summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2012-01-27 06:52:36 -0500
committerAnthony G. Basile <blueness@gentoo.org>2012-01-27 06:52:36 -0500
commit84c88d2374b2eb7906db747ce93e6046d0c7d644 (patch)
tree0ac8cd41b5f1fa68b5db3bb236018ac64e6e433a
parentGrsec/PaX: 2.2.2-2.6.32.55-201201252116 + 2.2.2-3.2.2-201201252117 (diff)
downloadhardened-patchset-20120125.tar.gz
hardened-patchset-20120125.tar.bz2
hardened-patchset-20120125.zip
Added needed patch to bump to 3.2.220120125
-rw-r--r--3.2.2/0000_README4
-rw-r--r--3.2.2/1001_linux-3.2.2.patch6552
2 files changed, 6556 insertions, 0 deletions
diff --git a/3.2.2/0000_README b/3.2.2/0000_README
index ab46037..742124c 100644
--- a/3.2.2/0000_README
+++ b/3.2.2/0000_README
@@ -2,6 +2,10 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
+Patch: 1001_linux-3.2.2.patch
+From: http://www.kernel.org
+Desc: Linux 3.2.2
+
Patch: 4420_grsecurity-2.2.2-3.2.2-201201252117.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.2/1001_linux-3.2.2.patch b/3.2.2/1001_linux-3.2.2.patch
new file mode 100644
index 0000000..ec16cce
--- /dev/null
+++ b/3.2.2/1001_linux-3.2.2.patch
@@ -0,0 +1,6552 @@
+diff --git a/Makefile b/Makefile
+index c5edffa..2f684da 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 1
++SUBLEVEL = 2
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+
+diff --git a/arch/ia64/kernel/acpi.c b/arch/ia64/kernel/acpi.c
+index bfb4d01..5207035 100644
+--- a/arch/ia64/kernel/acpi.c
++++ b/arch/ia64/kernel/acpi.c
+@@ -429,22 +429,24 @@ static u32 __devinitdata pxm_flag[PXM_FLAG_LEN];
+ static struct acpi_table_slit __initdata *slit_table;
+ cpumask_t early_cpu_possible_map = CPU_MASK_NONE;
+
+-static int get_processor_proximity_domain(struct acpi_srat_cpu_affinity *pa)
++static int __init
++get_processor_proximity_domain(struct acpi_srat_cpu_affinity *pa)
+ {
+ int pxm;
+
+ pxm = pa->proximity_domain_lo;
+- if (ia64_platform_is("sn2"))
++ if (ia64_platform_is("sn2") || acpi_srat_revision >= 2)
+ pxm += pa->proximity_domain_hi[0] << 8;
+ return pxm;
+ }
+
+-static int get_memory_proximity_domain(struct acpi_srat_mem_affinity *ma)
++static int __init
++get_memory_proximity_domain(struct acpi_srat_mem_affinity *ma)
+ {
+ int pxm;
+
+ pxm = ma->proximity_domain;
+- if (!ia64_platform_is("sn2"))
++ if (!ia64_platform_is("sn2") && acpi_srat_revision <= 1)
+ pxm &= 0xff;
+
+ return pxm;
+diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
+index 577abba..83bb960 100644
+--- a/arch/score/kernel/entry.S
++++ b/arch/score/kernel/entry.S
+@@ -408,7 +408,7 @@ ENTRY(handle_sys)
+ sw r9, [r0, PT_EPC]
+
+ cmpi.c r27, __NR_syscalls # check syscall number
+- bgtu illegal_syscall
++ bgeu illegal_syscall
+
+ slli r8, r27, 2 # get syscall routine
+ la r11, sys_call_table
+diff --git a/arch/x86/include/asm/amd_nb.h b/arch/x86/include/asm/amd_nb.h
+index 8e41071..49ad773 100644
+--- a/arch/x86/include/asm/amd_nb.h
++++ b/arch/x86/include/asm/amd_nb.h
+@@ -1,6 +1,7 @@
+ #ifndef _ASM_X86_AMD_NB_H
+ #define _ASM_X86_AMD_NB_H
+
++#include <linux/ioport.h>
+ #include <linux/pci.h>
+
+ struct amd_nb_bus_dev_range {
+@@ -13,6 +14,7 @@ extern const struct pci_device_id amd_nb_misc_ids[];
+ extern const struct amd_nb_bus_dev_range amd_nb_bus_dev_ranges[];
+
+ extern bool early_is_amd_nb(u32 value);
++extern struct resource *amd_get_mmconfig_range(struct resource *res);
+ extern int amd_cache_northbridges(void);
+ extern void amd_flush_garts(void);
+ extern int amd_numa_init(void);
+diff --git a/arch/x86/include/asm/uv/uv_bau.h b/arch/x86/include/asm/uv/uv_bau.h
+index 8e862aa..1b82f7e 100644
+--- a/arch/x86/include/asm/uv/uv_bau.h
++++ b/arch/x86/include/asm/uv/uv_bau.h
+@@ -65,7 +65,7 @@
+ * UV2: Bit 19 selects between
+ * (0): 10 microsecond timebase and
+ * (1): 80 microseconds
+- * we're using 655us, similar to UV1: 65 units of 10us
++ * we're using 560us, similar to UV1: 65 units of 10us
+ */
+ #define UV1_INTD_SOFT_ACK_TIMEOUT_PERIOD (9UL)
+ #define UV2_INTD_SOFT_ACK_TIMEOUT_PERIOD (15UL)
+@@ -167,6 +167,7 @@
+ #define FLUSH_RETRY_TIMEOUT 2
+ #define FLUSH_GIVEUP 3
+ #define FLUSH_COMPLETE 4
++#define FLUSH_RETRY_BUSYBUG 5
+
+ /*
+ * tuning the action when the numalink network is extremely delayed
+@@ -235,10 +236,10 @@ struct bau_msg_payload {
+
+
+ /*
+- * Message header: 16 bytes (128 bits) (bytes 0x30-0x3f of descriptor)
++ * UV1 Message header: 16 bytes (128 bits) (bytes 0x30-0x3f of descriptor)
+ * see table 4.2.3.0.1 in broacast_assist spec.
+ */
+-struct bau_msg_header {
++struct uv1_bau_msg_header {
+ unsigned int dest_subnodeid:6; /* must be 0x10, for the LB */
+ /* bits 5:0 */
+ unsigned int base_dest_nasid:15; /* nasid of the first bit */
+@@ -318,19 +319,87 @@ struct bau_msg_header {
+ };
+
+ /*
++ * UV2 Message header: 16 bytes (128 bits) (bytes 0x30-0x3f of descriptor)
++ * see figure 9-2 of harp_sys.pdf
++ */
++struct uv2_bau_msg_header {
++ unsigned int base_dest_nasid:15; /* nasid of the first bit */
++ /* bits 14:0 */ /* in uvhub map */
++ unsigned int dest_subnodeid:5; /* must be 0x10, for the LB */
++ /* bits 19:15 */
++ unsigned int rsvd_1:1; /* must be zero */
++ /* bit 20 */
++ /* Address bits 59:21 */
++ /* bits 25:2 of address (44:21) are payload */
++ /* these next 24 bits become bytes 12-14 of msg */
++ /* bits 28:21 land in byte 12 */
++ unsigned int replied_to:1; /* sent as 0 by the source to
++ byte 12 */
++ /* bit 21 */
++ unsigned int msg_type:3; /* software type of the
++ message */
++ /* bits 24:22 */
++ unsigned int canceled:1; /* message canceled, resource
++ is to be freed*/
++ /* bit 25 */
++ unsigned int payload_1:3; /* not currently used */
++ /* bits 28:26 */
++
++ /* bits 36:29 land in byte 13 */
++ unsigned int payload_2a:3; /* not currently used */
++ unsigned int payload_2b:5; /* not currently used */
++ /* bits 36:29 */
++
++ /* bits 44:37 land in byte 14 */
++ unsigned int payload_3:8; /* not currently used */
++ /* bits 44:37 */
++
++ unsigned int rsvd_2:7; /* reserved */
++ /* bits 51:45 */
++ unsigned int swack_flag:1; /* software acknowledge flag */
++ /* bit 52 */
++ unsigned int rsvd_3a:3; /* must be zero */
++ unsigned int rsvd_3b:8; /* must be zero */
++ unsigned int rsvd_3c:8; /* must be zero */
++ unsigned int rsvd_3d:3; /* must be zero */
++ /* bits 74:53 */
++ unsigned int fairness:3; /* usually zero */
++ /* bits 77:75 */
++
++ unsigned int sequence:16; /* message sequence number */
++ /* bits 93:78 Suppl_A */
++ unsigned int chaining:1; /* next descriptor is part of
++ this activation*/
++ /* bit 94 */
++ unsigned int multilevel:1; /* multi-level multicast
++ format */
++ /* bit 95 */
++ unsigned int rsvd_4:24; /* ordered / source node /
++ source subnode / aging
++ must be zero */
++ /* bits 119:96 */
++ unsigned int command:8; /* message type */
++ /* bits 127:120 */
++};
++
++/*
+ * The activation descriptor:
+ * The format of the message to send, plus all accompanying control
+ * Should be 64 bytes
+ */
+ struct bau_desc {
+- struct pnmask distribution;
++ struct pnmask distribution;
+ /*
+ * message template, consisting of header and payload:
+ */
+- struct bau_msg_header header;
+- struct bau_msg_payload payload;
++ union bau_msg_header {
++ struct uv1_bau_msg_header uv1_hdr;
++ struct uv2_bau_msg_header uv2_hdr;
++ } header;
++
++ struct bau_msg_payload payload;
+ };
+-/*
++/* UV1:
+ * -payload-- ---------header------
+ * bytes 0-11 bits 41-56 bits 58-81
+ * A B (2) C (3)
+@@ -340,6 +409,16 @@ struct bau_desc {
+ * bytes 0-11 bytes 12-14 bytes 16-17 (byte 15 filled in by hw as vector)
+ * ------------payload queue-----------
+ */
++/* UV2:
++ * -payload-- ---------header------
++ * bytes 0-11 bits 70-78 bits 21-44
++ * A B (2) C (3)
++ *
++ * A/B/C are moved to:
++ * A C B
++ * bytes 0-11 bytes 12-14 bytes 16-17 (byte 15 filled in by hw as vector)
++ * ------------payload queue-----------
++ */
+
+ /*
+ * The payload queue on the destination side is an array of these.
+@@ -385,7 +464,6 @@ struct bau_pq_entry {
+ struct msg_desc {
+ struct bau_pq_entry *msg;
+ int msg_slot;
+- int swack_slot;
+ struct bau_pq_entry *queue_first;
+ struct bau_pq_entry *queue_last;
+ };
+@@ -439,6 +517,9 @@ struct ptc_stats {
+ unsigned long s_retry_messages; /* retry broadcasts */
+ unsigned long s_bau_reenabled; /* for bau enable/disable */
+ unsigned long s_bau_disabled; /* for bau enable/disable */
++ unsigned long s_uv2_wars; /* uv2 workaround, perm. busy */
++ unsigned long s_uv2_wars_hw; /* uv2 workaround, hiwater */
++ unsigned long s_uv2_war_waits; /* uv2 workaround, long waits */
+ /* destination statistics */
+ unsigned long d_alltlb; /* times all tlb's on this
+ cpu were flushed */
+@@ -511,9 +592,12 @@ struct bau_control {
+ short osnode;
+ short uvhub_cpu;
+ short uvhub;
++ short uvhub_version;
+ short cpus_in_socket;
+ short cpus_in_uvhub;
+ short partition_base_pnode;
++ short using_desc; /* an index, like uvhub_cpu */
++ unsigned int inuse_map;
+ unsigned short message_number;
+ unsigned short uvhub_quiesce;
+ short socket_acknowledge_count[DEST_Q_SIZE];
+@@ -531,6 +615,7 @@ struct bau_control {
+ int cong_response_us;
+ int cong_reps;
+ int cong_period;
++ unsigned long clocks_per_100_usec;
+ cycles_t period_time;
+ long period_requests;
+ struct hub_and_pnode *thp;
+@@ -591,6 +676,11 @@ static inline void write_mmr_sw_ack(unsigned long mr)
+ uv_write_local_mmr(UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE_ALIAS, mr);
+ }
+
++static inline void write_gmmr_sw_ack(int pnode, unsigned long mr)
++{
++ write_gmmr(pnode, UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE_ALIAS, mr);
++}
++
+ static inline unsigned long read_mmr_sw_ack(void)
+ {
+ return read_lmmr(UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE);
+diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
+index 4c39baa..bae1efe 100644
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -119,6 +119,37 @@ bool __init early_is_amd_nb(u32 device)
+ return false;
+ }
+
++struct resource *amd_get_mmconfig_range(struct resource *res)
++{
++ u32 address;
++ u64 base, msr;
++ unsigned segn_busn_bits;
++
++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
++ return NULL;
++
++ /* assume all cpus from fam10h have mmconfig */
++ if (boot_cpu_data.x86 < 0x10)
++ return NULL;
++
++ address = MSR_FAM10H_MMIO_CONF_BASE;
++ rdmsrl(address, msr);
++
++ /* mmconfig is not enabled */
++ if (!(msr & FAM10H_MMIO_CONF_ENABLE))
++ return NULL;
++
++ base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
++
++ segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
++ FAM10H_MMIO_CONF_BUSRANGE_MASK;
++
++ res->flags = IORESOURCE_MEM;
++ res->start = base;
++ res->end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
++ return res;
++}
++
+ int amd_get_subcaches(int cpu)
+ {
+ struct pci_dev *link = node_to_amd_nb(amd_get_nb_id(cpu))->link;
+diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c
+index 9d59bba..79b05b8 100644
+--- a/arch/x86/kernel/apic/x2apic_uv_x.c
++++ b/arch/x86/kernel/apic/x2apic_uv_x.c
+@@ -769,7 +769,12 @@ void __init uv_system_init(void)
+ for(i = 0; i < UVH_NODE_PRESENT_TABLE_DEPTH; i++)
+ uv_possible_blades +=
+ hweight64(uv_read_local_mmr( UVH_NODE_PRESENT_TABLE + i * 8));
+- printk(KERN_DEBUG "UV: Found %d blades\n", uv_num_possible_blades());
++
++ /* uv_num_possible_blades() is really the hub count */
++ printk(KERN_INFO "UV: Found %d blades, %d hubs\n",
++ is_uv1_hub() ? uv_num_possible_blades() :
++ (uv_num_possible_blades() + 1) / 2,
++ uv_num_possible_blades());
+
+ bytes = sizeof(struct uv_blade_info) * uv_num_possible_blades();
+ uv_blade_info = kzalloc(bytes, GFP_KERNEL);
+diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
+index 4b5ba85..845df68 100644
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -75,9 +75,9 @@ static unsigned long mmap_rnd(void)
+ */
+ if (current->flags & PF_RANDOMIZE) {
+ if (mmap_is_ia32())
+- rnd = (long)get_random_int() % (1<<8);
++ rnd = get_random_int() % (1<<8);
+ else
+- rnd = (long)(get_random_int() % (1<<28));
++ rnd = get_random_int() % (1<<28);
+ }
+ return rnd << PAGE_SHIFT;
+ }
+diff --git a/arch/x86/mm/srat.c b/arch/x86/mm/srat.c
+index 81dbfde..7efd0c6 100644
+--- a/arch/x86/mm/srat.c
++++ b/arch/x86/mm/srat.c
+@@ -104,6 +104,8 @@ acpi_numa_processor_affinity_init(struct acpi_srat_cpu_affinity *pa)
+ if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
+ return;
+ pxm = pa->proximity_domain_lo;
++ if (acpi_srat_revision >= 2)
++ pxm |= *((unsigned int*)pa->proximity_domain_hi) << 8;
+ node = setup_node(pxm);
+ if (node < 0) {
+ printk(KERN_ERR "SRAT: Too many proximity domains %x\n", pxm);
+@@ -155,6 +157,8 @@ acpi_numa_memory_affinity_init(struct acpi_srat_mem_affinity *ma)
+ start = ma->base_address;
+ end = start + ma->length;
+ pxm = ma->proximity_domain;
++ if (acpi_srat_revision <= 1)
++ pxm &= 0xff;
+ node = setup_node(pxm);
+ if (node < 0) {
+ printk(KERN_ERR "SRAT: Too many proximity domains.\n");
+diff --git a/arch/x86/pci/Makefile b/arch/x86/pci/Makefile
+index 6b8759f..d24d3da 100644
+--- a/arch/x86/pci/Makefile
++++ b/arch/x86/pci/Makefile
+@@ -18,8 +18,9 @@ obj-$(CONFIG_X86_NUMAQ) += numaq_32.o
+ obj-$(CONFIG_X86_MRST) += mrst.o
+
+ obj-y += common.o early.o
+-obj-y += amd_bus.o bus_numa.o
++obj-y += bus_numa.o
+
++obj-$(CONFIG_AMD_NB) += amd_bus.o
+ obj-$(CONFIG_PCI_CNB20LE_QUIRK) += broadcom_bus.o
+
+ ifeq ($(CONFIG_PCI_DEBUG),y)
+diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
+index 404f21a..f8348ab 100644
+--- a/arch/x86/pci/acpi.c
++++ b/arch/x86/pci/acpi.c
+@@ -149,7 +149,7 @@ setup_resource(struct acpi_resource *acpi_res, void *data)
+ struct acpi_resource_address64 addr;
+ acpi_status status;
+ unsigned long flags;
+- u64 start, end;
++ u64 start, orig_end, end;
+
+ status = resource_to_addr(acpi_res, &addr);
+ if (!ACPI_SUCCESS(status))
+@@ -165,7 +165,21 @@ setup_resource(struct acpi_resource *acpi_res, void *data)
+ return AE_OK;
+
+ start = addr.minimum + addr.translation_offset;
+- end = addr.maximum + addr.translation_offset;
++ orig_end = end = addr.maximum + addr.translation_offset;
++
++ /* Exclude non-addressable range or non-addressable portion of range */
++ end = min(end, (u64)iomem_resource.end);
++ if (end <= start) {
++ dev_info(&info->bridge->dev,
++ "host bridge window [%#llx-%#llx] "
++ "(ignored, not CPU addressable)\n", start, orig_end);
++ return AE_OK;
++ } else if (orig_end != end) {
++ dev_info(&info->bridge->dev,
++ "host bridge window [%#llx-%#llx] "
++ "([%#llx-%#llx] ignored, not CPU addressable)\n",
++ start, orig_end, end + 1, orig_end);
++ }
+
+ res = &info->res[info->res_num];
+ res->name = info->name;
+diff --git a/arch/x86/pci/amd_bus.c b/arch/x86/pci/amd_bus.c
+index 026e493..385a940 100644
+--- a/arch/x86/pci/amd_bus.c
++++ b/arch/x86/pci/amd_bus.c
+@@ -30,34 +30,6 @@ static struct pci_hostbridge_probe pci_probes[] __initdata = {
+ { 0, 0x18, PCI_VENDOR_ID_AMD, 0x1300 },
+ };
+
+-static u64 __initdata fam10h_mmconf_start;
+-static u64 __initdata fam10h_mmconf_end;
+-static void __init get_pci_mmcfg_amd_fam10h_range(void)
+-{
+- u32 address;
+- u64 base, msr;
+- unsigned segn_busn_bits;
+-
+- /* assume all cpus from fam10h have mmconf */
+- if (boot_cpu_data.x86 < 0x10)
+- return;
+-
+- address = MSR_FAM10H_MMIO_CONF_BASE;
+- rdmsrl(address, msr);
+-
+- /* mmconfig is not enable */
+- if (!(msr & FAM10H_MMIO_CONF_ENABLE))
+- return;
+-
+- base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
+-
+- segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
+- FAM10H_MMIO_CONF_BUSRANGE_MASK;
+-
+- fam10h_mmconf_start = base;
+- fam10h_mmconf_end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
+-}
+-
+ #define RANGE_NUM 16
+
+ /**
+@@ -85,6 +57,9 @@ static int __init early_fill_mp_bus_info(void)
+ u64 val;
+ u32 address;
+ bool found;
++ struct resource fam10h_mmconf_res, *fam10h_mmconf;
++ u64 fam10h_mmconf_start;
++ u64 fam10h_mmconf_end;
+
+ if (!early_pci_allowed())
+ return -1;
+@@ -211,12 +186,17 @@ static int __init early_fill_mp_bus_info(void)
+ subtract_range(range, RANGE_NUM, 0, end);
+
+ /* get mmconfig */
+- get_pci_mmcfg_amd_fam10h_range();
++ fam10h_mmconf = amd_get_mmconfig_range(&fam10h_mmconf_res);
+ /* need to take out mmconf range */
+- if (fam10h_mmconf_end) {
+- printk(KERN_DEBUG "Fam 10h mmconf [%llx, %llx]\n", fam10h_mmconf_start, fam10h_mmconf_end);
++ if (fam10h_mmconf) {
++ printk(KERN_DEBUG "Fam 10h mmconf %pR\n", fam10h_mmconf);
++ fam10h_mmconf_start = fam10h_mmconf->start;
++ fam10h_mmconf_end = fam10h_mmconf->end;
+ subtract_range(range, RANGE_NUM, fam10h_mmconf_start,
+ fam10h_mmconf_end + 1);
++ } else {
++ fam10h_mmconf_start = 0;
++ fam10h_mmconf_end = 0;
+ }
+
+ /* mmio resource */
+diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
+index 5b55219..9010ca7 100644
+--- a/arch/x86/platform/uv/tlb_uv.c
++++ b/arch/x86/platform/uv/tlb_uv.c
+@@ -157,13 +157,14 @@ static int __init uvhub_to_first_apicid(int uvhub)
+ * clear of the Timeout bit (as well) will free the resource. No reply will
+ * be sent (the hardware will only do one reply per message).
+ */
+-static void reply_to_message(struct msg_desc *mdp, struct bau_control *bcp)
++static void reply_to_message(struct msg_desc *mdp, struct bau_control *bcp,
++ int do_acknowledge)
+ {
+ unsigned long dw;
+ struct bau_pq_entry *msg;
+
+ msg = mdp->msg;
+- if (!msg->canceled) {
++ if (!msg->canceled && do_acknowledge) {
+ dw = (msg->swack_vec << UV_SW_ACK_NPENDING) | msg->swack_vec;
+ write_mmr_sw_ack(dw);
+ }
+@@ -212,8 +213,8 @@ static void bau_process_retry_msg(struct msg_desc *mdp,
+ if (mmr & (msg_res << UV_SW_ACK_NPENDING)) {
+ unsigned long mr;
+ /*
+- * is the resource timed out?
+- * make everyone ignore the cancelled message.
++ * Is the resource timed out?
++ * Make everyone ignore the cancelled message.
+ */
+ msg2->canceled = 1;
+ stat->d_canceled++;
+@@ -231,8 +232,8 @@ static void bau_process_retry_msg(struct msg_desc *mdp,
+ * Do all the things a cpu should do for a TLB shootdown message.
+ * Other cpu's may come here at the same time for this message.
+ */
+-static void bau_process_message(struct msg_desc *mdp,
+- struct bau_control *bcp)
++static void bau_process_message(struct msg_desc *mdp, struct bau_control *bcp,
++ int do_acknowledge)
+ {
+ short socket_ack_count = 0;
+ short *sp;
+@@ -284,8 +285,9 @@ static void bau_process_message(struct msg_desc *mdp,
+ if (msg_ack_count == bcp->cpus_in_uvhub) {
+ /*
+ * All cpus in uvhub saw it; reply
++ * (unless we are in the UV2 workaround)
+ */
+- reply_to_message(mdp, bcp);
++ reply_to_message(mdp, bcp, do_acknowledge);
+ }
+ }
+
+@@ -491,27 +493,138 @@ static int uv1_wait_completion(struct bau_desc *bau_desc,
+ /*
+ * UV2 has an extra bit of status in the ACTIVATION_STATUS_2 register.
+ */
+-static unsigned long uv2_read_status(unsigned long offset, int rshft, int cpu)
++static unsigned long uv2_read_status(unsigned long offset, int rshft, int desc)
+ {
+ unsigned long descriptor_status;
+ unsigned long descriptor_status2;
+
+ descriptor_status = ((read_lmmr(offset) >> rshft) & UV_ACT_STATUS_MASK);
+- descriptor_status2 = (read_mmr_uv2_status() >> cpu) & 0x1UL;
++ descriptor_status2 = (read_mmr_uv2_status() >> desc) & 0x1UL;
+ descriptor_status = (descriptor_status << 1) | descriptor_status2;
+ return descriptor_status;
+ }
+
++/*
++ * Return whether the status of the descriptor that is normally used for this
++ * cpu (the one indexed by its hub-relative cpu number) is busy.
++ * The status of the original 32 descriptors is always reflected in the 64
++ * bits of UVH_LB_BAU_SB_ACTIVATION_STATUS_0.
++ * The bit provided by the activation_status_2 register is irrelevant to
++ * the status if it is only being tested for busy or not busy.
++ */
++int normal_busy(struct bau_control *bcp)
++{
++ int cpu = bcp->uvhub_cpu;
++ int mmr_offset;
++ int right_shift;
++
++ mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_0;
++ right_shift = cpu * UV_ACT_STATUS_SIZE;
++ return (((((read_lmmr(mmr_offset) >> right_shift) &
++ UV_ACT_STATUS_MASK)) << 1) == UV2H_DESC_BUSY);
++}
++
++/*
++ * Entered when a bau descriptor has gone into a permanent busy wait because
++ * of a hardware bug.
++ * Workaround the bug.
++ */
++int handle_uv2_busy(struct bau_control *bcp)
++{
++ int busy_one = bcp->using_desc;
++ int normal = bcp->uvhub_cpu;
++ int selected = -1;
++ int i;
++ unsigned long descriptor_status;
++ unsigned long status;
++ int mmr_offset;
++ struct bau_desc *bau_desc_old;
++ struct bau_desc *bau_desc_new;
++ struct bau_control *hmaster = bcp->uvhub_master;
++ struct ptc_stats *stat = bcp->statp;
++ cycles_t ttm;
++
++ stat->s_uv2_wars++;
++ spin_lock(&hmaster->uvhub_lock);
++ /* try for the original first */
++ if (busy_one != normal) {
++ if (!normal_busy(bcp))
++ selected = normal;
++ }
++ if (selected < 0) {
++ /* can't use the normal, select an alternate */
++ mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_1;
++ descriptor_status = read_lmmr(mmr_offset);
++
++ /* scan available descriptors 32-63 */
++ for (i = 0; i < UV_CPUS_PER_AS; i++) {
++ if ((hmaster->inuse_map & (1 << i)) == 0) {
++ status = ((descriptor_status >>
++ (i * UV_ACT_STATUS_SIZE)) &
++ UV_ACT_STATUS_MASK) << 1;
++ if (status != UV2H_DESC_BUSY) {
++ selected = i + UV_CPUS_PER_AS;
++ break;
++ }
++ }
++ }
++ }
++
++ if (busy_one != normal)
++ /* mark the busy alternate as not in-use */
++ hmaster->inuse_map &= ~(1 << (busy_one - UV_CPUS_PER_AS));
++
++ if (selected >= 0) {
++ /* switch to the selected descriptor */
++ if (selected != normal) {
++ /* set the selected alternate as in-use */
++ hmaster->inuse_map |=
++ (1 << (selected - UV_CPUS_PER_AS));
++ if (selected > stat->s_uv2_wars_hw)
++ stat->s_uv2_wars_hw = selected;
++ }
++ bau_desc_old = bcp->descriptor_base;
++ bau_desc_old += (ITEMS_PER_DESC * busy_one);
++ bcp->using_desc = selected;
++ bau_desc_new = bcp->descriptor_base;
++ bau_desc_new += (ITEMS_PER_DESC * selected);
++ *bau_desc_new = *bau_desc_old;
++ } else {
++ /*
++ * All are busy. Wait for the normal one for this cpu to
++ * free up.
++ */
++ stat->s_uv2_war_waits++;
++ spin_unlock(&hmaster->uvhub_lock);
++ ttm = get_cycles();
++ do {
++ cpu_relax();
++ } while (normal_busy(bcp));
++ spin_lock(&hmaster->uvhub_lock);
++ /* switch to the original descriptor */
++ bcp->using_desc = normal;
++ bau_desc_old = bcp->descriptor_base;
++ bau_desc_old += (ITEMS_PER_DESC * bcp->using_desc);
++ bcp->using_desc = (ITEMS_PER_DESC * normal);
++ bau_desc_new = bcp->descriptor_base;
++ bau_desc_new += (ITEMS_PER_DESC * normal);
++ *bau_desc_new = *bau_desc_old; /* copy the entire descriptor */
++ }
++ spin_unlock(&hmaster->uvhub_lock);
++ return FLUSH_RETRY_BUSYBUG;
++}
++
+ static int uv2_wait_completion(struct bau_desc *bau_desc,
+ unsigned long mmr_offset, int right_shift,
+ struct bau_control *bcp, long try)
+ {
+ unsigned long descriptor_stat;
+ cycles_t ttm;
+- int cpu = bcp->uvhub_cpu;
++ int desc = bcp->using_desc;
++ long busy_reps = 0;
+ struct ptc_stats *stat = bcp->statp;
+
+- descriptor_stat = uv2_read_status(mmr_offset, right_shift, cpu);
++ descriptor_stat = uv2_read_status(mmr_offset, right_shift, desc);
+
+ /* spin on the status MMR, waiting for it to go idle */
+ while (descriptor_stat != UV2H_DESC_IDLE) {
+@@ -542,12 +655,23 @@ static int uv2_wait_completion(struct bau_desc *bau_desc,
+ bcp->conseccompletes = 0;
+ return FLUSH_RETRY_TIMEOUT;
+ } else {
++ busy_reps++;
++ if (busy_reps > 1000000) {
++ /* not to hammer on the clock */
++ busy_reps = 0;
++ ttm = get_cycles();
++ if ((ttm - bcp->send_message) >
++ (bcp->clocks_per_100_usec)) {
++ return handle_uv2_busy(bcp);
++ }
++ }
+ /*
+ * descriptor_stat is still BUSY
+ */
+ cpu_relax();
+ }
+- descriptor_stat = uv2_read_status(mmr_offset, right_shift, cpu);
++ descriptor_stat = uv2_read_status(mmr_offset, right_shift,
++ desc);
+ }
+ bcp->conseccompletes++;
+ return FLUSH_COMPLETE;
+@@ -563,17 +687,17 @@ static int wait_completion(struct bau_desc *bau_desc,
+ {
+ int right_shift;
+ unsigned long mmr_offset;
+- int cpu = bcp->uvhub_cpu;
++ int desc = bcp->using_desc;
+
+- if (cpu < UV_CPUS_PER_AS) {
++ if (desc < UV_CPUS_PER_AS) {
+ mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_0;
+- right_shift = cpu * UV_ACT_STATUS_SIZE;
++ right_shift = desc * UV_ACT_STATUS_SIZE;
+ } else {
+ mmr_offset = UVH_LB_BAU_SB_ACTIVATION_STATUS_1;
+- right_shift = ((cpu - UV_CPUS_PER_AS) * UV_ACT_STATUS_SIZE);
++ right_shift = ((desc - UV_CPUS_PER_AS) * UV_ACT_STATUS_SIZE);
+ }
+
+- if (is_uv1_hub())
++ if (bcp->uvhub_version == 1)
+ return uv1_wait_completion(bau_desc, mmr_offset, right_shift,
+ bcp, try);
+ else
+@@ -752,19 +876,22 @@ static void handle_cmplt(int completion_status, struct bau_desc *bau_desc,
+ * Returns 1 if it gives up entirely and the original cpu mask is to be
+ * returned to the kernel.
