -index e210b21..8d24c91 100644
11292 ---- a/security/selinux/hooks.c
11293 -+++ b/security/selinux/hooks.c
11294 -@@ -311,7 +311,7 @@ static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
11295 - ssec->sid = SECINITSID_UNLABELED;
11296 - sk->sk_security = ssec;
11297 -
11298 -- selinux_netlbl_sk_security_reset(ssec, family);
11299 -+ selinux_netlbl_sk_security_reset(ssec);
11300 -
11301 - return 0;
11302 - }
11303 -@@ -2952,7 +2952,6 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
11304 - static int selinux_revalidate_file_permission(struct file *file, int mask)
11305 - {
11306 - const struct cred *cred = current_cred();
11307 -- int rc;
11308 - struct inode *inode = file->f_path.dentry->d_inode;
11309 -
11310 - if (!mask) {
11311 -@@ -2964,30 +2963,16 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
11312 - if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
11313 - mask |= MAY_APPEND;
11314 -
11315 -- rc = file_has_perm(cred, file,
11316 -- file_mask_to_av(inode->i_mode, mask));
11317 -- if (rc)
11318 -- return rc;
11319 --
11320 -- return selinux_netlbl_inode_permission(inode, mask);
11321 -+ return file_has_perm(cred, file, file_mask_to_av(inode->i_mode, mask));
11322 - }
11323 -
11324 - static int selinux_file_permission(struct file *file, int mask)
11325 - {
11326 -- struct inode *inode = file->f_path.dentry->d_inode;
11327 -- struct file_security_struct *fsec = file->f_security;
11328 -- struct inode_security_struct *isec = inode->i_security;
11329 -- u32 sid = current_sid();
11330 --
11331 - if (!mask) {
11332 - /* No permission to check. Existence test. */
11333 - return 0;
11334 - }
11335 -
11336 -- if (sid == fsec->sid && fsec->isid == isec->sid
11337 -- && fsec->pseqno == avc_policy_seqno())
11338 -- return selinux_netlbl_inode_permission(inode, mask);
11339 --
11340 - return selinux_revalidate_file_permission(file, mask);
11341 - }
11342 -
11343 -@@ -3799,7 +3784,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
11344 - sksec = sock->sk->sk_security;
11345 - sksec->sid = isec->sid;
11346 - sksec->sclass = isec->sclass;
11347 -- err = selinux_netlbl_socket_post_create(sock);
11348 -+ err = selinux_netlbl_socket_post_create(sock->sk, family);
11349 - }
11350 -
11351 - return err;
11352 -@@ -3990,13 +3975,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
11353 - static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
11354 - int size)
11355 - {
11356 -- int rc;
11357 --
11358 -- rc = socket_has_perm(current, sock, SOCKET__WRITE);
11359 -- if (rc)
11360 -- return rc;
11361 --
11362 -- return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
11363 -+ return socket_has_perm(current, sock, SOCKET__WRITE);
11364 - }
11365 -
11366 - static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
11367 -@@ -4384,7 +4363,7 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
11368 - newssec->peer_sid = ssec->peer_sid;
11369 - newssec->sclass = ssec->sclass;
11370 -
11371 -- selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
11372 -+ selinux_netlbl_sk_security_reset(newssec);
11373 - }
11374 -
11375 - static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
11376 -@@ -4429,15 +4408,15 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
11377 - req->secid = sksec->sid;
11378 - req->peer_secid = SECSID_NULL;
11379 - return 0;
11380 -+ } else {
11381 -+ err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
11382 -+ if (err)
11383 -+ return err;
11384 -+ req->secid = newsid;
11385 -+ req->peer_secid = peersid;
11386 - }
11387 -
11388 -- err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
11389 -- if (err)
11390 -- return err;
11391 --
11392 -- req->secid = newsid;
11393 -- req->peer_secid = peersid;
11394 -- return 0;
11395 -+ return selinux_netlbl_inet_conn_request(req, family);
11396 - }
11397 -
11398 - static void selinux_inet_csk_clone(struct sock *newsk,
11399 -@@ -4454,7 +4433,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
11400 -
11401 - /* We don't need to take any sort of lock here as we are the only
11402 - * thread with access to newsksec */
11403 -- selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
11404 -+ selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
11405 - }
11406 -
11407 - static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
11408 -@@ -4467,8 +4446,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
11409 - family = PF_INET;
11410 -
11411 - selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
11412 --
11413 -- selinux_netlbl_inet_conn_established(sk, family);
11414 - }
11415 -
11416 - static void selinux_req_classify_flow(const struct request_sock *req,
11417 -diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
11418 -index b913c8d..a5537cd 100644
11419 ---- a/security/selinux/include/netlabel.h
11420 -+++ b/security/selinux/include/netlabel.h
11421 -@@ -32,6 +32,7 @@
11422 - #include <linux/net.h>
11423 - #include <linux/skbuff.h>
11424 - #include <net/sock.h>
11425 -+#include <net/request_sock.h>
11426 -
11427 - #include "avc.h"
11428 - #include "objsec.h"
11429 -@@ -42,8 +43,7 @@ void selinux_netlbl_cache_invalidate(void);
11430 - void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
11431 -
11432 - void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec);
11433 --void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
11434 -- int family);
11435 -+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec);
11436 -
11437 - int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
11438 - u16 family,
11439 -@@ -53,8 +53,9 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
11440 - u16 family,
11441 - u32 sid);
11442 -
11443 --void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family);
11444 --int selinux_netlbl_socket_post_create(struct socket *sock);
11445 -+int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family);
11446 -+void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family);
11447 -+int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
11448 - int selinux_netlbl_inode_permission(struct inode *inode, int mask);
11449 - int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
11450 - struct sk_buff *skb,
11451 -@@ -85,8 +86,7 @@ static inline void selinux_netlbl_sk_security_free(
11452 - }
11453 -
11454 - static inline void selinux_netlbl_sk_security_reset(
11455 -- struct sk_security_struct *ssec,
11456 -- int family)
11457 -+ struct sk_security_struct *ssec)
11458 - {
11459 - return;
11460 - }
11461 -@@ -113,12 +113,17 @@ static inline int selinux_netlbl_conn_setsid(struct sock *sk,
11462 - return 0;
11463 - }
11464 -
11465 --static inline void selinux_netlbl_inet_conn_established(struct sock *sk,
11466 -- u16 family)
11467 -+static inline int selinux_netlbl_inet_conn_request(struct request_sock *req,
11468 -+ u16 family)
11469 -+{
11470 -+ return 0;
11471 -+}
11472 -+static inline void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
11473 - {
11474 - return;
11475 - }
11476 --static inline int selinux_netlbl_socket_post_create(struct socket *sock)
11477 -+static inline int selinux_netlbl_socket_post_create(struct sock *sk,
11478 -+ u16 family)
11479 - {
11480 - return 0;
11481 - }
11482 -diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
11483 -index 350794a..5786c8c 100644
11484 ---- a/security/selinux/netlabel.c
11485 -+++ b/security/selinux/netlabel.c
11486 -@@ -100,41 +100,6 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
11487 - }
11488 -
11489 - /**
11490 -- * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
11491 -- * @sk: the socket to label
11492 -- *
11493 -- * Description:
11494 -- * Attempt to label a socket using the NetLabel mechanism. Returns zero values
11495 -- * on success, negative values on failure.
11496 -- *
11497 -- */
11498 --static int selinux_netlbl_sock_setsid(struct sock *sk)
11499 --{
11500 -- int rc;
11501 -- struct sk_security_struct *sksec = sk->sk_security;
11502 -- struct netlbl_lsm_secattr *secattr;
11503 --
11504 -- if (sksec->nlbl_state != NLBL_REQUIRE)
11505 -- return 0;
11506 --
11507 -- secattr = selinux_netlbl_sock_genattr(sk);
11508 -- if (secattr == NULL)
11509 -- return -ENOMEM;
11510 -- rc = netlbl_sock_setattr(sk, secattr);
11511 -- switch (rc) {
11512 -- case 0:
11513 -- sksec->nlbl_state = NLBL_LABELED;
11514 -- break;
11515 -- case -EDESTADDRREQ:
11516 -- sksec->nlbl_state = NLBL_REQSKB;
11517 -- rc = 0;
11518 -- break;
11519 -- }
11520 --
11521 -- return rc;
11522 --}
11523 --
11524 --/**
11525 - * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
11526 - *
11527 - * Description:
11528 -@@ -188,13 +153,9 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec)
11529 - * The caller is responsibile for all the NetLabel sk_security_struct locking.
11530 - *
11531 - */
11532 --void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
11533 -- int family)
11534 -+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec)
11535 - {
11536 -- if (family == PF_INET)
11537 -- ssec->nlbl_state = NLBL_REQUIRE;
11538 -- else
11539 -- ssec->nlbl_state = NLBL_UNSET;
11540 -+ ssec->nlbl_state = NLBL_UNSET;
11541 - }
11542 -
11543 - /**
11544 -@@ -281,127 +242,85 @@ skbuff_setsid_return:
11545 - }
11546 -
11547 - /**
11548 -- * selinux_netlbl_inet_conn_established - Netlabel the newly accepted connection
11549 -- * @sk: the new connection
11550 -+ * selinux_netlbl_inet_conn_request - Label an incoming stream connection
11551 -+ * @req: incoming connection request socket
11552 - *
11553 - * Description:
11554 -- * A new connection has been established on @sk so make sure it is labeled
11555 -- * correctly with the NetLabel susbsystem.
11556 -+ * A new incoming connection request is represented by @req, we need to label
11557 -+ * the new request_sock here and the stack will ensure the on-the-wire label
11558 -+ * will get preserved when a full sock is created once the connection handshake
11559 -+ * is complete. Returns zero on success, negative values on failure.