+ */
+-int uv_flush_send_and_wait(struct bau_desc *bau_desc,
+- struct cpumask *flush_mask, struct bau_control *bcp)
++int uv_flush_send_and_wait(struct cpumask *flush_mask, struct bau_control *bcp)
+ {
+ int seq_number = 0;
+ int completion_stat = 0;
++ int uv1 = 0;
+ long try = 0;
+ unsigned long index;
+ cycles_t time1;
+ cycles_t time2;
+ struct ptc_stats *stat = bcp->statp;
+ struct bau_control *hmaster = bcp->uvhub_master;
++ struct uv1_bau_msg_header *uv1_hdr = NULL;
++ struct uv2_bau_msg_header *uv2_hdr = NULL;
++ struct bau_desc *bau_desc;
+
+- if (is_uv1_hub())
++ if (bcp->uvhub_version == 1)
+ uv1_throttle(hmaster, stat);
+
+ while (hmaster->uvhub_quiesce)
+@@ -772,22 +899,39 @@ int uv_flush_send_and_wait(struct bau_desc *bau_desc,
+
+ time1 = get_cycles();
+ do {
+- if (try == 0) {
+- bau_desc->header.msg_type = MSG_REGULAR;
++ bau_desc = bcp->descriptor_base;
++ bau_desc += (ITEMS_PER_DESC * bcp->using_desc);
++ if (bcp->uvhub_version == 1) {
++ uv1 = 1;
++ uv1_hdr = &bau_desc->header.uv1_hdr;
++ } else
++ uv2_hdr = &bau_desc->header.uv2_hdr;
++ if ((try == 0) || (completion_stat == FLUSH_RETRY_BUSYBUG)) {
++ if (uv1)
++ uv1_hdr->msg_type = MSG_REGULAR;
++ else
++ uv2_hdr->msg_type = MSG_REGULAR;
+ seq_number = bcp->message_number++;
+ } else {
+- bau_desc->header.msg_type = MSG_RETRY;
++ if (uv1)
++ uv1_hdr->msg_type = MSG_RETRY;
++ else
++ uv2_hdr->msg_type = MSG_RETRY;
+ stat->s_retry_messages++;
+ }
+
+- bau_desc->header.sequence = seq_number;
+- index = (1UL << AS_PUSH_SHIFT) | bcp->uvhub_cpu;
++ if (uv1)
++ uv1_hdr->sequence = seq_number;
++ else
++ uv2_hdr->sequence = seq_number;
++ index = (1UL << AS_PUSH_SHIFT) | bcp->using_desc;
+ bcp->send_message = get_cycles();
+
+ write_mmr_activation(index);
+
+ try++;
+ completion_stat = wait_completion(bau_desc, bcp, try);
++ /* UV2: wait_completion() may change the bcp->using_desc */
+
+ handle_cmplt(completion_stat, bau_desc, bcp, hmaster, stat);
+
+@@ -798,6 +942,7 @@ int uv_flush_send_and_wait(struct bau_desc *bau_desc,
+ }
+ cpu_relax();
+ } while ((completion_stat == FLUSH_RETRY_PLUGGED) ||
++ (completion_stat == FLUSH_RETRY_BUSYBUG) ||
+ (completion_stat == FLUSH_RETRY_TIMEOUT));
+
+ time2 = get_cycles();
+@@ -812,6 +957,7 @@ int uv_flush_send_and_wait(struct bau_desc *bau_desc,
+ record_send_stats(time1, time2, bcp, stat, completion_stat, try);
+
+ if (completion_stat == FLUSH_GIVEUP)
++ /* FLUSH_GIVEUP will fall back to using IPI's for tlb flush */
+ return 1;
+ return 0;
+ }
+@@ -967,7 +1113,7 @@ const struct cpumask *uv_flush_tlb_others(const struct cpumask *cpumask,
+ stat->s_ntargself++;
+
+ bau_desc = bcp->descriptor_base;
+- bau_desc += ITEMS_PER_DESC * bcp->uvhub_cpu;
++ bau_desc += (ITEMS_PER_DESC * bcp->using_desc);
+ bau_uvhubs_clear(&bau_desc->distribution, UV_DISTRIBUTION_SIZE);
+ if (set_distrib_bits(flush_mask, bcp, bau_desc, &locals, &remotes))
+ return NULL;
+@@ -980,13 +1126,86 @@ const struct cpumask *uv_flush_tlb_others(const struct cpumask *cpumask,
+ * uv_flush_send_and_wait returns 0 if all cpu's were messaged,
+ * or 1 if it gave up and the original cpumask should be returned.
+ */
+- if (!uv_flush_send_and_wait(bau_desc, flush_mask, bcp))
++ if (!uv_flush_send_and_wait(flush_mask, bcp))
+ return NULL;
+ else
+ return cpumask;
+ }
+
+ /*
++ * Search the message queue for any 'other' message with the same software
++ * acknowledge resource bit vector.
++ */
++struct bau_pq_entry *find_another_by_swack(struct bau_pq_entry *msg,
++ struct bau_control *bcp, unsigned char swack_vec)
++{
++ struct bau_pq_entry *msg_next = msg + 1;
++
++ if (msg_next > bcp->queue_last)
++ msg_next = bcp->queue_first;
++ while ((msg_next->swack_vec != 0) && (msg_next != msg)) {
++ if (msg_next->swack_vec == swack_vec)
++ return msg_next;
++ msg_next++;
++ if (msg_next > bcp->queue_last)
++ msg_next = bcp->queue_first;
++ }
++ return NULL;
++}
++
++/*
++ * UV2 needs to work around a bug in which an arriving message has not
++ * set a bit in the UVH_LB_BAU_INTD_SOFTWARE_ACKNOWLEDGE register.
++ * Such a message must be ignored.
++ */
++void process_uv2_message(struct msg_desc *mdp, struct bau_control *bcp)
++{
++ unsigned long mmr_image;
++ unsigned char swack_vec;
++ struct bau_pq_entry *msg = mdp->msg;
++ struct bau_pq_entry *other_msg;
++
++ mmr_image = read_mmr_sw_ack();
++ swack_vec = msg->swack_vec;
++
++ if ((swack_vec & mmr_image) == 0) {
++ /*
++ * This message was assigned a swack resource, but no
++ * reserved acknowlegment is pending.
++ * The bug has prevented this message from setting the MMR.
++ * And no other message has used the same sw_ack resource.
++ * Do the requested shootdown but do not reply to the msg.
++ * (the 0 means make no acknowledge)
++ */
++ bau_process_message(mdp, bcp, 0);
++ return;
++ }
++
++ /*
++ * Some message has set the MMR 'pending' bit; it might have been
++ * another message. Look for that message.
++ */
++ other_msg = find_another_by_swack(msg, bcp, msg->swack_vec);
++ if (other_msg) {
++ /* There is another. Do not ack the current one. */
++ bau_process_message(mdp, bcp, 0);
++ /*
++ * Let the natural processing of that message acknowledge
++ * it. Don't get the processing of sw_ack's out of order.
++ */
++ return;
++ }
++
++ /*
++ * There is no other message using this sw_ack, so it is safe to
++ * acknowledge it.
++ */
++ bau_process_message(mdp, bcp, 1);
++
++ return;
++}
++
++/*
+ * The BAU message interrupt comes here. (registered by set_intr_gate)
+ * See entry_64.S
+ *
+@@ -1022,9 +1241,11 @@ void uv_bau_message_interrupt(struct pt_regs *regs)
+ count++;
+
+ msgdesc.msg_slot = msg - msgdesc.queue_first;
+- msgdesc.swack_slot = ffs(msg->swack_vec) - 1;
+ msgdesc.msg = msg;
+- bau_process_message(&msgdesc, bcp);
++ if (bcp->uvhub_version == 2)
++ process_uv2_message(&msgdesc, bcp);
++ else
++ bau_process_message(&msgdesc, bcp, 1);
+
+ msg++;
+ if (msg > msgdesc.queue_last)
+@@ -1083,7 +1304,7 @@ static void __init enable_timeouts(void)
+ */
+ mmr_image |= (1L << SOFTACK_MSHIFT);
+ if (is_uv2_hub()) {
+- mmr_image |= (1L << UV2_LEG_SHFT);
++ mmr_image &= ~(1L << UV2_LEG_SHFT);
+ mmr_image |= (1L << UV2_EXT_SHFT);
+ }
+ write_mmr_misc_control(pnode, mmr_image);
+@@ -1142,7 +1363,7 @@ static int ptc_seq_show(struct seq_file *file, void *data)
+ seq_printf(file,
+ "all one mult none retry canc nocan reset rcan ");
+ seq_printf(file,
+- "disable enable\n");
++ "disable enable wars warshw warwaits\n");
+ }
+ if (cpu < num_possible_cpus() && cpu_online(cpu)) {
+ stat = &per_cpu(ptcstats, cpu);
+@@ -1173,8 +1394,10 @@ static int ptc_seq_show(struct seq_file *file, void *data)
+ stat->d_nomsg, stat->d_retries, stat->d_canceled,
+ stat->d_nocanceled, stat->d_resets,
+ stat->d_rcanceled);
+- seq_printf(file, "%ld %ld\n",
+- stat->s_bau_disabled, stat->s_bau_reenabled);
++ seq_printf(file, "%ld %ld %ld %ld %ld\n",
++ stat->s_bau_disabled, stat->s_bau_reenabled,
++ stat->s_uv2_wars, stat->s_uv2_wars_hw,
++ stat->s_uv2_war_waits);
+ }
+ return 0;
+ }
+@@ -1432,12 +1655,15 @@ static void activation_descriptor_init(int node, int pnode, int base_pnode)
+ {
+ int i;
+ int cpu;
++ int uv1 = 0;
+ unsigned long gpa;
+ unsigned long m;
+ unsigned long n;
+ size_t dsize;
+ struct bau_desc *bau_desc;
+ struct bau_desc *bd2;
++ struct uv1_bau_msg_header *uv1_hdr;
++ struct uv2_bau_msg_header *uv2_hdr;
+ struct bau_control *bcp;
+
+ /*
+@@ -1451,6 +1677,8 @@ static void activation_descriptor_init(int node, int pnode, int base_pnode)
+ gpa = uv_gpa(bau_desc);
+ n = uv_gpa_to_gnode(gpa);
+ m = uv_gpa_to_offset(gpa);
++ if (is_uv1_hub())
++ uv1 = 1;
+
+ /* the 14-bit pnode */
+ write_mmr_descriptor_base(pnode, (n << UV_DESC_PSHIFT | m));
+@@ -1461,21 +1689,33 @@ static void activation_descriptor_init(int node, int pnode, int base_pnode)
+ */
+ for (i = 0, bd2 = bau_desc; i < (ADP_SZ * ITEMS_PER_DESC); i++, bd2++) {
+ memset(bd2, 0, sizeof(struct bau_desc));
+- bd2->header.swack_flag = 1;
+- /*
+- * The base_dest_nasid set in the message header is the nasid
+- * of the first uvhub in the partition. The bit map will
+- * indicate destination pnode numbers relative to that base.
+- * They may not be consecutive if nasid striding is being used.
+- */
+- bd2->header.base_dest_nasid = UV_PNODE_TO_NASID(base_pnode);
+- bd2->header.dest_subnodeid = UV_LB_SUBNODEID;
+- bd2->header.command = UV_NET_ENDPOINT_INTD;
+- bd2->header.int_both = 1;
+- /*
+- * all others need to be set to zero:
+- * fairness chaining multilevel count replied_to
+- */
++ if (uv1) {
++ uv1_hdr = &bd2->header.uv1_hdr;
++ uv1_hdr->swack_flag = 1;
++ /*
++ * The base_dest_nasid set in the message header
++ * is the nasid of the first uvhub in the partition.
++ * The bit map will indicate destination pnode numbers
++ * relative to that base. They may not be consecutive
++ * if nasid striding is being used.
++ */
++ uv1_hdr->base_dest_nasid =
++ UV_PNODE_TO_NASID(base_pnode);
++ uv1_hdr->dest_subnodeid = UV_LB_SUBNODEID;
++ uv1_hdr->command = UV_NET_ENDPOINT_INTD;
++ uv1_hdr->int_both = 1;
++ /*
++ * all others need to be set to zero:
++ * fairness chaining multilevel count replied_to
++ */
++ } else {
++ uv2_hdr = &bd2->header.uv2_hdr;
++ uv2_hdr->swack_flag = 1;
++ uv2_hdr->base_dest_nasid =
++ UV_PNODE_TO_NASID(base_pnode);
++ uv2_hdr->dest_subnodeid = UV_LB_SUBNODEID;
++ uv2_hdr->command = UV_NET_ENDPOINT_INTD;
++ }
+ }
+ for_each_present_cpu(cpu) {
+ if (pnode != uv_blade_to_pnode(uv_cpu_to_blade_id(cpu)))
+@@ -1531,6 +1771,7 @@ static void pq_init(int node, int pnode)
+ write_mmr_payload_first(pnode, pn_first);
+ write_mmr_payload_tail(pnode, first);
+ write_mmr_payload_last(pnode, last);
++ write_gmmr_sw_ack(pnode, 0xffffUL);
+
+ /* in effect, all msg_type's are set to MSG_NOOP */
+ memset(pqp, 0, sizeof(struct bau_pq_entry) * DEST_Q_SIZE);
+@@ -1584,14 +1825,14 @@ static int calculate_destination_timeout(void)
+ ts_ns = base * mult1 * mult2;
+ ret = ts_ns / 1000;
+ } else {
+- /* 4 bits 0/1 for 10/80us, 3 bits of multiplier */
+- mmr_image = uv_read_local_mmr(UVH_AGING_PRESCALE_SEL);
++ /* 4 bits 0/1 for 10/80us base, 3 bits of multiplier */
++ mmr_image = uv_read_local_mmr(UVH_LB_BAU_MISC_CONTROL);
+ mmr_image = (mmr_image & UV_SA_MASK) >> UV_SA_SHFT;
+ if (mmr_image & (1L << UV2_ACK_UNITS_SHFT))
+- mult1 = 80;
++ base = 80;
+ else
+- mult1 = 10;
+- base = mmr_image & UV2_ACK_MASK;
++ base = 10;
++ mult1 = mmr_image & UV2_ACK_MASK;
+ ret = mult1 * base;
+ }
+ return ret;
+@@ -1618,6 +1859,7 @@ static void __init init_per_cpu_tunables(void)
+ bcp->cong_response_us = congested_respns_us;
+ bcp->cong_reps = congested_reps;
+ bcp->cong_period = congested_period;
++ bcp->clocks_per_100_usec = usec_2_cycles(100);
+ }
+ }
+
+@@ -1728,8 +1970,17 @@ static int scan_sock(struct socket_desc *sdp, struct uvhub_desc *bdp,
+ bcp->cpus_in_socket = sdp->num_cpus;
+ bcp->socket_master = *smasterp;
+ bcp->uvhub = bdp->uvhub;
++ if (is_uv1_hub())
++ bcp->uvhub_version = 1;
++ else if (is_uv2_hub())
++ bcp->uvhub_version = 2;
++ else {
++ printk(KERN_EMERG "uvhub version not 1 or 2\n");
++ return 1;
++ }
+ bcp->uvhub_master = *hmasterp;
+ bcp->uvhub_cpu = uv_cpu_hub_info(cpu)->blade_processor_id;
++ bcp->using_desc = bcp->uvhub_cpu;
+ if (bcp->uvhub_cpu >= MAX_CPUS_PER_UVHUB) {
+ printk(KERN_EMERG "%d cpus per uvhub invalid\n",
+ bcp->uvhub_cpu);
+@@ -1845,6 +2096,8 @@ static int __init uv_bau_init(void)
+ uv_base_pnode = uv_blade_to_pnode(uvhub);
+ }
+
++ enable_timeouts();
++
+ if (init_per_cpu(nuvhubs, uv_base_pnode)) {
+ nobau = 1;
+ return 0;
+@@ -1855,7 +2108,6 @@ static int __init uv_bau_init(void)
+ if (uv_blade_nr_possible_cpus(uvhub))
+ init_uvhub(uvhub, vector, uv_base_pnode);
+
+- enable_timeouts();
+ alloc_intr_gate(vector, uv_bau_message_intr1);
+
+ for_each_possible_blade(uvhub) {
+@@ -1867,7 +2119,8 @@ static int __init uv_bau_init(void)
+ val = 1L << 63;
+ write_gmmr_activation(pnode, val);
+ mmr = 1; /* should be 1 to broadcast to both sockets */
+- write_mmr_data_broadcast(pnode, mmr);
++ if (!is_uv1_hub())
++ write_mmr_data_broadcast(pnode, mmr);
+ }
+ }
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index fbdf0d8..688be8a 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -24,6 +24,7 @@
+ #include <linux/capability.h>
+ #include <linux/completion.h>
+ #include <linux/cdrom.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+ #include <linux/times.h>
+ #include <asm/uaccess.h>
+@@ -690,6 +691,57 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++ if (bd && bd == bd->bd_contains)
++ return 0;
++
++ /* Actually none of these is particularly useful on a partition,
++ * but they are safe.
++ */
++ switch (cmd) {
++ case SCSI_IOCTL_GET_IDLUN:
++ case SCSI_IOCTL_GET_BUS_NUMBER:
++ case SCSI_IOCTL_GET_PCI:
++ case SCSI_IOCTL_PROBE_HOST:
++ case SG_GET_VERSION_NUM:
++ case SG_SET_TIMEOUT:
++ case SG_GET_TIMEOUT:
++ case SG_GET_RESERVED_SIZE:
++ case SG_SET_RESERVED_SIZE:
++ case SG_EMULATED_HOST:
++ return 0;
++ case CDROM_GET_CAPABILITY:
++ /* Keep this until we remove the printk below. udev sends it
++ * and we do not want to spam dmesg about it. CD-ROMs do
++ * not have partitions, so we get here only for disks.
++ */
++ return -ENOTTY;
++ default:
++ break;
++ }
++
++ /* In particular, rule out all resets and host-specific ioctls. */
++ printk_ratelimited(KERN_WARNING
++ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
++
++ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
++int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
++ unsigned int cmd, void __user *arg)
++{
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bd, cmd);
++ if (ret < 0)
++ return ret;
++
++ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
++}
++EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
++
+ static int __init blk_scsi_ioctl_init(void)
+ {
+ blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
+diff --git a/drivers/acpi/acpica/dsargs.c b/drivers/acpi/acpica/dsargs.c
+index 8c7b997..42163d8 100644
+--- a/drivers/acpi/acpica/dsargs.c
++++ b/drivers/acpi/acpica/dsargs.c
+@@ -387,5 +387,29 @@ acpi_status acpi_ds_get_region_arguments(union acpi_operand_object *obj_desc)
+ status = acpi_ds_execute_arguments(node, node->parent,
+ extra_desc->extra.aml_length,
+ extra_desc->extra.aml_start);
++ if (ACPI_FAILURE(status)) {
++ return_ACPI_STATUS(status);
++ }
++
++ /* Validate the region address/length via the host OS */
++
++ status = acpi_os_validate_address(obj_desc->region.space_id,
++ obj_desc->region.address,
++ (acpi_size) obj_desc->region.length,
++ acpi_ut_get_node_name(node));
++
++ if (ACPI_FAILURE(status)) {
++ /*
++ * Invalid address/length. We will emit an error message and mark
++ * the region as invalid, so that it will cause an additional error if
++ * it is ever used. Then return AE_OK.
++ */
++ ACPI_EXCEPTION((AE_INFO, status,
++ "During address validation of OpRegion [%4.4s]",
++ node->name.ascii));
++ obj_desc->common.flags |= AOPOBJ_INVALID;
++ status = AE_OK;
++ }
++
+ return_ACPI_STATUS(status);
+ }
+diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
+index 3b5c318..e56f3be 100644
+--- a/drivers/acpi/numa.c
++++ b/drivers/acpi/numa.c
+@@ -45,6 +45,8 @@ static int pxm_to_node_map[MAX_PXM_DOMAINS]
+ static int node_to_pxm_map[MAX_NUMNODES]
+ = { [0 ... MAX_NUMNODES - 1] = PXM_INVAL };
+
++unsigned char acpi_srat_revision __initdata;
++
+ int pxm_to_node(int pxm)
+ {
+ if (pxm < 0)
+@@ -255,9 +257,13 @@ acpi_parse_memory_affinity(struct acpi_subtable_header * header,
+
+ static int __init acpi_parse_srat(struct acpi_table_header *table)
+ {
++ struct acpi_table_srat *srat;
+ if (!table)
+ return -EINVAL;
+
++ srat = (struct acpi_table_srat *)table;
++ acpi_srat_revision = srat->header.revision;
++
+ /* Real work done in acpi_table_parse_srat below. */
+
+ return 0;
+diff --git a/drivers/acpi/processor_core.c b/drivers/acpi/processor_core.c
+index 3a0428e..c850de4 100644
+--- a/drivers/acpi/processor_core.c
++++ b/drivers/acpi/processor_core.c
+@@ -173,8 +173,30 @@ int acpi_get_cpuid(acpi_handle handle, int type, u32 acpi_id)
+ apic_id = map_mat_entry(handle, type, acpi_id);
+ if (apic_id == -1)
+ apic_id = map_madt_entry(type, acpi_id);
+- if (apic_id == -1)
+- return apic_id;
++ if (apic_id == -1) {
++ /*
++ * On UP processor, there is no _MAT or MADT table.
++ * So above apic_id is always set to -1.
++ *
++ * BIOS may define multiple CPU handles even for UP processor.
++ * For example,
++ *
++ * Scope (_PR)
++ * {
++ * Processor (CPU0, 0x00, 0x00000410, 0x06) {}
++ * Processor (CPU1, 0x01, 0x00000410, 0x06) {}
++ * Processor (CPU2, 0x02, 0x00000410, 0x06) {}
++ * Processor (CPU3, 0x03, 0x00000410, 0x06) {}
++ * }
++ *
++ * Ignores apic_id and always return 0 for CPU0's handle.
++ * Return -1 for other CPU's handle.
++ */
++ if (acpi_id == 0)
++ return acpi_id;
++ else
++ return apic_id;
++ }
+
+ #ifdef CONFIG_SMP
+ for_each_possible_cpu(i) {
+diff --git a/drivers/bcma/host_pci.c b/drivers/bcma/host_pci.c
+index 990f5a8..48e06be 100644
+--- a/drivers/bcma/host_pci.c
++++ b/drivers/bcma/host_pci.c
+@@ -227,11 +227,14 @@ static void bcma_host_pci_remove(struct pci_dev *dev)
+ #ifdef CONFIG_PM
+ static int bcma_host_pci_suspend(struct pci_dev *dev, pm_message_t state)
+ {
++ struct bcma_bus *bus = pci_get_drvdata(dev);
++
+ /* Host specific */
+ pci_save_state(dev);
+ pci_disable_device(dev);
+ pci_set_power_state(dev, pci_choose_state(dev, state));
+
++ bus->mapped_core = NULL;
+ return 0;
+ }
+
+diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
+index 587cce5..b0f553b 100644
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -1735,7 +1735,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+ case CCISS_BIG_PASSTHRU:
+ return cciss_bigpassthru(h, argp);
+
+- /* scsi_cmd_ioctl handles these, below, though some are not */
++ /* scsi_cmd_blk_ioctl handles these, below, though some are not */
+ /* very meaningful for cciss. SG_IO is the main one people want. */
+
+ case SG_GET_VERSION_NUM:
+@@ -1746,9 +1746,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+ case SG_EMULATED_HOST:
+ case SG_IO:
+ case SCSI_IOCTL_SEND_COMMAND:
+- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
++ return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
+
+- /* scsi_cmd_ioctl would normally handle these, below, but */
++ /* scsi_cmd_blk_ioctl would normally handle these, below, but */
+ /* they aren't a good fit for cciss, as CD-ROMs are */
+ /* not supported, and we don't have any bus/target/lun */
+ /* which we present to the kernel. */
+diff --git a/drivers/block/ub.c b/drivers/block/ub.c
+index 0e376d4..7333b9e 100644
+--- a/drivers/block/ub.c
++++ b/drivers/block/ub.c
+@@ -1744,12 +1744,11 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
+ static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+- struct gendisk *disk = bdev->bd_disk;
+ void __user *usermem = (void __user *) arg;
+ int ret;
+
+ mutex_lock(&ub_mutex);
+- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
++ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);
+ mutex_unlock(&ub_mutex);
+
+ return ret;
+diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
+index 4d0b70a..e46f2f7 100644
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -243,8 +243,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
+ if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
+ return -ENOTTY;
+
+- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
+- (void __user *)data);
++ return scsi_cmd_blk_ioctl(bdev, mode, cmd,
++ (void __user *)data);
+ }
+
+ /* We provide getgeo only to please some old bootloader/partitioning tools */
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index f997c27..cedb231 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2747,12 +2747,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
+ {
+ void __user *argp = (void __user *)arg;
+ int ret;
+- struct gendisk *disk = bdev->bd_disk;
+
+ /*
+ * Try the generic SCSI command ioctl's first.
+ */
+- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
++ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
+ if (ret != -ENOTTY)
+ return ret;
+
+diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+index bfc08f6..31b0d1a 100644
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -2177,6 +2177,7 @@ bool r100_gpu_is_lockup(struct radeon_device *rdev)
+ void r100_bm_disable(struct radeon_device *rdev)
+ {
+ u32 tmp;
++ u16 tmp16;
+
+ /* disable bus mastering */
+ tmp = RREG32(R_000030_BUS_CNTL);
+@@ -2187,8 +2188,8 @@ void r100_bm_disable(struct radeon_device *rdev)
+ WREG32(R_000030_BUS_CNTL, (tmp & 0xFFFFFFFF) | 0x00000040);
+ tmp = RREG32(RADEON_BUS_CNTL);
+ mdelay(1);
+- pci_read_config_word(rdev->pdev, 0x4, (u16*)&tmp);
+- pci_write_config_word(rdev->pdev, 0x4, tmp & 0xFFFB);
++ pci_read_config_word(rdev->pdev, 0x4, &tmp16);
++ pci_write_config_word(rdev->pdev, 0x4, tmp16 & 0xFFFB);
+ mdelay(1);
+ }
+
+diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c
+index f5ac7e7..c45d921 100644
+--- a/drivers/gpu/drm/radeon/r600_hdmi.c
++++ b/drivers/gpu/drm/radeon/r600_hdmi.c
+@@ -196,6 +196,13 @@ static void r600_hdmi_videoinfoframe(
+ frame[0xD] = (right_bar >> 8);
+
+ r600_hdmi_infoframe_checksum(0x82, 0x02, 0x0D, frame);
++ /* Our header values (type, version, length) should be alright, Intel
++ * is using the same. Checksum function also seems to be OK, it works
++ * fine for audio infoframe. However calculated value is always lower
++ * by 2 in comparison to fglrx. It breaks displaying anything in case
++ * of TVs that strictly check the checksum. Hack it manually here to
++ * workaround this issue. */
++ frame[0x0] += 2;
+
+ WREG32(offset+R600_HDMI_VIDEOINFOFRAME_0,
+ frame[0x0] | (frame[0x1] << 8) | (frame[0x2] << 16) | (frame[0x3] << 24));
+diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
+index c4d00a1..9b39145 100644
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -224,8 +224,11 @@ int radeon_wb_init(struct radeon_device *rdev)
+ if (radeon_no_wb == 1)
+ rdev->wb.enabled = false;
+ else {
+- /* often unreliable on AGP */
+ if (rdev->flags & RADEON_IS_AGP) {
++ /* often unreliable on AGP */
++ rdev->wb.enabled = false;
++ } else if (rdev->family < CHIP_R300) {
++ /* often unreliable on pre-r300 */
+ rdev->wb.enabled = false;
+ } else {
+ rdev->wb.enabled = true;
+diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
+index b1053d6..c259e21 100644
+--- a/drivers/gpu/drm/radeon/rs600.c
++++ b/drivers/gpu/drm/radeon/rs600.c
+@@ -324,10 +324,10 @@ void rs600_hpd_fini(struct radeon_device *rdev)
+
+ void rs600_bm_disable(struct radeon_device *rdev)
+ {
+- u32 tmp;
++ u16 tmp;
+
+ /* disable bus mastering */
+- pci_read_config_word(rdev->pdev, 0x4, (u16*)&tmp);
++ pci_read_config_word(rdev->pdev, 0x4, &tmp);
+ pci_write_config_word(rdev->pdev, 0x4, tmp & 0xFFFB);
+ mdelay(1);
+ }
+diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
+index 22a4a05..d21f6d0 100644
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -335,6 +335,7 @@ config HID_MULTITOUCH
+ Say Y here if you have one of the following devices:
+ - 3M PCT touch screens
+ - ActionStar dual touch panels
++ - Atmel panels
+ - Cando dual touch panels
+ - Chunghwa panels
+ - CVTouch panels
+@@ -355,6 +356,7 @@ config HID_MULTITOUCH
+ - Touch International Panels
+ - Unitec Panels
+ - XAT optical touch panels
++ - Xiroku optical touch panels
+
+ If unsure, say N.
+
+@@ -620,6 +622,7 @@ config HID_WIIMOTE
+ depends on BT_HIDP
+ depends on LEDS_CLASS
+ select POWER_SUPPLY
++ select INPUT_FF_MEMLESS
+ ---help---
+ Support for the Nintendo Wii Remote bluetooth device.
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index af35384..bb656d8 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -362,7 +362,7 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_SIZE:
+ parser->global.report_size = item_udata(item);
+- if (parser->global.report_size > 32) {
++ if (parser->global.report_size > 96) {
+ dbg_hid("invalid report_size %d\n",
+ parser->global.report_size);
+ return -1;
+@@ -1404,11 +1404,13 @@ static const struct hid_device_id hid_have_special_driver[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_CYPRESS, USB_DEVICE_ID_CYPRESS_TRUETOUCH) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 0x0006) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 0x0011) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH1) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH2) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH3) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH4) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480D) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480E) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_720C) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_726B) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72A1) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7302) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2515) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II) },
+@@ -1423,6 +1425,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_GYRATION, USB_DEVICE_ID_GYRATION_REMOTE_2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_GYRATION, USB_DEVICE_ID_GYRATION_REMOTE_3) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HANVON, USB_DEVICE_ID_HANVON_MULTITOUCH) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_HANVON_ALT, USB_DEVICE_ID_HANVON_ALT_MULTITOUCH) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_IDEACOM, USB_DEVICE_ID_IDEACOM_IDC6650) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK, USB_DEVICE_ID_HOLTEK_ON_LINE_GRIP) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ILITEK, USB_DEVICE_ID_ILITEK_MULTITOUCH) },
+@@ -1549,6 +1552,15 @@ static const struct hid_device_id hid_have_special_driver[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_MEDIA_TABLET_10_6_INCH) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_MEDIA_TABLET_14_1_INCH) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_XAT, USB_DEVICE_ID_XAT_CSR) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_SPX) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_MPX) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_CSR) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_SPX1) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_MPX1) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_CSR1) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_SPX2) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_MPX2) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIROKU, USB_DEVICE_ID_XIROKU_CSR2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_X_TENSIONS, USB_DEVICE_ID_SPEEDLINK_VAD_CEZANNE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0005) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0030) },
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 4a441a6..00cabb3 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -21,6 +21,7 @@
+ #define USB_VENDOR_ID_3M 0x0596
+ #define USB_DEVICE_ID_3M1968 0x0500
+ #define USB_DEVICE_ID_3M2256 0x0502
++#define USB_DEVICE_ID_3M3266 0x0506
+
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+@@ -145,6 +146,9 @@
+ #define USB_DEVICE_ID_ATEN_4PORTKVM 0x2205
+ #define USB_DEVICE_ID_ATEN_4PORTKVMC 0x2208
+
++#define USB_VENDOR_ID_ATMEL 0x03eb
++#define USB_DEVICE_ID_ATMEL_MULTITOUCH 0x211c
++
+ #define USB_VENDOR_ID_AVERMEDIA 0x07ca
+ #define USB_DEVICE_ID_AVER_FM_MR800 0xb800
+
+@@ -230,11 +234,14 @@
+
+ #define USB_VENDOR_ID_DWAV 0x0eef
+ #define USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER 0x0001
+-#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH 0x480d
+-#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH1 0x720c
+-#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH2 0x72a1
+-#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH3 0x480e
+-#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH4 0x726b
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480D 0x480d
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480E 0x480e
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_720C 0x720c
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_726B 0x726b
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72A1 0x72a1
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72FA 0x72fa
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7302 0x7302
++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001
+
+ #define USB_VENDOR_ID_ELECOM 0x056e
+ #define USB_DEVICE_ID_ELECOM_BM084 0x0061
+@@ -356,6 +363,9 @@
+ #define USB_VENDOR_ID_HANVON 0x20b3
+ #define USB_DEVICE_ID_HANVON_MULTITOUCH 0x0a18
+
++#define USB_VENDOR_ID_HANVON_ALT 0x22ed
++#define USB_DEVICE_ID_HANVON_ALT_MULTITOUCH 0x1010
++
+ #define USB_VENDOR_ID_HAPP 0x078b
+ #define USB_DEVICE_ID_UGCI_DRIVING 0x0010
+ #define USB_DEVICE_ID_UGCI_FLYING 0x0020
+@@ -707,6 +717,17 @@
+ #define USB_VENDOR_ID_XAT 0x2505
+ #define USB_DEVICE_ID_XAT_CSR 0x0220
+
++#define USB_VENDOR_ID_XIROKU 0x1477
++#define USB_DEVICE_ID_XIROKU_SPX 0x1006
++#define USB_DEVICE_ID_XIROKU_MPX 0x1007
++#define USB_DEVICE_ID_XIROKU_CSR 0x100e
++#define USB_DEVICE_ID_XIROKU_SPX1 0x1021
++#define USB_DEVICE_ID_XIROKU_CSR1 0x1022
++#define USB_DEVICE_ID_XIROKU_MPX1 0x1023
++#define USB_DEVICE_ID_XIROKU_SPX2 0x1024
++#define USB_DEVICE_ID_XIROKU_CSR2 0x1025
++#define USB_DEVICE_ID_XIROKU_MPX2 0x1026
++
+ #define USB_VENDOR_ID_YEALINK 0x6993
+ #define USB_DEVICE_ID_YEALINK_P1K_P4K_B2K 0xb001
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index f1c909f..995fc4c 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -609,12 +609,20 @@ static const struct hid_device_id mt_devices[] = {
+ { .driver_data = MT_CLS_3M,
+ HID_USB_DEVICE(USB_VENDOR_ID_3M,
+ USB_DEVICE_ID_3M2256) },
++ { .driver_data = MT_CLS_3M,
++ HID_USB_DEVICE(USB_VENDOR_ID_3M,
++ USB_DEVICE_ID_3M3266) },
+
+ /* ActionStar panels */
+ { .driver_data = MT_CLS_DEFAULT,
+ HID_USB_DEVICE(USB_VENDOR_ID_ACTIONSTAR,
+ USB_DEVICE_ID_ACTIONSTAR_1011) },
+
++ /* Atmel panels */
++ { .driver_data = MT_CLS_SERIAL,
++ HID_USB_DEVICE(USB_VENDOR_ID_ATMEL,
++ USB_DEVICE_ID_ATMEL_MULTITOUCH) },
++
+ /* Cando panels */
+ { .driver_data = MT_CLS_DUAL_INRANGE_CONTACTNUMBER,
+ HID_USB_DEVICE(USB_VENDOR_ID_CANDO,
+@@ -645,23 +653,32 @@ static const struct hid_device_id mt_devices[] = {
+ USB_DEVICE_ID_CYPRESS_TRUETOUCH) },
+
+ /* eGalax devices (resistive) */
+- { .driver_data = MT_CLS_EGALAX,
++ { .driver_data = MT_CLS_EGALAX,
+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
+- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH) },
+- { .driver_data = MT_CLS_EGALAX,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480D) },
++ { .driver_data = MT_CLS_EGALAX,
+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
+- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH3) },
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_480E) },
+
+ /* eGalax devices (capacitive) */
+- { .driver_data = MT_CLS_EGALAX,
++ { .driver_data = MT_CLS_EGALAX,
++ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_720C) },
++ { .driver_data = MT_CLS_EGALAX,
+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
+- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH1) },
+- { .driver_data = MT_CLS_EGALAX,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_726B) },
++ { .driver_data = MT_CLS_EGALAX,
+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
+- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH2) },
+- { .driver_data = MT_CLS_EGALAX,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72A1) },
++ { .driver_data = MT_CLS_EGALAX,
+ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
+- USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH4) },
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_72FA) },
++ { .driver_data = MT_CLS_EGALAX,
++ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7302) },
++ { .driver_data = MT_CLS_EGALAX,
++ HID_USB_DEVICE(USB_VENDOR_ID_DWAV,
++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) },
+
+ /* Elo TouchSystems IntelliTouch Plus panel */
+ { .driver_data = MT_CLS_DUAL_NSMU_CONTACTID,
+@@ -678,6 +695,11 @@ static const struct hid_device_id mt_devices[] = {
+ HID_USB_DEVICE(USB_VENDOR_ID_GOODTOUCH,
+ USB_DEVICE_ID_GOODTOUCH_000f) },
+
++ /* Hanvon panels */
++ { .driver_data = MT_CLS_DUAL_INRANGE_CONTACTID,
++ HID_USB_DEVICE(USB_VENDOR_ID_HANVON_ALT,
++ USB_DEVICE_ID_HANVON_ALT_MULTITOUCH) },
++
+ /* Ideacom panel */
+ { .driver_data = MT_CLS_SERIAL,
+ HID_USB_DEVICE(USB_VENDOR_ID_IDEACOM,
+@@ -758,6 +780,35 @@ static const struct hid_device_id mt_devices[] = {
+ HID_USB_DEVICE(USB_VENDOR_ID_XAT,
+ USB_DEVICE_ID_XAT_CSR) },
+
++ /* Xiroku */
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_SPX) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_MPX) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_CSR) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_SPX1) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_MPX1) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_CSR1) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_SPX2) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_MPX2) },
++ { .driver_data = MT_CLS_DEFAULT,
++ HID_USB_DEVICE(USB_VENDOR_ID_XIROKU,
++ USB_DEVICE_ID_XIROKU_CSR2) },
++
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, mt_devices);
+diff --git a/drivers/i2c/busses/i2c-ali1535.c b/drivers/i2c/busses/i2c-ali1535.c
+index b6807db..5b667e5 100644
+--- a/drivers/i2c/busses/i2c-ali1535.c
++++ b/drivers/i2c/busses/i2c-ali1535.c
+@@ -140,7 +140,7 @@ static unsigned short ali1535_smba;
+ defined to make the transition easier. */
+ static int __devinit ali1535_setup(struct pci_dev *dev)
+ {
+- int retval = -ENODEV;
++ int retval;
+ unsigned char temp;
+
+ /* Check the following things:
+@@ -155,6 +155,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
+ if (ali1535_smba == 0) {
+ dev_warn(&dev->dev,
+ "ALI1535_smb region uninitialized - upgrade BIOS?\n");
++ retval = -ENODEV;
+ goto exit;
+ }
+
+@@ -167,6 +168,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
+ ali1535_driver.name)) {
+ dev_err(&dev->dev, "ALI1535_smb region 0x%x already in use!\n",
+ ali1535_smba);
++ retval = -EBUSY;
+ goto exit;
+ }
+
+@@ -174,6 +176,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
+ pci_read_config_byte(dev, SMBCFG, &temp);
+ if ((temp & ALI1535_SMBIO_EN) == 0) {
+ dev_err(&dev->dev, "SMB device not enabled - upgrade BIOS?\n");
++ retval = -ENODEV;
+ goto exit_free;
+ }
+
+@@ -181,6 +184,7 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
+ pci_read_config_byte(dev, SMBHSTCFG, &temp);
+ if ((temp & 1) == 0) {
+ dev_err(&dev->dev, "SMBus controller not enabled - upgrade BIOS?\n");
++ retval = -ENODEV;
+ goto exit_free;
+ }
+
+@@ -198,12 +202,11 @@ static int __devinit ali1535_setup(struct pci_dev *dev)
+ dev_dbg(&dev->dev, "SMBREV = 0x%X\n", temp);
+ dev_dbg(&dev->dev, "ALI1535_smba = 0x%X\n", ali1535_smba);
+
+- retval = 0;
+-exit:
+- return retval;
++ return 0;
+
+ exit_free:
+ release_region(ali1535_smba, ALI1535_SMB_IOSIZE);
++exit:
+ return retval;
+ }
+
+diff --git a/drivers/i2c/busses/i2c-eg20t.c b/drivers/i2c/busses/i2c-eg20t.c
+index 18936ac..730215e 100644
+--- a/drivers/i2c/busses/i2c-eg20t.c
++++ b/drivers/i2c/busses/i2c-eg20t.c
+@@ -243,7 +243,7 @@ static void pch_i2c_init(struct i2c_algo_pch_data *adap)
+ if (pch_clk > PCH_MAX_CLK)
+ pch_clk = 62500;
+
+- pch_i2cbc = (pch_clk + (pch_i2c_speed * 4)) / pch_i2c_speed * 8;
++ pch_i2cbc = (pch_clk + (pch_i2c_speed * 4)) / (pch_i2c_speed * 8);
+ /* Set transfer speed in I2CBC */
+ iowrite32(pch_i2cbc, p + PCH_I2CBC);
+
+diff --git a/drivers/i2c/busses/i2c-nforce2.c b/drivers/i2c/busses/i2c-nforce2.c
+index ff1e127..4853b52 100644
+--- a/drivers/i2c/busses/i2c-nforce2.c
++++ b/drivers/i2c/busses/i2c-nforce2.c
+@@ -356,7 +356,7 @@ static int __devinit nforce2_probe_smb (struct pci_dev *dev, int bar,
+ error = acpi_check_region(smbus->base, smbus->size,
+ nforce2_driver.name);
+ if (error)
+- return -1;
++ return error;
+
+ if (!request_region(smbus->base, smbus->size, nforce2_driver.name)) {
+ dev_err(&smbus->adapter.dev, "Error requesting region %02x .. %02X for %s\n",
+diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c
+index fa23faa..257c1a5 100644
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -235,7 +235,7 @@ static const u8 reg_map_ip_v2[] = {
+ [OMAP_I2C_BUF_REG] = 0x94,
+ [OMAP_I2C_CNT_REG] = 0x98,
+ [OMAP_I2C_DATA_REG] = 0x9c,
+- [OMAP_I2C_SYSC_REG] = 0x20,
++ [OMAP_I2C_SYSC_REG] = 0x10,
+ [OMAP_I2C_CON_REG] = 0xa4,
+ [OMAP_I2C_OA_REG] = 0xa8,
+ [OMAP_I2C_SA_REG] = 0xac,
+diff --git a/drivers/i2c/busses/i2c-sis5595.c b/drivers/i2c/busses/i2c-sis5595.c
+index 4375866..6d60284 100644
+--- a/drivers/i2c/busses/i2c-sis5595.c
++++ b/drivers/i2c/busses/i2c-sis5595.c
+@@ -147,7 +147,7 @@ static int __devinit sis5595_setup(struct pci_dev *SIS5595_dev)
+ u16 a;
+ u8 val;
+ int *i;
+- int retval = -ENODEV;
++ int retval;
+
+ /* Look for imposters */
+ for (i = blacklist; *i != 0; i++) {
+@@ -223,7 +223,7 @@ static int __devinit sis5595_setup(struct pci_dev *SIS5595_dev)
+
+ error:
+ release_region(sis5595_base + SMB_INDEX, 2);
+- return retval;
++ return -ENODEV;
+ }
+
+ static int sis5595_transaction(struct i2c_adapter *adap)
+diff --git a/drivers/i2c/busses/i2c-sis630.c b/drivers/i2c/busses/i2c-sis630.c
+index e6f539e..b617fd0 100644
+--- a/drivers/i2c/busses/i2c-sis630.c
++++ b/drivers/i2c/busses/i2c-sis630.c
+@@ -393,7 +393,7 @@ static int __devinit sis630_setup(struct pci_dev *sis630_dev)
+ {
+ unsigned char b;
+ struct pci_dev *dummy = NULL;
+- int retval = -ENODEV, i;
++ int retval, i;
+
+ /* check for supported SiS devices */
+ for (i=0; supported[i] > 0 ; i++) {
+@@ -418,18 +418,21 @@ static int __devinit sis630_setup(struct pci_dev *sis630_dev)
+ */
+ if (pci_read_config_byte(sis630_dev, SIS630_BIOS_CTL_REG,&b)) {
+ dev_err(&sis630_dev->dev, "Error: Can't read bios ctl reg\n");
++ retval = -ENODEV;
+ goto exit;
+ }
+ /* if ACPI already enabled , do nothing */
+ if (!(b & 0x80) &&
+ pci_write_config_byte(sis630_dev, SIS630_BIOS_CTL_REG, b | 0x80)) {
+ dev_err(&sis630_dev->dev, "Error: Can't enable ACPI\n");
++ retval = -ENODEV;
+ goto exit;
+ }
+
+ /* Determine the ACPI base address */
+ if (pci_read_config_word(sis630_dev,SIS630_ACPI_BASE_REG,&acpi_base)) {
+ dev_err(&sis630_dev->dev, "Error: Can't determine ACPI base address\n");
++ retval = -ENODEV;
+ goto exit;
+ }
+
+@@ -445,6 +448,7 @@ static int __devinit sis630_setup(struct pci_dev *sis630_dev)
+ sis630_driver.name)) {
+ dev_err(&sis630_dev->dev, "SMBus registers 0x%04x-0x%04x already "
+ "in use!\n", acpi_base + SMB_STS, acpi_base + SMB_SAA);
++ retval = -EBUSY;
+ goto exit;
+ }
+
+diff --git a/drivers/i2c/busses/i2c-viapro.c b/drivers/i2c/busses/i2c-viapro.c
+index 0b012f1..58261d4 100644
+--- a/drivers/i2c/busses/i2c-viapro.c
++++ b/drivers/i2c/busses/i2c-viapro.c
+@@ -324,7 +324,7 @@ static int __devinit vt596_probe(struct pci_dev *pdev,
+ const struct pci_device_id *id)
+ {
+ unsigned char temp;
+- int error = -ENODEV;
++ int error;
+
+ /* Determine the address of the SMBus areas */
+ if (force_addr) {
+@@ -390,6 +390,7 @@ found:
+ dev_err(&pdev->dev, "SMBUS: Error: Host SMBus "
+ "controller not enabled! - upgrade BIOS or "
+ "use force=1\n");
++ error = -ENODEV;
+ goto release_region;
+ }
+ }
+@@ -422,9 +423,11 @@ found:
+ "SMBus Via Pro adapter at %04x", vt596_smba);
+
+ vt596_pdev = pci_dev_get(pdev);
+- if (i2c_add_adapter(&vt596_adapter)) {
++ error = i2c_add_adapter(&vt596_adapter);
++ if (error) {
+ pci_dev_put(vt596_pdev);
+ vt596_pdev = NULL;
++ goto release_region;
+ }
+
+ /* Always return failure here. This is to allow other drivers to bind
+diff --git a/drivers/ide/ide-floppy_ioctl.c b/drivers/ide/ide-floppy_ioctl.c
+index d267b7a..a22ca84 100644
+--- a/drivers/ide/ide-floppy_ioctl.c
++++ b/drivers/ide/ide-floppy_ioctl.c
+@@ -292,8 +292,7 @@ int ide_floppy_ioctl(ide_drive_t *drive, struct block_device *bdev,
+ * and CDROM_SEND_PACKET (legacy) ioctls
+ */
+ if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
+- err = scsi_cmd_ioctl(bdev->bd_disk->queue, bdev->bd_disk,
+- mode, cmd, argp);
++ err = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
+
+ if (err == -ENOTTY)
+ err = generic_ide_ioctl(drive, bdev, cmd, arg);
+diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c
+index 5d2f8e1..5b39216 100644
+--- a/drivers/idle/intel_idle.c
++++ b/drivers/idle/intel_idle.c
+@@ -348,7 +348,8 @@ static int intel_idle_probe(void)
+ cpuid(CPUID_MWAIT_LEAF, &eax, &ebx, &ecx, &mwait_substates);
+
+ if (!(ecx & CPUID5_ECX_EXTENSIONS_SUPPORTED) ||
+- !(ecx & CPUID5_ECX_INTERRUPT_BREAK))
++ !(ecx & CPUID5_ECX_INTERRUPT_BREAK) ||
++ !mwait_substates)
+ return -ENODEV;
+
+ pr_debug(PREFIX "MWAIT substates: 0x%x\n", mwait_substates);
+@@ -394,7 +395,7 @@ static int intel_idle_probe(void)
+ if (boot_cpu_has(X86_FEATURE_ARAT)) /* Always Reliable APIC Timer */
+ lapic_timer_reliable_states = LAPIC_TIMER_ALWAYS_RELIABLE;
+ else {
+- smp_call_function(__setup_broadcast_timer, (void *)true, 1);
++ on_each_cpu(__setup_broadcast_timer, (void *)true, 1);
+ register_cpu_notifier(&setup_broadcast_notifier);
+ }
+
+@@ -471,7 +472,7 @@ static int intel_idle_cpuidle_driver_init(void)
+ }
+
+ if (auto_demotion_disable_flags)
+- smp_call_function(auto_demotion_disable, NULL, 1);
++ on_each_cpu(auto_demotion_disable, NULL, 1);
+
+ return 0;
+ }
+@@ -568,7 +569,7 @@ static void __exit intel_idle_exit(void)
+ cpuidle_unregister_driver(&intel_idle_driver);
+
+ if (lapic_timer_reliable_states != LAPIC_TIMER_ALWAYS_RELIABLE) {
+- smp_call_function(__setup_broadcast_timer, (void *)false, 1);
++ on_each_cpu(__setup_broadcast_timer, (void *)false, 1);
+ unregister_cpu_notifier(&setup_broadcast_notifier);
+ }
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index f84c080..9fb18c1 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -368,8 +368,17 @@ static int flakey_status(struct dm_target *ti, status_type_t type,
+ static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg)
+ {
+ struct flakey_c *fc = ti->private;
++ struct dm_dev *dev = fc->dev;
++ int r = 0;
+
+- return __blkdev_driver_ioctl(fc->dev->bdev, fc->dev->mode, cmd, arg);
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (fc->start ||
++ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
++ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
+ }
+
+ static int flakey_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
+diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
+index 3921e3b..9728839 100644
+--- a/drivers/md/dm-linear.c
++++ b/drivers/md/dm-linear.c
+@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct linear_c *lc = (struct linear_c *) ti->private;
+- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
++ struct dm_dev *dev = lc->dev;
++ int r = 0;
++
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (lc->start ||
++ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
++ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
+ }
+
+ static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
+diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
+index 5e0090e..801d92d 100644
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1520,6 +1520,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
+
+ spin_unlock_irqrestore(&m->lock, flags);
+
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
+ return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
+ }
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index ede2461..7d9e071 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -525,8 +525,17 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect
+ if (test_bit(WriteMostly, &rdev->flags)) {
+ /* Don't balance among write-mostly, just
+ * use the first as a last resort */
+- if (best_disk < 0)
++ if (best_disk < 0) {
++ if (is_badblock(rdev, this_sector, sectors,
++ &first_bad, &bad_sectors)) {
++ if (first_bad < this_sector)
++ /* Cannot use this */
++ continue;
++ best_good_sectors = first_bad - this_sector;
++ } else
++ best_good_sectors = sectors;
+ best_disk = disk;
++ }
+ continue;
+ }
+ /* This is a reasonable device to use. It might
+diff --git a/drivers/media/video/cx23885/cx23885-dvb.c b/drivers/media/video/cx23885/cx23885-dvb.c
+index bcb45be..f0482b2 100644
+--- a/drivers/media/video/cx23885/cx23885-dvb.c
++++ b/drivers/media/video/cx23885/cx23885-dvb.c
+@@ -940,6 +940,11 @@ static int dvb_register(struct cx23885_tsport *port)
+
+ fe = dvb_attach(xc4000_attach, fe0->dvb.frontend,
+ &dev->i2c_bus[1].i2c_adap, &cfg);
++ if (!fe) {
++ printk(KERN_ERR "%s/2: xc4000 attach failed\n",
++ dev->name);
++ goto frontend_detach;
++ }
+ }
+ break;
+ case CX23885_BOARD_TBS_6920:
+diff --git a/drivers/media/video/cx88/cx88-cards.c b/drivers/media/video/cx88/cx88-cards.c
+index 0d719fa..3929d93 100644
+--- a/drivers/media/video/cx88/cx88-cards.c
++++ b/drivers/media/video/cx88/cx88-cards.c
+@@ -1573,8 +1573,8 @@ static const struct cx88_board cx88_boards[] = {
+ .name = "Pinnacle Hybrid PCTV",
+ .tuner_type = TUNER_XC2028,
+ .tuner_addr = 0x61,
+- .radio_type = TUNER_XC2028,
+- .radio_addr = 0x61,
++ .radio_type = UNSET,
++ .radio_addr = ADDR_UNSET,
+ .input = { {
+ .type = CX88_VMUX_TELEVISION,
+ .vmux = 0,
+@@ -1611,8 +1611,8 @@ static const struct cx88_board cx88_boards[] = {
+ .name = "Leadtek TV2000 XP Global",
+ .tuner_type = TUNER_XC2028,
+ .tuner_addr = 0x61,
+- .radio_type = TUNER_XC2028,
+- .radio_addr = 0x61,
++ .radio_type = UNSET,
++ .radio_addr = ADDR_UNSET,
+ .input = { {
+ .type = CX88_VMUX_TELEVISION,
+ .vmux = 0,
+@@ -2043,8 +2043,8 @@ static const struct cx88_board cx88_boards[] = {
+ .name = "Terratec Cinergy HT PCI MKII",
+ .tuner_type = TUNER_XC2028,
+ .tuner_addr = 0x61,
+- .radio_type = TUNER_XC2028,
+- .radio_addr = 0x61,
++ .radio_type = UNSET,
++ .radio_addr = ADDR_UNSET,
+ .input = { {
+ .type = CX88_VMUX_TELEVISION,
+ .vmux = 0,
+@@ -2082,9 +2082,9 @@ static const struct cx88_board cx88_boards[] = {
+ [CX88_BOARD_WINFAST_DTV1800H] = {
+ .name = "Leadtek WinFast DTV1800 Hybrid",
+ .tuner_type = TUNER_XC2028,
+- .radio_type = TUNER_XC2028,
++ .radio_type = UNSET,
+ .tuner_addr = 0x61,
+- .radio_addr = 0x61,
++ .radio_addr = ADDR_UNSET,
+ /*
+ * GPIO setting
+ *
+@@ -2123,9 +2123,9 @@ static const struct cx88_board cx88_boards[] = {
+ [CX88_BOARD_WINFAST_DTV1800H_XC4000] = {
+ .name = "Leadtek WinFast DTV1800 H (XC4000)",
+ .tuner_type = TUNER_XC4000,
+- .radio_type = TUNER_XC4000,
++ .radio_type = UNSET,
+ .tuner_addr = 0x61,
+- .radio_addr = 0x61,
++ .radio_addr = ADDR_UNSET,
+ /*
+ * GPIO setting
+ *
+@@ -2164,9 +2164,9 @@ static const struct cx88_board cx88_boards[] = {
+ [CX88_BOARD_WINFAST_DTV2000H_PLUS] = {
+ .name = "Leadtek WinFast DTV2000 H PLUS",
+ .tuner_type = TUNER_XC4000,
+- .radio_type = TUNER_XC4000,
++ .radio_type = UNSET,
+ .tuner_addr = 0x61,
+- .radio_addr = 0x61,
++ .radio_addr = ADDR_UNSET,
+ /*
+ * GPIO
+ * 2: 1: mute audio
+diff --git a/drivers/media/video/uvc/uvc_v4l2.c b/drivers/media/video/uvc/uvc_v4l2.c
+index dadf11f..cf7788f 100644
+--- a/drivers/media/video/uvc/uvc_v4l2.c
++++ b/drivers/media/video/uvc/uvc_v4l2.c
+@@ -58,6 +58,15 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain,
+ break;
+
+ case V4L2_CTRL_TYPE_MENU:
++ /* Prevent excessive memory consumption, as well as integer
++ * overflows.
++ */
++ if (xmap->menu_count == 0 ||
++ xmap->menu_count > UVC_MAX_CONTROL_MENU_ENTRIES) {
++ ret = -EINVAL;
++ goto done;
++ }
++
+ size = xmap->menu_count * sizeof(*map->menu_info);
+ map->menu_info = kmalloc(size, GFP_KERNEL);
+ if (map->menu_info == NULL) {
+diff --git a/drivers/media/video/uvc/uvcvideo.h b/drivers/media/video/uvc/uvcvideo.h
+index 4c1392e..bc446ba 100644
+--- a/drivers/media/video/uvc/uvcvideo.h
++++ b/drivers/media/video/uvc/uvcvideo.h
+@@ -113,6 +113,7 @@
+
+ /* Maximum allowed number of control mappings per device */
+ #define UVC_MAX_CONTROL_MAPPINGS 1024
++#define UVC_MAX_CONTROL_MENU_ENTRIES 32
+
+ /* Devices quirks */
+ #define UVC_QUIRK_STATUS_INTERVAL 0x00000001
+diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
+index e1da8fc..639abee 100644
+--- a/drivers/media/video/v4l2-ioctl.c
++++ b/drivers/media/video/v4l2-ioctl.c
+@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
+ struct v4l2_ext_controls *ctrls = parg;
+
+ if (ctrls->count != 0) {
++ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
++ ret = -EINVAL;
++ break;
++ }
+ *user_ptr = (void __user *)ctrls->controls;
+ *kernel_ptr = (void *)&ctrls->controls;
+ *array_size = sizeof(struct v4l2_ext_control)
+diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
+index d240427..fb7c27f 100644
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1048,7 +1048,7 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr,
+ *
+ * WARNING: eMMC rules are NOT the same as SD DDR
+ */
+- if (ddr == EXT_CSD_CARD_TYPE_DDR_1_2V) {
++ if (ddr == MMC_1_2V_DDR_MODE) {
+ err = mmc_set_signal_voltage(host,
+ MMC_SIGNAL_VOLTAGE_120, 0);
+ if (err)
+diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
+index 19ed580..6ce32a7 100644
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1364,8 +1364,7 @@ static void sdhci_do_set_ios(struct sdhci_host *host, struct mmc_ios *ios)
+ if ((ios->timing == MMC_TIMING_UHS_SDR50) ||
+ (ios->timing == MMC_TIMING_UHS_SDR104) ||
+ (ios->timing == MMC_TIMING_UHS_DDR50) ||
+- (ios->timing == MMC_TIMING_UHS_SDR25) ||
+- (ios->timing == MMC_TIMING_UHS_SDR12))
++ (ios->timing == MMC_TIMING_UHS_SDR25))
+ ctrl |= SDHCI_CTRL_HISPD;
+
+ ctrl_2 = sdhci_readw(host, SDHCI_HOST_CONTROL2);
+@@ -2336,9 +2335,8 @@ int sdhci_suspend_host(struct sdhci_host *host)
+ /* Disable tuning since we are suspending */
+ if (host->version >= SDHCI_SPEC_300 && host->tuning_count &&
+ host->tuning_mode == SDHCI_TUNING_MODE_1) {
++ del_timer_sync(&host->tuning_timer);
+ host->flags &= ~SDHCI_NEEDS_RETUNING;
+- mod_timer(&host->tuning_timer, jiffies +
+- host->tuning_count * HZ);
+ }
+
+ ret = mmc_suspend_host(host->mmc);
+diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
+index ed8b5e7..424ca5f 100644
+--- a/drivers/mtd/mtd_blkdevs.c
++++ b/drivers/mtd/mtd_blkdevs.c
+@@ -215,7 +215,7 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
+
+ mutex_lock(&dev->lock);
+
+- if (dev->open++)
++ if (dev->open)
+ goto unlock;
+
+ kref_get(&dev->ref);
+@@ -235,6 +235,7 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
+ goto error_release;
+
+ unlock:
++ dev->open++;
+ mutex_unlock(&dev->lock);
+ blktrans_dev_put(dev);
+ return ret;
+diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
+index 1e2fa62..f3cdce9 100644
+--- a/drivers/mtd/mtdoops.c
++++ b/drivers/mtd/mtdoops.c
+@@ -253,6 +253,9 @@ static void find_next_position(struct mtdoops_context *cxt)
+ size_t retlen;
+
+ for (page = 0; page < cxt->oops_pages; page++) {
++ if (mtd->block_isbad &&
++ mtd->block_isbad(mtd, page * record_size))
++ continue;
+ /* Assume the page is used */
+ mark_page_used(cxt, page);
+ ret = mtd->read(mtd, page * record_size, MTDOOPS_HEADER_SIZE,
+@@ -369,7 +372,7 @@ static void mtdoops_notify_add(struct mtd_info *mtd)
+
+ /* oops_page_used is a bit field */
+ cxt->oops_page_used = vmalloc(DIV_ROUND_UP(mtdoops_pages,
+- BITS_PER_LONG));
++ BITS_PER_LONG) * sizeof(unsigned long));
+ if (!cxt->oops_page_used) {
+ printk(KERN_ERR "mtdoops: could not allocate page array\n");
+ return;
+diff --git a/drivers/mtd/tests/mtd_stresstest.c b/drivers/mtd/tests/mtd_stresstest.c
+index 52ffd91..811642f 100644
+--- a/drivers/mtd/tests/mtd_stresstest.c
++++ b/drivers/mtd/tests/mtd_stresstest.c
+@@ -284,6 +284,12 @@ static int __init mtd_stresstest_init(void)
+ (unsigned long long)mtd->size, mtd->erasesize,
+ pgsize, ebcnt, pgcnt, mtd->oobsize);
+
++ if (ebcnt < 2) {
++ printk(PRINT_PREF "error: need at least 2 eraseblocks\n");
++ err = -ENOSPC;
++ goto out_put_mtd;
++ }
++
+ /* Read or write up 2 eraseblocks at a time */
+ bufsize = mtd->erasesize * 2;
+
+@@ -322,6 +328,7 @@ out:
+ kfree(bbt);
+ vfree(writebuf);
+ vfree(readbuf);
++out_put_mtd:
+ put_mtd_device(mtd);
+ if (err)
+ printk(PRINT_PREF "error %d occurred\n", err);
+diff --git a/drivers/mtd/ubi/cdev.c b/drivers/mtd/ubi/cdev.c
+index 3320a50..ad76592 100644
+--- a/drivers/mtd/ubi/cdev.c
++++ b/drivers/mtd/ubi/cdev.c
+@@ -632,6 +632,9 @@ static int verify_mkvol_req(const struct ubi_device *ubi,
+ if (req->alignment != 1 && n)
+ goto bad;
+
++ if (!req->name[0] || !req->name_len)
++ goto bad;
++
+ if (req->name_len > UBI_VOL_NAME_MAX) {
+ err = -ENAMETOOLONG;
+ goto bad;
+diff --git a/drivers/mtd/ubi/debug.h b/drivers/mtd/ubi/debug.h
+index 64fbb00..ead2cd1 100644
+--- a/drivers/mtd/ubi/debug.h
++++ b/drivers/mtd/ubi/debug.h
+@@ -43,7 +43,10 @@
+ pr_debug("UBI DBG " type ": " fmt "\n", ##__VA_ARGS__)
+
+ /* Just a debugging messages not related to any specific UBI subsystem */
+-#define dbg_msg(fmt, ...) ubi_dbg_msg("msg", fmt, ##__VA_ARGS__)
++#define dbg_msg(fmt, ...) \
++ printk(KERN_DEBUG "UBI DBG (pid %d): %s: " fmt "\n", \
++ current->pid, __func__, ##__VA_ARGS__)
++
+ /* General debugging messages */
+ #define dbg_gen(fmt, ...) ubi_dbg_msg("gen", fmt, ##__VA_ARGS__)
+ /* Messages from the eraseblock association sub-system */
+diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
+index fb7f19b..cd26da8 100644
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -1028,12 +1028,14 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to,
+ * 'ubi_wl_put_peb()' function on the @ubi->move_mutex. In turn, we are
+ * holding @ubi->move_mutex and go sleep on the LEB lock. So, if the
+ * LEB is already locked, we just do not move it and return
+- * %MOVE_CANCEL_RACE, which means that UBI will re-try, but later.