11560 - *
11561 - */
11562 --void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
11563 -+int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
11564 - {
11565 - int rc;
11566 -- struct sk_security_struct *sksec = sk->sk_security;
11567 -- struct netlbl_lsm_secattr *secattr;
11568 -- struct inet_sock *sk_inet = inet_sk(sk);
11569 -- struct sockaddr_in addr;
11570 --
11571 -- if (sksec->nlbl_state != NLBL_REQUIRE)
11572 -- return;
11573 -+ struct netlbl_lsm_secattr secattr;
11574 -
11575 -- secattr = selinux_netlbl_sock_genattr(sk);
11576 -- if (secattr == NULL)
11577 -- return;
11578 -+ if (family != PF_INET)
11579 -+ return 0;
11580 -
11581 -- rc = netlbl_sock_setattr(sk, secattr);
11582 -- switch (rc) {
11583 -- case 0:
11584 -- sksec->nlbl_state = NLBL_LABELED;
11585 -- break;
11586 -- case -EDESTADDRREQ:
11587 -- /* no PF_INET6 support yet because we don't support any IPv6
11588 -- * labeling protocols */
11589 -- if (family != PF_INET) {
11590 -- sksec->nlbl_state = NLBL_UNSET;
11591 -- return;
11592 -- }
11593 --
11594 -- addr.sin_family = family;
11595 -- addr.sin_addr.s_addr = sk_inet->daddr;
11596 -- if (netlbl_conn_setattr(sk, (struct sockaddr *)&addr,
11597 -- secattr) != 0) {
11598 -- /* we failed to label the connected socket (could be
11599 -- * for a variety of reasons, the actual "why" isn't
11600 -- * important here) so we have to go to our backup plan,
11601 -- * labeling the packets individually in the netfilter
11602 -- * local output hook. this is okay but we need to
11603 -- * adjust the MSS of the connection to take into
11604 -- * account any labeling overhead, since we don't know
11605 -- * the exact overhead at this point we'll use the worst
11606 -- * case value which is 40 bytes for IPv4 */
11607 -- struct inet_connection_sock *sk_conn = inet_csk(sk);
11608 -- sk_conn->icsk_ext_hdr_len += 40 -
11609 -- (sk_inet->opt ? sk_inet->opt->optlen : 0);
11610 -- sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
11611 --
11612 -- sksec->nlbl_state = NLBL_REQSKB;
11613 -- } else
11614 -- sksec->nlbl_state = NLBL_CONNLABELED;
11615 -- break;
11616 -- default:
11617 -- /* note that we are failing to label the socket which could be
11618 -- * a bad thing since it means traffic could leave the system
11619 -- * without the desired labeling, however, all is not lost as
11620 -- * we have a check in selinux_netlbl_inode_permission() to
11621 -- * pick up the pieces that we might drop here because we can't
11622 -- * return an error code */
11623 -- break;
11624 -- }
11625 -+ netlbl_secattr_init(&secattr);
11626 -+ rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
11627 -+ if (rc != 0)
11628 -+ goto inet_conn_request_return;
11629 -+ rc = netlbl_req_setattr(req, &secattr);
11630 -+inet_conn_request_return:
11631 -+ netlbl_secattr_destroy(&secattr);
11632 -+ return rc;
11633 - }
11634 -
11635 - /**
11636 -- * selinux_netlbl_socket_post_create - Label a socket using NetLabel
11637 -- * @sock: the socket to label
11638 -+ * selinux_netlbl_inet_csk_clone - Initialize the newly created sock
11639 -+ * @sk: the new sock
11640 - *
11641 - * Description:
11642 -- * Attempt to label a socket using the NetLabel mechanism using the given
11643 -- * SID. Returns zero values on success, negative values on failure.
11644 -+ * A new connection has been established using @sk, we've already labeled the
11645 -+ * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but
11646 -+ * we need to set the NetLabel state here since we now have a sock structure.
11647 - *
11648 - */
11649 --int selinux_netlbl_socket_post_create(struct socket *sock)
11650 -+void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
11651 - {
11652 -- return selinux_netlbl_sock_setsid(sock->sk);
11653 -+ struct sk_security_struct *sksec = sk->sk_security;
11654 -+
11655 -+ if (family == PF_INET)
11656 -+ sksec->nlbl_state = NLBL_LABELED;
11657 -+ else
11658 -+ sksec->nlbl_state = NLBL_UNSET;
11659 - }
11660 -
11661 - /**
11662 -- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
11663 -- * @inode: the file descriptor's inode
11664 -- * @mask: the permission mask
11665 -+ * selinux_netlbl_socket_post_create - Label a socket using NetLabel
11666 -+ * @sock: the socket to label
11667 - *
11668 - * Description:
11669 -- * Looks at a file's inode and if it is marked as a socket protected by
11670 -- * NetLabel then verify that the socket has been labeled, if not try to label
11671 -- * the socket now with the inode's SID. Returns zero on success, negative
11672 -- * values on failure.
11673 -+ * Attempt to label a socket using the NetLabel mechanism using the given
11674 -+ * SID. Returns zero values on success, negative values on failure.
11675 - *
11676 - */
11677 --int selinux_netlbl_inode_permission(struct inode *inode, int mask)
11678 -+int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
11679 - {
11680 - int rc;
11681 -- struct sock *sk;
11682 -- struct socket *sock;
11683 -- struct sk_security_struct *sksec;
11684 -+ struct sk_security_struct *sksec = sk->sk_security;
11685 -+ struct netlbl_lsm_secattr *secattr;
11686 -
11687 -- if (!S_ISSOCK(inode->i_mode) ||
11688 -- ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
11689 -- return 0;
11690 -- sock = SOCKET_I(inode);
11691 -- sk = sock->sk;
11692 -- if (sk == NULL)
11693 -- return 0;
11694 -- sksec = sk->sk_security;
11695 -- if (sksec == NULL || sksec->nlbl_state != NLBL_REQUIRE)
11696 -+ if (family != PF_INET)
11697 - return 0;
11698 -
11699 -- local_bh_disable();
11700 -- bh_lock_sock_nested(sk);
11701 -- if (likely(sksec->nlbl_state == NLBL_REQUIRE))
11702 -- rc = selinux_netlbl_sock_setsid(sk);
11703 -- else
11704 -+ secattr = selinux_netlbl_sock_genattr(sk);
11705 -+ if (secattr == NULL)
11706 -+ return -ENOMEM;
11707 -+ rc = netlbl_sock_setattr(sk, secattr);
11708 -+ switch (rc) {
11709 -+ case 0:
11710 -+ sksec->nlbl_state = NLBL_LABELED;
11711 -+ break;
11712 -+ case -EDESTADDRREQ:
11713 -+ sksec->nlbl_state = NLBL_REQSKB;
11714 - rc = 0;
11715 -- bh_unlock_sock(sk);
11716 -- local_bh_enable();
11717 -+ break;
11718 -+ }
11719 -
11720 - return rc;
11721 - }
11722 -diff --git a/security/smack/smack.h b/security/smack/smack.h
11723 -index b79582e..1983196 100644
11724 ---- a/security/smack/smack.h
11725 -+++ b/security/smack/smack.h
11726 -@@ -40,7 +40,6 @@ struct superblock_smack {
11727 - struct socket_smack {
11728 - char *smk_out; /* outbound label */
11729 - char *smk_in; /* inbound label */
11730 -- int smk_labeled; /* label scheme */
11731 - char smk_packet[SMK_LABELLEN]; /* TCP peer label */
11732 - };
11733 -
11734 -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
11735 -index c1c5f36..b4e811b 100644
11736 ---- a/security/smack/smack_lsm.c
11737 -+++ b/security/smack/smack_lsm.c
11738 -@@ -7,6 +7,8 @@
11739 - * Casey Schaufler <casey@××××××××××××.com>
11740 - *
11741 - * Copyright (C) 2007 Casey Schaufler <casey@××××××××××××.com>
11742 -+ * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
11743 -+ * Paul Moore <paul.moore@××.com>
11744 - *
11745 - * This program is free software; you can redistribute it and/or modify
11746 - * it under the terms of the GNU General Public License version 2,
11747 -@@ -20,6 +22,7 @@
11748 - #include <linux/ext2_fs.h>
11749 - #include <linux/kd.h>
11750 - #include <asm/ioctls.h>
11751 -+#include <linux/ip.h>
11752 - #include <linux/tcp.h>
11753 - #include <linux/udp.h>
11754 - #include <linux/mutex.h>
11755 -@@ -1279,7 +1282,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
11756 -
11757 - ssp->smk_in = csp;
11758 - ssp->smk_out = csp;
11759 -- ssp->smk_labeled = SMACK_CIPSO_SOCKET;
11760 - ssp->smk_packet[0] = '\0';
11761 -
11762 - sk->sk_security = ssp;
11763 -@@ -1397,16 +1399,6 @@ static int smack_netlabel(struct sock *sk, int labeled)
11764 -
11765 - bh_unlock_sock(sk);
11766 - local_bh_enable();
11767 -- /*
11768 -- * Remember the label scheme used so that it is not
11769 -- * necessary to do the netlabel setting if it has not
11770 -- * changed the next time through.
11771 -- *
11772 -- * The -EDESTADDRREQ case is an indication that there's
11773 -- * a single level host involved.