++ * %MOVE_RETRY. Note, we do not return %MOVE_CANCEL_RACE here because
++ * we do not know the reasons of the contention - it may be just a
++ * normal I/O on this LEB, so we want to re-try.
+ */
+ err = leb_write_trylock(ubi, vol_id, lnum);
+ if (err) {
+ dbg_wl("contention on LEB %d:%d, cancel", vol_id, lnum);
+- return MOVE_CANCEL_RACE;
++ return MOVE_RETRY;
+ }
+
+ /*
+diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h
+index dc64c76..d51d75d 100644
+--- a/drivers/mtd/ubi/ubi.h
++++ b/drivers/mtd/ubi/ubi.h
+@@ -120,6 +120,7 @@ enum {
+ * PEB
+ * MOVE_CANCEL_BITFLIPS: canceled because a bit-flip was detected in the
+ * target PEB
++ * MOVE_RETRY: retry scrubbing the PEB
+ */
+ enum {
+ MOVE_CANCEL_RACE = 1,
+@@ -127,6 +128,7 @@ enum {
+ MOVE_TARGET_RD_ERR,
+ MOVE_TARGET_WR_ERR,
+ MOVE_CANCEL_BITFLIPS,
++ MOVE_RETRY,
+ };
+
+ /**
+diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c
+index 9ad18da..890754c 100644
+--- a/drivers/mtd/ubi/vtbl.c
++++ b/drivers/mtd/ubi/vtbl.c
+@@ -306,7 +306,7 @@ static int create_vtbl(struct ubi_device *ubi, struct ubi_scan_info *si,
+ int copy, void *vtbl)
+ {
+ int err, tries = 0;
+- static struct ubi_vid_hdr *vid_hdr;
++ struct ubi_vid_hdr *vid_hdr;
+ struct ubi_scan_leb *new_seb;
+
+ ubi_msg("create volume table (copy #%d)", copy + 1);
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 42c684c..0696e36 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -795,7 +795,10 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+ protect = 1;
+ goto out_not_moved;
+ }
+-
++ if (err == MOVE_RETRY) {
++ scrubbing = 1;
++ goto out_not_moved;
++ }
+ if (err == MOVE_CANCEL_BITFLIPS || err == MOVE_TARGET_WR_ERR ||
+ err == MOVE_TARGET_RD_ERR) {
+ /*
+@@ -1049,7 +1052,6 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
+
+ ubi_err("failed to erase PEB %d, error %d", pnum, err);
+ kfree(wl_wrk);
+- kmem_cache_free(ubi_wl_entry_slab, e);
+
+ if (err == -EINTR || err == -ENOMEM || err == -EAGAIN ||
+ err == -EBUSY) {
+@@ -1062,14 +1064,16 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
+ goto out_ro;
+ }
+ return err;
+- } else if (err != -EIO) {
++ }
++
++ kmem_cache_free(ubi_wl_entry_slab, e);
++ if (err != -EIO)
+ /*
+ * If this is not %-EIO, we have no idea what to do. Scheduling
+ * this physical eraseblock for erasure again would cause
+ * errors again and again. Well, lets switch to R/O mode.
+ */
+ goto out_ro;
+- }
+
+ /* It is %-EIO, the PEB went bad */
+
+diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c
+index dd2625a..f5e063a 100644
+--- a/drivers/net/usb/asix.c
++++ b/drivers/net/usb/asix.c
+@@ -974,6 +974,7 @@ static int ax88772_link_reset(struct usbnet *dev)
+
+ static int ax88772_reset(struct usbnet *dev)
+ {
++ struct asix_data *data = (struct asix_data *)&dev->data;
+ int ret, embd_phy;
+ u16 rx_ctl;
+
+@@ -1051,6 +1052,13 @@ static int ax88772_reset(struct usbnet *dev)
+ goto out;
+ }
+
++ /* Rewrite MAC address */
++ memcpy(data->mac_addr, dev->net->dev_addr, ETH_ALEN);
++ ret = asix_write_cmd(dev, AX_CMD_WRITE_NODE_ID, 0, 0, ETH_ALEN,
++ data->mac_addr);
++ if (ret < 0)
++ goto out;
++
+ /* Set RX_CTL to default values with 2k buffer, and enable cactus */
+ ret = asix_write_rx_ctl(dev, AX_DEFAULT_RX_CTL);
+ if (ret < 0)
+@@ -1316,6 +1324,13 @@ static int ax88178_reset(struct usbnet *dev)
+ if (ret < 0)
+ return ret;
+
++ /* Rewrite MAC address */
++ memcpy(data->mac_addr, dev->net->dev_addr, ETH_ALEN);
++ ret = asix_write_cmd(dev, AX_CMD_WRITE_NODE_ID, 0, 0, ETH_ALEN,
++ data->mac_addr);
++ if (ret < 0)
++ return ret;
++
+ ret = asix_write_rx_ctl(dev, AX_DEFAULT_RX_CTL);
+ if (ret < 0)
+ return ret;
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
+index ccde784..f5ae3c6 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
+@@ -526,10 +526,11 @@ int ath9k_hw_process_rxdesc_edma(struct ath_hw *ah, struct ath_rx_status *rxs,
+ rxs->rs_status |= ATH9K_RXERR_DECRYPT;
+ else if (rxsp->status11 & AR_MichaelErr)
+ rxs->rs_status |= ATH9K_RXERR_MIC;
+- if (rxsp->status11 & AR_KeyMiss)
+- rxs->rs_status |= ATH9K_RXERR_KEYMISS;
+ }
+
++ if (rxsp->status11 & AR_KeyMiss)
++ rxs->rs_status |= ATH9K_RXERR_KEYMISS;
++
+ return 0;
+ }
+ EXPORT_SYMBOL(ath9k_hw_process_rxdesc_edma);
+diff --git a/drivers/net/wireless/ath/ath9k/calib.c b/drivers/net/wireless/ath/ath9k/calib.c
+index 9953881..8ddef3e 100644
+--- a/drivers/net/wireless/ath/ath9k/calib.c
++++ b/drivers/net/wireless/ath/ath9k/calib.c
+@@ -402,6 +402,7 @@ bool ath9k_hw_getnf(struct ath_hw *ah, struct ath9k_channel *chan)
+ ah->noise = ath9k_hw_getchan_noise(ah, chan);
+ return true;
+ }
++EXPORT_SYMBOL(ath9k_hw_getnf);
+
+ void ath9k_init_nfcal_hist_buffer(struct ath_hw *ah,
+ struct ath9k_channel *chan)
+diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c
+index ecdb6fd..bbcb777 100644
+--- a/drivers/net/wireless/ath/ath9k/mac.c
++++ b/drivers/net/wireless/ath/ath9k/mac.c
+@@ -621,10 +621,11 @@ int ath9k_hw_rxprocdesc(struct ath_hw *ah, struct ath_desc *ds,
+ rs->rs_status |= ATH9K_RXERR_DECRYPT;
+ else if (ads.ds_rxstatus8 & AR_MichaelErr)
+ rs->rs_status |= ATH9K_RXERR_MIC;
+- if (ads.ds_rxstatus8 & AR_KeyMiss)
+- rs->rs_status |= ATH9K_RXERR_KEYMISS;
+ }
+
++ if (ads.ds_rxstatus8 & AR_KeyMiss)
++ rs->rs_status |= ATH9K_RXERR_KEYMISS;
++
+ return 0;
+ }
+ EXPORT_SYMBOL(ath9k_hw_rxprocdesc);
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index a9c5ae7..f76a814 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1667,7 +1667,6 @@ static int ath9k_config(struct ieee80211_hw *hw, u32 changed)
+
+ if (changed & IEEE80211_CONF_CHANGE_CHANNEL) {
+ struct ieee80211_channel *curchan = hw->conf.channel;
+- struct ath9k_channel old_chan;
+ int pos = curchan->hw_value;
+ int old_pos = -1;
+ unsigned long flags;
+@@ -1693,11 +1692,8 @@ static int ath9k_config(struct ieee80211_hw *hw, u32 changed)
+ * Preserve the current channel values, before updating
+ * the same channel
+ */
+- if (old_pos == pos) {
+- memcpy(&old_chan, &sc->sc_ah->channels[pos],
+- sizeof(struct ath9k_channel));
+- ah->curchan = &old_chan;
+- }
++ if (ah->curchan && (old_pos == pos))
++ ath9k_hw_getnf(ah, ah->curchan);
+
+ ath9k_cmn_update_ichannel(&sc->sc_ah->channels[pos],
+ curchan, conf->channel_type);
+diff --git a/drivers/net/wireless/iwlegacy/iwl3945-base.c b/drivers/net/wireless/iwlegacy/iwl3945-base.c
+index b282d86..05f2ad1 100644
+--- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
++++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c
+@@ -2656,14 +2656,13 @@ int iwl3945_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
+ IWL_WARN(priv, "Invalid scan band\n");
+ return -EIO;
+ }
+-
+ /*
+- * If active scaning is requested but a certain channel
+- * is marked passive, we can do active scanning if we
+- * detect transmissions.
++ * If active scaning is requested but a certain channel is marked
++ * passive, we can do active scanning if we detect transmissions. For
++ * passive only scanning disable switching to active on any channel.
+ */
+ scan->good_CRC_th = is_active ? IWL_GOOD_CRC_TH_DEFAULT :
+- IWL_GOOD_CRC_TH_DISABLED;
++ IWL_GOOD_CRC_TH_NEVER;
+
+ len = iwl_legacy_fill_probe_req(priv, (struct ieee80211_mgmt *)scan->data,
+ vif->addr, priv->scan_request->ie,
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+index 1a52ed2..6465983 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -827,6 +827,7 @@ static int iwl_get_idle_rx_chain_count(struct iwl_priv *priv, int active_cnt)
+ case IEEE80211_SMPS_STATIC:
+ case IEEE80211_SMPS_DYNAMIC:
+ return IWL_NUM_IDLE_CHAINS_SINGLE;
++ case IEEE80211_SMPS_AUTOMATIC:
+ case IEEE80211_SMPS_OFF:
+ return active_cnt;
+ default:
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
+index 5c7c17c..d552fa3 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
+@@ -559,6 +559,9 @@ int iwlagn_mac_config(struct ieee80211_hw *hw, u32 changed)
+
+ mutex_lock(&priv->shrd->mutex);
+
++ if (test_bit(STATUS_EXIT_PENDING, &priv->shrd->status))
++ goto out;
++
+ if (unlikely(test_bit(STATUS_SCANNING, &priv->shrd->status))) {
+ IWL_DEBUG_MAC80211(priv, "leave - scanning\n");
+ goto out;
+diff --git a/drivers/net/wireless/rt2x00/rt2800pci.c b/drivers/net/wireless/rt2x00/rt2800pci.c
+index da48c8a..837b460 100644
+--- a/drivers/net/wireless/rt2x00/rt2800pci.c
++++ b/drivers/net/wireless/rt2x00/rt2800pci.c
+@@ -422,7 +422,6 @@ static int rt2800pci_init_queues(struct rt2x00_dev *rt2x00dev)
+ static void rt2800pci_toggle_irq(struct rt2x00_dev *rt2x00dev,
+ enum dev_state state)
+ {
+- int mask = (state == STATE_RADIO_IRQ_ON);
+ u32 reg;
+ unsigned long flags;
+
+@@ -436,25 +435,14 @@ static void rt2800pci_toggle_irq(struct rt2x00_dev *rt2x00dev,
+ }
+
+ spin_lock_irqsave(&rt2x00dev->irqmask_lock, flags);
+- rt2x00pci_register_read(rt2x00dev, INT_MASK_CSR, &reg);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_RXDELAYINT, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_TXDELAYINT, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_RX_DONE, mask);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_AC0_DMA_DONE, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_AC1_DMA_DONE, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_AC2_DMA_DONE, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_AC3_DMA_DONE, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_HCCA_DMA_DONE, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_MGMT_DMA_DONE, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_MCU_COMMAND, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_RXTX_COHERENT, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_TBTT, mask);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_PRE_TBTT, mask);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_TX_FIFO_STATUS, mask);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_AUTO_WAKEUP, mask);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_GPTIMER, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_RX_COHERENT, 0);
+- rt2x00_set_field32(&reg, INT_MASK_CSR_TX_COHERENT, 0);
++ reg = 0;
++ if (state == STATE_RADIO_IRQ_ON) {
++ rt2x00_set_field32(&reg, INT_MASK_CSR_RX_DONE, 1);
++ rt2x00_set_field32(&reg, INT_MASK_CSR_TBTT, 1);
++ rt2x00_set_field32(&reg, INT_MASK_CSR_PRE_TBTT, 1);
++ rt2x00_set_field32(&reg, INT_MASK_CSR_TX_FIFO_STATUS, 1);
++ rt2x00_set_field32(&reg, INT_MASK_CSR_AUTO_WAKEUP, 1);
++ }
+ rt2x00pci_register_write(rt2x00dev, INT_MASK_CSR, reg);
+ spin_unlock_irqrestore(&rt2x00dev->irqmask_lock, flags);
+
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/fw.c b/drivers/net/wireless/rtlwifi/rtl8192se/fw.c
+index 6f91a14..3fda6b1 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192se/fw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192se/fw.c
+@@ -196,6 +196,8 @@ static bool _rtl92s_firmware_downloadcode(struct ieee80211_hw *hw,
+ /* Allocate skb buffer to contain firmware */
+ /* info and tx descriptor info. */
+ skb = dev_alloc_skb(frag_length);
++ if (!skb)
++ return false;
+ skb_reserve(skb, extra_descoffset);
+ seg_ptr = (u8 *)skb_put(skb, (u32)(frag_length -
+ extra_descoffset));
+@@ -573,6 +575,8 @@ static bool _rtl92s_firmware_set_h2c_cmd(struct ieee80211_hw *hw, u8 h2c_cmd,
+
+ len = _rtl92s_get_h2c_cmdlen(MAX_TRANSMIT_BUFFER_SIZE, 1, &cmd_len);
+ skb = dev_alloc_skb(len);
++ if (!skb)
++ return false;
+ cb_desc = (struct rtl_tcb_desc *)(skb->cb);
+ cb_desc->queue_index = TXCMD_QUEUE;
+ cb_desc->cmd_or_init = DESC_PACKET_TYPE_NORMAL;
+diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
+index 0e6d04d..e3efb43 100644
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -870,5 +870,15 @@ EXPORT_SYMBOL(pci_msi_enabled);
+
+ void pci_msi_init_pci_dev(struct pci_dev *dev)
+ {
++ int pos;
+ INIT_LIST_HEAD(&dev->msi_list);
++
++ /* Disable the msi hardware to avoid screaming interrupts
++ * during boot. This is the power on reset default so
++ * usually this should be a noop.
++ */
++ pos = pci_find_capability(dev, PCI_CAP_ID_MSI);
++ if (pos)
++ msi_set_enable(dev, pos, 0);
++ msix_set_enable(dev, 0);
+ }
+diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c
+index dfbd5a6..258fef2 100644
+--- a/drivers/pnp/quirks.c
++++ b/drivers/pnp/quirks.c
+@@ -295,6 +295,45 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
+ }
+ }
+
++#ifdef CONFIG_AMD_NB
++
++#include <asm/amd_nb.h>
++
++static void quirk_amd_mmconfig_area(struct pnp_dev *dev)
++{
++ resource_size_t start, end;
++ struct pnp_resource *pnp_res;
++ struct resource *res;
++ struct resource mmconfig_res, *mmconfig;
++
++ mmconfig = amd_get_mmconfig_range(&mmconfig_res);
++ if (!mmconfig)
++ return;
++
++ list_for_each_entry(pnp_res, &dev->resources, list) {
++ res = &pnp_res->res;
++ if (res->end < mmconfig->start || res->start > mmconfig->end ||
++ (res->start == mmconfig->start && res->end == mmconfig->end))
++ continue;
++
++ dev_info(&dev->dev, FW_BUG
++ "%pR covers only part of AMD MMCONFIG area %pR; adding more reservations\n",
++ res, mmconfig);
++ if (mmconfig->start < res->start) {
++ start = mmconfig->start;
++ end = res->start - 1;
++ pnp_add_mem_resource(dev, start, end, 0);
++ }
++ if (mmconfig->end > res->end) {
++ start = res->end + 1;
++ end = mmconfig->end;
++ pnp_add_mem_resource(dev, start, end, 0);
++ }
++ break;
++ }
++}
++#endif
++
+ /*
+ * PnP Quirks
+ * Cards or devices that need some tweaking due to incomplete resource info
+@@ -322,6 +361,9 @@ static struct pnp_fixup pnp_fixups[] = {
+ /* PnP resources that might overlap PCI BARs */
+ {"PNP0c01", quirk_system_pci_resources},
+ {"PNP0c02", quirk_system_pci_resources},
++#ifdef CONFIG_AMD_NB
++ {"PNP0c01", quirk_amd_mmconfig_area},
++#endif
+ {""}
+ };
+
+diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
+index 8e28625..8a1c031 100644
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -228,11 +228,11 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
+ alarm->time.tm_hour = now.tm_hour;
+
+ /* For simplicity, only support date rollover for now */
+- if (alarm->time.tm_mday == -1) {
++ if (alarm->time.tm_mday < 1 || alarm->time.tm_mday > 31) {
+ alarm->time.tm_mday = now.tm_mday;
+ missing = day;
+ }
+- if (alarm->time.tm_mon == -1) {
++ if ((unsigned)alarm->time.tm_mon >= 12) {
+ alarm->time.tm_mon = now.tm_mon;
+ if (missing == none)
+ missing = month;
+diff --git a/drivers/scsi/mpt2sas/mpt2sas_base.c b/drivers/scsi/mpt2sas/mpt2sas_base.c
+index beda04a..0794c72 100644
+--- a/drivers/scsi/mpt2sas/mpt2sas_base.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_base.c
+@@ -65,6 +65,8 @@ static MPT_CALLBACK mpt_callbacks[MPT_MAX_CALLBACKS];
+
+ #define FAULT_POLLING_INTERVAL 1000 /* in milliseconds */
+
++#define MAX_HBA_QUEUE_DEPTH 30000
++#define MAX_CHAIN_DEPTH 100000
+ static int max_queue_depth = -1;
+ module_param(max_queue_depth, int, 0);
+ MODULE_PARM_DESC(max_queue_depth, " max controller queue depth ");
+@@ -2311,8 +2313,6 @@ _base_release_memory_pools(struct MPT2SAS_ADAPTER *ioc)
+ }
+ if (ioc->chain_dma_pool)
+ pci_pool_destroy(ioc->chain_dma_pool);
+- }
+- if (ioc->chain_lookup) {
+ free_pages((ulong)ioc->chain_lookup, ioc->chain_pages);
+ ioc->chain_lookup = NULL;
+ }
+@@ -2330,9 +2330,7 @@ static int
+ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
+ {
+ struct mpt2sas_facts *facts;
+- u32 queue_size, queue_diff;
+ u16 max_sge_elements;
+- u16 num_of_reply_frames;
+ u16 chains_needed_per_io;
+ u32 sz, total_sz, reply_post_free_sz;
+ u32 retry_sz;
+@@ -2359,7 +2357,8 @@ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
+ max_request_credit = (max_queue_depth < facts->RequestCredit)
+ ? max_queue_depth : facts->RequestCredit;
+ else
+- max_request_credit = facts->RequestCredit;
++ max_request_credit = min_t(u16, facts->RequestCredit,
++ MAX_HBA_QUEUE_DEPTH);
+
+ ioc->hba_queue_depth = max_request_credit;
+ ioc->hi_priority_depth = facts->HighPriorityCredit;
+@@ -2400,50 +2399,25 @@ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
+ }
+ ioc->chains_needed_per_io = chains_needed_per_io;
+
+- /* reply free queue sizing - taking into account for events */
+- num_of_reply_frames = ioc->hba_queue_depth + 32;
+-
+- /* number of replies frames can't be a multiple of 16 */
+- /* decrease number of reply frames by 1 */
+- if (!(num_of_reply_frames % 16))
+- num_of_reply_frames--;
+-
+- /* calculate number of reply free queue entries
+- * (must be multiple of 16)
+- */
+-
+- /* (we know reply_free_queue_depth is not a multiple of 16) */
+- queue_size = num_of_reply_frames;
+- queue_size += 16 - (queue_size % 16);
+- ioc->reply_free_queue_depth = queue_size;
+-
+- /* reply descriptor post queue sizing */
+- /* this size should be the number of request frames + number of reply
+- * frames
+- */
+-
+- queue_size = ioc->hba_queue_depth + num_of_reply_frames + 1;
+- /* round up to 16 byte boundary */
+- if (queue_size % 16)
+- queue_size += 16 - (queue_size % 16);
+-
+- /* check against IOC maximum reply post queue depth */
+- if (queue_size > facts->MaxReplyDescriptorPostQueueDepth) {
+- queue_diff = queue_size -
+- facts->MaxReplyDescriptorPostQueueDepth;
++ /* reply free queue sizing - taking into account for 64 FW events */
++ ioc->reply_free_queue_depth = ioc->hba_queue_depth + 64;
+
+- /* round queue_diff up to multiple of 16 */
+- if (queue_diff % 16)
+- queue_diff += 16 - (queue_diff % 16);
+-
+- /* adjust hba_queue_depth, reply_free_queue_depth,
+- * and queue_size
+- */
+- ioc->hba_queue_depth -= (queue_diff / 2);
+- ioc->reply_free_queue_depth -= (queue_diff / 2);
+- queue_size = facts->MaxReplyDescriptorPostQueueDepth;
++ /* align the reply post queue on the next 16 count boundary */
++ if (!ioc->reply_free_queue_depth % 16)
++ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth + 16;
++ else
++ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth +
++ 32 - (ioc->reply_free_queue_depth % 16);
++ if (ioc->reply_post_queue_depth >
++ facts->MaxReplyDescriptorPostQueueDepth) {
++ ioc->reply_post_queue_depth = min_t(u16,
++ (facts->MaxReplyDescriptorPostQueueDepth -
++ (facts->MaxReplyDescriptorPostQueueDepth % 16)),
++ (ioc->hba_queue_depth - (ioc->hba_queue_depth % 16)));
++ ioc->reply_free_queue_depth = ioc->reply_post_queue_depth - 16;
++ ioc->hba_queue_depth = ioc->reply_free_queue_depth - 64;
+ }
+- ioc->reply_post_queue_depth = queue_size;
++
+
+ dinitprintk(ioc, printk(MPT2SAS_INFO_FMT "scatter gather: "
+ "sge_in_main_msg(%d), sge_per_chain(%d), sge_per_io(%d), "
+@@ -2529,15 +2503,12 @@ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
+ "depth(%d)\n", ioc->name, ioc->request,
+ ioc->scsiio_depth));
+
+- /* loop till the allocation succeeds */
+- do {
+- sz = ioc->chain_depth * sizeof(struct chain_tracker);
+- ioc->chain_pages = get_order(sz);
+- ioc->chain_lookup = (struct chain_tracker *)__get_free_pages(
+- GFP_KERNEL, ioc->chain_pages);
+- if (ioc->chain_lookup == NULL)
+- ioc->chain_depth -= 100;
+- } while (ioc->chain_lookup == NULL);
++ ioc->chain_depth = min_t(u32, ioc->chain_depth, MAX_CHAIN_DEPTH);
++ sz = ioc->chain_depth * sizeof(struct chain_tracker);
++ ioc->chain_pages = get_order(sz);
++
++ ioc->chain_lookup = (struct chain_tracker *)__get_free_pages(
++ GFP_KERNEL, ioc->chain_pages);
+ ioc->chain_dma_pool = pci_pool_create("chain pool", ioc->pdev,
+ ioc->request_sz, 16, 0);
+ if (!ioc->chain_dma_pool) {
+diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+index d570573..9bc6fb2 100644
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -1007,8 +1007,8 @@ _scsih_get_chain_buffer_tracker(struct MPT2SAS_ADAPTER *ioc, u16 smid)
+ spin_lock_irqsave(&ioc->scsi_lookup_lock, flags);
+ if (list_empty(&ioc->free_chain_list)) {
+ spin_unlock_irqrestore(&ioc->scsi_lookup_lock, flags);
+- printk(MPT2SAS_WARN_FMT "chain buffers not available\n",
+- ioc->name);
++ dfailprintk(ioc, printk(MPT2SAS_WARN_FMT "chain buffers not "
++ "available\n", ioc->name));
+ return NULL;
+ }
+ chain_req = list_entry(ioc->free_chain_list.next,
+@@ -6714,6 +6714,7 @@ _scsih_mark_responding_raid_device(struct MPT2SAS_ADAPTER *ioc, u64 wwid,
+ } else
+ sas_target_priv_data = NULL;
+ raid_device->responding = 1;
++ spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
+ starget_printk(KERN_INFO, raid_device->starget,
+ "handle(0x%04x), wwid(0x%016llx)\n", handle,
+ (unsigned long long)raid_device->wwid);
+@@ -6724,16 +6725,16 @@ _scsih_mark_responding_raid_device(struct MPT2SAS_ADAPTER *ioc, u64 wwid,
+ */
+ _scsih_init_warpdrive_properties(ioc, raid_device);
+ if (raid_device->handle == handle)
+- goto out;
++ return;
+ printk(KERN_INFO "\thandle changed from(0x%04x)!!!\n",
+ raid_device->handle);
+ raid_device->handle = handle;
+ if (sas_target_priv_data)
+ sas_target_priv_data->handle = handle;
+- goto out;
++ return;
+ }
+ }
+- out:
++
+ spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
+ }
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index fa3a591..4b63c73 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1074,6 +1074,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ SCSI_LOG_IOCTL(1, sd_printk(KERN_INFO, sdkp, "sd_ioctl: disk=%s, "
+ "cmd=0x%x\n", disk->disk_name, cmd));
+
++ error = scsi_verify_blk_ioctl(bdev, cmd);
++ if (error < 0)
++ return error;
++
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+ * else try and use this device. Also, if error recovery fails, it
+@@ -1096,7 +1100,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ error = scsi_ioctl(sdp, cmd, p);
+ break;
+ default:
+- error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
++ error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
+ if (error != -ENOTTY)
+ break;
+ error = scsi_ioctl(sdp, cmd, p);
+@@ -1266,6 +1270,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bdev, cmd);
++ if (ret < 0)
++ return -ENOIOCTLCMD;
+
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+@@ -1277,8 +1286,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ return -ENODEV;
+
+ if (sdev->host->hostt->compat_ioctl) {
+- int ret;
+-
+ ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+
+ return ret;
+diff --git a/drivers/scsi/sym53c8xx_2/sym_glue.c b/drivers/scsi/sym53c8xx_2/sym_glue.c
+index b4543f5..36d1ed7 100644
+--- a/drivers/scsi/sym53c8xx_2/sym_glue.c
++++ b/drivers/scsi/sym53c8xx_2/sym_glue.c
+@@ -839,6 +839,10 @@ static void sym53c8xx_slave_destroy(struct scsi_device *sdev)
+ struct sym_lcb *lp = sym_lp(tp, sdev->lun);
+ unsigned long flags;
+
++ /* if slave_alloc returned before allocating a sym_lcb, return */
++ if (!lp)
++ return;
++
+ spin_lock_irqsave(np->s.host->host_lock, flags);
+
+ if (lp->busy_itlq || lp->busy_itl) {
+diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c
+index 831468b..2e8c1be 100644
+--- a/drivers/target/target_core_cdb.c
++++ b/drivers/target/target_core_cdb.c
+@@ -94,6 +94,18 @@ target_emulate_inquiry_std(struct se_cmd *cmd)
+ buf[2] = dev->transport->get_device_rev(dev);
+
+ /*
++ * NORMACA and HISUP = 0, RESPONSE DATA FORMAT = 2
++ *
++ * SPC4 says:
++ * A RESPONSE DATA FORMAT field set to 2h indicates that the
++ * standard INQUIRY data is in the format defined in this
++ * standard. Response data format values less than 2h are
++ * obsolete. Response data format values greater than 2h are
++ * reserved.
++ */
++ buf[3] = 2;
++
++ /*
+ * Enable SCCS and TPGS fields for Emulated ALUA
+ */
+ if (dev->se_sub_dev->t10_alua.alua_type == SPC3_ALUA_EMULATED)
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 0257658..e87d0eb 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -4353,6 +4353,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_NON_EXISTENT_LUN:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ILLEGAL REQUEST */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
+ /* LOGICAL UNIT NOT SUPPORTED */
+@@ -4362,6 +4363,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_SECTOR_COUNT_TOO_MANY:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ILLEGAL REQUEST */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
+ /* INVALID COMMAND OPERATION CODE */
+@@ -4370,6 +4372,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_UNKNOWN_MODE_PAGE:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ILLEGAL REQUEST */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
+ /* INVALID FIELD IN CDB */
+@@ -4378,6 +4381,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_CHECK_CONDITION_ABORT_CMD:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* BUS DEVICE RESET FUNCTION OCCURRED */
+@@ -4387,6 +4391,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_INCORRECT_AMOUNT_OF_DATA:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* WRITE ERROR */
+@@ -4397,6 +4402,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_INVALID_CDB_FIELD:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* INVALID FIELD IN CDB */
+@@ -4405,6 +4411,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_INVALID_PARAMETER_LIST:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* INVALID FIELD IN PARAMETER LIST */
+@@ -4413,6 +4420,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_UNEXPECTED_UNSOLICITED_DATA:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* WRITE ERROR */
+@@ -4423,6 +4431,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_SERVICE_CRC_ERROR:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* PROTOCOL SERVICE CRC ERROR */
+@@ -4433,6 +4442,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_SNACK_REJECTED:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ABORTED COMMAND */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ABORTED_COMMAND;
+ /* READ ERROR */
+@@ -4443,6 +4453,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_WRITE_PROTECTED:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* DATA PROTECT */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = DATA_PROTECT;
+ /* WRITE PROTECTED */
+@@ -4451,6 +4462,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_CHECK_CONDITION_UNIT_ATTENTION:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* UNIT ATTENTION */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = UNIT_ATTENTION;
+ core_scsi3_ua_for_check_condition(cmd, &asc, &ascq);
+@@ -4460,6 +4472,7 @@ int transport_send_check_condition_and_sense(
+ case TCM_CHECK_CONDITION_NOT_READY:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* Not Ready */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = NOT_READY;
+ transport_get_sense_codes(cmd, &asc, &ascq);
+@@ -4470,6 +4483,7 @@ int transport_send_check_condition_and_sense(
+ default:
+ /* CURRENT ERROR */
+ buffer[offset] = 0x70;
++ buffer[offset+SPC_ADD_SENSE_LEN_OFFSET] = 10;
+ /* ILLEGAL REQUEST */
+ buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST;
+ /* LOGICAL UNIT COMMUNICATION FAILURE */
+diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
+index ede860f..a580b17 100644
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -801,6 +801,12 @@ static int process_msg(void)
+ goto out;
+ }
+
++ if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
++ kfree(msg);
++ err = -EINVAL;
++ goto out;
++ }
++
+ body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
+ if (body == NULL) {
+ kfree(msg);
+diff --git a/fs/aio.c b/fs/aio.c
+index 78c514c..969beb0 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -476,14 +476,21 @@ static void kiocb_batch_init(struct kiocb_batch *batch, long total)
+ batch->count = total;
+ }
+
+-static void kiocb_batch_free(struct kiocb_batch *batch)
++static void kiocb_batch_free(struct kioctx *ctx, struct kiocb_batch *batch)
+ {
+ struct kiocb *req, *n;
+
++ if (list_empty(&batch->head))
++ return;
++
++ spin_lock_irq(&ctx->ctx_lock);
+ list_for_each_entry_safe(req, n, &batch->head, ki_batch) {
+ list_del(&req->ki_batch);
++ list_del(&req->ki_list);
+ kmem_cache_free(kiocb_cachep, req);
++ ctx->reqs_active--;
+ }
++ spin_unlock_irq(&ctx->ctx_lock);
+ }
+
+ /*
+@@ -1742,7 +1749,7 @@ long do_io_submit(aio_context_t ctx_id, long nr,
+ }
+ blk_finish_plug(&plug);
+
+- kiocb_batch_free(&batch);
++ kiocb_batch_free(ctx, &batch);
+ put_ioctx(ctx);
+ return i ? i : ret;
+ }
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index f3670cf..63e4be4 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2914,18 +2914,33 @@ void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+ #define CIFS_DEFAULT_IOSIZE (1024 * 1024)
+
+ /*
+- * Windows only supports a max of 60k reads. Default to that when posix
+- * extensions aren't in force.
++ * Windows only supports a max of 60kb reads and 65535 byte writes. Default to
++ * those values when posix extensions aren't in force. In actuality here, we
++ * use 65536 to allow for a write that is a multiple of 4k. Most servers seem
++ * to be ok with the extra byte even though Windows doesn't send writes that
++ * are that large.
++ *
++ * Citation:
++ *
++ * http://blogs.msdn.com/b/openspecification/archive/2009/04/10/smb-maximum-transmit-buffer-size-and-performance-tuning.aspx
+ */
+ #define CIFS_DEFAULT_NON_POSIX_RSIZE (60 * 1024)
++#define CIFS_DEFAULT_NON_POSIX_WSIZE (65536)
+
+ static unsigned int
+ cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *pvolume_info)
+ {
+ __u64 unix_cap = le64_to_cpu(tcon->fsUnixInfo.Capability);
+ struct TCP_Server_Info *server = tcon->ses->server;
+- unsigned int wsize = pvolume_info->wsize ? pvolume_info->wsize :
+- CIFS_DEFAULT_IOSIZE;
++ unsigned int wsize;
++
++ /* start with specified wsize, or default */
++ if (pvolume_info->wsize)
++ wsize = pvolume_info->wsize;
++ else if (tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
++ wsize = CIFS_DEFAULT_IOSIZE;
++ else
++ wsize = CIFS_DEFAULT_NON_POSIX_WSIZE;
+
+ /* can server support 24-bit write sizes? (via UNIX extensions) */
+ if (!tcon->unix_ext || !(unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 89509b5..f7908ae 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -242,6 +242,7 @@ static void dentry_lru_add(struct dentry *dentry)
+ static void __dentry_lru_del(struct dentry *dentry)
+ {
+ list_del_init(&dentry->d_lru);
++ dentry->d_flags &= ~DCACHE_SHRINK_LIST;
+ dentry->d_sb->s_nr_dentry_unused--;
+ dentry_stat.nr_unused--;
+ }
+@@ -275,15 +276,15 @@ static void dentry_lru_prune(struct dentry *dentry)
+ }
+ }
+
+-static void dentry_lru_move_tail(struct dentry *dentry)
++static void dentry_lru_move_list(struct dentry *dentry, struct list_head *list)
+ {
+ spin_lock(&dcache_lru_lock);
+ if (list_empty(&dentry->d_lru)) {
+- list_add_tail(&dentry->d_lru, &dentry->d_sb->s_dentry_lru);
++ list_add_tail(&dentry->d_lru, list);
+ dentry->d_sb->s_nr_dentry_unused++;
+ dentry_stat.nr_unused++;
+ } else {
+- list_move_tail(&dentry->d_lru, &dentry->d_sb->s_dentry_lru);
++ list_move_tail(&dentry->d_lru, list);
+ }
+ spin_unlock(&dcache_lru_lock);
+ }
+@@ -769,14 +770,18 @@ static void shrink_dentry_list(struct list_head *list)
+ }
+
+ /**
+- * __shrink_dcache_sb - shrink the dentry LRU on a given superblock
+- * @sb: superblock to shrink dentry LRU.
+- * @count: number of entries to prune
+- * @flags: flags to control the dentry processing
++ * prune_dcache_sb - shrink the dcache
++ * @sb: superblock
++ * @count: number of entries to try to free
++ *
++ * Attempt to shrink the superblock dcache LRU by @count entries. This is
++ * done when we need more memory an called from the superblock shrinker
++ * function.
+ *
+- * If flags contains DCACHE_REFERENCED reference dentries will not be pruned.
++ * This function may fail to free any resources if all the dentries are in
++ * use.
+ */
+-static void __shrink_dcache_sb(struct super_block *sb, int count, int flags)
++void prune_dcache_sb(struct super_block *sb, int count)
+ {
+ struct dentry *dentry;
+ LIST_HEAD(referenced);
+@@ -795,18 +800,13 @@ relock:
+ goto relock;
+ }
+
+- /*
+- * If we are honouring the DCACHE_REFERENCED flag and the
+- * dentry has this flag set, don't free it. Clear the flag
+- * and put it back on the LRU.
+- */
+- if (flags & DCACHE_REFERENCED &&
+- dentry->d_flags & DCACHE_REFERENCED) {
++ if (dentry->d_flags & DCACHE_REFERENCED) {
+ dentry->d_flags &= ~DCACHE_REFERENCED;
+ list_move(&dentry->d_lru, &referenced);
+ spin_unlock(&dentry->d_lock);
+ } else {
+ list_move_tail(&dentry->d_lru, &tmp);
++ dentry->d_flags |= DCACHE_SHRINK_LIST;
+ spin_unlock(&dentry->d_lock);
+ if (!--count)
+ break;
+@@ -821,23 +821,6 @@ relock:
+ }
+
+ /**
+- * prune_dcache_sb - shrink the dcache
+- * @sb: superblock
+- * @nr_to_scan: number of entries to try to free
+- *
+- * Attempt to shrink the superblock dcache LRU by @nr_to_scan entries. This is
+- * done when we need more memory an called from the superblock shrinker
+- * function.
+- *
+- * This function may fail to free any resources if all the dentries are in
+- * use.
+- */
+-void prune_dcache_sb(struct super_block *sb, int nr_to_scan)
+-{
+- __shrink_dcache_sb(sb, nr_to_scan, DCACHE_REFERENCED);
+-}
+-
+-/**
+ * shrink_dcache_sb - shrink dcache for a superblock
+ * @sb: superblock
+ *
+@@ -1091,7 +1074,7 @@ EXPORT_SYMBOL(have_submounts);
+ * drop the lock and return early due to latency
+ * constraints.
+ */
+-static int select_parent(struct dentry * parent)
++static int select_parent(struct dentry *parent, struct list_head *dispose)
+ {
+ struct dentry *this_parent;
+ struct list_head *next;
+@@ -1113,17 +1096,21 @@ resume:
+
+ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+
+- /*
+- * move only zero ref count dentries to the end
+- * of the unused list for prune_dcache
++ /*
++ * move only zero ref count dentries to the dispose list.
++ *
++ * Those which are presently on the shrink list, being processed
++ * by shrink_dentry_list(), shouldn't be moved. Otherwise the
++ * loop in shrink_dcache_parent() might not make any progress
++ * and loop forever.
+ */
+- if (!dentry->d_count) {
+- dentry_lru_move_tail(dentry);
+- found++;
+- } else {
++ if (dentry->d_count) {
+ dentry_lru_del(dentry);
++ } else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) {
++ dentry_lru_move_list(dentry, dispose);
++ dentry->d_flags |= DCACHE_SHRINK_LIST;
++ found++;
+ }
+-
+ /*
+ * We can return to the caller if we have found some (this
+ * ensures forward progress). We'll be coming back to find
+@@ -1180,14 +1167,13 @@ rename_retry:
+ *
+ * Prune the dcache to remove unused children of the parent dentry.
+ */
+-
+ void shrink_dcache_parent(struct dentry * parent)
+ {
+- struct super_block *sb = parent->d_sb;
++ LIST_HEAD(dispose);
+ int found;
+
+- while ((found = select_parent(parent)) != 0)
+- __shrink_dcache_sb(sb, found, 0);
++ while ((found = select_parent(parent, &dispose)) != 0)
++ shrink_dentry_list(&dispose);
+ }
+ EXPORT_SYMBOL(shrink_dcache_parent);
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index a567968..ab25f57 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -182,19 +182,22 @@ setversion_out:
+ if (err)
+ return err;
+
+- if (get_user(n_blocks_count, (__u32 __user *)arg))
+- return -EFAULT;
++ if (get_user(n_blocks_count, (__u32 __user *)arg)) {
++ err = -EFAULT;
++ goto group_extend_out;
++ }
+
+ if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+ EXT4_FEATURE_RO_COMPAT_BIGALLOC)) {
+ ext4_msg(sb, KERN_ERR,
+ "Online resizing not supported with bigalloc");
+- return -EOPNOTSUPP;
++ err = -EOPNOTSUPP;
++ goto group_extend_out;
+ }
+
+ err = mnt_want_write(filp->f_path.mnt);
+ if (err)
+- return err;
++ goto group_extend_out;
+
+ err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);
+ if (EXT4_SB(sb)->s_journal) {
+@@ -204,9 +207,10 @@ setversion_out:
+ }
+ if (err == 0)
+ err = err2;
++
+ mnt_drop_write(filp->f_path.mnt);
++group_extend_out:
+ ext4_resize_end(sb);
+-
+ return err;
+ }
+
+@@ -267,19 +271,22 @@ mext_out:
+ return err;
+
+ if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,
+- sizeof(input)))
+- return -EFAULT;
++ sizeof(input))) {
++ err = -EFAULT;
++ goto group_add_out;
++ }
+
+ if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+ EXT4_FEATURE_RO_COMPAT_BIGALLOC)) {
+ ext4_msg(sb, KERN_ERR,
+ "Online resizing not supported with bigalloc");
+- return -EOPNOTSUPP;
++ err = -EOPNOTSUPP;
++ goto group_add_out;
+ }
+
+ err = mnt_want_write(filp->f_path.mnt);
+ if (err)
+- return err;
++ goto group_add_out;
+
+ err = ext4_group_add(sb, &input);
+ if (EXT4_SB(sb)->s_journal) {
+@@ -289,9 +296,10 @@ mext_out:
+ }
+ if (err == 0)
+ err = err2;
++
+ mnt_drop_write(filp->f_path.mnt);
++group_add_out:
+ ext4_resize_end(sb);
+-
+ return err;
+ }
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 3e1329e..9281dbe 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2006,17 +2006,16 @@ static int ext4_fill_flex_info(struct super_block *sb)
+ struct ext4_group_desc *gdp = NULL;
+ ext4_group_t flex_group_count;
+ ext4_group_t flex_group;
+- int groups_per_flex = 0;
++ unsigned int groups_per_flex = 0;
+ size_t size;
+ int i;
+
+ sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+- groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+-
+- if (groups_per_flex < 2) {
++ if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
+ sbi->s_log_groups_per_flex = 0;
+ return 1;
+ }
++ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+ /* We allocate both existing and potentially added groups */
+ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
+diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
+index 281ae95..3db6b82 100644
+--- a/fs/nfs/blocklayout/blocklayout.c
++++ b/fs/nfs/blocklayout/blocklayout.c
+@@ -146,14 +146,19 @@ static struct bio *bl_alloc_init_bio(int npg, sector_t isect,
+ {
+ struct bio *bio;
+
++ npg = min(npg, BIO_MAX_PAGES);
+ bio = bio_alloc(GFP_NOIO, npg);
+- if (!bio)
+- return NULL;
++ if (!bio && (current->flags & PF_MEMALLOC)) {
++ while (!bio && (npg /= 2))
++ bio = bio_alloc(GFP_NOIO, npg);
++ }
+
+- bio->bi_sector = isect - be->be_f_offset + be->be_v_offset;
+- bio->bi_bdev = be->be_mdev;
+- bio->bi_end_io = end_io;
+- bio->bi_private = par;
++ if (bio) {
++ bio->bi_sector = isect - be->be_f_offset + be->be_v_offset;
++ bio->bi_bdev = be->be_mdev;
++ bio->bi_end_io = end_io;
++ bio->bi_private = par;
++ }
+ return bio;
+ }
+
+@@ -779,16 +784,13 @@ bl_cleanup_layoutcommit(struct nfs4_layoutcommit_data *lcdata)
+ static void free_blk_mountid(struct block_mount_id *mid)
+ {
+ if (mid) {
+- struct pnfs_block_dev *dev;
+- spin_lock(&mid->bm_lock);
+- while (!list_empty(&mid->bm_devlist)) {
+- dev = list_first_entry(&mid->bm_devlist,
+- struct pnfs_block_dev,
+- bm_node);
++ struct pnfs_block_dev *dev, *tmp;
++
++ /* No need to take bm_lock as we are last user freeing bm_devlist */
++ list_for_each_entry_safe(dev, tmp, &mid->bm_devlist, bm_node) {
+ list_del(&dev->bm_node);
+ bl_free_block_dev(dev);
+ }
+- spin_unlock(&mid->bm_lock);
+ kfree(mid);
+ }
+ }
+diff --git a/fs/nfs/blocklayout/extents.c b/fs/nfs/blocklayout/extents.c
+index 19fa7b0..c69682a 100644
+--- a/fs/nfs/blocklayout/extents.c
++++ b/fs/nfs/blocklayout/extents.c
+@@ -139,11 +139,13 @@ static int _set_range(struct my_tree *tree, int32_t tag, u64 s, u64 length)
+ }
+
+ /* Ensure that future operations on given range of tree will not malloc */
+-static int _preload_range(struct my_tree *tree, u64 offset, u64 length)
++static int _preload_range(struct pnfs_inval_markings *marks,
++ u64 offset, u64 length)
+ {
+ u64 start, end, s;
+ int count, i, used = 0, status = -ENOMEM;
+ struct pnfs_inval_tracking **storage;
++ struct my_tree *tree = &marks->im_tree;
+
+ dprintk("%s(%llu, %llu) enter\n", __func__, offset, length);
+ start = normalize(offset, tree->mtt_step_size);
+@@ -161,12 +163,11 @@ static int _preload_range(struct my_tree *tree, u64 offset, u64 length)
+ goto out_cleanup;
+ }
+
+- /* Now need lock - HOW??? */
+-
++ spin_lock(&marks->im_lock);
+ for (s = start; s < end; s += tree->mtt_step_size)
+ used += _add_entry(tree, s, INTERNAL_EXISTS, storage[used]);
++ spin_unlock(&marks->im_lock);
+
+- /* Unlock - HOW??? */
+ status = 0;
+
+ out_cleanup:
+@@ -286,7 +287,7 @@ int bl_mark_sectors_init(struct pnfs_inval_markings *marks,
+
+ start = normalize(offset, marks->im_block_size);
+ end = normalize_up(offset + length, marks->im_block_size);
+- if (_preload_range(&marks->im_tree, start, end - start))
++ if (_preload_range(marks, start, end - start))
+ goto outerr;
+
+ spin_lock(&marks->im_lock);
+diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c
+index 43926ad..54cea8a 100644
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -339,7 +339,7 @@ validate_seqid(struct nfs4_slot_table *tbl, struct cb_sequenceargs * args)
+ dprintk("%s enter. slotid %d seqid %d\n",
+ __func__, args->csa_slotid, args->csa_sequenceid);
+
+- if (args->csa_slotid > NFS41_BC_MAX_CALLBACKS)
++ if (args->csa_slotid >= NFS41_BC_MAX_CALLBACKS)
+ return htonl(NFS4ERR_BADSLOT);
+
+ slot = tbl->slots + args->csa_slotid;
+diff --git a/fs/nfs/file.c b/fs/nfs/file.c
+index 606ef0f..c43a452 100644
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -272,13 +272,13 @@ nfs_file_fsync(struct file *file, loff_t start, loff_t end, int datasync)
+ datasync);
+
+ ret = filemap_write_and_wait_range(inode->i_mapping, start, end);
+- if (ret)
+- return ret;
+ mutex_lock(&inode->i_mutex);
+
+ nfs_inc_stats(inode, NFSIOS_VFSFSYNC);
+ have_error = test_and_clear_bit(NFS_CONTEXT_ERROR_WRITE, &ctx->flags);
+ status = nfs_commit_inode(inode, FLUSH_SYNC);
++ if (status >= 0 && ret < 0)
++ status = ret;
+ have_error |= test_bit(NFS_CONTEXT_ERROR_WRITE, &ctx->flags);
+ if (have_error)
+ ret = xchg(&ctx->error, 0);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index d9f4d78..055d702 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3430,19 +3430,6 @@ static inline int nfs4_server_supports_acls(struct nfs_server *server)
+ */
+ #define NFS4ACL_MAXPAGES (XATTR_SIZE_MAX >> PAGE_CACHE_SHIFT)
+
+-static void buf_to_pages(const void *buf, size_t buflen,
+- struct page **pages, unsigned int *pgbase)
+-{
+- const void *p = buf;
+-
+- *pgbase = offset_in_page(buf);
+- p -= *pgbase;
+- while (p < buf + buflen) {
+- *(pages++) = virt_to_page(p);
+- p += PAGE_CACHE_SIZE;
+- }
+-}
+-
+ static int buf_to_pages_noslab(const void *buf, size_t buflen,
+ struct page **pages, unsigned int *pgbase)
+ {
+@@ -3539,9 +3526,19 @@ out:
+ nfs4_set_cached_acl(inode, acl);
+ }
+
++/*
++ * The getxattr API returns the required buffer length when called with a
++ * NULL buf. The NFSv4 acl tool then calls getxattr again after allocating
++ * the required buf. On a NULL buf, we send a page of data to the server
++ * guessing that the ACL request can be serviced by a page. If so, we cache
++ * up to the page of ACL data, and the 2nd call to getxattr is serviced by
++ * the cache. If not so, we throw away the page, and cache the required
++ * length. The next getxattr call will then produce another round trip to
++ * the server, this time with the input buf of the required size.
++ */
+ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
+ {
+- struct page *pages[NFS4ACL_MAXPAGES];
++ struct page *pages[NFS4ACL_MAXPAGES] = {NULL, };
+ struct nfs_getaclargs args = {
+ .fh = NFS_FH(inode),
+ .acl_pages = pages,
+@@ -3556,41 +3553,60 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ .rpc_argp = &args,
+ .rpc_resp = &res,
+ };
+- struct page *localpage = NULL;
+- int ret;
++ int ret = -ENOMEM, npages, i, acl_len = 0;
+
+- if (buflen < PAGE_SIZE) {
+- /* As long as we're doing a round trip to the server anyway,
+- * let's be prepared for a page of acl data. */
+- localpage = alloc_page(GFP_KERNEL);
+- resp_buf = page_address(localpage);
+- if (localpage == NULL)
+- return -ENOMEM;
+- args.acl_pages[0] = localpage;
+- args.acl_pgbase = 0;
+- args.acl_len = PAGE_SIZE;
+- } else {
+- resp_buf = buf;
+- buf_to_pages(buf, buflen, args.acl_pages, &args.acl_pgbase);
++ npages = (buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
++ /* As long as we're doing a round trip to the server anyway,
++ * let's be prepared for a page of acl data. */
++ if (npages == 0)
++ npages = 1;
++
++ for (i = 0; i < npages; i++) {
++ pages[i] = alloc_page(GFP_KERNEL);
++ if (!pages[i])
++ goto out_free;
++ }
++ if (npages > 1) {
++ /* for decoding across pages */
++ args.acl_scratch = alloc_page(GFP_KERNEL);
++ if (!args.acl_scratch)
++ goto out_free;
+ }
+- ret = nfs4_call_sync(NFS_SERVER(inode)->client, NFS_SERVER(inode), &msg, &args.seq_args, &res.seq_res, 0);
++ args.acl_len = npages * PAGE_SIZE;
++ args.acl_pgbase = 0;
++ /* Let decode_getfacl know not to fail if the ACL data is larger than
++ * the page we send as a guess */
++ if (buf == NULL)
++ res.acl_flags |= NFS4_ACL_LEN_REQUEST;
++ resp_buf = page_address(pages[0]);
++
++ dprintk("%s buf %p buflen %ld npages %d args.acl_len %ld\n",
++ __func__, buf, buflen, npages, args.acl_len);
++ ret = nfs4_call_sync(NFS_SERVER(inode)->client, NFS_SERVER(inode),
++ &msg, &args.seq_args, &res.seq_res, 0);
+ if (ret)
+ goto out_free;
+- if (res.acl_len > args.acl_len)
+- nfs4_write_cached_acl(inode, NULL, res.acl_len);
++
++ acl_len = res.acl_len - res.acl_data_offset;
++ if (acl_len > args.acl_len)
++ nfs4_write_cached_acl(inode, NULL, acl_len);
+ else
+- nfs4_write_cached_acl(inode, resp_buf, res.acl_len);
++ nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset,
++ acl_len);
+ if (buf) {
+ ret = -ERANGE;
+- if (res.acl_len > buflen)
++ if (acl_len > buflen)
+ goto out_free;
+- if (localpage)
+- memcpy(buf, resp_buf, res.acl_len);
++ _copy_from_pages(buf, pages, res.acl_data_offset,
++ res.acl_len);
+ }
+- ret = res.acl_len;
++ ret = acl_len;
+ out_free:
+- if (localpage)
+- __free_page(localpage);
++ for (i = 0; i < npages; i++)
++ if (pages[i])
++ __free_page(pages[i]);
++ if (args.acl_scratch)
++ __free_page(args.acl_scratch);
+ return ret;
+ }
+
+@@ -3621,6 +3637,8 @@ static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen)
+ nfs_zap_acl_cache(inode);
+ ret = nfs4_read_cached_acl(inode, buf, buflen);
+ if (ret != -ENOENT)
++ /* -ENOENT is returned if there is no ACL or if there is an ACL
++ * but no cached acl data, just the acl length */
+ return ret;
+ return nfs4_get_acl_uncached(inode, buf, buflen);
+ }
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index e6161b2..dcaf693 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -2517,11 +2517,13 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,
+ encode_compound_hdr(xdr, req, &hdr);
+ encode_sequence(xdr, &args->seq_args, &hdr);
+ encode_putfh(xdr, args->fh, &hdr);
+- replen = hdr.replen + op_decode_hdr_maxsz + nfs4_fattr_bitmap_maxsz + 1;
++ replen = hdr.replen + op_decode_hdr_maxsz + 1;
+ encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);
+
+ xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
+ args->acl_pages, args->acl_pgbase, args->acl_len);
++ xdr_set_scratch_buffer(xdr, page_address(args->acl_scratch), PAGE_SIZE);
++
+ encode_nops(&hdr);
+ }
+
+@@ -4957,17 +4959,18 @@ decode_restorefh(struct xdr_stream *xdr)
+ }
+
+ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+- size_t *acl_len)
++ struct nfs_getaclres *res)
+ {
+- __be32 *savep;
++ __be32 *savep, *bm_p;
+ uint32_t attrlen,
+ bitmap[3] = {0};
+ struct kvec *iov = req->rq_rcv_buf.head;
+ int status;
+
+- *acl_len = 0;
++ res->acl_len = 0;
+ if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
+ goto out;
++ bm_p = xdr->p;
+ if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
+ goto out;
+ if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
+@@ -4979,18 +4982,30 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ size_t hdrlen;
+ u32 recvd;
+
++ /* The bitmap (xdr len + bitmaps) and the attr xdr len words
++ * are stored with the acl data to handle the problem of
++ * variable length bitmaps.*/
++ xdr->p = bm_p;
++ res->acl_data_offset = be32_to_cpup(bm_p) + 2;
++ res->acl_data_offset <<= 2;
++
+ /* We ignore &savep and don't do consistency checks on
+ * the attr length. Let userspace figure it out.... */
+ hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
++ attrlen += res->acl_data_offset;
+ recvd = req->rq_rcv_buf.len - hdrlen;
+ if (attrlen > recvd) {
+- dprintk("NFS: server cheating in getattr"
+- " acl reply: attrlen %u > recvd %u\n",
++ if (res->acl_flags & NFS4_ACL_LEN_REQUEST) {
++ /* getxattr interface called with a NULL buf */
++ res->acl_len = attrlen;
++ goto out;
++ }
++ dprintk("NFS: acl reply: attrlen %u > recvd %u\n",
+ attrlen, recvd);
+ return -EINVAL;
+ }
+ xdr_read_pages(xdr, attrlen);
+- *acl_len = attrlen;
++ res->acl_len = attrlen;
+ } else
+ status = -EOPNOTSUPP;
+
+@@ -6028,7 +6043,7 @@ nfs4_xdr_dec_getacl(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
+ status = decode_putfh(xdr);
+ if (status)
+ goto out;
+- status = decode_getacl(xdr, rqstp, &res->acl_len);
++ status = decode_getacl(xdr, rqstp, res);
+
+ out:
+ return status;
+diff --git a/fs/nfs/objlayout/objio_osd.c b/fs/nfs/objlayout/objio_osd.c
+index c807ab9..55d0128 100644
+--- a/fs/nfs/objlayout/objio_osd.c
++++ b/fs/nfs/objlayout/objio_osd.c
+@@ -551,7 +551,8 @@ static const struct nfs_pageio_ops objio_pg_write_ops = {
+ static struct pnfs_layoutdriver_type objlayout_type = {
+ .id = LAYOUT_OSD2_OBJECTS,
+ .name = "LAYOUT_OSD2_OBJECTS",
+- .flags = PNFS_LAYOUTRET_ON_SETATTR,
++ .flags = PNFS_LAYOUTRET_ON_SETATTR |
++ PNFS_LAYOUTRET_ON_ERROR,
+
+ .alloc_layout_hdr = objlayout_alloc_layout_hdr,
+ .free_layout_hdr = objlayout_free_layout_hdr,
+diff --git a/fs/nfs/objlayout/objlayout.c b/fs/nfs/objlayout/objlayout.c
+index 72074e3..b3c2903 100644
+--- a/fs/nfs/objlayout/objlayout.c
++++ b/fs/nfs/objlayout/objlayout.c
+@@ -254,6 +254,8 @@ objlayout_read_done(struct objlayout_io_res *oir, ssize_t status, bool sync)
+ oir->status = rdata->task.tk_status = status;
+ if (status >= 0)
+ rdata->res.count = status;
++ else
++ rdata->pnfs_error = status;
+ objlayout_iodone(oir);
+ /* must not use oir after this point */
+
+@@ -334,6 +336,8 @@ objlayout_write_done(struct objlayout_io_res *oir, ssize_t status, bool sync)
+ if (status >= 0) {
+ wdata->res.count = status;
+ wdata->verf.committed = oir->committed;
++ } else {
++ wdata->pnfs_error = status;
+ }
+ objlayout_iodone(oir);
+ /* must not use oir after this point */
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 8e672a2..f881a63 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1178,6 +1178,15 @@ void pnfs_ld_write_done(struct nfs_write_data *data)
+ put_lseg(data->lseg);
+ data->lseg = NULL;
+ dprintk("pnfs write error = %d\n", data->pnfs_error);
++ if (NFS_SERVER(data->inode)->pnfs_curr_ld->flags &
++ PNFS_LAYOUTRET_ON_ERROR) {
++ /* Don't lo_commit on error, Server will needs to
++ * preform a file recovery.
++ */
++ clear_bit(NFS_INO_LAYOUTCOMMIT,
++ &NFS_I(data->inode)->flags);
++ pnfs_return_layout(data->inode);
++ }
+ }
+ data->mds_ops->rpc_release(data);
+ }
+@@ -1267,6 +1276,9 @@ static void pnfs_ld_handle_read_error(struct nfs_read_data *data)
+ put_lseg(data->lseg);
+ data->lseg = NULL;
+ dprintk("pnfs write error = %d\n", data->pnfs_error);
++ if (NFS_SERVER(data->inode)->pnfs_curr_ld->flags &
++ PNFS_LAYOUTRET_ON_ERROR)
++ pnfs_return_layout(data->inode);
+
+ nfs_pageio_init_read_mds(&pgio, data->inode);
+
+diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
+index 1509530..53d593a 100644
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -68,6 +68,7 @@ enum {
+ enum layoutdriver_policy_flags {
+ /* Should the pNFS client commit and return the layout upon a setattr */
+ PNFS_LAYOUTRET_ON_SETATTR = 1 << 0,
++ PNFS_LAYOUTRET_ON_ERROR = 1 << 1,
+ };
+
+ struct nfs4_deviceid_node;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 1347774..3ada13c 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -909,10 +909,24 @@ static struct nfs_parsed_mount_data *nfs_alloc_parsed_mount_data(unsigned int ve
+ data->auth_flavor_len = 1;
+ data->version = version;
+ data->minorversion = 0;
++ security_init_mnt_opts(&data->lsm_opts);
+ }
+ return data;
+ }
+
++static void nfs_free_parsed_mount_data(struct nfs_parsed_mount_data *data)
++{
++ if (data) {
++ kfree(data->client_address);
++ kfree(data->mount_server.hostname);
++ kfree(data->nfs_server.export_path);
++ kfree(data->nfs_server.hostname);
++ kfree(data->fscache_uniq);
++ security_free_mnt_opts(&data->lsm_opts);
++ kfree(data);
++ }
++}
++
+ /*
+ * Sanity-check a server address provided by the mount command.