11774 -- */
11775 -- if (rc == 0)
11776 -- ssp->smk_labeled = labeled;
11777 -
11778 - return rc;
11779 - }
11780 -@@ -1551,19 +1543,14 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
11781 - return -EINVAL;
11782 -
11783 - hostsp = smack_host_label((struct sockaddr_in *)sap);
11784 -- if (hostsp == NULL) {
11785 -- if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
11786 -- return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
11787 -- return 0;
11788 -- }
11789 -+ if (hostsp == NULL)
11790 -+ return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
11791 -
11792 - rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
11793 - if (rc != 0)
11794 - return rc;
11795 -
11796 -- if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
11797 -- return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
11798 -- return 0;
11799 -+ return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
11800 - }
11801 -
11802 - /**
11803 -@@ -2275,21 +2262,14 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
11804 - return 0;
11805 -
11806 - hostsp = smack_host_label(sip);
11807 -- if (hostsp == NULL) {
11808 -- if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
11809 -- return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
11810 -- return 0;
11811 -- }
11812 -+ if (hostsp == NULL)
11813 -+ return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
11814 -
11815 - rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
11816 - if (rc != 0)
11817 - return rc;
11818 -
11819 -- if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
11820 -- return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
11821 --
11822 -- return 0;
11823 --
11824 -+ return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
11825 - }
11826 -
11827 -
11828 -@@ -2504,22 +2484,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
11829 - static void smack_sock_graft(struct sock *sk, struct socket *parent)
11830 - {
11831 - struct socket_smack *ssp;
11832 -- int rc;
11833 -
11834 -- if (sk == NULL)
11835 -- return;
11836 --
11837 -- if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
11838 -+ if (sk == NULL ||
11839 -+ (sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
11840 - return;
11841 -
11842 - ssp = sk->sk_security;
11843 - ssp->smk_in = ssp->smk_out = current_security();
11844 -- ssp->smk_packet[0] = '\0';
11845 --
11846 -- rc = smack_netlabel(sk, SMACK_CIPSO_SOCKET);
11847 -- if (rc != 0)
11848 -- printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
11849 -- __func__, -rc);
11850 -+ /* cssp->smk_packet is already set in smack_inet_csk_clone() */
11851 - }
11852 -
11853 - /**
11854 -@@ -2534,35 +2506,82 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
11855 - static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
11856 - struct request_sock *req)
11857 - {
11858 -- struct netlbl_lsm_secattr skb_secattr;
11859 -+ u16 family = sk->sk_family;
11860 - struct socket_smack *ssp = sk->sk_security;
11861 -+ struct netlbl_lsm_secattr secattr;
11862 -+ struct sockaddr_in addr;
11863 -+ struct iphdr *hdr;
11864 - char smack[SMK_LABELLEN];
11865 - int rc;
11866 -
11867 -- if (skb == NULL)
11868 -- return -EACCES;
11869 -+ /* handle mapped IPv4 packets arriving via IPv6 sockets */
11870 -+ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
11871 -+ family = PF_INET;
11872 -
11873 -- netlbl_secattr_init(&skb_secattr);
11874 -- rc = netlbl_skbuff_getattr(skb, sk->sk_family, &skb_secattr);
11875 -+ netlbl_secattr_init(&secattr);
11876 -+ rc = netlbl_skbuff_getattr(skb, family, &secattr);
11877 - if (rc == 0)
11878 -- smack_from_secattr(&skb_secattr, smack);
11879 -+ smack_from_secattr(&secattr, smack);
11880 - else
11881 - strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN);
11882 -- netlbl_secattr_destroy(&skb_secattr);
11883 -+ netlbl_secattr_destroy(&secattr);
11884 -+
11885 - /*
11886 -- * Receiving a packet requires that the other end
11887 -- * be able to write here. Read access is not required.
11888 -- *
11889 -- * If the request is successful save the peer's label
11890 -- * so that SO_PEERCRED can report it.
11891 -- */
11892 -+ * Receiving a packet requires that the other end be able to write
11893 -+ * here. Read access is not required.
11894 -+ */
11895 - rc = smk_access(smack, ssp->smk_in, MAY_WRITE);
11896 -- if (rc == 0)
11897 -- strncpy(ssp->smk_packet, smack, SMK_MAXLEN);
11898 -+ if (rc != 0)
11899 -+ return rc;
11900 -+
11901 -+ /*
11902 -+ * Save the peer's label in the request_sock so we can later setup
11903 -+ * smk_packet in the child socket so that SO_PEERCRED can report it.
11904 -+ */
11905 -+ req->peer_secid = smack_to_secid(smack);
11906 -+
11907 -+ /*
11908 -+ * We need to decide if we want to label the incoming connection here
11909 -+ * if we do we only need to label the request_sock and the stack will
11910 -+ * propogate the wire-label to the sock when it is created.
11911 -+ */
11912 -+ hdr = ip_hdr(skb);
11913 -+ addr.sin_addr.s_addr = hdr->saddr;
11914 -+ rcu_read_lock();
11915 -+ if (smack_host_label(&addr) == NULL) {
11916 -+ rcu_read_unlock();
11917 -+ netlbl_secattr_init(&secattr);
11918 -+ smack_to_secattr(smack, &secattr);
11919 -+ rc = netlbl_req_setattr(req, &secattr);
11920 -+ netlbl_secattr_destroy(&secattr);
11921 -+ } else {
11922 -+ rcu_read_unlock();
11923 -+ netlbl_req_delattr(req);
11924 -+ }
11925 -
11926 - return rc;
11927 - }
11928 -
11929 -+/**
11930 -+* smack_inet_csk_clone - Copy the connection information to the new socket
11931 -+* @sk: the new socket
11932 -+* @req: the connection's request_sock
11933 -+*
11934 -+* Transfer the connection's peer label to the newly created socket.
11935 -+*/
11936 -+static void smack_inet_csk_clone(struct sock *sk,
11937 -+ const struct request_sock *req)
11938 -+{
11939 -+ struct socket_smack *ssp = sk->sk_security;
11940 -+ char *smack;
11941 -+
11942 -+ if (req->peer_secid != 0) {
11943 -+ smack = smack_from_secid(req->peer_secid);
11944 -+ strncpy(ssp->smk_packet, smack, SMK_MAXLEN);
11945 -+ } else
11946 -+ ssp->smk_packet[0] = '\0';
11947 -+}
11948 -+
11949 - /*
11950 - * Key management security hooks
11951 - *
11952 -@@ -2915,6 +2934,7 @@ struct security_operations smack_ops = {
11953 - .sk_free_security = smack_sk_free_security,
11954 - .sock_graft = smack_sock_graft,
11955 - .inet_conn_request = smack_inet_conn_request,
11956 -+ .inet_csk_clone = smack_inet_csk_clone,
11957 -
11958 - /* key management security hooks */
11959 - #ifdef CONFIG_KEYS
11960 -diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
11961 -index 6094344..0547239 100644
11962 ---- a/sound/pci/hda/patch_sigmatel.c
11963 -+++ b/sound/pci/hda/patch_sigmatel.c
11964 -@@ -4007,7 +4007,12 @@ static int stac92xx_init(struct hda_codec *codec)
11965 - pinctl = snd_hda_codec_read(codec, nid, 0,
11966 - AC_VERB_GET_PIN_WIDGET_CONTROL, 0);
11967 - /* if PINCTL already set then skip */
11968 -- if (!(pinctl & AC_PINCTL_IN_EN)) {
11969 -+ /* Also, if both INPUT and OUTPUT are set,
11970 -+ * it must be a BIOS bug; need to override, too
11971 -+ */
11972 -+ if (!(pinctl & AC_PINCTL_IN_EN) ||
11973 -+ (pinctl & AC_PINCTL_OUT_EN)) {
11974 -+ pinctl &= ~AC_PINCTL_OUT_EN;
11975 - pinctl |= AC_PINCTL_IN_EN;
11976 - stac92xx_auto_set_pinctl(codec, nid,
11977 - pinctl);
11978 -diff --git a/sound/soc/codecs/wm8990.c b/sound/soc/codecs/wm8990.c
11979 -index a5731fa..380302d 100644
11980 ---- a/sound/soc/codecs/wm8990.c
11981 -+++ b/sound/soc/codecs/wm8990.c
11982 -@@ -744,7 +744,7 @@ SND_SOC_DAPM_MIXER_E("INMIXL", WM8990_INTDRIVBITS, WM8990_INMIXL_PWR_BIT, 0,
11983 - inmixer_event, SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
11984 -
11985 - /* AINLMUX */
11986 --SND_SOC_DAPM_MUX_E("AILNMUX", WM8990_INTDRIVBITS, WM8990_AINLMUX_PWR_BIT, 0,
11987 -+SND_SOC_DAPM_MUX_E("AINLMUX", WM8990_INTDRIVBITS, WM8990_AINLMUX_PWR_BIT, 0,
11988 - &wm8990_dapm_ainlmux_controls, inmixer_event,
11989 - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
11990 -
11991 -@@ -755,7 +755,7 @@ SND_SOC_DAPM_MIXER_E("INMIXR", WM8990_INTDRIVBITS, WM8990_INMIXR_PWR_BIT, 0,
11992 - inmixer_event, SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
11993 -
11994 - /* AINRMUX */
11995 --SND_SOC_DAPM_MUX_E("AIRNMUX", WM8990_INTDRIVBITS, WM8990_AINRMUX_PWR_BIT, 0,
11996 -+SND_SOC_DAPM_MUX_E("AINRMUX", WM8990_INTDRIVBITS, WM8990_AINRMUX_PWR_BIT, 0,
11997 - &wm8990_dapm_ainrmux_controls, inmixer_event,
11998 - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
11999 -
12000 -@@ -863,40 +863,40 @@ static const struct snd_soc_dapm_route audio_map[] = {
12001 - {"LIN12 PGA", "LIN2 Switch", "LIN2"},
12002 - /* LIN34 PGA */
12003 - {"LIN34 PGA", "LIN3 Switch", "LIN3"},
12004 -- {"LIN34 PGA", "LIN4 Switch", "LIN4"},
12005 -+ {"LIN34 PGA", "LIN4 Switch", "LIN4/RXN"},
12006 - /* INMIXL */
12007 - {"INMIXL", "Record Left Volume", "LOMIX"},
12008 - {"INMIXL", "LIN2 Volume", "LIN2"},
12009 - {"INMIXL", "LINPGA12 Switch", "LIN12 PGA"},
12010 - {"INMIXL", "LINPGA34 Switch", "LIN34 PGA"},
12011 -- /* AILNMUX */
12012 -- {"AILNMUX", "INMIXL Mix", "INMIXL"},
12013 -- {"AILNMUX", "DIFFINL Mix", "LIN12PGA"},
12014 -- {"AILNMUX", "DIFFINL Mix", "LIN34PGA"},
12015 -- {"AILNMUX", "RXVOICE Mix", "LIN4/RXN"},
12016 -- {"AILNMUX", "RXVOICE Mix", "RIN4/RXP"},
12017 -+ /* AINLMUX */
12018 -+ {"AINLMUX", "INMIXL Mix", "INMIXL"},
12019 -+ {"AINLMUX", "DIFFINL Mix", "LIN12 PGA"},
12020 -+ {"AINLMUX", "DIFFINL Mix", "LIN34 PGA"},
12021 -+ {"AINLMUX", "RXVOICE Mix", "LIN4/RXN"},
12022 -+ {"AINLMUX", "RXVOICE Mix", "RIN4/RXP"},
12023 - /* ADC */
12024 -- {"Left ADC", NULL, "AILNMUX"},
12025 -+ {"Left ADC", NULL, "AINLMUX"},
12026 -
12027 - /* RIN12 PGA */
12028 - {"RIN12 PGA", "RIN1 Switch", "RIN1"},
12029 - {"RIN12 PGA", "RIN2 Switch", "RIN2"},
12030 - /* RIN34 PGA */
12031 - {"RIN34 PGA", "RIN3 Switch", "RIN3"},
12032 -- {"RIN34 PGA", "RIN4 Switch", "RIN4"},
12033 -+ {"RIN34 PGA", "RIN4 Switch", "RIN4/RXP"},
12034 - /* INMIXL */
12035 - {"INMIXR", "Record Right Volume", "ROMIX"},
12036 - {"INMIXR", "RIN2 Volume", "RIN2"},
12037 - {"INMIXR", "RINPGA12 Switch", "RIN12 PGA"},
12038 - {"INMIXR", "RINPGA34 Switch", "RIN34 PGA"},
12039 -- /* AIRNMUX */
12040 -- {"AIRNMUX", "INMIXR Mix", "INMIXR"},
12041 -- {"AIRNMUX", "DIFFINR Mix", "RIN12PGA"},
12042 -- {"AIRNMUX", "DIFFINR Mix", "RIN34PGA"},
12043 -- {"AIRNMUX", "RXVOICE Mix", "RIN4/RXN"},
12044 -- {"AIRNMUX", "RXVOICE Mix", "RIN4/RXP"},
12045 -+ /* AINRMUX */
12046 -+ {"AINRMUX", "INMIXR Mix", "INMIXR"},
12047 -+ {"AINRMUX", "DIFFINR Mix", "RIN12 PGA"},
12048 -+ {"AINRMUX", "DIFFINR Mix", "RIN34 PGA"},
12049 -+ {"AINRMUX", "RXVOICE Mix", "LIN4/RXN"},
12050 -+ {"AINRMUX", "RXVOICE Mix", "RIN4/RXP"},
12051 - /* ADC */
12052 -- {"Right ADC", NULL, "AIRNMUX"},
12053 -+ {"Right ADC", NULL, "AINRMUX"},
12054 -
12055 - /* LOMIX */
12056 - {"LOMIX", "LOMIX RIN3 Bypass Switch", "RIN3"},
12057 -@@ -937,7 +937,7 @@ static const struct snd_soc_dapm_route audio_map[] = {
12058 - {"LOPMIX", "LOPMIX Left Mixer PGA Switch", "LOPGA"},
12059 -
12060 - /* OUT3MIX */
12061 -- {"OUT3MIX", "OUT3MIX LIN4/RXP Bypass Switch", "LIN4/RXP"},
12062 -+ {"OUT3MIX", "OUT3MIX LIN4/RXP Bypass Switch", "LIN4/RXN"},
12063 - {"OUT3MIX", "OUT3MIX Left Out PGA Switch", "LOPGA"},
12064 -
12065 - /* OUT4MIX */
12066 -@@ -964,7 +964,7 @@ static const struct snd_soc_dapm_route audio_map[] = {
12067 - /* Output Pins */
12068 - {"LON", NULL, "LONMIX"},
12069 - {"LOP", NULL, "LOPMIX"},
12070 -- {"OUT", NULL, "OUT3MIX"},
12071 -+ {"OUT3", NULL, "OUT3MIX"},
12072 - {"LOUT", NULL, "LOUT PGA"},
12073 - {"SPKN", NULL, "SPKMIX"},
12074 - {"ROUT", NULL, "ROUT PGA"},
12075
12076 Deleted: genpatches-2.6/trunk/2.6.30/1915_ext4-automatically-allocate-delay-allocated-blocks-on-rename.patch
12077 ===================================================================
12078 --- genpatches-2.6/trunk/2.6.30/1915_ext4-automatically-allocate-delay-allocated-blocks-on-rename.patch 2009-06-05 16:26:11 UTC (rev 1572)
12079 +++ genpatches-2.6/trunk/2.6.30/1915_ext4-automatically-allocate-delay-allocated-blocks-on-rename.patch 2009-06-05 16:28:49 UTC (rev 1573)
12080 @@ -1,50 +0,0 @@
12081 -Added-By: Gordon Malm <gengor@g.o>
12082 -
12083 ----
12084 -From: Theodore Ts'o <tytso@×××.edu>
12085 -Date: Tue, 24 Feb 2009 04:05:27 +0000 (-0500)
12086 -Subject: ext4: Automatically allocate delay allocated blocks on rename
12087 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=dbc85aa9f11d8c13c15527d43a3def8d7beffdc8
12088 -
12089 -ext4: Automatically allocate delay allocated blocks on rename
12090 -
12091 -When renaming a file such that a link to another inode is overwritten,
12092 -force any delay allocated blocks that to be allocated so that if the
12093 -filesystem is mounted with data=ordered, the data blocks will be
12094 -pushed out to disk along with the journal commit. Many application
12095 -programs expect this, so we do this to avoid zero length files if the
12096 -system crashes unexpectedly.
12097 -
12098 -Signed-off-by: "Theodore Ts'o" <tytso@×××.edu>
12099 ----
12100 -
12101 -diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
12102 -index cb15900..a9a7581 100644
12103 ---- a/fs/ext4/namei.c
12104 -+++ b/fs/ext4/namei.c
12105 -@@ -2357,7 +2357,7 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry,
12106 - struct inode *old_inode, *new_inode;
12107 - struct buffer_head *old_bh, *new_bh, *dir_bh;
12108 - struct ext4_dir_entry_2 *old_de, *new_de;
12109 -- int retval;
12110 -+ int retval, force_da_alloc = 0;
12111 -
12112 - old_bh = new_bh = dir_bh = NULL;
12113 -
12114 -@@ -2497,6 +2497,7 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry,
12115 - ext4_mark_inode_dirty(handle, new_inode);
12116 - if (!new_inode->i_nlink)
12117 - ext4_orphan_add(handle, new_inode);
12118 -+ force_da_alloc = 1;
12119 - }
12120 - retval = 0;
12121 -
12122 -@@ -2505,6 +2506,8 @@ end_rename:
12123 - brelse(old_bh);
12124 - brelse(new_bh);
12125 - ext4_journal_stop(handle);
12126 -+ if (retval == 0 && force_da_alloc)
12127 -+ ext4_alloc_da_blocks(old_inode);
12128 - return retval;
12129 - }
12130 -
12131
12132 Deleted: genpatches-2.6/trunk/2.6.30/1916_ext4-automatically-allocate-delay-allocated-blocks-on-close.patch
12133 ===================================================================
12134 --- genpatches-2.6/trunk/2.6.30/1916_ext4-automatically-allocate-delay-allocated-blocks-on-close.patch 2009-06-05 16:26:11 UTC (rev 1572)
12135 +++ genpatches-2.6/trunk/2.6.30/1916_ext4-automatically-allocate-delay-allocated-blocks-on-close.patch 2009-06-05 16:28:49 UTC (rev 1573)
12136 @@ -1,61 +0,0 @@
12137 -Added-By: Gordon Malm <gengor@g.o>
12138 -
12139 ----
12140 -From: Theodore Ts'o <tytso@×××.edu>
12141 -Date: Tue, 24 Feb 2009 13:21:14 +0000 (-0500)
12142 -Subject: ext4: Automatically allocate delay allocated blocks on close
12143 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=6645f8c3bc3cdaa7de4aaa3d34d40c2e8e5f09ae
12144 -
12145 -ext4: Automatically allocate delay allocated blocks on close
12146 -
12147 -When closing a file that had been previously truncated, force any
12148 -delay allocated blocks that to be allocated so that if the filesystem
12149 -is mounted with data=ordered, the data blocks will be pushed out to
12150 -disk along with the journal commit. Many application programs expect
12151 -this, so we do this to avoid zero length files if the system crashes
12152 -unexpectedly.