+ *
+@@ -2220,9 +2234,7 @@ static struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
+ data = nfs_alloc_parsed_mount_data(NFS_DEFAULT_VERSION);
+ mntfh = nfs_alloc_fhandle();
+ if (data == NULL || mntfh == NULL)
+- goto out_free_fh;
+-
+- security_init_mnt_opts(&data->lsm_opts);
++ goto out;
+
+ /* Validate the mount data */
+ error = nfs_validate_mount_data(raw_data, data, mntfh, dev_name);
+@@ -2234,8 +2246,6 @@ static struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
+ #ifdef CONFIG_NFS_V4
+ if (data->version == 4) {
+ mntroot = nfs4_try_mount(flags, dev_name, data);
+- kfree(data->client_address);
+- kfree(data->nfs_server.export_path);
+ goto out;
+ }
+ #endif /* CONFIG_NFS_V4 */
+@@ -2290,13 +2300,8 @@ static struct dentry *nfs_fs_mount(struct file_system_type *fs_type,
+ s->s_flags |= MS_ACTIVE;
+
+ out:
+- kfree(data->nfs_server.hostname);
+- kfree(data->mount_server.hostname);
+- kfree(data->fscache_uniq);
+- security_free_mnt_opts(&data->lsm_opts);
+-out_free_fh:
++ nfs_free_parsed_mount_data(data);
+ nfs_free_fhandle(mntfh);
+- kfree(data);
+ return mntroot;
+
+ out_err_nosb:
+@@ -2623,9 +2628,7 @@ nfs4_remote_mount(struct file_system_type *fs_type, int flags,
+
+ mntfh = nfs_alloc_fhandle();
+ if (data == NULL || mntfh == NULL)
+- goto out_free_fh;
+-
+- security_init_mnt_opts(&data->lsm_opts);
++ goto out;
+
+ /* Get a volume representation */
+ server = nfs4_create_server(data, mntfh);
+@@ -2677,13 +2680,10 @@ nfs4_remote_mount(struct file_system_type *fs_type, int flags,
+
+ s->s_flags |= MS_ACTIVE;
+
+- security_free_mnt_opts(&data->lsm_opts);
+ nfs_free_fhandle(mntfh);
+ return mntroot;
+
+ out:
+- security_free_mnt_opts(&data->lsm_opts);
+-out_free_fh:
+ nfs_free_fhandle(mntfh);
+ return ERR_PTR(error);
+
+@@ -2838,7 +2838,7 @@ static struct dentry *nfs4_mount(struct file_system_type *fs_type,
+
+ data = nfs_alloc_parsed_mount_data(4);
+ if (data == NULL)
+- goto out_free_data;
++ goto out;
+
+ /* Validate the mount data */
+ error = nfs4_validate_mount_data(raw_data, data, dev_name);
+@@ -2852,12 +2852,7 @@ static struct dentry *nfs4_mount(struct file_system_type *fs_type,
+ error = PTR_ERR(res);
+
+ out:
+- kfree(data->client_address);
+- kfree(data->nfs_server.export_path);
+- kfree(data->nfs_server.hostname);
+- kfree(data->fscache_uniq);
+-out_free_data:
+- kfree(data);
++ nfs_free_parsed_mount_data(data);
+ dprintk("<-- nfs4_mount() = %d%s\n", error,
+ error != 0 ? " [error]" : "");
+ return res;
+diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
+index 62f3b90..5f312ab 100644
+--- a/fs/nfsd/export.c
++++ b/fs/nfsd/export.c
+@@ -87,7 +87,7 @@ static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen)
+ struct svc_expkey key;
+ struct svc_expkey *ek = NULL;
+
+- if (mesg[mlen-1] != '\n')
++ if (mlen < 1 || mesg[mlen-1] != '\n')
+ return -EINVAL;
+ mesg[mlen-1] = 0;
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 47e94e3..5abced7 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3809,16 +3809,29 @@ nevermind:
+ deny->ld_type = NFS4_WRITE_LT;
+ }
+
++static bool same_lockowner_ino(struct nfs4_lockowner *lo, struct inode *inode, clientid_t *clid, struct xdr_netobj *owner)
++{
++ struct nfs4_ol_stateid *lst;
++
++ if (!same_owner_str(&lo->lo_owner, owner, clid))
++ return false;
++ lst = list_first_entry(&lo->lo_owner.so_stateids,
++ struct nfs4_ol_stateid, st_perstateowner);
++ return lst->st_file->fi_inode == inode;
++}
++
+ static struct nfs4_lockowner *
+ find_lockowner_str(struct inode *inode, clientid_t *clid,
+ struct xdr_netobj *owner)
+ {
+ unsigned int hashval = lock_ownerstr_hashval(inode, clid->cl_id, owner);
++ struct nfs4_lockowner *lo;
+ struct nfs4_stateowner *op;
+
+ list_for_each_entry(op, &lock_ownerstr_hashtbl[hashval], so_strhash) {
+- if (same_owner_str(op, owner, clid))
+- return lockowner(op);
++ lo = lockowner(op);
++ if (same_lockowner_ino(lo, inode, clid, owner))
++ return lo;
+ }
+ return NULL;
+ }
+diff --git a/fs/notify/mark.c b/fs/notify/mark.c
+index e14587d..f104d56 100644
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -135,9 +135,6 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark)
+
+ mark->flags &= ~FSNOTIFY_MARK_FLAG_ALIVE;
+
+- /* 1 from caller and 1 for being on i_list/g_list */
+- BUG_ON(atomic_read(&mark->refcnt) < 2);
+-
+ spin_lock(&group->mark_lock);
+
+ if (mark->flags & FSNOTIFY_MARK_FLAG_INODE) {
+@@ -182,6 +179,11 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark)
+ iput(inode);
+
+ /*
++ * We don't necessarily have a ref on mark from caller so the above iput
++ * may have already destroyed it. Don't touch from now on.
++ */
++
++ /*
+ * it's possible that this group tried to destroy itself, but this
+ * this mark was simultaneously being freed by inode. If that's the
+ * case, we finish freeing the group here.
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 851ba3d..1fc1dca 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *inode, struct path *path)
+ return result;
+ }
+
+-static struct mm_struct *__check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+-
+- mm = get_task_mm(task);
+- if (!mm)
+- return ERR_PTR(-EINVAL);
+-
+- /*
+- * A task can always look at itself, in case it chooses
+- * to use system calls instead of load instructions.
+- */
+- if (task == current)
+- return mm;
+-
+- /*
+- * If current is actively ptrace'ing, and would also be
+- * permitted to freshly attach with ptrace now, permit it.
+- */
+- if (task_is_stopped_or_traced(task)) {
+- int match;
+- rcu_read_lock();
+- match = (ptrace_parent(task) == current);
+- rcu_read_unlock();
+- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
+- return mm;
+- }
+-
+- /*
+- * No one else is allowed.
+- */
+- mmput(mm);
+- return ERR_PTR(-EPERM);
+-}
+-
+-/*
+- * If current may access user memory in @task return a reference to the
+- * corresponding mm, otherwise ERR_PTR.
+- */
+-static struct mm_struct *check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+- int err;
+-
+- /*
+- * Avoid racing if task exec's as we might get a new mm but validate
+- * against old credentials.
+- */
+- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+- if (err)
+- return ERR_PTR(err);
+-
+- mm = __check_mem_permission(task);
+- mutex_unlock(&task->signal->cred_guard_mutex);
+-
+- return mm;
+-}
+-
+-struct mm_struct *mm_for_maps(struct task_struct *task)
++static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+ {
+ struct mm_struct *mm;
+ int err;
+@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+
+ mm = get_task_mm(task);
+ if (mm && mm != current->mm &&
+- !ptrace_may_access(task, PTRACE_MODE_READ)) {
++ !ptrace_may_access(task, mode)) {
+ mmput(mm);
+ mm = ERR_PTR(-EACCES);
+ }
+@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ return mm;
+ }
+
++struct mm_struct *mm_for_maps(struct task_struct *task)
++{
++ return mm_access(task, PTRACE_MODE_READ);
++}
++
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+ {
+ int res = 0;
+@@ -816,38 +763,39 @@ static const struct file_operations proc_single_file_operations = {
+
+ static int mem_open(struct inode* inode, struct file* file)
+ {
+- file->private_data = (void*)((long)current->self_exec_id);
++ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ struct mm_struct *mm;
++
++ if (!task)
++ return -ESRCH;
++
++ mm = mm_access(task, PTRACE_MODE_ATTACH);
++ put_task_struct(task);
++
++ if (IS_ERR(mm))
++ return PTR_ERR(mm);
++
+ /* OK to pass negative loff_t, we can catch out-of-range */
+ file->f_mode |= FMODE_UNSIGNED_OFFSET;
++ file->private_data = mm;
++
+ return 0;
+ }
+
+ static ssize_t mem_read(struct file * file, char __user * buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ int ret;
+ char *page;
+ unsigned long src = *ppos;
+- int ret = -ESRCH;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- ret = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out;
+-
+- mm = check_mem_permission(task);
+- ret = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- ret = -EIO;
+-
+- if (file->private_data != (void*)((long)current->self_exec_id))
+- goto out_put;
++ return -ENOMEM;
+
+ ret = 0;
+
+@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * file, char __user * buf,
+ }
+ *ppos = src;
+
+-out_put:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out:
+- put_task_struct(task);
+-out_no_task:
+ return ret;
+ }
+
+@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
+ {
+ int copied;
+ char *page;
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+ unsigned long dst = *ppos;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- copied = -ESRCH;
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- copied = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out_task;
+-
+- mm = check_mem_permission(task);
+- copied = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- copied = -EIO;
+- if (file->private_data != (void *)((long)current->self_exec_id))
+- goto out_mm;
++ return -ENOMEM;
+
+ copied = 0;
+ while (count > 0) {
+@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
+ }
+ *ppos = dst;
+
+-out_mm:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out_task:
+- put_task_struct(task);
+-out_no_task:
+ return copied;
+ }
+
+@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig)
+ return file->f_pos;
+ }
+
++static int mem_release(struct inode *inode, struct file *file)
++{
++ struct mm_struct *mm = file->private_data;
++
++ mmput(mm);
++ return 0;
++}
++
+ static const struct file_operations proc_mem_operations = {
+ .llseek = mem_lseek,
+ .read = mem_read,
+ .write = mem_write,
+ .open = mem_open,
++ .release = mem_release,
+ };
+
+ static ssize_t environ_read(struct file *file, char __user *buf,
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index e418c5a..7dcd2a2 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -518,6 +518,9 @@ static int clear_refs_pte_range(pmd_t *pmd, unsigned long addr,
+ if (!page)
+ continue;
+
++ if (PageReserved(page))
++ continue;
++
+ /* Clear accessed and referenced bits. */
+ ptep_test_and_clear_young(vma, addr, pte);
+ ClearPageReferenced(page);
+diff --git a/fs/proc/uptime.c b/fs/proc/uptime.c
+index 766b1d4..29166ec 100644
+--- a/fs/proc/uptime.c
++++ b/fs/proc/uptime.c
+@@ -11,15 +11,20 @@ static int uptime_proc_show(struct seq_file *m, void *v)
+ {
+ struct timespec uptime;
+ struct timespec idle;
++ cputime64_t idletime;
++ u64 nsec;
++ u32 rem;
+ int i;
+- cputime_t idletime = cputime_zero;
+
++ idletime = 0;
+ for_each_possible_cpu(i)
+ idletime = cputime64_add(idletime, kstat_cpu(i).cpustat.idle);
+
+ do_posix_clock_monotonic_gettime(&uptime);
+ monotonic_to_bootbased(&uptime);
+- cputime_to_timespec(idletime, &idle);
++ nsec = cputime64_to_jiffies64(idletime) * TICK_NSEC;
++ idle.tv_sec = div_u64_rem(nsec, NSEC_PER_SEC, &rem);
++ idle.tv_nsec = rem;
+ seq_printf(m, "%lu.%02lu %lu.%02lu\n",
+ (unsigned long) uptime.tv_sec,
+ (uptime.tv_nsec / (NSEC_PER_SEC / 100)),
+diff --git a/fs/ubifs/debug.h b/fs/ubifs/debug.h
+index 8d9c468..c9d2941 100644
+--- a/fs/ubifs/debug.h
++++ b/fs/ubifs/debug.h
+@@ -175,22 +175,23 @@ const char *dbg_key_str1(const struct ubifs_info *c,
+ const union ubifs_key *key);
+
+ /*
+- * DBGKEY macros require @dbg_lock to be held, which it is in the dbg message
+- * macros.
++ * TODO: these macros are now broken because there is no locking around them
++ * and we use a global buffer for the key string. This means that in case of
++ * concurrent execution we will end up with incorrect and messy key strings.
+ */
+ #define DBGKEY(key) dbg_key_str0(c, (key))
+ #define DBGKEY1(key) dbg_key_str1(c, (key))
+
+ extern spinlock_t dbg_lock;
+
+-#define ubifs_dbg_msg(type, fmt, ...) do { \
+- spin_lock(&dbg_lock); \
+- pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__); \
+- spin_unlock(&dbg_lock); \
+-} while (0)
++#define ubifs_dbg_msg(type, fmt, ...) \
++ pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__)
+
+ /* Just a debugging messages not related to any specific UBIFS subsystem */
+-#define dbg_msg(fmt, ...) ubifs_dbg_msg("msg", fmt, ##__VA_ARGS__)
++#define dbg_msg(fmt, ...) \
++ printk(KERN_DEBUG "UBIFS DBG (pid %d): %s: " fmt "\n", current->pid, \
++ __func__, ##__VA_ARGS__)
++
+ /* General messages */
+ #define dbg_gen(fmt, ...) ubifs_dbg_msg("gen", fmt, ##__VA_ARGS__)
+ /* Additional journal messages */
+diff --git a/fs/xfs/xfs_discard.c b/fs/xfs/xfs_discard.c
+index 8a24f0c..286a051 100644
+--- a/fs/xfs/xfs_discard.c
++++ b/fs/xfs/xfs_discard.c
+@@ -68,7 +68,7 @@ xfs_trim_extents(
+ * Look up the longest btree in the AGF and start with it.
+ */
+ error = xfs_alloc_lookup_le(cur, 0,
+- XFS_BUF_TO_AGF(agbp)->agf_longest, &i);
++ be32_to_cpu(XFS_BUF_TO_AGF(agbp)->agf_longest), &i);
+ if (error)
+ goto out_del_cursor;
+
+@@ -84,7 +84,7 @@ xfs_trim_extents(
+ if (error)
+ goto out_del_cursor;
+ XFS_WANT_CORRUPTED_GOTO(i == 1, out_del_cursor);
+- ASSERT(flen <= XFS_BUF_TO_AGF(agbp)->agf_longest);
++ ASSERT(flen <= be32_to_cpu(XFS_BUF_TO_AGF(agbp)->agf_longest));
+
+ /*
+ * Too small? Give up.
+diff --git a/include/acpi/acpi_numa.h b/include/acpi/acpi_numa.h
+index 1739726..451823c 100644
+--- a/include/acpi/acpi_numa.h
++++ b/include/acpi/acpi_numa.h
+@@ -15,6 +15,7 @@ extern int pxm_to_node(int);
+ extern int node_to_pxm(int);
+ extern void __acpi_map_pxm_to_node(int, int);
+ extern int acpi_map_pxm_to_node(int);
++extern unsigned char acpi_srat_revision;
+
+ #endif /* CONFIG_ACPI_NUMA */
+ #endif /* __ACP_NUMA_H */
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 94acd81..0ed1eb0 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -675,6 +675,9 @@ extern int blk_insert_cloned_request(struct request_queue *q,
+ struct request *rq);
+ extern void blk_delay_queue(struct request_queue *, unsigned long);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
++extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
++ unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+ unsigned int, void __user *);
+ extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+diff --git a/include/linux/crash_dump.h b/include/linux/crash_dump.h
+index 5c4abce..b936763 100644
+--- a/include/linux/crash_dump.h
++++ b/include/linux/crash_dump.h
+@@ -5,6 +5,7 @@
+ #include <linux/kexec.h>
+ #include <linux/device.h>
+ #include <linux/proc_fs.h>
++#include <linux/elf.h>
+
+ #define ELFCORE_ADDR_MAX (-1ULL)
+ #define ELFCORE_ADDR_ERR (-2ULL)
+diff --git a/include/linux/dcache.h b/include/linux/dcache.h
+index ed9f74f..4eb8c80 100644
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -203,6 +203,7 @@ struct dentry_operations {
+
+ #define DCACHE_CANT_MOUNT 0x0100
+ #define DCACHE_GENOCIDE 0x0200
++#define DCACHE_SHRINK_LIST 0x0400
+
+ #define DCACHE_NFSFS_RENAMED 0x1000
+ /* this dentry has been "silly renamed" and has to be deleted on the last
+diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
+index b87068a..81572af 100644
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -119,6 +119,8 @@ struct zone_reclaim_stat*
+ mem_cgroup_get_reclaim_stat_from_page(struct page *page);
+ extern void mem_cgroup_print_oom_info(struct mem_cgroup *memcg,
+ struct task_struct *p);
++extern void mem_cgroup_replace_page_cache(struct page *oldpage,
++ struct page *newpage);
+
+ #ifdef CONFIG_CGROUP_MEM_RES_CTLR_SWAP
+ extern int do_swap_account;
+@@ -366,6 +368,10 @@ static inline
+ void mem_cgroup_count_vm_event(struct mm_struct *mm, enum vm_event_item idx)
+ {
+ }
++static inline void mem_cgroup_replace_page_cache(struct page *oldpage,
++ struct page *newpage)
++{
++}
+ #endif /* CONFIG_CGROUP_MEM_CONT */
+
+ #if !defined(CONFIG_CGROUP_MEM_RES_CTLR) || !defined(CONFIG_DEBUG_VM)
+diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
+index 2a7c533..6c898af 100644
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -602,11 +602,16 @@ struct nfs_getaclargs {
+ size_t acl_len;
+ unsigned int acl_pgbase;
+ struct page ** acl_pages;
++ struct page * acl_scratch;
+ struct nfs4_sequence_args seq_args;
+ };
+
++/* getxattr ACL interface flags */
++#define NFS4_ACL_LEN_REQUEST 0x0001 /* zero length getxattr buffer */
+ struct nfs_getaclres {
+ size_t acl_len;
++ size_t acl_data_offset;
++ int acl_flags;
+ struct nfs4_sequence_res seq_res;
+ };
+
+diff --git a/include/linux/pci_regs.h b/include/linux/pci_regs.h
+index b5d9657..411c412 100644
+--- a/include/linux/pci_regs.h
++++ b/include/linux/pci_regs.h
+@@ -392,7 +392,7 @@
+ #define PCI_EXP_TYPE_DOWNSTREAM 0x6 /* Downstream Port */
+ #define PCI_EXP_TYPE_PCI_BRIDGE 0x7 /* PCI/PCI-X Bridge */
+ #define PCI_EXP_TYPE_RC_END 0x9 /* Root Complex Integrated Endpoint */
+-#define PCI_EXP_TYPE_RC_EC 0x10 /* Root Complex Event Collector */
++#define PCI_EXP_TYPE_RC_EC 0xa /* Root Complex Event Collector */
+ #define PCI_EXP_FLAGS_SLOT 0x0100 /* Slot implemented */
+ #define PCI_EXP_FLAGS_IRQ 0x3e00 /* Interrupt message number */
+ #define PCI_EXP_DEVCAP 4 /* Device capabilities */
+diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
+index 9291ac3..6f10c9c 100644
+--- a/include/linux/shmem_fs.h
++++ b/include/linux/shmem_fs.h
+@@ -48,6 +48,7 @@ extern struct file *shmem_file_setup(const char *name,
+ loff_t size, unsigned long flags);
+ extern int shmem_zero_setup(struct vm_area_struct *);
+ extern int shmem_lock(struct file *file, int lock, struct user_struct *user);
++extern void shmem_unlock_mapping(struct address_space *mapping);
+ extern struct page *shmem_read_mapping_page_gfp(struct address_space *mapping,
+ pgoff_t index, gfp_t gfp_mask);
+ extern void shmem_truncate_range(struct inode *inode, loff_t start, loff_t end);
+diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h
+index 85c50b4..c84e974 100644
+--- a/include/linux/sunrpc/svcsock.h
++++ b/include/linux/sunrpc/svcsock.h
+@@ -34,7 +34,7 @@ struct svc_sock {
+ /*
+ * Function prototypes.
+ */
+-void svc_close_all(struct list_head *);
++void svc_close_all(struct svc_serv *);
+ int svc_recv(struct svc_rqst *, long);
+ int svc_send(struct svc_rqst *);
+ void svc_drop(struct svc_rqst *);
+diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
+index a20970e..af70af3 100644
+--- a/include/linux/sunrpc/xdr.h
++++ b/include/linux/sunrpc/xdr.h
+@@ -191,6 +191,8 @@ extern int xdr_decode_array2(struct xdr_buf *buf, unsigned int base,
+ struct xdr_array2_desc *desc);
+ extern int xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
+ struct xdr_array2_desc *desc);
++extern void _copy_from_pages(char *p, struct page **pages, size_t pgbase,
++ size_t len);
+
+ /*
+ * Provide some simple tools for XDR buffer overflow-checking etc.
+diff --git a/include/linux/swap.h b/include/linux/swap.h
+index 1e22e12..67b3fa3 100644
+--- a/include/linux/swap.h
++++ b/include/linux/swap.h
+@@ -272,7 +272,7 @@ static inline int zone_reclaim(struct zone *z, gfp_t mask, unsigned int order)
+ #endif
+
+ extern int page_evictable(struct page *page, struct vm_area_struct *vma);
+-extern void scan_mapping_unevictable_pages(struct address_space *);
++extern void check_move_unevictable_pages(struct page **, int nr_pages);
+
+ extern unsigned long scan_unevictable_pages;
+ extern int scan_unevictable_handler(struct ctl_table *, int,
+diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
+index 4b752d5..45a7698 100644
+--- a/include/linux/videodev2.h
++++ b/include/linux/videodev2.h
+@@ -1131,6 +1131,7 @@ struct v4l2_querymenu {
+ #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
+
+ /* User-class control IDs defined by V4L2 */
++#define V4L2_CID_MAX_CTRLS 1024
+ #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
+ #define V4L2_CID_USER_BASE V4L2_CID_BASE
+ /* IDs reserved for driver specific controls */
+diff --git a/include/media/tuner.h b/include/media/tuner.h
+index 89c290b..29e1920 100644
+--- a/include/media/tuner.h
++++ b/include/media/tuner.h
+@@ -127,7 +127,6 @@
+ #define TUNER_PHILIPS_FMD1216MEX_MK3 78
+ #define TUNER_PHILIPS_FM1216MK5 79
+ #define TUNER_PHILIPS_FQ1216LME_MK3 80 /* Active loopthrough, no FM */
+-#define TUNER_XC4000 81 /* Xceive Silicon Tuner */
+
+ #define TUNER_PARTSNIC_PTI_5NF05 81
+ #define TUNER_PHILIPS_CU1216L 82
+@@ -136,6 +135,8 @@
+ #define TUNER_PHILIPS_FQ1236_MK5 85 /* NTSC, TDA9885, no FM radio */
+ #define TUNER_TENA_TNF_5337 86
+
++#define TUNER_XC4000 87 /* Xceive Silicon Tuner */
++
+ /* tv card specific */
+ #define TDA9887_PRESENT (1<<0)
+ #define TDA9887_PORT1_INACTIVE (1<<1)
+diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
+index 6873c7d..a79886c 100644
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -34,6 +34,7 @@
+ #define TRANSPORT_SENSE_BUFFER SCSI_SENSE_BUFFERSIZE
+ /* Used by transport_send_check_condition_and_sense() */
+ #define SPC_SENSE_KEY_OFFSET 2
++#define SPC_ADD_SENSE_LEN_OFFSET 7
+ #define SPC_ASC_KEY_OFFSET 12
+ #define SPC_ASCQ_KEY_OFFSET 13
+ #define TRANSPORT_IQN_LEN 224
+diff --git a/include/xen/interface/io/xs_wire.h b/include/xen/interface/io/xs_wire.h
+index f6f07aa..7cdfca2 100644
+--- a/include/xen/interface/io/xs_wire.h
++++ b/include/xen/interface/io/xs_wire.h
+@@ -87,4 +87,7 @@ struct xenstore_domain_interface {
+ XENSTORE_RING_IDX rsp_cons, rsp_prod;
+ };
+
++/* Violating this is very bad. See docs/misc/xenstore.txt. */
++#define XENSTORE_PAYLOAD_MAX 4096
++
+ #endif /* _XS_WIRE_H */
+diff --git a/init/do_mounts.c b/init/do_mounts.c
+index 0f6e1d9..db6e5ee 100644
+--- a/init/do_mounts.c
++++ b/init/do_mounts.c
+@@ -398,15 +398,42 @@ out:
+ }
+
+ #ifdef CONFIG_ROOT_NFS
++
++#define NFSROOT_TIMEOUT_MIN 5
++#define NFSROOT_TIMEOUT_MAX 30
++#define NFSROOT_RETRY_MAX 5
++
+ static int __init mount_nfs_root(void)
+ {
+ char *root_dev, *root_data;
++ unsigned int timeout;
++ int try, err;
+
+- if (nfs_root_data(&root_dev, &root_data) != 0)
+- return 0;
+- if (do_mount_root(root_dev, "nfs", root_mountflags, root_data) != 0)
++ err = nfs_root_data(&root_dev, &root_data);
++ if (err != 0)
+ return 0;
+- return 1;
++
++ /*
++ * The server or network may not be ready, so try several
++ * times. Stop after a few tries in case the client wants
++ * to fall back to other boot methods.
++ */
++ timeout = NFSROOT_TIMEOUT_MIN;
++ for (try = 1; ; try++) {
++ err = do_mount_root(root_dev, "nfs",
++ root_mountflags, root_data);
++ if (err == 0)
++ return 1;
++ if (try > NFSROOT_RETRY_MAX)
++ break;
++
++ /* Wait, in case the server refused us immediately */
++ ssleep(timeout);
++ timeout <<= 1;
++ if (timeout > NFSROOT_TIMEOUT_MAX)
++ timeout = NFSROOT_TIMEOUT_MAX;
++ }
++ return 0;
+ }
+ #endif
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 02ecf2c..b76be5b 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -870,9 +870,7 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ case SHM_LOCK:
+ case SHM_UNLOCK:
+ {
+- struct file *uninitialized_var(shm_file);
+-
+- lru_add_drain_all(); /* drain pagevecs to lru lists */
++ struct file *shm_file;
+
+ shp = shm_lock_check(ns, shmid);
+ if (IS_ERR(shp)) {
+@@ -895,22 +893,31 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ err = security_shm_shmctl(shp, cmd);
+ if (err)
+ goto out_unlock;
+-
+- if(cmd==SHM_LOCK) {
++
++ shm_file = shp->shm_file;
++ if (is_file_hugepages(shm_file))
++ goto out_unlock;
++
++ if (cmd == SHM_LOCK) {
+ struct user_struct *user = current_user();
+- if (!is_file_hugepages(shp->shm_file)) {
+- err = shmem_lock(shp->shm_file, 1, user);
+- if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){
+- shp->shm_perm.mode |= SHM_LOCKED;
+- shp->mlock_user = user;
+- }
++ err = shmem_lock(shm_file, 1, user);
++ if (!err && !(shp->shm_perm.mode & SHM_LOCKED)) {
++ shp->shm_perm.mode |= SHM_LOCKED;
++ shp->mlock_user = user;
+ }
+- } else if (!is_file_hugepages(shp->shm_file)) {
+- shmem_lock(shp->shm_file, 0, shp->mlock_user);
+- shp->shm_perm.mode &= ~SHM_LOCKED;
+- shp->mlock_user = NULL;
++ goto out_unlock;
+ }
++
++ /* SHM_UNLOCK */
++ if (!(shp->shm_perm.mode & SHM_LOCKED))
++ goto out_unlock;
++ shmem_lock(shm_file, 0, shp->mlock_user);
++ shp->shm_perm.mode &= ~SHM_LOCKED;
++ shp->mlock_user = NULL;
++ get_file(shm_file);
+ shm_unlock(shp);
++ shmem_unlock_mapping(shm_file->f_mapping);
++ fput(shm_file);
+ goto out;
+ }
+ case IPC_RMID:
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index e5d8464..52fd049 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1077,6 +1077,7 @@ void __kprobes kprobe_flush_task(struct task_struct *tk)
+ /* Early boot. kretprobe_table_locks not yet initialized. */
+ return;
+
++ INIT_HLIST_HEAD(&empty_rp);
+ hash = hash_ptr(tk, KPROBE_HASH_BITS);
+ head = &kretprobe_inst_table[hash];
+ kretprobe_table_lock(hash, &flags);
+@@ -1085,7 +1086,6 @@ void __kprobes kprobe_flush_task(struct task_struct *tk)
+ recycle_rp_inst(ri, &empty_rp);
+ }
+ kretprobe_table_unlock(hash, &flags);
+- INIT_HLIST_HEAD(&empty_rp);
+ hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
+ hlist_del(&ri->hlist);
+ kfree(ri);
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index b1e8943..25b4f4d 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -948,7 +948,7 @@ struct ftrace_func_probe {
+ };
+
+ enum {
+- FTRACE_ENABLE_CALLS = (1 << 0),
++ FTRACE_UPDATE_CALLS = (1 << 0),
+ FTRACE_DISABLE_CALLS = (1 << 1),
+ FTRACE_UPDATE_TRACE_FUNC = (1 << 2),
+ FTRACE_START_FUNC_RET = (1 << 3),
+@@ -1519,7 +1519,7 @@ int ftrace_text_reserved(void *start, void *end)
+
+
+ static int
+-__ftrace_replace_code(struct dyn_ftrace *rec, int enable)
++__ftrace_replace_code(struct dyn_ftrace *rec, int update)
+ {
+ unsigned long ftrace_addr;
+ unsigned long flag = 0UL;
+@@ -1527,17 +1527,17 @@ __ftrace_replace_code(struct dyn_ftrace *rec, int enable)
+ ftrace_addr = (unsigned long)FTRACE_ADDR;
+
+ /*
+- * If we are enabling tracing:
++ * If we are updating calls:
+ *
+ * If the record has a ref count, then we need to enable it
+ * because someone is using it.
+ *
+ * Otherwise we make sure its disabled.
+ *
+- * If we are disabling tracing, then disable all records that
++ * If we are disabling calls, then disable all records that
+ * are enabled.