12153 -
12154 -Signed-off-by: "Theodore Ts'o" <tytso@×××.edu>
12155 ----
12156 -
12157 -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
12158 -index ea51c89..234c731 100644
12159 ---- a/fs/ext4/ext4.h
12160 -+++ b/fs/ext4/ext4.h
12161 -@@ -269,6 +269,7 @@ static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags)
12162 - #define EXT4_STATE_NEW 0x00000002 /* inode is newly created */
12163 - #define EXT4_STATE_XATTR 0x00000004 /* has in-inode xattrs */
12164 - #define EXT4_STATE_NO_EXPAND 0x00000008 /* No space for expansion */
12165 -+#define EXT4_STATE_DA_ALLOC_CLOSE 0x00000010 /* Alloc DA blks on close */
12166 -
12167 - /* Used to pass group descriptor data when online resize is done */
12168 - struct ext4_new_group_input {
12169 -diff --git a/fs/ext4/file.c b/fs/ext4/file.c
12170 -index f731cb5..06df827 100644
12171 ---- a/fs/ext4/file.c
12172 -+++ b/fs/ext4/file.c
12173 -@@ -33,6 +33,10 @@
12174 - */
12175 - static int ext4_release_file(struct inode *inode, struct file *filp)
12176 - {
12177 -+ if (EXT4_I(inode)->i_state & EXT4_STATE_DA_ALLOC_CLOSE) {
12178 -+ ext4_alloc_da_blocks(inode);
12179 -+ EXT4_I(inode)->i_state &= ~EXT4_STATE_DA_ALLOC_CLOSE;
12180 -+ }
12181 - /* if we are the last writer on the inode, drop the block reservation */
12182 - if ((filp->f_mode & FMODE_WRITE) &&
12183 - (atomic_read(&inode->i_writecount) == 1))
12184 -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
12185 -index ead57ab..666caa9 100644
12186 ---- a/fs/ext4/inode.c
12187 -+++ b/fs/ext4/inode.c
12188 -@@ -3871,6 +3871,9 @@ void ext4_truncate(struct inode *inode)
12189 - if (!ext4_can_truncate(inode))
12190 - return;
12191 -
12192 -+ if (inode->i_size == 0)
12193 -+ ei->i_state |= EXT4_STATE_DA_ALLOC_CLOSE;
12194 -+
12195 - if (EXT4_I(inode)->i_flags & EXT4_EXTENTS_FL) {
12196 - ext4_ext_truncate(inode);
12197 - return;
12198
12199 Deleted: genpatches-2.6/trunk/2.6.30/1917_ext4-add-EXT4_IOC_ALLOC_DA_BLKS-ioctl.patch
12200 ===================================================================
12201 --- genpatches-2.6/trunk/2.6.30/1917_ext4-add-EXT4_IOC_ALLOC_DA_BLKS-ioctl.patch 2009-06-05 16:26:11 UTC (rev 1572)
12202 +++ genpatches-2.6/trunk/2.6.30/1917_ext4-add-EXT4_IOC_ALLOC_DA_BLKS-ioctl.patch 2009-06-05 16:28:49 UTC (rev 1573)
12203 @@ -1,118 +0,0 @@
12204 -Added-By: Gordon Malm <gengor@g.o>
12205 -
12206 ----
12207 -From: Theodore Ts'o <tytso@×××.edu>
12208 -Date: Thu, 26 Feb 2009 06:04:07 +0000 (-0500)
12209 -Subject: ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl
12210 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=3bf3342f394d72ed2ec7e77b5b39e1b50fad8284
12211 -
12212 -ext4: add EXT4_IOC_ALLOC_DA_BLKS ioctl
12213 -
12214 -Add an ioctl which forces all of the delay allocated blocks to be
12215 -allocated. This also provides a function ext4_alloc_da_blocks() which
12216 -will be used by the following commits to force files to be fully
12217 -allocated to preserve application-expected ext3 behaviour.
12218 -
12219 -Signed-off-by: "Theodore Ts'o" <tytso@×××.edu>
12220 ----
12221 -
12222 -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
12223 -index 684a063..ea51c89 100644
12224 ---- a/fs/ext4/ext4.h
12225 -+++ b/fs/ext4/ext4.h
12226 -@@ -316,7 +316,9 @@ struct ext4_new_group_data {
12227 - #define EXT4_IOC_GROUP_EXTEND _IOW('f', 7, unsigned long)
12228 - #define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input)
12229 - #define EXT4_IOC_MIGRATE _IO('f', 9)
12230 -+ /* note ioctl 10 reserved for an early version of the FIEMAP ioctl */
12231 - /* note ioctl 11 reserved for filesystem-independent FIEMAP ioctl */
12232 -+#define EXT4_IOC_ALLOC_DA_BLKS _IO('f', 12)
12233 -
12234 - /*
12235 - * ioctl commands in 32 bit emulation
12236 -@@ -1093,6 +1095,7 @@ extern int ext4_can_truncate(struct inode *inode);
12237 - extern void ext4_truncate(struct inode *);
12238 - extern void ext4_set_inode_flags(struct inode *);
12239 - extern void ext4_get_inode_flags(struct ext4_inode_info *);
12240 -+extern int ext4_alloc_da_blocks(struct inode *inode);
12241 - extern void ext4_set_aops(struct inode *inode);
12242 - extern int ext4_writepage_trans_blocks(struct inode *);
12243 - extern int ext4_meta_trans_blocks(struct inode *, int nrblocks, int idxblocks);
12244 -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
12245 -index c67f46e..ead57ab 100644
12246 ---- a/fs/ext4/inode.c
12247 -+++ b/fs/ext4/inode.c
12248 -@@ -2807,6 +2807,48 @@ out:
12249 - return;
12250 - }
12251 -
12252 -+/*
12253 -+ * Force all delayed allocation blocks to be allocated for a given inode.
12254 -+ */
12255 -+int ext4_alloc_da_blocks(struct inode *inode)
12256 -+{
12257 -+ if (!EXT4_I(inode)->i_reserved_data_blocks &&
12258 -+ !EXT4_I(inode)->i_reserved_meta_blocks)
12259 -+ return 0;
12260 -+
12261 -+ /*
12262 -+ * We do something simple for now. The filemap_flush() will
12263 -+ * also start triggering a write of the data blocks, which is
12264 -+ * not strictly speaking necessary (and for users of
12265 -+ * laptop_mode, not even desirable). However, to do otherwise
12266 -+ * would require replicating code paths in:
12267 -+ *
12268 -+ * ext4_da_writepages() ->
12269 -+ * write_cache_pages() ---> (via passed in callback function)
12270 -+ * __mpage_da_writepage() -->
12271 -+ * mpage_add_bh_to_extent()
12272 -+ * mpage_da_map_blocks()
12273 -+ *
12274 -+ * The problem is that write_cache_pages(), located in
12275 -+ * mm/page-writeback.c, marks pages clean in preparation for
12276 -+ * doing I/O, which is not desirable if we're not planning on
12277 -+ * doing I/O at all.
12278 -+ *
12279 -+ * We could call write_cache_pages(), and then redirty all of
12280 -+ * the pages by calling redirty_page_for_writeback() but that
12281 -+ * would be ugly in the extreme. So instead we would need to
12282 -+ * replicate parts of the code in the above functions,
12283 -+ * simplifying them becuase we wouldn't actually intend to
12284 -+ * write out the pages, but rather only collect contiguous
12285 -+ * logical block extents, call the multi-block allocator, and
12286 -+ * then update the buffer heads with the block allocations.
12287 -+ *
12288 -+ * For now, though, we'll cheat by calling filemap_flush(),
12289 -+ * which will map the blocks, and start the I/O, but not
12290 -+ * actually wait for the I/O to complete.
12291 -+ */
12292 -+ return filemap_flush(inode->i_mapping);
12293 -+}
12294 -
12295 - /*
12296 - * bmap() is special. It gets used by applications such as lilo and by
12297 -diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
12298 -index 22dd29f..91e75f7 100644
12299 ---- a/fs/ext4/ioctl.c
12300 -+++ b/fs/ext4/ioctl.c
12301 -@@ -262,6 +262,20 @@ setversion_out:
12302 - return err;
12303 - }
12304 -
12305 -+ case EXT4_IOC_ALLOC_DA_BLKS:
12306 -+ {
12307 -+ int err;
12308 -+ if (!is_owner_or_cap(inode))
12309 -+ return -EACCES;
12310 -+
12311 -+ err = mnt_want_write(filp->f_path.mnt);
12312 -+ if (err)
12313 -+ return err;
12314 -+ err = ext4_alloc_da_blocks(inode);
12315 -+ mnt_drop_write(filp->f_path.mnt);
12316 -+ return err;
12317 -+ }
12318 -+
12319 - default:
12320 - return -ENOTTY;
12321 - }
12322
12323 Deleted: genpatches-2.6/trunk/2.6.30/1918_ext4-fix-discard-of-inode-prealloc-space-with-delayed-allocation.patch
12324 ===================================================================
12325 --- genpatches-2.6/trunk/2.6.30/1918_ext4-fix-discard-of-inode-prealloc-space-with-delayed-allocation.patch 2009-06-05 16:26:11 UTC (rev 1572)
12326 +++ genpatches-2.6/trunk/2.6.30/1918_ext4-fix-discard-of-inode-prealloc-space-with-delayed-allocation.patch 2009-06-05 16:28:49 UTC (rev 1573)
12327 @@ -1,53 +0,0 @@
12328 -Added-By: Gordon Malm <gengor@g.o>
12329 -
12330 ----
12331 -From: Aneesh Kumar K.V <aneesh.kumar@××××××××××××××.com>
12332 -Date: Thu, 26 Feb 2009 05:54:52 +0000 (-0500)
12333 -Subject: ext4: Fix discard of inode prealloc space with delayed allocation.
12334 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=3cb5e61547e9ee5f040d7a02c48c7cdf6485eecc
12335 -
12336 -ext4: Fix discard of inode prealloc space with delayed allocation.
12337 -
12338 -With delayed allocation we should not/cannot discard inode prealloc
12339 -space during file close. We would still have dirty pages for which we
12340 -haven't allocated blocks yet. With this fix after each get_blocks
12341 -request we check whether we have zero reserved blocks and if yes and
12342 -we don't have any writers on the file we discard inode prealloc space.
12343 -
12344 -Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@××××××××××××××.com>
12345 -Signed-off-by: "Theodore Ts'o" <tytso@×××.edu>
12346 ----
12347 -
12348 -diff --git a/fs/ext4/file.c b/fs/ext4/file.c
12349 -index 06df827..588af8c 100644
12350 ---- a/fs/ext4/file.c
12351 -+++ b/fs/ext4/file.c
12352 -@@ -39,7 +39,8 @@ static int ext4_release_file(struct inode *inode, struct file *filp)
12353 - }
12354 - /* if we are the last writer on the inode, drop the block reservation */
12355 - if ((filp->f_mode & FMODE_WRITE) &&
12356 -- (atomic_read(&inode->i_writecount) == 1))
12357 -+ (atomic_read(&inode->i_writecount) == 1) &&
12358 -+ !EXT4_I(inode)->i_reserved_data_blocks)
12359 - {
12360 - down_write(&EXT4_I(inode)->i_data_sem);
12361 - ext4_discard_preallocations(inode);
12362 -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
12363 -index 666caa9..8815b9c 100644
12364 ---- a/fs/ext4/inode.c
12365 -+++ b/fs/ext4/inode.c
12366 -@@ -1053,6 +1053,14 @@ static void ext4_da_update_reserve_space(struct inode *inode, int used)
12367 - EXT4_I(inode)->i_reserved_data_blocks -= used;
12368 -
12369 - spin_unlock(&EXT4_I(inode)->i_block_reservation_lock);
12370 -+
12371 -+ /*
12372 -+ * If have done all the pending block allocation and if the we
12373 -+ * don't have any writer on the inode, we can discard the
12374 -+ * inode's preallocations.
12375 -+ */
12376 -+ if (!total && (atomic_read(&inode->i_writecount) == 0))
12377 -+ ext4_discard_preallocations(inode);
12378 - }
12379 -
12380 - /*
12381
12382 Deleted: genpatches-2.6/trunk/2.6.30/2300_alpha-add-pci-resources.patch
12383 ===================================================================
12384 --- genpatches-2.6/trunk/2.6.30/2300_alpha-add-pci-resources.patch 2009-06-05 16:26:11 UTC (rev 1572)
12385 +++ genpatches-2.6/trunk/2.6.30/2300_alpha-add-pci-resources.patch 2009-06-05 16:28:49 UTC (rev 1573)
12386 @@ -1,499 +0,0 @@
12387 -From: Ivan Kokshaysky <ink@×××××××××××××××××.ru>
12388 -Date: Tue, 17 Feb 2009 10:46:53 +0000 (+0300)
12389 -Subject: PCI/alpha: pci sysfs resources
12390 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Faxboe%2Flinux-2.6-block.git;a=commitdiff_plain;h=10a0ef39fbd1d484c2bbc1ffd83d57ecef209140
12391 -
12392 -PCI/alpha: pci sysfs resources
12393 -
12394 -This closes http://bugzilla.kernel.org/show_bug.cgi?id=10893
12395 -which is a showstopper for X development on alpha.
12396 -
12397 -The generic HAVE_PCI_MMAP code (drivers/pci-sysfs.c) is not
12398 -very useful since we have to deal with three different types
12399 -of MMIO address spaces: sparse and dense mappings for old
12400 -ev4/ev5 machines and "normal" 1:1 MMIO space (bwx) for ev56 and
12401 -later.
12402 -Also "write combine" mappings are meaningless on alpha - roughly
12403 -speaking, alpha does write combining, IO reordering and other
12404 -optimizations by default, unless user splits IO accesses
12405 -with memory barriers.
12406 -
12407 -I think the cleanest way to deal with resource files on alpha
12408 -is to convert the default no-op pci_create_resource_files() and
12409 -pci_remove_resource_files() for !HAVE_PCI_MMAP case into __weak
12410 -functions and override them with alpha specific ones.
12411 -
12412 -Another alpha hook is needed for "legacy_" resource files
12413 -to handle sparse addressing (pci_adjust_legacy_attr).
12414 -
12415 -With the "standard" resourceN files on ev56/ev6 libpciaccess
12416 -works "out of the box". Handling of resourceN_sparse/resourceN_dense
12417 -files on older machines obviously requires some userland work.
12418 -
12419 -Sparse/dense stuff has been tested on sx164 (pca56/pyxis, normally
12420 -uses bwx IO) with the kernel hacked into "cia compatible" mode.
12421 -
12422 -Signed-off-by: Ivan Kokshaysky <ink@×××××××××××××××××.ru>
12423 -Signed-off-by: Jesse Barnes <jbarnes@××××××××××××.org>
12424 ----
12425 -
12426 -diff --git a/arch/alpha/include/asm/pci.h b/arch/alpha/include/asm/pci.h
12427 -index 2a14302..cb04eaa 100644
12428 ---- a/arch/alpha/include/asm/pci.h
12429 -+++ b/arch/alpha/include/asm/pci.h
12430 -@@ -273,4 +273,18 @@ struct pci_dev *alpha_gendev_to_pci(struct device *dev);
12431 -
12432 - extern struct pci_dev *isa_bridge;
12433 -
12434 -+extern int pci_legacy_read(struct pci_bus *bus, loff_t port, u32 *val,
12435 -+ size_t count);
12436 -+extern int pci_legacy_write(struct pci_bus *bus, loff_t port, u32 val,
12437 -+ size_t count);
12438 -+extern int pci_mmap_legacy_page_range(struct pci_bus *bus,
12439 -+ struct vm_area_struct *vma,
12440 -+ enum pci_mmap_state mmap_state);
12441 -+extern void pci_adjust_legacy_attr(struct pci_bus *bus,
12442 -+ enum pci_mmap_state mmap_type);
12443 -+#define HAVE_PCI_LEGACY 1
12444 -+
12445 -+extern int pci_create_resource_files(struct pci_dev *dev);
12446 -+extern void pci_remove_resource_files(struct pci_dev *dev);
12447 -+
12448 - #endif /* __ALPHA_PCI_H */
12449 -diff --git a/arch/alpha/kernel/Makefile b/arch/alpha/kernel/Makefile
12450 -index b469775..a427538 100644
12451 ---- a/arch/alpha/kernel/Makefile
12452 -+++ b/arch/alpha/kernel/Makefile
12453 -@@ -12,7 +12,7 @@ obj-y := entry.o traps.o process.o init_task.o osf_sys.o irq.o \
12454 -
12455 - obj-$(CONFIG_VGA_HOSE) += console.o
12456 - obj-$(CONFIG_SMP) += smp.o
12457 --obj-$(CONFIG_PCI) += pci.o pci_iommu.o
12458 -+obj-$(CONFIG_PCI) += pci.o pci_iommu.o pci-sysfs.o
12459 - obj-$(CONFIG_SRM_ENV) += srm_env.o
12460 - obj-$(CONFIG_MODULES) += module.o
12461 -
12462 -diff --git a/arch/alpha/kernel/pci-sysfs.c b/arch/alpha/kernel/pci-sysfs.c
12463 -new file mode 100644
12464 -index 0000000..6ea822e
12465 ---- /dev/null
12466 -+++ b/arch/alpha/kernel/pci-sysfs.c
12467 -@@ -0,0 +1,366 @@
12468 -+/*
12469 -+ * arch/alpha/kernel/pci-sysfs.c
12470 -+ *
12471 -+ * Copyright (C) 2009 Ivan Kokshaysky
12472 -+ *
12473 -+ * Alpha PCI resource files.
12474 -+ *
12475 -+ * Loosely based on generic HAVE_PCI_MMAP implementation in
12476 -+ * drivers/pci/pci-sysfs.c
12477 -+ */
12478 -+
12479 -+#include <linux/sched.h>
12480 -+#include <linux/pci.h>
12481 -+
12482 -+static int hose_mmap_page_range(struct pci_controller *hose,
12483 -+ struct vm_area_struct *vma,
12484 -+ enum pci_mmap_state mmap_type, int sparse)
12485 -+{
12486 -+ unsigned long base;
12487 -+
12488 -+ if (mmap_type == pci_mmap_mem)
12489 -+ base = sparse ? hose->sparse_mem_base : hose->dense_mem_base;
12490 -+ else
12491 -+ base = sparse ? hose->sparse_io_base : hose->dense_io_base;
12492 -+
12493 -+ vma->vm_pgoff += base >> PAGE_SHIFT;
12494 -+ vma->vm_flags |= (VM_IO | VM_RESERVED);
12495 -+
12496 -+ return io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
12497 -+ vma->vm_end - vma->vm_start,
12498 -+ vma->vm_page_prot);
12499 -+}
12500 -+
12501 -+static int __pci_mmap_fits(struct pci_dev *pdev, int num,
12502 -+ struct vm_area_struct *vma, int sparse)
12503 -+{
12504 -+ unsigned long nr, start, size;
12505 -+ int shift = sparse ? 5 : 0;
12506 -+
12507 -+ nr = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
12508 -+ start = vma->vm_pgoff;
12509 -+ size = ((pci_resource_len(pdev, num) - 1) >> (PAGE_SHIFT - shift)) + 1;
12510 -+
12511 -+ if (start < size && size - start >= nr)
12512 -+ return 1;
12513 -+ WARN(1, "process \"%s\" tried to map%s 0x%08lx-0x%08lx on %s BAR %d "
12514 -+ "(size 0x%08lx)\n",
12515 -+ current->comm, sparse ? " sparse" : "", start, start + nr,
12516 -+ pci_name(pdev), num, size);
12517 -+ return 0;
12518 -+}
12519 -+
12520 -+/**
12521 -+ * pci_mmap_resource - map a PCI resource into user memory space
12522 -+ * @kobj: kobject for mapping
12523 -+ * @attr: struct bin_attribute for the file being mapped
12524 -+ * @vma: struct vm_area_struct passed into the mmap
12525 -+ * @sparse: address space type
12526 -+ *
12527 -+ * Use the bus mapping routines to map a PCI resource into userspace.