+ */
+- if (enable && (rec->flags & ~FTRACE_FL_MASK))
++ if (update && (rec->flags & ~FTRACE_FL_MASK))
+ flag = FTRACE_FL_ENABLED;
+
+ /* If the state of this record hasn't changed, then do nothing */
+@@ -1553,7 +1553,7 @@ __ftrace_replace_code(struct dyn_ftrace *rec, int enable)
+ return ftrace_make_nop(NULL, rec, ftrace_addr);
+ }
+
+-static void ftrace_replace_code(int enable)
++static void ftrace_replace_code(int update)
+ {
+ struct dyn_ftrace *rec;
+ struct ftrace_page *pg;
+@@ -1567,7 +1567,7 @@ static void ftrace_replace_code(int enable)
+ if (rec->flags & FTRACE_FL_FREE)
+ continue;
+
+- failed = __ftrace_replace_code(rec, enable);
++ failed = __ftrace_replace_code(rec, update);
+ if (failed) {
+ ftrace_bug(failed, rec->ip);
+ /* Stop processing */
+@@ -1623,7 +1623,7 @@ static int __ftrace_modify_code(void *data)
+ */
+ function_trace_stop++;
+
+- if (*command & FTRACE_ENABLE_CALLS)
++ if (*command & FTRACE_UPDATE_CALLS)
+ ftrace_replace_code(1);
+ else if (*command & FTRACE_DISABLE_CALLS)
+ ftrace_replace_code(0);
+@@ -1691,7 +1691,7 @@ static int ftrace_startup(struct ftrace_ops *ops, int command)
+ return -ENODEV;
+
+ ftrace_start_up++;
+- command |= FTRACE_ENABLE_CALLS;
++ command |= FTRACE_UPDATE_CALLS;
+
+ /* ops marked global share the filter hashes */
+ if (ops->flags & FTRACE_OPS_FL_GLOBAL) {
+@@ -1743,8 +1743,7 @@ static void ftrace_shutdown(struct ftrace_ops *ops, int command)
+ if (ops != &global_ops || !global_start_up)
+ ops->flags &= ~FTRACE_OPS_FL_ENABLED;
+
+- if (!ftrace_start_up)
+- command |= FTRACE_DISABLE_CALLS;
++ command |= FTRACE_UPDATE_CALLS;
+
+ if (saved_ftrace_func != ftrace_trace_function) {
+ saved_ftrace_func = ftrace_trace_function;
+@@ -1766,7 +1765,7 @@ static void ftrace_startup_sysctl(void)
+ saved_ftrace_func = NULL;
+ /* ftrace_start_up is true if we want ftrace running */
+ if (ftrace_start_up)
+- ftrace_run_update_code(FTRACE_ENABLE_CALLS);
++ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
+ }
+
+ static void ftrace_shutdown_sysctl(void)
+@@ -2919,7 +2918,7 @@ ftrace_set_regex(struct ftrace_ops *ops, unsigned char *buf, int len,
+ ret = ftrace_hash_move(ops, enable, orig_hash, hash);
+ if (!ret && ops->flags & FTRACE_OPS_FL_ENABLED
+ && ftrace_enabled)
+- ftrace_run_update_code(FTRACE_ENABLE_CALLS);
++ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
+
+ mutex_unlock(&ftrace_lock);
+
+@@ -3107,7 +3106,7 @@ ftrace_regex_release(struct inode *inode, struct file *file)
+ orig_hash, iter->hash);
+ if (!ret && (iter->ops->flags & FTRACE_OPS_FL_ENABLED)
+ && ftrace_enabled)
+- ftrace_run_update_code(FTRACE_ENABLE_CALLS);
++ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
+
+ mutex_unlock(&ftrace_lock);
+ }
+diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
+index db110b8..f1539de 100644
+--- a/kernel/tracepoint.c
++++ b/kernel/tracepoint.c
+@@ -634,10 +634,11 @@ static int tracepoint_module_coming(struct module *mod)
+ int ret = 0;
+
+ /*
+- * We skip modules that tain the kernel, especially those with different
+- * module header (for forced load), to make sure we don't cause a crash.
++ * We skip modules that taint the kernel, especially those with different
++ * module headers (for forced load), to make sure we don't cause a crash.
++ * Staging and out-of-tree GPL modules are fine.
+ */
+- if (mod->taints)
++ if (mod->taints & ~((1 << TAINT_OOT_MODULE) | (1 << TAINT_CRAP)))
+ return 0;
+ mutex_lock(&tracepoints_mutex);
+ tp_mod = kmalloc(sizeof(struct tp_module), GFP_KERNEL);
+diff --git a/mm/filemap.c b/mm/filemap.c
+index 5f0a3c9..90286a4 100644
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -393,24 +393,11 @@ EXPORT_SYMBOL(filemap_write_and_wait_range);
+ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
+ {
+ int error;
+- struct mem_cgroup *memcg = NULL;
+
+ VM_BUG_ON(!PageLocked(old));
+ VM_BUG_ON(!PageLocked(new));
+ VM_BUG_ON(new->mapping);
+
+- /*
+- * This is not page migration, but prepare_migration and
+- * end_migration does enough work for charge replacement.
+- *
+- * In the longer term we probably want a specialized function
+- * for moving the charge from old to new in a more efficient
+- * manner.
+- */
+- error = mem_cgroup_prepare_migration(old, new, &memcg, gfp_mask);
+- if (error)
+- return error;
+-
+ error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM);
+ if (!error) {
+ struct address_space *mapping = old->mapping;
+@@ -432,13 +419,12 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
+ if (PageSwapBacked(new))
+ __inc_zone_page_state(new, NR_SHMEM);
+ spin_unlock_irq(&mapping->tree_lock);
++ /* mem_cgroup codes must not be called under tree_lock */
++ mem_cgroup_replace_page_cache(old, new);
+ radix_tree_preload_end();
+ if (freepage)
+ freepage(old);
+ page_cache_release(old);
+- mem_cgroup_end_migration(memcg, old, new, true);
+- } else {
+- mem_cgroup_end_migration(memcg, old, new, false);
+ }
+
+ return error;
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index b63f5f7..f538e9b 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -3366,6 +3366,50 @@ void mem_cgroup_end_migration(struct mem_cgroup *memcg,
+ cgroup_release_and_wakeup_rmdir(&memcg->css);
+ }
+
++/*
++ * At replace page cache, newpage is not under any memcg but it's on
++ * LRU. So, this function doesn't touch res_counter but handles LRU
++ * in correct way. Both pages are locked so we cannot race with uncharge.
++ */
++void mem_cgroup_replace_page_cache(struct page *oldpage,
++ struct page *newpage)
++{
++ struct mem_cgroup *memcg;
++ struct page_cgroup *pc;
++ struct zone *zone;
++ enum charge_type type = MEM_CGROUP_CHARGE_TYPE_CACHE;
++ unsigned long flags;
++
++ if (mem_cgroup_disabled())
++ return;
++
++ pc = lookup_page_cgroup(oldpage);
++ /* fix accounting on old pages */
++ lock_page_cgroup(pc);
++ memcg = pc->mem_cgroup;
++ mem_cgroup_charge_statistics(memcg, PageCgroupCache(pc), -1);
++ ClearPageCgroupUsed(pc);
++ unlock_page_cgroup(pc);
++
++ if (PageSwapBacked(oldpage))
++ type = MEM_CGROUP_CHARGE_TYPE_SHMEM;
++
++ zone = page_zone(newpage);
++ pc = lookup_page_cgroup(newpage);
++ /*
++ * Even if newpage->mapping was NULL before starting replacement,
++ * the newpage may be on LRU(or pagevec for LRU) already. We lock
++ * LRU while we overwrite pc->mem_cgroup.
++ */
++ spin_lock_irqsave(&zone->lru_lock, flags);
++ if (PageLRU(newpage))
++ del_page_from_lru_list(zone, newpage, page_lru(newpage));
++ __mem_cgroup_commit_charge(memcg, newpage, 1, pc, type);
++ if (PageLRU(newpage))
++ add_page_to_lru_list(zone, newpage, page_lru(newpage));
++ spin_unlock_irqrestore(&zone->lru_lock, flags);
++}
++
+ #ifdef CONFIG_DEBUG_VM
+ static struct page_cgroup *lookup_page_cgroup_used(struct page *page)
+ {
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 2b8ba3a..485be89 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5608,6 +5608,17 @@ __count_immobile_pages(struct zone *zone, struct page *page, int count)
+ bool is_pageblock_removable_nolock(struct page *page)
+ {
+ struct zone *zone = page_zone(page);
++ unsigned long pfn = page_to_pfn(page);
++
++ /*
++ * We have to be careful here because we are iterating over memory
++ * sections which are not zone aware so we might end up outside of
++ * the zone but still within the section.
++ */
++ if (!zone || zone->zone_start_pfn > pfn ||
++ zone->zone_start_pfn + zone->spanned_pages <= pfn)
++ return false;
++
+ return __count_immobile_pages(zone, page, 0);
+ }
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index d672250..6c253f7 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -379,7 +379,7 @@ static int shmem_free_swap(struct address_space *mapping,
+ /*
+ * Pagevec may contain swap entries, so shuffle up pages before releasing.
+ */
+-static void shmem_pagevec_release(struct pagevec *pvec)
++static void shmem_deswap_pagevec(struct pagevec *pvec)
+ {
+ int i, j;
+
+@@ -389,7 +389,36 @@ static void shmem_pagevec_release(struct pagevec *pvec)
+ pvec->pages[j++] = page;
+ }
+ pvec->nr = j;
+- pagevec_release(pvec);
++}
++
++/*
++ * SysV IPC SHM_UNLOCK restore Unevictable pages to their evictable lists.
++ */
++void shmem_unlock_mapping(struct address_space *mapping)
++{
++ struct pagevec pvec;
++ pgoff_t indices[PAGEVEC_SIZE];
++ pgoff_t index = 0;
++
++ pagevec_init(&pvec, 0);
++ /*
++ * Minor point, but we might as well stop if someone else SHM_LOCKs it.
++ */
++ while (!mapping_unevictable(mapping)) {
++ /*
++ * Avoid pagevec_lookup(): find_get_pages() returns 0 as if it
++ * has finished, if it hits a row of PAGEVEC_SIZE swap entries.
++ */
++ pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
++ PAGEVEC_SIZE, pvec.pages, indices);
++ if (!pvec.nr)
++ break;
++ index = indices[pvec.nr - 1] + 1;
++ shmem_deswap_pagevec(&pvec);
++ check_move_unevictable_pages(pvec.pages, pvec.nr);
++ pagevec_release(&pvec);
++ cond_resched();
++ }
+ }
+
+ /*
+@@ -440,7 +469,8 @@ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
+ }
+ unlock_page(page);
+ }
+- shmem_pagevec_release(&pvec);
++ shmem_deswap_pagevec(&pvec);
++ pagevec_release(&pvec);
+ mem_cgroup_uncharge_end();
+ cond_resched();
+ index++;
+@@ -470,7 +500,8 @@ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
+ continue;
+ }
+ if (index == start && indices[0] > end) {
+- shmem_pagevec_release(&pvec);
++ shmem_deswap_pagevec(&pvec);
++ pagevec_release(&pvec);
+ break;
+ }
+ mem_cgroup_uncharge_start();
+@@ -494,7 +525,8 @@ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
+ }
+ unlock_page(page);
+ }
+- shmem_pagevec_release(&pvec);
++ shmem_deswap_pagevec(&pvec);
++ pagevec_release(&pvec);
+ mem_cgroup_uncharge_end();
+ index++;
+ }
+@@ -1068,13 +1100,6 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
+ user_shm_unlock(inode->i_size, user);
+ info->flags &= ~VM_LOCKED;
+ mapping_clear_unevictable(file->f_mapping);
+- /*
+- * Ensure that a racing putback_lru_page() can see
+- * the pages of this mapping are evictable when we
+- * skip them due to !PageLRU during the scan.
+- */
+- smp_mb__after_clear_bit();
+- scan_mapping_unevictable_pages(file->f_mapping);
+ }
+ retval = 0;
+
+@@ -2446,6 +2471,10 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user)
+ return 0;
+ }
+
++void shmem_unlock_mapping(struct address_space *mapping)
++{
++}
++
+ void shmem_truncate_range(struct inode *inode, loff_t lstart, loff_t lend)
+ {
+ truncate_inode_pages_range(inode->i_mapping, lstart, lend);
+diff --git a/mm/slub.c b/mm/slub.c
+index ed3334d..1a919f0 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -2166,6 +2166,11 @@ redo:
+ goto new_slab;
+ }
+
++ /* must check again c->freelist in case of cpu migration or IRQ */
++ object = c->freelist;
++ if (object)
++ goto load_freelist;
++
+ stat(s, ALLOC_SLOWPATH);
+
+ do {
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index f54a05b..cb33d9c 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -636,7 +636,7 @@ redo:
+ * When racing with an mlock or AS_UNEVICTABLE clearing
+ * (page is unlocked) make sure that if the other thread
+ * does not observe our setting of PG_lru and fails
+- * isolation/check_move_unevictable_page,
++ * isolation/check_move_unevictable_pages,
+ * we see PG_mlocked/AS_UNEVICTABLE cleared below and move
+ * the page back to the evictable list.
+ *
+@@ -3353,97 +3353,59 @@ int page_evictable(struct page *page, struct vm_area_struct *vma)
+ return 1;
+ }
+
++#ifdef CONFIG_SHMEM
+ /**
+- * check_move_unevictable_page - check page for evictability and move to appropriate zone lru list
+- * @page: page to check evictability and move to appropriate lru list
+- * @zone: zone page is in
++ * check_move_unevictable_pages - check pages for evictability and move to appropriate zone lru list
++ * @pages: array of pages to check
++ * @nr_pages: number of pages to check
+ *
+- * Checks a page for evictability and moves the page to the appropriate
+- * zone lru list.
++ * Checks pages for evictability and moves them to the appropriate lru list.
+ *
+- * Restrictions: zone->lru_lock must be held, page must be on LRU and must
+- * have PageUnevictable set.
++ * This function is only used for SysV IPC SHM_UNLOCK.
+ */
+-static void check_move_unevictable_page(struct page *page, struct zone *zone)
++void check_move_unevictable_pages(struct page **pages, int nr_pages)
+ {
+- VM_BUG_ON(PageActive(page));
+-
+-retry:
+- ClearPageUnevictable(page);
+- if (page_evictable(page, NULL)) {
+- enum lru_list l = page_lru_base_type(page);
++ struct zone *zone = NULL;
++ int pgscanned = 0;
++ int pgrescued = 0;
++ int i;
+
+- __dec_zone_state(zone, NR_UNEVICTABLE);
+- list_move(&page->lru, &zone->lru[l].list);
+- mem_cgroup_move_lists(page, LRU_UNEVICTABLE, l);
+- __inc_zone_state(zone, NR_INACTIVE_ANON + l);
+- __count_vm_event(UNEVICTABLE_PGRESCUED);
+- } else {
+- /*
+- * rotate unevictable list
+- */
+- SetPageUnevictable(page);
+- list_move(&page->lru, &zone->lru[LRU_UNEVICTABLE].list);
+- mem_cgroup_rotate_lru_list(page, LRU_UNEVICTABLE);
+- if (page_evictable(page, NULL))
+- goto retry;
+- }
+-}
++ for (i = 0; i < nr_pages; i++) {
++ struct page *page = pages[i];
++ struct zone *pagezone;
+
+-/**
+- * scan_mapping_unevictable_pages - scan an address space for evictable pages
+- * @mapping: struct address_space to scan for evictable pages
+- *
+- * Scan all pages in mapping. Check unevictable pages for
+- * evictability and move them to the appropriate zone lru list.
+- */
+-void scan_mapping_unevictable_pages(struct address_space *mapping)
+-{
+- pgoff_t next = 0;
+- pgoff_t end = (i_size_read(mapping->host) + PAGE_CACHE_SIZE - 1) >>
+- PAGE_CACHE_SHIFT;
+- struct zone *zone;
+- struct pagevec pvec;
++ pgscanned++;
++ pagezone = page_zone(page);
++ if (pagezone != zone) {
++ if (zone)
++ spin_unlock_irq(&zone->lru_lock);
++ zone = pagezone;
++ spin_lock_irq(&zone->lru_lock);
++ }
+
+- if (mapping->nrpages == 0)
+- return;
++ if (!PageLRU(page) || !PageUnevictable(page))
++ continue;
+
+- pagevec_init(&pvec, 0);
+- while (next < end &&
+- pagevec_lookup(&pvec, mapping, next, PAGEVEC_SIZE)) {
+- int i;
+- int pg_scanned = 0;
+-
+- zone = NULL;
+-
+- for (i = 0; i < pagevec_count(&pvec); i++) {
+- struct page *page = pvec.pages[i];
+- pgoff_t page_index = page->index;
+- struct zone *pagezone = page_zone(page);
+-
+- pg_scanned++;
+- if (page_index > next)
+- next = page_index;
+- next++;
+-
+- if (pagezone != zone) {
+- if (zone)
+- spin_unlock_irq(&zone->lru_lock);
+- zone = pagezone;
+- spin_lock_irq(&zone->lru_lock);
+- }
++ if (page_evictable(page, NULL)) {
++ enum lru_list lru = page_lru_base_type(page);
+
+- if (PageLRU(page) && PageUnevictable(page))
+- check_move_unevictable_page(page, zone);
++ VM_BUG_ON(PageActive(page));
++ ClearPageUnevictable(page);
++ __dec_zone_state(zone, NR_UNEVICTABLE);
++ list_move(&page->lru, &zone->lru[lru].list);
++ mem_cgroup_move_lists(page, LRU_UNEVICTABLE, lru);
++ __inc_zone_state(zone, NR_INACTIVE_ANON + lru);
++ pgrescued++;
+ }
+- if (zone)
+- spin_unlock_irq(&zone->lru_lock);
+- pagevec_release(&pvec);
+-
+- count_vm_events(UNEVICTABLE_PGSCANNED, pg_scanned);
+ }
+
++ if (zone) {
++ __count_vm_events(UNEVICTABLE_PGRESCUED, pgrescued);
++ __count_vm_events(UNEVICTABLE_PGSCANNED, pgscanned);
++ spin_unlock_irq(&zone->lru_lock);
++ }
+ }
++#endif /* CONFIG_SHMEM */
+
+ static void warn_scan_unevictable_pages(void)
+ {
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index ea10a51..73495f1 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -702,6 +702,8 @@ struct tpt_led_trigger {
+ * well be on the operating channel
+ * @SCAN_HW_SCANNING: The hardware is scanning for us, we have no way to
+ * determine if we are on the operating channel or not
++ * @SCAN_OFF_CHANNEL: We're off our operating channel for scanning,
++ * gets only set in conjunction with SCAN_SW_SCANNING
+ * @SCAN_COMPLETED: Set for our scan work function when the driver reported
+ * that the scan completed.
+ * @SCAN_ABORTED: Set for our scan work function when the driver reported
+@@ -710,6 +712,7 @@ struct tpt_led_trigger {
+ enum {
+ SCAN_SW_SCANNING,
+ SCAN_HW_SCANNING,
++ SCAN_OFF_CHANNEL,
+ SCAN_COMPLETED,
+ SCAN_ABORTED,
+ };
+@@ -1140,14 +1143,10 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_sched_scan_stopped_work(struct work_struct *work);
+
+ /* off-channel helpers */
+-bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local);
+-void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
+- bool tell_ap);
+-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+- bool offchannel_ps_enable);
++void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local);
++void ieee80211_offchannel_stop_station(struct ieee80211_local *local);
+ void ieee80211_offchannel_return(struct ieee80211_local *local,
+- bool enable_beaconing,
+- bool offchannel_ps_disable);
++ bool enable_beaconing);
+ void ieee80211_hw_roc_setup(struct ieee80211_local *local);
+
+ /* interface handling */
+diff --git a/net/mac80211/main.c b/net/mac80211/main.c
+index cae4435..a7536fd 100644
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -92,47 +92,6 @@ static void ieee80211_reconfig_filter(struct work_struct *work)
+ ieee80211_configure_filter(local);
+ }
+
+-/*
+- * Returns true if we are logically configured to be on
+- * the operating channel AND the hardware-conf is currently
+- * configured on the operating channel. Compares channel-type
+- * as well.
+- */
+-bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local)
+-{
+- struct ieee80211_channel *chan, *scan_chan;
+- enum nl80211_channel_type channel_type;
+-
+- /* This logic needs to match logic in ieee80211_hw_config */
+- if (local->scan_channel) {
+- chan = local->scan_channel;
+- /* If scanning on oper channel, use whatever channel-type
+- * is currently in use.
+- */
+- if (chan == local->oper_channel)
+- channel_type = local->_oper_channel_type;
+- else
+- channel_type = NL80211_CHAN_NO_HT;
+- } else if (local->tmp_channel) {
+- chan = scan_chan = local->tmp_channel;
+- channel_type = local->tmp_channel_type;
+- } else {
+- chan = local->oper_channel;
+- channel_type = local->_oper_channel_type;
+- }
+-
+- if (chan != local->oper_channel ||
+- channel_type != local->_oper_channel_type)
+- return false;
+-
+- /* Check current hardware-config against oper_channel. */
+- if ((local->oper_channel != local->hw.conf.channel) ||
+- (local->_oper_channel_type != local->hw.conf.channel_type))
+- return false;
+-
+- return true;
+-}
+-
+ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
+ {
+ struct ieee80211_channel *chan, *scan_chan;
+@@ -145,9 +104,6 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
+
+ scan_chan = local->scan_channel;
+
+- /* If this off-channel logic ever changes, ieee80211_on_oper_channel
+- * may need to change as well.
+- */
+ offchannel_flag = local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
+ if (scan_chan) {
+ chan = scan_chan;
+@@ -158,19 +114,17 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
+ channel_type = local->_oper_channel_type;
+ else
+ channel_type = NL80211_CHAN_NO_HT;
+- } else if (local->tmp_channel) {
++ local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
++ } else if (local->tmp_channel &&
++ local->oper_channel != local->tmp_channel) {
+ chan = scan_chan = local->tmp_channel;
+ channel_type = local->tmp_channel_type;
++ local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
+ } else {
+ chan = local->oper_channel;
+ channel_type = local->_oper_channel_type;
+- }
+-
+- if (chan != local->oper_channel ||
+- channel_type != local->_oper_channel_type)
+- local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
+- else
+ local->hw.conf.flags &= ~IEEE80211_CONF_OFFCHANNEL;
++ }
+
+ offchannel_flag ^= local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
+
+@@ -279,7 +233,7 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata,
+
+ if (changed & BSS_CHANGED_BEACON_ENABLED) {
+ if (local->quiescing || !ieee80211_sdata_running(sdata) ||
+- test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)) {
++ test_bit(SCAN_SW_SCANNING, &local->scanning)) {
+ sdata->vif.bss_conf.enable_beacon = false;
+ } else {
+ /*
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 3d41441..1b239be 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -18,14 +18,10 @@
+ #include "driver-trace.h"
+
+ /*
+- * Tell our hardware to disable PS.
+- * Optionally inform AP that we will go to sleep so that it will buffer
+- * the frames while we are doing off-channel work. This is optional
+- * because we *may* be doing work on-operating channel, and want our
+- * hardware unconditionally awake, but still let the AP send us normal frames.
++ * inform AP that we will go to sleep so that it will buffer the frames
++ * while we scan
+ */
+-static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata,
+- bool tell_ap)
++static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata)
+ {
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+@@ -46,8 +42,8 @@ static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata,
+ ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
+ }
+
+- if (tell_ap && (!local->offchannel_ps_enabled ||
+- !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)))
++ if (!(local->offchannel_ps_enabled) ||
++ !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK))
+ /*
+ * If power save was enabled, no need to send a nullfunc
+ * frame because AP knows that we are sleeping. But if the
+@@ -82,9 +78,6 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
+ * we are sleeping, let's just enable power save mode in
+ * hardware.
+ */
+- /* TODO: Only set hardware if CONF_PS changed?
+- * TODO: Should we set offchannel_ps_enabled to false?
+- */
+ local->hw.conf.flags |= IEEE80211_CONF_PS;
+ ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
+ } else if (local->hw.conf.dynamic_ps_timeout > 0) {
+@@ -103,61 +96,63 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
+ ieee80211_sta_reset_conn_monitor(sdata);
+ }
+
+-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+- bool offchannel_ps_enable)
++void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local)
+ {
+ struct ieee80211_sub_if_data *sdata;
+
+- /*
+- * notify the AP about us leaving the channel and stop all
+- * STA interfaces.
+- */
+ mutex_lock(&local->iflist_mtx);
+ list_for_each_entry(sdata, &local->interfaces, list) {
+ if (!ieee80211_sdata_running(sdata))
+ continue;
+
+- if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
+- set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
+-
+- /* Check to see if we should disable beaconing. */
++ /* disable beaconing */
+ if (sdata->vif.type == NL80211_IFTYPE_AP ||
+ sdata->vif.type == NL80211_IFTYPE_ADHOC ||
+ sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+ ieee80211_bss_info_change_notify(
+ sdata, BSS_CHANGED_BEACON_ENABLED);
+
+- if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
++ /*
++ * only handle non-STA interfaces here, STA interfaces
++ * are handled in ieee80211_offchannel_stop_station(),
++ * e.g., from the background scan state machine.
++ *
++ * In addition, do not stop monitor interface to allow it to be
++ * used from user space controlled off-channel operations.
++ */
++ if (sdata->vif.type != NL80211_IFTYPE_STATION &&
++ sdata->vif.type != NL80211_IFTYPE_MONITOR) {
++ set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
+ netif_tx_stop_all_queues(sdata->dev);
+- if (offchannel_ps_enable &&
+- (sdata->vif.type == NL80211_IFTYPE_STATION) &&
+- sdata->u.mgd.associated)
+- ieee80211_offchannel_ps_enable(sdata, true);
+ }
+ }
+ mutex_unlock(&local->iflist_mtx);
+ }
+
+-void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
+- bool tell_ap)
++void ieee80211_offchannel_stop_station(struct ieee80211_local *local)
+ {
+ struct ieee80211_sub_if_data *sdata;
+
++ /*
++ * notify the AP about us leaving the channel and stop all STA interfaces
++ */
+ mutex_lock(&local->iflist_mtx);
+ list_for_each_entry(sdata, &local->interfaces, list) {
+ if (!ieee80211_sdata_running(sdata))
+ continue;
+
+- if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+- sdata->u.mgd.associated)
+- ieee80211_offchannel_ps_enable(sdata, tell_ap);
++ if (sdata->vif.type == NL80211_IFTYPE_STATION) {
++ set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
++ netif_tx_stop_all_queues(sdata->dev);
++ if (sdata->u.mgd.associated)
++ ieee80211_offchannel_ps_enable(sdata);
++ }
+ }
+ mutex_unlock(&local->iflist_mtx);
+ }
+
+ void ieee80211_offchannel_return(struct ieee80211_local *local,
+- bool enable_beaconing,
+- bool offchannel_ps_disable)
++ bool enable_beaconing)
+ {
+ struct ieee80211_sub_if_data *sdata;
+
+@@ -167,8 +162,7 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
+ continue;
+
+ /* Tell AP we're back */
+- if (offchannel_ps_disable &&
+- sdata->vif.type == NL80211_IFTYPE_STATION) {
++ if (sdata->vif.type == NL80211_IFTYPE_STATION) {
+ if (sdata->u.mgd.associated)
+ ieee80211_offchannel_ps_disable(sdata);
+ }
+@@ -188,7 +182,7 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
+ netif_tx_wake_all_queues(sdata->dev);
+ }
+
+- /* Check to see if we should re-enable beaconing */
++ /* re-enable beaconing */
+ if (enable_beaconing &&
+ (sdata->vif.type == NL80211_IFTYPE_AP ||
+ sdata->vif.type == NL80211_IFTYPE_ADHOC ||
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index fb123e2..5c51607 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -421,10 +421,16 @@ ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
+ return RX_CONTINUE;
+
+ if (test_bit(SCAN_HW_SCANNING, &local->scanning) ||
+- test_bit(SCAN_SW_SCANNING, &local->scanning) ||
+ local->sched_scanning)
+ return ieee80211_scan_rx(rx->sdata, skb);
+
++ if (test_bit(SCAN_SW_SCANNING, &local->scanning)) {
++ /* drop all the other packets during a software scan anyway */
++ if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED)
++ dev_kfree_skb(skb);
++ return RX_QUEUED;
++ }
++
+ /* scanning finished during invoking of handlers */
+ I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
+ return RX_DROP_UNUSABLE;
+@@ -2858,7 +2864,7 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
+ local->dot11ReceivedFragmentCount++;
+
+ if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
+- test_bit(SCAN_SW_SCANNING, &local->scanning)))
++ test_bit(SCAN_OFF_CHANNEL, &local->scanning)))
+ status->rx_flags |= IEEE80211_RX_IN_SCAN;
+
+ if (ieee80211_is_mgmt(fc))
+diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
+index 105436d..5279300 100644
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -213,14 +213,6 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
+ if (bss)
+ ieee80211_rx_bss_put(sdata->local, bss);
+
+- /* If we are on-operating-channel, and this packet is for the
+- * current channel, pass the pkt on up the stack so that
+- * the rest of the stack can make use of it.
+- */
+- if (ieee80211_cfg_on_oper_channel(sdata->local)
+- && (channel == sdata->local->oper_channel))
+- return RX_CONTINUE;
+-
+ dev_kfree_skb(skb);
+ return RX_QUEUED;
+ }
+@@ -264,8 +256,6 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
+ bool was_hw_scan)
+ {
+ struct ieee80211_local *local = hw_to_local(hw);
+- bool on_oper_chan;
+- bool enable_beacons = false;
+
+ lockdep_assert_held(&local->mtx);
+
+@@ -298,25 +288,11 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
+ local->scanning = 0;
+ local->scan_channel = NULL;
+
+- on_oper_chan = ieee80211_cfg_on_oper_channel(local);
+-
+- if (was_hw_scan || !on_oper_chan)
+- ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+- else
+- /* Set power back to normal operating levels. */
+- ieee80211_hw_config(local, 0);
+-
++ ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+ if (!was_hw_scan) {
+- bool on_oper_chan2;
+ ieee80211_configure_filter(local);
+ drv_sw_scan_complete(local);
+- on_oper_chan2 = ieee80211_cfg_on_oper_channel(local);
+- /* We should always be on-channel at this point. */
+- WARN_ON(!on_oper_chan2);
+- if (on_oper_chan2 && (on_oper_chan != on_oper_chan2))
+- enable_beacons = true;
+-
+- ieee80211_offchannel_return(local, enable_beacons, true);
++ ieee80211_offchannel_return(local, true);
+ }
+
+ ieee80211_recalc_idle(local);
+@@ -357,15 +333,13 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
+ */
+ drv_sw_scan_start(local);
+
++ ieee80211_offchannel_stop_beaconing(local);
++
+ local->leave_oper_channel_time = 0;
+ local->next_scan_state = SCAN_DECISION;
+ local->scan_channel_idx = 0;
+
+- /* We always want to use off-channel PS, even if we
+- * are not really leaving oper-channel. Don't
+- * tell the AP though, as long as we are on-channel.
+- */
+- ieee80211_offchannel_enable_all_ps(local, false);
++ drv_flush(local, false);
+
+ ieee80211_configure_filter(local);
+
+@@ -508,20 +482,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
+ }
+ mutex_unlock(&local->iflist_mtx);
+
+- next_chan = local->scan_req->channels[local->scan_channel_idx];
+-
+- if (ieee80211_cfg_on_oper_channel(local)) {
+- /* We're currently on operating channel. */
+- if (next_chan == local->oper_channel)
+- /* We don't need to move off of operating channel. */
+- local->next_scan_state = SCAN_SET_CHANNEL;
+- else
+- /*
+- * We do need to leave operating channel, as next
+- * scan is somewhere else.
+- */
+- local->next_scan_state = SCAN_LEAVE_OPER_CHANNEL;
+- } else {
++ if (local->scan_channel) {
+ /*
+ * we're currently scanning a different channel, let's
+ * see if we can scan another channel without interfering
+@@ -537,6 +498,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
+ *
+ * Otherwise switch back to the operating channel.
+ */
++ next_chan = local->scan_req->channels[local->scan_channel_idx];
+
+ bad_latency = time_after(jiffies +
+ ieee80211_scan_get_channel_time(next_chan),
+@@ -554,6 +516,12 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
+ local->next_scan_state = SCAN_ENTER_OPER_CHANNEL;
+ else
+ local->next_scan_state = SCAN_SET_CHANNEL;
++ } else {
++ /*
++ * we're on the operating channel currently, let's
++ * leave that channel now to scan another one
++ */
++ local->next_scan_state = SCAN_LEAVE_OPER_CHANNEL;
+ }
+
+ *next_delay = 0;
+@@ -562,10 +530,9 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
+ static void ieee80211_scan_state_leave_oper_channel(struct ieee80211_local *local,
+ unsigned long *next_delay)
+ {
+- /* PS will already be in off-channel mode,
+- * we do that once at the beginning of scanning.