12528 -+ */
12529 -+static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
12530 -+ struct vm_area_struct *vma, int sparse)
12531 -+{
12532 -+ struct pci_dev *pdev = to_pci_dev(container_of(kobj,
12533 -+ struct device, kobj));
12534 -+ struct resource *res = (struct resource *)attr->private;
12535 -+ enum pci_mmap_state mmap_type;
12536 -+ struct pci_bus_region bar;
12537 -+ int i;
12538 -+
12539 -+ for (i = 0; i < PCI_ROM_RESOURCE; i++)
12540 -+ if (res == &pdev->resource[i])
12541 -+ break;
12542 -+ if (i >= PCI_ROM_RESOURCE)
12543 -+ return -ENODEV;
12544 -+
12545 -+ if (!__pci_mmap_fits(pdev, i, vma, sparse))
12546 -+ return -EINVAL;
12547 -+
12548 -+ if (iomem_is_exclusive(res->start))
12549 -+ return -EINVAL;
12550 -+
12551 -+ pcibios_resource_to_bus(pdev, &bar, res);
12552 -+ vma->vm_pgoff += bar.start >> (PAGE_SHIFT - (sparse ? 5 : 0));
12553 -+ mmap_type = res->flags & IORESOURCE_MEM ? pci_mmap_mem : pci_mmap_io;
12554 -+
12555 -+ return hose_mmap_page_range(pdev->sysdata, vma, mmap_type, sparse);
12556 -+}
12557 -+
12558 -+static int pci_mmap_resource_sparse(struct kobject *kobj,
12559 -+ struct bin_attribute *attr,
12560 -+ struct vm_area_struct *vma)
12561 -+{
12562 -+ return pci_mmap_resource(kobj, attr, vma, 1);
12563 -+}
12564 -+
12565 -+static int pci_mmap_resource_dense(struct kobject *kobj,
12566 -+ struct bin_attribute *attr,
12567 -+ struct vm_area_struct *vma)
12568 -+{
12569 -+ return pci_mmap_resource(kobj, attr, vma, 0);
12570 -+}
12571 -+
12572 -+/**
12573 -+ * pci_remove_resource_files - cleanup resource files
12574 -+ * @dev: dev to cleanup
12575 -+ *
12576 -+ * If we created resource files for @dev, remove them from sysfs and
12577 -+ * free their resources.
12578 -+ */
12579 -+void pci_remove_resource_files(struct pci_dev *pdev)
12580 -+{
12581 -+ int i;
12582 -+
12583 -+ for (i = 0; i < PCI_ROM_RESOURCE; i++) {
12584 -+ struct bin_attribute *res_attr;
12585 -+
12586 -+ res_attr = pdev->res_attr[i];
12587 -+ if (res_attr) {
12588 -+ sysfs_remove_bin_file(&pdev->dev.kobj, res_attr);
12589 -+ kfree(res_attr);
12590 -+ }
12591 -+
12592 -+ res_attr = pdev->res_attr_wc[i];
12593 -+ if (res_attr) {
12594 -+ sysfs_remove_bin_file(&pdev->dev.kobj, res_attr);
12595 -+ kfree(res_attr);
12596 -+ }
12597 -+ }
12598 -+}
12599 -+
12600 -+static int sparse_mem_mmap_fits(struct pci_dev *pdev, int num)
12601 -+{
12602 -+ struct pci_bus_region bar;
12603 -+ struct pci_controller *hose = pdev->sysdata;
12604 -+ long dense_offset;
12605 -+ unsigned long sparse_size;
12606 -+
12607 -+ pcibios_resource_to_bus(pdev, &bar, &pdev->resource[num]);
12608 -+
12609 -+ /* All core logic chips have 4G sparse address space, except
12610 -+ CIA which has 16G (see xxx_SPARSE_MEM and xxx_DENSE_MEM
12611 -+ definitions in asm/core_xxx.h files). This corresponds
12612 -+ to 128M or 512M of the bus space. */
12613 -+ dense_offset = (long)(hose->dense_mem_base - hose->sparse_mem_base);
12614 -+ sparse_size = dense_offset >= 0x400000000UL ? 0x20000000 : 0x8000000;
12615 -+
12616 -+ return bar.end < sparse_size;
12617 -+}
12618 -+
12619 -+static int pci_create_one_attr(struct pci_dev *pdev, int num, char *name,
12620 -+ char *suffix, struct bin_attribute *res_attr,
12621 -+ unsigned long sparse)
12622 -+{
12623 -+ size_t size = pci_resource_len(pdev, num);
12624 -+
12625 -+ sprintf(name, "resource%d%s", num, suffix);
12626 -+ res_attr->mmap = sparse ? pci_mmap_resource_sparse :
12627 -+ pci_mmap_resource_dense;
12628 -+ res_attr->attr.name = name;
12629 -+ res_attr->attr.mode = S_IRUSR | S_IWUSR;
12630 -+ res_attr->size = sparse ? size << 5 : size;
12631 -+ res_attr->private = &pdev->resource[num];
12632 -+ return sysfs_create_bin_file(&pdev->dev.kobj, res_attr);
12633 -+}
12634 -+
12635 -+static int pci_create_attr(struct pci_dev *pdev, int num)
12636 -+{
12637 -+ /* allocate attribute structure, piggyback attribute name */
12638 -+ int retval, nlen1, nlen2 = 0, res_count = 1;
12639 -+ unsigned long sparse_base, dense_base;
12640 -+ struct bin_attribute *attr;
12641 -+ struct pci_controller *hose = pdev->sysdata;
12642 -+ char *suffix, *attr_name;
12643 -+
12644 -+ suffix = ""; /* Assume bwx machine, normal resourceN files. */
12645 -+ nlen1 = 10;
12646 -+
12647 -+ if (pdev->resource[num].flags & IORESOURCE_MEM) {
12648 -+ sparse_base = hose->sparse_mem_base;
12649 -+ dense_base = hose->dense_mem_base;
12650 -+ if (sparse_base && !sparse_mem_mmap_fits(pdev, num)) {
12651 -+ sparse_base = 0;
12652 -+ suffix = "_dense";
12653 -+ nlen1 = 16; /* resourceN_dense */
12654 -+ }
12655 -+ } else {
12656 -+ sparse_base = hose->sparse_io_base;
12657 -+ dense_base = hose->dense_io_base;
12658 -+ }
12659 -+
12660 -+ if (sparse_base) {
12661 -+ suffix = "_sparse";
12662 -+ nlen1 = 17;
12663 -+ if (dense_base) {
12664 -+ nlen2 = 16; /* resourceN_dense */
12665 -+ res_count = 2;
12666 -+ }
12667 -+ }
12668 -+
12669 -+ attr = kzalloc(sizeof(*attr) * res_count + nlen1 + nlen2, GFP_ATOMIC);
12670 -+ if (!attr)
12671 -+ return -ENOMEM;
12672 -+
12673 -+ /* Create bwx, sparse or single dense file */
12674 -+ attr_name = (char *)(attr + res_count);
12675 -+ pdev->res_attr[num] = attr;
12676 -+ retval = pci_create_one_attr(pdev, num, attr_name, suffix, attr,
12677 -+ sparse_base);
12678 -+ if (retval || res_count == 1)
12679 -+ return retval;
12680 -+
12681 -+ /* Create dense file */
12682 -+ attr_name += nlen1;
12683 -+ attr++;
12684 -+ pdev->res_attr_wc[num] = attr;
12685 -+ return pci_create_one_attr(pdev, num, attr_name, "_dense", attr, 0);
12686 -+}
12687 -+
12688 -+/**
12689 -+ * pci_create_resource_files - create resource files in sysfs for @dev
12690 -+ * @dev: dev in question
12691 -+ *
12692 -+ * Walk the resources in @dev creating files for each resource available.
12693 -+ */
12694 -+int pci_create_resource_files(struct pci_dev *pdev)
12695 -+{
12696 -+ int i;
12697 -+ int retval;
12698 -+
12699 -+ /* Expose the PCI resources from this device as files */
12700 -+ for (i = 0; i < PCI_ROM_RESOURCE; i++) {
12701 -+
12702 -+ /* skip empty resources */
12703 -+ if (!pci_resource_len(pdev, i))
12704 -+ continue;
12705 -+
12706 -+ retval = pci_create_attr(pdev, i);
12707 -+ if (retval) {
12708 -+ pci_remove_resource_files(pdev);
12709 -+ return retval;
12710 -+ }
12711 -+ }
12712 -+ return 0;
12713 -+}
12714 -+
12715 -+/* Legacy I/O bus mapping stuff. */
12716 -+
12717 -+static int __legacy_mmap_fits(struct pci_controller *hose,
12718 -+ struct vm_area_struct *vma,
12719 -+ unsigned long res_size, int sparse)
12720 -+{
12721 -+ unsigned long nr, start, size;
12722 -+
12723 -+ nr = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
12724 -+ start = vma->vm_pgoff;
12725 -+ size = ((res_size - 1) >> PAGE_SHIFT) + 1;
12726 -+
12727 -+ if (start < size && size - start >= nr)
12728 -+ return 1;
12729 -+ WARN(1, "process \"%s\" tried to map%s 0x%08lx-0x%08lx on hose %d "
12730 -+ "(size 0x%08lx)\n",
12731 -+ current->comm, sparse ? " sparse" : "", start, start + nr,
12732 -+ hose->index, size);
12733 -+ return 0;
12734 -+}
12735 -+
12736 -+static inline int has_sparse(struct pci_controller *hose,
12737 -+ enum pci_mmap_state mmap_type)
12738 -+{
12739 -+ unsigned long base;
12740 -+
12741 -+ base = (mmap_type == pci_mmap_mem) ? hose->sparse_mem_base :
12742 -+ hose->sparse_io_base;
12743 -+
12744 -+ return base != 0;
12745 -+}
12746 -+
12747 -+int pci_mmap_legacy_page_range(struct pci_bus *bus, struct vm_area_struct *vma,
12748 -+ enum pci_mmap_state mmap_type)
12749 -+{
12750 -+ struct pci_controller *hose = bus->sysdata;
12751 -+ int sparse = has_sparse(hose, mmap_type);
12752 -+ unsigned long res_size;
12753 -+
12754 -+ res_size = (mmap_type == pci_mmap_mem) ? bus->legacy_mem->size :
12755 -+ bus->legacy_io->size;
12756 -+ if (!__legacy_mmap_fits(hose, vma, res_size, sparse))
12757 -+ return -EINVAL;
12758 -+
12759 -+ return hose_mmap_page_range(hose, vma, mmap_type, sparse);
12760 -+}
12761 -+
12762 -+/**
12763 -+ * pci_adjust_legacy_attr - adjustment of legacy file attributes
12764 -+ * @b: bus to create files under
12765 -+ * @mmap_type: I/O port or memory
12766 -+ *
12767 -+ * Adjust file name and size for sparse mappings.
12768 -+ */
12769 -+void pci_adjust_legacy_attr(struct pci_bus *bus, enum pci_mmap_state mmap_type)
12770 -+{
12771 -+ struct pci_controller *hose = bus->sysdata;
12772 -+
12773 -+ if (!has_sparse(hose, mmap_type))
12774 -+ return;
12775 -+
12776 -+ if (mmap_type == pci_mmap_mem) {
12777 -+ bus->legacy_mem->attr.name = "legacy_mem_sparse";
12778 -+ bus->legacy_mem->size <<= 5;
12779 -+ } else {
12780 -+ bus->legacy_io->attr.name = "legacy_io_sparse";
12781 -+ bus->legacy_io->size <<= 5;
12782 -+ }
12783 -+ return;
12784 -+}
12785 -+
12786 -+/* Legacy I/O bus read/write functions */
12787 -+int pci_legacy_read(struct pci_bus *bus, loff_t port, u32 *val, size_t size)
12788 -+{
12789 -+ struct pci_controller *hose = bus->sysdata;
12790 -+
12791 -+ port += hose->io_space->start;
12792 -+
12793 -+ switch(size) {
12794 -+ case 1:
12795 -+ *((u8 *)val) = inb(port);
12796 -+ return 1;
12797 -+ case 2:
12798 -+ if (port & 1)
12799 -+ return -EINVAL;
12800 -+ *((u16 *)val) = inw(port);
12801 -+ return 2;
12802 -+ case 4:
12803 -+ if (port & 3)
12804 -+ return -EINVAL;
12805 -+ *((u32 *)val) = inl(port);
12806 -+ return 4;
12807 -+ }
12808 -+ return -EINVAL;
12809 -+}
12810 -+
12811 -+int pci_legacy_write(struct pci_bus *bus, loff_t port, u32 val, size_t size)
12812 -+{
12813 -+ struct pci_controller *hose = bus->sysdata;
12814 -+
12815 -+ port += hose->io_space->start;
12816 -+
12817 -+ switch(size) {
12818 -+ case 1:
12819 -+ outb(port, val);
12820 -+ return 1;
12821 -+ case 2:
12822 -+ if (port & 1)
12823 -+ return -EINVAL;
12824 -+ outw(port, val);
12825 -+ return 2;
12826 -+ case 4:
12827 -+ if (port & 3)
12828 -+ return -EINVAL;
12829 -+ outl(port, val);
12830 -+ return 4;
12831 -+ }
12832 -+ return -EINVAL;
12833 -+}
12834 -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
12835 -index dfc4e0d..1c89298 100644
12836 ---- a/drivers/pci/pci-sysfs.c
12837 -+++ b/drivers/pci/pci-sysfs.c
12838 -@@ -493,6 +493,19 @@ pci_mmap_legacy_io(struct kobject *kobj, struct bin_attribute *attr,
12839 - }
12840 -
12841 - /**
12842 -+ * pci_adjust_legacy_attr - adjustment of legacy file attributes
12843 -+ * @b: bus to create files under
12844 -+ * @mmap_type: I/O port or memory
12845 -+ *
12846 -+ * Stub implementation. Can be overridden by arch if necessary.
12847 -+ */
12848 -+void __weak
12849 -+pci_adjust_legacy_attr(struct pci_bus *b, enum pci_mmap_state mmap_type)
12850 -+{
12851 -+ return;
12852 -+}
12853 -+
12854 -+/**
12855 - * pci_create_legacy_files - create legacy I/O port and memory files
12856 - * @b: bus to create files under
12857 - *
12858 -@@ -518,6 +531,7 @@ void pci_create_legacy_files(struct pci_bus *b)
12859 - b->legacy_io->read = pci_read_legacy_io;
12860 - b->legacy_io->write = pci_write_legacy_io;
12861 - b->legacy_io->mmap = pci_mmap_legacy_io;
12862 -+ pci_adjust_legacy_attr(b, pci_mmap_io);
12863 - error = device_create_bin_file(&b->dev, b->legacy_io);
12864 - if (error)
12865 - goto legacy_io_err;
12866 -@@ -528,6 +542,7 @@ void pci_create_legacy_files(struct pci_bus *b)
12867 - b->legacy_mem->size = 1024*1024;
12868 - b->legacy_mem->attr.mode = S_IRUSR | S_IWUSR;
12869 - b->legacy_mem->mmap = pci_mmap_legacy_mem;
12870 -+ pci_adjust_legacy_attr(b, pci_mmap_mem);
12871 - error = device_create_bin_file(&b->dev, b->legacy_mem);
12872 - if (error)
12873 - goto legacy_mem_err;
12874 -@@ -719,8 +734,8 @@ static int pci_create_resource_files(struct pci_dev *pdev)
12875 - return 0;
12876 - }
12877 - #else /* !HAVE_PCI_MMAP */
12878 --static inline int pci_create_resource_files(struct pci_dev *dev) { return 0; }
12879 --static inline void pci_remove_resource_files(struct pci_dev *dev) { return; }
12880 -+int __weak pci_create_resource_files(struct pci_dev *dev) { return 0; }
12881 -+void __weak pci_remove_resource_files(struct pci_dev *dev) { return; }
12882 - #endif /* HAVE_PCI_MMAP */
12883 -
12884 - /**
12885 -
12886
12887 Deleted: genpatches-2.6/trunk/2.6.30/2700_usblp-poll-for-status.patch
12888 ===================================================================
12889 --- genpatches-2.6/trunk/2.6.30/2700_usblp-poll-for-status.patch 2009-06-05 16:26:11 UTC (rev 1572)
12890 +++ genpatches-2.6/trunk/2.6.30/2700_usblp-poll-for-status.patch 2009-06-05 16:28:49 UTC (rev 1573)
12891 @@ -1,51 +0,0 @@
12892 -From: Pete Zaitcev <zaitcev@××××××.com>
12893 -Date: Wed, 7 Jan 2009 00:20:42 +0000 (-0700)
12894 -Subject: usblp: continuously poll for status
12895 -X-Git-Tag: v2.6.30-rc1~670^2~93
12896 -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd44be6b17ac52238aa6c7f46b906d9fb76e7052
12897 -
12898 -usblp: continuously poll for status
12899 -
12900 -The usblp in 2.6.18 polled for status regardless if we actually needed it.
12901 -At some point I dropped it, to save the batteries if nothing else.
12902 -As it turned out, printers exist (e.g. Canon BJC-3000) that need prodding
12903 -this way or else they stop. This patch restores the old behaviour.
12904 -If you want to save battery, don't leave jobs in the print queue.
12905 -
12906 -I tested this on my printers by printing and examining usbmon traces
12907 -to make sure status is being requested and printers continue to print.
12908 -Tuomas Jäntti verified the fix on BJC-3000.
12909 -
12910 -Signed-off-by: Pete Zaitcev <zaitcev@××××××.com>
12911 -Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
12912 ----
12913 -
12914 -diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
12915 -index 3f3ee13..d2747a4 100644
12916 ---- a/drivers/usb/class/usblp.c
12917 -+++ b/drivers/usb/class/usblp.c
12918 -@@ -880,16 +880,19 @@ static int usblp_wwait(struct usblp *usblp, int nonblock)
12919 - if (rc <= 0)
12920 - break;
12921 -
12922 -- if (usblp->flags & LP_ABORT) {
12923 -- if (schedule_timeout(msecs_to_jiffies(5000)) == 0) {
12924 -+ if (schedule_timeout(msecs_to_jiffies(1500)) == 0) {
12925 -+ if (usblp->flags & LP_ABORT) {
12926 - err = usblp_check_status(usblp, err);
12927 - if (err == 1) { /* Paper out */
12928 - rc = -ENOSPC;
12929 - break;
12930 - }
12931 -+ } else {
12932 -+ /* Prod the printer, Gentoo#251237. */
12933 -+ mutex_lock(&usblp->mut);
12934 -+ usblp_read_status(usblp, usblp->statusbuf);
12935 -+ mutex_unlock(&usblp->mut);
12936 - }
12937 -- } else {
12938 -- schedule();
12939 - }
12940 - }
12941 - set_current_state(TASK_RUNNING);
12942 -
Report Message
Find on MARC Find on Google Groups