+- */
+- ieee80211_offchannel_stop_vifs(local, false);
++ ieee80211_offchannel_stop_station(local);
++
++ __set_bit(SCAN_OFF_CHANNEL, &local->scanning);
+
+ /*
+ * What if the nullfunc frames didn't arrive?
+@@ -588,15 +555,15 @@ static void ieee80211_scan_state_enter_oper_channel(struct ieee80211_local *loca
+ {
+ /* switch back to the operating channel */
+ local->scan_channel = NULL;
+- if (!ieee80211_cfg_on_oper_channel(local))
+- ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
++ ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+
+ /*
+- * Re-enable vifs and beaconing. Leave PS
+- * in off-channel state..will put that back
+- * on-channel at the end of scanning.
++ * Only re-enable station mode interface now; beaconing will be
++ * re-enabled once the full scan has been completed.
+ */
+- ieee80211_offchannel_return(local, true, false);
++ ieee80211_offchannel_return(local, false);
++
++ __clear_bit(SCAN_OFF_CHANNEL, &local->scanning);
+
+ *next_delay = HZ / 5;
+ local->next_scan_state = SCAN_DECISION;
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 1f8b120..eff1f4e 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -259,8 +259,7 @@ ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
+ if (unlikely(info->flags & IEEE80211_TX_CTL_INJECTED))
+ return TX_CONTINUE;
+
+- if (unlikely(test_bit(SCAN_SW_SCANNING, &tx->local->scanning)) &&
+- test_bit(SDATA_STATE_OFFCHANNEL, &tx->sdata->state) &&
++ if (unlikely(test_bit(SCAN_OFF_CHANNEL, &tx->local->scanning)) &&
+ !ieee80211_is_probe_req(hdr->frame_control) &&
+ !ieee80211_is_nullfunc(hdr->frame_control))
+ /*
+diff --git a/net/mac80211/work.c b/net/mac80211/work.c
+index 6c53b6d..99165ef 100644
+--- a/net/mac80211/work.c
++++ b/net/mac80211/work.c
+@@ -899,26 +899,6 @@ static bool ieee80211_work_ct_coexists(enum nl80211_channel_type wk_ct,
+ return false;
+ }
+
+-static enum nl80211_channel_type
+-ieee80211_calc_ct(enum nl80211_channel_type wk_ct,
+- enum nl80211_channel_type oper_ct)
+-{
+- switch (wk_ct) {
+- case NL80211_CHAN_NO_HT:
+- return oper_ct;
+- case NL80211_CHAN_HT20:
+- if (oper_ct != NL80211_CHAN_NO_HT)
+- return oper_ct;
+- return wk_ct;
+- case NL80211_CHAN_HT40MINUS:
+- case NL80211_CHAN_HT40PLUS:
+- return wk_ct;
+- }
+- WARN_ON(1); /* shouldn't get here */
+- return wk_ct;
+-}
+-
+-
+ static void ieee80211_work_timer(unsigned long data)
+ {
+ struct ieee80211_local *local = (void *) data;
+@@ -969,52 +949,18 @@ static void ieee80211_work_work(struct work_struct *work)
+ }
+
+ if (!started && !local->tmp_channel) {
+- bool on_oper_chan;
+- bool tmp_chan_changed = false;
+- bool on_oper_chan2;
+- enum nl80211_channel_type wk_ct;
+- on_oper_chan = ieee80211_cfg_on_oper_channel(local);
+-
+- /* Work with existing channel type if possible. */
+- wk_ct = wk->chan_type;
+- if (wk->chan == local->hw.conf.channel)
+- wk_ct = ieee80211_calc_ct(wk->chan_type,
+- local->hw.conf.channel_type);
+-
+- if (local->tmp_channel)
+- if ((local->tmp_channel != wk->chan) ||
+- (local->tmp_channel_type != wk_ct))
+- tmp_chan_changed = true;
+-
+- local->tmp_channel = wk->chan;
+- local->tmp_channel_type = wk_ct;
+ /*
+- * Leave the station vifs in awake mode if they
+- * happen to be on the same channel as
+- * the requested channel.
++ * TODO: could optimize this by leaving the
++ * station vifs in awake mode if they
++ * happen to be on the same channel as
++ * the requested channel
+ */
+- on_oper_chan2 = ieee80211_cfg_on_oper_channel(local);
+- if (on_oper_chan != on_oper_chan2) {
+- if (on_oper_chan2) {
+- /* going off oper channel, PS too */
+- ieee80211_offchannel_stop_vifs(local,
+- true);
+- ieee80211_hw_config(local, 0);
+- } else {
+- /* going on channel, but leave PS
+- * off-channel. */
+- ieee80211_hw_config(local, 0);
+- ieee80211_offchannel_return(local,
+- true,
+- false);
+- }
+- } else if (tmp_chan_changed)
+- /* Still off-channel, but on some other
+- * channel, so update hardware.
+- * PS should already be off-channel.
+- */
+- ieee80211_hw_config(local, 0);
++ ieee80211_offchannel_stop_beaconing(local);
++ ieee80211_offchannel_stop_station(local);
+
++ local->tmp_channel = wk->chan;
++ local->tmp_channel_type = wk->chan_type;
++ ieee80211_hw_config(local, 0);
+ started = true;
+ wk->timeout = jiffies;
+ }
+@@ -1100,8 +1046,7 @@ static void ieee80211_work_work(struct work_struct *work)
+ * we still need to do a hardware config. Currently,
+ * we cannot be here while scanning, however.
+ */
+- if (!ieee80211_cfg_on_oper_channel(local))
+- ieee80211_hw_config(local, 0);
++ ieee80211_hw_config(local, 0);
+
+ /* At the least, we need to disable offchannel_ps,
+ * so just go ahead and run the entire offchannel
+@@ -1109,7 +1054,7 @@ static void ieee80211_work_work(struct work_struct *work)
+ * beaconing if we were already on-oper-channel
+ * as a future optimization.
+ */
+- ieee80211_offchannel_return(local, true, true);
++ ieee80211_offchannel_return(local, true);
+
+ /* give connection some time to breathe */
+ run_again(local, jiffies + HZ/2);
+diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
+index f614ce7..28a39bb 100644
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -106,7 +106,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
+ if (status->flag & RX_FLAG_MMIC_ERROR)
+ goto mic_fail;
+
+- if (!(status->flag & RX_FLAG_IV_STRIPPED))
++ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
+ goto update_iv;
+
+ return RX_CONTINUE;
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index 6e03888..d4ad50e 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -167,6 +167,7 @@ svc_pool_map_alloc_arrays(struct svc_pool_map *m, unsigned int maxpools)
+
+ fail_free:
+ kfree(m->to_pool);
++ m->to_pool = NULL;
+ fail:
+ return -ENOMEM;
+ }
+@@ -287,7 +288,9 @@ svc_pool_map_put(void)
+ if (!--m->count) {
+ m->mode = SVC_POOL_DEFAULT;
+ kfree(m->to_pool);
++ m->to_pool = NULL;
+ kfree(m->pool_to);
++ m->pool_to = NULL;
+ m->npools = 0;
+ }
+
+@@ -527,17 +530,20 @@ svc_destroy(struct svc_serv *serv)
+ printk("svc_destroy: no threads for serv=%p!\n", serv);
+
+ del_timer_sync(&serv->sv_temptimer);
+-
+- svc_close_all(&serv->sv_tempsocks);
++ /*
++ * The set of xprts (contained in the sv_tempsocks and
++ * sv_permsocks lists) is now constant, since it is modified
++ * only by accepting new sockets (done by service threads in
++ * svc_recv) or aging old ones (done by sv_temptimer), or
++ * configuration changes (excluded by whatever locking the
++ * caller is using--nfsd_mutex in the case of nfsd). So it's
++ * safe to traverse those lists and shut everything down:
++ */
++ svc_close_all(serv);
+
+ if (serv->sv_shutdown)
+ serv->sv_shutdown(serv);
+
+- svc_close_all(&serv->sv_permsocks);
+-
+- BUG_ON(!list_empty(&serv->sv_permsocks));
+- BUG_ON(!list_empty(&serv->sv_tempsocks));
+-
+ cache_clean_deferred(serv);
+
+ if (svc_serv_is_pooled(serv))
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 447cd0e..9ed2cd0 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -893,14 +893,7 @@ void svc_delete_xprt(struct svc_xprt *xprt)
+ spin_lock_bh(&serv->sv_lock);
+ if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
+ list_del_init(&xprt->xpt_list);
+- /*
+- * The only time we're called while xpt_ready is still on a list
+- * is while the list itself is about to be destroyed (in
+- * svc_destroy). BUT svc_xprt_enqueue could still be attempting
+- * to add new entries to the sp_sockets list, so we can't leave
+- * a freed xprt on it.
+- */
+- list_del_init(&xprt->xpt_ready);
++ BUG_ON(!list_empty(&xprt->xpt_ready));
+ if (test_bit(XPT_TEMP, &xprt->xpt_flags))
+ serv->sv_tmpcnt--;
+ spin_unlock_bh(&serv->sv_lock);
+@@ -928,22 +921,48 @@ void svc_close_xprt(struct svc_xprt *xprt)
+ }
+ EXPORT_SYMBOL_GPL(svc_close_xprt);
+
+-void svc_close_all(struct list_head *xprt_list)
++static void svc_close_list(struct list_head *xprt_list)
++{
++ struct svc_xprt *xprt;
++
++ list_for_each_entry(xprt, xprt_list, xpt_list) {
++ set_bit(XPT_CLOSE, &xprt->xpt_flags);
++ set_bit(XPT_BUSY, &xprt->xpt_flags);
++ }
++}
++
++void svc_close_all(struct svc_serv *serv)
+ {
++ struct svc_pool *pool;
+ struct svc_xprt *xprt;
+ struct svc_xprt *tmp;
++ int i;
++
++ svc_close_list(&serv->sv_tempsocks);
++ svc_close_list(&serv->sv_permsocks);
+
++ for (i = 0; i < serv->sv_nrpools; i++) {
++ pool = &serv->sv_pools[i];
++
++ spin_lock_bh(&pool->sp_lock);
++ while (!list_empty(&pool->sp_sockets)) {
++ xprt = list_first_entry(&pool->sp_sockets, struct svc_xprt, xpt_ready);
++ list_del_init(&xprt->xpt_ready);
++ }
++ spin_unlock_bh(&pool->sp_lock);
++ }
+ /*
+- * The server is shutting down, and no more threads are running.
+- * svc_xprt_enqueue() might still be running, but at worst it
+- * will re-add the xprt to sp_sockets, which will soon get
+- * freed. So we don't bother with any more locking, and don't
+- * leave the close to the (nonexistent) server threads:
++ * At this point the sp_sockets lists will stay empty, since
++ * svc_enqueue will not add new entries without taking the
++ * sp_lock and checking XPT_BUSY.
+ */
+- list_for_each_entry_safe(xprt, tmp, xprt_list, xpt_list) {
+- set_bit(XPT_CLOSE, &xprt->xpt_flags);
++ list_for_each_entry_safe(xprt, tmp, &serv->sv_tempsocks, xpt_list)
+ svc_delete_xprt(xprt);
+- }
++ list_for_each_entry_safe(xprt, tmp, &serv->sv_permsocks, xpt_list)
++ svc_delete_xprt(xprt);
++
++ BUG_ON(!list_empty(&serv->sv_permsocks));
++ BUG_ON(!list_empty(&serv->sv_tempsocks));
+ }
+
+ /*
+diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
+index 277ebd4..593f4c6 100644
+--- a/net/sunrpc/xdr.c
++++ b/net/sunrpc/xdr.c
+@@ -296,7 +296,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
+ * Copies data into an arbitrary memory location from an array of pages
+ * The copy is assumed to be non-overlapping.
+ */
+-static void
++void
+ _copy_from_pages(char *p, struct page **pages, size_t pgbase, size_t len)
+ {
+ struct page **pgfrom;
+@@ -324,6 +324,7 @@ _copy_from_pages(char *p, struct page **pages, size_t pgbase, size_t len)
+
+ } while ((len -= copy) != 0);
+ }
++EXPORT_SYMBOL_GPL(_copy_from_pages);
+
+ /*
+ * xdr_shrink_bufhead
+diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
+index ec7afce..bccf07d 100644
+--- a/scripts/kconfig/streamline_config.pl
++++ b/scripts/kconfig/streamline_config.pl
+@@ -250,33 +250,61 @@ if ($kconfig) {
+ read_kconfig($kconfig);
+ }
+
++sub convert_vars {
++ my ($line, %vars) = @_;
++
++ my $process = "";
++
++ while ($line =~ s/^(.*?)(\$\((.*?)\))//) {
++ my $start = $1;
++ my $variable = $2;
++ my $var = $3;
++
++ if (defined($vars{$var})) {
++ $process .= $start . $vars{$var};
++ } else {
++ $process .= $start . $variable;
++ }
++ }
++
++ $process .= $line;
++
++ return $process;
++}
++
+ # Read all Makefiles to map the configs to the objects
+ foreach my $makefile (@makefiles) {
+
+- my $cont = 0;
++ my $line = "";
++ my %make_vars;
+
+ open(MIN,$makefile) || die "Can't open $makefile";
+ while (<MIN>) {
++ # if this line ends with a backslash, continue
++ chomp;
++ if (/^(.*)\\$/) {
++ $line .= $1;
++ next;
++ }
++
++ $line .= $_;
++ $_ = $line;
++ $line = "";
++
+ my $objs;
+
+- # is this a line after a line with a backslash?
+- if ($cont && /(\S.*)$/) {
+- $objs = $1;
+- }
+- $cont = 0;
++ $_ = convert_vars($_, %make_vars);
+
+ # collect objects after obj-$(CONFIG_FOO_BAR)
+ if (/obj-\$\((CONFIG_[^\)]*)\)\s*[+:]?=\s*(.*)/) {
+ $var = $1;
+ $objs = $2;
++
++ # check if variables are set
++ } elsif (/^\s*(\S+)\s*[:]?=\s*(.*\S)/) {
++ $make_vars{$1} = $2;
+ }
+ if (defined($objs)) {
+- # test if the line ends with a backslash
+- if ($objs =~ m,(.*)\\$,) {
+- $objs = $1;
+- $cont = 1;
+- }
+-
+ foreach my $obj (split /\s+/,$objs) {
+ $obj =~ s/-/_/g;
+ if ($obj =~ /(.*)\.o$/) {
+diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
+index f40a6af6..54e35c1 100644
+--- a/scripts/recordmcount.h
++++ b/scripts/recordmcount.h
+@@ -462,7 +462,7 @@ __has_rel_mcount(Elf_Shdr const *const relhdr, /* is SHT_REL or SHT_RELA */
+ succeed_file();
+ }
+ if (w(txthdr->sh_type) != SHT_PROGBITS ||
+- !(w(txthdr->sh_flags) & SHF_EXECINSTR))
++ !(_w(txthdr->sh_flags) & SHF_EXECINSTR))
+ return NULL;
+ return txtname;
+ }
+diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
+index 0d50df0..88a2788 100644
+--- a/security/integrity/ima/ima_api.c
++++ b/security/integrity/ima/ima_api.c
+@@ -178,8 +178,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
+ strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
+
+ result = ima_store_template(entry, violation, inode);
+- if (!result)
++ if (!result || result == -EEXIST)
+ iint->flags |= IMA_MEASURED;
+- else
++ if (result < 0)
+ kfree(entry);
+ }
+diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
+index 8e28f04..55a6271 100644
+--- a/security/integrity/ima/ima_queue.c
++++ b/security/integrity/ima/ima_queue.c
+@@ -23,6 +23,8 @@
+ #include <linux/slab.h>
+ #include "ima.h"
+
++#define AUDIT_CAUSE_LEN_MAX 32
++
+ LIST_HEAD(ima_measurements); /* list of all measurements */
+
+ /* key: inode (before secure-hashing a file) */
+@@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash)
+
+ result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
+ if (result != 0)
+- pr_err("IMA: Error Communicating to TPM chip\n");
++ pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
++ result);
+ return result;
+ }
+
+@@ -106,14 +109,16 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
+ {
+ u8 digest[IMA_DIGEST_SIZE];
+ const char *audit_cause = "hash_added";
++ char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
+ int audit_info = 1;
+- int result = 0;
++ int result = 0, tpmresult = 0;
+
+ mutex_lock(&ima_extend_list_mutex);
+ if (!violation) {
+ memcpy(digest, entry->digest, sizeof digest);
+ if (ima_lookup_digest_entry(digest)) {
+ audit_cause = "hash_exists";
++ result = -EEXIST;
+ goto out;
+ }
+ }
+@@ -128,9 +133,11 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
+ if (violation) /* invalidate pcr */
+ memset(digest, 0xff, sizeof digest);
+
+- result = ima_pcr_extend(digest);
+- if (result != 0) {
+- audit_cause = "TPM error";
++ tpmresult = ima_pcr_extend(digest);
++ if (tpmresult != 0) {
++ snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
++ tpmresult);
++ audit_cause = tpm_audit_cause;
+ audit_info = 0;
+ }
+ out:
+diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
+index 4a9b4b2..867558c 100644
+--- a/security/tomoyo/util.c
++++ b/security/tomoyo/util.c
+@@ -492,13 +492,13 @@ static bool tomoyo_correct_word2(const char *string, size_t len)
+ if (d < '0' || d > '7' || e < '0' || e > '7')
+ break;
+ c = tomoyo_make_byte(c, d, e);
+- if (tomoyo_invalid(c))
+- continue; /* pattern is not \000 */
++ if (c <= ' ' || c >= 127)
++ continue;
+ }
+ goto out;
+ } else if (in_repetition && c == '/') {
+ goto out;
+- } else if (tomoyo_invalid(c)) {
++ } else if (c <= ' ' || c >= 127) {
+ goto out;
+ }
+ }
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index c2f79e6..5b2b75b 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2509,6 +2509,7 @@ static struct snd_pci_quirk position_fix_list[] __devinitdata = {
+ SND_PCI_QUIRK(0x1043, 0x81e7, "ASUS M2V", POS_FIX_LPIB),
+ SND_PCI_QUIRK(0x1043, 0x83ce, "ASUS 1101HA", POS_FIX_LPIB),
+ SND_PCI_QUIRK(0x104d, 0x9069, "Sony VPCS11V9E", POS_FIX_LPIB),
++ SND_PCI_QUIRK(0x10de, 0xcb89, "Macbook Pro 7,1", POS_FIX_LPIB),
+ SND_PCI_QUIRK(0x1297, 0x3166, "Shuttle", POS_FIX_LPIB),
+ SND_PCI_QUIRK(0x1458, 0xa022, "ga-ma770-ud3", POS_FIX_LPIB),
+ SND_PCI_QUIRK(0x1462, 0x1002, "MSI Wind U115", POS_FIX_LPIB),
+diff --git a/sound/pci/hda/hda_local.h b/sound/pci/hda/hda_local.h
+index 618ddad..368f0c5 100644
+--- a/sound/pci/hda/hda_local.h
++++ b/sound/pci/hda/hda_local.h
+@@ -487,7 +487,12 @@ static inline u32 get_wcaps(struct hda_codec *codec, hda_nid_t nid)
+ }
+
+ /* get the widget type from widget capability bits */
+-#define get_wcaps_type(wcaps) (((wcaps) & AC_WCAP_TYPE) >> AC_WCAP_TYPE_SHIFT)
++static inline int get_wcaps_type(unsigned int wcaps)
++{
++ if (!wcaps)
++ return -1; /* invalid type */
++ return (wcaps & AC_WCAP_TYPE) >> AC_WCAP_TYPE_SHIFT;
++}
+
+ static inline unsigned int get_wcaps_channels(u32 wcaps)
+ {
+diff --git a/sound/pci/hda/hda_proc.c b/sound/pci/hda/hda_proc.c
+index 2c981b5..254ab52 100644
+--- a/sound/pci/hda/hda_proc.c
++++ b/sound/pci/hda/hda_proc.c
+@@ -54,6 +54,8 @@ static const char *get_wid_type_name(unsigned int wid_value)
+ [AC_WID_BEEP] = "Beep Generator Widget",
+ [AC_WID_VENDOR] = "Vendor Defined Widget",
+ };
++ if (wid_value == -1)
++ return "UNKNOWN Widget";
+ wid_value &= 0xf;
+ if (names[wid_value])
+ return names[wid_value];
+diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
+index 70a7abd..5b0a9bb 100644
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -920,16 +920,14 @@ static void cs_automute(struct hda_codec *codec)
+
+ /* mute speakers if spdif or hp jack is plugged in */
+ for (i = 0; i < cfg->speaker_outs; i++) {
++ int pin_ctl = hp_present ? 0 : PIN_OUT;
++ /* detect on spdif is specific to CS421x */
++ if (spdif_present && (spec->vendor_nid == CS421X_VENDOR_NID))
++ pin_ctl = 0;
++
+ nid = cfg->speaker_pins[i];
+ snd_hda_codec_write(codec, nid, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL,
+- hp_present ? 0 : PIN_OUT);
+- /* detect on spdif is specific to CS421x */
+- if (spec->vendor_nid == CS421X_VENDOR_NID) {
+- snd_hda_codec_write(codec, nid, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL,
+- spdif_present ? 0 : PIN_OUT);
+- }
++ AC_VERB_SET_PIN_WIDGET_CONTROL, pin_ctl);
+ }
+ if (spec->gpio_eapd_hp) {
+ unsigned int gpio = hp_present ?
+@@ -1771,30 +1769,19 @@ static int build_cs421x_output(struct hda_codec *codec)
+ struct auto_pin_cfg *cfg = &spec->autocfg;
+ struct snd_kcontrol *kctl;
+ int err;
+- char *name = "HP/Speakers";
++ char *name = "Master";
+
+ fix_volume_caps(codec, dac);
+- if (!spec->vmaster_sw) {
+- err = add_vmaster(codec, dac);
+- if (err < 0)
+- return err;
+- }
+
+ err = add_mute(codec, name, 0,
+ HDA_COMPOSE_AMP_VAL(dac, 3, 0, HDA_OUTPUT), 0, &kctl);
+ if (err < 0)
+ return err;
+- err = snd_ctl_add_slave(spec->vmaster_sw, kctl);
+- if (err < 0)
+- return err;
+
+ err = add_volume(codec, name, 0,
+ HDA_COMPOSE_AMP_VAL(dac, 3, 0, HDA_OUTPUT), 0, &kctl);
+ if (err < 0)
+ return err;
+- err = snd_ctl_add_slave(spec->vmaster_vol, kctl);
+- if (err < 0)
+- return err;
+
+ if (cfg->speaker_outs) {
+ err = snd_hda_ctl_add(codec, 0,
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 0de2119..7072251 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1120,8 +1120,6 @@ static const char * const cxt5045_models[CXT5045_MODELS] = {
+
+ static const struct snd_pci_quirk cxt5045_cfg_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x30d5, "HP 530", CXT5045_LAPTOP_HP530),
+- SND_PCI_QUIRK_MASK(0x103c, 0xff00, 0x3000, "HP DV Series",
+- CXT5045_LAPTOP_HPSENSE),
+ SND_PCI_QUIRK(0x1179, 0xff31, "Toshiba P105", CXT5045_LAPTOP_MICSENSE),
+ SND_PCI_QUIRK(0x152d, 0x0753, "Benq R55E", CXT5045_BENQ),
+ SND_PCI_QUIRK(0x1734, 0x10ad, "Fujitsu Si1520", CXT5045_LAPTOP_MICSENSE),
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index 616678f..f3c73a9 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -1631,7 +1631,7 @@ static const struct snd_pci_quirk stac92hd73xx_cfg_tbl[] = {
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02bd,
+ "Dell Studio 1557", STAC_DELL_M6_DMIC),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02fe,
+- "Dell Studio XPS 1645", STAC_DELL_M6_BOTH),
++ "Dell Studio XPS 1645", STAC_DELL_M6_DMIC),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0413,
+ "Dell Studio 1558", STAC_DELL_M6_DMIC),
+ {} /* terminator */
+@@ -4326,6 +4326,27 @@ static void stac_store_hints(struct hda_codec *codec)
+ }
+ }
+
++static void stac_issue_unsol_events(struct hda_codec *codec, int num_pins,
++ const hda_nid_t *pins)
++{
++ while (num_pins--)
++ stac_issue_unsol_event(codec, *pins++);
++}
++
++/* fake event to set up pins */
++static void stac_fake_hp_events(struct hda_codec *codec)
++{
++ struct sigmatel_spec *spec = codec->spec;
++
++ if (spec->autocfg.hp_outs)
++ stac_issue_unsol_events(codec, spec->autocfg.hp_outs,
++ spec->autocfg.hp_pins);
++ if (spec->autocfg.line_outs &&
++ spec->autocfg.line_out_pins[0] != spec->autocfg.hp_pins[0])
++ stac_issue_unsol_events(codec, spec->autocfg.line_outs,
++ spec->autocfg.line_out_pins);
++}
++
+ static int stac92xx_init(struct hda_codec *codec)
+ {
+ struct sigmatel_spec *spec = codec->spec;
+@@ -4376,10 +4397,7 @@ static int stac92xx_init(struct hda_codec *codec)
+ stac92xx_auto_set_pinctl(codec, spec->autocfg.line_out_pins[0],
+ AC_PINCTL_OUT_EN);
+ /* fake event to set up pins */
+- if (cfg->hp_pins[0])
+- stac_issue_unsol_event(codec, cfg->hp_pins[0]);
+- else if (cfg->line_out_pins[0])
+- stac_issue_unsol_event(codec, cfg->line_out_pins[0]);
++ stac_fake_hp_events(codec);
+ } else {
+ stac92xx_auto_init_multi_out(codec);
+ stac92xx_auto_init_hp_out(codec);
+@@ -5028,19 +5046,11 @@ static void stac927x_proc_hook(struct snd_info_buffer *buffer,
+ #ifdef CONFIG_PM
+ static int stac92xx_resume(struct hda_codec *codec)
+ {
+- struct sigmatel_spec *spec = codec->spec;
+-
+ stac92xx_init(codec);
+ snd_hda_codec_resume_amp(codec);
+ snd_hda_codec_resume_cache(codec);
+ /* fake event to set up pins again to override cached values */
+- if (spec->hp_detect) {
+- if (spec->autocfg.hp_pins[0])
+- stac_issue_unsol_event(codec, spec->autocfg.hp_pins[0]);
+- else if (spec->autocfg.line_out_pins[0])
+- stac_issue_unsol_event(codec,
+- spec->autocfg.line_out_pins[0]);
+- }
++ stac_fake_hp_events(codec);
+ return 0;
+ }
+
+diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
+index b513762..8d69e59 100644
+--- a/sound/pci/hda/patch_via.c
++++ b/sound/pci/hda/patch_via.c
+@@ -2200,7 +2200,10 @@ static int via_auto_create_loopback_switch(struct hda_codec *codec)
+ {
+ struct via_spec *spec = codec->spec;
+
+- if (!spec->aa_mix_nid || !spec->out_mix_path.depth)
++ if (!spec->aa_mix_nid)
++ return 0; /* no loopback switching available */
++ if (!(spec->out_mix_path.depth || spec->hp_mix_path.depth ||
++ spec->speaker_path.depth))
+ return 0; /* no loopback switching available */
+ if (!via_clone_control(spec, &via_aamix_ctl_enum))
+ return -ENOMEM;
+diff --git a/sound/pci/ice1712/amp.c b/sound/pci/ice1712/amp.c
+index e328cfb..e525da2 100644
+--- a/sound/pci/ice1712/amp.c
++++ b/sound/pci/ice1712/amp.c
+@@ -68,8 +68,11 @@ static int __devinit snd_vt1724_amp_init(struct snd_ice1712 *ice)
+
+ static int __devinit snd_vt1724_amp_add_controls(struct snd_ice1712 *ice)
+ {
+- /* we use pins 39 and 41 of the VT1616 for left and right read outputs */
+- snd_ac97_write_cache(ice->ac97, 0x5a, snd_ac97_read(ice->ac97, 0x5a) & ~0x8000);
++ if (ice->ac97)
++ /* we use pins 39 and 41 of the VT1616 for left and right
++ read outputs */
++ snd_ac97_write_cache(ice->ac97, 0x5a,
++ snd_ac97_read(ice->ac97, 0x5a) & ~0x8000);
+ return 0;
+ }
+
+diff --git a/sound/pci/oxygen/xonar_wm87x6.c b/sound/pci/oxygen/xonar_wm87x6.c
+index 42d1ab1..915546a 100644
+--- a/sound/pci/oxygen/xonar_wm87x6.c
++++ b/sound/pci/oxygen/xonar_wm87x6.c
+@@ -177,6 +177,7 @@ static void wm8776_registers_init(struct oxygen *chip)
+ struct xonar_wm87x6 *data = chip->model_data;
+
+ wm8776_write(chip, WM8776_RESET, 0);
++ wm8776_write(chip, WM8776_PHASESWAP, WM8776_PH_MASK);
+ wm8776_write(chip, WM8776_DACCTRL1, WM8776_DZCEN |
+ WM8776_PL_LEFT_LEFT | WM8776_PL_RIGHT_RIGHT);
+ wm8776_write(chip, WM8776_DACMUTE, chip->dac_mute ? WM8776_DMUTE : 0);
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index 81c6ede..08dcce5 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -17,6 +17,7 @@
+
+ #include <linux/gfp.h>
+ #include <linux/init.h>
++#include <linux/ratelimit.h>
+ #include <linux/usb.h>
+ #include <linux/usb/audio.h>
+
+@@ -458,8 +459,8 @@ static int retire_capture_urb(struct snd_usb_substream *subs,
+
+ for (i = 0; i < urb->number_of_packets; i++) {
+ cp = (unsigned char *)urb->transfer_buffer + urb->iso_frame_desc[i].offset;
+- if (urb->iso_frame_desc[i].status) {
+- snd_printd(KERN_ERR "frame %d active: %d\n", i, urb->iso_frame_desc[i].status);
++ if (urb->iso_frame_desc[i].status && printk_ratelimit()) {
++ snd_printdd("frame %d active: %d\n", i, urb->iso_frame_desc[i].status);
+ // continue;
+ }
+ bytes = urb->iso_frame_desc[i].actual_length;
+diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
+index c400ade..1e7a47a 100644
+--- a/sound/usb/usx2y/usb_stream.c
++++ b/sound/usb/usx2y/usb_stream.c
+@@ -674,7 +674,7 @@ dotry:
+ inurb->transfer_buffer_length =
+ inurb->number_of_packets *
+ inurb->iso_frame_desc[0].length;
+- preempt_disable();
++
+ if (u == 0) {
+ int now;
+ struct usb_device *dev = inurb->dev;
+@@ -686,19 +686,17 @@ dotry:
+ }
+ err = usb_submit_urb(inurb, GFP_ATOMIC);
+ if (err < 0) {
+- preempt_enable();
+ snd_printk(KERN_ERR"usb_submit_urb(sk->inurb[%i])"
+ " returned %i\n", u, err);
+ return err;
+ }
+ err = usb_submit_urb(outurb, GFP_ATOMIC);
+ if (err < 0) {
+- preempt_enable();
+ snd_printk(KERN_ERR"usb_submit_urb(sk->outurb[%i])"
+ " returned %i\n", u, err);
+ return err;
+ }
+- preempt_enable();
++
+ if (inurb->start_frame != outurb->start_frame) {
+ snd_printd(KERN_DEBUG
+ "u[%i] start_frames differ in:%u out:%u\n",